
I've searched the forums but nothing quite matches what we're looking for. I've read through enough forums, documentation, and other web resources, but I'm still a novice Windows Server 2008 potential user.

Setup right now with:

  • About 20 workstations with 5 laptops, one Terastation RAID 5 (switchable from workgroups to AD), with one Windows Server 2003 (not a DC) running Visual SVN standard.
  • The enterprise edition (which we are not running) is where users are able to access VisualSVN Server using their Active Directory domain credentials, but they don't want to upgrade to that version.

VisualSVN maintains its own internal user database. If we go to a Server 2008 R2 configuration, I understand all computers and storage devices will need to be added to AD as well as the users.

My questions:

  1. Would we be able to maintain workgroup access to those devices not added to AD? I read in another forum that you still have access to workgroup devices, but how is that done?

  2. Could we just use Windows Server 2008 to maintain a user database (create/delete users, change passwords) without going full AD?

    The reason being that my manager is constantly changing users' passwords on their workstations because they either forget them or they don't expire.

    They also want to move the authentication from the VPN device to Server 2008 to simplify management. I mentioned upgrading to AD would be the best solution, but they are averse to the idea since they won't have a full-time domain administrator.

    They're also not interested in the security aspects of AD aside from the passwords for user accounts.

  3. Would it still be wise to turn on scavenging for DNS (if we do upgrade to Server 2008 AD) if there are no more than 5 laptops that are connected and disconnected from the network?

I'm sure I'll come up with more questions later, but until then, any answers would be appreciated.

gideon
user113920

1 Answer

This is a really open ended question. It feels like you're basically asking "how do I architect my IT infrastructure?"

That being said I'd still like to try to help.

I would recommend Active Directory. Now your quote "Secondly, could we just use Server 2008 to maintain a user database (create/delete users, change passwords) without going full AD" is pretty much the definition of AD LDS (formerly ADAM, uses LDAP, etc...) but just use AD. When you are logging on to a Windows workstation there are two possibilities - you either authenticate to the local SAM on that machine, or you authenticate to an Active Directory. Plus you'll actually find it easier to get help with vanilla AD problems because it's so much more common.

It's ridiculous for you or your boss to have to walk around the office changing people's passwords on their workstations.

Yes, you can still communicate with devices outside of your domain, but it will not be single-sign-on. You simply have to authenticate separately to a device that is outside of your domain.

You'll also have to design a DNS structure that includes DNS records for devices that are in workgroups or other domains. (Research GNZ or GlobalNames for that.)

edit: Didn't see your last question about scavenging. I would say it's fine to turn it on. I don't know your DHCP situation or subnet(s), but if you have clients connecting and disconnecting from the network all the time, such as a laptop, you'll end up with lots of stale DNS records in your zone if you don't enable scavenging, because they'll keep getting new DHCP addresses and registering new DNS records.

Ryan Ries
  • Thanks Ryan, a few more questions. If I do set Server 2008 as AD, would I have to add the workstations to the domain for them to be able to login with their credentials from that workstation? As for the storage devices outside the domain, if they are set as public, would they access them without credentials? Sorry if they seem basic, but I'm still at the research stage at the moment. – user113920 Mar 13 '12 at 19:25
  • Yes. There would be no point in standing up a domain with a domain controller, if you didn't then join your workstations to that domain. As for your storage devices, I don't know what they are but if you can access them now with no authentication, you will not have to do so once you're inside a domain either. If you have to supply credentials to them now, you will still have to do so once you are inside a domain. That is of course unless you can get the storage devices to join the domain with you. – Ryan Ries Mar 13 '12 at 19:36
  • Final question hopefully. You mentioned GNZ but isn't that mainly concerned with transitioning away from WINS? Can't the workgroup resolve to the server 2008's DNS? – user113920 Mar 13 '12 at 23:10
  • Yes, the workgroup computers may use the domain controller as their DNS server. However, they will not have the ability to register their own names in the domain DNS zone because they're not part of that domain. You could create "fake" A records in your domain DNS zone that resolve to the IP addresses of the workgroup computers, but that is bad behavior and I don't recommend it. The GNZ is to help get away from WINS when for legacy reasons you still need to resolve some old hosts by single label name. – Ryan Ries Mar 13 '12 at 23:39
  • That said, if everything is on the same subnet, you will probably still be able to resolve the names of the workgroup computers from inside the domain because it will fail back to NetBIOS. Hopefully. – Ryan Ries Mar 13 '12 at 23:45
  • But they will still be able to access those devices via their IP addresses, correct? edit: To fall back to NetBIOS, would WINS need to be added to 2008? – user113920 Mar 14 '12 at 00:00
  • If not having name resolution is good enough for you, then yeah IP addresses will still work. ;) – Ryan Ries Mar 14 '12 at 00:10
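The two DNS items the answer and comments raise, turning on aging/scavenging for a zone full of roaming laptops and standing up a GlobalNames zone for single-label names without WINS, can both be configured from the domain controller with `dnscmd.exe`. The script below is an added example, not code from the question or answer; it assumes a Server 2008 R2 DC named `DC01` (placeholder), an AD-integrated zone `corp.example.com` (placeholder) and a domain-joined host `svn01` (placeholder) that gets a single-label alias. `dnscmd` is used rather than the `DnsServer` PowerShell module because that module did not ship until Server 2012.

```powershell
# Added example: DNS aging/scavenging plus a GlobalNames zone on a
# Windows Server 2008 R2 domain controller, driven with dnscmd.exe.
# Placeholders (assumed, not from the thread): DC01, corp.example.com, svn01.
$Dns  = 'DC01'
$Zone = 'corp.example.com'

# --- Aging and scavenging --------------------------------------------------
# Aging is a per-zone setting; scavenging is a server-wide setting. Both
# must be on before anything is deleted. Intervals are in hours (168 = 7 days).
# A dynamically registered record becomes eligible for deletion only after
# NoRefresh + Refresh have elapsed since its timestamp, so with these values
# a laptop that never comes back keeps its stale record for 14 days, then the
# next scavenging pass removes it.
dnscmd $Dns /Config $Zone /Aging 1
dnscmd $Dns /Config $Zone /NoRefreshInterval 168
dnscmd $Dns /Config $Zone /RefreshInterval 168

# Make zones created later inherit the same aging defaults.
dnscmd $Dns /Config /DefaultAgingState 1
dnscmd $Dns /Config /DefaultNoRefreshInterval 168
dnscmd $Dns /Config /DefaultRefreshInterval 168

# Enable the scavenger itself; it runs every ScavengingInterval hours.
dnscmd $Dns /Config /ScavengingInterval 168

# Before trusting automatic deletion, list the A records with their aging
# timestamps. Statically created records carry no timestamp and are never
# scavenged, which is what protects servers and other fixed hosts.
dnscmd $Dns /EnumRecords $Zone '@' /Type A /Detail

# --- GlobalNames zone (single-label names without WINS) --------------------
# The GNZ holds only CNAME records; a client that fails to resolve "svn01"
# through its suffix search list falls back to querying GlobalNames.
dnscmd $Dns /Config /EnableGlobalNamesSupport 1
dnscmd $Dns /ZoneAdd GlobalNames /DsPrimary /DP /forest
dnscmd $Dns /RecordAdd GlobalNames svn01 CNAME "svn01.$Zone"

# Check single-label resolution against the DC from any client.
nslookup svn01 $Dns
```

The `/EnumRecords ... /Detail` step is the check worth running a few days after enabling scavenging: records that should be permanent (the SVN server, the NAS if you ever give it a static record) must show no timestamp, and only the laptops' DHCP-registered entries should be aging toward deletion. Scavenging is also a security-relevant control, since a stale A record left pointing at an address that DHCP later hands to a different machine lets that machine answer for the old name.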