3

I currently have about 50 different workstations, all running Windows XP, which are part of various workgroups. These machines were all set up by different people with no communication between them. I honestly don't know what to expect when I dive into them. I'm working on migrating them over to a domain. I have the DC set up and it seems to be working well.

What do I need to do and in what order to make this all happen?

How do I lock down these machines? Group Policy? Do you know of any good resources for wrapping my head around what Group Policy is?

Can switching from 50 machines using NETBIOS and workgroups to a domain make the network run faster or no?

Noah Clark

2 Answers

6

Heh, well the good thing is that you're certainly heading in the right direction!! Not sure how much speed benefit you'll notice, but you will certainly improve the efficiency of things.

I would do things in this kind of order:

  1. Lock your door so the users can't get to you to gripe about locking them down (haha)
  2. Make sure you have Active Directory containers configured how you want them. This shouldn't be too bad with only 50 PC's.
  3. Create domain user accounts for your users in AD
  4. Create home network shares if you want to use them
  5. Configure the domain's Group Policies in AD
  6. Write login scripts if you want to use them
  7. Configure your PC's to use your DC as the dns server if they're not already (or whatever dns server holds your AD SRV records). You might consider setting up DHCP at this point if you don't already have it in place. NOTE based on comments: DO USE DHCP! The prior wording was supposed to say that, but admittedly was not clear. Set up DHCP and configure your clients to use it.
  8. Back up your users' profiles on their PC's. They will get new user profiles with their domain accounts.
  9. Join your PC's to the domain

Some of that can be switched around a little but basically it's

  1. Set up your domain and group policies
  2. Set up your user resources
  3. Migrate the PC's

Do this with a handful of PC's in a lab before you do this in production until you are comfortable with the process. You'll also benefit from a workstation naming standard when joining your PC's to the domain (from a sanity perspective).

Here's the site to start learning about group policy.

squillman
  • +1, especially for item 8. Far too many admins skip that step and create a whole lot of unnecessary work and annoyance for the users. A person who has their machine set up just the way they want it is going to be real peeved if you make them start all over. As an admin you don't need the grief that would bring either. – John Gardeniers Sep 14 '09 at 23:28
  • +1 - I'll second this strategy, except that I'd encourage you to implement "Folder Redirection" and learn how to migrate the local user profiles into roaming user profiles (see http://serverfault.com/questions/17832/migrate-local-profiles-to-roaming-profiles/17841#17841 for a very, very brief description). You can create a completely seamless experience for the user if you give a bit of attention to detail. Even if you don't bring over their personal registry hive, at least bring over their files from the local profile into their new redirected folders. – Evan Anderson Sep 15 '09 at 01:34
  • Great point about the roaming profiles. Word of caution, though, is that they get exceedingly cumbersome when dealing with remote access users who like to keep an inordinate amount of crap on their desktop. – squillman Sep 15 '09 at 02:43
  • Excellent suggestions - except the DHCP suggestion shouldn't be a *maybe*, it's a *must* if you want any kind of control over the workstations' networking. Can you imagine administrating all those PCs manually if you decide to change DNS server, or anything else of that nature? Furthermore, if they're all statically assigned, there's no DNS registration (yes this can be set up via GPO, but it's messy). +1 for the excellent suggestions, -1 for the DHCP suggestion, net 0! – Izzy Sep 15 '09 at 05:02
  • Awesome this is exactly what I'm looking for. Would it be better to reinstall the OS? or No? – Noah Clark Sep 15 '09 at 13:24
  • @Izz: True dat re: DHCP. Students often asked me "How many client computers would you have in a LAN to consider using DHCP?" My answer was always "more than one". As soon as you have more than one computer to deal with your configuration labor becomes a multiple of the time taken to do the work once. – Evan Anderson Sep 15 '09 at 13:30
  • @Izzy, @Evan: Yup, I totally agree on the DHCP. The wording of the post doesn't really convey what I was thinking. I was more implying that this would be a good time to do it, not that you might want DHCP period. – squillman Sep 15 '09 at 13:37
  • @Noah: I don't really think you need to reinstall the OS. I would definitely make sure that they're all at least [very] close to the latest patch level, though, if not completely patched. – squillman Sep 15 '09 at 13:39
  • Thanks. A lot of people complain about slow PCs. I haven't read about copying things over yet, but my concern is that the slowness could be coming from something in their user profile if this includes the registry. Obviously, I could run a registry cleaner, but maybe starting fresh with a locked down PC isn't a bad idea? I knew what you meant about DHCP. We are currently using it and it works well. – Noah Clark Sep 15 '09 at 13:46
  • If it's no skin off your back I would say go for it. Doing that you could prep a new machine and swap it with a user's existing machine. At that point you could copy any profile items. That helps to make it more transparent to the user. – squillman Sep 15 '09 at 14:38
  • Doing this would require more time, how would you manage a non-domain and a domain network at the same time? My only real concern would be the file server. I know its IP address is x.x.x.x so I just hop right on there, but everyone else knows it as //server. – Noah Clark Sep 15 '09 at 15:12
  • As long as it's in DNS and everyone uses that DNS server there shouldn't be any problem there. The one gotcha in a piece-by-piece migration related to this is that you might need to give everyone their domain credentials ahead of time if the file server is going to be joined to the domain early in the game. They won't be able to use their workgroup logons unless the username and password are the same as on the domain. If you change your account naming convention then they'll have to enter their domain credentials to connect to shares. – squillman Sep 15 '09 at 18:26
  • Regarding **OS Reinstall** - if you can afford the time, then most definitely. Trust me, when you get it all done, and you look around your shiny new domain with shiny new machines, all clean and ordered and neat, you'll be glad. – Izzy Sep 16 '09 at 01:50
1

A domain will sure allow for better management, and better network performance too (no more NETBIOS broadcasts all around).

Steps to bring all of this into a domain:

  • Give each computer (and your DC, of course) an IP address/subnet mask pair so that all of them are on the same subnet.
  • Make each computer use your DC as its DNS server.
  • Make each computer use the default gateway for your network.
  • Make sure your DNS server can resolve Internet names (it does, by default; but you should configure forwarders for better performance).
  • Join each computer to the domain.
  • Create user accounts for your users.
  • If needed, give users local administrator rights on their computers.

This should get you going.

For group policies, you can start here.

Massimo
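
A readiness check for the addressing steps in both answers (DHCP, same subnet, DC as DNS server), as an added example that is not part of the original posts: it parses constructed Windows XP `ipconfig /all` excerpts and lists what to fix on each workstation before the domain join. The DC address, subnet and host names are assumed lab values, and the DC is assumed to be the only DNS server holding the AD SRV records.

```python
import re
from ipaddress import ip_address, ip_network
# Assumed lab values (hypothetical, not taken from the thread).
DC_DNS = "192.168.10.5"                  # the DC, sole holder of the AD SRV records
SUBNET = ip_network("192.168.10.0/24")
# Constructed `ipconfig /all` excerpts in the Windows XP layout, one per workstation.
SAMPLES = {
    "PC-01": """
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.10.31
        DNS Servers . . . . . . . . . . . : 192.168.10.5
""",
    "PC-02": """
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.77
        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            192.168.10.5
""",
}
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)[ .]*:\s*(.*)$")

def parse(text):
    """Map each label to its values; unlabeled lines continue the previous field."""
    fields, last = {}, None
    for line in filter(str.strip, text.splitlines()):
        m = FIELD.match(line)
        if m:
            last = m.group(1).lower()
            fields[last] = m.group(2).split()
        elif last:
            fields[last] += line.split()
    return fields

def findings(text):
    """List what must be fixed on one workstation before it is joined."""
    f, out = parse(text), []
    if f.get("dhcp enabled") != ["Yes"]:
        out.append("static addressing: move to DHCP")
    if not any(ip_address(a) in SUBNET for a in f.get("ip address", [])):
        out.append("address outside the domain subnet")
    dns = f.get("dns servers", [])
    if dns[:1] != [DC_DNS]:
        out.append("DC is not the first DNS server")
    if any(d != DC_DNS for d in dns):
        out.append("non-AD DNS server listed: SRV lookups can fail")
    return out

if __name__ == "__main__":
    print({host: findings(text) for host, text in SAMPLES.items()})
```

An empty list means the workstation's addressing is ready for the join; the check says nothing about patch level or profile backups.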