2

I handle an office of 15 employees that need to access their workspace from home and at work and was looking for advice on making things easier to manage. Right now the office is in a workgroup and the regulars who work on-site have their files stored on their workstation. Those who work from home connect to a Windows Server 2003 box via Remote Desktop that contains all of their files. More and more, employees are working both from home and in the office so their files are out of sync. Any time I need to update programs I must do it individually on each workstation and then on the server.

How can I make this setup simpler? I was thinking of putting them on a domain with roaming profiles but it sounds like too much fussing around to make certain applications work correctly. My other idea was to run the entire office through Remote Desktop and effectively make the workstations dumb terminals. If I went with the domain or Remote Desktop route, I wouldn't want the entire office going down if a single server failed. What is a good way to have a secondary server standing by with a recent copy of all programs/data?

I'm not asking for step-by-step instructions but just some best practice recommendations from those who have experience in this area. Thanks!

  • excellent question - I know how to attack this from a Linux viewpoint, but not the Windows front :) ..favorited this one to see what folks have to say – warren Sep 17 '09 at 02:26

4 Answers

2

Here's Evan's "plain vanilla" answer:

  • Promote the server computer to being a domain controller.
  • Join all the PCs to the domain.
  • Convert all the users' local profiles to roaming user profiles and implement folder redirection.
  • Set up some kind of VPN (either using the W2K3 server as a VPN server or using a dedicated hardware appliance-- your call)
  • Configure client computers to allow incoming Remote Desktop sessions and use them as "dumb terminals"
  • Run backups of user data on the server computer-- daily, weekly, etc. Test your backups. Make sure they really are backups (see http://www.taobackup.com/).
  • Have sufficient fault-tolerance in the server hardware to handle hard disk drive failure, at minimum (i.e. RAID). Handling power supply failure is nice, too, but more expensive. Having a UPS on the server computer is "a must".

I'm glossing over a lot of that. It's probably only a few days' work, when all is said and done. There are a lot of questions I'm not asking here, but it's a good skeleton of a plan. W/ 15 clients I'd be shocked if it took more than 30 hours to whip that into shape. It could all be done one PC at a time, too, to prevent your users from all experiencing downtime at once. If you pay attention to detail it can be done reasonably seamlessly for the users (by migrating their user profiles) such that they hardly notice it happened.

You should be storing data centrally and running backups centrally. You can't have any information security (confidentiality, integrity, or availability) without that. Storing files on PCs makes them ticking time bombs.

Roaming user profiles, group policy, and centralized file storage allow your PCs to become "cogs" to be swapped in and out as necessary when PC hardware fails.

The server computer's hardware should be able to withstand minor faults (ECC memory, RAID, redundant power if you can afford it) and should be warranted with a service contract with an appropriate response level for the expense, per hour, of downtime.

Having the remote users work right on desktop machines via RDP means that you don't have "file sync" issues to worry about, and you can button the VPN down to allow only the RDP protocol into the LAN. (Windows Small Business Server can do such an RDP scenario w/ no VPN server or VPN client software.)

You really don't need the added expense and complexity of a "standby server". You just need good, tested backups, and a solid server to begin with. (Come back when you have 100 users and we'll talk about a "standby server"-- and even then it probably won't make sense unless your cost-per-hour for downtime is very, very high.)

There's lots of good info on Server Fault to help with this kind of setup, but you really should get a local professional (with some good references) to come on-site and help you get started with it. It sounds like you'd want to do a lot of the work yourself, so look for somebody who is interested more in getting you started down the right path versus billing and billing and billing you. (There are consultants / contractors who work that way, but they're harder to find.)

You'll be tempted to scrimp on backup. Don't. Read that "Tao of Backup" web site. It's, admittedly, a sales pitch and a bit dated, but it's all correct. Same goes w/ the UPS-- don't scrimp on that, either.

You'll get other nice stuff, too-- group policy and Windows Server Update Services (to allow you to control update distribution on your PCs), just to name a couple of things. Depending on what you're using for DNS and DHCP right now, you may end up with nicer to manage solutions for them, as well. You'll get the ability to do real per-user / per-group file permissions. Yay, security!

Personally, I wouldn't be able to sleep at night w/ files stored on PCs and users having "file sync" issues. I'd want to get that cleaned up ASAP.

Evan Anderson
2

Small Business Server (SBS) would seem to be an excellent solution for you - it would require re-installing your server but that shouldn't be a big deal since you would already have a massive migration issue if you moved to a domain (which you should).

SBS provides some very useful features but how useful does depend a little on what your office setup is like. Do you have workstations for the users at work or are they using laptops and taking them home? If you have computers at work that users typically use, having an SBS domain can provide a feature called "Remote Web Workplace" (RWW). This feature allows people to connect to their desktops easily through a web site (without VPN, but still securely).

Now, do you NEED SBS or can you use your existing server? You CAN use your existing server, but SBS is DESIGNED to be managed by the less technical systems admin (the guy/gal who is by default the person everyone asks to fix their computer problems in the office). So it's generally much easier to set up and manage and it is VERY wizard driven.

I would recommend hiring a person who knows and understands SBS to install it properly. (There are MANY people out there who don't know it/understand it and they mess it up and provide a lot of false information about the product because they've only heard bits and pieces about it). Once installed, you can manage it for day-to-day operations, such as adding users, resetting passwords, setting up shares, etc.

Feel free to ask more about SBS or provide more details and maybe another solution is more appropriate (it's rare that I see an organization your size where SBS would NOT be an appropriate solution).

Multiverse IT
1

First and foremost, I recommend getting all corporate data off of all individual workstations. Even if you're not in an Active Domain network, have all of the users access the data from a shared network drive. This will not only allow the data to survive a workstation failure, it will provide you with a centralized backup point to back up all corporate data (for historical archiving and offsite storage).

But, to answer your question, I recommend either of the following solutions. The first would be to provide everyone with their own workstation located onsite. This workstation would contain all of their applications and have mappings to the mapped drives from above. Then via a secured VPN tunnel, allow the users to access their individual workstations remotely using Remote Desktop. The downside to this method is that you're still going to need to update software on individual workstations, although at least they'll all be local to the office.

The second solution, which you briefly touched on, is to install Terminal Services on a dedicated server and have everyone run their applications from it. Not only will all productivity stop if that server fails, the server itself would have to be very powerful to handle the average workload of 15 power users. Although this does provide a simple solution to not having to manage the "up keep" of individual workstations.

In my environment, all of the employees don't run the exact same software. Of course, we all need the essentials (MS Office...) but since most of us use different types of software it wouldn't make sense for us to bog down a Terminal Server with several apps that only one or two people would use. We decided to use my first idea from above, with all of the workstations in an Active Directory domain. Being in a Windows domain allows me to configure Group Policies and logon scripts to make sure that drives are mapped, etc. In addition, we also use automation software for patching, updates, etc.

Hopefully this helps somewhat! ;) There might be some holes in it, just a quick brain dump.

user20248
0

1 - Set up a domain.

This will give you central management. This will allow you to deploy software, setup policies, lock down the machines, centralize user accounts, etc. You may not need anything fancy right now but it will get you started. But please, please stay away from SBS.

2 - Get your remote users laptops.

It is bad practice to allow people to remotely connect to corporate assets from their personal computers. You have no idea what is on there and have no control of antivirus or who has access to the machine and, by extension, corporate resources and privileged information.

3 - If you don't have one set up already, force them to connect through a VPN.

This is actually probably the most important thing you can do; you do not want to allow unencrypted access to your corporate network. Probably the easiest approach would be to use something like a Cisco/Sonicwall/some other hardware device or a Windows server running RRAS/IAS (not your primary DC/file server) or a Linux box running something like OpenVPN.

4 - Make users save all documents to a central file server

Part of this is going to be a process instead of a technological fix; you will need buy-in from management to really make this stick. Some of the benefits will be centralized backup of all important documents, and people not having 4 different copies of a file on 7 different machines. Roaming profiles are not as important with laptops + centralized file server, and this has done us well with our mobile workforce of about 40 people.

Zypher
  • 1
    Voted down for recommending against SBS (and not explaining why), which, based on this question, is a potentially excellent solution. – Multiverse IT Sep 17 '09 at 05:57