3

I have somehow been nominated as the sysadmin for my family's small business. While administering this should be easy, I'm torn on what the best way of doing this is.

A unique aspect of the aforementioned business is that it is very decentralised - there are 30 locations, each with only one computer. There are also 5-10 staff who move frequently between locations, and each staff member and branch has a company-provided laptop running Windows 10 Professional.

While I could apply (and have been applying) Group Policy manually to each computer and manually installing programs, it gets tiring after doing this to 40 machines and driving hundreds of miles between these wide-apart branches. Ideally, this company would have centralised Windows authentication, roaming user profiles and folder redirection between branches, centralised group policy, and network drives shared between certain users.

I assume the best way to do this in a normal environment would be to have an Active Directory Domain Controller in each branch and use this to centralise these aspects of administration and to provide file shares. However, it is not economical for a small business to have so many dedicated servers, in locations that change frequently. In fact, it is impossible - the company has no fixed headquarters I could theoretically run such a server from.

It seems like my only solution is cloud computing... My first thought was to have an AD DC in the cloud (sounds stupid to me), and for the clients to connect to this using a VPN (DirectAccess doesn't work in the cloud due to IP stuff). They then join the domain as usual and everything gets enforced.

I went to Google Cloud Platform (with which I'm most familiar, Azure wasn't much different), provisioned a Windows server, made it an AD DC, installed OpenVPN server, configured routing, made some certificates, installed them on a laptop, joined the domain successfully, and everything seemed okay (apart from Group Policy only half-applying, but I'll figure that out later).

E-mail is also integral to operations. Each day of downtime for this is around £10,000 ($13,000) lost revenue, and this figure doubles annually. No capacity planning was done by my predecessor so everything is pretty hastily thrown together. This will need to authenticate against AD DS, since single-sign-on is expected by employees and management. I can't do e-mail in the cloud unless I use a third-party e-mail service, but we need to keep deliverability at 100% and we're maintaining our own IP reputation at the moment. There is no e-mail SSO at the moment, and e-mail is running on a separate Linux server with a separate VPS provider (which obviously isn't easily scalable).

Also, there's the problem of having SMB shares over a high-latency connection. While this wasn't a problem when I was using it, I'm aware this could pose an issue.

So, am I going about this the right way? Is this an appropriate use of Active Directory? Should we move everything to a hosted groupware product and webmail, and not bother with this altogether? If so, that hugely decreases the probability that management will agree to my plans.

EDIT: We're managing our own e-mail because we have a lot more addresses than machines (lots of part-time employees), so we can't afford to pay per-user.

Alex V-P
  • Do these users use Microsoft Office? What other applications do you need to provide for them? Do you need company-wide shared document/file storage as well as individual document/file storage? What are you using for email now? Who manages your email? – joeqwerty Sep 07 '17 at 20:05
  • @joeqwerty Yes, they do, but we don't have a volume-licensing agreement so we use ClickToRun so there's no MSI or Group Policy AFAIK. It's just general productivity stuff: a decent web browser and that's it. I'm not making any special use of group policy apart from what's built into Windows. Yes, I was planning to use file shares with varying permission levels. We're using a Debian Linux server with iRedMail, so I'm stuck managing e-mail, too. It's a precarious situation to say the least. – Alex V-P Sep 07 '17 at 20:23
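The question describes joining laptops to a cloud-hosted DC over OpenVPN and then seeing Group Policy only half-apply. The following diagnostic script is an added example, not code from the original post; it assumes the laptop is already domain-joined, the VPN is up, and `$Domain` is a placeholder for the company's AD domain name. It walks the dependencies Group Policy has on the tunnel in order: DC location via DNS, the ports policy processing uses, how Network Location Awareness classified the VPN interface, the machine's secure channel, and finally which GPOs were applied or filtered.

```powershell
# Added diagnostic script (not from the original question). Run in an elevated
# PowerShell on a domain-joined laptop after the VPN tunnel is established.
# $Domain is a placeholder; replace it with the real AD DNS domain.
param([string]$Domain = 'corp.example.internal')

# 1. Can the client locate a DC through the tunnel? Domain members find DCs via
#    DNS SRV records, so the VPN must hand out a DNS server that hosts the AD zone.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
$dc  = ($srv | Where-Object Type -eq 'SRV' | Select-Object -First 1).NameTarget
"DC located via SRV record: $dc"

# 2. Are the ports Group Policy and authentication depend on open across the VPN?
#    88 = Kerberos, 389 = LDAP, 445 = SMB (SYSVOL, where GPO files live), 135 = RPC.
foreach ($port in 88, 389, 445, 135) {
    $ok = (Test-NetConnection -ComputerName $dc -Port $port `
           -WarningAction SilentlyContinue).TcpTestSucceeded
    "{0,-5} {1}" -f $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# 3. How did Network Location Awareness classify the tunnel? If the VPN interface
#    is tagged Public or Private instead of DomainAuthenticated, the domain firewall
#    profile and any policy scoped to it are not in effect on that link.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory, IPv4Connectivity

# 4. Is the computer account's secure channel to the domain intact?
Test-ComputerSecureChannel -Verbose

# 5. Which GPOs were applied to the computer, and which were filtered out and why.
gpresult /r /scope:computer
```

A `BLOCKED` port in step 2 or a non-domain category in step 3 is the first place to look when policy applies only partially over the tunnel.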

1 Answer

4

My suggestion would be to look into Office 365. You can purchase O365 services that include Office apps, Sharepoint (document libraries and storage), OneDrive for Business (personal document/file storage), Exchange Online, Microsoft Teams (group chat), Skype for Business, etc.

This frees you up from having to manage licenses, Office installs, updates, it frees you from having to manage your own email server, and frees you up from having to purchase, install, or manage any of your own infrastructure.

joeqwerty
  • This doesn't allow me to enforce group policy, administrative templates, etc., though (afaik?). We can't BYOD due to confidentiality problems; we handle some really sensitive data. Otherwise it's an option I'll definitely look at for email hosting. Thank you. – Alex V-P Sep 07 '17 at 22:46
  • You said in your other comment that you're not making any special use of Group Policy. If you can add some information to your question regarding what, if any, Group Policy settings you need to apply and what specific security requirements you have then we can tailor our responses to those issues. – joeqwerty Sep 07 '17 at 23:05
  • For all-remote machines, MS Intune will do a better job of patching and policy than trying to cloud-host an AD environment. – mfinni Sep 08 '17 at 04:05
  • @mfinni Thank you. I was looking for Enterprise Mobility + Security from Microsoft 365. The only specification it doesn't fit is cost, but I can probably make it work. – Alex V-P Sep 08 '17 at 07:01