28

I manage a shop of around 30 machines and 2 terminal servers (one production, one standby). Should I really deploy Active Directory in our network?

Are there any real benefits that could balance the existence of another AD server? Our Terminal Server is to run independently, with no other services on it except our corporate APP.

What great features am I missing if I still run it without AD?

Update: but are any of you running a successful shop without AD?

Nick Kavadias
  • 10,866
s.mihai
  • 1,499

13 Answers

32

Using Active Directory brings a number of advantages to your network, a few I can think of off the top of my head:

  • Centralised user account management
  • Centralised policy management (group policy)
  • Better security management
  • Replication of information between DCs

Obviously these benefits also bring some overhead, and a good deal of work and time is needed to set up an AD environment, especially if you have an existing setup; however, the benefits of the centralised management that AD brings are well worth it, in my opinion.

Sam Cogan
  • 39,089
20

Some "drive-by" responses ...

1- If you are using Exchange for email, then AD is required. You likely are not using Exchange or you would know that, but I include it for those who may be considering this.

2- AD manages a "centralized authentication" system. You control users, groups, and passwords in a single place. If you don't have AD, you will likely have to set up your users separately on each terminal server, or have a generic user on each for access and use security in the application.

3- If you have other Windows servers, AD allows for straightforward securing of resources on those servers in a single place (AD).

4- AD includes some other services (DNS, DHCP) which otherwise have to be managed separately. I suspect you may not be using them if the only Windows servers you have are the terminal servers.

5- Although not required, there is benefit to having the workstations in the domain. This allows for some (not comprehensive) single sign-on capabilities as well as significant control and management of the workstations through "group policies".
--> For instance, through GP you can control the screen saver settings, requiring that the screen saver lock the workstation after x minutes and requiring the password to unlock.

6- You might be a good candidate for Microsoft Small Business Server if you need email, file sharing, remote access and web serving.

I second the note about having two domain controllers. If you only have one DC and it fails, you are in for real pain getting access to things. It is (I believe) possible to have the terminal servers also be domain controllers, although I suspect many will not recommend it. In a small network like yours the DC workload will be insignificant, so it might work.


EDIT: in a comment s.mihai asked: "it's their interest to make us buy all we can. but can i be OK without AD ? local accounts, no exchange.... ?!"

Were I in your shoes, I would use the TS project as an excuse to add AD for the benefits, particularly on the workstations. But it sounds like your mind is made up and you want cover, so here it is.

ABSOLUTELY you can be OK without AD.

tomjedrz
  • 5,974
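The screen-saver lock policy mentioned in point 5 above is the kind of setting an admin will also want to verify on the workstations themselves. The following PowerShell is an added example (not code from the answer or from Microsoft) that reads the user-level policy values Group Policy writes for "Enable screen saver", "Screen saver timeout" and "Password protect the screen saver" and reports whether the lock is actually enforced; the 10-minute limit is an assumption standing in for the "x minutes" in the answer.

```powershell
# Added example: check that the GPO-enforced screen-saver lock is in effect
# for the current user. The registry path and value names are the locations
# Group Policy uses for the three screen-saver policies under
# User Configuration > Administrative Templates > Control Panel > Personalization.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$MaxTimeoutSeconds = 600   # assumption: "x minutes" from the answer, taken as 10 minutes

function Get-ScreenSaverPolicy {
    # Returns the three policy values; $null for any that is not set (= not enforced).
    $values = @{}
    foreach ($name in 'ScreenSaveActive', 'ScreenSaveTimeOut', 'ScreenSaverIsSecure') {
        $item = Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue
        $values[$name] = if ($item) { $item.$name } else { $null }
    }
    return $values
}

function Test-ScreenSaverPolicy {
    param([hashtable]$Policy, [int]$MaxTimeout)
    # Returns a list of findings; an empty list means the policy is enforced as expected.
    $problems = @()
    if ($Policy.ScreenSaveActive -ne '1')    { $problems += 'screen saver is not enforced' }
    if ($Policy.ScreenSaverIsSecure -ne '1') { $problems += 'resume does not require a password' }
    $timeout = 0
    # The policy stores the timeout as a string of seconds; treat missing, zero or
    # overly long values as non-compliant.
    if (-not [int]::TryParse([string]$Policy.ScreenSaveTimeOut, [ref]$timeout) -or
        $timeout -le 0 -or $timeout -gt $MaxTimeout) {
        $problems += "timeout is '$($Policy.ScreenSaveTimeOut)', expected 1..$MaxTimeout seconds"
    }
    return $problems
}

$findings = Test-ScreenSaverPolicy -Policy (Get-ScreenSaverPolicy) -MaxTimeout $MaxTimeoutSeconds
if ($findings.Count -eq 0) {
    Write-Output "OK: screen-saver lock policy is enforced for $env:USERNAME on ${env:COMPUTERNAME}"
} else {
    Write-Output "NOT COMPLIANT for $env:USERNAME on ${env:COMPUTERNAME}"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it under the user account in question after a `gpupdate`; a workstation that has never joined the domain will report all three values as unset, which is exactly the gap the answer describes.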
16

Off the top of my head:

  1. centralized user & security management and auditing
  2. computer group policies centralized
  3. software deployment (via GPO)

AD is also required for applications such as Exchange.

MS has a whitepaper just for you on this topic.

Nick Kavadias
  • 10,866
10

AD has many features that you may find very useful. The first of which is Centralized Authentication. All user accounts are managed in a single location. This means that you can use your credentials among any of the machines in the environment.

Another item this allows is better security for sharing resources. Security groups are very useful for targeting access to resources such as file shares.

Group policy allows you to enforce settings across a number of machines or users. This would allow you to set different policies for users logging into the Terminal servers vs users logging into their workstations.

If you set up your terminal servers properly, and depending on the applications, the centralized authentication, access rights via Security Groups and GPO policies would allow you to utilize both Terminal servers in more of a clustered style than in your current setup, where one is idle all of the time. This will allow you to scale up to more terminal servers (N+1 style) as the need for resources increases.

The downside is that you are only thinking about 1 Domain Controller. I strongly recommend 2. This ensures that you do not have a single point of failure for your Active Directory Domain.

As mentioned in several comments, cost is likely to be a significant factor here. If the original questioner has a fully working setup, it may be out of his budget to bring in the hardware and software required to stand up an Active Directory domain environment without an overwhelming case to justify the costs. If everything is working, AD is certainly not required for an environment to work. Those of us who have used it in corporate environments in the past, however, are very strong proponents. This is largely due to the fact that it makes the administrator's job much easier in the long run.

Kevin Colby
  • 1,810
6

I recently moved into a (relatively large / successful) shop without MS AD. Sure, you miss out on Microsoft/Windows Single Sign On, but there are other solutions for that such as Authentication Proxies (SiteMinder, WebSEAL etc.). As for centralized user management, any LDAP (or SiteMinder) could be an option as well.

So yes, you can be a successful shop without (MS) AD, you just need to find the alternative.

kolonell
  • 207
6

I think the bigger question is why not?

Are you leaving the User accounts separate for security? Do the users of each machine only use that machine?

If the same users need to use all the machines, AD will give them these benefits: if they log into the domain, they are trusted in all the places they and their groups are trusted. If they change their password, it is the same everywhere; they don't have to remember to change it on all 10 machines (or worse, forget it and need you to reset it for them every other week).

For you it gives the benefit of central/global control of permissions. If you have folders that have special permissions for groups and a new person is hired, you just add them to the group and you're done. You don't have to attach to each machine and create the same user over and over and set the permissions.

Also, each user's machine will be in the domain, so it can be controlled by the domain.

I think the biggest benefit is GPOs. When they log in to the domain, you can send policies to their PC that can protect the security of your entire network.

That being said, my office is small (about 15), and we have no official IT department. So we (over)use MS Groove as our infrastructure, and have no AD or any central servers really; we are laptop based.

5

In my opinion one of the biggest is single sign-on. While it sounds like your end users probably don't notice, it certainly is a nice thing from an admin standpoint. You only have one password to keep track of, and when it comes to changing it you only have to do it in one spot, not 32. There are loads of things you can do to manage your environment if you're not afraid of scripting.

sysadmin1138
  • 135,853
4

The benefit of foregoing AD is obviously cost.

AD benefits boil down to 2 factors; if you don't care about them, the answer is "No".

  • Centralized management: of users, computer accounts, lots, automatic updates, software deployment, group policy etc. (Lest I oversimplify this, be sure you understand the effects of "thinking small" in fundamental matters. A single example: 30 static IP addresses is maintainable. How about 100? 256?)
  • Expansion foundation: 2 AD controllers seems excessive (though still necessary) for a network of 30, but they're sufficient for 1000-1500 users, I believe? Set up properly, AD doesn't need to be altered until you get much larger.

I think the best advice is to peruse the active directory tag here on SF as it fills out, to see if you can spot enough features (e.g. Hyper-V with 2008 server) that'll benefit your shop to make the purchase worthwhile.

Kara Marfia
  • 7,882
2

All good answers here. I'll put my thumbs up for having two domain controllers as well. In a small environment even putting both of them as VMs on the same piece of hardware would be OK. Someone can probably chime in on this more authoritatively, but if you use MS Hyper-V (server 2K8) as the host you may have some OS licensing benefits?

Having Single Sign On (SSO) / unified authentication will save you so much work creating accounts and setting folder permissions all over the place. Of course putting AD in place and adding the systems & users to the domain will take some effort.

Jeff

2

You need centralized authentication and management if you intend to grow this environment at all. Even if you don't intend to grow the environment, you'll see very real time savings in day to day operation by implementing centralized authentication and authorization now.

If it's a Windows environment, AD is the easy, but costly fix. If cost is the sticking point for AD, then implement Samba.

It will seem harder at first, but you'll get used to the tools and you'll look back and wonder how it wasn't completely obvious to you that you needed to do this.

Brian
  • 925
1

You DO NOT need AD.*

Large law firm. We've ranged from ~103 to ~117 users, with 4 sites in 3 states for the last 2 years, with turnover of interns and clerks. We run the entire firm with 1 server box for Domino/Notes and accounting, a couple of dedicated W2K8 servers for specialty software, about 5 or 6 dedicated generic Windows boxes for various apps and... 2 Linux boxes for all file server needs and backup, plus a 3rd box for a firewall. It all runs like the Energizer bunny, and we haven't had many issues with vendors or software.

* But you may get it anyway. Microsoft intends that you WILL join the collective, and apart from migrating off Windows altogether, you're pretty much destined to end up with AD in the long run.

voltaire
  • 166
0

For 30 machines? It's entirely optional.

I manage several big locations (30~125 systems/workstations per location on average) running without AD using Samba and batch/autoit scripts. They work fine, and apart from the odd software update breaking things, have been trouble free.

voltaire
  • 166
0

Reasons to use Active Directory

  1. Protected user security group
  2. Centralized user account management
  3. Centralized policy management through group policy objects
  4. Additional managed services
  5. Better security management
  6. Profile replication
  7. Authentication policies
  8. AD recycle bin
  9. CAL activation
  10. Patch distribution
  11. AD web services
  12. Password reset
  13. Single sign on
  14. Two factor authentication
  15. Directory consolidation
  16. Application directory partitions
  17. Universal group caching
  18. Hybrid profile login
  19. Scalability without complexity
  20. Powerful development environment
  21. Session duplications

I successfully ran a system without Active Directory; however, you need to compensate for those demands with alternative tools. I switched over to AD at about 150 users in three different organizations.

LJones
  • 1