Personal computing discussed


 
|FN|Steel
Minister of Gerbil Affairs
Topic Author
Posts: 2160
Joined: Wed Dec 26, 2001 7:00 pm
Location: Kansas

Active Directory

Mon Jul 13, 2015 2:02 pm

Sooo... there's potential in my future that a company I've been doing some light maintenance for might want to set up a server with AD for somewhere around 50-60 users. My networking knowledge sucks ass, but I can follow instructions well and, after poring through a few tutorials, FAQs, and tips-and-tricks type articles, it doesn't seem like it would be too far outside my skill set as long as I pay attention and practice some due diligence on the research and planning side.

Or am I completely fooling myself and this is far more difficult than it seems?
Sucking down the easy flowing milk from society's warm breasts.
 
PainIs4ThaWeak1
Gerbil
Posts: 77
Joined: Fri Jun 26, 2009 11:13 am

Re: Active Directory

Mon Jul 13, 2015 2:26 pm

IMHO, creating AD on a Domain Controller is very easy. Edited for clarity: DCPROMO (if Win2008) / "Add Role" (if Win2012), create users, create security groups, assign users to security groups. Done (for the most part).

Where the complexity starts to come into play is with security group memberships and Group Policy Objects (GPOs). E.g. logoff/logon scripts, printer/share mappings, etc. etc. And ensuring that those GPOs/group memberships are applied correctly, and not undoing/overriding your initial intentions. (I.e. SalesUser1 probably doesn't need read/write permissions to a share used by the HR department.)

Again, IMHO, with only 50-60 users, you probably won't find it too mentally taxing to design. I find it helps me to white-board my ideal structure, and refine it as necessary during the implementation.
 
|FN|Steel
Minister of Gerbil Affairs
Topic Author
Posts: 2160
Joined: Wed Dec 26, 2001 7:00 pm
Location: Kansas

Re: Active Directory

Mon Jul 13, 2015 2:37 pm

Thanks for that. It's pretty much where I was in my consideration of such a setup. Luckily, it's a telemarketing company and nearly all end users are the low totem variety. Very few people would require any real elevated access.

My secondary concern is upkeep. They currently just have me work on an as-needed basis. I imagine there needs to be a bit more maintenance with a server and it needs to be checked a bit more regularly. Especially in the beginning. Any ideas on that side of things?
Sucking down the easy flowing milk from society's warm breasts.
 
Aphasia
Grand Gerbil Poohbah
Posts: 3696
Joined: Tue Jan 01, 2002 7:00 pm
Location: Solna/Sweden

Re: Active Directory

Mon Jul 13, 2015 2:43 pm

The big job is not setting up the AD itself, that's the easy part as long as you aren't going to need to set up a whole forest and trusts or cross-forest trusts, SAML, federation and stuff. That's where stuff can really get hairy and you need to have networking, application and AD knowledge going.

Now, the big thing is, what is the AD supposed to do? As PainIs4ThaWeak1 already touched on: GPOs, rights, etc. What is your structure supposed to enforce? Is it only going to be a basic user directory? Do you want to have integrations with other things, like group membership giving access to mail, business systems, VPN, etc.?

How does the organisation look today? Do you have separation of duties set up, or is data all contained locally, or on shares? How are rights set up today?
What do you want to do with the AD? Do you have a need for controlling rights, application logins, share access, etc.?

What it boils down to is not the technical side, but the organisational side of what policies you have and if you have a need to enforce them, and in that case, which parts will the AD help you enforce.

Also, AD generally has zip to do with networking. In larger organisations I've mostly seen separation into separate groups: AD/Exchange (mail), Client, Server, Security (technical and informational groups), Networking (routing/switching and firewall/proxy/VPN groups).


Edit: With regards to upkeep, you need to have a schedule for patching, and if you are going to start using AD for rights and logins: who and when will new employees be configured, is it a big turnaround, what are the defaults going to be? What about any other incidents or changes that need to be performed, etc.? And also backups and recovery plans. What happens if/when the AD goes down, for how long can you work without it, can you survive on local login for profiles for a few days?

Now, small shops usually call their usual contact, or put in a ticket to the ones doing the consulting, so just make sure that expectations are in the right place. And depending on whether they have anybody at least a bit tech savvy themselves, can some things be performed in the day-to-day business, like setup of new users, assigning rights, etc.? What is needed for this, instructions for certain tasks, etc.?
Last edited by Aphasia on Mon Jul 13, 2015 2:51 pm, edited 1 time in total.
 
|FN|Steel
Minister of Gerbil Affairs
Topic Author
Posts: 2160
Joined: Wed Dec 26, 2001 7:00 pm
Location: Kansas

Re: Active Directory

Mon Jul 13, 2015 2:49 pm

Yeah, the primary purpose is to provide uniformity across workstations, nuke the ability for them to install things, maybe a few website restrictions, and perhaps e-mail down the line. Everything today is largely done through Google.
Sucking down the easy flowing milk from society's warm breasts.
 
mattshwink
Gold subscriber
Gerbil First Class
Posts: 198
Joined: Wed Jul 16, 2008 7:54 am
Location: Alexandria, VA

Re: Active Directory

Mon Jul 13, 2015 2:49 pm

Yes, setting up AD is fairly simple. The harder (but not impossible) part will be creating all the users, joining the computers, etc. Once all that is done, management generally becomes easier.

A couple of tips:
1. Setup two domain controllers if you can. Do not install anything else on them (I realize in the small business environment this may not be possible).
1. A. Domain controllers do not consume many resources. They don't have to be high end systems (4 GB of RAM and a single core would be plenty).
1. B. A 2nd domain controller gives you fault tolerance if one fails, otherwise you run into a situation where no one can login
2. Create separate partitions for the DB and Syslog (aside from C: for both). These can be on slow/cheap disks
3. It is highly recommended that you create a policy to change the Administrator account to something else (on PCs, Servers, and Domain Controllers)
4. Group Policy can make management much easier, but make sure you test policies (you can use OUs or security filtering to scope them before wide deployment) before you implement them
5. Back up Active Directory! Make sure whatever backup product you use is "Active Directory Aware". Being able to restore single objects can be useful (we use Quest - now Dell - Recovery Manager for Active Directory for this). This feature comes in handy occasionally (it is one of those things you don't really need until you do - and then you really need it)
6. Make the default administrator (which you hopefully renamed in step 3) password long and complicated and never use it again (stick it in a file/box somewhere). Create accounts for whoever will be managing AD (presumably you) and add that account to domain administrators
6. A. Try not to give everyone domain admin. Active Directory rights can be very granular (for instance you can give someone rights to change passwords in a particular OU, or grant rights to only create computer objects, or create users but not delete them - etc.) and using a least privilege approach tends to keep people out of trouble.

Maintenance of AD is easy. You maintain it just like any other Windows server. Keep it up to date with patches and it will run happily.
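Editor's added example (not code from the thread or from any poster): the "nuke the ability to install things" policy that |FN|Steel wants, built the way mattshwink's tip 4 suggests, scoped to a pilot group by security filtering before it is opened up to everyone. Every name here is a hypothetical assumption: domain corp.example, OU=Workstations,DC=corp,DC=example for the PCs, group GPO-Pilot-NoInstall holding the pilot machines' computer accounts (it is a computer-side setting, so the group must contain computers, not users), and WS-PILOT-01 as a pilot PC reachable over WinRM. Run it on a DC or an RSAT workstation as an account that may create and link GPOs.

```powershell
# Added example; hypothetical names, see lead-in.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName  = 'Workstations - Block Software Installs'
$targetOu = 'OU=Workstations,DC=corp,DC=example'     # assumption
$pilot    = 'GPO-Pilot-NoInstall'                    # assumption: holds pilot computer accounts
$pilotPc  = 'WS-PILOT-01'                            # assumption

# 1. Create the GPO, or reuse it if a previous run already made it.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Pilot: turn off Windows Installer for non-managed apps'
}

# 2. Computer Configuration > Policies > Administrative Templates > Windows Components >
#    Windows Installer > "Turn off Windows Installer".  DisableMSI: 0 = Never,
#    1 = For non-managed applications only, 2 = Always.  1 still lets admins and
#    GPO-deployed (managed) packages install, which is what a support person needs.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\Installer' `
    -ValueName 'DisableMSI' -Type DWord -Value 1 | Out-Null

# 3. Security filtering.  Authenticated Users keeps Read (clients must be able to read a
#    GPO to evaluate it; since MS16-072 that read happens in the computer's context),
#    but only the pilot group gets Apply.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $pilot -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Link to the workstation OU.  Because of step 3 only pilot members actually apply it.
$linked = (Get-GPInheritance -Target $targetOu).GpoLinks |
          Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# 5. Verify on a pilot machine after 'gpupdate /force' there: the GPO should be listed
#    under "Applied Group Policy Objects" in the RSoP report, and the value should exist.
Get-GPResultantSetOfPolicy -Computer $pilotPc -ReportType Html `
    -Path "$env:TEMP\rsop-$pilotPc.html" | Out-Null
Invoke-Command -ComputerName $pilotPc -ScriptBlock {
    Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\Installer' -Name DisableMSI
}

# 6. When the pilot checks out, widen the scope to every machine under the OU.  The pilot
#    group's Apply entry then becomes redundant and can be removed.
# Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
#     -PermissionLevel GpoApply -Replace
```

Two caveats worth stating plainly. This setting only turns off Windows Installer; it does nothing about setup.exe-style installers, portable apps, or per-user installs into the profile, so the real lever on a call floor is that nobody logs on as a local administrator, and anything stricter (AppLocker or Software Restriction Policies) is a separate design decision. And the "Apply" permission is what makes security filtering work: if Authenticated Users keeps GpoApply, the pilot scoping in step 3 does nothing and the policy goes live on the whole OU.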
 
PainIs4ThaWeak1
Gerbil
Posts: 77
Joined: Fri Jun 26, 2009 11:13 am

Re: Active Directory

Mon Jul 13, 2015 2:51 pm

I may be incorrect, but companies like Solarwinds may offer some sort of trial/free-ware monitoring solution (think, E-mail alerts based on condition.) Shoot, Win Server may already have a similar functionality built in with "Performance Monitor", or the like. (I've only ever used third party solutions for real-time monitoring. Most of which, have been Solarwinds products.)

I would use Snapshots (if virtualized) frequently during setup/configuration phase, in case "Oh, Sh*t!". You may want to consider identifying a lower-level Admin on-site - Someone who can reset locked accounts/passwords/and the like, if you cannot access their AD structure publicly. Periodic backups of the AD database, and/or server, would obviously be a "best practice", but YMMV.

Consider that any other machines/servers that offer services to said company may need to be joined to your new AD domain (for the sake of ease of user access). Client computers may need the same treatment as well. Again, depending on their needs vs. how much work you're willing to put into the project.
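Editor's added example, covering both mattshwink's tip 6.A (AD rights can be delegated per OU instead of handing out Domain Admin) and PainIs4ThaWeak1's suggestion of an on-site person who can reset passwords and unlock accounts. It is not code from the thread or from either poster. Hypothetical names: the standard users sit under OU=Call Floor,OU=Users,DC=corp,DC=example and the on-site helper's account is in a group named Helpdesk-PasswordReset. The script reads the schema and extended-rights GUIDs from the forest itself rather than hardcoding them, then adds three ACEs to the OU that inherit down to user objects only.

```powershell
# Added example; hypothetical names, see lead-in.  Run as a Domain Admin on a DC or
# an RSAT workstation.
Import-Module ActiveDirectory

$ouDn      = 'OU=Call Floor,OU=Users,DC=corp,DC=example'   # assumption
$groupName = 'Helpdesk-PasswordReset'                       # assumption, must exist

# Look up GUIDs from this forest: attribute/class GUIDs from the schema partition,
# control-access-right GUIDs from CN=Extended-Rights in the configuration partition.
$rootDse    = Get-ADRootDSE
$schemaGuid = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $schemaGuid[$_.lDAPDisplayName] = [guid]$_.schemaIDGUID }

$rightGuid = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $rightGuid[$_.displayName] = [guid]$_.rightsGuid }

$sid       = (Get-ADGroup $groupName).SID
$userClass = $schemaGuid['user']

# One ACE: the named rights on $ObjectType, inherited only by user objects under the OU.
function New-UserAce {
    param([string]$Rights, [guid]$ObjectType)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClass)
}

$aces = @(
    # Set-ADAccountPassword -Reset needs the "Reset Password" control access right
    (New-UserAce -Rights 'ExtendedRight'               -ObjectType $rightGuid['Reset Password']),
    # Unlock-ADAccount writes lockoutTime
    (New-UserAce -Rights 'ReadProperty, WriteProperty' -ObjectType $schemaGuid['lockoutTime']),
    # "User must change password at next logon" writes pwdLastSet
    (New-UserAce -Rights 'ReadProperty, WriteProperty' -ObjectType $schemaGuid['pwdLastSet'])
)

$acl = Get-Acl -Path "AD:\$ouDn"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: the group should have exactly these three object-specific, inherited entries
# and nothing broader (no GenericAll, no WriteDacl).
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType

# What the on-site helper can now do, from any machine with RSAT, as a plain user:
#   Set-ADAccountPassword -Identity jdoe -Reset -NewPassword (Read-Host -AsSecureString)
#   Unlock-ADAccount -Identity jdoe
#   Set-ADUser -Identity jdoe -ChangePasswordAtLogon $true
```

The check that matters before delegating: whoever can reset a password for an account effectively owns that account, so the OU you delegate on must hold only standard users. Keep admin and service accounts in a separate OU that this ACL never touches. Members of protected groups (Domain Admins and friends) are additionally guarded by AdminSDHolder, which overwrites their ACLs on a schedule, but relying on that instead of on OU layout is the wrong way round.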
 
Flying Fox
Gerbil God
Posts: 25542
Joined: Mon May 24, 2004 2:19 am

Re: Active Directory

Mon Jul 13, 2015 2:52 pm

mattshwink wrote:
2. Create separate partitions for the DB and Syslog (aside from C: for both). These can be on slow/cheap disks

Is this for speed or sanity of management? If it is for speed then a single SSD should solve that?
The Model M is not for the faint of heart. You either like them or hate them.

Gerbils unite! Fold for UnitedGerbilNation, team 2630.
 
mattshwink
Gold subscriber
Gerbil First Class
Posts: 198
Joined: Wed Jul 16, 2008 7:54 am
Location: Alexandria, VA

Re: Active Directory

Mon Jul 13, 2015 3:08 pm

Flying Fox wrote:
mattshwink wrote:
2. Create separate partitions for the DB and Syslog (aside from C: for both). These can be on slow/cheap disks

Is this for speed or sanity of management? If it is for speed then a single SSD should solve that?


Neither....and both :)

Yes, you can use a single disk, but I recommend partitioning (so partition for OS (C:), partition for AD DB, partition for AD TL, partition for Sysvol). They can be small (5 GB each), so 15 GB total for AD (and most of that won't be used).

In general it is done so that something "else" does not fill up those disks. If an errant program (or person) fills the drive, AD goes down. In larger environments it can help performance, but we're talking really large (25,000+). Separating them out allows security to be done at the root of the file system to keep privileges at a minimum.

It's important to remember that AD is a database. If you normally colocate your databases with the OS, then this won't make much sense to you. But I am always protective of AD since if it goes down it tends to take a lot with it.

For the record, the default locations for AD files are on C:, and that is fully supported by Microsoft.
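Editor's added example of how the layout mattshwink describes (OS on C:, AD database, transaction logs and SYSVOL each on their own volume) is actually chosen, which is at promotion time: moving the files afterwards means ntdsutil and downtime. It is not code from the thread or from the poster, and it also builds the second DC from tip 1. Hypothetical assumptions: new forest corp.example (NetBIOS CORP), volumes D: (NTDS database), E: (NTDS logs) and F: (SYSVOL) already created and formatted NTFS on both servers, Windows Server 2012 or later, run elevated. Each promotion ends with a reboot.

```powershell
# Added example; hypothetical names, see lead-in.

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# Sanity check before promoting: the three volumes exist and are NTFS (required for
# the database and for SYSVOL).  Fail early rather than at 80% of the promotion.
foreach ($letter in 'D', 'E', 'F') {
    $vol = Get-Volume -DriveLetter $letter -ErrorAction Stop
    if ($vol.FileSystem -ne 'NTFS') {
        throw "${letter}: must be NTFS, found '$($vol.FileSystem)'"
    }
}

# The DSRM password is the offline recovery login for this DC; store it with the
# renamed Administrator password from tip 3/6, not in a script.
$dsrmPwd = Read-Host -AsSecureString 'DSRM (Directory Services Restore Mode) password'

# --- First DC: creates the forest, with AD files off the OS volume ---------------
Install-ADDSForest `
    -DomainName 'corp.example' -DomainNetbiosName 'CORP' `
    -ForestMode Win2012R2 -DomainMode Win2012R2 `
    -InstallDns `
    -DatabasePath 'D:\NTDS' `
    -LogPath      'E:\NTDS' `
    -SysvolPath   'F:\SYSVOL' `
    -SafeModeAdministratorPassword $dsrmPwd `
    -Force

# --- Second DC: run on the other server once the first is back up ----------------
# Same layout, plus DNS and global catalog so either DC alone can service logons
# (the point of tip 1.B).
$cred = Get-Credential 'CORP\Administrator'
Install-ADDSDomainController `
    -DomainName 'corp.example' -Credential $cred `
    -InstallDns -NoGlobalCatalog:$false `
    -DatabasePath 'D:\NTDS' `
    -LogPath      'E:\NTDS' `
    -SysvolPath   'F:\SYSVOL' `
    -SafeModeAdministratorPassword $dsrmPwd `
    -Force

# --- After the reboot: confirm where the files really landed ---------------------
$ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$nl   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
[pscustomobject]@{
    Database = $ntds.'DSA Database file'        # expect D:\NTDS\ntds.dit
    Logs     = $ntds.'Database log files path'  # expect E:\NTDS
    Sysvol   = $nl.SysVol                       # expect F:\SYSVOL\sysvol
}

# And that the two DCs actually replicate; an empty result is the good result.
Get-ADReplicationFailure -Scope Domain
```

The separate volumes buy exactly what the post says: a full C: (logs, a runaway application, someone's ISO collection) no longer stops the directory, and the NTFS ACLs on D:, E: and F: can be kept to SYSTEM and Administrators without arguing with whatever else lives on C:. The size figures in the post (a few GB each) are realistic for 60 users; the database for a domain that size is tens of megabytes.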
 
blitzy
Gerbil Jedi
Posts: 1844
Joined: Thu Jan 01, 2004 6:27 pm
Location: New Zealand

Re: Active Directory

Mon Jul 13, 2015 3:53 pm

AD is a pain in the ass, I've only had to deal with it in a testing environment and that's been enough for me to know that it's a bane. It's really something that if re-designed today would be sooooo much simpler to interact with. That said, getting up and running with it is not too bad. The annoyances come later when you're trying to do stuff and you get odd error messages that are really due to problems with the trust relationship.

My 2c would be make sure you have a secondary domain controller in case the first one goes down. And when you encounter odd behaviour, consider that you may need to rejoin a PC to the domain. Odd situations can arise particularly when working with VMs and snapshots which mess with the trust relationship.

The position you describe is certainly doable, AD is not too hard to learn and you will be able to get it up and running. But after spending some intimate time with AD I doubt you will ever think to yourself 'wow where was AD in my life 5 years ago, this thing is great' :D
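Editor's added example for the trust-relationship failures blitzy describes. It is not code from the thread or from the poster. The usual cause is the one he names: a member computer rotates its own machine account password (every 30 days by default), and a VM snapshot or image taken before that rotation brings back a password the domain no longer accepts. The fix does not have to be a rejoin; the secure channel can be tested and repaired in place, which keeps the machine SID, local profiles and group memberships. Hypothetical names: domain corp.example, DC dc1.corp.example, and CORP\helpdesk as an account allowed to reset the computer's password (Domain Admin, or delegated as in the earlier delegation example but on the computer OU). Run elevated, in Windows PowerShell, on the affected client.

```powershell
# Added example; hypothetical names, see lead-in.
$domain = 'corp.example'
$dc     = 'dc1.corp.example'

# 1. Read-only test of the secure channel.  If this passes, the "trust relationship"
#    error has another cause (time skew, DNS, a deleted computer object) and resetting
#    the machine password will not help.
if (Test-ComputerSecureChannel -Server $dc -Verbose) {
    Write-Host 'Secure channel OK: the machine account password is not the problem.'
    return
}

# 2. Repair in place: resets the machine account password on the DC and locally in one
#    step, using a domain account that is allowed to reset this computer's password.
$cred = Get-Credential "$($domain.Split('.')[0])\helpdesk"
if (Test-ComputerSecureChannel -Server $dc -Repair -Credential $cred) {
    Write-Host 'Secure channel repaired; no rejoin needed.'
} else {
    # Fallback: force a brand-new machine password against that DC, then re-test.
    Reset-ComputerMachinePassword -Server $dc -Credential $cred
    Test-ComputerSecureChannel -Server $dc
}

# 3. Cross-check with the classic tool; it should report the secure channel as good.
nltest /sc_verify:$domain
```

Two practical notes. If the computer object was deleted from AD, neither cmdlet can help and the machine really does have to be rejoined. And for the lab case specifically, the problem is avoided by taking snapshots of member VMs only when you intend to revert soon, or by excluding test machines from password rotation (the "Domain member: Disable machine account password changes" policy), never by turning rotation off for production workstations.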
