SAMIT: Do You Need Two AD Domain Controllers?
-
@dafyre said in Do You Need Two AD Domain Controllers? SAMIT Video:
@scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:
@dafyre said in Do You Need Two AD Domain Controllers? SAMIT Video:
In an environment with only one AD server, how do you handle DNS if your lone AD server dies?
Sure, you could drop in Google for the DNS, but that doesn't help you for servers that are inside your network.
You could spin up a Windows DNS server, but that is still another Windows license. In the SMB, I wouldn't expect many folks to have the skill set to run BIND for DNS.
BIND, Host files
See my comment about folks not really having the skill set to run BIND (not in the SMB market anyway).
Host files could work, but then you have to keep them distributed and updated. Something like Sodium could work if the SMB is aware of it for that purpose, or some kind of automatic scripts to do it... But would somebody at the SMB level of IT actually think about something like that?
I don't accept the "SMB hires bad people and therefore should do a bad job" argument. It makes no logical sense. Why would anyone hire someone that can't do the job, why would they keep them if they hired them by accident, and why would someone in that position be excused to not attempt to do a good job? Why does the SMB so often get used as an excuse to not need basic business or IT competence?
There is no logic that connects "people often do things badly" with "people shouldn't be told how to do things well."
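One way to do the "automatic scripts" part of the hosts-file option mentioned above: an added Python example (not code from this thread, and not Sodium's) that keeps a marked, idempotent block of records in a hosts file so it can be pushed by any scheduler or RMM agent. The marker text, the record set and the sample hosts content are all constructed for the example.

```python
"""Added example (not from the thread or from Sodium): idempotent hosts-file merge.
Windows hosts path: C:\\Windows\\System32\\drivers\\etc\\hosts; Linux: /etc/hosts."""
from pathlib import Path

BEGIN = "# BEGIN managed-hosts"   # marker text is this example's own choice
END = "# END managed-hosts"
# Constructed sample: names a single-DC shop still wants resolvable if AD DNS is down.
SAMPLE_RECORDS = {"dc1": "10.0.0.10", "dc1.corp.example": "10.0.0.10",
                  "fileserver": "10.0.0.5"}
SAMPLE_HOSTS = "127.0.0.1 localhost\n10.0.0.5 fileserver old-alias\n"

def render_block(records):
    """Group hostnames by IP, one line per IP, wrapped in the markers."""
    by_ip = {}
    for name, ip in sorted(records.items()):
        by_ip.setdefault(ip, []).append(name)
    lines = [BEGIN]
    for ip, names in sorted(by_ip.items()):
        lines.append(f"{ip}\t{' '.join(names)}")
    lines.append(END)
    return lines

def merge_hosts(existing_text, records):
    """Keep unmanaged lines, drop the old managed block and any stray line that
    names a managed host (so the managed entry wins), then append a fresh block."""
    managed = set(records)
    out, inside = [], False
    for line in existing_text.splitlines():
        if line.strip() in (BEGIN, END):
            inside = line.strip() == BEGIN
            continue
        if inside:
            continue
        fields = line.split("#", 1)[0].split()   # ignore trailing comments
        if len(fields) >= 2 and managed & set(fields[1:]):
            continue
        out.append(line)
    if out and out[-1].strip():
        out.append("")                           # blank line before the block
    out.extend(render_block(records))
    return "\n".join(out) + "\n"

def apply_hosts(path, records):
    """Rewrite the file only when content changes; True if it was updated."""
    p = Path(path)
    before = p.read_text() if p.exists() else ""
    after = merge_hosts(before, records)
    if after != before:
        p.write_text(after)
    return after != before
```

Running merge_hosts twice over its own output yields identical text, which is what makes it safe to schedule every few minutes on every machine.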
-
@syko24 said in Do You Need Two AD Domain Controllers? SAMIT Video:
@dafyre said in Do You Need Two AD Domain Controllers? SAMIT Video:
@scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:
@dafyre said in Do You Need Two AD Domain Controllers? SAMIT Video:
In an environment with only one AD server, how do you handle DNS if your lone AD server dies?
Sure, you could drop in Google for the DNS, but that doesn't help you for servers that are inside your network.
You could spin up a Windows DNS server, but that is still another Windows license. In the SMB, I wouldn't expect many folks to have the skill set to run BIND for DNS.
BIND, Host files
See my comment about folks not really having the skill set to run BIND (not in the SMB market anyway).
Host files could work, but then you have to keep them distributed and updated. Something like Sodium could work if the SMB is aware of it for that purpose, or some kind of automatic scripts to do it... But would somebody at the SMB level of IT actually think about something like that?
Apart from tickets can Sodium do anything else at this point? Or did you mean once the functions are added?
Functions need to be added, but that one will be soon. Hosts management is very simple.
-
@dafyre said in Do You Need Two AD Domain Controllers? SAMIT Video:
But would somebody at the SMB level of IT actually think about something like that?
This is like asking if we should bother telling people how to brake safely on snow or ice since most people will just panic and slam the brakes, anyway.
-
@scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:
@syko24 said in Do You Need Two AD Domain Controllers? SAMIT Video:
@dafyre said in Do You Need Two AD Domain Controllers? SAMIT Video:
@scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:
@dafyre said in Do You Need Two AD Domain Controllers? SAMIT Video:
In an environment with only one AD server, how do you handle DNS if your lone AD server dies?
Sure, you could drop in Google for the DNS, but that doesn't help you for servers that are inside your network.
You could spin up a Windows DNS server, but that is still another Windows license. In the SMB, I wouldn't expect many folks to have the skill set to run BIND for DNS.
BIND, Host files
See my comment about folks not really having the skill set to run BIND (not in the SMB market anyway).
Host files could work, but then you have to keep them distributed and updated. Something like Sodium could work if the SMB is aware of it for that purpose, or some kind of automatic scripts to do it... But would somebody at the SMB level of IT actually think about something like that?
Apart from tickets can Sodium do anything else at this point? Or did you mean once the functions are added?
Functions need to be added, but that one will be soon. Hosts management is very simple.
Cool, looking forward to the updates. I just thought maybe I missed something.
-
@scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:
@dafyre said in Do You Need Two AD Domain Controllers? SAMIT Video:
But would somebody at the SMB level of IT actually think about something like that?
This is like asking if we should bother telling people how to brake safely on snow or ice since most people will just panic and slam the brakes, anyway.
That's kinda my point. Somebody could think about BIND after AD has already spread its guts all over the virtual walls, lol.
I think for most, the best bet is as @JaredBusch mentioned if you have a single AD controller, just virtualize it so you can restore from snapshots or backups and be done with it.
-
@dafyre said in Do You Need Two AD Domain Controllers? SAMIT Video:
@scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:
@dafyre said in Do You Need Two AD Domain Controllers? SAMIT Video:
But would somebody at the SMB level of IT actually think about something like that?
This is like asking if we should bother telling people how to brake safely on snow or ice since most people will just panic and slam the brakes, anyway.
That's kinda my point. Somebody could think about BIND after AD has already spread its guts all over the virtual walls, lol.
But, how is that a point? What relevance does that have? Why would "some people might not have taken advice" affect "when we give advice?"
-
@scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:
@dafyre said in Do You Need Two AD Domain Controllers? SAMIT Video:
@scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:
@dafyre said in Do You Need Two AD Domain Controllers? SAMIT Video:
But would somebody at the SMB level of IT actually think about something like that?
This is like asking if we should bother telling people how to brake safely on snow or ice since most people will just panic and slam the brakes, anyway.
That's kinda my point. Somebody could think about BIND after AD has already spread its guts all over the virtual walls, lol.
But, how is that a point? What relevance does that have? Why would "some people might not have taken advice" affect "when we give advice?"
Until my brain remembers where I was going with that, I'll have to say: You got me there.
We don't give advice just to give advice. We give advice in the hopes that we'll help somebody avoid a painful experience down the road.
-
@dafyre said in Do You Need Two AD Domain Controllers? SAMIT Video:
We don't give advice just to give advice. We give advice in the hopes that we'll help somebody avoid a painful experience down the road.
Right, which is why we say you don't need two domain controllers. Just because people might not take the advice doesn't mean that we should avoid giving it or give intentionally bad advice.
-
Good points here. Every environment is unique. I could be wrong, but I think some people try to use "best practices" reasoning because they do not know how to go about figuring out if something like this makes sense or not. It's the "easy" button for them.
-
@jmoore said in Do You Need Two AD Domain Controllers? SAMIT Video:
Good points here. Every environment is unique. I could be wrong, but I think some people try to use "best practices" reasoning because they do not know how to go about figuring out if something like this makes sense or not. It's the "easy" button for them.
Right, when really best practices is always "determining what is right for your environment" and "hiring people competent enough to make good decisions."
-
If you think about small biz server 2000 - with ISA server, AD, Exchange, File shares all on the same box, directly connected to your LAN and your internet connection, you really have to perceive MS best practices were designed for very large companies. SMB was an afterthought once it was identified as a growth market.
Lotus had a server product called Foundations that I thought was kick ass before the cloud arrived. You got Domino server, file services and the Domino App/Database servers.
-
@bigbear said in Do You Need Two AD Domain Controllers? SAMIT Video:
If you think about small biz server 2000 - with ISA server, AD, Exchange, File shares all on the same box, directly connected to your LAN and your internet connection, you really have to perceive MS best practices were designed for very large companies.
That, by definition, means it isn't a best practice. A true best practice is not affected by size of company.
-
There are other Windows functions tied to AD (print servers, GPOs, authentication if users are domain users).
Are we at the point of using MDM systems for management, and external identity and SSO for authentication?
-
@storageninja said in Do You Need Two AD Domain Controllers? SAMIT Video:
There are other Windows functions tied to AD (print servers, GPOs, authentication if users are domain users).
Are we at the point of using MDM systems for management, and external identity and SSO for authentication?
Honestly I can't believe we aren't at the point where everyone's cell phone doubles as a desktop CPU and all business apps aren't pushed through app streaming.
-
@storageninja said in Do You Need Two AD Domain Controllers? SAMIT Video:
Are we at the point of using MDM systems for management, and external identity and SSO for authentication?
- Yes, MDM systems or similar, which is just another term for LANless authentication, is definitely the point we've been at for years.
- Is central authentication really all that important? What a lot of people are finding is that that is an overblown bit of hype. Certainly important, but not critical in the way that people have behaved for the last 20 years.
-
@scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:
@storageninja said in Do You Need Two AD Domain Controllers? SAMIT Video:
Are we at the point of using MDM systems for management, and external identity and SSO for authentication?
- Yes, MDM systems or similar, which is just another term for LANless authentication, is definitely the point we've been at for years.
- Is central authentication really all that important? What a lot of people are finding is that that is an overblown bit of hype. Certainly important, but not critical in the way that people have behaved for the last 20 years.
I would agree, the only important thing is probably being able to reset a user's forgotten password. Which one can easily accomplish without directory services.
-
@bigbear said in Do You Need Two AD Domain Controllers? SAMIT Video:
@storageninja said in Do You Need Two AD Domain Controllers? SAMIT Video:
There are other Windows functions tied to AD (print servers, GPOs, authentication if users are domain users).
Are we at the point of using MDM systems for management, and external identity and SSO for authentication?
Honestly I can't believe we aren't at the point where everyone's cell phone doubles as a desktop CPU and all business apps aren't pushed through app streaming.
Well, I can tell you, some major reasons I don't want that are....
- I want my cell phone free for other tasks, I don't want it locked up being tied to a monitor all day.
- Doing this would interfere with my battery management regime, not impossible to work around, but would take something simple and make it complex.
- I need my computer as a backup device, the more I tie to my cell phone, the more issues I have if it gets broken or lost
- Most phones are single user devices, they lack user control mechanisms, which could easily fall under your "why don't they make this work" feeling, but is a current problem that people see them as an identifying object like an RSA card, but treat them as a computer a la Windows 98
- If all we are doing is app streaming and nothing else, I don't want the hassle of attaching my phone or anything else, I want that minimal logic built into the monitor or, for trivial effort, bolted onto it like we already do today.
Honestly, I think where we are today is better than it would be if we used our phones for it.
-
@bigbear said in Do You Need Two AD Domain Controllers? SAMIT Video:
@scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:
@storageninja said in Do You Need Two AD Domain Controllers? SAMIT Video:
Are we at the point of using MDM systems for management, and external identity and SSO for authentication?
- Yes, MDM systems or similar, which is just another term for LANless authentication, is definitely the point we've been at for years.
- Is central authentication really all that important? What a lot of people are finding is that that is an overblown bit of hype. Certainly important, but not critical in the way that people have behaved for the last 20 years.
I would agree, the only important thing is probably being able to reset a user's forgotten password. Which one can easily accomplish without directory services.
Right, exactly. The need to have a central authentication authority is often assumed, I think based on conversations I've had about this, to do things that are not actually related to it. Central authentication, while it does have value, in the SMB seems to be primarily deployed out of confusion, rather than out of solving a problem.
-
@bigbear said in Do You Need Two AD Domain Controllers? SAMIT Video:
@scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:
@storageninja said in Do You Need Two AD Domain Controllers? SAMIT Video:
Are we at the point of using MDM systems for management, and external identity and SSO for authentication?
- Yes, MDM systems or similar, which is just another term for LANless authentication, is definitely the point we've been at for years.
- Is central authentication really all that important? What a lot of people are finding is that that is an overblown bit of hype. Certainly important, but not critical in the way that people have behaved for the last 20 years.
I would agree, the only important thing is probably being able to reset a user's forgotten password. Which one can easily accomplish without directory services.
You can generally do that without any infrastructure, just using scripts or something.
-
If we are going to talk about AD (Microsoft Active Directory), then I would still debate that even when you don't need to have 2 DCs, you need to separate some functions from a DC such as Exchange or SQL (if you are using that still in-house), which then begs the question where are we moving forward with technologies and the cloud.
There are many IaaS and DaaS that can cover the need for a DC, OwnCloud and the like for file collaboration, and something like PrinterLogic for print servers.
https://www.printerlogic.com/
That combined with a centralized scripting deployment will work well. That is why something like Sodium or an RMM tool comes into play. Even the policies are applied much faster (as soon as the agent or services are contacted).