DCreature asked:
Advantages and Disadvantages of an Active Directory / Domain Controller dependent environment.

I am currently conducting an analysis of the advantages and disadvantages of having our production environment of 10 Windows Server 2003 servers (currently running stand-alone and independent of each other) in an Active Directory / Domain environment, as part of proposed changes.

The main benefit that was brought up was user and password management, which could grow to be a massive amount of work if we have to manage them individually on each independent server. The hope is that the proposed change of migrating the whole platform to an Active Directory environment will assist in propagating changes (such as new users, password changes, new security requirements via GPO, etc.) on to the servers (which will run as domain clients; only 1 or 2 will run as the primary and secondary ADC. Not all of these servers are going to host AD or be an ADC; the server OS is used due to its robustness and reliability).

I am assigned the task of performing this analysis, but while I am doing this I am only a junior in the domain administration area. So could you experts help me in identifying / listing the advantages and disadvantages of using an AD environment?

One that I can think of right now is dependencies: if the Active Directory domain controller fails, this could possibly bomb out the rest of the machines.

Thank you!
SOLUTION by TheCleaner (members-only content not shown on this page)
DCreature (asker):
TheCleaner, though we have 10 of the 2003 servers, only 2 of the physical servers can be used for AD and its failover. Some real words of advice from someone with experience would be much appreciated.
SOLUTION (members-only content not shown on this page)

DCreature,

Yeah, that's what I'm saying...take 2 physical servers and assign them as Domain controllers, DNS, etc. for AD.  I would use the smallest (in terms of hardware specs, etc. as long as they aren't too old) servers you have.  If you don't have a lot of users (more than a few hundred) then you aren't going to be taxing the servers at all.  Just get a 100MB NIC or better in them.  Simple 1U servers with P3 or better, 512MB RAM or better, and mirrored 18 or 36GB drives should be enough for an AD DC.

The rest of the servers are for applications/mail/file/print, etc.


I was on a project just like yours (consultant work) last year and they had 32 servers total across 4 metro locations, running a mix of Windows workgroup model and Novell.

We migrated them to a central office datacenter with only 14 servers, 2 of which were domain controllers.

The benefits will far outweigh the negatives...and it won't cost you anything but soft costs to implement if you already have the hardware and software licensed.

The links I provided will make the case for Active Directory.  There are also case studies on MS's site at www.microsoft.com/technet that can be used for real world experiences.

In my opinion, decentralized management is a waste of time and resources.  Trying to maintain and manage users on each server is 1990 stuff.  Novell and NT 3.51 did away with that model a long time ago, and now it is easier than ever to implement a centrally managed solution.

A domain environment will allow you to manage everything so much easier, and will allow for new servers/users/email/etc to be implemented with ease.

blohrer:
"I think the main question would be what are your servers being used for?"

The servers will be used as IVR servers. That said, each IVR would run independently of the others from the application perspective, but it is important to find the best way to centrally manage them as a group in a fast and easy manner, hence my original question.

As a classic example, imagine having to add 9 new users to 10 servers manually; that's 90 users all up, which will be very time-consuming and inefficient. Sure, I can run a messy script to add users, but that's not efficient for this purpose. There would also be other tasks requiring the same actions on all the production servers.

At the moment we could designate 2 server machines, which are intended to be used as monitoring servers; these are the servers I want to make DC / AD (one primary and the other secondary / backup).

I forgot to add that the servers are networked in the same subnet; it could be two or so different subnets in the future, it all depends on the decisions we make along the way.

DCreature,

I think the benefits of having those 2 "monitoring servers" also take on the AD/DC roles would really make your life easier.

You would need to take the up-front time to configure them, set up the AD topology (the OU structure is about it, since you only have 1 subnet right now and only 2 DCs at one site), then you'd need to make the security groups and set up these groups to have the permissions and access needed on each of the servers.

You should get to the point that adding a new user is a matter of creating their account in AD, adding them to the proper groups, and clicking OK.

TheCleaner, understandably good points. There's one more big concern here: all servers will later become part of Active Directory, and it's a requirement to run applications on all servers under the same credential (e.g. AppUser).

If someone tries to attack, or someone without knowledge of the password tries to log on too many times consecutively, and gets the account locked out on one of the servers, what would happen to all the applications on the rest of the servers?

Will those applications that run under the AppUser credential lose their permissions to read / write to certain directories that have Allow permissions applied to them? And will they exit? (This is possibly the most important question now.)

Will the logged-on sessions of the AppUser credential on other servers get kicked out (become locked or otherwise)? Basically, what are the impacts of accounts getting locked out, passwords getting changed, etc., in scenarios like these, when a single credential in an Active Directory environment is needed to run on multiple servers?

Thank you.
SOLUTION (members-only content not shown on this page)

Regarding your AppUser situation:

You could also just create a local account on each server, call it AppUserServer1, etc., then use that user for the credentials for the application.

Depending on the type of app, you could create a single user in AD, then give that user a crazy long password that is very difficult to attack/hack into, and again depending on the type of app you could create a policy on those servers that allowed that user to only log on locally, and not be accessible via the network.

Also, I believe if the app runs as a service using those credentials, then the account getting locked out wouldn't stop the services currently running for the app, but if the account remained locked out, if the server needed to be rebooted it may prevent the service from starting.
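An added example, not code from the thread: a PowerShell audit run from a management host that lists every service across the server farm logging on as the shared domain account and reports whether that account is currently locked out in AD, so the "what happens to the rest of the servers" question can be answered from data. The server names and the CORP domain are placeholders; it assumes the RSAT ActiveDirectory module is installed and the caller can read WMI on each server.

```powershell
# Added example (not from the thread). Audit which services run as the shared
# domain account and whether that account is locked out right now.
# Assumptions: RSAT ActiveDirectory module present; WMI/DCOM reachable on targets.
param(
    [string[]]$Servers = @('IVR01', 'IVR02', 'MON01'),   # placeholder server names
    [string]$Domain    = 'CORP',                          # placeholder NetBIOS domain
    [string]$Account   = 'AppUser'                        # shared service account from the thread
)
Import-Module ActiveDirectory

# LockedOut is an extended AD property; UserPrincipalName lets us match UPN-style logons.
$adUser    = Get-ADUser -Identity $Account -Properties LockedOut, UserPrincipalName
$lockedOut = [bool]$adUser.LockedOut
$logonName = "$Domain\$Account"

$report = foreach ($s in $Servers) {
    # Win32_Service.StartName is the account the service logs on as.
    Get-WmiObject -Class Win32_Service -ComputerName $s -ErrorAction SilentlyContinue |
        Where-Object {
            $_.StartName -eq $logonName -or $_.StartName -eq $adUser.UserPrincipalName
        } |
        ForEach-Object {
            [pscustomobject]@{
                Server        = $s
                Service       = $_.Name
                State         = $_.State          # Running / Stopped
                StartMode     = $_.StartMode      # Auto / Manual / Disabled
                RunsAs        = $_.StartName
                AccountLocked = $lockedOut
            }
        }
}

$report | Sort-Object Server, Service | Format-Table -AutoSize

# A lockout does not revoke the token of a service that is already running, but the
# Service Control Manager cannot log the account on again, so anything Stopped while
# AccountLocked is True will fail to start until the account is unlocked.
if ($lockedOut) {
    $report | Where-Object { $_.State -ne 'Running' } |
        ForEach-Object { Write-Warning "$($_.Server)\$($_.Service) cannot start: $Account is locked out" }
}
```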

A local account was also one of the ideas; when a domain GPO applies to the accounts, would the domain GPO override the local machine GPO?

What I am really concerned about is: if I have a domain GPO to lock out an account after a number of retries, I still want the local account to be able to keep its apps running, and still have permissions to write to the registry and such. If the local account can be kept totally segregated in terms of impacts when things go wrong on the Active Directory and Active Directory accounts side, then it's good.
ASKER CERTIFIED SOLUTION (members-only content not shown on this page)

Thanks for the points!  Happy to help.