prlit

When do I need AD?

Sorry if this turns into a discussion rather than a question. We currently have 600 PCs spread across 50 locations. Our main application is an electronic medical records system and it's really self contained. There was never a need to use any other application other than our in-house software. Recently, there has been an increased need for file and printer sharing and application sharing. I'm sharing everything out now using bat scripts (that obviously expose a username and password) and whenever I need to add printers, I find myself walking to each PC and adding them. On an annual basis, I'm finding myself traveling around the State of New York to update the PCs, one office at a time.

I know that AD will increase my security and concentrate things to my main location, but I can't just walk into my boss's office for a licensing quote for 600 PCs either. Also, because my group manages physicians' offices, there is a lot of turnover. Managing usernames and passwords on each PC would be very difficult with our limited staff. We do currently have 3 Windows 2003 servers, none running AD. I've done some searching but it's difficult to get other professional advice on a webpage. Although comments on this subject do not necessarily answer a question, I will do my best to spread points out.
Netman66

You use a Domain when you want to manage things centrally.

In your case, you could set up a domain at the main office, then a few strategically placed DCs in remote sites.  You can create Sites that group logical sites so that they can use a single DC in one physical site rather than all authenticating to your main server.

As long as the WAN links are stable, then you can utilize VPN between sites.

If this is way outside the budget (which it could be) then the best option to cover some of your requirements would be to setup WSUS locally or configure each PC via script to use Microsoft Update at 3am each night and install the updates automatically.  As long as the user logs out, then the updates will run at 3am and reboot.

As for File and Print sharing - can you really afford a real server at all 50 sites?  Even 10 sites that are strategically placed will require 10 servers + licenses.

This will be no small undertaking.

prlit

ASKER

I assumed that for just 600 PCs, I could manage everything through one server at my location. Right now, all of the locations are connected to my central location via T1 point-to-point circuits or router-to-router VPNs. I am using WSUS now as well. I have access to the entire network, all 50 locations.

You can use a domain and have people authenticate to you there - since you already have connectivity then it will work.  You may have issues with GC and DNS lookups since every PC will be talking with your servers.

So why do you have to visit each site for updates if you already run WSUS?  Personally, if these sites go direct to the Internet instead of through your connection to the Internet, then it's more effective to have the PC update directly from MS.

Right now, you have (potentially) 600 PCs pulling updates over your connection.  Once you create the domain and have all the PCs join then you will have tons of lookup and authentication traffic added since you MUST point all members of the domain to your DNS server(s) only in order for them to communicate with the domain controllers.

I'm not saying it's impossible, it's just going to suck the life out of your link.


ASKER

I'm running MRTG to all of my locations and there is very little bandwidth being used (except that first night that a PC is connected when it pulls over all the updates). I just assume AD would be so much easier to manage when I have a doctor's office 100 miles away with 3 PCs there. All offices are using my main location for internet as well. We have a proxy/content filter here that controls web browsing.

ASKER

I have to visit an office, even if I'm already running WSUS, when they tell me they need to print from Windows rather than our EMR printing system (doesn't allow Windows printing). I end up traveling and sharing printers constantly. Plus, WSUS only pushes Microsoft updates. If someone decides they need Word installed, I need to go install it - no one has admin rights (for good reason).

ASKER CERTIFIED SOLUTION
Netman66
Printers can also be published in the Directory so users can be walked through the process of attaching to it or you can use RDP to the desktop and do it for them.

If you update to R2 then you can use Print Management Console and setup GPOs to deploy printers from AD.


ASKER

Let's say I wanted to push Windows Defender or another anti-spyware app to all the PCs. Could I use AD for that? What is a GC?

Yes, you can deploy Defender.  You can either Assign it to the computer (it will install before the user gets the logon box on next boot) or Publish or Assign it to users (publishing allows the user to install it using Add/Remove, or Assigning it will automagically install it when they log in).

GC stands for Global Catalog.  This is important for Authentication more than anything.  It's also heavily used by Exchange.


ASKER

As far as traffic goes, are you more worried about traffic over our T1s or LAN traffic to our servers? I'm really surprised you're recommending having that many servers do the work for 600 PCs. Besides printing and logins, would there be a lot of traffic that I'm currently not used to?

AD replicates data between servers, so if you have more than one server at different locations it will use bandwidth.

600 clients and no AD, wow, that's going to be a lot of work to set up.

You can install any program with an MSI file, and others you can turn into an MSI. I have Symantec auto-installed on every desktop at login. This way, if someone removes Symantec it will be reinstalled at next login.

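The asker's current bat scripts carry a username and password; the replies above point out that once the PCs are domain members the logon token does the authenticating, and the previous post describes re-installing a package at every login. As an added example that is not from this thread, here is one GPO script that covers both: run plain as a user logon script (shares and printers, no credentials in the file) and with the argument `startup` as a computer startup script (the MSI check, which runs as SYSTEM and so works even though users have no admin rights). FILESERVER, PRINTSERVER, the share, printer and MSI names and the product-code GUID are placeholders.

```batch
@echo off
rem Added example (not from this thread). One script for two GPO slots:
rem   Computer Configuration > Startup script  -> logon.cmd startup   (runs as SYSTEM)
rem   User Configuration     > Logon script    -> logon.cmd           (runs as the user)
rem All server, share, printer and product-code values below are placeholders.
setlocal
if /i "%~1"=="startup" goto startup

rem --- per-user part -------------------------------------------------------
rem Map the shared folder. No /user: and no password: the domain credentials
rem the user just logged on with are used, so nothing sensitive sits in the script.
net use P: \\FILESERVER\Shared /persistent:no >nul 2>&1
if errorlevel 1 echo Could not map P: to \\FILESERVER\Shared

rem Connect the office printer and make it the default.
rem (/in adds a connection to a shared printer, /y sets the default.)
rem On Windows 2003 R2 the Print Management Console GPO deployment replaces this.
rundll32 printui.dll,PrintUIEntry /in /n "\\PRINTSERVER\Office-Printer"
rundll32 printui.dll,PrintUIEntry /y  /n "\\PRINTSERVER\Office-Printer"
goto :eof

rem --- per-computer part (SYSTEM, so it may install software) ---------------
:startup
set "PKG=\\FILESERVER\deploy\antimalware.msi"
rem The uninstall key is named after the MSI's ProductCode GUID (placeholder here).
set "KEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{PRODUCT-CODE-PLACEHOLDER}"
reg query "%KEY%" >nul 2>&1
if not errorlevel 1 goto :eof
echo Package not found, reinstalling silently...
rem /qn = no UI, /norestart = do not reboot, /l*v = verbose log for troubleshooting
msiexec /i "%PKG%" /qn /norestart /l*v "%SystemRoot%\Temp\antimalware-install.log"
if errorlevel 1 echo Install failed, see %SystemRoot%\Temp\antimalware-install.log
endlocal
```

The startup branch is equivalent to Netman66's "Assign it to the computer" option, which needs no script at all; the script form is shown because it makes the check-then-reinstall logic visible, and its log file gives you something to review when a site reports the package missing.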
Replication isn't going to be the issue since all servers are on the same wire at the same location.

What I am concerned about is 600 workstations getting Authenticated to your single site over the T1 lines.  Even if each T1 can handle the number of users on the remote site's end, you still have a concentration of all these users coming together on your side of the cloud and saturating the link between you and the ISP.

What will make things worse is deployments, updates and Internet access as well as normal daily domain communication all aggregating on your link.

That's my only concern - the architecture is good and the concept should be okay.


ASKER

Well, we're looking at 12 PCs per office (avg). Each office has a dedicated T1 back to us (we have a T3 here). Half of those offices are Time Warner business class Road Runner at 3meg down and 512mb up connected via VPN. I think we'll be ok. On this end I'm running gigabit ethernet to those servers as well.