Solved

When do I need AD?

Posted on 2006-07-11
220 Views
Last Modified: 2010-04-18
Sorry if this turns into a discussion rather than a question. We currently have 600 PCs spread across 50 locations. Our main application is an electronic medical records system and it's really self-contained. There was never a need to use any other application other than our in-house software. Recently, there has been an increased need for file and printer sharing and application sharing. I'm sharing everything out now using bat scripts (that obviously expose a username and password) and whenever I need to add printers, I find myself walking to each PC and adding them. On an annual basis, I'm finding myself traveling around the State of New York to update the PCs, one office at a time.

I know that AD will increase my security and concentrate things at my main location, but I can't just walk into my boss's office for a licensing quote for 600 PCs either. Also, because my group manages physicians' offices, there is a lot of turnover. Managing usernames and passwords on each PC would be very difficult with our limited staff. We do currently have 3 Windows 2003 servers, none running AD. I've done some searching but it's difficult to get other professional advice on a webpage. Although comments on this subject do not necessarily answer a question, I will do my best to spread points out.
Question by:prlit
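The question's batch scripts "obviously expose a username and password". The PowerShell below is an added example, not code from the thread or from the poster: it scans a folder of .bat/.cmd logon scripts for net use lines that carry a password (in either position net use accepts) and for runas /savecred, and reports each hit. The script folder, the two sample .bat files, the server names and the account names are constructed for the example.

```powershell
# Added example, not code from the thread: scan batch logon scripts for the
# pattern the question describes, a "net use" line that carries a username and
# password, and report each hit. The script folder and the two sample .bat
# files are constructed here so the example runs stand-alone; point $ScriptRoot
# at your real NETLOGON or script share to scan production scripts.
param(
    [string]$ScriptRoot = (Join-Path $env:TEMP 'logon-scripts-sample')
)

New-Item -ItemType Directory -Force -Path $ScriptRoot | Out-Null
@'
@echo off
net use P: \\fileserver\shared Summer2006 /user:WORKGROUP\svc_share /persistent:yes
net use LPT1: \\printserver\lobby /user:WORKGROUP\svc_print Summer2006
'@ | Set-Content -Path (Join-Path $ScriptRoot 'map-insecure.bat')
@'
@echo off
rem Domain-joined PC: the logged-on user's own token authenticates, no password in the file
net use P: \\fileserver\shared /persistent:no
'@ | Set-Content -Path (Join-Path $ScriptRoot 'map-domain.bat')

# Password before the /user: switch ...
$pwdThenUser = '(?i)^\s*net\s+use\s+\S+\s+\\\\\S+\s+(?<pwd>[^\s/*]\S*)\s+/user:(?<user>\S+)'
# ... or after it. A lone "*" is excluded: that makes net use prompt instead.
$userThenPwd = '(?i)^\s*net\s+use\s+\S+\s+\\\\\S+\s+/user:(?<user>\S+)\s+(?<pwd>[^\s/*]\S*)'
$savedCred   = '(?i)\brunas\b.*/savecred'

function Find-EmbeddedCredentials {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Include *.bat, *.cmd | ForEach-Object {
        $file = $_.FullName
        $lineNo = 0
        Get-Content -Path $file | ForEach-Object {
            $lineNo++
            $finding = $null
            if ($_ -match $pwdThenUser -or $_ -match $userThenPwd) {
                $finding = "password for $($Matches['user']) on net use line"
            } elseif ($_ -match $savedCred) {
                $finding = 'runas /savecred (cached credential)'
            }
            if ($finding) {
                [pscustomobject]@{ File = $file; Line = $lineNo; Finding = $finding }
            }
        }
    }
}

$findings = @(Find-EmbeddedCredentials -Root $ScriptRoot)
$findings | Format-Table -AutoSize
if ($findings.Count -gt 0) {
    Write-Warning "$($findings.Count) line(s) expose a credential; anyone who can read the script (every user of the PC) has that account."
}
```

Run against the sample folder it reports the two lines in map-insecure.bat and nothing in map-domain.bat, which is the form the mapping takes once the PCs are domain members: the user's own logon token authenticates to the share, so the script carries no secret. Do not move the password into a Group Policy Preferences drive map either; the cpassword value that stored it in SYSVOL was decryptable by any domain user and Microsoft removed the option in MS14-025.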
13 Comments
 
LVL 51

Expert Comment

by:Netman66
ID: 17086812
You use a Domain when you want to manage things centrally.

In your case, you could set up a domain at the main office, then a few strategically placed DCs in remote sites.  You can create Sites that group logical sites so that they can use a single DC in one physical site rather than all authenticating to your main server.

As long as the WAN links are stable, then you can utilize VPN between sites.

If this is way outside the budget (which it could be) then the best option to cover some of your requirements would be to set up WSUS locally or configure each PC via script to use Microsoft Update at 3am each night and install the updates automatically.  As long as the user logs out, then the updates will run at 3am and reboot.

As for file and print sharing - can you really afford a real server at all 50 sites?  Even 10 strategically placed sites will require 10 servers + licenses.

This will be no small undertaking.

 
LVL 1

Author Comment

by:prlit
ID: 17086828
I assumed that for just 600 PCs, I could manage everything through one server at my location. Right now, all of the locations are connected to my central location via T1 point-to-point circuits or router-to-router VPNs. I am using WSUS now as well. I have access to the entire network, all 50 locations.
 
LVL 51

Expert Comment

by:Netman66
ID: 17086865
You can use a domain and have people authenticate to you there - since you already have connectivity then it will work.  You may have issues with GC and DNS lookups since every PC will be talking with your servers.

So why do you have to visit each site for updates if you already run WSUS?  Personally, if these sites go direct to the Internet instead of through your connection to the Internet, then it's more effective to have the PC update directly from MS.

Right now, you have (potentially) 600 PCs pulling updates over your connection.  Once you create the domain and have all the PCs join then you will have tons of lookup and authentication traffic added since you MUST point all members of the domain to your DNS server(s) only in order for them to communicate with the domain controllers.

I'm not saying it's impossible, it's just going to suck the life out of your link.



 
LVL 1

Author Comment

by:prlit
ID: 17086884
I'm running MRTG to all of my locations and there is very little bandwidth being used (except for the first night that a PC is connected, when it pulls over all the updates). I just assumed AD would be so much easier to manage when I have a doctor's office 100 miles away with 3 PCs there. All offices are using my main location for internet as well. We have a proxy/content filter here that controls web browsing.
 
LVL 1

Author Comment

by:prlit
ID: 17086908
I have to visit an office, even if I'm already adding WSUS, when they tell me they need to print from Windows rather than our EMR printing system (doesn't allow winprinting). I end up traveling and sharing printers constantly. Plus, WSUS only pushes Microsoft updates. If someone decides they need Word installed, I need to go install it - no one has admin rights (for good reason).
 
LVL 51

Accepted Solution

by:Netman66 (earned 500 total points)
ID: 17086925
Sounds tight - which is good.

You can also use AD for Publishing Applications, patching existing non-MS applications (with MSPs) or adding scripts to install updates from a central share.

You would want at least 2 DCs running DNS at your site that are also GCs.  The third server could be a file share (installation source) for the clients that could have teamed NICs so you get some throughput.

This could be *doable* given what you already have.  Be prepared to try to use traffic shaping as you'll see in MRTG what traffic needs better QoS.

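The accepted answer lays out the central layout: at least two DCs at the main site that also run DNS and hold the Global Catalog, with every domain member pointed only at those DNS servers (the earlier comment's point about GC and DNS lookups). The PowerShell below is an added check for that layout, not code from the thread. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module and PowerShell 3.0 or later; the domain name is read from the machine, so nothing else is assumed.

```powershell
# Added example, not code from the thread: verify the layout the accepted
# answer describes -- at least two DCs that are also GCs and answer DNS, the
# SRV records clients use to find them, and a client that uses only domain DNS.
# Assumes RSAT ActiveDirectory module on a domain-joined host, PowerShell 3.0+.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# 1. Domain controllers and which of them hold the Global Catalog
$dcs = Get-ADDomainController -Filter * |
       Select-Object HostName, IsGlobalCatalog, Site, IPv4Address
$dcs | Format-Table -AutoSize
$gcCount = @($dcs | Where-Object IsGlobalCatalog).Count
if ($gcCount -lt 2) {
    Write-Warning "Only $gcCount GC(s); logons depend on the GC, so a single one is a single point of failure."
}

# 2. SRV records members query to locate DCs, GCs and KDCs; all must resolve
foreach ($srv in "_ldap._tcp.dc._msdcs.$domain", "_gc._tcp.$domain", "_kerberos._tcp.$domain") {
    try {
        $rec = Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop
        $targets = ($rec | Where-Object Type -eq 'SRV' | ForEach-Object NameTarget) -join ', '
        "{0,-45} -> {1}" -f $srv, $targets
    } catch {
        Write-Warning "$srv did not resolve: $($_.Exception.Message)"
    }
}

# 3. Each DC is expected to run DNS: probe TCP/53
foreach ($dc in $dcs) {
    $ok = (Test-NetConnection -ComputerName $dc.HostName -Port 53 -WarningAction SilentlyContinue).TcpTestSucceeded
    "{0,-30} DNS listening: {1}" -f $dc.HostName, $ok
}

# 4. This client's DNS servers must all be domain controllers; an ISP resolver
#    in the list means the SRV lookups above fail intermittently and logons stall
$dcAddrs   = @($dcs | ForEach-Object IPv4Address)
$clientDns = Get-DnsClientServerAddress -AddressFamily IPv4 |
             Where-Object { $_.ServerAddresses } |
             ForEach-Object ServerAddresses | Sort-Object -Unique
$foreign = @($clientDns | Where-Object { $_ -notin $dcAddrs })
if ($foreign.Count -gt 0) {
    Write-Warning "Non-domain DNS servers configured on this client: $($foreign -join ', ')"
} else {
    "Client DNS servers all point at domain controllers: $($clientDns -join ', ')"
}
```

Run it from a remote office PC as well as from the main site: the DNS-server check is the one that usually fails in a branch where the router's DHCP still hands out the ISP's resolvers.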
 
LVL 51

Expert Comment

by:Netman66
ID: 17086931
Printers can also be published in the Directory so users can be walked through the process of attaching to it or you can use RDP to the desktop and do it for them.

If you update to R2 then you can use Print Management Console and setup GPOs to deploy printers from AD.

 
LVL 1

Author Comment

by:prlit
ID: 17086944
Let's say I wanted to push Windows Defender or another anti-spyware app to all the PCs. Could I use AD for that? What is a GC?
 
LVL 51

Expert Comment

by:Netman66
ID: 17087008
Yes, you can deploy Defender.  You can either Assign it to the computer (it will install before the user gets the logon box on next boot) or Publish or Assign it to users (publishing allows the user to install it using Add/Remove, or Assigning it will automagically install it when they log in).

GC stands for Global Catalog.  This is important for Authentication more than anything.  It's also heavily used by Exchange.

 
LVL 1

Author Comment

by:prlit
ID: 17087563
As far as traffic goes, are you more worried about traffic over our T1s or LAN traffic to our servers? I'm really surprised you're recommending having that many servers do the work for 600 PCs. Besides printing and logins, would there be a lot of traffic that I'm currently not used to?

 
LVL 8

Expert Comment

by:bilbus
ID: 17088061
AD replicates data between servers, so if you have more than one server at different locations it will use bandwidth.

600 clients, no AD, wow, that's going to be a lot of work to set up.

You can install any program with an MSI file, and others you can turn into an MSI. I have Symantec auto-installed on every desktop at login. This way if someone removes Symantec it will be reinstalled at next login.
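The accepted answer mentions "adding scripts to install updates from a central share", and the comment above describes the same idea as a login script that reinstalls Symantec whenever it is missing. The PowerShell below is an added example of that script, not code from either poster: it checks the Uninstall registry keys for the product, and if it is absent installs the MSI from the share with msiexec, verifying the file's SHA-256 first so that a swapped MSI on the share is never executed. The product name, share path, expected hash and log directory are assumptions.

```powershell
# Added example, not code from the thread: a startup/logon script that
# re-installs a required package from a central share when it is missing
# (the pattern bilbus describes), with a hash check so a tampered MSI on the
# share is never run. Product name, share path, hash and log path are assumed.
param(
    [string]$ProductName    = 'Contoso Endpoint Agent',          # DisplayName in the Uninstall keys
    [string]$MsiPath        = '\\fileserver\install$\agent.msi', # central installation source
    [string]$ExpectedSha256 = '0000000000000000000000000000000000000000000000000000000000000000',
    [string]$LogDir         = 'C:\Windows\Temp'
)

function Test-ProductInstalled {
    param([string]$Name)
    # Installed MSI packages register under these keys (32-bit apps under WOW6432Node)
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $hits = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -eq $Name }
    return [bool]$hits
}

function Install-FromShare {
    param([string]$Path, [string]$Sha256, [string]$Log)
    if (-not (Test-Path -Path $Path)) { throw "Installer not reachable: $Path" }

    # Integrity check: anyone who can write to the share could replace the MSI,
    # and msiexec runs it as SYSTEM on every PC that executes this script.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $Sha256.ToUpperInvariant()) {
        throw "Hash mismatch for $Path (got $actual); refusing to install"
    }

    $msiArgs = "/i `"$Path`" /qn /norestart /l*v `"$Log`""
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    return $proc.ExitCode   # 0 = success, 3010 = success, reboot required
}

if (Test-ProductInstalled -Name $ProductName) {
    "$ProductName already present; nothing to do"
} else {
    $log  = Join-Path $LogDir ("install-{0:yyyyMMdd-HHmmss}.log" -f (Get-Date))
    $code = Install-FromShare -Path $MsiPath -Sha256 $ExpectedSha256 -Log $log
    if ($code -in 0, 3010) {
        "$ProductName installed (msiexec exit $code), log: $log"
    } else {
        Write-Error "msiexec failed with exit code $code; see $log"
    }
}
```

Deploy it as a computer startup script in Group Policy rather than a user logon script: it then runs as SYSTEM, so the users keep no admin rights (as the question wants) and the share only needs to grant Domain Computers read access. Update $ExpectedSha256 whenever you publish a new MSI; the check is deliberately strict so that a mismatch stops the rollout instead of silently installing whatever is on the share.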
 
LVL 51

Expert Comment

by:Netman66
ID: 17090507
Replication isn't going to be the issue since all servers are on the same wire at the same location.

What I am concerned about is 600 workstations getting authenticated to your single site over the T1 lines.  Even if each T1 can handle the number of users on the remote site's end, you still have a concentration of all these users coming together on your side of the cloud and saturating the link between you and the ISP.

What will make things worse is deployments, updates and Internet access as well as normal daily domain communication all aggregating on your link.

That's my only concern - the architecture is good and the concept should be okay.

 
LVL 1

Author Comment

by:prlit
ID: 17090761
Well, we're looking at 12 PC's per office (avg). Each office has a dedicated T1 back to us (we have a T3 here). Half of those offices are Time Warner business class Road runner at 3meg down and 512mb up connected via vpn. I think we'll be ok. On this end I'm running gigabit ethernet to those servers as well.