Solved

Windows Server 2012 R2 AD Domain

Posted on 2014-04-02
12
949 Views
Last Modified: 2016-11-23
I have a client that is in need of purchasing a server to maintain a financial package database (Peachtree) and user files (word, excel, pdf, etc.)  They estimate 5 to 10 people will eventually need to access this server, but initially it will only be 4 people.

The server will be Dell T320 server with a single XEON processor, 16Gbs of RAM, and (3) 600Gb RAID drives for the OS and data.

They have no need for Exchange on-premise or Office365 since they are very happy with their Google mail solution.  

I usually prefer setting an AD domain for offices that have a server and at least 5 users, but at the same time I am thinking this office could simply use this server as a member server with network shares, etc.  

I am still inclined on setting up an AD domain, but I am not sure of the actual AD domain name to use.  I have always used a .local domain, and now Microsoft recommends using a valid .com name instead.  Microsoft keeps going back and forth on this matter.  

So the domain name for this company's website and email is long, let’s say something like (www.automatedproductsgroup.com).  They own this public domain, so am I supposed to setup the AD Domain Name as automatedproductsgroup.com?  I want to abide by Microsoft's naming requirements, but this name seems a bit long and not right.  I simply wanted to use "apg.com", so it abbreviates the name, but they do not own this public domain name.  I was simply thinking of using apg.local instead to avoid all of this, but I am not sure what kind of problems a .local domain name will cause down the line.  

This office also has a need where the owners (3 people) will need to work remotely and access the financial application and user files.  They will have laptops that travel with them and are used in the office.  So they will not have desktop computers to remote into while out of the office.  They have another facility setup across the country that was setup be a local consultant as follows:

They use logmein himachi to setup a VPN.
Once the VPN is established they can access network shares for that remote network.
They have a Peachtree icon on their desktops that opens slowly, but eventually allows them to open the company file from the peachtree server share residing on the remote server.  

The problem is they do not have desktops in the office to RDP into, and have a dire need accessing their Peachtree database.  Right now I am not concerned about the server setup at the other facility across the nation, and I am concerned about providing a more robust RDP solution at this new facility.

Since three people may need to simultaneously RDP and access the same database, I was thinking of purchasing a 5 pack license of Windows 2012 RDP CALS (approx $400.00).  I would think they do not need a VPN connection, and be able to RDP to the public IP of their router, and have their router forward all RDP requests to the server.  I believe Microsoft RDP is a secure enough connection without the need of a VPN.  If so, all they would need to do is enter the pubic IP in the RDP connect host.  I also need to find out with Peachtree whether using their application on a terminal server is an issue or even supported.

So, let me breakdown what I need help with:

1.  Setup a simple member server instead of an AD domain?  Thinking an AD domain the best way to go.

2.  The internal AD domain name.  This companies public domain automatedproductiongroup.com.  Do I need to use this actual name since they own the public domain name or can I abbreviate it to agp.com.  The do not own the public name apg.com.  Or simply go the .local approach apg.local to make things simple.

3.  A minimum of 3 people need to RDP this new server.  They currently use logmein himachi as a VPN solution to access network server shares and access a Peachtree database.  This solution works fine for file shares, but accessing the Peachtree database is a bit cumbersome and rather slow in my opinion.  Possible resolution, purchase and setup Windows Server 2012 RDP CALs, and instruct the users to enter the public ip of the router to directly RDP to their server (terminal server) without a VPN.  

4.  Based on the server hardware config mentioned above, is it configured with enough resources (processor, RAM, hard disk space) for a server that will be the sole AD domain controller, DNS, DHCP, terminal server, TrendMicro worry free business standard server, printer shares, file shares, and Peachtree database server for 5 to 15 users.  Terminal services will not be used by all employees.  Not sure RRAS maybe included in the mix should VPN access be necessary.

Please forward your suggestions and recommendations.  I just want to make sure I set things up looking at the future and not simply to quickly get things going.
0
Comment
Question by:cmp119
  • 7
  • 3
  • 2
12 Comments
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 39972069
I would add a second processor and more ram and setup Rdp right into the servers as a TS/Rdp server. Install Peachtree on the server as an app and allow employees to login with Rdp, run the app on the server and save their data right there. We do this with QuickBooks and it works well.
0
 

Author Comment

by:cmp119
ID: 39972123
Wow a second processor by itself is not cheap.  I was not thinking it would be necessary.  Adding more RAM and a second processor will be over $1K would be me guess.  I do not think the client will tolerate such an increase in cost.
0
 
LVL 25

Assisted Solution

by:Tony Giangreco
Tony Giangreco earned 250 total points
ID: 39972147
We run multiple locations like this and learned the hard way a 2nd processor and additional ram on an Rdp server really helps. I would not want to under sell a solution and them have to explain why the system runs slow after it's installed.  It's cheaper to add resources before going live than after.
0
 

Author Comment

by:cmp119
ID: 39972190
I understand what you're saying.  I don't want to be put under those circumstances.  My thought was the count of users hitting the server at an given time would be 5 to 10 at most.  I usually get a second processor and more RAM (24 to 32gbs) for an SBS server that will host exchange, Sharepoint, and possibly SQL.  I could possibly see doubling the RAM to 32Gbs, but the cost of the processor will be a tuff sell.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39972233
You can keep same AD domain name as external, it will be helpful.

This will simplify your digital Certificate management.
Also it won't create any problems even if your AD domain name is more than 15 characters long as it will limit domain NetBIOS name only to 15 characters.

I hope you will be having at least Two \ Four core to that XEON CPU which is enough according to  me for 15 peoples
You can deploy Hyper-V 2012 \ 2012 R2 standard edition on host server with two free Virtual machines (one 2012 R2 server as a DC and another as a Application + RD Gateway server to which your users will get connected  for accessing application).

Then you can have one public SSL certificate for Remote Desktop gateway server and RDS cals for users who are going to connect.

Mahesh.
0
 

Author Comment

by:cmp119
ID: 39972237
What do you think about using RDP without a VPN connection?  My understanding is an RDP connection is already an encrypted connection.
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:cmp119
ID: 39972263
The single Intel XEON E-24XX V2 Processor has eight cores.  I just don't like the idea of using automatedproductionsgroup\JohnDoe.  It would be so much better using apg\JonhDoe.  I believe you stated it will only take the first 15 characters, so I guess it would be automatedproduc\JohnDoe then.  If that is the case, that still does not look right and appears to be cumbersome.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39972978
In previous comment, When I said that you can use RD gateway server, you are ultimately using encrypted RDP sessions only because RD gateway requires SSL certificate for communications
RD Gateway is the server through which you are getting authenticated with AD and able to logon to internal server with RDP only
RD Gateway server IP is published on internet with public DNS name
For Ex: RDgateway.automatedProductiongroup.com
OR
yourapp.automatedProductiongroup.com
Also please note that even if you keep automatedProductiongroup.com as domain name, you can keep custom NetBIOS name such as APC and AD will give you option during initial AD setup

Check below link for more info to setup RD gateway server
http://ryanmangansitblog.com/2013/03/27/deploying-remote-desktop-gateway-rds-2012/

Mahesh.
0
 

Author Comment

by:cmp119
ID: 39973578
I am sorry to say the client stated they are happy using logmein himachi as a VPN solution to simply access server shares to access there data.  They were not willing to spend more for RDP licenses, extra processor, more memory, and an SSL Certificate.  

Thank you for your feedback.  It was greatly appreciated.
0
 

Author Comment

by:cmp119
ID: 39973599
Mahesh -

I am trying to understand your statement:

Also please note that even if you keep automatedProductiongroup.com as domain name, you can keep custom NetBIOS name such as APC and AD will give you option during initial AD setup

I presume you are suggesting I go ahead and setup the AD domain name as automatedProductiongroup.com.  I do not understand the portion pertaining to a custom NetBIOS name.

Maybe you can forward some articles pertaining to this so that I have a better understanding. Thank.s
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 250 total points
ID: 39974254
When you run dcpromo, you will come to know What I am trying to Say

By default when you run dcpromo, system will provide NetBIOS name to your specified AD domain, which is same as domain name

For Ex: Your domain name is Contoso.com
Then system will auto generate NetBIOS name and keep in front of you such as CONTOSO . You can change it if wanted to, the best practice is to keep it as it is as suggested by system
However if your domain name is more than 15 characters long, due to limitations of NetBIOS name in Windows, it can be max 15 characters long
Hence you don't have left any choice other than renaming it to some meaningful name

For Ex: ContosoNetworkSystems.com domain requires that NetBIOS name should be equal to domain name (CONTOSONETWORKSYSTEMS) which is simply not possible due to system restrictions and hence it will accept only 1st 15 characters, that you can change any way to some meaningful name such as CONTOSO only

Check dcpromo advanced wizard for clear understanding
http://www.jppinto.com/2010/07/dcpromo-on-windows-server-2008/

Mahesh.
0
 

Author Closing Comment

by:cmp119
ID: 39975082
Thank you gentlemen for your input and suggestions.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Losing network connectivity 8 70
website went down 6 35
Is it possible to create a playfile with setacl or icacle? 3 26
Group policy backup error 8 25
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now