hypercube asked:

Introducing Windows Server

Background
I've been doing peer-to-peer networks for a long time.  While I've worked with Windows Server systems, it's not at all the mainstream technology in the market I deal with.  For those customers who are using Windows Server, they have no idea why and are only using them as file servers.  So, the level of experience that I've gained is limited.  Yet, I'm perfectly capable of learning more and through a more serious initiative.

To be honest, we're doing fine without any servers - that's our long-standing way of doing things.  
And, we are doing quite well with more computers involved in a single network than some imagine reasonable.
But, we should be concerned that we could be missing something important and should be learning things and trying things.

I tend to think of systems as a collection of functional blocks.  So, I think of servers the same way.  They start out as nothing much more than just a computer with a few "different" tools.  Many of the things that the mainstream folks seem to think of as "server" tasks can also be done with a Windows workstation OS - so there's a perspective issue there but not an actual, technical difference.  

Objective
In order to introduce Windows server technology into (or alongside) a production environment WITHOUT disruption for starters and WITHOUT looking for a pristine setup for starters, what things would you add to the mix of capabilities using a Windows server and why?  
If you don't "like" this objective then perhaps reconsider the sermon that you might want to deliver.  :-)
(Sorry, speaking from experience here - and much of this is driven by environmental factors that are out of your or my control.  Think of it this way: you would be helping me get your perspective in meeting a rather limited goal).

Things that I can already think of:
- File server (although I see little real need for this, it wouldn't be disruptive and there may be tools that are useful)
- Radius server or the equivalent (maybe disruptive)
- AD (but I don't have an idea what this really means in a minimal implementation sense).  Goes along with name service.  Perhaps name service between subnets - which we don't have now (via MPLS).  Maybe think "minimal" vs. "whole hog".
- WMI or SIEM and whatever it entails.
- Windows Update management.  What does it bring besides #control#?  I'd be looking for "better/quicker" compared to individual workstation updates.  (50 computers to deal with - and they are already being dealt with).  Maybe just automated checking?
Things that I don't care about:
- web servers
- DHCP servers (but maybe...)

So, a useful answer for me would be like this:
Set up a server in a corner and implement one thing:
[here is the one thing]
Then add another:
[here is the other thing]
etc.
Consider more disruptive changes in some order of "not very disruptive" and "really useful":
-
-
-

I'd just like to get some opinions for a gradual introduction - as the "introduction" may become the "final answer".  A few nuggets for initial implementation could be very useful advice.
Dave Baldwin

The main reason for 'servers' is sharing.  Windows non-servers are limited in the number of connections they can have.  Windows servers are limited only by the resources available.  Note that most NAS boxes are Linux based.
So, as an IT Professional who does this all the time, let me ask you, what is your end goal?  The watchword for anything here is to use the KISS method.  

So, what is it that you are lacking now?  
What is it that your computers or network is not doing for you?  
What is your current structure?
How big is your business?
Where do you want to go with this?
What are your concerns? Security, Hacking, Malware Infections, Ransomware, Loss of Data?

Server 2016 can do a ton of things, but is it the right solution for you? Yes, it can excel as a file server, but so can a good NAS unit.

You could use this for some networking services, but a Router or Firewall can also do this.

If you are not in a domain environment now, you manage everything through every device.  Adding a Domain with Active Directory lets you centrally manage the security of all your users, data and computers.  If you go that route though, for best practices you need 2 Servers.

So, to really give you some realistic answers, give me an idea of your size, current configuration and where you want to go with this.  It sounds like someone has the itch for 2016, but no idea of what it will do for them.

I will tell you though, that if you are running any kind of business, a peer to peer network is not the way to go unless you are very small and use some central storage, like a NAS for your shared files.  

I can also tell you that you need good and robust backups in any case.

So, if you have never set up a server and just want to introduce something, a File Server is pretty harmless.

Unless you know, and have a distinct need for a Radius server, WMI, SIEM, Windows Update Management, Polka CD of the Month Club, don't even think in that direction.

Utilize your technology.  If my small business had 50 workstations, you are darn right I would be setting up at least a couple of servers.  The amount of administrative overhead on all of those PCs with their shares, etc. would more than justify going into a Domain Structure.

In that case, I would set up 2 Active Directory Domain Controllers, each handling DNS and DHCP.  For a company like this without a massive amount of data, you could get away with using those DCs as file servers as well; however, it is recommended to put the file servers somewhere other than the Domain Controller.

Again use the KISS method and do not complicate this more than it needs to be.
ASKER CERTIFIED SOLUTION
Cliff Galiher
ASKER

Steve McCarthy:  Nobody has an itch for anything in particular.  As I said, 50 computers.
The setup is 3 sites with 3 subnets/workgroups that are interconnected via MPLS using IP addressing.
The sites vary in size.  10 workstations, 14 workstations and 25 workstations.
SIEM is implemented with WMI using one monitoring computer / access is configured on the workstations manually.
Network monitoring is implemented separately at each site with a little overlap.
We make good use of remote access for all this.
File sharing is distributed among a number of workstation/file servers.  Their access is configured on the workstations manually as file access is needed.
Backups are triply redundant across the sites and in the cloud.
Windows update status is monitored manually and I've been looking for something more automated.  A nice to have.


Overall, this isn't too much of a workload and it works pretty well.  
The addition of SIEM has been more work as Windows updates flow into the system and change settings.
It isn't likely that updates will be "tested" before being installed - no matter what.

But maybe SIEM could be made easier to maintain.  Things like that are on my mind.  Thus the question.

"a peer to peer network is not the way to go unless you are very small"
The opinions on this run from 5 to 25 computers.
So we're at the high end of that at one site and the inter-site communication doesn't add much.  Maybe our tolerance for hard work and diligence is better than average.  I don't know any better.

"and use some central storage, like a NAS for your shared files"
Not doing centralized storage was an initial objective.  Before my time.  But I'm not seeing a disadvantage in distributed storage with centralized and redundant backup.
SOLUTION
Alan:  Great examples!

"A user needs to log in to a different machine"
And so?

"A user forgets their password"
And so?

"Permissions on network shares need to be altered"
I've done this...

"Answering 'Who has access to this XXX currently?'"
???

"PC dies - I can replace it and have them up and running with all settings and configuration exactly as per every other machine using minutes of my (billable) time."
How is that done?  I can imagine the simple stuff but what about custom DCOM settings, WMI settings, etc?  I can imagine Group Policies and the like but....  and... "as per every other machine"?  They aren't the same..  ??

Hi,

If you set up a user in AD, then you can allow them to log in to any machine (or any sub-set of machines) with no additional setup required.

User forgets their password, you just reset it from AD, or delegate that to someone onsite who can do that for all users, without having to give anyone admin access to the machines.

Permissions on network shares - you can create a security group and just add / remove people from the group without setting individual permissions all over shares / subfolders.

How are you setting all the config / software installs etc on workstations currently?  I am guessing you are doing it all manually, and if using an image, you have to change the image each time something changes.  With Group Policy, that all happens automatically, and if you need to change anything, then you do it once, and all workstations will get updated - no chance of someone forgetting a machine for example, and you don't have to wait for users to be off the machine, then log in remotely (or run around all the machines physically).  I have seen plenty of examples where the admin is 'reluctant' to make a change due to the time it would take until you point out they can do it once with a GPO, and then they magically are all for it.

Answering 'Who has access to this XXX currently?' - If you have set permissions directly on shares, then it is very difficult to know who has access to what.  If you set up security groups, you can then see who has access, or conversely, easily see everything that a given user has access to.


Just examples of course.  As I mentioned before - this is all about time and therefore cost, not whether it *could* be done without a server (almost anything can be).


Alan.
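
The "who has access to this currently?" question from the post above can be answered with a short report once permissions are granted through AD security groups. This is an added example, not part of the original thread; it assumes the RSAT ActiveDirectory module on a domain-joined machine, and the function name `Get-FolderAccessReport`, the share path and the `CONTOSO` domain name are hypothetical.

```powershell
# Added example: list who can reach a folder, with AD groups expanded to users.
# Assumes the RSAT ActiveDirectory module and a domain-joined file server.
Import-Module ActiveDirectory

function Get-FolderAccessReport {
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    foreach ($rule in (Get-Acl -Path $Path).Access) {
        $identity = $rule.IdentityReference.Value        # e.g. CONTOSO\Finance-RW (constructed)
        $name     = ($identity -split '\\')[-1]           # drop the domain prefix
        $safeName = $name.Replace("'", "''")              # escape quotes for the AD filter

        # -Filter returns nothing (instead of throwing) when the entry is not an AD group.
        $group = Get-ADGroup -Filter "SamAccountName -eq '$safeName'"

        if ($group) {
            # Expand nested groups so the report lists people, not group names.
            $members = Get-ADGroupMember -Identity $group -Recursive |
                       Where-Object objectClass -eq 'user' |
                       Select-Object -ExpandProperty SamAccountName
        } else {
            # Direct user grant or a built-in principal such as SYSTEM.
            $members = @($name)
        }

        foreach ($m in $members) {
            [pscustomobject]@{
                Account   = $m
                Via       = if ($group) { $identity } else { 'direct ACL entry' }
                Rights    = $rule.FileSystemRights
                Type      = $rule.AccessControlType
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Hypothetical share path; replace with a real folder.
Get-FolderAccessReport -Path '\\fileserver01\Shared\Finance' |
    Sort-Object Account, Via |
    Format-Table -AutoSize
```

Rows marked `direct ACL entry` are the per-user grants that make this question hard to answer without groups. The report covers the NTFS ACL only; share-level permissions are separate and can be listed with `Get-SmbShareAccess`.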
SOLUTION
There have been many good points made here so far.  All are good food for thought.  Most of them I understand and some of them I think I get the idea.  

I appreciate the comment about cost.
Even though I'm paid strictly on time and materials, nonetheless, for the customer's benefit, I try to minimize what *I* cost them.  I'm sure that you do the same.  

I didn't start this question to set up barriers or to do a sales pitch.  My feeling is that there *is* likely benefit such as many have described.  At the same time, I think I'm going to have to take it fairly gradually.  I don't see any other way that will be acceptable.

- Setting up a new system is going to take time.  So that's a cost on top of everything currently ongoing.  I have to be sensitive to that.
- I could hire a consultant to help with the architecture and the transition planning.  That may be the best approach.
- There is no particular "pain" .. yet.
- Nonetheless, I'd like to pursue what we're discussing here.  So, the question was "how?".
It seems clear enough to me that adding a domain will be a fairly big deal - perhaps the biggest technical/operational hurdle.
Yet, many of the "benefits" depend on that.

Maybe I could set up a domain at one of the smaller sites first?  And then, because the sites are small enough, expand it into another site and so on until the largest site has been incorporated?  Or is that a bad idea?
What else?
SOLUTION