
domain questions?


aspenjim


I'm going to set up my first domain controller (SBS 2003) for a customer next week and would like to know the pros and cons and differences between logging on to the computer and logging on to the domain. I know one difference is I can't do Windows updates or otherwise alter any files in the Windows directory while logged on to the domain. This is going into a small Head Start school with about 10 clients (2 being mobile).

The reason I ask is I also do the IT work for a nursing home and they have a domain. I've noticed (through doing upgrades and software updates) that I almost always have to be logged off the domain to make changes. More specifically why I ask is about 5 out of 10 clients logon to the computer and the other 5 logon to the domain.

I'd like to get some consistency in new install, but need some advice in this next week.

I also have trouble with configuring DNS and DHCP when the server has 2 NICs and a Linksys router connected to a wireless bridge supplying the internet. My long-term goal with my personal server is ISA 2004, but without the firewall function (just the acceleration part). Could someone also tell me the preferred settings for the 2 NICs when one will be connected to a router and the other to the local network? I use the 10.10.10.0 subnet for the LAN and leave the NIC connected to the router dynamic.

Thx,

aj



I also have trouble with configuring DNS and DHCP when the server has 2 NICs and a Linksys router connected to a wireless bridge supplying the internet. My long-term goal with my personal server is ISA 2004, but without the firewall function (just the acceleration part).
I'd suggest not using the server as a router (you've already got a router, you don't need two), especially if you are only going to use ISA 2004 as a caching device (there are articles on how to configure ISA with only one NIC). I'd say configure DHCP to pass out the Linksys address as the gateway, and your SBS server as the WINS/DNS server (you should have DHCP, DNS, and WINS server services installed on your SBS server), and disable the DHCP services of the Linksys device. Active Directory is highly dependent on DNS, and using the Windows DHCP, DNS, and WINS server services reduces some of the issues that can arise when using non-Microsoft versions of these services in an AD environment.
I've noticed (through doing upgrades and software updates) that I almost always have to be logged off the domain to make changes.

Most likely, the user account you're using on the domain isn't a domain administrator - add the account to the domain administrators group, and you should not have that problem.

As to the domain issue, it's always easier to have centralized control over all of the PCs when using a domain structure, but you may not want or need the centralized security, login scripting, and permissions that a domain provides. I really don't see a need not to have a domain, but some people just don't want to bother with the extra work it takes to make one work properly (and it is understandable if that person is not an administrator by trade).

I would say that you made a good choice in using SBS 2003 as the server since you plan on using one box for everything. It's a great product, and makes all configuration of everything about your domain very easy (read: wizard-driven).

Edited by cluberti
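The single-NIC layout cluberti describes (router as gateway, SBS box as DNS/WINS/DHCP, router DHCP switched off), written out as a Windows Server 2003 batch file. This is an added example, not cluberti's or Microsoft's own script; the addresses (router 10.10.10.1, server 10.10.10.2 on aspenjim's 10.10.10.0 subnet), the zone name example.local, the scope range and the adapter name are all assumptions.

```batch
@echo off
REM Added example (not from the thread): one-NIC SBS 2003 layout from cluberti's reply.
REM Assumed addresses on the 10.10.10.0/24 LAN aspenjim mentioned:
REM   10.10.10.1  Linksys router (default gateway; DHCP on the router turned OFF)
REM   10.10.10.2  SBS 2003 server (DNS, WINS, DHCP)
REM "Local Area Connection" is the default adapter name; confirm yours with
REM   netsh interface ip show config
REM Run from a cmd prompt on the server after the second NIC has been disabled.

set ROUTER=10.10.10.1
set SERVER=10.10.10.2
set NIC=Local Area Connection
set ZONE=example.local

REM 1. Static address for the server; the router stays the only default gateway.
netsh interface ip set address name="%NIC%" source=static addr=%SERVER% mask=255.255.255.0 gateway=%ROUTER% gwmetric=1

REM 2. A domain controller must resolve its own AD zone, so primary DNS points at itself.
REM    A non-AD resolver listed FIRST is the classic cause of "domain not found" errors.
netsh interface ip set dns name="%NIC%" source=static addr=%SERVER%
REM    Optional secondary as suggested later in the thread; it must stay second.
netsh interface ip add dns name="%NIC%" addr=%ROUTER% index=2

REM 3. One DHCP scope that hands clients the router as gateway (option 003)
REM    and the server as DNS (006), DNS suffix (015), WINS (044) and node type (046).
netsh dhcp server add scope 10.10.10.0 255.255.255.0 "Head Start LAN" "Added example scope"
netsh dhcp server scope 10.10.10.0 add iprange 10.10.10.100 10.10.10.199
netsh dhcp server scope 10.10.10.0 set optionvalue 003 IPADDRESS %ROUTER%
netsh dhcp server scope 10.10.10.0 set optionvalue 006 IPADDRESS %SERVER%
netsh dhcp server scope 10.10.10.0 set optionvalue 015 STRING %ZONE%
netsh dhcp server scope 10.10.10.0 set optionvalue 044 IPADDRESS %SERVER%
netsh dhcp server scope 10.10.10.0 set optionvalue 046 BYTE 8
netsh dhcp server scope 10.10.10.0 set state 1

REM 4. Checks: the SRV record clients use to locate a DC must resolve via the server,
REM    and the scope must show as Active.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%ZONE% %SERVER%
netsh dhcp server show scope
```

The order matters: set the static address and DNS before running the SBS "Connect to the Internet" wizard, and leave the server's DHCP service authorized in AD (the wizard does this) or clients will get no leases. Keep the router's own DHCP off, otherwise clients that happen to lease from the router get the router as DNS and cannot find the domain.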

I'd leave it as a workgroup server and not a domain controller, but it shuts down every few hours and complains about violating the EULA. My server always complains about the router, and then I have trouble getting by the "Configure DHCP scopes" step when the wizard comes up. I also want to learn the RIS stuff, and in that case it has to be a domain controller and have AD installed. I'd let it be the DHCP server, but I have a customer in the offices next to me tapped into my internet, and I need to keep the internet going 24/7 for them, and occasionally my server is down.

Edited by aspenjim

I'd leave it as a workgroup server and not a domain controller, but it shuts down every few hours and complains about violating the EULA. My server always complains about the router, and then I have trouble getting by the "Configure DHCP scopes" step when the wizard comes up. I also want to learn the RIS stuff, and in that case it has to be a domain controller and have AD installed. I'd let it be the DHCP server, but I have a customer in the offices next to me tapped into my internet, and I need to keep the internet going 24/7 for them, and occasionally my server is down.

You should make sure you set it up as a domain controller, with a domain name such as example.local. SBS 2003 is an excellent choice. Remove/disable 1 of the NICs and use only 1; you can re-enable it later when/if you install ISA. Set a static IP address, and if you still need the router then disable server DHCP and reserve the server IP address or use one outside the router's DHCP range. The server will be the primary DNS controller; make sure it points to itself for DNS settings, and you can use the router IP as secondary DNS. Set the router as the gateway, then make sure all workstations have the server IP address as the DNS server. Enable/disable Exchange as required during the wizard setup and you should have internet for all computers.

As for admin... NEVER give users admin status on the server. If they need admin privileges to work on the workstation, then join the domain, reboot, log in to the local machine with the Administrator account, then go to User Accounts and add a new user: add the domain login name, then add the server domain name (don't browse), click Next, then select Administrator, then reboot and log in to the domain. You should still have admin status on the workstation but be a user on the server.
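The workstation-side step from the reply above (local admin on the PC, plain user on the domain) done from a cmd prompt instead of the User Accounts applet, with the checks a practitioner would run afterwards. Added example, not the poster's own commands; the NetBIOS domain name EXAMPLE and the user jsmith are assumptions.

```batch
@echo off
REM Added example (not from the thread): grant a domain user admin rights on THIS
REM workstation only. Run on the already-joined PC while logged on as the LOCAL
REM Administrator. Assumed names: domain EXAMPLE (NetBIOS name of example.local),
REM user jsmith. Nothing here changes group membership on the server.

set DOMAIN=EXAMPLE
set USER=jsmith

REM Membership in the machine's local Administrators group is what gives install
REM rights on the workstation; it confers nothing on the domain controller.
net localgroup Administrators "%DOMAIN%\%USER%" /add

REM Lower-privilege alternative mentioned later in the thread: Power Users can
REM install most software but cannot replace system files or change security.
REM net localgroup "Power Users" "%DOMAIN%\%USER%" /add

REM Check 1: who holds local admin on this box (should be Administrator,
REM Domain Admins, and only the users you added on purpose).
net localgroup Administrators

REM Check 2: the user must NOT be in Domain Admins, or the "user on the server"
REM half of the advice is lost and they are admin on every machine.
net group "Domain Admins" /domain
```

If several users need the same rights, add a domain group (for example Teachers) to the local Administrators group instead of individual accounts, so membership is managed on the server and removed in one place when someone leaves.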


Creating a domain would provide some benefits for your clients: creation of network drives for file storage, sharing and backup; easier management of user accounts and permissions to shares and network resources; also easier setup of email and other network services for all users. Go with the domain setup; in the long run it will save you headaches if they ever grow or need more than a workgroup can offer them.


What's the fundamental difference in the logons - logon to this computer and logon to the domain? Sorry for such a basic question. I want to get everybody the same so we can start a password resetting schedule. What would the preferred logon be and why? I also want to set up logon scripts so everyone gets to the right documents.

Edited by aspenjim

Having users log onto the domain will allow you to better control them. Using group policy and security groups you can determine what they do and don't have access to on their local computer/network. Also, by logging onto the domain they will become authenticated on the domain, which allows for easier access to network resources (printers, shares, etc.). Usually, if you go through the trouble required to set up a domain, there isn't much of a point in giving your users local (non-domain) accounts.


I do not know of a way to control password resets and changes on a number of machines at once without a domain; inside a domain it's fairly easy.

Also, as kyuuzo was saying, there isn't any point for them to have local accounts. You can grant or refuse "log on locally" permissions, as well as make a specific user or all users "local admins" or "power users", allowing them to install and change things on the local machine while logged in. This may or may not be a good thing in your environment. In most domains the goal is to lock the user down as much as you can so they cannot do anything more than they need to. However, I work in an environment where the users NEED to be local admins just for one specific job-critical program to work, so all security on the local machines is lost and I spend my time killing viruses and malware. Something to consider when you decide what rights a user will have to a machine.


Logging onto the computer is just like logging on at home - there's no communication with the domain structure, thus no policies, logon scripts, etc. get applied to the machine and/or the user. Also, the user account used is local to the machine (rather than an account stored in a centralized directory), and if you need to share files or folders based on permissions, you will need the same user account (with the same passwords!) on all of the other machines you wish to access. Obviously, if the machines are in the domain, you only have one location where user account information is stored, making file sharing, password resets, even user profile storage much more centralized and easier to manage.


I'm embarrassed a little. I've been working on PCs professionally since 1999 and can get them connected to a domain, usually with no problem. Installing software is sometimes a problem. I've never set up a true domain with 10 users. Lots of peer networks, though. Just thought this would be a good place to learn the best methods.

@Ghostrider... that's what I need to do. Thanks.

Edited by aspenjim