
Logon to computer vs logon to domain



Hey everyone. I am getting ready to install a new Server 2003 in a local sheriff's dept. Right now, the old server is 2003 with around 25 clients. It is set up as a workgroup server (no domain), where all of the clients (2000, XP Home and Pro) log in to a database which is apparently run by SQL Server 2000, all using Administrator and the same password. I don't have to worry about reconfiguring SQL, because the vendor that supplies the software will do that.

My question is.... which is the preferred method (or advantages) of logging on to the computer or the domain? I've added other PCs to a similar 2000 domain and some are logging on to the local PC and others are logging on to the domain. I've learned through another post I made in here a while back to set up the users with domain admin rights, and then I get away from having to log off of the domain to do Windows updates, etc. Is one advantage that users can log on to the domain from any PC on the network and have access to their docs, etc.?

Right now also, this particular account has a volume license and 20 CALs for both SQL and 2003. However, the CALs were never installed and the "License MGR" is disabled. That is probably because they have about 10 XP Home PCs. I've only set up one other domain (with success) and they have 4 XP Pro and 5 XP Home clients and I've never run into the issue of having to install additional CALs.

What would be nice is if a few of the readers of this might post a link or 2 to guides to setting up a domain, with the pros and cons of different scenarios. Unfortunately, I live in a small rural town, and don't have access to professionally set up servers to study their methods, and obviously I'm not certified.

TIA for any input

aj

Edited by aspenjim


You definitely want to opt for setting up a domain vs. letting them use local user accounts. There are several reasons for this:

1. Probably the biggest...Group Policies. You can control all sorts of settings on the clients through Group Policies.

2. Centralized user management.

3. User accountability. With their current setup they have no way of truly knowing who did what. If something in the database gets messed up...how do you know who did it? Just because it comes from a particular workstation doesn't really prove anything...they all use the same username/password.

4. Security. This comes in with Group Policies and several other technologies inherent to using a domain structure.

5. Logon scripts. You can map drives, display messages, etc, etc using logon scripts. You really don't realize how handy they are until you start using them.

Also, they should not all be setup with Domain Admin privs. This is extremely dangerous to the well being of your domain and network. To be honest, they really shouldn't have Local Admin access to the workstations either.

One thing to note is that you will NOT be able to join the Windows XP Home machines to the domain. Windows XP Home was not designed for corporate networks and doesn't have the capability of joining a domain. Those machines will need to be upgraded to Windows XP Professional.

Here's a TechNet article on Active Directory features and technologies:

http://technet2.microsoft.com/WindowsServe...6241f91033.mspx

And here's one on Group Policy:

http://technet2.microsoft.com/WindowsServe...6241f91033.mspx


So that means "logon to the domain", right? From what I see (and maybe it's a one time thing), it takes a long time for the first logon. I initially set clients up that way, but shied away when I found out I couldn't do Windows updates without first logging off the domain. Also, in another government account I picked up, they have an Access database and I couldn't install the client software while logged on to the domain, because of the MDAC components it had to install. It seems like the drive mappings were way harder to get right. They liked U for users, S for shared, and H for the database. I would install the software as the Administrator, and then set up a user account and log on as the new user, and the U, S and H drive letters weren't available. Then I would get all ugly errors, because they couldn't get into the database, etc. So from a previous post I made here at MSFN, someone suggested giving them domain admin rights. I did this and the installs started getting a little easier. The first couple took me about 3 hours each to do a seemingly simple task. Now doing it the "domain admin" way, and then installing the client software, was much easier. I realize this is a security hazard, but in this case, it is a nursing home and the users are quite naive. (It is pretty embarrassing to me to take 3 hours to do a 15 minute job, but I'm a rookie at this domain business). I also fully realize that XP Home can't join a domain. I didn't sell the PCs, just took over the accounts.

So when one is logged on to the domain, are all of the docs, favorites, etc. stored on the server by default? I have set everyone's docs up on the server for backup purposes in a data partition.

Back to the Sheriff Dept where the new server is going to be..... Right now they have a P3-933 w/ 512 MB of RAM supporting about 25 users. I plan to install a Dell 1800 with 2 - 3.0 Xeon procs and 2 - 73 gig 15k SCSI drives in RAID 1 and 2 gigs of RAM. If I do manage to pull this off this way (logging on to the domain), will they notice a speed decrease (in exchange for security)? If so, I need to prewarn them that security is the trade-off for speed. They have $24000 they need to spend pretty quick, so I was going to suggest getting everyone upgraded to XP Pro from Home and 2000. They are also getting a T1 and a new SonicWall and Cisco router and 3 Cisco 1200 APs along with a barcoding setup for inmate wristbands with this 24k. I'm only providing the server and XP software.

This is going to be a major stretch for me to pull this off and look like I fully know what I'm doing, working with these other vendors (the barcoding people and the ISP). Right now the entire setup is a joke. But in their defense, they built a new jail with 125 beds and originally had one with 5, and over the last 5 years went from about 5 PCs (including the P3 server) to around 35, some provided by the CBI, Canteen people etc.

I will read the links you provided and see if I can clarify some things on my own.

Also, as far as the login scripts, the nursing home account I got has a 2000 server and it is set up with scripts. It is pretty impressive how cleanly it works. I've tried to use it as my example and have studied it, and as I have added clients, I copied the scripts and made slight modifications to the drive mappings for individual users. That is, however, where I was saying that it originally took me 3 hours to do a 15 minute job.

thanks again for the advice. I will have more questions, I'm sure.

aj

BTW.. those are the same link (and the terminology is hard to grasp, e.g. "schema"). Also, would you kindly explain the role of CALs? Is it just a legal requirement from Microsoft? Both of the 2003 server networks I support have the "license manager" service disabled.

Edited by aspenjim

Almost any piece of software you install is going to require Local Administrator privileges on the workstation. Giving them Domain Admin privileges gives them access to screw up A LOT of things for EVERYONE...even if they don't do it on purpose. You should never give a user Admin privs on the local workstation. This limits them so that they can't install software (i.e. Spyware, Adware, Viruses) and helps to keep everything clean and running smoothly. The thing you have to remember is it's not about making it easier for you to complete tasks, it's about making it harder for them to screw things up. Giving them Domain Admin gives them full access to every computer on the network...including the server. One rampant virus can take the entire thing down.

As for the drive maps...drive maps are per profile. This is why you use logon scripts. You can have it automatically map the drives each time they logon. This can be something as simple as a CMD file or something as "complicated" as a KiX or VBS script.
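As an added illustration of the "simple CMD file" logon script mentioned above (this is not a script from the thread or from any poster), the following maps the U:, S: and H: letters that aspenjim's nursing home site uses. The server name FILESRV1 and the share names Users$, Shared$ and Database$ are placeholders; nothing in the thread names them. It runs under the logging-on user's own account, so it needs no admin rights, which is the point: drive letters come from the script, not from giving users Domain Admin.

```batch
@echo off
REM Added example logon script (not from the thread): maps the U:, S: and H:
REM drive letters each time a domain user logs on.
REM Assumptions (placeholders, not names from the thread):
REM   FILESRV1   - the file server hosting the shares
REM   Users$     - share holding one sub-folder per user, named after the account
REM   Shared$    - department-wide share
REM   Database$  - share the database client software expects on H:
REM Deploy it from the NETLOGON share as the account's logon script, or as a
REM Group Policy logon script.

setlocal
set FILESRV=FILESRV1

REM A local (non-domain) logon has USERDOMAIN equal to COMPUTERNAME; the
REM domain shares are not reachable with local credentials, so skip them.
if /i "%USERDOMAIN%"=="%COMPUTERNAME%" (
    echo Local logon detected, domain drive mappings skipped.
    goto :eof
)

REM Remove stale mappings left by another user's profile or an earlier
REM script so the letters are free; /y answers any confirmation prompt.
for %%L in (U S H) do net use %%L: /delete /y >nul 2>&1

REM /persistent:no keeps the mapping out of the saved profile; the script
REM recreates it at every logon, so renaming the server later does not
REM require touching each workstation.
net use U: \\%FILESRV%\Users$\%USERNAME% /persistent:no
if errorlevel 1 echo WARNING: could not map U: to \\%FILESRV%\Users$\%USERNAME%

net use S: \\%FILESRV%\Shared$ /persistent:no
if errorlevel 1 echo WARNING: could not map S: to \\%FILESRV%\Shared$

net use H: \\%FILESRV%\Database$ /persistent:no
if errorlevel 1 echo WARNING: could not map H: to \\%FILESRV%\Database$

endlocal
```

The per-user U: mapping only works if the folder under Users$ carries the same name as the account and the NTFS permissions on it grant that user (and not everyone else) access; the share itself can stay readable to Domain Users because NTFS does the real restriction.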

As for running Windows Update...this is something the systems administrator should be doing anyway. Create your own domain account and put that in the Domain Admins group. This will automatically give you local admin on all workstations and you'll be able to run Windows Update under your logon. However, instead of using Windows Update I recommend looking into WSUS (Windows Server Update Services). It's basically a local Windows Update server and you can approve or disapprove which patches to install. It can be set up to auto-approve certain types of patches...it's very granular so you can narrow it down to "all critical patches for Windows XP Service Pack 2" if you want. Once you get WSUS running you force the clients to use it through Group Policy settings for the Automatic Updates client.
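For reference, here is what the Group Policy settings just mentioned actually write on a client. This is an added example, not anything posted in the thread: the "Specify intranet Microsoft update service location" and "Configure Automatic Updates" policies store their values under the WindowsUpdate policy key, and the script below sets the same values directly. On the domain-joined XP Pro machines you would let Group Policy do this; the XP Home boxes in the thread cannot join the domain and so never receive the GPO, which makes a script like this one way to point them at the same WSUS server until they are upgraded. The WSUS address http://WSUS01 is a placeholder.

```batch
@echo off
REM Added example (not from the thread): the Automatic Updates client policy
REM values that the two WSUS-related Group Policy settings write.
REM Assumption: the WSUS server answers at http://WSUS01 (placeholder name).
REM Run as a local administrator on the client.

setlocal
set WSUSURL=http://WSUS01
set WUKEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

REM Where to fetch updates from and where to report status (same server here).
reg add "%WUKEY%" /v WUServer /t REG_SZ /d "%WSUSURL%" /f
reg add "%WUKEY%" /v WUStatusServer /t REG_SZ /d "%WSUSURL%" /f

REM Automatic Updates settings: use the intranet server instead of
REM windowsupdate.microsoft.com, keep AU switched on, and choose option 4
REM (auto download and schedule the install) every day (0) at 03:00 (3).
reg add "%WUKEY%\AU" /v UseWUServer /t REG_DWORD /d 1 /f
reg add "%WUKEY%\AU" /v NoAutoUpdate /t REG_DWORD /d 0 /f
reg add "%WUKEY%\AU" /v AUOptions /t REG_DWORD /d 4 /f
reg add "%WUKEY%\AU" /v ScheduledInstallDay /t REG_DWORD /d 0 /f
reg add "%WUKEY%\AU" /v ScheduledInstallTime /t REG_DWORD /d 3 /f

REM Show what is now in effect, then ask the AU client to contact the
REM WSUS server right away instead of waiting for its next detection cycle.
reg query "%WUKEY%" /s
wuauclt /detectnow
endlocal
```

The same `reg query` line is a quick check on a domain-joined machine that the GPO really arrived: if the key is missing or WUServer still points somewhere else, the client is quietly patching (or not patching) from Microsoft's servers rather than from the approved list on WSUS.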

As for user profiles (Desktop, My Docs, Favorites, etc)...those are stored locally on the client by default. From the sound of things you want roaming profiles...which are stored server side. I've never done roaming profiles so hopefully someone else will step in and answer this one for you. Using roaming profiles will result in slower logons because everything has to be pulled from the server. If the network is decent they may not notice too much of a difference. The server upgrade will help to offset some of the speed.

I also have a suggestion on your server setup. Instead of the 1800 go with a 2800. It'll offer you a little more upgrade room and doesn't cost that much more. I'd also look into changing the drive configuration to two 36GB 15K RPM drives in RAID1 for the OS and two 73GB 15K RPM drives in RAID1 for the data. You may even want to just go ahead and get four 73GB 15K RPM drives in RAID5 (so two 36GB/RAID1 and four 73GB/RAID5). The 2800 chassis has space for 10 drives so you can still add more later (the 1800 chassis only has 6 drive slots). Split up as much of the I/O as you possibly can by also getting the split backplane option as well. This way the OS and Data drive arrays will be on different channels of the RAID controller.

As an aside, using KiXtart for logon scripts is something of a specialty for me. I'd be more than happy to help you get a basic one going so that you can see how to get started with things.


Roaming profiles are good, but the bigger they get, the longer it will take for a user to log on to his machine, and also to log off (the profile will have to sync again at that time).

Roaming Profiles and Redirection

Another alternative would be folder redirection. Redirecting important folders like My Documents to a network share will allow those files to be available at whatever PC the client logs on at. This also allows you to build the machines to a standard (standard apps, standard locations for those apps); that way, wherever they log on they will have the apps they need and their information.

From the description you gave of the server that you would be storing the profiles on, it would not be much of a decrease in speed to do roaming profiles. Though network speed plays more of a role in that case; I will assume a 100 Mbit network because that is where it should be at (especially if they are getting new Cisco switches to boot).

BTW.. those are the same link (and the terminology is hard to grasp, e.g. "schema"). Also, would you kindly explain the role of CALs? Is it just a legal requirement from Microsoft? Both of the 2003 server networks I support have the "license manager" service disabled.

In such a small environment, schema is something you won't have to worry about. For AD with only that few users, most likely a single OU (Organizational Unit) will be all that you need unless you need more granular control. As for the CALs, every computer or user that connects to the server needs a CAL, or you can license by server.

Example

--------------------

Client Access Licensing Modes

After you have selected a license type—Windows Device CAL or Windows User CAL, you have the option to use the server software in two different modes: Per User/Per Device mode or Per Server mode. Both modes are available for either type of license.

Per User or Per Device Mode

Per User/Per Device mode is defined as follows:

• A separate Windows CAL (of either type) is required for each user or device that accesses or uses the server software on any of your servers.

• The number of Windows CALs required equals the number of users or devices accessing the server software.

• If you choose this licensing mode, your choice is permanent. You can, however, reassign a Windows CAL from one device to another device or from one user to another user, provided the reassignment is made either (a) permanently away from the one device or user or (b) temporarily to accommodate the use of the Windows CAL either by a loaner device, while a permanent device is out of service, or by a temporary worker, while a regular employee is absent.

Per User/Per Device mode tends to be the most economical designation for Windows CALs in distributed computing environments where multiple servers within an organization provide services across most devices or users.

Note that Per User/Per Device mode replaces Per Seat mode, used in previous licensing models.

Per Server Mode

Per Server mode is defined as follows:

• A separate Windows CAL (of either type) is required for each user or device that accesses or uses the server software on any of your servers. (This does not change the per server connection allowance of one CAL per one connection.)

• The number of Windows CALs required equals the maximum number of users or devices that may simultaneously access or use the server software installed on a particular server. The Windows CALs you acquire are designated for use exclusively with a particular server.

• If you choose this licensing mode, you have a one-time right to switch to the other licensing mode—Per User/Per Device mode. Your Windows CALs (of either type) would then be used in Per User/Per Device mode instead.

Per Server mode tends to be the most economical designation for Windows CALs in computing environments where a small number of servers have limited access requirements.

In your case, with only one server to connect to, Per Server mode would be ideal. Out of curiosity, are you installing Windows Small Business Server or Server 2003 Standard Edition for the clients?

Server 2003 Licensing


BTW.. those are the same link
I missed that. Here's the link to the Group Policy stuff:

http://technet2.microsoft.com/WindowsServe...6deecd1033.mspx

In your case, with only one server to connect to, Per Server mode would be ideal. Out of curiosity, are you installing Windows Small Business Server or Server 2003 Standard Edition for the clients?
With the current setup, you're correct. However, if they add any more servers later, planned or not, then they'll have to purchase more CALs. I've always recommended using Per User/Device for possible future needs.

Although, if I recall correctly you can switch from Per Server to Per User/Device...just not the other way around.

Personally, I never use Per Server...but then again I work in an environment where we have 10+ servers just for Exchange. :)


You are right memnoch, you can switch once from Per Server to Per Device/User, which could be used when they go to add more servers to the network. Per Server definitely doesn't work for most companies, even those with just 2 or 3 servers, but for a single server system that probably won't be upgraded again for a year or 2 :) But I agree Per User/Device is the best way to go, but it becomes more expensive with all the CALs you have to buy. But I agree, when you have 8 machines clustered for Exchange itself you definitely have to go Per User/Device. But just wait for Exchange 12, X64 will shrink that number nicely :)


But just wait for Exchange 12, X64 will shrink that number nicely :)
Maybe...we have well over 10,000 mailboxes (not including distribution lists) for our one location. The sad thing is that we're still on Exchange 5.5. We're supposed to be upgrading to Exchange 2003 in the next few months though (they're working on migrating the domain controllers from 2000 to 2003 first).

They recently added two more domain controllers for the 2003 upgrade, taking our DC total to six.


To whomever asked, it is 2003 Standard. They purchased a volume license of 2003 in May 2004 and got 20 CALs and also purchased a volume license for SQL 2000 and 20 CALs for that. (They also got Software Assurance which should entitle them to get 2003 R2 and SQL 2005.) However, I don't think the CALs were installed, and this week their SonicWall just exceeded its 25 user license. That tells me that 5 more PCs than CALs are all connected to the server or on the network. Also, as I mentioned before, the licensing mgr is disabled on this server and another in the courthouse. That particular server was just installed a month ago as the former lease was up on it and about 10 clients. (I haven't mentioned server #3 before.) It is set up as a workgroup peer and used as a file server and also has SQL on it.

So having said that, is it possible the CALs aren't installed? This licensing business is SO **** complicated. When you all refer to devices, does that mean the APs and networked printers also? It's pretty intense trying to figure out what all they really need and what all they already have. (Right now they have a mess.) All of the docs are local and not on the server and they have at least 10 XP Homes. I've got 2 or 3 weeks to get this down in my mind and to make a solid proposal.

I never mentioned also that they are installing a T1 to connect 5 entities together, with an option to add a gigabit fiber optic line for future growth: one at the Sheriff Dept, one at the courthouse, one at the nursing home, a 4th at human services and a 5th at an "events center" (a couple of meeting rooms and the fairgrounds). They are also purchasing 15 Cisco 1200 APs. The main point of all of this is to eventually get them all on the same financial system. It is ACS Leasing, apparently a nationwide company providing govt accounting software for treasurer, assessor and finance. The entire network has about 75 PCs networked and a couple of smaller networks (ambulance and recording) with about 10 more PCs and another 2000 domain server (I don't know why it is a tiny domain as it is just used to scan and record legal documents). I guess before getting all of this advice, I should have drawn the whole picture clearly. Right now the Sheriff Dept is what I'm working on.

I want to do this right and professionally, as this county is barely crossing the "digital divide". They are having a website designed right now.... http://co.washington.co.us/

As for me, I have been a PC tech since 1999 and have been in business for myself for 3 full years now. I went through a semester of a CNA course and was hired by a company in Aspen, Colorado to help get them through Y2K and picked the rest up on my own. That particular company had about 30 - 40 networks, but almost all Novell Servers. I also worked for a year at a John Deere dealer, and got a good feel for JDIS domains, as this dealer had 5 branches.

I've gotta admit this website is an absolute goldmine of information and thank all who offer advice for this project.


If you start using AD, you are going to want to have at least 2 domain controllers, in case one goes down or in case AD get corrupted on one of the systems.
That's not really necessary for a small network. Most small networks use SBS...and there can only be one domain controller in an SBS domain.

However, having looked at the complete picture in the last post...you definitely want to go with a domain model. Make a single domain for the entire setup...something like washington.county. You can use whatever you want (just be careful not to use anything that exists out on the internet or you'll run into internal and external DNS problems at some point). In the long run you should end up with a domain controller at each site. "Site" is another term you should familiarize yourself with. Your sites can be named as such:

SherrifDept

NursingHome

Courthouse

HumanServices

etc

You'll also want to separate the workstations and users by physical location using OUs. This isn't a requirement, but is recommended. It'll help with deciding which Group Policies should apply to each location. You can even give someone at each location rights to the OUs so they can unlock user accounts and stuff without having to call you every time. Something like:

TLD (top level domain)

--SherrifDept

----Computers

----Groups

----Users

--NursingHome

----Computers

----Groups

----Users

--Courthouse

----Computers

----Groups

----Users

etc
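To make the OU layout above concrete, here is an added example (not posted by anyone in the thread) that builds it with the dsadd and dsquery command-line tools that ship with Server 2003. It assumes the domain is named washington.county as suggested earlier in the post, giving the DN suffix DC=washington,DC=county; change DOMAINDN if the real name differs. The OU names are kept exactly as written in the post, including the "SherrifDept" spelling, so that later Group Policy links and delegation refer to the same objects. Run it on a domain controller (or a workstation with the admin tools installed) as an account that is allowed to create OUs; an ordinary domain user will get access denied, which is the intended behaviour.

```batch
@echo off
REM Added example (not from the thread): creates the per-site OU tree sketched
REM in the post using dsquery/dsadd from the Server 2003 admin tools.
REM Assumption: domain washington.county -> DC=washington,DC=county.
REM Safe to re-run; existing OUs are reported and left alone.

setlocal
set DOMAINDN=DC=washington,DC=county

for %%S in (SherrifDept NursingHome Courthouse HumanServices) do (
    call :makeou "OU=%%S,%DOMAINDN%" "%%S site"
    call :makeou "OU=Computers,OU=%%S,%DOMAINDN%" "%%S workstations"
    call :makeou "OU=Groups,OU=%%S,%DOMAINDN%" "%%S groups"
    call :makeou "OU=Users,OU=%%S,%DOMAINDN%" "%%S user accounts"
)

echo.
echo Resulting OU tree:
dsquery ou %DOMAINDN% -name * -limit 0
endlocal
goto :eof

:makeou
REM %1 = distinguished name (quoted), %2 = description (quoted).
REM dsquery prints the DN when the OU already exists and nothing otherwise,
REM so an empty result means it still has to be created.
set FOUND=
for /f "delims=" %%D in ('dsquery ou %1 -scope base 2^>nul') do set FOUND=1
if defined FOUND (
    echo exists   %~1
    goto :eof
)
dsadd ou %1 -desc %2 && echo created  %~1
goto :eof
```

Once the tree exists, the per-site Group Policy objects get linked to the site OUs (or the Computers/Users sub-OUs), and the "unlock accounts without calling you" idea from the post is done with the Delegation of Control wizard on each site's Users OU, granting just the reset-password and unlock rights rather than any Domain Admin membership.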

I would also recommend looking into starting out with Server 2003 R2 from the get go. There are some changes to DFS and replication that should help things work a bit smoother.

You mentioned an existing Windows 2000 Active Directory. You should be able to migrate this into the new domain without any problems.

Doing it this way you can also consolidate all of the SQL Servers onto one box at a predetermined main location.

What I've touched on here is barely the tip of the iceberg compared to what you should be looking at. There are many documents on the Microsoft website that explain in detail how to do exactly what you're looking into doing.

Don't forget to look into backup solutions as well. There are several options available, but you may want to start out with adding a decent SDLT or LTO (preferably because the tapes hold more and are faster) into the PowerEdge 2800 you're about to purchase. Also, since you're purchasing the server new, go ahead and purchase it with Server 2003 R2 Enterprise Edition. This will automatically give you another 25 user CALs (Standard Edition only comes with 5 CALs) and support for more than 4GB RAM (not a concern if you get the X64 version).


You have to remember that I have never designed a domain before and need to keep it simple to minimize any downtime and keep their confidence in me. I have had this account for 18 months now and they have a lot of faith in me (and I want to keep it that way). My head is swimming now with all of this info and I've also been looking at other resources. I also want to use their existing 2003 server OS (or maybe the R2 upgrade they should be entitled to) to save them money and ensure that I get the hardware business. The barcoding vendor has proposed about $20k for a new server also. By me keeping their existing OS, it should be a shoo-in for the hardware. BTW, I am probably going to load XP on the existing server P3-933 and use it for a backup PC as opposed to getting a new tape drive, since it already has SCSI drives in RAID 1.


You're going to be required to purchase an OS with the server from Dell. I would keep the existing Server 2003 license on the PIII 933 box...or move the license to one of the other locations/sites. Of course, that option assumes that they're all going to be pooling finances together to get this up and running.

You're already purchasing quality hardware so downtime shouldn't be much of an issue there (that's what redundant power and RAID are for). Granted, there is always another contingency to plan for, but to take care of all of these things is well out of your budget. The PE2800 with the few extra options I suggested should help to greatly reduce any downtime.

Having more than one domain controller will also help reduce downtime. Putting one at each site will help things run smoother at each individual site. It'll also make things MUCH simpler in the long run. Start with a single domain/site at the Sheriff's Dept and then add each of the other sites as they come online with the links and hardware.


Maybe...we have well over 10,000 mailboxes (not including distribution lists) for our one location. The sad thing is that we're still on Exchange 5.5. We're supposed to be upgrading to Exchange 2003 in the next few months though (they're working on migrating the domain controllers from 2000 to 2003 first).

Ugh, 5.5, I am going to need a young priest and an old priest....

We just went through that migration; just moved the original 8 5.5 servers to a 4 node cluster of 2003 with Exchange 2003, 15000+ mailboxes running happily together :) 45 2003 DCs and R2 in the works to be life cycled into the next series of servers to go in. You'll be a happy man once you get to that native 2003 mode, runs so very smooth..

@ aspenjim

Sounds like you have a lot to work out, good luck to you.

Some things just to think on:

The Dell server that memmnoch suggested would be very ideal in this situation.

I priced one out at just under 7k for this server (10k normal price but 34% off for Dell Small Business :thumbup )

Dell 2850

2 x 2.8 Xeon Dual core

4 gigs ram (2 x 2 gig sticks)

2 36 gig 15k SCSI drives RAID 1

3 73 gig 15 SCSI drives RAID 5

All on a single backplane (yes, I know this isn't the best option but I do hate making changes on Dell's site to get the 2 + 4 backplane setup)

PowerVault 100T, DAT72, 36/72GB, Internal Tape Backup Unit w/Onboard SCSI

Server 2003 Standard edition X64 w/ 5 cals

Overall a **** good price for just about everything you need, plus you get the backup DAT add-on which is a bonus.

The RAID 1 is good for the OS partition, and since this server is being used by all these different depts and groups, the RAID 5 is in my opinion required to have data redundancy and uptime for the clients.

Since you already have the other server license with the 20 CALs, you now would have 25 CALs; if more are needed you will have to buy them in packs or individually. I won't pretend to know well how the licensing scheme works (that takes at least an MS or PhD :)). X64 is the way to go; even if you don't use it now you will later on in future upgrades (Exchange 12 will be only x64 compatible, also possibly Longhorn (next server version)). Also, using the 64-bit version will help add a little speed to the system overall.

Definitely keep the old license on that old server but upgrade it to Server 2003 R2; it can be used in the domain either as a second DC or for DHCP, or anything else you would want on a second server in case the first goes down. Also, for the SQL servers make sure they go with 2005; any old 2000 database can be installed on a 2005 server with no compatibility issues (this is what MS says, but always play the devil's advocate and test test test). As for the #3 server, like memmnoch said, migrate the accounts that are in the 2000 AD to your new 2003 DC (the Dell machine), then upgrade that machine to 2003 also, if you want to leave it at that site with SQL 2005 installed, even as a DC for that site; in case their link goes down they will still be able to function.

As for the CALs not being installed, this is OK, but in the new environment you will want to log the CALs so you can keep track of what is being used and know when you will need to buy more.

Use memmnoch's advice for the OUs and sites; they are right on target for that and will make your life as an admin easier in the future.


Attached is a PDF of the way I'd configure the server. It comes in at roughly $8.5K, but I included a few more things (like 2003 R2 X64 Enterprise Edition instead of Standard).

Basically:

- Dual Xeon 3.8GHz w/ Hyperthreading -- it's actually a little cheaper than doing the 2x2.8GHz Dual-Core Xeons and will likely be faster. Either one is going to be plenty fast.

- 4GB RAM -- no change

- 2x36GB 15K RPM RAID1 for OS -- no change

- 4x73GB 15K RPM RAID5 for data -- added one drive for slight speed increase as well as extra storage. This still leaves you with two built in slots and the option to get the media bay drive cage to add another two drives. You could even add one more and set it up as a hot spare (or just get the 4 I configured, set three up in RAID5 and one as a hot spare...extra redundancy).

- Server 2003 R2 X64 Enterprise Edition -- only because it comes with 25 CALs and it's obvious they'll need them later. This is where the major difference in our price comes from as Enterprise Edition adds almost $1650.

- 2x4 Split Backplane -- better for I/O operations

- PowerVault 100T DAT drive w/ controller -- same

- Onboard NICs vs. the default option of Intel PRO/1000MT add-in adapters -- if I'm not mistaken, the onboard NICs in the server are already Intel PRO/1000MT adapters so there's no need to add anymore. If they aren't the Intel adapters then they're Broadcom GigE adapters, which are pretty decent as well.

- Redundant PSUs

- APC 1500VA UPS Battery Backup

- 24X CD-RW/DVD Combo Drive

- 3 Years, 4Hr Response Silver Support

You'll notice that I have the 36GB drives as the last two drives in the configuration. This isn't the way I'd normally configure it, but it was the only way to get the price for the two drives. For some reason Dell's site doesn't have the 36GB drive as an option for the "Primary Drive". You can obviously move the drives around so that the 36GB drives are first when you get the server. :)

Anyway, that's just my take on how I'd configure it. If you take the OS from Enterprise Edition down to Standard Edition, the price changes to $6.9K with all of the other options remaining the same. Personally, I'd leave it with Enterprise Edition.

Dell_PE2800.zip

