How many servers before a domain pays off

mryerse

2[H]4U
Joined
Jan 29, 2005
Messages
2,110
If you had a number of Windows servers used for various services, after how many would it pay off to put them in a domain? Creating and managing a domain and its associated controllers has a cost, and using a domain pays off with reduced maintenance on admin accounts and the use of group policy. Where is the tipping point where it's worth it? Security patches are not a factor because WSUS works well with non-domain joined systems.
 

gimp

[H]F Junkie
Joined
Jul 25, 2008
Messages
10,481
part of it depends on what the employee turn-over rate is.
how often employees get moved between departments/divisions.

you have, say, 4 servers. Today, somebody gets a promotion. You have to go through all 4 servers and update their permissions.
Tomorrow, somebody gets canned and you have to go through all 4 servers and remove their permissions.
In a week they hire a new person, and you have to go through all 4 servers and assign permission.

ugh... I would shoot myself.

Now obviously, if turn-over is very low and there's not a lot in terms of promotions or otherwise changing jobs, it may not be beneficial.

It's not all about how many servers, but also how many employees and the turnover rate.

FWIW, "managing" a domain is very low cost, really. The highest cost is the initial investment and setup. Once it's setup, maintenance is low.

add something else.. also depends on how much you care about security. Local accounts, it's easy to hack a password. A domain acct? not as easy, especially without domain admin rights. What happens if a user forgets their password? In AD it's as simple as opening up ADUC and resetting the password. No need to log in to the local machine as admin, change their password, log out, and have them make sure they type the password correctly.
 

DeaconFrost

[H]F Junkie
Joined
Sep 6, 2007
Messages
11,495
I wouldn't go by the number of servers....I'd decide based on the number of users, how they use their systems, and how they use the servers' resources.
 

Demon10000

Supreme [H]ardness
Joined
Aug 20, 2006
Messages
4,502
A domain gives you a single point of administration. As you said, it also gives you group policy, which is very powerful. There are many other reasons to have a domain over a workgroup, but there really isn't much of a cost increase at all so I'm not following that logic.

I have a domain in my house for my wife and I. I've got all kinds of things set up so I can make things easier for both of us. She really doesn't even know she's using a domain -- just thinks she's logging into her computer. So even for two people it makes sense.

The central point of administration for secured resources and group policy are two very strong reasons to have a domain. I can't even imagine working in a workgroup environment!
 

Deimos

[H]ard|Gawd
Joined
Aug 10, 2004
Messages
1,024
I'd say the lower limit is 5 users and/or computers, however roaming profiles are a headache and I would only enable them if users were moving between computers a lot.

It's actually pretty easy to set up a Windows domain, with Exchange I would say 1 to 1 and a half days work from scratch.
 

YeOldeStonecat

[H]F Junkie
Joined
Jul 19, 2004
Messages
11,330
I wouldn't go by the number of servers....I'd decide based on the number of users, how they use their systems, and how they use the servers' resources.

^^^This^^^
Ease of use/management with number of users first. Adding more servers....it becomes incredibly easier. Adding servers in workgroup mode...ugh, shoot me now.

Keeping things wicked easy...Small Business Server. If the org will never get past 75 users.
 

mryerse

2[H]4U
Joined
Jan 29, 2005
Messages
2,110
Thank you all. I'm sold the number of servers needed before it pays off is quite low.

Next question is this. In a relatively small environment, would you deploy a separate domain for each logical environment, i.e. system test, customer test, production? Or one domain for all of them? I'm okay with one domain for all of them except that when you want to make significant changes to your DCs, how do you test them?

We're not much of a Windows shop here and domains are kind of foreign. But we have like 30 Windows servers now and managing them is getting kind of ridiculous.

I'm thinking maybe two domains. One for system test and customer test servers, and one for production. Can two domains like that be controlled by the same two domain controllers?
 

gimp

[H]F Junkie
Joined
Jul 25, 2008
Messages
10,481
Thank you all. I'm sold the number of servers needed before it pays off is quite low.

yup, it really is more based on the number of users. If you had 100 users and only 1 server, it would definitely pay off. On the other hand, 10 users and 30 servers, it would pay off.

Next question is this. In a relatively small environment, would you deploy a separate domain for each logical environment, i.e. system test, customer test, production? Or one domain for all of them? I'm okay with one domain for all of them except that when you want to make significant changes to your DCs, how do you test them?

this is why you would want, at a minimum, 1 backup domain controller. So if something goes tits up on the PDC, you have a fall-back. But I'm not sure what kind of "significant changes" you would be making that could cause a DC to take a dive.

We're not much of a Windows shop here and domains are kind of foreign. But we have like 30 Windows servers now and managing them is getting kind of ridiculous.

I would shoot myself :p

I'm thinking maybe two domains. One for system test and customer test servers, and one for production. Can two domains like that be controlled by the same two domain controllers?

that could be overkill. You can only have a PC joined to 1 domain. So you would either need users to move to a computer that is on the second domain, or would have to constantly dis-join/re-join domains. Neither of which are very viable long-term, not to mention duplicate domain accts that will need to be administered.

You should be able to do everything you want within a single domain, otherwise you are just complicating the network, really.

Just need "duplicate" servers for production and test/dev
 

drescherjm

[H]F Junkie
Joined
Nov 19, 2008
Messages
14,936
I have had a domain since the late 90s, even the times there were only 30 machines. Since then we have converted all servers to Linux so the domain controllers are running Samba. We did that back in the early 2000s when we were plagued by worms (Blaster, Welchia ...) that kept bringing down Active Directory, causing administrative nightmares. Keeping the worms out was pretty difficult at that time since there were many users outside our department (and outside our control) that were allowed (doctors) to freely plug in their home laptops to the company network. For the domain controllers I have 1 PDC and 2 BDCs. All of these run under VMs and do not share files. The fileservers are on other machines with 5 to 10TB of Linux software RAID 5 or 6 each. Every machine is connected to the network using a gigabit connection. I do most of my user/machine account administration using an OpenLDAP web application called LAM. http://www.ldap-account-manager.org/

On top of that I use Nagios to monitor the health of the network (software and hardware).

http://www.nagios.org/
 

YeOldeStonecat

[H]F Junkie
Joined
Jul 19, 2004
Messages
11,330
Thank you all. I'm sold the number of servers needed before it pays off is quite low.

Next question is this. In a relatively small environment, would you deploy a separate domain for each logical environment, i.e. system test, customer test, production? Or one domain for all of them? I'm okay with one domain for all of them except that when you want to make significant changes to your DCs, how do you test them?

We're not much of a Windows shop here and domains are kind of foreign. But we have like 30 Windows servers now and managing them is getting kind of ridiculous.

I'm thinking maybe two domains. One for system test and customer test servers, and one for production. Can two domains like that be controlled by the same two domain controllers?

Define your environment more.....you say relatively small, yet you mention 30x servers....that's not relatively small.

Same physical location?
Or offices spread around geographically, if so..connected with a WAN?

If it's a smaller network, IMO just 1x domain. Even if it's a medium network..IMO still just 1 domain. Organize your users in groups.
 

mryerse

2[H]4U
Joined
Jan 29, 2005
Messages
2,110
Yeah we use Nagios here too although it's more for all the Linux/Unix boxes and I'm not involved too much in it. Will use System Center for these Windows boxes.

The purpose for having two domains is, say I wanted to upgrade a domain controller from Server 2003 to Server 2008 and needed to know how it is going to impact all the domain joined systems. Out of the 30 servers we have about 10 are production servers and about 20 are not. We would never remove a system from a test domain and join it to a prod domain. What we would do is make a change in the test domain, see how it impacts the systems joined to the test domain, notate, and if all is good, make that same change to the production domain. Another example besides upgrading a domain controller might be something like implementing certificate authentication for IPsec or maybe requiring the use of smart cards to TS into a server. If I only have one domain (even if it has a PDC and two BDCs or whatever they're called), a domain is a domain and one change to one gets immediately replicated to the other so it's not really a good place to test things out. But y'all are the experts so I seek your input.

@YeOldeStonecat - the only users we have are administrators. But we do have explicit password complexity requirements, and use WSUS, so for those two items it would be nice to use group policy. Also, having admin accounts on all these servers seems absolutely ridiculous to me.

I just inherited 15 of these servers, so I'm taking it upon myself to convince the folks here we should be using a domain, and that it's insanity that we are not.

We might actually have another department with an existing domain that we could leverage. I know their enterprise admins and domain admins would have access to our boxes, but what if we used network controls to limit access to them? Could they still use ADSI or WMI to cause damage? Either way, it seems with good auditing we could at least detect disgruntled employee attempts to sabotage.
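Two of the pain points in this post, local admin accounts scattered across every stand-alone server and wanting auditing that would surface unexpected account changes, can be measured before any domain decision is made. The script below is an added example, not code from the thread or from any poster; it assumes PowerShell remoting is enabled on the targets, the caller already holds local admin rights there, the targets run PowerShell 5.1 or later (for Get-LocalGroupMember), the "Audit Account Management" subcategory is enabled, and the server names are placeholders.

```powershell
# Added example, not from the thread: inventory each server's local
# Administrators group and pull recent account/group-change audit events,
# so admin-account sprawl and unexpected changes are visible.
# Assumptions: PowerShell remoting is enabled on the targets, the caller
# has local admin rights there, the targets run PowerShell 5.1+ (for
# Get-LocalGroupMember), and "Audit Account Management" is enabled so
# events 4720/4726/4732/4733 are written to the Security log.

$servers = @('srv-test-01', 'srv-prod-01')   # placeholder names
$since   = (Get-Date).AddDays(-7)

# Well-known Windows Security log event IDs for account management
$auditIds = @(
    4720,  # user account created
    4726,  # user account deleted
    4732,  # member added to a security-enabled local group
    4733   # member removed from a security-enabled local group
)

$report = foreach ($s in $servers) {
    try {
        Invoke-Command -ComputerName $s -ErrorAction Stop -ScriptBlock {
            # Who is in the local Administrators group on this host
            $admins = Get-LocalGroupMember -Group 'Administrators' |
                      Select-Object -ExpandProperty Name

            # Account/group changes recorded in the Security log since $since
            $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
                          LogName = 'Security'; Id = $using:auditIds; StartTime = $using:since
                      } | ForEach-Object {
                          # SubjectUserName is the account that made the change
                          $data = ([xml]$_.ToXml()).Event.EventData.Data
                          $who  = ($data | Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'
                          '{0} event {1} by {2}' -f $_.TimeCreated, $_.Id, $who
                      }

            [pscustomobject]@{
                Server      = $env:COMPUTERNAME
                LocalAdmins = $admins -join ', '
                AuditEvents = $events
            }
        }
    } catch {
        Write-Warning "$s unreachable: $_"
    }
}

# Accounts present on several boxes are the ones a domain group would replace;
# group changes on a prod box outside a change window are what to alert on.
$report | Format-List Server, LocalAdmins, AuditEvents
```

Once the servers are domain-joined the same event IDs (plus 4728/4756 for domain groups) come from the domain controllers' Security logs, so the check carries over.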
 