Multiple Small Sites: Best Plan for AD Authentication

partner1220

I'm doing some volunteer work with a small non-profit (and therefore small budget, of course). I'm looking for some 'architecture' suggestions. Any tips would be greatly appreciated. The core requirement is to centralize user management at all sites (i.e., Active Directory).

Here's a summary of their requirements:

- 5 sites with 2-5 staff or volunteers per site at any given time.
- Staff is highly mobile between offices. Each staff may work out of one of the remote sites on any given day.
- Core: Ability to log into any PC at any office using the same username/password (i.e., AD)
- Eligible for significant non-profit discounts on Microsoft software through Techsoup, so if the best option is for us to build something, that's an option. However, there isn't much funding for ongoing monitoring/support/operations. Since they have the potential for so many licenses with part-time staff and volunteers, cloud services that are priced per user get pricey quickly.

What they're doing today:
- Currently utilizing hosted Exchange / SharePoint 2013 for e-mail and document sharing
- 'Main' site has an old SBS 2003 server simply for AD User Management services at their main office. However, the main office does not necessarily have the bulk of the employees at any given time.
- Remote sites are completely separate workgroups, just adding / removing users as necessary. Obviously, this becomes an issue as soon as someone needs to change a password, quits, etc.
- SOHO routers

What's my best bet? AD server at main site and site-to-site VPNs? Is this going to be reliable enough for me to maintain with limited availability? What about an Amazon Cloud server and setup remote access from the remote sites?

I'd appreciate any thoughts or suggestions - Let me know if there's any additional info I can provide

Thanks everyone!
 
Do the remote sites have any on-site servers like a file server? Otherwise, keep AD at the main site and do site-to-site VPNs. File serving over the WAN will suck though.
 
Do the remote sites have any on-site servers like a file server? Otherwise, keep AD at the main site and do site-to-site VPNs. File serving over the WAN will suck though.
It may be worth looking into Remote Desktop in this case. You get the non-profit discounts, it's something I'd at least explore.

Remote App is pretty awesome and may fit the OP's needs perfectly. Heck, depending on the security needs and regulations involved, each site might simply be able to get away with generic workstations which staff can then use to access the Remote Desktop environment at the home office. No need to even worry about VPNs in that case.
 
Do the remote sites have any on-site servers like a file server? Otherwise, keep AD at the main site and do site-to-site VPNs. File serving over the WAN will suck though.

What he said above.

But if you encounter any issues just stand up a "read only" DC at the trouble site.

The Dell T110 II servers are perfect for this.


Zyxel Zywall 110s at each site. Keep (1) extra at the home office. Use the built in IPsec matrix tunnels to build a site to multipoint site tunnel setup.

Make sure you have each router/firewall on a properly sized UPS

Just remember to create backups of each site's config.

There are business that have been running the Zyxel USG units for years without restarting.

Everything should operate as if it was one big network.

Routed throughput will be higher than the network connection speed.
 
Do the remote sites have any on-site servers like a file server? Otherwise, keep AD at the main site and do site-to-site VPNs. File serving over the WAN will suck though.

No servers at any remote sites. While not ideal, we're using SharePoint for file serving at the moment and they are fine with it.

I thought about site-to-site VPNs, but I've been reading and everyone recommends having a read-only DC at the remote sites. It's just not financially feasible. The hardware cost may be fine, but the ongoing monitoring/maintenance/etc is probably not going to fly.

It may be worth looking into Remote Desktop in this case. You get the non-profit discounts, it's something I'd at least explore.

Remote App is pretty awesome and may fit the OP's needs perfectly. Heck, depending on the security needs and regulations involved, each site might simply be able to get away with generic workstations which staff can then use to access the Remote Desktop environment at the home office. No need to even worry about VPNs in that case.

I actually took them from a RDP-focused deployment with Server 2003. Managing all the different printers became a huge pain, with people wanting to print from home, etc. Has TS printing improved much in 2008/2012?

Even with TS, I still have the problem of authentication for all of these users at each PC at the remote sites. I guess I could go thin clients. It's just an area I don't have much experience with.

They do not have to be HIPAA compliant today, but I think it's coming in the future.
 
Zyxel Zywall 110s at each site. Keep (1) extra at the home offfice. Use the built in IPsec matrix tunnels to build a site to multipoint site tunnel setup.

This might sound like a crazy question, but would Hamachi work in place of hardware endpoints?
 
I actually took them from a RDP-focused deployment with Server 2003. Managing all the different printers became a huge pain, with people wanting to print from home, etc. Has TS printing improved much in 2008/2012?

TS is now RDP and has improved tremendously since 2003. Also, as XOR mentioned, Remote App is pretty slick as well. To cure printing, there are more than a few remote printing helper programs that integrate nicely as well.
 
No servers at any remote sites. While not ideal, we're using SharePoint for file serving at the moment and they are fine with it.

I thought about site-to-site VPNs, but I've been reading and everyone recommends having a read-only DC at the remote sites. It's just not financially feasible. The hardware cost may be fine, but the ongoing monitoring/maintenance/etc is probably not going to fly.


Wait What???

Monitoring and maintenance is going to be close to zero dude.

It's a read only DC....it's a friggen toaster. No one writes to the thing other than the central DC...no one logs directly into it.

If you loaded it with core server 2012 it's even less maintenance as a third of the updates are not even required and half of the remaining updates and patches no longer even require a restart.

If you blow it up.....oh well. Now they have to use a remote DC until you stand up a new one which will take a whopping 30 minutes.

It's a backup that also increases authentication performance, limits traffic requests across the VPN and allows local authentication for users if something occurs to the tunnel.

I'd make everything Server 2012 and make the RODC Core Server 2012. As long as you have (1) full Server 2012 install you can manage all the Core servers with its GUI.

http://mizitechinfo.wordpress.com/2...configuring-a-rodc-in-windows-server-2012-r2/

http://blogs.technet.com/b/keithmay...e-features-in-winserv-2012-part-19-of-31.aspx


Good Hardware VPN is in another category completely compared to Hamachi.

If you want monitoring....

On your ONE real Server 2012 add the Hyper-V role and install PRTG (the free version) http://www.paessler.com/prtg

You can monitor everything for free, up to 10 machines.

Expect a 5-7 year lifecycle for the VPN routers I recommended. Although it wouldn't surprise me if most of them will probably still be in service 10 years from now.

The point is you should design this thing so it runs like a top and doesn't waste your time.

Plan for success. For the cheaper servers software RAID 1 is fine as Intel fixed their crappy code when they rewrote the RTS driver into .net around version 9. It's not fast, but at this point it does what it is supposed to do.

I'd also consider having the read only DCs run DNS as well. Use the Zyxel Zywall for DHCP, but make sure the RODCs have static IPs. (yes it can offer multiple scopes, reserves and static addresses as well)

Also make darn certain that Sites and Services in AD is set up properly with every location, subnet and zone properly defined.

Microsoft has revised their DNS AD integration guidance multiple times in the past 20 years. But luckily they finally came up with some definitive guidance which no one can ever find :rolleyes:

Luckily I'm a bit of a nutjob when it comes to doing these things the right way...and so here you go: http://blogs.technet.com/b/askds/ar...ill-ever-find-from-microsoft.aspx?PageIndex=2

If you follow these guidelines your DNS will most likely be implemented properly.

Each item links to the reference on when and why Microsoft came to its final determination.

Note again that the link above overrides any previous advice that Microsoft has given and should be considered the new standard for DNS AD integration.

Later,

Mackintire
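As an added example (not from the thread or any poster), here is how the Sites and Services, DNS-on-RODC and RODC staging advice above could be scripted on the Server 2012 hub DC; the domain name, site names, subnets and group names are assumed placeholders.

```powershell
# Added example: stage AD sites/subnets and pre-create one RODC account for a
# hub-and-spoke layout. All names and addresses below are assumed placeholders.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$Domain = 'corp.example.org'   # assumed domain name
# Assumed layout: main office plus four remote sites, one /24 each.
$Sites = @{
    'HQ'     = @{ Subnet = '10.0.0.0/24'; Location = 'Main office' }
    'Site-A' = @{ Subnet = '10.1.0.0/24'; Location = 'Remote site A' }
    'Site-B' = @{ Subnet = '10.2.0.0/24'; Location = 'Remote site B' }
    'Site-C' = @{ Subnet = '10.3.0.0/24'; Location = 'Remote site C' }
    'Site-D' = @{ Subnet = '10.4.0.0/24'; Location = 'Remote site D' }
}

# The first DC lands in Default-First-Site-Name; rename it to become the hub.
$default = Get-ADReplicationSite -Identity 'Default-First-Site-Name' -ErrorAction SilentlyContinue
if ($default) { Rename-ADObject -Identity $default.DistinguishedName -NewName 'HQ' }

foreach ($name in $Sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$name'")) {
        New-ADReplicationSite -Name $name
    }
    # A subnet with no site means clients there pick a random DC across the VPN.
    New-ADReplicationSubnet -Name $Sites[$name].Subnet -Site $name -Location $Sites[$name].Location
    if ($name -ne 'HQ') {
        # Spoke link back to the hub; 15 min replication keeps WAN traffic low.
        New-ADReplicationSiteLink -Name "HQ-$name" -SitesIncluded 'HQ', $name `
            -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
    }
}

# Pre-create the RODC account for one remote site (run on the hub DC) with DNS.
# Only members of the site-specific group get their secrets cached on that box,
# so local logon keeps working when the tunnel drops, but a stolen RODC cannot
# expose the whole domain's credentials. Group names are assumed.
Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName 'RODC-SITE-A' `
    -DomainName $Domain -SiteName 'Site-A' -InstallDns `
    -DelegatedAdministratorAccountName 'CORP\Site-A Admins' `
    -AllowPasswordReplicationAccountName @('CORP\Site-A Users')

# Sanity check: every subnet must map to a site, and each site should show a DC.
Get-ADReplicationSubnet -Filter * | Where-Object { -not $_.Site } |
    ForEach-Object { Write-Warning "Subnet $($_.Name) is not assigned to a site" }
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsReadOnly, IPv4Address | Format-Table -AutoSize
```

The RODC itself is then joined with Install-ADDSDomainController -ReadOnlyReplica at the remote site using the delegated admin account, so no domain admin credential has to be typed on the remote box.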
 
No servers at any remote sites. While not ideal, we're using SharePoint for file serving at the moment and they are fine with it.

I thought about site-to-site VPNs, but I've been reading and everyone recommends having a read-only DC at the remote sites. It's just not financially feasible. The hardware cost may be fine, but the ongoing monitoring/maintenance/etc is probably not going to fly.



I actually took them from a RDP-focused deployment with Server 2003. Managing all the different printers became a huge pain, with people wanting to print from home, etc. Has TS printing improved much in 2008/2012?

Even with TS, I still have the problem of authentication for all of these users at each PC at the remote sites. I guess I could go thin clients. It's just an area I don't have much experience with.

They do not have to be HIPAA compliant today, but I think it's coming in the future.


I'm guessing the cost of monitoring/maintenance is peanuts compared to the loss of productivity if the whole site is unable to authenticate for a day. What about 2 days? 3? That's how you have to approach hardware upgrades to management.
 
TS is now RDP and has improved tremendously since 2003. also as XOR metioned Remote App is pretty slick as well. To cure printing, there are more than a few remote printing helper programs that integrate nicely as well.
Actually, printing with RDP is pretty slick. The way I have it here is to have the client set the RDP session printer to the local default printer. Voilà, no issues.

I'm guessing the cost of monitoring/maintenance is peanuts compared to the loss of productivity if the whole site is unable to authenticate for a day. What about 2 days? 3? That's how you have to approach hardware upgrades to management.
Yup, give them the cost breakdown of downtime. In some cases it's acceptable, in others it's not. I've had a few clients who felt they could stomach a long term internet outage, and indeed they did. I've also had a few that thought they could but found out they couldn't. The point being: it's their decision, not yours. The consultant's job is to give the company the data they need to make the decision, along with the recommendation.
 
Do a lot of reading on RODCs before you purchase them for your client. RODCs are not all they are perceived to be, but you may not find this out until your design is validated by the site connectivity being down and you've already burned the money on licenses.
 
Do a lot of reading on RODCs before you purchase them for your client. RODCs are not all they are perceived to be, but you may not find this out until your design is validated by the site connectivity being down and you've already burned the money on licenses.

What is the perception of RODCs that is usually wrong?
 
The only things I've seen them solve are SQL authentications that like to time out and the ability to log in to local site domain resources when the PDC is unavailable or disconnected.
 