Do I really need MS Active Directory? [closed]

I manage a shop of around 30 machines and 2 terminal servers (one production, one standby.) Should I really deploy Active Directory in our network?

Are there any real benefits that could balance the existence of another AD server? Our Terminal Server is to run independently, with no other services on it except our corporate app.

What great features am I missing if I still run it without AD?

update: but are any of you running a successful shop without AD?


Solution 1:

Using Active Directory brings a number of advantages to your network, a few I can think of off the top of my head:

  • Centralised user account management
  • Centralised policy management (group policy)
  • Better security management
  • Replication of information between DCs

Obviously these benefits also bring some overhead, and a good deal of work and time is needed to set up an AD environment, especially if you have an existing setup; however, the benefits of the centralised management that AD brings are well worth it, in my opinion.

Solution 2:

Some "drive-by" responses ...

1- If you are using Exchange for email, then AD is required. You likely are not using Exchange or you would know that, but I include it for those who may be considering this.

2- AD manages a "centralized authentication" system. You control users, groups, and passwords in a single place. If you don't have AD, you will likely have to set up your users separately on each terminal server, or have a generic user on each for access and use security in the application.

3- If you have other Windows servers, AD allows for straightforward securing of resources on those servers in a single place (AD).

4- AD includes some other services (DNS, DHCP) which otherwise have to be managed separately. I suspect you may not be using them if the only Windows servers you have are the terminal servers.

5- Although not required, there is benefit to having the workstations in the domain. This allows for some (not comprehensive) single sign-on capabilities as well as significant control and management of the workstations through "group policies".
--> For instance, through GP you can control the screen saver settings, requiring that the screen saver lock the workstation after x minutes and requiring the password to unlock.

6- You might be a good candidate for Microsoft Small Business Server if you need email, file sharing, remote access and web serving.

I second the note about having two domain controllers. If you only have one DC and it fails, you are in for real pain getting access to things. It is (I believe) possible to have the terminal servers also be domain controllers, although I suspect many will not recommend it. In a small network like yours the DC workload will be insignificant, so it might work.


EDIT: in a comment s.mihai asked: "it's their interest to make us buy all we can. but can i be OK without AD ? local accounts, no exchange.... ?!"

Were I in your shoes, I would use the TS project as an excuse to add AD for the benefits, particularly on the workstations. But it sounds like your mind is made up and you want cover, so here it is.

ABSOLUTELY you can be OK without AD.
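
The screen-saver lock policy mentioned in point 5 above, as an added example that is not part of the original answer. It assumes the GroupPolicy module from RSAT on a domain-joined admin machine; the GPO name, the OU path and the 10-minute timeout are constructed placeholders.

```powershell
# Added example: enforce a password-protected screen saver through one GPO
# instead of configuring each workstation by hand.
Import-Module GroupPolicy

$GpoName    = 'Workstation Screen Lock'               # hypothetical GPO name
$TargetOu   = 'OU=Workstations,DC=example,DC=local'   # placeholder OU path
$TimeoutSec = 600                                     # constructed value for "x minutes" (10 min)

# Per-user policy key that Windows reads for the screen saver policy settings.
$Key = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

# All three values are stored as strings (REG_SZ).
$Settings = [ordered]@{
    ScreenSaveActive    = '1'            # screen saver enabled
    ScreenSaverIsSecure = '1'            # password required to unlock
    ScreenSaveTimeOut   = "$TimeoutSec"  # idle seconds before it starts
}

# Create the GPO only if it does not exist yet, so the script can be re-run.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Lock idle workstations'
}

foreach ($name in $Settings.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $name `
        -Type String -Value $Settings[$name] | Out-Null
}

# Link the GPO to the OU; New-GPLink errors if the link is already there.
try {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -ErrorAction Stop | Out-Null
} catch {
    Write-Warning "Link not created (it may already exist): $($_.Exception.Message)"
}

# Read the settings back from the GPO and fail loudly on any mismatch.
foreach ($name in $Settings.Keys) {
    $actual = Get-GPRegistryValue -Name $GpoName -Key $Key -ValueName $name
    $value  = ([string]$actual.Value).TrimEnd([char]0)   # defensive trim of a trailing NUL
    if ($value -ne $Settings[$name]) {
        throw "GPO value $name is '$value', expected '$($Settings[$name])'"
    }
}
Write-Output "GPO '$GpoName' configured and verified."
```

Because these are user-side settings, the GPO has to be linked where the user accounts are in scope; on a workstation, `gpupdate /force` followed by `gpresult /r` confirms the GPO was applied.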

Solution 3:

Off the top of my head:

  1. centralized user & security management and auditing
  2. computer group policies centralized
  3. software deployment (via GPO)

AD is also required for applications such as Exchange.

MS has a whitepaper just for you on this topic.