Do I need Active Directory?


Hey everyone!

I'm fairly new to the networking thing, so bear with me...

My boss recently tasked me with setting up a new network at one of our remote offices. He can be stuck in his ways sometimes, and asked me what I knew about Active Directory (which was close to nothing). He was also not really sure what AD was, and after a few minutes of talking we finally got down to what it is he wants to accomplish:

He wants the server set up exactly the way we have it, with everyone having access to the network drive. However, depending on the user, he wants a personal folder set up on the server that only they can access. On top of that, he still wants everyone to have access to the entire drive on the server, just not writing abilities (which I'm assuming is just simple Read/Write permissions, correct?)

My question is, is this something that AD is needed for? Or something I can simply configure on the server?


You can configure local accounts on the server, but without AD machines cannot join - so they would have to auth with the local accounts you create on the server.

The one thing that AD brings to the table is a central userbase that you can use to control access to resources, be it shares or printers or machines, etc. Anything that is part of the domain you can use this central userbase to assign permissions.

With just a standalone server you're dealing with its accounts, and then machines all have their own local database of accounts -- they do not share info. You can do some tricks with using the same username and same password (btw blank is not a password) to allow access -- but they are not the same.

One thing to keep in mind if you want to go the AD route - is what versions of desktop OSes you are running; the HOME version cannot join a domain!! This is quite often a show stopper for small companies wanting to move to a domain. They have 50 machines all running home, etc.

You also gain a lot more than just a central userbase -- group policy is HUGE in controlling and maintaining the machines that join the domain.

Long story short - yes you would want to go the AD route, but there is going to be a learning curve and cost if your member machines cannot join, above the cost of just the server OS.


Thanks Bud!

I find it fascinating that you have helped me quite a few times, and you are a mere 20 minutes away!

One last question is an idea I can't seem to get my head around (maybe it's because I haven't seen AD deployed yet?): how does the account system work? Like you said, all the machines have their own databases of accounts, so where do the AD accounts actually come into play? Do you use them to actually log into Windows on the machine? Or is it something used on just the network? Like, will I be able to use my AD account information across different computers, and when I do log into a different machine, my folder and files are on my desktop?

AD accounts are held on the domain controller and only authenticate user info as well as some other parameters including e-mail/exchange info, VPN access, etc.

Information across computers is totally different, you are getting into roaming profiles at that point, at least on your desktop. Otherwise you need to setup everyone with like a Z: home drive, for their own private usage, as well as a public departmental drive for all people in that office/department to use.

The domain controller would keep a listing of all the users on the domain. At my work we have a domain using AD and my computer has an admin login that is local to the machine, and a shadrack@localdomain.local (names made up) account that also has admin access to my computer. The account information is stored locally on my machine and is updated by the domain controller when it can see the domain controller. When I take my machine off site (it's a laptop) I can still log in with my domain username and password, because it is cached on my machine.

I can also use my domain login and password to log in to any other computer on the domain (so long as it can "see" the domain controller and retrieve my info). But I don't have admin access to those computers if I do this, just limited user mode. Hope that helps.


Okay, that is what I THOUGHT, but my boss can be stubborn and swore that it was possible to do that through AD. I'm pretty new to it myself, so I had to take his word on it for the time being.

So basically, what is going to happen is I'll be on a computer, and go to access the network drive, and what user name they use will determine what access they have to the network drive?


"and what user name they use will determine what access they have to the network drive?"

This is always the case, be it AD or just stand alone machines. With a domain you would work with all the accounts you create in the domain, and it would be easy to give access to billy, suzy, kevin or frank that are user accounts in the domain.

Now if not in AD, you can still create say a frank account in the server database, and you can share out a folder where frank has permission.

But to access that share I would need to auth with the frank account from that server. What account do I login to my workstation with, is it frank? Do the passwords match? When the password is changed in the server database, it will not reflect anything on the workstation. They are two completely different userbases.

Now if frank's machine joins the Domain -- then he would login as frank@yourdomain.tld, it would just look like frank to him.. But when he changes his password on his machine - it's really going to change the password in the domain. And all is good, he logs in as frank on his machine - and any resources you have given frank access to on the server he would have access to without any issues.

Now, unless you have restricted it, sure, frank could go to any machine that has joined the domain and login as frank - out of the box no, he would not get the same desktop he had on machine1, but he would have all the same access on the domain. Does not matter what domain machine he logs in with since they are all sharing the same common userbase.

You can limit if you want what machines frank can login with, and sure you could do something like roaming profiles so no matter where he logs in his desktop would look the same. Or you could use just login scripts to map shares to drive letters, connect printers he has access to, etc. etc.

This is just one of the few advantages to AD, you can also admin settings on the machines they log in to with group policy. Say you want the homepage of IE to be http://somedomain.tld -- you don't have to go touch every machine to make that happen, you can just set a group policy to have it set like that on every machine.

Maybe you don't want users to be able to access the control panel on the machines - group policy setting.

The stuff you can do with AD vs just a standalone server -- you would have to write a Book ;)

If you're wanting to control access to shares, and make it as simple for the admin and the user as possible, then yes AD is the better way to go vs just a standalone setup of Windows Server.
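As an added example (not code from the thread or from any of its posters), here is how the layout the original poster described could be built in PowerShell on a domain-joined file server: one common share everyone can read but only a group can write to, plus a per-user home folder that only its owner can open, mapped as the Z: drive from the AD account. The domain name CORP, server FS01, path D:\Shares, group Share-Writers and the user names are assumptions.

```powershell
# Added example, not code from the thread. Assumptions: NetBIOS domain CORP, file server
# FS01, shares under D:\Shares, a domain group Share-Writers that may change files on the
# common drive, and user accounts frank/billy/suzy. Run as an administrator on FS01.
$Domain  = 'CORP'
$Server  = 'FS01'
$Root    = 'D:\Shares'
$Writers = "$Domain\Share-Writers"
$Users   = @('frank', 'billy', 'suzy')

function New-FolderWithAcl {
    # Creates $Path, drops inherited permissions, and applies exactly the rules in $Rights
    # (identity -> FileSystemRights), inherited by everything created inside the folder.
    param([string]$Path, [hashtable]$Rights)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # protect the ACL, discard inherited entries
    foreach ($id in $Rights.Keys) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            $id, $Rights[$id], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

$adminRights = @{ 'BUILTIN\Administrators' = 'FullControl'; 'NT AUTHORITY\SYSTEM' = 'FullControl' }

# 1. Common drive: every domain user can read and run, only Share-Writers can change files.
New-FolderWithAcl -Path "$Root\Public" -Rights ($adminRights + @{
    "$Domain\Domain Users" = 'ReadAndExecute'
    $Writers               = 'Modify'
})

# 2. Home root: users may list it so they can reach their own folder underneath.
New-FolderWithAcl -Path "$Root\Home" -Rights ($adminRights + @{ "$Domain\Domain Users" = 'ReadAndExecute' })

# 3. One folder per user; inheritance is cut, so billy cannot even list frank's folder.
foreach ($u in $Users) {
    New-FolderWithAcl -Path "$Root\Home\$u" -Rights ($adminRights + @{ "$Domain\$u" = 'Modify' })
}

# Share permissions stay open to authenticated users; the NTFS ACLs above do the real gating.
New-SmbShare -Name 'Public' -Path "$Root\Public" -FullAccess 'NT AUTHORITY\Authenticated Users' | Out-Null
New-SmbShare -Name 'Home$'  -Path "$Root\Home"   -FullAccess 'NT AUTHORITY\Authenticated Users' | Out-Null

# 4. Map Z: to each user's own folder at logon via the AD account (needs the RSAT ActiveDirectory module).
foreach ($u in $Users) {
    Set-ADUser -Identity $u -HomeDrive 'Z:' -HomeDirectory "\\$Server\Home$\$u"
}
```

Because the home folders stop inheriting and name only the owner, SYSTEM and Administrators, a user browsing \\FS01\Home$ sees the folder list but is refused when opening anyone else's folder.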
