As I brought up in part 1, it is not much more expensive to keep a server onsite than to move to a cloud-based file management solution and remove the server. For years, most small businesses ran peer-to-peer networks. Falling costs pushed most of them to the more sophisticated, secure and efficient client/server model.
I am amazed at how many people come to me wanting to go server-less and move back to peer-to-peer, even though the labor to do it (remove machines from the domain, create new local profiles, migrate data, re-add printers, etc.) will be more than the labor to put in a new server. On top of that comes the re-introduction of all the issues and mayhem that come with an unmanaged peer-to-peer network.
Partly as an exercise for myself (always trying to provide our clients with the best advice), I’m trying to outline all the benefits you get, and conversely lose, with or without a server/domain controller.
Definitions: A domain controller has two main engines: Active Directory and Group Policy. Below are some basic definitions for these, and a couple of other terms used in this article.
Domain Controller: Runs on Windows Server operating system. Manages a network of users and computers.
Active Directory: A centralized area to track and control the business’s users, computers, servers, printers and other devices.
Group Policy: Centralized management of the items in Active Directory.
Local user on a computer: A user on a computer that is not a user in Active Directory on a Domain Controller.
Domain user on a computer: A user on a computer that is joined to a “domain controller ‘domain’” and using that domain account to log on to the computer.
Client/Server: Centrally managed user and resource management. Very efficient. Great leverage. Great auditing.
Peer to Peer: Every PC is its own island. Everything is manual. Very inefficient. Tons of busywork, with no way to audit, except manually.
Let’s begin by covering a categorical list of features provided by running a domain controller. These are the Pros to having a domain at your business:
Security
Consistency and automation
Sharing files and resources
Data Protection
Pro #1: Security
The most important thing for someone to understand about file security is that if a bad actor can get physical access to a machine, they can boot to a password reset tool, reset the password for any “local” user and have access to anything on that computer that the aforementioned “local” user has. That includes My Documents, Desktop, synced Dropbox files, synced OneDrive files, synced Google Drive files, etc.
The way to lock down that data is to have it reside on a server and have your users log in with “domain accounts”. In this scenario, one cannot reset domain users with a password reset disk. The user’s credentials are not stored on the machine (not 100% true, but true enough for the context of this concept). So all one could compromise are the local accounts, which will not have access to server data. An important caveat: the server needs to be locked in a secure room, or it faces the same threat.
Group Policy can be used to enforce a password policy: complex passwords, password expiration, history and more.
Account “bad login attempts” can be set to cause automatic account lockouts.
Ability to set a mandatory screen lockout policy across the network.
Security auditing. Much better control of who is accessing what, from where.
Ability to disable accounts immediately for employee exits.
Some of the above can be done in a peer-to-peer network setup, but only manually on each computer, with no way to audit to be sure one was not missed.
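To make the audit point concrete, here is an added example (not from the original article) of checking the password and lockout settings for the whole domain from one PowerShell session. The baseline numbers and the account name 'jdoe' are assumptions for illustration; it needs the ActiveDirectory module and a domain-joined machine.

```powershell
# Added example: audit the default domain account policy from one place.
# Requires the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

# Baseline values are assumptions for illustration; set them to your own policy.
$baseline = @{
    MinPasswordLength    = 12
    PasswordHistoryCount = 10
    MaxPasswordAgeDays   = 90
    LockoutThreshold     = 5     # bad logon attempts before lockout
}

$policy   = Get-ADDefaultDomainPasswordPolicy
$findings = @()

if (-not $policy.ComplexityEnabled) {
    $findings += 'Password complexity is not enforced'
}
if ($policy.MinPasswordLength -lt $baseline.MinPasswordLength) {
    $findings += "Minimum length is $($policy.MinPasswordLength)"
}
if ($policy.PasswordHistoryCount -lt $baseline.PasswordHistoryCount) {
    $findings += "Password history is $($policy.PasswordHistoryCount)"
}
# A MaxPasswordAge of zero means passwords never expire.
if ($policy.MaxPasswordAge.TotalDays -eq 0 -or
    $policy.MaxPasswordAge.TotalDays -gt $baseline.MaxPasswordAgeDays) {
    $findings += "Maximum password age is $($policy.MaxPasswordAge.TotalDays) days"
}
# A LockoutThreshold of zero means accounts never lock out.
if ($policy.LockoutThreshold -eq 0 -or
    $policy.LockoutThreshold -gt $baseline.LockoutThreshold) {
    $findings += "Lockout threshold is $($policy.LockoutThreshold)"
}
$findings | ForEach-Object { Write-Warning $_ }

# Enabled accounts that sidestep expiration, and accounts currently locked out.
Search-ADAccount -PasswordNeverExpires -UsersOnly |
    Where-Object Enabled | Select-Object SamAccountName, LastLogonDate
Search-ADAccount -LockedOut -UsersOnly |
    Select-Object SamAccountName, LastLogonDate

# Employee exit: one command disables the domain account on every machine.
# 'jdoe' is a placeholder account name.
Disable-ADAccount -Identity 'jdoe' -WhatIf   # remove -WhatIf to apply
```

On a peer-to-peer network the same checks would have to be repeated by hand on every computer.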
Pro #2: Consistency and automation
Users can log on to any computer and have many settings and applications follow them. This eliminates the need to perform many setup steps manually. This includes mapped drives, printer installation and settings, desktop wallpaper, disabling access to certain settings, Internet browser settings, even some application push ability.
Much easier to see and enforce business nomenclature like username and computer naming conventions.
Pro #3: Sharing files and resources
Share files, by group or department, apply permissions and control visibility.
Share and control printers.
Central holding area to use for “scan to folder” and other uses.
Pro #4: Data Protection
A central area to store data for simple backup.
Redirect My Documents and Desktop to the server for security and simple backup of workstation data.
That’s an abbreviated list of the features you get with a domain controller. Many argue that it is replaceable with cloud services. Yes, there is Azure Active Directory, but that is only the password piece for now. And there are some third-party Group Policy tools. But as of today, the best way to manage a larger network is still Windows Server.
Bret Erickson
Passkey
http://www.passkeyinc.com