Originally Posted by mkweiss
question directed to Bert kindly: what are the advantages of a domain, and how hard is it to set one up? I thought I knew a fair amount about computers, but networks seem to be my Waterloo. I started P2P and found I needed to get a server as Windows XP would not let me connect all the computers in my office. My server has a 3-disc RAID array and big battery backup. I am solo, but have about 17 computers as I can only have a single chart open at a time on one computer. I have static IP addresses and just upgraded my wireless network to N. Any great ideas to help "bullet-proof" or speed up the system?
mkweiss:
Great question and you already have a lot of things in place such as RAID3 (a bit outdated though) and battery backup. Here is the deal:

First, for everyone, we need to clear up some issues with the differences between P2P, Client/Server and a domain. This is going to be shocking, but in the way most people think of or set up their network, there is NO difference between the first two. You can purchase Dell's most expensive server and run Windows Server 2008 and have a peer-to-peer. Almost all networks on here have clients and a main computer connected to a switch so that all computers can see each other. In the old days, P2P was just that: a bunch of computers connected to each other with NO central computer. If you have a "main computer," whether it is the one described above or a little old tiny computer running XP, you still have P2P. The one difference is that one could connect more computers on the network, as 2008 or whatever OS has few limitations as to how many computers can connect.

XP Home is limited to 5 and XP Pro is limited to 10, so you would be out of luck with 17 if I recall the numbers. But, if all computers connect to the central computer one has designated, in essence you have clients (all your workstations) looking at the "main computer" (server) and you have a client/server setup. Now there would be those who would argue, but look at ANY diagram online and you will see.

Now a setup with a domain is a whole different thing. You have just gone from a Subaru to a Jaguar. And, to do this, you MUST have a server OS. Most server OS will only run on a computer designed for this.

Now, with a domain, all of your clients are no longer individual workstations. Your users cannot simply log onto "their computer." In fact they cannot log into "their computer." Here is one of the big keys:

1. They MUST log into the server. The server must authenticate them and say, OK, you have shown me that you are a user that can access me so you can log in and use your computer. This is whether the computer is logged off or locked. So, if you were at home and were worried about an issue with someone that shouldn't be using a computer to access data on the server, you could log them off. You could do this other ways...but...much easier this way. And, you will know when and what computer and what user logged into your server at what time and did what.

You can set things up so no client can see another client or access important files on that computer, and there should be no important data on the clients anyway except for Facebook and all of your users' grandchildren, etc. (this is a joke but it is true).

You will be able to set up ALL of your data in folders and ALL of your databases (think AC and your PM software) on the server on one drive that is shared out to the users. Each user will be able to access this by accessing the domain and seeing the entire list of shared folders. Or, their programs will run, because they have access to the shared folders.

Now, with a domain, you can determine who does what and who has access to what. This can be tricky to explain but let me try:

1. When you add a user (Susan at the front desk) you choose what level on the SERVER she is. Say a domain admin (not a good idea), a power user, or a user, etc. This is good because when you provide group policies or permissions, she will by default have certain access. Say she is a user (which she will be) and you allow users access to AC; then she will have access to AC. But, say, you have a folder on the data drive that only you should access: say all of the info about your users, passwords, your information, etc.; you would not allow users permission to that. So, on a domain you instantly decide who they are. Think of a medical student at a hospital. He or she is designated a medical student user who has access to hardly anything. But you would have access to nearly everything except the administrative stuff that IT has. Of course, if you left for the ACUC, you may want to elevate your most trusted employee to domain admin so they could run the network (be careful). All of these things can be changed on the fly. As you make the user, you have around four choices to give them. But, you could make a template called "Users plus your folder" and anyone made that could access your folder.

2. Now even though they are all users, you could still decide to keep them from certain things on certain folders. Let's say AC. You as the domain admin could access the AC folder and do ANYTHING to it, because on the properties of that folder the admin would have full permissions (it would be checked off), while the users would have read/write and could do anything; but when you highlight users, you would give that permission but not the Full. The key here is that they would be unable to add, change or delete files. Imagine a disgruntled employee deleting your .xml file or your database. Very nice work, admin.

3. So on the server (the central computer) you set shares (all folders that need to be used by a client MUST be shared). But, because of NTFS hard drive formatting, you can set the permissions above. There are hundreds of setting combinations. FYI: I don't go crazy with these, because I actually see a patient once in a while and this would be great for a part-time or full-time IT person.

4. This brings us to group policy. Let's say you have ten computers, and three people on computers are billers or scanners or whatever and have NO need to be in a certain folder, AC or anything. Rather than setting their permissions individually (imagine a large network with 250 users fitting that situation), you simply make a group policy that does not have permission to that folder and put their user names in that policy, and boom, they have no permission. You can always take a user out if you need to.

5. Active Directory. When Microsoft rolled out Windows Server 2003, they added Active Directory. This basically allowed all users and computers and Exchange and all separate applications of the server to be rolled into one AD. It also made overall security such as HIPAA security and encryption easier to implement across the network. It used to be that you needed separate passwords for each section such as Exchange or Windows Updates, etc.

6. It is crucial to understand the difference between a domain administrator and a local administrator. A domain administrator is god. He or she can access the server with full rights and can access any local computer with full rights, download and install applications, etc. Anything. By definition a domain admin would also be a local admin on a local client.

7. Your users on THEIR computers -- nothing to do with the server -- also have roles and permissions. A local administrator can do pretty much anything on their computer, such as download applications and make changes. You know, download games, etc., and put viruses and other nasties on the clients. So you can make them just "users" for THEIR own clients. A lot of anal-retentive ITs will do that. It is just difficult when you try to help them and they are logged on under their non-administrator account and you can't do much. Of course, you can right-click and choose Run As and be a temporary domain admin. This is one of the most difficult things for a new person running a domain server to understand: local and domain admins. Pretty much you will be the only domain admin. Your users should NEVER be. But, you can make them a local admin on their own PC.

8. Once you have a domain (and Active Directory) to allow you to set Group Policies, you can do hundreds of things to control your clients. You can control whether they can make wallpaper, change their desktops, what color their wallpaper will be, how long before their screen savers pop up, what their screen saver will be, whether or not the screen saver locks them out. There is nothing worse than each user making a collage of their grandchildren.

9. And, almost most important, you can control their passwords. You can make them 8 or 10 or whatever characters and make them use capitals and certain characters, etc. You can change their passwords on the fly. You can make them tell you their password so you have access to their computer (I toyed with letting them have control), but there are too many times you need to install AC on their PC or whatever. Besides, you can always delete their password and make a new one, making them wonder what you did to their computer the night before. And, when they tell you that their password is Fido1234 and the user next to them knows they have a dog named Fido, they can pass that information on. You want difficult passwords, and you can control this.

10. You can control who gets remote access.

11. Crucial -- you can use DHCP from the server (I would never do it from the router -- sorry Wendell), but of course Wendell would never choose to live in Bangor, Maine, lol. You can control the scope of what IP address can be given out. You control the printers and scanners and copiers.

12. I could go on and on and on.

13. Backups are much easier to control.

14. One thing I have always wondered about and talked about on here is when people talk about client/server and P2P, it is always in relation to AC. But, there is so much more than that on your network. I would hope. Like PM and other things.

15. Domain networks with Active Directory can be a LOT more fun.

16. Domain networks with Active Directory can be a pain in the [censored] keeping you at the office a lot longer. Up to you.

17. Also this: Imagine, as I do many times, walking into the office and PA number 2 or receptionist says, this or that won't work. You suddenly have to figure out what in the hell did they do to THEIR computer. With a server that controls everything, not only do you have a much easier time of figuring it out, but you have centralized logs for error messages.

18. Centralized antivirus and updates.

19. Never, ever, ever allow a user to touch the server. If a medical student tries to get on the Internet from the server, they fail the rotation.

20. For you: Never change the server once it works unless you have to.

Well, I will stop there. FYI: This is solely based on Microsoft. Those with Linux and Mac will say theirs is 100 times better. And, it probably is.
Bert
Pediatrics
Brewer, Maine
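An added example (not Bert's code, and not from this thread) of what items 1 through 4 in the post above look like when you actually do them on the server with PowerShell: one security group decides who is staff, NTFS permissions on the data folders give Domain Admins Full Control and staff only Modify, and the share itself is created once. The domain name OFFICE, the drive D:, the group name and the account name are all placeholders.

```powershell
# Added example: not code from the original post. Assumes a domain-joined file server
# with the ActiveDirectory RSAT module, run as a domain admin; the NetBIOS domain name
# OFFICE, the data drive D:, the group and the account name are placeholders.
Import-Module ActiveDirectory

$dataRoot   = 'D:\Data'
$acFolder   = Join-Path $dataRoot 'AC'         # charting / practice-management data
$ownerOnly  = Join-Path $dataRoot 'OwnerOnly'  # HR files, credentials, the owner's data
$staffGroup = 'Clinical Staff'                 # placeholder security group

# Items 1 and 4: one security group decides access; adding or removing a member
# changes what that person can reach without touching a single folder ACL.
if (-not (Get-ADGroup -Filter "Name -eq '$staffGroup'")) {
    New-ADGroup -Name $staffGroup -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $staffGroup -Members 'susan.frontdesk'  # placeholder account

foreach ($path in $dataRoot, $acFolder, $ownerOnly) {
    if (-not (Test-Path $path)) { New-Item -Path $path -ItemType Directory | Out-Null }
}

# Items 2 and 3: replace inherited entries with an explicit least-privilege set.
function Set-FolderAccess {
    param([string]$Path, [hashtable]$Rights)   # identity -> FileSystemRights
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false) # stop inheriting, drop inherited entries
    $inherit = 'ContainerInherit, ObjectInherit' # apply to subfolders and files
    foreach ($id in $Rights.Keys) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, $Rights[$id], $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Domain Admins keep Full Control (change permissions, take ownership); staff get
# Modify on AC so the application can write its database; SYSTEM stays for backup
# and antivirus; nobody but Domain Admins sees OwnerOnly.
Set-FolderAccess -Path $acFolder -Rights @{
    'OFFICE\Domain Admins' = 'FullControl'; 'NT AUTHORITY\SYSTEM' = 'FullControl'
    "OFFICE\$staffGroup"   = 'Modify' }
Set-FolderAccess -Path $ownerOnly -Rights @{
    'OFFICE\Domain Admins' = 'FullControl'; 'NT AUTHORITY\SYSTEM' = 'FullControl' }

# Share the root once. The share ACL stays broad; NTFS does the real gating.
if (-not (Get-SmbShare -Name 'Data' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'Data' -Path $dataRoot -FullAccess 'OFFICE\Domain Admins' `
        -ChangeAccess 'Authenticated Users'
}
```

Check the result with `Get-Acl D:\Data\AC | Format-List` before pointing AC at the share; a user who is not in the group should be able to see the share but get "Access is denied" on OwnerOnly.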
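A second added example (again not from the post or the thread) for items 1, 9 and 17: the domain-wide password and lockout policy set in one place, and a small function that pulls "who logged in from which computer at what time" out of the domain controller's Security log, then flags accounts with repeated failures. It assumes it runs on the domain controller as a domain admin, that "office.local" is the placeholder domain name, and that logon auditing is already turned on through Group Policy.

```powershell
# Added example: not code from the original post. Assumes it runs on the domain
# controller as a domain admin with the ActiveDirectory module; "office.local" is a
# placeholder domain and logon auditing is already enabled through Group Policy.
Import-Module ActiveDirectory

# Item 9: length, complexity, history and lockout are set once for the whole domain.
Set-ADDefaultDomainPasswordPolicy -Identity 'office.local' `
    -MinPasswordLength 12 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 180) `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15)

# Items 1 and 17: which user, from which workstation, at what time, from the DC log.
function Get-RecentDomainLogons {
    param([int]$Hours = 24)
    $filter = @{ LogName   = 'Security'
                 Id        = 4624, 4625, 4740   # success, failure, account locked out
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the event's EventData into name -> value.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $from = if ($data['WorkstationName']) { $data['WorkstationName'] } else { $data['IpAddress'] }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            User      = $data['TargetUserName']
            From      = $from
            LogonType = $data['LogonType']      # 2 console, 3 network/share, 10 RDP
        }
    }
}

# Accounts with repeated failures in the last day: either a guessable password is
# being tried, or a user needs a reset before the lockout threshold is reached.
Get-RecentDomainLogons -Hours 24 |
    Where-Object { $_.EventId -eq 4625 } |
    Group-Object User |
    Where-Object { $_.Count -ge 5 } |
    Select-Object Name, Count
```

`Get-ADDefaultDomainPasswordPolicy` shows what the first command set; if `Get-RecentDomainLogons` returns nothing, the "Audit Logon" and "Audit Account Logon" settings in the Default Domain Controllers Policy are the first thing to check.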