Enterprises have had them for ages, but there’s a lot to be said for an office domain, even if you don’t span a hundred acres
I
magine this: an employee finds a useful piece of free software on the Internet, installs it, and spreads the good word among his colleagues. Everyone installs it, and all goes well until the software vendor comes a-knocking at your door, asking you to cough up for the corporate license (the free version is only for home user)-and this is the first time you’re even hearing about this program!You’ve probably never even been close to such a situation, but if you’re managing twenty or more workstations individually, you’re inviting it. There’s a simpler way to manage the PCs on your network than running around to each one of them-you need to set up a domain for your office.
What Is It?
The traditional LAN workgroup is a peer-to-peer (P2P) network-all computers are at the same level, where no one machine can dominate another, even if it’s to apply a security patch. So every time there’s a new security fix for Windows XP (and that’s quite often), you have to either go to each PC and install it yourself, or hope that the user has seen the update notification and installed it himself-neither of which is a hassle-free proposition.
In a domain, one computer-the Domain Controller (DC)-is responsible for the network, and the users logged on to it. For instance, it maintains a central database of users, so when someone logs on to his machine, it’s the domain controller that authenticates him and sets his security privileges. Once someone is authenticated on the domain, he has seamless access to all the resources on the network that you want him to-all with a few clicks here and there.
Ingredients
To set up a Windows domain, you’ll need Windows Server 2003-the Standard Edition works for most-at Rs 25,000, it comes with a 25-user license, with additional licenses at Rs 1,250 each. It will scale up as your company grows, and it even supports multiple domains should the need arise. For companies with 75 users or less, we recommend Windows Small Business Server (SBS) 2003-at around Rs 26,000 for five client licenses, it’s a somewhat limited version of Server 2003, but comes bundled with Microsoft Exchange Server to manage your e-mail, and SharePoint Server for collaboration, both of which are very useful (and very expensive) products that have to otherwise be purchased separately. Before you invest in it, you will need to take a good look at the way your company is growing-SBS supports a maximum of 75 clients, so cutting corners now might not work out to be profitable if you’re going to grow beyond that soon.
If your company’s backbone is Linux-based, you can also set up a domain controller using Samba-it effectively manages both Windows and Linux machines. Though the feature set isn’t as elaborate as that of Windows Server or SBS, it does give you the essentials.
In The Jungle
At the heart of your Windows domain is the Active Directory (AD), which organises all the information about your network. Everything falls under one of three categories-users, resources (printers, file servers, and so on) or services (like e-mail). All these objects, their properties and their access rights, and other rules collectively fall under what is known as a forest. The forest comprises of one or more trees, each comprised of one or more domains. The Samba equivalent works in roughly the same way, but can’t replicate the Windows AD in the features department.
The AD is broken into a Schema which contains details about all the types of objects (called classes) you have on the network (users, workstations, printers and so on), a Configuration which stores the forest’s structure, and a Domain which contains all the objects that have been created-physical representations of those in the schema.
Knowing all the technical jargon isn’t particularly important, but you do need to plan your forest properly-making drastic changes to the schema can cause crazy things to happen in the domain, especially if it involves removing an object class. A good idea is to plan your network’s hierarchy to reflect the hierarchy in your company-each department as a separate user group, for instance.
So you’ve planned the network and shelled out for your new server and OS-now what?
The Safe Network
Like we mentioned before, the Domain Controller maintains a central database of users in your company, and it records every user logon, so you know exactly who’s getting on to your network and from where. Their access rights are the same no matter which machine they use, so one team member could log on to another’s workstation for, say, an official document, without being able to change any important settings or access any protected data.
User access rights are controlled through the very powerful Group Policy Editor-the name is indicative of its function (we’ve talked about this tool under Windows XP in Digit, December 2006). It allows you very granular control over the machines and users on your network, including the ability to enable or disable USB drives to prevent data theft.
Security patches for Windows 2000 and XP are released more often than anyone would like, and you can hardly be expected to run around the office asking everyone to make sure they installed the latest one. With a domain controller, you can just push these updates to every machine-not only is it much easier, users won’t even feel the intervention and can carry on working as usual. No more “my system is being updated” breaks! Even the enterprise versions of popular anti-virus suites integrate with domain controllers, so you can load the latest virus databases to all workstations in one go.
…perhaps the most compelling reason to shift to a domain architecture
is that Microsoft Exchange Server will turn Outlook from a personal
mail client and PIM to a very rich collaboration tool
In Control
Right out of the box, Windows Server 2003 lets you monitor programs that users are installing on their workstations, and can even give you a daily update via e-mail. You can also install or uninstall programs from their machines, thus deftly avoiding any nastiness that may arise from unauthorised software.
Beyond this, you can choose to purchase Windows XP Business Desktop Deployment (BDD), which lets you create images of Windows XP installations based on user groups and deploy them from your server itself, so no more worrying about installing XP on a new workstation or re-installing it on an existing one, or even many workstations at a time. Add-ons like Solution Accelerator for BDD are available for free download, and help you streamline the process even more. Creating a deployment image is a long task thanks to the dizzying number of options you can set, but this one-time effort will pay off in the long run. One caveat, though: the images created in BDD only work for identical hardware configurations. BDD for Windows Vista, incidentally, won’t have this limitation.
Outlook, Exchange, And The Domain
After centralised security and administration, perhaps the most compelling reason to shift to a domain architecture-specifically under Windows SBS 2003-is that using Microsoft Exchange Server for managing your e-mail will turn Outlook from a personal mail client and PIM to a very rich collaboration tool. The calendar, for example, lets you set up a meeting with any user on the domain (they all turn up in a global address book), using their calendars to tell you when they’re free. You can also assign tasks and deadlines to anyone-they’ll even receive reminder e-mails when they miss one-even appoint delegates to handle your correspondence while you’re on those much-needed vacations.
Bottom Line
While Microsoft enthusiastically recommends setting up a domain for anything more than two PCs, the costs-the hardware, the OS, electricity consumed by the always-on domain controller and a recommended backup controller-would really start to justify themselves in the vicinity of 15-20 PCs. All you need to remember is to go about it slowly and meticulously-test the domain setup on a small set of PCs first, iron out any kinks, and find your sweet spot in re global settings before you unleash it system-wide. Growing pains will be inevitable, but you should soon be able to sit back and watch all that free time trickle back into your schedule.