Wednesday, November 9, 2016

email - How should a decentralised business use Active Directory?

I have somehow been nominated as the sysadmin for my family's small business. While administering this should be easy, I'm torn on what the best way of doing this is.

A unique aspect of the aforementioned business is that it is very decentralised - there are 30 locations, each with only one computer. There are also 5-10 staff who move frequently between locations, and each staff member and branch has a company-provided laptop running Windows 10 Professional.

While I could apply (and have been applying) Group Policy manually to each computer and manually installing programs, it gets tiring after doing this to 40 machines and driving hundreds of miles between these wide-apart branches. Ideally, this company would have centralised Windows authentication, roaming user profiles and folder redirection between branches, centralised group policy, and network drives shared between certain users.

I assume the best way to do this in a normal environment would be to have an Active Directory Domain Controller in each branch and use this to centralise these aspects of administration and to provide file shares. However, it is not economical for a small business to have so many dedicated servers, in locations that change frequently. In fact, it is impossible - the company has no fixed headquarters I could theoretically run such a server from.

It seems like my only solution is cloud computing... My first thought was to have an AD DC in the cloud (sounds stupid to me), and for the clients to connect to this using a VPN (DirectAccess doesn't work in the cloud due to IP stuff). They then join the domain as usual and everything gets enforced.

I went to Google Cloud Platform (with which I'm most familiar, Azure wasn't much different), provisioned a Windows server, made it an AD DC, installed OpenVPN server, configured routing, made some certificates, installed them on a laptop, joined the domain successfully, and everything seemed okay (apart from Group Policy only half-applying, but I'll figure that out later).

E-mail is also integral to operations. Each day of downtime for this is around £10,000 ($13,000) lost revenue, and this figure doubles annually. No capacity planning was done by my predecessor so everything is pretty hastily thrown together. This will need to authenticate against AD DS, since single sign-on is expected by employees and management. I can't do e-mail in the cloud unless I use a third-party e-mail service, but we need to keep deliverability at 100% and we're maintaining our own IP reputation at the moment. There is no e-mail SSO at the moment, and e-mail is running on a separate Linux server with a separate VPS provider (which obviously isn't easily scalable).

Also, there's the problem of having SMB shares over a high-latency connection. While this wasn't a problem when I was using it, I'm aware this could pose an issue.

So, am I going about this the right way? Is this an appropriate use of Active Directory? Should we move everything to a hosted groupware product and webmail, and not bother with this altogether? If so, that hugely decreases the probability that management will agree to my plans.

EDIT: We're managing our own e-mail because we have a lot more addresses than machines (lots of part-time employees), so we can't afford to pay per-user.
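The "Group Policy only half-applying" symptom over a VPN to a cloud DC usually comes down to one of three things: the client cannot locate the DC through DNS SRV records, a port Group Policy depends on (SYSVOL over SMB in particular) is blocked in the tunnel, or the link is classified as slow (default threshold 500 kbps), in which case software installation and folder redirection are skipped by default. The following diagnostic is an added example, not code from the question or the answer; the domain name and the DC's tunnel address are placeholders to substitute, and it is meant to be run on a joined laptop once the OpenVPN tunnel is up.

```powershell
# Added diagnostic (not from the original post). Placeholders below are
# assumptions: substitute the real AD DNS domain and the DC's VPN address.
$Domain = 'corp.example'   # placeholder: AD DNS domain name
$Dc     = '10.8.0.1'       # placeholder: DC address reachable through the tunnel

# 1. DC location: clients find DCs via SRV records, not hard-coded addresses.
#    If this is empty, the laptop's DNS is not pointing at the DC over the VPN.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) { Write-Warning "No DC SRV records for $Domain - check the DNS server pushed by the VPN" }
else           { $srv | Where-Object Type -eq 'SRV' | Format-Table Name, NameTarget, Port -AutoSize }

# 2. Ports Group Policy processing depends on. 445 (SMB) is needed to read
#    GPO templates from SYSVOL; a blocked 445 is a classic "half applied".
$needed = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'; 445 = 'SMB (SYSVOL)' }
foreach ($port in ($needed.Keys | Sort-Object)) {
    $r = Test-NetConnection -ComputerName $Dc -Port $port -WarningAction SilentlyContinue
    '{0,5}  {1,-20} {2}' -f $port, $needed[$port], $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}

# 3. Machine account trust: a broken secure channel makes computer policy fail silently.
Test-ComputerSecureChannel -Verbose

# 4. What actually applied. gpresult reports the slow-link decision and which
#    GPOs were filtered out, which is where skipped extensions show up.
$report = gpresult /r /scope:computer
$report | Select-String -Pattern 'slow link', 'Applied Group Policy Objects', 'filtered out' -Context 0, 4
```

If the laptop is only connected to the VPN after logon, computer policy from the DC cannot be retrieved at boot and will only arrive on the next background refresh, so a tunnel that starts as a service before logon is worth checking as well.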


Answer

My suggestion would be to look into Office 365. You can purchase O365 services that include Office apps, SharePoint (document libraries and storage), OneDrive for Business (personal document/file storage), Exchange Online, Microsoft Teams (group chat), Skype for Business, etc.

This frees you from having to manage licenses, Office installs and updates; it frees you from having to manage your own email server; and it frees you from having to purchase, install, or manage any of your own infrastructure.