Here's my evaluation based on the questions:
Two or 3 computers? No way.
5 computers? If the environment is distributed enough and turnover is
regular -- maybe.
10 computers? You bet. Even without exchange and such, central management is
crucial (IMHO) at this point. Passwords, remote administration, group policy
all play into easier management and (you mentioned how little time you have)
less administrative overhead. Set up properly with a (well maintained)
default user profile, OUs if required for the distribution of policy,
re-directed "My Documents" and "Application Settings" for archival and
backup purposes - which leads to centralized backups (including open file
options that work without the expense of an agent on each workstation),
DNS-Integrated DHCP, central logon scripts --- I just wouldn't do it any
other way. The $650.00 for S2K3 Standard will pay for itself in no time vs
the time spent maintaining a workgroup scenario.
What would be the three chief reasons?
1) Central administration of accounts, permissions, and policy.
2) Remote administration.
3) Granular permissions/rights for individual users according to need.
What is your opinion of the value of Active Directory versus risks on a one
to four scale (1=lowest)?
What are the risks? No backup? No disaster recovery plan? Are the risks WITH
AD really any different than WITHOUT AD - given the same lack of planning?
A good DC will have redundant Disks (a Mirror at the very least). Redundant
(or at least a cold spare) power supply. Daily backups (tape drive or some
kind of NAS). If you really want to protect yourself from downtime, put up a
second DC. It doesn't have to be as robust as the "big one", and it'll keep
you going if the main one dies, plus it'll make AD restoration a breeze.
I don't see a lot of gray area here. Either you're in need of a central op
or you're not. Once you cross the line, I'd say your main consideration is
not risk vs reward, but more cost vs reward (and selling the reward vs cost
to the folks who control the $$). You'll need a server, server OS, and
plenty of time to join workstations, transfer user account settings from
local to AD accounts. There's lots of planning. Obviously, you don't want
everybody to be a domain admin. What about local admin? Everybody? Or just a
few? What are the software ramifications (of apps you are currently running
and will keep)? Do you need to set up a test environment? What are the
associated costs of that? If you're not migrating from something else, the
danger of rendering your network unusable is fairly low as long as you're
bringing up a NEW server as the DC (HIGHLY recommended!). You can always
log into the local accounts even after you've joined the domain, and the
old permissions and such will still be valid. After the domain is fully
functional and all of the bugs have been ousted you can delete all the local
accounts (one at a time, making sure nothing breaks as a result).
....kurt