Problem : Advantages and Disadvantages of Active Directory / Domain Controller dependant environment.

I am currently conducting an analysis of the advantages and disadvantages of having our production environment of 10 Windows Server 2003 servers (currently running as stand-alone and independent of each other) in an Active Directory / Domain environment, as part of proposed changes.

The main benefit that was brought up was user and password management, which could grow to be a massive amount of work having to manage them individually on each independent server. I am hoping that the proposed change of migrating the whole platform to an Active Directory environment will assist in propagating changes (such as new users, password changes, new security requirements via GPO, etc.) onto the servers (which will run as domain clients; only 1 or 2 will run as Primary and Secondary ADC. Not all these servers are going to host AD or be an ADC; the server OS is used due to its robustness and reliability).

I am assigned the task of performing this analysis, and while I am doing this right now, I am only a junior in the domain administration area. So could you experts help me in identifying / listing these advantages and disadvantages of using an AD environment?

One that I can think of right now is dependencies: if the Active Domain Controller fails, this could possibly bomb out the rest of the machines.

Thank you!


Solution : Advantages and Disadvantages of Active Directory / Domain Controller dependant environment.

You have to set account policies like lockouts at the domain level for them to take effect in a GPO, and a domain GPO always overrides a local machine GPO if that machine is part of the domain. That said, the best way to alleviate your issue of a lockout on the appuser account is either:

1. Create a local or domain account for the service to run under and make it specific to that server. I use something like _svcServiceServername myself, so I know exactly what that account is used for. I then set the password to a difficult password and set it to not expire. I’ve never had a problem yet with the account getting locked out.

2. You could use the local administrator account on the server to run the app under. This account is not subject to local lockouts.

I really don’t foresee you having a problem if you follow one of those choices.
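As an added example (not from the original answer), this PowerShell script implements the first option above: a per-server domain service account named _svc<Service><Server> with a strong non-expiring password, plus a per-domain-controller lockout report, since bad-password counts are not replicated between DCs. It assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later) and uses placeholder OU and server names.

```powershell
# Added example, not from the original answer. Requires the ActiveDirectory
# PowerShell module (RSAT); the OU path and names below are placeholders.
Import-Module ActiveDirectory

function New-RandomPassword([int]$Length = 32) {
    # Cryptographically random characters; the small modulo bias is acceptable here.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%^&*-_=+'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function New-PerServerServiceAccount {
    param(
        [Parameter(Mandatory)] [string]$Service,   # e.g. "Backup"
        [Parameter(Mandatory)] [string]$Server,    # e.g. "APP01"
        [string]$OUPath = 'OU=ServiceAccounts,DC=example,DC=local'  # placeholder
    )
    $sam = "_svc$Service$Server"
    if ($sam.Length -gt 20) { throw "sAMAccountName '$sam' exceeds 20 characters" }
    $password = New-RandomPassword
    New-ADUser -Name $sam -SamAccountName $sam -Path $OUPath `
        -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) `
        -Description "Runs $Service on $Server only" `
        -PasswordNeverExpires $true -CannotChangePassword $true -Enabled $true
    # The password is returned once so it can be stored in your secrets vault.
    return [pscustomobject]@{ SamAccountName = $sam; Password = $password }
}

function Get-ServiceAccountLockoutReport([string]$SamAccountName) {
    # badPwdCount is not replicated, so query every DC; LockedOut is derived from lockoutTime.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
             -Properties LockedOut, badPwdCount, LastBadPasswordAttempt
        [pscustomobject]@{
            DomainController = $dc.HostName
            LockedOut        = $u.LockedOut
            BadPasswordCount = $u.badPwdCount
            LastBadAttempt   = $u.LastBadPasswordAttempt
        }
    }
}

# Usage (constructed names):
# $acct = New-PerServerServiceAccount -Service 'Backup' -Server 'APP01'
# Get-ServiceAccountLockoutReport -SamAccountName $acct.SamAccountName | Format-Table
```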