Koozali.org: home of the SME Server

A few newbie questions: Domain Vs Workgroup

uomonet

A few newbie questions: Domain Vs Workgroup
« on: May 16, 2006, 02:02:55 AM »
Hi everybody!
I have read many posts about this topic and now it's time for me to clearly understand.
- When do I have to choose "yes" or "no" for "domain controller"?
- If I have XP Home machines, which cannot join the domain, I have to create user accounts locally to access shared resources on SME like user directories and various ibays; is that right?
- If I have XP PRO machines, I choose "Yes" and configure netlogon.bat to automatically create shares on the client machine. Is this the only difference between choosing "yes" or "no"?
- If I have different OSs (Linux, Mac, Windows), which is the better way to configure the "workgroup" section in SME?
- Is it wise to save money by buying XP Home instead of XP PRO to act as a client machine in an SME workgroup, since they don't have so many differences?
Thank you all and sorry for my English... :roll:

girkers
A few newbie questions: Domain Vs Workgroup
« Reply #1 on: May 16, 2006, 03:10:55 AM »
Some shortcomings of XP Home:
Only 5 computers can be networked together in a workgroup
No Remote Desktop facility
Can't authenticate against a domain (each user needs to be created on the computer)

By making the SME server the Workgroup & Domain controller it does more than just allow you to use the netlogon.bat. It authenticates users to allow you to set permissions for network resources such as ibays and computers.

Only computers that are joined to the domain run the netlogon.bat, although you can still use security by setting up individual users on local computers.

The server will also maintain a list of computers/shares etc on the network.

Hope this helps in some little way.

jester
A few newbie questions: Domain Vs Workgroup
« Reply #2 on: May 16, 2006, 09:44:20 AM »
Hi uomonet,

In addition to girkers' post, I don't think XP Home edition has the capabilities to join a domain.

About your problem joining a domain with XP, take a look at:
http://no.longer.valid/phpwiki/index.php/SME7FAQs#Clientx20.Computers or search the forums.

Win and Mac clients work perfectly with SME; for Lin clients you'll have to do a search:
http://forums.contribs.org/index.php?action=search2&search=nis+nfs and find out yourself because I don't know much about it either.

Regards,
jester.

uomonet

A few newbie questions: Domain Vs Workgroup
« Reply #3 on: May 16, 2006, 11:06:34 PM »
Thank you all but...
Quote
i don't think XP home edition has the capabilities to join a domain
Quote
Can't authentic against a domain
THIS IS VERY CLEAR TO ME. I wrote in my first post:
Quote
If I have XP Home machines, that cannot join the domain...

Quote
About your problem joining a domain with XP, take a look at:
http://no.longer.valid/phpwiki/index.php/SME7FAQs#Clientx20.Computers or search the forums.
I don't have problems joining a domain with XP and I have read the manual many times. My questions were only about choosing the "best way" to do things.
Quote
It authentics users to allow you to set permissions for network resources such as ibays and computers.
Sorry, could you explain it to me another way? If I have an XP Home machine and create a local user/password in the same SME workgroup, I can connect to my home dir and my ibays on the server just as well as when using an XP Pro machine.
I'm very sorry, maybe I'm quite stupid :cry: but after all the tests I've done using XP Home and PRO machines I can't understand the REAL difference that would make me choose one instead of the other!
Quote
Only 5 computers can be networked together in a workgroup
90% of my customers have fewer than 5 PCs
Quote
No Remote Desktop facility
I use VNC!
Thank you all for your patience.
SME is fantastic!

RvLardin
A few newbie questions: Domain Vs Workgroup
« Reply #4 on: May 17, 2006, 10:28:24 AM »
Quote
- Is it wise to save money by buying XP Home instead of XP PRO to act as a client machine in an SME workgroup, since they don't have so many differences?

In addition to what was said here:
The main difference is that you *don't have to create a local account* on your XP machine. On the logon screen, you can choose to log on to the domain rather than to the local machine. In that case the network authentication is done once and for all at login time, and you don't have to manage different passwords on different machines.
In addition, you can - after a first login - declare a network user (you, for example) as a local admin of the machine. It is cool to be able to log on to different machines with administrator rights using central authentication...

RV.
----
"Those who are willing to lose some of their essential liberties in favour of security deserve neither and will lose both."
- Thomas Jefferson .

MSmith
A few newbie questions: Domain Vs Workgroup
« Reply #5 on: May 17, 2006, 05:36:49 PM »
Girkers: I must respectfully disagree about the number of XP Home machines that can be in a workgroup. I maintain several networks with many more than 5 workstations in the same workgroup running XP Home. For most people in small networks, they neither know nor care whether they're in a domain or not, so I usually set every workstation up with username default or office and have the user automatically logged in. This makes it very easy to give everyone access to shared resources on an SME Server.

Of course, those with a need for greater security get it with better username/password combinations.
...

andy_wismer
Domain vs. Workgroup
« Reply #6 on: May 17, 2006, 06:50:32 PM »
Hi everyone.

The BIG difference between a MS Domain and Workgroup for Windows is the question "Where are the User Accounts?".

In a Workgroup every PC basically needs every user created.

In a Domain only the Domain Controller has accounts; the local machines still have the local administrator account.

Consequences:
==========

With three machines in a Workgroup with SME, a password change means doing it on all machines AND on the SME Server.
In a Domain you just do that once; it's a form of SSO (Single Sign On).

A Domain allows a central login script. MS even allows a per-user Login Script. (Warning: during Login the Netlogon Share is mapped as drive Z:)
Login scripts or drive mappings are a pain in the neck with workgroups, especially on Notebooks.

The difference between Windows Mapped Network drives and those set by a logon script is that notebooks with Windows mappings always see the network share, they just can't connect. A login script allows a notebook to display what it actually can connect to. (This doesn't count if you use "Make available offline", as the server is always visible, at least the offline folders.)

Then come Policies. Policies allow you to centrally set "Rules" for your network. The ntconfig.pol files go of course in the Netlogon Share.

Nice are "wandering profiles": your favourites, mail and last used documents are synchronized by the server to any box you log on to. This also gives you a central "backup" of your Windows profile. The Profile is - if the server is available - copied over from the server at logon, and copied back to the server when you log off. Only when the server can't be reached does your PC use the local profile.

Software Distribution is much easier with the Domain Model.

Gadgets and applications like NAS (Network Attached Storage), Remote Control, etc. can profit from SSO and realize your new password is accepted by the Domain Controller.

As to the number of XP Home machines in a Network or LAN: you can put in as many as you want; I think the Workgroup limit is somewhere like several thousand. However, Windows 2000 Pro and XP Pro only allow ten simultaneous connections; XP Home allows 5. Browsing the Network like XP does in default mode can "cost" some connections...

Important Note for those not familiar with Domains and Notebooks:
A lot of people don't realize that Windows NT, 2000 and XP can all be "Domain activated", meaning they can log on to a Domain. On the road, without connection to any LAN, you can still use your Domain User (cached Authentication) and Profile.

If you like fixing XP Home with connections, Password Problems and so on, then XP Home is a viable option.
Otherwise get a Domain set up and save yourself a lot of work and headaches...

uomonet

A few newbie questions: Domain Vs Workgroup
« Reply #7 on: May 18, 2006, 01:01:44 AM »
Thank you very much andy_wismer for your answer.
Quote
Nice are "wandering profiles"....
Did you mean "roaming profiles"? Do they work fine on SME7?
In which cases do you recommend using (or not using!) them?
Quote
Then come Policies. Policies allow you to centrally set "Rules" for your network. The ntconfig.pol files go of course in the Netlogon Share.
Do the user policies also work in SME? Isn't it only Microsoft stuff?

To MSmith:
Quote
I usually set every workstation up with username default or office and have the user automatically logged in.
You use the same login for all PCs on the network? So you use the same "name" for login and different users/logins for e-mail?

idp_qbn
A few newbie questions: Domain Vs Workgroup
« Reply #8 on: May 18, 2006, 02:36:34 AM »
A) Roaming profiles:
These are very useful for the situation where users change PCs... i.e. they log in at different PCs each time. Their profile is stored on the Domain Controller and copied to the PC when they log on. Screen settings, email settings, Favourites etc.... even locations of files and programs.

BUT... there is a downside: all that profile must be copied to the PC and back again when they log off. And profiles grow... and grow...

B) Policies work with SME... they are stored as a file (files) on the DC and applied to the PC... so, they run on the PC. There is a whole wonderful world awaiting you out there about policies... machine policies, user policies, group policies and which policies get applied first and take precedence. (Sorry, I can't help you; I know only enough to know there are problems if you are unwary)

Policies can be used to control user access to the PC they are using and the domain shares etc. They can also be used to limit (or prevent) copying of profiles....ie a size limit on the profile can be set. Things like files stored on the desktop get included in the profile to be copied, which is one way they get bigger.

C) Default usernames and passwords? Sounds like the PCs are just kiosk machines... i.e. anyone can use them. And that's fair enough if you have other security measures in place, or don't really care too much about what is stored on the PCs and who uses them. I can envisage a situation where you might want that, but you must also be prepared to reload and reconfigure and explain to users what happened to their data. So, it works and may be useful, but there are problems.

My advice is
a) use a DC and get them to authenticate (logon) to that.
b) use roaming profiles if you have roaming users.

A final note on roaming profiles: they can be very useful when you get a phone call from a user saying that they have a dead PC and you are not on site. You can tell them to go to another desk and logon and they will be back at work.
___________________
Sydney, NSW, Australia

andy_wismer
A few newbie questions: Domain Vs Workgroup
« Reply #9 on: May 18, 2006, 10:35:57 AM »
Hi

Users:

I only use a "Default user" on machines with a special purpose, like Kiosks.
Anyone in front of them can do what's needed. Examples are Surf-Stations, RIP Printing Controllers, etc.

Otherwise I implement a strict username scheme. User profiles are very dependent on OS Version, as they contain the user part of the registry (HKEY_CURRENT_USER). I mostly use Win2000 and a few NT boxes, and log in on those with "wismera". My Notebooks are XP and Mac, and I log in on those with "aw".

Roaming Profiles:

Make sure that the size gets limited; a profile size of 1 GB is not "Handy" any more. I've experienced users at clients I deal with who wait more than 1 hour for their PC to log in and display the desktop.

Typical Culprits are:

IE / Firefox cache: I force that down to 20 MB and use a squid proxy; SME comes with that.

Files stored on the Desktop or in "My Documents"; those are basically part of your profile. I remap "My Documents" to H:, the user home mapping I always use. TIP: Look for PERSONAL in the Registry.

Make them a Link on the Desktop pointing to H: (User's home) and S: (Company data Share).

I don't like using UNC; I prefer a Drive letter. That gives me the security of an additional abstraction layer I can modify if the need arises, say to point to another server when migration time comes. I just make sure the PCs get the mappings needed, with a login script.

Policies:

Forcing PC's to use this or do that is where the Policies come in Handy. I use the NT Policy Editor a lot and created / modified Policy Rules for stuff like MS-Office, IE, Outlook, VNC, etc.

Permissions:

Certain Apps still need local Admin privileges to work. They don't need Domain or network Admin permissions. In that case, simply add the network UserID to the local PC's Administrators group. That way, a network user gets admin perms on his box, the app works. But he's still only king of the box, not the network!

MS doesn't give reasonable default settings. See the local cache on a new PC: 1.5 GB cache. This goes in the user's profile. Or has anyone set up an MS 2003 Server with full, real DNS recently? Still the wizard does the NS and SOA records, but forgets the needed A record. The whole Reverse is forgotten. MS doesn't really seem to understand DNS - even though that's a requirement for DNS. In 2001 MS went off the internet for a week or two. Four DNS Servers - enough redundancy one might think - all behind the same router in the same subnet. A typo in a router's routing table CAN have big consequences. After that, MS doesn't do their own DNS anymore...

Summary:

If you know what you're doing, Policies, Profiles and such can be a great help and reduce a lot of headaches...

andy_wismer
Afterthought
« Reply #10 on: May 18, 2006, 10:40:48 AM »
Hi

To make those tricks work, it is highly advisable to make sure the PCs all have the apps installed in the same place, or on P:, which I use as the network program share. Installing apps on the server makes that easier to handle, and as a bonus the imaging time & size go down, whatever you use (Acronis, Ghost, etc.).

And do copy the profile to Default User after setting up a PC...

YMMV

Andy

uomonet

A few newbie questions: Domain Vs Workgroup
« Reply #11 on: May 18, 2006, 12:53:58 PM »
Hi andy_wismer
Your post is GREAT!!!
Quote
it is highly advisable to make sure the PC's all have the apps installed in the same place, or on P:,

This is brilliant!
But do you have to reinstall all apps for every client even if they are stored on the network share "P:"? (to install file systems and other Microsoft stuff..)
And what about sharing Outlook appointments, calendar, notes and mail like MS Windows Server 2003 + Exchange? Did you find something working on SME? Like OpenExchange or eGroupware?
Thanks in advance for your answers! :-) :oops: :-)

andy_wismer
A few newbie questions: Domain Vs Workgroup
« Reply #12 on: May 18, 2006, 01:49:28 PM »
Hi

Groupware
========

For Groupware I'm personally running Groupwise / Exchange / OpenXchange.
But protected by a SME Server...

For Clients running SME as Primary, I haven't used OpenXchange yet, which would be my preferred solution.

At the Moment I'm using mostly MoreGroupware, having used phpGroupWare for years. Both are stable, very usable apps, but limited to a web interface. MoreGroupware has a good GUI Design, and runs well on SME 6 / 7 using IMAP to connect to the SME Mail.

I admit to clients and myself using Outlook, but I usually use Outlook to sync PDAs, handphones and such. I don't want to go to the hassle of having to create a custom solution for every model of handphone my clients use. I let Outlook do that - as a Gateway. The Backend is an Access Application (soon to be ported to a UNIX Server Solution) which syncs the Databases of Outlook with MoreGroupware (MySQL). I might even release the code of this "crutch" someday...

P: Network Program Share
==================

Actually, I'm VERY strict on drive letters. Any Windoze Box I set up or support will have the CD/DVD on drive J:.

My basic scheme is as follows:
H: User Home Share
I: Install, a place to keep Installers, MSI, Setups, Drivers, etc.
P: Network Program Share, with subfolders as required (See below)
S: Data for Company / Institution
T: TwixTel Telephone Number CD
W: TeamWork Transfer Share, no special permissions, free for all.
     (This share uses a script cleaning up untouched files; no Backup)

P: Network Program Share Details
======================
P: Network Program Share, with subfolders as required (See below)
 e.g.: P:\Win32\Eng, P:\Win32\Deu (German), P:\WinNT\Eng, P:\WinNT\Deu, P:\Win9x\Eng, P:\Win9x\Deu, P:\MSDos\Eng, P:\MSDos\Deu, P:\OS2\Eng, P:\OS2\Deu, and so on.

One Program you'll find on all my networks using SMB (Samba) is the Windows Server Manager and User Manager for Domains. These programs are included in the MS Server Versions, Res-Kits, etc. The different Versions available for Win9x, WinNT and Win2K-Win2003 make different folders necessary. Most Apps go in under Win32.

On most PCs I install Office locally, as this is usually the most used.
Other Stuff, like Dreamweaver MX and Corel Draw, uses a lot of disk space. I like keeping the C: Drive of my PCs down to 8 GB (till Win2000) or 10 GB for WinXP. That makes the disk - and the image file - smaller and handier. It's also noticeable when you use Ghost or Acronis to make an Image of, say, a 10 GB C: Disk, or of some notebooks bought off the shelf coming with an 80 GB C: Disk.

Hope that sets you on the right track ;-)

YMMV

Andy Wismer
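As an added example (not code from the thread or from SME Server), here is a netlogon.bat that applies the drive-letter scheme above as a domain logon script and hooks the per-user script mentioned in Reply #6. The server name SMESERVER, the share names and the Z:\users folder are assumptions; T: (a CD) is left out, and the file must be saved with Windows CRLF line endings because the client's cmd.exe runs it.

```batch
@echo off
rem Added example logon script (not from the thread). Assumptions: the SME
rem server is named SMESERVER and exports shares called homes (the user's own
rem directory, addressed by %USERNAME% via Samba's [homes]), install, programs,
rem company and transfer. Adjust to your own server and ibay names.

rem Drop any stale mappings first, so a notebook that roams between networks
rem does not keep a dead Windows mapping around (the problem from Reply #6).
for %%D in (H I P S W) do net use %%D: /delete /yes >nul 2>&1

rem /persistent:no keeps each mapping for this session only; the logon script
rem recreates it at the next logon if the server is reachable.
net use H: \\SMESERVER\%USERNAME% /persistent:no
net use I: \\SMESERVER\install /persistent:no
net use P: \\SMESERVER\programs /persistent:no
net use S: \\SMESERVER\company /persistent:no
net use W: \\SMESERVER\transfer /persistent:no

rem Keep the client clock in step with the server.
net time \\SMESERVER /set /yes >nul

rem Per-user login script (Reply #6): during logon the netlogon share is
rem mapped as Z:, so a user-specific batch file kept in the hypothetical
rem Z:\users folder is called only if it exists.
if exist Z:\users\%USERNAME%.bat call Z:\users\%USERNAME%.bat
```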

tuxtux

PDC - BDC
« Reply #13 on: May 22, 2006, 05:41:10 AM »
Hi all, indeed very interesting discussions and helpful too.

Some of you out there might shed some light on my situation, where I need to set up SME servers in 2 different locations with single logon. All clients will be a mix of Win2000 Pro/XP Pro.

So, is there any way that I can configure the SME to become a PDC-BDC setup? The BDC must be able to replicate and sync the user accounts database with the PDC. I understand that the backend database must be LDAP-based?

Any sample configurations/pointers will be much, much, much appreciated.

Cheers,
Tux tux

uomonet

A few newbie questions: Domain Vs Workgroup
« Reply #14 on: May 23, 2006, 12:56:57 AM »
To andy_wismer:
Quote
P: Network Program Share Details
======================
P: Network Program Share, with subfolders as required (See below)
eg.: P:\Win32\Eng, P:\Win32\Deu (German), P:\WinNT\Eng, P:\WinNT\Deu, P:\Win9x\Eng, P:\Win9x\Deu, P:\MSDos\Eng, P:\MSDos\Deu, P:\OS2\Eng, P:\OS2\Deu, and so on.

If you install the same application on several XP boxes using P: as destination, do you have to reinstall the same application several times in the same path? Does it work? If you change a setting on an application installed in P: for several computers, do you change it for all installations? (e.g. .ini files)