Re: getting me ducks in a row - concepts

From: Lanwench [MVP - Exchange] (lanwench_at_heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 10/19/04


Date: Tue, 19 Oct 2004 10:27:20 -0400

barney wrote:
> Lanwench [MVP - Exchange] wrote:
>> barney wrote:
>
>>> 1) When I setup client PC's, can I specify that they can only logon
>>> through the domain controller or not at all (is the latter a good
>>> idea? I want to keep them controlled so they use the file space on
>>> the server)
>>
>> Yes. Don't create local login accounts for users, and make sure only
>> admin types know the local administrator credentials on all PCs.
>> Make sure all client PCs are running NT-based OSes like 2k or XP Pro.
>> Use folder redirection via group policy to redirect My Documents to
>> the user's home directory.
>
> Ah, group policy, that's how it's done.

That's the easiest way, yes.

> I assume that once I've setup
> the client PC's through the admin account to be a part of a domain
> the login screen will change from the normal XP login (with usernames
> automatically rendered to the welcome screen) to something like a
> Novell login? Where users must type in their UN and PW.

Yep.
>
>>> Secondly, when setting up local client machines;
>>>
>>> 1) should I flatten all the HDD's and "push" all the apps to those
>>> machines?
>>
>> You mean, reinstall Windows & all apps? I don't know if that's
>> called for, unless you don't know or trust whatever's on there
>> already & really want to make sure your workstations are
>> standardized. You can push out application installs via GP & MSI
>> files if you know what you're doing with that....try posting or
>> lurking in m.p.windows.group_policy
>
> Thanks. I was just thinking of consistency and the ease of reloading
> or adding new machines. I only have around 15 machines, so maybe it's
> not worth the trouble?

Your call! Depends on how confident you are of the existing workstations'
general health/standardization.
>
>>> 3) Would I be able to push QuickBooks (yes I've read about some of
>>> the other QB issues with user rights and registry keys)
>>
>> Do all your users really need Quickbooks? Do you have enough
>> licenses to install it on all computers? Note that Intuit software
>> tends to assume that the user has local admin rights and you will
>> want to tweak this using RegMon and FileMon from www.sysinternals.com
>
> Not *all* users need it. Am I right in assuming that I don't need to
> give local admin rights if I provide users with admin rights to the
> QB registry keys on the server?

You don't load QB on the server - the registry keys or files/folders would
be local to each workstation. The data files should live on the server
(ideally in a share to which only an "Accounting" group has access)
>
>>> 4) could someone give a brief idea of what's involved (at a high
>>> level) in pushing apps - am I just sending the setup files or will
>>> the setup auto-run?
>>
>> How many apps are we talking about? How many desktops? Unless you
>> have a boatload, setting 'em up manually may be a lot faster &
>> easier for you.
>
> About 15 desktops, basic office apps and QB. Nothing huge.

If you think they're fairly standardized now, maybe there's no need to do
anything with them rather than joining them to the domain.

Note - the local profiles won't work with the new domain logins. I usually
prefer to create new profiles for each user anyway - and copy favorites &
any desktop items (which I discourage) over manually.
>
>>> Lastly, (anyone still reading??) The two NIC setup;
>>>
>>> 1) Can this be performed satisfactorily with sbs standard in
>>> conjunction with a good firewall? Is it just a matter of whacking
>>> them on different subnets and running a routing wizard?
>>
>> Unless you use ISA or really need to use the built-in (and not
>> terribly configurable) W2003 firewall, use only one NIC - let your
>> firewall appliance do NAT, and handle Internet routing, filtering,
>> whatnot. You don't need to do anything with routing on the server at
>> all in that case. Assign your server/s static IPs in the same
>> (private) IP range as the LAN IP of your firewall - and set up DHCP
>> on the SBS server, not on the firewall.
>> Note: I may be in the minority on this topic, but I've been setting
>> up domains & servers a long time - and outside of the SBS groups, a
>> dual-homed DC is generally considered a big no-no. Given how cheap
>> router/firewall appliances are these days, I don't see it being
>> worth the bother.
>
> I do like the idea of using a different subnet with port forwarding
> from the router for external access though. I may try that first,
> seems reasonable to segment public traffic from private.

You absolutely must do this somehow. Like I said, I think the best device to
handle this is a router/firewall, not your server.
>
>>> Ok I think that's all for now, thanks to anyone who answers any of
>>> my numerous dumb questions.
>>
>> Hope this helps.
>
> It has indeed. Thank you.

No problem!

Remember - antivirus is also a must. I suggest the Trend Micro
Client/Server/Messaging suite for SBS. Make sure that the officescan client
on the server itself is set to exclude the Exchange database/log/queue
folders from any scanning at all, or you'll be very unhappy. I set all Trend
products on the server to check for updates hourly.
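
An added example, not part of the original thread: the RegMon/FileMon advice above amounts to capturing what the application is denied while running as a normal user, then granting rights on only those keys and folders instead of handing out local admin. The sketch below summarizes such a capture. It assumes a tab-separated export with the columns sequence, time, process:pid, request, path, result, other; the rows, the process name `example.exe` and the `ExampleVendor` paths are constructed, and matching on the substring `DENIED` is an assumption about how the tools label the result.

```python
import csv
import io
from collections import defaultdict

# Constructed rows, NOT real tool output. Assumed column layout:
# sequence, time, process:pid, request, path, result, other
ROWS = [
    ("1", "10:01:02", "example.exe:1234", "OpenKey",
     r"HKLM\SOFTWARE\ExampleVendor\App", "SUCCESS", ""),
    ("2", "10:01:02", "example.exe:1234", "SetValue",
     r"HKLM\SOFTWARE\ExampleVendor\App\LastRun", "ACCDENIED", ""),
    ("3", "10:01:03", "other.exe:900", "CreateKey",
     r"HKLM\SOFTWARE\Other", "ACCDENIED", ""),
    ("4", "10:01:04", "example.exe:1234", "CREATE",
     r"C:\Program Files\ExampleVendor\app.ini", "ACCESS DENIED", ""),
    ("5", "10:01:05", "example.exe:1234", "SetValue",
     r"HKLM\SOFTWARE\ExampleVendor\App\LastRun", "ACCDENIED", ""),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in ROWS)


def denied_paths(log_text, process_name):
    """Return {request: sorted unique paths} for operations that one
    process attempted and was denied. These are the candidates for a
    targeted ACL change on the workstation."""
    hits = defaultdict(set)
    for row in csv.reader(io.StringIO(log_text), delimiter="\t"):
        if len(row) < 6:
            continue  # header, blank or truncated line
        process, request, path, result = row[2], row[3], row[4], row[5]
        # The process column is assumed to be "name:pid"; compare the name only.
        if process.split(":")[0].lower() != process_name.lower():
            continue
        # Assumption: denied results contain the word DENIED.
        if "DENIED" not in result.upper():
            continue
        hits[request].add(path)
    return {request: sorted(paths) for request, paths in hits.items()}


if __name__ == "__main__":
    for request, paths in denied_paths(SAMPLE_LOG, "example.exe").items():
        for path in paths:
            print(f"{request:10} {path}")
```

Run the capture while logged on as a non-admin test user and exercise the application's normal functions first, so the list reflects what users actually need.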


