
Domain or Peer to Peer (was: Do I need a LAN server?)

Discussion in 'Networking (Hardware & Software)' started by Ollie Garcia, 2007/01/02.

  1. 2007/01/02
    Ollie Garcia

    This is the original post that started the original thread. The original issue has been discussed in that thread. However, from this discussion the topic moved to a new debate. I have separated the original thread so as to keep the two discussions separate and therefore clearer. ReggieB

    Hello. My current work environment consists of a LAN running XP Pro at the workstations with everyone in a workgroup setup. About 26-30 workstations.

    The problem is we keep losing bandwidth to various things: p2p, video, etc. I've recently noticed that on the weekends when no one is here I'm missing about 50% of our bandwidth (5-6MB lost). By process of elimination (shutting them down!), I have it narrowed down to 3-4 workstations. Checking task mgr shows nothing out of the ordinary, and I've removed spy/virus-ware from these PCs several times.

    So, I'd like to put a system (server?) in place where I can monitor the outgoing/incoming bandwidth usage per LAN ip (to help me determine the problem areas), and have the ability to restrict bandwidth for certain LAN ip(s).

    Doing some initial research it appears that Microsoft has Small Business Server 2003 Premium (w/ ISA 2004). I'm confused on the license requirements however. Does every user need a license? So it comes with 5, I would need 21-25 additional licenses? If so that will get $$! Especially considering I've already purchased XP, then I will purchase SBS, then additional licenses! I really don't need all the other additional features that SBS offers (Exchange, SQL, etc), just the gateway-proxy features I suppose.

    Am I heading in the right direction? Is there a cheaper linux alternative (but not too terribly complicated)?

    Sorry for the length, and thanks for any/all help.
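
The per-LAN-IP accounting asked for in the post above, sketched as an added example (not part of the original post): it totals in/out bytes per workstation and lists the hosts that move large volumes at the weekend, when no one is in the office. The record format and the sample rows are constructed; a real gateway or proxy export would need its own parser.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample: one row per LAN host per interval, in an assumed
# export format of timestamp, LAN IP, direction, bytes.
SAMPLE_FLOWS = """\
2007-01-05T10:00:00,192.168.1.21,out,4000000
2007-01-05T10:00:00,192.168.1.34,in,9000000
2007-01-06T03:00:00,192.168.1.21,out,750000000
2007-01-06T03:00:00,192.168.1.21,in,20000000
2007-01-06T14:00:00,192.168.1.34,out,1000000
2007-01-07T02:00:00,192.168.1.57,out,410000000
2007-01-07T02:00:00,192.168.1.21,out,300000000
"""


def parse_flows(text):
    """Return a list of (datetime, ip, direction, bytes); skip malformed rows."""
    flows = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4 or row[2] not in ("in", "out"):
            continue
        try:
            flows.append((datetime.fromisoformat(row[0]), row[1], row[2], int(row[3])))
        except ValueError:
            continue  # bad timestamp or byte count
    return flows


def usage_by_ip(flows):
    """Total bytes in and out for each LAN IP."""
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for _, ip, direction, nbytes in flows:
        totals[ip][direction] += nbytes
    return {ip: dict(t) for ip, t in totals.items()}


def weekend_talkers(flows, min_bytes):
    """Hosts whose Saturday/Sunday traffic reaches min_bytes, busiest first.

    Returns (ip, total_bytes, out_bytes). A high out_bytes share on an
    unattended PC points at uploads (p2p seeding, relaying) rather than
    downloads, which is worth knowing before imaging or rebuilding it.
    """
    weekend = [f for f in flows if f[0].weekday() >= 5]  # 5 = Sat, 6 = Sun
    hits = []
    for ip, t in usage_by_ip(weekend).items():
        total = t["in"] + t["out"]
        if total >= min_bytes:
            hits.append((ip, total, t["out"]))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for ip, total, out in weekend_talkers(parse_flows(SAMPLE_FLOWS), 100_000_000):
        print(f"{ip}: {total} bytes at the weekend, {out} outbound")
```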
     
  2. 2007/01/04
    Scott Smith

    Just some food for thought.

    Remember Microsoft recommends a Domain Controller for workgroups over 10.

    I have seen a few 25+ workgroups that were killing LAN speeds due to all of the PCs fighting over elections for the master browser.
     


  4. 2007/01/04
    Bill Castner

    If you could, I would sincerely appreciate a cite for this. The fact that Win2k and XP were limited to 10 connections says nothing about Microsoft's demand for the use of a Domain Controller in this instance.
    NETBIOS is chatty, which is why Microsoft does not recommend its use in large LAN/WAN settings. But browser elections are a small part of any traffic, and are controllable. You can declare a Master Browser for any end-point, and configure the clients not to contest this election.

    You can for free use LMHOSTS, and have a single computer be the LMHOST repository.

    If the only reason you suggest a Domain is to control traffic created by NETBIOS hostname resolution, there are many non-Domain solutions. For example, configure a Windows Server box as DNS and DHCP and WINS server and disable NETBIOS completely. There are excellent freeware DNS servers that can be run on a single PC, allowing hostname resolution to be done using pure DNS just as in a Domain. And I am sure you know that a Linux box can easily handle file and print server, DNS and run strictly on SMB -- as can an only Windows Workgroup with some of the earlier suggestions.

    Somehow the P2P community has managed to connect millions of machines in a workgroup without worries about Master Browser elections.

    Under XP, netbios over TCP/IP is an option, not the default. It follows the work begun under Win2k to move away from dependence on the chatty NETBIOS for hostname resolution. Windows Vista by default deprecates NETBIOS to the point that you have to really search to figure out how to enable it. It has moved on for Workgroup settings to using UPnP and SSDP client agents for hostname discovery and resolution.

    If you see a Workgroup with Master Browser election issues, and excessive NETBIOS broadcasts, you are looking at a Workgroup that was poorly set up from the start.

    In my client base I have three sites that are Workgroup, not Domain-based, have more than 500 clients, and chose deliberately a Workgroup model because that model exactly fits their line of business and security concerns. None of them use NETBIOS, all use SMB. And honestly I would go broke if it were not for my Domains. I rarely hear an issue from my Workgroups. I hear all day long from the IT staff of the Domains.

    Most of the confusion under XP Networking was that it served as a transition point between Win3.x & Win9x Networking, the NT OS versions, and the future. XP tried too hard to look backwards. The fact that out of the box it did not clearly support NetBEUI was a scandal at the time.

    VISTA makes it clear that a break with the past was needed. Gone is Appletalk, IPX/SPX, NetBEUI; and very nearly NETBIOS. But this suggests more efficient name resolution models for both Workgroups and Domains, not a move towards a Domain-centric world for Microsoft Networking.

    The central issue with the older protocols is security. The original thinking about using Domains was to ease network management. Then they grew to the present state of being a centrally managed security object as well. One of the interesting things that Vista reveals about Microsoft thinking is that more responsibility has to be done by the client, and not the Domain Controller. And that the Domain Controller needs to better handle pre-client authentication issues as a serious focus.

    This change in the security model can easily be seen in Longhorn Server (in Beta), and Vista client (now RTM). The need for a DC is now more a management rather than security principal in the network. The burden is being shifted to the client, with the DC acting as a validator for allowing any connection.
     
  5. 2007/01/05
    Scott Smith

    I don't know about a web site. I just remember it being mentioned while I was in and out of consciousness during MCSE classes. :D :D :D

    It's hard to imagine a LAN with 25+ desktops not needing some sort of central management.
     
  6. 2007/01/05
    Bill Castner

    Central Management does not equal a Domain. Group Policies can be applied in a Workgroup (as well as on a stand-alone machine). Centralized File and Printer management does not require a Domain either.

    While a Domain has a lot of advantages, management in a Domain is complex, and fraught with peril. It is these dangers and the associated costs of a larger IT department to handle Domain chores, that amount to one serious cost of ownership that a company has to consider.
     
  7. 2007/01/05
    ReggieB

    I'm with Scott here.

    My previous job was installing networks for small businesses and then managing the network installation team. My current job is running a small business network. So I've installed and bug-fixed a lot of 5 to 30 user networks.

    The recommendation of having a server if there are more than 10 users is an excellent rule of thumb.

    In a Microsoft environment, that means using Windows 2003, so yes a new OS environment and new tools to get used to. However, in my opinion Win2003 is the best MS OS I've used so not a bad experience for me. Setting up a domain with Win2003 is straightforward and wizard driven. There are some basic rules that make things easier - like making sure you use a .local domain name rather than your internet domain - but I'd argue it is straightforward.

    Then the advantages of having a single location to manage users make the pain of managing each user on each PC a thing of the past. Then when you start using the other services that come along with the bundle - web services, centralised storage, network application - the experience just gets better and better.
     
  8. 2007/01/05
    Bill Castner

    I am not anti-Domain (rather the opposite, quite frankly) but I found the earlier comment by Scotty and your re-endorsement specious.
    You will not find a Microsoft document that states you must use a Domain if you have >= 10 users. It does not exist. And as a rule of thumb it suffers as do all generalities -- it is prima facie wrong.

    Most Windows server products (65%) are used in a Domain, but Workgroup settings are 35% of the use of Windows Server. Using Windows Server does not mean using it set-up as a Domain Controller. This is a choice.

    Many companies have security concerns that match perfectly using a Workgroup. Remember that you are only limited to the number of workgroups you can cluster: 254. Windows Networking fully supports multiple workgroups without issue. The NT Security model applies fully.

    To many businesses the notion of having Accounting, Administration, Legal, R&D, Sales, Marketing, General Users as different workgroups matches their organization, and simplifies security.

    As for centrally managing this, the expense of an IT Department stuffed with newly minted MCSEs to baby their Domain is prohibitive. It is therefore three things that can drive a Workgroup v. Domain choice:

    . It is familiar to their IT staff;
    . It matches their business organization
    . It matches their security concerns

    All of this (other than the first) can be done in a Domain. But the suggestion it can only be done in a Domain setting is just simply not true. And the implication that it is easier in a Domain has not been the experience of many.
     
  9. 2007/01/05
    ReggieB

    I absolutely agree with this. You do not need a domain. Peer to peer networks can work in large networks. After all, individual users connecting to the internet are to some extent acting as peer to peer members of a very large network.

    My point is that in my experience it is easier to manage a network via a central server, and that the point where the complication of having to manage access to each PC individually rather than centrally, becomes greater effort than having to get your head round the additional complication of having a server, is around the ten user point.

    The point varies. More experienced users can manage access to their own PC. So in my experience, the problems of managing peer to peer are less if you have experienced users.

    Even so, I think anyone running a 20 user peer to peer network is making their lives unnecessarily complicated, no matter how expert the end users.

    So nothing stops people running large networks without a server, the same way nothing stops people running bicycles with square wheels. As with many computing systems: it is your choice. If you prefer peer to peer, good for you, but I would always recommend server/client.
     
  10. 2007/01/05
    Bill Castner

    The analogy is pejorative on its face as to the content of the previous discussions, and is nonsensical to boot.

    Surely Reggie something more apt and fair could be used for your argument.

    If this is the best argument you can make for Domains then the Workgroup folks win.

    Neither of the Domain-only for 10+ user supporters have answered the questions I have asked.

    . Where is the security benefit?
    . Where is the central management benefit, and how is it measured? Work hours, cost of ownership, effectiveness? There is not one thing you can do with GPOs that is not available in a Workgroup. Workgroup clients are as subject to Group Policy on identical terms, and for the same internal reasons, as any Domain client.
    . Where is the cost savings? Show me an example of a corporate site that saved money by moving from a Workgroup to a Domain.

    There are honest answers to the questions above, and none of these answers requires bashing Workgroups.
     
    Last edited: 2007/01/05
  11. 2007/01/05
    Scott Smith

    Come on Bill it's the MS way or the highway. :D :D :D
     
  12. 2007/01/06
    Bill Castner

    Come on Scott, show the cite. Microsoft does not require a Domain for 10+ users.

    I pinged the MSFT Product Group for Networking Products. To their knowledge there has never been a Microsoft publication making your claim.

    What I was told that was interesting was that some suggestion of Workgroup limits for a single workgroup can be found in the SBS documentation. The limitations are essentially server-side. That licensing caps were placed on a single SBS server at 75 users under R2. At that point additional servers are needed. There are no limitations imposed on Windows Server products.

    Finally, as to limits on Workgroup models, the limit is a binary double word, of 65,456 users.
     
  13. 2007/01/06
    Scott Smith

    Bill if I get a chance I'll scan some pages of the MCSE 2000 books.
    They are littered with statements of that effect.
    In fact they were adamant that 10 simultaneous connections was the limit to a source in a Peer to Peer network.

    Try that and let me know how that goes. ;)

    Finally,
    A simple Google search of "Peer to Peer limits" brings up several MS articles.

    I popped this out of the first one I found.

    Now,
    how many 25+ workgroups can be found that share no resources? Not even a folder on a hard drive or a printer?
     
  14. 2007/01/06
    Bill Castner

    For NT client OS models the limit as a server is 10 simultaneous connections.
    Windows Server is limited by your CALs as to simultaneous connections.

    Microsoft shows 35% of Windows Server installs are done under the Workgroup model, and 90% of Small Business Server installs are Workgroup and not Domain.

    Windows9x is unlimited in its peer-to-peer connection limit.

    As I said way up above to you, do not confuse the connection limit on a client OS in a server role with the ability to create simultaneous connections in a workgroup. XP, for example, is unlimited in the number of simultaneous connections it can make as a client. It is limited to 10 connections as a server.

    For this reason you often see Linux distributables involved with SAMBA to create a file and printer server for Windows Networking -- Domain or Workgroup model. There are no connection limits, and there are no CALs.
     
    Last edited: 2007/01/06
  15. 2007/01/06
    ReggieB

    I think you may have the use of the term server confused here. All NT based Windows systems provide a "Server" service and a "Workstation" service. The Workstation service provides out going connections and the Server service provides incoming services.

    So in a XP peer to peer network each computer communication will be from the Workstation service on one PC to the Server service on the other PC. So every connection will involve the Server service on one PC, and therefore may be limited because of the 10 simultaneous server connection limit. Any of the PCs will be limited to 10 incoming connections.

    While I agree that 10 simultaneous connection limit will not be too much of a burden on a 10 node network, it will become a problem as you increase above 10. Therefore, I don't think it's the killer for where the limit for peer to peer should be (if I was basing my limit on this alone, I think it would be near 30 to 40 PC as the maximum). However, it does support our case that using a Server becomes advantageous as PC numbers increase.
     
  16. 2007/01/06
    ReggieB

    Those are my favourite types of analogies :D

    The main security benefit is that access rights and user management are controlled in one place - the server.

    While you may be able to secure peer-to-peer as tightly as a client/server network, you have to do so on each peer. So many places where you can make a mistake or fail to update.

    I think one example will do. I want to change the password for my user Joe. Through a domain or AD, I change it once, centrally at the server. Peer to peer, I have to change it on every system Joe uses.

    There is more to network management than group policies. User management (for example setting passwords), file access rights, share access rights, providing network wide administration access are all things that are easy to manage via a Windows server outside of GPOs.

    That's difficult because it would be very hard to find a corporate that got to any reasonable size peer to peer, so few if any are going to have documented a transition. So my only answer to this is to ask the peer to peer advocate to provide examples of corporate peer to peer network larger than 50 seats.

    Workgroups are fine on very small networks. They just don't scale well.
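
The per-PC update problem described in the post above ("So many places where you can make a mistake or fail to update"), as an added example that is not part of the original post: an audit that compares local account lists collected from each workgroup PC and reports accounts whose password was changed on some machines but not others, or that exist on only some machines. The inventory layout, host names and dates are constructed; collecting the data from each PC is assumed to happen separately.

```python
from datetime import date

# Constructed inventory: for each workgroup PC, its local accounts and the
# date each account's password was last set (assumed to be collected from
# every machine by whatever means the site already uses).
INVENTORY = {
    "PC01": {"joe": date(2007, 1, 5), "ann": date(2006, 11, 2)},
    "PC02": {"joe": date(2007, 1, 5), "ann": date(2006, 11, 2)},
    "PC03": {"joe": date(2006, 6, 1), "ann": date(2006, 11, 2),
             "temp1": date(2005, 3, 9)},
}


def audit_local_accounts(inventory):
    """Report accounts that are not consistent across the workgroup.

    For every account name seen anywhere:
      stale_on   - PCs where the password is older than the newest copy,
                   i.e. a password change that never reached that PC
      missing_on - PCs where the account does not exist at all, which also
                   exposes leftover accounts that live on a single PC
    Matching dates do not prove matching passwords; this only catches
    changes that were visibly skipped.
    """
    users = set().union(*[set(accounts) for accounts in inventory.values()])
    report = {}
    for user in sorted(users):
        seen = {host: accounts[user]
                for host, accounts in inventory.items() if user in accounts}
        newest = max(seen.values())
        stale = sorted(h for h, changed in seen.items() if changed < newest)
        missing = sorted(h for h in inventory if h not in seen)
        if stale or missing:
            report[user] = {"newest": newest,
                            "stale_on": stale,
                            "missing_on": missing}
    return report


if __name__ == "__main__":
    for user, finding in audit_local_accounts(INVENTORY).items():
        print(user, finding)
```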
     
  17. 2007/01/06
    Bill Castner

    The use of "server" in the context of a client OS under NT is exactly right as written.

    As I note with the example of XP, as a client it can make unlimited connections. Its server side is limited to ten connections. All NT client OS versions support both roles and support both roles in simultaneous use. This was written with complete understanding that the OS divides the two roles and uses a different process for each.

    That was never the claim made. If it had been stated that reasonably I would have no argument. The actual claim was that a Domain was required with more than ten users. Your restatement was that it was a "good rule of thumb." Neither claim is correct. And this is the first time that you wrote "Server" rather than "Domain", a distinction I have tried to get across several times earlier.

    Nor can anything be read into the 10 connection limit on the client. My guess is that it was more a marketing choice than a technical one. It certainly has no technical value anymore. If I run XP using modern dual cores, with four processors, I find it hard to believe it cannot handle more than 10 connections. And that somehow as a technical suggestion, the issue would suddenly disappear if on the same machine I ran Windows Server.

    Nor do the technical merits of your claim hold: If I run Windows Server in Workgroup mode this is bad according to you. If I run it as a Domain server it suddenly morphs into being good.

    And all bets are off if on the machine I run XP64. Its resource capabilities make pale what a Microsoft Server OS version could offer now.

    There are thread and memory enhancements, and background task processing and scheduling, enhancements for the Windows Server versions relative to the client OS versions.

    But the remarkable thing about this whole thread is not once in any of my discussions did I suggest you use the client OS as the File and Printer Server on the Workgroup. I repeatedly discussed using Windows Server products for this, including discussion of Small Business Server and the use of Linux.

    For some reason Reggie and Scott keep thinking client OS. The limitations of the client OS are not the issue under discussion, and on my side have never been so. The issue is whether you have to use a Domain when you have more than ten users. My answer has consistently been no.
     
  18. 2007/01/06
    Bill Castner

    All of these can be managed by the command line, and all of these are scriptable. Moreover, remember that using a Workgroup does not mean not using a server OS.

    Your entire list are things managed at the server, not at the client.

    Again, you are assuming that the Workgroup model is completely decentralized. I suppose you could set it up that way, I never have. You are assuming there are not centralized file and centralized print servers. There are. Peer-to-peer is one form of a Workgroup. It however is not the only Workgroup Model. Using a Server OS does not mean installing a Domain. The default for any Windows Server OS product is a Workgroup Model and not a Domain model.

    None of your examples is a Domain-only example. The NT security model applies in full in a Workgroup, just as it does in a Domain.
     
  19. 2007/01/06
    ReggieB

    I grant that there is some confusion about terminology (something not helped by past Microsoft use of the term domain). So I'll set out my arguments more clearly:

    • A single PC running a server OS in standalone mode can act in a peer to peer mode on a network.
    • A Client/Server network is one where one or a few computers act as dedicated servers, and the rest of the computers act as dedicated clients.
    • Peer-to-peer networks comprise groups of computers that can act both as server and client to each other.
    • The main advantage of Client/server is centralised resources and management. Most of the work is done at the server, so you can dedicate additional resources to the servers.
    • Microsoft Server OS have tools bundled that ease central management of resources and users. To enable these tools you have to use Domains. NT3.5/4 both provided centralised network management via NetBIOS domains. Win2k and Win2003 both use Active Directory in this role, and AD relies heavily on DNS (a different type of domain, but a domain no less). So you need domains if you want to use all the centralised management tools that a Microsoft server OS provides.
    • Samba allows Unix/Linux systems to share files and printers via a Windows network. They can do this either in peer to peer mode (where each user has to be set up on the Samba server) or Client/server (connecting to a central user management system via LDAP). LDAP too relies on DNS domains for structuring the topmost levels of its hierarchy.

    My argument in this thread is that as a network grows it becomes more difficult to manage user access on each PC individually (which you have to do on a peer to peer network). Instead a more easily managed system is to centrally manage the network via a central server. To get the central management tools to work, a domain (NetBIOS or DNS) is needed.

    The key network size where the peer-to-peer becomes unwieldy in my experience is around 10 PCs. So if I was designing a network that was or was likely to grow beyond 10 PCs, I would always recommend a Microsoft Server running a domain.
     
  20. 2007/01/06
    ReggieB

    Of course it is. They couldn't assume that every server was going to be installed into a domain environment. As you can't install a domain-reliant system before the domain is installed, the default configuration has to assume there is no domain.
     
  21. 2007/01/06
    Bill Castner

    Windows Server OS does not equal Domain.
    Domain does not equal an AD Domain.
    Workgroup does not equal peer-to-peer, any more than SMB communications from server to client in a Domain, which are peer-to-peer, mean that the network is a peer-to-peer network.

    The notion that only AD provides centralized management is simply not true other than in WANs. You are carving yourself very little tree limb left to stand on, as very little day-to-day management concerns AD. None of your previous examples of network management, for instance, require AD.

    You are welcome to make that design choice. But this is a far cry from stating that it was a requirement. Nor should you assume the design choices you happen to make should apply universally to all as a standard. I for one think it is ridiculous to spend the money on a Windows Server Domain with AD for a LAN with 11 users.
     
