To centralize or not in your infrastructure?
So I have started at a new job and I’m noticing some funny things about the way they set networks up. Now, I work for a small business that consults IT services for other small businesses.
I’ve noticed that on our virtualization servers (Hyper-V) and on our SANs (EqualLogic), the prevailing design is to not add those machines to the AD domain. AD, Exchange, Terminal Services, etc. are all on the domain. Now I’d still say I’m rather new to IT, but I told my Network Admin from my last job this and he’s scratching his head. He’s been in IT for about 13 years.
It would seem to make more sense to me to have everything in the domain, and I realize that may be just a Windows mentality. At my last job we did not have the virtualization cluster (XenServer) nor the SANs (NetApp) authenticate against the AD.
So centralized authentication would make for ease of admin and, I would think, increased security, as long as your directory server is protected. Non-central authentication, I could see, would add some complexity and probably confusion if they were to be attacked.
Thoughts?
Comments
-
xxxooxxx Member Posts: 19
I think you will get more response in the Virtualization forum.
Typically, I don't like to add the Hyper-V host to the domain. I look at it the same way as ESX hosts, where they are just a box to allow guest machines to run. They should be managed differently than the production domain servers that are serving clients.
-
it_consultant Member Posts: 1,903
I think this mentality is more a fear of failure than anything else. Linux-based appliances (SANs, spam filters, routers, etc.) all have LDAP capability built in, and it is very nice to be able to use your own creds and groups from AD to log into these other devices. Sometimes the LDAP configuration can be a little tricky, but I have always found the payoff to be worth the work.
-
kalebksp Member Posts: 1,033
I typically set up directory authentication for any device that supports it.
I'm not too familiar with Hyper-V, but I could see an argument that you might not want your virtualization hosts to be dependent on AD, particularly if your domain controllers are virtualized.