
We operate a Windows 2003 Active Directory network. As the new IT manager I've inherited this infrastructure from previous outside contractors that have come in to help maintain our company network. The network is composed of approximately 30% Windows 7 Domain Members, 20% Windows (XP/7/Vista) Workgroup members and the rest Mac OS X (not bound to AD Domain).

We're going to be updating our server infrastructure to Windows Server 2008 R2 and I'm therefore considering consolidating the network infrastructure.

My question is: should I add/bind the 70% of computers not in the domain to Active Directory? What is, if any, the network performance impact of having a mixed environment like this? Bearing in mind that a lot of network file sharing goes on between client computers and also our central file server, I wouldn't want there to be excess authentication chatter as a result. I know also there are benefits to having domain members, such as Group Policies and centralised authentication.

Any help or pointers much appreciated!

Thanks

Jay1980

1 Answer


Yes, you should join as many/all of the clients you can to the domain, and no, you don't need to worry about authentication traffic impacting network performance, unless you have an obscenely large number of clients, obscenely insane AD configurations, or are running the world's only AD domain over 300 baud modems.

HopelessN00b
  • Does not being a domain member increase authentication traffic? or does it not make any difference? – Jay1980 Sep 26 '12 at 10:57
  • @Jay1980, if it does it would be such a small amount it's not worth worrying about. – tombull89 Sep 26 '12 at 11:14
  • @Jay1980 While being a domain member does increase network traffic as a result of communications with the Domain Controller(s) that would otherwise not occur, the amount is so small that it's negligible even if you're connecting to the DC over a 56Kbit ISDN line. (Sadly, I do speak from experience on that, too.) – HopelessN00b Sep 26 '12 at 13:28
  • @HopelessN00b I was referring to the potential for more authentication / network chatter between the non-AD machines and the AD machines. I was told by an IT consultant that the scenario of having non-member computers and member computers authenticating against each other is more expensive than if all machines are on the same domain... I'm not sure if this is right or not. Nevertheless I'm of the opinion all machines (Macs included) should be on the same domain. – Jay1980 Sep 26 '12 at 14:26
  • @Jay1980 Technically yes, there is more authentication traffic between communicating clients if they're using different authentication types (domain/workgroup). Overall, authentication traffic should be so little that you'd never notice. Especially if there's any "real" data flying around. – Chris S Sep 26 '12 at 15:01
  • @Jay1980 The point here is auth traffic is totally irrelevant in terms of network impact, even on 100MB switches. We're talking occasional kb differences, like a grain of sand on the beach. You should focus on all of what you LOSE by them not being on the domain. You can't easily control their security policies, logon accounts, and hundreds of other benefits of being members of Active Directory. Members of AD give you *increased* security, *increased* management/control, and an improved feature-set for users (e.g. pass-through auth). – Bret Fisher Sep 26 '12 at 20:43
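The answer and comments above boil down to "join the workgroup machines; don't worry about the auth traffic". The script below is an added example of how to do that from the new Server 2008 R2 side, and is not code from the question, the answer, or any of the commenters. It inventories a list of Windows hosts, reports which are already domain members (via the PartOfDomain property of Win32_ComputerSystem), and joins only the reachable workgroup machines with Add-Computer. The domain name corp.example, the OU path, the hosts.txt file and both credential prompts are assumptions for illustration; replace them with your own values. It assumes PowerShell 3.0 or later on the admin box, since the -ComputerName and -LocalCredential parameters of Add-Computer were added there.

```powershell
# Added example (not from the original post): find workgroup machines and join them
# to the domain. Assumed values: domain corp.example, an OU for workstations, and a
# plain-text host list with one hostname per line.
$Domain     = 'corp.example'
$TargetOU   = 'OU=Workstations,DC=corp,DC=example'
$Computers  = Get-Content -Path 'C:\admin\hosts.txt'
$DomainCred = Get-Credential -Message "Account allowed to join computers to $Domain"
$LocalCred  = Get-Credential -Message 'Local administrator on the workgroup machines'

# Inventory pass: record current membership without changing anything.
$report = foreach ($name in $Computers) {
    try {
        # Win32_ComputerSystem tells us whether the box is currently domain-joined
        # and which domain or workgroup it belongs to.
        $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $name `
                            -Credential $LocalCred -ErrorAction Stop
        $membership = if ($cs.PartOfDomain) { $cs.Domain } else { $cs.Workgroup }
        [pscustomobject]@{
            Name         = $name
            PartOfDomain = [bool]$cs.PartOfDomain
            Membership   = $membership
            Reachable    = $true
        }
    } catch {
        # Unreachable hosts are listed but never touched.
        [pscustomobject]@{
            Name         = $name
            PartOfDomain = $false
            Membership   = 'unreachable'
            Reachable    = $false
        }
    }
}

# Show the domain/workgroup split before making changes.
$report | Sort-Object PartOfDomain, Name | Format-Table -AutoSize

# Join pass: only reachable machines that are not already domain members.
$toJoin = $report | Where-Object { $_.Reachable -and -not $_.PartOfDomain }
foreach ($machine in $toJoin) {
    Write-Host "Joining $($machine.Name) to $Domain ..."
    Add-Computer -ComputerName $machine.Name -LocalCredential $LocalCred `
                 -DomainName $Domain -Credential $DomainCred -OUPath $TargetOU `
                 -Restart -Force
}
```

Run the inventory half first and check the table; machines that show as already joined are skipped, so the script is safe to re-run after fixing the unreachable ones. Putting the new members in their own OU is what makes Bret Fisher's point practical: the Group Policy you link to that OU is the "security policies and logon accounts" control you gain by joining. The Mac OS X clients are not handled here; they are bound with the dsconfigad command-line tool (or Directory Utility) on the Mac itself rather than with Add-Computer.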