19, solo IT, need some guidance
Posted by The_Magic_Moose_@reddit | sysadmin | 104 comments
Hey everyone, I could really use some guidance.
For some context, I'm 19, still in school, and about 10 months ago I basically got thrown into being the sole "IT guy, as in I have absolute authority over anything tech related and a company card without a strict budget" for a manufacturing company (we're primarily a woodshop). Up until now, I’ve spent almost all my time just putting out fires and troubleshooting end devices. I haven't had the time to really dive into the infrastructure, but it’s finally time to fix it, because right now, it’s a mess.
To give you an idea of what I inherited:
- The network is just one giant, flat subnet.
- Wi-Fi is strictly WPA2 Personal.
- None of the Ethernet runs out in the shop are labeled.
- We use Google Workspace for email/productivity.
- Our "file server" for engineering and the shop floor is literally just a Windows 11 Pro desktop. Everyone uses a shared login to access the SMB share on it.
- I've got a couple of MSSQL Express instances running on random machines for specific applications.
The one main improvement I've made is getting ninjaone RMM on my endpoints, which has made things infinitely easier.
I was just told by a vendor that I need to set up a machine running a proper Windows Server OS for a machine-monitoring application. The vendor says anything from Server 2016 to 2025 is supported. Since I have to do this anyway, I want to use it as an opportunity to fix the infra.
I'm pretty overwhelmed balancing this with school, so my main questions are:
- Do I actually need a domain and Active Directory? Since we already use Google Workspace, is there a way to just use Google as our Identity Provider for Windows logins? Setting up a full on-prem AD sounds like overkill if I can avoid it.
- How do I actually get a Windows Server license? I've never bought enterprise Microsoft licensing before.
- General advice? What should my priority list look like for untangling this?
Any resources, guidance, or just some words of wisdom would be incredibly appreciated.
ImportantMud9749@reddit
From your post and comments, I think you have a good handle on things and, while the environment is a bit messy, it's from a lack of infrastructure rather than bad infrastructure, which is an awesome opportunity for you.
Here is how I would tackle it:
Set up a system for tracking and labeling Ethernet; use that as a task to do when I need to 'reset' or just do something a bit physical.
Order a server rack if you don't have one already, and then two servers. Spec one as a domain controller to link the Google Workspace IdP with Microsoft Entra ID. This one will need a Windows Server Standard license. Spec the other server for virtualization and purchase a Windows Server Datacenter license. With the Datacenter license, you can spin up virtual machines on the server licensed for Windows Server Standard. Now you can make a VM for the vendor and a VM for the file shares and the infrastructure to deal with the SQL Servers in the future.
I would focus on getting Microsoft Entra + Google Workspace working, then get the file server up and your other VMs and once you're happy with it, create everyone else's IDs and start joining their machines to your domain.
You will need a vendor for the Microsoft licensing; you might be able to have whoever you order the servers from as that vendor as well.
I believe that will get you Microsoft Endpoint Management as well which should help you a good deal and can probably replace ninjaone in time.
The_Magic_Moose_@reddit (OP)
Would it be wise to virtualize all of my Windows servers? I've used Proxmox pretty extensively for homelabbing and know my way around virtualization in Linux, or do you think I'm better off running Windows Server bare metal for the domain controller? Another issue I have is that I have PMs that travel with Microsoft Surface laptops with cellular plans; should I refrain from enrolling them into the domain? Or am I better off with a cloud AD solution? I don't know much about Windows administration.
ImportantMud9749@reddit
Datacenter Windows Server licenses all Windows Servers running virtually on that bare metal; I would not virtualize that one. You could completely just get one server and do your DC virtual as well. I'd do the primary as bare metal and then a virtual one as secondary. You could do one server with Proxmox and a VM with Windows Server for DC, AD, and Windows endpoint management, then Linux servers for the file shares and SQL DBs. I'm not very familiar with cloud AD systems; I prefer on-prem for better control over everything. Sometimes it saves money, sometimes it doesn't. It does keep in-house skills sharper.
For the traveling users, how often are they in the office? MS caches the credentials for a while, so you add them to the domain, have them log in, then they can log in from anywhere with or without network. As long as they're in the office semi-frequently it won't be an issue. If they're out more often or you have fully remote workers, you'll want a VPN or you can look into cloud/hybrid ADs.
With 200 endpoints and what sounds to be a fairly in-person environment, an on-prem AD is likely the most cost effective solution. It'll be more work for you as the cloud providers do a lot of the lift, but it's a good sized environment, not too big to be too complicated, not too small to be pointless, and it's currently operational so you have time to plan, learn, and test.
With AD and MECM, you can customize the Windows experience per user group. Auto-push applications, allow end users to install packaged applications from "Software Center" without admin rights, lots of nifty things.
InfiltraitorX@reddit
How many computers are running pro versions?
Home versions of Windows will not join a domain so they would need to be upgraded.
The_Magic_Moose_@reddit (OP)
All of my machines are on Pro, thankfully.
Josh_Fabsoft@reddit
Full disclosure: I work at FabSoft, which makes AI File Pro.
Dude, being thrown into solo IT at 19 is intense but you're getting incredible experience! The fact that you're thinking about infrastructure while putting out fires shows good instincts.
For manufacturing environments, document chaos is usually a huge time sink - CAD files, work orders, specs, manuals all scattered everywhere. Users constantly asking "where's the drawing for part XYZ?" eats up tons of your day.
A few things that might help:
- Set up automated file organization (AI File Pro can watch network folders and auto-organize by rules you set - saves our manufacturing customers ~500 hours annually)
- Standardize naming conventions without having to train everyone
- Create a searchable document repository so people stop bugging you for files
The key is automation. Every manual process you can eliminate frees you up for actual infrastructure work. Start with your biggest pain points - probably file management and user requests.
AI File Pro handles the document side (works great in manufacturing with all those technical drawings), but you'll also want to look at network monitoring tools, backup automation, and maybe a simple ticketing system so people stop walking up to your desk.
You're in a great position to build things right from the start. Most of us inherited years of technical debt. Take advantage of having that company card and authority - invest in tools that scale with the business.
What's your biggest daily time waster right now?
nowildstuff_192@reddit
This is similar to how I started out.
My recommendation is to get an MSP who can get you set up and hold your hand while you learn the ropes. You want to be the first line of defense before things hit their support team, and the point of contact for the MSP. In my experience, MSPs love this arrangement; it saves them tickets. You, in turn, will get your experience while having a big safety net under you. If your employer balks at the cost of an MSP, say that this is temporary, and that the long game is to take it all on yourself once you've gotten some experience.
I still work with an MSP backing me up. A lone sysadmin holding up a business with no redundancy at all is a bad idea.
jma89@reddit
To expand on the "Backup NOW!!11!" remarks: Synology has a pretty stellar backup solution that's included with their "+" series units called Active Backup. This can likely fill your endpoints and services backup needs pretty nicely with $0 ongoing costs, aside from power. (It doesn't support Proxmox (yet?), but otherwise is very capable.)
The other bit I haven't seen folks mention: Get some sort of vulnerability and patch management solution at least onto your master plan. I've been using Action1 personally and find it to be a stellar product, and it's free for the first 200 endpoints.
justmirsk@reddit
I run an MSP that specifically focuses on co-managed partnerships with companies like yours. You have gotten some great advice here from others around labeling things, mapping out the network, getting backups in order, etc etc.
If you ever want to get on a call together to talk through some things, I would be happy to do so (free advice, not trying to charge you). You have a great opportunity here and it can certainly help you speed up your career.
Once you start to get a handle on things, before making any big purchases or changes, I would suggest talking to management to determine if you have any specific regulatory compliance requirements (i.e., laws you have to follow focused on IT and security). Even if you don't, a good question to ask your management is "How much money would the business lose if XYZ system was down for an hour, a day, etc.?" This will help you determine areas that need priority focus from a business perspective, rather than just technical issues. It can also help you sell to the boss that they need to spend additional money to protect systems or get better things.
The_Magic_Moose_@reddit (OP)
I might have to take you up on that call. I've still got a lot of unanswered questions, and I really would appreciate it.
justmirsk@reddit
Absolutely. Shoot me a DM and I can give you my email address.
Previous-Low4715@reddit
It’s awesome that you’re 19 and doing this. Big respect.
The_Magic_Moose_@reddit (OP)
It doesn't feel awesome, I'm underpaid and stressed all the time :(
cookerz30@reddit
Take Backups of everything
Buy a nice label maker
Put label on label maker "only for IT"
Buy a netool.io and draw out the wallports on paper
Label wall ports/ethernet in the shop and back at the main distribution
Get the network mapped out, then start on productivity boosters:
Haelios_505@reddit
Also buy a cable tester like a NOYAFA one with multiple remotes. It will make cable labeling faster and easier. Start making friends with your local IT hardware supplier for servers and licensing. When buying the server, include a warranty for 5 years, over-spec slightly, and work out your 3-2-1 backup solution at the same time.
Haelios_505@reddit
Just to also add re backups: make sure you have a way to test that they work every month or so. It's like having a genny; no point in it sitting there if you don't know if it has fuel or works.
Bogus1989@reddit
Felt like you deserved an award for enduring enough pain from HP that you proudly wear it as a badge of honor. Thank you for your service, also for making me LMFAO.
anteck7@reddit
This. Bad things will happen. Backups are a #1 because you aren’t going to fix everything before some random wars, drive failure, or just dumbass thing kills mission critical data.
Corgilicious@reddit
Hey, join the party, you’re just preparing for your future career! /s
thaneliness@reddit
You'll learn to not be stressed about work stuff as much. I used to lose sleep over projects, or clients' hardware failing. Granted, I was at an MSP, but you can't control everything.
critical_d@reddit
ONE OF US...ONE OF US!!
Creative-Type9411@reddit
yep ur already ahead of the curve 🫠
Previous-Low4715@reddit
Welcome to the party pal!
RegularMixture@reddit
For real.
VanderPatch@reddit
AD: Yes, with 30 employees I would highly recommend it. It helps with coordination and allowances on who can access what and who could delete or move files/folders.
Backups: Veeam is your best friend for backing up full-on machines for free. The backup goal could be a NAS, which then would do a copy onto an external drive, which you swap every day so one backup is at home and secured in case of fire or similar.
LAN/WLAN: those should be separated by a VLAN if possible. Everything that can connect wirelessly and doesn't need access to your file server shouldn't be on the same IP range/LAN.
Server: Your local hardware store on a business level is usually your best buddy. If you go the server route you need CALs, and there are two options: User or Device CALs.
- If you have 10 PCs but only 5 employees working at a time, you go with User CALs.
- If you have 10 employees but 5 computers, you go with Device CALs.
If you set up a server, make its base a VME like Proxmox, then you put your server as a virtual machine on top of that.
Network cabling: once you've got your stuff backed up, as others recommended, get a labeling machine and a network tester.
chickibumbum_byomde@reddit
Sounds about right. Your setup does need structure, but don't try to fix everything at once. Start with basics: proper identity and access control (AD or cloud-based), then backups, then network segmentation (VLANs). That alone will massively reduce chaos.
Not really optimal to go full AD; many setups use cloud identity + a lightweight domain or even just proper device management. AD is useful, but only if you can maintain it. Additionally, document everything and add simple monitoring early. When you're solo, visibility saves you more time than any "perfect" design.
EmmaRoidz@reddit
This is honestly one of the few well intentioned subreddits.
Y'all are pouring all your knowledge and experience out for this one person who's struggling but doing their best.
You're all great and it's lovely to see.
vanderaj@reddit
No. You already have Google Workspace, don't migrate unless you need to do something. For authentication, you might want to look at Google Credential Provider for Windows, which allows users to use their existing Google Workspace credentials to log in to Windows. This eliminates any local accounts that you don't manage.
Work with a reseller. You can find one via https://partner.microsoft.com/en-us/partnership/find-a-partner - many folks here might have suggestions for one in your local area.
General advice.
You need to make sure you have backups right now. This is critical. You need to make your backups effective and restore them from time to time to ensure they work. This is your only and highest priority until you have confirmed that backups work and are effective for any incident from single device loss to complete site loss. The other stuff can wait until your backups are solid.
I recommend finding an enterprise cloud-based backup provider to do an offline backup of your Google Workspace, because encrypting ransomware is a thing and it will encrypt your computers and G Drive fairly easily, and having that offline backup you can restore later means faster recovery times, and you can ignore the ransomware demands.
Create a "to go" kit to quickly rebuild base-image PCs, such as a bunch of USB sticks that can reimage your SSDs from scratch with a fairly ready-to-go Windows 11 build and some of your apps on them. You don't want to learn how to build a ton of your workstations in a live incident. There are many options out there, but if you do get ransomwared, you need to be able to build a clean network quickly and start over, only connecting the newly rebuilt computers to the "clean" network. You need to find out the PCs that have custom software on them, because in all likelihood, you have some CNCs or machines with difficult-to-find drivers, like an A0 plotter that runs some horrible custom thing that was released more than a decade ago. There should be as few of these as possible, and they will need local storage with restoration documentation and backup solutions. Most workstations should be considered cattle and just reimaged if they get encrypted or broken.
We use Google Drive for file storage, not local or on-prem storage. You could buy a NAS or a basic Windows Server 2025 license to replace your Windows 11 Pro machine with sufficient local storage (and integrating Entra ID with federated Google Workspace), and then you'll need to get into backups, either tape or cloud; if going tape, buying a document safe (these are designed to withstand fires for about 30 minutes), and finding an offsite tape storage solution. Windows 11 Pro only has 5 user CALs, so if you're connecting more than 5 people to it, you're theoretically breaking licensing today. You need to have sufficient Windows Server CALs to cover the number of users or devices connecting to the file share. It's complicated by design to make you buy more licenses than you actually need. Your MS partner will give you guidance and a price for this. It's not cheap. That's a lot of work and expense. Or you can just use Google Workspace, which you already pay for, and be done with it.
I recommend you use Google Workspace's Drive, and migrate as much of your local data to shared drives. By policy, we require people to store work files in Google Drive because it's effectively backed up by Google and you can restore things that were deleted if you need. If you can't get the policy changed, you would have a hard time with even going to a NAS or a proper Windows Server. So, work with them to understand that if their files aren't on Google Drive, they aren't backed up and they will lose them if their computer dies or gets hacked.
You might want to look at your Google Workspace plan to see if you need any features of the higher level plans, like Vault or endpoint management.
For device management, you should look at Intune or Google's endpoint management that comes included with Google Workspace. We use Intune to enforce password complexity policies (not rotation - don't ever force your users to rotate passwords - it's against NIST 800-63), mandate automated patching and local device encryption, and to ensure that we can remotely lock and wipe stolen laptops.
Further down the line, once you've sorted out the wiring mess, you might want to look into Cisco Meraki wireless APs. These allow you to segment your network, which will be handy if you do get ransomwared, so you can create a "clean" network for only newly rebuilt computers. At the moment, I doubt your current gear can do this.
Darthethan77@reddit
Setting up AD is pretty simple and I think the benefits are worth it. Ig depends on org buy in and sounds like you’re in a small mom and pop shop I assume? So that also would dictate what you can do or should prioritize but I think you’re making steps in the right direction!
The_Magic_Moose_@reddit (OP)
Manufacturing, have two sites.
Darthethan77@reddit
Mmm, gotcha. OK, then it would be best, I think, to do on-prem AD; it can help that a lot.
The_Magic_Moose_@reddit (OP)
My main problem is I've got several project managers that primarily use Surface tablets and travel a lot. Should I exclude those devices from AD? Or should I look for a cloud solution?
Darthethan77@reddit
Ohhhh, ok, ya, that can get tricky fast. You would really need Intune etc. for long-term viability. I would advise excluding them for now as well and just try to manage them as best you can atm. So what exactly is your environment like, and how strict, ig, do you wish to be on endpoints? A lot of what you can do is obviously gonna be budget issues, and also, ig, for instance, when we rolled out Okta at my place users hated 2FA as it's extra work lol. Security is not convenient, so as long as your end users are good with that as well, you can do more.
The_Magic_Moose_@reddit (OP)
I think there's a lot more I could be doing with NinjaOne, which I already have for managing the endpoints. I primarily just use it for patching and remote access, but I could probably do more; it has really extensive scripting features.
Plane_Yak2354@reddit
Hey man! I’d love to mentor you if you want.
Sai_Wolf@reddit
For new environments, evaluate if it's feasible for you to set up on-prem infrastructure or if you want to do Entra with Intune. I'm going to assume that the users have a Gmail account tied to Google Workspace, so you don't have to worry about Exchange.
Remember, Active Directory's main selling point is centralized management. Users, Computers, Groups. Group Policy, etc. You can get away with the same thing in Microsoft Entra with a bit of a learning curve.
Does your company mind a subscription fee? Then I'd go Entra and set up federation with Google Workspace.
In regards to your laundry list:
"The network is one giant, flat, subnet." - Okay, how many devices roughly are on that subnet? What IS that subnet? Is it a class C? Class B? Class A? If it's a Class C, and there are less than 252 devices, then it's fine.
"Wi-Fi is strictly WPA2 Personal." - Do you need anything higher? By itself, so long as you don't have strict security requirements, this is fine, so long as it's WPA2 AES, and not TKIP or TKIP+AES.
"Our "file server" for engineering and the shop floor is literally just a Windows 11 Pro desktop. Everyone uses a shared login to access the smb share on it." - So, I might catch a bit of heat for this, but a NAS is a golden use case here; assuming that all you need is file sharing and not a full-blown server. I've used Synology NAS boxes in places where the user count was far too low for a full built server and they work just fine with on-prem AD. (They even seem to play nice with Entra, but I can't really speak on that.)
"I’ve got a couple of MSSQL Express instances running on random machines for specific applications." - Consolidation is your friend here and SQL needs some hefty resources. You can't skimp here, sadly. SQL Server licensing is something you'll have to also look into.
"None of the Ethernet runs out in the shop are labeled." - Get this done first, my guy. Get a complete map of your network. What wires go to what switches, where each switch is, etc.
Bogus1989@reddit
I think a NAS is fine, but since Synology or whomever doesn't offer real SLAs (which is generally the reason why people don't recommend them in enterprise), there is a solution: just have a spare of the same model on site in case of failure.
Finn_Storm@reddit
Prod should have nothing but certificate-based auth if you have to have Wi-Fi. Exploits were found for WPA2 that make brute-forcing them trivial. Even WPA3 is not going to help you. Guest access is fine though; just make the VLAN route only to the WAN.
The_Magic_Moose_@reddit (OP)
My subnet is at about 200 devices, on a class C. I don't have any strict security requirements, but ideally I would like to have some sort of identity management. I'm learning about RADIUS in my CCNA course right now, but I'm at the very beginning of that.
GradeAccomplished322@reddit
Are all 200 of those devices actual production machines, or are employees/guests allowed to connect their personal devices to the wifi?
I'd say if you have the hardware already that supports it (say Ubiquiti APs) separating out a guest network with VLANs for internet access that employees and guests can use on personal devices would be a good exercise.
I like to just password protect guest networks but make the password easy, like the company's phone number or a hashtag they use in advertising, but there's fancier stuff you can do with guest gateways and stuff if you want.
Bogus1989@reddit
AD isn't that big of a deal. It's just a click and a few more clicks of the "Next" button. Lol, that is probably the absolute worst description I've ever given of it... but once you set it up it's not that complicated.
Also, no, you don't necessarily have to use AD, but hell, you may as well set it up so you understand the basic principles and how it works. Once you have that knowledge, you will be able to understand some of the concepts of why and how Entra (formerly known as Azure Active Directory) works in the cloud.
AffectionateNumber17@reddit
Dude, congrats on taking on such an immense responsibility. That’s huge at your age.
There’s some awesome advice in this thread, but if you want some 1:1 coaching & advice from both a high-level strategic standpoint (how does all of this pull together, what should you prioritize, how do you plan for down the road, what reduces your workload today, etc.) and from a blocking/tackling, daily perspective, shoot me a DM.
I’ve been an IT Director & VP for a manufacturing org of about 200+ employees, and I’ve gone from the “go-to IT guy” to a team of 6 direct reports. Happy to help others in their career!
I’m not selling anything, just FYI. Just love investing in people that do good work and want to grow.
florence_pug@reddit
This should not be solely on your shoulders.
The_Magic_Moose_@reddit (OP)
Probably not. I just got kind of thrown into the role since I was friends with the owner's son, and I got my A+, and the owner was sick of trying to troubleshoot everything himself.
eMikey@reddit
Eh, it builds grit.
OneSeaworthiness7768@reddit
I hope they’re paying you accordingly and not taking advantage of your age
The_Magic_Moose_@reddit (OP)
They aren't. I make $20 hourly and get 5 days of PTO. I did applications for months for just tier 1 support jobs, having my A+, Linux Essentials, and some other odds and ends, and I only got like 3 interviews :(
OneSeaworthiness7768@reddit
Oof. Well at least you should get a decent job after this experience. Don’t let em keep ya there forever just because you feel bad for them. Improve what you can and know when it’s time to move on.
anonymousITCoward@reddit
You should know that this might destroy your friendship...
eMikey@reddit
What are you doing for DR and backups? Are the computers that run the machines cloned / backed up?
Connect-Comparison-2@reddit
Look into Proxmox and deploying a PVE and a PBS server. Trust, it will change your life in terms of backups and deployment.
The_Magic_Moose_@reddit (OP)
I love Proxmox, it's what I've run in my homelab for years!
JLee50@reddit
Document everything you’ve got before you change stuff, make sure you have backups of everything, make sure nobody’s using pirated software, make sure everything important is on a UPS, and only change one thing at a time haha
Masterjuggler98@reddit
I'm in a similar position (relatively small company, I started with bubkis and built/am building everything up myself), and I agree with basically everything here. In no particular order:
- Don't get sucked into the "must have 1,000,000 VLANs" rhetoric. Create with purpose. If you've got a public-facing web server, I'd probably put that in a DMZ VLAN. Short of that, unless you've got a reason to segment things, don't do it right now. Heck, if you get more devices and still don't need VLANs yet, just make the subnet /23 instead of /24.
- Synology seems to work well for a lot of people, but they've been making moves to enshittify. They recently reversed a decision to vendor-lock to house-brand hard drives. I'd personally either go TrueNAS or UniFi. I use TrueNAS for my company; if you're comfortable with Linux, it's pretty simple to set up the basics.
- Use NetBox or draw.io or something to document your physical hardware and network runs. Get a cheap cable tester like the NOYAFA NF-8508 to trace mystery lines. When something craps the bed and you need to get things back up, mystery cables do not help. It's far too easy to put off, but don't do it.
- I think most people won't say this or may disagree, but use Claude for your initial research into something. I constantly ask AI to give me the landscape of what products are out there for a task when I don't know anything yet, and I use that output as my starting point to do real research and product testing. Don't use it as a crutch or you'll hurt yourself long term, but boy is it a good kick-starter. Just be sure to sanitize any input of confidential info or PII.
- Spinning up RADIUS is pretty annoying if you aren't starting out with an already-in-place system and documentation, and normally requires bypassing 2FA from Google/Microsoft. I set up a FreeRADIUS server because I needed to not have to change the Wi-Fi password when an employee is terminated. If you don't yet have that requirement, I'd put it off. A woodshop isn't exactly a priority target for in-person WPA2 Wi-Fi cracking; just set the password to something longer than the minimum 8 characters. There are also alternatives, like UniFi Identity, that are dead simple.
The_Magic_Moose_@reddit (OP)
I've seen that I can use Google Workspace for identity management with a RADIUS server. I would like to have it, for security and just to learn, since I'm almost done with my CCNA course, and I eventually want to move into network engineering.
Masterjuggler98@reddit
If you're in it for the experience, then probably what you want is to set up a FreeRADIUS server. There are some good YouTube videos about setting it up, and you'll need to get into the weeds with network authentication protocols. I set one up the way I wanted, cloned the VM it runs on to our second location, then set the router to default to their local RADIUS server and fail over to the remote one. That only works, though, because I'm using an external IdP, Microsoft Entra, so they're essentially stateless.
I don't think it should be a business priority unless you have a practical reason for its functions. Saying "Security" is great, but if that's your goal, there is definitely lower-hanging fruit like removing local admin on PCs, implementing MAM on personal devices that access company resources, enforcing 2FA for everyone, setting up break-glass accounts, implementing phishing training/testing, setting up SPF/DKIM/DMARC, etc. It's just not likely that your woodshop will have its Wi-Fi hacked; it is much more likely that a senior member loses personal or company money through phishing. It's great to set up FreeRADIUS for the experience, just make sure you're not letting higher-priority work that could save your butt fall behind. Perhaps make it a homelab project, then just copy it over when it's time.
The_Magic_Moose_@reddit (OP)
Cool, thanks for the info. I really need to start hosting trainings about phishing and stuff. We almost had an incident last week through what looked like a legitimate invoice for business consulting; luckily someone in the chain asked me about it and I could take a look at the email before it got paid, but they almost paid it. Employee training isn't something I've even thought about yet, thanks for the reminder.
apparentlyunoriginal@reddit
https://etducky.com/blog/rmm-pricing-vs-real-diagnostics
Here's a pricing+feature comparison for a few different RMM platforms that you can refer to when you're up for renewal.
The_Magic_Moose_@reddit (OP)
Oh cool! I really like ninja one and will probably stick with it, but thanks for the resource!
Generico300@reddit
First, tell your boss to hire an adult. No disrespect to you, and it's great that you've made it thus far, but a 19 year old should not be in a position with that much responsibility, for any company. Seems kind of exploitative to me. If that file server loses all the engineering data do you really want to be responsible for the fallout of that? Small companies often go out of business because of IT failures. Nobody of your age and experience should have that kind of weight on their shoulders.
That said, your priority should be backups of all important data. Particularly whatever is on your "file server", and any sort of accounting data you might be storing on-prem. Even if it's just buying a USB drive and manually copying things once a week or so, that's better than nothing. Maybe look at replacing that file server with a Synology or QNAP NAS. That will get you some better management features, snapshots, and disk fault tolerance on a budget. And no, a snapshot is not a replacement for a backup.
I wouldn't worry about anything else until you've got regular backups going and a real file server.
The_Magic_Moose_@reddit (OP)
I've got backups: to a local external drive, then to another server I put at the owner's house, and then to our Google Drive, same with the SQL servers. I've already had a failure I've successfully restored from backup. My boss knew I would be learning as I go when he hired me, and he was okay with that; I think I've got an important opportunity to build my skills here.
ManLikeMeee@reddit
You're doing better than most of my staff already at 19.
You're awesome!
BWMerlin@reddit
No you don't need AD. Yes you can use Google credential provider to allow users to sign into Windows with their Google account.
Some general advice. Document EVERYTHING!! I cannot stress this enough. Make sure you have backups and you test them.
DiligentPhotographer@reddit
Buy a refurbished Dell PowerEdge and set up Hyper-V on it. Contact a local MSP or buy directly from CDW yourself for licensing. You will need user or device CAL licenses as well; if you have a lot of shared computers, device CALs may be cheaper. You'll have to get some advice from whoever you're buying from on this for your situation.
If your company is cheap, have one VM for the DC and one for the file/app server. Many smaller orgs run like this. If they can spring for a Datacenter license, have a VM for each role. Since you're using Google Workspace, just set up AD and link it to Google. Then you can set up GPOs on the workstations and lock things down.
At our MSP we require clients above 10 users to have Entra/Intune or on-prem AD. I don't care which. But 100 staff on a workgroup network is wild lol. Seeing as you have the need for an actual server, just go with Active Directory.
Invest in some kind of backup solution. Veeam can back up to a NAS or an OptiPlex with a simple mirrored pair of disks, depending on how much data you have. Or contact an MSP and buy something like Datto BCDR.
The_Magic_Moose_@reddit (OP)
Is it really that necessary to have dedicated backup software? I currently just have some PowerShell scripts I wrote that back up the main file server to an external drive, make another copy to a server at the owner's house, and then another copy to our Google Drive, which has around 100 TB.
DiligentPhotographer@reddit
Yes it is. Veeam Community Edition is free for 10 workloads. It should easily back up a few VMs for you. If you get the paid version it can scan the backups for malware. Ideally you run this on a non-domain machine to a hardened repository, but a NAS with no connection to the production domain should work okay. Keep it in a separate VLAN and only allow it to reach out to the host to back up the VMs. Nothing should be able to talk to it.
This is actually a great learning experience, provided you do it right.
The_Magic_Moose_@reddit (OP)
All my switches are layer 3 and I'm architecting out the plan to segment right now. Somebody else mentioned running pfSense as a dedicated firewall instead of the router firewall; I'm looking into that as well. I'll look into Veeam, thanks for the recommendation.
40513786934@reddit
Are you managing archival and collapsing daily snapshots into weekly, monthly, etc.?
Or do you just have several identical copies of the latest data?
The_Magic_Moose_@reddit (OP)
No, I don't really archive. The main data is job files for CNCs that were nested a decade ago, and we run repeat jobs a lot, so I just take a copy of the latest data every night, since nothing ever really gets removed, just added to the machine files folder.
40513786934@reddit
So when your production files are ransomwared, corrupted, or just messed up by some employee... and then the "backup" runs... you have 4 copies that are all useless. That's not a backup in the traditional sense. Definitely look into proper backup software.
The_Magic_Moose_@reddit (OP)
Okay, good point.
Livid_Strategy6311@reddit
General Advice:
Learn and perform full backups weekly and difference backups daily on the file server and probably the MSSQL instances, depending on whether the data is considered important (meaning if we lose the data it will hurt the business).
Learn basic networking, what a subnet actually does, how it works, what a default gateway is, how it works, what's appropriate for the computer it's configured on, troubleshooting tools, like ping, telnet, tracert.
Learn Linux. You can use a Linux server for centralized administration IF you actually need it. The first question to ask is: do we need it, and why? It makes administration easier, but with a small company it's easy to just have a local admin account on each box and connect via the network. It's not ideal, but it's cheap.
Do you have a firewall???? Look into the pfSense Community Edition. It's free and will run on a micro PC (the pfSense site has specs; I'd buy my own from Amazon). LEARN TO USE and CONFIGURE the firewall properly. ONLY open the ports that are actually needed: 80/443 and any required by applications that don't work with the default settings. Anything that needs a time server, point to the firewall.
Start slow and steady. Don't make too many changes at once. Make a change, let it soak for a week to make sure there aren't issues.
Security updates - Do these at least weekly to ensure nothing is missing. Before you update applications on the workstations, do a backup of the box to an external USB drive (on a test box, actually TEST backing up, removing the software from the box, then restoring. VERIFY the app works 100%; if not, fix that before doing anything on production (work) boxes).
That's more than enough to get you started. I'd focus on security updates, backups, then firewall, networking, etc.
If you truly put your head down, that will eat up all of your time except when you're sleeping. It WILL be rewarding and help you long term. It's a marathon, not a sprint. DON'T make it fancy, just focus on making it work reliably and securely.
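The point made a few comments up (a nightly copy that overwrites the same destination will faithfully copy a ransomwared source over the last good copy) and the daily/weekly rotation suggested in this comment, as an added example in Python that is not code from the thread or from the OP's PowerShell scripts: one dated snapshot per night, pruned to the newest 7 daily, 4 weekly and 12 monthly, with a constructed run showing that an encrypted source no longer destroys yesterday's good copy. The directory layout, file name and retention counts are assumptions.

```python
"""Dated nightly snapshots with daily/weekly/monthly retention.

Added example, not from the thread. A nightly copy that overwrites one
destination copies a ransomwared or corrupted source over the last good copy;
dated snapshots plus pruning keep a known-good version. Paths are constructed.
"""
import shutil
import tempfile
from datetime import date, timedelta
from pathlib import Path

DATE_FMT = "%Y-%m-%d"


def snapshot(source, backup_root, day):
    """Copy source into backup_root/<YYYY-MM-DD>; copytree refuses to overwrite an existing one."""
    dest = backup_root / day.strftime(DATE_FMT)
    shutil.copytree(source, dest)
    return dest


def select_retained(snapshot_days, today, daily=7, weekly=4, monthly=12):
    """Dates to keep: the newest `daily` snapshots, the newest in each of the last
    `weekly` ISO weeks that have any, and the newest in each of the last `monthly` months."""
    days = sorted(d for d in snapshot_days if d <= today)
    keep = set(days[-daily:])
    newest_in_week, newest_in_month = {}, {}
    for d in days:  # ascending, so the last write per bucket is the newest snapshot
        newest_in_week[d.isocalendar()[:2]] = d
        newest_in_month[(d.year, d.month)] = d
    keep.update(newest_in_week[w] for w in sorted(newest_in_week)[-weekly:])
    keep.update(newest_in_month[m] for m in sorted(newest_in_month)[-monthly:])
    return keep


def prune(backup_root, today, **limits):
    """Delete snapshot directories not selected by select_retained; return the removed paths."""
    dated = {}
    for p in backup_root.iterdir():
        try:
            dated[date.fromisoformat(p.name)] = p
        except ValueError:
            continue  # not a dated snapshot directory; leave it alone
    keep = select_retained(dated, today, **limits)
    removed = [p for d, p in dated.items() if d not in keep]
    for p in removed:
        shutil.rmtree(p)
    return removed


def demo():
    """Constructed scenario: 60 good nightly snapshots, then the source is encrypted."""
    with tempfile.TemporaryDirectory() as tmp:
        source, backups = Path(tmp, "machine_files"), Path(tmp, "backups")
        source.mkdir()
        backups.mkdir()
        (source / "job-1234.nc").write_text("G-code for a repeat job")
        start = date(2024, 1, 1)
        for i in range(60):
            snapshot(source, backups, start + timedelta(days=i))
            prune(backups, start + timedelta(days=i))
        # Night 61: the source is ciphertext; tonight's snapshot captures it, older ones do not.
        (source / "job-1234.nc").write_text("ENCRYPTED")
        today = start + timedelta(days=60)
        snapshot(source, backups, today)
        prune(backups, today)
        yesterday = backups / (today - timedelta(days=1)).strftime(DATE_FMT)
        return {"snapshots_kept": sum(1 for _ in backups.iterdir()),
                "good_copy_intact": (yesterday / "job-1234.nc").read_text() != "ENCRYPTED"}
```

With the defaults, 61 nightly runs leave 10 snapshots on disk (7 daily, plus the Sunday copies of the two older weeks and the 31 January copy for the month), and the 29 February copy still holds the original file.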
The_Magic_Moose_@reddit (OP)
I've already got backups, and I'm almost done with my CCNA; I know a bit already about networking. I've been running a pretty sophisticated homelab for several years on Linux, so I've got the foundations; it's mainly just the more enterprise stuff I need help with, like identity management and how to properly manage Windows.
Livid_Strategy6311@reddit
Have you restored on a test system? If you haven't done restores, you don't have backups. To properly manage Windows, make sure security updates are applied and critical data is on the file server, which is being backed up. Identity management: as far as I know *nix can do that out of the box and Windows has support for it. Microsoft has fed my family for more than 36 years and I'd not implement an AD setup in a small environment unless there weren't any other choices. You have choices. Just research it.
The_Magic_Moose_@reddit (OP)
Yeah, I've restored on a test, and I've had two instances of machines dying where I've successfully restored from my backup.
Livid_Strategy6311@reddit
Perfect. You're ahead of the curve. So, firewall: have one? Know how to configure it? Deny by default. It's a business. Get buy-in from the owners on configuration.
The_Magic_Moose_@reddit (OP)
I have TP-Link Omada gear for my network, and I'm just using the firewall built into that. I'm familiar with zero trust network design from managing my homelab.
Livid_Strategy6311@reddit
Look into pfSense. A router firewall is nowhere near as secure, especially if one of the internal hosts is infected.
The_Magic_Moose_@reddit (OP)
I run OPNsense in the homelab; I'll look into implementing it here at work. I hadn't thought of that, thanks.
devious_204@reddit
Just passing along some general advice.
Look for a basic ticketing solution to help streamline your day-to-day troubleshooting. We are all human and forget things, so having this will 1) help you keep on top of what you need to get done, 2) help you prioritize what needs to get done on the day-to-day issues, and 3) start collecting data to more easily spot patterns that can be solved by either purchasing new hardware or getting the user some better training. It's easier to justify a company spend to higher-ups when you have lots of documentation you can print out and plop down on a desk.
If you are a woodshop, have they adopted anything like Six Sigma or Lean policies? If so, learn how to use kanbans (Trello is great for now) to further help you plan your short-, medium-, and long-term to-dos; it will also start helping you dive into light project management skills.
Document EVERYTHING, and make sure it's updated at least weekly if you aren't doing it as you go along (preferred). Make sure it's detailed, even with pics if you can. The two ideas above will help with this. Plus it's easier to clean up messes when you have a visual of what your current state is right in front of you and can plan some of your next moves.
If you do fuck up and do something drastic, or something critical blows up: stop, breathe, and come up with a logical plan. Do your best not to go deer-in-the-headlights or panic. Give yourself room to analyze the problem; come up with 3 solutions (quickest, balanced, best) and possible time frames for each. As others have said, if you can find a local MSP that will do hybrid support, know when it's time to stop circling and give them a call. If you have a good relationship with them, sometimes advice can be free, and that can bail you out when you need it the most.
Make sure your Google-fu is up to snuff. It's very rare nowadays that there is a computer issue that someone out there in the world hasn't had and documented a fix for.
And lastly, good IT guys aren't made in schools, they are made in the field. Never pass up a disaster as a learning experience. Once the dust has settled, go back and analyze what happened, why it happened, how it could have been prevented or mitigated, and what other resolutions you could have used that would have been better than the one you implemented. Celebrate your wins, even if it's just you celebrating. Our job can easily turn into a thankless one, and if this is the career path you decide to keep, you will encounter times where you think it's not worth it because of the way non-IT staff can treat you.
Good luck! You got this.
The_Magic_Moose_@reddit (OP)
I've heard my boss talk about Lean before, and that's how he designs his production lines, but I don't really know anything about it. I do have a contact at a local MSP, because I worked with one of their techs to set up the new company in one of our buildings we sold (the machines needed some special network shenanigans to work properly), and he gave me his phone number if I needed help. Thanks for the kind words; I've spent the last hour or two creating an action plan document. I'll probably post it at some point to get some feedback, but we will see.
gumbrilla@reddit
omg. You've got it! I don't do on prem.. so I'll leave it to wiser heads, but you are one of us.
Excellent_Pilot_2969@reddit
You're in the right age to get started on the right path. Get a trial license of Windows Server. You can rearm it for up to 3 years before making the purchase. Learn how to set up AD. It's very easy once you know the basics. Youtube videos and tutorials exist online all over the place.
This will be an excellent experience and prepare you for the next step, for bigger things. Don't get sucked too much into the Google-garbage world...
The_Magic_Moose_@reddit (OP)
We rely pretty heavily on our Google Drive storage, and I've gotten familiar with the admin tools; I wouldn't even know where to start in transferring all that to Microsoft.
overflow_@reddit
Document everything, virtualize your existing servers, ensure all accounts are using randomly generated passwords and MFA, segment the network and harden your firewall as needed, and get a list of the business' plans for the future so you can accurately spec out network and hardware requirements.
TechMonkey605@reddit
For your size, yes, I would do AD, and for the sister company a trust or subdomain for security. WPA2 is fine; the network should be compartmented for security, at least the “server” and a firewall. Google has directory sync, so you still get AD, email, etc. You don’t have to switch completely over to Microsoft (or any LDAP provider), but if you need licenses I can help. Do you have to worry about compliance or exports? That’s what’s really gonna drive your architecture. But for being 19, you’re asking great questions!
The_Magic_Moose_@reddit (OP)
No, I don't really have to worry about compliance; we just make cabinets and countertops mostly. The main workflow is just Engineering designing and generating all the machine files; then they go to the file server, the machines pull off of that, and they run the job. We don't really hold any personal customer data; the only thing is maybe building blueprints and such.
TechMonkey605@reddit
Ah, cabinets, I have quite a few of those peeps. I’d move to AD and Google Directory Sync. 2 VMs for DC and 1 for file server. Each user has its own account and each machine has its own service account. Permissions are controlled via groups. If you want to play more with stuff (which I suspect, because you’re asking questions) then you can look at things
The_Magic_Moose_@reddit (OP)
For AD, I have quite a few project managers that use Microsoft Surface laptops with cellular plans for when they go out to job sites. How does AD work in that case? Would I want them always connected back via our client-to-site VPN?
TechMonkey605@reddit
If you’re doing that, use Entra and something like Cloudflare Zero Trust for access. But if it’s just files, use SMB over QUIC.
Atrium-Complex@reddit
As a couple of others have said, this is definitely something that should not be on your shoulders. Additionally, they will not like the dollar figures that come with this; expect pushback and the need to provide justification.
Also, I'm primarily an M365 admin with very, very limited experience in Google Workspace. It may not be possible to manage those servers through Google Workspace like you can workstations, hence it may eventually require transitioning yourselves from a workgroup with Google Workspace separate to a proper AD domain federated with Google Workspace. That may also be way over your head now.
The_Magic_Moose_@reddit (OP)
I have like 30ish workstations. My boss had talked about switching to M365, and I was on board because I think some of the plans came with Microsoft Intune and stuff, but they ultimately said it was too expensive. And yeah, I don't have a huge budget, especially since the most I was able to get my pay to was around 40k a year. I already have backups for everything, in a state where if the building blew up no data would be lost; I wrote a PowerShell script for backing up the SQL servers, and have started converging some things to my Proxmox server. I come from a homelabbing background so I'm super familiar with Linux and stuff; it's just all the Microsoft and enterprise stuff that goes over my head.
BearysWorkRedditName@reddit
If you're successful in your endeavor here, you need an immediate pay raise. A big one. I don't know how many hours you're working, but if it's 40/week, you're making $20/hr for something that should be a 100k salaried position. If they won't do that, document everything you've done and prepare to move on. Leave them with what they need, but, more importantly, add this (minus any company-identifiable info) to your portfolio. Being able to spin up an entire org from a PC carrying a company to a functioning business environment is a huge selling point on a resume.
The_Magic_Moose_@reddit (OP)
I work about 45 a week, my rate is 20 an hour, but I do get time and a half for my 5 hours of overtime.
ProfessionalEven296@reddit
In addition to the items above, consider an antivirus solution. Also, try to leave time each week for personal improvement - aim for 80% work, 20% education. Get certs in the items you’re working on anyway. That’ll improve your saleability when it comes time to move on. Also look at some business courses on communication, etc.; that’ll set you apart. Get the company to pay for a subscription to something like Pluralsight.
Pitiful_Duty631@reddit
See if a local MSP would be willing to come in and do an assessment and help with project work.
Ad-1316@reddit
Do the computers have Pro versions of Windows? (If not, as you replace them, get Pro.)
Move the file server to a NAS box with RAID! I like Synology. It will get you by till you get funding for a real server, and can then be used for backups. - $500 depending on HDs
Work on buying a real server from HP or Dell, with a 3-5 year warranty, and budget to replace it every 5 years. - $10-20k
Set up Windows Server, AD, file and print.
Install a good firewall.
Upgrade the APs, to something with central management.
Look at replacing switches.
Work on labeling the cabling (label maker and toner).
This can't be done overnight; make a plan, work with management for funding, and schedule it or get an MSP to help.
cf-william@reddit
First off, don’t panic. What you inherited is very common in small shops. You don’t need to boil the ocean all at once. I’ve walked into this exact situation several times; this is the kind of stuff that separates good techs from the ones that quit.
1) Do you need AD?
If you’ve got SMB shares, random SQL apps, and Windows machines everywhere, Active Directory will make your life easier fast.
Long-term, I would look at using cloud identity with Microsoft Entra ID + Google federation. It helps tie everything together with SSO.
But with your time constraints?
Do that later. Start simple with an on-prem DC.
2) Licensing
Buy legit. Seriously.
Get Windows Server Standard through a reseller (CDW, Insight, etc.).
People will suggest grey-market keys; don’t. They can get revoked, and then you’ve got a much bigger problem.
3) What to fix first (priority list)
🔴 Phase 1 – Stop the bleeding
Kill the shared Windows login
Create individual user accounts
Lock down that Windows 11 “file server” (or plan to replace it)
🟠 Phase 2 – Foundation
Stand up a Windows Server box
Domain Controller
DNS
Join all PCs to the domain
🟡 Phase 3 – File server done right
Move shares off Windows 11 → Server
Set permissions by group, not user
Back it up (seriously — don’t skip this)
🟢 Phase 4 – Visibility & control
You already nailed this with NinjaOne — good call.
Add:
Patch management policies
Basic monitoring
🔵 Phase 5 – Network sanity
Break up the flat network (VLANs: office, shop, Wi-Fi)
Move Wi-Fi to WPA2-Enterprise or WPA3 if possible
⚫ Phase 6 – Cleanup
Consolidate those MSSQL Express instances
Document everything (even rough notes are fine)
Final advice
Don’t try to make it perfect, just make it better than yesterday. Take a deep breath and tackle one problem at a time. There is only one way to eat an elephant, I was told, and it's one bite at a time.
The_Magic_Moose_@reddit (OP)
Thank you chatgpt
cf-william@reddit
Not really... I did paste it into ChatGPT to clean up my rambling, but everything is what I've done several times in my 30+ years in IT.
hologrammetry@reddit
I second the commenter who recommended going with Azure/Entra ID.
LegRepresentative418@reddit
Do not start building servers. Microsoft doesn't want you to do this, and they will make it difficult. They want you to use Azure/Entra ID for all of your file sharing and authentication requirements. This is the path I recommend.
I don't know if you can use google for authentication. If I had to guess, I would say that you cannot.
Conscious-Arm-6298@reddit
How many users do you have potentially?
The_Magic_Moose_@reddit (OP)
I have around 100 employees in total, but only about 30 or so office workers I'm actually managing; there is also a small sister company with about 4.