3 Windows 2003 servers, the best way to set them up?

We are going to set up 3 Windows servers: a file server,
an Exchange server and a SQL Server.

Based on your "real field experience", what is the right way to set up these 3 servers while considering the following:
1. fault tolerance
if one server is down, the 20 users can still log on to the network.
2. internet access
a server failure won't affect internet access.
3. security
how to set up the firewall to protect the 3 servers while we can still use "Outlook Web Access" and remote control the servers from outside the company network
We won't buy Cisco, it's too expensive. We may use a regular 4 port router or a cheaper firewall (maybe SonicWall)
4. any other thoughts or ideas?

Please kindly advise; points may be split or increased depending on the feedback


Yconsultant asked:

Leave it to Microsoft to require THREE SERVERS to service a WHOLE 20 USERS.

Ah, but that's not the question.  I will not do further Microsoft bashing in this comment.

For login fault-tolerance you need a PDC and a BDC for your AD or domain (depending on which model you choose.)  If you are getting the "latest and greatest" Exchange, then you're stuck with doing an AD implementation, even though for an installation that size, a Domain model would be easier.  Login fault-tolerance will not give you data fault-tolerance - the users may be able to log in, but they might not be able to access their data, if the file server is the one that's down.  To cover that, you'd need to do some sort of cluster with SAN, which is probably beyond your budget.

For server-independent internet access for internal users, you would probably want a firewall appliance that does not depend on AD or domain authentication.  That will keep the internet access independent of any of the Win2K3 servers.

Any decent firewall appliance will allow you to set up NAT, packet forwarding, filtering, whatever it takes to access the Outlook Web Access and Remote Control from the WEB.  Anything less, I wouldn't consider secure.

For added fault-tolerance, use hardware-based RAID5 disk arrays, servers with hot-plug PCI and N+1 redundant power supplies, and adequate UPS to keep it all up for 15-30 minutes in the event of a power outage.

As I said earlier, I will bite my tongue regarding further thoughts in order to avoid the appearance of M$ bashing.
P.S. - I have 3 servers at home, but they're my toys... ;)
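The NAT and filtering ShineOn describes, written out as an added example that is not part of his post: the inbound policy for the edge firewall as a reviewable rule table plus a small matcher, so the intended exposure (OWA on 443, remote control taken here to mean RDP on 3389 for admins only, everything else closed) can be checked before it is typed into whichever appliance is bought. The server addresses and the admin source range are assumptions; the appliance's own UI will differ.

```powershell
# Added example, not part of ShineOn's post: the inbound policy for the edge
# firewall written as a reviewable rule table plus a small matcher, so the
# intended exposure (OWA on 443, RDP on 3389 for admins only, everything else
# closed) can be checked before it is typed into the appliance. The server
# addresses and the admin source range are assumptions.

$Owa        = '192.168.1.10'     # assumed LAN address of the Exchange/OWA box
$FileServer = '192.168.1.11'     # assumed LAN address of the file server
$SqlServer  = '192.168.1.12'     # assumed LAN address of the SQL box
$AdminRange = '203.0.113.0/24'   # assumed public range the admins connect from

# First match wins; the final rule is the default deny that keeps SMB (445),
# RPC (135), SQL (1433) and plain HTTP (80) off the Internet.
$InboundRules = @(
    @{ Proto = 'tcp'; Port = '443';  Src = 'any';       Dst = $Owa;  Action = 'allow'; Note = 'OWA over HTTPS only' }
    @{ Proto = 'tcp'; Port = '3389'; Src = $AdminRange; Dst = $Owa;  Action = 'allow'; Note = 'RDP from the admin range only' }
    @{ Proto = 'any'; Port = 'any';  Src = 'any';       Dst = 'any'; Action = 'deny';  Note = 'default deny' }
)

function ConvertTo-IPv4UInt32 ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [uint32](([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3])
}

# True if $Ip is inside $Range, where $Range is 'any', a single address or CIDR.
function Test-IPv4InRange ([string]$Ip, [string]$Range) {
    if ($Range -eq 'any') { return $true }
    $net, $bits = $Range -split '/'
    if (-not $bits) { return ($Ip -eq $net) }
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return (((ConvertTo-IPv4UInt32 $Ip) -band $mask) -eq ((ConvertTo-IPv4UInt32 $net) -band $mask))
}

# Walks the table in order and returns the verdict of the first matching rule.
function Test-InboundConnection ([string]$Proto, [int]$Port, [string]$Src, [string]$Dst) {
    foreach ($r in $InboundRules) {
        $protoOk = ($r.Proto -eq 'any') -or ($r.Proto -eq $Proto)
        $portOk  = ($r.Port  -eq 'any') -or ([int]$r.Port -eq $Port)
        $dstOk   = ($r.Dst   -eq 'any') -or ($r.Dst -eq $Dst)
        if ($protoOk -and $portOk -and $dstOk -and (Test-IPv4InRange $Src $r.Src)) {
            return "$Proto/$Port from $Src to ${Dst}: $($r.Action) ($($r.Note))"
        }
    }
    "$Proto/$Port from $Src to ${Dst}: deny (no rule matched)"
}

# Spot checks. The first two are the intended exposure; the rest are what a
# "forward everything to the server" setup would wrongly let through.
Test-InboundConnection tcp 443  '198.51.100.7' $Owa          # allow: OWA
Test-InboundConnection tcp 3389 '203.0.113.9'  $Owa          # allow: admin RDP
Test-InboundConnection tcp 3389 '198.51.100.7' $Owa          # deny: RDP is not world-reachable
Test-InboundConnection tcp 80   '198.51.100.7' $Owa          # deny: no plain-HTTP OWA
Test-InboundConnection tcp 445  '198.51.100.7' $FileServer   # deny: no SMB from the Internet
Test-InboundConnection tcp 1433 '198.51.100.7' $SqlServer    # deny: no direct SQL access
```

The point of the table is the last line: nothing reaches the servers unless a rule above it says so, and the only rules above it are the two services the question actually needs. If the appliance chosen supports VPN, the 3389 rule can go entirely and remote control can ride the VPN instead, which removes the one admin-only hole from the public side.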
This is the setup I use with a similar situation.

First the firewall.  I hate Cisco.  It's total overkill for most small applications and unless you want to use command line I suggest something else.  I've used SonicWalls and have had good success with them when they work, although one of the two I've used broke.  SonicWall says it's a known issue and I've heard others say the same thing.  I've used Watchguard, which has a nice interface.  Depending on your traffic and needs and preferences this can be a complicated choice.  SonicWall Soho3 is fine, others are fine too.  Hell, you could even use Microsoft's new firewall device, which actually works fine and has a nice interface.  (Not the most powerful or flexible though)

Next, the Windows 2003 setup.
Machine 1 - Active Directory Controller, Global Catalog Server and Exchange 2003 box.  This is the machine that runs DNS also.  You need IIS to run OWA on this machine, although you could use the file server as an Exchange front end box.  I'll keep it simple and just say, this is your webserver.  The traffic is not that much and will run fine.

Machine 2 - File Server and backup.  Also make this an AD controller and a Global Catalog server, just in case Machine 1 goes down, this one still keeps running.  This one obviously needs DNS to run AD.  Use this machine also to run daily backups.  You can backup to HD without a problem.  You can also backup SQL to this machine as well.

Machine 3 - SQL Server.

Make sure to raise the functional level of AD to Windows 2003 level.

I think that's the basics...questions?

I have seen posts on EE that advise against having Exchange on your PDC...
I've seen different points of view on it, but Exchange 2003 requires all kinds of information from Active Directory.  It runs faster on the same box.  I do it here and it runs great.
Since techcity wants to have login redundancy, I would recommend having file/print on the PDC and Exchange on a BDC.
There is no such thing as a BDC in Windows 2003 Active Directory Domain Controllers.  I wish you NT old fogies would get with the new slang. ;)

So Exchange will run faster if it's on a domain controller (any), but don't mistake that one domain controller is more of a domain controller than another.
Ahhhhccchhh, it's all the same dang thing, just with a "transitive trust" kludge.

The "multimaster" stuff is just smoke-and-mirrors.  If you want to have a fault-tolerant, redundant system, then your most stable system is where you should put your "master" "PDC" whatever.  You can put a copy of AD on your Exchange server, but it shouldn't be your "main" copy.  Since the most important part of your network will be file and print services, you want the "main" copy on your file/print server, and that should be the one that has the backup system and the most fault-tolerant hardware.
ShineOn (is that a reference to Berry Gordy's The Last Dragon?), didn't you start this thread with "Microsoft stinks"?  It's not just smoke and mirrors.  If you have your GC and your AD on two different servers, either one can go down and you are OK.  There are FSMO roles, but I don't think this particular question requires special attention to them.  I'm assuming that he turns off NetBIOS to avoid extra network chatter as well.  By "main" do you mean "first"?

By the way, you can always be MORE redundant, more fail-safe.  Usually requiring more hardware.  We brought up fibre channel SANs, but if the questioner has 3 servers to do these things, I don't imagine he has lots of cash floating around for extra hardware.

Anyway, I'm rambling, it's late.  ;)  I love Windows 2003 server by the way.  I'm extremely pleased with everything about it.
Glad you're happy.

ShineOn is a reference to the Pink Floyd "Wish You Were Here" album, specifically the song "Shine On You Crazy Diamond."  I am a Pink Floyd fan.  Nothing else implied.

I started  this thread with "leave it to Microsoft to require THREE SERVERS to service a whole 20 Users."  Not "Microsoft Stinks."  Those are your words, don't put them in my mouth.

Anyway, why would it be even remotely within reason to expect a 20-USER environment to have THREE SERVERS or even MORE as you have implied?  Next you guyz'll be suggesting a server for each user...

AD is STILL a transitive-trust kludge on top of the domain model.  I'm still waiting to see what it'll be like when it grows up.
You could run 20 people, Exchange, file server, SQL, AD etc on one box, something from Dell costing between 1-2k.  It would run just fine and no one would have trouble.  Splitting out SQL and splitting out the file server just disperses the load to more than one machine and makes fewer single points of failure for everything.  But don't act like 1 box would crumble under 20 people.  It wouldn't.  OK, I'm going to sleep.  I think we answered the question and then some.
Wouldn't it be better to have 2 servers that can handle all the stuff a 20-user environment would need, and have them in a clustered, failover configuration than to spread each service over separate servers?  Why is it that server consolidation isn't a priority?  25 years ago, before the PC was even dreamt of, mainframe computers were running multiple services all on the same box without a problem.  Why doesn't it seem to be a step backward to you, to require separate servers for the various services?
Yconsultant (author) commented:
Sorry for the delayed reply. I was too busy to come back.

Thanks Shineon, Thanks Kokoglen. Thanks for all the comments. They are very helpful.

To: Shineon
RE: 20 users VS 3 servers
You are correct: for 20 users, 3 servers is really overkill. I was thinking of running Windows Small Business Server 2003 on 1 server box to support file/internet sharing, ISA firewall, Exchange and SQL, and making this server very robust: dual CPUs, dual power supplies, RAID 10. But I still have 2 concerns about this all-in-1 solution.
1. If the RAID card is dead, the server will be down for about 4 hrs before Dell replaces it. (we are going to buy a 3 yr, 24X7, 4 hr response on-site warranty from Dell)
2. If something is wrong with software (e.g. viruses, windows corrupted, etc), no matter how fault tolerant the hardware is, the server has to be down to have a service.
That is why i am thinking about running 3 servers to split the load to avoid "single point of failure", just like Kokoglen said.

You are correct. It is beyond our budget. We will not deploy it.

RE:Server independent internet access.
I will do some research to find out a firewall which deals with internet connection sharing

RE: hot plug PCI and N+1 power supply
What is hot plug PCI?
What is N+1 power supply?

TO: Kokoglen
RE: Sonicwall
1. Is this firewall based on user licenses? I mean, do I have to buy 20 user licenses to run this firewall, or will it protect the whole network no matter how many PCs/servers are behind it?
2. Does this firewall deal with Internet connection sharing? Can it be a DHCP server?
3. You mentioned you have one broke. What kind of "broke" is it?
Stopped functioning? or a design problem? Which model of the problematic Sonicwall is it? so that i will avoid buying it.
4. You mentioned Soho3 and Watchguard, which one works better in your 3 server environment?

RE: Windows 2003 setup
Your explanation is pretty detailed and clear.
You mentioned "you can backup to HD without a problem", what are you trying to say? I guess you are saying that I can put IDE HDs in the server and do the backup on them in addition to the tape backup. Am I right?

Thanks again

hot-plug PCI:

Some servers have the capability of adding PCI devices without downing the server.  It's often called "hot add."  I know IBM has that capability on several of its Intel servers.  With hot-plug or hot-add PCI, if, for instance, your server's NIC dies, you can add another NIC without shutting down, and get things going again with minimized impact.

n+1 redundancy is essentially one of the basics of RAID, and when applied to power supplies, means that if one power supply fails, the remaining power supplies take over, and you can remove and replace the failed power supply without downing the server.  It means that the server's power supplies are multiply redundant.
Yconsultant (author) commented:
TO: Kokoglen
I am happy to know you have a similar environment, so I put a few more questions for you in here. Hopefully you would spend a while to look at them.

RE: backup
What backup software are you running? Veritas Backup Exec?
If i purchase Exchange and SQL agents, it will be expensive.
Do you use the native  backup?

RE: antivirus
What antivirus software are you running? Symantec? TrendMicro? or McAfee?

Answers to questions

Either firewall (SonicWall or Watchguard or other) will protect all the people on the inside AND can act as a DHCP server.  (Make sure NOT to make the servers DHCP.  They need to be static)  There are also decent devices from Netgear, Linksys (although I don't like Linksys personally), Netscreen, Symantec, and others.  I almost went with this Netgear...
Because I was going to use VPNs from the outside.  You have lots of choices, all will do the job well.  Which would I suggest?  I liked the SonicWall functionality but I'd have to lean away based on the brick problem I had.  I'd suggest the cheapest Watchguard or, if you want to save money, try the Netgear above.  Ask a follow-up question in security/firewall if you want to ask for a comparison between the two...they love Cisco in that forum though. ;)

The sonicwall "broke" in the brick.  The black block thing that plugs into the wall.  It just stopped working for any device.  I called Sonicwall and they said, Yeah that happens, we will send you a new one.  I was really pissed off.  I ran to Radioshack and got a replacement, but what the hell kind of crap is that?  The brick broke??  Anyway, I heard from two other people that their brick broke too.  It was the soho2 not the soho3, so for all I know, its been fixed.

Backing up...
I use the native backup in Windows.  It can backup SQL, Exchange, AD, Files.  It's very good.  Of course, I've used Veritas and it's good too, but it's just one more program to install, you know.  Try the native first and if you think it doesn't have enough control, then go for the Veritas...but save the money first and try without it.

Also I backup to hard drive.  I don't backup to tape.  Reason why...Tape is expensive and slow.  And then I take the tapes and put them in a safe...who needs it.  NAS devices are cheap as hell these days, so are USB 2.0 hard drives.  Get a USB 2.0 hard drive (or two of them) and backup to disk with it and then put one in a safe or off site.  They are light to carry but more importantly...when you want to restore, it will be much faster.

Virus protection
I've used a couple.  ScanMail for Exchange works well to eliminate viruses in email.  ServerProtect (also from Trend) is good for file servers.  I've used the Symantec suite and didn't love the interface.  Panda makes a suite too, wasn't bad.  You can also get the spam gateway products from Trend, but it's a more complex setup...you need a gateway server.  Of course you have extra servers so you COULD do that.  I have no experience with the spam filtering quality...never used that one.  I tend to stay away from McAfee...ever since they got bought, I think their quality has slipped.



I'll drop off an let you two do it your own way.  The whims of youth always trump the wisdom of age.

Take care...
Yconsultant (author) commented:
TO: Shineon
Thanks for the fast response to my question. You are the first one to comment on my question. And your comments are also valuable even though I disagree a little bit with your all-in-one-box solution.
You mentioned that in the old days, the mainframe dealt with everything and worked fine. This is because the mainframes were very expensive. People could not afford a few mainframes running together to split the workload. Also, they take a lot of space. I used to work on an IBM 4381; we built a huge computer room for this giant.

TO: Kokoglen
Thanks for your further comments, we are closer. Your comments are very valuable. You answered pretty much all of my questions. I will think about whether I still have any this weekend and I will close this case by next Monday.

I am also a tech support and I also answer questions in this forum (using a different name though). I really appreciate you guys' time and efforts. And I also know the feeling when you spend time inputting your comments but get no reply or no points.

I will increase the points for this question for sure and split the points for you guys.

Thanks again

Yconsultant (author) commented:
TO: Kokoglen

RE: USB hard drive
Your USB HDD backup solution is very attractive. It is cheaper and faster. If we purchase a few, we can also take them off site just like we do with tapes.
How long have you been running this solution? Is it OK so far?

RE: Native backup
Do you think we can make the native backup back up files, Exchange and SQL all together and AUTOMATICALLY?
Because this client does not have a full time IT guy to take care of the servers, I have to make the backup solution as simple as possible.


USB HD backup.  Yes it works fine.  Basically the limitations are that IDE drives (which are inside the USB enclosures) last as long as IDE drives normally last.  So expect to replace them every 3-5 years with newer ones, but it's still pretty cheap.  Make sure it's USB 2.0, it's much faster than 1.1.  I've been doing this for about a year.

Native Backup.  Yes, you can, but you will need to read some documentation on how to backup SQL.  Exchange and Files are simple.  I've only done this once before with someone else helping, so I know it works but not the details.  (might be worth a separate question).
Some helpful links:


Basically, its easier if you spend the money on Veritas, but it WILL work without it, its just harder.

But I've forgotten a major thing here...Windows 2003 has a feature called Shadow Copy (which I've never used).  Supposedly it creates a live copy of the server with everything on it.  You could set it up this way:

Machine 1: AD, DNS, Exchange, NT backup to USB Drive
Machine 2: AD, DNS, SQL server and File Server
Machine 3: Shadow Copy of Machine 2

This way you have a LIVE backup machine just waiting to be used.  It will have a copy of all the files and all SQL configuration and detail.

It's just a thought but this would handle 20 users just fine and have very nice redundancy.  Sorry if I'm changing gears mid-question.  I've never used this solution myself so it's just brainstorming.
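The automatic native backup the author asks about, and the backup-to-USB-disk approach Kokoglen describes in this post and the earlier one, as an added example that is not Kokoglen's own job: a nightly script for the three-server layout, written to run on MACHINE1 (domain controller + Exchange) from a scheduled task and dump everything to the USB disk. Server names, the share and folder paths, the database name, the storage group name and the USB drive letter are assumptions for the example. One caveat a practitioner would want stated: ntbackup has no SQL Server agent, so the database is dumped with SQL's own BACKUP DATABASE first and the dump file is then picked up like any other file.

```powershell
# Added example, not Kokoglen's own job: a nightly backup to a USB disk for
# the three-server layout discussed above, written to run on MACHINE1
# (domain controller + Exchange) from a scheduled task. Server names, the
# share and folder paths, the database name, the storage group name and the
# USB drive letter are assumptions for the example.

$ErrorActionPreference = 'Stop'
$UsbRoot   = 'E:\Backup'                     # assumed USB 2.0 disk
$SqlServer = 'MACHINE3'                      # assumed SQL Server host
$SqlDb     = 'AppDb'                         # assumed database name
$FileShare = '\\MACHINE2\Shares'             # assumed file-server share
$DumpDir   = 'C:\SqlDumps'                   # assumed local folder, shared as \\MACHINE1\SqlDumps
$Day       = (Get-Date).DayOfWeek.ToString() # one .bkf per weekday: seven sets rotate on the disk
$Bkf       = Join-Path $UsbRoot "$Day.bkf"
$Bks       = Join-Path $env:TEMP 'nightly.bks'

foreach ($d in $UsbRoot, $DumpDir) { New-Item -ItemType Directory -Path $d -Force | Out-Null }

# 1. SQL Server: ntbackup has no SQL agent and cannot take a consistent copy
#    of the open .mdf/.ldf files, so the database dumps itself with
#    BACKUP DATABASE (osql ships with SQL Server 2000/2005). The SQL Server
#    service account must be allowed to write to the assumed share.
$Dump = "\\MACHINE1\SqlDumps\$SqlDb.bak"
& osql -E -S $SqlServer -b -Q "BACKUP DATABASE [$SqlDb] TO DISK = N'$Dump' WITH INIT"
if ($LASTEXITCODE -ne 0) { throw "SQL backup of $SqlDb on $SqlServer failed" }

# 2. ntbackup selection list (must be saved as Unicode). The Exchange line is
#    the form ntbackup writes when the store is ticked in its own UI; save a
#    selection from the UI once and copy the exact line if it differs.
@(
    "JET $env:COMPUTERNAME\Microsoft Information Store\First Storage Group\"
    "$FileShare\"
    "$DumpDir\"
) | Set-Content -Path $Bks -Encoding Unicode

# 3. Full backup: system state (Active Directory, SYSVOL, registry, IIS
#    metabase), the Exchange store, the file share and the SQL dump, into
#    this weekday's .bkf. Removing last week's file first keeps the job from
#    appending and filling the disk.
if (Test-Path $Bkf) { Remove-Item $Bkf }
& ntbackup backup systemstate "@$Bks" /J "Nightly $Day" /F $Bkf /M normal /V:yes /L:s
if (-not (Test-Path $Bkf)) { throw "ntbackup produced no $Bkf; check the backup report" }

# 4. Register once, as a domain account that is a member of Backup Operators
#    and has backup rights on the SQL database (schtasks prompts for the
#    password):
#    schtasks /Create /SC DAILY /ST 23:00 /RU DOMAIN\backupsvc /RP * `
#      /TN "Nightly backup" /TR "powershell.exe -NoProfile -File C:\Scripts\Nightly-Backup.ps1"
```

With two USB disks swapped weekly, the one not plugged in is the off-site copy Kokoglen suggests. The system state in the .bkf is what brings Active Directory back if both domain controllers are lost, so restore a mailbox, a file and the system state to a test box at least once before relying on the job; a backup that has never been restored is untested.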
Yconsultant (author) commented:
I increased the points from 50 to 250, and split them between you guys.
Hopefully you guys feel ok for the points arrangement. If any of you feel your answer(s) worth more points, pls let me know, i will do my best.

I appreciate your comments and attitude which can not be evaluated by points.

Thanks and have a nice weekend,

no worries, good luck
First, on the mainframe thing.  I used to work on a 4381 as well... and a 4341 and a 4361 and a 3083 and so on...  The idea isn't that these boxes were expensive (they were) or large (they were) but that the processing power in today's Intel servers is much greater than what was available with those old mainframes.  You get a lot more MIPS from a 2GHz Xeon processor than you ever could hope for from an air-cooled 4300-series mainframe - plus a whole lot more, and faster, memory and much cheaper and faster disk storage.

That's why consolidating your services DOES make sense these days, because you can set up a failover cluster relatively cheaply.

As far as backup is concerned, one thing you might consider is to burn a baseline backup to DVD on a regular basis, say once a quarter.  DVD isn't subject to degradation caused by EM fields.
Yconsultant (author) commented:
TO: Shineon

If I am not wrong, consolidating services with a cluster offers fault tolerance on hardware. What happens if the OS or application is corrupted? You have to down the whole thing to fix it.

Distributing services on different servers will keep the whole network up even if we have to down one of them. Say if the email server is down, we can still have access to the file server and SQL server.

I quite agree with you about a baseline backup on DVD or CD. My clients always ask me whether the hard drive is big enough. Actually it can never be big enough. The hard drive can be so easily filled up no matter how big it is. So I always do an offsite backup of old emails and docs and save them on discs. Less data left on the HDD makes the system run healthier and also makes the tape drive last longer.

Thanks for the contribution to my questions; your knowledge benefits me a lot.

If the cluster pair is resilient you should be able to remove one of the two from the cluster, fix it, and then bring it back online and resync the changes.  The user data in a cluster should be on a SAN, so it shouldn't matter which server is handling the data.

Data redundancy is another matter.  You can do that with a SAN, too, IIRC, by having a flash copy taken on a regular basis - it's not really redundancy, more of a checkpoint backup.

If you have to shut down both nodes of a cluster to fix anything then something is wrong with how the cluster is configured, IMHO.

Do you think the ppl that use Datacenter Server have a server for each service on those big, expensive boxes?  Not likely.  

Today, mainstream hardware is cheap, but time is not.  The only way to get anywhere NEAR five-nines is with a cluster.
Yconsultant (author) commented:
Now I got your point, thanks and have a nice weekend