Solved

Windows Server 2003 Network Design Help ...

Posted on 2004-04-06
Last Modified: 2010-04-19
Hi Guys .... We have the luxury of building a new Windows Server 2003 network from scratch with no legacy issues to get in our way. Of course we want to do this correctly right from the get-go so I'm looking for a little (or a lot) of suggestions on how we should roll this out.

We are going to implement a network model where an independent organization will provide centralized IT services to a number of related but separate companies. Although we'd like to have complete administration control of the "enterprise" we can't have any of the companies able to access or even see the existence of the other companies involved. All of the related companies currently have their own internet domain names and POP3 mail servers. We'd also like to eventually migrate them to Exchange but with their own identity so that there is no hint of their participation in the multi-company IT structure.

All companies have to be set up with the minimum of dependencies since they may be spun off or sold at any point in time.

How's that for a start? I'm sure the nuts & bolts available can do the job but if anyone else has been down this road I would certainly appreciate your input. Nobody likes to reinvent the wheel.

Thanks in advance for your help on this. Regards - Jamie G.

Question by:ITGroupPHX
14 Comments
 
LVL 20

Assisted Solution

by:What90
What90 earned 50 total points
ID: 10772261
Off the top of my head thoughts on this would be:


Your company as the Forest root with your guys as Enterprise domain admins and each company as a child domain of your root using Windows 2003.
This gives you control over the low-level domains, but restricts them to your naming standards (for domain names and DNS if in AD mode) and makes admin more central; any schema updates would affect the entire tree and domains.

or

Totally separate domains with no trusts to each other or part of any forest.
You would have an Admin account which you could log on to the domain with. This would allow you to build the domains as the client requests. Heaps more documentation required to keep track of clients' requirements. This is much more work, but gives total freedom to the client and how they want to change/grow their network.

In both cases you'd have to sign a confidentiality agreement with the clients as you'd have total access to the info and data
LVL 16

Accepted Solution

by:
JamesDS earned 200 total points
ID: 10772371
ITGroupPHX

If you implement a single forest root, then each company will be able to browse to the top of the tree and see the others.

I recommend a forest for each company with a forest trust topology in place to support control and management by the parent company. A separate installation of Exchange for each company with no more than SMTP links between the rest of the companies involved will ensure that breaking off a branch simply involves removing your admins from their group memberships and cutting the trust.

You may also decide to implement parent and child domains for each sub-company to facilitate expansion of the individual companies in their own right.

AD design is a complex game (I do it for a living!) and not all the questions can be realistically answered here.

I suggest you pay particular attention to delegation of administration design and DNS design. DNS will be particularly complex if you want to enable the companies to interact as a group yet keep the actual links hidden. There are lots of issues to consider!

Cheers

JamesDS

LVL 20

Expert Comment

by:What90
ID: 10772492
Oops, forgot about that - I readily defer to JamesDS's experience and knowledge. Nice CV by-the-by!
I don't get much time to build sites any more - just fix the problems caused by others ;-)

LVL 16

Expert Comment

by:JamesDS
ID: 10772700
What90

Thanks for that, but I can't help noticing you're at 3rd in the league and I am but a lowly 6th :)

Cheers

JamesDS
LVL 20

Expert Comment

by:What90
ID: 10772838
JamesDS -

I've noticed you flying up the table and you've only just joined!
 
The reason I'm 3rd is 'cos it's slow around here (work, that is) at the moment and the nice questioners think some of my replies are actually useful ;-)

Actually, most of the q's are very interesting to follow through on as everything here is remarkably stable (not that I'm complaining!), and I have a mountain of documentation to update as no-one else bothered :-(

It's nice to keep the mind working and be corrected by experts like yourself.
LVL 16

Expert Comment

by:JamesDS
ID: 10772899
Aha, documentation, the bane of our lives.

I see 1 to 3 clients a year and a fully designed and documented AD and associated technologies typically requires around 500 pages of docs - much of which I can't cut and paste from the previous client!

You have my sympathies but you do get used to it after a while and it helps one to remember those little obscure problems that turn up here all the time.

Nobody's perfect (especially me) and I find that often the correct answer depends on how the question is read - it's easy to misinterpret the problem and run off at a tangent :)

Cheers

JamesDS

Author Comment

by:ITGroupPHX
ID: 10779391
Excellent ideas/points. I had considered a Forest Root design similar to what WHAT90 had suggested but after reading the comments from JAMESDS I'm starting to change my mind. I especially like the touch about implementing parent & child domains to deal with potential expansion of the individual companies.

JAMESDS, if I follow your logic, are you suggesting that I set up an autonomous domain for the enterprise management group and then create trusts to allow for administration of each company forest? If so, what kind of complications am I going to run into if I try to share file and print services between the other domains? This is a less than likely scenario at the moment but I could see this happening as a couple entities may merge in the future.

Also, any thoughts on domain naming conventions these days? There seems to be a new trend emerging where companies want to change their name for marketing reasons so I'd like to stay away from directly tagging their name to the domain. A domain rename is something I'd like to avoid.

Thanks again guys!
LVL 16

Assisted Solution

by:JamesDS
JamesDS earned 200 total points
ID: 10781487
ITGroupPHX

the parent child domain model does allow for greater flexibility on delegation of administration, which you need - but it costs more as you need a few extra DCs to support a parent domain that will be barely used (hard to justify to the bosses)

Yes, an autonomous domain to handle the enterprise management is best. This can be the "holding company" or simply a domain that has no specific relation to the corporate structure.

Sharing print services is complex if you want to secure the resources and impossible to do if you want to ensure the companies have no sight of each other - however, if you open up the access lists on printing to everyone (which I think is actually the default!) then the print server simply becomes another addressable resource and its location is irrelevant, subject to firewalling restrictions of course.

Naming convention advice is difficult as every company is different but here goes:
Keep it short and memorable
Only apply standards to things you really need to standardise - there are about 65 object types that can be standardised so don't get carried away.
Whenever you create a standard ask yourself "under what circumstances is the name of the object going to change", i.e. don't name a machine after the user who uses it or it will need renaming when they leave.
Give users usernames - not user numbers - as it makes them easier to identify in lists of group members and the like.
Always begin distribution lists with a # or an _ so that they appear together and at the top of the Global Address List in Outlook and Exchange; keep DList names shorter than 26 characters as the window in the Outlook address book only displays the first 26 digits!!

I could go on for days (I have no life!)

Cheers

JamesDS
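As an added example (not posted by JamesDS or anyone else in this thread), the two naming rules above that can actually be checked mechanically, the distribution list prefix and length rule and the "usernames, not user numbers" rule, turned into a small PowerShell validator. The function names, the 26-character limit as a constant, and the sample names are all assumptions made for this example; the sample names are constructed and do not come from any real directory.

```powershell
# Added example, not from the thread. Validates object names against the
# conventions described in the post above:
#   - distribution lists start with '#' or '_' so they sort together at the
#     top of the Global Address List, and are shorter than 26 characters so
#     the Outlook address book window shows the whole name;
#   - user accounts get usernames, not bare user numbers.
# Function names and the constant below are this example's own choices.

$MaxDListLength = 26   # assumed from the post: names must be shorter than this

function Test-DListName {
    param([Parameter(Mandatory = $true)][string]$Name)
    $issues = @()
    if ($Name -notmatch '^[#_]') {
        $issues += "does not start with '#' or '_'"
    }
    if ($Name.Length -ge $MaxDListLength) {
        $issues += "is $($Name.Length) characters; must be shorter than $MaxDListLength"
    }
    [pscustomobject]@{
        Name      = $Name
        Type      = 'DList'
        Compliant = ($issues.Count -eq 0)
        Issues    = ($issues -join '; ')
    }
}

function Test-UserName {
    param([Parameter(Mandatory = $true)][string]$Name)
    $issues = @()
    if ($Name -match '^\d+$') {
        $issues += 'is a user number, not a username'
    }
    [pscustomobject]@{
        Name      = $Name
        Type      = 'User'
        Compliant = ($issues.Count -eq 0)
        Issues    = ($issues -join '; ')
    }
}

# Constructed sample names for the demonstration (not real directory data).
$sampleDLists = @(
    '#All Staff',
    '_Finance Managers',
    'Sales Team',                              # missing the sorting prefix
    '#Regional Operations Coordinators EMEA'   # too long for the address book window
)
$sampleUsers = @('jsmith', '104512')          # second one is a bare user number

$results = @()
$results += $sampleDLists | ForEach-Object { Test-DListName -Name $_ }
$results += $sampleUsers  | ForEach-Object { Test-UserName  -Name $_ }
$results | Format-Table -AutoSize
```

On a live domain the same functions can be fed from the directory instead of the sample arrays, for example `Get-ADGroup -Filter 'GroupCategory -eq "Distribution"' | ForEach-Object { Test-DListName -Name $_.Name }`; that cmdlet comes from the ActiveDirectory module (Windows Server 2008 R2 and later), so it would not have been available on the 2003 servers discussed in this thread. The rule about not naming machines after their users is deliberately not automated here, since it depends on knowing the user population rather than on the name alone.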

Author Comment

by:ITGroupPHX
ID: 10784412
Thanks again JAMESDS. I've got a pretty good idea on where I need to go with this. It's time to wind this question down. Since you "have no life" I thought I'd bounce a couple of final things off of you. This enterprise management group will be responsible for VPN deployment and maintain the hub at their site, Altiris Client Management and Veritas Backup centralized backup management. Any thoughts on how that might be impacted by the proposed model?
LVL 16

Expert Comment

by:JamesDS
ID: 10784550
ITGroupPHX

wow, maybe you should just hire me, I'm free at the end of the month and this looks like a good challenge ;)

Hmm, without building a pretty sizeable test environment I can't say for sure as there are dozens of variables to take into account. Provided your delegation of admin model is well designed and documented there should be no authentication issues with Altiris Client Management and Veritas Backup. You might have to sacrifice some of the "total lack of inter-company awareness" though if you're going to pull it off - after all, even the most basic user will be able to tell that it's not his IT department in overall control!

I will advise you strongly to build a dual hub system and use the replication topology to create a fully redundant top level - maybe even host the FSMO roles for the sub-companies in these hubs as well, depending on budget and business continuity requirements.

Your DNS design is going to be pretty large so learn it well or outsource the design to Microsoft Consultancy (OK it's about £1500 a day!) if you're not 100% confident of pulling it off.

This is a lot of hardware and some big money so I close by reminding you of Gartner's report into AD in 2003 where they said "design and implementation problems caused by lack of specific design experience will force 60% of all Active Directory deployments to be redesigned and redeployed within 18 months of initial deployment, at significant and unplanned cost." So, caveat emptor, the little stuff is easy, the big stuff is a bitch and we haven't even covered how many sites you're planning on deploying to.

Best of luck

Cheers

JamesDS
LVL 20

Assisted Solution

by:What90
What90 earned 50 total points
ID: 10784819
ITGroupPHX,

Your question now screams "BIG PROJECT" and I'd take up JamesDS's comments on getting a third party in to help with planning (or his services!)
It's taken the company I'm working for 8 months to fully deploy a complex 2003 Forest structure to around 35,000 users. Having seen the deployment plan, having a team in that lives and breathes AD roll-out must have saved a fortune in cock-ups and troubleshooting.

My humble thoughts to your last questions:

Backups, depending on what solution (and basically how much money you have to throw at any given solution) and what the key customers' requirements are (securing of data, system states, brick-level backups of Exchange mailboxes), could be done by a central SAN-like system. This would require permissions to access all the domains and sub-domains, which would have to be taken into account along with customers' requirements for backup windows.

Altiris software to deploy servers (as long as your company specifies the make and model, not the client) is a great option.
Cloning servers for DR purposes or quick deployment is a joy.

As to VPN deployment, using a hardware model such as Cisco makes swap-out and troubleshooting fast and fairly straightforward, plus you've got a great support model pre-built.


Good luck!
LVL 16

Expert Comment

by:JamesDS
ID: 10785777
ITGroupPHX

At the risk of starting a "mutual appreciation society" What90 is right on the button ;)

A VERY large proportion of my work comes from re-design and re-implementation of AD projects that have gone south. Usually these repair projects take almost as long as the original project did - so the costs can often double the original budget and timescales.

Agree 100% with everything else he (most of us are blokes!) says

Cheers

JamesDS


Author Comment

by:ITGroupPHX
ID: 10786082
What90 & JamesDS ... I agree with you guys 100%. The last thing that I need to do is rebuild AD in 18 months. Just as an aside, we are actively discussing the option of spinning off or outsourcing much of our IT group at some point in the future. Our concern right now is to have the model clear in our heads so that we confidently challenge any group that might be brought into the project. Are you two close to Arizona? :-)

I'm going to close this question now. Many thanks. I'm going to split the points up here and give What90 50 and JamesDS. I think we all agree that James DS needs the points anyways. :-). Cheers - ITGroupPHX
LVL 16

Expert Comment

by:JamesDS
ID: 10795761
ITGroupPHX

Thanks for the points - apparently I need them :)

I live in the UK, but I do travel and have worked in Ohio and Florida in the last 2 years.

Cheers all

JamesDS