Solved

Windows Server 2003 Network Design Help ...

Posted on 2004-04-06
Last Modified: 2010-04-19
Hi Guys .... We have the luxury of building a new Windows Server 2003 network from scratch with no legacy issues to get in our way. Of course we want to do this correctly right from the get-go, so I'm looking for a little (or a lot) of suggestions on how we should roll this out.

We are going to implement a network model where an independent organization will provide centralized IT services to a number of related but separate companies. Although we'd like to have complete administrative control of the "enterprise", we can't have any of the companies able to access or even see the existence of the other companies involved. All of the related companies currently have their own internet domain names and POP3 mail servers. We'd also like to eventually migrate them to Exchange, but with their own identity so that there is no hint of their participation in the multi-company IT structure.

All companies have to be set up with the minimum of dependencies, since they may be spun off or sold at any point in time.

How's that for a start? I'm sure the nuts & bolts available can do the job but if anyone else has been down this road I would certainly appreciate your input. Nobody likes to reinvent the wheel.

Thanks in advance for your help on this. Regards - Jamie G.

 
LVL 20

Assisted Solution

by:What90
What90 earned 200 total points
ID: 10772261
Off the top of my head thoughts on this would be:


Your company as the forest root, with your guys as Enterprise domain admins and each company as a child domain of your root using Windows 2003.
This gives you control over the low-level domains, but restricts them to your naming standards (for domain names and DNS if in AD mode) and makes admin more central; however, any schema updates would affect the entire tree and all domains.

or

Totally separate domains with no trusts to each other or part of any forest.
You would have an Admin account which you could log on to the domain with. This would allow you to build the domains as the client requests. Heaps more documentation is required to keep track of clients' requirements. This is much more work, but gives total freedom to the client and how they want to change/grow their network.

In both cases you'd have to sign a confidentiality agreement with the clients, as you'd have total access to the info and data.
0
 
LVL 16

Accepted Solution

by:
JamesDS earned 800 total points
ID: 10772371
ITGroupPHX

If you implement a single forest root, then each company will be able to browse to the top of the tree and see the others.

I recommend a forest for each company with a forest trust topology in place to support control and management by the parent company. A separate installation of Exchange for each company, with no more than SMTP links between the rest of the companies involved, will ensure that breaking off a branch simply involves removing your admins from their group memberships and cutting the trust.

You may also decide to implement parent and child domains for each sub-company to facilitate expansion of the individual companies in their own right.

AD design is a complex game (I do it for a living!) and not all the questions can be realistically answered here.

I suggest you pay particular attention to delegation of administration design and DNS design. DNS will be particularly complex if you want to enable the companies to interact as a group yet keep the actual links hidden. There are lots of issues to consider!

Cheers

JamesDS

0
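An added audit script, not from this thread or from either expert, that checks the per-company forest trust topology JamesDS describes from the management forest's side. It assumes the ActiveDirectory PowerShell module is available and that the company forest names are constructed placeholders.

```powershell
# Added example: audit trusts from the management forest so that each company
# forest is reachable for administration but no wider than needed.
# Assumes the ActiveDirectory module; run from a DC or admin host in the
# management forest. Company forest names below are constructed placeholders.
Import-Module ActiveDirectory

$companyForests = @('companya.example', 'companyb.example')

# Pull every trust once, then examine each expected company forest.
$allTrusts = Get-ADTrust -Filter *

$findings = foreach ($forest in $companyForests) {
    $trust = $allTrusts | Where-Object { $_.Target -ieq $forest }

    if (-not $trust) {
        [pscustomobject]@{ Forest = $forest; Check = 'Trust'; Result = 'MISSING: no trust to this forest' }
        continue
    }

    # A forest trust (transitive across the partner forest) is what the design calls for,
    # as opposed to a bare external trust to a single domain.
    [pscustomobject]@{ Forest = $forest; Check = 'ForestTransitive'
        Result = if ($trust.ForestTransitive) { 'OK' } else { 'WARN: external trust, not a forest trust' } }

    # Direction is relative to the management forest: 'Inbound' means the company
    # forest trusts us, which is all that central administration needs. A bidirectional
    # trust also lets company principals authenticate into the management forest.
    [pscustomobject]@{ Forest = $forest; Check = 'Direction'
        Result = if ($trust.Direction -eq 'Inbound') { 'OK' } else { "REVIEW: direction is $($trust.Direction)" } }

    # Selective authentication limits cross-forest access to resources that explicitly
    # grant 'Allowed to Authenticate', so the companies stay invisible to one another
    # even if a second trust is ever added.
    [pscustomobject]@{ Forest = $forest; Check = 'SelectiveAuthentication'
        Result = if ($trust.SelectiveAuthentication) { 'OK' } else { 'WARN: forest-wide authentication is enabled' } }
}

$findings | Format-Table -AutoSize
```

Re-run the script after cutting a trust to confirm the spun-off company no longer appears with anything but a MISSING result.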
 
LVL 20

Expert Comment

by:What90
ID: 10772492
Oops, forgot about that - I readily defer to JamesDS's experience and knowledge. Nice CV, by the by!
I don't get much time to build sites any more - just fix the problems caused by others ;-)

0
 
LVL 16

Expert Comment

by:JamesDS
ID: 10772700
What90

Thanks for that, but I can't help noticing you're at 3rd in the league and I am but a lowly 6th :)

Cheers

JamesDS
0
 
LVL 20

Expert Comment

by:What90
ID: 10772838
JamesDS -

I've noticed you flying up the table and you've only just joined!
 
The reason I'm 3rd is 'cos it's slow around here (work, that is) at the moment, and the nice questioners think some of my replies are actually useful ;-)

Actually, most of the q's are very interesting to follow through on, as everything here is remarkably stable (not that I'm complaining!) and I have a mountain of documentation to update as no-one else bothered :-(

It's nice to keep the mind working and be corrected by experts like yourself.
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 10772899
Aha, documentation, the bane of our lives.

I see 1 to 3 clients a year and a fully designed and documented AD and associated technologies typically requires around 500 pages of docs - much of which I can't cut and paste from the previous client!

You have my sympathies but you do get used to it after a while and it helps one to remember those little obscure problems that turn up here all the time.

Nobody's perfect (especially me) and I find that often the correct answer depends on how the question is read - it's easy to misinterpret the problem and run off at a tangent :)

Cheers

JamesDS
0
 

Author Comment

by:ITGroupPHX
ID: 10779391
Excellent ideas/points. I had considered a Forest Root design similar to what WHAT90 had suggested but after reading the comments from JAMESDS I'm starting to change my mind. I especially like the touch about implementing parent & child domains to deal with potential expansion of the individual companies.

JAMESDS, if I follow your logic, are you suggesting that I set up an autonomous domain for the enterprise management group and then create trusts to allow for administration of each company forest? If so, what kind of complications am I going to run into if I try to share file and print services between the other domains? This is a less than likely scenario at the moment, but I could see this happening as a couple of entities may merge in the future.

Also, any thoughts on domain naming conventions these days? There seems to be a new trend emerging where companies want to change their name for marketing reasons, so I'd like to stay away from directly tagging their name to the domain. A domain rename is something I'd like to avoid.

Thanks again guys!
0
 
LVL 16

Assisted Solution

by:JamesDS
JamesDS earned 800 total points
ID: 10781487
ITGroupPHX

The parent/child domain model does allow for greater flexibility on delegation of administration, which you need - but it costs more, as you need a few extra DCs to support a parent domain that will be barely used (hard to justify to the bosses).

Yes, an autonomous domain to handle the enterprise management is best. This can be the "holding company" or simply a domain that has no specific relation to the corporate structure.

Sharing print services is complex if you want to secure the resources, and impossible to do if you want to ensure the companies have no sight of each other - however, if you open up the access lists on printing to everyone (which I think is actually the default!) then the print server simply becomes another addressable resource and its location is irrelevant, subject to firewalling restrictions of course.

Naming convention advice is difficult as every company is different, but here goes:
Keep it short and memorable.
Only apply standards to things you really need to standardise - there are about 65 object types that can be standardised, so don't get carried away.
Whenever you create a standard, ask yourself "under what circumstances is the name of the object going to change?", i.e. don't name a machine after the user who uses it or it will need renaming when they leave.
Give users usernames - not user numbers - as it makes them easier to identify in lists of group members and the like.
Always begin Distribution Lists with a # or an _ so that they appear together and at the top of the Global Address List in Outlook and Exchange, and keep DList names shorter than 26 characters, as the window in the Outlook address book only displays the first 26 characters!!

I could go on for days (I have no life!)

Cheers

JamesDS
0
 

Author Comment

by:ITGroupPHX
ID: 10784412
Thanks again JAMESDS. I've got a pretty good idea of where I need to go with this. It's time to wind this question down. Since you "have no life" I thought I'd bounce a couple of final things off of you. This enterprise management group will be responsible for VPN deployment and will maintain the hub at their site, Altiris Client Management and Veritas Backup centralized backup management. Any thoughts on how that might be impacted by the proposed model?
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 10784550
ITGroupPHX

Wow, maybe you should just hire me, I'm free at the end of the month and this looks like a good challenge ;)

Hmm, without building a pretty sizeable test environment I can't say for sure, as there are dozens of variables to take into account. Provided your delegation of admin model is well designed and documented, there should be no authentication issues with Altiris Client Management and Veritas Backup. You might have to sacrifice some of the "total lack of inter-company awareness" though if you're going to pull it off - after all, even the most basic user will be able to tell that it's not his IT department in overall control!

I would advise you strongly to build a dual hub system and use the replication topology to create a fully redundant top level - maybe even host the FSMO roles for the sub-companies in these hubs as well, depending on budget and business continuity requirements.

Your DNS design is going to be pretty large, so learn it well or outsource the design to Microsoft Consultancy (OK, it's about £1500 a day!) if you're not 100% confident of pulling it off.

This is a lot of hardware and some big money so I close by reminding you of Gartner's report into AD in 2003 where they said "design and implementation problems caused by lack of specific design experience will force 60% of all Active Directory deployments to be redesigned and redeployed within 18 months of initial deployment, at significant and unplanned cost." So, caveat emptor, the little stuff is easy, the big stuff is a bitch and we haven't even covered how many sites you're planning on deploying to.

Best of luck

Cheers

JamesDS
0
 
LVL 20

Assisted Solution

by:What90
What90 earned 200 total points
ID: 10784819
ITGroupPHX,

Your question now screams "BIG PROJECT" and I'd take up JamesDS's comments on getting a third party in to help with planning (or his services!)
It's taken the company I'm working for 8 months to fully deploy a complex 2003 forest structure to around 35,000 users. Having seen the deployment plan, having a team in that lives and breathes AD roll-out must have saved a fortune in cock-ups and troubleshooting.

My humble thoughts to your last questions:

Backups, depending on what solution (and basically how much money you have to throw at any given solution) and what the key customers' requirements are (securing of data, system states, brick-level backups of Exchange mailboxes), could be done by a central SAN-like system. This would require permissions to access all the domains and sub-domains, which would have to be taken into account along with customers' requirements for backup windows.

Altiris software to deploy servers (as long as your company specifies the make and model, not the client) is a great option.
Cloning servers for DR purposes or quick deployment is a joy.

As to VPN deployment, using a hardware model such as Cisco makes swap-out and troubleshooting fast and fairly straightforward, plus you've got a great support model pre-built.


Good luck!
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 10785777
ITGroupPHX

At the risk of starting a "mutual appreciation society" What90 is right on the button ;)

A VERY large proportion of my work comes from re-design and re-implementation of AD projects that have gone south. Usually these repair projects take almost as long as the original project did - so the costs can often double the original budget and timescales.

Agree 100% with everything else he (most of us are blokes!) says.

Cheers

JamesDS

0
 

Author Comment

by:ITGroupPHX
ID: 10786082
What90 & JamesDS ... I agree with you guys 100%. The last thing that I need to do is rebuild AD in 18 months. Just as an aside, we are actively discussing the option of spinning off or outsourcing much of our IT group at some point in the future. Our concern right now is to have the model clear in our heads so that we can confidently challenge any group that might be brought into the project. Are you two close to Arizona? :-)

I'm going to close this question now. Many thanks. I'm going to split the points up here and give What90 50 and JamesDS. I think we all agree that James DS needs the points anyways. :-). Cheers - ITGroupPHX
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 10795761
ITGroupPHX

Thanks for the points - apparently I need them :)

I live in the UK, but I do travel and have worked in Ohio and Florida in the last 2 years.

Cheers all

JamesDS
0
