Solved

Simple advice on topography deployment

Posted on 2007-11-30
16
308 Views
Last Modified: 2012-06-27
Was to build 2 independent servers for a new facility with 2 departments. Now they've purchased software that all clients will need access to (SQL Server 2000 installed on one server with site). Now thinking about the best way to deploy. No more than 20 clients in each department. Don't plan on using Exchange at the moment. Should I make one domain and arrange clients in OUs? Or, should I use the VLAN option on the firewall and create 2 subnets (wondering if routing the SQL site to both would be a pain)? Or use 2 pairs of NICs in each server -- Ideas? This is a flexible project and I'm a little rusty with server (good with routing though). No rush, don't yell at me, just your intellectual input :D lol Thanks!
 
I'm sure I left out something - I just wanted to get this off. I'll stick around to respond quickly to whichever generous person may be writing.
0
Question by:InterloperKO
16 Comments
 
LVL 4

Expert Comment

by:mdefalco
ID: 20386802
What are the security concerns? Or, bandwidth concerns? What I mean is, if the two departments shouldn't be talking to each other, then VLANs with a firewall is a good idea, thus not allowing one subnet to talk to the other, but sharing an internet connection. This is quite normally something done for the financial or executive departments. And, sometimes Q&A will have their own subnet so their testing does not affect production servers.

But, if it is more simple than that, just two departments, I would create one domain and configure group security.

Hope that helps you a little, please feel free to ask me more detailed questions,

Jim
0
 

Author Comment

by:InterloperKO
ID: 20386827
Thanks Jim :)
Security: I'd rather not let the two departments see each other, but still both access one same website.
Bandwidth: Internet = not an issue, LAN topography = 2 closets, one for each department, with independent switches and star topography to clients (approx 30 each at max). 3 server-to-server CAT6 lines. One for a NAS to back up just about everything.
0
 
LVL 4

Assisted Solution

by:mdefalco
mdefalco earned 468 total points
ID: 20386853
Ok,

Then the two switches in the closets should connect to one main switch, using VLANs. This switch connects to a third VLAN for the servers. Then on the main switch you can set up the rules to disallow the VLANs from talking to each other, but also allow them to talk to the server VLAN.
The firewall will be placed on the internet connection. I am not sure if you need your server to be live on the Internet, or just local, so I don't know where you would put the firewall. Between the internet, obviously, but maybe one between the servers and the two VLANs. Just in case.

You should be able to do the routing for this pretty easily. I think Cisco switches are good for VLANs.

Jim
0
 

Author Comment

by:InterloperKO
ID: 20386864
Ok, my objective is to find out whether I should use the firewall attached to both servers with an extra* NIC in each server for their independent LANs. This way the servers would be on the same subnet with the NAS unit and still share the SQL site (am I correct?) OR use a VLAN with each private LAN using the same network class addressing so both servers can talk.
On that point, would it be possible to use both servers to act as an Active Directory backup for each other assuming we had 2 domains, or one child domain??? Am I on the right page here?!?
OR- Should both servers and all clients with NAS be on the same subnet with one domain, using OUs to distinguish resources and use one of the servers strictly as a backup domain controller?
 Thanks
 
0
 

Author Comment

by:InterloperKO
ID: 20386866
Thanks again Jim, just got your reply
0
 

Author Comment

by:InterloperKO
ID: 20386885
It's just a local setup. The firewall I'm using has 4 ports and the ability to select which port you want to be what, IE: LAN, VLAN, DMZ. I could use one LAN then the other VLAN, but use the same subnet addresses for both LANs and only permit the two servers to talk via the firewall's rules??? Is that right? I still want each LAN to have their own SharePoint sites, same internet, and share one internal website to both LANs. Pretty much the only objective :)
0
 
LVL 4

Expert Comment

by:mdefalco
ID: 20386889
The easiest thing to do is what you are thinking, with the server having two NICs. Two subnets; IIS will let you run a website with two IPs on different subnets, and SQL uses named pipes. This would work well. I believe you would keep all users' data on the server, and back up the server to the SAN. I think this would work well.

Using one server as a main server and the other as a backup domain controller, that would work well. Give that two NICs and put it on the network. You can also set up SQL replication to this server so you can have a working copy of your SQL too. The website is easier since the files do not change too often; that's an easy restore.

hope that helps,
0
 

Author Comment

by:InterloperKO
ID: 20386912
But with only one domain? Then why separate the two LANs? Little confused.
:D
0
 
LVL 4

Assisted Solution

by:mdefalco
mdefalco earned 468 total points
ID: 20386929
I thought you wanted them not to be able to talk to each other. This will be the case; you can tell the firewall to not allow traffic from, let's say,
192.168.100.x to 192.168.200.x

The server will have IP addresses 192.168.100.1 and 192.168.200.1. So all users have access to SQL and IIS, but cannot talk to each other. They can have separate shared folders on the server with security by groups, each department in their own group. So they can never talk to each other, but have access to all resources. They can each talk to the server, but by using group security you can keep them out of each other's stuff, and allow them to share certain things if needed.

If you keep them on the same subnet, then they can see each other's computers, and anyone who thinks to open \\computername will see the other department's stuff. By disallowing that at the lower layer they can never talk to each other; they have to do it through the server, which you secure by groups.
Is that a little clearer? If not I will try to explain it differently.
0
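The isolation rule described in the comment above, written out as an added example (my own, not the expert's or the asker's configuration): a first-match packet policy over the 192.168.100.x / 192.168.200.x scheme, plus an audit that checks the thread's requirements and shows why the cross-department deny has to sit before the broad internet allow. The server NIC addresses and workstation addresses are assumed.

```python
import ipaddress

# Constructed example, not the thread author's configuration: a first-match
# packet policy for the two-department layout discussed above, using the
# 192.168.100.x / 192.168.200.x scheme and assumed server NIC addresses.
DEPT_A = ipaddress.ip_network("192.168.100.0/24")
DEPT_B = ipaddress.ip_network("192.168.200.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Ordered rules (src, dst, action); first match wins, unmatched traffic is
# denied. The cross-department denies must come BEFORE the broad internet
# allows, or the allows swallow department-to-department traffic.
GOOD_RULES = [
    (DEPT_A, DEPT_B, "deny"),
    (DEPT_B, DEPT_A, "deny"),
    (DEPT_A, ANY, "allow"),
    (DEPT_B, ANY, "allow"),
]
# Same rules, wrong order: a common mistake that silently defeats isolation.
BAD_RULES = [GOOD_RULES[2], GOOD_RULES[3], GOOD_RULES[0], GOOD_RULES[1]]


def decide(src: str, dst: str, rules=GOOD_RULES) -> str:
    """Return 'allow' or 'deny' for a packet from src to dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in rules:
        if s in src_net and d in dst_net:
            return action
    return "deny"  # implicit default deny


def audit(rules=GOOD_RULES) -> list:
    """Test the thread's requirements; return the names of failed checks."""
    a_host, b_host = "192.168.100.50", "192.168.200.50"  # assumed workstations
    srv_a, srv_b = "192.168.100.1", "192.168.200.1"      # server's two NICs
    checks = {
        "A reaches server via its own subnet": decide(a_host, srv_a, rules) == "allow",
        "B reaches server via its own subnet": decide(b_host, srv_b, rules) == "allow",
        "A cannot reach a B workstation": decide(a_host, b_host, rules) == "deny",
        "B cannot reach an A workstation": decide(b_host, a_host, rules) == "deny",
        "A cannot reach the server's B-side NIC": decide(a_host, srv_b, rules) == "deny",
        "A still reaches the internet": decide(a_host, "203.0.113.10", rules) == "allow",
    }
    # The server straddles both subnets, so IP forwarding must stay disabled
    # on it; a firewall policy alone cannot enforce that part.
    return [name for name, ok in checks.items() if not ok]


if __name__ == "__main__":
    print("good policy failures:", audit(GOOD_RULES))
    print("bad policy failures:", audit(BAD_RULES))
```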
 

Author Comment

by:InterloperKO
ID: 20388479
Ok, thanks Jim :)
  I understand what you are saying. If I did that, is it possible to use the two servers as backup domain controllers for each other? It sounds crazy, but I'm wondering what the next best steps would be to configure something like that. This step is where I pretty much lost it lol. Any input would be appreciated.
0
 
LVL 4

Accepted Solution

by:mdefalco
mdefalco earned 468 total points
ID: 20389178
Yes, install one server as a domain controller, the 1st. Then when you install the second one, also promote that to a domain controller. You need to follow these steps from this website:

http://support.microsoft.com/kb/313994

Make sure not to remove the global catalog server from the old one. You want to have two. This means that when the 1st goes down, the second will allow people to log in to the domain. You can also set up FRS (File Replication Service) for any shared directories; this way they are backed up as well.

So in summary: install the first domain controller and configure it the way you want, set up shared directories and logins and all that. Test and make sure everything is working. Then set up the second computer, also make this a domain controller and set it up as a global catalog server. Configure FRS for replication of shared directories; find info about FRS here: http://support.microsoft.com/kb/840675

This should do it. Of course, make sure to back up everything to your NAS device nightly.
0
 

Author Comment

by:InterloperKO
ID: 20389217
Sweet Jim,
  I will try that. Thanks for being on the same level :D I might have newb questions in the process, if you don't mind :) but thanks for everything.
0
 
LVL 4

Expert Comment

by:mdefalco
ID: 20389552
No problem, I hope it works out for you.
0
 

Author Comment

by:InterloperKO
ID: 20466198
Ok Jim, :D
  I've set up the servers somewhat to your single-domain spec. How should the domain names be applied when installing the OS? I've never set up a forest before, though the links you sent were informative. Thanks, hope you're still around :)
0
 
LVL 4

Expert Comment

by:mdefalco
ID: 20469350
Normally when I set up a domain, I use the MS way of doing things. This means that if I work for microsoft.com then I would make my domain microsoft.local.
My first server name would be dc01 and my second dc02, so their FQDNs would be

dc01.microsoft.local and dc02.microsoft.local

Do not use the .com or .net or whatever unless you plan on having a live DNS server, which 90 percent of people do not. I hope that is what you are looking for.
0
 

Author Comment

by:InterloperKO
ID: 20470304
Yeah, I made
group1.ourbiz.local and group2.ourbiz.local
They both have dual Gb NICs.
I should disregard the extra NIC and use the firewall to VLAN the two servers and rule the clients from seeing each other? You mentioned the 192.168.100.x and 192.168.200.x scheme? How should I initially connect all clients to one server to set up OUs / permissions?
After that, use group2 as the backup domain controller?
I was leaning toward setting it up this way as well, because if using the dual NICs with separate subnets, in the event of a server or NIC failure, the whole subnet would be without the server and the internet. Whereas if I used the firewall to DHCP lease for all clients and use the DHCP redirect service from the servers to point to the firewall, if the server goes down the internet would still work. All of course IF you were telling me to do it this way lol
0
