Simple advice on topography deployment

I was to build 2 independent servers for a new facility with 2 departments. Now they've purchased software that all clients will need access to (SQL Server 2000 installed on one server with the site). Now I'm thinking about the best way to deploy. No more than 20 clients in each department. I don't plan on using Exchange at the moment. Should I make one domain and arrange clients in OUs? Or, should I use the VLAN option on the firewall and create 2 subnets (wondering if routing the SQL site to both would be a pain)? Or use 2 pairs of NICs in each server? Ideas? This is a flexible project and I'm a little rusty with servers (good with routing though). No rush, don't yell at me, just your intellectual input :D lol Thanks!

I'm sure I left out something. I just wanted to get this off. I'll stick around to respond quickly to whichever generous person may be writing.
Asked by InterloperKO
mdefalco commented:
What are the security concerns? Or, bandwidth concerns? What I mean is, if the two departments shouldn't be talking to each other, then VLANs with a firewall is a good idea, thus not allowing one subnet to talk to the other, but sharing an internet connection. This is quite normally something done for the financial or executive departments. And, sometimes Q&A will have their own subnet so their testing does not affect production servers.

But, if it is more simple than that, just two departments, I would create one domain and configure group security.

Hope that helps you a little, please feel free to ask me more detailed questions,

Jim
 
InterloperKO (author) commented:
Thanks Jim :)
Security: I'd rather not let the two departments see each other, but still both access one same website.
Bandwidth: Internet = not an issue. LAN topography = 2 closets, one for each department, with independent switches and star topography to clients (approx 30 each at max). 3 server-to-server CAT6 lines. One for a NAS to back up just about everything.
 
mdefalco commented:
Ok,

Then the two switches in the closets should connect to one main switch, using VLANs. This switch connects to a third VLAN for the servers. Then on the main switch you can set up the rules to disallow the VLANs from talking to each other, but also allow them to talk to the server VLAN.
The firewall will be placed on the internet connection. I am not sure if you need your server to be live on the Internet, or just local, so I don't know where you would put the firewall. Between the internet, obviously, but maybe one between the servers and the two VLANs. Just in case.

You should be able to do the routing for this pretty easily; I think Cisco switches are good for VLANs.

Jim
 
InterloperKO (author) commented:
Ok, my objective is to find out whether I should use the firewall attached to both servers with an extra NIC in each server for their independent LANs. This way the servers would be on the same subnet with the NAS unit and still share the SQL site (am I correct?) OR use a VLAN with each private LAN using the same network class addressing so both servers can talk.
On that point, would it be possible to use both servers to act as an Active Directory backup for each other assuming we had 2 domains, or one child domain??? Am I on the right page here?!?
OR should both servers and all clients with NAS be on the same subnet with one domain, using OUs to distinguish resources and use one of the servers strictly as a backup domain controller?
Thanks
 
InterloperKO (author) commented:
Thanks again Jim, just got your reply.
 
InterloperKO (author) commented:
It's just a local setup. The firewall I'm using has 4 ports and the ability to select which port you want to be what, i.e. LAN, VLAN, DMZ. I could use one LAN then the other VLAN, but use the same subnet addresses for both LANs and only permit the two servers to talk via the firewall's rules??? Is that right? I still want each LAN to have their own SharePoint sites, same internet, and share one internal website to both LANs. Pretty much the only objective :)
 
mdefalco commented:
The easiest thing to do is what you are thinking, with the server having two NICs. Two subnets; IIS will let you run a website with two IPs on different subnets, and SQL uses named pipes. This would work well. I believe you would keep all user data on the server, and back up the server to the SAN. I think this would work well.

Using one server as a main server and the other as a backup domain controller, that would work well. Give that two NICs and put it on the network. You can also set up SQL replication to this server so you can have a working copy of your SQL too. The website is easier since the files do not change too often; that's an easy restore.

Hope that helps,
 
InterloperKO (author) commented:
But with only one domain? Then why separate the two LANs? A little confused.
:D
 
mdefalco commented:
I thought you wanted them not to be able to talk to each other. This will be the case; you can tell the firewall to not allow traffic to talk from, let's say,
192.168.100.x to 192.168.200.x

The server will have IP addresses 192.168.100.1 and 192.168.200.1. So all users have access to SQL and IIS, but cannot talk to each other. They can have separate shared folders on the server with security by groups, each department in their own group. So they can never talk to each other, but have access to all resources. They can each talk to the server, but by using group security you can keep them out of each other's stuff, and allow them to share certain things if needed.

If you keep them on the same subnet, then they can see each other's computers, and anyone who thinks to open \\computername will see the other department's stuff. By disallowing that at the lower layer they can never talk to each other; they have to do it through the server, which you secure by groups.
Is that a little clearer? If not I will try to explain it differently.
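The firewall policy Jim describes (two department subnets that may each reach the dual-homed server but never each other) as an added example, not code from the thread or from any firewall product: a small first-match rule evaluator plus an audit that enumerates cross-department flows, and shows how placing the "allow to anywhere" rule above the deny silently opens the hole. All addresses and ports are constructed for illustration.

```python
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, NamedTuple, Optional, Tuple

class Rule(NamedTuple):
    action: str                       # "allow" or "deny"
    src: str                          # source network (CIDR)
    dst: str                          # destination network (CIDR)
    dports: Optional[FrozenSet[int]]  # None means any destination port

# Constructed addressing following the thread's 192.168.100.x / 192.168.200.x
# scheme; the dual-homed server is .1 on each department subnet.
DEPT_A, DEPT_B = "192.168.100.0/24", "192.168.200.0/24"
SERVER_A, SERVER_B = "192.168.100.1/32", "192.168.200.1/32"
SERVER_PORTS = frozenset({80, 445, 1433})  # IIS, file shares, SQL Server

# First-match policy: each department reaches only its own server NIC, all
# other internal traffic is dropped, and everyone may reach the Internet.
POLICY = [
    Rule("allow", DEPT_A, SERVER_A, SERVER_PORTS),
    Rule("allow", DEPT_B, SERVER_B, SERVER_PORTS),
    Rule("deny", "192.168.0.0/16", "192.168.0.0/16", None),
    Rule("allow", "192.168.0.0/16", "0.0.0.0/0", None),
]
# The classic mistake: the "allow to anywhere" rule placed above the deny.
MISORDERED = [POLICY[0], POLICY[1], POLICY[3], POLICY[2]]

def evaluate(policy: List[Rule], src: str, dst: str, dport: int) -> str:
    """Action of the first matching rule; unmatched flows are denied."""
    s, d = ip_address(src), ip_address(dst)
    for r in policy:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and (r.dports is None or dport in r.dports)):
            return r.action
    return "deny"

def cross_department_leaks(policy: List[Rule]) -> List[Tuple[str, str, int]]:
    """Audit: every sampled cross-department flow the policy lets through."""
    hosts_a = [f"192.168.100.{h}" for h in (1, 50, 254)]
    hosts_b = [f"192.168.200.{h}" for h in (1, 50, 254)]
    pairs = [(a, b) for a in hosts_a for b in hosts_b]
    pairs += [(b, a) for a, b in pairs]  # check both directions
    return [(src, dst, port) for src, dst in pairs
            for port in (80, 445, 1433, 3389)
            if evaluate(policy, src, dst, port) == "allow"]

if __name__ == "__main__":
    print("leaks in POLICY:", cross_department_leaks(POLICY))
    print("leaks in MISORDERED:", len(cross_department_leaks(MISORDERED)))
```

Traffic within one subnet never crosses the firewall, so this only models routed flows; the dual-homed server must also have IP forwarding disabled, or it becomes a router around these rules.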
 
InterloperKO (author) commented:
Ok, thanks Jim :)
I understand what you are saying. If I did that, is it possible to use the two servers as backup domain controllers for each other? It sounds crazy, but I'm wondering what the next best steps would be to configure something like that. This step is where I pretty much lost it lol. Any input would be appreciated.
 
mdefalco commented:
Yes, install one server as a domain controller, the 1st. Then when you install the second one, also promote that to a domain controller. You need to follow these steps from this website:

http://support.microsoft.com/kb/313994

Make sure not to remove the global catalog server from the old one. You want to have two. This means that when the 1st goes down, the second will allow people to log in to the domain. You can also set up FRS (File Replication Service) for any shared directories; this way they are backed up as well.

So in summary: install the first domain controller and configure it the way you want, set up shared directories and logins and all that. Test and make sure everything is working. Then set up the second computer, also make this a domain controller and set it up as a global catalog server. Configure FRS for replication of shared directories; find info about FRS here: http://support.microsoft.com/kb/840675

This should do it; of course make sure to back up everything to your NAS device nightly.
 
InterloperKO (author) commented:
Sweet Jim,
I will try that. Thanks for being on the same level :D I might have newb questions if you don't mind in the process :) but thanks for everything.
 
mdefalco commented:
No problem, I hope it works out for you.
 
InterloperKO (author) commented:
Ok Jim, :D
I've set up the servers somewhat to your single domain spec. How should the domain names be applied when installing the OS? I've never set up a forest before, though the links you sent were informative. Thanks, hope you're still around :)
 
mdefalco commented:
Normally when I set up a domain, I use the MS way of doing things. This means that if I work for microsoft.com then I would make my domain microsoft.local.
My first server name would be dc01 and my second dc02, so their FQDNs would be

dc01.microsoft.local and dc02.microsoft.local

Do not use .com or .net or whatever unless you plan on having a live DNS server, which 90 percent of people do not. I hope that is what you are looking for.
 
InterloperKO (author) commented:
Yeah, I made
group1.ourbiz.local and group2.ourbiz.local
They both have dual Gb NICs.
I should disregard the extra NIC and use the firewall to VLAN the two servers and rule the clients from seeing each other? You mentioned the 192.168.100.x and 192.168.200.x scheme? How should I initially connect all clients to one server to set up OUs / permissions?
After that, use group2 as the backup domain controller?
I was leaning toward setting it up this way as well because if using the dual NICs with separate subnets, in the event of a server or NIC failure, the whole subnet would be without the server and the internet. Whereas if I used the firewall to DHCP lease for all clients and use the DHCP redirect service from the servers to point to the firewall, if the server goes down the internet would still work. All of course IF you were telling me to do it this way lol