[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now


how to set server structure

Posted on 2009-04-13
Medium Priority
Last Modified: 2012-05-06
hi all

I plan to size servers and their roles for company (about 100 useres) now all is on one sbs2000 server.
I want to have: Two Domain conntrolers ( win2008 server std, exchange2007, and etc.(wsus, sharepoint services, Office comm. server)
I can't use EBS becouse in future i need to establish trust reletionships with others domains.
This is what i am thinking of (with using 3 physical machins: ISA(3 nics, DC with exch, DC1)

                                            |                        | internal NIC2  -> LAn clients
internet ->external NIC 1 |   ISA 2006      |
                                                 |                        | internal NIC3 -> LAN for servers (w2k8 DC with                exch2007,w2k8 DC1)

in this case i have servers protected from both internet and local and i think is a good solution.
BUT  in this a) ISA is very sensitive, what if isa fails? b) is in that possibility to doing exchange cluster without adding phisical machines?

i have read about instaling exch on DC.
i am not looking for general solution but a good advice and right path to future planing

What are Your suggestions mayby different structure??
maybe virtualize someting in this?

unfortunately this is a trial account sa propably i can't post it back to your posts
Question by:Userek
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
LVL 58

Expert Comment

ID: 24133059

Your proposed ISA configuration is one I would avoid. In separating the LAN from the servers via an ISA Server would require significant considerations in terms of routing between the two networks. You also place a rather large single point-of-failure into the network; if the ISA Server failed, you would lose connectivity between the LAN and the servers.

Instead, I'd suggest connecting the servers and LAN clients to the same switch. The ISA Server can then be connected to that switch and be used (with 2 NICs) as a gateway to the Internet. If necessary, you could segregate traffic using VLANs - a much more robust solution than an ISA Server to perform this routing.

An Exchange CCR (automated failover) or SCR (standby continuous replication) Cluster would require at least 2 installations of Exchange. With suitable server hardware, you can use virtualisation (such as VMWare) to virtualise two Exchange machines on the same server. This would give software resilience, while no hardware redundancy of Exchange in case of a hardware failure.


Author Comment

ID: 24133389
thank You for different look on my problem.

I totally agree, in my solution Isa is "large single point-of-failure into the network" and this is what i need
to do something on it and avoid isa fail down-  but what? cluster? or ... i dont know.
from the other hand this solution gives me a added protection for my servers (i mean DC, exch behind nic on isa) vs connecting servers direct to the lan as You mention
i met my solution couple of times in other enviroments implemented successfully (on other "it" portal)
in this doc http://www.isaserver.org/tutorials/Teaching-Boss-Network-ISA-Firewall-Part1.html 
part: Inter-network Access Control Solution this configuration on isa is sugessted and suported

What You mean in this: "In separating the LAN from the servers via an ISA Server would require significant considerations in terms of routing between the two networks"
please post details  on it.
LVL 58

Expert Comment

ID: 24136717

You could use multiple ISA servers if you wished, but this would add unnecessary complexity to the network. The point I was trying to make is rather than relying on hardware, such as switches and VLANs, to achieve routing and segregation in your network, you are relying on a software product. It is more likely for a more complicated software package to fail than it is for dedicated switching hardware to fail.

You can achieve the same result which you are achieving with ISA by purchasing a Layer 3 VLAN-capable switch, and configuring your servers and LAN on separate VLANs. Routing is then performed between VLANs, per the rules you configure, by the Layer 3 switch. ISA Server then sits on the outside, and acts as the gateway for the network.

ISA does give protection, and still would give protection. I'm not saying to remove the ISA Server from the deployment completely; I'm just saying to not use it for routing between servers and LAN, but instead, use it for the routing between the public network (Internet) and your internal network.


Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.


Author Comment

ID: 24137735

I agree and the fact is that is pretty good idea.
actually i'am looking on this capabilty on my dell powerconnect  2748 switch to decide what to choice from that two ideas.

of course Isa will be still a network point which needs to consider a redundancy.
LVL 58

Accepted Solution

tigermatt earned 2000 total points
ID: 24137936

The technical specifications show the switch supports VLANs: http://www.dell.com/content/products/productdetails.aspx/pwcnt_2748?c=us&cs=555&l=en&s=biz.

Whether it is a Layer 2 or Layer 3 switch remains to be seen; if it is Layer 2, you'd need a separate router device to enable routing between the VLANs. The point I am making is that using hardware to do this, rather than using an ISA Server, will be much more reliable, will be a LOT less likely to fail, and will be a much simpler configuration to handle (which indirectly contributes to the reliability).


Author Comment

ID: 24138308
unfortunately its Layer 2 and the third party router will be needed
OK sa ganerally speaking i will consider it all and so on.

Thank You for Your opinion and help
LVL 58

Expert Comment

ID: 24138452

Why the auto-close request, and why am I only receiving 200 points? I believe I have answered your question as fully as possible within the realms of this particular question.

Author Comment

ID: 24145359
sorry my fault with point - should be 500 is it correct? I agree that Your answers was helpfull
LVL 58

Expert Comment

ID: 24149762

Thank-you :-)

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

My purpose is to describe the basic concepts of virtual memory as implemented in a modern Windows-based operating system. I will also describe the problems inherent in older systems and how virtual memory solves them. The dark ages - before virtu…
The password reset disk is often mentioned as the best solution to deal with the lost Windows password problem. In Windows 2008, 7, Vista and XP, a password reset disk can be easily created. But besides Windows 7/Vista/XP, Windows Server 2008 and ot…
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question