Solved

how to set server structure

Posted on 2009-04-13
Last Modified: 2012-05-06
Hi all,

I plan to size servers and their roles for a company (about 100 users); right now everything is on one SBS 2000 server.
I want to have: two domain controllers (Win2008 Server Std, Exchange 2007, etc. (WSUS, SharePoint Services, Office Comm. Server)).
I can't use EBS because in the future I need to establish trust relationships with other domains.
This is what I am thinking of, using 3 physical machines: ISA (3 NICs), DC with Exch, DC1:

                              |          | internal NIC2 -> LAN clients
internet -> external NIC 1    | ISA 2006 |
                              |          | internal NIC3 -> LAN for servers (W2K8 DC with Exch2007, W2K8 DC1)

In this case I have the servers protected from both the Internet and the local network, and I think it is a good solution.
BUT in this case: a) ISA is very sensitive; what if ISA fails? b) Is it possible to do an Exchange cluster without adding physical machines?

I have read about installing Exchange on a DC.
I am not looking for a general solution but for good advice and the right path for future planning.

What are your suggestions? Maybe a different structure?
Maybe virtualize something in this?

Unfortunately this is a trial account, so probably I can't post back to your posts.
Drawing1.pdf
Question by:Userek
10 Comments
 
LVL 58

Expert Comment

by:tigermatt
ID: 24133059

Your proposed ISA configuration is one I would avoid. In separating the LAN from the servers via an ISA Server would require significant considerations in terms of routing between the two networks. You also place a rather large single point-of-failure into the network; if the ISA Server failed, you would lose connectivity between the LAN and the servers.

Instead, I'd suggest connecting the servers and LAN clients to the same switch. The ISA Server can then be connected to that switch and be used (with 2 NICs) as a gateway to the Internet. If necessary, you could segregate traffic using VLANs - a much more robust solution than an ISA Server to perform this routing.

An Exchange CCR (automated failover) or SCR (standby continuous replication) Cluster would require at least 2 installations of Exchange. With suitable server hardware, you can use virtualisation (such as VMware) to virtualise two Exchange machines on the same server. This would give software resilience, but no hardware redundancy for Exchange in case of a hardware failure.

-Matt
0
 

Author Comment

by:Userek
ID: 24133389
OK,
thank you for a different look at my problem.

I totally agree, in my solution ISA is a "large single point-of-failure into the network", and this is what I need
to do something about to avoid ISA going down, but what? A cluster? Or ... I don't know.
On the other hand, this solution gives me added protection for my servers (I mean DC, Exch behind a NIC on ISA) vs. connecting the servers directly to the LAN as you mention.
I have met my solution a couple of times in other environments, implemented successfully (on another "IT" portal).
In this doc, http://www.isaserver.org/tutorials/Teaching-Boss-Network-ISA-Firewall-Part1.html
in the part "Inter-network Access Control Solution", this configuration on ISA is suggested and supported.

What do you mean by this: "In separating the LAN from the servers via an ISA Server would require significant considerations in terms of routing between the two networks"?
Please post details on it.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24136717

You could use multiple ISA servers if you wished, but this would add unnecessary complexity to the network. The point I was trying to make is rather than relying on hardware, such as switches and VLANs, to achieve routing and segregation in your network, you are relying on a software product. It is more likely for a more complicated software package to fail than it is for dedicated switching hardware to fail.

You can achieve the same result which you are achieving with ISA by purchasing a Layer 3 VLAN-capable switch, and configuring your servers and LAN on separate VLANs. Routing is then performed between VLANs, per the rules you configure, by the Layer 3 switch. ISA Server then sits on the outside, and acts as the gateway for the network.

ISA does give protection, and still would give protection. I'm not saying to remove the ISA Server from the deployment completely; I'm just saying to not use it for routing between servers and LAN, but instead, use it for the routing between the public network (Internet) and your internal network.

-Matt
0
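
The trade-off discussed in the comments above, worked through as an added example (not part of any post in this thread): each design is modelled as a small graph, and every forwarding device is failed in turn to see which traffic flows are lost. The node names and the two flows checked are assumptions made for the illustration.

```python
from collections import deque

# Constructed models of the two designs in the thread (node names are assumed).
# Design A: ISA with three NICs routes between Internet, client LAN and server LAN.
DESIGN_ISA_3NIC = {
    "internet": ["isa"],
    "isa": ["internet", "clients", "servers"],
    "clients": ["isa"],
    "servers": ["isa"],
}
# Design B: a Layer 3 switch routes between the client and server VLANs;
# ISA (two NICs) is only the gateway to the Internet.
DESIGN_L3_SWITCH = {
    "internet": ["isa"],
    "isa": ["internet", "l3switch"],
    "l3switch": ["isa", "clients", "servers"],
    "clients": ["l3switch"],
    "servers": ["l3switch"],
}
# Flows the business depends on (assumed for this example).
FLOWS = [("clients", "servers"), ("clients", "internet")]


def reachable(graph, src, dst, failed):
    """Breadth-first search from src to dst that never crosses the failed node."""
    if failed in (src, dst):
        return False
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in graph[node]:
            if nxt != failed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def failure_impact(graph, flows=FLOWS):
    """Return {device: [flows lost]} for a failure of each forwarding device alone."""
    endpoints = {name for flow in flows for name in flow}
    return {
        device: [f for f in flows if not reachable(graph, *f, failed=device)]
        for device in graph
        if device not in endpoints
    }


if __name__ == "__main__":
    for name, design in (("ISA 3-NIC", DESIGN_ISA_3NIC), ("L3 switch", DESIGN_L3_SWITCH)):
        print(name, failure_impact(design))
```

In the second design an ISA failure costs only Internet access, while the switch becomes the device every flow depends on.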
 

Author Comment

by:Userek
ID: 24137735
OK,

I agree, and the fact is that it is a pretty good idea.
Actually I am looking into this capability on my Dell PowerConnect 2748 switch to decide which of the two ideas to choose.

Of course ISA will still be a network point for which redundancy needs to be considered.
THX
0
 
LVL 58

Accepted Solution

by:
tigermatt earned 500 total points
ID: 24137936

The technical specifications show the switch supports VLANs: http://www.dell.com/content/products/productdetails.aspx/pwcnt_2748?c=us&cs=555&l=en&s=biz.

Whether it is a Layer 2 or Layer 3 switch remains to be seen; if it is Layer 2, you'd need a separate router device to enable routing between the VLANs. The point I am making is that using hardware to do this, rather than using an ISA Server, will be much more reliable, will be a LOT less likely to fail, and will be a much simpler configuration to handle (which indirectly contributes to the reliability).

-Matt
0
 

Author Comment

by:Userek
ID: 24138308
Unfortunately it's Layer 2, and a third-party router will be needed.
OK, so generally speaking I will consider it all, and so on.

Thank you for your opinion and help.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24138452

Why the auto-close request, and why am I only receiving 200 points? I believe I have answered your question as fully as possible within the realms of this particular question.
0
 

Author Comment

by:Userek
ID: 24145359
Sorry, my fault with the points - should be 500, is that correct? I agree that your answers were helpful.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 24149762

Thank-you :-)
0
