Solved

how to set server structure

Posted on 2009-04-13
10
300 Views
Last Modified: 2012-05-06
hi all

I plan to size servers and their roles for company (about 100 useres) now all is on one sbs2000 server.
I want to have: Two Domain conntrolers ( win2008 server std, exchange2007, and etc.(wsus, sharepoint services, Office comm. server)
I can't use EBS becouse in future i need to establish trust reletionships with others domains.
This is what i am thinking of (with using 3 physical machins: ISA(3 nics, DC with exch, DC1)

                                            |                        | internal NIC2  -> LAn clients
internet ->external NIC 1 |   ISA 2006      |
                                                 |                        | internal NIC3 -> LAN for servers (w2k8 DC with                exch2007,w2k8 DC1)

in this case i have servers protected from both internet and local and i think is a good solution.
BUT  in this a) ISA is very sensitive, what if isa fails? b) is in that possibility to doing exchange cluster without adding phisical machines?

i have read about instaling exch on DC.
i am not looking for general solution but a good advice and right path to future planing

What are Your suggestions mayby different structure??
maybe virtualize someting in this?

unfortunately this is a trial account sa propably i can't post it back to your posts
Drawing1.pdf
0
Comment
Question by:Userek
  • 5
  • 4
10 Comments
 
LVL 58

Expert Comment

by:tigermatt
Comment Utility

Your proposed ISA configuration is one I would avoid. In separating the LAN from the servers via an ISA Server would require significant considerations in terms of routing between the two networks. You also place a rather large single point-of-failure into the network; if the ISA Server failed, you would lose connectivity between the LAN and the servers.

Instead, I'd suggest connecting the servers and LAN clients to the same switch. The ISA Server can then be connected to that switch and be used (with 2 NICs) as a gateway to the Internet. If necessary, you could segregate traffic using VLANs - a much more robust solution than an ISA Server to perform this routing.

An Exchange CCR (automated failover) or SCR (standby continuous replication) Cluster would require at least 2 installations of Exchange. With suitable server hardware, you can use virtualisation (such as VMWare) to virtualise two Exchange machines on the same server. This would give software resilience, while no hardware redundancy of Exchange in case of a hardware failure.

-Matt
0
 

Author Comment

by:Userek
Comment Utility
ok
thank You for different look on my problem.

I totally agree, in my solution Isa is "large single point-of-failure into the network" and this is what i need
to do something on it and avoid isa fail down-  but what? cluster? or ... i dont know.
from the other hand this solution gives me a added protection for my servers (i mean DC, exch behind nic on isa) vs connecting servers direct to the lan as You mention
i met my solution couple of times in other enviroments implemented successfully (on other "it" portal)
in this doc http://www.isaserver.org/tutorials/Teaching-Boss-Network-ISA-Firewall-Part1.html
part: Inter-network Access Control Solution this configuration on isa is sugessted and suported

What You mean in this: "In separating the LAN from the servers via an ISA Server would require significant considerations in terms of routing between the two networks"
please post details  on it.
0
 
LVL 58

Expert Comment

by:tigermatt
Comment Utility

You could use multiple ISA servers if you wished, but this would add unnecessary complexity to the network. The point I was trying to make is rather than relying on hardware, such as switches and VLANs, to achieve routing and segregation in your network, you are relying on a software product. It is more likely for a more complicated software package to fail than it is for dedicated switching hardware to fail.

You can achieve the same result which you are achieving with ISA by purchasing a Layer 3 VLAN-capable switch, and configuring your servers and LAN on separate VLANs. Routing is then performed between VLANs, per the rules you configure, by the Layer 3 switch. ISA Server then sits on the outside, and acts as the gateway for the network.

ISA does give protection, and still would give protection. I'm not saying to remove the ISA Server from the deployment completely; I'm just saying to not use it for routing between servers and LAN, but instead, use it for the routing between the public network (Internet) and your internal network.

-Matt
0
 

Author Comment

by:Userek
Comment Utility
ok

I agree and the fact is that is pretty good idea.
actually i'am looking on this capabilty on my dell powerconnect  2748 switch to decide what to choice from that two ideas.

of course Isa will be still a network point which needs to consider a redundancy.
THX
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 
LVL 58

Accepted Solution

by:
tigermatt earned 500 total points
Comment Utility

The technical specifications show the switch supports VLANs: http://www.dell.com/content/products/productdetails.aspx/pwcnt_2748?c=us&cs=555&l=en&s=biz.

Whether it is a Layer 2 or Layer 3 switch remains to be seen; if it is Layer 2, you'd need a separate router device to enable routing between the VLANs. The point I am making is that using hardware to do this, rather than using an ISA Server, will be much more reliable, will be a LOT less likely to fail, and will be a much simpler configuration to handle (which indirectly contributes to the reliability).

-Matt
0
 

Author Comment

by:Userek
Comment Utility
unfortunately its Layer 2 and the third party router will be needed
OK sa ganerally speaking i will consider it all and so on.

Thank You for Your opinion and help
0
 
LVL 58

Expert Comment

by:tigermatt
Comment Utility

Why the auto-close request, and why am I only receiving 200 points? I believe I have answered your question as fully as possible within the realms of this particular question.
0
 

Author Comment

by:Userek
Comment Utility
sorry my fault with point - should be 500 is it correct? I agree that Your answers was helpfull
0
 
LVL 58

Expert Comment

by:tigermatt
Comment Utility

Thank-you :-)
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

by Nathan Brom/Bromy2004 Introduction There are numerous websites out there for any different type of program you can imagine.  Of those, you'll need to decide which ones are legitimate and aren't trying to steal your money or infect your comput…
The password reset disk is often mentioned as the best solution to deal with the lost Windows password problem. In Windows 2008, 7, Vista and XP, a password reset disk can be easily created. But besides Windows 7/Vista/XP, Windows Server 2008 and ot…
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now