
Domain Structure Design

Posted on 2012-03-28
Last Modified: 2012-04-02
Good day everyone. I have a very general question that I have been contemplating in the company I work for.

We currently have an online application (constructed of ASP.NET and C Sharp) which runs on IIS 6 and links to a MS SQL 2005 server database for querying purposes only. No input is made through the online application. Only used for reporting purposes. This application is on a Windows 2008 R2 Server.

We also currently use SQL database to manage all of the accounts that log in to the application.

We currently also have Windows 2008 R2 server that acts as our fileserver. Finally have a Windows 2003 Server as our DC.

We are looking at bringing all of this up to standards as we carry sensitive data that must meet HIPAA and FERPA requirements.

We are looking at hosting all of this to Rackspace and setting all of this in one server with three VM environments. One for DC (AD), another for SQL, and third for IIS. We would like to use AD in our new environment to handle all logon credentials.

Questions are as follows:

1) Would AD be adequate to manage accounts for something like this when most of our users are external, and we have about 1500 accounts but only about 350 active users (bad user management) that login to the online application only?

2) Would we need a failover server with all three VMs mirrored as disaster recovery since Rackspace offers 2 hour turnaround on disaster recovery?

3) Could we place our DC and AD on Rackspace and be able to authenticate our computers to it from our office (for the employees only)?

4) Finally, would it be smart to have a secondary DC in a hosted environment such as this?

Please let me know any thoughts or opinions aside from these questions as this is a venture I would like to proceed with, if viable.

Thank you
Question by:mig1980
Accepted Solution

by:
Michael W. Krout earned 500 total points
ID: 37779417
1) Would AD be adequate to manage accounts for something like this when most of our users are external, and we have about 1500 accounts but only about 350 active users (bad user management) that login to the online application only?

Active Directory could be overkill, but you could use Active Directory Lightweight Directory Services. This is an LDAP server giving you the ability to track users and so forth. Active Directory would be used more in an in-house environment. Not saying that you cannot run it in the cloud. Another solution would be to run this in an Office 365 environment. You need to make sure you have a very secure environment for HIPAA and FERPA. The requirements are pretty stringent. Is there a reason to put it in the cloud? You might want to consider using Hyper-V because it is free on Windows Server 2008 R2. I am not sure what you are considering.

2) Would we need a failover server with all three VMs mirrored as disaster recovery since Rackspace offers 2 hour turnaround on disaster recovery?  

That is a given. You always want to have a failover scenario. This can be accomplished easily in Office 365 because they house all of the servers. It provides you with a 99.9% SLA. If you are doing it in Rackspace, make sure you look at the SLA and what they have to offer with failover.

3) Could we place our DC and AD on Rackspace and be able to authenticate our computers to it from our office (for the employees only)?

The only way you will be able to do this is to make sure you have a strong pipe and a persistent connection. Anything is possible, but the cost is a factor. I would recommend housing AD in house and not on Rackspace. You are looking at a security disaster. You could do this:

2 DC's inhouse
1 AD LDS (Active Directory Lightweight Directory Services) in a DMZ with AdamSync enabled to update accounts on the outside and the inside (authentication for web application)

The 2 DCs in house will provide the authentication for the internal users. The AD LDS server is the authentication for the web application.

4) Finally, would it be smart to have a secondary DC in a hosted environment such as this?

Always have at least 2 DCs to provide redundancy. Remember that AD uses multi-master replication and you can update any DC. Not having an additional DC leaves you with an environment that is not fault tolerant. Make sure that you look at the placement of your FSMO roles. Schema Master and Domain Naming Master are forest-wide. PDC Emulator, RID Master and Infrastructure Master are domain-wide. If you lose these then your environment will be hindered. When you have two or more DCs you can recover from a DC failure.

Let me know if you need more clarification.  

Idea Dudes
25-Steps-to-Recover-a-Downed-Dom.pdf
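The answer above leans on two things an operator should be able to verify before trusting a domain: that at least two writable DCs exist, and that every FSMO role sits on a DC that is actually alive. The PowerShell below is an added example, not part of the original thread; it assumes the ActiveDirectory RSAT module on a domain-joined admin machine and that repadmin is installed, and it prints the role holders, warns on missing redundancy or a role held by a dead DC, and finishes with a replication summary.

```powershell
# Added example (not from the original thread): check DC redundancy, FSMO role
# placement and replication health before adding or moving domain controllers.
# Assumes the ActiveDirectory RSAT module and a domain-joined admin workstation.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles come from Get-ADForest, domain-wide roles from Get-ADDomain.
$fsmo = @{
    'Schema Master (forest)'         = $forest.SchemaMaster
    'Domain Naming Master (forest)'  = $forest.DomainNamingMaster
    'PDC Emulator (domain)'          = $domain.PDCEmulator
    'RID Master (domain)'            = $domain.RIDMaster
    'Infrastructure Master (domain)' = $domain.InfrastructureMaster
}
$fsmo.GetEnumerator() | Sort-Object Key | ForEach-Object {
    '{0,-32} {1}' -f $_.Key, $_.Value
}

# Redundancy: fewer than two writable DCs means one failure takes the domain down.
$dcs = @(Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly })
if ($dcs.Count -lt 2) {
    Write-Warning ("Only {0} writable DC(s) found; add a second DC before relying on this domain." -f $dcs.Count)
}

# Every role holder must be a writable DC that still exists. A role held by a DC
# that is gone is the situation the attached recovery document deals with, and the
# fix is to seize the role on a surviving DC, not to wait for the dead one.
$liveHosts = $dcs | ForEach-Object { $_.HostName }
$holders   = $fsmo.Values | Sort-Object -Unique
$missing   = 0
foreach ($h in $holders) {
    if ($liveHosts -notcontains $h) {
        Write-Warning "FSMO holder $h is not a live writable DC; transfer or seize its roles."
        $missing++
    }
}
if ($holders.Count -eq 1 -and $dcs.Count -ge 2) {
    # Legal, and common in a small domain, but worth knowing: one box holds every role.
    Write-Host ("All five roles are on {0}; a second DC can take them over if it fails." -f $holders)
}
if ($dcs.Count -ge 2 -and $missing -eq 0) { Write-Host 'DC count and FSMO placement look sane.' }

# Replication summary across all DCs (repadmin ships with the AD DS role / RSAT).
# Any DC showing persistent failures here is not a usable second copy of the domain.
repadmin /replsummary
```

Run it from a second DC or an admin workstation, not from the DC whose health you are questioning. The role placement printed is the same information `netdom query fsmo` gives, but having it next to the live DC list is what lets the script tell you that a role holder no longer exists.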

Author Comment

by:mig1980
ID: 37779483
Thank you so much for the in-depth response. I have a little clarification to make on question number 3. I stated authenticating to AD at Rackspace, but now we are thinking of completely isolating the Rackspace environment and having that AD only authenticate external users accessing the web application.

We are thinking of creating another domain in-house and having AD configured to authenticate employees to that.

We are not looking at placing our web application environment in a shared "Cloud" environment. Rackspace offers managed hosting which is different from their cloud hosting in that it would be a private cloud solution with server configuration, and fully managed.

Would it make sense to completely isolate our web app from our internal domain and manage two separate domains in such a small environment?

We are essentially looking for the most secure and practical environment for our needs. Any suggestions on how this should be designed/configured would be greatly appreciated.
Expert Comment

by:Michael W. Krout
ID: 37779519
Again, you can do an in-house AD setup and then use AD LDS to provide the authentication for the web environment. You can then keep synergy between the web application and the internal AD. You can add users into AD and have them available from within AD LDS. Using AD LDS provides an LDAP service just like AD without the domain controller. You can then sync up the two directories using ADAMSync. This is the bridge between AD and AD LDS. AD LDS does not have to be on a domain controller, and you can provide secure communications through port 50636 or another port of your choice.

Does this make sense or do you need more clarification?

Idea Dudes
Author Comment

by:mig1980
ID: 37782854
With AD LDS could we manage permissions for external users in a way that would allow us to show or hide certain areas of the web application or allow us to grant access to certain areas for some and other areas for others?

Also, all good ideas above and suggestions. Would it be possible for a detailed breakdown of what we would need to make the above happen and where I could find install/configuration information for each of the steps (hardware, software, etc)

I will be raising the point award for this question to 500 since it has become a larger question.

Thank you

Author Comment

by:mig1980
ID: 37782860
Points increased to 500
Assisted Solution

by:Michael W. Krout
Michael W. Krout earned 500 total points
ID: 37783510
Yes, you can manage permissions just like AD. The AD LDS server is installed using Server Manager on Windows Server 2008 or R2. The configuration for your website will take a little bit of time to design. I would talk to your development folks. That includes getting ADAMSync configured. This should give you a start.

Does this help?

Idea Dudes
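Two points in this thread deserve working code: the earlier reply's note that the web tier should talk to AD LDS over the secure port (50636), and the exchange just above about using the directory to decide which areas of the application a given external user sees. The PowerShell below is an added example, not code from the thread or from Microsoft; it uses the .NET System.DirectoryServices.Protocols classes the ASP.NET application would also use. The host name, partition DN, group names and the user `jdoe` are assumptions for illustration. It proves the password by binding as the user over LDAPS (the application never reads or compares a password itself), then reads the user's `memberOf` and maps groups to application areas.

```powershell
# Added example (not from the original thread): a web-tier check that proves an
# external user's password by binding to AD LDS over LDAPS on 50636, then reads the
# user's groups to decide which parts of the reporting application to show.
# Host name, partition DN, group DNs and the user are assumptions for illustration.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$ldsServer = 'lds01.dmz.example.com'          # assumed AD LDS host in the DMZ
$ldsPort   = 50636                             # LDAPS port chosen when the instance was created
$partition = 'CN=WebApp,DC=example,DC=com'     # assumed application directory partition

function Test-LdsLogon {
    param(
        [string]$UserDn,
        [System.Security.SecureString]$Password
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($ldsServer, $ldsPort)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $true   # TLS is negotiated before the bind is sent
    # No VerifyServerCertificate override here, so default chain validation stays on.
    # Disabling it to silence a self-signed DMZ certificate would let anyone on the
    # path read the password and impersonate the directory.
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind
    $conn.Credential = New-Object System.Net.NetworkCredential($UserDn, $Password)
    try {
        $conn.Bind()      # AD LDS checks the password; the app never sees or stores it
        return $conn
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        # 49 = invalidCredentials. Log the detail, show the user one generic failure.
        Write-Warning ("Bind failed for {0}: LDAP error {1}" -f $UserDn, $_.Exception.ErrorCode)
        $conn.Dispose()
        return $null
    }
}

function Get-LdsGroups {
    param(
        [System.DirectoryServices.Protocols.LdapConnection]$Conn,
        [string]$UserDn
    )
    # Base-scope read of the user's own object; memberOf is a back-link AD LDS maintains.
    $scope = [System.DirectoryServices.Protocols.SearchScope]::Base
    $req   = New-Object System.DirectoryServices.Protocols.SearchRequest($UserDn, '(objectClass=*)', $scope, @('memberOf'))
    $resp  = $Conn.SendRequest($req)
    if ($resp.Entries.Count -eq 0 -or -not $resp.Entries[0].Attributes.Contains('memberOf')) {
        return @()
    }
    return @($resp.Entries[0].Attributes['memberOf'].GetValues([string]))
}

# Authorization mapping lives in the application: one AD LDS group per area of the site.
# Adding a user to a group in the directory (or via ADAMSync from internal AD) is what
# turns an area on for them; the code itself never needs to change.
$areaGroups = @{
    'FinancialReports' = "CN=App-FinancialReports,CN=Roles,$partition"
    'ClinicalReports'  = "CN=App-ClinicalReports,CN=Roles,$partition"
    'StudentRecords'   = "CN=App-StudentRecords,CN=Roles,$partition"
}

$userDn = "CN=jdoe,CN=Users,$partition"        # assumed external user
$conn = Test-LdsLogon -UserDn $userDn -Password (Read-Host -AsSecureString "Password for $userDn")
if ($conn) {
    $groups  = Get-LdsGroups -Conn $conn -UserDn $userDn
    $visible = $areaGroups.GetEnumerator() |
        Where-Object { $groups -contains $_.Value } |
        ForEach-Object { $_.Key }
    "Areas to render for ${userDn}: " + (($visible | Sort-Object) -join ', ')
    $conn.Dispose()
}
```

Two caveats worth knowing before wiring this into IIS. AD LDS refuses unencrypted simple binds by default, so the 50636 LDAPS listener (with a certificate the web server trusts) is a requirement of this pattern, not an option. And because authorization is driven by group membership, the 1500-versus-350 account hygiene problem from the question becomes an authorization problem too: an account that should have been disabled but still sits in a Roles group still gets its reports, so pruning the AD LDS partition (or the ADAMSync source OU) belongs in the same review as password policy.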