Network Infrastructure Overhaul - Small Business needs to work like Big Business - Coherent Multi-Site Setup RRS feed

  • General discussion

  • We are a small company in the process of re-architecting our infrastructure (probably to a “big company” architecture) and I’m seeking some guidance on best practices for a coherent multi site set-up.  We also need to ensure that whatever we deploy will serve us well for various security accreditations such as ISO27001.


    Current Situation

    ·         Two sites: HQ (offices) and Co-Lo presence (datacenter - DC).

    o   HQ provides admin, development roles etc.

    o   Co-Lo provides hosting for servers that we manage for clients.

    §  All servers are web-facing.

    §  Most are physical servers deployed behind individual firewalls.

    §  Some VMs deployed behind a shared firewall.

    §  Servers at DC are managed via Remote Desktop via internet and IP restriction

    §  Servers at DC are “islands”, separated by firewalls, not connected to a domain.

    ·         HQ currently uses Small Business Server 2003 (SBS)


    Desired Situation

    ·         Configure two-way SAN replication between HQ and DC via VPN from x2 Cisco ASA firewalls to facilitate disaster recovery.  (We are setting up separate ISCSI networks at each site and will join together with a VPN to support replication)

    ·         Ability for HQ or DC workload to be “spun up” at other site in case of DR scenario.  Minimal configuration is OK at this stage – doesn’t need to be fully automatic.

    ·         SAN to act as storage fabric for workloads at HQ and DC

    ·         Set up Hyper-V High Availability (HA) cluster at DC – we’ve got plenty of info on this.

    ·         Migrate physical machines at DC to be VMs on top of Hyper-V HA

    ·         Have machines at DC connect to a domain (probably not our HQ domain?) to support the use of Group Policy, Single Passwords for Admins etc.

    ·         Consolidate servers behind a single firewall set-up (i.e. remove “islands” of functionality behind multiple firewalls)

    ·         Centralized event logging from all devices to comply with ISO27001.

    ·         Create a separate “management” domain (e.g. for firewall management ports and other “out of band” management ports (probably separated from our HQ production network?)

    ·         Make use of our “internal use” software licences provided by the MS “Action Pack” wherever possible.

    ·         Upgrade SBS 2003 to SBS 2008 (or Essentials – if appropriate).


    Future Aims

    ·         Expand DC HA Cluster to be a Geographic HA cluster with nodes at HQ


    We have three security contexts:

    ·         (HQ) Users (Admin Staff, Server Administrators, Developers, Designers etc.)

    ·         (DC) Dedicated Hosting with Special Security Requirements

    ·         (DC) Shared Hosting with less strict security concerns

    With the above background in mind, these are the challenges that I am looking for guidance on:

    How many network ranges should be implemented?

    I think that from a separation perspective we probably require the following network ranges:

    ·         HQ – ISCI

    ·         HQ – Production

    ·         HQ – Out of Band Management Network

    ·         HQ – DMZ

    ·         DC – ISCSI

    ·         DC – Out of Band Management Network

    ·         DC – DMZ/Dedicated Hosting servers with special security requirements.

    ·         DC – DMZ/Shared Hosting serves

    I would think a class C would keep us going on each of the above for the time being (wouldn’t mind future-proofing the hosting ranges to accommodate more than the 253 machines.  Would it be more sensible to go for a class B?).

    However, this is a significant leap forward from where we are now, and it feels like the above probably over complicates things – any views / alternative suggestions would be welcome.  Is there a way that we could route all of the site-to-site traffic down a single VPN tunnel –I’m hoping that we’d not need to set up multiple tunnels for the various relationships that we needed.  Should we be looking at “spanning” a network range between the two sites – or will Windows domains work fine using multiple network ranges tunneled via a VPN.

    How many windows domains should we implement?

    Way back in the days of NT4 web server admin, I recall that the recommendation was that Web Servers should never be a member of a domain - and this has kind of stuck with me ever since.  However, things have moved on now, and I think there’s more benefits to be had (group policy, single logins, central event logging etc.) if the web servers we host for clients were joined to a domain.  However, part of me is still a little uncomfortable with the idea of these servers being joined to our HQ domain.  My feeling is that we should perhaps create a DMZ domain that spans the DC and the DMZ range at our HQ. 

    From what I understand this probably means we’d need a separate domain controller to our SBS 2008 install.  AFAIK, SBS only supports one domain.  I guess best practice would be to have a secondary DC at the alternate location to (e.g. PDC for DMZ located at DC, BDC located at HQ).

    If we opted for two domains, my next question would be.  How do we make connecting to servers from users on our network as straightforward as possible?  Would we need to set up domain trusts (probably not possible with SBS2008) in order to allow administrators located on our HQ production network the ability to log on to the DMZ domain.  I’m guessing that best practice would probably be for them to have a separate account on the other domain? We’d then be managing two accounts, which I’d ultimately like to avoid.

    Any background reading advice for this would be welcome. I guess that there’s some AD planning docs – can anyone recommend a suitable one?  My background is a bit strange in that I kind of missed the launch of AD in Windows 2000 – my experience centers around NT4 and then 2003 (2000 kind of got missed) and my AD experience in 2003 is limited to tweaks of our SBS2003 AD set-up.  So "AD Architechting for dummies" is probably the way to go  for me ;)


    How will domain traffic get on with all those network ranges?
    I’ve heard that domain traffic is not that straightforward to configure through a firewall.  Can anyone suggest some guidance as to what we need to set up for everything to be “happy”?


    How to segregating multiple servers connected to the same domain?

    If servers that were previously isolated behind separate firewalls are connected together and joined to the same network / domain, how should we go about preventing machine A communicating with machine B?  The scenario I’m thinking of here is: previously, a compromise on machine A could not affect machine B, however, when they then are joined to the same network, it becomes possible.  I guess this is the same question faced by many ISPs – e.g. they have a bunch of servers behind a single firewall, but they don’t want customer A’s server to communicate with customer B’s server.  I think the solution is to be found in VLANs – however it’s something I’ve never quite been able to grasp – any recommended docs greatly received.


    Would Multiple Domains Mean Multiple Purchases of Software?
    We’re looking to invest in software such as SCVMM.  Ideally, we’d like the software to work across all domains and network ranges.  Is this likely to be possible, or would we need to purchase SCVMM for our HQ domain, and for the DMZ domain?

    How to restrict access to out of band management interfaces?

    My feeling here is that we would just configure a group of IPs that are allocated to System Admin PCs on the network (perhaps via DHCP tied to MAC address) – ideally, the computer’s IP address would be allocated based on the domain account (but I don’t think that’s possible).  We would then set up firewall rules to permit certain PCs to access the various out of band management ports.

    I appreciate that this is quite a wide topic / set of questions, however, I’m looking for somewhere to bounce ideas off and seek feedback regarding best practice.  I hope that this is the right place, and am grateful of any help that you can offer.

    • Changed type Kevin Remde Friday, June 18, 2010 10:50 AM many questions and no one right answer
    Thursday, June 17, 2010 6:01 PM

All replies

  • Wow... that's a big laundry list.  :)

    In future you might want to break down this kind of post into multiple posts, and really just ask one question in each.  (In fact, I think I'll change the "type" of this thread to be a general discussion, as there are so many questions here, and really no one correct answer for any of them.)

    Let me try to address a couple of them:

    "How many windows domains should we implement?"

    It depends on how much of a security boundary you need to maintain between HQ and DC resources.  Are you configuring accounts for all of your customers and their web applications you're hosting?  Are you concerned that someone managing resources at the DC should have absolutely no ability to mess with anything in your company's domain?  And if you're looking for a security boundary, the question really should be "How many forests should we implement?"

    You are right that you'll need to do something other than SBS if you want multiple domains.  But if it's just a matter of a new domain, you can simply create it on seperate servers. (No.. there will be NO trust relationship possible to the SBS domain.  That's not allowed, either.)  I'd say that, if you're not managing authentication for your customers on those DC servers, you should just keep your SBS domain at HQ and have a domain at your data center.

    SCVMM can manage Hyper-V hosts that are not domain members, or not members of the same domain that the SCVMM machine is a part of.  So as long as you have the networking configured properly between your HQ and DC, you should be able to run your SCVMM from your HQ domain. 

    I'm going to leave the networking questions to someone more experienced in the kind of configuration you're looking for, but I do suggest that you consider how something like "Server and Domain Isolation" using IPSec could help you set and enforce boundaries between servers.  (NOTE: This is much easier to implement if you're running Windows Server 2008 or newer, as the Advanced Firewall makes it easy.  Otherwise IPSec can be a pain to configure.)  This kind of enforced isolation is the foundation of one form of "NAP" (Network Access Protection).  Check out Thomas Shinder's excellent articles on the subject: 

    I hope this helps, and I'm looking forward to seeing what the rest of you recommend here.




    Kevin Remde US IT Evangelism - Microsoft Corporation
    Friday, June 18, 2010 10:50 AM