Network Design

  • Question

  • Our company has 15 branch offices (with about 70 users at each), close to each other and connected by wireless. We run all the servers in one central hub which hosts AD, Exchange, Oracle, SharePoint, files etc. I have two questions now:

    1. How do I improve efficiency in case of network downtime? I was thinking of an RODC and a file server (with a DFS replica) at each branch, so even if the WAN link goes down they can at least log on to the domain and perform non-database-driven activities. We can't afford to host replicas of all servers in all branches. Anything else I should consider?

    2. How do I improve network security at our IT hub? 90% of our connections to servers come from wireless/Internet, so is a perimeter network design required here? How safe is it to expose all servers to the Internet with a few basic firewall rules in place? Exchange has an Edge server, but I was wondering about other solutions for services like AD, Oracle & SharePoint.


    Thursday, July 7, 2011 1:53 AM

Answers

  • Mark, here is some general info; your question is not an easy 1, 2, 3 to answer.  I would advise you to look into additional consulting via Microsoft for your AD needs and your network provider.

    Now, let's tackle each step briefly.

    1. How do you improve the efficiency in case of downtime.  That is not exactly the way to look at it; downtime is not efficient.  You want to limit the time of your outage.  You mention RODCs with file and print services at each location. What you need to do is look at the branches: which ones have the better bandwidth?  Then how do they all connect? Is it a star pattern, or do some branches connect to others?  You will need to diagram that out.  I would look into placing at least 3 AD servers, 1 at the primary location and 2 at the ones that are locationally/bandwidth-wise the best.  I would not make them RODCs.  Set up the site links and so forth.  For those locations that are on a smaller bandwidth pipe, with more users, set up an RODC if you choose to do so.  That way, should your primary location go down, you will still have your core AD functionality; if you made them all RODCs then recovery would be a lot more painful.  Microsoft has very good folks in their business solutions group that can provide a full AD assessment and roadmap plan; I would suggest reaching out to them.  This response was my take on it, and people will have different opinions all day long on this.

    2. Improving security: sounds like you need to get a lot covered.  You want security in wireless, and security for your servers.  For wireless security, I will defer to the "get a good Linksys/Cisco access point solution" and follow the guide on hardening that up as much as you can (WPA/WEP etc.) based on your devices.  As for your servers, hanging them out on the Internet is not a good thing.  I would have them behind two firewalls at least.  Excuse the poor ASCII art below:

    Internet  <------> perimeter firewall <------> DMZ/WEB/PROXY <------> firewall <-----> internal servers and users and wireless users

    With the firewalls you want to reduce your surface by locking it down as much as possible port-wise.   Also use Forefront for Exchange for antivirus/antispam.  For your core networking/firewalls you may be able to leverage your ISP for advice and services in securing the network layer.

    For your solution overall, there are as many ways to skin this cat as there are flavors of ice cream.  Hope this helps.  Here are three good books by Microsoft Press that I suggest you read up on.

    http://oreilly.com/catalog/9780735626485/

    http://oreilly.com/catalog/9780596520601/

    http://oreilly.com/catalog/0790145314413/


    • Marked as answer by Markx404 Saturday, July 16, 2011 2:07 PM
    Friday, July 15, 2011 6:57 PM
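As an added example that is not part of the original thread: one way to turn the answer's "diagram the branches, rank them by bandwidth, set up the site links" step into a hub-and-spoke AD site topology, using the ActiveDirectory PowerShell module (Windows Server 2012 or later). Every site name, subnet, link cost and the writable-DC/RODC choice below is a constructed placeholder; the link cost is where the bandwidth assessment lands, and the WritableDC flag records which two branches get a full DC rather than an RODC.

```powershell
# Added example, not code from the thread. All names, subnets and costs are placeholders.
Import-Module ActiveDirectory

$hub = 'Hub'

# One entry per branch: subnet, a site-link cost derived from the link quality
# (lower cost = preferred path), and whether it is one of the two best-connected
# branches that should host a writable DC instead of an RODC.
$branches = @(
    @{ Name = 'Branch01'; Subnet = '10.1.0.0/24'; Cost = 100; WritableDC = $true  }
    @{ Name = 'Branch02'; Subnet = '10.2.0.0/24'; Cost = 100; WritableDC = $true  }
    @{ Name = 'Branch03'; Subnet = '10.3.0.0/24'; Cost = 300; WritableDC = $false }
)

# Hub site and its subnet. Subnets are what map a logging-on client to a site,
# so a branch without a registered subnet will not find its local DC first.
New-ADReplicationSite   -Name $hub
New-ADReplicationSubnet -Name '10.0.0.0/24' -Site $hub

foreach ($b in $branches) {
    New-ADReplicationSite   -Name $b.Name
    New-ADReplicationSubnet -Name $b.Subnet -Site $b.Name

    # Star topology: one link per branch back to the hub. The cost steers both
    # replication and DC location toward the better-connected sites when a
    # branch DC is down; 15 minutes is the minimum inter-site schedule.
    New-ADReplicationSiteLink -Name "$hub-$($b.Name)" `
        -SitesIncluded $hub, $b.Name `
        -Cost $b.Cost `
        -ReplicationFrequencyInMinutes 15 `
        -InterSiteTransportProtocol IP
}

# Planning summary: which sites get a writable DC and which get an RODC.
$branches | ForEach-Object {
    [pscustomobject]@{
        Site = $_.Name
        Role = if ($_.WritableDC) { 'Writable DC' } else { 'RODC' }
    }
} | Format-Table -AutoSize
```

Run it once against an existing forest from a machine with RSAT; the DCs themselves are still promoted separately (Install-ADDSDomainController with -ReadOnlyReplica for the RODC sites).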

All replies

  • Thanks for the reply. Much appreciated. I do have other queries regarding this design optimization but I will research on the Internet first before I ask here.
    Saturday, July 16, 2011 2:06 PM