Windows Server 2008 and Branch Office Infrastructure

How to use Windows Server 2008 to solve common
business issues.




Aidan Finn
C Infinity
Email: afinn<at>cinfinity<dot>ie
Blog: http://joeelway.spaces.live.com
Windows Server User Group: http://ws-ugi.spaces.live.com
AGENDA
• What problems face an organisation with
  multiple sites?
• What can Windows Server 2008 do to solve
  these problems?
The Problems
• Many servers – more than we need?
• More administration
• Backups aren’t easy or cheap
• Disaster recovery / Business Continuity
• More regulations to comply with
• The business requires cross-location teams
  and information sharing
• WAN is NOT cheap.
• Hidden, not-so hidden and possible future
  costs.
Our Sample Company - BigBank
• Multinational Finance Company.
• Billion Euro Transactions with multinational
  clients.
• Business deals may include staff from any
  number of branch offices and HQ.
• Must comply with regulations in many
  jurisdictions, e.g. data privacy and disaster
  recovery.
• Single Forest – Single Domain.
BigBank: The Offices
(Map: Dublin (HQ), Luxembourg, Krakow, New York (Regional), Vancouver, LA, Hong Kong (Regional), Tokyo, Sydney.)
Server Numbers
• Servers in every office
• High capital costs every three years
More:
• Backups to do – who is doing them?
• Management agents
• Anti virus – AV isn’t easy, is it?
• Patching
• Administration – branch offices outsource?
• Complexity – more to go wrong!
Consolidate Servers?
Question: What does “consolidate” really
  mean?
Wrong Answer: “Put more applications onto fewer servers?” OUCH!
Correct Answers:
• Place identical or similar roles onto fewer
  servers, e.g. 1 file server cluster instead of 6
  servers. Easier clustering and x64.
• Virtualisation, e.g. place many virtual
  machine guests onto one physical host.
  Hyper-V!
Centralisation
• Consolidation: Instead of 2 file servers in
  each office, have 2 larger file servers in
  central location, etc.
• Domain controllers placed in physically
  secure regional HQ’s. Less complexity.
• File Server clusters. Less to back up.
• Exchange 2007 clusters. RPC over HTTP.
• Skills that are easy to acquire.
• Easier for disparate users to share.
Centralisation
Pros:
• Fewer servers.
• Backup is easier.
• Etc.
Cons:
• Cross-WAN access is slow.
• WAN is not cheap.
• Latency. What is latency?
The WAN
• Aren’t there times when it seems like the
  WAN is your biggest problem when working
  with branch offices?
• What’s the usual solution? You can’t afford
  more bandwidth so you restrict traffic, i.e.
  business.
• We need to make more from what we have.
• Enter Windows Server 2008 and Windows
  Vista.
Latency – The Real Enemy
More bandwidth is not always the solution.
(Diagram: LAN – request < 1 ms, response < 1 ms. WAN – request 150 ms, response 150 ms.)
Latency – Solutions?
Wrong: “Throw more bandwidth at the problem!!!” We cannot change the laws of physics.
Correct: Send more at once.
The Next Generation TCP Stack
• In Vista and Windows Server 2008
• IPv6 included natively
• Receive Window Auto Tuning
• QoS by policy
• Compound TCP & SMB 2.0
Receive Window Auto Tuning
Problem:
• Only so much data may be in flight before the sender must stop and wait for an acknowledgement. On Windows XP and Server 2003 that limit, the TCP receive window, is a fixed size.
• Every stop-and-wait costs a full round trip, so the effect of latency is multiplied across the whole transfer.
• Result: the WAN bandwidth is never used to full capacity.
Solution:
• Allow more data per round trip by growing the receive window to match the link.
• Do this intelligently: measure the connection and size the window for it.
Without Receive Window Auto Tuning
(Diagram: Windows Server 2003 sends a 10 MB document to Windows XP over a 2 MB WAN with 150 ms latency on each leg. Receive window = 8760 bytes, so the transfer is a long series of send-and-wait round trips.)
Result: 93 seconds at 0.9 Mbps (Tolly Group)
With Receive Window Auto Tuning
(Diagram: Windows Server 2008 sends the same 10 MB document to Windows Vista over the same 2 MB, 150 ms WAN. Receive window = auto tuned, max 65,535 bytes in the diagram, so far fewer round trips are needed.)
Result: 42.85 seconds at 2 Mbps (Tolly Group)
Receive Window Auto Tuning
• Auto Tuning is not in XP or 2003. There the window must be statically defined (the TcpWindowSize registry value), and one size does not fit all links.
• We can now utilise bandwidth to 100%.
• Uh-oh: we can now utilise bandwidth to 100%. A bulk file copy now competes on equal terms with everything else on the link.
• We need to control how WAN bandwidth is used.
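The slide's point can be put in numbers. The following is an added example, not part of the original deck: it models the deck's scenario (2 Mbit/s WAN, 150 ms each way, a 10 MB document, a fixed 8760-byte window versus an auto-tuned one) with constructed figures and computes the theoretical ceiling a fixed receive window imposes. The deck's 93 s and 42.85 s Tolly Group results came from a test whose exact conditions are not on the page, so they are not reproduced here.

```python
"""Why a fixed receive window starves a high-latency WAN link.

Added example, not from the original slides. All link figures are constructed
to match the deck's scenario: a 2 Mbit/s WAN, 150 ms latency each way (300 ms
round trip), a 10 MB document, and a fixed 8760-byte receive window versus an
auto-tuned window.
"""

LINK_BPS = 2_000_000          # 2 Mbit/s WAN (constructed)
RTT_MS = 300                  # 150 ms out + 150 ms back (from the deck)
DOCUMENT_BYTES = 10 * 1024 * 1024
FIXED_RWIN = 8760             # static receive window on XP / Server 2003 (from the deck)
MAX_UNSCALED_RWIN = 0xFFFF    # 65,535: largest window the 16-bit TCP field can carry


def bandwidth_delay_product(link_bps: int, rtt_ms: int) -> int:
    """Bytes that must be in flight to keep the link busy for one round trip."""
    return link_bps * rtt_ms // 8000


def window_limited_throughput_bps(rwin_bytes: int, rtt_ms: int) -> float:
    """A sender may have at most one receive window unacknowledged, so it can
    deliver at most rwin_bytes per round trip regardless of link speed."""
    return rwin_bytes * 8000 / rtt_ms


def effective_throughput_bps(link_bps: int, rwin_bytes: int, rtt_ms: int) -> float:
    """Throughput is capped by whichever is smaller: the pipe or the window."""
    return min(float(link_bps), window_limited_throughput_bps(rwin_bytes, rtt_ms))


def transfer_seconds(size_bytes: int, link_bps: int, rwin_bytes: int, rtt_ms: int) -> float:
    """Time to move size_bytes at the effective throughput."""
    return size_bytes * 8 / effective_throughput_bps(link_bps, rwin_bytes, rtt_ms)


def window_scale_shift(rwin_bytes: int) -> int:
    """RFC 1323 window-scale shift needed to advertise rwin_bytes in a 16-bit
    field. 0 means no scaling; auto tuning relies on this option to grow past
    65,535 bytes."""
    shift = 0
    while (rwin_bytes >> shift) > 0xFFFF:
        shift += 1
    return shift


if __name__ == "__main__":
    bdp = bandwidth_delay_product(LINK_BPS, RTT_MS)
    print(f"bandwidth-delay product: {bdp} bytes (window needed to fill the link)")
    for label, rwin in (("fixed 8760", FIXED_RWIN),
                        ("unscaled max 65535", MAX_UNSCALED_RWIN),
                        ("auto-tuned >= BDP", bdp)):
        mbps = effective_throughput_bps(LINK_BPS, rwin, RTT_MS) / 1e6
        secs = transfer_seconds(DOCUMENT_BYTES, LINK_BPS, rwin, RTT_MS)
        print(f"{label:>20}: {mbps:5.2f} Mbit/s, 10 MB in {secs:6.1f} s, "
              f"window scale shift {window_scale_shift(rwin)}")
```

With these figures the 8760-byte window caps the link at about 0.23 Mbit/s, and even the largest unscaled window (65,535 bytes) cannot fill 2 Mbit/s at a 300 ms round trip; the bandwidth-delay product is 75,000 bytes, so auto tuning has to use the window scale option. That is also the practical caveat: if an old firewall or WAN device strips or mangles that option, auto-tuned connections stall, and the fix in that era was to lower the level with netsh interface tcp set global autotuninglevel=restricted (or highlyrestricted) rather than to disable it outright.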
Policy Based QoS
• Quality of Service (QoS).
• Group Policy defined rules: sending application, destination and source address and port, TCP/UDP, and Active Directory users or groups.
• Assign a Differentiated Services Code Point (DSCP) value (0 – 63) to the packet at source; a throttle rate can be set as well.
• RFC 2474 compliant routers prioritise traffic based on defined rules using the DSCP value in the packets. The marking is a request, not a guarantee: it only takes effect where the routers are configured to honour it.
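The DSCP value a QoS policy assigns has to fit into the IP header, and anyone verifying a policy will want to read it back from a capture. The following is an added example, not code from the deck: it encodes and decodes the 6-bit DSCP in the IPv4 DS byte and the IPv6 Traffic Class field and names the standard per-hop behaviours. The two sample headers are constructed, not captured.

```python
"""DSCP marking, as stamped on packets by Windows Policy-based QoS.

Added example, not from the original slides. It shows how the 6-bit DSCP
value (0-63) that a QoS policy assigns at the source is carried in the IPv4
DS byte and the IPv6 Traffic Class field, how to read it back from a header,
and the standard per-hop behaviour names routers act on. The two sample
headers are constructed, not captured.
"""

EF = 46  # Expedited Forwarding (RFC 3246), the usual voice marking


def is_valid_dscp(dscp: int) -> bool:
    return 0 <= dscp <= 63


def dscp_to_tos(dscp: int, ecn: int = 0) -> int:
    """DSCP is the top 6 bits of the 8-bit DS field; the low 2 bits are ECN,
    which a QoS marker must leave untouched."""
    if not is_valid_dscp(dscp):
        raise ValueError(f"DSCP must be 0..63, got {dscp}")
    if not 0 <= ecn <= 3:
        raise ValueError(f"ECN must be 0..3, got {ecn}")
    return (dscp << 2) | ecn


def tos_to_dscp(tos: int) -> int:
    return (tos >> 2) & 0x3F


def dscp_name(dscp: int) -> str:
    """Per-hop behaviour name: EF, class selectors CS0-CS7 (RFC 2474),
    assured forwarding AF11-AF43 (RFC 2597), else the raw value."""
    if dscp == EF:
        return "EF"
    if dscp % 8 == 0:
        return f"CS{dscp // 8}"           # CS0 is plain best effort
    cls, drop = dscp // 8, (dscp % 8) // 2
    if 1 <= cls <= 4 and dscp % 2 == 0:   # AFxy = 8x + 2y, y in 1..3
        return f"AF{cls}{drop}"
    return f"DSCP{dscp}"


def ipv4_dscp(header: bytes) -> int:
    """Byte 1 of an IPv4 header is the DS (formerly ToS) field."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return tos_to_dscp(header[1])


def ipv6_dscp(header: bytes) -> int:
    """IPv6 Traffic Class is 8 bits split across bytes 0 and 1, after the version nibble."""
    if len(header) < 40 or header[0] >> 4 != 6:
        raise ValueError("not an IPv6 header")
    traffic_class = ((header[0] & 0x0F) << 4) | (header[1] >> 4)
    return tos_to_dscp(traffic_class)


def ipv4_header(dscp: int) -> bytes:
    """Construct a minimal 20-byte IPv4 header (UDP, 10.0.0.1 -> 10.0.0.2)."""
    return (bytes([0x45, dscp_to_tos(dscp)])      # version 4, IHL 5, DS field
            + (20).to_bytes(2, "big")             # total length
            + bytes([0, 0, 0x40, 0])              # id, flags (DF) / fragment offset
            + bytes([64, 17, 0, 0])               # TTL, protocol UDP, checksum (unset)
            + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2]))


def ipv6_header(dscp: int) -> bytes:
    """Construct a minimal 40-byte IPv6 header (UDP, fd00::1 -> fd00::2)."""
    tc = dscp_to_tos(dscp)
    src = bytes([0xFD] + [0] * 14 + [1])
    dst = bytes([0xFD] + [0] * 14 + [2])
    return (bytes([0x60 | (tc >> 4), (tc & 0x0F) << 4, 0, 0])  # version, TC, flow label
            + bytes([0, 0, 17, 64])                            # payload len, next hdr, hop limit
            + src + dst)


if __name__ == "__main__":
    for dscp in (0, 10, 24, 34, EF):
        tos = dscp_to_tos(dscp)
        print(f"DSCP {dscp:2d} ({dscp_name(dscp):>4}) -> DS byte 0x{tos:02X}, "
              f"read back: v4={ipv4_dscp(ipv4_header(dscp))} v6={ipv6_dscp(ipv6_header(dscp))}")
```

Two things to check against a real capture: the ECN bits must survive the marking (a policy that overwrites the whole byte breaks congestion signalling), and the DSCP seen on the far side of the WAN is whatever the carrier's edge re-marked it to, so the values chosen in Group Policy have to be agreed with the network team rather than set in isolation.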
Compound TCP
Typical Network Transaction:
 Send
 ACK
 Send
 ACK
 Send
 Etc


This allows latency to impact the transaction.
Without Compound TCP
(Diagram: Windows Server 2003 sending a document to Windows XP. Each send waits for its ACK: Send, 150 ms, Ack, 150 ms, repeated three times.)
900 milliseconds
With Compound TCP
(Diagram: Windows Server 2008 sending a document to Windows Vista. Three sends go out back to back, 150 ms each, then a single Ack returns after 150 ms.)
600 milliseconds
TCP Improvements Together
• Receive Window Auto Tuning: the receiver lets more data be in flight at once.
• Compound TCP: the sender opens its congestion window faster on high-bandwidth, high-latency links, so more segments go out between acknowledgements instead of one at a time.
• Effect: latency has less impact on cross-WAN services.
• SMB 2.0: new file and print protocol that pipelines requests and uses larger buffers to make use of the new TCP stack.
Centralisation At BigBank
We can centralise servers from some offices to
 the regional HQ’s.
• Los Angeles and Vancouver -> New York
• Sydney and Tokyo -> Hong Kong
BigBank: Remaining Servers
(Map: Dublin (HQ), Luxembourg, Krakow, New York (Regional), Hong Kong (Regional). Los Angeles, Vancouver, Sydney and Tokyo no longer host servers.)
Why Not Centralise Every Server?
• Business uptime VS network complexity.
• Regulatory compliance.
• Politics.
• WAN is more expensive in some places than
  others!


We need to reduce server numbers in the
 remaining branch offices.
Virtual Consolidation
• Few servers seem to utilise more than 10% of
  CPU.
• Run more than one virtual machine on one
  physical host.
• Virtual machines share RAM, storage and
  I/O of the host.
What Does Virtualisation Do?
(Diagram: four physical hosts, Host1 to Host4, attached to a shared SAN, each running one or more virtual machines whose storage lives on the SAN.)
Virtual Consolidation
(Diagram comparing three stacks:
 – Traditional OS installation: Hardware > Operating System.
 – Virtual Server 2005 R2: Hardware > Operating System > Virtualisation Layer > VM operating systems.
 – Windows Server 2008 Hyper-V: Hardware > Hypervisor > VM operating systems.)
Benefits Of Virtual Consolidation
• Use CPU installations to their fullest ability.
• Fewer physical hosts.
• Quick to deploy
• Fault tolerant
• Physically abstract hardware.
• Cheaper in the long run.
Hyper-V
• Will cost around $28/host.
• Can be clustered for failover.
• Manage using System Center Virtual Machine Manager.
• Integrate with other System Center products, e.g. SCCM 2007 and SCOM 2007.
• There will be a Hyper-V Edition of Windows
  Server 2008
• Attend Dave Northey’s sessions … much
  more info there.
Hyper-V At BigBank
• The servers in the Luxembourg and Krakow
  offices can be virtualised
• We can also virtualise the centralised servers
  in the regional HQ
BigBank: Remaining Servers
(Map, unchanged from the previous Remaining Servers slide: Dublin (HQ), Luxembourg, Krakow, New York (Regional), Hong Kong (Regional). The sites are the same; the number of physical servers in each is now smaller.)
Branch Office: Physical Security
• There is no security without physical security.
• Sometimes we must place servers and
  domain controllers in small offices with no
  physical security.
• Losing physical control to a domain
  controller is BAD!
BitLocker
• Included with Windows Server 2008 as an optional feature.
• Fully encrypt the disks of the servers that need it.
• Keys can be sealed to a TPM chip on the motherboard and, optionally, also require a PIN and/or a startup key on a USB stick.
• Protects data at rest: a stolen server or a removed disk is unreadable. Once the server has booted and unlocked the volume, BitLocker adds nothing against an attacker who can log on.
• Losing physical security is no longer as disastrous as it was.
Domain Controllers
Server Core:
• An installation variant with no GUI shell.
• Smaller footprint and attack surface.
• Requires less hardware.
Read-Only Domain Controller (RODC):
• Holds a read-only copy of the directory and, by default, caches no account passwords; the Password Replication Policy decides which accounts, if any, may be cached on it.
• Administrator Role Separation and restartable AD DS (Active Directory as a service): non-domain administrators can manage the hardware and operating system with limited rights.
• Encrypt using BitLocker.
BigBank Domain Controllers
• Luxembourg and Krakow have small offices. The business won’t approve building secure computer rooms there. The hardware maintenance is outsourced to local IT services companies.
• Deploy RODCs in Luxembourg and Krakow. Delegate administration of the hardware to security groups containing the users from the IT services companies. Enable BitLocker to secure the servers.
• Keep each RODC’s Password Replication Policy allowed list to the local staff only, and check what it has actually cached with “repadmin /prp view <RODC> reveal”. Anything cached there is what a thief of that server gets.
Backing Up Ain’t Easy!
• Why is it that backing up is so hard? Isn’t it
  just a file copy?
• We need reliable hardware, disks and tape.
• Offsite storage.
• Who is doing backups in the branch office?
  The receptionist.
Distributed File System
• Namespace (DFS-N) – abstract the physical location of file shares and connect users via Active Directory.
• Replication (DFS-R) – multi-master replication that uses Remote Differential Compression (RDC) to send only the changed blocks of a file, and cross-file RDC to build a new file from similar files already at the destination.
DFS Namespace
(Diagram: three file servers, \\FS1, \\FS2 and \\FS3, published under the domain-based namespace \\bigbank.com\OurFileShares, which the bigbank.com domain controllers serve. The share \\FS1\Accounts appears as the folder Accounts in the namespace.)
  net use z: \\bigbank.com\ourfileshares
  cd z:\Accounts
DFS Namespace
Abstract the physical location of file shares:
• Consolidate all file shares to a single point.
• Use Access Based Enumeration (ABE).
• Make file shares agile.
• Simplify administration: home directories,
  profiles, folder redirection, applications,
  software installation, scripts, etc.
DFS Replication
(Diagram: a Dublin PC saves a 1 MB change to a 100 MB file on the Dublin file server. DFS-R replicates only the changed blocks, approx 1 MB, to the Krakow file server, which writes them into its copy of the 100 MB file.)
DFS Cross File Replication
(Diagram: the Dublin file server holds 100 MB File 1; a Dublin PC user copies it to create 100 MB File 2. Krakow already has File 1, so no data is replicated across the WAN: the destination performs a local copy to produce File 2.)
DFS Replication
Replicates when the file handle is closed.
Does not replicate file locks.
Last writer wins.
Good for static or single-user data:
• Home directories.
• Profiles.
• Destinations with no user access.
• Software installation points.
• Office templates.
DFS Replication
Don’t consider DFS-R for:
• Replicating databases, e.g. SQL, Exchange
  or Oracle. Use native functionality.
• Collaboration, e.g. Users in Dublin working on
  the same documents as users in Krakow.
  Last writer wins.
BigBank: Centralise Backups
(Diagram: the Luxembourg and Krakow file servers replicate with DFS-R to \\bigbank.com\Luxembourg and \\bigbank.com\Krakow in Dublin (HQ), where a disk-to-disk backup feeds a tape library.)
BigBank: Centralise Backups
• Use DFS-N and DFS-R to centralise Krakow
  and Luxembourg backups in Dublin.
• This gives them offsite backups.
• Enable Volume Shadow Copy on all servers
  for day-to-day recovery. Train “power
  users”.


Hey! We can use this for file server archiving
  too. BigBank only needs to install archiving
  solutions in Dublin to service all of Europe.
Branch Office Disaster Recovery
• AKA Business Continuity
• Recover when an office is unavailable: have a replica site available at another location.
• Timelines, procedures, staff selection.
• Costs … “Sure, the 50 user office in Krakow
  turns over €5billion every year but we’re not
  investing in a complete replica of their
  infrastructure”.
Regulatory Compliance
• “Must make a best attempt at business
  continuity”.
• Data must be offsite.
• Data must be in a remote location
• Data must be in the same country VS data
  must be in another country.


• The Directors still don’t want to spend the
  money!
Regulatory Compliance
Typical Solution: “Server Assurance” and
  recover from tape.
• You really will get those servers when the city
  shuts down?
• Is the hardware the same?
• How will this integrate with the corporate
  network?
• Does the branch have required skills?
• How LOOOOOOONG will this take?
Business Continuity Using DFS-R
• Use DFS-R to replicate file servers to HQ.
• Use DFS Namespace to maintain the same
  navigation.


Hey! Didn’t we already do this for backups? 


• Invest in an access mechanism for users, e.g.
  VPN or Terminal Services.
BigBank: Business Continuity
(Diagram: the Luxembourg and Krakow file servers replicate with DFS-R to \\bigbank.com\Luxembourg and \\bigbank.com\Krakow in Dublin (HQ). In the office, users map the namespace directly; at the DR location they connect over VPN and use exactly the same path, because the namespace hides which replica serves them.)
  In the office:      net use z: \\bigbank.com\Luxembourg
                      cd z:\Marketing
  At DR location:     net use z: \\bigbank.com\Luxembourg
                      cd z:\Marketing
Collaboration
• The business requires people in all offices to
  work as one.
• Multiple locations e.g. a user in Krakow may
  work with users in Tokyo and NY to get
  business from one client.
• Projects come and go quickly. Traditional
  solutions require administration and controls.
  IT slows down the business.
• File shares != collaboration.
Windows SharePoint Services 3.0
• Included in Windows Server 2008.
• IIS and SQL based solution allowing
  collaboration.
• Sites with owners and permissions, web
  applications, document libraries, Outlook
  integration with shared calendars and
  contacts, blogs, wikis, tasks, meetings, etc.
• Introduce versioning and change control.
• Allow users to deploy, customise and control
  access to their own sites.
BigBank: Collaboration
• A WSS cluster is configured in Dublin.
• Owners of sites are identified and given
  administrative rights of those sites.
• All users can access the same collaboration
  solution and work together as a single,
  cooperative entity.
• The business can adapt and compete.
BigBank: Password Policies
• The security department has relaxed password policies for users in North America.
• Before Windows Server 2008 a domain could have only one password policy, so this required another domain or a 3rd party solution, e.g. SpecOps.
• Windows Server 2008 allows group based granular password policies: a Password Settings Object (PSO) is linked to users or global security groups (not to OUs), and where several apply the lowest precedence value wins. Requires the Windows Server 2008 domain functional level.
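How a PSO is chosen for a given account is easy to get wrong when several overlap, so here is an added example (not from the deck) that models the resolution rules and the way PSO durations are stored in the directory. The PSOs, groups, users and GUIDs are constructed for the BigBank scenario and are not real directory objects.

```python
"""Resolving Windows Server 2008 fine-grained password policies for a user.

Added example, not from the original slides. It models how a Password Settings
Object (PSO) is selected for an account and how PSO durations are stored. The
PSOs, groups, users and GUIDs below are constructed for the deck's BigBank
scenario and are not real directory objects.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set
from uuid import UUID

HUNDRED_NS_PER_DAY = 86400 * 10_000_000
NEVER = -(2 ** 63)  # I8 minimum: the "never expires" sentinel for msDS-MaximumPasswordAge


def days_to_ad_duration(days: int) -> int:
    """PSO durations (msDS-MaximumPasswordAge etc.) are negative 100 ns counts."""
    return -(days * HUNDRED_NS_PER_DAY)


def ad_duration_to_days(value: int) -> Optional[float]:
    """Inverse of days_to_ad_duration; None for the 'never' sentinel."""
    if value == NEVER:
        return None
    return -value / HUNDRED_NS_PER_DAY


@dataclass(frozen=True)
class PSO:
    name: str
    precedence: int             # msDS-PasswordSettingsPrecedence, lower wins
    guid: UUID                  # objectGUID, used only to break precedence ties
    min_password_length: int    # msDS-MinimumPasswordLength
    max_password_age: int       # msDS-MaximumPasswordAge, AD encoding
    applies_to: FrozenSet[str]  # msDS-PSOAppliesTo: user or global group names


def resultant_pso(user: str, groups: Set[str], psos: List[PSO]) -> Optional[PSO]:
    """Pick the PSO that applies to `user`, following the AD resolution rules.

    1. PSOs linked directly to the user beat any linked through a group.
    2. Among the candidates the lowest precedence value wins.
    3. Equal precedence is resolved by the lowest objectGUID.
    4. No candidate: the Default Domain Policy applies (returned as None).
    """
    direct = [p for p in psos if user in p.applies_to]
    via_groups = [p for p in psos if p.applies_to & groups]
    candidates = direct or via_groups
    if not candidates:
        return None
    return min(candidates, key=lambda p: (p.precedence, p.guid.int))


# Constructed PSOs for BigBank (names, values and GUIDs are illustrative).
PSOS = [
    PSO("NA-Relaxed", 20, UUID(int=0x10), 8, days_to_ad_duration(90),
        frozenset({"NA-Users"})),
    PSO("Traders-Strict", 10, UUID(int=0x2), 14, days_to_ad_duration(42),
        frozenset({"Traders"})),
    PSO("EU-Strict", 10, UUID(int=0x1), 14, days_to_ad_duration(42),
        frozenset({"EU-Users"})),
    PSO("ServiceAccounts", 100, UUID(int=0x30), 24, NEVER,
        frozenset({"svc_backup"})),  # linked directly to the account
]


def describe(user: str, groups: Set[str]) -> str:
    """One-line summary of the policy that ends up governing the account."""
    pso = resultant_pso(user, groups, PSOS)
    if pso is None:
        return f"{user}: Default Domain Policy"
    age = ad_duration_to_days(pso.max_password_age)
    age_text = "never expires" if age is None else f"max age {age:.0f} days"
    return f"{user}: {pso.name} (min length {pso.min_password_length}, {age_text})"


if __name__ == "__main__":
    print(describe("alice", {"NA-Users"}))             # NA-Relaxed
    print(describe("bob", {"NA-Users", "Traders"}))    # Traders-Strict: precedence 10 beats 20
    print(describe("dave", {"Traders", "EU-Users"}))   # EU-Strict: tie on 10, lower GUID wins
    print(describe("svc_backup", {"Traders"}))         # ServiceAccounts: direct link beats groups
    print(describe("carol", set()))                    # no PSO applies
```

The ordering matters for the BigBank case: a North American trader who is in both the relaxed regional group and a stricter traders group gets the stricter policy only because its precedence number is lower, so precedence values need to be planned, not left at defaults. The directory exposes the outcome per user as the constructed attribute msDS-ResultantPSO, which is the value to check after linking a new PSO.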
Printers
• Outside of password resets, probably one of
  the largest causes of helpdesk tickets.
• Use the Print Management Console to:
   – Connect users to printers via Group Policy.

   – Monitor and manage printers from a central
     location.
PC’s – We Almost Forgot
The ever present question:
“What do we do with those PC’s?”
• Keep them as is.
• Manage using System Center and Forefront.
• Terminal Services.
• Vista Enterprise Centralized Desktop (VECD)
Keep The PC’s
• Can be the simplest solution.
• Might be the cheapest: €400/PC!
• Patch using WSUS 3.0 (in Windows Server
  2008)
• Manage configuration using System Center Configuration Manager 2007.
• Secure using Forefront Client Security.
Terminal Services
• RemoteApp: Seamless applications instead
  of the full desktop.
• Terminal Services Gateway: An SSL access
  point to applications via the Internet.
• TS Gateway: Works seamlessly with
  RemoteApp.
• XPS Printer: “Thin printing”. Windows Server
  2008, Vista and Windows XP SP3.
Vista Enterprise Centralized Desktop
• AKA Virtual Desktop Infrastructure (VDI)
• Run the desktop as a virtual machine on a
  centralised host, e.g. Hyper-V.
• Access using an RDP terminal.
Advantages over Terminal Services:
• No change control for day-to-day
  troubleshooting.
• User gets their own environment.
• Dodgy applications don’t interfere with
  each other.
BigBank: The PC’s
• Asia prefers to keep their PCs. They will manage the PCs using WSUS 3.0, System Center Configuration Manager 2007 and Forefront Client Security.
• North America will deploy Windows Server
  2008 Terminal Services. PC’s are
  reconfigured as dumb terminals. All
  applications made available via
  RemoteApp and TS Gateway. SoftGrid for
  Terminal Services deployed to avoid
  “application silos”.
Branch Office Hardware
• New blade solutions designed for branch
  office.
• HP BladeSystem c3000 and IBM BladeCenter S.
• Includes servers, PSU, storage and backup
  device.
• Quiet & power efficient.
• The chassis can come on wheels!!!
• IBM: TPM in next generation of blades.
• HP: No response.
Some Reading Material
Mastering Windows Server 2008 by Mark Minasi et al. (Sybex)
• Networking Foundations
• Essential Technologies
• Enterprise Technologies
The End
Aidan Finn
C Infinity

Email: afinn<at>cinfinity<dot>ie

Blog: http://joeelway.spaces.live.com

Windows Server User Group:
http://ws-ugi.spaces.live.com

				