Windows Server 2008 and Branch Office Infrastructure

How to use Windows Server 2008 to solve common business issues.

Aidan Finn
C Infinity
Email: afinn<at>cinfinity<dot>ie
Windows Server User Group: http://ws-
• What problems face an organisation with multiple sites?
• What can Windows Server 2008 do to solve these problems?
The Problems
• Many servers – more than we need?
• More administration
• Backups aren’t easy or cheap
• Disaster recovery / Business Continuity
• More regulations to comply with
• The business requires cross-location teams and information sharing
• WAN is NOT cheap.
• Hidden, not-so-hidden and possible future
Our Sample Company - BigBank
• Multinational Finance Company.
• Billion Euro Transactions with multinational
• Business deals may include staff from any number of branch offices and HQ.
• Must comply with regulations in many jurisdictions, e.g. data privacy and disaster
• Single Forest – Single Domain.
BigBank: The Offices

[Map: BigBank office locations, including New York, Tokyo and Hong Kong.]
Server Numbers
• Servers in every office
• High capital costs every three years
• Backups to do – who is doing them?
• Management agents
• Anti-virus – AV isn’t easy, is it?
• Patching
• Administration – branch offices outsource?
• Complexity – more to go wrong!
Consolidate Servers?
Question: What does “consolidate” really
Wrong Answer: “Put more applications onto fewer servers?” OUCH!
Correct Answers:
• Place identical or similar roles onto fewer servers, e.g. 1 file server cluster instead of 6 servers. Easier clustering and x64.
• Virtualisation, e.g. place many virtual machine guests onto one physical host.
• Consolidation: Instead of 2 file servers in each office, have 2 larger file servers in a central location, etc.
• Domain controllers placed in physically secure regional HQs. Less complexity.
• File Server clusters. Less to back up.
• Exchange 2007 clusters. RPC over HTTP.
• Skills that are easy to acquire.
• Easier for disparate users to share.
• Fewer servers.
• Backup is easier.
• Etc.
• Cross-WAN access is slow.
• WAN is not cheap.
• Latency. What is latency?
• Aren’t there times when it seems like the WAN is your biggest problem when working with branch offices?
• What’s the usual solution? You can’t afford more bandwidth so you restrict traffic, i.e.
• We need to make more from what we have.
• Enter Windows Server 2008 and Windows
Latency – The Real Enemy
More bandwidth is not always the solution.

[Diagram: link latency comparison; labels show < 1 ms.]
Latency – Solutions?

Wrong: “Throw more bandwidth at the
We cannot change the laws of physics.

Correct: Send more at once.
The Next Generation TCP Stack
• In Vista and Windows Server 2008
• IPv6 included natively
• Receive Window Auto Tuning
• QoS by policy
• Compound TCP & SMB 2.0
Receive Window Auto Tuning
• Only so much data is sent in one packet. This amount is statically defined.
• More packets compound the effect of
• We’re not using bandwidth to fullest
• Send fewer, larger packets.
• Do this intelligently
Without Receive Window Auto Tuning

[Diagram: a 10 MB document sent from Windows Server 2003 to Windows XP over a 2 MB WAN. Receive Window = 8760 bytes; each of the five round trips shown costs 150 ms of latency. Result: 93 seconds at 0.9 Mbps (Tolly Group).]
With Receive Window Auto Tuning

[Diagram: the same 10 MB document sent from Windows Server 2008 to Windows Vista over a 2 MB WAN. Receive Window = auto tuned, max 65,535 bytes; three round trips of 150 ms latency shown. Result: 42.85 seconds at 2 Mbps (Tolly Group).]
Receive Window Auto Tuning
• Auto Tuning not in XP or 2003. Must be statically defined. One size does not fit all.
• We now can utilise bandwidth to 100%.

• Uh-oh: We now can utilise bandwidth to
• We need to control how WAN bandwidth is
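The two slides above contrast a fixed 8760-byte receive window with an auto-tuned one at 150 ms of latency. The following added example (not part of the original deck) models the mechanism behind that: a sender that may have at most one receive window in flight is capped at one window per round trip, so its throughput is bounded by window size divided by latency regardless of link speed. The model ignores slow start, loss and header overhead, so it does not reproduce the Tolly Group timings quoted on the slides; the 10 MB file, 2 Mbps link and 150 ms latency are taken from the slides, everything else is an assumption of the model.

```python
import math

# Added example: a deliberately simple bandwidth-delay model of the receive
# window discussion. Not from the slides and not the Tolly Group method.

MBPS = 1_000_000          # bits per second in one megabit
MIB = 1024 * 1024         # bytes in one mebibyte


def window_limited_throughput_bps(rwin_bytes: int, rtt_s: float) -> float:
    """Upper bound when at most one receive window may be unacknowledged:
    one window of data per round trip."""
    return rwin_bytes * 8 / rtt_s


def effective_throughput_bps(rwin_bytes: int, rtt_s: float, link_bps: float) -> float:
    """The slower of the physical link and the window-limited bound wins."""
    return min(link_bps, window_limited_throughput_bps(rwin_bytes, rtt_s))


def transfer_time_s(size_bytes: int, rwin_bytes: int, rtt_s: float, link_bps: float) -> float:
    """Seconds to move size_bytes at the effective throughput."""
    return size_bytes * 8 / effective_throughput_bps(rwin_bytes, rtt_s, link_bps)


def round_trips(size_bytes: int, rwin_bytes: int) -> int:
    """Round trips needed if every window must be acknowledged before the next is sent."""
    return math.ceil(size_bytes / rwin_bytes)


def window_needed_bytes(link_bps: float, rtt_s: float) -> int:
    """Bandwidth-delay product: the smallest window that can keep the link full."""
    return math.ceil(round(link_bps * rtt_s / 8, 6))


def compare_windows(size_bytes: int = 10 * MIB, rtt_s: float = 0.150, link_bps: float = 2 * MBPS) -> dict:
    """Side-by-side figures for the two receive windows named on the slides."""
    rows = {}
    for label, rwin in (("fixed 8760 B (XP/2003)", 8760), ("auto-tuned max 65535 B", 65535)):
        rows[label] = {
            "throughput_mbps": effective_throughput_bps(rwin, rtt_s, link_bps) / MBPS,
            "seconds": transfer_time_s(size_bytes, rwin, rtt_s, link_bps),
            "round_trips": round_trips(size_bytes, rwin),
            # True when the window is at least the bandwidth-delay product
            "fills_link": rwin >= window_needed_bytes(link_bps, rtt_s),
        }
    return rows


if __name__ == "__main__":
    print(f"window needed to fill a 2 Mbps link at 150 ms: {window_needed_bytes(2 * MBPS, 0.150)} bytes")
    for label, row in compare_windows().items():
        print(f"{label}: {row}")
```

On a 2 Mbps link with 150 ms latency the model needs a 37,500-byte window just to keep the pipe full; 8760 bytes leaves the link mostly idle, while 65,535 bytes lets the link speed itself become the limit, which is the point the deck makes about auto tuning.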
Policy Based QoS
• Quality of Service (QoS)
• Group Policy defined rules: sending application, destination & source address and port, TCP/UDP and Active Directory users or groups.
• Assign a Differentiated Service Code Point (DSCP) value (0 – 63) to the packet at source.
• RFC 1474 compliant routers prioritise traffic based on defined rules using the DSCP value in the packets.
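To make the rule-to-marking step concrete, here is an added example (not from the slides, and not Windows' own QoS implementation) of how a policy set like the one described above maps a packet to a DSCP value and how that value is carried in the six high bits of the IP Differentiated Services byte. The rule contents (application names, addresses, ports and group names) are constructed for illustration, not taken from any real BigBank configuration.

```python
from dataclasses import dataclass
from typing import Optional

# Added example: policy-based QoS as a first-match rule set that assigns a
# DSCP value at the sender. All rule values below are constructed.


@dataclass(frozen=True)
class QosRule:
    """One rule: every criterion that is set must match; unset criteria are wildcards."""
    name: str
    dscp: int                          # Differentiated Services Code Point, 0-63
    application: Optional[str] = None  # sending executable
    protocol: Optional[str] = None     # "TCP" or "UDP"
    src_addr: Optional[str] = None
    dst_addr: Optional[str] = None
    dst_port: Optional[int] = None
    user_group: Optional[str] = None   # AD group the sending user must belong to

    def __post_init__(self):
        if not 0 <= self.dscp <= 63:
            raise ValueError(f"DSCP must be 0-63, got {self.dscp}")

    def matches(self, pkt: dict) -> bool:
        for field in ("application", "protocol", "src_addr", "dst_addr", "dst_port"):
            wanted = getattr(self, field)
            if wanted is not None and pkt.get(field) != wanted:
                return False
        if self.user_group is not None and self.user_group not in pkt.get("user_groups", ()):
            return False
        return True


def dscp_to_ds_byte(dscp: int) -> int:
    """DSCP occupies the top six bits of the IPv4 TOS / IPv6 Traffic Class byte;
    the low two bits are ECN and are left clear here."""
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP must be 0-63, got {dscp}")
    return dscp << 2


def ds_byte_to_dscp(ds_byte: int) -> int:
    """Recover the DSCP a router would read from the DS byte."""
    return (ds_byte & 0xFF) >> 2


def mark_packet(rules, pkt: dict, default_dscp: int = 0) -> int:
    """First matching rule wins; unmatched traffic stays best effort (DSCP 0)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.dscp
    return default_dscp


# Constructed rule set; list order expresses priority.
RULES = [
    QosRule("Trading app to core server", dscp=46, application="trading.exe",
            protocol="TCP", dst_addr="10.1.1.10", dst_port=443, user_group="Traders"),
    QosRule("Backup agent", dscp=8, application="backupagent.exe"),
    QosRule("Bulk SMB copy", dscp=0, protocol="TCP", dst_port=445),
]

if __name__ == "__main__":
    sample = {"application": "trading.exe", "protocol": "TCP", "dst_addr": "10.1.1.10",
              "dst_port": 443, "user_groups": {"Traders"}}
    dscp = mark_packet(RULES, sample)
    print(f"DSCP {dscp} -> DS byte 0x{dscp_to_ds_byte(dscp):02X}")
```

The group criterion is what distinguishes policy-based QoS from plain router ACLs: the same application and destination can be marked differently depending on who is logged on, because the marking is applied at the sending host under Group Policy rather than inferred in the network.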
Compound TCP
Typical Network Transaction:
 Send
 Send
 Send
 Etc

This allows latency to impact the transaction.
Without Compound TCP

[Diagram: Windows Server 2003 to Windows XP; six round trips of 150 ms latency each. Total: 900 milliseconds.]
With Compound TCP

[Diagram: Windows Server 2008 to Windows Vista; four round trips of 150 ms latency each. Total: 600 milliseconds.]
TCP Improvements Together
• Receive Window Auto Tuning: Send more at
• Compound TCP: Send fewer ACK packets.
• Effect: Latency has less impact on cross-WAN services.
• SMB 2.0: New file and print protocol to make use of new TCP stack.
Centralisation At BigBank
We can centralise servers from some offices to the regional HQs.
• Los Angeles and Vancouver -> New York
• Sydney and Tokyo -> Hong Kong
BigBank: Remaining Servers

[Map: servers remaining after centralisation; regional HQs in New York and Hong Kong.]
Why Not Centralise Every Server?
• Business uptime VS network complexity.
• Regulatory compliance.
• Politics.
• WAN is more expensive in some places than

We need to reduce server numbers in the remaining branch offices.
Virtual Consolidation
• Few servers seem to utilise more than 10% of
• Run more than one virtual machine on one physical host.
• Virtual machines share RAM, storage and I/O of the host.
What Does Virtualisation Do?

[Diagram: four physical hosts (Host1 to Host4), each running one or more virtual machines.]
Virtual Consolidation

[Diagram: three stacks compared. Traditional: operating system directly on hardware. Virtual Server 2005 R2: a host operating system on hardware, a virtualisation layer on top of it, and guest operating systems above that. Windows Server 2008 Hyper-V: the virtualisation layer sits directly on the hardware with the operating systems above it.]
Benefits Of Virtual Consolidation
• Use CPU installations to their fullest ability.
• Fewer physical hosts.
• Quick to deploy
• Fault tolerant
• Physically abstract hardware.
• Cheaper in the long run.
• Will cost around $28/host.
• Can be clustered for failover.
• Manage using System Centre Virtual Machine Manager.
• Integrate with other System Centre products, e.g. SCCM 2007 and SCOM 2007.
• There will be a Hyper-V Edition of Windows Server 2008
• Attend Dave Northey’s sessions … much more info there.
Hyper-V At BigBank
• The servers in the Luxembourg and Krakow offices can be virtualised
• We can also virtualise the centralised servers in the regional HQ
BigBank: Remaining Servers

[Map: servers remaining after virtual consolidation; regional HQs in New York and Hong Kong.]
Branch Office: Physical Security
• There is no security without physical security.
• Sometimes we must place servers and domain controllers in small offices with no physical security.
• Losing physical control of a domain controller is BAD!
BitLocker
• Included with Windows Server 2008.
• Fully encrypt disks of required servers.
• Can utilise a TPM chip on the motherboard, USB stick and PIN to secure the encryption.
• Losing physical security is no longer as disastrous as it was.
Domain Controllers
Server Core:
• An installation variant with no GUI.
• Smaller footprint and attack surface.
• Requires less hardware.
• Read-Only Domain Controller – stores no
• Active Directory as a service. Non-domain administrators can manage the hardware and operating system with limited rights.
• Encrypt using BitLocker
BigBank Domain Controllers
• Luxembourg and Krakow have small offices. The business won’t approve building secure computer rooms there. The hardware maintenance is outsourced to local IT services companies.
• Deploy RODCs in Luxembourg and Krakow. Delegate administration of the hardware to security groups containing users for IT services. Enable BitLocker to secure the
Backing Up Ain’t Easy!
• Why is it that backing up is so hard? Isn’t it just a file copy?
• We need reliable hardware, disks and tape.
• Offsite storage.
• Who is doing backups in the branch office? The receptionist.
Distributed File System
• Namespace – abstract the physical location of file shares and connect users via Active
• Replication – Block level replication of files and cross file replication.
DFS Namespace

[Diagram: file servers such as \\FS3 are published under a domain-based namespace (\\\) that clients resolve via the domain controllers. The client sees only the namespace path:]

  net use z: \\\ourfileshares
  cd z:\Accounts
DFS Namespace
Abstract the physical location of file shares:
• Consolidate all file shares to a single point.
• Use Access Based Enumeration (ABE).
• Make file shares agile.
• Simplify administration: home directories, profiles, folder redirection, applications, software installation, scripts, etc.
DFS Replication

[Diagram: a Dublin PC saves a 1 MB change to a 100 MB file on the Dublin file server. Only the changed blocks (approx. 1 MB) are sent to the Krakow file server, which writes those blocks into its own copy of the 100 MB file.]
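The diagram above shows the property that makes DFS-R viable over an expensive WAN: a 1 MB edit to a 100 MB file costs roughly 1 MB of replication, not 100 MB. The following added example (not from the slides, and a simplified illustration rather than Microsoft's Remote Differential Compression algorithm) shows the idea with fixed-size blocks: the sender hashes each block, sends only the blocks whose hashes differ from what the receiver holds, and the receiver writes those blocks into its existing copy. The 64 KiB block size and all file contents are constructed for the example.

```python
import hashlib

# Added example: a block-hash model of "changed blocks only" replication.
# Not the slides' code and not Microsoft's RDC; all sample data is constructed.

BLOCK_SIZE = 64 * 1024  # bytes per block; a tuning choice in this model


def block_digests(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """SHA-256 of each fixed-size block (the last block may be short)."""
    return [hashlib.sha256(data[i:i + block_size]).hexdigest()
            for i in range(0, len(data), block_size)]


def compute_delta(old: bytes, new: bytes, block_size: int = BLOCK_SIZE):
    """Sender side: compare the new version against the digests of the copy the
    receiver already holds. Returns (new_length, {block_index: block_bytes})."""
    old_digests = block_digests(old, block_size)
    changed = {}
    for i, digest in enumerate(block_digests(new, block_size)):
        if i >= len(old_digests) or old_digests[i] != digest:
            changed[i] = new[i * block_size:(i + 1) * block_size]
    return len(new), changed


def apply_delta(old: bytes, new_length: int, changed: dict, block_size: int = BLOCK_SIZE) -> bytes:
    """Receiver side: start from its own copy, truncate or pad to the new length,
    then overwrite only the changed blocks."""
    out = bytearray(old[:new_length].ljust(new_length, b"\0"))
    for i, block in changed.items():
        start = i * block_size
        out[start:start + len(block)] = block
    return bytes(out)


def bytes_replicated(changed: dict) -> int:
    """Payload that actually crosses the WAN (digests excluded)."""
    return sum(len(block) for block in changed.values())


def replicate(old: bytes, new: bytes, block_size: int = BLOCK_SIZE):
    """Round trip: sender computes the delta, receiver applies it.
    Returns (rebuilt_copy, bytes_sent)."""
    new_length, changed = compute_delta(old, new, block_size)
    return apply_delta(old, new_length, changed, block_size), bytes_replicated(changed)


# Constructed 1 MiB file (16 blocks) and a 100-byte edit in the middle of block 5.
SAMPLE_OLD = bytes(range(256)) * 4096
_edited = bytearray(SAMPLE_OLD)
_edited[5 * BLOCK_SIZE + 100:5 * BLOCK_SIZE + 200] = b"X" * 100
SAMPLE_NEW = bytes(_edited)

if __name__ == "__main__":
    rebuilt, sent = replicate(SAMPLE_OLD, SAMPLE_NEW)
    print(f"copy matches: {rebuilt == SAMPLE_NEW}; sent {sent} of {len(SAMPLE_NEW)} bytes")
```

The edge cases matter on a real file server: an append touches only the final (short) block, and a truncation shortens the receiver's copy before any blocks are written, so the rebuilt file is byte-identical in both directions. The cost this model does not show is the hash exchange itself, which is why a block size has to be chosen against typical edit sizes.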
DFS Cross File Replication

[Diagram: a user on a Dublin PC copies 100 MB File 1 to 100 MB File 2 on the Dublin file server. The Krakow file server already holds File 1, so it performs a local copy to create File 2; no data is replicated across the WAN.]
DFS Replication
Replicates when the file handle is closed.
Does not replicate file locks.
Last writer wins.
Good for static or single-user data:
• Home directories.
• Profiles.
• Destinations with no user access.
• Software installation points.
• Office templates.
DFS Replication
Don’t consider DFS-R for:
• Replicating databases, e.g. SQL, Exchange or Oracle. Use native functionality.
• Collaboration, e.g. Users in Dublin working on the same documents as users in Krakow. Last writer wins.
BigBank: Centralise Backups

[Diagram: the \\\Luxembourg and \\\Krakow file servers in Luxembourg and Krakow replicate with DFS-R to the HQ, where disk-to-disk backup feeds a tape library.]
BigBank: Centralise Backups
• Use DFS-N and DFS-R to centralise Krakow and Luxembourg backups in Dublin.
• This gives them offsite backups.
• Enable Volume Shadow Copy on all servers for day-to-day recovery. Train “power

Hey! We can use this for file server archiving too. BigBank only needs to install archiving solutions in Dublin to service all of Europe.
Branch Office Disaster Recovery
• AKA Business Continuity
• Recover when an office is unavailable. Have a replica site available location.
• Timelines, procedures, staff selection.
• Costs … “Sure, the 50 user office in Krakow turns over €5billion every year but we’re not investing in a complete replica of their
Regulatory Compliance
• “Must make a best attempt at business
• Data must be offsite.
• Data must be in a remote location
• Data must be in the same country VS data
  must be in another country.

• The Directors still don’t want to spend the
Regulatory Compliance
Typical Solution: “Server Assurance” and recover from tape.
• You really will get those servers when the city shuts down?
• Is the hardware the same?
• How will this integrate with the corporate
• Does the branch have required skills?
• How LOOOOOOONG will this take?
Business Continuity Using DFS-R
• Use DFS-R to replicate file servers to HQ.
• Use DFS Namespace to maintain the same

Hey! Didn’t we already do this for backups?

• Invest in an access mechanism for users, e.g. VPN or Terminal Services.
BigBank: Business Continuity

[Diagram: the Luxembourg and Krakow file servers replicate with DFS-R to the DR location. Because the namespace path is the same, users map the same drive whether they are in the office or at the DR location.]

In the office:
  net use z: \\\Luxembourg
  cd z:\Marketing

At the DR location:
  net use z: \\bigbank.com\Luxembourg
  cd z:\Marketing
• The business requires people in all offices to work as one.
• Multiple locations, e.g. a user in Krakow may work with users in Tokyo and NY to get business from one client.
• Projects come and go quickly. Traditional solutions require administration and controls. IT slows down the business.
• File shares != collaboration.
Windows SharePoint Services 3.0
• Included in Windows Server 2008.
• IIS and SQL based solution allowing
• Sites with owners and permissions, web applications, document libraries, Outlook integration with shared calendars and contacts, blogs, wikis, tasks, meetings, etc.
• Introduce versioning and change control.
• Allow users to deploy, customise and control access to their own sites.
BigBank: Collaboration
• A WSS cluster is configured in Dublin.
• Owners of sites are identified and given administrative rights of those sites.
• All users can access the same collaboration solution and work together as a single, cooperative entity.
• The business can adapt and compete.
BigBank: Password Policies
• The security department has relaxed password policies for users in North America.
• Normally requires another domain or using a 3rd party solution, e.g. SpecOps.
• Windows Server 2008 allows group based granular password policies.
Printing
• Outside of password resets, probably one of the largest causes of helpdesk tickets.
• Use the Print Management Console to:
   – Connect users to printers via Group Policy.
   – Monitor and manage printers from a central
PCs – We Almost Forgot
The ever present question:
“What do we do with those PCs?”
• Keep them as is.
• Manage using System Centre and ForeFront.
• Terminal Services.
• Vista Enterprise Centralized Desktop (VECD)
Keep The PCs
• Can be the simplest solution.
• Might be the cheapest: €400/PC!
• Patch using WSUS 3.0 (in Windows Server
• Manage configuration using System Centre Configuration Manager 2007.
• Secure using ForeFront Client Security.
Terminal Services
• RemoteApp: Seamless applications instead of the full desktop.
• Terminal Services Gateway: An SSL access point to applications via the Internet.
• TS Gateway: Works seamlessly with
• XPS Printer: “Thin printing”. Windows Server 2008, Vista and Windows XP SP3.
Vista Enterprise Centralized Desktop
• AKA Virtual Desktop Infrastructure (VDI)
• Run the desktop as a virtual machine on a centralised host, e.g. Hyper-V.
• Access using an RDP terminal.
Advantages over Terminal Services:
• No change control for day-to-day
• User gets their own environment.
• Dodgy applications don’t interfere with each other.
BigBank: The PCs
• Asia prefers to keep their PCs. They will manage PCs using WSUS 3.0, System Centre Configuration Manager 2007 and ForeFront Client Security.
• North America will deploy Windows Server 2008 Terminal Services. PCs are reconfigured as dumb terminals. All applications made available via RemoteApp and TS Gateway. SoftGrid for Terminal Services deployed to avoid “application silos”.
Branch Office Hardware
• New blade solutions designed for branch
• HP C3000 and IBM BladeCentre S.
• Includes servers, PSU, storage and backup
• Quiet & power efficient.
• The chassis can come on wheels!!!
• IBM: TPM in next generation of blades.
• HP: No response.
Some Reading Material
Mastering Windows Server 2008 by Mark Minasi,
 etc. (Sybex)
• Networking Foundations
• Essentials Technologies
• Enterprise Technologies
The End
Aidan Finn
C Infinity
Email: afinn<at>cinfinity<dot>ie
Windows Server User Group: