
Server tips for newer people

Server tips to save your hair: or maybe the "Don't list."

 

AD should always be on its own server/VM host but can include services such as integrated DNS. (Always have 2 or more domain controllers; however, both can be VMs if everything is following best practices, i.e. set to boot first after critical server maintenance, etc. There are exceptions to this (i.e. a small branch office with an RODC); if in doubt, look at the TechNet best practices articles.)

 

AD backups last 90 days max; if you try to go back further than this, it “might” work if very, very little has changed, but it is never recommended.

 

You can quickly spot someone who has no clue about AD when you ask them what their domain/forest level is. If the response is “we have upgraded everything to Server 2012 R2”, and then you find out they are at the 2003 domain level, this is a quick face palm. (Better yet is to know what each functional level does: going from 2k3 -> 2k8R2? Good upgrade. Going from 2k8R2 -> 2k12R2? Only if you have the time; yes, there are more important things to work on.)

 

Email servers are complex and should be treated as such; make sure you have gone thoroughly through the basics such as MX records and correct IPs. (Better yet, stop hard-coding IPs where possible. DNS was invented for a reason; you might know it if you added a CNAME or A record to it. Even better, learn what forward and reverse lookup zones are.)

 

Everyone likes different server OSes for different reasons. If you just installed Linux or BSD for the first time ever, you probably should do some more research before jumping into the “help me plz” pool. (Yep, we all spent years and hundreds of dollars learning this stuff, and we've only just passed the 'Mt. Stupid' part; pick up a book and read about it.)

 

Virtualizing just to virtualize is a bit silly; why would you want to run all of these VMs on a toaster? (If it is part of a larger plan, I'd say it's fine; abstracting the HW layer is a good thing, i.e. the motherboard crashed on the main host, so just host it on another box till the vendor replaces the mobo, no need to worry about drivers.)

 

For the last time, FreeNAS wants direct access to your drives; this means HBA cards or direct motherboard connections. Leave those high-dollar RAID cards alone.

 

For the love of all that is holy, do not use .local or .com, .net, etc. for your domain. This can cause so many issues; pick something different and learn about FQDNs. (It's not an issue if you actually own the domain.)

 

Enthusiast hardware is not enterprise hardware and should not be treated as such. A major reason the enterprise stuff is stupidly expensive is redundancy and support. The reason you think enthusiast stuff is expensive is all those features like overclocking.

 

“But, yo dog, I spent $1000 on dis bad ass Xeon.” I am sorry you didn’t scale your build to your needs properly.

I will add more as this progresses.

 

RAID is not a backup. Linus proved this when one of his cards tanked.

 

99% of rack hardware is designed to sit right on top of one another. Leaving gaps can cause airflow issues (this is more noticeable in data centers with multiple racks).

 

Cabling does matter in your rack because a curtain of cables can and will block airflow.

 

You don't need a ballin' rig for pfSense. The main concern is having enough NICs.

 

Running a decent-size production environment database on Access. I cringe every time.

 

When removing an Exchange server from production, do NOT just shut down the server and delete the VM later. This leaves traces of the old Exchange server lingering in AD. Run the uninstaller and it will clean itself out of AD.
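As an added example (not code from the original post), the AD points above turned into a read-only PowerShell audit: functional levels, domain controller count, the tombstone lifetime that actually sets the backup age limit, the .local naming check, and Exchange server objects still registered in AD. It assumes the RSAT ActiveDirectory module and the standard Exchange container path.

```powershell
# Added example: read-only audit of the AD "don't list" items. Requires the
# RSAT ActiveDirectory module; nothing here modifies the directory.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
$cfgNC  = (Get-ADRootDSE).configurationNamingContext

# Functional levels: the first thing the post expects an admin to know offhand.
"Forest functional level : $($forest.ForestMode)"
"Domain functional level : $($domain.DomainMode)"

# Two or more DCs, and which of them are RODCs / global catalogs.
$dcs = @(Get-ADDomainController -Filter *)
foreach ($dc in $dcs) {
    "DC: $($dc.HostName)  RODC: $($dc.IsReadOnly)  GC: $($dc.IsGlobalCatalog)"
}
if ($dcs.Count -lt 2) { Write-Warning "Only one domain controller: no redundancy." }

# The real limit behind the "90 days" rule is the forest's tombstone lifetime.
# A backup older than this must never be restored: deleted objects come back as
# lingering objects. An unset attribute means the legacy 60-day default.
$dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" `
                      -Properties tombstoneLifetime
$tsl = if ($dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 60 }
"Tombstone lifetime      : $tsl days (oldest AD backup that may be restored)"

# Domain naming: .local is the case the post calls out.
if ($domain.DNSRoot -match '\.local$') {
    Write-Warning "Domain '$($domain.DNSRoot)' uses .local; see the naming advice above."
}

# Exchange servers still registered in the configuration partition. An entry with
# no live server behind it is the leftover the post warns about; the supported
# fix is running the Exchange uninstaller on that server, not deleting objects.
$exchServers = Get-ADObject -LDAPFilter '(objectClass=msExchExchangeServer)' `
                            -SearchBase "CN=Microsoft Exchange,CN=Services,$cfgNC" `
                            -Properties serialNumber -ErrorAction SilentlyContinue
foreach ($srv in $exchServers) {
    # Ping is only a hint; an unreachable name still needs a human to confirm.
    $up = Test-Connection -ComputerName $srv.Name -Count 1 -Quiet -ErrorAction SilentlyContinue
    "Exchange server object: $($srv.Name)  $($srv.serialNumber)  reachable: $up"
}
```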

 


1 hour ago, Smite said:

For the love of all that is holy, do not use .local for your domain. This can cause so many issues, pick something different.

 

lol, and don't use a TLD (e.g. .com, .net, .org, etc.) unless you actually own the domain for an FQDN.

The number of people that make it .com/.net because of the example contoso.com... zzz


6 hours ago, Smite said:

AD backups last 90 days max; if you try to go back further than this, it “might” work if very, very little has changed, but it is never recommended.

If it is a single restore of a single domain controller, then by policy the other domain controllers will not allow the restore or allow this old domain controller back into the system. If you are restoring the whole of AD because all of it died, then what will most likely happen is every machine will have broken trust relationships.


On 2016-02-26 at 1:24 AM, Zodiark1593 said:

RAID does not == Backup.

My old boss couldn't understand that difference. His server (small office, ~5 users) ran a RAID1 mirror, which he considered a local onsite backup. He didn't understand that the RAID1 mirror wouldn't protect against accidental file deletions, virus infections, ransomware, etc.


On 2/25/2016 at 6:44 AM, Smite said:


F some of TFY.

 

Good points.


46 minutes ago, Blake said:

F some of TFY.

 

Good points.

 

I very much agree with your amendments, especially around always running two domain controllers and the virtualization strategy.

 

I'd also like to add that not all UPSes are equal, as mentioned in Linus's Eaton UPS video. Eaton also happens to be my much preferred brand. If possible, always buy an online double-conversion UPS with a network management module and the ability to gracefully shut down VMs. Never just let a virtual host die, or only gracefully shut down the host and not the VMs on it.


Always put shares behind a DFS namespace; you will thank yourself in 3-5 years' time when you go to migrate the physical storage system.


On 2/25/2016 at 9:44 PM, Smite said:

For the love of all that is holy, do not use .local or .com .net etc for your domain. This can cause so many issues, pick something different and learn about FQDN's. 

Well, if you run an AD with Exchange servers in it (lowest version Exchange 2010, or better, higher) and you have Exchange "autodiscover" set up correctly, then it is very easy for people to remember "email address equals username".

 

And if you plan to run a hybrid environment with Office 365 and put something like Exchange in the cloud, Microsoft also advises you to change your login domain to your email address domain (like making your AD whatever.com when your emails will be someone@whatever.com and the username of the person will also be "someone").

 

It really depends on how you want it: convenient for the end users = running your internal domain like your external domain and using split DNS, or more secure by obfuscating the emails of your users and the associated username (including the user domain).


1 hour ago, pat-e said:

Well, if you run an AD with Exchange servers in it (lowest version Exchange 2010, or better, higher) and you have Exchange "autodiscover" set up correctly, then it is very easy for people to remember "email address equals username".

 

And if you plan to run a hybrid environment with Office 365 and put something like Exchange in the cloud, Microsoft also advises you to change your login domain to your email address domain (like making your AD whatever.com when your emails will be someone@whatever.com and the username of the person will also be "someone").

 

It really depends on how you want it: convenient for the end users = running your internal domain like your external domain and using split DNS, or more secure by obfuscating the emails of your users and the associated username (including the user domain).

You can change users' UPN to use the email domain so the email address will work as the username, and have a different local internal domain name than the email domain name.

 

We used to do a lot of hybrid Office 365 deployments with existing onsite Exchange servers for schools. Students would have their mailboxes in Office 365 and staff local. Student email addresses would be a subdomain, i.e. my.<schoolname>.school.nz, and we would set the UPN to <username>@my.<schoolname>.school.nz. Probably not the best deployment configuration for a true hybrid setup, but the easiest and least disruptive to an existing setup.

 

Also I'm not a dedicated Exchange/O365 admin so I will defer the best advice to someone that actually is.
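As an added example (not leadeater's own script), the UPN change described in the post done in PowerShell: register the email domain as an alternative UPN suffix at forest level, move the users of one OU onto it, and report anyone left on the old suffix. The suffix, OU and internal domain names are placeholders; it assumes the RSAT ActiveDirectory module.

```powershell
# Added example: switch user UPNs to the email domain while the AD DNS name,
# sAMAccountName and passwords stay as they are. Placeholder names throughout.
Import-Module ActiveDirectory

$newSuffix = 'my.example-school.school.nz'        # placeholder for my.<schoolname>.school.nz
$ou        = 'OU=Students,DC=school,DC=internal'  # placeholder internal domain
$preview   = $true   # leave $true for a dry run; set $false to apply

# 1. The suffix must exist at forest level before Set-ADUser will accept it.
#    For Office 365 sync it must also be a domain verified in the tenant,
#    otherwise the synced users fall back to the tenant's onmicrosoft.com name.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $newSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $newSuffix } -WhatIf:$preview
}

# 2. Rewrite each user's UPN to <sAMAccountName>@<newSuffix>; only the suffix changes.
Get-ADUser -SearchBase $ou -Filter * -Properties UserPrincipalName |
    ForEach-Object {
        $target = '{0}@{1}' -f $_.SamAccountName, $newSuffix
        if ($_.UserPrincipalName -ne $target) {
            Set-ADUser -Identity $_ -UserPrincipalName $target -WhatIf:$preview
        }
    }

# 3. Verify: anyone still on the old suffix is listed. Applications that cannot
#    handle more than one UPN suffix (a point raised later in the thread) are the
#    reason to check this before telling users to log in with their email address.
Get-ADUser -SearchBase $ou -Filter * -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -notlike "*@$newSuffix" } |
    Select-Object SamAccountName, UserPrincipalName
```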


8 hours ago, Blake said:

Snip

Updated with all of your comments, 100% agree

7 hours ago, leadeater said:

You can change users' UPN to use the email domain so the email address will work as the username, and have a different local internal domain name than the email domain name.

 

We used to do a lot of hybrid Office 365 deployments with existing onsite Exchange servers for schools. Students would have their mailboxes in Office 365 and staff local. Student email addresses would be a subdomain, i.e. my.<schoolname>.school.nz, and we would set the UPN to <username>@my.<schoolname>.school.nz. Probably not the best deployment configuration for a true hybrid setup, but the easiest and least disruptive to an existing setup.

 

Also I'm not a dedicated Exchange/O365 admin so I will defer the best advice to someone that actually is.

I know about the UPN change, but sometimes when you have an old environment running all sorts of servers (some are Windows 2012 R2, some are still Windows 2003 with very old legacy apps), then multiple UPNs are not supported by some specialized applications.

 

The thing with the selection of the AD name: consider possible forecasts, what your business wants, what your "IT security" says about possible naming, etc.

 

Sometimes the IT department is not the deciding party but only the "team who implements the wishes of the business".

 

And generally: it is always better to work as the IT department together with your business (or other non-technical departments).


30 minutes ago, pat-e said:

I know about the UPN change, but sometimes when you have an old environment running all sorts of servers (some are Windows 2012 R2, some are still Windows 2003 with very old legacy apps), then multiple UPNs are not supported by some specialized applications.

 

The thing with the selection of the AD name: consider possible forecasts, what your business wants, what your "IT security" says about possible naming, etc.

 

Sometimes the IT department is not the deciding party but only the "team who implements the wishes of the business".

 

And generally: it is always better to work as the IT department together with your business (or other non-technical departments).

Schools were never a very complex environment, and since the Microsoft agreements here are so good, they are always up to date with the latest products. I never did like the way we set up the O365 deployments, but that was our company standard, and for support reasons it is better to keep every client setup the same.

 

I don't work for that company anymore so I don't have to care now :). I work for a large university and yeah, we are still trying to decommission old 2003 servers that run custom software critical to business processes.

 

I will say working for an IT consulting company versus an in-house IT team is vastly different; I like both, but some advice suits each type better, etc. IT consulting is also far more demanding workload-wise, at least going from where I was to where I am now.
