
Best practices for AD Domain Network?

Hi Guys,

 

At work we are in the process of planning a network upgrade. We recently virtualized, with a 2-host cluster (both Dell servers with 10c/20t CPUs) running ESXi and vSphere.

 

We're now looking to totally redo our domain and network design, since the current one has been carried over for basically 10+ years.

 

Here's what we've got:

1. Primary DC + DNS + DHCP + Roaming Profiles
2. Backup DC + Backup DNS
3. File + Print Server
4. AV Server
5. Backup Server
6. SCCM/System Manager + WSUS Server
7. SQL Server
8. Various third-party servers required for our Library Infrastructure.

 

Can anyone give me suggestions on this setup? Recommended changes? Did I miss any services we should be running? Best practices?

 

Each numbered entry will be hosted on the VM cluster as a separate guest OS. We have a large SAN that holds all the data on the VM cluster, including a large data pool and all the VHDs for the VMs.

For Sale: Meraki Bundle

 

iPhone Xr 128 GB Product Red - HP Spectre x360 13" (i5 - 8 GB RAM - 256 GB SSD) - HP ZBook 15v G5 15" (i7-8850H - 16 GB RAM - 512 GB SSD - NVIDIA Quadro P600)

 


WPA2-Enterprise is great if you've got WiFi.

You can configure it using the network policy server (built into Windows Server), or you can also use FreeRADIUS. Both of them can hook into AD for authentication and policies.

 

 

Depending on how large the network will be, it might be a good idea to do some load balancing on FSMO roles. Although, you might want to avoid it because I've run into lots of issues with it (or do a lot of testing before implementing anything).

 

If you want a monitoring tool then I can recommend PRTG. The free version is limited to 100 sensors (one sensor can be, for example, an SNMP check of CPU usage, and another sensor would be an SNMP check of RAM usage, etc.), which is more than enough to at least try it out.

 

Remember to implement logging and NTP (in the Windows domain, the clients synchronize their clocks against the PDC Emulator). Super important if you ever get attacked.


I would put DFS in place and have Roaming / Redirected folders on both servers, which means that if one server goes down for some odd reason or another, the other server will stay alive and keep your shares working.

 

Computer Programming Nerd Guy + Computer Support @ Red Tree IT


1 minute ago, LAwLz said:

WPA2-Enterprise is great if you got WiFi.

You can configure it using the network policy server (built into Windows Server), or you can also use FreeRADIUS. Both of them can hook into AD for authentication and policies.

 

 

Depending on how large the network will be, it might be a good idea to do some load balancing on FSMO roles. Although, you might want to avoid it because I've run into lots of issues with it (or do a lot of testing before implementing anything).

 

If you want a monitoring tool then I can recommend PRTG. The free version is limited to 100 sensors (one sensor can be, for example, an SNMP check of CPU usage, and another sensor would be an SNMP check of RAM usage, etc.), which is more than enough to at least try it out.

 

Remember to implement logging and NTP (in the Windows domain, the clients synchronize their clocks against the PDC Emulator). Super important if you ever get attacked.

We currently have WIFI, with a hybrid implementation. We have Cisco APs and a Wireless Controller that manages the APs on the main site as well as our branches (6 APs total between all locations). We have several SSIDs configured for both Staff and Public Use. Public use is a simple Authentication Portal where they need to agree to our terms of service. Staff WIFI connections are simply using WPA2-PSK - we don't have many staff that require WIFI (and they can use the Public WIFI for their personal devices).

 

Our network is (comparatively) pretty small, with ~75-ish users on the Staff network. So we really wouldn't need load balancing or DFS. Although once we implement roaming profiles, we may re-examine that need, depending on the load.

 

For monitoring, vSphere can do most of that already, and we can quickly check CPU Load, temps, RAM usage, etc. We can also configure alerts via email, etc.

 

Can you elaborate on the logging aspect? What logging should we configure beyond the default settings that Windows Server logs? We also already have an NTP Server set up on our DC, I believe.


1 minute ago, dalekphalm said:

Can you elaborate on the logging aspect? What logging should we configure beyond the default settings that Windows Server logs? We also already have an NTP Server setup on our DC I believe.

I was thinking of logging for example routers and switches, not just the Windows clients and the servers.

So that you can see which people logged into the devices, at what time and what changes they made, and so on.

 

Not sure how critical the network is, or how likely it is to get attacked, but in case of an attack or error it is very useful for determining what exactly went wrong.
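One way to turn the switch/router logs LAwLz describes into a who/when/what trail, as an added example that is not from this thread: a PowerShell parser run over a few constructed Cisco IOS syslog lines. Device names, users and addresses are made up, and 10.20.30.0/24 is assumed to be the management subnet.

```powershell
# Added example, not from the thread. Parses Cisco IOS syslog lines (as a syslog
# collector would receive them from switches) into a who/when/what audit trail.
# The sample lines are constructed; hosts, users and addresses are placeholders.
$SampleSyslog = @(
    '<189>Jan  7 10:15:23 sw-core-01 1234: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: jsmith] [Source: 10.20.30.5] [localport: 22] at 10:15:23 UTC Mon Jan 7 2019',
    '<189>Jan  7 10:16:02 sw-core-01 1235: %SYS-5-CONFIG_I: Configured from console by jsmith on vty0 (10.20.30.5)',
    '<189>Jan  7 10:16:10 sw-core-01 1236: %PARSER-5-CFGLOG_LOGGEDCMD: User:jsmith  logged command:interface GigabitEthernet1/0/24',
    '<189>Jan  7 10:16:12 sw-core-01 1237: %PARSER-5-CFGLOG_LOGGEDCMD: User:jsmith  logged command:switchport access vlan 99',
    '<188>Jan  7 23:41:55 sw-branch-02 88: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 23:41:55 UTC Mon Jan 7 2019'
)

function ConvertFrom-CiscoSyslog {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        # Header: optional <PRI>, timestamp, device name, optional sequence number, %FACILITY-SEV-MNEMONIC:
        $hdr = '^(?:<\d+>)?(?<ts>\w{3}\s+\d+\s[\d:]+)\s(?<dev>\S+)\s(?:\d+:\s)?%(?<mn>[A-Z_]+-\d-[A-Z_]+):\s(?<msg>.*)$'
        if (-not ($Line -match $hdr)) { return }   # silently skip lines we do not understand
        $ev  = [ordered]@{ Time = $Matches.ts; Device = $Matches.dev; Mnemonic = $Matches.mn
                           User = $null; Source = $null; Action = $null }
        $msg = $Matches.msg
        switch -Regex ($ev.Mnemonic) {
            '^SEC_LOGIN-\d-LOGIN_(SUCCESS|FAILED)$' {      # who logged in (or tried to), and from where
                if ($msg -match '\[user:\s*(?<u>[^\]]+)\]\s*\[Source:\s*(?<s>[^\]]+)\]') {
                    $ev.User = $Matches.u; $ev.Source = $Matches.s
                }
                $ev.Action = if ($ev.Mnemonic -like '*SUCCESS') { 'login' } else { 'login-failed' }
            }
            '^SYS-5-CONFIG_I$' {                            # someone entered configuration mode
                if ($msg -match 'by (?<u>\S+) on \S+ \((?<s>[^)]+)\)') {
                    $ev.User = $Matches.u; $ev.Source = $Matches.s
                }
                $ev.Action = 'entered-config-mode'
            }
            '^PARSER-5-CFGLOG_LOGGEDCMD$' {                 # per-command config logging (archive / log config on the device)
                if ($msg -match 'User:(?<u>\S+)\s+logged command:(?<c>.*)$') {
                    $ev.User = $Matches.u; $ev.Action = "config: $($Matches.c)"
                }
            }
            default { $ev.Action = $msg }
        }
        [pscustomobject]$ev
    }
}

# Build the trail, then flag failed logins that did not come from the management subnet.
$trail = $SampleSyslog | ConvertFrom-CiscoSyslog
$trail | Format-Table Time, Device, User, Source, Action -AutoSize
$trail | Where-Object { $_.Action -eq 'login-failed' -and $_.Source -notlike '10.20.30.*' } |
    ForEach-Object { Write-Warning "Failed login as '$($_.User)' on $($_.Device) from $($_.Source) at $($_.Time)" }
```

Pointing the real switches at a syslog host (and enabling config-change logging on them) is what makes lines like these exist in the first place; the parser only gives them a shape you can search during an incident.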


4 minutes ago, LAwLz said:

I was thinking of logging for example routers and switches, not just the Windows clients and the servers.

So that you can see which people logged into the devices, at what time and what changes they made, and so on.

 

Not sure how critical the network is, or how likely it is to get attacked, but in case of an attack or error it is very useful for determining what exactly went wrong.

Ah good point. Our physical network infrastructure is actually managed by a third-party vendor, who configured the Cisco ASA Firewall, primary switch, Wireless Controller, and all the secondary switches throughout the network (including configuring all the subnets, VLANs, etc.). I'm not sure what level of logging they implemented, but there is some.

 

We're a Public Library, so we're not the biggest target, but we do have a public facing WIFI which does present a point of attack, but we have security configured pretty heavily on the Firewall and main Switch to keep naughty people out.

 

For other logging, we can only do so much, since, for example, for the Wireless Controller we didn't buy the Reporting Module from Cisco, so at best we can send traps to a trap receiver (this is actually how we calculate our wireless stats, and man it sucks ass). But we're doing a partial wireless upgrade next year that will hopefully remedy that issue.


Friendly reminder: give WSUS enough space. With updates these days the size can be a bit large.


9 minutes ago, Smite said:

Friendly reminder: give WSUS enough space. With updates these days the size can be a bit large.

Well we have about 7-ish TB of usable space on the SAN (12TB raw data, I believe it's in RAID 6, and some of the space was left unpartitioned), so we should be alright :P

 

Do you have a specific recommendation for the WSUS database store? In my test server, I gave it a 100GB virtual disk.


I ran a mixed environment of Windows 7 and 8 and it was roughly ~450 GB.


14 hours ago, dalekphalm said:

We currently have WIFI, with a hybrid implementation. We have Cisco APs and a Wireless Controller that manages the APs on the main site as well as our branches (6 APs total between all locations). We have several SSIDs configured for both Staff and Public Use. Public use is a simple Authentication Portal where they need to agree to our terms of service. Staff WIFI connections are simply using WPA2-PSK - we don't have many staff that require WIFI (and they can use the Public WIFI for their personal devices).

 

Our network is (comparatively) pretty small, with ~75-ish users on the Staff network. So we really wouldn't need load balancing or DFS. Although once we implement roaming profiles, we may re-examine that need, depending on the load.

 

For monitoring, vSphere can do most of that already, and we can quickly check CPU Load, temps, RAM usage, etc. We can also configure alerts via email, etc.

 

Can you elaborate on the logging aspect? What logging should we configure beyond the default settings that Windows Server logs? We also already have an NTP Server set up on our DC, I believe.

I would highly recommend using DFS paths; you don't have to use DFS replication or anything, as that doubles up on data, but it makes life much easier long term. What makes it so nice is that it abstracts the server/storage from the UNC path, so if you need to do a storage migration or share name change you can without remapping shares and updating GPOs. Basically DFS anything and everything you can, and do so when you get the chance to. Can't recommend this enough.

 

Have a read through the following thread for a more detailed example I gave, also shows some good share naming practices like always using hidden shares for the underlying DFS share.

 

Question, why are the roaming profiles on the DC?

 

I would also, in future when the chance comes up to replace the SAN, look at options that have native SMB and NFS capabilities so you don't have to run virtual file servers; Dell/NetApp etc. have good options.

 

I would split scope your DHCP across both DCs for resiliency.

 

I also second @LAwLz's advice to set up a RADIUS/NAP server and use WPA2-Enterprise so you can use the computer account of laptops to automatically join the wireless before login. This also allows for better auditing and tracking.
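What "DFS anything and everything" with hidden underlying shares looks like in practice, as an added PowerShell example that is not leadeater's or the thread's own code. The domain name corp.example, the member file server fs01, the D:\Shares paths and the share names are assumptions; the DFSN cmdlets need the DFS management tools installed where this runs.

```powershell
# Added example, not from the thread. Builds a domain-based DFS namespace that fronts
# hidden SMB shares on a member file server, so clients and GPOs only ever reference
# \\corp.example\Files\... and never the server name. Names below are assumptions.
$Domain     = 'corp.example'       # AD DNS name
$FileServer = 'fs01'               # member file server (not a DC, per the thread)
$NsRoot     = "\\$Domain\Files"

# 1) Hidden underlying shares on the file server: the $ suffix keeps them out of browse
#    lists. Share permissions stay broad; NTFS ACLs on the folders do the real access control.
Invoke-Command -ComputerName $FileServer -ScriptBlock {
    foreach ($s in @(@{ Name = 'DFSRoot$';  Path = 'D:\Shares\DFSRoot' },
                     @{ Name = 'Profiles$'; Path = 'D:\Shares\Profiles' },
                     @{ Name = 'Staff$';    Path = 'D:\Shares\Staff' })) {
        New-Item -ItemType Directory -Path $s.Path -Force | Out-Null
        if (-not (Get-SmbShare -Name $s.Name -ErrorAction SilentlyContinue)) {
            New-SmbShare -Name $s.Name -Path $s.Path -FullAccess 'Authenticated Users' | Out-Null
        }
    }
}

# 2) Domain-based namespace root. DomainV2 (Windows Server 2008 mode) is required for
#    access-based enumeration, which hides folders a user has no NTFS rights to.
if (-not (Get-DfsnRoot -Path $NsRoot -ErrorAction SilentlyContinue)) {
    New-DfsnRoot -Path $NsRoot -TargetPath "\\$FileServer\DFSRoot$" -Type DomainV2 `
                 -EnableAccessBasedEnumeration $true | Out-Null
}

# 3) Namespace folders that point at the hidden shares.
$folders = @{ 'Profiles' = "\\$FileServer\Profiles$"; 'Staff' = "\\$FileServer\Staff$" }
foreach ($name in $folders.Keys) {
    $path = "$NsRoot\$name"
    if (-not (Get-DfsnFolder -Path $path -ErrorAction SilentlyContinue)) {
        New-DfsnFolder -Path $path -TargetPath $folders[$name] | Out-Null
    }
}

# Roaming profile paths then use the namespace, not the server, e.g. for an assumed user:
#   Set-ADUser -Identity jsmith -ProfilePath "$NsRoot\Profiles\jsmith"
# Migrating storage later is: add the new server as a second target, remove the old one.
# Clients keep using the same \\corp.example\Files\Staff path throughout.
#   New-DfsnFolderTarget    -Path "$NsRoot\Staff" -TargetPath '\\fs02\Staff$'
#   Remove-DfsnFolderTarget -Path "$NsRoot\Staff" -TargetPath "\\$FileServer\Staff$" -Force

Get-DfsnFolder -Path "$NsRoot\*" | Get-DfsnFolderTarget | Format-Table Path, TargetPath, State
```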


This is more just questions, but it also doubles as advice if you aren't doing these.

 

Do you have separate VLANs/subnets for management interfaces, i.e. ESXi hosts, SAN management, wireless controller, switches/routers/firewalls? Do you also have another VLAN for wireless APs to talk to the wireless controller, not used by wireless clients?

 

Individual wireless subnets for trusted wireless (WPA2-Enterprise), staff BYOD, public/guest?


13 hours ago, dalekphalm said:

Do you have a specific recommendation for the WSUS database store? In my test server, I gave it a 100GB virtual disk.

If you're using SCCM then WSUS doesn't store any data; it's only used as a query interface into the Microsoft Updates Service to get the direct URL download links, then SCCM downloads them to distribution point(s).


14 hours ago, dalekphalm said:

Ah good point. Our physical network infrastructure is actually managed by a third-party vendor, who configured the Cisco ASA Firewall, primary switch, Wireless Controller, and all the secondary switches throughout the network (including configuring all the subnets, VLANs, etc.). I'm not sure what level of logging they implemented, but there is some.

Well I should have read the entire thread, this makes my second post regarding the networking setup a little pointless :P.


7 hours ago, leadeater said:

I would highly recommend using DFS paths; you don't have to use DFS replication or anything, as that doubles up on data, but it makes life much easier long term. What makes it so nice is that it abstracts the server/storage from the UNC path, so if you need to do a storage migration or share name change you can without remapping shares and updating GPOs. Basically DFS anything and everything you can, and do so when you get the chance to. Can't recommend this enough.

 

Have a read through the following thread for a more detailed example I gave, also shows some good share naming practices like always using hidden shares for the underlying DFS share.

 

Question, why are the roaming profiles on the DC?

 

I would also, in future when the chance comes up to replace the SAN, look at options that have native SMB and NFS capabilities so you don't have to run virtual file servers; Dell/NetApp etc. have good options.

 

I would split scope your DHCP across both DCs for resiliency.

 

I also second @LAwLz's advice to set up a RADIUS/NAP server and use WPA2-Enterprise so you can use the computer account of laptops to automatically join the wireless before login. This also allows for better auditing and tracking.

We'll take a look at DFS paths, and I'll have a read through that link you posted.

 

The roaming profiles themselves can be on any server, I suppose. We're still in the planning stages for this. Where should they go? Obviously the files themselves are stored on the SAN regardless (because whether it's a network share or the server's "HDD", it's all VHDs on the SAN in the end).

 

The SAN itself has native SMB capabilities, I'm sure. It's a quite expensive Dell EqualLogic SAN (don't recall the specific model), but pretty much the entire capacity of the SAN is configured as a couple of Data Stores in vSphere. So we can take those Data Stores in vSphere and then create VHDs and give those directly to a computer or server, or whatever.

 

Can you elaborate on what "split scope" for DHCP means? Does this just entail running a secondary DHCP server on the backup DC, or is there more to it than that?

 

WPA2-Enterprise is something we'll eventually consider, but it's definitely not in the books anytime soon. We also only have about a half dozen "work laptops" that actually even connect to the Staff WIFI network, and these computers aren't dedicated to any specific users; they're available to be booked out by any staff who request them. Aside from that, we've got about ~40 iPads (soon to be closer to ~80) that are also connected to the Staff WIFI network, and then a random assortment of PCs that we use as signage controllers for our TVs (a sort of rolling slideshow/video presentation that has upcoming events, dates and times, info, etc.). Most of these TV controller PCs aren't even joined to the staff domain, as there's little need (and half of the computers are running Windows 8.1 Home and thus cannot join without upgrading Windows to Pro).

7 hours ago, leadeater said:

This is more of just questions but also doubles as advice if you aren't doing these.

 

Do you have separate VLANs/subnets for management interfaces, i.e. ESXi hosts, SAN management, wireless controller, switches/routers/firewalls? Do you also have another VLAN for wireless APs to talk to the wireless controller, not used by wireless clients?

 

Individual wireless subnets for trusted wireless (WPA2-Enterprise), staff BYOD, public/guest?

 

7 hours ago, leadeater said:

If you're using SCCM then WSUS doesn't store any data; it's only used as a query interface into the Microsoft Updates Service to get the direct URL download links, then SCCM downloads them to distribution point(s).

SCCM and WSUS are in our "nice to have" group right now. Basically, if we have money left over in the budget for licensing, we'll grab SCCM and set up WSUS with it. So what you are saying is that SCCM directs WSUS to download and dump to a central "data storage" location (I assume a folder on a local HDD or on a network share)?

 

Does that 450GB figure listed above make sense? We're 90% Windows 10, and 10% Windows 7 at this point.

7 hours ago, leadeater said:

Well I should have read the entire thread, this makes my second post regarding the networking setup a little pointless :P.

No worries. Does that give you some insight into our setup?


23 hours ago, LAwLz said:

If you want a monitoring tool then I can recommend PRTG. The free version is limited to 100 sensors (one sensor can be, for example, an SNMP check of CPU usage, and another sensor would be an SNMP check of RAM usage, etc.), which is more than enough to at least try it out.

I can agree with that, I love PRTG.

 

It should be noted that it is (in some cases) only as smart as the person setting it up... I.E. LABEL THINGS CORRECTLY.


5 hours ago, dalekphalm said:

The roaming profiles themselves can be on any server, I suppose. We're still in the planning stages for this. Where should they go? Obviously the files themselves are stored on the SAN regardless (because whether it's a network share or the server's "HDD", it's all VHDs on the SAN in the end).

File shares should never be hosted on a DC, and this includes roaming profiles. The reason for this is not only security, but that DCs by default enforce signed and encrypted SMB sessions, so the performance isn't great and it causes high CPU demand.

 

5 hours ago, dalekphalm said:

Can you elaborate on what "split scope" for DHCP means? Does this just entail running a secondary DHCP server on the backup DC, or is there more to it than that?

Basically yes, but it can also load balance DHCP and help make sure DHCP is available all the time. https://blog.thesysadmins.co.uk/configuring-dhcp-split-scope-in-server-2008-r2.html

 

5 hours ago, dalekphalm said:

SCCM and WSUS are in our "nice to have" group right now. Basically, if we have money left over in the budget for licensing, we'll grab SCCM and set up WSUS with it. So what you are saying is that SCCM directs WSUS to download and dump to a central "data storage" location (I assume a folder on a local HDD or on a network share)?

As far as WSUS is used in SCCM, it's practically not used at all; the only thing it does is run syncs to Microsoft Updates to get a list of released updates and the direct URL download link. SCCM does the actual downloading of the updates, approvals and distribution of them to clients.

 

I would say though, don't bother with SCCM; I don't think you'll get enough benefit out of it for your size of network, and the resources to run it are rather high. Just use GPO, WDS+MDT and WSUS. This gives you about 95% of the functionality SCCM does for image deployment, updates and software distribution.


1 minute ago, leadeater said:

File shares should never be hosted on a DC, and this includes roaming profiles. The reason for this is not only security, but that DCs by default enforce signed and encrypted SMB sessions, so the performance isn't great and it causes high CPU demand.

 

Basically yes, but it can also load balance DHCP and help make sure DHCP is available all the time. https://blog.thesysadmins.co.uk/configuring-dhcp-split-scope-in-server-2008-r2.html

 

As far as WSUS is used in SCCM, it's practically not used at all; the only thing it does is run syncs to Microsoft Updates to get a list of released updates and the direct URL download link. SCCM does the actual downloading of the updates, approvals and distribution of them to clients.

 

I would say though, don't bother with SCCM; I don't think you'll get enough benefit out of it for your size of network, and the resources to run it are rather high. Just use GPO, WDS+MDT and WSUS. This gives you about 95% of the functionality SCCM does for image deployment, updates and software distribution.

Oh, yeah sorry, the Roaming Profiles themselves will of course be hosted on the File Server. The DC is simply configuring users to use them. I didn't mean to imply we were gonna store the profiles/files on the DC itself. (Although if you saw our old network, you'd have a heart attack, lol. Literally every service we had was running on one non-virtualized Windows 2008 R2 box; a minor service goes down and requires a reboot? Everything went down during the reboot.)

 

Yeah after your post I looked up DHCP Split-Scope and Failover. I don't know if we would use Split-Scope specifically though. I think we would more likely use DHCP Failover w/ Hot Standby.

 

I'll definitely consider your recommendation about not using SCCM - as I said, it was never part of the original redesign plan, just a "nice to have" optional component.
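The DHCP failover relationship discussed above (leadeater's load-balanced alternative to split scope, and the hot standby the OP leans toward), as an added PowerShell example that is not from this thread. The two DC names, the scope and how the shared secret is entered are assumptions; the standby DC must already have the DHCP role installed and be authorized in AD, and the scope must exist only on the primary, because the failover setup replicates it.

```powershell
# Added example, not from the thread. Creates a hot-standby DHCP failover relationship
# between the two DCs so the backup DC takes over leases if the primary goes down.
# Server names, scope and secret handling are assumptions for illustration.
$Primary = 'dc01.corp.example'     # currently the only DHCP server
$Standby = 'dc02.corp.example'     # backup DC, DHCP role installed, authorized in AD
$ScopeId = '10.20.10.0'            # existing staff scope on $Primary

# The shared secret authenticates failover messages between the partners; prompt for it
# rather than hard-coding it, then unwrap it because the cmdlet only takes a plain string.
$secure = Read-Host -AsSecureString 'Failover shared secret'
$secret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
              [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

# Prerequisite checks: both servers authorized, scope present on primary and absent on standby.
$authorized = (Get-DhcpServerInDC).DnsName
foreach ($srv in $Primary, $Standby) {
    if ($authorized -notcontains $srv) { throw "$srv is not an authorized DHCP server in AD" }
}
if (-not (Get-DhcpServerv4Scope -ComputerName $Primary -ScopeId $ScopeId -ErrorAction SilentlyContinue)) {
    throw "Scope $ScopeId does not exist on $Primary"
}
if (Get-DhcpServerv4Scope -ComputerName $Standby -ScopeId $ScopeId -ErrorAction SilentlyContinue) {
    throw "Scope $ScopeId already exists on $Standby; failover replicates it, so remove it there first"
}

# Hot standby: $Primary answers all requests, $Standby keeps 5% of the range in reserve for
# clients it sees during an outage and becomes active after the partner has been unreachable
# for StateSwitchInterval (AutoStateTransition). MaxClientLeadTime bounds lease divergence.
Add-DhcpServerv4Failover -ComputerName $Primary -Name 'DC01-DC02-HotStandby' `
    -PartnerServer $Standby -ScopeId $ScopeId `
    -ServerRole Active -ReservePercent 5 `
    -MaxClientLeadTime (New-TimeSpan -Hours 1) `
    -AutoStateTransition $true -StateSwitchInterval (New-TimeSpan -Minutes 30) `
    -SharedSecret $secret -Force

# Verify: the relationship should report State NORMAL and the scope now exists on the standby.
Get-DhcpServerv4Failover -ComputerName $Primary | Format-List Name, PartnerServer, Mode, State, ServerRole
Get-DhcpServerv4Scope -ComputerName $Standby -ScopeId $ScopeId | Format-Table ScopeId, Name, State

# Load-balance mode (both servers answering) is the same cmdlet with -LoadBalancePercent 50
# in place of -ServerRole/-ReservePercent.
```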


I would actually recommend looking into Aruba AirWave. It allows you to make it so that wireless users are validated when they log in to their machine, to make sure they have appropriate AD credentials to use the wireless network. It also has some pretty good monitoring built in as well.

 

EDIT: Airwave includes RADIUS which others have suggested.

[Out-of-date] Want to learn how to make your own custom Windows 10 image?

 

Desktop: AMD R9 3900X | ASUS ROG Strix X570-F | Radeon RX 5700 XT | EVGA GTX 1080 SC | 32GB Trident Z Neo 3600MHz | 1TB 970 EVO | 256GB 840 EVO | 960GB Corsair Force LE | EVGA G2 850W | Phanteks P400S

Laptop: Intel M-5Y10c | Intel HD Graphics | 8GB RAM | 250GB Micron SSD | Asus UX305FA

Server 01: Intel Xeon D 1541 | ASRock Rack D1541D4I-2L2T | 32GB Hynix ECC DDR4 | 4x8TB Western Digital HDDs | 32TB Raw 16TB Usable

Server 02: Intel i7 7700K | Gigabye Z170N Gaming5 | 16GB Trident Z 3200MHz
