
Multiple office Sites

11 hours ago, Fallen Soul said:

I am thinking of the second option. I am just trying to work out how to configure the routers at the moment to connect to the WAN (internet).

For the example I am just using the 192.168.0.X IPs and am not sure how to configure the WAN router, what IP addresses to use, or how to configure the router to reach the WAN router. This stuff I still have not got a 100% understanding of, and it is what is causing my road block.

You want to simulate the WAN as a network with a subnet mask of 0.0.0.0 so every IP could be used there.
Personally I would also use a Serial link if Packet Tracer supports that, but you probably don't have to worry about that because the modem provided by the ISP will take care of that.
So for your edge routers you want to set up NAT (https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/15-mt/nat-15-mt-book/iadnat-addr-consv.html) to translate the internal IP addresses to 1 public IP address. Then in your WAN you want to have them all connected and give them semi-random IP addresses just for fun.
Something like
173.25.10.4
189.45.78.2
etc.
Because they are all in the 0.0.0.0 subnet they can talk to each other, but you need the NAT to go back to the internal addresses.
For fun you could add a virtual PC or router in this domain with the IP address 8.8.8.8 (this is the Google public DNS IP); if you know how, you could even configure it as a DNS server for fun. But mostly it would be useful to test if you can reach this IP address from all sites.

You won't be able to ping from one office to the other one now because the NAT won't know what to do, so you will now need to set up a VPN or tunnel between the offices and set up routing protocols to learn the different subnets you are using in the offices. You might also need to set up VTP to learn the different VLANs, but I assume you will configure these manually.

Say for example in the HQ you have 192.168.0.0/24 (you probably want to use a larger subnet later, but this is just for the example to make it easier to read)
and in Office 1 you have 192.168.1.0/24.
You have to set up the NAT and give them public IP addresses, say for example
HQ = 123.45.6.7/0
Office 1 = 122.33.4.5/0
If you go onto the edge router of the HQ you will be able to ping 122.33.4.5 but you won't be able to ping 192.168.1.1.
Same goes for Office 1: you will be able to ping 123.45.6.7 but not 192.168.0.1.
If you have set up the NAT correctly, that is.
After you set up a tunnel or VPN and made sure your routes are set up correctly you should be able to ping 192.168.1.1 from 192.168.0.1.
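The layout described above, as an added Cisco IOS configuration example for the HQ edge router (this is not configuration from the thread; interface names, the simulated WAN router's next-hop addresses 123.45.6.1 and 122.33.4.1, the tunnel /30 and the placeholder pre-shared key are assumptions, while the public addresses and LAN subnets are the ones used in the post). The point it shows is the one the post makes: internet-bound traffic is translated, but traffic for the other office must bypass NAT and go over the tunnel.

```cisco
! Added example, not from the original post. HQ edge router for the
! NAT + site-to-site tunnel layout described above. Interface names, the
! WAN router next hop, the tunnel /30 and the key are assumptions.
hostname HQ-Edge
!
interface GigabitEthernet0/0
 description HQ LAN
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 description Simulated internet (the "0.0.0.0" WAN cloud)
 ip address 123.45.6.7 255.255.255.0
 ip nat outside
!
! Default route towards the simulated WAN router (assumed 123.45.6.1)
ip route 0.0.0.0 0.0.0.0 123.45.6.1
!
! NAT: only translate traffic that really leaves for the internet.
! The deny line is the important one: packets from the HQ LAN to the
! Office 1 LAN are NOT translated. Without it the reply from 192.168.1.x
! would be addressed to the public IP and the NAT table would hold no
! matching entry ("the NAT won't know what to do").
ip access-list extended NAT-INSIDE
 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/1 overload
!
! IKEv1/IPsec protecting the GRE tunnel between the two public addresses.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PRE-SHARED-KEY-PLACEHOLDER address 122.33.4.5
!
crypto ipsec transform-set OFFICE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! Only GRE between the two edge routers is encrypted by this crypto map.
ip access-list extended GRE-TO-OFFICE1
 permit gre host 123.45.6.7 host 122.33.4.5
!
crypto map OFFICE-VPN 10 ipsec-isakmp
 set peer 122.33.4.5
 set transform-set OFFICE-TS
 match address GRE-TO-OFFICE1
!
interface GigabitEthernet0/1
 crypto map OFFICE-VPN
!
! GRE tunnel: the private networks are routed over it, so inter-office
! traffic never touches the NAT translation.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 122.33.4.5
!
! Static route for the remote LAN via the tunnel. A routing protocol
! (EIGRP or OSPF running over Tunnel0) would learn this instead, as the
! post suggests, once there are more than two sites.
ip route 192.168.1.0 255.255.255.0 Tunnel0
```

Office 1 mirrors this with the addresses swapped (122.33.4.5 on the WAN side, 10.255.0.2 on Tunnel0, deny 192.168.1.0/24 to 192.168.0.0/24 in its NAT list, and a route for 192.168.0.0/24 via Tunnel0). To check it, `show crypto isakmp sa` should list the peer in state QM_IDLE and `show ip nat translations` should never contain 192.168.1.x addresses.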

17 minutes ago, Fallen Soul said:

OK, 

I have uploaded the resources that cover the current typology (well it doesn't really), company profile etc

Resources.rar

Guess you already failed the exercise :P



The reader must acknowledge that this business plan contains confidential information that is a secret to Talon Textile Fasteners (TTF) and is for use by other parties only when expressly directed through written approval by TTF.



You should really read the stakeholders interview and from there extract some info :). I'm not going to do this exercise for you, but by quickly scanning it, it seems like some of the stakeholders already answered some of the questions asked here. It seems the connection for the offices is already settled, so you will probably need a VPN/tunnel between the offices.

Also, by quickly scanning over it I would strongly recommend you look into the options of MS Azure and especially Power BI, because it seems there is some need for it ;).

I do have notes typed up as to what they wanted. So what part states they already have the offices' connections sorted?

I was originally thinking of having the main DC in HQ and then the other offices would replicate that down to their onsite DC. ..... We have that at my current job (Level 1 System Admin); no clue how they do it though.

46 minutes ago, Fallen Soul said:

I was originally thinking of having the main DC in HQ and then the other offices would replicate that down to their onsite DC. ..... We have that at my current job (Level 1 System Admin); no clue how they do it though.

So what level is this diploma again? If you don't know about trust relations and how to replicate the server this is going to be a very very very hard assignment ....

This part:

Quote

Well, I am not sure what I have got myself into here. I have some experience with Telcos in that past but do not have the expertise in server technologies to facilitate this upgrade. I have engaged Skillage I.T. to assist with the design and implementation of the whole thing, except for the comms, I'll take care of that. I have had a wireless back haul installed on Mt. Burr, why not, we own it now, that points back to Millicent, so fast comms there are done. Pts. Pirie and Adelaide already have ADSL2 which will be fine for the number of staff there and I have arranged a fibre link for Head Office.

It looks like the lines are already decided. You just have to think about the "software" part.

Here is some suggested reading material which might get you underway:

About the active directory:
https://msdn.microsoft.com/en-us/library/bb727085.aspx

Setting up windows vpn server(s):
https://technet.microsoft.com/en-us/library/cc725734(v=ws.10).aspx

About VoIP:
https://technet.microsoft.com/en-us/library/bb663703(v=office.12).aspx

Some tips for exchange:
https://technet.microsoft.com/en-us/library/cc164317(v=exchg.65).aspx

White paper about security when linking sites/offices together: IGNORE THIS ONE
https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-739609.html

Guide about connecting remote sites with each other:
https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Aug2014/CVD-RemoteSiteUsingLocalInternetAccessDesignGuide-AUG14.pdf

I haven't been able to read them all myself, but from quickly checking they seem to touch the topics you need for this assignment.

1 minute ago, Levisallanon said:

-snip-

Second to last link is for data-center links, not branch office linkage :P 

Trust me, OP does not want to dive into ACI, lol.

 

Last link for DMVPN is good though :) 


Just now, Lurick said:

Second to last link is for data-center links, not branch office linkage :P 

Trust me, OP does not want to dive into ACI, lol.

Oh right :P that's a bit too much overkill indeed :P .
The last link should probably give you everything you need anyways.

On the other hand ACI is very cool if you ever have some time to spare ;) .

2 minutes ago, Levisallanon said:

Oh right :P that's a bit too much overkill indeed :P .
The last link should probably give you everything you need anyways.

On the other hand ACI is very cool if you ever have some time to spare ;) .

Yah, it's definitely a good read but not for OP's assignment.... yet, lol. Although a lot of the new SDA stuff with VxLAN overlays is blurring the line a bit between the data center and access areas.

I'm still in VxLAN standalone territory myself, I'll deal with ACI when work forces me that way but for now I'm avoiding going too far into it, haha.


3 minutes ago, Lurick said:

Yah, it's definitely a good read but not for OP's assignment.... yet, lol. Although a lot of the new SDA stuff with VxLAN overlays is blurring the line a bit between the data center and access areas.

I'm still in VxLAN standalone territory myself, I'll deal with ACI when work forces me that way but for now I'm avoiding going too far into it, haha.

My work has its own IaaS platform, so when I have to deal with this I will probably have to dive into ACI more too.

Oh btw @Fallen Soul, it's not like I don't want to help you by not directly answering your questions. But this exercise you got, although difficult and long, is very fun to do, because you can play with so many different variables to see what works best, and you will probably learn so many more options when you dive into what is possible.
If you have the time I would strongly suggest getting an evaluation copy of Server 2016, installing a few on virtual machines and trying to replicate small parts of your setups to see if it works as expected. Doing this only once or twice will help you so much when you eventually have to do this "in real life". When you know a little bit what every option does it can save you so much time later on :).

2 minutes ago, Levisallanon said:

-snip-

Yah, I've spent a lot of time lately working with the BU on validation of new Multi-Site VxLAN features/solutions on some new Nexus 9K hardware :D 

I'm sure I'll get pulled off this at some point though and get thrown right into ACI, haha.

1 hour ago, Levisallanon said:

The reader must acknowledge that this business plan contains confidential information that is a secret to Talon Textile Fasteners (TTF) and is for use by other parties only when expressly directed through written approval by TTF.

Well, looks like we have a resolution to the post since now I don't have a job in this fake scenario :P

So, what you need to look at doing is quote A based on Azure and quote B based on on-premise equipment, this route is based on the requirement for two hardware options outlined previously.

 

Azure Option

 

This solution works around leveraging Microsoft Azure to serve workloads alongside Office 365 services for the hosting of mail and communication tools such as Skype for Business Online and Microsoft Teams.

 

Using the Azure / Office 365 approach would address the following key areas of concern:

 

  • Easy disaster recovery plan using Azure Backup tools and Meraki auto-failover connections.
  • Easy remote access via user-to-site VPN, enabling them to access files/applications.
  • SLA backed availability - see here for SLA report and here for Office 365 SLA
    • Note - you'll need to put the AD servers in a HAG (high-availability group), ensuring that neither of them are offline simultaneously. 
  • Security auditing is built into both Office 365 and Meraki. Azure is a bit different.
    • Office 365 Security & Compliance centre gives you a lot of options including support for MFA/2FA and IRM
    • Meraki (with advanced security license) will provide intrusion prevention & detection
    • Azure will still require good policies through AD/GPO as it's more of a conventional Windows environment
  • Firewall management can be done in a couple of ways: you can either use the Meraki appliances to filter traffic there or force all internet bound traffic out through a virtual firewall (Fortinet SecureWAN) within Azure.
  • Voice & video communications can all be handled by Skype for Business Online, for both internal and external communications. Note that either dedicated handsets (VoIP phones) or software based phones can be used for PSTN line calling.
  • Network monitoring for server health would be handled by a dedicated program: I'm looking to switch our company across to Site24x7 which includes Office 365 and Azure workload support. This provides alerts for VM health, alerts to downtime and the like.
  • Maintenance would be a standard maintenance schedule including things like WSUS and SMTP based alerting (where applicable, e.g. backup reports)

You would also look at deploying a new fleet of devices, all Windows 10 Pro minimum, joined to the virtualized domain controllers. 

 

The minimum skill set to deploy this scenario would be someone with minimum 2-3 years experience with Office 365 / Azure services who is ideally MCSA Office 365 certified. 

 

Infrastructure / Network

Your Azure option would work based on site-to-site VPN connections between Azure and each branch. Within Azure, you'd maintain 4-7 servers:

  • AD / DHCP / DNS 1, Windows Server 2016
  • AD / DHCP / DNS 2, Windows Server 2016
  • SQL instance OR Windows Server 2016 + SQL Standard installed
    • Dependent on whether software supports Azure SQL instances
  • Application server
  • OPTIONAL File Server
    • Optional: can be otherwise included with AD servers
  • OPTIONAL Azure AD Connect (DirSync) server OR ADFS server. Note that ADFS would require a WAP server too. 
    • Optional: recommended by Microsoft to be separate from the AD servers however in practical experience, it can be grouped together
    • This application is used to enable same-sign-on between the on-premise Active Directory (in this case, a virtual machine within Azure) and the Office 365 active directory.
  • OPTIONAL Terminal Server
    • This may or may not be necessary, depending on whether or not the applications are able to operate over VPN. Some ERP/CRM software does not like working over a VPN and thus terminal services or virtualized desktops (VDI) are necessary. 

For network management, I'd recommend deploying Meraki gateway appliances, specifically the following models:

  • Z3 Teleworker Gateway for single staff operation
  • MX64W / MX65 (+MR33 AP's) appliances for larger locations.

These will support a primary network connection such as NBN, EOC / EFM or Fibre alongside a 4G or ADSL connection for failover. For the larger site (40 staff) and possibly the smaller site at Mt Burr (25 staff), I'd recommend a fixed wireless service as the failover should budget allow. 

 

You require the WAN link failover as if the connection to Azure is down, staff will have no access to file / applications without using a user-to-site VPN to Azure, normally based off 4G. This can cause serious business impact.


Optionally you can also get an MPLS connection between your primary site and Azure to provide a direct (non-VPN) connection between your virtual infrastructure and site. This can be given automatic failover as the Meraki MX appliances can deal with MPLS to VPN failover. 

 

On-Premise Solution

The on-premise solution would be very very similar, utilizing Office 365 and Meraki services where possible however without the Azure workloads. 

 

You would instead need to source the following equipment for on premise.

  • Single virtualized server (HP/Dell/Lenovo), running either ESXi or HyperV
  • APC UPS including network management module + extended runtime UPS
  • Appropriate PoE switches
  • NAS for backups (QNAP recommended)
  • Use Veeam Backup & Replication alongside either Azure or a provider (like who I work for) to provide DRaaS

 

Other than that, the situation would be the same. Your workloads should still be the same; just your DR/backup would be handled by Veeam, backing up locally to a QNAP NAS and replicating to Azure or a 3rd party provider. DR (disaster recovery) can also be provided by Veeam, either to Azure or to a 3rd party provider with a 15 minute RPO (recovery point objective). Your RTO (recovery time objective) will differ depending on Azure vs 3rd party hosted DRaaS.

 

---------------------------------------------------------------

This is a very quick overview of 2 solutions for you.

 

As far as a very very very rough roadmap for deployment;

  1. Order the comms links: fibre and the like can take 3 months + to deploy, depending on time of year and site location + order all hardware required
  2. Deal with the Office 365 Exchange Online migration 
    1. You'll be doing a cutover migration as it doesn't mention anything about running any recent version of Exchange, and I'd assume that there's no Google Mail or Lotus Notes system in place, based off the age of the environment
    2. Because of a cutover migration, you can't do a pilot system however can rely on publicly available whitepapers to show proven business success. 
  3. Build new Azure workspace and copy production data across
  4. Optional: perform DR & backup recovery testing
  5. Image all new machines
  6. Copy latest production data across
  7. Deploy new machines & go live on new environment
  8. Plan for S4BO deployment
  9. Go live with S4BO

The reality of this is that each of these steps have dozens of things incorporated in them and there are pages upon pages of checklists, both from Microsoft and 3rd parties on things to consider (known as pre-deployment checklists). 

 

The scope of this assignment is absolutely ridiculous: a client hardware refresh, Exchange Online migration, PSTN > VoIP migration and P2V migration are all, on their own, individual projects requiring immense amounts of planning, testing and implementation to meet the requirements outlined in those PDFs.

 

If you want specifics on pricing for anything or specific advice, please just ask - I can give you RRP's on pretty much all of that stuff as I work for a company who implements this sort of thing on a regular basis.

 

 

EDIT: Just saw the interviews doc:

10 minutes ago, Windspeed36 said:

-snip-

thank you for all that information Windspeed36. 
I will be attempting to go over all the information supplied by all and take it all into consideration. 

I am still struggling to accept the sheer size of this assignment. Would have made more sense if it was a network and IT infrastructure of one building, not three remote offices on top. 

So far from what I have planned, and it is only very basic at the moment: all populated offices will have a server, all running DCs that replicate from each other (got to still work out how that works). The three servers will all most likely be running Hyper-V (more because I am familiar with it, to some extent) which will house the other servers, for print server etc. I was going to look into Office 365 and Skype for Business to cater for the mail and VoIP service (need to look into that still as well). For the DR plan I will use the one created from my last assignment I had previously ... maybe.

Also, they mentioned they had an SBS box.... no clue what that is and I couldn't find any info on that.

 

2 minutes ago, Fallen Soul said:

All populated offices will have a server, all running DCs that replicate from each other (got to still work out how that works)

There's no need to do this - you can just have 2 servers, either in Azure or hosted in HyperV/ESXi at the head office running AD DS/DNS/DHCP in high availability pools - all of the branches can access these via VPN so you won't need to put DCs out in branches. It's almost non-existent to see more than 2 domain controllers (DCs) in a staff count below 300 and even then, that's pushing it.

 

2 minutes ago, Fallen Soul said:

Also, they mentioned they had an SBS box.... no clue what that is and I couldn't find any info on that.

Small Business Server - think cut down Server 2008 or Server 2003.

1 hour ago, Windspeed36 said:

It's almost non-existent to see more than 2 domain controllers (DCs) in a staff count below 300 and even then, that's pushing it.

Personally I never deploy less than 2 DCs, licensing permitting. Mind you I've always worked in the education sector so MS licenses are given out like free candy.

 

Too much headache if there is only one and it breaks for some reason; even with fast recovery options it can take a while to actually get the job to someone that can do it. Not something onsite desktop techs are allowed to do.

1 minute ago, leadeater said:

Personally I never deploy less than 2 DCs, licensing permitting. Mind you I've always worked in the education sector so MS licenses are given out like free candy.

 

Too much headache if there is only one and it breaks for some reason, even with fast recovery options it can take a while to actually get the job to someone that can do it. Not something onsite desktop techs are allowed to do.

Well, it looks like we both have something in common. I also work in the education department. I'm an on-site tech but heavily managed by head office (well, the DCs are anyway). We only have 1 DC and two other physical servers; the other 5 servers I have got virtualised (head office sets up the servers... fairly disappointing).

18 minutes ago, Fallen Soul said:

Well, it looks like we both have something in common. I also work in the education department. I'm an on-site tech but heavily managed by head office (well, the DCs are anyway). We only have 1 DC and two other physical servers; the other 5 servers I have got virtualised (head office sets up the servers... fairly disappointing).

Before I changed job most schools got setup with 2 or 3 IBM/Lenovo x3650 servers with DS3500/V3700 storage array and backups sent to Netgear NAS (yuck use QNAP). We would pin (affinity rule) a DC to separate ESXi hosts as well as staff and student file servers. Again because MS licensing is free everything was setup in dedicated single service based VMs because there was no real additional cost other than vRAM and small amount of disk and CPU cycles.

 

This type of setup works well for schools that have rolls of 300-4000 students; there's a bunch of other stuff but eh, off topic. I know the company I used to work for is pushing hosted services rather heavily now instead of deploying hardware in schools. Not a big fan of that myself, but there are pros and cons for each method.

1 hour ago, Windspeed36 said:

All of the branches can access these via VPN so you won't need to put DCs out in branches.

So if they connect via VPN to HQ, will the workstations in those branches still be connected to the domain and act like the workstations in HQ?

48 minutes ago, Fallen Soul said:

So if they connect via VPN to HQ, will the workstations in those branches still be connected to the domain and act like the workstations in HQ?

 

26 minutes ago, Windspeed36 said:

Correct 

Just to give an example of this... right now I have some computers in VA that are getting their DNS (and therefore AD also) from a pair of servers that are in a different subnet and physically located in PA, accessed via a routed path through a VPN tunnel. Works fine aside from the slight latency for DNS lookups. Yes, the VPN tunnel becomes a single point of failure, but the reason you deploy two AD DCs is to protect against disk/system failure, corruption, etc., not necessarily to be an HA solution (but it has the side benefit of being that also).

1 hour ago, brwainer said:

Yes, the VPN tunnel becomes a single point of failure, but the reason you deploy two AD DCs is to prevent against disk/system failure, corruption, etc., not necessarily to be an HA solution (but it has the side benefit of being that also)

Having said that, automatic VPN failover is a thing.

6 hours ago, Windspeed36 said:

Having said that, automatic VPN failover is a thing 

True, but in my case a VPN connection failure means the BGP routes between them are jacked up or there is some other issue "in between" (happens about once a month, normally between 1AM and 6AM), so failing over from that would require some other external node to route traffic through, assuming it also isn't affected...