
The story of one infrastructure. MS solutions. Part 2
The story of one infrastructure. MS solutions. Part 1
Redo!
First of all, we installed very good air conditioning in the rooms of the switching and computing center. As a result, hard drives began to fail half as often.
Then we began to modernize the existing fiber-optic communication lines (FOCLs) and the switching: to bring connectivity where it was not yet available, to provide full redundancy of the backbone FOCLs, and to unify the switching equipment in use. The process was not fast and the chronology of events can no longer be reconstructed. I will just say that as a result we have twelve fiber-optic cable segments (with a total length of 3 km) and six peripheral switching points. The optical converters (50 pcs.) are housed in rack-mount managed chassis (7 pcs.). An inexpensive and popular Layer 2 managed switch with 24 Gigabit Ethernet ports (20 of them are in use) was chosen as the standard: it supports VLAN groups (the demilitarized zones are organized with VLAN groups) and port aggregation (we use aggregation everywhere: on trunk segments, switch-to-switch connections and server connections). At the peripheral switching points all equipment was placed in special turnkey cabinets; at the central node everything comes into the rack with the switching equipment. In summary, I will say that nothing was left of the initial project for switching the plant management and the shops of the factory complex. All previous equipment is decommissioned and sits in the far corner of the special room, i.e. we invested in one project about one and a half times over. Unification is worth it!
Organize!
Somewhere around here, in the intervals between the ongoing infrastructure development projects, the enterprise's IT function grew to the point of being called the information technology department (OIT), which I headed. The software engineer of the general department was placed at my disposal, changing his line of work since there was no longer an urgent need for the previous one, and my former, now vacant, position of engineer for automated systems could be filled with a new person, which was done. A document, “Distribution of tasks of OIT employees”, was developed, according to which the software engineer now focuses on technical support of users on client software issues and on writing instructions for users of the information system (IS) and other documentation, the automated systems engineer handles user support on hardware issues and the enterprise's switching, and I took the organizational tasks and infrastructure issues. Work became more fun!
It is fashionable to be licensed ...
And, of course, we were not spared by the "fashion for licensing the software products of one well-known manufacturer". The first bell announcing that it was time to live honestly, and that stealing was now punishable, forced management to adopt a software licensing policy. It was decided to license under the Open License program in several stages: first the server software, then client and client access licenses in three stages. And we got all the newest: Windows Server 2003 R2 Std (as it turned out, we absolutely don't need Enterprise Edition), Exchange Server 2007, SQL Server 2005, ISA Server 2006, Live Communications Server 2005, Windows XP Professional, Microsoft Office 2003 / 2007.
After the purchase, in order to ensure "license cleanliness", the following tasks automatically arose:
- replacing the installed Windows Server 2003 R2 Enterprise editions with the licensed Standard edition
- replacing the installed Windows Server 2000 with licensed Windows Server 2003 R2
- replacing the SQL Server 2000 in use with licensed SQL Server 2005
- replacing the Exchange Server 2003 in use with licensed Exchange Server 2007
- replacing the ISA Server 2004 in use with licensed ISA Server 2006
- replacing the Live Communications Server 2005 in use with the licensed version
Having studied these issues and taken into account all the deviations in the server hardware in use, we decided to gradually replace and upgrade the equipment that did not meet our reliability requirements (all within the framework of the enterprise software licensing project).
As part of the licensing ...
Then the question arose of choosing software for comprehensive protection against malware (antivirus protection). The main wish was to choose a package from a single manufacturer covering client PCs, Exchange mail databases and the file storage. We looked at the tried-and-true solutions, but, unfortunately (or maybe even fortunately), none of the usual manufacturers of data protection software had managed to release a complete solution for the new Exchange server. And just then MS made a noise with its new Forefront product line. We waved our hand (“come what may”) and decided in favor of the MS Forefront products. Bought under the Open Value program for three years: Forefront Client Security (FCS), Forefront Client Security Management Console,
Around this time we were able to acquire, very inexpensively, a very short second-level domain name matching the short name of the company. Just lucky! Accordingly, it was decided that the migration to licensed software would be accompanied by a domain rename, and that we would gradually stop using the old mail domain.
Work began to boil. We systematically carried out the tasks of software licensing and elimination of deviations. Bought new equipment. Installed it. Migrated our data. Threw out the old. For example, the hardware configuration of the main Exchange server is as follows: two Intel Xeon 5410 processors on an Intel S5000PSLSATA board in an Intel SC5400LX chassis with two 830W hot-swap power supplies, hot-swap cages for ten SAS hard drives, an Intel SRCSAS18E RAID controller with a battery backup unit, 8GB of RAM and ten 73GB 15K SAS hard drives (2 disks in RAID1 for the OS, 6 disks in RAID10 for the database and 2 Hot Spare disks). The servers that do not need a high-performance disk subsystem (for example, the domain controllers, the ISA server, the Exchange Edge server) have cages for four SAS disks with three disks installed (2 disks in RAID1 for the OS and 1 Hot Spare disk) and less RAM, 4GB. The main objective was to ensure maximum redundancy wherever possible with minimal investment (RAID1 arrays, Hot Spare drives, aggregation of network interfaces, redundant power supplies). The goal has been achieved.
And just when the projects seem to be nearing their logical conclusion, management expresses a wish: to hold the daily work meetings of department heads through PCs over the existing network. But the freshly acquired Live Communications Server 2005 does not support multi-point audio and video conferences and never will, because its successor, Office Communications Server 2007 (OCS), has just been released. Well, the project was costed and agreed, the decision was made: we get a fresh Office Communications Server 2007 and a physical server to go with it (it will come in handy anyway, not everything has been replaced yet). Bought under the Open License program and quickly implemented. We settled for audio conferences only; however, we had to select microphones, and chose Arthur Forty conference microphones (it somehow did not work out with consumer devices).
Along with all the restructuring, we upgraded the uninterruptible power supply (UPS) system: bought the missing UPS units and supplemented the existing ones with battery modules. As a result, every two servers have one 3KW UPS with two additional battery modules. The battery life of such a kit more than suited us, about 5 hours. In total, 5 UPS units and 10 battery modules were installed near the two server racks. The rack with the switching equipment has the same kit, but a little lighter, at 1.5KW (with a battery life of about 10 hours). We were lucky: we initially chose the "right" UPS and did not have to change anything.
The unification of server hardware was more than successful! True, there are slight differences in the server disk subsystem configurations, because the servers were purchased at different times, just when SAS was replacing SCSI. But tick the box: the deviations are eliminated.
Also, in parallel with these projects, work was underway to replace client computers that were “technically unsuitable”, and many new workstations were set up. The number of client PCs has exceeded 100.
Again assessment of results ...
Through heroic efforts, detailed documentation of the enterprise's information system (IS) was created within one month (it currently comprises more than 100 documents (graphic diagrams, descriptions and tables) in electronic form and 250 pages on paper). Another piece of secret knowledge: detailed documentation is extremely important. For example, in the course of documenting you can detect configuration errors and suboptimal architectural decisions. Tidy documentation, tidy infrastructure!
Having eliminated the deviations in equipment and communication lines and drawn a line under these milestones, we can assess what services we have (and which have us), and where to move on:
- physical communications service (communication lines, switching equipment).
- directory service (Active Directory, DNS, DHCP, Certificate Authority) in a fault-tolerant configuration on two Windows Server 2003 R2 servers. Intended for infrastructure management. Group policies provide almost complete control of the devices on the network.
- routing service (ISA Server 2006) on Windows Server 2003 R2. Intended for IS clients' access to global network resources, for publishing internal resources, for supporting the demilitarized zones, and for remote client access to IS resources.
- mail service (Exchange Server 2007) on two Windows Server 2003 R2 servers: a primary server and an edge server located in the perimeter network. The main mail server stores user mailboxes, provides the global address list to clients, and provides access to mailbox resources via RPC (Outlook client), SMTP and POP, and via the remote access protocols RPC over HTTPS (Outlook client) and HTTPS (web client). The Edge server accepts connections from Internet mail servers, performs spam filtering, and sends correspondence to remote domains. To protect against malware, the mail servers use Forefront Protection 2010 for Exchange (formerly Forefront Security for Exchange).
- file storage service on a Windows Server 2003 R2 server. Intended for organized storage of user documents (user documents are redirected to the storage using group policies). The storage structure mirrors the organizational structure of the enterprise. The “Previous Versions” functionality (provided by shadow copies) is available to users. Content is filtered and reports on storage usage are generated. The storage content is indexed and available in SharePoint search results.
- database service (SQL Server 2005) on Windows Server 2003 R2. Intended to host the database of the "1C" application. It also stores the databases of the update service (WSUS), the protection service (FCS) and the document management service (SharePoint).
- conferencing service (OCS 2007) on Windows Server 2003 R2. Intended for exchanging instant messages and files, holding voice and video conferences, publishing users' presence on the network and sharing the desktop (Office Communicator 2007 R2 is used as the client). Integrated with the voice features of the mail service mailboxes.
- update service (WSUS), hosted together with the database service. Intended for installing updates on client PCs and enterprise servers (timely installation of updates is a prerequisite for the normal functioning of the system as a whole; this is secret knowledge, a child of experience).
- protection service (Forefront Client Security), hosted together with the database service. Intended for centralized management of the client anti-virus software. It uses the update service (WSUS) to distribute itself and its updates, the directory service (group policies) to distribute its settings, and Microsoft Operations Manager 2005 (MOM) to collect data. This product performed excellently over the entire period of use: we had no PC infection incidents (in 3 years).
- workflow service (SharePoint Server 2007) on a Windows Server 2003 R2 server. Intended for orderly storage of documents, organization of document management processes, and much more, which I will discuss in more detail below with specific examples. Forefront Security for SharePoint is used on the workflow server to protect against malware.
To be continued ...