Opinions requested on a move/expansion Active Directory/Exchange project

ssmile10
I'm not sure if this is appropriate to ask here, but I'd like some feedback since I'm the only IT guy working here and have no one else to discuss it with.

I work for a company that has a main office and two branch locations.

The branch locations are not connected via VPN at this time, but will be once we move our main office to a new location.

Our main office currently has the following:
Server 1: AD/DNS/File Sharing/Printer/Exchange - bogged down and overburdened.
Server 2: Web based Application - Runs fine
Server 3: Backup for Web based Application - Experiences issues

What we want:
Main office:
-Host all above services
Branch1
-Domain membership
-Access to all services at main office
Branch2
-Domain membership
-Access to all services at main office

Here's what I'm thinking:
Main Office
-Purchase a VM server and host the following
--VM1: AD/DNS/Printer
--VM2: Exchange
--VM3: Web based application
-Use one of the older servers as a DFS server to link with branches
-Purchase a NAS for backups
Branch1
-Use one of the older servers as a RODC with AD/DNS/Printer/File with DFS
Branch2
-Use one of the older servers as a RODC with AD/DNS/Printer/File with DFS

Does anybody see any problems with this plan?
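The plan above puts a read-only domain controller in each branch. The security point of an RODC is that it only caches the secrets of accounts its Password Replication Policy allows, so if a branch box is lost or stolen only those accounts are exposed. The script below is an added example, not part of the original post and not anything the poster or the forum supplied; it audits each RODC's policy, lists which accounts are actually cached, flags any privileged ones, and checks that branch subnets are mapped to sites so clients authenticate locally instead of over the WAN. It assumes the ActiveDirectory PowerShell module (RSAT) in a domain-joined session with rights to read the configuration partition; the privileged-group list is an assumption to adjust for your domain.

```powershell
# Added example (not from the thread): audit branch RODCs before and after the move.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session with read rights.
Import-Module ActiveDirectory

# 1. Every read-only DC in the domain, and the AD site it was promoted into.
$rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true }
if (-not $rodcs) { Write-Warning "No RODCs found in this domain."; return }

# Assumed list of groups whose members must never be cached on a branch RODC.
$privileged = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')

foreach ($dc in $rodcs) {
    Write-Host "`n== $($dc.HostName)  (site: $($dc.Site)) =="

    # 2. Password Replication Policy: which principals' secrets this RODC is allowed to cache.
    #    Keep this to the branch's own users and computers; the Denied list should cover admins.
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $dc -Allowed
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $dc -Denied
    Write-Host "Allowed to cache: $(($allowed | ForEach-Object Name) -join ', ')"
    Write-Host "Denied:           $(($denied  | ForEach-Object Name) -join ', ')"

    # 3. Accounts whose secrets are cached on this RODC right now (the actual exposure if the box is lost).
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $dc -RevealedAccounts)
    Write-Host "Currently cached: $($revealed.Count) account(s)"
    $revealed | Where-Object { $_.ObjectClass -eq 'user' } |
        ForEach-Object { Write-Host "  $($_.SamAccountName)" }

    # 4. Flag any cached account that sits in a privileged group.
    foreach ($acct in $revealed) {
        $groups = Get-ADPrincipalGroupMembership -Identity $acct | ForEach-Object Name
        $hit = @($groups | Where-Object { $privileged -contains $_ })
        if ($hit.Count -gt 0) {
            Write-Warning "$($acct.SamAccountName) is cached on $($dc.Name) and belongs to: $($hit -join ', ')"
        }
    }
}

# 5. Site awareness: a branch client only prefers its local RODC when its subnet is mapped to that site.
#    Subnets showing <unassigned> are the usual reason branch logons cross the WAN to head office.
Get-ADReplicationSubnet -Filter * -Properties Site |
    Select-Object Name, @{ n = 'Site'; e = {
        if ($_.Site) { (($_.Site -split ',')[0]) -replace '^CN=', '' } else { '<unassigned>' } } } |
    Format-Table -AutoSize
```

Run it from the head-office DC or an admin workstation once the branch RODCs are in place; a fresh RODC normally shows an empty Allowed list, so adding a branch-specific group to it (and re-running the script) is how you confirm that only local accounts end up cached.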
    robo_dev

    Hardware is so cheap these days that a new primary/secondary server at each site would have better uptime than a creaky old server. An extra $500 server is cheaper than having to hightail it to a branch site on a holiday weekend :)

    If you create a site-to-site VPN between the two branch sites, that gives you a secondary network path to the main site for either location. (More complex routing and AD scenario, but more fault tolerant.)

    ssmile10

    The servers are probably 8 years old. I have to agree that putting newer servers in the branches is a better option, however, I was just told that my budget is not what I was hoping. I am pushing for dedicated site-to-site connections. We will see.

    gechurch

    Eight years?? Wow - you've got some work to do to persuade management not to use servers that old. I work with several small companies as a consultant and am often told there's not the budget for upgrades. I always explain to them the risk they are taking. There are a few ways I explain it, depending on the client:
    * I explain that most companies replace their servers every 3-5 years, because the chances of hardware failure increase substantially after this period.
    * That an eight-year-old server does not have warranty. This is a double-whammy; your servers are far more likely to fail because of their age, and since there's no warranty it could take weeks to ship an appropriate part in, or the part may no longer be available at all.
    * I explain that having warranty and decent-aged servers is a form of insurance. I then ask if they would consider not having insurance on their building and contents. Most business owners would say that is unthinkable.

    I also generally ask them how big a deal it would be if they lost all the work they entered into the system yesterday. When they answer that I then ask "What about if you lost all the work across the whole company for a day?" Then "Ok, now imagine that happens, and on top of that you don't have access to the server for a week while we express a replacement part in. No email. No <whatever> database. No access to your files. How big a deal would that be?" People tend to look fairly pale about now as the consequence of downtime dawns on them.

    Remember - it's not that the budget doesn't exist. It's that management have budgeted the money elsewhere because they don't see any need to spend money when the system is working fine. It's your job to educate them and get them to see that servers that old won't continue to work fine; they will fail at some point and by not replacing them they are gambling with their company's data.

    Sorry to drone on about this point but seriously - running servers that old is a bad idea, and if a failure does happen and the servers are down for a week they will be coming to you as the one who allowed this to happen.

    If you explain the situation clearly you should now be asked to do some quoting (if not, send an email around to management to the effect of "I want to get in writing our conversation from earlier today. I consider it a huge risk to continue running servers of this age. It's not a matter of if they will fail, but when, and I'd like to make sure that I have explained the consequences of a hardware failure").

    I agree with robo_dev - you don't need top-of-the-line servers. New hard drives are a must, so too is a good quality RAID card. You can pick up a used P400 RAID card with BBWC for about $100 on Ebay. That's a proper hardware RAID card, and at that price you can pick up a spare in case the first one fails. (Just be sure it is compatible before you buy.) You can go beige-box PCs for your server if you must. Or better, purchase a second-hand server on Ebay. You can get good 3-year-old, high-end servers for very little from companies that rotate their servers that often. As above, just make sure you're using new drives. On that, drives are the most expensive part of the server. You don't have to go with expensive SAS drives (although it's recommended for anything important, and for IO intensive apps like Exchange). You can choose to go with SATA. Just make sure they are RAID-compatible drives, then set them up either with a hot-spare or as RAID6.

    Also, definitely consider virtualisation if you're not doing it already. ESXi, Hyper-V and XenServer are all free. Then make sure you are backing up the VMs themselves, and make sure you have a DR server to fail over to (and of course test the recovery process). Again, this can be done on the cheap - grab a second cheap Ebay server. You can get by with a single HDD for testing the restore process. If the DR server ever does die you can go and grab a few SATA drives locally and set up RAID.

    Along with the above make notes about how likely each component is to fail, and what the cost (in money for replacements, and in downtime) will be if failure happens. Also be sure to note what sort of lifetime they can expect to get out of the gear, and list an estimate of your labour. Also quote what you think is an adequate setup (new servers, SAS drives, dual PSUs etc) so management can see what the cost savings are by cheaping out. Once you've done this, going the proper option will often look attractive because your labour will be significant, and you'll have to do it all again sooner with second-hand gear.

    If all this fails and there really is no budget, another option may be to move things to the cloud. At least this way they will be paying monthly instead of needing a huge outlay. And the advantage for you is clear; you won't be losing sleep at night worrying about hardware failure.

    gechurch

    Grrr! TR just won't let me post a response. I've tried at least 5 times across 3 browsers and two different PCs. Hopefully this shorter response will work.

    Basically my response was that it should be fine. I strongly recommend speaking to your ISP about having a dedicated connection between the three sites. I don't know what the generic name for this is, but the main ISP in Australia calls it Connect IP. Basically they will connect your sites together just like a VPN, only they take care of it for you so it's all transparent. They will also be able to offer you things like QoS and dedicated bandwidth.

    The other alternative to consider is to put in a good RDS/Citrix server and have the branch employees remote in. Advantages of this are centralising management, having a fast link between all servers, no syncing needed, and employees can access it from anywhere.

    gechurch

    Oh, something else to consider is contacting a local IT firm to help you out. It's hard being the sole IT person. No-one in their right mind should expect you to be an expert at configuring new servers, VPNs etc because you don't get the chance to do it often. A decent local firm will have expertise and experience in doing this and will be able to make good recommendations to you about which VPN gear to buy, or what sort of link to put in between branches, and will know how to set up the remote servers and which GPOs to set etc etc. Any place worth their salt will be happy to work with you too and let you do as much or as little of the grunt work as you like.

    At the very least I would recommend contacting a couple of places to get their recommendations. Even if you ultimately decide to do the whole project yourself, it can't hurt to have a few more opinions.

    ssmile10

    So when you say "remote in" are we talking about accessing VMs as their desktops using a thin client? I would love to use this setup, but it's not going to be easy to convince the decision makers to purchase more hardware, or to use the existing desktops as thin clients and purchase more desktop licenses to cover the VMs. But I guess it would be cheaper than purchasing new servers to put in each branch.

    gechurch

    Yeah, pretty much. I was talking about using the remote desktop protocol to connect in to a terminal server at head office (either a VM or physical). If you're buying hardware then thin clients are a good idea, but if you have existing PCs I wouldn't throw them away - there are a few Linux distros that you can install that basically turn your desktop PCs into thin clients.

    You are correct to start considering licensing costs. The OS itself is fine (in fact this is a saving - you only need to buy one server OS instead of purchasing one for each branch), but you will need to have a Remote Desktop Services (RDS) CAL for each user or PC. Additionally, you need to have volume licenses for Microsoft Office. Office is a particular pain in the bum actually. It's licensed per-device only these days, which means if you have an employee that occasionally logs in from home then you need to buy an extra Office CAL. Or have someone go on a trip and use an Internet cafe to remote in to check their email? Yep - another CAL needed. (Apparently if you get software assurance it includes a roaming right that gets around this.) You also have to go volume license for Office these days - retail and OEM will refuse to install on a terminal server.

    So in summary you have no new hardware costs, but licensing could range anywhere between nothing and "oh my God you said how much?" depending on what licenses you currently own.
