In my work I have often had to deal with networks that seemed to be working, but in which any minor incident could turn into hours of idle time out of the blue. The DC is dead? Don't worry, we have a second one. Why won't the shares open? Why doesn't the gateway ping? And, as it turns out, that DC was the only DHCP server, and now everyone has dropped off the network.
In this article I will try to describe what, from my point of view, are the right solutions for building the infrastructure of a small enterprise network. Of course, this article reflects the author's personal best practice and may differ from the reader's ideals.
So. We have up to 100 clients on our books. Everything is standard: users go to the Internet, send mail, use file storage, work in 1C, want a faster computer and try to catch viruses. And yes, we don't know how to do clouds.
A couple of pillars of almost any infrastructure,
and then we'll go over the obvious and not-so-obvious nuances. By the way, I repeat: we are a small-to-medium business, don't go overboard.
Data integrity "A bomb hit the server room."
If a bomb really does hit your server room, data safety will most likely be the last thing on your mind. It is far more likely that on December 31 a pipe bursts upstairs, which starts a fire there, and the floor caves in.
- Data is our everything. One of the backup servers must be located outside the server room. This is your lifeline. Even if it holds only the most important things, within a day or two you can buy or rent a server again and deploy a working infrastructure. You will never be able to restore an irretrievably lost 1C database. By the way, an old box along the lines of a P4-2400 / 1024 with properly organized backups usually copes fine.
Monitoring “01/01/2013 02:24 | From: Zabbix | Subject: Nuclear launch detected! ”
You have a great time celebrating the New Year with friends. By the way, you are not the only one: the caretaker of the building where you rent your premises doesn't waste time either. So a burnt-out room flooded with water will be a pleasant bonus for your aching head on the morning of New Year's Day.
- If something goes wrong, you simply must be the first to find out about it. SMS alerts about critical events are the norm. By the way, if the monitoring server hasn't reported in by 5 minutes after your alarm clock goes off in the morning, it is time to sound the alarm: the server that monitors the monitoring server didn't write anything either. Don't worry, though, you have a backup server outside the server room, which did write to you that it lost everyone but is itself still alive.
Recovery plan “Calm down, Kozlodoev, we're all going down!”
This is the worst New Year of your career. Yes, after receiving the SMS and assessing the situation you called the firefighters immediately, they arrived within about 5 minutes and put the fire out quickly. But all the same, one part of the server room burned, the second was covered in foam, and the third ended up under the floor.
- That's a lie, of course. It is not the most pleasant New Year, but not the worst either. Yes, you'll have a busy week, but thanks to a clear plan you know where to start and what to do. For disaster recovery I recommend writing everything down thoroughly and in detail, including console commands. If you have to restore some MySQL server that was set up three years ago, do you think you will remember that one insignificant nuance you will otherwise spend half a day on? By the way, things will go somewhat differently than you planned, perhaps completely differently; be ready for that.
Now to the basics of a network built on AD.
I'm not going to paint the benefits of clustering, Live Migration and the like. We are a small business and there is no money for vMotion. It isn't necessary, though: most services can be made redundant perfectly well "out of the box." Below is not a how-to on configuration; rather, I will try to point you in the right direction for self-study.
- Active Directory. There should be two domain controllers, physically on different hardware. By the way, Microsoft does not recommend (did not recommend) running all the DCs in virtual machines, i.e. at least one DC should be bare metal. In general this is nonsense: you can run the different DCs on different physical hosts, just follow Microsoft's general recommendations for configuring DCs in a virtual environment. By the way, don't forget to make both domain controllers Global Catalog servers.
- DNS is simply the foundation. If your Domain Name Service works crookedly, you will constantly be chasing bugs out of the blue. There should be at least two DNS servers, and we have the DCs for that. And contrary to the Best Practices Analyzer recommendations, on the DCs themselves I advise you to point each DC to itself as primary DNS. And one more thing: forget the practice of registering servers on clients by IP address. If it is an NTP server, clients should know it as ntp.company.xyz; if it is a proxy, then something like gate.company.xyz; well, you get the idea. By the way, it can be the same server named srv0.domain.xyz, just with different CNAMEs. When expanding or moving services this helps enormously.
- NTP server, following on from DNS. Your DCs should always give the exact time.
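The CNAME practice from the DNS point above, as an added example (not code from the original post): a helper that creates a role alias such as ntp or gate, and later repoints it when the service moves to another box, so no client configuration changes. The zone company.xyz and the hosts srv0/srv1 are assumed, not taken from the post.

```powershell
# Added example, not from the original post. Assumes the AD-integrated zone
# company.xyz already exists and hosts srv0/srv1 have A records in it;
# the alias names below are illustrative.
Import-Module DnsServer

$Zone = 'company.xyz'

function Set-ServiceAlias {
    # Creates or repoints a CNAME so clients always reach a service by its
    # role name (ntp., gate.) and never by the IP or hostname of the box.
    param(
        [Parameter(Mandatory)][string]$Alias,     # e.g. 'ntp'
        [Parameter(Mandatory)][string]$HostName   # e.g. 'srv0'
    )
    $target = "$HostName.$Zone."   # trailing dot: fully qualified target
    $old = Get-DnsServerResourceRecord -ZoneName $Zone -Name $Alias `
               -RRType CName -ErrorAction SilentlyContinue
    if ($null -eq $old) {
        Add-DnsServerResourceRecordCName -ZoneName $Zone -Name $Alias -HostNameAlias $target
        return
    }
    # Service is moving: swap the alias target in place, clients keep their config
    $new = $old.Clone()
    $new.RecordData.HostNameAlias = $target
    Set-DnsServerResourceRecord -ZoneName $Zone -OldInputObject $old -NewInputObject $new
}

# Initial state as in the text: several roles on one box, different CNAMEs
Set-ServiceAlias -Alias 'ntp'  -HostName 'srv0'
Set-ServiceAlias -Alias 'gate' -HostName 'srv0'

# Later the proxy moves to a new box: one DNS change, no client touched
Set-ServiceAlias -Alias 'gate' -HostName 'srv1'

# Check from a client's point of view (after TTL expiry or ipconfig /flushdns)
Resolve-DnsName -Name "gate.$Zone" -Type CNAME | Format-Table Name, NameHost
```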
Thanks to foxmuldercp for the advice. - There should be two DHCP servers too. On the same DCs; a perfectly working scheme. Just configure them so that the address ranges they hand out do not overlap, but so that each DHCP server on its own can cover the entire fleet. And yes, let each DHCP server hand itself out as the first DNS server too. I think it is clear why.
- File server. Here, too, everything is easy. We do DFS with replication, on the same DCs. Actually, replication has nothing to do with it; just always publish links to shares through DFS, and try to stick to this practice for all file resources. When you need to move a share to a new place, just move the share and change the link in DFS. The client may not even notice anything.
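The two-DHCP-server scheme described above, as an added example (not from the original post): both DCs carry the same full scope, each excludes the other's half so leases never overlap, and each half is large enough for the whole fleet of 100 clients. Each server lists itself first in the DNS option. The servers dc1/dc2, subnet 10.0.0.0/24 and gateway 10.0.0.1 are assumed.

```powershell
# Added example, not from the original post. Assumes two DCs with the DHCP role,
# dc1 (10.0.0.11) and dc2 (10.0.0.12), serving one office subnet 10.0.0.0/24;
# all names and addresses are illustrative.
Import-Module DhcpServer

$ScopeId = '10.0.0.0'
$Servers = @(
    # Each server hands out only its own half via an exclusion on the other half.
    # Each half holds over 100 addresses, so one server alone covers the fleet.
    @{ Name = 'dc1.company.xyz'; Ip = '10.0.0.11'; Peer = '10.0.0.12'
       Exclude = @('10.0.0.128', '10.0.0.254') }   # dc1 leases .21 - .127
    @{ Name = 'dc2.company.xyz'; Ip = '10.0.0.12'; Peer = '10.0.0.11'
       Exclude = @('10.0.0.21',  '10.0.0.127') }   # dc2 leases .128 - .254
)

foreach ($s in $Servers) {
    # Same full pool on both servers; only the exclusions differ
    Add-DhcpServerv4Scope -ComputerName $s.Name -Name 'Office LAN' `
        -StartRange 10.0.0.21 -EndRange 10.0.0.254 -SubnetMask 255.255.255.0 `
        -LeaseDuration (New-TimeSpan -Days 1) -State Active

    Add-DhcpServerv4ExclusionRange -ComputerName $s.Name -ScopeId $ScopeId `
        -StartRange $s.Exclude[0] -EndRange $s.Exclude[1]

    # Options: gateway, domain, and DNS with this server first, its peer second
    Set-DhcpServerv4OptionValue -ComputerName $s.Name -ScopeId $ScopeId `
        -Router 10.0.0.1 -DnsDomain 'company.xyz' -DnsServer $s.Ip, $s.Peer

    # A DHCP server in an AD domain must be authorized before it will lease
    Add-DhcpServerInDC -DnsName $s.Name -IPAddress $s.Ip
}

# Sanity check: the excluded halves must be complementary on the two servers
foreach ($s in $Servers) {
    Get-DhcpServerv4ExclusionRange -ComputerName $s.Name -ScopeId $ScopeId |
        Format-Table PSComputerName, StartRange, EndRange
}
```

If one DC goes down, the survivor keeps leasing from its own half only, so size each half for the full fleet as the text says, not for half of it.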
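Moving a share behind a DFS link as the file-server point describes, as an added example (not from the original post): the namespace lives on both DCs, users only ever see \\company.xyz\files\accounting, and the move is a data copy plus a target swap. The namespace name, dc1/dc2 and the shares on srv0/srv1 are assumed.

```powershell
# Added example, not from the original post. Assumes a domain-based namespace
# hosted on dc1/dc2 and an existing share \\srv0\accounting$ being moved to
# \\srv1\accounting$ during a maintenance window; all names are illustrative.
Import-Module DFSN

$Ns = '\\company.xyz\files'

# One-time setup: namespace root on both DCs so the link survives a DC outage
New-DfsnRoot -Path $Ns -TargetPath '\\dc1\files' -Type DomainV2
New-DfsnRootTarget -Path $Ns -TargetPath '\\dc2\files'

# The only path users ever get: \\company.xyz\files\accounting
New-DfsnFolder -Path "$Ns\accounting" -TargetPath '\\srv0\accounting$'

function Move-DfsShare {
    # Moves a share behind a DFS link; clients keep the same UNC path.
    param(
        [Parameter(Mandatory)][string]$Link,      # e.g. "$Ns\accounting"
        [Parameter(Mandatory)][string]$OldShare,  # e.g. '\\srv0\accounting$'
        [Parameter(Mandatory)][string]$NewShare   # e.g. '\\srv1\accounting$'
    )
    # 1. Stop referring clients to the old target so nothing changes mid-copy
    Set-DfsnFolderTarget -Path $Link -TargetPath $OldShare -State Offline
    # 2. Copy data with ACLs and timestamps (/MIR mirrors, /COPYALL keeps security)
    robocopy $OldShare $NewShare /MIR /COPYALL /R:1 /W:1 /NP /LOG:C:\move.log
    if ($LASTEXITCODE -ge 8) {
        # Copy failed: put the old target back and leave the link untouched
        Set-DfsnFolderTarget -Path $Link -TargetPath $OldShare -State Online
        throw "robocopy failed (exit $LASTEXITCODE), see C:\move.log"
    }
    # 3. Publish the new target and drop the old one; the link name is unchanged
    New-DfsnFolderTarget -Path $Link -TargetPath $NewShare
    Remove-DfsnFolderTarget -Path $Link -TargetPath $OldShare -Force
}

Move-DfsShare -Link "$Ns\accounting" -OldShare '\\srv0\accounting$' -NewShare '\\srv1\accounting$'

# Clients still resolve the same link; only the referral target changed
Get-DfsnFolderTarget -Path "$Ns\accounting" | Format-Table Path, TargetPath, State
```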
- MSSQL server for 1C. This one is no longer easy. And it's expensive. You have a fairly large database, and keeping a standby SQL server is not affordable. This piece cannot be made redundant; in any case we would need a new instance, which costs money. Backups are our everything, so nothing terrible. Think over where you can quickly deploy a temporary database server. By the way, there is a free MSSQL Express with a limit on database size; maybe it will suit you.
- Gateway. Linux, FreeBSD and the like. It would be nice otherwise, but there is no money for TMG or Kerio. You will still have to understand iptables. Here I can give one definite piece of advice: if you are friends with OSI, there will be no problems; if you are not, there will be problems even with Kerio. By the way, if you think you are an admin and don't know what the difference between a frame and a frame is, it will be hard for you.
- Security. A very extensive topic, so the following points are about this intimate question.
- Users should work as Domain Users. Any, I emphasize, any application can be configured to work in a limited-rights environment. Sometimes it is enough to add write access to the directory of the installed program and, inside it, prohibit writing executable files. Sometimes, to discover the quirks, you will need to monitor the registry and the file system. Sometimes you want to give up and hand out admin rights. Sometimes that is even advisable. It's your choice, but never disable UAC. And you, sitting at your workstation, should have at most local administrator rights over all workstations, and in no case Domain Admin. If necessary, manage the servers through a terminal session.
- Accounts. I won't say anything about users; I think it is clear that it is one account per user. But not everyone understands that each service must have its own account. For example, MSSQL running in an AD environment has no need whatsoever for Domain Admin rights. Create a regular user account and specify it when installing the DBMS. The installer will grant the necessary rights and everything will work fine. And so it goes with almost any service. If some Openfire asks for the admin account to connect to AD, that is just a name: it only needs to read the directory service.
- Software updates. Deploy WSUS and don't forget, at least on the second Wednesday of the month, to go in and check for new updates. Pick 10-15 machines from your fleet and put them in a test group. Test new updates on this group, and when you find no problems, deploy to everyone. By the way, there is information available on how to update any software through WSUS.
- Antivirus. It should work, and you have to keep it under control. I wrote about monitoring at the beginning.
- SCS (structured cabling). A very sore subject for many organizations. There is only one piece of advice. If you do it yourself, then do it as if for yourself; in any other case, prove to management that it is vital for your company to pay for outsourcing the job. Remember, the next admin can easily find out where you live.
That's probably enough for a start. If it was interesting, I am ready to continue, elaborating on and adding to each of the points. Write constructive criticism; thank you all.