
We build infrastructure based on MS products

After the publication of my first post, "Why I love Microsoft. Notes of a Zombie", I received quite a few letters with the same request: to write more about the products I use.
You asked, so here it is. When writing this article I set myself one goal: to describe the main route. There is no point in describing installation and configuration in detail; there is plenty of that on the Internet. My aim is that an administrator who reads this post will know the names of the products and technologies and what they are needed for, and can then google everything else. To make searching easier, the key names are given in English. If an abbreviation is unfamiliar, that is a reason to read about it. And, yes, I describe Microsoft solutions because those are the only ones I understand something about. I should warn you right away that the post is very condensed.


Before I start, a clarification and an appeal :)
After the first article I was told many times that I am wrong, without indicating how much the pleasure costs. The kicks are deserved: it is expensive. You asked, we answer. You can estimate it roughly like this: an Enterprise Agreement license (available from 250 PCs) will cost you about 1000 Euros per workplace. Servers are all included in this. That is, very roughly, licensing the described infrastructure for 300 PCs will cost $300 thousand. You will pay 100 thousand per year for 3 years, and during this time you can install all the latest versions of the purchased software.
This is the most expensive and least troublesome licensing method; the others are cheaper. By the way, if you buy Microsoft software on such a scale, my advice is to bargain.
How expensive that is, decide for yourself. In my organization specifically, the implementation of Project Server alone, thanks to effective planning of the employees working on projects, allowed us not to hire 7 more employees on top of the existing 40 and thus save about 7 * $1,300 * 12, that is, those same 100 thousand per year; this became an obvious argument for the effectiveness of the solution.
One reservation. I am not urging you to steal Microsoft software, nor, conversely, to buy it. I call for something else: whether you run free or proprietary software, think about how to build something more than an infrastructure that provides only basic services. Build a good infrastructure that is friendly to people, try to minimize the number of paper documents in the office, take care of the forests, and let your karma rise to bright heights.

Below is a very concise procedure. Even so, the post turned out to be too big, but I do not want to split it up.
How things should look at certain stages is given in the short summary paragraphs between the numbered steps. It is unlikely that you will be able to implement everything in the order given below; the order is rather for the sake of coherence. The infrastructure described below is relevant for a company with approximately 50-500 users.
So, the guide itself. Getting started.
0. I really love Hyper-V. We install Server 2008 in Core mode and, other things being equal, deploy the infrastructure on virtual machines.
0.1 Backups, backups, backups. We do not put any system into operation without understanding how we will back it up.
1. We set up a server and raise Active Directory on it. We raise the basic services: DNS, DHCP. At the first opportunity we set up a second server on which we also raise AD. Although many small organizations neglect this, it is very important: if a single domain controller dies, it will be very sad. <update 04/12/10 10:15> We assign the second domain controller as a Global Catalog server too. /update We set up time synchronization on the domain controller with external reference time sources (NTP).
1.1 DNS. Think in advance about what your domain will be called and whether the name will coincide with the public name or differ from it. Read about Split DNS. It is convenient for people to remember a single address for each service. For example, mail.yourdomain.ru should always be mail, regardless of whether an employee works outside or inside the company network. If the DNS names of the external and internal networks differ, raise a yourdomain.ru zone inside the network.
1.2 DHCP. There should be no statically assigned addresses. Use reservations for the MAC addresses of devices. This is necessary so that you can at any time have complete information on the distribution of addresses on the network.
1.3 We enter all users into AD. Each department is allocated an Organizational Unit in accordance with the hierarchy of the organization. We place users by OU. For each OU we create a group that includes all of its users. Each user gets an account: no "Storekeeper" account shared by 12 storekeepers at once. For computer accounts it is also desirable to have a separate OU hierarchy following the organization hierarchy; this makes it easier to link group policies to all PCs in a department.
1.4 We give the secretaries the right to change the phone number fields in AD. We train them. Filling in this data and keeping it up to date is now their responsibility. They or HR must keep the job title and department of all employees up to date in AD. Also, when employees are transferred, the administrator moves the accounts into the required OU and changes their group membership. We write regulations: how a user gets into our network when hired, what we do when he is fired, and when he is transferred to another department. We introduce standards for the formation of login names and mailing addresses of employees.
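Steps 1.1 to 1.4 as a provisioning script, added here as an example; it is not code from the original post. It assumes an AD domain corp.local (NetBIOS name CORP) with the public name yourdomain.ru, the ActiveDirectory PowerShell module (Server 2008 R2 or later), a DHCP scope 10.0.1.0/24 on the same DC, and the dsacls and dnscmd tools that ship with the DC role. The department names, people, addresses and MACs are constructed for illustration.

```powershell
# Added example (not from the original post): provisioning steps 1.1-1.4.
# Assumptions: domain corp.local / CORP, public name yourdomain.ru,
# ActiveDirectory module available, DHCP scope 10.0.1.0 on this server.
Import-Module ActiveDirectory

$DomainDN = 'DC=corp,DC=local'

# 1.1 Split DNS: an internal copy of the public zone so that mail.yourdomain.ru
# resolves to the internal address of the mail server from inside the network.
# Every public name users rely on must also be added here, or it stops
# resolving internally the moment the zone exists.
dnscmd /ZoneAdd yourdomain.ru /DsPrimary
dnscmd /RecordAdd yourdomain.ru mail A 10.0.0.25        # constructed internal address
dnscmd /RecordAdd yourdomain.ru www  A 203.0.113.10     # public site keeps its external address

# 1.2 DHCP: no static addresses on clients; one reservation per device MAC,
# so the DHCP console is the single inventory of who holds which address.
$Reservations = @(
    @{ Ip = '10.0.1.50'; Mac = '001122334455'; Name = 'PC-WH-01' },
    @{ Ip = '10.0.1.51'; Mac = '001122334456'; Name = 'PC-WH-02' }
)
foreach ($r in $Reservations) {
    netsh dhcp server scope 10.0.1.0 add reservedip $r.Ip $r.Mac $r.Name 'managed by IT' BOTH
}

# 1.3 One OU per department under Staff, mirroring the org chart, and a parallel
# Workstations subtree so PC policies can be linked per department. Each OU gets
# a global group holding all of its users; rights are granted to these groups
# later (file shares, proxy access), never to individual accounts.
$Departments = @('Sales', 'Warehouse', 'Accounting')
New-ADOrganizationalUnit -Name 'Staff'        -Path $DomainDN
New-ADOrganizationalUnit -Name 'Workstations' -Path $DomainDN
foreach ($d in $Departments) {
    New-ADOrganizationalUnit -Name $d -Path "OU=Staff,$DomainDN"
    New-ADOrganizationalUnit -Name $d -Path "OU=Workstations,$DomainDN"
    New-ADGroup -Name "GG-$d" -GroupScope Global -GroupCategory Security `
                -Path "OU=$d,OU=Staff,$DomainDN"
}

# 1.4 Login name standard: first initial + surname, lowercase ASCII; the mail
# address is derived from it. One account per person; the UPN suffix must be
# registered in the forest before it can be used.
Set-ADForest -Identity corp.local -UPNSuffixes @{ Add = 'yourdomain.ru' }
$People = @(
    @{ First = 'Ivan'; Last = 'Petrov';   Dept = 'Warehouse'; Title = 'Storekeeper' },
    @{ First = 'Anna'; Last = 'Sidorova'; Dept = 'Sales';     Title = 'Sales manager' }
)
foreach ($p in $People) {
    $sam = ($p.First.Substring(0, 1) + $p.Last).ToLower()
    New-ADUser -Name "$($p.First) $($p.Last)" -GivenName $p.First -Surname $p.Last `
               -SamAccountName $sam -UserPrincipalName "$sam@yourdomain.ru" `
               -EmailAddress "$sam@yourdomain.ru" -Department $p.Dept -Title $p.Title `
               -Path "OU=$($p.Dept),OU=Staff,$DomainDN" `
               -AccountPassword (Read-Host -AsSecureString "Initial password for $sam") `
               -ChangePasswordAtLogon $true -Enabled $true
    Add-ADGroupMember -Identity "GG-$($p.Dept)" -Members $sam
}

# 1.4 Delegation: the secretaries may write only the phone attributes of user
# objects under Staff (write-property, inherited to user sub-objects), nothing else.
New-ADGroup -Name 'GG-Secretaries' -GroupScope Global -GroupCategory Security -Path "OU=Staff,$DomainDN"
foreach ($attr in 'telephoneNumber', 'mobile') {
    dsacls "OU=Staff,$DomainDN" /I:S /G "CORP\GG-Secretaries:WP;$attr;user"
}

# Hygiene check for transfers: users whose Department attribute (maintained by
# HR) no longer matches the OU they sit in, i.e. HR did its part and the
# administrator has not yet moved the account.
function Find-MisplacedUsers {
    Get-ADUser -SearchBase "OU=Staff,$DomainDN" -Filter * -Properties Department |
        Where-Object { $_.DistinguishedName -notlike "*OU=$($_.Department),OU=Staff,*" } |
        Select-Object SamAccountName, Department, DistinguishedName
}
Find-MisplacedUsers | Format-Table -AutoSize
```

The delegation is deliberately attribute-level rather than "reset passwords" or "modify user": the post gives secretaries the phone fields only, and that is what the dsacls grant expresses. The check at the end is the one worth scheduling, since a user left in the old OU keeps the old department's group policies and file-share rights.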
2. We join users' computers to the domain.
3. If possible, deprive users of administrative rights. Some software, in its ordinary work, wants to write data to places that are prohibited by default; we catch this with special software, for example Process Monitor, and fine-tune the rights. Once we understand the program, we write down which registry branches and directories it additionally needs access to, make the settings, and distribute them using Group Policy to the appropriate OU. With the help of GP we connect people to the nearest printers. We add to the login script software that collects data on our PCs (the name of the user who logged in, what hardware it has, the IP address, the MAC address, and so on) and sends all of this to the server.
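The inventory part of step 3 as a logon script, added here as an example and not taken from the original post. It assumes a share \\srv-files\inventory$ that the Domain Users group can write to but not list or read (a drop folder, so one user cannot read what other users' PCs reported), and that the script is linked through Group Policy as a user logon script on the department OUs. The server name and path are constructed.

```powershell
# Added example (not from the original post): logon script for step 3 that
# records who logged in on which PC and what hardware it has, and drops the
# record on a central share. Assumes \\srv-files\inventory$ (constructed name)
# where Domain Users can create and write files but not read them.
$Target = '\\srv-files\inventory$'

function Get-PcInventory {
    # Collect exactly the items the post lists: user, hardware, IP and MAC.
    $cs   = Get-WmiObject Win32_ComputerSystem
    $bios = Get-WmiObject Win32_BIOS
    $cpu  = Get-WmiObject Win32_Processor | Select-Object -First 1
    $os   = Get-WmiObject Win32_OperatingSystem
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='C:'"
    # Only adapters that currently hold an address; a laptop may have several.
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True'

    [PSCustomObject]@{
        Timestamp   = (Get-Date).ToString('s')
        Computer    = $env:COMPUTERNAME
        User        = "$env:USERDOMAIN\$env:USERNAME"
        Model       = "$($cs.Manufacturer) $($cs.Model)".Trim()
        Serial      = $bios.SerialNumber
        Cpu         = $cpu.Name.Trim()
        RamMB       = [int]($cs.TotalPhysicalMemory / 1MB)
        DiskGB      = [int]($disk.Size / 1GB)
        OS          = "$($os.Caption) $($os.Version)"
        # Flatten per-adapter address arrays; keep IPv4 only for readability.
        IPAddresses = (($nics | ForEach-Object { $_.IPAddress }) | Where-Object { $_ -match '^\d+\.' }) -join ';'
        MACs        = ($nics | ForEach-Object { $_.MACAddress }) -join ';'
    }
}

function Write-PcInventory {
    param([Parameter(Mandatory)]$Record, [string]$Share = $Target)
    # Render one CSV row plus its header without reading anything back: the
    # drop folder is write-only for users, so Export-Csv -Append (which reads
    # the existing header) cannot be used here.
    $csv    = $Record | ConvertTo-Csv -NoTypeInformation
    $header = $csv[0]
    $row    = $csv[1]
    # One file per PC, overwritten at every logon: the current state of a
    # machine is the file itself. History goes to a daily append-only file.
    Set-Content -Path (Join-Path $Share "$($Record.Computer).csv") -Value @($header, $row) -Encoding UTF8
    Add-Content -Path (Join-Path $Share "history-$((Get-Date).ToString('yyyy-MM-dd')).csv") -Value $row -Encoding UTF8
}

try {
    Write-PcInventory -Record (Get-PcInventory)
} catch {
    # A laptop logging on outside the office cannot reach the share; the next
    # on-site logon records it. Never block the user's logon over inventory.
    exit 0
}
```

The script runs under the user's own account, so it must not be the place where rights are changed; the directory and registry grants that Process Monitor revealed (the other half of step 3) belong in a computer startup script or a Group Policy Preference, for example `icacls 'C:\Program Files\OldApp\data' /grant 'CORP\GG-Warehouse:(OI)(CI)M'` for one legacy program's data directory rather than local administrator rights for everyone.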
4. If necessary, we limit access to external drives, for example using DeviceLock.
<update 9.04.10 15:55> You can also configure this using group policies. /update
5. Set up a corporate antivirus and monitor its updates.
6. We raise and configure WSUS. Do not be afraid: only updates approved by you will be deployed.
7. Sharing file resources on the server. We fight to the death so that resources are shared to groups, not to individual employees. Otherwise the system of rights very soon turns into a mess: it becomes impossible to give a new employee the same rights as another employee who is already working, and so on. It is very important to convey to management why it must be done this way, and to receive from them the requests for changes of rights in this area.
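Step 7 in code, added as an example that is not part of the original post: a department share whose NTFS and share permissions name only AD groups, followed by a check that walks an existing share tree and reports explicit permissions granted to individual user accounts, which is the "mess" the step warns about. It assumes a file server with the SmbShare module (Server 2012 or later), the ActiveDirectory module, NetBIOS domain CORP and groups named GG-Sales-RW and GG-Sales-RO; all names are constructed.

```powershell
# Added example (not from the original post): group-based share for step 7 and
# an audit for per-user ACEs. Assumes SmbShare and ActiveDirectory modules,
# domain CORP, groups GG-<Dept>-RW / GG-<Dept>-RO (constructed names).
Import-Module ActiveDirectory

$Root = 'D:\Shares'
$Dept = 'Sales'
$Path = Join-Path $Root $Dept

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# NTFS: drop inherited ACEs (the drive root usually grants BUILTIN\Users read)
# and set exactly three entries: admins full, read-write group modify,
# read-only group read and execute. No person appears in the ACL.
icacls $Path /inheritance:r `
    /grant:r "CORP\Domain Admins:(OI)(CI)F" `
             "CORP\GG-$Dept-RW:(OI)(CI)M" `
             "CORP\GG-$Dept-RO:(OI)(CI)RX" | Out-Null

# Share permissions mirror the NTFS groups; NTFS remains the effective
# control. "Everyone: Full" on the share is the usual shortcut and is avoided.
New-SmbShare -Name $Dept -Path $Path `
    -FullAccess "CORP\Domain Admins" `
    -ChangeAccess "CORP\GG-$Dept-RW" `
    -ReadAccess "CORP\GG-$Dept-RO" | Out-Null

function Find-PersonalAces {
    # Report explicit (non-inherited) NTFS entries under $Folder whose trustee
    # resolves to a user object in AD rather than a group.
    param([Parameter(Mandatory)][string]$Folder)
    $dirs = @(Get-Item $Folder) +
            @(Get-ChildItem -Path $Folder -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -Path $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }                 # inherited entries come from a parent already checked
            $id = $ace.IdentityReference.Value
            if ($id -notlike 'CORP\*') { continue }            # skip BUILTIN, NT AUTHORITY, CREATOR OWNER
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            $obj = Get-ADObject -Filter { objectSid -eq $sid }
            if ($obj.ObjectClass -eq 'user') {
                [PSCustomObject]@{
                    Folder  = $dir.FullName
                    Account = $id
                    Rights  = $ace.FileSystemRights
                }
            }
        }
    }
}

# Run over the whole share root; an empty result is the goal.
Find-PersonalAces -Folder $Root | Format-Table -AutoSize
```

The audit is the part to keep: run it periodically against the share root and treat every row as a request to create or extend a group, then re-grant through the group and remove the personal entry. That is what makes "give the new employee the same rights as his colleague" a single Add-ADGroupMember call instead of archaeology.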
8. Raise the SQL server. We need it to keep the 1C databases there, and in general it is a useful thing.

All our users work with shared resources on the server. We are reasonably protected from virus intrusions. Thus we have more or less equipped the employees' workplaces.

9. We raise and configure the ISA server for Internet access. Its successor, Forefront TMG, we have not yet implemented. We configure proxy autodiscovery and/or set our proxy in IE through group policies, and register the internal network in the list of exceptions so that access to it bypasses the proxy. Do not forget to think about and check how laptops will work outside our network. Will they not try to get to the Internet through the proxy?
9.1 We configure rules for users' access to the outside. Rules that allow access anywhere based on the IP address of a device are kept to a minimum: only for the director's communicator. We create groups in AD according to the type of access, for example: "white list only", "anywhere". We put department groups into these groups. For example, the Warehouse group is put into the White List Only group. On ISA we create a white list of sites and a black list of sites, and configure rules with access rights according to the AD groups and site lists. For client-bank and other software that does not know how to authenticate to our server, we turn on the monitor in ISA, see where it breaks, and allow all traffic to the client-bank server IP not based on the user account but on the computer's IP, ideally also restricting the protocols.
The general logic of the ISA rules: with very rare exceptions, all traffic must go through our gateway according to rules tied to the user's domain account.
Personally, I do not like the ISA Firewall Client; we always do without it and advise you to do the same. All settings on the server: that is centralization.
9.2 If we have branches, a tunnel between ISA servers; if we have remote users, VPN access to our network.
9.3 If you need fine-grained restrictions for users, for example Ivanov may download no more than 200Mb per day: Bandwidth Splitter.
9.4 All logs, of course, are stored on the SQL server, and not for seven days but for at least 45: someday you will definitely need to generate a report of who downloaded how much in a month.
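The client side of step 9, added as an example that is not from the original post: a PAC file that sends internal names and the internal network direct, sends a laptop that is outside the office direct as well (so it does not try to reach a proxy it cannot see), and routes everything else through ISA, plus the single IE registry value that a Group Policy Preference pushes to users and a check that the PAC is being served correctly. It assumes the proxy is isa.corp.local:8080, the office network is 10.0.0.0/8, and the file is published by IIS at http://wpad.corp.local/wpad.dat; all of these are constructed.

```powershell
# Added example (not from the original post): proxy configuration for step 9.
# Assumptions (all constructed): proxy isa.corp.local:8080, office network
# 10.0.0.0/8, PAC served from http://wpad.corp.local/wpad.dat by IIS.

# The PAC itself is JavaScript evaluated by the browser; it is stored here as
# a literal and written to the web server below.
$Pac = @'
function FindProxyForURL(url, host) {
    // Internal names and the internal network go direct: these are the
    // "exceptions" of step 9; internal traffic never touches the proxy.
    if (isPlainHostName(host) ||
        dnsDomainIs(host, ".corp.local") ||
        dnsDomainIs(host, ".yourdomain.ru") ||
        isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0")) {
        return "DIRECT";
    }
    // Laptop outside the office: the client holds no corporate address, so
    // do not try the proxy at all (it would hang on every request).
    if (!isInNet(myIpAddress(), "10.0.0.0", "255.0.0.0")) {
        return "DIRECT";
    }
    // Everyone else goes through ISA, where the rules are tied to the
    // user's domain account. No "; DIRECT" fallback: if the proxy is down,
    // the Internet is down, by design.
    return "PROXY isa.corp.local:8080";
}
'@

# Publish on the web server (run there). IIS must map .dat to
# application/x-ns-proxy-autoconfig for IE to accept the file.
Set-Content -Path 'C:\inetpub\wwwroot\wpad.dat' -Value $Pac -Encoding Ascii

# Client side: one registry value, delivered as a user Group Policy Preference.
# Only AutoConfigURL is set; no fixed ProxyServer, so laptops keep working
# outside the office through the PAC logic above.
$IE = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-ItemProperty -Path $IE -Name AutoConfigURL -Value 'http://wpad.corp.local/wpad.dat'

function Test-PacServed {
    # Returns $true when the PAC is reachable, carries the MIME type IE
    # requires and actually defines FindProxyForURL.
    param([string]$Url = 'http://wpad.corp.local/wpad.dat')
    $r = Invoke-WebRequest -Uri $Url -UseBasicParsing
    ($r.Headers['Content-Type'] -like 'application/x-ns-proxy-autoconfig*') -and
    ($r.Content -match 'function\s+FindProxyForURL')
}

Test-PacServed
```

Autodiscovery (the "proxy autodiscovery" of step 9) is the same file found by name: a wpad host record in DNS or DHCP option 252 pointing at the URL above. Either way, the myIpAddress() test is the part to verify on a laptop from a home connection, since that is the case the post asks you to check.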

Our users work on the Internet. Internet access is clearly delimited by rules. All their moves are recorded for subsequent analysis. Remote users have the ability to connect and work inside our network.

10. We raise a terminal server. We put on it users who work from home, those who actively work with our resources from a remote branch, and perhaps some of the office users.
11. Raise a Certification Authority; it will be needed.
12. We raise Exchange Server. Users' mail must live on it, no Personal Folders except for long-term archives. Users work through Outlook. If the organization is obsessed with security, we mirror mail (Message Mirror) to a separate address and think about how often we will clean it and where we will archive its contents. We check that the Global Address List works and create its offline version. We set limits on the size of a message, of a mailbox, and so on. We configure antivirus and antispam on the server. We set up shared mailboxes of the type support@yourdomain.ru, give those responsible the right to send on behalf of support, and train them. We set up Public Folders, put into them the shared calendars of meeting rooms, demo stands and so on, and think about what else we have in common. If it is convenient, we keep personal calendars in Outlook and open them to managers. Do not build a common task system on Outlook tasks; Outlook tasks are inconvenient for teamwork.
13. We publish our Exchange through ISA, check the passage of external mail in both directions, do not forget about open relay, sign everything we need with certificates, check that Outlook Web Access works, enable OMA, publish RPC over HTTP. For laptop users we configure Outlook for RPC over HTTPS, caching and the Offline Address Book. If you need to cache public folders, add them to Favorites under Public Folders in Outlook and then to your Favorite Folders.
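The server-side pieces of steps 12 and 13 in the Exchange Management Shell, added as an example and not from the original post: organization-wide message size limits and mailbox quotas, the support@ shared mailbox with Full Access and Send As for its team, an optional journaling line for the "Message Mirror" idea, and the open-relay check for step 13. It assumes Exchange 2010 (the cmdlets also exist in later versions), NetBIOS domain CORP, a group GG-Support and an OU corp.local/Staff; all names and sizes are constructed.

```powershell
# Added example (not from the original post): Exchange Management Shell
# commands for steps 12 and 13. Assumptions (constructed): Exchange 2010,
# domain CORP, group GG-Support, OU corp.local/Staff, 20 MB / 2 GB limits.

# 12: limits. Message size for the whole organization, then quotas as database
# defaults so that every new mailbox inherits them.
Set-TransportConfig -MaxSendSize 20MB -MaxReceiveSize 20MB
Get-MailboxDatabase | Set-MailboxDatabase -IssueWarningQuota 1.8GB `
    -ProhibitSendQuota 2GB -ProhibitSendReceiveQuota 2.2GB

# 12: shared mailbox support@yourdomain.ru. Nobody logs in as "support"; the
# support group opens it (Full Access) and sends on its behalf (Send As).
New-Mailbox -Shared -Name 'Support' -Alias support `
    -UserPrincipalName support@yourdomain.ru -OrganizationalUnit 'corp.local/Staff' | Out-Null
Set-Mailbox -Identity support -EmailAddressPolicyEnabled $false `
    -PrimarySmtpAddress support@yourdomain.ru
Add-MailboxPermission -Identity support -User 'CORP\GG-Support' `
    -AccessRights FullAccess -InheritanceType All | Out-Null
Add-ADPermission -Identity 'Support' -User 'CORP\GG-Support' -ExtendedRights 'Send As' | Out-Null

# 12, optional: the "Message Mirror" idea as standard journaling, one copy of
# every message in a database to a dedicated mailbox. Uncomment with a real
# database name; size the journal mailbox and its cleanup first.
# Set-MailboxDatabase -Identity 'DB01' -JournalRecipient journal@yourdomain.ru

function Get-AnonymousRelayConnectors {
    # 13: relay for anonymous senders is the ms-Exch-SMTP-Accept-Any-Recipient
    # right granted to ANONYMOUS LOGON on a receive connector. An Internet-facing
    # connector must never carry it; an internal one scoped by RemoteIPRanges to
    # the client-bank and other application servers may. Returns one row per
    # connector that grants it, so an empty result is the goal.
    Get-ReceiveConnector | Get-ADPermission |
        Where-Object {
            ("$($_.ExtendedRights)" -match 'ms-Exch-SMTP-Accept-Any-Recipient') -and
            ("$($_.User)" -like '*ANONYMOUS LOGON*')
        } |
        Select-Object Identity, User
}

Get-AnonymousRelayConnectors | Format-Table -AutoSize
```

After publishing through ISA, the check worth repeating is the last function: every connector it lists should have a RemoteIPRanges restricted to the handful of internal hosts that really need to relay, and none of them should be the connector ISA forwards port 25 to.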

We have mail; people can connect with Outlook both from inside the network and from outside, needing only Internet access. We can work through the web interface as well as from our mobile devices. From everywhere we see the same mailbox contents.
We have learned to work collectively with addresses such as support@yourdomain.ru.

14. We read about Unified Communications. We set up Office Communications Server and make it friends with our PBX. We configure routing and numbering plans. We link it to the list of users from AD.
We provide Office Communicator to interested users and issue headsets.

Calls via Office Communicator to other Office Communicators, internal phones, and the city network. All without additional prefixes. The communicator knows all users from AD, along with their internal and mobile phones.

15. We raise SharePoint Server. We put there a nice list of employees, employees' birthdays but without the year of birth (the girls worry), and company news. Then we begin to create a structured information repository there and try to move the main part of the file dump there smoothly. Later we pull in work processes, requests and so on. We move there the meeting room bookings and other things that were kept in public folders.
16. If we actively work with projects, we deploy Project Server.

We have a corporate portal: a single place for reference information, basic workflows, and structured file storage.

<update 04/09/10 14:25> When the organization has grown, we implement a request processing system on our portal. We do this using Workflow in SharePoint. Read about InfoPath and SharePoint Designer. Requests must arrive in a single place and be assigned to employees, and the author of a request must see its current status and receive notifications about it. /update

We document the main ways of working with our infrastructure, or better, make video courses. We put them in shared locations (I mean on the server) and train people to look there when alerted on the portal: work with new services will be described there. We make familiarization with these documents one of the required items of a new employee's first day.
The actions described should be enough to implement all the usage examples given in this post. If I forgot something, write. The Microsoft System Center topic remains uncovered; be sure to read about it, but it is a product aimed at benefiting not ordinary users but system administrators.
<update 04/09/10 14:25> Thanks for the comments. In general, at this scale of organization it is already time to think about simplifying the life of the IT department; all the necessary technologies for this exist. Read about System Center. /update

Good luck.

Source: https://habr.com/ru/post/90409/

