The history of one infrastructure. MS solutions. Part 1
Redo!
First of all, a decent air conditioner was installed in the room housing the switching and computing center. As a result, hard drives began failing half as often.
Then we took on modernizing the existing fiber-optic lines and switching: to bring connectivity where there was none yet, to fully reserve the main fiber-optic lines, and to unify the switching equipment in use. The process was not quick, and the chronology of events can no longer be reconstructed. The result is twelve fiber-optic cable segments (about 3 km in total) and six peripheral switching points. The optical converters (50 units) are housed in rack-mount managed chassis (7 units). As the standard switch we use an inexpensive and popular managed layer-2 model (20 units in use) with 24 Gigabit Ethernet ports, VLAN support (the demilitarized zones are built on VLANs) and port aggregation (we use aggregation everywhere: trunk segments, inter-switch links, server connections). At the peripheral switching points all equipment was placed in turnkey special cabinets; at the central node everything went into the switching-equipment rack. To sum up, nothing remained of the original switching design of the plant administration and the workshops of the factory complex. All the former equipment was decommissioned and placed in the far corner of a special room, i.e. we invested in the same project about one and a half times over. Unification was worth it!
Organize!
Somewhere here, between ongoing infrastructure development projects, the enterprise's IT function grew into the information technology department (ITD), which I was put in charge of. The software engineer of the general department was placed at my disposal, changing his field of activity because his previous one was no longer actually needed, and my former, now vacant, position of automated-systems engineer was allowed to be filled, which was done. A document, "Distribution of tasks of ITD employees", was developed, according to which the software engineer focuses on user technical support for client software and on writing instructions for information-system users and other documentation, while the automated-systems engineer handles user technical support for equipment and the enterprise switching. Organizational tasks and infrastructure issues fell to me. Work became more fun!
Licensed fashionably ...
And, of course, we were not spared "the fashion for licensing the software products of one well-known manufacturer." The first signal that it was time to live honestly, and that stealing is punishable, forced management to adopt a software licensing policy. It was decided to license under the Open License program in several stages: first the server software, then the client software and client access licenses in three stages. And we acquired all the newest: Windows Server 2003 R2 Standard (as it turned out, the Enterprise editions were of no use to us), Exchange Server 2007, SQL Server 2005, ISA Server 2006, Live Communications Server 2005, Windows XP Professional, Microsoft Office 2003/2007.
After the purchase, to ensure "licensing purity", the following questions automatically arose:
- replacing the installed Windows Server 2003 R2 Enterprise editions with the licensed Standard edition
- replacing the installed Windows 2000 Server with the licensed Windows Server 2003 R2
- replacing the SQL Server 2000 in use with the licensed SQL Server 2005
- replacing the Exchange Server 2003 in use with the licensed Exchange Server 2007
- replacing ISA Server 2004 with the licensed ISA Server 2006
- replacing the Live Communications Server 2005 in use with the licensed version
After examining these issues and taking into account all the existing deviations in the server hardware in use, it was painfully decided to gradually replace and upgrade the equipment that did not meet our reliability requirements (all as part of the enterprise software licensing).
As part of licensing ...
Then came the question of choosing software for comprehensive protection against malware (anti-virus protection). The main wish was a software package from a single vendor covering client PCs, Exchange mail databases and file storage. We looked toward tested and familiar solutions, but unfortunately (or perhaps fortunately) none of the familiar data-protection vendors had managed to release a complete solution for the new Exchange server. And just then MS made a noise with its new Forefront product line. We waved our hand ("be that as it may") and decided in favor of MS Forefront products. Under the Open Value program we purchased three years of Forefront Client Security (FCS), Forefront Client Security Management Console, Forefront Security for Exchange and Forefront Security for SharePoint (didn't I mention? We tried SharePoint and decided we would have it too, but later).
Around this time we managed to acquire, very inexpensively, a very short second-level domain name matching the company's short name. Just lucky! Accordingly, it was decided that the migration to licensed software would be accompanied by renaming the domain, and that we would gradually stop using the old mail domain.
Work got into full swing. The software licensing tasks were carried out systematically and the deviations eliminated. We bought new equipment, installed it, migrated our data, threw out the old. For example, the hardware configuration of the main Exchange server is as follows: two Intel Xeon 5410 processors on an Intel S5000PSLSATA board in an Intel SC5400LX chassis with two 830 W hot-swappable power supplies, hot-swap bays for ten SAS hard drives, an Intel SRCSAS18E RAID controller with a battery backup unit, 8 GB of RAM and ten 73 GB 15K SAS drives (2 drives in RAID 1 for the OS, 6 drives in RAID 10 for the database and 2 hot spares). The servers that do not need a high-performance disk subsystem (for example, the domain controllers, the ISA server, the Exchange Edge server) make do with four-bay SAS backplanes and three installed disks (2 in RAID 1 for the OS and 1 hot spare) and less RAM, 4 GB. The main task was to ensure maximum redundancy wherever possible with minimal investment (mirrored RAID 1 arrays, hot spare disks, network interface aggregation, redundant power). The goal was achieved.
And just when the projects were nearing a logical conclusion, management wished to be able to hold daily working meetings of department heads over PCs and the existing network. The newly acquired Live Communications Server 2005 does not support multipoint audio/video conferencing and never will, because its new version, Office Communications Server 2007 (OCS), had just been released. Well, the project was costed, agreed, and the decision made: we purchase the fresh Office Communications Server 2007 and a hardware server for it (it will come in handy, we haven't replaced everything yet). Acquired under the Open License program and quickly implemented. Only audio conferences actually took off, though the microphones had to be chosen carefully: we settled on Arthur Forty conference microphones (consumer-grade ones somehow didn't work out).
Along the way, amid all the restructuring, the uninterruptible power supply (UPS) system was upgraded: we bought the missing UPS units and supplemented the existing ones with battery modules. As a result, each pair of servers has one 3 kW UPS with two additional battery modules. The runtime of this set more than satisfied us: about 5 hours. In total, 5 UPS units and 10 battery modules are installed next to the two server racks. The rack with switching equipment has the same kind of set, only somewhat simpler, at 1.5 kW (with about 10 hours of runtime). We were lucky: we initially chose the "right" UPS and did not have to change anything.
The unification of server hardware was more than successful! True, there are slight differences in the servers' disk subsystem configurations, because the servers were acquired at different times, just as SAS was replacing SCSI. But tick the box: the deviations are eliminated.
Also, in parallel with these projects, work was under way to replace "technically non-compliant" client PCs, and many new workstations were set up. The number of client PCs exceeded 100.
Again, evaluating the results ...
By heroic efforts, within one month detailed documentation of the enterprise information system was created (it currently comprises more than 100 documents (graphical diagrams, descriptions and tables) in electronic form and 250 pages on paper). Another piece of secret knowledge: detailed documentation is extremely important. For example, in the process of documenting you can discover configuration errors and non-optimal architectural decisions. Orderly documentation, orderly infrastructure!
Having eliminated the deviations in equipment and communication lines and drawn a line under these milestones, we can assess what services we have, what we have achieved, and where to go next:
- physical communications service (communication lines, switching equipment).
- directory service (Active Directory, DNS, DHCP, Certificate Authority) in a fault-tolerant configuration on two Windows Server 2003 R2 servers. Intended for managing the infrastructure. Group policies provide almost complete control of the devices on the network.
- routing service (ISA Server 2006) on Windows Server 2003 R2. Intended for giving the information system's clients access to Internet resources, for publishing internal resources, for supporting the demilitarized zones, and for remote client access to the information system's resources.
- mail service (Exchange Server 2007) on two Windows Server 2003 R2 servers: the main server and the Edge server located in the perimeter network. The main mail server stores user mailboxes, provides the global address list to clients, and provides access to mailbox resources via RPC (Outlook client), SMTP and POP, as well as the remote-access protocols RPC over HTTPS (Outlook client) and HTTPS (web client). The Edge server accepts connections from Internet mail servers, filters unwanted messages, and sends correspondence to remote domains. Forefront Protection 2010 for Exchange (formerly Forefront Security for Exchange) is used for malware protection on the mail servers.
- file storage service on Windows Server 2003 R2. Intended for the organized storage of user documents (user documents are redirected to the storage via group policies). The storage structure mirrors the organizational structure of the enterprise. Users can use the "Previous Versions" feature (provided by shadow copies). Content is filtered (file screening) and storage usage reports are produced. Storage content is indexed and appears in SharePoint search results.
- database service (SQL Server 2005) on Windows Server 2003 R2. Intended for hosting the databases of the "1C" applications. It is also used to store the databases of the update service (WSUS), the protection service (FCS) and the document management service (SharePoint).
- conferencing service (OCS 2007) on Windows Server 2003 R2. Intended for instant messaging and file transfer, voice and video conferencing, presence information about users on the network, and desktop sharing (the client is Office Communicator 2007 R2). Integrated with the voice mailbox functions.
- update service (WSUS), sharing a server with the database service. Intended for installing updates on client PCs and enterprise servers (timely installation of updates is a prerequisite for the normal functioning of the system as a whole; this is secret knowledge, born of experience).
- Forefront Client Security protection service, hosted together with the database service. Intended for centralized management of the client anti-virus software. It uses the update service (WSUS) to distribute itself and its updates, the directory service (group policies) to distribute its settings, and Microsoft Operations Manager 2005 (MOM) to collect data. This product has proven itself excellently over the whole time in use: we have not had a single PC infection case (in 3 years).
- document management service (SharePoint Server 2007) on Windows Server 2003 R2. Intended for the orderly storage of documents, the organization of document management processes and much more, which I will describe further in more detail with specific examples. Forefront Security for SharePoint is used for malware protection on the document management server.
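The update service item above rests on a claim worth checking rather than trusting: that every domain member is actually pointed at the WSUS server by group policy and is not sitting on approved updates for weeks. The following PowerShell script is an added example (not code from the article or from Microsoft) that audits both on a single host: it reads the WSUS client policy keys that the Windows Update group-policy settings write, then asks the Windows Update Agent for updates that are approved but not yet installed and flags those older than a threshold. The WSUS URL and the 14-day threshold are placeholders, since the article does not give them.

```powershell
# Added example, not from the original article. Audits a domain-joined host's
# WSUS assignment and its pending updates. Assumptions: the host gets its
# Windows Update settings from group policy (as in the article's update service);
# the WSUS URL and the 14-day threshold are placeholders.

$ExpectedWsus = 'http://wsus.example.local:8530'   # assumed value; the article gives no URL

function Get-WsusClientPolicy {
    # These keys are written by the Windows Update group-policy settings.
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = Join-Path $wu 'AU'
    $p  = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
    $a  = Get-ItemProperty -Path $au -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer             = $p.WUServer
        UseWUServer          = $a.UseWUServer          # 1 = use the WSUS server above
        AUOptions            = $a.AUOptions            # 4 = auto download and schedule install
        ScheduledInstallDay  = $a.ScheduledInstallDay
        ScheduledInstallTime = $a.ScheduledInstallTime
    }
}

function Get-PendingUpdates {
    param([int]$MaxAgeDays = 14)
    # On a WSUS client the agent searches the WSUS server set by policy, so this
    # returns only updates that an administrator has approved there.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        $age = (Get-Date) - $u.LastDeploymentChangeTime
        [pscustomobject]@{
            Title    = $u.Title
            KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity = $u.MsrcSeverity
            AgeDays  = [int]$age.TotalDays
            Overdue  = $age.TotalDays -gt $MaxAgeDays
        }
    }
}

$policy = Get-WsusClientPolicy
if ($policy.UseWUServer -ne 1 -or $policy.WUServer -ne $ExpectedWsus) {
    Write-Warning "Host is not pointed at the expected WSUS server (WUServer='$($policy.WUServer)', UseWUServer=$($policy.UseWUServer))"
}
if ($policy.AUOptions -ne 4) {
    Write-Warning "Automatic installation is not scheduled (AUOptions=$($policy.AUOptions))"
}

$pending = @(Get-PendingUpdates -MaxAgeDays 14)
$pending | Sort-Object AgeDays -Descending |
    Format-Table Title, KB, Severity, AgeDays, Overdue -AutoSize
$overdue = @($pending | Where-Object { $_.Overdue })
if ($overdue.Count -gt 0) {
    Write-Warning "$($overdue.Count) approved update(s) older than 14 days are still missing"
}
```

Run it locally on a member server or workstation; the registry part needs no special rights, the agent search takes a few seconds and needs a reachable WSUS server. The useful signal is the combination: a host with an empty pending list but the wrong `WUServer` is not patched, it is simply not asking the right server.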
Continued ...