Windows - AD, Infrastructure and public/private IP addresses - Knowledgebase

Portal Home > Knowledgebase > Articles Database > Windows - AD, Infrastructure and public/private IP addresses

Windows - AD, Infrastructure and public/private IP addresses

Posted by W3bbo, 08-27-2011, 05:44 PM
We'll be re-organising our current ghetto technology set-up into (what we hope to be) a first-class installation. I won't discuss our current set-up because it's truly awful, but I would like technical feedback and advice on the arrangement I'm proposing below: For our Windows-based hosting company, we have six servers neatly arranged in a rack at the datacentre. Our Internet connection is provided by our colocation provider and they have given us two IP addresses for every physical server, so we have 12 IP addresses to play with. This is what I'm proposing: The rack contains two switches: a switch that connects the servers NIC1 ports to the "Internet" pipe provided by our colo. The second switch connects all of the NIC2 ports on the servers, this will be used for internal communication. None of the computers will register their public IP addresses in the private network DNS, and similarly none of the private IP addresses will appear in any public DNS (which is pointless, as 192.168.* isn't a routable IP range anyway). All servers will make full-use of the built-in "Windows Firewall with Advanced Security". At this moment I don't see any point in using a dedicated hardware firewall as the advice is to maintain the software firewall anyway. SVR1: One public IP address so it can be RDP'd into directly from outside (and to allow the box to connect to the Internet itself, for updates and downloads). This box will also have a single private IP address on the private network. This computer will be an AD Domain Controller and also provide internal DNS services. Finally, this server will also be the private network's Certificate Authority for internal use. Only RDP traffic and ICMP Echo will be allowed through the firewall. SVR2: This machine will host public DNS services, Microsoft SQL Server, as well as serving websites. SVR3: This machine will host MySQL databases, our hosted TFS and SVN services, as well as also serving websites. SVR4: This will be the main mailserver, running Exchange Server 2010 with the three main roles (Mailbox, Client Access, and Hub Transport). It will serve as the main MX for all hosted email domains. Email is protected by Microsoft Forefront for Exchange. This server may also serve websites if necessary. SVR5: This is an 'internal' server like SVR1, it will also be a domain controller in addition to internal DNS. It won't do much else. SVR6: This is the second public DNS server, it will also run Exchange 2010 (but only for the Hub Transport role) so that the organisation can continue to receive email when SVR4 is unavailable (such as when rebooting or down for maintenance) this will also have Forefront installed. This server will also provide centralised backup facilities with Microsoft DPM using short-term disk-based backup (there is no requirement for long-term tape storage). SVR5 and SVR6 are both rather old boxes that have a non-zero probability of failure in the coming years, as a result they have been relegated to serve as 'backup' servers (namely secondary DNS, secondary domain controller, failover MX). I'd like critique of this arrangement, and if there are any better alternatives or if I've got this totally wrong and there's another way of doing things differently. Years ago when we had fewer servers, we relied on Hyper-V for things like the mail-server and public DNS, but we weren't happy with the performance overheads so we'd like to avoid virtualiation entirely.
Posted by UmbeeHosting, 09-13-2011, 06:26 PM
Hey, This is right up my street thanks for posting :-) First, you need to look at Unified Access Gateway it's a great product and will make your solution much more secure take a look Second, If I was you I would use VMware to virtualize everything except the SQL box the performance issues you had with Hyper V were most probably due to mis-configuration. You also might want to think about having a separate DMZ AD domain, I was unsure of the exact domain config from your proposal. Another thing I would try and stay away from Microsoft DNS for the public DNS a little Centos VM will do a much better job IMHO... Apart from that I think all looks OK do you have a Visio you can share? Last edited by UmbeeHosting; 09-13-2011 at 06:30 PM.
Posted by network82, 09-16-2011, 07:38 AM
As is, I don't think you could refine much better than what you have got. You could virtualise, BUT, as you've not detailed any SAN Storage I think the only advantage Virtualising (without SAN) would be to give you more "servers" out of your physical resources, you don't get any fail over without running centralised SAN storage so even though you'd get more "servers", like-for-like that would be the only benefit... I don't think even VMWare can do live migration between Host machines that aren't part of the same SAN, because the time it would take to transfer the VHDs in a saved state. I do think using Active Directory will help you centrally manage security policies, and as umbee pointed out AUG (formally Microsoft ISA) would help this as its a firewall and proxy/NAT server all built so would make NAT'd IPs easier to work with, but it's fairly expensive. And as your using AD, you've no choice but to use MSDNS because it's used in part for AD synchronisation between Domain Controllers. If you use a different DNS Server it has to be a standalone outside of the AD Domain... If you had a SAN, I personally would virtualise, and would recommend Hyper-V on the basis that your mostly using Microsoft Technologies, it would be easier to manage licensing, I would have also recommended Microsoft System Centre (SCVMM) to allow you to better manage the clustered virtualisation envirnment from one place rather than each host server.. You could have all those servers doing the roles you've outlined running (inc SQL) as VMs over 4x Physical Servers (or at a push 5x Host Servers) and have the remaining physical server(s) Running Active Directory and DNS Services which needs to run outside of the Cluster otherwise your VMs won't be able start if those services weren't available. SCVMM will also automatically give you fail over and live migrate VMs to other hosts where resources are available if a physical host should fail or need rebooting.. With my Setup, I use the SCVMM SDK and automated everything for my hosting envirnment, even whether or not to power up new physical host machines and provision more VMs to them in the cluster or power them down when no longer needed. Last edited by network82; 09-16-2011 at 07:49 AM.
Posted by MyITGuy, 09-16-2011, 10:20 AM
It's not pointless, you do not want any private addresses appearing in your public DNS as end user machines will try to resolve this address. I would advise against this, when and where possible you always want to place your equipment behind a hardware firewall. Out of curiosity, where to you see this advise that states otherwise? Out of curiosity, what are the specs on these machines (I.E. Have you sized them appropriately)? Additionally, placing all of your exchange roles on 1 server with no redundancy is not ideal and doesn't provide for an easy way to scale. You may want to rethink this portion and setup 2 servers for each role (2 MBX, 2 CAS and 2 HUBS) with a dedicated server for each or look into virtualization. I almost always use VMWare ESX in all of my deployments. If planned for properly you will have almost no issues with overhead/performance. Last edited by MyITGuy; 09-16-2011 at 10:32 AM.
Posted by Sheps, 09-16-2011, 02:58 PM
Couple of questions to help me understand your goals better: What services are you using internally? What services are you providing as a hosted service? Are you going to be using exchange with the /hosting switch? Are you planning on using a SAN now or in the future to store data? What kind of products are you offering with this exactly? What I mean by that is: IIS, Apache, etc? Exchange, some other third party mail program? Are you offering a control panel? If so is it going to be a third party control panel or are you building one from scratch?
Posted by W3bbo, 09-19-2011, 06:43 PM
Ideally virtualisation makes sense, yes; however most of our servers are Dell R200 and R210 models, which have two internal drives in RAID1 which is ill-suited for running IO-intensive operations on (e.g. Exchange or databases). We don't have the budget to get a SAN system now, nor for the next couple of years (a good SAN is going to cost about £8-£10k) and it's hard to justify it economically when we can pick up a brand new server that does one thing for about £800 or less. MSDNS for the "internal" DNS - that's a given. Microsoft MSDNS doesn't offer any fine-level tuning it means that the Domain controllers (with their own DNS servers) cannot be the same DNS servers that will serve "public" requests to resolve customer's website domain names, but this isn't a problem. MSDNS is quite capable when used for public DNS (disable forwarding, for example) but it does need to be run on a separate machine from the internal network. MSDNS isn't perfect though: it lacks support for wildcard or regex DNS (it probably violates spec, but it has its uses for cool user domain name applications, like deviantArt-style domain names). Sage advise, but as I said, we're not in a position where we can afford SAN right now. I have noted this because it sounds like a great idea. One of the things I don't like about our existing set-up (or the set-up I'm proposing) is that a server hosting our customers' websites will need to be rebooted periodically, and I wince every time I hit Shutdown. But that's what I said: the "private" IP addresses (192.168.x.x) would only appear in the Internal Active Directory DNS servers which would not be exposed to the public Internet at all (the MSSDNS servers would be configured to not respond to requests on any of their public interfaces). The public IP addresses would only appear in the public DNS servers. I can't remember where exactly I read the advice, but it was something along the lines of never assuming that there is a hardware firewall between the servers and the public Internet, simply because a careless tech' could mistakenly forget to reconnect servers to the firewall and not the switch when servicing machines. Three servers are Dell R200 machines that are well-stocked on RAM and CPU power, and all have two 7200rpm SAS drives in RAID1 configuration using the Dell SAS6iR controllers. The other two servers are older Dell 2850 servers, but are dual-processor Xeons with four 10krpm drives in RAID5 configuration. They are also maxed out on RAM. They are all running Windows Server 2008 R2. Thank you for the advice and I have decided to run all Exchange roles on SVR6 instead of just Hub Transport. I do need to think of a way to allow access to OWA from the same URI if one server goes down, however. Can you recommend any solutions or will we need to buy a hardware load balancer? As said in my OP: IIS, MSSQL, MySQL, Exchange, MSSDN, ADWe're providing customer access to the same services (i.e. Windows web-hosting) but we also have agreements with a small number of SaaS developers and will be hosting their applications too, but these are just more IIS web applications and no different to normal websites.Yes, currently we're using Exchange 2007 in the officially unsupported segregated mode, but when we do the systems overhaul we will be moving to Exchange 2010 with the /hosting switch so we can benefit from official support. I will miss the GUI support, but I'm sure we can cook something simple up to compensate (PowerShell makes this easy).Eventually we would like to move to a SAN and use Blades as well, as it minimises power and rack-space consumption. But it won't be for some time because the main expenses now are equipment purchasing rather than running prices.We're developing our own "control panel" software - we also offer access to IIS Management, SQL Server Management Studio, and MySQL Workbench. We'd also like our customers and clients to use WebDAV and FTPS instead of FTP, but some people (and their antiquated tools) are just stubborn like that. After we finish deploying our control panel solution we are interested in marketing it to other companies, but we don't know where to begin. If anyone here is interested then please drop me a PM.
Posted by MyITGuy, 09-19-2011, 07:09 PM
As far as the SAN, look into StorMagic. It allows you to utilize your server hard drives (Ideally, 10K or 15K Drives) as a SAN, with replication and etc to secondary servers (IIRC, its approximately 2K USD per server for the high-availability license) I didn't see that distinction being made and I try to avoid making assumptions =D Doesn't sound like advice that's saying not to use a hardware firewall...just never to make an assumption that there is one in place. I'd still take the position that a hardware firewall needs to be in place. I'm assuming SVR6 is one of the 2850's? This would probably be your best bet as the R200's wouldn't be able to handle a sizable database load. Regarding OWA, if your installing Exchange 2010 then the NLB services should care for this for you, although if you have the resources to buy a load balancer then you would most likely be better off.
Posted by W3bbo, 09-19-2011, 07:27 PM
How does Windows NLB work in this case, though? I always assumed you need a dedicated hardware load-balancer (and what's the guarantee that would never go down?). Please forgive my lack of experience in this area. The documentation on TechNet doesn't get to the point very quickly.
Posted by MyITGuy, 09-19-2011, 08:54 PM
Basically here's how it works: Your DNS points to a single IP Address. This single IP Address is assigned as the "public IP Address" (Can be an internal IP Address that is natted) on all of your NLB Hosts. All NLB Hosts receive traffic destined for the "public IP Address" and the NLB Service manages which host should actually receive/process the traffic. Here's some articles that may help you out: How NLB Works - http://technet.microsoft.com/en-us/l...8WS.10%29.aspx How to setup NLB: http://howtoexchange.wordpress.com/2...0-walkthrough/ How to setup Exchange /hosting (This is a guide I link to frequently, but utilizes Citrix for load balancing instead of NLB): http://www.yusufozturk.info/exchange...de-part-1.html
Posted by W3bbo, 09-19-2011, 09:06 PM
I thought it was illegal for multiple hosts in the same subnetwork to have the same IP addresses? Windows Server gives you a nasty popup message if that is the case.
Posted by MyITGuy, 09-19-2011, 11:20 PM
Somehow Microsoft has found a way around that with the NLB Driver and how it filters/responds to network traffic. I don't know how it works (I didn't create the code so I just go off what is posted), I just know it works.
Posted by network82, 09-20-2011, 05:19 AM
We use NLB for our host hyper-V Host machines as well as some of the services we use on the VMs. I've used the feature in windows 2003 and 2008, and I have to say 2003 is quite limited in use. Microsoft seem to have re-wrote network coms for Windows 2008 for better support for things like NLB particularly around virtualisation as it's an important part of failover. Also regarding MSDNS, it does support the "anything" wildcard which I use for subdomains and custom HTTP Handlers, but as far as I've ever played with that's about it. I wouldn't advice running your AD DNS schema on the same DNS server group as your public DNS. For that I use SimpleDNS which does have all the things your after, including round robin and a basic form of dynamic DNS failover and GEO distribution.

Add to Favourites Print this Article