Date posted: 01-Apr-2018
SKV PROPOSAL TO TLC FOR ACTIVE DIRECTORY SITE IMPLEMENTATION
Date: Jan 27, 2014
Prepared by: Sainath K.E.V, Microsoft Most Valuable Professional
Introduction:
SKV Consulting is a premier consulting firm providing enterprise solutions for designing Microsoft technologies. SKV follows Microsoft standard frameworks and proven methodologies in designing and implementing infrastructure solutions.
SKV has successfully performed enterprise infrastructure transformations, including both desktop and server transformations. SKV has a proven track record of quality and delivery methodologies and provides value to its customers by reducing operations costs and increasing revenue.
1 Summary
TLC is built on a Cisco and Microsoft stack of network devices and servers. There are two physical sites, separated by Cisco routers, with a hybrid infrastructure configured for the server and virtualization stack.
SKV proposes the following services to TLC:
1) Network Infrastructure Validation
SKV Consulting will perform Layer 2 and Layer 3 network analysis. SKV Consulting will follow industry operations frameworks and proven monitoring tools and baselines to provide a detailed report to TLC Corp. SKV will validate VLAN trunks, port aggregation, bandwidth management and routing protocol design.
2) Active Directory Site Validation
SKV Consulting will validate the Active Directory Site infrastructure and run Microsoft tools to examine Active Directory replication health. SKV Consulting will validate the site design and report the findings to TLC Corp.
3) Remote Access
SKV Consulting is spread across Australia and requires its consultants to have remote access to the data center servers. Consultants will require RDP access and user accounts with the privileges needed to run the tools and collect the data.
2 Solution Overview
Introduction:
The existing TLC data center is hosted in Sydney and managed by in-house staff. TLC has two offices (Sydney and Melbourne); each site is hosted in its own data center and the two are connected by a high-speed network.
TLC users access a financial application hosted on mission-critical servers connected by high-speed networks. Users access resources across sites, including shared folders, backup and print services. The front-end application connects to a back-end database and requires a fast network to support real-time data reads and writes.
In this proposal, SKV Corp will perform an initial assessment of both the network and the Microsoft Active Directory infrastructure, and SKV technology consultants will run health tools and baseline metrics to validate the environment.
TLC uses a local ISP for internet connectivity over a 4 Mbps link. The TLC sites are connected with a site-to-site VPN. Each data center is a replica of the other and has the infrastructure below.
TLC Network Infrastructure     | Description
Cisco Catalyst 3560 x 2        | Network resiliency and security
Cisco 7600 Router x 2          | Network routing
Cisco Fabric Interconnect x 2  | Management interface
Cisco UCS Blade x 2            | Server virtualization

Physical Servers        | VLAN                   | Description
Microsoft SQL Server    | VLAN 1                 | SQL Server installed on HP Pro Server
FICO Server             | VLAN 1                 | Financial application running on the server
UNIX Server             | VLAN 1                 | Hosted on HP Pro Server
Hyper-V Server          | Hosts virtual networks | Virtualization tier
Symantec Backup Server  | VLAN 1                 | Backup server

Microsoft Infrastructure Components            | VLAN   | Description
Primary Domain Controller                      | VLAN 1 | Forest root domain
Additional Domain Controller                   | VLAN 1 | Secondary domain controller with DNS
Microsoft Exchange Server                      | VLAN 1 | Microsoft Exchange Server 2010
Microsoft SharePoint Server 2010               | VLAN 2 | Microsoft SharePoint Services
Microsoft System Center Operations Manager     | VLAN 2 | Enterprise server monitoring solution
Microsoft System Center Configuration Manager  | VLAN 2 | Patch management and software distribution

DNS Namespace | Description | Domain Controllers
Local         | TLC.LOCAL   | FRD1.TLC.LOCAL, FRD2.TLC.LOCAL
Global        | TLC.com     | Hosted by ISP
Solution Diagram:
[Diagram: Sydney Data Center and Melbourne Data Center connected by a 10 Mbps WAN link. Each data center: production environment on UCS blades with Fabric Extenders and Fabric Interconnect 1 and 2, Router 3750x, two Catalyst 3560 switches, Hyper-V hosts, ISP uplink, SAN storage replication and hybrid cloud. VLAN1-Prod: SQL Server, Hyper-V, UNIX, Symantec servers, DC, ADC, Exchange. VLAN2-Prod: SharePoint, SCOM, SCCM.]
Each data center consists of 5 physical servers on HP Pro Servers. TLC Corp uses Microsoft Hyper-V as its virtualization stack, hosted on Windows Server 2008 R2 Enterprise. Two VLANs host the different application servers, and a DMZ network is configured with Microsoft Forefront and Blue Coat servers respectively. The second data center acts as the high availability and DR site, with an exact replica of the servers.
Users are located in Sydney, and TLC Corp will expand its infrastructure to Tokyo this year. The primary Sydney site hosts the Microsoft FSMO roles, with Microsoft Exchange 2010 Server and Microsoft System Center Operations Manager 2008 R2 supporting the entire infrastructure for critical alerts and monitoring.
The Microsoft Hyper-V servers host virtual servers that communicate with VLAN 1, VLAN 2 and the client network; the client network is out of scope for SKV Consulting to monitor. In addition, the customer has proposed a physical-to-virtual migration with the aim of virtualizing the entire data center by the end of this year.
Scope of Work
The following requirements were gathered after infrastructure analysis and discussion with the architecture group.
SKV Tasks:
Detailed network analysis, covering both Layer 2 and Layer 3, will be performed by SKV consultants.
Automated solutions will be proposed based on the assessment.
Execute the assessment tools and document the analysis.
Suggest architectural changes to the network and Microsoft Active Directory sites.
Phase 1 – Start of the Project
SKV project managers will hold discussions with TLC Corp to identify the activities and timeframes. A detailed project plan will be submitted to TLC.
Phase 2 – Network Assessment
SKV consultants will perform a detailed analysis of the Layer 2 and Layer 3 networks, following detailed discussions with TLC network staff to understand the existing infrastructure.
Phase 3 – Active Directory Assessment
SKV consultants will perform a detailed analysis of the existing Active Directory site structure and execute Microsoft tools to record infrastructure details. Discussions will be held with TLC Active Directory staff.
Assumptions:
1. Data center hosting is performed by TLC employees.
2. Configuration of Cisco switches, including VLAN configuration, is performed by TLC.
3. IP addresses are provisioned for SKV consultants by TLC.
4. Firewall exception rules are implemented by TLC.
5. Server maintenance, including server patch management, is performed by TLC.
6. Storage provisioning, including provisioning of LUNs and configuration of iSCSI on Windows Servers, is performed by TLC.
7. Communication between VLANs is provisioned by TLC.
8. DR procedures are managed by a third-party vendor.
9. The private namespace is hosted by TLC.
10. Privileges to log on to DNS servers and domain controllers, including Group Policy creation and service account provisioning, are provisioned by TLC.
11. A network diagram is provided by TLC Corp.
12. Access to network devices, including Layer 2 and Layer 3, is provisioned by TLC.
13. Access to execute commands on network devices is provisioned by TLC.
14. Access to all required subnets is provisioned by TLC.
15. Access to the second data center is provisioned by TLC.
16. An Active Directory infrastructure diagram is provided by TLC.
17. Access to execute commands on domain controllers is provided by TLC.
18. Access to Active Directory Sites and Subnets is provisioned by TLC.
19. Access to DNS is provisioned by TLC.
20. This document will not provide detailed step-by-step visual information about the configuration of DNS servers or domain controllers for TLC.
21. This document will not cover step-by-step information about installing and configuring domain controllers.
22. This document will provide best practices to validate the existing network infrastructure and Active Directory site implementation.
Network Assessment:
SKV will perform the following network assessment for TLC Corp.
Network Monitoring Overview
Monitor the access layer for network connectivity. Monitor voice convergence and wireless connectivity and verify the logs. Review and validate default gateway redundancy using dual connections from the switches.
Validate convergence and verify that only the required access is provisioned for wireless devices. Validate DHCP security (DHCP snooping), followed by Dynamic ARP Inspection.
Test Virtual Router Redundancy Protocol (VRRP) and First Hop Redundancy Protocol (FHRP) for successful failover and redundancy. HSRP election process validation is the key monitoring step; to validate HSRP, the SKV consultant should perform a VM live migration. Report on the Layer 2 extensions: VPLS, FabricPath and TRILL.
Validating the Layer 3 switching environment includes verifying packet manipulation (checksum access). The SKV consultant will validate Gigabit density and LAN–WAN convergence.
Validate trunk configuration by ensuring 802.1Q trunks are used, set the DTP mode to desirable, and set the trunk encapsulation.
Disable trunking on host ports and set the native VLAN to an unused VLAN.
Validate Dynamic Trunking Protocol: check for permanent trunk mode, validate ports configured as desirable, and verify ISL encapsulation on the trunk link.
The above tests validate the three major layers (access, distribution and core). Further monitoring activities will be performed at the client's request.
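The trunk checks above can be run offline against a saved switch configuration before anyone touches a device. The PowerShell script below is an added example, not part of the SKV proposal: it parses a Cisco IOS running-config into interface blocks and reports trunks that do not use 802.1Q encapsulation, trunks whose native VLAN is left at 1, host ports on which DTP could still negotiate a trunk, and ports whose trunk mode is negotiated rather than permanent. The configuration text is constructed for illustration; on an assessment it would be read from a saved `show running-config` with Get-Content.

```powershell
# Added example, not part of the SKV proposal: offline audit of a Cisco IOS running-config
# against the trunk items above (802.1Q encapsulation, native VLAN not left at 1,
# trunking disabled on host ports, DTP mode recorded). The config text is constructed
# for illustration; on an assessment it would be read from a saved 'show running-config'.
$runningConfig = @'
interface GigabitEthernet1/0/1
 description Uplink to core
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description Trunk to second 3560
 switchport trunk encapsulation isl
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/10
 description Host port - application server
 switchport access vlan 1
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/11
 description Host port - database server
 switchport access vlan 1
!
'@

# Return the first capture group of the first line matching $Pattern, or $null if none matches.
function Get-Setting([string[]]$Lines, [string]$Pattern) {
    foreach ($l in $Lines) { if ($l -match $Pattern) { return $Matches[1] } }
    return $null
}

function Get-SwitchportFindings([string]$Config) {
    # IOS closes every interface block with a line containing only '!'.
    $blocks = [regex]::Matches($Config, '(?ms)^interface (\S+)\r?\n(.*?)^!')
    foreach ($m in $blocks) {
        $name   = $m.Groups[1].Value
        $lines  = $m.Groups[2].Value -split '\r?\n' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        $mode   = Get-Setting $lines '^switchport mode (.+)$'    # trunk | access | dynamic desirable | dynamic auto
        $encap  = Get-Setting $lines '^switchport trunk encapsulation (\S+)'
        $native = Get-Setting $lines '^switchport trunk native vlan (\d+)'
        $noneg  = $lines -contains 'switchport nonegotiate'
        # A port with an access VLAN and no permanent trunk mode is treated as a host port.
        $isHost = ($null -ne (Get-Setting $lines '^switchport access vlan (\d+)')) -and $mode -ne 'trunk'

        if ($isHost) {
            # Host ports: DTP must not be able to negotiate a trunk on them.
            if ($mode -ne 'access') {
                [pscustomobject]@{ Interface = $name; Finding = "host port without 'switchport mode access'; DTP left at default could negotiate a trunk" }
            }
            if (-not $noneg) {
                [pscustomobject]@{ Interface = $name; Finding = "host port without 'switchport nonegotiate'" }
            }
        } else {
            # Trunk or DTP-negotiated ports.
            if ($encap -ne 'dot1q') {
                $shown = if ($encap) { $encap } else { 'negotiate (default)' }
                [pscustomobject]@{ Interface = $name; Finding = "trunk encapsulation is '$shown', expected dot1q (802.1Q)" }
            }
            if (-not $native -or $native -eq '1') {
                [pscustomobject]@{ Interface = $name; Finding = 'native VLAN is 1 (default); move it to an unused VLAN' }
            }
            if ($mode -like 'dynamic*') {
                [pscustomobject]@{ Interface = $name; Finding = "DTP mode '$mode': trunk is negotiated rather than permanent; record for review" }
            }
        }
    }
}

Get-SwitchportFindings $runningConfig | Format-Table -AutoSize
```

On the constructed input, GigabitEthernet1/0/1 and 1/0/10 produce no findings, 1/0/2 is reported for ISL encapsulation, default native VLAN and negotiated trunk mode, and 1/0/11 is reported as a host port still open to DTP negotiation. The same parsing approach applies to a multi-switch export by looping over one saved config file per device.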
Active Directory Validation
SKV will perform the tasks below to validate the Active Directory Site infrastructure for TLC.
a) Validate site objects and report errors to TLC
b) Validate subnet objects and report errors to TLC
c) Validate site and subnet associations and report inconsistencies to TLC
d) Validate and verify DNS site information and report misconfigurations to TLC
e) Validate the association of logon requests with the proper Active Directory sites
f) Validate site replication and report back to TLC
g) Verify clients' DNS IP address associations
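Tasks a) to e) and g) can be carried out read-only from a domain-joined management host. The script below is an added example and not part of the SKV proposal or any Microsoft tool: it lists sites that contain no domain controller, subnets not associated with a site, domain controllers missing from their site-specific `_ldap._tcp.<site>._sites.dc._msdcs` SRV records, the site that a sample client address maps to (via nltest), and locally configured DNS servers that are not domain controllers. It assumes the ActiveDirectory and DnsClient PowerShell modules (Windows Server 2012 / RSAT or later), read access to the Configuration partition, and nltest.exe on the path; the client address is a constructed placeholder.

```powershell
# Added example, not from the SKV proposal: read-only checks behind tasks a) to e) and g).
# Assumes the ActiveDirectory and DnsClient modules (Windows Server 2012 / RSAT or later),
# read access to the Configuration partition, and nltest.exe on the path.
Import-Module ActiveDirectory

$domainDns   = (Get-ADDomain).DNSRoot                   # tlc.local in this proposal
$sites       = Get-ADReplicationSite -Filter *
$subnets     = Get-ADReplicationSubnet -Filter * -Properties Site
$dcs         = Get-ADDomainController -Filter *
$dcSiteNames = $dcs | Select-Object -ExpandProperty Site -Unique
$findings    = New-Object System.Collections.Generic.List[string]

# a) Site objects: a site with no domain controller is served by another site's DCs through
#    automatic site coverage, which is rarely what the site design intended.
foreach ($site in $sites) {
    if ($dcSiteNames -notcontains $site.Name) {
        $findings.Add("Site '$($site.Name)' contains no domain controller")
    }
}

# b) + c) Subnet objects and site association: a subnet without a site sends its clients
#    to an arbitrary DC, often across the WAN.
foreach ($subnet in $subnets) {
    if (-not $subnet.Site) {
        $findings.Add("Subnet '$($subnet.Name)' is not associated with any site")
    }
}

# d) DNS site information: every DC should be registered under its own site in _msdcs,
#    otherwise clients in that site cannot prefer a local DC.
foreach ($siteName in $dcSiteNames) {
    $srvName = "_ldap._tcp.$siteName._sites.dc._msdcs.$domainDns"
    try {
        $targets = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' } |
                   ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() }
    } catch {
        $findings.Add("SRV lookup failed for $srvName : $($_.Exception.Message)")
        continue
    }
    foreach ($dc in ($dcs | Where-Object Site -eq $siteName)) {
        if ($targets -notcontains $dc.HostName.ToLower()) {
            $findings.Add("$($dc.HostName) is missing from $srvName")
        }
    }
}

# e) Logon request association: nltest asks a DC to run the same subnet-to-site mapping
#    the DC locator applies to logon requests from that address.
$sampleClientIp = '10.10.20.15'                          # constructed placeholder, not a TLC address
$mapped = nltest "/dsaddresstosite:$sampleClientIp" 2>&1
$findings.Add("nltest site mapping for $sampleClientIp -> $($mapped -join ' ')")
# For the machine running the script itself: nltest /dsgetsite

# g) Client DNS server associations: the local client should point at domain controllers
#    (AD-integrated DNS), not at the ISP's resolvers.
$dcIps     = $dcs.IPv4Address
$clientDns = Get-DnsClientServerAddress -AddressFamily IPv4 |
             Where-Object { $_.ServerAddresses } |
             Select-Object -ExpandProperty ServerAddresses -Unique
foreach ($addr in $clientDns) {
    if ($dcIps -notcontains $addr) {
        $findings.Add("DNS server $addr configured on this client is not a domain controller")
    }
}

if ($findings.Count -eq 0) { 'All site/subnet/DNS checks passed' } else { $findings }
```

Run it from a client in each physical site, since the nltest mapping and the DNS client check describe the machine it runs on; the site, subnet and SRV checks read the same directory data from anywhere in the forest.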
Active Directory Monitoring
1) Ensure static IP addresses are configured on the domain controllers, and validate the subnet mask and default gateway configured on each server – strictly no multi-homed networks on domain controllers.
2) Ensure the network ports are open for the various Active Directory and DNS communications:
Protocol and Port   | AD and AD DS Usage                                                                   | Type of traffic
TCP and UDP 389     | Directory, Replication, User and Computer Authentication, Group Policy, Trusts        | LDAP
TCP 636             | Directory, Replication, User and Computer Authentication, Group Policy, Trusts        | LDAP SSL
TCP 3268            | Directory, Replication, User and Computer Authentication, Group Policy, Trusts        | LDAP GC
TCP 3269            | Directory, Replication, User and Computer Authentication, Group Policy, Trusts        | LDAP GC SSL
TCP and UDP 88      | User and Computer Authentication, Forest Level Trusts                                 | Kerberos
TCP and UDP 53      | User and Computer Authentication, Name Resolution, Trusts                             | DNS
TCP and UDP 445     | Replication, User and Computer Authentication, Group Policy, Trusts                   | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
TCP 25              | Replication                                                                          | SMTP
TCP 135             | Replication                                                                          | RPC, EPM
TCP Dynamic         | Replication, User and Computer Authentication, Group Policy, Trusts                   | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
TCP 5722            | File Replication                                                                     | RPC, DFSR (SYSVOL)
UDP 123             | Windows Time, Trusts                                                                 | Windows Time
TCP and UDP 464     | Replication, User and Computer Authentication, Trusts                                 | Kerberos change/set password
UDP Dynamic         | Group Policy                                                                         | DCOM, RPC, EPM
UDP 138             | DFS, Group Policy                                                                    | DFSN, NetLogon, NetBIOS Datagram Service
TCP 9389            | AD DS Web Services                                                                   | SOAP
UDP 67 and UDP 2535 | DHCP (Note: DHCP is not a core AD DS service but it is often present in many AD DS deployments.) | DHCP, MADCAP
UDP 137             | User and Computer Authentication                                                     | NetLogon, NetBIOS Name Resolution
TCP 139             | User and Computer Authentication, Replication                                        | DFSN, NetBIOS Session Service, NetLogon
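The static TCP ports in the table can be probed from a management host to confirm the firewall exceptions (assumption 4) are in place for every domain controller. The script below is an added example, not part of the SKV proposal; it assumes the ActiveDirectory and NetTCPIP modules (Windows Server 2012 / Windows 8 or later). Test-NetConnection probes TCP only, so the UDP rows are covered only where a protocol-level query exists (a DNS lookup over UDP 53 below); the remaining UDP ports and the dynamic RPC range are left to the firewall rule review.

```powershell
# Added example, not from the SKV proposal: probe the static TCP ports from the table above
# against every domain controller. Assumes the ActiveDirectory and NetTCPIP modules
# (Windows Server 2012 / Windows 8 or later). Dynamic RPC ports are excluded because the
# endpoint mapper on TCP 135 hands them out per session.
Import-Module ActiveDirectory

$tcpPorts = [ordered]@{
    389  = 'LDAP'
    636  = 'LDAP SSL'
    3268 = 'LDAP GC'
    3269 = 'LDAP GC SSL'
    88   = 'Kerberos'
    53   = 'DNS'
    445  = 'SMB / NetLogon / SamR'
    25   = 'SMTP (expected closed unless SMTP inter-site replication is configured)'
    135  = 'RPC endpoint mapper'
    5722 = 'DFSR (SYSVOL)'
    464  = 'Kerberos change/set password'
    9389 = 'AD DS Web Services'
    139  = 'NetBIOS session service'
}

function Test-DcPorts([string]$DcHostName) {
    foreach ($port in $tcpPorts.Keys) {
        $r = Test-NetConnection -ComputerName $DcHostName -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            DC      = $DcHostName
            Port    = $port
            Service = $tcpPorts[$port]
            TcpOpen = $r.TcpTestSucceeded
        }
    }
}

$dcs     = Get-ADDomainController -Filter *
$gcs     = ($dcs | Where-Object IsGlobalCatalog).HostName
$results = foreach ($dc in $dcs) { Test-DcPorts $dc.HostName }

# Closed GC ports (3268/3269) on a DC that is not a Global Catalog are expected;
# every other closed port needs either a firewall exception or a service check on the DC.
$results |
    Where-Object { -not $_.TcpOpen } |
    Where-Object { -not (($_.Port -in 3268, 3269) -and ($gcs -notcontains $_.DC)) } |
    Format-Table DC, Port, Service -AutoSize

# UDP 53: Resolve-DnsName queries over UDP first, so an answer from each DC's DNS service
# shows the UDP path is open as well as the TCP one tested above.
$domainDns = (Get-ADDomain).DNSRoot
foreach ($dc in $dcs) {
    try {
        Resolve-DnsName -Name $domainDns -Type A -Server $dc.HostName -ErrorAction Stop | Out-Null
        Write-Output "DNS query answered by $($dc.HostName)"
    } catch {
        Write-Output "DNS query to $($dc.HostName) failed: $($_.Exception.Message)"
    }
}
```

Run the probe from each client VLAN in turn (VLAN 1, VLAN 2 and the remote data center), because a port can be open from the server VLAN and still be blocked for the subnet the clients actually use.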
3) Verify that the disk partition is formatted with NTFS.
4) Verify the DNS zone TLC.LOCAL and the corresponding folders (_msdcs, _tcp, _udp, _sites) are created and populated with:
a) Kerberos SRV records pointing to the domain controllers
b) LDAP SRV records pointing to the domain controllers
c) _kpasswd SRV records pointing to the domain controllers
5) Ensure dynamic updates are configured on the DNS zone.
6) Enable aging and scavenging on the DNS server.
7) Ensure the forwarding timeout is set to 6 seconds.
8) Ensure the Active Directory DNS zones are replicated across the forest; this ensures that clients can find resource records in either of the domains.
9) Configure DNS reverse lookup zones for the specific IP subnets.
10) Ensure the hosts file on the DNS server is empty.
11) Ensure the recursion timeout is greater than the forwarding timeout.
12) Ensure replication between sites uses RPC over IP.
13) Understand whether the network is fully routed or a hub-and-spoke configuration. If the configuration is hub and spoke, a careful understanding of the networked WAN sites is required. Site link bridges are required only for sites that have domain controllers. Again, careful understanding is required before proposing the installation of domain controllers in a physical site. If adjacent sites belong to different domains, there is no need to create a site link between the disparate domains.
14) Validate BASL (Bridge All Site Links) against the network. BASL should be enabled if the network is fully routed (all domain controllers can communicate with each other). If the domain controllers log Event ID 1311, ensure that all sites (WAN) and site links are routable, validate the site link bridges and remove any unrouted WAN links from Active Directory Sites and Services.
15) For any given Active Directory site with a Global Catalog, all the GCs should be used for replication.
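Items 1, 3 to 11 and 14 of the checklist above can be verified in one pass when run on each domain controller that also hosts DNS. The script below is an added example, not part of the SKV proposal or of any Microsoft tool: it collects a list of findings, and an empty list means every check passed. It assumes the ActiveDirectory, DnsServer, NetTCPIP and Storage PowerShell modules (Windows Server 2012 or later); the zone name tlc.local is taken from the proposal, and the BASL check reads the `options` attribute of the IP inter-site transport object, where bit 0x2 (bridges required) means BASL is switched off.

```powershell
# Added example, not from the SKV proposal: run on a domain controller / DNS server to check
# items 1, 3 to 11 and 14 of the list above. Assumes the ActiveDirectory, DnsServer, NetTCPIP
# and Storage modules (Windows Server 2012 or later). Zone name from the proposal.
Import-Module ActiveDirectory, DnsServer

$zoneName = 'tlc.local'
$findings = New-Object System.Collections.Generic.List[string]

# 1) Single connected NIC, no DHCP, default gateway present (no multi-homed DCs).
$ifaces = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected |
          Where-Object { $_.InterfaceAlias -notmatch 'Loopback' }
if (@($ifaces).Count -ne 1) { $findings.Add("Multi-homed: $(@($ifaces).Count) connected IPv4 interfaces") }
foreach ($if in $ifaces) {
    if ($if.Dhcp -eq 'Enabled') { $findings.Add("DHCP enabled on $($if.InterfaceAlias); DC addresses must be static") }
}
$cfg = Get-NetIPConfiguration | Where-Object { $_.IPv4Address }
if (-not $cfg.IPv4DefaultGateway) { $findings.Add('No IPv4 default gateway configured') }

# 3) NTFS on the system volume (repeat for the NTDS/SYSVOL volume if it is separate).
$sysDrive = $env:SystemDrive.TrimEnd(':')
if ((Get-Volume -DriveLetter $sysDrive).FileSystem -ne 'NTFS') { $findings.Add("${sysDrive}: is not NTFS") }

# 4) Kerberos, LDAP and _kpasswd SRV records under the _msdcs / _tcp folders of the zone.
foreach ($name in "_ldap._tcp.dc._msdcs.$zoneName", "_kerberos._tcp.dc._msdcs.$zoneName", "_kpasswd._tcp.$zoneName") {
    try   { Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop | Out-Null }
    catch { $findings.Add("SRV record missing: $name") }
}

# 5) Dynamic updates on the zone ('Secure' is the expected value for an AD-integrated zone).
$zone = Get-DnsServerZone -Name $zoneName
if ($zone.DynamicUpdate -eq 'None') { $findings.Add("Dynamic update disabled on $zoneName") }

# 6) Aging on the zone and scavenging on the server; both are needed to remove stale records.
if (-not (Get-DnsServerZoneAging -Name $zoneName).AgingEnabled) { $findings.Add("Aging not enabled on $zoneName") }
if (-not (Get-DnsServerScavenging).ScavengingState) { $findings.Add('Scavenging is not enabled on this DNS server') }

# 7) + 11) Forwarding timeout of 6 seconds, and recursion timeout greater than it.
$fwd = Get-DnsServerForwarder
$rec = Get-DnsServerRecursion
if ($fwd.Timeout -ne 6) { $findings.Add("Forwarder timeout is $($fwd.Timeout)s, expected 6s") }
if ($rec.Timeout -le $fwd.Timeout) { $findings.Add("Recursion timeout ($($rec.Timeout)s) is not greater than forwarding timeout ($($fwd.Timeout)s)") }

# 8) Forest-wide replication scope so every domain in the forest can resolve the records.
if ($zone.ReplicationScope -ne 'Forest') { $findings.Add("Zone $zoneName replication scope is '$($zone.ReplicationScope)', not Forest") }

# 9) A reverse lookup zone for each IPv4 subnet defined in AD Sites and Services
#    (/8, /16 and /24 prefixes are derived; other lengths are reported for manual review).
$reverseZones = (Get-DnsServerZone | Where-Object IsReverseLookupZone).ZoneName
foreach ($subnet in Get-ADReplicationSubnet -Filter *) {
    if ($subnet.Name -match ':') { continue }                  # skip IPv6 subnets
    $ip, $prefix = $subnet.Name -split '/'
    $o = $ip -split '\.'
    $arpa = switch ([int]$prefix) {
        8       { "$($o[0]).in-addr.arpa" }
        16      { "$($o[1]).$($o[0]).in-addr.arpa" }
        24      { "$($o[2]).$($o[1]).$($o[0]).in-addr.arpa" }
        default { $null }
    }
    if ($null -eq $arpa) { $findings.Add("Subnet $($subnet.Name): check its reverse zone manually") }
    elseif ($reverseZones -notcontains $arpa) { $findings.Add("No reverse lookup zone $arpa for subnet $($subnet.Name)") }
}

# 10) The hosts file must carry no active entries; they silently override DNS on the server.
$hostsActive = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" | Where-Object { $_ -match '^\s*[^#\s]' }
if ($hostsActive) { $findings.Add("hosts file has $(@($hostsActive).Count) active entries") }

# 14) BASL: bit 0x2 (BRIDGES_REQUIRED) on the IP inter-site transport means BASL is disabled,
#     and Event 1311 in the Directory Service log means the KCC found sites it cannot connect.
$configNC    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = Get-ADObject -Identity "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC" -Properties options
if ([int]$ipTransport.options -band 0x2) { $findings.Add('BASL is disabled on the IP transport; confirm site link bridges cover every routed WAN link') }
$ev1311 = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1311 } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($ev1311) { $findings.Add("Event 1311 last logged at $($ev1311.TimeCreated): site link / bridge topology is not fully connected") }

if ($findings.Count -eq 0) { 'All DC/DNS checks passed' } else { $findings }
```

Items 12 and 15 are read from the site link objects (Get-ADReplicationSiteLink, property InterSiteTransportProtocol) and from the Global Catalog flags of the DCs in each site, and item 13 is a design question rather than a setting, so they are left to the consultant's review.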
Validation Tools and Analysis:
Microsoft Active Directory sites are designed to map the physical infrastructure to the logical infrastructure and to assist logon and replication between Active Directory domain controllers located across multiple regions. Replication is key to managing data and object consistency across the domains located within sites and across sites (inter-site). Note that replication within a site is always fast compared with replication across the WAN, which uses site link objects.
Knowledge Consistency Checker (KCC) Monitoring:
The KCC is responsible for creating inbound connections between domain controllers, which together form the replication topology (inter-site). Initial nomination of the bridgehead server takes up to 2 hours, and even in the event of re-nomination (when the customer wants to re-designate the bridgehead server) the process takes 2 hours or more to assign a bridgehead server. The KCC builds the replication topology with the help of the CNAME record and determines the inbound and outbound domain controllers to create the inbound connections.
The intrasite topology is built automatically by the KCC; it is a ring topology. Replication between sites is configured with the help of site link objects. While building the replication topology the KCC contacts the domain controllers within the site, and a domain controller should respond with 0 failed attempts, that is, when the KCC polls the domain controller it should respond immediately. For replication between sites, the default interval is 2 hours.
Domain controller KCC initial replication with intrasite replication partners: 5 minutes.
Note: Ensure all the services (DNS, DHCP) start before the KCC starts its initial replication.
Test Case 1:
SKV consultants will perform negative test cases to verify that the KCC automatically rebuilds the topology: shut down the preferred bridgehead server and validate that the KCC automatically elects a new bridgehead server and rebuilds the topology.
Test Case 2:
Disable inter-site topology calculation on the domain controller of a given site and re-enable it after a given period. This ensures the replication load is managed during off-peak hours and reduces network traffic. Use the following link to disable inter-site topology generation: http://support.microsoft.com/kb/242780
Test Case 3:
Disable inter-site topology generation and manage the connections manually. This requires administrators to understand the corporate network topology and designate manual site link connections. This activity also requires administrators to provide redundant manual connections, which help the KCC to recalculate if a specific domain controller goes down.
Tools: RepAdmin
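Before and after each of the three test cases the consultant needs the same baseline: which server is the ISTG in each site, whether intra-site and inter-site automatic topology generation are enabled, which servers are marked as preferred bridgeheads, and which replication partnerships are failing. The script below is an added example, not part of the SKV proposal or of repadmin itself: it reads that baseline from the Configuration partition and from the replication metadata the DCs expose. It assumes the ActiveDirectory module (Windows Server 2012 or later) and read access to the Configuration partition; the two option bits are the nTDSSiteSettings flags documented in MS-ADTS (0x1 disables intra-site auto topology, 0x10 disables inter-site auto topology, the setting toggled in Test Cases 2 and 3).

```powershell
# Added example, not from the SKV proposal: read-only KCC / replication baseline to capture
# before and after the test cases above. Assumes the ActiveDirectory module (Windows Server
# 2012 or later) and read access to the Configuration partition.
Import-Module ActiveDirectory

$configNC  = (Get-ADRootDSE).configurationNamingContext
$sitesBase = "CN=Sites,$configNC"

# nTDSSiteSettings option bits (MS-ADTS): 0x1 disables intra-site automatic topology,
# 0x10 disables inter-site automatic topology (Test Case 2 and 3 toggle this one).
$IS_AUTO_TOPOLOGY_DISABLED            = 0x1
$IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED = 0x10

# Second RDN of a DN, e.g. CN=NTDS Site Settings,CN=Sydney,... -> Sydney
function Get-RdnValue([string]$Dn, [int]$Index) { (($Dn -split ',')[$Index]) -replace '^CN=' }

function Get-KccSiteStatus {
    $settings = Get-ADObject -SearchBase $sitesBase -Filter 'objectClass -eq "nTDSSiteSettings"' `
                             -Properties options, interSiteTopologyGenerator
    foreach ($s in $settings) {
        $opts = [int]$s.options
        # interSiteTopologyGenerator is the DN of the ISTG's NTDS Settings object:
        # CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,... so the server is RDN index 1.
        $istg = if ($s.interSiteTopologyGenerator) { Get-RdnValue $s.interSiteTopologyGenerator 1 } else { '(none)' }
        [pscustomobject]@{
            Site                  = Get-RdnValue $s.DistinguishedName 1
            ISTG                  = $istg
            IntraSiteAutoTopology = -not ($opts -band $IS_AUTO_TOPOLOGY_DISABLED)
            InterSiteAutoTopology = -not ($opts -band $IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED)
        }
    }
}

function Get-PreferredBridgeheads {
    # A server object whose bridgeheadTransportList is set has been marked as a preferred
    # bridgehead for that transport; if none is set, the KCC chooses bridgeheads itself,
    # which is the behaviour Test Case 1 expects to see after the shutdown.
    Get-ADObject -SearchBase $sitesBase -Filter 'objectClass -eq "server"' -Properties bridgeheadTransportList |
        Where-Object { $_.bridgeheadTransportList } |
        ForEach-Object {
            [pscustomobject]@{
                Server     = $_.Name
                Site       = Get-RdnValue $_.DistinguishedName 2     # CN=<server>,CN=Servers,CN=<site>,...
                Transports = ($_.bridgeheadTransportList | ForEach-Object { Get-RdnValue $_ 0 }) -join ', '
            }
        }
}

function Get-ReplicationStatus {
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction Stop |
                Select-Object @{ n = 'DC';      e = { $dc.HostName } },
                              @{ n = 'Partner'; e = { Get-RdnValue $_.Partner 1 } },
                              Partition, LastReplicationSuccess, ConsecutiveReplicationFailures, LastReplicationResult
        } catch {
            # A DC that cannot be queried at all is itself a finding (for example, the
            # bridgehead deliberately shut down in Test Case 1).
            [pscustomobject]@{ DC = $dc.HostName; Partner = '(unreachable)'; Partition = ''; LastReplicationSuccess = '';
                               ConsecutiveReplicationFailures = ''; LastReplicationResult = $_.Exception.Message }
        }
    }
}

Get-KccSiteStatus        | Format-Table -AutoSize
Get-PreferredBridgeheads | Format-Table -AutoSize
Get-ReplicationStatus    | Where-Object { $_.ConsecutiveReplicationFailures -ne 0 } | Format-Table -AutoSize

# The same facts from the tool named above, for cross-checking:
#   repadmin /istg          ISTG per site
#   repadmin /bridgeheads   current bridgehead servers and their status
#   repadmin /showrepl      inbound replication partners and the last result for each
```

Capture the three tables before starting a test case, then again after the KCC's next run; for Test Case 1 the ISTG and bridgehead columns should show a different server, and the replication table should return to zero consecutive failures once the topology has been rebuilt.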
Conclusion: This document explains monitoring guidelines for the network and Active Directory site structure. It describes monitoring measures for Layer 2, Layer 3 and general networking on Cisco devices, and monitoring metrics for the Active Directory site implementation.