Tuesday, June 4, 2019
Windows Server Deployment Proposal
Contoso Advertising has two locations. The main site is in Pensacola, Florida (FL), with a smaller site in Casper, Wyoming (WY). Multiple hosts will be distributed throughout these sites to support the various services required by each department. At the start of the growth initiative there will initially be 90 employees distributed across five departments between the two sites. Contoso has a small Executive department of 9 personnel, 15 employees in the Accounts and Sales department, 49 personnel staffing the Creative, Media, and Production department, 12 members of the Human Resources and Finance department, and 5 IT employees. As FL is Contoso's main site, the majority of employees will be based there, with one-third of each department working out of the WY site to split responsibilities between locations.

Windows Server 2012 will be the operating system (OS) deployed to all servers within the organization because of a few key features. Firstly, the use of PowerShell within Windows Server 2012 will be very important to the management of Contoso's network. Microsoft has vastly increased the number of available PowerShell cmdlets to allow for more robust management from the command line (Otey, 2011). This will allow the IT staff to manage company assets from the command line and to script the majority of routine network management duties. Furthermore, Microsoft's Server Manager utility can remotely manage multiple servers, up to 100 at a time (Microsoft, 2013). This will allow the IT employees to manage the entire organization remotely without physically visiting each server, and it eliminates the need for the Remote Desktop Protocol (RDP) for management tasks. These two features in particular will simplify network management for Contoso's small IT support staff at both sites.
Other features, such as Storage Tiers, will be quite impactful for users throughout the organization, particularly the employees in the Creative, Media, and Production department. These are just a few of the features that Contoso can take advantage of within their organization.

Deployment and Server Configurations

Contoso's network will be constructed with 24 servers in total throughout the enterprise to handle organizational growth over the next few years while being configured to provide robust failover. This will be done to ensure the company can recover from any single failure while still pursuing its organizational goals. Services for Contoso's daily operations, such as Domain Controllers, Dynamic Host Control Protocol (DHCP), Domain Name Servers (DNS), file servers, web servers, and print servers, will be provided by these servers. In addition, both sites will be mirrored so that each site can function if the WAN link between the sites happens to go down, but also for organizational purposes and ease of management by the small IT department. If implemented properly, Contoso's enterprise network can scale to the expected growth while having very high reliability.

The main FL site will have two Domain Controllers, FL_DC1 and FL_DC2. The primary domain controller, FL_DC1, will be configured to host Domain Name Services (DNS) and Dynamic Host Control Protocol (DHCP) as well as performing the role of Domain Controller. FL_DC2 will be a copy of FL_DC1 and will act as a backup in case of corruption or server failure. Both Domain Controllers will run the Server Core version of Windows Server with the graphical user interface (GUI). The Active Directory role will need to be installed to provide Directory Services, along with the ability to organize and manage the organization through the use of Group Policy, discussed later in the proposal.
Additionally, FL_DC2 will be designated as a Global Catalog to serve searches originating from the other site, decreasing the burden on the primary DC. A chart of the required servers and their intended purpose is shown below (* = 1 for the primary, 2 for the secondary).

Server        Role                                                  Location
FL_DC*        Primary/Secondary Domain Controller/DNS/DHCP Server   Pensacola, Florida
FL_FS_HRF*    Primary/Secondary HRF File Server                     Pensacola, Florida
FL_FS_CMP*    Primary/Secondary CMP File Server                     Pensacola, Florida
FL_FS*        Primary/Secondary File Server/Print Server            Pensacola, Florida
FL_MX*        Primary/Secondary Mail Server                         Pensacola, Florida
FL_WWW*       Primary/Secondary Web Server                          Pensacola, Florida
WY_DC*        Primary/Secondary Domain Controller/DNS/DHCP Server   Casper, Wyoming
WY_FS_HRF*    Primary/Secondary HRF File Server                     Casper, Wyoming
WY_FS_CMP*    Primary/Secondary CMP File Server                     Casper, Wyoming
WY_FS*        Primary/Secondary File Server/Print Server            Casper, Wyoming
WY_MX*        Primary/Secondary Mail Server                         Casper, Wyoming
WY_WWW*       Primary/Secondary Web Server                          Casper, Wyoming

As the Human Resources and Finance department will be dealing with highly sensitive financial data for the company, they will have their own exclusive file server, FL_FS_HRF1, which will be backed up to FL_FS_HRF2. Full backups will be conducted weekly, with differential backups occurring every night. Shares will be hosted on this server with permissions applied so that only members of the Human Resources and Finance department can access any resources on it.

The other department to have its own dedicated file servers is the Creative, Media, and Production department. Similar to the Finance department, there will be a primary server and a backup, FL_FS_CMP1 and FL_FS_CMP2. These servers will follow the same backup schedule as the Finance department, and their share access will likewise be locked down to the employees within the department. Storage pools will be created to implement storage tiers on the primary file server.
Multiple traditional mechanical hard disk drives (HDD) and solid state drives (SSD) will be assigned to the storage pool. The SSD tier will be configured to house the most frequently accessed data, while the HDD tier will house data accessed less often. The storage tier optimization task will be scheduled to run every evening during off hours.

The rest of the personnel at the FL site will use a single file server, FL_FS1, which will also be backed up to FL_FS2 in a manner similar to the Finance and Creative departments. Storage on this server will be split among the other departments, and quotas will be implemented using the File Server Resource Manager (FSRM). Using this method of quota management will allow the IT department to centrally control and monitor daily storage usage and generate storage reports to analyze disk usage trends (Microsoft, 2008). Users will be set up with home folders nested under their department's share; access to the share will be granted only to members of that department, and each user will have access only to their own personal folder through NTFS permissions. All users will initially be given the same amount of space, and expansion requests will be scrutinized. Because FSRM is more advanced than NTFS quotas, administrative notification scripts can be set to run when a user nears their allocated quota limit (Microsoft, 2008). The IT department will implement a semi-automated process with administrative scripts that triggers a quota increase request once a quota is reached. All file servers in the network will be installed with Server Core with the GUI.

Having a public presence on the internet will be crucial for Contoso to gain new clients and allow the business to grow over the next few years. Company mail servers will also be needed to communicate internally and to interface with customers.
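The tiered storage pool, the nightly tier optimization, and the FSRM quota with notification actions described above, as an added PowerShell example that is not part of the original proposal. It assumes a drive letter of D:, the pool, tier, share and group names shown, a hypothetical increase-request script at C:\Scripts\QuotaRequest.ps1, and placeholder sizes and mail settings; none of these come from the proposal. Storage tiers in Storage Spaces require Windows Server 2012 R2 or later, so the first section applies to that release even though the proposal names Windows Server 2012.

```powershell
# Added example: tiered storage plus FSRM quotas on a file server such as FL_FS_CMP1.
# All names, sizes, paths and addresses below are placeholders (assumptions), not values
# from the proposal. Run in an elevated PowerShell session on the file server.
#Requires -RunAsAdministrator

# --- 1. Storage pool with an SSD tier and an HDD tier (Storage Spaces, 2012 R2+) ---
$disks  = Get-PhysicalDisk -CanPool $true            # needs at least 2 SSDs and 2 HDDs for Mirror
$subsys = Get-StorageSubSystem | Select-Object -First 1
New-StoragePool -FriendlyName "CMP-Pool" -StorageSubSystemUniqueId $subsys.UniqueId `
    -PhysicalDisks $disks | Out-Null

# Tiers are carved from the pool by media type: SSD for hot data, HDD for cold data
$ssdTier = New-StorageTier -StoragePoolFriendlyName "CMP-Pool" -FriendlyName "SSD-Tier" -MediaType SSD
$hddTier = New-StorageTier -StoragePoolFriendlyName "CMP-Pool" -FriendlyName "HDD-Tier" -MediaType HDD

# Mirrored virtual disk spanning both tiers (tier sizes are placeholders)
New-VirtualDisk -StoragePoolFriendlyName "CMP-Pool" -FriendlyName "CMP-Data" `
    -StorageTiers $ssdTier, $hddTier -StorageTierSizes 200GB, 2TB `
    -ResiliencySettingName Mirror -WriteCacheSize 1GB | Out-Null

Get-VirtualDisk -FriendlyName "CMP-Data" | Get-Disk |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -DriveLetter D |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel "CMP-Data" -Confirm:$false | Out-Null

# The built-in optimization task moves hot and cold data between tiers; move it to the
# nightly off-hours window. Task path is the one shipped with 2012 R2; confirm with Get-ScheduledTask.
$nightly = New-ScheduledTaskTrigger -Daily -At "01:00"
Set-ScheduledTask -TaskPath "\Microsoft\Windows\Storage Tiers Management\" `
    -TaskName "Storage Tiers Optimization" -Trigger $nightly | Out-Null

# --- 2. FSRM quota template with notification thresholds ---
Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools | Out-Null
Set-FsrmSetting -SmtpServer "smtp.contoso.com" -AdminEmailAddress "it@contoso.com" `
    -FromEmailAddress "fsrm@contoso.com"                      # placeholder mail settings

# At 85 %: e-mail the user and the admins. The [..] tokens are FSRM's own macros.
$warn = New-FsrmAction -Type Email -MailTo "[Admin Email];[Source File Owner Email]" `
    -Subject "Quota warning on [Quota Path]" `
    -Body "[Source Io Owner] has used [Quota Used Percent]% of the [Quota Limit MB] MB quota."

# At 100 %: run the hypothetical increase-request script as an FSRM command action
$request = New-FsrmAction -Type Command `
    -Command "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -CommandParameters "-NonInteractive -File C:\Scripts\QuotaRequest.ps1 -User `"[Source Io Owner]`" -Path `"[Quota Path]`"" `
    -SecurityLevel LocalSystem

$t85  = New-FsrmQuotaThreshold -Percentage 85  -Action $warn
$t100 = New-FsrmQuotaThreshold -Percentage 100 -Action $request
New-FsrmQuotaTemplate -Name "Home-2GB" -Size 2GB -Threshold $t85, $t100 | Out-Null

# --- 3. Department share with per-user home folders, one quota per folder ---
$dept  = "D:\Shares\CMP"
$group = "CONTOSO\CMP-Users"                  # department security group (placeholder)
New-Item -ItemType Directory -Path $dept -Force | Out-Null

# Cut inheritance on the share root: admins/SYSTEM get full control that propagates,
# department members may only list the root (no inheritance), so they cannot open each other's folders.
$rootAcl = Get-Acl $dept
$rootAcl.SetAccessRuleProtection($true, $false)
foreach ($id in @("BUILTIN\Administrators", "NT AUTHORITY\SYSTEM")) {
    $rootAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")))
}
$rootAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group, "ReadAndExecute", "None", "None", "Allow")))
Set-Acl -Path $dept -AclObject $rootAcl

# Auto-apply quota: every subfolder created under the share picks up the template
New-FsrmAutoQuota -Path $dept -Template "Home-2GB" | Out-Null

# Create a home folder and grant Modify to that one user only
function New-HomeFolder([string]$SamAccountName) {
    $path = Join-Path $dept $SamAccountName
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    $acl = Get-Acl $path
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        "CONTOSO\$SamAccountName", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")))
    Set-Acl -Path $path -AclObject $acl
    $path
}
New-HomeFolder -SamAccountName "jdoe"        # constructed sample user
```

The quota is a hard limit by default; add -SoftLimit to New-FsrmQuotaTemplate if the intent is only to report. The command action runs as LocalSystem, so the request script should live in an administrator-only directory and never take untrusted input beyond the FSRM macros, since it executes with full rights on the file server.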
The FL site will have its own dedicated mail and web servers, with FL_MX1 and FL_WWW1 acting as primaries and FL_MX2 and FL_WWW2 as mirrored backups for their respective roles. These servers will run the Server Core edition of Windows Server 2012 because of its stability improvements and because it is inherently more secure than other editions of Windows Server, running far fewer services than the full GUI versions (Microsoft, 2017). Public-facing assets such as mail or web servers are often the first point of cyber-attack, and Server Core will decrease the attack footprint.

The WY site will have exactly the same configuration as the primary FL site, as seen in the network diagram below. Backup solutions and fault tolerance were built into this proposal to prevent downtime for the network and monetary loss for the company. In the event that any one host within the network fails, Contoso can continue with day-to-day operations while resolutions are developed and implemented by the IT department. This configuration was chosen for maximum reliability and fault tolerance, which will be crucial for a growing organization. A simplified diagram of Contoso's network is shown below to illustrate how the network could be structured to accomplish the goals of this deployment proposal.

NETWORK DIAGRAM

Active Directory and Group Policy

Contoso's network will have two domains within a single forest, one for each site. The FL site will be contoso.com and the WY site will be north.contoso.com, with each new site that Contoso builds in the future following a similar structure. Domain Controllers will be placed in each site for management within their domain. Organizational Units (OUs) will be used for organization within Active Directory, with each department having its own OU nested under its domain. Active Directory objects will be created for each user, organized by job role, and placed into their respective OUs.
Computer objects within Active Directory will follow a similar structure. This ensures proper organization, application of Group Policy, and ease of network management throughout the domain.

Software needed throughout the organization will be deployed through Group Policy when the number of employees requiring it is high enough, or when it is not feasible for the IT department to physically visit every computer for installation. This can be done with the Group Policy Management Console within Windows Server. Packages can be configured to deploy .msi files that are installed at the next computer reboot if the policy was configured under the Computer Configuration section of the Group Policy Management Editor. Programs like Adobe Reader, Photoshop, and QuickBooks could be deployed to different departments, while Wireshark or Zenmap could be deployed to different servers throughout the network for traffic analysis. Software restriction policies will also be used in the domain, as they control the execution of software at the discretion of the network administrators (Microsoft, 2004). Using these policies, the IT department can configure the environment to prevent unauthorized programs based on a hash, certificate, path, or zone identifier.

To maintain a high level of security throughout the enterprise, a strong password policy will be strictly enforced. Strong, frequently changed passwords will be used because passwords are continuously vulnerable, especially during password assignment, management, and use (Microsoft, 2017). Contoso employees will be required to have a password of at least 10 characters in length with a mixture of mixed-case characters, special characters, and numbers. Password age thresholds will be set in the password policy for a maximum age of 45 days and a minimum age of 30 days. A password history of 10 will be set to prevent users from quickly cycling back to previously used passwords.
This will ensure that if any user credentials are compromised, they will not be of use to an undetected malicious user for long.

In addition to the normal password policy just discussed, the administrators will also be subject to a fine-grained password policy for security reasons. Fine-grained password policies allow multiple password policies to apply to different users within a domain (Microsoft, 2012). Contoso will use this feature of Windows Server to enforce stronger password restrictions on select users, the IT department in this case. Additional complexity, a longer password history, different minimum and maximum password ages, and increased password length requirements will be enforced on these employees to secure the corporate network. In the event of a network breach, accounts with elevated privileges or permissions, such as the members of the IT department, will be the first group targeted by malicious users. Frequently changed, complex passwords increase the time needed to crack a password and shorten the window in which a cracked password can be used by malicious cyber actors.

Additional security measures will include disabling user accounts after 10 days of no activity. Account deletion will occur after 30 days of inactivity unless prior arrangement is made through the IT support department. This will be done to ensure that access to network and company resources remains secure from malicious attacks. Furthermore, account logon hours will be applied according to each employee's regular work hours, with an hour of buffer time at the start and end of the regular work day.

In addition to the hardware firewalls already in place, Windows Firewall will be applied to each computer within the organization through Group Policy, with rules tailored to each department.
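The default domain password policy, the fine-grained policy for IT staff, and the inactive-account sweep set out above, as an added PowerShell example that is not part of the original proposal. The domain default values (10 characters, 45/30-day ages, history of 10) are the proposal's; the stricter fine-grained values, the group name IT-Admins, and the OU paths are placeholders I have assumed, since the proposal gives no numbers for them.

```powershell
# Added example: AD password policies and inactive-account handling for contoso.com.
# Fine-grained values, group and OU names are placeholders (assumptions), not from the proposal.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$domain = "contoso.com"

# --- Default domain policy, values taken from the proposal ---
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 10 `
    -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 45) `
    -MinPasswordAge (New-TimeSpan -Days 30) `
    -PasswordHistoryCount 10 `
    -ReversibleEncryptionEnabled $false

# --- Fine-grained policy (PSO) for the IT department; requires domain functional level 2008+ ---
$itOu    = "OU=IT,DC=contoso,DC=com"        # placeholder OU
$itGroup = "IT-Admins"                      # placeholder group name
if (-not (Get-ADGroup -Filter "Name -eq '$itGroup'")) {
    New-ADGroup -Name $itGroup -GroupScope Global -GroupCategory Security -Path $itOu
}
$pso = @{
    Name                        = "IT-Admins-PSO"
    Precedence                  = 10          # lowest value wins if a user falls under several PSOs
    MinPasswordLength           = 15          # placeholder: stricter than the 10-character default
    ComplexityEnabled           = $true
    PasswordHistoryCount        = 24          # placeholder
    MaxPasswordAge              = (New-TimeSpan -Days 30)    # placeholder
    MinPasswordAge              = (New-TimeSpan -Days 1)     # placeholder
    LockoutThreshold            = 5
    LockoutDuration             = (New-TimeSpan -Minutes 30)
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
    ReversibleEncryptionEnabled = $false
}
New-ADFineGrainedPasswordPolicy @pso
# PSOs apply to users or global security groups, never to OUs
Add-ADFineGrainedPasswordPolicySubject -Identity "IT-Admins-PSO" -Subjects $itGroup

# Check which policy a given account actually ends up under
function Get-EffectivePolicyName([string]$SamAccountName) {
    $applied = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($applied) { $applied.Name } else { "Default Domain Policy" }
}

# --- Inactive accounts: disable after 10 days without a logon, preview deletion at 30 ---
# Caveat: -AccountInactive reads lastLogonTimestamp, which AD only rewrites when the stored value
# is older than msDS-LogonTimeSyncInterval (14 days by default). A 10-day window is therefore
# not judged accurately unless that interval is lowered on the domain.
function Disable-InactiveUsers([int]$Days = 10, [string]$SearchBase = "DC=contoso,DC=com") {
    Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $Days) -UsersOnly -SearchBase $SearchBase |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            Disable-ADAccount -Identity $_.DistinguishedName
            Set-ADUser -Identity $_.DistinguishedName `
                -Description "Disabled $(Get-Date -Format s): inactive for $Days days"
            $_.SamAccountName                          # return the names that were disabled
        }
}
Disable-InactiveUsers -Days 10

# Deletion stays a reviewed step: -WhatIf lists the 30-day candidates without removing anything
Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 30) -UsersOnly |
    Where-Object { -not $_.Enabled } |
    ForEach-Object { Remove-ADUser -Identity $_.DistinguishedName -WhatIf }
```

Run Get-EffectivePolicyName against an IT account after the PSO is created; if it still reports the Default Domain Policy, the account is not a member of the group the PSO was applied to. The disable step writes the reason into the account description so the 30-day deletion review can see why and when the account was disabled.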
For example, outbound traffic from Human Resources and Finance department workstations to the Creative, Media, and Production file server will be blocked. The public-facing infrastructure, such as the mail and web servers, will have extra restrictions placed on it for added security. For example, incoming ICMP traffic from the public internet will be blocked to guard against Denial of Service (DoS) attacks. Windows Defender will also be active on all employee workstations throughout the enterprise as well as on all servers. The correct configuration of the hardware and software firewalls and Microsoft's security product should protect Contoso from numerous cyber threats. These are just a few of the policies laid out to begin hardening the network; the IT department will develop others as it sees fit.

Print Services

The Print and Document Services role will be installed on the primary file server at each site, FL_FS1 and WY_FS1, with multiple print devices located throughout the environment. Specifically, there will initially be two print devices within each department to accommodate printer pooling as a means of load balancing print jobs between the many users. Any employee will be able to print to print devices outside their department, but with a lower priority than employees using their own department's resources.

DNS and DHCP

IPv4 addresses will be used throughout the organization for ease of management, as IPv4 is still widely used today. In the future, when Contoso grows and global adoption of IPv6 increases, addressing will be reconsidered. As there will be many network-critical devices throughout the enterprise network, such as file servers, printers, and domain controllers, these computers will all be assigned static IP addresses rather than DHCP reservations. This ensures that critical devices are always reachable in case of a DHCP failure.
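The two firewall rules described above (HRF workstations blocked from the CMP file server, inbound ICMP from the internet blocked on the public-facing servers), delivered through Group Policy, as an added PowerShell example that is not part of the original proposal. The OU paths, the HRF workstation subnet 10.10.20.0/24 and the FL_FS_CMP1 address 10.10.30.10 are constructed placeholders; the proposal lists no addresses.

```powershell
# Added example: Windows Firewall rules managed in GPOs for contoso.com.
# OU paths and IP addresses are placeholders (assumptions), not values from the proposal.
#Requires -Modules GroupPolicy, NetSecurity
Import-Module GroupPolicy, NetSecurity

$domain     = "contoso.com"
$cmpFileSrv = "10.10.30.10"        # placeholder address for FL_FS_CMP1

# Create the GPO if needed, link it to its OU, and open an editing session on its firewall store
function Open-FirewallGpo([string]$Name, [string]$LinkTarget) {
    if (-not (Get-GPO -Name $Name -ErrorAction SilentlyContinue)) {
        New-GPO -Name $Name | New-GPLink -Target $LinkTarget -LinkEnabled Yes | Out-Null
    }
    Open-NetGPO -PolicyStore "$domain\$Name"
}

# --- HRF workstations: enforce the firewall on, block SMB to the CMP file server ---
$gpo = Open-FirewallGpo -Name "FW - HRF Workstations" `
    -LinkTarget "OU=Workstations,OU=HRF,DC=contoso,DC=com"
Set-NetFirewallProfile -Profile Domain -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow -GPOSession $gpo
New-NetFirewallRule -DisplayName "Block HRF to CMP file server (SMB)" `
    -Direction Outbound -Action Block -Protocol TCP -RemotePort 445 `
    -RemoteAddress $cmpFileSrv -Profile Domain -GPOSession $gpo | Out-Null
Save-NetGPO -GPOSession $gpo       # nothing reaches the GPO until the session is saved

# --- Public-facing servers: drop inbound ICMPv4 that arrives from the Internet ---
# "Internet" is a built-in address keyword (everything outside the local subnets)
$gpo = Open-FirewallGpo -Name "FW - Public Servers" `
    -LinkTarget "OU=Public Servers,DC=contoso,DC=com"
New-NetFirewallRule -DisplayName "Block inbound ICMPv4 from Internet" `
    -Direction Inbound -Action Block -Protocol ICMPv4 `
    -RemoteAddress Internet -Profile Any -GPOSession $gpo | Out-Null
Save-NetGPO -GPOSession $gpo

# --- Read the rules back from the GPO store to confirm what clients will receive ---
function Get-GpoFirewallRules([string]$GpoName) {
    Get-NetFirewallRule -PolicyStore "$domain\$GpoName" |
        Select-Object DisplayName, Direction, Action, Enabled
}
Get-GpoFirewallRules -GpoName "FW - HRF Workstations"
Get-GpoFirewallRules -GpoName "FW - Public Servers"
```

Two points worth checking after deployment: a Block rule always wins over an Allow rule in Windows Firewall, so a later Allow cannot punch a hole in the ICMP block; and blocking every ICMPv4 type also drops "fragmentation needed" (type 3, code 4) messages, which can break path MTU discovery for clients behind smaller-MTU links. The first rule only covers SMB; if the CMP server exposes other services, add the matching ports or block by address alone.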
Other devices, such as employee workstations, company laptops, or other mobile devices, will have address management performed through DHCP. Scopes will be configured with lease durations of 16 hours. This ensures that an address assignment covers a full work day while still being short enough to prevent the pool of available addresses from running low as mobile devices enter and leave the network throughout the day. DNS and DHCP services will be handled by the primary domain controller of each site. Those servers will also act as a backup for their sister servers in the opposite site, providing failover in the event of server failure or corruption. The 80/20 rule will be applied within each scope: the primary DHCP server provides roughly 80% of the addresses within its scope, with the secondary providing the remaining addresses. This provides address assignment in situations where the primary DHCP server is unable to fulfill its role (Microsoft, 2005).

Summary

In summary, the network infrastructure and hardware will be set up at both sites in a mirrored fashion to provide ease of management for the IT department and to allow for easy growth over the next few years. The multiple domains and logical structure of Active Directory will ease the burden of organizing and administering the enterprise network. Each server will have a dedicated backup server for cases of machine failure, corruption, or other disaster. Security practices such as the password policy, use of Windows security software, and additional firewall restrictions will ensure that the company's sensitive business matters are protected. Estimating conservatively, the IT department could complete the initial setup within a week.
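The DHCP scope design described in the DNS and DHCP section (16-hour leases, one scope split 80/20 between the FL primary server and its WY sister server), as an added PowerShell example that is not part of the original proposal. The server names FL_DC1 and WY_DC1 are the proposal's; the subnet 10.10.100.0/24, gateway, DNS addresses and the exact split boundary are constructed placeholders.

```powershell
# Added example: split-scope DHCP for FL workstations, served 80/20 by FL_DC1 and WY_DC1.
# Subnet, gateway and DNS addresses are placeholders (assumptions), not from the proposal.
# The WY server can only answer FL clients if the FL routers relay DHCP (ip helper) to it.
#Requires -Modules DhcpServer
Import-Module DhcpServer

$primary    = "FL_DC1"
$secondary  = "WY_DC1"
$scopeId    = "10.10.100.0"
$mask       = "255.255.255.0"
$start      = "10.10.100.20"      # .1-.19 left outside the pool for the gateway and static hosts
$end        = "10.10.100.254"
$split      = "10.10.100.207"     # last address the primary hands out: 188 of 235 = 80 %
$afterSplit = "10.10.100.208"     # first address the secondary hands out: 47 of 235 = 20 %
$lease      = New-TimeSpan -Hours 16

# Same scope on both servers; each excludes the other's share so no address is ever issued twice
function Add-SplitScope([string]$Server, [string]$ExcludeStart, [string]$ExcludeEnd) {
    Add-DhcpServerv4Scope -ComputerName $Server -Name "FL-Workstations" `
        -StartRange $start -EndRange $end -SubnetMask $mask `
        -LeaseDuration $lease -State Active
    Add-DhcpServerv4ExclusionRange -ComputerName $Server -ScopeId $scopeId `
        -StartRange $ExcludeStart -EndRange $ExcludeEnd
    Set-DhcpServerv4OptionValue -ComputerName $Server -ScopeId $scopeId `
        -Router "10.10.100.1" -DnsServer "10.10.1.10", "10.10.1.11" -DnsDomain "contoso.com"
}

Add-SplitScope -Server $primary   -ExcludeStart $afterSplit -ExcludeEnd $end     # serves .20-.207
Add-SplitScope -Server $secondary -ExcludeStart $start      -ExcludeEnd $split   # serves .208-.254

# A DHCP server in an AD domain refuses to lease until it is authorized in the directory
Add-DhcpServerInDC -DnsName "$primary.contoso.com"
Add-DhcpServerInDC -DnsName "$secondary.north.contoso.com"

# Read back what each server will actually serve
function Get-ScopeSplit([string]$Server) {
    $scope = Get-DhcpServerv4Scope -ComputerName $Server -ScopeId $scopeId
    $excl  = Get-DhcpServerv4ExclusionRange -ComputerName $Server -ScopeId $scopeId
    [pscustomobject]@{
        Server   = $Server
        Lease    = $scope.LeaseDuration
        Excluded = "$($excl.StartRange)-$($excl.EndRange)"
    }
}
Get-ScopeSplit $primary
Get-ScopeSplit $secondary
```

Split scope keeps two independent lease databases, which is the classic 80/20 approach the proposal cites. Windows Server 2012 also offers DHCP failover (Add-DhcpServerv4Failover with -LoadBalancePercent 80), where both servers share one scope and replicate leases; it avoids the exclusion bookkeeping above, but both partners must run Windows Server 2012 or later.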
While this network deployment may seem excessive, Contoso Advertising is a growing enterprise that requires a solution able to scale as the organization grows.

References

Microsoft. (2013, June 24). Manage Multiple, Remote Servers with Server Manager. Retrieved January 10, 2017, from https://technet.microsoft.com/en-us/library/hh831456(v=ws.11).aspx
Microsoft. (2008, January 21). File Server Resource Manager. Retrieved February 01, 2017, from https://technet.microsoft.com/en-us/library/cc754810(v=ws.10).aspx
Microsoft. (2017). Why Is Server Core Useful? Retrieved January 18, 2017, from https://msdn.microsoft.com/en-us/library/dd184076.aspx
Microsoft. (2017). Configuring Password Policies. Retrieved February 09, 2017, from https://technet.microsoft.com/en-us/library/dd277399.aspx
Microsoft. (2005, January 21). Best Practices. Retrieved February 20, 2017, from https://technet.microsoft.com/en-us/library/cc958920.aspx
Microsoft. (2012, October 19). AD DS Fine-Grained Password Policies. Retrieved February 25, 2017, from https://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx
Microsoft. (2004, May 25). Using Software Restriction Policies to Protect Against Unauthorized Software. Retrieved February 25, 2017, from https://technet.microsoft.com/en-us/library/bb457006.aspx
Otey, M. (2011, October 17). Top 10 New Features in Windows Server 2012. Retrieved January 10, 2017, from http://windowsitpro.com/windows-server-2012/top-10-new-features-windows-server-2012