Introduction:
SKV Consulting is a premier consultancy providing enterprise solutions for designing Microsoft
technologies. SKV follows Microsoft standard frameworks and proven methodologies in designing
and implementing infrastructure solutions.
SKV has successfully performed enterprise infrastructure transformations, including both desktop
transformations and server transformations. SKV has a proven track record of quality and delivery
methodologies and provides value to its customers by reducing operations costs and increasing
revenue.
Summary
TLC is built on a CISCO and Microsoft stack of network devices and servers. There are two physical
sites configured, separated by CISCO routers, with a hybrid infrastructure configured for the
server and virtualization stack.
Our proposal to TLC covers the following required services:
1) Network Infrastructure Validation
SKV Consulting will perform Layer 2 network analysis and Layer 3 network analysis. SKV Consulting will follow
industry operations frameworks and proven monitoring tools and baselines to provide a detailed report to TLC Corp.
SKV will validate VLAN trunks, port aggregation, bandwidth management and routing protocol design.
2) Active Directory Site Validation
SKV Consulting will validate the Active Directory site infrastructure and run different Microsoft tools to examine
Active Directory replication health. SKV Consulting will validate the site design and report the information to TLC
Corp.
3) Remote Access
SKV Consulting is spread across Australia and requires consultants to have remote access to the data center
servers. Consultants will require RDP access and the necessary user accounts with appropriate privileges to run
the tools and report the data.
Solution Overview
Introduction:
The existing TLC data center is hosted in Sydney and managed by in-house staff. TLC has 2 offices
(Sydney and Melbourne); each site is hosted in its own datacenter, and the sites are connected by high
speed networks.
TLC users access a financial application hosted on mission critical servers connected by
high speed networks. Users access resources across sites, including shared folders, backup,
print services, etc. The front end application connects to a back end database and requires a fast network
to support real time data reads and writes.
In this proposal, SKV Corp will perform an initial assessment of both the network and the Microsoft Active
Directory infrastructure, and SKV technology consultants will run different health tools and
baseline metrics to validate the environment.
TLC uses a local ISP for internet connectivity over a 4 MBPS link. The TLC sites are connected with a Site-to-Site VPN. Each datacenter is a replica and has the infrastructure below.
Description
Network Resiliency and Security
Network Routing
Management Interface
Server virtualization

Physical Servers          VLAN                     Description
Microsoft SQL Server      VLAN 1                   SQL server installed on HP Pro Server
FICO Server               VLAN 1                   Financial Application running on the server
UNIX Server               VLAN 1                   Hosted on HP Pro Server
Hyper-v Server            Hosts Virtual Networks   Virtualization tier
Symantec Backup Server    VLAN 1                   Backup server

Microsoft Infrastructure Components    VLAN    Description
Primary Domain Controller
Additional Domain Controller
VLANs listed for the Microsoft infrastructure: VLAN 1, VLAN 1, VLAN 1, VLAN 2, VLAN 2

DNS Namespace    Description
Local            TLC.LOCAL
Global           TLC.com
Solution Diagram:
(Diagram not reproduced in this text version. Labels recoverable from it: Domain Controllers FRD1.TLC.LOCAL and FRD2.TLC.LOCAL on VLAN2; global namespace hosted by ISP; ISP links with a Router 3750x and 3560 switches at each site and a 10 MBPS WAN connection between the sites; VLAN1-Prod and VLAN2-Prod; Fabric Interconnect 1 and Fabric Interconnect 2 with Fabric Extenders and ports to the UCS Blade Production Environment; HYPER-V Production Environment on UCS Blades hosting SharePoint, SCOM, SCCM, DC, ADC and Exchange; SQL Server, Hyper-V, UNIX and Symantec servers; Hybrid Cloud.)
Each data center consists of 5 physical servers configured on HP Pro Servers. TLC Corp uses
Microsoft Hyper-v as its virtualization stack, hosted on the Windows Server 2008 R2 Enterprise
operating system. There are two VLANs configured to host different application servers, with a DMZ
network configured with Microsoft ForeFront and Blue Coat servers respectively. The second data
center acts as the High Availability and DR site with an exact replica of the servers configured.
Users are located within Sydney, and TLC Corp will be expanding its infrastructure base to Tokyo
this year. The primary Sydney site hosts the Microsoft FSMO roles, with Microsoft Exchange 2010 Server and
Microsoft System Center Operations Manager 2008 R2 supporting the entire infrastructure for
critical alerts and monitoring.
The Microsoft Hyper-v server hosts virtual servers which communicate with VLAN 1 and VLAN 2 and
with the client network, which is out of scope for SKV Consulting to monitor. In addition, a Physical to
Virtual migration is proposed by the customer with a view to virtualizing the entire data center by the
end of this year.
Scope of Work
Following are the requirements gathered after the infrastructure analysis and discussion with the
architectural group.
SKV Tasks:
Detailed network analysis, covering both Layer 2 and Layer 3, will be performed by SKV
consultants.
Automated solutions will be proposed based on the assessment.
Execute different tools and document the analysis.
Suggest architectural changes to the network and Microsoft Active Directory sites.
Assumptions:
1. Data center hosting is performed by TLC employees
2. Configuration of CISCO switches, including VLAN configuration, is performed by TLC
3. Internet Protocol addresses are provided to SKV consultants by TLC
4. Firewall exception rules are implemented by TLC
5. Server maintenance is performed by TLC, which includes server patch management
6. Storage provisioning is performed by TLC, which includes provision of LUNs and configuration
of iSCSI on Windows Servers
7. Communication between VLANs is provisioned by TLC
8. DR procedures are managed by a 3rd party vendor
9. The private namespace is hosted by TLC
10. Privileges to log on to DNS servers / Domain Controllers are provisioned by TLC, which
includes Group Policy creation and service account provisioning
11. The network diagram is provided by TLC Corp
12. Access to network devices, including Layer 2 and Layer 3, is provisioned by TLC
13. Access to execute commands on network devices is provisioned by TLC
14. Access to all the required subnets is provisioned by TLC
15. Access to the second data center is provisioned by TLC
16. The Active Directory infrastructure diagram is provided by TLC
17. Access to execute commands on Domain Controllers is provided by TLC
18. Access to Active Directory Sites and Subnets is provisioned by TLC
19. Access to DNS is provisioned by TLC
20. This document will not provide detailed step-by-step visual information about the configuration of
DNS servers or Domain Controllers for TLC
21. This document will not cover step-by-step information about installing and configuring Domain
Controllers
22. This document will provide best practices to validate the existing network infrastructure and
Active Directory site implementation
Network Assessment:
SKV will perform the following network assessment for TLC Corp:
Monitor the access layer for network connectivity. Monitor voice convergence and wireless
connectivity and verify the logs. Review and validate default gateway redundancy using dual
connections from the switches.
Validate the convergence and verify that only the required access is provisioned for wireless
devices. Validate DHCP security (DHCP snooping), followed by ARP inspection.
Test Virtual Router Redundancy Protocol (VRRP) and First Hop Redundancy Protocol (FHRP) for
successful failover and redundancy. Validation of the HSRP election process is the key point in
monitoring; to validate HSRP, the SKV consultant should perform a VM Live Migration.
Report on the layer 2 extensions: VPLS, FabricPath and TRILL.
Validate the trunk configuration by ensuring 802.1Q trunks are used, the DTP mode is set to
desirable and the trunk encapsulation is set.
Disable trunking on host ports and set the native VLAN to an unused VLAN.
Validate Dynamic Trunking Protocol (DTP): check for permanent trunk mode, validate the ports that are
configured as desirable, and verify whether ISL encapsulation is in use on the trunk link.
The above tests validate the 3 major layers (access, distribution and core). Further
monitoring activities will be performed based on the client's request.
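The trunk and host-port checks above can be run mechanically against a saved running-config. The following Python script is an added example, not SKV's tooling or part of the original proposal; the switch configuration it audits is constructed, and the interface names and descriptions are illustrative. It flags trunks whose encapsulation is not pinned to 802.1Q, trunks still on native VLAN 1, and host ports that are not hard-set to access mode with DTP disabled.

```python
"""Audit a Cisco IOS-style running-config for the trunk and host-port checks
in the Network Assessment: 802.1Q encapsulation, native VLAN, DTP on host ports.
Added example with a constructed configuration; not SKV's or TLC's own tooling."""
import re

# Constructed sample switch configuration (not taken from TLC's devices).
SAMPLE_CONFIG = """\
hostname SYD-3560-01
!
interface GigabitEthernet0/1
 description Uplink to 3750X
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description Uplink to Fabric Interconnect 1
 switchport trunk encapsulation isl
 switchport mode trunk
!
interface GigabitEthernet0/3
 description SQL Server
 switchport access vlan 1
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet0/4
 description FICO Server
 switchport access vlan 1
 switchport mode dynamic desirable
!
interface GigabitEthernet0/5
 description Symantec Backup Server
 switchport access vlan 1
!
"""


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} for every interface block."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command closes the block
    return interfaces


def audit_interface(lines):
    """Return a list of findings for one interface's sub-commands."""
    if not any(cmd.startswith("switchport") for cmd in lines):
        return []  # routed port or SVI: no layer 2 trunk/host checks apply
    findings = []
    mode = None
    native_vlan = 1          # IOS default when no native VLAN is configured
    encapsulation = None     # None: left for the platform to negotiate
    nonegotiate = "switchport nonegotiate" in lines
    for cmd in lines:
        m = re.match(r"switchport mode (\S+)", cmd)
        if m:
            mode = m.group(1)
        m = re.match(r"switchport trunk native vlan (\d+)", cmd)
        if m:
            native_vlan = int(m.group(1))
        m = re.match(r"switchport trunk encapsulation (\S+)", cmd)
        if m:
            encapsulation = m.group(1)

    if mode == "trunk":
        if encapsulation != "dot1q":
            findings.append("trunk encapsulation not pinned to 802.1Q (found: %s)"
                            % (encapsulation or "not configured"))
        if native_vlan == 1:
            findings.append("native VLAN left at 1; move it to an unused VLAN")
    else:
        # Anything that is not an explicit trunk is treated as a host port.
        if mode != "access":
            findings.append("host port not hard-set to access mode (found: %s); "
                            "DTP could negotiate a trunk" % (mode or "default/dynamic"))
        if not nonegotiate:
            findings.append("DTP not disabled ('switchport nonegotiate' missing)")
    return findings


def audit_config(config):
    """Audit every interface; return {interface: [findings]} for those with findings."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        findings = audit_interface(lines)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Feed it the saved output of `show running-config`; only interfaces with findings are reported, which is the list a consultant hands back to the TLC network team, since switch changes remain TLC's responsibility under the assumptions.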
Protocol and Port       AD and AD DS Usage                     Type of traffic
TCP and UDP 389                                                LDAP
TCP 636                                                        LDAP SSL
TCP 3268                                                       LDAP GC
TCP 3269                                                       LDAP GC SSL
TCP and UDP 88                                                 Kerberos
TCP and UDP 53                                                 DNS
TCP and UDP 445                                                SMB
TCP 25                  Replication                            SMTP
TCP 135                 Replication                            RPC, EPM
TCP Dynamic                                                    RPC, DCOM, EPM
TCP 5722                File Replication                       RPC, DFSR
UDP 123                 Windows Time                           Windows Time
TCP and UDP 464                                                Kerberos change/set password
UDP Dynamic             Group Policy                           RPC, DCOM, EPM
UDP 138                                                        NetBIOS Datagram Service
TCP 9389                AD DS Web Services                     SOAP
UDP 67 and UDP 2535     DHCP (Note: DHCP is not a core AD DS   DHCP, MADCAP
                        service but it is often present in
                        many AD DS deployments.)
UDP 137                                                        NetBIOS Name Resolution
TCP 139                                                        NetBIOS Session Service
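Assumption 4 leaves firewall exceptions to TLC, so the consultants still need to confirm that the ports in the table are actually permitted between the Domain Controllers of the two sites. The Python check below is an added example, not part of the original proposal: the rule set, subnets and host addresses are constructed, and the dynamic RPC range is taken as the Windows Server 2008 R2 default of 49152-65535 (the OS version the proposal names for TLC's servers).

```python
"""Check a top-down firewall rule set between two AD sites against the AD DS
port requirements from the table. Added example with constructed rules,
subnets and hosts; not TLC's firewall policy."""
import ipaddress

# Dynamic RPC range: Windows Server 2008 R2 default (assumed to apply to TLC).
DYNAMIC_RPC = (49152, 65535)

# (protocol, first port, last port, description), taken from the port table.
# SMTP (TCP 25) is left out because item 12 expects RPC over IP between sites;
# the UDP dynamic, UDP 137 and TCP 139 rows are omitted to keep the list short.
AD_REQUIREMENTS = [
    ("tcp", 389, 389, "LDAP"),
    ("udp", 389, 389, "LDAP"),
    ("tcp", 636, 636, "LDAP SSL"),
    ("tcp", 3268, 3268, "LDAP GC"),
    ("tcp", 3269, 3269, "LDAP GC SSL"),
    ("tcp", 88, 88, "Kerberos"),
    ("udp", 88, 88, "Kerberos"),
    ("tcp", 53, 53, "DNS"),
    ("udp", 53, 53, "DNS"),
    ("tcp", 445, 445, "SMB"),
    ("tcp", 135, 135, "RPC endpoint mapper"),
    ("tcp", DYNAMIC_RPC[0], DYNAMIC_RPC[1], "RPC dynamic (replication)"),
    ("tcp", 5722, 5722, "DFSR file replication"),
    ("udp", 123, 123, "Windows Time"),
    ("tcp", 464, 464, "Kerberos change/set password"),
    ("udp", 464, 464, "Kerberos change/set password"),
    ("udp", 138, 138, "NetBIOS datagram (Group Policy)"),
    ("tcp", 9389, 9389, "AD DS Web Services"),
]

# Constructed rule set, evaluated top-down with an explicit deny-all at the end:
# (action, protocol, source network, destination network, first port, last port).
# 10.1.0.0/24 and 10.2.0.0/24 stand in for the Sydney and Melbourne DC subnets.
SAMPLE_RULES = [
    ("permit", "tcp", "10.1.0.0/24", "10.2.0.0/24", 389, 389),
    ("permit", "udp", "10.1.0.0/24", "10.2.0.0/24", 389, 389),
    ("permit", "tcp", "10.1.0.0/24", "10.2.0.0/24", 636, 636),
    ("permit", "tcp", "10.1.0.0/24", "10.2.0.0/24", 3268, 3269),
    ("permit", "tcp", "10.1.0.0/24", "10.2.0.0/24", 88, 88),
    ("permit", "udp", "10.1.0.0/24", "10.2.0.0/24", 88, 88),
    ("permit", "tcp", "10.1.0.0/24", "10.2.0.0/24", 53, 53),
    ("permit", "udp", "10.1.0.0/24", "10.2.0.0/24", 53, 53),
    ("permit", "tcp", "10.1.0.0/24", "10.2.0.0/24", 445, 445),
    ("permit", "tcp", "10.1.0.0/24", "10.2.0.0/24", 135, 135),
    ("permit", "tcp", "10.1.0.0/24", "10.2.0.0/24", 49152, 65535),
    ("permit", "udp", "10.1.0.0/24", "10.2.0.0/24", 123, 123),
    ("permit", "tcp", "10.1.0.0/24", "10.2.0.0/24", 9389, 9389),
    ("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", 0, 65535),
]


def first_match(rules, proto, src, dst, port):
    """Return the action of the first rule matching the flow, or 'deny' if none."""
    for action, rproto, rsrc, rdst, lo, hi in rules:
        if rproto not in (proto, "ip"):
            continue
        if src not in ipaddress.ip_network(rsrc) or dst not in ipaddress.ip_network(rdst):
            continue
        if not lo <= port <= hi:
            continue
        return action
    return "deny"  # implicit deny when no rule matches


def is_permitted(rules, proto, src_host, dst_host, port):
    """True if traffic from src_host to dst_host on proto/port is permitted."""
    src = ipaddress.ip_address(src_host)
    dst = ipaddress.ip_address(dst_host)
    return first_match(rules, proto, src, dst, port) == "permit"


def check_requirements(rules, src_host, dst_host, requirements=AD_REQUIREMENTS):
    """Return the (protocol, port, description) requirements the rules do not permit."""
    blocked = []
    for proto, lo, hi, desc in requirements:
        # Probe both ends of a range; a single port is probed once.
        for port in sorted({lo, hi}):
            if not is_permitted(rules, proto, src_host, dst_host, port):
                blocked.append((proto, port, desc))
                break
    return blocked


if __name__ == "__main__":
    for proto, port, desc in check_requirements(SAMPLE_RULES, "10.1.0.10", "10.2.0.10"):
        print("blocked: %s/%d (%s)" % (proto, port, desc))
```

Run it in each direction (Sydney to Melbourne and back), since replication and authentication are initiated from both sites; the output is the list of exceptions to request from TLC before the replication health checks are attempted.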
8) Ensure the Active Directory DNS zones are replicated across the forest; this ensures that clients
can find resource records in either of the domains.
9) Configure DNS reverse lookup zones for the specific IP subnets.
10) Ensure the DNS hosts file on the DNS server is empty.
11) Ensure the recursion timeout is greater than the forwarding timeout.
12) Ensure replication between sites uses RPC over IP.
13) Understand whether the network is fully routed or a hub and spoke configuration. If the
configuration is hub and spoke, a careful understanding of the networked WAN sites is required.
Site link bridges are required only for the sites which have Domain Controllers configured.
Again, careful understanding is required before proposing the installation of Domain Controllers in a
physical site. If there are adjacent sites in different domains, there is no need to create a
site link between the disparate domains.
14) Validate BASL (Bridge All Site Links) against the network. BASL should be enabled /
switched on if the network is routable (Domain Controllers should be able to communicate
with each other). If the Domain Controllers log Event ID 1311, ensure that all the sites
(WAN) / site links are routable, validate the site link bridges and remove any unrouted WAN
links from AD Sites and Services.
15) For any given Active Directory site with a Global Catalog, all the GCs should be used for
replication.
The KCC is responsible for creating inbound connections between domain controllers, which finally forms
the (inter-site) replication topology. Initial nomination of the bridgehead server takes up to 2 hours,
and even in the event of re-nomination (when the customer wants to re-designate the bridgehead server)
the process takes 2 hours or more to assign a BH server. The KCC builds the replication topology with
the help of the CNAME record and determines the inbound and outbound Domain Controllers to create the
inbound connections.
The intra-site topology is built automatically by the KCC; it is a ring topology. Replication between sites is
configured with the help of Site Link objects. While building the replication topology, the KCC contacts
the domain controllers within the site, and each Domain Controller should respond with 0 failed
attempts, that is, when the KCC polls a Domain Controller it should respond immediately. For
replication between sites, the default time is 2 hours.
Note: Ensure all the services (DNS / DHCP) start before the KCC starts its initial replication.
Test Case 1:
SKV consultants will perform a negative test case scenario to verify whether the KCC automatically rebuilds
the topology: shut down the preferred bridgehead server and validate that the KCC automatically elects
a new bridgehead server and rebuilds the topology.
Test Case 2:
Disable inter-site topology calculation on the Domain Controller of a given site and re-enable it after a
given period. This ensures the replication load is managed during off-peak hours and reduces
network traffic. Use the following link http://support.microsoft.com/kb/242780 to disable the inter-site topology.
Test Case 3:
Disable inter-site topology generation and manage the connections manually. This requires administrators to understand
the corporate network topology and designate manual site link connections. This activity also requires
administrators to provide redundant manual connections, which helps the KCC recalculate if a
specific Domain Controller goes down.
Tools: RepAdmin
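Test Case 1 needs an objective way to tell that the KCC really did re-home the inbound connections once the preferred bridgehead was shut down, rather than relying on a visual check in AD Sites and Services. The Python helper below, an added example that is not part of the original document, compares two `repadmin /showrepl * /csv` snapshots taken before and after the shutdown. The snapshots are constructed: FRD1 and FRD2 are the Sydney Domain Controllers from the solution diagram, MEL-DC1 is an assumed Melbourne Domain Controller, the timestamps are made up, and the CSV column names are assumed to match repadmin's /csv header (verify against the version in use).

```python
"""Compare two 'repadmin /showrepl * /csv' snapshots to check whether the KCC
created new inbound connections from another source DC after the preferred
bridgehead was taken down (Test Case 1). Added example with constructed data."""
import csv
import io

# Assumed /csv header layout; check it against the repadmin build in use.
HEADER = ("showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,"
          "Source DSA Site,Source DSA,Transport Type,Number of Failures,"
          "Last Failure Time,Last Success Time,Last Failure Status\n")

# Constructed snapshot before the bridgehead FRD1 is shut down: MEL-DC1
# (assumed Melbourne DC) replicates both partitions inbound from FRD1 only.
BEFORE = HEADER + """\
showrepl_INFO,Melbourne,MEL-DC1,"DC=TLC,DC=LOCAL",Sydney,FRD1,IP,0,0,2019-03-01 02:00:00,0
showrepl_INFO,Melbourne,MEL-DC1,"CN=Configuration,DC=TLC,DC=LOCAL",Sydney,FRD1,IP,0,0,2019-03-01 02:00:00,0
"""

# Constructed snapshot after the shutdown: the FRD1 links now fail with
# Win32 status 1722 (RPC server unavailable) and the KCC has added FRD2.
AFTER = HEADER + """\
showrepl_INFO,Melbourne,MEL-DC1,"DC=TLC,DC=LOCAL",Sydney,FRD1,IP,3,2019-03-01 04:15:00,2019-03-01 02:00:00,1722
showrepl_INFO,Melbourne,MEL-DC1,"CN=Configuration,DC=TLC,DC=LOCAL",Sydney,FRD1,IP,3,2019-03-01 04:15:00,2019-03-01 02:00:00,1722
showrepl_INFO,Melbourne,MEL-DC1,"DC=TLC,DC=LOCAL",Sydney,FRD2,IP,0,0,2019-03-01 05:30:00,0
showrepl_INFO,Melbourne,MEL-DC1,"CN=Configuration,DC=TLC,DC=LOCAL",Sydney,FRD2,IP,0,0,2019-03-01 05:30:00,0
"""


def parse_showrepl(text):
    """Return the showrepl_INFO rows as dicts keyed by column name."""
    reader = csv.DictReader(io.StringIO(text))
    return [row for row in reader if row["showrepl_COLUMNS"] == "showrepl_INFO"]


def inbound_sources(rows, destination):
    """Map each source DSA replicating into `destination` to its worst failure count."""
    sources = {}
    for row in rows:
        if row["Destination DSA"] != destination:
            continue
        src = row["Source DSA"]
        failures = int(row["Number of Failures"])
        sources[src] = max(sources.get(src, 0), failures)
    return sources


def failures(rows):
    """List (destination, source, naming context, status) for failing links."""
    return [(r["Destination DSA"], r["Source DSA"], r["Naming Context"], r["Last Failure Status"])
            for r in rows if int(r["Number of Failures"]) > 0]


def verify_bridgehead_failover(before_csv, after_csv, destination, old_bridgehead):
    """Report whether the KCC added healthy inbound sources after the old bridgehead failed."""
    before = inbound_sources(parse_showrepl(before_csv), destination)
    after = inbound_sources(parse_showrepl(after_csv), destination)
    new_sources = sorted(s for s in after if s not in before and after[s] == 0)
    return {
        "old_bridgehead_failing": after.get(old_bridgehead, 0) > 0,
        "new_healthy_sources": new_sources,
        "topology_rebuilt": bool(new_sources),
    }


if __name__ == "__main__":
    print(verify_bridgehead_failover(BEFORE, AFTER, "MEL-DC1", "FRD1"))
    for item in failures(parse_showrepl(AFTER)):
        print("failing link:", item)
```

Take the "after" snapshot only once the KCC has had its interval to run (the text above allows up to 2 hours for bridgehead nomination); a snapshot taken immediately after the shutdown will show the old links failing but no replacement yet, and the helper reports that honestly as topology_rebuilt False.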
Conclusion: This document explains monitoring guidelines for the network and Active Directory site
structure. It explains different monitoring measures for Layer 2, Layer 3 and general
networking for CISCO devices and explains different monitoring metrics for the Active Directory site
implementation.