SKV PROPOSAL TO TLC FOR ACTIVE DIRECTORY SITE IMPLEMENTATION




Date: Jan 27, 2014
Prepared by: Sainath K.E.V, Microsoft Most Valuable Professional

Introduction:

SKV Consulting is a premier consulting firm providing enterprise solutions for designing Microsoft technologies. SKV follows Microsoft standard frameworks and proven methodologies in designing and implementing infrastructure solutions. SKV has successfully performed enterprise infrastructure transformations, including both desktop transformations and server transformations. SKV has a proven track record of quality and delivery methodologies and provides value to its customers by reducing operations costs and increasing revenue.

1 Summary

TLC is built on a CISCO and Microsoft stack of network devices and servers. There are two physical sites, separated by CISCO routers, with a hybrid infrastructure configured for the server and virtualization stack. Our proposal to TLC covers the following required services:

1) Network Infrastructure validation
SKV Consulting will perform Layer 2 and Layer 3 network analysis. SKV Consulting will follow industry operations frameworks and proven monitoring tools and baselines to provide a detailed report to TLC Corp. SKV will validate VLAN trunks, aggregation, bandwidth management and routing protocol design.

2) Active Directory Site validation
SKV Consulting will validate the Active Directory Site infrastructure and run different Microsoft tools to examine Active Directory replication health. SKV Consulting will validate the site design and report the information to TLC Corp.

3) Remote Access
SKV Consulting is spread across Australia and requires its consultants to have remote access to the Data Center servers. Consultants would require RDP access and the necessary user accounts with appropriate privileges to run the tools and report the data.

2 Solution Overview

Introduction: The existing TLC Data Center is hosted in Sydney and managed by in-house staff. TLC has 2 offices (Sydney and Melbourne); each site is hosted in a specific datacenter and the sites are connected with high speed networks. TLC users access a financial application which is hosted on mission critical servers connected with high speed networks. Users access resources across sites, which include shared folders, backup, print services etc. The front end application connects with the back end database and requires a fast network to support real time data read / write.

In this proposal, SKV Corp will perform an initial assessment of both the network and the Microsoft Active Directory infrastructure, and SKV technology consultants will run different health tools and baseline metrics to validate the environment. TLC is using a local ISP for internet connectivity over a 4 MBPS link. TLC sites are configured with a Site-to-Site VPN connection. Each datacenter is a replica and has the infrastructure below.

TLC Network Infrastructure

  Device                          Description
  Cisco Catalyst 3560 x 2         Network Resiliency and Security
  Cisco 7600 Router x 2           Network Routing
  Cisco Fabric Interconnect x 2   Management Interface
  Cisco UCS Blade x 2             Server virtualization

Physical Servers

  Server                    VLAN                      Description
  Microsoft SQL Server      VLAN 1                    SQL server installed on HP Pro Server
  FICO Server               VLAN 1                    Financial Application running on the server
  UNIX Server               VLAN 1                    Hosted on HP Pro Server
  Hyper-V Server            Hosts Virtual Networks    Virtualization tier
  Symantec Backup Server    VLAN 1                    Backup server

Microsoft Infrastructure

  Component                                        VLAN      Description
  Primary Domain Controller                        VLAN 1    Forest Root Domain
  Additional Domain Controller                     VLAN 1    Secondary Domain Controller with DNS
  Microsoft Exchange Server                        VLAN 1    Microsoft Exchange Server 2010
  Microsoft SharePoint Server 2010                 VLAN 2    Microsoft SharePoint Services
  Microsoft System Center Operations Manager       VLAN 2    Servers Monitoring Enterprise solution
  Microsoft System Center Configuration Manager    VLAN 2    Patch Management and Software Distribution

DNS Namespace

  DNS Namespace    Description    Domain Controllers
  Local            TLC.LOCAL      FRD1.TLC.LOCAL, FRD2.TLC.LOCAL
  Global           TLC.com        Hosted by ISP

Solution Diagram:

[Solution diagram: Sydney Data Center and Melbourne Data Center, each with an ISP link, a 3750x router, two 3560 switches carrying VLAN1-Prod and VLAN2-Prod, Fabric Interconnect 1 and 2 with Fabric Extenders, Hyper-V hosts on UCS blades (Production Environment) running the Hybrid Cloud workloads (DC, ADC, Exchange; SharePoint, SCOM, SCCM), physical SQL Server, Hyper-V, UNIX and Symantec servers, and SAN storage replication between the two sites over a 10 MBPS WAN connection.]

Each Data Center consists of 5 physical servers configured on HP Pro Servers. TLC Corp uses Microsoft Hyper-V as its virtualization stack, hosted on the Windows Server 2008 R2 Enterprise operating system. Two VLANs are configured to host the different application servers, with a DMZ network configured with Microsoft ForeFront and Blue Coat servers respectively. The second data center acts as the High Availability and DR site, with an exact replica of the servers configured. Users are located within Sydney, and TLC Corp will be expanding its infrastructure base to Tokyo this year. The primary Sydney site hosts the Microsoft FSMO roles, the Microsoft Exchange 2010 Server and Microsoft System Center Operations Manager 2008 R2, which supports the entire infrastructure for critical alerts and monitoring. The Microsoft Hyper-V server hosts virtual servers which communicate with VLAN 1 and VLAN 2 and with the client network, which is out of scope for SKV Consulting to monitor. In addition, a Physical to Virtual migration is proposed by the customer, with the view of virtualizing the entire Data Center by the end of this year.

Scope of Work

Following are the requirements gathered after infrastructure analysis and discussion with the Architectural group.

SKV Tasks:
- Detailed network analysis covering both Layer 2 and Layer 3 will be performed by SKV consultants.
- Automated solutions will be proposed based on the assessment.
- Execute different tools and document the analysis.
- Suggest architectural changes to the network and the Microsoft Active Directory Sites.

Phase 1: Start of the Project
SKV Project Managers will be involved in discussion with TLC Corp to identify the activities and timeframes. A detailed project plan will be submitted to TLC.

Phase 2: Network Assessment
SKV consultants will perform a detailed analysis of the Layer 2 and Layer 3 networks, following detailed discussions with TLC network staff to understand their existing infrastructure.

Phase 3: Active Directory Assessment
SKV consultants will perform a detailed analysis of the existing Active Directory Site structure and execute Microsoft tools to record infrastructure details. Discussions will be held with TLC Active Directory staff.

Assumptions:
1. Data center hosting is performed by TLC employees.
2. Configuration of CISCO switches and VLAN configuration is performed by TLC.
3. Internet Protocol addresses are provided to SKV consultants by TLC.
4. Firewall exception rules are performed by TLC.
5. Server maintenance is performed by TLC, which includes server patch management.
6. Storage provisioning is performed by TLC, which includes provision of LUNs and configuration of iSCSI on Windows Servers.
7. Communications between VLANs are provisioned by TLC.
8. DR procedures are managed by a 3rd party vendor.
9. The private namespace is hosted by TLC.
10. Privileges to log on to DNS Servers / Domain Controllers are provisioned by TLC, which includes Group Policy creation and service account provisioning.
11. The network diagram is provided by TLC Corp.
12. Access to network devices, which includes Layer 2 and Layer 3, is provisioned by TLC.
13. Access to execute commands on network devices is provisioned by TLC.
14. Access to all the required subnets is provisioned by TLC.
15. Access to the second data center is provisioned by TLC.
16. The Active Directory infrastructure diagram is provided by TLC.
17. Access to execute commands on Domain Controllers is provided by TLC.
18. Access to Active Directory Sites and Subnets is provisioned by TLC.
19. Access to DNS is provisioned by TLC.
20. This document will not provide detailed step-by-step visual information about the configuration of DNS servers or Domain Controllers for TLC.
21. This document will not cover step-by-step information about installing and configuring Domain Controllers.
22. This document will provide best practices to validate the existing network infrastructure and Active Directory Site implementation.

Network Assessment:

SKV will be performing the following network assessment on the TLC Corp network.

Monitoring Overview
- Monitor the Access Layer for network connectivity.
- Monitor voice convergence and wireless connectivity, and verify the logs.
- Review and validate default gateway redundancy using dual connections from the switches.
- Validate the convergence and verify that only the required access is provisioned for wireless devices.
- Validate DHCP security to ensure no snooping occurs, followed by ARP inspection.
- Test Virtual Router Redundancy Protocol and First Hop Redundancy Protocol (FHRP) for successful failover and redundancy.
- HSRP election process validation is the key in monitoring; in order to validate HSRP, the SKV consultant should perform a VM Live Migration.
- Report on the Layer 2 extensions: VPLS, FabricPath and TRILL.

- Validating the Layer 3 switching environment includes verifying packet manipulation (checksum access).
- The SKV consultant will validate Gigabit density and LAN / WAN convergence.
- Validate trunk configuration by ensuring 802.1Q trunks are used, set DTP mode to desirable, and set the DTP encapsulation mode.
- Disable trunks on host ports and set the native VLAN to an unused VLAN.
- Validate Dynamic Trunking Protocol: check for permanent trunk mode, validate which ports are configured as desirable, and verify ISL encapsulation on the trunk link.

The above tests will validate the 3 major layers (Access, Distribution and Core). Further monitoring activities will be performed based on the client's request.

Active Directory Validation

SKV will perform the tasks below to validate the Active Directory Site infrastructure for TLC.
a) Validate Site objects and report errors to TLC
b) Validate Subnet objects and report errors to TLC
c) Validate Site and Subnet associations and report inconsistencies to TLC
d) Validate and verify DNS site information and report misconfigurations to TLC
e) Validate that logon requests are associated with the proper Active Directory Sites
f) Validate Site replication and report back to TLC
g) Verify clients' DNS IP address associations
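The site, subnet and DNS checks a) to e) and g) above can be scripted. The following is an added example (not SKV's own tooling) that assumes the RSAT ActiveDirectory and DnsClient modules, the TLC.LOCAL domain named in this proposal, and a logged-on account with read access to the Configuration partition.

```powershell
# Added example: validate AD site and subnet objects and the site-scoped DNS
# records for TLC.LOCAL. Assumes RSAT (ActiveDirectory, DnsClient modules).
Import-Module ActiveDirectory

$domain   = 'TLC.LOCAL'   # forest root domain from the proposal
$findings = @()

# a) Site objects: every site should hold at least one domain controller
$sites = Get-ADReplicationSite -Filter *
$dcs   = Get-ADDomainController -Filter *
foreach ($site in $sites) {
    $dcsInSite = $dcs | Where-Object { $_.Site -eq $site.Name }
    if (-not $dcsInSite) {
        $findings += "Site '$($site.Name)' has no domain controller"
    }
}

# b) / c) Subnet objects and their site associations
$subnets = Get-ADReplicationSubnet -Filter *
foreach ($subnet in $subnets) {
    if (-not $subnet.Site) {
        $findings += "Subnet $($subnet.Name) is not associated with any site"
    }
}
foreach ($site in $sites) {
    $assigned = $subnets | Where-Object { $_.Site -eq $site.DistinguishedName }
    if (-not $assigned) {
        $findings += "Site '$($site.Name)' has no subnets; clients in it will pick an arbitrary DC"
    }
}

# d) DNS site information: each site must publish a site-scoped LDAP SRV
#    record under _sites so that clients can locate a local DC
foreach ($site in $sites) {
    $srv = "_ldap._tcp.$($site.Name)._sites.dc._msdcs.$domain"
    $rec = Resolve-DnsName -Name $srv -Type SRV -ErrorAction SilentlyContinue
    if (-not $rec) { $findings += "Missing SRV record $srv" }
}

# e) Logon request association: which site does this client resolve to?
$siteLine   = nltest /dsgetsite 2>$null | Select-Object -First 1
$clientSite = if ($siteLine) { $siteLine.Trim() } else { '' }
if ($sites.Name -notcontains $clientSite) {
    $findings += "Client resolved site '$clientSite', which is not a defined site"
}

# g) Client DNS IP associations: the client's DNS servers should be DCs
$dcAddresses = $dcs.IPv4Address
$dnsServers  = (Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses }).ServerAddresses
foreach ($ip in $dnsServers) {
    if ($dcAddresses -notcontains $ip) {
        $findings += "Client DNS server $ip is not a $domain domain controller"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'Site, subnet and DNS site checks passed' }
```

Run it from a workstation in each physical site so that the nltest and DNS client checks reflect what users in that site actually experience.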

Active Directory Monitoring

1) Ensure static IP addresses are configured on the Domain Controllers, and validate the subnet mask and default gateway configured on the server. Strictly no multi-homed networks on Domain Controllers.

2) Ensure the network ports are opened for the various Active Directory and DNS communications:

  Protocol and port      AD and AD DS usage                                                                 Type of traffic
  TCP and UDP 389        Directory, Replication, User and Computer Authentication, Group Policy, Trusts     LDAP
  TCP 636                Directory, Replication, User and Computer Authentication, Group Policy, Trusts     LDAP SSL
  TCP 3268               Directory, Replication, User and Computer Authentication, Group Policy, Trusts     LDAP GC
  TCP 3269               Directory, Replication, User and Computer Authentication, Group Policy, Trusts     LDAP GC SSL
  TCP and UDP 88         User and Computer Authentication, Forest Level Trusts                              Kerberos
  TCP and UDP 53         User and Computer Authentication, Name Resolution, Trusts                          DNS
  TCP and UDP 445        Replication, User and Computer Authentication, Group Policy, Trusts                SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
  TCP 25                 Replication                                                                        SMTP
  TCP 135                Replication                                                                        RPC, EPM
  TCP Dynamic            Replication, User and Computer Authentication, Group Policy, Trusts                RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
  TCP 5722               File Replication                                                                   RPC, DFSR (SYSVOL)
  UDP 123                Windows Time, Trusts                                                               Windows Time
  TCP and UDP 464        Replication, User and Computer Authentication, Trusts                              Kerberos change/set password
  UDP Dynamic            Group Policy                                                                       DCOM, RPC, EPM
  UDP 138                DFS, Group Policy                                                                  DFSN, NetLogon, NetBIOS Datagram Service
  TCP 9389               AD DS Web Services                                                                 SOAP
  UDP 67 and UDP 2535    DHCP                                                                               DHCP, MADCAP
  UDP 137                User and Computer Authentication                                                   NetLogon, NetBIOS Name Resolution
  TCP 139                User and Computer Authentication, Replication                                      DFSN, NetBIOS Session Service, NetLogon

  Note: DHCP is not a core AD DS service but it is often present in many AD DS deployments.

3) Verify that the disk partition is formatted with NTFS.
4) Verify that the DNS zone TLC.LOCAL and the corresponding folders (_msdcs, _tcp, _udp, _sites) are created and populated with:
   a) Kerberos SRV records pointing to the Domain Controller
   b) LDAP SRV record pointing to the Domain Controller
   c) _kpasswd SRV record pointing to the Domain Controller
5) Ensure dynamic updates are configured on the DNS zone.
6) Enable aging and scavenging on the DNS server.
7) Ensure the forwarding timeout is set to 6 seconds.
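Items 2 and 4 to 7 above can be checked from a domain controller with the script below. It is an added example, not part of the SKV proposal; it assumes the RSAT ActiveDirectory and DnsServer modules, that it runs on a DNS server for the TLC.LOCAL zone, and that Test-NetConnection is available (it can only probe the TCP rows of the port table, not the UDP ones).

```powershell
# Added example: probe the TCP ports from the table against every DC, then
# verify the TLC.LOCAL zone settings (items 4 to 7). Assumes RSAT modules.
Import-Module ActiveDirectory
Import-Module DnsServer

$zone = 'TLC.LOCAL'
# TCP rows of the port table (UDP-only rows such as 123, 137, 138 are not probed)
$tcpPorts = @{
    389  = 'LDAP';        636  = 'LDAP SSL';    3268 = 'LDAP GC'
    3269 = 'LDAP GC SSL'; 88   = 'Kerberos';    53   = 'DNS'
    445  = 'SMB';         135  = 'RPC EPM';     464  = 'Kerberos kpasswd'
    5722 = 'DFSR SYSVOL'; 9389 = 'AD DS Web Services'; 139 = 'NetBIOS Session'
}

$report = @()
foreach ($dc in Get-ADDomainController -Filter *) {
    foreach ($port in $tcpPorts.Keys) {
        $tnc = Test-NetConnection -ComputerName $dc.HostName -Port $port -WarningAction SilentlyContinue
        if (-not $tnc.TcpTestSucceeded) {
            $report += "$($dc.HostName): TCP $port ($($tcpPorts[$port])) not reachable"
        }
    }
}

# Item 4: core SRV records that clients use to find a domain controller
foreach ($name in "_kerberos._tcp.dc._msdcs.$zone",
                  "_ldap._tcp.dc._msdcs.$zone",
                  "_kpasswd._tcp.$zone") {
    $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue
    if (-not $srv) { $report += "SRV record $name not found" }
}

# Item 5: dynamic updates must be enabled on the AD-integrated zone
$z = Get-DnsServerZone -Name $zone
if ($z.DynamicUpdate -eq 'None') {
    $report += "Zone $zone does not accept dynamic updates"
}

# Item 6: aging on the zone and scavenging on the server
$aging = Get-DnsServerZoneAging -Name $zone
if (-not $aging.AgingEnabled) { $report += "Aging is not enabled on $zone" }
$scav = Get-DnsServerScavenging
if (-not $scav.ScavengingState) { $report += 'Scavenging is disabled on this server' }

# Item 7: forwarding timeout should be 6 seconds, and the recursion timeout
# must stay above it. Timeout values are TimeSpans in the cmdlet output on
# the builds we tested; the helper tolerates a plain integer as well (assumption).
function ToSeconds($v) { if ($v -is [timespan]) { $v.TotalSeconds } else { [int]$v } }
$fwdSeconds = ToSeconds (Get-DnsServerForwarder).Timeout
$recSeconds = ToSeconds (Get-DnsServerRecursion).Timeout
if ($fwdSeconds -ne 6) {
    $report += "Forwarding timeout is ${fwdSeconds}s, expected 6s"
}
if ($recSeconds -le $fwdSeconds) {
    $report += "Recursion timeout (${recSeconds}s) is not greater than forwarding timeout (${fwdSeconds}s)"
}

if ($report) { $report | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'Port and DNS zone checks passed' }
```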

8) Ensure the Active Directory DNS zones are replicated across the forest; this ensures that clients can find resource records in either of the domains.
9) Configure DNS reverse lookup zones for the specific IP subnets.
10) Ensure the DNS hosts file on the DNS server is empty.
11) Ensure the recursion timeout is greater than the forwarding timeout.
12) Ensure replication between sites uses RPC over IP.
13) Understand whether the network is fully routed or a hub and spoke configuration. If the configuration is hub and spoke, careful understanding of the networked WAN sites is required. Site link bridges are required only for the sites which have Domain Controllers configured. Again, careful understanding is required before proposing the installation of Domain Controllers in a physical site. If there are adjacent sites in different domains, there is no need to create a site link between disparate domains.
14) Validate BASL (Bridge All Site Links) against the network. BASL should be enabled / switched on if the network is routable (Domain Controllers should be able to communicate with each other). If the Domain Controllers log Event ID 1311, ensure that all the sites (WAN) / site links are routable, validate the site link bridges and remove any unrouted WAN links from Active Directory Sites and Services.
15) For any given Active Directory Site with a Global Catalog, all the GCs should be used for replication.

Validation Tools and Analysis:

Microsoft Active Directory Sites are designed to map the physical infrastructure to the logical infrastructure and assist logon / replication between Active Directory Domain Controllers located across multiple regions. Replication is key in managing data / object consistency across the domains located within sites and across sites (inter-site). Please note that replication within a site is always fast when compared to the replication occurring across the WAN, which uses site link objects.

Knowledge Consistency Checker [KCC] Monitoring:

The KCC is responsible for creating inbound connections between domain controllers, which finally form a replication topology (inter-site). Initial nomination of the Bridgehead server takes up to 2 hours, and even in the event of re-nomination (when the customer wants to re-designate the Bridgehead server), the process takes 2 hours or more to assign a BH server. The KCC builds the replication topology with the help of the CNAME record and determines the inbound and outbound Domain Controllers to create the inbound connections. The intrasite topology is built automatically by the KCC; it is a ring topology. Replication between sites is configured with the help of Site Link objects. While building the replication topology, the KCC contacts the domain controllers within the site, and a Domain Controller should respond with 0 failed attempts, that is, when the KCC polls the Domain Controller it should respond immediately. For replication between sites, the default time is 2 hours.

Domain Controller -> KCC -> Initial replication with intrasite replication partners (5 minutes)

Note: Ensure all the services (DNS / DHCP) start before the KCC starts its initial replication.

Test Case 1: SKV consultants will perform negative test case scenarios to verify that the KCC automatically rebuilds the topology: shut down the preferred Bridgehead server and validate that the KCC automatically elects a Bridgehead server and rebuilds the topology.

Test Case 2: Disable inter-site topology calculation on the Domain Controller of a given site and re-enable it after a given period. This will ensure the replication load is managed during off-peak hours and reduce network traffic. Use the following link to disable the intersite topology: http://support.microsoft.com/kb/242780

Test Case 3: Disable inter-site topology and manage the connections manually. This requires administrators to understand the corporate network topology and designate manual site link connections. This activity also requires administrators to provide redundant manual connections, which helps the KCC to recalculate if a specific Domain Controller goes down.

Tools: RepAdmin
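The BASL check in item 14 above, the ISTG / inter-site topology state that Test Cases 2 and 3 manipulate, and the RepAdmin replication status can be gathered in one pass. This is an added example, not SKV's own tooling; it assumes RSAT (ActiveDirectory module), repadmin.exe, and that it runs on a domain controller with the Directory Service event log. The options bits it reads (0x2 BRIDGES_REQUIRED on the IP transport, 0x10 inter-site auto topology disabled on NTDS Site Settings, as used by KB 242780) are from Microsoft's documented attribute flags.

```powershell
# Added example: BASL state, ISTG / inter-site KCC flags per site, Event 1311
# and repadmin inbound replication status. Assumes RSAT and repadmin.exe.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$findings = @()

# Item 14: BASL is on when bit 0x2 (BRIDGES_REQUIRED) is clear on the IP transport
$ipTransportDN = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"
$ipTransport   = Get-ADObject -Identity $ipTransportDN -Properties options
if (([int]$ipTransport.options) -band 0x2) {
    $findings += 'Bridge All Site Links is disabled; manual site link bridges are required'
}

# KCC: ISTG per site and the inter-site auto topology flag (0x10) on
# NTDS Site Settings, the flag KB 242780 sets for Test Cases 2 and 3
foreach ($site in Get-ADReplicationSite -Filter * -Properties InterSiteTopologyGenerator) {
    $settingsDN = "CN=NTDS Site Settings,$($site.DistinguishedName)"
    $settings   = Get-ADObject -Identity $settingsDN -Properties options
    if (([int]$settings.options) -band 0x10) {
        $findings += "Site $($site.Name): inter-site topology generation is disabled (manual site links in use)"
    }
    if (-not $site.InterSiteTopologyGenerator) {
        $findings += "Site $($site.Name): no ISTG recorded"
    }
}

# Event ID 1311 on this DC signals unroutable site links / bridge problems
$ev = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1311 } `
                   -MaxEvents 5 -ErrorAction SilentlyContinue
if ($ev) { $findings += "Event 1311 logged $($ev.Count) time(s); review site link routability" }

# Replication status: repadmin /showrepl /csv lists every inbound connection
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv
foreach ($row in $rows) {
    if ($row.'Number of Failures' -ne '0') {
        $findings += ("{0} <- {1} [{2}]: {3} failures, last status {4}" -f
            $row.'Destination DSA', $row.'Source DSA', $row.'Naming Context',
            $row.'Number of Failures', $row.'Last Failure Status')
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'BASL, ISTG and replication checks passed' }
```

Run it before and after each test case so that the ISTG flag and the repadmin failure counts can be compared against the pre-test baseline.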

Conclusion: This document explains monitoring guidelines for Network and Active Directory site structure. This document explains different monitoring measures for Layer 2, Layer 3 and general networking for CISCO devices and explains different monitoring metrics for Active Directory site implementation.