This presentation discusses the problems faced with managing a branch office infrastructure. It looks at current technologies for resolving these issues and gives a quick introduction of what to expect in the near future with Windows 7 and Windows Server 2008 R2.
Branch Office Infrastructure
1. CINFINITY
Branch Office Infrastructure
Identifying and Resolving The Real Problems
Aidan Finn
MCSE, MVP
Systems and Infrastructure Manager
afinn@cinfinity.ie
http://www.cinfinity.ie
2. ABOUT ME
• Working in IT since 1996: consulting,
contracting and administration
• Worked in large infrastructures, e.g.
government, finance and transport
• MCSE, MVP and leader of Windows User
Group
• Systems and Infrastructure Manager at C
Infinity
3. ABOUT C INFINITY
• In operation for 2 years
• Provides professional outsourcing services
• Data security services:
– Secure online backup
– Laptop and USB device encryption
• Managed server hosting:
– Using the best data centre in Ireland (Data
Electronics)
– Enterprise class equipment and support
– Enterprise class management and services
4. AGENDA
• Why is branch office infrastructure difficult
and expensive?
• Identifying the real enemies
• Resolving the issues using current
technologies
• What is possible with Windows 7 Enterprise
and Windows Server 2008 R2?
• The SOHO
5. SOME QUICK QUESTIONS
• How many CDs for Windows Server 2003 R2?
a) 1
b) 2
c) 3
d) 4
• What are some of the features added in
Windows Server 2003 R2?
6. BEFORE YOU ATTACK A PROBLEM
Sun Tzu, The Art Of War:
“If you know your enemy and know yourself, you
need not fear the result of a hundred battles.
If you know yourself but not the enemy, for every
victory gained you will also suffer a defeat.”
7. BOI DIFFICULTIES
• Servers in every office
• Sharing information is slow
• Security is not sufficient
• Administrator time is wasted
• IT is seen as a non-contributing cost centre
that delays business
• Politics
8. BOI AMBITIONS
• Reduce server numbers and complexity
• Use server skills in central offices
• Provide collaboration systems that work
• Increase security
• Change the business view of IT
• Politics: I’ll come to that later
9. ENEMY #1
Q) Users in a branch office complain about slow
cross-WAN application performance. What do you do?
A) We throw more bandwidth at it.
WRONG!
12. LATENCY VS BANDWIDTH
• Adding bandwidth:
– Does not change the laws of physics. A packet still
takes the same time to travel between A and B
– Only allows more people to have the same bad
performance.
• Removing latency:
– Bypasses the effect of physics on interactive
applications.
– Doesn’t reduce bandwidth requirements.
13. NEXT GENERATION TCP
• Introduced with Windows Vista and Windows
Server 2008
– Compound TCP: congestion control that opens the send
window faster on high-bandwidth, high-latency links
– Receive Window Auto-Tuning: grows the receive window
beyond the old 64 KB limit so more data is in flight
per round trip
– GPO Controlled QoS: Manage bandwidth usage
– SMBv2: fewer round trips per file operation
– Explorer metadata cached
• Continues with Windows 7 and Windows Server
2008 R2
• Updated independent study by the Tolly Group
with lots of metric comparisons:
http://tinyurl.com/ddrqdx
• See chapter in Mastering Windows Server 2008:
Essential Technologies
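The two slides above make one argument: a single TCP connection is capped by window size divided by round-trip time, so a faster link does nothing for a latency-bound user, and the Vista/2008 stack helps by enlarging the window. The PowerShell below is an added example, not code from the deck or from Microsoft: it computes that cap for some illustrative link speeds and RTTs, then reads the host's TCP global settings with `netsh interface tcp show global` to confirm that Receive Window Auto-Tuning and Compound TCP are actually on. It assumes a 16-bit (65,535 byte) window when window scaling is off and the 16 MB auto-tuning ceiling of Vista and later; the link speeds and RTTs are made-up values.

```powershell
# Added example, not from the original deck. Shows why more bandwidth cannot fix a
# latency-bound connection, and checks whether the Next Generation TCP features
# the slides rely on are enabled on this host.
# Assumptions: without TCP window scaling the advertised window is a 16-bit field
# (65,535 bytes max); Receive Window Auto-Tuning on Vista/2008 and later can grow
# the window to 16 MB. The link speeds and RTTs below are illustrative values.

function Get-WindowLimitedThroughputMbps {
    # Upper bound on one TCP connection: window_bytes * 8 / RTT. The raw link
    # speed does not appear in the formula, which is the whole point of slide 12.
    param(
        [Parameter(Mandatory=$true)][double]$RttMilliseconds,
        [int]$WindowBytes = 65535
    )
    $bitsPerSecond = ($WindowBytes * 8) / ($RttMilliseconds / 1000)
    return [math]::Round($bitsPerSecond / 1000000, 2)
}

function Show-LatencyVsBandwidth {
    # Effective throughput is min(link speed, window-limited throughput).
    param(
        [double[]]$LinkMbps = @(2, 10, 100),
        [double[]]$RttMilliseconds = @(5, 50, 100, 250)
    )
    foreach ($rtt in $RttMilliseconds) {
        foreach ($link in $LinkMbps) {
            $unscaled = Get-WindowLimitedThroughputMbps -RttMilliseconds $rtt                    # 64 KB window
            $tuned    = Get-WindowLimitedThroughputMbps -RttMilliseconds $rtt -WindowBytes 1MB   # auto-tuned window
            New-Object PSObject -Property @{
                RttMs            = $rtt
                LinkMbps         = $link
                Unscaled64KBMbps = [math]::Min($link, $unscaled)
                AutoTuned1MBMbps = [math]::Min($link, $tuned)
            }
        }
    }
}

Show-LatencyVsBandwidth | Format-Table RttMs, LinkMbps, Unscaled64KBMbps, AutoTuned1MBMbps -AutoSize
# At 100 ms RTT a 64 KB window caps a single transfer at about 5.2 Mbit/s whether
# the link is 10 or 100 Mbit/s; upgrading the link changes nothing for that user.

function Test-NextGenTcp {
    # Reads the global TCP settings on Vista/2008 and later. Returns $null elsewhere.
    if (-not (Get-Command netsh.exe -ErrorAction SilentlyContinue)) {
        Write-Warning 'netsh.exe not found; run this on a Windows host.'
        return $null
    }
    $text = (& netsh.exe interface tcp show global 2>&1) | Out-String
    $level = 'unknown'; $provider = 'unknown'
    if ($text -match 'Receive Window Auto-Tuning Level\s*:\s*(\S+)')   { $level    = $Matches[1] }
    if ($text -match 'Add-On Congestion Control Provider\s*:\s*(\S+)') { $provider = $Matches[1] }
    New-Object PSObject -Property @{
        AutoTuningLevel    = $level
        CongestionProvider = $provider
        Ok                 = ($level -eq 'normal' -and $provider -eq 'ctcp')
    }
}

Test-NextGenTcp
# To enable both (elevated prompt):
#   netsh interface tcp set global autotuninglevel=normal congestionprovider=ctcp
```

The table is where the slide's "more people with the same bad performance" line comes from: at 100 ms the 64 KB column is identical for the 10 and 100 Mbit/s links. The `Ok` flag is a quick fleet check; Windows Server 2008 ships with CTCP on, Vista and Windows 7 clients do not, so the branch PCs are the ones to look at.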
14. LATENCY STILL LIMITS US
• Next Generation TCP and SMBv2 improve things
• 100% server centralisation still not possible
• Hardware solutions:
– Riverbed Steelhead
– Citrix WanScaler
• Block level optimisation of TCP traffic
• Expensive
• Scalable
• They work: e.g. UK Royal Navy command system
16. COMPLEXITY
• There are servers in every office. Costs:
– Administrative
– Licensing
– Hardware
– Networking
– Power
– Maintenance
• Backups are not easy – are they being done?
• Applications of all kinds
• Licensing is a nightmare
• Uncontrolled and unaudited security
17. SERVER CONSOLIDATION
Use fewer physical servers:
• Does not mean install more applications on one
installation
• Use x64 and more RAM for greater loads, e.g.
Exchange 2007 and IIS7
• Use virtualisation, e.g. Hyper-V, to deploy fewer
physical machines
• Control VM mushrooming using VMM 2008
• Reduced power, hardware, maintenance, racking
costs
18. SERVER CENTRALISATION
Have fewer servers in the Branch Office:
• Deploy servers in HQ and regional head
quarters
• Place servers near expertise
• Reduce the risk of physical attack
• More reliable backup and recovery
• Reduced DR site costs and complexity
• Easier for users to share data
19. CENTRALISATION IS NOT FOR ALL
• Not always possible
• Regulators
• Data Protection
• Local law enforcement, e.g. Italy
20. BRANCH OFFICE SERVERS
• Branch office virtualisation
• Manage using System Center
– Ops Mgr for health and performance
– DPM for centralised backup
– ConfigMgr for configuration, patching and audit
– VMM for virtualisation
• Lack of physical security: Read Only Domain
Controllers (one-way replication; cache only the
secrets their Password Replication Policy allows) /
BitLocker*
• Look at branch office blade servers, e.g. IBM
Blade Centre S* or HP C7000
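The RODC recommendation is only as good as the Password Replication Policy on each branch RODC, because that policy decides whose secrets end up on the box that can be carried out of the office. The script below is an added example, not code from the deck: it lists every account whose secret is currently cached on each RODC and flags those that belong to a privileged group. It requires the Active Directory module from Windows Server 2008 R2 / RSAT and read rights on the PRP; the group names are the built-in ones and the RODCs are discovered from the domain.

```powershell
# Added example, not from the original deck. Audits the Password Replication Policy
# of the branch RODCs: which accounts currently have secrets cached on each RODC,
# and whether any of those accounts are privileged. An RODC only caches the
# secrets its Allowed list permits, and the default Denied group already
# excludes the privileged groups, but both lists can be edited, so check.
# Requires the Active Directory module (Windows Server 2008 R2 / RSAT) and
# read access to the PRP. Group names are the built-in ones; RODC names are
# discovered from the domain.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Server Operators',
                    'Backup Operators'

function Get-PrivilegedSamNames {
    # Hashtable SamAccountName -> first privileged group it was found in.
    $names = @{}
    foreach ($group in $privilegedGroups) {
        # Enterprise/Schema Admins only exist in the forest root; ignore lookups that fail.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            if (-not $names.ContainsKey($m.SamAccountName)) { $names[$m.SamAccountName] = $group }
        }
    }
    return $names
}

function Get-RodcCacheAudit {
    # One row per account whose secret is cached on an RODC.
    param($Rodc)  # ADDomainController objects or host names; default: every RODC in the domain
    if (-not $Rodc) { $Rodc = @(Get-ADDomainController -Filter { IsReadOnly -eq $true }) }
    $privileged = Get-PrivilegedSamNames
    foreach ($dc in @($Rodc)) {
        $name = if ($dc.HostName) { $dc.HostName } else { "$dc" }
        $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $dc -RevealedAccounts)
        foreach ($acct in $revealed) {
            $sam = $acct.SamAccountName
            New-Object PSObject -Property @{
                RODC          = $name
                Account       = $sam
                ObjectClass   = $acct.ObjectClass
                Privileged    = $privileged.ContainsKey($sam)
                PrivilegedVia = $privileged[$sam]
            }
        }
    }
}

$audit = @(Get-RodcCacheAudit)
"{0} cached accounts across RODCs, {1} privileged" -f $audit.Count, @($audit | Where-Object { $_.Privileged }).Count
$audit | Where-Object { $_.Privileged } | Format-Table RODC, Account, ObjectClass, PrivilegedVia -AutoSize

# Remediation: deny the group on that RODC. Secrets already cached stay valid until
# the account's password is reset, so reset them as well.
#   Add-ADDomainControllerPasswordReplicationPolicy -Identity <rodc> -DeniedList 'Domain Admins'
# If a branch RODC is stolen, delete its computer account in Active Directory Users and
# Computers and accept the offer to reset the passwords of every account it had cached.
```

Computer accounts show up in the list too, which is expected for the branch's own PCs; what should never appear is a member of the groups above, or an administrator who "just logged on once" at the branch with a Domain Admin account. Pair the audit with the BitLocker point on the same slide: an RODC whose disk is encrypted still leaks nothing the PRP did not already allow.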
21. BRANCH OFFICE BUDGET APPROACH
• DFS Namespace and DFS Replication to
replicate file shares for centralised backup
• WSUS for patching
• Consider the System Center Enterprise CAL (4
for the price of 2) for System Center
22. BRANCH OFFICE VIA OUTSOURCING
• MS Business Productivity Online Suite (BPOS)
– Exchange
– SharePoint
– Microsoft Live Meeting
– Microsoft Communications Server
– Integrate with WAN Active Directory for centralised management
• Managed Server Hosting
– Use existing local expertise for a “pay as you go” approach
– Find one that offers services, not “tin”
• Secure Online Backup
– Don’t rely on the receptionist to change tapes and send them
offsite
– Seek regulatory compliance and scalability (storage and recovery)
23. COLLABORATION
• Data is scattered all over the WAN
• Access control is complicated
• Backup is a nightmare
• Users can’t find data
• Email becomes the real sharing tool
– Slow
– Many versions
– Information is lost
• Business becomes inefficient
24. CENTRALISE DATA
• Centralised servers and optimal TCP enable
this
• Use fewer, but higher spec SQL servers
• Use fewer file servers
• Centralise application servers
• Consider SaaS and Cloud Computing:
– The future is now!
– Remove the need for unwanted servers on your network
• Use SharePoint
25. SHAREPOINT
• Use centralised and/or regional SharePoint
farms
• Scalable collaboration solution
• Document control, workflow, basic
applications, surveys, blogs, RSS, wiki,
Exchange integration, shared contacts, digital
form libraries, etc
• Browser based and WAN friendly
26. ACCESSING CENTRALISED DATA
• WAN latency solutions
• Use web based architectures
• This presents an opportunity to simplify
complexity at the desktop
• Replace the PC with the terminal
27. TERMINAL SERVICES
• All applications and data in fewer data centres
• RDP client, web interface, application
publishing, secure remote access (better than
VPN)
• Printing: Easy Print
• Consider Citrix or similar for extended features
• In some ways TS is simpler, some it’s more
complex
28. TERMINAL SERVICES COMPLEXITY
• Terminal Services relies on compatible
applications – See App-V (requires SA)
• A simple helpdesk fix can require change control
• Change can become slow
• Much different client experience for users
• Might be useful for some, but not all
29. VIRTUAL DESKTOP INFRASTRUCTURE
• VDI
• Run desktop OS in a virtual machine in the data
centre
• User client connects to desktop via broker
• Dedicated or pooled VM’s
• Requires VECD licensing from MS
• Currently VMware, Provision Networks and Citrix
• Same boundaries as desktop OS
• Consumes more resources than Terminal Services
30. PC’S
• Make use of what you have: Active Directory –
OU’s, Group Policy and delegation
• Have you deployed Terminal Services or VDI?
• Manage PC’s using Configuration Manager 2007:
complete management
• Otherwise use free WSUS and WDS
• Look at free solutions, e.g. PSTools and Microsoft
Baseline Security Analyzer (MBSA)
• Software Assurance Microsoft Desktop
Optimization Pack (MDOP)
31. SECURITY
• All IT security starts at the front door
– Who has the most access in your building?
– Is it easier for me to walk in the door or get past your firewall?
• Centralise as many servers/applications as
possible
– Fewer physical exposures
– Fewer logical exposures
• Employ BitLocker on vulnerable servers
• Keep reliable and encrypted offsite backups
• Use access auditing, e.g. OpsMgr 2007 ACS (Audit
Collection Services)
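"Employ BitLocker on vulnerable servers" has two failure modes a practitioner wants to catch: a data volume left unencrypted because only the OS drive was done, and a server whose recovery password exists only on a printout in the branch. The script below is an added example, not code from the deck: for a list of branch servers it parses `manage-bde -status` over PowerShell remoting (there are no BitLocker cmdlets before Windows Server 2012) and counts the recovery passwords escrowed under each computer account in AD. Escrow only happens when the BitLocker Group Policy setting "Store BitLocker recovery information in Active Directory Domain Services" is enabled. The server names are placeholders.

```powershell
# Added example, not from the original deck. For each branch server: is BitLocker
# protection on for every volume, and has a recovery password been escrowed to
# Active Directory? Escrow only happens when the BitLocker Group Policy setting
# "Store BitLocker recovery information in Active Directory Domain Services" is on,
# so a server encrypted by hand may have no key anywhere but a lost printout.
# Uses manage-bde.exe over PowerShell remoting (no BitLocker cmdlets before 2012)
# and the AD module. The server names are placeholders.

$servers = 'BRANCH01-SRV', 'BRANCH02-SRV'

function Get-BitLockerVolumeStatus {
    # Parses "manage-bde -status", which prints a block per volume, e.g.
    #   Volume C: [OSDisk]
    #   [OS Volume]
    #       ...
    #       Protection Status:    Protection On
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    $text = Invoke-Command -ComputerName $ComputerName -ScriptBlock { manage-bde.exe -status | Out-String }
    $volume = $null
    foreach ($line in ($text -split "`r?`n")) {
        if ($line -match '^Volume\s+([A-Za-z]:)') { $volume = $Matches[1]; continue }
        if ($volume -and $line -match 'Protection Status:\s*(.+?)\s*$') {
            New-Object PSObject -Property @{
                Computer     = $ComputerName
                Volume       = $volume
                ProtectionOn = ($Matches[1] -eq 'Protection On')
            }
            $volume = $null
        }
    }
}

function Get-EscrowedRecoveryPasswords {
    # Recovery passwords are msFVE-RecoveryInformation objects stored directly under
    # the computer account. Only the count and age are read here; the password value
    # itself stays in the directory.
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    Import-Module ActiveDirectory
    $computer = Get-ADComputer -Identity $ComputerName
    $keys = @(Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
              -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' -Properties whenCreated)
    $newest = $keys | Sort-Object whenCreated -Descending | Select-Object -First 1
    $newestWhen = $null
    if ($newest) { $newestWhen = $newest.whenCreated }
    New-Object PSObject -Property @{
        Computer  = $ComputerName
        Escrowed  = $keys.Count
        NewestKey = $newestWhen
    }
}

$volumes = foreach ($s in $servers) { Get-BitLockerVolumeStatus -ComputerName $s }
$escrow  = foreach ($s in $servers) { Get-EscrowedRecoveryPasswords -ComputerName $s }

"Volumes without BitLocker protection:"
$volumes | Where-Object { -not $_.ProtectionOn } | Format-Table Computer, Volume -AutoSize
"Servers with no recovery password in AD:"
$escrow  | Where-Object { $_.Escrowed -eq 0 }   | Format-Table Computer -AutoSize

# Remediation on the server (elevated):
#   manage-bde -protectors -add C: -RecoveryPassword   # add a numerical recovery password
#   manage-bde -protectors -get C:                     # shows that protector's ID
#   manage-bde -protectors -adbackup C: -id {ID}       # push it to AD (Windows 7 / 2008 R2)
```

A server that reports "Protection On" but has zero escrowed passwords is the one that will cost a site visit the first time a firmware update or a replaced motherboard trips TPM validation. Run the escrow query with an account that can see the `msFVE-RecoveryInformation` objects; it deliberately does not request the `msFVE-RecoveryPassword` attribute, so the secret never lands in a console transcript.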
32. DIRECTORS AND ADMINISTRATORS
They always want security exemptions:
• Have the most access to sensitive data
• Should have the greatest security
• Get exceptions for directors in writing from
directors
– Cover your a**
– Make them think twice about the importance of this
• Play hardball with political branches, e.g.
Firewall and separate forest.
33. ACTIVE DIRECTORY DESIGN
• A domain is not a security boundary, the forest
is: contrary to Windows 2000 AD training.
• If you cannot trust someone, put them in a
different forest.
34. LAPTOPS
• Sometimes feels like no one has heard about
device encryption and Data Protection
– Software Assurance: BitLocker
– 3rd Party: SafeBoot, Iron Mountain DataDefense
• Road Warriors: look at secure online data
backup, e.g. Iron Mountain Connected
35. ADMINISTRATORS
• Too many people doing the same job
– Look at AD design and delegation model
• The wrong people doing the wrong job
– Juniors managing servers or domain controllers
• Centralisation
– Allows the right people to manage servers
– Refocus branch staff towards local services
• Employ Optimised Infrastructure
36. USE WHAT YOU HAVE
You already have them so use them:
• Active Directory – OU’s, Group Policy and
delegation
• Folder redirection and offline files
• On the file servers: Turn on Volume Shadow
Copies (Previous Versions) and educate power users;
it restores deleted or overwritten files, it is not
a backup
• WSUS: patch deployment
• WDS: OS deployment
• Free stuff: MDT, BDD, WAIK
37. PRINTERS
• I hate printers and I think I’m not alone
• Too many helpdesk calls
• Standardise your brands and models
– Use vendor’s management software
• Print Management Console:
– Deploy printers via Group Policy
– Centrally monitor via console
38. REMOVE IT FROM THE EQUATION
• Allow users to help themselves
• Self-Service:
– OS deployment using WDS / Configuration Manager 2007
– Software deployment using App-V
– Replace file-restore helpdesk calls with VSS Previous Versions (keep
the real backups)
– Sharing/Collaboration using SharePoint
• Key is to do two types of training:
– Pilot with power users – win them over
– General training and document handover with users – reuse
existing MS materials
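Slide 36 says to turn on Volume Shadow Copies on the file servers and slide 38 counts on them to absorb the "please restore my file" calls. The script below is an added example, not code from the deck: it creates a client-accessible shadow copy of a volume through the `Win32_ShadowCopy` WMI class, schedules the same twice-daily task the Shadow Copies GUI does, and reports how old the newest copy on each volume is, which is the check behind "are they being done?". It uses `Get-WmiObject` (the Windows Server 2008 R2-era cmdlet; `Get-CimInstance` on newer hosts) and `schtasks.exe`; the drive letter is an assumption.

```powershell
# Added example, not from the original deck. Turns on client-accessible shadow copies
# for a file-server volume, schedules them like the Shadow Copies GUI does, and reports
# how old the newest copy on each volume is. Caveat: shadow storage lives on the same
# disk, at most 64 copies are kept per volume and the oldest are discarded as space
# runs out, so this is self-service restore of deleted or overwritten files, not a
# backup. Uses Win32_ShadowCopy via Get-WmiObject (the 2008 R2-era cmdlet;
# Get-CimInstance on newer hosts) and schtasks.exe. The drive letter is an assumption.

function New-ClientShadowCopy {
    # "ClientAccessible" is the persistent context the Previous Versions tab reads.
    # Needs an elevated prompt. Returns the new shadow copy's ID.
    param([string]$Volume = 'D:\')
    $result = ([wmiclass]'Win32_ShadowCopy').Create($Volume, 'ClientAccessible')
    if ($result.ReturnValue -ne 0) {
        throw "Shadow copy of $Volume failed, return code $($result.ReturnValue)"
    }
    return $result.ShadowID
}

function Register-ShadowCopySchedule {
    # Twice-daily task under SYSTEM running the same command the GUI schedules.
    param([string]$DriveLetter = 'D:', [string[]]$Times = @('07:00', '12:00'))
    foreach ($t in $Times) {
        schtasks.exe /Create /F /RU SYSTEM /SC DAILY /ST $t `
            /TN "ShadowCopy $DriveLetter $t" /TR "vssadmin create shadow /for=$DriveLetter"
    }
}

function Get-ShadowCopyAge {
    # One row per volume that has shadow copies: count and age of the newest one.
    param([double]$WarnAfterHours = 24)
    $letters = @{}
    foreach ($v in (Get-WmiObject Win32_Volume -Filter 'DriveType=3')) {
        $letters[$v.DeviceID] = $v.DriveLetter   # DeviceID is the \\?\Volume{...}\ form
    }
    foreach ($g in (Get-WmiObject Win32_ShadowCopy | Group-Object VolumeName)) {
        $times  = $g.Group | ForEach-Object {
            [System.Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate)
        }
        $newest = $times | Sort-Object -Descending | Select-Object -First 1
        $age    = [math]::Round(((Get-Date) - $newest).TotalHours, 1)
        New-Object PSObject -Property @{
            Volume         = $letters[$g.Name]
            Copies         = $g.Count
            NewestAgeHours = $age
            Stale          = ($age -gt $WarnAfterHours)
        }
    }
}

# Usage on the file server (elevated):
New-ClientShadowCopy -Volume 'D:\'
Register-ShadowCopySchedule -DriveLetter 'D:'
Get-ShadowCopyAge | Format-Table Volume, Copies, NewestAgeHours, Stale -AutoSize
# Tune the space reserved per volume (default allocation is made on first use):
#   vssadmin resize shadowstorage /for=D: /on=D: /maxsize=15%
```

The `Stale` flag is the useful part for a fleet: run `Get-ShadowCopyAge` on each branch file server from OpsMgr or a scheduled job and alert when the newest copy is older than the schedule says it should be. A volume with 64 copies that are all a week old is a scheduled task that stopped running, and nobody notices until the first restore request.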
39. OPTIMISED INFRASTRUCTURE
Build automation into the network:
• Configuration Manager: build, deploy
software to, patch and audit PC’s and servers
• Operations Manager: Manage health and
security
This stuff does work, e.g.
• 3 people managing 170+ servers
• 2-3 hours a day of maintenance
40. CHANGE BUSINESS OPINION OF IT
• Reduce costs and complexity with
centralisation and virtualisation
• Increase collaboration by centralising data
• Increase fault tolerance with centralised and
reliable backups
• Increase responsiveness to business with
SharePoint, OS Deployment and App-V
• You’ll see how future technologies add more
41. BEFORE YOU PLAN ANYTHING
• Win management support by working with
them
• Gather business requirements – don’t build
something that needs to be changed
• Consult company lawyers
– Local/International regulatory compliance
– Employment law
• Beware of the unions
– You’d be surprised what will start a walkout!
42. WHAT ARE MICROSOFT DOING?
• Windows Server 2008 R2 – successor to
Windows Server 2008
• Windows 7 – successor to Windows Vista
• Work better together:
– Windows 7 Enterprise (SA Only)/Windows 7 Ultimate and
Windows Server 2008 R2 offer remote computing and WAN
optimisation
– Federated Search
– BranchCache
– RemoteAccess
– Remote Desktop Services
– BitLocker To Go
44. COMPANY POLITICS
• Prepare to challenge “fiefdoms” on your network
• All sense of reason and logic out the window
• Use financial arguments - technology does not
win
– A branch office with unskilled workers once wanted Domain
Admin
– I gave them a solution: firewalled network, their own forest, their
own Internet link and firewalls, their own applications, systems
management, etc
– I won
• Be ready for fighting “vertical battles”
• If I had the solution, I would be ....
47. CINFINITY
The experts in data protection and infrastructure hosting services
Aidan Finn
afinn@cinfinity.ie
http://www.cinfinity.ie
My Blog: http://joeelway.spaces.live.com