  • Absolute network mess - don't know where to start and what's best.

    Hi,

    What a mess is all I can say. I have been at this company for a little while and I have had enough; it needs to be all changed as it's all wrong. Let me explain the current setup.

    We have three offices.
    Each office has 40 users, 120 users in total.

    110 users use a hosted insurance system; what I mean by this is the following:

    The users' emails, Word, Excel and all documentation are on a hosted Citrix environment run by a third-party company. The users simply log in to their machines in the morning, go to a web page, type in the hosted company credentials, log in and get cracking (hope this makes sense; basically, the local machine is used as a dumb terminal).

    10 users are not on this system, they carry out documents internally and have an exchange server.

    Site setup.

    Site A (internal department in this office)
    • 40 users (10 users using local exchange)
    • Cisco router 2mb leased line
    • Sonicwall 2040 pro with enhanced OS. (DHCP SERVER)
    • 40 x XP pro machines.
    • Netgear gig switches.
    • AD in place.
    • Domain name = jameshallam.co.uk.local - DOMAIN01
    • 1 x 2003 standard server carries out the following
      • GC DC
      • Exchange 2003
      • file server
      • application server (internal CRM s/w 10 users)
      • DNS
    • 1 x 2000 standard - DNS
    • 1 x 2003 standard - intranet server running MOSS 2007 (still testing)
    • internal IP range 151.45.1.1/24 (yes, I know, HOW WRONG)

    We do a lot of scan to email, therefore we have many MFPs which use the Exchange server as a relay to send out the scans as emails.

    Site B
    • 40 users
    • Cisco router 2mb leased line
    • Sonicwall 2040 pro with enhanced OS. (DHCP SERVER)
    • 40 x XP pro machines.
    • Netgear gig switches.
    • NO AD, workgroup.
    • NO servers
    • internal IP range 192.168.1.1/24

    Site C
    • 40 users
    • SDSL MAX bonding router.
    • Welltech firewall.
    • 40 x XP pro machines.
    • Netgear gig switches.
    • Domain name = jameshallam.local - JAMESHALLAM
    • 1 x 2003 standard server carries out the following
      • GC DC
      • AD
      • DNS
      • DHCP
    • 1 x 2000 standard - DNS
    • internal IP range 10.1.30.1/24

    VPN's

    Links between offices.

    LAN-to-LAN from Site A to Site B. No link to Site C. Would like to put this in place.

    Query

    First of all, thank you if you have read this far, really appreciated and any input will be incredibly gratefully received.

    Second of all, yes, what a mess.

    Where do I get started? My main concern is, I suppose, ensuring that the users who work with the internal Exchange server don't have any problems once I change the network.

    As you can see, every office is completely different, Site A not only having rubbish fault tolerance but also an incorrect internal IP range. Bad, bad!

    Ideally, we should have two DC's per office, and then if required, dedicated servers for what they will be doing.

    Site A - The IP range needs to be resolved; however, if I change it, it's really going to screw up the Exchange server.

    Ideally, I would like the following,

    1. DC1 - AD , DNS, DHCP
    2. DC2- AD, DNS, DHCP
    3. Exchange
    4. File Server
    5. Application server
    6. IP range 10.1.10.1/24

    Obviously I would need to redo the VPN, change things on the phone system as between site A and B it uses VOIP.

    Regarding the domain names, obviously I have one office being jameshallam.co.uk.local and another being jameshallam.local - what would you do here?

    Site B (have a domain instead of workgroup)
    1. DC1 - AD , DNS, DHCP
    2. DC2- AD, DNS, DHCP
    3. 10.1.20.1/24

    Site C
    1. DC1 - AD , DNS, DHCP
    2. DC2- AD, DNS, DHCP
    3. 10.1.30.1/24

    Additional stuff

    I would like to then implement sites within AD and configure that accordingly, so users can login at either office, using their credentials - not a problem


    Once again, thank you for reading all this, really appreciated, I know I can get an external company to come in and do this, but there is nothing better than seeing peoples real opinions (such as yours) and implementing this yourself, posting the solution and thus, hopefully helping someone else in a similar environment.

    Any suggestions, comments or anything would be really helpful in order to fix this mess and get it standard throughout the group.

  • #2
    Re: Absolute network mess - don't know where to start and what's best.

    Ok, one comment and one suggestion:

    Comment: It's not wrong or bad to use publicly routable ip addresses on your internal network. It may be unusual and unorthodox, but it's not wrong. Most times I hear this it's from people who don't understand RFC1918 and the reason why it was implemented. RFC1918 was not implemented as a security measure to "hide" internal networks, it was implemented to stave off the depletion of the TCP/IP V4 address space. The security aspect it introduced was a strictly unintended benefit. That being said, I do understand your desire to standardize each network.

    Suggestion: I would suggest you build a new domain (starting with the head office) and migrate your users and resources to the new domain. The domain would consist of 3 sites with a DC, GC, and DNS server in each site. The Exchange server should be in the main site. Since the current sites are not part of the same domain you should be able to plan and implement a new domain with very little impact to productivity. The biggest challenge will be in re-addressing each site. Make sure to document the addressing scheme and plan it well beforehand. You can temporarily set up the new domain using a new IP range until you're ready to re-address the current devices and migrate your users to the new domain.


    • #3
      Re: Absolute network mess - don't know where to start and what's best.

      Allright, so I have two comments:

      Comment: It may be a mess now, but persevere and you'll get it under control and to your liking. When you're done you'll have a great sense of accomplishment and satisfaction.

      Also, although you might be tempted to, don't knock the previous IT person who made this mess. We all don't have the same skills and knowledge and it's likely the previous person did the best they could. There's no honor in smack talking your predecessor. You'll get everything fixed in time and you'll be able to go home at the end of the day and be proud of what you see in the mirror.

      OK, that's enough of my soapbox.


      • #4
        Re: Absolute network mess - don't know where to start and what's best.

        Thanks for the soapbox.

        Thankfully, I was brought up as a happy individual who likes everyone and gets on well with pretty much anyone; treat everyone how you would like to be treated.

        As for the previous IT guy, not once have I knocked him down, nor would I; it's not in my nature. There is no complaining or anything in the post in regards to the individual. He is a legend, an excellent guy; his original role was a junior accountant, then he moved to the IT role back in the 90's, and now he has his own business doing something completely different.

        The reason for the mess is quite simple, as a company expands dramatically, it's very hard to keep a tab on everything, as an IT guy and the only IT person, you get pulled in all directions.

        The growth of the business has not been organic but through acquisitions, which means different setups and different styles, simple as that.

        Now that everything is in one roof, the time to make everything uniform is right and hence I would like to carry this out.

        We all have different skill sets and knowledge, there is no one right path of doing things, we all see things differently and implement things in alternative ways, nevertheless, the end result is normally the same.

        Solution

        So you think a completely new domain should be implemented in all sites?

        Regarding Exchange, I would then demote that server to only carry out Exchange; however, the Exchange box would effectively be on a new domain with new internal IPs, so there will be some issues. Will figure it out though.

        The firewall will need flattening down and redoing; will make a backup of the config file just in case.

        In regards to documentation: certainly, incredibly required, without a doubt. I document pretty much everything now and have created network diagrams. I will create some of what I would like it to be and hopefully add it on here; I am sure many people have and will come across a similar scenario.

        Thanks again,

        Gabi


        • #5
          Re: Absolute network mess - don't know where to start and what's best.

          Yes, I think creating a new domain and then migrating users and resources to the new domain is the best way to go in the long run. I would recommend building a new Exchange server at the main site and then migrating the users and mailboxes from the current Exchange site when you're ready to migrate that site. You'll wind up using the ADMT for much of the migration, so download it and start reading the documentation.

          You're probably going to get lots of feedback here regarding your post so check back often and keep us posted on your progress.


          • #6
            Re: Absolute network mess - don't know where to start and what's best.

            Hi there,

            Thanks for the reply,

            The idea is to resolve my issue, but also to help others, therefore I am more than glad to keep things posted; I will document it.

            Erm, just a quick one: you say a new Exchange server, which sounds smashing, no problem at all with that. However, in regards to licensing, is there an issue associated with that? As it would be a waste to buy another license and not use it, I am hoping to install it on a new box using the same license?

            Thanks again for your information and help,

            G.


            • #7
              Re: Absolute network mess - don't know where to start and what's best.

              That's a good question and I don't have the answer. Ultimately you'll decommission the old server, so the idea that you could transfer the server license and user CALs to the new server sounds good in theory, but I don't know if it's in line with Microsoft. I would wait to see what others say and also poke around Microsoft's web site to see if you can find a definitive answer.


              • #8
                Re: Absolute network mess - don't know where to start and what's best.

                Thanks for your honesty. I don't see the problem; however, I can see there being an issue with Microsoft.

                I quite like your avatar

                Looking forward to this project and the other hundreds that I have

                Thanks very much,

                G.


                • #9
                  Re: Absolute network mess - don't know where to start and what's best.

                  Glad to help.


                  • #10
                    Re: Absolute network mess - don't know where to start and what's best.

                    This post has been found very interesting and educational. Well done both.

                    Just a comment regarding VPNs: see if you can install/purchase another SonicWALL Pro 2040 Enhanced. I use these as well for site VPNs and they are superb. Once a VPN is set up, all traffic destined for the sites (subnets) just routes automatically without issues. They also allow you to use the Global VPN Client, so you can VPN to the SonicWALL from outside and then MSTSC in to your network.


                    • #11
                      Re: Absolute network mess - don't know where to start and what's best.

                      Virtual,

                      Thank you for your reply.

                      Unfortunately the company that doesn't have a SonicWALL is an acquisition, and part of the contract was to allow the previous IT company to manage their full VoIP phone system and internet.

                      Just got an email back from them saying that to create a VPN with the SonicWALL Pro it would cost 200 + VAT. Rip off.

                      Anyhow, I have installed the AD package for Visio, so I have captured the current structure in Visio, which is excellent. I will save those and do a before and after.

                      I will create my new design and explain why and what I have done and post it here before implementation.

                      I'm still quite worried regarding the Exchange server; a swift approach seems feasible, as the Exchange domain will stay the same. I think I will rename the actual domain to something completely different. The business structure is somewhat complex and weird; I think I will use the holding business name and start from fresh.

                      Unfortunately I have not been able to find the relevant information regarding the licensing, as to what is required when rebuilding a machine. Will find out and provide feedback soon.

                      Glad this is educational, the whole intention was to receive help and provide help for others.

                      Thanks,

                      Gabi.


                      • #12
                        Re: Absolute network mess - don't know where to start and what's best.

                        Hi there,

                        I have created some images of what I would like to implement.

                        The link below demonstrates the information.

                        http://www.jameshallam.co.uk/networkDesign/

                        The images are quite large; they can be reduced if you like.

                        Please provide any feedback or any suggestions.

                        They will be running a 2003 network.

                        Thanks,

                        Gabi.


                        • #13
                          Re: Absolute network mess - don't know where to start and what's best.

                          The default gateways will presumably be routers that you've not included in the server list? (Based on the fact that their IPs don't match those of the servers you've mentioned.) Good to see you're not planning to route through a DC.

                          How do you intend for users in the remote offices to access Exchange - through OWA? If you intend for them to use Outlook, then depending on the number of users you may find that your WAN link doesn't deliver the necessary bandwidth (also dependent on what sort of WAN link).

                          Gareth Howells

                          BSc (Hons), MBCS, MCP, MCDST, ICCE

                          Any advice is given in good faith and without warranty.

                          Please give reputation points if somebody has helped you.

                          "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

                          "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.


                          • #14
                            Re: Absolute network mess - don't know where to start and what's best.

                            Impressive. I can see that a lot of thought has gone into this. My only question/concern is:

                            Do you have a specific reason for creating child domains instead of having each office as a different site in the same root domain? The reason I ask is that the additional internal AD/DNS infrastructure that is needed/created by your model doesn't seem justified or needed unless you have very specific reasons for it. IMHO, keep it simple. Just because you CAN make something complex doesn't mean you SHOULD.

                            As far as your IP scheme, it looks like you'll be using a /24 subnet mask. IMHO, I would use a /16 subnet mask for these reasons:

                            You'll have a larger address space, as you never know what the future needs will be. 254 addresses may seem like a lot now, but maybe not in three years.
                            Also, using a /16 allows you to identify the network in octets 1 and 2 (10.10.x.x, 10.20.x.x, etc.) and allows you to use the third octet to classify your devices, like: 10.10.1.x for routers, 10.10.2.x for switches, 10.10.3.x for servers, etc., etc.

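An added example, not code from either post: the /16-per-site scheme joeqwerty describes above, together with the RFC1918 point made in #2, written out as a small Python address planner that can be run before anyone touches a DHCP scope or a VPN policy. Assumptions (mine, not the thread's): site n gets 10.(10n).0.0/16; the role-to-third-octet table is modelled on the three roles named in the post, with printers and workstations added; the current ranges are the three Gabi listed in the opening post (host .1 normalised to the network address).

```python
#!/usr/bin/env python3
"""Address-plan checker for the three-site redesign discussed in this thread.

Added example, not code from the thread.  Three things worth checking before
re-addressing:
  1. whether a range is actually RFC1918 (post #2: 151.45.1.0/24 is routable
     public space, which is unorthodox rather than broken),
  2. one /16 per site with role /24s in the third octet (post #14),
  3. that the planned ranges do not collide with the ranges already in use,
     since the suggested approach is to stand the new domain up on a new
     range alongside the old one and migrate.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Current ranges as listed in the opening post.
CURRENT = {
    "Site A": "151.45.1.0/24",
    "Site B": "192.168.1.0/24",
    "Site C": "10.1.30.0/24",
}

# Third-octet role assignment.  Assumption: modelled on the "10.10.1.x routers,
# 10.10.2.x switches, 10.10.3.x servers" example in #14, extended with two more.
ROLE_OCTET = {"routers": 1, "switches": 2, "servers": 3, "printers": 4, "workstations": 100}


def is_rfc1918(cidr: str) -> bool:
    """True only if the whole range sits inside one of the RFC1918 blocks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def plan_site(site_number: int, roles=ROLE_OCTET):
    """Site n gets 10.(10*n).0.0/16 and each role a /24 inside it (assumed pattern).

    Returns (site_supernet, {role: role_subnet}).  One /16 per site means each
    site-to-site VPN policy and each AD site object needs a single subnet entry.
    """
    if not 1 <= site_number <= 25:
        raise ValueError("site_number must be 1..25 so 10*n stays below 256")
    second = 10 * site_number
    supernet = ipaddress.ip_network(f"10.{second}.0.0/16")
    role_nets = {
        role: ipaddress.ip_network(f"10.{second}.{octet}.0/24")
        for role, octet in roles.items()
    }
    return supernet, role_nets


def conflicts(planned, existing=CURRENT):
    """Pairs (planned_net, existing_site) whose ranges overlap.

    An overlap means old and new ranges cannot be routed side by side during
    the migration.  Accepts CIDR strings or ip_network objects.
    """
    out = []
    for p in planned:
        p_net = ipaddress.ip_network(str(p), strict=False)
        for site, cidr in existing.items():
            if p_net.overlaps(ipaddress.ip_network(cidr, strict=False)):
                out.append((str(p_net), site))
    return out


def build_plan(site_count=3):
    """Plan for N sites (A, B, C, ...) plus the overlap check against CURRENT."""
    sites = {f"Site {chr(ord('A') + i)}": plan_site(i + 1) for i in range(site_count)}
    supernets = [supernet for supernet, _ in sites.values()]
    return sites, conflicts(supernets)


if __name__ == "__main__":
    for name, cidr in CURRENT.items():
        print(f"{name}: {cidr} rfc1918={is_rfc1918(cidr)}")
    sites, clashes = build_plan()
    for name, (supernet, roles) in sites.items():
        print(f"{name}: {supernet}")
        for role, net in roles.items():
            print(f"    {role:<13}{net}")
    print("conflicts with current ranges:", clashes or "none")
```

Run as-is it reports Site A's range as non-RFC1918, lays out 10.10/16, 10.20/16 and 10.30/16 with their role /24s, and finds no overlap with the three current ranges. Feeding it Gabi's own 10.1.x.0/24 plan as a 10.1.0.0/16 supernet instead would flag the clash with Site C's existing 10.1.30.0/24, which is exactly the kind of thing to catch before the VPN policies are rewritten.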

                            • #15
                              Re: Absolute network mess - don't know where to start and what's best.

                              Originally posted by joeqwerty:
                                  IMHO, I would use a /16 subnet mask for these reasons

                              Good suggestion Batman.
                              Gareth Howells
