Answer the question
In order to leave comments, you need to log in
How to raise a new infrastructure from scratch and combine three buildings of an educational institution into one network?
Good afternoon. I am a beginner system administrator. I was given a serious task: to raise a new infrastructure from scratch and combine three buildings of the educational institution into one network. We define that building A is the main one, B and Csecondary. Windows Server 2008 (DC,DHCP,DNS), Windows Server 2008 (TMG 2010), Windows 2003 (Mail, Website) are now installed in the main building, and all this is on old hardware. There are currently no servers in other buildings. (New servers purchased 2 per chassis). Clarification of the problem: It is necessary that users of one corpus can log in to other corpus under the same login and password, and also have access to resources in other corpus. At the moment there is no network between the buildings, but it will be done using a VPN or with the help of a provider. Internet speed between buildings up to 100 Mbps.
In my opinion, the process of creating a new infrastructure should start from the main building. Put the network in order, think over the network topology, it is possible to configure VLANs in the network (200+ PCs), think about how VPN will be implemented, raise a new domain and forest, smoothly transfer current servers to new ones. The next step is connecting the main building to the secondary (VPN), raising a domain there, including this domain in an existing new forest , and setting up trust relationships between domains. Same thing with the third building. BUTmanagement wants to do the opposite. The first step is to raise domains and new forests in buildings B and C, after rebuilding the infrastructure in the main building, raise the VPN and somehow connect all three forests into one. I doubt this approach. Will it be possible to set up a trust relationship between domains that are in different forests without hemorrhoids? What are the pros and cons of these approaches? And how will it all work? Thanks in advance for your advice!
Addition: Thanks to everyone for the answers, perhaps I did not correctly describe the situation, I'll try to clarify. The distance between the buildings is about 5-6 km (stretching something is not an option). Most likely, you will have to connect through a provider, the Internet speed for educational institutions is 100 Mbps (and most likely they will not increase). As for the authorities, they need to do everything quickly and efficiently. The technical side of the whole procedure is poorly understood.
Now about three domains and the total number of computers: in the main building we have 200 PCs, in the second about 120 and in the third about 80. The idea was that all user authorizations would take place in the cases on local servers and not run through the Internet to the main server (at least password caching), if for example the link between the cases would fall, then the work in the cases would not be interrupted. You also need a single authorization for all cases + access to data. (from here the idea to put servers in all buildings)
At the moment, there is no infrastructure in two buildings, a router and switches. Everything is there from scratch. In the main building, with the help of VLAN, they wanted to separate the administration from the students and the accounting department + reduce broadcast traffic. There are also plans to organize Wi-fi throughout the main building for teachers and students (separate VLAN?)
The administrator, unfortunately, I am the only one in three buildings and there is no place to wait for technical assistance (but 2 enikey workers), if you invite specialists, then why should I? (the boss's logic) Let's continue, about servers, 6 new servers were purchased under the project, which were not distributed by me into cases. If they can be distributed more intelligently, then please tell me how to do it. For me, the most important thing is the stability of this system. (About a backup DC - this is by itself) And yet, in your opinion, in this situation, is it better to put all the servers in the main building and start the infrastructure from here, or divide the server equipment into 3 buildings ???
Answer the question
In order to leave comments, you need to log in
He did the same in medicine.
Punch a direct link. Saves a lot of nerves. If in the same area, then the optics are unambiguous, do not even hesitate, if in different areas, then L2 through the provider.
Forget about the speed of 100Mbps, this is the last century. Make gigabit right away, it will also save your nerves and in three years you won’t have to redo it.
And, excuse me, why do you need three domains for three buildings? This is bullshit. Do you have different websites on them? Does each building have its own system administrator? Or what? What is it for?
And another question, why the hell are two servers for each case? What's on these servers? Why should they be in different buildings?
For 200+ PCs of one domain, more than enough, you make the host of the infrastructure in the main building, DNS, DHCP, there is also a backup DC on another server.
The main thing is a reliable, capacious transport infrastructure, and on it everything else is much simpler and easier to do.
If the points, then it looks like this (provided that you are in the same territory):
1. Single-mode optics for 16 fibers from secondary to the main body.
2. In the main, an optical gigabit switch of the core level
3. In the secondary, gigabit switches of the network level, with an optical port
4. In the main, put all the servers.
5. In the main, raise the DC, the backup DC, the file server and everything else you need.
And that's it, no hemorrhoids with forests and trust and vpn.
Forests are needed when you already have whole branches in different districts and cities, with their own politicians, etc.
And on 200 computers such a fence is the height of incompetence.
Tell your superiors that if your network is processing students' personal data, you must use strictly defined information security facilities with the correct FSTEC and FSB certificates that cost a lot of money.
It would be nice to call a non-novice administrator at least for a consultation.
If the buildings are within sight, why vpn, if you can simply combine them with ordinary links?
Simple work on the territory of the institution can be carried out. It is possible to throw even air gigabit whenever possible.
I will support comrade DastiX
about the lack of need for scaffolding. One domain is enough for your structure.
I will also add that you set a task in the spirit: "Let's set up two servers each, make VLAN and VPN and a bunch of buzzwords !". You need to dance on requirements, not on technology. You put two servers. Fine. What will they do? What tasks to solve?
Want VLAN'y - it is good. For what? What do you plan to do with vlans? What problem to solve?
Same question for VPN. You still don’t have a physical link between the cases, and it’s not even clear how it will be implemented, but you are already thinking about VPN.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question