Introducing... MCS Talks Infrastructure Architecture
Presentation Transcript

  1. Introducing... MCS Talks Infrastructure Architecture. Mark Aslett – Consultant, Microsoft Consulting Services.

  2. Live Meeting Information... • Feedback Panel • Questions & Answers • Blog - http://blogs.technet.com/MCSTalks

  3. Introducing MCS Talks...
     • Series objectives: share Microsoft Consulting Services field experience of designing and architecting Microsoft based infrastructure solutions
     • Core topics:
       • Infrastructure Architecture (today)
       • Core Infrastructure (AD, DNS etc.)
       • Messaging
       • Security
       • Identity
       • Desktop
       • Management
       • Operations
       • SharePoint
       • Application Virtualization

  4. Contoso Network Infrastructure (network diagram: sites with user counts, WAN links from 512KB and 1MB–8MB ADSL up to 10MB, and 100MB/1GB LANs at Glasgow, London and Manchester). Sites shown: Glasgow 25,000 users (Manufacturing); Manchester 25,000 users (Call Centre); London 6,000 users (Head Office); Remote VPN users 3,000; Ireland 1,000 users (Development); India 1,500 users (Development); Birmingham 750; Exeter 500; Edinburgh 400; Newcastle 350; Reading 350; Oxford 250; York 100; New York 30; Paris 20; Tokyo 10; Manchester Data Centre; Bristol Fail Over Data Centre.

  5. Session 1: Infrastructure Architecture. Jason Heyes – Architect; Kevin Sangwell – Architect.

  6. Questions to ask before buying more:
     • Will newer hardware alleviate growth needs?
     • Does backing up mean we are prepared?
     • Will newer versions of the software increase operational efficiency?
     • By adding more people will we be able to get more operational reach?
     • Are we compliant, and on which layer: application, network?
     • Will more management tools increase our control? Or our operational quality?
     • Will more security tools decrease our threats?
     • When we develop an application, does it consume from our existing operational best practices?
     • By having a single network directory do we simplify application access?
     Integration complexity is not solved by tools. You can take all of these actions and only increase complexity!

  7. Core Infrastructure Optimisation Model (matrix diagram: the capability areas Identity and Access Management; Desktop, Device, and Server Management; Security and Networking; Data Protection and Recovery; and IT and Security Process, each rated across the maturity levels Basic ($1,320/PC), Standardized ($580/PC), Rationalized ($230/PC) and Dynamic; cell contents as extracted, one cell per bullet)
     • None
     • No PC life cycle strategy; no policy based PC mgt; many hw, sw configs
     • Standardization: defined PC lifecycle; limited policy based PC mgt; many software configs
     • Stds compliance: defined PC life cycle, stds enforcement; full policy based PC mgt; minimal hw, sw configs
     • Fully automated: dynamic physical / virtual compute; mobile device mgmt; automated quarantine of unhealthy PCs
     • Federated identity: across platforms and organisations
     • Threat mgmt: across client and server edge; automated risk assessment
     • Business / IT defined SLAs; backup and restore of clients with SLAs; proactive sys mgmt; capacity planning
     • Multiple directories: many auth. directories; no dir synchronization; manual user provisioning
     • Automated provisioning: single sign-on; auto password reset; auto user provisioning
     • Single directory for auth: one authentication dir.
     • Minimal PC security: anti-virus; manual patching; no enforced sec. compliance
     • Limited PC security: PC firewall; auto patching
     • Comprehensive security: anti-spyware; enforced security compliance + Network Access Control
     • No system-wide mgmt: poor sys mgt tool coverage; duplicate mgmt tools; manual sw, patch deployment
     • Limited sys mgmt: single sys mgt tool; software packaging; software distribution
     • Comprehensive sys mgt: hw, sw inventories; hw, sw reporting; auto/targeted sw dist.

  8. IO Improves IT Efficiency: Accomplish More with the Same Resources (bar chart: PCs managed per IT FTE, 0–700, by IO level, with 60% / 20% / 20% labelled "Organization"). Basic: 76 average PCs per IT FTE, $1,320 IT labour per PC. Standardized: 172 PCs per IT FTE, $580 per PC. Rationalized: 442 PCs per IT FTE, $230 per PC. Source: IDC data analyzed by Microsoft, 2006.

  9. Perform an IO self assessment http://www.microsoft.com/optimization/tools/overview.mspx

  10. A Different Approach Is Needed. An approach that...
     • Is holistic
     • Addresses existing complexity
     • Creates an integrated, uniform environment
     • Adopts proven best practices
     • Recognises role based productivity
     • Prioritises and sequences IT projects in a structured, systematic manner
     (People, Process, Technology) Operational habits are what deliver results.

  11. Architecture Considerations

  12. Architecture Considerations Remote Office

  13. Remote Office Challenges
     • WAN performance/reliability
     • Provisioning new services/applications/servers
     • Management headaches
     • Remote user support
     • User experience
     • Data security
     • Space
     • Cost

  14. DCs in Remote Offices

  15. Server Core and Hyper-V
     • New hardware?
     • Still have to patch child partitions
     • Still the same number of workloads/servers to manage
     • Need a good business continuity plan to minimize the impact of a single point of failure
     • Ensure IT staff skill set is updated to manage Server Core and a virtualized environment

  16. Fileshares
     • Local fileserver
       • Great user experience
       • Difficult to backup & manage
     • Solution
       • Server Core in branch
       • DFS-R implemented hub & spoke
       • Many Win2K3 DFS-R challenges gone in Win2K8
       • Backups from replicated copy on corp server
       • SMB 2.0 performance benefits (Vista client + Win2K8 server)
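The hub & spoke DFS-R layout described on this slide, as an added example that is not part of the deck: it uses the DFSR PowerShell module that ships with Windows Server 2012 R2 and later (Windows Server 2008 used dfsradmin.exe for the same job). The server names, content path and staging quotas are constructed; the hub is made the primary member so that its complete replicated copy is the backup source.

```powershell
# Added example (not from the MCS Talks deck): hub-and-spoke DFS-R topology
# built with the DFSR PowerShell module (Windows Server 2012 R2 and later).
# Server names, paths and quotas below are constructed for illustration.
#Requires -Modules DFSR

$GroupName   = 'BranchFileShares'
$FolderName  = 'Shared'
$Hub         = 'HUB-FS01'                                    # corp server: backups run here
$Branches    = @('BR-YORK01', 'BR-EXETER01', 'BR-OXFORD01')  # Server Core in each branch
$ContentPath = 'D:\Shares\Shared'

# One replication group and one replicated folder shared by every branch.
New-DfsReplicationGroup -GroupName $GroupName -Description 'Hub and spoke branch shares' | Out-Null
New-DfsReplicatedFolder -GroupName $GroupName -FolderName $FolderName | Out-Null

# The hub and every branch become members of the group.
Add-DfsrMember -GroupName $GroupName -ComputerName (@($Hub) + $Branches) | Out-Null

# Hub and spoke: each branch is connected only to the hub, never to another
# branch. Add-DfsrConnection creates both one-way connections (hub->branch
# and branch->hub) for the pair.
foreach ($branch in $Branches) {
    Add-DfsrConnection -GroupName $GroupName `
        -SourceComputerName $Hub -DestinationComputerName $branch | Out-Null
}

# The hub is the primary member: its content wins initial replication, and
# because it holds a full replicated copy it is where backups are taken.
Set-DfsrMembership -GroupName $GroupName -FolderName $FolderName `
    -ComputerName $Hub -ContentPath $ContentPath -PrimaryMember $true `
    -StagingPathQuotaInMB 8192 -Force | Out-Null

foreach ($branch in $Branches) {
    Set-DfsrMembership -GroupName $GroupName -FolderName $FolderName `
        -ComputerName $branch -ContentPath $ContentPath `
        -StagingPathQuotaInMB 4096 -Force | Out-Null
}

# Make each member read the new configuration from AD now rather than at its
# next poll, then list the connections to confirm no branch-to-branch links.
Update-DfsrConfigurationFromAD -ComputerName (@($Hub) + $Branches)
Get-DfsrConnection -GroupName $GroupName |
    Select-Object SourceComputerName, DestinationComputerName, Enabled |
    Format-Table -AutoSize
```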

  17. Architecture Considerations Network Access Protection

  18. Addressing Network Health Problems

  19. NAP Enforcement Options
     • DHCP: easiest to implement, but easiest to work around
     • VPN: more secure than DHCP, but have to use WS2008 RRAS (may displace the current VPN solution); subject to industry trends
     • 802.1x: design complexity to manage for multiple network user types
     • IPsec: recommended enforcement

  20. IPSec Enforcement

  21. Architecture Considerations: Virtualization

  22. Virtualized Infrastructure Management (diagram: Presentation Virtualization, Application Virtualization, Desktop Virtualization, Server Virtualization)

  23. Alternative Desktop Deployment Models (diagram: SAN-backed servers with remote boot, a Windows Server OS serving multiple RDP sessions, and Blade PCs each accessed over RDP)

  24. Attributes of Alternative Desktop Models (matrix rating each model's attributes as Strength, Neutral or Weakness; cell contents not recoverable from the transcript)

  25. Presentation Virtualization
     • What problems does Presentation Virtualization solve?
       • Application needs to pull large amounts of data from a central database?
       • Incompatibilities between desktop OS and application?
     • Characteristics
       • Run an application in one location, control it from another
       • Allows data to be centralised rather than distributed on desktops
       • Cost of managing applications is reduced

  26. Presentation Virtualization: Core Scenario (diagram: zones Internet, DMZ and Corp LAN separated by an External Firewall and an Internal Firewall; clients at Home and in a Hotel connect over the Internet using HTTPS / 443 to a Terminal Services Gateway, which brokers access to the Terminal Servers and E-Mail Server on the Corp LAN)

  27. Application Virtualization
     • What problems does Application Virtualization solve?
       • Application to application incompatibility
       • Makes application deployment easier – no need to test for application conflicts
     • Characteristics
       • Removes application configuration from the OS layer
       • Each application runs in its own protected runtime environment, isolated from the others
       • Applications can run on clients without being installed
       • Allows administration from a central location

  28. Application Virtualization (deployment options)
     • Microsoft System Center Application Virtualization Management Server
     • Microsoft System Center Application Virtualization Streaming Server
     • Microsoft Application Virtualization Standalone Mode

  29. Host Virtualization
     • What problems does Host Virtualization solve?
       • Optimise server investments by consolidating multiple server roles onto a single physical box
       • Business Continuity Management – everything that was on a server is now in a couple of files, which makes it highly portable
       • Dynamic datacentre – ensure resources are appropriately used
       • Test & Development

  30. Virtualization 2010 • Information Week Oct. 2007 • “The [virtualization field] is nowhere near saturated. IDC estimates that only 17% of the worldwide server market will be virtualized by 2010, up from 5% in 2005.”

  31. Hyper-V: Windows Server Virtualization
     • What is it?
       • Hypervisor based virtualization platform
       • Windows Server 2008 x64 Edition technology
       • Standards based
     • Requirements
       • Windows Server 2008 x64 Editions
       • Hardware assisted virtualization (AMD AMD-V or Intel VT)

  32. Architecture Considerations Security

  33. Security challenges being faced today
     • Challenges
       • Complex management of access rights
       • Provisioning / de-provisioning of internal staff and partner/external staff
       • Perimeter protection
       • Controlling confidential data
     • Some answers
       • Federation
       • Role-based management
       • Rights Management

  34. Sharing Identities Between Organisations and Applications
     • Traditional approaches
       • NT trust (rarely seen)
       • Shadow accounts
       • Proxy accounts
     • Problems
       • NT trusts are real-time but not granular enough
       • Shadow accounts have to be created and administered
       • Proxy accounts break audit rules and are by definition insecure

  35. Federated Rights Management (diagram: Company A and Company B, each with its own AD, joined by a Federation Trust between a Resource Federation Server and an Account Federation Server; RMS and Web SSO ride on the federation)

  36. Information Protection is Business Critical
     • Sharing of information is not optional! Conducting business requires collaboration
     • Traditional information protection methods are location-based: firewalls, access control/encryption
     • Other challenges
       • Hard to manage/administer
       • Difficult to set a consistent policy
       • Difficult to audit
       • Can still result in information loss or leakage

  37. Identity-based Information Protection
     • Persistent protection for sensitive/confidential data
     • Controls access to information across the information lifecycle
     • Allows only authorized access based on trusted identity
     • Secures transmission and storage of sensitive information wherever it goes: policies embedded into the content; documents encrypted with 128 bit encryption
     • Embeds digital usage policies (print, view, edit, expiration etc.) into the content to help prevent misuse after delivery
     (diagram: Persistent Protection = Access Permissions + Use Right Permissions + Encryption + Policy)

  38. Architecture Considerations High Availability

  39. Some Approaches
     • No single point of failure
     • Redundancy in application or infrastructure?
       • Application: AD, Exchange, SQL Server 2008
       • Infrastructure (MSCS): SQL Server 2005, File/Print Servers, Hyper-V
     • Microsoft Clustering Services (MSCS)
       • Beware of non-cluster friendly apps: ILM, SCOM, SCCM, ISA
       • Could boot from SAN
     • NLB clustering: ISA, IIS, SharePoint, read-only SQL

  40. 8 Node Cluster (Windows 2003) (diagram: 5 active nodes and 3 passive nodes serving clients, connected through a switch fabric to a disk controller and disk subsystem)

  41. 16 Node Cluster (Windows 2008) (diagram: 10 active nodes and 6 passive nodes connected through a switch fabric to a disk controller and disk subsystem)

  42. Windows Server 2008 Clustering
     • Cluster HCL is gone; instead there is a cluster validation tool which you can run
     • Hardware needs to have the Windows Server 2008 logo
     • Microsoft support simplified
     • Geo-clusters simplified: multi-subnet
     • IPv6 support
     • Task-based wizards

  43. Architecture Considerations: Data Centre Consolidation

  44. Step 0: Choosing the building blocks. Build a balanced system
     • Windows Server 2008 x64 Edition EE/DTC, Server Core installation
     • Quad processor / quad core (16 cores), AMD-V or Intel VT
     • Memory
       • 2 GB per core minimum (32 GB)
       • 4 GB per core recommended (64 GB)
     • Storage: 4 Gb Fibre Channel
     • Networking
       • 1 Gb/E NIC (onboard) for VM management / cluster heartbeat / migration
       • 1 quad-port Gb/E PCI-E for VMs

  45. Step 1: Ensure you have Active Directory (diagram: Domain Controller on Ethernet)

  46. Step 2: Building a Virtualization Farm (diagram: Domain Controller and Virtualization Farm 1 (14 + 2 servers) on Ethernet)

  47. Step 3: Adding Storage (diagram: Virtualization Farm 1 (14 + 2 servers) attached through a Fibre Channel switch to the SAN with 32 connections; Domain Controller on Ethernet)

  48. Step 4: Bare Metal Provisioning with System Center Configuration Manager (diagram: previous layout plus a System Center Configuration Manager server on the Ethernet)

  49. Step 5: Virtual Machine Provisioning with System Center Virtual Machine Manager (diagram: previous layout plus a System Center Virtual Machine Manager server)

  50. Step 6: Health Monitoring with System Center Operations Manager (diagram: previous layout plus a System Center Operations Manager server)