BUILDING A SAFE, SECURE & FRIENDLY DOMAIN USING WINDOWS 2003 AD Part 3
BY: Ian Trump

20 March 2009

WINDOWS SERVER #2

Building servers is always fun and challenging, and the best way to hone your server building skills is to build another server. As mentioned in my musings in the earlier parts of these documents, we can do this one of two ways: the traditional new/old/re-cycled physical server as server #2, or the virtual server, using VMware or even Microsoft. Microsoft has released some impressive virtual server products and intends to launch this as a built-in feature with Windows Server 2008. MS Virtual Server and MS Virtual PC provide excellent virtual tools to create virtual servers and complete test environments. I don’t recommend that you install this on the Domain Controller; an “always on” workstation or some other decently powered box will be fine.

The reason I am dead set against installing virtual server technology on the main Domain, File & Print and Exchange Server is performance and stability. Virtual Server Technology requires a great deal of RAM, IIS meta-base extensions and CPU clock cycles to run Virtual Servers. This will impact the performance of the server to a great extent and cause potential headaches for end users.

I really advocate for an IT workstation with Virtual Services installed or a 2nd Server in the environment. In the MS SBS Server world there are “issues” with 2nd Servers and you need to have a serious discussion about expansion plans.

Windows Small Business Server has its own type of Client Access License (CAL) that is different and costs slightly more than CALs for the usual editions of the Windows Server operating system. However, the SBS CAL encompasses the user CALs for Windows Server, Exchange Server and SQL Server, and hence is less expensive than buying all the other CALs individually.

Windows Small Business Server has the following design restrictions, the most important of which is highlighted in bold:

Windows Small Business Server 2008 will only be available for the x86-64 (64-bit) architecture. This is due to the requirements of Exchange Server 2007, whose production version is 64-bit only. The 32-bit version of Exchange Server 2007 is only supported for testing and non-production scenarios.

Only the Remote Desktop for Administration mode is available because Small Business Server always runs on the domain controller, and only two simultaneous RDP sessions are allowed. Terminal Services in application sharing mode needs to be run on a second server on the network. This however is possible with SBS 2008 Premium edition which includes a Windows Server 2008 license for running the second server.

To remove these restrictions and upgrade to regular editions of Windows Server, Exchange Server, SQL Server and ISA Server, there is a Windows Small Business Server 2003 R2 Transition Pack.

What this means is that if you are using Microsoft SBS there are a lot of services running on your network, all on one box. I also take issue with the claim of 75 users; to be honest, if you have 75 users running File & Print, MS Exchange, SharePoint, and ISA all on one box, I don’t think there is a hardware platform on earth that can keep up with these demands. Once you add anti-virus and some sort of backup software solution, these are A LOT of services to have on one box. I am more than a little sceptical and believe that most systems are one OS or application patch away from IT Armageddon.

It is prudent to look at a 2nd server or high end workstation running a virtual server to provide backend services for the network, to address patching & testing requirements on the network, and to provide some measure of business continuity comfort if the primary server fails.

Many IT departments have, as core responsibilities, backup, patches and updates, and anti-virus software updates. For smaller networks with 2 to 10 workstations and a server or two, backup, patching and updating can be accomplished in an afternoon. After 10+ workstations or laptops and a couple of servers it becomes a little bit more challenging to manage this. Let’s start with backup issues:

BACKUP? THERE IS NO BACKUP

A few paragraphs earlier I argued that 75 users on one server performing File & Print, MS Exchange, SharePoint, and ISA was a potential performance problem; enter the grim reality of backup and we now have a potentially serious problem on our hands. The first issue is the user shares and business department shares. Depending on your document archive policy (What document archive policy?) you may well have every piece of business information since you started your business on your servers. This is a problem, as every night (more about backup strategy later) it gets backed up (or not, as the case may be). Every day, month and year users add data to the system; it is not unreasonable to think that much of this data is not even relevant to the current business operations, but it is on the server “live”. If your backup, like many people’s, is set to do a full backup every night, you are putting a huge amount of ancient data onto media. For the sake of argument let’s ball park that in four years of business the users have generated 75 GB (18.75 GB per year) of data; 10 GB or so is currently relevant to the business and 65 GB is content that should be archived.

Enter email and the Exchange server into the equation and we can easily double this amount again, depending on the email box and retention policy (What email box and retention policy?). That puts the four-year estimate for this business at 150 GB of user generated data, which does not seem unreasonable to me; let’s add an additional 15 GB for the OS logs, IIS directories and Windows itself. What is unfortunately unreasonable is the time window, speed and performance impact on the server while this information is moved to media. Maintaining tape and a backup solution for 165 GB of uncompressed data is going to cost you some money, and once you add the software to run it all it may cost as much as your server. The solution which Microsoft has provided (NT Backup) does not allow for the individual backup of mailboxes, and the 2nd most common restore request is for deleted mailbox contents (curse the day a user showed someone how to use Shift+Delete). Take a good look at your deleted items retention policy in the management console of MS Exchange; this can be a huge life saver.

Another backup issue vexing IT support crews is locked files. Some users leave the office in a great stampede with work “in progress”, which in IT speak means files open on the server. Again, the Microsoft solution does not have the ability to close (even temporarily) the files for backup, so in-progress work is sometimes the most vulnerable in the enterprise to corruption, overwrite and being missed by the backup.

COMPLAINT LINE FORMS HERE

A huge increase in disk storage capacity and a proportional decrease in hard drive cost have produced some interesting solutions to the backup problem. Tape and tape drives have failed to follow the economies produced in the hard drive industry, and as a result even the most basic server system has incredible storage capacity, but adding offline (tape) backup capacity equal to the disk can exceed the budget of the server. There is no excuse for not insisting on RAID 1 or RAID 5 disk arrays for storage, as SATA II has this capability built in. There is also no excuse for not doubling up on the drives to provide some local archival and storage capability. Local copying and compression of files takes considerably less time when performed on the server between disk arrays; adding separate controllers can even speed up this process. I strongly suggest looking at a backup bat file script which is triggered as a scheduled task. In that script you may want to look at Robocopy (a great utility that can work around locked files) and gzip as the compression application (add a password for encryption as a command line option) as great options to create disk to disk backups on the same server. Offsite storage can be accomplished by copying this archive copy to a USB memory stick or HDD, which is then placed into the care of a trustworthy off site backup process. Keep in mind that un-compressing the backup file is a VERY intensive operation and would have tremendous impact on the server.

A word about locked files: this is a sticky area which can really be a dangerous one, and you need to define the relationship of IT to the business first before setting out a policy. If users are leaving files open all the time and their “work in progress” files are not being backed up, you need to let them know and you need to let your managers know that the latest stuff is not being backed up. That’s as far as you go unless you have (in writing) the ability and mandate to “execute a complete backup no matter what the impediment”. You can force log off using Windows GPOs at a certain time and you can also use “net stop server” to shut the Server service down; but this is not a subtle move and could break stuff like the ever so delicate Outlook .pst files if they are located on network shares.
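The Robocopy stage of the scheduled disk-to-disk backup, with a report of the open files it had to skip, as an added example (not the author's script). The drive letters, folder names and log file names are assumptions; it covers the copy and the locked-file report only, not compression or the off-site copy.

```batch
@echo off
rem Added example, not the author's script. All paths below are assumptions.
setlocal

set "SRC=D:\Shares"
set "DST=E:\Backup\Shares"
set "LOGDIR=E:\Backup\Logs"
set "LOG=%LOGDIR%\robocopy-last.log"
set "REPORT=%LOGDIR%\not-backed-up.txt"

if not exist "%LOGDIR%" mkdir "%LOGDIR%"
if exist "%REPORT%" del "%REPORT%"

rem /E         copy subfolders, including empty ones
rem /COPY:DAT  copy data, attributes and timestamps
rem /R:2 /W:5  retry an open file twice, 5 seconds apart, then skip it
rem            (the default of a million retries would stall the job)
rem /NP        keep per-file progress percentages out of the log
rem /LOG:      overwrite the log on every run
robocopy "%SRC%" "%DST%" /E /COPY:DAT /R:2 /W:5 /NP /LOG:"%LOG%"
set RC=%ERRORLEVEL%

rem Robocopy's exit code is a bitmask: 8 = some files failed, 16 = fatal error.
if %RC% GEQ 16 (
    echo Backup FAILED, robocopy exit code %RC%. See %LOG% > "%REPORT%"
    exit /b %RC%
)

rem ERROR 32 is a sharing violation and ERROR 33 a lock violation: both mean
rem the file was open. A file appears once per failed attempt.
findstr /C:"ERROR 32 " /C:"ERROR 33 " "%LOG%" > "%REPORT%"

if %RC% GEQ 8 (
    echo Some files were NOT backed up. Report: %REPORT%
    exit /b %RC%
)

rem Everything was copied, possibly after a retry: no report needed.
if exist "%REPORT%" del "%REPORT%"
echo Backup complete, robocopy exit code %RC%.
exit /b 0
```

On Windows Server 2003 Robocopy comes from the Resource Kit Tools. The report file is the evidence to pass to users and managers when work in progress was not backed up.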

A 1 GB backbone between two decent servers (or workstations) makes sense for facilitating a backup to another set of disk drives and moving the compression of the backup to a separate box, hopefully less hard working than our File & Print and MS Exchange SERVER-1. This is my main concern as we look at a small business architecture which provides for the best performance, redundancy and flexible business options. I like to think that a restore function should not impact users negatively, and having the compression and (when required) de-compression on a separate box is a way to provide great service.