Need to split my network


Jim Mc

In the very near future we've got to move several web and email
servers from our in-house network to colocation. We'll still have a
LAN with Internet connectivity via T1, but we need to move the public
servers offsite due to the heavy bandwidth needs of the web servers.
I'm pretty new to AD, so I'm looking for the best setup as we proceed.

Current setup:

One NT4 domain. The web & email servers are multihomed, with public
addresses on one NIC and RFC1918 addresses connecting to our internal
network on the other NIC. Not very secure, but it should be 'fixed'
when the public servers are moved.

Current servers:

1. NT4 PDC - with file and print shares
2. NT4 BDC - doesn't do much but act as BDC
3. Win2k member server - file shares, DHCP, resolving MS DNS server
for our LAN users

4. Win2k member server - web server, BIND DNS server
5. Win2k member server - email server, BIND DNS server
6. NT4 member server - web server

Machines 4-6 will be moved to colocation.

Biggest obstacle, for the moment anyway, is that we have an
intranet/extranet web site on machine #4 that employees log into using
their NT4 network accounts. On machine #5, the email server also uses
NT4 accounts to authenticate employees for POP3 mail retrieval. When
the servers are moved, I may need to create a new domain, and new
accounts, or maybe there's another solution? The two user logins --
one for mail/extranet and one for the local LAN -- are going to be a PITA
unless there's a way to sync them. Otherwise, we'll have to create
accounts in both domains whenever we hire a new employee.

Tonight I plan on rebuilding the NT4 web server with Win2k and perhaps
also set it up as a DC in a new AD domain for the colocated network.
The LAN domain will also be upgraded to Win2k AD, perhaps sooner rather
than later if it makes this whole transition easier.

Looking for advice on how to do this and how best to organize the AD
to make account maintenance easiest.

Thanks.
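An added inventory check, not part of Jim's post or the thread: given a list of hosts and their interface addresses (the sample inventory and hostnames below are constructed), it flags machines that carry both a public address and an RFC 1918 address, i.e. the multihomed arrangement described above that bridges the internet and the internal LAN.

```python
import ipaddress

# RFC 1918 private ranges, as named in the post above.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def is_public(addr: str) -> bool:
    """True if addr is neither RFC 1918 nor a loopback/link-local/special address."""
    ip = ipaddress.ip_address(addr)
    special = (ip.is_loopback or ip.is_link_local or ip.is_multicast
               or ip.is_reserved or ip.is_unspecified)
    return not (is_rfc1918(addr) or special)


def find_bridging_hosts(inventory: dict) -> list:
    """Return, sorted, the hosts that have at least one public AND one RFC 1918 address.

    inventory maps hostname -> list of interface addresses (strings).
    """
    flagged = []
    for host, addrs in inventory.items():
        if any(is_public(a) for a in addrs) and any(is_rfc1918(a) for a in addrs):
            flagged.append(host)
    return sorted(flagged)


# Constructed sample inventory (hypothetical hosts; public addresses drawn from
# the documentation range 198.51.100.0/24, not real ones).
SAMPLE_INVENTORY = {
    "web1": ["198.51.100.10", "192.168.1.4"],   # public NIC + internal NIC
    "mail1": ["198.51.100.11", "10.0.0.5"],     # public NIC + internal NIC
    "fileserver": ["192.168.1.10"],             # internal only: fine
    "web2-colo": ["198.51.100.12"],             # public only: fine
}

if __name__ == "__main__":
    for h in find_bridging_hosts(SAMPLE_INVENTORY):
        print("multihomed public/private host:", h)
```

Feeding the check a real export of interface addresses per host is a quick way to confirm nothing still straddles both networks after the move.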
 
Hi Jim,

I agree that having servers connected to the internet and to the internal
network is not a great idea, and it is good that you are moving your web
servers to an offsite location. Instead of answering your questions one by
one, I will give you an idea of how I would have done things.

1. I would move my external web servers to an offsite location at my ISP, if
this is required because of bandwidth usage.
2. I would build a new web server (or use one of the existing ones) for the
intranet and place it in the internal LAN.
3. I would keep the mail server at my location, but I would move it to the
internal LAN and publish it through the firewall (much safer). If you put it
in an offsite location, then you will have to have a way to administer it
(user accounts and such...).
4. Of course, if you are planning to upgrade your domain to Windows 2000,
consider using Windows 2000 DNS servers, as they are the natural choice for AD.

--
Regards

Matjaz Ladava, MCSE (NT4 & 2000), Windows MVP
(e-mail address removed)
http://ladava.com
 
On Sun, 28 Sep 2003 09:10:17 +0200, "Matjaz Ladava [MVP]"

Thank you for the advice.

> Hi Jim,
>
> I agree that having servers connected to the internet and to the internal
> network is not a great idea, and it is good that you are moving your web
> servers to an offsite location. Instead of answering your questions one by
> one, I will give you an idea of how I would have done things.
>
> 1. I would move my external web servers to an offsite location at my ISP, if
> this is required because of bandwidth usage.

That's happening. No looking back.

> 2. I would build a new web server (or use one of the existing ones) for the
> intranet and place it in the internal LAN.

Not so easy. Most of the (web) applications running on that server
are used for maintenance of the web sites (many, many web sites) and
databases that run on the web servers being moved. I could come up
with an alternative means of authenticating our employees, but that
still means two passwords. Not to mention possibly revamping quite a
few web applications to use a new authentication mechanism.

> 3. I would keep the mail server at my location, but I would move it to the
> internal LAN and publish it through the firewall (much safer). If you put it
> in an offsite location, then you will have to have a way to administer it
> (user accounts and such...).

I thought of that. And while I'm not opposed to keeping a mail server
here for our internal use, there are still a couple of obstacles.
Number one is that the mail server is used by several other companies
besides our own. That traffic, which includes webmail access, _must_
be moved off to colo, partly due to the bandwidth requirements but
also for security reasons. This means that I'll need to install and
maintain a second mail server solely for our company's use. Secondly,
we're beginning to implement some fairly complex antispam and
antivirus controls for email. If I have a second in-house mail
server, then I'll either lose those controls for our own email or
else have to duplicate them here.

> 4. Of course, if you are planning to upgrade your domain to Windows 2000,
> consider using Windows 2000 DNS servers, as they are the natural choice for AD.

For the in-house AD, sure. And probably a Win2k DNS server for the
colocated AD. But I'm not getting rid of BIND for the public DNS,
although I may move it onto servers running FreeBSD or Linux.
 
Then you will have to have multiple passwords on either side :-(. I would
try to get rid of those other companies, build my own mail server, and
keep it on location.

--
Regards

Matjaz Ladava, MCSE (NT4 & 2000), Windows MVP
(e-mail address removed)
http://ladava.com
 