
Thread: Real networking over "simple file sharing"

  1. #17
    Ex-MSFT Paul Adams's Avatar
    Join Date
    Jul 2003
    Location
    %systemroot%
    Posts
    1,926
    Thanks
    29
    Thanked
    77 times in 59 posts
    • Paul Adams's system
      • Motherboard:
      • Asus Maximus VIII
      • CPU:
      • Intel Core i7-6700K
      • Memory:
      • 16GB
      • Storage:
      • 2x250GB SSD / 500GB SSD / 2TB HDD
      • Graphics card(s):
      • nVidia GeForce GTX1080
      • Operating System:
      • Windows 10 x64 Pro
      • Monitor(s):
      • Philips 40" 4K
      • Internet:
      • 500Mbps fiber
    Quote Originally Posted by latrosicarius
    That was exactly the problem (it was hanging on "Applying your user settings"). I assume, it was checking out on the Internet for a domain with my domain name, and when it could not find one, it would eventually come across the internal network domain.
    And not via DNS - the Internet DNS server replies, so the client knows it is "good" for name resolution, the backup DNS server entry only gets used in the event that the first one does not respond at all (or gives an error).

    In theory you could add a HOSTS entry for the DC, but DNS is not used purely for looking up the DC but for dynamic registration and location of SRV records (which for sure your router and ISP DNS servers will not support).

    With Windows NT, NetBIOS & WINS were used as main methods of name resolution and computer browsing - these are now being phased out.
    From Windows 2000 onwards, DNS is the primary method of name resolution as it's what the rest of the Internet uses and doesn't rely on broadcasts - NetBIOS broadcasts are the fallback method to locate machines.

    So in your case the DNS queries would be sent to locate any suitable domain controller for the domain, which would get "no such name" as the response every time - then the NetBIOS broadcasts would be sent and the client just shouts on the LAN to find any logon server capable of authenticating users, and this is how the client eventually succeeds - after a timeout.
    ~ I have CDO. It's like OCD except the letters are in alphabetical order, as they should be. ~
    PC: Win10 x64 | Asus Maximus VIII | Core i7-6700K | 16GB DDR3 | 2x250GB SSD | 500GB SSD | 2TB SATA-300 | GeForce GTX1080
    Camera: Canon 60D | Sigma 10-20/4.0-5.6 | Canon 100/2.8 | Tamron 18-270/3.5-6.3

  2. #18
    Senior Member
    Join Date
    Sep 2005
    Posts
    587
    Thanks
    7
    Thanked
    7 times in 7 posts
    I'm not really sure what the practical reasons are for having a secondary DNS server listed on the client. Would it be to actually have two servers set up to manage Active Directory, and if one fails, the other is a carbon-copy and will pick up the slack?

    If so, is there any methodology to continuously update the secondary server, when you modify the Active Directory or permissions of the primary?

  3. #19
    Administrator Moby-Dick's Avatar
    Join Date
    Jul 2003
    Location
    There's no place like ::1 (IPv6 version)
    Posts
    10,665
    Thanks
    53
    Thanked
    384 times in 313 posts
    All domain controllers in an active directory run DNS. If you have a backup domain controller, then specifying it as a secondary domain controller is a good thing.

    By the sounds of it you've got some reference materials with you, and if so, have a look at the chapter on replication (essentially it will do it all for you!)
    my Virtualisation Blog http://jfvi.co.uk Virtualisation Podcast http://vsoup.net

  4. #20
    Ex-MSFT Paul Adams's Avatar
    Quote Originally Posted by latrosicarius
    I'm not really sure what the practical reasons are for having a secondary DNS server listed on the client. Would it be to actually have two servers set up to manage Active Directory, and if one fails, the other is a carbon-copy and will pick up the slack?

    If so, is there any methodology to continuously update the secondary server, when you modify the Active Directory or permissions of the primary?
    Talking completely outside of AD, primary and secondary DNS servers have been a standard way of providing high availability of a key service for years - you do not want clients and servers being unable to communicate simply because one cannot find the other due to a single server being down.

    The way it works is that the client tries name queries to its first DNS server, if it gets a reply then it knows the server is up and is happy - even if the response is "I can't find that name".
    If the primary DNS server does not respond in a reasonable amount of time then the secondary DNS server is queried - if it responds then it becomes the preferred name server until either it becomes non-responsive itself or the client is rebooted.


    Back to AD, DNS can run as the classic service using regular replication methods as with BIND servers on the Internet, or now "AD-integrated" so the information is actually passed around between the DCs as part of normal replication along with user accounts, servers, etc.
    The AD-integrated model gets away from the "single master" problem, as every DC is a peer and can modify the zone data directly then inform the others.
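
Added example (not part of any post in this thread): a small Python simulation of the DNS server selection described in posts #17 and #20, showing why a client whose first DNS server is an Internet resolver never gets the DC's SRV record, and how preference stays with the secondary after a failover. The server names, the DC host name and the simplified broadcast fallback are constructed for illustration; `homenet.local` is the example domain used later in the thread.

```python
from dataclasses import dataclass, field

NXDOMAIN = "NXDOMAIN"  # the server replied: "I can't find that name"
TIMEOUT = None         # the server did not reply at all


def srv_name(domain):
    """DNS name a client queries to locate a domain controller."""
    return f"_ldap._tcp.dc._msdcs.{domain}"


@dataclass
class DnsServer:
    name: str
    records: dict = field(default_factory=dict)  # query name -> answer
    up: bool = True

    def query(self, qname):
        if not self.up:
            return TIMEOUT
        return self.records.get(qname, NXDOMAIN)


class Client:
    """Simplified client: moves to the next server only on silence."""

    def __init__(self, servers):
        self.servers = list(servers)
        self.preferred = 0  # index of the current preferred server

    def resolve(self, qname):
        count = len(self.servers)
        for step in range(count):
            idx = (self.preferred + step) % count
            answer = self.servers[idx].query(qname)
            if answer is TIMEOUT:
                continue  # no reply: try the next configured server
            # Any reply, NXDOMAIN included, means this server is "good".
            self.preferred = idx
            return self.servers[idx].name, answer
        return None, TIMEOUT

    def locate_dc(self, domain):
        """Return (method, dc): DNS SRV lookup first, broadcast as fallback."""
        _, answer = self.resolve(srv_name(domain))
        if answer is TIMEOUT or answer == NXDOMAIN:
            return "netbios-broadcast", None  # the slow path from post #17
        return "dns", answer


def demo():
    domain = "homenet.local"
    zone = {srv_name(domain): "dc1.homenet.local"}  # constructed record
    isp = DnsServer("isp-dns")            # Internet resolver: no AD zone
    dc1 = DnsServer("dc1", dict(zone))
    dc2 = DnsServer("dc2", dict(zone))

    results = {}
    # ISP DNS listed first: it answers NXDOMAIN, so dc1 is never asked.
    results["isp_first"] = Client([isp, dc1]).locate_dc(domain)
    # DC listed first: the SRV lookup succeeds straight away.
    results["dc_first"] = Client([dc1, isp]).locate_dc(domain)

    # Two DCs: the secondary takes over on timeout and stays preferred.
    ha = Client([dc1, dc2])
    dc1.up = False
    results["primary_down"] = ha.resolve(srv_name(domain))[0]
    dc1.up = True
    results["primary_back"] = ha.resolve(srv_name(domain))[0]
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(scenario, "->", outcome)
```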

  5. #21
    Senior Member
    Quote Originally Posted by Moby-Dick
    All domain controllers in an active directory run DNS. If you have a backup domain controller, then specifying it as a secondary domain controller is a good thing.

    By the sounds of it you've got some reference materials with you, and if so, have a look at the chapter on replication (essentially it will do it all for you!)
    That sounds pretty logical. I don't have any real reference books or anything (I didn't have a clue about anything more than simple network sharing before this thread), but I will definitely look up Replication. It would be more for curiosity, since there's no way I could actually afford another server right now, since it's just for home use. Thanks for the info though--it really helps to know what terms to search for, like "replication" when I'm trying to make things work.

    Quote Originally Posted by Paul Adams
    Talking completely outside of AD, primary and secondary DNS servers have been a standard way of providing high availability of a key service for years - you do not want clients and servers being unable to communicate simply because one cannot find the other due to a single server being down.

    The way it works is that the client tries name queries to its first DNS server, if it gets a reply then it knows the server is up and is happy - even if the response is "I can't find that name".
    If the primary DNS server does not respond in a reasonable amount of time then the secondary DNS server is queried - if it responds then it becomes the preferred name server until either it becomes non-responsive itself or the client is rebooted.


    Back to AD, DNS can run as the classic service using regular replication methods as with BIND servers on the Internet, or now "AD-integrated" so the information is actually passed around between the DCs as part of normal replication along with user accounts, servers, etc.
    The AD-integrated model gets away from the "single master" problem, as every DC is a peer and can modify the zone data directly then inform the others.
    From an infrastructure architect's point of view, what do you guys think would be the most logical way of designing a network? My thinking is you would have two machines that are identical ("replication", or whatever), whose only roles are DNS+AD.

    Then there would be two more machines that each have a RAID controller card with lots of drives in a RAID-5 or 6 array, the only roles for them would be file sharing, but clients would only use one at a time, and the other would just Replicate the primary one. So if one goes down, the clients would still have access to their files.

    And all this would probably have to be IN ADDITION to offline backup. I've never used tape backup, but I bet it's very slow :/ .... I'd almost prefer another array of hard drives that are powered down at all times, except when performing nightly backups.

    Also, I'm told NTFS volumes currently have to be under 2TB or else you need a special OS. Therefore, if it was a real big business's network, you'd need multiple volumes. This gets into issues such as directory organization, public shares vs. individual private user shares, etc. I wonder how you can split this up... if you just have each file sharing server acting as a client to the DNS+AD server, which routes all requests from workstations for files to the appropriate shared folder.

    Depending on the number of volumes you have, you'd almost have to use tape backup versus hard drives
    ----
    EDIT: wait! 172 gigs of tape backup for only $700 bucks?? I could get a 300GB hard drive for only $120 bucks... never mind tape backup lol... http://www.exabyte.com/
    ----

    As far as the FTP, web, or streaming media roles, I'm not sure whether they should ideally get their own servers, or be grouped in with the file servers.
    Last edited by latrosicarius; 03-04-2006 at 10:32 PM.

  6. #22
    Administrator Moby-Dick's Avatar
    File server replication is a different kettle of fish - it's possible, but not necessarily in the way you are thinking of.

    Active directory only replicates the directory itself, which contains all the user accounts, printers etc. (and DNS if it's AD integrated)

    There is a way of replicating files around an active directory, it's called DFS or distributed filing system, but it's not really designed for files that are to be changed by many people.

    AD replication when you have slow network links can make things... interesting (to give you an idea, our AD at work has a little over 500 domain controllers each connected via an ADSL speed link.)

    It depends on the size of files you are dealing with, our mail file servers have much less than 2Tb storage, but we don't always deal with a huge amount of data centrally.

    Tape backup is getting better, some of the new drives can back up a good amount overnight.

    In a large scale network, you'd probably make use of a SAN (Storage Area Network)

    hope this gives you more food for thought

  7. #23
    Senior Member
    Hmm, okay thanks. I'm guessing you would rig up a SAN as a subdomain on your main domain? i.e.: if your AD+DNS server is on "homenet.local", your SAN file servers would be on something like "san.homenet.local"? I should look it up more--I still don't quite know the difference between SAN and NAS.

  8. #24
    Administrator Moby-Dick's Avatar
    A SAN (storage area network) is a complete network designed for just storage, it's usually separate from your conventional network.

    Two main flavours, FIBRE and iSCSI. Fibre uses optical fibre to connect the disk arrays to the servers, and iSCSI uses Gigabit ethernet.

    The servers access the SAN resources as if they were a local disk. At the SAN management end of things, you can present a certain subset of your disk "pool" to a given server, so only that server sees those particular virtual discs.

    A NAS is not quite the same, it's just a disk share accessible over LAN (at its most basic). You'd map a drive to it like any other network resource.

    SANs don't use TCP/IP in the same way, so wouldn't be referenced with a DNS name.

  9. #25
    Senior Member
    That's very interesting, I'll check it out. I love this kind of IT theory stuff, thanks :-P

    BTW, I'll add my network pics to the sticky thread soon. hehe

  10. #26
    Ex-MSFT Paul Adams's Avatar
    Moby's got the SAN/NAS thing down to pat as well as replication - one very common use of a SAN is to have clustered servers hooked up to them to access a common set of files (with exclusive access).
    This provides high availability of the files, as if an active cluster node goes down or has a problem then the other one takes over the role in as much time as it takes to stop the service (if the first node is still alive) and start it up on the other node.

    With volume mount points you can effectively extend storage over and over without a real restriction on space or drive letters.
    Though I don't know how secure I would feel having THAT much storage in one place - in terms of "all your eggs in one basket" and also how the hell to back it up (in a reasonable amount of time too).

    You are also pretty much spot-on in that DCs should be DCs and nada else - don't try to shoe-horn in SQL Server, Exchange, Live Communication Server, IIS, file sharing, printer serving, etc. onto them.

    Personally I would separate and group servers based on their role and what types of clients needed to access them.
    Public-facing web/FTP servers would go into a DMZ with a dirty side and a clean side.
    Internal servers I would be tempted to put behind a firewall even from the client LAN, so I know the access to them can be controlled and monitored with an Intrusion Detection System (IDS).
    If not firewalled, then at least VLAN'd to keep the broadcast chatter down.

    AD & DNS go hand-in-hand so they are fine on the same box, DHCP I would either cluster or have in a 60/40 setup (one server handles 60% of the scope, the other 40% in case of failure of one).
    For FTP & web (including WSUS) it makes sense to bundle together, load-balanced rather than clustered (check out NLBS) - possibly with an SMTP gateway if needed too.
    File & printer sharing are commonly bundled together too - again with clustering to provide the uptime and allow maintenance on the fly.
    SQL and Exchange most definitely want their own boxes, and again are commonly clustered as they are so commonly key services.

    File replication (FRS) is typically used for servers in different sites connected by a WAN, so the clients can get a local copy of the files without having to drag them over a high-latency low-bandwidth connection.
    FRS is the backbone of DFS and yes, it is not meant for frequently-changing files as you can't really devise an algorithm that doesn't end up being "last writer wins" for copies of a file in multiple locations available for editing.

    One often-overlooked technology is the Volume Shadow Copy service - the ability to have versions of files effectively backed up for immediate reference at synchronisation points during the day.
    Saves getting those backup tapes out when George from Accounts wants the Excel spreadsheet from last week that he just overwrote by mistake.


    All this, and you are still at the tip of the Windows iceberg

  11. #27
    Senior Member
    Wow, Paul... I knew I was just on the tip, but I didn't know how small the tip actually was

    I really like the idea of Volume Shadow Copy... it might be an effective way to backup my files without interruption.

    What's also a really cool idea (to me at least) is separating out the clients, the file+printer servers, & the servers dealing with external stuff (IIS, SQL, VPN(?), Exchange), all into separate "sub" LANs. This is the stuff I'm talkin' about! Sounds like an awesome way to tweak the network's performance by cutting down on cross chatter like you said. I assume, each sub LAN will ideally need its own DNS server (and secondary backup) to point the clients out of the sub LAN and into main domain so they can find the AD server(s)?

    In terms of Volume Mount Points, this seems like a good idea, especially if the network ever really needs to expand the space on its public folder (possibly for a video content server). Then, the right way to backup would probably be to have the same number of drives being Shadow Copied to another file server as a backup.

    Alas, too bad I don't have an infinite source of funding! I would totally set up a real Pro network for just like 2 clients LOL! The one thing I wouldn't use, though is Exchange--I MUCH prefer webmail (particularly Gmail) to any POP service with a client program (i.e: Outlook). Outlook is useful for its calendar, but Firefox has great extensions that take care of that. hehe.

    Why do you guys know so much about this? Are you real IT guys, or do you just enjoy doing it for home use?

  12. #28
    Ex-MSFT Paul Adams's Avatar
    Quote Originally Posted by latrosicarius
    I really like the idea of Volume Shadow Copy... it might be an effective way to backup my files without interruption.
    Two main functions of shadow copies are:
    i. instant access to previous "snapshotted" versions of files
    ii. ability to backup open files, for NTBackup or 3rd party backup tools

    Quote Originally Posted by latrosicarius
    Sounds like an awesome way to tweak the network's performance by cutting down on cross chatter like you said. I assume, each sub LAN will ideally need its own DNS server (and secondary backup) to point the clients out of the sub LAN and into main domain so they can find the AD server(s)?
    Performance is debatable, although if you get a saturated switch due to very busy servers connected to it then you can notice an improvement - typically I would recommend it for security more than anything, reducing the attack surface.

    Quote Originally Posted by latrosicarius
    Then, the right way to backup would probably be to have the same number of drives being Shadow Copied to another file server as a backup.
    But the advantage of tapes is that you can have multiple backups, on a grandfather-father-son system - mirroring to a single set of disks gives only high availability rather than a proper backup.

    Quote Originally Posted by latrosicarius
    Why do you guys know so much about this? Are you real IT guys, or do you just enjoy doing it for home use?
    Moby-Dick is a very talented guy, very knowledgeable about a broad range of IT topics and has "real world" experience of applying that knowledge - so much better than theory.

    Me, I just work for Microsoft
    Before I started here I worked as an IT Security Analyst in a bank.

  13. #29
    Administrator Moby-Dick's Avatar
    :blush:

    I just tinker about with PCs

    Using Exchange for POP mail is rather like using a Formula 1 race car to drive down to the shops for a pint of milk

    Exchange can run a web mail interface as good as, if not better than Gmail, and also provides functionality for mobile devices (push mail in a blackberryesque style!)

    We keep our core servers in their own VLAN as we can run that as a gigabit network so that intra-server communications are pretty quick (that core itself is split between a couple of buildings to give us a little bit of contingency). Oddly enough our external facing servers are only for receiving mail. We colocate our web servers at a 3rd party site. Each VLAN doesn't need its own DC / DNS node, just as long as there is a low (routing) cost, high speed route to one, it's pretty happy most of the time

  14. #30
    The late but legendary peterb - Onward and Upward peterb's Avatar
    Join Date
    Aug 2005
    Location
    Looking down & checking on swearing
    Posts
    19,378
    Thanks
    2,892
    Thanked
    3,403 times in 2,693 posts
    If you don't want to go to the expense of buying a server 2003 license, and any client access licenses you may need, you can set up a Linux box as a SAMBA server, which will act like a Windows Domain controller.

    It's not something I have done myself (set up a domain controller) although I do use SAMBA on a mixed linux/windows network with shared and central filestores on the linux server, which may be sufficient for your needs.
    (\__/)
    (='.'=)
    (")_(")

    Been helped or just 'Like' a post? Use the Thanks button!
    My broadband speed - 750 Meganibbles/minute

  15. #31
    Old Fool!
    Join Date
    Oct 2003
    Location
    Cambridgeshire
    Posts
    1,031
    Thanks
    11
    Thanked
    37 times in 31 posts
    • EtheAv8r's system
      • Motherboard:
      • ASUS Maximus V Gene
      • CPU:
      • i5 3570K @ 4500 Mhz
      • Memory:
      • 16Gb
      • Storage:
      • 2 x Samsung EVO 850 SSD; 1 x Samsung 2TB HD
      • Graphics card(s):
      • nVidia GeForce GTX 970
      • PSU:
      • Seasonic S-12 650 Energy+
      • Case:
      • Corsair Carbide
      • Operating System:
      • Windows 10 Home 64
      • Monitor(s):
      • Dell U2713H
      • Internet:
      • BT Infinity II
    To get everything you want, File Sharing and Printer Sharing & Spooling, and Scheduled Backups, and an Email Server (Exchange), a home web portal (SharePoint), and Shadow Copies (great feature, I have 3 teenage daughters and it has recovered 'lost and damaged' homework in a trice without any drama or tears), DNS server, DHCP server (or use your router) and a lot more, that is EASY to set-up and configure, and has a good support community, will run happily on a machine with 1GB RAM, then you should definitely consider Windows Server 2003 Small Business Edition (SBS) as mentioned earlier in the thread. You get a full proper, secure, reliable, easily managed AD in a box with all the bits you will probably ever need. The extended version also adds SQL Server and ISA Server... but I have the Standard version, and am happy with it.

    It is what I run at home, and it works pretty well, I have secure access to my email from anywhere via OWA (but I do use very strong passwords). I run a RAID 1 - Mirror just in case of HD failure.

    It too is available as a 30/60 day trial (180 day if you have access to MSDN) and is actually a pretty good product from Microsoft... Worth a look and a 'play' I suggest.
    Try to make each and every day the best it can be.

  16. #32
    Senior Member
    Join Date
    Mar 2005
    Posts
    4,943
    Thanks
    171
    Thanked
    386 times in 313 posts
    • badass's system
      • Motherboard:
      • ASUS P8Z77-m pro
      • CPU:
      • Core i5 3570K
      • Memory:
      • 32GB
      • Storage:
      • 1TB Samsung 850 EVO, 2TB WD Green
      • Graphics card(s):
      • Radeon RX 580
      • PSU:
      • Corsair HX520W
      • Case:
      • Silverstone SG02-F
      • Operating System:
      • Windows 10 X64
      • Monitor(s):
      • Del U2311, LG226WTQ
      • Internet:
      • 80/20 FTTC
    Quote Originally Posted by peterb
    If you don't want to go to the expense of buying a server 2003 license, and any client access licenses you may need, you can set up a Linux box as a SAMBA server, which will act like a Windows Domain controller.

    It's not something I have done myself (set up a domain controller) although I do use SAMBA on a mixed linux/windows network with shared and central filestores on the linux server, which may be sufficient for your needs.
    Linux and samba are fine if you just want it to have a few SMB shares. Anything more and you're asking for disaster.
    I used to have a linux zealot for a boss that did this setup in several places and it caused constant problems, all of which he blamed on microsoft
    The pillock didn't know his arse from his elbow and was an embarrassment to the IT profession. I hope he dies in an electrical accident involving a toaster running embedded linux and a fork.
    "In a perfect world... spammers would get caught, go to jail, and share a cell with many men who have enlarged their penises, taken Viagra and are looking for a new relationship."
