5 Locations, 1 Server, best solution?

Krueger81

Diamond Member
Feb 4, 2000
4,196
3
81
Hello,

The current situation is this:

5 Locations using Sonicwall SSL Portal to connect to their "Main Office" to access their files. The speeds are an issue as they mainly work with AutoCAD. Files are slow to transfer. Reference files don't transfer, yada yada yada.

All their PCs are on a workgroup at the moment and I was toying with the idea of throwing them onto a domain due to file permission/security issues at the moment.

What is the best solution to get them all to talk to the main location without having any permission issues.

We have talked about WAN Accelerators, having a server at each location for authentication purposes and so on

Any insight is greatly appreciated.

Thanks
Phil
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
Generally put the servers local to the heavy users... Do all 5 sites have CAD usage? Also working in a Workgroup can work but it is an absolute management nightmare; most of the good solutions won't even work in that environment. Before you drop a wad of cash on WAN accelerators draw up which sites need "high speed" vs others that can work without it.

Once you have that you can design a good solution to the problem such as using Windows 2008R2 DFS-Replication etc to move files out to the sites that need them while still being able to easily back up at one location.

Having worked on sites where local access at times "wasn't fast enough" I can't imagine trying to do CAD over an SSL portal.
 

Krueger81

Diamond Member
Feb 4, 2000
4,196
3
81
The Server is at the location with the highest internet speeds. We have two Comcast lines coming into the office at 50/5 apiece; one location uses one line, the other 4 locations use the other, evenly splitting the users.

All sites have CAD usage yes ;( All sites have an internet connection of at least 2up/2down but obviously that may not be enough or the files are just that damn big especially when there are many users trying to access files at the same time.

The problem I read about DFS is that if you have the same file open at the same time only the last changes get saved? Is that correct?

Currently users use the portal to map their "X" drive and then just use Total Commander for file copying... (I KNOW)

Thanks
Phil
 

drebo

Diamond Member
Feb 24, 2006
7,035
1
81
Typically, you will have local servers. If you need multiple people editing the same file, you'll want to use some sort of revision management system. SharePoint is an easy-to-use one that's also free.

A domain is a good idea for a number of reasons.

You'll also want to set up some sort of site-to-site VPN solution. My recommendation would be some form of provider-based VPN solution, such as an MPLS network. However, IPSec can work, though I would not recommend SonicWall.
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
The Server is at the location with the highest internet speeds. We have two Comcast lines coming into the office at 50/5 apiece; one location uses one line, the other 4 locations use the other, evenly splitting the users.

All sites have CAD usage yes ;( All sites have an internet connection of at least 2up/2down but obviously that may not be enough or the files are just that damn big especially when there are many users trying to access files at the same time.

The problem I read about DFS is that if you have the same file open at the same time only the last changes get saved? Is that correct?

Currently users use the portal to map their "X" drive and then just use Total Commander for file copying... (I KNOW)

Thanks
Phil

The DFS thing is true if they are editing the same CAD file at multiple sites. DFS will not propagate any file that is +t (temp, 0x100) on NTFS so the .dwl / .dwl2 files are never copied. On the same site CAD will see it is in use and act normally.

If the CAD files are generally site specific you can use DFSR mostly as a backup method. I have used it pretty well in the cases where the sites were generally working on their own files and not each others.

I would highly recommend local servers. You get some pretty cheap basic ones.
 

Krueger81

Diamond Member
Feb 4, 2000
4,196
3
81
Typically, you will have local servers. If you need multiple people editing the same file, you'll want to use some sort of revision management system. SharePoint is an easy-to-use one that's also free.

A domain is a good idea for a number of reasons.

You'll also want to set up some sort of site-to-site VPN solution. My recommendation would be some form of provider-based VPN solution, such as an MPLS network. However, IPSec can work, though I would not recommend SonicWall.



Sonicwall = Crap ?

Cost of a Decent MPLS network?

They had local servers at each location before for authentication purposes. Unfortunately the IT guy there took them out and went the workgroup/sonicwall SSL Way

If I have a server at each location a VPN is needed anyway for File/AD Replication to work correctly right?

Thanks
Phil
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
Sonicwall = Crap ?

Cost of a Decent MPLS network?

They had local servers at each location before for authentication purposes. Unfortunately the IT guy there took them out and went the workgroup/sonicwall SSL Way

If I have a server at each location a VPN is needed anyway for File/AD Replication to work correctly right?

Thanks
Phil

Yes you would still need the SSL gear. You should thank the old IT guy, he gave you a project to fix up his mess, potentially giving you a job. Why anyone would go AD -> workgroup (at 5 sites even... everyone loved WINS am I right?) is beyond me.
 

Emulex

Diamond Member
Jan 28, 2001
9,759
1
71
windows 8 REMOTEFX or VDI acceleration with nvidia.

plus a crapton of bandwidth. nothing would remote vdi'ing autocad fun at all.
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
windows 8 REMOTEFX or VDI acceleration with nvidia.

plus a crapton of bandwidth. nothing would remote vdi'ing autocad fun at all.

Considering my CAD guys could bring 3.46ghz quad xeons with 24 gig of ram with a 2 gig nVidia card to its knees regularly, I am not sure how well remotefx / VDI would work lol.
 

ViviTheMage

Lifer
Dec 12, 2002
36,190
85
91
madgenius.com
How large are the files?

Do the users work with the same files regularly?

If you only have 2/2 at each location, your only decent options are WAN Accelerators (We went with riverbed, love it so far), or getting local servers, and backing them up to a central server.

Those would be my two plans of attack.

And yes, get them back in AD...wtf @ WINS, haha.
 

Krueger81

Diamond Member
Feb 4, 2000
4,196
3
81
How large are the files?

Do the users work with the same files regularly?

If you only have 2/2 at each location, your only decent options are WAN Accelerators (We went with riverbed, love it so far), or getting local servers, and backing them up to a central server.

Those would be my two plans of attack.

And yes, get them back in AD...wtf @ WINS, haha.

They claim they use the same files in more than one location. Luckily the way they are opening things now it tells them if files are open.

If we put a server at each location for authentication purposes how would they all end up on the same domain? Obviously with a VPN of some sort correct ?

Is there any way to keep files on each server and have them replicate at the end of the night ?
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
They claim they use the same files in more than one location. Luckily the way they are opening things now it tells them if files are open.

If we put a server at each location for authentication purposes how would they all end up on the same domain? Obviously with a VPN of some sort correct ?

Is there any way to keep files on each server and have them replicate at the end of the night ?

1) same domain, Using active directory. Sites and services specifically. Also for just authentication there is little reason for a server at each site. The main reason you do it is to serve files. Authentication with an AD domain can run over a 128k baud line without issues for lots of users.
2) DFSR, RSYNC, FRS, XCOPY, ROBOCOPY (ie tons of ways based on your needs)

Not to be rude but you don't sound very literate in networking, vpn or Windows technologies. You may want to hire someone, as taking this on is not hard for an experienced admin but if you have never done it before, there are a ton of stumbling blocks and places where bad decisions will ruin your day.

You really need to design a list of wants/goals and convert that in to a scope of work.
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
Ok, after a PM:

This is of course all my opinion:

#1 "We need access to everything." This is never true. If they do, no type of replication tech is going to handle multiple remotely opened files [well]. Get them to define realistic goals.

I would personally place 2 servers at "HQ". 1 File server that also does AD, 1 'AD' server that holds the FSMO roles. Have it handle DHCP also.

1 file server at sites that need it.

Caveats to watch for: In order for AD to work: You must design DHCP, DNS, sites and services up correctly. DNS on workstations needs to point at AD DNS servers etc. DHCP needs to push these settings etc. Sites and services handle where the servers go for files etc if you run DFS.

This is not detailed... The MS book on doing this is a few hundred pages long so don't take it as a guide.

Likely the previous admin had it messed up. Thinking going AD -> workgroup is a prime example of his... qualifications.

-edit-

Forgot the file thing:

I would then push out DFSR on 2008R2 that would replicate the site files back to the main office for backups. Bonus points if you can limit the access each office needs (i.e. if site1 only needs CAD files for 'site 1', then make a replicated share for "site 1" and only push those files out to the site 1 server)
 

ViviTheMage

Lifer
Dec 12, 2002
36,190
85
91
madgenius.com
Site to site VPNs done via cisco routers would be enough to get them all on the same AD, with an AD server at each location, they all have logins, even if the network is down. They also have their local files.

Then centrally back everything nightly, depending on how badly that data needs to be backed up, it could be weekly. imagoon listed a lot of great ways to do this as well.

I am going to have to agree with imagoon...some of the options should seem pretty obvious, unless you are way over your head...hire someone if this is indeed for business applications.

EDIT : if everyone does indeed need to access files simultaneously ... one file server centrally located, with a back up server on site, and hopefully remote back ups past that point.

I would also set up some sort of WAN Acceleration like riverbed/waas/wan acceleration (assuming your application/data is acceleratable).
 

Krueger81

Diamond Member
Feb 4, 2000
4,196
3
81
Ok, after a PM:

This is of course all my opinion:

#1 "We need access to everything." This is never true. If they do, no type of replication tech is going to handle multiple remotely opened files [well]. Get them to define realistic goals.

I would personally place 2 servers at "HQ". 1 File server that also does AD, 1 'AD' server that holds the FSMO roles. Have it handle DHCP also.

1 file server at sites that need it.

Caveats to watch for: In order for AD to work: You must design DHCP, DNS, sites and services up correctly. DNS on workstations needs to point at AD DNS servers etc. DHCP needs to push these settings etc. Sites and services handle where the servers go for files etc if you run DFS.

This is not detailed... The MS book on doing this is a few hundred pages long so don't take it as a guide.

Likely the previous admin had it messed up. Thinking going AD -> workgroup is a prime example of his... qualifications.

-edit-

Forgot the file thing:

I would then push out DFSR on 2008R2 that would replicate the site files back to the main office for backups. Bonus points if you can limit the access each office needs (i.e. if site1 only needs CAD files for 'site 1', then make a replicated share for "site 1" and only push those files out to the site 1 server)

Unfortunately limiting each site to what they have access to isn't going to work as site A and Site B may be working on the same project within AutoCad ;(

Other than adding an AD Server to each location for authentication purposes is there a way to authenticate over a Site to Site VPN or is that too much network traffic?

Thanks
Phil
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
Most likely you will not need a DC at each site (unless the connection likes to drop a lot.) It will save some busy work getting them all set up. The big issue I see is handling all the CAD files. If they really can't coordinate to prevent conflicts (and really when you think about it, they have to now, because if bob on site a opened the file and cindy on B opened the same file and they both edited it locally and saved it, the last person to work that day overwrites the other person's work. This leads me to believe they could handle this) I am not sure what would work well. DFSR can put local copies out there for working but if 2 people work at the same time the files will get shoved in to the conflict folder.

However for a basic "AD" setup what you have written would work fine. You could get away with 2 AD servers though. Home office and the largest, longest lasting off site as the secondary. DNS / DHCP at all locations works but you could likely get away with just DNS on the 2 mentioned AD servers. If you wanted to get fancy you can do only one DHCP server that served all 6 locations. Makes management a bit easier, but takes a little more to get set up.
 

Krueger81

Diamond Member
Feb 4, 2000
4,196
3
81
check out Microsoft DirectAccess
it is a feature in windows server 2008 r2. it does require AD and there some more requirements that you should look at before you dive in if you decide to go that route but basically each client computer would automatically connect to the server as soon as it is connected to the internet.
http://www.microsoft.com/en-us/server-cloud/windows-server/directaccess.aspx

They are still using Windows XP Pro Machines at some locations and I am not sure if they are ready to fork out cash to go Windows 7 on everything just yet. They are slowly moving this way but you know it's all about the Benjamins ;(
 

Krueger81

Diamond Member
Feb 4, 2000
4,196
3
81
Most likely you will not need a DC at each site (unless the connection likes to drop a lot.) It will save some busy work getting them all set up. The big issue I see is handling all the CAD files. If they really can't coordinate to prevent conflicts (and really when you think about it, they have to now, because if bob on site a opened the file and cindy on B opened the same file and they both edited it locally and saved it, the last person to work that day overwrites the other person's work. This leads me to believe they could handle this) I am not sure what would work well. DFSR can put local copies out there for working but if 2 people work at the same time the files will get shoved in to the conflict folder.

However for a basic "AD" setup what you have written would work fine. You could get away with 2 AD servers though. Home office and the largest, longest lasting off site as the secondary. DNS / DHCP at all locations works but you could likely get away with just DNS on the 2 mentioned AD servers. If you wanted to get fancy you can do only one DHCP server that served all 6 locations. Makes management a bit easier, but takes a little more to get set up.

OK got the servers down now... Will a site to site VPN be sufficient enough to handle their CAD Files as well as all the other network chatter like DNS/DHCP ? Depends on the internet connection I know but in the past they were complaining about speeds not sure if the site to site had something to do with that. I would imagine there is a limit on what a VPN Connection can throughput?

Thanks
Phil
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
OK got the servers down now... Will a site to site VPN be sufficient enough to handle their CAD Files as well as all the other network chatter like DNS/DHCP ? Depends on the internet connection I know but in the past they were complaining about speeds not sure if the site to site had something to do with that. I would imagine there is a limit on what a VPN Connection can throughput?

Thanks
Phil

Once you get DFS-R running, you would have local copies at the sites so they would have CAD file access at local network speeds.
 

Krueger81

Diamond Member
Feb 4, 2000
4,196
3
81
Once you get DFS-R running, you would have local copies at the sites so they would have CAD file access at local network speeds.

The company doesn't want to go back to servers at each location...

So Site to Site VPN to each location then have the primary and only Domain controller be at the main site? Authentication should be fine through Site to Site as long as DNS is set correctly right?

The primary objective is to just have one server. That's how they want it for some odd reason ...
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
The company doesn't want to go back to servers at each location...

So Site to Site VPN to each location then have the primary and only Domain controller be at the main site? Authentication should be fine through Site to Site as long as DNS is set correctly right?

The primary objective is to just have one server. That's how they want it for some odd reason ...

Then at this point I wouldn't touch it. If they want poor performance, then let it be. You do not need AD servers at each site to do AD. Simply make sure DHCP and DNS are set up properly and authentication will work over the VPN connection.

--edit--
This is where you need to go back and really define a scope of work. At this point it doesn't sound like you have a real scope that has been approved by management. If you can give me a scope, I can help you better rather than looking like I am flailing around.

So on that note: What are your goals? Please list them.

I see: "I want AD" and "Speeds suck." Since they don't want to setup multiple servers, for speed the best you can do is WAN accelerators such as Riverbeds and they are rarely going to do much better than 1.5x performance. The newer versions of Autocad actually compress the .dwg files so you may not even see an improvement. The accelerators can't improve compressed data (much.) They also tend to cost more than local servers.
 

Krueger81

Diamond Member
Feb 4, 2000
4,196
3
81
Just wanted to give everyone an update on this. I've been with the company a little over two months now and have done the following:

- Switched everyone back to a domain. Authenticating back to our main server in our central location.

- Installed Riverbed Accelerators (ouch @ $$$$). These were purchased before I took the job.

I still have one location that has internet issues where their download and upload speeds are less than 1 Mbps but I think that has something to do with the local ISP.

Now my questions:

In each sonicwall I am broadcasting the primary DNS as our server's static IP (i.e. 192.168.1.5). When people access the internet does it route internet traffic through the VPN tunnel and then back to the location where it came from? Or is that DNS setting just for DNS queries/AD authentication to the server?

Sorry this is probably a simple question but it's been bothering me and I can't come up with a concrete answer.

Thanks
Phil
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
Assuming you have split tunnels set up correctly, only the DNS/ad auth / internal network ranges will hit the home office servers, the rest goes out the split.
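The split-tunnel behaviour described in the answer above can be checked with a small route-lookup model. This is an added example, not part of the original thread: only the DNS server address 192.168.1.5 comes from the posts, while the subnets, the web address and the function names are constructed assumptions.

```python
import ipaddress

# Constructed sample values; only DNS_SERVER appears in the thread.
DNS_SERVER = "192.168.1.5"        # AD/DNS server at the main office
HQ_LAN = "192.168.1.0/24"         # assumed main-office subnet
BRANCH_LAN = "192.168.20.0/24"    # assumed branch-office subnet
WEB_SITE = "203.0.113.10"         # documentation-range address standing in for a public site


def build_routes(split_tunnel):
    """Return the branch firewall's routing table as (network, exit) pairs.

    With split tunnelling only the main-office range is sent into the VPN and
    the default route leaves through the branch's own ISP. Without it (full
    tunnel) the default route also points into the VPN.
    """
    default_exit = "local-isp" if split_tunnel else "vpn-tunnel"
    return [
        (ipaddress.ip_network(BRANCH_LAN), "local-lan"),
        (ipaddress.ip_network(HQ_LAN), "vpn-tunnel"),
        (ipaddress.ip_network("0.0.0.0/0"), default_exit),
    ]


def next_hop(routes, dest):
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.ip_address(dest)
    matches = [(net, via) for net, via in routes if addr in net]
    _, via = max(matches, key=lambda m: m[0].prefixlen)
    return via


def trace_web_request(routes, dns_server=DNS_SERVER, site_ip=WEB_SITE):
    """Show where the two legs of one web request leave the branch.

    The DNS setting handed out by DHCP only decides where the name lookup is
    sent; the routing table decides the path of the web traffic itself.
    """
    return {
        "dns_query": next_hop(routes, dns_server),
        "web_traffic": next_hop(routes, site_ip),
    }


if __name__ == "__main__":
    for mode in (True, False):
        label = "split tunnel" if mode else "full tunnel"
        print(label, trace_web_request(build_routes(mode)))
```

In the split-tunnel case the name lookup still crosses the VPN to the main office, so the branch depends on the tunnel for name resolution and the main-office DNS server sees every lookup, even though the page traffic never touches the main office link.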
 