SLAC Windows Infrastructure - PowerPoint PPT Presentation

Slides: 44
Provided by: btsc
1
SLAC Windows Infrastructure
  • Brian Scott
  • May 2003

2
Windows Environment
  • 1700 Windows computer accounts
  • 3600 Windows user accounts
  • 91 standard Dell desktop hardware

3
Old NT Environment
4
New Windows 2000 Environment
Single forest and domain with multiple domain
controllers (DC). FSMO roles reside in SLAC's
DCs. Global catalog replicated to remote DCs.
5
Windows 2000 Active Directory
  • Finished rollout of Active Directory in September
    2002
  • Choices
    • Migration tools and SID history
    • Double ACL all resources
    • Re-ACL to new domain and cutover
    • In-place Upgrade

6
Upgrade Path 1 Migration Tools/SID
  • Go to Native Mode
  • Use migration tools to migrate user and machine
    accounts (NetIQ, Quest, ADMT)
  • Rely on SID history for access to old resources
  • Log into SLAC (NT) and WIN (XP)

7
Upgrade Path 1 Migration Tools/SID
  • Pros
    • Easily reversible
  • Cons
    • Migration tools not working as expected
    • Many migration steps and overhead
    • Things will break
    • Migration spans 1 year

8
Upgrade Path 2 Double ACL
  • Go to Native Mode
  • Double ACL all resources with ACL migration tool
  • Continue to double ACL manually after migration
    with any addition or change
  • Log into SLAC (NT) and WIN (XP)

9
Upgrade Path 2 Double ACL
  • Pros
    • Easily reversible
  • Cons
    • Need to re-ACL resource domains
    • Very confusing, things will break
    • Migration spans 1 year

10
Upgrade Path 3 Re-ACL/Big Bang!
  • Go to Native Mode
  • Re-ACL for new domain
  • One day everyone logs into new domain (WIN), NT,
    W2K and XP alike

11
Upgrade Path 3 Re-ACL/Big Bang!
  • Pros
    • Migrate over a weekend
  • Cons
    • Not easily reversible
    • Re-ACL resource domains
    • Things will break
    • Chaos for 1-2 weeks

12
Upgrade Path 4 In-place Upgrade
  • In-place Upgrade
  • Go to mixed-mode after 3-4 months, upgrade to
    Native mode
  • Log into SLAC (NT and XP) or use UPN
    win.slac.stanford.edu (XP)

13
Upgrade Path 4 In-place Upgrade
  • Pros
    • No re-ACL
    • No new domain
    • No migration tools
    • Less likely to break
    • Less overhead
  • Cons
    • Not native mode
    • Will need to migrate off of upgraded DC at some
      point
    • No nested groups

14
Windows 2000 Active Directory
  • Chose in-place upgrade over going straight to
    Native Mode
  • Upgrade was fast (few hours) and no accounts
    needed to be migrated
  • Environment supports XP, Windows 2000 and Windows
    NT
  • All SLAC Windows accounts are in Active Directory
    and managed by SCS Help Desk

15
Windows XP and 2000 Server OS
  • Operating System installation via Boot CD
  • Boot CD provides automated installation of the OS
    using Windows Preinstallation Environment
    (Windows PE) and Visual Basic
  • Two versions of CD
  • OS install files stored on the network
  • OS install files stored on CD

21
Software Delivery and GPOs
  • Software rolled out to workstations via Group
    Policy Objects (GPOs) rather than SMS
  • No clear decision from Microsoft on software
    delivery
  • Rollout via SMS could take 24 hours or longer
  • Little or no documentation from MS on GPO usage
  • Software repackaged as MSIs
  • Created MSI wrapper for GPO installs
  • All software that was part of boot-floppy
    installations now installed via GPOs
  • Office XP, SMS, Realplayer, Acrobat, Hypersnap,
    WS_FTP, TeraTerm, GS Tools and Aladdin Expander,
    etc
  • SMS used for software and hardware inventory and
    remote access to desktops

22
Minimum Standard for Joining Domain
  • Software rolled out immediately upon joining SLAC
    domain via GPO
  • XP Service Pack 1
  • InoculateIT Anti-virus
  • Registry Seed
  • Office XP
  • SMS

23
SUS Hotfix Delivery
  • Microsoft Windows XP hotfixes rolled out via
    Microsoft System Update Services (SUS)
  • Rollout schedule is monthly
  • During month users can install themselves
  • Over the last few days of the month for those
    that have not applied hotfixes themselves,
    hotfixes are installed automatically
  • Immediate rollout available for urgent hotfixes
  • Servers patched once a month as well

24
Windows 2000 Environment
  • Utilize Dell hardware (1550,1650,2550,2650,6300)
  • Print services reside on central print servers
  • Central account domain in SLAC
  • User and Machine accounts in department OUs
  • Administration delegated to departments
  • Centralized WINS Servers
  • Delegated DNS zone win.slac.stanford.edu running
    as Integrated Zone on DCs
  • Remote access via PPTP/VPN and ICA/Citrix
  • Anti-virus via CA ETrust InoculateIT
  • Recently finished migration of IIS to Windows 2000

25
Monitoring Solution
  • Implementing new monitoring solution. Recent
    purchase of NetIQ Appmanager and NetIQ
    Administration Suite
  • Current monitoring solution, network ping and
    manual health checks
  • Reviewed HP Network Node Manager, MOM, Quest
    Software and NetIQ
  • NetIQ is extensible using VB Script and Perl
  • Integrates with Telalert

26
NetIQ
27
NetIQ GPO
28
NetIQ File and Storage Admin
29
Windows Environment
  • Implement new backup solution.
  • Current solution, Veritas Backup Exec
  • Reviewing Legato, Veritas Netbackup, TSM, etc
  • May look to disk for main backups and off-site
    storage via tapes
  • Look to implement SAN based backup architecture
  • Upgrade of Citrix Metaframe 1.8 on NT TSE to
    Citrix XPe on Windows 2000 underway

30
Windows Storage at SLAC
31
Windows Storage
  • Dell SAN solution utilized
  • Storage Outages
  • 2 Storage outages in 2001 lasted total of 6 days
  • Recent outage in March 2003 lasted 28 hours

32
Dell Storage System
Backup
StorageTech L180
33
1st Tier and 2nd Tier
  • 1st Tier Storage
  • The 1st tier storage offering would always be
    kept small enough that data can be restored
    within 4 hours after a catastrophic failure.
    Provide high-end functionality such as
    non-disruptive upgrades and point-in-time copy.
  • 2nd Tier Storage
  • The 2nd tier storage offering would take full
    advantage of reliable low-cost storage
    technology. Recovery times after a major failure
    may be days rather than hours. 2nd tier system
    would be comparable to current storage system.

34
Quotas
  • In order to help facilitate future storage
    planning, a quota system will be proposed
  • Increases of storage capacity would be allowed on
    an as needed basis.
  • Allow regular planning discussions surrounding
    storage best practices.

35
Storage Evaluation
  • Completed storage evaluation March 2002
  • Looked at NAS, SAN and Direct Attached
  • Reviewed
  • Sun
  • Hitachi
  • EMC
  • IBM
  • Compaq
  • Network Appliance
  • StorageTek

36
Storage
  • Purchased Hitachi 9980
  • Recently migrated ALL Windows data onto Hitachi
    solution
  • Hitachi 9980
  • Brocade 3800
  • Emulex 2GB HBAs
  • Hitachi Dynamic Link Manager
  • Hitachi's ShadowImage (point-in-time copy)
  • In the process of purchasing Tier 2 Solution
  • Evaluating usual suspects
  • Will migrate most of information onto tier 2

37
New Storage Solution
38
Reporting Storage Trends
  • Purchased Veritas StorageCentral SRM Tools for
    end-users to better understand and control their
    storage needs
  • Files being stored
  • Usage of those files
  • Growth of repository
  • Size of repository
  • Active e-mail sent with information
  • Currently being tested for rollout

39
Veritas StorageCentral
40
Exchange
  • Current production system is Exchange 5.5
  • Exchange 2000 is production for Windows
    Administrators
  • Waiting for additional storage before rolling out
    Exchange 2000
  • Exchange 2000 will reside on Hitachi 9980 solution

41
Exchange 2000
  • Hitachi solution will take snapshots of the
    Exchange database every 24 hours
  • In the event of corrupted data, snapshot volume
    will be mounted and logs played to recover e-mail
  • Anticipated outage less than 4 hours

42
Over the next year
  • Authentication
  • Provide single user name and password to user
  • Single place to change user name and password
  • Integrate Unix, Windows, PeopleSoft, Oracle,
    Remedy, etc
  • Implement new Extra Private Network (EPN)
  • Utilize firewall technology to protect core
    business information (PeopleSoft, Oracle
    databases, etc)
  • Migrate Windows NT infrastructure to Active
    Directory (incorporated with Authentication
    project)
  • Implement similar firewall technology to segment
    business community utilizing the SSRL's Beamline
  • New Backup Architecture
  • Content Management System

43
Future Direction of EPN Architecture