Upgrading an old small network

rono, GSEC, GCIH, GMON - Blue team. Posts: 119, Member

I have a question regarding upgrading an old small network with 9 physical servers running Windows Server 2008 R2.

Long story short: this network started as a small office with a few users and computers connected to a hub and has grown over the last 10 years into a small office with 60 users, a few printers, and servers running a database, Exchange, file/print, AD and so on, connected together to a few HP switches with no VLANs. No network/AD design plan was made before deployment, and that is still the situation today. There are many issues with this network, both AD errors (e.g. name conflicts, DHCP) and Exchange errors (OOF, calendar, Autodiscover errors), and the owner has "fixed" the problem every time (lately very often) by calling IT consultants who fix the problems temporarily with no documentation of what they have done, with the result that the problems show up again after a few weeks/months. The owner is getting tired of this and asked me if I want to take the job of upgrading/redesigning the network. I'm thinking of the following to fix this network:

AD domain:
- buy new servers or reuse the old ones and upgrade the NOS to Windows Server 2012 R2, and install roles on them like: AD, DNS and DHCP on one server; the DB on one server; Exchange on another; file + print and maybe the intranet (internal company website, which implies IIS) on another; and IIS for some external websites on another server, which will be located in the DMZ. My fix here is to separate the roles each server currently has.
- define a new domain name, and create OUs for servers, computers, users, printers ...
- reconfigure Exchange on-premises or upgrade to Exchange 2016, or suggest going to Office 365 if the owner agrees with that.

- choose a private IP address range for internal use
- use a VLAN for each department (not so many)
- buy some new switches or use ones that support VLANs and router-on-a-stick (or check if the in-place firewall supports routing between VLANs)
- clear up the spaghetti cabling in the server rack.

Did I forget something, or am I doing something wrong in this repair job? :)

Any further comments from people with experience matching this scenario are very welcome.

Thank you!
Mess with the best, Die like the rest!
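Added example, not from the original post: the AD, DNS and DHCP part of the plan above as a PowerShell script run on a freshly promoted Windows Server 2012 R2 domain controller. The domain corp.example.com, the 10.10.0.0/16 range, one /24 per department VLAN, the DC address and the department and OU names are all assumptions chosen for illustration; it assumes the forest already exists (Install-ADDSForest) and the DNS and DHCP roles are installed.

```powershell
# Added example, not from the original post. Assumptions: the forest
# corp.example.com was already created with Install-ADDSForest, the roles
# were installed with
#   Install-WindowsFeature AD-Domain-Services, DNS, DHCP -IncludeManagementTools
# and this runs as a Domain Admin on that DC.
Import-Module ActiveDirectory, DnsServer, DhcpServer

$domainDn    = 'DC=corp,DC=example,DC=com'                 # assumed domain
$dnsDomain   = 'corp.example.com'
$dcAddress   = '10.10.10.10'                               # assumed address of this DC
$departments = 'Sales', 'Accounting', 'Engineering'        # assumed departments
$scopes      = @{ Sales = '10.10.20'; Accounting = '10.10.30'; Engineering = '10.10.40' }  # assumed /24 per VLAN

# Idempotent OU creation: re-running the script must not fail or duplicate anything.
function New-OuIfMissing {
    param([string]$Name, [string]$ParentDn)
    $dn = "OU=$Name,$ParentDn"
    try { Get-ADOrganizationalUnit -Identity $dn | Out-Null; return $dn } catch { }
    New-ADOrganizationalUnit -Name $Name -Path $ParentDn -ProtectedFromAccidentalDeletion $true
    return $dn
}

# One top-level OU per object type keeps GPO linking and delegation simple;
# department sub-OUs under Users and Workstations carry the department-specific policy.
$topLevel = @{}
foreach ($name in 'Servers', 'Workstations', 'Users', 'Groups', 'Printers', 'ServiceAccounts') {
    $topLevel[$name] = New-OuIfMissing -Name $name -ParentDn $domainDn
}
foreach ($dept in $departments) {
    New-OuIfMissing -Name $dept -ParentDn $topLevel['Users']        | Out-Null
    New-OuIfMissing -Name $dept -ParentDn $topLevel['Workstations'] | Out-Null
    # A global security group per department is what file/print ACLs and firewall rules key on.
    if (-not (Get-ADGroup -Filter "Name -eq 'GG-$dept'")) {
        New-ADGroup -Name "GG-$dept" -GroupScope Global -GroupCategory Security -Path $topLevel['Groups']
    }
}

# DNS: an AD-integrated reverse zone with secure dynamic updates, so DHCP clients
# get PTR records and the name conflicts the post mentions are at least visible.
if (-not (Get-DnsServerZone -Name '10.10.in-addr.arpa' -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId '10.10.0.0/16' -ReplicationScope Domain -DynamicUpdate Secure
}

# DHCP: one scope per department VLAN. The default gateway (.1) is the VLAN's
# SVI or firewall sub-interface; DNS points only at the DC, never at an ISP resolver.
foreach ($dept in $scopes.Keys) {
    $net = $scopes[$dept]
    if (-not (Get-DhcpServerv4Scope -ScopeId "$net.0" -ErrorAction SilentlyContinue)) {
        Add-DhcpServerv4Scope -Name "VLAN $dept" -StartRange "$net.50" -EndRange "$net.250" `
            -SubnetMask 255.255.255.0 -State Active -LeaseDuration (New-TimeSpan -Days 1)
    }
    Set-DhcpServerv4OptionValue -ScopeId "$net.0" -Router "$net.1" -DnsServer $dcAddress -DnsDomain $dnsDomain
}

# An unauthorized DHCP server hands out no leases in an AD domain; authorize this one.
Add-DhcpServerInDC -DnsName "$env:COMPUTERNAME.$dnsDomain" -IPAddress $dcAddress
```

Because the DHCP server sits in the server VLAN, each department VLAN needs a DHCP relay (ip helper-address on the switch SVI or firewall) pointing at the DC, otherwise the scopes above are never used. Keeping the scope ranges below .50 free leaves room for the static addresses of printers and the gateway.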


  • OctalDump, Posts: 1,722, Member
    9 physical servers? I'd look at virtualisation. Depending on how virtualisation is done, you can get more out of each license, which allows you to better isolate services so that you aren't worrying about conflicts, or that taking down server x will take down half a dozen services.

    As far as the network goes, figure out which bits actually need to talk to each other. A proper DMZ with firewalls might be achievable. Going beyond that is probably going to add complexity without much more benefit.

    I think it also makes sense to explore cloud hosted options. Office 365 might save a lot of money/time/frustration in the long run. But that depends on how they actually work.

    One other thing to be aware of is the temptation to over engineer. You need to strike a balance between robust and manageable.

    And before you start, have a plan, including roll back plans for everything, and whatever time you quote make sure that it includes the time to implement and to roll back, because sometimes you don't realise that things aren't working until the last moment. Under promise and over deliver.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • rono, GSEC, GCIH, GMON - Blue team. Posts: 119, Member
    Thank you for your input, OctalDump. With virtualization I eliminate the VLAN hassle, which is done internally.
    Mess with the best, Die like the rest!
  • tmtex, Posts: 326, Member
    Why have departmental VLANs? Is there some type of security needed?
  • rono, GSEC, GCIH, GMON - Blue team. Posts: 119, Member
    I think it is a best practice to always use VLANs from a security point of view. Think of it like this: if a self-replicating virus infects a computer in a network with no VLANs, then all computers will get infected, while if VLANs are used, only the computers in that particular VLAN get infected. This is one of the many benefits... Once I took a Cisco course (ccnet), and when the teacher was asked when to use VLANs and when not to, he said: "Always!"
    Mess with the best, Die like the rest!
  • AndersonSmith, Posts: 471, Member
    With only 60 users on your network, VLANs would really be a bit of overkill. You don't want to make things more difficult than you have to (think KISS principle). You're right about VLANs being best practice from a security point of view, but in a network that small it's just really not needed, and it may complicate the configuration, add extra work for yourself, and mean more troubleshooting when something goes wrong. And depending on how the VLANs are configured (I'm assuming you'll need each office's VLANs to communicate with each other), it may not offer much, if any, protection from a self-replicating virus. Still, if it's something you're willing to invest the time and effort in, and if there's a potential for quite a bit more growth in the company, then it might be worth looking into. Good luck!
    All the best,

    "Everything that has a beginning has an end"
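Added example, not from any poster in this thread: the point above is that a VLAN only contains a worm when traffic between segments, and between hosts in the same segment, is actually filtered, which inter-VLAN routing alone does not do. The following PowerShell applies that filter on the Windows hosts themselves (Windows Firewall with Advanced Security), which works whether or not the switches do VLANs and can later be pushed by GPO to the Workstations OU. The subnet addresses, ports and rule names are assumptions.

```powershell
# Added example, not from the thread. Host-based containment for the worm
# scenario: default-deny inbound on the Domain profile, then allow the ports a
# worm or lateral-movement chain needs (SMB 445, RDP 3389, WinRM 5985) only
# from the management subnet. All addresses and names are assumptions.
$mgmtSubnet    = '10.10.10.0/24'                                     # servers / admin jump host VLAN (assumed)
$clientSubnets = '10.10.20.0/24', '10.10.30.0/24', '10.10.40.0/24'   # department VLANs (assumed)
$lateralPorts  = 445, 3389, 5985
$ruleGroup     = 'Segmentation (assumed example)'

# Without a default-deny the rest is decoration: a VLAN whose gateway routes
# everything gives no containment at all.
Set-NetFirewallProfile -Profile Domain, Private -DefaultInboundAction Block -DefaultOutboundAction Allow

function Set-SegmentationRule {
    param([string]$Name, [int[]]$Ports, [string[]]$From, [string]$Action)
    # Idempotent: replace an existing rule of the same name instead of stacking duplicates.
    Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $Name -Group $ruleGroup -Direction Inbound -Protocol TCP `
        -LocalPort $Ports -RemoteAddress $From -Action $Action -Profile Domain, Private -Enabled True | Out-Null
}

# Workstation-to-workstation SMB/RDP/WinRM is what self-replication and pass-the-hash
# rely on; block it explicitly (an explicit Block rule beats any Allow rule in Windows Firewall).
Set-SegmentationRule -Name 'Block lateral SMB/RDP/WinRM from client VLANs' `
    -Ports $lateralPorts -From $clientSubnets -Action Block

# Admins still reach every host, but only from the management subnet.
Set-SegmentationRule -Name 'Allow SMB/RDP/WinRM from management subnet' `
    -Ports $lateralPorts -From $mgmtSubnet -Action Allow

# Verify what is in effect: which remote addresses each rule applies to.
Get-NetFirewallRule -Group $ruleGroup | ForEach-Object {
    $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    '{0,-6} {1}  <- {2}' -f $_.Action, $_.DisplayName, $addr
}
```

These rules are meant for workstations. A file or print server needs its own Allow rule for TCP/445 from the client subnets, so when this is deployed by GPO, link it to the Workstations OU rather than the domain root. Because an explicit Block wins over Allow, the first rule is also what stops a compromised workstation in the Sales VLAN from reaching one in Engineering even if the firewall between VLANs is wide open.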