How would you guys approach this MS Server 03 to 08 upgrade?

tdean Member Posts: 520
Ok Boys, here's one for ya.....Network upgrade time!!! We have 3 sites (one rarely used). Everything is at 1 site now, the whole virtual infrastructure...2 DCs, DHCP, DNS spread out over different machines. FSMO roles were, but are now consolidated. Separate servers for "profiles"... roaming profiles, apps, fileshares etc etc... a mess.

Currently, everything is run from "Site A." When I say that, we have a huge DB app suite (NextGen) that everyone uses. "Site B" connects to it via thin clients and term servers, across an EVPL circuit (Many thanks to TE's it_consultant). We are hosting this off site in a month or so. "Site B" is always complaining about slowness etc.

I have set up the VPNs etc to the remote hosting site. My plan is to kind of segregate the 2 sites AND upgrade from 2003 to 2008... I'm upgrading both sites to vSphere 5 from 3.5. Site B is finally getting their own SAN and term servers and they have their own internet connection that they can use to access the offsite DB. I would like to set up the 2008 RemoteApp thing for our term server users to simplify things for them so they don't have multiple RDP connections on their desktop. I'm not sure how to migrate our current roaming profiles b/c they are set up so only users have access. How can I do all this without disrupting the current LAN? Basically AD is a mess and I would like to start from scratch... also no GPOs in place. Can I import only current users and groups? How do I set up separate DHCP scopes? Set up an authorization server or stub zone? Any info is appreciated.

Comments

  • ptilsen Member Posts: 2,835 ■■■■■■■■■■
    RDP to an RDSH or XenApp server is still the correct solution, IMO. You probably don't want to set up AD from scratch. If Group Policy is really so bad that you don't even want to fix it, you would be better off creating a new high-level OU with blocked inheritance, then creating your new structure under that. Create test GPOs and test accounts that are copies of existing production accounts to test the user experience, then move production accounts when ready.

    All that said, we'd probably need a more thorough overview of the current network and where you're really trying to go here. Do you have a network diagram or any more information you can provide?
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
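The "new high-level OU with blocked inheritance plus a test account that copies a production user" approach from the post above, as an added PowerShell example that is not from the thread. It assumes the Server 2008 R2 RSAT ActiveDirectory and GroupPolicy modules, and the OU, GPO and account names are placeholders; privileged group memberships are deliberately not copied onto the test account.

```powershell
# Added example (not the poster's own script). Assumes 2008 R2 RSAT modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN   = (Get-ADDomain).DistinguishedName
$NewOuName  = 'Rebuild'                 # assumed name of the new top-level OU
$NewOuDN    = "OU=$NewOuName,$DomainDN"
$SourceUser = 'jdoe'                    # assumed production account to mirror
$TestUser   = 'jdoe.test'               # assumed test account name
$TestGpo    = 'TEST - Drive and printer mapping'
# Groups whose membership must never be cloned onto a test account
$NoCopy     = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators'

function New-OuIfMissing([string]$Name, [string]$Parent) {
    $ou = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" `
          -SearchBase $Parent -SearchScope OneLevel
    if (-not $ou) { $ou = New-ADOrganizationalUnit -Name $Name -Path $Parent -PassThru }
    return $ou
}

# 1. Top-level OU with inheritance blocked: GPOs linked above it do not apply here
$top = New-OuIfMissing $NewOuName $DomainDN
Set-GPInheritance -Target $top.DistinguishedName -IsBlocked Yes | Out-Null
foreach ($child in 'Users','Workstations','TerminalServers') {
    New-OuIfMissing $child $NewOuDN | Out-Null
}

# 2. Test GPO linked only to the new Users OU (replaces the old vbs mapping scripts)
$gpo = Get-GPO -Name $TestGpo -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $TestGpo }
New-GPLink -Name $TestGpo -Target "OU=Users,$NewOuDN" -LinkEnabled Yes `
           -ErrorAction SilentlyContinue | Out-Null

# 3. Test account in the new OU that mirrors the production user's groups,
#    minus anything privileged, so the test shows a normal user's experience
$src = Get-ADUser -Identity $SourceUser -Properties MemberOf
$pw  = Read-Host "Password for $TestUser" -AsSecureString
New-ADUser -Name $TestUser -SamAccountName $TestUser -Path "OU=Users,$NewOuDN" `
           -AccountPassword $pw -Enabled $true
foreach ($dn in $src.MemberOf) {
    $g = Get-ADGroup -Identity $dn
    if ($NoCopy -contains $g.Name) {
        Write-Warning "$SourceUser is in $($g.Name); membership NOT copied to $TestUser"
        continue
    }
    Add-ADGroupMember -Identity $g -Members $TestUser
}
```

The warnings in step 3 also give a quick list of which production accounts are sitting in privileged groups, which is worth reviewing before anything is moved into the new OU.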
  • tdean Member Posts: 520
    ptilsen wrote: »
    RDP to an RDSH or XenApp server is still the correct solution, IMO. You probably don't want to set up AD from scratch. If Group Policy is really so bad that you don't even want to fix it, you would be better off creating a new high-level OU with blocked inheritance, then creating your new structure under that. Create test GPOs and test accounts that are copies of existing production accounts to test the user experience, then move production accounts when ready.

    All that said, we'd probably need a more thorough overview of the current network and where you're really trying to go here. Do you have a network diagram or any more information you can provide?

    Hi ptilsen,

So you think the RDP method I am planning is ok? With 2008? I mean, doesn't the RemoteApp function give the users an almost "Citrix" front end? We don't have the budget for anything Citrix unfortunately, that's kind of why we're in this situation.

As far as GPOs... there really aren't any. That's why I'd like to build from scratch. They are using vbs scripts etc for drive mapping and printers. I'd like to eliminate that and use GP to its fullest. I will have to rebuild the groups etc... the previous company put 50% of the users in the "admin" group when they ran into problems.

The network is very simple now... it's just going to be (for the most part) 1a and 1b, each with their own term servers and SAN. The VNX device also can be used as a NAS, so file sharing servers are being decomm'd. I'm just wondering how I can work on this without upsetting the current structure. Also, what is the best way to have the new site authenticate?
  • ptilsen Member Posts: 2,835 ■■■■■■■■■■
    Are site A and B both very large? What data and applications are shared between them? I'm not sure segregating the equipment into two sites makes sense, but it all depends on what's happening. Remote Desktop oftentimes offers a cheaper, even better way to give branch offices access to the same set of data and applications. But again, it all depends on the specifics. If A and B are doing very different things, giving each their own servers might make the most sense.

    To migrate the roaming or redirected profiles, your best bet is to use robocopy /copyall /e to copy the data, including all file security, to the new location outside of business hours. You then change the scripts, profiles, and/or GPOs to point to the new location.

    RemoteApp is analogous to a feature that has been a part of Citrix for a long time. However, I'm not clear on what you're trying to accomplish with it. If the users are on thin clients and use multiple applications, Remote App does not offer a compelling advantage over a full remote desktop session. It is a good experience for workstations that you want to quickly and easily deploy an RDSH-server-based application to, since it can function very much like it's installed on the workstation, but without the storage, installation, and maintenance overhead of actually installing it. It can also save on bandwidth, in some cases.

    But anyway, with thin clients, you should just point them to a new RDSH farm for full desktop sessions. With workstations, you should deploy RemoteApp MSI packages using group policy.
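The robocopy /copyall /e profile migration described above, as an added PowerShell example (not the poster's own script). Share paths and the log path are assumed placeholders; it adds /B (backup mode) because the original question says the profile folders are locked down so only each user has access.

```powershell
# Added example, not from the thread. Paths below are placeholders.
$Source = '\\oldfs\Profiles$'
$Target = '\\vnx01\Profiles$'
$Log    = 'C:\Migration\profiles-copy.log'
# /COPYALL  data, attributes, timestamps, NTFS ACL, owner and auditing info
# /E        include subdirectories, even empty ones
# /B        backup mode: reads folders the admin account has no ACE on
#           (requires SeBackupPrivilege, e.g. Backup Operators membership)
# /XJ       skip junction points so the copy cannot loop on itself
$Opts = '/COPYALL','/E','/B','/XJ','/R:2','/W:5','/NP',"/LOG+:$Log"

function Invoke-ProfileCopy([switch]$Preview) {
    $argList = @($Source, $Target) + $Opts
    if ($Preview) { $argList += '/L' }   # /L lists what would be copied, copies nothing
    & robocopy.exe @argList | Out-Null
    # robocopy exit codes 0-7 are success variants; 8 and above mean something failed
    return ($LASTEXITCODE -lt 8)
}

# Compare the full security descriptor (owner + DACL + SACL) of one folder
# on both sides. Returns $null when the admin cannot read one of them, which
# happens on user-only profile folders; those need checking as the user.
function Test-AclMatch([string]$Relative) {
    $a = Get-Acl -Path (Join-Path $Source $Relative) -ErrorAction SilentlyContinue
    $b = Get-Acl -Path (Join-Path $Target $Relative) -ErrorAction SilentlyContinue
    if (-not $a -or -not $b) { return $null }
    return ($a.Sddl -eq $b.Sddl)
}

# Dry run first, then the real copy (run outside business hours)
if (-not (Invoke-ProfileCopy -Preview)) { throw "Preview reported errors, see $Log" }
if (-not (Invoke-ProfileCopy))          { throw "Copy reported errors, see $Log" }

# Spot-check every top-level profile folder; PS 2.0 compatible (no -Directory)
$bad = @(); $unreadable = @()
foreach ($dir in Get-ChildItem -Path $Source | Where-Object { $_.PSIsContainer }) {
    switch (Test-AclMatch $dir.Name) {
        $null  { $unreadable += $dir.Name }
        $false { $bad        += $dir.Name }
    }
}
if ($bad)        { Write-Warning ("ACL mismatch: " + ($bad -join ', ')) }
if ($unreadable) { Write-Warning ("ACL not readable by admin: " + ($unreadable -join ', ')) }
```

Only after the spot-check is clean should the profile path on the user objects, scripts or GPO be switched to the new share; the old share can then be made read-only until the first full login cycle confirms nothing still points at it.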
  • tdean Member Posts: 520
    Ok, let me be more specific... we are a medical practice. 90% of what the users need is an application suite called "NextGen." All doctors, nurses, medical assistants etc... and they are usually logged in on more than one thin client b/c they bounce around from one exam room to the other etc. (Everyone in the co has roaming profiles, I don't think that is necessary, I'd like to tighten that up with an OU??) We are fairly small... probably 100 users at each location. The big thing here is that we are moving NextGen off site. So, rather than having Site B go across the EVPL and go out Site A's internet connection (and probably saturating it) I set up a second VPN from Site B to the offsite host and would like them to hit their own term servers. The other apps they use are specific to each group and I'd be able to reinstall on the new servers... basically, the only thing I would keep at Site A is the Exchange server I'd be setting up.
    The RemoteApp idea was to simplify things so they don't get confused with 2-3 RDP connections on their thin client desktops b/c they will have to authenticate on our network, then the offsite to get to NextGen there.

Did I explain that better?
  • ptilsen Member Posts: 2,835 ■■■■■■■■■■
    That makes a bit more sense.

    Is Next Gen going to be hosted on an RDS server you control joined to your domain, or is it provided by another company? Or is it just the server side being hosted, with the client application still sitting on your servers? Is your plan to put RemoteApps on their RDSH desktops so that their thins simply connect to the RDSH servers?

It sounds like you'll want your RDSH server farm and a single DC/fileserver at the two main branches, with DFS replication for any common file shares, if there are any. However, you may still have bandwidth problems with client mail access. Outlook RPC access to Exchange is extremely bandwidth intense, as is any file sharing between the branches. Having nothing but thins at one branch and doing RDP to the other might actually be less bandwidth than doing Outlook client access over the WAN link to site A.

Alternatively, you could set up a DAG and client access farm to have Exchange be locally available. That would more or less limit email bandwidth to the messages entering inboxes. Since client access becomes local, Outlook users are no longer connecting over the WAN to access emails.
  • tdean Member Posts: 520
    Well, we're still trying to figure out how much control we're going to have. The entire thing is hosted off site, server and app. We get lots of govt incentive $$ to do so b/c of all the new HIPAA laws etc. We're using a 172.22.x.x scheme, they are 172.18.x.x. Yes, that was my plan to simplify things (if possible)... remember, there are people that don't even know what "logging in" means. They don't know what their desktop is.... I don't know how they've got this far to be honest.

Do you think I should do a full AD install at Site B? How do I work on this without having it interfere with the current setup? Just disable the vNetwork on the vSphere device? I would like to reconfig DHCP also, we have a router doing it now, I'd like to move that... I forget, to use 2 subnets do I set up DHCP relay on one? As for common files, the VNX device works as a NAS also, so I can eliminate a server or 2.

Anyway, the mail thing is the very least of the issues, b/c it is currently hosted offsite.. just a POP3 web mail.
  • ptilsen Member Posts: 2,835 ■■■■■■■■■■
    Do you have Visio?
  • it_consultant Member Posts: 1,903
    tdean wrote: »
Ok, let me be more specific... we are a medical practice. 90% of what the users need is an application suite called "NextGen." All doctors, nurses, medical assistants etc... and they are usually logged in on more than one thin client b/c they bounce around from one exam room to the other etc. (Everyone in the co has roaming profiles, I don't think that is necessary, I'd like to tighten that up with an OU??) We are fairly small... probably 100 users at each location. The big thing here is that we are moving NextGen off site. So, rather than having Site B go across the EVPL and go out Site A's internet connection (and probably saturating it) I set up a second VPN from Site B to the offsite host and would like them to hit their own term servers. The other apps they use are specific to each group and I'd be able to reinstall on the new servers... basically, the only thing I would keep at Site A is the Exchange server I'd be setting up.
    The RemoteApp idea was to simplify things so they don't get confused with 2-3 RDP connections on their thin client desktops b/c they will have to authenticate on our network, then the offsite to get to NextGen there.

Did I explain that better?

    Did you ever get all of your EVPL problems cleared up?

    From my experience NextGen works like total crap through a terminal server. Citrix is better because it offers some more advanced acceleration and graphics. Makes for a much better experience. Additionally - if your providers work off site (in hospitals, etc) you can set up clientless VPN connections so your providers can use NextGen on any old computer without needing to worry about whether they will be allowed to install the VPN client or not.
  • tdean Member Posts: 520
    Hi guys... ptilsen, I will see what I can do about a Visio for you, but it's really super basic... 2 sites connected by EVPL, each one with 2 VPNs and each will have 2 term servers.

it_consultant, sorry it looks like I abandoned the EVPL thread, I got super sick for ~3 weeks and by the time I was feeling better, I figured I should just let it go. It seems the issues have disappeared on their own... I don't know how or why, but no one is getting any of the same protocol errors anymore.