Branch Office Infrastructure


    Branch Office Infrastructure - Presentation Transcript

    1. CINFINITY Branch Office Infrastructure Identifying and Resolving The Real Problems Aidan Finn MCSE, MVP Systems and Infrastructure Manager afinn@cinfinity.ie http://www.cinfinity.ie
    2. ABOUT ME • Working in IT since 1996: consulting, contracting and administration • Worked in large infrastructures, e.g. government, finance and transport • MCSE, MVP and leader of Windows User Group • Systems and Infrastructure Manager at C Infinity
    3. ABOUT C INFINITY • In operation for 2 years • Provides professional outsourcing services • Data security services: – Secure online backup – Laptop and USB device encryption • Managed server hosting: – Using the best data centre in Ireland (Data Electronics) – Enterprise class equipment and support – Enterprise class management and services
    4. AGENDA • Why is branch office infrastructure difficult and expensive? • Identifying the real enemies • Resolving the issues using current technologies • What is possible with Windows 7 Enterprise and Windows Server 2008 R2? • The SOHO
    5. SOME QUICK QUESTIONS • How many CD’s for Windows Server 2003 R2? a) 1 b) 2 c) 3 d) 4 • What are some of the features added in Windows Server 2003 R2?
    6. BEFORE YOU ATTACK A PROBLEM Sun Tzu, The Art Of War: “If you know your enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.”
    7. BOI DIFFICULTIES • Servers in every office • Sharing information is slow • Security is not sufficient • Administrator time is wasted • IT is seen as a non-contributing cost centre that delays business • Politics
    8. BOI AMBITIONS • Reduce server numbers and complexity • Use server skills in central offices • Provide collaboration systems that work • Increase security • Change the business view of IT • Politics: I’ll come to that later
    9. ENEMY #1 Q) Users in a branch office complain about slow cross-WAN application performance. What do you do? A) We throw more bandwidth at it. WRONG!
    10. REVEALING ENEMY #1
    11. NETWORK LATENCY Give Me Data Ack
    12. LATENCY VS BANDWIDTH • Adding bandwidth: – Does not change the laws of physics. A packet still takes the same time to transmit between A and B – Only allows more people to have the same bad performance. • Removing latency: – Bypasses the effect of physics on interactive applications. – Doesn’t reduce bandwidth requirements.
    13. NEXT GENERATION TCP • Introduced with Windows Vista and Windows Server 2008 – Compound TCP: Fewer ACK’s – Auto Scaling Receive Side Window: Larger data packets – GPO Controlled QoS: Manage bandwidth usage – SMBv2 – Explorer metadata cached • Continues with Windows 7 and Windows Server 2008 R2 • Updated independent study by the Tolly Group with lots of metric comparisons: http://tinyurl.com/ddrqdx • See chapter in Mastering Windows Server 2008: Essential Technologies
    14. LATENCY STILL LIMITS US • Next Generation TCP and SMBv2 improve things • 100% server centralisation still not possible • Hardware solutions: – Riverbed Steelhead – Citrix WanScaler • Block level optimisation of TCP traffic • Expensive • Scalable • They work: e.g. UK Royal Navy command system
    15. REAL ENEMY #2
    16. COMPLEXITY • There are servers in every office. Costs: – Administrative – Licensing – Hardware – Networking – Power – Maintenance • Backups are not easy – are they being done? • Applications of all kinds • Licensing is a nightmare • Uncontrolled and unaudited security
    17. SERVER CONSOLIDATION Use fewer physical servers: • Does not mean install more applications on one installation • Use x64 and more RAM for greater loads, e.g. Exchange 2007 and IIS7 • Use virtualisation, e.g. Hyper-V, to deploy fewer physical machines • Control VM mushrooming using VMM 2008 • Reduced power, hardware, maintenance, racking costs
    18. SERVER CENTRALISATION Have fewer servers in the Branch Office: • Deploy servers in HQ and regional headquarters • Place servers near expertise • Reduce the risk of physical attack • More reliable backup and recovery • Reduced DR site costs and complexity • Easier for users to share data
    19. CENTRALISATION IS NOT FOR ALL • Not always possible • Regulators • Data Protection • Local law enforcement, e.g. Italy
    20. BRANCH OFFICE SERVERS • Branch office virtualisation • Manage using System Center – Ops Mgr for health and performance – DPM for centralised backup – ConfigMgr for configuration, patching and audit – VMM for virtualisation • Lack of Physical Security: Read Only Domain Controllers / BitLocker* • Look at branch office blade servers, e.g. IBM Blade Centre S* or HP C7000
    21. BRANCH OFFICE BUDGET APPROACH • DFS Namespace and DFS Replication to replicate file shares for centralised backup • WSUS for patching • Consider the System Center Enterprise CAL (4 for the price of 2) for System Center
    22. BRANCH OFFICE VIA OUTSOURCING • MS Business Productivity Online Suite (BPOS) – Exchange – SharePoint – Microsoft Live Meeting – Microsoft Communications Server – Integrate with WAN Active Directory for centralised management • Managed Server Hosting – Use existing local expertise for a “pay as you go” approach – Find one that offers services, not “tin” • Secure Online Backup – Don’t rely on the receptionist to change tapes and send them offsite – Seek regulatory compliance and scalability (storage and recovery)
    23. COLLABORATION • Data is scattered all over the WAN • Access control is complicated • Backup is a nightmare • Users can’t find data • Email becomes the real sharing tool – Slow – Many versions – Information is lost • Business becomes inefficient
    24. CENTRALISE DATA • Centralised servers and optimal TCP enable this • Use fewer, but higher spec SQL servers • Use fewer file servers • Centralise application servers • Consider SaaS and Cloud Computing: – The future is now! – Remove the need for unwanted servers on your network • Use SharePoint
    25. SHAREPOINT • Use centralised and/or regional SharePoint farms • Scalable collaboration solution • Document control, workflow, basic applications, surveys, blogs, RSS, wiki, Exchange integration, shared contacts, digital form libraries, etc • Browser based and WAN friendly
    26. ACCESSING CENTRALISED DATA • WAN latency solutions • Use web based architectures • This presents an opportunity to simplify complexity at the desktop • Replace the PC with the terminal
    27. TERMINAL SERVICES • All applications and data in fewer data centres • RDP client, web interface, application publishing, secure remote access (better than VPN) • Printing: Easy Print • Consider Citrix or similar for extended features • In some ways TS is simpler, in some it’s more complex
    28. TERMINAL SERVICES COMPLEXITY • Terminal Services relies on compatible applications – See App-V (requires SA) • Simple Helpdesk can require change control • Change can become slow • Much different client experience for users • Might be useful for some, but not all
    29. VIRTUAL DESKTOP INFRASTRUCTURE • VDI • Run desktop OS in a virtual machine in the data centre • User client connects to desktop via broker • Dedicated or pooled VM’s • Required VECD licensing from MS • Currently VMware, Provision Networks and Citrix • Same boundaries as desktop OS • Consumes more resources than Terminal Services
    30. PC’S • Make use of what you have: Active Directory – OU’s, Group Policy and delegation • Have you deployed Terminal Services or VDI? • Manage PC’s using Configuration Manager 2007: complete management • Otherwise use free WSUS and WDS • Look at free solutions, e.g. PSTools and MS Baseline Security Analyser • Software Assurance Microsoft Desktop Optimization Pack (MDOP)
    31. SECURITY • All IT security starts at the front door – Who has the most access in your building? – Is it easier for me to walk in the door or get past your firewall? • Centralise as many servers/applications as possible – Less physical insecurities – Less logical insecurities • Employ BitLocker on vulnerable servers • Keep reliable and encrypted offsite backups • Use access auditing, e.g. OpsMgr 2007 ACS
    32. DIRECTORS AND ADMINISTRATORS They always want security exemptions: • Have the most access to sensitive data • Should have the greatest security • Get exceptions for directors in writing from directors – Cover your a** – Make them think twice about the importance of this • Play hardball with political branches, e.g. firewall and separate forest.
    33. ACTIVE DIRECTORY DESIGN • A domain is not a security boundary – contrary to Windows 2000 AD training. • If you cannot trust someone – put them in a different forest.
    34. LAPTOPS • Sometimes feels like no one has heard about device encryption and Data Protection – Software Assurance: BitLocker – 3rd Party: SafeBoot, Iron Mountain DataDefense • Road Warriors: look at secure online data backup, e.g. Iron Mountain Connected
    35. ADMINISTRATORS • Too many people doing the same job – Look at AD design and delegation model • The wrong people doing the wrong job – Juniors managing servers or domain controllers • Centralisation – Allows the right people to manage servers – Refocus branch staff towards local services • Employ Optimised Infrastructure
    36. USE WHAT YOU HAVE You already have them so use them: • Active Directory – OU’s, Group Policy and delegation • Folder redirection and offline files • On the file servers: Turn on Volume Shadow Copy and educate power users • WSUS: patch deployment • WDS: OS deployment • Free stuff: MDT, BDD, WAIK
    37. PRINTERS • I hate printers and I think I’m not alone • Too many helpdesk calls • Standardise your brands and models – Use vendor’s management software • Print Management Console: – Deploy printers via Group Policy – Centrally monitor via console
    38. REMOVE IT FROM THE EQUATION • Allow users to help themselves • Self-Service: – OS deployment using WDS / Configuration Manager 2007 – Software deployment using App-V – Replace operational backups with VSS – Sharing/Collaboration using SharePoint • Key is to do two types of training: – Pilot with power users – win them over – General training and document handover with users – reuse existing MS materials
    39. OPTIMISED INFRASTRUCTURE Build automation into the network: • Configuration Manager: build, deploy software to, patch and audit PC’s and servers • Operations Manager: Manage health and security This stuff does work, e.g. • 3 people managing 170+ servers • 2-3 hours a day of maintenance
    40. CHANGE BUSINESS OPINION OF IT • Reduce costs and complexity with centralisation and virtualisation • Increase collaboration by centralising data • Increase fault tolerance with centralised and reliable backups • Increase responsiveness to business with SharePoint, OS Deployment and App-V • You’ll see how future technologies add more
    41. BEFORE YOU PLAN ANYTHING • Win management support by working with them • Gather business requirements – don’t build something that needs to be changed • Consult company lawyers – Local/International regulatory compliance – Employment law • Beware of the unions – You’d be surprised what will start a walkout!
    42. WHAT ARE MICROSOFT DOING? • Windows Server 2008 R2 – successor to Windows Server 2008 • Windows 7 – successor to Windows Vista • Work better together: – Windows 7 Enterprise (SA Only)/Windows 7 Ultimate and Windows Server 2008 R2 offer remote computing and WAN optimisation – Federated Search – BranchCache – RemoteAccess – Remote Desktop Services – BitLocker To Go
    43. THE FINAL ENEMY
    44. COMPANY POLITICS • Prepare to challenge “fiefdoms” on your network • All sense of reason and logic out the window • Use financial arguments - technology does not win – A branch office with unskilled workers once wanted Domain Admin – I gave them a solution: firewalled network, their own forest, their own Internet link and firewalls, their own applications, systems management, etc – I won • Be ready for fighting “vertical battles” • If I had the solution, I would be ....
    45. ... HERE
    46. THANK YOU • This is where I hand over to the lads ...
    47. CINFINITY The experts in data protection and infrastructure hosting services Aidan Finn afinn@cinfinity.ie http://www.cinfinity.ie My Blog: http://joeelway.spaces.live.com
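
Added example, not part of the original deck: a simplified model of the latency argument on slides 11 to 13, showing why a tenfold bandwidth upgrade leaves a window-limited, chatty transfer unchanged while a larger receive window or lower latency shortens it. The file size, round-trip count, link speeds and 1 MiB window are constructed values; slow start, packet loss and protocol overhead are ignored.

```python
# Simplified model (added example): a sender may have at most one receive
# window of data in flight per round trip, and every application-level
# request/response exchange costs one full round trip.
# Ignores slow start, packet loss and protocol overhead.

CLASSIC_WINDOW = 65_535        # largest TCP window without window scaling, bytes
SCALED_WINDOW = 1_048_576      # assumed auto-tuned window (1 MiB), bytes


def window_limited_bps(window_bytes, rtt_ms):
    """Ceiling imposed by latency: one window per round trip, in bits/s."""
    return window_bytes * 8 * 1000 / rtt_ms


def effective_bps(link_bps, window_bytes, rtt_ms):
    """Achievable rate is the lower of the link speed and the window ceiling."""
    return min(link_bps, window_limited_bps(window_bytes, rtt_ms))


def transfer_seconds(size_bytes, link_bps, window_bytes, rtt_ms, round_trips=0):
    """Bulk transfer time plus sequential application round trips."""
    chatter = round_trips * rtt_ms / 1000
    bulk = size_bytes * 8 / effective_bps(link_bps, window_bytes, rtt_ms)
    return chatter + bulk


def scenarios():
    """Constructed case: 10 MB file, 200 protocol round trips."""
    size, trips = 10_000_000, 200
    cases = [
        ("10 Mbps, 100 ms RTT, 64 KB window", 10_000_000, CLASSIC_WINDOW, 100),
        ("100 Mbps, 100 ms RTT, 64 KB window", 100_000_000, CLASSIC_WINDOW, 100),
        ("100 Mbps, 100 ms RTT, 1 MiB window", 100_000_000, SCALED_WINDOW, 100),
        ("100 Mbps, 10 ms RTT, 1 MiB window", 100_000_000, SCALED_WINDOW, 10),
    ]
    return [(name, round(transfer_seconds(size, bps, win, rtt, trips), 1))
            for name, bps, win, rtt in cases]


if __name__ == "__main__":
    for name, seconds in scenarios():
        print(f"{name}: {seconds} s")
```

The first two rows come out identical because the 64 KB window, not the link, sets the ceiling at 100 ms of round-trip time.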

    joe_elway, 7 months ago


    This presentation discusses the problems faced with more


    © All Rights Reserved
