Question:
office365 hosted exchange. topic for idea's and mention for encryption for HIPPA/PHI
I know there are third-party/outside solutions that will scrub the outbound emails and if any criteria is met, it will push it to a secure site for authentication to be read by recipient.
Solutions?
@scottalanmiller said:
@ntoxicator said:
As this would not be a local disk on the Windows server and it would be considered a network location and windows server would have a hard time applying file/folder permissions for users/groups?
Huh? It would be a local disk. The AD system has nothing to do with "applying" permissions.
I understand.
In reference to AD, I was meaning the windows server in itself. This would be the file folder share permissions and the NTFS read/write permissions. Now, these are typically applied to local disks on the actual server.
The NAS setup with SMB share would be new to me. But, yes I understand it
I would need NAS with AD integration, so I can streamline and secure the SMB share over the network (Set of users who can access this share).
Then I would need FS (file system) permissions on the SMB share (on the NAS). Which would also rely on AD user/group
So in my logic and what I was trying to explain before. Is that I would 100% need a device with AD integration for an SMB setup, since this SMB share is NOT local disk on the actual windows server. Since I would not be able to to the NTFS & share permissions directly on that server....
Yes -- I read some information awhile back on Spiceworks.
@scottalanmiller said:
@ntoxicator said:
Unless I can create SMB share and present this network path \\location\share to the Domain Controller (net use). And then configure the seperate GPO policy for this sub-set of users @ satellite office. to which will make their folder redirection and roaming profile save to that new network location? Let windows server handle the file permissions on that SMB drive?
Why would you not be able to do that?
For some reason, I was under impression. When there is a SMB share, you have to use AD to be able to properly setup file folder permissions on the SMB folder. As this would not be a local disk on the Windows server and it would be considered a network location and windows server would have a hard time applying file/folder permissions for users/groups?
@scottalanmiller said:
@ntoxicator said:
Having 2 SAN's configured (sync storage). Would just help if one of them failed, I could quickly swap out the iSCSI pool and SR pointers within XenServer Control Panel and get us back online.
Yeah.... that's insanely silly. Just drop the original Synology and you'll save money, go faster and be safer. All wins. The only rational answer is to remove the Synology completely. Anything is, I'd have to say, insane. Why would any money be spent to do something that isn't any good?
It was a bad decision on that. Full circle then (1-year ago), when I was asking for new servers to create a Xenserver HA setup.
@scottalanmiller said:
@ntoxicator said:
We actually have 2 Synology rack-mounts. The idea was to pool them together using the Synology HA / sync and its heartbeat setup.
One of the places where NAS and SAN isn't something that you can fudge. I believe that the HA is for the NAS functionality only. But in both cases, it doesn't apply to use for VMs, so does not exist for you at all.
Gotcha - and i completely understand that now :). The HA would apply to the storage units themselves, and not to the running VM's. As latency and time it takes... we would still have downtime while I would have to re-associate storage pool / SR's and virtual disks to the VM's on xenserver node.
I see the bigger picture on that aspect now after it all being laid out to me.
Thank you - -and yes your correct. I was referring to it by its actual product name/description. As the Product is a Synology 1U rackmount server/NAS. But, as @scottalanmiller pointed out. Since I 100% indeed have it configured as block-level storage for iSCSI; its therefore a SAN
We actually have 2 Synology rack-mounts. The idea was to pool them together using the Synology HA / sync and its heartbeat setup. However, this was not fully implemented due to storage size on the original Synology storage unit. management complained about time it would take to migrate data to the new unit. As i would have to format the originating and setup as new before that could happen. But still would have single point of failure (back at the XenServer). I did however migrate the smaller Virtual Machines to the new Synology SAN storage and the block-level storage (Faster disks). So its just the domain controller VM and its data still sitting on the original Synology network storage device.
Having 2 SAN's configured (sync storage). Would just help if one of them failed, I could quickly swap out the iSCSI pool and SR pointers within XenServer Control Panel and get us back online. however, yes it is known if the single xenserver host failed -- we are shit out of luck. Management knows this.
I'm thinking of just a NAS unit. Probably a 2-disk unit in RAID-1. Again, I see a synology product here? I can create SMB2 shares on this, however I'm sure I will have to tie into AD using LDAP connector for it to work properly (because SMB share).
Unless I can create SMB share and present this network path \\location\share to the Domain Controller (net use). And then configure the seperate GPO policy for this sub-set of users @ satellite office. to which will make their folder redirection and roaming profile save to that new network location? Let windows server handle the file permissions on that SMB drive?
Just saying, The data being saved/written. Its all being saved to a virtualized disk pointed to the Guest Operating System (Windows Server).
But regardless, its data. When the time comes when we have to migrate to a new server setup -- it will just take time to migrate the windows server VM
As this Windows Server VM (Domain Controller). This single VM, has ALL the 1.5TB of storage that sits on one of the Virtualized Disks. As presented to XS through the storage repository as an ISCSI disk (pool).
Moving from the ISCSI disk pool NAS storage, and migrating data to a physical node using DRBD would take time. Although maybe not as slow as I'm assuming it might be.
Exactly.. I know its risky and I've hammered management about this and hence migrate to a new setup. To be more resilient towards any point of failure. As now its a waiting game.
Ok, I'll keep using SAN. As I know before NAS and SAN use to be very different in terms. However, in my usage case due to block level storage, its indeed a SAN.
Well, all things to be answered have been taken care of here. As it originally started off as DFS questions.
Yeah this goes back to the discussion in other thread on XenServer and DRBD vs SAN
The primary office we have with over 100 users, I built this configuration 3 years ago
1 single XenServer & a Synology rack mount NAS
using iSCSI to present the disks to XenServer SR
Back at the time of this setup.. same as always with this company I work for. Management is a mess and decisions are not thought out. Everything is 'do it quickly'. I hammered them 3 years ago asking any future growth or plans... now, 3 years later. they want to grow the company to 500 or more employee's by year 2020.
Where are they saving to now? Into My Documents (Documents?)
But the Roaming profiles (AppData folder) comes in handy as users complain if they lose their Bookmarks in google chrome... and their windows sticky notes...
Yes -- users save to My Documents (Documents), Pictures folder, Desktop. etc. The folder redirection works very nicely. As 90% of users connect and launch remote applications through a Terminal Server wrapper (use to use RDWeb). But i've deployed 2X Gateway (Parallels 2X). That way our clients billing software does not need to be installed and maintained on over 100 workstations. I can install it on a terminal server and push it out over network to all users.
Thats how I do it.
Topology / setup:
Xenserver node --
Within XenServer you specify a SR (storage repository). Here, I setup iSCSI storage. This was 3 years ago at time of initial setup. I now wish I used NFS (more viewability into actually files on stor)
on XS - I added a Virtual Disk to the Virtual Machine. Guest Operating System (Windows Server 2008 R2) Sees this disk as local to it..
Reason I ask if this is best practice.... Is, now if we are to migrate to a new XenServer setup. All this data on the VM and its attached virtual disk will have to be moved. Will take long time over GigE.
So its safe and okay to keep growing storage this way? But I'm sure @scottalanmiller will chime in as well. Even adding another server for SMB network storage location would further complicate. Hence, why to keep all storage localized to physical machines/disks and the DRBD options 
So, just a thought... and I'll take the beating after the fact.
Have I been doing this all wrong the entire time? meaning, the current setup we've had for 3+ years on our network?
Have a windows 2008 R2 VM (AD, GPO, win time)
On this windows server. I attached local storage (Presented through xenserver).
On this local storage (its local to operating system, but presented through xenserver as a SR -- iSCSI NAS storage).
So on this local storage; I have all the folder/file structures and also shared network locations. Within GPO, I specified the network location path for the User Profile and folder redirection settings...
in best practice scenerio's... or for larger envinronments
Is it best to just have separate network storage and SMB shares for these? rather than it all be saved back to the VM localized storage?
As you've mentioned, and opened my eyes to the NAS idea for this satellite office
Satellite office has ~20 users
Primary office has 100 users at the moment & growing...
So just looking for input on best practice scenario. As our office is using the folder redirection & Roaming profiles....
I dont really see any time that we will get away from this.. I'm trying to see if I would be able to 'draw a line' and get away from it. But our users are not very computer savvy at times (ironic, being that they have to sit at computer entire day to perform billing on behalf of clients).
We would have to re-train the users to save all the files to a specified network drive. But the Roaming profiles (AppData folder) comes in handy as users complain if they lose their Bookmarks in google chrome... and their windows sticky notes...also their outlook .OST (exchange cached). Users rely on outlook. I do not see many users using office365 for 100% of their use. as many users have access to multiple employee inboxes or a corporate inbox. Office365 (to my knowledge) you cannot view more than 1 mailbox. Unless you goto cogwheel and specify view another users box.
**edited and added further details
Understood. I just want to crawl into a hole today, lol. No excuse, but dealing with sinus infection since friday.
lol @ sarcasm.
Was not letting me include the whack whack when replying on this thread. That is what I was saying.
I guess when I type I also must be lazy and too vague and not descriptive enough with my definition and usage of UNC
UNC file path location {"\network\location\share"}
Not letting me do 'whack whack'
@scottalanmiller said:
Thanks scott. makes sense and I understand.
So again, just have to spec out a 2U server (I assume 2U). With the required disk space which would hold us out for 5+ years. I am going to say we would well over 5TB+ to be safe.
Could use 600GB or larger SAS drives with hardware raid controller. Or some enterprise level 7200RPM drives? I'm unsure how folks feel about those.
Thanks for the input
Reason mentioning onsite server was because we have a MAPS account which has server licenses, so cost is $0 right now; as the money has already been spent. (was spent)
So, I would just configure a NAS and present it BACK to the primary domain controller (over VPN UNC share)?
The fact is, CEO and management complaining users are not able to work efficiently enough. As all data right now is going over the VPN tunnel. Looking to mitigate this, so the new users at this remote site will have their folder redirection and roaming profile stored locally at that location.
Then the only data going over VPN would be the AD authentication and GPO's.
so -- the advice is to setup a local NAS, create file shares. Then at the Primary domain controller, attach the UNC share? I thought I couldnt do folder redirection and roaming profiles on network attached storage?
Thank you for all the awesome details here..
Company does not like downtime.. if we have to make employee's go home; costs company thousands. As its high volume work; billing services... collecting money for clients as well as a in house call center.
Have VM's for 2X (Parallels 2X Gateway) hosting apps company wide.
Just weighing the benefits. I just for some reason like the Idea of a SAN for storage.
Yes, I know would need 2 XenServer hosts & 2 SAN units. EMC would be awesome... How is it now under DELL though?
Or just do DRDB on XenServer using the HA-Lizard for 6.5; would this be fast enough? Probably spec out 2U server with 10-12 Drives with a hardware RAID controller... SSD Caching??
Why HA you ask? Well, don't want a single point of failure. Could have a single server hosting all the VM's. But then at high risk of any failure. Can have redundant PSU's and split power... But if the server happens to have a hardware failure. Then we are down until replacement. With a Secondary server, the VM's would roll-over.
I suppose this is why I was looking at Scale Computing; As its a already built solution/package deal with support.
So What is it that K12 environments use for user profiles and user data? Being that no user files are saved to workstations.
Is it my older teachings and methods to use Folder Redirection and roaming profiles? This is documented in 2008 R2 tech setups. I've used it on numerous setups and folder redirection has worked beautifully.
It would be a nightmare with employee turnover and the amount of times we shift employees around office to different desks to store data on individual machines.
I'm assuming look into a way of user home drives? I would think this would be messier approach?
You guys make me feel like a f[moderated]ing idiot at times.... simple direction is great or maybe some hand holding at times with my point of view and logic? Its like a pissing contest on here...
Ok so explain this to me, as I'm obviously hitting a wall.
These were existing employee's at existing office, which now subside within the satellite office.
I would have to move their User folder file, and profile folder to a new network location.
Simply would I be able to attach this NAS network drive to the current PDC and then from there create a group policy for this new set of users which points to this new network file path? Then I can copy their user profile folders to this new network path.... keeping their existing user data and settings?