I’m very intrigued by unified communications (UC) lately. Along with the cloud and Software as a Service (SaaS), I think these technologies will change the look and feel of modern network architecture.
We are all familiar with communication. We communicate by speaking, writing letters, reading newspapers and books, posting to bulletin boards, and even sending smoke signals. Analog phone signals have been around for quite a while, but over the last twenty years phones have moved from analog systems to digital systems. Today we look around and see many new ways to communicate: text messaging, cell phones, email, instant messaging (IM), remote online meetings and many more.
With digital media something changed, and it caught newspapers by surprise. The music industry is struggling with the same shift. For hundreds of years one communication medium could not interconnect with another. The information age has changed the game and is changing the way we think about information. For example, look at a newspaper. A newspaper is valuable because of the information it contains, not because of the paper it’s printed on. The paper is really just the shrink wrap around the product, like the packaging on the goods we buy from the store. No paper, no information.
Yet the digital age changed that: paper no longer lets newspapers control information. There is more demand for more varied information than at any point in human history, so newspapers should be more valuable and popular than ever. Yet today newspapers are going out of business all over the country. Why is that?
The reason is that up until the information age, communication media were independent technology silos that couldn’t communicate with one another. Take a newspaper. Nobody could copy a newspaper and sell the information for less than the publisher could. Because of this it was possible to put the media onto paper without losing control of the information. That suddenly changed with the information age: information could be lifted off the paper and republished through a newsletter, email or a website for less than the cost of a printed newspaper.
So the newspapers suddenly lost control of their information. Now we can lift information right off the paper or ignore paper media altogether. Why buy information on paper for 50 cents when we can get it digitally for a nickel? Information has become a commodity, much like water. It’s not that the information the newspaper sells isn’t valuable; it’s just become cheaper to buy the same information in a new way. Economics teaches us that if two identical apples are presented for sale, the lower-priced apple sells first. The same is true for information.
Unified communications is all about allowing different communication technology silos to talk to each other. For example, a voice message from a cell phone can be automatically stored on an email server and reviewed from an email client. An IM chat can become a way to exchange documents or begin an online video meeting between friends or business colleagues. Instead of equating information with the medium it’s exchanged on, like the newspaper, we need to see information for what it is. Quality always wins out if the price is the same.
With a UC system, after reviewing an email you can check from the email client whether the sender is online, then send a chat to see if they are available. If they are, you can make a phone call from a computer to a cell phone, all using one unified messaging tool. It’s not out of the question that in the future verbal communication will be provided not by your cell phone carrier but by your hosting provider. We are already seeing office PBX systems replaced by digital devices that speak both TCP/IP and VoIP. With a little competition, maybe cell phone company customer service will improve and unused cell phone minutes will become a thing of the past.
For the modern network architect UC is an interesting problem. This new technology needs to be integrated into the overall design of the business technology infrastructure. In the future UC systems will integrate communications technologies like email and phone systems into business systems like CRM and ERP, with each system potentially hosted off premises by a hosting service. Instead of capital expenditures for new technology projects, adding new technology becomes a simple operating expense. New technology rollouts used to require months, even years, of planning. With a UC platform, new technical services could be provided without the infrastructure changes we’ve traditionally seen, almost like a commodity, the way we buy more power or more water today.
It will be interesting to see where these technologies go and what the network of the future will look like. It may also be a little scary as our industry changes.
I’ve noticed some questions about how to run a help desk, so I wrote up a quick article about IT operations roles.
So what does a standard IT department look like? We are all familiar with calling the help desk when there’s a failure, but work in an IT department and you realize there is much more to managing one than the help desk technician on the phone. By understanding standard IT management and support practices, the modern network architect can build more effective network infrastructure.
In general, operations roles are split between those who manage the daily systems of the network and those who fix problems found on the network. Management of the network infrastructure is the role of Operations, headed by the operations manager. The Facilities team falls under Operations and manages the day-to-day hardware and software of the company’s network infrastructure. Incident Management, also under Operations, manages the resolution of failures that are known issues. Problem Management resolves unknown issues across the infrastructure. Event Management is the early warning system for the network, designed to catch problems before an actual failure occurs.
Eighteen-plus years ago there was no automated event management system. Review meant watching the autoexec.bat file for errors when the system booted, then manually checking disk space, memory allocation and log files. The first two hours of a shift were spent reviewing log files and researching (without the internet) the possible meanings of each error. Networks grew quickly, though, and soon became too large to manage manually. Event management systems automated this process. Managed services offerings are built around the event management system; it is what makes the kinds of SLAs we see in cloud systems possible. Working with the Facilities team, the event management team allows small teams to manage hundreds, even thousands, of servers.
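The manual checks described above are exactly the kind of thing event management automates. A minimal sketch in Python (the threshold, default path and error keywords are illustrative choices, not taken from any real monitoring product):

```python
import shutil

# Illustrative threshold; real event management systems make this configurable.
DISK_WARN_PCT = 85  # raise an event when a volume is more than 85% full

def check_disk(path="."):
    """Return an event dict if the volume holding `path` is nearly full, else None."""
    usage = shutil.disk_usage(path)
    pct_used = usage.used / usage.total * 100
    if pct_used >= DISK_WARN_PCT:
        return {"severity": "warning", "source": path,
                "message": f"disk {pct_used:.0f}% full"}
    return None

def scan_log_for_errors(lines):
    """Flag log lines containing error keywords -- the automated version of
    reading log files by hand at the start of a shift."""
    keywords = ("error", "fail", "critical")
    return [ln for ln in lines if any(k in ln.lower() for k in keywords)]
```

Run on a schedule across hundreds of servers, checks like these feed a central event console, which is what lets a small team catch a failing disk before the failure becomes an incident.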
There are two teams that manage failures on the network: Incident Management and Problem Management.
At first you might ask, how can an incident be resolved if it’s not fixed?
Well here’s a typical example:
A failing server is rebooted.
At first it’s running fine, but after a day or two it begins to slow and fail.
Later it’s discovered that memory is not being released from RAM after an operation completes (called a memory leak). Rebooting clears the memory and the system runs fine. Yet inevitably the RAM fills again because the software is still not releasing memory, and the system slows down until it once again begins failing.
In this example, Incident Management’s job is to reboot the server to get the system up and running. Problem Management’s job is to review the memory dump to verify the memory leak. The conflict is that capturing the memory dump takes time before the system can be rebooted: Incident presses for the reboot, while Problem Management presses for time to collect the dump.
Rebooting a server may bring the system operational again, but it does not address the root cause, so eventually the problem will happen again. Incident Management is not concerned with the root cause, only with getting the system back online. Problem Management is focused on stopping the incident from happening again. This puts the two teams in constant tension with one another. That is an expected conflict in a healthy operations team, and the operations manager is the ultimate referee.
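The scenario is easy to simulate. This toy Python class (names and numbers are invented for illustration) shows why the reboot resolves the incident without fixing the problem:

```python
class LeakyService:
    """Toy model of a service that never releases memory after an operation."""
    def __init__(self, ram_mb=100):
        self.ram_mb = ram_mb
        self.used_mb = 0

    def handle_request(self):
        self.used_mb += 5  # memory allocated per request...
        # ...but never freed: this is the memory leak.

    def is_failing(self):
        # Once RAM is exhausted, the server slows and fails.
        return self.used_mb >= self.ram_mb

    def reboot(self):
        # Incident Management's fix: clears RAM and restores service,
        # but the root cause (the leak in handle_request) remains.
        self.used_mb = 0
```

Reboot the instance and `is_failing()` goes back to false, yet every new request leaks memory again, which is exactly the cycle Problem Management exists to break.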
The incident group is broken into support levels, sometimes called tiers. The first tier is a triage level: the tier 1 support technician tries to identify the problem in order to resolve it quickly or escalate it to the tier 2 and tier 3 teams. These teams investigate known issues to find a solution to the problem. Tier 3 support technicians have the deepest level of training in the specific technology, and the tier 3 team is responsible for final resolution of all incidents.
Tier 3 support may put together a major incident team. To resolve the incident, the tier 3 team’s responsibility includes contacting anyone and everyone, including outside vendors and the technical support teams of software and hardware manufacturers. Major incident teams are assembled to coordinate, document and manage this final stage of the incident process.
Resolving the incident means bringing the system back online and functional. Once the incident is resolved, the incident team’s job is complete. For Problem Management the job has just begun. Resolved major incidents are discussed by the operations management team to determine whether the major incident is a known issue. If not, the incident becomes a problem and is taken over by the Problem Management team.
Problem Management’s job is to find the root cause for each problem ticket. Problem management teams spend time looking at the hardware, software, drivers and other possible causes, and will bring in members from the manufacturers who developed the components that failed. Once the root cause is determined, the cause, symptoms, fix and/or workaround are documented and the solution is placed into the incident team’s database. The incident team can then resolve the known issue without escalating it to the top tiers.
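The hand-off between the two teams boils down to a shared known-issue database. A minimal sketch (real shops use a ticketing system; the symptom text and fix here are invented for illustration):

```python
# Toy known-issue database shared by Problem and Incident Management.
known_issues = {}

def record_solution(symptom, root_cause, fix):
    """Problem Management documents the cause and fix for a symptom."""
    known_issues[symptom] = {"root_cause": root_cause, "fix": fix}

def triage(symptom):
    """Tier 1 checks the known-issue database before escalating."""
    if symptom in known_issues:
        return f"apply known fix: {known_issues[symptom]['fix']}"
    return "escalate to problem management"

# Problem Management closes the loop on the memory-leak example:
record_solution("server slows then fails",
                "application memory leak",
                "reboot nightly until vendor patch is applied")
```

Once the entry exists, the next occurrence of the same symptom is an incident with a known fix rather than a new problem, which is the whole point of the process.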
In this way an IT department maintains the network. Day-to-day management is handled by the Facilities team. Incidents are failures managed by the Incident team through three levels of support. Problems are failures without a known cause; Problem Management determines the cause and the solution and records both in the incident support database. Finally, the entire team is managed by the operations manager.
These are the typical core roles within the network infrastructure operations team.
The file server role is one of the simplest roles on the network. Yet sometimes this simple role becomes very complex when we add in security principles. The modern network architect needs to understand how to do it right or get really good at troubleshooting complex security issues.
Imagine an indoor mall. The parking lot is a huge community space: anyone can park a bike or a car. There are very simple community rules, but also very limited access to the products and resources the mall protects. Inside the mall is still a place where most people have access and are welcome. The rules inside are stricter than in the parking lot, but still fairly lax; as long as you don’t play in the fountains, most people are welcome.
Walk deeper into the mall and the access changes. The rules grow stricter as a person gets closer to the actual products and assets protected and sold within the mall, and with those rules come more enforcement and harsher punishment when rules are broken. Each inner door in the mall marks a point where security access heightens, yet the rules are not so restrictive that people feel uncomfortable shopping or working. Go deeper still, into the employee areas, and there are even more rules, more restrictions and harsher penalties that are more frequently enforced.
In a modern network, the security model is very similar. Full access to corporate data is only given after full verification of who you are. Limited access, like read access to specific company-wide documentation, is available to everyone. Full access requires more trust as well as more security checks, yet if designed well it will hardly be noticeable. Well-designed security allows full organizational productivity. The people in the mall hardly notice the security unless they start breaking the rules, and the same is true for a well-designed network. Each employee should have all the access to data that their role requires, while data that isn’t required stays restricted.
As simple as this may sound, I find myself cleaning up after certified network professionals who don’t understand how to build highly secure networks. In its simplest form there are three building blocks: file level security, folder level security and share level security.
File level security assumes a micro level of security management. In a mall, the jewelry store might use the equivalent of file level security. Jewelry is expensive, small and easy to walk out with and varies in value. Jewelry stores will go bankrupt if 10% of their inventory is lost. Therefore tracking each and every piece of jewelry is very appropriate. For most businesses though this level of security is not practical or effective.
Folder level Security is a more macro level of management. In a retail store under this model every piece of inventory has the same security procedure for keeping it secure. So rather than track every shoe lace and staple, the store builds a security model where everything is tracked the same way. Entry and access to the folder is important in this model.
Share level security is like the door and the security camera. The share identifies who is an employee and who is not, and access to the store is granted based on that first evaluation. Even if you are the owner, if the share sees you as a customer or non-employee, there is no access to the employee sections of the store. Share level security is independent of file and folder security: share access is evaluated without consulting file and folder permissions, so a share may refuse access even when file level security allows full access.
Many security breaches happen because administrators have no idea how share level security works, so they give full access to all corporate shares. That is often the reason someone on the internal network sees something in HR that they shouldn’t be seeing. By giving all users full access to all shares in the company, accidental breaches happen. Without tightening the share permissions, HR and other highly secure areas face an extra level of risk from accidental internal breaches. The modern network architect needs to understand how file, folder and share access rights can protect the company from these types of accidental breaches.
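The rule that trips administrators up can be stated in a few lines of code: when a file is reached through a share, the effective access is the MOST restrictive of the share permission and the file/folder (NTFS) permission. This Python sketch simplifies the Windows permission model to a four-step scale for illustration:

```python
# Simplified permission scale, ordered from least to most access.
LEVELS = ["none", "read", "modify", "full"]

def effective_access(share_perm, ntfs_perm):
    """Share security is evaluated independently of file/folder security:
    whichever grants LESS access wins when both are in play."""
    return LEVELS[min(LEVELS.index(share_perm), LEVELS.index(ntfs_perm))]
```

So a user with "full" NTFS rights still gets only "read" through a read-only share, and conversely a wide-open "full" share gives every internal user whatever the NTFS permissions allow, which is exactly how the accidental HR breach above happens.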
We are all familiar with core business technologies. These are the technologies that keep the business running. Each department within a business will have a database of information that maintains the competitive advantage of the business. These are the core business systems. If these systems fail the competitive advantage of the company may be lost. Sometimes when these systems are compromised the end result could be bankruptcy. Edge systems are the systems the modern network architect uses to provide layered security boundaries around these core business systems.
Modern network architecture defines edge systems as independent systems that sit on the outside periphery or edge of the network. These systems do not run on the physical boxes of the core business systems. These systems block all packets except known and approved packets, from entering the subnets where the core business systems function. Edge system logic blocks traffic and assumes all incoming traffic is dangerous unless proven otherwise. The data packet must prove it is safe before it can pass through an edge system. Typically we think of edge systems protecting from spam, system overloads, sneaky viruses attached to an email or outright attacks on the core company infrastructure.
Some edge system examples:
An edge server will act as an additional check of the data packet before that packet is passed on to the core business systems of the organization.
An edge system can be very simple or very complex. The simplest systems may only perform network address translation (NAT). A more complex system moves safe packets through multiple subnets, performs signature validation and other integrity checks, scans encrypted data packets, and may even strip the entire protocol stack and replace it with a new protocol before passing the packet to the next system. These complex edge systems sit just before, or inside, a DMZ. A DMZ, named after the demilitarized zones of the Cold War, is a physical or logical sub-network that contains and exposes an organization’s external services to an untrusted network.
DMZs come in many shapes and sizes. The classic DMZ manages at least three subnets: trusted, untrusted and the DMZ itself. The trick for the packet is moving from one subnet to the next, which often requires a NAT. Before the NAT can happen, the packet needs to be authenticated and approved. Modern DMZs use multiple systems for packet authentication. Using a public key infrastructure (PKI) for authentication, the DMZ will apply multiple levels of encryption and authentication, including signing, authentication, data encryption and tunneling protocols.
When a packet comes into the DMZ, it is only accepted if it has been approved by a third-party source. A simple approval occurs when the edge system confirms the packet by reading its signature, which can only be verified using the keys managed by the PKI system.
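The accept/reject logic can be sketched in a few lines. Note the simplification: a real PKI verifies a signature with the sender’s public key, while this stand-in uses a shared secret and an HMAC from Python’s standard library to show the same gatekeeping behavior (the key and payload are invented for illustration):

```python
import hashlib
import hmac

# Illustrative shared secret; a real edge system would verify against
# certificates issued by the organization's PKI instead.
SECRET = b"illustrative-shared-key"

def sign(payload: bytes) -> bytes:
    """Produce the signature a trusted sender would attach to a packet."""
    return hmac.new(SECRET, payload, hashlib.sha256).digest()

def edge_accepts(payload: bytes, signature: bytes) -> bool:
    """The edge system accepts a packet only if its signature verifies;
    everything else is assumed dangerous and dropped."""
    return hmac.compare_digest(sign(payload), signature)
```

The design point is the default: a packet with no signature, or a forged one, never reaches the trusted subnet, matching the "dangerous unless proven otherwise" rule described earlier.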
Edge systems protect the core data within the business system. The edge system starts from a traditional DMZ infrastructure, then augments it through various security techniques. To reduce the complexity of managing the routing systems within the DMZ, tools such as PKI, packet signing, tunneling, authentication, data encryption and gateway technologies are used. An edge system takes the old DMZ infrastructure and adds a series of security systems that improve the reliability and security of the core business systems.
Over the years working as a Seattle IT consultant I’ve spent time in many different network infrastructure environments. After more technical interviews than I can remember, there are certain questions that almost always get asked. The most common is, “What are the five FSMO roles?” I remember one interview in particular where I met with five separate network administrators and the network architect. Each administrator asked me the same question: what are the five FSMO roles in a Windows AD network? The architect told me later that he had planned to ask me the same question.
After questioning his system admins about what they had asked, he realized how many times I’d been given the same question, so he started the interview by telling me that he would not be asking me what the five Active Directory FSMO roles were. In this article on modern network architecture I’d like to ask you: can you name the five FSMO roles and what they do?
In case you had to go look them up, let’s go over them real quickly.
Active Directory is a database of network objects organized by AD components: sites, forests, domains and organizational units. From Windows 2000 to Windows 2008 the definitions of each of these have changed. The domain was once a security boundary with its own security system, and the forest was just a way to manage and maintain the “shares” between the domains. Now the forest is the security boundary, using Kerberos to manage domain security, shares between the domains, and connections between forests as well.
There are two forest FSMO roles and three domain FSMO roles. The domain roles are duplicated within each domain: while there are only two forest roles in any forest, there are three domain roles in every domain in the forest.
Schema Master – Remember that Active Directory (AD) is a database of all the objects in the network. A schema is a description of the fields in the database. The schema master is the only role that can add or change fields and field descriptions in Active Directory.
Domain Naming Master – Unique names are essential across the forest. When two objects have the same name, AD has no idea which object to make assignments to. Unique naming starts with the domain: the domain naming master’s job is to ensure that each domain name, and hence every forest object, is named uniquely. (All objects within a domain include the domain name in their object name. As long as the domain name is unique, everything else in the name can match another domain’s objects, yet within the forest the full name is still unique. Hence unique domain names keep all names inside the forest unique.)
Infrastructure Master – The infrastructure master tracks and maintains a list of the security principals from other domains that are members of groups within its own domain.
RID Master – Each object within the domain requires a unique relative ID (RID), and the resulting IDs must be unique across the forest. The RID master builds pools of RIDs for its domain and hands them out to domain controllers; as objects are created, RIDs are assigned from the RID pool.
PDC emulator – The primary domain controller (PDC) emulator operations master processes all password updates.
The interesting thing is that unless a system administrator actively uses these roles, they are seldom very familiar with them. The roles have changed since Windows 2000, so the system administrator asking the question doesn’t always know the real answer. When they contradict you, understand that you may be right, but you need this person to save face if you want the job. Rather than either of you losing face, say something like, “I was pretty sure that role changed with 2008, but I’ll have to go back and check that.” Often they’ll back down and go check themselves.
Understanding the roles does make a difference when the network starts failing. If you suddenly can’t create new objects in a specific domain, the RID master has probably run out of RIDs and is unable to issue another RID pool; without a RID, no new objects can be created in the domain. When a role fails, something specific stops working, and knowing what will fail is a good way to remember what each role does. Walking through the troubleshooting scenarios will help you understand each role much more accurately.
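That failure-oriented view of the roles can be captured as a simple lookup table. The Python sketch below is a memory aid in the spirit of the paragraph above, not an exhaustive list of symptoms:

```python
# Each FSMO role mapped to the headline symptom when it fails --
# a study aid, not a complete troubleshooting guide.
fsmo_failure_symptoms = {
    "Schema Master": "schema cannot be extended or modified",
    "Domain Naming Master": "domains cannot be added to or removed from the forest",
    "RID Master": "new RID pools cannot be issued, so eventually no new objects",
    "Infrastructure Master": "cross-domain group memberships go stale",
    "PDC Emulator": "password updates are not processed promptly",
}

def diagnose(symptom_keyword):
    """Return the roles whose failure symptom matches a keyword."""
    return [role for role, symptom in fsmo_failure_symptoms.items()
            if symptom_keyword.lower() in symptom.lower()]
```

Working backwards from "what breaks" to "which role" is also a handy interview trick: it shows you understand the roles rather than having memorized a list.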
So next time you are part of the interview process, whether as the interviewer or the interviewee, consider boning up on the FSMO roles for Active Directory.
Oh, by the way, here’s an interesting question: what AD object is used to manage slow network connections?
In earlier blogs we talked about the need for the modern network architect to anticipate new technologies in their designs. Somehow the architect needs to look into the future. What if a technology were coming down the pike that completely turned the network upside down? Recently I’ve been studying the next version of Microsoft Lync, and from what I can see this software is going to change the way users communicate across the network.
When I was designing my first NT 4.0 network I said I wanted to specialize in wireless network infrastructure design, and other network architects told me I’d go broke. When I began working on my first virtual server systems, we were building test environments for software development. Remembering how Red Alert took out thousands of my clients’ computer labs and production servers, I suggested that we should start planning for when virtual servers would be used as production servers; I even insisted that virtual servers should replace production web servers. Again I was laughed at for the suggestion. In the same spirit, I’m suggesting that production Lync servers will change the way colleagues inside a company communicate and the way businesses form collaboration partnerships with other companies.
If you’ve followed communication technologies over the last 10 years, there are far more ways to communicate with colleagues today than ever before. The problem has always been that each communication system has its own way of connecting with users and storing information, so sharing information across communication technologies has, for many businesses, been more trouble than it’s worth. With Lync everything is changing. Lync is a technology platform designed to integrate communication technologies in a centrally managed portal. With Lync, one communication technology can share storage resources with the others, so the user can access the stored data from any communication technology’s interface.
An example is unified messaging on an Exchange server, which allows phone messages to be forwarded to your Exchange mailbox. Interesting technology, but how many system administrators have implemented it? Does your company have an instant messaging (IM) system that saves chat transcripts to your Exchange server? How about remote online meetings that can be scheduled through Outlook? If you have the BPOS suite of services you may, but most businesses don’t add or turn on these features.
One of the most interesting aspects of the newest Lync versions is the integration with VoIP technologies. Lync can actually replace an organization’s PBX system. Phone calls can be made from a computer to any phone or IP device inside or outside the network, irrespective of geographic location. Instead of having a phone on the desktop, calls are made from user to user and the actual device used is no longer important. Users will be able to communicate no matter where they are, and whether at that moment they are on a phone or a computer.
How do remote users outside the firewall connect to your data? Once again Lync has a solution that is more secure and more reliable. The features and benefits of a wireless VPN or other more complex remote access technologies become less and less important, because the security benefits of those systems are incorporated into the Lync offering.
This has huge implications for business and for the telecom industry. Imagine you were a telecom company and the business world reduced its handset purchases by 50%, then telecom customers signed up with hosting providers that could run the telephony requirements of the company through a hosted Lync site. Telecom companies are probably looking very seriously at this technology in order to offer it to their own customers.
For the systems architect, phones and other communication systems are becoming part of the network architecture. What will you be doing to integrate your systems with this type of technology?
In any network architecture project there is a triple constraint: scope, time and resources. If a project is failing, then probably one or more of these three variables is out of balance, and saving the project means bringing all three back into some kind of balance. It’s ironic that as a project fails, more and more energy is put into the wrong variable, almost like pumping water into the hold of a sinking ship. How many project leaders are sinking their project by focusing on only one of the three variables?
I’ve noticed that the technologies that are profitable for a company also reduce the cost of doing business; they change the balance between these variables in a positive way. For example, reducing production time always affects either scope or resources. Ford realized that by focusing resources (money and employee time) on the assembly line and reducing scope (painting the Model T “… any color as long as it was black”), he could increase the number of cars built each hour. Through a combination of technology and business process, the assembly line increased output without significantly increasing the cost to produce each car. At that time the only limit on company profitability was the number of cars that could be produced.
All technological innovation is like this. Lewis and Clark took 13 months to walk across the country. Add technology, like rail lines and locomotives, and the time is shortened. Why walk when there are trains? Who would ride a train when planes are faster and more comfortable? Notice too that as a technology matures it also becomes more efficient. In the Lewis and Clark example, a new technology ended the need for walking and cut the trip by more than half; newer transportation technology has since replaced trains and cut travel time from months to hours. Profitable technologies allow the exploitation of time, scope and/or resources.
Triple Constraint Variables
Time: Time is a measurement of “now” versus when the project is to be completed. Milestones mark the time between now and completion, and each milestone is associated with the tasks that make up the project. The timing is successful when the tasks are completed at the predicted milestones.
Scope: Scope is what is to be accomplished, broken down into smaller and smaller increments called tasks. Tasks have a predictable order, priority and milestone associated with them. Successful tasks are matched with time milestones.
Resources: Resources boil down to costs. What will it cost to have a task completed? This is complicated by time: it’s not enough to calculate the cost of performing the task, but of completing it on time. Success occurs when the actual cost of the task matches the predicted cost and time associated with it.
Changing any one variable will always affect the other two. Extend the project’s timeline and either scope can increase or the cost of resources can decrease. Increase resources and either time can be reduced or scope can be increased. Finally, increase scope and either time or resources must increase. The company makes money when technology is architected so that the cost of using it produces a net reduction in time or resources.
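The coupling between the three variables can be shown with a deliberately crude model. Assume scope is measured in abstract task-units and that scope = resources × time (real projects are not this linear; the units and numbers here are invented for illustration):

```python
# Toy model of the triple constraint: scope = resources * time.
# Units are abstract task-units, people, and weeks -- illustrative only.

def required_time(scope, resources):
    """Weeks needed to deliver `scope` task-units with `resources` people."""
    return scope / resources

def required_resources(scope, time):
    """People needed to deliver `scope` task-units in `time` weeks."""
    return scope / time
```

Even in this simple model, fixing any two variables determines the third: halve the schedule while holding scope constant and the resource requirement doubles, which is exactly the trade-off the failing project leader ignores by pouring energy into only one variable.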
Henry Ford spent more resources on assembly line technology and the men to run it, yet in the process reduced costs and produced more automobiles. The problem is that his competitors soon recognized they needed assembly lines to compete, and the competitive advantage was lost. Unless Ford built further competitive advantages before his competitors caught up, he would fall behind. In Ford’s day the assembly line was far less efficient than it is today; 100 years later, production lines running at full speed are efficient but produce far more product than can ever be sold. Spending money to make assembly lines faster will no longer improve the bottom line for individual car manufacturers.
Today’s technology is the same way. For our clients to be more competitive, these advantages must be architected into the design. The purpose of change is to save the company money or make the company more productive, and replacing technology with more efficient technology just isn’t enough anymore. If we look at network architecture now, we see waves of technology bringing in change, yet most of those waves are replacing less efficient systems that do the same thing. For example: when designing a network that includes cell phone access, is that really new technology? How different is cell phone access to a network from an analog modem connection 40 years ago? The only difference is that now we can do in minutes what may have taken hours. True innovation doesn’t mean making the assembly line faster; it means replacing the need for an assembly line. Until we can do that, we need to remember that change affects the triple constraint in either positive or negative ways.
When evaluating new technologies ask the question, which variables will change? Time, scope or resources…