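Comms Room Networking
While you may have some measures in place to allow for failures of your network and the servers within it, how much have you really thought about it? In many solutions something is always overlooked or missed, simply because of a common mindset: "we will probably never need it". It is a frightening thought that an IT solution can easily suffer a complete outage because a simple task was left incomplete or ignored!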


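Every business has many business-critical applications, but the generic servers and applications that every business should consider backing up, making highly available and taking extra care of are the following: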

Domain controllers
DHCP servers
DNS servers
Exchange server (if a cloud email solution is not in use)
Virtual hosts (VMware ESX or Hyper-V)

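Each of the servers mentioned above should be able to fail completely without seriously affecting your business operations. Having two of each is enough to allow for a failure as long as the configuration is correct, but what is the correct configuration?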

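Domain controllers
For domain controllers, you should configure them to act as a single entity, which is very achievable. All Active Directory data can be shared across multiple domain controllers, and if one of them fails your business can carry on as normal.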

DNS and DHCP servers
A well-known feature of the Windows Server OS is DHCP. It can be configured across multiple servers, and placing the service on a domain controller is usually a good idea. If you place this service on both domain controllers, clients will still receive an IP address in the event of a failure. Some configuration has to be replicated manually, but if a failure occurs the key DHCP operations will continue to run on your network. DNS services follow the same principles as DHCP and can be configured in the same way.

Exchange server
Microsoft Exchange supports high availability configurations in several ways, and a trained specialist should always be the one to configure such an environment. Databases can be shared across multiple servers, so in the event that one server fails you can activate the database on another server without issue and your mail will continue to flow. In today's world, I would personally recommend a hybrid Office 365 solution or a full Office 365 solution, because the service is very reliable, takes up a lot less of your IT team's time and can be cheaper to use in the long run.

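Virtual hosts
This is a big one. Some people may think that having two of each server is enough and that they have accounted for everything, but this is not the case! You may have two virtual servers which are domain controllers, DHCP servers and DNS servers, but what if the physical host fails? In that case you need to consider placing the secondary servers on a separate secondary host that has enough resources to take on the load of the primary host in the event of a failure, and vice versa. In my experience VMware performs much better than Hyper-V when it comes to high availability, and I would always recommend VMware over Hyper-V.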
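
One way to audit the two conditions described above, as an added example that is not part of the original article: it flags roles whose every instance sits on one physical host, and checks whether the surviving hosts have room for a failed host's VMs. The VM names, host names and RAM figures are constructed, and capacity is modelled as RAM only, which is a simplifying assumption.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical names): each VM, the roles it
# provides, the physical host it runs on, and the RAM it needs in GB.
VMS = [
    {"name": "dc01", "roles": {"DC", "DNS", "DHCP"}, "host": "esx-a", "ram_gb": 16},
    {"name": "dc02", "roles": {"DC", "DNS", "DHCP"}, "host": "esx-a", "ram_gb": 16},
    {"name": "exch01", "roles": {"Exchange"}, "host": "esx-a", "ram_gb": 64},
    {"name": "exch02", "roles": {"Exchange"}, "host": "esx-b", "ram_gb": 64},
]
HOSTS = {"esx-a": 128, "esx-b": 96}  # physical RAM per host in GB (constructed)


def roles_lost_per_host(vms):
    """Map each host to the roles that disappear entirely if that host fails."""
    hosts_by_role = defaultdict(set)
    for vm in vms:
        for role in vm["roles"]:
            hosts_by_role[role].add(vm["host"])
    lost = defaultdict(set)
    for role, hosts in hosts_by_role.items():
        if len(hosts) == 1:  # every instance of the role shares one host
            lost[next(iter(hosts))].add(role)
    return {h: sorted(r) for h, r in lost.items()}


def capacity_shortfalls(vms, hosts):
    """For each host failure, return the RAM (GB) the survivors are short by."""
    used = defaultdict(int)
    for vm in vms:
        used[vm["host"]] += vm["ram_gb"]
    short = {}
    for failed in hosts:
        # Free RAM pooled across all hosts that are still running.
        free = sum(cap - used[h] for h, cap in hosts.items() if h != failed)
        if used[failed] > free:
            short[failed] = used[failed] - free
    return short


if __name__ == "__main__":
    print("Roles lost if host fails:", roles_lost_per_host(VMS))
    print("RAM shortfall (GB) if host fails:", capacity_shortfalls(VMS, HOSTS))
```

In the sample, both domain controllers share one host, so that host takes DC, DNS and DHCP down with it; moving the second controller to the other host clears that finding but leaves the capacity shortfall, which is why both checks are needed.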




So now we have covered the generic critical servers, what about your network? In order to have a fully redundant solution, you have to have a robust network that can handle equipment outages at any time. Here are the key factors to think about when designing and implementing a redundant network solution:

HA firewall clusters
Switch stacking
Port channels
DHCP (if this service is not on a server)
Multiple internet circuits

In order for the above to work effectively, you need to have the correct configuration, otherwise your network will not behave as expected even if you have the right equipment. Here is a breakdown of what you should consider:

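HA firewall clusters
Creating a firewall cluster can be a very complex task depending on the manufacturer and the model you are using. I would always recommend a well-known brand such as Cisco or WatchGuard, who have very reliable HA solutions available. The firewall should have rules in place to allow for a failure and for traffic to still flow through. This means the rules should allow traffic through the secondary firewall just as they do through the primary; this may seem like a simple task, but it can be very complex. With different private and public interfaces, you will need multiple public IP addresses or internet circuits to allow for such configurations. HSRP is a very good feature that you should consider using, because it allows any of your publicly accessible services to remain reachable in the event of a hardware failure. The reason for this is that your public DNS record will point to one public IP address for a particular service; if this IP is able to "float" across both firewalls then it will always be accessible. The IP is only the start, because behind it there are multiple firewall rules that NAT traffic and allow or deny traffic. As long as the private/LAN interface is given the same access as the primary firewall's private/LAN interface, you should not see a problem.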

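Switch stacking
Switch stacks are an amazing feature which allows multiple physical switches to become a single entity. This means that if one switch in the stack were to fail, you would still have access to the network. Unfortunately, end users will always be a single point of failure unless they have two network cables connected to their PC, or a choice of wired and wireless connections. The reason for this is that one cable goes to one interface on a switch, and even if the switch is part of a stack, if it goes down the end user's PC will fail to connect to the network. A wireless solution is well suited as a backup method of accessing the network but, strangely, it is usually not configured this way. As for servers, they will usually have two network interfaces that you can configure as a bond/team and then connect to separate switches in the stack, which allows for redundancy. Overall, when configuring switch stacks, you must remember that it is a useless configuration for redundancy unless you connect your clients to separate switches in the stack.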

Port channels
Also known as EtherChannels and trunked ports, port channels allow multiple interfaces on a switch, firewall or router to act as a single interface. Configuring a port channel allows one interface to go down while a connection between the two devices remains. These are critical for the links between the firewalls and core switches, as well as for the links between all the switches on your network. The reason for this is that if you only have one single cable/connection on the only link out to the internet, then all it takes is for that link to fail to cause a total outage.

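DHCP
As discussed earlier in this article, DHCP is required for clients to access the network and can be configured on network devices such as firewalls and switches. If you have a DHCP server configured on a network device, you need to make sure a second DHCP server is configured that replicates the same DHCP pools and exclusions. If you do not have this then a single piece of equipment failing could take your entire network offline.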

Multiple internet circuits
You should have multiple internet circuits coming into the building you are in and the building where your infrastructure is located. If one line fails, you would not lose connection to the internet, provided the correct failover configuration was in place internally. To determine whether your configuration allows for an internet line to fail, consider HSRP, or if you are unable to use HSRP then at least have a NAT rule for the failover public IP.

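Overall, you need to make sure every device has a backup for the services it provides and that every device is configured in a redundant way. There are cheap and expensive ways to do this; the expensive option is usually the one where you rarely see an outage when equipment fails, and I would always recommend the more costly option.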
