icky3000's questions

I need to set up a plan for organizing permissions for sysadmins in a 200-server Windows 2003/2008 network. The servers exist in 5 separate forests that are connected via 2-way trusts.

At the moment, I'm mostly focused on how best to organize the groups. All sysadmins have a single admin account in one of the forests (forest A) and I wish for them to use this account to manage everything.

As I understand it, the usual best practice is to:

1. Give access to resources to domain local groups in the local forest where they exist. I've done this by creating groups like ForestB\MemberServerAdmins, ForestB\DCDNSAdmins, ForestC\ExchangeReadOnlyAdmins, etc and I've delegated access to these groups from the various applications.

2. Organize users by role into global groups in forest A and then place those global groups into the domain local groups as necessary. I guess this might be done, for instance, by department where you have a group like ForestA\Operations and they get access to some but not all of the resource groups and another group like ForestA\Admins and they get access to all of the resources groups. That's just an example.

The problem is, we really need to assign these permissions to resources on an individual basis. We're a smaller company and I don't have batches of users that necessarily need all of the same permissions. This makes step #2 above seem not to work for us. The solution I'm left with is to create global groups in ForestA that have basically the same names as the various resource groups like this:

ForestA\ForestB MemberServer Admins

ForestA\ForestB DCDNSAdmins

ForestA\ForestC ExchangeReadOnlyAdmins

and then place individual admin accounts into those groups.

I get the flexibility this two-group solution has for assigning resources but does it make sense to set things up this way? I like it because then I can manage all permissions in ForestA and easily look at any admin account to see which groups they are in to determine what they have access to. Still, I'm not sure this is the best route?

We're using iSCSI storage and have two dedicated VLANs for iSCSi. We didn't implement jumbo frames initially. I'd like to turn it on now. I understand I need to turn it on for the NICs that connect to the iSCSI VLANs and on the switch ports they connect to and then do the same for the SAN itself. My question is about the timing of all of this. I've got 4 iSCSI boxes and 30 servers connecting to them. Can I make the change at different times without causing big trouble? For instance, if I go through and set all the NICs to jumbo frames first and then do the switches and then the storage, will I have issues if iSCSI traffic is moving at the same time? For obvious reasons, I'd prefer not to shut down all iSCSi traffic first. I think I can reasonably coordinate this work with the network guys to do it all in one evening and plan to enable flow control on the switch ports at the same time. Advice?

I have a Windows 2008 server running Hyper-V. There are 6 NICs on the server configured like this:

• NIC01 & NIC02: teamed administrative interface (RDP, mgmt, etc)
• NIC03: connected to iSCSI VLAN #1
• NIC04: connected to iSCSI VLAN #2
• NIC05: dedicated to one virtual switch for VMs
• NIC06: dedicated to another virtual switch for VMs

The iSCSI NICs are used obviously for storage to host the VMs. I put half the VMs on the host on the switch assigned to NIC05 and the other half on the switch assigned to NIC06. We have multiple production networks that the VMs could appear on so the switch ports that NIC05 & NIC06 are connected to are trunked and we then tag the NIC on the VM for the appropriate VLAN. No clustering on this host.

Now I wish to assign some iSCSI storage direct to a VM. As I see it I have 2 options:

1. Add the iSCSI VLANs to the trunked ports (NIC05 and NIC06), add two NICs to the VM that needs iSCSI storage, and tag them for the iSCSI VLANs

2. Create two additional virtual switches on the host. Assign one to NIC03 and one to NIC04. Add two NICs to the VM that needs iSCSI storage and let them share that path to the SAN with the host.

I'm wondering about how much overhead the VLAN tagging in Hyper-V has and haven't seen any discussion about that. I'm also a bit concerned that something funky on the iSCSI-connected VM could saturate the iSCSI NICs or cause some other problem that could threaten storage access for the entire host which would be bad.

Any thoughts or suggestions? How do you configure your hosts when VMs connect direct to iSCSI?