For the Secondary Technical School in the center of Prague, we have implemented the renewal and expansion of the previous server solution, which had been in operation for at least 10 years. Due to the fact that since 2020 the school began to rapidly increase the number of students, it was no longer sustainable to maintain the original concept and it was necessary to switch to another solution, which we successfully implemented.

Challenges

1) The original server solution was a single server with a VMware ESXi 5.0 hypervisor installed.

2) Only one application server with all the important applications such as asset management, accounting or school registry in one place, without separation of user access.

3) Only a single domain server, which also functioned as a file server.

4) The customer was using roaming profiles and in the event of a communication failure with the domain server, it was not possible to work on the PC (the desktop and all data disappeared) until communication with the server was restored.

5) When a larger number of students were logging out at the same time, the roaming profiles used to crash due to slow writing to the server and incorrect data synchronization from the local PC to the server.

Aims

1) Move to a more modern and open solution of virtualization and avoid paying high license fees.

2) Divide key applications into separate virtual servers or containers and separate unrelated data between applications, thus increasing security.

3) Implement at least two domain servers and in case of an outage, delegate work with files, Active Directory, DNS, etc., to a secondary domain controller or file server.

4) Separate the system functions of the domain controller from user data, i.e. create dedicated file servers.

5) Solve problems with outages of roaming profiles and thus the inability to work on a domain PC.

Solution

For this project, we chose to buy new hardware from the manufacturer Supermicro, namely two new servers, on which we installed the Proxmox VE hypervisor, which is a great alternative to VMware and is also developed as open-source, so it is not necessary to pay for licenses.

We installed a total of 2 basic virtual servers on each of the Proxmox VE, i.e. a domain controller and a file server. We then created a domain namespace between these servers, in which we further configured sharing and replication between servers (DFS). This means that if one of the domain servers or file servers is not available, the user will not be able to tell the difference because his/her work is referred to the namespace, not to the specific (FQDN/IP) address of the server.

Example: User files are stored on the user’s network storage in the domain namespace at moje.domena.czdata%username%. This means that in the event of an outage of the primary file server, the user does not lose his/her data and does not notice the outage, because the programs and files he/she works with are not opened or saved as e.g. the connected network drive K: with a link to a specific IP address of the file server, but is referred to the virtual path of the domain namespace. Both file and domain servers coexist in this namespace and are constantly synchronized with each other.

Furthermore, as part of our solution, we evenly distributed the load on each of the Proxmox VE hypervisors and created the necessary number of virtual servers and containers for the applications. The result of this is that the application for processing the school register has its own virtual server with limited user access only for those users who need the access by the nature of their job function. The same applies to the accounting application, which also has its own virtual server and limited access only for accountants. Etc.

Result

The customer (school) has been using the implemented solution since 2021 and to date there has not been a single report or complaint about an outage when working with files or with a roaming profile. This was the case even when one of the file and domain servers was shut down during working hours for testing and maintenance.

The school has hundreds of PCs that are actively used in lessons during the day, and thanks to the load distribution, there was not a single problem with the synchronization of the roaming profile from the local PC to the server. On the other hand, the time it takes to log in a user account, i.e. the synchronization of the roaming profile from the server to the local PC, has been significantly reduced from minutes to seconds.

By dividing each application that fulfills its specific purpose into its own virtual servers or containers, we have limited user permissions to the necessary minimum. As opposed to the original state when everyone could access all data in one place, we have structured the accesses so that accountants can access only the accounting server from a specific PC in the domain through their user account and no one else can work with the accounting application. The same applies to other applications.

A huge advantage of virtualization with Proxmox VE is the possibility of regular backups of virtual machines or the creation of temporary snapshots of the current state of the server and all data in it. In practice, this means that if one of the privileged users accidentally makes an intervention that leads to damage to the application data, we are able to restore the previous state in a matter of seconds, max. minutes. For example, if an unexpected error occurs during the update of the school register and it stops working properly, we can, for example, return to the original state within a few seconds thanks to the saved snapshot and have the possible update error checked by the manufacturer of this application or find our own solution.

Conclusion

The implemented solution has been used by the customer for several years and this solution fulfills its function reliably. Thanks to the tests carried out, we found out that the implemented infrastructure is really resistant to outages and users do not feel any limitations in the performance of their work activities. Teachers as well as students are satisfied with the data transfer speed when synchronizing their roaming profiles, and no matter where they log in within the school building, they always have their work environment available in a few moments.

By increasing security through separating each specific application, we have prevented potential misuse by any user and thus reduced the range of options for tampering with sensitive data to selected users, who can be more easily audited for access to data.

If you are looking for a solution that will be resistant to sudden outage, whether due to software or hardware failure, do not hesitate to contact us and we will be happy to offer you an optimal solution that will meet your requirements.