The Most Convoluted Network EVER!
-
So a buddy of mine who works at an [educational place] just started at [a retailer], and he was telling me a bit about their network. I will not name the school but it's one of the local ones to my area.
So some of the basics:
This school bought a large block of public IPs back in the late 80s. I want to say it was a Class A sized block. Anyways, for YEARS they ran everything at the school on public IPs. Printers, workstations, servers, etc. They also used some sort of MAC Address reservation system. Apparently most of their infrastructure is still like this...don't worry, it gets better.
For their wifi setup, this is how it authenticates:
Computer connects to network and gets what I believe was referred to as a "landing IP". This grabs the MAC address and then checks it against the list of computers in AD. If it's there, it authenticates. Next it prompts for RADIUS credentials and then also authenticates SEPARATELY against credentials in AD. Once it authenticates by MAC, it changes IP. Once it goes by creds, it changes again! Once it passes this, it is on the network.
Now for the backbone of their network...
So you'd think they have a pretty good AD setup, right? Well, they've got Server 2008, 2008 R2, and 2012 for their AD, which means it's at a 2008 level. However, LDAP is handled by a SOLARIS server! HOLY CRAP! Their Windows AD ties into the Solaris server for user accounts, etc. Oh wait, it gets better. DNS isn't handled by Windows either. They've got BIND setup on a Linux server, which also ties into Windows AD.
So my co-worker is explaining all this to me and my head is just continuing to spin more and more. I asked him why they didn't just consolidate and move everything to one platform on Windows and let everything work AS IT'S INTENDED TO?! He said that the current admin likes it this way and doesn't want to change. The way he described it, this admin is close to retirement. I said it sounds like this admin has made their production network his personal lab to play around and try stuff. Let's say he didn't comment yay or nay but kind of just bit his lip and nodded.
I asked him what would happen if there was ever some major outage! I said how the sheer complexity, almost all of which is totally unnecessary, could cause some catastrophic downtimes. He said "yup, pretty much". I also commented how it sounds like the main admin has set it up in a way so as to ensure his own job security. Same response with the biting of the lip.
Has anyone ever heard of a weirder setup?! I've seen a lot in my short career but this one takes the cake!
What's the weirdest setup you've ever seen?
Thanks,
A.J. -
Why are these things intended to be on one platform, and why is that platform Windows? All of these things were invented originally for Unix, not for Windows; plus, the licensing is much freer with Linux than with Windows. Instead I'd suggest they just get rid of the last Windows server.
-
@tonyshowoff said:
Why are these things intended to be on one platform, and why is that platform Windows? All of these things were invented originally for Unix, not for Windows; plus, the licensing is much freer with Linux than with Windows. Instead I'd suggest they just get rid of the last Windows server.
Well that's part of my point. If they WANT to do everything on Linux/Unix, fine. If they want to do everything on Windows, fine. But why are they insisting on mixing everything like this?! Pick a system and stick with it!
-
@thanksajdotcom said:
Well that's part of my point. If they WANT to do everything on Linux/Unix, fine. If they want to do everything on Windows, fine. But why are they insisting on mixing everything like this?! Pick a system and stick with it!
Mixing often can get you better results and things you want from one system that aren't available on another. In the same way, people may have a Windows laptop but then have an iPhone, which means their home is a mixed environment as well. Also, in production in the enterprise, yes, consistency is important, but redundancy and availability are too. I can run the same version of Unix/Linux for decades, but really I can only use the same version of Windows until EOL, and even by that time it's heavily obsolete, since I cannot update the kernel on Windows; I can update the libraries (except for some third-party ones), etc.
However, certain tasks are better on Windows or there may be protocols or whatever which may only be available on Windows or are just better supported for now. This could easily lead someone to create a mild mixed environment until something else catches up or whatever technology that forced them to use Windows (for example), goes away.
In other words, if I need a single Windows server to deal with some single issue, why spend thousands of dollars every few years just on licenses alone so all of them can be Windows? Lest we forget all the time it takes to update Windows environments, in some cases also requiring new hardware. I can't run Windows Server 2012 on my old ProLiant very well (if at all), but Linux will work solid. And it'll be easy to update things if I have to even if years have passed, however upgrading from Windows 2000 to Server 2012 is not really an option, and certainly cannot be done in place.
-
This doesn't sound all that bizarre... Most large schools, that I've seen, have a combination of *nix and Windows technologies. The Wireless authentication is a bit odd, since most of that can be handled with RADIUS without the re-allocation of IP addresses. Although at the same time it is similar to how my grad school did their scheme. A guest network, which you would then use to authenticate to a secured/private network.
-
Plus Windows requires a higher density of admins. Generally you only get 10 - 30 servers per Windows admin, with the trend towards the low side. UNIX you tend to get 35 - 100 servers per admin, with the trend towards ~50.
Snowflakes of course, in DevOps, the numbers don't matter.
-
@thanksajdotcom said:
So you'd think they have a pretty good AD setup, right? Well, they've got Server 2008, 2008 R2, and 2012 for their AD, which means it's at a 2008 level. However, LDAP is handled by a SOLARIS server! HOLY CRAP! Their Windows AD ties into the Solaris server for user accounts, etc. Oh wait, it gets better. DNS isn't handled by Windows either. They've got BIND setup on a Linux server, which also ties into Windows AD.
That's because OpenLDAP and BIND are 10000x faster than Windows in a wide disparate network.
Remember, AD follows standards of LDAP and BIND, it's pretty good about it too. There isn't any reason why you can't use it, other than having lazy Windows admins who don't know how to integrate it. When you have potentially thousands of devices requesting access, there is no reason why they should be tied down to one technology when things like BIND run so much faster than Windows DNS.
-
You all forget that it is AJ, the thief, that stated in the other thread to just use the DNS and DHCP because it did not matter if you had CALs or not.
-
@JaredBusch said:
You all forget that it is AJ, the thief, that stated in the other thread to just use the DNS and DHCP because it did not matter if you had CALs or not.
A thread about licensing? Please link
-
What's wrong? Mixing Linux and Windows is normal. BIND is great; heck, you can use Zone Transfers and get the Windows DNS much faster and without the need for CALs for all the clients.
What's wrong with who handles LDAP? Windows AD is just another form of it. This isn't unusual to share them between systems.
Also, what they are doing with IPv4 addresses is exactly what IPv6 is meant to accomplish.
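The zone-transfer arrangement this post mentions, as an added example and not configuration from the thread or from the school in question: a BIND secondary zone that pulls the AD-integrated zone from the Windows DNS servers by AXFR/IXFR. The zone name and the DC addresses (192.0.2.10 and 192.0.2.11) are assumptions for illustration. On the Windows side the DC's DNS Manager zone properties, Zone Transfers tab, must be set to allow transfers to the BIND server's address, because Windows DNS does not allow transfers to arbitrary hosts by default; nothing in this fragment changes that.

```conf
// named.conf fragment on the Linux BIND server (added example, not from the thread).
// Assumed: 192.0.2.10 and 192.0.2.11 are the Windows DCs hosting the AD-integrated zone.
acl "ad-dns" { 192.0.2.10; 192.0.2.11; };

zone "example.edu" {
    type slave;                              // "secondary" in BIND 9.16+
    masters { 192.0.2.10; 192.0.2.11; };     // "primaries" in BIND 9.16+
    file "secondary/example.edu.db";         // local copy, refreshed per the SOA timers
    allow-notify { ad-dns; };                // accept NOTIFY only from the DCs
    allow-transfer { none; };                // don't re-export the zone to anyone who asks
    allow-update { none; };                  // dynamic updates go to the AD primaries, never here
};

// AD keeps the DC locator records (SRV for _ldap._tcp.dc._msdcs and friends)
// in a separately delegated _msdcs zone on 2003+ forests, so transfer it too
// or domain-joined clients resolving through BIND cannot find their DCs.
zone "_msdcs.example.edu" {
    type slave;
    masters { 192.0.2.10; 192.0.2.11; };
    file "secondary/_msdcs.example.edu.db";
    allow-notify { ad-dns; };
    allow-transfer { none; };
    allow-update { none; };
};
```

Two things to check once it is in place: `rndc retransfer example.edu` followed by a look at the BIND log confirms the transfer actually succeeded rather than silently serving a stale file, and `dig @<bind-server> _ldap._tcp.dc._msdcs.example.edu SRV` confirms the locator records came across. The `allow-transfer { none; }` line matters on a network that still sits on public addresses, since an unrestricted secondary would hand the whole internal host list to anyone on the internet.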
-
Also, posting that he works at [very specific school] and [very specific retailer] is too much info online. You could be getting him in trouble for this post.
-
@thecreativeone91 said:
Also, posting that he works at [redacted personal info] is too much info online. You could be getting him in trouble for this post.
Seriously, you've completely identified an innocent coworker. Anyone working at the only [that school] in the area would know pretty much instantly who it is. And the retailer would have little issue identifying him too.
-
@tonyshowoff said:
A thread about licensing? Please link
The thread was not about licensing. It evolved to that from a Pertino discussion, I think.
-
@tonyshowoff said:
@JaredBusch said:
You all forget that it is AJ, the thief, that stated in the other thread to just use the DNS and DHCP because it did not matter if you had CALs or not.
A thread about licensing? Please link
-
Thread has been modded to protect AJ's buddy's personal identity. Please, no one copy any of the previously mentioned very private information. Identifying your own employer or yourself you are allowed to do. Please, no one identify innocent third parties who aren't here to request redaction.
-
@JaredBusch said:
You all forget that it is AJ, the thief, that stated in the other thread to just use the DNS and DHCP because it did not matter if you had CALs or not.
STFU @JaredBusch.
-
Our business has two separate divisions: one is adult entertainment and the other is MSP; additionally, we partly own some actual stores. I never even talk about where any of these things are located (except I've mentioned we run our adult entertainment stuff out of the Netherlands, nothing more), and I never mention names of anything, for a good reason. Primarily because I don't want any other business I'm involved with to be connected with adult entertainment, since that's off-putting to people, but also just in case, because I may piss off someone online, and if they know what these sites or businesses are, it could become a bad situation. If I were you, AJ, I'd never mention working where you do; instead I'd say "office retailer" or something. I'll talk all day long about the technology we use, but you'll never find a post of me saying where it's used. I'm even hesitant talking about it in PM with people, lest they bring it up, even by accident, in public, though AFK/IRL in person I do mention names sometimes.
PS I'm not the one who down voted you, in fact the STFU made me laugh out loud, but full disclosure, him calling you a thief also made me lol.
-
Mixing networks is completely normal. While this IS a complex network, it does not appear to be ridiculously complex. If the primary concern is around having both Windows and UNIX in the same network, I don't see anything wrong there, at least not at this level.
Sure, with lots of analysis, we might determine cost savings or feature advantages by going down to just Windows or UNIX, but we'd need a lot more information to make that determination. Tons of companies have both. Large networks are complex things. The way an SMB works is little related to how an enterprise works.
-
@tonyshowoff said:
Our business has two separate divisions, one is adult entertainment and the other is MSP, additionally we partly own some actual stores. I never even talk about where any of these things are located (except I've mentioned we run our adult entertainment stuff out of the Netherlands, nothing more), and I never mention names of anything, for a good reason.
Heck, I don't even put my current employer on LinkedIn or Facebook, for good reason. Don't use my real name much of anywhere either.
-
@thecreativeone91 said:
@tonyshowoff said:
Our business has two separate divisions, one is adult entertainment and the other is MSP, additionally we partly own some actual stores. I never even talk about where any of these things are located (except I've mentioned we run our adult entertainment stuff out of the Netherlands, nothing more), and I never mention names of anything, for a good reason.
Heck, I don't even put my current employer on LinkedIn or Facebook, for good reason. Don't use my real name much of anywhere either.
Made the mistake of using my real name on SW, but I've been switching over to this handle everywhere else; too late to switch on SW, I think.