DNM1: Data Center Virtualization
Augusta Crissy
Proof-of-Concept Design Template
Dakota Remenyi
[Date]
Version 1.0
DNM1: Data Center Virtualization Design Document
Proof-of-Concept Design Template
CONTENTS
A. Systems Analysis of Current Environment ... 3
B. Virtualization Solution ... 3
C. Security ... 5
  C.1. Virus Scan System ... 5
  C.2. Firewall Rules ... 5
  C.3. Access Control Lists ... 5
  C.4. Security Groups ... 6
  C.5. Information Security Management ... 6
D. Implementation Process ... 7
E. Performance Tuning ... 9
F. Load Balancing ... 11
G. Proof-of-Concept Implementation Build ... 11
  G.1. Phase 1 ... 11
  G.2. Phase 2 ... 11
  G.3. Phase 3 ... 11
  G.4. Phase 4 ... 11
A. SYSTEMS ANALYSIS OF CURRENT ENVIRONMENT
Augusta Crissy (AC) is in the market to expand their datacenter by integrating it with the cloud as a hybrid
solution to support future demand. While the current datacenter has enough resources to meet current demand, it
has several limitations that will keep it from meeting future demand.
Some of the current limitations include:
- Single, non-clustered servers: maintenance and unplanned upgrades cannot fail over or initiate connection
  draining when issues arise. A clustered setup would provide high availability for applications and databases by
  allowing them to be moved between servers without affecting end users.
- The current datacenter consists of 100 4U rack-mounted servers, all running Windows Server 2016. Each has 32
  processors, 256 GB of RAM and 1 TB of storage. The servers have enough resources to carry their current load but
  could be upgraded to match the spec sheet, allowing for more virtualization. A typical server rack holds 36U to
  40U, so eight Dell 940xa boxes could be mounted per rack, requiring just over 12 racks. Server placement relative
  to the HVAC should be revisited, since the added resources will generate more heat.
- The Windows Server OS does not currently have a hypervisor installed, which limits Augusta Crissy's ability to
  virtualize the datacenter and optimize its resources. Installing hypervisor software allows the servers to be
  virtualized without buying more physical devices.
Augusta Crissy is examining solutions for a local hybrid cloud datacenter. While this could work, the industry is
moving away from owning resources toward leasing them. Augusta Crissy should use a Cloud Service Provider such as
AWS to connect to "the cloud". Many of these Cloud Service Providers offer services that help lift and shift
applications to the cloud, such as AWS Snowball. Alternatively, the domain could be extended into the cloud via a
direct connection or over a VPN. However, I will continue with the proof of concept to showcase a local hybrid
datacenter.
B. VIRTUALIZATION SOLUTION
To demonstrate a virtualized environment Proof of Concept, a single VMware ESXi hypervisor will be used. The
ESXi server has enough resources to run four Windows virtual machines and one virtual router. The network will be
set up using the ESXi default virtual switch (vSwitch0) and additional port groups, otherwise known as VLAN
networks, to support the infrastructure.
The virtual switch setup is as follows:
- vSwitch0
  o Two uplinks to external
  o Five port groups
    - Management group (default)
    - Vlan-Pfsense-WAN
      CIDR: 172.16.0.1/24
      VLAN ID: 0
    - Vlan-Pfsense-LAN
      CIDR: 172.17.0.1/24
      VLAN ID: 10
    - Vlan-SysAdmin
      CIDR: 172.18.0.1/24
      VLAN ID: 20
    - Vlan-Dev
      CIDR: 172.19.0.1/24
      VLAN ID: 30
The following virtual machines will be deployed:
- pfSense router
  o Name: PfSense
  o VM OS: FreeBSD 11
  o Specs: 1 CPU | 1 GB RAM | 8 VHD | 2 NICs
    - NIC 1: connected to WAN, external DHCP assigned
    - NIC 2: connected to LAN, IP: 172.17.0.1/24
- 1 Windows Server 2019 Standard
  o Name: DC1
  o VM Generation: 2
  o Specs: 1 CPU | 4 GB RAM | 40 GB VHDX | 2 NICs
    - NIC 1: connected to Vlan-Dev, IP: 172.19.0.2/24
    - NIC 2: connected to Vlan-SysAdmin, IP: 172.18.0.2/24
  o ISO: <datastore>\iso\Windows_Server_2019_Eval.iso
  o Roles installed:
    - Active Directory Domain Services, domain: augustacrissy.lab
    - DHCP: Scope 1 for Vlan-Dev and Scope 2 for Vlan-SysAdmin
    - DNS
- 1 Windows 10 Desktop
  o Name: W10
  o Specs: 1 CPU | 4 GB RAM | 32 GB VHD | 3 NICs
    - NIC 1: connected to Vlan-Dev, IP: 172.19.0.3/24
    - NIC 2: connected to Vlan-SysAdmin, IP: 172.18.0.3/24
    - NIC 3: connected to pfSense LAN, IP: 172.17.0.3/24
  o ISO: <datastore>\iso\Windows10_EnterpriseEval.iso
- 2 Windows Server 2019 Datacenter Edition
  o Names: Data1, Data2
  o VM Generation: 1
  o Specs: 1 CPU | 4 GB RAM | 40 GB VHD | 4 NICs
  o NICs 1 and 2 are teamed; IP: DHCP assigned by the external network
    - NIC 1: connected to external interface
    - NIC 2: connected to external interface
  o NIC 3: connected to Vlan-SysAdmin
    - Data1 IP: 172.18.0.4/24
    - Data2 IP: 172.18.0.5/24
  o NIC 4: connected to Vlan-Dev
    - Data1 IP: 172.19.0.4/24
    - Data2 IP: 172.19.0.5/24
  o ISO: <datastore>\iso\Windows_Server_2019_Eval.iso
  o Roles installed:
    - Internet Information Services (IIS)
    - Remote Access Role
      - VPN
      - DHCP Relay to Vlan-SysAdmin
    - Network Load Balancer, assigned to NIC 4 on both servers
C. SECURITY
Please see below for the plan.
C.1. VIRUS SCAN SYSTEM
The environment is not very diverse and only uses Windows-based operating systems for servers and clients, so we
will use the built-in malware protection agent. Domain policies at the Active Directory level will dictate how often
scans run, what is scanned, and which file paths are excluded to preserve productivity. User Account Control (UAC)
will be enabled and enforced to further protect against malicious actions: UAC prompts for credentials whenever a
user attempts to install or run an application that requires elevated privileges.
C.2. FIREWALL RULES
Using Active Directory, Windows Firewall group policies will be enforced. The centralized policy will restrict ports
and protocols per device role, since different roles require different firewall policies. For example, a web server
needs ports 80/443 opened for inbound requests, and a VPN server needs port 1723 open to allow remote users to
connect. Telnet will be denied on all endpoints, as it is not required for communication and can easily be sniffed
for clear-text credentials.
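The role-based policy above, written with the NetSecurity cmdlets directly into per-role GPOs, as an added example that is not part of the design document. The GPO names FW-Role-WebServer and FW-Role-VPNServer are assumptions and must already exist in augustacrissy.lab and be linked to the OUs holding the web and VPN servers.

```powershell
# Added example, not from the design document. Writes role-based Windows
# Firewall rules into domain GPOs with the NetSecurity module. The GPO names
# are assumptions: they must already exist in augustacrissy.lab and be linked
# to the OUs that hold the web and VPN servers.
Import-Module NetSecurity

$domain = 'augustacrissy.lab'
$roles = @{
    'FW-Role-WebServer' = @(
        @{ Name = 'Allow HTTP/HTTPS inbound'; Protocol = 'TCP'; Port = @(80, 443) }
    )
    'FW-Role-VPNServer' = @(
        @{ Name = 'Allow PPTP (1723) inbound'; Protocol = 'TCP'; Port = @(1723) }
    )
}

foreach ($gpo in $roles.Keys) {
    $store = "$domain\$gpo"   # PolicyStore syntax for a GPO: DOMAIN\GPO name

    # Common baseline for every role: domain profile on, anything not
    # explicitly allowed is dropped, and Telnet (TCP 23) is denied in both
    # directions because it carries credentials in clear text.
    Set-NetFirewallProfile -PolicyStore $store -Profile Domain -Enabled True -DefaultInboundAction Block
    New-NetFirewallRule -PolicyStore $store -DisplayName 'Block Telnet inbound' `
        -Direction Inbound -Protocol TCP -LocalPort 23 -Action Block -Profile Domain
    New-NetFirewallRule -PolicyStore $store -DisplayName 'Block Telnet outbound' `
        -Direction Outbound -Protocol TCP -RemotePort 23 -Action Block -Profile Domain

    # Role-specific allow rules on top of the baseline.
    foreach ($rule in $roles[$gpo]) {
        New-NetFirewallRule -PolicyStore $store -DisplayName $rule.Name `
            -Direction Inbound -Protocol $rule.Protocol -LocalPort $rule.Port `
            -Action Allow -Profile Domain
    }
}
```

Run from a host with the Group Policy Management tools; the rules land in the GPO and reach the servers on the next policy refresh.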
C.3. ACCESS CONTROL LISTS
As mentioned previously, UAC will be enforced to allow only appropriate behavior from one account to the next.
This also reduces the risk of an attack such as "pass-the-hash." While it may not eliminate the risk, the standard
user who browses the web, reads email and performs daily tasks is the most exposed to it; with separate accounts, the
chance of an unauthorized user gaining access to a user with elevated credentials that could install software or RDP
to another server is highly unlikely. It is worth mentioning that the other servers will only have elevated users in
the Administrators group on business-critical systems.
As an example, Jane Smith is a server administrator who needs regular access to Domain Controllers and servers;
however, she does not need admin access to her workstation. Jane will be issued several accounts: a user account for
email, the internet and other daily tasks on her workstation, a General Admin account for administering and
maintaining servers, and a Domain Admin account to administer and maintain Domain Controllers. Only authorized
users, based on privilege, will be added to each box's Administrators group by domain policy.
The policy described above is known as the Principle of Least Privilege. ISO 27002 defines the Principle of Least
Privilege as "the general approach favored for protection, rather than unlimited access and superuser rights without
careful consideration. As such users should only get access to the network and network services they need to use or
know about for their job." ISO 27002 also mentions the need for routine auditing of group policies to maintain a
level of IT hygiene. More information about the principle of least privilege and auditing can be found via the link
on the reference page. The logs should be sent to a centralized collector such as a SIEM, where another team can
monitor for alerts based on domain policy. All new network configuration should be monitored and documented using a
change management process; the process ensures changes do not affect other resources in the infrastructure and
allows rollback if necessary.
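One way to run the routine audit this paragraph calls for, as an added example that is not the document's own procedure: it pulls the local Administrators membership of each member server and flags anything outside the approved AD groups. The OU path, the approved group names and the NetBIOS domain name AUGUSTACRISSY are assumptions.

```powershell
# Added example, not from the design document. Audits the local Administrators
# group on every member server and reports members that are not in the approved
# list. Assumptions: servers live under OU=Servers, the domain NetBIOS name is
# AUGUSTACRISSY, and the approved groups are the ones listed below.
Import-Module ActiveDirectory

# Which AD groups may hold local admin rights on which servers (name patterns).
$approved = @{
    'Data*' = @('AUGUSTACRISSY\Domain Admins', 'AUGUSTACRISSY\Server Admins')
}

function Get-LocalAdminAudit {
    param([string]$SearchBase = 'OU=Servers,DC=augustacrissy,DC=lab')

    $servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' -SearchBase $SearchBase |
        Select-Object -ExpandProperty Name

    foreach ($server in $servers) {
        # First pattern in $approved that matches this server name decides
        # which groups are allowed there.
        $pattern = $approved.Keys | Where-Object { $server -like $_ } | Select-Object -First 1
        $allowed = if ($pattern) { $approved[$pattern] } else { @() }

        # Needs WinRM on the target; returns names like DATA1\Administrator
        # or AUGUSTACRISSY\Server Admins.
        $members = Invoke-Command -ComputerName $server -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
        }
        foreach ($member in $members) {
            [pscustomobject]@{
                Server   = $server
                Member   = $member
                # The built-in local Administrator is expected; anything else must
                # be one of the approved groups placed there by Restricted Groups.
                Approved = ($member -in $allowed) -or ($member -eq "$server\Administrator")
            }
        }
    }
}

$audit = Get-LocalAdminAudit
# Show the drift: members that no policy put there.
$audit | Where-Object { -not $_.Approved } | Format-Table -AutoSize
# Keep the full result as evidence for the change-management / SIEM team.
$audit | Export-Csv -Path "$env:TEMP\LocalAdminAudit.csv" -NoTypeInformation
```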
To prevent network collisions and bottlenecks, VLANs will be used together with the collision detection protocol
on the switches. This allows different networks to be segmented and coexist on the same switch or switches. The
recommended configuration is to add a minimum of four VLANs: Data, Development, Administration and Resource
Management. This greatly reduces the amount of "talking" on a network at any given time, reducing the chance of a
collision.
- The Data VLAN carries PROD data traffic for end-user consumption, such as email, web traffic and file access.
- The DEV VLAN isolates DevOps engineers on their own segment to prevent them from affecting the production
  network, unless they have another authorized account they can reach via elevated credentials.
- The Administration VLAN allows administrators to perform their duties and restricts users from reaching servers
  at the management level.
- The Resource Management VLAN allows services and their accounts to perform their routine processes across their
  partner resources. This could be the cluster quorum communication monitored by the cluster service, or the
  heartbeat broadcast between network load balanced servers. Another use for the Resource Management VLAN is to
  allow virtual machines to be migrated from one host to another without bottlenecking bandwidth on other VLANs.
C.4. SECURITY GROUPS
As mentioned earlier, to ensure that accounts with "appropriate level access" are unable to reach unassigned
systems, Domain Policy will enforce Restricted Groups, and restrictive interactive logon policies will be in place
(UAC). The restricted policies will place the elevated identities in designated AD security groups controlled and
managed by the security team. Adding users to groups via policy reduces administrative overhead when employees are
hired, change positions or leave: users can be moved in or out of the security groups simply by modifying the Group
Policy, which refreshes all servers on the network that are part of the domain policy OU.
C.5. INFORMATION SECURITY MANAGEMENT
An Information Security Management System (ISMS) will be used to govern policies, processes, procedures,
infrastructure and service dependency functions. The ISMS will incorporate best practices from SOC, the ISO
27001 and 27002 series and, if necessary, PCI. The system is designed to maintain daily operations and keep the
business healthy by providing guidelines on the confidentiality, integrity and availability of Augusta Crissy's
data and systems. Besides environmental disasters and outages, the ISMS should include processes for handling
breaches or attacks by both internal and external parties.
D. IMPLEMENTATION PROCESS
Discuss the implementation phases and project implementation milestones for the proposal, including the
dependencies of each phase and milestone.
Phase 1: Implement VLANs
During phase one, the network will be set up within the ESXi host so that the virtual machines can be added later.
- Under Port groups:
  o Create four port groups:
    - Vlan-Dev
    - Vlan-SysAdmin
    - Vlan-pfSense-WAN
    - Vlan-pfSenseLAN
  o Attach all of them to vSwitch0.
The configured VLANs isolate the traffic of each VLAN so that it cannot communicate with the other VLANs.
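The same port groups created with PowerCLI (the module section E recommends), as an added example rather than the document's own build steps; the ESXi host name and the credential prompt are assumptions, and the VLAN IDs are the ones from section B.

```powershell
# Added example, not from the design document. Creates the Phase 1 port groups
# on vSwitch0 with PowerCLI using the VLAN IDs from section B. The ESXi host
# name and the credential prompt are assumptions.
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'esxi01.augustacrissy.lab' -Credential (Get-Credential)

$vswitch = Get-VirtualSwitch -Name 'vSwitch0'
$portGroups = @(
    @{ Name = 'Vlan-pfSense-WAN'; VLanId = 0 }
    @{ Name = 'Vlan-pfSenseLAN';  VLanId = 10 }
    @{ Name = 'Vlan-SysAdmin';    VLanId = 20 }
    @{ Name = 'Vlan-Dev';         VLanId = 30 }
)

foreach ($pg in $portGroups) {
    # Skip groups that already exist so the script is safe to re-run.
    $existing = Get-VirtualPortGroup -VirtualSwitch $vswitch -Name $pg.Name -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-VirtualPortGroup -VirtualSwitch $vswitch -Name $pg.Name -VLanId $pg.VLanId | Out-Null
    }
}

# Verify: every port group on vSwitch0 with its VLAN tag. A guest attached to a
# port group tagged 20 cannot see frames from one tagged 30 without a router
# in between, which is the isolation the paragraph above describes.
Get-VirtualPortGroup -VirtualSwitch $vswitch | Select-Object Name, VLanId | Sort-Object VLanId

Disconnect-VIServer -Confirm:$false
```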
Phase 2: Build pfSense Router
The pfSense router routes traffic from the WAN to the LAN when needed. The router will be built as a virtual
machine, created by selecting Other as the Guest OS family and FreeBSD 11 (64-bit) as the Guest OS version. See
Figure D-3 (Rubicon, 2020).
Figure D-3: Selecting pfSense OS family and version
- During the VM creation:
  o Add an additional network interface; select Vlan-pfSense-WAN for the first interface and Vlan-pfSenseLAN for
    the second.
  o Attach the ISO from the datastore and boot the VM.
  o Follow the default options and prompts.
  o After the initial setup, detach the ISO and reboot the system.
  o Set up the WAN and LAN interfaces based on the guidance provided above.
Phase 3: Build Domain Controller
- Create a new virtual machine using Windows as the Guest OS family and "Windows Server 2016 or Higher (64-bit)"
  as the Guest OS version.
  o Select Windows Server 2019 Standard with Desktop Experience.
  o Set the password and change the computer name.
  o Install VMware Tools.
  o Set up the WAN and LAN interfaces based on what is outlined above.
  o Install Active Directory and select the DNS and DHCP roles.
The Active Directory role is now installed but not configured. Before configuring the AD roles, statically assign an
IP address to the server.
To configure the AD roles:
- In Server Manager, promote this server to a domain controller.
  o Add it as the first domain controller of augustacrissy.lab.
  o Reboot.
Next steps:
- Log in as Administrator.
  o Open the DHCP console and activate it.
  o Create two scopes, for VLAN-Dev (172.19.0.0/24) and VLAN-SysAdmin (172.18.0.0/24).
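The Phase 3 steps above as PowerShell on DC1, using the addresses from section B; this is an added example, not the document's own build, and it runs in two stages because the promotion reboots the server. The NIC aliases Ethernet0 (Vlan-Dev) and Ethernet1 (Vlan-SysAdmin), the NetBIOS name AUGUSTACRISSY, the lease ranges .100-.200 and the .1 gateways are assumptions.

```powershell
# Added example, not from the design document. Phase 3 on DC1 as PowerShell.
# Assumptions: NIC aliases Ethernet0 (Vlan-Dev) and Ethernet1 (Vlan-SysAdmin),
# NetBIOS name AUGUSTACRISSY, DHCP lease ranges .100-.200, gateways at .1.

# 1. Static addressing before promotion; the DC resolves DNS against itself.
New-NetIPAddress -InterfaceAlias 'Ethernet0' -IPAddress 172.19.0.2 -PrefixLength 24
New-NetIPAddress -InterfaceAlias 'Ethernet1' -IPAddress 172.18.0.2 -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet0', 'Ethernet1' -ServerAddresses 127.0.0.1

# 2. Roles: AD DS, DNS and DHCP with their management tools.
Install-WindowsFeature AD-Domain-Services, DNS, DHCP -IncludeManagementTools

# 3. Promote to the first DC of the new forest augustacrissy.lab (reboots).
Import-Module ADDSDeployment
Install-ADDSForest -DomainName 'augustacrissy.lab' -DomainNetbiosName 'AUGUSTACRISSY' -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force

# ---- stage 2: after the reboot, logged in as Administrator ----

# 4. Authorize the DHCP server in AD, then create the two scopes with the
#    gateway, DNS server and DNS suffix options that clients will receive.
Add-DhcpServerInDC -DnsName 'dc1.augustacrissy.lab' -IPAddress 172.18.0.2
$scopes = @(
    @{ Name = 'VLAN-Dev';      Id = '172.19.0.0'; Start = '172.19.0.100'; End = '172.19.0.200'; Router = '172.19.0.1'; Dns = '172.19.0.2' }
    @{ Name = 'VLAN-SysAdmin'; Id = '172.18.0.0'; Start = '172.18.0.100'; End = '172.18.0.200'; Router = '172.18.0.1'; Dns = '172.18.0.2' }
)
foreach ($s in $scopes) {
    Add-DhcpServerv4Scope -Name $s.Name -StartRange $s.Start -EndRange $s.End `
        -SubnetMask 255.255.255.0 -State Active
    Set-DhcpServerv4OptionValue -ScopeId $s.Id -Router $s.Router -DnsServer $s.Dns `
        -DnsDomain 'augustacrissy.lab'
}

# Verify both scopes are active and serving the expected ranges.
Get-DhcpServerv4Scope | Select-Object Name, ScopeId, StartRange, EndRange, State
```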
Phase 4: Build Datacenter Servers 1 & 2 and the Windows 10 Desktop
- Create two new virtual machines using Windows as the Guest OS family and "Windows Server 2016 or Higher
  (64-bit)" as the Guest OS version.
  o Select Windows Server 2019 Datacenter with Desktop Experience.
  o Set the password and change the computer name.
  o Set up the WAN and LAN interfaces based on what is outlined above.
  o Install VMware Tools.
  o Join them to the augustacrissy.lab domain.
Install the following roles: Internet Information Services, Remote Access (Microsoft, 2020) and Network Load
Balancing (Parvez, 2020). Both servers will have their first two NICs teamed using Address Hash mode (More, 2020).
- No additional configuration is needed for the IIS role.
- Set up the NLB to cluster both servers over the VLAN-Dev network interface in unicast mode.
- Use the Routing and Remote Access wizard to walk through the VPN configuration.
- Configure the IP range for VPN clients to use in the Routing and Remote Access console.
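The server part of Phase 4 as a script run on each of Data1 and Data2 after the domain join, as an added example rather than the document's own steps. Assumptions: NIC aliases Ethernet0-3 in the order section B lists them, the NLB cluster VIP 172.19.0.10 on Vlan-Dev, the cluster name web.augustacrissy.lab, and a VPN client pool of 172.17.0.100-150.

```powershell
# Added example, not from the design document. Phase 4 server build as
# PowerShell, run on Data1 and Data2 after the domain join. Assumptions: NIC
# aliases Ethernet0-3 in section B's order, NLB VIP 172.19.0.10 on Vlan-Dev,
# cluster name web.augustacrissy.lab, VPN client pool 172.17.0.100-150.
$me = $env:COMPUTERNAME.ToUpper()
$addr = @{
    'DATA1' = @{ SysAdmin = '172.18.0.4'; Dev = '172.19.0.4' }
    'DATA2' = @{ SysAdmin = '172.18.0.5'; Dev = '172.19.0.5' }
}[$me]

# Roles: IIS, Remote Access (VPN + routing) and Network Load Balancing.
Install-WindowsFeature Web-Server, RemoteAccess, DirectAccess-VPN, Routing, NLB -IncludeManagementTools

# NICs 1 and 2 teamed in Address Hash mode (TransportPorts is the hash the
# GUI's "Address Hash" option uses); the team interface keeps external DHCP.
New-NetLbfoTeam -Name 'External' -TeamMembers 'Ethernet0', 'Ethernet1' `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm TransportPorts -Confirm:$false

# Static addresses on the Vlan-SysAdmin and Vlan-Dev NICs; DNS is DC1.
New-NetIPAddress -InterfaceAlias 'Ethernet2' -IPAddress $addr.SysAdmin -PrefixLength 24
New-NetIPAddress -InterfaceAlias 'Ethernet3' -IPAddress $addr.Dev -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet2', 'Ethernet3' -ServerAddresses 172.18.0.2

# VPN: RRAS in VPN mode with a static client pool (start address, end address).
Install-RemoteAccess -VpnType Vpn -IPAddressRange '172.17.0.100', '172.17.0.150'

# NLB over NIC 4 (Vlan-Dev) in unicast mode: Data1 creates the cluster,
# Data2 joins it. Run Data1 first.
Import-Module NetworkLoadBalancingClusters
if ($me -eq 'DATA1') {
    New-NlbCluster -InterfaceName 'Ethernet3' -ClusterName 'web.augustacrissy.lab' `
        -ClusterPrimaryIP 172.19.0.10 -SubnetMask 255.255.255.0 -OperationMode Unicast
} else {
    Get-NlbCluster -HostName 'Data1' | Add-NlbClusterNode -NewNodeName $me -NewNodeInterface 'Ethernet3'
}

# Verify: both nodes should report Converged.
Get-NlbClusterNode | Select-Object Name, State
```

The DHCP relay to Vlan-SysAdmin listed in section B is configured in the Routing and Remote Access console and is not covered here.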
Windows 10 machine:
- Create a new virtual machine using Windows as the Guest OS family and Windows 10 (64-bit) as the Guest OS
  version.
  o Set the password and change the computer name.
  o Set up the WAN and LAN interfaces based on what is outlined above.
  o Install VMware Tools and join it to the augustacrissy.lab domain.
E. PERFORMANCE TUNING
AC needs to perform asset management and performance monitoring well to have a successful virtualized
datacenter. As it expands, it may become difficult to track and monitor new and existing systems. I suggest
tracking and monitoring assets in VMware using the PowerCLI module for PowerShell. The module can either be
installed via PowerShell or downloaded directly and moved to the PowerShell modules folder. Below are several ways
that performance could be monitored.
1) Install-Module VMware.PowerCLI
   a. https://www.altaro.com/vmware/how-to-generate-a-vsphere-report-using-powershell/
      i. Reporting options include ways to generate HTML pages for easy reading (Fenech, 2016).
2) Alan Renouf created another open-source project that produces verbose output, including the ESXi host and
   its configuration, which can be found below.
   a. https://github.com/alanrenouf/vCheck-vSphere
3) VMware provides best-practice guidelines, which can be downloaded below. Following them ensures that the ESXi
   hosts are configured properly, run optimally and are secure.
4) Running reports on the hosts is a good way to get inventory and overall performance, but it can also be
   beneficial to set up performance monitoring within the virtual machines themselves, to track application
   performance and other resources the VM may be using.
   a. To set up performance monitoring on Windows, open Performance Monitor and build a custom monitor with
      counters (Chen, 2014). A few counter categories to include are:
      i. PhysicalDisk: monitors the VHD. Recommended counters are:
         - Idle Time: no less than 60%
         - Average Disk sec/Read: measures I/O latency; no higher than 20 ms
         - Average Disk sec/Write: no higher than 20 ms
         - Current Disk Queue Length: no higher than 2
      ii. Memory: tracks total memory used and potential memory leaks. Some recommended counters are:
         - Available MBytes: 10% of memory available is suggested
         - Pages/sec: less than 1000. A higher number is a sign of excessive paging, which typically indicates
           a memory leak.
         - Memory / Cache Bytes: the amount of memory used for the file system cache. A value above 300 MB could
           indicate a disk bottleneck.
      iii. Network Interface: monitors network latency. Recommended counters include the following:
         - Bytes Total/sec: measures the transfer rate. A high transfer rate could mean an application is
           consuming all the bandwidth. Keeping the transfer rate below 40% is typically a healthy state.
         - Output Queue Length: measures the output packet queue length. The lower the better; above 2 is
           critical.
      iv. Paging File: if the paging file is too large, it is recommended to add RAM to the VM.
         - % Usage: no higher than 10%, otherwise the VM will suffer in disk I/O performance.
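The counter list above turned into a one-shot check that flags anything outside its documented threshold, as an added example that is not part of the design document. Assumptions: "Bytes Total/sec below 40%" is measured against the fastest up adapter's link speed, and "Available MBytes" against 10% of installed RAM.

```powershell
# Added example, not from the design document. Samples the counters listed in
# section E once and flags any that cross the thresholds given there.
# Assumptions: "Bytes Total/sec below 40%" is measured against the fastest up
# adapter's link speed; "Available MBytes" against 10% of installed RAM.
function Test-VmPerfCounters {
    $totalMB = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB
    $linkBps = (Get-NetAdapter | Where-Object Status -eq 'Up' |
                Measure-Object -Property Speed -Maximum).Maximum / 8   # bytes/sec

    # Counter path, comparison ('ge': value must be at least Limit; 'le': at most).
    # Disk latency counters report seconds, so 20 ms is 0.020.
    $checks = @(
        @{ Path = '\PhysicalDisk(_Total)\% Idle Time';               Op = 'ge'; Limit = 60 }
        @{ Path = '\PhysicalDisk(_Total)\Avg. Disk sec/Read';        Op = 'le'; Limit = 0.020 }
        @{ Path = '\PhysicalDisk(_Total)\Avg. Disk sec/Write';       Op = 'le'; Limit = 0.020 }
        @{ Path = '\PhysicalDisk(_Total)\Current Disk Queue Length'; Op = 'le'; Limit = 2 }
        @{ Path = '\Memory\Available MBytes';                        Op = 'ge'; Limit = [math]::Round($totalMB * 0.10) }
        @{ Path = '\Memory\Pages/sec';                               Op = 'le'; Limit = 1000 }
        @{ Path = '\Memory\Cache Bytes';                             Op = 'le'; Limit = 300MB }
        @{ Path = '\Network Interface(*)\Bytes Total/sec';           Op = 'le'; Limit = [math]::Round($linkBps * 0.40) }
        @{ Path = '\Network Interface(*)\Output Queue Length';       Op = 'le'; Limit = 2 }
        @{ Path = '\Paging File(_Total)\% Usage';                    Op = 'le'; Limit = 10 }
    )

    foreach ($c in $checks) {
        # (*) paths return one sample per instance (each NIC); _Total returns one.
        foreach ($s in (Get-Counter -Counter $c.Path -ErrorAction SilentlyContinue).CounterSamples) {
            $healthy = if ($c.Op -eq 'ge') { $s.CookedValue -ge $c.Limit } else { $s.CookedValue -le $c.Limit }
            [pscustomobject]@{
                Counter  = $c.Path
                Instance = $s.InstanceName
                Value    = [math]::Round($s.CookedValue, 3)
                Limit    = $c.Limit
                Healthy  = $healthy
            }
        }
    }
}

# Show only the counters outside their documented range. Schedule the script
# (Task Scheduler) and ship the output to the SIEM for continuous monitoring.
Test-VmPerfCounters | Where-Object { -not $_.Healthy } | Format-Table -AutoSize
```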
F. LOAD BALANCING
As stated in the sections above, it is vital to load balance the datacenter servers so that network performance
is optimal. If configured properly, the NLB distributes traffic as evenly as possible, reducing the likelihood of
network latency.
To verify the network load balancer, disable or drain a node in the cluster, then attempt to access the website
from the Windows 10 client. If the hosted website is still reachable, the NLB is working as expected. It should be
noted that sticky sessions / cookies should be disabled; if they are not, the NLB may still attempt to forward
traffic to a host that is down.
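The failover check described above, scripted as an added example that is not part of the design document: drain one node, confirm the site still answers, then bring the node back. Assumptions: the NLB cluster IP is 172.19.0.10 on Vlan-Dev, the drained node is Data1, and the script runs from a host that can manage the cluster (the W10 client with the NLB tools installed, for instance).

```powershell
# Added example, not from the design document. Scripts the section F failover
# check. Assumptions: cluster IP 172.19.0.10 (Vlan-Dev), drained node Data1,
# run from a host with the NLB management tools that can reach the cluster.
Import-Module NetworkLoadBalancingClusters
$site = 'http://172.19.0.10/'
$node = 'Data1'

function Test-SiteUp {
    param([string]$Uri)
    try { (Invoke-WebRequest -Uri $Uri -UseBasicParsing -TimeoutSec 5).StatusCode -eq 200 }
    catch { $false }
}

# NLB's equivalent of "sticky sessions" is port-rule affinity; None lets any
# node answer, so a drained or failed node does not keep receiving its clients.
Get-NlbClusterPortRule -HostName $node | Set-NlbClusterPortRule -Affinity None | Out-Null

"Before drain: site reachable = $(Test-SiteUp $site)"

# Drain stops new connections to the node and lets existing ones finish.
Stop-NlbClusterNode -HostName $node -Drain -Timeout 60 | Out-Null
Start-Sleep -Seconds 5
$stillUp = Test-SiteUp $site
"With $node drained: site reachable = $stillUp"

Start-NlbClusterNode -HostName $node | Out-Null
if (-not $stillUp) {
    Write-Warning "Requests did not fail over to the remaining node; check the port rule and the unicast cluster settings."
}
```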
G. PROOF-OF-CONCEPT IMPLEMENTATION BUILD
Provide a separate screenshot of each implementation phase completed in the lab environment, including a brief
explanation of the process.
Note: You can complete each phase as you build your proof-of-concept solution in the lab environment. Please add
sections as necessary if you have more than four phases.
G.1. PHASE 1
Provide a screenshot and a brief summary/title of the first implementation phase.
G.2. PHASE 2
Provide a screenshot and a brief summary/title of the second implementation phase.
G.3. PHASE 3
Provide a screenshot and a brief summary/title of the third implementation phase.
G.4. PHASE 4
Provide a screenshot and a brief summary/title of the fourth implementation phase.
**Please add additional sections as necessary.**