Reliable IT infrastructure with failover in a secondary school using virtualization and DFS

For a secondary industrial school in the centre of Prague, we implemented the renewal and extension of a previous server solution that had been in operation for at least 10 years. As the number of pupils started to increase rapidly from 2020, it was no longer sustainable to maintain the original concept and it was necessary to switch to another solution, which we successfully implemented.


Challenges

  1. The original server solution was a single server running the VMware ESXi 5.0 hypervisor.
  2. There was only a single application server hosting all important applications (asset management, accounting, school registry) in one place, with no separation of user access.
  3. There was only one domain server, which also functioned as the file server (FileServer).
  4. The client was using roaming profiles, and when communication with the domain server failed, it was not possible to work on the PC (the desktop and all data disappeared) until communication with the server was restored.
  5. When a large number of pupils logged out at the same time, slow writes to the server caused the roaming profiles to fail, and data was synchronized incorrectly from the local PC to the server.

Objectives

  1. Switch to a more modern and open virtualization solution without paying high licensing fees.
  2. Split key applications into separate virtual servers or containers and separate unrelated data between applications for increased security.
  3. Implement at least two domain servers and delegate work with files, Active Directory, DNS, etc. to a secondary domain controller or file server in the event of a failure.
  4. Separate domain controller system functions from user data, i.e. create dedicated file servers.
  5. Solve the roaming profile outages and the resulting inability to work on a domain PC.

Solution

For this project we purchased two new Supermicro servers and installed the Proxmox VE hypervisor on them. Proxmox VE is a great open-source alternative to VMware, so there is no need to pay for licenses.

We installed two basic virtual servers on each of the Proxmox VE hosts: a domain controller and a file server. Between these servers we then created a domain namespace (DFS Namespace), in which we configured sharing and replication between the servers (the DFS service). This means that if one of the domain servers or file servers is unavailable, the user will not notice any difference, because their work refers to the namespace, not to a specific server address (FQDN/IP).

Example: User files are stored on the user's network storage in the domain namespace at \\moje.domena.cz\data\%username%. In the event of a failure of the primary file server, the user will not lose his data and will not notice the failure in any way. The programs and files he works with are not opened or saved with reference to a specific IP address of the file server (such as the connected network drive K:\), but use the virtual path of the domain namespace. Both file and domain servers coexist in this namespace and are constantly synchronizing with each other.
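How a namespace like the one described above can be built, as an added PowerShell example that is not the configuration actually deployed at the school. The server names FS1 and FS2, the local path D:\Data and the replication group name are assumptions, as is the layout (the article does not say how its namespace is structured).

```powershell
# Added example. FS1/FS2, D:\Data and 'UserData' are hypothetical names.
# Requires the DFS Namespaces and DFS Replication roles and their PowerShell modules.
$Namespace = '\\moje.domena.cz\data'   # namespace path taken from the article
$Servers   = 'FS1', 'FS2'              # hypothetical file servers
$LocalPath = 'D:\Data'                 # hypothetical data folder on each server
$Group     = 'UserData'                # hypothetical replication group name

# 1. Create and share the data folder on both file servers.
#    Share permissions stay broad; NTFS ACLs on each per-user folder
#    must restrict access to that user. Access-based enumeration hides the rest.
foreach ($s in $Servers) {
    Invoke-Command -ComputerName $s -ScriptBlock {
        New-Item -Path $using:LocalPath -ItemType Directory -Force | Out-Null
        New-SmbShare -Name 'data' -Path $using:LocalPath `
            -ChangeAccess 'Authenticated Users' -FullAccess 'Administrators' `
            -FolderEnumerationMode AccessBased | Out-Null
    }
}

# 2. Domain-based namespace with one root target per file server.
#    Clients resolve \\moje.domena.cz\data to whichever target is reachable.
New-DfsnRoot       -Path $Namespace -TargetPath '\\FS1\data' -Type DomainV2 | Out-Null
New-DfsnRootTarget -Path $Namespace -TargetPath '\\FS2\data' | Out-Null

# 3. DFS Replication keeps both copies of the folder in sync (bidirectional).
New-DfsReplicationGroup -GroupName $Group | Out-Null
New-DfsReplicatedFolder -GroupName $Group -FolderName 'data' | Out-Null
Add-DfsrMember          -GroupName $Group -ComputerName $Servers | Out-Null
Add-DfsrConnection      -GroupName $Group -SourceComputerName 'FS1' `
                        -DestinationComputerName 'FS2' | Out-Null
# FS1 is authoritative for the initial sync only.
Set-DfsrMembership -GroupName $Group -FolderName 'data' -ComputerName 'FS1' `
                   -ContentPath $LocalPath -PrimaryMember $true -Force | Out-Null
Set-DfsrMembership -GroupName $Group -FolderName 'data' -ComputerName 'FS2' `
                   -ContentPath $LocalPath -Force | Out-Null

# 4. Checks to repeat before taking one server down for maintenance:
#    both targets should be Online and the backlog should be empty.
Get-DfsnRootTarget -Path $Namespace | Select-Object TargetPath, State
Get-DfsrBacklog -GroupName $Group -FolderName 'data' `
                -SourceComputerName 'FS1' -DestinationComputerName 'FS2'
```

DFS Replication also copies deletions and damaged files to the partner server, so it complements the Proxmox VE backups and snapshots described under Result rather than replacing them.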

Next, as part of our solution, we evenly distributed the load on each of the Proxmox VE hypervisors and created the necessary number of virtual servers and application containers. As a result, this means that the school registry processing application has its own virtual server with limited user access for only those users who need access by nature of their job function. The same is true for the accounting application, which also has its own virtual server and restricted access only for accountants.

Result

The client (school) has been using the implemented solution since 2021, and so far there has not been a single complaint about a failure when working with files or with the roaming profile. This holds even though we know that one of the file and domain servers has been shut down during business hours for testing and maintenance.

The school has hundreds of PCs that are actively used for teaching during the day, and thanks to the load distribution, there has not been a single problem with synchronizing the roaming profile from the local PC to the server. In addition, user account login time, i.e. synchronisation of the roaming profile from the server to the local PC, has dropped significantly, from minutes to seconds.

By dividing each application that fulfills its specific purpose into its own virtual servers or containers, we have limited user permissions to the minimum necessary. Thus, from the original state, when everyone could access all data in one place, we have divided the accesses so that accountants can access only the accounting server with their user account from a specific PC in the domain and no one else can work with the accounting application. The same is true for other applications.

A huge advantage of virtualization with Proxmox VE is the possibility of regular backups of virtual machines or creating temporary snapshots of the current state of the server and all the data in it. In practice, this means that if one of the privileged users accidentally performs an intervention that leads to corruption of the application data, we are able to restore the previous state in a matter of seconds or minutes. For example, if an unexpected error occurs when updating the school registry and the application stops working properly, we can use the saved snapshot to restore the original state before the update within a few seconds and let the manufacturer of the application check the update error or find its own solution.

Conclusion

The implemented solution has been used by the customer for several years and fulfils its function reliably. The tests we have carried out show that the implemented infrastructure is genuinely resistant to failures and that users do not experience any limitations in their work. Teachers and students are very satisfied with the speed of data transfer when synchronizing their roaming profiles, and wherever they log in within the school building, they always have their working environment available within a few moments.

By separating each specific application, we have prevented potential misuse by any user, thereby increasing security and restricting the handling of sensitive data to selected users, whose access to the data is easier to audit.

If you too are looking for a solution that is resilient to sudden failure, whether due to software or hardware failure, do not hesitate to contact us. We will be happy to help you find the optimal solution to suit your requirements.
