Tower Server and Network Opinions
-
Hey, after speaking with @scottalanmiller yesterday I have been looking around for a tower system that can run a website, virtual desktops, database, and active directory.
I found the Lenovo TD350 with five hot swap drives. The specs of the machine are two Intel Xeon E5 2620 v3 2.4 GHz processors, 64 GB of ECC RAM, four 2TB hot swap drives set in RAID 5, a single 240GB SSD (for ESXi) and an AMD FirePro W700 for VDI enhancement.
The networking for the system is already set in stone. Using a set of Cisco Meraki MX 64s at two locations we are able to create a VPN to the locations so managing low-level system architecture is easy from two locations.
The site where the server is located already has an on-site natural gas powered generator with a 22 second delay from power failure; in light of this we already have a smart APC battery backup unit that will provide power for the dual redundant server as the generator is powering up.
Software is pretty simple; vSphere 6 for the host OS (installed on the SSD), a couple of Windows 10 Pro licenses for VDI, vSphere 6 Essentials, Windows Server 2012 R2 for Active Directory, CentOS 7 running NGINX for the website, CentOS 7 for the Redis database, and a couple of other guest machines as the small company grows.
What are your opinions on this setup?
-
Definitely don't consider using RAID 5. With four drives, RAID 10 is the only reasonable option.
And I'd not consider Lenovo. It's the only one of the "big" vendors I would not let in the door. They are dangerous, reckless and unashamed enemies of their customers.
Stick to HP, Dell, Oracle, real IBM, Cisco, SuperMicro (and its rebrands) and Fujitsu for servers. Don't stray from those names. Lenovo I would avoid completely. http://mangolassi.it/tags/lenovo
Realistically in the SMB market, HPE, Dell and SuperMicro are the only brands you can practically choose from.
-
As for the RAID, anything and everything you could want to know about RAID choices is collected and updated on this page: http://www.mangolassi.it/topic/121/raid-link-blast
-
@scottalanmiller Your entire post makes a lot of sense; as for not going with Lenovo, what is your biggest fear of them?
-
@christophergault said:
a single 240GB SSD (for ESXi)
You would never put a hypervisor on an SSD. They should be put on an SD card; this is both a general industry best practice and VMware's official best practice. If you were to avoid the SD card for some reason (don't) you would only do so to use the cheapest, slowest SATA drives in RAID 1 that you could get, never SSD. Every penny spent on those drives is lost, as the speed of the hypervisor drive has no effect on the system.
-
@scottalanmiller Damn, I still have a lot to learn about all this...
-
@christophergault said:
@scottalanmiller Your entire post makes a lot of sense; as for not going with Lenovo, what is your biggest fear of them?
That you can't trust them. They have established themselves as the people you should be guarding against. You need your server vendor to be your partner, not your enemy. Lenovo is an all out enemy. In the past 1.5 years we have caught them running scam contests, installing malware designed to potentially steal your private data, putting on fake root certificates, putting code into the firmware to put malware back after you have removed it, getting their malware into the only available drives for their machines so that it cannot be avoided, etc.
And that's all on top of the recommendation before they did those things that their servers were of inferior quality and rarely of good enough quality to use. They just aren't cheap enough even if they weren't your enemy. But you can never trust Lenovo in your shop. They've established that they are the hackers you are trying to keep out.
-
Why VMware? Of the four enterprise hypervisors, VMware is the only one I'd start by almost ruling out. The other three are free and more featureful. VMware costs a fortune and cripples you out of the gate. It would be an exceptionally special case where I would even put VMware into the list to consider. Not that their software and support are not top notch, it is just that in a field of four products, they routinely come in fourth in nearly every aspect while being the only non-free option. So paying a premium to get crippled rarely works out well.
http://www.mangolassi.it/topic/5082/is-the-time-for-vmware-in-the-smb-over
-
@christophergault said:
The site where the server is located already has an on-site natural gas powered generator with a 22 second delay from power failure; in light of this we already have a smart APC battery backup unit that will provide power for the dual redundant server as the generator is powering up.
Two UPS, right? You should have one UPS per power bar. Otherwise the UPS becomes a very risky single point of failure. The cost of high availability power is one of the biggest drivers to moving out of on premises hosting, because it is just so costly to do power well without huge scale. But without it, lots of highly available servers don't provide the reliability expected.
-
If you want high end server hardware (like HPE or Dell) but want entry level prices (like SuperMicro or Lenovo), look to xByte (ad appearing on the right currently) as they provide refurbed enterprise Dell gear, full warranty, for a fraction of the price of new and bring a lot of experience and expertise to the table along with it. And they are active here in MangoLassi so you don't even have to reach out to them through another channel; you can talk to them right here on the community. They even have their own forum category here.
-
@scottalanmiller Sounds like Lenovo needs a beating haha, I heard Dell has a lot of bloatware however...
-
@christophergault said:
@scottalanmiller Sounds like Lenovo needs a beating haha, I heard Dell has a lot of bloatware however...
Well.... a couple things about the bloatware...
- It only applies to consumer equipment, not stuff we would see in IT. Just stuff for home.
- It only applies to things like consumer laptops and desktops, not servers of any type.
- You never accept anything set up or installed by your server vendor as a basic practice, so no matter what they install on there it should not matter, as you would never see it.
http://mangolassi.it/topic/5474/never-let-the-vendor-set-up-a-server
-
Nine years of posting daily about this stuff results in having an already written article and long already hashed out discussions on every topic that you can imagine. It's amazing how many industry best practices that were never mentioned prior to SW and ML coming into existence are pretty well documented and established now.
-
@scottalanmiller That makes sense, however my father (owner of the business) has had a bad experience with Dell and has used Lenovo in the past and loves them. What could we do about the potential "Lenovo hacking" if we end up going with the TD350...
-
Not having the vendor set up your server goes far beyond installing the hypervisor. You would never let them set up the BIOS, RAID or any setting on the machine whatsoever. You need to be confident that you have documented every step and can reliably repeat every step to go from spare parts to working server and back to your original configuration. And you need to know what that configuration is. This is one of the things that drives me crazy with Dell's website - it forces you to give them configuration details that make no sense for them to have.
-
@christophergault said:
@scottalanmiller That makes sense, however my father (owner of the business) has had a bad experience with Dell and has used Lenovo in the past and loves them. What could we do about the potential "Lenovo hacking" if we end up going with the TD350...
Nothing really. It was built into the BIOS and you have to trust them to give you a clean image, which you can't.
They made a point of saying it only affected some laptops, but then it was found to affect others, so who knows what was and wasn't affected.
-
@johnhooks Well that is great; what type of private data have they been caught stealing?
-
@christophergault said:
@johnhooks Well that is great; what type of private data have they been caught stealing?
I don't know if anyone really knows what they captured. But if I remember correctly a lot was sent unencrypted. Is that correct @scottalanmiller?
-
@christophergault said:
What could we do about the potential "Lenovo hacking" if we end up going with the TD350...
Nothing. It's like asking "what can we do about letting a thief into the bank". You are letting a thief in. Sure, you can watch him, but you've intentionally let someone into the place you are trying to protect knowing that they will steal from you if you slip up. What's worse is that you are hiring them to be the guard. So you are paying them to be the guard, trusting them to be the guard, but you know that they are the thief and you are just hoping that you guard the guard so well that the guard can't steal from you.
In any IT circle, once you have malware on your machine it is compromised and the only sure way back is scorched earth - meaning a ground up rebuild. That Lenovo has been doing very shady hardware level tricks to get around even that, and has only been caught a few times, suggests that they are still doing it, will keep doing it and are getting better and better at not getting caught.
Ask him if he feels that any data that passes through this server is not something he wants to voluntarily send to China. Not that Lenovo will get your data, but it kind of has to be assumed that they can and they are only putting in that capability for a reason.
So... does he want a Chinese backdoor to his company? I presume the bank accounts will be exposed here, for example. And customer data. And customer products.
-
@christophergault said:
@johnhooks Well that is great; what type of private data have they been caught stealing?
None; if they got it, they got away with it. They hijacked network data, so in theory they have gotten, or have had the option to get, absolutely everything.