If you like DNray Forum, you can support it by - BTC: bc1qppjcl3c2cyjazy6lepmrv3fh6ke9mxs7zpfky0 , TRC20 and more...


Configuring DHCP and Remote Management

Started by yangss01, May 23, 2023, 12:26 AM


yangss01 (Topic starter)

Good afternoon. The situation is that in a large organization with several buildings and about 1000 machines, there is no organization whatsoever - local administrators on all machines, maintenance on their own, and so on. The operating systems for all PCs are Win XP (with a few leftovers), Win7 Prof, and Win10 Prof, and the IP addresses for this horde are registered manually. Servers have been purchased, with one for each building, to be deployed with Windows Server with AD, DHCP, and other features. The task is to use these servers for each building to make centralized management with distribution of addresses via DHCP and remote management.

To do this, we need to configure automatic receipt of DHCP to all PCs within the building with IP address reservation and differentiate the ranges according to offices and groups of offices. We also need to remotely connect to a PC in the domain, install OS+software remotely with a PXE server and software that displays IP and other identification data on the desktop to identify the PC for users. Finally, we need to account for user traffic, including HTTPS.

One solution could be to use Windows Server as a router for all this and use CISCO L3 switches for each building. However, more experienced colleagues should be consulted for advice on how to tackle this issue. The goal is full control and management of user PCs remotely from a single point.

To protect against unregistered PCs, it is recommended to filter MAC addresses at the switch or router level.
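An added example, not from the thread, of what the per-building DHCP setup described above looks like on Windows Server with the DhcpServer PowerShell module: one scope per building, reservations that pin registered PCs to fixed office blocks, and a DHCP MAC allow list for the "unregistered PC" concern. The building name, addresses, hostnames and MACs are constructed sample values.

```powershell
# Added example (not from the original post): per-building DHCP on Windows Server.
# Assumes the DHCP Server role is installed and the script runs as a DHCP administrator.
Import-Module DhcpServer

# One scope for building 1 (constructed addressing); leases expire after 8 days
$ScopeId = '10.1.0.0'
Add-DhcpServerv4Scope -Name 'Building-1' -StartRange 10.1.0.10 -EndRange 10.1.0.250 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 8) -State Active

# Gateway, DNS (the domain controller) and domain suffix handed out with every lease
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router 10.1.0.1 `
    -DnsServer 10.1.0.2 -DnsDomain 'corp.example'

# Registered PCs per office group (constructed inventory). Office blocks are
# kept apart by address: accounting in .100-.149, second floor in .150-.199.
$Inventory = @(
    @{ Name = 'B1-ACC-01'; Mac = '00-11-22-33-44-55'; IP = '10.1.0.100'; Office = 'Accounting' },
    @{ Name = 'B1-ACC-02'; Mac = '00-11-22-33-44-56'; IP = '10.1.0.101'; Office = 'Accounting' },
    @{ Name = 'B1-F2-01';  Mac = '00-11-22-33-44-60'; IP = '10.1.0.150'; Office = 'Floor 2' }
)

foreach ($pc in $Inventory) {
    # Reservation: the PC always gets the same address, so the office ranges stay stable
    Add-DhcpServerv4Reservation -ScopeId $ScopeId -IPAddress $pc.IP -ClientId $pc.Mac `
        -Name $pc.Name -Description $pc.Office
    # Allow list: only MACs from the inventory receive any lease from this server
    Add-DhcpServerv4Filter -List Allow -MacAddress $pc.Mac -Description $pc.Name
}

# Enable the allow list; MACs not on it are refused by the DHCP server
Set-DhcpServerv4FilterList -Allow $true -Deny $false

# Verification: reservations per office and the active allow list
Get-DhcpServerv4Reservation -ScopeId $ScopeId | Format-Table Name, IPAddress, ClientId, Description
Get-DhcpServerv4Filter -List Allow | Format-Table MacAddress, Description
```

The allow list only stops PCs that present an unregistered MAC; a client that copies a registered MAC still receives a lease, so the list should be paired with DHCP snooping on the switches as the replies below recommend.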


johnadam

You are currently learning about DHCP-snooping and DHCP-relay. The first step would be to set up the switches with these features. It is advisable to implement it across subnets and VLANs, if applicable. Any switches that cannot support these functionalities should be replaced. Afterwards, it's important to configure both primary and backup DHCP servers with a shared IP address database. So, what's next on your agenda?

Emphasis on the importance of implementing DHCP-snooping and DHCP-relay on switches, and on the need to prioritize this task.

parmothebra

Firstly, eliminate all DLINK devices from the network as they are not reliable.

For a better network performance, divide it into larger segments with at least 25 addresses on the 24th subnet mask, even if it serves only a small number of users.

The core of the network should have a microt device, preferably ccr1036, or a crs326 as a second option. Older models like 1xx-2xx should be avoided as they are outdated.

The microt in the core should handle DHCP while the uplink manages DHCP server. It's advisable to use Windows Server for DNS and enable dynamic updates.

VLAN is not necessary for peer-to-peer networks.

Remote management is best done via Radmin by domain name instead of IP address. If needed, purchasing licenses could help in network management.

Regarding PXE, read up on WDS (Windows Deployment Services).

Accounting for user traffic is possible but may not be worth the effort. If there are multiple providers, setting up queues and configuring routing would suffice. To control social media access, read about mikrotik layer 7 https, but it's better to use separate hardware to avoid processing overload.

Protecting against unauthorized connections can be done by binding DHCP to MAC addresses, though this defeats the purpose of DHCP.

It's important to note that being excessively economical may not lead to a good outcome.

Elyman

My recommendation would be to hire a contractor, as it will result in faster and cheaper outcomes. If you possess the necessary knowledge, then it is possible for one person to manage in a month or two, depending on the specific tasks. This can also be a great opportunity to gain new knowledge. Alternatively, you could seek the advice of colleagues, although choosing a solution without prior knowledge will be difficult, and implementing it will be even more challenging. From my experience, having 1000 hosts in one broadcast domain is not a problem, as long as there is the desire and skill.

Now onto the questions:

1. Why is redundancy important?
2. What is the purpose of segmenting IP by cabinet?
3. Is there a preference for using RDP based on the computer name or the IP provided by the user?
4. What are the recommended volumes for OS/BY operation? Also, does AD allow remote software installation, and does MS have a deployment service?
5. Bginfo from Mark Rusinovich is a suitable option.
6. There are proxy servers available for traffic accounting and control, but MS has complicated its decision-making. What are the communication channels and control levels like?

In summary, if you want a properly configured and functional solution, it's best to hire specialists. If you prefer to tackle the task alone, then acquiring knowledge is essential.

Yasin

To address these issues, the deployment of Windows Server with Active Directory (AD), Dynamic Host Configuration Protocol (DHCP), and other essential features provides a strong foundation for centralized management. These servers, one for each building, can be leveraged to distribute IP addresses via DHCP and enable remote management. This will bring standardization, security, and centralized control to the network infrastructure.

Configuring DHCP to automatically distribute addresses to all PCs within each building is crucial. Implementing IP address reservations to differentiate ranges based on office locations and groups will allow for better resource allocation and easier management. This will streamline the process of assigning and tracking IP addresses within the organization, providing clarity and control over the network structure.

Remote management capabilities will provide numerous benefits, including the ability to troubleshoot, perform maintenance, and install operating systems and software on PCs within the domain, all from a centralized location. The use of a Preboot Execution Environment (PXE) server for remote OS deployment can greatly simplify and expedite the process of provisioning and updating PCs. Additionally, deploying software that displays IP and other identification data on the desktop will aid in user identification and can be valuable for troubleshooting and maintenance tasks.

When it comes to user traffic, including HTTPS, it's important to implement robust monitoring and management systems. This may involve the use of network monitoring tools and firewalls to track and control network traffic, ensure compliance with security policies, and protect against unauthorized access or malicious activities.

The recommendation to filter MAC addresses at the switch or router level is a critical security measure. By controlling access based on MAC addresses, the organization can ensure that only authorized devices are able to connect to the network, thereby reducing the risk of unauthorized access and potential security breaches.

The proposed solution involving the use of Windows Server as a router and CISCO L3 switches for each building, combined with the centralized management capabilities, presents a comprehensive approach to achieving full control and management of user PCs remotely from a single point. This infrastructure setup will help streamline operations, enhance security, and align with industry best practices for effective IT management in a large-scale organization.