Looking for best practices advice for WD MyCloud EX2 on Win 2012 environment


#1

I’ve started working with a Windows Server 2012 environment which has a My Cloud EX2. The server has a few virtual machines on Hyper-V: one domain controller, one for an accounting app, miscellaneous Win10… They have around 8-10 users and have been sharing files on the MyCloud in public shares. They now want to implement group/user security. The EX2 is not joined to the AD domain, nor is it running as iSCSI.

I would have expected the MyCloud to serve as a backup and the files be shared from the server giving permissions to the AD users.

  1. Would that be the typical setup? (I’m thinking I should set it up like this. File server traffic and storage demands are small.)

  2. Under what conditions would it be advisable to join the MyCloud to the Windows domain and share the primary data files from it?

  3. Under what conditions would it be advisable to set up the MyCloud as an iSCSI drive and share the primary data files from it?

Thanks for the help.


#2

Here are my 5 cents worth of thoughts…

Scary stuff to be an IT guy within an 8-10 user group. It is difficult to change an existing environment since you may end up taking away features and privileges if you ever decide to increase security.

I have no idea how dangerous it would be to have cloud services to your EX2 through WD servers but if they have been using public shares, I’m guessing that these files were not very important. I am also guessing that they have been using the WD tools to download, upload, sync, play movies if any and so on. If this is so it would be difficult to take this away from them.

First of all whether or not a domain controller would work or fit in this scenario as a domain controller that responds to security authentication requests (logging in, checking permissions, etc) within a “Windows domain”, as they might be using mobile phones, laptops to get access to data on the EX2.

Check how adding the EX2 to the domain controller would affect the WD cloud services and make your decision then.

  1. A typical setup. In the old days it was mandatory to have a single server entry point with a Windows server locked behind a NAT, firewall and VPN, and even then it wasn’t enough protection, but that was then. With cloud services, mobile phones, iPads and more, it is a toss-up on how best to serve up data. It all depends on how sensitive your data is and how your various tools on the various platforms can use the data served, e.g. document stored in the EX2 cloud, or document stored on the Windows Server?

  2. Good question on under what circumstances you would share the primary data files from the main server. How important are the files? Do they contain customer data? Credit card information? How often is the primary data needed off-site? Do programs need access to the data? Do you need to create a single access point for your data?
    A. If the data contains highly sensitive data like credit card info, then the answer should be “never”, since you are going through WD servers to access the EX2.

  3. iSCSI is great for desktops and laptops that have limited space for mounting hard disks. It creates and simulates a local hard drive that is instantly available on boot-up for a “single user” and is great for applications that need a local hard drive.
    iSCSI can be used on the server to expand the storage capacity, creating multiple local hard drives from multiple EX2s; if you want, you can connect them all together using server software spanning or RAID 0 (stripe), of which the EX2 can be mirrored. However, if you already have a Windows server that can connect real physical hard drives, this is not the best method of expanding your server storage because of the Ethernet bandwidth. Attaching a bunch of hard drives via an eSATA enclosure will provide you with greater storage speed.

In the old days, the data drove the application: a SQL server serving data to an accounting webpage or application, so having a centralized Windows Server fit the bill.

Today, the over the counter application seems to serve the data. Such as an accounting application (spreadsheet) needs to store the data in a file format that is easily accessible in the clouds. So to do this, you need sharable file folders between your users. The app that provides that kind of accessibility, now drives how you store and share that data; i.e. WD Cloud tools to open Pages/Numbers on the iPhone.

Good luck…


#3

Thanks for your thoughts, Raphael.

I’m not worried really. It’s the client’s idea to add security to the shares. He’s also willing to tell the users “this is what it is”. So, my job is advising about problems and risks and what it takes to deal with them. After that, it really is his decision. Although one can keep poking and saying “I told you about that” when the time comes. :)

They got the EX2 mostly as an external backup solution and don’t really use the “cloud” sharing feature, media streaming, etc. Remote access would be set up through RDP. From your post I gather you are paying a lot of attention to the EX2 cloud sharing, streaming and phone access, but that will be minimally used, if at all.

If they use laptops, those would have to be domain joined and users would have Windows AD permissions. All data “sharing” will be under AD permissions control.

After looking a bit more at the situation, I feel it’s best to set up shares of business data from the server and use the EX2 primarily as an external backup and maybe for off-loading some archival/unused data off of the server. iSCSI is probably not needed, either, like you suggest.

Right now, one thing I have left to look at is exactly what features come with joining the EX2 to the AD domain and how it works. Things like,

  1. The AD users are imported (and/or synchronized) to the EX2. Now, are the EX2 share permissions still managed through the EX2 admin console or through Windows permissions?

  2. Will the EX2 network interface register in the domain DNS using the domain suffix, presuming one can specify it? e.g. WDMyCloudEX2.clientdomain.com

  3. I also need to find out what will happen to the EX2 data, shares and their permissions if I join it to the domain. I expect data not to be affected (although I will back up beforehand), but that permissions would have to be recreated using AD users (even if native EX2 user accounts still remain).

Thanks for the answer again, and any additional info on these last items.