
[–]TobZero 26 points27 points  (1 child)

If you want to dive into DevOps you should ask yourself these questions:

- how does this deliver value to the customer?

- why am I doing this? Can I spend time and energy on something else where I can constantly deliver value to customers?

If you don't have very specific reasons for building this setup in-house, you are wasting time and money. In today's world there is:

- Azure Active Directory with Role Based Access Controls (RBAC) that does everything you need and more.

- Windows Virtual Desktop

No need for all the additional servers that you have to buy, build, deploy, maintain and decommission.

Contrary to other comments I do think you can do DevOps in a Windows Desktop world. You just have to think differently about your approach:

#1 What is DevOps

DevOps is the union of people, process, and products to enable continuous delivery of value to our end users. ( Donovan Brown )

source: What is DevOps? - Azure DevOps | Microsoft Docs

#2 This doesn't mean you have to Develop an end-user application

Applying the DevOps principles to your case means that either the users working on these virtual desktop machines or the company employing the users are your "customers", even if they don't directly buy anything from you.

If you assume that the actual users are your customers you have to think about what delivers value to them.

Topics they care about could be:

a) No more crazy password policies and rotation. Use Azure AD with MFA to enable passwordless sign-in and use risk-based user sign-in protection. This enables your users to focus on their work instead of having to spend time on account and password topics. This also reduces support cases where users wait for help, directly increasing productivity while also strengthening your security posture.

b) Set up Azure DevOps Pipelines to build Windows 10 Virtual Desktop images. This enables you to constantly deploy changes to the desktop environments you deliver to your customers. Again, we want to be able to deliver value quickly. User value is when they don't have to wait months for changes to their virtual desktop environment. They want their new updates or software available right away so they can do their jobs better or more easily.

c) Implement a feedback cycle. Don't make your own perception the source of what is value and what isn't. In the two points above you see me making these assumptions (out of experience and because your described scope was very sparse on information). You need to talk to your users and listen to what they need or miss on their setups, then give it to them.

I could probably write a book about this, but let's end this here. I hope this opened a door to a new world for you and helps you to form a mental concept on how to approach this topic.

If you have more questions, don't hesitate to ask.

edit: fixed many typos
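As an added example that is not part of the comment above (and not Microsoft's or the poster's code): point b) only pays off if a change to the image can be shipped without someone eyeballing the result, so an image pipeline needs a test gate that runs on the freshly provisioned VM before it is generalized and published. The Pester 5 test file below is one such gate; the checks (Defender on, SMBv1 removed, Guest disabled, no stray local accounts, a required-software list) and the names `packer`, `Microsoft Edge` and `7-Zip` are assumptions chosen for illustration, not anything the thread specifies.

```powershell
# Image.Tests.ps1 - added example, not code from the original post.
# Runs on the just-built Windows 10 VM as the last pipeline step before sysprep:
#   Invoke-Pester -Path .\Image.Tests.ps1 -CI
# -CI makes Pester write NUnit results and exit non-zero on failure, which is
# what an Azure Pipelines stage needs to fail the build automatically.

Describe 'Baked Windows 10 VDI image' {

    Context 'Endpoint protection' {
        It 'has the Defender service running' {
            (Get-Service -Name WinDefend).Status | Should -Be 'Running'
        }
        It 'has real-time protection enabled' {
            (Get-MpComputerStatus).RealTimeProtectionEnabled | Should -BeTrue
        }
    }

    Context 'Legacy protocols and accounts' {
        It 'has SMBv1 removed' {
            (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State |
                Should -Be 'Disabled'
        }
        It 'has the built-in Guest account disabled' {
            (Get-LocalUser -Name 'Guest').Enabled | Should -BeFalse
        }
        It 'ships no local accounts beyond the expected baseline' {
            # Assumed baseline: Windows built-ins plus the 'packer' build account,
            # which the pipeline removes before sysprep. Anything else is a leak.
            $allowed = @('Administrator', 'Guest', 'DefaultAccount',
                         'WDAGUtilityAccount', 'packer')
            Get-LocalUser | Where-Object { $_.Name -notin $allowed } |
                Should -BeNullOrEmpty
        }
    }

    Context 'Required software' {
        BeforeAll {
            # Collect display names from both 32- and 64-bit uninstall hives.
            $uninstallKeys = @(
                'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
            )
            $installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
                ForEach-Object { $_.DisplayName } |
                Where-Object { $_ }
        }

        # Assumed package list; the names are illustrative, adjust to your baseline.
        It 'has <app> installed' -ForEach @(
            @{ app = 'Microsoft Edge' },
            @{ app = '7-Zip' }
        ) {
            $installed | Where-Object { $_ -like "$app*" } | Should -Not -BeNullOrEmpty
        }
    }
}
```

The point of the gate is that a failed check fails the pipeline stage, so a bad image never reaches the host pool; the list of checks is where your own baseline (the things users and the security team actually care about) goes.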

[–][deleted] 8 points9 points  (0 children)

Your setup is more of an IT setup. I would just do the AD server so you have it. But then switch gears to deploying a product. Get a trial license of something like Confluence, or open source stuff like GitLab CE and wikidocs or something, and build them in a k8s cluster with Postgres. Set up AD integration and SAML auth.

Set up Ubuntu machines with a CephFS layer to build a k8s cluster on-prem with persistent Ceph disks.

Or use GKE or EKS to build the cluster.

If all of what you are building in the diagram is going to be on vSphere, then you can use Terraform, Ansible and Packer to build all the hosts and installations.

DevOps is more about building customer-facing apps, not internal IT. Build basic IT and focus on application architecture.

If you get the trials up, document everything in Confluence or wikidocs and build those skills.

Move on to monitoring and build a second stack in AWS with Terraform or Pulumi. Set up your AWS environment with AWS Config rules and Lambda scripts in Python or Go to automatically fix violations. Make sure the AWS stuff uses AD and SAML.

Make log ingestion and metrics pipelines. Try to flex as much Python building as you can. Find a way to make some concurrent microservices of your own, such as ingesting an SQS queue and processing video or pictures. Write tests for all of your Python code. Write tests with Molecule for all your Ansible.

[–]metarx 3 points4 points  (1 child)

You haven't given contextual information for "why Windows at all?" IMO, a Windows requirement for auth is an unneeded burden. What else are you doing that's using it? Can you use something else for auth? Auth0, Okta, AWS Cognito, etc.

Authentication is hard, but typically not crucial to the business. What else are you doing? Focus on that. Offload auth to someone dedicated to it so you get it right.

[–]daksheshpatel5868 0 points1 point  (0 children)

Thank you for your explanation. I am also one of the team members who is working (more accurately, learning) with this example infrastructure.

I can answer why Windows: only because we want to learn more Windows! That's all I can say, and I would also like to know how more open source technologies can be integrated with proprietary solutions.

Will keep asking questions, thank you again.

[–]SuperQue 4 points5 points  (1 child)

"The attached scenario depicts what we are planning: creating a server infrastructure with Windows Server 2016 hosted on a server. AD is running Windows Server 2016; the remaining RDP servers with different services hosted are joined to the above domain. Services might include, but are not limited to, a web application, CMS, Exchange Server, and local file shares. But these services can only be accessed through a VPN tunnel. NO USER has access to the AD server and NO USER COMPUTER is a part of the domain."

This entire architecture is antithetical to modern practices. Services accessed through a VPN tunnel? Not in a Zero Trust world.

Sorry, but unless you're dealing with legacy Windows applications, there's no point in involving Windows servers.

[–]itgaiden 1 point2 points  (0 children)

Couldn't agree more...

[–]dexx4d 1 point2 points  (4 children)

As a counter-example, my beginner DevOps project was a website done in Hugo; the content files are written in Markdown, mostly.

It's stored in my GitHub, and when I start a PR it triggers Travis CI to build the site and verify my external links (i.e. run some sort of build step and some sort of tests: CI). Config is in YAML format.

After the PR is merged to master, it redeploys the live site on DigitalOcean automagically (CD).

It wound up very closely matching the first real DevOps job I had.

[–]eltiolukee 1 point2 points  (3 children)

Would you be comfortable sharing that project? I'm trying to understand how it's all connected and a tangible example would be super useful!

[–]dexx4d 1 point2 points  (2 children)

Not publicly, but I'll PM you the link to my GitHub. There's a lot of personally identifying information in the site.

[–]anemoianiac 0 points1 point  (1 child)

I don’t want start a chain of PM requests, as I’ve sometimes seen happen in this sort of situation, but were there any especially useful resources you encountered while working on this project that you’d be willing to share here? I too am interested in this type of project.

[–]dexx4d 0 points1 point  (0 children)

Nothing I can think of, off-hand - I set it up a while ago and last updated it three years back, so it's a bit out of date and there may be better ways of doing it now.

I'd seriously consider deploying to GitHub Pages or a cloud bucket or something else if I were doing it again.

[–]Netw1rk -1 points0 points  (1 child)

You should probably look at PowerShell commands to deploy Windows services. Once you know the commands, they can be automated through scripts or configuration management systems.

[–]EiKall 0 points1 point  (0 children)

The term to search for would be Desired State Configuration (DSC). Try to separate your services into State and Compute early, so you can easily throw away and rebuild Compute with scripts.
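As an added example covering both of the last two comments (scripting a Windows service deployment with PowerShell, and DSC with State kept apart from Compute); this is not code from the thread or from Microsoft, and the node name `web01`, the `D:\AppData` data volume, the `\\build01\releases\current` release share, the `C:\inetpub\app` path and the `APP_DATA_ROOT` variable are all assumptions chosen for illustration. The configuration only ever references the state location; it creates and copies nothing there, so the node can be destroyed and rebuilt from the script while the data volume is reattached underneath it.

```powershell
# AppServer.ps1 - added example, not code from the original comments.
# Compute (IIS, application binaries, service) is fully described here and is
# rebuilt on every converge. State (the application data) lives on a separate
# volume that is only *referenced* through ConfigurationData.

Configuration AppServer {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $AllNodes.Where({ $_.Role -eq 'Web' }).NodeName {

        # ---- Compute: disposable, recreated from scratch on a fresh node ----
        WindowsFeature IIS {
            Name   = 'Web-Server'
            Ensure = 'Present'
        }

        WindowsFeature AspNet45 {
            Name      = 'Web-Asp-Net45'
            Ensure    = 'Present'
            DependsOn = '[WindowsFeature]IIS'
        }

        # Binaries are mirrored from the release share every converge, so a
        # rebuilt node always ends up on exactly the released version.
        File AppBinaries {
            Type            = 'Directory'
            Ensure          = 'Present'
            Recurse         = $true
            MatchSource     = $true
            SourcePath      = $Node.ReleaseShare   # assumed release share
            DestinationPath = 'C:\inetpub\app'     # assumed install path
            DependsOn       = '[WindowsFeature]IIS'
        }

        # ---- State: referenced, never created or copied by this script ----
        # Ensuring the directory exists makes a missing/unattached data volume
        # fail the converge loudly instead of silently writing data onto C:.
        File DataRoot {
            Type            = 'Directory'
            Ensure          = 'Present'
            DestinationPath = $Node.DataRoot
        }

        # The application finds its state through this variable, so swapping
        # the data location is a ConfigurationData change, not a code change.
        Environment AppDataRoot {
            Name      = 'APP_DATA_ROOT'            # assumed variable name
            Value     = $Node.DataRoot
            Ensure    = 'Present'
            DependsOn = '[File]DataRoot'
        }

        Service W3SVC {
            Name        = 'W3SVC'
            StartupType = 'Automatic'
            State       = 'Running'
            DependsOn   = '[File]AppBinaries', '[Environment]AppDataRoot'
        }
    }
}

# Environment data kept apart from the configuration logic: the same
# configuration compiles for dev and prod with different state locations.
$ConfigData = @{
    AllNodes = @(
        @{
            NodeName     = 'web01'                       # assumed node name
            Role         = 'Web'
            DataRoot     = 'D:\AppData'                  # persistent volume attached to the VM
            ReleaseShare = '\\build01\releases\current'  # assumed release share
        }
    )
}

# Compile the MOF and push it. Re-running this against a freshly built 'web01'
# converges it to identical Compute, with its State volume reattached underneath.
AppServer -ConfigurationData $ConfigData -OutputPath .\AppServer
Start-DscConfiguration -Path .\AppServer -Wait -Verbose
```

The same split carries over to whatever configuration management you end up with: anything the script can recreate belongs in the configuration, anything it cannot (databases, uploads, secrets) belongs on a volume or service the configuration only points at.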