This project was completed a few years ago. The next case study will walk through how we evolved this same environment even further in the years that followed.

The Situation

A Melbourne architectural firm with 17 staff contacted us for a second opinion on their IT environment. They had growing concerns about stability, risk, and a general lack of clarity, but budget constraints ruled out a full infrastructure replacement. They needed a practical, staged approach that made the best use of as much of their existing equipment as possible.

Over the years, storage kept running out, and the environment grew reactively:

• One physical server running Windows Server 2016

• No virtualisation

• The server was configured for AD, DNS, DHCP, File, & Print services

• The server had only two disks in a RAID-1 array, presented as a single C: drive. Operating system and company data stored together

• When the server’s storage hit capacity, a small two-bay NAS was added and the PROJECTS share was moved to it

• About a year later, both the server and the NAS were nearly full

• A portable USB disk was then connected to the server and the FINANCIAL and SUPPORT shares were moved onto it

• A second NAS existed for backups, but it no longer had the capacity to protect the entire environment

The comms rack was cluttered, devices were stacked on top of each other, and the previous MSP had provided no documentation. This left the managing director with no visibility into how the environment worked, what depended on what, or where the real risks were.

The Problem

We performed a structured audit/discovery and several issues were immediately obvious.

Immediate issues

Storage exhaustion and poor design had led to:

• Data scattered across the server, NAS, and USB disk

• Frequent manual clean-ups by staff, increasing the risk of accidental deletions

• Backups that were incomplete due to lack of capacity

Underlying risks

A deeper assessment revealed issues the company was unaware of:

• A single point of failure for all business services. Only one domain controller. If it failed, the entire domain would need to be rebuilt

• RAID-1 used to store production data. OS and business data stored on the same array, meaning corruption or ransomware on the OS volume would also take out company data

• No security groups. Every staff member could access every folder

• An outdated operating system with limited support remaining

• No VLAN segmentation. The entire network operated on a flat broadcast domain, reducing performance and increasing the impact of any breach by allowing unrestricted lateral movement

• Poor credential management. Excessive administrative rights, inconsistent password practices, and old accounts still active

Collectively, these issues created significant operational, security, and business-continuity risks.

Our Approach

We commonly see environments that have evolved through years of quick fixes. They function but they become fragile and unsafe.

Our plan was to:

1. Introduce redundancy immediately

2. Consolidate data into a reliable structure

3. Modernise the system using existing hardware where possible

4. Create a stable foundation that could be expanded in later years

This restored stability without forcing unnecessary spending.

The Solution

1. Introduce redundancy

We deployed a small Windows Server 2022 machine and joined it to the domain. Its sole purpose was to become a second domain controller and provide redundancy for AD, DNS, DHCP, and print services.

2. Provide temporary consolidated storage

A high-capacity temporary NAS was supplied and used to store all data, while the main server was upgraded, ensuring all staff could continue working without interruption.

3. Rebuild and modernise the main server

We upgraded the server with five new disks configured as RAID-5 with a hot spare, then rebuilt it with Windows Server 2022.

Hyper-V was enabled, and a virtual Windows Server 2022 machine was created and promoted to domain controller. All company data was migrated from the temporary NAS to the new RAID array.

4. Introduce proper network segmentation (VLANs)

We redesigned the internal network to separate key traffic types , without requiring new switch hardware:

• Created VLANs for servers, workstations, and management

• Updated existing network switch configurations to support VLAN tagging

• Cleaned up unused ports and tightened switch security

• Adjusted DHCP scopes to align with the new network layout

This improved performance and significantly reduced the potential for lateral movement.

5. Clean up and secure credentials

We performed a full credential audit and remediation:

• Removed unnecessary administrative rights

• Standardised password requirements

• Separated privileged accounts from day-to-day user accounts

• Reset legacy or unknown credentials

• Audited and corrected all service account permissions

This eliminated years of privilege creep and improved overall security posture.

6. Retire unsafe hardware

Both NAS units and the external USB disk were fully decommissioned.

7. Deploy a proper backup system

A modern backup appliance was installed with:

• Hourly backups of both physical servers and the virtual machine

• Full data protection

• Cloud replication

• Compliance with the 3-2-1 backup rule

In the event of hardware failure, a backup image could be powered on immediately.

8. Fix data access and permissions

We implemented security groups and role-based access, permanently resolving the “everyone has access to everything” configuration.

The Outcome

Our client was left with a stable, secure, and supportable environment:

• A rebuilt server running a fully supported operating system

• Redundant domain controllers

• A resilient RAID-5 storage array with a hot spare

• Consistent, hourly backups stored onsite and in the cloud

• Instant recovery capability

• Clean, role-based data access

• Proper VLAN segmentation

• No more scattered or overloaded storage devices

• A clear platform for future upgrades

Importantly, most of the improvement came from re-engineering and correctly configuring the existing systems, not purchasing entirely new infrastructure.

The only new hardware required was a set of additional server disks, a small secondary server for redundancy, and a modern backup appliance. Everything else, the stabilisation, the segmentation, the credential cleanup, the consolidation, and the redesign was achieved through proper planning and engineering rather than expensive replacements.

All work was completed in stages outside business hours, resulting in zero downtime for staff.

Key Lessons for BUSINESSES

1. Old systems fail quietly before they fail loudly.
   Storage issues, outdated operating systems, and single points of failure build up over years

2. Most problems aren’t solved by buying new equipment.
   This entire environment was stabilised mainly through proper planning, configuration, and consolidation, not a complete hardware refresh.

3. Backups must be complete, not “good enough.”
   If your backup system can’t capture everything, it isn’t a backup system.

4. Flat networks increase the blast radius of an incident.
   VLANs and segmentation are essential even for small teams.

5. Poor credential practices are more dangerous than old hardware.
   Excessive admin rights and legacy accounts create unnecessary risk.

6. Staged work avoids business disruption.
   With the right plan, major infrastructure change can be done with zero downtime.

Worried your IT environment has similar hidden risks?

Many businesses run systems that have quietly grown fragile over the years. A short assessment can reveal whether you’re secure, stable, and ready for the future or unknowingly exposed.

If you’d like clarity on where you stand, we can help you understand your options and what’s practical for your budget.