Tags: Systems Engineering, Windows Server 2019, Tailscale, Tally Prime, Automation, PowerShell, Prometheus, Grafana, Active Directory

Infrastructure Transformation: Windows Server RDS, Zero Trust & Automation

Architected an IT overhaul for a 10-branch retail group: migrated decentralized databases onto a single Windows Server RDS deployment, replaced costly hardware VPNs with a software-defined mesh network, and deployed Prometheus metrics.

Date 2024
Status Completed & Operational
Lead Senior IT Systems Architect

🚀 Executive Summary

Legacy Infrastructure Overview

The Challenge: The Maryana Group, operating 10+ retail and distribution branches across two countries, was crippled by legacy IT debt. It relied on decentralized, unsynchronized desktop databases, expensive proprietary hardware VPNs (Sophos/Cyberoam) that constantly dropped connections, and a fragmented security posture with no centralized identity management.

The Solution: I led a comprehensive, multi-year infrastructure modernization initiative. I centralized all core financial ERPs onto a hardened Windows Server 2019 Remote Desktop Services (RDS) deployment, replaced the legacy hardware VPNs with a Zero Trust mesh network (Tailscale), and introduced deep observability with Prometheus.

The Impact:

  • Cost Reductions: Eliminated roughly $2,500 per year in proprietary hardware support and licensing fees.
  • Operational Velocity: Removed data synchronization delays, cutting cross-branch financial reconciliation time by 30%.
  • Uptime & Security: Achieved near-100% availability for the central Tally Prime ERP, with access governed by Active Directory role-based access control (RBAC).

📅 Timeline of Transformation

Pre-2019: Decentralized Chaos · Local Desktop DBs · High Hardware VPN Costs · Manual Updates
2019 - 2020: Server Centralization · Active Directory Deployment · Strict RBAC · GPO Security
2021 - 2022: Mass ERP Migration · Onyx Pro to Tally Prime · Windows Server 2019 RDS RemoteApp
2023 - Present: Zero Trust Overhaul · Software-Defined Tailscale Mesh · Prometheus / Grafana Observability

The architectural evolution from fragile legacy systems to a robust, fully monitored Zero Trust network.


Phase 1: Identity & Centralization (2019–2020)

The Move to Windows Server Architecture

The foundational priority was establishing a single source of truth for identity and data out of the sprawling, unmanaged peer-to-peer workgroups.

  • Active Directory Domain Services: Deployed a primary Domain Controller to centralize user authentication across the headquarters.
  • Security Foundation: Enforced strict Group Policies (GPOs) encompassing password complexity constraints, automatic screen lock timeouts, and the strict prevention of unauthorized USB mass storage devices to prevent data exfiltration.
  • File Services: Deprecated isolated desktop shares in favor of a centralized DFS (Distributed File System) with granular NTFS permissions governed by AD security groups.
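The three Phase 1 controls above (AD security groups as the unit of access, NTFS permissions on the DFS target bound to those groups, and a workstation GPO for removable storage and screen lock) as one added PowerShell example. This is not the Maryana Group's own script; the domain maryana.local, the OU paths, the folder D:\DFSRoots\Finance, the group names and the GPO name are hypothetical, and it assumes the RSAT ActiveDirectory and GroupPolicy modules on a domain-joined admin host.

```powershell
# Added example, not the original project's code. Hypothetical names throughout:
# domain MARYANA / maryana.local, OUs, DFS target folder, group and GPO names.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupOU       = "OU=Groups,DC=maryana,DC=local"
$WorkstationOU = "OU=Workstations,DC=maryana,DC=local"
$FinanceFolder = "D:\DFSRoots\Finance"

# 1. Security groups carry the permissions. Users are never placed on an ACL directly,
#    so access is revoked by removing a group membership, not by editing folder ACLs.
$Groups = @(
    @{ Name = "Finance-RW"; Description = "Modify access to the Finance DFS folder" }
    @{ Name = "Finance-RO"; Description = "Read-only access to the Finance DFS folder" }
)
foreach ($g in $Groups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$($g.Name)'")) {
        New-ADGroup -Name $g.Name -GroupScope Global -GroupCategory Security `
                    -Path $GroupOU -Description $g.Description
    }
}

# 2. NTFS permissions: break inheritance and drop inherited ACEs, then grant exactly the
#    principals listed. Anything not listed (e.g. Everyone, Users) gets no access.
if (-not (Test-Path $FinanceFolder)) { New-Item -ItemType Directory -Path $FinanceFolder | Out-Null }
$acl = Get-Acl -Path $FinanceFolder
$acl.SetAccessRuleProtection($true, $false)   # $true = stop inheriting, $false = discard inherited ACEs
$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$rules = @(
    @("NT AUTHORITY\SYSTEM",   "FullControl"),
    @("MARYANA\Domain Admins", "FullControl"),
    @("MARYANA\Finance-RW",    "Modify"),
    @("MARYANA\Finance-RO",    "ReadAndExecute")
)
foreach ($r in $rules) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r[0], $r[1], $inherit, [System.Security.AccessControl.PropagationFlags]::None, "Allow")
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $FinanceFolder -AclObject $acl

# 3. Workstation GPO: deny every removable storage class ("All Removable Storage classes:
#    Deny all access") and force a password-protected screen saver after 10 minutes.
#    The registry keys are the documented policy locations for those two settings.
$GpoName = "Workstation-Baseline"
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | New-GPLink -Target $WorkstationOU | Out-Null
}
Set-GPRegistryValue -Name $GpoName -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices" `
    -ValueName "Deny_All" -Type DWord -Value 1 | Out-Null
$DesktopKey = "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
Set-GPRegistryValue -Name $GpoName -Key $DesktopKey -ValueName "ScreenSaveActive"    -Type String -Value "1"   | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $DesktopKey -ValueName "ScreenSaverIsSecure" -Type String -Value "1"   | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $DesktopKey -ValueName "ScreenSaveTimeOut"   -Type String -Value "600" | Out-Null
```

Password length and complexity are account policies, not registry values; they live in the Default Domain Policy (Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies) and are not set with Set-GPRegistryValue. After linking the GPO, run gpresult /h on a workstation to confirm the policy actually applied before relying on the USB block.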

Phase 2: The High-Risk ERP Migration (2021-2022)

Moving from Onyx to Tally Prime Centralization

The most critical, and highest-risk, phase of the transformation was migrating the core financial engine. The previous architecture involved syncing separate local databases via slow, unreliable batch scripts.

  • Architecture: Deployed a powerful Windows Server 2019 host dedicated to Remote Desktop Services (RDS). Specifically, we utilized RemoteApp to stream the Tally Prime application seamlessly to remote branch desktops, making the heavy ERP feel like a local application.
  • Storage & Redundancy: Configured bare-metal hardware RAID 1 (mirroring) arrays of enterprise-grade SSDs, giving the accounting software high IOPS and keeping the server running through a single-drive failure.
  • License Optimization: Configured the RD Connection Broker and session timeout policies to manage "Tally Virtual User" (TVU) concurrent licenses tightly, so that idle or disconnected sessions do not exhaust licenses during peak retail hours.
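The RemoteApp publication, transport hardening and licence-slot management described above as an added PowerShell example (not the original deployment's script). The broker name rds01.maryana.local, the collection name, the Tally install path, the AD group MARYANA\Tally-Users and the cap of 20 concurrent sessions are hypothetical; it assumes the RemoteDesktop module on a host with the RDS management tools, and the Get-RDUserSession property names (SessionState, DisconnectTime, HostServer, UnifiedSessionId) as returned by that module.

```powershell
# Added example, not the original project's code. Broker, collection, paths, group and
# licence cap are hypothetical.
Import-Module RemoteDesktop

$Broker      = "rds01.maryana.local"
$Collection  = "TallyPrime"
$MaxSessions = 20   # hypothetical concurrent-licence cap

# 1. Publish the application only, never a full desktop. -CommandLineSetting DoNotAllow
#    prevents a client from passing its own arguments to tally.exe; -UserGroups limits
#    who even sees the RemoteApp.
if (-not (Get-RDRemoteApp -CollectionName $Collection -Alias "tallyprime" -ConnectionBroker $Broker -ErrorAction SilentlyContinue)) {
    New-RDRemoteApp -CollectionName $Collection -ConnectionBroker $Broker `
        -Alias "tallyprime" -DisplayName "Tally Prime" `
        -FilePath "C:\Program Files\TallyPrime\tally.exe" `
        -CommandLineSetting DoNotAllow `
        -UserGroups "MARYANA\Tally-Users" `
        -ShowInWebAccess $true | Out-Null
}

# 2. Require NLA and TLS for the collection, and stop stale sessions from holding a
#    licence slot: idle sessions are disconnected after 30 min, disconnected ones are
#    logged off after 15 min.
Set-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Broker `
    -AuthenticateUsingNLA $true -SecurityLayer SSL -EncryptionLevel High `
    -IdleSessionLimitMin 30 -DisconnectedSessionLimitMin 15 `
    -BrokenConnectionAction Disconnect -AutomaticReconnectionEnabled $true

# 3. Licence guard for peak hours: report concurrency and, when the collection is over
#    the cap, log off the longest-disconnected sessions first. Active users are never
#    touched by this script. Intended to run from Task Scheduler every few minutes.
function Invoke-SessionCapEnforcement {
    param([string]$CollectionName, [string]$ConnectionBroker, [int]$Cap)

    $sessions     = @(Get-RDUserSession -CollectionName $CollectionName -ConnectionBroker $ConnectionBroker)
    $active       = @($sessions | Where-Object SessionState -eq 'STATE_ACTIVE')
    $disconnected = @($sessions | Where-Object SessionState -eq 'STATE_DISCONNECTED' | Sort-Object DisconnectTime)

    Write-Output ("{0:u} sessions total={1} active={2} disconnected={3} cap={4}" -f `
        (Get-Date), $sessions.Count, $active.Count, $disconnected.Count, $Cap)

    $over = $sessions.Count - $Cap
    foreach ($s in $disconnected) {
        if ($over -le 0) { break }
        Invoke-RDUserLogoff -HostServer $s.HostServer -UnifiedSessionID $s.UnifiedSessionId -Force
        Write-Output ("logged off disconnected session {0}\{1} on {2}" -f $s.DomainName, $s.UserName, $s.HostServer)
        $over--
    }
    return [pscustomobject]@{ Total = $sessions.Count; Active = $active.Count; Disconnected = $disconnected.Count; Cap = $Cap }
}

Invoke-SessionCapEnforcement -CollectionName $Collection -ConnectionBroker $Broker -Cap $MaxSessions
```

The security-relevant line is -CommandLineSetting DoNotAllow: with Allow, a user who can edit the .rdp file can launch the published binary with arbitrary arguments. Set it per application and verify with Get-RDRemoteApp after publishing.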

[Screenshot: Tally Prime Remote Desktop Services] Live Tally Prime RemoteApp sessions managed via the Server Manager RDS console.


Phase 3: The Zero Trust Pivot & Visibility (2023)

Ripping out Hardware VPNs for Software-Defined Networking

Managing site-to-site IPsec tunnels via physical Cyberoam/Sophos edge routers was a logistical nightmare. Every new store opening required flying hardware out and configuring static IPs.

  • Tailscale Mesh: I championed and executed a full migration to a software-defined mesh network using Tailscale. This moved the security perimeter from the branch edge router to the device itself.
  • Granular Access Control: Implemented strict Tailscale Access Control Lists (ACLs). An inventory scanner at Branch A is no longer implicitly trusted on the HQ network; it can reach only the specific port it needs on the inventory server.
  • Eliminated Hardware Costs: Running Tailscale on commodity hardware removed the need to renew annual firewall licensing subscriptions.
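The per-device, per-port policy behind the scanner example above, written as an added PowerShell example that builds a Tailscale ACL policy and emits it as JSON. This is not the Maryana Group's actual policy: the tag names (tag:branch-scanner, tag:hq-inventory, tag:rds-host), the group, the e-mail addresses, the inventory port 8080 and the env vars TS_API_KEY / TS_TAILNET are hypothetical. The allow-all policy at the top is the one every new tailnet starts with and is shown only for contrast.

```powershell
# Added example, not the original project's policy. Tags, group members, ports and the
# TS_API_KEY / TS_TAILNET environment variables are hypothetical.

# Default policy of a fresh tailnet: every device may reach every port on every device.
# Functionally the same flat trust as a site-to-site VPN, which is what gets replaced.
$AllowAll = @{ acls = @(@{ action = "accept"; src = @("*"); dst = @("*:*") }) }

$Policy = [ordered]@{
    # Who may apply each tag. Tagged devices authenticate as the tag, not as a person,
    # so a stolen scanner cannot be used as a foothold into anything else.
    tagOwners = [ordered]@{
        "tag:hq-inventory"   = @("autogroup:admin")
        "tag:branch-scanner" = @("autogroup:admin")
        "tag:rds-host"       = @("autogroup:admin")
    }
    groups = [ordered]@{
        "group:branch-users" = @("cashier@maryana.example", "manager@maryana.example")
    }
    # Once any rule exists, everything not matched here is denied.
    acls = @(
        # Scanners reach the inventory service port only, nothing else on HQ.
        @{ action = "accept"; src = @("tag:branch-scanner"); dst = @("tag:hq-inventory:8080") }
        # Branch staff reach RDP on the RDS host (for RemoteApp), not the HQ subnet.
        @{ action = "accept"; src = @("group:branch-users"); dst = @("tag:rds-host:3389") }
        # Admins may reach anything.
        @{ action = "accept"; src = @("autogroup:admin"); dst = @("*:*") }
    )
    # Assertions the control plane evaluates on every save; a failing test rejects the
    # policy, so a later edit cannot silently widen the scanner's reach.
    tests = @(
        @{ src = "tag:branch-scanner"; accept = @("tag:hq-inventory:8080"); deny = @("tag:rds-host:3389", "tag:hq-inventory:445") }
        @{ src = "group:branch-users"; accept = @("tag:rds-host:3389");     deny = @("tag:hq-inventory:8080") }
    )
}

function Export-TailnetPolicy {
    param([System.Collections.IDictionary]$Policy, [string]$Path)
    $json = $Policy | ConvertTo-Json -Depth 6
    Set-Content -Path $Path -Value $json -Encoding UTF8
    return $json
}

$json = Export-TailnetPolicy -Policy $Policy -Path ".\policy.json"

# Optional pre-flight: POST the policy to the validate endpoint of the tailnet API so the
# tests run before anything is applied. The API key is sent as the Basic-auth username.
if ($env:TS_API_KEY -and $env:TS_TAILNET) {
    $pair = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("$($env:TS_API_KEY):"))
    Invoke-RestMethod -Method Post `
        -Uri "https://api.tailscale.com/api/v2/tailnet/$($env:TS_TAILNET)/acl/validate" `
        -Headers @{ Authorization = "Basic $pair" } -ContentType "application/json" -Body $json
}
```

The tests block is the part worth keeping under version control: it is the written-down statement of "the scanner may not reach RDP or SMB at HQ", and it is enforced at policy-save time rather than discovered during an incident.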

Branch Network Topology

[Figure: Maryana Group Branch Network Topology] Radial network topology: 10+ branch offices connected via encrypted Tailscale mesh tunnels to the central Muscat HQ, monitored by Prometheus/Grafana.

Deep Observability: Prometheus & Grafana

A modern, distributed infrastructure requires profound visibility to detect issues before they impact retail checkout lines. I deployed a Linux-based open-source monitoring stack to observe the entire Windows and Linux fleet.

  • Prometheus: Configured to scrape latency, CPU pressure, and RDS concurrent-connection metrics from all nodes via windows_exporter (formerly wmi_exporter).
  • Grafana: Built real-time dashboards with alert rules that send webhook notifications to my phone the moment packet loss or tunnel latency exceeds critical thresholds.
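One way to feed tunnel health into that stack, as an added PowerShell example rather than the original monitoring configuration: convert the output of tailscale status --json into Prometheus metrics through the windows_exporter textfile collector. It assumes windows_exporter is started with --collector.textfile.directories pointing at C:\Prometheus\textfile (hypothetical path), and uses the Peer map fields of the status JSON (HostName, Online, CurAddr, Relay, LastHandshake, RxBytes). The peer names and the sample status document are constructed so the function can be exercised offline.

```powershell
# Added example, not the original monitoring stack's code. Textfile directory, peer names
# and the sample JSON are hypothetical/constructed.
$TextfileDir = "C:\Prometheus\textfile"

function ConvertTo-TailscaleMetrics {
    param([Parameter(Mandatory)] $Status, [datetime]$Now = (Get-Date).ToUniversalTime())

    $lines = [System.Collections.Generic.List[string]]::new()
    $lines.Add("# HELP tailscale_peer_online 1 if the peer is currently online")
    $lines.Add("# TYPE tailscale_peer_online gauge")
    $lines.Add("# HELP tailscale_peer_relayed 1 if traffic to the peer goes via a DERP relay instead of a direct path")
    $lines.Add("# TYPE tailscale_peer_relayed gauge")
    $lines.Add("# HELP tailscale_peer_handshake_age_seconds Seconds since the last WireGuard handshake (-1 if never)")
    $lines.Add("# TYPE tailscale_peer_handshake_age_seconds gauge")
    $lines.Add("# HELP tailscale_peer_rx_bytes_total Bytes received from the peer")
    $lines.Add("# TYPE tailscale_peer_rx_bytes_total counter")

    foreach ($prop in $Status.Peer.PSObject.Properties) {
        $p = $prop.Value
        $hostName = ($p.HostName -replace '["\\\n]', '')   # keep Prometheus label values well-formed
        $online   = if ($p.Online) { 1 } else { 0 }
        # No direct address but a relay assigned: packets are bouncing through DERP, which is
        # the usual reason a branch suddenly shows higher latency.
        $relayed  = if ([string]::IsNullOrEmpty($p.CurAddr) -and $p.Relay) { 1 } else { 0 }
        $age = -1
        if ($p.LastHandshake) {
            $hs = [datetime]::Parse($p.LastHandshake, $null, [System.Globalization.DateTimeStyles]::AdjustToUniversal)
            if ($hs.Year -gt 1) { $age = [math]::Round(($Now - $hs).TotalSeconds) }   # year 1 = zero value, never handshaked
        }
        $labels = "{host=`"$hostName`",relay=`"$($p.Relay)`"}"
        $lines.Add("tailscale_peer_online$labels $online")
        $lines.Add("tailscale_peer_relayed$labels $relayed")
        $lines.Add("tailscale_peer_handshake_age_seconds$labels $age")
        $lines.Add("tailscale_peer_rx_bytes_total$labels $($p.RxBytes)")
    }
    return ($lines -join "`n") + "`n"
}

# Constructed sample status (three peers: direct, relayed, offline). In production use:
#   $status = tailscale status --json | ConvertFrom-Json
$sampleJson = @'
{ "Peer": {
  "nodekey:aaaa": { "HostName": "branch-01-pos",     "Online": true,  "CurAddr": "203.0.113.7:41641", "Relay": "relay-a",
                    "LastHandshake": "2024-06-01T10:00:00Z", "RxBytes": 10240, "TxBytes": 512 },
  "nodekey:bbbb": { "HostName": "branch-02-scanner", "Online": true,  "CurAddr": "", "Relay": "relay-a",
                    "LastHandshake": "2024-06-01T09:59:30Z", "RxBytes": 2048, "TxBytes": 256 },
  "nodekey:cccc": { "HostName": "branch-03-pos",     "Online": false, "CurAddr": "", "Relay": "",
                    "LastHandshake": "0001-01-01T00:00:00Z", "RxBytes": 0, "TxBytes": 0 }
} }
'@
$status  = $sampleJson | ConvertFrom-Json
$metrics = ConvertTo-TailscaleMetrics -Status $status -Now ([datetime]::Parse("2024-06-01T10:01:00Z").ToUniversalTime())

# Write the file atomically so the exporter never scrapes a half-written file.
if (Test-Path $TextfileDir) {
    $tmp = Join-Path $TextfileDir "tailscale.prom.tmp"
    [System.IO.File]::WriteAllText($tmp, $metrics)
    Move-Item -Path $tmp -Destination (Join-Path $TextfileDir "tailscale.prom") -Force
} else {
    Write-Output $metrics
}
```

With the sample input, branch-02-scanner comes out as tailscale_peer_relayed 1 and branch-03-pos as tailscale_peer_online 0 with handshake age -1. Alerting on tailscale_peer_online == 0 for a few minutes and tailscale_peer_relayed == 1 for longer than a NAT-traversal retry window gives Grafana the two signals that matter before a checkout line notices.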

[Screenshot: Tailscale Grafana Dashboard] The custom Grafana dashboard tracking tunnel latency and UDP packet health across the international branch network.


🛠️ Engineering Deep Dive: PowerShell Automation

A centralized server generates large, centralized backups. To stop "backup bloat" from slowly consuming the RAID SSD array and eventually taking the server down, I wrote PowerShell automation scripts.

Instead of unreliable third-party GUI tools, these scripts run silently from the Windows Task Scheduler, enforcing the data retention policy while keeping disk usage in check.

# Core Logic Snippet: Automated 14-Day Rolling Backup Deletion
$TargetFolder     = "D:\Encrypted_Backups\TallyPrime_Daily_Dumps"
$RetentionDays    = 14
$LogFile          = "C:\Admin_Logs\BackupCleanup.log"
$ErrorLog         = "C:\Admin_Logs\Backup_Errors.log"
$MinRecentBackups = 3   # safety guard: never purge unless this many fresh dumps exist

# Calculate the threshold from the current system time
$ThresholdDate = (Get-Date).AddDays(-$RetentionDays)

# Files only (-File): directories are left alone, so a directory's missing Length and
# Remove-Item's recursion prompt never come into play
$AllFiles = Get-ChildItem -LiteralPath $TargetFolder -Recurse -File
$OldFiles = $AllFiles | Where-Object { $_.LastWriteTime -lt $ThresholdDate }

# Guard: if the backup job has silently stopped, or something is deleting dumps, the
# retention purge must not remove the last good copies as well
$Recent = @($AllFiles | Where-Object { $_.LastWriteTime -ge $ThresholdDate })
if ($Recent.Count -lt $MinRecentBackups) {
    Add-Content -Path $ErrorLog -Value "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') | ABORT: only $($Recent.Count) backups newer than $ThresholdDate; purge skipped"
    exit 1
}

# Iterate, force-delete each file, and log the deletion only once it has succeeded
foreach ($File in $OldFiles) {
    Try {
        $LogEntry = "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') | DELETED: $($File.FullName) | Size: $([math]::Round($File.Length / 1MB, 2)) MB"
        Remove-Item -LiteralPath $File.FullName -Force -ErrorAction Stop
        Add-Content -Path $LogFile -Value $LogEntry
    } Catch {
        # Write-Error emits to the error stream, not the pipeline, so piping it to Out-File
        # logged nothing; write the failure text straight to the error log and continue
        Add-Content -Path $ErrorLog -Value "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') | FAILED: $($File.FullName) | $($_.Exception.Message)"
    }
}

Ultimate Business Outcome

This overarching transformation fundamentally shifted the IT department from a reactive, chaotic “cost center” into a highly predictable, strategic business asset.

By modernizing on Tailscale and Windows Server RDS, we achieved an architecture that is both locked down (Zero Trust) and fluid and fault-tolerant. Centralizing the ERP lets the executive team pull real-time, cross-border financial reconciliation reports instantly, something that was impossible under the legacy decentralized architecture.