Active Directory forest, tree, domains and trust
Posted on 2011-10-12
I work as a computer technician, and amongst other things I set up servers, normally in small single-server environments. Now I am in a situation with a customer with several servers seeking my advice for a situation about setting up his domain(s). I am self-taught, so I guess you can say I have some "holes" in my knowledge about the theory on Active Directory, and thus I actually am not completely sure what answer I should give to his question.
Case: Small school with about 200 students, who share about 50 computers. The teaching staff of about 25 teachers each have their own computer. In addition to the teaching staff there are 5 people in the school administration with different roles. He wants to make sure all computers are joined to a domain, both for security and administration purposes. All students need their own personal home directory, as well as a class-shared directory. The teachers need access to the students' class-shared directory. The teachers also need their own staff-shared directory in addition to their personal home directory. But in no way can the students access the staff-network shared directory. The administration needs to be a very secure network as it will contain sensitive information about the students. The school administration will not need access to the student shares (but could), but should have access to the teacher shares. The school wants to do this "the-Microsoft-way", is only using Microsoft products and servers, and has both hardware and software for setting up a complete solution.
Preliminary thoughts: I am thinking that we should set this up as three separate domains, and create trusts between them; i.e. student.school.local, staff.school.local, admin.school.local. This way I could make a one-way trust between the domains, to make sure they have access to what they need, but still keep the domains secure. They will all be in one single location, so I was thinking to separate the networks physically or virtually by setting up 3 VLANs for security reasons.
But I am not sure if this is the "right" way to do this. Maybe this is basic knowledge, but like I said I might have some "holes" in my knowledge about this: If I create the three domains like I say, will I also need to have an additional domain controller with the domain "school.local"? Should I use ".local" or ".no" (.com)? Should I set up the "admin.school.local" as just "school.local", and have the other two as child domains? Do I need to set them up on different VLANs at all?
I am not looking for a detailed technical description on how to set up this, but thoughts and advice on what the theory and best practices say about this.
From a slightly embarrassed computer technician :-)
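As an added example (not part of the original post, and not a ruling on the one-domain-versus-three question), the script below models the access requirements from the case with AD security groups and NTFS ACLs rather than with domain boundaries. Domain-local groups can hold users from trusted domains, so the same group-and-ACL layout works whether students, staff and administration end up in one domain or in three trusted ones. Everything in it is assumed for illustration: the ActiveDirectory (RSAT) module is present, the domain is school.local, the OU/group/share names are invented, and shares live under D:\Shares on the file server.

```powershell
# Added example, not from the original post.
# Assumptions: ActiveDirectory module available, domain "school.local",
# run on the file server as a domain admin. All names below are made up.
Import-Module ActiveDirectory

$DomainDN  = (Get-ADDomain).DistinguishedName   # e.g. DC=school,DC=local
$NetBIOS   = (Get-ADDomain).NetBIOSName         # e.g. SCHOOL
$ShareRoot = 'D:\Shares'                         # assumption

# 1. One OU per population (plus one for groups) so Group Policy and
#    delegation can differ between students, staff and administration.
foreach ($ou in 'Students', 'Staff', 'Administration', 'Groups') {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $DomainDN)) {
        New-ADOrganizationalUnit -Name $ou -Path $DomainDN
    }
}

# 2. AGDLP: Global groups hold people, Domain Local groups carry permissions.
$groups = @{
    'G-Students'        = 'Global'
    'G-Teachers'        = 'Global'
    'G-Admin'           = 'Global'
    'DL-ClassShare-RW'  = 'DomainLocal'   # students + teachers
    'DL-StaffShare-RW'  = 'DomainLocal'   # teachers + administration
    'DL-AdminShare-RW'  = 'DomainLocal'   # administration only
}
foreach ($name in $groups.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope $groups[$name] -GroupCategory Security `
                    -Path "OU=Groups,$DomainDN"
    }
}
Add-ADGroupMember -Identity 'DL-ClassShare-RW' -Members 'G-Students', 'G-Teachers'
Add-ADGroupMember -Identity 'DL-StaffShare-RW' -Members 'G-Teachers', 'G-Admin'
Add-ADGroupMember -Identity 'DL-AdminShare-RW' -Members 'G-Admin'

# 3. Create a share whose NTFS ACL is explicit (inheritance from the volume
#    root is cut) and grants Modify to exactly one Domain Local group.
#    No Deny ACE is needed: a student who is in no listed group gets nothing.
function New-RestrictedShare {
    param([string]$Name, [string]$Path, [string]$AllowedGroup)

    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    if (-not (Get-SmbShare -Name $Name -ErrorAction SilentlyContinue)) {
        # Share-level permission is deliberately broad; NTFS does the gating.
        New-SmbShare -Name $Name -Path $Path -FullAccess 'Authenticated Users' | Out-Null
    }

    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $rules = @(
        New-Object System.Security.AccessControl.FileSystemAccessRule(
            'NT AUTHORITY\SYSTEM', 'FullControl', $inherit, 'None', 'Allow'),
        New-Object System.Security.AccessControl.FileSystemAccessRule(
            'BUILTIN\Administrators', 'FullControl', $inherit, 'None', 'Allow'),
        New-Object System.Security.AccessControl.FileSystemAccessRule(
            "$NetBIOS\$AllowedGroup", 'Modify', $inherit, 'None', 'Allow')
    )
    foreach ($r in $rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path $Path -AclObject $acl
}

New-RestrictedShare -Name 'ClassShare' -Path "$ShareRoot\ClassShare" -AllowedGroup 'DL-ClassShare-RW'
New-RestrictedShare -Name 'StaffShare' -Path "$ShareRoot\StaffShare" -AllowedGroup 'DL-StaffShare-RW'
New-RestrictedShare -Name 'AdminShare' -Path "$ShareRoot\AdminShare" -AllowedGroup 'DL-AdminShare-RW'

# 4. Read the ACL back and fail loudly if a broad principal or the named
#    group has any ACE on the path (the check a reviewer would actually run).
function Assert-NoAccess {
    param([string]$Path, [string]$Group)
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    $hits  = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -like "*\$Group" -or $broad -contains $_.IdentityReference.Value
    }
    if ($hits) { throw "Unexpected ACE on ${Path}: $($hits.IdentityReference.Value -join ', ')" }
    "OK: no ACE for $Group or broad principals on $Path"
}
Assert-NoAccess -Path "$ShareRoot\StaffShare" -Group 'G-Students'
Assert-NoAccess -Path "$ShareRoot\AdminShare" -Group 'G-Students'
Assert-NoAccess -Path "$ShareRoot\AdminShare" -Group 'G-Teachers'
```

The point of cutting inheritance in step 3 is that a freshly formatted data volume typically grants BUILTIN\Users read access from the root, and that inherited ACE, not the domain layout, is what usually lets students see a staff share. Step 4 is the check to keep around: run it after any ACL change, because the effective result is the intersection of share and NTFS permissions and a broad ACE at either level silently undoes the design.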