Active Directory forest, tree, domains and trust

I work as a computer technician, and amongst other things I set up servers, normally in small single-server environments. Now I am in a situation with a customer with several servers seeking my advice for a situation about setting up his domain(s). I am self-taught, so I guess you can say I have some "holes" in my knowledge about the theory on Active Directory, and thus I actually am not completely sure what answer I should give to his question.

Case: Small school with about 200 students, which share about 50 computers. The teaching staff of about 25 teachers have their own computers. In addition to the teaching staff there are 5 people in the school administration with different roles. He wants to make sure all computers are joined to a domain, both for security and administration purposes. All students need their own personal home directory, as well as a class-shared directory. The teachers need access to the students' class-shared directory. The teachers also need their own staff-shared directory in addition to their personal home directory. But the students must not in any way be able to access the staff-network shared directory. The administration needs to be a very secure network as it will contain sensitive information about the students. The school administration will not need access to the student shares (but could), but should have access to the teacher shares. The school wants to do this "the-Microsoft-way", is only using Microsoft products and servers, and has both hardware and software for setting up a complete solution.

Preliminary thoughts: I am thinking that we should set this up as three separate domains, and create trusts between them; aka:,, This way I could make a one-way trust between the domains, to make sure they have access to what they need, but still keep the domains secure. They will all be in one single location, so I was thinking to separate the networks physically or virtually by setting up 3 VLANs for security reasons.

But I am not sure if this is the "right" way to do this. Maybe this is basic knowledge, but like I said I might have some "holes" in my knowledge about this: If I create the three domains like I say, will I also need to have an additional domain controller with the domain "school.local"? Should I use ".local" or ".no" (.com)? Should I set up the "" as just "school.local", and have the other two as child domains? Do I need to set them up on different VLANs at all?

I am not looking for a detailed technical description of how to set this up, but thoughts and advice on what the theory and best practices say about this.

From a slightly embarrassed computer technician :-)
Myself, I don't rely on the Windows firewall.
I always use a router/modem with a firewall to help me protect the network and servers from the ugly Internet.

I don't have the knowledge to set up a domain the way you ask...
Perhaps someone else can shine a light on this.

Myself, I would set up a single domain.
I would lock down the PCs with group policies and passwords on the BIOS so that nobody can boot the system other than from the internal hard drive.
Also you can create a special AD computer container and give the student computers a deny on the high-security shares.
Even when someone from staff or teachers logs on to a student computer, they don't have access to the high-security shares.
They can only access the security shares from computers that are not accessible/used by students..

You could use 1 DC as primary and a 2nd DC as a backup, and instead of setting up 3 domains you could just apply it with security groups on your shared folders: a student group, teacher group, etc. You can assign individual rights to each user's personal folder through a batch file on startup to map their directories, or enforce it through group policy.
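The single-domain layout uescomp describes, worked through as an added PowerShell example (not code from any poster on this page): one domain, one security group per population, NTFS permissions that give students and teachers exactly what the question asks for and explicitly deny students the staff and administration shares, AD-assigned home directories, and a group-based logon drive map. Every name in it is an assumption: the domain school.local (NetBIOS SCHOOL), a file server FS1, shares under D:\Shares, and the OU, group and share names.

```powershell
# Added example, not from any poster. Assumed names: domain school.local (NetBIOS SCHOOL),
# file server FS1, shares under D:\Shares. Run as a domain admin on FS1 with RSAT installed
# (ActiveDirectory and SmbShare modules).
Import-Module ActiveDirectory

$domainDn   = 'DC=school,DC=local'
$netbios    = 'SCHOOL'
$fileServer = 'FS1'
$root       = 'D:\Shares'

# 1. One OU and one global security group per population.
foreach ($name in 'Students', 'Teachers', 'Administration') {
    New-ADOrganizationalUnit -Name $name -Path $domainDn -ErrorAction SilentlyContinue
    New-ADGroup -Name $name -GroupScope Global -GroupCategory Security `
                -Path "OU=$name,$domainDn" -ErrorAction SilentlyContinue
}
# Administration must see the teacher shares: nest the group instead of duplicating ACEs.
Add-ADGroupMember -Identity 'Teachers' -Members 'Administration'

# 2. Replace a folder's inherited ACL with an explicit one. An explicit Deny beats an
#    explicit Allow, so a member of Students can never open a folder that denies Students,
#    whatever other groups that account is in.
function Set-FolderAcl {
    param([string]$Path, [hashtable]$Allow, [string[]]$Deny = @())
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $newRule = { param($id, $rights, $type)
        New-Object System.Security.AccessControl.FileSystemAccessRule($id, $rights, $inherit, 'None', $type) }
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting from the parent
    $acl.Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    # Admins and SYSTEM always keep full control so the folder stays manageable and backed up.
    $acl.AddAccessRule((& $newRule "$netbios\Domain Admins" 'FullControl' 'Allow'))
    $acl.AddAccessRule((& $newRule 'NT AUTHORITY\SYSTEM'    'FullControl' 'Allow'))
    foreach ($id in $Allow.Keys) { $acl.AddAccessRule((& $newRule $id $Allow[$id] 'Allow')) }
    foreach ($id in $Deny)       { $acl.AddAccessRule((& $newRule $id 'FullControl' 'Deny')) }
    Set-Acl -Path $Path -AclObject $acl
}

# 3. Shared folders. Share permissions are left open; NTFS carries the real restriction.
#    Admin does not deny Teachers because Administration is nested inside Teachers.
$layout = @(
    @{ Name = 'Home';        Allow = @{ 'NT AUTHORITY\Authenticated Users' = 'ReadAndExecute' }; Deny = @() }
    @{ Name = 'ClassShared'; Allow = @{ "$netbios\Students" = 'Modify'; "$netbios\Teachers" = 'Modify' }; Deny = @() }
    @{ Name = 'Staff';       Allow = @{ "$netbios\Teachers" = 'Modify' };       Deny = @("$netbios\Students") }
    @{ Name = 'Admin';       Allow = @{ "$netbios\Administration" = 'Modify' }; Deny = @("$netbios\Students") }
)
foreach ($share in $layout) {
    $path = Join-Path $root $share.Name
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    Set-FolderAcl -Path $path -Allow $share.Allow -Deny $share.Deny
    if (-not (Get-SmbShare -Name "$($share.Name)$" -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name "$($share.Name)$" -Path $path -FullAccess 'Authenticated Users' | Out-Null
    }
}

# 4. Personal home directory: only the user (plus admins/SYSTEM) can open it, and AD maps it
#    as H: at logon. Assumes the account already exists.
function New-UserHome {
    param([string]$SamAccountName)
    $path = Join-Path "$root\Home" $SamAccountName
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    Set-FolderAcl -Path $path -Allow @{ "$netbios\$SamAccountName" = 'Modify' }
    Set-ADUser -Identity $SamAccountName -HomeDrive 'H:' -HomeDirectory "\\$fileServer\Home$\$SamAccountName"
}

# 5. User logon script (deploy as a separate .ps1 through a GPO): map drives by group membership.
#    The drive letters only hide shares a user cannot open anyway; NTFS decides access.
function Invoke-DriveMap {
    $me  = [System.Security.Principal.WindowsPrincipal][System.Security.Principal.WindowsIdentity]::GetCurrent()
    $map = @{ 'T' = 'ClassShared$' }
    if ($me.IsInRole("$netbios\Teachers"))       { $map['S'] = 'Staff$' }
    if ($me.IsInRole("$netbios\Administration")) { $map['A'] = 'Admin$' }
    foreach ($letter in $map.Keys) {
        New-PSDrive -Name $letter -PSProvider FileSystem -Root "\\$fileServer\$($map[$letter])" `
                    -Persist -Scope Global -ErrorAction SilentlyContinue | Out-Null
    }
}

# Usage on the server, once the accounts exist (sample names, constructed):
'student01', 'student02', 'teacher01' | ForEach-Object { New-UserHome $_ }
```

Two points worth keeping in mind with this layout. NTFS evaluates the groups in the user's token, not the computer the request comes from, so a teacher who logs on to a student PC with their own account still reaches the staff share; the Deny ACE protects the data from student accounts, and the separate question of which machines staff should type their password on is a network and policy matter, not an ACL one. Second, the explicit Deny on Students is defence in depth: the folder already grants nothing to students, and the Deny only guards against someone later adding a broad Allow by mistake.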
What uescomp said: that is probably the best working solution.

Supporting several domains and VLANs can be a time-eating solution, and there is a great chance that whizz-kids move the patch cable from one VLAN to a wall outlet on another VLAN... just for the fun of it...

Also the use of .local as the local domain name is advised by Microsoft as far as I know..
This will prevent DNS issues in the future...
For example "school.local" as the local domain.


tommyeriksenAuthor Commented:
Thank you for your answers, but I am not completely comfortable with just having it on the same LAN. The reason is security. If one staff or administration username/password were known to a student, he could easily hack the server. And because the admin areas of the server shares will have sensitive information, we will need additional security. To physically separate them or use VLANs will enable me to also control the separated networks using firewalls. Even though the Windows security is probably good, the fact that the students can physically access the staff network is regrettably not acceptable. I could maybe have them on a single network if the teachers used some kind of two-factor authentication system... But that also makes it kind of complicated...
Think from the other side.
If the staff and teachers are leaking their usernames and passwords, then ICT can't do anything.

It is the same as if someone left the doors open.....

So security is an effort from all people and not only the ICT.

If you want to create a special VLAN for higher security, the computers connected to this VLAN should also not be touched by any students.... Is that a scenario that can be done, is that realistic?

The two-way authentication... PFFF.
Perhaps you can create authentication with username/password plus the use of a special token with a PIN code for accessing high-security folders...

Software onbekend is correct. It should be stated clearly to teachers/administrators that they must keep their username and password to themselves, and that it is their own responsibility to keep students/other teachers from knowing it. This includes methods such as passwords taped to the monitor or the super secret place (under the keyboard).

I guess I am wondering what kind of users you are working with, such as the age group of the students, if you're worried about students hacking the server. Depending on the age group, I do know what you mean where kids attempt to get to places where they shouldn't be, but that's where the permissions come in.

All in all I don't think you have anything to be worried about. I would make a statement about not sharing their passwords and the problems that can arise if they do. I make new employees sign off on a user policy agreement stating that systems are monitored and not to abuse the system, confidentiality etc. If they gave out their password and damage was done, that is the same as damage to company property, for which they will be responsible. If a student hacks into your server without knowing a teacher's password, I think you have bigger problems.
tommyeriksenAuthor Commented:
Thank you all for your responses. You are probably right that this security should be sufficient, and that if a student hacks into the server without knowing a teacher's password I have bigger problems.

But do you agree that the security risk between the students and the staff server is then equal to the security risk of a server standing on a normal Internet connection without any physical firewall? The only security we rely on is the security of the server itself, and the Windows firewall on it. We would say that a server that has sensitive information should be protected by a physical firewall on the Internet side... Why is this less important now?

Anyway, thank you for your input. But let's say, for the sake of understanding the Active Directory part of it, that the networks were in different locations. How would we set up the forest / tree / child domain structure as initially described?
tommyeriksenAuthor Commented:
I have closed this case, but there are still unanswered questions. Thanks for the advice anyway!