tommyeriksen asked:
Active Directory forest, tree, domains and trust

I work as a computer technician, and amongst other things I set up servers, normally in small single-server environments. Now I am in a situation with a customer with several servers seeking my advice for a situation about setting up his domain(s). I am self-taught, so I guess you can say I have some "holes" in my knowledge about the theory on Active Directory, and thus I actually am not completely sure what answer I should give to his question.

Case: Small school with about 200 students, which share about 50 computers. The teaching staff of about 25 teachers each have their own computer. In addition to the teaching staff there are 5 people in the school administration with different roles. He wants to make sure all computers are joined to a domain both for security and administration purposes. All students need their own personal home directory, as well as a class-shared directory. The teachers need access to the students' class-shared directory. The teachers also need their own staff-shared directory in addition to their personal home directory. But in no way can the students be allowed to access the staff-shared directory. The administration needs to be a very secure network as it will contain sensitive information about the students. The school administration will not need access to the student shares (but could), but should have access to the teacher shares. The school wants to do this "the-Microsoft-way", is only using Microsoft products and servers, and has both hardware and software for setting up a complete solution.

Preliminary thoughts: I am thinking that we should set this up as three separate domains, and create trusts between them; aka: student.school.local, staff.school.local, admin.school.local. This way I could make a one-way trust between the domains, to make sure they have access to what they need, but still keep the domains secure. They will all be in one single location, so I was thinking to separate the networks physically or virtually by setting up 3 VLANs for security reasons.

But I am not sure if this is the "right" way to do this. Maybe this is basic knowledge but like I said I might have some "holes" in my knowledge about this: If I create the three domains like I say, will I also need to have an additional domain controller with the domain "school.local"? Should I use ".local" or ".no" (.com)? Should I set up "admin.school.local" as just "school.local", and have the other two as child domains? Do I need to set them up on different VLANs at all?

I am not looking for a detailed technical description of how to set this up, but thoughts and advice on what the theory and best practices are saying about this.

From a slightly embarrassed computer technician :-)

uescomp:

You could use 1 DC as primary and a 2nd DC as a backup, and instead of setting up 3 domains you could just apply it with security groups to your shared folders: a student group, teacher group, etc. You can assign individual rights to each user's personal folder through a batch file on startup to map their directories, or enforce it through Group Policy.
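
The single-domain design sketched in this answer (one domain, one security group per role, NTFS permissions on the shares, a per-user home folder mapped at logon) can be laid out in PowerShell as follows. This is an added example, not code posted by uescomp or the asker; the domain school.local (NetBIOS SCHOOL), the file server FS01, the share root D:\Shares, the OU "OU=Groups" and the group names Students / Teachers / Administration are all assumptions chosen to match the question. It uses the ActiveDirectory and SmbShare modules that ship with Windows Server.

```powershell
# Added example (not uescomp's or the asker's code): the single-domain design
# uescomp describes, built with security groups and NTFS ACLs instead of trusts.
# Assumed names: domain school.local (NetBIOS SCHOOL), file server FS01,
# share root D:\Shares, OU "OU=Groups,DC=school,DC=local",
# groups Students / Teachers / Administration. Run on FS01 as a domain admin.
Import-Module ActiveDirectory
Import-Module SmbShare

$Root    = 'D:\Shares'                         # assumed share root on FS01
$Server  = 'FS01'                              # assumed file server
$GroupOU = 'OU=Groups,DC=school,DC=local'      # assumed OU for the groups
$Domain  = 'SCHOOL'                            # assumed NetBIOS domain name

# 1. One global security group per role. Access follows group membership,
#    so the three populations need neither separate domains nor trusts.
foreach ($g in 'Students', 'Teachers', 'Administration') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $GroupOU
    }
}

# 2. Helper: give a folder a protected DACL (no inheritance from D:\Shares)
#    holding only the grants passed in. SYSTEM and the local Administrators
#    group always keep full control so backups and admins are never locked out.
function Set-FolderAcl {
    param([string]$Path, [hashtable]$Grants)   # Grants: 'DOMAIN\Group' -> FileSystemRights
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)     # explicit entries only
    $flags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $all = @{ 'NT AUTHORITY\SYSTEM' = 'FullControl'; 'BUILTIN\Administrators' = 'FullControl' } + $Grants
    foreach ($entry in $all.GetEnumerator()) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $entry.Key, $entry.Value, $flags, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# 3. Shared folders. Students appear on no staff or administration ACL, which is
#    the "students must never reach staff data" requirement from the question;
#    administration can reach the teacher share, teachers can reach the class share.
$Shares = @{
    ClassShared = @{ "$Domain\Students" = 'Modify'; "$Domain\Teachers" = 'Modify' }
    StaffShared = @{ "$Domain\Teachers" = 'Modify'; "$Domain\Administration" = 'Modify' }
    AdminShared = @{ "$Domain\Administration" = 'Modify' }
}
foreach ($name in $Shares.Keys) {
    $path = Join-Path $Root $name
    Set-FolderAcl -Path $path -Grants $Shares[$name]
    if (-not (Get-SmbShare -Name $name -ErrorAction SilentlyContinue)) {
        # Share-level permission is deliberately broad; the NTFS ACL above decides access.
        New-SmbShare -Name $name -Path $path -ChangeAccess 'Authenticated Users' | Out-Null
    }
}

# 4. Personal home folders: one folder per user that only that user (plus
#    SYSTEM/Administrators) can open. Access-based enumeration hides the other
#    users' folders, and the AD account is pointed at the folder so Windows
#    maps H: at logon without a batch file.
$HomeRoot = Join-Path $Root 'Homes'
Set-FolderAcl -Path $HomeRoot -Grants @{ 'Authenticated Users' = 'ReadAndExecute' }
if (-not (Get-SmbShare -Name 'Homes$' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'Homes$' -Path $HomeRoot -ChangeAccess 'Authenticated Users' `
        -FolderEnumerationMode AccessBased | Out-Null
}
foreach ($group in 'Students', 'Teachers', 'Administration') {
    $members = Get-ADGroupMember -Identity $group -Recursive | Where-Object objectClass -eq 'user'
    foreach ($user in $members) {
        $sam = $user.SamAccountName
        Set-FolderAcl -Path (Join-Path $HomeRoot $sam) -Grants @{ "$Domain\$sam" = 'Modify' }
        Set-ADUser -Identity $sam -HomeDrive 'H:' -HomeDirectory "\\$Server\Homes`$\$sam"
    }
}
```

The point to take from the script is where the separation lives: every folder carries an explicit, non-inherited ACL naming only the groups that may use it, so a student account can be a member of the same domain as the staff and still be unable to open StaffShared or AdminShared. Mapping the shared drives themselves (S:, T:) is best done with a Group Policy Preference drive map filtered on the same groups, which is the Group Policy variant uescomp mentions.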
What uescomp said: that is probably the best working solution.

Supporting several domains and VLANs can be a time-eating solution, and there is a great chance that whizz-kids move the patch cable from one VLAN to a wall outlet on another VLAN... just for the fun of it...

Also, the use of .local as the local domain name is advised by Microsoft as far as I know.
This will prevent DNS issues in the future...
For example "school.local" as the local domain.

tommyeriksen (asker):

Thank you for your answers, but I am not completely comfortable with just having it on the same LAN. The reason is security. If one staff or administration username/password were known to a student, he could easily hack the server. And because the admin areas of the server shares will have sensitive information, we will need additional security. Physically separating them or using VLANs will enable me to also control the separated networks using firewalls. Even though the Windows security is probably good, the fact that the students can physically access the staff network is regrettably not acceptable. I could maybe have them on a single network if the teachers used some kind of two-factor authentication system... But that also makes it kind of complicated...

Think from the other side.
If the staff and teachers are leaking their usernames and passwords, then the ICT can't do anything.

It is the same as if someone left the doors open...

So security is an effort from all people and not only the ICT.

If you want to create a special VLAN for higher security, the computers connected to this VLAN should also not be touched by any students... Is that a scenario that can be done, is that realistic?

The 2-way authentication... PFFF.
Perhaps you can create an authentication with username/password and the use of a special token with PIN code for accessing high-security folders...

SOLUTION by uescomp (text not included on this page)

tommyeriksen (asker):
Thank you all for your response. You are probably right that this security should be sufficient, and that if a student hacks into your server without knowing a teacher's password I have bigger problems.

But do you agree that the involved security (risk) between the students and the staff server is then equal to the security (risk) of a server standing on a normal internet connection without any physical firewall? The only security we rely on is the security of the server itself, and the Windows firewall on it. We would say that a server that has sensitive information should be protected by a physical firewall from the internet side... Why is this less important now?

Anyway, thank you for your input. But let's say, for the sake of understanding the Active Directory part of it, that the networks were in different locations. How would we set up the forest / tree / child domain structure as initially described?

ASKER CERTIFIED SOLUTION (text not included on this page)

tommyeriksen (asker):
I have closed this case, but there are still unanswered questions. Thanks for the advice anyway!