Solved

Domain Controller Implementation

Posted on 2013-01-08
10
550 Views
Last Modified: 2013-01-13
I have a domain controller and Active Directory installed on Windows Server 2008 with the domain name example.local, implemented at our college and used for our staff.
I need to add our students and the classroom computers to a domain controller.
What is the best scenario to implement at the college?
The same forest with a new DC, a sub-domain, etc.?
Please advise.
i.e.
Hardware and licenses are available.
0
Comment
Question by:bhajissa
10 Comments
 
LVL 3

Expert Comment

by:Tm-L
ID: 38753921
Could you not just add the machines/users to the existing domain, or do you want them to be separated from the staff group in the AD tree? Either way, I would have thought you could still use the same domain and just structure your AD tree accordingly.

Maybe you could explain a bit more: why is it that a sub-domain is needed? If your current DC is powerful enough it should handle it, but if not you could load balance with more DCs etc., still within the same domain; it is just a matter of configuring FSMO roles between all the DCs.
0
 
LVL 8

Expert Comment

by:teomcam
ID: 38753966
You have to keep and create all students in the same domain! That is vital, unless you have different campuses at different geographical locations!
Please find our college's production environment below. Given the school environment we are flexible so far and it is working perfectly fine. When you create the student OU, also create sub-OUs as seen in the screenshot.

Std = Students
Stf = Staff, including all teachers and staff members

domainntreedomain.png
0
 
LVL 3

Expert Comment

by:Tm-L
ID: 38754007
As teomcam has said, really, this is how I would do it. I understand why you may be looking at a sub-domain, but unless you have a good cause for this you really are just looking at adding the machines to the domain and keeping a well-structured AD tree.
0
 

Author Comment

by:bhajissa
ID: 38754322
It was only security concerns.
I don't want to make it easy for the students to try to get onto the staff and teachers' domain.
So I thought that if I create a different domain name, example2.local, for the students it will be better, while keeping the ability for admins from the first domain to manage the second one.
The need is to have a robust and secure design for the college domains.
0
 
LVL 3

Assisted Solution

by:Tm-L
Tm-L earned 150 total points
ID: 38754582
You can do all of this within a single domain. By configuring permissions/access levels etc. you will be able to lock down the security, and anyone who can break through this security would likely be able to break through multiple domains.

A sub-domain would still have the inherent issue of being in the same forest, so just as accessible, so really you would just be making more work for yourself.

A separate domain would cause even more issues if you wanted to share resources etc., and it's likely you would end up setting up a domain-level trust between the two domains, which would mean you may as well have built everything within the single domain.

I think you should stick with one domain but research permissions/AD/access levels and the setups that others in the industry are using.

The only time I have seen a mixed domain setup has been when using a test network that was accessible site-wide and so easier to place on its own domain in that instance.

A good deal of planning should be put into any network. I think you should start drafting documents detailing what you want your users to access and how you want them grouped etc., thinking about how you would target users (by class groups/year groups/learner age etc.) and things of that nature, because once you have established the interactions between users and the system and the requirements of the system, I think you will find it very much easier to build this network.
0
 
LVL 8

Accepted Solution

by:teomcam
teomcam earned 350 total points
ID: 38755936
School environments are always a challenge. Students will never stop pushing the borders. Creating another domain will not contribute to your security. Put them in a separate OU and limit unnecessary features via Group Policy, such as Internet Options in IE. Don't give them local admin rights or any elevated rights. If a particular piece of software needs admin rights then finish it locally or include it in the image like we do.
Usually the default settings of a domain are pretty safe and will not allow users to interfere and mess with the domain security. As advice: never touch the Default Domain Policy. Instead create another policy and link it. Create groups and spend time on permission management, as it will directly impact their abilities.
Have you thought about filtering harmful internet content? If yes, you may start thinking about AD-integrated filtering like TMG. Students will try and leech your bandwidth if you don't have this or a similar solution.
On the client side, try not to give local admin rights to anyone, including staff, unless it's really necessary. That will eliminate a lot of problems.
Implement your DC with the highest Forest Functional and Domain Functional Level, which will give you much better control over GPO. You may restrict the software that students try to run to mess with your network. Create a separate VLAN for wireless, use IP reservations for the client machines, and stop IP distribution on the server VLAN. There are heaps of ways to tell, and there will be even more, as students will never stop; this is their business and they will do what they have to do, which means being naughty :))
0
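The accepted answer's layout (students in their own OU, restrictions applied through a new GPO linked to that OU, Default Domain Policy left alone) as an added PowerShell example. This is not code from the thread or from either expert's environment; it assumes the example.local domain from the question, RSAT's ActiveDirectory and GroupPolicy modules, a Domain Admin session, and invented OU, group and GPO names (Students, Staff, G-Students, "Student Lockdown").

```powershell
# Added example (not from the thread): student/staff OU layout with a dedicated
# student GPO, leaving Default Domain Policy untouched.
# Assumes example.local (DC=example,DC=local), RSAT AD + GroupPolicy modules,
# and a Domain Admin session. All OU/group/GPO names below are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=example,DC=local

# OU layout: top-level Students and Staff OUs, each with Users and Computers sub-OUs,
# so user and computer policies can be targeted separately per population.
$layout = @{
    'Students' = @('Users', 'Computers')
    'Staff'    = @('Users', 'Computers')
}
foreach ($top in $layout.Keys) {
    $topDN = "OU=$top,$domainDN"
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$top)" -SearchBase $domainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $top -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
    foreach ($sub in $layout[$top]) {
        if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$sub)" -SearchBase $topDN -SearchScope OneLevel)) {
            New-ADOrganizationalUnit -Name $sub -Path $topDN -ProtectedFromAccidentalDeletion $true
        }
    }
}

# A global security group for students: grant or deny resource permissions to the
# group, never to individual accounts (assumed group name).
$studentsUsersOU = "OU=Users,OU=Students,$domainDN"
if (-not (Get-ADGroup -LDAPFilter '(sAMAccountName=G-Students)')) {
    New-ADGroup -Name 'G-Students' -SamAccountName 'G-Students' -GroupScope Global `
        -GroupCategory Security -Path $studentsUsersOU
}

# Student lockdown GPO: a NEW policy that will be linked to the Students OU only.
# Default Domain Policy is deliberately not modified.
$gpoName = 'Student Lockdown'
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'User restrictions for student accounts' }

# Hide Control Panel (User Configuration > Administrative Templates > Control Panel).
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null
# Disable the Internet Options dialog in Internet Explorer (the IE example from the answer).
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions' `
    -ValueName 'NoBrowserOptions' -Type DWord -Value 1 | Out-Null

# Link to the Students OU; inheritance carries it to both sub-OUs, Staff is unaffected.
$studentsOU = "OU=Students,$domainDN"
$linked = (Get-GPInheritance -Target $studentsOU).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $studentsOU -LinkEnabled Yes | Out-Null
}

# Verify: the Students OU should list the new GPO, and Default Domain Policy stays at the domain root.
Get-GPInheritance -Target $studentsOU | Select-Object -ExpandProperty GpoLinks |
    Select-Object DisplayName, Enabled, Order
```

Run it once as Domain Admin; every step checks for an existing object first, so re-running is safe. Keeping the restrictions in their own GPO means a `gpresult /r` on a student PC shows exactly which policy produced a setting, and removing the link reverts students without touching staff.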
 

Author Comment

by:bhajissa
ID: 38762923
I think I will stay with one domain and try to work on the Group Policy side as Tm-L and teomcam mention in their comments.
But, again, is there any best practice for deploying AD at a college or university with security and GPOs?
0
 
LVL 8

Assisted Solution

by:teomcam
teomcam earned 350 total points
ID: 38764444
Depending on your environment you may follow or create your own way, but for a single campus, regardless of the number of users, one domain with a single site is enough. This means just promote your DC with defaults and you will already have a single domain with a single site. An additional domain controller I can say is a MUST! That means you will need a second machine for it. After creating your domain you will run the tests (dcdiag, replication etc.) and when you have made sure DC, DNS and DHCP are operating with no problems, you can start creating your OUs, groups and staff users and start joining the client machines to the domain. After all that you may start creating student users. I highly recommend not installing antivirus until you complete configuring the DCs! When you have made sure everything is working fine, then deploy antivirus.
Since you are a school I highly recommend you have a web filter mechanism such as TMG (ISA) to protect the children from harmful websites and content.
Another very important thing is do not use the DCs and servers for daily tasks and install garbage on them. Basically, leave the DCs alone.
0
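The health checks teomcam describes (dcdiag, replication, the core services on each DC) before any user or computer is added, followed by a domain join that lands the lab PC directly in the student computers OU, as an added PowerShell example that is not from the thread. It assumes the example.local domain, Windows PowerShell 5.1 on a machine with RSAT, an OU named `OU=Computers,OU=Students,DC=example,DC=local`, and a join account `EXAMPLE\joinaccount`; all of these names are assumptions.

```powershell
# Added example (not from the thread): verify DC health and replication after
# promoting the second DC, then join a lab PC into the student computers OU.
# Assumes example.local, Windows PowerShell 5.1 + RSAT, and the assumed OU/account names.
Import-Module ActiveDirectory

# 1. dcdiag across the domain: DNS, replication, services and DC advertising.
#    /q prints only failures, so empty output is the goal.
dcdiag /test:dns /test:replications /test:services /test:advertising /q

# 2. The services a DC cannot do without, on every DC.
foreach ($dc in (Get-ADDomainController -Filter *)) {
    $svc = Get-Service -ComputerName $dc.HostName -Name NTDS, DNS, Netlogon, KDC -ErrorAction SilentlyContinue
    '{0,-24} {1}' -f $dc.HostName, (($svc | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ' ')
}

# 3. Replication: any consecutive failures or a stale last-success time means stop
#    and fix replication before creating OUs, groups or users.
repadmin /replsummary
Get-ADReplicationPartnerMetadata -Target (Get-ADDomain).DNSRoot -Scope Domain -Partition * |
    Select-Object Server, Partner, Partition, LastReplicationSuccess,
                  ConsecutiveReplicationFailures, LastReplicationResult |
    Format-Table -AutoSize

# 4. FSMO role holders should all resolve to a live DC.
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster

# 5. Only after the above is clean: join a lab PC straight into the student computers OU,
#    so it picks up the student GPOs at first boot instead of landing in the default
#    Computers container. Run this part on the lab PC itself.
$labOU = 'OU=Computers,OU=Students,DC=example,DC=local'   # assumed OU
Add-Computer -DomainName 'example.local' -OUPath $labOU `
    -Credential (Get-Credential 'EXAMPLE\joinaccount') -Restart

# After the reboot, confirm the machine's secure channel to the domain is healthy.
# Test-ComputerSecureChannel -Verbose
```

Steps 1 to 4 run on any DC or RSAT workstation; step 5 runs on the client being joined. `Get-Service -ComputerName` is a Windows PowerShell 5.1 parameter (it was removed in PowerShell 7), which is why that version is assumed.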
 

Author Comment

by:bhajissa
ID: 38765338
Thanks, teomcam.
I have all that you mention, and it is already well configured for my staff with a Fortinet firewall and running very smoothly without problems; sorry I didn't mention this at the beginning.
What I need is an extra level of security and GPOs, if that's possible.
0
 
LVL 8

Expert Comment

by:teomcam
ID: 38768139
GPOs have hundreds of options and it's practically up to you which ones suit your school's behaviour. A simple example: we disable the Internet Explorer Options menu for the students, disable Control Panel, etc. Some schools don't prefer that or they do it a different way.
Always keep student and staff login scripts separate. You may force a single login for students so they cannot log in at the same time with the same username (first they must log off from the previous one). Computers used by staff can be restricted from the students so they cannot log in on the machines where you don't want them, or you can even limit their logon hours.
As I said, it's really up to your school's policy.
On the client side, AV with proactive protection and a firewall is very important. We are using Symantec Endpoint, so we are able to control each client's status or take action remotely. Usually with default settings it already takes care of the system.
0
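The two per-user restrictions teomcam names here, limiting which machines a student can log on to and the hours they may log on, applied while provisioning student accounts in bulk, as an added PowerShell example that is not from the thread. It assumes the example.local domain, an OU `OU=Users,OU=Students,DC=example,DC=local`, a group `G-Students`, lab PC names `LAB01-PC01` to `LAB01-PC03`, and a constructed two-row CSV standing in for the student information system; all of these are assumptions. Active Directory stores `logonHours` in UTC, and this example assumes the college clock is UTC; shift the hour range if it is not.

```powershell
# Added example (not from the thread): bulk-create student accounts and restrict
# each to the lab PCs and to weekday teaching hours. Assumes example.local and the
# assumed OU, group and computer names below.
Import-Module ActiveDirectory

$studentOU = 'OU=Users,OU=Students,DC=example,DC=local'   # assumed OU
$labPCs    = 'LAB01-PC01,LAB01-PC02,LAB01-PC03'          # assumed NetBIOS names, comma-separated

# Constructed sample input; in practice this is an export from the student records system.
$students = @'
SamAccountName,GivenName,Surname,Class
s2013001,Amina,Saleh,CS1
s2013002,Omar,Khalid,CS1
'@ | ConvertFrom-Csv

# logonHours is a 21-byte attribute: 3 bytes per day starting Sunday, one bit per hour,
# least significant bit = earliest hour of that byte's 8-hour block, interpreted in UTC.
# Allow Monday to Friday, 07:00-18:59 (assumed college clock = UTC).
$hours = New-Object byte[] 21
foreach ($day in 1..5) {                        # 0 = Sunday ... 6 = Saturday
    foreach ($h in 7..18) {
        $idx = $day * 3 + [math]::Floor($h / 8)
        $hours[$idx] = $hours[$idx] -bor (1 -shl ($h % 8))
    }
}

$initialPasswords = @{}   # handed to the registrar out of band, never written to a log
foreach ($s in $students) {
    # Random one-time password; the user must change it at first logon.
    $plain  = 'Welcome-' + (Get-Random -Minimum 100000 -Maximum 999999)
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    New-ADUser -Name "$($s.GivenName) $($s.Surname)" -SamAccountName $s.SamAccountName `
        -UserPrincipalName "$($s.SamAccountName)@example.local" `
        -GivenName $s.GivenName -Surname $s.Surname -Department $s.Class `
        -Path $studentOU -AccountPassword $secure -ChangePasswordAtLogon $true -Enabled $true

    # The two restrictions from the answer: allowed workstations and allowed hours.
    Set-ADUser -Identity $s.SamAccountName -LogonWorkstations $labPCs -Replace @{ logonHours = $hours }

    # Membership drives resource permissions, never per-account ACLs.
    Add-ADGroupMember -Identity 'G-Students' -Members $s.SamAccountName
    $initialPasswords[$s.SamAccountName] = $plain
}

# Verify what was applied; a logon from a staff PC or outside the window is refused at the DC.
Get-ADUser -Filter 'Department -eq "CS1"' -SearchBase $studentOU -Properties LogonWorkstations, logonHours |
    Select-Object SamAccountName, Enabled, LogonWorkstations,
                  @{ n = 'logonHoursHex'; e = { ($_.logonHours | ForEach-Object { $_.ToString('x2') }) -join '' } }
```

A student outside the allowed window or on a non-lab machine gets a logon failure at the DC (Security event 4625 with the corresponding substatus), so these restrictions are also visible in audit logs. The thread's "single login per username" point is not covered here: Active Directory has no native setting for it, so it is normally done with a logon script or third-party tool.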
