Domain Controller Implementation

Posted on 2013-01-08
Last Modified: 2013-01-13
I have a domain controller and Active Directory installed on Windows Server 2008 with the domain name example.local, implemented at our college and used for our staff.
I need to add our students and the computers in the classrooms to a domain controller.
What is the best scenario to implement at the college?
In the same forest with a new DC, a sub-domain, etc.?
Please advise.
i.e.
Hardware and licenses are available.
Question by: bhajissa
Expert Comment by: Tm-L
ID: 38753921
Could you not just add the machines/users to the existing domain, or do you want them to be removed from the staff group in the AD tree? Either way, I would've thought you could still use the same domain and just structure your AD tree accordingly.

Maybe you could explain a bit more: why is it that a sub-domain is needed? If your current DC is powerful enough it should handle it, but if not you could load balance with more DCs etc., still within the same domain; it's just a matter of configuring FSMO roles between all the DCs.
Expert Comment by: teomcam
ID: 38753966
You've got to keep and create all students in the same domain! That is vital unless you have different campuses at different geographical locations!
Please find our college's production environment. According to the school environment we are flexible so far and it's working perfectly fine. When you create the student OU, also create sub-OUs as seen in the screenshot.

Std = Students
Stf = Staff, including all teachers and staff members

[attached screenshot: domainntreedomain.png]
Expert Comment by: Tm-L
ID: 38754007
As teomcam has said, really, this is how I would do it. I understand why you may be looking at a sub-domain, but unless you have a good cause for this you really are just looking at adding the machines to the domain and keeping a well-structured AD tree.
Author Comment by: bhajissa
ID: 38754322
It was only security concerns;
I don't want to make it easy for the students to try to get onto the staff and teachers' domain.
So I thought that if I created a different domain name, example2.local, for the students it would be better, while keeping the ability for admins from the first domain to manage the second one.
The need is to have a robust and secure design for the college domains.
Assisted Solution by: Tm-L (earned 150 total points)
ID: 38754582
You can do all of this within a single domain. By configuring permissions/access levels etc. you will be able to lock down the security, and anyone that can break through this security would likely be able to break through multiple domains.

A sub-domain would still have the inherent issue of being in the same domain, so just as accessible, so really you would just be making more work for yourself.

And a separate domain would cause even more issues if you wanted to share resources etc., and it's likely you would end up setting up a domain-level trust between the two domains, which would mean you may as well have built everything within the single domain.

I think you should stick with one domain but research permissions/AD/access levels and the setups that others in the industry are using.

The only time I have seen a mixed domain setup has been when using a test network that was accessible site-wide and so easier to place on its own domain in that instance.

A good deal of planning should be put into any network. I think you should start drafting documents detailing what you want your users to access and how you want them grouped etc., thinking about how you would target users (by class groups/year groups/learner age, etc.) and things of that nature, because once you have established the interactions between users and the system and the requirements of the system I think you will find it very much easier to build this network.
Accepted Solution by: teomcam (earned 350 total points)
ID: 38755936
School environments are always a challenge. Students will never stop pushing the boundaries. Creating another domain will not contribute to your security. Put them in a separate OU and limit unnecessary features via Group Policy, such as Internet Options in IE. Don't give them local admin rights or any elevated rights. If a particular piece of software needs admin rights then finish it locally or include it in the image like we do.
Usually the default settings of a domain are pretty safe and will not allow users to interfere and mess with the domain security. As advice, never touch the Default Domain Policy. Instead create another policy and link it. Create groups and spend time on permission management as it will directly impact their ability.
Have you thought about filtering harmful internet content? If yes, you may start thinking about AD-integrated filtering like TMG. Students will try to leech your bandwidth if you don't have this or a similar solution.
On the client side try not to give local admin rights to anyone, including staff, unless it's really necessary. That will eliminate a lot of problems.
Implement your DC with the highest Forest Functional and Domain Functional Level, which will give you way better control over GPOs. You may restrict the software that students try to run to mess with your network. Create a separate VLAN for wireless and use IP reservations for the client machines, and stop IP distribution on the server VLAN. There are heaps of ways to tell and there will be even more, as students will never stop; this is their business and they will do what they have to do, which means being naughty :))
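The accepted solution's core recommendation (one domain, students in their own OU, a dedicated GPO linked to that OU, Default Domain Policy left alone) translates directly into a small amount of PowerShell. The following is an added example written for this page, not code from the thread or from either expert. It assumes a management host with the ActiveDirectory and GroupPolicy modules (RSAT), and the OU names, the GPO name and the two registry-backed policies (hide Control Panel, hide IE Internet Options) are illustrative choices, not something the thread specifies.

```powershell
# Added example (not from the original thread). Hypothetical names: the OU layout,
# the GPO name and the two lockdown settings are assumptions for illustration.
#Requires -Modules ActiveDirectory, GroupPolicy
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = (Get-ADDomain).DistinguishedName     # e.g. DC=example,DC=local
$GpoName  = 'Students - Desktop Lockdown'        # assumed GPO name

# OU tree: Students and Staff at the top, sub-OUs under each so policy can be
# targeted per lab/year group without ever touching staff objects.
$Layout = @{
    'Students' = @('Users', 'Computers', 'Year1', 'Year2')
    'Staff'    = @('Users', 'Computers')
}

function Ensure-OU {
    # Create the OU if it does not exist yet; return its DN either way.
    param([string]$Name, [string]$Path)
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $Path -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    return "OU=$Name,$Path"
}

foreach ($top in $Layout.Keys) {
    $topDN = Ensure-OU -Name $top -Path $DomainDN
    foreach ($sub in $Layout[$top]) { Ensure-OU -Name $sub -Path $topDN | Out-Null }
}
$StudentsOU = "OU=Students,$DomainDN"

# A dedicated GPO instead of edits to Default Domain Policy, as the answer advises.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Student lockdown. Link only under OU=Students.'
}

# User-side restrictions named in the answer: hide Control Panel and the IE Options dialog.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions' `
    -ValueName 'NoBrowserOptions' -Type DWord -Value 1 | Out-Null

# Link the GPO to the Students OU only (idempotent), so staff are never in scope.
$linked = (Get-GPInheritance -Target $StudentsOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $StudentsOU -LinkEnabled Yes | Out-Null
}

# Verify: Default Domain Policy untouched (check its modification time), lockdown GPO linked once.
Get-GPO -Name 'Default Domain Policy' | Select-Object DisplayName, ModificationTime
(Get-GPInheritance -Target $StudentsOU).GpoLinks | Select-Object DisplayName, Enabled, Enforced
```

Because the GPO is linked at OU=Students and nowhere higher, a staff account in OU=Staff never receives it, which is the separation the asker wanted without a second domain or a trust. Further student restrictions go into this GPO (or additional GPOs linked to the same OU), never into Default Domain Policy.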
Author Comment by: bhajissa
ID: 38762923
I think I will stay with one domain and try to work on the Group Policy side, as Tm-L and teomcam mentioned in their comments.
But again, is there any best practice for deploying AD at a college or university with security and GPOs?
Assisted Solution by: teomcam (earned 350 total points)
ID: 38764444
According to your environment you may follow or create your own way, but for a single campus, regardless of the number of users, one domain with a single site is enough. Which means just promote your DC with the defaults and you will have a single domain with a single site already. An additional domain controller I can say is a MUST! That means you will need a second machine for it. After creating your domain you will run the tests (dcdiag, replication etc.) and when you make sure DC, DNS and DHCP are operating with no problems, you can start creating your OUs, groups and staff users and start joining the client machines to the domain. After all that you may start creating student users. I highly recommend not using antivirus until you complete configuring the DCs! When you make sure everything is working fine then deploy antivirus.
Since you are a school I highly recommend you have a web filter mechanism such as TMG (ISA) to protect the children from harmful websites and content.
Another very important thing is do not use the DCs and servers for daily tasks and install garbage on them. Basically leave the DCs alone.
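The "run the tests (dcdiag, replication etc.) before creating anything" step above is worth scripting so it can be repeated after every change. The following is an added example for this page, not from the thread: it checks the points the answer lists (a second DC present, functional levels, DNS locator records, dcdiag, replication) from a management host. It assumes the ActiveDirectory module, the built-in dcdiag and repadmin tools, and Windows Server 2012 / PowerShell 3 or later for Resolve-DnsName and the -notin operator.

```powershell
# Added example (not from the original thread). Assumes RSAT ActiveDirectory module,
# dcdiag.exe and repadmin.exe on PATH, PowerShell 3+ (Resolve-DnsName, -notin).
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. Functional levels: the accepted answer wants these as high as the DCs allow.
"Forest functional level: $($forest.ForestMode)"
"Domain functional level: $($domain.DomainMode)"

# 2. Every DC, its site, GC status and FSMO roles. The answer calls a second DC a MUST.
$dcs = @(Get-ADDomainController -Filter *)
$dcs | Select-Object HostName, Site, IsGlobalCatalog,
    @{ Name = 'FSMO'; Expression = { $_.OperationMasterRoles -join ',' } } |
    Format-Table -AutoSize
if ($dcs.Count -lt 2) { Write-Warning 'Only one domain controller found: no redundancy.' }

# 3. DNS: the locator SRV record clients use to find a DC must list every DC.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -Type SRV -ErrorAction Stop
$missing = $dcs.HostName | Where-Object { $_ -notin $srv.NameTarget }
if ($missing) { Write-Warning "DC(s) absent from DNS SRV records: $($missing -join ', ')" }
else { 'DNS: all DCs present in _ldap._tcp.dc._msdcs SRV records.' }

# 4. dcdiag: /q prints only failures, so empty output here is the desired result.
'--- dcdiag (failures only) ---'
dcdiag /q

# 5. Replication: parse repadmin CSV and report only partners with failures.
$repl = repadmin /showrepl * /csv | ConvertFrom-Csv
$failing = $repl | Where-Object { [int]$_.'Number of Failures' -gt 0 }
if ($failing) {
    $failing | Select-Object 'Source DSA', 'Destination DSA', 'Naming Context', 'Last Failure Status' |
        Format-Table -AutoSize
} else {
    'Replication: no failing partners.'
}
```

Run it before creating OUs and users, as the answer suggests, and again after adding the second DC; a clean run is empty dcdiag output, no SRV warning and "no failing partners".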
Author Comment by: bhajissa
ID: 38765338
Thanks teomcam.
I have everything you say already well configured for my staff with a Fortinet firewall, and it's running very smoothly without problems; sorry I didn't mention this at the beginning.
What I need is an extra level of security and GPOs, if possible.
Expert Comment by: teomcam
ID: 38768139
GPOs have hundreds of options and it's practically up to you which ones are suitable for your school's behaviour. A simple example: we disable the Internet Explorer Options menu for the students, disable Control Panel, etc. Some schools don't prefer that or they use a different way.
Always keep student and staff login scripts separate. You may force a single login for students so they cannot log in at the same time with the same username (first they must log off from the previous one). Staff-use computers can be restricted from the students so they cannot log in on the machines you don't want, or you can even limit their logon hours.
As I said, it's really up to your school's policy.
On the client side, AV with proactive protection and a firewall is very important. We are using Symantec Endpoint so we are able to control each client's status or take action remotely. Usually with the default settings it already takes care of the system.
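Two of the per-user restrictions mentioned in the comment above, limiting which machines students can log on to and limiting their logon hours, are account attributes rather than GPO settings. The following is an added example for this page, not code from the thread or the commenter. It assumes a group named Students, lab machines named LAB01-PC01 to LAB01-PC20 and a sample account student01; all of these are hypothetical. The logonHours encoding (21 bytes, one bit per hour of the week starting Sunday 00:00 UTC, least-significant bit first within each byte) is the documented AD format.

```powershell
# Added example (not from the original thread). Hypothetical names: group 'Students',
# machines LAB01-PC01..LAB01-PC20, sample account 'student01'.
Import-Module ActiveDirectory

function New-LogonHoursMask {
    # Build the 168-bit logonHours mask. Hours are stored in UTC by the DC; the caller
    # must convert the site's local schedule to UTC before calling.
    param(
        [int[]]$Days,      # 0 = Sunday ... 6 = Saturday
        [int]$StartHour,   # inclusive, UTC
        [int]$EndHour      # exclusive, UTC
    )
    $mask = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $bit  = $day * 24 + $h               # 0..167
            $byte = [math]::Floor($bit / 8)
            $mask[$byte] = [byte]($mask[$byte] -bor (1 -shl ($bit % 8)))
        }
    }
    return $mask
}

function Get-AllowedHourCount {
    # Decode a logonHours mask back to the number of permitted hours (sanity check).
    param([byte[]]$Mask)
    $count = 0
    foreach ($b in $Mask) { for ($i = 0; $i -lt 8; $i++) { if ($b -band (1 -shl $i)) { $count++ } } }
    return $count
}

# Monday to Friday, 07:00 to 18:00 UTC. Adjust the hours for the campus time zone.
$hours = New-LogonHoursMask -Days (1..5) -StartHour 7 -EndHour 18
"Mask permits $(Get-AllowedHourCount -Mask $hours) hours per week"   # 5 days x 11 hours = 55

# Comma-separated NetBIOS names for the LogonWorkstations (userWorkstations) attribute.
$labs = (1..20 | ForEach-Object { 'LAB01-PC{0:D2}' -f $_ }) -join ','

# Apply both restrictions to every user in the Students group (nested groups included).
Get-ADGroupMember -Identity 'Students' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Set-ADUser -Identity $_.distinguishedName -LogonWorkstations $labs -Replace @{ logonHours = $hours }
    }

# Verify on one account: the stored mask should decode to the same 55 hours and
# the workstation list should contain only lab machines.
$u = Get-ADUser -Identity 'student01' -Properties logonHours, LogonWorkstations
"student01 allowed hours: $(Get-AllowedHourCount -Mask $u.logonHours)"
"student01 workstations : $($u.LogonWorkstations)"
```

With these attributes set, a student account is refused at the logon prompt on any staff PC regardless of the PC's local configuration, and outside the permitted window even on lab machines; neither restriction depends on the client applying Group Policy correctly, which is why they complement rather than replace the GPO lockdown.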