bhajissa
asked on
Domain Controller Implementation
I have a domain controller and Active Directory installed on Windows Server 2008 with the domain name example.local implemented at our college, and this is used for our staff.
I need to add our students and the classroom computers to a domain controller.
What is the best scenario to implement at the college?
Is it the same forest with a new DC, a subdomain, etc.?
Please advise.
i.e.
Hardware and license are available.
You've got to keep and create all students in the same domain! That is vital unless you have different campuses at different geographical locations!
Please find our college's production environment. According to the school environment we are flexible so far and it's working perfectly fine. When you create the student OU, also create sub-OUs as seen in the screenshot.
Std=Students
Stf=Staff including all teachers and Staff members
domain.png
As teomcam has said really, this is how I would do it. I understand why you may be looking at a subdomain, but unless you have a good cause for this you really are just looking at adding the machines to the domain and keeping a well-structured AD tree.
ASKER
It was only security concerns.
I don't want to make it easy for the students to try to get onto the staff and teachers' domain.
So, I thought if I create a different domain name, example2.local, for the students it will be better, while keeping the ability for admins from the first domain to manage the second one.
The need is to have a robust and secure design for the college domains.
ASKER
I think I will stay with one domain and try to work on the Group Policy side, as Tm-L and teomcam mention in their comments.
But, again, is there any best practice for deploying AD at a college or university with security and GPOs?
ASKER
Thanks teomcam.
I have all that you say, and it is well configured already for my staff with a Fortinet firewall and it's running very smoothly without problems. Sorry I didn't mention this at the beginning.
What I need is an extra level of security and GPOs, if it's possible.
GPOs have hundreds of options and it's practically up to you which ones suit your school's behaviour. A simple example: we disable the Internet Explorer Options menu for the students, disable Control Panel, etc. Some schools don't prefer that, or they do it a different way.
Always keep student and staff login scripts separate. You may force single login for students so they cannot log in at the same time with the same username (first they must log off from the previous one). Staff-use computers can be restricted for the students so they cannot log in on the machines that you don't want, or you can even limit their logon hours.
As I said, it's really up to your school's policy.
On the client side, AV with Proactive and Firewall is very important. We are using Symantec End Point so we are able to control each client's status or take an action remotely. Usually with default settings, it already takes care of the system.
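The OU split and the student logon restrictions described in the answer above, sketched in PowerShell as an added example that is not part of the original thread. It assumes the ActiveDirectory module is available on the admin workstation; the sub-OU names, computer names and UTC offset are hypothetical placeholders.

```powershell
# Added example, not from the thread. Values marked "hypothetical" are placeholders.
Import-Module ActiveDirectory

$domainDn = 'DC=example,DC=local'     # domain named in the question
$subOus   = 'Year1', 'Year2'          # hypothetical sub-OUs (the screenshot is not available)
$labPcs   = 'LAB-PC01,LAB-PC02'       # hypothetical classroom computers students may use

# Std = students, Stf = staff. Separate OUs allow separate GPOs and login scripts.
foreach ($top in 'Std', 'Stf') {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$top'" -SearchBase $domainDn -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $top -Path $domainDn
    }
}
foreach ($ou in $subOus) {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase "OU=Std,$domainDn" -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $ou -Path "OU=Std,$domainDn"
    }
}

# Build the 21-byte logonHours value: 168 one-hour bits, starting Sunday 00:00 UTC,
# least significant bit first within each byte. Local hours are shifted to UTC.
function New-LogonHours {
    param(
        [int[]]$Days = 1..5,           # 0 = Sunday ... 6 = Saturday
        [int]$StartHour = 8,
        [int]$EndHour = 18,            # exclusive
        [int]$UtcOffsetHours = 0
    )
    $mask  = 1, 2, 4, 8, 16, 32, 64, 128
    $bytes = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $slot = ((($day * 24 + $h - $UtcOffsetHours) % 168) + 168) % 168
            $i = [int][math]::Floor($slot / 8)
            $bytes[$i] = $bytes[$i] -bor $mask[$slot % 8]
        }
    }
    return ,$bytes
}

# Students: weekday daytime logons only, and only on the listed lab computers.
$hours = New-LogonHours -UtcOffsetHours 3   # hypothetical campus offset from UTC
Get-ADUser -Filter * -SearchBase "OU=Std,$domainDn" |
    Set-ADUser -LogonWorkstations $labPcs -Replace @{ logonHours = [byte[]]$hours }
```

Staff accounts under `OU=Stf` are left untouched, so the restriction applies to student accounts only while both populations stay in one domain.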
Maybe you could explain a bit more: why is it that a subdomain is needed? If your current DC is powerful enough it should handle it, but if not you could load balance with more DCs etc., but still within the same domain; it's just a matter of configuring FSMO roles between all the DCs.