Solved

Domain Controller Implementation

Posted on 2013-01-08
Last Modified: 2013-01-13
I have a domain controller and Active Directory installed on Windows Server 2008 with the domain name example.local, implemented at our college and used for our staff.
I need to add our students and the classroom computers to a domain controller.
What is the best scenario to implement at the college?
Is it the same forest with a new DC, a sub-domain, etc.?
Please advise.
Note: hardware and licenses are available.
Question by: bhajissa
10 Comments
 
LVL 3

Expert Comment

by: Tm-L
ID: 38753921
Could you not just add the machines/users to the existing domain, or do you want them to be removed from the staff group in the AD tree? Either way, I would have thought you could still use the same domain and just structure your AD tree accordingly.

Maybe you could explain a bit more: why is it that a sub-domain is needed? If your current DC is powerful enough it should handle it, but if not you could load balance with more DCs etc., still within the same domain; it is just a matter of configuring FSMO roles between all the DCs.
0
 
LVL 8

Expert Comment

by: teomcam
ID: 38753966
You have to keep and create all students in the same domain! That is vital unless you have different campuses at different geographical locations!
Please find our college's production environment below. In a school environment we are flexible so far and it's working perfectly fine. When you create the student OU, also create sub-OUs as seen in the screenshot.

Std = Students
Stf = Staff, including all teachers and staff members

(attached screenshot: domainntreedomain.png)
0
 
LVL 3

Expert Comment

by: Tm-L
ID: 38754007
As teomcam has said really, this is how I would do it. I understand why you may be looking at a sub-domain, but unless you have a good cause for this you really are just looking at adding the machines to the domain and keeping a well-structured AD tree.
0

Author Comment

by: bhajissa
ID: 38754322
It was only security concerns.
I don't want to make it easy for the students to try to get onto the staff and teachers' domain.
So, I thought that if I create a different domain name, example2.local, for the students it would be better, while keeping the ability for admins from the first domain to manage the second one.
The need is to have a robust and secure design for the college domains.
0
 
LVL 3

Assisted Solution

by: Tm-L
Tm-L earned 450 total points
ID: 38754582
You can do all of this within a single domain. By configuring permissions/access levels etc. you will be able to lock down the security, and anyone that can break through this security would likely be able to break through multiple domains.

A sub-domain would still have the inherent issue of being in the same forest, so it is just as accessible; really you would just be making more work for yourself.

A separate domain would cause even more issues if you wanted to share resources etc., and it's likely you would end up setting up a domain-level trust between the two domains, which would mean you may as well have built everything within the single domain.

I think you should stick with one domain but research permissions/AD/access levels and the set-ups that others in the industry are using.

The only time I have seen a mixed domain set-up has been when using a test network that was accessible site-wide and so was easier to place on its own domain.

A good deal of planning should be put into any network. I think you should start drafting documents detailing what you want your users to access and how you want them grouped etc., thinking about how you would target users (by class groups/year groups/learner age, etc.) and things of that nature, because once you have established the interactions between users and the system and the requirements of the system, I think you will find it very much easier to build this network.
0
 
LVL 8

Accepted Solution

by: teomcam
teomcam earned 1050 total points
ID: 38755936
School environments are always a challenge. Students will never stop pushing the borders. Creating another domain will not contribute to your security. Put them in a separate OU and limit unnecessary features via Group Policy, such as Internet Options in IE. Don't give them local admin rights or any elevated rights. If a particular piece of software needs admin rights then finish it locally or include it in the image, like we do.
Usually the default settings of a domain are pretty safe and will not allow users to interfere and mess with the domain security. As advice: never touch the Default Domain Policy. Instead create another policy and link it. Create groups and spend time on permission management, as it will directly impact their ability.
Have you thought about filtering harmful internet content? If yes, you may start thinking about AD-integrated filtering like TMG. Students will try and leech your bandwidth if you don't have this or a similar solution.
On the client side, try not to give local admin rights to anyone, including staff, unless it's really necessary. That will eliminate a lot of problems.
Implement your DC with the highest Forest Functional and Domain Functional Level, which will give you way better control over GPOs. You may restrict the software that students try to run to mess with your network. Create a separate VLAN for wireless, use reserved IPs for the client machines and stop IP distribution on the server VLAN. There are heaps of ways to tell, and there will be even more, as students will never stop; this is their business and they will do what they have to do, which means being naughty :))
0
 

Author Comment

by: bhajissa
ID: 38762923
I think I will stay with one domain and try to work on the Group Policy side, as Tm-L and teomcam mention in their comments.
But, again, is there any best practice for deploying AD at a college or university with security and GPOs?
0
 
LVL 8

Assisted Solution

by: teomcam
teomcam earned 1050 total points
ID: 38764444
Depending on your environment you may follow or create your own way, but for a single campus, regardless of the number of users, one domain with a single site is enough. This means just promote your DC with the defaults and you will already have a single domain with a single site. An additional domain controller, I can say, is a MUST! That means you will need a second machine for it. After creating your domain you will run the tests (dcdiag, replication etc.) and, when you have made sure DC, DNS and DHCP are operating with no problems, you can start creating your OUs, groups and staff users and start joining the client machines to the domain. After all that you may start creating student users. I highly recommend not using antivirus until you complete configuring the DCs! When you are sure everything is working fine, then deploy antivirus.
Since you are a school, I highly recommend you have a web filter mechanism such as TMG (ISA) to protect the children from harmful websites and content.
Another very important thing: do not use the DCs and servers for daily tasks and install garbage on them. Basically, leave the DCs alone.
0
 

Author Comment

by: bhajissa
ID: 38765338
Thanks, teomcam.
I have all of what you say, already well configured for my staff with a Fortinet firewall, and it's running very smoothly without problems. Sorry I didn't mention this at the beginning.
What I need is an extra level of security and GPOs, if possible.
0
 
LVL 8

Expert Comment

by: teomcam
ID: 38768139
GPOs have hundreds of options and it's practically up to you which ones suit your school's behaviour. A simple example: we disable the Internet Explorer Options menu for the students, disable Control Panel, etc. Some schools don't prefer that or they use a different way.
Always keep student and staff login scripts separate. You may force a single login for students so they cannot log in at the same time with the same username (first they must log off from the previous one). Computers used by staff can be restricted from the students so they cannot log in on the machines that you don't want, or you can even limit their logon hours.
As I said, it's really up to your school's policy.
On the client side, AV with proactive protection and a firewall is very important. We are using Symantec Endpoint, so we are able to control each client's status or take an action remotely. Usually with the default settings it already takes care of the system.
0
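The two per-user restrictions in this comment, logon hours and which machines a student may log on to, are stored as user attributes rather than in a GPO. The following added PowerShell example (not from the thread) applies both to every account in a student OU; it assumes the RSAT ActiveDirectory module, and the OU path, the Monday-to-Friday 08:00-17:59 window and the workstation names are constructed for the example.

```powershell
# Added example: per-user logon hours and permitted workstations; not code from the thread.
# Assumes RSAT ActiveDirectory module; OU path, hours and PC names are constructed values.
Import-Module ActiveDirectory

# logonHours is a 21-byte bitmap: 7 days x 24 hours, one bit per hour, starting at
# Sunday 00:00 and stored in UTC (bit 0 of byte 0 = Sunday 00:00-00:59 UTC).
function New-LogonHoursMask {
    param(
        [int[]]$Days,                 # 0 = Sunday ... 6 = Saturday, in local time
        [int]$StartHour,              # first permitted local hour (inclusive)
        [int]$EndHour,                # last permitted local hour (inclusive)
        [int]$UtcOffsetHours = [int][math]::Round([TimeZoneInfo]::Local.BaseUtcOffset.TotalHours)
    )
    $mask = New-Object byte[] 21
    foreach ($d in $Days) {
        for ($h = $StartHour; $h -le $EndHour; $h++) {
            # Shift the local weekly hour index to UTC, wrapping around the 168-hour week
            $bit = ((($d * 24 + $h) - $UtcOffsetHours) % 168 + 168) % 168
            $byteIndex = [math]::Floor($bit / 8)
            $mask[$byteIndex] = $mask[$byteIndex] -bor (1 -shl ($bit % 8))
        }
    }
    return $mask
}

# Monday-Friday, 08:00-17:59 local time. Note: DST is not handled here (BaseUtcOffset),
# so review the mask twice a year if your site observes daylight saving.
$mask = New-LogonHoursMask -Days 1,2,3,4,5 -StartHour 8 -EndHour 17

# Lab PCs students may use; staff-room machines are excluded simply by not being listed.
# userWorkstations holds at most 64 names, so large labs need a GPO-based approach instead.
$studentPCs = 'LAB1-PC01,LAB1-PC02,LAB2-PC01'           # constructed names
$studentOU  = 'OU=Users,OU=Std,DC=example,DC=local'      # assumed OU path

Get-ADUser -SearchBase $studentOU -Filter * | ForEach-Object {
    Set-ADUser -Identity $_ -Replace @{ logonHours = $mask } -LogonWorkstations $studentPCs
}
```

Check the result for one account with `Get-ADUser <name> -Properties logonHours,LogonWorkstations`; the logonHours value should show 0x00 for Sunday and Saturday and non-zero bytes only for the weekday window.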
