Solved

Active Directory Design Advice Needed for a School

Posted on 2014-04-25
5
333 Views
Last Modified: 2014-05-02
I am the IT Manager at a school and need some advice on how to re-design/optimize the network and active directory structure.

In the past, before VLANs were common, it was a requirement to separate the Staff and Student domains for security purposes.  This resulted in 2 physically separated LANs as well as Active Directory domains.  While this setup gives additional security, it is an outdated concept and generates a lot of administrative overhead.

I would like to merge the Staff and Student Active Directories into a single AD forest.  However, I need to prevent the students from being able to access specific servers as well as any staff workstations.  We have Layer 3 VLAN-capable switching equipment, so I suppose the best solution is to create separate VLANs and restrict access between the VLANs.  For example:

VLAN 100 = Servers used by Staff and Students
VLAN 200 = Servers only for Staff
VLAN 300 = Staff Workstations
VLAN 400 = Student Workstations

I would then prohibit VLAN 400 from accessing any resources in VLAN 200 and 300.   Would this be the best practice?

For the students we're also using Google Apps and sync the passwords from our Student Domain controller.  However, internal security regulations prohibit us from installing Google Apps Password Syncs on any Domain Controller which is used for staff activities.

My question:  is there a common way to prevent a certain user group (e.g. students in our case) from contacting a certain Domain Controller?

Thank you for your appreciated advice & opinions!
0
Comment
Question by:MrFortune100
5 Comments
 
LVL 9

Accepted Solution

by:
Red-King earned 500 total points
ID: 40022275
It sounds like you've got your hands full there.

I'd agree in taking the VLAN approach. It gives you much more control over your network.
Check if your Layer 3 switch can apply ACLs to the IP traffic. This way you can restrict access between the VLANs.

I'm not sure about the procedure for migrating the 2 domains into a single forest but I'm sure you'll be able to find a guide for that.

Regarding the Domain Controller for the students, I would configure a RODC (Read Only Domain Controller) in VLAN400.
This RODC would receive AD schema updates from your other DCs but wouldn't be able to update AD itself.
You would need to ensure that the ACLs allow traffic from VLAN200 to VLAN400 but not from VLAN400 to VLAN200.

To help focus your security planning it might be helpful to think of your VLANs as:

VLAN 100 = General Servers
VLAN 200 = Secure Servers
VLAN 300 = Secure Access Workstations
VLAN 400 = General Access Workstations
VLAN 500 = IT Workstations

You can then think of your ACLs as:
IT Workstations can access everything (VLAN 500 -> All VLANs)
General can access General (VLAN 100 <-> VLAN 400)
Secure can access Secure (VLAN 200 <-> VLAN 300)
Secure Servers can access General Servers (VLAN 200 -> VLAN 100)
Secure Servers can access General Workstations (VLAN 200 -> VLAN 400)
General Servers cannot access Secure Servers (VLAN 100 x VLAN 200)
General Workstations cannot access Secure Servers (VLAN 400 x VLAN 200)
General Workstations cannot access Secure Workstations (VLAN 400 x VLAN 300)
Secure Workstations cannot access General Workstations (VLAN 300 x VLAN 400)

You could also add a Wi-Fi VLAN in the future which you would treat as either the General Workstations or as a new, even more restricted category such as guest users.

Rory
0
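The access matrix Rory lists above (and the asker's original VLAN 100-400 plan) is easy to get subtly wrong when typed by hand into a switch, so here is an added example, not code from the original thread or from Cisco, that encodes the matrix as "which VLAN may initiate to which", renders a default-deny ingress ACL per VLAN, and checks the asker's requirement that students (VLAN 400) can reach neither 200 nor 300. The subnets, VLAN names and the IOS-style `permit ip <net> <wildcard>` syntax are assumptions made for the example; the SG300's CLI is similar but not identical, so treat the output as a review aid rather than a paste-ready config. One caveat a Layer 3 switch forces on you is that its ACLs are stateless: if VLAN 200 may open connections into VLAN 400, the reply packets from 400 back to 200 must also be permitted, which the generator does with the TCP `established` keyword (UDP-based services such as DNS or RPC would need explicit port rules).

```python
"""Model the VLAN-to-VLAN access policy from the thread above and render it
as per-VLAN ingress ACLs.  Subnets, names and the ACL syntax are assumptions
made for this example; they are not the asker's real addressing."""
import ipaddress

# Constructed sample addressing: one /24 per VLAN (not from the original post).
VLANS = {
    100: ("general-servers", "10.0.1.0/24"),
    200: ("secure-servers", "10.0.2.0/24"),
    300: ("secure-workstations", "10.0.3.0/24"),
    400: ("general-workstations", "10.0.4.0/24"),
    500: ("it-workstations", "10.0.5.0/24"),
}

# Which VLAN may *initiate* connections to which.  Everything not listed is
# dropped by the implicit deny at the end of each ACL (default-deny).
ALLOWED = {
    (100, 400), (400, 100),       # general <-> general
    (200, 300), (300, 200),       # secure <-> secure
    (200, 100),                   # secure servers -> general servers
    (200, 400),                   # secure servers -> general workstations
}
ALLOWED |= {(500, v) for v in VLANS if v != 500}   # IT workstations -> all


def may_initiate(src: int, dst: int) -> bool:
    """True if a host in VLAN `src` may open a connection to VLAN `dst`."""
    if src == dst:
        return True            # intra-VLAN traffic never crosses the L3 ACL
    return (src, dst) in ALLOWED


def _wild(vlan: int) -> str:
    """Render a VLAN's subnet as Cisco-style 'network wildcard-mask'."""
    net = ipaddress.ip_network(VLANS[vlan][1])
    return f"{net.network_address} {net.hostmask}"


def ingress_acl(vlan: int) -> list:
    """Build the ACL applied *inbound* on VLAN `vlan`'s SVI, i.e. filtering
    packets sourced from that VLAN.  Layer 3 switch ACLs are stateless, so
    replies to connections initiated *towards* this VLAN must be permitted
    explicitly; the 'established' keyword (TCP ACK/RST set) does that for
    TCP.  Syntax is IOS-like for illustration only."""
    lines = []
    for dst in VLANS:
        if dst == vlan:
            continue
        if may_initiate(vlan, dst):
            lines.append(f"permit ip {_wild(vlan)} {_wild(dst)}")
        elif may_initiate(dst, vlan):
            # The other side may talk to us: allow only reply packets back.
            lines.append(f"permit tcp {_wild(vlan)} {_wild(dst)} established")
    lines.append("deny ip any any")   # implicit deny made explicit for clarity
    return lines


def violations(untrusted: int, protected: list) -> list:
    """Return the protected VLANs that `untrusted` could still initiate to."""
    return [p for p in protected if may_initiate(untrusted, p)]


if __name__ == "__main__":
    for v in sorted(VLANS):
        print(f"! ingress ACL for VLAN {v} ({VLANS[v][0]})")
        print("\n".join(ingress_acl(v)))
    # The asker's requirement: students (VLAN 400) must not reach 200 or 300.
    print("student violations:", violations(400, [200, 300]))
```

Running it prints one ACL per VLAN; the VLAN 400 list contains a full `permit ip` only towards VLAN 100, `established`-only lines towards 200 and 500, nothing at all towards 300, and the closing deny. Keeping the matrix in one place like this also makes it easy to re-check the policy after adding the Wi-Fi or guest VLAN Rory mentions.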
 

Author Comment

by:MrFortune100
ID: 40024790
Dear Rory,

Thank you very much for your advice, much appreciated.  

Yes, we have Cisco SG300 switches which support ACLs.  The "merge" will not be a problem, I'm setting up everything from scratch over the summer holidays.

Regarding the RODC, do I need to setup a separate AD site for the student LAN?

Thanks for the VLAN and ACL suggestions, this will help me a lot!
0
 
LVL 9

Expert Comment

by:Red-King
ID: 40027043
You don't necessarily need a separate AD site for the student LAN.
While you certainly can do this, the biggest effect it will have will be to segregate your DCs. It will reduce the frequency of replication between the RODC and the other DCs.
You can assign the Student LAN subnet to your main site in the "AD Sites & Services" console.

I also remembered about this Technet article which is quite useful.
AD TCP/IP Ports: http://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx
0
 

Author Closing Comment

by:MrFortune100
ID: 40036513
Thank you very much for your advice!
0
 
LVL 9

Expert Comment

by:Red-King
ID: 40036544
Glad to have helped.
0