MrFortune100 asked:
Active Directory Design Advice Needed for a School

I am the IT Manager at a school and need some advice on how to re-design/optimize the network and active directory structure.

In the past, before VLANs were common, it was a requirement to separate the Staff and Student domains for security purposes. This resulted in two physically separated LANs as well as two Active Directory domains. While this setup gives additional security, it is an outdated concept and generates a lot of administrative overhead.

I would like to merge the Staff and Student Active Directories into a single AD forest. However, I need to prevent the students from being able to access specific servers as well as any staff workstations. We have Layer 3 VLAN-capable switching equipment, so I suppose the best solution is to create separate VLANs and restrict access between the VLANs. For example:

VLAN 100 = Servers used by Staff and Students
VLAN 200 = Servers only for Staff
VLAN 300 = Staff Workstations
VLAN 400 = Student Workstations

I would then prohibit VLAN 400 from accessing any resources in VLAN 200 and 300. Would this be the best practice?

For the students we're also using Google Apps and sync the passwords from our Student Domain Controller. However, internal security regulations prohibit us from installing Google Apps Password Sync on any Domain Controller which is used for staff activities.

My question: is there a common way to prevent a certain user group (e.g. students in our case) from contacting a certain Domain Controller?

Thank you for your appreciated advice & opinions!
ASKER CERTIFIED SOLUTION by Rory Clerkin
MrFortune100 (ASKER):
Dear Rory,

Thank you very much for your advice, much appreciated.  

Yes, we have Cisco SG300 switches which support ACLs.  The "merge" will not be a problem, I'm setting up everything from scratch over the summer holidays.

Regarding the RODC, do I need to set up a separate AD site for the student LAN?

Thanks for the VLAN and ACL suggestions, this will help me a lot!

You don't necessarily need a separate AD site for the student LAN.
While you certainly can do this, the biggest effect it will have will be to segregate your DCs. It will reduce the frequency of replication between the RODC and the other DCs.
You can assign the Student LAN subnet to your main site in the "AD Sites & Services" console.

I also remembered this Technet article, which is quite useful.
AD TCP/IP Ports: http://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx
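A worked illustration of the two steps discussed in this thread (registering the student subnet against the existing site, and placing a Read-Only Domain Controller on the student VLAN so student logons are served there while staff credentials are never cached on it), added here as an example and not taken from any reply. The domain name, subnet, site name, server name and group names are placeholders; it assumes the ActiveDirectory and ADDSDeployment PowerShell modules.

```powershell
# Added example (not from the thread). All names below are placeholders.
Import-Module ActiveDirectory

$domain     = 'school.local'
$siteName   = 'Default-First-Site-Name'   # a single site, as the reply suggests
$studentNet = '10.4.0.0/24'               # VLAN 400 = student workstations

# 1. Map the student subnet to the existing site. This is what the
#    "AD Sites & Services" console does; clients on VLAN 400 then use
#    the DC locator within this site and the RODC placed there.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$studentNet'")) {
    New-ADReplicationSubnet -Name $studentNet -Site $siteName `
        -Description 'VLAN 400 - student workstations'
}

# 2. Run on the server that sits in the student VLAN: promote it as an RODC.
#    The Password Replication Policy allows only the Students group to be
#    cached on it; staff and administrative groups are explicitly denied,
#    so a compromised RODC in the student network holds no staff secrets.
#    The default deny list (Domain Admins, Enterprise Admins, ...) still applies.
Install-ADDSDomainController `
    -DomainName $domain `
    -ReadOnlyReplica `
    -SiteName $siteName `
    -InstallDns `
    -AllowPasswordReplicationAccountName @('SCHOOL\Students') `
    -DenyPasswordReplicationAccountName  @('SCHOOL\Staff') `
    -Credential (Get-Credential 'SCHOOL\Administrator')

# 3. Verification after the reboot: confirm the RODC is in the expected site
#    and inspect which accounts its policy allows and denies.
Get-ADDomainController -Filter { IsReadOnly -eq $true } |
    Select-Object Name, Site, IPv4Address

Get-ADDomainControllerPasswordReplicationPolicy -Identity 'STUDENT-RODC01' -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'STUDENT-RODC01' -Denied
```

The VLAN ACLs on the switches still have to block VLAN 400 from reaching the writable DCs in the staff VLAN; the site and RODC configuration only controls which DC students are directed to and what that DC is allowed to cache.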
Thank you very much for your advice!
Glad to have helped.