Advice on AD Forest / E-mail for a University/School?

I'm looking into and researching opinions on Active Directory / Exchange for a University (around a thousand students, a couple hundred staff). Obviously this is something that needs to be well thought out and planned in advance, but I'm looking to get opinions on some aspects of the planning.

1. Do you need separate forests or domains to separate people within the school (Staff, Faculty, Students, Alumni)? Is there any added security benefit? Or would a single-domain model with separate Organizational Units for logical structure and Group Policy/GPOs be sufficient for keeping things organized and safe?

2. Does a single e-mail system comprised of all involved with the school work, if the same federated domain is used for their e-mail addresses? Or is it usually split/separated (whether on-premise e-mail or cloud-based)?

3. Should Active Directory permissions be messed with as far as schema security for hiding attributes/values from Authenticated Users in the domain, as all those involved with the school pretty much have an issued AD account?
garryshape Asked:
Will Szymkowski (Senior Solution Architect) Commented:
One domain is sufficient for this in regards to security. You can completely lock down everything based on NTFS/ACLs. Adding another forest and/or child domains just complicates things and it is not needed. As for Exchange, you can lock the students down via ABPs (address book policies), or if you wanted to have different sending SMTP domains this is also possible.

Will.
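As an added example (not from Will's answer or from the original page) of the ABP approach he mentions, the following Exchange Management Shell sequence scopes student mailboxes to a student-only address book. The list and policy names and the convention of tagging student mailboxes with CustomAttribute1 = 'Student' are assumptions.

```powershell
# Added example: scope what student mailboxes can see in the address book
# with an Exchange Address Book Policy (ABP). Run in the Exchange Management
# Shell. Assumes student mailboxes are tagged CustomAttribute1 = 'Student'
# (a constructed convention, not something the original page specifies).
$studentFilter = "CustomAttribute1 -eq 'Student'"
$roomFilter    = "RecipientDisplayType -eq 'ConferenceRoomMailbox'"

# 1. A GAL and address lists containing only what students should resolve.
New-GlobalAddressList -Name "Students GAL"   -RecipientFilter $studentFilter
New-AddressList       -Name "Students AL"    -RecipientFilter $studentFilter
New-AddressList       -Name "Students Rooms" -RecipientFilter $roomFilter

# 2. An offline address book built from the student GAL (Outlook cached mode).
New-OfflineAddressBook -Name "Students OAB" -AddressLists "Students GAL"

# 3. Tie the four pieces together in one policy.
New-AddressBookPolicy -Name "Students ABP" `
    -AddressLists       "Students AL" `
    -GlobalAddressList  "Students GAL" `
    -OfflineAddressBook "Students OAB" `
    -RoomList           "Students Rooms"

# 4. Assign the policy to every tagged student mailbox.
Get-Mailbox -ResultSize Unlimited -Filter $studentFilter |
    Set-Mailbox -AddressBookPolicy "Students ABP"

# 5. Populate the new lists (on-premises Exchange).
Update-GlobalAddressList  "Students GAL"
Update-AddressList        "Students AL"
Update-OfflineAddressBook "Students OAB"

# Check: any tagged mailbox still without the policy is a gap to fix.
Get-Mailbox -ResultSize Unlimited -Filter $studentFilter |
    Where-Object { $_.AddressBookPolicy -ne "Students ABP" } |
    Select-Object DisplayName, PrimarySmtpAddress
```

An ABP is an address-book scoping control, not an access control: it changes what students can look up, not whom they can send mail to, so it complements rather than replaces ACLs and transport rules.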

Don S. Commented:
I guess it all depends on how secure is secure. You can assume that all student users potentially will try to compromise the network. You can also assume that all teaching staff users will do the same (if not the staff members themselves, then by letting their "good" students use their credentials to do something). So, assuming some level of security compromise will happen, one approach is to limit how much can be accessed by the compromised user/system. Security in depth. That concept dictates separating networks, separating authentication, good password policies on everything including routers, switches, MFPs, HVAC systems, cameras, door locks, telephony systems, etc. The more the separation, the more security in depth that you have. Also, unfortunately, the more managing those systems becomes cumbersome. So deciding how much security is enough and how much system management and accessibility hassle is too much is typically decided at a different level at each organization. You CAN run it with one domain and one network, and that MAY fit your organization. Or you may find that simplified structure provides too many avenues of attack and decide to separate some things to give you more depth (limit your exposure). No one right or wrong answer here. The trend the past few years has been to simplify, but recently, as a result of attacks, hacks, and compromises making much bigger news, there has been a reversal of that somewhat, even to the point of recommending air gapping (disconnecting from all networks) critical systems.
garryshape (Author) Commented:
Thanks for the wisdom here, it helps! Wish me luck.