I'm looking into and researching opinions on Active Directory/Exchange for a university (around a thousand students, a couple hundred staff). Obviously this is something that needs to be well thought out and planned in advance, but I'm looking to get opinions on some aspects of the planning.
1. Do you need separate forests or domains to separate people within the school (Staff, Faculty, Students, Alumni)? Is there any added security benefit? Or would a single-domain model with separate Organizational Units for logical structure and Group Policy/GPOs be sufficient for keeping things organized and safe?
2. Does a single e-mail system comprised of all involved with the school work, if the same federated domain is used for their e-mail addresses? Or is it usually split/separated (whether on-premise e-mail or cloud-based)?
3. Should Active Directory permissions be messed with as far as schema security for hiding attributes/values from Authenticated Users in the domain, as pretty much everyone involved with the school has an issued AD account?