AD network design advice.. 1


strangetimes

Technical User
Apr 13, 2002
32
GB
Hi

I am taking a new job in the new year as systems manager of a school network. 1300 users, 200 curriculum and around 80 admin machines (win9x), running from 5 NT servers.

We have decided to rebuild the network from scratch to a win2000 native environment rather than upgrade, because it has sort of grown with the school and is stretched at the seams, even though it works! At present there are 2 separate domains. The machines will all be able to run 2000 OK after a few RAM upgrades; my only concern is the initial security design.

The admin staff and teachers need to be able to log on to ADMIN and CURRICULUM, but the pupils MUST only be able to see and log onto CURRICULUM. (Some kids can be, and like to be, real destructive. No floppies or CDs for this lot!) With this in mind:

Would two separate forests be needed, with appropriate trusts for teachers and admin to access both domains, "admin.school" & "curriculum.school", if necessary split at the E1 with a dual-LAN router? (The most sensitive information will be held on admin.)

Or

Would a tree suffice, with "school" & "curriculum.school" as the domains? Is security good enough in a tree?

Or

Can anyone suggest a better plan for this type of network?

Everyone will need remote access at some point in the near future, and Exchange server will be installed soon.

I've got a few months to plan and test but a few more ideas to chew on would be much appreciated along with the studying.

Thanks

strangetimes
MCP CCNA CCAI NET+
 
I don't really see the need to have separate domains at all, unless you have specific software needs that weren't explained.

If you only need to separate students from teachers, you can do so with file rights and group policies.

I would suggest creating one single domain, but divide the users into two groups: teachers and students. You can then apply group policies to the groups to restrict or grant access to resources and features of the desktop OSs (you don't want the students being able to access the control panel, so disable it via a group policy). Likewise with the file rights.

You can lock down the workstations hard with ADS and W2K on the desktop. I would suggest you buy a good book specifically on ADS to help you understand just how much you can do with it!
Jeff Warmuth
MCSE, CNE
ICQ 129152989
 
I agree with jwarmuth, a single domain is all that is needed with w2kpro and AD. I would suggest Active Directory Black Book, ISBN: 1-57610-256-4. It is very good and easy to follow. Make sure to use OUs (Organizational Units) and to apply as many settings as possible in the Group Policy. Don't use any of the tabs in the user properties unless absolutely necessary.

Set up your GPOs before you move any students to the new domain. After you move the user accounts, just move them to the appropriate OU and the policy will be applied to them the next time they log on.

Separate the student and staff data onto different servers and use the GPO to deny access to the staff systems for the students (you can remove run, control panel and specify what programs they can use).

Good luck,

Doomhamur
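The single-domain layout jwarmuth and Doomhamur describe (two OUs, GPOs built before accounts are moved, desktop restrictions such as no Control Panel or Run, a fixed list of allowed programs, and file rights that keep pupils off the staff data) as an added PowerShell example. This is not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory and GroupPolicy modules on a domain-joined admin host, and the domain name, OU, group and GPO names and the D:\StaffData path are constructed placeholders.

```powershell
# Added example (not from the thread): single domain, Staff and Pupils OUs,
# a pupil lockdown GPO linked before any pupil account is moved, and NTFS
# rights on the staff file server. Assumes RSAT ActiveDirectory + GroupPolicy
# modules; names below are placeholders. Test in a lab OU first.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName      # e.g. DC=school,DC=local (constructed)
$netbios  = $domain.NetBIOSName            # e.g. SCHOOL (constructed)

# 1. OUs carry the policy; the per-user property tabs stay untouched.
foreach ($ou in 'Staff', 'Pupils') {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
}

# 2. Two global security groups for file rights: one domain, two populations.
foreach ($grp in 'AllStaff', 'AllPupils') {
    if (-not (Get-ADGroup -Filter "Name -eq '$grp'")) {
        New-ADGroup -Name $grp -GroupScope Global -GroupCategory Security
    }
}

# 3. Pupil lockdown GPO. The registry paths are the documented policy keys
#    behind "Prohibit access to Control Panel", "Remove Run", "Remove Task
#    Manager" and "Run only specified Windows applications".
$gpoName = 'Pupils-Lockdown'
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'Desktop restrictions for pupil accounts' | Out-Null
}
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName 'NoRun'          -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $system   -ValueName 'DisableTaskMgr' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName 'RestrictRun'    -Type DWord -Value 1 | Out-Null
# RestrictRun reads its allow-list from a subkey: values "1", "2", ... = exe names.
$allowed = @('winword.exe', 'excel.exe', 'iexplore.exe')   # constructed list
for ($i = 0; $i -lt $allowed.Count; $i++) {
    Set-GPRegistryValue -Name $gpoName -Key "$explorer\RestrictRun" `
        -ValueName "$($i + 1)" -Type String -Value $allowed[$i] | Out-Null
}

# 4. Link the GPO to the Pupils OU only, so staff logons never receive it.
$pupilsOU = "OU=Pupils,$domainDN"
$linked = (Get-GPInheritance -Target $pupilsOU).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $linked) { New-GPLink -Name $gpoName -Target $pupilsOU -LinkEnabled Yes | Out-Null }

# 5. Only now move the pupil accounts; the policy applies at their next logon.
Get-ADGroupMember -Identity 'AllPupils' |
    Where-Object { $_.objectClass -eq 'user' -and $_.DistinguishedName -notlike "*,$pupilsOU" } |
    ForEach-Object { Move-ADObject -Identity $_.DistinguishedName -TargetPath $pupilsOU }

# 6. Staff data on its own server (run this part on that server): drop inherited
#    rights and grant only staff, admins and SYSTEM, so pupils simply have no ACE.
$staffData = 'D:\StaffData'   # constructed path
icacls $staffData /inheritance:r `
    /grant "${netbios}\AllStaff:(OI)(CI)M" `
    /grant "${netbios}\Domain Admins:(OI)(CI)F" `
    /grant 'SYSTEM:(OI)(CI)F'
```

After a pupil logs on to a workstation, `gpresult /r` on that machine should list Pupils-Lockdown under the user settings, and a staff logon in the Staff OU should not. The settings are HKCU policies, so they follow the account rather than the machine; for a shared box such as the Terminal Server case mentioned later in the thread, the usual approach is to link the same kind of GPO to the computer's OU with loopback processing enabled so it applies whoever logs on.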
 
I had a similar list of "needs" from a different problem, and through AD and group policy I was able to severely lock down this particular machine (it's a Terminal Server/Citrix machine in the DMZ area). Users are severely limited in what they can do: for instance, when a user clicks on the "Start" button, they have the option to log off or go to Programs, where only the programs I specified are located. They can't right-click the task bar (to get into something like Task Manager), they can't right-click "My Computer", Network Neighborhood is gone, browsing the network is gone from My Computer, etc.

Then I've also done the same with the machine account, so even if a domain/enterprise admin logs on there is a very limited amount of stuff they can do, even to the point where they wouldn't be able to hose up the machine much past a quick re-configure (and I can block all of that off as well if I wanted to).

So, to go along with what the others have said, I'd stick with a single domain, manage security through permissions and GP, and create a strong security policy for the teachers (complex passwords that change fairly often, etc.). A double forest setup would work, but would add complexity without really adding a lot of security once you have a 2-way trust established (students in theory would still be able to see the other forest; it would be up to permissions to block off the access). A 1-way trust could work (for a dual forest setup), but you would be trading some functionality for it; for instance, the teachers who have to access the Admin forest wouldn't be able to do it from Curriculum member computers.

Andrew
 
AjayM wrote:
"A 1-way trust could work (for a dual forrest setup), but you would be trading some functionality for it, for instance the teachers who have to access the Admin forrest wouldn't be able to do it from Curriculum member computers."

That might have to be the way to go in our case: the teachers can't be trusted to log off, or they log on themselves for pupils who forget their passwords! They just don't take network security seriously in general. There is a huge 'quirky' database on the admin network (that anyone working in UK education can tell you about..) that CAN NOT fall into 15-year-old script kiddies' (or indeed anyone's) hands.

Thanks for the ideas so far anyway, plenty to muse over.

strangetimes
MCP CCNA CCAI NET+

 
And before anyone writes back to explain to me that a 15-year-old script kiddie will get in to delete the database if he wants to anyway, I know.. (the admin machines need a LAN ID to access the database). If Steve Gibson (grc.com) has problems stopping them, I hold little hope..;-)

strangetimes
MCP CCNA CCAI NET+
 