russdev (20th April 2012)
Long time lurker, first time poster!
I recently got a Network manager gig, after 7 years as a technician.
I know how networks 'work' and I have been able to understand why we have done what we have done etc.
I am now faced with an alien network. Im not sure if it is just me - but the way it is set up does not reflect what I have done before, it does not seem to lock down Windows at all. RDC/CMD are available to all. Im not sure how profiles are set up, and it seems to be running very slowly.
I have been given a large pot of money. Enough (more then!) to build the school a better network. I need to replace PCs around rooms to the tune of 50 odd, an IT room of 36 as well. As that is pretty much the large majority of machines (exc laptops which Im leaving for the moment) I thought about getting some new servers and starting from scratch. Reading some other threads, people generally say if you can do it - its the best option.
So this is my plan:
Server 2008 R2 servers running hyper V - hosting a couple of DCs (on different hosts) exchange, SIMs and a print server
1 file storage server
Windows 7 SP1 clients throughout the school with office 2010 and have WSUS inplace to do windows update.
I want to use just GP to lock things down (trial and error I think?) and use GP to send out software. We do have impero, which is a nice bit of kit for wider management.
Does that sound like a plan? Any thoughts on specs for the servers?
Also - Im thinking of rolling out mandatory profiles across the school and using folder redirection to link back to a standard staff/student start menu/desktop.
Can someone explain if this is the right way to do it? And if so what do I lose by not having roaming profiles?
Thanks in advance!
russdev (20th April 2012)
You don't actually mention what you already have.
What are the servers running, what are the clients running etc. No point starting fresh if you are for example already on Windows 7 clients and Server 2008 (as logn as it is 64bit) or R2 unless there is an obvious problem that exists.
Don't chaneg things to fast you will upset everyone, basically take between now and half term to work out what you have and how it is working, then form a plan for the summer and take it to your line manager.
When I started doing school ITSupport I was convinced that everything should be locked down as tight as possible on the clients. After several years my attitude to this has relaxed considerably - it is much more important to have the network (switches/firewall etc) and the servers secure. Security through GPO on the clients is important, but don't go ovekkill on it because it can introduce a lot of problems an annoy users. GPO to install software is worth concentrating on, as is mandatory profiles - try and keep things consistent.
We have a mixed XP/Win7 (one room, some laptops) environment here. 4 servers, 2 2003 (one that appears to do everything including file storage) + 2 DCs (2003) which are about 8 years old. There is a nice new 2008R2 brought in by the guy before me, but he did'nt stay long enough to crack on.
The school is ready for change - the SMT/HoD brought me in under a new headteacher with the knowledge that things were going to happen quickly and that they were funding the changes because they want it to happen, as long as I justify what I am doing in an educational context they are happy, and as I say - I am not new to this, I have been senior tech at last 2 high schools since before there were network managers... and in comparison this network is tiny...
These plans are for the summer btw, Im having 3 weeks of paternity at June ht, so need to get started now
Would look at getting rid of xp clients to make things easier to manage by having all on windows 7.
If you have microsoft schools agreement that gives cheap licences - setup 2008R2 data center edition on your decent/new servers - this will allow you unlimited hyper v virtual servers - pretty straightforward to setup.
Setup new virtual DCs on 2008 R2 - when they have replicated ok then you can move roles off your old DCs and retire them.
Basically aim for 2008 R2 on servers - win 7 on clients and take it from there.
Impero is useful for installing software/updates that don't have msi's by logging on to several machines at once and running mimic scripts.
Also you get can rid of profiles altogether for students - will just setup a local profile when they logon first time to a machine - redirect desktop, start menu etc.
Last edited by maark; 20th April 2012 at 12:49 PM.
russdev (22nd August 2012)
Sounds more or less like a good plan.
Things to consider:
* Switching - have you got a redundant core or is your core switch a SPOF?
* Virtualization - best to keep one DC physical - doesn't need much in the way of spec, so can probably re-use an old server once it's decommissioned, but you can have problems with failover clusters without a DC up - and if all your DCs are virtual, you get into a bit of a chicken-and-egg situation. It can be gotten around, but easier to avoid it altogether - plus you don't want all your eggs in one basket. Bit heavy on the egg-metaphors, this advice, but I'm just trying to lay some groundwork advice down
* Consider setting up two new admin accounts when you start - one so you're not using "administrator" as a log in (and oyu can rename guest to administrator to use it as a honey trap) and another one to give to programs wanting admin privileges to run services etc. Give this last one a long KeePass generated string of garbage. Having it separate from the domain admin account oyu use frees you up to change your domain admin password more easily.
* Look at Microsoft EES if you haven't already, could be well worth it depending on circumstances
* Also look at Live@edu for your email
* Consider System Center stuff for software deployment etc. - quite indepth but also cheap for schools
* And hell yes stop them installing software and using command - cannot believe that is still open.
Most of all, write down what you're doing as you're doing it, for your own benefit - if you're doing a big job like this you will soon lose track of everything you've done even a fortnight before!
Good luck, and enjoy
I was thinking about starting a new domain. As Im going to be rebuilding all bar 30 machines anyways, this means I can crack on with testing when I get new servers in, and means I cant mess up the current domain??
Only problem I forsee is exisiting users with laptops. These wont be in over the summer, and Im loathed to require them to be in just to join them to new domain, any thoughts anyone? Also what is the best way laptops can be set up at the moment? Don't want to go down the sync route, I want their storage to be local only, but still want GP restrictions to secure them...
What email do you use now?
Exchange is good but can be a pain to setup - i would look at google apps for mail - syncs with active directory better than live@edu and you won't have to worry about backups.
Ive set up exchange in last 2 schools, this one uses the LA's software which is basically squirrel mail or IMAP.
Still think Im going to go for exchange 2010 tbh but will look at google apps. I just like to be in control of our core services.
Watch it with Exchange... Exchange 2010 can be a monster!
Live@edu is being replaced by Office365 for edu and I understand should be available by the time you're looking at transferring. That has much better sync with ad and some other nice bits. I have to agree about Exchange 2010, it's a monster and can be a complete pita, much preferred our old Exchange 2003.
There are currently 1 users browsing this thread. (0 members and 1 guests)