  1. #1


    Possibly taking over network: Need advice

    Two years ago, we began a move from a fragmented, Windows-based environment to an Apple environment. During that move, our former server died and we were forced to purchase a new server on which the old setup was simply migrated. The network was kept as a .local domain. Yes, I hear your groaning and will address this, as our login process with our Macs is glacial and unreliable.

    We currently run two Windows domain controllers that are virtualized on a single server. One of those runs Exchange, DHCP and DNS, while the other runs file and printer sharing, AD and DNS. All teachers and students as well as most staff members have migrated to Apple computers, and those that need Windows run Parallels. Only the business manager and her assistant as well as the school nurse run PCs. Most of the faculty and staff Macs are bound to AD, with plans to bind all of them this summer, as we are eliminating the use of local accounts altogether.

    On the Apple side, we run a single Mac Mini Server with 16 GB of RAM. This device also runs profile manager for approximately 400 devices and hosts our Open Directory against which our students authenticate to a Lightspeed Bottle Rocket. I run a small WebDAV folder for student books off this server as well. Student devices all have local accounts. We have the Mac Mini set up in a magic triangle and most devices are bound to the open directory as well. Our faculty and staff members are embedded in OD groups so their devices can receive settings from WGM. I know Apple, in favor of PM, is demoting WGM, so it is not a permanent solution. We are definitely eying Casper Suite in the next year or so in order to manage devices, so we will reduce the load on that server quite a bit.

    In the interests of cost savings, I am pushing to have the school drop our Exchange server in favor of Google Apps, which, from my experience, works a bit more seamlessly with Apple Devices. This would save us $10K/year in licensing and SLA fees alone.

    Questions:

    1. If we do this, would we need to destroy everything and rebuild our AD or would we be OK to rename our domain using our FQDN since we no longer have to worry about the Exchange server?
    2. Also, we are moving from a .com to a .org domain, so I'm curious as to whether any of you have migrated to Google Apps and have experience redirecting mail from one domain to the next.
    3. I have another Mac Mini server that is used as our configurator. I'm considering using it for an OD replica, as it is in a static location and is unused otherwise. Is this possible or even a good idea?


    I'm hoping this thread will give me some other ideas, so feel free to ask questions and give advice. I can't guarantee I'll heed it, or even listen to it, but given that I'm pretty much a network newb, experienced voices are welcome.
    Last edited by Jwzg; 26th March 2014 at 04:39 PM.

  2. #2

    seawolf
    Quote Originally Posted by Jwzg:
    1. If we do this, would we need to destroy everything and rebuild our AD or would we be OK to rename our domain using our FQDN since we no longer have to worry about the Exchange server?
    2. Also, we are moving from a .com to a .org domain, so I'm curious as to whether any of you have migrated to Google Apps and have experience redirecting mail from one domain to the next.
    3. I have another Mac Mini server that is used as our configurator. I'm considering using it for an OD replica, as it is in a static location and is unused otherwise. Is this possible or even a good idea?
    If I were in your position, I would most likely look at completely rebuilding your domain and your VM servers. As it stands, you have a double whammy of a .local domain along with Domain Controllers that are doing double duty as Exchange and file/print servers, making a domain rename a more complex and risky task. The title of your post was "Possibly taking over the network", so I'm going to assume that you will also be taking over the network (switches, proxies, etc.) and not just the server environment, and will provide recommendations based on that assumption.

    1. Reconfigure your Network - If you are currently on a flat network, you will want to consider creating VLANs (static and DHCP). I would advise a VLAN for each of the following. This will give you far more control over your network and allow you to set per VLAN (subnet) web filtering as well.
      • Network Switches, Routers, Proxies
      • Servers
      • Admin Staff
      • IT Staff
      • Per WiFi SSID (if you have 5 SSIDs, use 5 VLANs)
      • Per computer lab (or per building or zone)
      • VoIP zones (one will suffice for a small number of devices)
      • Printers
      • Security (if you use IP security system)
    2. Build a new domain - Rather than a Domain Rename, build two new virtual DCs with the new domain name. You may want to use a sub-domain of your FQDN rather than the FQDN itself depending on your expertise with DNS and DNS forwarding, etc. Don't try to migrate user accounts, etc. Build these DCs new and create the structure in a way that works for you (example showing our structure attached). Now re-create the GPOs that you require, which is a good opportunity to ensure you have no unneeded policies and re-think the policies that you need now (since you have few PCs now, you will likely need far fewer GPOs). Once the structure is complete, re-create all of your User groups that will be needed in the new domain and create the user accounts for IT and Admin and a test account for different staff and student types to use for testing. Now make sure that your DHCP (consider your VLANs) and DNS are configured as required and that you create your DNS forwarding rules and bring across any DNS entries from your old DNS server that will be required. Bind a client to your new domain to test it.
      Domain structure.png
    3. Build new File and Print Server(s) - Now that you have a working domain and some test users, you should build a new File and Print server. You can split these roles up if you want, but it isn't required (it can be handy if the print service ever stops and you need to restart the server because it refuses to restart - been there, done that). Again, don't migrate any data across at this point in time. Bind the new server(s) to your new domain and setup all of your printers on the new server and install whatever print management software you use (Papercut works well). Also, create some test shares (and configure DFS if you are using more than one file server). Now create a GPO with one or more shares and printer assignments and assign it to a user group then test this with a client computer bound to the domain and login with one of your test users in the group assigned the shares and printers. All working - then create the directory structure and top level folders for the network shares you will be migrating across later, including the user group permissions.
    4. Migrate Exchange Server - We use Google Apps, but I wouldn't say it's more compatible with iOS. We've experienced many issues in the past, particularly when Google decided to ditch ActiveSync. Getting passwords to sync was also a major pain, and their GAPS solution doesn't work reliably in our experience. You might want to consider Office 365 if you are already on a license agreement with MS for Office, CALs, SQL Server, etc. You will probably find a migration from Exchange to Office 365 a bit easier or more supported than to Google Apps, including getting SSO working. You would also have the option of using the new Office apps for the iPad. Just a thought.
    5. Migrate Users and Data - Finally, the next to last step in the domain rename will be to migrate all users from your existing AD to your new DCs as well as all of the data on the file server(s). I recommend exporting your existing users into CSV format, editing the domain and other details needed, then importing them manually into the new DC. These tools will help:
      Script Active Directory User Creation tool 1.2
      Script Update AD Users in Bulk from Excel Spreadsheet
      Bulk AD Users

      I would advise using robocopy or similar to migrate your user data. You will not want to bring across ACLs and permissions, but have the files inherit the ACLs and permissions from the new shares you have created.
    6. Update all systems with new domain - At this point, your DCs, email, and file/print servers have been created and migrated, but you will likely still have many other systems that need to be updated to use the new domain. For servers, you will need to unbind them from the old domain and bind them to the new. Systems such as the Lightspeed will have to be updated, etc. You should identify all systems that need to be updated in this manner before you ever begin this whole project, then think about it well, because you probably forgot something (e.g. updating DNS servers on your internal systems, and your external DNS hosting). Make sure that Kerberos and DNS are working as expected on your Mac server following the domain change.


    It goes without saying that you should back up everything well before beginning all of this, and it is advisable to do it during the holidays with much advance notice to users, as you will need some forced downtime so no one can update any files you are trying to migrate. It's a big project, but once it is done your team will know the network inside and out and you will be able to make it dance and sing.

    As for the Mac side of things, I haven't found a need for an OD replica. Just clone the main server periodically and you can then restore it quickly if you have a failure. In fact, if you go with Casper Suite, you won't need an OD master at all anymore.

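Steps 5 and 6 above (export users to CSV, re-create them in the new domain, then copy data without the old ACLs) as an added PowerShell example; this is not seawolf's script, and the domain names, OU paths, share paths and file names are placeholders. It assumes the RSAT ActiveDirectory module is installed and that the target OU already exists in the new domain.

```powershell
# Added example, not from the thread. Bulk re-creation of user accounts in a
# new domain and a data copy that lets files inherit the new share's ACLs.
Import-Module ActiveDirectory

$OldDC    = 'dc1.school.local'                              # placeholder old DC
$OldOU    = 'OU=Staff,DC=school,DC=local'                   # placeholder old OU
$NewDC    = 'dc1.ad.school.org'                             # placeholder new DC
$NewUpn   = 'ad.school.org'                                 # placeholder UPN suffix
$NewOU    = 'OU=Staff,OU=Users,DC=ad,DC=school,DC=org'      # placeholder new OU
$CsvPath  = 'C:\Migration\staff-users.csv'                  # placeholder file

# Step 1: export identity attributes from the old domain. Password hashes are
# not exportable, so every account receives a temporary password below.
Get-ADUser -Server $OldDC -SearchBase $OldOU -Filter * `
    -Properties GivenName, Surname, mail, Department |
  Select-Object SamAccountName, GivenName, Surname, mail, Department |
  Export-Csv -Path $CsvPath -NoTypeInformation

# Step 2: re-create the accounts on the new DC. The UPN suffix is rewritten to
# the new domain and users must change the temporary password at first logon.
$TempPassword = Read-Host -Prompt 'Temporary password for migrated users' -AsSecureString
foreach ($u in Import-Csv -Path $CsvPath) {
    New-ADUser -Server $NewDC `
        -Name "$($u.GivenName) $($u.Surname)" `
        -SamAccountName $u.SamAccountName `
        -UserPrincipalName "$($u.SamAccountName)@$NewUpn" `
        -GivenName $u.GivenName -Surname $u.Surname `
        -EmailAddress $u.mail -Department $u.Department `
        -Path $NewOU `
        -AccountPassword $TempPassword `
        -ChangePasswordAtLogon $true -Enabled $true
}

# Step 3: copy the home directories. /COPY:DAT copies Data, Attributes and
# Timestamps only; the S (ACL), O (owner) and U (audit) flags are left out on
# purpose so nothing carrying the old domain's SIDs is copied and each file
# inherits the permissions set on the new share. Do not add /COPYALL or /SEC.
$OldShare = '\\oldfs.school.local\Home'                     # placeholder
$NewShare = '\\newfs.ad.school.org\Home'                    # placeholder
robocopy $OldShare $NewShare /E /COPY:DAT /DCOPY:T /XJ /R:2 /W:5 /MT:16 `
    /LOG:C:\Migration\robocopy-home.log /TEE
```

Run step 1 against the old DC and steps 2 and 3 after the new shares and their group permissions are in place, so the inherited ACLs are the ones you intend.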

  4. #3


    Possibly taking over network: Need advice

    Talk to me a little about the issues involved in having a .local domain other than the lag time with logging on with Macs due to the mDNS issues. Seems our IT services provider doesn't think it's a big deal. I understand some of the issues but articulating them is another matter.
    Last edited by Jwzg; 19th April 2014 at 04:16 AM.

  5. #4

    seawolf
    Quote Originally Posted by Jwzg:
    Talk to me a little about the issues involved in having a .local domain other than the lag time with logging on with Macs due to the mDNS issues. Seems our IT services provider doesn't think it's a big deal. I understand some of the issues but articulating them is another matter.
    Brand new Active Directory - From scratch


