Who does CC3 installs on networks? In Durham I think it's the LEA (being ITSS). If a commission needs doing they have to do it (as far as I'm aware). This costs money and still takes a few days - I reckon you could set your vanilla servers up in a couple of days (Obviously with the right amount of preparation).
> Who does CC3 installs on networks?
Uh? If a system support buck stops with me then I'm going to do my best to ensure that system is put together in a consistent way by someone with a clue.
No, it's easier to migrate all servers at once; you have to think carefully about how you're going to do things before you start. This is how we did ours.
It's a girls' grammar school in Wallington, 1200+ pupils, 400+ curriculum laptops, only around 150 curriculum desktops, 100 staff laptops, 2 DC servers, 2 member servers and 2 admin servers, one Bromcom server.
We started off by moving certain ICT rooms over to vanilla clients. This was useful because it enabled us to set up and test tools such as Italc and SteadyState. It also enabled us to make deployment images in advance for these rooms.
We had a 2008 server installed and configured with Windows deployment services running on it.
Before the holiday period/upgrade time we took one pc/laptop of each type and ensured we had either a working wds image or a ghost image for each one.
Back up everything from all domain controllers, as these are the servers that have to be completely wiped and reinstalled from scratch. Back up to USB drives as well as tape; it's quicker.
Make sure you have printer driver disks ready, note the IP addresses of servers and printers down, and have preconfigured scripts ready for printers.
We copied our user accounts to a temporary domain controller (temp domain) using the free migration tool from Microsoft. We then wiped both DC servers and installed 2003 Server on these systems, then copied the accounts across using the free tool from Microsoft.
Problems and issues,
Staff users had a folder redirection issue, fixed with an update to client machines; something to do with IE7 causing problems.
Certain desktops would not work with wds due to the motherboard not supporting vista, solved by using a bartpe disk and imageX instead.
Staff laptops taking ages to start up due to SteadyState; this is due to the hard drive controller on the motherboard. Still no fix, so have disabled SteadyState on staff laptops if they moan.
No major issues really due to planning and hard work and backing our own ability rather than having a cheesy salesman selling us junk.
Last edited by Jose; 17th December 2008 at 06:07 PM. Reason: errors
Jose, I think your method reflects a healthy degree of both skill and realism.
CC3 and ClassLink are, as far as I'm concerned, fine for people that want very limited flexibility or perhaps (read disclaimer that follows before flaming me!) have limited technical expertise. Disclaimer: I know some CC3 network managers that are highly skilled, but I also know some that might struggle using a pocket calculator - I'm not judging YOU and it is for YOU to decide where YOU slot in!
Personally I cannot stand these products as they don't quite deliver what they claim to. Ross, you will find I'm NOT starting a flame war as I'm criticising both!
All such products operate mostly the same, although under the bonnet things'd obviously be very different. Still, they all tend to "extend" existing AD and Microsoft technology. Honestly, group policies are easy to set up from scratch and running as others refer to it a "vanilla" network is a doddle.
There should be no reason why a "vanilla" network isn't at very least as stable, while I believe it should also end up being more secure.
Your TCO comments made me smile, given that no CC3 or ClassLink advocate actually came up with the goods, but instead simply threw in a few references to TCO to scare people into submission. Do the maths and then come talk to me so we can compare my cheap apples with your over-priced ones.
On the networks I support we don't use any of those products (we removed CC3 and ClassLink from a few). Staff members on these networks are locked down to the point that they cannot simply install software of their choice, unless it is software approved for usage on the network. In that case all staff members can install/re-install any software title relevant to them (within licensing limitations) within moments.
We repackage all software titles as part of our evaluation process.
Our teachers mostly use SynchronEyes as classroom management software, although on a few sites they use Italc. IT Support uses Ultr@VNC. (You will notice I refer to IT Support, because there is a huge chasm between ICT and IT as far as I'm concerned, with IT being real-world IMHO).
We exclusively use VBScripts because it is a simple and straightforward language to get to grips with. Using nothing but GPOs, we limit what drives are visible to students and we can even remove the ability to access USB mass storage devices using nothing but GPOs.
By the way, if you're looking for a rather excellent collection of scripts, go visit Win32 Scripting.... Everything you need to get up and running - why re-invent the wheel?
In my experience, CC3 and similar products try to obtain stability by removing flexibility and try to implement a one-size-fits-all solution. Any decision to remove such products is one I will applaud.
Having said that, I will also caution you to test, test and test again before going live with any implementation. In fact, you ought to have a lab network in place permanently so you can test everything there first, even well after a migration.
Document everything to an infinite level and ensure your change management processes are able to cope with what you will be doing. This is vital if you are planning on having a graceful escape route in place. Also, it'd be foolish NOT to plan an escape route!
Decide on naming conventions that clearly incorporate version control. StaffSecurityGPO_v1 at a glance tells you who the policy should apply to, what its intended purpose is and what the version number is.
Back up GPOs religiously before making any changes using Microsoft's Group Policy Management Tool and ALWAYS increment the version numbers following a change. That's your escape route should you have made any mistakes.
And once you've documented and tested everything, you'll also have excellent references to refer to when running your new stable network.
I'll finish off this post with 2 more pieces of advice:
NEVER make any changes to ANYTHING after lunchtime on a Friday and if it ain't broke, don't fix it.
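The backup-then-increment routine described in the post above, as an added PowerShell example that is not part of the original thread. It assumes the GroupPolicy module that installs with the Group Policy Management Console; the function names, backup path and reason text are hypothetical.

```powershell
# Added example (not from the thread): back up a versioned GPO, then create
# the next version as an unlinked copy. Function names are hypothetical.
Import-Module GroupPolicy   # assumption: GPMC/RSAT GroupPolicy module is installed

function Get-NextGpoName {
    param([Parameter(Mandatory = $true)][string]$Name)
    # Enforce the <Purpose>_v<N> convention, e.g. StaffSecurityGPO_v1
    if ($Name -notmatch '^(?<base>.+)_v(?<ver>\d+)$') {
        throw "GPO name '$Name' does not end in _v<number>."
    }
    '{0}_v{1}' -f $Matches['base'], ([int]$Matches['ver'] + 1)
}

function New-GpoVersion {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$BackupRoot,
        [Parameter(Mandatory = $true)][string]$Reason
    )
    $next = Get-NextGpoName -Name $Name
    # Refuse to branch from a stale version: the next number must be free.
    if (Get-GPO -Name $next -ErrorAction SilentlyContinue) {
        throw "'$next' already exists; '$Name' is not the latest version."
    }
    # One timestamped folder per backup keeps the escape route easy to find.
    $dir = Join-Path $BackupRoot ('{0}_{1:yyyyMMdd-HHmmss}' -f $Name, (Get-Date))
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $backup = Backup-GPO -Name $Name -Path $dir -Comment $Reason -ErrorAction Stop

    # Edit the copy, never the original; the copy has no links until you add one.
    Copy-GPO -SourceName $Name -TargetName $next -ErrorAction Stop | Out-Null

    New-Object psobject -Property @{
        Previous = $Name; Current = $next
        BackupId = $backup.Id; BackupPath = $dir
    }
}

# Usage (constructed values):
# New-GpoVersion -Name 'StaffSecurityGPO_v1' -BackupRoot 'D:\GPOBackups' -Reason 'Before USB storage change'
```

Because the previous version stays linked and unchanged until the new one is linked in its place, rolling back is a link swap; `Restore-GPO` with the recorded `BackupId` and `BackupPath` covers the case where the original itself was edited.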
Great posts, Jose and tamarside. Very helpful.
I will be purchasing a "clean" server sometime soon and will use this to start building the secondary domain without the RM nasties on it and will look at migrating all existing users, folders and apps over the next two years starting in the summer.
Jose: when you built your secondary domain to rid yourself of cc3 did you have MS Exchange installed on your network and if so how did you get this to function on a secondary domain?
The utility to which Jose refers is ExMerge, which is actually brilliantly simple! It works in either a one-step or two-step mode, but I suggest you use the two-step method.
Essentially it'll export all your Exchange mailboxes to .PST's then you can have it import those .PST's to Exchange on the new domain.
Of course it doesn't work with Exchange 2007, so be warned!
Having created an OU outside of the Establishment structure, and blocking inheritance, we still find that the user GPOs are still being applied (i.e. RM User Types such as Standard / Advanced Staff). In reality we actually wanted the security settings to be taken across, but we are experiencing such strange issues we kind of want a fresh start!
Did you have any problems using the same user accounts for both RM and Vanilla? If you did, how did you get around them?
Perhaps I'm wrong, but I've never understood the widespread CC3 "block inheritance" meme, because if you make a new OU off the AD root then computers in there will only be inheriting Default Domain policy - RM haven't done anything scary in there.
Anyway, to stop CC3 user policy applying when CC3 users log on to vanilla machines: Set the computer GPO policy for the vanilla machines to use loopback-replace and then link any user GPOs you want to your vanilla computer OU. If you need different GPOs for different user groups logging on the vanillas, you'll have to security filter them.
> Honestly, group policies are easy to set up from scratch
Naah.. if a complete vanilla from scratch configuration (GPOs and everything else) takes significantly less than 2 months, it's not finished to a reasonable standard or you've imported lots of configuration from elsewhere.
Edit: Or there's more than one of you.
Last edited by PiqueABoo; 11th January 2009 at 11:45 PM.
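The loopback-replace arrangement described in the post above, as an added PowerShell example that is not part of the original thread. It assumes the GroupPolicy module that installs with the Group Policy Management Console; every GPO, OU and group name is hypothetical.

```powershell
# Added example (not from the thread): loopback-replace on a vanilla computer OU.
# All GPO, OU and group names below are hypothetical.
Import-Module GroupPolicy   # assumption: GPMC/RSAT GroupPolicy module is installed

$vanillaOu  = 'OU=VanillaPCs,DC=school,DC=example'   # new OU off the AD root
$computerGp = 'VanillaComputerGPO_v1'
$userGpos   = @{                                      # user GPO -> group allowed to apply it
    'VanillaStaffUserGPO_v1'   = 'Vanilla Staff'
    'VanillaStudentUserGPO_v1' = 'Vanilla Students'
}

# 1. Computer GPO that turns on loopback processing in Replace mode.
#    UserPolicyMode: 1 = Merge, 2 = Replace.
New-GPO -Name $computerGp | Out-Null
Set-GPRegistryValue -Name $computerGp `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
New-GPLink -Name $computerGp -Target $vanillaOu | Out-Null

# 2. User GPOs linked to the *computer* OU, each filtered to one group.
foreach ($gpo in $userGpos.Keys) {
    New-GPO -Name $gpo | Out-Null
    # Authenticated Users keep Read but lose Apply, so only the named group gets it.
    Set-GPPermission -Name $gpo -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $gpo -TargetName $userGpos[$gpo] `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
    New-GPLink -Name $gpo -Target $vanillaOu | Out-Null
}

# 3. Check what is now linked to the OU.
(Get-GPInheritance -Target $vanillaOu).GpoLinks | Select-Object DisplayName, Enabled, Order
```

On a vanilla client, `gpresult /r` run as a logged-on user shows which user GPOs were applied and which were filtered out, which confirms the existing user-OU policies are no longer reaching that machine.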
As the other guy said, just use loopback processing to create user policies.
In my personal opinion it does not take 2 months to set up a new network domain.
Our Servers were up and running within days and we just had to rejoin machines to the new domain, configure network printers etc.
I hope you are not put off your project by certain people who think everything is difficult when it's not.
I have always been of the mind that RM networks are right for some schools and not for others and it is up to the school to decide the way to go.
When it comes to it, schools choose what is right for them and nobody has the right to say that is the wrong choice as long as that choice is based on an informed decision.
@Jose I agree for me it should take about 8 weeks (two months) to set up a vanilla network that is ready, sturdy and bug free.