20th July 2008, 10:19 AM #1 Merging Admin and Curriculum 2003 Domains
We have 2 2003 domains on 2 different ip ranges and physically separated (different switches in same cabinets) each with a DSL connection, Admin through our CC and Curriculum through a local ISP (split in one 8MB router)
Our CC is providing a single hugely improved broadband link through the local ISP (our Curriculum network). All high schools in CC are to get the link but we are unique in that our Admin network is very heavily used, 150+ PCs and every member of staff has an account.
Because the broadband link comes into Curriculum and I built it (know it inside out and the Admin domain was the 1st 2003 domain built by county before I took the job and has "issues"!), my plan was to migrate all users and file shares from Admin into Curriculum. Do away with any non student user accounts on Curriculum and merge any data they had stored on either domain together.
Issues:
1. The remaining single domain would be named CURRICULUM, when I'd prefer it to be named after our school (as our admin domain is).
2. Staff would have to stop using current admin login details and use their Curriculum logins, which most of them have but only a few use.
3. Each member of teaching staff's laptops (provided to use for Lesson Monitor) would have to be reconfigured from Admin to Curriculum domain before start of school in sept.
4. Some decision on what to do about shared H drives which exist on both domains (one for shared data for students and one for staff only)
Having looked through technet resources and threads here I wonder if I am thinking about it the right way.
Could I keep the Curriculum domain but change its name to that of the Admin domain thus saving a lot of work educating users and reconfiguring staff laptops (and admin workstations)? If so in what order should I do it: start by renaming Curriculum domain, then use Migration tool to move users or the other way around?
Any advice much appreciated
-
-
20th July 2008, 11:04 AM #2 Assuming that all that is changing is one ISP, why is it felt necessary to merge the domains? Another assumption, that you are using a private IP range, could this range not just be transferred to the new connection?
It just seems a huge upheaval that is not actually required. Having admin on a physically separate network/domain makes sense from a security view point.
Just a thought, feel free to ignore me if I'm talking rubbish.
-
-
20th July 2008, 11:52 AM #3
I think it's a very positive move to merge domains!! Security implications can be managed - and the network can be secured with Group Policy objects and VLANs and a whole host of other things.
It also helps with stuff like rolling out your MIS across the whole school!
For the name thing - you could:
1. Start off with a new network - and start afresh;
2. Stick with the domain being curriculum - [although I wouldn't - it might confuse people!]
3. Try something like this: http://www.petri.co.il/windows_2003_domain_rename.htm
Go for it!
Last edited by kiran; 20th July 2008 at 12:43 PM.
-
Thanks to kiran from:
pjm1974 (5th August 2008)
-
20th July 2008, 11:04 PM #4 Tend to agree with Leco. Opinions vary on the issue of using single domains in school. I personally still favour two as this gives better isolation of systems and data on the admin network.
If you want to consolidate (there is no way to 'merge' sadly), you will either have to recreate AD objects (user accounts, groups, computer accounts) or use the AD Migration Tool (ADMT - now at V3.something) to 'clone' the objects into the target domain. Whatever you do, it's a fair old job. You may want to consider a whole new domain and migrate AD objects from both existing domains into a new one.
-
Thanks to ajbritton from:
pjm1974 (5th August 2008)
-
5th August 2008, 12:18 PM #5 leco: It's not an option to keep 2 separate domains
ajbritton/kiran: I am purchasing one new server to host all student and staff home directories, but don't want to have to create a brand new domain and migrate (using ADMT) from both my admin and curriculum domains, surely this would be a longer process since I'd have to rejoin every domain pc to new domain too?!
Having looked through options I think I will use ADMT to migrate curriculum users to new server.
Then migrate AD and data from Admin domain to Curriculum domain. Then demote my admin dc and domain.
Then work on domain renaming of Curriculum
Can you see this order of attack presenting any problems?
-
-
5th August 2008, 12:52 PM #6 
Originally Posted by
pjm1974
leco: It's not an option to keep 2 separate domains

Sorry about that - sad indeed.
Can you see this order of attack presenting any problems?
Sorry again, can't help with this as I've never done it.
-
-
5th August 2008, 01:01 PM #7 
Originally Posted by
pjm1974
leco: It's not an option to keep 2 separate domains
ajbritton/kiran: I am purchasing one new server to host all student and staff home directories, but don't want to have to create a brand new domain and migrate (using ADMT) from both my admin and curriculum domains, surely this would be a longer process since I'd have to rejoin every domain pc to new domain too?!
Having looked through options I think I will use ADMT to migrate curriculum users to new server.
Then migrate AD and data from Admin domain to Curriculum domain. Then demote my admin dc and domain.
Then work on domain renaming of Curriculum
Can you see this order of attack presenting any problems?
We were in a similar position to you about a year ago. In the end we opted to create a brand new domain, at least that way we could ensure there were no historic gremlins!
We built our new domain in parallel to our existing two networks during term time, and then during the Easter holiday we migrated Teaching Staff/Student accounts from the Curriculum network to the new domain and the Support Staff accounts from the Admin network. To get around having to rejoin all the computers to the domain (since we have a network of over 500 computers which would have been a huge task!) we just migrated the computer accounts from their original domain to the new one.
With preparation done before the holiday period we were able to pull it off in just over a week which included rebuilding all of our servers which were being assigned different roles in our new domain.
It's definitely doable, just make sure you have everything planned out before you start - that way there shouldn't be too much that would trip you up!
-
-
5th August 2008, 03:23 PM #8 I'm considering changing to an entirely new domain name for Curriculum rather than re-use the old Admin one (as I had earlier planned) in case there is some association on the old admin domain name after migrating its users and data via ADMT?
Rendom claims to handle the domain name change on workstation computers after a couple of reboots (I realise my admin domain computers will have to be taken out of domain and added to the new one in any case).
-
-
5th August 2008, 03:58 PM #9 Sounds like a good idea to me, we were strongly advised against renaming a domain and to be honest I'm glad we took the time to set everything up ourselves. Was really worth the time spent. 
Going on memory here, we had to create a trust between our new domain and our existing domains in order to migrate the users, groups and computer accounts with ADMT, we migrated the data using robocopy to preserve the permissions and finally we used the Exchange migration tool to move our mailboxes across.
Hope this is of some use to you!
-
-
6th August 2008, 09:33 AM #10
I would start from fresh - at least you know what's happening and you know you've done it right - and it's a clean start!!
Hope everything goes well - let us know if you have any more problems!
-
-
6th August 2008, 10:04 AM #11 The thing which always concerns me when flattening a network is the weakest link - the staff.
Admin machines are usually out of the classroom, in areas where pupils would not normally have any access.
If you're allowing what's normally on the restricted admin network to be available on the curriculum you have the security risk of staff leaving machines logged on, and it could result in far more work for you to keep the network secure. The number of staff who use their kid's names as passwords frightens me! Pupils may need three passwords to gain access to confidential data, but I think the physical barrier of not having access to the machines far outweighs the benefits of a flat network.
-
-
6th August 2008, 10:57 AM #12
I think it's a matter of training - if I see a workstation unlocked I tell that person! Reminding staff and forcing 10-minute screensaver lockouts is always a good way!
-
-
6th August 2008, 11:08 AM #13 We're currently locking computers used by staff after 10 minutes inactivity as well.
In order to make our staff understand how important it is to lock the computer before walking away from it we did a demonstration of how simple and quick it would be for anyone to open search, enter a student's name and bring up lots of private/sensitive information. This was enough to shock them into doing it!
Although if we ever do see an unlocked, unattended computer we lock the computer immediately, and the issue is taken up by the head with the relevant member of staff since this is a violation of our AUP.
-