I'm wondering if anyone could shed any light on this or advise me on the best way to sort this system out.
I have just inherited a network which by first opinions is a total mess, completely disorganised in all aspects. It is a secondary school with 6th Form and has around 500 PCs, 14 servers, 1300 students, 160 staff.
All servers are running 2003 R2, desktops on Windows XP.
The first thing I would like to address is the domain structure. There is a parent domain and 2 child domains all on a single site, which I find to be A) very confusing, B) pointless on a single site and C) probably doing more harm than good in terms of performance.
Ideally I would like to remove the child domains and just have a single parent domain, with 3 DCs and the remaining servers becoming member servers.
As it stands there are 3 DCs on the parent domain, 2 DCs on one child domain and 2 DCs on the other.
Has anyone had any experience of doing this and what would be best practice?
Personally - I'd start from scratch. Leave it as it is for now whilst jiggling servers around to free up some server resources that you can use and start creating a new Active Directory. But that's just me.
I'd spend a couple of weeks trying to figure out the foibles and if there are any hidden reasons for the setup before changing anything.
Are the child domains for staff \ students? Always interested in various ideas with 2 domains \ subdomains \ trusts but in the end 1 seems to be the path of least resistance. So much stuff needs to be linked up these days splitting across multiple domains just makes life more hassle than it's worth...
The fresh start sounds like a plan, that way you know what you've done (and a good excuse to get the migration to 2008 R2 \ Windows 7 done).
14 servers... time for virtualisation as well?
Sounds like a summer job to me, work out what does what now, work out a plan of attack and then start it in the summer holidays.
First thing I would do is make sure the backups are working, then at least if anything fails you can restore.
Then I would start from scratch.
+1 for backups as above - this doesn’t sound like the time to watch things falling apart.
It does sound like you should consider a ground-up build - what you have there sounds like something more complex than even most medium-sized businesses and is not suitable for a school.
Spend plenty of time planning your new network – you might even want to keep Windows Server 8 in mind as it should be with us before the end of the year.
Other than that you should look at mixing in a few value-added features like a VPN for staff or virtual desktops for the students (just so it doesn’t look like you have made massive changes and spent loads of money but not actually brought anything worthwhile to the table).
Wahay! Welcome to the Party! Sounds just like it was when I got here four years ago. Sounds like a great project to get your teeth into.
Words of a brave man taking on a new Server OS on initial release :p
Originally Posted by jamesfed
If Hyper-V in Server 8 is as good as promised we will be going onto it ASAP ;)
Originally Posted by gshaw
With the new world of public Beta and RC testing I think the days of shoddy first releases (especially now that service packs are mere roll-ups of previous updates and hotfixes) are starting to fade away.
The child domains are split so that one handles student logins and home folders and the other one handles all staff logins and home folders, teaching staff and admin.
Originally Posted by gshaw
My plan is to get a single domain with 3 physical DCs (not a fan of virtualising them) and then virtualise the remaining 11.
I think like most schools they believe having the admin and academic domains separate improves security, but it's only ever as good as staff passwords, so I want it as one.
I'm all for starting from scratch with a new domain and migrating the various roles across, although I have never had to do it before. It's a vanilla Windows network though, so should be pretty straightforward, right? I guess recreating AD, DNS and migrating home directories is the biggest problem.
Is there really no other way to do it without having to start from scratch?
Could I not use ADMT to migrate users and computers from the child domains to the parent? Then demote the DCs running on the child domains and place them on the parent domain to just deal with the home directory side of things till they can be moved?
I remember when I first started, we had two separate domains for admin and curriculum. At the time there was a lot of discussion and debate on this very forum about split domains vs flat. I wanted to flatten the domains and have just one; security on the desktop has moved on a bit from the early school network days. Ease of administration was my biggest factor and it's worked quite well since we implemented it over two years ago. It's stopped a lot of grief with various staff members having two separate login details. We have machines built differently, curriculum and admin, with CSE in use on the curriculum which with a load of custom GPOs in place locks things down pretty tight. Admin machines don't allow student logins to be used, and desktop backgrounds shout clearly what type of logon is being used. The use of loopback GPO enables a different set of GPOs to be applied depending on the type of machine being used. But, granted, the weakest link will always be the staff, but so far, so good.
The biggest driver was the introduction of lesson monitoring and SIMS in the classroom and the SIMS server originally sat on the admin domain. Trusts were obviously in use to enable this to happen originally, but I really just wanted to Keep It Simple.
Best of luck.
Doing it from scratch is nice. That way everything is fresh and no possible hidden gotchas waiting to pounce.
Originally Posted by Badaz52
You could use ADMT to transfer profiles (no idea if it handles computers in AD) but again nice to go with everything fresh if possible, and it's not that hard to move home drives in/for AD. Students will most likely (hopefully) be using some type of restricted/mandatory profile so just recreating it won't be too hard. Getting staff to accept new profiles might be a harder subject (which transferring might be of some use) because some might be using their desktops as document storing areas (although if they are redirected already that isn't much of a problem).
I would offer a word of caution though. Was the school network set up like this, or did it evolve into its current form? If it evolved then there may have been a reason for this, so please ensure you take into account any specific 'quirks' before planning to re-do the entire network.
Of course if it was set up like this originally then what you are planning would probably be for the best. The easiest way to do it IMO, would be to get the AD set up well in advance on a local VM and you can do this over a period of time without affecting the main network (which if working correctly should not be messed with!). Once you have AD (users etc), DNS and other services set up correctly it is a simple matter to set up physical servers and migrate roles from the VM. Doing it this way will save you a great deal of time and effort in the summer, for as others have said, this will be a summer job, and as long as the VM is set up correctly the backend migration should take about a week to flatten the physical servers, install server O/S, migrate AD, integrate user areas etc. That then leaves you some time to do the desktops, which are always fun!
I seem to remember that a lot of school networks were originally set up with two domains, admin and curriculum, to keep the two separated; this was a favorite in the NT4 days. There was a one-way trust set up with the curriculum trusting the admin domain.
It's possible that this is a theme of this idea. But I would run with it for a while because sometimes you have to work with things for a while before you are able to see the reasoning. I take it you are not able to speak to anyone that has been involved with the network previously?
Apart from that I have to go with Dos_Box; some sound advice there.
I think it's wise as people are suggesting to run with it for a while. Don't go in like a bull in a china shop and try to change everything overnight. Teachers are slow to adapt to change. From experience here: get the current system stable and win the confidence of your users - then plan all the major changes and work them in, ensuring you have demonstrated to all the various faculties that what you have in the pipeline is going to benefit them and make it a better place.