Windows Server 2008 R2 thread (Technical forum): Help setting up new education domain
#1 cheeseslice

Help setting up new education domain

    Hello all,

    This is my first post and I am hoping that some of you can point me in the right direction, as I don't quite know what the normal requirements would be for a domain in an education environment.

    I have been asked to help with an upgrade for a small school. It currently has 20 computers running Windows 7 Home and one network printer. Each computer has the latest Student edition of Office installed. The network is only being used for training students on Microsoft Office and web applications, nothing else.

    What they would like is for each computer to be upgraded to Windows 7 Professional and connected to their new server running 2008 R2.

    I have installed the OS on the server and set up AD to have 3 main OUs: Computers, Students and Staff. Within Students I then created OUs for each intake year, 2011 and 2012 at the minute.

    The point I am at now is group policies, mapping drives, folder redirection and roaming profiles. I have a few questions I'm hoping I can get some help with.

    How tightly do you lock down the workstation using GPOs?

    Do you differentiate between staff and students or leave them the same and let admins have all the rights?

    Does anyone use folder redirection and roaming profiles? I see the point in folder redirection for backup but if you are very restrictive on the staff and students is there much point in their profile roaming?

    For backups I intend to have 2 external usb drives swapping each night, would this be acceptable?

    The workstations currently have Office installed; for different reasons I can't wipe these machines before connecting them to the domain. Does anyone know of any problems I might encounter once I connect them to the domain and use folder redirection?

    Thanks in advance

#2 dhicks

    Quote Originally Posted by cheeseslice
    How tightly do you lock down the workstation using GPOs? Do you differentiate between staff and students or leave them the same and let admins have all the rights?
    It's generally a good idea to lock down the workstations as much as possible to stop users running random executables, that sort of thing. Staff and students should be in separate OUs for admin purposes (you might want a shared file area which only staff can access, for instance), but there's no need for staff to have admin rights to any machines - you'll probably find that the teachers are as bad as the children for installing software that you don't want on the network.

    I see the point in folder redirection for backup but if you are very restrictive on the staff and students is there much point in their profile roaming?
    Probably not, folder redirection is probably the best solution.

    For backups I intend to have 2 external usb drives swapping each night, would this be acceptable?
    That's probably just fine - you might want to encrypt the disks if you're taking them offsite, just in case you lose one.

    The workstations currently have office installed, for different reasons I can't wipe these machines before connecting them to the domain.
    How are you upgrading from Home to Pro, by running Anytime Upgrade on each machine at £100 a time? As an educational institution you'll probably find that you can get much better pricing than that for Windows and Office - contact a Microsoft reseller to find out. If you're just running a web browser and MS Office on the machines anyway, it might be cheaper to run Office via a Remote Desktop Services server - at educational pricing that would only set you back about £30 per workstation Client Access License (CAL).

#3 superfletch

    Quote Originally Posted by cheeseslice
    How tightly do you lock down the workstation using GPOs?
    This can vary depending on the age of the pupils. I'd have thought most of the secondary techs on here can give you some good advice about what to lock down or not; if it is a primary then you'll probably need to be less stringent about things like accessing the command prompt etc.

    Quote Originally Posted by cheeseslice
    Do you differentiate between staff and students or leave them the same and let admins have all the rights?
    Yes - differentiate as this will help for applying permissions to important or sensitive shared folders.


    Quote Originally Posted by cheeseslice
    Does anyone use folder redirection and roaming profiles? I see the point in folder redirection for backup but if you are very restrictive on the staff and students is there much point in their profile roaming?
    I usually use a mandatory (fixed) profile which is different for staff/students, with just My Docs redirected, but again other people will be able to offer more advice.


    Quote Originally Posted by cheeseslice
    For backups I intend to have 2 external usb drives swapping each night, would this be acceptable?
    This will depend on the importance attached to the data being backed up and how well the backup is actually implemented. For instance, who will be responsible for it and what happens if they aren't in? What happens with the second HDD when it isn't in use (where is it kept etc.)? Personally 2 USB HDDs wouldn't cut it for me, but it does depend what you are backing up.


    Quote Originally Posted by cheeseslice
    The workstations currently have office installed, for different reasons I can't wipe these machines before connecting them to the domain. Does anyone know of any problems I might encountered once I connect them to the domain and use folder redirection?
    Whatever the reason is that you can't wipe them is probably the same thing that will cause you problems later (out of pure interest, why can't you wipe them?). If you could wipe them it would surely be better to do this and have a clean (not upgraded) version of W7 Pro installed.


    Edit: agree with dhicks that if you're doing Anytime Upgrade it could be more expensive than it needs to be.



    Good luck with it, and welcome to edugeek.
    Last edited by superfletch; 20th April 2011 at 12:50 PM.

#4 cheeseslice

    thanks for the quick replies.

    I should have said in my original post that I actually have an OU called Users, with Staff and Students below that.

    For the mapped drives I had thought about using a group policy linked to Users to map everything and then excluding students from the drives that I don't want them to see. Or would it be best to have completely separate policies, do you think?

    Once the server is up and running and everything is connected they are on their own; they don't have any IT support at all, so I would imagine one of the teachers will be taking control.

    The backups are purely for coursework. The server only has 2x250GB SATA in RAID 1; the external drives are 1TB. I had just thought about doing a full backup each evening.

    As far as wiping the machines goes there are a few issues. My intention was to wipe all of them beforehand so that everything was fresh, but I only found out that the machines were bought with 7 Home pre-installed and no discs were included. So I have no way of wiping the machines.

    As far as I know they bought the upgrades online and had 20 discs sent out with 20 different keys; I think they paid £30 per machine. I had thought about WDS for this but more than likely it will be a lot less hassle to just put in the discs and let them run.

    Just as a matter of interest, what way do you rebuild a machine?

    I was going to set up group policies to install software but there are so few machines and so little software I don't know if it would be worth the effort.

    I was thinking that it might be best to create an image of a machine with everything installed and let them use that to wipe the computer when something goes wrong, though there is no money for 3rd party imaging software.

    I will probably offer to do some remote administration for them but at the minute they don't have a static IP, so that is something else they need to get sorted. I take it most people on this forum would work on site? I'm thinking a VPN connection to their server is probably going to be the best bet.

#5 superfletch

    Quote Originally Posted by cheeseslice
    they don't have any IT support at all so I would imagine one of the teachers will be taking control.

    The backups are purely for coursework. The server only has 2x250gb sata in raid1, the external drives are 1Tb. I had just thought about doing a full backup each evening.
    Sounds quite important to me (although not quite up there with finance or personnel data); I doubt the backup regime will be rigorously adhered to if it is left to staff. Do you have the ability to enable shadow copies?

    Quote Originally Posted by cheeseslice
    I was thinking that it might be best to create an image of a machine with everything installed and let them use that to wipe the computer when something goes wrong, though there is no money for 3rd party imaging software.
    I'd deploy the machines this way ideally as it is just such a timesaver. For something that's free look into FOG (fogproject.org); you can easily stick it on an old workstation rather than an actual server. I set my first one of these up last week and it was a breeze.

    Quote Originally Posted by cheeseslice
    I will probably offer to do some remote administration for them but at the minute they don't have a static ip so that is something else they need to get sorted. I take it most people on this forum would work on site? I'm thinking a vpn connection to their server is probably going to be the best bet.
    Static IP can usually be achieved by talking to the local RBC (broadband supplier), but for remote access without one what about LogMeIn?
    Last edited by superfletch; 20th April 2011 at 01:37 PM.
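
    Putting dhicks's "encrypt the disks" suggestion and superfletch's shadow-copies question into practice, here is an added example in PowerShell. It is not code from anyone in the thread. It assumes the coursework lives on D:, both USB drives are given the same letter E: when attached (set once in Disk Management), the server is Windows Server 2008 R2 with the Windows Server Backup and BitLocker features, and the task names are made up for illustration.

```powershell
# Added example; not posted in the thread. Assumptions: data on D:, both USB
# drives appear as E: (assigned in Disk Management), Windows Server 2008 R2.
Import-Module ServerManager
Add-WindowsFeature Backup-Features, BitLocker | Out-Null   # BitLocker needs a restart

# --- 1. Shadow Copies on D: so staff can recover files themselves via "Previous Versions" ---
# Reserve 10% of D: for snapshots, then snapshot twice each school day.
& vssadmin add shadowstorage /for=D: /on=D: /maxsize=10% | Out-Null
foreach ($t in '07:00', '12:00') {
    $name = 'ShadowCopy-D-' + $t.Replace(':', '')
    & schtasks /create /f /tn $name /sc weekly /d MON,TUE,WED,THU,FRI /st $t /ru SYSTEM `
        /tr 'vssadmin create shadow /for=D:' | Out-Null
}

# --- 2. Encrypt each USB drive once (run with each drive attached in turn) ---
function Protect-BackupDrive([string]$Volume = 'E:') {
    if ((& manage-bde -status $Volume) -match 'Conversion Status:\s+Fully Encrypted') {
        return "$Volume is already encrypted"
    }
    # Prompts for a password and prints a 48-digit recovery password:
    # record the recovery password in the handover pack, not on the drive.
    & manage-bde -on $Volume -RecoveryPassword -Password
    # Auto-unlock after each swap only works if the OS volume is BitLocker-protected too.
    $osProtected = (& manage-bde -status C:) -match 'Protection Status:\s+Protection On'
    if ($osProtected) {
        & manage-bde -autounlock -enable $Volume
    } else {
        Write-Warning "C: is not BitLocker-protected; after each swap run: manage-bde -unlock $Volume -Password"
    }
}

# --- 3. Nightly full backup to whichever encrypted drive is plugged in as E: ---
$cmd = 'wbadmin start backup -backupTarget:E: -include:D: -allCritical -quiet'
& schtasks /create /f /tn 'Nightly-Backup-USB' /sc daily /st 21:00 /ru SYSTEM /tr $cmd | Out-Null

# --- 4. Morning check: did last night's job actually write to the drive? ---
function Get-LastBackupStatus {
    $lines = (& wbadmin get versions -backupTarget:E: 2>$null) -match 'Backup time:'
    if (-not $lines) { return 'NO BACKUP FOUND on E: - was the drive swapped and unlocked?' }
    return $lines[-1]   # most recent "Backup time:" line
}
Get-LastBackupStatus
```

    The point of step 4 is superfletch's objection: a rotation run by whoever remembers will silently stop working, so the check should be something a teacher can run (or a task that emails the result) rather than something that needs the server's administrator. Shadow copies are not a backup (they live on the same disks as the data); they only cover accidental deletion and overwrites between nightly runs.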

#6 sted

    I see no problem with doing GPO mapped drives. The best way, I would have thought, is to have a common one applied at the Users OU level (so, say, shared drive, resources etc.) and a second one applied to the Staff OU for teachers' shared etc.

    As long as the new disks for Pro have a code it doesn't matter about the old OS; they have a sticker, so any Windows 7 DVD will work (though you may need to delete ei.cfg from the sources folder so you can select the edition to install, so a pen drive is usually easier than a DVD).

    As to imaging, I tend to use WDS/MDT these days: it's free, simple, well documented and works. Just on your sysprep file, leave the key blank and type it in at each PC; a pain but probably the simplest option. Again, user reinstall can be done via WDS/MDT if you put the time in. With Win7 I've found if you rebuild a PC it will usually pick up the name it had before if it was built with WDS to start with.

    I don't work on one site but all sites have a static IP and I use LogMeIn or similar to remote admin the server, then if I need to remote a workstation, VNC/RDP.

    If you really, really can't format the PCs, set one up in Home as you want; it is possible using the WAIK kit to take an offline sysprepped image of a PC and version change upwards, so Home Basic > Premium > Pro > Ultimate. It's a total faff but I have used it before as a last resort.

#7 cheeseslice

    sted, can I just clarify what you are saying.

    I could download a Windows 7 trial, distribute that using WDS, then distribute the 7 Pro upgrade using WDS too?

    Or can I download a Windows 7 trial and just use the upgrade key to activate it?

    As far as assigning software using policies, do you think it would be worthwhile on such a small network? From what I understand of it, the most they will do once everything is up and running is maybe update Java and Flash from time to time.

    I meant to ask about WSUS too. I have read that it's a bad idea to run WSUS on a DC and this server isn't exactly high end. Would it be best to just set automatic updates individually on the machines?

    Thanks again for all the replies

#8 sted

    If you have a key you can download Win7 media from MS, I believe (I know you can via TechNet but I think it's there for the general public), and as long as you have a code (upgrade keys, if they are Anytime Upgrade, I have no idea; I've only used OEM/MAK) you should be fine regardless of whether you install via WDS/USB/DVD.

    Ideally you run as little as possible on a DC, but I've got WSUS running on 10+, as a company probably 50+, and no issues that I can think of.
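
    An added example in PowerShell, not posted by anyone in the thread, of the layering sted describes in #6 and of pointing the clients at WSUS as discussed in #7 and #8: one common GPO linked at the Users OU, a tighter one linked at the Students OU, and a machine GPO at the Computers OU. It assumes the domain is school.local, the OU layout from the thread, and a hypothetical WSUS server at http://dc01:8530; the registry paths are the standard policy locations these Group Policy settings write to, and the GPO names are made up.

```powershell
# Added example; not from the thread. Assumptions: domain school.local,
# OU=Computers at the domain root, OU=Staff and OU=Students under OU=Users,
# a hypothetical WSUS server at http://dc01:8530. Run on the DC with GPMC installed.
Import-Module GroupPolicy

$domainDN = 'DC=school,DC=local'
$usersOU  = "OU=Users,$domainDN"
$staffOU  = "OU=Staff,$usersOU"
$studOU   = "OU=Students,$usersOU"
$compOU   = "OU=Computers,$domainDN"

function Get-OrCreateLinkedGpo([string]$Name, [string]$LinkTo) {
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }
    # Linking twice raises an error; ignoring it keeps the script re-runnable
    New-GPLink -Name $Name -Target $LinkTo -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
    return $gpo
}

function Set-PolicyDword([string]$Gpo, [string]$Key, [string]$ValueName, [int]$Data) {
    Set-GPRegistryValue -Name $Gpo -Key $Key -ValueName $ValueName -Type DWord -Value $Data | Out-Null
}

$hkcuExplorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$hkcuSystem   = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$wu           = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# 1. Common user GPO at the Users OU: inherited by Staff and Students alike.
$common = Get-OrCreateLinkedGpo 'Users-Common' $usersOU
Set-PolicyDword $common.DisplayName $hkcuExplorer 'NoDriveTypeAutoRun' 0xFF   # AutoRun off for every drive type

# 2. Student-only lockdown linked at the Students OU; Staff never receives it.
$students = Get-OrCreateLinkedGpo 'Students-Lockdown' $studOU
# DisableCMD = 2 blocks the interactive prompt but still lets logon scripts run; 1 would break them
Set-PolicyDword $students.DisplayName 'HKCU\Software\Policies\Microsoft\Windows\System' 'DisableCMD' 2
Set-PolicyDword $students.DisplayName $hkcuSystem   'DisableRegistryTools' 1
Set-PolicyDword $students.DisplayName $hkcuExplorer 'NoControlPanel' 1

# 3. Machine settings at the Computers OU: every client takes updates from WSUS.
$clients = Get-OrCreateLinkedGpo 'Clients-WSUS' $compOU
Set-GPRegistryValue -Name $clients.DisplayName -Key $wu -ValueName WUServer       -Type String -Value 'http://dc01:8530' | Out-Null
Set-GPRegistryValue -Name $clients.DisplayName -Key $wu -ValueName WUStatusServer -Type String -Value 'http://dc01:8530' | Out-Null
Set-PolicyDword $clients.DisplayName "$wu\AU" 'UseWUServer' 1
Set-PolicyDword $clients.DisplayName "$wu\AU" 'NoAutoUpdate' 0
Set-PolicyDword $clients.DisplayName "$wu\AU" 'AUOptions' 4             # 4 = download and install on the schedule below
Set-PolicyDword $clients.DisplayName "$wu\AU" 'ScheduledInstallDay' 0   # 0 = every day
Set-PolicyDword $clients.DisplayName "$wu\AU" 'ScheduledInstallTime' 15 # 15:00, while the PCs are still switched on

function Get-EffectiveGpoLinks([string]$OU) {
    # Returns every GPO that will apply to objects in $OU, including inherited links
    Get-GPInheritance -Target $OU | Select-Object -ExpandProperty InheritedGpoLinks |
        Select-Object DisplayName, Enabled, Enforced, Target
}
Get-EffectiveGpoLinks $studOU   # Default Domain Policy, Users-Common, Students-Lockdown
Get-EffectiveGpoLinks $staffOU  # Default Domain Policy, Users-Common only
```

    The drive mappings themselves go into these same GPOs under User Configuration > Preferences > Windows Settings > Drive Maps (the shared drive in Users-Common, the teachers' drive in a GPO linked at the Staff OU); on 2008 R2 the preferences are edited in GPMC rather than from cmdlets. A mapping that students do not receive only hides the drive: the share and NTFS permissions on the teachers' folder are what actually keep them out. On a client, `gpupdate /force` followed by `wuauclt /detectnow` makes the WSUS change take effect without waiting for the next refresh.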

#9 cheeseslice

    I'll have to check and see exactly what it is that they have purchased. If I can I will do a fresh install it would probably make things easier in the long run.

    superfletch, I had a look at that FOG project, thanks. I had thought about LogMeIn, especially as it will allow me to use my iPhone if something simple needs checking while I am out and about. I have enquired about a static IP and their ISP wants £5 a month, so I'll have to give them that choice.

    I have been scouring forums for easy maintenance options and I have read a few people talking about "RM Boot Manager"; it allows you to create an image on each workstation that can then be restored from a boot manager menu. Would anyone know of a free alternative to this? Having this would make things far easier: short of the hard drive failing, they could restore a machine very quickly without having to go near the server.

#10 superfletch

    You might be able to use a free service like Dynamic DNS to get around the static IP thing (presuming that whatever service you need to get at will work using a hostname rather than an IP).

    To use Dynamic DNS you'll usually need some control over the broadband router in order to implement it properly, and I know a lot of RBCs don't allow this. However, I think there is an application available from the Dynamic DNS website that you can install on an individual computer, effectively giving that machine a static hostname on the internet.

    I did a really short guide to using FOG in an isolated environment (loosely based on the doc in the FOG wiki) if you want it PM me and I'll email it.
    Last edited by superfletch; 20th April 2011 at 03:02 PM.


#11 cheeseslice

    Sorry to keep adding questions on to this thread but I forgot to ask something about folder redirection.

    So I have a file and AD structure that looks like this:

    users

    -staff

    -students
    -2012
    -2011

    I thought it best to do this so that students could easily be removed after they leave. Is it best to have it like this and then have a separate group policy for each year to set the folder redirection or is there an easy way to have it automatically recognise the structure.

    At the minute the only way I can see would be to set it for each year group e.g. \\dc01\studentwork$\2011\%username%\
    Last edited by cheeseslice; 20th April 2011 at 03:52 PM. Reason: fat fingers

#12 psydii

    Before I say anything else: Your current thoughts on how to do this are exactly what I would do. However in this case there are some unknowns that might shape the best approach.

    How is the school's use of ICT going to evolve and what age group are the students? If they are never going to go beyond 20 machines, and it is appropriate for them to use unmanaged Hotmail-like services, then is a domain necessary? Would having a centralised backup location, recovery image, settings controlled through LGPOs and personal Windows Live accounts suffice? You could create pre-configured generic student accounts on each machine, and the staff could assign students to accounts. The students would sync their work to Live, and at the end of the course the accounts reset. The PCs could be set (as per default) to pick up and install Windows updates automatically, and use Security Essentials to protect from malware. The standard Adobe plugins might present a challenge, but a LogMeIn account should enable you to sort that out with a monthly 'visit'. In order to keep the machines functioning you'd need to ensure none of the staff had admin rights though.


    The following on Images and Backup should be useful in both domain and workgroup environments:

    Microsoft Backup Best Practice: "to back up computers in small or branch offices with a 100Mbps or faster LAN, configure a server with sufficient disk storage for backups from each computer. Then schedule automatic backups to store files to a shared folder on the server. Alternatively, you can use a NAS." Taken from the Windows 7 Resource Kit (I cannot recommend this book enough; the chapters on User Data management are essential reading for W7 admins).

    For OS image management, Windows Recovery Environment is included in Windows 7. You can store a Windows image on the recovery partition to enable restoration to your initial configuration. Useful links: What is ImageX? and Deploy a System Recovery Image.

    For initial deployment to multiple machines you'd need to use "sysprep /generalize" before taking the master image.

    Final point: all should be documented, and along with the passwords (the AD recovery password is probably the most vital) the full recovery instructions handed over to the Head so they can recover in the event you are ever knocked down by the Clapham omnibus.
    Last edited by psydii; 20th April 2011 at 04:40 PM.

#13 psydii

    Quote Originally Posted by cheeseslice
    ....
    I thought it best to do this so that students could easily be removed after they leave. Is it best to have it like this and then have a separate group policy for each year to set the folder redirection or is there an easy way to have it automatically recognise the structure.

    At the minute the only way I can see would be to set it for each year group e.g. \\dc01\studentwork$\2011\%username%\
    Assuming that you've set \\dc01\studentwork$\2011\%username% as the Home Directory in the user's properties, perhaps a value of %HOMESHARE%%HOMEPATH% in group policy would do what you want?

#14 cheeseslice

    Quote Originally Posted by psydii
    How is the school's use of ICT going to evolve and what age group are the students?
    As far as I am aware they are going to have around 150 students a year who are going to be taking the courses that will be run on these computers. Their initial requirements were a system that would keep all users' work secure and independent, the work would be backed up, users could log onto any machine, and there would be shared folders where templates could be stored and accessed by staff and students. Eventually they plan on making use of SharePoint but that is a bit away. Email is provided by an online company so they will never need Exchange.

    Each student will only be using Word and Excel documents, so I have been asked to set a quota of 100MB for each student's user area. I am assuming that as students leave their accounts will be backed up and deleted to free up space. The server is only running 2x250GB in RAID 1 so they don't have a lot to spare. I have partitioned this in half, for OS and data.

    I have never heard of ImageX before; I am going to have to do some reading on this. Have you used it? What I would like to do is create an image on the local hard drive of each machine once I have the entire network configured and working; that should speed things up dramatically when a machine becomes corrupt.

    I have been doing a bit of reading this afternoon on using Windows 7 upgrade media to do a clean install; apparently it is possible to do with a few registry hacks, but I don't know how easy it would be to do using WDS. I'll have to see the state of the machines before I make any decisions.

    My aim is to have as much as possible configured on the server before I arrive to minimize the amount of time I am going to spend on site. I much prefer working without an audience looking at their watches!
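
    Here is an added example in PowerShell, not code from anyone in the thread, that provisions the server side of cheeseslice's \\dc01\studentwork$\<year>\%username% layout (#11) and the 100MB quota above: one hidden share, a per-year folder listable only by that intake, a per-student folder the student can modify but not re-permission, the AD home-directory attributes that psydii's %HOMESHARE%%HOMEPATH% suggestion (#13) relies on, and a File Server Resource Manager auto-quota. Assumptions: file server dc01, data volume D:, NetBIOS domain SCHOOL, year OUs named 2011 and 2012 under OU=Students,OU=Users, one group per intake named Students-<year> (a made-up name), and the File Server Resource Manager role service installed so that dirquota.exe exists.

```powershell
# Added example; not from the thread. Assumptions: dc01, data on D:, NetBIOS
# domain SCHOOL, OU=2011 / OU=2012 under OU=Students,OU=Users, groups Students-<year>
# (hypothetical), and the FSRM role service installed (dirquota.exe).
Import-Module ActiveDirectory

$root   = 'D:\StudentWork'
$share  = 'studentwork$'
$server = 'dc01'
$dom    = 'SCHOOL'
$studOU = 'OU=Students,OU=Users,DC=school,DC=local'
$years  = '2011', '2012'

function Set-FolderAcl([string]$Path, [string[]]$Grants) {
    # Creates the folder if needed, drops inherited ACEs and leaves exactly
    # SYSTEM, Administrators and the supplied grants.
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $argList = @($Path, '/inheritance:r', '/grant:r',
                 'SYSTEM:(OI)(CI)F', 'BUILTIN\Administrators:(OI)(CI)F') + $Grants
    & icacls $argList | Out-Null
}

# Root: any domain user may traverse it ("this folder only": no (OI)(CI) flags)
Set-FolderAcl $root @('Authenticated Users:RX')
if (-not (Get-WmiObject Win32_Share -Filter "Name='$share'")) {
    # Share permission stays broad; the NTFS ACLs below are the real control
    & net share "$share=$root" '/GRANT:Authenticated Users,CHANGE' '/GRANT:Administrators,FULL' | Out-Null
}

foreach ($year in $years) {
    $group    = "Students-$year"
    $yearOU   = "OU=$year,$studOU"
    $yearPath = Join-Path $root $year
    if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
        New-ADGroup -Name $group -GroupScope Global -Path $yearOU | Out-Null
    }
    # Only that intake can list the year folder; other years cannot even see it
    Set-FolderAcl $yearPath @("${dom}\${group}:RX")
    # One auto-quota applies FSRM's built-in "100 MB Limit" hard quota to every
    # subfolder, including folders created later
    & dirquota autoquota add "/path:$yearPath" '/sourcetemplate:100 MB Limit' | Out-Null

    foreach ($u in (Get-ADUser -Filter * -SearchBase $yearOU -SearchScope OneLevel)) {
        $sam  = $u.SamAccountName
        $home = Join-Path $yearPath $sam
        # Modify, not Full Control: the student cannot change the ACL or share the folder
        Set-FolderAcl $home @("${dom}\${sam}:(OI)(CI)M")
        Add-ADGroupMember -Identity $group -Members $u
        Set-ADUser -Identity $u -HomeDrive 'H:' -HomeDirectory "\\$server\$share\$year\$sam"
    }
}

function Test-HomeFolder([string]$Sam) {
    # $true when the AD attribute points at a folder whose ACL gives that user Modify
    $u     = Get-ADUser $Sam -Properties HomeDirectory
    $local = $u.HomeDirectory -replace "^\\\\$server\\$([regex]::Escape($share))", $root
    if (-not (Test-Path $local)) { return $false }
    $ace = (Get-Acl $local).Access | Where-Object { $_.IdentityReference -eq "$dom\$Sam" }
    return ($ace -ne $null -and ("$($ace.FileSystemRights)" -match 'Modify'))
}
Test-HomeFolder 'jbloggs'   # hypothetical student account
```

    In GPMC the redirection itself is then User Configuration > Policies > Windows Settings > Folder Redirection > Documents, set to Basic with the target "Redirect to the user's home directory" (or the %HOMESHARE%%HOMEPATH% path psydii gives). Because the folders already exist with Administrators on the ACL, untick "Grant the user exclusive rights" on that setting, otherwise redirection fails for every pre-created folder. Leaving a year's worth of accounts is then one OU, one group and one folder tree: back up the year folder, delete the OU, remove the folder. Students in the same intake can see each other's folder names (they have list rights on the year folder) but not their contents.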

#15 psydii

    I'm just doing my research on W7 so haven't used ImageX in anger yet, but there seems to be a lot of good documentation out there.

    However tightly you choose to lock down, what is crucial (generally) are: timely security updates, timely and strong anti-malware protection, and good internet content filters (ideally analysing traffic at multiple layers). Nobody gets admin rights, even those staff who may be responsible for adding users; you can use delegation for this.

    Unless you are unreasonably lucky, you are not going to get the combination perfect first time, and there will likely be a fair bit of tweaking of filters and GPO settings to be done after the system goes live, even if you have met their original stated requirements to the letter. So you may find yourself spending a little more time on site than you are planning.

    I don't know your background, and given the strength of your approach so far it is quite likely that you know this already, but Windows 7 Known Folders, redirection, Windows Search (on server and client) and offline files are much more interdependent than in XP. It is very important that you understand how they interact before committing to a GPO/user data shared folders design. Personally I have not found a better overall resource than Chapter 15 of the Windows 7 Resource Kit.


    I realised that I posted links to the Vista version of one of the documents earlier, so I went on a hunt; here are the W7 ones:
    ImageX Technical Reference
    Deploy a System Recovery Image
    Folder Redirection Overview
    File Sharing and Offline Files Enhancements
    Windows Browse and Organize Features
    What's New in Folder Redirection and User Profiles
    Managing Roaming User Data Deployment Guide (Vista, but mostly still valid)

    Best of luck.
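
    To make "nobody gets admin rights, use delegation" concrete, an added example in PowerShell (not psydii's code) that delegates only student-account administration over the Students OU to a teachers' group and lists who sits in the privileged groups before handover. It assumes domain school.local with NetBIOS name SCHOOL, the OU layout from the thread, and a hypothetical group called Staff-UserAdmins.

```powershell
# Added example; not from the thread. Assumptions: domain school.local / SCHOOL,
# OU=Staff and OU=Students under OU=Users, hypothetical group Staff-UserAdmins.
Import-Module ActiveDirectory

$dom     = 'SCHOOL'
$staffOU = 'OU=Staff,OU=Users,DC=school,DC=local'
$studOU  = 'OU=Students,OU=Users,DC=school,DC=local'
$grp     = 'Staff-UserAdmins'

if (-not (Get-ADGroup -Filter "Name -eq '$grp'")) {
    New-ADGroup -Name $grp -GroupScope Global -Path $staffOU `
        -Description 'Creates/resets student accounts in OU=Students only; no admin rights' | Out-Null
}

# Delegate the minimum over the Students OU tree. Do not reach for the built-in
# Account Operators group instead: it is domain-wide and may log on to the DC.
# CCDC = create/delete child objects of class user, on this OU and every sub-OU (/I:T)
& dsacls $studOU /I:T /G "${dom}\${grp}:CCDC;user" | Out-Null
# Rights on the user objects below the OU (/I:S): reset password, force
# "change at next logon", enable/disable, unlock
& dsacls $studOU /I:S /G "${dom}\${grp}:CA;Reset Password;user" `
                         "${dom}\${grp}:RPWP;pwdLastSet;user" `
                         "${dom}\${grp}:RPWP;userAccountControl;user" `
                         "${dom}\${grp}:RPWP;lockoutTime;user" | Out-Null

function Get-DelegatedAces([string]$OU, [string]$Principal) {
    # Returns the dsacls output lines naming the principal, so the grant can be
    # read back exactly; an empty result means nothing was delegated
    (& dsacls $OU) -match [regex]::Escape($Principal)
}
Get-DelegatedAces $studOU "$dom\$grp"

function Get-PrivilegedMembers {
    # Handover check: these should hold only the built-in Administrator and the
    # remote-support account, never a teacher's day-to-day login
    foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators') {
        Get-ADGroupMember -Identity $g -Recursive |
            Select-Object @{n = 'Group'; e = { $g }}, SamAccountName, objectClass
    }
}
Get-PrivilegedMembers | Format-Table -AutoSize
```

    The teacher doing the delegated work uses Active Directory Users and Computers (part of RSAT) from their ordinary account; nothing here requires them to be a local administrator on any workstation, which is the point psydii is making. Scope the grant to the Students OU only, as above, so a compromised or misused teacher account cannot reset a staff member's password.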
