I'm soon to be installing a new server in a Primary school (to replace their 2003 server) and upgrading all the machines with Windows 7 (although some will still have XP). 2008 R2 will be going on the server and as I've no direct experience of this I could really do with some general advice on the best way to go about setting things up, so it does what's needed. I've listed below my initial requirements/concerns so any help is appreciated.
Just one thing though.... Please, please, please can you stick to my requirements - It's just a small Primary school, with non-ICT technical staff and my technician visits once a fortnight, so nothing that's high maintenance or likely to go wrong! Also they will be getting Windows 7 and 2008-R2, so advice for purchasing other systems is not helpful! Hope you all understand and appreciate!!!!
- Need Windows 7 and XP clients to be able to login
- All staff and junior classes to have individual logons / infant classes to have single class logon
- Any user to be able to login to any workstation (My issue here is I've seen Win7 be quite awkward about security permissions on who logs in where - Just need this simple and reliable)
- Staff to be able to use their laptops off the network at home
- Locked desktops, with "Programs" folder on the desktop, that is stored on the server with program shortcuts
- Printers that default based on the PCs location in the school - ie. ICT suite printers print in ICT suite, if using one in the staffroom it prints to the staffroom printer.... Unsure entirely how to achieve this in Win 7
- Private and shared user directories on the network... Again I'm only used to Netuse scripts from an NT box
- Policies in force for different users
- Profiles so that desktops, settings etc the same where-ever the user works
... I'm sure I'll think of more as the thread progresses! Many thanks for your help!
I would start off by promoting the server as a domain controller, so then you can use Active Directory to make new users, groups etc. Then you will need to install DHCP so the clients can get IP addresses when you join them to the domain. When you have joined the computers to the domain, the user accounts you created in Active Directory will be able to log on to any machine. Create OUs to store the users so you can apply policies using Group Policy afterwards.
I would set up mandatory profiles for the students, then you can control what is on the desktop, start menu etc easily. Use Folder Redirection for the staff so they can have their own desktop etc. Make everyone a home drive and allow the staff ones to be synchronized so they can use their laptops at home.
You can install the printer drivers on the server using Print Management and deploy them through Group Policy, where you can set default printers for their locations (so long as you have the computers in different OUs in Active Directory).
You can assign Policies for users / computers in OU's in Group Policy
#1 - No problem, AD on Server 2008 R2 will work fine with both Windows 7 and XP
#2 - At our primaries we created individual domain accounts for Years 2-6 with a set and locked password (password sheet in the staff shared drive to check up on if needed). FSU and Year 1 have a single domain account with no password. Make sure you tick the box which blocks password resets though to make sure this works!
#3 - Never seen this problem before - on occasion we've had a problem with Windows 7 where the PC forgets the cached credentials but it happens once in a blue moon.
#4 - We do the same - create a folder redirection with only read permissions to a folder on your server with all the application shortcuts in.
#5 - Wish I knew too! Although if you have a play around with the printer deployment tools in Print Management you should get by well enough.
#6 - This is what you want to read - Folder Redirection Overview. Easy enough to set up, just make sure you stick to best practice or it will break for sure.
#7 - All handled by Group Policy and ordered using Active Directory Organisational units.
Lay out your directory so that you have
---IT Class Room
This will allow you to apply policies at various levels using the Group Policy Management Console.
#8 - Don't expect it to work between Windows XP and Windows 7 but user profile redirection will handle most of what you need.
Any ideas as to how many users/PCs you are supporting as well? Would give an idea to server spec.
There are many of us running networks as you describe.
It sounds as if you have an existing network with the Server 2003 server as DC; is this correct?
What logins do your staff and students have at present?
My network had a single 2003 server until 18 months ago. We bought and installed a 2008 server, adding it to the domain and making it a DC. We retained the old server and it remains a DC with the domain level raised to 2008.
In the course of this, we moved some of our shared drives from the old to the new... Simply by using backup and restore which retained folder permissions. After the move we had to re-establish the shares and the share permissions.
Our pupils use a single shared mandatory profile with individual logins and home drives and can't change the desktop. I have added a shortcut to the pupil desktop to a folder in our public share called "today's Lesson". The teachers use this to pop in shortcuts or documents for their lesson. They clear it out themselves and it works really well.
Staff use roaming profiles.
I have my notes which I took when we added the new server. PM me your email if you would like a copy... I'm happy to expand on anything about our network too.
Don't attempt to merge your existing with your new. Just start from fresh, get the data you need (recommend doing a full image backup of your current server; Macrium Reflect is what we use often as it's a complete copy of your server). You don't get opportunities like this that often if you work full time there, so make the most of it.
Start from complete fresh.
Trying to stick to your requirements.
Need Windows 7 and XP clients to be able to login
I suppose this would help. Problem is that you have a mixed environment which is a bit of a pain, especially when it comes to profiles as the profile types for XP and 7 are completely different. You'll get used to the expression "it's a v2 profile" fairly quickly. Are you using XP x86 or x64? Same for Windows 7, x86 or x64?
You'll find that your folder redirections will be tricky as sharing favourites and silly things like that across the two operating systems can be a bit flaky even if you set it up in the way Microsoft wants you to.
In Server 2008R2 you can redirect every profile folder, unlike in Server 2003, however these new redirects only apply to Windows 7, not XP. So when they login to an XP machine and save a favourite in IE, that only saves to the XP profile and not the Windows 7.
Unfortunately, there doesn't seem to be a reliable fix to this unless you're good at PowerShell/VBScript, as you can transfer favourites across profiles as a scheduled task, but you need to have a decent script to do this and your permissions need to be spot on.
The most important issue are your documents. The document redirect applies for both XP and Windows 7, which is handy as their documents will be available on both operating systems, but with the introduction of the "libraries" in Windows 7, you need to test your redirection to ensure documents are visible in both XP and 7. Redirecting to the Users home directory is the way to go with a mixed network. You set these redirections up in Group Policy and set their home directory in AD.
All staff and junior classes to have individual logons / infant classes to have single class logon
Easy to do. Wisesoft has a good tool for bulk imports of users, just make sure you have excel installed.
Being a Primary school I setup the Class logins to save to a location where the teachers of the nursery and foundation classes can access the work done by the pupils. We are talking very young kids, ideally we just want them to press save, don't want them going through file structures.
Junior Children Save Locations -- \\server\users\pupils\yearofentry\Username e.g. \\dc01\users\pupils\yoe2012\JSmith
Class Login Save Locations -- \\server\users\pupils\classlogins\Class e.g. \\dc01\users\pupils\classlogins\Class1
--Teachers of your lower school then get a mapped drive to the "\\dc01\users\pupils\classlogins\" area. Teachers can then review and tidy up this drive as they wish. Ensure your permissions are setup correctly of course.
Any user to be able to login to any workstation (My issue here is I've seen Win7 be quite awkward about security permissions on who logs in where - Just need this simple and reliable)
You're talking a mixed network; unfortunately you sacrificed the word "simple" when you tried to merge XP and 7.
Any user will be able to login to any machine as long as they have a username to login with. Security permissions aren't really a factor here. As long as their redirections are setup correctly.
The only way to keep it all really simple is to say no to data safety, have no redirection and tell people they're responsible for all the data on the network.. Yeh.. We are talking about teachers here. They are a.. interesting bunch.
Staff to be able to use their laptops off the network at home
You can be really clever, slightly clever or just keep it all simple.
Really Clever would be using VPNs and they can access all their resources in and out of school. Since you're talking of a primary school, your firewall is probably controlled by your local authority or something like that. So this is out of the question.
Slightly clever would be setting up offline files (which since you have a mixed network would be suicide. If it was just windows 7, you would be fine) and a proxy script that ensures the correct proxy settings are set up relative to the location they are. In school, they get proxy, outside they get no proxy (allowing it to work at home)
Simple would be to keep them off the domain but give them access to the shared resources. Need to have a script that asks if they are in school or not, they answer yes to being in school, the script sets the proxy, authenticates with the server with a generic user and maps their drives and printers. They say they are at home, the script does the opposite. Removes any mapped drives and printers and turns off the proxy.
Locked desktops, with "Programs" folder on the desktop, that is stored on the server with program shortcuts
Group Policy - Start Menu and Desktop Redirection. Applies to both XP and Windows 7.
If you have XP x86 clients and Windows x64 clients, you will need to have two different start menus and desktops. The links you distribute out for XP x86 clients will be a path to C:\program files\developer\start.exe, for x64 machines this would need to be C:\program files (x86)\developer\start.exe. Two different links that will work on one and not the other.
On your server you would have
Redirect All users desktops to the same location
For windows XP - \\server\desktops\windowsxp\
For Windows 7 - \\server\desktops\windows7\
You need to know a decent amount of stuff about group policy in order for the correct policy to apply to the correct computers.
Really Clever - Working with WMI filtering
Semi Clever - Working with security group filtering
Simple - In AD, you put XP machines and 7 machines in two totally different organisation units (OU) and apply the right group policy to the right place, this will mean replicating policies. Makes it a little messy but its easy.
Printers that default based on the PCs location in the school - ie. ICT suite printers print in ICT suite, if using one in the staffroom it prints to the staffroom printer.... Unsure entirely how to achieve this in Win 7-
Group Policy Preferences
You will need to ensure the Group Policy preferences hotfix is installed on Windows XP for it to work on those machines, but in group policy in Windows Server 2008R2, preferences are the easiest, fastest and most secure way to do this.
Can make your own IF statements, like IF this machine is part of THIS Security Group AND/OR This User Then map this printer and put as default. etc.
It's easy to do and it has an easy to use GUI.
Private and shared user directories on the network... Again I'm only used to Netuse scripts from an NT box
Group Policy Preferences also does your map drives.
Policies in force for different users
Standard Group Policy. Make sure you know what your Active Directory structure is going to look like then apply policies to the relevant areas.
Staff and Pupils should be in their own OUs and you apply a staff restrictions policy to staff and a separate pupil restrictions policy to the pupils.
Click and Drag.
Profiles so that desktops, settings etc the same where-ever the user works
Hardest Bit. Two Operating Systems using totally different profiles.
Windows 7 to Windows 7 a typical roaming profile would be more than enough. 7 to XP though and vice versa. Your favourites and net apps are going to need some extra cleverness to sort out, unless someone knows of an easy way.
Mentioned a lot of this in the first part, but this takes a lot of testing for it to work perfectly, as by default, they are not designed to work. This is why Vista came out, as Microsoft now can talk about a merge network of their latest two operating systems Windows 7 and Vista, ignoring XP. Vista and 7 work ok together.
Figure out your folder structure and your Active Directory Structure.
Your naming conventions for your machines, your security groups.
I've built fresh networks for over a dozen primaries and a couple of middles as well as a College. Server builds are what our team does, so these problems are things we have experienced along the way.
Hope this helps. Any problems, just message me or something. I'm happy to talk through things with you.
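The account and save-location layout described in this post (individual pupil logins under a year-of-entry folder, class logins under classlogins that the lower-school teachers can review) and the earlier advice about OUs, locked pupil passwords, home drives and a shared mandatory profile, as one provisioning script. This is an added example, not code from any poster in the thread. It assumes a 2008 R2 DC with the ActiveDirectory module, the domain school.local (NetBIOS SCHOOL), that \\dc01\users is already shared from D:\Users, and that the OU, group and account names and the CSV content are made up for the example. Class accounts get a shared password here; the no-password class logins mentioned above would also need the domain password policy to allow blank passwords.

```powershell
Import-Module ActiveDirectory

$domainDn  = 'DC=school,DC=local'   # assumed domain
$netbios   = 'SCHOOL'
$localRoot = 'D:\Users'             # folder behind the assumed share \\dc01\users
$uncRoot   = '\\dc01\users'

function Grant-Folder([string]$Path, [string]$Identity, [string]$Rights, [bool]$Private = $false) {
    # Inheritable NTFS allow-rule. With -Private the folder stops inheriting (so e.g. "Users: Read"
    # from the root no longer applies) and only SYSTEM, Domain Admins and $Identity remain.
    $acl    = Get-Acl -Path $Path
    $grants = @{ $Identity = $Rights }
    if ($Private) {
        $acl.SetAccessRuleProtection($true, $false)
        $grants['NT AUTHORITY\SYSTEM']    = 'FullControl'
        $grants["$netbios\Domain Admins"] = 'FullControl'
    }
    foreach ($g in $grants.GetEnumerator()) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $g.Key, $g.Value, 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl
}

# OU layout (parents first); creating an OU that already exists is just skipped
$ouStaff   = "OU=Staff,OU=School,$domainDn"
$ouPupils  = "OU=Pupils,OU=School,$domainDn"
$ouClasses = "OU=ClassLogins,OU=Pupils,OU=School,$domainDn"
New-ADOrganizationalUnit -Name 'School'      -Path $domainDn              -ErrorAction SilentlyContinue
New-ADOrganizationalUnit -Name 'Staff'       -Path "OU=School,$domainDn"  -ErrorAction SilentlyContinue
New-ADOrganizationalUnit -Name 'Pupils'      -Path "OU=School,$domainDn"  -ErrorAction SilentlyContinue
New-ADOrganizationalUnit -Name 'ClassLogins' -Path $ouPupils              -ErrorAction SilentlyContinue

# Security groups that the restriction GPOs and share permissions hang off
foreach ($g in @{ Staff = $ouStaff; Pupils = $ouPupils; LowerSchoolTeachers = $ouStaff }.GetEnumerator()) {
    New-ADGroup -Name $g.Key -GroupScope Global -GroupCategory Security -Path $g.Value -ErrorAction SilentlyContinue
}

# Share roots; lower-school teachers get Modify on the whole classlogins tree (their mapped drive)
foreach ($sub in 'staff', 'pupils', 'pupils\classlogins') {
    New-Item -ItemType Directory -Path (Join-Path $localRoot $sub) -Force | Out-Null
}
Grant-Folder (Join-Path $localRoot 'pupils\classlogins') "$netbios\LowerSchoolTeachers" 'Modify'

# Constructed account list; in practice this comes from the bulk-import spreadsheet
$accounts = @'
Sam,Given,Surname,Type,Year,Password
JSmith,Jane,Smith,Pupil,2012,Orange-47
KJones,Kevin,Jones,Pupil,2011,Purple-12
Class1,Class,One,Class,,Class1-Login
ABrown,Alice,Brown,Staff,,Welcome!2012
'@ | ConvertFrom-Csv

foreach ($a in $accounts) {
    switch ($a.Type) {
        'Pupil' { $ou = $ouPupils;  $sub = "pupils\yoe$($a.Year)\$($a.Sam)"; $group = 'Pupils' }
        'Class' { $ou = $ouClasses; $sub = "pupils\classlogins\$($a.Sam)";  $group = 'Pupils' }
        'Staff' { $ou = $ouStaff;   $sub = "staff\$($a.Sam)";               $group = 'Staff' }
    }
    $isStaff = ($a.Type -eq 'Staff')
    $params = @{
        Name                  = "$($a.Given) $($a.Surname)"
        SamAccountName        = $a.Sam
        UserPrincipalName     = "$($a.Sam)@school.local"
        GivenName             = $a.Given
        Surname               = $a.Surname
        Path                  = $ou
        AccountPassword       = (ConvertTo-SecureString $a.Password -AsPlainText -Force)
        Enabled               = $true
        HomeDrive             = 'N:'
        HomeDirectory         = "$uncRoot\$sub"
        # pupils/classes: fixed password ("User cannot change password" + never expires);
        # staff: must change the sheet password at first logon
        CannotChangePassword  = (-not $isStaff)
        PasswordNeverExpires  = (-not $isStaff)
        ChangePasswordAtLogon = $isStaff
    }
    # one shared mandatory profile for all pupil logins (Win7 clients look for pupil.V2)
    if (-not $isStaff) { $params.ProfilePath = '\\dc01\profiles\pupil' }
    New-ADUser @params
    Add-ADGroupMember -Identity $group -Members $a.Sam

    # Matching folder: individuals get an owner-only folder; class folders keep the
    # inherited teacher access so the class work stays reviewable
    $folder = Join-Path $localRoot $sub
    New-Item -ItemType Directory -Path $folder -Force | Out-Null
    Grant-Folder $folder "$netbios\$($a.Sam)" 'Modify' -Private:($a.Type -ne 'Class')
}
```

Run it once on the DC as a domain admin; re-running is safe for the OUs and groups but New-ADUser will complain about accounts that already exist, so drop those rows or filter on Get-ADUser first. Check the result with Get-Acl on a pupil folder (only SYSTEM, Domain Admins and the pupil should be listed) and on a class folder (LowerSchoolTeachers should still appear, inherited).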
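The three targeting options in this post for the OS-specific desktop/start menu redirection (separate OUs, security-group filtering, WMI filtering), plus the loopback setting that a user-side policy linked to a computer OU needs, as an added example that is not code from the thread. It assumes the ActiveDirectory and GroupPolicy modules (GPMC on 2008 R2, which ships Set-GPPermissions under that plural name), the domain school.local, an existing Workstations OU, and the OU, group and GPO names below, all assumptions. The GPOs are created with their targeting only; the redirection paths themselves are still configured in the GPMC editor.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = 'DC=school,DC=local'
$wsRoot   = "OU=Workstations,OU=School,$domainDn"    # assumed to exist already
$targets  = @(
    @{ Os = 'Windows 7*';  OuName = 'Windows7';  Group = 'Windows7 Workstations';  Gpo = 'Desktop Redirect - Windows 7' },
    @{ Os = 'Windows XP*'; OuName = 'WindowsXP'; Group = 'WindowsXP Workstations'; Gpo = 'Desktop Redirect - Windows XP' }
)

foreach ($t in $targets) {
    $ou = "OU=$($t.OuName),$wsRoot"

    # Simple: one OU per operating system, filled from the OperatingSystem attribute
    # that the domain join writes on every computer object
    New-ADOrganizationalUnit -Name $t.OuName -Path $wsRoot -ErrorAction SilentlyContinue
    $computers = Get-ADComputer -Filter "OperatingSystem -like '$($t.Os)'" -Properties OperatingSystem
    $computers | Where-Object { $_.DistinguishedName -notlike "*,$ou" } | Move-ADObject -TargetPath $ou

    # Semi clever: a security group per OS, so the GPO could sit higher up and be filtered
    # (a computer only sees new group membership after its next reboot)
    New-ADGroup -Name $t.Group -GroupScope Global -GroupCategory Security -Path $ou -ErrorAction SilentlyContinue
    if ($computers) { Add-ADGroupMember -Identity $t.Group -Members $computers }

    # GPO: create if missing, link to the OS OU, apply only to the OS group. Authenticated
    # Users keeps Read so the computers can still fetch the policy.
    $gpo = Get-GPO -Name $t.Gpo -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $t.Gpo -Comment "Desktop/Start Menu redirection for $($t.Os)" }
    New-GPLink -Name $t.Gpo -Target $ou -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
    Set-GPPermissions -Name $t.Gpo -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermissions -Name $t.Gpo -TargetName $t.Group -TargetType Group -PermissionLevel GpoApply | Out-Null

    # Folder/desktop redirection is a USER setting; a GPO linked to a COMPUTER OU only
    # delivers it with loopback processing (1 = Merge). This is the step people miss.
    Set-GPRegistryValue -Name $t.Gpo -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
        -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null
}

# Really clever: a WMI filter instead of OUs or groups. Create it in GPMC with this query
# and call Test-OsWmiFilter on a client to see what the filter evaluates there
# (Windows 7 reports version 6.1, XP reports 5.1).
function Test-OsWmiFilter([string]$Query = "SELECT Version FROM Win32_OperatingSystem WHERE Version LIKE '6.1%'") {
    [bool](Get-WmiObject -Query $Query)
}
```

After a client has rebooted, `gpresult /r` on it should list the OS-specific GPO under Computer Settings and show the user-side redirection applied through loopback; if the GPO shows as "Filtering: Denied (Security)" the computer has not yet picked up its new group membership.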
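The "simple" off-domain laptop option from this post (a script that decides school or home, then maps drives and the printer and sets the proxy, or undoes all of it) as an added example; it is not the poster's script. Assumptions: the file server is dc01 with a staff share and a shared area, the school proxy is proxy.school.local:8080, the staffroom printer share name, and the drive letters; all placeholders. Two deliberate departures from the post, both labelled here: the script detects the school network by whether dc01 answers a ping instead of asking, and it prompts for the staff member's own domain account with Get-Credential rather than embedding a generic username and password in the script, where anyone who can read the file would get it.

```powershell
# Assumed names; change for the real site
$server  = 'dc01'
$proxy   = 'proxy.school.local:8080'
$drives  = @{ 'N:' = "\\$server\staff\$env:USERNAME"; 'S:' = "\\$server\shared" }
$printer = "\\$server\Staffroom-HP"
$ieKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Test-InSchool {
    # At home dc01 is unreachable; the poster's version asks the user instead
    Test-Connection -ComputerName $server -Count 1 -Quiet
}

function Set-SchoolProxy([bool]$Enabled) {
    # WinINet (IE and anything that uses the system proxy) reads these two values
    Set-ItemProperty -Path $ieKey -Name ProxyEnable -Value ([int]$Enabled)
    if ($Enabled) { Set-ItemProperty -Path $ieKey -Name ProxyServer -Value $proxy }
    else { Remove-ItemProperty -Path $ieKey -Name ProxyServer -ErrorAction SilentlyContinue }
}

function Connect-School {
    $cred = Get-Credential "SCHOOL\$env:USERNAME"        # the user's own account, not a generic one
    $user = $cred.UserName
    $pw   = $cred.GetNetworkCredential().Password
    foreach ($d in $drives.GetEnumerator()) {
        net use $d.Key /delete /y 2>$null | Out-Null      # clear any stale mapping first
        net use $d.Key $d.Value $pw /user:$user /persistent:no | Out-Null
    }
    # printui: /in adds the printer connection, /y makes it the default
    rundll32 'printui.dll,PrintUIEntry' /in /n $printer
    rundll32 'printui.dll,PrintUIEntry' /y  /n $printer
    Set-SchoolProxy $true
}

function Disconnect-School {
    foreach ($d in $drives.Keys) { net use $d /delete /y 2>$null | Out-Null }
    rundll32 'printui.dll,PrintUIEntry' /dn /n $printer   # remove the printer connection
    Set-SchoolProxy $false
}

if (Test-InSchool) { Connect-School } else { Disconnect-School }
```

Put it in the laptop's Startup folder or a scheduled task at logon. Because the password is handed to `net use` on its command line, it is briefly visible in the process list on that laptop; that is still better than a shared password sitting in the script on every laptop, and it goes away entirely if the laptops are later joined to the domain.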
I solved the problem of Win 7 printers, sort of. I installed the printer locally first, i.e. local logon not network logon, and set as default.
That way every user who logs on at that station gets the local printer.
The trick here is to ensure the driver(s) you choose are not just compatible with your clients, but your server operating system as well.
In 2008 R2, you can stick in x86 drivers and x64 drivers and the clients will automatically take the drivers they need in order for the machines to work. However, sometimes you can have all sorts of issues where you put in the x64 driver and then when you try the x86 the server OS simply gives you a load of rubbish saying sorry this cannot be the right driver and you're left staring at the screen shouting "but it is, you fool!"
Like Palellam said, installing on the clients first is a good plan as you can do the tests there. Though again, you might stumble across issues when you set up the printer shares on the server. Server 2008 R2 is x64 only, so your printers need to have that driver.
HPs tend to be the biggest headache I have found, especially the popular 2600 series. Those things hate mixed networks.