Wireless Networks Thread, Having separate Domains and Subnets in Technical; Hi, We have recently got a new Principal at our school who wants me to write a report on the ...
  1. #1
    gollops's Avatar
    Join Date
    Oct 2007
    Location
    Croydon
    Posts
    13
    Thank Post
    5
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Having separate Domains and Subnets

    Hi,
    We have recently got a new Principal at our school who wants me to write a report on the pros and cons of separating our domain into admin and curriculum, and/or having separate subnets.
    We are a small independent school with around 350 students and around 200 machines and the network was all set up when I got here.

    Have read a few posts on this site on schools merging their networks but not the other way round. It is something I know very little about, I was wondering if anyone could give me a few ideas or point me in the direction of some useful info so that I can write something that will give the impression I know what I'm talking about.
    Thanks

    Judy

  2. #2

    powdarrmonkey's Avatar
    Join Date
    Feb 2008
    Location
    Alcester, Warwickshire
    Posts
    4,859
    Thank Post
    412
    Thanked 777 Times in 650 Posts
    Rep Power
    182
    The official advice from MS is not to maintain split domains with trusts any more, but to amalgamate them and use granular permissions within the forest to control rights. Splitting them does add a lot of complexity if there are resources crossing the boundaries.

  3. Thanks to powdarrmonkey from:

    gollops (28th November 2008)

  4. #3

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    9,262
    Thank Post
    242
    Thanked 1,568 Times in 1,250 Posts
    Rep Power
    340
    So long as you're running Windows 2000/2003 Server or later and Windows 2000/XP on your workstations then you're safe to have one single domain. Active Directory allows you to create security groups which you then allocate to the relevant shares. This gives you control over who has access to what resources.

  5. #4

    Join Date
    Apr 2007
    Location
    Croydon
    Posts
    500
    Thank Post
    18
    Thanked 31 Times in 30 Posts
    Rep Power
    21
    We are in the process of merging our networks from the same kind of setup that you are looking at going to. When I started at the school they had 2 physically separate networks, 2 domains, 2 separate ADs, 2 separate usernames/password etc.... It doubles my work load having to maintain 2 separate networks - so there is a con for you.

    Like powdarrmonkey says, splitting them does cause complexity there are resources crossing the boundaries. One example we have is E-Mail. Our Exchange server sits on the curriculum network. All works fine until their password expires and they can't logon to it - but they do know this has happened because they don't get the "your password is about to expire" dialog.

    The reason it is the way it is here was because of security concerns, but with proper use of permissions there is no real reason for separation.

    BTW - are you in Croydon, South London?

  6. Thanks to adamf from:

    gollops (27th November 2008)

  7. #5
    gollops's Avatar
    Join Date
    Oct 2007
    Location
    Croydon
    Posts
    13
    Thank Post
    5
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Yes, that Croydon!
    Many thanks for your reply

  8. #6


    Join Date
    Oct 2006
    Posts
    3,411
    Thank Post
    184
    Thanked 356 Times in 285 Posts
    Rep Power
    148
    One issue with 2 subnets is all traffic must go via a layer 3 device to be routed to the other network.

    Advantage is you have control via ACLs of exactly what crosses the boundary.

    Disadvantage is it is a potential bottleneck as all traffic must pass through the single point.

  9. #7
    Jamman960's Avatar
    Join Date
    Sep 2007
    Location
    London/Kent
    Posts
    988
    Thank Post
    186
    Thanked 194 Times in 156 Posts
    Rep Power
    46
    Having entirely separate networks is much more secure but it's overkill for schools. As long as the permissions/security groups and group policies are in place you won't have any issues with students gaining access to areas they shouldn't.

    File permissions wise I usually ensure that any staff only areas have deny ACLs for students even though they don't really need them - at least then even if a student is a member of one of the groups allowed access they'll be denied because they are part of the student group.

  10. #8
    gollops's Avatar
    Join Date
    Oct 2007
    Location
    Croydon
    Posts
    13
    Thank Post
    5
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Many thanks. Do you know where I can access the advice re. split/amalgamated domains? I have not found anything on the internet so far.

  11. #9

    SpuffMonkey's Avatar
    Join Date
    Jul 2005
    Posts
    2,235
    Thank Post
    55
    Thanked 278 Times in 186 Posts
    Rep Power
    134
    Of course - the other problem is that the separation between "Admin" and "curriculum" is blurry at best - I have found that pretty much, people want to sit at a PC and be able to work, be it in the MIS system, office stuff or educational programs - not a problem for Admin staff who usually have an office - but often a problem for middle & senior management on the teaching side.

  12. #10

    GrumbleDook's Avatar
    Join Date
    Jul 2005
    Location
    Gosport, Hampshire
    Posts
    9,932
    Thank Post
    1,339
    Thanked 1,781 Times in 1,105 Posts
    Blog Entries
    19
    Rep Power
    594
    A search on the site for 'flat network' should bring up the previously discussed threads which include links to British Standards for security on networks that can apply as well as possible alternatives.

  13. #11

    Join Date
    Feb 2008
    Location
    Wiltshire
    Posts
    882
    Thank Post
    274
    Thanked 139 Times in 112 Posts
    Blog Entries
    27
    Rep Power
    42
    We're looking to merge Domains early next year. Taking up a lot of administration time having separate Domains, when they all shared the same physical network anyway.

    With SIMS now being used for Electronic Registration I've set up a trust between the Domains for the time being, and am starting to plan merging the Domains. Makes SIMS pointless being separate now and with Learning Gateways, etc, etc in the offering I just want to keep things simple.

    Get your AD structure right and permissions correct and security should never be an issue.

    Pete

  14. #12

    elsiegee40's Avatar
    Join Date
    Jan 2007
    Location
    Kent
    Posts
    10,786
    Thank Post
    1,789
    Thanked 2,180 Times in 1,615 Posts
    Rep Power
    771
    Have PM'd you with details that may help

  15. #13

    Join Date
    Nov 2008
    Location
    Staffordshire
    Posts
    24
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0
    Quote Originally Posted by j17sparky View Post
    One issue with 2 subnets is all traffic must go via a layer 3 device to be routed to the other network.

    Advantage is you have control via ACLs of exactly what crosses the boundary.

    Disadvantage is it is a potential bottleneck as all traffic must pass through the single point.
    Unless you use layer 3 switches. TBH, you really don't need two entirely separate networks, permissions on folder shares...etc will be plenty good enough I would imagine?

    There are very few advantages with having more than one domain. The only one coming to mind at the moment is that it's less easy to accidentally give everyone permissions to do something, for example. WHATEVER\domain users...etc.

    As from 2008, Vista...etc, everything is more geared up towards a single domain. I don't see any reason at all why you would want to go from a single domain to multiple domains, you're just creating a lot of needless work for yourself and you will ultimately end up with two networks to administer instead of one!
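
An added example (not posted by anyone in this thread): a read-only PowerShell audit of the two file-permission points raised above, a Deny entry for the student group on staff-only areas and broad grants such as Domain Users. The domain name `SCHOOL`, the group `SCHOOL\Students` and the folder paths are assumptions for illustration.

```powershell
# Added example, read-only: reports on ACLs, changes nothing.
# ASSUMPTIONS (hypothetical, not from the thread): domain name, group name, paths.
param(
    [string[]]$StaffOnlyPaths = @('D:\Shares\StaffOnly', 'D:\Shares\Admin'),
    [string]$StudentGroup     = 'SCHOOL\Students'
)

# Principals that implicitly include students when given an Allow entry.
$broadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users',
                     'BUILTIN\Users', 'SCHOOL\Domain Users')

function Test-StaffOnlyAcl {
    param([string]$Path, [string]$StudentGroup, [string[]]$BroadPrincipals)

    # .Access lists explicit and inherited entries of the folder's DACL.
    $rules = (Get-Acl -LiteralPath $Path).Access

    $deny = $rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $StudentGroup
    }
    # Windows evaluates explicit entries before inherited ones, so an
    # inherited Deny does not override an explicit Allow on the same folder.
    $explicitDeny = $deny | Where-Object { -not $_.IsInherited }

    $broad = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadPrincipals -contains $_.IdentityReference.Value
    }

    [pscustomobject]@{
        Path                = $Path
        StudentDenyPresent  = [bool]$deny
        StudentDenyExplicit = [bool]$explicitDeny
        BroadAllowEntries   = ($broad | ForEach-Object {
            "$($_.IdentityReference.Value): $($_.FileSystemRights)"
        }) -join '; '
    }
}

foreach ($p in $StaffOnlyPaths) {
    if (Test-Path -LiteralPath $p) {
        Test-StaffOnlyAcl -Path $p -StudentGroup $StudentGroup -BroadPrincipals $broadPrincipals
    } else {
        Write-Warning "Path not found: $p"
    }
}
```

A folder that shows `StudentDenyPresent` as False together with a non-empty `BroadAllowEntries` is the case the posts above warn about: students reach it through a broad group and nothing denies them.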

  16. #14
    ChrisH's Avatar
    Join Date
    Jun 2005
    Location
    East Lancs
    Posts
    5,002
    Thank Post
    120
    Thanked 282 Times in 260 Posts
    Rep Power
    108
    We are merging too finally a week on Wednesday. For all sorts of reasons including E-registration etc. It is a pain to manage 2 physically separate networks as you end up doing most things twice. Also I don't have to keep explaining to the staff that X is only available on admin or curric etc.

  17. #15

    Join Date
    Nov 2008
    Location
    Staffordshire
    Posts
    24
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0
    Quote Originally Posted by ChrisH View Post
    It is a pain to manage 2 physically separate networks as you end up doing most things twice. Also I don't have to keep explaining to the staff that X is only available on admin or curric etc.
    Exactly or why X password has expired and now they're not both the same...etc.

    Imagine having a single domain where everything you used integrated with LDAP. Imagine changing your password once.
