We are closely associated with another school, and it's likely that in the next few years the number of students and staff moving between the two schools will increase. The principal (who is the principal of both schools) has laid down the challenge to make the ICT systems co-operate more between the two sites, so that students and staff can work at whichever site they need to without having to mess around too much. This includes collaboration with e-mail systems etc. as well, to avoid having different addresses for people and so on.
At the moment both sites are totally separate, and have everything they need on an individual basis. We are linked via the KCN network, which I think can be utilised with the help of Kent LEA to create a VPN link between the two schools if necessary, so that's the physical link sorted if we need to use it, but what's the best way to make two networks co-operate? To my mind there are a few ways.
1) Construct one domain with domain controllers at both schools kept in sync through the WAN link. Local storage at each school for that school's students, and create OUs in Active Directory for both schools' students and machines to allow them to be managed by a different set of policies. If it's done correctly, then the majority of the time all the resources will be served locally; it's only when they log on at the other site that data will travel over the WAN. Potential problems: DNS/DHCP issues and the fact we run drastically different software at both sites.
2) Get both networks to trust each other through the WAN link. That way they could log on to either network from either site by selecting it in the domain drop-down box. Potential problems: DNS/DHCP issues again, and people not remembering to select the correct site from the drop-down box. Also there could be issues with dragging group policies over the WAN etc.
3) Something fancy with terminal services allowing machines to terminal service into the other site? No idea how this could work, but just an idea I had!
4) Keep separate networks, and just use memory sticks etc. Obviously the easiest option, but it causes the most problems, with students having two accounts, one for each school.
There are other issues at play here, such as the learning platform, shared resources, finance system etc., which all need to work between the two schools. The finance system already does: we remote desktop into a machine at their end to use it, not ideal really, but it works. At the moment the other site has the Microsoft Learning Gateway for its learning platform; we have just entered into a contract for Viglen's It's Learning. Both sites run Exchange for e-mail. The other site runs Ranger, we run RM at the moment, but that is set to change this August, but to what we don't know at the moment, because it really depends on how we decide to create collaboration between the two schools.
The other issue at play is that the other school in question is in a fully managed service contract at the moment; we are not a fully managed service and have no intention of ending up as one. I think the contractor for the service contract will assist us with this, as they have been appointed by the school, and thus take their instructions from the school in terms of what they want to do with the ICT in the school.
Has anyone got any suggestions for the best way of achieving what we've been asked? Because at the moment I'm floundering in a decisionless wonderland and really don't know what to suggest to people as a way forward!
Have two different IP ranges, for example: School A: 10.0.0.1 - 10.0.3.254, subnet mask 255.255.252.0. School B: 10.0.4.0 - 10.0.7.254, subnet mask 255.255.252.0.
One domain for both sites. Have two DCs on each site.
In AD split it up into School A & School B. Put each user and computer in the OU of the school they are based at the majority of the time.
Have file servers based on each site; each user will use the right server based upon the school they are based at.
DNS & DHCP on both sites.
The terminal service is easy: just set the thin clients to point at the server's IP on the other site.
Having worked in a forest of 10 schools it does work if done properly.
Are both schools using Kent LEA as an ISP? If so they might be able to sort something so you don't even need a VPN.
A quick and easier solution would be to VPN the sites and set up a terminal server on both sites. Make a special network account on both sites and configure it so that it launches a terminal session to the other site as soon as you log on. Then they can log on to the other site's terminal server.
Last edited by FN-GM; 18th March 2009 at 05:45 PM.
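The single-domain, two-site layout described in the post above (two subnets, an AD site per school, DCs at both sites, one OU per school), as an added PowerShell example that is not part of the thread and not anyone's production script. It assumes a domain named schools.local, site names SchoolA and SchoolB, the two /22 ranges from the post, a Windows Server 2012 or later management box with the ActiveDirectory and GroupPolicy modules, and a contractor group name SchoolB-ICT-Admins; all of those names are made up for the example. It also adds the piece the original poster flagged on the managed-service contractor: delegating them control of their own school's OU subtree rather than making them Domain Admins.

```powershell
# Added example, not from the thread. Run once, as a Domain Admin, from the
# School A site. Names (schools.local, SchoolA/SchoolB, SchoolB-ICT-Admins)
# are assumptions for the example.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = "DC=schools,DC=local"

# 1. Sites and subnets. The DC locator maps a client's IP to a site by the
#    most specific matching subnet; that mapping is what keeps logons and
#    SYSVOL/GPO reads on the local DC. A range missing from this table sends
#    its clients to whichever DC answers first, possibly over the WAN.
$siteSubnets = @{
    "SchoolA" = "10.0.0.0/22"   # 10.0.0.1 - 10.0.3.254 (mask 255.255.252.0)
    "SchoolB" = "10.0.4.0/22"   # 10.0.4.1 - 10.0.7.254 (mask 255.255.252.0)
}
foreach ($site in $siteSubnets.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    New-ADReplicationSubnet -Name $siteSubnets[$site] -Site $site
}

# 2. One site link across the WAN. 15-minute replication is fine for account
#    and group changes; password changes and lockouts are still forwarded to
#    the PDC emulator immediately, so a roaming user is not locked out of the
#    other site by a stale password.
New-ADReplicationSiteLink -Name "SchoolA-SchoolB" `
    -SitesIncluded "SchoolA","SchoolB" `
    -Cost 100 -ReplicationFrequencyInMinutes 15 `
    -InterSiteTransportProtocol IP

# Existing DCs start life in Default-First-Site-Name; this example assumes
# they are all physically at School A. DCs promoted later at School B are
# placed in SchoolB automatically because their IP falls in that subnet.
Get-ADDomainController -Filter * | ForEach-Object {
    Move-ADDirectoryServer -Identity $_.Name -Site "SchoolA"
}

# 3. One OU per school with users and computers underneath, so each school's
#    policies and delegated admins stay inside their own subtree.
foreach ($school in "School A","School B") {
    New-ADOrganizationalUnit -Name $school -Path $domainDn -ProtectedFromAccidentalDeletion $true
    foreach ($child in "Students","Staff","Computers") {
        New-ADOrganizationalUnit -Name $child -Path "OU=$school,$domainDn" `
            -ProtectedFromAccidentalDeletion $true
    }
}

# 4. Per-school policy linked at the school's OU, not at the site. Site-linked
#    GPOs are the trap here: they apply according to where the machine is, so
#    a School A student logging on at School B would get School B's site policy.
foreach ($school in "School A","School B") {
    $gpo = New-GPO -Name "$school - Student Desktop" -Comment "Lockdown for $school students"
    New-GPLink -Name $gpo.DisplayName -Target "OU=Students,OU=$school,$domainDn" -LinkEnabled Yes
}

# 5. Least privilege for the managed-service contractor at School B: full
#    control over School B's OU subtree and nothing above it. Granted to a
#    group, so the contractor's staff changes never touch the ACL again.
$group = New-ADGroup -Name "SchoolB-ICT-Admins" -GroupScope Global `
    -Path "OU=Staff,OU=School B,$domainDn" -PassThru
$ouPath  = "AD:\OU=School B,$domainDn"
$rights  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $group.SID, $rights, "Allow", $inherit
$acl = Get-Acl -Path $ouPath
$acl.AddAccessRule($rule)
Set-Acl -Path $ouPath -AclObject $acl

# Sanity check: every client range must resolve to exactly one site.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
```

Two caveats a practitioner would want: GenericAll on the OU lets the delegated group reset passwords and link GPOs for everything under it, including any staff accounts parked there, so keep accounts with domain-wide rights out of that subtree; and the subnet table must be kept in step with DHCP at both sites, because a new VLAN that is not listed here quietly undoes the "served locally" property the design relies on.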
Option 1 and what FN-GM suggested would be the nicest way of doing things; the only barriers might be the co-operation between both sets of IT staff (resistance?). Also you may have to schedule replication of stuff like file servers; accessing that over the WAN (unless you have a very fast WAN link) can be an utter nightmare.
The best option depends on how attached you are to your existing setups and how much of a rebuild you are willing to do. The nicest option would of course be a single forest with a separate tree for each school. As you are in a larger grid, linking the sites may be very easy if the provider is willing to set it up properly. Each tree would be on a separate AD site and AD could easily replicate across the two sites. This would require rebuilding the entire system at both schools from scratch and probably recreating the accounts, or a rather complex migration plan from the original domains across a trust to the new ones. This would allow you to keep the accounts and email boxes but would take a lot of doing.
The other option, which would require less rebuilding, would be trusts between the two existing domains. You could possibly set up a 2k8 branch office server for each domain at the alternate site, which would cache all of the policies and accounts from the alternate site in a read-only form. The only issue then between sites would be the documents, which may or may not be feasible to access across the WAN link, as replication could be troublesome for large amounts of quickly changing data.
Most of the scaling type questions rely on your ISP's infrastructure. If it is a large internally routed network with 100mbit links to schools, or even 10mbit, then depending on the amount of user crossover, if a direct link can be established this may be sufficient to do the documents remotely and just do the authentication locally for speed.
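The "less rebuilding" route in the post above (a trust between the two existing domains plus a read-only branch office DC at the other site), as an added PowerShell example that is not part of the thread. The names are assumptions: two existing forests schoola.local and schoolb.local, a Server 2012 or later box called RODC-B1 sitting in School B's building that will become a read-only DC for schoola.local, a site named SchoolB already defined in schoola.local with School B's subnet, a group SchoolA-Roaming in schoola.local containing the people who genuinely work at both sites, and a School B file server object FS-B1. On 2008 the RODC is promoted with dcpromo instead, but the netdom and password replication policy steps are the same.

```powershell
# Added example, not from the thread. All domain, host and group names are
# assumptions for the example.
Import-Module ActiveDirectory

# 1. A two-way external trust between the two existing domains. /Quarantine
#    (SID filtering) is the default for external trusts and should stay on,
#    otherwise a compromised account in one domain can inject SIDs from the
#    other into its token. Selective authentication means trusted-domain users
#    can only log on to computers you explicitly grant, instead of every
#    machine in the domain accepting them.
netdom trust schoola.local /Domain:schoolb.local /Add /TwoWay `
    /UserD:"SCHOOLB\Administrator" /PasswordD:* `
    /UserO:"SCHOOLA\Administrator" /PasswordO:*
netdom trust schoola.local /Domain:schoolb.local /Quarantine:Yes
netdom trust schoola.local /Domain:schoolb.local /SelectiveAuth:Yes

# 2. With selective authentication on, grant School A's roaming users the
#    "Allowed to Authenticate" right on just the School B servers they need.
#    (Run in schoolb.local. Computer DN is an assumption.)
dsacls "CN=FS-B1,OU=Servers,DC=schoolb,DC=local" /G "SCHOOLA\SchoolA-Roaming:CA;Allowed to Authenticate"

# 3. Read-only DC for schoola.local, physically at School B. The site must
#    already exist with School B's subnet so School A's roaming users are
#    sent to this DC rather than across the WAN. The delegated admin account
#    gets local admin on the RODC box only, with no rights in the domain,
#    which is what the managed-service contractor should have.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName "schoola.local" -ReadOnlyReplica `
    -SiteName "SchoolB" -InstallDns `
    -DelegatedAdministratorAccountName "SCHOOLA\SchoolB-RODC-Admins" `
    -Credential (Get-Credential "SCHOOLA\Administrator") `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM password")

# 4. Password replication policy: an RODC caches no secrets unless told to.
#    Only the roaming group goes on the allowed list; Domain Admins and the
#    other built-in privileged groups are on the denied list by default and
#    must stay there, because a box in another organisation's building is
#    exactly the one you expect to be physically stolen or imaged.
Add-ADDomainControllerPasswordReplicationPolicy -Identity "RODC-B1" -AllowedList "SchoolA-Roaming"
Get-ADDomainControllerPasswordReplicationPolicy -Identity "RODC-B1"

# 5. Check which secrets the RODC has actually cached so far; anything
#    surprising here (a service account, an admin) is a policy mistake.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity "RODC-B1" -RevealedAccounts |
    Select-Object Name, DistinguishedName
```

Without the RODC, a School A user logging on at School B authenticates across the WAN and fetches Group Policy from School A's DCs on every logon; with it, the cached users authenticate locally, and if the WAN is down only the accounts on the allowed list can still log on there, which is the trade-off to explain to the principal before the contractor sizes the link.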