Capita are all for it ... They want more teachers logging into and using SIMS.net.
They also really want people to use their VLE too ... so that might have something to do with them wanting a single network.

Yeah- it was .ICT who told us that we "would have to" merge the two networks...what's that song? "One way or another, we're gonna get ya"!
Paul :-)
One way to make staff security conscious is to tell them that if they leave themselves logged on, pupils will have access to all their personal details including bank A/C numbers! Of course, I wouldn't let this happen but teachers don't have to know that! It's only when it affects them personally that they MIGHT do something about it.
At the end of the day, if SMT say they want it, I'll have to deliver. So here's another question:
If my curriculum server is a domain controller and my admin server is a domain controller and they are running differently named domains, how do I bring the admin one onto the same domain as the curriculum one?

Export your users onto the curriculum domain, demote the admin DC, join it to the curriculum network and promote it to a DC (assuming you want to use it as one). Easy as...
Originally Posted by mark_wood
We run a merged network here. It's been merged since the NT4 box disappeared 4 years ago, I believe. We never have any problems; ACLs are your best friend. So far (touch wood), in the 2 1/2 years I've been here, there have been no security breaches.
I agree - go for it!
When I came here three years ago, there were two separate networks. It was for purely historical reasons - originally (years ago) admin had a small network, and teachers and pupils had standalones. The standalones were joined to form the curriculum network.
I asked our LEA if they had any objections - they hadn't.
The way I do it is to allow admin staff access to shares that the teachers use. Only some teachers (those who need it) have access to admin shares.
GPOs limit the desktop, and mapped drives point to the relevant shares. The admin staff have a very bland GPO, giving them almost free control over their desktops. Teachers have a much stricter GPO locking down their desktop so it's similar to the pupils.
The shares are controlled with NTFS permissions.
I did it by just doing a double backup of the old admin server, before blowing it away, reinstalling and joining it to the existing curriculum domain as another DC. Then just restore all the admin data and set up shares for the admin staff.
It may be harder for you, but that approach was the easiest for me. It took me five days in the holidays.
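An audit for the share setup described in the post above, as an added example that is not part of the original thread: once admin and curriculum accounts share one domain, any admin-share ACL entry that allows a catch-all principal also allows every pupil. The domain name `SCHOOL`, the group names and the share path are assumptions made for illustration.

```powershell
# Added example. Principals that cover every pupil account once both networks share a domain.
$BroadPrincipals = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

function Find-BroadAccess {
    param(
        [object[]]$Rules,              # objects shaped like (Get-Acl <path>).Access entries
        [string[]]$ExtraGroups = @()   # site-specific groups to flag (hypothetical names below)
    )
    $flagged = $BroadPrincipals + $ExtraGroups
    # Only Allow entries matter here; a Deny entry for pupils is not an exposure.
    # Group nesting is not resolved: a flagged group nested inside an allowed one is missed.
    $Rules | Where-Object {
        "$($_.AccessControlType)" -eq 'Allow' -and
        ($flagged -contains "$($_.IdentityReference)")
    }
}

# Constructed sample ACL for an admin share (not taken from a real server).
$sampleAcl = @(
    [pscustomobject]@{ IdentityReference = 'SCHOOL\Admin Staff'
                       FileSystemRights  = 'Modify'; AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'SCHOOL\Teachers-AdminAccess'
                       FileSystemRights  = 'ReadAndExecute'; AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\Authenticated Users'
                       FileSystemRights  = 'ReadAndExecute'; AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'SCHOOL\Pupils'
                       FileSystemRights  = 'FullControl'; AccessControlType = 'Deny' }
)

# Flags only the Authenticated Users entry: it is the one that lets pupils read the share.
Find-BroadAccess -Rules $sampleAcl -ExtraGroups 'SCHOOL\Domain Users', 'SCHOOL\Pupils' |
    Format-Table IdentityReference, FileSystemRights, AccessControlType

# Against a real folder (path is a placeholder):
# Find-BroadAccess -Rules (Get-Acl 'D:\Shares\Admin').Access -ExtraGroups 'SCHOOL\Domain Users'
```

This checks NTFS permissions only; share-level permissions are a separate list and need their own review.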
We had two networks.
When we moved from "old sims" to Facility CMIS, I decided that rather than go through an upgrade/install of a Windows 2000 domain for our admin and continue with separate networks, that it made sense to make our new CMIS box a member server of our existing curriculum Windows 2000 AD setup and migrate our admin staff user details.
It goes without saying that there were some people who objected. One through a complete lack of understanding of how network security works, and another because "we don't want that...". Would you be surprised to know that these two people were the head and second in the ICT department!!!
I went ahead with the change because of various reasons, a few of which were:
1) Staff would now be able to prep materials on the computers in their office, and have them available to use in the classroom.
2) I didn't have to manage 2 separate networks. I know that you shouldn't make a decision on the basis of what is easier for you, but the less time I have to spend admining a system then the more time I can commit to helping students and staff.
3) The one that all head teachers love, it saved money. We only had to buy one new server, for the MIS setup. If we had kept with the old way of doing things we would have needed a second new server because our existing NT4 box didn't have the specs to run server 2000.
We are on two networks. We have more and more teachers in offices which we are connecting to the curriculum network, operating SIMS through the trust. Having a network password AND a SIMS password is confusing enough without them having separate admin and curric passwords too!
Andy.
@ jcs808,
Your story sounds familiar. We have a number of teachers who also do admin work, and were always walking the corridors looking for admin then curriculum computers.
The head was always against it. I resorted to writing a 2 page essay on the benefits of joining them (teachers able to do their admin work on the same machine, less admin overhead for me, admin staff able to access teachers docs) and a description of how the security would work. He took one look at it and accepted it straight away, after a year of opposition.
Separate!
For 'getting access from any room' we have sims.net and parsql (our registration system) accessible from any machine.
The Sims database runs on the admin server which has a second network card linked to curriculum. A trust relationship has been set up between the 2 domains and the only thing accessible on the admin server is the 'shared' folder which contains only the sims/pars stuff. Of course this is only accessible to users that are part of the cirricdomain\staff group.
As for staff leaving themselves logged in, idle time for locking + logout?
My two cents...
Single physical network (natch)
Single/multiple subnets (as required) but not designated to either admin or curric
VLAN (as required) to control traffic flow, but not particularly for security
Single AD forest, admin domain is forest root, curric domain as additional domain in the same forest.
Having both domains in the same forest means you can get away with a single Exchange server. Also, the trust relationship is implicit so cross domain permissions can easily be set up.
Having separate domains means you can think clearly about what links are required between admin and curriculum, then set them up specifically, rather than worrying about what security you need to put in place to prevent inappropriate access to admin work.
Workstations are generally in the admin domain for office staff/smt and the rest are on the curric domain. Users can log into either domain from any workstation because of the implicit trust relationship however.
SIMS.NET and FMS will both happily run from curric workstations, and the SQL server takes care of security
Single AV & WSUS server can service the entire site
You still have the concern of Staff attitude or lack of it towards security ajb.
In reference to staff leaving themselves logged in, why not put a screensaver which times out after x minutes (for us 5) and locks the workstation, into the staff gpo?
Works for us!
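A check for the screensaver lock suggested in the post above, as an added example that is not part of the original thread: it evaluates the three per-user policy values a staff GPO writes and reports whether the workstation locks within 5 minutes. The sample settings are constructed, and the labels used for them are assumptions.

```powershell
# Added example. Key where Group Policy (User Configuration) stores screensaver settings.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$Names     = 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut'

function Test-ScreenLockPolicy {
    param(
        [hashtable]$Values,      # the three policy values, stored as strings (REG_SZ)
        [int]$MaxSeconds = 300   # 5 minutes, the figure used in the post
    )
    $problems = @()
    if ($Values['ScreenSaveActive'] -ne '1')    { $problems += 'screensaver not enforced' }
    if ($Values['ScreenSaverIsSecure'] -ne '1') { $problems += 'no password on resume' }
    $timeout = 0
    if (-not [int]::TryParse([string]$Values['ScreenSaveTimeOut'], [ref]$timeout) -or $timeout -le 0) {
        $problems += 'timeout not set'
    } elseif ($timeout -gt $MaxSeconds) {
        $problems += "timeout ${timeout}s exceeds ${MaxSeconds}s"
    }
    [pscustomobject]@{ Compliant = ($problems.Count -eq 0); Problems = $problems -join '; ' }
}

function Get-LiveScreenLockValues {
    # Reads the current user's effective policy; returns an empty table if no GPO applies.
    $out  = @{}
    $item = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($n in $Names) {
        if ($item -and $item.PSObject.Properties[$n]) { $out[$n] = $item.$n }
    }
    $out
}

# Constructed samples (not read from a real GPO), plus the live session.
$samples = [ordered]@{
    'staff GPO, 5 min lock'    = @{ ScreenSaveActive = '1'; ScreenSaverIsSecure = '1'; ScreenSaveTimeOut = '300' }
    'screensaver, no password' = @{ ScreenSaveActive = '1'; ScreenSaverIsSecure = '0'; ScreenSaveTimeOut = '300' }
    'timeout too long'         = @{ ScreenSaveActive = '1'; ScreenSaverIsSecure = '1'; ScreenSaveTimeOut = '1800' }
    'no policy applied'        = @{}
}
$samples['this session (live)'] = Get-LiveScreenLockValues

foreach ($label in $samples.Keys) {
    $r = Test-ScreenLockPolicy -Values $samples[$label]
    [pscustomobject]@{ Source = $label; Compliant = $r.Compliant; Problems = $r.Problems }
}
```

Only the first constructed sample passes; the second shows the common mistake of enabling the screensaver without requiring a password on resume, which leaves the session open to whoever moves the mouse.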
Thanks for all of your input. I can't see what the advantage is of having two domains running in the same forest over just the single domain. (Taking into account I've never done this.) If a trust is set up between the two domains, then either is accessible anyway. Why not just have the one?

Because trusts can be one way.