10th September 2010, 08:25 PM #1
Joining 2 school domains
I am looking for thoughts, opinions and input on an idea that has been brought up recently by 2 schools on our site. The scenario is as follows:
There are 2 schools on our site, with a fibre link between the 2 (untested and unused for many years). The 2 schools have pupils that have lessons at both schools, and therefore the idea has been brought up that it would be great if a student from School A could log in at School B and vice versa, using the same login credentials, and access the same shares etc. 1 school is a CC3, win2k3 domain, the other a win2k3 (vanilla). Both schools have shown willingness to go ahead with such a project; however, an initial meeting hasn't been planned yet. I am merely doing some research in preparation for such a time.
Having never tried to achieve this before, I am looking for guidance, input and general thoughts from anyone who has knowledge or considered this before. My initial thoughts are that this is surely achievable, but by no means a small task. Presumably 1 domain would have to be a sub domain or would a trust relationship be sufficient?
I haven't done much research into this yet but will be doing so over the next few weeks; however, I thought the best place to start would be with the lovely folks at EduGeek!
Many thanks in advance for your input.
10th September 2010, 08:41 PM #2
I work at a school that runs a trust between two win2k3 domains and it is not too bad. The only problem you will have is when you have a network issue that breaks the trust. All our shares and My Docs are linked to the main server at the other site.
I don't know if this can help you at all:
How Domain and Forest Trusts Work: Domain and Forest Trusts
It could be a hard task depending on how the systems are already set up.
Last edited by willtech; 10th September 2010 at 08:58 PM.
10th September 2010, 09:59 PM #3
We are going through the same thing with our admin and curriculum networks. Dorset County recommend a trust, so that is the way we are going. Seems fairly straightforward.
10th September 2010, 10:58 PM #4
"1 school is a CC3, win2k3 domain, the other a win2k3 (vanilla)"
Don't take this as the final word by any means, but CC3 may inadvertently get in the way and I suspect most of the problems will be for Vanilla folk trying to logon to workstations in the CC3 school. No domain drop-down on the logon screen for starters, and although I think you can put the MS Gina back I suspect the issues won't stop there. The Group Policy RM have abstracted away behind their management console is one of the potentially "interesting" bits (what User policy does Vanilla user get on a CC3 workstation and vice versa?)
10th September 2010, 11:05 PM #5
This difference is why I think a trust would be better than a full integration - in fact I am not sure it would be possible to integrate them. But a trust should be able to be configured to do what you want, I would have thought?
Originally Posted by PiqueABoo
11th September 2010, 12:41 AM #6
"But a trust should be able to be configured to do what you want, I would have thought?"
Disclaimer: It's been quite a while and I'm not 100% clear what they want to achieve but there are two typical scenarios in trusts:
Potentially Easy: domainA\Fred logs on to domainA computer and accesses resources in both domains.
Potentially Hard: domainA\Fred logs on to domainB computer and accesses resources in both domains.
For the hard one you have to worry about what User policy Fred gets to do all that desktop lockdown we all have. They're not in domainB's active directory where domainB's user policy is linked so won't get any when logging on there without some effort. The default trick used to be to pick up all the policy that applies to average domainB user and link it to domainB computers, and with a forest trust the system automagically applies that linked policy to Fred via loopback processing. You also have to add more loopback policy to add extra drive mappings etc. to resources back in domainA. This might just work if you're lucky when domainB is a CC3 (or for that matter any other seriously developed vanilla that never expected to have to accommodate this) but I'd expect a bit of a battle I might not win.
In this specific scenario I'm much happier contemplating making the trust, but Fred has accounts in both domains i.e. you add mappings back to domainA when they log on to domainB as domainB\Fred account. But I wouldn't want to do that either - doing this kind of thing between separately managed organisations often gets bogged down in politics and then thrown away after a while.
If it's between new or revamped vanillas that's different and approaches like willtech's might be viable, but I can't see that ever working with a CC3 and vanilla.
It can all get a bit hideous really and AIUI peripatetic students are one of the very significant factors in RBC/whatever VLEs [will they survive given the Incredible Disappearing HT Grants] and other keep-your-stuff-in-the-sky campaigns i.e. so it's all there in a familiar guise wherever you are.
PS: "domain" really means single-domain-forest in the above.
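Added example, not part of any post in this thread: a simplified Python model of the "potentially hard" case from post #6, showing which User-side GPOs domainA\Fred receives on a domainB computer before and after the lockdown policy is linked to domainB computers. All OU and GPO names are hypothetical, and the model ignores security filtering, block inheritance, enforced links and WMI filters.

```python
# Added example: simplified model of User-side GPO selection at logon.
# OU and GPO names are hypothetical; security filtering, block inheritance,
# enforced links and WMI filters are ignored.

DOMAIN_A_LINKS = {
    "DC=domainA": ["A Default Domain Policy"],
    "OU=Pupils,DC=domainA": ["A Pupil Lockdown"],
}
DOMAIN_B_LINKS = {
    "DC=domainB": ["B Default Domain Policy"],
    "OU=Students,DC=domainB": ["B Student Lockdown"],
    "OU=Classroom PCs,DC=domainB": ["B Workstation Baseline"],
}
FRED = ["DC=domainA", "OU=Pupils,DC=domainA"]          # domainA\Fred
B_STUDENT = ["DC=domainB", "OU=Students,DC=domainB"]   # a local domainB pupil
B_PC = ["DC=domainB", "OU=Classroom PCs,DC=domainB"]   # a domainB workstation


def gpos_for(path, links):
    """GPOs linked along an object's container path, domain root first."""
    return [gpo for container in path for gpo in links.get(container, [])]


def user_side_gpos(user_path, user_links, pc_path, pc_links,
                   cross_forest, loopback=None):
    """GPOs whose User settings are processed, in application order.

    loopback is None, "merge" or "replace" (configured on the computer).
    A cross-forest logon is modelled as loopback replace, the behaviour
    post #6 describes for a forest trust.
    """
    mode = "replace" if cross_forest else loopback
    from_pc = gpos_for(pc_path, pc_links)
    if mode == "replace":
        return from_pc
    from_user = gpos_for(user_path, user_links)
    return from_user + from_pc if mode == "merge" else from_user


def lockdown_gap(applied, required):
    """Required lockdown GPOs that the logon did not receive."""
    return [gpo for gpo in required if gpo not in applied]


def fixed_links():
    """domainB links after also linking lockdown and domainA drive maps to the PCs."""
    links = dict(DOMAIN_B_LINKS)
    links["OU=Classroom PCs,DC=domainB"] = [
        "B Workstation Baseline", "B Student Lockdown", "Map domainA Shares"]
    return links
```

In this model the visiting user's own domainA policy never applies on the domainB workstation, so any lockdown that exists only on domainB's user OUs is missing until it is also linked where the computers are.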
12th September 2010, 04:21 PM #7
Personally I would just dump both networks and start fresh with a single domain, since one of the sites already has cc3 on it, that will most likely cause issues and this way you won't need to have to worry about two way domain trust issues.
13th September 2010, 09:48 AM #8
It is possible to merge non cc3 to cc3, but you'll need a very good understanding of how the CC3 GPOs work. Also, have you thought about moving the smaller/less working domain onto the larger/more working domain and then only having one domain to manage? We use a unified approach here and it really does save time and headache.
19th September 2010, 10:38 AM #9
Many thanks for all your input.
I think the way forward with this is to use a trust relationship between the 2 sites. Unfortunately, removing CC3 from 1 site or adding the non-CC3 site to our CC3 domain, are just not options unfortunately. All my problems would be solved if I could implement Server 2K8 at both sites and use RODC.
Thanks again and I will keep you updated on any progress that we make.