Do you have a separate domain for admin and curriculum
or do you have everything all in one domain?
We most likely are gonna go all virtual (Hyper-V)
Our support company are recommending to merge them into one network
This is what he has said on the migration steps that I asked him about, as originally I never said anything about the admin network.
'I was assuming that the domains were to be merged, keeping them separate was the old way of doing it. If we keep a separate file server VM this is normally sufficient, if we grant an explicit 'deny' right for the admin data it is secure'
We run both sims.net and sims fms for just the finance side
and Serco Facility & eportal for the MIS
I think that is right, don't really deal with the admin network a lot
So there are a few advantages for doing that, less to go wrong
Only one print server instead of two
Only one domain instead of two
Only one WDS instead of two
Only one WSUS instead of two
Only one DNS System instead of two
Only one DHCP System instead of two
Only one Active Directory System instead of two
Plus probably some others
So what do you think?
And what do you do?
Last edited by pritchardavid; 3rd November 2010 at 07:37 PM.
2 things ...
1 - I have preferred flat networks for some time. It makes little sense to say "but we are trying to protect data" if you then give access via ePortal anyway. As long as you are happy that you are taking the required steps to control sensitive data such as personnel files, etc then fine. Use this as a chance to do a data audit, make sure you know who the data owners are, get a SIRO in place, etc. Also use it to look at consolidating storage and backups.
2 - I don't know the company who is doing this so the following isn't a reflection on them, more a question for any such company .... from the cynical part of me. Perhaps they want to do it as it will earn them more money? Something to consider. Then again, from the day I have had in Reading looking at efficiencies in ICT (blog post over the weekend or look at the Twitter hash tag #ictefficiencies) then even if it does cost more, perhaps it will pay for itself.
Whatever you do, try to make sure you only retire kit when it is end of life ... If a server still has two years to go and you are virtualising it now, that might be a waste of money. Just a thought.
If the vm hosts have both admin and curriculum (two ethernet cables configured to the correct vlan on the switch port)
And IF you can select what vlan on the hyper-v manager for a VM then we could make a VM for the admin file server and configure that to admin vlan only
And then set all other VMs to use both vlans
Sims is on its own physical server like it is now
Serco Facility is on its own physical server like it is now
Both connected to the admin vlan
And maybe upgrade both servers from 2003r2 to 2008r2 (only if they're compatible with them, or 2008 if not compatible with 2008r2)
Does that sound like that would work?
Would you say that would be better than their idea?
Last edited by pritchardavid; 3rd November 2010 at 07:20 PM.
We merged both networks years ago, as it became harder to identify whether a person required an admin or a curriculum machine - so many users have a foot in both camps - teachers take registers and write reports in SIMS, and need to use curriculum software to plan lessons. Do you give them 2 machines, or insist they log off one machine and onto another to do a different job? File permissions keep data secure.
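An added example, not part of the thread or any poster's own code: a simplified Python model of how Windows evaluates a folder's DACL, applied to the explicit-deny suggestion quoted in the first post and to the dual-role teachers described above. The group names, users and the two-bit permission mask are assumptions made for illustration.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2  # constructed two-bit mask, not real Windows access rights

@dataclass(frozen=True)
class Ace:
    kind: str            # "deny" or "allow"
    trustee: str         # hypothetical group name
    mask: int
    inherited: bool = False

def canonical(dacl):
    # Canonical order: explicit deny, explicit allow, inherited deny, inherited allow.
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(dacl, groups, wanted):
    """Simplified model: walk ACEs in order, stop at the first decisive one."""
    remaining = wanted
    for ace in canonical(dacl):
        if ace.trustee not in groups:
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False          # a still-needed right is denied
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True           # every requested right was granted
    return False                      # nothing granted it: implicit deny

# Constructed users for a merged domain (all names are assumptions).
USERS = {
    "bursar":  {"Admin Staff"},
    "pupil":   {"Curriculum Users"},
    "teacher": {"Curriculum Users", "Admin Staff"},  # a foot in both camps
}

ALLOW_ONLY = [Ace("allow", "Admin Staff", READ | WRITE)]
WITH_DENY = ALLOW_ONLY + [Ace("deny", "Curriculum Users", READ | WRITE)]

def report(dacl, wanted=READ):
    return {name: access_check(dacl, groups, wanted) for name, groups in USERS.items()}

if __name__ == "__main__":
    print("allow-only :", report(ALLOW_ONLY))
    print("with deny  :", report(WITH_DENY))
```

The allow-only ACL already keeps the pupil out through the implicit deny; the explicit deny changes the outcome only for the teacher who belongs to both groups.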
We're beginning to merge them as most admin networks are a server and 2-3 workstations. It seems silly to have a domain and all the related roles for 4 computers. We now tend to run the admin server as a VM that is a file store for admin users and SIMS server. It's not a DC anymore, has no other SQL databases for WSUS/Sophos etc, just has 2 NICs (due to LEA requiring admin server to have IP of 10.even.x.100 to send data to them). Much simpler setup, and the SIMS server isn't used as a workstation etc, so is a simple machine, less to go wrong.
Dorset (bless) still advocate separate domains - although being part-time it means I don't have to worry about issues on the admin network which are generally more urgent than on the curriculum side. However, they are now sorting out a trust - with firewall - so that teachers can see SIMS and eventually we can sort the data out for the parental engagement bit of the VLE.
My feeling is that a split system is really only done in cases where whoever looks after the admin side doesn't trust whoever looks after the curriculum side to deliver a secure network. If the security is set up by someone with even half a clue, there is NO security problem with having a combined network.
The only schools I've worked in that had separate networks were those where the LA looked after the admin network in its entirety. You're looking after both, and you've already identified some serious benefits in your first post: really I wouldn't be thinking "why have a single domain", but "why NOT have a single domain".
Last edited by AngryTechnician; 3rd November 2010 at 08:17 PM.
I have worked on both and found that as long as you secure everything correctly a single Domain is much easier to manage, in fact one of the first things I was asked at my interview for my present position was whether I preferred single or split as they had Admin/Curriculum on separate Domains and wanted to move these together. To be honest we Virtualised the Curriculum Network first and put in a better backup solution. Then it wasn't too difficult to add in the Admin Systems and P to V the admin Server and move over the admin workstations onto the Curriculum Domain. We did this with some support from an external company as we wanted to do this pretty quickly and support the Admin side more as previously this had been done by the LEA although this was done pretty well we were just trying to bring as much as possible in house.
Well here my Admin Network is actually part of the LEA network so I am limited in what they will allow. Therefore we had to keep a separate admin and curriculum domain. However I have Virtualised both the Network Infrastructure (Procurve VLANs) and the Server Infrastructure (VMWare) for both curriculum and admin domains.
This means I can keep both networks virtually separate (and keep the LEA Happy) whilst actually saving money by collapsing them both onto one physical network and server set up. Money is saved by:
a) reducing the number of switches used (from 30 to 20) thus bringing replacement and electricity costs down
b) reducing the number of servers used
c) being able to tag any network drop as either admin or curriculum - whereas before with the physically separate infrastructures I often had to get new network runs put in just for admin drops so money saved there too.
It works well. I can change any network drop in the school to curriculum or an admin and I can give any server admin or curriculum network access simply at a few clicks of the mouse.
Ideally everything would be on one domain but with very tight security - but the LEA won't allow that.
Merged our admin network into the curriculum summertime, easier to manage, easier for users. Admin network formerly under LEA control but they were pushing for schools to merge them to curriculum as we are all going trust status, sorry we already have gone trust and most schools to follow up here.