[unisog] Active Directory design school environment

thenile at ziplip.com thenile at ziplip.com
Wed Nov 12 01:24:43 GMT 2003


Hi Antonio,

The reason for AD is that the current network is an NT network, and porting to AD should make it more secure and make our life easier with Group Policies on the students' machines....

The current setup is pretty bad: the students are located on a different VLAN than the staff and there is a one-way trust relationship between the student and staff domains. However, the students' servers (PDC and Exchange) have had dual NICs for years between the staff and the student networks, which is pretty insecure. The reason for the dual NICs was to provide the teachers with access to the students' home folders and to be able to share the GAL.

I am fairly new to NT/AD so I am not sure what the best design would be. I had in mind isolating the servers on VLAN A, the staff on VLAN B and the students on VLAN C, but I am not sure what a good AD structure for the whole thing would be, making it as secure as possible, removing the dual NICs and still being able to access the students' home folders and share the GAL. Having a different domain for students or having a different OU within the same domain ....


Cheers,

Jad



> -----Original Message-----
> From: Antonio Quesada [mailto:aquesada at guc.usg.edu]
> Sent: Tuesday, November 11, 2003, 12:34 PM
> To: unisog at sans.org
> Subject: Re: [unisog] Active Directory design school environment
> 
> IMHO, the best design shall begin with the question:
> 
> Why AD? In fact, why MS Server?
> 
> I am not trying to bash MS. I really think it is a question that shall be asked.
> 
> If you already have, and also have an answer, a good starting point might be
> to put the students in a separate container from the staff and the faculty
> (and maybe the same for staff & faculty).
> 
> And also, you mention Cisco ACLs; how about networking your servers in its
> own network connected to a separate interface in your FW/Router, separate
> from the Inet and your inside network? That way you can get a log of what
> is going thru such interface.
> 
> Just an idea, 
> Be Well!
> 
> Antonio Quesada
> Network Manager
> Gwinnett University Center
> 678-407-5093
> 
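One way to lay out the "separate container" split Antonio suggests, and to give teachers access to student home folders over routed, firewalled VLANs instead of through a dual-homed server, as an added PowerShell example that is not part of the original thread. It assumes a current Windows Server domain with the ActiveDirectory and GroupPolicy modules (which did not exist in 2003); the domain school.local, the OU names, the group SCHOOL\Staff-Teachers and the share \\fs01\StudentHomes are placeholders.

```powershell
# Added example, not from the original thread. Run on a domain-joined admin
# workstation with RSAT; all names below are placeholders for this illustration.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = "DC=school,DC=local"

# 1. One domain, separate OUs per population: students, staff, servers.
#    Each top-level OU gets Users and Computers sub-OUs so that user policy
#    and machine lockdown policy can be linked independently.
foreach ($name in @("Students", "Staff", "Servers")) {
    New-ADOrganizationalUnit -Name $name -Path $domainDN `
        -ProtectedFromAccidentalDeletion $true
    foreach ($sub in @("Users", "Computers")) {
        New-ADOrganizationalUnit -Name $sub -Path "OU=$name,$domainDN" `
            -ProtectedFromAccidentalDeletion $true
    }
}

# 2. A lockdown GPO linked only to the student computer OU, so that the
#    restrictive settings never reach staff or server machines.
$gpo = New-GPO -Name "Students-Workstation-Lockdown" `
    -Comment "Placeholder: restrictive settings for student lab machines"
New-GPLink -Name $gpo.DisplayName `
    -Target "OU=Computers,OU=Students,$domainDN" -LinkEnabled Yes

# 3. Teacher access to student home folders via NTFS ACLs on a single-homed
#    file server. Staff reach \\fs01 through the router/firewall ACL between
#    VLAN B and VLAN A (where the access is logged), not through a second NIC.
$homeRoot = "\\fs01\StudentHomes"           # placeholder share
$teachers = "SCHOOL\Staff-Teachers"          # placeholder domain group

$acl  = Get-Acl -Path $homeRoot
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $teachers,
    "ReadAndExecute",                        # read-only: teachers inspect, not modify
    "ContainerInherit,ObjectInherit",        # applies to every student's folder
    "None",
    "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $homeRoot -AclObject $acl

# 4. Quick check that the OU tree exists as intended.
Get-ADOrganizationalUnit -SearchBase $domainDN -Filter * |
    Select-Object -ExpandProperty DistinguishedName | Sort-Object
```

The point of the layout is that everything Jad lists as a reason for the dual NICs (home folder access, a shared GAL) is a permissions or routing question, not a reason to bridge two VLANs inside a server: the file server and Exchange sit on the server VLAN only, and the firewall interface between the staff and server VLANs is where access is both filtered and logged, as Antonio describes.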