First up, let me say that I'm assuming everyone reading this has at least a broad understanding of what Active Directory is, the common terms that are thrown about in Active Directory discussions, and how it relates to Windows 2000 networking. If this is not the case, all I can do is suggest checking out the resources on the Microsoft homepage - http://www.microsoft.com/windows2000/techinfo/default.asp. There is no way I could explain it as well as they can in the time I have, so I'll just refer you to the experts for the introduction to Active Directory. I'm also limiting the scope of this discussion to "basic" Active Directory, and not talking about Exchange 2000 or anything else that modifies the schema.
What I'm going to do here is talk about the ideal AD design, then look at a real-world case study (the LSFC network) and discuss how that relates to the "ideal" design.
One of the main assumptions of Active Directory (AD) is that you will do two things as part of setting it up. The first is that you will plan your Active Directory layout before installing your first server, and the second is that you will attempt to simplify any multi-domain NT 4 domain designs.
Another big concept to remember with AD is that it is based on TCP/IP networking and hierarchical Fully Qualified Domain Names for domains, rather than the simple "flat" domains found in the NetBIOS-based networking that NT 4 uses. This matters when dealing with multiple domains: NT 4 domains are completely unrelated objects which stand by themselves, whereas Windows 2000 AD domains typically fit into a "tree" structure, with the first domain you create being the root of your domain tree and any domains you create subsequently being branch or child domains.
One example of this is in the domain names used. If I create two NT 4 domains, one named LEARNING and the other RESOURCES, they are stand-alone domains, not related to each other in any way. If I create the same domains in Windows 2000, I will probably end up with a root domain named learning.example.com and a child domain named resources.learning.example.com. Notice the relationship?
The typical NT 4 domain-based network in a school has at least two domains: one for classroom machines, users and resources, and the other for administration machines, users and resources. It's also quite common to find more domains, containing specialist server systems such as proxy, web or streaming multimedia servers. Under NT 4 there are lots of reasons why it is necessary, or at least expedient, to create new domains for lots of things.
The perfect Active Directory based design should ideally hold all users, computers and resources within just one domain. Unlike NT 4 based "flat" domains, AD makes storing lots of objects in one domain easier and it makes assigning rights and policies to groups of users, computers or resources easier via the use of Organisational Units (OUs) and Group Policy Objects (GPOs).
Given the information presented above, we can see that the typical school or college network might present a bit of a challenge when it comes to migrating from NT 4 domains to Windows 2000 ones. Straight away we see that a typical school or college network probably has two or three domains, while the ideal Active Directory based network will have only one.
When designing an AD layout, remember that there are only two technical reasons in AD why you have to have more than one domain.
There might, of course, be several political reasons why you might want more than one domain, and there are times when it might be desirable to have more than one domain, but the two points above are the only technical points at which you must have more than one domain.
One thing I want to make clear is that designing active directory is an art as much as a science. While there are several firm DOs and several firm DO NOTs, it is perfectly possible for two experienced AD designers to recommend two totally different layouts, both with very good reasons supporting them.
Looking just at the "teaching" half of the system at the moment to keep it simple, a typical moderate sized school network might consist of 150 workstations spread around the place being served by four servers.
In this simple but common enough layout there is no need for a second domain after the move to Windows 2000. None of these functions requires a separate domain in order to work. A sensible strategy would be either to upgrade the LearnNet domain or to create a completely new Windows 2000 domain and migrate users to it (depending on the suitability of your current servers to run Windows 2000). You could then upgrade the multimedia and proxy/email servers to Windows 2000 and bring them into the domain at your leisure.
At this point, I'd also suggest looking at moving your admin network into the Windows 2000 infrastructure, in the future at least even if not right away. From a technical point of view there is no need to have more than one domain just to keep admin and learning stuff separate; you can simply create OUs for each area. Keep this in mind when designing your domain namespace, for example by calling your new domain "network.school.example.com" rather than "learning.school.example.com" or some other name that may prove limiting at a later time.
In other words, you might not plan to move your admin network over at the moment, but it would be prudent to do nothing in your current planning that would prevent such a move from taking place at a later date.
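As an added illustration of the two points above (the DNS name of the domain dictating its directory name, and OUs rather than extra domains separating the admin and learning areas), the following PowerShell is example code written for this article, not something from the original text. It assumes a modern domain controller with the RSAT ActiveDirectory and GroupPolicy modules, the domain name network.school.example.com from the text, and the OU and GPO names "Learning", "Admin", "Users", "Computers" and "<Area> Baseline", all of which are assumptions for the example.

```powershell
# Added example (not from the article): lay out the single-domain design the
# article recommends. Assumes the RSAT ActiveDirectory and GroupPolicy modules
# and a domain named network.school.example.com.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# The directory's distinguished name is derived from the DNS name, one DC=
# component per label, which is the "tree" relationship the article describes.
$DomainDns = 'network.school.example.com'
$DomainDn  = ($DomainDns.Split('.') | ForEach-Object { "DC=$_" }) -join ','
# $DomainDn is now DC=network,DC=school,DC=example,DC=com

# One OU per area instead of one domain per area. Each area gets Users and
# Computers sub-OUs so policy can be scoped to people or to machines.
$Areas = 'Learning', 'Admin'
foreach ($Area in $Areas) {
    $AreaDn = "OU=$Area,$DomainDn"
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$AreaDn'")) {
        New-ADOrganizationalUnit -Name $Area -Path $DomainDn -ProtectedFromAccidentalDeletion $true
    }
    foreach ($Sub in 'Users', 'Computers') {
        $SubDn = "OU=$Sub,$AreaDn"
        if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$SubDn'")) {
            New-ADOrganizationalUnit -Name $Sub -Path $AreaDn -ProtectedFromAccidentalDeletion $true
        }
    }

    # One GPO per area, linked at the area OU: classroom lockdown settings
    # stay on the Learning side and admin settings on the Admin side,
    # without a second domain.
    $GpoName = "$Area Baseline"
    $Gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $Gpo) { $Gpo = New-GPO -Name $GpoName }
    # New-GPLink errors if the link already exists, so re-runs are tolerated.
    New-GPLink -Name $GpoName -Target $AreaDn -LinkEnabled Yes -ErrorAction SilentlyContinue
}
```

The script is written to be re-runnable: it checks for each OU and GPO before creating it. Because both areas live under one domain name chosen to be neutral (network rather than learning), moving the admin network in later is just a matter of populating the Admin OU, which is the point the text makes about not limiting yourself with the domain name.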
In the next part of this article, we'll look at a more complex case study which involves multiple domains: the Luton Sixth Form College network.