I need help with the design of of m 1

[gdo]

I need help with the design of of my local domain.

Windows Server 2000 (2)

There's two different server. One for administration, and the second one for students and teachers...

So students and teachers are on same domain 'school.int' (same server), and administration is on 'administration.int'.

Is there anyway to rearrange the tree in the AD in order to get two different ways on workstation to log on to 'school.int' (domain)?

For example when logging on a workstation the choices would be 'this Computer (computername)' or 'teachers.school.int' or 'students.school.int'.

Does this have something to do with OUs or do I need another server in the tree (one for students and one for teachers)? Because I need all the workstations to be on the teachers domain and also the students domain... but a workstation can only be configured to connect to a single domain at a time...

Or any suggestion on how I should set this up?

thanks for any help or suggestions... greatly apreciated.

gdo

 

[wbg34]

I would choose 1 server to be the DC that controls the domain school.int. Have the other server join the domain as a member server. Create three User Groups (Administration, students, teachers)and add the appropriate users to each group. One one server create the shares for the administration and deny access to those shares for students and teachers. On the other server set up shares for teachers and students and deny access to those shares for administration. Create a login script that maps the shares based on which group the user is a member of. Have all workstations login to the one domain.

 

[gdo]

Thanks for your help.

Now I was told that three VLAN will be setup this week with a new switch... That is one for administration, one for teachers and one for students.

So how do I go from that. Do I need three servers? Or can I still keep one member server for the two other VLAN (Teachers and Students)?

I've only dealt with one server - one domain until now... so this is new stuff to me.

Thanks again for helping.

 

[wbg34]

Vlan is a function of the switch and you should still be fine going with one domain as long as the port which your server is connected to has access to all the VLANs.

 

[gdo]

would it be safer to keep one server only for students and put the teachers on the administration server?

 

[gurner]

You could go the two domain method but 1 is definatly better

You could configure OU GPOs (Organisational Unit Group Policy Objects) in conjunction with logon scripts, NTFS File Permissions, Network Shares, e.t.c.

 

[gdo]

Thanks for helping!

I don't understand why it would be better just on one server. What would be the advantages?

 

[gurner]

The advantages are the cost, hardware and administration

If however you already have 2 servers than that will give you a proven redundancy option by having them both DCs on the same domain.

and have them replicate amoungst themselves

If you organise the domain into OUs in the ActiveDirectory then you can centrally administer their various rights and resources rather than having to move to different machines each time.

And they would probably rather just logon normally rather than have to pick a domain from a drop down (users are 90% stupid, 90% fussy and 100% of them keep us in work)

 

[STLT11]

I work for a UK school and we have the same scenario. The education dept. setup an administration server on one domain. All PCs on this domain have fixed IP addresses. Only members of staff who use our administration system use this server.

We then have a curriculum server for students and general staff/teachers etc. This server is on a separate domain. All workstations in the classrooms that use this server are setup on DHCP (we have excluded a specific range of IP addresses for the admin machines… read on).

The PCs that are attached to our admin network as mentioned earlier have static IP addresses for the administration domain. They also have a static IP address for the curriculum domain (one of the ones blocked out in the DHCP). We then setup a trucst between the administration and the curriculum server.

This allows members of our administration network to log onto both the curriculum and administration network. But because the curriculum workstations don’t have an IP address for the administration network, the curriculum PCs can only log onto the curriculum network.

 

[gdo]

STLT11 it sounds like something that would work out well here...

What makes it possible to register a workstation to more than one domain? How do you proceed? Is it due to the trust relationship? Because right now the choices are always one domain and (this computer)...

 

[wbg34]

I guess I dont understand what the benefit of this kind of setup would be. It sounds like an administration nightmare. Pretty much everything in your network setup would be easier and cheaper to setup and maintain using one domain and two seperate OU's.