Re: Two Server Setup Question.



Hi,

We are currently deploying a VPN scenario for a local LEA. Corporate IT (the
company that supplies the metro VPN) insists that the admin and curriculum
networks be separated by VLAN; however, they have accepted a secure logon via
VPN between the admin and curriculum networks. This enables the teachers
homed on the curriculum network (where all the teaching materials are
located) to have access to the admin servers for online registration etc.

Once the application process has been completed, the teacher logs off the VPN or
the session times out, reducing the risk of a student accessing the admin data.

Regards

Gareth

"Dennis Chung [MVP]" wrote:

Hi Purtech,

Dave has a point. Both designs will work for you.

What I don't understand is how a child domain works, particularly with
authentication. Actually... now that I think about it... so
teacher@xxxxxxxxxx, who is an admin/account operator of lab.school.org, does
not have admin privileges in the school.org domain, right?

But the administrator in the school.org domain does have admin rights to
lab.school.org, right?

Yes, administrator@xxxxxxxxxx has admin rights over lab.school.org because
the first administrator is also an enterprise admin. And the enterprise admin is
the king.

Well, it's going to take very long to tell you how a child domain works. But
we normally create child domains to separate/set up security boundaries in the
domain. There are several concerns though and, as usual, pros and cons to
every design. Yes, teacher@xxxxxxxxxx will be able to log in to
lab.school.org and be able to control account-related things. However,
because within the same forest the domains trust each other, anyone in
lab.school.org can log on to any workstation within the school.org forest
provided they have rights, which by default they do.

Another way of doing this is what Dave suggested, which tends to be better in
terms of security if you are talking about setting up school.org and perhaps
lab.org. In this case, it gets a little more complicated because each
one is one forest with one domain. No trust relationship exists. Having said that,
teacher@xxxxxxxxxx has no control over lab.org. You need to establish an
external trust from school.org to lab.org (outgoing external trust, single
direction). This means teacher@xxxxxxxxxx can go to lab.org, but students
within lab.org cannot go to school.org because there is no trust established in
that direction.

After this, you add teacher@xxxxxxxxxx to lab.org and make the teacher an
account operator of lab.org. There... you're done...
Alternatively, don't do a trust. Get your teachers to remember two IDs and
passwords, one for each domain. ;-)


Dave - in the other post - said he would just create two separate domains,
school.org and school2.org I suppose. Is this more secure?


To help Dave answer, yes it is.


--
Best Regards,
Dennis Chung

MCP, MCSA (2k3/Security), MCSE (2000/2003)
MCDBA, MCTS (SQL 2005), MCITP (SQL 2005 - DBA)
Microsoft Certified Trainer, Microsoft MVP - Windows

Microsoft Windows & SQL Server Advisory Panel Member
MS IT Academy - Mentor (APAC)
MS Vista & Office12 Influencer Lead (APAC)
Founder: Singapore Windows User Group (http://sgWindowsGroup.org)
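An added example, not code from the thread or from Dennis: a PowerShell check, run on the lab.org side, that the two-forest design actually yields the access pattern described (teacher@school.org can administer accounts in lab.org, lab.org accounts have no path into school.org). For that pattern lab.org must be the trusting domain, so Get-ADTrust queried against lab.org reports the trust object for school.org with Direction Outbound, and school.org reports the same trust as Inbound. The account name `teacher`, the NetBIOS name `SCHOOL`, and the use of the ActiveDirectory module (RSAT / Server 2012 or later, which post-dates the Windows 2003 servers in the thread) are assumptions. In a single forest the forest, not the domain, is the security boundary (Enterprise Admins span every domain in it), which is why a separate forest with a one-way trust rates as the more secure option.

```powershell
# Added example, not code from the thread. Assumes Dennis's two-forest design:
# school.org (admin) and lab.org (lab), joined by a one-way external trust in
# which lab.org trusts school.org. Run as a lab.org admin on a machine with
# the ActiveDirectory module (RSAT, Server 2012+). Assumed names: the teacher
# account 'teacher' and the NetBIOS name 'SCHOOL' for school.org.
Import-Module ActiveDirectory

$AdminDomain  = 'school.org'
$AdminNetbios = 'SCHOOL'          # assumption
$LabDomain    = 'lab.org'
$Teacher      = 'teacher'         # assumption

# 1. Seen from lab.org, the trust object for school.org must be Outbound:
#    lab.org is the trusting domain, so school.org accounts can authenticate
#    into lab.org and nothing flows the other way. Inbound or BiDirectional
#    here would let lab.org (student) accounts into the admin domain.
$trust = Get-ADTrust -Filter "Target -eq '$AdminDomain'" -Server $LabDomain
if (-not $trust) { throw "No trust toward $AdminDomain is defined in $LabDomain." }
if ($trust.Direction -ne 'Outbound') {
    throw "Trust direction on $LabDomain is $($trust.Direction); expected Outbound."
}
if ($trust.TrustType -ne 'External') {
    Write-Warning "Trust type is $($trust.TrustType); an external (non-transitive) trust was intended."
}
if (-not $trust.SIDFilteringQuarantined) {
    Write-Warning "SID filtering is off: SIDs in school.org tokens that do not belong to school.org would be honoured in $LabDomain."
}
if (-not $trust.SelectiveAuthentication) {
    Write-Warning "Selective authentication is off: every school.org user, not just the teacher, can authenticate to $LabDomain hosts."
}

# 2. The teacher must be in lab.org's built-in Account Operators group. A member
#    from another forest is stored as a foreign security principal (an object
#    named after its SID), so read the raw member DNs and translate each SID.
$group = Get-ADGroup -Identity 'Account Operators' -Properties member -Server $LabDomain
$members = foreach ($dn in $group.member) {
    $obj = Get-ADObject -Identity $dn -Properties objectSid -Server $LabDomain
    try {
        $obj.objectSid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $dn   # SID the lab DC cannot resolve: surface the DN rather than hide it
    }
}
$expected = "$AdminNetbios\$Teacher"
if ($members -notcontains $expected) {
    throw "$expected is not an Account Operator in $LabDomain. Current members: $($members -join ', ')"
}

# 3. The reverse view: on school.org the same trust must show as Inbound
#    (school.org is trusted, not trusting). Needs school.org admin credentials,
#    since a lab.org account cannot authenticate to school.org across this trust.
$adminCred = Get-Credential -Message "school.org administrator (reverse-direction check)"
$reverse = Get-ADTrust -Filter "Target -eq '$LabDomain'" -Server $AdminDomain -Credential $adminCred
if ($reverse -and $reverse.Direction -ne 'Inbound') {
    throw "$AdminDomain reports the trust to $LabDomain as $($reverse.Direction); lab.org accounts could authenticate into the admin domain."
}

"OK: $expected can administer accounts in $LabDomain; $LabDomain accounts have no path into $AdminDomain."
```

The two warnings are the settings that decide how much of school.org the trust exposes: SID filtering (on by default for external trusts) stops a lab.org token from carrying SIDs it should not, and selective authentication narrows the trust from "any school.org user" to only those granted Allowed to Authenticate on specific lab.org computers, which fits a single teacher better than domain-wide authentication.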

"Purtech" <mikek(remove)@hlit.net> wrote in message
news:ecBoaobpGHA.2400@xxxxxxxxxxxxxxxxxxxxxxx
Excellent Dennis.

What I don't understand is how a child domain works, particularly with
authentication. Actually... now that I think about it... so
teacher@xxxxxxxxxx, who is an admin/account operator of lab.school.org, does
not have admin privileges in the school.org domain, right?

But the administrator in the school.org domain does have admin rights to
lab.school.org, right?

Also:

There are about 20 computers in the lab and about 10-15 in admin. I have
two switches. Would two separate VLANs or two subnets be appropriate? I
don't think broadcast traffic is a big issue with this setup and these
switches.

Dave - in the other post - said he would just create two separate domains,
school.org and school2.org I suppose. Is this more secure?

Thanks!

"Dennis Chung [MVP]" <dennis@xxxxxxxx> wrote in message
news:eK9HVZVpGHA.2256@xxxxxxxxxxxxxxxxxxxxxxx
There are several scenarios you can create from there.
Assuming the following:
The teacher has an account in school.org. But here, the teacher is a normal
user. Limited rights, just a normal user. This can also be administration.

After that domain is up and the teacher has a normal account, say
teacher@xxxxxxxxxxx,
you go on to build another child domain, lab.school.org.
Put teacher@xxxxxxxxxx as a domain admin / account operator in
lab.school.org.

Of course, domain design-wise it will be like that.

But observing that you mention the new server will be school.org, and
your old server will be lab.school.org, you have a few stages here to deal
with.

Stage 1. Assuming your current old server is housing school.org, you need
to put your new server in as school.org. You need to make the new server a
DC. Before you can add a W2K3 DC into a W2K domain, you need to perform
adprep. Go to support.microsoft.com and search for the adprep command to
extend the schema. Then you dcpromo to make the W2K3 box a DC.
Subsequently, leave it for about 30 minutes.

Stage 2. You need to remove the old server and make it the DC for
lab.school.org. Dcpromo your old server to remove it as a domain
controller. Remember to deal with your DNS/DHCP to reflect the new DC,
or your clients will not be able to find the W2K3 DC. After dcpromo,
it'll be a normal member server of the domain.

Stage 3. Now you can make your old server the DC for lab.school.org
by running dcpromo.

Stage 4. In lab.school.org, you specify that teacher@xxxxxxxxxx is a
member of the lab.school.org Domain Admins or Account Operators group.

Then i guess you're more or less done. :-)

--
Best Regards,
Dennis Chung

MCP, MCSA (2k3/Security), MCSE (2000/2003)
MCDBA, MCTS (SQL 2005), MCITP (SQL 2005 - DBA)
Microsoft Certified Trainer, Microsoft MVP - Windows

Microsoft Windows & SQL Server Advisory Panel Member
MS IT Academy - Mentor (APAC)
MS Vista & Office12 Influencer Lead (APAC)
Founder: Singapore Windows User Group (http://sgWindowsGroup.org)
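An added example, not from the thread: Dennis's four stages for the single-forest, child-domain design as they would be run today with the ADDSDeployment and ActiveDirectory PowerShell modules (Server 2012 or later; the Windows 2000/2003 servers in the thread used dcpromo and adprep). Each stage runs on the host named in its comment, so this is a procedure to follow stage by stage, not a script to run end to end. The server names NEWDC and OLDDC, the address 10.0.0.10, the teacher account name and the DSRM passwords are assumptions. One step the thread leaves implicit is added: the operations-master (FSMO) roles are moved off the old server before it is demoted, and a replication check stands in for "leave it for about 30 minutes".

```powershell
# Added example, not from the thread. Dennis's four stages for the one-forest,
# child-domain design, written for the ADDSDeployment / ActiveDirectory modules
# (Server 2012+). Each block runs on the host named in its comment. Assumed
# names: NEWDC (new server), OLDDC (old server), teacher account 'teacher',
# NEWDC address 10.0.0.10.
$DsrmPassword = Read-Host -AsSecureString 'DSRM (safe mode) administrator password'
$AdminCred    = Get-Credential -Message 'SCHOOL\Administrator'

# --- Stage 1 (on NEWDC, already a member of school.org): promote it to an
#     additional DC. Install-ADDSDomainController performs the forest/domain
#     preparation that adprep /forestprep and /domainprep did by hand on 2003.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName 'school.org' -InstallDns `
    -Credential $AdminCred -SafeModeAdministratorPassword $DsrmPassword -Force
# (NEWDC reboots)

# --- Between stages 1 and 2 (on NEWDC): move the five operations-master roles
#     off the old server and confirm replication before demoting it. Dennis's
#     "leave it for about 30 minutes" is the replication wait; this checks it.
Move-ADDirectoryServerOperationMasterRole -Identity 'NEWDC' -OperationMasterRole `
    SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster -Confirm:$false
repadmin /replsummary
Get-ADDomain 'school.org' | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster

# --- Stage 2 (on OLDDC): demote it to a member server. Point DHCP clients at
#     the new DC's DNS first, or they will not find a domain controller
#     (assumes DHCP runs on OLDDC).
Set-DhcpServerv4OptionValue -DnsServer '10.0.0.10'
Uninstall-ADDSDomainController -LocalAdministratorPassword $DsrmPassword -Force
# (OLDDC reboots; it is now a member server of school.org)

# --- Stage 3 (on OLDDC): create the child domain lab.school.org with this
#     server as its first DC. -CreateDnsDelegation adds the delegation in the
#     parent zone so school.org clients can resolve lab.school.org.
Install-ADDSDomain -NewDomainName 'lab' -ParentDomainName 'school.org' `
    -DomainType ChildDomain -InstallDns -CreateDnsDelegation `
    -Credential $AdminCred -SafeModeAdministratorPassword $DsrmPassword -Force
# (OLDDC reboots as the lab.school.org DC)

# --- Stage 4 (on either DC): make the school.org teacher an Account Operator
#     in lab.school.org. Account Operators can create, delete and modify users
#     and groups in that domain but cannot change its admin groups, which is the
#     "add and remove student logins" right the question asked for. Prefer it
#     over Domain Admins: a lab Domain Admin controls every lab machine and,
#     because the forest is one trust scope, can act wherever lab accounts are
#     granted rights.
$teacher = Get-ADUser -Identity 'teacher' -Server 'school.org'
Add-ADGroupMember -Identity 'Account Operators' -Members $teacher -Server 'lab.school.org'
Get-ADGroupMember -Identity 'Account Operators' -Server 'lab.school.org' |
    Select-Object Name, distinguishedName
```

The FSMO move is the step most often skipped: Uninstall-ADDSDomainController refuses to demote a role holder unless told to seize the roles, and the PDC emulator in particular should already be on the server that will keep the domain running.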

"Purtech" <mikek(remove)@hlit.net> wrote in message
news:%23avhV%23RpGHA.1440@xxxxxxxxxxxxxxxxxxxxxxx
A school currently has one 2000 server. Single domain. Let's say
school.org.

They want to add a second server and upgrade both to Windows 2003
Standard.

They want the newer second server to be in administration, and the older
server to be in a computer lab.

They want administration and lab to have separate login controls. The
teacher in charge of the lab server can add and remove student logins.
However, he will have limited access to the administration server.

First: should I create two separate domains, administration.school.org
and lab.school.org? Or just create lab.school.org under school.org?

They will not grow past this for years.

Thanks for your help.
