Question Need Help Setting up and Configuring Domain

Status
Not open for further replies.

DieKartoffel

Honorable
Mar 31, 2017
13
0
10,510
This will probably be a long thread, but I'm really just not sure where to begin.

We're getting our active directory up to date at the school that I work at, and we'd like to start linking the computers to a domain. What we'd like is for students or staff members to be able to log into any computer in the district with their email and password. Is this possible? If so, I'll list the requirements we need below.

  1. Students and staff members must be able to log into any computer in the district with their email address and password.
  2. Desktop profiles and the like should be stored on the server and not on the local computers.
  3. Different groups need to access different things. For example, staff members should be able to access any application while students should only be able to access applications approved for their specific school.
  4. Building on that last point, we want custom groups like that, such as a staff group, HS group, MS group, and ES group. What I'm trying to say is if a middle schooler logged in, their desktop would show the middle school logo as the background and they'd be able to run apps approved for the middle school, but none for the HS or ES. I also want to restrict things like them running cmd and things like that.
  5. There should also be an administrator profile or group that can access and modify everything.
I'm sure I'm leaving things out, but that's what we need to start with. I've heard that you can manage a single group policy on the server. Can I also do it with groups somehow like how mmc can do it on individual computers? Also, what would I need to do to prepare the individual computers for this? I really have no idea where to begin, so if anybody has experience with this, I'd appreciate any help you could give me.

I'm also not sure how things like updates and things like that would work or how I'd install or remove apps. Would those have to already be on an image that's on the computers?

I have actually managed to make the server store some user profiles on it instead of the local computers during the tiny bit of testing that I did, but that's about it.
 

Eximo

Titan
Ambassador
This is quite the undertaking from scratch. Has the whole school just been using workgroups?

You will need to set up a system as domain controller, preferably some flavor of Windows Server, even more preferably Core without a GUI. Each PC would have to join the domain. You can then set up group policies.

On a Windows domain the simplest method for distributing software is SMS / SCCM (it has a new name which I always forget, but looking that up should get you started). You'll want to look into the Microsoft Deployment Toolkit, which would also let you do remote OS installation if you wanted to, but also set up a standard image that will join itself to the domain once the image has been copied over. You'll have to configure PXE boot on any system you want to be able to image itself with no OS. (There are actually so many options here that don't involve Microsoft; it depends on what you are comfortable with trying and maintaining.)

Yes, you would be able to create network wide user accounts. There are additional steps if you want that to be useful though, like setting up roaming profiles so their files follow them around. Ideal for more robust networks.


Many schools use a desktop snapshot so that changes made to a standard PC image are reverted every day (this also gets students/staff into the habit of saving their personal work to network/cloud directories). You don't have to apply this universally (you can control it with policy groups), as the teachers and staff would probably want to be able to save things on their local machines.

A lot of this isn't free, but there are discount programs for schools (potentially free) specifically that you can apply to through grants.

I don't think anyone has a step-by-step guide for you to follow, but you can likely piece one together by examining each topic. I would put any such effort measured in months of testing amongst computer-savvy people, a small pilot group of staff, a large pilot group (including one student lab or something), then universal deployment.
 

DieKartoffel

Thanks for that reply!

Yes, the whole school has just been using workgroups. I don't particularly like that, but it's what I inherited and what I've tried to improve. As of now, each computer has a program called Deep Freeze on it that restores the computer to the saved state upon a reboot. The image I've made is also used as a master that includes a profile for each school and staff members, and we use scripts to make the necessary changes when we image them. I also do use mmc to control the restrictions for each user. It works pretty well, but I feel like having them all linked to a domain would be easier. The students store all of their stuff in Google Drive right now.

We actually already have a domain controller set up, but nobody's ever tried getting it up to date before I started here. It's running Windows Server 2012 Standard, and it's a GUI version. I've been working on getting all of the staff members and students added to it.

I guess I should ask, do you think this would be worth it for us to try? Nobody here particularly cares if we use it, but I thought it may be easier. I've been using PsExec and PowerShell to basically do everything remotely anyway, like updating the restrictions, uninstalling/installing software, etc.
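
Added example, not part of the original posts: a PowerShell sketch of the account work described above, creating one security group per population (staff, HS, MS, ES) and bulk-creating users whose logon name has the form of an e-mail address. The OU path, UPN suffix, group names and roster rows are hypothetical or constructed, and the UPN suffix is assumed to be already registered in the forest.

```powershell
# Requires the ActiveDirectory module (RSAT) and rights to create objects in $BaseOu.
Import-Module ActiveDirectory

# Hypothetical values; replace with your own OU, UPN suffix and group names.
$BaseOu    = 'OU=District Users,DC=district,DC=example,DC=org'
$UpnSuffix = 'district.example.org'   # assumed to match the e-mail domain
$GroupFor  = @{ Staff = 'Staff'; HS = 'HS-Students'; MS = 'MS-Students'; ES = 'ES-Students' }

# Constructed sample roster; in practice use Import-Csv on an export from the student system.
$Roster = @'
GivenName,Surname,Login,School
Ada,Example,aexample,Staff
Ben,Sample,bsample,MS
Cara,Placeholder,cplaceholder,HS
'@ | ConvertFrom-Csv

function New-InitialPassword {
    # 18 bytes from the OS CSPRNG, base64-encoded, plus a suffix that guarantees
    # all four character classes so the default complexity policy accepts it.
    $bytes = New-Object byte[] 18
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    [Convert]::ToBase64String($bytes) + 'a1A!'
}

foreach ($group in $GroupFor.Values) {
    if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
        New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $BaseOu
    }
}

foreach ($row in $Roster) {
    if (-not $GroupFor.ContainsKey($row.School)) { Write-Warning "Unknown school for $($row.Login)"; continue }
    if (Get-ADUser -Filter "SamAccountName -eq '$($row.Login)'") { Write-Warning "$($row.Login) already exists"; continue }

    $plain = New-InitialPassword
    New-ADUser -Name "$($row.GivenName) $($row.Surname)" -GivenName $row.GivenName -Surname $row.Surname `
        -SamAccountName $row.Login -UserPrincipalName "$($row.Login)@$UpnSuffix" `
        -EmailAddress "$($row.Login)@$UpnSuffix" -Path $BaseOu `
        -AccountPassword (ConvertTo-SecureString $plain -AsPlainText -Force) `
        -Enabled $true -ChangePasswordAtLogon $true
    Add-ADGroupMember -Identity $GroupFor[$row.School] -Members $row.Login
    # Hand the initial password over out of band; do not log it or store it in the roster.
    [pscustomobject]@{ Login = $row.Login; Group = $GroupFor[$row.School]; InitialPassword = $plain }
}
```

Each account lands in exactly one population group, so Group Policy objects can later be filtered on those groups; run it against a test OU first.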
 

Eximo

I would start on the small scale with just yourself and a second user account. See how it goes and what it would potentially cost. Either way you gain the experience and if it can make your job easier, implement in stages.

2012 is a little dated, 2016 is getting a little old too, so Server 2019 perhaps, if everything is compatible anyway, you'll need to verify all your potential clients are supported. You could try Server 2022, but I don't really like jumping on the latest version unless I have to. Same with SQL. As the experts say, unless you want to be upgrading at every bug fix, best to stick with an older version.
 
For a school?

Call in certified experts. Setting up a domain is not something you do overnight, without a very clear plan well beforehand. Everything must be mapped out, in exquisite detail before you even think about configuring AD. This part can take months. You only get one chance when setting it up and if you miss something or make a mistake in the design you start over, from scratch. No "we'll fix it in the mix".
 

Math Geek

Titan
Ambassador
MCSA is the name of the MS certification for how to configure and run an environment like you are looking to do. MS has retired them now but you should still easily be able to get a book on the topic.

It's obviously not an overnight lesson, as it is in depth and has many tangents to explore (it's one college semester to get the basics and another to get the more advanced stuff). But short of hiring someone who already knows how to do it, you will have to learn it all yourself over time.

As others noted, start small and work on a teacher domain, since they will be able to handle glitches and improper access and such better than the kids. Once you have that all working and know how to set it up, then you start adding the other parts of the domain. I hope you have some help, 'cause just entering the accounts for every teacher/student at every school and level is going to be a task in itself. I don't think it can be automated and has to be done one by one.

Server 2016 is likely the way to start, which is what the MCSA book will start walking you through: what it can do and how to use each feature, if you even need it.

I don't remember it being a problem setting up the common desktop and program access for each domain at all. That was rather trivial once everything was set up and running (it has been a couple of years since I took the classes myself, and I have not used it much since). Security is of course the biggest concern and honestly needs someone who truly understands that aspect of the set-up to make sure it is locked down.
 

DieKartoffel

Thanks for all of the replies! You've really helped me quite a lot already. I'll definitely look into some MCSA books, and we should be able to call in an expert at some point. Of course, this is still kind of a "We'll see about it" thing, so I'm definitely not expecting this to be done overnight. However, hearing how difficult it is to set it up, I think I will look into getting help. At least now I have a starting point, which I'm very grateful for.
 

Math Geek

You begin, by turning yourself into the Project Manager.

Interview and hire some competent local consultants.

You can't teach yourself to do a project of this size as your first project.

I'd def have to agree here. You're trying to do the largest/hardest project with no training. This is not entry level in any way. The lead on this is the guy who's been doing it for 20 years already and can direct traffic with the dozen others who will be doing most of the grunt work!!
 

Math Geek

Not just MCSA, but you need to look deeply into Active Directory. That's what controls the accounts, permissions and so on, which is the core of your goal overall. The MCSA book should get you the "intro to Windows Server" knowledge, and then the next step is deep diving into the specific features you need to truly master for it to work :)

Good luck however you decide to go about it!!

Side note: it takes Windows Pro to connect to a domain, so that cost has to be factored in if your PCs only have Home versions installed. Look into the Education version if needed; it might be cheaper and it has all the Pro and Enterprise features included. It's designed for learning about Windows, but it'll do in a pinch :)
 