Hi,
We have about 1600 active nodes and 6000 students in our network, and we have a great Cisco backbone; we have 8 faculties (they have sites and wireless access points) and 10 centers like a hospital.
We need to organize our network with MS AD. In the first step, having a root AD with a powerful server can be our solution, but from our research I think we need a hierarchical AD: we should have a forest (shahed.ac.ir) and 18 trees for sub-centers (like eng.shaed.ac.ir).
Also we are going to use a Squid server for caching, and its delay pools to share Internet (40 Mb), with NTLM authentication.
What do you think of this plan? Can this solution be appropriate for our network?
We need to have a LOM for this solution (AD); what is the most important thing for this plan (CPU, RAM, hard … of servers)? (We are going to buy HP DL380.)
Please help me.
-
You don't want, and likely don't need, multiple Active Directory domains to manage. Basically, you always want to avoid multi-domain AD deployments if you can help it. (And you really want to avoid multi-forest deployments...)
In a Windows 2000 or Windows 2003 Active Directory, one used multiple domains when there were different groups of users who needed different password policies. Windows 2008 Active Directory can have granular password policies and eliminates this need.
In Windows 2000 - 2008 Active Directory, using multiple domains to partition the AD database into smaller units of replication is also a valid reason. An Active Directory with under 10,000 users isn't really all that large. You likely don't need to use multiple domains for partitioning of replication.
Having usernames read a certain way (i.e. user@shahed.ac.ir versus user@eng.shaed.ac.ir) can be accomplished in a single domain with alternative User Principal Name (UPN) suffixes and isn't a valid reason for deploying a multi-domain infrastructure.
Using Squid and NTLM authentication is a perfectly valid solution for authenticating Internet access. Sizing of your Squid server computers and Active Directory domain controller computers isn't something that Server Fault can reasonably do with the information you've given above. Microsoft has an Active Directory Sizing Tool, but it hasn't been updated in several years (either for updated versions of Windows or updated server hardware specs).
Ansari: Thanks. One of the reasons I have for a separate AD is that we have an agent in every faculty and they can add, remove, and change users. If we have one AD, how can you handle this?
Evan Anderson: Delegation of control in Active Directory provides the mechanism you're looking for. Have a look at http://technet.microsoft.com/en-us/library/cc778807(WS.10).aspx for a good introduction. You are able to modify the default permissions on OU hierarchies in your Active Directory to create areas where delegated administrators can, for example, manage user accounts, reset passwords, or modify group membership.
Ansari: Can you solve this one? http://serverfault.com/questions/97568/integration-of-active-directory-squid-and-traffic-shaper
From Evan Anderson
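The single-domain layout this answer recommends, written out as an added example (this is not code from the thread or from Microsoft). It uses the ActiveDirectory PowerShell module that ships with Windows Server 2008 R2 / RSAT, and assumes a forest root of shahed.ac.ir, one OU per faculty under a hypothetical OU=Faculties, and a per-faculty operators group; all OU, group and suffix names are assumptions. It registers an alternative UPN suffix so faculty users can sign in as user@eng.shahed.ac.ir without a second domain, then delegates only the rights a faculty agent needs, scoped to that faculty's OU.

```powershell
# Added example: one domain, per-faculty OU, alternative UPN suffix, and a
# narrow delegation of control. Names below are hypothetical.
Import-Module ActiveDirectory

$Domain  = 'DC=shahed,DC=ac,DC=ir'
$Faculty = 'Eng'
$Ou      = "OU=$Faculty,OU=Faculties,$Domain"

# 1. Alternative UPN suffix, registered once at the forest level (needs Enterprise Admins).
#    This gives user@eng.shahed.ac.ir logons inside the single shahed.ac.ir domain.
Set-ADForest -Identity 'shahed.ac.ir' -UPNSuffixes @{Add = 'eng.shahed.ac.ir'}

# 2. The OU that becomes the faculty's administrative boundary, and its operators group.
New-ADOrganizationalUnit -Name 'Faculties' -Path $Domain -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name $Faculty -Path "OU=Faculties,$Domain" -ProtectedFromAccidentalDeletion $true
New-ADGroup -Name "$Faculty-Admins" -GroupScope Global -Path $Ou

# 3. Delegate only what the faculty agent needs, and only under this OU:
#    create/delete user objects, reset passwords, edit group membership.
#    Schema and control-access GUIDs below are the well-known constants that are
#    identical in every AD forest.
$UserClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # user object class
$GroupClass    = [Guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'   # group object class
$MemberAttr    = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # "member" attribute
$ResetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" control access right

$Sid         = (Get-ADGroup "$Faculty-Admins").SID
$Allow       = [System.Security.AccessControl.AccessControlType]::Allow
$All         = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$Acl         = Get-Acl -Path "AD:\$Ou"

# Create and delete user objects in the OU and any sub-OUs.
$Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Sid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    $Allow, $UserClass, $All)))

# Reset passwords on user objects below the OU, without granting any other write right.
$Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $Allow, $ResetPassword, $Descendents, $UserClass)))

# Read and write the member attribute of groups below the OU (group membership changes).
$Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Sid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    $Allow, $MemberAttr, $Descendents, $GroupClass)))

Set-Acl -Path "AD:\$Ou" -AclObject $Acl

# 4. Verify what was granted. Because the ACEs live on the faculty OU, they do not
#    reach other faculties' OUs, the Domain Controllers OU, or built-in admin groups.
(Get-Acl -Path "AD:\$Ou").Access |
    Where-Object { $_.IdentityReference -like "*$Faculty-Admins" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

Run it once per faculty with a different `$Faculty`, and keep the verification step in a scheduled review: a delegated agent who can also, for example, link GPOs or write to objects outside their OU is a sign the ACL drifted from this baseline.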
In a setting like this you really need to think much more about identity management than you need to think about the actual user directory mechanism itself. They all can scale to this size trivially.
You should ask yourself about account life-cycles and business rules around account provisioning and roles in your organization. How are accounts going to be created, modified, and deleted? You're not planning on doing it by hand, are you?
As far as your border goes, I'm a fan of freebsd; I'd probably use a simple pair of pf firewalls with carp to do failover, and a transparent proxy for reducing network utilization as much as possible.
Ansari: Thanks. Do you have anything interesting for AD automation?
chris: Adding and removing the accounts is the easy part. Knowing which accounts to add and remove and modify is hard. This site http://www.go4expert.com/forums/showthread.php?t=10609 has an example of how to manage users using VBScript. I suspect you can use ordinary LDAP user management tools as well, though I'm not 100% sure.
Evan Anderson: Scripting AD user management is reasonably easy. In a COM scripting environment (like VBScript or JScript) the ADSI API (which uses LDAP as its wire protocol) is an easy choice. You can certainly leverage LDAP-based provisioning tools, though. The oddest thing about AD versus other LDAP environments that I've found is that AD doesn't support anonymous binds out-of-the-box.
chris: Right -- I imagine the actual user management part of the process is easy. The hard part is getting all the parties involved to agree to the policy and process of user management.
Ansari: Can you solve this one? http://serverfault.com/questions/97568/integration-of-active-directory-squid-and-traffic-shaper
From chris
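An added example of the account life-cycle point made in this answer and its comments (not code from the thread or from the linked VBScript page): the student-records system is the source of truth, and Active Directory is reconciled against a roster export instead of being edited by hand. It uses the ActiveDirectory PowerShell module rather than ADSI/VBScript, and assumes a hypothetical faculty OU and the eng.shahed.ac.ir UPN suffix; the roster CSV is constructed inline, and the OU path, attribute choice and student numbers are all assumptions.

```powershell
# Added example: roster-driven provisioning for one faculty. Everything named here
# (OU, suffix, roster rows) is hypothetical.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web   # for Membership.GeneratePassword

$Ou        = 'OU=Eng,OU=Faculties,DC=shahed,DC=ac,DC=ir'
$UpnSuffix = 'eng.shahed.ac.ir'

# Constructed roster export; in practice this comes from the student-records system.
$Roster = ConvertFrom-Csv @'
StudentId,GivenName,Surname,Status
s100001,Ali,Ahmadi,active
s100002,Sara,Karimi,active
s100003,Reza,Moradi,graduated
'@

# employeeID carries the student number, so matching survives name changes and
# renamed accounts. The result is a hashtable keyed by employeeID.
$Existing = Get-ADUser -SearchBase $Ou -Filter 'employeeID -like "s*"' -Properties employeeID |
            Group-Object -Property employeeID -AsHashTable -AsString

foreach ($row in $Roster) {
    $user = $Existing[$row.StudentId]
    switch ($row.Status) {
        'active' {
            if (-not $user) {
                # New student: created enabled, with a random one-time password.
                $initial = [System.Web.Security.Membership]::GeneratePassword(16, 3)
                New-ADUser -Name $row.StudentId `
                    -SamAccountName $row.StudentId `
                    -UserPrincipalName "$($row.StudentId)@$UpnSuffix" `
                    -DisplayName "$($row.GivenName) $($row.Surname)" `
                    -GivenName $row.GivenName -Surname $row.Surname `
                    -EmployeeID $row.StudentId -Path $Ou `
                    -AccountPassword (ConvertTo-SecureString $initial -AsPlainText -Force) `
                    -ChangePasswordAtLogon $true -Enabled $true
                Write-Host "created $($row.StudentId)"
            } elseif (-not $user.Enabled) {
                # Returning student: re-enable the existing object, keeping its SID and history.
                Enable-ADAccount -Identity $user
                Write-Host "re-enabled $($row.StudentId)"
            }
        }
        default {
            # graduated / withdrawn / suspended: disable, never delete, so the SID,
            # group memberships and audit trail remain available.
            if ($user -and $user.Enabled) {
                Disable-ADAccount -Identity $user
                Set-ADUser -Identity $user -Description "disabled by roster sync $(Get-Date -Format u): $($row.Status)"
                Write-Host "disabled $($row.StudentId)"
            }
        }
    }
}

# Accounts in the OU that have dropped off the roster entirely are disabled as well;
# an account the source of truth no longer knows about must not stay active.
$RosterIds = $Roster.StudentId
foreach ($id in $Existing.Keys) {
    if ($id -notin $RosterIds -and $Existing[$id].Enabled) {
        Disable-ADAccount -Identity $Existing[$id]
        Write-Host "disabled $id (not on roster)"
    }
}
```

Run it first with `$WhatIfPreference = $true` so every New-ADUser, Enable-ADAccount and Disable-ADAccount call only reports what it would do; that dry run is also the cheapest way to get the faculties to agree on the policy (what "active" means, how long a disabled account is retained) before anything is automated.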