Dear subscribers
I'm helping a small school with their network and we have recently invested
in some new equipment and I would like some suggestions about the tasks
ahead. Until now the network has been very simple with a single Active
Directory domain server (W2K) and a number of client computers running Win
XP Pro and users in the domain. It hasn't been structured in any way, i.e.
both the staff's, teachers' and students' accounts and computers have
been members of this single domain; e.g. assume the domain is "school.com".
Now we have invested in two additional servers and a proper firewall and we
would like to partition the network in two internal sections,
administrative/teachers and students, and one connection to the internet,
i.e. three sections total. In this new design I will have the original
server and one of the new ones running in one section serving the
administrative and teacher co-workers and the other internal section will
have one server serving the students. The thing is that I'm not sure which
way is the best way to organize the domain considering these upcoming
changes. Should I create a child domain, e.g. students.school.com, or should
I create a completely separate domain that has nothing in common with the
original domain? Or maybe there is yet another way?
For the design of the network there are a few things to consider. First, the
reason for doing this operation is to improve the security and separation of
the school's administrative system from the network containing the students.
This in turn would allow us to have a less strict policy enforced on the
student computers. The situation is complicated by the fact that the
teachers need to work in both the administrative/teacher network as well as
in the student net and preferably have some kind of access to their accounts
in the administrative net. They will most likely use the
administrative/teacher net as their main network where they will develop new
working material etc. which will be used in the student net. At the same
time it's vital that the students won't have access to the administrative
net. To solve this I'm considering using Remote Desktop Access (RDA)
through the firewall, i.e. when the teachers are using a computer in the
student net they use RDA to access their own computer in the administrative
net. Any suggestions would be greatly appreciated.
There are some Windows features that we use today and would prefer to be
able to use in the future if possible:
- Roaming profiles, every user account has a roaming profile, i.e. the
Desktop, My Documents and Application Data are transparently stored on the
main server. When the user logs on to a new computer they have access to all
of their documents, favourites etc.
- The users' Profile is stored on the server, i.e. additional configuration
data not covered by the Roaming profile is stored on the main server.
- Remote Installation Services, when I need to reinstall the client
computers I boot them using the network card boot (PXE) and the server
provides an installation image, i.e. the installation is completely
automated.
- Software, e.g. Office, is distributed using Group Policies (GPO).
The first two features are the ones that worry me the most since they
require access to the main server which will from the teachers' point of
view be on the wrong side of the firewall when they are in the student net.
If I use a child domain for the student net I assume that they would still
be able to log on using a single account in both the administrative/teacher
and student nets, but the profile will in both nets be stored on the server
in the admin net which will of course not be accessible from the student
net. Maybe I can use RDA to solve this but any suggestions would be most
welcome.
Are there any other known consequences when moving student accounts to the
new child domain, i.e. I assume that I can in some way move accounts (users
and computers) from the main domain to the child domain? I would like to
achieve that the student accounts are valid in the students.school.com
domain but not on a computer in the school.com domain.
Any help and suggestions on this issue would be greatly appreciated.
Kind regards, Ola Theander