Windows 2003 Server Network - Advice needed


Neil M

I need some expert advice. This is our following setup;
1x Windows 2000 Server (Staff), 1x Novell Server (Learners), 1x Antivirus
Server (W2000 Srv)

I am attempting to upgrade it all, we're getting rid of Novell and going for
2 separate Windows 2003 Servers; one for the Learners, one for the Staff.
Oh and a new Windows 2003 Exchange Server for Staff emails.
My questions are these (if anyone can help);

1) Would it be advisable to use two separate Domains, one for the Learners,
one for the Staff and then link them
(so each logon process is separate) - if so how?
2) How would I link the Exchange server to the Staff server?
3) Is there any extra software (eg: Windows ISA?) that can allow me to
switch internet off on any account on the learner servers (will we need
another server to handle this or can this be done via Windows Server 2003)?
4) Does Exchange 2003 allow Webmail whereas the staff can view their
accounts from home using just a web browser and logon details?
5) I'm also going to change all the desktops to XP Pro, but I need to allow
certain members of staff to add/remove learner accounts easily - can this be
done from the desktops in any way?
6) What are the main differences between Windows 2003 Server and Windows 2003
Server SBS - I have read up on it but wondered if there is any main
advantage over just using Windows 2003 Server.

Any help or advice at this stage would be gratefully received.
I would like to post here but would be grateful if anyone can help me personally
as well.

Thanks,


Neil
 
Those are a LOAD of questions. I would suggest you do a bit more research
before you attempt what you're suggesting. Designing and implementing a
domain structure is up to the engineer that designs it - after due
consideration - with a good working knowledge of how Windows domains
function. For all of the information you're asking for, you might consider
buying a book or two on AD and Exchange. I can tell you that what you are
doing will take a lot of planning and a lot of time to implement. It is
likely to be less than successful if you don't do it right, and your
organization could potentially be down for an extended period of time if the
whole thing fails to work as you hope.

That said:

1) A single domain model is just fine for even the largest organizations -
See OU's, delegation.

2) Exchange is AD Integrated.

3) There are many ways to control Internet access - usually you'd use a
firewall that requires a login to access the Internet - then you could
restrict individual access.

4) Yes.

5) Administrators and/or delegated account managers can manage domain user
accounts - either with an MMC snap-in on workstations or via RDP for
administration - both without having to have physical access to the DC.

6) Basically you need to read the MS blurb. IMHO, SBS is fascist. There are
plenty of restrictions. But the price is compelling. Once again, you'll need
to buy what is right for your organization. SBS will "wizard" you through
the installation of a domain and Exchange. But don't let that fool you into
thinking it will just magically work when you click the last "OK" button.

....kurt
 
psg is right! Some of us have experienced the horrors of trying to migrate
an NT4 domain and Exchange 5.5 when Exchange was installed on the PDC. But
if you install 2K3 Small Business, that's exactly what it does. In fairness
to MS, it's a "package". Not very upgradable or configurable - but it
basically sets itself up. You just have to have somebody around to
administer it once it's installed!
 
Right, after all my reading and that, I feel SBS is probably not the way to
go, so I'm gonna go for pure Windows 2003 Servers (x2) and 1x 2003 Exchange
Server.

Although now I have a problem with domains, would it be better to have two
separate domains on the same network (one for staff, one for learners) or
join them both?
The Tutors need to admin the learners' accounts though - I know I can put the
admin program on their desktop machines and give them rights to do this but
my question is can they only view/change/add certain account folders (eg:
Accounts / Learners not Accounts / Staff) - that's if the accounts can be held
in folders much like Windows 2000 Server.

Thanks for the advice so far, I will probably be picking at all your brains
as and when I think of potential problems.
And you will all be happy to know I am going for the MCSE soon so I can
share my expertise with others at a later date.

Thanks.

Neil
 
Neil,

I would stick with one domain. You can use delegation to have certain
users administer certain OU's.

I would only split the two domains if you feel you need explicit
separation of administration of Active Directory.

In your case I would use delegation and then read up on using
Restricted Groups via group policy. This will ensure another low-level
admin or attacker does not add themselves to your more powerful groups.

psg
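
An added example (not part of the thread or any poster's code) of what a Restricted Groups "Members" list enforces: it parses the `[Group Membership]` section of a GPO security template (GptTmpl.inf) and reports members that are not on the list, which are the accounts a policy refresh removes. The account names, the "Learner Account Operators" group and both sample inputs are constructed, and members are compared as plain names rather than resolved SIDs.

```python
# Constructed sample of a GptTmpl.inf [Group Membership] section.
# "Learner Account Operators" and all account names are hypothetical.
SAMPLE_INF = """\
[Group Membership]
Domain Admins__Memberof =
Domain Admins__Members = neil.admin
Learner Account Operators__Memberof =
Learner Account Operators__Members = tutor.a,tutor.b
"""

# Constructed membership snapshot: tutor.b has been added to Domain Admins.
ACTUAL = {
    "Domain Admins": ["neil.admin", "tutor.b"],
    "Learner Account Operators": ["tutor.a", "tutor.b"],
}

def parse_restricted_groups(inf_text):
    """Return {group: set(members)} for every '<group>__Members' entry."""
    policy, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        # '__Memberof' is additive only; '__Members' is the authoritative list.
        if sep and kind.lower() == "members":
            policy[group] = {m.strip().lower() for m in value.split(",") if m.strip()}
    return policy

def membership_drift(policy, actual):
    """Report, per group, members outside the policy list and listed members absent."""
    drift = {}
    for group, allowed in policy.items():
        current = {m.lower() for m in actual.get(group, ())}
        unlisted, missing = current - allowed, allowed - current
        if unlisted or missing:
            drift[group] = {"unlisted": sorted(unlisted), "missing": sorted(missing)}
    return drift

if __name__ == "__main__":
    for group, diff in membership_drift(parse_restricted_groups(SAMPLE_INF), ACTUAL).items():
        print(f"{group}: unlisted={diff['unlisted']} missing={diff['missing']}")
```
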
 
Ok thanks. I will bear that in mind.
Another thing with administration and active directory - if Exchange links
via AO how do you physically link the exchange AO to the Windows 2003 Server
AO (which will be the main one for us to run)?

I know it sounds a silly question but what is the procedure to link the two?

Regards


Neil
 
"Active Directory" (AD) must be prepared in advance of installing Exchange
using a tool called "forestprep" that adds the hooks and hives for the
mailboxes. When Exchange is installed, it expects to find an
"exchange-ready" domain.

....kurt
 