We have about 1600 active nodes and 6000 students in our network, and we have a great Cisco backbone; we have 8 faculties (they have sites and wireless access points) and 10 centers such as hospitals.
We need to organize our network with MS AD. In the first step, having a root AD with a powerful server can be our solution, but from our research I think we need a hierarchical AD: we should have a forest (shahed.ac.ir) and 18 trees for sub-centers (like eng.shaed.ac.ir).
Also we are going to use a Squid server for caching, with its delay pools to share the Internet connection (40mb), and NTLM authentication.
What do you think of this plan? Can this solution be appropriate for our network?
We need to have a LOM for this solution (AD); what is the most important thing for this plan (CPU, RAM, hard … of the servers)? (We are going to buy HP DL380.)
Please help me.
-
I'll leave the AD part of this question to experts, but for traffic shaping: if you plan to allow access to the internet over protocols other than HTTP, I think it's better to use generic traffic shaping [htb / hfsc] provided by Linux to share the bandwidth in a fair way. – pQd Dec 25 '09 at 19:19
-
We need AD to have a user for everyone in the uni; that can be a mail user, a network, printing, FTP, or Squid user. What do you offer me for that? – Ansari Dec 25 '09 at 19:24
-
This or another implementation of LDAP... but I cannot really advise on this... I have experience with AD/LDAP only on a much smaller scale. – pQd Dec 25 '09 at 19:27
-
I asked the Samba team this question; they answered me "in this case AD can be the best advice with squid". – Ansari Dec 25 '09 at 19:30
-
Sure - Squid is fine, but I'm just saying that for limiting traffic, Linux QoS mechanisms will shape the traffic that cannot be directed over Squid. – pQd Dec 25 '09 at 20:04
-
OK, what do you think if we use AD + Squid (for caching and authentication) + generic traffic shaping by Linux? – Ansari Dec 25 '09 at 20:11
-
It should work fine. – pQd Dec 25 '09 at 20:49
-
Thanks, I will start it. – Ansari Dec 26 '09 at 07:19
-
Can you solve this one? http://serverfault.com/questions/97568/integration-of-active-directory-squid-and-traffic-shaper – Ansari Dec 27 '09 at 18:50
2 Answers
You don't want, and likely don't need multiple Active Directory domains to manage. Basically, you always want to avoid multi-domain AD deployments if you can help it. (And you really want to avoid multi-forest deployments...)
In a Windows 2000 or Windows 2003 Active Directory, one used multiple domains when there were different groups of users who needed different password policies. Windows 2008 Active Directory can have granular password policies and eliminates this need.
In Windows 2000 - 2008 Active Directory, using multiple domains to partition the AD database into smaller units of replication is also a valid reason. An Active Directory with under 10,000 users isn't really all that large. You likely don't need to use multiple domains for partitioning of replication.
Having usernames read a certain way (i.e. user@shahed.ac.ir versus user@eng.shaed.ac.ir) can be accomplished in a single domain with alternative User Principal Name (UPN) suffixes and isn't a valid reason for deploying a multi-domain infrastructure.
Using Squid and NTLM authentication is a perfectly valid solution for authenticating Internet access. Sizing of your Squid server computers and Active Directory domain controller computers isn't something that Server Fault can reasonably do with the information you've given above. Microsoft has an Active Directory Sizing Tool, but it hasn't been updated in several years (either for updated versions of Windows or updated server hardware specs).

-
Thanks, one of the reasons I have for separate ADs is that we have an agent in every faculty and they can add, remove, and change users; if we have one AD, how can you handle this? – Ansari Dec 26 '09 at 07:21
-
Delegation of control in Active Directory provides the mechanism you're looking for. Have a look at http://technet.microsoft.com/en-us/library/cc778807(WS.10).aspx for a good introduction. You are able to modify the default permissions on OU hierarchies in your Active Directory to create areas where delegated administrators can, for example, manage user accounts, reset passwords, or modify group membership. – Evan Anderson Dec 26 '09 at 11:00
-
Can you solve this one? http://serverfault.com/questions/97568/integration-of-active-directory-squid-and-traffic-shaper – Ansari Dec 27 '09 at 18:50
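As an added example (not from the answer or its author) of the single-domain layout described above: alternative UPN suffixes per faculty, one OU per faculty, and delegation of user management on that OU only, using the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later) and dsacls.exe. The faculty short names, the NetBIOS name SHAHED, the OU paths and the group names are assumed for illustration.

```powershell
# Added example (assumed names): one domain, faculty UPN suffixes and
# delegated OUs instead of 18 child domains.
Import-Module ActiveDirectory

$forest    = 'shahed.ac.ir'
$domainDN  = 'DC=shahed,DC=ac,DC=ir'
$netbios   = 'SHAHED'                  # assumed NetBIOS domain name
$faculties = @('eng', 'med')           # assumed faculty short names

foreach ($f in $faculties) {
    # 1. Alternative UPN suffix: logons can read user@eng.shahed.ac.ir while the
    #    account lives in the single domain. sAMAccountName stays domain-unique.
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = "$f.$forest" }

    # 2. One OU per faculty, holding that faculty's users and its admin group.
    $ouDN = "OU=$f,$domainDN"
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$f)" -SearchBase $domainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $f -Path $domainDN
    }
    $grp = "$f-UserAdmins"
    if (-not (Get-ADGroup -Filter "Name -eq '$grp'")) {
        New-ADGroup -Name $grp -GroupScope Global -Path $ouDN
    }

    # 3. Delegate only what a faculty agent needs, scoped to this OU subtree:
    #    create/delete user objects, reset passwords, edit user attributes.
    #    Nothing is granted at domain level or on other faculties' OUs.
    $acct = "$netbios\$grp"
    dsacls $ouDN /I:T /G "${acct}:CCDC;user"                 # create/delete child users
    dsacls $ouDN /I:S /G "${acct}:CA;Reset Password;user"    # reset-password control right
    dsacls $ouDN /I:S /G "${acct}:RPWP;;user"                # read/write user attributes
}
```

Run `dsacls $ouDN` afterwards to review the resulting ACL; the faculty group should appear only on its own OU, with no entries on the domain head.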
In a setting like this you really need to think much more about identity management than you need to think about the actual user directory mechanism itself. They all can scale to this size trivially.
You should ask yourself about account life-cycles and business rules around account provisioning and roles in your organization. How are accounts going to be created, modified, and deleted? You're not planning on doing it by hand, are you?
As far as your border goes, I'm a fan of FreeBSD; I'd probably use a simple pair of pf firewalls with CARP to do failover, and a transparent proxy for reducing network utilization as much as possible.

-
Adding and removing the accounts is the easy part. Knowing which accounts to add and remove and modify is hard. This site http://www.go4expert.com/forums/showthread.php?t=10609 has an example of how to manage users using vbscript. I suspect you can use ordinary ldap user management tools as well, though I'm not 100% sure. – chris Dec 26 '09 at 16:48
-
Scripting AD user management is reasonably easy. In a COM scripting environment (like VBScript or JScript) the ADSI API (which uses LDAP as its wire protocol) is an easy choice. You can certainly leverage LDAP-based provisioning tools, though. The oddest thing about AD versus other LDAP environments that I've found is that AD doesn't support anonymous binds out-of-the-box. – Evan Anderson Dec 26 '09 at 22:38
-
Right -- I imagine the actual user management part of the process is easy. The hard part is getting all the parties involved to agree to the policy and process of user management. – chris Dec 27 '09 at 01:28
-
Can you solve this one? http://serverfault.com/questions/97568/integration-of-active-directory-squid-and-traffic-shaper – Ansari Dec 27 '09 at 18:35
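As an added example (not from the answer, its author, or the linked thread) of the account life-cycle point made above: a scripted joiner/leaver pass that reconciles a registrar feed against the single domain with the ActiveDirectory module. The feed is constructed inline; the OU layout (OU=Students under each faculty OU), the `s<StudentId>` logon-name rule and the faculty UPN suffixes are assumptions.

```powershell
# Added example (assumed names, constructed feed): rule-driven account
# life-cycle for the single domain, instead of hand-managed accounts.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web    # for Membership.GeneratePassword

$domainDN = 'DC=shahed,DC=ac,DC=ir'

# Constructed registrar feed; in practice this comes from the student system.
$feed = @'
StudentId,GivenName,Surname,Faculty,Status
900123,Ali,Rezaei,eng,active
900124,Sara,Karimi,med,active
900100,Reza,Moradi,eng,graduated
'@ | ConvertFrom-Csv

foreach ($s in $feed) {
    $sam = "s$($s.StudentId)"                           # domain-unique logon name
    $upn = "$sam@$($s.Faculty).shahed.ac.ir"            # faculty UPN suffix, one domain
    $ou  = "OU=Students,OU=$($s.Faculty),$domainDN"     # faculty OU (delegated to its agents)
    $u   = Get-ADUser -Filter "SamAccountName -eq '$sam'"

    if ($s.Status -eq 'active') {
        if (-not $u) {
            # Joiner: create with a random initial password, forced change at first logon.
            $pw = ConvertTo-SecureString ([System.Web.Security.Membership]::GeneratePassword(16, 3)) -AsPlainText -Force
            New-ADUser -Name "$($s.GivenName) $($s.Surname)" -SamAccountName $sam `
                -UserPrincipalName $upn -GivenName $s.GivenName -Surname $s.Surname `
                -Path $ou -AccountPassword $pw -ChangePasswordAtLogon $true -Enabled $true
        } elseif (-not $u.Enabled) {
            Enable-ADAccount -Identity $u                # returner: reactivate, keep SID
        }
    } elseif ($u -and $u.Enabled) {
        # Leaver: disable rather than delete, so the SID, group history and
        # audit trail survive. Since Squid authenticates with NTLM against
        # the same domain, this also ends the account's proxied Internet access.
        Disable-ADAccount -Identity $u
        Set-ADUser -Identity $u -Description "Disabled $(Get-Date -Format yyyy-MM-dd): $($s.Status)"
    }
}
```

Running this from a scheduled task under a service account that holds only the delegated rights on the student OUs keeps the provisioning path, rather than the faculty agents' interactive logons, as the thing that needs auditing.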