
Can you verify my proposed install


ericargyle


Hey guys,

Can you verify my proposed install? I am replacing ancient Novell Netware servers with Windows Server 2008 R2 DCs and FileServers. My environment consists of two campuses with a 100MB Opt-e-man link between them. I have already pieced out file structure and permissions for user data, I am now in the process of planning the actual introduction of the new servers.

The servers are all HP. Each campus has a DL360 and a DL370 x5660 with 36GB RAM. I would like to set up the DC as east-dc.local and east-fs.local. I will be running DHCP on this as a class B, and my scope will be

172.17.6.2 to 172.17.30.254

255.255.240.0 subnet

DNS will also be running locally. Currently all DHCP and DNS is being done through the Sonicwall. I know, it's unfortunate. I inherited this.

Secondly I would like to set up a DC as west-dc.local and west-fs.local. I will be running DHCP on this as a class B, and my scope will be

172.16.6.2 to 172.16.30.254

255.255.240.0 subnet

File servers at both campuses will be configured as vanilla file servers on server-core. Shares will be made per user per campus.

On the East AD, I'm going to structure the AD so that it looks like this:

East (top level OU), Staff (under East), Students (under East), and Teachers (under East). West (top level OU), Staff (under West), Students (under West), and Teachers (under West). I do this per school to make sure shares are created at the desired physical location.

I'm going to set up AD Replication between the 2 DCs, however, they will not be primary and secondary, they will still be their own individual DCs, as I don't want cross campus authentication, however, I do want them to be able to log in when at the opposite school. This should do that cleanly, while only mapping their minimal data home directories cross campus.

Scripts are written for all users, and templates are set up. Printers will be added post clean install and user testing.

There are additional, less Windows Server specific things, like print auditing, and some WSUS I'll set up later.

From an onlooker's perspective, does that all look like it will work cleanly? Anything to keep in consideration? Thanks.

Edited by ericargyle


You'd probably be better off with two AD sites (one DC in each site) and separate them by IP subnet (a /21 at each site, rather than a campus-wide /20). You can set up DFS on the fileservers if you need data replication, otherwise what you're doing is fine. The architectural design of the network itself (for hosting AD) is overly complicated given other options that will work just as well, but what you have will work. Unless you're talking about thousands of seats in each particular portion of campus, splitting them physically makes little sense long-term. Let logical site representation segment logon and replication traffic, not physical design.


Thanks Cluberti. I really, desperately would have loved them to be on the same domain, i.e. campus.local, but how do I dictate different physical workstations to connect to the appropriate DC? Ideally, someone at West should authenticate and pull DHCP from West DC, and East should authenticate and pull DHCP from East DC. The only reason this even matters is because the gateway will be different to get out. Otherwise, I'm open to design ideas you can point me to, or explain in greater detail.

Thanks again.


If you set up proper sites and subnets in AD, people should get pushed to the proper closest DC for authentication.

Also, if you're actually needing that much IP space, you might want to consider at least 2 DCs in each location in case one goes down for whatever reason.
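
An added example, not part of any post in this thread: a Python check of the DHCP scopes and mask from the first post, plus a sketch of the client-to-site lookup that the sites-and-subnets replies rely on. The site names East and West and the subnet objects shown are assumptions for illustration.

```python
import ipaddress

# DHCP scopes and mask exactly as given in the first post.
SCOPES = {
    "East": ("172.17.6.2", "172.17.30.254", "255.255.240.0"),
    "West": ("172.16.6.2", "172.16.30.254", "255.255.240.0"),
}

def networks_touched(first, last, mask):
    """Distinct networks, under the given mask, that hold the scope's two ends."""
    nets = {ipaddress.ip_network(f"{ip}/{mask}", strict=False) for ip in (first, last)}
    return sorted(nets)

def smallest_covering_prefix(first, last):
    """Smallest single CIDR block that contains both ends of the scope."""
    lo = int(ipaddress.ip_address(first))
    hi = int(ipaddress.ip_address(last))
    host_bits = (lo ^ hi).bit_length()          # bits in which the two ends differ
    base = (lo >> host_bits) << host_bits       # clear those bits to get the network
    return ipaddress.ip_network(f"{ipaddress.ip_address(base)}/{32 - host_bits}")

def site_for(client_ip, subnet_objects):
    """Map a client to a site: the most specific subnet object containing it wins."""
    ip = ipaddress.ip_address(client_ip)
    hits = [(ipaddress.ip_network(cidr), site) for cidr, site in subnet_objects.items()]
    hits = [(net, site) for net, site in hits if ip in net]
    if not hits:
        return None  # unmapped client: no site, so no "closest DC" preference
    return max(hits, key=lambda h: h[0].prefixlen)[1]

if __name__ == "__main__":
    for campus, (first, last, mask) in SCOPES.items():
        print(campus, "scope touches", [str(n) for n in networks_touched(first, last, mask)])
        print(campus, "needs at least", smallest_covering_prefix(first, last))
    # Hypothetical subnet objects: one set from the mask as written, one from the covering prefix.
    as_written = {"172.17.0.0/20": "East", "172.16.0.0/20": "West"}
    covering = {"172.17.0.0/19": "East", "172.16.0.0/19": "West"}
    for ip in ("172.17.6.2", "172.17.30.254", "172.16.30.254"):
        print(ip, "->", site_for(ip, as_written), "/", site_for(ip, covering))
```

With 255.255.240.0, each scope as written straddles two /20 networks, so addresses in the upper half of either range fall outside a subnet object built from that mask and would not be mapped to a site.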
