ENVIRONMENT
The DC Public Library (DCPL) network consists of one main site (Martin
Luther King Library-IT Division) and more than 23 remote sites. The sites
are spread around Washington DC, Maryland and Virginia and are connected
by either T1 or DSL lines. There are more than 400 users in the main site
and around 100 in all remote sites. The network is made up of around 80
machines in the main site and 1-5 machines in every remote site. Most of
these machines are used by multiple users. Additionally, each site has 10-50
machines used for anonymous access to the Internet. The network was divided,
for security reasons, into three domains. Two domains are used to service
the actual library employees, and one is used for library visitors. All
the IP addresses were static, and the network had one WINS server that also
acted as a backup server. Network security was controlled by means of NT
Policies and roaming profiles. All the administrators had access to all the
resources on the network, and there was no hierarchy that controlled "who
can administer what". Furthermore, the administrators had no means to
organize users, computers and groups into administrative units, which made
any administrative task (for example, deploying new software or a service
pack) laborious.
CHALLENGE
Migrate the environment from a static Windows NT 4.0 network to a more
dynamic Windows 2000 network, simplify the day-to-day work of DCPL's
administrators, and extend their ability to manage network objects. 3H
Technology (3H) was tasked to accomplish the following goals:
- Develop a plan to migrate the network from Windows NT to native Windows
2000 mode
- Design an Active Directory Structure to help facilitate day to day administration
- Utilize Active Directory and Windows 2000 DNS to allow automatic name
registration
- Add a DHCP server to the network and integrate it with dynamic name
registration to reduce the effort of adding new workstations and configuring
their IP properties
- Organize users, groups, printers and computers in logical units for
easier administration
- Design a plan for delegating administrative work among several administrators.
The solution should take logical separation of tasks into consideration
- Add 46 new workstations with Windows 2000 Professional and a complete
suite of proprietary software that allows the users to query available
books and place requests
- Design and implement a method of using Active Directory to push new
software updates and service packs to all Windows 2000 users
- Design a security solution to control users' access to workstations
and network resources. The solution should restrict both Windows 2000
Professional and Windows NT users.
- Add a NAS (Network Attached Storage) device to the network to be used
as a file server.
SOLUTION
3H performed a network survey of DCPL's network. The survey was
followed by a Q&A session with DCPL's Engineers about the network and
their routine administration duties. 3H installed a new server as a domain
controller and transferred all the user accounts to it. The new server was
the base for a small Windows 2000 network that contained an Active Directory
domain controller, a DNS server and a DHCP server. The DNS server was
configured to integrate with the DHCP server and register the IP addresses
of all PCs and servers dynamically; the registration happens automatically
when a machine receives its address from the DHCP server.
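The DHCP and DNS integration described above, as an added example that is not 3H's or DCPL's configuration. It is written for the DhcpServer and DnsServer PowerShell modules of a current Windows Server (Windows 2000 offered only the MMC snap-ins and netsh dhcp for the same settings) and assumes an AD-integrated zone; the host names, zone name, addresses and the service account are assumptions.

```powershell
# Added example, not the project's own configuration. Requires the DhcpServer
# and DnsServer modules; the names and addresses below are hypothetical.
Import-Module DhcpServer
Import-Module DnsServer

$Dc   = 'dc01.staff.dcpl.local'    # hypothetical DC hosting the AD-integrated zone
$Dhcp = 'dhcp01.staff.dcpl.local'  # hypothetical DHCP server
$Zone = 'staff.dcpl.local'

# Accept dynamic updates only from authenticated (Kerberos-signed) clients.
# 'NonsecureAndSecure' would let any host on the wire overwrite another
# machine's A record.
Set-DnsServerPrimaryZone -ComputerName $Dc -Name $Zone -DynamicUpdate Secure

# Scope for the main site (constructed addressing).
Add-DhcpServerv4Scope -ComputerName $Dhcp -Name 'MLK main site' `
    -StartRange 10.10.0.50 -EndRange 10.10.3.250 -SubnetMask 255.255.252.0 `
    -LeaseDuration (New-TimeSpan -Days 8)
Set-DhcpServerv4OptionValue -ComputerName $Dhcp -ScopeId 10.10.0.0 `
    -Router 10.10.0.1 -DnsServer 10.10.0.10 -DnsDomain $Zone

# Servers and printers that must keep a fixed address get a reservation
# instead of a hand-configured static address.
Add-DhcpServerv4Reservation -ComputerName $Dhcp -ScopeId 10.10.0.0 -IPAddress 10.10.0.20 `
    -ClientId '00-11-22-33-44-55' -Name 'prn-ref-01' -Description 'Reference desk printer'

# Let the DHCP server register A and PTR records as each lease is handed out,
# also for clients that cannot register themselves (the remaining NT 4.0
# workstations), and remove the records when the lease expires. Name
# protection stops one client from claiming a name another client registered.
Set-DhcpServerv4DnsSetting -ComputerName $Dhcp -DynamicUpdates Always `
    -UpdateDnsRRForOlderClients $true -DeleteDnsRRonLeaseExpiry $true -NameProtection $true

# Register with a dedicated low-privilege account. Without it, a DHCP server
# that runs on a DC writes records as the DC's computer account, and those
# records can later be changed only by that DC.
$cred = Get-Credential -UserName 'STAFF\svc-dhcp-dns' -Message 'DNS update credential'
Set-DhcpServerDnsCredential -ComputerName $Dhcp -Credential $cred

# Check the zone policy and the effective DHCP-side DNS settings.
Get-DnsServerZone -ComputerName $Dc -Name $Zone | Select-Object ZoneName, DynamicUpdate
Get-DhcpServerv4DnsSetting -ComputerName $Dhcp
```

One caveat a practitioner should keep in mind: adding the DHCP server to the DnsUpdateProxy group makes the records it creates ownerless, so any client can overwrite them; if that group is used at all, name protection must stay enabled.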
At this stage, 3H began to design the layout of the DCPL Active Directory.
The design adhered to the following:
- For security reasons, and because of the way business flow was managed
in DCPL, the three domains were kept as the base of the design but were
integrated in all aspects of the project.
- The three domains were made part of the DCPL Active Directory tree (see below for diagram).
- Each department had its own OU (Organizational Unit) under its respective
domain. Some of the OUs were linked to Group Policy Objects to control
users' access to resources and to enforce essential system configuration.
- A Remote Installation Server was built and joined to the new domain
to facilitate software deployment. Moreover, additional Group Policy Objects
were created so that software updates and service packs could be pushed to
the users of the assigned OUs. An older NT Policy was also modified to meet
the new requirements and was kept in place to control security for users of
machines not running Windows 2000 Professional.
- Organizational Units were used as the structure for Delegation of Control.
A few administrators were given permission to manage the entire network,
and the rest were assigned to specific OUs only. This way, the more
privileged administrators were able to delegate network maintenance
responsibility.
- Different Active Directory Sites were created for remote sites and were
all linked to the main default site. The site creation was based on the
link speed and the geographical location of the site. This helped to control
replication traffic and to maintain connectivity for all users.
- A fault-tolerant NAS (Network Attached Storage) device was connected
to the network and used to store users' files. Additionally, the engineers
planned a simple backup solution that integrates with the NAS device.
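The OU layout, delegation of control and site design from the list above, as an added example that is not 3H's or DCPL's scripts. It targets the ActiveDirectory PowerShell module of a current Windows Server (Windows 2000 offered the Delegation of Control wizard and the Sites and Services snap-in for the same work); the domain staff.dcpl.local, the Reference department, the Reference-Admins group and the subnets and site names are assumptions.

```powershell
# Added example, not the project's own scripts. Assumes the ActiveDirectory
# module, which also provides the AD: drive used by Get-Acl/Set-Acl. The
# domain, OU, group, subnet and site names are hypothetical.
Import-Module ActiveDirectory

$DomainDN = 'DC=staff,DC=dcpl,DC=local'
$OuDN     = "OU=Reference,$DomainDN"
$Group    = 'Reference-Admins'

# 1. One OU per department, with users and computers in separate child OUs so
#    that a right delegated over user objects never reaches computer accounts.
New-ADOrganizationalUnit -Name 'Reference' -Path $DomainDN
New-ADOrganizationalUnit -Name 'Users'     -Path $OuDN
New-ADOrganizationalUnit -Name 'Computers' -Path $OuDN
New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security -Path "OU=Users,$OuDN"

# 2. Delegation of Control: the departmental admins get only the rights they
#    need on their own OU. The GUIDs are the schemaIDGUID / rightsGuid values
#    of the default AD schema and are the same in every forest.
$UserClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # class 'user'
$ComputerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # class 'computer'
$ResetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # control access right 'Reset Password'

$sid   = (Get-ADGroup $Group).SID
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$Desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$All   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

function Grant-OuRight {
    param([string]$DN, [System.DirectoryServices.ActiveDirectoryAccessRule]$Rule)
    $acl = Get-Acl -Path "AD:\$DN"
    $acl.AddAccessRule($Rule)
    Set-Acl -Path "AD:\$DN" -AclObject $acl
}

# Reset passwords on user objects below OU=Users, and nothing else on them.
Grant-OuRight "OU=Users,$OuDN" ([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $Allow,
    $ResetPassword, $Desc, $UserClass))

# Create and delete computer accounts in OU=Computers (join machines to the domain) ...
Grant-OuRight "OU=Computers,$OuDN" ([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild', $Allow,
    $ComputerClass, $All))

# ... and manage the computer objects that already exist there.
Grant-OuRight "OU=Computers,$OuDN" ([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, $Allow,
    $Desc, $ComputerClass))

# Check what was granted, and that nobody took the shortcut of putting the
# delegated group into Domain Admins, which would make the delegation moot.
(Get-Acl "AD:\OU=Users,$OuDN").Access |
    Where-Object { $_.IdentityReference -like "*\$Group" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType
Get-ADGroupMember 'Domain Admins' | Select-Object Name, objectClass

# 3. Sites and site links. The main site keeps the default site object; each
#    branch gets its own site and subnet. Link cost and interval follow the
#    line speed, so the KCC prefers T1 paths and DSL branches replicate less often.
New-ADReplicationSubnet -Name '10.10.0.0/22' -Site 'Default-First-Site-Name'
New-ADReplicationSite   -Name 'Branch-T1-01'
New-ADReplicationSubnet -Name '10.20.1.0/24' -Site 'Branch-T1-01'
New-ADReplicationSite   -Name 'Branch-DSL-01'
New-ADReplicationSubnet -Name '10.20.2.0/24' -Site 'Branch-DSL-01'
New-ADReplicationSiteLink -Name 'MLK-Branch-T1-01'  -SitesIncluded 'Default-First-Site-Name','Branch-T1-01' `
    -Cost 100 -ReplicationFrequencyInMinutes 60  -InterSiteTransportProtocol IP
New-ADReplicationSiteLink -Name 'MLK-Branch-DSL-01' -SitesIncluded 'Default-First-Site-Name','Branch-DSL-01' `
    -Cost 400 -ReplicationFrequencyInMinutes 180 -InterSiteTransportProtocol IP
```

The security point is in step 2: Reference-Admins can reset passwords for the users in its own OU and join machines into it, but cannot touch objects outside that OU, the other two domains, or the privileged groups, which is exactly the separation the flat NT 4.0 administrator model could not express.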
After implementing the above Active Directory design as the foundation for
the migration, the engineers pushed a pre-created Windows 2000 Professional
image to all the new workstations. The image contained all the necessary
applications and was tuned specifically to meet both users' and administrators'
needs. Deploying the Windows 2000 Professional image to the workstations as a
push saved a lot of time and minimized the total cost of the migration. The
image was also stored on the network so that DCPL administrators could use it
to upgrade older NT Workstation machines. The migration was completed by
surveying the changes and helping DCPL's engineers become familiar with all
the changes made to the network.