7

I am currently the only computer guy at a high school (small budget). Currently, there is no real infrastructure in place. There are just office computers connected to a consumer grade router that leads to the Internet via DSL.

The school will be setting up some new computer labs (~100 new computers) with a new broadband line for student use. The school is looking to have each student (hundreds) with his or her own account accessible from any computer, they want the labs firewalled, the Internet content filtered against inappropriate material, and everything else that would go with that.

This is the part where it gets a bit hectic for me. Originally, I'm just there to do basic troubleshooting for the office computers and staff laptops which isn't a problem for me. However, setting up and deploying a real network infrastructure is where I feel I'm a bit in over my head. The school understands this as they should probably have someone with more experience deploying and setting up a networked Windows environment but you make do with what you have.

I think this is a valuable opportunity to get some experience with Windows server and experience with possibly more advanced network hardware as my most advanced network experience lies at home with a bunch of Linux computers networked together. I don't have a more senior person for help so I'm pretty much on my own.

I have an idea of what I need to get done but I need help on the specifics.

  1. What types of computers are robust enough to stand up against abuse? I need a computer that has a lockable chassis to prevent people from opening up the system and mucking around. I also need a Kensington lock to prevent people from just walking out with a computer. I've been looking into Dell OptiPlex 360s and am hoping to get a good price via an educational institution discount, but I can't find specific details about a lockable chassis.

  2. What types of ways can I utilize automation to reduce my maintenance overhead? I can imagine it'll be a nightmare managing ~100 computers if I go about it the same way I do with the office computers. I would like to remotely install the OS, distribute applications, lock down the computers against fiddling and viruses, etc. so that I don't have to physically go to every computer when I need to do something. I believe Windows Server can help with a lot of this via Group Policy, but is there anything else I'm missing?

  3. I've been looking into Cisco for network hardware as I'll need a switch for each lab and an edge router of some sort for the whole network. I'll also need a firewall in place protecting everything. As I have no specific experience in this I'm having trouble picking the right switch, router and firewall models to suit my needs, but I'm guessing I'll need low-end switches, routers, and firewalls.

  4. How many servers will I need? I'm guessing so far 2: Windows Server for Active Directory and a backup server. Do I need another separate server for file serving user documents?

  5. Are there any resources online that I can look at to help me in my situation? Forums, articles, people in similar situations, guides, etc?

  6. It's also likely that in the future the school will want each teacher and staff member to be given a user account so they can go to any computer and access their documents. They'll also probably be looking to add an Exchange server so everyone has a school e-mail account and is able to access their own e-mail through Outlook on their accounts. I need to make sure anything I do now with regards to the network leaves room for future expansion and integration with the office. Are there any potential pitfalls I should be aware of?

  7. Any other advice?

UPDATE 1: Well, I've been researching a ton of information lately about all the various aspects of what I'll need to do and I sure am learning a lot. The answers to my questions have definitely pointed me in the right direction. As I dig deeper into things like picking the right hardware, remote management solutions, locking down systems, etc. I'm finding I'll probably be asking more questions about more specific things later, but for now I think I'm on the right track.

If I could I'd pick multiple posts as the "correct answer" as I felt more than 1 post here helped me.

HopelessN00b

6 Answers

4

Reaching back to my days managing school labs here are some of my suggestions:

  1. We would just get whatever mid-level machine was available at the time, and as Oskar Duveborn has said, get computer desks with lockable cages. We used the kind that would just clamp the top and bottom down, then we would use the built-in lock to lock down the case and run a simple flexible chain through a fixture we superglued to the chassis and around the desk. Really, what these are are deterrents, but even in the tech school where the kids had access to bolt cutters, welding tools, etc. I think we only had 2 or 3 break-ins to the cases in the 3 years I was there. Basically just buy something reasonable and a few spares and expect the machines to be broken into no matter what you do - but don't let that be a reason to not put any deterrents in (for example we found a PB&J sandwich in a CD-ROM drive once...)

  2. We used Ghost and PXE booting to reimage the machines. Build up a master image once - redo it yearly, or quarterly, or bi-yearly, and you are good to go. Also, Group Policy is your friend! If you get into complex software pushes I would look into MS SCCM (I think that is the name of it now.)

  3. For your size I would skip the router and just use the firewall as a "router" (it's really NATing across legs, but the end effect is the same). You would probably need something in the ASA 5520 range; also, for a school, I would invest in the SCS module to do web filtering. Also learn how to do VLANs and put each lab into its own VLAN, admins in another and servers in yet another.

  4. If you can swing a second server go for it, otherwise you should be alright hosting AD, DNS, DHCP, and Files on the same machine. Please stay AWAY from SBS ... pleeasse. Make sure you have a good tape backup system. BackupExec and ArcServe are probably the friendliest for someone new to this stuff.

  5. Honestly, Google will be your best friend.

  6. I think if you follow the advice you get from here, and go get some books on AD, networking and Cisco, you should end up with a design that will work very well for you and leave room for future expansion.

  7. Good luck, read a lot, get some books, and set up one lab first: play around, learn and model things before you give it the blessing. Possibly, if school is in session, talk to the teachers (comp sci/science mostly) and see if you can get a couple of trusted students to come in and try and break things.

Oh, and one more thing. Set the machines to boot from PXE, then HD, and disable all other boot options, then put a BIOS password on the machines. That way the kids can't boot from CD/USB and undo all your hard work securing the systems!

Zypher
  • Upvoted for staying away from SBS. This is nowhere close to a small business environment. This is absolutely an enterprise environment, and SBS would just plain not work for you if you bought it. You claim you will have over 100 new computers, and probably even more users. SBS maxes out at 75 users or computers, if I am recalling correctly. – phuzion Aug 20 '09 at 01:07
  • Good catch locking down BIOS Setup - though doing it manually on 100+ PCs isn't something I'd enjoy; check with whoever is chosen to deliver the machines if they can do this before delivery for some small fee ^^ – Oskar Duveborn Aug 21 '09 at 05:22
  • Yep ... that's how I broke Deep Freeze in high school :). The only vendor I can speak to is Dell - the Dell Management Console can push out 1) the boot order and 2) the BIOS password on their machines. – Zypher Aug 21 '09 at 14:20
3

2 : For a computer lab, I'd definitely suggest going for a thin client environment.

You'd have to spend more money on servers, but on the other hand you'll probably be spending a lot less on client computers. Of course you'd also have to evaluate other factors such as licensing costs in order to determine if this approach would be convenient for your school.

If there's no choice and you can't go for a thin client environment, try to deploy a fully automated cloning solution like Symantec Ghost Solution Suite. Also take Kyle's advice and install Deep Freeze or any other similar product on every PC (for a computer lab at a high school, that's a must).

5 : For good inspiration, take a look at the USITE/Crerar project. That's certainly another kind of environment, but perhaps you can borrow some good ideas about other important aspects of a lab, like physical layout.

6 : Hosting your own mail services doesn't seem like a good idea in the context that you've described. I'd recommend Google Apps for Education instead.

mfriedman
2
  1. Sturdy computers are either extremely expensive or do not exist. A cage for it, on the other hand, is usually very sturdy and not too expensive. The cage with a lock will prevent both tampering and theft and will nicely have the computer mounted to or beneath the desk. A Kensington wire is sadly way too easy to just cut with some decent tools.

  2. Microsoft's Zero Touch strategy would give you automated deployment through a number of products, though in this case Lite Touch would be a more realistic goal when it comes to tools and skills. It's still "the Microsoft way", hence rather involved and at times complicated (and often expensive ;) Old-school (ahem, "traditional") imaging applications could provide easy nightly re-imaging of the computers instead. But if it's a Microsoft environment that's supposed to be deployed, I would spend the time needed for some consulting from a partner about how to approach the problem. Where I live this is usually free.

  3. Going all out Microsoft, ISA Server / Forefront TMG is both easy and powerful for securing the perimeter, inspecting the actual traffic, doing fine-grained internet access-control on a user-basis and providing internet content caching.

  4. I'd say 2 basic infrastructure servers providing Active Directory as DCs, DNS, DHCP (unless you put that role onto some other network device), Certificate Authority and so on. Then whatever else you need, like a third for file sharing and a fourth for printer sharing - or merge them into a single server, though I'd recommend against that due to printers mostly being evil in nature, file sharing not so much. A backup server seems useful; is there no other existing equipment at the location or remotely that could do backup, though?

When it comes to Microsoft stuff, try to stay current. Right now I'd roll out the latest right away, that is Windows 7 and Server 2008 R2. That will make future expansion and more advanced management slightly easier.

Think of what approach to use on the schoolroom computers. Should students be allowed to tinker as they want by being administrators? If so that will require a completely different approach than if they are only allowed to use already installed applications.

To lock down such computers by central policy, look at the built-in AppLocker, which in its latest incarnation FINALLY is actually useful and will only allow the launch of approved applications. Software Restriction Policies, as it's been called in the past, has had some really problematic limits preventing it from being used where really needed.

Other Microsoft technologies to look out for are SteadyState (previously Shared Computer Toolkit), though I haven't tested it myself so I have no idea how well it scales upwards from an administration standpoint - I'd actually say look at the other answers on third-party products for wiping and reloading the computer each night, especially ones specifically targeted at schools. But a few hours with some skilled Microsoft evangelist might change that.

If going all-out Microsoft, look at Domain Isolation (also "built-in") to prevent someone who gains access to the physical network from actually doing much with any Windows host - as they'll be more secure and only talking to authorized nodes using IPsec, ignoring anything else. It requires some extra thought, for instance print servers needing exceptions to talk to printers and so on.

Oskar Duveborn
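Both Zypher's "Group Policy is your friend" and Oskar's AppLocker paragraph describe the same control without showing it: an allow-list of approved programs pushed to the lab PCs from the domain. The following script is an added example, not code from the thread or from Microsoft, showing how a practitioner would build that policy with the AppLocker cmdlets shipped in Windows 7 / Server 2008 R2 (with the Group Policy management tools installed on the machine where it runs). The GPO LDAP path and the directory names are placeholders; the reference PC is assumed to be a clean copy of the image you intend to deploy.

```powershell
# Added example (not from the thread or from Microsoft). Assumes Windows 7 /
# Server 2008 R2, the AppLocker module, and a lab GPO at the placeholder path.
Import-Module AppLocker

$gpoLdap   = 'LDAP://dc1.school.example/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=school,DC=example'
$policyXml = 'C:\AppLocker\lab-policy.xml'
New-Item -ItemType Directory -Force -Path (Split-Path $policyXml) | Out-Null

# AppLocker rules are silently ignored unless the Application Identity service
# runs; this must be set on every lab PC (in the image or via GPO), not just here.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 1. Inventory the executables on a clean reference lab PC, so the rules
#    describe exactly what the school installed and nothing else.
$inventory = @()
foreach ($dir in 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows') {
    if (Test-Path $dir) {
        $inventory += Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
    }
}

# 2. Generate allow rules for Everyone: publisher rules where a binary is signed,
#    hash rules otherwise. -Optimize folds files from one signer into one rule.
#    Anything not covered (student profiles, USB sticks, downloads) is denied
#    by default once enforcement is on.
New-AppLockerPolicy -FileInformation $inventory -RuleType Publisher, Hash `
                    -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyXml -Encoding UTF8

# 3. Start in audit mode: AppLocker logs what it *would* block without breaking
#    the lab on day one. Change 'AuditOnly' to 'Enabled' when the log is clean.
$xml = [xml](Get-Content $policyXml)
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$xml.Save($policyXml)

# 4. Sanity-check the generated rules against a known-good binary before
#    touching the domain; notepad.exe should come back as Allowed.
Test-AppLockerPolicy -XmlPolicy $policyXml -Path "$env:SystemRoot\notepad.exe" -User Everyone

# 5. Write the policy into the lab GPO (replaces any AppLocker policy already
#    in that GPO; add -Merge to combine instead). Clients pick it up on the
#    next policy refresh or 'gpupdate /force'.
Set-AppLockerPolicy -XmlPolicy $policyXml -LDAP $gpoLdap

# 6. After a week of audit mode, review what would have been blocked on a lab
#    PC; unexpected entries mean a rule is missing, expected ones mean it works.
Get-AppLockerFileInformation -EventLog -EventType Audited -Statistics
```

Two things the script deliberately does: it builds the inventory from the image rather than from a PC students have already used, and it starts in AuditOnly so a forgotten helper executable shows up in the event log instead of as a broken lab. Publisher rules follow the binary, not its path, so a signed program copied into a student profile is still allowed; an unsigned, un-inventoried one is what the Denied events will show.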
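Oskar's Domain Isolation paragraph also benefits from a concrete instance, including the printer exception he mentions. The script below is an added example and not from the thread: it creates the connection security rules with netsh on a single Windows 7 / Server 2008 R2 test machine, where they can be tried before the same rules are placed in a domain GPO (Windows Firewall with Advanced Security, Connection Security Rules). The subnets are placeholders for a school's own addressing.

```powershell
# Added example (not from the thread). Assumes Windows 7 / Server 2008 R2 domain
# members; subnets below are placeholders. Run elevated on a test machine first.

$printerSubnet = '10.0.50.0/24'   # placeholder: network printers (no IPsec support)
$dcSubnet      = '10.0.10.0/24'   # placeholder: domain controllers

# 1. The isolation rule: every inbound connection must be authenticated, outbound
#    connections request authentication and fall back to clear if the peer can't.
#    auth1=computerkerb means the peer must hold a computer Kerberos ticket, i.e.
#    be a member of the domain; an unmanaged laptop on the lab switch cannot
#    open a connection to this host at all.
netsh advfirewall consec add rule name="Domain Isolation" `
    endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb

# 2. Authentication exemptions for peers that can't do Kerberos/IPsec. Printers,
#    as the answer notes, are the usual case ...
netsh advfirewall consec add rule name="Exempt printers" `
    endpoint1=any "endpoint2=$printerSubnet" action=noauthentication

# ... and the domain controllers: a freshly imaged PC needs to reach a DC to get
#   the very Kerberos ticket the isolation rule asks for, so DCs are exempted
#   from the rule (the usual practice in domain isolation designs).
netsh advfirewall consec add rule name="Exempt domain controllers" `
    endpoint1=any "endpoint2=$dcSubnet" action=noauthentication

# 3. Make a firewall rule depend on the IPsec authentication: the file-share
#    port only accepts connections that were authenticated by a consec rule.
netsh advfirewall firewall add rule name="SMB from domain members only" `
    dir=in action=allow protocol=TCP localport=445 security=authenticate

# 4. Verify: list the rules, then watch main-mode security associations appear
#    once another domain member connects.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
```

Test it between two lab PCs first: a domain member should still reach the share, while a machine that is not joined to the domain gets no response on port 445. The exemption list is where the extra thought Oskar mentions goes; every non-Windows device the lab depends on (printers, a Linux file server, a management appliance) needs either an exemption or its own IPsec configuration.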
2

Recommendation for Question number #2.
I can't remember the name of the particular product, but at a school I worked at we used software that re-imaged the computer every night. So the entire thing was overwritten with the image. Then there would be a network share for the users' documents. This will make your life so much easier: if someone messes something up, you can either force a reimage or put an Out of Order sign on it until the next morning :-)

Kyle Brandt
  • Actually, I think it would reimage on every boot, and they were rebooted automatically every night. – Kyle Brandt Aug 19 '09 at 20:12
  • Probably Deep Freeze (http://www.faronics.com/); at least when I was in school/college that was THE product to use. Microsoft has one now, I forget its name though ... IMHO not nearly up to the task yet. – Zypher Aug 19 '09 at 20:26
  • Zypher, Yup, I think that was it. – Kyle Brandt Aug 19 '09 at 20:34
1

1 Computers

The Dells that you mention are probably a good solution, since your goal isn't so much exceptional performance as affordability and homogeneity. I see a chassis flange on this page - http://www.dell.com/us/en/enterprise/desktops/desktop-optiplex-360/pd.aspx?refid=desktop-optiplex-360&cs=555&s=biz

2 Remote installation and maintenance

I assume you're using Windows Vista or 7. If you've got money, go for a Ghost-type solution. If not, I'd recommend Clonezilla, which I use on our laptops here. It's simple to create an image, and the server edition can be used for mass wipes.

3 Switches

Cisco is expensive, unless you can get edu discounts. For the extreme low end, I'd recommend Netgear GB switches, though don't get the 48-port models, as they overheat. If you need 48 ports, do the step up and get 3Com 48-port switches. Essentially, you need smart switches with the ability to do dot1q VLAN tagging. Even if you don't need it now, you will thank me later.

4 Servers

You can get by with two, although I would recommend that your backup server function as a domain controller as well. You don't ever want just one Windows DC. Plus one server for your Exchange mail, too.

5 Resources

Google is your friend. A quick search led me to this: http://www.educause.edu/ which sounds great. I'm sure you'll be able to find more, and if I find any, I'll update the post.

6 Future expansion

Use open standards as much as possible, buy devices with upgradable firmware, and keep your eyes open so you have a year or so advanced warning of changes.

Matt Simmons
0

I can't advocate giving out real computers anymore in this day and age. Build your lab as DaaS, with a good self-hosted cloud back-end. See the marvels at -> www.sun.com/vdi/ Result: +1 Flexibility, +1 Indestructibility. Cheers, R.