Directory Design for a School Network
Novell Cool Solutions: Trench
Posted: 12 Jul 2002
I am redesigning our edu tree and am wondering what to do because reading Novell's recommendations for NDS design, I should not use dedicated containers. What bothers me is that we have about 1200 user accounts (which are updated every course) and I do not know where to put them. These student accounts will be using different computers all the time, so I cannot put them into the, let's say, departmental containers. It makes no sense. After a lot of thinking, my idea is to put all users in one container, which gives our tree something like the following layout:
EDU (tree)
  DRN (location)
    USERS (ou)
      Teachers (ou)
        users (leaf)
      Students (ou)
        CourseYear (ou)
          users (leaf)
    APPL (application-ou)
      File Servers (leaf)
      Applications (leaf)
      Printers (leaf)
      User Groups (leaf)
    RES (resources ou)
      LIB (ou)
        Workstation Objects
      ART (ou)
        Workstation Objects
      etc
My idea is that in this design users have:
- Fast access to applications
- Ease of administration for workstation objects
- Users can log in anywhere (Contextless Login)
- Because printers are assigned to the workstation object, the user will have the right printer
But how about when this tree grows? It's difficult for me to see how it will develop in the future. In the near future this tree will merge with three similar trees; could there be a partitioning problem? We make use of ZENworks, which also has an impact on this design. I somewhat designed this tree around ZENworks; is that a problem?
Is it better to bring up the resource containers (LIB, ART etc) one level higher? In these containers I will put the workstation objects with the workstation Policy objects. The workstations have policies for printers etc.
We use the following network resources:
- NetWare 4.2
- ZENworks for Desktops 2
- Windows NT 4 workstations
We use the following design...
In our school, students are divided into "tag" groups according to the year of enrollment. This means their login account can last them for their five years at high school. (You could substitute course containers?) In the tree, there are five tag containers of about 300 students and about fifteen Lab containers of between 6 and 32 workstations in each location. Contextless logins required.
O=STUDENT
  server
  policy (server)
  OU=APPS
    app01 ... app50
  OU=TAG02 (launcher property, user app search this container)
    student001 ... student298
    policy (container) search set to container
    policy (user)
  OU=LAB01 (launcher property, w/s app search this container)
    user (used only for w/s import)
    printer
    workstation01 ... workstation20
    policy (container) search set to container
    policy (workstation)
In a typical login...
Student01 logging in on workstation01 in Lab01 gets the following...
- apps and policies associated only with the Tag02 student container. (The search is short because the student object will search only as far as its own container.)
- apps, policies and printer associated with the Lab01 container. (The search is short because the workstation object will search only as far as its own container.)
For example, all students get MSOffice and IE as user apps irrespective of location. However, they get CAD apps in the drawing lab and NWprman with the local printer showing.
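The short search described in the answer above, as an added example that is not part of the original post and is not ZENworks code: a simplified Python model in which associations sit on containers and each object walks up only a limited number of levels. The association data, the `levels` parameter, the org-wide item and treating LAB01 as the drawing lab are assumptions made for illustration.

```python
# Simplified model (an assumption, not the ZENworks algorithm): associations
# live on containers, and an object collects them by walking up from its own
# container for at most `levels` parents (0 = own container only).
TREE = {  # constructed sample data: object or container -> parent container
    "student001": "OU=TAG02", "workstation01": "OU=LAB01",
    "OU=TAG02": "O=STUDENT", "OU=LAB01": "O=STUDENT",
    "OU=APPS": "O=STUDENT", "O=STUDENT": None,
}
ASSOCIATIONS = {  # constructed: container -> apps/policies associated with it
    "OU=TAG02": ["MSOffice", "IE", "policy (user)"],
    "OU=LAB01": ["CAD", "NWprman", "policy (workstation)"],
    "O=STUDENT": ["org-wide item (constructed)"],
}

def containers_searched(obj, levels=0):
    """Return the containers visited, starting at obj's own container."""
    visited, current = [], TREE[obj]
    while current is not None and len(visited) <= levels:
        visited.append(current)
        current = TREE[current]
    return visited

def effective(obj, levels=0):
    """Collect associations from every container the search visits."""
    found = []
    for container in containers_searched(obj, levels):
        found.extend(ASSOCIATIONS.get(container, []))
    return found

def login(user, workstation, levels=0):
    """Combine what the user object and the workstation object each find."""
    return {
        "user": effective(user, levels),
        "workstation": effective(workstation, levels),
        "containers_read": containers_searched(user, levels)
        + containers_searched(workstation, levels),
    }

if __name__ == "__main__":
    # Search limited to the object's own container, as in the design above.
    print(login("student001", "workstation01", levels=0))
    # One level further up: more containers are read and items set higher in
    # the tree are picked up by both objects.
    print(login("student001", "workstation01", levels=1))
```

With `levels=0` each object reads exactly one container, so what a student receives depends only on the tag container and the lab the workstation sits in.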
We use a single user container for all our student accounts ... approximately 4500 of them.
Our students are primarily enrolled as either Business School, IT, or Postgrad and each have their own set of labs (>20 and >300 PCs in total); we control access via User Groups, Workstation Groups and ZEN policies. Printing is controlled by PCounter.
We used to use uimport to create accounts each trimester/semester, but now use jrbimprt - which is just fantastic.
Single container seems to work fine, even crossing our WAN (which admittedly is a 33mb ATM link) - all probably wouldn't work well without ZEN though.