Rock Island-Milan School District Case Study: Rocking IT for EDU: WiFi, Macs, & the Cloud

Summary

Rock Island-Milan School District oversees 14 schools in the Rock Island and Milan areas of Illinois. When it came time to replace their aging Active Directory® hardware, Rock Island embarked on a search for the best directory service for their infrastructure. They needed a solution that could manage Macs, strengthen control over their networks, and integrate with G Suite and Office 365. In their search, they found Directory-as-a-Service®, and discovered a solution that would modernize their IT operations.

Organization: Rock Island – Milan School District
Size: 6,500 Students, 1,000 Staff
Location: Rock Island and Milan, IL
Problem: Aging Active Directory Hardware, Weak Network Access Control, Autonomous Macs
Goal: Secure Network Access, Centralize System Management

Background

Rock Island was at a crossroads. They needed to either update their existing Active Directory instance or upgrade to something new – and that meant it was time for Mike MacKenna, Infrastructure and Security Administrator, and Troy Bevans, Director of IT, to survey their options. They started with the status quo: Microsoft®.

Mike told us, 鈥淢ost of our infrastructure was running Windows Server 2008 R2 鈥 six or seven year old servers. So we were in a position where we looked at Microsoft volume licensing and Client Access Licenses (CALs), and how much it would cost to get a volume license agreement. For five years, I want to say it was around $30k.鈥

鈥淪o our first option was to reinvest with Active Directory and get a whole lot of Microsoft licensing. But we had Macs and free file storage coming down the pipe from Google.鈥

鈥淭here was so much new cloud-based infrastructure that was getting good reviews. So, it just seemed like the right point for us to completely revamp everything.鈥

The Challenge

Rock Island could have justified sticking with Active Directory if the only problem was outdated hardware and expensive licensing, but AD also left them wanting more when it came to managing network access. Mike and Troy explain:

Mike:

“We started with separate SSIDs to try and keep faculty on one VLAN and students on another. The problem we had with shared keys was eventually the password would get out and you would see faculty members on student networks and students on faculty networks. So we were losing the ability to keep connections in appropriate containers for the different policies.”

Troy:

“Also, students would discover the passphrases to get on to our wireless networks and would constantly consume the bandwidth. We wanted a way for everyone to have their own credentials and authenticate individually. So when we heard about 探花大神’s RADIUS-as-a-Service it looked really intriguing to us.”

The other major challenge for Rock Island was Mac management.

Mike:

“Our Macs were autonomous, and while we wanted to get them into a directory structure, we didn’t want to buy CALs for Windows servers.”

The Solution

Rock Island came across 探花大神 as they searched for a comprehensive directory solution.

Mike:

“We were looking for a way to unify the different platforms with a single directory structure and at the same time solve our need for RADIUS. In our search, we stumbled across 探花大神. We did some initial testing. We were impressed with it then and we have been ever since.”

“We looked at some alternatives. But they were more expensive and complicated than 探花大神’s implementation. We didn’t need all of that.”

“The more we looked into 探花大神, it fit the bill for everything we needed all in one nice package.”

Implementation

WiFi Access Through RADIUS

Troy:

“We have two implementations of 探花大神. We have a staff implementation and a student implementation. We don’t have the cloud RADIUS service with the students. For the teachers, they can just log in with their credentials. We have 14 schools and they just move from school to school, using their RADIUS credentials, and they can access the WiFi.”

Mike:

“We don’t need it for students because those are hardline machines. For their personal devices, we just push on to a quarantine public network anyway. So the need for RADIUS really comes down to wireless devices for faculty that have access to our applications and internal resources. For those devices, we want to know exactly who it is on the device and what they’re accessing. 探花大神 has been able to accommodate us from that standpoint. So we have definitely been happy with the RADIUS implementation.”

“I forget that I’m authenticating when I walk into the building and it just works.”

Users and Systems

Troy:

“The way we have been integrating a machine is by using some scripts that Mr. MacKenna wrote. We basically just run the script and it installs everything we require. We use the Chocolatey package manager to push things out, and when we get it, 探花大神 binds the machine. That works very well. With the faculty, we’re only doing one person per machine so that way if they leave we can just take their rights away. But with the students, we use pGina, so they can authenticate against the entire LDAP directory.”

Student System Access (Libraries and Computer Labs)

Mike:

“For students, we only have 300 machines but we have 1,700 students, and nobody wants to keep track of which student is going to use which machine. So our first thought was to set up 1,700 accounts to every machine. Windows didn’t care for it that much.”

“We talked to 探花大神’s Customer Success Team and they gave us the following guidance based upon their work with other .edu’s in our similar situation. They said, ‘In our testing, more than a couple hundred accounts within Windows gets a little unwieldy.’ Their recommendation was to leverage pGina on our student-Windows systems, which is an open source authentication module for Windows which enabled us to point these systems directly at 探花大神’s LDAP service.”

“So now the way we have it set up is, any student sits down at a machine, and they type their credentials on the Windows system. If they have never logged into that particular machine before, it generates their profile and they have an account on there moving forward. We use Google in the back end, so they’re essentially logging into Google and straight away they’re working with their own Google Docs.”

G Suite and Office 365 Integration

Troy:

“Of course, every school is going to use Google. 探花大神 integration with Google means users have one less password that they have to remember. They just have to use the 探花大神 password to log in. We also use Office 365, which has been working for us in the same way.”

“To see that 探花大神 integrated well with Google was another piece that seemed to fit into the puzzle.”

The Result

From AD to the Cloud

Mike:

“We’re in the process of moving off of Active Directory entirely. We’ve taken pretty much all of our student devices and things like that off of Active Directory. So, we’ve already started to minimize our server footprint, internal boxes, and also CALs from that perspective.”

“We still have some legacy stuff out there that we haven’t rolled over yet with some of our faculty resources, like thin clients that are at the end of their life. But we’re definitely headed there.”

Troy:

“We don’t even use file servers anymore. Since we’re a school district, we have unlimited storage space on Google. We’re using a program called ExpanDrive, and testing Drive File Stream. Both of these will map a drive letter to your Google Drive, so we store everything there. When somebody logs into their machine with 探花大神, it’s the same credentials to enter into Google, where they are saving all of their documents. Then we use Spanning Backup to ensure everything is backed up so we can restore it instantly when we need to.”

“It’s a nice system.”

Achieving Simplicity

Mike:

“We’ve managed users in and out of Active Directory with PowerShell scripts before, but we also did a lot of it manually as well and it’s cumbersome as far as how many OU’s [organizational units] we had to use and making sure things are in the right place.”

“Whereas 探花大神 seems to be able to do that a lot more dynamically and quickly than Active Directory. Plus, we had a couple of domain controller meltdowns at one point, and that could be a show stopper. Whereas with the 探花大神 system, we haven’t had any of those kinds of issues and it has been rather quick for us.”

“Things seem less complex than they used to be.”

Saving Time and Money

Mike:

“The simplicity that 探花大神 offers has really been the time saver. We’re not dealing with constantly looking at replication and if things back up correctly and all this other stuff that we had to deal with in order to maintain our Active Directory implementation. So that frees us up to do things that we really want to.”

“We really like 探花大神. We think it’s very unique. I’ve often wondered why Microsoft didn’t come up with something like this. They’re still sort of trailing behind. But we’ve been very happy with 探花大神 and I would be willing to recommend it to another school.”

Troy:

“We were at a point where we needed to decide if funds were going to be allocated to upgrade our aging servers, including hardware and software requirements. However, after making the decision to go with 探花大神, we actually saved money, which allowed us to make some much needed workstation purchases for the district. Additionally, I do not have to allocate resources to manage the servers any longer, which provides more time for us to serve the district.”

“It’s a very forward thinking model. 探花大神 really embraces the whole cloud.”

About 探花大神

The 探花大神 Directory Platform provides secure, frictionless user access from any device to any resource, regardless of location. Get started, or contact us at 855.212.3122.