How to properly deploy multiple computer labs and have room for future expansion?

I am currently the only computer guy at a high school (small budget). Currently, there is no real infrastructure in place. There are just office computers connected to a consumer grade router that leads to the Internet via DSL.

The school will be setting up some new computer labs (~100 new computers) with a new broadband line for student use. The school is looking to have each student (hundreds) with his or her own account accessible from any computer, they want the labs firewalled, the Internet content filtered against inappropriate material, and everything else that would go with that.

This is the part where it gets a bit hectic for me. Originally, I'm just there to do basic troubleshooting for the office computers and staff laptops which isn't a problem for me. However, setting up and deploying a real network infrastructure is where I feel I'm a bit in over my head. The school understands this as they should probably have someone with more experience deploying and setting up a networked Windows environment but you make do with what you have.

I think this is a valuable opportunity to get some experience with Windows Server and experience with possibly more advanced network hardware as my most advanced network experience lies at home with a bunch of Linux computers networked together. I don't have a more senior person for help so I'm pretty much on my own.

I have an idea of what I need to get done but I need help on the specifics.

  1. What types of computers are robust enough to stand up against abuse? I need a computer that has a lockable chassis to prevent people from opening up the system and mucking around. I also need a Kensington lock to prevent people from just walking out with a computer. I've been looking into Dell OptiPlex 360s and am hoping to get a good price via educational institute discount but I can't find specific details about a lockable chassis.

  2. What types of ways can I utilize automation to reduce my maintenance overhead? I can imagine it'll be a nightmare managing ~100 computers if I go about it the same way I do with the office computers. I would like to remotely install OS, distribute applications, lock down the computers against fiddling and viruses, etc. so that I don't have to physically go to every computer when I need to do something. I believe Windows Server can help with a lot of this via group policy but is there anything else I'm missing?

  3. I've been looking into Cisco for network hardware as I'll need a switch for each lab and an edge router of some sort for the whole network. I'll also need a firewall in place protecting everything. As I have no specific experience in this I'm having trouble picking the right switch, router, firewall model to suit my needs but I'm guessing I'll need low end switches, routers, and firewalls.

  4. How many servers will I need? I'm guessing so far 2: Windows Server for Active Directory and a backup server. Do I need another separate server for file serving user documents?

  5. Are there any resources online that I can look at to help me in my situation? Forums, articles, people in similar situations, guides, etc?

  6. It's also likely in the future the school is looking to have each teacher and staff be given a user account so they can go to any computer and access their documents. They'll also probably be looking to add an Exchange server so everyone has a school e-mail account and be able to access their own e-mails through Outlook on their accounts. I need to make sure anything I do now with regards to the network leaves room for future expansion and integration with the office. Are there any potential pitfalls I should be aware of?

  7. Any other advice?

UPDATE 1: Well, I've been researching a ton of information lately about all the various aspects of what I'll need to do and I sure am learning a lot. The answers to my questions have definitely pointed me in the right direction. As I dig deeper into things like picking the right hardware, remote management solutions, locking down systems, etc. I'm finding I'll probably be asking more questions about more specific things later but for now I think I'm on the right track.

If I could I'd pick multiple posts as the "correct answer" as I felt more than 1 post here helped me.


Solution 1:

Reaching back to my days managing school labs here are some of my suggestions:

  1. We would just get whatever mid-level machine was available at the time, and as Oskar Duveborn has said get computer desks with lockable cages. We used the kind that would just clamp the top and bottom down, then we would use the built-in lock to lock down the case and run a simple flexible chain through a fixture we superglued to the chassis and around the desk. Really what these are are deterrents but even in the tech school where the kids had access to bolt cutters, welding tools, etc. I think we only had 2 or 3 break-ins to the cases in the 3 years I was there. Basically just buy something reasonable and a few spares and expect the machines to be broken into no matter what you do - but don't let that be a reason to not put any deterrents in (for example we found a PB&J sandwich in a CD-ROM drive once...)

  2. We used Ghost and PXE booting to reimage the machines. Build up a master image once - redo it yearly, or quarterly, or bi-yearly and you are good to go. Also Group Policy is your friend! If you get into complex software pushes I would look into MS SCCM (I think that is the name of it now).

  3. For your size I would skip the router and just use the firewall as a "router" (it's really natting across legs but the end effect is the same). You would probably need something in the ASA 5520 range. Also, for a school I would invest in the SCS Module to do web filtering. Also learn how to do VLANs and put each lab into its own VLAN, admins in another, and servers in yet another.

  4. If you can swing a second server go for it, otherwise you should be alright hosting AD, DNS, DHCP, and Files on the same machine. Please stay AWAY from SBS ... pleeasse. Make sure you have a good tape backup system. BackupExec and ArcServe are probably the friendliest for someone new to this stuff.

  5. Honestly, Google will be your best friend.

  6. I think if you follow the advice you get from here, and go get some books on AD, Networking, Cisco you should end up with a design that will work very well for you and leave room for future expansion.

  7. Good luck, read a lot, get some books, and set up one lab first; play around, learn and model things before you give it the blessing. Possibly if school is in session talk to the teachers (comp sci/science mostly) and see if you can get a couple of trusted students to come in and try and break things.

Oh and one more thing. Set the machines to boot from PXE, then HD and disable all other boot options, then put a BIOS password on the machines, that way the kids can't boot from CD/USB and be able to undo all your hard work securing the systems!
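
The VLAN layout suggested in item 3 of this answer (each lab in its own VLAN, admins in another, servers in yet another, with the firewall routing between them), sketched as an added example that is not part of the original answer. The address block, VLAN IDs, lab count, hosts per lab and permitted ports are assumptions chosen for illustration.

```python
import ipaddress

# Constructed assumptions (not from the post): address block, VLAN numbering,
# and the directory/file ports lab clients need to reach the server VLAN.
SUPERNET = ipaddress.ip_network("10.20.0.0/16")
AD_PORTS = {53, 88, 389, 445}  # DNS, Kerberos, LDAP, SMB


def build_plan(lab_count, hosts_per_lab):
    """Give servers, admins and each lab its own VLAN ID and subnet."""
    # Smallest prefix that fits the hosts plus network, broadcast and gateway.
    prefix = 32
    while 2 ** (32 - prefix) - 3 < hosts_per_lab:
        prefix -= 1
    subnets = SUPERNET.subnets(new_prefix=prefix)
    names = ["servers", "admins"] + [f"lab{i}" for i in range(1, lab_count + 1)]
    plan = {}
    for index, name in enumerate(names):
        net = next(subnets)
        plan[name] = {"vlan": 10 + index * 10, "subnet": net,
                      "gateway": net.network_address + 1}
    return plan


def segment_of(plan, address):
    """Return the segment name that owns an IP address, or None."""
    ip = ipaddress.ip_address(address)
    for name, seg in plan.items():
        if ip in seg["subnet"]:
            return name
    return None


def is_allowed(plan, src_ip, dst_ip, dst_port):
    """Default-deny inter-VLAN policy as the firewall would evaluate it."""
    src, dst = segment_of(plan, src_ip), segment_of(plan, dst_ip)
    if src is None or dst is None:
        return False                      # unknown segment: deny
    if src == dst:
        return True                       # same VLAN never crosses the firewall
    if src == "admins":
        return True                       # management reaches every segment
    if src.startswith("lab") and dst == "servers":
        return dst_port in AD_PORTS       # only directory and file services
    return False                          # lab-to-lab, lab-to-admin, servers-out


PLAN = build_plan(lab_count=4, hosts_per_lab=25)  # assumed: 4 labs of 25 PCs
```

Running candidate firewall rules through `is_allowed` before configuring them makes it easy to spot a rule that would let one lab reach another or reach the admin VLAN.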

Solution 2:

2 : For a computer lab, I'd definitely suggest going for a thin client environment.

You'd have to spend more money on servers, but on the other hand you'll probably be spending a lot less on client computers. Of course you'd also have to evaluate other factors such as licensing costs in order to determine if this approach would be convenient for your school.

If there's no choice and you can't go for a thin client environment, try to deploy a fully automated cloning solution like Symantec Ghost Solution Suite. Also take Kyle's advice and install DeepFreeze or any other similar product on every PC (for a computer lab on a high school, that's a must).

5 : For a good inspiration, take a look at the USITE/Crerar project. That's certainly another kind of environment, but perhaps you can borrow some good ideas about other important aspects of a lab, like physical layout.

6 : Hosting your own mail services doesn't seem like a good idea in the context that you've described. I'd recommend Google Apps for Education instead.