
Adding subdomains to G Suite

This is how I add subdomains (so basically new schools) to our G Suite setup. I've got these steps documented on a scruffy set of notes that I've now got in Keep - so time to document them - for myself as much as anyone else!

Steps in order (roughly)

  • Add the new domain
  • Verify the new domain
  • Add MX records to hosting
  • Add SPF record for Google to hosting
  • Turn on email authentication
  • Add DMARC record to hosting
  • Setup custom Directory and restrict students OU to this.
  • Create an admin quarantine for the domain.
  • Configure SPAM setting for the domain.
  • Turn on and off services as appropriate.
  • Map a blank Google Site to the naked domain - if required.
  • Setup some basic groups - allstaff, allusers (for directory) and students with appropriate permissions.
  • Deploy custom wallpapers.
So the steps in a bit of detail:

Add the new domain & Verify ownership

Click on Domains in the admin console:

Add/remove domains followed by "add a domain"
At this point make sure you select the second option.
You will then be prompted to verify ownership. In most cases, this means adding a TXT record to wherever you host your DNS.
Click "Verify" and you should get a nice green tick. 

Add MX records

Next to your new domain in your list of domains, there will be a prompt to add MX records. Click on this and the MX records you need to add will be shown. Add these to your web hosting.

SPF/DKIM and DMARC

I did a blog post about these a while back that explains how to set these up. You can find it here.
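
As an added example (not from the original post or from Google's documentation): a small offline check of the MX, SPF and DMARC records the checklist above has you publish, flagging settings that weaken mail authentication. The domain newschool.example, the sample record values and the function names are constructed for illustration; replace SAMPLE with the answers your DNS host actually returns.

```python
# Added example: offline sanity check of a new domain's mail DNS records.
GOOGLE_MX_SUFFIXES = (".google.com", ".googlemail.com")

def check_mx(mx_hosts):
    """Flag MX hosts outside Google; mail delivered there never reaches G Suite filtering."""
    return ["non-Google MX still published: " + h for h in mx_hosts
            if not h.rstrip(".").lower().endswith(GOOGLE_MX_SUFFIXES)]

def check_spf(txt_records):
    """Check the TXT records at the domain itself for a usable Google SPF policy."""
    spf = [r.lower().split() for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return ["expected exactly one SPF record, found %d" % len(spf)]
    terms, problems = spf[0], []
    if "include:_spf.google.com" not in terms:
        problems.append("SPF does not authorise Google (include:_spf.google.com)")
    if terms[-1] in ("all", "+all"):
        problems.append("SPF ends in +all, so every sender passes")
    elif terms[-1] not in ("~all", "-all"):
        problems.append("SPF does not end in ~all or -all")
    return problems

def check_dmarc(txt_records):
    """Check the TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return ["expected exactly one DMARC record, found %d" % len(dmarc)]
    tags = dict((k.strip().lower(), v.strip()) for k, _, v in
                (part.partition("=") for part in dmarc[0].split(";")) if v)
    problems, policy = [], tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        problems.append("DMARC has no valid p= tag")
    elif policy == "none":
        problems.append("DMARC p=none only reports; failing mail is still delivered")
    if "rua" not in tags:
        problems.append("DMARC has no rua= address for aggregate reports")
    return problems

def audit(records):
    return (check_mx(records["mx"]) + check_spf(records["txt"])
            + check_dmarc(records["dmarc"]))

SAMPLE = {  # constructed: old host's MX left behind, SPF too loose, DMARC monitor-only
    "mx": ["aspmx.l.google.com.", "mail.oldhost.example."],
    "txt": ["google-site-verification=PLACEHOLDER", "v=spf1 include:_spf.google.com +all"],
    "dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@newschool.example"],
}

print("\n".join(audit(SAMPLE)))
```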

Setup a custom Directory

We have about 16 organisations as part of our overall G Suite setup, so it's important that individual member organisations can have access to a directory that just has their users if they wish. To do this, create a group called allusers@newdomain.com. Make sure you lock this group down so people cannot join or post to it - it's purely for the directory.
You can use a scheduled GAM task to sync the membership of this group to the OU for this organisation (you need to make a sub-OU structure for the new organisation!).
gam update group allusers@newdomain.com sync member ou_and_children "OU path in here"
So put this in a batch file and run as a scheduled Windows task. I have a file with many commands like this for different organisations within our setup.
Once you have the group, you can create the custom directory - Apps > G Suite > Directory in the management console:
Select Visibility settings for the OU you want to apply this to. Click "Users in a custom directory" and CREATE NEW.

Give the Directory a name, then search for your allusers group, select it and click CREATE.

Save the setting. Note - custom directories take anything up to a week to start working - so don't expect it to be instant.

Create an admin quarantine for the domain & Configure SPAM setting for the domain.

I've covered this in my blog post here. The one thing I've changed since writing that is that I never bypass internal senders in the SPAM settings. Internal accounts can be compromised as well!

Turn on and off services as appropriate.

What I turn on and off is normally down to the joining school. However, my basic ones I always do:
  • Turn off G+ unless specifically asked for and for any OU with <13-year-olds in it.
  • Turn off YouTube for any OU with <13-year-olds in it.
  • Turn on restricted mode YouTube for students and allow staff OU's to approve videos.
  • Restrict sharing in Drive to within the domain only.
  • Turn off Blogger for student OUs (unless requested).

Map a blank Google Site to the naked domain - if required.

Why pay for a website? Just use a Google Site - it's way easier. I create a blank site with a user on the new domain (this is important!). Then in the admin console Apps > G Suite > Sites > Web Address Mapping and click on ADD A NEW WEB ADDRESS
So pick "new Sites", select your new domain, your site name and in the web address - just put www.
You will then be directed to add a CNAME record to your web-hosting. Remember to add a redirect to https://www.yoursitename.com for https://yoursitename.com

Setup basic groups

I always set up a few basic groups like allstaff@yournewdomain.com etc. Just make sure the permissions are set appropriately on the groups. Auto-populate them with a scheduled GAM command as shown earlier on.

Wallpapers and other Chrome settings

I generally set up custom wallpapers for both devices and users and put in a few managed bookmarks to get them started. 
