Category: Meetings

08/23/07

Permalink 04:37:28 pm, by John Klein Email , 290 words, 238 views
Categories: Meetings

John's update summary for 8-16-2007 thru 8-23-2007

With things slowing down with fall installs, I was able to get back to some older projects. FYI, yesterday we had 88 new WolfPrep machines installed, and in the last 7 days, 1068.

SSLBridge

Back in October, 2006 I thought that I had found a remote access solution for SMB filesystems that would solve all of our problems, and fold the napkins nicely, too. I installed SSLBridge this week, and fear I must call it a "miss." The AJAX interface is beautiful, but it seems to be very dependent on NetBIOS naming, and choked on our servers that report their names using full DNS syntax. It also seemed hard-coded to use NTLM/NTLMv2 and never negotiate Kerberos. Too bad.

WINS

At the last staff meeting, we decided we needed to deliver consistent WINS information to all the clients/servers as long as we needed WINS at all. You can have redundant WINS Servers, so I've got it installed on DC00 and DC01 so we have fault tolerance, and they are replicating information to each other.

You don't seem to be able to set WINS info via GPO, just via DHCP. I ran a wee script to set the WINS server info on our hosts, but a reboot is required so most of them haven't updated yet.

I plan to adjust the "PXE-All" QIP template, add the WINS info to WolfPrep.

Drupal.unity.ad.ncsu.edu

I got Drupal working with Unity authentication, rich text editing, and have started learning how to craft an "online book." It rocks -- I'm so excited. Check out drupal.unity.ad.ncsu.edu
I plan to look at some of the calendar/event (sign up for classes seems in the bag), bug tracking, and project management modules.

07/11/07

Permalink 09:12:42 am, by John Klein Email , 83 words, 238 views
Categories: Architecture, Filesystems, Meetings

Share Permissions (discuss at Friday's meeting)

Hey folks,

I'd like to reawaken our discussion of Windows Share +/- NTFS file permissions for Friday's pilot meeting.

I won't duplicate the old blog post with a repeat of the background info, but would appreciate it if you'd review it before Friday's meeting so we could discuss our "best practice" stance.

Some Microsoft documentation is suggesting different practices, see http://microsys.unity.ncsu.edu/blog/index.php?title=gpo_creation_problem_solved&more=1&c=1&tb=1&pb=1 for context.

06/29/07

Permalink 03:12:17 pm, by Debbie Carraway Email , 107 words, 338 views
Categories: Communication, Meetings

Meeting with Dennis 6/29/2007

I met with Dennis this morning to give him an overview of Microsys staff, functions and challenges. You can find a short summary here:

Microsys Overview

He was receptive. He sees his role as a communications facilitator between Sam and staff. He is interested in representing what we do back to Sam. He expressed sympathy for the amount of effort required in a migration when systems must run in parallel.

Dennis would like a slightly more technical overview of how the pieces like authentication, printing, application distribution down to the desktop fit in together. I told him I would schedule something with the group after I get back.

06/20/07

Permalink 03:35:00 pm, by Andy Kurth Email , 854 words, 96 views
Categories: Meetings

Planning Meeting Notes 6/15/08

App Building Ownership
If you're working on an app, either take ownership of an existing Remedy call or make a new one. The person building an app is responsible for updating the Remedy call and communicating via Remedy and the forums.

Apache and File Distribution
Instead of using WRAP for web authentication, use John's group policy reports as an example of how to use mod-auth-sspi. This allows web authentication and access control that is integrated with AD groups and users. The downside is that it only runs on Windows. To configure access control, either set up a conf file for Apache to use or create an htaccess file in the directory that is to be controlled. It is a little more secure to use a conf file. This solution will allow for pass-through authentication: web > AD > MIT Kerberos.

Side note: We should link the Apache configs on Web00 to dotITD.

DC03 Sluggishness
Group policies are not propagating. Gpupdate /force isn't working.
Decision: Firewall will remain off on domain controllers. Testing will only be done in the test domain.

Application Layout
Decision: Rename Applications\Freeware to Other
If you can find an author name such as "Simon..." then use it.
If the software is from SourceForge then put it under SourceForge.

Decision: We will not maintain separate product directories for a given product if multiple platform versions are available. All of the platforms will reside in a single product directory and the directory name will not include the platform.

Decision: We will organize each product directory with the following subdirectories:

Source - This directory only contains unaltered vendor files. If you receive a CD/DVD as the original media, make an ISO file and save it in the Source directory. If the software comes as a zip, exe, or other type of package, save that file in the Source directory. Do not uncompress the files. If multiple platforms are available, name the ISO, ZIP, or other files accordingly. If no platform is included, the file is assumed to be for i386.

Dist - This directory contains the uncompressed working files that are used to distribute software to clients. If the directory is called "Dist", assume the platform is i386. If the distribution files are for another platform, create a separate "Dist" directory and include the platform: "Dist-x64".

Configure - Use the Configure directory to store customized files, transforms, scripts. Serial numbers can also be stored in the Configure directory. This allows permissions to be opened to the other directories but locked down so people can not get to the license or other sensitive information.

Updates - Store service packs, patches, and other vendor-supplied files here.

Printing Dog & Pony by John
Here are some rough notes. I apologize if something is missing or unclear. I was trying to listen, understand, and type all at the same time and it was after 4:00 pm. :-)

Samba's role in Windows printing is only to convert MS RPC calls to LPR. It pretends to be a Windows print server.

Print Management MMC Plugin
Use this to manage many printing tasks and configurations. To manage our printer server, click on Print Servers > Add Server > print00.unity.ad.ncsu.edu

The interface includes all of the things a Windows print server would have except drivers.

For each printer, Location is populated. This information lives on print00 in a local SAM account.

It has ports... but ports really don't do anything and can be ignored.

Driver Naming
The name of printer and queue were used to name print drivers. Each printer has its own config file even if same model of printer. This allows for distinct configurations.

Deploying Printers
Do this from "Print Management" and NOT group policy management. If the GPO is configured, it only creates a 1-way link. Printers will get installed but cannot be automatically removed. Print Management overcomes this.

New Print Drivers
Browse to print00.unity.ad.ncsu.edu. "Add Printer". You can't use the add printer wizard because it uses native Windows code.

Managing the Server
Print00 can be managed from MMC's "Computer Management" if you click on local > connect to another computer > print00.

The Event Viewer is currently not populated but there is a Samba utility to populate this.

The Public share is where the PPD files reside.

You can create local groups on the server and add domain accounts. Access granted this way is limited to Samba resources, not to the entire server.

Services - you can hook Windows services to Linux.

Basic server installation information: RHEL was configured with Jack's kickstart mechanism. Installation instructions are in the Linux wiki.

Logs
SSH to print00.
Browse to /var/log/samba
Files are arranged by client workstation.

Managing Queues
Use the Server Status Page to manage queues.

Scripts
http://svn.unity.ncsu.edu/svn/itdmicrosys/samba/trunk/
Stores scripts and such. The script to add drivers is here. Debbie volunteered to create an AutoIT script to make things easier.

John is eventually looking at virtualizing print services.

John is looking into mounting /AFS in AD similar to /DFS. If this works, we will "rule the world".

05/11/07

Permalink 05:27:39 pm, by Debbie Carraway Email , 1219 words, 114 views
Categories: Meetings

Planning Meeting 5/11/2007

Progress Reports
Post by Thursday.

Andy: Posted. He is the good one. ;-)

Joe: DC03 close but not yet finished. Trouble getting in through Raritan. WSUS - dredging different resources for producing reports, see documentation section of WSUS.

Barriers
Joe: change vlan from 99 (dealing with port 20) get prompted to pay, management ports on DC2; no problem if it was on vlan 10; has contacted Comtech. Trouble getting in through Raritan on DC03.

Q&A
Make software installs local that are now networked? Concern is size in image, though performance better local on some like Solidworks. Andy: prefers local. Patrick: Delivery time of apps longer, but better than worrying about server load long-term. Joe: Performance better local, updates more of a pain. Question: how big are the hard drives on our older workstations in production? Debbie has asked David for that info.
ArcGIS is already local, main product is about 1GB. Others, Solidworks is local, SAS (1.2 GB) (net), Maple (local) or Matlab (net) (1 GB). SAS hotfixes are critical and harder to maintain; chaining required to make things go. Policies should be able to help. Acceptable to have most apps delivered local and if performance/manageability are right, then net is fine for an exception.

Renaming apps to software? Not for 2 weeks now. Want to collapse ISO images soon, fix permissions. Not clear if have to make new policy object or use ADSI edit for policies that distribute software.

In application software layout, change ncsu to itd to allow potentially different configs using same installer files.

Discussion

coming soon

Dog & Pony

Operating System Deployment Overview
(Andy provided the slides as printouts)

WAIK, comes as img, rename to iso and can burn it, is in dfs
os files, drivers, apps can reside in its share on the network
boot from a client, gets to share, you get your OS install
imgx utility used to manage WIM image files
SIM creates scripts, like unattend.txt and unattended.xml for Vista
WDS is RIS replacement
all was released jan/feb timeframe
replaces SMS OS deployment kit, SMS may enhance it in future
pilot CD using SMS is using this framework
all SMS does is distribute files instead of having on share on a server

windows pe, used to have to pay now it is free
it's windows vista kernel stripped, 'only' 97 mb
Use Vista production disk and run 'make my WinPE' from there
Been around for years, used by vendors
can use it for password recovery, troubleshooting etc, now encouraged as a solution
same drivers & config work because it is windows
can run from a ram disk
has wmi, can run vbs, etc

WIM
like a ghost image or partimg except file-based
allows you to do lots of things offline to make changes you don't have to boot to it
change files, folders, apply service packs, patches, drivers, etc
no hal or hardware info stored in image
don't have to wipe c: to apply WIM image. could refresh OS.

BDD
set of scripts that automate installation from start to finish
you can specify properties to set it the way you want
zero touch requires SMS
lite touch does not
we are using zero touch but it is the same exact script as lite touch. Difference is lite touch is deployed from a share rather than sms.
set of vbs scripts, one to partition, one to inject drivers, install OS, etc

WDS
not needed to use WAIK
much improved RIS
you install RIS and then an updater turns it into WDS
supposed to deal with SATA and USB changes better than RIS
does not do multicast
Longhorn beta it does multicast, has some neato tools to go with
PXE service is sorta separate, not required
PXE server can point clients to WDS, not tied into Microsoft PXE

imagex
command line
all-encompassing way to make/edit/deploy WIM files
like ghost executable
can capture, deploy but best is mount/unmount - can mount it as a drive and do as you will

deployment workbench
in bdd
gui framework to manage everything

[demo]
managing drivers - don't have to make new image, just ID driver they need, point to source directory, it figures out what to copy to the share and manages (includes version, shows PnP IDs, inf file)
can put different drivers in different groups
generates xml report of all the drivers, pnp IDs, etc, easy to publish to web to show clients what drivers are currently included
will name computer according to our naming conventions
can tell which driver set to apply to an image, which product keys, etc (different builds)
can add custom tasks at any point, it has stages reminiscent of WolfPrep
has a database, you could do like lab templates, ie, if it is this group of IPs you get this stuff - or anything you can get out of WMI; can apply an image based on an attribute of the computer
[/demo]

installation sequence
can backup before you reinstall, may be interesting for faculty/staff upgrades
customizations are taken out of OS install process
tweaks, other installs done with group policies
can run application installs after the os is installed
build restore image

cool features
should only have to maintain a single image, even for dual-processor
not sure if database requires mssql or if we can use mysql, that would be the only thing that is not free

imagex will let you control compression settings

------------------

WSUS 3.0
on client computers, WUAUCLT /a flushes it so you can start afresh
under all computers, there are groups
has reporting about os, sp level, what has not been installed (updates)
[demo]
Aside: both DCs are in VLAN 12
can select classifications of things to include, could push out microsoft drivers, for example
can also select for a particular microsoft product
can choose critical, security updates, update rollups or all updates
sends short summary via email to joe
[/demo]
there is a script to cleanup database that could be scheduled to run monthly (ie purge French service packs)
tells you who failed, not why they failed to get an update
all management tools now through mmc and not iis
clients access the updates via IIS according to docs so we are still running IIS, looking into this to see if still accurate
can you manually add an update that isn't released by microsoft (like a hotfix)? Joe will investigate
mostly group policy -- file in Microsys locker called wsus.reg that configures certain settings for Windows Update, and puts computers in "Unassigned Computers" by default. can then run command line wuauclt script to get a client machine going
can approve updates/hold them, can see what's pending reboot

Decisions

  • For app layout, Andy will change /ncsu to /itd to allow potentially different configs using same installer files.
  • AD Pilot will be ready when the Reviewer's Guide is ready - each person will identify things they want people to test and will create that page in the guide, this will make it clear what infrastructure has to be there and what is left to be done. We all agreed to work diligently on this so that we can ship at the earliest date (when things are done). We will each take care of our own areas initially.

brought to you by Debbie and w.bloggar

05/10/07

Permalink 07:06:09 pm, by Andy Kurth Email , 326 words, 108 views
Categories: Meetings

Weekly Status Report from Andy (5/7 - 5/11)

Software Directory
I have not had time to reconfigure and rename the Applications directory as we discussed last week. We decided to name the directories with customized files "NCSU". I'd like to change this to "ITD".

AFS Attributes
The ncsuAFSPath attribute was set on all existing user accounts. New accounts also are having the attribute populated.

OS Deployment
I have done some more research on Microsoft's new OS deployment technologies in preparation for the dog & pony I am supposed to be presenting on 5/11. I believe it will be possible to perform a fully automated OS installation without SMS. We should only require the Microsoft Windows Automated Installation Kit (WAIK) and Solution Accelerator for Business Desktop Deployment 2007 (BDD) -- both of which are FREE products. I need to tweak the sysprep.inf file but I was able to initiate the installation using PXE and Windows Deployment Services (WDS), have an image applied to the workstation, and reboot into sysprep mini-setup. As for the dog & pony, I would like to explain the basics of the tools and technologies available rather than talk about SMS.

WiX
I have been learning about the Windows Installer XML (WiX) toolset. It is a product available on SourceForge originally developed by Microsoft. WiX allows you to create an MSI installer from an XML file. WiX is not something that campus administrators would want to use to repackage applications into MSI format. It is intended to be used mainly by software developers to create installers for their products. You need a good understanding of the inner workings of Microsoft Installer. What it may be useful for in our environment is to create simple MSIs that either make minor changes or call other silent installers without having to open up a repackaging program.

Pilot Requirements
I have been working on a messy Word document to collect my thoughts about pilot infrastructure requirements. It's getting late and I'll post something more organized tomorrow morning.

04/27/07

Permalink 10:06:51 am, by Andy Kurth Email , 575 words, 89 views
Categories: Meetings

Weekly Status Report from Andy (4/23 - 4/27)

Status of my deliverables from last week

Tip: You can make things appear blue by using the "ins" button within the blog editor. You can also make them blue and strong by combining the tags.

Andy: FlexLM on license00 for autodesk
Done. Thanks goes to Ed for taking care of this. He posted the details HERE. I created a local account on LICENSE00 (helee2) for him. This account is to be used to configure the FlexLM license manager as apps are being built.

Andy: Doublecheck to see whether if 2 clients have netbios on, and unique names for the first 15 chars, can we add the 2nd workstation to the domain?
Done. Details were posted HERE.

Andy: Generate list of applications for Fall in a web page
Done. The page is HERE. There is an Excel spreadsheet in the web directory. The HTML file is generated simply by using Excel's "Save as HTML". It isn't pretty and doesn't use our template... but it is easy to update. If you want to update the list, modify and save the Excel file then save the file as HTML called ApplicationList.html. The page title isn't being displayed correctly on our home page. I was going to check with John and see which special characters Excel is using.

Andy: Tweak code to populate AFShomedir in AD
Done. The code is commented out for now and I have only included the AFS path. I'll add more attributes based on the outcome of today's meeting. Once the schema is updated, I'll begin populating the new attributes. I'll need to run a bulk update at some point to add the attributes to the existing accounts.

Andy: Dog & Pony: Accounts & passwords resets, user directories, focus on troubleshooting (30 min)
Post outline on Monday.
Done.
The outline was posted on Monday. I have spent most of my time this week preparing this and documenting account details.

Andy: SMS following week, high level overview
Haven't had time to think about this.

Agenda Items I'd Like to Discuss

AD Testing & Experimentation Procedures
I believe we are at the point where developmental/experimental changes should not be done using our main environment. I'd like to propose setting up a small test domain with 2 domain controllers and 1 utility server. This environment would be used to test things like firewalls, schema extensions before applying them to the UNITY domain.

There are 2 main reasons for this:
-Changes to the UNITY domain are affecting people working on other things.
-It will be beneficial to declare our accounts to be stable and almost ready for production. Comtech is interested in using them very soon and we cannot help them out if we aren't confident that our infrastructure is stable.

To begin with, I'd propose the test domain to be configured this way:
-Separate domain in separate forest. This will allow us to test forest wide changes and trusts.
-Configure the DCs as they are configured in the UNITY domain and mimic the domain layout where possible. Do not install things on the domain controller that wouldn't be installed on DC00 or DC01.
-Use the utility server for everything else. It should have Apache, SSL, and other services. We may need a 2nd utility server to run IIS.
-We don't have to replicate everything in the UNITY domain. As we all know, it's nearly impossible to keep things the same.

Training & Departmental AD Experience
I'll provide more details at the meeting.

Permalink 08:30:42 am, by John Klein Email , 350 words, 95 views
Categories: Active Directory, Change Management, Meetings

Weekly status report from John (4/23 - 4/27)

Well, I didn't get this in yesterday, as we were hoping to institutionalize, so perhaps this is a weakly report. :-)

I've got the OID numbers for adding to the schema at this afternoon's pilot meeting. No feedback online about the proposed extensions, so we'll cover that during the meeting.

I still have not put the tests to see if the scheduler service has died into production, but this should be ready "any time." I'm working on checking a server's virus defs to see if they match the version on the parent server, which I think will also be a good thing to monitor via a script.

Andy found that the group policy sync status page didn't show an error, even with group policies FUBAR. It looks like the WMI calls that I was using to check the version on disk vs. in AD didn't worry about FRS issues, so only read one SYSVOL. I'm planning on adding FRS replication checks to help protect us from this.

I've forwarded the security issues with OpenAFS to Tom, so he's aware that we need to bump to the 1.5 release.

I've put the AD to Remedy Group Sync source code into public subversion on https://svn.unity.ncsu.edu/svn/itdmicrosys. World can read and Microsys can write. My hope is to really start collaborating with the WolfTech folks and other EDU folks so we can increase human happiness, and reduce the number of scripts I carry on my to-do list. :-) There *is* an old password in the source code, but don't panic, it hasn't been live for some time.

Work continues on migrating the wolfprep server to new hardware/software/database so that I can take the ip to template lookups OFF of uni04nt.

I have not had time to pursue installing Drupal on wolfjeers this week.

Some items I'd like to brainstorm and discuss

  • Do we need to schedule an Open Meeting(tm) for this year, and is it necessary to have our AD pilot ready to go before this happens?
  • Best practices for communication and coordination intra-microsys
  • Netbios

04/23/07

Permalink 01:59:36 pm, by Debbie Carraway Email , 168 words, 102 views
Categories: Communication, Meetings

Agenda template for planning meetings

Here is the revised agenda template for the Friday planning meetings.

Agenda Template

Progress Reports
Reminder: Post progress reports by Thursday on blog or in email to Microsys

Outstanding Issues
Barriers to completing things

Q & A
Questions and answers about specific items

Brainstorming & Discussion
Discussion about specific items, goals or direction, brainstorming on ideas/solutions
Topics should be identified in advance by posting before the end of Thursday

Dog + Pony
Presentations planned for the current meeting. The topic should have been posted the previous Monday and feedback should have been given by the previous Wednesday staff meeting.

Future Dog + Pony Planning
Identify desirable presentations, schedule them

Review:

  • Decisions
    Ensure everyone is on the same page about decisions made during the meeting
  • Deliverables
    Assign deliverables and/or ensure everyone is on the same page about what will be done
  • Goals
    Identify and review larger goals/principles

Prioritize work
Identify dependencies and organize work by importance/urgency

Agenda for next week
Identify agenda items for the next week

02/12/07

Permalink 09:27:10 am, by John Klein Email , 73 words, 293 views
Categories: Change Management, SCRIPTS00, Meetings, WEB00, Applications

AD accounts renamed

As decided in our 2/9/2007 meeting, I've renamed the following accounts in unity.ad.ncsu.edu to conform to the desired naming conventions:

  • itd-scripter --> itd.scripter
  • itd-web-server --> itd.web-server
  • wolf-copy --> itd.wolfcopy
  • wp-manage --> itd.wp-manage

I've reset the scheduled tasks on scripts00 and restarted apache on web00 to use these new account names, but we need to be on the alert for issues that may creep in from this change.


Unity Migration Blog

This blog is intended to be used by the staff members of ITD's Microsys group at NC State University. It is an internal project management and collaboration tool to be used throughout the Unity migration project. Project updates, thoughts, suggestions, and anything else related to the migration should be included.
