Author Topic: Windows 2000 Server Advice  (Read 463 times)

Offline Nashwan

« Reply #15 on: May 26, 2005, 09:40:07 AM »
Quote
Win2k handles domain controllers just like nt4 did. You have a primary and a backup. In win2k you can have a bunch of backups but that's a potential CF when the primary goes down. Also, win2k does not use the terms primary and secondary but it functions just the same. You can have as many secondary domain controllers as you want but they will share no load. Only one machine at a time handles the domain load and it handles it exclusively.


No, if you have several domain controllers they do spread the logon load, with some users logging on to one, some to another (try making changes to a profile on one of them, and you will see). What you are describing sounds like mixed mode, I think.

Quote
Worse yet, if the primary goes down hard it will not fail over. Then you have no domain controller until you get the primary up and running again. So, just watch out for the pitfalls.


If you are in a situation with a single domain controller, adding a second will not make the first more likely to fail, and will not make things worse if the first does fail (in fact, it makes things easier).

I'm not saying get rid of the redundancy on the existing server, but adding a second without redundancy is still better than not having a second at all.

Offline Chairboy

« Reply #16 on: May 26, 2005, 09:40:30 AM »
In software development, one of the constants is that it always seems easier to just rewrite something from scratch than it is to figure out the exact issue and fix it. The problem is, you lose the benefits of mature code, fixes that were put in to address specific things that maybe you weren't aware of, etc.

The description you gave of the network doesn't sound half bad compared to some I've seen. I've got a net admin friend that recently took over a network that was 20 PCs running various flavors of unpatched Windows, using a Linksys home router to connect to the internet. The one 'server' on the network was a Windows 98 machine with file sharing turned on. Sure, it all worked, but there was no security, no protection against external threats, no backup policy was in place, etc etc etc.

First, I'd evaluate just how much of what you see is actually a problem.  How big is the actual transaction when a student activates their profile?  Second, consider modifying the group policies.  You should be able to lock down things like IE allowing them to save backgrounds.  If worse comes to worse, you can just delete any file named "Internet Explorer Wallpaper.bmp"  on the server.  I assume that it would just handle the missing wallpaper gracefully, but that might be worth a limited scale experiment first.

Is the network 100 megabit?  If not, upgrading the routers might be the cheapest way to fix any performance issues.

Basically, figure out the actual problems and whether there's a solution to them before you nuke and pave.  That's just my suggestion.
"When fascism comes to America it will be wrapped in the flag and carrying a cross." - Sinclair Lewis

Offline rabbidrabbit

« Reply #17 on: May 26, 2005, 09:50:29 AM »
First, I agree with adding an additional server. Basically, it's suicidal to run everything on one machine without any sort of backup. Sooner or later you will be screwed.

In my direct experience with domain controllers they do not share the load. This information is a couple years old and may have been fixed recently. I'll give you an example. I had a domain controller set up for a client. It did not handle end users since all of the machines in the domain were web/DB and video streaming servers. I added a second machine as a domain controller as backup. One day the first box bit it with bad RAM. The box simply froze and we ended up pulling the plug. From that point on no domain functions worked. Active Directory would allow no new machines to join the network, no DNS changes etc... The domain was simply frozen. If you shut down any machine in the domain it could not rejoin when you tried to re-log on. The only fix to recover the domain was to replace the RAM and manually fail over the domain to the second box. If you shut down the main domain controller gracefully it would pass the domain over to the second box; however, a hard crash would lock out the domain until you got the old controller back up and running and did a manual failover. I do not have direct experience with user profiles but the domain was entirely locked out under a hard crash of the machine designated as primary.

Offline Nashwan

« Reply #18 on: May 26, 2005, 10:00:24 AM »
There are a number of things that can stop people logging on when a domain controller fails. Especially if it's the first domain controller on the domain, which will have all the operations master roles by default (and that's not even counting DHCP or DNS issues, roaming profiles etc).

But domain controllers do spread the logon load (even under NT backup domain controllers did, iirc).

Granted a cheap second server probably won't keep the network running if the first goes down, it will need to handle DNS, possibly DHCP etc, and if it isn't storing users' network folders, it's not much use if they can log on anyway.

But a cheap second server will spread the logon load, with some people logging on to the first server, some to the second (at random, no need to point people at the different servers).

It's only useful if the profiles are sorted out, though. If people still have unique roaming profiles you will run into more trouble with a second domain controller.

Offline eskimo2

« Reply #19 on: May 26, 2005, 09:26:25 PM »
Thanks guys,

There’s lots of good advice here.
I should have clarified our back-up.  We have a tape drive (it looks like an 8mm camera tape but they cost about $100 each).  I back it up every day by cycling through 10 tapes every two weeks; I leave one at home in case a meteor takes our computer lab.

I am planning on making the change sometime this summer; I want to build a new login system and student accounts and manually transfer all student data to the new accounts.  After I’m sure that everything is smooth, I’ll delete the old accounts.  

As far as a second server goes, we do not have the money.  We have one of the best computer labs, servers and network in the area.  I really can’t ask for more if we don’t absolutely need it.  

Nashwan: “Have you thought about mandatory profiles?”

Not until today; my server knowledge is absolutely limited to our current server and network arrangement.  From what you describe, however, mandatory profiles are exactly what I want and was hoping was possible.  A single simple unchangeable profile would really speed things up.  I could teach them how to find their data folders; heck I’ve taught third graders to map their own drives because several of their accounts keep forgetting how to find a key drive.

My big question is: can I let our teachers keep their roaming profiles, and put the students on mandatory profiles within the same network and login script?  It would also be nice if I could have one profile per grade level so that I could place desktop shortcuts to programs and folders that we are currently using/studying.  Can this be done?

Right now when a new user is added, a profile and documents folder is created, will implementing mandatory profiles eliminate this, or do I need a new method of adding new users?

It sounds like I need to learn how to write scripts.  What’s a good way to go about this and how heavy duty might the prerequisites be?

Am I correct that I could focus specifically on scriptwriting and mandatory profiles to achieve/learn what I want?  Or is there another key area as well?

Thanks,

eskimo

Offline Nashwan

« Reply #20 on: May 27, 2005, 04:56:34 PM »
Quote
A single simple unchangeable profile would really speed things up. I could teach them how to find their data folders; heck I’ve taught third graders to map their own drives because several of their accounts keep forgetting how to find a key drive.


You can assign a network folder to each user as part of their account info; it's automatically mapped every time they log on. (Look on the profile tab of their account info, and select Connect to.)

Quote
My big question is: can I let our teachers keep their roaming profiles, and put the students on mandatory profiles within the same network and login script?


You should be able to, unless you are using the logon script to assign the profile (don't know if that's actually possible).

The profile path for each user is part of their account info, so it can be set on a per user basis, so you can manually assign a mandatory profile to any user (without affecting any other user).

However, if you've got a lot of user accounts, it can take some time (although a lot less than a minute per user) to do it manually.

It all depends what current method you use for automation. How do you create new users at the beginning of the year?

Quote
It would also be nice if I could have one profile per grade level so that I could place desktop shortcuts to programs and folders that we are currently using/studying. Can this be done?


Yes. Again, though, the amount of effort required depends on how your system is currently automated.

What you really need to look at is active directory scripting. It's possible to create a batch file that takes a spreadsheet with all the pupil names, creates an account for each, assigns a profile, creates a network folder, shares it, applies the correct permissions (for admin, teachers and pupils to have access), etc.

Basically if done properly you run a single batch file at the start of the year and it sets all the users up for you.

It's not actually that hard if you have some experience of programming/scripting, the active directory commands are not that complex, but you will need either training or a decent manual.

Quote
Right now when a new user is added, a profile and documents folder is created, will implementing mandatory profiles eliminate this, or do I need a new method of adding new users?


How is it done now? With a script? If so, it should be fairly easy to modify.

Quote
It sounds like I need to learn how to write scripts. What’s a good way to go about this and how heavy duty might the prerequisites be?


I don't know, scripting has never been my thing, and the only way I've ever done any is when I absolutely have to (and then it takes me 5 times longer than someone who knows what they're doing).

What I've found easiest is to use a basic programme to read the variables in from a csv file, then use the programme to write a batch file, which calls the commands to create the account, folders, change permissions etc.

If you've got any basic programming experience you are half way there.

Quote
Am I correct that I could focus specifically on scriptwriting and mandatory profiles to achieve/learn what I want? Or is there another key area as well?


From what you've described so far, profiles and scripting are all you need.

Scripting isn't strictly necessary, if you don't have too many user accounts.

How are the profiles of users set up now? Go into Active Directory and have a look at the current profile paths etc and get a feel for the way the system works now, and you'll have a better idea of how to make it work better. Try creating a new dummy user and play around with their profile to see what works.
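
The CSV-to-batch approach described in the reply above, sketched as an added example that is not part of the original thread: a small program reads a roster and writes the batch file that creates each account, assigns a per-grade mandatory profile path, and creates, permissions and shares a home folder. The server name, folder layout, group names and grade range are assumptions, and the batch is assumed to run on the domain controller; every CSV field is allow-listed because it ends up on a command line.

```python
import csv, io, re, secrets, string

# Constructed sample roster; the last row carries batch metacharacters.
SAMPLE_CSV = """username,fullname,grade
jsmith,John Smith,3
adoe,Alice Doe,4
bad&name,Eve | calc,3
"""

# Assumed names: server, folder layout, groups and grade range are hypothetical.
SERVER = "\\\\SERVER1"
HOME_ROOT = "D:\\Home"
GRADES = {"3", "4", "5"}
USER_RE = re.compile(r"[A-Za-z0-9._-]{1,20}")    # no spaces or shell characters
NAME_RE = re.compile(r"[A-Za-z][A-Za-z .-]{0,63}")
PW_CHARS = string.ascii_letters + string.digits  # safe inside a batch line


def build_batch(csv_text):
    """Return (batch_text, rejected_usernames) for a roster in CSV form."""
    lines, rejected = ["@echo off"], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user, full, grade = row["username"], row["fullname"], row["grade"]
        # Every field ends up on a command line, so allow-list before use.
        if not (USER_RE.fullmatch(user) and NAME_RE.fullmatch(full)
                and grade in GRADES):
            rejected.append(user)
            continue
        password = "".join(secrets.choice(PW_CHARS) for _ in range(12))
        home = HOME_ROOT + "\\" + user
        profile = SERVER + "\\Profiles\\Grade" + grade  # folder with Ntuser.man
        lines += [
            f'net user {user} {password} /add /domain /fullname:"{full}" '
            f"/profilepath:{profile} /homedir:{SERVER}\\{user}$",
            f"net group Students {user} /add /domain",
            f"md {home}",
            # Replace the folder's ACL: admins full, teachers and owner change.
            f"echo y| cacls {home} /T /G Administrators:F Teachers:C {user}:C",
            f"net share {user}$={home}",
        ]
    return "\r\n".join(lines) + "\r\n", rejected


if __name__ == "__main__":
    batch, rejected = build_batch(SAMPLE_CSV)
    # The output contains initial passwords: restrict access, delete after use.
    with open("create_students.bat", "w", newline="") as fh:
        fh.write(batch)
    print("rejected rows:", rejected)
```

Rejected rows are reported rather than silently dropped, so a roster typo shows up before the batch file is run.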

Offline eskimo2

« Reply #21 on: May 27, 2005, 07:46:51 PM »
Thanks Nashwan,

After work today I created a test account and a Mandatory Profile.  I found a “How To” at a Microsoft site.  I couldn’t follow the directions to a T because an impossible step came up near the beginning.  I’m pretty sure I found a way around it though and got it to work.  The profile is under 700 KB, most of it is a “Ntuser.dat” file that I changed to a “Ntuser.man” file.  After reading online it looks like it would pay to study how to modify it with the Registry Editor.  It doesn’t seem like it would need to be that big for something that just looks after a few icons and mapped drives.  I did type in the username and password for 13 PCs in my lab, I then walked down the line and tapped “Enter” to log them on at nearly the same time; by the time I got to the end, most of the machines had logged on.  Three or four of them took over 20 seconds, but it was way faster than I have ever seen.  This is definitely the way to go and should really boost productivity/work time for my students.  I have a long way to go, but am very encouraged.

I now see that I’ll be able to do what I want without touching the teachers’ accounts. It also looks as if I can create one mandatory profile per grade and put all of the students in folders by grade level, as I wished.

The company/guy who built and installed our server used a spreadsheet/batch files and made a script so that they would all be created automatically. About 5% of the accounts that he created behave differently and have a few problems. He showed me how to create a new user account and I have added all new users one at a time that way since then. These new users, however, behave like and have the same problems as the 5% problem accounts that he created. They can’t find the printers automatically, and they have a few permissions issues. There is also the problem of some accounts forgetting drives. The drive that they often lose is one that I created where students turn in their work; all users can read and write to it. Basically I right click on the students group, choose > add > new user; then type in name etc. The next stage is to adjust the properties, assign groups, profile path, login.bat, folder drive location, etc. Many times I have compared a new user’s properties to an older one’s, side by side. I’ve gone through every possible tab and option and made everything exactly the same, yet the new ones are different. One insignificant difference: the old users use Windows classic view, while the new ones use XP’s more colorful one. I can’t imagine what I missed. The profiles are clearly different, however. Administrators do not have rights to view or modify these folders. Something is screwy.

There is one new significant problem that I have to work past with the Mandatory Profiles:  When an MS Office program is started it goes through some kind of new user set-up thing and tries to install some BS; it then asks for a username to be used in online workgroups or something.  It takes about 15 seconds.  I never paid attention to it because it only happens the first time a new user uses an MS application.  With the Mandatory Profile account test though, it went through this every time the application opened.  Right now this is the most significant detriment to Mandatory Profiles, but I’m sure there’s a way to turn that silly thing off.

eskimo