Aces High Bulletin Board
General Forums => The O' Club => Topic started by: eskimo2 on May 25, 2005, 06:58:00 PM
-
My situation,
I am the computer teacher at a K-8 Catholic school. I am also the network administrator, website administrator, technology fix-it guy, etc. I have no formal computer training; I’ve learned a lot about Windows, MS Office, website construction, networks, etc. Our server and network were built and installed by a local company in 2002 right after I was hired. Students and teachers have accounts that let them access their files from any of the school’s 75 computers. The server runs Windows 2000 Server.
The more I learn about our network design, login protocol and data storage protocols, the more I realize how screwed up it is. There have been a number of problems from day one, that won’t go away until it is redesigned. I want to redo much of it over the summer. I don’t have a clue how to write scripts that determine where and how specific users’ data is stored, login scripts, etc. (I’m not even sure that “script” is the correct term.)
My question is this, what would be the best way to go about learning what I need to know?
Could I learn what I want to know in a single specific college course?
Is there a specific website that describes how to do the kinds of things that I need to know (that does not assume that I already know much about server administration)?
Would I be better off being trained one on one by someone who has such knowledge?
Thanks,
eskimo
-
Check around Amazon.Com and the sort for Windows 2000 Server Administrator type books. Guides on Networking Essentials is good too.
Are you looking to badge up into a MSCE rating too?
I don't beleive anyone that claims to be an expert in this stuff. It just changes too damn quick
-
Originally posted by LePaul
Check around Amazon.Com and the sort for Windows 2000 Server Administrator type books. Guides on Networking Essentials is good too.
Are you looking to badge up into a MSCE rating too?
I don't beleive anyone that claims to be an expert in this stuff. It just changes too damn quick
I actually have about six Microsoft technical manuals that might cover this stuff, I think. Someone left them; I think that they were pretty spendy. The problem is that they are thicker than phone books. I’m leery of anything by Microsoft simply because their help files suck. I can’t recall the last time I solved a problem with MS Help; they seem like they are written by the government. These books look just as dry. I guess that I should at least look at them again.
Is there anything not written by MS that is worthwhile?
I could care less about a ratings or badges; I just want to be able to fix a few specific things.
eskimo
-
Do you want to modify particular aspects of the existing network, or recreate it all from scratch?
The school networks I've seen can mostly be described as "screwy", partly because of all the seurity that has been built into them (you do not want kids having free access, they will delete anything they can, in my experience)
Can you give an idea of what exactly you want to change?
-
I took a Windows 2K server course a year ago, it was essentially the same as being MCSP certified in Win2K server. My professor had his MCSE, and wanted us to know W2K. So, you can learn W2K server in a single college course - with hands on experience in the course.
BUT, There are a lot of other things that come into play. Is the server the only server, or will there be one or two. IE: Domain Controller (where people login to, and sets the topography for the domain - servers that do what and login to the domain), DHCP server to assign IPs, storage area, mail server, etc.
Except for the mail server, they can be the same box - just need the power and HDD space for the things you need to do.
There's also network security and a lot of other stuff you really need to know well and get covered - beyond W2K server. Firewalls, anti-virus at all systems and servers, and a lot of other problems you need to prevent before they can ever happen.
If you are going for a complete redesign and implementation of the network, you need a lot. If you are looking to just remedy a few key problems and leave the rest intact, you only need to know and be able to work on that.
-SW
-
get this:
http://azureus.sourceforge.net/
Then go here:
http://www.bitme.org.
Good hunting!
What you are doing is way to involved to handle via this message board. It's time you bone up and take on one battle at a time. if you can talk them into paying for training then go for it. If not, refer to the above.http://azureus.sourceforge.net/ (http://) www.bitme.org. (http://www.bitme.org)
-
Originally posted by Nashwan
Do you want to modify particular aspects of the existing network, or recreate it all from scratch?
The school networks I've seen can mostly be described as "screwy", partly because of all the seurity that has been built into them (you do not want kids having free access, they will delete anything they can, in my experience)
Can you give an idea of what exactly you want to change?
I want to modify what is existing. We have one server that does everything, holds all data from all accounts, handles login, email, website, grading program, Semantic anti virus, etc. It’s a dual 60 GB; (has 2 parallel 60 GB HDs in case one fails).
Right now every user has a profile folder and a document folder. The profiles are the big problem. When users login, everything in their profile is sent to their PC. The profiles have all kinds of crap in them; all programs that they use keep settings in their profiles. A few classroom teachers installed Hotbars on their classroom PCs, Hotbar can dump several MB of junk into students’ profiles, Sun (Java?) is another bad one and can also dump in several MB of unnecessary data. Internet Explorer keeps its cookies and favorites in the profiles, I don’t mind this because its never that big, but if a student resets their desktop background in IE, it gets stored in their IE profile folder as a dang bitmap, I’ve seen them push 4 MB. Students can’t reset their desktop backgrounds by right clicking on the desktop; they get a message that they don’t have permission to change properties, but they can in IE. Desktops are also stored in their profiles. I have a rule that they can only have shortcuts on their desktops, but if they have a folder or file its hard for me to tell. Temp and auto recover files are also stored in their profiles. The profiles become a problem when I have a class (24 to 30 students) log in at once, the server sends them all of their profiles. It can send about one MB a second (or better); so it can take a few minutes to get everyone logged in. Many of my classes are only 30 minutes, so several minutes is pretty unacceptable (especially for BS unnecessary data). Other users in the school who have an open file (like a MS Word doc) will experience a freeze while a class logs in. I’d like to get the login data per student well under 1 MB each. I would like all of the BS non-essential data to be stored on the student’s PC in a temporary user folder, not on the server. All 400+ student account folders are stored in on “student” folder; I’d like to have them in sub folders by grade level, possibly with different permissions and limits per grade. Some accounts are screwed up and all files are stored in their profiles. Others have permission issues and are inconsistent with the bulk of the students; I can’t access these folders or even tell how big they are without taking ownership and screwing things up.
Permissions and security are the areas that work pretty well. There is a common drive that only teachers have permissions to write to, student can read only. I have an Intranet site on this drive that has hundreds of my web page lessons and rubrics (what to do assignment check lists). A few classroom teachers also have their own pages and there is a common picture and sounds folder for all to access. There is a common drive that all can read and write to, this is where I have students turn in their assignments. It’s the one thing that they can screw up that’s not their own, but they seldom do.
Really, my concern is with the student accounts, I need to trim the fat and make them consistent.
eskimo
-
Originally posted by AKS\/\/ulfe
I took a Windows 2K server course a year ago, it was essentially the same as being MCSP certified in Win2K server. My professor had his MCSE, and wanted us to know W2K. So, you can learn W2K server in a single college course - with hands on experience in the course.
BUT, There are a lot of other things that come into play. Is the server the only server, or will there be one or two. IE: Domain Controller (where people login to, and sets the topography for the domain - servers that do what and login to the domain), DHCP server to assign IPs, storage area, mail server, etc.
Except for the mail server, they can be the same box - just need the power and HDD space for the things you need to do.
There's also network security and a lot of other stuff you really need to know well and get covered - beyond W2K server. Firewalls, anti-virus at all systems and servers, and a lot of other problems you need to prevent before they can ever happen.
If you are going for a complete redesign and implementation of the network, you need a lot. If you are looking to just remedy a few key problems and leave the rest intact, you only need to know and be able to work on that.
-SW
After reading what I wrote above, do you think I will be able to learn what I want in one Windows 200 server course?
eskimo
-
Originally posted by rabbidrabbit
get this:
http://azureus.sourceforge.net/
Then go here:
http://www.bitme.org.
Good hunting!
What you are doing is way to involved to handle via this message board. It's time you bone up and take on one battle at a time. if you can talk them into paying for training then go for it. If not, refer to the above.http://azureus.sourceforge.net/ (http://) www.bitme.org. (http://www.bitme.org)
I’m not sure what these links have to do with what I’m asking?
The bitme thing requires a password and is by invite only; I don’t even know what it is.
My principal would most likely pay for a course, my question is: is that the best way of going about learning what I want to know?
eskimo
-
Get a hold of the Windows 2000 Server resource kit and use TechNet it will give you many examples and in a lot of cases the "how to"
what it sounds like, you are describing are roaming profiles...
from a course stand point,
you need to look at the following to start with
Implementing Microsoft Windows 2000 Professional and Server (5 days)
http://www.microsoft.com/learning/syllabi/en-us/2152cfinal.mspx
Microsoft Windows 2000 Network and Operating System Essentials (3 Days)
http://www.microsoft.com/learning/syllabi/en-us/2151bfinal.mspx
Designing a Microsoft Windows 2000 Directory Services Infrastructure (3 Days)
http://www.microsoft.com/learning/syllabi/en-us/1561Bfinal.mspx
Cheers
-
Eskimo;
you need a program called "VM ware" (http://www.vmware.com/products/desktop/ws_features.html) .
What it is; is an virtualisation/emulation program. Let me explain a bit further: You install the program onto a WIndows machine. It then offersw up virtual hardware; such as motherboard; chip; RAM and so forth; to which you install an operative system; such as Windows, Mac, Linux what ever. Once you've built this virtual machine; you then have your practise/test envioroment.
In my own case (I'm a system administrator for Copenhagen city hall); I have an IBM portable with 1 gig RAM. On this portable; using VM ware; I've got a domain controller; a file/print server and two XP pro clients all running on virtual machines. In this way I have a complete model of my working enviroment; and can experiment to my hearts content with AD set up; user admin; scripting; group policies; MSI development or what ever.
I can really recommend it.
-
Azureus is a bitttorrent client. If you sign up at bitme.org, which is a elearning bittorrent site you can find all of the classes you can think of. Thats the cheap way out of getting the education you need to do the job.
The other recommendations are good too but I must warn you about messing with things without a backup. For that matter do you guys backup this server daily? Sounds like your majorly screwed if not.
-
If you are looking to trim the user accounts, a W2K class really won't help. It will allow you to better control the network and to do things via Windows 2000 server, but the accounts are something you have to log into manually and clean up.
If I were you, since this is the end of the school year, it would probably make sense to start fresh and delete the student accounts. Keep one, just so you have a template for how to do the rest.
A W2K server class should teach you everything straight from the MCSE training kit for W2K... from installation to advanced administration. If it doesn't teach you from that book, it's not worth taking.
You could pick up the MCSE MS W2K server and look through it. If you feel you need a class, it can't hurt to take it.
-SW
-
Right now every user has a profile folder and a document folder. The profiles are the big problem. When users login, everything in their profile is sent to their PC. The profiles have all kinds of crap in them; all programs that they use keep settings in their profiles. A few classroom teachers installed Hotbars on their classroom PCs, Hotbar can dump several MB of junk into students’ profiles, Sun (Java?) is another bad one and can also dump in several MB of unnecessary data. Internet Explorer keeps its cookies and favorites in the profiles, I don’t mind this because its never that big, but if a student resets their desktop background in IE, it gets stored in their IE profile folder as a dang bitmap, I’ve seen them push 4 MB. Students can’t reset their desktop backgrounds by right clicking on the desktop; they get a message that they don’t have permission to change properties, but they can in IE. Desktops are also stored in their profiles. I have a rule that they can only have shortcuts on their desktops, but if they have a folder or file its hard for me to tell. Temp and auto recover files are also stored in their profiles. The profiles become a problem when I have a class (24 to 30 students) log in at once, the server sends them all of their profiles. It can send about one MB a second (or better); so it can take a few minutes to get everyone logged in. Many of my classes are only 30 minutes, so several minutes is pretty unacceptable (especially for BS unnecessary data). Other users in the school who have an open file (like a MS Word doc) will experience a freeze while a class logs in. I’d like to get the login data per student well under 1 MB each.
Have you thought about mandatory profiles?
A mandatory means the user can't change it. You can set up a single mandatory profile for all the users, it doesn't write the temp data etc back up to the server, meaning each user gets exactly the same profile each time they log in, and any changes they make are lost.
Saves a lot of hassle in my experience.
It also stops people saving stuff to the desktop. If they do, it's simply lost. (Teach them to save data in their network folder)
I would like all of the BS non-essential data to be stored on the student’s PC in a temporary user folder, not on the server.
Mandatory profiles will acomplish this. You won't get down to 1mb per student with roaming profiles, though, the most basic profile is still over 3mb. But I've seen this system working in a school with 200+ computers, and it doesn't result in long delays. However, that's on a 100 Mb network, and it sounds like yours is 10 Mb. If so, that's the first thing you should upgrade.
Also look at getting a second server (even if it's just another pc acting as a server). A second domain controller will spread the load at logon, even if it isn't storing users home folders.
It doesn't even really need any redundancy in the second server. If it's just a domain controller, you don't lose much if it dies.
All 400+ student account folders are stored in on “student” folder; I’d like to have them in sub folders by grade level, possibly with different permissions and limits per grade.
That means either writing a script to modify them, or doing them by hand. Scripting is the way to go in a school, because you have a lot of new accouts to create every year.
Some accounts are screwed up and all files are stored in their profiles.
A mandatory profile will cure this, but you are going to have to sort out where the data is and move it, or the student/teacher will lose things.
But when you've got a mandatory profile in place, you no longer need to worry about stuff like this. Any changes the user makes to the desktop or settings will dissapear when they log off.
Others have permission issues and are inconsistent with the bulk of the students; I can’t access these folders or even tell how big they are without taking ownership and screwing things up.
If you can't access them as administrator, you have 2 options, take ownership of them, give yourself access, then let the students take ownership back, or log on as the student, grant admin access, then stop the student changing permissions again (students shouldn't have full control permissions over their own folders/shares)
You don't have to worry too much about setting up new profiles, because it's something you can do on a per user basis. Set up a new account to test the profile, apply it to a few users to test when you think it's ready, roll it out to everyone when you're sure it's ready.
As to training, in my experience it's usually too general, and gives you an overview of everything, whereas you need more in depth knowledge of profiles and active directory scripting. The profiles shouldln't be too hard, scripting can be.
-
good advice Nashwan but I think you are mistaken on the domain controller issue. I agree having a second one is a good idea and he could use a utility to automatically backup critical folders to it as well for redundancy sake.
"Also look at getting a second server (even if it's just another pc acting as a server). A second domain controller will spread the load at logon, even if it isn't storing users home folders.
It doesn't even really need any redundancy in the second server. If it's just a domain controller, you don't lose much if it dies. "
Win2k handles domain controllers just like nt4 did. You have a primary and a backup. In win2k you can have a bunch of backups but thats a potential CF when the primary goes down. Also, win2k does not use the terms primary and secondary but it functions just the same. You can have as many secondary domain controllers as you want but they will share no load. Only one machine at a time handles the domain load and it handles it exclusively. Worse yet, if the primary goes down hard it will not fail over. then you have no domain controller until you get the primary up and running again. So, just watch out for the pitfalls.
-
Win2k handles domain controllers just like nt4 did. You have a primary and a backup. In win2k you can have a bunch of backups but thats a potential CF when the primary goes down. Also, win2k does not use the terms primary and secondary but it functions just the same. You can have as many secondary domain controllers as you want but they will share no load. Only one machine at a time handles the domain load and it handles it exclusively.
No, if you have several domain controllers they do spread the logon load, with some users logging on to one, some to another (try making changes to a profile on one of them, and you will see). What you are describing sounds like mixed mode, I think.
Worse yet, if the primary goes down hard it will not fail over. then you have no domain controller until you get the primary up and running again. So, just watch out for the pitfalls.
If you are in a situation with a single domain controller, adding a second will not make the first more likely to fail, and will not make things worse if the first does fail (in fact, it makes things easier)
I'm not saying get rid of the redundancy on the existing server, but adding a second without redundancy is still better than not having a second at all.
-
In software development, one of the constants is that it always seems easier to just rewrite something from scratch then it is to figure out the exact issue and fix it. The problem is, you lose the benefits of mature code, fixes that were put in to address specific things that maybe you weren't aware of, etc.
The description you gave of the network doesn't sound half bad compared to some I've seen. I've got a net admin friend that recently took over a network that was 20 PCs running various flavors of unpatched windows, using a linksys home router to connect to the internet. The one 'server' on the network was a Windows 98 machine with file sharing turned on. Sure, it all worked, but there was no security, no protection against external threats, no backup policy was in place, etc etc etc.
First, I'd evaluate just how much of what you see is actually a problem. How big is the actual transaction when a student activates their profile? Second, consider modifying the group policies. You should be able to lock down things like IE allowing them to save backgrounds. If worse comes to worse, you can just delete any file named "Internet Explorer Wallpaper.bmp" on the server. I assume that it would just handle the missing wallpaper gracefully, but that might be worth a limited scale experiment first.
Is the network 100 megabit? If not, upgrading the routers might be the cheapest way to fix any performance issues.
Basically, figure out the actual problems and whether there's a solution to them before you nuke and pave. That's just my suggestion.
-
First, I agree with adding an additional server. Basically, its suicidal to run everything on one machine without any sort of backup. Sooner or latter you will be screwed.
In my direct experience with domain controllers they do not share the load. This information is a couple years old and may have been fixed recently. I'll give you and example. I had a domain controller set up for a client. It did not handle end users since all of the machines in the domain were web/DB and video streaming servers. I added a second machine as a domain controller as backup. One day the first box bit it with bad ram. The box simply froze and we ended up pulling the plug. From that point on no domain functions worked. Active Directory would allow no new machines to join the network, no DNS changes etc... The Domain was simply frozen. If you shut down any machine in the domain it could not rejoin when you tried to relog on. teh only fix to recover the domain was to replace the RAM and manually fail over the domain to the second box. If you shut down the main domain controller gracefully it would pass the domain over to the second box however a hard crash would lock out the domain until you got the old controller back up and running and did a manual failover. I do not have direct experience with user profiles but the domain was entirely locked out under hard crash of the machine designated as primary.
-
There are a number of things that can stop people logging on when a domain controller fails. Especially if it's the first domain controller on the domain, which will have all the operations master roles by default. (and that's not even counting dhcp or dns issues, raoming profiles etc)
But domain controllers do spread the logon load (even under NT backup domain controllers did, iirc)
Granted a cheap second server probably won't keep the network running if the first goes down, it will need to handle DNS, possibly DHCP etc, and if it isn't storing users network folders, it's not much use if they can logon anyway.
But a cheap second server will spread the logon load, with some people logging on to the first server, some to the second (at random, no need to point people at the different servers)
It's only usefull if the profiles are sorted out, though. If people still have unique roaming profiles you will run into more trouble with a second domain controller.
-
Thanks guys,
There’s lots of good advice here.
I should have clarified our back-up. We have a tape drive (it looks like an 8mm camera tape but they cost about $100 each). I back it up every day by cycling through 10 tapes every two weeks; I leave one at home in case a meteor takes our computer lab.
I am planning on making the change sometime this summer; I want to build a new login system and student accounts and manually transfer all student data to the new accounts. After I’m sure that everything is smooth, I’ll delete the old accounts.
As far as a second server goes, we do not have the money. We have one of the best computer labs, servers and network in the area. I really can’t ask for more if we don’t absolutely need it.
Nashwan: “Have you thought about mandatory profiles?”
Not until today; my server knowledge is absolutely limited to our current server and network arrangement. From what you describe, however, mandatory profiles are exactly what I want and was hoping was possible. A single simple unchangeable profile would really speed things up. I could teach them how to find their data folders; heck I’ve taught third graders to map their own drives because several of their accounts keep forgetting how to find a key drive.
My big question is: can I let our teachers keep their roaming profiles, and put the students on mandatory profiles within the same network and login script? It would also be nice if I could have one profile per grade level so that I could place desktop shortcuts to programs and folders that we are currently using/studying. Can this be done?
Right now when a new user is added, a profile and documents folder is created, will implementing mandatory profiles eliminate this, or do I need a new method of adding new users?
It sounds like I need to learn how to write scripts. What’s a good way to go about this and how heavy duty might the prerequisites be?
Am I correct that I could focus specifically on scriptwriting and mandatory profiles to achieve/learn what I want? Or is there another key area as well?
Thanks,
eskimo
-
A single simple unchangeable profile would really speed things up. I could teach them how to find their data folders; heck I’ve taught third graders to map their own drives because several of their accounts keep forgetting how to find a key drive.
You can assign a network folder to each user as part of their account info, it's automatically mapped every time they log on. (Look on the profile tab of their account info, and select Connect to )
My big question is: can I let our teachers keep their roaming profiles, and put the students on mandatory profiles within the same network and login script?
You should be able to, unless you are using the logon script to assign the profile (don't know if that's actually possible).
The profile path for each user is part of their account info, so it can be set on a per user basis, so you can manually asign a mandatory profile to any user (without affecting any other user)
However, if you've got a lot of user accounts, it can take some time (although a lot less than a minute per user) to do it manually.
It all depends what current method you use for automation. How do you create new users at the begining of the year?
It would also be nice if I could have one profile per grade level so that I could place desktop shortcuts to programs and folders that we are currently using/studying. Can this be done?
Yes. Again, though, the amount of effort required depends on how your system is currently automated.
What you really need to look at is active directory scripting. It's possible to create a batch file that takes a spreadsheet with all the pupil names, creates an account for each, assigns a profile, creates a network folder, shares it, applies the correct permissions (for admin, teachers and pupils to have access), etc.
Basically if done properly you run a single batch file at the start of the year and it sets all the users up for you.
It's not actually that hard if you have some experience of programming/scripting, the active directory commands are not that complex, but you will need either training or a decent manual.
Right now when a new user is added, a profile and documents folder is created, will implementing mandatory profiles eliminate this, or do I need a new method of adding new users?
How is it done now? With a script? If so, it should be fairly easy to modify.
It sounds like I need to learn how to write scripts. What’s a good way to go about this and how heavy duty might the prerequisites be?
I don't know, scripting has never been my thing, and the only way I've ever done any is when I absolutely have to (and then it takes me 5 times longer than someone who knows what they're doing).
What I've found easiest is to use a basic programme to read the variables in from a csv file, then use the programme to write a batch file, which calls the commands to create the account, folders, change permissions etc.
If you've got any basic programming experience you are half way there.
Am I correct that I could focus specifically on scriptwriting and mandatory profiles to achieve/learn what I want? Or is there another key area as well?
From what you've described so far, profiles and scripting are all you need.
Scripting isn't strictly necessary, if you don't have too many user accounts.
How are the profiles of users set up now? go into active directory and have a look at the current profile paths etc and get a feel for the way the system works now, and you'll have a better idea of how to make it work better. Try creating a new dummy user and play around with their profile to see what works.
-
Thanks Nashwan,
After work today I created a test account and a Mandatory Profile. I found a “How To” at a Microsoft site. I couldn’t follow the directions to a T because an impossible step came up near the beginning. I’m pretty sure I found a way around it though and got it to work. The profile is under 700 KB, most of it is a “Ntuser.dat” file that I changed to a “Ntuser.man” file. After reading online it looks like it would pay to study how to modify it with the Registry Editor. It doesn’t seem like it would need to be that big for something that just looks after a few icons and mapped drives. I did type in the username and password for 13 PCs in my lab, I then walked down the line and tapped “Enter” to log them on at nearly the same time; by the time I got to the end, most of the machines had logged on. Three or four of them took over 20 seconds, but it was way faster than I have ever seen. This is definitely the way to go and should really boost productivity/work time for my students. I have a long way to go, but am very encouraged.
I now see that I’ll be able to do what I want without touching the teacher’s accounts. It also looks as if I can create one mandatory profile per grade and put all of the students in folders by grade level, as I wished.
The company/guy who built and installed our server used a spreadsheet/batch files and made a script so that they would all be created automatically. About 5% of the accounts that he created behave differently and have a few problems. He showed me how to create a new user account and I have added all new users one at a time that way since then. These new users, however, behave and have the same problems that the 5% problem accounts that he created. They can’t find the printers automatically, and they have a few permissions issues. There is also the problem of some accounts forgetting drives. The drive that they often lose is one that I created where students turn in their work; all users can read and write to it. Basically I right click on the students group, choose > add > new user; then type in name etc. The next stage is to adjust the properties, assign groups, profile path, login.bat, folder drive location, etc. Many times I have compared a new user’s properties to an older one’s, side by side. I’ve gone through every possible tab and option and made everything exactly the same, yet the new ones are different. One insignificant difference, the old users use Windows classic view, while the new ones use XP’s more colorful one. I can’t image what I missed. The profiles are clearly different, however. Administrators do not have rights to view or modify these folders. Something is screwy.
There is one new significant problem that I have to work past with the Mandatory Profiles: When an MS Office program is started it goes through some kind of new user set-up thing and tries to install some BS; it then asks for a username to be used in online workgroups or something. It takes about 15 seconds. I never paid attention to it because it only happens the first time a new user uses an MS application. With the Mandatory Profile account test though, it went through this every time the application opened. Right now this is the most significant detriment to Mandatory Profiles, but I’m sure there’s a way to turn that silly thing off.
eskimo