Slide 1: WinAthena
IT Partners, October 25th, 2002
Paul B. Hill
12/4/2018
Slide 2: Project Goals
- A campus-wide domain to foster collaboration, teaching, and access to institutional data
- Uses existing Kerberos infrastructure, AFS, Moira, Data Warehouse, …
- Expect wide usage before NT4 is phased out by Microsoft
Slide 3: Description
- The WinAthena system should provide a scalable, customizable system for managing Windows workstations and servers at MIT
- FOR MORE INFO...
Slide 4: Status
- Servers in continuous operation since Spring of 2001
- In use by several groups today
- New departments and groups on a case-by-case decision at this time
Slide 5: New Technology
- PXE, RIS, RIPREP: remote installation of the operating system (Portable Execution Environment, Remote Installation, Remote Image Preparation)
- Group Policies: management of computer settings via a mixture of central IS and departmental administrators
- MSI: Microsoft Installer Service enables the distribution of software using Group Policies
- ActiveDirectory
Slide 6: MIT Standards being adopted
- Kerberos: authentication used across departments and applications; single sign-on
- Moira: lists and groups used across departments and applications
- AFS: file system used by Athena and Web.mit.edu
Slide 7: What the user sees: identifying a WinAthena machine
- Ctrl-Alt-Del should show a screen that has a "log on to" entry for "ATHENA.MIT.EDU (Kerberos Realm)"
- Use your normal MIT username and password
- You must have changed your ATHENA password since February of 2001
Slide 8: Your password and cross-realm authentication
- All WinAthena authentications rely on cross-realm authentication
- Initial authentication is made to the Athena realm
- Users' native Windows passwords are set to a unique 127-character random string
Slide 9: Applications that don't support Kerberos
- Microsoft Exchange 5.5 and 2000
- Outlook 2000, XP, 10, …
- Microsoft's FTP
- Microsoft's Macintosh File and Print Services
- Many versions of Microsoft SQL Server
Slide 10: How to use those applications in our environment
- Set your Windows password to a value that you know, or manually synchronize it with your Athena Kerberos password
- This page also lets you reset your Windows password to a random value
Slide 11: Getting a computer into the Domain
- Multiple methods:
  - Remote Installation (RIS)
  - Remote Image Preparation (RIPREP)
  - Joining an existing machine
  - Ghost / Drive Image (historical)
Slide 12: RIS
- Performs a complete OS installation
- Reformats the hard disk
- Gives everyone a known stable state to start from
- Appropriate for new hardware
- Can support multiple partitions
- Currently installs Win2k with SP3
Slide 13: RIS Disadvantages
- Reformats the drive, destroying all existing applications and data
- Does not install any application software
- Image needs maintenance as newer hardware drivers are required
Slide 14: Ghost / Drive Image
- These products have been used by many departments running NT4 domains
- Well understood by several departments
- Creates a machine with OS and applications installed
Slide 15: Ghost / Drive Image disadvantages
- Simple cloned image that must be joined to the domain after installation
- All of the hardware must be very similar
- Multiple images required for each new model of hardware
Slide 16: RIPREP
- Think of this as a hybrid of RIS and Ghost
- Installation over the network
- Joins the domain
- Image supports multiple hardware models
- Applications can also be installed
Slide 17: RIPREP disadvantages
- Reformats the drive and only supports a single partition
- No dual boot
- Requires IS to host the image
- Requires driver maintenance and testing against a growing number of hardware models
Slide 18: Joining existing installations
- Highly desired by many users
- No reformat, no down time, no data loss, no application loss
Slide 19: Disadvantages of "Joining"
- Machine starts in an unknown state
- May be corrupted before joining
- May or may not work
- Not very supportable
- May be unsecured
Slide 20: Computers, Moira, and Active Directory
- Computers in a Win2k or .NET Domain have an identity, just like users do
- Moira is used to manage some of this information
- Moira data is propagated to Active Directory
Slide 21: Steps before RIS, RIPREP or Joining
- Get the data into Moira
- Machine needs an MIT hostname and IP address
- What container or OU will the machine be placed into? (Adcontmgr or Stella)
- A container admin can add a machine to his or her container
Slide 22: Reinstallation issues
- To reinstall or rejoin a machine, do not delete or modify it in Moira
- You only need to delete the machine's object entry in Active Directory
- AD Container Management or web form:
Slide 23: Default Software Installed
- We do not modify the Microsoft Operating System or their utilities
- Group Policies are used to assign software; a minimal set is required:
  - ActiveState Perl distribution (used for scripting some of our maintenance tasks)
  - Pismere.msi package
  - ADContMgr.msi package
Slide 24: Pismere MSI package
- MIT Kerberos libraries and utilities
- AFS client and utilities
- Selfmaint service
- EventSysLogger service
- Moira clients
- WinZephyr and utilities
- Klpr
Slide 25: Your user profile
- Only roaming profiles are supported
- All roaming profiles are kept in AFS
- H: is your AFS home directory
- Z: is the root of AFS
- The profile is split between two subdirectories in H:
Slide 26: .winprofile and WinData
- The profile is split between these directories
- .winprofile contents are always downloaded during login
- WinData is redirected; files are transferred over the network as needed after login
Slide 27: .winprofile
- StartMenu
- Desktop
- Cookies
- NTUser.DAT
- NTUser.pol
Slide 28: WinData
- My Documents
- Application Data
- Favorites
Slide 29: Hints and tricks
- Do not store large files on your desktop; use shortcuts on the desktop
- Place shortcuts in your My Documents folder using UNC file names
Slide 30: Web publishing
- You can publish static content to the web using the copy command or by saving files using the GUI
- Create a www shortcut in My Documents pointing to your AFS www directory
Slide 31: AFS quotas
- Check your AFS quota: fs quota h:.
- We don't have the Athena quota command
- fs help
Slide 32: AFS locker utilities
- add, attach, addmenu
- These are not persistent across logins; use scripts with these commands
Slide 33: Moira utilities
- Moira MMC
- moira, listmaint, mailmaint, stella, blanche, stanley, chfn, chpobox
- AD Container Management
Slide 34: Active Directory tools
- AD Container Management: talks to Moira and AD
- AD Users and Computers: only aware of AD
Slide 35: Active Directory Access
- Do not write directly to AD to create groups or security descriptors; the data will get overwritten
- Make these changes in Moira
- AD access requires Kerberos authentication to the directory; SSL is disabled
Slide 36: Printing
- Publishing a printer in Active Directory
Slide 37: Member Servers
- Departments should consider a departmental file and print server within the domain to provide departmental services
- Member servers may include other application servers
Slide 38: Group Policies
- Group policy objects (GPOs) apply settings to multiple machines:
  - Whole container
  - Subset of container (ACLs/groups)
  - Multiple containers can link to the same GPO
- Microsoft has many documents
- Specific to WinAthena:
  - Only computer configuration is useful
  - Administrative templates/WinAthena settings
Slide 39: WIN Domain default policies
- Documentation
- Non-overridable:
  - Installs Pismere, ResKit, Perl, Adcontmgr
  - Startup/shutdown/logon/logoff scripts
  - Kerberos & DNS information
- Overridable:
  - Minor cosmetic settings (no autoplay etc.)
  - Sync Administrator password to Athena
  - Messenger service is manual
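How the "non-overridable" and "overridable" split works out in practice, as an added model of Windows 2000 Group Policy precedence (this is illustrative code written for this page, not WinAthena's own tooling; the GPO names and setting values are constructed):

```python
# Added example (not from the original slides): a model of Windows 2000 Group Policy
# precedence, showing how the WIN domain's "non-overridable" defaults survive a
# departmental container's own GPO while the "overridable" ones do not.
# GPO names and setting values are constructed for illustration.
from dataclasses import dataclass


@dataclass
class GPO:
    name: str
    settings: dict             # setting name -> value
    no_override: bool = False  # Win2k "No Override" (called "Enforced" in later versions)


def effective_settings(chain, block_inheritance=False):
    """Resolve the computer-configuration settings a machine ends up with.

    chain is ordered from the domain down to the machine's own container, the
    order in which Windows applies GPOs, so a later GPO normally wins a conflict.
    Two exceptions are modelled: a setting from a GPO marked No Override is locked
    against every GPO applied after it, and Block Policy Inheritance on the
    machine's container discards inherited GPOs unless they are No Override.
    """
    if block_inheritance:
        chain = [g for g in chain[:-1] if g.no_override] + chain[-1:]
    result, locked = {}, set()
    for gpo in chain:
        for key, value in gpo.settings.items():
            if key in locked:
                continue           # already fixed by a No Override GPO above
            result[key] = value
            if gpo.no_override:
                locked.add(key)
    return result


# Constructed GPOs modelled on the split described on slide 39
WIN_LOCKED = GPO("WIN default (non-overridable)",
                 {"install:Pismere": True, "kerberos_realm": "ATHENA.MIT.EDU",
                  "run_startup_scripts": True}, no_override=True)
WIN_SOFT = GPO("WIN default (overridable)",
               {"autoplay": False, "sync_admin_password_to_athena": True,
                "messenger_service": "manual"})
DEPT = GPO("Departmental container GPO",  # a container admin changing both kinds
           {"install:Pismere": False, "kerberos_realm": "EXAMPLE.DEPT.REALM",
            "autoplay": True, "messenger_service": "disabled"})


def department_demo(block_inheritance=False):
    """Settings a machine in the departmental container actually receives."""
    return effective_settings([WIN_LOCKED, WIN_SOFT, DEPT], block_inheritance)
```

The departmental GPO's cosmetic changes take effect, while the Pismere install and Kerberos realm stay as the domain set them, even when the container blocks inheritance.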
Slide 40: Using Group Policies to deploy software
- Microsoft Installer (MSI)
- GP can assign MSIs to machines
- Versioning/upgrades
- Transforms:
  - Install to a non-default location (e.g., share point)
  - Install a subset of the package (e.g., Office)
- How-to
Slide 41: Placing machines on ACL to restrict access to software
- Machines may be placed on Groups in Moira
- Apply to NTFS / AD
- Do not yet propagate to AFS
- Always use Moira groups for machine ACLs… even for just one machine (SID dependency)
Slide 42: Automatic Groups and Containers
- When a container is created, a Moira group is created
- Use Moira tools or adcontmgr to view the name
- Usually named "cnt-foo" for container Machines/foo
- As objects are added to the container, the objects are also added to the Moira group
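The "SID dependency" behind slide 41's rule, together with slide 42's automatic container group, as an added toy model (illustrative code written for this page, not WinAthena's or Moira's own; the machine name, container name and SIDs are constructed):

```python
# Added example (not from the original slides): a toy model of why machines should be
# ACLed through Moira groups rather than by individual machine SID. Names and SIDs are
# constructed; real SIDs are issued by the domain.
from itertools import count

_rid = count(1000)


def new_sid():
    return f"S-1-5-21-EXAMPLE-{next(_rid)}"   # constructed, never a real domain SID


class Directory:
    """Toy AD: computer objects, Moira-fed container groups, ACLs keyed by SID."""

    def __init__(self):
        self.computer_sid = {}  # computer -> SID (a new SID each time the object is created)
        self.group_sid = {}     # Moira group -> SID (group object persists across reinstalls)
        self.members = {}       # Moira group -> set of computer names

    def create_computer(self, name, container):
        self.computer_sid[name] = new_sid()
        group = "cnt-" + container.split("/")[-1]    # slide 42: Machines/foo -> cnt-foo
        self.group_sid.setdefault(group, new_sid())
        self.members.setdefault(group, set()).add(name)  # Moira re-adds it on rejoin

    def delete_computer(self, name):
        del self.computer_sid[name]   # slide 22: only the AD object goes; Moira untouched

    def resolve(self, sid):
        """Principal behind an ACE's SID, or None when the SID no longer exists."""
        for table in (self.computer_sid, self.group_sid):
            for principal, s in table.items():
                if s == sid:
                    return principal
        return None

    def allowed(self, acl, machine):
        """True if an ACE names the machine itself or a group it belongs to."""
        for sid in acl:
            who = self.resolve(sid)
            if who == machine or machine in self.members.get(who, ()):
                return True
        return False


def reinstall_demo():
    """Return (direct-SID ACE still grants, group ACE still grants) after a RIS reinstall."""
    ad = Directory()
    ad.create_computer("lab-pc1", "Machines/foo")
    direct_acl = [ad.computer_sid["lab-pc1"]]   # ACE on the machine's own SID
    group_acl = [ad.group_sid["cnt-foo"]]       # ACE on the Moira group instead
    ad.delete_computer("lab-pc1")               # reinstall: object deleted ...
    ad.create_computer("lab-pc1", "Machines/foo")   # ... and recreated with a new SID
    return ad.allowed(direct_acl, "lab-pc1"), ad.allowed(group_acl, "lab-pc1")
```

After the reinstall the ACE holding the old machine SID is orphaned and no longer grants anything, while the group ACE keeps working because Moira repopulates cnt-foo with the recreated object.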
Slide 43: Using Group Policies to execute scripts
- Startup: Computer Configuration/Windows Settings/Scripts
- Shutdown: Computer Configuration/Windows Settings/Scripts
- Logon: Computer Configuration/Administrative Templates/System/Run these programs at user logon
- Non-GP scripting:
  - Logon: All Users' Startup folder
  - Scheduled: Selfmaint
Slide 44: Microsoft Updates
- Microsoft Auto-Update: quick and easy; not regression tested
- WinAthena Updates:
  - Hotfixes: Selfmaint runs AutoHotfixer
  - Service Packs: pushed out as MSIs via GP
  - RIS images updated to include them