eXtreme Deployment
Distributing and Configuring 450 Student Notebooks in Five Hours
E. Axel Larsson & Russell Sprague
Drew University

Drew University Computer Initiative
- Started 20 years ago in 1984.
- First liberal arts university to give all students computers.
- Switched to laptops in 1988.
- Around 600 computers purchased per year.
- Computers a major part of the curriculum.
  - Educational software delivered over the network.
  - Laptops often brought to class.

Campus Networking
- A residential network drop was not in all student rooms until Fall 1998.
- Students accessed email, campus directory, and other services on a central VMS machine via a digital phone system.
  - "Client software" consisted of MS Kermit / Kermit 95.
- Campus networking extended to "one port per pillow" from 1997-1998.

Campus Networking (cont'd)
- Novell eDirectory is the primary campus directory service.
- Single-password access to most services. Single-sign-on when possible.
  - File/print, e-mail, web proxy, etc.
  - Novell iChain for web applications (webmail, Blackboard, etc.)
- Identity-based services.
  - Departmental space.
  - Space for courses, based upon enrollments.

Campus Networking (cont'd)
- Clients prior to 2002
  - Win 9x clients only. No support for Win NT, 2K on end-user machines.
  - Novell Client software only.
  - No need to join workstations to a Windows domain.
  - No need to manage local accounts on the workstations.

Campus Networking (cont'd)
- Management of workstations
  - Novell ZENworks for Desktops
    - Application launcher delivers apps to users "on demand".
    - "Force run" apps deliver needed patches and updates.
    - Limited use of user policies and 95/98 workstation policies.
- Limited deployment of Win2K in labs
  - ZENworks "dynamic local user" feature to manage local user accounts.
  - Limited ability to manage DLU on a per-workstation basis. Other deployment difficulties.

First use of Windows XP
- August of 2002 on student laptops
- Used a local administrator account.
- Students logged in as "Drew User" in Windows.
- Students logged in as themselves in Novell eDirectory.
- Machines weren't customized to the student owner.
- Very similar to the way a 9x machine is set up.

Problems with this setup
- Lack of security.
- Users unintentionally locking themselves out.
- Not using the same name for both logins.
- Not in domain. Harder to manage.
- Cannot utilize all features of Windows XP.
  - File sharing.
  - Separate user profiles for separate users.

Active Directory @ Drew
- First campus Active Directory domain in 2002.
- Mirrors eDirectory tree. All users and groups (except course groups) synchronized between eDir and AD using Novell DirXML.
- Password synchronization provided by Novell DirXML Windows Password Sync product.
- Windows XP workstations created in the domain.
- Users log into eDirectory and an AD domain account when logging into XP workstations.

Initial use of Active Directory
- Microsoft's Sysprep tool.
- Used with faculty/staff desktops and updated laptop configuration.
- Machines run through mini-setup.
- Process executed by CNS staff, not the end user.
- Configuration found to be far superior to using a generic account.

Problems with using Sysprep for student handout
- Required a level of access to domain.
- No enforceable way to mandate naming convention.
- Needed to give the owner administrative access and Administrator password.
- While user-friendly, a manual process susceptible to user error.

Alternatives considered
- Manually provisioning every machine.
- Using Altiris Deployment Solution.
- Using ZENworks.
- Other commercial imaging packages.
- Having vendor customize each machine.

Our conclusion: rolling our own solution
- Requirements:
  - Standard image placed on every machine by the vendor.
  - "Just in time" personalization for every user.
  - User friendly, wizard based.
  - Reproducing at least all that Sysprep does.
  - Modular and re-usable.
  - Integrates with uTrack, our existing home-grown asset tracking package (SQL Server based).

Using Existing Skills
- Experience with web-based applications.
  - Lots of experience developing database driven web applications in PHP, Perl, and Python.
  - Very little in house experience with Windows application development.
- Limited time-frame mandated skill reuse.
  - 3 weeks to design and develop the complete solution.
- Decided upon a web based client.

Backend Tech. Requirements
- Had to talk to an existing database for computer inventory tracking (uTrack)
  - MS SQL Server based.
  - ODBC accessible.
- Active Directory
  - Accessible via LDAP, but some of the attributes are really only usable via Microsoft's ADSI (i.e. ntSecurityDescriptor)
- Result: Windows server backend.

Deployment Server Tech.
- Windows Server 2003
- Apache web server exposing an XML-RPC interface (SSL wrapped) to deployment clients.
- XML-RPC methods written in PHP.
  - PHP ODBC support to talk to the uTrack inventory database.
  - PHP COM bindings enabled the use of ADSI for talking to AD from within PHP scripts.

Deployment Server Tasks
- Provides updated versions of the XD client components to clients.
- Provides an XML-RPC interface to the clients in order to:
  - Query the inventory database for computer ownership.
  - Query AD for information about computer objects.
  - Securely store workstation Administrator passwords.
- Provides a web-based admin interface to the helpdesk.
  - Add and remove PCs from the domain and deployment database.

Client Technology
- Presents a browser based interface.
  - Full screen IE browser.
  - Local self-contained Apache serves up the UI.
  - Just presents the UI. No ActiveX controls. The PHP scripts (under Apache) actually touch the PC.
- Local self-contained Apache/PHP
  - Use a combination of COM and simple command line utilities to configure the PC.
  - Local Apache serves up pages to the local PC only, and only runs during deployment (Apache runtime).

Client Tasks
- Use the BIOS asset tag information to query the deployment server for owner information.
- Set the computer name.
- Change the SID. (calls Sysinternals NewSID)
- Join the domain.
- Add the computer owner's domain account as a local administrator.
- Setting the Administrator password; escrow.
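The server tasks and the client tasks above, taken together, are easiest to see as one exchange. The following is an added example written for this page, not code from the original presentation or from Drew University's PHP/XML-RPC implementation: a Python stand-in for the deployment server and client, using the standard library's xmlrpc modules. The inventory records, the method names (get_owner, escrow_admin_password, retrieve_admin_password) and the helpdesk token are all constructed assumptions. The original wrapped the interface in SSL under Apache; this mock listens on loopback without TLS. The Windows-only client steps (rename, NewSID, domain join, local group change) are not executed here and appear only in the plan the client returns.

```python
"""Added example: in-process mock of the XD deployment exchange.
Illustrative only; method names, inventory and token are assumptions."""
import secrets
import string
import threading
from xmlrpc.client import Fault, ServerProxy
from xmlrpc.server import SimpleXMLRPCServer

# Constructed stand-in for the uTrack inventory: BIOS asset tag -> owner.
INVENTORY = {
    "DREW12345": {"owner": "jdoe", "computer_name": "DREW12345"},
    "DREW67890": {"owner": "asmith", "computer_name": "DREW67890"},
}
# Constructed shared secret for the helpdesk retrieval path (assumption).
HELPDESK_TOKEN = "helpdesk-demo-token"


class DeploymentService:
    """Server side: the XML-RPC methods the deployment client calls."""

    def __init__(self):
        self._escrow = {}  # computer_name -> Administrator password
        self._lock = threading.Lock()

    def get_owner(self, asset_tag):
        rec = INVENTORY.get(asset_tag.strip().upper())
        if rec is None:
            raise Fault(404, "asset tag not in inventory: %s" % asset_tag)
        return {"owner": rec["owner"], "computer_name": rec["computer_name"]}

    def escrow_admin_password(self, computer_name, password):
        # Escrow first, apply second: a crash mid-deployment never leaves a
        # machine whose Administrator password nobody can look up.
        with self._lock:
            self._escrow[computer_name] = password
        return True

    def retrieve_admin_password(self, computer_name, helpdesk_token):
        # Retrieval is the helpdesk's path, so it is gated on a secret.
        if not secrets.compare_digest(helpdesk_token, HELPDESK_TOKEN):
            raise Fault(403, "not authorized")
        with self._lock:
            pw = self._escrow.get(computer_name)
        if pw is None:
            raise Fault(404, "no escrowed password for %s" % computer_name)
        return pw


def generate_admin_password(length=16):
    """Per-machine random Administrator password, generated client side."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def start_server():
    """Bind the mock service to an ephemeral loopback port."""
    server = SimpleXMLRPCServer(("127.0.0.1", 0), logRequests=False)
    server.register_instance(DeploymentService())
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/" % server.server_address[1]


def deploy_client(url, asset_tag):
    """Client side: look up the owner by asset tag, escrow a fresh
    Administrator password, and return the plan the Windows steps
    (rename, NewSID, domain join, local admin group) would apply."""
    proxy = ServerProxy(url)
    info = proxy.get_owner(asset_tag)
    password = generate_admin_password()
    proxy.escrow_admin_password(info["computer_name"], password)
    return {
        "computer_name": info["computer_name"],
        "local_admins": ["Administrator", info["owner"]],
        "admin_password": password,
    }


def run_demo():
    """Full round trip plus the two failure paths a reviewer would check."""
    server, url = start_server()
    try:
        result = deploy_client(url, "drew12345")
        proxy = ServerProxy(url)
        recovered = proxy.retrieve_admin_password(result["computer_name"], HELPDESK_TOKEN)
        try:
            proxy.retrieve_admin_password(result["computer_name"], "wrong-token")
            denied = False
        except Fault as f:
            denied = f.faultCode == 403
        try:
            proxy.get_owner("NOPE")
            unknown = False
        except Fault as f:
            unknown = f.faultCode == 404
    finally:
        server.shutdown()
        server.server_close()
    return {
        "result": result,
        "escrow_matches": recovered == result["admin_password"],
        "wrong_token_denied": denied,
        "unknown_tag_rejected": unknown,
    }


if __name__ == "__main__":
    print(run_demo())
```

The ordering matters: the password is escrowed on the server before the client applies it locally, so an interrupted deployment cannot strand a machine with an unknown Administrator password. The mock keeps escrowed passwords in memory; a production store would encrypt them at rest and expose retrieval only through the helpdesk admin interface the slides describe.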

The Process
- Most students receive their notebooks at an annual computer handout event.
  - One day event. 450+ computers distributed in 5 hours.
- Up to six stations operating at once accessing a web-based application.
  - Notebook and printer serial numbers are barcode scanned into the form.
  - Inventory database is updated.
  - Computer object created in Active Directory.
  - Contract printed and signed.
- Student returns to their room and boots their PC for the first time…

eXtreme Deployment in action
- User is prompted with data about the computer from the database.

eXtreme Deployment in action (cont'd)
- User is prompted to join the computer to the domain.

eXtreme Deployment in action (cont'd)
- User is presented with the Administrator account's password.

Results
- 2003 handout a success
  - Students deployed from dorms or the lounge
  - Over 450 computers deployed in 5 hours

Continued use of eXtreme Deployment
- Used with all Windows XP configurations
- Helpful ability to update layers
- Ease of obtaining Administrator password securely

Questions?