How to become a good system administrator: managing a computer lab in a school

With regards to not being allowed to do certain things ie installing applications or changing backgrounds, etc why dont you use windows xp pro and get a program for each computer called deepfreeze.

http://www.faronics.com/

Then make the accounts that the students can use limited and password protect the admin accounts.

Here is a program :

http://www.thenakedpcstore.com/jermar/short_list.html

Look at this :

http://support.microsoft.com/kb/280687

http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/93252.asp

http://www.xploiter.com/tambu/regwack.html

With regards to switching O/S, you need to do dual booting on whichever machines you want more then one operating system :

http://windows.about.com/cs/dualboot/

If you want them on a single drive you would most likely have to partition your hard drive on that machine :

http://pcbuyersguide.com/software/system/dual-booting.html

http://geodsoft.com/howto/dualboot/

http://www.brienposey.com/kb/issues_to_consider_when_dual_booting_between_win2k_and_winnt.asp

http://forums.extremeoverclocking.com/archive/index.php/t-13450.html

Partition Programs :

Partition Magic 8.0:

http://www.satellite-store.net/p22/Par-2.dwt

http://www.powerquest.com/partitionmagic/

Ranish Partition:

http://www.ranish.com/part/

http://www.pcworld.com/downloads/file_description/0,fid,6170,00.asp

http://www.pcanswers.co.uk/downloads/default.asp?pagetypeid=2&articleid=4364&subsectionid=604&subsubsectionid=376

If you are using windows xp ( I am not sure about windows 2000 ) you can use the disk manager instead of either of the above 2 suggestions. This you can find in control panel --> Admin tools --> computer Management --> Disk management.

With regards to un wanted sites and spyware etc I would make these suggestions :

Use zone alarm as a firewall , you can configure it to block porn sites, gambling sites, etc. Read here :

http://forum.maxthon.com/forum/lofiversion/index.php/t12881.html

Download here :

http://www.download.com/ZoneAlarm-Security-Suite/3000-10435_4-10367378.html?tag=lst-0-1

Also if you go to Internet Explorer --> Tools --> Options and then click on the security tab, then click on restricted sites  --> then click on the sites button, you can add sites into there which you want IE to block. That will take a lot of effort as there are many sites with regards to porn, spyware etc.

The other alternative is to use some software like net nanny.

Download from here :

http://www.download.com/Pornblocker/3000-2144_4-10207376.html?tag=lst-0-1

http://www.download.com/3120-20_4-0.html?qt=block+porn&tg=dl-2001

Then there is the anti spy ware programs :

spy sweeper from www.webroot.com

microsofts anti spyware from --    http://www.microsoft.com/athome/security/spyware/software/default.mspx

Ad aware  --  http://www.lavasoft.de/support/download/

Then onto virus applications :

AVG ( You should be able to get the free edition ) -- www.grisoft.com  

sophos --  www.sophos.com

you can also use free online virus scanners :

http://housecall.trendmicro.com/

With regards to controlling pc's remotely sysinternals has software to do that :

http://www.sysinternals.com/

www.vnc.com

www.tightvnc.com

http://www.dameware.com/

I hope this gives you enough useful information !

kind regards

Gecko

FYI: Altiris does much of the above.  I'm not selling it, just trying to minimize administration and patch management of controlling software.

We use Altiris also and it is a great solution.

What I would also recommend though is VMware or Virtual PC.  You could lock down the orginal OS so that it can never be changed or messed with.  Then have VMware start as the only app and then the students can pick the environment they want.  Linux Windows  so on.  Also it has a snapshot and revert so when the student leaves or restarts the machine it automatically reverts to the orginal virus free and perfect way it was before.

yeah, concur with gpriceee, altris is nice for ease of management, but it might be hard to convice the accountants that it's viable tool to work into your budget.

The easy solution for you on the windows side is to get windows active directory server up and running and add as many of the machines as you can to a single domain, then you can use GPO's Group Policy Objects to control a number of the actions that you want to restrict and isolate out the sections of your network (shared drives, etc) that you want to restrict access to.

You can also use the nice built in remote desktop feature to control each machine from your single admin box and run updates from your one location rather than running around to each machine. I'm not sure how viable that is when mixed with multiple linux distro's but in a pure ms environment, it works resonably nicely on a limited budget.

You might also consider something like Norton Antiviru's Corporate Edition because it allows you to control each client machine from a single server so rather than running the typical liveupdate on each machine, you run it only on the designated server, and you can schedule regular scans en masse.

For your deploys of software such as office, visual studio, photoshop, whatever, unless you can shell out for a management solution, you're pretty much SOL because most of these installs require you to actively participate by entering license codes and agreeeing to EULA's.  

One nice thing tip is that if you have the space, make an image of each CD for the app you need to install, put it on a network share along with a text file of the serial and rather than dragging a CD around to each workstation, install it off the network share so you just line up a row of machines and walk down the line 5-10 at a time, or better yet, sit at your station and just remote desktop to each and use the network image to install the software, entering serial numbers and clicking Next as you need to.  Not that it makes life super easy, but easier. And after you finish a whole lab, i gaurantee you'll have the CD key for MS Office memorized :)

one tip on the dual boot with windows/linux. You might want to install windows first, then when you install linux, leave the NTLDR (windows boot loader) and MBR (Master Boot Record) just to avoid problems on the windows side. and i hope to avoid a flame war, but i perfer the GRUB boot loader for linux. personal opinion, it's a little nicer, just make sure you don't install it on the MBR or you'll have issues with windows.

this isn't a cheap and easy problem. It can be cheap, but then it isn't easy, and it can be easy, but then it isn't cheap. best of luck,

I would go with deep freeze, and norton ghost....

YAY ! Someone who finally agree's with me to a certain extent lol :) I agree with the deep freeze and norton ghost :D

Thank you all for your valuable ideas and comments. You make this brainstorm possible.

About the guys who suggested Altiris, it seems to be a great product, unfortunately it's really very, very expensive! I requested a cost estimation to a local reseller and the cost was about USD$30,000.00! Besides, it only works for Windows environments, and we in the lab need to use other OSes like Linux.

I'm starting to think the best solution will be a mixture of several of your contributions. For example, it really attracted my attention the VMWare Virtual Machines. There's a product, VMWare ACE, that seems to be precisely designed to academic institutions. Nevertheless, VMWare by itself won't be enough. I'm also interested on the Domain Controllers and Active Directory Server. Then, for remote controlling perhaps the suggested VNC, and AVG Corporate or Norton Antivirus Corporate for automated patching. However, all these won't be enough either.

There's still the software applications delpoyment problem. Somebody (outside this forum) suggested me to jump to the wagon of thin clients. I don't know the technology, but this guy suggested Windows Terminal Services (2003 Server), Citrix or New Moon for doing this. What do you guys think? Could it be possible to put all these different technologies in a blender and get a good solution for my problem?

Please keep posting!

Regards.

If I was you I would also make a pointer to this question from the linux section / area of this forum so that people who are more familiar with linux can help point you in a good direction with regards to this :)

>>  Could it be possible to put all these different technologies in a blender and get a good solution for my problem?

I would say yes, it would just take a lot of research and personal preferences to figure out what you like the most in terms of combinations of different software :)

I used to have to do this too for a training environment and later for a QA Lab.
Here is my solution.

Build your perfect PC and use Ghost or Drive Image.  You can make images of the various configurations and once done, drop them back on the drives for whatever configuration is desired.  With the cheap version, you just hook up a second hard disk or use say a DVD to drop the Image.

You could use Symantec Ghost Corporate and have the images on the server.  Boot to PXE (The Network) or to floppy and have it automatically pull the images to all the machines at once.

Another great product is a Logicube Solitaire Turbo.  I have the 1 with the keyboard, but you can use the basic one.  I just make an image to it, go to a machine, select which image I want to drop and do it.

For you, I would suggest the Ghost Corporate as you can do all the machines at the same time.

Gecko,

I'm posting some pointers in other experts areas linking to this question.

SamCCarthy,

I can't stop thinking about this issue: which one could be a better solution, using clone images of the perfect PC using Ghost, or using clone virtual machines of the perfect VM using VMWare. In orther words, what's better, physical PCs or virtual machines?

For a Windows environment - I would recommend us Symantec's "Ghost" product with multicasting.  So you get one machine the way you want it and update all 20 machines at the same time using Ghost's multicasting ability.  You wind up with 20 identical machines with no junk from creative students.  Fast, easy, cheap.  This is what we use in our corporate education group.

For Unix environments you can create what's called a jumpstart disk.  Slap in the CD and go.  

http://www.ofb.net/~jheiss/js/jumpstart_disk.html

http://www.daemonsecurity.com/pxe/jumpstart.html

There are probably some scripts that could be run from a central console to get all the servers back to square 1.  

A few ideas for you...

For Linux you could run off of a bootable Linux live CD like knoppix.org it installs in 5 mins and uninstalls even faster
You could also go with Linux thin clients, ltsp.org is  good also look at nomachine.com
Or look into RedHat's Kickstart it lets you automate a Red Hat Linux installation

An alternative to expensive vmware is qemu http://fabrice.bellard.free.fr/qemu/ it's free and works well on decent hardware.

For automating windows installs I use  http://unattended.sourceforge.net/ with excellent results, it's free opensource.
You can automate both OS and application installs with unattended.

This is how it's done:
Windows machines, ghost them. If the hardware on the PC's is identical, then any M$ os that you put on them should work wonderfully. If you have XP and varying hardware, you can still use one (XP)image for all machines. If you have varying hardware, and win9x, NT, or win2k, you will need an image for each type of hardware, espically if there are different chipset's on the motherboards. win2k is forgiving to a cerain degree, but not enough.
Vm-ware is wonderful as well. You can also install vmware using ghost if your running windows as the host OS. Linux can use a kickstart disc to "ghost" pc's this is very simple to do, well with RedHat it is. http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/custom-guide/ch-kickstart2.html (old doc but still very accurate)

Samba can be a free alternative to purchasing M$ server products. Samba and openLdap can be used as ActiveDirectory replacement.
M$ also has a vm-ware alternative Virtual-PC http://www.microsoft.com/windows/virtualpc/default.mspx
Schools sometimes get special deals with software manufactuers, write to them and see if your school might qualify- if they even offer it... M$ has something worth looking into
sales@vmware.com
http://www.microsoft.com/education/SchoolAgreement.aspx
http://bochs.sourceforge.net/ (free but I have no experience with it)

Now you've go your imaging. You need to make a new image with each update, or software addition. The computers can be wipped daily, and re-imaged daily. This is what they do in most library computers on a campus. You get one logon to each pc, typically that pc's name and some static password, that account has Guest Group rights, or User Group rights at best. I'm not sure if you need to lock down the linux pc's... if certain commands require root access try to make them use Sudo and create a very restrictive sudoers file (type visudo as root) http://www.linuxhomenetworking.com/linux-hn/addusers.htm  http://www.courtesan.com/sudo/man/sudoers.html

You can use a boot loader to switch between OS's on the PC's here is a great turtorial on how to do so http://btmgr.webframe.org/
As long as your ghosting properly, and copying the MBR right, there is no reason you can't get multiple OS's installed at once using ghost- You would be partitioning the drives but that's about it. SmartBootmanager can be re-run if the ghost doesn't work quite right.

Then you have to maintain an up2date ghost image, and you can actaully ghost all the PC's at once using multicast (be sure to disable any span tree portfast settings on your cisco switches) and you can have 100 PC's imaged in 15 minutes with multicast.
-rich

there is a piece of software my school uses that will not write changes to the harddrive, it is called "Deep Freeze" from Farconics (http://www.faronics.com/), and basically every time the computer is restarted, it goes back to when deep freeze was first installed (or whenever you told it to roll back to), its kinda like system restore, only on a daily basis and doesnt require a long drawn out process to get it, in fact, its like it doesnt even write the changes to the harddrive at all and there is no way for anyone to know its even running, but it can be easily disabled

this will only work for windows based operating systems

for linux, it all depends on what they are doing with it, if they are not needing to save anything on harddrives, give them bootable linux distributions on CDS, like knoppix, or something like that, so that it doesnt touch the harddrives on the system, it simply boots from a cd, and once you shutdown, take the cd away and its the same everytime you boot it up

or if you must, set up one linux partition and have the students save whatever work they do in linux onto that one partition, or run a network server with the files on it


and to make your reformats easier, use Norton Ghost or something similar

for virusscan, there is no real need, cause once you turn off the computers, the virus is gone, although ondemand scanning with something like AVG would be a nice touch

--adam

here's your solution
install Windows XP Pro on ALL the computers
now you can use the group policy editor to allow/disallow everything from running certain programs to installing stuff, etc etc
then have a VM application on each computer in case you want to use an OS other than Win XP

ah, rich makes a really good point, if your school is part of MSDN AA (Academic Allience) http://msdn.microsoft.com/academic/ you can get access to most if not all of the software you'll need on the MS side, including Virtual PC, at little extra hit to your own budget. Check around with the different departments/schools and see if anyone is participating. At the uni i used to work at the EE dept. was able to "borrow" the license from the Comp Sci deptartment, which is technically in a toally different school (Letters, Arts and Sciences rather than Engineering).

A note on the VMs though, you'll see a performance hit, same as if you are running anything intensive over a live linux distro like knoppix. For a uni class that's only an hour long, the extra five minutes boot time might be a bit too long, and you should have big enough hard drives that making a dual boot system and then imagine it like everyone has been saying is probably a better idea for you. One thing might be to consider a Novell / Suse-like linux distro that is a little easier to centrally manage.

Experts,

First of all, Rich, I am somewhat confused, because first you recommended "Ghosting" the PCs, and then you said VMWare was the best solution. I understand this two choices are mutually-exclusive.

Now, my academic institute certainly doesn't have much money to spend, but if needed, they are willing to do an extra-effort. About Microsoft Academic Alliance, my institute is NOT part of such agreement. My institute has several licences of Windows Server 2003 Enterprise, but they were not  purchased with any special agreement. We are not (and neither will be) part of any agreement with Microsoft.

About the guys that have been recommending DeepFreeze, Ghost and VMWare: please remember that one of the most important problems I have to solve, is application availability. If a create a Ghost Image (GI) or a Virtual Machine (VM) of my "ideal PC configuration", and then I replicate it through the laboratory, the problem is that if a new application is needed to be installed, I have to re-replicate  the GIs or VMs again... don't I (in such case, it's time-consuming)? Could this be solved with Terminal Services and/or Citrix or New Moon? If so, what happens with Norton Ghost? can Ghost coexist with Terminal Services? I'm asking you this because I'd prefer that all the applications could be automatically deployed to the client workstations without having to do it manually... although I don't know if such a thing is possible.

About VMWare: I also agree that VMWare is very flexible since I can have many different OSes installed in my PC without having to deal with annoying and unstable dual boots. The problem is when I have a VM with XP, and the host OS is XP, then I have Windows XP inside Windows XP... that's kinda weird and feels it doesn't make sense.... and which VMWare product is better for me? Workstation, GSX Server or ACE?

Please keep it coming!

Regards.

I was unclear- If I had the $$$/Funding I'd go with a vm-ware like setup. It's really not much different than a ghosted setup, but the vm-ware boot manager is much better than others I've used in a seperatly partitioned harddrive. You have a nice GUI where you can select win2k, winxp or other. And In another thread I indicated I'd run all pc's with linux as the hosting OS, and then place vm-ware running M$'s os's as the guest os's (to save on licensing and money overall) Like you say, running M$ to then run VM-ware running M$ makes no real sense.

I can understand your delima of needing to install one single app on 20 plus machines on short notice, and the way I see it is this. For adding a single app to 20 pc's it's probaly faster to just sit down in front of them to do so. Ghosting or copying vm images would take to long...
You will have to put in the time to install the application to one pc, get it all up2date while your at it if need be. Then run sysprep, and when the machine shut's down, ghost the disk, or copy the VMDK files (if using vm-ware)- we'll stick to the ghost solution. Now it takes 10-15 minutes to copy a 4gig windows xp install off a hd to a windows share at 100mb/FD using ghost.
It takes 10-15 minutes to copy those images onto "X" amount of pc's using ghost multicast. It takes another 5-10 minutes to rename the pc's and join them to a domain we'll say.
15minutes to ghost an image
15minutes to image 20+ pc's using multicast
10minutes each to setup (these are all maximum assumed times) that's like 3 hours just to run through the sysprep utility alone plus the 30 minutes to ghost
And if you had to do that for each OS, that's crazy...

You may consider getting everyone a dumb-terminal to a citrix or terminal service server. You can actually save money by using linux to connect to the TS/Citrix servers using the
Rdesktop application. We use this at a small public library we helped out with a few months ago, they've not had a problem for 4 months. Rdesktop is great.

I'm sorry to keep confusing you ;) but TS/Citrix sounds like a good solution.
You can use ghost to make a TS server (or citrix server). You have to license the seat's for TS (i'm not an citrix guy, not sure about it)
If there is information that users need to store or keep, I'd recommend having them store it on another server, or on a seperate partition on the PC in their own home directory or personal folders. You should re-image the TS server on a regular basis to keep it up todate and clean and clear of spy-ware. http://sourceforge.net/projects/rdesktop/ is the develpment page for Rdesktop installation. With TS or Citrix, memory and processor power are going to be the biggest factors for preformance. The clients do relitivly no work.
-rich (the flip-flopper) rumble

I disagree with Terminal Services as a solution completly.  First of all this doesn't fix his main issue.

1. Running multiple OS's.  "Install the appropriate operating system (OS) that is needed or instructed by the teachers, according to the classes that are going to take place in my lab. This can vary from Windows 2000 Professional, Windows XP Professional or even several distributions (distros) of Linux."

2. Or deploying his applications as needed although would simplify this task.

Also then he is completely reliant on this one box.  If he doesn't lock it down properly and someone messes up something or he has a hardware failure the entire lab is affected and down until he can get it back up.

In his current situation he only loses one of his 20 desktops.

Bottom line you need a line of one of two solutions.
1. Deployment package for the applications and a deployment solution for the operating system.
2. Deployment package for the applications and VMware to control your OS environment.

Some recommendations.  Make some standards.  Like we will only use Window XP for a windows OS, don't know why you would need XP or 2000.  XP should do just fine.  For Linux standardize on one also.

Also have you thought about licensing?
Now, my academic institute certainly doesn't have much money to spend, but if needed, they are willing to do an extra-effort. About Microsoft Academic Alliance, my institute is NOT part of such agreement. My institute has several licenses of Windows Server 2003 Enterprise, but they were not  purchased with any special agreement. We are not (and neither will be) part of any agreement with Microsoft.

Do you actually own a separate license for all the Microsoft OS's you are installing for these PC's?  This is another reason to standardize or obtain an agreement.

I just thought his question title is :

"How to become a good system administrator: managing a computer lab in a school"

I just wanted to be a smart A$$ and say, practise, practise and more practise, not to mention experience and other things :D *GRINS*

Well anyhoo, I hope the suggestions above helped you out :D

Kind regards

~GO