Roaming Computing System (Windows Edition) 3.4 - Administration Guide
Miscellaneous Administration
Starting and Stopping the System
Turning Off
You can turn off in any order:
- workstations - Start → Shutdown
- server - press power button on the front, briefly, then wait for it to shut itself down
- firewall - press power button on the front, briefly, then wait for it to shut itself down
- modem - if they have a switch, turn the switch off, otherwise remove the power cable
- hubs - remove their power cable
Turning On
Turn on in the following order:
- hubs - re-connect their power cable
- modem - if they have a switch, turn the switch on, otherwise re-connect the power cable
- firewall - press power button on the front, wait a minute or so
- server - press power button on the front, wait a couple of minutes
- workstations
Administrative Domain Accounts
You have a domain administrator account called winadmin and a domain user account called winuser. Use these domain accounts rather than machine accounts. If you have to give out the domain administrator account to someone temporarily, it is subsequently easier to change this once, rather than change the administrator account on every workstation.
Connecting to the server's underlying file system / operating system from any workstation
To login to the server at the command-line from a Windows workstation use PuTTY via Start → Programs → Internet → PuTTY → PuTTY. Enter server into 'Host Name (or IP address) and choose Open. You can paste commands into the PuTTY terminal by copying in the usual then way just pressing the right-mouse button within PuTTY. To copy text from a PuTTY terminal just highlight the text, it is then automatically in the paste buffer and can be pasted elsewhere.
(Beware, when pasting from guides at thegoldenear.org, PuTTY on windows will include a carriage return at the end of a command where as ssh on linux will not. Some of the commands in these guides assume you don't use a carriage return when pasting them so that the line can be edited before hitting [Enter].
To login to the server at the command-line from a Linux workstation use ssh, using the command ssh root@server.
To transfer files between a Windows workstation and the server at its operating system level use WinSCP on the workstation via Start → Programs → Internet → WinSCP.
To transfer files between a Linux workstation and the server at its operating system level use any of the FTP programs such as FileZilla or gFTP.
Regular Administration Tasks
Workstations
- Defragment each workstation's C: and D: partitions. Start → Programs → Accessories → System Tools → Disk Defragmenter. You need to be an administrative user to do this. This will speed up the computer but probably isn't worth running more often than every couple of months.
- To free up space on C:, use CCleaner to remove Windows' backup of security update files. Login as an administrative user and use Start → Programs → Accessories → CCleaner.
- To free up space on C: (but only as a last resort) manually delete Windows' cache of security update files by deleting the directory %WINDIR%\SoftwareDistribution\Download
- If you have a bandwidth cap on your Internet usage set by your ISP, check. For Zen Internet this is available at https://portal.zen.co.uk/Pages/Wizards/WizardLauncher.aspx?ID=UsageAllowanceWizard.
Server
- Check there is enough free disk space on each partition, using
df -h. - Check the backup system is working - as long as there exists backup-general-* and backup-home-* for each day and they're 0 bytes large then everything should be OK. If they're larger than zero bytes then look at what's in them.
- Perform a filesystem check on the backup disk:
- Unmount the backup disk, in case it is already mounted:
umount /media/backup - Do filesystem check:
e2fsck -p /dev/<disk partition reference i.e. sdb1>
General
- Check the 'postmaster' and 'abuse' mailboxes.
- Is VPN access working so that remote administration can be performed?
Managing Domain User Accounts
Delete A User's Domain Account
Delete their account, with either:
- You should be able to do so from within Windows
- From the command-line on the server:
- Remove Samba account:
net rpc user delete <username>- Note that this doesn't delete their home directory (H:, or /home/<username>) - Delete home directory:
rm -rf /home/<username>- note there are dire consequences of getting this wrong so do so with great care - Delete Windows profile:
rm -rf /home/samba/profiles/<username>
Archive a deleted user's files
Move their files to the ex-staff directory in the archive area, if you already have one. This moves their home directory files (H:) and their Windows profile (containing such things as their Windows desktop, browser bookmarks, etcetera). Their email remains in place.
Make a directory for the user:
mkdir /home/<organisation>/restricted/archive/ex-staff/<username>
Archive their home directory:
mv /home/<username>/* /home/<organisation>/restricted/archive/ex-staff/<username>/
Make a directory for their Windows profile:
mkdir /home/<organisation>/restricted/archive/ex-staff/<username>/windows-profile/
Archive their Windows profile:
mv /home/samba/profiles/<username>/* /home/<organisation>/restricted/archive/ex-staff/<username>/windows-profile/
Restricted Groups
R: is where you can have directories where access is restricted to specific groups of people. For example R:\finance is only accessible by members of the finance group. You can add whichever such groups you choose.
To create a new restricted directory and group use Twix: R → F.
To add a person to a specific restricted group use Twix: R → O.
To remove a person from a specific restricted group use Twix: R → P.
Mailboxes, Aliases and Forwardings
Manage mailboxes, aliases and forwardings using MailManager at http://server/mailmanager/login.php.
Auto-replies
Manage auto replies using Goldfish at http://server/goldfish/.
Domain Mapping
If you want to forward mail from a mailbox at one domain to a mailbox at another, create the domain then create each mailbox and a forwarding for that mailbox.
Don't do whle domain mapping. MailManager doesn't support it because "You will in the first step accept email for anybody in @domain1. Then the aliasing is done. And if Postfix finds that the user doesn't exist in domain2 it will generate a bounce. As spammers tend to guess email addresses you will become a source for backscatter. So that's really a problem. My recommendation: don't use it like this. Instead use an alias for every user in domain1. Even if it's tedious.".
Server Updates Affecting Users
Samba
It's OK to restart Samba (at the command-line you use /etc/init.d/samba restart) when people are logged in with documents open, even if they have unsaved work. You should, though, ask people to not save work for a moment whilst you restart Samba. If you restart Samba then people try to save unsaved work too soon, before Samba is properly restarted, OpenOffice, for example, will say "Error saving the document <document name>: General Error. General input/output error." but allow you to try saving again; where as GIMP will automatically wait until the Samba share is available again and then save; Thunderbird won't be affected at all unless you are using local folders and have located them on a network share.
Networking
ifdown eth0
ifup eth0
Settings You Must Not Change
Server
- DNS domain - it's 'localdomain' (Debian's default). The mail server relies on this remaining the same.
- Hostname - it's 'server'. The mail server relies on this remaining the same.
- Samba's name or domain name(?) setting - this will require workstations to have to re-join the domain
- IP address - it's 10.0.0.10. Don't change it, but if you really need to change it to another inthe same subnet then you need to change it in here too:
- On the server
- The server's /etc/network/interfaces
- The server's /etc/resolv.conf (TODO: do we change it WRT /etc/resolvconf if resolvconf is installed?)
- The server's /etc/postfix/main.cf
- The server's Samba - see xania.org/200809/samba-problems-after-ip-change
/etc/init.d/samba stoprm /var/cache/samba/browse.datrm /var/lib/samba/wins.dat/etc/init.d/samba start- On the firewall
- The firewall's static hosts, such as server → 10.0.0.10
- The firewall's DHCP Server's WINS address
- The winuser account password - it's used by WPKG Client [TODO: maybe we should have a dedicated WPKG account instead]
Changing Windows Workstation Names
You cannot change a workstation's name direcly. You must first disconnect from the domain by swapping the domain name for a workgroup name; give the winadmin or root account so as to leave the domain; restart the workstation; change the name; restart again; reconnect to the domain.
Physically moving a system from one location to another
It should be straight forward but you should expect something to go wrong as it invariably will.
For the server and workstations, moving involves turning them off properly, disconnecting all cables and reconnecting in the same manner at the other end. This should be straight forward for anyone to do as cables for everything can't be connected into the wrong socket. Just make sure you carefully pack up all cables together so that nothing is misplaced or broken. Obviously, treat computers with care in transit, but don't worry excessively as they can take a few knocks.
For hubs, the network cables probably don't need to be reconnected in any specific order, but even if they do it will only be one of the cables and you can see that by checking first if one is connected to a socket marked 'uplink'.
For the firewall, there are two network cables which need to specifically connect back into the same connectors from which they were removed. Some settings on the firewall will need to change if your static Internet address is going to change, which it probably is.
Keep backup disks seperate in case the server gets lost or stolen.
Take great care with laser printers as they are extremely fragile. It's probably worth removing toner cartridge(s) during transit.
You either connect to the Internet through your own modem or you're attached to an intranet provided by someone else and they have their own modem. Changes to your method of connecting to the Internet will need to be reflected in the firewall and modem.
Change of SMTP server for outgoing email. If you're piggy backing someone else's Internet connection you can ask them for the SMTP server name, or you can find out yourself. To find out yourself, use traceroute, or GRC's Shields up!, to find your external IP address. then do a whois lookup on that IP address to find who it is (you'll get, say, 'netname: BULLDOG-CHT', where 'Role:' is who owns them, 'Cable and Wireless Access Ltd', a Google search on 'bulldog smtp' reveals their SMTP address.
Troubleshooting
Server
The most common complaint with the server is the assumption that email isn't going in or out. You can leave the server logged in running one or more of these commands to show incoming and outgoing mail:
tail -f /var/log/syslogtail -f /var/log/mail.log
If the server crashes it will leave complex messages on the screen. usually you can restart the server with ctrl+alt+del. Try this but if it fails to get the server to respond, by saying it is shutting down, then power cycle it. The messages on the screen will be available in the logs (/var/log/syslog and /var/log/messages) for whomever wants to look.
User Accounts
If someone is having trouble logging on, can they log on elsewhere? can others logon on the machine they're having trouble with? The most common reason for not being able to logon is theer not being enough room on the workstation's C: to copy the user's profile there, for example the user may have large files on their desktop or excessive files in %APPDATA%.
Workstations
If files are deleted from a user's desktop they go to the local recycle bin in C:\RECYCLER\S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxx-xxxx.
WPKG
WPKG logs to %TEMP%, the system temp location, in a file called wpkg-<machine name>.log
Backup
Backup
The server backs up to a directly connected USB-attached hard disk. You connect the disk and leave it over-night, replacing it with another disk the next day. The backup runs at 02:00. You do not need to issue any commands, everything is automatic. If there were any errors they are written to a log file (in /var/log/hotswap-backup/) [though they should be emailed to the administrator].
The disk uses a Unix filesystem (ext3) so can only be read on those Windows workstations that have Ext2 IFS installed (at least one of your workstations should have). The data is saved directly to the backup disk, it is not zipped up. To access Ext2 IFS's configuration use Control Panel → IFS drives.
Note that because the backup system successively copies files from the server without first removing them from the backup disk, the size of the backup will grow over time and at a faster rate than the space used on the server. Files on the server will be deleted whilst a copy remains on the backup disk. For this reason you may want to delete everything off the backup disk periodically.
Restore
If you connect the disk to the server, whilst logged in as root, you can read it by issuing the command: mount /media/backup. The disk's contents will then be available in the /media/backup directory.
If you connect the disk to a Linux workstation its contents will appear automatically.
These are some useful places you may need to access on the backup disk:
- S: - home/<your organisation name>/shared. Permissions are such that you can read these files.
- H: - home/<person's name>. Permissions are set so only the owner can read them unless you override those permissions.
- Email - home/vmail/<your organisation's domain name>/<mailbox name>/Maildir.
Note
Backup Disk Inode Size
The current version 1.11a of the Ext2IFS driver for reading the backup disk under Windows only mounts volumes with an inode size of 128 bytes. Recent versions of Linux's mkfs.ext3 will format the disk with an inode size of 256 bytes and when attached to Windows it will say it can't read the disk and ask if it is to be formatted.
To fix existing disks, format them again using mkfs.ext3 -I 128 /dev/<disk partition reference i.e. sdb1> (which will delete everything on the disk) and name them again using e2label /dev/<disk partition reference i.e. sdb1> backup.
You can find the inode size of an existing partition using tune2fs -l /dev/<disk partition reference i.e. sdb1>, amongst the information will be something like Inode size: 256.
Troubleshooting Issues With The Backup Disk Under Windows
If the disk isn't accessable under Windows, download and use the mountdiag.exe tool as described at http://www.fs-driver.org/troubleshoot.html. It should give you a descriptive message about why the disk isn't accessable.
Manual Software Application Updates
Typicallly updates are managed through WPKG but if you want to update the system manually some of the software applications make this really easy. If there is any risk of breaking the system they will be described here.
Adobe Reader
OpenOffice
Firefox
- Login to a workstation as administrator or into the domain as winadmin
- From within Firefox choose Help → Check for Updates
- If it says, for example, "Updates Available - An update for Firefox is available: Firefox 2.0.0.6" you can choose "Download & Install Now >>"
Thunderbird
- Login to a workstation as administrator
- From within Thunderbird choose Help → Check for Updates
- If it says, for example, "Updates Available - An update for Thunderbird is available: Thunderbird 2.0.0.6" you can choose "Download & Install Now >>"
Quickbooks
You should run the Quickbooks updater manually once a month.
F-Prot
F-Prot updates itself automatically.
Java Runtime Environment
Control Panel → Java → Update → Update Now.
The newly installed version will automatically become the default in Firefox.
This creates an additional installed copy to those versions already installed and so uses up an additional 70MB or more each time
[TODO: In OpenOffice, it isn't selected, does that mean anything?]
Software Application Tips And Tricks
Firefox
If you setup a new Firefox profile for someone you can migrate their old saved settings to the new by copying over these files. Note that this will over-rule any existing settings in the new Firefox profile.
Firefox 3
- Saved passwords
- signons3.txt
- key3.db
- cert8.db
- Bookmarks and history - in order to merge old bookmarks with new, you need to export the old bookmarks as a HTML or JSON file from within Firefox then import them into the new profile.
- places.sqlite
- places.sqlite-journal - this file may not be present
- Cookies, including login information, session data, and preferences: cookies.sqlite
- Permissions; preferences about which sites you allow or prohibit to set cookies, to display images, to open popup windows and to initiate extensions installation: permissions.sqlite
- User-added preferences: user.js - you probably wouldn't migrate this
- Preferences: prefs.js - you probably wouldn't migrate this
OpenOffice
There are various extensions available at extensions.services.openoffice.org.
Deleting a User's OpenOffice Profile
- Make sure OpenOffice isn't open first (check the system tray by the clock, close down the icon there if there is one)
- Delete the person's OpenOffice profile at C:\documents and settings\<username>\Application Data\OpenOffice.org\ (an easy way to get there is to right-click on the Start Menu and choose 'Explore'; or, in the Windows Explorer's location bar, go to '%APPDATA%' (without the single quotes))
- OpenOffice will then need configuring again. This can be forced to automatically take place by deleting the directory 'C:\documents and settings\fiona\RCS34-CONFIG-DONE'.
- Logout then login again
Repeated "unexpected error"
Issue: when running OpenOffice it can say "due to an unexpected error, OpenOffice.org crashed" it lists documents to be recovered, of which there are none, you choose OK and it returns to its opening window, where upon you choose an application and it crashes again with the previous message.
Solution:
- Delete the user's OpenOffice profile (see above)
- Uninstall the program
- Delete all files in C:\Program Files\OpenOffice
- Restart the workstation so that OpenOffice is reinstalled
Error loading BASIC of document file
Issue: Whenever a file is opened you get the error message:
Error loading BASIC of document file :///C:/Documents%20and%20Settings/fiona/Application%20Data/OpenOffice.org/3/user/basic/dialog.xlc/:
General Error.
General input/output error.
Solution: Delete the user's OpenOffice profile (see above)
Thunderbird
If you want a message inserted at the bottom of everyone's email, save it somewhere on S: so that staff can link to it from within thunderbird as a signature.
If people coming from Microsoft Outlook are missing particular aspects of Outlook's behaviour it's worth checking out Emulate Microsoft email clients to see if they can be catered for.
Multimedia Support
Our intention is to have a single media player on the system that plays all media types, rather than a plethora of media players each for a different media format (for example Windows Media Player, Real Player and Quicktime). In theory our single Media Player is Windows Media Player. However in practice that isn't possible so we also have to use Media Player Classic for playing some files in the web browser. We would very much have liked to have VLC as our main media player but it has lacked some necessary features, such as decent playlist support. In future we envision using VLC and Songbird. Obviously Adobe Flash Player will be used in the browser when playing Flash video.
Applications installed for playing multimedia:
- Windows Media Player
- K-Lite Codec Pack (Standard) (includes Media Player Classic)
- Ogg Codec Pack
- Firefox Windows Media Player Plugin
Support for Various Multimedia Formats:
FEATURE STAND-ALONE FILES IN BROWSER DVD movie Windows Media Player with plugin RealAudio Doesn't play Doesn't play RealVideo Doesn't play Doesn't play Quicktime Doesn't play Doesn't play FLV MP3 Ogg Theora Ogg Vorbis Windows Media Video (WMV) Flash content (.SWF, .FLV) Adobe Flash Player Xvid DivX
To be tidied up:
- we want support for Real and QuickTime files in the web browser and on disk. We have K-Lite with MPC, QT Lite and Real Alternative Lite. We need MPC for playing Real Media and QT files on disk. Tho supposedly QT files can be played on disk when you have K-Lite installed but I don't know which version as it doesn't work with our version. - Real Alternative's "RealMedia DirectShow splitter does not work with streaming content. You must use the included Media Player Classic to play streaming content" but we already have MPC so can install Real Alternative Lite - Real Alternative and Real Alternative Lite allow files on disk to be played in any DirectShow enabled player but this DirectoShow support doesn;t owrk for streaming files, for this you need MPC. Either you have MPC already and you install Real Alternative Lite, or you install Real Alternative. - probably need RealMedia Splitter to play Real files in WMP - QT Lite says it is only for playing in the browser - but is that only becaue it doesn't include MPC? - QT ActiveX plugin - browser plugin - this is the apple quicktime plugin - QuickTime Alternative claims to include 'QuickTime DirectShow filter' where as QT Lite claims to include 'QuickTime ActiveX plugin' and yet QT Lite claims the only difference between it and QuickTime Alternative is that it doen't include MPC - QuickTime Alternative - quicktime actvex plugin - quicktime browser plugin - QT Lite with .mov files on disk - they play in MPC. WMP won't play them. Without MPC, files on disk won't play at all. So if you already have MPC you can use QT Lite rather than QuickTime Alternative - codecguide.com / QT Lite says that MPC is able to play quicktime files on disk but if you want to play quicktime files on disk in WMP you need to additionally have K-lite installed, for its directshow filters - but which version of K-Lite? - QT files with streaming QT content - is played by Quicktime browser plugin - Windows Media Player in Firefox: http://kb.mozillazine.org/Windows_Media_Player