Roaming Computing System (Windows Edition) 3.5 - Administration Guide
Miscellaneous Administration
Starting and Stopping the System
Turning Off
You can turn off in any order:
- workstations - Start → Shutdown
- server - press power button on the front, briefly, then wait for it to shut itself down
- firewall - press power button on the front, briefly, then wait for it to shut itself down
- modem - if they have a switch, turn the switch off, otherwise remove the power cable
- hubs - remove their power cable
Turning On
Turn on in the following order:
- hubs - re-connect their power cable
- modem - if they have a switch, turn the switch on, otherwise re-connect the power cable
- firewall - press power button on the front, wait a minute or so
- server - press power button on the front, wait a couple of minutes
- workstations
Administrative Domain Accounts
You have a domain administrator account called winadmin and a domain user account called winuser. Use these domain accounts rather than machine accounts. If you have to give out the domain administrator account to someone temporarily, it is subsequently easier to change this once, rather than change the administrator account on every workstation.
Connecting to the server's underlying file system / operating system from any workstation
To log in to the server at the command-line from a Windows workstation use PuTTY via Start → Programs → Internet → PuTTY → PuTTY. Enter server into 'Host Name (or IP address)' and choose Open. You can paste commands into the PuTTY terminal by copying in the usual way, then just pressing the right mouse button within PuTTY. To copy text from a PuTTY terminal just highlight the text; it is then automatically in the paste buffer and can be pasted elsewhere.
(Beware: when pasting from guides at thegoldenear.org, PuTTY on Windows will include a carriage return at the end of a command, whereas ssh on Linux will not. Some of the commands in these guides assume you don't use a carriage return when pasting them, so that the line can be edited before hitting [Enter].)
To log in to the server at the command-line from a Linux workstation use ssh, using the command ssh root@server.
To transfer files between a Windows workstation and the server at its operating system level use WinSCP on the workstation via Start → Programs → Internet → WinSCP.
To transfer files between a Linux workstation and the server at its operating system level use any of the FTP programs such as FileZilla or gFTP.
Regular Administration Tasks
Workstations
These must all be performed whilst logged in as an administrative user.
- To free up space on C:
  - Use CCleaner (Start → Programs → Accessories → CCleaner) to remove:
    - Windows' backup of security update / hotfix files. Make sure that Windows → Advanced → Hotfix uninstallers is selected. This deletes the C:\Windows\$nt... directories.
    - Empty the recycle bins (C:\RECYCLER; Windows Explorer's Tools → Folder Options → View → Advanced settings → Hide protected operating system files (Recommended) must be turned off before you can see anything in them).
  - (only as a last resort, because of the risk of making a mistake) manually delete the Windows Service Pack uninstall files' directories, those shown in blue in %WINDIR% (CCleaner doesn't delete these).
  - (only as a last resort) manually delete Windows' cache of security update files by deleting the directory %WINDIR%\SoftwareDistribution\Download.
  - (to verify) Microsoft Office uses 464MB in C:\MSOcache.
  - (to verify) C:\windows\ie7updates and C:\windows\ie8updates are worth looking at as other directories that might be able to be deleted.
- Defragment each workstation's C: and D: partitions: Start → Programs → Accessories → System Tools → Disk Defragmenter. You need to be an administrative user to do this. This will speed up the computer but probably isn't worth running more often than every couple of months.
User Profiles
On a Windows workstation, System Properties → Advanced → User Profiles → Settings will tell you the weight of each profile and allow you to delete them. From the server, at the command-line, du --max-depth=1 -h /home/samba/profiles | sort -rn will tell you the weight of each person's profile.
People can have bigger profiles on their workstations than the profile uses up on the server because not everything roams (Local Settings, for example). Perhaps it's worth hosing the local profile once a year or so.
On a Windows workstation, whilst logged in as a user, the Application Data directory is at %APPDATA%. From the server, at the command-line, this would be /home/samba/profiles/<username>/Application Data/. This is the most likely place where excess files will accumulate. Areas where data accumulates in a user profile that can potentially be considered for removal:
- Firefox profile
- Thunderbird profile
- %APPDATA%\google\picasa2\db3
- QuickBooks downloads updates to C:\Documents and Settings\All Users\Application Data\Intuit\
- %APPDATA%\OpenOffice.org2\user\backup
- At least for winadmin, C:\Documents and Settings\winadmin\Application Data\Sun\Java\ where there can be directories for each JRE update such as jre1.6.0_07 with jre1.6.0_07.msi
Files saved to the desktop are copied back and forth between the server and workstation when logging on and off, so are strongly discouraged. To check on the weight of a person's desktop, from the server, at the command-line, use du --max-depth=1 -h /home/samba/profiles/<username>/Desktop | sort -rn.
If they somehow gained an additional Firefox profile it won't be configured for its cache on D: - /home/samba/profiles/
Server
- Check there is enough free disk space on each partition:
  df -h
- Check the backup system is working: as long as there exists backup-general-* and backup-home-* for each day and they are 0 bytes in size then everything should be OK. If they are larger than zero bytes then look at what's in them.
- Perform a filesystem check on the backup disk:
  - Unmount the backup disk, in case it is already mounted:
    umount /media/backup
  - Do the filesystem check:
    e2fsck -p /dev/<disk partition reference i.e. sdb1>
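A routine check of the backup log files, added here as an example rather than a script from the guide. It assumes (the guide does not say) that the backup-general-* and backup-home-* files are written to /var/log/hotswap-backup/ and carry the run date as YYYY-MM-DD in their names; adjust LOGDIR and the pattern if your installation differs.

```shell
#!/bin/sh
# Check last night's backup logs as described in the "Server" list above:
# both files present and empty means the backup ran cleanly; a non-empty
# file holds error messages that should be read.
# Assumption (not stated in the guide): files live in /var/log/hotswap-backup/
# and their names contain the run date as YYYY-MM-DD.

LOGDIR="${BACKUP_LOGDIR:-/var/log/hotswap-backup}"

# check_backup_logs DIR DATE
# Exit status: 0 = both files present and empty; 1 = a file is missing
# (the job did not run, e.g. the disk was not connected); 2 = a file has
# content (errors were logged). Missing takes precedence over errors.
check_backup_logs() {
    dir=$1; day=$2; missing=0; errors=0
    for kind in general home; do
        found=0
        for f in "$dir"/backup-"$kind"-"$day"*; do
            [ -e "$f" ] || continue      # unmatched glob stays literal; skip it
            found=1
            if [ -s "$f" ]; then
                echo "ERRORS: $f is $(wc -c < "$f") bytes, read it" >&2
                errors=1
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "MISSING: no backup-$kind-$day* in $dir" >&2
            missing=1
        fi
    done
    if [ "$missing" -eq 1 ]; then return 1; fi
    if [ "$errors" -eq 1 ]; then return 2; fi
    echo "backup logs for $day look clean"
    return 0
}

# The job runs at 02:00, so today's date is last night's run.
if [ -d "$LOGDIR" ]; then
    check_backup_logs "$LOGDIR" "$(date +%Y-%m-%d)" || echo "check failed with status $?" >&2
fi
```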
General
- Check the 'postmaster' and 'abuse' mailboxes.
- If you have a bandwidth cap on your Internet usage set by your ISP, check how much you've downloaded in this period. For Zen Internet this is available at https://portal.zen.co.uk/Pages/Wizards/WizardLauncher.aspx?ID=UsageAllowanceWizard.
- Is VPN access working so that remote administration can be performed?
Managing Domain User Accounts
Delete A User's Domain Account
Delete their account, with either:
- You should be able to do so from within Windows
- From the command-line on the server:
  - Remove the Samba account:
    net rpc user delete <username>
    Note that this doesn't delete their home directory (H:, or /home/<username>).
  - Delete the home directory:
    rm -rf /home/<username>
    Note there are dire consequences of getting this wrong, so do so with great care.
  - Delete the Windows profile:
    rm -rf /home/samba/profiles/<username>
Archive a deleted user's files
Move their files to the ex-staff directory in the archive area, if you already have one. This moves their home directory files (H:) and their Windows profile (containing such things as their Windows desktop, browser bookmarks, etcetera). Their email remains in place.
Make a directory for the user:
mkdir /home/<organisation>/restricted/archive/ex-staff/<username>
Archive their home directory:
mv /home/<username>/* /home/<organisation>/restricted/archive/ex-staff/<username>/
Make a directory for their Windows profile:
mkdir /home/<organisation>/restricted/archive/ex-staff/<username>/windows-profile/
Archive their Windows profile:
mv /home/samba/profiles/<username>/* /home/<organisation>/restricted/archive/ex-staff/<username>/windows-profile/
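The deletion and archiving steps above as one script, added here as an example and not part of the guide's own tooling. It adds two guards the bare commands lack: the user name is validated before it is spliced into any path under /home (an empty <username> would otherwise turn rm -rf /home/<username> into rm -rf /home/), and the emptied directories are removed with rmdir, which refuses to delete anything that was not moved first. It assumes the directory layout given in the guide; set ROOT to a scratch directory to rehearse it on a copy.

```shell
#!/bin/sh
# Delete a leaver's domain account and archive their files (H: and the
# Windows profile) into the ex-staff area. Email is left in place.
# Assumes the guide's layout: /home/<username>, /home/samba/profiles/<username>
# and /home/<organisation>/restricted/archive/ex-staff/. ROOT is prefixed to
# every path so the script can be rehearsed on a scratch tree.

ROOT="${ROOT:-}"

# valid_name NAME: a plain Unix-style account name, so '' or '../x' is rejected.
valid_name() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# archive_user ORGANISATION USERNAME
# Moves the contents of H: and of the Windows profile into the archive, removes
# the emptied source directories and, on the real server, the Samba account.
# Nothing is touched if a precondition fails.
archive_user() {
    org=$1; user=$2
    valid_name "$org"  || { echo "refusing: bad organisation name '$org'" >&2; return 1; }
    valid_name "$user" || { echo "refusing: bad user name '$user'" >&2; return 1; }
    home="$ROOT/home/$user"
    profile="$ROOT/home/samba/profiles/$user"
    dest="$ROOT/home/$org/restricted/archive/ex-staff/$user"
    [ -d "$home" ] || { echo "refusing: no home directory at $home" >&2; return 1; }
    if [ -e "$dest" ]; then
        echo "refusing: $dest already exists" >&2
        return 1
    fi
    mkdir -p "$dest"
    # Move every entry, including dot-files that the /home/<username>/* glob would miss.
    find "$home" -mindepth 1 -maxdepth 1 -exec mv -- {} "$dest"/ \;
    rmdir "$home"                      # fails loudly if anything was left behind
    if [ -d "$profile" ]; then
        mkdir -p "$dest/windows-profile"
        find "$profile" -mindepth 1 -maxdepth 1 -exec mv -- {} "$dest/windows-profile"/ \;
        rmdir "$profile"
    else
        echo "note: no Windows profile at $profile (user may never have logged on)" >&2
    fi
    # Remove the Samba account last, once the files are safely archived.
    if [ -z "$ROOT" ]; then net rpc user delete "$user"; fi
}

if [ "$#" -eq 2 ]; then archive_user "$1" "$2"; fi
```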
Restricted Groups
R: is where you can have directories where access is restricted to specific groups of people. For example R:\finance is only accessible by members of the finance group. You can add whichever such groups you choose.
To create a new restricted directory and group use Twix: R → F.
To add a person to a specific restricted group use Twix: R → O.
To remove a person from a specific restricted group use Twix: R → P.
Mailboxes, Aliases and Forwardings
Manage mailboxes, aliases and forwardings using MailManager at http://server/mailmanager/login.php.
Auto-replies
Manage auto replies using Goldfish at http://server/goldfish/.
Domain Mapping
If you want to forward mail from a mailbox at one domain to a mailbox at another, create the domain then create each mailbox and a forwarding for that mailbox.
Don't do whole domain mapping. MailManager doesn't support it because "You will in the first step accept email for anybody in @domain1. Then the aliasing is done. And if Postfix finds that the user doesn't exist in domain2 it will generate a bounce. As spammers tend to guess email addresses you will become a source for backscatter. So that's really a problem. My recommendation: don't use it like this. Instead use an alias for every user in domain1. Even if it's tedious.".
Server Updates Affecting Users
Samba
It's OK to restart Samba (at the command-line you use /etc/init.d/samba restart) when people are logged in with documents open, even if they have unsaved work. You should, though, ask people not to save work for a moment whilst you restart Samba. If you restart Samba and people then try to save unsaved work too soon, before Samba is properly restarted, OpenOffice, for example, will say "Error saving the document <document name>: General Error. General input/output error." but allow you to try saving again; whereas GIMP will automatically wait until the Samba share is available again and then save; Thunderbird won't be affected at all unless you are using local folders and have located them on a network share.
Networking
ifdown eth0
ifup eth0
Settings You Must Not Change
Server
- DNS domain - it's 'localdomain' (Debian's default). The mail server relies on this remaining the same.
- Hostname - it's 'server'. The mail server relies on this remaining the same.
- Samba's name or domain name(?) setting - this will require workstations to have to re-join the domain
- IP address - it's 10.0.0.10. Don't change it, but if you really need to change it to another in the same subnet then you need to change it here too:
  - On the server:
    - The server's /etc/network/interfaces
    - The server's /etc/resolv.conf (TODO: do we change it WRT /etc/resolvconf if resolvconf is installed?)
    - The server's /etc/postfix/main.cf
    - The server's Samba - see xania.org/200809/samba-problems-after-ip-change:
      /etc/init.d/samba stop
      rm /var/cache/samba/browse.dat
      rm /var/lib/samba/wins.dat
      /etc/init.d/samba start
  - On the firewall:
    - The firewall's static hosts, such as server → 10.0.0.10
    - The firewall's DHCP Server's WINS address
- The winuser account password - it's used by WPKG Client [TODO: maybe we should have a dedicated WPKG account instead]
Changing Windows Workstation Names
You cannot change a workstation's name directly. You must first disconnect from the domain by swapping the domain name for a workgroup name, giving the winadmin or root account credentials when asked so as to leave the domain; restart the workstation; change the name; restart again; reconnect to the domain.
Physically moving a system from one location to another
It should be straightforward, but you should expect something to go wrong as it invariably will.
For the server and workstations, moving involves turning them off properly, disconnecting all cables and reconnecting them in the same manner at the other end. This should be straightforward for anyone to do as the cables for everything can't be connected into the wrong socket. Just make sure you carefully pack up all cables together so that nothing is misplaced or broken. Obviously, treat computers with care in transit, but don't worry excessively as they can take a few knocks.
For hubs, the network cables probably don't need to be reconnected in any specific order, but even if they do it will only be one of the cables and you can see that by checking first if one is connected to a socket marked 'uplink'.
For the firewall, there are two network cables which need to specifically connect back into the same connectors from which they were removed. Some settings on the firewall will need to change if your static Internet address is going to change, which it probably is.
Keep backup disks separate in case the server gets lost or stolen.
Take great care with laser printers as they are extremely fragile. It's probably worth removing toner cartridge(s) during transit.
You either connect to the Internet through your own modem or you're attached to an intranet provided by someone else and they have their own modem. Changes to your method of connecting to the Internet will need to be reflected in the firewall and modem.
Change of SMTP server for outgoing email. If you're piggy-backing on someone else's Internet connection you can ask them for the SMTP server name, or you can find out yourself. To find out yourself, use traceroute, or GRC's Shields Up!, to find your external IP address, then do a whois lookup on that IP address to find who owns it (you'll get, say, 'netname: BULLDOG-CHT', where 'Role:' shows who owns it, 'Cable and Wireless Access Ltd'); a Google search on 'bulldog smtp' then reveals their SMTP address.
Troubleshooting
Server
The most common complaint with the server is the assumption that email isn't going in or out. You can leave the server logged in running one or more of these commands to show incoming and outgoing mail:
tail -f /var/log/syslog
tail -f /var/log/mail.log
If the server crashes it will leave complex messages on the screen. Usually you can restart the server with Ctrl+Alt+Del. Try this, but if the server fails to respond by saying it is shutting down, then power cycle it. The messages on the screen will be available in the logs (/var/log/syslog and /var/log/messages) for whoever wants to look.
User Accounts
If someone is having trouble logging on, can they log on elsewhere? Can others log on to the machine they're having trouble with? The most common reason for not being able to log on is there not being enough room on the workstation's C: to copy the user's profile there; for example the user may have large files on their desktop or excessive files in %APPDATA%.
Workstations
If files are deleted from a user's desktop they go to the local recycle bin in C:\RECYCLER\S-1-5-21-xxxxxxxxxx-xxxxxxxxx-xxxxxxxx-xxxx.
WPKG
WPKG logs to %TEMP%, the system temp location, in a file called wpkg-<machine name>.log
Backup
Backup
The server backs up to a directly connected USB-attached hard disk. You connect the disk and leave it over-night, replacing it with another disk the next day. The backup runs at 02:00. You do not need to issue any commands, everything is automatic. If there were any errors they are written to a log file (in /var/log/hotswap-backup/) [though they should be emailed to the administrator].
The disk uses a Unix filesystem (ext3) so can only be read on those Windows workstations that have Ext2 IFS installed (at least one of your workstations should have). The data is saved directly to the backup disk, it is not zipped up. To access Ext2 IFS's configuration use Control Panel → IFS drives.
Note that because the backup system successively copies files from the server without first removing them from the backup disk, the size of the backup will grow over time and at a faster rate than the space used on the server. Files on the server will be deleted whilst a copy remains on the backup disk. For this reason you may want to delete everything off the backup disk periodically.
Restore
If you connect the disk to the server, whilst logged in as root, you can read it by issuing the command: mount /media/backup. The disk's contents will then be available in the /media/backup directory.
You can connect the disk to any Windows workstation with the ext2IFS software installed and read the files. It might be that only one workstation has this, or maybe all do.
If you connect the disk to a Linux workstation its contents will appear automatically.
These are some useful places you may need to access on the backup disk:
- S: - home/<your organisation name>/shared. Permissions are such that you can read these files.
- R: - home/<your organisation name>/restricted. Permissions are such that you can read these files.
- H: - home/<person's name>. Permissions are set so only the owner can read them unless you override those permissions.
- Each person's email - home/vmail/<your organisation's domain name>/<mailbox name>/Maildir.
- T: - home/<your organisation name>/database
Note
Backup Disk Inode Size
The current version 1.11a of the Ext2IFS driver for reading the backup disk under Windows only mounts volumes with an inode size of 128 bytes. Recent versions of Linux's mkfs.ext3 will format the disk with an inode size of 256 bytes and when attached to Windows it will say it can't read the disk and ask if it is to be formatted.
To fix existing disks, format them again using mkfs.ext3 -I 128 /dev/<disk partition reference i.e. sdb1> (which will delete everything on the disk) and name them again using e2label /dev/<disk partition reference i.e. sdb1> backup.
You can find the inode size of an existing partition using tune2fs -l /dev/<disk partition reference i.e. sdb1>, amongst the information will be something like Inode size: 256.
Troubleshooting Issues With The Backup Disk Under Windows
If the disk isn't accessible under Windows, download and use the mountdiag.exe tool as described at http://www.fs-driver.org/troubleshoot.html. It should give you a descriptive message about why the disk isn't accessible.
Manual Software Application Updates
Typically updates are managed through WPKG, but if you want to update the system manually some of the software applications make this really easy. If there is any risk of breaking the system it will be described here.
Adobe Reader
OpenOffice
Firefox
- Login to a workstation as administrator or into the domain as winadmin
- From within Firefox choose Help → Check for Updates
- If it says, for example, "Updates Available - An update for Firefox is available: Firefox 2.0.0.6" you can choose "Download & Install Now >>"
Thunderbird
- Login to a workstation as administrator
- From within Thunderbird choose Help → Check for Updates
- If it says, for example, "Updates Available - An update for Thunderbird is available: Thunderbird 2.0.0.6" you can choose "Download & Install Now >>"
Quickbooks
You should run the Quickbooks updater manually once a month.
F-Prot
F-Prot updates itself automatically.
Java Runtime Environment
Control Panel → Java → Update → Update Now.
The newly installed version will automatically become the default in Firefox.
This creates an additional installed copy alongside those versions already installed and so uses up an additional 70MB or more each time.
[TODO: In OpenOffice, it isn't selected, does that mean anything?]
Software Application Tips And Tricks
Firefox
Firefox Migration
If you setup a new Firefox profile for someone you can migrate their old saved settings to the new by copying over these files. Note that this will over-rule any existing settings in the new Firefox profile.
Firefox 3
- Saved passwords:
  - signons3.txt
  - key3.db
  - cert8.db
- Bookmarks and history - in order to merge old bookmarks with new, you need to export the old bookmarks as an HTML or JSON file from within Firefox then import them into the new profile:
  - places.sqlite
  - places.sqlite-journal - this file may not be present
- Cookies, including login information, session data, and preferences: cookies.sqlite
- Permissions - preferences about which sites you allow or prohibit to set cookies, to display images, to open popup windows and to initiate extension installation: permissions.sqlite
- User-added preferences: user.js - you probably wouldn't migrate this
- Preferences: prefs.js - you probably wouldn't migrate this
OpenOffice
There are various extensions available at extensions.services.openoffice.org.
Deleting a User's OpenOffice Profile
- Make sure OpenOffice isn't open first (check the system tray by the clock, close down the icon there if there is one)
- Delete the person's OpenOffice profile at C:\documents and settings\<username>\Application Data\OpenOffice.org\ (an easy way to get there is to right-click on the Start Menu and choose 'Explore'; or, in the Windows Explorer's location bar, go to '%APPDATA%' (without the single quotes))
- OpenOffice will then need configuring again. This can be forced to automatically take place by deleting the directory 'C:\documents and settings\fiona\RCS34-CONFIG-DONE'.
- Logout then login again
Repeated "unexpected error"
Issue: when running OpenOffice it can say "due to an unexpected error, OpenOffice.org crashed" and list documents to be recovered, of which there are none; you choose OK and it returns to its opening window, whereupon you choose an application and it crashes again with the same message.
Solution:
- Delete the user's OpenOffice profile (see above)
- Uninstall the program
- Delete all files in C:\Program Files\OpenOffice
- Restart the workstation so that OpenOffice is reinstalled
Error loading BASIC of document file
Issue: Whenever a file is opened you get the error message:
Error loading BASIC of document file :///C:/Documents%20and%20Settings/fiona/Application%20Data/OpenOffice.org/3/user/basic/dialog.xlc/:
General Error.
General input/output error.
Solution: Delete the user's OpenOffice profile (see above)
Thunderbird
If you want a message inserted at the bottom of everyone's email, save it somewhere on S: so that staff can link to it from within Thunderbird as a signature.
If people coming from Microsoft Outlook are missing particular aspects of Outlook's behaviour it's worth checking out Emulate Microsoft email clients to see if they can be catered for.
Shared Calendar
There isn't yet a standard for sharing calendar data, so various providers have each worked out their own. This is why Lightning, the calendar component in Thunderbird, doesn't offer this by itself.
You can use Google Calendar as the 'backend'. You set up a calendar at Google and then Lightning is able to connect to it, showing the contents of the Google Calendar inside Lightning (you don't need to go to Google's web interface to use the calendar, though you can if you wish).
There are a couple of ways of going about this. Either each person could have a Google Calendar, and every person could see everyone else's Google Calendar in their Lightning calendar. Or you could setup a single Google Calendar for the organisation and everyone sees just that one calendar in their Lightning calendar, also having their own existing individual Lightning calendar.
There are two ways of setting up the Google Calendar. If each person is to have a Google Calendar then either each person could have a separate individual Google account, or the organisation could have a Google Apps for Domains account and, within that, a separate account for each individual. If you're having just the one organisation Google Calendar then you probably want to have just the one Google account.
The Thunderbird Extension Provider for Google Calendar is required to enable read and write syncing between Lightning and Google Calendar.
Thunderbird Migration
If you setup a new Thunderbird profile for someone you can migrate their old saved settings to the new by copying over these files. Note that this will over-rule any existing settings in the new Thunderbird profile.
NOTE: THIS LIST IS CURRENTLY INCOMPLETE! See kb.mozillazine.org/Profile_folder_-_Thunderbird#Files and http://kb.mozillazine.org/Files_and_folders_in_the_profile_-_Thunderbird.
- Address Books:
  - Personal Address Book: abook.mab
  - Collected Addresses: history.mab
Multimedia Support
Our intention is to have a single media player on the system that plays all media types, rather than a plethora of media players each for a different media format (for example Windows Media Player, Real Player and Quicktime). In theory our single Media Player is Windows Media Player. However in practice that isn't possible so we also have to use Media Player Classic for playing some files in the web browser. We would very much have liked to have VLC as our main media player but it has lacked some necessary features, such as decent playlist support. In future we envision using VLC and Songbird. Obviously Adobe Flash Player will be used in the browser when playing Flash video.
Applications installed for playing multimedia:
- Windows Media Player
- K-Lite Codec Pack (Standard) (includes Media Player Classic)
- Ogg Codec Pack
- Firefox Windows Media Player Plugin
Support for Various Multimedia Formats:
FEATURE                    | STAND-ALONE FILES                | IN BROWSER
DVD movie                  | Windows Media Player with plugin |
RealAudio                  | Doesn't play                     | Doesn't play
RealVideo                  | Doesn't play                     | Doesn't play
Quicktime                  | Doesn't play                     | Doesn't play
FLV                        |                                  |
MP3                        |                                  |
Ogg Theora                 |                                  |
Ogg Vorbis                 |                                  |
Windows Media Video (WMV)  |                                  |
Flash content (.SWF, .FLV) |                                  | Adobe Flash Player
Xvid                       |                                  |
DivX                       |                                  |
To be tidied up:
- We want support for Real and QuickTime files in the web browser and on disk. We have K-Lite with MPC, QT Lite and Real Alternative Lite. We need MPC for playing Real Media and QT files on disk. Though supposedly QT files can be played on disk when you have K-Lite installed, I don't know which version, as it doesn't work with our version.
- Real Alternative's "RealMedia DirectShow splitter does not work with streaming content. You must use the included Media Player Classic to play streaming content", but we already have MPC so can install Real Alternative Lite.
- Real Alternative and Real Alternative Lite allow files on disk to be played in any DirectShow-enabled player, but this DirectShow support doesn't work for streaming files; for this you need MPC. Either you have MPC already and you install Real Alternative Lite, or you install Real Alternative.
- Probably need RealMedia Splitter to play Real files in WMP.
- QT Lite says it is only for playing in the browser - but is that only because it doesn't include MPC?
- QT ActiveX plugin - browser plugin - this is the Apple QuickTime plugin.
- QuickTime Alternative claims to include 'QuickTime DirectShow filter' whereas QT Lite claims to include 'QuickTime ActiveX plugin', and yet QT Lite claims the only difference between it and QuickTime Alternative is that it doesn't include MPC.
- QuickTime Alternative - QuickTime ActiveX plugin - QuickTime browser plugin.
- QT Lite with .mov files on disk - they play in MPC. WMP won't play them. Without MPC, files on disk won't play at all. So if you already have MPC you can use QT Lite rather than QuickTime Alternative.
- codecguide.com / QT Lite says that MPC is able to play QuickTime files on disk, but if you want to play QuickTime files on disk in WMP you need to additionally have K-Lite installed, for its DirectShow filters - but which version of K-Lite?
- QT files with streaming QT content - played by the QuickTime browser plugin.
- Windows Media Player in Firefox: http://kb.mozillazine.org/Windows_Media_Player