Centralized Desktop Deployment and Management
Institute of Computer Science - Masaryk University
Mgr. Kamil Malinka, Ph.D.
malinka@ics.muni.cz

Outline
• System Administration Dpt.
• Central Management Service
• Description
• Identity Management
• Technical solutions
• Terms of services
• Visit to Central Computer Study
• DEMO

System Administration Dpt.
• Primary focus on MS Windows technologies
• 188 MS Windows servers, 2228 desktops, 61 Linux servers
• Centralized desktop management
• MS O365 – university workgroup solution
• Support services

Central Management Service
• More than 40 000 active students, 5000 employees
• Dozens of localities such as faculties, institutes, departments, offices etc.
• Goals:
  • Transparent and straightforward working environment for all students and employees
  • Unified IT environment
  • Access to the centralized IT resources
  • Definition of administration rights and rules
  • Central point to provide all practices and technologies to the interested localities

Central Management Service
• Based on the experience with technologies used in the University Computer Centre
• University Computer Network (UCN)
• Enabling effective administration
• Unified working environment for students and employees across the university
• Three different purposes: university computer study rooms, classrooms and employees’ workstations

Main benefits
• Higher security and uniformity of provided services
• Constantly up-to-date environment without the need for any user interaction
• Professional tools
• Unified environment of the MS Windows OS
• Standardized set of installed software
• Centralized printing
• Unified logon

So what you really get…
• Unattended installation of workstations (including drivers, no OS images)
• Regular update of centrally provided OS
• Regular update of centrally provided software (around 25 standard + 100 specialized)
• Granting access to troubleshooting tools
• Remote access to the workstations
• Monitoring
• Connection to the
centralized printing systems = uniform payment using an ISIC card (via SUPO account) and standardized printing environment
• Special modes for exams
• And more… later in technical solutions

Localities
• Currently deployed in over half of the organizational units of MU
• The rector’s office
• Institute of Computer Science
• Faculty of Science
• Faculty of Law
• Faculty of Arts
• Faculty of Education
• Faculty of Social Studies
• Technology Transfer Office
• University Campus Bohunice
• Faculty of Medicine localities
• University Computer Centre
• University Centre Telč
• Accommodation and Catering Services of MU

Division of localities
• Study Rooms, Classrooms
  • roaming profiles, access to shared storages and printing devices, basic set of software and selected software related to their subject of study
• Employees’ workstations
  • access to the SW associated with their work requirements (economic software, asset management, etc.)
  • local storage space, access to central storages, printing devices, remote desktops, network backup storage, local profiles

Design
• 4 main parts:
  • Identity management
  • OPSI – unattended OS installation
  • Active directory
  • Specialized technical solutions

Identity Management
[Diagram: UCN server infrastructure. Domains: UCN, ZAM, FSS, PHIL, LAW, UPS, STAFF. Server groups: domain controllers, profile cluster (failover clusters and NFS file systems), development servers, terminal servers, Hyper-V host servers, production servers, Linux servers, OS installation servers.]

Technical solutions
• Unattended Installation of operating systems
• Software Distribution
• User Profile Administration
• Central Datastores
• Remote Wake-up and Shutdown
• Examination Modes
• Monitoring of Localities

Unattended Installation of operating systems
• Automated tool OPSI based on the boot of operating system via network
• https://alia.ucn.muni.cz
• Support for Windows 8.1, 7 and XP (all updates included) and full driver installation, disk operations
• Preinstall steps – BIOS and network configuration (DHCP)
• Post install scripts – join to domain, security settings (filesystem,…), cleaning after installation, etc.
• Domain settings - workstation’s security settings, SW installation, grants access to printing solutions and user profiles, etc.
• DEMO

Software Distribution
• Basic set – identical for all localities, contains all commonly used software, centrally updated
• Extended set – typically SW equipment requested by specific localities for lecturing purposes, updated according to an agreement between UCN domain administrators and local administrators
• Implementation via GPO (.msi, scripts)
• Installation after restart

User Profile Administration
• Homogeneity of the user’s working environment independent of the classroom and workstation
• Local profiles vs. roaming profiles
• Clustered storages:
  • NFS1-8 – 2TB each, 1GB per user

Central Datastores
• Accessible via network repositories shared from server
• TEMP directory - fully accessible to all users
• Applications directory - read-only, includes applications that do not require installation on the client side
• User Profile that contains all user settings
• University SAMBA server – 20GB per employee
• Support for scientists – big data, grids

Remote Wake-up and Shutdown
• Centrally controlled wake-up, turn-on and shutdown of workstations according to a prearranged schedule
• Wake on LAN option
• Service windows during night

Examination Modes
• “Questionnaire” mode
  • Workstation logs in with a special account and launches an answer sheet from IS MU, students have no access to the internet, their own data or the installed applications
• “Exam” mode
  • Workstations are disconnected from the network, students do not have access to their own data, but all installed software is fully available

Monitoring of Localities
• Gathering information about users and workstations, entries of students into the study rooms, bans, etc.
• Real time solution
• Frank v2.0

Remote access
• Need for remote user support and remote user access
• Windows remote desktop
  • User access
• Team Viewer
  • Admin access
  • help.ics.muni.cz
  • Manually or installed as service

Terms of Service
• System Administration Department of the Institute of Computer Science provides the following activities:
  • Management of authentication via UCO and secondary password
  • Management, monitoring and backup of servers
  • Management of workstations’ unattended installations
  • Management of the basic set of software
  • Local distribution of hotfixes and updates for Microsoft products
  • Local distribution of updates for Eset anti-virus products
  • Availability of printing devices using the Active Directory
  • Management of student profiles
  • Management of host profiles in order to grant MU visitors access to the UCN and ICS services (Eduroam, VPN, ...)
  • Provision of information concerning the security state of the IT infrastructure – security audit
  • Troubleshooting – solution of serious and critical software problems on workstations
  • General consultations concerning the area of IT

Terms of Service
• Local administration departments are responsible for:
  • Management of the extended set of software, which is not distributed centrally
  • Reaction to the UCN administrators’ requests
  • Reporting of occurring problems to the UCN administrators
  • Management of the network infrastructure of local workstations and servers
  • Complaints related to the locality’s hardware

Visit to Central University Study Room

DEMO
• Active directory
• SW management via GPOs
• OPSI

Thank you for your attention.
Mgr. Kamil Malinka, Ph.D.
malinka@ics.muni.cz