
DESY Windows 2003 domain – features, migration and caveats

DESY Windows 2003 domain – features, migration and caveats. Reinhard Baltrusch, DESY IT. Situation: The Windows project, which started in March 2002 with the goal of building a new, Active Directory based Windows domain for DESY spanning both sites, is officially ending this month.



Presentation Transcript


  1. DESY Windows 2003 domain – features, migration and caveats
     Reinhard Baltrusch, DESY IT
     HEPiX Brookhaven, 19.10.2004

  2. Situation
     • The Windows project, which started in March 2002 with the goal of building a new, Active Directory based Windows domain for DESY spanning both sites, is officially ending this month.
     • Migration to the new domain win.desy.de started in January 2004 and is still under way. Today the ratio of computers that are online daily in the old domain DESYNT to those in the new domain is about 50:50.
     • The first problems in production naturally arise and must be solved.
     • Meanwhile new services await implementation, and XP Service Pack 2 has to be rolled out promptly, and not only for security reasons.

  3. Established Hardware
     • Completely new, more stable hardware (fail-safe HP/Compaq ProLiant server systems, no standard PCs).
     • Better capabilities for remote control and monitoring, independent of the operating system (Remote Insight Board / Integrated Lights-Out, Insight Manager).
     • Introduction of new server technology: HP Blade systems
     • Introduction of new SAN systems: HP MSA1000
     • Server systems in total (both sites, HH + ZN):
         • 10 HP ProLiant DL380 G2/G3 (2U)
         • 8 HP ProLiant DL360 G3 (1U)
         • 14 HP ProLiant BL20p G2 (Blades)
         • 2 HP StorageWorks Modular SAN Array 1000 (gross 7 TB file space)
         • 1 HP StorageWorks Smart Array Cluster Storage (14 x 72 GB drives)

  4. Hardware in the CC in Hamburg

  5. Introduced services and software
     • Logon service (3 domain controllers with Active Directory)
     • Home and group directories (backup, quotas, Volume Shadow Copies)
     • Distributed File System (Dfs, Active Directory integrated)
     • Remote Installation Service (RIS) for providing an adapted Windows XP installation over the network (with the option to install predefined applications through the integrable NetInstall service)
     • Software Update Service (SUS, Windows Update) to update the operating system automatically (security updates, hot fixes); Shavlik HFNetChkPro 4.3.0 is used to update central server systems.
     • Deployment of McAfee VirusScan Enterprise 7.10, updated via the AutoUpdate Architect
     • Software deployment with NetInstall 5.7 (software packages: IT application support and IPP CAD support)
     • Web services (group webs, WebDAV, personal homepages)
     • Transaction server (registry events, scheduled tasks)
     • Insight Manager (monitoring of HP hardware, not only in win.desy.de)
     • License server / Terminal Server license service

  6. Active Directory structure

  7. Connections to other systems / services
     • Print server with Samba 3.05 (member of the domain, printers published in Active Directory)
     • File services for NFS on Samba 3.07 (member of the domain)
     • Asset Management System connection (Peregrine, procedure to scan systems, MMCs)
     • Platform adapter for the new DESY user registry
     • SAP-ITS server support (Windows 2003, special update procedure)
     • NetApp 6.3.3 server for CAD systems (member of the domain, domain Dfs path integration)
     • SharePoint Portal Server and SQL Server for Solid Edge (CAD system, server support, license service)
     • Several domain Dfs path integrations for group servers

  8. Migration to win.desy.de
     • Migration is coordinated by IT user support together with the DESY groups; accompanying offerings are workshops for group administrators, end-user trainings, various flyers and special documentation.
     • To support quick migration progress, IT personnel (trainees) come on-site to install PCs (over RIS or DVD) and migrate user data.
     • Some groups migrate slowly on their own, starting with small working groups and non-critical parts of their computers and users.
     • Various dependencies require and force migrations that span several groups and the two sites (CAD system migration and other centralized service migrations).
     • In several DESY groups migration is completed / saturated (largest group: Hasylab).
     • User accounts in win.desy.de: 1938
     • Computer accounts in win.desy.de: 1563 (of which 1331 RIS installations, 18 Samba servers)
     • Namespaces / organizational units: 60

  9. Migration to win.desy.de (II)

  10. Migration to win.desy.de (III)

  11. Following services and software integrations
     • Exchange 2003
     • Terminal services
     • ePolicy Orchestrator 3.5 (VirusScan management)
     • MOM
     • SharePoint services
     • PKI

  12. Exchange 2003
     • Hardware is in place:
         • Servers: 4 backend servers (4-node cluster), 3 frontend servers, 1 test server (all HP BL 20p)
         • Storage: HP MSA 1000 with 1 TB file space
     • At the moment, tests run outside the production domain (clustering, installation and configuration)
     • The plan is to introduce E2K3 in win.desy.de at the beginning of 2005
     • Migration from Exchange 5.5 (75 GB database) has to be planned

  13. Terminal Services
     • Hardware for Zeuthen is in place (7 HP ProLiant DL360)
     • 1 Terminal Server cluster (1 x 2 nodes) for public use in Zeuthen
     • 1 Terminal Server cluster (1 x 4 nodes) for special applications (PITZ)
     • In Hamburg procurement is planned; different kinds of Terminal Services are also required (Linux users, secure environment, special applications). The hardware will again be HP Blades

  14. Caveats
     • Home directory interruptions
     • Quota management
     • Name resolution
     • Laptop support
     • Service Pack 2

  15. Home directory problems
     • Various serious interruptions (unexpected reboot of one cluster node, additional failover difficulty caused by name resolution problems); other server systems and XP clients were affected to a greater or lesser extent.
     • Some things stress the system and especially the file system (VSS, Northern Storage Suite Quota Server, TSM, data migration).
     • Stabilization through memory expansion (1 GB -> 4 GB), a gigabit Ethernet connection and configuration changes.
     • After some time the problem is still there, but only with short interruptions (max. 1 minute). Failover runs faster and clients react more tolerantly.
     • The prime suspect, the quota software from Northern Parklife, was deactivated, falling back to native quota functionality. Northern Parklife has placed a debugging driver at our disposal.
     • HP Support advised firmware and driver updates for the servers first.
     • There have now been no more interruptions for five weeks, but we are taking some additional actions: an upgrade of the controller firmware in the MSA 1000 and stabilization of the VSS through an MS patch.

  16. Quota management
     • Northern Storage Suite Quota Server (Northern Parklife)
     • Two possible quota mechanisms:
         • 1. ACL based (on quota transgression, write-deny rights are set)
         • 2. Kernel driver based (better performance, no ACL conflicts).
     • Quick transgression warnings are sent by the messenger service (NetBIOS resolution is necessary).
     • In some cases a higher quota consumption is counted than is really used, so false quota warnings go out.
     • In contrast to the native MS quota, the configured quota value is not shown as the size of the user's home drive (instead the whole space of the server volume is shown).
     • Quota information via an extension of the Explorer menu does not work when the home drive is a Dfs path (\\win.desy.de\home).
     • The folder "My Documents", redirected to the home drive, has its own recycle bin (deleted files increase the quota consumption).

  17. Name resolution
     • Microsoft recommends avoiding the use of WINS in a native Active Directory domain; DNS should be used for name resolution.
     • We try it, but in several cases WINS seems to be necessary (Dfs targets, previous versions, messenger service, Exchange etc.).
     • XP clients react strangely to DNS resolution problems on disconnections and need some hardening.
     • DNS (and DHCP) configuration must be perfect in the domain, on the server (DNS zone: win.desy.de) and client (desy.de), and at least on the central DNS and DHCP system (VitalQIP).
     • Service Pack 2 seems to help with resolution problems concerning Dfs links and their targets.

  18. Laptop support
     • More and more laptops are used instead of desktops; the kind of usage is changing, and for effective usage a better knowledge of the functionality is advisable (e.g. power management).
     • Other support mechanisms are required (different connection possibilities, offline files, security, updates, caching credentials).
     • Offline synchronization is helpful, but can also be irritating (if there is no connection to the target).
     • In most cases the user must be a member of the local administrators group (changing configuration while traveling).
     • Service Pack 2 makes some things better, but not easier (Firewall, Popup-Blocker etc.).

  19. Windows XP Service Pack 2
     • Over 550 bugs and security holes will be fixed (http://support.microsoft.com/default.aspx?kbid=811113).
     • Additional security enhancements: Advanced Firewall, Popup-Blocker and Add-On-Manager as part of Internet Explorer.
     • Known problems with applications mainly relate to the activated Windows Firewall and other security settings (http://support.microsoft.com/default.aspx?scid=kb;de;842242&Product=windowsxpsp2).
     • Some applications require an update or a new version to run under SP2 (e.g. OpenAFS client 1.3.70), and particular hardware needs driver updates or patches from the vendor (e.g. newer Intel processors).
     • It is a good idea to run an anti-spyware program before installing SP2 (Dell recommendation), but how do you do that while rolling out SP2, e.g. over SUS?
     • We block the Service Pack 2 installation by policy (effective for 240 days) and try to use the time to plan the rollout and see what we can do with over 200 new group policy settings.
