On Building a Good Image
Last year I coordinated the largest 1:1 laptop initiative in the state of Alaska while working for the North Slope Borough School District. I'm pleased to report that Lower Yukon School District has hired me as a technical consultant to set up and configure their new equipment using the lessons I've learned from that experience.
The Lower Yukon School District (LYSD) comprises 11 schools and a central office located in Mountain Village, Alaska. I was hired because LYSD uses Microsoft's Active Directory but needs to control user profiles for several hundred recently purchased Apple computers.
How most networks are managed
IT administrators may be responsible for hundreds and sometimes thousands of computers. The only reasonable method for deploying a large number of computers involves creating a "perfected" install of the operating system and licensed software, then capturing an image of its hard drive. This same "image" is then used to clone all other computers before deploying them on the network.
Cloning computers will inevitably save IT administrators an enormous amount of time. However, remotely managing user profiles on your network is even more important.
As an example: say a principal notices that students are displaying personal desktop pictures inappropriate for the classroom and asks the technology director to do something about it. A director could employ a small army of techs to personally check the profiles on each computer, but server-side management is definitely a quicker, more efficient, and more cost-effective solution.
Setting up a client-server relationship between Active Directory, Open Directory, and the client is called the "golden triangle" of networking, and is a multi-step process.
Creating a perfected image
In most instances creating a perfected image is a process that takes several revisions as the network develops, but there are techniques for fine-tuning your image so it responds better to server side management.
There are two ways to create management for the end user (client).
- Include the preferences as part of the operating system.
- Push the preferences down from a server.
A finely tuned image that performs well on a network will be lightweight, stripped down, and nothing more than a basic operating system with minimal pre-defined or permanent preferences. You should avoid including preferences as part of the image because they are difficult to remove or circumvent at a later time.
A client should receive and/or recognize server side preferences from the following locations:
- New managed preference files provided during each log-in to the network.
- Cached managed preference files from the last log-in to the network.
When the computer is no longer on the network these cached (mobile) preferences will travel with the user and continue to define settings. For instance, a student will still not be able to change the desktop picture to something personal even while vacationing in Hawaii.
The goal is to make management seamless, automatic to the end user, and refreshed each and every log-in to the network and/or cached for reference when not on the network. This allows IT administrators to make one setting change on the server and have it affect potentially thousands of clients.
When building an Apple image (pre-configured operating system + software) for LYSD I also worked toward the following:
- Image functions on all district owned equipment (desktop, laptop, Intel, PPC).
- Image sports the latest Apple and third party software updates.
- Image includes all district owned software pre-configured for functionality at all locations.
I was able to develop two perfected images (one for Intel processors and another for PPC) and capture them using NetBoot for the cloning process. I was then able to set up an imaging center that allowed me to clone several machines at a time using a router, a high-speed switch, and an Apple server configured with NetBoot.
Building servers for user management
Building a perfected image without an Active Directory and Open Directory environment in which to test managed profiles is guesswork at best. Therefore, I proceeded to build an Apple server that met the following requirements:
- Create a relationship between Microsoft's Active Directory, Apple's Open Directory, and the client.
- Create managed preferences to all Active Directory groups suitable for an educational environment.
I've worked side by side with several Apple engineers building "golden triangle" servers for the North Slope, and had to rebuild those same servers on my own throughout the school year on more than one occasion. Having stepped through this process several times, I've documented the procedure quite well.
Scripts and custom installs
When cloning computers, chances are that additional settings are still necessary after imaging unless you have a well-written script to apply them. I wanted to provide LYSD with a script that automates all network and directory settings so that no further action is required after imaging.
I designed a script for LYSD that does the following:
- It gives the computer a unique name made from a three-letter prefix (xxx, which can be anything you like) plus the last six digits of the MAC address.
- It binds the computer to Active Directory.
- It binds the computer to Open Directory.
- The Active Directory group called "staff" will be granted local administrative privileges.
- All users of the computer will use mobile accounts.
This script is automatically injected into a machine in the final imaging step and runs on first reboot. I also created a custom installer that injects the same script using a wizard most people are accustomed to seeing when installing standard software.
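The first-boot script described above, written out as an added example rather than the district's actual script. The prefix, domain, server and group names are assumed placeholders, the bind account's credentials come from environment variables rather than being stored in the script, and the dsconfigad/dsconfigldap flags are the Mac OS X 10.5-era forms; only the naming function runs when the script is sourced without --apply.

```shell
#!/bin/sh
# Added example of the first-boot script: name the machine, bind to AD and OD,
# grant the AD "staff" group local admin rights, and force mobile accounts.
set -eu

PREFIX="${PREFIX:-lys}"                              # the "xxx" three-letter prefix (assumed)
AD_DOMAIN="${AD_DOMAIN:-ad.example.org}"             # assumed Active Directory domain
OD_SERVER="${OD_SERVER:-od.example.org}"             # assumed Open Directory server
AD_ADMIN_GROUP="${AD_ADMIN_GROUP:-EXAMPLE\\staff}"   # AD group that gets local admin

# Build the computer name: prefix + last six hex digits of the MAC address,
# e.g. "lys-1a2b3c" from "00:1E:C2:1A:2B:3C". Pure function, so it is testable.
make_computer_name() {
    prefix="$1"
    hex=$(printf '%s' "$2" | tr -d ':-' | tr 'A-F' 'a-f')
    case "$hex" in
        ????????????) ;;                              # exactly 12 characters
        *) echo "make_computer_name: bad MAC '$2'" >&2; return 1 ;;
    esac
    case "$hex" in
        *[!0-9a-f]*) echo "make_computer_name: bad MAC '$2'" >&2; return 1 ;;
    esac
    tail6=${hex#"${hex%??????}"}                      # keep the last six characters
    printf '%s-%s' "$prefix" "$tail6"
}

apply_settings() {
    mac=$(ifconfig en0 | awk '/ether / {print $2}')  # primary Ethernet MAC on Mac OS X
    name=$(make_computer_name "$PREFIX" "$mac")
    scutil --set ComputerName "$name"
    scutil --set LocalHostName "$name"
    scutil --set HostName "$name"

    # Bind to Active Directory; AD_BIND_USER / AD_BIND_PASS are supplied by the
    # environment at install time, never hard-coded into the image.
    dsconfigad -add "$AD_DOMAIN" -computer "$name" \
        -username "$AD_BIND_USER" -password "$AD_BIND_PASS"
    dsconfigad -groups "$AD_ADMIN_GROUP"              # "staff" becomes a local admin group
    dsconfigad -mobile enable -mobileconfirm disable  # every network user gets a mobile account

    # Bind to Open Directory (the LDAPv3 leg of the golden triangle).
    dsconfigldap -a "$OD_SERVER" -n "$OD_SERVER"
}

case "${1:-}" in
    --apply) apply_settings ;;
esac
```

Run it as `AD_BIND_USER=... AD_BIND_PASS=... ./firstboot.sh --apply` from the post-imaging step; without `--apply` it only defines the functions.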
Testing
With an image built, a functional server, and scripts to automate the setup process the next step is to test as thoroughly as possible.
So, using several user accounts I tested as follows:
- Log-in using various student, teacher, staff, and admin accounts all tied to various groups.
- After each log-in I check Macintosh HD > Library > Managed Preferences to ensure new user preferences were provided.
- We enable the root user and delete the profiles and MCX cache before each new test.
The easiest way to check preferences and view binary XML files is by using Property List Editor (PLE) provided in Apple's Developer Tools. These tools are available on the Mac OS X server installation DVD.
If you think you do not have any issues then chances are you are not testing enough. You should test with as many scenarios as you can possibly imagine: turn off the wireless, take the computer home, try to install software, use a DVD player to watch a movie and/or burn files, try a student account, teacher account, an admin account and notice the differences.
Many IT managers believe they are above "user management" on their own computers, but they are really missing the big picture. There is no better way to see the flaws in your management than to use it. The best way to make students, staff, and administrators productive is to use what they use, and fine-tune as you go.
Summary
Hardly anything works perfectly on your first try, and building an image for LYSD was no exception. We had to battle a sketchy VPN connection back to the colocation facility, we had difficulty binding new images to the network, and our script was timing out as a result of a time difference between our servers and the client machines. However, once we worked through these issues the process went by quickly as we imaged, scripted, and tested our way to success.
LYSD is now set up for success. We provided a solution that lets them get the most out of their network, skip a lot of trial and error, and focus on what teachers do best - racing the car instead of working on the engine.