MASARYK UNIVERSITY
FACULTY OF INFORMATICS

Formalisation of the Central Management Service and broadening of the Solution for Unattended Installation

MASTER'S THESIS

Matej Antol

Brno, autumn 2013

Declaration

Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references and literature used or excerpted during the elaboration of this work are properly cited and listed in complete reference to the due source.

Matej Antol

Advisor: Mgr. Kamil Malinka, Ph.D.

Acknowledgement

I would like to thank my work advisor, Mgr. Kamil Malinka, Ph.D., for his scientific and professional advisement. I would also like to thank Jaro, Radim, Martin and Nika for their time, help, opinion and advice. Finally, I would like to thank Dávid, Hanka and my parents for their support during my whole studies.

Abstract

This thesis is divided into two main parts. The first part consists of a description of the Central Management Service provided by the Institute of Computer Science. The purpose of the Service is to unify the working environment and support for various localities at Masaryk University. The aim of this part of the thesis is to create a formalized document describing the Service, define the terms of service and introduce its technical solutions.

The second part consists of a description, analysis, design and implementation of the upgrade of the system for unattended OS installation. This system is currently used as part of the Service, and its state is no longer sufficient in terms of the requested functionalities and their scope. The aim of this part of the thesis is the implementation of the new system with all the required functionalities.

Keywords

ICS, Service of Central Management, unattended installation, OPSI, terms of service, remote OS installation.

Contents

1 Introduction
1.1 Content of chapters
2 Central management as a part of IT
2.1 Central management of localities at Masaryk University
2.2 Unattended installation of operating systems
3 Central Management Service at Masaryk University
3.1 Description of the Central Management Service
3.1.1 Institute of Computer Science
3.1.2 Technical departments and their competencies
3.1.3 Windows domain ucn.muni.cz
3.1.4 Localities managed by the Central Management Service
3.1.5 Lifecycle of the workstation in the Central Management Service
3.2 Formalization of the Central Management Service
3.2.1 Overview of the created document
3.2.2 Additional materials
3.3 Summary
4 Solution for Unattended Installation
4.1 Description of the Solution for Unattended Installation in the Central Management Service
4.1.1 Current technical system for unattended installation
4.1.2 Process of the OPSI netboot product installation
4.1.3 Netboot products
4.2 Alternative technologies and tools for unattended OS installation
4.2.1 System Center Configuration Manager (SCCM)
4.2.2 Unattended with Unattended GUI
4.2.3 Automated Network Installations (ANI)
4.3 Analysis and design of the new Solution for Unattended Installation
4.3.1 Analysis of the current unattended installation system
4.3.2 Design of the new Solution
4.4 Implementation of the designed Solution for Unattended Installation
4.4.1 Upgrade to the OPSI version 4.0.3.2
4.4.2 Carrying cluster
4.4.3 OPSI testing environment
4.4.4 Former OPSI server in the upgraded solution
4.4.5 Synchronization of the OPSI servers
4.4.6 Installation process speed optimization
4.4.7 Support of the SSD discs and two partition division
4.4.8 Operating Systems deployment outside the UCN domain
4.4.9 Software deployment outside the UCN domain
4.4.10 Kill Disk netboot product
4.5 Summary
5 Conclusion
6 Literature
A Appendices
A.1 Description of the Central Management Service
A.2 Popis služby centrální správy (Description of the Central Management Service, in Czech)
A.3 Information poster: Computer study rooms and classrooms on MU
A.4 Information poster: Univerzitní počítačové studovny a učebny MU (the same poster, in Czech)
A.5 Process of addition of a new workstation
A.6 Process of workstation removal
A.7 Process of the OS installation via OPSI system

1 Introduction

The scope of study of Information Technologies is systems used for the storage, retrieval, processing and transport of various types of data. It can be divided into two main parts: the first one concerning the physical equipment, hardware, and the second one covering the logic and instructions run on this equipment, software.

This thesis focuses on software solutions for the remote administration of larger IT units, with emphasis on the administration of workstations. These are deployed in various localities belonging to the structures of Masaryk University and possess similar technical and usage characteristics.

The solutions, approaches and tools described in this thesis were developed in order to provide an easily manageable, homogeneous working and studying environment. The maintenance of such an environment requires extensive, reliable and secure tools and technologies. On the other hand, the unification of the technical environment throughout the university provides a number of benefits for both users and the technical employees managing this environment.

The thesis is divided into two main parts. The first part describes the general approach to centrally oriented management at Masaryk University. The aim of this part of the thesis is to create a set of documents and materials describing this approach in both a technical and a practical way. The second part is a detailed description, analysis and upgrade of one of the core technical solutions, which ensures the remote unattended installation of operating systems via the university network. The thesis has been created in cooperation with the Institute of Computer Science.

1.1 Content of chapters

The second chapter of this thesis introduces central management as a part of information technologies. It describes its position and significance in today's business, which depends on modern information technologies. Central management is then further described as a necessary component of the IT infrastructure at Masaryk University.


There can also be found the reasons for its documentation and formalization, introducing the third chapter of the thesis. The last section introduces one of the technical solutions of the Central Management Service, which is processed in the fourth chapter of this thesis.

The third chapter is divided into two parts. The first part is a general description of the current Central Management Service and its environment. The service is described in the context of the IT infrastructure of Masaryk University and its requirements. The second part consists of a description of the resultant formalized document created as a subject of this thesis and of the minor materials derived from this document.

The fourth chapter of this thesis deals with one of the core solutions of the Central Management Service. The reasons for the use of unattended installation tools are presented in the context of the centralized administration approach at Masaryk University. Selected tools for unattended installation are presented and described. Based on the presented requirements and state-of-the-art technologies, an upgraded version of the Solution for Unattended Installation is designed.

The fifth chapter concludes the thesis, briefly describing all the achieved results. The appendices contain the created documents concerning the Central Management Service.

2 Central management as a part of IT

Central management can be understood as both a service and a technology area of IT. Nowadays, it is one of the main IT areas, concerning the administration of larger heterogeneous units serving similar purposes. With the spread of IT technologies into everyday work in most businesses, a need for their effective administration arose. The purpose of central management systems is therefore the administration of these technologies in larger organizations, such as companies, universities or state offices. Management of such scope consists of three main parts, covering the lifecycle of both HW and SW equipment:

• Deployment of IT technologies and infrastructure

• Maintenance of these technologies and infrastructure

• Removal of these technologies and infrastructure

It can also be divided by focus given either on the HW or the SW equipment, or by the provider of the service into self-provided and outsourced IT management.

2.1 Central management of localities at Masaryk University

Masaryk University[1] is an institution of more than 40 000 students and 5 000 employees, divided into dozens of localities such as faculties, institutes, centers, departments and offices. Its infrastructure is fully dependent on IT technologies during the everyday operations of both work and study. This infrastructure, together with all the IT equipment in the University's possession, has to be efficiently maintained in order to provide a transparent and straightforward working environment for all students and employees.

The Central Management Service has been developed as a service distributed across selected university localities[2]. Its main role is to unify the IT environment, allow access to centralized IT resources, define administration rights and rules and provide all practices and technologies to the interested localities.

The problem with the currently available information concerning central management at Masaryk University is that it is incoherent and partially out of date[3]. The objective of the first part of this thesis is therefore the creation of one core document describing the Central Management Service. It should cover three main parts: a description of the service, the terms of the service (containing the roles and duties of all interested parties) and a final part describing the technical solutions forming the Service.

This document shall be used mainly for presentation and informative purposes. It will serve as informative material for users (students and employees) and for other departments participating in the service provision. A number of less detailed materials should consequently be created in order to provide the necessary information to localities and technical departments, using the most appropriate and effective means.

It will also serve as documentation of the provided Service, which is necessary considering its size, impact and the number of employees working in its individual sections. It should simplify the comprehension of all supported solutions for all mentioned parties. The created document must be consistent with the dean's directive concerning the management and use of the computer network[4] and with the computer study rooms' operating regulations[5].

The majority of the solutions the Service consists of can be considered tools for remote administration. One of the most important solutions provided as part of the Service is the Solution for Unattended Installation. Its description and upgrade is the subject of the second part of the thesis.

2.2 Unattended installation of operating systems

Over the last two decades, hand in hand with the development of IT technologies, the significance and use of network infrastructure also grew. This enabled the deployment of remote tools for administration, which brought a dramatic increase in the efficiency and scope of coverage of remote IT administration. It was also boosted by the growth of Internet coverage during this time.

Today's technologies enable various functionalities, means and tools such as HW and SW audits and real-time monitoring, OS and SW deployment and updating over the network, HW failure detection, grouping of users, workstations and administrators into logical organizational units, access and rights management and many more. In addition to increasing the efficiency of remote management, these tools are also crucial in areas such as the transparency of the administrated units' processes, the definition of roles and rights inside these units and the application of security policies.

One of the core solutions aggregated into the Central Management Service is the Solution for Unattended Installation. Its role is the installation of operating systems on workstations through the university infrastructure, with emphasis on the uniformity (in order to guarantee easy administration), security and reliability of the provided system.

The problem with the current system is that it has now been in use for more than three years, and its capabilities are no longer sufficient for the current needs of the Service. It has also not been updated to the current version because of the complexity of the adjustments performed on it, and documentation of some of these adjustments is lacking. With the growing demand for administration outside of the Windows domain, new options for unattended installation are required in order to guarantee a standardized and easily manageable environment. Among the requested functionalities are the installation of operating systems and software deployment outside the UCN domain.

All changes need to be done with emphasis on the continued support of all present capabilities in their full range. It is also important to create a testing environment for the further development of the suggested solution. This environment should be as up-to-date and maintenance-free as possible.

3 Central Management Service at Masaryk University

As indicated in the previous chapter, the centralized administration of workstations and other IT equipment of various localities of Masaryk University, provided by the Institute of Computer Science[6], is known as the Central Management Service.

3.1 Description of the Central Management Service

The purpose of the Central Management Service is the management of university workstations and the related infrastructure. The main tool of the Service is the University Computer Network domain, also known as UCN. Its benefits in comparison with various local solutions are the integrity of the working environment and the same level of security and consistency of the offered services throughout the university's offices and departments. It also allows the optimization and automation of administration and crisis resolution using standardized tools.

Localities integrated into the central administration allow users to sign in using unified credentials and to use a unified working environment and a standard set of up-to-date software. A major benefit is the provision of the same environment in both classrooms and study rooms. Central administration, however, offers a much larger variety of services and use cases.

Remote access to the workstations allows easily accessible re-installation of the operating system on every workstation included in the Service. Related to this approach is the possibility of remote access to workstations, including tools for turning them on, shutting them down and restarting them. This led to the creation of time schedules for regular software updates (including the operating systems). The schedule is created in order to minimize the interruption gaps in the working process caused by these updates. Remote access to the managed workstations also provides a better response during support and the resolution of occurring crises, tasks and requests.

Central management of workstations also provides more efficient and transparent management of SW licenses. There is a set of tools used for the monitoring of workstations, granting access to their SW and HW audit results and observation of the current state of the computers and logged-in users. One very important part of the Service is the provision of regular updates for the basic set of software throughout the whole UCN domain. This is done in two basic regimes: automated, for software distributed to all similar localities in order to fulfil the intention of a unified environment, and on demand, which concerns specialized software used during lectures or any other specialized tasks. Selected applications are provided via terminal servers[7] accessible from the university network.

The Service also covers a system for the management of attached printers. Users are therefore able to use all printing devices in the managed localities using their ISIC card and university credentials.

Localities included in the Service are also able to use the developed solution for the examination period. Workstations in this mode do not allow selected functionalities such as access to email, the internet, student profiles or the installed software. It is also possible to allow access only to the selected examination websites of the Information System of Masaryk University (IS MU).

An analysis of the Service's possibilities should consider the role of the service provider. It should also examine the roles of the different technical departments managing the various parts of the Solution in order to clarify their roles and interactions. The hierarchy of the UCN domain is also examined, as it is the essential technical system of the Service. For the further purposes of describing the Service as a product, it is necessary to analyze its receiver in the form of the administrated localities, which are grouped by their administrative position into various child domains.


3.1.1 Institute of Computer Science

The Institute of Computer Science (ICS) is an institute of Masaryk University (MU). Its main role is the research and development of information and communication technologies at the university, with long-term focus on the areas of digital libraries, healthcare, distributed systems and high-quality multimedia processing.

The institute also plays an important role in the maintenance, development, coordination and services in the application of IT technologies at Masaryk University. This includes the development of the university network and its connection to the academic network infrastructure. ICS also takes part in a number of international projects and in research and technology development in various fields of networking, supercomputing, internet libraries and more.

ICS management

• Operational and Economic Division: Financial and Administrative Office; Technical and Operational Office; Investment and Public Tender Office; Personnel and Wage Office

• Communication Infrastructure Division: Security Department; Collaborative Systems Department; Network Infrastructure Department

• Computational and Storage Infrastructure Division: Server and Data Storage Administration Department; System Administration Department; Software Development Department

• Information Systems Division: Library and Information Centre; Information Systems Administration Department; Information Systems Development Department

• User Support Division: Contact and Monitoring Centre; Complex Services and Training Department; Technical Support Department

Figure 3.1: Institute of Computer Science departments organization

The Institute of Computer Science is divided into five specialized divisions, each consisting of a number of departments or offices[8]. The organization of the ICS departments is depicted in Figure 3.1. The department responsible for the administration of the Windows UCN domain (and consequently the majority of the university workstations covered by the Central Management Service) is the System Administration Department.


3.1.2 Technical departments and their competencies

The UCN domain is administrated by four basic working units with different competencies, rights and responsibilities. By these parameters they can be divided into three levels:

• 1st - Contact and Monitoring center

• 2nd - Technical Support Department, local technical offices and departments

• 3rd - System Administration Department

Contact and Monitoring Centre

The Contact and Monitoring Centre is a department of the Institute of Computer Science. Besides its roles that are not in the scope of this work, the role of the Centre is the first contact and support for all administrated localities. This department serves as the connection point between the Institute of Computer Science, mostly in the role of the provider of the Service, and the localities, which have the role of the customer in this relation. This department has no rights to the administration tools.

Technical Support Department

Another department of the Institute, the main task of which is the support of students and employees in localities which are not, even partially, self-supported by local departments. Employees of this department possess the corresponding domain rights due to their job description. This includes full access to the managed workstations, the Active Directory infrastructure and other tools for remote management, restricted to the administrated localities.

Local Technical Offices and Departments

Local Technical Offices and Departments is a mutual title for all departments managing localities in the Central Management Service which do not belong to the infrastructure of the Institute of Computer Science but to the administrated locality itself. Their competencies are similar to those of the Technical Support Department.


System Administration Department

This department is responsible for the high-level administration of the whole UCN domain, the development of new features, tools and solutions, and the writing of documentation and guidelines for the departments of lower competencies. It also functions as the highest support department, solving issues of the highest importance and impact regarding the Central Management Service.

3.1.3 Windows domain ucn.muni.cz

All the current computers belonging to the Central Management Service are administrated by the Active Directory computer network system provided by Microsoft[9], as depicted in Figure 3.2. This domain is called ucn.muni.cz, and it is divided into 6 child domains of different purposes and different levels of centralized administration.

Child domain ups.ucn.muni.cz

A subdomain consisting of the majority of the classrooms and study rooms of Masaryk University without the need for individual child domains. Among these is also the University Computer Centre, which is the largest of the administrated study rooms, with a capacity of 150 workstations.

Child domains phil., law. and fss.ucn.muni.cz

These domains were created to fulfil the needs of the Faculties of Arts, Law and Social Studies. They consist of libraries, classrooms, study rooms and working departments belonging to these faculties, and they are locally administrated by their technical departments. Nevertheless, there is a strong connection due to the technical capabilities developed in the Central Management Service and used by these child domains.

Child domain zam.ucn.muni.cz

In this subdomain are located all the offices and working departments belonging to the University Campus in Bohunice. Employees' workstations from the Faculty of Sports Studies can also be found here.


UCN.MUNI.CZ

• UPS.UCN.MUNI.CZ (study rooms, classrooms, restricted workstations)

• ZAM.UCN.MUNI.CZ (working places)

• PHIL.UCN.MUNI.CZ

• LAW.UCN.MUNI.CZ

• FSS.UCN.MUNI.CZ

• STAFF.UCN.MUNI.CZ (working places)

Localities shown in the figure: University Computer Centre, Faculty of Social Studies, Faculty of Education, Faculty of Arts, Faculty of Science, University campus Bohunice, Vinařská Dormitory, Chemistry, Geography and Geology class rooms, Faculty of Education class rooms, Faculty of Science class rooms, University Centre Telč, Faculty of Sports Studies class rooms, Technology Transfer Office, Rectorate of Masaryk University, Library ALEPH, Institute of Computer Science, employees' workstations.

Figure 3.2: UCN Windows domain

Child domain staff.ucn.muni.cz

The child domain staff.ucn.muni.cz is designed to carry the working departments of the Institute of Computer Science, along with selected working departments belonging to other MU structures. It is the most recently created child domain in the UCN infrastructure. It was created due to the necessity of migrating the employees' workstations' operating systems and rearranging the UCN domain.

3.1.4 Localities managed by the Central Management Service

Localities administrated by the Service can be divided into three main groups:

11 3. CENTRAL MANAGEMENT SERVICE AT MASARYK UNIVERSITY

• Study rooms

• Classrooms

• Working departments

Both study rooms and classrooms are technically similar, using the same security policies and a standardized set of software. The only difference between these two types of localities is the additional software provided on demand in the administrated classrooms.

On the other hand, working departments are conceptually different from study rooms and classrooms. Their software is a combination of the standardized applications and the applications demanded by the employee using the workstation. This organization is similar to the software equipment of a standard classroom. More importantly, with regard to unattended installation, the hard drives of these computers are divided into two partitions, which enables the redirection of the local employee profile to the second partition. This solution was designed in order to prevent any data loss in case of OS re-installation or system failure.

3.1.5 Lifecycle of the workstation in the Central Management Service

Based on the experience with the administration of workstations in the UCN domain, the necessity of formalizing inter-department cooperation arose. This experience has been projected into a short list of actions occurring in the workstation's lifecycle. These can be divided into two independent processes: the addition and the removal of the workstation in the UCN domain.

An analysis of these sequences of tasks should increase both the effectiveness and speed of their completion and the transparency of their execution. It should also help prevent human-caused mistakes in the process, such as errors in the asset register, in the organization of network connections and in the Active Directory organizational units.


Figure 3.3 (swimlane diagram; lanes: Employee, Technical Support Department, A&F Office, External contractor). Steps shown: new WS order preparation; new WS provision; notification of the incoming WS; request of WS registration and its acceptance; WS registration confirmation; WS installation and network settings adjustment; WS delivery to the employee. Annotated tasks: registration of the WS under a DKP code; report of licenses pre-installed on the WS; creating DHCP, DNS and reverse DNS records; adding the WS to the OPSI server; moving the WS into the proper AD OU.

Figure 3.3: Process of addition of a new workstation

Addition of a new workstation (Figure 3.3; the figure is also included in the appendices):

• Placement of an order for a new workstation from an external contractor

• Notification of the new incoming workstation to the Technical Support Department (workstation installation order)

• Acceptance of the new workstation

• Workstation hardware and software registration in the ICS asset register

• Hardware workstation installation: creation of a DHCP registration and of a reverse DNS record

• Software installation and licensing of the software used on the workstation: creation of an OPSI record, placement of the workstation in MS AD

• Delivery of the workstation to the employee


Figure 3.4 (swimlane diagram; lanes: Employee, Technical Support Department, A&F Office, External contractor). Steps shown: WS removal notification and its acceptance; request of WS registration removal and its acceptance; WS data deletion and network settings adjustment; WS registration removal confirmation; WS stored in stock for further use, or WS sent to liquidation. Annotated tasks: deleting DHCP, DNS and reverse DNS records; removing the WS from the OPSI server; removing the WS from AD; re-registration of the WS under its DKP code; report of licenses released from the WS.

Figure 3.4: Process of the workstation removal

Removal of the workstation (Figure 3.4; the figure is also included in the appendices):

• Withdrawal of the workstation from the employee

• Hardware workstation uninstallation: deletion of the DHCP and reverse DNS records

• Deletion of the workstation's data and report of unused licenses: removal of the workstation from OPSI and MS AD

• Report of changes in the ICS asset register

• Displacement of the workstation either to stock or to liquidation provided by an external contractor
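Both processes above end in the same four record systems (DHCP reservation, reverse DNS, OPSI client record, Active Directory computer object), and the mistakes the analysis aims to prevent are precisely the cases where one of them is left out of step with the others: a workstation added to DHCP but never registered in OPSI or moved into its OU, or a decommissioned workstation whose records linger. The script below is an added example written for this text, not the ICS's own tooling. It reconciles the four sources from constructed exports and reports every host whose addition or removal is incomplete. The CSV-like DHCP list, the zone-file PTR records, the OPSI client id list and the AD distinguished names are assumed export formats; the host names and the 192.0.2.0/24 (TEST-NET-1) addresses are made up; `OU=Workstations` is an assumed target OU.

```python
import re

# Constructed sample exports (assumption: not real UCN data; TEST-NET-1 addresses).
DHCP_RESERVATIONS = """
# hostname, MAC, IP
ws01.zam.ucn.muni.cz, 00:11:22:33:44:01, 192.0.2.11
ws02.zam.ucn.muni.cz, 00-11-22-33-44-02, 192.0.2.12
ws03.zam.ucn.muni.cz, 0011.2233.4403,    192.0.2.13
ws05.zam.ucn.muni.cz, 00:11:22:33:44:05, 192.0.2.15
"""
PTR_RECORDS = """
11.2.0.192.in-addr.arpa.  IN  PTR  ws01.zam.ucn.muni.cz.
12.2.0.192.in-addr.arpa.  IN  PTR  ws02.zam.ucn.muni.cz.
13.2.0.192.in-addr.arpa.  IN  PTR  ws03.zam.ucn.muni.cz.
14.2.0.192.in-addr.arpa.  IN  PTR  ws04.zam.ucn.muni.cz.
15.2.0.192.in-addr.arpa.  IN  PTR  ws99.zam.ucn.muni.cz.
"""
OPSI_CLIENTS = ["ws01.zam.ucn.muni.cz", "WS02.zam.ucn.muni.cz",
                "ws04.zam.ucn.muni.cz", "ws05.zam.ucn.muni.cz"]
AD_COMPUTERS = {  # dNSHostName -> distinguishedName
    "ws01.zam.ucn.muni.cz": "CN=WS01,OU=Workstations,DC=zam,DC=ucn,DC=muni,DC=cz",
    "ws02.zam.ucn.muni.cz": "CN=WS02,CN=Computers,DC=zam,DC=ucn,DC=muni,DC=cz",
    "ws04.zam.ucn.muni.cz": "CN=WS04,OU=Workstations,DC=zam,DC=ucn,DC=muni,DC=cz",
    "ws05.zam.ucn.muni.cz": "CN=WS05,OU=Workstations,DC=zam,DC=ucn,DC=muni,DC=cz",
}
MANAGED_OU = "OU=Workstations"  # assumption: the OU the addition process moves hosts into


def norm_host(name):
    """Lower-case, strip whitespace and the trailing zone dot so all four spellings compare equal."""
    return name.strip().rstrip(".").lower()


def norm_mac(mac):
    """Accept 00:11:..., 00-11-... and 0011.2233.4455 notations; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError("malformed MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_dhcp(text):
    """host -> (mac, ip); '#' starts a comment."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            host, mac, ip = (f.strip() for f in line.split(","))
            out[norm_host(host)] = (norm_mac(mac), ip)
    return out


def parse_ptr(text):
    """ip -> host; turns 11.2.0.192.in-addr.arpa. back into 192.0.2.11."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\.in-addr\.arpa\.?\s+(?:IN\s+)?PTR\s+(\S+)", line, re.I)
        if m:
            out[".".join(reversed(m.group(1).split(".")))] = norm_host(m.group(2))
    return out


def reconcile(dhcp, ptr, opsi, ad, managed_ou=MANAGED_OU):
    """Return {host: [issue, ...]} for every host whose records disagree.

    DHCP is the master list: a reserved host needs a matching PTR, an OPSI client and an
    AD object inside the managed OU (else its addition is incomplete); a host without a
    reservation must not appear anywhere else (else its removal is incomplete).
    """
    opsi = {norm_host(h) for h in opsi}
    ad = {norm_host(h): dn for h, dn in ad.items()}
    ptr_hosts = set(ptr.values())
    issues = {}

    def add(host, msg):
        issues.setdefault(host, []).append(msg)

    for host, (_mac, ip) in dhcp.items():
        rev = ptr.get(ip)
        if rev is None:
            add(host, "ptr: no record for " + ip)
        elif rev != host:
            add(host, "ptr: %s resolves to %s" % (ip, rev))
        if host not in opsi:
            add(host, "opsi: no client record, unattended install impossible")
        dn = ad.get(host)
        if dn is None:
            add(host, "ad: no computer object")
        elif managed_ou.lower() not in dn.lower():
            add(host, "ad: object not in %s: %s" % (managed_ou, dn))

    # Hosts known to PTR, OPSI or AD but no longer reserved in DHCP: leftovers of a removal.
    for host in sorted((ptr_hosts | opsi | set(ad)) - set(dhcp)):
        stale = [name for name, present in (("ptr", host in ptr_hosts),
                                            ("opsi", host in opsi),
                                            ("ad", host in ad)) if present]
        add(host, "dhcp: no reservation, stale records in " + ", ".join(stale))

    return {h: sorted(msgs) for h, msgs in sorted(issues.items())}


def run_sample():
    """Reconcile the constructed exports above."""
    return reconcile(parse_dhcp(DHCP_RESERVATIONS), parse_ptr(PTR_RECORDS),
                     OPSI_CLIENTS, AD_COMPUTERS)
```

Treating DHCP as the master list mirrors the two processes, where the DHCP registration is the first technical step of an addition and its deletion the first of a removal. On the sample data the check flags ws02 (still in the default Computers container), ws03 (never added to OPSI or AD), ws05 (its address points back to another name) and ws04 and ws99 (removed from DHCP but left elsewhere); in practice the four inputs would come from the DHCP server, the reverse DNS zone, the OPSI server and an Active Directory query, which this script does not perform itself.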

3.2 Formalization of the Central Management Service

The concept of centralized administration was announced in 2000, and it has gone through many changes and updates since then. Because of its wide impact and the great number of technical solutions, which were in some cases significantly customized in the process, it became necessary to create a formalized description of the service with the definitions of the terms and conditions of its provision. This formalized definition of the Central Management Service should be used, in many adapted forms, by:

Users

The description will be provided on the official website of the Institute of Computer Science in order to inform about the capabilities and possibilities of the IT equipment integrated into the Central Management. It will also be used as source material for selected informational posters.

Local technical departments

It is necessary to provide local support employees with guidelines and descriptions of the administrated solutions. This document will also serve as a definition of rights and responsibilities during the administration of localities, problem reporting and resolution.

Representatives of newly integrated localities

In this scenario, the description will be used as supporting material during negotiations on the inclusion of new localities.

Representatives of existing localities

Some localities are not fully aware of all the advantages resulting from incorporation into the Central Management Service. The created document will provide them with the basic information, which will simplify and clarify all future communication and demands.

Management of the ICS

The management of the ICS can use this material for the purposes of tracking the progress and development concerning the Service, including feedback from localities in the form of the results of demanded solutions.


The following section of the thesis consists of a detailed description of the created document and of the minor materials fulfilling all the requested parameters. They can be found in their full form in the appendices of the thesis.

3.2.1 Overview of the created document

The Description of the Central Management Service is a document capturing the current aspects of its focus, usage and technical capabilities. Data contained in this document is also used as an underlay for other presentation materials such as informative posters and presentations. It is divided into three parts:

• General description of managed localities

• Terms of Service

• Technical description of the service

General description of managed localities

The general description of the Central Management Service contains information about the origin of the Service, its primary purpose and a description of its capabilities. Three target groups of localities are identified and categorized. A list of all managed localities is also included.

Terms of Service

The second part of the document, the Terms of the Service, consists of these parts:

• A list of actions belonging to the responsibilities of the System Administration Department

• Inclusion of a new locality

• The settings of the included segments

• Preparation of the software equipment

• The responsibilities of the local technical departments, description of routine problem solution and reporting definition


Responsibilities of System Administration Department

All localities are managed by two levels of technical departments: the local level, which is either the Technical Support Department of ICS or the local technical department of the administrated locality, and the centralized level, the System Administration Department. This chapter lists all the responsibilities of the System Administration Department in the context of cooperation between these two levels of management.

Inclusion of a new locality

New localities can be included in the Central Management Service in two scenarios, distinguishing localities capable of covering their own server needs from those that are not. In the second scenario, in which a locality does not possess the resources needed for its inclusion, all server equipment is provided by the Institute of Computer Science.

The settings of the included segment

The network settings of the administrated localities must be both compatible with the needs of all provided solutions of the Service and secure enough to guarantee its proper functionality and safety. All the required settings and rules are included in this chapter of the document.

Preparation of the localities' software equipment

As described later in this document, software installed on managed localities is divided into two groups: standardized and local. Local software must be requested by lecturers and employees of the included locality, and the request must follow the listed conditions. Compliance with these conditions minimizes the room for mistakes and misunderstandings caused by the shortage of time set aside for their preparation.

The responsibilities of the local technical department

The first part of the Terms of the Service describes the role of the System Administration Department in the management of administrated localities. This section describes the responsibilities of the local technical department, drawing the line between these two levels of management. This chapter also contains the description of the requested reactions to selected problems occurring on administrated workstations.


Technical description of the service

The last chapter consists of a description of the major Solutions which are available to the managed localities as part of the Service. These Solutions are:

• Solution for Unattended Installation

• Solution for Software Distribution

• Solution for User Profiles Administration

• Solution for Central Data Store

• Solution for Remote Wake-up and Shutdown

• Solution for Examination Modes

• Solution for Monitoring of Localities

Solution for Unattended Installation

This section describes the system used for remote installation of products on boot, mainly operating systems. A full-scale view of this Solution is the subject of the next chapter of this thesis.

Solution for Software Distribution

This part describes the approach to software assignment and installation on the various localities of the UCN. It also lists the standardized set of applications installed in all administrated study rooms and classrooms.

Solution for User Profiles Administration

Homogeneity of the working environment is partly ensured by migrating student profiles. The organization of the user-accessible organizational units on workstations of the UCN domain is described in this section of the document.

Solution for Central Data Store

This part describes the solution providing data store capacities to all students and employees of Masaryk University.


Solution for Remote Wake-up and Shutdown

The technical capability to remotely wake up, shut down and restart administrated workstations is an important tool of all administration departments. It is described together with a brief sketch of the settings required for its proper function.

Solution for Examination Modes

This section of the document describes the two examination modes available in the computer study rooms and classrooms in the Central Management Service. These were developed in order to provide lecturers with the means to use the available IT infrastructure during the examination period.

Solution for Monitoring of Localities

Information concerning the monitoring technologies which are set up on all managed localities.

3.2.2 Additional materials

The document described in the previous section also serves as background material for presentations and posters. A sample of these materials can be found in the appendices of this thesis.

Posters

Generally, posters containing selected information from the document are used to provide information in selected administrated localities. The poster used as an example in the appendices is displayed in the majority of the UCN domain study rooms and classrooms.

Presentations

Regular meetings are organized in order to keep local technical support teams informed about current technologies, available solutions and changes in the Central Management Service. They are also necessary during the process of integrating a new locality into the central administration. In order to provide all the necessary information during these meetings, support materials are used, some of which are the presentations concerning the current description of the Central Management Service.

3.3 Summary

The aim of the first part of the thesis was the creation of a formalized description of the Central Management Service provided by the Institute of Computer Science. After examining the relevant aspects of the service, such as the roles of the provider and recipient of the service and the technical possibilities of the administrating departments, a document describing this service was created. Its description is introduced in section Overview of the created document. Its full form can be found in the appendices of this thesis in both Czech and English language versions.

4 Solution for Unattended Installation

As mentioned at the beginning of this thesis, the Central Management Service is based on the administration of the majority of Masaryk University's IT infrastructure. For these purposes, a number of technical solutions have been developed, one of which is the Solution for Unattended Installation.

4.1 Description of the Solution for Unattended Installation in the Central Management Service

The present role of the Solution starts after a workstation is connected to the university network. Its role is the installation of the operating system with pre-selected parameters concerning correct driver assignment, disk partitioning and very basic security settings. During this process, every new workstation is added to the UCN domain, ensuring a fluent transition from the OS installation phase to the middle phase of a computer's lifecycle: administration by Microsoft Active Directory. The Solution is used as the exclusive tool for adding workstations to the UCN domain. It also provides a number of tools used for monitoring workstations and for erasing their hard drives. It is accessible to selected technical employees and domain administrators via a web application. This Solution therefore provides two basic functionalities:

• Unattended installation of operating systems on supported workstations

• Adding computers to the UCN domain for further automated administration

21 4. SOLUTION FOR UNATTENDED INSTALLATION

4.1.1 Current technical system for unattended installation

The current Solution for Unattended Installation is provided using a system called Open PC Server Integration (OPSI)[10] version 4.0.2.1. OPSI is an open source -based client management system, which has so far been used as the main and only software fulfilling the scope of the Solution for Unattended Installation. It is capable of installing operating systems and software via the network, using either the tftp LAN boot or the pre-installed OPSI client on the administrated workstation. Among its basic purposes are also functions like SW and HW audit, initiation of remote memory checks and hard drive deletion. The system is operated via the web application depicted in Figure 4.1.

Figure 4.1: OPSI web application

Unattended OS installation supported by OPSI is based on the boot of a Windows OS image[11] via the network. In the first step, the workstation boots a Unix-based operating system from the network location determined by the BIOS and DHCP configuration. This system initiates the download of the desired image and the installation of the appropriate Windows operating system (or any other supported product). The whole process is performed by a series of configuration scripts. These adjust the most important settings in the context of the Central Management Service. Once the installation of the operating system is concluded, a fluent transition to the integration into the infrastructure begins. This process sets the workstation's security settings, delegates the maintained applications and grants access to printing solutions and user profiles. The server carrying the OPSI system in the UCN domain is alia.ucn.muni.cz. Product version 4.0.2.1 has been installed here, and it has been the only fully-functioning server working as the core system of the Solution for Unattended Installation. The operating system of the alia server running the OPSI server is GNU 6.0.7[12]. The basic functionalities of the applied version 4.0.2.1 of the OPSI system are:

• Automatic OS installation

• Automatic software distribution (not stable)

• Hardware inventory

As OPSI is an open source system, it can be controlled both via the provided web application and by direct access to the OPSI server. It is configured by a series of scripts and configuration files, which can be found within the application installation files in two basic directories:

• /opt/pcbin/install

• /var/lib/opsi

4.1.2 Process of the OPSI netboot product installation

There are two types of software products installed via OPSI: netboot products and local boot products. Netboot product is a general term for software installed during a workstation's boot period (namely operating systems and minor service applications). Local boot products are applications which can be installed during the workstation's runtime, and their installation is managed by the OPSI client.

The installation process of every netboot product (Figure 4.2, footnote 1) depends on proper server, network and client configuration:

• The proper name and MAC address of the installed clients need to be set on the server.

• Network configuration requires permitting TFTP, SAMBA and RPC communication between the OPSI installation server and the client workstations.

• Client configuration consists only of the proper BIOS setting (first boot device set to LAN). OPSI version 4.0.2.1 also does not support UEFI mode, which has to be disabled in order to guarantee the proper function of the unattended installation.

[Figure 4.2 diagram: four lanes for the Web Application, OPSI Server, Workstation and DHCP Server. Web Application: assign product deployment to the client. OPSI Server: preparation of the netboot product and setup.py; provision of the Unix-based OS, Windows PE and installfiles. DHCP Server: provision of IP address, PXE boot server and image directory. Workstation: boot from LAN, request of Windows PE and installfiles, execution of HW inventory, driver installation, partition division, Windows PE download, installation of the requested OS, reboot and boot from HDD; outcome Success or Failure, with the client deployed with the installed Windows OS on success.]

Figure 4.2: Process of the OS installation

1. Process of the OS installation figure also available in the appendices.


After the creation of a new client in the web administration, selection of the requested netboot product and verification of the proper settings of the corresponding devices, the installation of the product is ready to commence. It starts after the reboot of the workstation. In this scenario, the workstation requests boot files from the OPSI server, which was pre-configured on the corresponding DHCP server.
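As an added example that is not part of the thesis or of OPSI, the following Python renders the per-client DHCP host declarations that pre-configuring the DHCP server for PXE boot amounts to: the client name and MAC address registered in the web administration are validated first, because they end up spliced into the DHCP configuration, and a MAC registered under two names is refused, since the DHCP server could not tell which client it is answering. The OPSI server address 192.0.2.10, the boot file path linux/pxelinux.0 and the use of ISC dhcpd syntax are assumptions; the sample client records are constructed.

```python
import re
from collections import Counter

# Assumed values (not taken from the thesis): the address of the OPSI server
# that the DHCP server hands out as PXE boot server, and the boot file it
# serves over TFTP. 192.0.2.10 is a documentation (TEST-NET-1) address.
OPSI_NEXT_SERVER = "192.0.2.10"
OPSI_BOOT_FILE = "linux/pxelinux.0"

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen.
_HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def normalise_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455 and return
    the colon-separated lowercase form. Anything else is rejected, as are
    multicast/broadcast addresses (low bit of the first octet set), which no
    client NIC owns."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.lower()
    if int(digits[0:2], 16) & 0x01:
        raise ValueError(f"multicast/broadcast MAC rejected: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def validate_hostname(name: str) -> str:
    """The client name doubles as the workstation's domain name, so it must be
    a single DNS label. Rejecting anything else keeps web-form input from
    being written into dhcpd.conf as extra directives."""
    name = name.strip()
    if not _HOSTNAME_RE.fullmatch(name):
        raise ValueError(f"invalid client name: {name!r}")
    return name.lower()


def dhcp_host_stanza(name: str, mac: str) -> str:
    """Render the ISC dhcpd host declaration that points this client's PXE
    boot at the OPSI server (next-server) and its boot file (filename)."""
    host = validate_hostname(name)
    hw = normalise_mac(mac)
    return (
        f"host {host} {{\n"
        f"    hardware ethernet {hw};\n"
        f"    next-server {OPSI_NEXT_SERVER};\n"
        f'    filename "{OPSI_BOOT_FILE}";\n'
        "}\n"
    )


def duplicate_macs(clients):
    """Return the MACs registered for more than one client name."""
    counts = Counter(normalise_mac(mac) for _, mac in clients)
    return sorted(mac for mac, n in counts.items() if n > 1)


def render_clients(clients) -> str:
    """Render all host stanzas, refusing the whole set if any MAC is
    registered twice."""
    dupes = duplicate_macs(clients)
    if dupes:
        raise ValueError(f"duplicate MAC addresses: {dupes}")
    return "".join(dhcp_host_stanza(name, mac) for name, mac in clients)


# Constructed sample registrations, as the web interface would submit them.
SAMPLE_CLIENTS = [
    ("pc-lab1-01", "00-1A-2B-3C-4D-5E"),
    ("pc-lab1-02", "00:1a:2b:3c:4d:5f"),
]

if __name__ == "__main__":
    print(render_clients(SAMPLE_CLIENTS))
```

The rendered declarations are what the DHCP server needs for the step described above: on the workstation's PXE request it answers with the OPSI server as boot server and the boot file to fetch over TFTP.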

4.1.3 Netboot products

As alia has always been used exclusively for the installation of operating systems within the UCN domain, neither Local boot products nor the OPSI client itself have ever been installed. Delegation and management are handled by the Windows domain, leaving OPSI only as a tool for boot software installations. For these reasons, the OPSI client is not even installed on the workstations of the UCN domain. This means that alia is used for the installation of:

• Operating systems

• Hardware inventory

• Memtest

• Disk cleanup

Netboot products - Operating systems

The Central Management Service supports installation and management of these operating systems and bit versions in both English and Czech languages:

• Windows 7 x64

• Windows 7 x32

• Windows XP x32

An option to divide the HDD into multiple partitions is available if the installation is launched from the customized web interface. This has been implemented in order to support the working departments' installations, as was described in the first part of this thesis in subsection Localities managed by the Central Management Service.

Other netboot products

Despite the fact that alia.ucn.muni.cz is not used for the installation of applications, a number of basic netboot products are still used, either before the OS installation process or during troubleshooting of occurred problems. These products are:

• Disk cleanup

• Hardware Inventory

• Memtest

Disk cleanup

A netboot product designed to erase any partition division. In the current solution, division into two partitions of pre-defined size is done by a set of static scripts. OPSI is therefore designed to expect only one of three hard drive states during the installation process: a disk without partitions, a disk with one partition or a disk divided into two partitions defined by the OPSI scripts.

Hardware Inventory

An inventory of the equipment of an installed workstation has to be made in order for the drivers to be delegated properly. Hardware inventory is therefore included in the process of OS installation. It can also be deployed alone as a separate netboot product.

Memtest

Memtest[13] is a third-party tool used in order to verify the proper memory state of a selected workstation.

Deployment of drivers

The drivers of supported computers are stored in a subdirectory of the selected operating system. This means that every operating system has its own set of workstations onto which it is capable of being installed. Drivers are assigned to computers by automatically created identifiers of every integrated driver. These are assigned to the appropriate workstation during the OS installation process.


OPSI server customization

Despite the fact that OPSI supports all the demanded functionalities, it had to be adjusted in many ways to fit into the Service itself. The major changes are related to the web interface and the partition division scripts.

Web interface

OPSI does not support groups of users accessing the web interface, and it assigns everyone full rights to all of its functions. As described before, the domain of Masaryk University is administrated by many departments of varying level in a number of localities. In order to provide the Solution to all of these localities and local administrators, a new web interface was developed (Figure 4.3). This interface fully supports groups of accessing users, who can consequently modify only a pre-selected set of workstations. These workstations are grouped by their usage, locality and local administration department.

Figure 4.3: Developed web application


Two partitions option

It has been explained earlier that workstations included in the Central Management Service can be divided into two groups according to their usage: employees' and students' workstations. In order to support the redirected local profiles of employees' workstations, OPSI has pre-defined alternatives in which the operating system can be installed. These are the standard mode (with one partition, used when installing computers in classrooms and study rooms) and the two partition mode (for employees' workstations).

4.2 Alternative technologies and tools for unattended OS installation

Larger corporations now often rely on their IT infrastructure, which is directly connected with the use of various management tools. Among those are systems for unattended installation, updates, remote SW and HW audits and many more functions enabling the effective management of large infrastructures. In the context of the Solution for Unattended Installation, the former system ensuring unattended OS installation was built on the OPSI system. One of the aims of this thesis is to upgrade this Solution, which includes consideration of all available technologies with the demanded functions. There are a number of requirements which should be covered by the system selected for further use, if it were chosen as a successor to the Solution for Unattended Installation built on OPSI. These requirements include a fluent transition from the former system to the new one, full coverage of all currently used functionalities and preferably an open source solution with low or no costs but with the prospect of further development. This section describes the best known systems with a focus on fulfilling the requested properties.


4.2.1 Microsoft System Center Configuration Manager (SCCM)

Formerly known as Microsoft System Management Server, SCCM[14] provides remote control, software installation and updates, SW and HW auditing and operating system deployment on client devices (Figure 4.4). It supports selected Linux-based, Windows and Mac OS X versions of OS, including mobile operating systems such as Windows Mobile, Android, iOS and Symbian.

Figure 4.4: SCCM configuration console[15]

SCCM is one of the leading products in the area of remote configuration management and it covers a great number of functions. The most important of these features are SW and HW inventory, software distribution and updates, advanced deployment of operating systems, a number of remote tools and more. All these functions are compatible with selected Microsoft products, making the product even more complex and powerful if used with the Windows domain. However, despite all the advantages of this large and professional system, its non-negligible price makes it unsuitable as an alternative to the OPSI system in the Solution for Unattended Installation.


4.2.2 Unattended with Unattended GUI

Unattended[16] is a narrowly specialized system designed for the installation of selected versions of operating systems. It is platform independent, running on both Windows and UNIX based servers. Separately from the original Unattended project, a user interface has been developed. This interface, known as the Unattended GUI[17] (depicted in Figure 4.5), simplifies access to the supported features. The key features of the Unattended system are web based management, support of automatic unattended installation (including deployment of OS and software), network management, multi-location support, inventory, image deployment, PXE network booting, client and license management and many more.

Figure 4.5: Uranos Unattended GUI interface[18]

However, despite the good technical level and a wide base of functions of this system, no additional features which would enlarge or improve the scope of the Solution have been found.


4.2.3 Automated Network Installations (ANI)

ANI[19] is another Linux-based and open source system for unattended installation, which supports the installation of selected versions of MS Windows. For reasons which will be explained at the end of this section, the analysis of this system starts with the description of the OS installation process. This process starts with the installation of an initial ANI client using the boot CD. The attributes of the OS installation are selected using the client's dialog interface (Figure 4.6). Data of the installed OS is consequently downloaded from the pre-configured ANI server, delivering all requested data. After the installation is finished, a number of post-Windows-installation scripts are run in order to join the installed workstation to the Windows domain and notify about the installation outcome via email.

Figure 4.6: ANI client dialog interface[20]

The whole process of client installation is similar to the installation process of OPSI. However, even without further analysis of this system, it is obvious that it has two major drawbacks. The first and greater one is the currently incomplete support of operating systems from family (and so Windows 7 is not yet supported by this system), which makes the product as it was created useless for the current needs of the Solution for Unattended Installation. This fact also indicates an unreliable future for the whole ANI project. The second drawback is the requirement of local administrator interaction during the whole installation process (insertion of an installation medium, filling in the workstation name, resolution and client type). For these two main reasons, ANI is not suitable as an alternative to OPSI in the context of fulfilling the needs and goals of the Solution.

4.3 Analysis and design of the new Solution for Unattended Installation

4.3.1 Analysis of the current unattended installation system

The former Solution for Unattended Installation possesses a number of drawbacks. All changes, updates and troubleshooting are performed on a single production server, making the system vulnerable during these tasks (despite the fact that the server is regularly backed up). The whole system should be made more robust, adjusted for crisis situations and provided with a fully-featured development and testing environment. This Solution also does not support SSD disks, which are already included in newly-ordered workstations. The new Solution for Unattended Installation should be able to support OS installation on workstations outside the UCN domain. Such functionalities are not fully supported in the deployed system version, and support for these workstations is not implemented at all. As all workstations installed using the former system were automatically added to the Windows domain, software distribution was provided using the domain policies. The former Solution therefore does not support software installation, which is one of the requested functionalities for the upgraded Solution for Unattended Installation. Software deployment using the upgraded Solution will be used together with the option of workstation installation outside the UCN domain. Considering driver deployment, the addition of a new workstation type often results in non-deterministic behavior caused by the assignment system and the (no longer necessary) complexity of their delegation. All these factors cause occasional wrong driver assignment for already supported workstations. After consideration of the available technologies for unattended installation in the previous section of this thesis, the functionalities which need to be preserved, the costs of migration to another system and the benefits of the current system, it was decided that the Solution will continue to use the OPSI system in version 4.0.3.2. The new Solution will support the following new functions and parameters:

• Robust application cluster

• Compatibility with the former system

• Easy maintenance and synchronization

• Support of workstations outside the UCN domain

• Support of selected new OPSI functions and netboot products (for example support of SSD disks and the Kill Disk netboot product)

4.3.2 Design of the new Solution

The new version of the Solution will be built on the newer version 4.0.3.2 of this system. It will be made more robust in comparison with the former Solution. Its core will consist of four servers:

• Tali1 and tali2 – two identical servers in one cluster carrying the Solution after the upgrade.

• Tali-test – a server similar to tali1 and tali2, which will be used as a testing environment during future upgrades and changes. It will also be used as a gateway during the routine tasks executed on the OPSI server.

• Alia – the original OPSI server. It will be preserved for several months in order to guarantee a fluent transition from the current system. For this time, it will be partially synchronized with the updated version. After the full migration of all managed localities, this server will be fully removed from the Solution.

In order to fulfill the requested functionalities, three of the new functions developed as part of OPSI will be altered and used: support of installation on SSD disks, software deployment and installation of the Kill Disk netboot product. A number of new functions will be implemented, such as synchronization of all servers participating in the Solution and installation of operating systems outside the domain. Some of the currently used tools will also have to be altered: these are changes in the developed web interface used across the University, changes in the hard drive partitioning scripts and more. Some of the current approaches will remain, such as the use of VMware[21] virtualization and the related backup system. The current backup schedule will also be preserved. After an analysis of the existing system, the following changes, updates and functions have been proposed:

• Update of the current system for security and functional reasons

• Carrying server will be doubled in a cluster

• Creation of compatible testing and development environment

• Full coverage of all currently supported functions

• Optimization of maintenance demands

• Optimization of the installation process speed

• Support of SSD disks on local computers

• Option of installation outside the UCN domain

• Deployment of software outside the UCN domain

• Addition of the Kill Disk netboot product

4.4 Implementation of the designed Solution for Unattended Installation

4.4.1 Upgrade to the OPSI version 4.0.3.2

The current OPSI version 4.0.3.2 was installed on the newly created virtual servers. All currently supported workstations, localities, access groups and users were manually migrated from the former OPSI server alia. After the full takeover of all relevant data, the requested netboot products were installed and configured. The tali servers will no longer support XP versions of the Windows operating system. Windows XP will only be supported by the former OPSI server; therefore only OS netboot products of various versions of Windows 7 have been prepared. These were equipped with drivers for new incoming workstations, gradually expanded by the drivers of migrated localities. A chapter describing driver deployment of the upgraded version can be found further in this thesis. Other netboot products were implemented similarly to the products known from the previous OPSI version, namely Disk Cleanup, Memtest and HW Inventory.

4.4.2 Carrying cluster

Servers tali1 and tali2 are designed as a pair of identical servers carrying the Service for Unattended Installation. An active-passive failover cluster of these servers is built using the Pacemaker[22] cluster resource manager and the Corosync[23] cluster engine. The passive server is activated either in case of unavailability of the active server or during a failure of one of the main OPSI services. In order to increase the reliability of the Service, the physical servers running these two OPSI instances are located in different server rooms.

4.4.3 OPSI testing environment

Probably the most important demand on the upgraded Solution for Unattended Installation is the creation of a fully operational testing environment identical to the actual unattended installation system. This environment is designed to fulfill a number of tasks, the most important being the simulation of newly added drivers and operating systems, testing of their changes and alterations and observation of their behavior during whole-system upgrades. A server called tali-test was created for these purposes. It is, by design, kept in exactly the same state as the pair of carrying servers, making it perfect for the execution of all the described demands. The synchronization of this server with the other servers participating in the designed Solution is described in the following sections. It is important to note that the synchronization is semi-automatic and on demand. This makes the testing server easy to use during the replication of the requested changes to the cluster, as it can be added to and removed from the synchronization process using only one simple script.

4.4.4 Former OPSI server in the upgraded solution

Server alia.ucn.muni.cz fulfills only a secondary function in the prepared Solution. Its purpose is to ensure full support of all administrated localities during the transition to the updated version. This transition is expected to last for approximately one year, during which the server will only be maintained, without any extension of its functions or impact. The approximate date for the shutdown of the alia server is December 2014.

4.4.5 Synchronization of the OPSI servers

One of the most important demands on the prepared Solution is simplicity in further use and maintenance. The former Solution was built on only one server and did not require any system for file synchronization, as all changes were simply made directly on the server alia.ucn.muni.cz. This was both unstable during routine maintenance and inflexible when reacting to occurring problems. Both of these problems are solved by the design of the upgraded Solution, but the question of handling the synchronization of all changes arose. The concept of the carrying server synchronization is depicted in Figure 4.7.


[Figure 4.7 diagram: tali1.ics.muni.cz (tali1/opt/installfiles) and tali2.ics.muni.cz (tali2/opt/installfiles) form the carrying cluster; tali-test.ics.muni.cz (tali-test/opt/installfiles) is joined to the cluster by two-way synchronization on request; alia.ics.muni.cz (alia/opt/installfiles) receives periodic one-way synchronization from the cluster.]

Figure 4.7: Four application servers synchronization model

Synchronization of drivers

OPSI version 4.0.3.2 fully supports the assignment of drivers according to the detected vendor and model of the installed workstation. These values must be pre-filled in the BIOS of the installed workstations (this requirement was successfully agreed on with the external supplier of IT equipment at MU). Drivers are therefore assigned in order of priority, starting with the vendor and model folders. If there is no folder for the vendor and/or model of the installed workstation, its drivers are assigned from the folder of additional drivers. Any drivers not found in these two folders are finally assigned from the most general folder, which contains the most versatile driver versions.

The suggested solution uses tali-test as the gateway for all executed changes. When new computers are to be added to the UCN domain, their drivers need to be placed into the directory of the appropriate operating system. In contrast to the former approach (described in the section named Alia customization), this is first done on the server tali-test. Server tali-test must first be synchronized with the carrying pair of servers (and thus be in an identical state). After the newly added drivers have been properly tested, these changes can be replicated (on demand or during a scheduled automated synchronization) to the old server alia.ucn.muni.cz and to the pair of new servers tali1 and tali2.

As tali-test is, by design, not in the correct state at every moment of its use, its synchronization was designed to be on demand instead of fully automated. The synchronization is, by default, turned on between the pair of carrying servers and the server tali-test, keeping its state identical to tali1 and tali2 while it is not in use. During testing operations, the synchronization with tali-test is turned off using simple management scripts [24], which were created to provide the requested flexibility. By re-adding tali-test to the synchronization process after the testing procedures, the server is once again ready for further tasks, with its state identical to the carrying pair of servers tali1 and tali2.

It was described earlier in this thesis that drivers are stored within every individual operating system directory. However, the same drivers can be used for operating systems of the same bit width regardless of their language version. Leaving this state unaltered would lead to undesirable redundancy of data and would also complicate the synchronization procedures. To avoid this, a common folder was created on every server for all drivers (namely the folder opt/installfiles/drivers, Figure 4.8), with symlinks connecting it to their original locations.

Figure 4.8: Scheme of the drivers' synchronization. The OPSI server keeps the drivers in installfiles/drivers, split into 64bit and 32bit; the installation trees of Windows 7 64-bit CZE (in domain), Windows 7 64-bit CZE (not in domain), Windows 7 64-bit ENG (in domain) and Windows 7 32-bit CZE (in domain), each with its own install.wim, refer to the shared driver folders.

It is important to emphasize that, in order to preserve full support of all workstations installed earlier using alia, the synchronization with this server is unidirectional.

Synchronization of operating systems

The Central Management Service supports workstations using two operating systems: Windows XP and Windows 7. All tali servers will, for now, be used only for the installation of Windows 7, which is supported in the following versions:


• Windows 7 x64 ENG (inside the domain)

• Windows 7 x64 CZE (inside the domain)

• Windows 7 x86 CZE (inside the domain)

• Windows 7 x64 CZE (outside the domain)

The Windows 7 core is stored in a single install.wim file kept among the other installation files. It can easily be updated with new Microsoft updates, also known as KB files. These files were redirected (similarly to the alteration made to the drivers folder) into the common folder opt/installfiles/wim (Figure 4.9) using Linux hard links. Windows XP will continue to be maintained separately, directly on the alia server.

Figure 4.9: Scheme of the synchronization of operating systems' installation files. The OPSI server keeps the images 7-64-cz, 7-64-en and 7-32-cz in installfiles/wim; the installation trees of Windows 7 64-bit CZE (in domain), Windows 7 64-bit CZE (not in domain), Windows 7 64-bit ENG (in domain) and Windows 7 32-bit CZE (in domain) are hard-linked to the install.wim of the matching image.
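The consolidation of driver directories into a common folder via symlinks and the link-preserving synchronization described above (drivers in the previous section, hard-linked install.wim files in this one), as an added example. This is illustrative Python, not the thesis's synchronization scripts [24]: it builds a small installfiles tree in a temporary directory, refuses to collapse driver trees that are not byte-identical, replaces the per-OS driver directories with relative symlinks to installfiles/drivers/64bit, decides which peers a carrying server pushes to, and assembles the rsync command for each. The directory names, the tali-test.enabled flag file and the rsync invocation are assumptions.

```python
"""Added example (not the thesis's synchronization scripts): collapse the
per-OS driver directories onto the common folder installfiles/drivers with
symlinks, and decide which servers a carrying server pushes /opt/installfiles
to.  Directory names and the tali-test flag file are assumptions."""
import hashlib
import os
import shutil
import tempfile

PAIR = ("tali1.ics.muni.cz", "tali2.ics.muni.cz")
ALIA = "alia.ucn.muni.cz"
TEST = "tali-test.ics.muni.cz"
FLAG = "tali-test.enabled"   # assumed marker toggled by the on-demand scripts


def tree_digest(root):
    """SHA-256 over relative paths and contents, so two driver trees can be
    compared regardless of which OS directory they live in."""
    h = hashlib.sha256()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            h.update(os.path.relpath(full, root).encode())
            with open(full, "rb") as f:
                h.update(f.read())
    return h.hexdigest()


def link_drivers(installfiles, os_dirs, arch):
    """Move the first OS's drivers to installfiles/drivers/<arch> and replace
    every listed <os>/drivers directory with a relative symlink to it.
    Refuses when the trees differ: merging them would silently change which
    drivers a workstation receives."""
    digests = {d: tree_digest(os.path.join(d, "drivers")) for d in os_dirs}
    if len(set(digests.values())) != 1:
        raise ValueError("driver trees differ, refusing to merge")
    common = os.path.join(installfiles, "drivers", arch)
    os.makedirs(os.path.dirname(common), exist_ok=True)
    os.rename(os.path.join(os_dirs[0], "drivers"), common)
    for d in os_dirs:
        target = os.path.join(d, "drivers")
        if os.path.isdir(target) and not os.path.islink(target):
            shutil.rmtree(target)
        os.symlink(os.path.relpath(common, d), target)
    return common


def sync_targets(local_host, state_dir):
    """Hosts a carrying server pushes to: its twin (two-way, each side pushes),
    alia (one-way, never the reverse) and tali-test only while the flag exists."""
    targets = [h for h in PAIR if h != local_host] + [ALIA]
    if os.path.exists(os.path.join(state_dir, FLAG)):
        targets.append(TEST)
    return targets


def rsync_command(dst_host, path="/opt/installfiles/"):
    """-a keeps symlinks as symlinks (never -L, which would expand each link
    into a full copy on the receiver); -H preserves the hard-linked install.wim
    files, which -a alone does not."""
    return ["rsync", "-aH", path, f"{dst_host}:{path}"]


def _make_os(installfiles, name, inf_body):
    """Constructed OS tree with one vendor/model driver folder."""
    d = os.path.join(installfiles, name)
    model = os.path.join(d, "drivers", "dell", "optiplex")
    os.makedirs(model)
    with open(os.path.join(model, "net.inf"), "w") as f:
        f.write(inf_body)
    return d


def demo():
    """Constructed installfiles tree in a temp dir; returns checkable results."""
    base = tempfile.mkdtemp()
    installfiles = os.path.join(base, "opt", "installfiles")
    inf = '[Version]\nSignature="$Windows NT$"\n'
    x64 = [_make_os(installfiles, n, inf) for n in ("win7-64-cz", "win7-64-en")]
    common = link_drivers(installfiles, x64, "64bit")
    all_linked = all(os.path.realpath(os.path.join(d, "drivers"))
                     == os.path.realpath(common) for d in x64)
    x86 = [_make_os(installfiles, "win7-32-cz", inf),
           _make_os(installfiles, "win7-32-en", inf + "; different build\n")]
    try:
        link_drivers(installfiles, x86, "32bit")
        refused = False
    except ValueError:
        refused = True
    before = sync_targets(PAIR[0], base)
    open(os.path.join(base, FLAG), "w").close()   # admin re-adds tali-test
    after = sync_targets(PAIR[0], base)
    shutil.rmtree(base)
    return {"all_linked": all_linked, "refused_mismatch": refused,
            "targets_off": before, "targets_on": after}


if __name__ == "__main__":
    print(demo())
    print(" ".join(rsync_command(ALIA)))
```

The two rsync flags matter for this layout: without -H the hard-linked install.wim files arrive on the receiver as independent copies, undoing the deduplication, and with -L the receiver gets a full driver tree per operating system instead of symlinks.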

4.4.6 Installation process speed optimization

All tali servers will possess features and alterations that increase their operational speed compared to alia.ucn.muni.cz. Two main factors make this optimization possible.

The first factor is the possibility to improve the carrying hardware, specifically the full support for systems with more than two processor cores introduced in version 4.0.3.2. This also makes the whole system easy to upgrade using the VMware virtualization tools on which the tali servers run.

The second factor is the storage of clients' configuration data in a single SQL [25] database instead of separate files, which is the default approach in the original system. This modification greatly reduced the time needed for the simultaneous installation of a greater number of workstations.

4.4.7 Support of SSD disks and two-partition division

New workstations provided by a supplier can be divided into four basic categories according to their storage equipment, those with:

• 1 HDD

• 1 SSD

• 2 HDD

• Combination of 1 SSD and 1 HDD

Managed study rooms and classrooms are equipped only with the first two options, i.e. with a single disk of either type. Installation of an operating system in these localities is therefore independent of disk organization: one disk with only one partition is used. In the case of employees' workstations, all four options need to be handled for a correct division into a system and a data partition. The older version of OPSI did not support SSD disks at all. Although version 4.0.3.2 is able to install on SSD disks (covering the first three categories of new workstations), the combination of an SSD and an HDD in one configuration is not supported. The selection of the future system drive is done by automated scripts, which take only two parameters into consideration: the system is installed either on the previous system drive (detection of an installed operating system is implemented) or on the first drive on the controller.

During communication with the OPSI developers' team, an alteration of the configuration files was suggested which would select the future system partition during the OS installation process. The altered configuration scripts were accepted by the OPSI team for further use, and this feature has already been announced for the next OPSI version, 4.0.4.2.
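The drive-selection policy described in this section, carried one step further to the mixed SSD and HDD case, as an added example. This is illustrative Python, not OPSI's own partitioning code or the configuration scripts submitted to the OPSI team; the disk records are constructed, and the field names and the preference for the smallest SSD are assumptions.

```python
"""Added example, not OPSI's partitioning code: choose the system disk for an
unattended installation, including the SSD + HDD combination.  Disk records are
constructed; field names and the SSD preference are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Disk:
    device: str        # e.g. /dev/sda; list order is controller order
    size_gb: int
    rotational: bool   # False for an SSD (Linux: /sys/block/<dev>/queue/rotational)
    has_windows: bool  # an existing Windows installation was detected on it


def choose_system_disk(disks, prefer_ssd=True):
    """Priority: (1) the disk that already carries Windows, so a reinstall
    keeps the data disk untouched; (2) with prefer_ssd, the smallest SSD,
    which covers the mixed configuration the default scripts do not handle;
    (3) the first disk on the controller, the default behaviour."""
    if not disks:
        raise ValueError("no disks detected")
    previous = [d for d in disks if d.has_windows]
    if previous:
        return previous[0]
    if prefer_ssd:
        ssds = [d for d in disks if not d.rotational]
        if ssds:
            return min(ssds, key=lambda d: d.size_gb)
    return disks[0]


def partition_layout(disks, system):
    """Two-partition division for employees' workstations: the system partition
    on the chosen disk and the data partition (D:) on the other disk when there
    is one, otherwise on the remainder of the same disk.  Study rooms and
    classrooms have one disk and get a single partition."""
    others = [d for d in disks if d != system]
    data = others[0].device if others else system.device
    return {"system": system.device, "data": data}


def scenarios():
    """The four supplier categories from section 4.4.7 plus a reinstall, with
    constructed disk inventories."""
    hdd = Disk("/dev/sda", 1000, rotational=True, has_windows=False)
    hdd2 = Disk("/dev/sdb", 1000, rotational=True, has_windows=False)
    ssd = Disk("/dev/sdb", 240, rotational=False, has_windows=False)
    ssd_only = Disk("/dev/sda", 240, rotational=False, has_windows=False)
    used_hdd = Disk("/dev/sda", 1000, rotational=True, has_windows=True)
    mixed = [hdd, ssd]          # the SSD is second on the controller
    return {
        "1 HDD": choose_system_disk([hdd]).device,
        "1 SSD": choose_system_disk([ssd_only]).device,
        "2 HDD": choose_system_disk([hdd, hdd2]).device,
        "SSD+HDD": choose_system_disk(mixed).device,
        "SSD+HDD default": choose_system_disk(mixed, prefer_ssd=False).device,
        "reinstall": choose_system_disk([used_hdd, ssd]).device,
        "SSD+HDD layout": partition_layout(mixed, choose_system_disk(mixed)),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:16} -> {result}")
```

With the default behaviour the mixed machine would get its system on the first-enumerated HDD; the reinstall case shows why the existing-installation check has to come first, since it is what keeps an employee's D: drive untouched.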


4.4.8 Operating Systems deployment outside the UCN domain

For installation of a selected operating system outside the UCN domain, one of two approaches had to be chosen: either the use of the same system core for installations inside and outside the domain, or the creation of a brand new netboot product. After considering flexibility and the probability of further differences being demanded of non-domain systems, the solution with a new netboot product was selected. A number of basic alterations to the standard netboot operating system had to be made to enable this product for broad use. One of these was disabling the scripts responsible for adding the computer to the domain and for the consequent settings. This includes alterations made to enable the installation of the OPSI client during the OS installation. The OPSI client enables an alternative form of remote administration without the use of the Windows Active Directory domain. Finally, the operating system was added to the altered web application as a new netboot product, making it available to the other technical departments.

4.4.9 Software deployment outside the UCN domain

One of the functionalities provided by OPSI is the installation of software using the OPSI client, which is pre-installed during the post-OS-installation phase. These software packages are called local boot products. Their preparation is in many ways similar to the deployment of netboot products: the software is stored on the hard drive in a specific folder and format, and a number of configuration scripts, which determine the product's main attributes, have to be altered. After proper integration, a new product is available for installation through the original web interface. For netboot products, OPSI supplies automated installation packages for all supported Windows versions, which significantly simplifies the preparation of a new netboot product. However, as the OPSI team does not create such automated packages for local boot products, these packages must be created either manually or using third-party packages such as those by GeosOne Opsi Pro [26]. In order to make the software installation option available to all technical departments, an updated version of the developed web interface with maintained software packages will subsequently be deployed.

4.4.10 Kill Disk netboot product

Kill Disk is a newly released netboot product, which is able to erase a workstation's hard disk. Configuration scripts manageable via the web interface allow for multiple passes of the erasing process, ensuring safe data deletion. This new netboot product will be an important step during the migration of workstations between different localities or employees, providing greater assurance that the former user's data has been deleted.
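A multi-pass erase with read-back verification, as an added example of what a Kill Disk style netboot product does. This is not the thesis's Kill Disk scripts, and instead of a real block device it runs against a constructed 4 MiB file image so that it is safe to execute; the pass pattern (random data, then zeros) and the chunk size are assumptions. On a real drive the same code would be pointed at the whole device node. Overwriting is a reliable erasure method for magnetic disks; for SSDs, wear levelling leaves blocks the operating system cannot address, so the drive's own secure-erase command is the appropriate tool there.

```python
"""Added example, not the thesis's Kill Disk product: overwrite a disk
(here a constructed file image) several times and verify the result.
Pass pattern and chunk size are assumptions."""
import os
import secrets
import tempfile

CHUNK = 1 << 20  # 1 MiB per write


def device_size(fd):
    """Size in bytes for a regular file or a block device (whose stat size is 0)."""
    end = os.lseek(fd, 0, os.SEEK_END)
    os.lseek(fd, 0, os.SEEK_SET)
    return end


def _write_all(fd, data):
    """os.write may be short on a raw descriptor; loop until everything is out."""
    view = memoryview(data)
    while view:
        n = os.write(fd, view)
        view = view[n:]


def wipe(path, passes=3, chunk=CHUNK):
    """Overwrite the whole device `passes` times: random data on every pass
    except the last, which writes zeros so the result can be verified cheaply.
    Each pass is fsync'ed so the writes reach the medium, not just the page
    cache.  Returns the device size in bytes."""
    if passes < 1:
        raise ValueError("at least one pass is required")
    fd = os.open(path, os.O_WRONLY)   # for a real disk: the whole device, not a partition
    try:
        size = device_size(fd)
        for n in range(passes):
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining:
                block = min(chunk, remaining)
                _write_all(fd, bytes(block) if n == passes - 1
                           else secrets.token_bytes(block))
                remaining -= block
            os.fsync(fd)
    finally:
        os.close(fd)
    return size


def verify_zeroed(path, chunk=CHUNK):
    """Read the device back and confirm the final pass left no non-zero byte."""
    zero = bytes(chunk)
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                return True
            if block != zero[:len(block)]:
                return False


def demo():
    """Constructed 4 MiB image holding a marker that stands in for a former
    user's data; returns what a practitioner would check after a Kill Disk run."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"FORMER-USER-DATA" * 1024)
        f.truncate(4 * CHUNK)
    marker = b"FORMER-USER-DATA"
    with open(path, "rb") as f:
        before = marker in f.read()
    size = wipe(path, passes=3)
    with open(path, "rb") as f:
        after = marker in f.read()
    zeroed = verify_zeroed(path)
    os.unlink(path)
    return {"size": size, "marker_before": before,
            "marker_after": after, "zeroed": zeroed}


if __name__ == "__main__":
    print(demo())
```

The verification step is the part worth keeping in any production variant: a wipe that is never read back is a wipe whose success is assumed rather than known, and a failed write late in the last pass would otherwise go unnoticed.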

4.5 Summary

The aim of the second part of the thesis was an upgrade of the current system for unattended OS installation via OPSI used as part of the Service. This system was to be upgraded based on its analysis and the requests of the provider of the service. The former solution was analyzed and described. Based on the discovered drawbacks and requested functionalities, a new system has been designed and implemented. This system is based on the up-to-date version of the OPSI system. All changes and improvements are documented in the section called Implementation of the designed Solution for Unattended Installation.

5 Conclusion

The first aim of this thesis was the creation of a formalized document containing the general description, the terms of use and the technical description of the Central Management Service. The second aim was an upgrade of the current Solution for Unattended Installation with the requested new functions and with great emphasis on the security and reliability of the newly designed system. The thesis has been created in cooperation with the System Administration Department of the Institute of Computer Science.

The beginning of this thesis described the motivations for the central management approach and the significance of tools for remote administration in the context of today's technical trends. These trends were then projected onto the requirements of Masaryk University and the current capabilities of the Central Management Service. In order to consistently present all the available solutions, a set of materials was created. All the created materials described in and enclosed with this work are results of this thesis.

The second part of the thesis dealt with the Solution for Unattended Installation, its significance in the context of the Service, a comparison with state-of-the-art tools and finally the implementation of the upgraded version. The system carrying this Solution was adjusted to meet all the requested functionalities. The author's contribution in this part of the thesis is the design of a new solution, its implementation and the adjustment of selected functions listed in the thesis.

The results of this thesis are a set of promotional documents and an upgrade of the Solution for Unattended Installation. The created promotional documents in their full form can be found in the appendices of the thesis.

6 Literature

[1] Masaryk University. Available on WWW:

[2] Babinec, P., Rychnovský, L., Tuček, P.: Centralized Approach to Large User and Computer Infrastructure Management. Available on WWW:

[3] Peša, R., Krajíček, O., Rychnovský, L.: Počítačové studovny MU. Zpravodaj ÚVT MU. ISSN 1212-0901, 2005, roč. XVI, č. 1, s. 9–11. Available on WWW:


[11] Stanek, W. R.: Windows 7 Administrator’s Pocket Consultant. Microsoft Press, August 26, 2009.

[12] Debian operating system. Available on WWW:

[13] MemTest86. Available on WWW:

[14] System Center Configuration Manager (SCCM). Available on WWW:

[15] System Center Configuration Manager console. Available on WWW:

[16] Unattended. Available on WWW:

[17] Unattended GUI. Available on WWW:

[18] Unattended GUI console. Available on WWW:

[19] Automated Network Installations (ANI). Available on WWW:

[20] Automated Network Installations (ANI). Available on WWW:

[21] VMware. Available on WWW:

[22] Pacemaker. Available on WWW:

[23] Corosync. Available on WWW:


[24] Hertzog, R., Mas, R.: The Debian Administrator's Handbook. Freexian SARL, December 24, 2013.

[25] Stanek, W. R.: Microsoft SQL Server 2012 Kapesní rádce administrátora. Computer Press, February 27, 2013.

[26] GeosOne Opsi Pro. Available on WWW:

A Appendices

• A.1 Description of the Central Management Service

• A.2 Popis služby centrální správy

• A.3 Information poster: Computer study rooms and class- rooms on MU

• A.4 Information poster: Univerzitní počítačové studovny a učebny MU

• A.5 Process of addition of a new workstation

• A.6 Process of workstation removal

• A.7 Process of the OS installation via the OPSI system

A.1 Description of the Central Management Service

The concept of unified central management of workstations was created based on the experience with technologies used in the University Computer Centre. The University Computer Network (UCN) was established, enabling effective administration of workstations and a unified working environment for students and employees across the university. This infrastructure is currently used for three different purposes: university computer study rooms, classrooms and employees' workstations.

Localities included in the central management provide users with an integrated working environment, higher security and uniformity of the provided services, a unified Microsoft Windows OS environment and a standardized set of installed software. The service supports unified logon using standardized logon information: UČO and secondary password. There are several basic types of supported software. Standardized software is centrally maintained and available in all localities. Also available is specially licensed software covered by the university licenses. The solution also offers an option to include a wider set of software according to individual requests. The main advantage is a great reduction of the costs paid for IT administration and the provision of a unified working environment throughout the whole of MU, for lectures as well as for all university study rooms.

The infrastructure itself provides administrators with the following functionalities: unattended installation of workstations (OS + SW), regular updates of centrally provided software, access to troubleshooting tools, remote access to the workstations, their monitoring and more.

Workstations are regularly updated during scheduled time frames, generally planned during the late night hours. During the update time frames, the deployed software and operating systems are updated. Occasionally, service tasks associated with these updates are also executed during this time.
The main advantage of this approach is the provision of a constantly up-to-date environment without the need for any user interaction.

One of the functions of UCN is the mediation of connections to the centralized printing systems. These enable uniform payment using an ISIC card (via the SUPO account) and a standardized printing environment throughout the various managed localities.

Besides the localities' standard running mode, two special modes designed for students' examinations are also supported. These modes are adjusted to restrict access to undesirable applications, e-mail and the internet, or to restrict access to profile data. Technical courses and assistance are also offered.

Currently, the central management is (at various levels of integration) composed of study rooms, classrooms and workplaces from over half of the organizational units of Masaryk University. Among these are:

• The Rector's Office

• Institute of Computer Science

• Faculty of Science
- geography classroom
- geology classroom
- the library
- science club

• Faculty of Law
- study rooms and classrooms

• Faculty of Arts
- full administration of employees' and students' workstations
- the library

• Faculty of Education
- the library
- one classroom

• Faculty of Social Studies
- the library
- two classrooms
- selected employees' workstations


• Technology Transfer Office - full administration of employees’ workstations

• University Campus Bohunice - UCB Library - chemistry classroom - Faculty of Medicine localities

• University Computer Centre

• University Centre Telč

• Accommodation and Catering Services of MU

Division of localities

The Service of Central Management is offered throughout the Masaryk University in a number of modes according to its use:

• Study rooms – computer rooms available to students

• Classrooms – computer rooms used during lectures

• Employees’ workstations

Study Rooms

A study room is a computer room intended for use by students for free-time studies and associated activities. Students are granted access to the basic set of software and selected software related to their subject of study. A uniform user environment for both study rooms and classrooms is also provided in the form of roaming profiles, storage and access to shared drives and printing devices.


Classrooms

A classroom is a computer room dedicated to lectures and associated activities. Students are granted access to the basic set of software and selected software related to their subject of study (this set of software is requested during the integration of the classroom into the Service and is updated every semester). A uniform user environment for both study rooms and classrooms is also provided in the form of roaming profiles, storage and access to shared drives and printing devices.

Employees’ workstations

Computers in the employee workstation mode offer functionality similar to that of study rooms. In addition to the basic set of SW, employees also have access to the SW associated with their work requirements (economic software, asset management, etc.). This set of software is agreed upon during the integration of the workplace into the central management. Employees also have local storage space, access to shared drives, printing devices, remote desktops and network backup storage at their disposal. Profile data is stored locally on the workstation.

Terms of Service

The Service of Central Management is accessible to all economic centers of Masaryk University and is free of charge. The responsible persons from ICS are listed on the contacts page. On the side of the economic centers, the head of the LVT of the associated EC is considered the responsible person. This person can delegate all technical matters further throughout the locality.

The current possibilities of the System Administration Department in terms of applied solutions enable the use of the Service of Central Management in two scenarios: localities with their own server equipment and localities without it. Since 2013, new localities have been included exclusively according to the second scenario, i.e. without the need for localities to have their own server equipment.


Both scenarios are identical from the user's perspective: profiles, software equipment and all central settings are the same in both. The difference in functionality lies in the access and rights of the local administration departments and in individual requirements; local server equipment can offer a wider range of local functions and services.

SAD ICS (System Administration Department of the Institute of Computer Science) provides the following activities as part of the Service of Central Management:

• management of authentication via UČO and secondary password

• management, monitoring and backup of servers

• management of workstations’ unattended installations

• management of the basic set of software

• local distribution of hotfixes and updates for Microsoft prod- ucts

• local distribution of updates for Eset anti-virus products

• availability of printing devices using the Active Directory

• management of student profiles

• management of host profiles in order to grant MU visitors access to the UCN and ICS services (Eduroam, VPN, ...)

• provision of information concerning the security state of the IT infrastructure – security audit

• troubleshooting – solution of serious and critical software prob- lems on workstations

• general consultations concerning the area of IT

In localities included into the Central Management (with local ad- ministration not provided by the ICS), the local administration de- partments are responsible for:


• management of the extended set of software, which is not dis- tributed centrally

• reaction to the UCN administrators’ requests

• reporting of occurring problems to the UCN administrators

• management of the network infrastructure of local worksta- tions and servers

• complaints related to the locality’s hardware

Inclusion of a locality without HW equipment

The following conditions must be fulfilled in order to include an EC into the central management:

Hardware:

• In this scenario, localities use HW equipment of the ICS.

Software:

• the appropriate number of Microsoft OS licenses for worksta- tions included in the UCN infrastructure

• the appropriate number of CALs for workstations included in the UCN infrastructure

• the appropriate number of anti-virus licenses for workstations included in the UCN infrastructure

Inclusion of a locality with HW equipment

Hardware:

• 3 servers (service included)

• backup power supply in case of a power outage (for example UPS)


• network switch and reserved network segments for servers and workstations

Software:

• three server licenses of Microsoft OS (by arrangement with ICS)

• the appropriate number of Microsoft OS licenses for worksta- tions included in the UCN infrastructure

• the appropriate number of CALs for workstations included in the UCN infrastructure

• the appropriate number of anti-virus licenses for workstations included in the UCN infrastructure

Settings of the client segments

Inclusion of workstations into the central management is associated with a set of rules:

• Workstations are added into the domain exclusively using the system for unattended installation of operating systems OPSI at https://tali.ics.muni.cz/

• The subnet (WLAN) containing workstations from the domain may not contain any other device from outside the domain. Automatic assignment of IP addresses must also not be enabled in this segment; addresses are assigned only through the DHCP reservations described below.

• IP addresses are distributed exclusively via DHCP server, which is configured according to the instructions from UCN domain administrators

• Correct setting of DHCP reservations on associated servers

• Correct setting of reverse DNS records


Preparation of SW equipment

The SW equipment of classrooms is modified before the beginning of each semester according to the instructions from the person responsible for the classroom, who also communicates with all the lecturers who are going to use the classroom during the semester. Requests for the addition or modification of SW must be reported at least three weeks before the beginning of the semester in order to ensure sufficient testing of the environment. Requests reported after this date might not be handled before the start of the semester. One week before the start of the semester, the classrooms will be ready for testing by lecturers.

Local technical departments

Local administrators may not interfere with the system in a way that would allow the elevation of a common user's rights. Furthermore, under no circumstances is a local administrator allowed to disclose the administrator password or their own password to another person. Violation of these two rules will be considered a severe security breach and may lead to disconnection of the locality from the central infrastructure.

Local administrators are responsible for local hardware and software management, the solution of routine problems and mediation of communication between users and domain administrators. This includes:

• Setting of BIOS according to the requirements of the Central Management.

• Installation and management of locally distributed applica- tions and printers.

• Solution of local problems that have no direct connection to the functionality of the Service of Central Management.

• Mediation of requests, questions and requirements related to the Service of Central Management to the domain administra- tors.


• Local assistance to the domain administrators in solving rou- tine and crisis situations on the locality.

Troubleshooting

Problems can be divided by severity into three groups:

• Common
- occurrence on a single workstation, solved by a reboot or reinstallation of the workstation
- occurrence on a single user profile on multiple workstations, solved by a repair of the user's profile

• Severe
- occurrence on multiple workstations, solved by contacting the UCN domain administrators

Restart or reinstallation of a workstation

A restart of a workstation ensures the restoration of domain policies and the application of domain scripts. Reinstallation of a workstation provides a completely new configuration of the reinstalled workstation (operating system, device drivers, software, domain policies, file system security). In the case of employees' workstations, profiles and the D: drive are left untouched by the reinstallation process. If these methods fail, the problem should be reported to the UCN domain administrators.

User profile repair

If the user profile correction tool is not available to you, contact the UCN domain administrators at [email protected] and request a profile correction. This request must contain the user's UČO. Before contacting the administrators, verify that the user's profile is not full: approximately half of the problems with user profiles are caused by insufficient profile space, and users are capable of solving this issue on their own.


Specification of the problem, report of the problem to the UCN domain administrators

In the case of a severe problem, please contact the UCN domain administrators by e-mail at [email protected]. The report of the problem should be as detailed as possible. Every e-mail reporting a problem to the UCN domain administrators should contain:

• Locality (Classroom XY of faculty ZW).

• Problem description.

• Time of the problem occurrence (i.e. today, yesterday, last week, on Wednesday, 14.2., . . . ).

• Any changes to the workstation, which could be related to the problem (power outage, change in hardware equipment, newly installed application, . . . ).

• If the contact person is not the same as the sender of the report, the name of the contact person (or equivalently their UČO or school e-mail address).

Providing all of the information described above during the first contact with the UCN domain administrators will significantly speed up the solution of the problem. Examples of serious problems are: dysfunctional anti-virus software on a workstation, an inoperative license server of the maintained software, inability to log in to the workstation for a larger group of users, unavailability of user profiles and more.

Technical description of the service

Central management (or the infrastructure of the central management) is built on Microsoft Active Directory. Standard technologies such as group policies and scripts are used for workstation management. The central domain is the UCN domain. The infrastructure's servers ensuring the proper function of the service are located in this domain. A number of subdomains are included under the UCN domain (e.g. PHIL, FSS, ...). These are partially administrated by local administrators, allowing them to take over a significant part of the management (e.g. to develop their own policies, to add and remove workstations and more).

Solution for Unattended Installation of operating systems

Workstations included in the central management are installed exclusively by the automated tool OPSI, which is installed on the servers alia.ucn.muni.cz and tali.ics.muni.cz. The following preparations have to be made to enable installation into the central management:

• Configuration of BIOS of the installed workstations according to the instructions from the UCN domain administrators.

• Insertion of the discovered MAC addresses of the installed workstations into the network configuration (DHCP reservations), as described in the chapter Setting of client segments.

• Request to the UCN administrators for the new workstations to be added to the system for unattended OS installation (the names of the workstations from DHCP and their MAC ad- dresses must be included).

The Solution for Unattended Installation of OS is based on booting the operating system over the network. In the first step, the workstation boots a Unix-based operating system from the network location given by its BIOS and DHCP configuration. This system initiates the download and installation of the desired Windows operating system. The whole process is completed by a series of scripts, which adjust the most important settings in the context of the Service of Central Management. Because a network-booting workstation accepts whatever boot server its DHCP answer points it to, without authentication, the rules for client segments described in the chapter Setting of client segments are what protects this stage: only known, reserved devices may be present on the segment, and addresses are handed out only by the DHCP server configured by the UCN domain administrators.

Once the operating system has been installed, a seamless transition to the process of integration into the infrastructure follows. This process sets the workstation's security settings, delegates the maintained applications and grants access to printing solutions and user profiles.


Solution for Software Distribution

One of the basic functions of the UCN domain is the distribution of SW equipment. There are two sets of software:

• Basic – identical for all localities, contains all commonly used software.

• Extended – typically SW equipment requested by specific lo- calities for lecturing purposes.

The basic software package contains the software equipment common to all study rooms, be it on individual faculties or in the university-wide study rooms. This whole set of software is regularly updated every two or four weeks across the whole UCN domain. This ensures a homogeneous environment by offering the same software versions across the domain.

If software specific to a selected faculty/locality needs to be deployed centrally, the preparation of this installation is done by the local administrators (e.g. instead of the centrally maintained Altap Salamander). If certain parameters are met, the local software can be incorporated into the central management.

The extended set of software is updated according to an agreement between the UCN domain administrators and the local administrators. Changes in software versions can cause differences in functionality or compatibility problems, which could severely affect lectures. Adjusting the frequency of updates of the extended set of software to the needs of lecturers helps to prevent these problems. The basic set of maintained software consists of:

• 7-Zip

• Adobe digital editions

• Adobe Reader

• Altap Salamander

• ArcGis

• CD Burner XP


• Mozilla Firefox

• Flash

• Gimp

• Google Chrome

• Internet Explorer

• IrfanView

• Java JRE 6

• Java JRE 7

• Matlab

• NOD 32

• Notepad ++

• Opera

• PDF 24 Creator

• PDF Creator

• PsPad

• Putty

• Statistica

• TexLive

• VLC Player

• WinSCP


Solution for User Profile Administration

One of the main advantages of the central management is the homogeneity of the user’s working environment, independent of the classroom and workstation they currently operate on. This is guaranteed by the use of user profiles that are stored on network storage devices and copied to the workstations at every login. This way, the user has access to an invariant working environment that allows for better work conditions. The following network repositories are available to the users:

• I: TEMP directory shared from a server. This directory is fully accessible to all users. For example, it can be used to transfer data between stations. The directory is not intended for long-term data storage – these capacities are not backed up and they are regularly erased.

• J: Applications shared on a server. This repository is read-only. It includes applications that do not require installation on the client side.

• K: User Profile that contains all user settings (particularly the files of browsers and mail clients). These capacities can be used to store personal files – they are available in the My Documents folder on the workstation’s desktop. This storage has a limited capacity, i.e. the total data size of this folder (including files from the mail clients, browsers, etc.) must not exceed the given limit. After reaching the limit, the correct behavior of applications or personal settings cannot be guaranteed.

• The only folders on the local disk with full student access are:

  - C:\Users\UČO (on Windows XP C:\Documents and Settings\UČO) – a copy of the roaming user profile. This includes the user’s desktop and documents.

  - C:\Temp – a local folder. Its size is limited by the capacity of the local disk, and it is erased as required.


Solution for Central Datastore

All students and employees of Masaryk University are provided with custom profiles, which are made available after logging onto any workstation in the central administration. Individual storage capacities are also created for all university employees, intended for the storage and sharing of their daily operational data. These storage capacities are available either from the MU network or via the VPN MU. They are available at \\sam.ics.muni.cz\UČO with the credentials:

• Login: UCN\UČO

• Password: secondary password

Solution for Remote Wake-up and Shutdown

Localities included in the Service of Central Management are offered the option of centrally controlled wake-up, power-on and shutdown of workstations according to a pre-arranged schedule. This service is only provided to localities with Windows 7 in both bit versions. An early consultation about the deployment of this Solution is also necessary, usually accompanied by a technical audit of the network infrastructure and the workstations’ hardware equipment. For the Solution to function correctly, it is necessary to enable the Wake on LAN option (typically referred to as WOL) in the locality. These adjustments must be made both in the BIOS of the administered workstations and on the active network components. The Solution also depends on the workstation’s network card supporting WOL. It is also necessary to allow broadcast communication of the UDP protocol.

Solution for Examination Modes

Examination modes are one of the options supported under the Service of Central Management. Lecturers can switch the workstations from the normal mode to an examination mode in a matter of minutes. Two examination modes are currently supported:


• “Odpovědník” mode: After being switched to this mode, the workstation logs in with a special account and launches an answer sheet from IS MU. This is the only way the workstation can be used in this mode. The students have no access to the internet, their own data or the installed applications.

• “Zkouška” mode: In this mode, the stations are disconnected from the network. Students do not have access to their own data, but all the installed software is fully available.

Solution for Monitoring of Localities

For various security, informative and technical reasons, all the localities in the central management are equipped with technical solutions gathering information about users and workstations. This information includes data about workstations, study rooms and the entries of students into the study rooms. It is also possible to monitor who is currently occupying a given workstation, along with their UČO and basic information. This data is displayed in real time and recorded.

A.2 Description of the Central Management Service (Popis služby centrální správy)

The concept of unified central management of computers arose from experience with the technologies used in the University Computer Study Room (Celouniverzitní počítačová studovna). The University Computer Network (UCN) infrastructure was created, which enables efficient administration of personal computers and a uniform environment for students and employees across the university. This infrastructure is currently used for three different purposes: university computer study rooms, faculty teaching classrooms and employee computers.

From the user’s point of view, localities integrated into central management provide integrity of the working environment, higher security and uniformity of the provided services. The Service uses single sign-on with the standard authentication credentials (UČO and secondary password), a uniform environment in Microsoft Windows and a standard set of basic software. The standard, centrally maintained software specified below is available. Special licensed programs covered by university licences are also available. The Solution also offers the possibility of integrating an extended set of software according to individual requirements. The main benefit is a significant overall saving in the cost of administration and provision of the same working environment across the whole of MU, both in teaching and in the university study rooms.

From the point of view of computer administrators, the infrastructure provides the following functionality: unattended installation of PCs (OS + SW), regular updates of the centrally provided software, access to troubleshooting tools, remote access to workstations, workstation monitoring and more.

Updates are installed on the workstations regularly during service windows, which are usually scheduled for late night hours. During this time, updates of operating systems and of the deployed software are performed, as well as other service tasks related to updating the workstations’ equipment. The advantage of this approach is that an up-to-date environment is always provided without any intervention from the user.

One of the further functions of UCN is providing connection to centralised printing systems. These allow uniform payment by ISIC card through the SUPO account and a standard printing environment at various localities.

Besides the standard mode, we support special modes intended e.g. for examining students. These feature protection against copying, against access to unwanted applications, mail and the internet, and block access to the data in students’ profiles. We also offer support for various training sessions and the like.

Currently, study rooms, classrooms and workplaces of more than half of the organisational units of MU are integrated into central management at various levels of integration. These include, for example:

• Rectorate of MU (Rektorát MU)

• Institute of Computer Science (Ústav výpočetní techniky)

• Faculty of Science (Přírodovědecká fakulta)

  - Computer classroom of Geography

  - Computer classroom of Geology

  - Library

  - Science Club (Přírodovědecký klub)

• Faculty of Law (Právnická fakulta)

  - Study rooms and computer classrooms

• Faculty of Arts (Filozofická fakulta)

  - Complete support of student and employee computers

  - Library

• Faculty of Education (Pedagogická fakulta)

  - Library

  - Computer classroom

• Faculty of Social Studies (Fakulta sociálních studií)

  - Library

  - Two computer classrooms

  - Selected employee computers

• Technology Transfer Office (Centrum pro transfer technologií)

  - Complete support of employee computers

• University Campus Bohunice (Univerzitní kampus Bohunice)

  - Library of the University Campus Bohunice

  - Computer classroom of Chemistry

  - Localities of the Faculty of Medicine

• University Computer Study Room (Celouniverzitní počítačová studovna)

• University Centre Telč (Univerzitní centrum Telč)

• Accommodation and Catering Services (Správa kolejí a menz)

Classification of localities

The Central Management Service is offered within Masaryk University in several variants according to the purpose of use:

• Study rooms – computer rooms freely accessible to students.

• Classrooms – computer rooms intended for teaching.

• Employee workstations.

Study rooms

A study room is a computer room intended for students’ free-time study and the activities connected with it. Students have access here to the basic set of software and to selected software related to their field of study. It offers a uniform user environment common to the classroom and study-room modes in the form of roaming profiles, storage space and access to shared drives and printers.

Classrooms

A classroom is a computer room intended for teaching and the activities connected with it. Students have access here to the basic set of software and to software related to their field of study (this set is agreed during the integration of the classroom into central management and renewed every semester). It offers a uniform user environment common to the classroom and study-room modes in the form of roaming profiles, storage space and access to shared drives and printers.

Employee workstations

Computers in the employee workstation mode offer functionality partly similar to study rooms: in addition to the basic software set, employees have access to software related to their work (economic software, asset management, etc.; this set is agreed during the integration of the workplace into central management). They also have at their disposal local storage space, access to shared drives, printing, remote desktops and backed-up network storage. Data are stored on the given workstation.

Terms of service

The Central Management Service is available to all economic units (hospodářská střediska, HS) of MU and is provided free of charge. The responsible persons on the ÚVT side are listed on the contacts page. On the side of the economic units, we consider the heads of the LVT (local IT departments) of the respective HS to be the primary contact persons, who may delegate central management matters further.

Within the current possibilities of the System Administration Department in the context of the deployed solutions, we operate the Central Management Service in two scenarios: with the locality’s own server equipment and without server equipment. Since 2013, new localities have been integrated exclusively according to the second scenario, i.e. without the necessity of having their own server equipment.

Both scenarios are identical from the user’s point of view: profiles, software equipment and all central settings are completely the same in both versions. Different functionality can be recognised with respect to the possibilities of local administration and individual requirements, where local server equipment may offer a wider range of local functions and services.

OSS ÚVT (the System Administration Department of the Institute of Computer Science) performs the following activities within the Central Management Service:

• administration of authentication via UČO and secondary password

• administration, monitoring and backup of servers

• administration of unattended installations of user workstations

• administration of the basic software package

• local distribution of patches and updates for Microsoft products

• local distribution of updates for Eset antivirus products

• making printers available via Active Directory

• administration of student profiles

• administration of guest accounts for access to the services of the UCN and ÚVT infrastructure (Eduroam, VPN . . . ) for visitors of MU

• providing information about the current security situation in the infrastructure – security audit

• troubleshooting – resolving more serious and critical software problems with workstations

• general consultations on IT issues

In a locality integrated into central management (where end-device administration is not performed by ÚVT), the local administrators perform the following activities:

• administration of the extended software package that is not deployed centrally

• responding to requests from the UCN administrators

• reporting incidents to the UCN administrators

• administration of the network infrastructure of workstations and servers

• warranty claims related to hardware owned by the faculty

Integration of a locality without its own hardware

To connect an HS to central management, the following conditions must be met:

Hardware:

• In the scenario without their own equipment, localities use the hardware equipment of ÚVT.

Software:

• the appropriate number of Microsoft OS licences for the workstations connected to the UCN infrastructure

• the appropriate number of CAL licences for the workstations that are to be connected to the UCN infrastructure

• the appropriate number of antivirus software licences for the workstations connected to the UCN infrastructure

Integration of a locality with its own hardware

Hardware:

• 3 servers (with a service contract)

• backup power supply for the servers in case of a mains power failure (e.g. UPS)

• a network switch and dedicated network segments for the servers and workstations

Software:

• 3 Microsoft server OS licences (as agreed with ÚVT)

• the appropriate number of Microsoft OS licences for the workstations connected to the UCN infrastructure

• the appropriate number of CAL licences for the workstations that are to be connected to the UCN infrastructure

• the appropriate number of antivirus software licences for the workstations connected to the UCN infrastructure

Configuration of client segments

Including workstations in central management is tied to a set of rules:

• Workstations are added to the domain exclusively by means of the OPSI system for remote installation of the operating system at https://tali.ics.muni.cz/

• No device that is not in the domain will be placed into the subnet (WLAN) in which domain workstations are located. Likewise, automatic assignment of IP addresses must not be enabled on this segment.

• IP addresses are distributed only via DHCP according to the supplied configuration.

• Configuration of DHCP reservations on the corresponding servers.

• Configuration of reverse DNS records.
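The segment rules above (reservations only, no dynamic pool, no foreign devices, matching forward and reverse DNS) can be checked mechanically before a locality is connected. The following checker is an added example, not code from the thesis or from the ICS tooling; the subnet, the domain name, the host names and the MAC and IP addresses in it are constructed sample values, and the forward and reverse zones are passed in as plain dictionaries rather than read from a DNS server.

```python
"""Consistency check for a managed client segment.

Added example, not part of the thesis or of ICS MU tooling. All sample
values (subnet, domain, hosts, MACs, IPs) are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Reservation:
    hostname: str   # short name as it appears in the DHCP reservation
    mac: str
    ip: str


def normalise_mac(mac: str) -> str:
    """Accept colon, dash or dot separated MACs; reject anything that is not 12 hex digits."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def check_segment(subnet, domain, reservations, forward, reverse, dynamic_ranges=()):
    """Return a list of findings; an empty list means the segment follows the rules.

    forward: {fqdn: ip} A records, reverse: {ip: fqdn} PTR records,
    dynamic_ranges: DHCP pools that hand out addresses without a reservation.
    """
    net = ipaddress.ip_network(subnet)
    findings = []
    seen_mac, seen_ip, reserved_fqdns = {}, {}, set()

    # Rule: no automatic address assignment on a managed segment.
    for rng in dynamic_ranges:
        findings.append(f"{subnet}: dynamic DHCP pool {rng} present on a managed segment")

    for r in reservations:
        fqdn = f"{r.hostname}.{domain}"
        reserved_fqdns.add(fqdn)
        try:
            mac = normalise_mac(r.mac)
        except ValueError as exc:
            findings.append(f"{r.hostname}: {exc}")
            continue
        if ipaddress.ip_address(r.ip) not in net:
            findings.append(f"{r.hostname}: reserved address {r.ip} is outside {subnet}")
        if mac in seen_mac:
            findings.append(f"{r.hostname}: MAC {mac} already reserved for {seen_mac[mac]}")
        seen_mac.setdefault(mac, r.hostname)
        if r.ip in seen_ip:
            findings.append(f"{r.hostname}: IP {r.ip} already reserved for {seen_ip[r.ip]}")
        seen_ip.setdefault(r.ip, r.hostname)
        # Rules: forward record and reverse record must both agree with the reservation.
        if forward.get(fqdn) != r.ip:
            findings.append(f"{r.hostname}: A record for {fqdn} is {forward.get(fqdn)}, expected {r.ip}")
        if reverse.get(r.ip) != fqdn:
            findings.append(f"{r.hostname}: PTR record for {r.ip} is {reverse.get(r.ip)}, expected {fqdn}")

    # Rule: nothing may live in the segment that is not a reserved domain workstation.
    for fqdn, ip in forward.items():
        if ipaddress.ip_address(ip) in net and fqdn not in reserved_fqdns:
            findings.append(f"{fqdn}: A record {ip} inside {subnet} without a DHCP reservation")
    return findings


# Constructed sample segment (not MU data): one clean host and four rule violations.
SAMPLE_SUBNET = "10.1.2.0/24"
SAMPLE_DOMAIN = "lab.ucn.test"
SAMPLE_RESERVATIONS = [
    Reservation("ws01", "00:11:22:33:44:01", "10.1.2.11"),
    Reservation("ws02", "00-11-22-33-44-02", "10.1.2.12"),   # PTR record missing
    Reservation("ws03", "00:11:22:33:44:01", "10.1.2.13"),   # duplicate MAC
    Reservation("ws04", "00:11:22:33:44:04", "10.1.3.14"),   # outside the segment
]
SAMPLE_FORWARD = {
    "ws01.lab.ucn.test": "10.1.2.11", "ws02.lab.ucn.test": "10.1.2.12",
    "ws03.lab.ucn.test": "10.1.2.13", "ws04.lab.ucn.test": "10.1.3.14",
    "printer1.lab.ucn.test": "10.1.2.50",   # foreign device inside the segment
}
SAMPLE_REVERSE = {
    "10.1.2.11": "ws01.lab.ucn.test",
    "10.1.2.13": "ws03.lab.ucn.test",
    "10.1.3.14": "ws04.lab.ucn.test",
}


def run_sample(dynamic_ranges=()):
    return check_segment(SAMPLE_SUBNET, SAMPLE_DOMAIN, SAMPLE_RESERVATIONS,
                         SAMPLE_FORWARD, SAMPLE_REVERSE, dynamic_ranges)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Run it before submitting the request to add the workstations to OPSI (the MAC addresses and DHCP names the request must contain are exactly the fields the checker validates); every finding is one of the segment rules broken.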

Preparation of software equipment

The software equipment of classrooms is modified before the start of each semester according to the instructions of the responsible person, who handles communication with all the lecturers who will use the classroom in the given semester. Requests for adding/modifying software must be reported no later than 3 weeks before the start of the semester, to ensure sufficient testing of the environment. Requests reported after this deadline may not be processed before the start of the semester. One week before the start of the semester, the classrooms will be ready for testing by the lecturers.


Local administrators

Faculty administrators must not, by any intervention in the computer’s system, allow the elevation of privileges of an ordinary user. Furthermore, they must not under any circumstances hand over the administrator password to the workstations, or their own password, to another person. Violation of these two rules will be regarded as a serious security breach and may lead to disconnection from the infrastructure.

Faculty administrators are responsible for the local hardware and software administration of localities, solving routine problems and mediating communication between users and administrators. This includes:

• BIOS settings in accordance with the requirements of Central Management.

• Installation and administration of locally distributed applications and printers.

• Resolving local problems not directly related to the functionality of Central Management.

• Forwarding requests, questions and tasks related to the Central Management Service to the administrators.

• Local assistance to the administrators in resolving routine and emergency situations in the locality.

Problem resolution

Problems can be divided by severity into three groups:

• Common

  - occurring on one computer, resolved by restarting or reinstalling the computer

  - occurring for one user on several computers, resolved by repairing the user profile

• Serious

  - occurring on several computers, resolved by contacting the UCN administrators


Restart or reinstallation of the computer

Restarting the computer ensures that the domain policy settings are renewed and the domain scripts are applied. By reinstalling the computer we obtain a completely new configuration of the workstation (operating system, device drivers, software, domain policies, file system security). On an employee PC, the user profile and the D: drive are left untouched by reinstallation. If the above steps do not help, report the problem to the UCN administrators.

Repair of the user profile

If you have not been provided with a tool for restoring the user profile, send a request for repair of the user profile to the UCN administrators at [email protected] and state the user’s UČO. Before contacting the administrators, check whether the user’s profile is full – approximately half of the profile problems are caused precisely by this, and it is within the user’s power to fix it on their own.

Specifying the occurrence of a problem, reporting a problem to the UCN administrators

In case of a serious problem, contact the UCN administrators directly at the e-mail address [email protected]. Try to report the problem with the most accurate description possible. Every e-mail reporting a problem to the administrators should contain:

• The locality (classroom XY of faculty ZW).

• A description of the problem.

• The time of occurrence of the problem (i.e. today, yesterday, last week, on Wednesday 14.2., . . . ).

• The place of occurrence of the problem (ideally the workstation number, the UČO of the student logged in at that time, whether it is a single occurrence or one repeated on several workstations / for several users . . . ).


• Any changes made to the workstation that might be related to the problem (power outage, replacement of hardware, newly installed software, . . . ).

• If the contact person differs from the sender of the request, the name of the contact person (equivalently their UČO or school e-mail address).

By providing all of the above information to the administrators right at the first contact, you contribute to a faster resolution of the problem. Examples of a serious problem are non-functional antivirus software on a workstation, a non-functional licence server for software, the impossibility of logging onto computers for a larger group of users, unavailable user profiles, etc.

Technical description of the service

Central management (or rather the infrastructure for central management) is built on Microsoft Active Directory technologies. For computer administration it uses standard technologies such as group policies and scripts. The central domain is the UCN domain. The infrastructure servers ensuring operation of the service are placed in this domain. Under the UCN domain there are subdomains (e.g. PHIL, FSS . . . ) belonging to faculties, which allow the local administrators to take over a significant part of the administration (e.g. create their own policies, add and remove computers . . . ).

Solution for unattended installation of operating systems

Workstations integrated into central management are installed exclusively by the automated OPSI tool on the servers alia.ucn.muni.cz and tali.ics.muni.cz. A prerequisite for enabling the installation is the preparation of the workstations for integration into central management, i.e.:

• Configuration of the workstations’ BIOS according to the instructions of the central management administrators.

• After determining the MAC addresses, registering these workstations in the network as described in the chapter Configuration of client segments.

• Submitting a request to the administrators to add the workstations to the unattended OS installation system (a required part of the request are the workstation names from DHCP and their MAC addresses).

The Solution for unattended OS installation works on the basis of network boot. In the first step, the end workstation, according to its DHCP and BIOS settings, loads a Unix-based boot operating system from the preset network location. This system then locally initiates the installation of the desired operating system from the network. The whole process is finished by a series of scripts that adjust, on the workstation, the settings required in the context of the Central Management Service. After the installation of the operating system, a smooth transition to full integration of the workstation is possible. This includes the workstation’s security settings, delegation of the managed applications, and making printing and user profiles available.

Solution for software distribution

Distribution of workstation software is one of the basic functionalities of the domain. We distinguish two sets of software:

• Basic – the same in all localities, contains all commonly used software.

• Extended – typically software requested by specific localities for teaching purposes.

The basic software package means the software equipment common to all study rooms, both of faculty and of university-wide character. The basic software set is regularly updated across the board every two, or every four, weeks in the whole domain. This guarantees homogeneity of the environment thanks to the offer of the same software versions in UCN. Where it is necessary to centrally deploy software specific to a given faculty/locality, the preparation of the installation is the business of the faculty/local administrators (e.g. Total Commander instead of the centrally deployed Altap Salamander). When selected parameters are met, local software can be incorporated into central management. The extended set is updated according to an agreement between the central management administrators and the locality’s administrators. Changes in software versions can cause differences in functionality or compatibility problems, which can seriously disrupt teaching. Setting the update frequency of the extended set with respect to the needs of teaching thus helps to prevent these problems. The basic set of managed software contains:

• 7-Zip

• Adobe digital editions

• Adobe Reader

• Altap Salamander

• ArcGis

• CD Burner XP

• Mozilla Firefox

• Flash

• Gimp

• Google Chrome

• Internet Explorer

• IrfanView

• Java JRE 6

• Java JRE 7

• Matlab

• NOD 32

• Notepad ++

• Opera

• PDF 24 Creator

• PDF Creator


• PsPad

• Putty

• Statistica

• TexLive

• VLC Player

• WinSCP

Solution for user profile administration

One of the main advantages of central management is the homogeneity of the users’ environment regardless of the classroom and workstation on which they are currently working. This is guaranteed by the use of user profiles which are stored on network storage and propagated to the workstations at every login. The user thereby obtains an invariant working environment that gives them better working conditions. The following network storage locations are made available to users as standard:

• I: the TEMP directory shared from a server. This directory is fully accessible to all users. It can be used, for example, to transfer data between workstations. The directory is not intended for long-term data storage – it is not backed up and it is regularly cleared as needed.

• J: applications shared on a server. The directory is made available read-only. It contains applications that do not require installation on the client side.

• K: the user’s profile, which contains all user settings (above all the files of browsers and mail clients). To a certain extent the space can be used to store personal files – it is also accessible as the Documents folder on the desktop. The space has a limited capacity, i.e. the total size of the data in this folder (including the files of mail clients, browsers and the like) must not exceed the quota. After reaching the quota, the correct behaviour of applications and of personal settings is not guaranteed.


• The only folders on the local disk to which students have explicit write permission are:

  - C:\Users\UČO (on Windows XP C:\Documents and Settings\UČO) – a copy of the user’s roaming profile. This also includes the users’ desktop and documents.

  - C:\Temp – a local folder; its size is limited by the capacity of the local disk and it is cleared as needed.
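The K: profile described above (and in the English version of this Solution earlier in the appendix) has a quota, and the profile-repair section notes that about half of all profile problems are simply full profiles. The audit below is an added example, not the profile-repair tool the text mentions and not code from the thesis or ICS MU: it walks a profile directory, reports the total against a quota and names the sub-folders responsible, so a local administrator can answer "is this profile full?" before escalating. The quota value and the sample profile layout are constructed; the page does not state the real quota.

```python
"""Roaming-profile size audit (added example; quota and sample layout are constructed)."""
import os
import tempfile
from pathlib import Path

SAMPLE_QUOTA = 512 * 1024  # constructed: 512 KiB, deliberately small for the demo


def tree_size(path: Path) -> int:
    """Sum file sizes under path without following symlinks/junctions, so a link
    into another share cannot inflate the result or send the walk into a loop."""
    total = 0
    for root, _dirs, files in os.walk(path):
        for name in files:
            try:
                total += os.lstat(os.path.join(root, name)).st_size
            except OSError:
                pass  # file vanished or is unreadable; skip rather than abort the audit
    return total


def profile_report(profile_dir, quota_bytes=SAMPLE_QUOTA, top_n=3):
    """Size of each top-level entry of a profile, the total, and whether the quota is hit."""
    profile = Path(profile_dir)
    breakdown = {}
    for child in profile.iterdir():
        breakdown[child.name] = tree_size(child) if child.is_dir() else child.lstat().st_size
    total = sum(breakdown.values())
    largest = sorted(breakdown.items(), key=lambda kv: kv[1], reverse=True)[:top_n]
    return {
        "total_bytes": total,
        "quota_bytes": quota_bytes,
        "over_quota": total > quota_bytes,
        "usage_percent": round(100 * total / quota_bytes, 1),
        "largest": largest,
    }


def make_sample_profile() -> str:
    """Create a constructed profile tree (shaped like C:\\Users\\<UČO>) in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="profile_"))
    layout = {  # relative path -> size in bytes; mail client data dominates, as is typical
        "AppData/Roaming/Thunderbird/Mail/Inbox": 200 * 1024,
        "AppData/Roaming/Thunderbird/Mail/Sent": 200 * 1024,
        "Documents/thesis.docx": 100 * 1024,
        "Desktop/notes.txt": 50 * 1024,
    }
    for rel, size in layout.items():
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"\0" * size)
    return str(root)


if __name__ == "__main__":
    report = profile_report(make_sample_profile())
    status = "OVER QUOTA" if report["over_quota"] else "ok"
    print(f"{report['usage_percent']}% of quota ({status})")
    for name, size in report["largest"]:
        print(f"  {name:<12} {size // 1024:>6} KiB")
```

On a real workstation, point `profile_report` at the local copy of the roaming profile and at the locality's actual quota; the `largest` list tells the user which mail or browser data to move out of the profile.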

Solution for central data storage

All students and employees of Masaryk University have their own profiles at their disposal, which are made available after logging onto any workstation in central management. Individual storage spaces are also created for all university employees, which serve for storing and sharing their everyday working data. These storage capacities are available only from the MU network, or alternatively from outside the network using VPN MU. These spaces are made available in the folder \\sam.ics.muni.cz\UČO with the credentials:

• Login: UCN\UČO

• Password: secondary password

Solution for waking and shutting down machines

In localities integrated into the Central Management Service we offer the option of centrally controlled wake-up, power-on and shutdown of computers according to a pre-agreed schedule. The service is provided exclusively to localities with the Windows 7 operating system in both bit versions. A timely consultation on the possibility of deploying this solution is also necessary, usually accompanied by a technical audit of the network environment and of the hardware equipment of the end workstations. For the solution to function, the locality’s settings must be adapted to Wake on LAN (typically referred to as WOL). This must be done both in the BIOS of the end workstations and on the active elements of the locality’s network environment. The solution also depends on WOL support in the workstations’ network card itself.

To pass through the active network elements, broadcast communication of the UDP protocol must be enabled.
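The UDP broadcast that the active network elements must pass is the WOL "magic packet". As an added example (not code from the thesis or from ICS MU, and also covering the English description of this Solution earlier in the appendix), the block below builds such a packet, parses captured UDP payloads back into the target MAC, and sorts a capture into wake-ups of managed workstations versus unknown targets, which is what a locality administrator would want when reviewing WOL traffic on a segment. The MAC addresses, the broadcast address and the captured payloads are constructed sample values.

```python
"""Wake on LAN magic packets: build, parse and audit.

Added example, not code from the thesis or from ICS MU. MACs, broadcast
address and the 'captured' payloads below are constructed samples.
"""
import re
import socket

WOL_PORTS = (7, 9)  # the two UDP ports conventionally used for WOL


def parse_mac(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 and return
    the six raw bytes; anything that is not exactly 12 hex digits is rejected."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return bytes.fromhex(digits)


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_magic_packet(mac: str, password: bytes = b"") -> bytes:
    """Magic packet = 6 x 0xFF synchronisation stream + target MAC repeated 16 times,
    optionally followed by a 4- or 6-byte SecureOn password."""
    if len(password) not in (0, 4, 6):
        raise ValueError("SecureOn password must be empty, 4 or 6 bytes")
    return b"\xff" * 6 + parse_mac(mac) * 16 + password


def parse_magic_packet(payload: bytes):
    """Return the target MAC as a string if payload is a well-formed magic packet,
    otherwise None (the checks mirror what a NIC does before it powers the host on)."""
    if len(payload) - 102 not in (0, 4, 6):
        return None
    if payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return format_mac(mac)


def audit_wol_payloads(payloads, managed_macs):
    """Split captured UDP payloads into wake-ups of managed workstations and
    wake-ups aimed at unknown MACs; payloads that are not magic packets are ignored."""
    managed = {format_mac(parse_mac(m)) for m in managed_macs}
    known, unknown = [], []
    for payload in payloads:
        mac = parse_magic_packet(payload)
        if mac is None:
            continue
        (known if mac in managed else unknown).append(mac)
    return known, unknown


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Send the packet as a UDP broadcast; SO_BROADCAST is required, and the
    segment's active elements must pass UDP broadcasts as the text requires."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.sendto(packet, (broadcast, port))
    return len(packet)


if __name__ == "__main__":
    # Constructed capture: a wake-up of a managed WS, one aimed at an unknown MAC,
    # and one unrelated UDP datagram.
    managed = ["00:11:22:33:44:55", "00-11-22-33-44-56"]
    captured = [build_magic_packet("00:11:22:33:44:55"),
                build_magic_packet("de:ad:be:ef:00:01"),
                b"not a magic packet"]
    print(audit_wol_payloads(captured, managed))
```

`send_magic_packet` is the scheduler side; `audit_wol_payloads` is the review side, fed with the payloads of UDP datagrams to port 7 or 9 captured on the segment. A wake-up of a MAC that is not in the locality's reservation list is worth a look, since only reserved domain workstations should be on that segment at all.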

Solution for examination modes

Examination modes are one of the workstation modes supported within the service. Lecturers have the option of switching workstations from the normal mode to an examination mode within a few minutes. Currently two kinds of examination modes are available:

• Odpovědník mode: After the mode is set, the workstation logs in with a special account and with an answer sheet (odpovědník) from IS MU launched. In this mode this is the only possible use of the computer. Students have no access to the internet, their own data or the workstation’s applications.

• Zkouška (exam) mode: In this mode the workstations are disconnected from the network. Students likewise have no access to their own data, but they have all of the workstation’s software at their disposal.

Solution for monitoring of localities

In central management localities, for security, informational and technical reasons, solutions are deployed that gather information about users and workstations. This information includes information about computers, study rooms and entries into study rooms. It is also possible to display the occupancy of a machine by a user together with their UČO and basic details. The information is displayed in real time and a history is recorded from the data obtained.

A.3 Information poster: Computer study rooms and classrooms on MU

Computer study rooms and classrooms on MU

You are currently in one of many computer study rooms and classrooms of Masaryk University. The network of study rooms provides you with a uniform environment adjusted to your needs as a university student. For more information visit our website at the address below.

Software

All the study rooms included in the Service of Central Management are equipped with regularly updated software managed by the System Administration Department of the Institute of Computer Science.

List of installed software to date 6. 9. 2013: .NET Framework, 7-Zip, Adobe digital edit., Adobe Reader, Altap Salamander, ArcGis, Aspi, CD Burner XP, Eprezenčka, Mozilla FireFox, Flash, Gimp, Google Chrome, Internet Explorer, IrfanView, Java JRE, Matlab, MS Office, NOD 32, Notepad ++, Opera, PDF 24 Creator, PDF Creator, Powershell, PsPad, Putty, Statistica, TexLive, VLC Player, WinSCP

Reporting problems

In case of discovering any kind of problem or failure, please immediately report this state to technical support. This way, you can ensure a reliable workplace for yourself, as well as all the other students and lecturers who frequently use these study rooms during examinations. A report of the failure should contain:

• Locality (Study room XY on faculty ZW)

• A detailed description of the problem which occurred

• Time of the event (today, yesterday, last week, on Wednesday 14.2., ...)

• Location of the problem (computer number, student ID, ...)

• Possible changes made on the station that you are aware of (blackout, HW changes, newly installed software, ...)

Data store capacities

All students of the Masaryk University have at their disposal migrating profiles as part of the Service of Central Management. This ensures homogeneity of workplace independent of the study room or the work machine they are currently using. In this context, the term 'profile data' means all the data stored in C:\Users\UČO. This includes all the data from the documents folder, desktop and all internet browsers.

Printing

Printers managed by the Institute of Computer Science can be found in selected buildings across the university grounds. Printing services are available by using SUPO and university ID card ISIC or ITIC.

For more information about university study rooms please visit: http://www.ups.muni.cz

In case of any requests or questions concerning equipment of study rooms and classrooms please contact technical support: E-mail: [email protected], tel.: 549 49 7722

A.4 Information poster: Univerzitní počítačové studovny a učebny MU (University computer study rooms and classrooms of MU)

University computer study rooms and classrooms of MU

You are in one of the many university computer study rooms of Masaryk University. The network of study rooms offers you a uniform environment adapted to the needs of your studies. More information can be found on the website, see below.

Software

In all study rooms of central management, students of Masaryk University have access to a set of regularly updated software managed by the System Administration Department of the Institute of Computer Science.

List of software as of 6. 9. 2013: .NET Framework, 7-Zip, Adobe digital edit., Adobe Reader, Altap Salamander, ArcGis, Aspi, CD Burner XP, Eprezenčka, Mozilla FireFox, Flash, Gimp, Google Chrome, Internet Explorer, IrfanView, Java JRE, Matlab, MS Office, NOD 32, Notepad ++, Opera, PDF 24 Creator, PDF Creator, Powershell, PsPad, Putty, Statistica, TexLive, VLC Player, WinSCP

Reporting problems

If you discover any deficiency or problem, report this fact to technical support without delay. You can thereby help not only yourself, but also your fellow students and colleagues, who routinely use the study rooms also during examinations. A report of a deficiency should ideally contain:

• Locality (Classroom XY of faculty ZW)

• A detailed description of the problem

• Time of occurrence of the problem (i.e. today, yesterday, last week, on Wednesday 14.2., ...)

• Place of occurrence of the problem (ideally the workstation number, the UČO of the student logged in at that time, ...)

• Any changes made to the workstation that might be related to the problem (power outage, replacement of hardware, newly installed software, ...)

Students' storage spaces

All students of Masaryk University have roaming profiles set up within central management, which guarantee homogeneity of the working environment regardless of the study room and workstation on which they are currently working. Profile data are understood as the folder C:\Users\UČO, which includes, among other things, the desktop, documents and internet browser data of the individual users.

Printing

Printing devices managed by the Institute of Computer Science are located in selected buildings across the university. Printing is available using the SUPO account and the university ISIC or, alternatively, ITIC card.

More detailed information about study rooms can be found on the website: http://ups.muni.cz

In case of suggestions, questions or requests concerning the equipment of study rooms and classrooms, please contact technical support: mail: [email protected], tel.: 549 49 7722

A.5 Process of addition of a new workstation

[Flowchart: Addition of a new workstation (WS). Swimlanes: Employee, A & F Office, Department contractor, Technical Support, External. Recoverable steps: Order of new WS; Notification of the incoming new WS; New WS provision and preparation; Request of acceptance of the new WS; New WS acceptance; Report of pre-installed licenses; Request of WS registration; Registration of the WS (DKP code); WS registration confirmation; Creating DNS and reverse DNS records and adjustment of DHCP and network settings; Adding WS into OPSI server; WS installation; Moving WS into proper AD OU; WS delivery to the employee; WS acceptance notification.]

A.6 Process of workstation removal

[Flowchart: Removal of a workstation (WS). Swimlanes: Employee, A & F Office, Department contractor, Technical Support, External. Recoverable steps: Request of the WS removal; WS removal acceptance; Request of WS registration removal; Re-registration of the WS (DKP code); WS registration removal confirmation; Report of licenses released from the WS; WS data deletion; Deleting DNS and reverse DNS records and adjustment of DHCP and network settings; Removing WS from OPSI server; Removing WS from AD; WS stored in stock for further use, or WS sent to liquidation.]

A.7 Process of the OS installation via OPSI system

[Flowchart: Installation process of the OPSI Netboot product. Swimlanes: DHCP Server, Client (Workstation), OPSI Server, Web Application. Recoverable steps: Assign product to deployment; PXE Boot and DHCP request; Provision of IP address and server image; Boot from LAN; Preparation of a Netboot product; Start of the client data directory; Provision of Unix-based OS; Installation of Unix-based OS (Failure / Success); Boot from HDD; Windows PE setup.py: Execution of HW Inventory, Partition division, Drivers installation, Windows PE downloading; Request of Windows installfiles; Provision of Windows installfiles; Installation of Windows OS; Reboot; Deploy installed Windows; Reboot requested.]
