Slashdot Mirror
Best Practices in Workgroup Maintenance?
option8 asks: "As the sysadmin for a smallish workgroup (15 or so users) I'm constantly wrestling to balance a regular maintenance regime with the users' continued productivity. As it is, I strive to keep my regular maintenance to a minimum -- optimizing drives, checking for directory and file corruption, permissions repairs, clearing logs, software updates -- after hours, on weekends, or whenever someone goes on vacation. I have a lot of stuff scripted - backups and whatnot go off every night - but there's a lot that requires at least a minimum of my 'monkey clicks the Okay button now' attention. Is this the best way, or do the other BOFHs out there have a better solution to regularly scheduled maintenance for the workgroups/labs/studios they oversee?"
One whip, one master, 14 slaves. "Code, ye dogs!"
I get to take off time early sometimes because I often Remote Desktop to the windows machines (and ssh to the linux ones) to do upgrades/auditing/etc. on Sundays. I don't do that every Sunday, but at least once a month, usually twice a month. So my boss is a little flexible when it comes to coming in at 9, leaving at 5:30, etc.. But without Remote Desktop, I'd have to either a) come in the office, or b) use VNC (which sucks). I have a 12-desktop/9-server setup, so I'm around the same size site as the OP.
. Define sqrt(x) as something really evil like (x / rand()), and bury it deep. Watch your coworkers go nuts.
It seems to me that a good BOFH wouldn't worry about little things like regular maintenance. Or any maintenance. Or users, for that matter. In fact, why do you even go into work, except to delete files?
I've found that UltraVNC is the best VNC. Version 1.0.0 was released on 24 Jun 2005, but it is a quite advanced package. Be sure to install UltraVNC with the video driver, which is not included on Sourceforge.
AutoIt is by far the best open source software for automating Windows installs and other tasks in which the program pretends to be a user. There's an IDE with an Intellisense-like interface and a compiler.
I've heard that OpenVPN is the best software-based VPN, but I have not used it. There are hardware firewalls with VPNs; I suggest you stay away from Netgear's, which I have found to be quirky.
--
Bush lied, 100,000 died. J.C. said not to return violence with more violence.
Use Windows for Workgroups 3.11. It is very easy to maintain. Just format C:, install Dos, install Windows, done.
check out cfengine
Why are people obsessed with "The Best" software package for everything? Everytime I browse through forums and newsgroups, there'd be people asking for "the best" software package for this, and that.
"The Best" is what you decide on after evaluating all reasonable choices. The question is not what "the best" is, but what "the recommended" are.
I hate "the best".
If you're maintaining Windows-computers, I can highly recommend AutoIt.
:-)
It is the perfect tool/language for automating away tedious tasks. You can even make executables with it.
AutoIt is script based, so it might take a few minutes to write what you want, but in my experience it's worth it. The language is very simplistic and reminds a bit of batch-files in DOS. But, using the utilities that comes with it, automating a task is a relatively quick undertaking.
It has saved me a lot of time and hassle in the past, and has always been stable and dependable.
Most of my efforts are preventative, putting a lot of thought and fine-tuning into the base software images, to harden them against user abuse and malware, and to automate security patches and definition updates as much as possible. For the Windows machines that's Symantec Anti-Virus with daily updates, Spybot S&D with full Immunization, and MS's auto-critical-updates.
I've found Apple Remote Desktop to be very handy for occasional maintenance on the Macs, such as OS updates and security patches.
For the Windows machines, I usually wait for users to complain about spyware before I wipe them and reload a clean image, rather than doing it on a regular basis during the semester. Mostly that's because the profs don't teach their students good backup habits, and I'm not BOFH enough to go around teaching them painful lessons about not keeping the only copies of their work on the hard drive. Yet. I'm still new on staff, so I'm building up my goodwill reserve before I start doing that.
http://alternatives.rzero.com/
Seriously, you can do everything you've hinted to with VBScript.
I recommend:
The Microsoft ScriptCenter has just launched a new monthly column regarding beginning scripting in Windows; it's called Sesame Script. (The scripting guys are a little geeky.)
Also, point your favorite nntp client at msnews.microsoft.com and do a search for wsh, script, etc, and subscribe and ask! The newsgroups are full of helpful folks!
Remember the motto: If it has to be done more than once, script it!
PS, to get a script to emulate a monkey pressing ok, have it loop, watching for a dialog box of whatever name it will be, then activate that dialog (WScript.AppActivate) and then send an "Enter" keystroke (WScript.SendKeys). Good example is here:
...only, remember:
Use this advice to save yourself time, but don't tell your boss about it. Keep him thinking that you do it all on Sundays, and continue to take the extra time off.
Since you seem to actually care about Things Being Done Properly, you deserve it
Seriously. You are the sysadmin, not a digital janitor. OK, so even if you can do all of this maintenance work from home via Remote Desktop on a Sunday afternoon -- do you really want to? Is this in your job description? As you pointed out, you still have do do the monkey clicks. Even if you script everything, you'll still need to do basic functional tests after the smoke has cleared.
I know of at least one shop in town that has hired weekend help (usually honest and lonely college students) to maintain their end-user Windows PCs. At the end of the year the monkey salary still adds up so little that it's still cheaper than moving to a new platform (Linux, Mac OS X).
I don't know if this suggestion helps at all, but I'd recommend setting up weekly CRON scripts if your servers are *NIX-ish at all. I don't know what your maintenance routine consists of, so I don't know if this is even applicable.
Aside from that...
In my line of work (web application development), I write scripts to do database integrity checks on my clients' systems, filesystem monitoring (for checking file sizes and permissions), and data transfer monitoring. Scripting all of these things together, and having automatic reports sent to me via email, is the way that I do it.
Cheers!
"It was hell!" recalls former child.
That might cut down on the mindless button clicks.
At my work we have about 25 desktops. Because our company is small, one of my side responsibilities is sysadmin stuff. The maintainance part is really small. If you leave a system with auto-updates and an under-targetted browser and email program, it almost maintains itself.
Most of our systems run XP Home with an extra script to properly mount everything on bootup. I have another script for easy installion of that script. We enable auto-update. It hasn't caused any problems and the extra bandwidth usage is too small to worry about. Users are admins of their own systems, but that hasn't caused many problems either. We haven't seen a virus in over a year, and spyware is rare. A new system with monitor, mouse, and keyboard costs about $400-$500, and takes about 2 hours of setup effort. We install OpenOffice on each machine, but those who need MS Office can get it. We'd spend $100k if we found an ERP we liked but we won't just spend needlessly.
Most of our file servers run Linux. They never give us trouble, except one time when two hard disks failed the same week. After that incident (luckily it was a backup server), I wrote a script that combines all our Linux server logs into one giant, but properly sorted log which I glance over each morning for signs of hardware failure. We have one Windows server for running Windows-only server software. We don't use Active Directory, but that hasn't been a problem. We use webmin to easily manage users and groups across multiple servers at once. All our file servers are grouped together onto one network drive using DFS, and each folder is restricted to only those who need access to it.
It seems that in some companies this sort of job involves as much or as little work as one is willing to commit to it. Admins can easily find ways to keep themselves busy, sometimes at the company's expense. There's always something more you can do, but you can often get away with very little. Just do what needs to be done.
I'm not sure which monkey clicks your talking about, but I know for windows patches, if you run them from command line you can put in flags. `KB###### /?` should give you the available options. What we've done at my work on certain occasions is to create a batch file that runs each of the patches, followed by a program that runs at the end to give priority to the proper patches (afraid I can't remember the program, but a google search should reveal). The "At" command also helps with scheduling that batch script. Another option we've explored heavily is PERL scripts.
One thing that is suppose to work well, though we can't use it at my site, is a SUS server. This is suppose to be a middle man for windows update. Allows you to approve patches before installing, and then you point all your windows boxes to the SUS for updates.
I knew a sys admin who could automate just about anything, and was lazy, so if he had to click, it wasn't good enough for him. There are a ton of tools in the windows 2k/2k3 resource toolkits. Hope this helps some.
"And The Geek Shall Inherit The Earth" --Jeff Darlington
If you're talking about Windows PCs, nothing beats Deep Freeze from Faronics.
Get your PCs set up the way you want them, "freeze" them, and that's IT. All changes to the file system are cached. The upshot is that anything the user does the user is allowed to do "normally," but any changes evaporate as the aforementioned cache is deleted on reboot. As long as users have a networked Home Directory you're all set. If you have a SUS/WUS server, the PCs can be set to "thaw" in the middle of the night and apply WindowsUpdates.
And Faronics (the company) is a JOY to work with!!!
signat-url: http://www2.potsdam.edu/dctm/prescor/signat-url.h
I wanted to reiterate how important scripting is for your sanity. Be sure to check out the resource kits that come with each OS & IIS. These have lots of command-line scripts that lend themselves to some time-saving admin scripting fun.
Technology Consulting & Free Downloads
Presumably your computer stuff is important enough that if you totally lost it, you would be out of business.
One of our local ISPs runs a 'data fortress' where people keep off-site backups. It's a really good idea. Depending on how prone your area is to natural disasters, you might want your backup a long way from where you are.
People are also starting to run virtual machines for their servers. I haven't done it myself but I'm told that you can get back online really fast even if the original server is totally trashed.
Otherwise, you seem to be doing everything right. Being proactive, as you are, saves you a lot of work. The trouble is that if you do your job well enough, the boss will take you for granted because your system never causes any problems. Make sure the boss stays a little paranoid by telling horror stories about what's happening at other companies that don't have someone as good as you! If the economy takes a turn for the worse or you get a new boss, your main problem may not be technical. Never underestimate the importance of good PR otherwise you may find yourself losing resources until you can't do your job any more. We had the case where I work where they cut the safety officer's resources back until she quit. They then had to replace her with two bodies. She was working like a hero and management just didn't get it. Her replacement was much better at PR and convinced management of what the woman who quit had been trying to tell them all along.
...then 10 systems is about the max for workgroups.
If you plan to grow any larger I'd recommend moving to a Domain instead of a Workgroup. This would give you centralized administration, give you the ability to remotely publish software updates to you systems and the ability to control all your systems via Group Policies.
This will be a hard sell to you boss but, try to provide a detailed cost/benifit analyse looking at the manpower that currently is wasted by having maintain each system seperately and scaleability issues.
If that doesn't work you can still create local policies on each computer to prevent problems.
Good Luck
I think I think, therefore I think I am.
It is being developed to help reduce and organize administrative tasks. It allows you to manage the computers connected to your network using a Jabber Client as your admin interface. It works like this:
1) Create scripts that determine which computers have a problem.
2) Send scripts to the MATTER clients in your Global Buddy List.
3) MATTER executes those scripts which reports the result back though the MATTER client by assigning a new buddy to their roster. ie. Matter.AddBuddy("No_XPSP2")
4) Login to your Jabber Client as No_XPSP2 and immediately see who has the problem.
5) Fix though the same interface once you have one.
Check the MATTER project out often - we are concentrating on MS OS's in the beta stage and we are looking for a little technical know-how to get it working on Linux next.