Copyright © 2008, New Age International (P) Ltd., Publishers
Published by New Age International (P) Ltd., Publishers

All rights reserved. No part of this ebook may be reproduced in any form, by photostat, microfilm, xerography, or any other means, or incorporated into any information retrieval system, electronic or mechanical, without the written permission of the publisher. All inquiries should be emailed to [email protected]

ISBN (10): 81-224-2314-0
ISBN (13): 978-81-224-2314-3
Price: £ 9.99

PUBLISHING FOR ONE WORLD
NEW AGE INTERNATIONAL (P) LIMITED, PUBLISHERS
4835/24, Ansari Road, Daryaganj, New Delhi - 110002
Visit us at www.newagepublishers.com
DEDICATION to all the technocrats who are putting their sincere efforts to make this world a better place.
Preface

Thin-Client/Server computing is probably the most under-rated technology of this era. Until we got involved in implementing the Thin-Client/Server model ourselves, we had not really understood the advantages of it. We also found that there are not many books on the market that help professionals acquire the know-how quickly. When the idea of this book was conceived, therefore, we decided to produce a book that deals with the practical aspects of the technology alongside the basic concepts. We finally settled on writing a handbook rather than a textbook, with step-by-step guidance and pictorial representation. We have tried to use a simple and lucid style for easier comprehension, and screenshots and pictures are used to clarify the concepts. As it is a handbook aimed at a large audience rather than a textbook, we have avoided lengthy theoretical explanation.

Every IT support person knows how difficult it is to support an enterprise network with a large number of hardware and software components: it demands frequent human intervention for problem solving and maintenance. This book is an effort to make the IT industry aware of this technology and of its enormous potential for reducing that maintenance. It is our belief that the Thin-Client/Server model will very soon play a crucial role in the information infrastructure of almost every enterprise, be it a government organization, the health sector, an educational institution or even a small business.

The Thin-Client/Server computing model removes most of the exposure to hardware failure, OS crashes and data loss at the client system. It is a multi-user, server-based model in which almost all applications run on the server, which allows users, resources and even data to be managed centrally. It also requires little network bandwidth for users to work on the server.

We have tried to give step-by-step details of every process involved in implementing this model. Both Microsoft and Open Source operating systems support it. We discuss the pros and cons of implementation mostly around the Microsoft platform and present a glimpse of the Open Source alternative to help you decide. We wrote the book around the Windows 2000 Server operating system because, four years after its release, it can be considered stable compared with Microsoft's latest releases. Microsoft releases Service Packs, patches and HotFixes for its products over an extended period, and sometimes it takes a long time for such problems to be found and fixed; some HotFixes for the Terminal Services of Windows 2000 were released only at the end of last year. Another consideration is that with the newer Microsoft OS releases the Citrix MetaFrame series of products must be purchased to use the ICA protocol, while using the RDP protocol (to get the advanced features of those operating systems) requires upgrading the RDP client on the Thin-Clients to the latest version, which again adds cost because no manufacturer upgrades it for free.
We hope this book will answer the queries that arise around this upcoming technology, and that it will help a little in the emergence of the technology across the vast horizon of network computing.

We have divided the handbook into ten chapters:

CHAPTER ONE: "Introducing Thin-Clients" discusses the concept, architecture and benefits of, and the need for, a Thin-Client based implementation.
CHAPTER TWO: "Windows 2000 Server Installation" deals with the installation and configuration details of Windows 2000 Server.
CHAPTER THREE: "Licensing Policies of Windows" explores the types of licence proposed by Microsoft, their function and their activation.
CHAPTER FOUR: "Communication Protocols" discusses the communication protocols used by Thin-Clients to talk to the server, describes how to configure them and presents a brief comparison.
CHAPTER FIVE: "Managing Users & System Resources" covers authenticating users and granting them access rights to resources.
CHAPTER SIX: "Understanding Windows 2000 Print Services" explains configuring and installing printers connected locally or remotely to a Thin-Client, and discusses common problems administrators face in controlling printers and the print service.
CHAPTER SEVEN: "Performance & Tuning" establishes the appropriate way to monitor the various parameters of a Windows server and to tune them where required.
CHAPTER EIGHT: "Integration of Thin-Clients With Linux Server" introduces the philosophy of Open Source and the licence-related jargon, narrates the advantages and drawbacks, and gives a brief idea of using Linux for Thin-Clients or diskless clients.
CHAPTER NINE: "Bridging Windows & Linux Operating Systems" suggests methods of accessing the two entirely different platforms for interoperability and presents a comparative study of Windows and Linux.
CHAPTER TEN: "Problem Solving & Frequently Asked Questions" throws light on common issues faced during operation and how to overcome them.

Nasimuddin Ansari
Shekhar Tiwari
Neeraj Agrawal
Acknowledgements

This is our first endeavour in authoring a book, which would not have been possible had Sri. Saumya Gupta of New Age International (P) Ltd not offered us this wonderful opportunity. It has been our privilege and pleasure to work with this esteemed publishing house. We owe a great deal to the production crew at New Age International (P) Ltd for making the book possible and bringing it all together, and we are extremely thankful to them for the trust they showed in us during the course of this project.

We are deeply indebted to Sri. Vishwaroop, GM (NTPC Ltd), Sri. R.L. Deohans, AGM-IT (NTPC Ltd), Sri. Sujoy Dasverma, DGM-IT (NTPC Ltd) and Mr. Sourajit Ghosh, Sr. Manager-IT (NTPC Ltd) for providing the infrastructure needed for research and testing on this emerging technology. They also guided us on various fronts and gave us moral support throughout the project. We also extend our thanks to Sri. M.S. Raizada, Sri. Indrajit Khandai and Sri. Zafar Aslam of CMC Limited, who motivated us and provided opportunities to enhance our technical skills.

We are extremely humbled and grateful to our friend R. Vaidyanathan for reviewing the manuscript and suggesting ways to make the book better and more user friendly; his past experience with Indian Express benefited us enormously. A warm "Thank You" goes to all the friends and folks who continuously encouraged and supported us, particularly Kamlesh Kukrety and Saurabh Agrawal.

Last, but not least, we are most appreciative of the blessings and support of our families. It was their faith and trust that allowed us to complete this book.

We hope that the book will reach a wide readership and appeal to the minds of IT aspirants to deploy the proposed architecture, and we assure our readers of more informative books on newer technologies in the future.
Nasimuddin Ansari Shekhar Tiwari Neeraj Agrawal
Contents

1 INTRODUCTION TO THIN-CLIENTS (pp. 1-14)
• What is Thin-Client?
• How does Thin-Client Work?
• Terminal Services
• Thin-Client Middleware
• Thin-Client Architecture
• Benefit of Thin-Client Implementation
  - Total Cost of Ownership (TCO)
  - System Security
  - Centralized Administration
  - Software Upgradation
  - Remote Control of Users Desktop
  - Data Security
  - Maintainability
  - Scalability
  - Availability
  - Virus Protection
  - Training
• Schema of a Sample Network
• Basic Requirements of Thin-Client Implementation
  - Server
  - Operating System
  - Licenses
  - Thin-Client
  - Communication Protocol
• Who Needs Thin-Clients?
  - Thin-Clients are for
  - Thin-Clients are not for

2 WINDOWS 2000 SERVER INSTALLATION (pp. 15-34)
• Hardware Requirement for Windows 2000 Server
• Checklist for Installation of Windows 2000 Server
• Windows 2000 Installation Process
• Initiating Installation from Setup Boot Disks
  - Start Setup from the Boot Disks
• Initiating Installation from a Bootable CD-ROM
  - Text Mode Installation Phase
  - GUI Mode Installation Phase
    - Selecting Licensing Mode for Windows 2000 Server
    - Note about Computer Name and Administrator Password
    - Choose Service Component for Windows 2000 Server
    - Configuring Network Settings
    - Join a Domain or Workgroup
    - Windows 2000 Server and Advanced Server Configuration Options

3 LICENSING POLICY OF WINDOWS (pp. 35-55)
• Terminal Server Licenses
  - Windows 2000 Server License
  - Windows 2000 Client Access License (CAL)
    - Per Seat License
    - Per Server License
    - Cost Effectiveness
  - Windows 2000 Terminal Services CAL (TSCAL)
    - Standard TSCAL
    - Internet Connector License
    - Built-in Licenses
    - Temporary Licenses
  - Application License
• Terminal Services Licensing Model
• Components of TSL Model
  - TSCAL Token
  - Terminal Server
  - License Server
  - Microsoft Clearinghouse
• Steps to Setup a TSL Model
  - License Purchase
  - License Server Setup
  - License Server Activation
  - License Token Installation
  - License Distribution
• Mode of Licensing for CAL Licenses
  - Per Server
  - Per Seat
• Installation of Terminal Services
  - Remote Administration Mode
  - Application Server Mode
• Points to Ponder before Identifying Location for Licensing Database
• TSCAL Activation
  - Terminal Services Licensing Wizard
• Backing Up a Terminal Server License Server
• Restoration of TSL Server
• How to Reactivate TSCAL Licenses without Having Backup?

4 COMMUNICATION PROTOCOLS (pp. 57-77)
• Independent Computing Architecture (ICA)
• ICA Clients
• Installation of Citrix Device Services (ICA Server Services)
  - Citrix Device Services Installation
  - Activating a Citrix Device License
• Remote Desktop Protocol (RDP)
• RDP Clients
• Creating RDP Clients
• Connecting to Terminal Server Thru RDP Client
• ICA and RDP Client on Linux Operating System
  - ICA Client for Linux Operating System
  - RDP Client for Linux Operating System
• ICA/RDP Server Configurations
  - Server Settings Folder
  - Connections Folder
• Comparative Study of ICA & RDP

5 MANAGING USERS & SYSTEM RESOURCES (pp. 79-118)
• Local Users and Groups Overview
  - Default Local User Accounts
  - Default Local Groups
• Local User Administration
  - Environment
  - Sessions
  - Remote Control
  - Terminal Service Profile
  - Dial-in
• Detailed View of User Profiles
  - Types of User Profiles
  - Contents of a User Profile
  - Creation of Customized Default User Profile Using Registry Editor
• Let's Learn to Manage Users Default Desktop
• Points to Ponder Before Creating Profile
• Disk Quota
  - Enabling Disk Quota
  - Deleting Disk Quota Entries
• Points to Ponder in Setting Up Quota
• Access Control
  - Permissions
    - Permissions and Security Descriptors
    - How does Inheritance Work?
    - Permissions for Files and Folders
    - Ownership of Objects
  - Sharing
    - Methods of Accessing Shared Resources
    - Case Study
    - Special Shared Resources
    - Some of the Special Shared Resources
    - Managing Shared Folders from the Command Line
    - Points to Ponder Before Enabling Sharing
  - User Rights
    - Privileges
    - Logon Rights
  - Object Auditing

6 UNDERSTANDING WINDOWS 2000 PRINT SERVICES (pp. 119-139)
• Printing Concepts
• Printing Process
• Configuring Client Printer on Windows 2000 Server
• Configuring Print Server
• Printer Settings Configuration
  - Printing Permissions Assigned to Groups
• General Printing Problems

7 PERFORMANCE MONITORING & SYSTEM TUNING (pp. 141-154)
• Performance Console Vs. Task Manager
• Performance Console
  - Performance Log and Alert
    - Counter Logs
    - Trace Logs
    - Alert Logs
  - System Monitor
    - Features of System Monitor
    - Configuration of System Monitor Using the Shortcut Menu
    - How to Operate System Monitor
  - Points to Ponder
• Understanding Your Server's Behavior
  - Counters to Monitor Memory
  - Counters to Monitor Processor
  - Counters to Monitor Hard Disk
  - Counters to Monitor Terminal Services
  - Counters to Monitor Terminal Services Session
• Task Manager
  - Accessing Task Manager
  - Operating Task Manager
  - Monitoring Applications
  - Monitoring Processes
  - Monitoring the System
• Event Viewer
  - Application Log
  - Security Log
  - System Log
• System Tuning
  - Memory Tuning
    - Adjusting Paging File Size
    - Points to Ponder While Deciding Paging File Size
  - Server Performance Tuning
  - Optimizing Services
  - Tuning Disks

8 INTEGRATING OF THIN-CLIENTS WITH LINUX SERVER (pp. 155-184)
• What is Linux?
• History of Linux
• It's a Heterogeneous World and Management is Critical
• Understanding Jargons: FSF, GNU, GPL, LGPL, Copyleft?
• LINUX or GNU/LINUX?
• Cost of Linux Operating System
• What is a Linux Distribution?
• Benefits of Using Linux with Thin-Client
  - Cost Saving
  - Security
  - Reliable and Affordable
• Drawbacks of Using Linux?
• Basic Requirements of Thin-Client Implementation
  - Network Bandwidth Requirement for Each Thin Client
  - Choosing Linux Distribution
• Installing Linux Distribution on Your Server
• Configuring Thin-Clients to Work with Linux
  - Bare Minimum Configuration
  - Changing the Default Display Manager
  - How to Start Some Application During Display Manager Startup
• For Full Featured Thin-Client Configuration
  - What is LTSP?
  - How to Install LTSP on the Server?
    - Installing the LTSP Utilities
    - Installing the RPM Package
    - Installing the Tarball (Tar.Gz or Tgz) Packages
    - Installing the LTSP Client Packages
• Configuring DHCP, TFTP, NFS, XDMCP Needed by LTSP
• How to Force Client to Boot Linux Image from Remote Server?
  - Using Boot ROM on Network Cards
    - Etherboot
    - PXE
    - Netboot
  - Using Local Storage Media
    - Floppy Disk
    - Hard Disk
    - CD-ROM
    - USB Memory Device
• What Happens when Kernel Image Executing on Your PC?
• First Hand Test with pxes ISO Image

9 BRIDGING WINDOWS & LINUX OPERATING SYSTEMS (pp. 185-198)
• Accessing Windows 2000 Server from Thin Client Connected to Linux Server
• Accessing Linux Server from Thin Client Connected to Windows 2000 Server
  - Command Line Connection
  - X-Environment Connection
    - XwinLogOn Windows X-Server
    - X-Deep/32 - PC X-Server
    - Cygwin X-Server
    - Virtual Network Computing Projects
• Comparative Study of Windows & Linux
  - Case Study
  - Conclusion

10 PROBLEM SOLVING & FREQUENTLY ASKED QUESTIONS (pp. 199-208)

INDEX (pp. 209-214)
1
Introduction to Thin-Clients
The latest trend in computing is towards centralized management of applications and resources. It resembles the older installations built around a large mainframe running a Unix-like multi-user operating system. A mainframe had enough memory, storage and processing power for many users; all the applications, and all the data the users generated, stayed on the server, and users issued commands from character-based terminals with little processing power of their own, over slow media such as telephone lines carrying the RS-232C serial protocol. In a Thin-Client based installation, too, applications and data are stored on the server rather than on the individual machines. Each Thin-Client consumes its own slice of the memory and processing power of the server it is connected to while presenting services to its user. In contrast to the older technology, it offers a colourful graphical interface operated with keyboard and mouse, and reaches the server over Fast Ethernet on 100 Mbps network media. When a user logs on to the server from any Thin-Client, the server provides him or her with a desktop environment. Access to applications can be restricted: the user sees only the applications the administrator has authorized, and both application access and the desktop environment can be tightly monitored and configured by the system administrator. The age-old adage that history has a strange habit of repeating itself seems to hold true in computer technology as well, though in a slightly different form.
WHAT IS THIN-CLIENT?

For a novice, a Thin-Client is nothing but a slimmed-down PC without CD-ROM drive, floppy drive, add-on cards or hard disk. These devices can be managed centrally. Since all the applications run on the central server and not on the Thin-Client, the device itself needs few resources, and a Thin-Client is many times cheaper than a PC. Now let us discuss why Thin-Clients are called "Thin-Clients":

• The name seems to derive from the fact that the device's basic operating system or kernel (which accesses the I/O devices, manages memory and handles all the processes) is embedded in no more than 32 MB, which is really thin.
• Another reason may be that it is really sleek in appearance: almost all the electronics sit on a single small motherboard packed into a book-sized plastic or metal case. Compared with a PC, which is also known as a Fat-Client, it is small because so many accessories are absent.
• A third view is that any device that uses little bandwidth over the communication medium (LAN, wireless network and so on) is a Thin-Client, because it takes little bandwidth to transfer its information.
Considering physical shape and size, Thin-Clients are mainly of two types, namely Desktop Thin-Clients and Tower Thin-Clients (Fig. 1.1).

Fig. 1.1: Front and back views of a Desktop Thin-Client and of a Tower type Thin-Client.
However, many types of peripheral can be plugged into these Thin-Clients. At airport kiosks, for example, magnetic stripe readers, fingerprint readers and printers may be attached; building in such functionality has made Thin-Clients a relevant solution for such places. In some technical literature the term "Thin-Client" is also used as a synonym for both the NetPC and the Network Computer (NC), which are somewhat different concepts. Thin-Clients are generally based on Cyrix processors. The NetPC is based on Intel microprocessors and can be further classified into two groups: the WBT (Windows Based Terminal), which uses the Windows CE kernel and software, and the LBT (Linux Based Terminal), which uses embedded Linux as its kernel. The Network Computer (NC) is a concept backed by Oracle and Sun Microsystems; it may or may not use Intel microprocessors and runs a Java-based operating system.
HOW DOES THIN-CLIENT WORK?

Now let us discuss the basic question of how Thin-Clients work like PCs when they do not even have much memory or a hard disk. The answer lies in a standard feature of server operating systems called Terminal Services. Using these services and standardized display protocols, Thin-Clients communicate with the server and run desktop applications without having much hardware of their own. Before discussing Terminal Services, let us look briefly at its history, which gave way to a low-cost, secure network administered from a single point.
TERMINAL SERVICES

It was Citrix Systems that proposed the idea of a multi-user version of Windows to Microsoft, and Microsoft agreed to license them the Windows NT 3.51 source code. Citrix turned this into Citrix WinFrame, a version of NT 3.51 that allowed multiple users to run sessions on the same server. Later Microsoft incorporated the technology into a special version of its own, known as NT 4.0 TSE (Terminal Server Edition), and Terminal Services is now included in all versions of the Windows Server operating system. The Terminal Server version makes all "Windows" software accessible under the client/server model: users log on to the server from Thin-Clients, the server creates a session in its memory dedicated to each user, and the server (instead of the client) processes all the requests the user makes.
THIN-CLIENT MIDDLEWARE

Thin-Client middleware is a software layer that sits between the application running on the server and the screen of the client device. This layer transforms the output on the server into a proprietary protocol; the information then passes through proprietary compression and encryption algorithms and is sent to the client device, where it is decrypted, decompressed and drawn on the screen. Input travels the other way, from the client's keyboard and mouse back to the server.
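To make the compress, encrypt, transmit, decrypt, decompress pipeline concrete, here is an added example in Python; it is not code from this handbook and not the actual ICA or RDP wire format or ciphers. The stream cipher (HMAC-SHA256 in counter mode), the keys and the sample screen update are all constructed for the demonstration. The receiving side does the checks a practitioner would want from middleware running on a device with very little memory: it verifies the MAC before doing anything else with the frame, and it caps the inflated size so that a hostile frame cannot exhaust the client.

```python
"""Toy model of a thin-client middleware channel.

Server side: compress the screen update, encrypt it, append a MAC.
Client side: verify the MAC, decrypt, and only then decompress, with a cap
on the inflated size. Added illustration for this handbook; not the ICA or
RDP wire format, and the cipher is a demonstration stand-in, not a product
algorithm.
"""
import hashlib
import hmac
import os
import struct
import zlib

# Constructed demo keys; a real session derives fresh keys per connection.
ENC_KEY = b"demo-encryption-key-not-secret"
MAC_KEY = b"demo-mac-key-not-secret"
NONCE_LEN = 16
TAG_LEN = 32
MAX_PLAINTEXT = 1 << 20  # refuse to inflate more than 1 MiB for one frame


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode (demo only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def seal_frame(payload: bytes, nonce: bytes = b"") -> bytes:
    """Server side: compress -> encrypt -> MAC (encrypt-then-MAC).

    Wire layout: nonce || ciphertext || HMAC-SHA256(MAC_KEY, nonce || ciphertext)
    """
    nonce = nonce or os.urandom(NONCE_LEN)
    if len(nonce) != NONCE_LEN:
        raise ValueError("bad nonce length")
    compressed = zlib.compress(payload)
    ciphertext = _xor(compressed, _keystream(ENC_KEY, nonce, len(compressed)))
    body = nonce + ciphertext
    return body + hmac.new(MAC_KEY, body, hashlib.sha256).digest()


def open_frame(frame: bytes) -> bytes:
    """Client side: MAC check first, then decrypt, then bounded decompress.

    Raises ValueError for a tampered, truncated or over-inflating frame.
    """
    if len(frame) < NONCE_LEN + TAG_LEN:
        raise ValueError("frame too short")
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC check failed")  # tampered, truncated or wrong key
    nonce, ciphertext = body[:NONCE_LEN], body[NONCE_LEN:]
    compressed = _xor(ciphertext, _keystream(ENC_KEY, nonce, len(ciphertext)))
    d = zlib.decompressobj()
    plaintext = d.decompress(compressed, MAX_PLAINTEXT)
    if d.unconsumed_tail or not d.eof:
        raise ValueError("frame would inflate past MAX_PLAINTEXT")
    return plaintext


def tamper(frame: bytes, index: int) -> bytes:
    """Flip one bit of a frame, to show that the receiver rejects it."""
    b = bytearray(frame)
    b[index] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    # Constructed sample: a very repetitive 640x480 update compresses well.
    screen = b"<row of 640 identical pixels>" * 480
    frame = seal_frame(screen)
    print(len(screen), "bytes of screen data ->", len(frame), "bytes on the wire")
    assert open_frame(frame) == screen
    for bad in (tamper(frame, NONCE_LEN + 3), frame[:-1]):
        try:
            open_frame(bad)
        except ValueError as err:
            print("rejected:", err)
```

Because compression happens before encryption, the ciphertext length still tracks how compressible the screen content is; the encryption hides the content, not its size. That is a general property of any compress-then-encrypt channel, and it is why the receiving side must bound decompression rather than trust the sender's framing.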
THIN-CLIENT ARCHITECTURE

A Thin-Client implementation has a 3-tier architecture (Fig. 1.2) in which
• the Thin-Client hardware is the 1st tier,
• the server is the 3rd tier, and
• Terminal Services is the 2nd tier, acting as the binding layer.

The implementation follows the client/server model.
• Thin-Clients may be physically connected to the server over UTP cable or over the PSTN (through a modem), but the logical connection between Thin-Client and server is made with the TCP/IP protocol suite: TCP provides an end-to-end connection between the two hosts. Both the Thin-Client and the server are assigned unique IP addresses, and the flow of packets between the two uses these IP addresses, with the MAC addresses of the interfaces used for delivery on the local network segment.
The MAC (Media Access Control) address is a 48-bit identifier, usually written as 12 hexadecimal digits, burned into the NIC (Network Interface Card) of the device.
Fig. 1.2: Thin-Client Topology.
• Communication between the Thin-Client and the server takes place through the Terminal Services running on the server, with the help of a display protocol such as RDP (Remote Desktop Protocol) or ICA (Independent Computing Architecture). RDP and ICA are display protocols that run over TCP/IP. Each has a client portion and a server portion, running on the client and server machines respectively; in the case of ICA the server portion is called CDS (Citrix Device Services). All keyboard and mouse input is captured by the client portion and transmitted to its counterpart on the server. The server portion hands the input to Terminal Services for processing, and the output of the processed request is sent back to the client portion running on the client machine.
• Terminal Services responds to the connection request that the client portion sends and the server portion relays by opening an independent session. Keystrokes and mouse movements from the client travel over that session's virtual channel to the server. Each session is allocated its own memory space and CPU cycles, independent and discrete from those of the other sessions running simultaneously on the server; how much is allocated depends on the kind of applications the client uses, as shown in Fig. 1.3. This sliced yet independent allocation of the resource pool keeps a logged-in user unaffected even if a process has crashed in the session opened for some other user.
Fig. 1.3: Resource allocation for independent sessions (1st user, 2nd user, 3rd user, ... nth user).
• When the user logs on, the server checks the user's validity against its security database. On Windows 2000 Server running as a domain controller (that is, using Active Directory) the accounts are held in the Active Directory database file ntds.dit; on a stand-alone or member server they are held in the local SAM (Security Accounts Manager) database. Once the user has been authenticated, the user's profile and the location of the home directory are loaded and passed to Terminal Services, which delivers the resulting desktop to the Thin-Client over the display protocol. Any policy of permissions or restrictions configured for that user is enforced on the session. The server also allocates, and helps the user reach, other resources across the network such as printers and scanners.
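The logon path just described, together with the rule stated under System Security below that a user starts with the most restrictive permissions and gains rights only when granted, can be sketched in code. The following Python model is an added example for this handbook, not the book's own material; the account store, the password hashing (PBKDF2 standing in for the Windows password hash), the group names, home paths and the policy table are all constructed for illustration and are not the SAM or ntds.dit layout nor Windows' own policy semantics. The point it shows is default deny: the session's application list is empty until a policy row allows something, and one explicit deny for any of the user's groups overrides any number of allows.

```python
"""Toy model of the Terminal Services logon path described above.

1. Look the user up in the account database and verify the password.
2. On success, build the session: home directory plus the set of applications
   the user may launch, computed default-deny from group policy, with an
   explicit deny for any of the user's groups overriding every allow.

Added example for this handbook. The account store, hashing scheme and policy
table are constructed for illustration; they are not the SAM or ntds.dit
layout and not Windows' own policy semantics.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import FrozenSet, Optional

PBKDF2_ROUNDS = 50_000  # stand-in for the Windows password hash


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass(frozen=True)
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    groups: FrozenSet[str]
    home: str
    disabled: bool = False


@dataclass(frozen=True)
class Session:
    user: str
    home: str
    allowed_apps: FrozenSet[str]


def make_account(name: str, password: str, groups, home: str, disabled: bool = False) -> Account:
    salt = os.urandom(16)
    return Account(name, salt, _hash_password(password, salt), frozenset(groups), home, disabled)


# Constructed account database (stand-in for the SAM / ntds.dit lookup).
ACCOUNTS = {
    acct.name: acct
    for acct in (
        make_account("asha", "correct horse", {"Users", "Finance"}, r"\\srv\home\asha"),
        make_account("kiosk", "walkup", {"Users", "Kiosk"}, r"\\srv\home\kiosk"),
        make_account("old", "gone", {"Users"}, r"\\srv\home\old", disabled=True),
    )
}

# Policy rows: (principal group, application, effect). Nothing is reachable
# unless some row allows it, and one deny for any of the user's groups wins.
POLICY = [
    ("Users", "notepad", "allow"),
    ("Users", "mail", "allow"),
    ("Finance", "ledger", "allow"),
    ("Kiosk", "mail", "deny"),
    ("Kiosk", "browser", "allow"),
]


def allowed_apps(groups) -> FrozenSet[str]:
    """Default deny: start from nothing, add the allows, then strip the denies."""
    groups = set(groups)
    denied = {app for grp, app, eff in POLICY if eff == "deny" and grp in groups}
    allowed = {app for grp, app, eff in POLICY if eff == "allow" and grp in groups}
    return frozenset(allowed - denied)


def logon(username: str, password: str) -> Optional[Session]:
    """Return a Session on success, None otherwise.

    Unknown, disabled and wrong-password cases all return the same None and
    all pay for one hash, so the caller cannot tell which one occurred.
    """
    acct = ACCOUNTS.get(username)
    if acct is None or acct.disabled:
        _hash_password(password, b"\x00" * 16)  # keep timing uniform
        return None
    if not hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
        return None
    return Session(acct.name, acct.home, allowed_apps(acct.groups))


def can_launch(session: Session, app: str) -> bool:
    return app in session.allowed_apps


if __name__ == "__main__":
    for user, pw in (("asha", "correct horse"), ("kiosk", "walkup"), ("kiosk", "guess"), ("old", "gone")):
        s = logon(user, pw)
        print(user, "->", "denied" if s is None else sorted(s.allowed_apps))
```

The kiosk account ends up with notepad and browser only: the Users group allows mail, but the single Kiosk deny removes it, and ledger was never allowed to any of its groups. Granting a new right later means adding an allow row, which is exactly the "as and when required" model the text describes.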
BENEFITS OF THIN-CLIENT IMPLEMENTATION

Before moving on to the technical discussion of Thin-Clients, let us see the main advantages of a Thin-Client implementation. We discuss them under the following headings.

1. Total Cost of Ownership (TCO)
The most convincing factor for Thin-Client adoption is Total Cost of Ownership (TCO); senior management often gives preference to cost measures. Below is a comparison of TCO between a PC based installation and a Thin-Client based installation:
• The initial hardware acquisition cost of a desktop PC is at least three times that of a Thin-Client.
• Administration, management, maintenance and helpdesk costs are lower for an installation using Thin-Clients than for one using PCs.
• Compared with networked PCs, Thin-Clients offer simple installation and administration, and they eliminate frequent upgrades of desktop hardware.
• Data loss at the client end is nil.
• Downtime due to hardware failure is far lower than for a desktop PC.
• The components that cause most of the problems in desktop PCs (hard disk, CD drive, floppy drive, operating system, virus infection, software updating) are largely absent from a Thin-Client based installation, which slashes the running cost by a large fraction.
• Fewer technicians, led by administrators with sound knowledge, are enough to maintain a set of Thin-Clients compared with an equal number of PCs.
• TCO goes down by a further factor if Thin-Clients are used in a Unix environment, and further still with an Open Source operating system such as FreeBSD or Linux running GPL software (OpenOffice, GIMP, the Postfix MTA, Apache and so on).
All the other factors discussed below lower TCO further in one way or another.

2. System Security
At places where the public can walk up to the device, such as airport kiosks, we want security that keeps attackers away from the server while letting the right people through, and here Thin-Clients can give system administrators considerable relief. Thin-Clients are available with strong authentication features such as smart card readers and biometric fingerprint readers. Combining all three factors (username and password, smart card and fingerprint) makes the setup much harder to abuse, though no setup should be treated as foolproof. Since neither data nor applications reside on the user's device, a stolen or discarded Thin-Client yields nothing; the session itself still needs protecting, which is the job of the next point. The ICA and RDP protocols compress and encrypt the data in transit, which defeats casual sniffing of the transport medium; the administrator should nevertheless check the encryption level configured on the connection and raise it to the highest level the clients support rather than assume the default is the strongest available. In Thin-Client based installations the administrator configures the most restrictive permissions and profile for a user and grants rights only as and when a requirement arises.

3. Centralized Administration
Resources such as storage space, printers and scanners, and the authorization to use applications, can all be administered from a single location. This gives a lot of flexibility, saves time, speeds implementation, increases productivity and improves user satisfaction. For example, if a user attaches a laser printer to his Thin-Client, the administrator need not go to the user's workspace to load the required driver: the driver can be installed on the server from the administrator's own seat, after which the printer is configured and the appropriate permissions granted to the user. Permissions for any user can be granted or revoked at any time without leaving the administrator's seat.

4. Software Upgradation
What happens if we are using desktop PCs in place of Thin-Clients in the following cases?
• Deployment of new software
• Upgrading software to a newer version
• Applying service packs, patches and HotFixes
• Backup and restoration of users' data and applications
Doing these jobs for 100 users takes a long time, most of it spent travelling from one user to the next, yet these are jobs that should be finished as early as possible. When application software is implemented or upgraded, all users must be on the same version at the same time, otherwise data may become inconsistent; the same holds for service packs and HotFixes. Either all desktops are upgraded at once or the work is postponed to a later suitable time. Similarly, if backup is not centralized it takes longer to back up every individual PC.
In case of Thin-Client based installation all the above can be done at the server end itself. Looking at these cases, we can conclude following benefits • Saving deployment time • Saving Man-hours • Increased overall system availability • Increased user satisfaction level • Increased productivity • Efficient and maximum use of resources • Ease of manageability • High Data security • Ease of deployment of new system policies 5. Remote Control of Users Desktop One appreciable feature of terminal services is that you can remotely control the users’ desktop. This may be beneficial in the following ways• Helping users in resolving their application or OS related problems. Let us say a user is unable to find a particular address in the address book of his Mail Client. The administrator can take the remote control of user desktop and demonstrate the solution. This way, user is empowered to tackle similar problems in future. • Spying the user activity. For example, proxy server report shows that a user is accessing an unsolicited site. He can be caught red-handed. 6. Data Security One of the major concerns of any organisation is the security of critical data. This can be easily achieved by Thin-Client based implementation in which the data resides only on the central server and permissions can be granted as per the requirement. The data cannot be transported without the administrator’s permission, as Thin-Clients do not have Floppy drives attached to them. This also relives the administrator and the whole network from Virus infection through users’ Floppies. In case of Desktops, backing up critical data of the users, is also a major headache. A backup administrator have to backup each and every machine but in Thin-Client technology the whole data lie on the server and the administrator can backup the data of all the user at a single location. Consequently, we can restore them back in a jiffy. 
Administrator may take daily backups on removable media (like 20/40 GB magnetic DAT media or non-magnetic virtual tape drive devices) or schedule automatic backups to on-line storage devices such as NAS or SAN. In view of the USA 9/11 attacks, in which there was a huge loss of valuable data, we all understand the importance of guarding against data loss; a backup kept on the same site as the server protects against disk failure but not against loss of the site, so keep at least one copy off-site.

7. Maintainability
All the system resources, authorisation and accounting are centralised. Not only this, for most Thin-Clients we can upgrade firmware, change the IP address, add or modify users, take profile backups and restore settings from the server console, using the management software provided by the Thin-Client manufacturer. This slashes the maintenance effort for hardware and Operating System by a large fraction.

8. Scalability
Scalability is excellent, provided we have taken care of it at the time of deployment. If we have sufficient server resources and can extend the existing network for more hosts, adding an additional Thin-Client is a cinch. Plug the Thin-Client into the network, assign an IP address, and configure ICA or RDP to finish the Thin-Client side configuration. On the server you have to create the new user and register additional licenses, if required. Neither user nor administrator has to think about the OS and application software to be loaded on the hosts, as in the case of PCs.

9. Availability
Availability of a Thin-Client based setup is very high in comparison to a server-client based or peer-to-peer installation, for the following reasons:
• Thin-Clients do not have components like a locally installed Operating System, hard disk, floppy disk, CD-ROM etc., which cause most of the problems, so failures in Thin-Clients are far fewer than in PCs.
• When replacing a Thin-Client, we do not have to load any additional software at the host end.
• Comparatively very few shutdowns are required for upgrades and patching.
• Downtime due to data loss can be minimised to zero.
• Almost all problems related to software configuration can be sorted out through remote administration.

10. Virus Protection
You neither have to load virus scanner software on each user workstation nor update virus definitions from time to time; just updating the central server serves the purpose in a Thin-Client based installation. This saves money as well as time, and reduces the risk of virus infection. The flip side is that every user's processes now run on the one server, so its scanner must be kept current and users should be given ordinary, not administrative, rights on it.

11. Training
Users definitely need not know about application loading and configuration; there is no client part as such. The training requirement is also not much, because a Thin-Client setup is simpler than a desktop.
Leave the user to work on applications and provide assistance remotely as and when required. The low cost and ease of installation give us the flexibility to replace a failed device quickly and with ease. No data is lost even when a Thin-Client crashes, as all data resides on the central server.
SCHEMA OF A SAMPLE NETWORK
Before further discussion, we introduce you to a sample implementation of a Thin-Client based network (Fig. 1.4). It has all the basic components: Thin-Clients, printers, a Windows Server, a Linux Server, a License Server, a Gateway, a Print Server, Network Attached Storage and a Fax Server.
[Figure: components shown are a Gateway to the Internet cloud; a TS-enabled Linux Server (reached over Telnet); a TS-enabled Windows Server (reached over RDP/ICA); a Windows License Server; Thin-Clients; a Print Server and Fax Server; and NAS/SAN storage, all on the one network.]
Fig. 1.4: Integrated Network Infrastructure.
In the above diagram, the Thin-Clients are connected via 'Terminal Services' (TS) to the Windows and Linux servers. The License Server for the TS-enabled Windows server is a separate machine in this diagram; both roles can be combined on a single machine, too. These servers in turn are connected to the Internet via the Gateway. Several other resources like the Print Server, Fax Server and Network Attached Storage are also connected to the network. We have introduced this network at this stage of the book to familiarise you with it, because it will be referred to very frequently in later stages of our discussion.
BASIC REQUIREMENTS OF THIN-CLIENT IMPLEMENTATION
The basic requirements of Thin-Clients may be categorised as:

1. Server
The first and foremost requirement for a Thin-Client implementation is a machine that will work as 'Server'. It allows the Thin-Clients to behave as PCs, so that the user will not know whether he is working on a PC or a Thin-Client. The Server hosts the Thin-Client sessions connected to it. Because of the tremendous technology advances in entry-level machines in the last few years, many installations will not even require a true server-class computer. The computing requirements for 'lighter' applications (Excel, VB applications, etc.) are even lower. The main requirement is that the server must have enough memory to handle the sessions. However, to find the exact requirements of the server, we must first analyse the types of users and the kind of applications they would be accessing through the Thin-Client. There are mainly three types of users:
• LIGHT USERS: These users usually run 2-3 applications like Word, Excel and PowerPoint and at most a mail client.
• MEDIUM USERS: These are more enthusiastic users who work on 3-6 applications simultaneously.
• HEAVY USERS: This class of users is the most demanding; they work on more than 6 applications, involving graphics and multimedia applications that require a lot of processor time.
(i) RAM. The server requires a minimum of 150 MB of RAM to run the Operating System if it is Windows 2000 Server. The minimum RAM requirement to run a user's processes is approximately 15 MB per user. This also includes the RAM requirement for running the server portion of the display protocol.
(ii) APPLICATION REQUIREMENTS. 32-bit applications like MS Word and PowerPoint require 2-4 MB of server RAM per application. 16-bit applications run on the 32-bit Windows server inside WOW (Windows on Windows); in other words, WOW is a kind of emulation platform for running 16-bit applications. These applications require a minimum of 4 MB for WOW and another 2 MB for the application itself.
(iii) PROCESSOR. The average number of users supported by a single P-III 500 MHz processor is approximately:
Light users : 60
Medium users : 40
Heavy users : 23
(iv) HARD DISK. As the cost per byte of storage is reducing day by day, one could plan in advance whether RAID-5 or RAID-1 is needed for redundancy. It is recommended that the OS be allotted a minimum of 8 GB of space. Depending on the data generated by the users, the storage capacity may be scaled.

Example: Consider 100 users, of whom 30 are light users, 50 are medium users and 20 are heavy users, who are to be connected through Thin-Clients to a server running Windows Server. We further assume that the light users are running three 32-bit applications and one 16-bit application, the medium users six 32-bit applications and two 16-bit applications, and the heavy users eight 32-bit applications and four 16-bit applications.
Note: We have increased the number of applications for medium and heavy users in comparison to the light users, considering the analytical calculations involved and the processor requirement of the applications used by such users.

Now we can calculate the RAM requirement for the server as below, taking 15 MB per user, 2 MB per 32-bit application and 4 MB per 16-bit application (the lower end of the figures given above):
(a) For OS : 150 MB
(b) For light users : 30 * 15 + 30 * 3 * 2 + 30 * 1 * 4 = 750 MB
(c) For medium users : 50 * 15 + 50 * 6 * 2 + 50 * 2 * 4 = 1750 MB
(d) For heavy users : 20 * 15 + 20 * 8 * 2 + 20 * 4 * 4 = 940 MB
The total RAM requirement for the server is (a) + (b) + (c) + (d) = 3590 MB, i.e. 4 GB (approx.).
(v) CPU. Let us consider that all the users are medium users. Referring to the processor requirement given above, one P-III 500 MHz processor can support 40 medium users, so 100 medium users need (100 users)/(40 users per processor) = 2.5 processors, which must be rounded up to 3, as a fraction of a processor cannot be installed. (Weighting the actual mix gives the same answer: 30/60 + 50/40 + 20/23 is about 2.6.) Then, to implement Thin-Clients for 30 light, 50 medium and 20 heavy users, the server requires a minimum of three processors (P-III 500 MHz) and 4.0 GB RAM.

2. Operating System
For the implementation of Thin-Clients, the Operating System running on the server machine should support Terminal Services. This could be Linux, Windows NT 4.0 Terminal Server Edition, Windows 2000 Server or Windows 2003 Server. Terminal Services enable the users to avail of the multi-user feature of the Windows Operating System in the true sense.

3. Licenses
The most important part of this discussion is licensing. If you are going for a Linux based solution, licensing is not a big issue, as it is an open source product. But for a Windows based implementation licensing is a real concern, as Microsoft is very stringent about its licenses. For a Windows based solution we require two kinds of licenses for every Thin-Client:
1. CAL (Client Access License)
2. TSCAL (Terminal Server Client Access License)
The TSCAL licenses must be activated with Microsoft, through the Terminal Services Licensing server, before integrating Thin-Clients; without activated licenses the server hands out temporary licenses that are valid for a limited period only.

4. Thin-Client
The final component is the Thin-Client itself, and this is where decisions must be made. We can even use old PCs (with a processor as old as a 486) with 4 MB RAM, a hard disk just capable of loading Windows 3.1x, a NIC and a monitor. Alternatively, we could go for the commercially available Thin-Clients, which come at a price as low as 12000 INR.
A few Thin-Client brands are the Itona series from VXL, the Evo series from HP and the Winbee series from HCL.

5. Communication Protocol
For Thin-Clients to talk to the server, the communication protocol must be supported on the Thin-Client as well as on the server machine. The popular firms providing such protocols are Microsoft and Citrix. Microsoft provides RDP (Remote Desktop Protocol) for client/server communication and Citrix provides the ICA (Independent Computing Architecture) protocol to use Terminal Services. Both are well supported on the Windows platform. There are a few other, less popular third-party protocols too. We may prefer RDP because it comes from the same company that develops the Windows Operating System, and you do not need to install a server portion separately to support it. To support ICA, for example, you have to install the Citrix Device Services (CDS) package (discussed in later chapters) on Windows 2000 Server for the basic facility; for advanced features you must go for the MetaFrame series of products on Windows 2000 and Windows 2003. CDS must also be registered at the Citrix site before use. Whichever protocol is chosen, set its encryption level to High on the server, so that logon credentials and keystrokes are not carried across the network in a weakly protected form. To access a Linux server, Thin-Clients must support the X protocol, XDMCP (X Display Manager Control Protocol) or VNC (Virtual Network Computing) clients; note that Telnet and plain VNC send passwords and screen data unencrypted, so confine them to the trusted LAN. To access a Windows server's desktop from a PC, you have to install the appropriate client portion for the protocol on the PC. Microsoft has a free software client on its website called TSAC (Terminal Services Advanced Client). It is an ActiveX control (COM object) that allows us to run Terminal Services sessions within the Microsoft Internet Explorer web browser. Alternatively, we can create the client program (from the Windows Server Operating System) using the Terminal Services Client Creator.
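The server sizing rule under 'Basic Requirements' above (150 MB for the OS, 15 MB per session, 2 MB per 32-bit and 4 MB per 16-bit application, and 60/40/23 users per P-III 500 MHz processor) carried through as a small calculator. This is an added example, not code from the handbook; the class and function names are this example's own, and it rounds processors up for the actual user mix rather than using the all-medium shortcut.

```python
"""Terminal Server sizing from the user-class model in this chapter.

Assumptions (from the text): 150 MB for the Windows 2000 Server OS,
15 MB per user session, 2 MB per 32-bit application and 4 MB per
16-bit application (the lower figures quoted), and one P-III 500 MHz
processor serving 60 light, 40 medium or 23 heavy users.
The class and function names are this example's own.
"""
import math
from dataclasses import dataclass
from typing import Dict, Sequence

OS_RAM_MB = 150
SESSION_RAM_MB = 15
RAM_PER_32BIT_APP_MB = 2
RAM_PER_16BIT_APP_MB = 4

# Users per P-III 500 MHz processor, by class (figures from the text).
USERS_PER_PROCESSOR = {"light": 60, "medium": 40, "heavy": 23}


@dataclass(frozen=True)
class UserClass:
    kind: str     # "light", "medium" or "heavy"
    count: int    # number of such users
    apps32: int   # 32-bit applications each user runs
    apps16: int   # 16-bit applications each user runs

    def ram_mb(self) -> int:
        """RAM for all users of this class, following the chapter's formula."""
        per_user = (SESSION_RAM_MB
                    + self.apps32 * RAM_PER_32BIT_APP_MB
                    + self.apps16 * RAM_PER_16BIT_APP_MB)
        return self.count * per_user

    def processor_fraction(self) -> float:
        """Share of one processor consumed by this class."""
        return self.count / USERS_PER_PROCESSOR[self.kind]


def total_ram_mb(classes: Sequence[UserClass]) -> int:
    """OS allowance plus the per-class totals."""
    return OS_RAM_MB + sum(c.ram_mb() for c in classes)


def processors_needed(classes: Sequence[UserClass]) -> int:
    """Processors for the real user mix, rounded up: half a processor
    cannot be installed, so 2.5 means three."""
    return math.ceil(sum(c.processor_fraction() for c in classes))


def processors_if_all_medium(total_users: int) -> int:
    """The chapter's simplification: treat everyone as a medium user."""
    return math.ceil(total_users / USERS_PER_PROCESSOR["medium"])


def size_server(classes: Sequence[UserClass]) -> Dict[str, int]:
    """Summarise RAM (MB and whole GB) and processor count for the mix."""
    ram = total_ram_mb(classes)
    return {
        "ram_mb": ram,
        "ram_gb_rounded": math.ceil(ram / 1024),
        "processors": processors_needed(classes),
    }


# The chapter's worked example: 30 light, 50 medium and 20 heavy users.
EXAMPLE_MIX = (
    UserClass("light", 30, apps32=3, apps16=1),
    UserClass("medium", 50, apps32=6, apps16=2),
    UserClass("heavy", 20, apps32=8, apps16=4),
)

if __name__ == "__main__":
    for c in EXAMPLE_MIX:
        print(f"{c.kind:6s} x{c.count:3d}: {c.ram_mb():5d} MB, "
              f"{c.processor_fraction():.2f} processors")
    print(size_server(EXAMPLE_MIX))
```

Feed it your own mix of user classes and application counts; the per-application figures are the lower bounds quoted in the text, so treat the result as a floor and add headroom for growth.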
WHO NEEDS THIN-CLIENTS?
Thin-Clients provide lower ownership costs and offer improved manageability and stability for the enterprise. Thin-Clients are ideal for companies that seek to improve application deployment, decrease hardware maintenance, simplify their architecture and reduce the strain on their IT staff.
Thin-Clients are for
• Firms that require a highly reliable network of computers connected to a centralised server running mission critical applications. Educational institutes, publishing industries, hospitals, insurance agencies, airline reservation centres, hotels etc. are typical businesses in this category.
• Information access and data acquisition through a web-based interface (with bare minimum facility) is an emerging scenario. In this case we need not configure any protocol to access an Operating System desktop. Nowadays all Thin-Clients based on Linux or another open source kernel come bundled with browsers like Mozilla/Netscape/Firefox; those based on a Microsoft kernel come bundled with Internet Explorer. Travel agencies, supermarkets, medicine counters, fast food restaurants etc. are a few areas where this type of requirement may arise. But you need to ensure two things before going ahead:
  – The web browser of the Thin-Client has the plug-ins needed to access your web server, e.g. the Macromedia Flash plug-in to show pages with Flash pictures, or Java-related plug-ins to access JSP pages. It is strongly advisable to check the Thin-Client product for such features before buying; browser capability varies from vendor to vendor and product to product.
  – Printing may be a big headache if you are accessing your web page through the Thin-Client browser. Chances are that only ASCII documents will be printed on a generic printer.
• Firms that utilise highly standardised computing tasks, like call centres, data entry jobs or technical support desks, can realise substantial cost savings from Thin-Clients. The computing power and flexibility of a PC is often unnecessary and potentially undesirable, as end-users can reconfigure, load applications or otherwise tamper with the computer's settings.
• Educational institutions are typical of organisations that require more computing resources on an ever-shrinking budget. Universities and schools with under-resourced IT infrastructure can keep hundreds or thousands of Thin-Client devices up and running with the latest software.
• Call centres, transportation, retail, hospitality, health care, government, broadcasting, content creation, chemical manufacturing and drug companies make up quite a broad spectrum of Thin-Client use.
• Fortune 1000 firms with aggressive cost cutting agendas can help reach their goal with Thin-Clients. IT managers are challenged daily to do more with less budget. Most firms can realise tremendous cost savings by reducing the number of support staff needed per user if they use Thin-Clients in place of PCs. Thin-Clients enable network administrators to deploy new systems rapidly, because a Thin-Client can be set up and made functional within 15 minutes. Firms that are used to old-style character-based "dumb" terminals would like to upgrade to the more robust, colourful GUI platform available with Thin-Clients. It can handle email access programs (Outlook Express, Thunderbird) and common business applications (OpenOffice, MS Office) while retaining access to legacy applications (by using a terminal emulation program).
Thin-Clients are not for
The same aerodrome cannot be used for fighter planes, passenger planes and helicopters; the same is true of technologies. There are situations in which a Thin-Client based setup is not advisable, at least practically. These may be categorised as:
• If the intended users fall into the power user category, it is better to provide them with desktop PCs, workstations and laptops instead of Thin-Clients. Design engineers, scientists, graphic artists, multimedia developers, animation industry professionals, web designers, marketing and sales professionals etc. have requirements for powerful local processing, local storage, special multimedia hardware, and the ability to read/write CD-ROMs and scan and print documents. Since they would use a lot of server resources and network capacity, Thin-Clients would cause an unnecessary headache for administrators.
• If you own a low bandwidth network like thick Ethernet or coaxial cable, or have a number of hubs on your network, avoid adopting this technology until your network administrator upgrades it to Fast Ethernet. You should be clear that, as everything is processed at the server, the output of the programs travels over the network to be displayed on the user's monitor; so, if a power user application is accessed through Thin-Clients, it will consume considerable network bandwidth. The second point to consider is that there should not be a single point of failure if your installation is going to span many buildings or cities over a rather large geographical area.
So far, we have discussed the Thin-Client technology and the requirements to be considered before planning. We have also discussed when and where this technology can be of use. In the coming chapters we will explain the way to implement it quickly and get the maximum out of the least investment. Further, we will discuss the issues one can face during implementation and how to troubleshoot, isolate and tackle the problem and find the solution.
2
Windows 2000 Server Installation
Before the advent of Windows 2000 Server from Microsoft, the most sought-after server for technical and business needs was Windows NT Server. Windows 2000 Server is nothing but the renamed Windows NT 5.0, built entirely on NT technology. The Windows 2000 Server line has more powerful features and solutions than Windows NT Server Enterprise Edition. With the introduction of the Windows 2000 series, Microsoft launched four products, namely:
• Windows 2000 Professional
• Windows 2000 Server
• Windows 2000 Advanced Server and
• Windows 2000 Datacenter Server.
The following table (Table 2.1) gives a brief comparison of these four products. A detailed comparison is not in the scope of this title; you may refer to the Microsoft Press manuals for minute details.

Table 2.1
Features | Windows 2000 Professional | Windows 2000 Server | Windows 2000 Advanced Server | Windows 2000 Datacenter Server
Processors supported | up to 2-way SMP | up to 4-way SMP | up to 8-way SMP | up to 32-way SMP
Physical memory | 4 GB | 4 GB | 8 GB | 64 GB
Clustering and load balancing services | — | — | Yes | Yes
Usability | Desktop Operating System with high-level security and improved manageability | Small-to-medium-sized enterprise (SME) application deployments, web servers, workgroups and branch offices | More powerful departmental and application server that provides network Operating System and Internet services | Designed especially for large data warehouses, econometric analysis, large-scale simulations in science and engineering, online transaction processing and server-consolidation projects
WINDOWS 2000 SERVER INSTALLATION
HARDWARE REQUIREMENT FOR WINDOWS 2000 SERVER
The following are the minimum hardware requirements for installation of Windows 2000 Server.
• A 32-bit, Intel-based computer with a Pentium-compatible 166 MHz or higher microprocessor.
• VGA or higher resolution monitor.
• Keyboard.
• 64 MB RAM minimum.
• A minimum of 650 MB of free disk space on the partition that will contain the Windows 2000 system files. Several factors affect the free disk space required by Windows 2000 Setup: the disk cluster size, the amount of RAM in the system, the file system used (for example, NTFS uses a smaller disk cluster size than FAT file systems) and network-based installation as compared to local installation (which requires less free space). Setup proceeds only if you have sufficient disk space for the optional components you have selected.
• For installation from a CD-ROM drive, the system should be capable of booting from CD-ROM, so that you can start the Setup program without using a floppy disk drive.
• If your system does not boot from the CD-ROM drive, a high-density 3.5-inch disk drive as drive A and a CD-ROM drive are required: boot the system from the bootable floppy and run the Setup program from the CD.
• For network installation, one or more network adapters must be installed in your computer, which should have access to the network share containing the Setup files.
• A mouse or other pointing device.
Note: However, to have a functional Windows 2000 Server, we require at least 128 MB RAM and a minimum of 1 GB of disk space.
CHECKLIST FOR INSTALLATION OF WINDOWS 2000 SERVER
Before going ahead with the installation of Windows 2000 Server, the following points must be taken into consideration.
• Hardware Compatibility: Ensure that the machine on which you are planning to install Windows 2000 Server is compatible with it. To verify this, visit http://www.microsoft.com/windows2000/server/howtobuy/upgrading/compat/ where the Hardware Compatibility List (HCL) can be found.
• Disk Space: Ensure the system has sufficient disk space. The minimum disk space recommended for installation of Windows 2000 is 1 gigabyte (GB).
• Disk Partitions: This must be given immense thought, as you need to decide how much space is to be provided to the users, the Operating System and applications, i.e. the partitioning scheme must be finalised prior to installation. Also decide what sort of data recovery/protection methodology is to be implemented, like RAID/mirroring/volumes.
• File System: The NTFS file system is preferred for optimum utilisation of the security features provided by Windows 2000 Server; a FAT partition carries no file permissions at all, so nothing stops one user reading another's data on it.
• Licensing Mode: There are two modes: per-server and per-seat. The mode can be switched from per-server to per-seat after installation, but not from per-seat to per-server. However, if you are installing Windows 2000 Server as a Terminal Server, you must install it in per-seat mode only.
• Computer Name: The computer must have a unique name if it is to be a member of any Windows network environment.
• Network Membership: If the computer is to become part of a network, determine the type of network group the computer will join. The computer can be in either a Domain or a Workgroup. If it will be joined to a Domain, the Domain name is needed and a computer account needs to be created within the Domain for the new computer. The computer account can be created prior to installation, or during the installation process with an appropriate Domain administrator account and password.
• Installation Method: Determine whether the Windows 2000 Operating System will be installed from Setup boot disks, CD-ROM, or over the network.
• Service Components: Prior to installation, determine the services that will be required of the installed Operating System. For server installations, considerations may include Terminal Services, Active Directory, DNS, WINS, or DHCP.
WINDOWS 2000 INSTALLATION PROCESS
As described earlier, there are three ways to install Windows 2000 Server:
• Setup boot disks
• CD-ROM
• Over the network
The Setup boot disk method requires the use of four Setup floppy disks, and is needed if the computer on which the Operating System is to be installed cannot boot from its CD-ROM drive. The CD-ROM method requires the computer's motherboard BIOS to be configured to detect and boot from the bootable Windows 2000 installation CD.
INITIATING INSTALLATION FROM SETUP BOOT DISKS
If Windows 2000 Setup disks are not already available, they can be created on another computer from the installation CD-ROM. To create the startup disks, adopt the following steps.
1. First, you must have 4 blank, formatted 1.44 MB 3.5-inch disks. Label them "Setup Disk 1", "Setup Disk 2", "Setup Disk 3" and "Setup Disk 4", and indicate on each disk whether it is for Windows 2000 Server or for Windows 2000 Professional.
2. Use another computer running any Windows Operating System to create the Setup boot disks.
3. Insert the disk labelled "Setup Disk 1" and the Windows 2000 Operating System CD into the appropriate drives. In the \win2k\bootdisk folder you will find the following 6 files (Fig. 2.1). The first four are the image files and the remaining two are the executables that transfer these image files onto the four floppies respectively.
Fig. 2.1
4. Click Start, and then click Run; or open a command prompt.
5. At the prompt, type the following command, replacing the d: and a: drive letters with the letters of the CD-ROM drive and floppy disk drive of the computer being used:
d:\bootdisk\Makeboot.exe a:\ (Fig. 2.2)
Fig. 2.2
6. Follow the instructions that appear as shown in screenshots in Fig. 2.3.
Fig. 2.3
Your Startup disks for the installation of Windows 2000 Server are ready for use.
Start Setup from the Boot Disks
Once Setup is started from the boot disks, it prompts for the insertion of specific boot disks and the CD-ROM, requests information, copies files and restarts the system. Start Setup from the Setup boot disks as follows:
• Insert "Setup Disk 1" into the floppy drive before turning on the computer.
• Follow the Setup instructions on the screen. The text mode installation phase will begin.

INITIATING INSTALLATION FROM A BOOTABLE CD-ROM
If your system supports booting from CD-ROM, using the bootable CD-ROM is the simplest method of initiating the Windows 2000 Setup program. Place the Operating System CD in the drive and power on the system. Once the Setup program has started, it requests information, copies files and restarts the system. As far as the complete installation procedure is concerned, it is a two-phase installation. First, the text mode portion runs; during this phase the mouse and GUI are not available. Later, the graphical mode takes you to the end of the installation.

Text Mode Installation Phase
This installation phase is similar for both disk and CD-ROM installation, with the small difference that the boot disk installation will prompt the user whenever the next Setup disk is required. Setup begins by inspecting the computer's hardware; the screen displays the message "Setup is inspecting your computer's hardware configuration...". Shortly after it starts loading its files, Setup briefly offers the chance to load third-party SCSI or RAID controller drivers: if they are required, press the F6 key; otherwise allow the Setup process to continue. If the F6 key is pressed, the following screen appears (Fig. 2.4).
Fig. 2.4
Pressing the S key will cause Setup to search the A drive for a third party driver disk. Setup will read the information on the floppy disk and will display the available choices as shown in Fig. 2.5. Choose the appropriate driver and press the ENTER key to continue.
Fig. 2.5
Now, a confirmation of the selected driver will be shown as in Fig. 2.6. On pressing ENTER driver will be loaded.
Fig. 2.6
If more drivers are to be installed, press the S key and repeat the steps until driver installation is complete. When all the drivers are loaded, press ENTER to proceed. Once the necessary files have been loaded, a message will appear for a brief moment stating "Setup is starting Windows 2000". On the following screen you are given three options (Fig. 2.7):
• To install Windows 2000,
• Repair an existing installation
• Exit the Setup process.
Press the ENTER key to install Windows 2000 Server afresh.
Fig. 2.7
If you have a brand new, unformatted hard disk, or if your hard disk already has an Operating System which Windows 2000 Setup could not recognise, you must format the disk before starting the installation, and Setup warns you of this. Then you may continue with Setup by pressing the C key. Otherwise, press the F3 key and make the appropriate configuration changes or take backup measures before restarting the Setup process (Fig. 2.8).
Fig. 2.8
Next you will be presented with the Windows 2000 Licensing Agreement (Fig. 2.9). After reading the Licensing Agreement, make sure the page has been scrolled all the way to the bottom and press the F8 key to agree with the Windows 2000 Licensing Agreement and continue with the installation.
Fig. 2.9
The next interactive screen (Fig. 2.10) shows the existing hard disks and the partitions, if any, on them. Multiple partitions or multiple hard disks are identified in the display. Any unpartitioned space on the disk needs to be partitioned and formatted before it can be used. To use all of the existing unpartitioned space, press the ENTER key. To partition the disk yourself, press the C key.
Fig. 2.10
The interactive display shows that the new partition was created and must be formatted. To format the partition press the ENTER key (Fig. 2.11).
Fig. 2.11
If you prefer to create a partition, the next screen (Fig. 2.12) will provide you with the option to define the size of the new partition. The default size selected will be the entire unpartitioned space of Hard Disk. Either modify the size as per the requirement or accept the default by pressing ENTER key.
Fig. 2.12
The screen as shown in Fig. 2.13 displays the newly created partition.
Fig. 2.13
The following screen presents the options for formatting the selected partition (Fig. 2.14). Windows 2000 Server requires NTFS for the optimum utilisation of its security features (file and folder permissions, auditing and encryption are not available on FAT). Format the partition as NTFS.
Fig. 2.14
Once formatting is completed, Windows 2000 Setup will examine the disks and start copying the necessary Operating System files to the hard disk (Fig. 2.15).
Fig. 2.15
When all files have been copied to the hard disk, Windows 2000 Setup will restart the computer. Make sure to remove any disk from the floppy drive. When the Computer reboots, the installation will continue in the Graphical User Interface (GUI) mode. This second phase installation is as follows.
GUI Mode Installation Phase
During this phase of the installation you will be given the options to install optional components and to set the Administrator password. Windows 2000 collects configuration information through several interactive screens for setting up the Operating System. A Windows 2000 Setup Wizard appears (Fig. 2.16). Click Next to continue, or wait a few seconds and the Wizard will start on its own.
Fig. 2.16
The Windows 2000 Setup Wizard will begin by automatically detecting and installing hardware devices. This may take a few minutes and the screen may flicker during the process. When this process completes, the Regional Settings dialog box will appear (Fig. 2.17).
Specify the regional settings, then provide the user name and organisation name to be recorded for the server.
Fig. 2.17
Look on the back of the Operating System CD case and enter the Windows 2000 product key in the 'Your Product Key' dialog box (Fig. 2.18). It is a 25-character alphanumeric string. Click Next to continue.
Fig. 2.18
Selecting Licensing Mode for Windows 2000 Server
In the 'Licensing Modes' dialog box, select the client-licensing mode. The available choices are 'Per seat' and 'Per server'. If unsure which mode to use, select Per server, because Microsoft allows a later change to Per seat at no cost; consider this the rule of thumb. On the other hand, if you are going to use Thin-Clients with this server, choose Per seat (Fig. 2.19). Once the licensing mode is selected, click Next to continue with Setup.
Fig. 2.19
Note About Computer Name and Administrator Password
The Computer Name and Administrator Password dialog box asks for the computer name, so that it may be recognised on the network by a distinct name. The advisable length for a computer name is 15 characters or less. Use the digits 0 to 9, upper and lower case letters and the hyphen (-) character. If this computer will be part of a domain, choose a computer name that is different from that of any other computer in the domain (Fig. 2.20).
Fig. 2.20
The Windows 2000 Setup program creates a user account on the computer called Administrator that has administrative privileges for managing the overall configuration of the computer. The Administrator account is intended for the person who manages this computer. For security reasons, it is necessary to specify a password for the Administrator account. Leaving the Administrator password blank means the account has no password. The password can be up to 127 characters. For strong password security, use a password of at least 8 characters, with a combination of uppercase and lowercase letters, numbers, and special characters such as *, ? or $. Confirm the password and click Next to continue with Setup. Once the installation is over, rename the Administrator account as a first priority, so that the privileged user name cannot be easily guessed (the account cannot be deleted).
Choose Service Components for Windows 2000 Server In the Windows 2000 Components dialog box (Fig. 2.21), select the necessary components for the server being installed. This dialog box allows addition or removal of components during installation. Complete the selection and move on.
Fig. 2.21
If Setup is completed and it is later decided that other components are needed, they can be added later. To do so, click Start, point to Settings, click Control Panel, and then double-click Add/Remove Programs. In Add/Remove Programs, click Add/Remove Windows Components. You will get the same screen as shown in Fig. 2.21. The next screen is the Date and Time Settings dialog box (Fig. 2.22). Select the appropriate time zone and set the date and time.
Fig. 2.22
Configuring Network Settings The Networking Settings dialog box (Fig. 2.23) allows you to connect to other computers on the network and browse the Internet. Select either Typical settings or Custom settings based on the information obtained from the network administrator. If uncertain, select Typical settings at this stage, as it can be changed later.
Fig. 2.23
Typical Settings: When the Typical settings radio button is selected in the Networking Settings dialog box, Windows 2000 Setup checks whether there is a Dynamic Host Configuration Protocol (DHCP) server within the Domain/Workgroup. If there is a DHCP server, that server provides the IP address. If there is no DHCP server, the Automatic Private IP Addressing (APIPA) service assigns an IP address. APIPA provides automatic IP address assignment for computers on networks without a DHCP server. It uses a reserved class B network (169.254.0.0 with the subnet mask 255.255.0.0). The PC hosting this service will assign itself 169.254.0.1; other network elements asking for an IP address will get the subsequent addresses. These hosts cannot directly communicate with hosts outside this subnet, e.g. Internet hosts. To browse the Internet you must have NAT (Network Address Translation) enabled on the server connected to the Internet. This option is most suitable for small, single-subnet networks, such as a home or small office.
Custom Settings: When the Custom settings radio button is selected in the Networking Settings dialog box, Windows 2000 Setup opens the Networking Components dialog box to allow customized configuration of network components, including the selection of a dynamic or static IP address and other networking information. All servers should have a static IP address, though a dynamic IP address can also be assigned. To specify a static IP address, follow the steps below:
• In the Networking Settings dialog box, select the Custom settings radio button and click the Next button to continue.
• In the Networking Components dialog box (Fig. 2.24), click Internet Protocol (TCP/IP), and then click Properties.
Fig. 2.24
• In the Internet Protocol (TCP/IP) Properties dialog box (Fig. 2.25), click Use the following IP address.
Fig. 2.25
• In IP address and Subnet mask, type the appropriate numbers. (If required, specify the Default gateway as well.)
• Under Use the following DNS server addresses, type the address of a preferred DNS server and, optionally, an alternate DNS server. If the local server is the preferred or alternate DNS server, type the same IP address as assigned in the previous step.
• If a WINS server will be used, click Advanced, and on the WINS tab, click Add to add the IP address of one or more WINS servers. If the local server is a WINS server, type the IP address assigned in the IP address step above.
• Click OK in each dialog box, and click Next in the Networking Components dialog box to continue with Setup.
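The two failure modes described above (a server that silently fell back to an APIPA address because no DHCP server answered, and a static address whose default gateway lies outside its own subnet) can be checked over a server inventory. This is an added example, not code from the handbook; the inventory records and host names are constructed.

```python
"""Sanity-check server IP configuration for the two failure modes above:
an APIPA fallback address (169.254.0.0/16, so no DHCP server answered and
nothing outside that subnet is reachable) and a default gateway that is not
on the server's subnet. Added example; the inventory below is constructed."""
import ipaddress

# The APIPA block: reserved class B network 169.254.0.0 / 255.255.0.0
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")

# Constructed inventory: (hostname, ip, subnet mask, default gateway or None)
INVENTORY = [
    ("TS-SERVER1", "192.168.10.5", "255.255.255.0", "192.168.10.1"),
    ("TS-SERVER2", "169.254.0.1",  "255.255.0.0",   None),         # DHCP never answered
    ("FILE-SRV",   "10.0.5.20",    "255.255.255.0", "10.0.9.1"),   # gateway off-subnet
    ("NC-Server",  "192.168.10.6", "255.255.255.0", None),         # single subnet, no gateway
]


def is_apipa(ip):
    """True if the address lies in the 169.254.0.0/16 link-local block."""
    return ipaddress.ip_address(ip) in APIPA_NET


def same_subnet(ip, mask, other):
    """True if `other` is directly reachable, i.e. inside the network ip/mask."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return ipaddress.ip_address(other) in net


def check_host(name, ip, mask, gateway):
    """Return a list of findings for one host (empty when the configuration is sound)."""
    findings = []
    if is_apipa(ip):
        findings.append(f"{name}: {ip} is an APIPA address; no DHCP server answered "
                        "and hosts outside 169.254.0.0/16 are unreachable")
    elif gateway is not None and not same_subnet(ip, mask, gateway):
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        findings.append(f"{name}: default gateway {gateway} is not on subnet {net}")
    return findings


def audit(inventory):
    """Run check_host over every record and collect all findings in order."""
    findings = []
    for record in inventory:
        findings.extend(check_host(*record))
    return findings


if __name__ == "__main__":
    for line in audit(INVENTORY):
        print(line)
```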
Join a Domain or Workgroup The Workgroup or Computer Domain dialog box (Fig. 2.26) offers the option of joining a workgroup or a domain.
• Select either the ‘No, this computer is not on the network …’ radio button for a workgroup or the ‘Yes, make this computer a member of the following domain …’ radio button for a domain. (If the computer is a server that is to become the first Domain Controller for a Domain, select the ‘No, this computer is not on the network...’ radio button. The server can be converted later to a Domain Controller, as instructed under the “Convert Windows 2000 Server to a Domain Controller” heading.)
• Enter the name of the workgroup or domain in the text box and click the Next button to continue with Setup.
• Windows Setup will install all the previously selected Windows 2000 components.
• Click the Finish button to reboot the computer.
Fig. 2.26
Workgroup: A workgroup is a logical grouping of a few computers for sharing resources with each other. Each computer’s resources, security and user accounts are managed at that computer. In a workgroup, centralized account management is not possible. A computer cannot be part of two workgroups at the same time.
Domain: A domain is a collection of computers managed through a centralized computer known as a Domain Controller. In a domain, all computers share a central directory database that stores security and user account information for that domain. This directory database is managed by one or more domain controllers. To join a domain, the computer requires an account on the specified domain controller. As far as installation is concerned, this computer account needs to be created before proceeding with Setup. Alternatively, an authorized administrator of the Domain Controller can create the required computer account and join the domain during Setup. A computer may be part of more than one domain.
Windows 2000 Server and Advanced Server Configuration Options When the Setup wizard completes the installation of Windows 2000, the computer restarts. The basic Setup installation is now over. For Windows 2000 Server and Advanced Server installations, the ‘Configure Your Server’ screen will appear. To make further configuration easy, the initial Server page provides three choices, as shown in Fig. 2.27.
Fig. 2.27
This is the only server on my network: Selecting this option and clicking the Next button will present a page (Fig. 2.28) informing the administrator that Windows will automatically configure the server as a Domain Controller. To proceed and configure the server as a Domain Controller click the Next button and follow all subsequent directions. Otherwise, click the Back button and select another option.
Fig. 2.28
One or more servers are already on my network: Selecting this option and clicking the Next button will present the administrator with the Configure Your Server page (Fig. 2.29). From this page, the administrator can choose any of the options on the left hand column for step-by-step instructions on configuring the server as per the requirement.
Fig. 2.29
I will configure this server later: Selecting this option and clicking the Next button will present the administrator with the Configure Your Server page, i.e. Fig. 2.29, just as explained for the previous option. With this, the installation and configuration of the Operating System is complete. We will refer to this server as the Thin-Client server in successive chapters. You will learn later what additional services and components must be installed and configured to make it a Thin-Client Server in the true sense.
3 Licensing Policy of Windows
Terminal Services provide remote access to a Windows 2000 Server Operating System for clients through remote display protocols. But this is not possible until and unless certain licenses are implemented and activated on the server running Terminal Services. Let’s take an overview of these licenses.
TERMINAL SERVER LICENSES The Windows 2000 Server products include integrated Terminal Services. The Server family consists of Windows 2000 Server, Windows 2000 Advanced Server, and Windows 2000 Datacenter Server. Four licenses are required for the implementation of Thin-Clients on Windows:
1. Windows 2000 Server License is required for hosting Terminal Services sessions.
2. Windows 2000 Client Access License (CAL) is required to access Windows 2000 Terminal Services and other basic network/application services in the Windows 2000 operating system.
3. Windows 2000 Terminal Services CAL (TSCAL) license is required for a remote user to run applications on a Windows 2000 Server via Terminal Services.
4. Application License: the applications that are to be run on the Terminal Server must also be properly licensed.
1. Windows 2000 Server License This license comes along with the base operating system. The license key of the operating system acts as the license at the time of installation of the operating system.
2. Windows 2000 Client Access License (CAL) These licenses are of two types:
Per Seat License This requires that every client on the network has its own license. This is the easiest method of adding up your licensing because you account only for how many clients you have. From a licensing point of view you need not worry about concurrent connections to a single server or about how many servers each client connects to. Per seat is usually cheaper if we have more than one server, because with this licensing method you buy a CAL for every computer that attaches to your server. It is hardware dependent, not user dependent. For example, if 5 users access the server using only one workstation (one by one, not concurrently), then we don’t need 5 independent CAL licenses. Instead we need just one CAL license. Thus with only one CAL license, 5 users can log on (to the mail server) one by one to access their mail. In another scenario, with the same CAL license a user can access two or more servers at the same time from his workstation. One need not bother about legal issues of license availability on these servers.
Per Server License This differs from the per seat license in the sense that it is a “concurrently used license”. A pool of licenses is maintained on the server. They are distributed to clients on a first come, first served basis for accessing the server resources. We need to have an independent license for every user. For example, if there are 50 ‘per server’ licenses in the pool and 50 users are working on the server simultaneously, then when the 51st user tries to access the server, he is simply denied the connection. As the first 50 users have already consumed the available 50 licenses, the 51st user must wait for someone to release the server for his use. Compared to the Per Seat License it is usually more expensive, as it is available in packs of 5, 20, 25 and so on. So when you require 13 per server licenses, you have to buy a 20 License pack. Another aspect of cost comparison is that if a user is going to access many servers from his workstation (all under the per server licensing scheme), every one of those servers must have a license available for his connection.
Cost Effectiveness We should understand that choosing a licensing scheme might prove costly or cheap depending on the infrastructure you have. To understand the cost effectiveness of the two licenses, let’s take up the case of a company with nearly 40 workstations, 2 servers and 200 users in total. We discuss two scenarios in which the same hardware may incur a higher or lower license cost depending on how it is used.
Scenario 1: Assume 40 users will access both servers from their workstations concurrently and the company management opts for ‘per server’ licenses. Then for 40 users they need to buy 2 × 40 = 80 CAL licenses (Fig 3.1). However, if they go for ‘per seat’ licenses, then no matter how many servers are accessed simultaneously by users from the 40 workstations, all they need to buy is just 40 CAL licenses (Fig 3.2). Thus in this scenario, ‘per seat’ licenses are more cost effective than per server licenses, saving 50% of the license cost.
Fig. 3.1 Scenario 1, Per-Server Mode: workstations WS1 to WS40, 40 CALs on Server-1 and 40 CALs on Server-2 (TOTAL CAL = 80)
Fig. 3.2 Scenario 1, Per-Seat Mode: CAL1 to CAL40 assigned to workstations WS1 to WS40, no CAL on Server-1 or Server-2 (TOTAL CAL = 40)
Scenario 2: Assume 40 users from 40 workstations access the two servers in such a way that at any single point in time at most 30 users are connected across both servers: the first server serves 15 users and the second server another 15 users, so there are at most 30 concurrent users on both servers together. Now if we procure per server licenses, we have to purchase 15 licenses for each server, because at most 15 users will access a server at a time. Thus we need 2 × 15 = 30 licenses for 40 workstations. However, if we go for per seat licenses, then we need to purchase 40 licenses. Thus in this scenario, per server licenses are more cost effective than per seat licenses.
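The two scenarios above follow one rule that can be applied to any number of servers and any peak load, so a small model is useful before buying CALs. This is an added example, not from the handbook; it assumes per seat means one CAL per workstation, per server means one CAL per concurrent user on each server, and that per server packs come in the sizes of 5, 20 and 25 named above, buying the smallest single pack that covers the requirement (the text’s ‘13 licenses, buy a 20 pack’ rule).

```python
"""CAL count model for the per-seat vs per-server comparison in Scenarios
1 and 2. Added example, not from the handbook. Assumptions: per seat is one
CAL per workstation; per server is one CAL per concurrent user on each
server; pack sizes 5, 20 and 25 as named in the text, buying the smallest
single pack that covers the requirement (13 -> 20)."""

PACK_SIZES = (5, 20, 25)


def per_seat_cals(workstations):
    """Per seat: one CAL per client machine, however many servers it reaches."""
    return workstations


def per_server_cals(peak_per_server):
    """Per server: every server keeps its own pool sized to its peak concurrency."""
    return sum(peak_per_server)


def pack_up(needed, packs=PACK_SIZES):
    """Round a per-server requirement up to purchasable packs: the smallest
    single pack that covers it (13 -> 20). If no single pack is large enough,
    buy multiples of the largest pack plus a top-up pack (an assumption that
    goes beyond what the text states)."""
    if needed <= 0:
        return 0
    for size in sorted(packs):
        if size >= needed:
            return size
    largest = max(packs)
    full, rest = divmod(needed, largest)
    return full * largest + pack_up(rest, packs)


def compare(workstations, peak_per_server):
    """Return raw CAL counts for both modes, the cheaper mode, and the
    percentage saved by choosing it (50% in Scenario 1, 25% in Scenario 2)."""
    seat = per_seat_cals(workstations)
    server = per_server_cals(peak_per_server)
    if seat == server:
        cheaper, saving = "either", 0.0
    elif seat < server:
        cheaper, saving = "per seat", 100.0 * (server - seat) / server
    else:
        cheaper, saving = "per server", 100.0 * (seat - server) / seat
    return {"per_seat": seat, "per_server": server,
            "cheaper": cheaper, "saving_pct": round(saving, 1)}


if __name__ == "__main__":
    print("Scenario 1:", compare(40, [40, 40]))   # 40 vs 80 -> per seat, 50%
    print("Scenario 2:", compare(40, [15, 15]))   # 40 vs 30 -> per server, 25%
    print("13 per-server licenses means buying a pack of", pack_up(13))
```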
3. Windows 2000 Terminal Services CAL (TSCAL) TSCAL licenses are required for each client that will access Terminal Services. There are four types of TSCAL licenses available.
Standard TSCAL These TSCAL licenses are for named user accounts (in a domain or on a stand-alone server in a workgroup). They are issued on a per seat basis to every workstation that accesses the server, regardless of the display protocol used to connect to the server.
Internet Connector License These are the special licenses available to companies that give their employees access to their corporate servers via Internet using display protocols. This license allows a maximum of 200 concurrent anonymous users to connect to the Terminal Services. In a sense, it is not machine dependent rather user dependent license. This license is costlier than the standard TSCAL license.
Built-in Licenses A built-in token is issued to a client that is running Windows 2000 Professional or its successor operating systems (i.e. Windows XP Professional) from the built-in pool of license tokens.
Temporary Licenses Terminal Services can be used even without active standard TSCAL licenses, because the Terminal Server issues a temporary token. A temporary token allows the client to connect to the Terminal Server for 90 days. This period is known as the license server grace period and begins the first time a Terminal Services client connection is made to the Terminal Server. This grace period is designed to allow ample time for the administrator to deploy a license server.
4. Application License In a Terminal Server environment, the licensing of applications running on the server is treated in the same way as in a single user environment. For instance, Microsoft Office applications are licensed per device. Each device that runs Office via a Terminal Server must have a license for Microsoft Office. So if you have 50 Thin-Clients accessing the MS-Office applications concurrently, then you need 50 MS-Office licenses.
TERMINAL SERVICES LICENSING MODEL Terminal Services can be configured in two modes. In “Remote Administration” mode, two concurrent sessions are allowed to log on to the server without requiring a license server.
In “Application Server” mode, the Terminal Services Licensing service is used to obtain and manage license tokens for devices that connect to a Windows 2000 terminal server. Terminal Services Licensing contains two primary components: the ‘Terminal Services Licensing’ Service and the ‘Terminal Services Licensing’ Administration utility. These components are referred to collectively as TSL. TSL manages unlicensed, pre-licensed, and temporarily licensed clients, as well as clients using CAL licenses. TSL supports per seat CAL licenses and Internet Connector Licensing for Terminal Services. The licensing service simplifies the task of license management for the system administrator. It also helps administrators determine how many licenses to purchase. TSL is Microsoft’s first step in developing integrated licensing technologies within the Windows operating system. This technology helps you account for and properly license Terminal Services clients, and helps Microsoft ensure that only licensed clients access Terminal Services.
COMPONENTS OF ‘TERMINAL SERVICES LICENSING’ MODEL The following four components make up the TSL model (Fig 3.3)
1. TSCAL Token The Terminal Services Client Access License token is issued to the physical device that is running the Terminal Services client software.
2. Terminal Server The Terminal Server is a Windows 2000 Server machine that has Terminal Services enabled in Application Server mode. The Terminal Server provides multiple clients with access to Windows-based applications running on the server. Microsoft licenses access to a Windows Terminal Server on a per seat basis. When you access a Terminal Server from a client device, the Terminal Server checks the client’s license token to see whether that client device has a TSCAL for accessing the Terminal Server. If the client device already has a TSCAL (either a previously assigned one or one from a Windows 2000 Professional machine with a built-in license), the client logs on. If it does not, the Terminal Server contacts the License Server, which assigns a TSCAL to that client device and permanently stores it on the client’s hard disk. The license server associates that TSCAL with the client, moving it from the “available” pool to the “assigned” pool, and the client can then log on.
3. License Server A “license server” is a computer on which Terminal Services Licensing is enabled. It stores all Terminal Services license tokens (that have been installed for a group of terminal servers) and tracks the license tokens that have been issued. For example, if we have 5 Servers serving Thin-Clients, we can have one license server to serve the license tokens for all 5 Terminal Servers. A license server can issue Terminal Services Internet Connector license tokens, TSCAL tokens, temporary tokens, and built-in tokens. A Temporary token is issued to a client when there are no TSCAL tokens available on the license server.
4. Microsoft Clearinghouse The Microsoft Clearinghouse is the facility Microsoft maintains to activate license servers. It also issues client ‘license key packs’ to the license servers that request them. (A client license key pack is a digital representation of a group of client access licenses.) The Microsoft Clearinghouse is accessed through the Licensing wizard in the Terminal Services Licensing tool. It may be reached directly over the Internet, through a Web page, by fax, or by phone (Fig 3.3).
Fig. 3.3. The License Service Model (Microsoft side: Microsoft Certificate Authority and License Clearing House; customer side: Windows 2000 Server running Terminal Services Licensing or a local Licensing Server, Windows 2000 Server running Terminal Services, and the clients)
STEPS TO SETUP A TSL MODEL The following five steps are needed to set up TSL:
1. License Purchase: Purchase Terminal Services licenses. You can buy them either as part of the packaged product through a reseller or through one of Microsoft’s many volume licensing programs.
2. License Server Setup: Install the Terminal Services Licensing component on a Windows 2000 server. You can do this either during initial system setup or later using Add/Remove Programs.
3. License Server Activation: Activate a license server by requesting a limited-use digital certificate from the Microsoft Clearinghouse. This digital certificate lets the license server install licenses in a secure fashion.
4. License Token Installation: Make a connection to the Microsoft Clearinghouse and provide purchase information. It validates your information. Then you can install the corresponding license tokens on the license server.
5. License Distribution: After TSCAL tokens are installed, the license server issues these tokens to Terminal Server clients on an as-needed basis. A Terminal Server can also be enabled as an Internet Connector after the ‘Terminal Services Internet Connector license’ has been installed on the license server.
MODE OF LICENSING FOR CAL LICENSES Before setting up Terminal Services Licensing, the most important thing to take care of is the mode in which users access the Terminal Server. There are two modes in which users can access the server:
• Per Server
• Per Seat
In Per Server mode the Terminal Server issues only temporary token licenses, valid for a period of 90 days, even if the TSCAL licenses have been activated and installed. This is because, by nature, TSCAL licenses are assigned to clients only on a per seat basis. Therefore, for a permanent implementation of Terminal Services, you must choose Per Seat mode for client access. However, even if you have installed the Windows 2000 server in Per Server mode, you may still change the client access mode to ‘Per Seat’, but not vice versa. The screen below (Fig 3.4) is reached through Start -> Settings -> Control Panel -> Licensing.
Fig. 3.4
Once you alter the Licensing mode the following warning message appears (Fig 3.5), which says that you could alter the option only once. But practically, you could do it as many times as you wish.
Fig. 3.5
INSTALLATION OF TERMINAL SERVICES ‘Terminal Services Licensing’ can be installed either during OS installation or later on. Let us discuss this installation step by step, taking into account all the necessary constraints and precautions. To install Terminal Services, reach the ‘Windows Components Wizard’ through Start -> Settings -> Control Panel -> Add/Remove Programs -> Add/Remove Windows Components (Fig 3.6).
Fig. 3.6
Select Terminal Services and Terminal Services Licensing and click Next. You will now see the Terminal Services Setup screen (Fig 3.7), which is in Remote Administration mode by default. The other option is Application Server mode. Before moving ahead, let’s first understand what these modes mean.
Remote Administration Mode As the name suggests, this mode enables the administrator to manage the server remotely. Here two simultaneous connections to the Windows 2000 server could be established (for administration) without the need for any external licenses.
Application Server Mode This mode would enable users to remotely access various applications (installed on the server) with optimum server performance. We would select this mode for thin-client implementation.
Fig. 3.7
As you see in the screen-shot below (Fig 3.8), the mode has been changed to ‘Application Server’ mode from ‘Remote Administration’ mode.
Fig. 3.8
The next screen demands information regarding permissions for application compatibility (Fig 3.9). “The Permissions compatible with Windows 2000 users” option of the Terminal Server setup secures some system folders and registry keys by locking them, thus preventing applications from altering them. In this mode certain legacy applications (generally 16 bit) may not work. We have selected “Permissions compatible with Terminal Server 4.0 users” as our users may require all sorts of applications, some of them may even be legacy applications. One always has the option of changing the permission mode without reinstalling the Terminal Services.
Fig. 3.9
The next screen asks for the role as well as location of the Licensing server (Fig 3.10). If the server is a member of a domain and it is to cater to the needs of parent as well as child domains then “Your entire enterprise” option is the right selection. Else, if the server is not required to serve other domains except its own, then you should go for the “Your domain/ workgroup” option.
POINTS TO PONDER BEFORE IDENTIFYING LOCATION FOR LICENSING DATABASE:
• Let’s say your server has two hard-disk controllers for two hard disks and the OS is installed on the first hard disk. Then, while installing the Licensing Database, specify the location of the database on the second hard disk. This will improve the performance of Terminal Services, as the OS does not need to employ its own controller to check for licenses every time the server is accessed by a client. This will also help in having data redundancy in case the operating system crashes.
Fig. 3.10
Fig. 3.11
• It is advised to install the licensing database on a different server that is more secure and less accessed by users. This keeps the Terminal Services licensing database secure and redundant.
After the above screen the application asks for the Windows 2000 Server CD. Insert the CD into the CD-ROM drive, or if you have a dump of the Windows 2000 Server CD on some drive, supply its path. The dump may also come in handy in a future emergency. Windows will start configuring the server (Fig. 3.11). Once Setup finishes configuring the system as per your requirements, the following screen appears (Fig. 3.12).
Fig. 3.12
Click on the Finish button and then restart the server to bring about the changes incorporated by this installation.
TSCAL ACTIVATION Once the Terminal Services have been installed, the next step in thin-client implementation is to register and activate the TSCAL Licenses.
Terminal Services Licensing Wizard The activation and registration of TSCAL Licenses using the ‘Terminal Services Licensing Wizard’ is an almost automated process. All you need to do is fill in the desired information, and the Wizard automatically fetches the requisite license key from Microsoft’s License Activation site via the Internet. Now let’s see in detail the steps involved in activation and registration of TSCAL Licenses through the Terminal Services Licensing Wizard. First, to check the status of your Terminal Server, go to Start -> Programs -> Administrative Tools -> Terminal Services Licensing. As you can see in Fig 3.13, the activation status of the Terminal Server (i.e. NC-Server) is “Not Activated”. Here the TSCAL licenses have not been activated and the server is running under the 90-day grace period.
Fig. 3.13
Now, to activate the TSCAL Licenses through the Terminal Services Licensing Wizard, select the License Server and double-click it; the Licensing Wizard’s Welcome screen pops up (Fig 3.14). You can also access the Licensing Wizard by selecting the Terminal Server and choosing the Install Licenses option under the Action drop-down menu.
Fig. 3.14
The Welcome screen of the Licensing Wizard provides you with the Product Id of your Server. Note it down, as it would be required to put in this information at later stage of activation of the licenses. Click Next and you would find the Licensing Wizard Properties screen. In this screen, under the Connection Method tab, you would encounter four connection methods for activation of the licenses.
• Internet
• World Wide Web
• Telephone
• Fax
When the connection is made through the Internet option, the licensing server needs to be directly connected to the Internet. Through the World Wide Web option the licenses can be activated from any PC that is connected to the Internet. You can also activate the licenses by providing your company’s information to Microsoft’s License Activation cell via Fax or Telephone. For demonstration purposes, we have selected World Wide Web as the connection method (Fig 3.15).
Fig. 3.15
In this case, we don’t need to fill in the information required under other tabs (namely Licensing program, Company Information and company address). For other connection methods, you will have to furnish such details.
Fig. 3.16
Click OK and the Licensing Server wizard provides you with the ‘Terminal Services Licensing’ Web site address. The web site ‘https://activate.microsoft.com/’ is a secured site used for activation, reactivation and deactivation of TSCAL licenses (Fig 3.16). Go to this site and the following home page appears (Fig 3.17). In this screen you will find three options, namely:
• Activate a License Server
• Install Client Access License Tokens
• Reactivate a License Server
After a TSL Server is activated, it becomes the repository for TSCAL licenses. The ‘Install Client Access License Tokens’ option is selected when you need to activate your TSCAL Licenses; this is done once you have activated your Terminal License Server. The third option, ‘Reactivate a License Server’, is used to retain the records of your licenses. Licenses that were already issued remain valid. Any unissued licenses are also valid, but must be reissued through the Microsoft Clearinghouse. In our case, we have selected ‘Activate a License Server’, assuming we are activating the License server afresh.
Fig. 3.17
In the next screen (Fig 3.18), type in the Product ID generated earlier and also your company’s information. On clicking Next, a confirmation screen (Fig 3.19) appears for the information you have furnished in the above screen. Once you confirm the information, the License Server ID is generated as shown in the next screen. This License Server ID must be entered on the ‘Terminal Server License Server Activation Wizard’ at the time of registration of the TSCAL Licenses on your Terminal Server. This ID establishes the server’s identity for future license transactions (this server identity is used only to ensure that a license is installed on the machine that requested it). Using this ID, a license server can make subsequent transactions with Microsoft to receive ‘client license key packs’.
Fig. 3.18
Fig. 3.19
This screen also asks whether you would like to install the license tokens at the same time. If you click Yes, the next screen appears with the ‘Install Client Access License Tokens’ option already selected. However, you always have the option of installing the License tokens later on by going to the ‘https://activate.microsoft.com’ site and selecting the Install Client Access License Tokens option. As you can see in Fig 3.20, we have selected the Install Client Access License Tokens option to activate our TSCAL licenses.
PRACTICAL HANDBOOK OF THIN-CLIENT IMPLEMENTATION
Fig. 3.20
On the next screen (Fig 3.21), you are supposed to enter the Product ID, personal information and the purchase method. You may select the purchase method as ‘Select or Enterprise Agreement’, ‘Microsoft Open License’ or ‘Other’.
Fig. 3.21
• Select or Enterprise Agreement. If you purchase software using this method, use your enrollment agreement number to request and install licenses. The installation of licenses is not a purchase. You should report purchases of TSCALs to Microsoft as you would for any other software purchase.
• Open License. If you purchase software using this method, you must use the authorization number and license number received from Microsoft when you purchased your Terminal Services licenses.
• Other. This category includes licenses purchased at retail outlets or any other channel that provides a license code. License codes typically come as part of a Microsoft License Pack (MLP) purchased through retail channels. A license code is a 25-character alphanumeric code that looks similar to a product’s CD Key. The licensing wizard prompts the user to enter the license code to install licenses onto the TSL server. Customers who receive licenses through MSDN or other special Microsoft programs should consult their product or program packaging for the TSL information specific to them.
The next screen (Fig 3.22) asks for the Product Type, number of licenses, your license Authorization number and the License Agreement number.
Fig. 3.22
The next screen (Fig 3.23) is a confirmation screen that displays all the information submitted by you regarding the Licenses.
Fig. 3.23
Once you confirm the information, the ‘License Key Pack ID’ is generated (Fig 3.24), which must be entered in the Terminal Server License Server Activation Wizard during registration of the TSCAL licenses. This key pack contains multiple TSCAL tokens for distribution by the Terminal Server on behalf of the license server.
Fig. 3.24
As soon as you enter this License Key Pack ID in the Licensing wizard and click Next, that many TSCALs are registered on your Terminal Server (Fig 3.25).
Fig. 3.25
The following screen (Fig 3.26) shows that the Licenses have been registered on the License Server.
Fig. 3.26
BACKING UP A TERMINAL SERVER LICENSE SERVER
The process of activation, deactivation or reactivation of Terminal Server Licenses is very tedious and requires a lot of time and effort. Therefore, it is advisable to back up the TSL Server regularly using the Backup tool. This will help protect your licensing data from accidental loss if your system experiences a hardware or storage failure. While backing up, take a backup of both the System State data and the folder in which the Terminal Server License Server is installed (the default location for the license server database is systemroot\System32\LServer). This ensures that the data in both the registry and the Terminal Server License Server database is backed up.
To take the backup of your Terminal Server Licenses using the Windows 2000 Backup & Recovery Tools, go to Start-> Programs-> Accessories-> System Tools-> Backup (Fig 3.27). Click on the Backup tab (Fig 3.28). Select the System State folder as well as LServer by going to C:\WinNT\System32\LServer (in our case the system root is C:\WinNT). System State data includes the registry, the COM+ Class Registration database, files under Windows File Protection and the system boot files. Depending on the configuration of the server, other data may be included in the System State data. For example, if the server is a certificate server, the System State will also contain the Certificate Services database. If the server is a domain controller, Active Directory and the SYSVOL directory are also contained in the System State data.
Fig. 3.27
Fig. 3.28
The LServer directory is the default directory in which all the information regarding Terminal Server Licenses is stored. Under this tab, you may define the backup destination, which may be either a file or QIC. If you choose File as the backup destination, then you have the option to select the file in which you want to keep your backup. However, if you have chosen QIC as your backup destination, then you need to specify the name of the new media. Click on the Start Backup button and you get the following screen (Fig 3.29). This screen provides you with two options:
• If you have already taken a backup in a certain file, you may append the current backup to the same file, or
• You may replace the content of the file with the current backup.
Fig. 3.29
In case you are taking automatic backups, you may schedule the backup at a particular date or time as per your requirement under the Schedule tab. You may also specify the type of backup you need under the Advanced tab. Permissions can also be set in such a way that only you or the administrator may access the backup taken by you.
RESTORATION OF TSL SERVER
To restore unissued licenses correctly, restore the System State data and the database to the same TSL Server with the original OS. Otherwise, the restoration may not be correct and an event will appear in the system log of Event Viewer. However, the unissued licenses can be retrieved by contacting your Customer Support Center through phone or fax.
Note: In case the operating system crashes, the backup taken by the above method would not help restore your licenses. You will have to go through the process of reactivating the licenses. It is therefore recommended that you create an image backup of the system partition that holds the operating system as well as your applications and the Terminal Server Licenses. For this purpose you may use commercial imaging tools like Symantec Ghost Image or PowerQuest Drive Image.
HOW TO REACTIVATE TSCAL LICENSES WITHOUT HAVING A BACKUP?
Scenario 1: If the system is able to boot in safe mode and the activation codes are visible, then contact the Microsoft Clearinghouse via e-mail, telephone or fax. Using the activation codes of the licenses, get the deactivation code. Otherwise you cannot reactivate the TSCAL licenses. As soon as deactivation codes are issued against your Terminal Server licenses, your licenses are no longer considered active in the Microsoft Clearinghouse. Now, you can reinstall the operating system and reactivate the licenses to use the Terminal Services.
Scenario 2: If the server machine hosting your Terminal Server crashes and you are in no way able to get the activation codes of your licenses, then contact the Microsoft Clearinghouse. Provide the license Authorization number and the License Agreement number of the TSCAL licenses. They will deactivate the licenses and you are authorized to reactivate the licenses all over again. Activate the licenses to be able to use the Terminal Services.
4 Communication Protocols
We will start this chapter with a detailed discussion of the communication protocols, namely ICA and RDP. In the subsequent part of this chapter, we will show how to install the clients of these protocols on a desktop already running an operating system. Finally, we will explore the ways to configure the server portion of these protocols.
As of now we have understood that Thin-Clients cannot act as smart devices unless they are connected to the server running Terminal Services. In order to make the Thin-Clients talk with the server, we need certain communication protocols. There are mainly two such protocols which are widely used, namely ICA (Independent Computing Architecture) and RDP (Remote Desktop Protocol). We will discuss ICA first.
INDEPENDENT COMPUTING ARCHITECTURE (ICA)
Independent Computing Architecture (ICA) is a Windows presentation services protocol. It provides the foundation for turning any client device, thin or fat, into a desktop-accessing device. It is a protocol for an application server system, designed by Citrix Systems. The protocol lays down a specification for passing data between server and clients, but is not bound to any one platform. The ICA technology includes:
• a server software component,
• a network protocol component and
• a client software component.
Practical products conforming to ICA are Citrix’s WinFrame and MetaFrame products. These permit ordinary Windows applications to be run on a suitable Windows server and any supported client to gain access to those applications. The client platforms need not run Windows; they could have any operating system such as Mac or even Unix.
In the traditional client/server architecture, both the central server and the client accessing the server should be powerful machines. In this computing architecture (as defined by Sun, Oracle, Netscape, IBM and Apple), components are dynamically downloaded from the server onto the client device for execution by the client. But with the Citrix server-based computing approach, users are able to access business-critical applications without requiring them to be downloaded to the client. Such applications include the latest 32-bit Windows-based applications, Java™ applications etc. This approach provides considerable savings in total cost of ownership, as these applications are centrally managed and can be accessed by users without having to rewrite them.
ICA is the “thin” protocol that enables Citrix to separate screen updates and user input processing from the rest of the application’s logic. When using an ICA Client, all application logic executes on the server end and only the display updates, mouse movements and keystrokes are transmitted via the ICA session. It consumes less than 20 kilobits per second of network bandwidth. As a result, applications consume just a fraction of the network bandwidth usually required. This efficiency enables the latest, most powerful 32-bit applications to be accessed with exceptional performance from Thin-Clients. This allows Thin-Clients to operate consistently, even over dial-up and ISDN connections, without regard to the bulkiness of the executing application. This concept may work with just the equivalent of an Intel 386 processor and a minimum of 640 KB of RAM. We present a comparison of various network bandwidths in Fig 4.1.
Fig. 4.1. ICA Requires the Least Bandwidth to Operate
On the server, ICA has the unique ability to separate the application’s logic from the user interface and transport it to the client over standard network protocols such as IPX/SPX, NetBEUI, TCP/IP and PPP, and over popular network connections: dial-up telephone lines, ISDN, Frame Relay and ATM. Virtually any application that can run on a Citrix server can be executed over ICA. These include most Windows-based applications, Java and PHP based applications, as well as UNIX text and X applications. On the client, users look at and work with the application’s interface, but 100% of the application logic executes on the server. A key challenge of such an architecture is performance: a graphically intensive application (as most are when presented using a GUI) being served over a slow network connection requires considerable compression and optimisation to render the application usable by the client. The client may be on a different platform and may not have Windows GUI routines available locally; the server must then send the actual bitmap data over the connection. This may be achieved by ICA.
ICA CLIENTS
A Citrix ICA Client is the software component that executes on the client device. It allows the user to establish an ICA session with a Citrix server. This session enables the user to locally access the server-based applications that actually execute on the server. Native Citrix ICA Clients are available for the Windows, Macintosh and UNIX operating systems. It is also available for Windows Based Terminals (WBTs), Thin-Clients and a range of handheld devices. The Citrix Java ICA Client provides ICA functionality to an even wider range of devices. Citrix ICA Client software also allows Mac, Linux, Java and even non-32-bit legacy Windows platform users (to name just a few) to run the latest Windows or UNIX applications directly on the server, without having to upgrade or give up their client hardware.
All ICA Clients support the use of locally connected printers. In effect, the server side provides the print driver for formatting the print job. This allows users to make the best use of newer printers on a wide range of operating systems without waiting for the appropriate drivers. Most ICA clients also allow access to local drives (if available on the client) for storage and retrieval of data, after mapping on the server. ICA Clients can even be accessed via a Web browser. For this you must use Citrix NFuse technology, which integrates application sets along with customised Web content on a per-user basis. ICA Clients are offered at no cost.
INSTALLATION OF CITRIX DEVICE SERVICES (ICA SERVER SERVICES)
The server portion of the ICA protocol is called Citrix Device Services (CDS). We must first install this CDS on the server (running Terminal Services) to access the Terminal Services via Thin-Clients. If your Thin-Clients support ICA, you’ll have a CD from the manufacturer containing CDS and a Citrix Device License (CDL). The CDL contains an Original Equipment Manufacturer (OEM) ID. Whenever a Thin-Client connects to the server, CDS checks it against the installed CDLs, and if this check fails, the Thin-Client won’t connect to the CDS. For example, suppose in a Thin-Client setup you have thin boxes of two vendors, namely VXL and HCL. If you have installed the CDL only for the HCL-supplied Thin-Clients, then the VXL-supplied Thin-Clients won’t connect to the CDS, as it fails to recognize the CDL of the VXL device. Therefore it is mandatory to install the CDLs pertaining to all kinds of OEM devices on the CDS.
Citrix Device Services Installation
To install the CDS on Windows 2000 Server, insert the Citrix device CD that comes along with each Thin-Client. Then go to Control Panel-> Add/Remove Programs, click on CD or Floppy and browse to the path cd\CDS\WIN2KSERVER\i386\setup.exe (Fig 4.2) (or the relevant one).
Fig. 4.2
As soon as you click on the Next button, the CDS welcome screen appears as in Fig. 4.3.
Fig. 4.3
Click on Next and you come across the screen as in Fig 4.4.
Fig. 4.4
Click on Next and you find the next screen as in Fig 4.5.
Fig. 4.5
Click on Add Citrix Device Licenses and you find the screen in Fig 4.6, which demands the CDL, which is specific to the manufacturer of every terminal device.
Fig. 4.6
Once you have entered the CDL of a specific device, you get the following screen giving you the message (Fig 4.7) that you need to register the CDL within 36 days on the Citrix site.
Fig. 4.7
After this message, the server needs to be rebooted to make the changes effective. Once the server reboots, the screen in Fig 4.8 keeps popping up at various times till you have activated the CDL licenses on the Citrix site.
Fig. 4.8
Activating a Citrix Device License
To activate the CDL of a particular terminal device, first log on as an administrator on the server running Terminal Services. Go to Start-> Programs-> Citrix Device Services Tools-> Citrix Licensing. The Citrix Licensing window displays the different license numbers for each OEM of Thin-Clients. For example, if you have Thin-Clients from HP, VXL and HCL, the Citrix Licensing window will display three different license numbers in three rows. Select a license number to activate and then click License, Activate License. The Activate License dialog box appears (Fig 4.9).
Fig. 4.9
To get the activation code of the terminal device of a specific make, go to the site http://www.citrix.com/activate/. On the front page of the site, click on the link ‘Citrix Activation System (CAS) via MyCitrix.com’.
Fig. 4.10
You need to have a login name to proceed further. If you don’t have a login name, then first create one to access the activation menus. After submitting the requisite information, Citrix sends your login name and password by e-mail to your mailbox. This takes around half an hour to 2-3 hours, so be patient! After logging on you need to go to the Licensing menu. Select Activate or Allocate License under Citrix Activation Systems. You get the following screen (Fig 4.10). Click on Continue, and enter the manufacturer’s name along with the location and some other information. You will be provided with the Activation Code. Enter the Activation Code in the ‘Activate License’ box as in Fig 4.11. On clicking OK, your licenses will be activated successfully.
Fig. 4.11
REMOTE DESKTOP PROTOCOL (RDP)
The Remote Desktop Protocol (RDP) is a presentation protocol from Microsoft that allows Thin-Clients to talk with a machine running a Windows Server class operating system. The RDP technology is similar to ICA in that it also includes a server software component, a network protocol component and a client software component. RDP also works across any TCP/IP connection, such as a local area network (LAN), wide area network (WAN), dial-up, Integrated Services Digital Network (ISDN), digital subscriber line (DSL) or virtual private network (VPN) connection. RDP lays down a specification for passing data between server and clients, but is not bound to any one platform.
Remote Desktop Protocol is based on, and is an extension of, the T.120 family of protocol standards (http://www.packetizer.com/conf/t120/primer/). The multichannel capability of this protocol allows separate virtual channels to operate in real time without having to send the same data to each session individually. It carries presentation data, serial device communication, licensing information and highly encrypted data (such as keyboard and mouse activity). RDP provides 64,000 separate channels for data transmission. However, it is important to note that, though RDP is designed to support many different types of network topologies (such as ISDN and Plain Old Telephone Service, POTS) and many network protocols (such as IPX, NetBIOS and TCP/IP), the current version of RDP runs only over TCP/IP.
The activity involved in sending and receiving data through the RDP stack is essentially the same as in the seven-layer OSI model that is the standard for common LAN networking today. Application data or a service to be transmitted is passed down through the protocol stacks. It is sectioned and directed to a channel (through MCS). Key modifications to the data occur between the fourth and seventh OSI layers, where it is encrypted, wrapped, framed, prioritized and placed onto the network protocol.
Finally, the data packet is sent over the network media to the client. The received data undergoes the reverse processing: it is stripped of its address, unwrapped, decrypted, and so on until it is presented to the application for use. You might wonder why we have not talked about the server portion of RDP so far. That is because you need not install the RDP server portion: it is installed automatically whenever Terminal Services are installed on the server.
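As an added example (not from the book), the following Python parser reads the first message an RDP client sends over TCP, the X.224 Connection Request inside a TPKT frame, which is the transport framing of the T.120 family the text refers to. The field layout follows Microsoft's MS-RDPBCGR specification rather than anything printed here, and both sample requests are constructed, not captured. It lets an administrator tell a legacy client that can use nothing but Standard RDP Security (the mode whose 40-bit and 128-bit levels the server's General tab governs) from one that can negotiate TLS or CredSSP.

```python
"""Parse the first message of an RDP connection: an X.224 Connection Request
carried in a TPKT frame (ITU-T T.123/X.224, the transport layer of the T.120
family), with the optional mstshash cookie and RDP_NEG_REQ that follow it.
Field layout per MS-RDPBCGR (an assumption; the book describes the stack only
in general terms).  Samples below are constructed, not captured traffic."""
import struct
from dataclasses import dataclass
from typing import List, Optional

# requestedProtocols flags carried in RDP_NEG_REQ.  A request with no
# RDP_NEG_REQ (or the value 0) means Standard RDP Security, the legacy mode
# whose 40-bit/128-bit levels the General tab of Terminal Services
# Configuration controls.
PROTOCOL_RDP = 0x00000000
PROTOCOL_SSL = 0x00000001      # TLS
PROTOCOL_HYBRID = 0x00000002   # CredSSP, i.e. Network Level Authentication

COOKIE_PREFIX = b"Cookie: mstshash="
X224_CONNECTION_REQUEST = 0xE0
NEG_REQ_TYPE = 0x01


@dataclass
class ConnectionRequest:
    user_hint: Optional[str]            # mstshash cookie, if the client sent one
    requested_protocols: Optional[int]  # None when no RDP_NEG_REQ was present

    def legacy_only(self) -> bool:
        """True if the client can use nothing but Standard RDP Security."""
        return not self.requested_protocols

    def security_modes(self) -> List[str]:
        """Security mechanisms the client offered, in readable form."""
        if self.legacy_only():
            return ["Standard RDP Security"]
        modes = []
        if self.requested_protocols & PROTOCOL_SSL:
            modes.append("TLS")
        if self.requested_protocols & PROTOCOL_HYBRID:
            modes.append("CredSSP/NLA")
        return modes


def build_connection_request(user: Optional[str], protocols: Optional[int]) -> bytes:
    """Build a client Connection Request; used here only to construct samples."""
    body = b""
    if user is not None:
        body += COOKIE_PREFIX + user.encode("ascii") + b"\r\n"
    if protocols is not None:
        # RDP_NEG_REQ: type, flags, length (always 8), requestedProtocols; little-endian
        body += struct.pack("<BBHI", NEG_REQ_TYPE, 0, 8, protocols)
    # X.224 CR TPDU after the length indicator: code, DST-REF, SRC-REF, class 0
    tpdu = struct.pack("!BHHB", X224_CONNECTION_REQUEST, 0, 0, 0) + body
    tpkt = struct.pack("!BBH", 3, 0, 4 + 1 + len(tpdu))   # version 3, reserved, length
    return tpkt + bytes([len(tpdu)]) + tpdu


def parse_connection_request(data: bytes) -> ConnectionRequest:
    """Parse one TPKT-framed X.224 Connection Request; raise ValueError on malformed input."""
    if len(data) < 11:
        raise ValueError("too short for TPKT header plus X.224 Connection Request")
    version, _reserved, length = struct.unpack("!BBH", data[:4])
    if version != 3 or length != len(data):
        raise ValueError("bad TPKT header or truncated frame")
    li = data[4]
    if 5 + li != len(data) or data[5] != X224_CONNECTION_REQUEST:
        raise ValueError("not a well-formed X.224 Connection Request")
    body = data[11:]                      # after code, DST-REF, SRC-REF, class
    user = None
    if body.startswith(COOKIE_PREFIX):
        end = body.find(b"\r\n")
        if end < 0:
            raise ValueError("unterminated mstshash cookie")
        user = body[len(COOKIE_PREFIX):end].decode("ascii", "replace")
        body = body[end + 2:]
    elif b"\r\n" in body and not body.startswith(bytes([NEG_REQ_TYPE])):
        body = body[body.find(b"\r\n") + 2:]   # opaque routingToken; skip it
    protocols = None
    if len(body) >= 8 and body[0] == NEG_REQ_TYPE:
        _type, _flags, neg_len, protocols = struct.unpack("<BBHI", body[:8])
        if neg_len != 8:
            raise ValueError("bad RDP_NEG_REQ length")
    return ConnectionRequest(user, protocols)


# Constructed samples: a Windows 2000-era client sends only the cookie and so is
# limited to Standard RDP Security; a newer client also sends RDP_NEG_REQ.
LEGACY_REQUEST = build_connection_request("bob", None)
MODERN_REQUEST = build_connection_request("alice", PROTOCOL_SSL | PROTOCOL_HYBRID)

if __name__ == "__main__":
    for sample in (LEGACY_REQUEST, MODERN_REQUEST):
        req = parse_connection_request(sample)
        print(req.user_hint, "->", ", ".join(req.security_modes()))
```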
RDP CLIENTS
When initiating an RDP session from a Thin-Client or any other client, many of the local resources are available within the session.
• The client file system is accessible to the RDP session as if it were a network shared drive. No network connectivity software (other than Remote Desktop itself) is required for this file-system redirection feature. This is also applicable to RDP-enabled Windows desktops.
• Audio streams, such as .wav and .mp3 files, play through the client computer’s sound system. However, this feature was not available in the earlier versions of RDP, i.e. before RDP 5.0.
• The applications running within the session can have access to the serial and parallel ports on the client computer. This allows them to access and manipulate bar code readers, scanners and other peripheral devices. USB support has also been incorporated in RDP 5.0.
• The default local or network printer for the client computer becomes the default printing device for the RDP session.
• The Remote Desktop session and the client computer share a clipboard. This allows data to be interchanged between applications running on the remote computer and applications running on the client computer within an RDP session. This is again applicable to RDP-enabled Windows desktops.
CREATING RDP CLIENTS
On the server, log on as Administrator and go to Start-> Programs-> Administrative Tools-> Terminal Services Client Creator. The following screen appears. It asks for the Microsoft operating system (16-bit or 32-bit) for which the RDP client is to be created (Fig 4.12). For DOS 6.22 or Windows 3.11, you will need to select the Terminal Services for 16-bit Windows option. This requires four formatted 1.44 MB floppies. For Windows 9x machines and later, you need to select the Terminal Services for 32-bit x86 Windows option. This requires two formatted 1.44 MB floppies.
Fig. 4.12
An alternative method of installing an RDP client is to share the folder %systemroot%\system32\clients\tsclients\net (the %systemroot% value is generally C:\WINNT). There are three folders within the Net folder: win16 for 16-bit clients, win32 for Windows 9x/NT clients and win32a for NT-Alpha clients. Browse to the respective folder through Network Neighborhood and run setup.exe to install the RDP client.
There is third-party RDP client software for various Thin-Clients based on their own operating systems. One such is Tarantella, which conforms to RDP version 5.1 with full 24-bit color support.
Connecting to Terminal Server Through RDP Client
To connect to the Terminal Server through the RDP client, go to Start-> Programs-> Terminal Services Client-> Client Connection Manager and select New Connection. The screen as in Fig 4.13 asks for a connection name and the IP address or NetBIOS name of the Terminal Server.
Fig. 4.13
The user can log on to the server automatically if he has already filled in the user name, password and domain name and checked the ‘Logon Automatically with this information’ option (Fig 4.14).
Fig. 4.14
The user can also decide the screen size and resolution in the screen he gets on clicking the Next button of the previous screen (Fig 4.15).
Fig. 4.15
If the user is connecting via a modem or a slow network, then he badly needs data compression and his images to be cached on the system. Such users are advised to check both check boxes in the screen shown in Fig 4.16.
Fig. 4.16
If the user has defined the path of a particular program in the following screen (Fig 4.17) then only that program would be accessible to him after logon.
Fig. 4.17
To connect to the server, open the client connection manager and right click on the icon RDP client and click on Connect (Fig 4.18). You would be connected to the Terminal Server Operating System.
Fig. 4.18
ICA AND RDP CLIENT ON LINUX OPERATING SYSTEM
There may be a requirement to install an ICA and/or RDP client on machines running an operating system other than a Microsoft operating system. In this topic we will briefly discuss how to get, install and configure the clients on the Linux operating system.
ICA Client for Linux Operating System
The Citrix ICA client is available for various operating systems from the Citrix download page http://www.citrix.com/site/SS/downloads/downloads.asp?dID=2755. From this page you can go to the client download page.
There are two formats of client packaging: rpm and tar. The rpm package is for Red Hat based Linux distributions. The rpm package can also be downloaded from our favourite www.rpmfind.net. You may install it in one go by using the command:

    # rpm -ivh ICAClient-8.01.i386.rpm

We have tested it successfully on Fedora Core 3. For other Linux distros, we recommend the tarball format. Unpack the downloaded tar file and read the files Readme.txt and Install.txt to install it. Uninstall older versions before installing the new one. To start the installation of the tar.gz file, log in as root on your machine and execute the command steps below. It is advisable to choose the default option wherever available. On completion the binaries will be installed in /usr/lib/ICAClient/. We assume that your tar file is in /tmp/ica_client/.

    # cd /tmp/ica_client/
    # tar zxvf linuxx86.tar.gz
    # ./setupwfc

Follow the instructions on screen. To configure the Citrix ICA client, run the configuration manager /usr/lib/ICAClient/wfcmgr. You will get the screen as in Fig 4.19.
Fig. 4.19
• Click on Connections-> New and fill up the information according to your setup.
• Then go to Tools-> Settings and click on the combo selection box showing Preferences. Here choose the Windows option. Set the window size as desired, screen color as 256 bits and resolution as 800x600.
• Now you are ready to make a connection, either from the configuration manager window or by running the command /usr/lib/ICAClient/wfica from a terminal window.
RDP Client for Linux Operating System
The RDP client for Linux is rdesktop. The rdesktop package might have been shipped with the Linux distribution. First check the operating system CD or DVD for the rdesktop package. You can download the source code with compilation instructions from http://www.rdesktop.org/#download. You can download the latest compiled RPM package from rpmfind.net and install it in one go as:

    # rpm -ivh rdesktop-*.rpm

To connect to the Windows server, use the command below (the server address is a positional argument, and ‘-p -’ makes rdesktop prompt for the password instead of taking it on the command line, where other users could read it from the process list):

    rdesktop -u <win-user-name> -p - -g 800x600 <win-server-ip>

There might be some front-end GUI interface available on the installed distribution. For example, with Fedora Core 3 you can get it (Fig 4.20) from Applications-> Internet-> Remote Desktop Connection. Set its preferences in the preferences screen (Fig 4.21) as described for ICA. Now you can connect to your chosen Windows server on clicking the Connect button.
Fig. 4.20
Fig. 4.21
ICA/RDP SERVER SIDE CONFIGURATIONS
After the installation of the Citrix Device Services, you have to activate the Citrix Device Licenses. Further, you need to configure the ICA settings. These are global settings and are applicable to any client connecting to Terminal Services using ICA, irrespective of the user’s privileges. To configure general settings for all Terminal Services connections using ICA or RDP, go to Start-> Programs-> Administrative Tools-> Terminal Services Configuration. You will find two folders, namely Server Settings and Connections.
Server Settings Folder
The Server Settings folder contains options that control the type of access permitted to clients. There are also options for creating and deleting per-session temporary files and folders, e.g. all .tmp files. You can enable or disable Internet Connector licensing and provide the user with Active Desktop. Even the Permission Compatibility options can be configured through Server Settings (Fig 4.22).
Fig. 4.22
Connections Folder: Display protocols like ICA & RDP could be configured using this folder. Right click on the ICA or RDP connection. You’ll find options to Disable/Rename connections, Delete connections and also the Properties of ICA connections. By selecting Disable Connections you can deny access to Terminal Services to any Client. For detailed control of display protocols, choose Properties option. To configure ICA, select ICA-tcp & to configure RDP select RDP-tcp. The settings under the property tabs are similar for both ICA & RDP (Fig. 4.23). We explain all the tabs for ICA below. Configure RDP properties similarly.
Fig. 4.23
General Tab: This screen controls the degree of encryption. There are three levels of encryption: High, Medium and Low. ‘High’ uses 128-bit encryption, wherein both server and client communications are protected. ‘Medium’ uses a 40-bit algorithm for encryption. At the ‘Low’ protection level, communication from client to server is protected by the server key strength, but the reverse communication is left unprotected. However, ICA doesn’t let you alter the encryption level; it remains ‘None’ by default (Fig 4.24).
Fig. 4.24
Logon Settings: Here there are two options. Either you can allow the user to log on to the Terminal Server automatically, or you may check its authentication every time it attempts to connect to the server (Fig 4.25).
Fig. 4.25
Sessions: In this tab, you can decide upon the session limits and also the action to be taken once the session limit is reached. These settings would override the user’s individual settings if the Override user settings checkbox has been checked. We strongly recommend unchecking all the options here (Fig 4.26). We observed the KMODE_EXCEPTION_NOT_HANDLED problem in win32k.sys due to these settings.
Fig. 4.26
Environment: With the Environment settings, one could control the start up programs and user’s desktop wallpaper settings irrespective of user’s individual settings (Fig 4.27).
Fig. 4.27
Remote Control: If any other option except the Use remote control with default user settings has been selected, then the remote control option selected under the users’ properties will be overridden and these settings will prevail over all the clients connecting via ICA/RDP (Fig 4.28).
Fig. 4.28
Client Settings: Here you can select the client device ports which would be automatically mapped once the client has connected to the Terminal Server (Fig 4.29).
Fig. 4.29
Network Adapter: If you want to limit the number of clients connected to the server for load balancing purposes, this tab is essential (Fig 4.30).
Fig. 4.30
Permissions: Here you specify which user groups will have access to connect through this connection type and what privileges they will have to interact with other user sessions of the same connection type (Fig 4.31).
Fig. 4.31
COMPARATIVE STUDY OF ICA & RDP
The following table compares the basic features of ICA and RDP (Table 4.1).

Table 4.1 Comparison of ICA and RDP

Feature                                                  Citrix’s ICA   Microsoft’s RDP 5.0

Supported Clients
Windows 95, 98, NT, 2000                                 YES            YES
Windows for Workgroups 3.11                              YES            YES
Windows 3.1                                              YES            —
DOS                                                      YES            —
Windows CE                                               YES            YES
Macintosh                                                YES            —
UNIX (Solaris, DEC, HP/UX, IBM, SGI, SCO)                YES            YES
Linux                                                    YES            YES
Java                                                     YES            —
Browser                                                  YES            YES

Protocols
TCP/IP                                                   YES            YES
IPX/SPX                                                  YES
NetBEUI                                                  YES

Network Connections
LAN                                                      YES            YES
WAN                                                      YES            YES
Direct (async) serial connection                         YES            —
Direct dial-up (without using a service like RAS)        YES            —
RAS dial-up (ISDN, xDSL, VPN)                            YES            YES

Multi-Media
System beeps                                             YES            YES
Windows audio (WAV, MIDI, AVI)                           YES
Video                                                    YES
Multi-media bandwidth control                            YES

Local Device Support
Print to local printer attached to a PC client           YES            YES
Print to a local printer attached to a WBT               YES            YES
Local drives accessible from server-based apps           YES
Redirection of COM ports                                 YES

Other Capabilities
Cut and paste between client and server                  YES            YES
Connect directly to application or full desktop          YES            YES
Automatically put server apps on client desktop          YES
Cache bitmaps to disk for improved performance           YES            YES
Encrypt protocol                                         YES            YES
Publish application to a web browser                     YES

Management
Shadowing (remotely control other users’ desktop)        YES            YES
Automatically update client software                     YES
Pre-configure client with IP or other info               YES            YES
Note. The above table compares the features of the Citrix-released ICA protocol and Microsoft’s RDP protocol. You must not confuse the above protocols with the Open Source display protocols, which are released by independent developers. Display protocols released by the Open Source fraternity may or may not have the features that are present in the above-mentioned proprietary protocols.
5
Managing Users & System Resources
The main responsibility of a System Administrator is effective and secure management of system resources. This includes providing access to authorized users, setting up their privileges, and managing resources for optimum usage. Therefore, keeping in view the role of the System Administrator, this chapter deals with user creation, understanding groups, user profiles, policies and access controls.
LOCAL USERS AND GROUPS OVERVIEW
User accounts must be created, and the appropriate permissions and rights must be assigned to them to access the available resources. A resource may belong to the server to which the client is connected or to the client itself. In this way the system resources can be managed in a secure manner. A ‘right’ authorizes a user to perform certain actions on a computer, such as backing up files and folders or shutting down a computer. A ‘permission’ is a rule associated with an object (usually a file, folder, or printer), and it regulates which users can have access to the object and in what manner.
Default Local User Accounts
There are some default user accounts which are created automatically when you install a stand-alone server or member server running Windows Server 2000. Let us have a look at some of the default user accounts and their rights.
Administrator: The Administrator account has full control of the server and can assign user rights and access control permissions to other users if necessary. That is why it is highly recommended that this account have a very strong password, more than 8 characters long with numbers and special characters. The Administrator account is a member of the Administrators group on the server. The Administrator account can never be deleted or removed from the Administrators group, but it can be renamed or disabled. Since the Administrator account is known to exist on many versions of Windows, renaming or disabling this account will deter malicious users from attempting access to the server. As you can see in Fig 5.1, we have renamed it to Tsadmin for security reasons, as hackers could attempt to log on to the server with some of these well-known accounts.
Guest: The Guest account is used by people who do not have an actual account on the computer. A user whose account is disabled, but not deleted, can also use the Guest account. The Guest account does not require a password. The Guest account can be assigned rights and permissions just like any user account. By default, the Guest account is a member of the default Guests group, which allows a user to log on to a server. The Guest account is disabled by default, and it is recommended that it stays disabled.
IWAM_Servername: It is a built-in account used by Internet Information Services to start out-of-process applications.
IUSR_Servername: It is the anonymous login account, which comes into use when the server hosts IIS (Internet Information Server).
TsInternetUser: It is used when the server is being accessed via the Internet using the Internet Terminal Server Connect License.
Default Local Groups
Similar to the local users, there are some default groups that are automatically created when you install a stand-alone server or a member server running Windows Server 2000. If a user belongs to a default group, it is automatically assigned the rights and abilities to perform various tasks on the local computer. Local user accounts, domain user accounts, computer accounts, and group accounts can be added to local groups. However, local user accounts and local group accounts cannot be added to domain group accounts. Now let us look at some of the default group accounts and the default rights assigned to the users belonging to each group.
Administrators: Members of this group have full control of the server and can assign user rights and access control permissions to users as necessary. When this server is joined to a domain, the Domain Admins group is automatically added to this group. The users of this group can access the machine over the network, adjust memory quotas for a process, log on locally, log on through Terminal Services, back up files and directories, bypass traverse checking, change the system time, create a pagefile, debug programs, force shutdown from a remote system, increase scheduling priority, load and unload device drivers, manage the auditing and security log, modify firmware environment variables, perform volume maintenance tasks, profile system performance, remove the computer from a docking station, restore files and directories, shut down the system, and take ownership of files or other objects.
Guests: Members of this group have a temporary profile created at logon, and when the member logs off, the profile is deleted automatically. The Guest account (which is disabled by default) is a default member of this group. Even the Guest account should be renamed if it is in use, or else it should be disabled. If this account is enabled, anyone can log on to the server by just giving the username Guest without any password.
Backup Operators: Members of this group can back up and restore files on the server, regardless of any permission that protects those files. This is because the right to perform a backup overrides all file permissions. But they cannot change security settings. They can access this computer from the network, log on locally, back up files and directories, bypass traverse checking, restore files and directories, and shut down the system. The users of this group should be created with care, as they can take possession of any of the files on the computer.
Power Users: Members of this group can create user accounts and then modify and delete the accounts they have created. They can create local groups and then add or remove users from the local groups they have created. They can also add or remove users from the Power Users, Users, and Guests groups. Members can create shared resources and administer the shared resources they have created. They cannot take ownership of files, back up or restore directories, load or unload device drivers, or manage security and auditing logs. They can, however, change the system time, remove the computer from a docking station and, if needed, shut down the system.
Replicator: The Replicator group supports replication functions. Only members of the Replicator group can alter the properties of the Replicator service; they can also shut down and restart the service. In order to access the Replicator server, a user must have a domain user account.
Users: Members of this group can perform common tasks, such as running applications, accessing resources of a remote server over the network and locking the server. Users cannot share directories or create local printers. By default, the Domain Users, Authenticated Users, and Interactive groups are members of this group. Therefore, any user account created in the domain becomes a member of this group.
LOCAL USER ADMINISTRATION
We can add new users for accessing the server through the ‘Computer Management’ console (Fig 5.1). Open the console by issuing compmgmt.msc at the Run menu or by navigating from Start->Programs->Administrative Tools->Computer Management. It is a collection of administrative tools that one can use to manage a single local or remote computer. This compmgmt.msc tool can also be used for editing and adding users on a remote machine, provided administrative rights are granted. By default it runs in local mode.
Fig. 5.1
To create a new user account, just open the ‘Users’ folder under ‘Local Users and Groups’ and then choose New User from the Action menu. Fill in the User name, Password and Confirm password fields and click the Create button (Fig 5.2). The user will be created. Full name and Description are optional fields. There are four options regarding password and account accessibility.
• ‘User must change password at next logon’: If checked, the user is presented with a change password screen when he logs in for the first time.
• ‘User cannot change password’: If checked, the user is not given the right to change his/her password. By default, this can then only be done by the Administrators or Account Operators group.
• ‘Password never expires’: If checked, the password assigned by the administrator to the user never expires.
• ‘Account disabled’: If checked, the user is unable to log on to the server. The administrator generally uses this option when a user is on leave or has left the organization.
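The same operations can be scripted. The following PowerShell script is an added example, not the handbook’s own code: it creates a local user with the four password and account options described above, then reports on the points the chapter raises for the built-in accounts (Administrator renamed, Guest disabled) and on who is in the privileged local groups. It assumes the LocalAccounts module (Windows 10 / Windows Server 2016 and later) and an elevated prompt; the user name and the password prompt are constructed for illustration. On Windows 2000 itself the equivalent commands are net user and net localgroup.

```powershell
# Added example, not from the handbook. Requires the LocalAccounts module
# (Windows 10 / Windows Server 2016 and later) and an elevated prompt.

function New-ThinClientUser {
    param(
        [Parameter(Mandatory)] [string]       $Name,
        [Parameter(Mandatory)] [securestring] $Password,
        [string] $FullName,
        [string] $Description,
        [switch] $MustChangePasswordAtNextLogon,  # ‘User must change password at next logon’
        [switch] $UserCannotChangePassword,       # ‘User cannot change password’
        [switch] $PasswordNeverExpires,           # ‘Password never expires’
        [switch] $AccountDisabled                 # ‘Account disabled’
    )
    # The dialog greys out the other two options when this one is ticked; do the same here.
    if ($MustChangePasswordAtNextLogon -and ($UserCannotChangePassword -or $PasswordNeverExpires)) {
        throw 'A user who must change the password at next logon cannot also be barred from changing it'
    }
    $params = @{
        Name                     = $Name
        Password                 = $Password
        UserMayNotChangePassword = [bool]$UserCannotChangePassword
        PasswordNeverExpires     = [bool]$PasswordNeverExpires
        Disabled                 = [bool]$AccountDisabled
    }
    if ($FullName)    { $params.FullName    = $FullName }
    if ($Description) { $params.Description = $Description }
    $user = New-LocalUser @params
    if ($MustChangePasswordAtNextLogon) {
        # New-LocalUser has no switch for this flag; net.exe sets it directly.
        net user $Name /logonpasswordchg:yes | Out-Null
    }
    return $user
}

function Get-PrivilegedAccountReport {
    $users = Get-LocalUser
    # The built-in Administrator and Guest accounts keep their well-known RIDs
    # (500 and 501) even after being renamed, so find them by SID, not by name.
    $admin = $users | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $guest = $users | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
    $report = [ordered]@{
        BuiltinAdminName     = $admin.Name
        AdministratorRenamed = ($admin.Name -ne 'Administrator')
        GuestDisabled        = (-not $guest.Enabled)
    }
    # Membership of the groups the chapter singles out as powerful.
    foreach ($group in 'Administrators', 'Backup Operators', 'Power Users') {
        $members = Get-LocalGroupMember -Name $group -ErrorAction SilentlyContinue
        $report[$group] = @($members | ForEach-Object { $_.Name })
    }
    return [pscustomobject]$report
}

# Constructed usage: prompt for the password rather than hard-coding it in the script.
$pw = Read-Host -Prompt 'Initial password for Neeraj' -AsSecureString
New-ThinClientUser -Name 'Neeraj' -Password $pw -FullName 'Neeraj' -MustChangePasswordAtNextLogon | Out-Null
Get-PrivilegedAccountReport | Format-List
```

The report is deliberately keyed on SIDs: once the Administrator account has been renamed (to Tsadmin, as in Fig 5.1), a check by name would no longer find it.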
Fig. 5.2
Let’s see the detailed properties of this user. To look at it, just select the user, right click and select Properties in the Context menu. The following screen would appear (Fig 5.3).
Fig. 5.3
GENERAL TAB: Under this tab you find the basic information regarding the user, like name, description, and the password and accessibility options.
MEMBER OF TAB: This tab shows which groups the user belongs to. By default all users belong to the Users group, but you can make the user a member of any group by adding that group.
PROFILE TAB: The first frame of this tab is User profile (Fig 5.4). On computers with NT technology, a user profile is created for each individual when the user logs on to the computer for the first time. The user profiles thus created contain the desktop settings for each user’s work environment on that local computer. All such user profile settings are contained in an ntuser.dat file. We will discuss the various features of user profiles in Windows 2000 in detail later in this chapter under ‘Detailed view of user profiles’. For now, here is a brief description of the various settings contained in this tab.
Fig. 5.4
User’s Profile Path: Here you need to specify the location of the folder which contains the ntuser.dat file. This may be present locally (as a local profile) or on a remote server (as a roaming profile). The default local profile of a user is at %systemroot%\Documents and Settings\%Username%. For creating a roaming profile this could be \\server-name\folder-name\%username%, where ‘server-name’ is the name that you give to your server and ‘folder-name’ is the name that you give to a shared folder. This folder in turn contains subfolders for the different user names, which are generated automatically from the above syntax.
Note: For creating a mandatory profile for a particular user, just find its ntuser.dat file and rename it to ntuser.man. For example, say you have two users, Shekhar and Neeraj. Shekhar has a local profile, whereas Neeraj has a roaming profile. Now, to convert the local profile of Shekhar into a mandatory profile, browse to %systemroot%\Documents & settings\Shekhar, find the ntuser.dat file and rename it to ntuser.man. Shekhar’s local profile has been converted into a mandatory local profile. Now assume that the roaming profile of Neeraj is stored on a remote server named Rserver in the shared folder named Rprofiles. To convert the roaming profile of Neeraj into a mandatory profile, all you need to do is browse to the path \\Rserver\Rprofiles\Neeraj, find the ntuser.dat file and rename it to ntuser.man. Voila, the roaming profile has been converted into a mandatory roaming profile!
Logon Scripts: In Windows one can write shell scripts or batch files for running automated backups, Windows updates or a particular application at user logon, for enforcing restrictions on users, and so on. This field specifies where such scripts are to be found. These scripts are executed whenever the user logs on to the system. If nothing is specified, the Operating System proceeds without checking for any scripts.
Home Folder: This is the second section of the Profile tab. In the Local path field, the administrator can assign the path of a particular folder as the user’s default folder for the ‘Open’ and ‘Save As’ dialog boxes, for command prompt sessions, and for programs. This can be a local folder or a folder located on a shared resource. It can be assigned to a single user or to many users. The My Documents folder is an alternative to home folders, but it does not replace them. When a user tries to save or open a file, most programs determine whether to use the home folder or My Documents in one of two ways:
• Some programs first look in the home folder for files that match the type of file that is to be opened or saved (for example, *.doc or *.txt). If a file with that extension is found, the program opens the home folder and ignores My Documents. If a file of that type is not found, the program opens My Documents.
• In other programs, the home folder is ignored regardless of whether it contains any files.
We suggest moving the target of My Documents to the home folder of the user. In both the cases mentioned above, the user’s data will then be saved in the same path. Make it a practice to assign home folders in a storage area other than the Operating System area. This helps in two ways: first, the system area will not be filled up by users’ data, and second, all users’ data will fall in a common storage area, which helps you to archive it quickly and easily.
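Both pieces of advice above lend themselves to a script. The following PowerShell is an added example, not the handbook’s own code: ConvertTo-MandatoryProfile performs the ntuser.dat to ntuser.man rename for a local or a roaming profile path and refuses to half-convert a profile whose hive is still loaded, and New-UserHomeFolder creates a home folder on a data drive with NTFS permissions limited to the user and Administrators. The profile paths \\Rserver\Rprofiles\Neeraj and Shekhar’s local profile are the handbook’s own illustrative values; the data root D:\Home is an assumption of this example.

```powershell
# Added example, not from the handbook. Run from an elevated prompt.

function ConvertTo-MandatoryProfile {
    # $ProfilePath: e.g. C:\Documents and Settings\Shekhar (local) or \\Rserver\Rprofiles\Neeraj (roaming)
    param([Parameter(Mandatory)] [string] $ProfilePath)
    $dat = Join-Path $ProfilePath 'ntuser.dat'
    $man = Join-Path $ProfilePath 'ntuser.man'
    if (Test-Path $man) {
        Write-Warning "$ProfilePath is already a mandatory profile"
        return $false
    }
    if (-not (Test-Path $dat)) { throw "No ntuser.dat found under $ProfilePath" }
    try {
        # Rename-Item fails with a sharing violation while the hive is loaded
        # (the user is still logged on). Surface that instead of leaving the
        # profile in an undefined state.
        Rename-Item -Path $dat -NewName 'ntuser.man' -ErrorAction Stop
    } catch {
        throw "Could not rename $dat (is the user still logged on?): $($_.Exception.Message)"
    }
    return $true
}

function New-UserHomeFolder {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [string] $Root = 'D:\Home'   # assumption: a data volume, not the Operating System volume
    )
    $path = Join-Path $Root $UserName
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    # Drop inherited permissions, then grant only the user (modify) and
    # Administrators (full control). (OI)(CI) = applies to files and subfolders.
    icacls $path /inheritance:r | Out-Null
    icacls $path /grant "${UserName}:(OI)(CI)M" 'Administrators:(OI)(CI)F' | Out-Null
    return $path
}

# Constructed usage following the chapter's example users.
ConvertTo-MandatoryProfile -ProfilePath "$env:SystemDrive\Documents and Settings\Shekhar"
ConvertTo-MandatoryProfile -ProfilePath '\\Rserver\Rprofiles\Neeraj'
$folder = New-UserHomeFolder -UserName 'Neeraj'
# Point the local account at it (the 'Local path' field of the Profile tab).
net user Neeraj /homedir:$folder | Out-Null
```

Running the rename against a profile that is in use is the usual failure: the hive is held open by the logged-on session, so the conversion must be done while the user is logged off, and the function reports that rather than silently skipping.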
Environment
Under the Environment tab the administrator may define which program is executed automatically when the user logs in (Fig 5.5). For example, if ‘Start the following program at logon’ is checked, command.com is written in the ‘Program file name’ field and, say, e:\ in the ‘Start in’ field, then whenever the user logs on only the command window opens, with e:\ as its working directory. He is authorized to work in the command window only, and no other applications are accessible to him. Once he closes this window, he is simply logged out. The ‘Client devices’ section is applicable only if the user logs in from a PC. Checking all three options enables the client drives and printers (including the default printer) for the user.
Fig. 5.5
Sessions
The Sessions tab of the Terminal Services Extension provides settings for limiting the time length of sessions based on their current state (active, idle, or disconnected). You can also specify what action is to be taken when a session has reached a time limit (Fig 5.6). The options available are:
End a Disconnected Session: This specifies the maximum duration for which a disconnected session is retained. The session is reset and can no longer be reconnected after the time limit has expired.
Active Session Limit: This specifies the maximum connection duration. When the time limit is reached, the session is either disconnected, leaving it active on the server, or reset.
Idle Session Limit: This specifies the maximum idle time (time without connection activity) allowed before the session is disconnected or reset. The session is disconnected or reset when the interval elapses without any activity at the connection.
Note: If ‘Never’ is selected, the timer is disabled.
When the connection to the server is broken for any reason, including a request, a connection error, or an idle or active limit being reached, the client session is either placed into the disconnected state or it is ended. A session that is ended can no longer be activated by a user and is closed. A disconnected session is left active on the server and is available for reconnection. By default, a terminal server allows the user to reconnect to a disconnected session from any computer. However, to allow only the original client computer to reconnect to the session, it can be specified that a user can only reconnect to a disconnected session from the computer where the session originated. This option is supported only for Citrix ICA clients that provide a serial number when connecting.
Fig. 5.6
Remote Control
This tab allows the administrator to either observe or actively control a client session (Fig 5.7). If remote control is enabled, the administrator can view or interact with the client session. If the ‘Require user’s permission’ checkbox is enabled, then whenever the administrator tries to view or interact with the client’s session, the client is presented with a dialogue box asking permission to port his desktop to the administrator. The administrator may choose the level of control over the client’s session by enabling either of the two options, i.e. ‘View the user’s session’ or ‘Interact with the session’. With the first option enabled the administrator may only view the user’s activities, whereas with the other option enabled he may take control of the whole user session.
Fig. 5.7
Note:
• Only the members of the local Administrators group can perform remote control.
• The administrator cannot take remote control from the server that is running Terminal Services, as he is not connected to the server using Terminal Services. To take remote control he needs another client machine, which is connected to the server using Terminal Services.
• The computer from which remote control is administered must be capable of supporting the video resolution used at the remotely controlled client session. Otherwise, the operation fails.
• By default, to end remote control, press CTRL+ASTERISK (*). Any other hot key may be defined to perform this function as well. Before porting the user session, the administrator is asked for the hot key sequence to end the session.
Terminal Services Profile
This tab lets the administrator assign each user a profile specifically created for terminal server sessions (Fig 5.8). Administrators can then create user profiles tailored to the Terminal Services environment. The Terminal Services profile can be used to restrict access to applications by removing them from the user’s Start menu. Administrators can also create and store network connections to printers and other resources for use during user sessions.
Fig. 5.8
Terminal Services Home Folder
Administrators can specify a path to a home folder to be used for terminal server sessions. This can be either a local folder or a network share.
Allow Logon to Terminal Server
Administrators can grant access to a specific terminal server on a per-user basis. If this option is left disabled, the user is not allowed to log on to any terminal server.
Dial-In
This tab is useful when the user accesses his terminal session via a dial-up modem using RAS (Remote Access Service) on the server (Fig 5.9). He may be allowed or denied access to the server depending on the tab setting. Users may also be controlled by setting up a control policy for remote access. The user’s identity may be verified by checking the ‘Verify Caller-ID’ option. Callback options are security options that are used for caller authentication:
No callback: The server does not dial back the caller who made the request.
Set by caller: The server calls back the client that made the request for the remote session; the server stores the client’s dial-up number and calls it back.
Always callback: This enables the administrator to grant access to the server only to a selected dial-up number. The server always calls back on this number whenever a request for remote access is made.
Fig. 5.9
The administrator may assign static IP address to the dial-up user if required. A predefined static Route may also be defined for users who wish to log on remotely to the server via dial-up connection.
DETAILED VIEW OF USER PROFILES
On computers running the Windows Server 2000 Operating System, a user profile is created for each individual when the user logs on to the computer for the first time. Such user profiles in turn create and maintain (automatically) the desktop settings for each user’s work environment on that local computer. User profiles provide several advantages:
• When an individual workstation is shared among many users, each user may have his/her own customized desktop, which remains unaffected even when he logs off and another user logs in. In other words, say there are two users who want their own desktop settings, i.e. icons, wallpapers, screen savers, shortcuts etc., and are unwilling to share their desktop with other users. This is where the real advantage of user profiles comes into the picture, as these desktop settings are stored in different locations for different users.
• If these desktop settings are stored on a network server, the user may log on to any PC, irrespective of the workplace, and still get the same desktop settings. The modifications made by him during his session are replicated to this network server. This concept is called a Roaming Profile.
User profiles provide the following options to the Administrator:
• He can set up a mandatory user profile, in which users can modify the desktop settings of the computer while they are logged on, but none of these changes is saved when they log off. The mandatory profile settings are downloaded to the local computer each time the user logs on.
• The administrator can specify the Start menu options that are displayed for the user. He can set no Control Panel, no Run menu, no Find menu etc. by modifying the default user profile. Users may change their desktop settings, but they cannot modify the Start menu options provided to them by the administrator.
Types of User Profiles
There are basically four types of user profiles:
• Local User Profile: A local user profile is created the first time a user logs on to a computer and is stored on the computer’s local hard disk. These profiles are machine specific.
• Roaming User Profile: These profiles enable users to log on to computers in a domain while preserving their user profile settings on the server. User profiles are stored at an administrator-specified server location. When a user logs on and has been authenticated by the server, the user profile (including user settings and documents) is copied to the local computer. Changes made are updated to the user profile stored on the server. This updated profile is made available the next time the user logs on to any of the machines on the network.
• Mandatory User Profile: A mandatory user profile is a profile that can be used to specify particular settings for individuals or an entire group of users. In the case of mandatory user profiles, changes made by the users are not replicated to the server. Only system administrators can make changes to mandatory user profiles.
• Temporary User Profile: If the server is not available, the locally cached copy of the roaming user profile is used. If the user has not logged on to the computer before, a new local user profile is created. In either case, if the centrally stored user profile is not available when the user logs on, it is not updated when the user logs off. This profile is called a temporary profile.
Contents of a User Profile
A user profile folder contains various items, including the Desktop and Start menu. As explained in the earlier sections, the Default User’s profile settings are in the NTuser.dat file. Whenever a new user is created, this profile is inherited from the Default User’s folder. The file (NTuser.dat) for the default user is located at “system drive”:\Documents & settings\Default user\. This Default User folder is hidden by nature. In addition to this, a newly created user gets the ‘common program groups’ from the ‘All Users’ folder. Common program groups are always available on a computer, no matter who is logged on. Common program groups are stored in “system drive”:\Documents & settings\All users\.
The screen shot in Fig 5.10 shows the list of contents of user named “Shekhar”.
Fig. 5.10
• Application Data: Program-specific data (for example, a custom dictionary for a word processor).
• Cookies: User information and preferences.
• Desktop: Desktop items, including files, shortcuts, and folders.
• Favorites: Shortcuts to favorite locations on the Internet.
• Local Settings: Application data, history, and temporary files. Application data roams with the user by way of roaming user profiles.
• My Documents: User documents and subfolders.
• My Recent Documents: Shortcuts to the most recently used documents and accessed folders.
• NetHood: Shortcuts to My Network Places items.
• PrintHood: Shortcuts to printer folder items.
• SendTo: Shortcuts to document-handling utilities.
• Start Menu: Shortcuts to program items.
• Templates: User template items.
• NTuser.dat: The ‘NTuser.dat’ file is the registry portion of the user profile. When a user logs off the computer, the system unloads the user-specific section of the registry (that is, HKEY_CURRENT_USER) into NTuser.dat and updates it.
The following are some of the settings that a user profile generally contains:
• Windows Explorer: All user-definable settings for Windows Explorer.
• My Documents: User-stored documents.
• My Pictures: User-stored picture items.
• Favorites: Shortcuts to favorite locations on the Internet.
• Mapped network drive: Any user-created mapped network drives.
• My Network Places: Links to other computers on the network.
• Desktop contents: Items stored on the Desktop and shortcuts.
• Screen colors and fonts: All user-definable computer screen colors and display text settings.
• Application data and registry hive: Application data and user-defined configuration settings.
• Printer settings: Network printer connections.
• Control Panel: All user-defined settings made in Control Panel.
• Accessories: All user-specific program settings affecting the user’s Windows environment, including Calculator, Clock, Notepad, and Paint.
Creation of Customized Default User Profile Using Registry Editor
Now let’s see how we can create a customized profile for our default users using Registry Editor. Here a question arises: why Default? The answer is that once you have defined the profile for default users, every new user created will automatically inherit these settings from the Default User’s profile. It saves a lot of time and effort in creating customized profiles, especially if you have to create a large number of users with similar profiles. In other words, this customized default user profile will be used as the template for all users created in future. (It is therefore advisable that you create all the administratively privileged users before customizing the Default User profile.)
To access Registry Editor, go to Start -> Run, type ‘regedt32’ and click OK. The screen shown in Fig. 5.11 appears. Select HKEY_USERS, click on the Registry drop-down menu and choose Load Hive, as shown in Fig. 5.11.
Fig. 5.11
Let us first try and understand the concepts of HKEY_USERS and Hive.
• HKEY_USERS: This root key in the registry tree structure contains information about actively loaded user profiles and the default profile. This includes the information that appears in HKEY_CURRENT_USER.
• Hive: It is a section of the registry that appears as a file on your hard disk. The registry subtree is divided into hives (named for their resemblance to the cellular structure of a honey beehive). A hive is a discrete body of keys, subkeys, and values that is rooted at the top of the registry hierarchy. A hive is backed by a single file and a .log file, which are in the ‘%systemroot%\System32\Config’ and ‘%systemroot%\Documents & settings\username’ folders respectively. By default, most hive files of the Operating System (e.g. Default, Security Account Manager (SAM), Security and System) are stored in the ‘%systemroot%\System32\Config’ folder. The ‘%systemroot%\Documents & settings’ folder contains the user profile for each user of the computer. Because a hive is a file, it can be moved from one system to another. It can be edited using the Registry Editor tools.
Let’s return to the discussion of ‘Load Hive’. The above step opens a browsing window for selection of the NTuser.dat file (Fig 5.12) (C:\Documents & settings\Default users\NTUser.dat).
Fig. 5.12
Once you select the NTuser.dat file, you are asked to assign a temporary key name to the hive (FigMM). Let us name it test and press OK. After assigning the name test, the screen appears as in Fig. 5.13.
Fig. 5.13
The test hive will have a number of subfolders and keys; these are cryptic form of your desktop settings (Fig 5.14).
Fig. 5.14
Let us change some of the parameters. To do so, click on the Software subfolder of test and navigate to ‘Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders’. Here you can see all the settings for the test hive, which are stored in different folders as displayed in the following screen (Fig 5.15). The common programs that are displayed on the desktop in the ‘Start->Programs’ menu are taken from the Programs entry (highlighted in Fig 5.15) of ‘Shell Folders’.
Fig. 5.15
LET’S LEARN TO MANAGE USERS’ DEFAULT DESKTOP
In this section, we’ll see how to create a customized Programs menu for the default user by registry tweaking. Let’s assume that the present Programs menu for any user is as shown in Fig 5.16.
Fig. 5.16
In order to customize the Start->Programs menu, you must edit the value in the String Editor (Fig. 5.17). The String Editor opens when you double-click the Programs row highlighted in Shell Folders (Fig 5.15).
Fig. 5.17
Now create a folder named “C:\test_menu” and place under it shortcuts of only those applications which you wish to appear in the Programs menu (Fig 5.18). (Note: The customized folder must be created on the system drive only, i.e. the drive on which the Operating System has been installed. Customization does not take place if the folder is created on any other drive.)
Fig. 5.18
Now change the path in the String Editor from ‘%USERPROFILE%\Start Menu\Programs’ (Fig 5.17) to C:\test_menu, as shown in the screen in Fig 5.19. Click OK.
Fig. 5.19
The entries in the ‘Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders’ for the Test hive will look like as in Fig 5.20.
Fig. 5.20
In order to enforce some restrictions on the user’s Desktop (e.g. non-availability of common groups, the Run menu, Autorun of CD media, Start menu subfolders and the pop-up menu when right-clicking on the Taskbar), you need to put the entries in the form of DWORD values in ‘Software\Microsoft\Windows\CurrentVersion\Policies\Explorer’. A DWORD can be created by going to ‘Edit->Add Value->Value name’ (Fig 5.21). DWORD values are data represented by a number that is 4 bytes long. Many parameters for device drivers and services are of this type, and they are displayed in Registry Editor in binary, hexadecimal, or decimal format.
Fig. 5.21
Now, to save the customized settings into the Default user’s profile, select the Test hive, go to the Registry menu and click Unload Hive (Fig 5.22).
Fig. 5.22
After the customization, any newly created user will get a Start menu (Fig. 5.23) that has only those applications whose shortcuts were placed in the C:\test_menu folder. Further, he will not have access to the common groups, the Run menu, Autorun of CD media, the Start menu subfolders or the pop-up menu that we get by right-clicking the taskbar.
Fig. 5.23
Customization can also be done on the Internet Explorer settings for the Default user profile, by editing the registry entries under “test hive\Software\Microsoft\Internet Explorer\Main”.
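The whole Default User customization above (load the hive, redirect the Programs shell folder, add the Explorer policy DWORDs, unload) can be done as a script so that it is repeatable and reviewable. The following is an added example, not the handbook’s own code. It assumes the hive is loaded under the name ‘test’ as in the text, that the Default User profile lives at the Windows 2000/XP path shown (on Vista and later it is C:\Users\Default\NTUSER.DAT), that the value names NoCommonGroups, NoRun, NoStartMenuSubFolders, NoTrayContextMenu and NoDriveTypeAutoRun are the standard Explorer policy values for the restrictions the text lists, and that it is run from an elevated PowerShell on a system where icacls is available.

```powershell
# Added example (not the handbook's code): the Default User hive customization
# from this section done as a script. Assumptions: hive name 'test' as in the
# text; Default User profile at the Windows 2000 / XP path below; the Explorer
# policy value names are the standard ones; run as Administrator.
$Hive    = 'HKU\test'
$Ntuser  = 'C:\Documents and Settings\Default User\NTUSER.DAT'
$MenuDir = 'C:\test_menu'

# Folder the Programs menu will be built from: admins write, users only read,
# so no user can plant a shortcut that every future user will see.
New-Item -ItemType Directory -Path $MenuDir -Force | Out-Null
icacls $MenuDir /inheritance:r /grant 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' 'Users:(OI)(CI)RX' | Out-Null

reg load $Hive $Ntuser | Out-Null
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
try {
    # Fig 5.19: redirect the Programs shell folder (REG_EXPAND_SZ) to the custom folder.
    $shell = 'HKU:\test\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    Set-ItemProperty -Path $shell -Name 'Programs' -Value $MenuDir -Type ExpandString

    # Fig 5.21: desktop restrictions as DWORD policy values (1 = restriction on).
    $pol = 'HKU:\test\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    New-Item -Path $pol -Force | Out-Null
    $restrictions = @{
        NoCommonGroups        = 1      # hide the common (All Users) program groups
        NoRun                 = 1      # remove Run from the Start menu
        NoStartMenuSubFolders = 1      # hide Start menu subfolders
        NoTrayContextMenu     = 1      # no pop-up menu on right-clicking the taskbar
        NoDriveTypeAutoRun    = 0xFF   # bitmask of drive types; 0xFF = no Autorun at all (0x20 = CD-ROM only)
    }
    foreach ($name in $restrictions.Keys) {
        New-ItemProperty -Path $pol -Name $name -Value $restrictions[$name] -PropertyType DWord -Force | Out-Null
    }
    Get-ItemProperty -Path $pol | Format-List No*   # verify what was written
}
finally {
    # Fig 5.22: unload the hive. Every handle must be closed first or the unload
    # fails with "access denied"; dropping the drive and collecting does that.
    Remove-PSDrive -Name HKU
    [gc]::Collect()
    reg unload $Hive | Out-Null
}
```

The try/finally matters: if the hive is left loaded, later profile creation silently uses the old settings and a second run of the script fails at reg load. The restrictions are per-user policy values in the profile, so a user who can edit his own registry can remove them; they are a convenience for the default desktop, not a security boundary, and the machine-wide Group Policy equivalents should be used where enforcement is required.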
POINTS TO PONDER BEFORE CREATING PROFILE
• Since roaming profiles are stored on the server and may be accessed from different types of machines with different hardware, care should be taken that these profiles are compatible with different hardware such as VGA cards and monitors. For example, the window layout in a user profile created on a computer with a Super VGA monitor might not look correct when loaded on a computer with a standard VGA monitor.
• When a mandatory user profile is created for several users, create a single profile for the whole group only if they all use computers with the same type of video hardware.
• The Encrypting File System (EFS) is not compatible with roaming user profiles. If profile folders or files in the user profile are encrypted using EFS, the user’s profile will not roam.
• Since a user’s roaming profile can contain personal information such as confidential documents and EFS certificates, care should be taken to protect access to the shared directory. Restrict access to only those users who need it. You can also create a security group for the users that have profiles on a particular shared directory and limit access to that group.
  o Give users the minimum permissions they need.
  o When creating the shared directory, hide it by placing a $ at the end of the share name. This hides the share from casual browsers, and it will not be visible in My Network Places. Hiding a share is not access control, however: anyone who knows the name can still connect to it, so the share and NTFS permissions must still be set correctly.
• Since a user’s roaming profile may contain personal information, which moves between the client computer and the server hosting the profile, it is important to ensure that the data is protected as it travels over the network. Features such as Kerberos, IPSec and Server Message Block (SMB) signing should be used to secure the user’s data.
• It is recommended that servers hosting roaming profiles be configured to use the NTFS file system. Unlike FAT, NTFS supports discretionary access control lists (DACLs) and system access control lists (SACLs), which make both the server and the users’ data more secure.
Note: Though we have tried to cover almost all the necessary points pertaining to profiles, there are still many more features left untouched. You are expected to explore those on your own.
DISK QUOTA
Disk quotas help the administrator track and control users’ disk space usage on NTFS volumes. Only a user with administrative privileges can enable quotas on local volumes, network volumes and removable drives, and only if they are formatted with the NTFS file system. In addition, network volumes must be shared from the volume’s root directory, and removable drives must be shared. When you enable disk quotas for a volume, volume usage is automatically tracked for all users from that point on.
Enabling Disk Quota
To enable disk quota on a particular drive, select the drive, right-click and choose Properties (Fig. 5.24). Under the Quota tab, check ‘Enable quota management’. Once quota management has been enabled, you may set the disk usage limit and the warning level. However, to enforce these limits you must also check “Deny disk space to users exceeding quota limit”; without it, usage is only tracked, not enforced. You may also log an event when a user exceeds his quota limit or crosses the warning level.
Fig. 5.24
To enforce quota management on a particular user, first create an entry for that user by clicking Quota Entries; you will get the screen shown in Fig. 5.25. Under the Quota menu, select New Quota Entry. You will be presented with a browser window containing a list of all the users of the server. Select the user for whom you want to set the quota limits. For example, we have added a user named ‘Test’. Now double-click the entry for the Test user and you will get the “Add New Quota Entry” screen (Fig. 5.26).
Fig. 5.25
Fig. 5.26
In this screen you can set two values: the disk quota limit and the disk quota warning level. For example, the administrator has set the Test user’s disk quota limit to 2 GB and the warning level to 1.5 GB. In this case the user can store no more than 2 GB of files on the volume and will get a warning message when he crosses the warning level, i.e. 1.5 GB.
Deleting Disk Quota Entries
As disk quotas are tracked by the owner of the files, deleting the quota entry for a particular user is done in two steps.
1. Volume files owned by that user should either be deleted or moved off the volume, or another user should take ownership of them.
2. Now the entry for that user may be deleted from the Quota Entries window of that volume.
Note: The fsutil command-line utility can also be used to manage disks and volumes. ‘fsutil quota’ is used to create and modify disk quotas for a specific user, query the disk quotas on a specific volume, search the system log for quota violations, or perform these tasks from scripts.
POINTS TO PONDER IN SETTING UP QUOTA
• Because disk quotas monitor volume use per user, each user’s utilization of disk space does not affect the quotas of other users of the same volume. For example, if Volume D has a quota limit of 100 megabytes (MB) and a user saves 100 MB worth of files to it, that user cannot write additional data to the volume without first deleting or moving some existing files. However, every other user can continue to save up to 100 MB of files on that volume as long as there is sufficient free space.
• Disk quotas apply only to volumes and are independent of the folder structure of the volume and of its layout on physical disks.
• File compression cannot be used to get around a quota limit, because compressed files are charged at their uncompressed size. For example, if you have a 500 MB file that is 400 MB after it is compressed, Windows counts the file’s original 500 MB size toward the quota limit.
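The Quota tab procedure above (enable, enforce, add a per-user entry with a 1.5 GB warning level and a 2 GB limit, and find a user’s files before deleting his entry) maps directly onto the fsutil commands the note mentions. The following is an added example, not the handbook’s code; it assumes an NTFS volume D:, a local account named Test and an elevated PowerShell session.

```powershell
# Added example (not from the handbook): the quota procedure above done with
# fsutil instead of the Quota tab. Assumptions: volume D: is NTFS, the account
# is the local user Test, and this runs in an elevated PowerShell.
$Volume  = 'D:'
$User    = "$env:COMPUTERNAME\Test"
$Limit   = 2GB      # hard limit: 2 GB (PowerShell's GB suffix = 2^30 bytes)
$Warning = 1.5GB    # warning level: 1.5 GB; fsutil takes both values in bytes

# 'track' only records usage; 'enforce' is the equivalent of ticking
# "Deny disk space to users exceeding quota limit". Without enforce the
# limit is advisory and the user can keep writing.
fsutil quota track   $Volume | Out-Null
fsutil quota enforce $Volume | Out-Null

# Per-user entry: fsutil quota modify <volume> <threshold> <limit> <user>
# The threshold (warning level) comes first and the hard limit second.
# Charged size is the uncompressed size, so NTFS compression does not help.
fsutil quota modify $Volume ([long]$Warning) ([long]$Limit) $User

# Show the entries for the volume and any violations logged in the System log.
fsutil quota query $Volume
fsutil quota violations

# Before a user's quota entry can be deleted, the files he owns on the volume
# must be deleted, moved off the volume or re-owned. This lists them.
Get-ChildItem -Path "$Volume\" -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { (Get-Acl -Path $_.FullName).Owner -eq $User } |
    Select-Object FullName, Length
```

The listing step is the check worth keeping: a quota entry cannot be removed while the user still owns data on the volume, and taking ownership of those files as Administrator (as described under Ownership of Objects below) moves their size onto the Administrator’s quota.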
ACCESS CONTROL
Access control is the process of authorizing users, groups and computers to access objects on the network. The key concepts that make up access control are permissions, sharing, user rights and object auditing.
1. Permissions
Permissions define the type of access granted to a user or group for an object or object property. For example, the Human Resources group can be granted only Read and Write permissions for a file named Employee master.xls. Permissions can be applied to objects such as files, volumes, Active Directory objects or registry keys, and can be granted to any user, group or computer. It is good practice to assign permissions to groups rather than to individual users. Some permissions are common to most types of objects. These common permissions are:
• Read permissions
• Modify permissions
• Change owner
• Delete
When the administrator assigns permissions, he specifies the level of access for groups and users. For example, he can let one user read the contents of a file, let another user make changes to the file, and prevent all other users from accessing the file. He can set similar permissions on printers so that certain users can configure the printer and other users can only print from it.
To change the permissions on a folder, run Windows Explorer, right-click the folder name and click Properties. On the Security tab you can change the permissions on the folder. For example, if you want to set permissions on a folder named ‘Test’, right-click it and you will see the screen shown in Fig 5.27. Under the Security tab you can assign various permissions to different users. As shown in Fig 5.27, the group ‘Everyone’ has been assigned the permissions Full Control, Modify, Read & Execute, List Folder Contents, Read and Write. Note that Full Control for Everyone means any user can also change the folder’s permissions and take ownership of it, so such a setting is acceptable only on a test folder, never on data that needs protecting. Further, the ‘Allow inheritable permissions from parent to propagate to this object’ option causes objects within a container to inherit all the inheritable permissions of that container. For example, the files within the Test folder, when created, will inherit the permissions of the Test folder.
Fig. 5.27
Permissions and Security Descriptors
Every object on the network has a set of access control information attached to it known as a security descriptor. This security descriptor is created automatically whenever an object is created. This information controls the type of access allowed to users and groups. Permissions are defined within an object’s security descriptor and are associated with, or assigned to, specific users and groups. For example, for the file employee master.xls the Administrators group might be assigned Read, Write and Delete permissions, while the HR group might be assigned Read and Write permissions only. Each assignment of permissions to a user or group is known as a permission entry, which is a type of access control entry (ACE). The entire set of permission entries in a security descriptor is known as a permission set or access control list (ACL). Thus, for employee master.xls the permission set includes two permission entries (ACEs), one for the Administrators group and one for the HR group, which together make up the ACL.
There are two types of permissions: explicit permissions and inherited permissions.
• Explicit permissions are those that are set directly on the object, either by its owner or by an administrator.
• Inherited permissions are those that are propagated to an object from a parent object.
Note: Explicit permissions take precedence over inherited permissions, even inherited Deny permissions. Among entries at the same level, a Deny entry takes precedence over an Allow entry, so the order of evaluation is explicit Deny, explicit Allow, inherited Deny, inherited Allow.
How Does Inheritance Work?
To show how inheritance works, we have set the security of the Test folder as shown in the screenshot below (Fig 5.28). Here ‘Everyone’ has inherited Full Control from the drive, whereas the ‘Terminal Server User’ group has been assigned explicit permissions on the Test folder.
Fig. 5.28
Later we created a Child-Test folder under the Test folder and assigned explicit permissions to the Administrators group on it. It can be seen that by default both ‘Everyone’ and the ‘Terminal Server User’ group have inherited their permissions on Child-Test; these are displayed greyed out and cannot be edited directly (Fig 5.29).
Fig. 5.29
If you do not want inherited permissions to propagate to the child folder and its files, uncheck ‘Allow inheritable permissions from parent to propagate to this object’. The following window will appear (Fig 5.30).
Fig. 5.30
If you click the Copy button, the inherited permissions become explicit permissions on that object (the greyed-out permission checkboxes become white and enabled) (Fig. 5.31).
Fig. 5.31
If you click the Remove button, all inherited permissions are removed and the checkboxes become clear for modification. Only the explicit permissions remain unchanged (Fig 5.32). Be careful with Remove: if the object had only inherited entries, it is left with an empty ACL, and nobody except the owner (or an administrator taking ownership) can reach it until new permissions are added.
Fig. 5.32
The Cancel button aborts the action. If you want to keep only inherited permissions and remove all explicit permissions on all child objects, click the Advanced button and check the ‘Reset permissions on all child objects and enable propagation of inheritable permissions’ option. In our case, we will check this option on the Test folder and observe its effect on the Child-Test folder (Fig 5.33).
Fig. 5.33
As soon as you check this option, the following screen appears (Fig. 5.34). Click Yes to see its effect.
Fig. 5.34
As you can see, the explicit permissions of the Administrators group on Child-Test have been cleared and only the inherited permissions of ‘Everyone’ and the ‘Terminal Server User’ group remain. Note that the reset also re-enables inheritance on the child objects, as its name says: had ‘Allow inheritable permissions from parent to propagate to this object’ previously been unchecked on Child-Test, the reset turns it back on, which is why these permissions now propagate from the Test folder (Fig. 5.35).
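The Test / Child-Test walk-through above can be reproduced, and the inherited-versus-explicit state of every entry checked, without the dialogs. The following is an added example, not the handbook’s own code. It assumes the folders live under C:\, that the built-in Administrators group and the well-known ‘Terminal Server User’ SID S-1-5-13 exist, and an elevated PowerShell on Vista/2008 or later (icacls did not ship with Windows 2000, which used cacls.exe). The three icacls inheritance modes correspond to the Copy button, the Remove button and the ‘Reset permissions on all child objects’ option of the dialogs.

```powershell
# Added example (not the handbook's code): the Test / Child-Test inheritance
# walk-through done with icacls and Get-Acl. Assumptions: paths under C:\,
# English group name "Administrators", SID S-1-5-13 = Terminal Server User,
# elevated PowerShell, Vista/2008 or later.
$Test  = 'C:\Test'
$Child = Join-Path $Test 'Child-Test'
New-Item -ItemType Directory -Path $Child -Force | Out-Null

# Fig 5.28: explicit ACE on Test for Terminal Server User, inherited by children.
# (OI) = object inherit, (CI) = container inherit, M = Modify.
icacls $Test  /grant '*S-1-5-13:(OI)(CI)M'       | Out-Null
# Fig 5.29: explicit ACE on Child-Test for Administrators (the one the reset wipes).
icacls $Child /grant 'Administrators:(OI)(CI)F'  | Out-Null

function Show-Ace([string]$Path) {
    # One row per ACE: who, what, Allow/Deny, and whether it came from the parent.
    (Get-Acl -Path $Path).Access |
        Select-Object @{n='Path';e={$Path}}, IdentityReference, FileSystemRights,
                      AccessControlType, IsInherited
}
Show-Ace $Child | Format-Table -AutoSize   # Terminal Server User: IsInherited = True

# Fig 5.31, Copy button: stop inheriting but keep the inherited ACEs as explicit ones.
icacls $Child /inheritance:d | Out-Null
Show-Ace $Child | Format-Table -AutoSize   # same entries, IsInherited = False

# Fig 5.32, Remove button: stop inheriting and drop every inherited ACE.
# Only explicit ACEs survive; if there were none, the folder gets an empty ACL.
# icacls $Child /inheritance:r | Out-Null

# Fig 5.33 to 5.35, "Reset permissions on all child objects and enable
# propagation": every object below Test gets only what it inherits from Test.
# /reset on each child replaces its ACL with the inherited one; parents are
# listed before their children, so the order is correct.
Get-ChildItem -Path $Test -Recurse | ForEach-Object { icacls $_.FullName /reset | Out-Null }
Show-Ace $Child | Format-Table -AutoSize   # Administrators ACE gone, IsInherited = True again
```

Get-Acl is the check to run after any of the dialog operations: a row with IsInherited = False that you did not set deliberately is an explicit entry that will survive a reset of the parent and will still be there after the inherited entries change.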
Fig. 5.35
Permissions for Files and Folders
Folder permissions include Full Control, Modify, Read & Execute, List Folder Contents, Read and Write. Each of these permissions consists of a logical group of special permissions, which are listed and defined below. To view these special permissions, right-click the file or folder, click Properties, click the Security tab, click the Advanced button, select the group or user and click the View/Edit button (Fig. 5.36).
Fig. 5.36
Traverse Folder/Execute File: Traverse Folder allows or denies moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders. (Applies to folders only.) Traverse Folder takes effect only when the group or user is not granted the Bypass traverse checking user right. (By default, the ‘Everyone’ group is given the Bypass traverse checking user right, so each of us can browse subfolders and files.) Execute File allows or denies running program files. (Applies to files only.) Setting the Traverse Folder permission on a folder does not automatically set the Execute File permission on all files within that folder.
List Folder/Read Data: List Folder allows or denies viewing file names and subfolder names within the folder. List Folder affects only the contents of that folder and does not affect whether the folder on which you set the permission will itself be listed. (Applies to folders only.) Read Data allows or denies viewing data in files. (Applies to files only.)
Read Attributes: Allows or denies viewing the attributes of a file or folder, such as read-only and hidden. Attributes are defined by NTFS.
Read Extended Attributes: Allows or denies viewing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.
Create Files/Write Data: Create Files allows or denies creating files within the folder. (Applies to folders only.) Write Data allows or denies making changes to the file and overwriting existing content. (Applies to files only.)
Create Folders/Append Data: Create Folders allows or denies creating folders within the folder. (Applies to folders only.) Append Data allows or denies making changes to the end of the file but not changing, deleting or overwriting existing data. (Applies to files only.)
Write Attributes: Allows or denies changing the attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS. The Write Attributes permission does not imply creating or deleting files or folders; it only includes the permission to change the attributes of a file or folder. In order to allow (or deny) create or delete operations, see Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete.
Write Extended Attributes: Allows or denies changing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program. The Write Extended Attributes permission does not imply creating or deleting files or folders; it only includes the permission to change the extended attributes of a file or folder. In order to allow (or deny) create or delete operations, see Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete.
Delete Subfolders and Files: Allows or denies deleting subfolders and files, even if the Delete permission has not been granted on the subfolder or file. (Applies to folders only.)
Delete: Allows or denies deleting the file or folder. If you do not have Delete permission on a file or folder, you can still delete it if you have been granted Delete Subfolders and Files on the parent folder.
Read Permissions: Allows or denies reading the permissions of the file or folder, such as Full Control, Read and Write.
Change Permissions: Allows or denies changing the permissions of the file or folder, such as Full Control, Read and Write.
Take Ownership: Allows or denies taking ownership of the file or folder. The owner of a file or folder can always change the permissions on it, regardless of any existing permissions that protect the file or folder.
Ownership of Objects
When a user creates an object, whether a file, a folder or anything else, he is by default its owner. No matter what permissions an administrator sets on an object, the owner can always change the permissions on that object, unless the administrator has taken ownership himself. Ownership can be taken by:
• Members of the Administrators group, which by default is given the ‘Take ownership of files or other objects’ user right.
• Any user or group who has the Take Ownership permission on the object in question.
• A user who has the ‘Restore files and directories’ privilege.
If, say, a user has left the company or is on leave and other users need immediate access to folders he created, the administrator can take ownership as follows: right-click the folder, select Properties, under the Security tab click the Advanced button, go to the Owner tab, select the new owner and check ‘Replace owner on subcontainers and objects’. Ownership will be transferred to the Administrator (Fig 5.37).
Fig. 5.37
2. Sharing
Sharing enables resources such as files, folders and printers to be accessed across the network. To share a resource, right-click the object, select Properties and click the Sharing tab. There you find options to make the object shareable and, at the same time, to secure it by setting appropriate permissions. By default no object is shared. You need to specify the share name (e.g. test) as well as the permissions to be granted to the users who will access the object across the network. You can also limit the number of users who may access the object at one time (Fig. 5.38).
Fig. 5.38
You can use Offline Files to work with shared resources even when you are not connected to the network. Offline Files stores a version of the shared resources in a reserved portion of disk space on the client computer, called the file system cache. The client computer can access this cache whether or not it is connected to the network. When you create a shared resource, you can specify if and how files in it are cached (stored) locally on client computers when users access them (Fig 5.39). Keep in mind that cached copies sit on the client’s disk, outside the server’s control, so a share holding sensitive data should not be made available offline unless the client disks themselves are protected.
Fig. 5.39
• Only the files and programs that users specify will be available offline. • All files and programs that users open from the share will be automatically available offline. • Files or programs from the share will not be available offline.
Methods of Accessing Shared Resources
You can control access to shared resources with a variety of methods.
• You can use share permissions, which are simple to apply and manage.
• You can use access control on the NTFS file system, which provides more detailed control of the shared resource and its contents.
• You can also use a combination of these methods. If you use a combination, the more restrictive permission always applies. For example, if the share permission is set to Everyone = Read and the NTFS permission allows users to make changes to a shared file, the share permission applies and users connecting over the network cannot change the file. (Windows 2000 creates new shares with Everyone = Full Control, as shown below; later versions of Windows default new shares to Everyone = Read.)
Share Permissions
• Apply only to users who gain access to the resource over the network. They do not apply to users who log on locally, such as on a terminal server. In these cases, use access control on NTFS to set permissions.
• Apply to all files and folders in the shared resource. If you want to provide a more detailed level of security to the subfolders or objects in a shared folder, use access control on NTFS.
• On FAT and FAT32 volumes only share permissions are applicable, as NTFS permissions are not available.
You can assign the following types of access permissions to shared folders or drives:
Read: Read permission allows:
• Viewing file names and subfolder names
• Viewing data in files
• Running program files
Change: The Change permission allows all Read permissions, plus:
• Adding files and subfolders
• Changing data in files
• Deleting subfolders and files
Full Control: Full Control is the default permission assigned to the ‘Everyone’ group in Windows 2000 (Fig. 5.40). Full Control allows all Read and Change permissions, plus:
• Changing permissions (NTFS files and folders only)
Fig. 5.40
Case Study
Now that you have understood the concepts of local permissions and sharing, consider a scenario in which you need to create folders to be shared amongst users according to their departments. You require that only a user of a particular department can upload shareable data into his departmental folder, while people from other departments can only view the contents of that folder and cannot modify or delete them. What would be the most appropriate permissions and policies to apply to the different users to achieve this?
Let us take only two departments for clarity, say HR and Finance. You want to create two shared folders, HR and Finance, such that HR personnel can upload, modify and delete data in the HR folder and view the data in the Finance folder, but cannot modify or delete the contents of the Finance folder. The same conditions apply, the other way round, to the Finance personnel.
First create two users named HR and Finance. The permissions could be granted to these users either through share permissions or through NTFS file and folder permissions. To avoid ambiguity, assign Full Control to the Everyone group as the share permission and exercise the control over who may do what in each folder through NTFS permissions, which then supply the most restrictive, and therefore effective, permission. In this scenario, on the HR folder assign Full Control to the Administrators group, Modify (which includes Read and Write) to the HR user and Read & Execute only to the Finance user; on the Finance folder, do the reverse. With this set of permissions the HR user can modify and delete contents in his HR folder either over the network or locally, whereas the Finance user can only view the contents of the HR folder. This works because, as already explained, when both share and NTFS permissions apply, the effective permission of a user or group is the most restrictive of the two.
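The case study can be carried out from the command line, which also makes the resulting permissions easy to audit. The following is an added example, not the handbook’s code. It assumes the local accounts HR and Finance already exist, that the departmental folders live under C:\Shares, and an elevated PowerShell on Vista/2008 or later (icacls and net share /GRANT). The share permission is left at Everyone: Full Control exactly as the case study prescribes, so the NTFS ACL is the only thing restricting access, which the final function checks.

```powershell
# Added example (not the handbook's code): the HR / Finance case study from
# PowerShell. Assumptions: local accounts HR and Finance exist, data under
# C:\Shares, elevated PowerShell on Vista/2008 or later, English group names.
$Root  = 'C:\Shares'
$Depts = 'HR', 'Finance'

foreach ($Dept in $Depts) {
    $Path = Join-Path $Root $Dept
    New-Item -ItemType Directory -Path $Path -Force | Out-Null

    # Start from a clean, non-inheriting ACL so nothing from C:\ (Users:RX on
    # current Windows, Everyone:Full Control on Windows 2000) leaks into the folder.
    icacls $Path /inheritance:r | Out-Null
    icacls $Path /grant 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' | Out-Null

    foreach ($User in $Depts) {
        # Own department: Modify (read, write, delete). Other departments: read only.
        $Rights = if ($User -eq $Dept) { 'M' } else { 'RX' }
        icacls $Path /grant "${User}:(OI)(CI)${Rights}" | Out-Null
    }

    # Publish the folder. Everyone:FULL on the share, as in the case study; the
    # NTFS ACL above is the effective limit for network users.
    net share "$Dept=$Path" /GRANT:Everyone,FULL | Out-Null
}

function Get-EffectiveNtfsRights {
    # Returns the NTFS Allow rights granted to one account on a folder. With
    # Everyone:FULL on the share, this is also the effective network access.
    param([string]$Path, [string]$Account)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -like "*\$Account" -and
                       $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.FileSystemRights }
}
Get-EffectiveNtfsRights -Path "$Root\HR" -Account Finance   # ReadAndExecute, Synchronize
Get-EffectiveNtfsRights -Path "$Root\HR" -Account HR        # Modify, Synchronize
```

Two points the script makes explicit: inheritance is cut (/inheritance:r) before granting anything, because an inherited Everyone or Users entry from the drive root would otherwise widen access beyond what the case study intends; and the per-department entries are granted to users only because the case study uses one account per department, whereas in practice each department would be a group and the icacls calls would name the groups instead.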
Special Shared Resources
These special shared resources are not visible from My Computer, but you can view them using Shared Folders, reached from Start->Programs->Administrative Tools->Computer Management; under System Tools you will find Shared Folders (Fig. 5.41).
Fig. 5.41
You can hide other shared resources from users by typing $ as the last character of the share name (the $ then becomes part of the name). Such shares are hidden from Windows Explorer like the special shared resources, but otherwise they are not special, and anyone who knows the name can still connect to them. Note: If you change permissions on special shared resources such as ADMIN$, the default settings are restored when the Server service is restarted or when the computer is restarted. This does not apply to user-created shares whose name ends in $.
Some of the Special Shared Resources
drive letter$: Enables administrators to connect to the root directory of a drive.
ADMIN$: Used during remote administration of a computer. The path of this resource is always the system root (the directory in which the Operating System is installed, for example C:\Windows).
IPC$: Shares the named pipes that are essential for communication between programs. IPC$ is used during remote administration of a computer and when you view a computer’s shared resources. You cannot delete this resource.
NETLOGON: Used on domain controllers. Removing this shared resource causes a loss of functionality on all client computers that the domain controller serves.
SYSVOL: Also used on domain controllers. Removing it causes a loss of functionality on all client computers that the domain controller serves.
PRINT$: Used during remote administration of printers.
FAX$: A shared folder on a server used by fax clients in the process of sending a fax. It is used to temporarily cache files and to access cover pages stored on the server.
Fixed disks on your computer, such as drive C or drive D, are automatically shared using the syntax drive letter$, such as C$ or D$. These drives do not appear with the hand icon that indicates sharing in My Computer or Windows Explorer, and they are also hidden when users connect to your computer remotely. If your computer is not protected by a firewall, and someone knows the user name and password of any member of the Administrators, Backup Operators or Server Operators group, that person can connect to these shares and has the same access to your computer as an administrator.
Managing Shared Folders from the Command Line
In addition to Shared Folders and Windows Explorer, you can use the following command-line utilities to manage shared resources.
net file: View and control files that are open on shared resources. The Server service must be running for you to use this command.
net config: View the maximum number of users who can access a shared resource and the maximum open files per session.
net use: Connect a computer to, or disconnect it from, a shared resource.
net session: Manage server connections.
net share: Create, delete, manage and display shared resources.
net view: Display information about the domains, computers or resources shared by the specified computer, including the offline client caching settings.
net help: View help for network commands.
Points to Ponder before Enabling Sharing
• To keep your drives secure, use a strong password for all accounts, especially those in the Administrators, Backup Operators and Server Operators groups, since the administrative shares give them full access to every fixed disk over the network.
• For best security, you can also rename the Administrator account. For more information about how to do this, see the ‘Accounts: Rename administrator account’ security option.
• If you change permissions on special shared resources such as ADMIN$, the default settings are restored when the Server service is stopped and restarted or when the computer is restarted.
3. User Rights
User rights grant specific privileges and logon rights to users and groups in your computing environment. Administrators can assign specific rights to group accounts or to individual user accounts. These rights authorize users to perform specific actions, such as logging on to a system interactively or backing up files and directories. User rights differ from permissions in that user rights apply to user accounts, whereas permissions are attached to objects. User rights define capabilities at the local level. Although user rights can be applied to individual user accounts, they are best administered on a group basis. This ensures that a user logging on as a member of a group automatically inherits the rights associated with that group. By assigning user rights to groups rather than to individual users, you simplify the task of user account administration. User rights assigned to a group apply to all members of the group while they remain members. If a user is a member of multiple groups, the user’s rights are cumulative, which means that the user has more than one set of rights. There are two types of user rights: privileges and logon rights.
Privileges
The following list shows the privileges that can be assigned to a user. These privileges can be managed with the user rights policy.
• Act as Part of the Operating System
• Add Workstations to a Domain
• Back Up Files and Directories
• Bypass Traverse Checking
• Change the System Time
• Create a Token Object
• Create Permanent Shared Objects
• Create a Pagefile
• Debug Programs
• Enable Trusted for Delegation on User and Computer Accounts
• Force Shutdown from a Remote System
• Generate Security Audits
• Increase Quotas
• Increase Scheduling Priority
• Load and Unload Device Drivers
• Lock Pages in Memory
• Manage Auditing and Security Log
• Modify Firmware Environment Values
• Profile a Single Process
• Profile System Performance
• Replace a Process-Level Token
• Restore Files and Directories
• Shut Down the System
• Take Ownership of Files or Other Objects
• Unlock a Laptop
Some of these privileges can override permissions set on an object. For example, a user logged on to a server as a member of the Backup Operators group has the right to perform backup operations. This requires the ability to read all files on the server, even files on which their owners have set permissions that explicitly deny access to all users, including members of the Backup Operators group. A user right, in this case the right to perform a backup, takes precedence over all file and directory permissions. For this reason, membership of Backup Operators, and of any other group holding privileges such as Back Up or Restore Files and Directories, Take Ownership of Files or Other Objects or Debug Programs, should be treated as equivalent to administrative access and granted just as sparingly.
Logon Rights
The following list shows the logon rights that can be assigned to a user. These logon rights can be managed with the user rights policy.
• Access This Computer from the Network
• Log On Locally
• Log On as a Batch Job
• Log On as a Service
• Deny Access to This Computer from the Network
• Deny Logon as a Batch Job
• Deny Logon as a Service
• Deny Local Logon
The special user account LocalSystem has almost all privileges and logon rights assigned to it, because all processes that run as part of the Operating System are associated with this account, and these processes require a complete set of user rights.
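Because some privileges override object permissions, the check a practitioner wants is a list of who holds them. The following is an added example, not the handbook’s code: it exports the local user rights assignment with secedit, parses the [Privilege Rights] section, and reports any account outside Administrators or LocalSystem that holds one of the privileges discussed above. It assumes an elevated PowerShell, secedit.exe (present on Windows 2000 and later), the well-known SIDs S-1-5-32-544 (Administrators) and S-1-5-18 (LocalSystem), and the constant names of the privileges; the list of what counts as sensitive is the author of this example’s choice.

```powershell
# Added example (not from the handbook): dump the local user-rights assignment
# with secedit and flag privileges that override object permissions when held
# by accounts outside Administrators / LocalSystem. Assumptions: elevated
# PowerShell, secedit.exe available, well-known SIDs as commented below.
$Inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $Inf /areas USER_RIGHTS /quiet | Out-Null

# Privileges from the list above that amount to full control of the machine
# or of every file on it (selection made for this example).
$Sensitive = @{
    SeBackupPrivilege             = 'Back Up Files and Directories (reads any file despite its ACL)'
    SeRestorePrivilege            = 'Restore Files and Directories (writes any file, sets any owner)'
    SeTakeOwnershipPrivilege      = 'Take Ownership of Files or Other Objects'
    SeDebugPrivilege              = 'Debug Programs (read/write any process)'
    SeTcbPrivilege                = 'Act as Part of the Operating System'
    SeLoadDriverPrivilege         = 'Load and Unload Device Drivers'
    SeAssignPrimaryTokenPrivilege = 'Replace a Process-Level Token'
    SeCreateTokenPrivilege        = 'Create a Token Object'
}
$Trusted = @('S-1-5-32-544', 'S-1-5-18')   # Administrators, LocalSystem

function Get-UserRightsAssignment([string]$Path) {
    # Parses lines such as: SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
    $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(\S+)\s*=\s*(.*)$') { continue }
        $right = $Matches[1]
        $sids  = $Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
        foreach ($sid in $sids) {
            $name = $sid   # fallback: SID of a deleted account, or a name secedit left unconverted
            try {
                $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                            Translate([System.Security.Principal.NTAccount]).Value
            } catch { }
            [pscustomobject]@{ Right = $right; Sid = $sid; Account = $name }
        }
    }
}

function Find-RiskyAssignment([string]$Path) {
    Get-UserRightsAssignment $Path |
        Where-Object { $Sensitive.ContainsKey($_.Right) -and $Trusted -notcontains $_.Sid } |
        Select-Object Right, Account, @{n='Why'; e={ $Sensitive[$_.Right] }}
}

Find-RiskyAssignment $Inf | Format-Table -AutoSize
# A typical finding is Backup Operators (S-1-5-32-551) holding SeBackupPrivilege
# and SeRestorePrivilege: exactly the override described in the text.
Remove-Item -Path $Inf
```

The export is the authoritative source for the local policy; `whoami /priv` only shows the privileges of the current token, which is useful for confirming what a given logon actually received but not for reviewing who was granted what.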
4. Object Auditing
An audit records an entry whenever users perform certain actions that you specify. For example, the modification of a file or a policy can trigger an audit entry. The audit entry shows the action performed, the associated user account, and the date and time of the action. You can audit both successful and failed attempts. Actions are not audited by default. If you have the appropriate administrative permissions, you can specify what types of actions are audited. When you enable auditing, you:
1. Establish a local audit policy on the computer where the actions occur.
2. Choose the actions to audit.
If you do not enable the audit policy, you will receive an error message when you set up auditing on files and folders, and no files or folders will be audited. To enable the audit policy, go to Start->Programs->Administrative Tools->Local Security Policy. Under Local Policies, choose Audit Policy and select the ‘Audit object access’ policy (Fig. 5.42).
Fig. 5.42
Now, under the Action menu, select Security and you will find the following screen (Fig. 5.43). Click on Success and file and folder auditing will be enabled. For example, suppose you want to audit a folder named Test to see how many times a user named ‘cmc’ successfully performs Delete and Delete Subfolders & Files operations. First select the Test folder, right-click it and choose Properties. Under the Security tab, go to the Advanced window. Under the Auditing tab, add user ‘cmc’ and set its audit access levels to Delete and Delete Subfolders & Files (Fig. 5.44).
PRACTICAL HANDBOOK OF THIN-CLIENT IMPLEMENTATION
Fig. 5.43
Fig. 5.44
The Administrator can view these security-related events of ‘cmc’ in the security log with the Event Viewer (Start -> Programs -> Administrative Tools -> Event Viewer).
6 Understanding Windows 2000 Print Services
One of the most critical issues in a Thin-Client setup is printing using a local or a network printer. Clients can send print jobs to printers attached locally to the client itself or to printers connected to the network. Windows 2000 Server supports several advanced printing features, such as administering a print server running Windows 2000 Server from anywhere on your network. Another advanced feature is that you do not have to install a printer driver on a client to enable it to use the printer.
PRINTING CONCEPTS
Before getting into the details of actual printing, let’s first explore the printing concepts and definitions involved in the print services provided by Windows 2000 Server.
Print Devices: These are the physical printing devices, which may be connected either to the client machines or to the network. For example: DeskJet printers, dot matrix printers, laser printers, plotters etc.
Print Job: These are printing requests that contain both the data to be printed and the commands for printing.
Printer: This is a logical printer, a software interface between the print device and the Operating System. Whenever a printing request is made, it first interacts with the logical printer, which converts the print job into a format that the print device understands before forwarding it.
Print Processor: This is a printer component that, in conjunction with the printer driver, receives and alters print jobs according to the print job’s data type, to ensure that the jobs get printed correctly. For example, if a print job is ASCII text, no alteration is required to print it on any print device; but if it is an image file, it has to be converted by the print processor into different formats for a laser printer and for an inkjet printer respectively.
Print Spooler: This is an Operating System module that manages the printing requests made to the Printer until the print device is ready for printing. These requests are stored on disk or in memory before being forwarded to the print device.
Local Print Provider: This is a component of the print spooler that writes the content of print jobs to a spool file, which has the extension .spl. The default location for this file is %systemroot%\system32\spool\printers.
Printer Driver: This is a program designed to allow other programs to interact with a particular printer without concerning themselves with the specifics of the printer’s hardware and internal language.
Printer Permissions: These are permissions that are specified by the Administrator for the type of access that a user or group must have to a printer. The printer permissions are Print, Manage Printers, and Manage Documents.
Printer Window: This is a window that shows information about any pending print jobs for the printer. For each printer you have installed or to which you are connected, you can view information such as how many documents are waiting to be printed, who owns them, and how large they are. This window is also called the queue view.
Printing Pool: This is a pool of two or more identical printers that are connected to one print server and act as a single printer. In this case, when you print a document, the print job will be sent to the first available printer in the pool.
Printer Control Language (PCL): This is the page-description language (PDL) developed by Hewlett-Packard for their laser and inkjet printers. Because of the widespread use of laser printers, this command language has become a standard in many printers.
Graphics Device Interface (GDI): This portion of Windows 2000 Server begins the process of producing visual output, whether that output is to the screen or to the print device. To produce screen output the GDI calls the video driver, and for printed output the GDI calls the printer driver.
Print Monitor: This is the last component of the printing process and consists of two monitors, namely the Language monitor and the Port monitor.
• Language Monitor: This monitor is created when the printer driver is installed and it comes into play only when the print device communicates with the printer in a bidirectional mode. In bidirectional communication the client machine is always updated about the status of the print job and the health state of the print device.
• Port Monitor: This monitor controls the flow of information to the I/O port to which the print device is connected, such as serial, parallel, network or SCSI/USB ports.
By default, Windows 2000 server controls parallel and serial ports only. If the print device is connected to some other port, then port monitor for this port has to be specifically provided by the vendor.
PRINTING PROCESS
To understand the printing process, let’s take the case where a user tries to print a document through the printer connected locally to his Thin-Client. The steps involved in this process are as follows:
1. The user chooses the print device through which he wants to print his document.
2. If the document is submitted from a Windows application like MS-Office, the application calls the graphics device interface (GDI), which calls the printer driver associated with the target printer. Thus a print job is created.
3. The print job is now given to the local print provider (a component of the spooler), which spools the print job (writes it to the disk).
4. The local print provider polls the print processor. The print processor recognizes the job’s data type and receives the print job. The print processor then converts the print job according to its data type.
5. Control of the print job is now passed to the separator page processor, which adds a separator page, if specified, to the front of the job.
6. The job is de-spooled to the print monitors. For bidirectional printers, the language monitor handles the two-way communication between the sender and the printer. If the printer is unidirectional, the print job goes directly to the port monitor, which sends it to the target printer.
7. The printer receives the print job, converts each page into bitmap format, and prints it.
Note: The Windows printing process normally supports five data types. The two most commonly used data types are ready to print (RAW) and enhanced metafile (EMF). The others are RAW [FF Auto], RAW [FF Appended] and TEXT.
RAW: RAW is the default data type for clients other than Windows-based programs. The RAW data type tells the spooler not to alter the print job at all prior to printing. With this data type, the entire process of preparing the print job is done on the client machine. EMF: This is the default data type with most Windows-based programs. With this data type, the printed document is altered into a metafile format that is more portable than RAW files and usually can be printed on any printer. EMF files tend to be smaller than RAW files that contain the same print job.
CONFIGURING CLIENT PRINTER ON WINDOWS 2000 SERVER
To create a new printer on the server connected to the local machine, follow these steps: Go to Start->Settings->Printers. Click on the Add Printer icon; the ‘Add Printer Wizard’ appears (Fig. 6.1).
Fig. 6.1
Click Next and it asks whether you need to add a Local printer or a Network printer (Fig. 6.2). In our case, we would choose the Local printer option.
Fig. 6.2
In general, we need to manually select the LPT or COM port for adding a new printer. However, for Thin-Clients, we find a few additional ports per Thin-Client listed among the available ports. When a client connects to the terminal server, all its LPT and COM ports are automatically redirected to the server and are identified by the name of the Thin-Client itself. This is one of the features of the ICA and RDP communication protocols. For example, CLIENT\SHEKHAR_231_254#\LP, CLIENT\SHEKHAR_231_254#\LP_COM1 and CLIENT\SHEKHAR_231_254#\LP_COM2 are ports which have automatically appeared in the list of available ports. Here CLIENT identifies that the port originates from a Thin-Client whose name is SHEKHAR_231_254. LP signifies that it’s a parallel port, and LP_COM1 and LP_COM2 are the two serial ports of the Thin-Client, as shown in Fig. 6.3.
Fig. 6.3
Next we need to select the manufacturer & type of printer attached to the Thin-Client. (Fig. 6.4)
Fig. 6.4
Click Next and give the printer a meaningful name in the window presented (Fig. 6.5). This helps in managing printers and print services for a large number of clients connected to the server.
Fig. 6.5
The final screen (Fig. 6.6) shows all the options you entered at each stage of the configuration. Click Finish if you want to configure the printer with these settings, or go back to correct them.
Fig. 6.6
CONFIGURING PRINT SERVER
Before getting on with the configuration of a print server, let’s first understand the significance of a Print Server in a Thin-Client setup where most of the printers are attached to the Thin-Clients themselves. As you have seen, every time a new print device is added to the Server, you need to install its manufacturer’s driver if it is not available in the list of printers in the Add Printer Wizard. That makes it pretty tough to install a new driver every time a new kind of print device is attached to any of your Thin-Clients. It would be far more convenient if you already had all the drivers installed on the server for the different kinds of print devices that might be attached to the Thin-Clients. This is where the Print Server comes into play. To make your server ready to accept all sorts of print devices that might be attached to Thin-Clients, go to Start->Settings->Printers. Select any printer that is already installed on your Server. Go to the File menu and choose Server Properties (Fig. 6.7).
Fig. 6.7
Under the Drivers tab, you can see the list of all the printer drivers already installed on the Server (Fig. 6.8). In this screen you get the options to Add, Remove or even Update the existing printer drivers.
Fig. 6.8
For example, say you want to add an HP 950 C printer driver. First insert the manufacturer’s CD. Click on Add and provide the location of its .inf file (Fig. 6.9).
Fig. 6.9
The wizard identifies the new printer driver (Fig. 6.10). The next screen asks you for the kind of Environment and Operating System in which you want to install that particular printer driver. If your client is a Thin-Client, you must choose these parameters based on the Server to which it is talking. However, if the client is a Desktop running some other version of a Microsoft Operating System, choose these parameters based on the Desktop client machine’s Environment and Operating System (Fig. 6.11).
Fig. 6.10
Fig. 6.11
The last screen of the Add Printer Wizard reviews the options you selected for installing the new printer driver (Fig. 6.12). Click on Finish and the Operating System starts copying the required driver files.
Fig. 6.12
After the driver files have been copied successfully, if you again go to the Server Properties window and view the listed drivers under the Drivers tab, you will see the new printer driver added to the list. This way you can install all kinds of printer drivers on your Server and need not do it while adding a printer every time a new print device is attached to your Thin-Clients.
PRINTER SETTINGS CONFIGURATION
Once you have set up the Printer, you need to configure its settings. To configure a Printer’s settings, go to Start->Settings->Printers. Select the printer, right-click it and choose Properties. Under the General tab you get the general information of the printer. Here you have the option to modify the name of the printer, its location and its printing preferences (Fig. 6.13).
Fig. 6.13
Printing preferences provide you with the options to choose the layout and paper quality. Under Layout, you can choose orientation, page order and pages per sheet; under Paper/Quality you can select the paper source and color. Under the Sharing tab (Fig. 6.14), you can define whether the printer can be shared across the network or not. You also have the option to install additional printer drivers if this printer is being shared with users running different Windows Operating Systems. If a user running a version of Windows other than Windows 2000 tries to print on this shared printer, the appropriate driver compatible with his Operating System automatically gets downloaded onto the user’s system and the print job is processed. Port settings control the ports to which different print devices are attached (Fig. 6.15). Here you have the options to Add and Delete the listed ports. However, you can configure only the Server’s ports, not the ports announced by Clients.
Fig. 6.14
Fig. 6.15
You get the following error message if you try to configure ports, which have been announced by clients attached to the server (Fig. 6.16).
Fig. 6.16
You can always create multiple printers for a single print device. But if you want to have a printer driver configured to print on multiple ports, then you need to enable Printer Pooling. Before enabling Printer Pooling, the following points must be taken into consideration:
1. The printers in the pool must be identical.
2. When clients send their print jobs, each job will be printed on the first available print device.
3. Given these constraints, it is recommended that all the print devices be installed in close proximity.
For example, suppose you have three DeskJet printers of the same make and model, connected to three different ports of the Server such as LPT1, LPT2 and USB1. By enabling the Printer Pooling option, the Operating System lets you select all three ports simultaneously. Under the Advanced tab, you can define the period of availability of the Printer to the user (Fig. 6.17). If separate printer drivers have been installed for the same print device and have been assigned to different users, then you may set a priority on each printer driver. The default value of Priority is 1, and higher numbers have higher priority. The highest priority that can be assigned is 99.
Fig. 6.17
For example, suppose three printer drivers, namely deskjet1, deskjet2 and deskjet3, have been installed for a single print device, and Deskjet1 is assigned to Shekhar, Deskjet2 to Neeraj and Deskjet3 to Nasim respectively. Now, if Deskjet1 has been given Priority 3, Deskjet2 Priority 2 and Deskjet3 Priority 1, then whenever all three submit print requests simultaneously, Shekhar’s print job will always be printed first, followed by Neeraj’s and then Nasim’s. You also have the option to bypass spooling and print directly to the printer. Note that this option is not enabled on all printer drivers and is dependent on the memory of the print device. For printing larger documents, spooling is strongly recommended. You can also instruct the printer to hold mismatched documents, print spooled documents first, keep printed documents and enable advanced printing features (Fig. 6.17). These options are available only when you have selected ‘Spool print documents so program finishes printing faster’. Printing defaults provide you with the options to choose the layout and paper quality. Under Layout, you can choose orientation, page order and pages per sheet; under Paper/Quality you can select the paper source and color. If you want to toggle between different data types, select the Print Processor option (Fig. 6.18).
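To make the two ordering rules just described concrete (higher Priority prints first, equal priorities print in submission order, and a printer pool hands each job to the first free print device), here is a small model of that scheduling, written as an added example for this handbook; it is not Windows 2000 code, and the job and port data it uses are constructed.

```python
"""Model of the spooler ordering rules: Priority 1-99 (default 1), highest
first, ties in submission order, pool jobs to the first free device.
Added example, not from the handbook; jobs and ports are constructed."""
import heapq
from itertools import count


class SpoolerModel:
    def __init__(self, pool_ports):
        # Ports of the identical devices in the pool (e.g. LPT1, LPT2, USB1).
        # A single print device is simply a pool with one port.
        self.free_ports = list(pool_ports)
        self._heap = []          # entries: (-priority, submission number, job)
        self._seq = count()

    def submit(self, user, printer, priority=1):
        """Queue a job coming from a logical printer with the given Priority."""
        if not 1 <= priority <= 99:
            raise ValueError("printer priority must be between 1 and 99")
        job = {"user": user, "printer": printer, "priority": priority}
        # Negated priority makes the min-heap pop the highest priority first;
        # the submission number keeps equal priorities in FIFO order.
        heapq.heappush(self._heap, (-priority, next(self._seq), job))

    def dispatch(self):
        """Send queued jobs to free ports, best job first; returns (port, job) pairs."""
        sent = []
        while self._heap and self.free_ports:
            _, _, job = heapq.heappop(self._heap)
            sent.append((self.free_ports.pop(0), job))
        return sent

    def release(self, port):
        """Call when a device has finished so it can take the next job."""
        self.free_ports.append(port)


def print_order(jobs, pool_ports=("LPT1",)):
    """Users in the order their jobs reach the device(s), for jobs given as
    (user, printer, priority) tuples that were all submitted at once."""
    model = SpoolerModel(pool_ports)
    for user, printer, priority in jobs:
        model.submit(user, printer, priority)
    order = []
    while True:
        sent = model.dispatch()
        if not sent:
            break
        for port, job in sent:
            order.append(job["user"])
            model.release(port)
    return order


if __name__ == "__main__":
    # The handbook's scenario: three logical printers on one device.
    print(print_order([("Nasim", "deskjet3", 1), ("Neeraj", "deskjet2", 2),
                       ("Shekhar", "deskjet1", 3)]))
```

The model only captures the queueing semantics the handbook states; it does not represent spool files, separator pages or the availability window.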
Fig. 6.18
If a number of users are printing on a single print device, then to segregate the different print jobs you could assign separator pages. You may browse to the location %systemroot%\system32\sysprint.sep for printing a blank page as separator. You may also create customized separator pages (Fig. 6.19).
Fig. 6.19
Under the Color Management tab, you may either choose the option where the Operating System selects the best color profile from the list of associated color profiles, or you may manually select the default color profile for the print device yourself (Fig. 6.20). The default location for these color profiles is %systemroot%\system32\spool\drivers\color. Color profile files have the extension .icm.
Fig. 6.20
The Security tab provides three levels of printing security permissions: Print, Manage Printers, and Manage Documents (Fig. 6.21). When multiple permissions are assigned to a group of users, the least restrictive permissions apply. However, when Deny is applied, it takes precedence over any permission. The following is a brief explanation of the types of tasks a user can perform at each permission level.
Fig. 6.21
Print: The user can connect to a printer and send documents to the printer. By default, the Print permission is assigned to all members of the Everyone group.
Manage Printers: The user can perform the tasks associated with the Print permission and has complete administrative control of the printer. The user can pause and restart the printer, change spooler settings, share a printer, adjust printer permissions, and change printer properties. By default, the Manage Printers permission is assigned to members of the Administrators and Power Users groups. By default, members of the Administrators and Power Users groups have full access, which means that the users are assigned the Print, Manage Documents, and Manage Printers permissions.
Manage Documents: The user can pause, resume, restart, cancel, and rearrange the order of documents submitted by all other users. The user cannot, however, send documents to the printer or control the status of the printer. By default, the Manage Documents permission is assigned to members of the Creator Owner group. When a user is assigned the Manage Documents permission, the user cannot access existing documents currently waiting to print. The permission will only apply to documents sent to the printer after the permission is assigned to the user.
Deny: All of the preceding permissions are denied for the printer. When access is denied, the user cannot use or manage the printer or adjust any of the permissions.
Printing Permissions Assigned to Groups
Windows assigns printer permissions to four groups of users. These groups include Administrators, Creator Owner, Everyone and Power Users. By default, each group is assigned a combination of the Print, Manage Documents, and Manage Printers permissions as shown in the following table (Table 6.1).
Table 6.1
Group            Print   Manage Documents   Manage Printers
Administrators   YES     YES                YES
Creator Owner    X       YES                X
Everyone         YES     X                  X
Power Users      YES     YES                YES
For fine-tuning the printer permissions, click on Advanced, select any one of the entries and click on View/Edit (Fig. 6.22). The following screen (Fig. 6.23) appears, in which you get the options Print, Manage Printers, Manage Documents, Read Permissions, Change Permissions and Take Ownership.
Fig. 6.22
Fig. 6.23
The following table summarizes the level of access associated with each of the printing security permissions (Table 6.2).
Table 6.2
Tasks Permitted      Print   Manage Documents (applies to documents only)   Manage Printers
Print                YES     X                                              YES
Manage Printers      X       X                                              YES
Manage Documents     X       YES                                            X
Read Permissions     YES     YES                                            YES
Change Permissions   X       YES                                            YES
Take Ownership       X       YES                                            YES
Owner: The administrator can assign the printer to a new owner from the Owner tab of the Access Control Settings dialogue box. By default the user who installed the printer, and his group, has the ownership of that printer, and this is shown under ‘Current owner of this item’ in the Owner tab (Fig. 6.24).
Fig. 6.24
Auditing: By default, auditing is not enabled until it has been enabled using the system’s Group Policy editor. Go to Programs -> Administrative Tools -> Local Security Policy -> Local Policies -> Audit Policy. Here you need to enable the policy ‘Audit Object Access’. Under the Auditing tab of the Access Control Settings dialogue box of the printer, click on Add to select the users or groups for whom auditing is required. For example, we have selected user ‘shekhar’, for whom auditing is required (Fig. 6.25).
Fig. 6.25
Auditing can be performed for two types of events, namely successful and failed events (Fig. 6.26). For each successful or failed response from the Server on the given object, an event is logged under Event Viewer. There are six events on which auditing can be performed: Print, Manage Printers, Manage Documents, Read Permissions, Change Permissions and Take Ownership. In our example, we track how many times our user ‘shekhar’ uses the printer and at what time.
Fig. 6.26
The following screen shows the Access Control Settings of ‘Shekhar’ (Fig. 6.27).
Fig. 6.27
Every time Mr. Shekhar tries to print, an event is generated and is logged in the Event Viewer. The Event Viewer also logs the date and time of the event, thus enabling the Administrator to be fully aware of the user’s activities.
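Both auditing examples in this handbook (the Delete and Delete Subfolders & Files auditing of user ‘cmc’ on folder Test in Chapter 5, and the printer auditing of user ‘shekhar’ just above) end in the same place: a set of Object Access entries in the security log that the Administrator reads in Event Viewer. Once the log has been saved from Event Viewer, the entries can be summarized with a short script. The following is an added example, not code from the handbook; it assumes a simplified tab-separated export with the columns date, time, source, type, category, event id, user, computer and description, and the description wording, the event id 560 and all the records are constructed stand-ins, so the regular expression must be adapted to a real export.

```python
"""Summarise Object Access audit entries saved from the Security log.

Added example, not from the handbook. Assumes a simplified tab-separated
export (date, time, source, type, category, event id, user, computer,
description). The event id 560, the description wording and every record
below are constructed; adapt OBJECT_RE to the real export format.
"""
import re
from collections import Counter

FIELDS = ("date", "time", "source", "type", "category", "event_id",
          "user", "computer", "description")

# Pulls the audited object and the access exercised out of the free-text
# description column (constructed wording, see the docstring).
OBJECT_RE = re.compile(
    r"Object Type: (?P<otype>\S+) Object Name: (?P<oname>.+?) Accesses: (?P<access>.+)$")

# Constructed sample export: file deletes by 'cmc' under folder Test and
# print jobs by 'shekhar' on the logical printer deskjet1.
SAMPLE_EXPORT = (
    "3/12/2008\t10:02:17\tSecurity\tSuccess Audit\tObject Access\t560\tcmc\tTSRV1\t"
    "Object Open: Object Type: File Object Name: D:\\Test\\old.txt Accesses: DELETE\n"
    "3/12/2008\t10:02:18\tSecurity\tSuccess Audit\tObject Access\t560\tcmc\tTSRV1\t"
    "Object Open: Object Type: File Object Name: D:\\Test\\sub Accesses: DELETE\n"
    "3/12/2008\t10:05:41\tSecurity\tFailure Audit\tObject Access\t560\tcmc\tTSRV1\t"
    "Object Open: Object Type: File Object Name: D:\\Payroll\\q1.xls Accesses: DELETE\n"
    "3/12/2008\t10:07:03\tSecurity\tSuccess Audit\tObject Access\t560\tneeraj\tTSRV1\t"
    "Object Open: Object Type: File Object Name: D:\\Test\\notes.txt Accesses: READ_CONTROL\n"
    "3/12/2008\t11:15:22\tSecurity\tSuccess Audit\tObject Access\t560\tshekhar\tTSRV1\t"
    "Object Open: Object Type: Printer Object Name: deskjet1 Accesses: Print\n"
    "3/12/2008\t11:40:09\tSecurity\tSuccess Audit\tObject Access\t560\tshekhar\tTSRV1\t"
    "Object Open: Object Type: Printer Object Name: deskjet1 Accesses: Print\n"
    "3/12/2008\t11:41:30\tSecurity\tFailure Audit\tObject Access\t560\tshekhar\tTSRV1\t"
    "Object Open: Object Type: Printer Object Name: deskjet1 Accesses: Manage Printers\n"
)


def parse_export(text):
    """Turn the exported lines into records with object_type, object_name
    and access fields added; malformed lines raise rather than vanish."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) != len(FIELDS):
            raise ValueError(f"unexpected column count in line: {line!r}")
        rec = dict(zip(FIELDS, cols))
        m = OBJECT_RE.search(rec["description"])
        if not m:
            raise ValueError(f"no object details in: {rec['description']!r}")
        rec.update(object_type=m["otype"], object_name=m["oname"],
                   access=m["access"].strip())
        records.append(rec)
    return records


def count_events(records, user=None, object_prefix=None, access=None, outcome=None):
    """Count records matching every given filter (None means any).
    object_prefix covers a folder and everything beneath it."""
    n = 0
    for r in records:
        if user is not None and r["user"].lower() != user.lower():
            continue
        if object_prefix is not None and not r["object_name"].lower().startswith(object_prefix.lower()):
            continue
        if access is not None and r["access"].lower() != access.lower():
            continue
        if outcome is not None and r["type"] != outcome:
            continue
        n += 1
    return n


def activity_by_user(records):
    """Per-user tally keyed by (object type, access, outcome)."""
    tally = {}
    for r in records:
        key = (r["object_type"], r["access"], r["type"])
        tally.setdefault(r["user"], Counter())[key] += 1
    return tally


def print_times(records, user, printer):
    """Date and time of each successful print by `user` on `printer`."""
    return [f'{r["date"]} {r["time"]}' for r in records
            if r["user"].lower() == user.lower()
            and r["object_name"].lower() == printer.lower()
            and r["access"] == "Print" and r["type"] == "Success Audit"]


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    print("cmc deletes under Test:",
          count_events(recs, user="cmc", object_prefix="D:\\Test", access="DELETE", outcome="Success Audit"))
    print("shekhar printed at:", print_times(recs, "shekhar", "deskjet1"))
```

Counting failures separately from successes is what makes the "Failed" checkbox in Fig. 6.26 worth enabling: the single failed Manage Printers attempt in the sample is the kind of entry an administrator wants to see on its own rather than buried among successful prints.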
GENERAL PRINTING PROBLEMS
A step-by-step and systematic approach helps you find the root cause of a printing problem quickly and more accurately. These problems may be:
Problem: A printer connected to a Thin-Client does not print.
Diagnosis: A problem might exist with the physical print device, the Thin-Client’s parallel port, network connectivity, the print driver, a print server, or the application you are trying to print from.
Solution: If the Thin-Client is able to connect to the terminal server but printing isn’t taking place, follow these steps to diagnose the problem:
• Ensure that the print device is powered on.
• Print a test page from the control panel of the printer. For example, on a Wipro LQ1050+DX Dot Matrix Printer, power on the printer while pressing the Line Feed (LF) button; the printer prints its self-test page.
• Check the print device and make sure that it is in a state to accept print jobs, i.e. the online LED is ON.
• Check the data signal cable to make sure it is connected properly. If the printer cable is loosely connected to the Thin-Client, the printer may print erroneous characters and skip pages while printing.
• Generally all Thin-Clients are shipped with a built-in operating system and some pre-installed applications like Pericom Emulation or telnet for connecting to Unix servers. These applications print directly to the parallel port. If you can get a printout on the print device from one of them, it confirms that the port is working fine.
• Make sure the Print Spooler service is running on the terminal server. If not, start it by going to Start -> Administrative Tools -> Services, selecting Print Spooler and starting it.
• If the printer driver is installed on the terminal server and printing still isn’t occurring, make sure that the client port assigned to the printer driver is correct. For example, if a Thin-Client’s name has been changed from SHEKHAR_231_254 to SHEKHAR_250_250, then the printer port for the Thin-Client printer should also be changed from CLIENT\SHEKHAR_231_254#\LP to CLIENT\SHEKHAR_250_250#\LP.
• If the port selection is correct, try to get a printout from the simplest application, like Notepad. If you cannot print from a text editor, the problem could lie with the printer driver. Ensure that the installed printer driver matches the make and model of the print device.
• If printing from Notepad works but you are still unable to print from a Windows application, check two things:
  o The free space on the disk could be very low; there may not be enough room even to spool the jobs.
  o The Windows application from which you are trying to print could have become corrupt. Repairing or reinstalling the application is then the only viable option.
• If the printer is a network printer connected directly to the network, check the LED indication on its network interface to verify connectivity. If other users can’t print on it either, the problem lies neither with the printer nor with the print server but with the network.
Problem: Printing of a multilingual document is not proper.
Diagnosis: Multiple language fonts are not installed on the Terminal Server.
Solution: Install fonts for the appropriate languages on the Terminal Server.
Problem: Users get an Access Denied message when trying to configure a printer from within an application, e.g. changing layout, print quality etc.
Diagnosis: The user does not have the appropriate permission to change the printer configuration.
Solution: Request the System Administrator to grant the ‘Manage Printers’ permission for changing the printer’s setup.
Problem: The document does not print completely or comes out garbled.
Diagnosis: The printer’s driver is either corrupted or incorrect.
Solution: Verify or reinstall the correct printer driver on the client computer. Check the communication cable for proper connectivity. A loosely connected data cable, poor paper quality or a defective cartridge may also cause this problem.
Problem: The document does not reach the print server.
Diagnosis: The hard disk might not have enough space for spooling the document.
Solution: Make sure the hard disk of the Terminal Server has enough disk space, or relocate the spool folder to another volume.
Problem: Documents on the print server will not print and cannot be deleted.
Diagnosis: The print spooler might be stalled.
Solution: On the print server, try to stop and restart the Print Spooler service.
Problem: A Thin-Client is trying to print from a 16-bit application but fails.
Diagnosis: A print device is not set as the default printer.
Solution: The print device selected for printing from a 16-bit application must be set as the default printer.
Problem: A printer connected to the USB port of a Thin-Client is not responding.
Diagnosis: You may be using Citrix’s ICA or Microsoft’s RDP 4.0 or below to connect Thin-Clients to the Terminal Server.
Solution: Unless you use Citrix’s MetaFrame in your Thin-Client/Server model, you wouldn’t be able to make a print device connected on the USB port work. Also, you wouldn’t be able to print through USB ports if you don’t use Microsoft’s RDP 5.0 or above to connect your Thin-Clients to the Terminal Server; RDP 4.0 or below don’t support printing through USB ports.
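The redirected port names introduced under "Configuring Client Printer on Windows 2000 Server" (CLIENT\<client name>#\LP, LP_COM1, LP_COM2) and the stale-port situation in the troubleshooting list above (a Thin-Client renamed from SHEKHAR_231_254 to SHEKHAR_250_250 while its printer still points at the old port) lend themselves to a scripted check. The following is an added example, not from the handbook: a parser for that port-name shape, a check that lists printers whose port names a client that is no longer known, and a rename helper. The printer list and client names are constructed; the server-side port spellings (LPT1:, COM1:) are assumed.

```python
"""Parse Thin-Client redirected printer ports and flag stale assignments.
Added example, not from the handbook; port-name shape follows the
handbook's examples, all printer and client data is constructed."""
import re

# CLIENT\SHEKHAR_231_254#\LP_COM1 -> client SHEKHAR_231_254, port LP_COM1.
# LP is the parallel port; LP_COMn are the client's serial ports.
CLIENT_PORT_RE = re.compile(
    r"^CLIENT\\(?P<client>[^\\#]+)#\\(?P<port>LP(?:_COM\d+)?)$", re.IGNORECASE)


def parse_client_port(port_name):
    """Return {'client', 'port', 'kind'} for a redirected client port, or
    None for a port that belongs to the server itself (LPT1:, COM1:, ...)."""
    m = CLIENT_PORT_RE.match(port_name)
    if not m:
        return None
    port = m["port"].upper()
    return {"client": m["client"], "port": port,
            "kind": "parallel" if port == "LP" else "serial"}


def stale_client_printers(printers, connected_clients):
    """printers: {printer name: port name}. Returns (printer, port, client)
    for every printer whose port names a client not in connected_clients,
    which is what happens after a Thin-Client rename."""
    known = {c.upper() for c in connected_clients}
    stale = []
    for name, port in printers.items():
        info = parse_client_port(port)
        if info is not None and info["client"].upper() not in known:
            stale.append((name, port, info["client"]))
    return stale


def rename_client_port(port_name, old_client, new_client):
    """Rewrite a redirected port after a client rename, keeping the port part;
    ports of other clients and server ports are returned unchanged."""
    info = parse_client_port(port_name)
    if info is None or info["client"].upper() != old_client.upper():
        return port_name
    return f"CLIENT\\{new_client}#\\{info['port']}"


if __name__ == "__main__":
    # Constructed printer-to-port table and the clients currently connected.
    printers = {"HP-Shekhar": "CLIENT\\SHEKHAR_231_254#\\LP",
                "HP-Neeraj": "CLIENT\\NEERAJ_231_10#\\LP",
                "Server LaserJet": "LPT1:"}
    for name, port, client in stale_client_printers(printers, ["SHEKHAR_250_250", "NEERAJ_231_10"]):
        print(f"{name}: port {port} refers to unknown client {client}")
```

The client list would normally come from the terminal server's session list; the script deliberately treats a server-local port as never stale, since only the client-announced ports change when a Thin-Client is renamed.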
7 Performance Monitoring & System Tuning
Performance monitoring is a method of ensuring that the Server’s resources are being utilized optimally. It involves a number of monitoring tools, which provide vast information in different formats for detailed analysis of the hardware and Operating System. This analysis in turn helps diagnose the bottlenecks of the system. Two of the well-known performance monitoring tools of Windows 2000 Server are the System Performance Monitor and Windows Task Manager. However, before formulating your performance monitoring policy, you must analyze which of the two is most suitable for you.
PERFORMANCE CONSOLE VS TASK MANAGER
Performance Monitor is the tool that provides you with a system log for extended analysis, whereas Task Manager provides a quick look into what is occurring on your system but doesn’t provide a mechanism for logging it. However, Task Manager lets you manage applications (i.e., processes) that might be adversely affecting your system.
PERFORMANCE CONSOLE
You can start the Performance console by visiting Start->Programs->Administrative Tools->Performance or by running the perfmon.msc command at the Windows command prompt (Fig. 7.1). In the ‘Performance’ window, there are two tools, namely ‘Performance Logs & Alerts’ and ‘System Monitor’.
Fig. 7.1
(1) Performance Logs & Alerts
The log is used for detailed analysis and record-keeping purposes. Retaining and analyzing log data collected over a period of several months can be helpful for administrative decisions and planning. Windows 2000 provides three types of performance-related logs, with the following features:
• Counter logs record sampled data about hardware resources and system services.
• Trace logs collect data on specified events such as disk and file I/O, page faults and thread activity. When the event occurs, a report for that particular event is logged from start to end.
• Alert logs are useful when you are not actively monitoring but want to be notified when a particular counter exceeds or falls below a specified value, so that you can investigate and determine the cause of the change.
Windows 2000 also provides the following add-on features for logs and reports: Viewing logged data is easier and more convenient. Counter logs can also be viewed in System Monitor. Data in counter logs can be saved as comma-separated or tab-separated files that are easily viewed with Excel. These logs can be designed as linear or circular. In linear logs, data is collected according to user-defined parameters; we can run the log for a specified length of time, stop when that parameter is met, and start a new log. In circular logs, data is recorded until the log reaches a user-defined size limit, and then it starts over. You can save log settings to an HTML file. Configuring logs and alerts is flexible and easy to manage. Users can manage multiple logging sessions from a single console window. These logs can be managed according to user-defined parameters such as their size and their start and stop schedule.
(2) System Monitor
In System Monitor we can view various parameters of the system in a graphical format that is easy to configure and analyze. The graphs can be saved in HTML or Excel formats.
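Because counter logs can be saved as comma-separated files, the alert idea described above (notify when a counter exceeds or falls below a value) can also be applied after the fact, over a saved log, for the kind of months-long review the text mentions. The following is an added example, not from the handbook or from Windows: it parses a constructed counter log that mirrors only the general layout of such a file (a timestamp column followed by one column per counter path), summarizes a counter, and evaluates over/under thresholds. The server name TSRV1, the counter paths and all sample values are constructed.

```python
"""Summarise a saved counter log and evaluate alert-style thresholds.
Added example, not from the handbook; the log text is constructed and
mirrors only the general layout (timestamp column, one column per counter)."""
import csv
import io
from statistics import mean

# Constructed sample log: four 15-second samples of three counters.
SAMPLE_COUNTER_LOG = r'''"(PDH-CSV 4.0)","\\TSRV1\Processor(_Total)\% Processor Time","\\TSRV1\Memory\Available Bytes","\\TSRV1\Terminal Services\Active Sessions"
"03/12/2008 09:00:00","12.5","268435456","14"
"03/12/2008 09:00:15","88.0","134217728","15"
"03/12/2008 09:00:30","95.2","4194304","15"
"03/12/2008 09:00:45","40.1","201326592","16"
'''

CPU = r"\\TSRV1\Processor(_Total)\% Processor Time"
MEM = r"\\TSRV1\Memory\Available Bytes"
SESSIONS = r"\\TSRV1\Terminal Services\Active Sessions"


def parse_counter_log(text):
    """Return (counter paths, rows); each row is (timestamp, {path: value}).
    A sample the counter could not supply (blank cell) is stored as None."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    paths = header[1:]
    rows = []
    for row in reader:
        if not row:
            continue
        values = {}
        for path, raw in zip(paths, row[1:]):
            try:
                values[path] = float(raw)
            except ValueError:
                values[path] = None
        rows.append((row[0], values))
    return paths, rows


def summarize(rows, path):
    """Min, max, average and sample count for one counter."""
    vals = [v[path] for _, v in rows if v.get(path) is not None]
    if not vals:
        raise ValueError(f"no samples for {path!r}")
    return {"min": min(vals), "max": max(vals), "avg": mean(vals), "samples": len(vals)}


def evaluate_alerts(rows, rules):
    """rules: (path, 'over' | 'under', limit). Returns every sample that
    crossed its limit as (timestamp, path, value), in log order."""
    hits = []
    for ts, values in rows:
        for path, direction, limit in rules:
            v = values.get(path)
            if v is None:
                continue
            if (direction == "over" and v > limit) or (direction == "under" and v < limit):
                hits.append((ts, path, v))
    return hits


if __name__ == "__main__":
    _, rows = parse_counter_log(SAMPLE_COUNTER_LOG)
    print(summarize(rows, CPU))
    for ts, path, v in evaluate_alerts(rows, [(CPU, "over", 80.0), (MEM, "under", 16 * 1024 * 1024)]):
        print(f"{ts}: {path} = {v}")
```

The thresholds in the usage block are illustrative; pick limits from the baseline a linear log of your own server gives you rather than from this sample.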
Features of System Monitor
System Monitor is designed for troubleshooting, diagnosis and short-term viewing of data. It provides you with the options to create graphs, bar charts (histograms), and text reports of performance counter data. System Monitor can be configured using either the toolbar or a shortcut menu. However, using the shortcut menu offers more control and flexibility in configuring the display. Let’s first understand how to configure System Monitor using the toolbar. In the toolbar, you can configure the following options (Fig. 7.2):
Fig. 7.2
C-9d:\N-Hand\Hnd7-1.pm5
143
144
PRACTICAL HANDBOOK OF THIN-CLIENT IMPLEMENTATION
• Type of display. Use the View Chart, View Histogram and View Report buttons.
• Data source. Click the View Current Activity button for real-time data, or the View Log File Data button for data from either a completed or a currently running log.
• Counters. Use the Add or Delete buttons as needed. You can also use the New Counter Set button to reset the display and select new counters. Clicking the Add button displays the Add Counters dialog box, as shown below (Fig. 7.3). You can also press the DEL key to delete a counter that is selected in the legend.
Fig. 7.3
• Data updates. Click Clear Display to clear the displayed data and obtain a fresh data sample for existing counters. To suspend data collection, click Freeze Display. Use the Update Data button to resume collection.
• Highlighting chart or histogram data. To accentuate the line or bar for a selected counter with white (default) or black (for light backgrounds), click Highlight on the toolbar.
• Importing or exporting counter settings. To save the displayed configuration to the Clipboard for insertion into a Web page, click Copy Properties. To import counter settings from the Clipboard into the current System Monitor display, click Paste Counter List.
• Configuring other System Monitor properties. To access colors, fonts or other settings that have no corresponding button on the toolbar, click Properties.
Configuration of System Monitor using the Shortcut Menu
When you right-click the System Monitor display, a shortcut menu appears with the following options:
• Add Counters. Use this option in the same way as the Add button on the toolbar.
• Save As. Use it to save the current display configuration under a new name. If you click Save on the Console menu instead, the current settings are stored over the blank version of Perfmon.msc that was installed with Windows 2000, which alters the default appearance.
• Properties. Click this to control all aspects of System Monitor data collection and display.
How to Operate System Monitor
• Data printing. You can print performance data in several ways:
  o Copy the current view to the Clipboard (by pressing ALT+PRINT SCREEN), start a paint program, paste in the image from the Clipboard, and then print it.
  o Add the System Monitor control to a Microsoft Office application such as Microsoft Word or Excel, configure it to display data, and then print from that program.
  o Save the System Monitor control as an HTML file by right-clicking the details pane of System Monitor and typing a file name for the HTML file to be created.
  o Import a log file in comma-separated (.csv) or tab-separated (.tsv) format into an Excel spreadsheet and print from that application.
• Know the features of individual counters. When adding counters, click Explain in the Add Counters dialog box of System Monitor or Performance Logs and Alerts to view counter descriptions.
• Getting more detailed analysis in a report. By default, reports display only one value for each counter: current data if the data source is real-time activity, or averaged data if the source is a log. Using the General properties tab, however, you can configure the report display to show different values, such as the maximum, minimum and so on.
• Arrange items in the legend. To sort entries in ascending or descending order for a category, click Object, Counter, Instance or Computer in the counter legend. For example, to sort all counters by name, click Counter.
• Select a group of counters or counter instances to monitor.
  o To select all counters or instances, click All counters or All instances.
  o To select specific counters or instances, click Select counters from list or Select instances from list.
  o To monitor a group of consecutive counters or instances in a list box, hold down the SHIFT key and scroll down through the items in the list box.
  o To select multiple, nonconsecutive counters or instances, hold down CTRL while selecting each item.
Points to Ponder
• Monitoring a large number of counters adds a high amount of overhead and can sometimes even make the system unresponsive to keyboard or mouse input. To reduce this burden, record the data in a binary log and view it in System Monitor afterwards.
• Maintain two separate instances of System Monitor if you want to monitor a large number of counters while keeping each graph relatively simple and organized. This method also helps in comparing them effectively.
• Instead of monitoring individual instances of a selected counter, you can use the _Total instance, which sums all instances’ values and reports them in System Monitor.
• To highlight a particular counter’s data, press CTRL+H or click Highlight on the toolbar.
• If you are working with a log file that is currently collecting data, you should click the Select Time Range button and keep moving the Time Range bar to the right to update the display.
UNDERSTANDING YOUR SERVER’S BEHAVIOR
As the old adage goes, “to understand a behavior, always learn to observe things very carefully and persistently”. The idea is to form a pattern that helps us conclude why a particular event occurs repeatedly. When troubleshooting erratic behavior of your system, watch the following hardware resources: memory, processors, disks and network components. The role assigned to a particular server decides which hardware resource is likely to become a bottleneck. The following table gives a detailed outlook (Table 7.1):
Table 7.1
Type of Server            Potential Bottlenecks
Terminal servers          Memory and processors
File and Print servers    Memory, disk, and network components
Mail/messaging servers    Processor, disk, and memory
Web servers               Disk, cache, and network components
Database servers          Disks and processor
Backup servers            Processor and network
Domain controllers        Memory, processor, network, and disk
Routine monitoring over periods ranging from days to weeks to months allows you to establish a baseline for system performance. A baseline is a measurement of various system parameters derived after collecting data over an extended period, across varying workloads and numbers of user connections. The baseline indicates how an individual resource, or a group of resources, is used during periods of normal activity. Let us now take a detailed look at a few performance counters.
Counters To Monitor Memory
To determine a baseline for your system, here are a few counters with which to create logs of memory usage over an extended period (from several weeks to a month).
• \Memory\Pages/sec: indicates the number of requested pages that were not immediately available in RAM and had to be read from the disk, or had to be written to the disk to make room for other pages. If your system experiences a high rate of hard page faults, the value of Memory\Pages/sec will be high. If the value of this counter is consistently above 20, one should seriously think about increasing the RAM.
• \Memory\Available Bytes: indicates how much physical memory remains after RAM has been allotted to running processes and the cache has been allotted its quota of memory. A constant lowering of this counter indicates that some program or application is experiencing a memory leak. A minimum of 4 MB should always be available.
• Process(All_processes)\Working Set: indicates the amount of RAM that a process is using to store its data. If this counter keeps increasing without any other process being added, then some existing process is contributing to a memory leak.
Counters To Monitor Processor
Processor bottlenecks occur when the processor is so busy that it cannot respond to requests for time. Here are a few counters to recognize the bottleneck:
• Processor\% Processor Time: if this rises constantly above 80 percent, the CPU is working very hard. This does not necessarily mean that the hardware needs to be upgraded. It could also be caused by an erroneous application generating a high number of interrupts, or by a single interrupt having been assigned to two hardware devices that are using the processor time. The counter described below can pinpoint the cause.
• Processor(_Total)\Interrupts/sec: this lists the total number of interrupts generated per second. If this value exceeds 3500 on a Pentium-based PC, try singling out the application that appears to be erroneous.
Counters To Monitor Hard Disk
If you suspect a disk-specific performance problem, monitor the following types of counters:
• Paging counters (Pages/sec under the Memory object): this records the rate at which pages are being read from disk into memory and written back. A value of more than 20 implies that the server needs more RAM.
• % Disk Time: this shows the percentage of time the physical disk is servicing read-and-write requests. A constantly high value indicates that more physical memory is required.
• Avg. Disk Queue Length: this shows the number of read and write requests waiting for the disk during the selected interval.
• Throughput counters (Disk Bytes/sec, Disk Read Bytes/sec, Disk Write Bytes/sec): these show you the number of requests expecting service by the disk. The values of these counters provide a measure of disk demand.
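As an added example (not from the handbook), the following Python script reads a counter log saved in the comma-separated format described earlier and checks it against the memory and processor thresholds quoted above. The server name TS1 and the sample rows are constructed; a breach only counts when it persists for several consecutive samples, which is the "consistently above" test the text applies.

```python
# Added example (not from the handbook): evaluate a counter log saved as a
# comma-separated file against the baseline thresholds this chapter quotes.
import csv
import io
from typing import Dict, List, Tuple

# (comparison, limit) per counter: a concern when the value is consistently
# on the wrong side of the limit, as the chapter says.
THRESHOLDS: Dict[str, Tuple[str, float]] = {
    r"\Memory\Pages/sec": (">", 20.0),                    # hard page faults
    r"\Memory\Available Bytes": ("<", 4 * 1024 * 1024),   # keep 4 MB free
    r"\Processor(_Total)\% Processor Time": (">", 80.0),  # CPU saturation
    r"\Processor(_Total)\Interrupts/sec": (">", 3500.0),  # interrupt storm
}

# Constructed sample in the PDH-CSV layout a counter log is saved in: the
# first column is the sample time, the rest are counter paths prefixed with
# the machine name (\\TS1 is made up). Cells are quoted, as PDH writes them.
SAMPLE_LOG = r'''"(PDH-CSV 4.0)","\\TS1\Memory\Pages/sec","\\TS1\Memory\Available Bytes","\\TS1\Processor(_Total)\% Processor Time","\\TS1\Processor(_Total)\Interrupts/sec"
"09:00:00","5","52428800","35","900"
"09:00:15","45","50331648","40","950"
"09:00:30","8","48234496","92","1100"
"09:00:45","30","3145728","95","1200"
"09:01:00","38","2097152","97","4200"
"09:01:15","41","1048576","99","1300"
"09:01:30","36","2621440","96","1250"
'''


def strip_machine(path: str) -> str:
    """Drop the leading machine name so one threshold table serves any server."""
    if path.startswith("\\\\"):
        return "\\" + path[2:].split("\\", 1)[1]
    return path


def parse_log(text: str) -> Dict[str, List[float]]:
    """Read a PDH-CSV log into {counter path: [samples]}. Blank cells, which
    PDH writes for a missed sample, are skipped rather than treated as 0."""
    reader = csv.reader(io.StringIO(text))
    names = [strip_machine(h) for h in next(reader)[1:]]
    series: Dict[str, List[float]] = {name: [] for name in names}
    for row in reader:
        for name, cell in zip(names, row[1:]):
            if cell.strip():
                series[name].append(float(cell))
    return series


def longest_run(flags: List[bool]) -> int:
    """Length of the longest streak of consecutive breaching samples."""
    best = cur = 0
    for flag in flags:
        cur = cur + 1 if flag else 0
        best = max(best, cur)
    return best


def evaluate(text: str, min_run: int = 3) -> Dict[str, dict]:
    """Per thresholded counter: breaching sample count, longest consecutive
    breach, and whether that is 'sustained' (>= min_run samples). A single
    spike is reported but not flagged, matching 'consistently above'."""
    series = parse_log(text)
    report: Dict[str, dict] = {}
    for name, (op, limit) in THRESHOLDS.items():
        values = series.get(name)
        if not values:
            continue  # counter was not collected in this log
        flags = [v > limit if op == ">" else v < limit for v in values]
        run = longest_run(flags)
        report[name] = {
            "samples": len(values),
            "breaching": sum(flags),
            "longest_run": run,
            "sustained": run >= min_run,
            "worst": max(values) if op == ">" else min(values),
        }
    return report


def diagnose(report: Dict[str, dict]) -> List[str]:
    """Map sustained breaches to the chapter's reading of each counter."""
    def hit(name: str) -> bool:
        return report.get(name, {}).get("sustained", False)

    findings = []
    if hit(r"\Memory\Pages/sec"):
        findings.append("Pages/sec consistently above 20: consider adding RAM")
    if hit(r"\Memory\Available Bytes"):
        findings.append("Available Bytes below 4 MB: check Working Sets for a leak")
    if hit(r"\Processor(_Total)\% Processor Time"):
        if hit(r"\Processor(_Total)\Interrupts/sec"):
            findings.append("CPU above 80% with an interrupt storm: suspect a faulty "
                            "application or a shared interrupt, not the CPU")
        else:
            findings.append("CPU consistently above 80% without an interrupt storm: "
                            "the processor is genuinely busy")
    return findings


if __name__ == "__main__":
    for finding in diagnose(evaluate(SAMPLE_LOG)):
        print(finding)
```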
Counters To Monitor Terminal Services
To ensure that your server provides optimum throughput, you must track the following counters:
• Active Sessions shows the number of active Terminal Services sessions.
• Inactive Sessions shows the number of inactive Terminal Services sessions.
• Total Sessions shows the total number of Terminal Services sessions.
Counters To Monitor Terminal Services Session
To monitor individual Terminal Services sessions, observe the following counters:
• % Processor Time: the percentage of elapsed time that a process thread takes to execute instructions on the processor.
• Total Bytes: the total number of bytes on this session, including all protocol overheads.
• Working Set: the current number of bytes in the working set of this process.
As an example, if you want to monitor the processor time for the ICA-tcp-10 session, select the highlighted items in Fig. 7.4 and click Add. The details of the ICA-tcp-10 session can be obtained through Start -> Programs -> Administrative Tools -> Terminal Services Manager.
Fig. 7.4
TASK MANAGER
Task Manager provides information about the applications currently running on your system. It also provides information about processes, memory usage and statistics about processor performance.
Accessing Task Manager
To start Task Manager, use any of these methods:
• Press CTRL+SHIFT+ESC.
• Right-click the taskbar, and then click Task Manager.
• Press CTRL+ALT+DEL, and then click Task Manager.
• At the command prompt, run taskmgr.
• Click Start -> Run and type taskmgr in the dialog box.
Operating Task Manager
Task Manager has three tabs: Applications, Processes and Performance. While Task Manager is running, the status bar always displays the total number of processes, CPU use and virtual memory use of the system. You can control the rate at which Task Manager updates its counts by setting the Update Speed option on the View menu:
• High. Updates every half-second.
• Normal. Updates once per second.
• Low. Updates every 4 seconds.
• Paused. Does not update automatically. Press F5 to update.
Monitoring Applications
In Task Manager, under the ‘Applications’ tab, you will find the list of all currently running applications (Fig. 7.5). Here you have the option to end a running application, switch to another application, or even start a new application.
Fig. 7.5
Monitoring Processes
In Task Manager, under the ‘Processes’ tab, you can find the list of running processes and measures of their performance (Fig. 7.6). The table includes all processes that run in their own address space, including all applications and system services.
Fig. 7.6
Monitoring the System
To observe real-time system performance of processor and memory usage in graphical and numerical display formats, click the ‘Performance’ tab, as shown below (Fig. 7.7):
Fig. 7.7
EVENT VIEWER
Event Viewer helps in finding out about hardware, software and system problems. These problems are logged by the Windows 2000 Server Operating System under three heads:
Application Log
It contains events logged by applications or programs. For example, an MS-Access program might record a file error in the application log. Application developers decide which events to log.
Security Log
It records events such as valid and invalid logon attempts, as well as events related to resource use such as creating, opening or deleting files or other objects. For example, if logon auditing is enabled, attempts to log on to the system are recorded in the security log.
System Log
The system log contains events logged by Windows system components. For example, the failure of a driver or other system component to load during startup is recorded in the system log.
SYSTEM TUNING
Tuning your server improves client response, helps you avoid bottlenecks and sometimes delays the need for a hardware upgrade. You can use the information from your monitoring program to decide how best to tune your server.
Memory Tuning
When you are working on a system with lazy response and slowly executing applications, it may be time to add a few more megabytes of memory. The technical reason for the system’s laziness may be that it is running low on memory and paging activity is high. Paging is the process of moving infrequently used pages from RAM to the hard disk. This frees up space to accommodate new processes; the pages are brought back from the hard disk as and when required. If paging is on the rise, I/O operations on the disk increase and a disk bottleneck intensifies. This in turn puts pressure on the processor to service numerous unwanted interrupts (for page requests), slowing down the entire system. There are two ways to determine the amount of memory in your computer: click the Performance tab in Task Manager, or double-click System in Control Panel and then click the General tab for the RAM value.
Adjusting Paging File Size
For virtual-memory support, Windows 2000 creates one paging file called ‘Pagefile.sys’ on the disk or volume on which the Operating System is installed. The default size of pagefile.sys is 1.5 times the physical memory if that is less than 2 GB; otherwise pagefile.sys is 2 GB. The maximum allowed file size is 4095 MB. If you require a larger paging file, you can work around this by creating more paging files on different volumes. A small paging file limits what can be stored and might exhaust the virtual memory available to applications. If you are short on RAM, more paging occurs, which generates extra activity for your disks and slows response times for the system. As the size and location of paging files can affect your system’s performance, you might want to modify them. To modify the virtual memory, right-click My Computer and select Properties; the following screen appears (Fig. 7.8):
Fig. 7.8
Click ‘Performance Options ...’ and you will see the screen shown in Fig. 7.9.
Fig. 7.9
Click Change, select the drive and specify the initial & maximum paging file size (Fig. 7.10).
Fig. 7.10
Points to Ponder While Deciding Paging File Size
• Ideally one should leave a small paging file on the boot volume and maintain a large paging file on the remaining volumes.
• Although Windows 2000 supports up to 4,095 MB for each paging file, you can supply large amounts of virtual memory to applications by maintaining multiple paging files. Distributing paging files across multiple disk drives and controllers improves performance because multiple disks can process input/output (I/O) requests concurrently in a round-robin fashion.
Server Performance Tuning
Performance tuning involves how the Operating System allocates CPU cycles to the various server processes. Basically, Windows 2000 classifies all processes into two categories:
1. Foreground applications: all applications that are interacting with the user, like MS Word, which is constantly attentive to the user, whether it is taking input or printing a job.
2. Background applications: system-specific jobs like logging, monitoring the health of various services, responding to users’ requests for shared resources and so on.
With Terminal Services installed on Windows 2000 in application mode, the server should always be optimized to run foreground applications better than background applications, as its basic purpose is to service clients who are running various applications. One can edit these parameters by right-clicking My Computer, selecting Properties, going to the ‘Advanced’ tab and selecting ‘Performance Options’; the following screen appears (Fig. 7.11).
Fig. 7.11
Select Applications in the case of a terminal server.
Optimizing Services
In general, Windows 2000 has been optimized so that only the most commonly used services run by default, and you need not turn off any services. However, you can reduce the system memory requirements by turning off some of the default services provided by the operating system.
To stop a service:
1. From the Start menu, point to Programs, point to Administrative Tools, and then click Services.
2. Right-click the name of a service, and then click Stop.
This procedure stops the service for the current session only. To disable the service permanently, you need to change the value for service start-up in its Properties dialog box. To use this dialog box, click Services in the ‘Administrative Tools’ menu or under the ‘Computer Management’ console, right-click the service you want to change, select Properties from the shortcut menu, and change the value in the ‘Startup type’ box to Disabled.
Tuning Disks
If your disk system is too slow, consider the following alternatives:
• Defragment the disk using Disk Defragmenter.
• Consider deploying a RAID 5 volume if your applications are read-intensive and require fault tolerance. Use of mirrored volumes for fault tolerance increases I/O performance. If you do not require fault tolerance, implement stripe sets for fast reading and writing and enhanced storage capacity. When stripe sets are implemented, disk utilization falls and overall throughput increases (due to the distribution of work across the physical disks).
• Place multiple drives on separate I/O buses, particularly if a disk has an I/O-intensive workload, and distribute the workload among them.
• Limit the use of file compression or encryption.
Integrating Thin-Clients with Linux Server
8
Before introducing you to the concept of integrating Thin-Clients with a Linux server, we will first introduce you to Open Source technology, as Linux is an Open Source product. Since Open Source is very much dependent on the Internet and has been developed on the Internet, the concepts will be explained in brief and URLs of web sites will be given for detailed and thorough study wherever necessary. This chapter assumes that the reader has user-level working experience on a Linux desktop and knows at least one text editor like vi, emacs or joe. If you wish to learn the vi editor, take the tutorial available at www.eng.hawaii.edu/Tutor/vi.html
WHAT IS LINUX?
If you are familiar with the Open Source philosophy, you must have heard the hue and cry being raised about the Linux Operating System. Linux is a Unix-like, freely distributed computer Operating System (OS). Initially it was designed to run on systems based on the Intel x86 family of processors, but with time it has been developed to suit a wide range of computer hardware configurations: HP Alpha, all Intel-based, AMD, Cyrix, IDE, Transmeta, Mac, Sun Sparc, Amiga computers etc. can run Linux. Linux is a Unix-like Operating System but not a version of Unix, whereas the other freely distributed Operating System, FreeBSD, was started from the source code of Berkeley Unix. The FreeBSD kernel source has its roots in Unix soil and can therefore be considered a derivative of Unix. The Linux kernel, however, was written from scratch by Linus Torvalds and has no reference to Unix source code. The Linux kernel comes under a special type of copyright called the GPL: the complete source code is available to everyone and can be modified by anybody to suit his/her requirements. Linux is a multi-user, multitasking Operating System that supports networking & journaling file systems. It comes with built-in features like the gcc compiler, shell interpreters, the vi and emacs editors, the X Window based GUI, Ghostscript etc. These powerful features were earlier available only on gigantic mainframes, but nowadays the same features are available to home users and small enterprises at affordable or no cost at all through Linux and similar Open Source OSs. Thanks to Open Source, lots of utilities and applications are being ported to and developed on the Linux platform. Thousands of applications have already been developed under the General Public License and the like.
A vast number of organizations and vendors are supporting widespread usage of Linux as the preferred desktop Operating System for personal and business computers. The primary reasons behind this worldwide support are (1) savings in terms of licensing fees charged by proprietary desktop application vendors and (2) the inherent security and manageability features of Linux. Considering these benefits, more users are adopting Linux as their preferred Operating System. Double-digit growth has been recorded every year in Linux servers. IDC research shows that Linux adoption will reach around 29% of the market share by 2008. But Linux on the personal desktop is still lagging and has a long way to go: it had only a 2.3% market share in 2003 and is not expected to increase dramatically in the next couple of years. No doubt Linux has made its initial inroads and market penetration in the back-end server arena, where applications such as file servers, mail servers, proxy servers, databases and Web servers reside. Companies have embraced Linux in this capacity to take advantage of the secure, manageable, affordable and reliable nature of Linux servers relative to alternative Operating Systems. To use the model of Geoffrey Moore, author of the popular book ‘Crossing the Chasm’, Linux at the server level seems to be crossing the chasm from the level of early technology adopters and innovators to mainstream adoption. Desktop Linux, however, is still in the early adoption phase due to significant existing investments in, and familiarity with, popular and pervasive Microsoft Windows-based applications that challenge the rapid overall adoption of Linux-based client devices. The fact is that desktop Linux is not just about PCs. The movement to desktop Linux is in part led by a rapidly growing Thin-Client market, in which a server-centric approach with attached thin computing devices at the desktop is providing a much more versatile, cost-effective, secure and manageable IT environment.
Accounting for more than 20% of the current worldwide Thin-Client market, which is outpacing PC shipment growth, Linux Thin-Clients are becoming a popular choice as companies and organizations look to cut costs and fulfill Linux mandates. You can imagine a rapid movement towards Thin-Clients on the Linux platform as more companies, organizations, vertical markets and global regions embrace the advantages of Open Source computing. It has been predicted that in 2004-2005, Thin-Clients will drive Linux desktops further across the chasm towards the mainstream. As Red Hat chairman and CEO Matthew Szulik puts it in an article, “Our challenge will be challenging the way people have historically thought about having a fixed device. Our customers are now talking about Thin-Clients, our customers are talking about accessing data from anywhere...” “Thin-Clients present a cost-effective alternative to the traditional desktop machines,” said Bill Weinberg, Open Source architecture specialist for Open Source Development Labs (OSDL). “Linux-based Thin-Clients provide a valuable tool for smooth migration to Linux in the enterprise, from data center to desktop and beyond.”
HISTORY OF LINUX
Below are two posts on the comp.os.minix newsgroup by a Finnish student, which will help us understand a lot about the history of Linux.
> From: [email protected] (Linus Benedict Torvalds)
> Newsgroups: comp.os.minix
> Subject: What would you like to see most in minix?
> Summary: small poll for my new Operating System
> Message-ID:
> Date: 25 Aug 91 20:57:08 GMT
> Organization: University of Helsinki
>
> Hello everybody out there using minix
>
> I’m doing a (free) Operating System (just a hobby, won’t be big and
> professional like gnu) for 386(486) AT clones. This has been brewing
> since april, and is starting to get ready. I’d like any feedback on
> things people like/dislike in minix, as my OS resembles it somewhat
> (same physical layout of the file-system (due to practical reasons)
> among other things).
>
> I’ve currently ported bash(1.08) and gcc(1.40), and things seem to work.
> This implies that I’ll get something practical within a few months, and
> I’d like to know what features most people would want. Any suggestions
> are welcome, but I won’t promise I’ll implement them :-)
>
> Linus (torvalds@kruuna.helsinki.fi)
>
> PS. Yes - it’s free of any minix code, and it has a multi-threaded fs.
> It is NOT protable (uses 386 task switching etc), and it probably never
> will support anything other than AT-harddisks, as that’s all I have.
Below is part of a post on comp.os.minix on October 5th, 1991 announcing the birth of Linux. (The complete text is available at http://www.quantumLinux.com/links/Linux.html)
> Do you pine for the nice days of minix-1.1, when men were men and wrote their own device drivers? Do you want to cut your teeth on an Operating System that will achieve world domination within 15 years? Want to get rich quick by the end of the century by taking money from hordes of venture capitalists and clueless Wall Street suits? Need to get even with Bill Gates but don’t know what to do except throw cream pies at him? Then this post might just be for you.
The student was Linus Benedict Torvalds, and the “hobby” he spoke of eventually became what we know today as Linux. Linux is being developed on the Internet by several thousand people, first and foremost by Linus Torvalds, who created Linux for the 80386 in 1991. Nowadays, Linux is being tested and used by perhaps millions. Since the Internet has played a vital role in the development of Linux and Open Source (and is still playing one in a more meaningful way), we refer to Internet URLs here and there. Recommended reading: http://humorix.org/articles/2000/01/Linux-history1/
IT’S A HETEROGENEOUS WORLD AND MANAGEMENT IS CRITICAL
Applied to the Open Source environment, Linux Thin-Clients are designed to operate in a heterogeneous OS environment running multiple applications simultaneously. Linux Thin-Clients can offer Windows, Linux, Java, text-based or browser-based applications, delivering a manageable client unlike other desktop Linux configurations. An essential element of Linux Thin-Clients and their increasing market adoption is the fact that Thin-Clients essentially function as network devices rather than “fat” clients, and as such are much easier to manage, configure, upgrade and protect than Linux desktop PCs. Thus, the adoption of additional network devices in the form of Thin-Clients is a simple integration that does not present an increased burden on management costs or resources.
UNDERSTANDING JARGON: FSF, GNU, GPL, LGPL, COPYLEFT?
Richard M. Stallman (RMS) founded the Free Software Foundation (FSF). Its purpose was to provide software for use by the world that is not founded on the principles of stringent patent laws, high prices or restrictive copyrights. The FSF started a project called GNU. GNU is a recursive acronym standing for “GNU’s Not Unix”. Its aim was to produce a fully functional, Unix-compatible Operating System completely free of copyrighted code, which could be used by anyone freely. Since the code is publicly available to use and modify, it is better to call this copyleft in place of copyright. The license under which GNU software is released is known as the GNU General Public License (GPL). The GPL has variants such as the Free Documentation License (FDL) and the Lesser General Public License (LGPL). The FDL grants a GPL-type license for documentation. The LGPL, the successor of the GNU Library General Public License, describes the freedom to use, distribute and modify the sources and is less restrictive than the GPL; it is often used for software libraries. The GNU Lesser General Public License is used only by a few (not all) GNU libraries. This license was formerly called the Library GPL, and GNU is increasingly discouraging the use of the LGPL in favor of the GPL. Although GNU was proposed in the mid-eighties, it was not until the early nineties that it became a reality. Before that time, many GNU utilities such as gcc (the GNU C compiler), bash (the Bourne-again shell), the emacs editor etc. were developed. Linus Torvalds joined the Richard Stallman movement and tagged his Operating System kernel with GNU. GNU programs are free in the sense that there are no copyrights, but the programs are protected by the GPL (GNU General Public License). A copy of the GPL is attached to all GNU software.
To understand the philosophy of Open Source software, and to really understand why so many people around the world are writing complex code without expecting anything in return, we recommend reading “Free for All: How Linux and the Free Software Movement Undercut the High-Tech Titans” by Peter Wayner. It can be downloaded from http://www.wayner.org/books/ffa/
LINUX or GNU/LINUX?
By now you have understood that the Linux kernel was initially developed by Linus Torvalds and is copyrighted in his name only. Later, a lot of system programmers around the world contributed, and are still contributing, to make the kernel stable, faster, bug-free and feature-rich. Similarly, application developers have contributed in the following ways:
• by porting applications from other Operating Systems,
• by cloning applications available in other operating environments, and
• by creating new pieces of software individually and/or in collaboration with other Open Source enthusiasts all over the world.
Most of the applications developed by these application developers are under GNU. An Operating System kernel without applications is of no use to common people. To make the Linux kernel usable for the end user, thousands of GNU applications are packed on a Linux CD. Although in general a set of Linux Operating System CDs is referred to as ‘Linux’ in place of ‘GNU/Linux’ in conversation and writing, it is better to call it GNU/Linux. Some people think that in 1991 a single person created a complete Operating System called Linux, but actually it is not so. A lot of people have been working on the GNU Project since 1984 to produce Open Source software.
COST OF LINUX OPERATING SYSTEM
If we say Linux costs nothing, it will be a real shock to readers who are so familiar with proprietary software. But it is true that GNU/Linux is free. The Linux Kernel accompanied with various GNU applications is freely available to everyone. This is the reason why there are thousands of Linux distributions. Generally, a distributor does not charge for the software but for its services. So it is very easy to get a GNU/Linux distribution for a meager sum of Rs. 100/-. That includes the cost of 3 to 4 CDs of the Operating System and the service charges of the distributor too!! However, you may get it absolutely free:
• If you have a high-speed Internet connection and spare time to download it.
• You may ask your city Linux user group’s mailing list to send it (mailing lists will be explained later in this chapter).
• Or someone could lend you a copy, which you may copy, use and distribute.
But be sure that software that is not available under GNU or similar license policies will not be packed on a CD obtained by you by the above methods. Or, in the rare case that you have somehow obtained it, you are authorized to use it personally only. In case you need it for commercial purposes or on a production system, you are required to pay the developers. For example, Oracle Database is a licensed product and has to be purchased separately for use on your GNU/Linux installation. You are not authorized to use a pirated copy of Oracle Database on your Linux OS just assuming that your OS is free. Further, we will explain this with the example of the very prestigious and widely used Open Source office application OpenOffice (OO) and its commercial counterpart, the StarOffice software. In 1999 StarOffice was bought by Sun Microsystems from StarDivision Inc.
(1) The source code available at OpenOffice.org does not consist of all of the StarOffice code. Usually, the reason for this is that Sun pays to license third-party code to include in StarOffice.
Those things which are or will be present in StarOffice but are not available on OpenOffice.org include:
• Certain fonts (including, especially, Asian language fonts)
• The database component
• Some templates
• Extensive Clip Art Gallery
• Some sorting functionality (Asian versions)
• Certain file filters
You may use OpenOffice.org binaries or source code for commercial use just by downloading them from its site. But to use StarOffice you have to pay Sun. StarOffice is much cheaper than other office applications available in the market. It costs Rs. 7500/- only for a 25-user license. This cost includes support charges too. If you are going to use it for educational purposes (not for commercial training), just contact Sun. They will ship it to you with no license fees but charge you the cost of media and shipping.
(2) OpenOffice and StarOffice are available for almost all Operating Systems. So it is very useful to organizations that wish to provide a similar feel on all available Operating Systems to their users.
INTEGRATING THIN-CLIENTS WITH LINUX SERVER
(3) OpenOffice code is released under the LGPL, so it can never be taken away by anyone in the world. Once software is under the LGPL, it is always under the LGPL. Sun Microsystems has no plans to return to a closed-development model. Sun is subject to the same rules as the rest of the community, including giving back modifications under the LGPL. Thus, Sun can never take away the code and the community’s contributions to it.
WHAT IS A LINUX DISTRIBUTION?
The parts of a Linux distribution are:
• Operating System (OS) - It consists of the shell, device drivers, system calls, memory management code, application interface, system administration and monitoring utilities, kernel configuration and tuning files, etc.
• Server Software - includes the SAMBA server, Web Server (apache), Mail Server (Qmail, Sendmail, Postfix), Database server (mysql, PostgreSQL).
• Application Software - includes Package Installer (rpm, apt), Word Processor (OO, Kword), multimedia related software, image manipulation software (GIMP), Web browser (Mozilla, Netscape), compression utilities (bzip2, gzip), backup utilities (tar, cpio), etc.
It is obvious by now that a Linux distribution is, in a basic sense, a set of packages that together make up the Operating System. However, it is a little more than that. In order to install the Operating System, the tools to perform the installation must be made available to the user in the correct order. Various distributions will allow:
• Different tools and methods to set the system up.
• Various ways of installation like Desktop, Server, Custom, etc.
• Various choices of packages to install.
The core of the Operating System is still likely to be the same or similar, and many of the packages used are the same too. However, a user can get additional packages and install them on the Operating System. One distribution may differ from another in how the Operating System installation takes place, how it boots, what type of package installer it uses (e.g. rpm or deb), which application software has been packed on the CD, how many CDs the distribution occupies, etc. In short, a Linux distribution or GNU/Linux distribution (or a distro) is a Unix-like Operating System plus application software comprising the Linux kernel, the GNU Operating System, assorted free software and sometimes proprietary software, all created by individuals, groups or organizations from around the world.
Companies such as Red Hat, SuSE and MandrakeSoft, as well as community projects such as Debian, Gentoo, Knoppix and Gnoppix Linux, assemble and test the software and provide it as a complete system, more or less ready to install and use. There are over 200 different Linux distributions in active development.
BENEFITS OF USING LINUX WITH THIN-CLIENT
The benefits of using Thin-Clients with the Linux OS are the same as discussed in chapter one, “Introducing Thin-Clients”, under the title “BENEFIT OF THIN-CLIENT IMPLEMENTATION”. But there is still scope to add a few more points under TCO, security, reliability and affordability.
Cost Saving
Definitely, adopting Thin-Clients with the Linux Operating System helps in huge cost saving.
• We don’t have to pay any license fee for the Operating System. Whereas in the case of a proprietary server-class Operating System, you need to shell out quite a hefty sum for the licenses.
• You are not required to buy licenses to access server resources thru your Thin-Clients using Operating System services. In the case of the Windows Operating System, you need to have CAL licenses. For example, if you are using the server as a file server to save 100 users’ data on server storage, you have to buy 100 CAL licenses. In the Linux OS no such license is required.
• You are not required to spend money on licenses to use the Terminal Services of the Operating System. For example, you must buy 100 TSCAL licenses for 100 Thin-Clients to connect to a Windows server. In Linux the Terminal Services (LTSP and PXES) are available at zero cost for download. You can connect as many Thin-Clients as your server resources allow.
• Support for installation and configuration is free thru various mailing lists and discussion forums. People are ready to share their experiences and answer the queries raised by new administrators and users. In the case of a proprietary Operating System or a Terminal Services layered product like Citrix Metaframe, you have to have an agreement with the respective company to get support. A really costly affair. Not only this, they may even conclude the problem as “upgrade to the new version”, which is again going to be a priced item!!!
• User manuals and technical literature for Linux related software and services are free to download. You almost never require to buy a copy of these from a publisher. But in the case of a proprietary OS, you have to buy literature in the form of costly books. Not only this, the Linux related downloadable versions are frequently updated. For a new version of printed media, you have to wait till all the copies in the publisher’s store are sold out or they feel like producing a new book because of an entirely new avatar of the software.
Security Perhaps the most important advantage of a Linux configuration lies in the security advantages of Thin-Clients in an Open Source environment. Unlike Linux desktop PCs, which run a variety of network services and local applications that are prone to virus attacks and security intrusions, Linux Thin-Clients do not house vulnerable applications at the desktop. In addition, Linux Thin-Clients are in a “locked down” configuration, with no floppy drives, extraneous peripherals, or software downloads that can introduce additional security threats.
Reliable and Affordable
Another key benefit of the Linux Thin-Client is that it is extremely reliable. Unlike PCs, Thin-Clients have no moving parts such as fans, a hard drive, CD-ROM, or floppy drive. When it comes to cost, according to a survey by TechRepublic, initial purchase price and licensing cost are the primary reasons businesses are motivated to deploy Linux servers. But when it comes to the Linux desktop, the difference in licensing cost is not as much, and hardware requirements are equal to a Windows-based PC. Additionally, the total cost of ownership (TCO) of a desktop Linux PC is not significantly lower than a Windows-based PC. In fact, a few research firms claim that Windows desktop PCs have a lower TCO than Linux desktops. Thin-Clients, on the other hand, help businesses save the licensing cost and also decrease the migration cost, since they can easily integrate into an existing heterogeneous corporate infrastructure. Additionally, with Thin-Clients the ongoing cost or TCO is minimized due to a longer hardware life cycle, virtually no need for software or hardware upgrades for at least 3-5 years, and no need for expensive desktop administrators.
DRAWBACKS OF USING LINUX
Here again, all the points mentioned under the title “Thin-Clients are not for” in the chapter “Introducing Thin-Clients” hold true. The only thing that can be added here is that GUI applications running on Linux are rather more resource-hungry than similar applications running on other commercial proprietary Operating Systems. For a well-experienced administrator, it is possible to make them comparable by switching off unused daemons and stopping applications that are not required.
BASIC REQUIREMENTS OF THIN-CLIENT IMPLEMENTATION
It’s not unusual to have 50 clients, all running Mozilla and OpenOffice from a dual P4 2.4 GHz server with 4 GB of RAM. It has been observed that the load average is rarely above 1.0. We have already discussed the hardware requirements in chapter one. That holds true here too. But a few additional topics are elaborated here.
Network Bandwidth Requirement for Each Thin-Client
The quick answer is: it depends. It depends on what type of applications are being accessed from the Thin-Clients. For example, your Thin-Client requires more bandwidth if you are using a multimedia application and less bandwidth when you use a word processor merely to create a text document. The network technology and the applications you are going to access thru the Thin-Client will be the deciding factors as to how many Thin-Clients can concurrently work with your Linux server. There may be a possibility that you have a Fast Ethernet network that can pipe 100 Mbps of data but such old Thin-Clients that their network interface supports only 10 Mbps half-duplex connectivity. In this case you have to either set the port on your network device to auto-negotiation (if it supports it and it works fine for you) or change the connecting port characteristics manually to match your Thin-Client’s network interface. These parameters are documented by all good manufacturers in the product’s technical datasheet. The general rule of thumb is that each client will only use a little more than 1 Mbps most of the time. We did some tests with LTSP and used RRDtool to graph bandwidth utilization, and it is really quite small. RRDtool is a graphing and logging tool (Fig. 8.1). RRD is the acronym for Round Robin Database. It is a system to store and display time-series data (i.e. network bandwidth, machine-room temperature, server load average). It stores the data in a very compact way that will not expand over time, and it presents useful graphs by processing the data to enforce a certain data density. It can be used either via simple wrapper scripts (from the shell or Perl) or via front ends that poll network devices and put a friendly user interface on it.
RRDtool can be downloaded from http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/download.html. Currently it compiles on a number of different Unix platforms as well as on NT. If you can program, you can use RRDtool right out of the box; if you don’t program, you can use one of several front ends (http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/rrdworld/) which use RRDtool. If you want to monitor your Linux server, we recommend the webmin module (Fig. 8.1). It’s called webminstats and it’s very slick. The webminstats project homepage is http://webminstats.sf.net/. The requirements are webmin, perl, and rrdtool. To know more about webmin you may read the article at http://nansari.cjb.net/webmin.html
Fig. 8.1
If performance is not up to expectation, you have to analyze server resources as well as network usage. If you conclude that the problem is due to the network throughput of your server’s network interface, or that the number of clients you wish to support thru a single network card is rather high, it is strongly recommended to put more Ethernet cards in the server. You then use the Linux “bonding” module to bond two 100 Mbps Ethernet cards together in your server.
You might be aware that Ethernet becomes very inefficient under high load, so it is best practice to try to keep traffic utilization averaged under 35-40% on the server if you can. It will help you to maintain low network latency.
Choosing a Linux Distribution
In Linux based installations you have the choice of selecting a distribution out of the thousands available in the world market, either free to download or at a meager sum. While choosing a Linux distribution, choose one:
• On which you feel comfortable and have already worked.
• Having mailing list and LUG (Linux user group) support, which can be availed of in case of difficulties.
INSTALLING A LINUX DISTRIBUTION ON YOUR SERVER
The days are gone when installation of Linux was an expert’s job. Nowadays, Linux distributions come with a nice graphical installer that will guide you thru the installation. All the distributions come with an installation guide in text, htm and pdf formats. Also, the web site of your distribution will provide extensive installation help. A few popular distributions have dedicated mailing lists for installation related issues. Just browse the mail archive of the installation mailing list; probably someone else has already posted a mail about the problem you are going to ask about and got a reply from a knowledgeable member of that mailing list. You should also search the ‘google’ search engine’s Linux database at http://www.google.com/Linux. If you are still not able to solve the problem, post a query to the mailing list of that particular distribution or to the Linux India Help mailing list. You can visit the Linux India Help mailing list page at https://lists.sf.net/lists/listinfo/Linux-india-help.
CONFIGURING THIN-CLIENTS TO WORK WITH LINUX The Thin-Clients may be configured with basic or full versions of Linux.
Bare Minimum Configuration
To make the Thin-Client connect to the Linux Server and work as a PC, you need to know how to configure the X Display Manager Control Protocol (XDMCP). XDMCP provides a means for a user sitting at one (client) computer running X to communicate with another (server) computer running an X display manager. Once a connection is established, the user can log in and run programs as if the user were sitting at the remote computer. The client where the user sits is often referred to as an ‘X terminal’. This is why Thin-Clients having support for XDMCP are sometimes called X-Terminals. Before you start configuration, you have to determine which display manager is running on your server. It can be determined from the output of the command ‘ps x | grep -E "gdm|xdm|kdm"’ run as the root user. Now you have to configure this Linux X display manager to accept XDMCP requests. Follow the steps below (they may vary from one distribution to another).
The xdm usually runs as a local copy of X on the server. It can serve requests from remote hosts over a network. The xdm configuration file is /etc/X11/xdm/xdm-config. Xdm uses this file for all its configuration and logging. The file /etc/X11/xdm/xdm-config should be altered so that it listens for XDMCP connections. In some distributions, it is set not to listen to any XDMCP request. This is for security reasons. Ensure that the line setting the variable below is commented out using “!”:
    ! DisplayManager.requestPort:  0
Now your Linux server can listen to all of the XDMCP requests. The kdm also reads the same file in some distributions and /etc/X11/kdm in some others. The working of kdm is exactly the same as xdm except for the configuration file. The Xsession file is what makes the environment available to users. Changes have to be made in /etc/kde/kdm/kdmrc, which is a symbolic link to /etc/X11/xdm/kdmrc (plenty of explanation is available in this file). To give all hosts access to the server, remove the initial # from one of the lines below:
    #*                     # Any host can get a login window
    or
    #*      CHOOSER %hostlist      #
One of the above lines should be in /etc/X11/xdm/Xaccess or in the /etc/X11/kdm file. The first line will set up your server in broadcast mode, meaning it will list all the X-Servers that are listening and are willing to manage your X connections. The second line will allow only those hosts that are listed in the %hostlist variable in the Xaccess file. You can list any number of hosts by separating them with white space. For security reasons, change the mode of the file to 644 by issuing the commands “chmod 644 /etc/X11/xdm/Xaccess” and “chmod 644 /etc/X11/kdm”. Now your Linux server can listen to all of the XDMCP requests.
The gdm display manager is a new avatar of xdm. In most distros this is the default display manager, e.g. in the Fedora Core 3 distribution. It has similar functions to the xdm and kdm display managers. It reads the configuration file /etc/X11/gdm/gdm.conf. The gdm.conf file contains several sections having many variables in each section; the variables are more than 100 in number. Sessions is a subdirectory in /etc/X11/gdm. This directory contains a script for each session (failsafe, KDE, GNOME, Default). Each script has a line that calls Xsession with the appropriate arguments. For example, the GNOME script has the line ‘exec /etc/X11/xdm/Xsession gnome’. It will execute Xsession with the ‘gnome’ argument. To activate XDMCP, causing it to listen for requests, you have to change the variable Enable=0 to Enable=1. Frequently the words false and true are used in place of 0 and 1 respectively. You have to do it in /etc/X11/gdm/gdm.conf for gdm. This line can be found under the [xdmcp] section and looks like this:
    [xdmcp]
    Enable=true
Older versions of gdm may accept this setting as Enable=1. When enabling xdmcp, make sure that there are no unplugged security loopholes, as your server is now going to be accessed by others. Sometimes you have to make sure that static name lookups for the clients are present in /etc/hosts. Alternatively, GDM can be configured with much ease thru a GUI interface, if available.
In Fedora Core 3, go to Application->System Settings->Login Screen. You will get a screen as in Fig. 8.2. In the XDMCP section of this window, check the box against ‘Enable XDMCP’ and change the other options according to your need, except ‘Listen to UDP port’.
Fig. 8.2
Note: Printing from the client system will be an issue in this basic type of configuration. All the Thin-Clients come with the Unix printing daemon called ‘lpd’. You have to use the ‘lpd’ remote printing method to get the printout on the client machine. Insert ‘rm=’ under the printer configuration section in the /etc/printcap file. You may like to visit http://linuxprinting.org/ for extensive information on Linux printing.
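An added audit script, not from the book, that reads the three files the Bare Minimum Configuration section edits (/etc/X11/gdm/gdm.conf, /etc/X11/xdm/xdm-config and /etc/X11/xdm/Xaccess) and reports whether each setting leaves the server answering XDMCP requests, and from which hosts; the sample tree that demo() writes is constructed for this example.

```shell
#!/bin/sh
# Added audit helper, not code from the book: reads the files the chapter
# edits and reports whether each would let the server answer XDMCP requests.
# The paths are the ones named in the text; the sample files that demo()
# writes under a temporary directory are constructed for this example.

# gdm: print "enabled" if Enable= under the [xdmcp] section is true or 1,
# "disabled" otherwise (an Enable= line in another section is ignored).
gdm_xdmcp_state() {
    awk -F= '
        /^[[:space:]]*\[/ { in_sec = ($0 ~ /^[[:space:]]*\[xdmcp\][[:space:]]*$/); next }
        in_sec && $1 ~ /^[[:space:]]*Enable[[:space:]]*$/ {
            v = tolower($2); gsub(/[[:space:]]/, "", v); found = 1
            print ((v == "true" || v == "1") ? "enabled" : "disabled"); exit
        }
        END { if (!found) print "disabled" }
    ' "$1"
}

# xdm/kdm: an uncommented "DisplayManager.requestPort: 0" line turns XDMCP off;
# once it is commented out with "!" (as the chapter instructs) xdm listens on
# the default UDP port 177.
xdm_xdmcp_state() {
    if grep -Eq '^[[:space:]]*DisplayManager\.requestPort:[[:space:]]*0[[:space:]]*$' "$1"; then
        echo disabled
    else
        echo enabled
    fi
}

# Xaccess: return 0 (true) when an uncommented entry starts with "*", i.e.
# every host may request a login window or a chooser; 1 otherwise.
xaccess_open_to_all() {
    grep -Eq '^[[:space:]]*\*([[:space:]]|$)' "$1"
}

# Print one summary line per file found under DIR (default /etc/X11).
audit_xdmcp() {
    dir=${1:-/etc/X11}
    if [ -f "$dir/gdm/gdm.conf" ]; then
        echo "gdm.conf: XDMCP $(gdm_xdmcp_state "$dir/gdm/gdm.conf")"
    fi
    if [ -f "$dir/xdm/xdm-config" ]; then
        echo "xdm-config: XDMCP $(xdm_xdmcp_state "$dir/xdm/xdm-config")"
    fi
    if [ -f "$dir/xdm/Xaccess" ]; then
        if xaccess_open_to_all "$dir/xdm/Xaccess"; then
            echo "Xaccess: any host may request a login window (*)"
        else
            echo "Xaccess: only listed hosts may connect"
        fi
    fi
}

# Constructed sample tree: XDMCP switched on in gdm.conf, still off in
# xdm-config, and Xaccess left wide open.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/gdm" "$d/xdm"
    printf '[daemon]\nEnable=true\n\n[xdmcp]\nEnable=true\nPort=177\n' > "$d/gdm/gdm.conf"
    printf 'DisplayManager.requestPort: 0\n' > "$d/xdm/xdm-config"
    printf '*\t\t\t# Any host can get a login window\n' > "$d/xdm/Xaccess"
    audit_xdmcp "$d"
    rm -rf "$d"
}

demo
```

Run audit_xdmcp /etc/X11 on the server after making the chapter's edits to confirm which hosts can now request a login screen from it.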
Changing the Default Display Manager
The display manager gdm is the default display manager in most distributions. It is undisputable that gdm and kdm are a bit resource intensive. As per requirement, a less resource-demanding display manager such as the Tomcat Window Manager (twm) can be installed. Let us see how to change the display manager to ‘twm’ with the Fedora Core 3 distribution (with other distributions the process will be similar). The ‘twm’ manager is generally available with all distributions. If it is not available with your distribution, you may download it from www.xfree86.org. To find the binary of ‘twm’, run the command ‘locate twm | grep bin’. The output on Fedora Core 3 is /usr/X11R6/bin/twm.
• If your user is starting X Windows from the command line by running the ‘startx’ command, you have to modify the .xinitrc file in the user’s home directory. Simply add one line, ‘exec /usr/X11R6/bin/twm’, to this file. If the file doesn’t exist, create it. The next time the user starts X Windows by running the ‘startx’ command, the twm window manager will start. Since we have not added any X application to start with twm, only the window manager will start, displaying an ‘X’ sign at the center of the screen. Right-click on the screen and click xterm to start a terminal window. From here you can start X applications, e.g. xclock, xpdf. If you want to restore the system default window manager, simply remove the .xinitrc file and restart X Windows. The next time the user runs the startx command, it will read the global configuration file /etc/X11/xinit/xinitrc and start the default display manager.
• If you are already running xdm as your display manager and need to switch to twm, you have to edit .xsession, which lies in the user’s home directory. Insert the same line ‘exec /usr/X11R6/bin/twm’ in this file. During the user’s next logon, the twm display manager will get activated automatically via xdm.
• If your user logs in via gdm, you need to put ‘exec /usr/X11R6/bin/twm’ in the .Xclients file in the user’s home directory.
• A user can also change his display manager by running the command ‘switchdesk’ in an xterminal window, as is visible in Fig. 8.3.
Fig. 8.3
The commands for starting some popular window managers are (Table 8.1):
Table 8.1
Window Manager      Command
KDE                 startkde
Gnome               gnome-session
Blackbox            blackbox
FVWM                fvwm / fvwm2 / fvwm95
Window Maker        wmaker
IceWM               icewm
Enlightenment       enlightenment
How to Start Some Applications During Display Manager Startup
Assume that your user is starting the twm display manager via the gdm display manager (GNOME login screen). As you understand, on system startup gdm reads the .Xclients file from the user’s home directory. Put the application executables in this file. For example, as shown below, .Xclients will start xclock and xterm:
    #! /bin/sh
    xterm -bg black -fg white -geometry -0-0 &
    # xclock is backgrounded too; otherwise the script would wait for it to
    # exit and the window manager on the next line would never be started
    /usr/X11R6/bin/xclock -geometry +0+0 -bg lightblue -fg turquoise -bw 15 &
    exec /usr/X11R6/bin/twm
If these applications have to be started for every user of the system, place them in gdm’s global file /etc/X11/xinit/Xclients. If you want to generate the .Xclients file in a user’s home directory during user creation, create this file in the /etc/skel directory. This is the directory from where configuration files are copied to a newly created user’s home directory.
FOR FULL FEATURED THIN-CLIENT CONFIGURATION
Under this heading you will be guided on how to configure your Thin-Client to use the full potential of Linux. Similar to the Windows OS, Thin-Clients can be implemented full-fledged in a Linux environment too. Definitely, we need some software equivalent to the Terminal Services of the Windows Operating System. In the Linux environment, the Terminal Services equivalent is the “ltsp” (Linux Terminal Server Project) package. Other similar packages are PXES (initiated by Diego Torres Milano and hosted at http://pxes.sf.net) and netstation (at http://netstation.sf.net). All of these are Open Source packages and are written as excellently as other Open Source software. Here we will discuss only ltsp in brief. The other two products are similar in features and at par with ltsp. A few professionals prefer PXES to LTSP. The main reason is that LTSP uses NFS to give the thin client access to certain shares of the server. NFS is a stateless protocol. This means there is no communication mechanism that confirms to the client the action performed by the server against the request made by it. So NFS causes huge problems on a network which has even a tiny problem. Moreover, starting up and shutting down NFS takes a LONG time, and the server appears more sluggish with LTSP than with PXES. So LTSP is not preferable for anything less than the best networks. PXES, on the other hand, creates a local filesystem from the initrd (initial ramdisk) that includes whatever programs have been built into the initrd. Since these will be in RAM, they are available to be run locally. Other programs are run on the XDM server, to which the Thin-Client connects. Those programs use the resources of that server.
What is LTSP?
The LTSP (Linux Terminal Server Project) provides the same services as Microsoft Terminal Services provides for Windows. With LTSP coming into the picture, all you need to do is concentrate on your servers to make them an efficient helper for your many end users scattered throughout a large geographical area. It provides a way to use ready-made Thin-Clients as either graphical or character based terminals on a GNU/Linux server. Older computers with just a network card may also be used as Thin-Clients and may be connected to the Linux Server. Presently, almost all network cards come with a socket in which an EEPROM can be inserted. Depending on the contents of the EEPROM, a PC with just a network card can be booted from a remote machine over the network. The Linux Terminal Server Project web sites are http://www.ltsp.org/ and http://ltsp.sf.net/. These are well-designed sites. The ltsp project provides a lot of documentation and help thru its mailing list (http://www.ltsp.org/mailinglists.php). The documentation available on these sites is so well organized that you don’t need to search anywhere else in case of problems. For details visit the documentation page of the site at http://www.ltsp.org/documentation/index.php. Here you will find a document prepared by James McQuillan with the title “LTSP Linux Terminal Server Project - v4.1” as a pdf file, ltsp-4.1—documentation.pdf. While working, some basic questions will definitely arise in your mind regarding these Thin-Clients, such as how the TC comes to know from where to pick up the Operating System, set up a working directory for users, get a valid IP address to use for the TCP/IP protocol suite and present the X Desktop. The answers are:
• The DHCP or BOOTP protocol gets a valid IP address from a DHCP server running on the same subnet. The IP address is supplied based on the MAC address of the network card.
• A TFTP server running on the server will provide the image of the Operating System for the diskless machine to boot.
• The NFS protocol is used to mount a directory of the server to provide working space for the diskless machine.
• XDMCP provides a mechanism for the X-Server to emulate an X-Terminal running on your client (Workstation, Diskless PC, Thin-Client). It allows the X-Server to run one or multiple X Window based applications that reside on a host machine. The X-Terminal can be displayed as an individual window or multiple windows, based on your X client software’s capabilities.
All the above four services can be run either on the same server or on different servers. But to understand the concept it is better to assume that all the above services, and even some additional required services, are running on the same server thru which the clients are going to access the applications.
How To Install LTSP On The Server?
LTSP is best thought of as a complete distribution of Linux. It’s a distribution that sits on top of a host distribution. The host distro can be any Linux distro that you want. In fact, there’s no real requirement that the host be running Linux. The only requirement is that the host system needs to be able to serve NFS (Network File System). In fact, any Unix system can handle that. Even some versions of Microsoft Windows can be configured to work as an LTSP server. There are three phases to building an LTSP server:
• Installing the LTSP utilities
• Installing the LTSP client packages
• Configuring the services needed by LTSP
Installing the LTSP Utilities Starting with version 4.1, LTSP has a package of utilities for installing and managing the LTSP client packages (The stuff that is executed on the Thin-Clients), and for configuring the services on the LTSP server. The administration utility is called ltspadmin and the configuration tool is called ltspcfg. Both of these tools are part of the ltsp-utils package. The ltsp-utils package is available in both RPM and TGZ formats. Choose which format you prefer to install, and follow the appropriate instructions.
Installing the RPM Package
Find the latest release of the ltsp-utils RPM package at ‘www.rpmfind.net’ and download it. The rpm can be installed using the following command:
    rpm -ivh ltsp-utils-0.10-0.noarch.rpm
The above command will install the utilities on the server.
Installing the Tarball (TAR.GZ or TGZ) Package
If you have downloaded the latest release of ltsp-utils as a TGZ package, install it using the following commands:
    # tar xzvf ltsp-utils-0.10-0.noarch.tgz
    # cd ltsp_utils
    # ./install.sh
The above commands will install the utilities on the server. This is useful for non-RPM based systems. You may get some error during configuration and installation saying that there is an uninitialized variable in the ltspadmin script. You may need to upgrade ltspcfg. One LTSP rpm package download link is http://prdownloads.sf.net/ltsp/ltspcfg-0.5-0.noarch.rpm?download
Installing the LTSP Client Packages
Once the installation of the ltsp-utils package is complete, you can run the ltspadmin command. This utility is used to manage the LTSP client packages. It will query the LTSP download repository and get the list of currently available packages. Run the ltspadmin command and you’ll see a screen displaying three options (Fig. 8.4):
• Install/Update LTSP package
• Configure the installable option
• Configure LTSP
Fig. 8.4. LTSP installer–Main Screen
From this screen, you can choose “Install/Update”, and if this is your first time running the utility, it will display the installer configuration screen (Fig. 8.5).
Fig. 8.5
In the configuration screen (Fig. 8.6), you can set several values that the installer will use for downloading and installing the LTSP packages. The values you have to set are:
Fig. 8.6. Configuration screen—showing configuration values
(i) Where to retrieve packages. This may be the URL http://www.ltsp.org/ltsp-4.1/ if you are connected to the Internet and wish to install the packages directly from there, without downloading them to local storage. If instead you want to install the packages from local storage, download all the GZIP files (about 61 files) from the above page and save them in a directory of your choice, say /tmp/ltsp-package. All these files have the extension .tgz. In this case you have to answer file:///tmp/ltsp-package/ to this question. Note the three leading /// after the colon. Downloading so many files is tiresome, however. LTSP also releases an ISO image of about 99 MB containing all the packages. Follow the steps below:
1. Download it from http://www.ltsp.org/ltsp-iso-4.1.html and save it in a temporary directory, say /tmp.
2. Run md5sum on the downloaded file and make sure the result matches the checksum given on the above site:
    # md5sum ltsp-4.1-0.iso
3. Mount the ISO image using the loopback device on another temporary directory (/mnt):
    # mount -o loop /tmp/ltsp-4.1-0.iso /mnt
Now you have to answer file:///mnt to this configuration option. Leave the remaining options as they are.
Fig. 8.7. LTSP installer–Component list
(ii) Where to place the LTSP client tree. This is the directory on the server where you would like to put the LTSP client tree. Typically this would be /opt/ltsp. The directory will be created if it does not already exist. Within this directory, the root directories for each architecture will be created. Currently, only x86 workstations are officially supported by LTSP, but several people are working on ports to other architectures, such as PPC and Sparc.
(iii) HTTP Proxy. If the server is behind a firewall and all web access must go through a proxy, you can configure the installer to use the proxy here. The value should contain the URL of the proxy, including the protocol and the port. An example of this setting is http://firewall.yourdomain.com:3128. If you do not need a proxy, set this to “none”.
(iv) FTP Proxy. For packages located on an FTP server, if you need to go through an FTP proxy, you can enter it here. The syntax is similar to the HTTP Proxy option above. If you do not need a proxy, set this to “none”.
Once you get past the configuration screen, the installer will query the package repository and obtain the list of currently available components (Fig. 8.7). Select each component that you want to install. To select one, move the highlighted line to that component and press ‘I’ to select the individual component (Fig. 8.8). You can also press ‘A’ to select ALL of the components. Most of the time this is what you want, as it lets you support the broadest range of Thin-Client hardware.
Fig. 8.8
There are several keys that can be used to navigate around this screen. You can get help on those keys by pressing the ‘H’ key (Fig. 8.9).
Fig. 8.9. LTSP installer–Help window.
If you want to see the list of packages that are in a particular component, you can press ‘S’ and the list of packages will be displayed. It will show the version currently installed and also the latest available version. Once the desired components are selected, you can exit the component selection screen. The installer will prompt you to confirm that you really want to install/update the selected packages. If you answer ‘Y’, it will download and install the selected packages.
CONFIGURING DHCP, TFTP, NFS, XDMCP NEEDED BY LTSP
The ltspcfg utility can be used to configure all of those services, plus a lot of other LTSP related things. You can access ltspcfg from ltspadmin, or you can run ltspcfg by typing it at the command line. When you run the ltspcfg utility, it will scan the server to assess what is currently installed and running. You will see a screen like the one printed here (Fig. 8.10). This shows all of the things that the utility is looking for. To configure everything that needs to be set up, choose ‘C’, and the configuration menu will be displayed (Fig. 8.11). From the configuration menu, you will need to go through each item to make sure it is configured properly for serving LTSP workstations.
Fig. 8.10. ltspcfg–initial screen
Fig. 8.11. ltspcfg–configuration screen
I. Runlevel
The Runlevel is a variable used by the init program. On Linux and Unix systems, at any given time the system is said to be in a specific “Runlevel”. Runlevel 2 or 3 is typically used when the server is in text mode. Runlevel 5 typically indicates that the system is in graphical mode on a network. For an LTSP server, traditionally Runlevel 5 is used. Most systems are already configured to serve NFS and XDMCP when in Runlevel 5. For those systems that are not yet configured for that, this utility will take care of it.
II. Interface selection
For systems that have multiple network interfaces, you will need to specify which interface the Thin-Clients are connected to. By selecting the interface, the configuration tool will be able to properly create other configuration files, such as dhcpd.conf and /etc/exports.
III. DHCP configuration
DHCP needs to be configured to supply the required fields to the workstation. Among those fields are fixed-address, filename, subnet-mask, broadcast-address and root-path. By selecting this menu option, you will be able to create the dhcpd.conf configuration file and enable dhcpd to run at startup time.
IV. TFTP configuration
TFTP is used by the Thin-Client to download the Linux kernel image. The tftpd service needs to be enabled on the server to serve up the kernel image.
V. Portmapper configuration
The Portmapper is used by RPC services such as NFS.
VI. NFS configuration
NFS is the service that allows local directory trees to be mounted by remote machines. This is required for LTSP, because the workstations mount their root filesystems from the server. This menu item will take care of configuring NFS to start at boot time. The configuration file is /etc/exports.
VII. XDMCP configuration
XDMCP is the “X Display Manager Control Protocol”. The X server sends an XDMCP query to the Display manager on the server to get a login prompt. Common display managers in use are XDM, GDM and KDM. This menu item will display which display managers are found, and which one is configured to run. For security purposes, the Display manager is configured by default NOT to allow remote workstations to connect. This is usually the reason for the infamous gray screen with the large X cursor. ltspcfg can usually configure the display manager to allow remote workstations to get a connection.
VIII. Create /etc/hosts entries
Many services, like NFS and the Display manager, need to be able to map the IP address of the workstation to a hostname. You could set up the Berkeley Internet Naming Daemon (BIND) to do that, but you would have to make sure you get the reverse mappings set up properly. Ultimately, using BIND is probably the best way to do it, but configuration of BIND is beyond the scope of this handbook and of the ltspcfg utility. A much simpler approach for configuring the mapping of IP addresses and hostnames is the /etc/hosts file.
IX. Create /etc/hosts.allow entries
Some services use a layer of security known as tcpwrappers. This is configured through the /etc/hosts.allow file. This menu item will set up that file for you.
X. Create the /etc/exports file
This is the file that NFS uses to determine which directories are allowed to be mounted by remote machines. This menu item will create that file.
XI. Create the lts.conf file
The configuration of each workstation is directed by entries in the lts.conf file. Fairly modern workstations with a PCI bus should not require any additional entries in the lts.conf file, but the file still needs to exist. This menu item will create the default lts.conf file for you.
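As an added example (not code from the handbook or from ltspcfg), a small sh audit of the /etc/exports entries an LTSP server ends up with: it flags an export whose client field is missing or a bare ‘*’ (readable by any host that can reach the server) and a client root tree under /opt/ltsp that is not marked ro. The sample exports text is constructed.

```shell
#!/bin/sh
# Audit an /etc/exports file of the kind ltspcfg writes for an LTSP server.
# Added example, not part of the handbook or of LTSP itself.
# Two checks per export line:
#   - every client field must name a host or a subnet; a bare "*" or a missing
#     client field exports the directory to any host that can reach the server
#   - the client root tree (/opt/ltsp...) must carry the ro option
# Prints one "OK"/"WARN" line per export; audit_exports_text returns 1 if any
# export produced a WARN.

# Constructed sample exports file: two sane LTSP entries and two weak ones.
SAMPLE_EXPORTS='# /etc/exports (constructed sample)
/opt/ltsp/i386          192.168.0.0/255.255.255.0(ro,no_root_squash,sync)
/var/opt/ltsp/swapfiles 192.168.0.0/255.255.255.0(rw,no_root_squash,async)
/opt/ltsp/i386          *(rw,no_root_squash)
/home                   (rw,no_root_squash)
'

# client_of "host(opts)" -> "host"   (empty when the field is just "(opts)")
client_of() {
    printf '%s\n' "${1%%\(*}"
}

# opts_of "host(opts)" -> "opts"     (empty when no parenthesised options)
opts_of() {
    case $1 in
        *\(*\)) o=${1#*\(}; printf '%s\n' "${o%\)}" ;;
        *)      printf '\n' ;;
    esac
}

# audit_export DIR [CLIENT_SPEC...] -> prints "OK DIR" or "WARN DIR: reasons"
audit_export() {
    dir=$1; shift
    problems=""
    [ $# -eq 0 ] && problems="no client field at all"
    for spec in "$@"; do
        client=$(client_of "$spec")
        opts=$(opts_of "$spec")
        case $client in
            ''|'*') problems="${problems:+$problems; }exported to any host ('*')" ;;
        esac
        case $dir in
            /opt/ltsp*)
                case ",$opts," in
                    *,ro,*) ;;
                    *) problems="${problems:+$problems; }client root tree is not marked ro" ;;
                esac ;;
        esac
    done
    if [ -n "$problems" ]; then
        printf 'WARN %s: %s\n' "$dir" "$problems"
        return 1
    fi
    printf 'OK %s\n' "$dir"
}

# audit_exports_text TEXT -> audits every non-blank, non-comment line of TEXT
audit_exports_text() {
    rc=0
    set -f                      # no globbing while we split lines into words
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac
        set -- $line            # word 1 is the directory, the rest are clients
        audit_export "$@" || rc=1
    done <<EOF
$1
EOF
    set +f
    return $rc
}

# Stand-alone run over the constructed sample.
audit_exports_text "$SAMPLE_EXPORTS" || echo "one or more exports need attention"
```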
HOW TO FORCE THE CLIENT TO BOOT A LINUX IMAGE FROM A REMOTE SERVER?
To boot a Linux kernel into client memory from a remote server, you use either a BootROM or local storage media. A BootROM is an EEPROM chip burnt with a bootable program, which can be installed in the socket on the network interface card. Let us have a look at the components that participate in remote booting using a BootROM image:
• A bootstrap loader, that is, a boot program that can be installed either in an EPROM on the network card, in the flash BIOS, or on a Disk-on-Chip (DoC) or ATA-Disk chip/ATA-Disk module (ADM). It could be put anywhere in the address space which the BIOS probes. For testing it could be put on a floppy disk or a hard disk partition. Some configurations may even always be run from a floppy disk (e.g. temporary testing setups or pedagogic uses).
• A DHCP or bootp server should run on the server; it will supply the IP address and other network related information when the remote client sends its MAC (Ethernet card) address.
• A tftp server should be configured and running on the server to send the kernel images and other files required to boot the remote client.
• An NFS server for providing the disk partitions that will be mounted if Linux is being booted, and later for providing the users’ home directories. Instead of getting the boot image through tftp, the bootstrapping process can get the kernel from the server by mounting a directory as an NFS mount.
• A Linux kernel tailored for the remote client machine, which resides on the server to be supplied to clients when they ask for it through a tftp or NFS request. Linux kernels must be tagged with mknbi-linux, which prepares the kernel for network booting by prefixing the kernel with some additional code and appending the initrd to the end of the kernel.
Assuming that you now know the components of the booting process, we move on to explain the two ways of booting our host with a Linux image placed on the server:
(A) Using Boot ROM on network cards
(B) Using local storage media
(A) Using BootROM on Network Cards
The following options are available to make a BootROM fetch the Linux image over the network to boot the PC.
(i) Etherboot. Etherboot is a very popular open-source bootrom project, licensed under the GNU General Public License, for creating ROM images. Its home page is http://etherboot.sf.net. The image contains drivers for many common network cards, and works very well with LTSP. This boot ROM image has to be burnt into an EPROM and installed on the network card. At machine boot time, it can download code over an Ethernet network to be executed on an x86 diskless PC. For first-hand testing you can also use an Etherboot image on a floppy disk. Download the Etherboot package, configure it according to the type of network interface card and bootrom, and compile the source to produce a bootrom image. Burn this image into an EPROM or write it to a floppy disk. Marty Connor has simplified the whole procedure at ‘www.Rom-O-Matic.net’. This web site has a web based front-end for configuration and compilation (Fig. 8.12). Just select what type of network card you have, say whether you will use this image on a bootrom or a floppy disk, and choose what kind of image you want. You may have a look at the ‘Configuration’ of the image you are going to get. Finally click on the ‘Get ROM’ button to get the bootrom image. In a while a ‘Save As’ window will pop up to ask for the location where the image has to be saved on your machine. We are sure that on completion you will be thankful to Marty Connor for such a nice gift to the Internet world.
Fig. 8.12
To write the floppy disk image, run
    dd if=etherboot_image_file of=/dev/fd0
Within a few seconds your boot floppy will be ready to use. If you have generated a bootrom image, use an EPROM programmer to copy it onto an EPROM of the appropriate size.
Etherboot can boot computers faster than a local disk because there are no parameters like seek time, delays in spinning up disks, etc. that are associated with disk drives. A 10 Mbps Ethernet card practically takes only a fraction of a second to get an efficiently tailored kernel of about 500 kB. Compared to booting from solid-state devices, e.g. Flash disks, Etherboot has the advantage of centralized software administration and configuration (e.g. NFS, DHCP etc.), the tradeoff being the dependence on a server. Etherboot not only works well with a bootrom but also works excellently with RAM disks, NFS filesystems or even permanent and removable storage media.
(ii) PXE. This was Intel’s attempt to incorporate Sun’s remote booting concept. In late 1990 the mention of this technology was found in the ‘Wired for Management’ specification, for a bootrom in the form of the Pre-boot Execution Environment, abbreviated PXE. A PXE bootrom can load a file of at most 32 kilobytes. A Linux kernel is considerably larger than that. Therefore a much smaller PXE loader for Linux, referred to as pxelinux, is started first. This pxelinux is small enough to be loaded initially, and it knows how to load a much larger file, such as a Linux kernel. To learn how to configure and troubleshoot it, browsing http://syslinux.zytor.com/pxe.php is recommended.
(iii) Netboot. Netboot, like Etherboot, is a free software project that provides free boot ROM images. The Netboot home page, http://netboot.sf.net/english/index.shtml, describes it as “a packet to boot a computer with an Intel processor over an IP network without access to a hard disk or a diskette”. It differs from other remote booting procedures in that its design is wrapped around the NDIS drivers or packet drivers that ship with almost all network cards. Bill Dooley has written an excellent “how-to” document on netboot, which can be accessed from http://netboot.sf.net/texts/HOWTO.html
(B) Using Local Storage Media
Booting with local media is always the first option during installation and testing. You can use any one of the following removable media.
Floppy Disk. There are two ways to boot an LTSP workstation with a floppy. One way is to load Etherboot in the boot sector of the floppy. This will then act like a bootrom: the boot code will be executed, the network card will be initialized, and the kernel will be loaded from the network server. You can also write the kernel and initrd to the floppy and boot that way. However, it is actually faster to load the kernel over the network.
Hard Disk. The hard disk can be used with LILO or GRUB to load the Linux kernel and initrd. Or you can load the Etherboot bootrom image from the hard disk, and it will act like a bootrom.
CD-ROM. A bootable CD-ROM can be loaded either with a Linux kernel or with an Etherboot image.
USB Memory Device. Just like a CD-ROM, floppy disk and hard disk, you can use a USB memory device to boot either an Etherboot module or a complete Linux kernel and initrd image.
WHAT HAPPENS WHEN THE KERNEL IMAGE IS EXECUTING ON YOUR PC?
• Once the kernel image has been loaded into memory, it starts executing.
• The kernel will then initialize the entire system and recognize all of the peripherals.
• This is where the fun really begins. During the kernel initialization process, a ramdisk image will also be loaded into memory. A kernel command line argument of root=/dev/ram0 tells the kernel to mount the image as the root directory.
• Normally, when the kernel has finished booting, it will launch the init program. But in this case you have instructed the kernel to load a small shell script instead. We do this by passing init=/linuxrc on the kernel command line.
• The /linuxrc script begins by scanning the PCI bus, looking for a network card. For each PCI device it finds, it does a lookup in the /etc/niclist file to see if it finds a match. Once a match is found, the name of the NIC driver module is returned, and that kernel module is loaded. For ISA cards, the driver module MUST be specified on the kernel command line, along with any IRQ or address parameters that may be required.
• A small DHCP client called dhclient will then be run, to make another query to the DHCP server. We need to do this separate user-space query because we need more information than the bootrom retrieved with the first DHCP query.
• When dhclient gets a reply from the server, it will run the /etc/dhclient-script file, which will take the information retrieved and configure the eth0 interface.
• Up to this point, the root filesystem has been a ramdisk. Now the /linuxrc script will mount a new root filesystem via NFS. The directory that is exported from the server is typically /opt/ltsp/i386. It cannot just mount the new filesystem as /. It must first be mounted as /mnt. Then it will execute pivot_root, which swaps the current root filesystem for the new filesystem. When this is completed, the NFS filesystem will be mounted on /, and the old root filesystem will be mounted on /oldroot.
• Once the mounting and pivoting of the new root filesystem is complete, we are done with the /linuxrc shell script and we need to invoke the real /sbin/init program.
• Init will read the /etc/inittab file, and this will begin setting up the workstation environment.
• One of the first items in the inittab file is the rc.sysinit command, which will be run while the workstation is in the ‘sysinit’ state.
• The rc.sysinit script will create a 1 MB ‘ramdisk’ to contain all of the things that need to be written to or modified in any way.
• The ramdisk will be mounted as the /tmp directory. Any file that needs to be written will actually exist in the /tmp directory, and there are symbolic links pointing to these files.
• The /proc filesystem is mounted.
• The lts.conf file will be parsed, and all of the parameters in that file that pertain to this workstation will be set as environment variables for the rc.sysinit script to use.
• If the workstation is configured to swap over NFS, the /var/opt/ltsp/swapfiles directory will be mounted as /tmp/swapfiles. If there is no swapfile for the workstation yet, it will be created automatically. The size of the swapfile is configured in the lts.conf file.
• The swapfile will then be enabled, using the swapon command.
• The loopback network interface is configured. This is the networking interface that has 127.0.0.1 as its IP address.
• If Local apps is enabled, then the /home directory will be mounted, so that the apps can access the users’ home directories.
• Several directories are created in the /tmp filesystem for holding some of the transient files that are needed while the system is running. Directories such as /tmp/compiled, /tmp/var, /tmp/var/run, /tmp/var/log, /tmp/var/lock and /tmp/var/lock/subsys will all be created.
• The /tmp/syslog.conf file will be created. This file contains information telling the syslogd daemon which host on the network to send the logging information to. The syslog host is specified in the lts.conf file. There is a symbolic link called /etc/syslog.conf that points to the /tmp/syslog.conf file.
• The syslogd daemon is started, using the conf file created in the previous step.
• Once the rc.sysinit script is finished, control returns to the /sbin/init program, which will change the runlevel from sysinit to 5.
• This will result in the execution of the entries in the /etc/inittab file.
• By default, there are entries in inittab to run the /etc/screen_session script on the virtual terminals tty1, tty2 and tty3. That means that you can run 3 sessions at a time, and the control for each type of session is done by the SCREEN_01, SCREEN_02 and SCREEN_03 entries in the lts.conf file.
• More entries can be set up in inittab for more sessions, if desired.
• If SCREEN_01 is set to a value of startx, then the /etc/screen.d/startx script will be executed, which will launch the X Window System, giving you a graphical user interface.
• In the lts.conf file there is a parameter called XSERVER. If this parameter is missing or set to “auto”, then an automatic detection of the video card will be attempted. If the card is PCI or AGP, it will get the PCI Vendor and Device id and do a lookup in the /etc/vidlist file.
• If the card is supported by Xorg 6.7, the pci_scan routine will return the name of the driver module. If it is only supported by XFree86 3.3.6, pci_scan will return the name of the X server to use. The startx script can tell the difference because the older 3.3.6 server names start with ‘XF86_’, whereas the newer Xorg X server modules typically have lowercase names, like ati or trident.
• If Xorg is used, then the /etc/build_x4_cfg script will be called to build an XF86Config file. If XFree86 3.3.6 is used, then /etc/build_x3_cfg will be called to build the XF86Config file. These files are placed in the /tmp directory which, if you remember, is a ramdisk seen only by the workstation.
• The XF86Config file will be built based on entries in the /etc/lts.conf file.
• Once the XF86Config file has been built, the startx script will launch the X server with that new config file.
• The X server will send an XDMCP query to the LTSP server, which will offer a login dialog.
• At this point, the user can log in. They will get a session on the server, and all the commands they run will actually be running on the server. Only the output will be displayed on the workstation.
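As an added example (not LTSP’s own rc.sysinit or startx code), the two lookups the boot sequence above relies on, written in plain sh: reading a workstation’s parameters from lts.conf with the workstation’s own section overriding [Default], and resolving XSERVER=auto through a vidlist lookup, telling an XF86_ server name apart from an Xorg module name. The lts.conf and vidlist texts are constructed samples; the vidlist column layout and the SERVER/SYSLOG_HOST parameter names are assumptions for the sample.

```shell
#!/bin/sh
# Added example (not LTSP's own rc.sysinit/startx code): how the two lookups
# described above can be implemented in plain sh.
#   lts_get         - read one parameter for a workstation from lts.conf text,
#                     letting the workstation's own section override [Default]
#   vidlist_lookup  - map a PCI vendor/device id to an X driver or server name
#   x_server_kind   - tell an XFree86 3.3.6 server (XF86_*) from an Xorg module
#   resolve_xserver - the startx decision: configured XSERVER, or "auto" -> vidlist
# The lts.conf layout ([Default] plus a section per workstation, KEY = VALUE)
# is LTSP's; the vidlist layout used here ("vendor device name") is an
# assumption for the sample, not necessarily LTSP's exact file format.

# Constructed sample lts.conf. SERVER and SYSLOG_HOST are sample parameters.
SAMPLE_LTS_CONF='# constructed lts.conf
[Default]
    SERVER      = 192.168.0.254
    XSERVER     = auto
    SCREEN_01   = startx
    SYSLOG_HOST = 192.168.0.254   # where the workstation ships its syslog

[ws001]
    XSERVER     = XF86_SVGA
    SCREEN_02   = shell

[ws002]
    SCREEN_01   = shell
'

# Constructed sample vidlist: PCI vendor id, device id, driver-or-server name.
SAMPLE_VIDLIST='# vendor device name
0x1002 0x4c46 ati
0x1023 0x9880 trident
0x5333 0x8a01 XF86_S3V
'

# trim STRING -> STRING without leading/trailing blanks
trim() {
    printf '%s' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# lts_section_get CONF SECTION KEY -> value of KEY inside [SECTION], or empty
lts_section_get() {
    in_section=0; value=""
    while IFS= read -r line; do
        line=$(trim "${line%%#*}")          # drop comments and blanks
        case $line in
            '') ;;
            \[*\]) s=${line#\[}; s=${s%\]}
                   [ "$s" = "$2" ] && in_section=1 || in_section=0 ;;
            *=*)   if [ $in_section -eq 1 ] && [ "$(trim "${line%%=*}")" = "$3" ]; then
                       value=$(trim "${line#*=}")   # last assignment wins
                   fi ;;
        esac
    done <<EOF
$1
EOF
    printf '%s\n' "$value"
}

# lts_get CONF WORKSTATION KEY -> workstation section overrides [Default]
lts_get() {
    v=$(lts_section_get "$1" "$2" "$3")
    [ -n "$v" ] || v=$(lts_section_get "$1" Default "$3")
    printf '%s\n' "$v"
}

# vidlist_lookup VIDLIST VENDOR DEVICE -> name from the matching line, or empty
vidlist_lookup() {
    printf '%s\n' "$1" | awk -v ven="$2" -v dev="$3" '
        /^#/ || NF < 3 { next }
        tolower($1) == tolower(ven) && tolower($2) == tolower(dev) { print $3; exit }'
}

# x_server_kind NAME -> which config builder startx would need for this name
x_server_kind() {
    case $1 in
        '')     echo unknown ;;            # nothing found: no X on this box
        XF86_*) echo xfree86-3.3.6 ;;      # old server binary -> build_x3_cfg
        *)      echo xorg-module ;;        # lowercase module (ati, trident) -> build_x4_cfg
    esac
}

# resolve_xserver CONF WORKSTATION VIDLIST VENDOR DEVICE -> X driver/server name
resolve_xserver() {
    x=$(lts_get "$1" "$2" XSERVER)
    case $x in
        ''|auto) x=$(vidlist_lookup "$3" "$4" "$5") ;;   # missing or auto: probe
    esac
    printf '%s\n' "$x"
}

# Stand-alone run: ws002 inherits XSERVER=auto, so the PCI id decides.
x=$(resolve_xserver "$SAMPLE_LTS_CONF" ws002 "$SAMPLE_VIDLIST" 0x1023 0x9880)
echo "ws002: XSERVER=$x ($(x_server_kind "$x")), SCREEN_01=$(lts_get "$SAMPLE_LTS_CONF" ws002 SCREEN_01)"
```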
FIRST HAND TEST WITH THE pxes ISO IMAGE
Do not confuse the pxes ISO image with PXE. PXES is a ready-to-use package for any machine having a CD drive and a network card to connect with a configured Linux server. Its developers call it the “universal Linux software”. You will definitely agree with them if you have used it at least once. Just copy the ISO image onto a CD and boot any PC to connect with a server running Linux (with XDMCP configured) or Windows configured with RDP. You can download the 13 MB ISO file from http://pxes.sf.net/. We are sure that if you are a first time user, you will be amazed by the performance of the product. It is free to use for personal as well as commercial purposes. If your older systems have a CD drive too and you wish to use CD based booting throughout, you have nothing to do at the client side. Just create as many boot CDs as the number of PCs you have, and configure your server with LTSP (as mentioned above). The above-mentioned site also provides a customization guide that can help you customize the pxes source code and make a tailored ISO image according to your needs. At the end of this chapter, we hope that by now you have got the feel of implementing Thin-Clients and diskless PCs with a Linux server.
9
Bridging Windows and Linux Operating Systems
In this chapter we will discuss how to access a Linux server (from the command line and from X-Windows) from a machine running a Microsoft operating system and, similarly, how to get a remote Microsoft Windows Server desktop on a Linux machine. We will also compare a Linux based setup and a Windows based setup with respect to parameters such as TCO, stability, reliability and security.
ACCESSING WINDOWS 2000 SERVER FROM A THIN-CLIENT CONNECTED TO A LINUX SERVER
Take the scenario that all the Thin-Clients are connected to a server running an Open Source operating system like Linux. You can easily get the Linux desktop on a Thin-Client by connecting it to the Linux server over the X protocol. A user working on a Thin-Client can connect to a Terminal Services enabled Windows 2000 Server, without logging out of the Linux desktop, using the RDP protocol. The RDP package may have come with your distribution CD, or you may download it from http://www.rdesktop.org/#download. Install the package on the Linux server as per the instructions bundled with it. ‘rdesktop’ is an Open Source client for Windows Terminal Server, capable of natively speaking the Remote Desktop Protocol (RDP) in order to present the user’s Windows desktop. Unlike Citrix ICA, no server extensions are required on top of the Windows operating system. As you have already learnt in the “Licensing policy of Windows” chapter, for connecting each Thin-Client to a Windows based server you need a CAL and a TSCAL license. As soon as a Thin-Client connects to a Windows operating system enabled for terminal services, a TSCAL license will be assigned to the Linux server forever. If you connect your Thin-Clients to the Windows server in this fashion, the Windows server sees all the connections as coming from the Linux server on which all the Thin-Clients have logged in. So the Terminal Service Manager will issue only one TSCAL license to the Linux server for all the connections. The problem arises when printing comes into the picture. Only the Linux server’s parallel port will be mapped in the Windows server, because the Windows server does not know about any other system connecting to it. All the Thin-Client users are forced to print on a printer directly connected to the Linux server. Thus the Linux server not only works as the connection hub for all the Thin-Client users but also has to work as a print server. So you have to increase the number of parallel ports on the server and connect all the printers to it.
From the Linux working space, you can use the rdesktop graphical interface or the command line to connect to the Windows server. To connect from the graphical screen, go to Applications -> Internet -> Remote Desktop Connection. You will get the following screen (Fig. 9.1).
Fig. 9.1
Fill in the IP address (or name) of the Windows server in the ‘Remote Desktop’ field. This graphical front end works for both the RDP and VNC protocols, so you have to type the prefix rdp:/ or vnc:/ for RDP or VNC respectively. Click on the Connect tab and you will get another screen confirming the desired resolution (Fig. 9.2). Choose one that is supported by your Thin-Client.
Fig. 9.2
Click OK to connect to Windows Server and get the login screen as shown in Fig. 9.3.
Fig. 9.3
To connect using the command line, you can use the following command:
    $ rdesktop -u <user_name> -f <server_name> &
Here user_name is the account name on the Windows server in which one wishes to log in. The -f option requests full-screen mode. server_name may be the name of the Windows server if the Linux server can resolve it into its IP address; otherwise use the IP address of the Windows server. The “&” sends the command into the background and frees the terminal window for the next command.
ACCESSING A LINUX SERVER FROM A THIN-CLIENT CONNECTED TO WINDOWS 2000 SERVER
A user can access the Linux server even while connected to the Windows server. If the user works most of the time on the Linux server’s X-based desktop, it is recommended to configure the XDMCP protocol available in all the Thin-Clients. Unlike Windows, where only GUI connectivity is possible, a connection to the Linux server may be made in two ways:
1. Command line connection
2. X-environment connection
1. Command Line Connection
Native users of Linux like to work on the command line interface (CLI). For them, using powerful CLI commands is a matter of principle. The two most popular clients for this type of connection are telnet and ssh (Secure Shell). A telnet client is part of almost all operating systems, including Windows. An ssh client (e.g. PuTTY) for other operating systems is free to download. So download and install it on the Windows server through which Thin-Client users are going to access the Linux server.
To serve telnet client requests, the telnet daemon must be enabled in its configuration file /etc/xinetd.d/telnet.d/telnet by ensuring the presence of the line ‘disable = no’. The xinetd super daemon starts a new telnet daemon (in.telnetd) for each telnet request. To serve ssh client requests, the sshd daemon must be running on the Linux server. If it is installed but not running, the administrator can start it by running the command ‘service sshd start’.
2. X-Environment Connection
To access the Linux GUI desktop from a Windows Thin-Client, an X server application must be installed on the Windows 2000 Server OS. There are commercial X server applications available in the market, like HummingBird eXceed or Starnet’s XWin32 X server. We will discuss the four most popular Open Source X server applications that are freely available.
(i) XWINLOGON WINDOWS X-SERVER. XwinLogOn has its origin in the popular Cygwin (explained later) environment for Windows. Along with XDMCP it also supports SSH, RSH, SSH compression, backing store, OpenGL, Windows clipboard integration, single-window mode, multi-window mode and multi-window mode with an external window manager. The interface is licensed under the GNU GPL. All other software is licensed by its respective creators. Its developers advise not to install XwinLogon if you already have Cygwin installed on your system. The XwinLogon installation program xwinlogon-1.0-setup.exe (13.5 MB) can be downloaded from http://sourceforge.net/projects/xwinlogon. Installation is so easy that it does not need any explanation. To see where it stands against commercial X server applications like XWin32 and eXceed for the Windows environment, check out http://www.calcmaster.net/visual-c++/xwinlogon/compare.php. To connect to your Linux server, click on the shortcut “XWinLogon Win32 X-Server” created on your desktop, or on the C:\xwinlogon\xwinlogon.exe file. You will get the ‘Win32 X Windows Terminal’ to choose the type of connection (Fig. 9.4).
Fig. 9.4
After providing the requisite information, click on Connect and “c:/xwinlogon/XWin.exe” will be executed. What it does during the connection process will be displayed in a command window, as shown in Fig. 9.5.
Fig. 9.5
You can save the options by saving the session of “Win32 X Windows Terminal” in a batch file. Later you can use this batch file to connect to your Linux server. This batch file sets the PATH variable to find the XwinLogOn executable, sets the DISPLAY variable for your Linux X clients, and has a line to start XWin.exe with all the options. The batch file may look like this:
    SET PATH=C:\xwinlogon
    SET DISPLAY=:0
    start XWin.exe :0 -query 191.254.5.70 -clipboard -trayicon -bs
If everything is fine, you will get the default login screen of your Linux server, as shown in the screenshot in Fig. 9.6. There is excellent help available for it at http://www.calcmaster.net/visual-c++/xwinlogon/help.php.
Fig. 9.6
(ii) X-DEEP/32 PC X-SERVER. Let us thank Pradeep Nambiar, who wrote this mature X server application for the Windows operating system. It is not only free but also small enough (15 MB) for quick download, installation and configuration. The home page of the X-Deep/32 application is http://www.pexus.com. The download instruction page is available at http://www.pexus.com/Download/download.html. The latest (and final) release can be downloaded from either of the links below:
http://www.caslab.queensu.ca/software/xdp40Full.exe
http://wcarchive.cdrom.com/pub/simtelnet/win95/telecomm/xdp40Full.exe
Installation of X-Deep is very quick and easy. Just execute the xdp40Full.exe file on your Windows server and follow the instructions. Shortcuts to the executables will be created in the program folder. To start the X server, click the “X-server” icon to run xdeep32.exe (Fig. 9.7).
Fig. 9.7
The first dialogue box lets you choose the server's network interface(s) to which the X-Server will bind (Fig. 9.8). If you wish to allow all available network interfaces to be used by the X-Server, select the ANY option from the list. On a server with more than one interface it is safer to bind only the interface that faces the Linux machines, because every host that can reach a bound interface can also talk to the X-Server. After this selection, the X-Server will try to detect all remote machines running a Unix-like operating system that can communicate with the X-Deep/32 server (Fig. 9.9).
Fig. 9.8
Fig. 9.9
The figure shows that two such machines are available in our network, namely BACKUP and ES40. The first is an x86 server running Fedora Core Linux and the second is an HP Alpha RISC server running Tru64 Unix. Connect to the desired machine from the list and you will get the graphical login screen of the remote server. The connection will fail if you have not put the IP address and hostname of the remote machine in the "c:\WINNT\system32\drivers\etc\hosts" file of your Windows server. Log on to the remote server with a valid username of the remote machine and the corresponding password. If you are a first-time user, you will be amazed by the performance. The two screenshots presented here show the desktop of Linux (Fig. 9.10) and of Tru64 Unix (Fig. 9.11).
Fig. 9.10
Fig. 9.11
In case of any problem, you may refer to the well-designed documentation at C:\xdeep32_40\usr\X11R6\doc\index.htm on your server. It has the release notes, X-Server FAQs, configuration options, manual pages etc.:
• X-Deep/32 4.x X-Server
• X Client Launcher
• X Clients Man Pages
• X-Deep/32 FAQ (Frequently Asked Questions)
• Misc X and Unix resources
(iii) CYGWIN X-SERVER. Cygwin is a Linux-like environment for Windows. Its X11 packages provide an X-Server for Windows. The installation has more steps than the two applications above, and the source code is available if you wish to rebuild anything yourself; if you are not comfortable with that level of involvement, you may use XwinLogon or X-Deep/32 instead. Cygwin consists of two parts: a DLL (cygwin1.dll) that acts as a Linux API emulation layer providing substantial Linux API functionality, and a collection of tools that provide the Linux look and feel. The Cygwin DLL works with all non-beta, non-release-candidate, ix86 32-bit versions of Windows since Windows 95, with the exception of Windows CE. The X-Server is one of the tools of the Cygwin package. Downloading and installation is a somewhat lengthy process. You have to download a 264 KB installer, setup.exe, from http://www.cygwin.com/packages/xorg-x11-xwin/. The Indian mirror server for this file is http://ftp.iitm.ac.in/cygwin/. On executing it, you have the option of installing directly from the Internet or of first downloading all the packages from a Cygwin mirror to local storage and then installing from there. If you have a high-speed, reliable direct connection to the Internet you can opt for the first method; we recommend the second. The setup.exe installer presents a list of all the mirror servers hosting the Cygwin packages; choose one near your location. You then have to select the required packages from the full Cygwin package list. Since your purpose is to install the X-Server, select X11 as shown in Fig. 9.12.
Fig. 9.12
On clicking Next, the X11-related packages are downloaded to your system. They arrive as compressed tar archives, which setup.exe unpacks and installs for you; the compilers and build tools are downloaded only if you also selected them, and are needed only if you choose to rebuild the X-Server from source. An excellent Cygwin/X user guide is available at http://x.cygwin.com/docs/ug/.

(iv) VIRTUAL NETWORK COMPUTING PROJECTS. Virtual Network Computing (VNC) is one of the most popular ways of accessing a desktop across different operating systems. It is available for almost all platforms, e.g. all Microsoft Windows versions, Linux, FreeBSD and other UNIX flavours. VNC clients and servers speak the RFB (Remote Frame Buffer) protocol. A VNC server (installed on the remote machine) lets a VNC client reach the remote machine's desktop, much like Terminal Services. Nowadays most Thin-Clients ship with a VNC client. Note that the classic VNC authentication is a challenge-response on a password of at most eight characters and that the session itself is not encrypted, so on an untrusted network run the server bound to the loopback interface (for x11vnc, 'x11vnc -localhost') and reach it through an ssh tunnel ('ssh -L 5900:localhost:5900 user@server', then point the viewer at localhost:0). There are several projects developing VNC around the world; we recommend having a look at a few of them:
x11vnc at http://www.karlrunge.com/x11vnc/
RealVNC at http://www.realvnc.com/
TridiaVNC at http://www.tridiavnc.com/
TightVNC at http://www.tightvnc.com/
DotNetVNC at http://www.dotnetvnc.sourceforge.net/
COMPARATIVE STUDY OF WINDOWS & LINUX

Here we'll discuss the points that may help you decide which OS to use to implement your Thin-Client solution; it may be either Windows based or Linux based. A recommended link is http://bucarotechelp.com/download/Linux.asp. You have to consider the following factors during system integration and design. All of them affect the total project cost, directly or indirectly.

Operating system
There are a number of Open Source operating systems, and they are available to everybody at almost no cost. By contrast, you have to pay a good amount for a Windows operating system. If you are keen on future support you can buy a commercial version of Linux from Red Hat Inc., Novell, Caldera etc. These firms will support the applications shipped on the operating system CD and fix any bugs that are found. Even so, this cost is meagre compared with the cost of a Windows operating system.

License
In most cases you pay no per-user or per-client licensing fee with Linux. With Windows, however, you need to purchase a CAL for each user and a TSCAL for each client machine connecting to the server.

Tools and utilities
Say you need a program to archive and compress a directory and all of its contents. On Windows you will probably buy WinZip or WinRAR. On Linux there are utilities like tar, bzip2, gzip, compress, gnozip, Karchive, Gnochive, File Roller, Unace etc., all free. A few Open Source applications have even been ported to Windows, but it is advisable to run an Open Source operating system if you wish to use Open Source tools. Check http://Linuxshop.ru/Linuxbegin/win-lin-soft-en/table.shtml for Windows applications and their Linux equivalents. Some of them are on par with their commercial counterparts, GIMP for example.
Auto probing of hardware
The current Linux kernel detects as many hardware devices as a commercial operating system does. It not only detects the hardware but most of the time loads the required driver too. For example, there are several SCSI RAID controller cards for which no separate driver needs to be loaded in Linux, whereas a separate driver installation is required under Windows.
Security
Linux provides robust security features. Each file has owner, group and others permissions, tagged as a 9-bit code in the filesystem's inode table. SELinux, released under the GPL, now provides much tighter security on top of this. The NSA's SELinux FAQ says: "The Security-enhanced Linux kernel enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs. When confined in this way, the ability of these user programs and system daemons to cause harm when compromised (via buffer overflows or misconfigurations, for example) is reduced or eliminated. This confinement mechanism operates independently of the traditional Linux access control mechanisms. It has no concept of a 'root' super-user, and does not share the well-known shortcomings of the traditional Linux security mechanisms (such as a dependence on setuid / setgid binaries)."

Integrity & reliability
The integrity of an OSS product is much higher than that of proprietary applications because hundreds of users are working with and testing the application at the same time. They are not in a hurry to release buggy code to meet a deadline. Even with the best efforts, if some holes remain unplugged in the application, patches are released as soon as the problems are reported. This scrutiny process gives a well-tested OSS application with better integrity and reliability than a closed-source proprietary product.

Support
One of the biggest fears IT managers have when going for OSS applications is whether they'll get the necessary support for these products. They should be aware that there are more mailing lists and discussion forums in support of OSS products than for any commercial product. Not only this, OSS followers host frequent user meets at town, city and even county level. It is one of the major reasons why Apache dominates the web server market.
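To make the 9-bit permission model and the SELinux FAQ's remark about setuid/setgid binaries concrete, here is an added example (not from the book, and not part of any Linux distribution) that converts the symbolic mode printed by 'ls -l' into octal and flags the bits a security review cares about. The file listing at the bottom is constructed sample data, not output captured from a real server.

```shell
#!/bin/sh
# Added example (not from the book): turn the 9-bit permission model into a
# small audit. mode_to_octal converts the symbolic mode that 'ls -l' prints
# (with the s/S/t/T special-bit letters) to its four-digit octal form, and
# mode_flags names the bits that matter most in a security review:
# setuid, setgid, world-writable and sticky. The listing at the bottom is
# constructed sample data, not output captured from a real server.

# triplet_value RWX WEIGHT -> "value special" for one owner/group/other triplet
triplet_value() {
    t=$1; w=$2; v=0; sp=0
    case "$t" in r??) v=$((v + 4)) ;; esac
    case "$t" in ?w?) v=$((v + 2)) ;; esac
    case "$t" in ??x|??s|??t) v=$((v + 1)) ;; esac        # lower-case letter = x bit set
    case "$t" in ??s|??S|??t|??T) sp=$w ;; esac           # s/t in either case = special bit
    echo "$v $sp"
}

# mode_to_octal rwsr-xr-x -> 4755
mode_to_octal() {
    m=$1
    [ ${#m} -eq 9 ] || { echo "mode_to_octal: expected 9 characters, got '$m'" >&2; return 1; }
    set -- $(triplet_value "$(printf '%s' "$m" | cut -c1-3)" 4); uv=$1; us=$2
    set -- $(triplet_value "$(printf '%s' "$m" | cut -c4-6)" 2); gv=$1; gs=$2
    set -- $(triplet_value "$(printf '%s' "$m" | cut -c7-9)" 1); ov=$1; os=$2
    printf '%d%d%d%d\n' $((us + gs + os)) "$uv" "$gv" "$ov"
}

# mode_flags rw-rw-rw- -> "world-writable"; prints nothing for a quiet mode
mode_flags() {
    oct=$(mode_to_octal "$1") || return 1
    sp=$(printf '%s' "$oct" | cut -c1)
    oth=$(printf '%s' "$oct" | cut -c4)
    flags=""
    if [ $((sp & 4)) -ne 0 ]; then flags="$flags setuid"; fi
    if [ $((sp & 2)) -ne 0 ]; then flags="$flags setgid"; fi
    if [ $((oth & 2)) -ne 0 ]; then flags="$flags world-writable"; fi
    if [ $((sp & 1)) -ne 0 ]; then flags="$flags sticky"; fi
    echo "${flags# }"
}

# audit_listing "LS_OUTPUT" -> one line per entry that carries a risky bit:
# "<path> <octal> <flags>". Feed it 'ls -l' output or 'find / -ls' style lines.
audit_listing() {
    printf '%s\n' "$1" | while read -r perms rest; do
        [ -n "$perms" ] || continue
        mode=$(printf '%s' "$perms" | cut -c2-10)   # drop the file-type character
        path=${rest##* }                            # last field is the name
        f=$(mode_flags "$mode") || continue
        if [ -n "$f" ]; then
            printf '%s %s %s\n' "$path" "$(mode_to_octal "$mode")" "$f"
        fi
    done
}

# Constructed sample listing: a setuid binary, a world-writable file,
# a correctly locked-down shadow file and the sticky /tmp directory.
SAMPLE_LISTING='-rwsr-xr-x 1 root root 37 Jan 1 2008 /usr/bin/passwd
-rw-rw-rw- 1 user user 12 Jan 1 2008 /home/user/notes.txt
-rw-r----- 1 root shadow 1 Jan 1 2008 /etc/shadow
drwxrwxrwt 2 root root 4096 Jan 1 2008 /tmp'

audit_listing "$SAMPLE_LISTING"
```

On a real server you would pipe 'find / -xdev -type f -perm -4000 -ls' (setuid files) or 'find / -xdev -perm -o+w -ls' (world-writable entries) into audit_listing; /usr/bin/passwd is expected to be setuid, but a world-writable file under a user's home or an unexpected setuid binary is exactly the kind of finding the SELinux policy is meant to contain.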
Virus infection
One of the major headaches of a Windows administrator is protecting the server from infection. These threats come in the form of viruses, Trojan horses, worms, spyware etc. In the Windows world you need a security expert to keep track of virus-related issues. It is almost impossible to run a Windows server without commercial anti-virus software, and even with the best anti-virus solution one cannot be sure that the Windows servers are virus free.

OS upgradability
Microsoft tends to stop support once it has released a new operating system. This leaves you with no option but to upgrade your existing OS to the newer version. In the Linux world, support is always available through mailing lists and discussion forums, even for the oldest kernels.

Device drivers
On Windows you need different device drivers for different OS versions of the same device. On Linux a driver is a kernel module that must match the running kernel, but because the source is normally available you can simply recompile it to make it work with a new kernel or on another hardware platform.

Application development
In the Windows world you have to buy a development toolkit to develop applications, which is not the case with Linux. This reduces development cost.
Porting of existing applications
Once you develop an application in an OSS environment, in most cases you can port it to any other environment too. For example, if you have developed a web-based application using PHP, the Apache web server and the MySQL database, you will face no hurdle in implementing it on Windows. Now think about porting an application written in Visual Basic to Linux.

End-user training
Since OSS is not as old as Windows, your end users may not feel comfortable working on Linux. They are so used to working on Windows that you may have to devote a few hours to making them comfortable with Linux. However, the KDE desktop developers are devoted to making the Linux X interface give the feel of Windows.

Stability
No comparison at all. A Linux server rarely requires rebooting once it is in production use. If some program or daemon creates a problem, kill it and restart it; all other processes continue to work as if nothing had happened. In the Windows world this is not the case: for most problems the only solution Windows provides is a reboot.

Interoperability with other OS
OSS has come out with SAMBA, an excellent example of reverse engineering. Before SAMBA, Linux spoke only TCP/IP and had no implementation of the Windows file-sharing protocol, so it was not possible to see your Linux computers in the Network Neighborhood of Windows. The machines that are visible there are found through NetBIOS (Network Basic Input/Output System) name services, carried either over Microsoft's NetBEUI protocol or over the TCP/IP protocol suite (NetBIOS over TCP/IP). SAMBA implements on Linux the Server Message Block (SMB) protocol that does the same job on Windows. Now it is possible to see your Linux system through Network Neighborhood (or Computers Near Me) on your Windows operating system. Similarly, you can mount a shared resource of a Windows machine over the network on a Linux machine as an smbfs (SMB file system) network filesystem. SMB shares play the same role in the Windows world that NFS (Network File System) plays in the Unix environment.
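When mounting a Windows share from Linux as described above, the password should not be typed on the mount command line, where every local user can read it with 'ps' and where it lands in the shell history. The following added example (not from the book, and not SAMBA's own code) writes the credentials file that the 'credentials=' mount option of smbmount/smbfs (and of the newer cifs filesystem) accepts, checks its permissions before use, and prints the resulting mount command instead of executing it so that it runs without a Windows server. The share, account and mount point names are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the book): mounting a Windows share from Linux
# without putting the password where 'ps' and shell history can see it.
# smbmount/mount -t smbfs accept 'credentials=FILE' instead of
# 'password=...'; the file must then be readable by root only. The share
# and account names used below are placeholders chosen for the example.

# write_smb_credentials FILE USER PASSWORD [DOMAIN]
# Creates FILE with mode 0600 from the start (umask 077 before the file
# exists) so the password never sits in a group/world-readable file, even briefly.
write_smb_credentials() {
    f=$1; u=$2; p=$3; d=${4:-}
    old_umask=$(umask)
    umask 077
    rm -f "$f"
    printf 'username=%s\npassword=%s\n' "$u" "$p" > "$f"
    if [ -n "$d" ]; then printf 'domain=%s\n' "$d" >> "$f"; fi
    umask "$old_umask"
}

# credentials_file_mode_ok FILE -> 0 when no group/other permission bit is set
credentials_file_mode_ok() {
    case "$(ls -ld "$1")" in
        -rw-------*|-r--------*) return 0 ;;
        *) return 1 ;;
    esac
}

# mount_opts_safe "OPTIONS" -> 1 when the comma-separated mount options carry
# the password inline (visible to every local user via 'ps' and in history)
mount_opts_safe() {
    case ",$1," in
        *,password=*) return 1 ;;
        *) return 0 ;;
    esac
}

# smb_mount_command CREDFILE UID //SERVER/SHARE MOUNTPOINT -> the command to
# run as root; printed rather than executed so the example runs without a
# server. It refuses to proceed if the credentials file is readable by others.
smb_mount_command() {
    credentials_file_mode_ok "$1" || { echo "refusing: $1 is readable by others" >&2; return 1; }
    printf 'mount -t smbfs -o credentials=%s,uid=%s %s %s\n' "$1" "$2" "$3" "$4"
}

# Usage with constructed values (the server BACKUP is the one pictured earlier):
#   write_smb_credentials /root/.smbcred pc-user 'S3cret!' WORKGROUP
#   smb_mount_command /root/.smbcred 500 //BACKUP/share /mnt/backup
```

The 'uid=' option makes the mounted files appear to belong to the given local user; combine it with a credentials file that only root can read so the Windows password is never exposed to the Thin-Client users who share the server.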
Case Study
We recommend the case study prepared by Sudev Barar of Nuchem Limited, published in "Linux For You" magazine. You can get the article from http://www.Linuxdelhi.org/anCMS/data/download/Nuchem-LTSP-Linux-Casestudy.pdf. They have beautifully explained how they saved about 30 lakh Indian rupees by implementing an Open Source product, Thin-Clients and the Linux Terminal Server Project (LTSP).
CONCLUSION
The topics covered in this chapter are very concise; to explain all of them in depth we would need to write a series of books. But we are sure that we have given you glimpses of the Open Source philosophy and its movement, and explained its benefit and its place in a Thin-Client implementation. Though many major vendors claim in various forums that they support the Open Source movement wholeheartedly, it is not hard to see them advertise with the sentence "we recommend Microsoft Windows OS". Let us consider it their business limitation. We can, however, expect that an age will soon come when a line like "We recommend Open Source OS, too" is printed on their advertisements along with the existing recommendation.
10
Problem Solving & Frequently Asked Questions
In this chapter we have tried to cover the most commonly encountered problems and their solutions. We hope this answers most of your queries.

Problem: My Thin-Client behaves erratically. Sometimes it doesn't store system configuration settings and sometimes it even fails to boot.
Diagnosis: The CMOS battery may have drained.
Solution: Replace the CMOS battery with a new one. If this does not work, you have to upgrade the firmware of the Thin-Client.

Problem: How to upgrade the firmware / DoC (Disk on Chip)?
Diagnosis: The OS image on the DoC has become corrupted and needs to be reinstalled.
Solution: If you have a Thin-Client that uses M-Systems' DoC (e.g. Vxl Netica, HCL WinBee), adopt the following procedure to rewrite the DoC image.
1. First connect a bootable hard disk carrying FreeDOS 1.0 or MS-DOS 6.22 to the first IDE port of a working Thin-Client's motherboard. Next download the freely available M-Systems utilities from http://www.m-systems.com/content/Developer/TFFS_Tools.asp and copy them into the c:\utilities folder of this IDE hard disk. Now boot the Thin-Client with the HDD as the first boot device.
2. Execute DINFO.EXE from the c:\utilities folder to get the DoC's information, such as its drive letter, version and size.
3. Run 'GETMIMG.BAT filename' from c:\utilities to copy the image of the DoC to a file. For example 'c:\utilities\GETMIMG.BAT C:\thinclient_image.img' (the file name can be anything of your choice).
4. Now repeat steps 1 and 2 with the non-functional Thin-Client.
5. If DINFO.EXE does not recognise the DoC, you have to replace the DoC. If DINFO.EXE shows the drive letter, size and version of the DoC, you can replace its image with the working one you created in step 3.
6. Run DFORMAT.EXE to format the DoC of the non-functional Thin-Client. For example, to format the DoC whose drive letter is D:, run the command 'c:\utilities\DFORMAT.EXE D:'.
7. Run 'PUTMIMG.BAT filename' to copy the image file created in step 3 onto this freshly formatted DoC. For example: 'c:\utilities\PUTMIMG.BAT C:\thinclient_image.img'.
8. With this DoC your system should function properly.
GETMIMG.BAT and PUTMIMG.BAT are batch files which in turn call DOCPMAP.EXE with various parameters. Therefore ensure that you download all the files listed below:
• DFORMAT.EXE—DiskOnChip formatting utility
• DINFO.EXE—DiskOnChip information utility
• DOCPMAP.EXE—DiskOnChip duplication utility
• GETMIMG.BAT—Get DiskOnChip image (first part of the duplication utility)
• PUTMIMG.BAT—Put image on DiskOnChip (second part of the duplication utility)
For the HP Evo T20 and T30 series of Thin-Clients you have to use the Netxfer utility. It is a program that replaces the entire binary image on the flash with a new one. It is packaged along with the Thin-Client firmware in a self-extracting file known as a SoftPaq, whose file naming convention is five digits preceded by SP, e.g. SPXXXXX. Download the appropriate SoftPaq for your Thin-Client from http://h18004.www1.hp.com/support/files/thinclients/us/ to a directory on your hard drive. Execute the downloaded file and follow the on-screen instructions, then go to the Netxfer directory to find the documentation and the executable.

Problem: Windows 2000 Server fails to boot, or there is no display on the server console.
Diagnosis: Hardware may not be working or the boot sector may be corrupt.
Solution: Diagnosis of a hardware-related problem must be done sequentially.
• First check whether AC power is available on all the power supply (SMPS) units of the server. If yes, then ensure that the SMPS fan is working.
• To fully ascertain that the supply is capable of powering the motherboard, check whether the CPU cooling fans are working. If yes, the SMPS is OK.
• If the server still fails to boot, the probable cause lies with the motherboard, RAM, processor or BIOS. You can narrow down the problem by listening to the beep codes from the speaker: RAM failure and display card failure produce beep patterns of different intervals. Refer to http://www.computerhope.com/beep.htm for details of the various beep patterns.
• However, if you think the server is able to boot (there is the initial beep, the hard disk initialisation is audible and the keyboard is initialised) but there is no display, then there could be a problem with the display card.
• Another error you may face while the server boots is the message "System initialization failed, please insert boot diskette." In this case either your hard disk has crashed, or the hard disk controller is not working, or the MBR of your boot disk has gone bad.
• If the hard disk has crashed or the controller has gone bad, there is no option but to replace it. If instead a virus or something else has corrupted the MBR of the disk, boot the system from the Windows 2000 operating system CD. You will find an option to repair the existing installation. There are two ways of doing it:
1. Using the Emergency Repair Disk
2. Using the Recovery Console

Problem: How to create an Emergency Repair Disk (ERD)?
Diagnosis: For repairing your Windows 2000 Server installation in case the MBR of the boot disk has been corrupted by a virus or some other means.
Solution: To create the Emergency Repair Disk (ERD):
1. Run the Backup utility found under Accessories->System Tools->Backup. Click on the Tools menu and select 'Create Emergency Repair Disk'.
2. Insert a formatted floppy disk when prompted (Fig. 10.1). You will have the option of also copying the registry files to the Repair directory. Your ERD will be created. It is always recommended that you create an ERD, and that you recreate it after every significant configuration change, since it only captures the state at the time it was made.
Fig. 10.1
Problem: How to install the Recovery Console?
Diagnosis: To repair your Windows 2000 Server installation.
Solution: As a pre-emptive measure, you should know how to install the Recovery Console. Go to Start->Run and type E:\i386\winnt32 /cmdcons, where E: is the drive letter of your CD-ROM. In the worst case, when you don't have an ERD or your server fails to boot, boot the server from the Windows 2000 CD and run Setup. Setup will copy some files for accessing the server's hardware and then offer the repair options. The two options are ERD and Recovery Console; choose Recovery Console by pressing C. It will then ask for the Administrator password of the existing installation (this is what keeps the console from being used by anyone with physical access to the CD drive). A command-line interface opens; from there, type the command 'fixmbr' or 'fixboot' to fix the MBR and the boot sector respectively.

Problem: My system boots but doesn't reach the Ctrl+Alt+Del window; it shows some files missing, or the blue screen appears.
Diagnosis: You may have installed new hardware whose driver is not digitally signed for Windows 2000, or this hardware device may be creating an IRQ or memory address clash. Another reason could be that you have tried to upgrade the existing hardware's driver. An improperly installed application or an incompatible program may also cause this error.
Solution: When the boot menu appears, press F8 to enter the Windows 2000 Advanced Options Menu, which lists:
1. Safe mode
2. Safe mode with networking
3. Safe mode with command prompt
4. Enable boot logging
5. Enable VGA mode
6. Last known good configuration
7. Directory services restore mode (Windows 2000 domain controllers)
8. Debugging mode
9. Boot normally
Safe mode options (1, 2, 3): In safe mode only the bare minimum of hardware drivers and services is loaded. If you also need network support, choose 'Safe mode with networking'. For troubleshooting Explorer.exe, boot into 'Safe mode with command prompt'. Normally explorer.exe is the GUI shell of Windows and it is a frequent target of viruses. When you boot your server with 'Safe mode with command prompt', the default shell is CMD.exe instead of explorer.exe. Pressing Ctrl+Alt+Del activates Task Manager, from which you can run any new task. Run the virus removal tool and then copy a fresh Explorer.exe from floppy or CD to C:\Winnt. In these modes you may roll back an erroneous hardware driver or remove the problematic application that is causing the boot failure.
Enable boot logging: Windows 2000 logs all the files loaded at boot to a file called NTBTLOG.txt in the Windows directory (C:\Winnt).
Enable VGA mode: This option is useful when you have installed an inappropriate display driver. A generic VGA driver is loaded, which may be replaced with the correct driver later.
Last Known Good Configuration: This option restores the registry control set (driver and service configuration) saved at the last successful logon, so it helps only when the problem lies in that configuration rather than in damaged system files or hardware. Suppose you have installed a driver or service and at the next boot the operating system is extremely slow or fails to start; choose 'Last Known Good Configuration' to return to the previous configuration. Note that it does not uninstall an application; applications must be removed in safe mode.
Debugging mode: Connect the Windows 2000 machine to another running computer via the serial ports. On the receiving computer open a HyperTerminal session and configure its properties to log the debugging information sent by the server.

Problem: The Thin-Client hangs and neither keyboard nor mouse works while connecting to the Terminal Server.
Diagnosis: This is a bug described in Microsoft Knowledge Base articles 324446 and 332023.
Solution: The patch for KB324446 is also known as the 'pre-Service Pack 5' hotfix, meaning it may be rolled into a future Service Pack 5; it fixes a number of known problems. To get these patches you need to contact Microsoft's support centre, quoting the Knowledge Base article. They will e-mail you the URL of the hotfix together with the password required to download it. The hotfix can be obtained free of cost. The Knowledge Base article also describes how to enable the disk controller's cache memory using an executable file; confirm the result yourself. You may need to enable the write cache of your SCSI card manually by invoking the SCSI card's configuration utility at boot time. For example, we enabled cache memory on the Adaptec SCSI cards of our Acer server to rectify the problem.

Problem: I received the error message "Unable to log on locally" while trying to log on to the server.
Diagnosis: Local rights don't permit you to log on to the server.
Solution: Go to Start->Programs->Administrative Tools->Local Security Policy->Local Policies->User Rights Assignment->Log on locally and add the user or user group. Click on the 'Local Policy Setting' column (Fig. 10.2) and adjust the setting to resolve the issue. Grant the right to a specific group of Thin-Client users rather than to Everyone, so that only the accounts that should reach the server can log on.
Fig. 10.2
Problem: How to terminate user sessions that are lying idle?
Diagnosis: The user has forgotten to close his session, or network connectivity has broken down, or the Thin-Client suffered a sudden power cut while working on the server.
Solution: Go to Start->Programs->Administrative Tools->Terminal Services Manager. Select the users with Ctrl+Click and right-click. Choose End Session or Disconnect.

Problem: How do I set the user time-out limit?
Diagnosis: To avoid the above problem, one wishes to set a time-out.
Solution: The time-out limit for idle sessions can be set per user or per display protocol. Go to the user's properties->Sessions->Set idle session limit. You also need to define what action the operating system takes when this limit is reached: either disconnect the session or end it (log off).

Problem: How to send a common message to all users?
Diagnosis: To inform all currently logged-in users about a maintenance activity to be performed on the server before taking it down.
Solution: There are two methods of sending a common message to all users:
1. "msg" is a command-line tool which may be used to send messages to all Terminal Services users. The syntax is 'c:\>msg * Message_Text_To_Send_To_User'.
2. Go to Start->Programs->Administrative Tools->Terminal Services Manager. You will find a list of users currently working on the server. Select the users to whom you want to send the message, using Ctrl+Click to select multiple users. Now select Send Message from the Actions menu. A pop-up Send Message screen appears; type in the message title and the message and click OK to send it to all selected users.

Problem: Some of the applications installed on my Terminal Server don't work as expected.
Diagnosis: The applications might have been installed before Terminal Services was activated.
Solution:
1. Terminal Services may run in two modes, 'Remote Administration mode' and 'Application Server mode'. In the latter mode, all applications must be installed using Add/Remove Programs, which puts the server into install mode so that the application's settings are recorded for every user (the command 'change user /install' before setup and 'change user /execute' afterwards has the same effect). If your application has not been installed in this way, remove it and reinstall it in this fashion.
2. The application may not be written and tested for Terminal Server clients. Check the product specification or ask the vendor to confirm that it will work in a Terminal Services session. We strongly recommend not installing unproven and experimental applications.

Problem: The client fails to connect with the message "This initial program cannot be started".
Diagnosis: The server has been configured to start an application at logon, but the program path or file name is incorrect.
Solution: Ensure that the program path and file name are correct in the user's startup settings, and that the program exists at the specified location on the server. If you want an application to be reachable directly from the Run menu even though its home directory is not the Windows system directory, right-click My Computer, select Properties, and under the Advanced tab select Environment Variables. In the System variables section select Path and click Edit, then append the location of the application's home directory (Fig. 10.3).
Fig. 10.3
Problem: How to terminate a hung application?
Diagnosis: The application has stopped responding due to some internal error of the application or the operating system.
Solution: The application can be terminated using Task Manager on the server's console. If only a particular user is facing the problem, then in Terminal Services Manager, under the Processes tab, you may select and terminate that user's process (Fig. 10.4).
Fig. 10.4
Problem: The Quota tab does not appear on the Properties dialog box.
Diagnosis: You are not Administrator or a member of the Administrators group.
Solution: Disk quotas can be set only by Administrator or members of the Administrators group, and only on volumes formatted with the NTFS file system; they are managed from the Properties of the volume's root. Therefore, if you are not a member of the Administrators group the Quota tab does not appear for you.

Problem: I am unable to delete a quota entry.
Diagnosis: A user's quota entry cannot be deleted until all the files that the user owns (i.e. files created by him) have been removed from the volume or another user has taken ownership of them.
Solution: First move, delete or take ownership of all files that the user owns on that volume. Then you can delete that user's quota entry.

Problem: I am getting an "insufficient disk space" message when trying to add files to a volume.
Diagnosis: The user has exceeded the quota limit.
Solution: Create space by deleting some data or compressing it. Alternatively, ask the Administrator to increase your quota limit, move or delete files from the volume, or clear the 'Deny disk space to users exceeding quota limit' check box in Disk Quotas.

Problem: A user is unable to identify his printer in the list of printers shown in his print dialogue.
Diagnosis: The print dialogue lists all the printers on the network and it is difficult to identify one's own.
Solution: By default 'Everyone' is given the Print permission on a newly installed printer, so it is listed for all users. To restrict this, remove 'Everyone' and grant the Print permission only to the specific users or group who should use it. The printer is then seen only by those who have been given the Print permission.

Problem: How to clear pending documents in the print queue?
Diagnosis: The user has sent a print job to a printer that has a hardware problem.
Solution: To clear the print queue, stop and restart the Print Spooler service.

Problem: I am not aware of the patches and hotfixes to be installed on Windows 2000.
Diagnosis: Search the Knowledge Bases of Microsoft and Citrix.
Solution: For Windows 2000 we recommend Service Pack 4, KB324446, KB841720, KB839429, KB837001, KB827350, KB834745 and KB835732. Hotfixes and patches are released when a problem has been resolved, so for your specific problem search the Knowledge Base pages of Microsoft or the other vendor's site.

Problem: I am not able to decide which operating system I should use.
Diagnosis: It depends on priorities, feature requirements, availability of funds and technical skill.
Solution: If you don't need USB printers connected to the Thin-Client or multimedia applications on the Thin-Client, and you cannot hire a consultant for installation, then go for
Windows 2000. If you are familiar enough with the ways Microsoft works, need advanced facilities (such as USB printer support and multimedia) and funds are not a big problem, then go for Windows 2003. If you are a good Linux administrator, hard working, searching for the cheapest solution, and your users are ready to use non-Microsoft applications, then go for Linux.

Problem: I am not able to get the remote Linux server's X-Windows over XDMCP.
Diagnosis: On the server, the display manager is not serving your request.
Solution: Configure the Linux Server's display manager configuration file to accept XDMCP connections from clients over the network. Refer to the 'Bare minimum Configuration' section of Chapter 8 to learn about the various display managers. Remember that an XDMCP session is not encrypted, so limit the hosts the display manager accepts to your Thin-Client network.

Problem: I am not able to telnet to the Linux machine.
Diagnosis: Either the telnet server is not installed or it is not enabled.
Solution: First check whether the telnet server is installed by looking into the xinetd super daemon's configuration directory /etc/xinetd.d/. A file named telnet should exist there; if it does not, install telnet from your distribution media. If the file is present, change the line 'disable = yes' to 'disable = no'. Finally restart the xinetd super daemon with the command 'service xinetd restart'. Your Linux machine is now ready to accept telnet connections. Because telnet sends passwords in clear text, enable it only on a trusted network and prefer ssh wherever the client supports it.

Problem: What resources are available on the net?
Solution: You can refer to the excellent URL 'http://www.thethin.net/links1.cfm', which has several very useful links pertaining to Terminal Services issues. Not only this: Larry Page and Sergey Brin brought the Google search engine to life in September 1998 for your use. The discussion forums on Microsoft's site and the mailing lists of Linux User Groups (LUGs) are other good sources of information.

Problem: Where to contact to get support from Microsoft or Citrix?
Solution: You can find information in the support section of the respective vendor's home page.
However, below is the contact information for Microsoft and Citrix.
Microsoft India:
Microsoft Corporation (India) Pvt. Ltd. The Great Eastern Center100 70, Nehru Place New Delhi - 110019 INDIA Phone: (91) (80) 25595733, (91) (11) 26294600 (91) (11) 2629601, (91) (22) 2850193 Fax: (91) (11) 6292650
Citrix India:
Citrix Systems India Private Limited, No. 212, 80 Feet Road, 1st Main, Domlur II Stage, Bangalore 560 071, India. Telephone: +91-80-25352911, Fax: +91-80-25352916
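For the telnet troubleshooting entry above, the following shell snippet (an added example, not part of the handbook) reads an xinetd service file the way the ‘disable’ check is described and reports whether the service is enabled: comments are stripped and the disable line is matched with any spacing or case. It writes a constructed sample file under a temporary directory rather than touching /etc/xinetd.d/. Since telnet carries credentials in cleartext, the same check is handy for auditing which xinetd services a server still exposes.

```shell
#!/bin/sh
# Constructed sample of an xinetd service file, mirroring the layout of
# /etc/xinetd.d/telnet described in the handbook (not a real system file).
SAMPLE_DIR="${TMPDIR:-/tmp}/xinetd-sample.$$"
mkdir -p "$SAMPLE_DIR"
cat > "$SAMPLE_DIR/telnet" <<'EOF'
# default: on
# description: The telnet server serves telnet sessions.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = yes
}
EOF

# xinetd_service_state FILE
# Prints "enabled", "disabled" or "missing" for one xinetd service file.
# The service counts as disabled only when an uncommented "disable = yes"
# line is present; with no disable line xinetd's default is enabled.
xinetd_service_state() {
    file="$1"
    [ -f "$file" ] || { echo missing; return 1; }
    # strip "#" comments first so "# disable = yes" is not taken literally,
    # then match "disable = yes" with any amount of whitespace, any case
    if sed 's/#.*//' "$file" |
       grep -Eiq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes[[:space:]]*$'; then
        echo disabled
    else
        echo enabled
    fi
}

# Check the constructed sample; then the real file, if this host has one.
xinetd_service_state "$SAMPLE_DIR/telnet"
if [ -f /etc/xinetd.d/telnet ]; then
    xinetd_service_state /etc/xinetd.d/telnet
fi
```

Run it on any /etc/xinetd.d/* file to see at a glance which services would start on ‘service xinetd restart’.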
Index

Non-alphabets
/etc/exports 177
/etc/hosts.allow 178
/etc/hosts see hosts

A
Access control list 103
Activate License 63
active sessions 147
Add/Remove Programs 29
ADM see ATA-Disk module
admin$ 114
Administrator password 28
alert logs 143
Alpha server 192
Apache 7
Application Compatibility 43
Application License 36, 38
application log 150
Application mode 205
Application server mode 39, 42
Application software 161
ATA-Disk module 178
Attributes 108
auditing 135
auto negotiation 163
auto probing 195
availability 9

B
background applications 153
Backup license 53
backup 7
beep codes 201
BIND 177
BIOS 18
bonding module 164
Boot disk 19
boot diskette 201
BOOTP 170
BootROM 179
Build in License 38
Bypass traverse checking 108

C
Cache memory 204
CAL 36
call back 89
CDS 5, 13, 60
circular logs 143
Citrix Activation System 63
Citrix Device License 60, 62
Citrix Device Services 60
Citrix MetaFrame 58
Citrix WinFrame 58
client/server model 4
Clustering 16
CMOS 200
color management 132
communication protocol 12
community projects 161
Connection Method 46
cookies 91
copyleft 159
copyright 159
counter logs 143
counters 144
Creating RDP clients 65
Cygwin X-server 194
D
daemon 189
DAT 8
Data security 8
dd (command) 179
Debugging mode 203
Deleting disk quota 101
device drivers 196 see also Knowledge base
Disk partition 17
disk queue length 147
Disk quota 99
disk time 147
Disk-on-Chip see DoC
display protocol 5
distro 161
DNS Server 31
DoC 178, A102 + A68200
Domain 18
domain 32
Dumb Terminal 14
Dword 97

E
emacs editor 156
Emergency Repair Disk see ERD
EMF 122
enabling disk quota 100
Encrypted file system 99
Encryption 72
ERD Create 202
ERD 201
etherboot 179
event viewer 150
eXceed 189
Explicit permission 103
Explorer 203

F
fast ethernet 163
FAT-clients 2
Fedora core 166
Firmware 200
fixboot 202
fixmbr 202
foreground applications 153
Format 25
FreeBSD 7, 156
FSF 159
fsutil 101
FTP Proxy 173
full-duplex 163

G
Gateway 10
gcc 156
gdm 166
GIMP 7
gnome 166
GNU Public License see GPL
GPL 7, 156
graphics device interface 121
GUI Mode 26

H
half-duplex 163
Hardware compatibility list 17
hive 93
home folder 85
hosts file 192
hosts 177
HotFixes 7, 207
HTTP Proxy 173
Hyperterminal 203

I
ICA 5, 58
idle session 86
inactive session 147
Independent computing architecture see ICA
inherited permission 103
Insufficient disk space 207
Internet connector License 38
Internet protocol 30
ipc$ 114
IRQ 202
ISDN 59, 64
K
kdm 166
kernel 156, 159, 177
Knowledge base 203 (KB324, KB841720, KB839429, KB837001, KB827350, KB835732)

L
language monitor 121
LGPL 159
Library GPL 159
licences 12
License key pack ID 39, 52
License Server ID 48
License Server 39
Licensing Agreement 23
Licensing Mode 17, 27
linear logs 143
Linus Torvalds 156
Linux distribution 160
Linux User Group see LUG
local groups 81
local print provider 120
local users and groups 82
logon rights 116
logon scripts 85
Lserver 53
LTSP 162, 169
ltspadmin 170
ltspcfg 175
ltsp-utils package 170
LUG 165, 208

M
MAC 5
mailing list 165
mainframe systems 2
Maintainability 8
manageable client 158
mandatory profile 84
MBR 201
md5sum 173
memory/pages/sec 146
Memory Address 202
memory/available bytes 146
Microsoft Clearing House 39
MOLP 50
Multi-tasking 156
Multi-user 156
MySQL 197

N
NAS 8
NC see Network computer
net session 115
net use 115
NetBIOS 197
Netboot 180
netlogon 114
netpc 3
netstation 169
network computer 3
Networking Setting 30
Netxfer 201
NFS 170
NTBTLOG.txt 203
NTFS 17, 112
ntuser.dat 84, 91

O
object auditing 116
OEM 60
Offline files 111
OO see Open Office
open source development lab see OSDL
Open source operating system 7
open source 156
Open Office 7, 160
OSDL 157
OSS see open source
owner 135
Ownership of objects 109
P
page file 151
pages/sec 147
Patches 7
per seat license 36, 41
per server license 37, 41
performance console 142
perl 163
port monitor 121
port settings 128
portmapper 177
power users 81
privileges 115
print devices 120
print job 120
print processor 120
Print Queue 207
print server 125
print spooler 120
print$ 114
printer control language 121
printer driver 120
printer permission 121, 132
printer pool 121
printer pooling 130
printer priority 130
printer window 121
printer 120
printing preferences 128
process \ working set 147
processor (total) \ interrupts/sec 147
processor \ %processor time 147
profile 84
Proprietary software 160
Purchase Method 50
putty 188
PXE 180
PXES 162, 169, 183

Q
Quota 207

R
RAID Controller 20
RAID 11
RAS 89
RAW 122
rdesktop 186
RDP 5, 64
Reactivation Licenses 55
Recovery console 201, 202
regedt32 93
registry editor 92
Registry file 202
Remote Administrator Mode 38, 42, 205
remote control 8, 87
Remote Frame Buffer 194
replicator 82
Reset permission 106
Restoration Licenses 55
roaming profile 84, 90
Round Robin Database 163
RPM 170, 171
RRDtool 163
RS232C 2

S
Safe mode 203
samba 197
SAN 8
Scalability 9
SCSI 20
security log 150
separator page 131
Service pack 204
services 153
share permissions 111
sharing 110
SME 16
SMPS 201
SoftPaq 201
ssh 188
Standard TSCAL 38
StarOffice 160
startup disk 18
startx 167
Subnet mask 31
switchdesk 168
sysinit 181
system log 150
system monitor 143
System State data 53
sysvol 114

T
Task manager 148, 206
TCO 6
telnet 188
Temporary license 38
temporary user profile 90
terminal server licenses 36
Terminal Server Licensing Wizard 45
Terminal Server 39
Terminal Services Manager 186, 206
Terminal Services 4
TFTP 170
total session 147
trace logs 143
Traverse folder 108
Tru64 Unix 192
TS see terminal services
TS CAL Token 39
TSCAL Activation 45
TSCAL 36, 38, 162, 186
TSE 4
TSL model 38, 39, 40
twm 167

U
user profiles 90
user rights 80, 115
UTP 4

V
vi editor 156
virtual memory 151
virus 9, 196
VNC 13, 187, 194
Volume 207

W
WBT 3
webmin 164
webminstats 164
Win32k.sys 73
Window Based Terminal 59
Windows 2000 Client Access License 36
Windows 2000 Server License 36
Windows 2000 Terminal Services CAL 36, 38
windows CE 4
Workgroup 18, 32
WOW 11

X
X-Deep/32-PC X server 191
XDMCP 13, 165, 206
xdm 165
xinetd 208
X-terminal 165
X-windows 186
Xwinlogon Win32 X-server 189