Windows Server 2003 Setup Question 2

rsharpe29 (Technical User), Dec 3, 2004
Hello all,

Please bear with me while I try to explain as this is the first time I am attempting to deploy a system of this type. The network is meant to satisfy the needs of my small company and somehow I thought it would be easy. I was wrong :)

Anyway, I have managed to set up Windows 2003 Server on one of my machines and have installed Active Directory, DNS and DHCP.

What I am trying to do is get 5 clients online with minimal fuss. I would like all clients to share the same attributes in terms of desktops and stuff they can access.

For example, I do not want any of the users on client machines to be able to access the control panel, I want all their screen resolutions to be standard at 1280 x 1024. I want them all to have the same "classic" start menu and start menu options. I want them to be able to run installed programs but not to be able to install programs. All in all a pretty fairly well locked down machine.

All clients will be running XP Pro and I would like to have the installation of the OS deployed from Win Server 2003. I realize I have to make some sort of disk that allows the network connection to be made (all the clients use wireless NICs) and I can't figure out how to do this.

In addition to the above, I also want all users to have a public and a home folder. I want both these to be located on the server machine because it will give me a single point to make backups from.

I purchased the book Mastering Windows Server 2003 by Mark Minasi and while it helped me set up the AD, I'm finding all the rest very hard to understand. His book seems geared at setting up multiple domains and child domains as well as multiple ADs and I just seem to keep getting lost.

I'd like to also be able to deploy software like Office 2003 and Symantec Corp Edition to all the clients and keep virus definitions updated automatically, without intervention. Same goes for Windows XP updates.

I know this seems like I'm asking for a free meal ticket by asking for all the answers but if I had more time to get my head around all this I would most certainly keep at it on my own. Unfortunately, I started this project on Wednesday and was hoping to have it all finished in a day or two and get people their workstations back. No one has done any work for 3 days and there's no end in sight unless I can get some help.

I would really appreciate any and all help, keeping in mind that I'm new to this. Having said that, I have created an OU called Employees and have created all 5 users within it. I got lost after that.

I also seem to have a problem with DHCP. I have a crossover cable going into the WAN port on my router and the Win 2003 box is plugged into the LAN port on the router. I have hardcoded the IP for the Win 2003 box via TCP/IP but would like the clients to get dynamic IPs. This doesn't work though. The clients can't access the Internet when I do this.

Once again, I really appreciate people taking the time to read all this and would be grateful for any and all assistance.

Regards,

RS
 
I forgot to mention, I want all users to be able to log in to any client on the network. People move about all day and the clients are not all in the same room.

Regards,

RS
 
Sorry to maybe disappoint you but there is no quick and dirty solution for your project.
You made one big major mistake: you did NOT prepare or test!
In the desired setup you describe, there are so many things involved that it is close to impossible to give an answer.
We would have to write an entire book here to get you through all that, PLUS, we cannot even SEE what you see or do.

One immediate thought I can share, since your users are all over the place all the time:
Why not consider having them work with Terminal Services? That way, their desktop environment is on the server, every single workstation is identical, everyone can log in anywhere they want and get the identical views.


Marc
[sub]If 'something' 'somewhere' gives 'some' error, expect random guesses or no replies at all. Please specify details.
Free Tip: The F1 Key does NOT destroy your PC!
How Do You Get Great Answers To your Tek-Tips Questions?
[/sub]
See faq222-2244
 
That's what I feared Marc. I knew it was a tall order with me having so many questions but I couldn't help but hope there would be some solutions put forth.

At this stage, I wouldn't mind manually installing XP Pro on all clients but I would really like to be able to be directed on how to get the clients to behave in the manner I described in my first post.

I'll reread Mark Minasi's chapter on deploying software and see if I can get my head around it.

Any good books that teach this stuff in a way that even beginners like myself can understand?

Regards,

RS
 
Sorry again, but the point you seem to miss is:
Your setup is NOT for beginners!
You are in over your head and there just is no step by step guide for what you want to achieve.
You either learn very quickly, test in a lab or so, or get someone to do it for you.

Marc
 
PS:
Please don't take the above the wrong way.
What I am trying to say is that you want someone to explain to you in 5 minutes what takes us years to learn and master.
It just does not work that way.

Marc
 
>>>I purchased the book Mastering Windows Server 2003 by Mark Minasi and while it helped me set up the AD, I'm finding all the rest very hard to understand. His book seems geared at setting up multiple domains and child domains as well as multiple ADs and I just seem to keep getting lost.

Ok, first of all, to try to clear up some of your confusion, given the small business setup you described, and your desired configuration, the first decision you need to make is this: Do you really want to deploy an Active Directory tree within a single-server environment of 5 or fewer clients? You may very well want to for reasons that I am not going to go into right now, but if you have decided to deploy your W2K3 Server using AD, then it is time to move on to the server configuration itself.

>>>For example, I do not want any of the users on client machines to be able to access the control panel, I want all their screen resolutions to be standard at 1280 x 1024. I want them all to have the same "classic" start menu and start menu options. I want them to be able to run installed programs but not to be able to install programs. All in all a pretty fairly well locked down machine.

This can be achieved by creating Domain policies and Group Policies that will be sent to the individual workstations. You will need to work on creating a Domain policy and Group policy that best suits your needs. The way Group Policies work is, whenever you have a workstation joined to an AD/Windows domain and a valid Domain/Windows account (and granted a properly configured network), when the user account logs on, the group policies which you create enforce or evoke privileges based on the account that is logged on, workstation, etc. Inside the group policy editor/MMC, you have many options available to allow or deny particular network and workstation functions, etc. This is where you will be able to restrict users in loading software, etc. More information on Group Policies and GP management can be found all over the web, as well as on Microsoft's Knowledge Base.

>>>In addition to the above, I also want all users to have a public and a home folder. I want both these to be located on the server machine because it will give me a single point to make backups from.

The first part of this is simple file sharing. Set up a default file share on your server and delegate permissions accordingly. The second part: when creating your user accounts, define a user "Home" directory and assign it a drive letter so that when the user account is logged on, the logon script maps the desired user share to the defined drive letter, thus creating a "User Home Directory". Anything contained on this Home Directory is stored on the server. As with everything inside a Windows/AD domain/NTFS file structure, permissions/group permissions can be set and utilized, and you can also set disk quotas defining allowable storage limits for home directories and file shares. You can also take the workstation file storage access in combination with Group Policies another step by substituting the user's "My Documents" default profile folder with the mapped user Home directory, which would reduce the risk of a user saving a file to a local hard disk inadvertently, and not having the file backed up by the server because it resides on the local workstation's hard disk.

Being a network admin for many years, across numerous corporate LANs/WANs, I have found this to be one of the biggest problems when working with server defined home directories. Most office users understand the concept of a mapped home drive/home directory, but they sometimes forget, or become confused when in a situation where they need to save files and are presented with multiple locations to do so, often times resulting in files being saved on a local disk, with no backup, and often times lost or misplaced files/information. This can lead to serious issues if gone unnoticed, especially if data does get lost or corrupt. Substituting the "My Documents" folder can greatly reduce this confusion and streamline your disaster recovery/backup plans.

>>>All clients will be running XP Pro and I would like to have the installation of the OS deployed from Win Server 2003. I realize I have to make some sort of disk that allows the network connection to be made (all the clients use wireless NICs) and I can't figure out how to do this.

There are many ways to handle OS deployment across multiple workstations; first thing to consider is this: Do all of the workstations have the exact same hardware configuration? Second thing to consider is time. It can take some serious time developing a standard desktop OS platform, and deploying it, so in your case, you said you have 5 PCs that need to have WIN XP, it might actually be faster and more efficient to manually load the OS and configure the individual software packages, rather than spend countless hours developing a workstation image to deploy. Obviously there are many advantages in creating a standard workstation image; however, again, time is of the essence in this situation. If you do decide to develop a standard workstation image, I recommend using the 3rd party application "Ghost" by Symantec Corporation. I think many will agree with me when saying Ghost does the job, and then some. :)

I hope this helps to get you started, and I wish you the best of luck!

If you need any further assistance, don't hesitate to ask!

Scott Hasler
Network Engineer
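
The home-folder setup described in the post above (a server share, per-user permissions, a mapped drive letter on the account), sketched as an added example that is not part of the original thread or any poster's code. It assumes a current Windows Server with the ActiveDirectory PowerShell module; the server name `SERVER01`, share `Home$`, path `D:\Shares\Home`, domain `EXAMPLE` / `example.local` and drive `H:` are placeholders, and only the `Employees` OU comes from the thread.

```powershell
# Added example: per-user home folders with least-privilege NTFS ACLs.
# Every name below is an assumption except the "Employees" OU from the thread.
Import-Module ActiveDirectory

$HomeRoot   = 'D:\Shares\Home'                    # assumed folder on the server
$HomeUnc    = '\\SERVER01\Home$'                  # assumed hidden share of $HomeRoot
$HomeDrive  = 'H:'                                # assumed drive letter
$NetBios    = 'EXAMPLE'                           # assumed NetBIOS domain name
$SearchBase = 'OU=Employees,DC=example,DC=local'  # assumed distinguished name

function New-HomeFolder {
    param([Parameter(Mandatory)][string]$Sam)

    $path = Join-Path $HomeRoot $Sam
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    }

    # Drop inherited ACEs, then grant only admins, SYSTEM and the folder's user.
    # (OI)(CI) applies the ACE to files and subfolders; F = Full, M = Modify.
    & icacls.exe $path /inheritance:r /grant:r `
        'BUILTIN\Administrators:(OI)(CI)F' `
        'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
        "${NetBios}\${Sam}:(OI)(CI)M" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $path" }

    # Store the home folder on the account so it is mapped at logon.
    Set-ADUser -Identity $Sam -HomeDirectory "$HomeUnc\$Sam" -HomeDrive $HomeDrive
}

function Test-HomeFolderAcl {
    # Returns every Allow ACE held by anyone other than admins, SYSTEM
    # or the folder's own user (for example Everyone or Domain Users).
    param([Parameter(Mandatory)][string]$Sam)

    $allowed = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', "$NetBios\$Sam"
    (Get-Acl -LiteralPath (Join-Path $HomeRoot $Sam)).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $allowed -notcontains $_.IdentityReference.Value } |
        Select-Object @{ n = 'User'; e = { $Sam } }, IdentityReference, FileSystemRights
}

# Provision every enabled account under the OU, then report unexpected ACEs.
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase
foreach ($u in $users) { New-HomeFolder -Sam $u.SamAccountName }
$users | ForEach-Object { Test-HomeFolderAcl -Sam $_.SamAccountName }
```

An empty report from `Test-HomeFolderAcl` means no home folder is readable by another user; re-running the audit after later permission changes catches folders that have drifted.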
 
Hi Marc, I don't take any exceptions to your post at all. I realised when typing it that it was a tall order and I read a few hundred posts on this forum before I even registered to post; people here seem genuinely interested in helping.

I also realise that I won't get anywhere by just sitting about trying to figure this out on my own so if there are any books I can buy or tutorials online I can read that you or anyone else recommends then I'll invest time and money in them. I'm very keen to learn, even if I have to revert back to stand alone PCs while I'm learning for the next few months. I hate having to concede to not being able to accomplish something.

Scott, thanks for the advice. The reason I am trying to setup things this way is because I will likely be adding between 5 to 10 new workstations soon and this just seemed a very nice way of administering them all from a central location.

About the domain and group policies, Mark Minasi's book does go into it but being new to Windows Server it is all flying over my head. Another book that is intended for beginners or even a tutorial would go a long way to helping me. I've searched Google and everything it throws up is aimed at people who know the lingo, so to speak. Maybe I'm just not using the right search terms.

I see where you're coming from with the My Document issue. I did think of that and was planning to map it to the user's home dir on the server.

None of my current clients use the same hardware but all new workstations will be the same across the board. I guess manually installing the OS on the 5 clients I currently have will not be a problem and I can cross the bridge of doing it via RIS when the time comes.

In the meantime, I'll keep checking back for perhaps a few tips or book suggestions and possible on-line tutorials aimed at specific parts of my queries.

Thanks guys,

RS
 
You want to start simple, this is the way to start!
0764516337,subcat-NETWORKING.html

Marc
 
RS,

Another option you might want to consider, since you have not had much experience working with Windows 2003 Server/Windows Server Environments, is possibly using the Windows 2003 Small Business Server OS. From what I understand, it is much more first-time server experience user friendly and could possibly prove to be easier to master than the 2003 Standard server OS.

-Scott

 
I would not really dare to state SBS is any simpler. In some cases it is even more complex because it forces you into several preset configurations. For starters, you cannot install SBS without a live network connection. Second, you MUST have 2 NICs onboard, or it will not get past stage 2. etc...

Marc
 
>>>I would not really dare to state SBS is any simpler. In some cases it is even more complex because it forces you into several preset configurations. For starters, you cannot install SBS without a live network connection. Second, you MUST have 2 NICs onboard, or it will not get past stage 2. etc...

LOL, although this may very well be true, I have not personally examined the 2K3 SBS release, however I am sure Microsoft and their developers, and all those involved with sales/marketing/promotions with Windows 2003 SBS would strongly disagree, naturally.

Perhaps some others who have installed/administered Windows 2003 SBS can share their experiences.

Truthfully, the bottom line really does come down to this, no matter what server OS, no matter what network configuration, etc., without a basic understanding of how it works, how to implement it properly (or even incorrect but still functioning?), how to incorporate/implement change, and how to diagnose and repair unwanted problems when they arise (and trust me, problems in the IT world sign most of our checks every week), anyone without experience is going to be overwhelmed, especially if it is their first time dealing with such hardware/software configurations. Becoming resourceful, and often times, practical, will really determine your overall success or failure in such a project. A strong determination, alongside a strong desire to succeed and accomplish a particular task/goal will guarantee you success, or at least a step in the right direction. It takes time, research, resources, many questions, mistakes/failures, and most importantly, assistance when trying to achieve goals such as these.

Something I learned throughout the years I have worked in IT/IS is this, "Trial and error will almost always lead to a half ended success story". Take it for what it’s worth.

-Scott
 
Trial and error is still the best school, but you need time, will, time, equipment, time, and ... patience.

SBS is simpler to set up, true, as long as you follow the Wizards.
But, from the moment you want a specific setup, you run into all kinds of restrictions and need workarounds.
SBS is designed to set up a network with all bells and whistles, not for the 'tweaking' kind of environment.

And, 100 % agree on the basic knowledge needs!

Marc
 
Just wanted to firstly, thank both of you for trying to steer me in the right direction. I've managed to figure out most of the stuff I questioned above.

I've created an OU called Employees and within that 2 more OUs called Admin and Staff. I've created the users required within them and have found it relatively easy to create GPOs for both OUs. I must say however, with things the way I've described, I can't for the life of me see a reason to add a Group and make people members of these groups. Is that an optional setting or is it required?

At the end of the day this is how my structure will look:

Employees
- Admins
- Finance
- Marketing
- IT Staff
- Sales
- Designers

Each of these OUs will have the exact same GPOs except for Admin and the IT Staff.

What I do require however is that ALL machines (users?) have the following software available to them.

- Office 2003
- Symantec AV
- WinZip
- Adobe PDF Reader
- Mozilla Firefox
- ICQ

I guess this will need to be installed on a machine basis?

On the other hand the following software will ONLY be available to users in the accounting group.

- Sage

The Admins, IT Staff and Designers will have access to the following additional packages:

- Macromedia MX Studio
- Cute FTP
- Express Thumbnail Creator

I think I understand the concept of Publishing versus assigning but am looking for some clarification. Also, most of these apps don't have an MSI, like WinZip etc. How would I go about creating these so they can be deployed and controlled using GPOs? I've heard of WinINSTALL LE and have tried it, but the process of having to "clean" the generating workstation for each package is a long and arduous one. Anyone have any input?

What would be the best way for me to deploy the software like I've mentioned above?

Also does anyone know of a resource where I can purchase or download additional Administrative Templates for GPO?

The ones provided are very useful, but I can't seem to find one that will allow me to turn off sound on all machines as default or turn on quick launch on all machines (and lock it so they can't accidentally delete the icons). Basically I'd like to see what's available out there that will enhance the environment I'm setting up. For instance, I don't want any machine to have a desktop wallpaper, but it seems the templates available will allow me to set a wallpaper of my choice but will not allow me to have no wallpaper enabled at all.

Thanks

RS
 