Airplay across VLANs using Debian and Avahi

This guide is a 5-step process to enable Airplay across VLANs and subnets.

Having recently split the ever more complicated network in work into smaller VLANS we discovered that Airplay across VLANs was a bit of a problem.

To run Airplay across VLANs you will need a PC to run UNIX on (we used Debian) and access to the internet.  It is possible to do this using a Raspberry Pi but I would not recommend it.

STEP ONE: Install UNIX (Debian) Server on your host

Do this from a disc (follow install prompts)

In our configuration we initially untagged one VLAN on the switch the UNIX box is connected to and set the UNIX box to obtain a DHCP address.

This will work for the initial setup and will need to be changed later.

All of the commands in blue in the guide are run from the UNIX command line.

STEP TWO: Check for updates and upgrades then install Avahi and VLAN support

Once the install is complete and the DHCP address is assigned, download and install updates and upgrades for the UNIX box:

apt-get update && apt-get upgrade

Once this is finished run

apt-get install vlan

Re-run the update and upgrade so that any updates for the newly installed vlan package are also applied (this is just a check):

apt-get update && apt-get upgrade

STEP THREE: Add VLANS to the box

When all the updates are applied you will need to start the VLAN service on the UNIX box

modprobe 8021q

The above command starts VLAN support immediately, but it is lost on reboot.  To make sure the VLANs still work after a reboot, add 8021q to the modules loaded at boot:

su -c 'echo "8021q" >> /etc/modules'

Once the VLAN service is running you will need to add a VLAN for each VLAN you have on the network, to do this run (for instance)

vconfig add eth0 1171

The above will add a VLAN as eth0.1171, we have several so you will need to run the above for each VLAN changing the VLAN ID for each.  This assumes you are using eth0 as the raw device name.  Once you have added all of the VLAN IDs run

cat /proc/net/vlan/config

This will display all of the VLAN IDs you have created and you can check they are right, ours looks like this.  Once you are happy that all of the VLANs are created you will need to create a fixed IP address for each VLAN.  This is done by editing the network interfaces file one of two ways:

nano /etc/network/interfaces

Ours looks like this.  The easier way (for us) to do this was to create a copy of the file using a text editor on windows and save the file as interfaces.txt.  Once the file is saved there is a backup/recovery version of the file for DR.

Copy the file to the UNIX box (using SFTP, port 22).  You may need to copy it to a user's home directory first and then move it into place as root on the server; we have a user called admin, so we copied it to /home/admin then moved it using:

cp /home/admin/interfaces.txt /etc/network/interfaces

The above command will overwrite the existing file.  After you have all of the VLANs created and the interfaces file in place you will need to either reboot the server or run

ifdown eth0

ifup eth0

/etc/init.d/networking restart

The network should restart and will show OK on the screen.  After this run the command below to check the network config is correct

ifconfig

The output of ours looks like this.  At worst it may be a good idea to reboot the server at this point, all services should start OK.

STEP FOUR: Test the VLAN configuration

Once you are done you should be able to ping any of the IP addresses created on the UNIX box from a Windows desktop.  This is provided that the VLANs that the IP addresses reside in are tagged on the switch port the UNIX box is connected to (we tagged them all for obvious reasons).

If you get a ping response from all the IP addresses then go to step 5.  Caveat: when we tried this with an Ubuntu build we found that there was only a ping response from a device within the same VLAN; this did not mean the system would not work, but using Debian worked and did not exhibit this behaviour.  Always remember that if you are using Ubuntu you need to precede every command with 'sudo ' (because otherwise pretty much nothing works and files are opened read-only in nano).

STEP FIVE: INSTALL Avahi to enable Airplay across VLANs and subnets

Install avahi-daemon and avahi-utils using the following command

apt-get install avahi-daemon avahi-utils

Once again check that updates and upgrades have been applied to the Avahi packages

apt-get update && apt-get upgrade

Edit the config file for the Avahi daemon

nano /etc/avahi/avahi-daemon.conf

Change the line (in the [reflector] section)

#enable-reflector=no

to

enable-reflector=yes

Save the file and exit nano

At this point reboot the box; once done, you should be able to airplay across VLANs, e.g. from an iPhone or iPad in one (wireless) VLAN to a desktop PC in another (wired or wireless) VLAN.
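The VLAN interfaces file from step three and the reflector setting from this step, as one added shell example that is not part of the original guide: a single VLAN table drives both the /etc/network/interfaces stanzas and an avahi-daemon.conf whose reflector is limited to exactly those VLAN interfaces with allow-interfaces. The VLAN IDs, addresses and the raw device eth0 are constructed assumptions.

```shell
#!/bin/bash
# Added example, not from the original guide. One VLAN table drives both the
# /etc/network/interfaces stanzas (step three) and an avahi-daemon.conf whose
# reflector only spans those VLAN interfaces (step five). The VLAN IDs,
# addresses and the raw device eth0 are constructed placeholders.
set -eu

RAW_DEV="eth0"
# Constructed table: "<vlan id> <address> <netmask>", one VLAN per line.
VLANS='1171 10.71.0.2 255.255.255.0
1172 10.72.0.2 255.255.255.0
1173 10.73.0.2 255.255.255.0'

# Emit interfaces(5) stanzas. The vlan package's ifupdown hook honours
# vlan-raw-device, so ifup creates eth0.<id> itself without a manual vconfig.
gen_interfaces() {
    printf 'auto lo\niface lo inet loopback\n\nauto %s\niface %s inet manual\n' \
        "$RAW_DEV" "$RAW_DEV"
    while read -r id addr mask; do
        [ -n "$id" ] || continue
        printf '\nauto %s.%s\niface %s.%s inet static\n    address %s\n    netmask %s\n    vlan-raw-device %s\n' \
            "$RAW_DEV" "$id" "$RAW_DEV" "$id" "$addr" "$mask" "$RAW_DEV"
    done <<EOF
$VLANS
EOF
}

# Comma-separated VLAN interface names for avahi's allow-interfaces key.
vlan_ifaces() {
    printf '%s\n' "$VLANS" |
        awk -v d="$RAW_DEV" 'NF { printf "%s%s.%s", (n++ ? "," : ""), d, $1 } END { print "" }'
}

# avahi-daemon.conf with the reflector on, but only across the listed VLANs.
# Without allow-interfaces the reflector relays mDNS between every interface the
# daemon can see, which undoes the segmentation the VLANs were created for.
gen_avahi_conf() {
    printf '[server]\nuse-ipv4=yes\nuse-ipv6=no\nallow-interfaces=%s\n\n[reflector]\nenable-reflector=yes\n' \
        "$(vlan_ifaces)"
}

# Check a saved copy of /proc/net/vlan/config (lines look like
# "eth0.1171      | 1171  | eth0") against the table; reports each missing
# VLAN ID and returns 1 if any is absent.
check_vlan_config() {
    missing=0
    while read -r id _ _; do
        [ -n "$id" ] || continue
        grep -q "^$RAW_DEV.$id *| *$id *| *$RAW_DEV" "$1" ||
            { echo "missing VLAN $id"; missing=1; }
    done <<EOF
$VLANS
EOF
    return $missing
}

# Usage: ./vlan-avahi.sh interfaces > /etc/network/interfaces
#        ./vlan-avahi.sh avahi      > /etc/avahi/avahi-daemon.conf
case "${1:-}" in
    interfaces) gen_interfaces ;;
    avahi) gen_avahi_conf ;;
esac
```

After restarting avahi-daemon, avahi-browse -art (from the avahi-utils package installed in this step) lists the services visible on each interface, which shows whether the reflector is relaying only the VLANs you intended.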

Further information about Avahi can be found at http://avahi.org/

Incidentally none of this is necessary if you are running an Aruba WiFi system; you simply enable Airplay and set up your VLANs in the Aruba controller.  Best turn off Avahi if you do this because they don't play well together.


SIMS photo export utility

SIMS photo export, that’s what I need!  Having recently struggled to get all the photos I needed of staff and students to be able to create access control cards for use in the school I was eternally grateful to find a SIMS photo export utility here:
http://blog.salamandersoft.co.uk

and (a direct link); far more important:
http://www.salamandersoft.co.uk/utilities.html

The SIMS photo export utility is a neat little tool which, using a CLI, will export all of your photos from SIMS to (small) files which can easily be used to generate access control / ID cards for staff and students.  You can export single years or just the staff group.  By default the program names the files as either [staffcode].jpg or [admissionnumber].jpg, although the latest version of the program can create the filenames from a CSV file which contains the admission number against the preferred name (potentially this feature is very useful).

A couple of important things the SIMS photo export utility readme.txt tells you:

  1. You must have SIMS.net installed on the machine you are trying to use (obviously)
  2. You must run GenerateConfigFile.bat every time you update SIMS or change C:\Program Files\SIMS\SIMS .net\connect.ini as the photoexport.exe file fails to work if you have not done this.

Usage is;

PhotoExport username password outputFolder [/staff] [/year:x] [/nameAsId] [/format:xxx] [/names:filename] [/thumbnail]

You do not need to use any switches (this will simply export all of your photos into a single folder).

Some important things the SIMS photo export utility readme.txt doesn’t tell you:

  1. The size of the images created is basically a thumbnail; this is because SIMS compresses the original images when they are imported. [edit] It seems that SIMS does not compress the images when they are imported; if you wish to import images to SIMS you will either need to be a SIMS photo partner (registered photographer) or you will be best advised to compress the images before they are added to student records.  If you do not compress the images first you will find that your SIMS database grows very large as the images are stored as blob files.  Whilst this did not cause an issue for SIMS it has caused an issue for Gladstone's Cashless catering system (for us).  To reduce the size of images before import we used a tool called 'Image Resizer for Windows', available from https://imageresizer.codeplex.com/; this is a clone of the Microsoft XP Powertoy for image re-sizing which was lost in later versions of Windows.  It worked very well and created images of the correct size for importing to SIMS. [end edit]
  2. Although the images cannot really be used for much other than ID/access control cards the SIMS photo export utility is still a great tool to have.


SIMS photo export - Nate Allen (ALLFacilities)

Configuring IE Enhanced Security in 2008R2 Server

How annoying is a ‘feature’ from a software provider which blocks access to all features unless you basically disable it?  Microsoft provide Internet Explorer Enhanced Security on their server versions of Windows, unfortunately while this feature is in use it may as well be called; ‘Internet Explorer Completely Unusable’.  It is impossible to browse the internet without accepting endless warnings and if you run Windows Update it will fail (with a spurious security error)!

I could advise that you install a different browser, like Firefox for instance.  Whilst this is a good idea it will not make Windows Update work.

In 2003 server the first thing you would do would be to go to control panel and uninstall this useless feature. In Windows 2008 server the process is not the same.  You will need to open Server Manager (which opens every time you log on until you ask it not to), click on the root folder and scroll down to the security information section and click on configure IE ESC.  Disable it, it is USELESS (a little like Windows Firewall).

Creating addusers CSV file

Addusers CSV file can be created using the following simple instructions (well they can if you’re an IT GEEK)

To run the addusers process it is necessary to have an addusers CSV (Comma Separated Value) text file for the program to read the user information from.  The simplest way to create this file is to use Excel.

To start the process of creating the addusers CSV file you will need a list in xls format from SIMS which contains the following information:

• Name (Forename, Surname)
• Address line 1
• Date of birth

The first thing you will need to do is sort the data by address, this is done to randomise the student usernames; this is the only reason this field is necessary and it can be discarded after the sort (right click the column letter [B] > delete).  Once the data is sorted you will need the following information in the file:

• User name
• Name (Forename Surname)
• Date of birth
• Description (as; ‘Name Intake Year’ e.g. John Smith Intake 11)
• Home drive letter (N:)
• Home drive path (as; \\userfileserver\Username$ e.g. \\studentdata\09001JSmi$)
• Profile path (\\studentdata\Student$\Profiles\All_Students)
• Login script name (login.vbs)

To create the username you will first need to break the ‘Name’ field you have into separate values using data > text to columns.  Before you do this it is advisable to ensure that you have enough free columns after the name column you are splitting (any columns with data in them will be over written).

To achieve this it is best to copy and paste the Name column [A] to column J, that way all of the columns which the data will expand into are blank, plus you will still have the Name column [A] intact for later use, then; select column J > data > text to columns.

After the data has been split it will be necessary to remove any hyphens from names and to manually cut and paste any double barrelled names which had spaces into the relevant column.

At the end of this part of the process you need to end up with 2 columns (Forename and Surname, [column J and column K]) with NO SPACES and NO HYPHENS and no SINGLE QUOTES (') plus you will still have the original Name column [A].

At this point cut and paste the Name column [A] into column I and cut and paste the Date of Birth column [B] into column L

You will now need to create a column [M] of numbers from 001 (put 001 in row 1 and 002 in row 2 > select the two populated cells and drag [flood fill] down) to however many users you are adding (this column [M] will need to be formatted as text; Excel may show this as an error, ignore this 'error').

It is now possible to start to create all of the fields you will need for the addusers CSV file to import the new users.

Within your addusers CSV you should now have columns A – M with data in columns I – M (provided you deleted the column with the address data in it).

In cell A1 you will need to type:

=CONCATENATE("11",M1,LEFT(J1,1),LEFT(K1,3))

This will create a username which consists of the intake year (11), 3 random numbers (generated from the address sort), the first initial of the first name and the first 3 letters of the surname, e.g. 11001JSmi.

In column B cut and paste the contents of column I (the name column)

In column C cut and paste the contents of column L (the date of birth column).

In cell D1 you will need to type:

=CONCATENATE(B1," Intake 11")

where 11 is the current year, don’t miss the space before Intake.

In cell E1 type:

N:

In cell F1 type:

=CONCATENATE("\\studentdata\",A1,"$")

where studentdata is the file server containing the users' home folders; this will resolve to e.g. \\studentdata\11001JSmi$, as will be created in Bulk Adding AD Users.

In cell G1 type:

\\studentdata\Student$\Profiles\All_Students

This path needs to be valid as the path to the student profile; you will also need to right click the cell and remove the hyperlink.

In cell H1 type login.vbs

This is assuming the login script is available in \\[domain]\netlogon as login.vbs

Row 1 will now be complete with data; you will need to drag (flood fill) columns A, D, E, F, G and H down.

At this point there will still be data in columns J,K and M DO NOT DELETE this data yet.

Save the addusers CSV file as a CSV, e.g. intake11.csv, accept any warnings about format and close the file.  Open the newly created addusers CSV file, e.g. intake09.csv, using Excel, delete the contents of columns J, K and M and format column C as date 00/00/00; this is because the initial student passwords need to be formatted in this manner.  Once again save and close the file.

From Windows Explorer right click the addusers CSV file e.g. intake11.csv and select open with > notepad.  The final step to make the file useable with addusers.exe is to insert a new line at the beginning of the document and type; [users] with the square brackets, then save and close the file.

DO NOT USE EXCEL TO REOPEN THE ADDUSERS CSV FILE FROM THIS POINT ON:

if you do so you will need to ensure you reformat column C as date 00/00/00 before closing it.  You will also need to open the file in notepad and remove the 7 commas (,) from the file after the [users] entry.
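The username and row construction described above, as an added shell example that is not part of the original post: it produces the same [users] file the Excel procedure ends with, from a name list that is already in the address-sorted order the guide calls for. The server, share and profile paths reuse the guide's own examples; the three student names are constructed.

```shell
#!/bin/bash
# Added example, not from the original post: builds the addusers CSV the Excel
# procedure above ends with. Server and path values reuse the guide's examples;
# the student names below are constructed and already in address-sorted order.
set -eu

INTAKE="11"
HOME_SERVER='\\studentdata'
PROFILE_PATH='\\studentdata\Student$\Profiles\All_Students'
LOGIN_SCRIPT="login.vbs"

# Constructed input: "Forename|Surname|DOB" per line (DOB in the 00/00/00 form
# the guide formats column C as).
STUDENTS=$(printf '%s\n' "John|Smith|01/02/99" "Anne-Marie|O'Neil|03/04/99" "Sam|Lloyd Jones|05/06/99")

# Strip the characters the guide says must not reach the username: spaces,
# single quotes and hyphens (the trailing - keeps tr from reading a range).
clean_name() { printf '%s' "$1" | tr -d " '-"; }

# Username = intake year + 3-digit sequence + first initial + first 3 letters
# of the surname, e.g. 11001JSmi.
make_username() {   # $1 sequence number, $2 forename, $3 surname
    f=$(clean_name "$2")
    s=$(clean_name "$3")
    printf '%s%03d%s%s' "$INTAKE" "$1" "$(printf '%s' "$f" | cut -c1)" "$(printf '%s' "$s" | cut -c1-3)"
}

# One CSV row in the eight-column order addusers reads: User Name, Full Name,
# Password (the guide uses the DOB as the initial password), Description,
# Home Drive, Home Drive Path, Profile Path, Login Script.
make_row() {        # $1 sequence number, $2 forename, $3 surname, $4 dob
    user=$(make_username "$1" "$2" "$3")
    printf '%s,%s %s,%s,%s %s Intake %s,N:,%s\\%s$,%s,%s\n' \
        "$user" "$2" "$3" "$4" "$2" "$3" "$INTAKE" "$HOME_SERVER" "$user" "$PROFILE_PATH" "$LOGIN_SCRIPT"
}

# Whole file: the [users] section header, then one row per student, with no
# header row, exactly as the final notepad step above leaves it.
make_addusers_csv() {
    n=0
    echo "[users]"
    while IFS='|' read -r fore sur dob; do
        [ -n "$fore" ] || continue
        n=$((n + 1))
        make_row "$n" "$fore" "$sur" "$dob"
    done <<EOF
$STUDENTS
EOF
}

make_addusers_csv   # redirect to intake11.csv for use with addusers.exe
```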

written by Nate Allen

addusers CSV creation instructions (ALLFacilities)

Bulk add AD users in Active Directory


As September draws around again I need to bulk add AD users (210 new users) to the school Active Directory, this is a pretty simple process, but if you have never done a bulk add before it may seem daunting.

Creating new users on a bulk basis is an 8 step process.  Simply put:

1. Create CSV list of users and properties.
2. Create users using addusers.exe.
3. Create an OU for the users and move them into it.
4. Create intake Security Group
5. Add users to Security Groups using AD
6. Create user home directories.
7. Create a share for each user
8. Test login for new users

In more detail the process is as follows:

Step 1 Create CSV list of users and properties

The [CSV Fields names] required for entering data using addusers are (in this order):

User Name
Full Name
Password
User Description
Home Drive (letter:)
Home Drive Path
Profile Path
Login Script name

The easiest way to create this file is to use Excel: take a simple list of the names for import, use built-in Excel functions (i.e. CONCATENATE) to create the necessary fields, then save the file as a CSV; see creating an addusers csv file.  The file should for ease of reference be called [intake year].CSV, e.g. intake11.CSV.

Step 2 Create users using addusers.exe

Addusers.exe is NOT part of Windows Server by default.  It is however part of the resource kit and so freely available.  Check that the file addusers.exe is installed on the machine you are using (look in the Windows system root, e.g. C:\winnt).  If the file is not there it can be found on the Microsoft FTP server (save it to the Windows system root).
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/reskit/nt40/i386/addusers_x86.exe

More info on using addusers.exe can be found on the Microsoft support site:
http://support.microsoft.com/default.aspx?scid=kb;en-us;199878

To run the user CSV import, open command prompt and navigate to the folder where the CSV file is saved then run addusers.

Example usage:

C:\>AddUsers domain_name /c intake11.csv /p:e

This is based on the CSV file being called intake11.CSV and saved in the root of C:.  This will create all the users on the AD for [whatever domain_name you use] in the ‘Users’ OU of the domain.  If you do not include the domain name in the above command you will create lots of new users on your local PC!

Step 3 Create an OU for new users and move them into it

From a workstation or server with Admin Pack installed (see installing admin pack), open AD (Start > Programs > Administrative Tools > Active Directory Users and Computers).  Expand domain view, right click students, click new, Organizational Unit.  Name the OU as year of intake, e.g. 11.  This will create the new OU.

To move the users:

Select ‘users’ OU > bulk select the new users in the right hand pane > right click > click move > navigate to the OU ([11], just created) select this OU > OK.
Note by default there are some objects in the “users” OU that need to stay there so make sure only the new users just created are moved (sort them first).

Step 4 Create intake Security Group

Each user needs to be added to 2 security groups for Group Policy to function correctly; these are 'students' and 'intake[yearnn]'.  You will need to create the security group intake[yearnn].

In AD right click OU 'Groups' > click new > Group.  Select type 'global' and 'security'; name the group as intake[yearnn] e.g. intake11.

Step 5 Add new users to Security Groups using AD

Expand OU students and select the new OU e.g. 11.  In the right hand pane select all users > right click > click add to group > in the search window type students;intake11 click OK.

Step 6 Create User Home Directories

Navigate to the studentusers share on the network, e.g. \\studentdata\student$.  Create a new parent level folder and name it as the intake year, e.g. 11.  Right click the folder and select the security tab > deselect 'inherit permissions from parent' (copy permissions) and remove 'students' from the permissions list.  Add the intake Security Group, e.g. intake11, with 'list folder contents' permission only.  Click advanced > double click the intake Security Group, e.g. intake11 > set the permissions to 'This folder only'.  Apply > OK.  This assumes that the parent folder (\\studentdata\student$) has full control access for domain admins, read / write permissions for staff and read access for students.

Create the individual homefolders

Create a list of usernames (use Excel and the CSV file used to add users) save the list as 2011users.txt ensuring this file only contains the username column (without the header row).

Open a command prompt and navigate to the folder where you saved 2011users.txt and run a for command:

C:\>for /f %u in (2011users.txt) do md \\studentdata\student$\11\%u

This will create a directory for each user in the list (2011users.txt) in the 11 folder on the student$ share of the studentdata server.  Obviously if any of these parameters are not correct the command would need to be amended appropriately.

You will need to set the security on the folders you have created this is also an automated task see Managing user home drives (using security.bat) for instructions on this part of the process.

Step 7 Create a SHARE for each user

This step is required as the users may wish to connect to an AD connected Mac or MacBook and this will enable the Mac to (more easily) mount the home folder on login.

Creating shares can be completed from any network connected workstation using the tool RMTSHARE.exe available from Microsoft FTP (save to system root).
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/reskit/nt40/i386/RMTSHAR.EXE

These instructions are based on a new intake of 11.

Open a command prompt and navigate to the folder where you saved 2011users.txt and run a for command:

for /f %u in (2011users.txt) do rmtshare \\studentdata\%u$=e:\students\11\%u /GRANT %u:full /GRANT domain\staff:full /REMARK:"Share for %u"

This will create a hidden share (ending in $) for each user in the 2011users.txt file on the studentdata server using the server’s e: drive folder you created in step 6.  Obviously if your student data is not stored on the server e: drive or the root folder for students is not ‘students’ you will need to amend the command appropriately.  This command will also REMOVE access to the everyone group in share permissions ACL (a VERY good idea) and GRANT full access to both staff and the user in the share permissions tab (without this neither the user nor any staff member will be able to browse to the contents of the folder).  The /REMARK is simply to add a descriptive name for the share which is visible in computer management window (right click My Computer).

Step 8 Test login for new intake

It will not be possible to fully test the functionality of logins for a bulk add users until the folder security has updated, as the users will not have access to their home folders until security.bat has run; see Managing user home drives (using security.bat) to manually set security on these folders before logging in as any selected (new) student and testing the functionality of the login.

Within my school network I have created a scheduled task to ensure file security is correct for all users, so it is possible to wait until the next day to test the login.  This also tests the scheduled task is running and functioning as expected.

bulk add AD users - Nate Allen

V-Sphere Server Virtualisation

Next week I will be involved in the (commencement of) server virtualisation of a 10-server, 700-client, 1600-user school network.

The hardware has arrived: 3 HP servers with 32GB RAM, 2 x 8-core Xeon processors, 4 + 4 GB NICs and 14.4TB of HP SAN will form the basis of the environment.

Cotham School plans to build a V-Sphere VM environment onto this hardware then transfer the server roles into the virtual world; god I hope the hardware installation team KNOW what they are doing 😕  Once they are finished it's over to us to configure the Windows environment.

To complicate matters somewhat we need to take the opportunity here to update the server OS to Windows Server 2008 R2, update to Exchange Server 2010 (from 2003) plus we plan to roll out Windows 7 sitewide as soon as we have been able to test stability and ensure programs and services will continue to run.

As much as I plan to write about the experiences the IT Support Team at Cotham School have doing this (good and bad), I think the current question on my mind is this; is V-Sphere server virtualisation easy (or what)?

I have a couple of words of advice for myself:

  1. Make sure those system state backups are SOLID.
  2. Don’t throw everything in
  3. Retain the existing DCs as long as possible.

The initial aim will have to be to see the new (VM) environment and enable a simple file share from the SAN which can be accessed from the client(s) and go from there.  Once we are there I will feel much more comfortable.

If you happened across this page and have any advice or benefit of experience you can offer I will be grateful to hear from you.