The amateur sysadmin
By David Walker (Google profile)
This item is here mostly as a note to me on how I do things. But while I was writing it, I realised it might be useful to other amateur sysadmins running small networks of PCs.
What - or who - is an amateur sysadmin? It's anyone who spends an hour or three a month keeping in line a small network of PCs and their users. It might be a home network, or a network of three computers in a small business. "Sysadmin" is the industry term for "systems administrator", the person who oversees a computer system. Amateur sysadmins are often professionals, and frequently highly paid - but to do other work, like management or law or accounting. They don't have computer science degrees or years of full-time sysadmin experience.
Being an amateur sysadmin often looks economically irrational. Brad Bond and Paul Adler at the Melbourne PC services firm Invizage note that amateur sysadmins are some of the most expensive PC administration labour around. In one sense, I would be better off if I stopped futzing around with DHCP settings and paid a crowd like Invizage to administer it all for me. But I - and countless thousands of others like me - do it anyway. A lot of us do it because it's kind of interesting. You learn about technology, and you learn about disciplined thinking. Blokes have another motivation: systems administration is what we do because we don't have a garage with an old Ford in it.
Trouble is, there's not much out there that sets out how to be an amateur sysadmin. The Internet is full of sysadmins talking to each other, but they mostly take the basic ideas for granted.
I learnt a bunch from Dave the Veteran Sysadmin (a.k.a. long-time Melbourne systems administrator David Brown) during my years at the online finance firm eChoice, and more from other tech-savvy friends; I've gleaned other bits from the Internet.
Step 1: Decide your network set-up
I use the classic network set-up:
- Cable modem at the front.
- Firewall right behind the cable modem to stop anyone else getting into the system.
- Router/switch/hub behind the firewall (in practice, often combined with it).
- Behind all that:
- A central file and print server - a low-power, always-on PC where all the data files (Word documents, text files, Photoshop images etc) live. This removes a bunch of issues about file locations, lets you print from any PC, and lets you back everything up.
- Local programs
- Networked data storage, with all the data files kept on the file server
- Backups from the file server to:
- another PC on the network
- a server somewhere a long way away (in my case, at Dreamhost, on the other side of the world in Los Angeles)
- disks that I can store off-site
- Web server and email remotely hosted (also at Dreamhost - I don't want to run my own Web server, I don't have enough internal mail to justify a local mail server, my IP address isn't static, and I don't want the trouble of more holes in my defences).
"Amateur" doesn't have to mean "disorganised". Here, have a diagram of a typical small home network - mine:
Step 2: Put the structure together
People used to cannibalise old PCs for this job, and you still can. But plummeting prices on dedicated hardware router/firewall combinations make them the most attractive tool for the job. (In a PC Magazine reliability survey, users voted heavily for the Linksys brand: http://www.pcmag.com/article2/0,1759,1733165,00.asp.)
The file server
The file server can be an old box as long as it has RAM, a fast hard drive and Windows 2000 or XP Professional. For years I've been using a 1997 Pentium II-266 with 384MB of RAM and a succession of drives, running Windows 2000. The only fancy add-on it needs is a good uninterruptible power supply (UPS) - basically a big battery with enough of an electronic brain to instruct your file server to smoothly shut down if the power goes off.
Windows 2000 and XP Pro both let you easily and cheaply manage three to 10 PCs as a collection called a "workgroup". These operating systems provide built-in Internet Connection Sharing (which is just what it sounds like) and a "DHCP" component which supplies crucial IP addresses to all the PCs in the workgroup.
Now, if you have more than ten PCs in use, you may want to run Windows Small Business Server or even Windows Server 2003 on your file server. These operating systems allow more than XP Professional's maximum of ten concurrent connections to the file server. They also let you establish what's called a "domain" and set up a lot of users' settings remotely. For an amateur sysadmin, they're overkill, and installing Windows Server means learning about Microsoft's Active Directory, which is probably more hard work than you want. And Linux? It's a wonderful thing in the right hands, but for a network with Windows clients it's cruelled by the complications of the Samba system which lets Windows clients use drives on a Linux server. Leave Windows Server and Linux to the professional sysadmins; we're amateurs here. 2000 or XP Pro is enough.
Setting up a workgroup network, Internet Connection Sharing and much else is explained at Practically Networked, http://www.practicallynetworked.com/. Australians may find much more detailed information from the prolific OzCableGuy, Darren Stribning, at http://www.ozcableguy.com/; I used Darren's magnificently clear instructions to set up my first home network.
Note that in a small or home office, you can also use this machine for Word, email and other computing tasks. Just don't put a fancy screensaver on it which will chew up all its processing power when you're wanting files out of it.
Note, by the way, that there's a new generation of dedicated file server boxes coming out like Buffalo's LinkStation and Kuro Box and Linksys's NSLU2, all designed to make much of this task easier and cheaper.
The client PCs
The client machines should be bog-standard Windows 2000 or XP (you don't have time to teach users or yourself Linux, and the Windows 9X operating systems introduce too many complications). The hard drives don't need to be huge, because all the big data files will go on the file server. Windows XP leaves you with minimal set-up work:
- Give each box a name. Mine are all named after cities; more imaginative people name them after Muppet Show characters. Just don't name the box for the person who'll be using it - a PC's users change over time, but PC names on a network should not.
- Have users choose a strong password based on a memorable phrase which includes numbers and punctuation. A colleague of mine used to use something like "The five find-outers were shocked to discover ..." which became T5f-ow!2d (she'd read a lot of Enid Blyton as a kid).
- Don't make users change passwords - it drives everyone crazy, and the users end up with sticky notes taped on their monitor detailing their password for this quarter.
- Install a firewall and anti-virus software.
- Apply the latest XP service pack and updates.
- Map the drives and create a directory structure as described below.
The directory structure
I pinched this simple structure from Dave The Veteran Sysadmin and adapted it. Variations have been going around for decades. It's based on a simple principle: keep users' data in a location that everyone knows, and from where it can be backed up.
Every Windows computer on the network should look basically the same. When you log on, they will all have:
- C: drive which holds the Windows operating system and most of the programs (Word, Outlook, Photoshop, CityDesk etc).
- Other "local" drives that are specific to that machine:
- A: is a 3 1/4 inch floppy disk drive (if it exists - people used to have B: drives, too)
- D: is often a second hard disk
- D: and E: and F: may also be CD or DVD drives.
- J: drive, a private drive accessible only by you and the system administrator. This drive doesn't actually exist on the PC you're using; instead it exists on the file server. But as long as you're connected to the network, it works exactly like any other drive. (On laptops, it's also synchronised for offline use.) It's the place for all the files that you are working on alone. The J: drive has several standard directories:
- Favorites - your Internet Explorer Favorites.
- Settings - configuration files for as many of your programs as possible.
- My Pictures - for private pictures.
- My Music - for private music. Please keep these files to a minimum.
- My Videos - for private videos. Please keep these files to a minimum.
- Templates - for document templates you create for your own use (can be set using TweakUI).
- Downloads - for private downloads (can be set in Firefox).
- Outlook - contains your current Outlook PST file, the file containing all your mail, contacts, appointments etc.
- Archived is for files you don't change anymore. Unlike the other J: drive directories, this folder only gets backed up every six months or so. It contains:
- old Outlook email PST files
- "Dump", a directory for stuff you probably don't want but are not quite willing to get rid of yet. (If you delete files from J: they don't go to the Recycle Bin - they just disappear.)
- Other directories containing files you're no longer actively using and which aren't critical going forward.
- K: drive, the public drive accessible by anyone on the network. This drive doesn't actually exist on the PC either, but again it works exactly like a normal drive as long as you're connected. It's the place for files that everyone needs to share. It contains:
- Programs - software to be installed on network machines (preferable to installing from CD).
- Fonts - also to be installed on network machines.
- Graphics - images that are not purely photos e.g. layered Photoshop files, vector graphics, Flash files.
- "Dump", a directory for stuff we probably don't want but are not quite willing to get rid of yet. (If you delete files from K: they don't go to the Recycle Bin - they just disappear.)
Depending on the user, they may also have:
- L: drive, the team drive with directories specific to particular teams and projects, each with their own permissions.
- S: drive (not available to everyone) - the directory root (not the document root) of the local Web server
- T: drive (not available to everyone) - the directory root (not the document root) of the remote Web server
- U: drive (not available to everyone) - the directory root (not the document root) of the intranet server
Here's the sneaky bit. You set your users' "My Documents" folders up (right-click on "My Documents" for each user and choose "Properties") so that it always points to the J: drive - that is, you see exactly the same things when you click "My Documents" as you do when you click "J: drive". This way, users can use their "My Documents" folder happily - important, since a lot of programs make this the default place for users to put data.
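An added example of a client set-up batch file that does the drive mapping and the "My Documents" trick described above (this is not the author's own script). It assumes a file server called FILESERVER with a hidden per-user share named after each logon name (\\FILESERVER\alice$) and a public share called Public, and it uses reg.exe, which ships with Windows XP; the registry value it writes is the one the My Documents > Properties dialog sets, but unlike the dialog it does not move any existing files.

```batch
@echo off
rem client-setup.cmd -- added example, not the author's script.
rem Maps J: (private) and K: (public) and points "My Documents" at J:.
rem Assumptions: file server FILESERVER, hidden share \\FILESERVER\<logon>$
rem for each user, public share \\FILESERVER\Public. Run once per user,
rem logged on as that user, on Windows XP (reg.exe is built in there).
set SERVER=FILESERVER

rem /persistent:yes makes Windows restore the mappings at every logon.
net use J: \\%SERVER%\%USERNAME%$ /persistent:yes
net use K: \\%SERVER%\Public /persistent:yes

rem "Personal" under User Shell Folders is the value behind the
rem My Documents > Properties > Target box; /f overwrites without asking.
rem No quotes around J:\ because a trailing \" would be read as an
rem escaped quote by reg.exe.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Personal /t REG_EXPAND_SZ /d J:\ /f

rem Explorer reads the value at logon, so the change shows from the next
rem logon; files already in the old My Documents folder are not moved.
echo J: and K: mapped; My Documents will open J: from the next logon.
```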
Step 3: Install core programs
These are the basic programs that I put on every new PC. Again, this is mainly a note to myself and my friends; the programs are listed in order of importance. (You do need a firewall, anti-virus protection and XP Service Pack 2; you probably need a spam filter; you may need office software; you probably don't need Windows XP themes.)
- ZoneAlarm protects Internet-connected computers from intrusion and takeover. This type of software is called a "software firewall". Make it another line of defence on all your PCs, even if you have a dedicated hardware firewall. Install it on any Internet-connected Windows box before anything else, because you don't want a Windows box exposed longer than it has to be. (Windows XP contains a firewall, but it doesn't yet do the same thorough job that ZoneAlarm does; disable it just before you install ZoneAlarm.) Free for non-commercial use.
- Review from ZDNet: http://reviews-zdnet.com.com/ZoneAlarm_with_Antivirus/4505-3667_16-30898743.html
- Link: http://www.zonelabs.com/store/content/catalog/products/zonealarm/znalm_details.jsp
- Alternatives: ZoneAlarm provider ZoneLabs also offers a range of keenly-priced security products ranging up to the $US69.95 ZoneAlarm Security Suite, which includes not just the firewall but also an anti-virus solution, privacy features, instant messaging security, program controls, identity theft and fraud prevention protection, ad blocking, and Web site filtering. If you buy this you can forgo the anti-virus and anti-spam software described below.
- More on firewalls from the independent Home PC Firewall Guide: http://www.firewallguide.com
- eTrust EZ Antivirus from software giant Computer Associates blocks most viruses at low cost and without slowing down your boxes. The interface is bare-bones but you can automate it with simple Windows tools. I like it; you may prefer something else. Cost, at time of writing: $US29.95 ($A40).
- Review from ZDNet: http://reviews-zdnet.com.com/eTrust_EZ_Antivirus_2005__6_2_/4505-3681_16-30990989.html
- Link: http://www.my-etrust.com (but note also that at time of writing eTrust was offering a $US14.95 special at www.my-etrust.com/microsoft/)
- Commercial alternatives: Just put something on all your PCs. You can buy the ZoneAlarm Security Suite described above. Norton and Trend Micro both have fine reputations.
- Free alternatives: Home users can take the free route with AVG Anti-Virus, which is a perfectly respectable solution; their commercial SOHO and small network editions are keenly-priced, too.
- Link: http://www.grisoft.com/
- More on anti-virus software from the independent Home PC Firewall Guide: http://www.firewallguide.com/anti-virus.htm
- XP Service Pack 2 from Microsoft contains critical security updates. Free.
- Ad-Aware detects spyware on your computer. Free for personal use, cheap for businesses.
- SyncBack can be used to back up your files and directories from their original location to other directories or drives in the same computer or another computer in your network, and to a location on the Internet, if you don't like using batch files. Free.
- Link: http://www.2brightsparks.com/syncback/syncback-hub.html
- Cobian Backup does the same job. Free.
- New HOSTS file from mvps.org lets you avoid downloading dangerous content and bandwidth-hogging ads. Free.
- ClearType Tuner refines the control of the Microsoft ClearType technology that provides superior displays on LCD screens; it's not very useful on the old-style bulky cathode ray tube (CRT) displays. It's another semi-official Microsoft Windows "PowerToy". Free.
- Productivity software:
- Office suite (word processor, databases, presentations, Visio-style drawing) - OpenOffice is perhaps the world's most successful open-source Windows application. Now almost as good as the Microsoft office suite, it outperforms its giant rival in a couple of areas - for instance, automatic PDF creation and turning graphics into Flash files. Free.
- Image manipulation - The GIMP is an impressive free open-source, cross-platform program for such tasks as photo retouching, image composition and image authoring - all the stuff that Adobe Photoshop does, but ... Free.
- Web browser - Firefox provides more security and more functionality than Microsoft's Internet Explorer browser, while working almost exactly the same way. Its fast-growing set of extensions do everything from duplicating Internet Explorer's useful GoogleBar to displaying the weather forecast. Internet Explorer was a good browser in a less vulnerable, non-broadband age, but Firefox has left it behind. Free.
- VNC, which allows you to control PCs remotely when necessary. VNC stands for Virtual Network Computing; the software came out of AT&T and is used by sysadmins all over the world. (Windows has a remote access system which sounds good and gets mentioned a lot - yet I've never seen anyone use it.) Free.
- Link: http://www.realvnc.com/
- Authoring utilities:
- PureText de-formats text to plain ASCII. Free.
- CLCL records anything you send to the clipboard, and lets you move those snippets to a permanent archive. Free.
- MWSnap gives you screen captures, color sampling and a screen ruler in one program. Free.
- SpaceMonger shows you where your disk space is going. Free.
- Everest Home Edition (the successor to the old AIDA32) tells you your PC's hardware and software profile - very useful when something goes wrong. Free for non-commercial use.
- TweakXP (for Windows XP) and TweakUI (for Windows 2000 and earlier) are semi-official Microsoft Windows "PowerToys" that let you change various Windows settings. Free.
- Link for TweakUI for Windows XP: http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx
- Link for TweakUI 1.33: http://www.microsoft.com/ntworkstation/downloads/powertoys/networking/nttweakui.asp
- UXTheme Patch For Windows XP SP2 Final - lets you use themes without paying for StyleXP. Free.
- Royale Theme is a leaked Microsoft XP theme.
Step 4: Test your system
Run an audit to see whether your PCs are secure. The most detailed set of audits comes from SecuritySpace at https://secure1.securityspace.com/smysecure/index.html; their swag of pricing schemes includes a number of free options.
Step 5: Make backups
Most serious creators of computer files eventually get serious about backing up data. Usually, this occurs just after they lose a whole bunch of data - through hard drive failure, catastrophic fire or mistimed click of the "delete" key. I once talked with a small business owner who explained quite matter-of-factly that she had "almost lost her business" when a hard drive failed.
The ideal backup solution
The ideal backup solution:
- works even if the building burns to the ground
- is completely reliable
- lets us recreate everything (customised programs, files we created yesterday morning, etc)
- lets it all happen immediately
- costs nothing
- involves no work
Now, in the world of systems administration, backup solutions are an art. You spend money and time creating them and testing them. In the world of small offices and home offices with busy amateur administrators, the sysadmin approach doesn't always work. There's a higher premium on reliability: you want to be able to see that something is working, because you don't have time to test it. And there's a higher premium on time: the system should be able to work without you doing anything much. There's also a lower premium on completely recreating systems: most of your software is off-the-shelf, and you'll just repurchase and reinstall it after a burn-to-the-ground catastrophe. All you need is the software codes and original proof of purchase.
The right compromise
Instead of achieving perfection, this backup system achieves a satisfactory performance at low cost in time and money, and it's transparently obvious that it's working. It relies on three key points:
- Disk space is cheaper than ever before, so our system will rely largely on backing up from one hard disk to another.
- Disk space on the Web is cheap too, so we'll back up as much as possible to the Web.
- Fancy incremental backups frequently foil even expert sysadmins. This happens with astonishing frequency, as far as I can tell from listening to people like Dave the Veteran Sysadmin (who, I should add, himself never lost data in all the years I worked with him). And restoring even a good incremental backup can take serious time. So we'll concentrate on using plain or zipped copies that we can open up for visual inspection or otherwise verify. Disk space is cheap, and inspecting file systems is fast and reliable.
Back up files according to a few simple principles:
- Tell your users what will happen. Make it really, really clear.
- Only files stored on the file server get backed up - that is, the stuff on the J: (private) and K: (shared) drives. Make sure users know this.
- The backup problem is that we can't have everything. What we need is a compromise that gets us reasonably close to the ideal backup solution at low cost.
Three types of backups
We run three types of regular, scheduled backups.
Two of these are controlled by batch files and scheduled using Windows' Task Scheduler: at a scheduled time (in the early morning) we copy certain files from one drive to another, or from our network to the remote server via FTP. Mostly we rely on built-in Windows tools, including the command-line FTP client that almost no-one uses anymore. The third backup relies on someone - that would be you - actually sticking DVDs into a PC and copying files from the file server onto a disk.
Here are the backups:
- To a removable hard drive or a bunch of DVDs, every six months - a "complete backup". This includes all our data.
- This backup is thorough, but probably not recent.
- This isn't automated, so it's the one most likely to fail.
- What's this for? So that when the computers are stolen or the house burns down, we have a reasonably complete copy of all our data from the not-too-distant past.
- What's in it? All our data, from crucial essays and databases to emails to software installation files to MP3 files of our CD collection.
- Assorted thoughts:
- A proper sysadmin would not call this a complete backup, since when the drive fails we won't be able to recreate it exactly as it was. But remember, we only really care about data, not about restoring all our applications instantly.
- In an ideal world, you use a removable hard drive - maybe an old 8Gb drive placed in a $A70 sleeve.
- In a less perfect world, you make two identical sets of back-up DVDs and give one to a mate to keep off-site.
- In the real world, you only create one set of back-ups, you don't always do this every six months, you store the disks next to your server, and the disk corrupts anyway.
- Seriously, in the current state of the technology, DVD burning produces more errors than seem safe for a decent back-up solution. Get the removable hard disk and give it to the neighbour when you've done the backup.
- To a hard drive location on another drive, every night - a "nightly backup". This includes important data.
- This backup is recent, but not thorough.
- It's easily automated via a batch file or the simple backup software mentioned above.
- What's this for? Mostly, it's to prevent us losing critical data if the file server hard disk decides to fail, as they eventually tend to do.
- What's in it? In a home set-up, this will include most of the material in users' individual J: drive directories, plus some material in the shared drive e.g. documents in the K:\Household directory.
- Material in "Archived" is an exception: it only gets the six-monthly complete backup. If users move a whole bunch of material into "Archived", they should ask the sysadmin to back it up ASAP. Make really sure users know that material in "Archived" only gets the six-monthly backup. And ask them to help you by putting appropriate material into their Archived directory. Discourage people from leaving large photo files, MP3 collections and video in the main area of their J: drive.
- Assorted thoughts:
- You'll be safer from theft if the second drive is on a different PC - but that relies on the second box also being on. On the other hand, even if you only leave the second PC on one night in three, you'll have a pretty recent back-up.
- To a remote directory at the Dreamhost account, every month - a "critical Web backup". This may include only special defined material that is critical - the draft of that book, details of insurance policies and tax records, and the like.
- This backup is neither recent nor thorough - but it is a long way away.
- It's also easily automated via a batch file or the simple backup software mentioned above.
- What's this for? Mostly, it's to prevent us losing really critical data we might want if the building (home or office) burnt down and we couldn't even get a recent copy of the DVD with the complete backup on it.
- What's in it? In a home set-up, this will be mostly material in users' individual J: drive directories, plus some material in the shared drive e.g. in a home network, documents in the K:\Household directory. We'll use an exclusion list for each user to keep the file size from getting too huge.
- Assorted thoughts:
- This option looks more attractive than ever before. Hosting firms like Dreamhost will give you 2GB of server space for less than $US10 a month. On a big Web back-up, the biggest cost of the system may be the extra charges from your ISP.
This may seem complicated, but it's the best system I've found. When you combine this with the monthly critical Web back-up, you end up with most of your data safe. With this system, come the disaster, the data you're least likely to have is also the data you're least likely to need.
Too hard? You still need a good backup, so think about shelling out $15 or so a week: Offsite Backup at http://www.offsite-backup.com.au/ will come in and automate the whole process for you.
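The nightly and monthly batch files described above, as an added example (these are not the author's own scripts). It assumes the file server keeps the J: shares under D:\Users\<name> and the K: share under D:\Public, that the second drive is E:, and that exclude.txt, critical.txt and the FTP host and account (placeholders in capitals) are yours to fill in; the remote copy uses plain FTP, which carries the password in clear text, so the generated script that holds it is deleted after each run.

```batch
@echo off
rem backup.cmd nightly or monthly -- added example, not the author's script.
rem Assumed layout on the file server: J: shares under D:\Users\<name>,
rem the K: share under D:\Public, second drive E:. Placeholders in CAPITALS.
setlocal
set SRC_USERS=D:\Users
set SRC_PUBLIC=D:\Public
set DEST=E:\Backup
set LOG=%DEST%\backup.log
rem xcopy's /EXCLUDE file path must not contain spaces
set EXCLUDE=%DEST%\exclude.txt
if not exist "%DEST%" mkdir "%DEST%"
echo ==== %DATE% %TIME% %1 backup started>> "%LOG%"

if /i "%1"=="nightly" goto nightly
if /i "%1"=="monthly" goto monthly
echo Usage: backup.cmd nightly or monthly
goto end

:nightly
rem Any file whose full path contains one of these substrings is skipped,
rem which keeps the six-monthly-only "Archived" folders and "Dump" out.
echo \Archived\> "%EXCLUDE%"
echo \Dump\>> "%EXCLUDE%"
rem /D: only files newer than the copy already in DEST; /E: subfolders,
rem empty ones too; /C: carry on after errors; /H: hidden files as well;
rem /Y: no prompts; /I: treat the target as a folder. Nothing is deleted
rem from DEST, so a file wiped from J: by mistake is still here next morning.
xcopy "%SRC_USERS%" "%DEST%\Users" /D /E /C /H /Y /I /EXCLUDE:%EXCLUDE% >> "%LOG%" 2>&1
xcopy "%SRC_PUBLIC%\Household" "%DEST%\Public\Household" /D /E /C /H /Y /I /EXCLUDE:%EXCLUDE% >> "%LOG%" 2>&1
goto end

:monthly
rem critical.txt (assumed) lists one folder per line, no spaces and no
rem trailing backslash, e.g. D:\Users\alice\Book or D:\Public\Household\Tax.
rem The built-in ftp client reads its commands from a script: -n stops the
rem automatic login so the "user" line supplies the account, and -i turns
rem off the per-file prompt that mput would otherwise raise.
set FTPSCRIPT=%DEST%\upload.ftp
(
  echo open FTP_HOST_PLACEHOLDER
  echo user FTP_USER_PLACEHOLDER FTP_PASSWORD_PLACEHOLDER
  echo binary
  echo mkdir backups
  echo cd backups
) > "%FTPSCRIPT%"
for /f "usebackq delims=" %%F in ("%DEST%\critical.txt") do (
  echo mkdir %%~nxF>> "%FTPSCRIPT%"
  echo cd %%~nxF>> "%FTPSCRIPT%"
  echo lcd %%F>> "%FTPSCRIPT%"
  echo mput *>> "%FTPSCRIPT%"
  echo cd ..>> "%FTPSCRIPT%"
)
echo quit>> "%FTPSCRIPT%"
rem mput * sends the files in each listed folder, not its subfolders; list
rem those separately if they matter.
ftp -n -i -s:%FTPSCRIPT% >> "%LOG%" 2>&1
rem The script holds the password in clear text; remove it once it has run
rem and keep the backup folder readable by the administrator only.
del "%FTPSCRIPT%"

:end
echo ==== %DATE% %TIME% %1 backup finished>> "%LOG%"
endlocal
```

Schedule it from Task Scheduler as backup.cmd nightly and backup.cmd monthly; the log file shows at a glance whether last night's copy ran, which is the visible check the text asks for.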
Step 6: Considering email ...
The open source Mozilla Thunderbird is the email and RSS feed equivalent of the Mozilla Firefox browser. It's caught up to Microsoft's Outlook in most respects, with features including the powerful Bayesian filtering anti-spam technique. If users aren't wedded to Outlook, it's the amateur sysadmin's best choice.
Microsoft Outlook is used by more business people than any other email client. Your users may be used to it. My own view is that it's a nice personal information manager, and Outlook 2003 has enough security to make it at least a candidate. But it remains the most vulnerable major email client, partly because it uses the Internet Explorer engine to display HTML email. Even if your users like it, you should seriously consider alternatives, notably the open-source Mozilla Thunderbird.
Now a pet gripe: running Outlook across a network doesn't work like you'd think. Outlook's PST data files - the files that Outlook reads to display messages and contacts and everything else - are built on Microsoft's standard database engine. That database engine supports multiple concurrent connections. So you should be able to put a PST file anywhere on the network and connect to it from as many computers as you like, right? Wrong. Outlook will complain if you try to have two PCs access the same PST file at the same time. Microsoft goes further in a slightly hilarious Knowledge Base article at http://support.microsoft.com/?kbid=297019, explaining at length how its staff never intended that PST files be used on a network (and intent is what matters, right?). Indeed, Microsoft lists the horrors that will befall you if you go against the intent of Microsoft's programmers by putting a PST file on the network and accessing it there:
- lack of Microsoft support
- "a great deal of overhead"
- "a corrupted .pst file if the connection degrades or fails"
- and quite possibly plagues of frogs as well.
Microsoft's suggestion? Buy a copy of Exchange Server, their large and complicated solution for administering email. On the other hand, I've been running PST files over a network for years without problems. Users just need to remember not to open two copies of Outlook on different PCs at the same time. If this solution doesn't suit, it may be time to investigate Microsoft Small Business Server, which gives you Exchange Server.
Outlook has one other bizarre characteristic: although it has those PST-file databases easily to hand, it stores configuration information all over the file system. You could try to back this stuff up, but frankly it's more trouble than it's worth. Just make sure the PST file is on the user's J: drive (a separate folder is a good idea) and leave it at that.
If you're using Microsoft Outlook, add these two tools:
- Lookout speeds up searching in Outlook. Free.
- SpamBayes Outlook plug-in by Mark Hammond stops spam remarkably effectively by implementing Paul Graham's Bayesian filtering technique that learns what you consider spam over time. Free.
File locations for email programs
For each program: platform, default folder location, and how its mail files are laid out.
Microsoft Outlook (Windows)
- Default folder location: c:\windows\local settings\application data\microsoft\outlook, or c:\windows\documents and settings\\application data\microsoft\outlook
- Outlook stores all of its data and settings in a single "pst" file.
Outlook Express 5.x/6.x (Windows; also Mac OS 8/9)
- Default folder location (Windows): c:\Documents and Settings\\Local Settings\Application Data\Identities\\Microsoft\Outlook Express
- Outlook Express 5/6 creates a "dbx" file for each email folder you create. You need to back up the entire "Outlook Express" folder.
Eudora (Windows)
- Eudora for Windows creates an "mbx" file for each mail folder you create, and stores all of these files in the same folder with the Eudora program and its key settings.
Eudora (Mac OS 8/9)
- Default folder location: System Folder:Eudora Folder
- Eudora for Mac creates a file for each mail folder you create, and stores them in the Eudora Folder, separate from the Eudora program.
Entourage (Mac OS 9)
- Default folder location: Documents/Microsoft User Data/Office 2001 Identities
- Entourage creates a folder for each person at the location noted above, and a file there for each mail folder you create.
Entourage (Mac OS X)
- Default folder location: Users/[username]/Documents/Microsoft User Data/Office X Identities
AlienCamel et al
I can never remember why he called it AlienCamel - no, wait, it's an anagram of "clean email" - but my friend Syd Low runs a total clean-email service that costs a little ($US15.99 per email address for six months at time of writing) but delivers a lot:
- Heavy-duty spam filtering using multiple techniques, including a Bayesian filter.
- Virus filtering
- Anti-phishing measures
- Unlimited storage
Syd is an ultra-smart guy (former Apple software development entrepreneur turned McKinsey management consultant turned successful dot-com entrepreneur) who lives and breathes this stuff. Not much gets through his systems. For amateur sysadmins needing to protect a couple of small office or home user accounts, this is the ultra-safe option: http://aliencamel.com/
As an alternative for amateur sysadmins who need more email accounts, the ultra-reliable Valueweb Web hosting service offers 20 email addresses with high-quality BrightMail anti-spam filtering for $US19.95 a month at time of writing in January 2005. (I'd still be with them if they'd offered MySQL databases in their basic package back in 2003; as it is, Dreamhost was a little more attractive, and now I'm settled.) Buying this package will also give you somewhere to send large backup files - plus, of course, a Web site if you want one. Link: http://www.valueweb.com
Step 7: Educate users
A few simple rules:
- Only store data on a network drive i.e. J: or K:
- "My Documents" = J:, so storing stuff in "My Documents" is good.
- No opening email attachments unless you specifically know that someone was planning to send them to you. Even attachments from people you know could carry a virus - possibly one which read your name in your friend's address book.