TweetFollow Us on Twitter

Desktop Systems Engineer and Analyst

Volume Number: 22 (2006)
Issue Number: 3
Column Tag: Interview

In The Trenches

Desktop Systems Engineer and Analyst

by Schoun P. Regan

Interviewing Kevin Denges: Kevin is in charge of the image creation and deployment for Conde Nast. I spoke with him in New York City, at his office.

Schoun: Kevin, tell me about the setup.

Kevin: We have a Windows Active Directory infrastructure for authentication. The Macs are bound to the Active Directory server and the Xserves are used as image servers, primary and secondary K4 servers. K4 is our Adobe InDesign workflow. Each server is setup using 2 Xserve's, one primary and a second mirror for failover. We started all this with Mac OS X 10.3.3, so we've been at it for some time.

Schoun: And for file servers?

Kevin: We are using Extreme z-ip version 4. We started to deploy them in Sept/Oct of this year to our Windows servers, and by doing so, now have single sign on using Kerberos.

Schoun: What about the Macs? How are they deployed? NetBoot?

Kevin: No. The Xserves are just image servers for the most part. We use FireWire drives to deploy our images, but we also store those images on a server. So if a tech ever needs to get a newer image, they boot off of a FireWire drive and install the latest image from our servers.

Schoun: Sounds like NetBoot may solve the booting from FireWire issue.

Kevin: We are looking into that, but for right now, FireWire drives are the most efficient for us.

Schoun: So one image to rule them all?

Kevin: Nope. We have an image that has all the software they need, and one main image. There are older images with 10.3 on them also. It depends on where the computer is placed and with whom as to what image they receive on their Mac.

Schoun: So the image build, it's stock Mac OS X?

Kevin: For the most part yes. We have leveraged the power of launchd to handle some initial binding and computer setup for us, but other than that, it's stock with Adobe's CS2 suite.

Schoun: Take us through the launchd file.

Kevin: Well basically it's very simple, it starts when the machine boots and runs a shell script that we have. Here's what it looks like:


Figure 1.

Kevin: We also have another launchd item that handles the fixing of ByHost files.

Schoun: First tell me about the AD binding launchd item:

Kevin: As you can see, it runs at boot time, waits 2 seconds, then renices to get processor authority, to run ahead of other items. It then calls the shell script ADhook.sh located in a directory I chose. Pretty simple actually.

Schoun: Is the ByHost launchd item the same?

Kevin: For the most part yes, except it calls another script of course.

Schoun: So lets look at the AD script then. We know that the Active Directory plug-in has a command line counterpart, dsconfigad. I assume you use this?

Kevin: It's now a small part of the script, but yes, it is the integral part. The script is divided into four major parts; network connectivity, AD binding, ByHost fixes, and file deletion.

Schoun: Can we walk through some of the major portions of the script?

Kevin: Sure, but keep in mind that some of this came from Mike Bombich's site, so credit goes to him for some of this.

Schoun: I'll let him know.

Kevin: So as we can see, the first part of the script creates a log file for us to write to, then we check for network connectivity.


Figure 2.

Schoun: I see Vicki in here.

Kevin: Yes. The problem we sometimes encountered was that a tech would download an image, and reboot the Mac only to find the Mac was not on the network. Or, in certain cases, the Macs would unbind and we would have to rebind them. Either way, the script now checks for not just network connectivity, but if the Mac is connected to our network. It announces its findings using the voice Vicki on the Mac. This way our techs know whether the machine is binding or not.

Schoun: Part of this script looks familiar.


Figure 3.

Kevin: [laughs] I borrowed-and gave credit to-Mike Bombich as this is based on the script called, "Who stole my Mac script". It was important to us, to make sure our techs knew what the status was, when they imaged a machine. This helps us track binding issues.

Schoun: Let's talk about the AD binding.

Kevin: Sure. Before I run the actual bind, I set all the parameters. This part of the script sets the parameters.


Figure 4.

Schoun: I see the uuidgen command in there! I should explain to our readers that uuidgen is a command that creates a unique ID, unique enough that the man page states, "The uuidgen command generates a Universally Unique Identifier (UUID), a 128-bit value guaranteed to be unique. A UUID is made unique over both space and time by combining a value unique to the computer on which it was generated--usually the Ethernet hardware address--and a value representing the number of 100-nanosecond intervals, since October 15, 1582 at 00:00:00." You gotta love Apple code writers sometimes. "Unique over space AND time" Ha.

Kevin: Well, the issue is that if a Mac binds to an AD domain, the AD domain cannot use that computer name to bind more than twice. So, if a computer's name is already in the AD domain, and our techs re-image it, the bind fails. Using a portion of the uuidgen output insures us a unique ID with which to bind the Mac.

Schoun: I also see that you did not put the password into this script for the actual bind. That you are calling the output of an AppleScript file. Why?

Kevin: Security. This way the script calls the AppleScript file and it returns the password. Just a little more secure this way.

Schoun: So with all the variables set, now the bind?

Kevin: Yes. Again we used the dsconfigad command line tool for that. We of course write to the log file, check for an older edu.mit.Kerberos file and get rid of it, if one exists, and set the search policies.


Figure 5.

Schoun: I see a sleep command in there.

Kevin: It seemed to go smoother when we did this.

Schoun: Then the ByHost issues? Why the problem?

Kevin: As you know, ByHost files are MAC address specific, so we have them set the way we want, then we put all Xs in the place of the address. We then copy these and replace the Xs with the local Mac's MAC address. We do this for the template for any user's that log in via AD, our local administrator account, and a hidden account we have.


Figure 6.

Schoun: And the last part of the script?

Kevin: Checking the bind, having Vicki notify the tech, and then deleting the launchd item, the AppleScript file with the password, and then deleting itself, killing the loginwindow process and having it come back. This way, the AD user can log in and get a newly created home folder, with all the customized tweaks we've added in the user template, such tweaks to the .GlobalPreferences file, the Dock, the menu bar, the screen saver, the background, and so on.


Figure 7.

Schoun: This is in incredibly powerful script. Again I see some of Mike's work in here, but you have done a nice job of pulling it all together.

Kevin: Thanks. Our next step is to take this and make a launchd item that watches the bind and if it fails, it deletes the /Library/Preferences/edu.mit.Kerberos file, the DirectoryServices directory inside of the same location, and pulls them from a hidden location on the local disk and rebinds the machine automatically.

Schoun: I would also suggest, you use the mail command to email an administrator account, when this occurs. In this way, your techs can be a bit more proactive than reactive. They will know when a machine unbinds.

Kevin: Yea. We want to do more with launchd and scripts.

Schoun: Kevin, this is all we have time for, but I know you have more to say about your setup. I think this script is an excellent place to start. It gives the reader a clear- cut way of implementing this type of bind. I'd like to talk to you more about how this interacts with the local NetInfo database and what other tweaks you've done to the system.

Kevin: Be happy to. We are very confident in our process, and have moved to cut down time to under 5 minutes, if possible.

Schoun: I think our readers will be excited to learn about what else you have done.

Ed Note: Kevin has much more to say about his infrastructure but this time I wanted to focus on the script itself.

Vital Stats

Years in IT industry : 6

Information: Kevin is in charge of the image creation and deployment for Conde Nast.

Computers: About 2700 Macs, 42 Xserves, 4 Xserve RAIDs, Windows Active Directory Servers, wireless networks.

Programming Languages:Shell Scripting, AppleScript


Schoun P. Regan is CEO of ITInstruction.com, which specializes in Mac OS X training and consulting. He speaks regularly to CEOs and CFOs on how to control IT department spending, the myths surrounding cross-platform integration, and the lunacy of expected lost revenue stemming from a culture bred to tolerate IT staff and operating system inadequacies as "normal". He seeks to change self-fulfilling IT departments that breed complacency for their jobs and contempt for the end user, neither of which are conducive to business.

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

Things 2.5.4 - Elegant personal task man...
Things is a task management solution that helps to organize your tasks in an elegant and intuitive way. Things combines powerful features with simplicity through the use of tags and its intelligent... Read more
NeoOffice 2014.10 - Mac-tailored, OpenOf...
NeoOffice is a complete office suite for OS X. With NeoOffice, users can view, edit, and save OpenOffice documents, PDF files, and most Microsoft Word, Excel, and PowerPoint documents. NeoOffice 3.x... Read more
iPhoto Library Manager 4.2 - Manage mult...
iPhoto Library Manager allows you to organize your photos among multiple iPhoto libraries, rather than having to store all of your photos in one giant library. You can browse the photos in all your... Read more
Web Snapper 3.3.8 - Capture entire Web p...
Web Snapper lets you capture Web pages exactly as they appear in your browser. You can send them to a file as images or vector-based, multi-page PDFs. It captures the whole Web page - eliminating the... Read more
TeamViewer 10.0.41404 - Establish remote...
TeamViewer gives you remote control of any computer or Mac over the Internet within seconds, or can be used for online meetings. Find out why more than 200 million users trust TeamViewer! Free for... Read more
Ableton Live 9.1.8 - Record music using...
Ableton Live lets you create and record music on your Mac. Use digital instruments, pre-recorded sounds, and sampled loops to arrange, produce, and perform your music like never before. Ableton Live... Read more
VOX 2.5 - Music player that supports man...
VOX is a beautiful music player that supports many filetypes. The beauty is in its simplicity, yet behind the minimal exterior lies a powerful music player with a ton of features & support for... Read more
OmniFocus 2.1.2 - GTD task manager with...
OmniFocus helps you manage your tasks the way that you want, freeing you to focus your attention on the things that matter to you most. Capturing tasks and ideas is always a keyboard shortcut away in... Read more
Adobe Flash Player 17.0.0.169 - Plug-in...
Adobe Flash Player is a cross-platform, browser-based application runtime that provides uncompromised viewing of expressive applications, content, and videos across browsers and operating systems.... Read more
iMazing 1.1.3 - Complete iOS device mana...
iMazing (was DiskAid) is the ultimate iOS device manager with capabilities far beyond what iTunes offers. With iMazing and your iOS device (iPhone, iPad, or iPod), you can: Copy music to and from... Read more

Chainsaw Warrior: Lords of the Night has...
It's time to put the Darkness back in its place now that Chainsaw Warrior: Lords of the Night has officially made it to iOS. | Read more »
A World of Ice and Fire Lets You Stalk 2...
George R. R. Martin’s A World of Ice and Fire, by Random House, is a mobile guide to the epic series. The new update gives you the Journeys map feture that will let you track the movements of 25 different characters. But don't worry, you can protect... | Read more »
Gameloft Announces Battle Odyssey, a New...
Battle Odyssey, Gameloft's newest puzzle RPG, is coming to the App Store next week. Set in the world of Pondera, you will need to control the power of the elements to defend the world from evil. You'll be able to entlist over 500 allies to aid you... | Read more »
Fusion - HDR Camera (Photography)
Fusion - HDR Camera 1.0.0 Device: iOS Universal Category: Photography Price: $1.99, Version: 1.0.0 (iTunes) Description: Fusion creates HDR (high dynamic range) photos by capturing different exposures and then combining them into one... | Read more »
Sago Mini Toolbox (Education)
Sago Mini Toolbox 1.1 Device: iOS Universal Category: Education Price: $2.99, Version: 1.1 (iTunes) Description: Come build with the Sago Mini friends! Use a wrench, try a saw, or hammer some nails. From sewing hand puppets to... | Read more »
You Should Probably Grab Hitman GO While...
Hitman GO is a surprisingly cool (yet also incredibly drastic) departure from the Hitman series. It's well worth playing for any puzzle game fans out there, and at the moment you can get your hands - or garrotte if you will - on it for a mere $0.99... | Read more »
IFTTT is Bringing Do Button and Do Note...
IFTTT has announced Do Button and Do Note for the Apple Watch. Do Button lets you make your own personalized button that can connect to things like your Google Drive, control the temperature in your home with Nest Thermostat, or turn the lights on... | Read more »
How Many Days, Hours, and Minutes Are Le...
Countdown, by Yves Tscherry, is now available on the App Store. The app keeps track of countdowns to your favorite things such as someones birthday or days till the New Year. You can display the time in seconds, minutes, hours, days, weeks, months,... | Read more »
The All-New Misfit 2.0 App is Available...
Misfit has just given their app a complete overhaul. Misfit 2.0 now has a brand new interface with a sleek design and is easier to navigate. You'll be able to sync your Misfit device and look up health and fitness information faster than ever before... | Read more »
Halo: Spartan Strike (Games)
Halo: Spartan Strike 1.0 Device: iOS Universal Category: Games Price: $5.99, Version: 1.0 (iTunes) Description: Delve into 30 challenging missions through cities and jungles using a devastating arsenal of weapons, abilities and... | Read more »

Price Scanner via MacPrices.net

Clearance 13-inch 2.6GHz Retina MacBook Pro a...
B&H Photo has clearance 2014 13″ 2.6GHz/128GB Retina MacBook Pros now available for $1099, or $200 off original MSRP. Shipping is free, and B&H charges NY sales tax only. Read more
Apple refurbished 2014 13-inch Retina MacBook...
The Apple Store has Apple Certified Refurbished 2014 13″ Retina MacBook Pros available for up to $400 off original MSRP, starting at $979. An Apple one-year warranty is included with each model, and... Read more
iMacs on sale for up to $205 off MSRP, NY tax...
B&H Photo has 21″ and 27″ iMacs on sale for up to $205 off MSRP including free shipping plus NY sales tax only: - 21″ 1.4GHz iMac: $1019 $80 off - 21″ 2.7GHz iMac: $1189 $110 off - 21″ 2.9GHz... Read more
Sale! 16GB iPhone 5S for $1 with service
Best Buy is offering 16GB iPhone 5Ss for $1.00 with 2-year activation at a participating cellular provider. Choose free home shipping and activation, or buy online and activate during in-store pickup... Read more
Apple refurbished 2014 MacBook Airs available...
The Apple Store has Apple Certified Refurbished 2014 MacBook Airs available starting at $679. An Apple one-year warranty is included with each MacBook, and shipping is free. These are currently the... Read more
27-inch 3.5GHz 5K iMac on sale for $2349, sav...
 Adorama has the 27″ 3.5GHz 5K iMac in stock today and on sale for $2349 including free shipping plus NY & NJ sales tax only. Their price is $150 off MSRP. For a limited time, Adorama will... Read more
Save up to $380 on an iMac with Apple refurbi...
The Apple Store has Apple Certified Refurbished iMacs available for up to $380 off the cost of new models. Apple’s one-year warranty is standard, and shipping is free: - 27″ 3.5GHz 5K iMac – $2119 $... Read more
iFixIt Teardown Awards 12-IInch Retina MacBoo...
iFixIt has posted its illustrated teardown of the new 12-inch MacBook Retina. They note that this new MacBook is less than half the thickness of the last Apple notebook called just “MacBook” back in... Read more
13-inch 2.5GHz MacBook Pro (refurbished) avai...
The Apple Store has Apple Certified Refurbished 13″ 2.5GHz MacBook Pros available for $829, or $270 off the cost of new models. Apple’s one-year warranty is standard, and shipping is free: - 13″ 2.... Read more
Faithful iPad 2 Gets A Second Career In Retir...
Finally, after four months’ transition, I handed my faithful old 2011 iPad 2 off to my wife at the end of March and switched whole-hog to using the iPad Air 2 I bought back in November. I’d found... Read more

Jobs Board

*Apple* Retail - Multiple Positions - Apple,...
Job Description: Sales Specialist - Retail Customer Service and Sales Transform Apple Store visitors into loyal Apple customers. When customers enter the store, Read more
*Apple* Solutions Consultant - Retail Sales...
**Job Summary** As an Apple Solutions Consultant (ASC) you are the link between our customers and our products. Your role is to drive the Apple business in a retail Read more
*Apple* TV Live Streaming Frameworks Test En...
**Job Summary** Work and contribute towards the engineering of Apple 's state-of-the-art products involving video, audio, and graphics in Interactive Media Group (IMG) at Read more
Event Director, *Apple* Retail Marketing -...
…This senior level position is responsible for leading and imagining the Apple Retail Team's global engagement strategy and team. Delivering an overarching brand Read more
*Apple* Solutions Consultant - Retail Sales...
**Job Summary** As an Apple Solutions Consultant (ASC) you are the link between our customers and our products. Your role is to drive the Apple business in a retail Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.