The TBI Bandung Computer Network
You may have heard that there is something special about the computer
facilities at TBI’s Bandung branch. Although built around computer
equipment that can only be described as average at best, the TBI Bandung
network is probably the most sophisticated of its kind among all language
schools in Indonesia, and even among many of the international schools as
well. Furthermore, we have only just begun to tap its potential!
Following is a discussion of what makes this network
so unique and what would be required to make this model work for your
branch.
By Matthew Arciniega, TBI Bandung’s chief network architect, former Senior Teacher
for IT, now Senior Technology Analyst for IT consulting company PT
Kampungcyber.com
Background
TBI Bandung’s network is built around the Microsoft
Windows 2000 operating system. Windows 2000 is the successor to Windows NT
4, Microsoft’s very successful business-oriented operating system. In
contrast, TBI Bandung formerly relied on Windows 95 and Windows 98,
collectively known as Windows 9x. Although all versions of Windows
bear a superficial resemblance to each other and basically run the same
programs, “underneath the hood” they are quite different. Here’s a quick,
and necessarily simplistic, summary of these differences.
Windows 9x was designed with the home or small office
user in mind, and was particularly optimized for gaming. It was built on
top of the old Disk Operating System (DOS), and essentially added a
high-tech graphical user interface to that system. But because it was
built on top of another system, Windows 9x has always been plagued with
stability issues. As any Windows 9x user knows, crashes, hangs, and
computer restarts are par for the course. Setting up small home or office
networks and sharing files or internet connections is not difficult with
Windows 9x. However, security features are limited and cumbersome to
administer—particularly in networks of more than 10 computers.
Windows NT/2000, on the other hand, was built from
the ground up with stability, security, and large-scale networking in
mind. Because of the ever-evolving nature of hardware and software
technology, and because the changing needs of users require occasional
upgrades in both these areas, it is virtually impossible to create a 100%
stable networking environment where conflicts between these elements do
not occur. Nevertheless, Windows NT/2000 provides a computing environment
that is perhaps 95% more error-free than Windows 9x. It also
provides granular control over who can access files and folders, and who
can make changes to computer settings. Furthermore, it does this through a
centralized administrative model. This means that a network
administrator, working from a single computer, can set policies for
hundreds or even thousands of other computers. These three
features—stability, security, and centralized administration—work hand in
hand to reduce an organization’s Total Cost of Ownership (TCO). But
equally important, they also allow for the implementation of a number of
other features that elevate the functionality and usability of the network
to new levels. This is true whether you are working in business,
technology, or education fields.
Goals for the TBI Bandung Network
In designing the TBI Bandung network, I had three
goals in mind:
- Improving network facilities for TBI students.
- Improving network facilities for TBI teaching staff and
administrators
- Reducing the Total Cost of Ownership (TCO). This includes improving
usability, accessibility, stability, performance, and lessening the time
associated with routine administrative tasks.
In the following section I’ve outlined the key
features of the new network, and how they relate to these goals. Few of
these facilities would have been possible without the upgrade from a
Windows 9x model to Windows 2000.
Features of the TBI Bandung Network
Relevance to the above goals is given in parentheses,
e.g., Folder Redirection (1, 2, 3) means that the feature supports
all three goals.
Primary Features (those having a direct impact
on end-users):
- Near rock-solid stability (1, 2, 3). Programs running on our
Windows 2000 stations crash or freeze over 90% less than on
Windows 98 systems. Furthermore, our Win2k computers almost never
require rebooting.
- Secure logon (1). Users must provide a name and password to
use a computer. Staff members have their own logon credentials, while
students just type “student” and leave the password field blank. There
is no way to bypass the logon screen, as there is with Windows 98.
- Personalized desktop & roaming user profiles (2). Not only
can a staff member set his/her own wallpaper, font sizes, folder view
settings, and mouse tracking speed; those very same settings will follow
him/her no matter what Win2k station s/he logs on to. Encourages
staff to personalize their desktop environment, even when they do not
have their own computer.
- Secure access to personal files (2). Staff files stored in
the My Documents folder are 100% protected from access by other
staff members. Even network administrators are, by default, denied
access to these files.
- Virtual CD-Rom (1, 2). Perhaps the most innovative facility
we provide for students. All our CD-Roms are available through a virtual
CD player located in the lower right of every Win2k computer screen.
This includes reference materials such as Microsoft Encarta, Britannica,
and the Merck Medical Reference; TOEFL preps; multimedia English
learning packages; and games such as Airline Tycoon and Tomb Raider. An
entire class can access the same virtual CD file with only minimal loss
in performance.
- Folder redirection (1, 2, 3). This is the ability to redirect
key user folders, such as the Start Menu folder and the My
Documents folder, to a network location. Redirecting everyone’s My
Documents folder to the same file server allows for centralized backups
of all user files in a single go. Redirecting all staff members’ Start
Menu to the same folder allows us to create a consistent,
well-organized, and easily updatable Start Menu.
- Accelerated Internet access (1, 2, 3). Our proxy cache speeds
up Internet access by as much as 50% during peak hours, allowing
us to support far more Internet connections than would typically be
possible through a single dialup modem serving a network of 30-plus
machines.
- Granular control over access to desktop settings and installation
rights (1, 2, 3). In the previous networking environment, probably
80% of the network administrator’s time was spent fixing problems
created by users who intentionally or unintentionally altered network
and system settings to the point of making a machine unusable.
Frequently programs were deleted or unauthorized programs added to a
system. This is now a thing of the past. User rights are defined from a
central console, after which they apply to all users belonging to a
particular security group. Students, for example, experience a
near-total lockdown of their desktop environment; they can access the
programs they need for study and surfing the web, but they can’t change
wallpaper or delete icons, programs, or key system files. Staff members,
on the other hand, have more freedom to alter their desktop workspace;
they can use their own wallpaper, customize fonts and font-sizes, and so
on. A side benefit to all this is that users can experiment with their
systems as much as they like without fear of mucking things up for
other people.
- Granular control over access to shared files and folders (2).
Just because a staff member can see a particular folder or file name
doesn’t mean s/he can open and edit it. You won’t get into the Finance
folder, for example, unless your user account belongs to the Finance
security group. The old system required a different password for each
shared folder. Furthermore, the staff and student computers had to be
logically separated on the network to prevent unauthorized access by
students. Now the key is not where you log on, but rather what
your logon credentials will allow you to do.
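The group-based access model described under "Secure access to personal files" and "Granular control over access to shared files and folders" can be sketched as a simplified access-control-list check. This is an added example, not part of TBI Bandung's configuration; the account names, group names, and ACL contents are constructed for illustration.

```python
# Added example: simplified model of a Windows-style discretionary ACL check.
# All account, group and folder names are constructed for illustration.
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2

@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # user or security group the entry applies to
    mask: int      # rights covered by this entry

@dataclass(frozen=True)
class Token:
    user: str
    groups: frozenset  # security groups attached to the account at logon

def access_check(token, dacl, wanted):
    """Walk the ACL in order; grant only if every wanted right is allowed.

    The token carries identity and group membership only. There is no
    workstation or network-segment input, so the result is the same from
    a student lab machine or a staff desk.
    """
    identities = {token.user} | token.groups
    remaining = wanted
    for ace in dacl:
        if ace.trustee not in identities:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False            # a matching deny entry ends the walk
        if ace.kind == "allow":
            remaining &= ~ace.mask  # these rights are now granted
            if remaining == 0:
                return True
    return False                    # no entry granted it: implicit deny

# Constructed ACLs mirroring the two cases in the article.
FINANCE_DACL = [Ace("allow", "Finance", READ | WRITE)]
BUDI_MYDOCS_DACL = [Ace("allow", "budi", READ | WRITE)]  # owner only

budi = Token("budi", frozenset({"Staff", "Finance"}))
sari = Token("sari", frozenset({"Staff"}))
student = Token("student", frozenset({"Students"}))
admin = Token("netadmin", frozenset({"Staff", "Domain Admins"}))

def demo():
    return {
        "budi->Finance": access_check(budi, FINANCE_DACL, READ | WRITE),
        "sari->Finance": access_check(sari, FINANCE_DACL, READ),
        "student->Finance": access_check(student, FINANCE_DACL, READ),
        "sari->budi docs": access_check(sari, BUDI_MYDOCS_DACL, READ),
        "admin->budi docs": access_check(admin, BUDI_MYDOCS_DACL, READ),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'granted' if ok else 'denied'}")
```

Access is denied whenever no entry names the user or one of the user's groups, which is why the administrator account is refused in the last case even though it has no explicit deny entry.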
Secondary Features (reducing TCO and
administrative burden):
- Remote workstation installation (3). Old methods of deploying
a fully-loaded computer station would generally take anywhere from four
to six hours. Using disk-imaging and network installation technologies,
we can deploy dozens of systems in less than 40 minutes.
- Network-wide antivirus protection (3). Our antivirus server
automatically downloads updated virus definition files every week, and
then pushes them out to the individual workstations, updating dozens of
computers in less than five minutes. It is noteworthy that since the
introduction of this system more than six months ago (as of 24 July
2002), TBI Bandung has not once had an uncontained virus infestation.
Compare this to previous years where virus intrusions wreaked havoc on
our systems on a number of occasions, resulting in significant down
time.
- Centralized, automated backups (3). Protects databases,
administrative documents, and staff files in the event of workstation,
server, or hard disk failure. Requires no intervention from network
administrators. A tiered backup schedule means there is never only one
backup made of any set of files. Backups are kept anywhere from one week
to nine months depending on the nature of the data.
- Automatic network ID assignment (3). This saves network
administrators the hassle of manually assigning network IDs, and
precludes the possibility of duplicate IDs on the network.
- Security auditing (3). Allows network administrators to
monitor access to certain high-risk areas, including financial databases
as well as server administration facilities.
- Tiered administration (3). Allows a senior network
administrator to allow or deny access by junior administrators to
specific server administration controls. Provides for the possibility of
a number of lesser-experienced admins.
- Terminal Services and Remote Access Services (3). These
features allow a network administrator to dial in to a server using a
standard analog modem to perform both simple and advanced administrative
tasks.
- Disk quotas (3). This facility allows network administrators
to set a maximum limit on the file server disk space used by any one
staff member. Administrators receive notice when a user is about to
exceed his/her quota. Quotas may be adjusted individually to provide for
individual needs. A graphic designer, for instance, generally requires
far more space than the average teacher.
Here are a few features that we haven’t yet
implemented but which are entirely possible under the Windows 2000
framework:
- Online multimedia library. Stories, audio books, radio
dramas, and films.
- Dial-in capability for staff members. For accessing teaching
materials and entering class results.
- Virtual Private Networking with other branches. For sharing
of administrative data as well as teaching resources.
Requirements for a Windows 2000 Network
Before you can set up a Windows 2000 network, you
need to make sure that you can meet or exceed certain hardware
requirements. You must also evaluate whether you can provide the technical
support that such a network requires. Hardware requirements and costs are
easy to calculate. The time (and money) that may need to be invested
in training technicians is a more complex matter.
Hardware Resources
The following info should help network administrators
assess their Win2k readiness.
Workstations
To function well in a Windows 2000 network that
follows the model of TBI Bandung, your PC workstations need at least a
266-MHz processor and 96Mb of RAM. Hard drives should be on the order of
4.3Gb, although at least 10Gb is recommended for student machines that
will be expected to run a range of multimedia programs. If you are buying
new drives, go for 20Gb 7200 rpm IDE drives (7200 rpm provides a
noticeable performance boost over the slightly cheaper 5400 rpm models).
Servers
Following the TBI Bandung model, you’ll need 3 or 4
higher-end PCs: one for the Domain Controller, one for a file server, one
for the Internet gateway/proxy, and one more (if you can at all afford
it), to provide backup services for both your Domain Controller and your
file server. These machines should be running with +500 MHz processors.
Here’s a breakdown of other essential components:
Domain Controller
- 256 Mb RAM
- 1 x 10 Gb 7200 rpm HD
File Server
- 512 Mb RAM
- 3 x 40 Gb 7200 rpm HD
- IDE RAID controller or RAID-enabled motherboard
Internet Gateway/Proxy
- 256 Mb RAM
- 1 x 10 Gb 7200 rpm HD
Backup DC/File Server
- 256 Mb RAM
- 2 x 40 Gb 7200 rpm HD
Network Infrastructure
Here the important elements are:
- UTP Cat 5 cabling throughout
- 100Mbps fast Ethernet PCI cards for your servers (preferably for all
machines)
- 100Mbps fast Ethernet switches (passive hubs only for very small
client clusters)
- 10/100Mbps Ethernet NICs for your servers and workstations. 10Mbps
are possible for smaller client clusters.
Technical Support
Unless your network administrators are already
competent in Windows 2000 network administration (not likely if you’re
reading this), they will have to learn through on-the-job training during
the installation and deployment process. Non-techie school administrators
should not be naïve about this: running a Windows 2000 Active Directory
domain with a full range of network services is not the same as running a
Windows 9x peer-to-peer network. This is the realm of Systems
Engineering and Network Operating Systems, albeit on a
relatively small scale. Everything rests on those server machines,
and on the proper configuration of the services they provide. The sheer
volume of new information a Windows 9x administrator must cope with is
fairly staggering. I would never recommend that a non-Win2k-trained
administrator attempt this kind of upgrade on his/her own, unless s/he has
had ample time to play with the server software (generally at least 6
months).
Nevertheless, assuming the upgrade is supervised by
an experienced technician, your local administrator will learn the basics
of Win2k network admin by being there and assisting. Furthermore, once
properly deployed, the network will be remarkably stable. If dial-in
facilities are provided, configuration corrections and troubleshooting can
generally be supervised or even carried out from a remote location.
Bi-weekly check-up and training visits will still be necessary, however,
for a period of several months after the initial deployment—although
naturally this will depend on the trouble-shooting competence and
attention to detail of your local administrator.
Logistics of Upgrading to Windows 2000
A “best practices” approach would be to create a
mini-network using new server computers and one or two workstations.
During the installation and testing phases, the original network is not
affected. When all preparations have been made, workstations can then be
disconnected from the old network and joined to the new in two stages,
beginning with the student computer labs and ending with the admin staff
machines.
These steps should be carried out by the local
network administrator (under guidance of the Windows 2000 consultant)
during the pre-deployment phase:
- Survey and document existing hardware. Processor speeds, RAM and
hard drive capacities are particularly important here.
- Survey and document end-user needs, specifically, what software they
currently use and what they would like to see as a result of the
upgrade. Software must be Win2k certified or must pass compatibility
testing if it is to survive the upgrade process.
- Upgrade workstation hardware to Win2k-readiness standards.
- Prepare server hardware.
These steps are carried out by the Windows 2000
systems engineer with the assistance of the local network administrator
(estimated times are given):
- Determine security requirements of the individual branch. Entails
examining existing configurations, and meeting with local network
administrator and staff supervisors. (4-6 hours)
- Install server operating systems and associated server software.
(6-8 hours)
- Configure network services (including antivirus services), and
establish backup procedures. (18-24 hours)
- Install a fully-loaded model workstation. (4-8 hours)
- Test and refine network services. Expand directory services.
Establish Group Policy settings. (12-16 hours)
- Create a disk image of the workstation, and test deployment on
another workstation. Troubleshoot, if necessary. (2-8 hours)
- Stage 1 deployment of workstations to student computer labs. Test &
refine. Redeploy as necessary. (4-8 hours)
- Migrate administrative data to new servers. Test data integrity.
(4-8 hours)
- Stage 2 deployment of workstations to staff computers. Test &
redeploy as necessary. (4-8 hours)
- Refine server settings and security policies as network services
come into use. Post-deployment troubleshooting (24-36 hours)
Summary
A Windows 2000 network such as we’ve implemented at TBI Bandung offers a
wide range of features and services that enhance the functionality and
usability of computer systems for students, staff, and network
administrators. The initial investment in hardware, deployment costs, and
training is not insignificant. However, Total Cost of Ownership (TCO) is
greatly reduced through ease of administration. Furthermore, the enhanced
level of service provided to students, coupled with more intangible
factors such as the increased status a tech-savvy educational institution
inevitably enjoys in the public’s eyes, contributes to a rapid Return On
Investment for schools willing to take the leap into the 21st
Century.