Moving Forward with Open Source, a Network Manager's Perspective

dhicks

I work as a network manager at a mid-sized private school in Alton, Hampshire. My job involves dealing with anything IT-related around the whole school (we have a nursery department, prep school, senior school and sixth form, the senior school and sixth form are girls only), from setting up and maintaining workstations to configuring server-based resources such as appropriately filtered Internet access, file storage and web-based applications. I have had previous experience of a similar job in a state school, so here I plan to summarise some of the aspects of the job that relate to the use of open source software within schools, both in the state and private sectors.

The first, most obvious, reason to use open source software is “because it is free”. Especially in a private school, value for money is an important consideration (despite what you might think, private schools aren't rolling in money – they are businesses that have to justify any expenditure). However, simple capital cost alone is an increasingly minor part of the total cost of ownership of any large, organisation-wide computer system. Any piece of software has to be installed, maintained and kept up-to-date, users have to know how to use it (they might need training, or simply some spare time to figure it out for themselves), and the software might be required to exchange data with other applications or organisations. 

The ultimate aim of a good network manager should be to make their job redundant – there are more useful things human beings could be doing with their time than servicing machines. In a decade's time the role of the IT expert in schools really should have moved on from basic workstation maintenance to that of resource creator / collator. As such, any school network has to be understandable and manageable by the majority of (reasonably bright) people with the job title of “network manager”. A modern school IT system cannot be completely idiosyncratic, run entirely by a collection of custom Prolog scripts or something – should your current network manager win the lottery and simply not report in for work one morning you need to be able to have someone else step in and take over with a minimum of fuss. Your IT system needs to adhere to some set of standards that work in practice – network managers work at the practical end of computing, documents produced by standards bodies are nice to have but ultimately what actually works in practice is what winds up as the standard.

The above considerations currently point towards the use of an Active Directory, Windows Server based system. Most software intended for the educational market is written (badly) for the Windows platform, which implies at least some Windows workstations on your network – you'll find there's always at least one department that just has to have some bit of Windows software to meet some must-have requirement. Open Source has not yet provided a reasonable replacement for the Active Directory domain controller. Samba is always in development, but cannot, by its very nature, do anything except react to new features in Active Directory, and in the meantime we have real users expecting real results right now.

We, as network managers, have no right to dictate what software is required by the academic staff. If a teacher wants Word because that's what they want to train their pupils to use then that's what we need to work to provide. Making teachers less dumb is a problem that needs fixing somewhere else – we can, of course, point out open source alternatives that they may wish to consider, but being uncooperative isn't going to help anyone. It should be pointed out that the average teacher is completely clueless as regards the licensing of software, resources, music or video and can be genuinely baffled and upset by being told that we cannot simply pirate some item for them. This is the root of many complaints by teachers about network managers – “the network manager refused to install X for me” – and one of the main reasons why school machines tend to be heavily restricted in terms of what end users can do with them: if they weren't, staff and pupils would simply fill them with pirated software and resources.

If a school network pretty much has to have an Active Directory server at its heart, what about the use of open source workstation and server-based applications on that network? This brings us back to the point made at the start of this document, that the initial capital cost of a workstation or server should be considered a minor part of its total cost of ownership. Joining a Linux workstation to an Active Directory server, or having a server authenticate users against AD, implies a Windows device Client Access License for each computer on your network, whether running Windows or not, but this is a relatively small cost (around £5 per CAL at education prices). Other than Active Directory, every other function that needs to be done server-side can be handled very well by open source systems. Samba works very well as a file server (in several ways it is more flexible than Windows), server virtualisation, backup and failover can be handled entirely by free, open source software, and web-based services such as VLEs, management information systems and email systems can all be had for free.

However, while saving tens of thousands of pounds on your software costs is nice, it is not perhaps the main advantage to a school of using open source software. A state school might not even have to really consider the actual capital / ongoing cost of a piece of software if they are provided it by a centralised purchasing agreement, or they might simply be forced to surrender part of their budget to their local education authority which will then spend it for them. The real advantage of open source software is the open standards that come along with the software and the flexibility in support options. A school itself may not have the expertise to modify applications or to write plugins to carry out some necessary task, but those skills are easily hireable by the hour in many cases. Open source software is simply flexible in a way that software should be but that commercial software often isn't.

So, as a network manager, how do I use open source software? The same way as I use any software - to get stuff done in the quickest / simplest / cheapest way possible. If a problem needs to be solved right now and there is money to throw at it then commercial software might be the answer, but often some piece of open source software is going to be the better choice, simply because its initial cost is lower, or because its ongoing costs are lower, or because I can get it to work with another system with a minimum of fuss and cost, or because I know that I have multiple third-party support options to choose from (as opposed to one company that might go bust), or simply because everyone else thinks it's the best solution and that's what they are using.

[The above is another of the 'provocation' papers for the forthcoming think tank - Miles.] 

dhicks

> The above considerations currently point towards the use of an Active Directory, Windows Server based system

Discussing this at the session on Friday, it seems that there may be a cunning way around this limitation - however, I seem to have lost the contact details of the chap I was talking to about it. I think it was either Mark Ferns or Simon King I was talking to.

lord_alan

We visited Simon at Bishop Fox recently - for a case study doc that will be ready soon - and they use OpenLDAP for everything. They don't use AD at all IIRC.

If you still need his details drop me a line at alan dot lord at The Open Learning Centre dot com and I'm sure he won't mind if I send you his email address.

Alan

tbateson

Hi Dave,

I spoke to Simon about this and he was using adm files to manage the XP machines.

I once did something similar for a workgroup that did not want to purchase a server.

This article gives some basics about it http://support.microsoft.com/kb/816662

So it may be worth contacting Simon to see how they do it.

Regards,

Tim

Yes indeed, we have no AD in our network. There are different challenges involved in administering Windows machines that way but it does work and the hard work is a one-time task. It also makes integrating Macintosh and GNU/Linux desktops significantly more straightforward.

Very briefly, the adm files constructed using the above link are used with MS Policy Editor to create a .pol file using a nice tick box interface. You assign the policies to groups, and make sure you get the groups in the correct order so they are applied as you wish. We have an "all users" group that is heavily restricted, and staff and admin groups where restrictions are specifically lifted. That pol file then goes in samba's netlogon folder and is named "NTConfig.POL".

Provided whatever setting you want can be implemented in the registry, it can be done by creating your own custom .adm file.

The downside is that if you stuff it up, it may mean deleting user profiles (not their work) to let them get recreated without the so-called "tattoo" of the old registry settings. Individual users can be fixed using regedit to load their "NTUSER.DAT" and editing the registry values directly, however fixing them one by one is not realistic when dealing with >1000 users.

GPOs are convenient when making very regular changes to group permissions (adding and removing the same permission repeatedly), whereas it doesn't necessarily work so well using this method. That said, assuming you have a fairly sane and consistent set of permissions (like us) then setting samba+NTConfig.POL up once is nicer than having another Windows machine to manage. Adding in new registry values is also straightforward.

Without AD you then have the freedom to use your own DNS and DHCP servers, allowing you to have single tasked VMs with failover, and so on, and so forth.

GOSA works well for managing OpenLDAP, with JXplorer for low level searches and tweaking.

Simon
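As an added illustration of the custom .adm approach Simon describes (this is not his template or any file from the thread), below is a minimal policy template that exposes two well-known Windows user-restriction registry values to the Policy Editor tick-box interface. The category, policy and string names are invented for the example; the registry paths and value names are the standard Windows policy locations.

```adm
; Custom system-policy template (added example, not from the original post).
; Load it in Policy Editor, tick the boxes per group, save as NTConfig.POL
; and drop the file into the share Samba exports as [netlogon].
CLASS USER

CATEGORY !!Cat_Custom
    ; Default HKCU key for every POLICY in this category that does not
    ; name its own KEYNAME.
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\System"

    POLICY !!Pol_NoRegedit
        ; EXPLAIN is only understood by newer editors, so guard it.
        #if version >= 3
        EXPLAIN !!Exp_NoRegedit
        #endif
        VALUENAME "DisableRegistryTools"
        ; Explicit VALUEOFF matters: NTConfig.POL writes straight into
        ; NTUSER.DAT, so to undo a restriction later you untick the box
        ; (writes 0) rather than greying it out (leaves the old 1 in place,
        ; the "tattoo" problem described above).
        VALUEON  NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY

    POLICY !!Pol_NoControlPanel
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        VALUENAME "NoControlPanel"
        VALUEON  NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY
END CATEGORY

[strings]
Cat_Custom="Custom school restrictions"
Pol_NoRegedit="Prevent access to registry editing tools"
Exp_NoRegedit="Blocks regedit for members of the restricted group."
Pol_NoControlPanel="Hide Control Panel"
```

Apply the restricted template to the "all users" group and an unrestricted one (boxes unticked, so VALUEOFF is written) to the staff and admin groups, ordered so the lifting groups are processed last.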

dhicks

Many thanks for the post, very informative. I started a related thread over on EduGeek:

http://www.edugeek.net/forums/nix/53501-samba-server-domain-controller.html

This brought up the interesting subject of Microsoft's External Connector license. If the information I've got so far is correct then I can allow as many users as I like to authenticate against our Active Directory server for a one-off payment of around £200. This is "solving" a problem by simply throwing money at it, but £200 is pretty reasonable. We still have to pay for a device CAL for every machine we join to our domain, but that just becomes a minor part of the overall purchase price of a machine. Has anyone else had any experience with ensuring licensing is correct for using external web-based applications with Active Directory?

Active Directory also requires you to use their DHCP and DNS servers (at least, to work properly) therefore you either need to run additional Windows servers (additional licensing) or do without redundancy. Also, those extra Windows servers need beefier hardware than a lightweight Linux server (with no GUI) running only slapd, bind or dhcpd. Pooling your configuration into a single machine as with AD naturally consolidates things if you only have a few servers anyway, but the ability to have single purpose lightweight virtual servers makes managing the configuration of any one so much easier without affecting another. For example you can bring down a DNS server for maintenance and let the secondaries take over, without also bringing down DHCP, file, print and authentication as we did before.

According to a recent visiting Microsoft reseller, with virtual servers you either need Windows Server Datacentre edition or enough licenses for each server to run the maximum number of concurrent Windows guests it might be required to host (as licensing is done guests per CPU, not as transferable guest licenses).

One way or another, that £200 soon grows.

Even at £5 per CAL, that would add a significant fraction onto the £120 Linux clients we deploy if you add them up in quantity.

I'm not saying AD isn't a valid solution in some situations, but that saying "it only costs" must include follow-up costs for future projects and include the limitations in flexibility you face. Migration costs *next* time must also be considered when comparing embedding yourself further into an incumbent with switching to something new (not just applicable to IT).

p.s. When the reseller asked about us not using the "industry standard Windows" everywhere, I asked him what he used at school, or college. He blinked and sat back to think about it, he used BBC Micros, so I asked how it had limited his progress and skills, and how it had disadvantaged him in his current job. He wasn't able to answer that one. I also mentioned the adage "nobody gets fired for buying IBM", after all, who hasn't got an IBM PC on their desk these days ;-)

IanL

Also worth pointing out that the OFSTED report "The Importance of ICT" March 2009 actively encourages using more than one operating system and different types of technologies. It has taken a long time but it seems that the education system is finally waking up to the damage that the "you can do everything in MS Word" has done to learning. We now have the majority of the adult population either IT illiterate or terrified of any suggestion of change. The marketing phrase "industry standard" has a lot to answer for and any genuine educator using it should wash their mouths out. We want children to become industry innovators not industry standards.

p.s. you can use local group policy objects as well for some things (like printer config), especially if you clone machines anyway (subject "how do I clone using free software" saved for another day).

IanL

Hm, minor part of the overall purchase price. That might be true as a one off, but on a national scale that adds up to a lot of taxpayers' money locked into a monopoly supplier. Not saying you can do anything about it but I think it is worth reiterating that it is not a good thing for public sector services to be effectively held to ransom and all efforts should be made at all levels to avoid such situations in the future. 

tbateson

Simon,

We are looking to extend our network by adding Linux machines that connect to our Learning platform and run open office for editing course work etc.

We will be implementing a SAN with CIFS/NFS/iSCSI so that personal user data can be stored and accessed without the need to always involve Active Directory. Also looking at using some sort of LDAP/AD synchronisation so that we could get the Linux machines to authenticate against LDAP rather than AD. Even if they do authenticate against the AD server we have saved the cost of a Windows 7 Pro license. We also get to use older hardware that will boot faster than newer hardware running XP/Windows 7! With new screens, keyboards and mice, they will look and act like new machines :)

Simon would be able to contact me via my email (tim dot bateson att houghtonkepier dot org dot uk, personal tim at monkeyx dot net). I would like to check with you how well learners and staff have taken to using OSS apps and Linux as their primary OS. I am interested to know how you are managing desktop security, application security (i.e. locking down Firefox to not change proxy preferences) and updates on the clients (as this is one thing that GPOs and WSUS do well (I know you don't agree that they do :)). It may be that you are using XP clients with an LDAP backend? Was not sure if you also had Linux clients.

The department I have in mind for using Linux will hopefully be reasonably open to trying something new :) Unless we implement the solutions using OSS they would have to wait a long time before we could afford to create an IT suite for them!

All the best,

Tim