

ICC Meeting:

IFAS COMPUTER COORDINATORS
(ICC)

NOTES FROM January 11th 2008 REGULAR MEETING


A meeting of the ICC was held on Friday, January 11th, 2008 in the ICS conference room. The meeting was chaired and called to order by Steve Lasley just a bit late at about 10:03 am. As was discovered after-the-fact, Steve had failed to renew the standing reservation with the bridge for 2008, and when he tried to connect, the conference wasn't available; consequently, he created the conference as an ad hoc conference. This apparently caused problems, preventing folks from connecting to streaming via the web. Other issues may have been caused when video services tried to fix the error by creating a new conference and moving folks over. In any case, Steve is very sorry for the difficulties and will try to see they don't reoccur.

PRESENT: Seventeen members participated.
Remote participants: Julio Bastidas, Bill Black, Kevin Hill, Dwight Jesseman, Helena Niblack, Louise Ryan and D. A. Walker.
On-site participants: David Baudree, Dennis Brown, Lance Cozart, Dan Cromer, Marion Douglas, Andrew Carey, Wayne Hyde, Winnie Lante, Steve Lasley and Mark Ross.

STREAMING AUDIO: available here

NOTES:


Agendas were distributed and the sign-up sheet was passed around.

Report from the chairman

New members:

Steve noted that Trish Capps left IFAS after the Thanksgiving holiday following a 2-year stint at the West Florida REC in Milton. Steve knew of no other changes, but asked local IT staff to please check the ICC member page for any missing or extraneous entries. Steve primarily learns about new folks from Chris Leopold as they get IF-ADMx accounts and might not ever hear when someone leaves unless he is notified specifically.

Recap since last meeting:

As per his usual procedure, Steve pointed folks to the notes of the last meeting, without going into any details.

Policy

Next ITPAC meeting is February 7th

Steve noted that the upcoming February ITPAC meeting is prior to our next meeting. Since we skipped the ICC meeting in December, however, we hadn't yet had time to review what transpired at the last ITPAC. Steve pointed folks to the notes from the November ITPAC meeting and mentioned that the biggest news there was an edict from Jimmy Cheek asking for a reorganization of IFAS IT, ICS and EMS. At that meeting there was talk about getting a committee together to begin to look at that and the ICC was asked to pass on its recommendation regarding our web policy proposals. From there things have gone into the all-too-familiar "black hole", so Steve asked Dan Cromer if he had any news to relate on the matter or if he was aware of any movement to reorganize IT or ICS.

Dan basically responded that he hadn't heard much more about it except that it is going to happen. Dan did mention that there is now a "web administrative policy committee" comprised of Joe Joyce, Larry Arrington, Ashley Woods, and himself among others. They are discussing what IFAS needs the web to do (i.e., business goals) and also working out some policy issues before we start looking at this from the technical side. Steve asked if they were meeting regularly and Dan replied that this is an ad hoc committee that has met twice. They may have one more meeting before there is some sort of policy statement which will go forth. Apparently, the committee's current "homework" is to review the ICC Web Policy recommendations and they will respond to those at the next meeting.

UF IT Advisory Committee for Network Infrastructure meeting

Steve gave a brief rundown from yesterday's ITAC-NI meeting noting that audio from this meeting is now available. You are encouraged to check the minutes for the complete details--those will be ready within a week or so. The agenda covered the following items:

Steve mentioned having pretty much a minority opinion there on the topic of external network devices in Wallplate buildings. We were scheduled to vote on the matter, but that has now been delayed until next month. Steve feels that no one has done a good cost/value estimate on this proposed policy and the cost troubles Steve considerably. He is also concerned that this policy essentially turns local IT staff into end users regarding the network--something which Steve feels is a waste of university resources as well.

Steve explained how most everyone on the ITAC-NI committee comes from large IT shops who already view networking from a centrally managed perspective. Steve, however, has saved considerable money over the years by implementing small workgroup hubs in various situations. Those roughly two dozen devices have caused literally no problems; but this proposed policy would force our department to replace those with direct drops costing roughly $16,000.

Dan said that he believes the implementation will not be terribly onerous because they intend to allow 4-5 MAC addresses per port. This would not prevent the use of a workgroup hub for the occasional workaround. Steve responded that while it would still be possible, it would be strictly against policy--a line that a local IT person might want to think twice before crossing.

Since there have to be exceptions in any case, for server rooms in departments and the like, Steve would like to see them first fully develop the methods for requesting and granting exceptions along with the documentation and maintenance of those. We are definitely going to need that whether or not this policy is passed. Once those were in place, a more measured step than an outright ban of external devices would be to require unit IT staff to register any external network devices under their control until such time that their elimination is shown to provide positive overall value to the unit and/or the UF organization as a whole.

January 10th UF Exchange technical meeting

Steve attended this along with Dennis Brown, Andrew Carey, Wayne Hyde and Dan Cromer. Steve recorded the session and linked it off the January 10th news item on the ICC homepage.

Present and coming changes

Steve tried to update folks on the upcoming happenings regarding the migration to UF Exchange 2007. On the 18th of this month they are going to move the front ends to point to the new service. There is already a notice concerning this on the IFAS OWA page:

IFAS OWA notice

Steve pointed out that http://www.mail.ufl.edu is the single site for official information about the UF Exchange project. When you see UF Exchange information elsewhere, please take it with a grain of salt.

The new UF Exchange OWA page is already available for use, but after the 18th, IFAS users going to webmail will end up here:

UF OWA logon page

Steve mentioned that he has posted links on the top of the E-mail page within the IT/SA Services Documentation (ufad\if-admn credentials required) to videos of UF Exchange Help Desk training along with the corresponding PowerPoint slide-set. Steve strongly recommends taking the time to look those over carefully. You will also see a link there to the new Active Directory - Help Desk Website (logon with IF-ADMN credentials).

Eventual client setting changes will be required

Though many things will be changing on the 18th, the old hostnames will be re-routed so that most client settings will not have to be changed immediately for things to keep working. That will be temporary, however. We eventually need to change all email.ifas.ufl.edu settings over to mail.ufl.edu. RPC over HTTP settings will also need to be converted to mail.ufl.edu.

Handhelds will see some changes

As Nancy Johnson pointed out, handhelds will now have a PIN number associated with them, which you will have to create once and use upon each access. One consequence of this new PIN is that if the incorrect PIN is entered 10 consecutive times then your device will be wiped. Mark Ross mentioned that your phone will lock after 15 minutes of disuse and you will have to re-enter the PIN for access--though Mark said his was locking much more quickly than that. Mark uses Telenav (for a monthly charge) along with Google Maps and this locking causes him problems at times. The apps work, even the voice prompts, when the phone is locked; but sometimes he has to look at the map for complex ramps. Once the phone has locked, doing that requires re-entering the PIN.

Migration schedule

Over the first weekend, IFAS IT will be the only IFAS unit whose mail stores will be moved to the new servers. That first weekend will give Dwight Jesseman a much better idea on how quickly the rest of the rollout can proceed. IFAS should be fully migrated by the end of April. There will be an e-mail message sent out prior, so this will not be a surprise for your users; you may still want to put out a message of your own however.

Folder sizes and cached mode

There are a couple of constraints of which you should be aware. You should never have any folder that contains more than 5000 messages; if you do you will see a severe performance penalty. Also, either Outlook 2003 SP2 or Outlook 2007 is fine as the client, but they should be set to cached mode. If Outlook is set to on-line mode, the client will not be able to continue to function during the time in which their mail store is being migrated. Winnie Lante noted that she likely had quite a number not using cached mode and would have to go around checking for that. Mark mentioned that this can be controlled via GPO; that would be the easiest way to handle that.

Quota details

Wayne relayed some questions to Dwight, who was out-of-town, and gave us his answers. The mailbox quotas are 125MB, 250MB, 1GB and 2GB. 8GB will be the maximum, but that will be reserved for only very special circumstances and not generally available. Since roughly 80% of space used (on average) is kept in attachments and those are moved out and replaced by links, it is hoped that these options will be more than sufficient to handle everyone's needs. When someone leaves and they want to take their mail with them as a .PST, the attachments will have to be "rehydrated" -- that is, reincorporated. There was some concern about this at the meeting, but Dwight responded later that quotas will be removed for the import (hydrate) process to prevent that causing problems.

Mark asked what will happen when they try to move mail stores which are greater than 2 GB. Assuming the relocation of attachments older than 30 days can drop those below the quota, then there won't be any problem. Dennis asked about getting reports on user mailbox sizes. The userinfo page will, of course, provide that information for individual users. Dwight responded that he would be willing to generate reports on mailbox sizes for a department's users upon request.

Auto-deletion and managed folders

Nancy asked about the managed folders. Once a person's mail store is migrated, any messages older than 365 days will be moved to a managed folder labeled "Auto Deletion (30 days)". The original folder structure which existed for those messages prior will be recreated in that location. Files transferred in this manner will remain there 30 days before being deleted. There is another managed folder labeled "Retain Permanently" where people may move messages and be assured they will never be deleted. This measure is intended to force people to manage their e-mail.

There was some later discussion which mentioned that the real problems with this migration will occur when someone's e-mail gets automatically deleted without their knowledge. While Wayne plans to do a full backup prior to moving the mail stores, he also wants to retire the old servers--which would make restoring rather...difficult. Wayne mentioned that we might have Dwight do a backup of everything after it is moved, but he suspected that would be costly since they use TSM.

More end-user documentation needed

Nancy Johnson mentioned that she would really like to see some good end-user information posted regarding the automatic deletion details. Steve suggested that perhaps that is coming; it would certainly be offered through http://www.mail.ufl.edu if anywhere. Wayne suggested it might not be too drastic for support staff to visit each faculty member one-on-one to discuss or at least deliver a handout on the implication of this new auto-deletion mechanism. In 60 days after migration the first major chunk of >365-day-old messages will be completely gone from Outlook and after 30 additional days they will be gone from backup and unrecoverable completely.

The costs of UF Exchange

Wayne asked about whether UF Exchange was ever going to be paid for off the top, or what charges would be levied for units wishing to join. Dan noted that we are paying about $110,000 a year for this service.

The Barracuda

Users will have some control over their own Barracuda spam settings. Since the Barracuda does block some messages (with a very high score) Wayne was a bit concerned with how difficult it will be (compared to looking in the Junk E-mail folder) to go look at those. The other side of that is IT staff may have to dig around to see what users have done there in order to resolve certain issues that the configuration of that might cause.

Note from the future: the first round of e-mail notices went out yesterday. It looks like the e-mail retention scheme (methods not intent) has changed again, so you may wish to take a look.

Split DNS solution for UFAD problems

Steve mentioned that Mike Kanofsky addressed the split DNS problem at the December UF Exchange technical meeting. Mike said that the reason they didn't implement split DNS from the beginning was that they had only a very limited number of public IP addresses to work with. Now, of course, we are regretting that and it will be a very major project to correct this issue.

Projects

SharePoint Test Site

Prior SharePoint discussion. Dan Cromer said that Ben Beach was supposed to be here today to announce the site, but apparently something came up that prevented him from coming. Steve asked about the multiple authentication prompts one gets upon access and Dan responded that he believed it had to do with the multiple levels of security which a person has.

Virtualization of Core Services

Virtualization of Virtually Everything

Wayne Hyde reported that the topic heading on this could likely be changed to read "Virtualization of everything that can possibly be virtualized". Wayne reported that we have about 40 virtual servers currently--not including those which they intend to host for other people. After doing that we still have quite a bit of capacity left. IT/SA is trying to virtualize all the old Compaq hardware and has gotten rid of a number of old machines, one of which had supported ILS for NetMeeting.

SQL and CALS terminal servers

Wayne said that he and Matt Wilson had done some testing in regards to virtualizing SQL server. It appears that the performance of that is more than sufficient for our needs. Consequently, instead of creating a cluster we are going to virtualize our SQL servers and also create a second SQL server off-site that we can do log shipping to. That will give us some redundancy there. Steve mentioned having the impression that SQL servers were something many steered clear of virtualizing. Wayne responded that we don't really have the sort of large transactional databases where this might be a concern. Wayne also mentioned that terminal servers are perhaps the most difficult kind of server to virtualize successfully. Regardless, Wayne hopes to virtualize the CALS terminal server lab. They currently have four physical boxes for that which Wayne believes can all be virtualized with little problem due to the low load.

The file servers

Currently we have two file servers: IF-SRV-FILE02 is a physical server (set as passive) and IF-SRV-FILE03 is a virtual server (set as active). Wayne has already migrated most of the data from IF-SRV-FILE03 onto the SAN. He pre-stages that with robocopy and every day he goes back and robocopies it over again so it is pretty much current. He created another test box attached to the SAN and copied the data over to that.

Going forward, all clients should be using DFS (i.e., \\ad.ufl.edu\ifas\...) to house file shares. The exception to that will be Macintosh clients and some units using Samba; those will have to use the exact server name. With the cluster which we are moving to, you wouldn't use the actual physical server name, but rather the virtual node name. Virtual node names provide some level of naming abstraction as well, so we can eventually add another file server down-the-road and migrate the virtual node into that box without having to worry about pointing clients to a new resource name. This will make future changes much easier to implement.

The details of the naming spec for the new fileserver cluster have been determined. The way it works is you have X number of nodes in the cluster. Since we are doing active/active with two cluster nodes, shares are tied to a virtual node name and not the cluster name for the entire cluster...

Note from 23 September 2008:

The description of the naming conventions provided here was discovered to be in error. Consequently, these details were documented within the File Services section of the IT/SA Service Documentation (ufad\if-admn credentials required).

...So while our physical servers have names such as IF-SRVC-FILE1 and IF-SRVC-FILE2, there will be two virtual node names: IF-SRV-FILE1 and IF-SRV-FILE2. IF-SRV-FILE1 and IF-SRV-FILE2 (the virtual names) can be attached to either physical node in the cluster, but normally, IF-SRV-FILE1 would be owned by IF-SRVC-FILE1 and IF-SRV-FILE2 would be owned by IF-SRVC-FILE2. Both shares and disks (user storage and the VSS storage) are associated with the virtual node name. That way, when the virtual name moves between physical boxes, the shares and disks for that virtual name will too. That is how we achieve total abstraction from the physical box. Down the road we could add two more nodes (faster, better) to the cluster, move the virtual nodes to these boxes, and then remove the two old boxes from the cluster.

Issues with copiers and non-Windows client platforms

Nancy Johnson mentioned having a copier which requires an IP# to connect. Wayne responded that we need to find a solution for that, along with Mac and Unix clients. Andrew Carey said that copiers are going to be connected to a separate server, IF-SRV-PRINT, rather than go to the file server. There is a data share there. Andrew believes that most of them should be able to talk to the name somehow. He doesn't know if it is a limitation on the length of the name/path or what; he also has not run into any copiers besides Nancy's which has that problem and means to find the opportunity to look at that before too long. Mark Ross said that the problem with copiers is that there is no industry standard and that companies try to implement the cheapest solution possible so they can say that a machine has networking features.

Wayne countered that, aside from those issues, they will do their best to try and make it work. The goal is to get everything abstracted to some virtual name or to DFS so that future configuration changes on the server side will not impact clients at all. Mark also suggested that units get with him and Andrew prior to signing an expensive copier lease so that they can evaluate the hardware prior.

Web and print servers

Web and print services are the other things they are looking at virtualizing. They might do that with the print server before too long, but they won't worry about the web services until perhaps a year from now when IF-SRV-WEB is due to be replaced.

Volume Shadow Copy and SAN space usage

Steve asked about Volume Shadow Copy for the file server. Wayne responded that our main file server is going to have about 12TB of usable space which will be split into 2TB LUNs to limit the size of volumes. This will permit easier maintenance for such things as CHKDSK. It will also permit separation of OUs so one OU cannot gobble all the space from the others. There will be eight 2TB volumes and possibly another 700GB volume. We also have two 700GB volumes to use for Volume Shadow Copy. The goal is to have, say, four 2TB volumes on one physical file server in the cluster and one on the other and then have two 700GB Volume Shadow Copy space for those 8TB. Wayne is confident that this will give us plenty of Volume Shadow Copy space--though that can be changed as is deemed necessary. Quotas will be implemented as hard quotas using FSRM on the server.

Fileserver platform: 2003 vs. 2008

Steve asked for an estimate on when Volume Shadow Copy might be enabled. Wayne said that Andrew and he had created a test cluster on 64 bit Win2K3 R2 with 2TGB of space and some Volume Shadow Copy space. The concern is having the Volume Shadow Space fail over in synch with a node failover and that worked fine in their testing. They just have to build the servers, but would like to wait for the release of Windows 2K8 to test that with the failover scenario (if that is not too far away). There are also some issues concerning whether the backup software will work with that new platform. If the 2008 version has problems we will see about going ahead with 2003. The file server lease expires in 6 months, so we will be buying new hardware soon. Wayne would rather go to 2008 now rather than move to 2003 now and then 2008 in six months. If we go to 2008 now, in six months we can basically just add the new physical servers we buy to the cluster, migrate the old servers to the new and then take the old ones off-line.

List of our current production VMs

  • IF-SRVV-CALSTS04 (their dev terminal server)
  • IF-SRVV-SOILGIS
  • IF-SRVV-DHCP02 (backup DHCP server)
  • IF-SRVV-EPO4 (limited use)
  • IF-SRVV-FILE03
  • IF-SRVV-FRESERV (linux box for FRED)
  • IF-SRVV-GIS
  • IF-SRVV-GROOVE
  • IF-SRVV-ICSSQL
  • IF-SRVV-LISTS (listserv)
  • IF-SRVV-LSTAT (web stats)
  • IF-SRVV-MRM (meeting room manager)
  • IF-SRVV-NAGIOS (server monitoring)
  • IF-SRVV-PCMAN (HP procurve manager)
  • IF-SRVV-RELAY (mail relay)
  • IF-SRVV-SQLDEV
  • IF-SRVV-SWSDE
  • IF-SRVVT-SQL03 (test SQL)
  • IF-SRVVT-WEB03 (test WWW)
  • IF-SRVV-VPN (production VPN service)
  • IF-SRVV-WEC (web backup server)
  • IF-SRVV-WP (wordpress)
  • IF-SRVV-WSS (sharepoint)
  • IF-SRVV-WSUS

Soon we will add:

  • IF-SRVV-AD-APPS
  • IF-SRVV-TASK01
  • IF-SRVV-DOMITA (Dell OpenManage).

...plus a bunch of other VMs as well for testing (five servers for EPO4 testing, replacement for SQL01/02 test, etc.). Currently, we total 47 VMs on 4 machines overall. FA will add about 10 VMs as well since they have bought into the project.

Power/cost savings from virtualization

There will be considerable power savings realized by Wayne's virtualization project. The CALS and SQL servers alone will save 1700 watts which is ~ 0.5 tons cooling. The old hardware uses roughly the following:

  • CALS takes up 1360 watts and 0.3 tons cooling (4 Terminal servers and 1 file server)
  • SQL01/02 uses 1600 watts and 0.4 tons cooling

On the other hand, their virtualized replacements run something like:

  • ESX host is about 550 watts (0.15 tons)
  • Two DAEs on the SAN use about 350 watts and 0.1 tons cooling each

Then you must consider that Wayne will soon be virtualizing or already has virtualized a boatload of other servers--at an average of maybe 200-250 watts per server. The list is something like:

  • IF-SRV-WSUS
  • IF-SRV-NAS01
  • IF-SRV-GIS
  • IF-SRV-PCMAN
  • IF-SRV-FILE01
  • IF-SRV-AD-APPS (soon)
  • IF-SRV-TASK01 (soon)
  • IF-SRV-DOMITA (soon)
  • IF-SRV-VPN (formerly if-srv-isa)
  • IF-SRV-syslog
  • IF-SRV-listserv
  • IF-SRV-virtual (old PE6xxx series) was decommissioned and replaced by ESX
  • consolidated a bunch of file servers (ICS, SNRE, WEC-Coop)
  • soon ENHFILE
  • turned off all of our ML310 Compaq mid-tower servers
  • and there are a bunch of other servers to virtualize in the future as well

Current IT/SA server costs

Each ESX host costs ~ $15,000 and can easily handle 32 VMs, but we'd run out of memory before CPU power. One ESX host is pretty much considered redundancy overhead since you want fail-over capacity. The SAN costs just under $60k/year.

This makes the entire IT/SA operation quite a frugal endeavor considering the capacity we now enjoy. Our ESX cluster has 28 CPUs, 120GB RAM, and gobs of disk space. We are paying $60k per year for the SAN and one ESX host. We bought 2 other ESX boxes at about $5k/year (estimating high). About half the SAN cost is going towards file server storage too: 4 shelves to ESX, 3 (currently) to FILE. We paid $15000 TOTAL for an ESX host on a 4-year lease--so each host costs us $333 per month, assuming a bit of interest. The SAN storage adds about $3000 total per month, spread among 4 hosts @ $750 per host. Consequently, our ESX cluster costs us about $1200 per month per host.

Comparison costs for CNS to provide similar services

CNS hosts VMs at a charge of $30/mo for one "unit" which is 1/8 of a CPU, 512MB RAM, and 12GB disk. Most of our VMs are 2GB RAM, have as much CPU as they need (although that could be restricted if necessary) and 40GB disk. Just for the current 47 VMs, that would run us $67,680/yr at $120/VM/month. Using CNS's charging method just one of our CPUs you would multiply out as 28 * 8 * 30 = about $7000 per month per ESX host.

The above figures might be slightly off one way or the other, but there is just no way CNS could provide these services anywhere close to as inexpensively as IT/SA does. That is why FA went with us in on the ESX cluster. For the cost that CNS charges for VMs, you can pretty much buy a physical server with money left over on a lease for yourself. A VM w/ 4GB RAM will end up costing you $240/mo or $8640 over 3 years. That's more than you could lease a 4GB server yourself by far. Of course that is probably still a decent deal for a department without a sysadmin staff, server room, etc. but, IFAS has all of that already.

IFAS WebDAV implementation

Mark asked why this remains on the project list. Steve responded that we had never officially announced that service was available because no movement has occurred in getting this documented for end users.

Vista Deployment via SMS and WDS

Steve mentioned that eventually Vista will come to widespread use and he hopes we have a good automated method of building those systems in place by that time. Andrew believes WDS is still running, but hasn't had time to really look at it. He believed that whoever has access to RIS has access to WDS, but wasn't sure. Mark mentioned that the RIS deployment has essentially been broken by not being updated in keeping with new Dell hardware offerings. Steve mentioned that Vista SP1 will be out soon and that maybe it will precipitate more rapid adoption. Mark mentioned that most would not see problems with Vista provided they have powerful enough machines. Some applications such as SAS and SPSS still have issues apparently, though SAS claims some level of support currently. Mark also mentioned that he is running Adobe CS3 on 64-bit Vista successfully though he had some installation issues.

Kevin Hill had a question about Vista and the logon scripts. He has found that when someone is logged on with local admin rights the script will not map drives properly unless he turns off UAC. Andrew has a test GPO that works around the problems pretty well. Dennis mentioned the repeated printer install promptings he gets; Andrew's solution addresses that as well. The one known problem with the solution is the following oddity. When testing via Vista with non-admin credentials things worked fine. When we then added the account to the local admins, things continued to work fine. Finally, if we again removed the account from local administrators, on the next logon the script would not run and nothing we tried would remedy or reverse that. This process was found to be repeatable by both Steve and Andrew. We never got beyond that to figure out why the back and forth changes broke things. Louise Ryan mentioned pretty much the opposite problem as Dennis; her Vista machines apparently keep losing printers. No one else mentioned having seen that problem.

Re-enabling the Windows firewall

Steve asked Wayne if he still saw this as fairly low priority. Wayne responded that he saw no reason to proceed quickly at this time.

Operations

Password expirations on IF-ADMx accounts

Wayne is seriously considering setting all the IF-ADMN and IF-ADML accounts to expire the passwords in a month to force folks to change those. Then he would want to shorten the expiration date on those; currently they have a one-year expiration period which is deemed too long for such accounts. Wayne feels six months might be more appropriate.
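To see which IF-ADMx accounts a shorter expiration would actually catch, the following added example (not IT/SA's own tooling) classifies accounts from an export of the Active Directory attributes pwdLastSet and userAccountControl. The CSV layout, the account names, and the reading of "six months" as 182 days are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # zero point of pwdLastSet
DONT_EXPIRE_PASSWORD = 0x10000           # userAccountControl bit: password never expires
ADMIN_PREFIXES = ("IF-ADMN", "IF-ADML")  # assumed naming pattern for IF-ADMx accounts
CURRENT_MAX_DAYS = 365                   # the one-year expiration described in the notes
PROPOSED_MAX_DAYS = 182                  # "six months", taken here as 182 days


def to_filetime(dt):
    """datetime -> 100-nanosecond ticks since 1601-01-01 UTC (pwdLastSet format)."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def from_filetime(ticks):
    """pwdLastSet ticks -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def classify(row, as_of):
    """Return (status, age_in_days) for one row, or None for non-admin accounts."""
    if not row["sAMAccountName"].upper().startswith(ADMIN_PREFIXES):
        return None
    if int(row["userAccountControl"]) & DONT_EXPIRE_PASSWORD:
        # Flagged accounts are exempt from any maximum password age.
        return ("never-expires", None)
    ticks = int(row["pwdLastSet"])
    if ticks == 0:
        # pwdLastSet of 0 means the account must change its password at next logon.
        return ("must-change-at-logon", None)
    age = (as_of - from_filetime(ticks)).days
    if age > CURRENT_MAX_DAYS:
        return ("over-one-year", age)
    if age > PROPOSED_MAX_DAYS:
        return ("over-six-months", age)
    return ("ok", age)


def audit(export_text, as_of):
    """Map each admin account in the CSV export to its (status, age) verdict."""
    results = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        verdict = classify(row, as_of)
        if verdict is not None:
            results[row["sAMAccountName"]] = verdict
    return results


def build_sample_export():
    """Constructed sample export; every account name here is made up."""
    utc = timezone.utc
    rows = [
        ("IF-ADMN-alpha", datetime(2007, 12, 1, tzinfo=utc), 512),
        ("IF-ADML-bravo", datetime(2007, 5, 1, tzinfo=utc), 512),
        ("IF-ADMN-charlie", datetime(2006, 11, 1, tzinfo=utc), 512),
        ("IF-ADMN-delta", None, 512),
        ("IF-ADML-echo", datetime(2005, 3, 1, tzinfo=utc), 512 | DONT_EXPIRE_PASSWORD),
        ("fsmith", datetime(2006, 1, 1, tzinfo=utc), 512),
    ]
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["sAMAccountName", "pwdLastSet", "userAccountControl"])
    for name, when, uac in rows:
        writer.writerow([name, 0 if when is None else to_filetime(when), uac])
    return out.getvalue()


if __name__ == "__main__":
    as_of = datetime(2008, 1, 11, tzinfo=timezone.utc)
    for account, (status, age) in sorted(audit(build_sample_export(), as_of).items()):
        print(account, status, "" if age is None else "%d days" % age)
```

Accounts reported as never-expires are the ones to review first, since shortening the expiration period does not affect them.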

Inappropriate fileserver usage

As Wayne robocopies data he tends to look at what is being moved over. In that process he has noticed inappropriate use of our file servers for storing personal music. On the new file server Wayne thinks he may set some FSRM filters that would e-mail a nasty-gram (rather than block) to folks who place such files on the server. There are, of course, some valid uses for .mp3 files. The other concern is .PST files. Wayne will probably set another filter to explain the problems which active .PST files can cause with our backups. Not only do they cause very large differentials (due to continual change) they cannot be backed up when left opened. Wayne would be glad to send OU Admins a list of people who have .MP3s or .PSTs, if you are willing to help get those cleaned up. Wayne estimates there are 20-30 folks who are using active PSTs rather than having the mail within their Exchange stores. We really should fix that before we get migrated.

Wayne also has noticed that some Help Desk and other tech support people have backed up systems to personal folders while they are working on people's hard drives. Wayne is considering setting up some NAS space for IT people for that purpose to keep such things off the expensive SAN storage.

Currently we have soft quotas enabled, but once we get onto the new fileserver we will have hard quotas once again. There was some discussion on how quotas can be bad if they lead users to implementing their own solutions. Wayne said that eventually we will have to put some effort into getting people to be good stewards of their space. Steve said that this is why he originally wanted quotas. Steve is implementing redirection of My Documents (now complete for over 50% of his machines). He also provides each user a "Local Store" area within their local profile and places a short cut to there in their on-line storage. He encourages people to create an archive folder in their local store each year, move all the My Documents contents there, backup to DVD, and then start fresh. That way the older stuff is archived off their hard drive but still readily available there.

Wayne mentioned that some folks are using a similar scenario on the file server itself (sans optical backup) and accumulating multiple copies of older information on our expensive storage. Wayne regrets that Microsoft doesn't provide data de-duplication capabilities along with their standard server software.
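The per-user list of .MP3 and .PST holders that Wayne offers to OU Admins could be produced along these lines. This is an added example, not Wayne's script or an FSRM configuration; the one-folder-per-user share layout, the sample names and the seven-day threshold for calling a .PST "active" are assumptions.

```python
import os
import tempfile
import time

FLAGGED = {".mp3": "mp3", ".pst": "pst"}  # the two file types named in the notes
ACTIVE_PST_DAYS = 7                       # assumption: modified within a week = in active use


def audit_share(root, now=None):
    """Summarise .mp3/.pst usage per first-level folder under root.

    Assumes each first-level folder belongs to one user or unit.
    Returns {owner: {"mp3": [count, bytes], "pst": [count, bytes],
                     "active_pst": [paths relative to root]}}.
    """
    now = time.time() if now is None else now
    cutoff = now - ACTIVE_PST_DAYS * 86400
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        owner = "(share root)" if rel_dir == "." else rel_dir.split(os.sep)[0]
        for name in files:
            kind = FLAGGED.get(os.path.splitext(name)[1].lower())
            if kind is None:
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # unreadable or removed mid-scan: skip it, keep scanning
            entry = report.setdefault(
                owner, {"mp3": [0, 0], "pst": [0, 0], "active_pst": []})
            entry[kind][0] += 1
            entry[kind][1] += st.st_size
            # A recently modified .pst is probably being used as a live mail
            # store: the case that bloats differentials and fails to back up.
            if kind == "pst" and st.st_mtime >= cutoff:
                entry["active_pst"].append(os.path.relpath(path, root))
    return report


def notice_lines(report):
    """One summary line per owner, largest flagged footprint first."""
    def total(item):
        return item[1]["mp3"][1] + item[1]["pst"][1]
    lines = []
    for owner, e in sorted(report.items(), key=total, reverse=True):
        lines.append("%s: %d mp3 (%d bytes), %d pst (%d bytes), %d active pst" % (
            owner, e["mp3"][0], e["mp3"][1], e["pst"][0], e["pst"][1],
            len(e["active_pst"])))
    return lines


def build_sample_tree(root, now):
    """Constructed sample data: three made-up user folders."""
    samples = [  # (relative path, size in bytes, age in days)
        ("asmith/Music/track01.MP3", 4000, 200),
        ("asmith/Music/track02.mp3", 6000, 150),
        ("asmith/Docs/report.doc", 1000, 3),
        ("bjones/Mail/archive2006.pst", 50000, 400),
        ("bjones/Mail/current.pst", 90000, 1),
        ("clee/Docs/budget.xls", 2000, 10),
    ]
    for rel, size, age in samples:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
        stamp = now - age * 86400
        os.utime(path, (stamp, stamp))


if __name__ == "__main__":
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, now)
        for line in notice_lines(audit_share(tmp, now)):
            print(line)
```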

Wayne's improved IF-ADML login script

Wayne mentioned having rewritten the IF-ADML logon script (see if-adml-template-cscript.vbs) to something more to his liking and was willing to share that. His main complaint with the version which Chris Hughes had made long ago was that it left a wscript process running if you clicked the "X" to close the IE window. Wayne's version opens up a command prompt via cscript rather than wscript; its only limitation is that it doesn't run on Windows 2000. Wayne had also added some code to get (mostly) around a problem with the use of "sendkeys" in the script which had been dropping some of the special characters he uses in his passwords. The only current limitation there now is the "}" character. The new version also prints out a line telling each command it runs. You can hit enter or Ctrl-C and it closes the script prompt window and kills the cscript process. On top of that, you don't have the IE6/7 problem where at first logon you had to add the location to the trusted sites--that is no longer an issue.

The demise of the Microsoft Internet Locator Service (ILS)

This service had been running on hardware which failed. Since it only runs on Windows 2000 IIS 4 and is unsupported, it was decided that this is a good time to stop supplying the service. Steve had some folks query him on what this would mean relative to our use of NetMeeting. The answer is essentially nothing. NetMeeting may still have some use for sharing files during VCs, although the coming widespread use of People+Content may make that less useful. NetMeeting can still be used for that and can connect to a conference ID; the loss of ILS will have no effect on that. Steve also wanted to mention that Mike Ryabin has gotten NetMeeting working successfully on Vista via a hotfix.

ePO version 4 is awaiting deployment

ePO version 4.0 is getting held up by an issue with the McAfee agents for which we are awaiting a patch. McAfee 8.5 also has a bug where, if a client does not have IE7 installed, it spams the event log with "cannot scan encrypted file" entries. Basically it involves a problem scanning the temporary internet files. The issue with the agent is that every five minutes there is a policy enforcement that causes it to write two events to the event log; this is rather annoying when you are looking through the logs for actual problems. Once those two issues are resolved we can retire ePO 3 and move on to ePO 4.

In the meantime, ePO 3 does have an issue where the McAfee updates on the server side fail and it hangs. Richard Steele and Dean Delker have been good about checking and letting Wayne know, but if you ever notice that your DATS are not up-to-date, please e-mail Wayne so he can reboot the server.

Wayne mentioned that the new McAfee agent has an option to allow you to see the agent log--basically a replacement for http://localhost:8081/, except this updates in real-time and has some other diagnostic features. Implementing that replaces the usual V-Shield icon in the system tray with a square that has a big "M" on it. This gives you options for looking at the McAfee agent as well as VirusScan. Wayne wanted our input on whether we thought that change would throw our users. Nobody had any problems with Wayne making that change.

Wayne again reminded us that he does not currently push VirusScan 8.5, as he has been concerned about causing problems for some who may be running other anti-virus packages. He is now considering pushing it to those already at 8.0, however; if anyone has objections to that, please let him know.

ePO 4 does allow pushing upgrades to clients, but the desired granularity of delegation is not there. Wayne cannot grant that privilege to someone without giving them access to all the OUs. Wayne is still investigating workarounds for that.

Patching updates

December was a fairly heavy MS patch month, but January is not too bad. Steve did mention that there was a prerequisite update for Windows Vista SP1 (KB935509) which we might want to consider.

MS Office News update

In Office news, Office 2008 for the Mac is coming very soon. Kevin Hill mentioned that his prior problem with Excel 2007 has been remedied by a hotfix which was later rolled into Office 2007 SP1. This removed Kevin's roadblock to deployment of Office 2007 at Immokalee.

Winnie Lante mentioned that Andrew Carey had sent around a link to an interactive Word 2003 to Word 2007 command reference guide which walks you through how to do 2003 things with 2007.

Job Matrix Update status

This matter was not discussed in Chris Leopold's absence.

Remedy system status

Dan mentioned wanting to make a formal announcement of http://support.ifas.ufl.edu, but he had first wanted some documentation for that showing screenshots and the like. Dan asked for discussion on whether that documentation was really necessary or whether he could just go ahead with the announcement. Dennis asked if he was the only one not using Remedy. A bit of discussion followed with Dan promoting its use for purposes of documenting what we do, while most simply complained about the various shortcomings of the system.

Other news

Enable "Interactive Logon: Do not display last username" for servers

Mark has proposed we do this, for servers only, via GPO.

IFAS OWA notice

Nobody was opposed to doing that.

The meeting was adjourned on time, just a bit before noon.