ICC-AD Committee Meeting
8/13/02
Attendees:
John Sawyer
Sherry Hays
Mike Kanofsky
Chris Leopold
Dean Delker
Kevin Hill
Steve Lasley
Jack Kramer (via phone)
Dwight Jesseman
Claude King
David Ayers
David Gagne
Joe Hayden
Mark Palmer
Tim Nance
Meeting opened at 1:30pm.
OLD BUSINESS:
Chris Leopold passed out the Network Systems Server Survey. Kevin stated that we have the WIN information together. Chris suggested putting together a new form and having all the IFAS IT personnel fill it out, covering what they need in order for AD to join the forest. Kevin said that we have a good start on the enumeration and are making good progress.
Enumerate shares – include hardware.
Sherry Hays passed out the Questionnaire. It was suggested that we ask Dan Cromer to send another message to department heads asking their IT personnel to fill out the questionnaire. The cut-off date should be August 30th.
Chris feels we still need a structured meeting with each IT department to find out who the dissenters are and whether the department is going to join the tree.
Kevin stated that Steve has been doing a good job of keeping the ICC-AD web site up to date with everything that comes in to him for AD. It was suggested that certain web pages be password protected to keep outsiders from seeing sensitive information. Other suggestions were: look at //nt-file/adplanning$ and put sensitive data in that share; put an empty template on the public web site with a link to the nt-file folder. Steve went over the web pages and what can be found on them. If we send him links we want added, he will add them.
NEW BUSINESS:
Develop a project timeline – Kevin has the Microsoft Timeline template from Chris; we just need to make sure that we put deadlines on it. Discussion was held on bringing in an outside consultant, Dell or Compaq. We need to think about when to bring in a consultant (after we have designed the domain structure and hierarchy) and how we are going to pay for it. Would the consultant be able to help us with the domain structure, cost, and implementation? It was determined that if we don't have something put together up front, we will be charged more money in the long run.
At the last consortium meeting it was decided that they need information from ITAC and will then bring in the consultant to ask whether they should have AD at all. Now they are trying to get money to move forward and create the UF root so IFAS can join the tree and move on with its planning. Dell has offered to provide free hardware to start the UF root.
It was mentioned that everything is starting to move at the UF level because the ICC group is pushing it on.
Kramer asked if anyone had set up triggers. We need to keep our ears and eyes open, and advise Dan Cromer to keep his eyes open for this. Key words – who would we give them to? Division of Sponsored Research; touch base with IFAS sponsored programs. Kevin feels we probably have enough old equipment to start up a test site. We will be looking early next year for hardware.
PRELIMINARY AD DESIGN DISCUSSION:
Chris has an OU design. We need to build an administrative model that is based on how things are managed. First thing – get the requirements on paper.
Primarily used by students
Primary authentication
Single password, one sign-on, is the biggest pull we have right now to go to AD.
Kevin does not want to give up administrative rights.
The name space does not have to overlap Active Directory.
Dynamic DNS for workstations
A split DNS entry
Totally separate name space – everything would fall under that (UF suggestion).
How is AD going to work with FIRN? – There will be two different DNSs, separate from FIRN; everything is done through DHCP.
3. No compromising local security
Password control – length and change policy.
Is anyone looking at UNIX integration with AD and the direction Microsoft is taking? The Samba project is working on it.
Samba.org (developing AD support).
4. Integration with UF Directory – LDAP
LDAP as it exists right now is going away – it will be redesigned.
Schema control is an issue.
Has anyone talked to the people who are working on the phone system? They are having to use AD also.
The Global Catalog is going to be an issue because of all the changes that everyone makes – is it going to be correct?
There will be changes to the schema over time.
5. Policy and procedure for environmental changes
Windows .NET is supposed to have schema changes and forest trusts. Holes were found in a shared-forest environment, and there are fixes for them.
With multiple forests there would be no sharing of the Global Catalog. If there is only one Global Catalog, there is only one authentication.
It was discussed that we need to come up with several different schemes for the consultants to look at. Claude King will provide an article on schemas for Kevin to look at.
Win2K OU = NT4 Domain (a Win2K OU takes the role an NT4 domain used to).
Populate a domain with nothing but users (GL = GatorLink); it is populated by Kerberos.
Active Directory will act as seed data
Data will be imported through a queue.
Staff will log in as staff.ufl.edu.
Students will log in as student.ufl.edu.
We will need powerful servers to handle all the data coming in and out.
With UF students logging in, we may need another domain controller.
Everyone will have special cases where someone needs the authority to add new accounts.
A user can only appear in a forest once.
You apply group policy at the site or OU level (planning will be very important).
If you put all users in their own OU, they cannot appear anywhere else; they cannot be with their computers, servers, etc.
Computers will work just like they do now, under Windows 2000
There is no trust between OUs
Scenario 1
Put all students in one OU, then put Users and, under it, PlantPath in a separate OU. Add printers, servers and workstations under PlantPath.
Or have child OUs under Users.
If you create a policy for your main OU, it filters down to all the child OUs.
When you create an OU you have to create a security group (security groups are stand-alone; the OU itself confers no rights).
An OU has a user level and a computer level.
The transitivity remains in the forest.
There is an add-on that allows users to browse AD – lookups, etc.
If the IT person for a specific unit is not in the office, the user can call IT and get answers/help. This is one of the best things about AD: there is a central person who can provide help.
An OU hierarchy needs to be created before we start populating them.
An OU is not used for searching; it is used for administration.
RECs will be different because they will have more resources. They will need delegation to their ITs.
Keep in mind pushing information to workstations – keep the path simple.
We need to decide what is needed at the login level – the login script. A policy should be applied at the first OU.
Distribution lists can come off the root, because they are a separate structure.
Say Animal Sciences wants to be its own island (do we create a child domain?). We need to come up with rules/policies that would not allow that. If a department doesn't meet the requirements, it cannot join the forest (domain). If security is an issue, then handle it from the top down.
We need to make rules that accommodate departments that need the extra security. Or, we can make the rule that we don't go past tier 2. They would also have to create their own "name"; they can't participate in AD.UFL.EDU.
If you have Visio, it can create the hierarchy for you and automatically names everything. Submit some ideas to the list.
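The following PowerShell script is an added illustration of Scenario 1 and of the password-control point above; it is not part of the minutes and not anything the ICC group produced. It assumes a forest root named ad.ufl.edu with NetBIOS name AD, a test domain where the ActiveDirectory and GroupPolicy modules are available, and made-up OU and group names (Students, Users, PlantPath, PlantPath-IT). It builds the OU hierarchy, links one policy at the parent OU so that it is inherited by the child OUs, creates the stand-alone security group that goes with the department OU, and delegates user and computer administration in that OU to the group rather than to the OU itself.

```powershell
# Added example, not from the minutes. Assumed forest root: ad.ufl.edu (NetBIOS: AD).
# Run in a test forest as a domain administrator.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$root = "DC=ad,DC=ufl,DC=edu"        # assumed forest root

# Scenario 1: all students in one OU; staff under "Users" with departmental child OUs.
New-ADOrganizationalUnit -Name "Students" -Path $root -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name "Users"    -Path $root -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name "PlantPath" -Path "OU=Users,$root"

# Department resources live under the department OU, beside its people.
$dept = "OU=PlantPath,OU=Users,$root"
foreach ($container in "Printers", "Servers", "Workstations") {
    New-ADOrganizationalUnit -Name $container -Path $dept
}

# A policy linked at the parent OU filters down to every child OU.
New-GPO -Name "IFAS-Baseline" | Out-Null
New-GPLink -Name "IFAS-Baseline" -Target "OU=Users,$root" -LinkEnabled Yes

# Each OU gets its own stand-alone security group; rights follow group membership, not the OU.
New-ADGroup -Name "PlantPath-IT" -GroupScope Global -GroupCategory Security -Path $dept

# Delegate full control of user and computer objects inside the department OU to its IT
# group (dsacls: /I:S = apply to sub-objects, GA = generic all, limited to the object class).
dsacls $dept /I:S /G "AD\PlantPath-IT:GA;;user" "AD\PlantPath-IT:GA;;computer"

# Password control (length and change policy) is set once at the domain level.
Set-ADDefaultDomainPasswordPolicy -Identity "ad.ufl.edu" -MinPasswordLength 8 `
    -MaxPasswordAge (New-TimeSpan -Days 90) -PasswordHistoryCount 12

# Verify that the child OU inherits the parent's link rather than needing its own.
(Get-GPInheritance -Target $dept).InheritedGpoLinks |
    Select-Object DisplayName, Target, Enabled
```

The last command is the check a practitioner wants before populating the OUs: if IFAS-Baseline does not appear in the child OU's inherited links, the policy was linked at the wrong level or inheritance was blocked, which is the sort of mistake that is cheap to fix before users are in place and expensive afterwards.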
TO DOs:
Chris, Tim and the group are summarizing the number of shares per server, IFASDOM only for now. Put the Perl script on the web. The Perl script could populate an Excel worksheet. Servers only.
Kevin will work on the template and the timeline.
Sherry Hays was asked to contact Dan Cromer and ask him to send a reminder email to the Department Heads about the questionnaire. Have a summary done by the next meeting. Chris suggested rewriting the questionnaire.
Kevin suggested that someone from the ICC group sit down with a department head to discuss joining AD. This will be done only with dissenters. The person who sits down with them needs to have enough information to answer the questions clearly.
Next meeting will be Tuesday, September 10th, at 1:30pm.
The meeting was adjourned at 4:45pm.