IFAS COMPUTER COORDINATORS
NOTES FROM March 13th 2009 REGULAR MEETING
A meeting of the ICC was held on Friday, March 13th, 2009 in the ICS conference room. The meeting was chaired and called to order by Steve Lasley at about 10:00 am.
PRESENT: Seventeen members participated.
Remote participants: Bill Black, Dan Cromer, Francis Ferguson, Chris Fooshee, Wayne Hyde, Kamin Miller, Stephanie Miller, Mike Ryabin, and Louise Ryan.
On-site participants: David Bauldree, Dennis Brown, Andrew Carey, Stewart Collins, Winnie Lante, Steve Lasley, Santos Soler, and Wendy Williams.
STREAMING AUDIO: available here.
Agendas were distributed and the sign-up sheet was passed around.
Nick Smith started with WFREC in Milton in January. Nick had shared the following with Steve previously:
I have been working on and building my own computers,
and computers for friends and family for almost seven
years. This is my first job in IT, I am very excited
and it feels good to now be living one of my long time
dreams, which was to have a job in IT. I am only 18
years old, so it was quite a surprise to be offered
such a position, but I feel confident, and I will
strive to exceed expectations. I am a senior at Milton
High School, where I have worked as community service
for almost two years in their own IT department, and I
feel that the experience and knowledge gained there
can be applied here. I plan to go to college where I
hope to earn a PhD in Information Technology.
Probably what I like doing the most, is working on the
actual hardware, but that may just be simply because
it's what I've done the longest. But the hardware led
to networking. I bought an old computer from the
county surplus store, and deployed my first file
server at home. After I was bored with that, I turned
it into an FTP server, which was fun.
Aside from computers, I have played guitar for five
years, and drums for two. I'm not much of a gamer, but
I do like to play Team Fortress 2.
Santos Soler was also introduced. Santos began work last Friday and will be replacing Mark Ross who is leaving. Santos comes to us from Operations Analysis where he was a server administrator. That is the same group, headed by David Gagné, with which Andrew Carey used to work. Santos has a decade of experience working with computers, the last six of those being with server administration.
The ICC would like to welcome both Nick and Santos and hope they can find the time to participate with our group.
Recap since last meeting:
As per his usual procedure, Steve pointed folks to the notes of the last meeting, without going into any details.
UF IT Action Plan
Steve mentioned that the final UF IT Action Plan report had now been posted on the UF IT Action Plan site. Steve noted with pleasure that "Server/Web Support" was specifically written into the proposed organizational structure of IFAS IT (page 18). Steve feels that keeping this portion in-house will remain the best choice for IFAS for quite some time. Steve also noted that Dan Cromer will now report both to the IFAS VP and to the UF CIO.
Feedback from the Jeremy Moskowitz training sessions
Steve solicited a bit of discussion on what people thought of Jeremy Moskowitz's two-day GPO training session here at UF. Most of the folks present and even a few of our remote people attended all or part of that. Steve mentioned that there is a big gap between book learning of GPO usage and its actual practice, but he greatly appreciated this opportunity and wanted to thank all those responsible on behalf of the ICC.
Shibboleth and Identity and Access Management (IAM) at UF (see prior discussion)
Steve noted that there is now a fairly detailed web site describing our Shibboleth implementation, including instructions for installing the Shibboleth ISAPI module on Windows 2003 and IIS6.
The March ITAC-NI meeting
The main topic was a HealthNet IPAM update.
Comprehensive IT risk assessments
Steve wanted to ask Wayne Hyde if he could provide a brief summary of how the report went, but Wayne was not available to respond at the time. Steve mentioned that there may not be a whole lot he can say about it other than the fact that he put considerable effort into it on behalf of all of us. Wayne did respond on some of his security concerns a bit later in the meeting.
Update on changing the Barracuda default settings
(see prior discussion)
Steve noted that this finally happened with nary a peep from our users (at least that he had heard). It is amazing that this simple process took 51 weeks and untold man-hours to accomplish! Let's hope this is not a representative example of what we can expect from centralizing critical IT services.
UF Exchange Project updates (see prior discussion)
Steve mentioned having recorded the February 6th UFAD/Exchange meeting. One of the more interesting items discussed there was the beginnings of a UF SharePoint project.
In mid-February, Dwight Jesseman finished a project that made inward forwarding addresses from Gatorlink consistent for all Exchange users. "firstname.lastname@example.org" was added as a secondary email alias to all mailboxes in UF Exchange. This provides an email address for forwarding from foreign email systems; it will not be used as primary email address or promoted for clients to use as an email address. Once that process was completed, all forwarding which had been previously set to "@my.ifas.ufl.edu" was changed to "@mail.ufl.edu". As a final step, all the "@my.ifas.ufl.edu" aliases were removed. This makes IFAS accounts consistent with the rest of campus.
Clients could notice a couple of minor changes. On the GatorLink self help website under the modify link, forwarding to "UF Exchange/Outlook" will be an option. Also, when a client views the properties of their name in Outlook they will see the additional email address.
WAN transition to CNS (previous discussion)
Steve had heard that there had been another WAN meeting with CNS on Wednesday, but Chris Leopold was unavailable to provide an update on how things were going.
Split DNS solution for UFAD problems
Steve wants to keep this on the agenda for future reference.
IFAS WebDAV implementation
There continues to be no progress on the documentation which was to happen prior to announcement. Since this has never been formally announced, the matter remains on the agenda as a standing item.
Vista Deployment via SMS and WDS
Vista as an Admin Workstation
While having nothing to do with Vista deployment, Steve did mention that there is a hotfix available which greatly improves the performance of the RSAT GPMC on Vista SP1 UFAD administration machines. To get an elevated file management GUI on that platform, Steve recommends looking at running something like NexusFile via runas.
Steve also noted that he has been unable to get the DHCP plug-in to run on that platform so is relying on a WinXP VM to provide that function. Andrew Carey responded that Santos Soler had discovered that this was due to a problem on the DHCP server itself and should now be corrected. It was actually due to an improper option setting on the PXE boot configuration where some quotation marks were inadvertently omitted. [During the writing of these notes Steve confirmed that the plug-in now works just fine. Thanks Santos!]
Print Server issues
Steve used this opportunity to ask about the print server, which they had been doing some work on as well. Andrew responded that IF-SRV-PRINT has been virtualized but is still crashing frequently; we don't have to worry about hardware failure anymore but all the other problems still exist. He is working on transitioning to the Win2008 platform, but it appears that migration may have to be a tedious manual process because the Print Management snap-in for 2008 is apparently choking on the HP language monitors that are packaged with all the drivers. Andrew hopes to have that accomplished by our next meeting, however.
Exit processes, NMB and permission removal (prior discussion)
Nothing further was available on this topic at this time.
Re-enabling the Windows firewall
This is still planned but is pending the time to implement.
DHCP log access
Steve asked how valuable folks were finding this. He hadn't had any security incidents recently, but really likes having this access when there is an issue. Others agreed.
Disabling/deleting computer accounts based on computer password age
As with so many things in these times of inadequate staffing, finding time for implementation is proving difficult.
Andrew mentioned finding a good article describing the "Machine Account Password Process". That article explained that the password change process only occurs when a machine is turned on and can contact the DC. That explains why a machine can be left off for a long time and still connect when the machine account is re-enabled.
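As an added illustration of the password-age approach discussed above (not code from IFAS IT or from the article Andrew cited), the following sketch triages computer accounts from an exported list of `sAMAccountName`, `pwdLastSet` and `userAccountControl` values. The export layout, the 90/180-day thresholds, the machine names and the sample rows are assumptions constructed for the example; accounts are only ever disabled first, since a disabled machine account can still be re-enabled and reconnect.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # pwdLastSet epoch
ACCOUNTDISABLE = 0x0002  # userAccountControl bit: account is disabled

# Assumed policy thresholds (not taken from the meeting notes).
DISABLE_AFTER = timedelta(days=90)
DELETE_AFTER = timedelta(days=180)


def to_filetime(dt):
    """Encode a UTC datetime as 100-ns ticks since 1601 (used for sample data)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000


def from_filetime(ticks):
    """Decode a pwdLastSet value into a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def classify(pwd_last_set, uac, now):
    """Return (action, age_in_days) for one computer account."""
    if pwd_last_set == 0:
        return "review", None  # password never set: pre-staged or never joined
    age = now - from_filetime(pwd_last_set)
    if uac & ACCOUNTDISABLE:
        # Already disabled: delete only once the password is also very old.
        return ("delete" if age >= DELETE_AFTER else "hold"), age.days
    # Still enabled: never delete directly, disable first (reversible).
    return ("disable" if age >= DISABLE_AFTER else "ok"), age.days


def triage(csv_text, now):
    """Map each account name in the export to its (action, age_in_days)."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        result[row["sAMAccountName"]] = classify(
            int(row["pwdLastSet"]), int(row["userAccountControl"]), now)
    return result


def build_sample():
    """Constructed export; machine names and dates are made up."""
    def ft(y, m, d):
        return to_filetime(datetime(y, m, d, tzinfo=timezone.utc))
    rows = [
        ("LAB-PC01$", ft(2009, 3, 1), 4096),    # recently active
        ("LAB-PC02$", ft(2008, 11, 1), 4096),   # enabled, stale password
        ("LAB-PC03$", ft(2008, 6, 1), 4098),    # disabled, long stale
        ("LAB-PC04$", ft(2008, 12, 20), 4098),  # disabled, not yet old enough
        ("LAB-PC05$", 0, 4096),                 # password never set
    ]
    lines = ["sAMAccountName,pwdLastSet,userAccountControl"]
    lines += [f"{name},{pwd},{uac}" for name, pwd, uac in rows]
    return "\n".join(lines) + "\n"


NOW = datetime(2009, 3, 13, tzinfo=timezone.utc)  # fixed date for repeatable output

if __name__ == "__main__":
    for name, (action, age) in triage(build_sample(), NOW).items():
        print(f"{name:12} {action:8} {age}")
```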
New MPS/DC testing -- access by unit-level administrators
Steve asked Andrew how things were going with this project. Andrew recently learned from our Dell rep that the next (10th) generation of 2950s is coming out on March 24th. We are going to stick with the proven 9th generation machines for the MPS servers; they may even drop a bit in price when the new models arrive. There has been some discussion as to whether we are going to go with the wall-mounted cages with the MPS as previously discussed or whether we would allow these to be rack mounted. They are still leaning towards requiring the cages for security reasons.
Mike Ryabin asked whether there would be any changes in access levels for local OU admins. Andrew responded that he wasn't exactly clear on what sorts of access folks have currently, but that it seems to vary by location. You almost certainly won't have access to logon to the server locally either by remote desktop or by sitting at the console. You will, however, have the ability to change file permissions, etc. remotely. Mike asked about DHCP access and Andrew responded that he expected that access to stay mostly the same, with the ability to configure reservations.
Report generating system
Unfortunately, this is yet another useful project for which implementation time has been lacking.
Core Services status
Wayne Hyde wasn't available for his usual update, but Andrew Carey had supplied a few tidbits about the DHCP and Print servers during discussion on the Vista Deployment item within the project section of the agenda.
ePO version 4 status
Nothing further was available on this topic at this time, but Steve asked if OU Admins had been using the web-based ePO Console (ufad\if-admn credentials required--access available on request). Steve was surprised at how few were using that, and encourages folks to take a look at the cursory documentation he has done on that (ufad\if-admn credentials required). Andrew relayed from Wayne Hyde that EVERY OU ADMIN should have access and should request an account from him.
Wayne wanted to stress once again that we only push the ePO agent--not the McAfee antivirus software. It is up to the OU admins to ensure that VirusScan gets installed either by doing it locally or using the ePO console. Dennis Brown asked if Wayne was recommending VirusScan 8.7 and Steve responded that he believes Wayne would suggest this latest version. Kamin Miller commented that he believed the new version improved performance, especially on Vista.
Kamin asked if there was an anti-spyware module for that version as there is for version 8.5. No one seemed to know and Kamin seemed to be the only one who had been using this.
Wayne let it be known that OU Admins SHOULD NOT place their own Gatorlink accounts into the local administrators group on their unit's machines. That is a BIG NO-NO! He is aware that this has been happening and it has to stop. Doing so cancels the entire point behind our if-admx admin account structure (ufad\if-admn credentials required).
Status of SharePoint services (prior discussion)
Nothing further was available on this topic at this time.
Public folder file deletion policies and procedures status
Nothing further was available on this topic at this time.
Potential access for VC coordinators to modify scheduled VCs
Steve mentioned that there has been some discussion about providing unit VC coordinators access to the Tandberg Management Software web interface so they could make changes. Steve thinks that this could be extremely useful to all, provided that such access involved proper vetting and training of unit personnel involved.
Advertising a new category of VC might help all
Steve also noted that he believes a "new" category of videoconference service might be worth considering for promotion, whereby one could request a bridged conference based on a single endpoint. Steve feels that this could simplify coordination of multi-point conferences considerably. By adding dummy endpoints for such a conference, a multi-point VC can be pre-configured. Most remote sites wishing to participate may then join on an ad hoc basis by dialing the Conference ID which they could obtain from the Event Listing at http://video.ufl.edu. The only exceptions would be Polycom units which did not have the Gatekeeper properly configured. This really isn't anything new that isn't being done already, but Steve feels that promoting this as a separate option would benefit all and save a great deal of staff time--both at VCS and at the various units.
In response to Steve's suggestion regarding conference scheduling, Dan Cromer asked if Steve knew how to create an ad hoc conference. Steve said that he did, but that he wanted to send folks to the event listing on the http://video.ufl.edu site to look those up; he didn't want to have to be involved in the distribution of the conference IDs individually. He believes that involving the bridge in this would be a superior solution. Dan countered that we need to find a way of having ad hoc conferences show up on the event list; that might be the best solution of all.
Just as an FYI, Dean Delker has recommended that ad-hoc videoconferences be created by either using numbers in between the multiples of 10 which the new management system schedules, or by jumping above the 2000 - 2999 range anywhere--thus 7833000 or greater. That procedure should greatly decrease the possibility of a collision.
Documentation and training remain issues
Stewart Collins expressed his opinion that end-user training and lack of good documentation was the biggest roadblock to making videoconferencing work smoothly. He stated his belief that most at the remote locations have no clue about how the system works. Winnie Lante agreed that the documentation was lacking. She gave the example of needing to know how to do a PVX install and not being able to locate configuration instructions.
Mike Ryabin suggested that RECs were in a little better position to support VC use than some of the county offices. His experience suggested that many of the CEOs don't have anyone locally who really knows how to set up a videoconference and to operate the Polycoms. Receiving content has been a particular problem. Mike suggested that we needed to do a better job of making sure someone at each CEO was properly trained.
Louise Ryan took exception to those comments saying that everyone in the NW District knows how to set up VCs, operate their Polycoms and how to use People+Content. Francis Ferguson responded similarly for his district; he said that there should be one person in every Central District CEO that is knowledgeable. In some offices there are two to three such people. He has personally done that training. Steve suggested to Stewart that if he is having problems with a particular location that the District Support folks would be good contacts to follow up with. The ICC membership page lists the District Support folks for the various Districts.
Dan Cromer said he is looking for volunteers to help create documentation and Louise Ryan responded that she has created some Polycom videoconferencing documentation on the NWFREC site under the Information Technology heading.
Dan mentioned that he didn't want people to give up on using http://video.ifas.ufl.edu. Steve asked who was maintaining that site currently. Dan responded that it is a joint effort between Patrick Pettus and himself. Dan is trying to convert it all over to the http://video.ufl.edu page, but it's a work in progress.
Polycom test system available
Dan also wanted everyone to know that the Polycom previously housed in Tom Hintz's office has been moved to the Help Desk in Building 162. That unit is always on and may be used as a test site for whoever needs that. There is usually somebody there during the day though they may not be able to respond. That machine has an MCU and the IP address there is 18.104.22.168. This is the machine you should be using for testing.
Stewart asked if the IFAS Videoconference Directory had been updated recently. That was previously maintained by Tom Hintz and is still available from the http://video.ifas.ufl.edu site along with deployment instructions. That list was used as the beginning point for a new endpoint database for the new Tandberg Management system. Dan Cromer pointed out that this database is viewable via the web on the http://video.ufl.edu site by clicking on the "videoconferencing" link and selecting the "Search" tab. If one clicks on the IFAS link there you can view all the endpoints in IFAS and drill down in. This is the authoritative reference now. Patrick Pettus is the person to contact should any of your information require correction or updating. The plan is for the directory listings on the Polycom units to be maintained centrally from now on via the management program.
Lance Cozart coordinating warranty repairs
Dan Cromer also mentioned that Lance Cozart, who provides computer support for ICS, is taking over some responsibilities for assisting units in obtaining warranty repairs of Polycom systems by coordinating with VSGI.
HD Polycom usage
Mike Ryabin asked if anyone was using the HDX Polycom units in HDX mode or whether bandwidth constraints made that a bit like putting lipstick on a pig [Steve's words--not Mike's.]. Kamin mentioned that they had two HDX systems in Fifield but were limited by SD cameras. Dan mentioned that those were purchased "looking ahead" simply because they were offered a "deal" where they were only $100 more than the regular systems. You do need to have HD cameras and you need to set the VC bandwidth at 2 mbs; if that is done then they will automatically go into HD mode. The bridge, however, does not support HD, so only point-to-point VCs could be run in HD. Chris Fooshee noted that they have HD capability in Apopka along with sufficient bandwidth. If anyone wanted to test HD with him, he would be glad to oblige.
Scheduling of and download access to VC recordings needs improvement
Dennis Brown mentioned that arranging recording of VCs and getting download access to them is still too difficult; he would like to see that process improved. Kamin mentioned that they are doing two such VCs a week for a course. He was provided web access for download by Patrick, but that process is exceedingly slow.
Dennis said the files come in Codian format and that he uses the Windows Movie Maker built into Vista to convert and compress them to a format that works with Windows Media Player. Dan Cromer plans to ask Wayne Hyde to set up a server with NFS which Patrick can use to offload these files for longer-term storage and distribution.
March saw one critical and two important Microsoft patches. An overview video is available.
A number of people, including Mike Ryabin, Micah Bolen, Brian Cain, and Dwight Jesseman reported having problems with the KB958690 patch on some Dell OptiPlex 755 boxes. Mike summarized the issue as follows:
"It looks like this problem is sporadic, some machines get hit and
some don't, most of those are XP and some Vista, even one x64
blue screened then quickly recovered on its own. The most common
and successful fix appears to be a restore to the pre-update point.
I'm also forwarding Brian's message below with a bit more details.
Hope this will be of some help to those who encountered the problem
as well as those with potential candidate PCs."
Version 9.1 of Acrobat Standard/Pro and Adobe Reader was released March 10th. The Acrobat versions are available as patches, though the in-built "update" doesn't seem to currently work. Fortunately, the Reader version is available as a full install package w/o the Acrobat.com and Adobe AIR additions.
Flash Player 10 version 10.0.22.87 came out February 24th. This update addresses a number of security vulnerabilities.
Java Version 6 Update 12 was recently released. Steve has had difficulty using the in-built upgrade service for this on several stations--an error being thrown. Downloading and installing the new version manually overcomes those problems.
Third-party apps in general
Kevin Hill asked Steve if he had considered pushing out some of these via GPO. Steve admitted a combination of ignorance and fear on doing that. While he is aware that there are methods for doing that, there seem to be a great number of caveats which vary by application and by patch situation. This is compounded by the great number of updates that occur on a frequent but unpredictable basis. Steve encouraged any ICCer who believed they had worked out some good options in this regard to please share that with all via the ICC-L.
Steve mentioned that he had disabled autoplay a couple of weeks ago for all the computers in his OU via the "IF-ENTNEM Computer" GPO (on the computer side).
It looks like the necessary patches to make this effective have been pushed out to all platforms (KB967715 for WinXP and KB950582 for Vista). Steve would expect this setting to be recommended for all and wanted to know how folks felt about adding this to the IFAS Co-Managed computer GPO.
Kamin mentioned having done this for his machines as well, but nobody seconded that idea of doing this at the IFAS level. Winnie asked if Steve had warned his users prior and Steve responded that he had not in this instance. So far there have been no complaints.
MS Office News update
Steve had noted that an Outlook 2007 Pre-SP2 Cumulative Update has been touted as being a great improvement. Kevin Hill reported: "It's worlds better than before - especially processing secondary imap accounts." He will be glad when SP2 is released via WSUS so he can push these improvements to his users.
Job Matrix Update status
Steve expressed his wish that this matrix be updated to reflect Santos Soler's new duties.
Remedy system status
Steve wants to leave this matter as a standing agenda item for future discussion.
Mike Ryabin noted that a joint facility with FAU is being built on the Ft. Lauderdale REC campus and that his unit will have one floor of that four-story building. That building is going to provide a support challenge for which he was investigating a potential virtual desktop solution. Mike wondered if there were any policies or guidelines about using such technology or if anyone has tried or tested that. Andrew mentioned that IFAS IT (Wayne Hyde) has developed implementations for labs in CALS and Soils and Water Sciences utilizing VMware View.
Windows 7 Beta
Mike asked if anyone had played with Windows 7. Steve mentioned that Ben Beach had installed it. Kamin Miller mentioned having loaded it on an OptiPlex 745 and that it ran very well. Most of the feedback has been good. Steve mentioned that he hopes he can just skip Vista in his department and go right to Windows 7--preferably on x64. There are some application issues on x64 apparently, but they are getting fewer and fewer. Steve believes a VM setup might handle the few cases where compatibility issues could not be resolved.
Stewart Collins mentioned that SAS has been a pain point on Vista. Kevin Hill responded that version 9.2 works much better on Vista and he has even run it on Windows 7. He has been impressed with the Windows 7 Beta overall. It seems to be much more streamlined than Vista and the install takes about half the time of a Vista install. Kevin is looking forward to its release as it solves a lot of the problems which people have with Vista.
Mike asked about McAfee on Windows 7. A number of people reported that version 8.7 apparently works just fine on that platform.
The meeting was adjourned early at approximately 11:10 AM.