

ICC Meeting:

IFAS COMPUTER COORDINATORS
(ICC)

NOTES FROM July 11th 2008 REGULAR MEETING


A meeting of the ICC was held on Friday, July 11th, 2008 in the main Entomology conference room, Bldg. 970, Room 1014. The meeting was chaired and called to order by Steve Lasley at about 10:00 am.

PRESENT: Nineteen members participated.
 
Remote participants: Chris Fooshee, Kevin Hill, Joel Parlin, Louise Ryan, Mitch Thompson and A. D. Walker
 
On-site participants: Benjamin Beach, Bill Black, Dennis Brown, Andrew Carey, Dan Cromer, Francis Ferguson, Wayne Hyde, Jack Kramer, Winnie Lante, Steve Lasley, Chris Leopold, Wendy Williams and Matt Wilson
 

STREAMING AUDIO: available here


NOTES:

Agendas were distributed and the sign-up sheet was passed around.


Report from the chairman


Member news:

Steve reported that he had heard of no new members since our last meeting.

Recap since last meeting:

As per his usual procedure, Steve pointed folks to the notes of the last meeting, without going into any details. Since we skipped the June meeting, we have plenty of things to catch up on.


Policy


Shibboleth and Identity and Access Management (IAM) at UF

Since our last meeting in May, Mike Conlon has held two separate open presentations on Identity Access Management and Shibboleth (June 2 and July 1). The PowerPoint presentation from those has been made available on line.

Have IFAS web programmers begun familiarizing themselves with Shibboleth?

Steve asked Dan Cromer if IFAS had any programmers becoming familiar with Shibboleth or if there were any IFAS web sites that were a high priority to move to this new system soon. Dan responded that Joe Spooner, under contract to IFAS, has developed a web site on IIS. Steve Clay of the FAWN group has also done one under Linux/Apache. Matt Wilson has been studying the documentation on Shibboleth as well. So we do have people in the process of becoming familiar with Shibboleth.

Is Shibboleth meant to replace all other web authentication methods?

Chris Leopold wanted to know if Shibboleth is meant to replace all other authentication methods. Dan responded that Shibboleth is meant as a cross-platform web authentication method to replace what is currently in place. The long-term intention and stated direction is for this to be able to control access via UFAD security groups. This is for web use, not file-server access. Chris pointed out that we currently can and do use the built-in clear-text (Basic) authentication over an SSL certificate to control web access--in particular with our SharePoint server. Chris is concerned about potentially having to rework how we handle that. He also has some concerns that the work Joe Spooner is doing with Shibboleth involves IIS6 on Win2K3. IFAS is looking at moving to IIS7 on Win2K8 within the next 6-8 months or so.

There will be a gradual replacement of GLauth

Dan responded that Shibboleth is slated to go into production here at UF in the Fall on selected web sites. Shibboleth will eventually replace all GLauth, but no date has yet been set for when GLauth will go away and Dan suspects it will be a year or longer before we have to address those kinds of decisions. Dan compared this transition away from GLauth to our previous move from SSN to GLID; there are many separate applications that will be affected and it will take some time just to deal with all those. Dan sees no need for us to convert any of our non-GLauth authentication methods as long as they are working fine.

See Conlon presentation for details

Dan referred us to Mike Conlon's Shibboleth Presentation for specific details, but pointed out that Shibboleth will solve certain authentication issues between UF and other Shibboleth-enabled organizations. One of the early implementations is expected to involve Mobile Campus. Shibboleth separates authentication from the applications themselves so there is no risk of security breaches via the passing of credentials during the authentication process; the credentials themselves are kept within our organization, but outside Shibboleth-enabled organizations can still use those to grant access to their own applications.

Update from yesterday's UF IT Advisory Committee for Network Infrastructure meeting

Steve gave a quick overview of what was discussed at yesterday's meeting. The agenda included the following:

Steve intends to write the minutes of that meeting after completing the ICC meeting notes, so full details should be available after that time.

Wallplate on schedule!?

Steve did comment on how CNS purports to be on schedule with the Wallplate implementation while he knows that McCarty D, for example, is way behind the original schedule. Dan commented that the way CNS is able to claim that they remain on target is by continually changing what that target is--the UF Wallplate Project Schedule is updated accordingly. Steve added that he seemed to remember that this was originally discussed as a three-year project and now they speak of a five-year replacement plan as if that had been intended all along. The fact is that CNS is facing a tremendous amount of work with the Wallplate rollout--more than originally expected--and is doing their very best to adapt as needed to those demands.

Networking politics being worked out

Steve also admitted not understanding the "Minimum Standards for Networking across campus" discussion which took place at the meeting. Dan Cromer explained that the lack of clarity revolves around the fact that they are dancing around the politics involved. There were two separate incidents which precipitated all this. The first of those is that people who were moved from CLAS or IFAS into the new Cancer/Genetics building are having to pay the HealthNet imposed Wallplate port charges. The second involved a faculty member in one of the new buildings going to CNS because he believed (w/o asking) that HealthNet could not provide services to match their special needs. They are working to develop a standard stating that networking responsibilities within a particular building will not be split between CNS and HealthNet. Either one or the other will be responsible. Also, they need to work out exactly which buildings are the responsibility of which of those two groups and the details of how that will be decided for new buildings in the future. This is a very high-level political agenda and is not a technical issue at all.

From that the discussion evolved into a detailing of what standards we have in place currently between the two groups--the idea being to arrive at some minimum levels which could be acceptably provided by either group. That is the document which they are currently working towards and about which discussion revolved at the July ITAC-NI meeting. Steve thanked Dan for that explanation stating that this made much more sense than what he had gotten out of the meeting.

Comprehensive IT risk assessments will be REQUIRED soon

Steve asked if anyone had learned any more about what is expected from us for this. He understood that we need to have a report in by November but is unclear as to what role each of us is to play in preparing that. Steve understands that there is some data which is risky to not control and that we need to know as well as we can where that is; but that is about as far as he has gotten with this.

Synopsis

Dan responded that there are basically four things we need to do. First of all we need to analyze the data on our servers searching for things that appear to include SSNs or Credit Card numbers; Dan expects Wayne to handle that. Secondly we need to do the same on our local desktops and Dan is looking to Wayne to advise and provide some tools for the ICC to do that for each unit. The third matter involves training to make people aware of issues involving the storing and handling of restricted data. Finally, we need to develop a plan for business continuation and recovery in the event of some disaster. Dan isn't going to dump all this on Wayne; he needs all the ICC to assist in figuring out how we can do this and in analyzing their departments to determine where restricted and other important data is stored and what your business recovery processes would be.

Things may be more complicated than that

Wayne Hyde would like to point ICCers to http://www.it.ufl.edu/policies/security/uf-it-sec-risk-assessment.html as well as the Risk Assessment Standard and the Risk Assessment Guidelines which are linked off the UF Information Technology Security Regulations page. These suggest this may be a bit more involved than what Dan had summarized.

Update on changing the Barracuda default settings

As reported by Dan Cromer via a May 14th e-mail to the ICC-L, the UF Exchange committee voted unanimously to adopt the ICC recommendation for Barracuda management.

Progress update

Steve asked for an update on that. Dan Cromer responded that the people with high-volume accounts have been identified and tier-2 e-mail support people have been given the list to handle them individually. He mentioned having an e-mail nearly composed to the ICC on this. There are 135 people in IFAS who will be impacted (i.e., may get much more in their quarantine folder). Dan mentioned that his delay is in having time to document the process.

Steve was interested in seeing if any appreciable numbers of our users had customized their settings already. If not, then Steve saw no problems; but if so, Steve mentioned we might want to suggest they give the new defaults a try via whatever announcement was planned. Dan responded that there were only a few who had changed from defaults. His proposal will be for the large majority who are still using the defaults to accept the new defaults, give them a try, and if they have a problem with too many items in the quarantine folder, to set the blocking value to a lower number.

Current plan

Dan will send the ICC the list of high-volume users so we can identify our own users who are in that category. He will also send us for comment the e-mails he plans to send to IFAS-Announce-L and to the individual high-volume users. This latter group contains those individuals for which we need to provide some level of one-on-one personal attention.

Steve asked if the UF Computing Help Desk had developed documentation relating to this transition. Dan responded that they had and that he intended to point our users to that in the e-mails he is preparing.

Steve also asked about the expected timeline and Dan replied that he is hoping to have this all ready by the first of August or at least prior to the new term beginning.

The consolidation of IT, ICS and EMR

ICC input unlikely

Steve reported that he had followed Dan Cromer's suggestion and requested (via a June 10th e-mail) the opportunity for ICC input on the IT/ICS/EMS consolidation plan prior to any final decisions being made. When Dr. Joyce responded that the IT/SA group would not be moving to CNS, Steve let him know that he appreciated that, but was concerned that confidence in IT/SA has been weakened.

Consequently, Steve asked Dr. Joyce if he would be willing to make an appearance at an upcoming ICC meeting to address the stability of the IT/SA group. Within that request, Steve went on to explain that his original concern was over discussion between Dan Cromer and Ashley Wood about moving the web server administration position out to ICS.

Addressing the long-term stability of the IT/SA group

The main topic which needs to be addressed in Steve's opinion is the long-term stability of the IT/SA group; the consolidation plan is just one factor which may affect that. There is currently a lack of confidence both within IT/SA and among the IFAS units, that IFAS administration is adequately committed to a centralized model for server support at the IFAS level.

Dr. Joyce has indicated his willingness to meet with us to discuss this matter, but he is unable to schedule that prior to our September meeting. Steve looks forward to that meeting with Dr. Joyce in September because he believes the problem is broader in scope than the consolidation plan per se--though at this time we are unclear exactly what that plan will involve.

Progress on consolidation planning

Steve asked Dan if any progress had been made on the consolidation proposal. Dan responded that a May 28th Memo from Dr. Arrington and Dr. Joyce to Dr. Cheek was handed out by Dr. Cheek at yesterday's administrative council meeting. Dan didn't have a copy with him, but he summarized it by saying that it stated faculty feedback indicates we want IFAS to have a strong web presence, a good facility for e-learning and strong IFAS branding. The reorganization would consequently involve forming a department of Communications and Technology. Their recommendation was to have an Assistant VP/CIO position in charge of this department. Under that position would be three sections: one for web development, another for e-learning/technical support (with technical support including the infrastructure), and finally external relations. Dr. Cheek has said that he will now take this to the Faculty Advisory Council (FC).

Dan is confident that the FC will approve the plan as the process has already begun. The fiscal responsibilities currently handled by Ann Hutcheson, who is retiring shortly, will be moved to Renea Bohannan. The outsourcing of the WAN group to CNS is another aspect of the reorganization which has already happened.

What will this mean for IT support?

Steve commented that we would have to wait to see how all this affected us. Dan replied that in the long term our web developers might be headed by an Associate Director for Web Development. The technical support infrastructure and e-learning and video would be under Dan; currently e-learning is under Ashley Wood. Jack Battenfield would continue to handle External Relations. Dan doesn't see much change with regards to IT support; the IFAS Help Desk is still seen as a needed function in providing network and desktop support for units w/o local IT staff.

UF Exchange Project updates (see prior discussion)

Dwight Jesseman had related to Steve via personal communication that the installation of MailMeter by Waterford Technologies was completed on July 2nd. This is hoped to become our attachment archiving and HSM solution. Here is an example of how the web interface for retrieving attachments might look:

[Screenshot: MailMeter attachment retrieval interface]

Dwight also mentioned that there were a couple of items that needed fixing, but that it looks promising.

MailMeter demonstrated to Exchange Policy Advisory Committee

Dan commented that MailMeter was demonstrated to the Exchange Policy Advisory Committee yesterday afternoon. Basically, when an e-mail message that contains an attachment is over 30 days old, the attachment is moved off Exchange onto less expensive storage and replaced by a web-link to what is demonstrated above. An additional click brings up the attachment itself. There is a process which will be in place for "re-hydrating" e-mails with the attachments so a PST can be made, for example, for someone who is leaving UF and needs to take their e-mail with them that way.

Questions on e-mail recovery

Dennis Brown raised the issue of e-mail recovery. After someone in his department had e-mail deleted Dennis found out that recovery procedures would have to involve his chairman contacting Mike Conlon to provide justification for recovery. The Exchange backups are considered to be for disaster recovery purposes--not for restoring inadvertently deleted e-mail. Mike Conlon's position is that they provide a suitable structure which end users can utilize for managing their e-mail, but that the management itself is and must be the users' responsibility. If something goes into your Deleted Items it will stay there for 30 days, then move to the Dumpster for 7 days (accessible within Outlook via Tools > Recover Deleted Items...). Dan also mentioned that with the advent of electronic discovery we don't necessarily want to even have the capability of retrieving deleted e-mail.

Dan did add that exceptions have been made, especially during initial transition to UF Exchange, but that the plan is to avoid recoveries by placing management responsibilities with the user.

Jack Kramer asked if off-loaded attachments are deleted when the associated message is deleted. Dan responded that the pointer to the attachment is deleted, but the space on the 2nd-tier storage is not recovered--at least not immediately. That is an issue which they are still investigating.

Current policies for retention of e-mail service after leaving

Kevin Hill asked about the policy for retention of e-mail services for someone leaving IFAS. Dan responded that he is in the process of writing a message on that for Dwight which will be vetted through the Exchange Policy Advisory Committee. The gist of that is, if a person is leaving under normal conditions (i.e., not a hostile termination), they will have 30 days additional access to their mailbox. Additionally, their supervisor (or their delegate) will be given immediate access to their mailbox. It will be the responsibility of the supervisor to go through the e-mail to determine if any of that relating to UF business needs to be retained. If so, the supervisor will be responsible for doing that and tier-2 support may need to be involved to assist with that. Technically, someone leaving should not take UF property (which may include e-mail) with them; the responsibility there will lie with the one departing to not do that. After 30 days, the mailbox will be removed by tier-2 support (Scott Owens in our case) and the GatorLink account will be forwarded elsewhere or to the "bit bucket". The "recent employee" role is available to control these procedures for the 30-day period; once that role is gone, the Exchange mailbox will be gone.

Steve asked if the Departmental Associate role trumped this procedure and Dan responded that it would.

Kevin replied that the automated procedures which Dan mentioned are not yet in effect and we currently have to deal with a tier-2 manual process. Kevin wanted to know if and how Exchange mailboxes are being removed currently for people who have left. Kevin asked how he could control that process if necessary--for example if the supervisor of a departing employee asked that e-mail access continue for a year. Kevin was primarily concerned that mailboxes not go away without notice or his involvement. The answer to retaining those is to use the Departmental Associate role; that role may be used to retain mailbox rights for as long as is deemed necessary.

Other exit considerations

Dan mentioned that another aspect is instances where the NMB has been removed for people with mailboxes. Mike Kanofsky will monitor the Other OU for such occurrences and if they have been there for over 30 days, he is going to start contacting the relevant support people.

Dan admitted that the exit procedures and IT exit checklist which he developed are yet to be integrated into our processes. That is taking much longer than any of us wish, but that effort is going to continue until it is in place and functional. Our HR person, Mary Anne Morgan, has seen the IT exit supplement, thinks it is a good idea, and is going to push it to Kyle Cavanaugh.

Dan mentioned that PeopleSoft roles must be validated yearly. Directory Coordinators should take that opportunity to examine their users with the Departmental Associate roles to determine if those should remain.

Steve summed up by saying that IFAS exit procedures clearly need more work and some major portion of that may have to come from the UF level for it to be implemented and become effective. Until that happens we need to continue to consider the options under our control, remain aware of the problems, and do our best to handle things manually.

Student mail to move to Google Gmail

Dan Cromer had announced via e-mail to the ICC-L on July 2nd that:

All,

Mr. Kyle Cavanaugh has requested possible comments about moving students to a special Google Gmail system from GatorLink e-mail. Have any of you heard any feedback about this from students? Other possible comments? I don't have a link to the full information handy, but the basic system is a special contract with Google to provide Gmail accounts to UF students (which would still have an @ufl.edu address), with the contract providing for appropriate security for restricted data. This is due to start in the fall, and would greatly reduce the support requirements for UF GatorLink e-mail; if funding for all faculty and staff were provided for using Exchange, then the GatorLink e-mail system could be eliminated altogether.

Dan
--
Daniel H Cromer Jr
Acting Director Information Technology
University of Florida IFAS

Students pushing for Gmail

As follow-up to that, Donna McCraw mentioned that The Alligator had published some articles on the subject:

One of these articles mentioned that students, while not allowed to forward their GatorLink accounts, may configure Gmail to POP those. This pulls the mail into Gmail and removes it from GatorLink, which accomplishes the same end result as forwarding to Gmail would.

Health Center has performed a risk analysis

Chris Hughes then pointed the ICC to the UF-HSC Information Services Advisory Council (ISAC) "Meetings & Supporting Documents site" which contains three documents discussing aspects of this plan:

Steve noted that there is little doubt that students would appreciate the increased services which such a move might promise, and that UF sees this as an opportunity to save money; but he hopes the Alligator editorial which Donna kindly pointed us to persuades no one. It touts the strongest argument *against* such a move as the primary reason for making it: "But, the most important reason for moving to the Google system would be to reap the benefits from a safer, more secure e-mail system with more layers of protection for sensitive personal information."

Steve is glad that the HSC is taking the initiative to address the security concerns involved; that aspect will be crucial to such a move being successful as the trend to cloud-computing has security risks which should not be overlooked in evaluating such a transition.

Legal aspects may halt plan

Dan Cromer said that he wasn't at all sure that this move would actually happen. Although the students are behind the idea, our lawyers have said that doing this would mean we can't send students any restricted data. That would mean a professor couldn't send a student a notice about their grades, for example. That may be a deal killer. Dan mentioned that the only way UF would really save on this would be from repurposing the staff which currently maintains the GatorLink e-mail system. Until all faculty and staff were moved to UF Exchange, GatorLink e-mail would still have to continue.

Mailboxes generate revenue for Google

Dan also mentioned that Google calculates that each mailbox they support generates a value of about $90/yr for them because of the way they are paid for advertising, etc. When Wayne responded that they should then be paying us, Matt Wilson pointed out that ads are removed as part of the for-pay service.

WAN transition to CNS

The final agreement is considerably less advantageous to IFAS than the original proposal

Steve related that the final CNS-IFAS WAN support agreement differs considerably from the original CNS proposal that he and Chris Leopold had reviewed back in late March-early April. The yearly cost to IFAS was increased 20% to $120,000 and the scope of work covered by CNS narrowed considerably.

The original proposal included support for all IFAS networks both on and off campus. It even went so far as to specify the NW District Support person as being responsible for assisting CNS with on-campus sites and detailed the transfer of the HP Procurve Management server and software to CNS. Under the final agreement, support for network ports on campus will continue to be the responsibility of IFAS prior to moving to the Wallplate. This means Chris will continue to be burdened with campus network maintenance for years to come. That is particularly disconcerting because freeing up time for Chris was one of the main positives of the original proposal in Steve's opinion.

Dan Cromer explained the changes by saying that Dan Miller and CNS came to better realize the amount of work involved and they consequently increased the cost. Dan also said that CNS reworded the scope of work because they never intended to take over support for the IFAS campus network ports before Wallplate (though the original proposal clearly stated they would).

The bottom line from Dan's viewpoint is that he was directed to cut $300,000 from the central IT salary budget. As Dan sees it, the other option was to lay off Jennifer and Claude and give the whole WAN work to Chris and his team.

Is the transition delayed until January?

Steve was concerned that we are already paying CNS but wouldn't begin receiving support until January 1st. Dan assured him that this was not the case. The January 1, 2009 date mentioned refers only to the fact that there will be a transition period during which IFAS will assist CNS in obtaining access to and the current configuration of each of our routers. The details of that have purposely been left vague because the details involved are not yet completely understood. The goal is to have detailed Service Level Objectives developed by year end.

Transition problems

A major issue has been the documentation and reprogramming of the routers to conform to CNS standards. Apparently, Claude took early retirement and did not work during June and the spreadsheet that Jennifer provided on her last day omitted many pertinent details.

The agreement is already in effect

As access and configuration details are granted, CNS will assume responsibility for each router. CNS is already handling things for the 15 REC circuits. If there is a problem, all we need do is submit a Remedy ticket to the UF network. Ben Beach mentioned that Dan Miller expects a 10-30 minute response to any tickets which are submitted--the duration from that point to resolution will depend on the nature of the issue. Ben also mentioned that CNS plans to create a separate group within the Remedy system for the WAN and that District Support staff would be able to submit tickets via that.

District Support involvement

The original proposal stated that CNS would require the continued help of the five District Support personnel. In that proposal those people would remain "a primary support group for onsite issues in remote locations, and will need to accept work from CNS."

Kevin relayed his understanding that Jennifer and Claude had actively monitored the network status and submitted tickets to service providers as necessary to resolve problems. Kevin wanted to know if District Support staff would now have to take over some of that role. Dan replied that the formal agreement is purposely vague as to what continued support IFAS will provide (i.e., "as appropriate"), with everything to be finalized as of January 1, 2009. At least until the details are worked out, Dan wants IT/SA to maintain Servers Alive so that we can do the same sort of monitoring that Jennifer and Claude had done. Wayne added that CNS uses Nagios and that they will be adding these routers to that system.

Split DNS solution for UFAD problems

Steve wants to leave this as a standing agenda item, but realizes that a solution will be a very long time in coming due to the complexities involved.

Possibly pertinent solution reported by another school

Steve noted, however, that there has been some recent discussion on the Windows Hi-Ed list which he had mentioned to Erik Schmidt and Mike Kanofsky. One message said:

From: windows-hied-bounces@mailman.stanford.edu [mailto:windows-hied-bounces@mailman.stanford.edu] On Behalf Of Richard Kline
Sent: Wednesday, July 09, 2008 7:12 PM
To: Chris Cavanaugh; windows-hied@mailman.stanford.edu
Subject: Re: [windows-hied]: Slow logins using cached credentials

We found that our domain controllers were not completely isolated from non-University subnets by the firewall. Specifically the LDAP ports were open but others necessary for Microsoft Networking (135, 137, etc) were not.

The workstations were able to start the attachment/authentication process (LDAP) to the domain controllers but could not complete the process (135, etc). It was taking the workstations some 9 to 12 minutes to time out, give up and use the cached credentials.

We resolved the issue by blocking LDAP (both secure and unsecure protocol ports) access to the domain controllers and completely isolating them from the outside world.

It would be very interesting to see if this solution might have some applicability to our own situation.
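As an added illustration of the condition described in that message (this is not code from the Windows Hi-Ed list or from the ICC), the following Python script probes a domain controller on the TCP ports a domain member needs for logon and classifies the result. The state it flags as "ldap-only" is the one the message describes: the client can find and bind to the DC over LDAP, starts a domain logon, and then waits for the RPC/SMB ports to time out before falling back to cached credentials. The DC host name is a placeholder and the sample results used to exercise the classifier are constructed.

```python
"""Classify how reachable a domain controller is from a given subnet.

Added example, not code from the list thread or from IFAS. The port list is
the standard TCP set a domain-joined Windows client uses during logon; the
DC host name below is a placeholder.
"""
import socket
import sys

# TCP ports a domain member uses against a DC during logon. UDP 88/137/389
# are also used, but a TCP probe is enough to show the "LDAP open, RPC
# blocked" split the list message describes.
AD_LOGON_PORTS = {
    88: "Kerberos",
    135: "RPC endpoint mapper (blocked in the list message)",
    139: "NetBIOS session",
    389: "LDAP",
    445: "SMB (SYSVOL, Netlogon)",
    636: "LDAPS",
    3268: "Global Catalog LDAP",
}
LDAP_PORTS = {389, 636, 3268}


def tcp_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_dc(host, ports=AD_LOGON_PORTS, probe=tcp_open):
    """Probe every logon port on one DC; returns {port: reachable}.

    `probe` is injectable so the classification can be exercised offline.
    """
    return {port: probe(host, port) for port in ports}


def classify_exposure(results):
    """Summarise a probe result as one of four states.

    open      every logon port reachable: domain logon completes normally.
    blocked   nothing reachable: the client fails fast and uses cached
              credentials (the fix chosen in the list message).
    ldap-only only LDAP/LDAPS/GC reachable: the client finds the DC, starts
              the logon, then waits for 135/139/445 to time out before
              falling back to cached credentials (the 9-12 minute logon).
    partial   any other mix; also produces timeouts, at a different step.
    """
    reachable = {port for port, ok in results.items() if ok}
    if not reachable:
        return "blocked"
    if reachable == set(results):
        return "open"
    if reachable <= LDAP_PORTS:
        return "ldap-only"
    return "partial"


def recommendation(state):
    """What the firewall owner should do about a DC in the given state."""
    if state == "open":
        return "normal for on-campus subnets; confirm this subnet should see the DC at all"
    if state == "blocked":
        return "consistent: off-network clients fall back to cached credentials quickly"
    return ("inconsistent: open the full logon port set or block LDAP "
            "(389/636/3268) too, so clients never start a logon they cannot finish")


if __name__ == "__main__":
    # Usage: python dc_exposure.py dc1.ad.example.invalid   (placeholder host)
    target = sys.argv[1] if len(sys.argv) > 1 else "dc1.ad.example.invalid"
    outcome = probe_dc(target)
    for port, ok in sorted(outcome.items()):
        print("%5d %-7s %s" % (port, "open" if ok else "closed", AD_LOGON_PORTS[port]))
    state = classify_exposure(outcome)
    print(state + ": " + recommendation(state))
```

Run it from a workstation on the subnet in question against each DC; a mix of "open" on one subnet and "blocked" on another is fine, while "ldap-only" or "partial" anywhere is the configuration the list message resolved by blocking LDAP as well.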


Projects


SharePoint Production Sites (prior discussion)

Steve asked Ben if he had any updates. Ben replied that things are going well. Wayne is going to provide three new Win2K8 servers and they are going to reconfigure the server farm.

Steve mentioned having moved Entomology's fiscal group onto Office 2007. They have a PeopleSoft shadow system which they maintain via Excel spreadsheets; these are very important for keeping track of our spending and current balances. Steve asked how cautious he should be about moving those materials from the current private file-share into SharePoint. Ben assured Steve that this was production ready and there should be no concerns.

Louise Ryan asked Ben about the status of external collaboration. Ben replied that this was the first thing he planned to put on the new servers once they are ready--even prior to adding the content. He is very committed to getting that working.

IFAS WebDAV implementation

There continues to be no progress on the documentation which was to happen prior to announcement. Since this has never been formally announced, the matter remains on agenda as a standing item.

Vista Deployment via SMS and WDS

Group Policy Preferences hold great promise for allowing us to easily manage things like:

  • Deliver shortcuts (file and web) to desktops, start menus, etc.
  • Create and delete drive mappings
  • Configure difficult attributes like ODBC sources
  • Edit specific Registry values for application
  • Manage applications like Office XP, 2003, and 2007
  • Secure devices like USB drives, Bluetooth devices, and Firewire ports
  • Manage Power Settings and Power Schemes

     ...taken from a document by Jeremy Moskowitz

One possibility for solving some of the logon script issues experienced by our Vista users is to replace much of the current logon script functionality (drive and printer mapping) with the use of Group Policy Preferences.

Steve raised the question of XMLLite and Group Policy Preferences. He is wondering what shape our client machines are in for moving to the use of Group Policy Preferences as a replacement means of drive mapping, etc. The client extensions for group policy have been pushed via WSUS, but the need for XMLLite as a pre-requisite may complicate things. WinXP SP3 and IE7 include XMLLite apparently; it is likely that WinXP SP3 accounts for far fewer machines than IE7. The questions are:

  1. How many WinXP SP2 machines still at IE6 do we have?
  2. Would the client extensions need to be reinstalled after getting XMLLite on those?

Andrew Carey expressed his opinion that the order of those was unlikely to matter. The issue would only be locating machines in category 1 above and seeing to it that XMLLite was somehow installed on those.

How many are deploying WinXP SP3?

Dennis Brown asked how many are deploying WinXP SP3. Steve mentioned that he has an SP3 slipstreamed version of WinXP which he uses for new machine installs currently.

Potential WinXP SP3 "gotcha" to be aware of...

Bill Black and Francis Ferguson both reported that after installing SP3 the updates seem to break. Googling this, Steve found a possible cause: Windows Update Agent 3.0 is not available when SP3 is installed on a fresh SP2 install. Whatever the cause, Bill mentioned he has solved this problem by re-registering the Windows Update DLLs.

[Note from future: KB943144 explains the issue, the cases in which it may occur, and two separate methods of fixing the issue.]

Steve noted that back in late 2006 Joe Gasper had shared a batch file which he uses for Windows Update repairs:

@echo off
::Batch file to reset Automatic Updates on a Windows XP machine
::
::Batchfile based on Microsoft KB for troubleshooting SVCHOST issues
::
::Created By: Santos Soler - 8/15/06

::Stop services if they are running
net stop wuauserv
net stop bits

::Wait 3 seconds (sleep.exe is not on a stock WinXP install; ping is the portable substitute)
ping -n 4 127.0.0.1 >nul

::Stop the Cryptographic Services first; CatRoot2 cannot be renamed while it holds the folder open
net stop cryptsvc

::Wait 3 seconds
ping -n 4 127.0.0.1 >nul

::Rename the folder CatRoot2 to .old (first run) or .new (later runs)
if not exist %systemroot%\system32\catroot2.old\nul goto movea
move /y %systemroot%\system32\CatRoot2 %systemroot%\system32\CatRoot2.new
goto continue1

:movea
move /y %systemroot%\system32\CatRoot2 %systemroot%\system32\CatRoot2.old
goto continue1

:continue1
::Rename the SoftwareDistribution folder to .old (first run) or .new (later runs)
if not exist %systemroot%\SoftwareDistribution.old\nul goto moveb
move /y %systemroot%\SoftwareDistribution %systemroot%\SoftwareDistribution.new
goto continue2

:moveb
move /y %systemroot%\SoftwareDistribution %systemroot%\SoftwareDistribution.old
goto continue2

:continue2
::Start the Cryptographic Services again
net start cryptsvc

echo.
echo.
echo Registering DLL's...
::Register all the Windows Update DLL's
REGSVR32 /s WUAPI.DLL
REGSVR32 /s WUAUENG.DLL
REGSVR32 /s WUAUENG1.DLL
REGSVR32 /s ATL.DLL
REGSVR32 /s WUCLTUI.DLL
REGSVR32 /s WUPS.DLL
REGSVR32 /s WUPS2.DLL
REGSVR32 /s WUWEB.DLL
echo Finished registering DLL's...
echo.
echo.

::On a repeat run (SoftwareDistribution.new exists) leave the update services stopped
if exist %systemroot%\SoftwareDistribution.new\nul goto skipsrvcs
goto startsrvcs

:startsrvcs
echo Starting Services...
::Start the Automatic Updates and BITS services
net start wuauserv
net start bits
goto wsus

:skipsrvcs
echo Update services were skipped...
goto wsus

:wsus
echo Forcing reporting to WSUS...
::Force Windows to report to WSUS
wuauclt /detectnow

::Change the Automatic Updates service startup type to automatic
sc config wuauserv start= auto

echo.
echo.
echo Please wait 5-10 minutes for UPDATES, If Service Host Crashes...
pause

::Change the Automatic Updates service startup type to manual
sc config wuauserv start= demand

::Restart the computer in 10 seconds
shutdown -r -f -t 10

::Give the operator a chance to abort the restart
echo.
echo.
echo If you NEED to Abort the restart...
pause

shutdown -a

IFAS Software site update request

Steve asked Chris Leopold again if he could update the IFAS Software site (ufad\IF-ADMN credentials required) with the slipstreamed version of WinXP with SP3 as well as add a link to UFAD's slipstreamed Vista SP1. Chris said he would do that and wanted to point out that the MAK key for Windows Vista was now posted there.

WinXP SP3 update via WSUS?

Kevin asked Wayne if there was a reason WinXP updates aren't being deployed via WSUS. Wayne responded that he didn't want the headache that was sure to result if he did this IFAS wide. He is willing to do that on an OU-by-OU basis if that is requested.

Exit processes, NMB and permission removal (prior discussion)

These issues were pretty well covered this month within the UF Exchange discussion above.

Re-enabling the Windows firewall

Steve wants to leave this matter as a standing agenda item for future discussion. Wayne mentioned previously that he has plans for doing this on Vista but not WinXP; the latter has only an incoming firewall that is essentially ineffective in any case.


Operations


The importance of proper naming conventions for computers

Wayne noted that improperly naming computers can cause a number of issues. There are several things to keep in mind when naming computers, including limiting the length to 15 characters, beginning the name with "IF", and choosing a name which helps to identify where the machine belongs.

Steve has attempted to document this issue within the IT/SA Service Documentation area (ufad\if-admn credentials required) of the ICC web site. Please let Steve know if you discover any errors or omissions in that documentation so we can correct it.

MPS access by unit-level administrators

Chris noted that, within the next few weeks, they will have Win2K8 RODCs at some remote sites as well as on campus in order to do some testing. They are undergoing a proof of concept for the proposed use of a single machine as both a RODC and a virtualized MPS. If that goes well, they plan to begin purchasing new hardware for those in about eight months.

Training and certification

Along with these plans we need to begin discussing what kinds of access to those servers will be appropriate for OU Admins at remote sites. While Chris understands that cooperative administrative access could benefit all--particularly in these times of tight staffing levels--he would like to develop at least some minimal training/certification process to ensure that access isn't granted beyond the capabilities of the support personnel which vary across the IFAS remote locations.

Input sought from remote OU Admins

Chris would like all the remote OU Admins who deal with MPS servers to make a list of the problems they see and what sorts of access they would like to have and/or feel is appropriate. Those items should then be sent to Andrew Carey. He will compile those and we will discuss that further at an upcoming meeting.

Steve asked if any folks connected remotely had a list already in mind. Joel Parlin responded that clearing print queues currently requires that he enter a ticket; he would appreciate having the ability to solve this common need himself. He also said that the ability to install printers would be appreciated. DHCP access is commonly needed also, but he already has that capability.

Virtual management stations may unify toolset for MPS management

Chris added that they expect to soon have management workstations available as VMs which can be accessed via a web page. They hope that will serve to unify the tools used for accessing these servers and hope that this would obviate the need to logon directly to the MPS servers themselves.

Controlling power settings via GPO preferences

We will leave this on the agenda for future discussion. Steve suspects there will eventually be some administrative mandate which will force us to do something along these lines.

Report generating system

This matter relates somewhat to exit procedures addressed above. Matt Wilson has now been able to get this going again (mostly). The system may be accessed via http://if-srv-sql01.ifas.ufl.edu/Reports and had previously been documented (ufad\if-admn credentials required).

Steve and Dennis have both found these reports quite useful in the past and are quite interested in seeing them working again. Matt has all but one of the queries working and will try to fix the e-mail subscription process that seems to be broken. These reports are built from data that is accumulated via our computer startup script (ufad\if-admn credentials required) currently. Wayne reported that they are working on changing that to remove the startup script and utilize Lansweeper instead. In the new scenario, the logon script will inform the server of a new logon and the server will then connect remotely to the computer within 15 minutes and scan for the same sorts of information and more. That will be stored in an SQL database just like it is currently and will be available for reports. Lansweeper is already running and they just need to complete testing before implementation.

Core Services status

More SAN storage on its way

Wayne noted that more SAN storage is coming. Dr. Joyce approved funding for adding 60 more drives to the SAN. About 30 of those will be for file services (6.5TB for DATA, 1.5TB for VSS) and the rest are for SQL/MOM databases and virtual servers.

New file server cluster almost ready

The new file server cluster is about ready for production. Currently they are just keeping the data in sync with IF-SRVV-FILE03. The IT OU and the public share will be migrated shortly. If that goes well, then they will begin OU-by-OU in migrating units to the new cluster.

Macintosh clients should be enumerated

As mentioned prior, the Macintosh clients will be the biggest concern. Please make a list of such folks in your unit, check it twice, and keep it handy for the migration. On the new cluster, Macintosh clients will connect to either IF-SRVC-FILE1 or IF-SRVC-FILE2 depending on which unit you are in.

VSS looks good

Wayne reported that Volume Shadow Copy seems to be working fine and we currently have enough space to go back about 3.5 weeks. This is something which Andrew will especially appreciate, as he is the one currently in charge of doing the restores from tape which VSS will remove the need for.

ePO version 4 status

As you know, Wayne has been pushing out a new McAfee agent and the new ePO 4 web-based console is among the many things Wayne has been working hard on. Steve has attempted to document some of the details within the IT/SA Services Documentation (ufad\if-admn credentials required) section of the ICC web site.

Wayne led Steve through a demonstration of that web-based console. You are encouraged to read the documentation linked above and request that Wayne provide you access. If you then wish to follow along with the demo given here, you can go to about the 1 hour 33 minute point in the audio stream.

Videoconferencing topics

The use of the H.323 Extension ID (aka E.164) for PVX connections

Steve mentioned that he had contacted Patrick Pettus to arrange H.323 names and H.323 Extension IDs for the four PVX installations currently in his department. It is believed that these IDs can replace most needs for static IPs (either private or public).

Management suite on horizon

Patrick had mentioned that they are progressing with utilizing the Tandberg Management Suite (TMS). Patrick seemed to think that this package will be very useful for managing our various videoconferencing systems.

New IFAS Polycom directory published

Dan Cromer wanted to remind folks that Tom Hintz has posted a new Polycom directory list for IFAS as of June 14th.

Patching updates...

There were four important Microsoft patches this month affecting SQL Server, Windows Explorer, DNS and OWA. The Windows DNS patch for WinXP is causing problems for users of ZoneAlarm. The DNS issue is much broader than just Windows and affects a wide variety of platforms; a wide variety of organizations have really pulled together to jump on fixing this latest problem.

Steve noted that Adobe Reader 9.0 is now available. If you do not upgrade to that version be sure to patch older versions, as vulnerabilities and fixes have been released practically monthly.

Steve had noted that Java Release 6 Patch 7 was just made available, but forgot to mention that he had found a nice no-installation-needed utility called JavaRa which assists in updating Java and will remove older versions, something which has always been an unaddressed annoyance with Java updates.

MS Office News update

Steve has corrected a problem with the Office 2007 install point. The default Exchange parameters are now changed to reflect the move to UF Exchange. The installation is currently at SP1. Winnie Lante mentioned that Dwight had aliased the previous server location so new users on old installs would not be affected by this change either.

Steve also noted that he was surprised to find yesterday that the old RPC over HTTP (aka Outlook Anywhere) settings have apparently been broken since the migration to UF Exchange. He isn't quite sure how all this time transpired without someone complaining about that; having heard nothing prior he had just assumed aliasing had somehow kept the old settings working. Apparently not. The new settings are documented at http://www.mail.ufl.edu/outlookanywhere.html.

Public folder file deletion policies and procedures status

This matter is pending migration to the new file server cluster.

Job Matrix Update status

Steve wants to leave this matter as a standing agenda item for future discussion and offered to help maintain that if Chris wanted.

Remedy system status

Steve has left this on the agenda as a standing item, but there was no discussion on the topic this month.


The meeting was adjourned on time just prior to noon.