IFAS COMPUTER COORDINATORS
NOTES FROM July 14th 2006 REGULAR MEETING
A meeting of the ICC was held on Friday, July 14th, 2006. The meeting was chaired and called to order by Steve Lasley, at 10:01 a.m. in the ICS conference room.
PRESENT: Twenty-one members participated.
Remote participants: Trish Capps, Richard Faulk, Kevin Hill, Mike Ryabin, Louise Ryan, and A.D. Walker.
Benjamin Beach, Dennis Brown, Dan Cromer, Marion Douglas, Francis Ferguson, Chris Fooshee, Joe Hayden, Chris Hughes, Wayne Hyde, Dwight Jesseman, Winnie Lante, Steve Lasley, Chris Leopold, Ligia Ortega, and Mark Ross.
STREAMING AUDIO: available here
Agendas were distributed and the meeting was called to order at approximately 11 AM.
Steve announced that Louise Ryan joins us as the new NW District support person. Louise had previously relayed the following concerning her background:
"I am looking forward to participating in the ICC meetings
but I will need to be a remote participant most of the time
probably. I come from Michigan where I was an Extension IT
person in Van Buren County. I held that position for 10
years. Before that I worked at a large hospital as an IT
Systems Analyst. I worked there for 17 years. We had a
Novell network and Groupwise at the hospital and a Novell
network without Groupwise at the county. I was also the
security administrator at the hospital on the network and
the mainframe, using RACF on the mainframe. I was also on
the mainframe communications team using VTAM at the hospital.
In my Extension life I was the only computer person so I
supported the office, hardware, software, network,
troubleshooting and took calls from the public on computer
issues. I held programs on various computer topics and
taught workshops for the general public on various computer
programs. Mostly Microsoft Office (PowerPoint, Word,
Publisher, Access, Mail Merge, Excel, Outlook, Front Page
etc). I also taught workshops on Adobe Photoshop and
QuickBooks. What I like best is helping people use technology.
I like to teach and I like people."
Steve noted how similar the challenges of Extension work must be between Michigan and Florida, both having state-wide distributed programs and the consequent budgeting concerns. We hope Louise enjoys working for IFAS and that she feels free to use the ICC for help in getting up-to-speed in her new position. Dan Cromer specifically thanked Ben Beach for the help he has been providing there.
Steve also recognized that Marshall Pierce had resigned his IT Expert-System Engineer position. Chris Leopold is anxious to replace that position and the job announcement has been or will be posted very shortly.
Recap since last meeting:
As per his usual procedure, Steve pointed folks to the notes of the last meeting, without going into any details.
IT Governance sub-committee status report
Chris Hughes reported that he had been too busy to pursue this any further. Ben asked him if he could provide more copies of The Visible Ops Handbook.
Dwight Jesseman asked for some background information on the committee--why it was formed and what it expected to accomplish. The IT Taskforce Report had recommended that IFAS "Implement an industry standard IT governance framework to improve overall IT operations, policies, and procedures." Chris Hughes volunteered to chair a sub-committee of the ICC to provide recommendations related to IT Governance. The charge of this sub-committee is to provide recommendations to the ICC and ITPAC for completion of the aforementioned taskforce action item. The subcommittee intends to begin by reviewing the current IFAS IT governance structure and how that structure interfaces with IT Governance at the UF level. It then hopes to provide recommendations for changes in IT Governance that would map IFAS to existing and successful industry frameworks.
The group has a file share at \\ad.ufl.edu\ifas\PRIVATE\IT-Goverance which contains the agenda from, and a recording of, the May 4th meeting--the only meeting which they have had currently. It also contains a "Resources" folder that includes the Committee Charge document as well as numerous resources relating to the subject of governance frameworks.
Recommendation: autogroups for *selected* roles
This issue was raised at our last meeting and Steve wanted to remind folks about the issue. Autogroups will be created in UFAD for the various UF Security Roles and it may be very beneficial to have certain roles cross-referenced by OU so that we can use them, for example, to contact or permission folks with a particular role within IFAS or within a particular unit. One likely example might be the role or roles pertaining to IFAS Directory Coordinators. We should be thinking about those items which would facilitate our work so that we might make recommendations in this regard at the proper time. Please look at the available roles and consider which ones might be most useful for us. This is another opportunity for the ICC to influence for the better how things function within UFAD--so let's take advantage of that.
Dan Cromer reported that the Gatorlink Account Management (GLAM) project is currently taking all the resources of Mike Conlon's group. Once that project is finished, which is expected to be around the end of September, then they will be able to look at this autogroup issue further.
IFAS Remedy System
Steve mentioned that he had emailed Dan Christophy to see if any progress had been made on the issues which had been discussed at our last meeting, but Dan apparently had not had time to respond. Dan had informed Dwight via IMM that he would be unable to attend today's meeting.
IFAS WebDAV implementation
Steve asked about the status of this project. Dwight related that a server has been purchased and built for that project, but is not yet in production. This is a Dell 1850 with dual 3 GHz processors and 4 GBs of RAM. Dwight mentioned that the current sslgateway is not working. Since that was configured by Marshall Pierce, who has left, Dwight needs to determine how that was configured in order to determine what the problem might be. Steve mentioned that Dwight might want to look at the University of Michigan's well documented configuration for some details. Chris Hughes mentioned that he had additional documentation to assist in this as well. He also revealed that the application had been installed on a test machine, IF-SRV-EXWEB01, which explained why it is not working currently--as that machine is down. There are security issues on our web servers that need to be resolved before WebDAV should proceed.
Steve asked for and received confirmation that Web-based Distributed Authoring and Versioning (WebDAV) will solve the problem of IFAS fileserver share access for Macintosh users. Steve indicated that this was of more interest to him currently than the remote access aspect, due to the lack of AFP on the IFAS server. While OS X offers other alternatives, Steve still has a number of older Macs and has yet to incorporate even the newer ones into UFAD.
Chris Hughes mentioned that files with the extension ".ASP" do not work via WebDAV due to how IIS6 processes files of that type.
Vista TAP and Vista Deployment via SMS and WDS
Chris Hughes reported that, as of Tuesday, there is a VHD file that was prepared by Dom Vila, Senior Microsoft Consultant with the UF TAP program, that is available for official testing on the Vista Share. You can download Microsoft Virtual PC 2004 Service Pack 1 (now free) and use that to create a VM that uses the VHD file (ufad\if-admn credentials required). This will allow our remote users a means for testing Vista prior to deployment being implemented on the multi-purpose servers (MPS) at remote sites. That remote deployment depends on hardware upgrades that are planned for installation sometime after August. Actual remote deployment may not be ready until RC1, however.
Chris noted that the problem with activation of Vista builds has been resolved. If you have an installation that has not expired, you should now be able to activate that. If you have a machine that is expired, you will have to reinstall. Although there has been a new build since Beta 2, it is not for client testing. The SMS build process will continue to use Beta 2 for now.
Removal of WINS
This is still on the back burner due to cleanup preparation for that being a rather difficult and thorny issue to handle centrally.
New IFAS IP Plan
Chris Leopold gave a status update on this project. The old IP ranges for Entomology, Microbiology, Newins-Ziegler Hall and Newell Hall have been returned. McCarty A and B are nearly ready to be returned to CNS. FacOps, the Farm Area, and McCarty D remain to be handled; the latter two are expected to be quite complicated and take considerable coordination and time.
Chris provided example documentation for McCarty B of the sort that he has been working on for our layer two infrastructure. He explained how he envisioned that being organized and asked for input. Joe Hayden asked that certain connected devices be documented as well. He has building controls on certain ports that should never change and are unmanageable. Wireless access points were another such device that some thought would be good to include. Chris said that he had been documenting wireless, but that this example just did not indicate that.
Mark Ross mentioned that it would be good to retain older diagrams as revisions were made and suggested adding a revision panel that referenced older documentation files so it would be easier to track exactly when certain changes were made. Chris said that he would look into a means of doing that.
Chris Leopold related that he has tasked his people with documenting everything they do. Some of that documentation may be internal to IT/SA (as there are numerous security issues mixed into such information), but Steve would urge that as much of that as is reasonable be made available to OU Admins as well--via the secure portion of the ICC web site. Steve feels that knowing how internal management is done within IT/SA can greatly help unit admins in understanding what service requests may or may not be reasonable to make, as well as give them the proper vocabulary for making such requests. The better we all understand how things work, the more efficient we can be in providing services to all our users. Steve would be glad to assist however he can in organizing and securing that documentation.
Move to IF-SRV-WEB
Steve asked if the migration was on hold until a replacement was found for Marshall Pierce. Chris Leopold responded by saying that he has asked Chris Hughes to put Vista and his other projects on a lower priority so that he can help with at least moving IF-SRV-WEB02 to the new server. This is an IIS6-to-IIS6 move and should not involve as many issues as will moving the older IF-SRV-WEB01. Unfortunately, after investigating what was moved and how it was done, there are some very serious security concerns on our web servers. Chris Hughes is working hard to address those, but it looks like it will take some time prior to re-instituting the migration itself.
Dan Cromer mentioned that we had also lost Chang Lin, the OPS programmer who was helping with the migration. It was originally expected that he could be replaced, but budget cuts made by administration currently appear to have removed that option. Hence, the project is extremely strapped for staff. Chris Leopold spoke to IT/SA's overall staffing woes by saying that one third of his staff is gone, that he expects another third to be leaving shortly, and that he fears IT/SA will be down to two FTE within a short while. The staffing situation is not good. As a result of these matters, Ben Beach has been made part of Chris Leopold's staff (in addition to his District II duties) and Ben will be trained to assist IT/SA with various projects. It was noted that Ben receives no additional compensation for this added responsibility.
Joe Hayden mentioned that we might want to re-address making better use of the ICC for helping IT/SA with some of their duties. Chris said they are looking into ways to do this. For example, Dwight has done a good job documenting how to perform DHCP reservations and a number of unit folks have been given the permissions for doing that. There are delegation and security issues, however, that must be considered. In many cases, delegation is not as granular as one would wish. As another example, Chris has been working with Steve to develop documentation (ufad\if-admn credentials required) that would allow OU Admins to assist in deploying their own switches to IFAS standards.
Dan Cromer stated that Jimmy Cheek and his administration are very interested in reducing the administrative overhead in order to provide units with the maximum amount of funding possible. Consequently, everyone under Dr. Joyce (central services, IT, etc.) received a 25% reduction in budget. (Joe Hayden also noted that physical operations and maintenance (PO&M) received a 35% reduction across the board.) Counter to that, we have had an IT Taskforce Report which recommends centralizing portions of our IT spending in order to improve overall IT efficiencies of operation. Dan has been meeting with Joe Joyce, trying to reconcile that situation. Dan stated it would not hurt for the ICC to make administration aware that we believe central IT should be funded in accordance with their requested budget. He wasn't sure that it would help either, but it couldn't hurt. Steve said that he would try to find a good opportunity to raise that matter. Additionally, ICCers are encouraged to speak to their unit heads about this matter in order to build grass-roots support.
Exit processes, NMB and permission removal
Prior exit procedure discussion. Dan Cromer said he had spoken with Dale McPherson, the interim personnel director, and that Dale agreed to work more on our exit processes. Unfortunately, he is overworked himself. Dan said that some informal arrangements had been made for that office to send reports of folks who had left and Dan wondered if Dwight had received any of those. Dwight said he had not, but mentioned that IFAS HR itself has no IT-aware entrance and exit process even for their own people. Dwight found recently that they had over 30 people in their OU that did not belong there. Dwight felt that if that office had no clue of how to manage NMB (they were under the false assumption that manipulation of the IFAS Directory controlled that), he found it hard to believe that they would be either interested or able to assist in solving this problem for all of IFAS.
Dwight asked Dan Cromer about the prospects of eventually being able to manage NMB via the IFAS permission removal site. Dan said he thought this was part of the GLAM project, but Chris Hughes stated that it was not. We could provide a "one-stop-shopping" service via that site if we were provided access to the proper UF Directory APIs, but that access had been refused to-date.
Dwight related how he has run into the issue of improper exit procedures numerous times in setting up permissions on the new fileserver. When doing that for units, he is often asked who exactly has permissions to those files. He then shows them the members in their OU autogroup and hears back that many of the members are people who have left. This is all brand new information to these people, who have no idea how all this works--yet they are often the actual Directory Coordinator who is supposed to be managing that!
Mark Ross mentioned, and Steve agreed, that it is so inefficient to keep telling this over and over again--particularly when there is no central documentation of the issue to which people may be referred. It is an incredibly inefficient process. Steve mentioned that Dan Cromer had, at one point, tasked Dean Delker with documenting all these processes--while Chris Hughes stated he was under the impression that it had since been reassigned to Dan Christophy. Steve asked if that was going to be re-tasked or was it simply not going to happen. Dan responded that it will happen eventually, but that a variety of things have happened to delay that. Steve told Dan that he feels this should be given a higher priority. As Mark Ross stated, Directory Coordinators were given the role of managing NMB, without even being told about it or having been given training. That should come not from us, but from higher up. However, as a stop-gap measure, Steve believes that documentation of these processes is a much needed interim step.
Steve said that he could draft an ICC recommendation that this matter be addressed at the IFAS level and run it by the ICC for approval at the September meeting. Dan Cromer responded that Steve would be spinning his wheels to do so. Dan said this is not an IT issue, but a policy issue. Dan believes, in spite of what Chris Hughes says, that Mike Conlon is seriously concerned about role assignment and review. Dan says he has spoken with Mike Conlon about the need for resource access control in conjunction with these processes. Dan wants this solved at the UF level first of all. As an interim step he has proposed that someone be hired at the IFAS HR level to manage NMB for all IFAS. When the new personnel head is hired he plans to talk about that further. Dan said that it wouldn't hurt to make the recommendation, but the recommendation is already there and Dan is upset that IT is trying to provide security functions for personnel actions. On the other hand, Dan apologized for the folks who had been tasked with creating the aforementioned documentation; he feels they should have finished that already.
Chris Hughes took issue with the continued statements that UF administration is looking at methods to address the problem. At the March 10th ICC meeting, when asked what is being done currently by the UFAD group to remove locally assigned permissions, Mike Conlon responded that he knew of no changes being planned in that area. Mike's position at that time was that locally assigned permissions would have to be removed locally. Dan responded that, although such things are not always reported so that all might know, discussions are indeed proceeding on this issue. Dan said that there would be a meeting that very afternoon, which he was given permission to record, during which he expected these issues to be discussed further. Dan said that the administration is aware of these requests regarding removal of local permissioning and that it is a problem for all UF--not just IFAS. Dan also stated that he is not waiting for them, but wants to have something for our own personnel folks to do about this. Steve would like to re-iterate, however, that the local IFAS HR methods Dan is investigating would only address autogroup membership and not local permissioning. It is important that we don't lump those two issues together; they are both important, but while a UF-wide solution for the former may be in the works, it is much less likely that the latter will be addressed in a centralized fashion.
Listserv confirm settings
Dan Cromer said that the administration view on this had changed through discussions. They were concerned that some important posting might fail to be disseminated in a timely fashion due to the sender forgetting to wait and respond to the confirmation message. Rather, IT is now investigating a listserv function that will validate the sender via SMTP query to see that the message came from a valid email address within our domain. This wouldn't stop spoofed addresses, but might improve things w/o requiring confirmations. Dan hadn't even mentioned this to Dwight yet because of all that Dwight has to do, but that is the current investigation. Right now, Dwight, Dean Delker, and Dan Cromer are moderators on the IFAS-ALL as a stop-gap measure to prevent spam and the resultant uproar that always occurs.
Removing Appletalk from all IFAS subnets
Chris Leopold mentioned that CNS is giving a higher priority to this matter. Al Williamson, who deals with Educational video at ICS, is concerned about the removal; but Chris believes that Al's needs are only for Appletalk locally on a single subnet, and the proposed change would not affect his ability to do that. Mark Ross asked if the people who are requesting a need for Appletalk realize that Apple has supported IP since version 7.
McAfee License Renewal
Steve said that he was aware of several units who had responded individually to the UF Software Licensing Services McAfee Survey for continuing our site license. The current license ends in early October and SLS was requesting accurate projections of node counts for computers utilizing that software. Steve wanted to make sure that IFAS intended to submit numbers for the entire organization, however. Wayne Hyde indicated that he would do that.
Wayne Hyde reported that quite a number of Office updates are failing because the MSOCache directory does not exist. Wayne intends to run a report of affected machines and get that out to the ICC so the problems may be corrected. Updating those machines will involve either reinstalling Office and leaving the cache directory in place, or will likely require having the installation CD available.
Another project is locating and fixing machines with various outdated and vulnerable software installs. Wayne says this will be a very big report, as there are many vulnerable installs--something we all can easily imagine.
Discussion concerning off-site backup
Dwight told us that retention of our regular backups includes 8 weeks of data (monthly and quarterly backups are done as well) and that currently he takes the 8th week off-site to CNS so that we have some protection against data loss should we lose the server room to some disaster. Dwight was looking for input on that process, as to which week's data was most appropriate to store off-site. After some discussion, it was decided that week 2 would be a better choice--provided that that didn't lead to an inordinately greater amount of work for Dwight when it came to doing restores. It was agreed that Dwight would make that the new practice and bring the matter back for our input should any problems arise.
Moving from Veritas Storage Central to the MS quota system
Dwight provided a demonstration of the quota management features included in Windows 2003 Server R2. Dwight intends to move to this for use on the IFAS fileserver. This system permits filtering by file type as well, so that it can control what file types are allowed within individual folders. Delegation of rights to this quota management process is possible and Dwight intends to look into implementing that so that OU Admins may perform their own quota management. Steve mentioned that simply being able to view the current quotas might be sufficient if that proves easier or more feasible.
Procedures for establishing file and mailbox quotas
Dwight wanted to have a discussion about this process and how quota increases are approved. After some discussion, it was decided that the current processes are sufficient. This should be left up to Dwight's discretion and he can escalate issues to Dan Cromer on an individual basis should he feel the need.
Ben Beach asked if there was a way to hold training for the users to instruct them on what they should and should not retain. A brief discussion ensued on UF email retention policy and whether that could be easily communicated to the end users. Steve mentioned that we could use documentation that addresses even more basic issues than that in this regard, including emptying the "Deleted Items" folder on a regular basis and removing attachments from emails sent for which local copies already existed. IT support folks take those matters for granted, but many end users are unaware of best practices in this regard. It would be wise to produce documentation on these simple matters to which we could direct users when questions arose.
Installing the Volume Shadow Copy client via GPO
Dwight demoed the server and client components of the volume shadow copy system using a test server. The client is available at \\ad.ufl.edu\ifas\IFAS-multi\volume shadow copy client, but it has apparently been incorporated into the Windows XP ISO available from the IFAS Software Site. The "view" feature allows the end user to see what versions are available. When a client is using the system, Dwight recommends doing a "copy" to a local location so the current version is not replaced prior to assuring that that is exactly what is desired. The client is scheduled to be installed via GPO to IFAS co-managed computers tonight.
Replacing NetMeeting: Windows Collaboration, Microsoft Live Communications Server, Oracle Collaboration Suite, and other options
Trish Capps, Educational Media Communications Coordinator at WFREC in Milton, reported that she couldn't have designed a better demonstration for her people to see what students are dealing with in trying to take classes via Polycom. NetMeeting going down was typical of what has been their experience. Trish hopes to advocate very strongly for user testing of whatever products are considered for replacing NetMeeting, rather than simply accepting that Microsoft Live Meeting is necessarily the best way to go. It has been her experience that technical promise doesn't always translate to practical field use.
Trish feels that growth of the IFAS distance education program could provide a funding source back to central campus to help meet some of our IT needs, but we need to resolve a number of our end user problems to do that. She hopes to use the ICC as a forum for eventually building this issue into project status.
Trish requested that, due to the late hour, this topic be moved to the September ICC agenda and that it be placed early on to assure that it might be addressed at that time. Steve agreed to place it there as a special topic within the "Report from the Chairman" section. Steve also apologized to Trish and Richard Faulk for the time overrun that cut this section of the agenda so short. Steve noted that he believes Trish's points are well taken and that he hopes to include Ron Thomas, who has done considerable research into collaboration options for distance education, in future discussions.
Improved resource booking and scheduling capabilities coming in Exchange 2007: naming convention preparations for rooms, vehicles, Polycoms, etc.
Dwight spoke on how the new version of Exchange will rely heavily on "resources". There will be an agent that will keep the "free/busy" information up-to-date for resources, and that will permit more advanced usage of those. In support of that, there will be a new "resource" object in AD that does not have logon rights. Since public folders are going to be less emphasized and eventually removed, Dwight wishes to begin moving us in that direction.
Dwight is concerned that UFAD currently doesn't provide a recommendation for naming standards on those. Currently, some units use a "#" prefix while others use "@". Dwight wanted feedback from the ICC as to which we thought was more appropriate. After some discussion, we agreed to use the "@".
Dwight gave a brief demonstration of how meetings may be scheduled via Outlook's calendar feature to include the "inviting" of resources. Resources can then be set either to accept invitations automatically or to pass them along to an individual for review. Dwight invites folks to send lists of resources they may want created (as service accounts), or to create those themselves. Dwight will be investigating what descriptor fields are appropriate for eventual migration of those to resources under Exchange 2007.
The meeting was adjourned just a bit late, at about 12:15 p.m.