IFAS COMPUTER COORDINATORS
"....as far as my background goes, I’m fairly new as far as IT goes. I have some certifications (currently working on Network+), about 18 credit hours toward my Computer Engineering degree, and experience with home user/small business owner hardware/software /network issues. So, I view my IT interests as “wide-ranging” for now.
Steve was very pleased that Micah could make it to the meeting and hopes everyone will join him in welcoming Micah to IFAS.
Recap since last meeting:
As per his usual procedure, Steve pointed folks to the notes of the last meeting, without going into any details.
Steve noted that he hadn't heard any news on this topic, which was introduced at our last meeting, but assumes things are moving ahead as planned.
A UF IT Advisory Committee for Network Infrastructure meeting is scheduled for next week.
Steve forgot to mention this matter, but wants everyone to know that full details will be available via the official minutes a few days after that meeting.
Steve said that unit IT staff is basically awaiting direction on what they need to do about this matter.
Dan Cromer related that Wayne Hyde had used some tools to scan our servers looking for SSNs and credit card information. He found two sites that were inappropriately sharing SSNs to our intranet and those are now in remediation. 116 people had to be sent letters informing them of this breach--still this was quite small and limited when compared to problems located among other UF units (CLAS had 12,000 incidents and UF had on the order of 14,000 overall). The next step will be to scan individual departmental machines.
Dan mentioned that UF Exchange is getting ready to implement MailMeter as an e-mail attachment archiving solution. Because they don't want two major changes to occur at one time, the planned change in the Barracuda default settings will be temporarily delayed. Attachment archiving is high priority because it will free up considerable space on our Exchange servers.
Dr. Joyce is scheduled to visit with us at our September meeting
Steve said he had not heard anything new about the proposed consolidation since our last meeting. Dr. Joyce is coming to next month's ICC meeting, however, and that should give us some opportunity to discuss this topic along with its potential effect on our various IFAS IT groups.
Is administration removing IT from its vocabulary?
Steve asked Dan Cromer if anyone had expressed concerns that the reorg plan seems to remove "IT" from administration's vocabulary. The "nuts and bolts" of how IT is done seems to now be hidden behind a "facade" of vague terms such as "Communications and Technology" and "Technical Support". There is no mention in the org chart of many of our most critical IT groups, including server administrators and administrative programmers.
Dan responded that he hoped the suggestion for a CIO position to head this newly "reorganized" group would help keep the focus on IT. He did suggest, however, that we raise this issue to Dr. Joyce when he attends our next meeting.
ITPAC meeting on August 21st
Steve mentioned that he hopes to learn more about the plan at the upcoming ITPAC meeting. He also hopes ITPAC can make some progress on the Domain Policy and that they could get administration to respond quickly with IMM policy statements.
New UF Exchange documentation for review
[Note from future: Dwight Jesseman informed Steve on Saturday that the replacement has already taken place.]
MailMeter attachment stubbing
Dan Cromer mentioned that UF Exchange is moving rapidly ahead with a plan to use MailMeter to archive attachments from messages older than 30 days. They hope to implement that within a week from today if possible, with an announcement going out next Wednesday.
Dwight Jesseman had mentioned to Steve yesterday that details of the MailMeter attachment handling are being finalized. Messages with attachments over 5KB will be revised so that their attachments are archived to second-tier storage. These messages will then contain web-links to the attachments.
Where the attachment(s) would have been prior to replacement, the mail user will see a small text stub attachment as in this example screenshot from Outlook:
Should they open this stub they will see the following:
----------------------------------------------------------------------
UF Exchange Archive
----------------------------------------------------------------------
The attachments in this message have been placed in an archive to conserve space on the email servers. Click on the links below to access attachments.
----------------------------------------------------------------------
How stubbed attachments will be reported in the revised messages depends on the format of the message itself. Here is an example screenshot of how things will look for HTML/RTF messages:
and here is an example for a plain text message:
Potential Vista issue
Dan noted one issue that end-users might run into and Steve tried to demonstrate that. There is an issue with Vista and IE7 that occurs when you click on the web-link to an archived attachment within e-mail. IE runs but an "Information Bar" is triggered that is immediately followed by this modal dialog box:
You must close that dialog box to proceed. When that is done with WinXP one may then continue to click on the Information Bar to authorize the download. On Vista, when you dismiss the dialog box the Information Bar disappears and you cannot download the file. The solution there seems to be to tell the dialog not to appear again by checking the "Don't show this message again" checkbox and then retrying the link from the e-mail.
Want to get a jump on the e-mail archiving experience?
Dan mentioned that those wanting to try this out prior to their users should contact him and he will pass that along to the Exchange group.
Steve asked Dan if he knew in what forum this matter was being discussed. Dan responded that it has been discussed at the UF Exchange project team meetings and he believes that the Data Infrastructure committee chaired by Steve Pritz may be discussing the matter as well. It is certainly being evaluated at the highest levels because the UF General Counsel has said that no restricted data (e.g., grades or course information) could be sent to students should we move to such an external system. Dan feels that ruling is a "show-stopper".
WAN transition to CNS
The transition is progressing
Steve mentioned that he hadn't been able to talk to Chris Leopold to learn how this was going. Dan responded that Chris has been swamped with work on that project. Dan stated that he believed it is proceeding well, though not as quickly as we might have hoped. Dan said that the transition has been difficult due to a lack of adequate documentation. Consequently, Chris must go back and update the documentation as best he can, downloading the configuration from the various sites. The CEOs are generally the most difficult in that regard.
CNS has now hired someone to oversee our WAN and August 18th is the official date by which CNS will take over things. Dan said that the details are still being worked out, but the plan is for our District Support staff and some of our Help Desk staff to be able to submit tickets directly to the CNS Remedy queue in order to report and receive follow-up on network issues which occur. They intend to have direct access to the CNS Remedy system until some interoperability can be fashioned between that and the IFAS Remedy system. Currently, the "refer to CNS" function in that latter system does not work.
District support has noticed some problems
Louise Ryan mentioned that an issue with Calhoun county caused her to lose considerable confidence in CNS. She reported that none of the troubleshooting that CNS suggested was of any help and that the problem was eventually resolved by Chris Leopold himself. Dan responded that the Calhoun incident was a learning experience for CNS and he is fully convinced that they will improve as a result. The wide variety of connectivity methods and vendors used by IFAS across the state may make the initial stages of transition a bit difficult at times, but Dan is confident CNS will get up to speed as quickly as possible. This is going to remain a joint effort, however, as the district support staff and staff at the RECs will continue to be involved in reporting and follow-up on networking issues with CNS bearing the main responsibility for keeping things working.
Dennis Brown asked if CNS would be visiting remote problem locations as necessary. Louise responded that CNS did not come out to Calhoun, but rather she went there to implement a fix based on instructions being relayed from Gainesville. Dan mentioned that there will likely be some training for IFAS remote support staff so they can assist CNS in remote troubleshooting and deployment of routers. When the network is down remote staff may have to connect a laptop to the router via serial cable which CNS can then connect to via dial-up in order to access the device for diagnosis and configuration.
Kevin Hill shared his experience with Collier County where they were out of communications for over two weeks. When a replacement router finally arrived, Kevin had to connect to the router via serial cable and do some reconfiguring before it would go on-line. Kevin hopes we can rapidly get CNS to where they can have replacement routers preconfigured and ready to go via overnight shipping to remote sites. That way district support staff can simply take it out of the box, plug it in, and it will be up and running.
Dan responded that what Kevin described is indeed what is intended. If we can locate contacts at CEOs who are sophisticated enough to unplug the old and plug in the new, then district support may not even have to make site visits for router replacements in some instances. The problems noted by Louise and Kevin should not occur in the future once the documentation and configuration information is in place for CNS to manage those properly.
Steve noted that discussion of this issue continues on the Windows Hi-Ed list from time-to-time. Here is one such recent post:
-----Original Message-----
From: email@example.com [mailto:windows-hied- firstname.lastname@example.org] On Behalf Of Barth, Alexander G
Sent: Monday, August 04, 2008 2:09 PM
To: 'Brian K. Doré'; Philip Woodell; email@example.com
Subject: Re: [windows-hied]: AD Campus Firewall Issue

We've put in place a "not-quite-split" DNS structure. We have our AD namespace delegated from our campus DNS servers to stand-alone DNS servers who are secondaries to the domain controllers. This lets us put our DC's on RFC1918 addresses (which has cured the slow login issue for us) without impacting public resolution of our domain. Our off-campus Exchange users use either the VPN or Outlook Anywhere (RPC-over-HTTPS) without issue.

-alex
Steve can only hope that some solution offered will be easily applicable to our situation here at UF.
Steve demonstrated how quickly he can forget things and become easily confused by asking about the various sites within SharePoint--a matter which had been discussed a mere six months ago. Steve apologizes for that senior moment and promises to visit SharePoint more frequently to refresh his acquaintance.
Louise wanted to warn folks about something she had found out the hard way. When you create a workspace for a meeting on SharePoint, once the meeting is over everything in the workspace is deleted.
There continues to be no progress on the documentation which was to happen prior to announcement. Since this has never been formally announced, the matter remains on the agenda as a standing item.
Steve mentioned that Lance had been asking about desktop image management solutions prior to the meeting. He had been looking into Acronis for use at ICS and was wondering if there were other options available. We had a brief discussion with Andrew Carey about using WDS for that along with some of the new imaging tools available with Vista. Lance had been particularly interested in the options available with the Acronis Enterprise product.
Steve said that he would certainly like to see a centralized solution as opposed to each unit going their own way with such a thing--because this is a need all units have. Steve would hope that whatever solution was chosen would be available to all. Lance asked about an interim solution while we slowly transition to Vista. Andrew mentioned that we do have a RIS server and Steve mentioned that Mark Ross might be a good source of info about using that, as he had done so (with a number of challenges) when at Plant Pathology.
It turns out that Lance was looking beyond initial deployment and rebuilds to regular image-based workstation backups. It was Andrew's opinion that the storage costs alone would make such a system unmanageable, however. Steve suggested that efforts might be better placed in getting data off local machines so that profile wipes could be used to address certain issues for which a rebuild did not seem warranted. Being able to restore an entire PC to the way it was a week or a month ago via snapshot images is probably not going to be economically feasible due to storage needs, even if software is made available for doing that.
Lance also mentioned wanting to have VMs available for ICS IT staff to use for quickly and non-destructively trying out new things. They have been looking at MS Virtual PC for that. Steve noted that Wayne has plans to provide some management VMs for the ICC to use for such purposes which may or may not suit Lance's needs.
IFAS Software site update request
Chris Leopold wasn't available to remind about this request. As we know, he is very busy with the WAN transition and this update can wait until he has more time. If anyone needs items in the meantime, you may contact Steve.
In an e-mail to the ICC on July 31st Dan Cromer shared the current UF Employee Exit Checklist along with two draft documents related to our exit procedures:
Dan mentioned that UF is slowly getting a better idea at the highest levels of the need to address IT issues at employee exit--a subject which we have been discussing for years via the ICC. It is clear that the UF Employee Exit Checklist is both incomplete and underutilized. Dan believes Mike Conlon intends to take up the matter at the ITAC Data Infrastructure committee and bring this eventually to Kyle Cavanaugh for incorporation into the official UF exit policy.
The real difficulty has been that, while we see the need, this is an HR process--not an IT process. We must solicit considerable outside cooperation for our goals on this to be met. Dan mentioned seeking input on the draft documents and suggested adding links to the various necessary contacts directly into the checklist document: links to the list of DSAs and unit Directory Coordinators as well as contacts for any local unit directories such as the IFAS Directory Liaisons. Steve mentioned that the UF Exchange web site has a good start on listing local unit IT staff as well.
Steve agreed that it is a good idea to flesh this out with more of the details and suggested that IT staff procedures for each of the checklist items needs to be documented somewhere as well.
Questions on mailbox creation requests for new hires
Lance had some questions on the other end of things--who handles what functions for new hires. Steve pointed out that it is very convenient for IT staff to get the roles added (ufad\if-admn credentials required) so they can handle NMB changes. Dan mentioned that UF intends to create a new role for this so NMBs can be managed without becoming full-fledged Directory Coordinators. Dan mentioned a role for setting Gatorlink forwarding is planned as well. Both of those would be welcome additions for IT support staff.
Lance wanted to know who should have the responsibility for requesting an Exchange mailbox for new hires. Steve responded that this could be handled a number of ways. Since Steve is also a Directory Coordinator for his unit, he prefers to handle that himself. IT support within other units may want to hand that off to some other unit Directory Coordinator. There is no right/wrong way as long as it gets done--but an Exchange mailbox also isn't always necessary for all employees--it depends on the particular situation. The advantage of IT support handling things is that when a ticket is created via the IFAS Remedy system it can be assigned directly to Scott Owens who is very good about handling those expeditiously. Steve mentioned that he includes in his request that Scott e-mail him when the mailbox has been created so that he can assist the user in configuring their e-mail client. That makes up for a weakness in the Remedy e-mail notification system and Scott has always been very kind in doing that.
Francis Ferguson asked about procedures to remove access for folks who may be leaving under not-so-friendly circumstances. The best advice there is to get their supervisor to e-mail you with the need to remove access--as they are the ones with the authority to request this. That message can then be forwarded to Wayne Hyde (for access removal via machines which utilize our group policies) and firstname.lastname@example.org (for changing access to their Exchange mailbox). Dan mentioned that this is termed "exit under special circumstances" in the draft Employee Exit Checklist Supplement on Electronic Mail Handling.
Steve wants to leave this matter as a standing agenda item for future discussion. Wayne mentioned previously that he has plans for doing this on Vista but not WinXP; the latter has only an incoming firewall that is essentially ineffective in any case.
Training of new IT staff
Dan Cromer mentioned that, from discussions with Dr. Bennett, it has been decided that we should plan for the Help Desk to provide some introductory training to new IFAS IT support folks such as Micah. After finishing some initial project which he has been assigned, the plan is to send Micah over to the Help Desk for that.
Dan also mentioned that Animal Sciences has hired 24-hour a week OPS help whom he has talked to about this. Dr. Osborne from Ag Ed and Communications is looking to hire somebody as well. Dan feels that some effort at orientation will pay benefits in getting new unit support staff up-to-speed more quickly.
Steve also offered that Micah and other new staff should always feel free to ask any of the ICC members for assistance. Questions can always be posted to the ICC-L or to Steve directly and we will do our best to assist. Much of the work of getting up-to-speed involves learning who to contact for assistance in various areas.
Lance Cozart added that he had trouble initially finding where various things were in UFAD. Steve pointed out that he documents everything he learns either via the ICC notes or via the IT/SA Services Documentation (ufad\if-admn credentials required) on the secure portion of the ICC site. This latter section has a tendency to get out-of-date, but Steve is always willing to update that when folks report problems or deficiencies--just let him know.
IFAS DNS clean-up
Chris Leopold had sent an e-mail to the ICC a couple of days ago requesting comments on retiring the following zones:
Chris wanted us to review all sub-domains for IFAS.UFL.EDU and look towards cleaning up older addresses but wasn't available to lead any discussion on the matter. Steve noted that he is sure the intent is to remove unnecessary zones as we can and to try to move towards deprecating any legacy zones still in use--not to remove any zones still in active use.
MPS access by unit-level administrators
Chris wasn't available to continue this discussion. Andrew mentioned that they are still working on the new MPS configuration and getting ready to test that. Unfortunately, Hyper-V requires very new hardware so obtaining equipment for field testing has proved problematic. They will be considering how to best handle access by remote unit staff as testing continues. Kevin asked if they were still looking at 1U rack-mount servers for MPS. Andrew said it looks like we will have to move to 2U 2950s, which will fit into the secure wall-mounted cases. Sites without such cases will be getting them. Kevin mentioned there may be space problems at some locations with such a scheme.
Andrew mentioned that UFAD is looking into the use of RODCs at remote sites as well. A test system is deployed currently--Andrew believed at Palm Bay. Even with those we still want to keep things well locked up and secured.
Steve mentioned that Winnie Lante had raised via the ICC-L the need to control power settings across multiple profiles already established on a particular machine. A number of options were suggested to her at the time, but Steve did some testing (with suggested improvements from Andrew) which demonstrated that this is quite easy to do via GPO preferences.
Steve made a new OU in ADUC called “Power Test”:
and then created and linked a new test GPO using the new Remote Server Administration Tools (RSAT) with Vista SP1 that supports preferences:
Configuring this in the editor itself looks just like the control panel applet (=so easy even Steve could do it):
Then Steve dragged a test machine into the OU (from its parent) and voila! The settings changed for when Steve logged on.
Andrew refined this by suggesting the use of Item-level targeting instead of creating a new OU:
Wayne provided some quick updates via e-mail. He noted that they are adding another 6.7 TB to the file cluster to support Animal Science and some other units with file servers that are being phased out.
He also mentioned that they had ordered four more Disk Array Enclosures (DAEs) for the SAN. Three of those will be for the ESX cluster and SQL. One is for the file cluster.
Once the new DAEs are installed, Wayne will also increase the VSS space on the file cluster to ~10% of the total storage per node. That comes out to about 1.2TB per node for VSS snapshots. Hopefully that will let us keep about 3-4 weeks' worth of VSS snaps so Andrew won’t have to go to tape for restores. Users and OU admins don’t currently have the ability to restore from snapshots, but ITSA can do it for you until we are moved over.
IF-SRVV-FILE03 is down to about 110GB free. Wayne has had to clean up some old junk a few times to keep us from going to 0, so if any ICCers want to clean up their OU storage space, please have at it.
Once the new DAEs are installed they will start migrating so the new file cluster is primary storage instead of backup storage.
Steve had meant to mention the new web-based ePO4 console again and encourage folks to contact Wayne and start looking into using it--but he forgot. This new system is quite useful and if you haven't checked it out yet you should certainly do so. Among other things, it provides an easy way to get all your computers up-to-date with VirusScan 8.5.i. It also provides a very useful way to monitor various aspects of your managed PCs in addition to listing malware/virus detections across your unit.
Steve mentioned that Patrick Pettus has been setting SNMP and Telnet access up on all our Polycom units in order to link those into the Tandberg Management console. Steve knew of no other updates however.
There will be seven critical and five important Microsoft patches this month affecting various Windows platforms, IE, Media Player, older versions of Office, and older versions of Access, along with current and older versions of Excel and PowerPoint.
Steve noted the ICC-L posting this morning from Mitch Thompson at Apopka concerning bogus "anti-spyware" being thrust at folks while browsing the web. A number of folks had responded about seeing these sorts of things on machines--particularly home machines brought in by their users. Protection is a user-education issue for the most part; McAfee keeps us fairly insulated on managed stations--though some things will no doubt continue to slip through as long as users are running with admin privileges. It sounds like there is a wide range of removal tools available for various malware infestations. People struggling to remove a particular infestation are advised to solicit assistance from the ICC-L so we can all learn what issues others are addressing and how.
Dennis Brown mentioned that he generally just rebuilds rather than take the time to figure out how to remove such things. He also mentioned that he sent a notice to his users warning them that such things were making the rounds and to be on the lookout. Some of these programs apparently add an icon to the system tray which looks similar to the Windows update notification.
Dennis also mentioned having seen a number of flash drive infections. Wayne Hyde responded with a recommendation to disable AutoRun via GPO. Note that even this may not be enough with Vista without MS08-038. [Note: as of 25Nov08, the most recent info on this is available in KB953252.] Dennis ran into a situation where he had reformatted a flash drive to remove an infection and that proved insufficient. Viewing the drive via a Macintosh showed additional files which Windows format did not touch. Speculation on the mechanism behind that was inconclusive--alternate partition perhaps?
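The following PowerShell sketch audits the AutoRun setting discussed above; it is an added example, not something shown at the meeting or maintained by IFAS. It assumes the GPO in question is the standard "Turn off Autoplay" policy, which writes the NoDriveTypeAutoRun value, and the function names are hypothetical. It reports the configured value only, not whether the update mentioned in the note is installed.

```powershell
# Added example: report which drive types still have AutoRun allowed.
# NoDriveTypeAutoRun is a bitmask; a SET bit DISABLES AutoRun for that type.
$DriveTypeBits = [ordered]@{
    'Unknown'     = 0x01
    'No root dir' = 0x02
    'Removable'   = 0x04   # flash drives fall here
    'Fixed'       = 0x08
    'Network'     = 0x10
    'CD-ROM'      = 0x20
    'RAM disk'    = 0x40
    'Reserved'    = 0x80
}

function Get-AutoRunEnabledTypes {
    # Hypothetical helper: list the drive types whose bit is clear in $Mask.
    param([int]$Mask)
    $DriveTypeBits.GetEnumerator() |
        Where-Object { ($Mask -band $_.Value) -eq 0 } |
        ForEach-Object { $_.Key }
}

function Get-AutoRunPolicy {
    # Hypothetical helper: read the policy value. The machine-wide value is
    # checked first because it takes precedence over the per-user one.
    $sub = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($hive in 'HKLM', 'HKCU') {
        $item = Get-ItemProperty -Path "${hive}:\$sub" `
                    -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{
                Hive = $hive
                Mask = [int]$item.NoDriveTypeAutoRun
            }
        }
    }
    return $null   # value not set in either hive
}

# Audit the local machine.
$policy = Get-AutoRunPolicy
if ($null -eq $policy) {
    'NoDriveTypeAutoRun is not set; Windows defaults apply.'
} else {
    $enabled = @(Get-AutoRunEnabledTypes -Mask $policy.Mask)
    '{0}: NoDriveTypeAutoRun = 0x{1:X2}' -f $policy.Hive, $policy.Mask
    if ($enabled.Count -eq 0) {
        'AutoRun is disabled for all drive types.'
    } else {
        'AutoRun is still allowed for: ' + ($enabled -join ', ')
    }
}

# Constructed sample masks, decoded offline without touching the registry.
foreach ($sample in 0x91, 0xFF) {
    $left = @(Get-AutoRunEnabledTypes -Mask $sample)
    'Sample 0x{0:X2} leaves AutoRun on for: {1}' -f $sample, ($left -join ', ')
}
```

Running this across managed machines shows where the GPO has not applied or where a weaker mask leaves removable media uncovered.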
MS Office News update
Steve had no details to offer on this but wants it to remain as a standing discussion topic.
This matter is pending migration to the new file server cluster, but Dan wanted the ICC to start thinking about how public folders should be managed. We have removed the individual unit public shares and now have a single IFAS public folder, but we need to educate our users of the risks and the need to not place confidential information there even temporarily.
Steve mentioned that creating a read-only "_Policy_Please_Read_" folder within the IFAS Public folder that includes a short policy statement text file would seem appropriate. Perhaps something like:

*******************************************
***** IFAS PUBLIC FOLDER USAGE POLICY *****
*******************************************

* The sole purpose of the IFAS Public folder is to facilitate moving files within IFAS and UF. This area is read/write to all IFAS and is readable by all UF. Consequently, FILES CONTAINING RESTRICTED OR PRIVATE INFORMATION ARE STRICTLY PROHIBITED!

* This area MAY NOT BE USED AS STORAGE. Files placed here will be retained for only X days.

* Before placing files in this area, create a folder whose name clearly indicates the person responsible for the removal of those files. "Last, First" would be preferable. Make sure your files are placed in that folder. Any files not clearly denoted in this fashion may be removed without notice.

* When passing files via the public folder, instruct those who will be receiving the files to REMOVE them once they have been retrieved. Please follow up to assure that this is done.

* Remember that this area is inherently insecure. Anyone in IFAS may delete or alter any information you place there at any time and all information is readable by anyone at UF.
After the meeting Kevin Hill shared a script which he has been using to age-out files for some time:
' Script to delete files from the Temp Drive with a "CREATED DATE" older than 30 days.
' (Note that this attribute is the date that the file or folder appeared on the drive,
' which is different than modified date or accessed date).
' Kevin Hill, UF/IFAS - SWFREC - 03 Feb 2005

' Folder to start search in...
path = "F:\Shares\IMOK_TMP"

' delete files older than 30 days...
killdate = date() - 30

arFiles = Array()
set fso = createobject("scripting.filesystemobject")

' Don't do the delete while you still are looping through a
' file collection returned from the File System Object (FSO).
' The collection may get mixed up.
' Create an array of the file objects to avoid this.
'
SelectFiles path, killdate, arFiles, true

nDeleted = 0
for n = 0 to ubound(arFiles)
    '=================================================
    ' Files deleted via FSO methods do *NOT* go to the recycle bin!!!
    '=================================================
    on error resume next 'in case of 'in use' files...
    arFiles(n).delete true
    if err.number <> 0 then
        wscript.echo "Unable to delete: " & arFiles(n).path
    else
        nDeleted = nDeleted + 1
    end if
    on error goto 0
next

'msgbox nDeleted & " of " & ubound(arFiles)+1 _
' & " eligible files were deleted"

sub SelectFiles(sPath,vKillDate,arFilesToKill,bIncludeSubFolders)
    on error resume next
    'select files to delete and add to array...
    '
    set folder = fso.getfolder(sPath)
    set files = folder.files

    for each file in files
        ' uses error trapping around access to the
        ' Date property just to be safe
        '
        dtlastmodified = null
        on error resume Next
        dtlastmodified = file.datecreated
        on error goto 0
        if not isnull(dtlastmodified) Then
            if dtlastmodified < vKillDate then
                count = ubound(arFilesToKill) + 1
                redim preserve arFilesToKill(count)
                set arFilesToKill(count) = file
            end if
        end if
    next

    if bIncludeSubFolders then
        for each fldr in folder.subfolders
            SelectFiles fldr.path,vKillDate,arFilesToKill,true
        next
    end if
end sub
Job Matrix Update status
Steve has left this on the agenda as a standing item, but wanted to point out that it currently appears up-to-date (thanks to Chris).
Outlook and Exchange support
Lance asked about who he would contact regarding Exchange server issues. Steve responded that server side problems should be reported to email@example.com. Client-side issues can be raised to the ICC-L. Lance mentioned having a client with off-line address book sync issues. He had been in touch with Dwight Jesseman about that but none of the offered suggestions has proven to fix the problem. Lance tried tools that professed to correct the issue, but they were ineffective--likewise with deleting the OAB files or reinstalling Office. Steve said that getting back with Dwight would be the thing to do on that issue. Steve did know that Dennis and he had reported similar issues and Dwight was having problems accumulating sufficient data to submit to MS for resolution. In Steve's case, the problem was on a retired professor's laptop; getting access proved difficult and that user just dropped pursuing a fix. The case Dennis had seen was resolved by rebuilding their machine.
Steve wants to leave this matter as a standing agenda item for future discussion.
Dan related that Bill Black had recommended CrossLoop and it looks like a good quick/simple/free solution for remote support. It only works on Windows via installing a version of VNC. The traffic is encrypted, however, and the implementation requires that the user give you permission to take over the machine. Dan would like others to try this out as well.
Microsoft Messenger spoof
Dan also mentioned getting a spoofed/stolen MS Messenger message purporting to be from Ben Beach that appeared to be phishing for his account credentials. Dan said this has prompted him to stick with UF Jabber from now on.
As a notes-only exclusive, Steve wanted to share the free/no-installation-necessary Grabtxt utility which "copies error messages from message boxes so you can put the copy the selected issue into a search engine to find more about those errors and how to fix them".
The meeting was adjourned early at about 11:45 am.