IFAS COMPUTER COORDINATORS
NOTES FROM January 13th 2006 REGULAR MEETING
A meeting of the ICC was held on Friday, January 13th, 2006. The meeting was chaired and called to order by Steve Lasley, at 10:00 a.m. in the ICS conference room.
PRESENT: Eighteen members participated. Remote participants: Chris Fooshee, Joel Parlin, and A.D. Walker. On-site participants:
David Bauldree, Dennis Brown, Dan Cromer, Marion Douglas, Chris Hughes, Wayne Hyde, Dwight Jesseman, Winnie Lante, Steve Lasley, Chris Leopold, Chang Lin, Ligia Ortega, Marshall Pierce, Mark Ross and Joe Spooner.
STREAMING AUDIO: available here
Agendas were distributed and the meeting was called to order pretty much right on time.
There are two new members:
Brian M. Cain is Bob Huston's support tech at Indian River REC now. Steve has not heard back from his initial contact with Brian.
Chang Lin was also introduced. Chang is a programmer who has been hired by the IFAS software group and is currently involved with Marshall Pierce in moving the IFAS web sites to the new server.
Recap since last meeting:
Steve pointed folks to the notes of the last meeting for context but did not go into particular details.
New agenda format:
Steve noted that we have begun using a new format for our agendas that was recommended by Joe Spooner. The items are now arranged by Policy (recommendations for ITPAC), Projects (long-term matters which we are hoping to get implemented), and Operations (change notices and procedural discussions). The purpose of the restructuring is to better organize and categorize our growing list of issues so that we can keep good track of them and deal with any discussion/notification in our meetings as efficiently as possible.
Pending issues for the next ITPAC meeting on February 8th
Steve raised the question of whether or not we wish to revisit the ITPAC recommendation on requiring confirmation on all IFAS lists. Chris Hughes feels that the recent spat regarding IFAS-ALL-L (see the many "remove" messages in the January IFAS-ALL-L archive) could have been avoided if this recommendation had been implemented. Chris believes that the confirm message could include verbiage explaining the nature of that list, how membership is assigned, and what the options are for one not wanting to receive those postings. Dwight Jesseman, however, is not currently aware of a way to add text to the confirmation messages for a particular list. Chris Leopold believed that there was a way, but has not found it yet and plans to look into that. Dwight believed that we may have to put notification into responses to sign-off requests to get that information out.
Dan Cromer has a two-part plan to help address these issues. First, he intends to implement the list confirmation recommendation, which has been approved by administration. This would include a web page detailing the rationale behind the change and how confirmations work, followed by an IFAS-ALL-L message explaining the changes and pointing to the documentation. This method proved quite successful for the recent e-mail project and seems an excellent way of handling change notification to our users. Secondly, Dan stated his intention of having a footnote added to IFAS-ALL-L messages explaining the list policy and detailing, for those who may have left IFAS but not been removed, how directory liaisons control that membership and how to see that this is accomplished. Once that is ready, Dan would also like to have Dr. Joyce send out a message stating that policy regarding appropriate usage.
Dwight mentioned that Pete Vergot had requested a number of his lists be moved to requiring confirmation and that he would be a good resource for feedback on how that affected users and the problems they might experience. Apparently, the biggest issue was with delays that sometimes occur between posting and receiving the confirmation e-mail for that post. We will want to cover the details of that aspect well in any documentation we produce on this. Such delays may be due to either slowness in the Gatorlink mail system, or our own listserv being backed up in sending out mail.
Further discussion ensued on the IFAS-ALL-L brouhaha. Dwight explained that the recent rash of "please unsubscribe" messages on IFAS-ALL-L was related to the e-mail changes made December 27th. Membership in the IFAS-ALL-L list is built dynamically from entries in the IFAS Directory database. Anyone in that database who has an e-mail address set becomes part of a mailing to IFAS-ALL-L. Regarding inclusion on the IFAS-ALL-L list for current employees, the only exceptions allowed are for Vet Med and Courtesy Faculty who specifically request removal--which is done via clearing the e-mail address field. Of course, Directory liaisons can do this for each unit at their discretion, but should note that this will remove that address from any printed IFAS directory as well.
The IFAS directory has long had a large number of entries for people who have left and which should have been removed. Many of those had addresses which were invalid and had been bouncing for some time. On the 27th, all addresses in that database were corrected to use the "GatorlinkUsername@ufl.edu" format, which caused a number of those being bounced previously to now actually be delivered. This is why we had quite a few people wondering why they were all of a sudden getting IFAS-ALL-L messages when they may have been gone from IFAS for some time and had not been getting those messages until just recently. This includes students who may have worked for IFAS at one time and had an IFAS mailbox, but who had left and basically abandoned their IFAS mailbox.
This problem obviously demonstrates (again) the importance of the role that IFAS directory liaisons play in this process. Until we improve our IFAS employee exit procedures, such problems (as well as the more serious issue of security regarding access to computer resources) will continue. Although Dan Cromer feels that the hire/fire issues will/must be addressed at the UF level, Chris Hughes believes that UF has clearly indicated that many aspects of this issue will need to be handled by the units. Chris is aware of other units in AD who have clear procedures for dealing with the exit process and re-emphasized how IFAS administration needs to address it. Chris believes a security audit might provide an impetus for action.
Mark Ross pointed out that these problems generally occur at the beginning of semesters. He suggested that an IFAS-ALL-L message be sent out at the beginning of each semester explaining the list usage details.
Steve Lasley would like to point out that, while this may be an excellent idea, it is not an IT matter, but rather something for IFAS administration to deal with. Dan Cromer stated that, while the administration has felt this list should be monitored, no one within administration wants to perform that task. Since most (incorrectly) perceive IFAS IT as being in control of the policies regarding this matter, we continue to receive blame. Because the blame is misdirected in this way, IFAS administration feels no great impetus to correct things by handling what is truly an administrative policy matter themselves.
As a temporary measure, until the current flare-up subsides, Dwight and Dean Delker are now set as moderators of the IFAS-ALL-L list. That this method was implemented reflects a mis-application by administration of the distinction between IT procedures and administrative policy issues. If moderation is indeed necessary, it should not be IT support staff doing that.
Prior exit procedure discussion. The discussion regarding directory liaison roles and hire/fire procedures led to further discussion about how we, as OU Admins, can handle people leaving IFAS. There has been an increase of over 1600 user accounts in the IFAS OU since migration; this is clearly due to failure to remove accounts for people who have exited. In lieu of officially developed procedures, an attempt to detail this has been made on the ICC site under the topic Exit procedures and permission removal (ufad\if-admn credentials required for access). Steve would appreciate input as to how to improve that documentation.
Dwight mentioned that he is working with Personnel in a step-wise fashion to resolve a number of related issues. He has given them a list of people in the IFAS Directory that do not have Gatorlink accounts so that those can be addressed. The next step will be to provide them with a list he has of people whose user accounts are in the Other OU, but that still have an IFAS mailbox. The next category he will provide includes people with IFAS mailboxes whose accounts are in OUs outside IFAS. For those, they will need to determine whether the mailbox has been abandoned. The final step will be to contact John Bevis to find who has changed the "GL@my.ifas.ufl.edu" forwards which Dwight set December 27th, in an attempt to discover abandoned mailboxes for people whose AD accounts still reside within the IFAS OU.
Regarding removing user accounts and permissions within IFAS, Dwight stated that OU Admins are in complete control of that except with regards to entries in the IFAS Directory--for which a directory liaison is required. Once we move off our dependence on that separate directory (a step which is on long-term hold due to IT workloads in the IFAS software group), our ability to manage our own IT-related exit matters will be complete. Of course, this assumes we can determine when a person has actually left--which is a separate and basically non-IT issue which we need to continue to find ways to plug into.
At Mark's prompting, Dwight explained that the mailbox removal procedure, which can be initiated by OU Admins for their users via the Permissions Removal site, uses ExMerge to back up the mailbox to a .pst file that is then moved to \\if-srv-file01\pst, where you can gain access via your IF-ADMN account. The previously existing SMTP addresses are noted before the mailbox is removed and added as aliases to a new external e-mail address (forward) that is then created and which points to "GatorlinkUsername@ufl.edu". This retains mail flow from their old addresses to their Gatorlink (or wherever their Gatorlink is forwarded--under the user's own control). PLEASE NOTE: It is important that their Gatorlink forwarding be either removed or set to something other than IFAS PRIOR TO INITIATING THIS PROCESS! Dwight and Dean are the only two in IFAS who have the permissions to view how an individual's Gatorlink forwarding is currently set, so Dan would like them involved in this process to assure that mail loops are not created. The alternative is to work directly with the end user to assure that does not happen.
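The mail-loop condition described above can be checked before the removal is started. The following is an added example, not part of the original notes or of any IFAS tooling: it models the routing that will exist after the mailbox is removed and reports any old alias whose mail would circulate. The user name, the addresses and the function names are constructed for illustration, and the Gatorlink forward value is assumed to have been supplied by someone permitted to view it.

```python
# Added example: pre-flight loop check for the mailbox-removal procedure.
# All addresses below are constructed sample data.

def routes_after_removal(gatorlink_user, old_aliases, gatorlink_forward):
    """Model mail routing as it will look once the mailbox is removed.

    Each old SMTP alias forwards to GatorlinkUsername@ufl.edu; that address
    forwards wherever the user's Gatorlink forward points (None = no forward).
    """
    gatorlink = f"{gatorlink_user}@ufl.edu".lower()
    routes = {alias.lower(): gatorlink for alias in old_aliases}
    if gatorlink_forward:
        routes[gatorlink] = gatorlink_forward.lower()
    return routes


def trace(address, routes):
    """Follow forwards from address; return (path, looped)."""
    path = [address.lower()]
    seen = set(path)
    while path[-1] in routes:
        nxt = routes[path[-1]]
        path.append(nxt)
        if nxt in seen:
            return path, True  # revisited an address: mail would circulate
        seen.add(nxt)
    return path, False


def preflight(gatorlink_user, old_aliases, gatorlink_forward):
    """Return {old alias: looping path}; an empty dict means safe to proceed."""
    routes = routes_after_removal(gatorlink_user, old_aliases, gatorlink_forward)
    loops = {}
    for alias in old_aliases:
        path, looped = trace(alias, routes)
        if looped:
            loops[alias.lower()] = path
    return loops


# Constructed aliases for a hypothetical user "jdoe".
SAMPLE_ALIASES = ["jdoe@my.ifas.ufl.edu", "Jane.Doe@ifas.ufl.edu"]

if __name__ == "__main__":
    for forward in ("jdoe@my.ifas.ufl.edu", "jdoe@example.org", None):
        loops = preflight("jdoe", SAMPLE_ALIASES, forward)
        print(f"Gatorlink forward = {forward}: {'LOOP' if loops else 'ok'}")
        for alias, path in loops.items():
            print("   ", " -> ".join(path))
```

The check only sees forwards it is given, so a Gatorlink forward that points at an IFAS address missing from the alias list still needs a manual look.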
An attempt has been made to organize and arrange some of the details of various IT projects that are in progress. These are generally listed currently in order by date begun (as evidenced by discussion at ICC meetings). Without clearer details as to project timelines, no clearer ordering or tracking seems very feasible and IT/SA project leads are greatly encouraged to provide more details on such matters so that this information can be better organized and progress tracked.
Any projects that have been completed will be moved to the top of the list for one final hurrah/R.I.P. and then retired from the list.
E-mail domain name change
This major project was completed through great effort, but with very few problems from the end-user perspective. Dwight and the other folks who assisted in this project deserve our greatest appreciation for a job well done.
Dwight detailed the changes that were made:
- On December 27th, all user objects within the IFAS OU were e-mail enabled.
- Those having an IFAS mailbox now have a return address of "GatorlinkUsername@ufl.edu", but all previous aliases remain in effect as well.
- Those who do not have an IFAS mailbox also have a return address of "GatorlinkUsername@ufl.edu", but have an "external e-mail address" (aka "forward").
- Listserv subscriptions were corrected via scripts for the new return address in both UF and IFAS listservs
- Listserv owners and editors for IFAS lists were manually corrected.
Dwight then briefly detailed how the flow of things has changed as a result:
- When someone with an IFAS mailbox sends mail out of our system, replies will return via the "GatorlinkUsername@ufl.edu" address. This means they will come back first to the Gatorlink mail system and then be forwarded on (via a "GatorlinkUsername@my.ifas.ufl.edu" setting there) to their IFAS mailbox.
- When you find someone in Outlook's Global Address List (GAL) who does not have an IFAS mailbox, (and this includes some IFAS groups such as Animal Science, County offices, etc.), your message goes first to Gatorlink and is then forwarded on based on the forward set there.
Chris Hughes reported that on January 24-25th he will be attending the Vista Airlift in Seattle along with Mike Conlon and Dick Deason. Various materials, including a beta Vista release and PowerPoint presentations on the Vista TAP, are now available on the secure portion of the ICC web site. These are linked off the BOTTOM of the Desktop Deployment page within the IT/SA Services Documentation portion of the ICC web site. UFAD\IF-ADMN credentials are required for access.
Chris reminded people that, if they install the Vista beta, they should also install the Microsoft Error Reporting tool (Microsoft Beta Client version 1.20.2174) from http://connect.microsoft.com . Before you may access that site, Mike Kanofsky must forward your name and Microsoft Passport address to our Microsoft rep--after which you will receive an invite via e-mail. Please contact Mike if you need that. Additionally, Steve will try to keep the Vista section of the Desktop Deployment page up-to-date with links to files of interest.
Removal of WINS
Chris Hughes reported that CREC has removed WINS without experiencing any problems. It was decided that reference to the WINS service would be removed from the DHCP configuration for campus on February 1st--with a reminder notice being sent to the ICC-L just prior. This would affect clients, but not servers--as they are not using DHCP. If problems arise, the reference can be re-added to the DHCP scopes and a reboot (or ip release/renew) would set things back for a particular client machine. If no problems arise, Chris has a script that will remove the settings from statically configured servers and this can be done around the March 1st timeframe. NetBIOS aliases set to assist in migration (done via the following setting: under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, Add Value: OptionalNames, REG_SZ, String: "Alias") do not work without WINS, so OU Admins should assess their use of those and fix any references that use them prior to February 1st if possible.
RIS and SMS
Chris Hughes stated that we will likely wait until the new Windows Deployment Services (WDS) versions are available.
The wallplate divestiture
Chris Leopold has become an expert with HP Procurve Manager, which he is using to reconfigure the BPOP switches that are being released from CNS to IFAS, fixing the ACLs for CNS access and changing the passwords on the switches. This project is essentially completed. There is a complication in the CNS divestiture of the IFAS BPOP switches in that CNS is requiring that IFAS wireless access points be on an external device VLAN, which is a separate IP address from the authenticated VLAN that it hosts to its clients. We are thus required to push two VLANs to all our locations. So far, this has been done in building 120 and McCarty D. Dennis Brown asked how firmware updates for switches were being done. Chris related that the Ciscos were somewhat problematic, but that the HP switches are done via policies in Procurve Manager.
New IFAS IP Plan
As of last week, Chris Leopold has asked Marcus Morgan to release the required IP address ranges to CNS and IFAS for deployment of the new numbering scheme on campus, but has not heard back. Our specific IP range request has been denied, but we will be getting three consecutive /24 public ranges and all our on-campus IP numbers will be changed accordingly.
Move to IF-SRV-WEB
Marshall Pierce related that this move has taken quite a while, but that he has made sure that all web sites are configured uniformly on the new server. This weekend, the web sites will be re-synchronized; this may cause site performance this weekend to suffer a bit. After this re-synchronization is complete the web site admins will be informed of the new "dev-" versions so they can test those for proper operation.
Steve asked if there was any way to tie web admins to their corresponding OU admins. This would allow the OU admins to have prior notice of what sites might be affected in their unit. Steve thinks this could also support what he feels would be a good standard practice in our web site creation process--where OU Admins would be given access to all web site within their unit in order to permit them to better assist with such sites.
New File Server
Dwight has been made the lead on this project. Now that the e-mail project is over, he can devote more time to getting this up and going.
Wayne Hyde issues
Wayne has a number of long-standing issues on his plate:
- Re-enabling Windows firewall for IFAS (GPO:IF-Firewall-Windows Clients)
- ePO reorg and exclusion lists
- New VPN server (if-srv-isa.ad.ufl.edu).
Having just recently joined IT/SA, along with having to deal with recent patching emergencies, Wayne has not yet had time to turn his attention to these matters. Wayne has an IT Security Questionnaire to fill out this coming week for the Office of Audit and Compliance Review that is due next Friday. This will document all the critical IT resources within IFAS. After that time, Wayne intends to get with Chris Hughes to begin looking at the ePO reorg.
Removing Appletalk from all IFAS subnets
This remains a low-priority issue. We are aware of some folks that use this protocol (ICBR for example). We also know that better alternatives exist and that it is primarily a training issue. Chris will likely wait on this until more pressing issues can be put to rest. Chris did warn, however, that if we don't eventually address this, CNS will someday just go ahead and "solve" this for us by turning it off.
Remedy Project Update
Dwight explained that we are working on what is hoped to be the last bit of preparation before the IFAS Remedy system can be officially announced to all. This step involves creating a web site that would allow OU Admins to selectively control whether tickets for people in their respective OUs were assigned specifically to their OU Admin, or whether they were assigned originally to the Help Desk. A separate flag would control whether an OU Admin receives an e-mail notification when a user in their unit initiates a ticket request. This latter feature would allow an OU Admin to keep in touch with tickets relating to their own users, but still have the Help Desk as their first line of support for them on user generated ticket requests. Daniel Halsey, of the IFAS software group, is currently building a web page to provide that functionality. Once that capability is in place, Dwight will approach Fran with the desire that ticket assignment and notification be pulled from our SQL Server table which would include the OU Admins for each NMB code along with flags that controlled assignment and notification.
Removal of x500 e-mail addresses
There are a number of incorrect x500 e-mail addresses within our Exchange system. Dwight would like to remove all those settings and then re-populate them with the correct x500 "GatorlinkUsername@ufl.edu" settings via the ADModify tool. These x500 records are used by Outlook users' personal distribution lists and similar lists within public folders. When a list has even a single entry with an incorrect x500 setting, any e-mail to that entire list fails. Chris Leopold was concerned that recreating these might cause all our users to have to rebuild many or all personal distribution lists. Chris consequently advised careful testing and planning should we attempt this.
Mark Ross mentioned that, since support for public folders is marked for eventual removal by Microsoft, he is looking for alternatives in any case. Lists created via LDAP-based query to AD might be a better long-term solution for unit-level lists because of that.
User notification on forced reboots
There was considerable discussion on how end-user notification should be made for these. Chris Hughes felt that OU Admins should handle that for their units. His reasoning was based on the fact that the WSUS group policies can be (and have been) modified so that each unit can be handled differently. Others, such as Ligia Ortega believed that a notification to IFAS-ALL-L was the appropriate notification method. Steve was concerned about units for whom the Help Desk functions as OU Admin. Notification would be much more difficult for that group of users if it was left to the OU Admins.
Most agreed that some kind of notification is needed, however, simply to assure that an attempt has been made to prevent what is potentially a very serious event for folks who are running long-term jobs (for example) that may be in jeopardy due to such occurrences. No clear resolution was decided upon, but at minimum, it is expected that the ICC will be notified prior to each forced reboot so they have the opportunity to consider handling this for their own users.
IMM on the role of the ICC
Dwight pointed out he was surprised that, with the publication of this IMM, we didn't have complete representation of all IFAS units at this monthly meeting. Although we cannot force participation from our end, Steve agreed to put together documentation on attendance by unit that would be available for easy review by all--including Dr. Joyce, should he wish to address the issue with individual department heads.
The meeting was adjourned (early!) at approximately 11:40 pm.