

ICC Meeting:

IFAS COMPUTER COORDINATORS
(ICC)

NOTES FROM November 14th 2008 REGULAR MEETING


A meeting of the ICC was held on Friday, November 14th, 2008 in the ICS conference room. The meeting was chaired and called to order by Steve Lasley at about 10:00 am.

PRESENT: A disappointingly small group of nine members participated.
 
Remote participants: Francis Ferguson and Louise Ryan
 
On-site participants: Dennis Brown, Andrew Carey, Lance Cozart, Wayne Hyde, Jack Kramer (emeritus), Winnie Lante and Steve Lasley
 

STREAMING AUDIO: available here. Steve once again forgot to start the recording immediately, so the first few minutes were lost at the beginning -- sorry.


NOTES:

Agendas were distributed and the sign-up sheet was passed around.


Report from the chairman


Member news:

New members...

Steve noted that Rajankumar Singh and Andres Naranjo are now providing OPS IT support for Microbiology and Cell Science. Steve has sent them a welcome message but has yet to hear back.

Departing members...

Steve learned yesterday that Torrance Zellner has left the Help Desk. That group has now been whittled way down to just Dan Christophy and Ed Steele. Dan Cromer had mentioned at this month's ITPAC that the plan is to fill in with OPS hires.

Recap since last meeting:

As per his usual procedure, Steve pointed folks to the notes of the last meeting, without going into any details.


Policy


Shibboleth and Identity and Access Management (IAM) at UF (see prior discussion)

Steve hadn't heard any more on this since last meeting and Dan Cromer had a conflict that prevented him participating. Steve's last understanding was that this was to go into production soon, however.

Report from the November ITAC-NI meeting

Steve mentioned that yesterday's meeting was spent trying to develop a short list of network-related improvements/projects which we felt UF should place some priority on. This was being done at the request of Chuck Frazier, UF's new interim CIO. All the various ITAC sub-committees had been charged with developing such lists.

Report from the November ITPAC meeting

Steve mentioned that the Web Domain Policy was finally given the go-ahead at yesterday's ITPAC meeting. All who were involved in pushing for that for the last year or more should be very happy. While the IFAS Web Policy has been in place as an official IMM for a few months, the web team will very soon have the crucial web domain policy in place which should make consolidation possible and aid greatly in moving towards a sorely needed content management system.

Comprehensive IT risk assessments will be REQUIRED soon

Steve asked where we were on this. Basically, Wayne Hyde has been too busy to coordinate things as well as he would like. Dennis Brown and Winnie Lante both mentioned having attended Achilles training but they have not formed the recommended committees due to the difficulties they see in getting cooperation for that. The folks most needed for participation are extremely busy with other important departmental matters and it really would take a decree by department heads for such an effort to be successful.

Lack of specific direction may doom this first round to failure in many cases. IT staff may need a clearer mandate along with administrative buy-in and support in order to pull something like this off successfully--not to mention finding the necessary time.

Update on changing the Barracuda default settings
(see prior discussion)

Steve reported that this still hasn't happened. He raised the matter at ITPAC this Wednesday as a point of notice, but it appears we will still have to continue work on that list of high volume users, trying to contact each one individually. The problem there is that, while about half have been accounted for, the remainder has been problematic. It is a shame that Mike Conlon won't just let Dwight Jesseman run a script he has prepared which will flip the “Use System Defaults” setting to “No” for these folks so we can move on. His reasoning there escapes Steve.

UF Exchange Project updates (see prior discussion)

Mailboxes for users in the "Other" OU

Andrew Carey had mailed out a list of IFAS Exchange Users with no department affiliation to the ICC-L. Hopefully, all ICCers have looked through that list and gotten back with Andrew with any concerns. Andrew hasn't processed those yet and will let us know before he does.

Steve mentioned having one user on that list that had left the Entomology department but whom he believed was still on campus as a student elsewhere. Andrew said that he would let Dwight know that she was no longer in IFAS but might still be around. If she had moved to a department which uses Exchange, the mailbox will be retained.

Lance Cozart asked what the mailbox retention time was supposed to be. Andrew responded that he believes the processes there have not yet been fully worked out--which is why we have the current situation. Andrew did mention that it will be our responsibility (via Remedy ticket to Scott Owens) to remove the mailboxes before removing NMB settings. It is the removal of the NMB settings that throws users into the "Other" OU. How to coordinate all exit processes in a timely fashion will be a challenge however, and mistakes will likely continue to occur unless and until the entire process is automated.

Louise Ryan mentioned that there were an inordinate number of FAMU Courtesy Agents on Andrew's list. If those users truly need to retain their mailboxes, then their associated Directory Coordinators (and each county may have a different person for doing that) need to be contacted and asked to set the proper NMB settings to get them moved back where they belong.

Spam messages to distribution lists are showing up in the Barracuda quarantine

Dennis raised this point and asked if others were seeing this; we all had. No one was sure why this may have started happening recently. Steve did note that he had seen a couple of IFAS-Announce-L messages go to the Junk E-mail folder (SCL score = 5) and Dwight was going to look into that. There is an Exchange rule set that sets the SCL to 0 if the email address contains lists.ufl.edu or lists.ifas.ufl.edu; perhaps that got messed up somehow recently. Whether that could have any bearing on these quarantined spam messages is anyone's guess at this point.

Backscatter on the rise

Mitch Thompson had raised another e-mail issue via the ICC-L concerning folks receiving bounces for messages which they had not sent themselves. There seems to have been a rash of those lately. Chris Leopold had chimed in that the proper term for this phenomenon is Backscatter.

Mail Meter

Steve mentioned that he had discussed the e-mail attachment archiving a bit at ITPAC so folks there would know what is going on. Overall that implementation is progressing well apparently. It will take some time to crawl through it all the first time though.

Student mail to move to Google Gmail?

Steve repeated what Dan Cromer had mentioned at an earlier meeting, namely that a decision on this has been tabled for the time being.

WAN transition to CNS (previous discussion)

Dan Cromer reported that James Moore has been working very hard on setting up the infrastructure. He is evaluating connection options for our various locations to increase speeds and/or reduce costs. Dan stated that he believes the WAN is being managed as well currently as it was in the past. That doesn't mean there aren't difficulties and it is a continuing problem getting quotes from vendors in a timely fashion.

Reports are that this is going fairly well, though Chris Leopold was not available for comment. Dan Cromer has stated his opinion on a number of occasions that things are going as well as or better than expected. We hope to get James Moore back at an upcoming meeting to discuss his viewpoint on things.

Split DNS solution for UFAD problems

Steve Lasley wants to keep this on the agenda for future reference.


Projects


IFAS WebDAV implementation

There continues to be no progress on the documentation which was to happen prior to announcement. Since this has never been formally announced, the matter remains on the agenda as a standing item.

Vista Deployment via SMS and WDS

Steve mentioned that Lance Cozart has been working hard on getting a universal image built for Windows XP deployments. Steve has asked Lance to share his findings with us at an upcoming ICC meeting. If anyone has any extra machines which he can borrow for a short while, that would certainly help him test out his included driver set more broadly. Steve hopes everyone will support Lance's efforts as this could be extremely useful for all--perhaps especially for the Help Desk which is now trying to support an untold number of users with very little personnel. Lance is doing the heavy lifting and deserves our support.

Lance mentioned that he is trying to bypass the vendor's drivers wherever possible and go directly to the chipset manufacturers. He finds that this generally reduces the overall number of drivers needed. He has struggled with printer drivers, however, and is not sure adding those is very feasible.

Currently 15 minutes into the stream.

Exit processes, NMB and permission removal (prior discussion)

Dan Cromer wasn't available for comment, but Steve mentioned that Dan has been working to get something more workable implemented centrally via the ITAC-DI committee. Wayne and Andrew reminded folks that a new role of "Mailbox Managed By" has been discussed as a means of de-coupling e-mail handling from file and machine access.

Re-enabling the Windows firewall

Wayne Hyde has created a new GPO that would implement the Windows firewall but needs to find the time to test it thoroughly. He plans to do that after the file server migration is complete.


Operations


VPN options

Steve referred to the announcement regarding important changes in the UF VPN. Among other things, that announcement touted integration with UFAD. Steve asked what VPNs others were using. It appeared that the IFAS VPN is still our best and most flexible option because it authenticates users directly to UFAD. The new UF VPN setup uses UFAD, but not for authentication; rather, it ties into UFAD groups so unit admins may more easily control access to departmental VPNs (at least it is so believed--none had tested this yet).

Disabling/deleting computer accounts based on computer password age

Steve mentioned that he had added into last month's notes a description of what Andrew Carey has proposed in this regard. This seems a very reasonable compromise that would support cleaning up our OUs of disabled machines. The problem, as with so many things in these times of inadequate staffing, is finding time for implementation.

WinXP SP3 upgrades needed for Volume Shadow Copy

Wayne reported that there have been few problems with this roll-out. Steve mentioned that only one machine had an issue with this in his department, and that was due to inadequate disk space. Wayne responded that this seemed to be the most common issue seen overall.

Lance Cozart mentioned having SP3 break Windows Update. Steve responded that he believed this may be due to the issues discussed here back in July and detailed in KB943144.

Non-UF domain names: policies, different policies, and developing IFAS procedures

Steve mentioned that UF Web Administration has one domain policy, and the UF IT site has another domain policy. The former seems more lax than the other. Chris has been looking for some backing from administration in order to work out a more reasonable process for domain name requests. Currently, folks get domains on their own (often inappropriately named) and then expect Chris to support them. Steve wasn't sure if the two differing policies which are posted are going to be resolved. The soon-to-be-posted IMM on IFAS Web Domain Policy may obviate our need for a resolution on this centrally in any case.

New MPS/DC testing -- access by unit-level administrators

Andrew has been getting experience with Hyper-V server and has worked out most of the potential issues on the MPS side. They may use stand-alone servers for sites with beefier storage needs. They have implemented that recently for Apopka and plan to go live with one in Plant City prior to Thanksgiving as well.

The DC side of things is yet to be investigated, but so far everything looks good for utilizing virtualization in order to permit more robust hardware at our various remote sites.

Report generating system

A Lansweeper client (Lsclient.exe) is installed on all IFAS machines via login script, and that builds a quite thorough database on various aspects of all our computers. Making that data available to OU Admins is a fairly high priority. Since Lansweeper stores that data in a SQL database, one option is to use SQL Server reporting tools to provide access to canned queries. Those may be scheduled to run at various times and can even be subscribed to via e-mail.

Andrew mentioned that Dennis and others had provided a number of excellent ideas for useful reports that could be generated from Lansweeper. The main difficulty in making the Lansweeper info available to OU Admins is the need to protect the data and make sure appropriate access is granted and inappropriate access is disallowed.

Core Services status

Wayne reported that he has moved most of the larger departments over to the new file server cluster and hopes to be done with that by the end of the month. Winnie reported that there have been no issues in doing that from the departmental view.

While we are trying to hide the previous versions "restore" button there may be instances where individual machines have that (due to SP3 not being pushed for example). We need to be careful in how we introduce our users to this so that problems don't arise from a person restoring an entire shared folder to a more recent date. Basically, previous versions should be restored to a separate folder and you can drag out individual files you want--rather than replacing an existing folder in a wholesale fashion (which is what the "Restore" button does).

Let Wayne know if any of you want quotas set for your OU. Currently, Wayne uses those to cap overall usage and provide some breathing room for individual LUNs, but it is easy to set those to match what a particular OU Admin might wish. We have eleven 2TB volumes and four 700GB volumes and Wayne has tried to spread things around so that each volume is at roughly 50% utilization. That means we have plenty of capacity for future growth.

As has been discussed previously, we are still looking to get rid of PST files on the file server. Lance mentioned that he had run into Exchange quota difficulties in trying to wean his users off PSTs. Moving the contents of those on-line will require coordination with UF Exchange to assure that quotas aren't exceeded. Lance said that Dwight Jesseman had indicated that they were not yet ready to support doing that on a widespread basis due to their current workload.

ePO version 4 status

Wayne reminded folks that we are still pushing the CMA 3.6 agent via login script rather than version 4.0. This is being done because the older version supports embedded credentials and can install whether or not the user has admin privileges. That broke in the newer agent, unfortunately. If you are setting up new machines and are using your IF-ADMx credentials, you can and should install version 4.0. McAfee VirusScan 8.7i seems to have caused few problems and that is recommended for new installs as well.

Wayne mentioned that the CMA and VirusScan installs should be accessed via the DFS share at \\ad.ufl.edu\ifas\SECURITY-TOOLS. He is changing things on the backend so that using a path directly to the server will break.

Wayne also reminded folks about an ICC-L message he had sent previously regarding the need to delete some registry keys on clone masters for those using imaging tools.

Status of SharePoint services (prior discussion)

Steve mentioned that there had been some discussion of SharePoint at Wednesday's ITPAC meeting as a replacement for the collaboration previously supported by public folders on our file servers. Steve mentioned that no IFAS-wide document library is available and the consensus was that OU Admins would have to set up individual libraries and permission those as needed in order to support collaboration between, for example, departments and RECs.

Winnie asked where we were on supporting separate non-Gatorlink accounts for collaboration with outside organizations. The capability is there technically, but supporting that is something we need to consider very carefully as it could lead to a tremendous amount of administrative effort on our part. There is also a more general concern from the server administrators that this system was placed into production without properly considering and providing resources necessary for its continued support. We are making changes to a production system rather than doing this first in test and primary support is being done by Ben Beach in District Support rather than by someone within the IT/SA group. While Ben has done an admirable job, we need to resist expanding services when additional resources for their support are not forthcoming.

Videoconferencing topics

Steve had learned from Dean Delker that the bridge was so busy yesterday that they actually ran out of ports. Dean was surprised by this unexpected demand and with so many things happening at once he failed to bring up one of those events on the backup bridge; that would have prevented port saturation and made things easier for him overall. Patrick Pettus is getting closer to deploying the Tandberg Management System software, one feature of which is to load balance between two Codian MCUs, and hold a third in backup. That is the long-term solution for such occurrences.

Patching updates...

Microsoft

It was a light patch month for Microsoft with one "critical" patch and one "important" patch.

Third-party apps

There is a recent critical patch for Adobe Reader and Acrobat prior to version 9 as well as a new recommended update for Java, Version 6 Update 10. This latter one promises to finally support "in place" upgrades. That would be a welcome relief to having to uninstall earlier versions separately. PageMaker is another application that needs to be patched and the latest Flash update to version 10 causes problems for Articulate users.

MS Office News update

Steve mentioned a problem he had run into on one machine with using Excel 2007. If a spreadsheet was opened by double-clicking the file in Explorer, the file took several minutes to even begin to open. If the user immediately minimized Excel and then restored the window, the file then began to open immediately. This would not happen if Excel was run first and the file opened from there. It also only affected the first instance. Double-clicking a second file did not cause this delay.

Steve had Googled around and found various possible explanations/fixes -- none of which worked. He finally found the cure in a forum posting. Basically, installing any of the Excel add-ins (e.g., “Analysis Toolpak” or “Solver Add-in”) fixes the problem:

  1. Run Excel
  2. Click on the circle-thingie in the upper-left corner of Excel and choose the “Excel Options” button
  3. Then select Add-Ins from the column at left and at the bottom, making sure it says “Excel Add-ins”, click on the “Go” button
  4. Try adding one of those by selecting it from the list

Hopefully this might help others should they run into similar problems.

Public folder file deletion policies and procedures status

Steve mentioned having raised notice on this issue at ITPAC on Wednesday. Public folders are already gone for the most part. Wayne said that individual "public" folders will be created for specific users on a request basis, however.

Job Matrix Update status

Steve wants to leave this matter as a standing agenda item for future discussion.

Remedy system status

Steve wants to leave this matter as a standing agenda item for future discussion.


The meeting was adjourned early at about 11:05 AM.