IFAS COMPUTER COORDINATORS
(ICC)
NOTES FROM February 9th 2007 REGULAR MEETING
A meeting of the ICC was held on Friday, February 9th, 2007. The meeting was chaired and called to order by Steve Lasley, at 10:12 a.m. in the ICS conference room.
PRESENT: Ten members participated.
Remote participants: Mike Ryabin, Louise Ryan and A. D. Walker.
On-site participants:
David Bauldree, Dennis Brown, Dan Cromer, Dwight Jesseman, Winnie Lante, Steve Lasley and Kamin Miller.
STREAMING AUDIO: not available
NOTES: (from memory)
Agendas were distributed and the meeting was called to order about 12 minutes late. We had been waiting to see if we could arrange streaming, but that proved impossible.
Thanks to Marion Douglas, the Polycom connection did work properly this time, however, and we had three remote participants via that method from two different sites. My apologies to those who tried and were unable to listen via our usual streaming.
New members:
Steve welcomed Kamin Miller to the ICC. Kamin is a new OPS Tech at Horticultural Sciences and is soon to move to Plant Pathology where he will assume the position that Mark Ross vacated.
Andrew Carey is joining IT/SA as the new AD lead, filling the position vacated by Chris Hughes. Andrew was previously a Coordinator of Computer Applications with Operations Analysis here at UF, working for David Gagne. Andrew's job responsibilities there included supporting Windows XP and 2000 workstations, Windows 2003 and 2000 servers integrated with UF Active Directory, and installing and maintaining Exchange 2003 and Blackberry Enterprise Server 4.0 Servers. Andrew designed and implemented the Operations Analysis Helpdesk Request System. He also participated in the OFA migration to UFAD and led the migration from Exchange 5.5 to 2003. We are very happy to welcome Andrew to Chris Leopold's IT/SA group and the ICC.
Regarding the open DB Administrator position, the posting for that closes today and hopefully there will be a good pool of candidates from which to choose. The announcement for this job was as follows:
Expected starting salary is $55,000 to $70,000 annually;
commensurate with education and experience.
This position is primarily responsible as SQL database adminstrator
for IFAS teaching, research, extension and administrative computer
applications.
Essential Functions:
1. Support IFAS SQL servers with database administration, including,
but not limited to, database creation for Web applications and
monitoring SQL applications and backups.
2. Responsible for the assessment of internal and external UF/IFAS
client needs for Information Technology services and products.
3. Develop components for complex web based tools and multimedia
products, such as dynamically generated web services, HTML, DHTML, XML,
Gus, interactive CD-ROM, PERL, Java Script and Applets. Design and
develop software tools and components for creation of text and graphic
databases and presentations.
Minimum Requirements:
A high school diploma and four years of any combination of relevant
experience, education and/or certification. The level of expertise and
skill required to qualify for a position in this classification is
generally attained through combinations of education and experience in
the field. While such employees commonly have a bachelor's or higher
degree, no particular academic degree is required.
A valid Florida Driver's License is required.
Recap since last meeting:
As per his usual procedure, Steve pointed folks to the notes of the last meeting, without going into any details.
Report from the February ITAC-NI meeting
Steve briefly recapped what had been discussed at this ITAC-NI meeting and referred people to the ICC notes for that meeting.
Report from the February ITPAC meeting
Again, Steve briefly recapped what transpired at the quarterly ITPAC meeting. Dennis Brown represented the ICC at this meeting due to Steve being home sick. We were sucessful in getting the support Mark Ross needs to proceed with reorganizing IFAS course websites so that they are more easily maintainable. ICCers are referred to the ICC notes for that meeting for more details.
Policy
IT Governance sub-committee status report
We briefly discussed how the IT reorganization basically has been on hold while the upper-level administrative reporting and advisory structure for IT is being sorted out. It is not so much the structure of IT itself that is in question, but rather how the office of the CIO plugs in to the overall UF administration structure. There are a number of rumors on how that may unfold, but no actual details yet.
Dennis asked if we should just disband the ICC IT Governance sub-committee. Steve said that he preferred to leave the details of that in place for now. Dan agreed that he expects the eventual opportunity for feedback and the ICC could be involved in providing that--possibly via this subcommittee.
Recommendation: autogroups for *selected* roles
This item was not discussed but is being kept on the agenda for future consideration.
Split DNS solution for UFAD problems
Steve mentioned the considerable problem of wireless access causing great delays in non-wired laptop startups logging on with cached credentials. There are a number of workarounds, but all are problematic. One can simply avoid joining a laptop to the domain, implement local accounts, and use a VPN to access network resources. Some have reported that keeping the LAN connection above the Wi-Fi in connection bindings may help, but Steve's own experience shows that to not be a universal cure by any means.
He has been in discussion with the UFAD folks on the matter and the consensus is that the solution lies in implementing for UF what Mark Minasi terms a split-brain DNS. The problem is that a number of situations occur where domain-joined computers can find the DCs via DNS but can't actually access them, so they cycle through the list of DC's, timing out at each. This is a problem for domain-joined computers that are connected to the Internet outside our UF network as well.
Since laptops cache the DC DNS entries, even a split-DNS may not be enough to resolve this issue however. Joe Gasper suggested that perhaps doing a "dfsutil /pktflush /spcflush" at computer startup might help. There are also certain well-respected folks, like Todd Myrick (NIH/CC/DNA) who do not recommend Split-brain DNS:
"On the topic of DNS and Split-Brain DNS support. My past experiences have
taught me to avoid Split-Brain DNS unless you like daily pain and the politics
are two strong that you are forced to use it.
Here are some of the things you run into with Split-Brain designs. Laptops
that register A and PTR records multiple times with different IP. Our KCC
script picks these up each night. VPN users who register names at home and
at work. Now keep in mind, the politics of my organization allow secure and
non-secure updates to our DDNS, and the DHCP service sometimes proxies
registrations of down-level clients in some organizations. In addition, if
you use split brain DNS and have multiple domain trees, delegated DNS, and
firewalls, you will find yourself having secondary or stubs hosted on your
DDNS servers. Also if your webmasters happen to use a URL of .
to resolve web addresses and your AD is named the same as the URL, you will
find that the URL doesn't work cause the DC's are intercepting the request.
So internally you will have to train people to use www..
My recommendation going forward is to never do Split-DNS again. Use a TLD
of .AD or .LAN. Especially in large environments. We did a lot of work to
get this to work, and while it does work pretty well, it is an unnecessary
operation IMHO.
A lot of my early influence to use split DNS was from experts like Mark
Minasi, and MCS when they insisted that you register your domain just in
case you plan to use it later. I refer to this as when I was young and
drinking the 1.0 AD cool-aid. I bought into using DNS and mirroring and
one day replacing the UNIX DNS. My attitude now is let a third party or
edge device host the forward facing DNS. Let DC's host the internal DDNS
namespace as integrated zones and allow only secure updates, and don't
allow DHCP to proxy down-level client registrations. What is the point of
letting third-party devices register dynamically is my opinion.
My opinion has changed on other AD design ideas as well since the release
of ADAM and MIIS.
So in summery just say no to split-brain.
In any case, UFAD staff is aware of the problem and the fact that it affects a great number of our users adversely. The problem there is the same as most places; they have many projects and are short staffed. Resolution is unlikely to be a trivial affair. Steve has asked Dan Cromer if he would consider raising the matter for discussion at an upcoming ITAC UFAD Committee meeting--perhaps, to increase the priority of the issue. Dan has agreed to do that. The issue of split DNS has also been added to the agenda for the upcoming UFAD meeting on February 15th.
Projects
IFAS Remedy System
Steve mentioned that he is moving the Remedy system off the projects list to the operations section of the ICC agenda. He is doing that because discussions with Adam Bellaire have cleared up what Steve believes to be the final pending issues with that. There are still a few annoyances which could be fixed, such as the sorting of names within the interface at http://remedyassign.ifas.ufl.edu, but they should not affect the end-user experience.
ICCers are referred to earlier discussion to learn about the evolution of this. Each previous discussion is linked back to the one prior, so you may easily drill back through all our discussions on this over (literally) the years.
Dan Cromer said he would like affirmation from the ICC that the system is ready for announcement to all users via IFAS-ALL. Steve agreed to put out a vote on the matter, with the hope that we could clear up any remaining objections and place the system into "full production".
IFAS WebDAV implementation
As was the case last meeting, Steve passed over discussion on this project because he is aware that no movement has occurred in getting this documented.
Vista TAP and Vista Deployment via SMS and WDS
Steve mentioned that there is a two-week push by the Vista TAP group to complete creation of a standard Vista deployment image for campus use. They intend to create documentation for deploying and customizing with the various deployment tools as well. Steve related that Ben Beach had been unable to attend Tuesday's meeting, but Stephen Reese and Ed Howard from FRED did. Stephen had reported:
The meeting got off to a slow start, but we began with determining what installs
and options should be defined in the base image that will be available to all of
campus and possibly become preinstalled on the computers from DELL. Next we began
an overview of how to create an image and answer file using WAIK. The next meeting
the base image will be developed and tested. I have sent a message over to the
Vista TAP group to see where the notes and documents for the meeting are going to
be posted since I haven’t seen anything on the Vista TAP site yet...
Stephen intends to attend next week as well and hopefully can keep us in touch with what transpires.
Steve mentioned his hope that Mark Ross or one of the other IT/SA staff might find the time to re-implement the WDS project which Chris Hughes had initiated previously. Steve sees automated deployment of Vista as offering a huge payback in time savings for IT staff across IFAS.
Removal of WINS
This issue has been tabled indefinitely.
New IFAS IP Plan
Steve believed that little progress had occurred on this since our last meeting. Steve is aware that Marcus Morgan is extremely interested in getting our public IP numbers returned and has asked Dan Cromer to encourage Chris Leopold to complete this project ASAP.
Move to IF-SRV-WEB
Mark wasn't available to discuss this matter, but Steve expressed his hope that ITPAC's support for the reorganization of IFAS course websites may assist him somewhat in getting our web services more ship-shape. That is an enormous job and the sooner it is done, the sooner Mark can devote a portion of his time to other important matters.
Exit processes, NMB and permission removal
Prior exit procedure discussion. Steve mentioned that progress on this is still pending. We remain where we were at our last meeting.
Listserv confirm settings
This is another of those issues which has stagnated due to lack of resources to pursue.
Removing Appletalk from all IFAS subnets
Steve had asked for confirmation from Chris Leopold that this had been implemented. Chris responded that he had not heard and would need to check.
Operations
Security updates
Since Wayne was unable to make the meeting Steve asked if there were any new issues of which folks were aware since last meeting.
Mike Ryabin raised the issue of anti-virus for the Macintosh. Steve and Mike had been in prior contact on this matter. Steve had checked with Nick Hostettler, who is Entomology's Mac support person, on whether or not he recommended McAfee Virex for this. Nick indicated:
I don't run any anti virus software. Having said this doesn't mean I
have this blind trust. The Berkley Kernel may be considered to be among
the most secure of all existing OSs, but my data is not in their Kernel.
Also, some processes have their fingers a bit too deep in the inner guts
for comfort, QuickTime for one.
The latest was that an antivirus software renders a Mac more vulnerable
as some doors are opened for the software to scan. Now, there have been
potential treat for Safari, iTunes and QuickTime, and thus the software
updates are important.
This doesn't mean that one will never have to install one, but if one
believes Symantech the possibility of a virus be written for OS X in use
is next to nil. The widgets did create some apprehensions as due to the
nature how they work there might be vulnerabilities but none has been
reported.
Now, if some one is so stupid as to open many ports and is permanently
connected to the web it's all a different ball game, but it would be then
limited to the computer in question.
As third party vulnerabilities become more prevalent we may need to keep a close look on what we recommend for Mac users. Mike requested that we keep in touch should we learn anything regarding this issue.
Mailbox cleanup
Dwight Jesseman reported a continuing issue with "Users with an IFAS Mailbox not in the IFAS OU". Dwight had raised the issue at this week's ITPAC. Considering the difficulties in implementing robust exit procedures (though we will keep trying), Steve urged Dwight to develop efficient and flexible procedures which best met his own needs--while covering against potential data loss. Should policies ever follow, he could then adapt those to whatever changes they might enforce. By continuing to share his plans with the ICC, Dwight can at least get outside input which may at times assist in that; but Dwight is the expert on this and is the person in position to best decide on how to proceed.
Daylight Savings Time changes
The other topic which Dwight raised relates to preparing for daylight saving time changes in 2007. These changes affect a broad range of software products, including SQL server, Blackberry, Java, Windows Mobile and especially within Outlook.
Dwight reviewed what tools are available and it was generally decided that the installation of necessary patches should be confirmed and then we should prepare to push out the Time Zone Data Update Tool for Microsoft Office Outlook via a machine startup script.
Steve urged people to enter appointment times in the subject line as a "failsafe" recovery method. This change is likely to cause problems for heavy users of Outlook calendars, no matter how carefully we plan. Here is the notice that Susan Bradley is presenting to her users, as posted on the Patch Management Mailing list:
"IMPORTANT FOR APPOINTMENTS BETWEEN MARCH 11 AND APRIL 15
For all appointments placed in anyone’s calendar between March 11, 2007
and April 15, 2007, ensure that you place IN THE SUBJECT LINE of the
appointment the exact time (without referring to standard or savings
time) of the appointment.
Do not rely on the time in the calendar during this time period, only
go by the time that is shown in the subject line. Due to issues with
Daylight savings changes, to ensure that issues are minimized use this
subject line technique to ensure that everyone agrees on the proper
time of the appointment.
If you see an appointment in your calendar without a time in the subject
line, check with the secretaries and/or confirm on the phone with your
client of the time to ensure that you are meeting at the proper hour."
Admin Helper Script and IE7
Steve still does not know where we are with replacing the Admin Helper Script. Again, if people are concerned about that they should contact Chris Leopold. It doesn't solve the Vista problem, however.
Server Status Notification
Dwight asked about why this was a problem. Steve related past discussion. This matter is actually more difficult to resolve than one might expect; there are service dependencies to consider as well as internal processes which can fail w/o necessarily affecting simple port monitoring status reports. John Sawyer had previously recommended Nagios to Wayne as a good way to monitor servers and services. John reported that it is free, but runs on Linux. He said there is a separate project called Fruity that makes the configuration all web based as well.
McAfee Enterprise and the ePO agent
Wayne Hyde had posted an ICC-L message reminding folks about the new ePO agent and the the latest version of McAfee. Wayne has been pushing out the agent and will eventually do the same with VirusScan 8.5i. No serious issues with that have been reported as far as Steve knows. Steve mentioned that he has tried to update the documentation on this (ufad\if-admn credentials required) and would appreciate corrections or additions to those from anyone.
Office 2007 issues
Steve apologized for not having input ready on this. He encourages folks to continue to investigate this new software and report and issues which arise.
Vista issues of interest
Steve recommends reading an article entitled "Faulty RAM issues surface in move from XP to Vista" by Serdar Yegulalp. Apparently, Vista's new memory allocation methods can bring to light hidden memory issues. Interestingly, Vista has a built-in memory test: "From the Start menu, type mem in the Search box to bring up the Memory Diagnostics Tool. When run, it will reboot your computer and run a series of aggressive tests on your system memory, then report the results back to you."
Also worthy of notice, PowerShell 1.0 Installation Package for Windows Vista is now available.
Status of our Public folder file deletion policies and procedures
This is another example of an implementation that has been on hold due to inadequate staffing levels and the lack of time to follow-up with such matters. Implementation, as previously discussed, is awaiting documentation.
The meeting ended early and the meeting was adjourned at about 11:30am.
|