ICC Meeting: IFAS COMPUTER COORDINATORS
[NETMGRS] CNS NEWS: N0505--New BlueCat DNS and DHCP Server

CNS NEWS: New BlueCat DNS and DHCP Server
CNS Document ID: N0505

In March 2011, CNS Network Services will begin a migration of CNS DNS and DHCP services to Bluecat Networks' IP Address Management (IPAM) system. This Bluecat implementation will allow us to manage our IP Space and Name Space from a single, secure, Web interface. With the explosive growth in IP addresses and related services (DNS, DNSSEC, DHCP, IPv6), it is increasingly important for us to manage and coordinate our services and the software and hardware that support them.

A new feature of this address management system will allow us to offer you the advantages of a central DNS service while allowing you to customize and manage your zone according to your needs. If you are not currently using CNS DNS services, you may wish to consider that there are real advantages to using a centralized service that still allows you to manage your own area. For example, syntax errors are prevented by the Bluecat software and you no longer have software or hardware to maintain for this service.

We are planning a phased project implementation. For phase one, customers do not need to make any changes. The initial deployment will be internal to CNS as we plan to leave the current DNS/DHCP structure in place and to run the Bluecat implementation in parallel. For this phase we expect that customers will notice no difference in services or procedures. If all goes well with phase one, the next phase of our project will begin later in March. At that time, we will publish another announcement detailing what is needed to migrate to the new services as well as an option for you to move your current DNS service to our central service.

Questions and/or comments can be sent to NS-SOFT-L@LISTS.UFL.EDU.

Your Comments are Welcome
UF Computing & Networking Services
An update was provided just yesterday:
[NETMGRS] Bluecat (DNS) Update

Implementation of the Bluecat system has progressed to the point where we are going to start moving the source of our primary zones from our current hidden master to the Bluecat hidden master. This will be done in a phased approach starting with lower-name.server.ufl.edu (128.227.128.254). Once validation of the change is determined to be successful on lower-name we will move name.ufl.edu (128.227.128.24). This process will continue with other servers in our current DNS service until all are moved. What does that mean to you?

That's it. We expect this change to be transparent to the customers. Soon, we will be posting another announcement containing details of changes needed to start using the new Bluecat service. Please send any questions and/or comments to ns-soft-l@net-services.ufl.edu.

** You may notice in your DNS logs that starting last night there are two new nameservers (ns1.name.ufl.edu - 128.227.30.234 and ns2.name.ufl.edu - 128.227.30.238) trying to initiate zone transfers. These are the zone transfer addresses of the new Bluecat nameservers. If you would, please make whatever changes are necessary to your nameserver to allow zone transfers from these two addresses. Please note that these addresses should not be used for DNS resolution. If you have questions or concerns regarding this matter, please reply to this email as soon as possible.

Network Services Home page: http://net-services.ufl.edu
Chris Leopold mentioned that he would have liked to have known earlier that CNS was looking into BlueCat. He feels a bit uncomfortable learning of such things only after they are essentially in production. With the demise of the ITAC-NI, there seems to be little or no transparency regarding strategic planning at CNS Net-Services. That CNS group had traditionally been the most forthcoming among the various CNS services in the past.
Dennis Brown asked if/when IFAS might move to CNS's BlueCat offering. Chris Leopold responded that this will have to be examined in great depth. He believes this depends greatly on what UFAD does and how remote sites would be handled. We will continue on as before until the various issues can be studied thoroughly, but Chris realizes that IPAM is likely to become increasingly important for managing UF's IP space and ensuring security down-the-road.
Steve mentioned that, perhaps because he is now doing more remote management, he is discovering that name resolution (especially WINS) can be quite poor. He has taken to specifying the FQDN rather than the NetBIOS name when connecting via RDP, for example (i.e., if-machinename.ad.ufl.edu rather than just if-machinename). Otherwise, he often ends up at a different machine than the one intended.
Steve raised the issue to OSG and Luis hadn't even realized they ran WINS; he did suggest looking into its need and potentially removing it down-the-road. Andrew Carey said that he was in favor of halting the publication of WINS on our DHCP scopes but wanted to discuss whether or not anyone had situations that required WINS. Santos Soler mentioned that Macintoshes use WINS to get to copiers running on embedded Linux; that was an issue he had seen previously that had prevented WINS removal.
Chris Leopold mentioned that WINS could be applied very granularly if the need arose, using it for certain scopes and not others or even applying it just to individual reservations as proved necessary.
UF Exchange Project updates (previous discussion)
Contacts issue with the Exchange 2010 migration
Andrew Carey said that GAL entries will overwrite matching contact entries via a synchronization process in Outlook 2010. This could cause great problems for people who use contact entries to shadow and enhance contact data from the GAL. That "feature" can be disabled via Group Policy, however, and this is something which Andrew suspects IFAS will have to implement--though it could be done granularly if desired.
Dennis Brown mentioned that he has a faculty member who has been trying to get email they deleted restored. Dennis has worked with Luis and it would appear that the only possible solution would be a restoration of the entire UF Exchange system from tape--essentially disaster recovery--something which they obviously would not want to do. Dennis noted that this situation will supposedly improve with Exchange 2010 as they will then have the capability of restoring individual mailboxes. Andrew said that he believes their plan is to use DPM to permit that in the future. Wayne Hyde pointed out that having the capability and being willing to do it for "mere mortals" is another (FTE) issue.
Centralized FAX service via Exchange (previous discussion)
Updates not available...
Sakai e-Learning System now in production (previous discussion)
Updates not available...
IT survey is coming (previous discussion)
Dan Cromer reported that this is still pending, but it was his understanding they are contracting with Dell to inventory things via the network. Francis Ferguson mentioned that this is going to be difficult in some counties that are unlikely to provide the necessary access.
Outsourcing of DE course development (previous discussion)
Steve asked Dan Cromer if he was aware of anyone within IFAS who has used this outsourcing. Dan responded that this would cost money and Ron Thomas will do it for free. If this is an on-book course you can also go to the CITT. Consequently, he wouldn't expect anyone within IFAS to go this route.
Alternate IFAS domains in e-mail
Updates not available...
Electronic Copy - Print Output Cost Reduction program (previous discussion)
Dennis Brown asked about the status of this program, saying he thought about it every time he ordered a new printer. Dan Cromer responded that this program will not directly affect desktop printers. Rather, it is meant to change the way departmental copiers are purchased and used. UF would contract with an outside vendor to supply copy machines on a strictly per-page charge basis. Our only involvement might be assisting in defining these hosts to UFAD.
Steve mentioned that departments who had just shelled out for new copiers might not be too happy about having those swapped out immediately. Dan responded that this is one aspect that must be considered. It is just a plan so far and the ITNs are yet to go out.
myuf Market (previous discussion)
Steve wants to keep this on our agendas in case discussion seems warranted.
Split DNS solution for UFAD problems
Steve wants to keep this on the agenda for future reference.
Santos Soler reported that he is waiting on memory and space to be allocated. This will be run in our virtual environment, so getting rid of old servers that are not being used is a necessary first step in order to generate the space and free up the virtual resources.
Updates not available...
Updates not available...
New virtual infrastructure being planned and spec'ed out
Updates not available...
There continues to be no progress on the documentation which was to happen prior to announcement. Since this has never been formally announced, the matter remains on the agenda as a standing item.
Windows 7 Deployment via the WAIK, MS Deployment Toolkit 2010, USMT 4.0, WDS, and SCCM
Free Windows 7 Deployment Training for UF IT Staff
Great news (for local folks at least)...
Message from Tarrie Van Horn to various lists:

With the arrival of Windows 7, Microsoft now offers a better deployment solution than previous versions. Still, Windows 7 can overwhelm even the most experienced network administrators. Vice President and CIO Elias Eldayrie is pleased to announce that UF Information Technology will host a free, 3-day class by Microsoft Windows® Deployment Expert Rhonda Layfield for members of the UF IT community. The “Deployment Done Right” class will be held April 20-22 in Smathers 1-A. The class meets each day from 8:00am to 5:00pm, with a one-hour lunch break. All class fees and materials are free of charge to UF IT staff, but pre-registration is required.

In this 3-day class, Layfield will take you from booting a bare metal machine to deploying a complete custom installation of Windows 7 or migration from Windows XP. You will receive step-by-step guides to take back to your own environments that will help you avoid the most common--and very time consuming--mistakes.

About the Instructor: Rhonda Layfield is an internationally in-demand instructor with 30 years of experience in IT. Layfield writes for Windows ITPro magazine and is a co-author of Mastering Windows Server 2003 Upgrade Edition for SP1 & R2 and Windows Server 2008 Networking Foundations from Sybex. Layfield is also a Setup and Deployment MVP and Desktop Deployment Product Specialist (DDPS).

Class Pre-Requisites: Anyone registering for this course should have a basic understanding of networking and experience installing Microsoft operating systems. A working knowledge of a virtual environment (either HyperV or VMWare) would be helpful but is not required. The instructor will be using VMWare Workstation for all demonstrations.

Visit the UF IT Web site’s Training section to view the class outline or for more information.
Erik Schmidt had related seeing her speak at Tech Ed and other conferences, saying that she’s world class at what she does. Erik mentioned that she’s also married to Mark Minasi (who presented here a few years back) and has picked up a few of his tricks, so you can expect an interesting and lively presentation. Don't forget to register!
Windows 7 SP1 via WSUS
Wayne Hyde had reported an easy means of updating Windows 7 to SP1 using WSUS via GPO:
Message from Wayne Hyde to the ICC-L:

For those of you who wish to push SP1 to your Windows clients once Microsoft releases it to WSUS, I have created a new WSUS target group “7SP1” that will allow you to push the service pack to your clients. Once enough testing has been done across IFAS, SP1 will be approved for all clients. You will need to modify your OU’s computer GPO (IF-OU Computer) to add the new target group. See the WSUS discussion from http://icc.ifas.ufl.edu/ICCminutes/ICCmin3-12-10.htm#patching for details. If you aren’t comfortable modifying the GPO please contact me and I will assist you.

If you want to push SP1 to a few select computers you can create a new GPO with filtering or create a sub-OU with a linked GPO to limit the machines the update is installed on. The new GPO would only need the “Enable client-side targeting” setting and set so the GPO precedence is higher than your “IF-OU Computer” GPO. The target group setting for a department on campus to push SP1 is:

(Yes, the IE8 setting would be superfluous for Win7 hosts)
Steve pointed out that there is no great hurry to push this out. You may want to peruse The Windows Servicing Guy blog for known issues and recommended checklist preparation before moving wholesale on this as there have been issues in some cases--as mentioned recently on the CCC list.
Kevin Hill mentioned that he has pushed that out for his OU without problems so far. He estimated there might be another 15% of his machines yet to take that.
UF SCCM Support Group
Steve mentioned that he doesn't have a server to play with so he is pretty much on the outside looking in--he is monitoring the SCCM-L list however and finding it interesting.
Nick Smith said that he is trying to work with SCCM a little each day. Currently he is having an issue with PXE boot that Andrew has been helping with. Everything else (except OSD) seems to be working well, however. He has pushed JRE updates to FHSN successfully, though there were a few errors. If you would like to use that in your OU, just let Nick know. He can create a collection for you and advertise it to your systems.
Steve is surprised that Nick has met this with success. Steve noted that he has been foiled in his attempts to patch JRE via PSExec. If a user has the browser open during patching the install ends with an error which actually requires removing the program directory prior to reinstalling.
Steve asked if Nick was using SCUP and Nick responded that this would require WSUS and would have to be coordinated with Wayne; having two WSUS servers might cause a problem.
Exit processes, NMB and permission removal (prior discussion)
Updates not available...
Re-enabling the Windows firewall (prior discussion)
Updates not available...
Services Documentation: Is a Wiki the way? (prior discussion)
Updates not available...
New DHCP reservation site created
Santos Soler has created a new DHCP reservation site which you may use to request reservations. This form creates a Remedy ticket, though Santos still has some minor issues with that aspect which he is working out. Steve mentioned having used it successfully twice in the last several days. Steve commented that it might be nice to add documentation links to assist new IT folks in learning the recommended conventions for hostnames and descriptions. It was noted that some details are already available on SharePoint which might be linked.
Restoration of back-ups on the file server
Wayne Hyde intends to document and announce proper usage as time permits.
Membership of ". IFAS-ICC" email distribution group to be narrowed to ICC members only (previous discussion)
Steve will keep this as a standing item on our agendas for now as a reminder. The ICC distribution list is more targeted and restricted to IFAS IT support folks only.
IFAS efforts toward Green IT (previous discussion)
Updates not available...
Creating guest GatorLink accounts: singly or in bulk (prior discussion)
Steve had left this on the agenda in case further discussion was deemed warranted.
Can IFAS support DirectAccess in the future? (prior discussion)
Steve wants to keep this topic on our radar.
Moving away from the IFAS VPN service (previous discussion)
Updates not available...
VDI desktops as admin workstations (previous discussion)
Wayne had mentioned that VMware View 4.6 was released a couple of weeks ago. Any upgrades of our VDI infrastructure will have to wait until between semesters, however, in order not to cause problems for our users.
Steve noted that there is now a VMWare View client for the iPad that looks pretty nice. Wayne responded that VMware View 4.5 requires a direct connection between the client and the VM you are talking to; you can get the new client to connect currently if you run a VPN first. Once the server-side is upgraded to 4.6 the connection should be possible using PCoIP, removing the need for a VPN connection.
Wayne's Power Tools (prior discussion)
Updates not available...
Computer compliance tool in production (previous discussion)
Chris Leopold recently updated the IFAS Policy Compliance Checker tool. Microsoft’s decision to remove Windows Registry Reflection in Windows 7 and Windows Server 2008 R2 was causing some issues with the previous code. This update led him to consider other enhancements and he currently has a new release candidate which he announced to the ICC a couple of days ago:
Message from Chris Leopold to the ICC-L:

Guys, I have made some major “improvements” to the IFAS Policy Compliance Checker application. As an example, I recompiled the code to be a windows-based application instead of a console-based application. I would like to ask that you test the new code on several machines within your unit. Based on the number of positive responses, I’ll push the new code this weekend into production. Thanks again for the helping hand.

CRLE

Changes that were made to the application:

Testing Directions:

1. Open a Command Prompt: In the “Open” box type “CMD” <- This will open the command line interface
2. From within the command line interface type:
   \\ad.ufl.edu\netlogon\ifas\ipcc-rc \\ad.ufl.edu\netlogon\ifas /s <- non-interactive mode
   or
   \\ad.ufl.edu\netlogon\ifas\ipcc-rc \\ad.ufl.edu\netlogon\ifas <- interactive mode

If your system is already in compliance, there won’t be much more than two events in the application log: “IFAS Policy Compliance Checker v1.2 (RC) Started Successfully” and “IFAS Policy Compliance Checker v1.2 (RC) Ended Successfully”.

If you really want to mix things up, make your system non-compliant by doing the following: Change the startup-type for the Background Intelligent Transfer Service from “Automatic (Delayed Start)” to “Disabled”. Make sure that you change it back once testing is completed.
Chris Leopold provided a quick demo (listen at the 01:08 point in the streaming audio).
Chris asked folks to get with him if they have any other tests they would like added to the compliance checker tool. Wayne suggested that we might add a test to see if machines are updating their GPO settings--something that would check a GPO setting which we could modify periodically. His experience with WSUS has shown that we have a significant number of machines which are not processing GPOs properly.
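As an added example (not the IFAS Policy Compliance Checker's own code), the PowerShell script below combines three of the checks discussed on this page: the BITS startup-type test from Chris's testing directions, the WSUS client-side targeting group from Wayne's SP1 message, and the "GPO canary" test Wayne suggested above. The canary registry path, value name and expected value are placeholders to be replaced with whatever your own GPO delivers.

```powershell
# Added example; reads the registry rather than Get-Service so it also works on
# PowerShell 2.0 (Windows 7). Returns one result object per test and exits non-zero
# on any failure so a scheduled task or SCCM program can flag the machine.
param(
    [string]$WsusTargetGroup = '7SP1',
    # PLACEHOLDER: a value pushed by one of your GPOs that the admins change periodically
    [string]$CanaryPath   = 'HKLM:\SOFTWARE\Policies\IFAS-PLACEHOLDER',
    [string]$CanaryName   = 'GpoCanary',
    [string]$CanaryExpect = '2011-03-11'
)

function Test-Item {
    param([string]$Name, [bool]$Pass, [string]$Detail)
    New-Object PSObject -Property @{ Test = $Name; Compliant = $Pass; Detail = $Detail }
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$results = @()

# 1. BITS startup type. Start=2 is Automatic; DelayedAutostart=1 makes it the
#    "Automatic (Delayed Start)" variant. Disabled would show Start=4.
$bits    = 'HKLM:\SYSTEM\CurrentControlSet\Services\BITS'
$start   = Get-RegValue $bits 'Start'
$delayed = Get-RegValue $bits 'DelayedAutostart'
$results += Test-Item 'BITS startup type' (($start -eq 2) -and ($delayed -eq 1)) `
    "Start=$start DelayedAutostart=$delayed (expected 2 / 1)"

# 2. WSUS client-side targeting. The "Enable client-side targeting" policy writes
#    TargetGroupEnabled and TargetGroup here; several groups are separated by ';'.
$wu      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$enabled = Get-RegValue $wu 'TargetGroupEnabled'
$groups  = [string](Get-RegValue $wu 'TargetGroup')
$list    = $groups -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$inList  = $list -contains $WsusTargetGroup      # -contains is case-insensitive
$results += Test-Item "WSUS target group '$WsusTargetGroup'" (($enabled -eq 1) -and $inList) `
    "TargetGroupEnabled=$enabled TargetGroup='$groups'"

# 3. GPO canary: if the value the admins last pushed is not present, this machine
#    is not applying Group Policy, whatever else looks healthy.
$canary = Get-RegValue $CanaryPath $CanaryName
$results += Test-Item 'GPO canary current' ($canary -eq $CanaryExpect) `
    "found '$canary', expected '$CanaryExpect'"

$results | Select-Object Test, Compliant, Detail | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```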
Folder permissioning on the IFAS file server
You are reminded to please take the time to read and implement the new standards. If you have any questions get with Wayne or Steve.
Disabling/deleting computer accounts based on computer password age
This is yet another matter for which finding time for implementation is proving difficult. Steve wants folks to remember that Andrew Carey has a good plan for dealing with this which he simply has had no time to address. In the meantime, it would be very good of each OU Admin to consider mimicking the proposed plan manually by keeping their own records and deleting any computer objects which have been disabled for 90 or more days; Wayne's Power Tools can identify those. Steve has finally begun doing that for his own unit and it has made his view within ADUC much more agreeable.
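An added example of the two-stage lifecycle described above, written here for illustration and not taken from Andrew Carey's plan or Wayne's Power Tools: it uses the ActiveDirectory module (RSAT on Windows 7 / Server 2008 R2), disables computer objects whose machine password is stale and records the disable date in the Description, then removes objects that record shows have been disabled for 90 or more days. The OU and the 90-day password threshold are assumptions; run it with -WhatIf first.

```powershell
# Added example. Stage 1 disables and stamps; stage 2 deletes from the stamp.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # PLACEHOLDER OU: scope to your own unit's OU, never the whole domain.
    [string]$SearchBase = 'OU=MyUnit,OU=IFAS,DC=ad,DC=ufl,DC=edu',
    [int]$StaleDays = 90,       # members rotate their password about every 30 days by default
    [int]$DeleteAfterDays = 90  # Steve's "disabled for 90 or more days" rule
)
Import-Module ActiveDirectory

$stamp       = 'DISABLED '      # marker written at the start of Description
$pattern     = '^' + [regex]::Escape($stamp) + '(\d{4}-\d{2}-\d{2})'
$today       = Get-Date
$staleCutoff = $today.AddDays(-$StaleDays)

# Stage 1: disable enabled computers with a stale machine password. Domain controllers
# (primary group RID 516) and RODCs (521) are skipped; they are not workstations.
$stale = Get-ADComputer -SearchBase $SearchBase -Properties PasswordLastSet, Description, PrimaryGroupID `
    -Filter { Enabled -eq $true -and PasswordLastSet -lt $staleCutoff } |
    Where-Object { $_.PrimaryGroupID -ne 516 -and $_.PrimaryGroupID -ne 521 }

foreach ($c in $stale) {
    $age = [int]($today - $c.PasswordLastSet).TotalDays
    if ($PSCmdlet.ShouldProcess($c.Name, "disable (password age $age days)")) {
        Disable-ADAccount -Identity $c
        # Keep the old description after the stamp so nothing the OU admin wrote is lost.
        Set-ADComputer -Identity $c -Description ("{0}{1} pw-age {2}d; was: {3}" -f `
            $stamp, $today.ToString('yyyy-MM-dd'), $age, $c.Description)
    }
}

# Stage 2: delete computers that our own stamp shows disabled for DeleteAfterDays or more.
# Objects disabled by hand without a stamp are left alone for a human to review.
$disabled = Get-ADComputer -SearchBase $SearchBase -Properties Description `
    -Filter { Enabled -eq $false }

foreach ($c in $disabled) {
    if ($c.Description -match $pattern) {
        $since = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
        $days  = [int]($today - $since).TotalDays
        if ($days -ge $DeleteAfterDays -and
            $PSCmdlet.ShouldProcess($c.Name, "delete (disabled $days days)")) {
            # Remove-ADComputer fails on objects with children (e.g. BitLocker recovery
            # info); those surface as errors for manual handling rather than being forced.
            Remove-ADComputer -Identity $c -Confirm:$false
        }
    }
}
```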
Core Services status (previous discussion)
Updates not available...
Updates not available...
Status of SharePoint services (prior discussion)
IFAS migrating to centralized MOSS
Santos Soler has been asking about this. The last he heard they had purchased some software to do the move, but it didn't work well. Now they are apparently looking at another piece of software. Chris Leopold mentioned that Ben Beach has provided Buck an administrative account so he can peruse our system.
Public folder file deletion policies and procedures status
Nothing further was available on this topic at this time.
Microsoft
The March Microsoft patches included three bulletins (one "Critical" and two "Important") covering four vulnerabilities affecting various Windows versions as well as Groove 2007 SP2.
McAfee provides podcasts on the highlights of each month's offerings and another podcast summary of these patches is provided by "Security Bulletins for the regular IT guy".
Java
Java SE 6 Update 24 was released about the middle of last month.
Dennis wondered why he wasn't getting more UFIRT notices considering he knows he has out-of-date JRE installations. It is believed that those notices are not based on machine scans, but rather exploit attempts were being flagged via network activity. Not all out-of-date installations stumble upon sites that try to take advantage--thank goodness.
Adobe
Adobe Flash Player 10.2.152.32 was released March 2nd. It had only been a short time since the last release (10.2.152.26) and this latest version is apparently NOT a security release.
MS Office News update
Updates not available...
Job Matrix Update status
This is here as a standing topic--no discussion this month.
Remedy system status (previous discussion)
Updates not available...
The new Microsoft Campus Agreement
Dan Cromer has asked that this be posted on the web, but in the meantime, he has made a couple of items available at http://it.ifas.ufl.edu/misc/: a presentation and a summary. He wanted to note that VDI rights for UF Students are now included.
Site audit at Ft. Pierce includes IT section
Marvin Newman mentioned that Ft. Pierce has been audited by UF's Office of Audit and Compliance Review. During the discussion Dan Cromer provided Steve a copy of the associated IT Questions and References via e-mail. Once he saw the questions, Steve then recognized this as something which he had been provided as hardcopy from his departmental fiscal person. He noted that he had answered "yes" to all items and initialed each. Dennis Brown added that he had done the same. Steve had not received a copy of the Reference document, however.
While some seemed amused that Steve would blithely answer "yes" to all, Steve responded that there is really no other acceptable answer. It is not that these issues are being ignored. Steve is doing his best with each of these items already given available resources. If further refinement is necessary then he feels it incumbent upon administration to provide support for doing so.
RODC issues at remote sites
Chris Leopold mentioned that OSG has been having SYSVOL replication issues and currently there are eight sites that are not working (Baker, Belle Glade, Columbia, Dade, Lady Lake, Ona, Polk, and Putnam).
Kevin Hill said he is not very enamored with these new RODCs as they continue to have problems with extremely slow login scripts. Chris Leopold mentioned there were issues originally with users and computers getting properly associated with the local sites--but those issues should be mostly resolved by now. Kevin said that his resources were correctly populated, but the problems have persisted. Andrew Carey responded that he doesn't believe the RODCs are the culprit, however; he suspects that the problems are related to DNS and that they would still be happening even if a full DC had been deployed.
Chris said that ITSA will take this seriously and continue to look into the causes. Kevin mentioned he might utilize Wireshark to try and get a better handle on what is going on.
Steve suggested that Kevin might populate his users' machines with UNC shortcuts to network resources in the meantime; that could help people in getting to their shares more quickly. With XP Steve has always added a "Places" folder to the "All Users" start menu which contains UNC shortcuts to locations. He also puts a desktop shortcut to that folder to make it easily accessible. People can copy those to their QuickLaunch toolbar to provide even easier access.
UAC settings egregious for users?
Updates not available...
PDF-Xchange (prior discussion)
Updates not available...
The meeting was adjourned about five minutes early at around 11:55 AM.