IFAS COMPUTER COORDINATORS
NOTES FROM June 8th 2007 REGULAR MEETING
A meeting of the ICC was held on Friday, June 8th, 2007. The meeting was chaired and called to order by Steve Lasley, at about 10:02 a.m. in the ICS conference room.
PRESENT: Twenty-one members participated.
Remote participants: Bill Black, Patricia Capps, Chris Fooshee, Mari Jayne Frederick, Nancy Johnson, Mike Ryabin, Louise Ryan, Mitch Thompson and Earl Sloan.
On-site participants: David Bauldree, Dennis Brown, Andrew Carey, Dan Cromer, Francis Ferguson, Wayne Hyde, Gregg Knapp, Winnie Lante, Steve Lasley, Chris Leopold, Mark Ross and Matt Wilson.
STREAMING AUDIO: available here
Agendas were distributed, and the meeting began roughly on time. Unfortunately, our connection to the streaming server died roughly one hour into the meeting and the rest of the stream was unavailable until the recorded archive was moved to the server after the meeting.
Steve had noticed that Gregg Knapp recently was given an IF-ADM account, so Steve had asked him if he wanted to join the ICC. Gregg agreed and attended his first ICC meeting today. Gregg works for the Agronomy Department and we are pleased to welcome him to our group.
Matt Wilson, whose hiring as the IFAS IT DBA had been mentioned back at our April meeting, also attended his first meeting. It is great to have new faces! Welcome to you both.
Recap since last meeting:
As per his usual procedure, Steve pointed folks to the notes of the last meeting, without going into any details.
TechEd in Orlando:
Steve pointed out that many of UF's IT folks, including Dwight Jesseman, are in Orlando this week attending TechEd 2007. Steve went to the very first TechEd, also in Orlando, back in 1992; it was amazing and he is sure it has only gotten much better over the years. Steve has been trying to keep in touch a bit with things going on there. He mentioned the Virtual TechEd site and that the first part of the keynote was fun to watch. Mark Minasi, who presented a two day training session at UF recently, gave a TechEd talk yesterday on Controlling Windows From the Command Line which had lots of great tips. You are encouraged to check it out.
Dell Road Show:
Steve wanted to thank Dennis for hosting this session at Fifield and via Polycom. Paul Moore, our Account Manager from Dell, was there with Dell Engineer John Walden. Turnout was not very good, unfortunately, but in Steve's opinion the information presented was quite useful, highlighting the upcoming models and the features they will have. Paul suggested that future meetings might be held via Live Meeting; that would make attendance even more convenient for future events.
IT Governance sub-committee status report
Steve mentioned that at least two major IT centralization projects are currently under way. One is the Exchange project mentioned in Marc Hoit's Open Letter to UF OIT Staff in the June IT Connections newsletter. Steve is certain that Dwight can provide us all the details in the future as they become available.
The other major project is...
The Wallplate Project
Steve had considerable concerns about how this project is unfolding. First and foremost, Steve believes that the security justification for the wallplate ban on local IT deployment of workgroup switches is ill-conceived. This policy is not really a UF security policy, but rather something that CNS has implemented specifically for the wallplate. The pertinent related "Network Infrastructure/Routing" security policy reads:
"Users must not attempt to implement their own network infrastructure. This includes, but is not limited to basic network devices such as hubs, switches, routers, network firewalls, and wireless access points. Users must not offer alternate methods of access to UF IT resources such as modems and virtual private networks (VPNs). Users must not offer network infrastructure services such as DHCP and DNS. Exceptions to this policy must be coordinated with Network Services and the local network
Steve can only assume that their reasoning is that, under the wallplate, those who are currently local network administrators will become simple users. It seems to Steve, however, that distributing responsibility for workgroup switches out to unit-based IT staff is an entirely reasonable and economical solution. Why remove that option? Maybe this simply hasn't all been well thought out. Steve doesn't know the answer to that, but the security argument doesn't hold water in his estimation--especially considering that IT funding sources are scarce, security needs are great, and dollars spent on security can likely be spent better elsewhere.
UF has proposed to provide central funding for each department on campus (with a few notable exceptions). The last Steve had heard the number of network connections (ports) to be provided was supposedly based on the number in current active use. That number was estimated for each department via a quick survey. In Steve's department, this survey underestimated our true active port counts; this was mainly due to the common use of economical 5-8 port un-managed workgroup switches in various offices and labs. For us, such switches provide an additional 64 active ports currently. While CNS had mentioned a willingness to adjust their counts and include such ports in our allotment, they say that they are not going to allow workgroup switches under the wallplate. Consequently, direct wiring will need to be installed for these 64 ports; this would have to be paid by the department at an estimated cost of $12,800.
From the May ITAC-NI meeting Steve had understood that future expansion beyond the initial allocation would be charged to the units at the rate of $60/port/year. Chris Leopold and Dan Cromer reported that the story has changed, though the wallplate website doesn't make this at all clear. From the discussions Dan and Chris had with Mary Byrd in arranging wallplate deployment for McCarty D, they say that the current working plan now is that switches will be installed to cover existing active ports plus 10%. Future expansion will be handled by the unit buying additional switches as necessary. The $60/port/yr cost of expansion has apparently been dropped. This would indeed be good news, if true.
The reason this matters so much to Steve is that, assuming CNS will be deploying 24-port switches, those will have (on average) 12 free ports per concentration point at deployment (our unit has 4 such concentration points in each of its 3 wings and Urban Entomology). It is easy to see that once all of the roughly 80 unit-based installations are deployed to wallplate, CNS will necessarily have installed a great deal of extra port capacity across campus. We have extra port capacity now for the same reason, but that capacity can be tapped by us at any time for no extra cost. Under the wallplate, Steve had understood that the extra capacity would be sold back to the units at $60/port/yr. If, on top of that, they deny units the option of workgroup switches, this extra capacity will be more quickly sold, we will have to install wiring (~$200) for each and every new connection, and the ~$1/port/yr option that workgroup switches provide us currently would end, resulting in a considerable loss of unit-level economy and flexibility.
Whichever story proves true, under the wallplate the cost per port ($60/yr as estimated by CNS) will increase more than an order of magnitude over what our department has paid in the recent past ($3.50/yr). When one considers that the wallplate's $1.5M steady-state funding is based on port counts which are likely considerably low overall and couple that with the fact that both DHNet and HealthNet claim such services cost over twice what CNS is estimating, one might seem justified to be worried about the ability of CNS to provide adequate support as well. Such a situation does not exactly inspire confidence for units who are considering whether it is in their best interests to join this project.
Steve feels that the main thing which his unit might stand to gain from going wallplate (or lose from not) would be an upgrade path for their telephony needs. Steve would definitely want to see the balance sheet on that vs. other alternatives before opting for this plan. A presentation for UF Deans a month ago suggested that the costs would be about $12/phone/month plus the heavily subsidized cost of the handsets ($160-$400 estimated). Since wallplate is a requirement for VoIP, however, he is not sure that his unit will really have much choice. Steve believes our wisest strategy may be to try to convince administration of the value of retaining the option of local IT deployment of workgroup switches under the wallplate; he is unsure of the tactics we might employ to do that, however.
Chris Leopold said that CNS doesn't really have a way, currently, of enforcing a workgroup switch ban, but that is not much consolation if the ban exists as policy. Steve would be interested in knowing, however, how many workgroup switches exist currently under the wallplate; he suspects the numbers are considerable.
Mark Ross took the devil's advocate position, mentioning the various reliability and troubleshooting drawbacks of workgroup switches. Steve, however, said that he and his users are willing to live with those tradeoffs for the economy and flexibility such switches provide. Steve isn't suggesting that such switches are appropriate in all cases by any means, but rather wants to continue to have them as an option.
Chris Leopold is also concerned about losing access and control over the security aspects of port management. Currently he has tools on the HP switches which allow him to quickly locate MAC addresses and to disable ports as security may require. At this point CNS is not offering any tools to units for such matters. Mary Byrd had told Chris that a request may be submitted to disable a port and that such a request might have a 12 hour turn-around time.
Steve noted also that he had understood John Mady, Associate Director of CNS-Telecommunications, was to be in charge of contacting the unit chairs to explain the project and obtain answers to three questions:
- Do you wish to Opt-in or Opt-out?
- Do you wish to have 10/100 or GB (gigabit) to the desktop?
- Do you want VoIP now or wait until at least the next 5-year replacement cycle?
Steve assumed that planning would be completed prior to implementation and that these interviews were to happen soon (actually prior to now) for all departments. Dan Cromer related that units would not be contacted until 3 months prior to their individually scheduled deployment. This strikes Steve as a poor way to proceed, as it omits the proper feedback which Dr. Hoit had assured would be solicited prior to the project beginning.
In any case, Chris Leopold stated that McCarty D has been pushed up in the schedule and that it is now the first building to be implemented under this new project. This was done at the request of Dan Cromer on behalf of our Dean for Research, Mark McLellan, and CALS Dean, R. Kirby Barrick, who were seeking a new telephony solution. It is not known whether the special treatment regarding scheduling also means the methods of charging are special in this instance.
Dennis Brown asked whether VoIP is a stable solution or whether more frequent outages might be expected in comparison to conventional phone systems. Andrew Carey said that he had few problems in his three years of using VoIP at Operations Analysis. Matt Wilson also mentioned that the Division of Sponsored Research, his previous department, was an early adopter of the wallplate. He felt that their support at that time was good and that the network was well managed. The question is, can that level of service be maintained under the proposed funding model? We certainly hope so.
Earl Sloan asked via remote chat about Dan Cromer's walk through of McCarty D. Earl had not seen him do that in FYCS. Dan responded that the planned walk-through phone assessment had been replaced by Dan getting John Mady a list of contacts in each department there. Chris Leopold mentioned that he had heard that the VoIP phone discounts were not actually from a pricing agreement with Cisco, but rather were being subsidized by CNS. Dan mentioned that John Mady expected that phone cost savings from VoIP (roughly $350K is billed through yearly currently) would be used to pay for that. Dan said he shared some of Steve's concerns about the funding of this initiative as it is still not clear where all the funding to support this will be coming from.
Recommendation: autogroups for *selected* roles
This item was not discussed but is being kept on the agenda for future consideration. Basic role autogroups are now in place within UFAD.
Split DNS solution for UFAD problems
Steve noted that this problem had been discussed at prior ICC meetings, and that he was now investigating a method which might help alleviate some of the issues until this can be truly resolved at the central level. Chris Hughes had mentioned to Steve that this problem seems to have been resolved in his environment (though he had done limited testing at that point) by disabling the GPO for "Wait for Network Connections to start prior to login". Chris had told Steve that "with this disabled, this process [DC timeouts] happens in the background while the login proceeds". Mike Kanofsky had actually suggested that to Steve prior as well, but Steve had discounted it at the time because he believed it might cause as many problems as it solved.
Steve now thinks that he was hasty in dismissing such a solution and has spent a bit of time testing that. It has shown some potential for improving the UFAD logon experience for very many IFAS folks, and Steve believes wider testing is warranted.
For what they are worth, here are Steve's notes on his so-far quite brief and preliminary testing:
On Office LAN
Only a couple of issues were noted so far connecting at the office either via wired (with antenna off) or WIPA wireless (with network drop disconnected) using the Gatorlink VPN "logon via dialup networking" checkbox:
- While the main logon dialog comes up very early via Fast Boot, the Gatorlink VPN is not yet ready (has to wait on network config I suppose), so there is a delay until you get the prompt for that.
- Synchronization of off-line files hangs on logoff when using wireless via Gatorlink VPN; it tries, but can't find the network. Split DNS would greatly shorten that wait I expect. It looks like this is due to the VPN being disconnected prior to the sync. This would be a user education issue--don't bother to wait for sync in that instance, but just cancel that to save shutdown/logoff time. Likely should put a "sync link" on the desktop for them to use BEFORE logging off.
On Office LAN with WIPA wireless and antenna enabled
No delays noted beyond what is seen in point #1 above. Not certain which path (wired, wireless or both) is taken by the VPN.
Behind workgroup router at Office
Wired (with antenna off) and no VPN showed expected lack of network connectivity, however, no slowness was noted on startup.
On Home LAN: not yet tested
If anyone else would like to help test this, please get with Steve. Since a split-DNS solution is not expected to happen any time soon, this might really help out with our user experience in the meantime.
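As an added example (not from the notes, and not Chris Hughes' or Steve's own setup): the Group Policy setting described above is "Always wait for the network at computer startup and logon" under Computer Configuration > Administrative Templates > System > Logon, stored as the SyncForegroundPolicy value in the Policies Winlogon key. The script below reads and changes it locally so one machine can be tested; on a domain-joined client the GPO rewrites the value at the next refresh, so the durable change belongs in the GPO itself. The key and value name are real; the machine it runs on is assumed to be a Windows client with PowerShell, run elevated.

```powershell
# Added example: inspect and toggle the logon "wait for network" policy locally.
# Key and value are the documented registry backing of the GPO setting
# "Always wait for the network at computer startup and logon".
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName = 'SyncForegroundPolicy'

function Get-LogonNetworkWaitState {
    # Returns the current value and a plain-language reading of it, so the
    # before/after state can be recorded in a test log.
    $current = $null
    if (Test-Path $PolicyKey) {
        $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
        if ($item) { $current = $item.$ValueName }
    }
    $state = switch ($current) {
        1       { 'Enabled: logon waits for the network, policy is processed synchronously' }
        0       { 'Disabled: Fast Logon Optimization, DC/DNS work continues in the background' }
        default { 'Not configured: client OSes behave as Disabled, server OSes as Enabled' }
    }
    [pscustomobject]@{ Key = $PolicyKey; Value = $current; State = $state }
}

function Set-LogonNetworkWait {
    # $Enabled $false is the workaround from the notes; $true restores waiting.
    param([Parameter(Mandatory)][bool]$Enabled)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
    # Refresh computer policy so the change is picked up without a reboot.
    gpupdate /target:computer /force | Out-Null
    Get-LogonNetworkWaitState
}

# Record the starting state, then apply the workaround for testing.
Get-LogonNetworkWaitState
Set-LogonNetworkWait -Enabled $false
```

One caveat a tester should know going in: with the setting disabled, Windows applies Group Policy asynchronously at logon, so folder redirection and software installation policies can take an extra logon to take effect after they change. That, together with the offline-files sync behaviour noted above, is the trade-off being accepted for the faster logon.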
UF Calendar Project
Prior UF Calendar Project discussion. Wendy Williams was not available to provide an update, but Steve understands that a couple of potential packages were demoed at their last meeting Wednesday and that they are looking for volunteers to help investigate CalDav and Bedework.
Move to IF-SRV-WEB
Steve asked Mark if he had any closing remarks before this item was removed from our projects list. Steve intends to include web issues as a standing matter within the Operation section in the future.
Mark said that Florida Ag Calendar was the final site to be moved. It was problematic because it was based on a Perl script. The Ag Institute of Florida outsourced this to peoplecube so everything is done.
Mark had thought about moving the log files over and patching that into LiveSTATS as well, but with the uncertainty regarding the status of LiveSTATS combined with the fact that statistics are only really being monitored on about 10% of the sites registered with LiveSTATS, he thought better of doing that. His plan currently is to do this on a case-by-case basis: when the stats for a particular site hang up, he will move those logs somewhere else (transparent to the user) and restart the service.
Mark has so far been unable to come up with a reasonably priced substitute for LiveSTATS. He mentioned that Dave Palmer has been urging people to use Google Analytics. The concerns with that, according to Mark, are that it requires code be added to each webpage plus Google parses our data; we don't know what they do with that, and we don't know what the statistics are based on. Mark is open to suggestions on how to proceed. Wayne Hyde mentioned that AWStats, which Mark believed hadn't been touched in a couple of years, was updated to version 6.6 in January of this year; he might look at that option again. Mark is concerned about moving to a solution for which support will not be maintained, however.
Listserv confirm settings
Steve asked Dan if he had any closing remarks on this item before it is removed from our project list. Dan said that this has not actually been completed. Consequently, Steve will keep this on the project list for now.
SharePoint Test Site
Prior SharePoint discussion. Ben Beach was not able to be present to give us an update on this. Since our last meeting, Ben has deployed a survey on CMS requirements which you are all encouraged to take. Steve mentioned that he had asked Ben if he could do a little demo for us on Office Groove 2007 and its integration with MOSS. Steve just recently has begun to understand how Groove can provide offline caching for SharePoint collaboration sites. This essentially would permit utilizing SharePoint offline, updating changes once connected. The way Groove replicates changes is quite granular and efficient--very cool.
Virtualization of Core Services
Wayne Hyde talked about issues we have been having with our fileservers. It started with a BSOD on \\IF-SRV-FILE02, the cause of which is still being investigated. Meanwhile IF-SRVV-FILE02 is the sole machine currently being referred to folks via DFS. Steve noted that performance on that virtual machine has been considerably better than on the physical server; this is particularly noticeable for his users because he uses folder redirection of My Documents. Wayne emphasized that all references to fileserver access should be via the DFS designation rather than directly to either one of the servers. That allows him to control things centrally and prevents users from running into issues where multiple people edit the same file simultaneously on two different servers. Earlier, when both servers were being referred, Steve had experienced that happening even via the DFS pathway; some of his users were failing over to the secondary referral while others were not. Referring a single machine will prevent that, though it will make transitioning across machines a bit more problematic should issues occur.
Wayne mentioned that there is an issue with DFS whereby, if a server is not shut down properly, when it comes back up it has to essentially rebuild the DFS database, which is like an initial replication. Since we have about 7M files, and hashes must be built for each to use for comparison purposes in replication, this takes a couple of days. This happened with the BSOD and was what made our issue with dual DFS referral so readily apparent. In Steve's department people continued to work on separate copies of a particular file for quite some time before replication threw away one or the other of the copies.
The ultimate solution would be to have our data on a SAN, with that being replicated to a second SAN. That would eliminate our dependence on MS DFS replication for that. This would be a "big wallet" project, but there is some hope that the MOSS project might get us in that door eventually.
Wayne mentioned that, right now, we have no redundancy in our SQL servers. The goal is to have a cluster for those functions, and this is something which Matthew Wilson will be investigating.
Steve asked about when we might be able to turn Volume Shadow Copy back on for the fileserver. Chris Leopold said that this will happen in about three-six months. The plan is to utilize the PowerVault which is currently being used for central Exchange. That should be returned to us once Dwight gets the new hardware implemented for the UF Exchange 2007 project.
There is yet another DFS issue relating to our use of Veritas for backups. Until that is resolved, we have to turn off DFS during our backup windows and then turn it back on after.
Wayne also wanted unit admins to educate their users not to use extremely long file names. Since users are often mapped fairly deep into the full file path, they can easily create a path which exceeds the 260-character Windows path limit when viewed via the full path specification, even though it looks short from their mapped drive. This causes management issues for Wayne and the other server admins, particularly with automated processes.
The other user education issue is people duplicating files in their storage area. Wayne is considering methods of searching for duplicate files to deal with that, but user education is the real solution there.
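An added example (not from the notes, and not a tool Wayne or the server admins were using) of what an admin could run against the namespace to find both problems raised above. Windows PowerShell's own Get-ChildItem stops with a PathTooLongException once a path reaches 260 characters, so the long-path check uses robocopy's list mode, which handles long paths; the duplicate check hashes only files that share a size, since hashing all 7M files outright would take far longer. The DFS path is a placeholder, and Get-FileHash requires PowerShell 4.0 or later (the approach, not the cmdlet, is the point for a 2007-era server).

```powershell
# Added example: report over-long full paths and duplicate files under a DFS path.
param(
    [string]$Root = '\\ad.example.edu\dfs\shared',   # placeholder; use the DFS namespace path, never a server name
    [int]$Limit = 260                                 # Win32 MAX_PATH, which includes the terminating null
)

function Find-LongPaths {
    param([string]$Path, [int]$MaxLen)
    # robocopy /L lists without copying; /FP prints full paths; /NS /NC /NDL
    # drop sizes, classes and directory lines so each output line is one path.
    # robocopy handles paths beyond MAX_PATH, which Get-ChildItem here cannot.
    $lines = & robocopy $Path NUL /L /E /FP /NS /NC /NDL /NJH /NJS /XJ /R:0 /W:0
    $lines | ForEach-Object { $_.Trim() } | Where-Object { $_ } |
        Where-Object { $_.Length -ge $MaxLen } |
        ForEach-Object { [pscustomobject]@{ Length = $_.Length; FullName = $_ } } |
        Sort-Object Length -Descending
}

function Find-DuplicateFiles {
    param([string]$Path)
    # Size first: only files that share a size can be byte-identical, so this
    # prunes almost everything before any hashing happens.
    $candidates = Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Group-Object Length | Where-Object { $_.Count -gt 1 } | ForEach-Object { $_.Group }
    $hashed = foreach ($f in $candidates) {
        $h = Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        if ($h) { [pscustomobject]@{ Hash = $h.Hash; Size = $f.Length; FullName = $f.FullName } }
    }
    # Files that share a SHA-256 hash are duplicates; emit each group together.
    $hashed | Group-Object Hash | Where-Object { $_.Count -gt 1 } |
        ForEach-Object { $_.Group | Sort-Object FullName }
}

Find-LongPaths -Path $Root -MaxLen $Limit | Format-Table -AutoSize
Find-DuplicateFiles -Path $Root | Format-Table Hash, Size, FullName -AutoSize
```

Run it against the DFS namespace path rather than a server name, for the same reason Wayne gave: the referral, not the server, is what users and scripts should depend on. Robocopy returns a non-zero exit code whenever it lists files, so ignore $LASTEXITCODE from the list step.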
IFAS WebDAV implementation
As usual, Steve passed over discussion on this project because he is aware that no movement has occurred in getting this documented.
Vista TAP and Vista Deployment via SMS and WDS
Steve noted that he had posted quite a few new details about the Mark Minasi seminar in last month's notes. Steve had found some links which might be of use for people who could not attend that, but who were interested in details of what was covered. Steve hopes that the whole matter of Vista deployment is revived as a project for IFAS IT.
Steve asked if anyone had been playing with the Vista deployment tools. He mentioned having spent some time with WinPE 2.0 and had learned how to add network drivers to a WinPE boot CD as the first step to utilizing ImageX. In his first test on a WinXP box, ImageX compression was considerably better than what he had been getting with ImageCast which he uses currently. (Steve uses IC rather than Ghost because it works fine for his purposes and he had purchased an unlimited license for that long ago.) The next step is to learn to customize a Vista install using Windows System Image Manager (Windows SIM).
Andrew Carey mentioned that we do have Vista 32 and 64-bit images available on our WDS site now. There are no answer files currently, however, but people on campus utilizing IFAS DHCP can PXE boot to install from there rather than using a DVD. Andrew plans to eventually look into creating answer files for our use and individual departments may, of course, develop their own in order to supply a custom install solution. Steve would appreciate it if anyone investigating this matter would share what they learn with everyone.
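As an added example (not Steve's or Andrew's own procedure): the WinPE 2.0 and ImageX steps described above, scripted from a PowerShell prompt opened from the Windows PE Tools Command Prompt that the Vista-era Windows AIK installs (so that copype.cmd finds its environment). The tool names and switches are those of that AIK (copype.cmd, imagex, peimg, oscdimg); the install path, architecture, driver folder and the capture share name are assumptions to adjust.

```powershell
# Added example: build a WinPE 2.0 boot ISO with extra NIC drivers, then
# capture a reference machine with ImageX from that boot media.
$Aik     = 'C:\Program Files\Windows AIK\Tools'   # assumed AIK install path
$Arch    = 'x86'
$Work    = "C:\winpe_$Arch"
$Drivers = 'C:\drivers\nic'                        # assumed folder of unpacked .inf/.sys/.cat driver files
$ImageX  = Join-Path $Aik "$Arch\imagex.exe"
$PeImg   = Join-Path $Aik 'PETools\peimg.exe'
$OscdImg = Join-Path $Aik "$Arch\oscdimg.exe"

function New-WinPeWithDrivers {
    # 1. Base WinPE layout: winpe.wim, etfsboot.com and an ISO folder.
    & (Join-Path $Aik 'PETools\copype.cmd') $Arch $Work

    # 2. Mount the boot image read/write and inject every driver .inf found.
    $mount = Join-Path $Work 'mount'
    & $ImageX /mountrw (Join-Path $Work 'winpe.wim') 1 $mount
    Get-ChildItem -Path $Drivers -Filter *.inf -Recurse | ForEach-Object {
        & $PeImg "/inf=$($_.FullName)" (Join-Path $mount 'Windows')
    }
    # Put imagex on the boot media so captures can be run from inside WinPE.
    Copy-Item $ImageX (Join-Path $mount 'Windows\System32')

    # 3. Commit the changes and build a bootable ISO from the ISO folder.
    & $ImageX /unmount /commit $mount
    Copy-Item (Join-Path $Work 'winpe.wim') (Join-Path $Work 'ISO\sources\boot.wim') -Force
    & $OscdImg -n "-b$(Join-Path $Work 'etfsboot.com')" (Join-Path $Work 'ISO') (Join-Path $Work "winpe_$Arch.iso")
}

New-WinPeWithDrivers

# Inside the booted WinPE, after mapping a capture share (share name is an
# example, not one from the notes):
#   net use Z: \\if-srv-file\images
#   imagex /capture C: Z:\lab-xp.wim "Lab XP baseline" /compress maximum /verify
```

The driver injection is what makes the capture step possible on hardware whose NIC WinPE does not know about; without it the boot CD comes up with no network and no way to reach the share. The /verify switch on capture costs time but catches a corrupt WIM before it is deployed to a lab.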
New IFAS IP Plan
Chris Leopold said that a single host remains on subnet 4 to move; that however is Animal Sciences Exchange server with its MX record. Chris will naturally do nothing on that until Dwight gets back from TechEd. The project is very close to completion however. Perhaps now we can begin to move forward to related projects such as re-enabling the Windows firewall.
Exit processes, NMB and permission removal
Prior exit procedure discussion. Progress on this is still pending. We remain basically where we have been for quite some time.
ITNS and Help Desk web sites get new looks
Mark Ross initiated this, but he offered much of the credit to Jennifer Hugus of ICS who developed the graphics and created the template for this. Mark is now looking for input on what documentation to include on these sites and where--so please consider that matter and get in touch with him on that.
These look great and Steve is very appreciative of Mark's initiative on this. Unfortunately, Mark is struggling with issues with regard to many of our web-based tools (ufad\if-admn credentials required for access), like userinfo and especially the complex and fragile remperms.
Office 2007 issues update
Steve mentioned the May IE7 security patch related Outlook 2003 slowness issue which he has documented.
Integration and support of non-UF owned computers
Mari Jayne Frederick (MJ) had requested that this be placed on the agenda for discussion. She is concerned about student-owned computers and how we integrate them into our system. She does not and will not add those to UFAD, for one thing. She feels the need to devise a form whereby, if they choose to be networked (VPN) at our locations for, say, 1-2 years, they release IT Support from any responsibility pertaining to their units. It has happened at Homestead in the past with visiting Chinese students, for example. She usually has them access IFAS and shared printers via the VPN and use Webmail and Gatormail to access their email. She does not wish to get into providing support for property not owned by UF/IFAS. She will install MS Office products, McAfee and the necessary software we all use (ufad\if-admn credentials required) to perform our tasks, and even troubleshoot simple errors, etc.; but she will NOT get into full-blown support. Mike Ryabin, Dennis Brown and she pretty much follow a similar regimen on this.
MJ often sees people who were previously on campus, who come to her center and have expectations beyond what she is willing to provide. That is why she would like some agreement that would lead to more uniformity among how various units handle such things.
Discussion continued for a while, but this is likely to remain up to the discretion of individual units. Mark Ross commented that being consistent is important here. Steve suggested that, if MJ or some other support person wanted to draft a document on this, it might be run by the ICC for comments, and then perhaps we could arrive at something which would be suitable for use at multiple locations. Steve does not believe that one document is likely to suit all, however.
Steve mentioned that MOICE (which looks to be a mess) along with the File Block Functionality, are topics we may want to keep our eye on. This is going to be pushed out via Automatic Updates at some future date apparently.
Public folder file deletion policies and procedures status
Movement on this is apparently still pending.
Job Matrix Update status
Chris Leopold had published a new job matrix at "http://itsa.ifas.ufl.edu/job_duties.mht" for which the link is now broken. Chris intends to make the new page available again soon.
Admin Helper Script and IE7
Steve asked if this had been looked at yet, but it is still on a "todo" list.
Lenovo and GovConnection Contract
Nancy Johnson has continued to follow this matter and keep the ICC (as well as the CCC) informed of what she has learned by posting documentation via the web. Steve appreciates her efforts on that. Dan Cromer and Mark Ross both mentioned that they had been trying out the HP desktops and had been quite happy so far.
Dennis Brown had asked Steve how he got the toolbar addition for Internet and Windows Explorer which shows what credentials that process is running under. Steve pointed him to his documentation on "The LUA approach: running under least-privilege" (ufad\if-admn credentials required). In particular, this is due to installation of Aaron Margosis's "Privbar" tool, which may be obtained from his weblog. Steve also mentioned that Aaron has a great tool called LUA Buglight for investigating application bugs which prevent running a program under user credentials.
Dan Cromer mentioned a trick which Matthew Wilson taught him. This is something which Joe Gasper had shared with the Vista-TAP group back in early October of last year:
When logged on with admin rights and without the old RunAs command on the right-click menu, Vista doesn't allow one to run a particular tool or program with very specific domain credentials. The solution involves
- Opening Local Security Policy
You may find you need to first run a cmd prompt as Administrator and then run gpedit.msc.
- Drilling down to Computer Configuration> Windows Settings> Security Settings> Local Policies> Security Options
- Setting/confirming the two policies for "User Account Control: Behavior of the elevation prompt..." to "Prompt for Credentials"
As a result, when you open "ADUC" or other AD management tools, you will then be prompted where you can specify your AD administrative account credentials.
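An added example (not from Joe Gasper's, Matthew Wilson's or Steve's own material) covering both the Privbar question and the procedure above: the two UAC policies it sets through Local Security Policy are stored as ConsentPromptBehaviorAdmin and ConsentPromptBehaviorUser under the Policies\System key, and the script reads and writes them directly, then reports whether the current process token is elevated, which is what Privbar shows in the toolbar. Run elevated to change values. The value meanings listed are those of Windows 7 and later; Vista used only 0, 1 and 2 for the administrator policy and 0 and 1 for the standard-user policy.

```powershell
# Added example: read/set the UAC elevation-prompt behaviour and show the
# current token's elevation state.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# "User Account Control: Behavior of the elevation prompt for administrators
# in Admin Approval Mode" (Windows 7 and later values)
$AdminPrompt = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}
# "User Account Control: Behavior of the elevation prompt for standard users"
$UserPrompt = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials'
    3 = 'Prompt for credentials on the secure desktop'
}

function Describe-Value {
    param($Table, $Value)
    if ($null -eq $Value) { return 'not set' }
    $text = $Table[[int]$Value]
    if ($text) { "$Value ($text)" } else { "$Value (unknown value)" }
}

function Get-UacPromptBehavior {
    $p = Get-ItemProperty -Path $UacKey
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = Describe-Value $AdminPrompt $p.ConsentPromptBehaviorAdmin
        ConsentPromptBehaviorUser  = Describe-Value $UserPrompt  $p.ConsentPromptBehaviorUser
    }
}

function Set-UacPromptForCredentials {
    # Credential prompts (on the secure desktop) are what let someone logged on
    # with a low-privilege account type a separate AD admin account when
    # launching ADUC or other management tools.
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorUser  -Value 3 -Type DWord
    Get-UacPromptBehavior
}

function Get-CurrentTokenInfo {
    # Under UAC an administrator's filtered token reports IsElevated = $false
    # until the process is elevated; this is the state Privbar displays.
    $id  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $pri = New-Object Security.Principal.WindowsPrincipal($id)
    [pscustomobject]@{
        User       = $id.Name
        IsElevated = $pri.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

Get-CurrentTokenInfo
Get-UacPromptBehavior
```

On a domain-joined machine these values are also what the corresponding Group Policy settings write, so a local change lasts only until the next policy refresh unless the GPO agrees with it.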
Steve wanted to share a trick for opening an elevated command prompt in six keystrokes.
Why don't users like WebCT?
Mark continues to have problems with course websites and would really like to understand why people don't use WebCT for such things. Steve suggested that he would contact Doug Johnson to see if Doug could come to an upcoming ICC meeting and provide a demo for us. If more of us understood the capabilities of that system, perhaps we could evangelize its use to our faculty where appropriate.
Pat Capps mentioned the use of Elluminate at UF. She had understood from Mark Reiger that this would be a replacement for WebCT, but we are pretty certain that Elluminate will rather be an adjunct to WebCT. In any case, Pat wanted us to know that vendors will be on campus August 13th and she urged us to attend. MJ reported that she has used both WebCT and Elluminate as a student at NSU and thinks they are wonderful and work very well together.
Mark would like to move folks off using FrontPage forms. He wants to get with Joe Spooner to see about changing the look of the form processor which Joe Spooner helped develop from the UF template to the IFAS template. Mark can also supply an ASP solution for folks needing forms.
The meeting was adjourned early, just a little prior to noon.