

ICC Meeting:

IFAS COMPUTER COORDINATORS
(ICC)

NOTES FROM January 12th 2007       REGULAR MEETING


A meeting of the ICC was held on Friday, January 12th, 2007. The meeting was chaired and called to order by Steve Lasley, at 10:12 a.m. in the ICS conference room.

PRESENT: Nine members participated.
Remote participants: Chris Fooshee and Joel Parlin.
On-site participants: Benjamin Beach, Dennis Brown, Dan Cromer, Wayne Hyde, Winnie Lante, Steve Lasley, and Mark Ross.

STREAMING AUDIO: available here

NOTES:


Agendas were distributed and the meeting was called to order a bit late.

We had a number of difficulties this time. The Polycom connection kept getting bumped or not connecting--not quite sure which it was. Prior to the meeting this may have been due to MCU congestion, but the same thing would happen every time we tried--including just prior to noon. Also, the streaming was interrupted at one point when the laptop which was doing that function rebooted. Consequently, we lost the archive of the audio portion prior to that; the notes may be sparse early on as a result.

Report from the chairman

New members:

No new members were noted.

Recap since last meeting:

As per his usual procedure, Steve pointed folks to the notes of the last meeting, without going into any details.

Report from December and January ITAC-NI meetings

Steve reported that he is now on the ITAC-NI committee, having replaced Joe Spooner. Dan Cromer and Chris Leopold are our other representatives. Steve intends to write notes on those meetings and has done so for the December meeting. That meeting focused on UF's plans for the wall plate. Generally, this group meets the second Tuesday of each month, but the January meeting was cancelled due to lack of an agenda.

Policy

IT Governance sub-committee status report

Steve asked Dan Cromer for a status report on the UF IT Governance Task Committee. Dan reported that there has been some reorganization at the UF VP level which raises some questions as to exactly how and where our OIT structure will report. As a result, IT governance development has been on hold until that larger picture resolves.

Recommendation: autogroups for *selected* roles

This item was not discussed but is being kept on the agenda for future consideration.

Projects

IFAS Remedy System

Steve reported finding a bug in the Remedy system which was reported to Adam Bellaire and has since been corrected.

The symptom noted by Steve was that when he went to the http://remedy.ifas.ufl.edu site (aka "http://at.ufl.edu/~hdweb/ifas//"), logged on with his Gatorlink credentials, then entered his own GL username to start a new ticket for himself, the resultant "New Ticket Contact Info" page came up with all the fields blank. Steve then noticed that he was unable to do a "Person Lookup" on his GL username; the "UFID" and "Find By Name" lookups did work for him, however. Interestingly, the problem was there with the new Remedy interface as well. That interface reported "No UF Directory Entry found." yet still listed Steve's tickets.

After looking into this matter, Adam discovered that the problem existed for any person whose UFID began with a zero. Because the LDAP record removes leading zeroes from the "uidnumber" field, the subsequent UF Directory query failed. Adam reported that this would be a relatively easy fix, which could be accomplished by formatting the UFID properly before the UF Directory query even if its leading zeroes have been truncated.

Since reporting that and prior to it being fixed, Steve discovered that this issue also affected the http://support.ifas.ufl.edu page (aka http://at.ufl.edu/~hdweb/ifasask/). When any user whose UFID begins with a zero tried to submit a ticket there (using their Gatorlink username as most would), the process would fail without an obvious error message. They would simply get a blank page and many might assume the ticket was indeed submitted.

Shortly thereafter, Adam fixed the issue on all affected web pages, including the IFAS ticket creation, IFAS ask-a-question, and Directory Lookup scripts. Supplying a UFID with a leading zero or a Gatorlink username belonging to such a UFID now functions properly.
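
The leading-zero failure and its fix, sketched as an added example (this is not Adam's code or any part of the Remedy scripts). It assumes an 8-digit UFID; the sample records, usernames and function names are constructed for illustration, and the explicit error returned on a failed lookup is an addition showing how the blank-page symptom can be avoided.

```python
"""Added illustration: integer LDAP uidnumber vs. zero-padded UFID key."""

UFID_WIDTH = 8  # assumption: a UFID is a fixed-width 8-digit string

# Constructed sample data. The LDAP side holds uidnumber as an integer,
# so the leading zero of UFID 01234567 is already gone.
LDAP = {
    "alice": {"uidnumber": 1234567},   # UFID 01234567
    "bob": {"uidnumber": 71234567},    # UFID 71234567
}
# The directory side is keyed by the full, zero-padded UFID string.
DIRECTORY = {
    "01234567": {"name": "Alice Example"},
    "71234567": {"name": "Bob Example"},
}


class DirectoryLookupError(Exception):
    """Raised when a username cannot be resolved to a directory entry."""


def normalize_ufid(value):
    """Return the canonical zero-padded UFID, or raise ValueError."""
    text = str(value).strip()
    if not (text.isascii() and text.isdigit()) or len(text) > UFID_WIDTH:
        raise ValueError(f"not a valid UFID: {value!r}")
    return text.zfill(UFID_WIDTH)


def lookup_naive(username):
    """Pre-fix behaviour: query the directory with the raw uidnumber."""
    uid = LDAP[username]["uidnumber"]
    return DIRECTORY.get(str(uid))  # None for every leading-zero UFID


def lookup_fixed(username):
    """Post-fix behaviour: restore the padding before the directory query."""
    entry = LDAP.get(username)
    if entry is None:
        raise DirectoryLookupError(f"unknown username: {username}")
    ufid = normalize_ufid(entry["uidnumber"])
    record = DIRECTORY.get(ufid)
    if record is None:
        raise DirectoryLookupError(f"no directory entry for UFID {ufid}")
    return record


def submit_ticket(username, summary):
    """Report a failed lookup to the caller instead of returning nothing."""
    try:
        contact = lookup_fixed(username)
    except DirectoryLookupError as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "contact": contact["name"], "summary": summary}


if __name__ == "__main__":
    print("naive:", lookup_naive("alice"))
    print("fixed:", lookup_fixed("alice"))
    print("unknown user:", submit_ticket("carol", "printer offline"))
```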

In his exchanges with Adam, Steve raised the previous notification issues which we believed we had been having. Adam's response was quite illuminating. The most interesting point to Steve was learning that the Remedy admin interface does not use the notification and assignment system. Below is Adam's complete explanation which is well worth reading:

"As far as I can determine, the system is behaving as expected. However, "as expected" 
is not entirely a straightforward proposition:

The notification and assignment system at http://remedyassign.ifas.ufl.edu is used 
when clients submit tickets through the ask-a-question interface form.

However, when you or another service provider create a ticket directly through the 
main interface at http://remedy.ifas.ufl.edu/, this is not the default behavior. The 
system leaves it up to you what happens to the ticket in terms of assignment and email.  
If you simply "Save" the ticket, it will go to the Ifas Help Desk queue.

If you wish to assign the ticket to the Lan Managers and e-mail them, you must click 
the "Assign to Lan Manager(s)" button next to the listed managers in the upper right.  
Because you have full control over where to route the ticket, the automated behavior 
is not used from the interface at http://remedy.ifas.ufl.edu/

Also, there is a little confusion over the meaning of the "Assigned-to" field.  For 
a ticket to be assigned to you, two conditions must be true:  Your gatorlink username 
must appear in the "Assigned-to" field, *AND* the ticket must be in the "Assigned" 
status.  

This is the reason your test ticket did not email you even though you appeared in the 
"Assigned-to" field.  Since the ticket had the status "Referred" and not 
"Assigned", it belongs to the Help Desk Queue and not to you personally.  The 
Assigned-to field alone does not indicate ownership of the ticket, and since the 
status was not "Assigned", you were not emailed.

I know all of this is convoluted, but, as near as I can recall :), this is the way the 
system was set up to behave as per the meetings we had with the IFAS HD folks in the 
beginning. Please give me a call at 392-2007 (ask for Adam) if you'd like to talk about 
this further."

Steve very much appreciates Adam's helpfulness in resolving the issue and in explaining how the current system is configured. At this point, Steve believes we can take Remedy off the project list and include any further discussion in the operations section of our meetings as necessary.

IFAS WebDAV implementation

Steve glossed over discussion on this project because he was aware that no movement has occurred in getting this documented.

Vista TAP and Vista Deployment via SMS and WDS

Ben Beach reported that he had been involved in this project but that little has happened in the last several weeks. He thinks we may have missed our best opportunity for involvement back when Chris Hughes was pulled off that project in order to address our web server problems.

Steve discussed his major concerns with Vista. First of all, he has still found no way to log on with local admin credentials (i.e., as IF-ADML) and then "runas" an Explorer window with network admin credentials (IF-ADMN). The only effective method of gaining remote network admin access Steve has found is to map a drive with elevated credentials (i.e., do a "net use x: \\ad.ufl.edu\ifas /user:ufad\if-admn-GL") and use the command line for file and folder access. As reported at our December meeting, unless a solution is found we may have to re-address our admin account procedures. Steve has further researched one possible solution, which would be to modify the IF-ADMN logon script (which automatically logs such a user off when they try to log on to a computer locally), adding a test for OS. The following replacement for our current "logoff.vbs" script should do that:

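' Log the IF-ADMN user off unless the machine is running Vista Enterprise.
Set objShell = WScript.CreateObject("WScript.Shell")
' Read the OS product name; the registry path must be a single unbroken string.
OSProduct = objShell.RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName")
If OSProduct <> "Windows Vista (TM) Enterprise" Then
   objShell.Run "logoff.exe"
End If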

Steve would like to test that but does not have the proper credentials to modify the logon script setting for his own if-adml account; further investigation will require assistance from the IT/SA group. The idea here is that, since Vista has in-built protections for admin accounts, perhaps we could agree to allow logon by IF-ADMN accounts to Vista machines via that method.

Steve's second big concern with Vista is that the main logon script does not properly pass off to the individual group scripts and, consequently, drives aren't mapped during logon. If the individual group scripts are run manually, they do work, so the problem has something to do with the main script. Steve has offered to help debug that, but doing so would require that a copy of that script be placed in the IFAS netlogon location to which he has modify rights.

Removal of WINS

This issue has been tabled indefinitely.

New IFAS IP Plan

Steve believed that little progress had occurred on this since our last meeting. Chris Leopold wasn't available for confirmation, but Wayne Hyde indicated this was indeed the case.


Note: This is roughly the point where the existing recorded stream begins.


Move to IF-SRV-WEB

Mark Ross reported that he has made copies of all the if-srv-web01 files onto if-srv-web. He is using Robocopy to keep those synchronized at regular intervals. His main problem is going to be with sites which have subwebs--i.e., folders within a website which require alternate security permissions. Those permissions are implemented and enforced by FPSE (FrontPage Server Extensions) and Mark has no way of scripting those. This is making migration quite difficult.

Mark would like a policy to be put in place for class websites which would organize those beneath a single folder structure. The reason he wants this is that access is generally provided via UFAD course autogroups. Those autogroups are named in such a way (including a term and year specifier in the name) that new group permissions must be implemented each term. It is somewhere between extremely difficult and impossible to work out a scripting solution for that problem when these sites are all over the place. Consequently, Mark would like to push for a policy that would permit him to do that reorganization.

After a bit of discussion, it was agreed that Steve would draft an ICC recommendation on this for consideration by the ICC via the ICC-L. The goal would be to present this for ITPAC at the upcoming February meeting.

Exit processes, NMB and permission removal

Prior exit procedure discussion. Steve mentioned that he was pretty sure no progress had been made on this issue and that we are still where we were at our last meeting.

Listserv confirm settings

This is another of those issues which has stagnated due to lack of resources to pursue.

Removing Appletalk from all IFAS subnets

Steve had not heard that this had been implemented, but Dennis Brown indicated that he believed it had. If so, it was pretty much a non-issue.

Operations

Security updates

Steve mentioned that there is an Acrobat Reader vulnerability for which there are updates. Those using versions 7.0.8 and prior are encouraged to upgrade to the new 7.0.9 or to 8.0.

Wayne said that he can provide reports from the information our startup scripts gather which can help folks locate installs. Steve also mentioned that Spiceworks has free software which works very well for doing an inventory of your software. The problem is still getting the updates out to everyone. Installation can be automated via GPO (Mark Ross had been doing this at Plant Pathology) but upgrades require removal of the old version. Mark had figured out a way of doing that using the Windows Installer CleanUp Utility and interested people are encouraged (by Steve at least :-) to see him about that.

Various wireless drivers have had vulnerabilities reported lately and Dell has critical updates for a number of those. You are encouraged to check on those.

Service Redundancy via Virtual Servers

Wayne reported that a lot of his time has been given lately to trying to implement redundancy for all our critical services. This is being done by creating virtual servers for each of our services. We are trying to get a PowerVault storage array that will mirror all the data on if-srv-file02 so that we can switch to our if-srvv-file03 virtual server implementation in the case of a failure on if-srv-file02. Mirroring of the fileserver data would be handled by our DFS structure--making this one of the easiest services to implement this redundancy for. This would avoid a very long and nasty recovery from tape in the case of such a failure. On the other hand, SQL Server and the web will be the most troublesome services to implement.

The hardware being used for this is a Dell PowerEdge 2900 with two dual core processors and 24 GB of RAM. Wayne has already successfully virtualized the WSUS server and it "runs circles around the old physical server"; this was implemented to get around SQL query performance issues with the old hardware. Right now Dwight has about nine virtual servers on the machine for testing Exchange 2007. It is running VMware's Virtual Infrastructure 3 (VI3), which is basically custom Linux, on bare hardware and it is a very nice product. Wayne mentioned they still need to work out a backup scheme for the virtual server images; there are agents with Backup Exec which permit that with constant uptime, or we may just back up the VHD files.

Compromise report

Wayne reported that things have been pretty quiet lately (knock wood). He did have a DMCA copyright violation report to follow up on, but no compromises.

IT Staffing Replacements

Interviews are being set up for next week for the AD position and hopefully we will soon have a replacement for Chris Hughes. Dr. Joyce had asked Dan to defer replacing the DB Admin position vacated by Richard Lee until the beginning of this calendar year for salary saving reasons. Dan hopes to get that released shortly and also intends to pursue refilling the position vacated long ago by Jenny Brewer. That latter position would help fill in for all the extra things Dwight Jesseman used to do beyond just running our Exchange server.

Admin Helper Script and IE7

Steve mentioned that he did not know where we were with replacing the Admin Helper Script. If people are concerned about that they should contact Chris Leopold. It doesn't solve the Vista problem, however.

Server Status Notification

Steve had meant to bring this up at the last ICC meeting and failed to do so. Chris Fooshee wanted to know if there is any place they can go to learn about server issues without having to interrupt the very folks who are likely trying their best to fix those. Steve had pointed out our documented Service Status sites (ufad\if-admn credentials required), but those don't seem to work too well. Wayne said that the software we use, Servers Alive, does not allow for dependencies and is just not really up to the task. We need better software to really allow us to do what is needed.

Steve didn't mention this during the meeting but will do so now: it might be a good idea to post brief status notices to the ICC-L when service problems occur (except for email interruptions of course) and then perhaps a more thorough status report after the problem is resolved--something along the lines of what Network Services does with their Network Status update e-mails. That would help train unit support staff to correlate various issues they see with the service interruptions that occur centrally and permit them to better and more accurately report any problems they might see in the future.

Office 2007 issues

Steve has created an LIS install point for Office 2007 (ufad\if-admn credentials required). Steve urges folks to try it and provide feedback.

There are some reports that McAfee's "On-Delivery E-mail Scanner" is incompatible with Outlook 2007. Steve also would like to point out that there is a Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats tool available for installing on earlier Office installs. This will allow them to read and write the Office 2007 file formats. Steve has placed that "FileFormatConverters.exe" file at \\ad.ufl.edu\ifas\SOFTWARE\MSOFFICE2003 for easy access.

E-mail As Public Record Policy

Dan Cromer wanted to make folks aware of the UF E-mail Policy; this is just one of the many UF IT policy links which may be found at http://www.it.ufl.edu/policies. There is a continuing question as to what communications must be retained and for how long. Support folks should be aware of the policies, although actual implementation is by no means enforced or even controllable.

Status of our Public folder file deletion policies and procedures

This is another example of an implementation that has been on hold due to inadequate staffing levels and the lack of time to follow-up with such matters. Implementation, as previously discussed, is awaiting documentation.

Other discussion

UF Wall Plate

Steve wanted Dan Cromer's input on whether or not we should discuss the Wall Plate project at the ITPAC. Dan thought it was too early to really proceed on that effectively. Steve is concerned with the costs. He feels that units will likely incur continuing costs for ports above and beyond the base allocation and those costs will greatly exceed what has been the case historically. The ironic corollary of this is that the $5/port/month cost is likely too low to support this centrally--based on experience at the Health Science Center and Student Housing.

Steve believes the wall plate also may be used to enforce UF security policies by requiring all devices be directly on managed ports. While this could be technically good for security, it is only one tiny component of overall security management and potentially could remove the ability of local support to perform ad hoc configuration changes to address emergent issues. One wonders if a cost/benefit analysis would encourage spending such a large portion of our available IT funds on this single effort; perhaps there are other projects which would give us more "bang for the buck" considering the overall funding shortage within IT.

Dan felt that the decision would be made at the highest levels and that the ICC and he would have little if any input into that. Dan did say that he has expressed his concerns to Dr. Joyce over what he believes is a budget shortfall to pay for this project and which will likely result in an eventual assessment to all the colleges to pay for this.

H.239 Support for Video Conferencing

Steve mentioned that Mitch Thompson in Apopka has been trying to mobilize and formalize support for Polycom People + Content (aka H.239). He would like to formalize a list of sites which support that feature because he has had great problems using Netmeeting to share Powerpoints during VCs. Mitch passed along the following from Patrick Pettus (circa early January) which indicates that we may be getting somewhat closer to realizing this goal:

"The problem with content sharing for classes is currently a ‘weakest link 
in the chain’ problem. Some of the RECs that offer classes have the ability 
to do H.239. However the two RECs that most of the classes come from (Ft. 
Pierce and Ft. Lauderdale) do not have, or are not ready to use H.239. Ft. 
Lauderdale only has the iPower which does not do H.239. Ft. Pierce has a 
VSX 8000 but it is not integrated into their AMX control system so they 
cannot use it when teaching, only for receiving classes. Homestead, Quincy 
and Immokalee also need to be updated for H.239."  

"...sent you an email in October giving you a prefix for testing H.239 with 
all problems resolved, I guess you must have missed it. I have included it 
below. From the testing I have done it works very well. If the opportunity 
presents itself to use H.239 in classes this semester I intend to do so. 
That will be determined by which RECs are teaching and receiving each class. 
If we can get Ft. Pierce, Ft. Lauderdale, and Homestead up to speed then we 
will be using H.239 for the majority of classes instead of NetMeeting.  

I believe this is the current state of H.239 at the RECs:
Apopka – Ready
Balm – Ready
Belle Glade – Not Ready (only needs Visual Concert)
Brooksville - Ready
Ft. Lauderdale – Not Ready
Ft. Pierce – Not Ready (can receive but not send, needs programming work)
Lake Alfred – Not Ready
Live Oak – Not Ready
Homestead – Not Ready
Immokalee – Not Ready
Marianna – Not Ready (only needs Visual Concert)
McCarty G001 – Not Ready
McCarty 1031 A - Ready
Milton - Ready
Ona – Ready 
Plant City – Not Ready (will be ready in 2 weeks or less, needs additional VGA cables run)
Quincy – Not Ready
Ruskin - Ready
Vero Beach – Ready

This list does not take into account bandwidth which may limit some places. 
I will try to put together a spreadsheet this week of this same list, but 
with more detail on what is needed."

 

The meeting basically ended quite early, but continuing discussion occurred until just before noon, when the meeting was adjourned.