ICC logo IFAS logo


ICC Meeting:

IFAS COMPUTER COORDINATORS
(ICC)

NOTES FROM December 8th 2006       REGULAR MEETING


A meeting of the ICC was held on Friday, December 8th, 2006. The meeting was chaired and called to order by Steve Lasley, at 10:10 a.m. in the ICS conference room.

PRESENT: Sixteen members participated.
Remote participants: Chris Fooshee, Kevin Hill, and Louise Ryan.
On-site participants: David Bauldree, Benjamin Beach, Dennis Brown, Dan Cromer, Wayne Hyde, Dwight Jesseman, Nancy Johnson, Winnie Lante, Steve Lasley, Chris Leopold, Richard Phelan, Mark Ross, and Joe Spooner.

STREAMING AUDIO: available here

NOTES:


Agendas were distributed and the meeting was called to order at on time at 10 AM.

Report from the chairman

New members:

Dan Cromer mentioned that Scott Owens is shifting roles a bit. Since the mainframe operations have diminished significantly due to Peoplesoft, Scott has been assigned some duties to help central IT with the listserv, increasing mailbox stores and things like that. This is being coordinated via the Help Desk, with certain of those tasks being assigned to Scott. This adds the new role of "Business Unit extension" to the Help Desk. Scott still creates CICS accounts for people that need to use the student systems (Student Records, ISIS, SASS, and Student Financial Affairs).

Recap since last meeting:

As per his usual procedure, Steve pointed folks to the notes of the last meeting, without going into any details.

ICC OU Admin Peer Training:

We skipped the November ICC meeting and held this event in its place on November 7th, 1-4pm in McCarty G001; it was well attended both locally and across the state via Polycom. Training got off to a somewhat rocky start due to apparent bandwidth issues, but comments were positive and we will likely try this again on a roughly annual basis if there is interest. The video stream is available (ufad\if-admn credentials required) for those who may be interested in seeing it after-the-fact.

Recap from November ITPAC meeting

Discussion at ITPAC centered mostly around web-based informal training and the work that Marion Douglas is doing in developing back-end systems for course evaluation. There was a discussion of our processes for new web site requests. Dan Cromer received support for modifying our web request form so that requestors confirm having read and understood UF web policy, that they specify the reason behind their request, and that they specify a chair or director who would have approval authority over the site. Dan also continued his efforts in developing of a central process for software development coordination within IFAS and received ITPAC support for doing so. Steve gently prodded the committee to continue to push for an active videoconferencing committee and Pete Vergot spoke to the need for IFAS clientele support for the IFAS Legislative Budget Request (LBR) for IT.

Policy

IT Governance sub-committee status report

The UF IT Governance Task Committee has produced an IT Governance Summary Document. The details of the workings of that committee are well detailed at http://www.it.ufl.edu/reorg/governance, including the minutes of their meetings. Dan Cromer reported that they had met just yesterday. The committee agreed that further steps towards IT guidance would require the sponsorship of a third-party group whose focus would be outside or above the various individual IT organizational goals of the committee members. The committee intends to recommend to upper administration that such a group be appointed to continue development within the suggested framework, gathering input from all IT groups at UF as well as from UF faculty and staff.

Recommendation: autogroups for *selected* roles

Steve asked Dan Cromer if, now that the GLAM project was complete, he expected any attention paid to this matter in the near future. Dan believed this was coming, but that there have been a number of little issues in finishing that project which has kept the staff very busy. Dan said that Daniel Halsey had also been kept busy on another project, so not much has happened regarding IFAS integration with Peoplesoft via the Biztalk infrastructure that is now in place.

Kevin Hill asked for details of what "autogroups for *selected* roles" meant and Steve referred him to details from earlier ICC notes.

Steve mentioned that when the GLAM project recently disabled approximately 50,000 Gatorlink accounts, a number of folks lacking the proper affiliations were removed. Although lists were made available to Directory Coordinators, a number of Emeritus and Courtesy faculty (among others) were dropped inappropriately. Instructions were provided on how to acquire the proper affiliations; Departmental Associate, Direct Support Staff and Courtesy Faculty affiliations may be set by any directory coordinator and others are managed by various offices around UF. I you are having e-mail delivery issues for a particular person, one possibility to consider is that the recipient may have had their account disabled.

Projects

IFAS Remedy System

Steve mentioned that if you have the Remedy (ufad\if-admn credentials required) routing system (again, ufad\if-admn credentials required) set to notify you but to assign to the Help Desk, tickets entered for people in your OU will still be assigned to you and not to the Help Desk. Such tickets are often overlooked by the Help Desk and so languish in the queue. If you enter tickets on behalf of your users, you are encouraged to "assign" the ticket generally to Dan Christophy (i.e., moses32) or, if you know the one who needs to handle the issue, directly to them.

Dan Cromer asked about the new interface and Steve referred him to notes from our last meeting for the known details on that.

IFAS WebDAV implementation

Steve inquired as to the status of the documentation for this. Ben Beach determined that 64-bit versions of Windows (WinXP or Vista) could not utilize the http://files.ifas.ufl.edu site. Mark Ross mentioned that WebDAV is a protocol, which is an extension of HTTP 1.1, and the client must be able to handle it. More uniquely, under our Microsoft-based environment, NTLM is generally used for authentication; unfortunately, that is not universally supported on the client side. To add complication, firewalls and any number of issues may interfere with the process.

Dan Cromer mentioned that we want to have all the issues resolved (or at least managed) prior to announcing this service. Steve again recommended having web-based documentation prior to announcement and Dan agreed. Diana's tentative documentation, based on an e-mail from Ben Beach is viewable at http://edis-symposium.pbwiki.com/SharingFiles. There is a link entitled "BensEmail" there which offers some proposed verbiage.

Steve mentioned that Nick Hostettler, Entomology's Macintosh support person, has had no success accessing this via the Macintosh native protocol handler, but is able to utilize Goliath to easily make use of this.

Nancy Johnson asked about the details of administering the Private OU subfolders on the IFAS file server for workgroup file sharing purposes. Steve briefly explained the details of that (create and populate a security group with the people needing access, then create a subfolder for them and assign that group "modify" permissions) and pointed everyone to the documentation he has done on our file services. Steve would appreciate feedback on how to make that documentation better and more useful. Chris Leopold mentioned that Ben Beach has some documentation on use of the multi-purpose servers and it was suggested that he provide that to Steve for hosting on the ICC site (something Steve would be more than glad to do).

Vista TAP and Vista Deployment via SMS and WDS

Steve mentioned that Erik Schmidt has created http://vista.ad.ufl.edu for delivering important information about Windows Vista and Office 2007; everyone is advised to peruse that site. You will find a link for downloading that software there; other useful related software packages are also available, including the Cisco VPN Beta for Vista, and McAfee VirusScan 8.5i Release Candidate for Vista.

Having installed Vista and Office 2007 on his laptop, Steve mentioned a number of problems which he had encountered. One was the surprising lack of support for the in-built NIC. Others have reported such matters and the solution is always to install legacy drivers followed by updates if available. Of course, lack of a NIC driver makes this a difficult process to bootstrap.

Regarding installation, Steve also noted the Vista ".img" file, which is available for download on the IFAS Software Site (ufad\if-admn credentials required) may be burned to DVD by first renaming the file so it has an ".iso" extension. Chris Leopold said that he planned to rename that on the IFAS Software Site (ufad\if-admn credentials required) simply to reduce confusion, because he had fielded a number of calls on that already. Most who have burners will have some bundled software for burning discs; if not, there are command-line burning tools available for use on WinXP via the Windows Server 2003 Resource Kit Tools. The Office download comes as an ".exe" which expands into the installation files; unlike Vista, this will fit on one CD.

Steve mentioned that he had begun a "Software Availability" (ufad\if-admn credentials required) section of the ICC IT/SA Services documentation (filed under "Services" as "Software" for convenience in locating). This area is meant to point IT support folks to a number of the locations which may be recommended for obtaining various software packages for UF faculty, staff and students.

Dwight Jesseman raised the issue of IFAS needing training for Office 2007. Steve mentioned that this had been discussed previously, but that was really a matter for Tom Hintz. Dan Cromer mentioned that we each need to come up to speed with it ourselves first. Then we need to get Tom using it and developing classes. Dan mentioned that it is really a UF-wide issue and that he expects there will be some training support centrally as well.

The IE7 Admin Helper script (explorer-based version of the iexplore-based script currently used as the if-adml logon script) does not seem to work on Vista and Steve has found no way to logon with local admin credentials (i.e. as IF-ADML) and then "runas" an explorer window via network admin credentials (IF-ADMN). The only effective method of gaining remote network admin access Steve has found is to map a drive via elevated credentials (i.e., do a "net use x: \\ad.ufl.edu\ifas /user:ufad\if-admn-GL") and use the command-line for file and folder access. Unless a solution is found we may have to re-address our admin account procedures. One possibility might be to modify the IF-ADMN logon script (which automatically logs such a user off when they try to log on to a computer locally), adding a test for OS. Since Vista has in-built protections for admin accounts, perhaps we could agree to allow logon by IF-ADMN accounts to Vista machines via that method.

A similar problem in running admin tools, does have a solution courtesy of Joe Gasper:

1) Open Local Security Policy
       You may find you need to first a cmd prompt as Administrator and 
       then run gpedit.msc.
2) Drill down to Computer Configuration> Windows Settings> Security 
       Settings> Local Policies> Security Options
3) Set/Confirm the two Policies for "User Account Control: Behavior of 
       the elevation prompt..." to "Prompt for Credentials"
When you open "ADUC" or other AD management tools, you will then be prompted 
where you can specify your AD administrative account credentials.

While one can load the Win2003 SP1 admin pack, it requires considerable trickery. The W2K3 Admin Pack for Vista has completed final testing and an announcement of its availability is expected to be out next week according to Dom Vila, Senior Microsoft Consultant with the UF TAP program.

Kevin Hill reported that our logon scripts are not running under Vista either. The main script runs, but it is not assigning drive letters. This is definitely something that needs to be resolved ASAP.

A number of folks mentioned that the 64-bit of Vista has various driver issues currently (scanners, disc burners, etc.) that make it difficult to use as a production system; one assumes those problems will go away, for the most part, fairly soon after Vista is released to the public. Dan Cromer recommended sticking with the 32-bit version for now, as he tried the 64-bit version and found it to be not adequate for his daily work.

Kevin asked about the schedule and number of machines which UF had agreed to deploy under the TAP program, and who is coordinating how that would be split within IFAS. Nobody at the ICC knew for certain the details on that, but it was suggested that Erik Schmidt would be the person to ask. Chris Leopold believed that there were no clear numbers identified yet and thought that application compatibility testing had been falling behind schedule. Ben Beach has been asked to attend the Vista Tap meetings and has been doing this since last month. He reported that Erik has heard nothing from IFAS. Dan Cromer suggested that each IT support person keep Erik informed (with cc to Ben and possibly Steve) of the number of Vista machines which they had running.

Discussion then ensued about how quickly we should plan to move to Vista. Most agreed there was no reason to push our users in that direction; but at the same time, IT support needs to get up to speed rapidly so we can field the questions coming in February when Vista starts shipping on Dell machines. Of course, we can continue even then to order machines with WinXP, should we wish. There was even some discussion about posting a policy that IFAS IT does not currently support Vista--until such time that we feel it is ready for wider distribution.

Kevin asked Wayne if an ePO agent compatible with VirusScan 8.5, is being pushed out yet. Wayne said we are pushing out the current release version at this time, but not it is not compatible with 8.5. Wayne said he would let the ICC know just as soon as that was available.

Regarding Vista Activation and KMS, there is a Microsoft site which details this process and both the FAQ and the step-by-step guide are recommended for those wishing to understand the process. There has been a very good thread discussing the matter, however, on the Activedir.org mailing list and Laura Robinson offered the following excellent summary there:

There are two types of activations for Vista- MAK activation and KMS activation.
 
MAK activation works much like an MSDN subscription. You tell Microsoft how many 
MAK activations you want to purchase. Microsoft sells you a MAK key with that 
many activations. A machine that is activated via MAK activation never has to 
renew. A MAK-activated client either directly contacts Microsoft servers for 
activation or (in 2007, when the VAMT tool is released) it activates against a 
proxy in your company that "feeds" the activation to Microsoft activation 
servers. If you reinstall the OS and specify MAK activation again, then that 
will use another of your allocated activations. MAK activation is designed for 
machines that are NEVER connected to your network (VPN counts as connected) in 
any given six-month period. Therefore, we're talking about a machine that goes 
out your door and you don't see it again for a very long time. MAK keys should 
not be commonly or lightly used. In the reinstall scenario, much as you can now, 
you can contact Microsoft at that time and explain the situation and get another 
activation. 
 
KMS activation DOES NOT REPORT ANYTHING TO MICROSOFT. You activate the KMS host 
against a Microsoft activation server, and your KMS clients get activated by 
YOUR KMS host. Once a week, they try to renew. If renewal is successful, the 
KMS client now has six months from that day to renew again. The client will 
still renew once a week and will be extending that six month window each time. 
In other words, you always have six months from initial activation or renewal 
of activation before the client MUST contact a KMS host again. If it's day 179 
and your KMS host has been down that entire time, when you bring it back up on 
day 179, your clients can renew their activations for another six months. 
During those 179 days while the KMS host was down, they are unaffected unless 
their 180 days of validity expired during that time and they were unable to 
locate and contact another KMS server.
 
If you reinstall the OS on a KMS-activated client, IT DOESN'T MATTER, because 
Microsoft doesn't track KMS clients. In fact, even the KMS server only keeps 
track of the last fifty activations it has performed. Now, if you want to keep 
this information for your own records, you can easily extract it from the event 
logs or you can use the MOM management pack for KMS.
 
With KMS activation, you are simply saying to Microsoft, "we anticipate that 
we will have 10,000 [or whatever] Vista clients. Therefore, we'll pay you for 
that many Vista clients." That's the end of the story as far as Microsoft is 
concerned. If you exceed 10,000 active Vista clients, then you're in violation 
of your agreement, but Microsoft won't know about it via some magic mechanism. 
KMS-activated clients don't talk to Microsoft. They talk to your KMS host. 
 
The step-by-step guide I referenced tends to look dry and overwhelming to 
people and I suspect that many folks don't really sit down and take the time 
to read it thoroughly (can't blame 'em), but it really is all explained there.

The UF KMS server is up and in-place, so Vista machines connected and joined to our domain should activate automatically. For machines which are not connected at least every 6 months, there will be MAK keys available--however, those may be delayed until January or so.

Ben mentioned that we will need to get the Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats on our Office 2003 and earlier Office installs so that our users can open, edit, and save documents, workbooks, and presentations in the file formats new to Microsoft Office Word, Excel, and PowerPoint 2007. This is something we may want to try and push out to our users via WSUS, if possible.

Removal of WINS

This issue has been tabled indefinitely.

New IFAS IP Plan

Steve asked for a status on this. Chris Leopold responded that CNS is anxious to get all our old public numbers back. We are down to four subnets: 134, 135 (farm area around ICS), a portion of Fifield along with Merhoff (which is all one subnet) and 4 (Livestock Pavilion and Animal Science). The problem with finishing this is simply finding the time.

Move to IF-SRV-WEB

Mark Ross gave an update on what he is working on regarding the web servers. Mark's main focus has been setting up WebDAV access to allow removal of FTP and he presented a demo of how this will function using Dreamweaver as his example model. Mark explained how Microsoft's WebDAV implementation used NTLM for secure authentication. Products like Dreamweaver do not understand that and must authenticate using clear text--which is bad. Consequently, Mark has setup the web server to use an HTTPS connection on port 6502 and allowed read/write access to each web site so that editors may modify their files using SSL. That encrypts what would otherwise be an insecure connection method. The key to this was in getting SSL on IIS to run on multiple web sites; it turns out that there is a command-line method of doing that which is fairly well documented and is supported by Microsoft.

While one can configure Dreamweaver to use a UNC path, the WebDAV method works from various platforms and also from home w/o the need for a VPN. You configure the application to use WebDAV with an https connection to your web site using port 6502. With the ICC website, for example, one would use "https://icc.ifas.ufl.edu:6502" as the target specification. This alternate port was necessary because we use SSL on some web sites for browse access as well; we thus can't use the standard 443 port for editing access purposes.

Client configuration is fairly easy and Mark plans to have a web site with screenshots of how to accomplish this. This solves the dual problems we have with FTP which passes credentials as clear text and allows inappropriate directory traversal.

Frontpage can use NTLM authentication and does not need to use this WebDAV method for access. Windows users may utilize IE for WebDAV access via the "Open as Webfolder option" and Goliath works fine for the Macintosh.

Steve noted that Expression Web, Microsoft's replacement for Frontpage, is now available. There is a 60-day free trial available for download. Woody Leonhard has a good write-up on this and other upcoming MS web applications via his Office Watch Newsletter.

Mark mentioned that he is ready and anxious to move everyone off \\if-srv-web01 to the new server. The problem is with the Frontpage Server Extensions. He knows a number of sites will break. We can fix those as they arise, but he really wants to get going on the migration. Mark wanted to give us the heads-up on that, because some sites are bound to break and require fixing.

Exit processes, NMB and permission removal

Prior exit procedure discussion. The GLAM project is now complete. Some accounts were not properly associated prior and were disabled. If you have an email delivery problem to an Emeritus or Courtesy faculty member, you might consider this as a possible cause.

Steve asked Dan if anything further has progressed on improving our processes. Dan referred back to our earlier discussion on the Biztalk situation. Apparently, nothing else has happened yet.

Listserv confirm settings

As you may recall, administration had asked Dan Cromer to investigate all possibilities for addressing our listserv/spam issues due to the fact that they feared a list sender might forget about the confirmation and consequently an important notice might not go out in a timely fashion. Steve asked if any other ideas have come up. Dan responded that the current plan is to utilize a programming solution to examine "From" addresses of e-mails sent to our lists to verify that they are in the IFAS Directory. This won't prevent delivery of spoofed addresses, but Dan believes that we may then further tweak that process to validate against IP or some other parameter that could be used to weed out spoofed messages as well. No programmer is available for doing this currently, however.

Removing Appletalk from all IFAS subnets

CNS really wants Appletalk off the core routers. Chris Leopold has proposed that this be done shortly for Fifield, ICS and Entomology. Although Steve didn't see this listed on the maintenance notification for Sunday, Chris believes it is indeed being done this weekend. Nick Hostettler, Mac support person for Entomology related that they have some computers running OS 9 because of the software requirements:

  • One old Mac used as a key-server. Solution: a static address would work instead of AppleTalk
  • One old Mac must use AppleTalk to print to a color printer. Solution: local seeding of subnet via Win2k3 server.
  • One old Mac used for data acquisition with remote printer Solution: could use a dedicated printer.

There are work-a-rounds even for OS 9, such as ShareWay IP and AppleTalk over IP, to connect for file transfer/backup.

Operations

Status of our Public folder file deletion policies and procedures

This is another example of an implementation that has been on hold due to inadequate staffing levels and the lack of time to follow-up with such matters. Implementation, as previously discussed, is awaiting documentation. Steve feels the notice should point to web-based documentation. Once documentation is in place, the actual deletion policy can be implemented as per prior ICC discussion. Dan Cromer has suggested that this be combined with the documentation about the IFAS WebDAV implementation so that a single notification of both could be made to the IFAS-ALL. The problem is that no one has been made responsible for doing any of this.

IE7 via Automatic Update

IE7 is being picked up by folks using Windows/Microsoft update both at home and at work, but is set to "Detect only" within our WSUS server, and thus is not being pushed out everywhere yet. Wayne mentioned that specific OUs may request IE7 be approved for them if desired.

There is a known issue with IE 7 causing some of e-mails in Outlook and Outlook Express to not print their headers anymore. One possible workaround involves changing the margins to 7.5 inches all around, but if this feature is important to an individual it may require rolling back to IE 6. Offering remote assistance (if-admn credentials required) is apparently broken under IE7 as well.

Roll back to IE6 may be accomplished rather easily via the Add/Remove Programs control panel. Simply click "Show updates", find IE 7 and remove.

Admin Helper Script and IE7

Chris Leopold proposed adding a check to the current Admin Helper Script (ufad\if-admn credentials required) that would test for IE7 and, if so, use the version supplied by Chris Hughes that uses explorer.exe rather than iexplore.exe. The Explorer version works with Vista, but not with Windows 2000.

Steve suggested just completely replacing the iexplore version with the explorer version. Folks who wanted or needed (Win2K) the iexplore version could run that manually from the netlogon location if that file was left there clearly named.

Other discussion

CALS Form Processor

Nancy Johnson asked about the CALS form processor which Joe Spooner had developed. She wasn't clear on where to find it.

Slow Laptop Startup and Logon

Steve asked if others had had problems with laptops trying to contact DCs during startup and logon via wireless, causing very slow startup times. Everyone mentioned having seen this. Steve had e-mailed a request for comment to Mike Kanofsky four weeks ago and again two weeks ago, but has received no response:

Hi Mike,
   This problem is long standing but seems to be getting generally worse 
and more bothersome for some reason. In fact, at the last ITPAC meeting, 
Pete Vergot, Jim Selph and others all agreed that "UFAD has caused 
extremely slow startup times" for their machines and those of their 
staff--note that these are extension folks who use laptops regularly. 
   It would appear that when a laptop has its wireless radio enabled in 
range of an access point, and is not connected via network cable, the 
machine can somehow see UFAD (at least in some fashion) and it takes a 
very long time (5-10 minutes is not uncommon) to give up trying to 
authenticate via that route.
   Some laptops can have their radios disabled via keypress or switch 
to circumvent the problem (if people are aware--though turning that off 
often causes problems for the next user. Others can only fix this via 
disabling the interface--which requires admin access and is not an 
option on laptops we make available for checkout.
   Is there any way that the DCs can be better firewalled to prevent 
this problem? I haven't tried this at home, so I'm not sure if it is 
just an issue via UF access points using wipa or if the DCs can be seen 
in some fashion from the commodity internet as well. 
Thanks,
Steve

Dwight suggested sending such things to the support@ad.ufl.edu as Mike may have been too busy lately with GLAM issues to respond. Steve thanked Dwight for this suggestion and will do so.

Kevin mentioned that this problem happens when on the commodity Internet as well, and is due to the DCs being pingable. Pinging is how UFAD currently monitors that a DC is on-line (though there have been some discussions that this monitoring is not actually closely followed or responded to in a timely manner by an actual individual). The assumption is that a workaround for that is what is holding up fixing this matter--but until we hear back from the UFAD people, that is mere speculation.

Local Unowned Machines

Dennis brought up the issue of having machines placed in Fifield classrooms by Academic Technology. These are old and need replacing, plus they are causing problems for his users. His example had to do with the application of updates, with that occurring at boot-time and thus greatly slowing down access to the computer once each month. The professor comes in to prepare for class and it takes "forever" to get the machine running. The problem is that Dennis has no admin access to those machines. It was recommended that Dennis take admin ownership of those and perhaps consider replacing them with departmentally-owned machines at his first opportunity. Dennis said that this was somewhat of a political issue because the machines were used by various departments within Fifield and no single department might like to foot the bill for that.

 

The meeting was adjourned just a bit early at about 11:55 a.m. Dennis Brown arranged for us to take Joe Spooner out to the Olive Garden for lunch after the meeting and a good time was had by all.