ICC Meeting: IFAS COMPUTER COORDINATORS
All, Mr. Kyle Cavanaugh has requested possible comments about moving students to a special Google Gmail system from GatorLink e-mail. Have any of you heard any feedback about this from students? Other possible comments? I don't have a link to the full information handy, but the basic system is a special contract with Google to provide Gmail accounts to UF students (which would still have an @ufl.edu address), with the contract providing for appropriate security for restricted data. This is due to start in the fall, and would greatly reduce the support requirements for UF GatorLink e-mail; if funding for all faculty and staff were provided for using Exchange, then the GatorLink e-mail system could be eliminated altogether. Dan
Students pushing for Gmail
As follow-up to that, Donna McCraw mentioned that The Alligator had published some articles on the subject:
One of these articles mentioned that students, while not allowed to forward their GatorLink accounts, may configure Gmail to POP those. This uploads mail to Gmail and removes it from GatorLink, which accomplishes the same end result as forwarding to Gmail would.
Health Center has performed a risk analysis
Chris Hughes then pointed the ICC to the UF-HSC Information Services Advisory Council (ISAC) "Meetings & Supporting Documents site" which contains three documents discussing aspects of this plan:
Steve noted that, while there is little doubt that students would appreciate the increased services which such a move might promise, and that UF sees this as an opportunity to save money, he hopes the Alligator editorial which Donna kindly pointed us to persuades no one. It touts the strongest argument *against* such a move as being the primary reason for making it: "But, the most important reason for moving to the Google system would be to reap the benefits from a safer, more secure e-mail system with more layers of protection for sensitive personal information."
Steve is glad that the HSC is taking the initiative to address the security concerns involved; that aspect will be crucial to such a move being successful as the trend to cloud-computing has security risks which should not be overlooked in evaluating such a transition.
Legal aspects may halt plan
Dan Cromer said that he wasn't at all sure that this move would actually happen. Although the students are behind the idea, our lawyers have said that doing this would mean we can't send students any restricted data. That would mean a professor couldn't send a student a notice about their grades, for example. That may be a deal killer. Dan mentioned that the only way UF would really save on this would be from repurposing the staff which currently maintains the GatorLink e-mail system. Until all faculty and staff were moved to UF Exchange, GatorLink e-mail would still have to continue.
Mailboxes generate revenue for Google
Dan also mentioned that Google calculates that each mailbox they support generates a value of about $90/yr for them because of the way they are paid for advertising, etc. When Wayne responded that they should then be paying us, Matt Wilson pointed out that ads are removed as part of the for-pay service.
WAN transition to CNS
The final agreement is considerably less advantageous to IFAS than the original proposal
Steve related that the final CNS-IFAS WAN support agreement differs considerably from the original CNS proposal that he and Chris Leopold had reviewed back in late March-early April. The yearly cost to IFAS was increased 20% to $120,000 and the scope of work covered by CNS narrowed considerably.
The original proposal included support for all IFAS networks both on and off campus. It even went so far as to specify the NW District Support person as being responsible for assisting CNS with on-campus sites and detailed the transfer of the HP Procurve Management server and software to CNS. Under the final agreement, support for network ports on campus will continue to be the responsibility of IFAS prior to moving to the Wallplate. This means Chris will continue to be burdened with campus network maintenance for years to come. That is particularly disconcerting because freeing up time for Chris was one of the main positives of the original proposal in Steve's opinion.
Dan Cromer explained the changes by saying that Dan Miller and CNS came to better realize the amount of work involved and they consequently increased the cost. Dan also said that CNS reworded the scope of work because they never intended to take over support for the IFAS campus network ports before wall-plate (though the original proposal clearly stated they would).
The bottom line from Dan's viewpoint is that he was directed to cut $300,000 from the central IT salary budget. As Dan sees it, the other option was to lay off Jennifer and Claude and give the whole WAN work to Chris and his team.
Is the transition delayed until January?
Steve was concerned that we are already paying CNS but wouldn't begin receiving support until January 1st. Dan assured him that this was not the case. The January 1, 2009 date mentioned refers only to the fact that there will be a transition period during which IFAS will assist CNS in obtaining access to and the current configuration of each of our routers. The details of that have purposely been left vague because the details involved are not yet completely understood. The goal is to have detailed Service Level Objectives developed by year end.
Transition problems
A major issue has been the documentation and reprogramming of the routers to conform to CNS standards. Apparently, Claude took early retirement and did not work during June and the spreadsheet that Jennifer provided on her last day omitted many pertinent details.
The agreement is already in effect
As access and configuration details are granted, CNS will assume responsibility for each router. CNS is already handling things for the 15 REC circuits. If there is a problem, all we need do is submit a Remedy ticket to the UF network. Ben Beach mentioned that Dan Miller expects a 10-30 minute response to any tickets which are submitted--the duration from that point to resolution will depend on the nature of the issue. Ben also mentioned that CNS plans to create a separate group within the Remedy system for the WAN and that District Support staff would be able to submit tickets via that.
District Support involvement
The original proposal stated that CNS would require the continued help of the five District Support personnel. In that proposal those people would remain "a primary support group for onsite issues in remote locations, and will need to accept work from CNS."
Kevin relayed his understanding that Jennifer and Claude had actively monitored the network status and submitted tickets to service providers as necessary to resolve problems. Kevin wanted to know if District Support staff would now have to take over some of that role. Dan replied that the formal agreement is purposely vague as to what continued support IFAS will provide (i.e., "as appropriate"), with everything to be finalized as of January 1, 2009. At least until the details are worked out, Dan wants IT/SA to maintain Servers Alive so that we can do the same sort of monitoring that Jennifer and Claude had done. Wayne added that CNS uses Nagios and that they will be adding these routers to that system.
Split DNS solution for UFAD problems
Steve wants to leave this as a standing agenda item, but realizes that a solution will be a very long time in coming due to the complexities involved.
Possibly pertinent solution reported by another school
Steve noted, however, that there has been some recent discussion on the Windows Hi-Ed list which he had mentioned to Erik Schmidt and Mike Kanofsky. One message said:
From: windows-hied-bounces@mailman.stanford.edu [mailto:windows-hied-bounces@mailman.stanford.edu] On Behalf Of Richard Kline
We found that our domain controllers were not completely isolated from non-University subnets by the firewall. Specifically the LDAP ports were open but others necessary for Microsoft Networking (135, 137, etc) were not. The workstations were able to start the attachment/authentication process (LDAP) to the domain controllers but could not complete the process (135, etc). It was taking the workstations some 9 to 12 minutes to time out, give up and use the cached credentials. We resolved the issue by blocking LDAP (both secure and unsecure protocol ports) access to the domain controllers and completely isolating them from the outside world.
It would be very interesting to see if this solution might have some applicability to our own situation.
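The failure mode in Richard Kline's message is a ruleset that is inconsistent rather than merely too open: LDAP reachable from outside subnets while the RPC, NetBIOS and SMB ports a domain member also needs are blocked, so clients begin authenticating and then hang until the later steps time out. The following is an added example (not part of the minutes, the Hi-Ed message, or any UF/CNS tooling) that audits a first-match firewall ruleset for exactly that condition and reports each domain controller port as reachable or not from a given client address. The subnets, the DC address and the rules are constructed for the demonstration; the port list is Microsoft's well-known set for domain member authentication.

```python
"""Ruleset audit for the 'half-open domain controller' failure mode.

Added example, not from the ICC minutes or the quoted Hi-Ed message. The
subnets, DC address and firewall rules below are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass

# Ports a domain-joined Windows client needs to reach on a domain controller
# to authenticate and apply policy (well-known Microsoft port assignments).
DC_PORTS = {
    ("tcp", 88): "Kerberos",
    ("udp", 88): "Kerberos",
    ("tcp", 135): "RPC endpoint mapper",
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram",
    ("tcp", 139): "NetBIOS session",
    ("tcp", 389): "LDAP",
    ("udp", 389): "LDAP (CLDAP ping)",
    ("tcp", 445): "SMB",
    ("tcp", 636): "LDAPS",
}


@dataclass
class Rule:
    src: str      # source network, CIDR
    dst: str      # destination network, CIDR
    proto: str    # "tcp" or "udp"
    port: int     # destination port
    action: str   # "allow" or "deny"


def first_match(rules, src_ip, dst_ip, proto, port):
    """First-match evaluation; the ruleset is assumed to end in an implicit deny."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.proto == proto and r.port == port):
            return r.action
    return "deny"


def classify_dc_exposure(rules, src_ip, dc_ip):
    """Classify what a client at src_ip can reach on dc_ip.

    'isolated'  : nothing a domain member needs is reachable, so a client
                  falls straight through to cached credentials (the Hi-Ed fix)
    'open'      : every needed port is reachable (a normal campus client)
    'half-open' : some but not all, e.g. LDAP allowed while 135/137/445 are
                  blocked; clients start authenticating and then hang
    Returns (state, set of reachable (proto, port) pairs).
    """
    reachable = {pp for pp in DC_PORTS
                 if first_match(rules, src_ip, dc_ip, *pp) == "allow"}
    if not reachable:
        return "isolated", reachable
    if reachable == set(DC_PORTS):
        return "open", reachable
    return "half-open", reachable


def report(rules, src_ip, dc_ip):
    """Human-readable summary showing which needed ports are open and which are not."""
    state, reachable = classify_dc_exposure(rules, src_ip, dc_ip)
    lines = [f"{src_ip} -> {dc_ip}: {state}"]
    for pp, label in sorted(DC_PORTS.items()):
        mark = "allow" if pp in reachable else "deny "
        lines.append(f"  {mark} {pp[0]}/{pp[1]:<4} {label}")
    return "\n".join(lines)


# Constructed ruleset reproducing the Hi-Ed list situation: campus (10.0.0.0/8)
# can reach everything on the DC subnet, but LDAP and LDAPS are also allowed
# from anywhere, while 135/137/445 and the rest are not.
CAMPUS = "10.0.0.0/8"
DC_NET = "10.0.0.0/24"
BAD_RULES = [Rule("0.0.0.0/0", DC_NET, "tcp", 389, "allow"),
             Rule("0.0.0.0/0", DC_NET, "tcp", 636, "allow")] + [
    Rule(CAMPUS, DC_NET, proto, port, "allow") for (proto, port) in DC_PORTS]

# The fix from the quoted message: drop the world-reachable LDAP rules so the
# DCs are fully isolated from non-University subnets.
FIXED_RULES = [r for r in BAD_RULES if r.src != "0.0.0.0/0"]

if __name__ == "__main__":
    for rules in (BAD_RULES, FIXED_RULES):
        print(report(rules, "203.0.113.5", "10.0.0.10"))   # outside client
        print(report(rules, "10.20.30.40", "10.0.0.10"))   # campus client
```

Run against the constructed BAD_RULES, an outside client is classified "half-open" with only tcp/389 and tcp/636 reachable, which is the state the Hi-Ed message describes; with FIXED_RULES the same client is "isolated" while campus clients remain "open". A real audit would load the site's actual rules into the same Rule records instead of the constructed list.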
SharePoint Production Sites (prior discussion)
Steve asked Ben if he had any updates. Ben replied that things are going well. Wayne is going to provide three new Win2K8 servers and they are going to reconfigure the server farm.
Steve mentioned having moved Entomology's fiscal group onto Office 2007. They have a PeopleSoft shadow system which they maintain via Excel spreadsheets; these are very important for keeping track of our spending and current balances. Steve asked how cautious he should be about moving those materials from the current private file-share into SharePoint. Ben assured Steve that this was production ready and there should be no concerns.
Louise Ryan asked Ben about the status of external collaboration. Ben replied that this was the first thing he planned to put on the new servers once they are ready--even prior to adding the content. He is very committed to getting that working.
There continues to be no progress on the documentation which was to happen prior to announcement. Since this has never been formally announced, the matter remains on agenda as a standing item.
Vista Deployment via SMS and WDS
Group Policy Preferences hold great promise for allowing us to easily manage things like:
...taken from a document by Jeremy Moskowitz
One possibility for solving some of the logon script issues experienced by our Vista users is to replace much of the current logon script functionality (drive and printer mapping) with the use of Group Policy Preferences.
Steve raised the question of XMLLite and Group Policy Preferences. He is wondering what shape our client machines are in for moving to the use of Group Policy Preferences as a replacement means of drive mapping, etc. The client extensions for group policy have been pushed via WSUS, but the need for XMLLite as a pre-requisite may complicate things. WinXP SP3 and IE7 apparently include XMLLite; it is likely that WinXP SP3 accounts for far fewer machines than IE7. The questions are:
Andrew Cary expressed his opinion that the order of those was unlikely to matter. The issue would only be locating machines in category 1 above and seeing to it that XMLLite was somehow installed on those.
How many are deploying WinXP SP3?
Dennis Brown asked how many are deploying WinXP SP3. Steve mentioned that he has an SP3 slipstreamed version of WinXP which he uses for new machine installs currently.
Potential WinXP SP3 "gotcha" to be aware of...
Bill Black and Francis Ferguson both reported that after installing SP3 the updates seem to break. Googling this, Steve found a possible answer to the cause in Windows Update Agent 3.0 not being available when SP3 is installed on a fresh SP2 install. Whatever the cause, Bill mentioned he has solved this problem by re-registering the Windows Update DLLs.
[Note from future: KB943144 explains the issue, the cases in which it may occur, and two separate methods of fixing the issue.]
Steve noted that back in late 2006 Joe Gasper had shared a batch file which he uses for Windows Update repairs:
@echo off
::Batch file to reset Automatic Updates on a Windows XP machine
::
::Batchfile based on Microsoft KB for troubleshooting SVCHOST issues
::
::Created By: Santos Soler - 8/15/06
::Stop services if they are running (cryptsvc must be stopped before CatRoot2 can be renamed)
net stop wuauserv
net stop bits
net stop cryptsvc
::Wait 3 seconds (ping is used because sleep.exe is only present if the Resource Kit is installed)
ping -n 4 127.0.0.1 >nul
::Rename the folder CatRoot2 to .old or .new
if not exist %systemroot%\system32\catroot2.old\nul goto movea
move /y %systemroot%\system32\CatRoot2 %systemroot%\system32\CatRoot2.new
goto continue1
:movea
move /y %systemroot%\system32\CatRoot2 %systemroot%\system32\CatRoot2.old
goto continue1
:continue1
::Rename SoftwareDistribution folder to .old or .new
if not exist %systemroot%\SoftwareDistribution.old\nul goto moveb
move /y %systemroot%\SoftwareDistribution %systemroot%\SoftwareDistribution.new
goto continue2
:moveb
move /y %systemroot%\SoftwareDistribution %systemroot%\SoftwareDistribution.old
goto continue2
:continue2
::Start Cryptography service
net start cryptsvc
echo.
echo.
echo Registering DLL's...
::Register all the Windows Update DLL's
REGSVR32 /s WUAPI.DLL
REGSVR32 /s WUAUENG.DLL
REGSVR32 /s WUAUENG1.DLL
REGSVR32 /s ATL.DLL
REGSVR32 /s WUCLTUI.DLL
REGSVR32 /s WUPS.DLL
REGSVR32 /s WUPS2.DLL
REGSVR32 /s WUWEB.DLL
echo Finished registering DLL's...
echo.
echo.
::On a second run (SoftwareDistribution.new exists) the services are left stopped
if exist %systemroot%\SoftwareDistribution.new\nul goto skipsrvcs
goto startsrvcs
:startsrvcs
echo Starting Services...
::Start the Automatic Updates and BITS services
net start wuauserv
net start bits
goto wsus
:skipsrvcs
echo Update services were skipped...
goto wsus
:wsus
echo Forcing reporting to WSUS...
::Force Windows to report to WSUS
wuauclt /detectnow
::Change the Automatic Updates service to automatic
sc config wuauserv start= auto
echo.
echo.
echo Please wait 5-10 minutes for UPDATES, If Service Host Crashes...
pause
::Change the Automatic Updates service to manual
sc config wuauserv start= demand
::Restart the computer in 10 seconds
shutdown -r -f -t 10
::Abort the restart
echo.
echo.
echo If you NEED to Abort the restart...
pause
shutdown -a
IFAS Software site update request
Steve asked Chris Leopold again if he could update the IFAS Software site (ufad\IF-ADMN credentials required) with the slipstreamed version of WinXP with SP3 as well as add a link to UFAD's slipstreamed Vista SP1. Chris said he would do that and wanted to point out that the MAK key for Windows Vista was now posted there.
WinXP SP3 update via WSUS?
Kevin asked Wayne if there was a reason WinXP updates aren't being deployed via WSUS. Wayne responded that he didn't want the headache that was sure to result if he did this IFAS wide. He is willing to do that on an OU-by-OU basis if that is requested.
Exit processes, NMB and permission removal (prior discussion)
These issues were pretty well covered this month within the UF Exchange discussion above.
Re-enabling the Windows firewall
Steve wants to leave this matter as a standing agenda item for future discussion. Wayne mentioned previously that he has plans for doing this on Vista but not WinXP; the latter has only an incoming firewall that is essentially ineffective in any case.
The importance of proper naming conventions for computers
Wayne noted that improperly naming computers can cause a number of issues. There are several things to keep in mind when naming computers, including limiting the length to 15 characters, beginning the name with "IF", and choosing a name which helps to identify where the machine belongs.
Steve has attempted to document this issue within the IT/SA Service Documentation area (ufad\if-admn credentials required) of the ICC web site. Please let Steve know if you discover any errors or omissions in that documentation so we can correct it.
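Because misnamed computers cause the problems Wayne described, a small validator that can be run over an OU's computer list before machines are joined is a useful check. The following is an added example, not code from the minutes or from the IT/SA documentation. The 15-character limit, the "IF" prefix and the requirement that a name identify where the machine belongs come from Wayne's remarks; the character rules are the ones Windows itself enforces for NetBIOS computer names; the IF-<unit>-<machine> pattern (matching the server names that appear elsewhere in these minutes, such as IF-SRVV-FILE03) is an assumption made here, not a documented IFAS rule.

```python
"""Validator for the computer-naming rules described in the ICC minutes.

Added example, not from the minutes or the IT/SA documentation. The length
limit, the "IF" prefix and the 'identifies where the machine belongs' rule
come from the minutes; the character rules are Microsoft's for NetBIOS names;
the IF-<unit>-<machine> pattern is an assumption made for this example.
"""
import re

MAX_NETBIOS_LEN = 15                 # NetBIOS computer names are limited to 15 characters
REQUIRED_PREFIX = "IF"
ILLEGAL_CHARS = set('\\/:*?"<>|')    # characters Windows rejects in computer names
# Assumed local convention: IF, a 2-6 character unit/role code, then a machine id.
ASSUMED_PATTERN = re.compile(r"IF-[A-Z0-9]{2,6}-[A-Z0-9]+")


def validate_computer_name(name):
    """Return a list of violations; an empty list means the name is acceptable."""
    if not name:
        return ["empty name"]
    problems = []
    if len(name) > MAX_NETBIOS_LEN:
        problems.append(f"too long ({len(name)} characters, limit {MAX_NETBIOS_LEN})")
    if not name.upper().startswith(REQUIRED_PREFIX):
        problems.append('does not begin with "IF"')
    bad = sorted(ILLEGAL_CHARS & set(name))
    if bad:
        problems.append("illegal characters: " + " ".join(bad))
    if any(c.isspace() or ord(c) < 32 for c in name):
        problems.append("contains whitespace or control characters")
    if name.isdigit():
        problems.append("consists only of digits")
    if not ASSUMED_PATTERN.fullmatch(name.upper()):
        problems.append("does not match the assumed IF-<unit>-<machine> pattern, "
                        "so it may not show where the machine belongs")
    return problems


def audit_names(names):
    """Map each non-compliant name to its violations; compliant names are omitted."""
    result = {}
    for n in names:
        p = validate_computer_name(n)
        if p:
            result[n] = p
    return result


if __name__ == "__main__":
    # Constructed sample list: two compliant names and three that break a rule each.
    sample = ["IF-SRVV-FILE03", "if-srv-sql01", "IF-ENT-ACCOUNTING1",
              "DELL-LAB-07", "IF-ENT/PC1"]
    for name, problems in audit_names(sample).items():
        print(f"{name}: " + "; ".join(problems))
```

Names are upper-cased before the prefix and pattern checks because NetBIOS names are case-insensitive, so "if-srv-sql01" and "IF-SRV-SQL01" are treated as the same compliant name. The pattern check is the one rule to adjust if a unit's real convention differs from the assumed one.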
MPS access by unit-level administrators
Chris noted that, within the next few weeks, they will have Win2K8 RODCs at some remote sites as well as on campus in order to do some testing. They are undergoing a proof of concept for the proposed use of a single machine as both a RODC and a virtualized MPS. If that goes well, they plan to begin purchasing new hardware for those in about eight months.
Training and certification
Along with these plans we need to begin discussing what kinds of access to those servers will be appropriate for OU Admins at remote sites. While Chris understands that cooperative administrative access could benefit all--particularly in these times of tight staffing levels--he would like to develop at least some minimal training/certification process to ensure that access isn't granted beyond the capabilities of the support personnel which vary across the IFAS remote locations.
Input sought from remote OU Admins
Chris would like all the remote OU Admins who deal with MPS servers to make a list of the problems they see and what sorts of access they would like to have and/or feel is appropriate. Those items should then be sent to Andrew Carey. He will compile those and we will discuss that further at an upcoming meeting.
Steve asked if any folks connected remotely had a list already in mind. Joel Parlin responded that clearing print queues currently requires that he enter a ticket; he would appreciate having the ability to solve this common need himself. He also said that the ability to install printers would be appreciated. DHCP access is commonly needed also, but he already has that capability.
Virtual management stations may unify toolset for MPS management
Chris added that they expect to soon have management workstations available as VMs which can be accessed via a web page. They hope that will serve to unify the tools used for accessing these servers and hope that this would obviate the need to logon directly to the MPS servers themselves.
Controlling power settings via GPO preferences
We will leave this on the agenda for future discussion. Steve suspects there will eventually be some administrative mandate which will force us to do something along these lines.
This matter relates somewhat to the exit procedures addressed above. Matt Wilson has now been able to get this going again (mostly). The system may be accessed via http://if-srv-sql01.ifas.ufl.edu/Reports and had previously been documented (ufad\if-admn credentials required).
Steve and Dennis have both found these reports quite useful in the past and are quite interested in seeing them working again. Matt has all but one of the queries working and will try to fix the e-mail subscription process that seems to be broken. These reports are built from data that is accumulated via our computer startup script (ufad\if-admn credentials required) currently. Wayne reported that they are working on changing that to remove the startup script and utilize Lansweeper instead. In the new scenario, the logon script will inform the server of a new logon and the server will then connect remotely to the computer within 15 minutes and scan for the same sorts of information and more. That will be stored in an SQL database just like it is currently and will be available for reports. Lansweeper is already running and they just need to complete testing before implementation.
More SAN storage on its way
Wayne noted that more SAN storage is coming. Dr. Joyce approved funding for adding 60 more drives to the SAN. About 30 of those will be for file services (6.5TB for DATA, 1.5TB for VSS) and the rest are for SQL/MOM databases and virtual servers.
New file server cluster almost ready
The new file server cluster is about ready for production. Currently they are just keeping the data in sync with IF-SRVV-FILE03. The IT OU and the public share will be migrated shortly. If that goes well, then they will begin OU-by-OU in migrating units to the new cluster.
Macintosh clients should be enumerated
As mentioned prior, the Macintosh clients will be the biggest concern. Please make a list of such folks in your unit, check it twice, and keep it handy for the migration. On the new cluster, Macintosh clients will connect to either IF-SRVC-FILE1 or IF-SRVC-FILE2 depending on which unit you are in.
VSS looks good
Wayne reported that Volume Shadow Copy seems to be working fine and we currently have enough space to retain about 3.5 weeks of shadow copies. This is something which Andrew will especially appreciate, as he is the one currently in charge of doing the restores from tape, a task which VSS will remove the need for.
As you know, Wayne has been pushing out a new McAfee agent and the new ePO 4 web-based console is among the many things Wayne has been working hard on. Steve has attempted to document some of the details within the IT/SA Services Documentation (ufad\if-admn credentials required) section of the ICC web site.
Wayne led Steve through a demonstration of that web-based console. You are encouraged to read the documentation linked above and request that Wayne provide you access. If you then wish to follow along with the demo given here, you can go to about the 1 hour 33 minute point in the audio stream.
The use of the H.323 Extension ID (aka E.164) for PVX connections
Steve mentioned that he had contacted Patrick Pettus to arrange H.323 names and H.323 Extension IDs for the four PVX installations currently in his department. It is believed that these IDs can replace most needs for static IPs (either private or public).
Management suite on horizon
Patrick had mentioned that they are progressing with utilizing the Tandberg Management Suite (TMS). Patrick seemed to think that this package will be very useful for managing our various videoconferencing systems.
New IFAS Polycom directory published
Dan Cromer wanted to remind folks that Tom Hintz has posted a new Polycom directory list for IFAS as of June 14th.
There were four important Microsoft patches this month affecting SQL Server, Windows Explorer, DNS and OWA. The Windows DNS patch for WinXP is causing problems for users of ZoneAlarm. The DNS issue is much broader than just Windows; it affects a wide variety of platforms, and a wide variety of organizations have really pulled together to jump on fixing this latest problem.
Steve noted that Adobe Reader 9.0 is now available. If you do not upgrade to that version be sure to patch older versions, as vulnerabilities and fixes have been released practically monthly.
Steve had noted that Java Release 6 Patch 7 was just made available, but forgot to mention that he had found a nice no-installation-needed utility called JavaRa which assists in updating Java and will remove older versions, something which has always been an unaddressed annoyance with Java updates.
MS Office News update
Steve has corrected a problem with the Office 2007 install point. The default Exchange parameters are now changed to reflect the move to UF Exchange. The installation is currently at SP1. Winnie Lante mentioned that Dwight had aliased the previous server location so new users on old installs would not be affected by this change either.
Steve also noted that he was surprised to find yesterday that the old RPC over HTTP (aka Outlook Anywhere) settings have apparently been broken since the migration to UF Exchange. He isn't quite sure how all this time transpired without someone complaining about that; having heard nothing prior he had just assumed aliasing had somehow kept the old settings working. Apparently not. The new settings are documented at http://www.mail.ufl.edu/outlookanywhere.html.
Public folder file deletion policies and procedures status
This matter is pending migration to the new file server cluster.
Job Matrix Update status
Steve wants to leave this matter as a standing agenda item for future discussion and offered to help maintain that if Chris wanted.
Steve has left this on the agenda as a standing item, but there was no discussion on the topic this month.
The meeting was adjourned on time just prior to noon.