Difference between revisions of "Active Directory/Documentation/Infrastructure Todo List"
(29 intermediate revisions by 4 users not shown)
Latest revision as of 09:35, 14 June 2011
==2008/Domain Controller Upgrade==
* <s>New DC's/move to DC's (Derek)</s>
** <s>Tegan (DC2), Nyssa (Poe), and Romana (DC1) all are ready to go.</s>
** <s>WT-DC-00 will stay as a VM for now. Possibly shift it to MCNC if OIT gets that ability in the VM infrastructure.</s>
* <s>Figure out the Domain Controller Policy issues w/ 2003 vs. 2008</s>
** <s>Derek has done this.</s>
* DC Backups need to go off site - Isn't OIT pushing tapes to MCNC soon?
* <s>Move the crons off of 00dc to the new cron server</s>
** WRBEAUDO: GPO Delegation moved. New account created (logon limited to the cron server) since using SYSTEM doesn't have the same effect as when on a DC. I think this is the only cron that requires that level of permissions, so other crons will need to use different accounts.
* <s>dcpromo new DC's set for July 1st</s>
* <s>raise forest level to 2008</s>
** <s>DJGREEN: Need to confirm how the 2008 functional level might/might not impact existing/future trusts.</s>
* <s>Split out XP/Vista/2003/2008/Default Domain Policy to 6 policies rather than 3</s>
** <s>WMI filters created</s>
** <s>DJGREEN: might as well stub in Win7 as well.</s>
==Systems Integration==
* <s>Get LDAPS working correctly from the web/php side</s>
* <s>Update the password change page to try another DC if it fails</s>
** <s>prototype available at https://sysnews.ncsu.edu/tools-dev/password-change</s>
* <s>COMPLETED 3/16/09 -- Populate the rest of unityids (Dan)</s>
* Move to using Unity.ad account provisioning code. Solves the following issues:
** Populate gid/uid's
** alt. principals populated
** Get workshop accounts populating and disabling correctly and tie in paswd sync w/ these.
** start populating initial passwords
** WRBEAUDO/JAKLEIN gonna work on this
* Everette Allen is currently using the unity.ad GUIDs via ldap for his podcasting services. Before we turn the Unity.ad lights out, we need to make arrangements to migrate this.
==Reporting/Tools==
* Report on not-linked-in GPO's and last modify date > month
* Report on last logon timestamp for computer objects > 6 months
** in beta version of ADToolkit
* <s>Write web interface to allow "enabling" of user accounts that get erroneously disabled due to feed errors or wrong paswd entry multiple times.</s>
* Figure out which attribute to use for Remedy info on OU objects, populate, and then make a Computer->Remedy group lookup tool
** gonna go with "destinationIndicator" for now
* Report on last PW change > 1 year
* WSUS -- computers that need to reboot to apply patches. Combine w/ Ryan's script to determine who's logged in.
* <s>SW groups that are empty and have newer versions available. (ie, packages to remove)</s>
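The three hygiene reports on this list (unlinked GPOs not modified in a month, computers whose lastLogonTimestamp is older than 6 months, passwords older than a year) as an added PowerShell example; this is not code from the wiki page or from ADToolkit. It assumes the ActiveDirectory and GroupPolicy modules are available and an output folder named C:\ADReports.

```powershell
# Added example, not code from the wiki page or from ADToolkit: the three
# hygiene reports in the Reporting/Tools list, using the ActiveDirectory and
# GroupPolicy modules. Thresholds are the ones on the list; $OutDir is assumed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$OutDir = 'C:\ADReports'                     # assumed output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$now = Get-Date

function Write-Report($rows, $name) {
    # Write a CSV only when there is something to report; always print a count.
    $rows = @($rows | Where-Object { $_ })
    if ($rows.Count) { $rows | Export-Csv (Join-Path $OutDir $name) -NoTypeInformation }
    '{0,5}  {1}' -f $rows.Count, $name
}

# 1. GPOs linked nowhere (no LinksTo element in the XML report) whose last
#    modification is more than a month old: candidates for cleanup.
$staleGpos = foreach ($gpo in Get-GPO -All) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    if ($null -eq $report.GPO.LinksTo -and $gpo.ModificationTime -lt $now.AddMonths(-1)) {
        [pscustomobject]@{ Name = $gpo.DisplayName; Id = $gpo.Id; LastModified = $gpo.ModificationTime }
    }
}
Write-Report $staleGpos 'unlinked-gpos.csv'

# 2. Enabled computer objects not seen for > 6 months. lastLogonTimestamp is
#    replicated but only refreshed once it is ~14 days stale, so it is a lower
#    bound on age; accounts that never logged on have no value at all.
$cutoff = $now.AddMonths(-6)
$staleComputers = Get-ADComputer -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, operatingSystem |
    Where-Object { -not $_.lastLogonTimestamp -or [DateTime]::FromFileTime($_.lastLogonTimestamp) -lt $cutoff } |
    Select-Object Name, operatingSystem, DistinguishedName, @{
        n = 'LastLogon'
        e = { if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { 'never' } }
    }
Write-Report $staleComputers 'stale-computers.csv'

# 3. Enabled users whose password is older than a year. pwdLastSet of 0 means
#    "must change at next logon", which is worth seeing separately.
$pwCutoff = $now.AddYears(-1)
$oldPasswords = Get-ADUser -Filter 'Enabled -eq $true' -Properties pwdLastSet |
    Where-Object { $_.pwdLastSet -eq 0 -or [DateTime]::FromFileTime($_.pwdLastSet) -lt $pwCutoff } |
    Select-Object SamAccountName, DistinguishedName, @{
        n = 'PasswordLastSet'
        e = { if ($_.pwdLastSet -eq 0) { 'must change at next logon' } else { [DateTime]::FromFileTime($_.pwdLastSet) } }
    }
Write-Report $oldPasswords 'old-passwords.csv'
```

Get-GPOReport runs once per GPO, so the first report is slow in a domain with many policies; the other two are single directory queries.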
==Needs Fixing==
* Fix Mac File server group permissions issues
** Everette is testing this in Wolftest (as much as possible with it in its current state)
* Get the delegation of packaging permissions working correctly
* Get the GPO Delegation script pulling the list of "units" from the database rather than by hand
** WRBEAUDO: Since default GPO perms are Domain/Enterprise Admins/SYSTEM + Creator/Owner, options for this are run as "restricted" DA account, or change the default GPO perms in the Schema
* Fix NT Authority/Interactive bug
** DJGREEN has long email written to explain... might eventually send it!
* Fix 2008 TS License location issues
** Moved engr88lic and its 10 TS CALs to WolfTest, Kevin is gonna look at it.
* AuthUser:Read permissions exist on every single user object. Current thought is that this was introduced with Services for Unix extension. Needs to be addressed to get back into FERPA compliance.
* RSOP is broken. Need to determine the firewall ports that need to be opened.
** Believe current DC policy also disables the service(s) needed for this -- will need to adjust + make sure we're not opening a security hole.
==Feature Additions==
* <s>Change the default location of newly joined computers to an OU so we can apply default settings.</s>
** <s>DJGREEN writing proposal email for community -- eta 3/16/09.</s>
* <s>Centralize WSUS (Dan/Josh)</s>
** <s>WRBEAUDO: Maybe add Joe W., need to check w/ Debbie</s>
** <s>Meeting to discuss deployment 3/6/09. Meeting went well. Announcement expected week of 3/16/09.</s>
* Get Webdav working on DFS root servers (Derek/Josh)
* <s>Create/update (2008/Windows 7) central admx store</s>
** Still need to remove all old ADM files.
* <s>Certificate services - can we use a chained signing cert from the OIT cert as the SOA for enrollment?</s>
* Sane model for support/access/location for personally-owned equipment
** DJGREEN: Needs discussion -- personally opposed to allowing non-NCSU equipment on domain (though I'm willing to make exceptions for special cases -- just don't want every student on it!)
** WRBEAUDO: If we're going to allow for any personally owned machines on the domain, we need to be prepared to handle all of them. Having a solid process/gameplan up front is crucial to not getting screwed later.
* Prep work for roaming profiles
** Needed: filespace (duh), populating the paths in accounts, deciding on opt-in vs. opt-out, setting appropriate policies
* GPO setup with groups and all wolfcopy printers so people can pick w/o much work
* Test Domain: What accounts? Push OU/GPO structure regularly. Trusts?
** MS had code for doing mass dump of OU/Group/GPO. Dump has been tested, import hasn't.
** We're gonna populate accounts w/o NTLM password. Can test using cross-realm trust.
** Cross-realm trust already set up, but not tested
* Move WolfPrint Samba stuff to WolfTech
** Easiest with uid/gids populated and pass-thru auth to MIT Kerberos done. Possible if these things are not done.
* Mac Schema extensions
* Terminal Services profile - Set via GPO or on user objects? Required for Citrix implementation
* Default power savings settings at the root of the domain
* <s>Integration of the Cisco Call Manager system -- Debbie has details; used for authentication.</s>
* Dell/HP ilom Schema extensions
* Firewall rules to allow MCNC access to infrastructure servers?
* DJGREEN: Shadow groups for computers by OS by unit (to be used for GP filters, future SW denies)
* JAKLEIN: Would like to have a dedicated array of UID/GIDs allocated to WolfTech for use with .admin accounts.
==WDS==
* Standardize and document procedures for common tasks.
* Automate image import/export for image migrations and backup.
* Create an image backup solution. (short term: use munin?)
* Remove read permissions from \\wolftech\deployment\Staging due to potential information disclosure?
* <s>(DONE; UNDOCUMENTED & UNANNOUNCED) Set up "nonstandard"/"additional" image groups for clients and server OSes; separate default images into "standard" and "nonstandard"/"additional" lists.</s>
* Import imagex, mbrfix into boot images.
* <s>Perform new server performance tests.</s>
* Test wdscapture image upload functionality as non-WDSadmin account. Hopefully it doesn't work.
* Script the mapping of \\wolftech\deployment\Staging to Z: (or some other drive letter) as initial action during boot image startup? (to make wdscapture somewhat easier to work with)
* Find and migrate to a permissions model that more easily exposes who has perms to which images.
* Create policy for situations when [OU]-Allow Imaging is insufficient due to need for >1 group to have access to images but still keep image security between groups.
* Improve logging with one of the following:
** Publish to log server
** Use logparser to convert to MySQL db entries
* <s>(DONE; UNDOCUMENTED & UNANNOUNCED) Reorder install image list; accomplish by renaming image groups to Custom-[OS] and Base-[OS].</s>
* Resume discussions on ADToolkit & WDS functionality:
** List of images on servers
** List of permissions by image
** Search for images that a user has permissions to use/view
** Report old/stale custom images (1, 2, or 3 years?)
** List of drivers on server
** List of drivers in boot image(s)?
** Publication of server logs (image deployments, imaging events, etc)
** Add user to "nonstandard"/"additional" image groups
* Define support policy on noncurrent OSes (XP, Vista, 2003, 2008 x64, etc...).
* Revisit policies related to images:
** Reject hardware-specific Win7 images (you're doing it wrong)
** Limitation on number of images (one unit having 24 images is probably too much)
** Change permissions from Auth Users to NCSU-Allow Imaging (keep nondesignated users from being able to view image lists, and therefore reimage computers)
* Clarify policy on usage of wds@ as compared to activedirectory@ lists; ensure that this policy is documented.
* Announce all of the changes above to wds@ and activedirectory@ (if appropriate).
* Create documentation for all of the above.