Difference between revisions of "Active Directory/Documentation/Infrastructure Todo List"

2008/Domain Controller Upgrade

• New DC's/move toDC's (Derek)
  • Tegan (DC2), Nyssa (Poe), and Romana (DC1) all are ready to go.
  • WT-DC-00 will stay as a VM for now. Possibly shift it to MCNC if OIT gets that ability in the VM infrastructure.
• Figure out the Domain Controller Policy issues w/ 2003 vs. 2008
  • Derek has done this.
• DC Backups need to go off site - Isn't OIT pushing tapes to MCNC soon?
• Move the crons off of 00dc to the new cron server
  • WRBEAUDO: GPO Delegation moved. New account created (logon to limited to the cron server) since using SYSTEM doesn't have the same effect as when on a DC. I think this is the only cron that requires that level of permissions, so other crons will need to use different accounts.
• dcpromo new DC's set for July 1st
• raise forest level to 2008
  • DJGREEN: Need to confirm how the 2008 functional level might/might not impact existing/future trusts.
• Split out XP/Vista/2003/2008/Default Domain Policy to 6 policies rather than 3
  • WMI filters created
  • DJGREEN: might as well stub in Win7 as well.

Systems Integration

• Get LDAPS working correctly from the web/php side
• Update the password change page to try another DC if it fails
  • prototype available at https://sysnews.ncsu.edu/tools-dev/password-change
• COMPLETED 3/16/09 -- Populate the rest of unityids (Dan)
• Move to using Unity.ad account provisioning code. Solves the following issues:
  • Populate gid/uid's
  • alt. principals populated
  • Get workshop accounts populating and disabling correctly and tie in paswd sync w/ these.
  • start populating initial passwords
  • WRBEAUDO/JAKLEIN gonna work on this
• Everette Allen is currently using the unity.ad GUIDs via ldap for his podcasting services. Before we turn the Unity.ad lights out, we need to make arrangements to migrate this.

Reporting/Tools

• Report on not-linked-in GPO's and last modify date > month
• Report on last logon timestamp for computer objects > 6 months
  • in beta version of ADToolkit
• Write web interface to allow "enabling" of user accounts that get erroneously disabled due to feed errors or wrong paswd entry multiple times.
• Figure out which attribute to use for Remedy info on OU objects, populate, and then make a Computer->Remedy group lookup tool
  • gonna go with "destinationIndicator" for now
• Report on last PW change > 1 year
• WSUS -- computers that need to reboot to apply patches. Combine w/ Ryan's script to determine who's logged in.
• SW groups that are empty and have newer versions available. (ie, packages to remove)

Needs Fixing

• Fix Mac File server group permissions issues
  • Everette is testing this in Wolftest (as much as possible with it in its current state)
• Get the delegation of packaging permissions working correctly
• Get the GPO Delegation script pulling the list of "units" from the database rather than by hand
  • WRBEAUDO Since default GPO perms are Domain/Enterprise Admins/SYSTEM + Creator/Owner, options for this are run as "restricted" DA account, or change the default GPO perms in the Schema
• Fix NT Authority/Interactive bug
  • DJGREEN has long email written to explain... might eventually send it!
• Fix 2008 TS License location issues
  • Moved engr88lic and its 10TS CALs to WolfTest, Kevin is gonna look at it.
• AuthUser:Read permissions exist on every single user object. Current thought is that this was introduced with Services for Unix extension. Needs to be addressed to get back into FERPA compliance.
• RSOP is broken. Need to determine the firewall ports that need to be opened.
  • Believe current DC policy also disables the service(s) needed for this -- will need to adjust + make sure we're not opening security hole.

Feature Additions

• Change the default location of newly joined computers to an OU so we can apply default settings.
  • DJGREEN writting proposal email for community -- eta 3/16/09.
• Centralize WSUS (Dan/Josh)
  • WRBEAUDO Maybe add Joe W., need to check w/ Debbie
  • Meeting to discuss deployment 3/6/09. Meeting went well. Announcement expected week of 3/16/09.
• Get Webdav working on DFS root servers (Derek/Josh)
• Create/update (2008/Windows 7) central admx store
  • Still need to remove all old ADM files.
• Certificate services - can we use a chained signing cert from the OIT cert as the SOA for enrollment?
• Sane model for support/access/location for personally-owned equipment
  • DJGREEN: Needs discussion -- personally opposed to allowing non-NCSU equipment on domain (though I'm willing to make exceptions for special cases -- just don't want every student on it!)
  • WRBEAUDO: If we're going to allow for any personally owned machines on the domain, we need to be prepared to handle all of them. Having a solid process/gameplan up front is crucial to not getting screwed later.
• Prep work for roaming profiles
  • Needed: filespace (duh), populating the paths in accounts, deciding on opt-in vs. opt-out, setting appropriate policies
• GPO setup with groups and all wolfcopy printers so people can pick w/o much work
• Test Domain: What accounts? Push OU/GPO structure regularly. Trusts?
  • MS Had code for doing mass dump of OU/Group/GPO. Dump has been tested, import hasn't.
  • We're gonna populate accounts w/o NTLM password. Can test using cross-realm trust.
  • Cross-realm trust already setup, but not tested
• Move WolfPrint Samba stuff to WolfTech
  • Easiest with uid/gids populated and pass-thru auth to MIT Kerberos done. Possible if these things are not done.
• Mac Schema extensions
• Terminal Services profile - Set via GPO or on user objects? Required for Citrix implimentation
• Default power savings settings at the root of the domain
• Integration of the Cisco Call Manager system -- Debbie has details; used for authentication.
• Dell/HP ilom Schema extensions
• Firewall rules to allow MCNC access to infrastructure servers?
• DJGREEN: Shadow groups for computers by OS by unit (to be used for GP filters, future SW denies)
• JAKLEIN: Would like to have a dedicated array of UID/GIDs allocated to WolfTech for use with .admin accounts.

WDS

• Standardize and document procedures for common tasks.
• Automate image import/export for image migrations and backup.
• Create an image backup solution. (short term: use munin?)
• Remove read permissions from \\wolftech\deployment\Staging due to potential information disclosure?
• (DONE; UNDOCUMENTED & UNANNOUNCED) Set up "nonstandard"/"additional" image groups for clients and server OSes; separate default images into "standard" and "nonstandard"/"additional" lists.
• Import imagex, mbrfix into boot images.
• Perform new server performance tests.
• Test wdscapture image upload functionality as non-WDSadmin account. Hopefully it doesn't work.
• Script the mapping of \\wolftech\deployment\Staging to Z: (or some other drive letter) as initial action during boot image startup? (to make wdscapture somewhat easier to work with)
• Find and migrate to a permissions model that more easily exposes who has perms to which images.
• Create policy for situations when [OU]-Allow Imaging is insufficient due to need for >1 group to have access to images but still keep image security between groups.
• Improve logging with one of the following:
  • Publish to log server
  • Use logparser to convert to MySQL db entries
• (DONE; UNDOCUMENTED & UNANNOUNCED) Reorder install image list; accomplish by renaming image groups to Custom-[OS] and Base-[OS].
• Resume discussions on ADToolkit & WDS functionality:
  • List of images on servers
  • List of permissions by image
  • Search for images that a user has permissions to use/view
  • Report old/stale custom images (1, 2, or 3 years?)
  • List of drivers on server
  • List of drivers in boot image(s)?
  • Publication of server logs (image deployments, imaging events, etc)
  • Add user to "nonstandard"/"additional" image groups
• Define support policy on noncurrent OSes (XP, Vista, 2003, 2008 x64, etc...).
• Revisit policies related to images:
  • Reject hardware-specific Win7 images (you're doing it wrong)
  • Limitation on number of images (one unit having 24 images is probably too much)
  • Change permissions from Auth Users to NCSU-Allow Imaging (keep nondesignated users from being able to view image lists, and therefore reimage computers)
• Clarify policy on usage of wds@ as compared to activedirectory@ lists; ensure that this policy is documented.
• Announce all of the changes above to wds@ and activedirectory@ (if appropriate).
• Create documentation for all of the above.