Difference between revisions of "Active Directory/Documentation/Infrastructure Todo List"

From WolfTech
(34 intermediate revisions by 4 users not shown)
Changes between the compared revisions (the extracted diff table was interleaved and duplicated; it is summarized here, and the full current text follows under "Latest revision"):

Items the current revision marks as struck through (completed):

  • Change the default location of newly joined computers to an OU so we can apply default settings (was the first line of the earlier revision; now struck under Feature Additions, with DJGREEN's proposal email eta moved from 3/11/09 to 3/16/09)
  • New DC's/move to DC's (Derek); Tegan (DC2), Nyssa (Poe), and Romana (DC1) ready to go; WT-DC-00 stays a VM for now
  • Figure out the Domain Controller Policy issues w/ 2003 vs. 2008 (Derek has done this)
  • Move the crons off of 00dc to the new cron server
  • dcpromo new DC's set for July 1st
  • raise forest level to 2008 (DJGREEN's note about confirming the impact on existing/future trusts is struck as well)
  • Split out XP/Vista/2003/2008/Default Domain Policy to 6 policies rather than 3 (WMI filters created; Win7 stubbed in)
  • Get LDAPS working correctly from the web/php side
  • Update the password change page to try another DC if it fails (prototype at https://sysnews.ncsu.edu/tools-dev/password-change)
  • COMPLETED 3/16/09 -- Populate the rest of unityids (Dan)
  • Write web interface to allow "enabling" of user accounts that get erroneously disabled due to feed errors or wrong passwd entry multiple times
  • SW groups that are empty and have newer versions available (ie, packages to remove)
  • Centralize WSUS (Dan/Josh), including WRBEAUDO's note about adding Joe W. and the 3/6/09 meeting note
  • Create/update (2008/Windows 7) central admx store (the sub-item "Still need to remove all old ADM files" is not struck)
  • Certificate services - can we use a chained signing cert from the OIT cert as the SOA for enrollment?
  • Integration of the Cisco Call Manager system -- Debbie has details; used for authentication
  • WDS: (DONE; UNDOCUMENTED & UNANNOUNCED) set up "nonstandard"/"additional" image groups; Perform new server performance tests; (DONE; UNDOCUMENTED & UNANNOUNCED) Reorder install image list

Lines present only in the earlier revision (since removed, reworded, or moved to another section):

  • Centralize WSUS (TBD) (now "Dan/Josh", under Feature Additions)
  • Centralize WDS (Michael/Alan)
  • Under "Update the password change page": JK will investigate?
  • Under "Populate the rest of unityids (Dan)": DJGREEN will have ABSTEIN roll-out week of 3/9/09
  • Under "Needs Fixing": Move the crons off of 00dc to the new cron server; Move new DC's to DC's (Derek); dcpromo new DC's and raise forest level to 2008 (Derek/Dan); Split out XP/Vista/2003/2008/Default Domain Policy to 5 policies rather than 3 (now 6); Get Webdav working on DFS root servers (Derek/Josh); Create/update (2008/Windows 7) central admx store; Get LDAPS working correctly from the web/php side; Populate gid/uid's; Fix Mac File server group permissions issues; Get workshop accounts populating and disabling correctly; Report on last logon timestamp > 6 months, with the question "Referring to users or computers? (djgreen)" (now "for computer objects", under Reporting/Tools); the Certificate services question (now under Feature Additions)
  • Under "Feature Additions": the note "Needs discussion -- personally opposed to allowing non-NCSU equipment on domain ..." (now attributed to DJGREEN); Report on not-linked-in GPO's and last modify date > month; DC Backups need to go off site; Fix 2008 TS License location issues; Cross-Realm trust needs to be setup and alt. principals populated

Latest revision as of 09:35, 14 June 2011

2008/Domain Controller Upgrade

  • New DC's/move to DC's (Derek)
    • Tegan (DC2), Nyssa (Poe), and Romana (DC1) all are ready to go.
    • WT-DC-00 will stay as a VM for now. Possibly shift it to MCNC if OIT gets that ability in the VM infrastructure.
  • Figure out the Domain Controller Policy issues w/ 2003 vs. 2008
    • Derek has done this.
  • DC Backups need to go off site - Isn't OIT pushing tapes to MCNC soon?
  • Move the crons off of 00dc to the new cron server
    • WRBEAUDO: GPO Delegation moved. New account created (logon limited to the cron server) since using SYSTEM doesn't have the same effect as when on a DC. I think this is the only cron that requires that level of permissions, so other crons will need to use different accounts.
  • dcpromo new DC's set for July 1st
  • raise forest level to 2008
    • DJGREEN: Need to confirm how the 2008 functional level might/might not impact existing/future trusts.
  • Split out XP/Vista/2003/2008/Default Domain Policy to 6 policies rather than 3
    • WMI filters created
    • DJGREEN: might as well stub in Win7 as well.

Systems Integration

  • Get LDAPS working correctly from the web/php side
  • Update the password change page to try another DC if it fails
  • COMPLETED 3/16/09 -- Populate the rest of unityids (Dan)
  • Move to using Unity.ad account provisioning code. Solves the following issues:
    • Populate gid/uid's
    • alt. principals populated
    • Get workshop accounts populating and disabling correctly and tie in passwd sync w/ these.
    • start populating initial passwords
    • WRBEAUDO/JAKLEIN gonna work on this
  • Everette Allen is currently using the unity.ad GUIDs via ldap for his podcasting services. Before we turn the Unity.ad lights out, we need to make arrangements to migrate this.

Reporting/Tools

  • Report on not-linked-in GPO's and last modify date > month
  • Report on last logon timestamp for computer objects > 6 months
    • in beta version of ADToolkit
  • Write web interface to allow "enabling" of user accounts that get erroneously disabled due to feed errors or wrong passwd entry multiple times.
  • Figure out which attribute to use for Remedy info on OU objects, populate, and then make a Computer->Remedy group lookup tool
    • gonna go with "destinationIndicator" for now
  • Report on last PW change > 1 year
  • WSUS -- computers that need to reboot to apply patches. Combine w/ Ryan's script to determine who's logged in.
  • SW groups that are empty and have newer versions available. (ie, packages to remove)
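The three report items above (stale computer objects, old passwords, unlinked GPOs) are straightforward to produce from the ActiveDirectory and GroupPolicy PowerShell modules. The script below is an added example, not ADToolkit or any other WolfTech code; the output folder, the exact thresholds and the CSV file names are assumptions, and it is read-only (it queries the directory and writes files, nothing else).

```powershell
# Added example (not from the WolfTech page): the three reports requested above, written
# against the ActiveDirectory and GroupPolicy modules that ship with RSAT / Server 2008 R2.
# Read-only: it only queries the directory and writes CSV files. The output folder and
# thresholds are assumptions taken from the list items.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$outDir = 'C:\ADReports'      # assumed output location
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Enabled computer objects not seen for > 6 months.
#    lastLogonTimestamp is replicated to every DC but is only refreshed when the stored
#    value is more than ~14 days old, so read it as "last seen within two weeks of this".
$computerCutoff = (Get-Date).AddMonths(-6)
Get-ADComputer -Filter { LastLogonTimeStamp -lt $computerCutoff -and Enabled -eq $true } `
               -Properties LastLogonTimeStamp, OperatingSystem |
    Select-Object Name, OperatingSystem, DistinguishedName,
        @{ n = 'LastLogon'; e = { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } } |
    Sort-Object LastLogon |
    Export-Csv -NoTypeInformation -Path (Join-Path $outDir 'stale-computers.csv')

# 2. Enabled users whose password is > 1 year old.
#    PasswordLastSet is $null when pwdLastSet is 0 (must change at next logon); those
#    accounts are included rather than silently skipped, so the report shows them too.
$pwCutoff = (Get-Date).AddYears(-1)
Get-ADUser -Filter { Enabled -eq $true } -Properties PasswordLastSet, PasswordNeverExpires |
    Where-Object { $_.PasswordLastSet -eq $null -or $_.PasswordLastSet -lt $pwCutoff } |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires, DistinguishedName |
    Sort-Object PasswordLastSet |
    Export-Csv -NoTypeInformation -Path (Join-Path $outDir 'old-passwords.csv')

# 3. GPOs linked nowhere whose last modification is > 1 month old.
#    Get-GPO does not expose links; the XML report carries one <LinksTo> element per
#    site/domain/OU link, so an absent LinksTo means the GPO is orphaned.
$gpoCutoff = (Get-Date).AddMonths(-1)
Get-GPO -All |
    Where-Object { $_.ModificationTime -lt $gpoCutoff } |
    ForEach-Object {
        [xml]$report = Get-GPOReport -Guid $_.Id -ReportType Xml
        if (-not $report.GPO.LinksTo) {
            [pscustomobject]@{
                DisplayName      = $_.DisplayName
                Id               = $_.Id
                ModificationTime = $_.ModificationTime
                GpoStatus        = $_.GpoStatus
            }
        }
    } |
    Sort-Object ModificationTime |
    Export-Csv -NoTypeInformation -Path (Join-Path $outDir 'unlinked-gpos.csv')
```

The stale-computer query filters on the replicated lastLogonTimestamp rather than lastLogon, which is per-DC and would require querying every domain controller; the two-week refresh granularity is fine for a six-month threshold. Unlinked GPOs are worth reviewing before deletion, since a GPO can be unlinked on purpose while it is being staged.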

Needs Fixing

  • Fix Mac File server group permissions issues
    • Everette is testing this in Wolftest (as much as possible with it in its current state)
  • Get the delegation of packaging permissions working correctly
  • Get the GPO Delegation script pulling the list of "units" from the database rather than by hand
    • WRBEAUDO Since default GPO perms are Domain/Enterprise Admins/SYSTEM + Creator/Owner, options for this are run as "restricted" DA account, or change the default GPO perms in the Schema
  • Fix NT Authority/Interactive bug
    • DJGREEN has long email written to explain... might eventually send it!
  • Fix 2008 TS License location issues
    • Moved engr88lic and its 10 TS CALs to WolfTest, Kevin is gonna look at it.
  • AuthUser:Read permissions exist on every single user object. Current thought is that this was introduced with Services for Unix extension. Needs to be addressed to get back into FERPA compliance.
  • RSOP is broken. Need to determine the firewall ports that need to be opened.
    • Believe current DC policy also disables the service(s) needed for this -- will need to adjust + make sure we're not opening security hole.
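Before the "AuthUser:Read on every user object" item can be fixed, it helps to know whether the ACE is inherited from a container (one place to change) or stamped on each object (every object needs the change), and which attributes it covers. The script below is an added example, not WolfTech code: it only enumerates Allow ACEs for Authenticated Users on user objects and reports them; the search base and output path are assumptions.

```powershell
# Added example (not from the WolfTech page): enumerates Allow ACEs that grant
# NT AUTHORITY\Authenticated Users read rights on user objects, so the scope of the
# problem above can be measured before anything is changed. Read-only.
# The search base and output path are assumptions; narrow the base to one OU for a first pass.
Import-Module ActiveDirectory   # also creates the AD: PSDrive used by Get-Acl below

function Get-AuthUsersReadAces {
    param(
        [string] $SearchBase = (Get-ADDomain).DistinguishedName,
        [string] $Identity   = 'NT AUTHORITY\Authenticated Users'
    )
    # GenericRead includes the ReadProperty bit, so testing that bit catches both forms.
    $readBit = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

    foreach ($user in Get-ADUser -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path ('AD:\' + $user.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference.Value -ne $Identity) { continue }
            if (($ace.ActiveDirectoryRights -band $readBit) -eq 0) { continue }
            [pscustomobject]@{
                User              = $user.SamAccountName
                Rights            = $ace.ActiveDirectoryRights
                # Guid.Empty (all zeros) means every attribute; otherwise a property or
                # property-set GUID, which limits what Authenticated Users can read
                ObjectType        = $ace.ObjectType
                # $true: inherited from a parent OU/domain ACL, fixable in one place;
                # $false: explicit on the object, so each object must be changed
                Inherited         = $ace.IsInherited
                DistinguishedName = $user.DistinguishedName
            }
        }
    }
}

# Summary first (explicit vs. inherited, and which property sets), then the detail to CSV.
$outDir = 'C:\ADReports'   # assumed output location
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$aces = Get-AuthUsersReadAces
$aces | Group-Object Inherited, ObjectType | Select-Object Count, Name | Format-Table -AutoSize
$aces | Export-Csv -NoTypeInformation -Path (Join-Path $outDir 'authusers-read-on-users.csv')
```

If the summary shows the ACEs as inherited from the domain head or an OU, removing the single source entry fixes every object below it; if they are explicit on each object, as a schema-extension installer might leave them, the fix has to be applied per object, and the ObjectType column tells you which property sets are actually exposed.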


Feature Additions

  • Change the default location of newly joined computers to an OU so we can apply default settings.
    • DJGREEN writing proposal email for community -- eta 3/16/09.
  • Centralize WSUS (Dan/Josh)
    • WRBEAUDO Maybe add Joe W., need to check w/ Debbie
    • Meeting to discuss deployment 3/6/09. Meeting went well. Announcement expected week of 3/16/09.
  • Get Webdav working on DFS root servers (Derek/Josh)
  • Create/update (2008/Windows 7) central admx store
    • Still need to remove all old ADM files.
  • Certificate services - can we use a chained signing cert from the OIT cert as the SOA for enrollment?
  • Sane model for support/access/location for personally-owned equipment
    • DJGREEN: Needs discussion -- personally opposed to allowing non-NCSU equipment on domain (though I'm willing to make exceptions for special cases -- just don't want every student on it!)
    • WRBEAUDO: If we're going to allow for any personally owned machines on the domain, we need to be prepared to handle all of them. Having a solid process/gameplan up front is crucial to not getting screwed later.
  • Prep work for roaming profiles
    • Needed: filespace (duh), populating the paths in accounts, deciding on opt-in vs. opt-out, setting appropriate policies
  • GPO setup with groups and all wolfcopy printers so people can pick w/o much work
  • Test Domain: What accounts? Push OU/GPO structure regularly. Trusts?
    • MS Had code for doing mass dump of OU/Group/GPO. Dump has been tested, import hasn't.
    • We're gonna populate accounts w/o NTLM password. Can test using cross-realm trust.
    • Cross-realm trust already setup, but not tested
  • Move WolfPrint Samba stuff to WolfTech
    • Easiest with uid/gids populated and pass-thru auth to MIT Kerberos done. Possible if these things are not done.
  • Mac Schema extensions
  • Terminal Services profile - Set via GPO or on user objects? Required for Citrix implementation
  • Default power savings settings at the root of the domain
  • Integration of the Cisco Call Manager system -- Debbie has details; used for authentication.
  • Dell/HP ilom Schema extensions
  • Firewall rules to allow MCNC access to infrastructure servers?
  • DJGREEN: Shadow groups for computers by OS by unit (to be used for GP filters, future SW denies)
  • JAKLEIN: Would like to have a dedicated array of UID/GIDs allocated to WolfTech for use with .admin accounts.
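AD has no dynamic security groups, so the "shadow groups for computers by OS by unit" item comes down to an ordinary group whose membership a scheduled task reconciles against an LDAP query. The function below is an added example, not WolfTech code: the OU paths, the group naming scheme and the OS patterns are assumptions, and it supports -WhatIf so the reconciliation can be previewed before it changes anything.

```powershell
# Added example (not from the WolfTech page): one way to build and keep in sync the
# "computers by OS by unit" shadow groups suggested above. OU paths, the naming scheme
# and the OS patterns are assumptions; the function honours -WhatIf end to end.
Import-Module ActiveDirectory

function Sync-ComputerShadowGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $UnitOU,     # OU holding the unit's computers
        [Parameter(Mandatory = $true)] [string] $UnitName,   # short name used in the group name
        [Parameter(Mandatory = $true)] [string] $OsLabel,    # e.g. 'Win7'
        [Parameter(Mandatory = $true)] [string] $OsPattern,  # LDAP wildcard, e.g. 'Windows 7*'
        [Parameter(Mandatory = $true)] [string] $GroupOU     # OU that holds the shadow groups
    )
    $groupName = "$UnitName-Computers-$OsLabel"

    $group = Get-ADGroup -Filter { Name -eq $groupName } -SearchBase $GroupOU
    if (-not $group) {
        if (-not $PSCmdlet.ShouldProcess($groupName, 'Create shadow group')) { return }
        $group = New-ADGroup -Name $groupName -Path $GroupOU -GroupScope Global `
                             -GroupCategory Security -PassThru
    }

    # Desired membership: enabled computers under the unit OU running the target OS.
    $wanted  = @(Get-ADComputer -SearchBase $UnitOU -SearchScope Subtree `
                   -Filter "Enabled -eq 'True' -and OperatingSystem -like '$OsPattern'")
    # Current membership, ignoring anything that is not a computer object.
    $current = @(Get-ADGroupMember -Identity $group |
                   Where-Object { $_.objectClass -eq 'computer' })

    $wantedDns  = $wanted  | ForEach-Object { $_.DistinguishedName }
    $currentDns = $current | ForEach-Object { $_.DistinguishedName }
    $toAdd    = @($wanted  | Where-Object { $currentDns -notcontains $_.DistinguishedName })
    $toRemove = @($current | Where-Object { $wantedDns  -notcontains $_.DistinguishedName })

    # -WhatIf on this function flows through to the membership changes below.
    if ($toAdd.Count)    { Add-ADGroupMember    -Identity $group -Members $toAdd }
    if ($toRemove.Count) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }

    [pscustomobject]@{
        Group   = $groupName
        Members = $wanted.Count
        Added   = $toAdd.Count
        Removed = $toRemove.Count
    }
}

# Example run (assumed names): one group per unit per OS. Schedule the same call from a
# task running under a delegated account that can only modify groups in $groupOU.
$groupOU = 'OU=ShadowGroups,DC=example,DC=edu'
$oses = @(
    @{ Label = 'XP';   Pattern = 'Windows XP*' },
    @{ Label = 'Win7'; Pattern = 'Windows 7*'  }
)
foreach ($os in $oses) {
    Sync-ComputerShadowGroup -UnitOU 'OU=ECE,DC=example,DC=edu' -UnitName 'ECE' `
        -OsLabel $os.Label -OsPattern $os.Pattern -GroupOU $groupOU -WhatIf
}
```

Because the groups are plain security groups they work as GP security filtering targets and in software-deny ACLs the moment they exist; the only thing that has to keep running is the reconciliation, and a computer that changes OU or OS drops out of the old group on the next pass.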

WDS

  • Standardize and document procedures for common tasks.
  • Automate image import/export for image migrations and backup.
  • Create an image backup solution. (short term: use munin?)
  • Remove read permissions from \\wolftech\deployment\Staging due to potential information disclosure?
  • (DONE; UNDOCUMENTED & UNANNOUNCED) Set up "nonstandard"/"additional" image groups for clients and server OSes; separate default images into "standard" and "nonstandard"/"additional" lists.
  • Import imagex, mbrfix into boot images.
  • Perform new server performance tests.
  • Test wdscapture image upload functionality as non-WDSadmin account. Hopefully it doesn't work.
  • Script the mapping of \\wolftech\deployment\Staging to Z: (or some other drive letter) as initial action during boot image startup? (to make wdscapture somewhat easier to work with)
  • Find and migrate to a permissions model that more easily exposes who has perms to which images.
  • Create policy for situations when [OU]-Allow Imaging is insufficient due to need for >1 group to have access to images but still keep image security between groups.
  • Improve logging with one of the following:
    • Publish to log server
    • Use logparser to convert to MySQL db entries
  • (DONE; UNDOCUMENTED & UNANNOUNCED) Reorder install image list; accomplish by renaming image groups to Custom-[OS] and Base-[OS].
  • Resume discussions on ADToolkit & WDS functionality:
    • List of images on servers
    • List of permissions by image
    • Search for images that a user has permissions to use/view
    • Report old/stale custom images (1, 2, or 3 years?)
    • List of drivers on server
    • List of drivers in boot image(s)?
    • Publication of server logs (image deployments, imaging events, etc)
    • Add user to "nonstandard"/"additional" image groups
  • Define support policy on noncurrent OSes (XP, Vista, 2003, 2008 x64, etc...).
  • Revisit policies related to images:
    • Reject hardware-specific Win7 images (you're doing it wrong)
    • Limitation on number of images (one unit having 24 images is probably too much)
    • Change permissions from Auth Users to NCSU-Allow Imaging (keep nondesignated users from being able to view image lists, and therefore reimage computers)
  • Clarify policy on usage of wds@ as compared to activedirectory@ lists; ensure that this policy is documented.
  • Announce all of the changes above to wds@ and activedirectory@ (if appropriate).
  • Create documentation for all of the above.