Difference between revisions of "Active Directory/Documentation/Infrastructure Todo List"

From WolfTech
Revision as of 14:00, 13 March 2009

2008 Upgrade/DC Upgrade

  • Move new DC's to DC's (Derek)
  • DC Backups need to go off site - Isn't OIT pushing tapes to MCNC soon?
  • Move the crons off of 00dc to the new cron server
    • New account needed since using SYSTEM doesn't have the same effect as when on a DC
  • dcpromo new DCs and raise forest level to 2008 (Derek/Dan)
  • Split out XP/Vista/2003/2008/Default Domain Policy into 5 policies rather than 3

Systems Integration

  • Get workshop accounts populating and disabling correctly
  • Get LDAPS working correctly from the web/php side
  • Update the password change page to try another DC if it fails
  • Populate the rest of unityids (Dan)
    • DJGREEN will have ABSTEIN roll out the week of 3/9/09
  • Populate gid/uid's
    • JAKLEIN volunteers to help with this, has Unity.ad code
  • Cross-Realm trust needs to be set up and alt. principals populated
    • JAKLEIN volunteers to help with this, has Unity.ad code
  • Need to move some crons off cronos to the new Windows cron server
    • WRBEAUDO - We want to compare unity.ad vs. wolftech account provisioning code and see what's better. (John/Stein)
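Added example, not from the WolfTech wiki and not the code behind the sysnews password-change prototype: a self-service password change over LDAPS that tries each domain controller in turn, which is the "try another DC if it fails" behaviour the Systems Integration list asks for, using the .NET System.DirectoryServices.Protocols classes. The DC names, the user and the DN in the usage lines are placeholders.

```powershell
# Added example (not from the WolfTech wiki): LDAPS bind with DC failover, then an LDAP
# password change. Assumes PowerShell on a domain-joined or DNS-resolving host and a
# DC whose LDAPS certificate chains to a root the client trusts.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Connect-LdapsWithFailover {
    param(
        [string[]]$DomainControllers,              # ordered list; the first DC that binds wins
        [System.Net.NetworkCredential]$Credential,
        [int]$TimeoutSeconds = 5
    )
    $errors = @()
    foreach ($dc in $DomainControllers) {
        $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dc, 636)
        $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
        $conn.SessionOptions.SecureSocketLayer = $true
        $conn.SessionOptions.ProtocolVersion   = 3
        $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.Credential = $Credential
        $conn.Timeout    = [TimeSpan]::FromSeconds($TimeoutSeconds)
        try {
            # Bind() validates the server certificate against the OS trust store; leave
            # VerifyServerCertificate unset rather than installing an accept-all callback.
            $conn.Bind()
            return $conn
        } catch [System.DirectoryServices.Protocols.LdapException] {
            # LDAP result 49 (invalid credentials) is the user's problem, not the DC's:
            # retrying it on the next DC only adds another bad-password attempt toward lockout.
            if ($_.Exception.ErrorCode -eq 49) { throw }
            $errors += "$dc : $($_.Exception.Message)"
        } catch {
            $errors += "$dc : $($_.Exception.Message)"
        }
    }
    throw ("No DC accepted an LDAPS bind:`n" + ($errors -join "`n"))
}

function Set-OwnPassword {
    param(
        [System.DirectoryServices.Protocols.LdapConnection]$Connection,
        [string]$UserDn,
        [string]$OldPassword,
        [string]$NewPassword
    )
    # AD takes unicodePwd as a UTF-16LE string wrapped in double quotes. A self-service
    # change is a delete of the old value plus an add of the new one in a single modify;
    # a plain replace is a reset and needs the reset-password right instead.
    $del = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $del.Name      = 'unicodePwd'
    $del.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
    [void]$del.Add([System.Text.Encoding]::Unicode.GetBytes('"' + $OldPassword + '"'))

    $add = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $add.Name      = 'unicodePwd'
    $add.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Add
    [void]$add.Add([System.Text.Encoding]::Unicode.GetBytes('"' + $NewPassword + '"'))

    $mods = [System.DirectoryServices.Protocols.DirectoryAttributeModification[]]@($del, $add)
    $req  = New-Object System.DirectoryServices.Protocols.ModifyRequest($UserDn, $mods)
    # A non-success result (e.g. ConstraintViolation when the new password fails policy)
    # surfaces as a DirectoryOperationException whose .Response.ResultCode says why.
    [void]$Connection.SendRequest($req)
}

# Usage (placeholder names; DC list in preferred order):
$oldPw = Read-Host 'Current password'
$newPw = Read-Host 'New password'
$cred  = New-Object System.Net.NetworkCredential('jdoe@example.edu', $oldPw)   # UPN works for a simple bind
$conn  = Connect-LdapsWithFailover -DomainControllers @('dc1.example.edu', 'dc2.example.edu') -Credential $cred
Set-OwnPassword -Connection $conn -UserDn 'CN=jdoe,OU=Users,DC=example,DC=edu' -OldPassword $oldPw -NewPassword $newPw
$conn.Dispose()
```

The failover loop deliberately stops on result 49: a connection error is a reason to try the next DC, a rejected credential is not, and the list's separate item about accounts disabled after repeated wrong passwords is exactly what blind retrying across DCs would make worse.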

Reporting/Tools

  • Report on GPOs that are not linked anywhere and have a last-modified date more than a month old
  • Report on computer objects whose last logon timestamp is older than 6 months
  • Write web interface to allow "enabling" of user accounts that get erroneously disabled due to feed errors or wrong password entry multiple times.
  • Figure out which attribute to use for Remedy info on OU objects, populate, and then make a Computer->Remedy group lookup tool
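Added example, not from the WolfTech wiki: the two reports from the Reporting/Tools list (unlinked GPOs not modified in a month, and computer objects with no logon in six months) written against the ActiveDirectory and GroupPolicy PowerShell modules. It assumes both modules (RSAT) are installed and the account can read GPOs and computer objects; the thresholds are parameters that default to the list's values.

```powershell
# Added example (not from the WolfTech wiki): GPO and stale-computer reports.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-UnlinkedStaleGpo {
    param([int]$MaxAgeDays = 30)   # "last modify date > month"
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    foreach ($gpo in Get-GPO -All) {
        # The XML report has one <LinksTo> element per site/domain/OU link in this domain.
        # Links from other domains in the forest are not listed, so check those by hand.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links = @($report.GPO.LinksTo | Where-Object { $_ -ne $null })
        if ($links.Count -eq 0 -and $gpo.ModificationTime -lt $cutoff) {
            [pscustomobject]@{
                DisplayName       = $gpo.DisplayName
                Id                = $gpo.Id
                ModificationTime  = $gpo.ModificationTime
                DaysSinceModified = [int]((Get-Date) - $gpo.ModificationTime).TotalDays
            }
        }
    }
}

function Get-StaleComputer {
    param([int]$MaxAgeDays = 180)  # "> 6 months"
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    # lastLogonTimestamp replicates (lastLogon does not) but is only rewritten when the
    # stored value is about 14 days old, so it is accurate to within two weeks: fine for a
    # six-month threshold, not for anything shorter.
    Get-ADComputer -Filter * -Properties lastLogonTimestamp, whenCreated | ForEach-Object {
        $last = $null
        if ($_.lastLogonTimestamp) {
            $last = [DateTime]::FromFileTime($_.lastLogonTimestamp)   # stored as Windows FILETIME
        }
        # Never-logged-on objects (pre-staged or joined but never used) have no timestamp;
        # count them as stale only once the object itself is older than the cutoff.
        $stale = if ($last) { $last -lt $cutoff } else { $_.whenCreated -lt $cutoff }
        if ($stale) {
            [pscustomobject]@{
                Name              = $_.Name
                Enabled           = $_.Enabled
                LastLogon         = $last
                WhenCreated       = $_.whenCreated
                DistinguishedName = $_.DistinguishedName
            }
        }
    }
}

# Usage:
Get-UnlinkedStaleGpo | Sort-Object ModificationTime | Format-Table -AutoSize
Get-StaleComputer    | Export-Csv -NoTypeInformation -Path stale-computers.csv
```

The report only lists; disabling or moving the stale computer objects is a separate step, and the Enabled column is there so already-disabled accounts can be told apart from ones still active but silent.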

Needs Fixing

  • Fix Mac File server group permissions issues
  • Get the delegation of packaging permissions working correctly
  • Get the GPO Delegation script pulling the list of "units" from the database rather than by hand
    • WRBEAUDO Since default GPO perms are Domain/Enterprise Admins/SYSTEM + Creator/Owner, options for this are run as "restricted" DA account, or change the default GPO perms in the Schema
  • Fix NT Authority/Interactive bug
    • DJGREEN has long email written to explain... might eventually send it!
  • Fix 2008 TS License location issues
  • AuthUser:Read permissions exist on every single user object. Current thought is that this was introduced with Services for Unix extension. Needs to be addressed to get back into FERPA compliance.
  • RSOP is broken. Need to determine the firewall ports that need to be opened.
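Added example, not from the WolfTech wiki: an audit for the AuthUser:Read item above that lists which user objects carry an Allow ACE for Authenticated Users (S-1-5-11) granting read access, and whether that ACE is explicit on the object or inherited, since the fix differs (per-object removal versus fixing the parent OU). It also reads the user class's defaultSecurityDescriptor, which is where new objects get their initial ACL, so the same ACE does not reappear on the next account created. It assumes the ActiveDirectory module (for the AD: drive) and an account allowed to read security descriptors; $SearchBase is a placeholder defaulting to the domain root.

```powershell
# Added example (not from the WolfTech wiki): find Authenticated Users read ACEs on user objects.
Import-Module ActiveDirectory

$AuthenticatedUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'

function Get-AuthUserReadAce {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $readRights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

    Get-ADUser -Filter * -SearchBase $SearchBase | ForEach-Object {
        $user = $_
        # The AD: provider takes the DN as a path; DNs containing '/' need that escaped.
        $acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
        foreach ($ace in $acl.Access) {
            # Compare by SID rather than display name so localized or renamed names still match.
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            } catch { continue }
            if ($sid -ne $AuthenticatedUsers) { continue }
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            if (($ace.ActiveDirectoryRights -band $readRights) -eq 0) { continue }
            [pscustomobject]@{
                User        = $user.SamAccountName
                IsInherited = $ace.IsInherited        # $false = explicit ACE on this object
                Rights      = $ace.ActiveDirectoryRights
                ObjectType  = $ace.ObjectType         # all-zero GUID = every property, else one property/set
                DN          = $user.DistinguishedName
            }
        }
    }
}

function Get-UserClassDefaultSddl {
    # Initial ACL for new user objects comes from the schema's user class; an 'AU' ACE
    # here (";;;AU)" in the SDDL) means every new account starts out readable by
    # Authenticated Users regardless of what is cleaned up on existing objects.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    (Get-ADObject -Identity "CN=User,$schemaNc" -Properties defaultSecurityDescriptor).defaultSecurityDescriptor
}

# Usage:
$findings = Get-AuthUserReadAce
$findings | Group-Object IsInherited | Select-Object Name, Count          # explicit vs inherited
$findings | Where-Object { -not $_.IsInherited } | Export-Csv -NoTypeInformation authuser-read.csv
Get-UserClassDefaultSddl | Select-String ';;;AU\)'                      # empty output = not in the default
```

Run the audit before and after remediation: the IsInherited split tells you whether to remove ACEs object by object or once on the containing OU, and a non-empty match on the default SDDL means the schema default also needs attention or the finding will come back with the next provisioning run.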

Feature Additions

  • Change the default location of newly joined computers to an OU so we can apply default settings.
    • DJGREEN writing proposal email for community -- eta 3/11/09.
  • Centralize WSUS (Dan/Josh)
    • WRBEAUDO Maybe add Joe W., need to check w/ Debbie
    • Meeting to discuss deployment 3/6/09.
  • Centralize WDS (Michael/Alan)
    • DJGREEN's gonna email out notes when he finds them
  • Get WebDAV working on DFS root servers (Derek/Josh)
  • Create/update (2008/Windows 7) central ADMX store
  • Certificate services - can we use a chained signing cert from the OIT cert as the SOA for enrollment?
  • Sane model for support/access/location for personally-owned equipment
    • DJGREEN: Needs discussion -- personally opposed to allowing non-NCSU equipment on the domain (though I'm willing to make exceptions for special cases -- just don't want every student on it!)
    • WRBEAUDO: If we're going to allow for any personally owned machines on the domain, we need to be prepared to handle all of them. Having a solid process/gameplan up front is crucial to not getting screwed later.
  • Prep work for roaming profiles
  • GPO setup with groups and all wolfcopy printers so people can pick w/o much work
  • Test Domain: What accounts? Push OU/GPO structure regularly. Trusts?