Difference between revisions of "Active Directory/Documentation/Infrastructure Todo List"
Jump to navigation
Jump to search
m |
|||
Line 14: | Line 14: | ||
** prototype available at https://sysnews.ncsu.edu/tools-dev/password-change | ** prototype available at https://sysnews.ncsu.edu/tools-dev/password-change | ||
* Populate the rest of unityids (Dan) | * Populate the rest of unityids (Dan) | ||
− | ** DJGREEN will have ABSTEIN roll-out week of 3/ | + | ** DJGREEN will have ABSTEIN roll-out week of 3/16/09 |
* Populate gid/uid's | * Populate gid/uid's | ||
** JAKLEIN volunteers to help with this, has Unity.ad code | ** JAKLEIN volunteers to help with this, has Unity.ad code | ||
Line 39: | Line 39: | ||
* AuthUser:Read permissions exist on every single user object. Current thought is that this was introduced with Services for Unix extension. Needs to be addressed to get back into FERPA compliance. | * AuthUser:Read permissions exist on every single user object. Current thought is that this was introduced with Services for Unix extension. Needs to be addressed to get back into FERPA compliance. | ||
* RSOP is broken. Need to determine the firewall ports that need to be opened. | * RSOP is broken. Need to determine the firewall ports that need to be opened. | ||
+ | **Believe current DC policy also disables the service(s) needed for this -- will need to adjust + make sure we're not opening security hole. | ||
'''Feature Additions''' | '''Feature Additions''' | ||
* Change the default location of newly joined computers to an OU so we can apply default settings. | * Change the default location of newly joined computers to an OU so we can apply default settings. | ||
− | **DJGREEN writting proposal email for community -- eta 3/ | + | **DJGREEN writting proposal email for community -- eta 3/16/09. |
* Centralize WSUS (Dan/Josh) | * Centralize WSUS (Dan/Josh) | ||
** WRBEAUDO Maybe add Joe W., need to check w/ Debbie | ** WRBEAUDO Maybe add Joe W., need to check w/ Debbie | ||
− | **Meeting to discuss deployment 3/6/09. | + | **Meeting to discuss deployment 3/6/09. Meeting went well. Announcement expected week of 3/16/09. |
* Centralize WDS (Michael/Alan) | * Centralize WDS (Michael/Alan) | ||
− | **DJGREEN's gonna email out notes when he finds them | + | **DJGREEN's gonna email out notes when he finds them. Found -- emailing week of 3/16/09. |
* Get Webdav working on DFS root servers (Derek/Josh) | * Get Webdav working on DFS root servers (Derek/Josh) | ||
* Create/update (2008/Windows 7) central admx store | * Create/update (2008/Windows 7) central admx store |
Revision as of 17:04, 13 March 2009
2008 Upgrade/DC Upgrade
- Move new DC's to DC's (Derek)
- Figure out the Domain Controller Policy issues w/ 2003 vs. 2008
- DC Backups need to go off site - Isn't OIT pushing tapes to MCNC soon?
- Move the crons off of 00dc to the new cron server
- New account needed since using SYSTEM doesn't have the same effect as when on a DC
- dcpromo new DC's and raise forest level to 2008 (Derek/Dan)
- Split out XP/Vista/2003/2008/Default Domain Policy to 5 policies rather than 3
Systems Integration
- Get workshop accounts populating and disabling correctly
- Get LDAPS working correctly from the web/php side
- Update the password change page to try another DC if it fails
- prototype available at https://sysnews.ncsu.edu/tools-dev/password-change
- Populate the rest of unityids (Dan)
- DJGREEN will have ABSTEIN roll-out week of 3/16/09
- Populate gid/uid's
- JAKLEIN volunteers to help with this, has Unity.ad code
- Cross-Realm trust needs to be setup and alt. principals populated
- JAKLEIN volunteers to help with this, has Unity.ad code
- Need to move some crons off cronos to new windows cron server
- WRBEAUDO - We want to compare unity.ad vs. wolftech account provisioning code and see what's better. (John/Stein)
- Everette Allen is currently using the unity.ad GUIDs via ldap for his podcasting services. Before we turn the Unity.ad lights out, we need to make arrangements to migrate this.
Reporting/Tools
- Report on not-linked-in GPO's and last modify date > month
- Report on last logon timestamp for computer objects > 6 months
- Write web interface to allow "enabling" of user accounts that get erroneously disabled due to feed errors or wrong paswd entry multiple times.
- Figure out which attribute to use for Remedy info on OU objects, populate, and then make a Computer->Remedy group lookup tool
Needs Fixing
- Fix Mac File server group permissions issues
- Get the delegation of packaging permissions working correctly
- Get the GPO Delegation script pulling the list of "units" from the database rather than by hand
- WRBEAUDO Since default GPO perms are Domain/Enterprise Admins/SYSTEM + Creator/Owner, options for this are run as "restricted" DA account, or change the default GPO perms in the Schema
- Fix NT Authority/Interactive bug
- DJGREEN has long email written to explain... might eventually send it!
- Fix 2008 TS License location issues
- AuthUser:Read permissions exist on every single user object. Current thought is that this was introduced with Services for Unix extension. Needs to be addressed to get back into FERPA compliance.
- RSOP is broken. Need to determine the firewall ports that need to be opened.
- Believe current DC policy also disables the service(s) needed for this -- will need to adjust + make sure we're not opening security hole.
Feature Additions
- Change the default location of newly joined computers to an OU so we can apply default settings.
- DJGREEN writting proposal email for community -- eta 3/16/09.
- Centralize WSUS (Dan/Josh)
- WRBEAUDO Maybe add Joe W., need to check w/ Debbie
- Meeting to discuss deployment 3/6/09. Meeting went well. Announcement expected week of 3/16/09.
- Centralize WDS (Michael/Alan)
- DJGREEN's gonna email out notes when he finds them. Found -- emailing week of 3/16/09.
- Get Webdav working on DFS root servers (Derek/Josh)
- Create/update (2008/Windows 7) central admx store
- Certificate services - can we use a chained signing cert from the OIT cert as the SOA for enrollment?
- Sane model for support/access/location for personally-owned equipment
- DJGREEN: Needs discussion -- personally opposed to allowing non-NCSU equipment on domain (though I'm willing to make exceptions for special cases -- just don't want every student on it!)
- WRBEAUDO: If we're going to allow for any personally owned machines on the domain, we need to be prepared to handle all of them. Having a solid process/gameplan up front is crucial to not getting screwed later.
- Prep work for roaming profiles
- Needed: filespace (duh), populating the paths in accounts, deciding on opt-in vs. opt-out, setting appropriate policies
- GPO setup with groups and all wolfcopy printers so people can pick w/o much work
- Test Domain: What accounts? Push OU/GPO structure regularly. Trusts?
- Move WolfPrint Samba stuff to WolfTech
- Easiest with uid/gids populated and pass-thru auth to MIT Kerberos done. Possible if these things are not done.