Active Directory/Documentation/Infrastructure Todo List

From WolfTech
Revision as of 11:42, 13 May 2009 by Djgreen (talk | contribs)
Jump to navigation Jump to search

2008/Domain Controller Upgrade

  • New DC's/move toDC's (Derek)
    • Tegan has been moved to DC2.
    • Nyssa is currently in Poe. WRBEAUDO: Unless there are security concerns, I think we should leave it there.
    • 3rd DC hardware (Romana) had arrived but hasn't had firmware/etc upgraded. Space in DC1 has been allocated (Patrick has info).
    • WT-DC-00 will stay as a VM for now. Possibly shift it to MCNC if OIT gets that ability in the VM infrastructure.
  • Figure out the Domain Controller Policy issues w/ 2003 vs. 2008
    • Derek working on in Wolftest - upgrade plan ready soon-ish
  • DC Backups need to go off site - Isn't OIT pushing tapes to MCNC soon?
  • Move the crons off of 00dc to the new cron server
    • WRBEAUDO: GPO Delegation moved. New account created (logon to limited to the cron server) since using SYSTEM doesn't have the same effect as when on a DC. I think this is the only cron that requires that level of permissions, so other crons will need to use different accounts.
  • dcpromo new DC's and raise forest level to 2008 (Derek/Dan)
    • DJGREEN: Need to confirm how the 2008 functional level might/might not impact existing/future trusts.
  • Split out XP/Vista/2003/2008/Default Domain Policy to 5 policies rather than 3
    • DJGREEN: 6, might as well stub in Win7.


Systems Integration

  • Get LDAPS working correctly from the web/php side
  • Update the password change page to try another DC if it fails
  • COMPLETED 3/16/09 -- Populate the rest of unityids (Dan)
  • Move to using Unity.ad account provisioning code. Solves the following issues:
    • Populate gid/uid's
    • alt. principals populated
    • Get workshop accounts populating and disabling correctly and tie in paswd sync w/ these.
    • start populating initial passwords
    • WRBEAUDO/JAKLEIN gonna work on this
  • Everette Allen is currently using the unity.ad GUIDs via ldap for his podcasting services. Before we turn the Unity.ad lights out, we need to make arrangements to migrate this.


Reporting/Tools

  • Report on not-linked-in GPO's and last modify date > month
  • Report on last logon timestamp for computer objects > 6 months
  • Write web interface to allow "enabling" of user accounts that get erroneously disabled due to feed errors or wrong paswd entry multiple times.
  • Figure out which attribute to use for Remedy info on OU objects, populate, and then make a Computer->Remedy group lookup tool
  • Report on last PW change > 1 year
  • WSUS -- computers that need to reboot to apply patches. Combine w/ Ryan's script to determine who's logged in.
  • SW groups that are empty and have newer versions available. (ie, packages to remove)


Needs Fixing

  • Fix Mac File server group permissions issues
  • Get the delegation of packaging permissions working correctly
  • Get the GPO Delegation script pulling the list of "units" from the database rather than by hand
    • WRBEAUDO Since default GPO perms are Domain/Enterprise Admins/SYSTEM + Creator/Owner, options for this are run as "restricted" DA account, or change the default GPO perms in the Schema
  • Fix NT Authority/Interactive bug
    • DJGREEN has long email written to explain... might eventually send it!
  • Fix 2008 TS License location issues
  • AuthUser:Read permissions exist on every single user object. Current thought is that this was introduced with Services for Unix extension. Needs to be addressed to get back into FERPA compliance.
  • RSOP is broken. Need to determine the firewall ports that need to be opened.
    • Believe current DC policy also disables the service(s) needed for this -- will need to adjust + make sure we're not opening security hole.


Feature Additions

  • Change the default location of newly joined computers to an OU so we can apply default settings.
    • DJGREEN writting proposal email for community -- eta 3/16/09.
  • Centralize WSUS (Dan/Josh)
    • WRBEAUDO Maybe add Joe W., need to check w/ Debbie
    • Meeting to discuss deployment 3/6/09. Meeting went well. Announcement expected week of 3/16/09.
  • Get Webdav working on DFS root servers (Derek/Josh)
  • Create/update (2008/Windows 7) central admx store
  • Certificate services - can we use a chained signing cert from the OIT cert as the SOA for enrollment?
  • Sane model for support/access/location for personally-owned equipment
    • DJGREEN: Needs discussion -- personally opposed to allowing non-NCSU equipment on domain (though I'm willing to make exceptions for special cases -- just don't want every student on it!)
    • WRBEAUDO: If we're going to allow for any personally owned machines on the domain, we need to be prepared to handle all of them. Having a solid process/gameplan up front is crucial to not getting screwed later.
  • Prep work for roaming profiles
    • Needed: filespace (duh), populating the paths in accounts, deciding on opt-in vs. opt-out, setting appropriate policies
  • GPO setup with groups and all wolfcopy printers so people can pick w/o much work
  • Test Domain: What accounts? Push OU/GPO structure regularly. Trusts?
    • MS Had code for doing mass dump of OU/Group/GPO. Dump has been tested, import hasn't.
    • We're gonna populate accounts w/o NTLM password. Can test using cross-realm trust.
    • Cross-realm trust already setup, but not tested
  • Move WolfPrint Samba stuff to WolfTech
    • Easiest with uid/gids populated and pass-thru auth to MIT Kerberos done. Possible if these things are not done.
  • Mac Schema extensions
  • Terminal Services profile - Set via GPO or on user objects? Required for Citrix implimentation
  • Default power savings settings at the root of the domain
  • Integration of the Cisco Call Manager system -- Debbie has details; used for authentication.
Retrieved from "https://tools.wolftech.ncsu.edu/support/index.php?title=Active_Directory/Documentation/Infrastructure_Todo_List&oldid=9538"