[174] in Kakapo Windows Team


31 Oct container admins minutes

daemon@ATHENA.MIT.EDU (Thomas L. Thornton)
Fri Oct 31 16:06:38 2003

Date: Fri, 31 Oct 2003 16:06:35 -0500 (EST)
Message-Id: <200310312106.h9VL6Zvx019132@the-rim.mit.edu>
From: "Thomas L. Thornton" <tomt@MIT.EDU>
To: contact-container-admins@MIT.EDU
CC: kakapo@MIT.EDU
Reply-To: tomt@MIT.EDU

Container Administrators meeting, 31 Oct, 2003

11:00am-1:00pm, E19-758

Agenda Outline
  Introductions
  OpenAFS 2003-09-15 deployment
  W2K SP4
  New "Deployment Opt-In/Out Management Page"
  Eventsyslogger settings
  Null sessions
  Help us test
  Offline Files
  Some Changes to Web Forms
  Discussion


Introductions
-------------

OpenAFS 2003-09-15 deployment
-----------------------------
Although this is now two months old, Joe asks for any new feedback or
issues.  Most attendees are happy with it, so we conclude it is
stable.


W2K SP4
-------
SP4 has been deployed domain-wide since Wed, 22 Oct.  There has not
been much feedback.  You can still opt containers or individual
machines out of the deployment via our new web interface (see below).


New "Deployment Opt-In/Out Management Page"
-------------------------------------------
There is a new web interface for the Container Administrator in
support of containers and machines in win.mit.edu.  The admin can
either temporarily opt out of certain deployments until ready,
or opt in to test deployments early, before they are released
domain-wide.  See the URL of this page at:
  https://wince.mit.edu/optoutrollout 

It allows you to place machines or containers on early opt-in or
temporary opt-out lists.  For example:
  "Opt Out of all deployments of Win2KSP4"
  "Opt Out of MSIs since July 2003 (all OpenAFS, Pismere 2003-08-06, SP4)"

We once had an early "Opt In to the test deployment of Win2KSP4", but
that is no longer relevant.  There may be future opt-in early test lists,
but once expired they will get blown away and will not appear on
post-test versions of the form.


Eventsyslogger settings
-----------------------
Eventsyslogger is a service that sends a formatted event log message
to a remote server.  This log is useful for accumulating the numbers of
active machine users and for tracking which machines got which hotfixes.
We pushed out new settings to standardize report formats on Tue, 28
Oct.

In discussing the central log, Chad would like to see a report of
failed logins in 37-312 after testing the ansify script.  He will send
us e-mail, and we hope to enlist ASO to help write such a report.


Null sessions
-------------

We sent out notice a couple days ago that we will disable null session
access by default on Thu, 6 Nov.  Null session access by default
permits access to anonymous users according to the OS - on W2K the
anonymous user can find local accounts, shares and SIDs; likewise on
XP and 2k3s, except they cannot enumerate accounts.

See our info URL: 
  http://web.mit.edu/pismere/support/for-cont-admins/null-session-info.html

These defaults are overridable, with tools specific to the OS.  If you
have third-party software requiring null sessions or for any other
need, by all means ask pismere-ops for help to override this.


Help us test
------------
We have a standing web page of features midway between internal
testing and deployment.  It is here:
  http://web.mit.edu/pismere/support/for-cont-admins/help-us-test.html

This page will be used when we want to test procedures outside of
pismere-* containers before pushing them out to all other containers.
Right now we want help testing:

  ansify: converts Unicode filenames from the profile before saving
    back into AFS;

  mirror-distrib: keeps a mostly up-to-date copy of
    \\win\dfs\ops\distrib locally and removes the network location
    from the PATH.

Developers must talk to Chad about the use of the PATH variable in
37-312 - we should not need to hardcode.

Steve believes rejecting login when roaming profile fails is the
domain default.  Developers will check back with him on this.

epilogue: Joe looked at the Group Policy settings and found that we
explicitly Disable "Computer Configuration/Administrative
Templates/System/User Profiles/Log users off when roaming profile
fails" in GP.Pismere, and GP.osp does not override this.  So, machines
in Steve's container should allow users to get a temporary profile
when the roaming profile fails.  He should verify this and contact us
if it is not true so we can work with him more.


Offline Files
-------------
Most people have found that their systems work better by disabling
offline files, and some users have lost data when this is not
disabled.

We are finalizing which settings to push to the domain and how to push
them out.  Expect an announcement next week sometime.

In the meantime, if you are running into problems, we suggest
disabling it in your container:
  Edit your container's GPO.
  Computer Configuration/Administrative Templates/Network/Offline 
    Files/Allow or Disallow use of the Offline Files feature
  Set to Disabled.


Some Changes to Web Forms
-------------------------
The Container Maintenance Request Page has been improved.  See URL:
  https://wince.mit.edu/containermaint

It explains (on the Help page) that the form sends a request and the
task is scheduled via SelfMaint.  So, requests should come at least 1
business day in advance of the scheduled task.

It provides some warnings if your request is for a one-time event in
the past or very near future, but it defaults the launch date/time to
the next day.

The Container Request Form is now in production.  The new URL is:
  http://mit.edu/windows/server/cr

This is now part of the official IS Windows web pages.  It has a front
page with three choices... current container admins, you, should
choose option C: "I am already a container administrator and would
like an additional container."  After that, the form looks a bit
different but is very similar in content to the old form.

If you have any trouble or the request is improperly processed, please
let us know immediately at container-request@mit.edu.


Discussion
----------

Steve still sees his problem: when he adds to IE favorites, he gets
"shortcuts failed to run."  We have a test binary that Steve believes
he runs.  Developers will look at Steve's machines to see if he is
using that test version.  

epilogue: Richard talked to Steve and it turns out that the newest
OpenAFS binary (post-2003-09-15) actually does fix his problem with
IE.


Ed asks, when a machine leaves the Domain, does it uninstall
everything now?  It did not in the past.  We think MSIs do and would
like to hear of any that do not.  Registry settings are another matter
and may need manual resets.  We welcome any reports on these efforts.

Is there any migration support, for moving a couple machines from the
Domain to another?  WIN developers do not really have those duties,
even if their time were available, but the DITR team might move into
this business area.  Even they might recommend Microsoft consulting
first.


Phil asks, is it OK to turn on the personal firewall, the "Internet
Connection Firewall?"  Yes, but messaging clients cannot send, and
confusing error messages may crop up.  We hear this setting may become
the default in an XP SP so would like to see testing and instructions
from any users.

Patrick says Biomicro uses TCP/IP filtering, domain-wide, but it has
many confusing settings.  He will write up his experiences.

Is anyone allowing remote access?  Most recommend against it,
preferring ssh instead.  Much discussion ensues on alternatives -
OpenSSH is free, VanDyke is easy, VNC has had problems, MS TS has
limitations.
