[203] in Kakapo Windows Team
21 Nov container admins minutes
daemon@ATHENA.MIT.EDU (Thomas L. Thornton)
Mon Nov 24 11:55:50 2003
Date: Mon, 24 Nov 2003 11:55:47 -0500 (EST)
Message-Id: <200311241655.hAOGtlwr023857@the-rim.mit.edu>
From: "Thomas L. Thornton" <tomt@MIT.EDU>
To: contact-container-admins@MIT.EDU
CC: kakapo@MIT.EDU
win.mit.edu Container Administrator's meeting, Friday, 21 Nov, 2003
11:00am-1:00pm, E19-758
Agenda outline
MS03-049
WIN deployments
Null sessions
Cross-forest
Blat/SMTP auth
Next meeting
Closing issues
January plans
New and changed web forms
Help us test
Discussion
MS03-049
The MS03-049 patch came out the 11th. It is rolled into RIS images.
We know most machines took it, but container admins should be sure to
check your machines by looking for a Knowledge Base Article number in
Add/Remove Programs or finding the "NtServicePack" event in the System
log. The truly confusing issue with the MS03-049 patch is that the
Windows XP version was released earlier, with MS03-043. Thus, the
2000 and XP versions of the patch have different KB Article numbers.
So when you are checking a Windows 2000 machine, look for information
about KB828749. When you are checking a Windows XP machine, look for
information about KB828035.
One container admin taught users to stay logged in, back when we saw
slow boots, so his users would need to reboot for this autohotfix. An
eventsyslog-based report of container hotfix deployments is to come.
On W2K3S there are two versions of the 039 patch. This caused some
conflict between the reported machine state and the test in the
deployed GP, which caused one member server to loop at bootup.
If you have a server with an important cron job at 3:30, be careful to
avoid autohotfix conflicts. Consider moving the job to a different
time, or as a last resort opt out of using autohotfixer. If you have
servers that must not be rebooted at 3:30 am, but you still desire the
functionality of autohotfixer, please contact pismere-ops.
[postscript: Chad had a daily reboot set for 3:30am which he agreed we
should change. Joe changed it to 3:45 am.]
WIN deployments - Null sessions
The setting increasing default null session security restrictions
domain-wide went out two weeks ago. Tom Coveney raised a possible
issue related to Mac File and Print Services. Distribution of the Mac
UAM via a guest account on the server appears to require enumeration
of the shares using a NULL session. However, there may be
workarounds. If the UAM was distributed by SWRT from the software
page, then there should be no need for NULL sessions.
If anyone else encounters a problem that may be related to the
disabling of NULL sessions please open a bug report in casetracker
using pismere-bugs, or let pismere-ops know.
WIN deployments - Cross-forest
A setting to enable AFS roaming profiles in Windows Server 2003
domain-wide went out this week. There are very few W2K3S machines
in the domain but this will support them. It *may* cause weirdness in
SP4, but we do not believe this would be apparent to users - let us
know if so.
Printer Scripts
We have been deploying these for a long time, but at times the scripts
assigning printers would hang. Joe reproduced this, finding a
script-required key is created too late in the boot sequence. We now
use a permanent key, avoiding many hangs. It is possible that during
the script the spooler still may be unready for processing, so do let
us know if you see further hangs.
Service ticket lifetimes
WIN service tickets now are given out with a one hour lifetime when we
would expect ten. MS should provide us a binary today and we will
consider installing it late next week. This affects one of our server
programs, but few applications that would be visible to the container
admin or user. Since we now are past the course drop date we plan to
change binaries minimally.
Blat/SMTP auth
WIN uses blat.exe for programmed mail. As you may have seen in mail
sent to IT Partners, mail may soon require a valid from address - any
MIT user in or out of the Domain would be affected.
Joe is making a new blat binary supporting authentication, and we expect
to deploy it at IAP. Probably by June 30 we need to use SMTP auth,
but this in turn requires several notices, usage and support
documents. If your code should use blat, investigate getting a
keytab, be aware of the plans and watch for announcements.
Next meeting
There will be no Container Admins meeting in December, our gift to
you. Happy holidays.
Closing issues
Since the Institute closes at Christmas, what machines are
indispensable, that would need to stay up and running? We expect all
normal operations in the WIN domain to be available during the
closing. However some of the functions that require human
intervention may take a couple of days to process. For example,
responding to bug reports, in contrast to service outages, may take
longer. Also, responding to container requests may be
significantly delayed. Please take the time to plan for the closing
in advance. Responses to container creation/maintenance requests may
be delayed.
January plans
WIN IAP classes will be announced to this list. Current container
admins may not see much new except perhaps GPMC, but please suggest
new topics or bring questions.
We are still working on disabling offline files, developing GP
metrics.
Testing the user's choice of setting the Roaming Profile may be opened
up pretty soon.
Maybe we will deploy a new AFS client before the end of IAP. The
newest test client works through VPN and fixes the NETBIOS limit in
addition to having many fixed memory leaks. Chad sees many AFS
crashes, despite using ANSIfy. The team would love a stack dump of
this, like a Dr. Watson log, so Chad should set his registries to do
this if they are not. This is also a good candidate for which to
develop a status report on AFS failures. Chad also sees many profiles
left sitting around and has to run a script to go clean them up. We
must work with Chad & Phil to identify users and bring them into the
troubleshooting.
New and changed web forms
There are changed forms:
http://mit.edu/windows/server/cr - Container Request
https://wince.mit.edu/getrisaccount - RIS or Join Computer
https://wince.mit.edu/deletemachine - Delete a machine from the Domain
The latter two each support a Membership list in addition to the
Container owner and machine owner ACLs.
As usual, the options in the Opt-In/Out Management Page reflect
current GP. See:
https://wince.mit.edu/optoutrollout
Help us test
The "Help Us Test" page asks you for some time to validate prospective
services. See:
http://web.mit.edu/pismere/support/for-cont-admins/help-us-test.html
We believe that the Roaming Profile choice fits in this category. It
has been tested by a couple people outside the dev team with no ill
results.
Profile ANSIfication has been tested by Chad. He says the popup is
bothersome, so we will make sure it is minimized in production.
The Ops\distrib DFS directory local mirror service probably will be
pushed out by January. If you are a container admin doing path mods,
please talk to us about how to modify them gracefully.
Discussion
Is W2K3S recommended past IAP? Yes, provided your client works on it.
Note that Terminal Services 2003 no longer has two free admin accounts
and needs a license server.
Barry cannot get TechTime 9.0.4 to run as a local user. 6 works fine.
He will send a report.
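
Added example, not part of the original minutes and not the team's own report code: one way to run the MS03-049 check described above over collected System-log events, using the per-OS KB numbers the minutes give. The host names, the host|source|description line layout, the event wording and KB000000 are constructed assumptions.

```python
import re

# KB numbers as given in the minutes: one fix, a different article per OS.
EXPECTED_KB = {"Windows 2000": "KB828749", "Windows XP": "KB828035"}
HOTFIX_RE = re.compile(r"Hotfix (KB\d+) was installed", re.IGNORECASE)

# Constructed sample data. Assumed line layout: host|event source|description
SAMPLE_INVENTORY = {
    "w2k-lab1": "Windows 2000", "w2k-srv2": "Windows 2000",
    "xp-desk7": "Windows XP", "xp-desk9": "Windows XP",
    "w2k3-ts1": "Windows Server 2003",
}
SAMPLE_LINES = [
    "w2k-lab1|NtServicePack|Windows 2000 Hotfix KB828749 was installed.",
    "XP-DESK7|NtServicePack|Windows XP Hotfix KB828035 was installed.",
    "xp-desk9|NtServicePack|Windows XP Hotfix KB000000 was installed.",
    "w2k-srv2|Service Control Manager|The Workstation service is running.",
    "truncated line without separators",
]

def installed_kbs(lines):
    """Map host -> set of KB numbers reported by NtServicePack events."""
    seen = {}
    for line in lines:
        parts = line.strip().split("|", 2)
        if len(parts) != 3 or parts[1] != "NtServicePack":
            continue  # malformed line or unrelated event source
        match = HOTFIX_RE.search(parts[2])
        if match:
            seen.setdefault(parts[0].lower(), set()).add(match.group(1).upper())
    return seen

def audit(inventory, lines):
    """Return host -> status, checking each host against its own OS's KB."""
    seen = installed_kbs(lines)
    report = {}
    for host, os_name in inventory.items():
        want = EXPECTED_KB.get(os_name)
        if want is None:
            report[host] = "no KB listed for this OS"
        elif want in seen.get(host.lower(), set()):
            report[host] = "patched (" + want + ")"
        else:
            report[host] = "MISSING " + want
    return report

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY, SAMPLE_LINES).items()):
        print(host, status)
```

Searching every machine for a single KB number would report all hosts of the other OS as unpatched, which is the confusion the minutes warn about.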