Iowa State University IT

Computer Consulting and Support Group Meeting Notes -- June 23, 2008

1. Welcome and Acknowledgements

We have a very light agenda today, so Dan did encourage us to send him more ideas for agenda items next time. "Scolded" was Dan's description, but that won't be recorded here.

CCSG would like to acknowledge the following contributors to today's meeting: Beata Pruski and Steve Kunz, ITS.

2. Announcements:

a. Upcoming Dell & VMware Virtualization presentation -- Dan Carlile

Dan will send out an email concerning this meeting soon. Dell and a VMware rep will come to campus to present on virtualization using VMware. This meeting will be held at 8:00 am on July 10 in 206 Durham Center. A continental breakfast will be provided and presentations will begin at 8:30. The room is reserved through 12 noon.

There may be another virtualization talk coming, as Red Hat and Dell have expressed interest in doing a presentation on Xen at a later date, according to John Rose.

Dell now has a campus rep, Keith Howard, who will be working with us on campus 3-4 days per month, so some of our problems should be resolved a bit quicker in the future.

b. Changes to MS Server activations -- Steve Kunz and Beata Pruski, ITS

The new generation of Windows Server (Server 2008) has a new activation procedure just like Vista does. We will be putting up an activation server for KMS that the server can repeatedly contact.

The biggest difference between Vista and 2008: Vista required 25 physical machines before you could put up a KMS server, but Server 2008 requires only 5 physical servers. We do not have unlimited licenses for the server product, unfortunately, so we'll have to be more careful and rigorous. License activations will have to be done through IPsec so that activation is only possible from specific IP addresses, which makes activating a server a manual process. Also, the activation server must be running on Server 2003 or 2008 (unlike the Vista activation server, which can run on Vista).

Tech CYte is now selling Server 2008 (2003 is no longer available) and it is currently coming with individual keys. You can downgrade to 2003, but there's no key available. When you buy 2008, you have 30 days to activate and there's no good way to activate after that key expires.

For now we'll use keys until we come up with a plan to go beyond. More news later.

Q: What's the advantage of server authentication?
A: If something in your server changes (hardware, etc.), the activation becomes invalid and you may need to get a new key (exactly what hardware changes and how to get a new key are not clear at this time). With KMS activation, the server can reactivate itself whenever anything changes. You have 30 days to activate the first time, then at least once every 180 days. Machines are usually configured to reactivate once every two weeks. For isolated labs, the activation key is preferred; then you won't need to reactivate until something changes. You can also activate over the phone if you absolutely have to.

The Volume Activation Management Tool is a proxy for activations. We haven't dealt with this for Vista because our approach was simpler, but we may have to look at it now.

Steve Kunz brought up another case for using MAK keys for laptops off-campus for an extended period of time. If those machines aren't on the campus network (either directly or through a VPN connection), they won't be in the correct IP number range and sooner or later their KMS keys will expire, making their Windows installation invalid.

Q: What is on the pre-configured Vista systems as they come from Dell?
A: This is another key activated through the vendor.

c. Disabling LANMAN/NTLMv1 on Windows Enterprise domain controllers 8/13 - Steven Kunz

Steve sent out a mailing on June 5 about LANMAN/NTLMv1 being disabled on August 13. You should be looking at your systems to see if there is anything requiring LANMAN or NTLMv1 and getting that fixed. You should probably set that as an OU policy right now if you're an OU administrator. We have disabled this at the top level of the IASTATE domain for some time now. Some people have re-enabled it on the OU level so that simple file sharing will work. Beginning on August 13, that will break if you authenticate to the domain controllers. When Steve attended MS TechED they repeatedly told everyone that disabling LANMAN/NTLMv1 was critical, as a talented 6th grader could crack systems if this hasn't been disabled.

Steve will do this during the day on August 13 as he prefers to break things when there are people around to fix them.
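
One way to check machines ahead of the August 13 change, as an added example that is not part of the original notes: the PowerShell below reads the LmCompatibilityLevel value under the Lsa registry key on each listed machine and flags any that would still answer with LM or NTLMv1 (level below 3). The machine names are placeholders, and it assumes the Remote Registry service is running and that you have administrative rights on each target.

```powershell
# Added example, not from the meeting notes. Machine names are placeholders.
# Reads LmCompatibilityLevel from each machine's registry and flags any that
# would still answer an authentication challenge with LM or NTLMv1.
$LevelText = @{
    0 = 'Send LM and NTLM responses'
    1 = 'Send LM and NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM and NTLM'
}

function Get-LmCompatibility {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    foreach ($name in $ComputerName) {
        $level = $null
        try {
            # Needs the Remote Registry service and admin rights on the target.
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $name)
            $lsa = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
            $level = $lsa.GetValue('LmCompatibilityLevel')   # $null if never set
            $hklm.Close()

            if ($null -eq $level) {
                # No explicit value: the operating system default is in effect.
                $setting = 'Not set (operating system default applies)'
                $verdict = 'REVIEW'
            } else {
                $setting = $LevelText[[int]$level]
                # Level 3 and above means the client sends NTLMv2 only.
                $verdict = if ([int]$level -ge 3) { 'OK' } else { 'FIX' }
            }
        } catch {
            $setting = "Could not read registry: $($_.Exception.Message)"
            $verdict = 'UNKNOWN'
        }

        [pscustomobject]@{
            Computer = $name; Level = $level
            Setting  = $setting; Verdict = $verdict
        }
    }
}

Get-LmCompatibility -ComputerName 'LAB-PC-01', 'LAB-PC-02' | Format-Table -AutoSize
```

Machines reported as REVIEW have no explicit value, so an OU policy that sets the level removes the dependence on each operating system's default.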

3. New Business:

a. Open floor to questions and comments

John Rose hinted that something will be coming on August 1, a campus-wide event for the entire IT community on campus. He's not ready to announce this, but will send out more info as soon as it firms up. It will be part professional development and part chance to socialize with other IT people on campus. Reserve this date on your calendar!

Q: What is the status on the JMP license?
A: The paperwork was put through on 5/23, but we found out last Friday that the paperwork was still in Purchasing. We have asked them to expedite it and Dan will check on it today. Funding is not an issue; LASCAC provided the money.

Q: Can anyone shed any light on VMware licensing?
A: You can get VMware Workstation free by being a VMware "partner", and then a subset of their products is available free or at reduced cost. Player and Server are supposed to be free for everyone. Rod says the bookstore will sell it for $30. VMware is supposedly serialized and doesn't play well with imaging. John Dickerson is reportedly working with it and they got permission to use it free; check with Chris McCoy for more info. Dan suggested that we should ask the VMware rep on July 10; he'll prompt them for more info.

Q: Did Dan ever get a copy of Vista Ultimate 64-bit?
A: Dan didn't know; there might be one in his folders from Microsoft, and he'll look to see if it's there. We have Enterprise, but people want Ultimate for big-RAM laptops.

Paul Lustgraaf: This summer Netcomm will be upgrading the code running on all the switches in campus buildings to try to make it up-to-date and consistent. They will be contacting IT staff to coordinate and also to ask if it's OK to turn off IPX in your building. (We did ask about that last month.) We know there are pockets of Novell servers using IPX out there.

Q: Are there plans to release XP SP3 on the WSUS servers?
A: It's already there, but it's not a critical update yet and Microsoft hasn't yet announced when it will become a critical install. They will do that when they feel like it, probably (with our luck) the first week of classes. Microsoft does still have a policy tool to prevent putting a service pack in place for up to a year, so it can be suppressed by group policy if you feel you need to. Other than the big download, it hasn't been a problem for most people. There does seem to be a problem with machines running the ePolicy Orchestrator console and SP3, but not the ePO agent. If you had the console installed before SP3 was applied, it should be okay, but we're still testing that.

We are not planning to interfere with Microsoft's tagging on SP3. You can go in and manually approve updates but our policy is not to interfere. Our WSUS server is a mirror of Microsoft's server and approvals are on autopilot. Updates are approved automatically by the machine's client targeting group.

[John Dickerson arrived late, so Dan asked him about his involvement with VMware.] John Dickerson is trying to roll out a lab that allows people to easily select Windows, Linux, etc. The Xen-based solution they tried first didn't work so well, so they're looking at VMware. Chris McCoy registered with VMware to get free VMware Workstation for academic machines; it can be used for labs or for researchers, but not for staff machines. That's just VMware Workstation and Server; it doesn't have ESX and the other things. How do we get it? We don't know yet.

Q: How are you getting by the licensing per workstation doing images?
A: If you get the proper installation keys it doesn't. It's a reusable key.

Wayne checked the CCSG download site and Vista Ultimate 64-bit isn't in the download area. Dan will check his office to see if he has the media.

4. Next meeting: Tuesday, July 22, 2008 to be held in 206 Durham Center.

5. Adjournment at 2:45 PM.