Unity Migration Blog

FYI,

I've migrated the volumes off of 22acn to clear a stuck Thunderbird lock file. I'm also rebooting it to clear some old connections that can't be manually cleared. I'll re-balance tonight.

FYI,

I've migrated the volumes off of 22acn to clear a stuck Thunderbird lock file. I'm also rebooting it to clear some old connections that can't be manually cleared. I'll re-balance tonight.

Over the past two weeks I've noticed that when UNI04NT has had performance issues or Apache issues, I would find at the root of each partition on the server large files with the name format of _vxfivspcacheFile*.* These result from Veritas Netbackup not removing the temporary files after a backup is complete. The normally 2 gigs of free space is reduced to megabytes on the System partition. Symantec Antivirus can hinder the timely release of the file, if is not configured to exclude the specific files. Once held open by Symantec AV, I've only been able to clear the files by rebooting the servers.

I've reconfigured the exclusions of Symantec AV on UNI04NT and Scripts00 to hopefully not touch those files. I'll check on the other servers. Any SMS attached drives need to be included in the exclusion.

Here's some change management info:

I've granted the following rights to P:\Scripts and P:\Logs on scripts00, so that we can move off of the local D: drive:

itd.scripter: full control
itd_microsys_staff: full control
itd_microsys_unity_accounts: full control

I've moved the following scheduled jobs to refer to P: rather than D: (damn whoever decided that environment variables can't be used in scheduled tasks!)

AD Sync Report
Generate Web Pages
Generate_GPO_Settings_Report
GPO Report
GroupSync Remedy
oncallremind
Status-KMS

I have not changed the SCRIPTS_ROOT and LOG_ROOT environment variables, so as not to disrupt Andy unexpectedly. Scripts will continue to use the D: drive until these are directed to P:

Quick change management re: the wolfjeers server.
I installed the HP Web JetAdmin 10 on it, working with Jesse. It was horrible, so I've disabled it and closed port 8000.

The software is still installed but should be inactive.

The RPC Server Unavailable error on SCRIPTS00 has been fixed. I believe the problem occurred because of how the DNS suffix search order was configured. It was set to only search unity.ad.ncsu.edu. I changed it to search unity.ad.ncsu.edu, ad.ncsu.edu, and unity.ncsu.edu.

The account management script is running every 5 minutes again.

Folks,

FYI, I've created organizations under "Organizations" and "Unity Computers" for ETSS_CS and ETSS_CS_DEV for a project Debbie and John Garcia of ETSS are working on.

In the next few days, I'll be forging a locker for them as well.

I've made some changes to wds00 so that the web servers can securely deliver the WDS iso files.

Apache is now mapping /download/installation to the share "//wds00.unity.ad.ncsu.edu/wdsboot"

This share has been created, and given ntfs read rights for the group "ITD_Web Servers"

This allows apache to deliver the ISOs without granting excessive rights to \\wds00\distribution$ which has some private stuff on it that might be readable should the ntfs permission be assigned there.

For things that we want to download, please make an Apache alias for /download/whatever to a share where you keep the "whatever" files, and grant read rights in ntfs for the "ITD_Web Servers" group. This should prove much easier to secure that publishing all of DFS. :-)

I've done a quick peek on the Apache configuration on web00.

We "include" other config files in this order:

Include conf.d/*.conf

<IfModule mod_ssl.c>
    Include conf/ssl.conf
</IfModule>

Include conf/php5.conf

I would suggest that we do the following:

1. Include the conditional ssl.conf in the main config file, so that we can refer to ssl things in our specific config files in conf.d


2. Move php5.conf into conf.d


3. Move the inclusion of conf.d to the end of the main config file.

Anybody object to this course?

Using mod_auth_sspi, WEB00 was configured with to serve the new pilot workstation installaion ISO file to certain authenticated users.

The ISO download page is HERE. The download page doesn't require authentication. The URL where the ISO file resides does. It is located HERE.

The ISO file actually resides on WDS00. I created an alias directly to this location rather than copying the ISO somewhere else because the ISO is generated automatically in this location. I will eventually link this into DFS.

The Apache conf file is called download-install-sspi.conf and resides in the conf.d directory on WEB00. This is what it looks like (Note: the greater than and less than signs were removed because the blog wouldn't allow them):

Alias /download/installation "//wds00.unity.ad.ncsu.edu/distribution$/boot"

IfModule !mod_auth_sspi.c
LoadModule sspi_auth_module modules/mod_auth_sspi.so
/IfModule

# Use SSL
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/download/installation/(.*) https://microsys.unity.ncsu.edu/download/installation/$1 [L,R]

IfModule mod_auth_sspi.c
Location /download/installation/
AuthName "the Unity Active Directory domain"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIOfferBasic On
SSPIOmitDomain On
# SSPIBasicPreferred
# SSPIUsernameCase lower
require group "UNITY\Domain local group name"
/Location
/IfModule