xkcd/773 Hat tip to Nick Silkey for bringing this one to my attention.


What is the “Windows Roundtable”?

An informal gathering of people who “do Windows” at Yale to facilitate communication of common goals, problems and solutions across the Yale IT community.

Usually there will be a “headline topic” as a launching point for discussion and then general (moderated) discussion on whatever topics the group wants to cover.

Ground Rules:
– The Roundtable is a Yale-internal discussion
– The Roundtable is a “no-powerpoint zone”
– Participation in discussions is encouraged to both bring your questions and share your solutions.

Yale Windows Universe Update 2011

Ken Hoover
Manager, ITS Windows Systems Group (WINSYS)

July 8, 2011

DISCLAIMER: Some of this talk is about initiatives that are still in the pre-release stages. It is intended to give you outlines that you can use as you make plans for Windows-based services in your area of responsibility. Except where noted, dates listed are target dates only and may change due to collisions with reality.


ITS Windows Systems Group (WINSYS)

WINSYS manages Windows servers in Yale’s data centers.


Agenda

• A few quick highlights and interesting statistics

• Things that have changed in the last couple of years

• Services that are being revamped and upgraded

• Question Time


Quick Yale AD Highlights

• By the numbers…
– 100K users
– 31K computers
– 13K groups
– 3500 OU’s
– 1300 GPO’s
– Domain Controllers process 8.4 Million Kerberos AuthN’s on a typical weekday (and generate 26GB of logs!)

Changes in the last few years…

• Exchange introduced in Summer 2007
– Processing ~500K messages per day
– ~11,000 mailboxes (and growing)
– ~6TB of email store
– Quota increased from 1GB to 2GB in 2009

• Active Directory taking over from MIT Kerberos
– now backing CAS, for example

• Sharepoint & Project server in operation

• Shared SQL Servers


Revamped services and a look ahead


NEW: Enterprise License Agreement

• Microsoft enterprise license agreement for all faculty and staff

• Includes:
– Windows Desktop OS
– Windows Server OS (all versions)
– Office for Windows and Mac
  • Free upgrades for those clinging to Office 2003, etc.
– Enterprise Client licenses for Exchange, Sharepoint, and others

• Foundational for exciting activity in the Microsoft space…

BEING REBOOTED: Central File Service

• Secure/managed file storage for users and departments
• ~40TB of capacity added since September 1, 2010
• LOWER RATE for FY12: $1/GB/month
• Available to anyone with a PTAEO we can charge
• 3-lock approved

• New “flattened” CFS security model
– Role-based access for departmental shares
– Support for single-user “home” shares (finally!)
– No mucking about with file/subfolder permission
– Existing shares will have their structure and permissions revamped to use new operating model during 2H CY2011

CHANGED: WINSYS Patch Release Cycle

• Monthly patches for servers released in four cycles
– Cycle “A” – 2nd Tuesday (Rapid Response pool)
– Cycle “B” – 3rd Tuesday (Development and “below”)
– Cycle “C” – 4th Tuesday (Test/Pre-prod and “below”)
– Cycle “D” – 1st Tuesday (Production)

• Keep this cycle in mind if WINSYS runs a server for your department. Remember to test!

• Applies only to WINSYS-managed machines but a good approach in any multi-environment Windows-based application.

NEW SERVICE: “Lync” Internal Comms

• Secure, encrypted IM with AD backing
• Online meetings/presentations
– Yes, with audio and video
• Good for business purposes within Yale
• Free* for faculty and staff to use
• Works on non-routable Yale subnets
• Works from outside too without VPN**
• Integrates with Exchange, Office 2007+ and Sharepoint
• Native client included with Office 2011 for Mac

* Covered by new Microsoft Enterprise agreement
** But some ISP’s block SIP so sometimes VPN is needed anyway.

Pilot rollout

NEW SERVICE: Secure LDAP against AD

• New Secure AD LDAP alias ad.its.yale.edu
– Secure LDAP (ldaps://) with a Verisign certificate
– Highly available through use of F5 load balancers
– For applications that want to bind to the AD for any purpose
  • NAS devices and other appliances
  • LDAP-based AD browser tools
  • Any code that uses LDAP to talk to the AD
  • Web applications using AD authentication
  • etc.
– PLEASE update your applications and NAS boxes to use this alias (test first!)
– Samba clients binding to the AD should still use “yu.yale.edu”
  • Make sure you’re not using the defunct “windows-auth” names!

Use This Now!
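One way to find applications that still need the migration described on this slide is to scan their configuration files for LDAP URIs. The script below is an added example, not part of the original presentation. Its verdict names, the substring match on "windows-auth" (the slide does not give the full host names) and the sample hosts under example.edu are assumptions. An `ldap://` URI is flagged because the URI alone cannot show whether StartTLS is negotiated, and a "not-alias" result only marks an entry for review.

```python
import re
from urllib.parse import urlsplit

AD_ALIAS = "ad.its.yale.edu"     # secure alias named on the slide
DEFUNCT_MARKER = "windows-auth"  # slide calls these names defunct; full FQDNs are not given
URI_RE = re.compile(r"ldaps?://[^\s\"'<>]+", re.IGNORECASE)

def classify(uri):
    """Return a verdict for one LDAP URI found in a configuration file."""
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    if DEFUNCT_MARKER in host:
        return "defunct-name"      # retired name, must be replaced
    if parts.scheme.lower() != "ldaps":
        return "plaintext-ldap"    # no TLS guaranteed by the URI itself
    if host != AD_ALIAS:
        return "not-alias"         # encrypted, but bypasses the load-balanced alias
    return "ok"

def audit(lines):
    """Return (line number, URI, verdict) for every URI that is not 'ok'."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        if line.lstrip().startswith("#"):   # skip commented-out settings
            continue
        for uri in URI_RE.findall(line):
            verdict = classify(uri)
            if verdict != "ok":
                findings.append((lineno, uri, verdict))
    return findings

# Constructed sample configuration lines; hosts other than the alias are placeholders.
SAMPLE = [
    "auth_ldap_url = ldaps://ad.its.yale.edu:636",
    "# old: ldap://windows-auth.example.edu",
    "server = ldap://ad.its.yale.edu:389",
    'LDAP_HOST="ldaps://windows-auth.example.edu"',
    "bind_uri = ldaps://dc01.example.edu",
]

if __name__ == "__main__":
    for lineno, uri, verdict in audit(SAMPLE):
        print(f"line {lineno}: {uri} -> {verdict}")
```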

NEW SERVICE: Managed SQL Server

• Centrally-hosted SQL2008 R2
– Proposed cost $1k/yr per 5 DB’s / 5GB of data
– APPROVED for use with 3-lock data
– Servers managed by ITS DBA team and WINSYS
– ODBC access, secure/encrypted connections required
– On-disk encryption of databases available
– You “own” your own data with SQL Management Studio
– Good for:
  • Cost-sensitive customers who need a SQL server
  • Most small to medium-size databases under normal use
– Not good for:
  • Very large databases
  • Databases with heavy transactional activity

Summer 2011?

PLANNED UPGRADE: Domain Controllers

• Refresh hardware and upgrade to 2008R2
– All DC’s will become eight-core 32GB x64 servers
– Known issues with Samba versions before v3.3 which are domain-joined
  • Fix/workaround information available
  • Better yet, upgrade Samba

• SYSVOL conversion
– Uses DFS for replication
– Transparent but needs testing
– 2H CY2011

• Forest functional level upgrade to 2008R2 level
– Winter 2011/201

Oh, one more thing…

EXCHANGE 2010

• Robust multi-browser web interface
– Mac users, rejoice!
– And people running Linux on their toaster ovens…

• 5GB 8GB default mailbox quota
– More space than 99.98% of Yale Exchange users use now
– …and more than Gmail

• Currently in pilot deployment with early adopters

• Target: Everyone upgraded by Sep 1

Exchange 2010 details…

• Adjusted Mailbox Quotas
– 8GB Quota
  • 7.75GB – warnings
  • 8.00GB – prohibit send
  • 8.25GB – prohibit receive (mail bounces)

• De-supported clients
– Outlook 2000, XP
  • … and you shouldn’t use Outlook 2003 either
– Entourage 2004
– Entourage 2008 pre-EWS
– Upgrade these first… or dump them entirely.

Exchange 2010 OWA Supported Browsers

“Full” Interface

• Windows XP and higher
– IE 7+
– Firefox 3.0.1+
– Chrome 3.0.195.127+
• MacOS
– Safari 3.1+
– Firefox 3.0.1+
• Linux
– Firefox 3.0.1+

“Light” interface

• Broadest compatibility
• Accommodates visually impaired
• Good for slow connections
• Better than Horde
• Examples:
– IE6
– Chrome on Linux
– Safari on Windows & iPad
– Android web browsers
– Opera

Exchange 2010 OWA Demo?

Summary

• New Microsoft Enterprise Agreement
– Lots of stuff is now “free” which used to cost extra.
– Upgrade Office!

• Central File Service revamped
– New operating model with better security and auditability
– Lower cost to users - $1/GB (includes backup)

• New SQL2008 database service being launched
– $1000/yr per 5 DB’s or 5GB/data, 3-lock OK
– Platform operated by ITS DBA team and you manage your data

• Lync being piloted
– Secure Yale-owned IM
– Includes online meetings/presentations

• Exchange 2010
– Any-web-browser-friendly
– 8GB quota


Questions / Discussion

• What do you think of this format?

• Should this become a repeating conversation once again? How often?