Received: from twins.rs.itd.umich.edu [141.211.83.39] by citi.umich.edu for cja@citi.umich.edu with SMTP; Sat, 16 Jan 99 18:10:32 -0500
Received: (from root@localhost) by twins.rs.itd.umich.edu (8.8.6/2.5) with X.500 id SAA28875; Sat, 16 Jan 1999 18:10:31 -0500 (EST)
Received: (from root@localhost) by twins.rs.itd.umich.edu (8.8.6/2.5) with X.500 id SAA28869 for csg-sec-members@umich.edu; Sat, 16 Jan 1999 18:10:30 -0500 (EST)
Received: from list.cren.net (list.cren.net [204.153.50.13]) by twins.rs.itd.umich.edu (8.8.6/2.5) with ESMTP id SAA28859; Sat, 16 Jan 1999 18:10:28 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by list.cren.net (8.8.7/8.8.7) with SMTP id SAA21821; Sat, 16 Jan 1999 18:08:28 -0500 (EST)
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by list.cren.net (8.8.7/8.8.7) with SMTP id SAA21815 for ; Sat, 16 Jan 1999 18:08:24 -0500 (EST)
Received: from MIT.MIT.EDU by MIT.EDU with SMTP id AA04445; Sat, 16 Jan 99 18:08:29 EST
Received: from BLUEBOX-258.MIT.EDU by MIT.MIT.EDU (5.61/4.7) id AA09902; Sat, 16 Jan 99 18:08:07 EST
Date: Sat, 16 Jan 1999 18:05:40 -0500
From: Mike Barker
Sender: owner-virtnet@list.cren.net
To: poepping@cmu.edu
Cc: "CSG Mailing List" , "Paul B. Hill" , "Ken Klingenstein" , "Walter Wong" , "Vijay Kumar" , , , , "Ryan Troll" , "Len Lanphar"
Message-Id: <4.1.19990116180251.00c018a0@po8.mit.edu>
X-Sender: mbarker@po8.mit.edu (Unverified)
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Subject: raw notes on 1/6/1999
In-Reply-To: <001501be3833$ed56d150$d9240280@CC.CMU.EDU>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Listprocessor-Version: 8.2.07 -- ListProc(tm) by CREN

Not sure these will do anyone any good, but...

Utterly Idiosyncratic Notes

From the end of the day -- brought forward to here for the people who won't read any farther:

Summation questions for CSG to take forward to Microsoft

1. The PAC formats need to be made public.
2. Release dates? Planning really needs some firm dates.
3. What capacity testing has Microsoft done? What are the results?
4. The IPSEC API needs to be released.
5. What is the "wire protocol" to talk to the ADS? Can you provide a simple diagram showing the relationship of ADSI, LDAP, LDIF, etc. in the client and in the domain controller?
6. How do we deal with one person who has multiple roles using GPO clusters? (I hope someone else knows what this is, because I don't.)
7. Mixed mode NT 4/5.
8. Does Exchange support Kerberos?
9. Convert lease/rental to license in the campus agreement.
10. Logo MSI stuff.
11. How to start -- what is a simple template for people to use?
12. When will third party products begin to take advantage of Kerberos?

[My apologies for the lack of completeness on these; the discussion was a bit too fast for my pencil...]

And now, detailed notes on the day (Jan. 6, 1999)

Mark Poepping presented an agenda with times. This was in PowerPoint on his laptop (remember this, it comes back later).

Ken Klingenstein suggested that in the interest of saving time, Bob Morgan tell us all once what happened to his leg. Bob thoughtfully said, "The moral of the story has three points -- if you ride a bike and are carrying coffee, avoid speed bumps."

Ken Klingenstein then reported on the University of Colorado experience. They are in the sixth month of being a rapid deployment program (RDP) site. Ken said that Microsoft has shown a migration from "NT will solve everything" to an understanding that "you guys are at the mercy of your interfaces." Microsoft thinks it is important for the University of Colorado to have premier support, which is priced at $50,000 per year for a site their size. The goals of their effort are to incorporate NT into the existing Unix environment and to provide a campus wide LAN. (Later discussion by Ken indicates he means enterprise services or campus services, not the simple networking that the term "campus wide LAN" might seem to indicate.)

Ken reported that Texas is looking at two goals: DAV -- distributed authorship; and TCO -- total cost of ownership.

BYU reportedly tried NT servers, then switched back for performance.

Notre Dame: see www.nd.edu/~dobbins/ntarch

There are rumors that the AFS NT client has bad performance, with cache problems, memory leaks, and random errors.

There was a quick reminder of Walter Wong's four types of deployment options:

Minimal - make sure that NT5 machines do not break the existing infrastructure
Basic - integrate core authentication, maybe authorization and directories
Full - full part of the infrastructure
Extended - use of DAV, web tools, application development

Ken quickly flipped through his slideshow on "Why Is Academia Different?" Some points:

Geography: customers are nomadic, resources are shared, and everything is portable.
Sociology: the closest research colleagues probably are on the same campus. Highly experimental. And the turnover in users is constant.
Economics: the sources of funding are spread, and one-time funds are easier than recurring funding.
Political science: diversity comes first. And the Commons is sacred ground.

Are we different? Yes in some ways, but no in others. In fact, we are the mass market in a microcosm.

[No points for noticing that I missed some of Ken's bullets and probably warped others out of recognition.]

Paul Hill next talked about Pismere. He noted that there is a strong difference in philosophy between Athena with "one service, one machine" and the domain controller built with "all-in-one" thinking. He then pointed to Walter's types and suggested that we span the continuum, with the servers being in the minimum part, and our plan for authorizations feeding the domain controllers being at least basic. See http://web.mit.edu/pismere/

Mike Barker talked about the recent draft report on the business model for Pismere. He suggested that the main part of the report at this point is a number of questions, falling mostly in six areas:

1. Scope -- e.g., what is included and what is not included; what is the core software of Pismere; what are the layers of Pismere; etc.?
2. Dollars (or budget) -- life-cycle costs; cost recovery; inventory; renewal model?
3. Customers -- what is the customer base; what kind of service level agreements are needed?
4. Organization -- what kind of an organization is needed for Pismere; how do we handle private, departmental, and enterprise systems?
5. Athena and Pismere -- how do the two impact each other?
6. Scenarios -- what are various scenarios for Pismere?

There are also a few "grab bag" issues such as what staffing is needed, what are the change management issues of Pismere, how does information policy impact Pismere, and what are the business continuity plans for Pismere.

The business model will be developed by a team. We expect the model will raise issues and at least recommend approaches which will be of use to other members of the Common Solutions Group.

Nick Rawlings from Yale asked if there were any firm indications of when Windows 2000 and Pismere would be available. There was discussion and some laughter about whether having Windows 2000 available late in 1999 would result in postponement of roll-out to free up resources to deal with Y2K issues.

Next, Walter Wong from CMU talked about their approach. He said they are doing minimal NT. They basically supply DHCP and WINS service. There is a software image repository. There is no central domain. They do provide a Gina for the labs. Build a core, then layer on file service, peer-to-peer, printing with LPRng, and local disk backup. Build 1946. Interested in ZAW, logo requirements, and network boot. See http://asg.web.cmu.edu/orpheus (For the full story behind "orpheus" talk to Walter. Something to do with the Gates of Hell, though, I think.)

Gavin Eadie from University of Michigan talked about experiments with the domain controller capacity. He said he did not have much experience, but he had loaded 10,000 plus objects. He said the tools did not work well -- pick lists, for example, are unwieldy.

Ted Ts'o talked about the PAC and Kerberos. Microsoft recommends using cross-realm trust mapping. MIT is looking at modifying the KDC to generate PACs.

Bob Morgan from Stanford talked about the Microsoft Service Principal Names Proposal. This provides a three-part principal name:

Protocol/Host name/Service Instance

This has security issues, especially in reference to service names in DNS.

Ted then reported that MIT has triple DES support for the ticket granting ticket key in the k5 KDC, and for the k5 in k4 compatibility mode.

IPSEC -- two big uses: client/server authentication (API being worked on); and IPSEC for virtual LAN.

Ryan Troll talked about the project orpheus network issues. WINS feeds DNS, with WINS handling clients. DHCP has an automatic fallback useful for setting up small personal networks. Unfortunately, it can cause problems on networks where the DHCP service refuses to provide service to a machine (one that hasn't registered for service yet, for example). Ryan is working with Microsoft on a proposed extension to DHCP to allow the DHCP service to say "I'm not providing you with an address, and don't autoconfigure."

[Not sure this next set of notes makes much sense...]

DNS -- dynamic update -- user settable names -- secure DNS dynamic update with k5 wings -- A, PTR records -- classless, Internet domain resident (CINDR) not okay. Questions about DNS character sets.

CMU -- using Unix DHCP and DNS. No dynamic DNS. ISC DHCP. Will be evaluating the Microsoft DNS extensions, particularly in relation to non-ASCII interoperability and dynamic update in CINDR. Also looking at autonet DHCP extensions.

Paul Hill led a discussion of strategies for network file systems. Alternatives included AFS, Microsoft file servers, SAMBA, and ARLA (a free implementation of the client AFS programs). ARLA consists of two processes, one kernel level and one user level. The user level process "talks" AFS. See ftp://ftp.stacken.kth.se/pub/arla

University of Michigan -- disconnected (?).

We discussed Transarc briefly, including questions of source, the need to move to NT 5, and the desirability of putting triple DES support in.

Then we went to lunch. At about this time, Mark was noticed adjusting the times on the agenda so that we were "on-time" throughout the day.

The next topic was directory services. ADS is the core of the new domain controller. We discussed the use of LDAP and ADSI. We believe the interface is ADSI "on the wire" and that using LDAP for replication is not standardized.

Paul suggested there are four basic approaches:

1. Evaluate the impact on existing directory services
2. Use ADS in addition to existing services
3. Keep the data where it is; minimal use of ADS
4. Phase out LDAP and use ADS

Domain Design
- minimal reliance on NT ADS
- single domain, single OU
- single domain, multiple OU
- multiple domains
- multiple domains and forest

One domain, one OU
- has the advantage of simple administrative setup
- low overhead as changes occur across departments
- there are concerns about scalability

Single domain, multiple OU
- fewer scaling worries
- allows more control via group policies
- increases overhead as people migrate across departments and roles
- Where do you keep bookmarks and profiles? Discussion of this led to comments that ??? has loaded 40,000 objects into ADS.

Multiple domains
- more control at departmental level
- more overhead
- schema must be consistent for the global catalog

Trees and forests
- problems with politics
- departments creating own domains/names may like this
- departments wanting to maintain maximum control

Interoperability
- How well does Microsoft ADS interoperate with existing LDAP servers?
- Are there problems with the bulk import/export tool which supports LDIF?
- ADS on other OSes?

Walter reported on using an existing LDIF file to test loading. The tool supports add, replace, and delete. However, it requires that objects being added not exist in the database and that objects being replaced must exist in the database. This makes it difficult to use without carefully matching it to the current condition of the database. (Walter had not tested whether delete required that the object exist. However, it seems likely...)

Some concerns: schema extensions without guidelines or understanding; the lack of bidirectional data feeds; immaturity of the software resulting in lack of stability.

[I missed part of the meeting here...]

Len Lanphar from Carnegie Mellon discussed Group Policy Objects (GPO). In his usage, he often has to apply a GPO to everyone, and then filter with ACL to get the desired result. Part of the problem is that there is no nesting of GPO, although security groups can be. He believes we need better support for GPOs.

[During discussion, the development of "market-tectures" (architectures that only exist in marketing department literature) was mentioned as a serious problem.]

Ken Klingenstein closed up the day with some thoughts on:
- distinguished names; how do you put a label on people? Names vs. UUID
- the campus wide LAN (campus printing; campus file services; etc.)
- how do we compare service offerings?
- campus standards? Who decides?
- the problem of staff development, where as soon as people are trained, they move on to better opportunities.
- end user training -- how? When? Etc.

Summation questions for CSG to take forward to Microsoft

1. The PAC formats need to be made public.
2. Release dates? Planning really needs some firm dates.
3. What capacity testing has Microsoft done? What are the results?
4. The IPSEC API needs to be released.
5. What is the "wire protocol" to talk to the ADS? Can you provide a simple diagram showing the relationship of ADSI, LDAP, LDIF, etc. in the client and in the domain controller?
6. How do we deal with one person who has multiple roles using GPO clusters? (I hope someone else knows what this is, because I don't.)
7. Mixed mode NT 4/5.
8. Does Exchange support Kerberos?
9. Convert lease/rental to license in the campus agreement.
10. Logo MSI stuff.
11. How to start -- what is a simple template for people to use?
12. When will third party products begin to take advantage of Kerberos?

[My apologies for the lack of completeness on these; the discussion was a bit too fast for my pencil...]
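An added example, not part of Mike Barker's notes or of Microsoft's proposal, on the three-part service principal name ("Protocol/Host name/Service Instance") and the DNS concern Bob Morgan raised. The security point is that a client builds the name of the service it expects to authenticate to from the host part; if that host part is taken from an unauthenticated DNS answer (for example a reverse lookup of a resolved address), a bad or spoofed answer decides which principal the client trusts. The check below therefore takes the host from the caller's own configuration, canonicalizes it once, rejects IP literals and unqualified names, and maps it to a Kerberos realm through a local table. The "/" separator, the field order and the DOMAIN_REALMS table are assumptions made for this example; the domain names and realm are constructed.

```python
"""Validate a three-part service principal name before it is trusted.

Added example. Field order and the "/" separator follow the
"Protocol/Host name/Service Instance" form described in the notes; the
realm table is a constructed, local stand-in for client configuration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: DNS domains this client is configured to trust, mapped to
# the Kerberos realm that issues tickets for hosts in them. Matching the
# host against this table, rather than against whatever DNS returned,
# keeps the realm decision in the client's hands.
DOMAIN_REALMS = {"example.edu": "EXAMPLE.EDU", "lab.example.edu": "EXAMPLE.EDU"}


@dataclass(frozen=True)
class SPN:
    protocol: str
    host: str
    instance: str
    realm: str


class SPNError(ValueError):
    """Raised for any name we refuse to use for authentication."""


def realm_for_host(host):
    """Longest-suffix match of a fully qualified host against DOMAIN_REALMS.

    At least one label must precede the matched domain, so the bare domain
    name itself is not accepted as a host.
    """
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in DOMAIN_REALMS:
            return DOMAIN_REALMS[suffix]
    return None


def parse_spn(text):
    """Split protocol/host/instance and return an SPN, or raise SPNError."""
    parts = text.split("/")
    if len(parts) != 3 or not all(parts):
        raise SPNError(f"expected protocol/host/instance, got {text!r}")
    protocol, host, instance = parts

    # DNS names are case-insensitive; canonicalize once so "WWW.Example.EDU."
    # and "www.example.edu" name the same principal.
    host = host.rstrip(".").lower()

    # An address is not a name the KDC holds a key for, and turning it into
    # a name would require a reverse lookup we do not want to depend on.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        raise SPNError(f"host must be a name, not an address: {host}")

    realm = realm_for_host(host)
    if realm is None:
        raise SPNError(f"host {host!r} is not fully qualified in a trusted domain")
    return SPN(protocol.lower(), host, instance, realm)


def is_acceptable(text):
    """Convenience wrapper: True if parse_spn accepts the name."""
    try:
        parse_spn(text)
    except SPNError:
        return False
    return True


if __name__ == "__main__":
    for candidate in ("HTTP/WWW.Example.EDU./web1", "ldap/dc1.lab.example.edu/dc1",
                      "host/10.0.0.5/x", "host/dc1/x", "host/example.edu/x"):
        print(f"{candidate:40} -> {'ok' if is_acceptable(candidate) else 'rejected'}")
```

The table lookup is deliberately a longest-suffix match: "dc1.lab.example.edu" is matched through "lab.example.edu" before "example.edu", so a subdomain can be mapped to a different realm later without touching the parser.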
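An added example, not part of the notes and not Microsoft's tool, on the LDIF loading behaviour Walter Wong reported: the bulk tool's add refuses objects that already exist and its replace refuses objects that do not. The code parses a small LDIF change file, pre-checks each change against a snapshot of the current directory so rejections are found before anything is loaded, and then reconciles the file to the snapshot (an add of an existing object becomes a replace, a replace of a missing object becomes an add, a delete of a missing object is dropped). It assumes, as Walter's guess did, that delete also requires the object to exist. Only the simplest LDIF subset is modelled: no continuation lines, no base64 values, and only the "replace:" form of changetype modify. The directory snapshot and the LDIF text are constructed sample data.

```python
"""Pre-flight an LDIF change file against a snapshot of the directory.

Added example modelling the add/replace/delete preconditions described in
the notes. The snapshot and the LDIF below are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed snapshot of what the directory holds now: DN -> attributes.
CURRENT_DIRECTORY = {
    "cn=alice,ou=people,dc=example,dc=edu": {"cn": ["alice"], "mail": ["alice@example.edu"]},
    "cn=bob,ou=people,dc=example,dc=edu": {"cn": ["bob"], "mail": ["bob@example.edu"]},
}

# Constructed change file: one change of each kind that the tool would
# accept, and one of each kind that it would reject against the snapshot.
SAMPLE_LDIF = """\
dn: cn=alice,ou=people,dc=example,dc=edu
changetype: add
cn: alice
mail: alice@example.edu

dn: cn=carol,ou=people,dc=example,dc=edu
changetype: add
cn: carol
mail: carol@example.edu

dn: cn=bob,ou=people,dc=example,dc=edu
changetype: modify
replace: mail
mail: robert@example.edu
-

dn: cn=dave,ou=people,dc=example,dc=edu
changetype: modify
replace: mail
mail: dave@example.edu
-

dn: cn=erin,ou=people,dc=example,dc=edu
changetype: delete
"""


@dataclass
class Change:
    dn: str
    op: str                      # "add", "replace" or "delete" (the tool's three operations)
    attrs: dict = field(default_factory=dict)


def parse_ldif(text):
    """Split records at blank lines and reduce each to one of the three operations."""
    changes = []
    for block in text.strip().split("\n\n"):
        dn, op, attrs = None, "add", {}
        for line in block.splitlines():
            if line == "-" or not line.strip():
                continue                      # modify-record terminator / padding
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = value
            elif key == "changetype":
                op = "delete" if value.lower() == "delete" else "add"
            elif key == "replace":
                op = "replace"                # changetype modify + replace: -> replace
            else:
                attrs.setdefault(key, []).append(value)
        if dn is None:
            raise ValueError(f"record without dn: {block!r}")
        changes.append(Change(dn, op, attrs))
    return changes


def precheck(changes, directory):
    """Return (dn, op, reason) for every change the tool would reject."""
    problems = []
    for c in changes:
        exists = c.dn in directory
        if c.op == "add" and exists:
            problems.append((c.dn, "add", "object already exists"))
        elif c.op in ("replace", "delete") and not exists:
            problems.append((c.dn, c.op, "object does not exist"))
    return problems


def reconcile(changes, directory):
    """Rewrite operations so the file matches the directory's current state."""
    out = []
    for c in changes:
        exists = c.dn in directory
        if c.op == "add" and exists:
            out.append(Change(c.dn, "replace", c.attrs))
        elif c.op == "replace" and not exists:
            out.append(Change(c.dn, "add", c.attrs))
        elif c.op == "delete" and not exists:
            continue                          # nothing to delete
        else:
            out.append(c)
    return out


def apply_changes(changes, directory):
    """Apply a pre-checked change list to a copy of the snapshot."""
    result = {dn: dict(attrs) for dn, attrs in directory.items()}
    for c in changes:
        if c.op == "add":
            result[c.dn] = dict(c.attrs)
        elif c.op == "replace":
            result[c.dn].update(c.attrs)
        else:
            del result[c.dn]
    return result


if __name__ == "__main__":
    changes = parse_ldif(SAMPLE_LDIF)
    for dn, op, reason in precheck(changes, CURRENT_DIRECTORY):
        print(f"would be rejected: {op:8} {dn}: {reason}")
    fixed = reconcile(changes, CURRENT_DIRECTORY)
    print(f"{len(fixed)} changes after reconciliation, "
          f"{len(precheck(fixed, CURRENT_DIRECTORY))} problems remain")
```

Running the pre-check against a fresh export of the directory immediately before each load is the practical answer to Walter's difficulty: the LDIF file is made to fit the database rather than the other way round, and any object the file and the database disagree about is listed before a partial load leaves the two out of step.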