Date: Fri, 12 Mar 1999 23:15:43 -0500
From: "Mark Poepping"
To: "Virtnet"
Cc: "Charles Antonelli"
Subject: Georgia Workshop: CSG W2K notes

Finally forwarding the notes from the Georgia Win2000 Workshop. Sorry for the extended delay.

mark.

Will report on progress at the Virginia Meeting if there's time.

--

Notes from CSG NT5 (Win2K) Workshop - Jekyll Island 1/1999

Ken Klingenstein and Mark Poepping signed up to pass the summary issues along to Microsoft as a single chunk (though I presume people are asking about them in their own dealings with Microsoft).

Summary Notes/Questions

1. The PAC formats need to be made public, in order to allow a non-Microsoft KDC to operate with Microsoft apps.

2. Release dates? Planning really needs some firm dates. Now mid-Feb, b3rc0. How many more betas? Final feature list? What missed, what changed names :-) Timing of related apps? Support on Win2K betas? Office2K, SQL, MTS, etc.

3. What capacity testing has Microsoft done? What are the results?
   - AD - what parameters? Number of objects, number of queries, read/write operations? Tested as admin directory, mixed with other applications?
   - What loading factors under ordinary operation? Authentication, authorization, name service, browsing, NT4 browsing compatibility?
   - What other capacity questions? Network file?

4. The IPSEC API needs to be released.

5. What is the "wire protocol" to talk to the ADS? Can you provide a simple diagram showing the relationship of ADSI, LDAP, LDIF, etc. in the client and in the domain controller?

6. How do we deal with one person who has multiple roles using GPO clusters? How to handle the union/intersection of a single user with multiple simultaneous or sequential roles (e.g. 1: a student in a dorm room needs software from CS and Humanities; e.g. 2: a staff person is also a student taking classes)?

7. Mixed mode NT 4/5 - is there a 'pure' Win2K environment (esp. browsing and WINS)? How much NT4 baggage will continue to clutter the net?

8. Does Exchange support Kerberos? (MS-only or MIT KDC)

9. Logo stuff - how many logos? What specific teeth in the requirements? When settled? Conforming MS apps?

10. MSI - what tools/facilities for installation, distribution, plus verification and update?

11. How to start - looking for a simple planning template for people to use: "from curiosity to production". Start with technology roadmap; build test environment; evaluate the infrastructure services; application compatibility; etc.

12. When will third party products begin to take advantage of Kerberos?

13. Convert lease/rental to license in the campus agreement. A lot of grave concern about the 'rental' arrangement.

14. What are the expected support options and costs for varying sizes of organizations?

15. [Non-Microsoft] What plans does Cisco have for a non-NT port of AD? How extensive? What platforms?
-- Specific Meeting Notes --

"If you're riding a bike with a cup of coffee, avoid speed bumps" - rlmorgan

--Klingenstein - University of Colorado (plus others)

Ken Klingenstein reported on the University of Colorado experience. They are in the sixth month of being a rapid deployment program (RDP) site. Ken said that Microsoft has shown a migration from "NT will solve everything" to an understanding that "you guys are at the mercy of your interfaces." Microsoft thinks it is important for the University of Colorado to have premier support, which is priced at $50,000 per year for a site their size.

The goals of their effort are to incorporate NT into the existing Unix environment and to provide a campus wide LAN. (Later discussion by Ken indicates he means enterprise services or campus services, not the simple networking that the term "campus wide LAN" might seem to indicate.)

Ken reported that Texas is looking at two goals: DAV - distributed authorship; and TCO - total cost of ownership. BYU reportedly tried NT servers, then switched back for performance. Notre Dame: see www.nd.edu/~dobbins/ntarch

There are rumors that the AFS NT client has bad performance, with cache problems, memory leaks, and random errors.

There was a quick reminder of Walter Wong's four types of deployment options:
   Minimal - make sure that NT5 machines do not break the existing infrastructure
   Basic - integrate core authentication, maybe authorization and directories
   Full - full part of the infrastructure
   Extended - DAV, web tools, application development

Ken quickly flipped through his slideshow on "Why Is Academia Different?" Some points:
   Geography: customers are nomadic, resources are shared, and everything is portable.
   Sociology: the closest research colleagues probably are not on the same campus. Highly experimental. And the turnover in users is constant.
   Economics: the sources of funding are spread, and one-time funds are easier than recurring funding.
   Political science: diversity comes first. And the Commons is sacred ground.
Are we different? Yes in some ways, but no in others. In fact, we are the mass market in a microcosm.

Links:
   http://asg.web.cmu.edu/Orpheus
   http://web.mit.edu/pismere/
   http://www.nd.edu/~dobbins/ntarch

--Paul Hill from MIT

Paul Hill next talked about Pismere. He noted that there is a strong difference in philosophy between Athena with "one service, one machine" and the domain controller built with "all-in-one" thinking. He then pointed to Walter's types and suggested that we span the continuum, with the servers being in the minimum part, and our plan for authorizations feeding the domain controllers being at least basic.

--Mike Barker from MIT

Business model for Pismere. He suggested that the main part of the report is a number of questions, falling mostly in six areas:
1. Scope - e.g., what is included and what is not included; what is the core software of Pismere; what are the layers of Pismere; etc.?
2. Dollars (or budget) - life-cycle costs; cost recovery; inventory; renewal model?
3. Customers - what is the customer base; what kind of service level agreements are needed?
4. Organization - what kind of an organization is needed for Pismere; how do we handle private, departmental, and enterprise systems?
5. Athena and Pismere - how do the two impact each other?
6. Scenarios - what are various scenarios for Pismere?
There are also a few "grab bag" issues such as what staffing is needed, what are the change management issues of Pismere, how does information policy impact Pismere, and what are the business continuity plans for Pismere.

The Pismere business model will be developed by a team. We expect the model will raise issues and at least recommend approaches which will be of use to other members of the Common Solutions Group.

--Walter Wong from Carnegie Mellon

CMU's approach is to build a core, then layer on file service, peer-to-peer, printing with LPRng, and local disk backup.
Build 1946. Interested in ZAW, logo requirements, and network boot.

--Gavin Eadie from University of Michigan

Talked about experiments with the domain controller capacity. He said he did not have much experience, but he had loaded 10,000 plus objects. He said the tools did not work well - pick lists, for example, are unwieldy.

--Bob Morgan - Stanford

Talked about the Microsoft Service Principal Names Proposal. This provides a three-part principal name: Protocol/Host name/Service Instance. This has security issues, especially in reference to service names in DNS.

--Ted T'so - MIT

Talked about the PAC and Kerberos. Microsoft recommends using cross realm trust mapping. MIT is looking at modifying the KDC to generate PACs. Ted then reported that MIT has triple DES support for the ticket granting ticket key in the k5 KDC, and for the k5 in k4 compatibility mode.

IPSEC - two big uses: client/server authentication (API being worked on); and IPSEC for virtual LAN.

--Ryan Troll - CMU

Talked about the project Orpheus network issues. WINS and DNS, browsing, etc. (I think we didn't capture this one.)

AutoNet: DHCP has an automatic fallback useful for setting up small personal networks. Unfortunately, it can cause problems on networks where the DHCP service refuses to provide service to a machine (one that hasn't registered for service yet, for example). CMU is working with IETF and major vendors (Microsoft included) on a proposed extension to DHCP to allow the DHCP service to say "I'm not providing you with an address, and don't autoconfigure."

DNS: Win2K uses dynamic update (DDNS) - user settable names, secure DNS dynamic update with k5 - for A and PTR records. It doesn't work for classless inter-domain routing (CIDR) delegations since it doesn't comply with RFC 2317. Also questions about DNS character sets.

CMU - using Unix DHCP and DNS. No dynamic DNS. ISC DHCP. Will be evaluating the Microsoft DNS extensions, particularly in relation to non-ASCII interoperability and dynamic update in CIDR. Also looking at AutoNet DHCP extensions.

--Paul Hill led a discussion of strategies for network file systems.

Alternatives included AFS, Microsoft file servers, SAMBA, and ARLA (a free implementation of the client AFS programs). ARLA consists of two processes, one kernel level and one user level. The user level process "talks" AFS. ftp://ftp.stacken.kth.se/pub/arla

We discussed Transarc briefly, including questions of source, the need to move to NT 5, and the desirability of putting triple DES support in.

Directory Services

ADS is the core of the new domain controller. We discussed the use of LDAP and ADSI. We believe the interface is ADSI "on the wire" (RPCs). We also discussed the fact that LDUP for replication is not standardized.

Paul suggested there are four basic approaches:
1. Evaluate the impact on existing directory services
2. Use ADS in addition to existing services
3. Keep the data where it is; minimal use of ADS
4. Phase out LDAP and use ADS

Domain Design
   - minimal reliance on NT ADS
   - single domain, single OU
   - single domain, multiple OU
   - multiple domains
   - multiple domains and forest

One domain, one OU
   - has the advantage of simple administrative setup
   - low overhead as changes occur across departments
   - there are concerns about scalability

Single domain, multiple OU
   - fewer scaling worries
   - allows more control via group policies
   - increases overhead as people migrate across departments and roles
   - Where do you keep bookmarks and profiles?

Discussion of this led to comments that Mike LaHaye at UMich [verified?] has loaded 40,000 objects into ADS.

Multiple domains
   - more control at departmental level
   - more overhead
   - schema must be consistent for the global catalog
   - question of whether schema objects in trees 'must' be entered in the global catalog
Trees and forests
   - problems with politics
   - departments creating their own domains/names may like this
   - departments wanting to maintain maximum control

Interoperability
   - How well does Microsoft ADS interoperate with existing LDAP servers?
   - Are there problems with the bulk import/export tool which supports LDIF?
   - ADS on other OSes?

Walter reported on using an existing LDIF file to test loading. The tool supports add, replace, and delete. However, it requires that objects being added not exist in the database and that objects being replaced must exist in the database. This makes it difficult to use without carefully matching it to the current condition of the database. (Walter had not tested whether delete required that the object exist. However, it seems likely.)

Some concerns: schema extensions without guidelines or understanding; the lack of bidirectional data feeds; immaturity of the software resulting in lack of stability.

--Len Lanphar from Carnegie Mellon

Talked about confusion related to the Logo program. Also talked about Group Policy Objects (GPO). In his usage, he often has to apply a GPO to everyone, and then filter with an ACL to get the desired result. Part of the problem is that there is no nesting of GPOs, although security groups can be nested. He believes we need better support for GPOs.

- GPOs: the biggest problem is that they don't work that well if you have many different configurations to maintain within the same OU. The ACL filtering trick works (well, for CMU at least), but it seems in many ways to be a kludge.

- MSI/logo stuff: Len thinks it's important to try to get vendors on board with making MSI-compliant and logo-compliant apps. This will make many things easier in the long run, especially wrt cluster environments. We need more people to hammer on the MS logo team and stress the importance of getting these basic multi-user behavior points into the *basic* logo if we want companies to get better about making multiuser-friendly apps:
   - Put files in the correct location. Specifically, don't put temp files or user files in the application's directory; use the blessed locations instead. Ideally Len would like to see this strengthened to say something like "assume no write access to the application or system directory after install time".
   - Use HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE properly: put user-specific data in HKCU, and stuff that the app needs to run in HKLM.
   - An app should be able to run without any settings in HKCU, i.e., one can install an app on a machine as one user and other users on the machine will be able to use it as well.
   - Open registry keys with the proper requested access rights (too many apps out there try to open stuff in HKLM with KEY_ALL_ACCESS, which often fails for non-admins).
   - It would be nice to eventually see MSI compliance be part of the basic logo requirements.
   These address the overwhelming majority of problems CMU has experienced with making apps behave in a multiuser environment and with locking down machines.

[During discussion, the development of "market-tectures" (architectures that only exist in marketing department literature) was mentioned as a serious problem.]

--Ken Klingenstein closed up the day with some thoughts on:
   - distinguished names; how do you put a label on people? Names vs. UUID
   - the campus wide LAN (campus printing; file services; etc.)
      o how do we compare service offerings?
      o campus standards? Who decides?
      o the problem of staff development, where as soon as people are trained, they move on to better opportunities.
      o end user training - how? When? Etc.

Summary questions for CSG to take forward to Microsoft are at top.

Poepping Notes for CSG (not presented due to lack of time)

- Moving target: b3rc0 now, continuing code drops, changing functionality, release??
- Much to do
      learning - what's there, how does it work?
      impact - does it break what's there now?
      accommodation - can I use existing services in the new environment?
      integration - 'single' set of services in the new environment
      applications - NT as base
- Deployment options - minimal, basic, full, extended
- Win2K is part of the forcing function for integrated infrastructure
      directory-enabled - integration at the next level of abstraction
      unproven in enterprise
      ratcheting up the complexity
      web was the revolution on the desktop, directory is the revolution in the infrastructure
- Messages to Microsoft [above]
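Ryan Troll's DNS note above says Win2K dynamic update of PTR records does not work for CIDR delegations because the client does not follow RFC 2317. The following is an added illustration of the naming involved; it is not from the workshop notes or from any Microsoft code. The addresses, the zone names and the nameserver name ns.customer.example. are constructed.

```python
"""RFC 2317 classless in-addr.arpa naming, to show why a PTR dynamic update aimed at the
classful reverse name fails when a /24 has been split and sub-delegated. Added example,
not from the workshop notes or any Microsoft code; addresses, zone names and the
nameserver name are constructed."""
import ipaddress


def classful_ptr_name(ip):
    """Owner name a naive DDNS client registers for its PTR, e.g. 10.2.0.192.in-addr.arpa."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def classful_zone(ip):
    """The /24 reverse zone that name lives in. Under RFC 2317 the zone belongs to the
    parent (ISP or campus) and holds only a CNAME at that name, so the client's update
    is directed at a zone where it typically has no authority and no PTR to change."""
    o = ipaddress.IPv4Address(ip).packed
    return f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa"


def rfc2317_zone(network):
    """Zone name for a sub-/24 delegation in the '<first octet>/<prefix>' style of RFC 2317."""
    net = ipaddress.IPv4Network(network)
    if not 25 <= net.prefixlen <= 31:
        raise ValueError("RFC 2317 delegation needs a prefix between /25 and /31")
    o = net.network_address.packed
    return f"{o[3]}/{net.prefixlen}.{o[2]}.{o[1]}.{o[0]}.in-addr.arpa"


def rfc2317_ptr_name(ip, network):
    """Owner name of the real PTR inside the classless zone; an update has to target this."""
    net, addr = ipaddress.IPv4Network(network), ipaddress.IPv4Address(ip)
    if addr not in net:
        raise ValueError(f"{ip} is not in {network}")
    return f"{addr.packed[3]}.{rfc2317_zone(network)}"


def parent_glue_records(network, ns="ns.customer.example."):
    """What the /24 owner publishes: an NS delegation for the classless zone plus one CNAME
    per address pointing the classful PTR name into it (RFC 2317 section 4).
    `ns` is a placeholder nameserver name, not a real host."""
    net = ipaddress.IPv4Network(network)
    zone = rfc2317_zone(network)
    records = [(zone, "NS", ns)]
    for addr in net:
        records.append((classful_ptr_name(str(addr)), "CNAME", f"{addr.packed[3]}.{zone}"))
    return records


def update_target(ip, delegations):
    """Decide where a dynamic PTR update must be sent. `delegations` maps classless zone
    name -> the network it covers, i.e. knowledge a client would have to be given out of
    band, since a plain RFC 2136 client does not chase the CNAME before updating.
    Returns (zone, owner_name, note)."""
    addr = ipaddress.IPv4Address(ip)
    for zone, network in delegations.items():
        if addr in ipaddress.IPv4Network(network):
            return zone, rfc2317_ptr_name(ip, network), "classless zone: owner differs from classful PTR name"
    return classful_zone(ip), classful_ptr_name(ip), "plain /24 zone"


if __name__ == "__main__":
    deleg = {rfc2317_zone("192.0.2.0/26"): "192.0.2.0/26"}
    print(classful_ptr_name("192.0.2.10"), "->", update_target("192.0.2.10", deleg))
    for rec in parent_glue_records("192.0.2.0/26")[:3]:
        print(*rec)
```

The point for a campus that carves /24s into departmental /26s: the PTR the client wants to write lives at `10.0/26.2.0.192.in-addr.arpa`, while the classful name `10.2.0.192.in-addr.arpa` is only a CNAME in the parent zone, so a client that derives the target zone from the classful name never reaches the record it owns.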
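Walter's report on the LDIF bulk tool (add requires the object to be absent, replace requires it to be present, delete probably requires it too) is the kind of precondition that makes a one-shot import against a partly loaded directory fail part way through. The following is an added example, not the Microsoft tool, of a toy applier with those preconditions and of the "match the current condition of the database" step as a reconcile pass. The directory contents and the LDIF text are constructed, and `changetype: replace` here means whole-entry replacement, a simplification of the real LDIF modify record.

```python
"""Toy applier for LDIF change records with the preconditions observed in the ADS bulk
import tool (add must not find the entry, replace must find it, delete assumed to
require it), plus reconcile(), which rewrites a desired-state export into operations
the tool will accept given the directory's current contents. Added example, not
Microsoft's tool; directory contents and LDIF text are constructed."""
import re


class LdifError(Exception):
    pass


def parse_ldif(text):
    """Split LDIF into (dn, changetype, attrs) records. Continuation lines (leading
    space) are unfolded, '#' comments skipped; base64 '::' values are not handled."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    records, block = [], []
    for line in unfolded + [""]:           # sentinel flushes the last record
        if line.startswith("#"):
            continue
        if line.strip():
            block.append(line)
        elif block:
            records.append(_record(block))
            block = []
    return records


def _record(block):
    dn, changetype, attrs = None, "add", {}
    for line in block:
        m = re.match(r"^([A-Za-z][\w.;-]*):\s*(.*)$", line)
        if not m:
            raise LdifError(f"malformed LDIF line: {line!r}")
        key, value = m.group(1).lower(), m.group(2)
        if key == "dn":
            dn = value.lower()                 # crude DN normalisation; real DNs need RFC 4514 rules
        elif key == "changetype":
            changetype = value.lower()
        else:
            attrs.setdefault(key, []).append(value)
    if dn is None:
        raise LdifError("record without dn")
    return dn, changetype, attrs


def apply_ldif(directory, records):
    """Apply records in order; stop at the first precondition failure and say which
    record broke, which is what an import into a half-loaded directory looks like."""
    for i, (dn, ct, attrs) in enumerate(records):
        present = dn in directory
        if ct == "add":
            if present:
                raise LdifError(f"record {i}: add of existing entry {dn}")
            directory[dn] = attrs
        elif ct == "replace":
            if not present:
                raise LdifError(f"record {i}: replace of missing entry {dn}")
            directory[dn] = attrs
        elif ct == "delete":
            if not present:
                raise LdifError(f"record {i}: delete of missing entry {dn}")
            del directory[dn]
        else:
            raise LdifError(f"record {i}: unsupported changetype {ct!r}")
    return directory


def reconcile(directory, desired):
    """From the directory's current state and the desired entries [(dn, attrs)], emit
    add/replace/delete records that satisfy the preconditions above."""
    plan = [(dn, "replace" if dn in directory else "add", attrs) for dn, attrs in desired]
    wanted = {dn for dn, _ in desired}
    plan += [(dn, "delete", {}) for dn in sorted(directory) if dn not in wanted]
    return plan


CURRENT_DIRECTORY = {   # constructed: what the DC already holds
    "cn=alice,ou=people,dc=example,dc=edu": {"objectclass": ["user"], "cn": ["alice"]},
    "cn=old,ou=people,dc=example,dc=edu": {"objectclass": ["user"], "cn": ["old"]},
}

DESIRED_LDIF = """\
# constructed export from the campus LDAP server; no changetype, so every record is an add
dn: cn=alice,ou=people,dc=example,dc=edu
objectClass: user
cn: alice
mail: alice@example.edu

dn: cn=bob,ou=people,dc=example,dc=edu
objectClass: user
cn: bob
description: a long value that was folded
  across two lines
"""


def demo():
    """Naive import fails on the first existing entry; the reconciled plan applies cleanly."""
    records = parse_ldif(DESIRED_LDIF)
    first_error = None
    try:
        apply_ldif(dict(CURRENT_DIRECTORY), records)
    except LdifError as e:
        first_error = str(e)
    plan = reconcile(CURRENT_DIRECTORY, [(dn, attrs) for dn, _, attrs in records])
    result = apply_ldif(dict(CURRENT_DIRECTORY), plan)
    return first_error, plan, result


if __name__ == "__main__":
    err, plan, result = demo()
    print("naive import:", err)
    for dn, ct, _ in plan:
        print(f"{ct:8} {dn}")
    print("entries after reconciled import:", sorted(result))
```

The reconcile step is the part worth keeping: read the directory first, decide add versus replace per entry, and emit deletes only for entries the export no longer contains, so the same feed can be re-run without hand-editing it to the directory's state.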
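Summary item 6 (one person with several roles) and Len Lanphar's notes on applying a GPO to everyone and then filtering with an ACL are the same problem seen from two sides: which GPOs a user picks up is decided by the Apply Group Policy ACE evaluated against the user's flattened group membership, and conflicting settings are resolved by processing order. The following added model shows that behaviour; it is not Microsoft code, and the users, groups, GPO names and setting names are constructed. The treatment of Enforced links is simplified, as noted in the code.

```python
"""Model of Group Policy selection for a user in one OU: several GPOs linked to the same
container, each filtered by the 'Apply Group Policy' ACE to a security group, nested
groups flattened, later links overwriting earlier ones. Added illustration, not Microsoft
code; users, groups, GPOs and settings are constructed."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                              # setting name -> value
    apply_to: set = field(default_factory=lambda: {"Authenticated Users"})  # groups granted Read + Apply Group Policy
    enforced: bool = False


def flatten_groups(principal, member_of):
    """Transitive membership: nesting lives in groups (GPOs do not nest), so filtering is
    evaluated against the flattened set. Every user is in Authenticated Users."""
    seen, stack = set(), [principal]
    while stack:
        for g in member_of.get(stack.pop(), ()):
            if g not in seen:
                seen.add(g)
                stack.append(g)
    return seen | {"Authenticated Users"}


def effective_settings(principal, member_of, gpo_links):
    """gpo_links is the order the client processes them (site, domain, OU, then link order
    within a container): later entries win on conflict. Enforced links are moved to the end,
    a simplification of the real 'Enforced beats lower containers' rule.
    Returns (settings, which GPO wrote each setting, names of the GPOs that applied)."""
    groups = flatten_groups(principal, member_of)
    applied = [g for g in gpo_links if g.apply_to & groups]     # security filtering
    ordered = [g for g in applied if not g.enforced] + [g for g in applied if g.enforced]
    settings, provenance = {}, {}
    for gpo in ordered:
        for key, value in gpo.settings.items():
            settings[key] = value
            provenance[key] = gpo.name
    return settings, provenance, [g.name for g in ordered]


def conflicts(principal, member_of, gpo_links):
    """Settings written by more than one applicable GPO: where 'union of roles' silently
    becomes 'last link wins' and link order has to be chosen deliberately."""
    groups = flatten_groups(principal, member_of)
    writers = {}
    for gpo in gpo_links:
        if gpo.apply_to & groups:
            for key in gpo.settings:
                writers.setdefault(key, []).append(gpo.name)
    return {k: v for k, v in writers.items() if len(v) > 1}


MEMBER_OF = {   # constructed direct memberships; CS-Students and Hum-Students nest in Students
    "alice": {"Dorm-Residents", "CS-Students"},
    "bob": {"Staff", "Hum-Students"},
    "CS-Students": {"Students"},
    "Hum-Students": {"Students"},
}

OU_LINKS = [    # constructed: everything linked to one OU, in processing order
    GPO("Campus-Baseline", {"screensaver_lock": "on", "software": "office"}),
    GPO("CS-Software", {"software": "office+cs-tools"}, apply_to={"CS-Students"}),
    GPO("Staff-Desktop", {"software": "office+hr-app", "screensaver_lock": "on"}, apply_to={"Staff"}),
    GPO("Student-Lab", {"home_drive": "H:"}, apply_to={"Students"}),
]

if __name__ == "__main__":
    for user in ("alice", "bob"):
        settings, provenance, applied = effective_settings(user, MEMBER_OF, OU_LINKS)
        print(user, "applied:", applied)
        for key, value in settings.items():
            print(f"  {key} = {value}  (from {provenance[key]})")
        print("  conflicts:", conflicts(user, MEMBER_OF, OU_LINKS))
```

For bob (staff and student) the union of roles gives him the student home drive and the staff software set, but `software` is written by two GPOs and only link order decides which survives; `conflicts()` is the audit a site using the ACL-filtering trick should run before trusting the result.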