But will it include calendars?

Posted by: Richard
June 19, 2008

Apple says:

Snow Leopard includes out-of-the-box support for Microsoft Exchange 2007


Does this mean just mail, or mail+calendar, or the whole package? Note that even Microsoft Entourage does not sync Notes or Tasks with Exchange Server.

On a related note, Jon Udell has built a small script (exchange2ical) to publish iCal feeds for Exchange calendars!

I wonder which approach will bear fruit most quickly.


E-Mail Archiving

Posted by: Richard
May 3, 2008

Mary Beth Herkert
Archives Division, Information Resource Management Unit

Work on home computers is part of public record
Records retention schedules
Preserve only for as long as it is needed to accurately document agency functions
Core Elements of a Good Policy
- appropriate use statement
- access to employee computers and accounts; privacy notice
- retention of e-records
- policy awareness
- training
- compliance
Email management manual online (state archives)
Alternative communication devices
- IM
- PDAs
- Chat rooms
- Blogs
Public employees -- no expectation of privacy
Individual employees make decisions about what to retain (realistic?)
"Knowingly destroy public records" - okay if it's a mistake
Synchronizing email to home computer -- yes, the home computer could be subpoenaed
Messages that need to be saved for a long period of time should be exported from the email system
Create a filing system that is the same for both electronic and paper records (e.g., naming conventions)
Voicemail is not a public record for retention in Oregon
No jurisdiction over a private school -- subject to federal requirements
Audio recordings need to be kept for one year, even if minutes were taken
May not need to capture email messages if records are documented elsewhere (e.g., teacher communicates progress report to parents)

Mary Beth Herkert
Archives Division, Information Resource Management Unit
http://arcweb.sos.state.or.us


Cisco Clean Access Woes

Posted by: rkassissieh
December 22, 2007

In August, we implemented Cisco Clean Access (also known as Network Access Control) in order to limit the school wireless network to known users and scan desktop computers for running antivirus and the latest OS patches. Unfortunately, our implementation has hit a few snags, to the point where most of our user population is pretty cynical about the impact of Clean Access on their ability to operate and the supposed benefits it brings.

We currently have the following concerns about our implementation of Clean Access.

  • It's mid-December and Cisco has not yet released a Leopard-compatible agent.
  • CCA login times vary from a few seconds to several minutes.
  • The current agent is not dual-NIC aware, trying to authenticate users against the secondary connection.
  • The Windows client often crashes, requiring a reboot before the user may log in.
  • One or two users per day end up in the temporary role for reasons unknown.
  • The agent often becomes unresponsive when a user switches VLANs.
  • A new patch that came out in September was incompatible with AdAware 2007 and booted half our user base from the network.

How has Clean Access been for you? Are these typical problems, or do we have a unique situation?

Update 1/8/2008: We successfully installed a secure certificate and upgraded the server and agent to new versions (4.1.3.0 on the Mac). First tests show improvement in client behavior. We are looking forward to further testing with real users to see how many of our issues the new client software solves.

Update 1/10/2008: I have the new CCAAgent 4.1.3.0 running on Leopard. We noticed right away a processor utilization issue -- CCAAgent was using 100% of the processor every few seconds, not good for laptops trying to conserve battery power during a long school day. Cisco sent the following fix.

First, create a preference.plist file for yourself: Show Package Contents on Applications - CCAAgent and copy Resources - setting.plist to your user Library - Application Support - Cisco Systems - CCAAgent and then rename it preference.plist. Create these folders if they don't exist.

Run the following script in terminal (all on one line):
osascript -e 'tell application "System Events"' -e 'set the thePListPath to "~/Library/Application Support/Cisco Systems/CCAAgent/preference.plist"' -e 'tell application "System Events"' -e 'tell property list file thePListPath' -e 'tell contents' -e 'set previousValue to value' -e 'set value to ({|VlanDetectInterval|:"0"} & previousValue)' -e 'end tell' -e 'end tell' -e 'end tell' -e 'end tell'

This turns off automatic VLAN detection in the Clean Access agent, which solves the processor utilization problem.
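The same two steps (copy setting.plist into place as preference.plist, then set VlanDetectInterval to "0" while keeping every other key) can be done with Python's standard plistlib instead of the osascript one-liner. This is an added example, not the post's script or anything Cisco shipped; the keys in the sample setting.plist and the file locations inside CCAAgent.app are assumptions for the demo, and the scratch-directory runner exists only so it can be exercised off a Mac.

```python
import plistlib
import shutil
import tempfile
from pathlib import Path

# Constructed stand-in for the agent's setting.plist. The real file lives inside
# CCAAgent.app; its other keys are not documented in the post, so these are assumed.
SAMPLE_SETTING_PLIST = {
    "ServerAddress": "cca.example.invalid",  # placeholder value
    "VlanDetectInterval": "5",               # assumed shipped value; the fix sets "0"
}


def install_preference_plist(app_setting: Path, pref_dir: Path) -> Path:
    """Copy setting.plist to <pref_dir>/preference.plist unless one already exists.
    This is the manual Show Package Contents / copy / rename step from the post."""
    pref_dir.mkdir(parents=True, exist_ok=True)
    pref = pref_dir / "preference.plist"
    if not pref.exists():
        shutil.copyfile(app_setting, pref)
    return pref


def disable_vlan_detection(pref: Path) -> dict:
    """Set VlanDetectInterval to "0" and keep every other key. This matches the
    AppleScript record concatenation ({|VlanDetectInterval|:"0"} & previousValue):
    in AppleScript the left-hand record wins on duplicate keys."""
    with pref.open("rb") as fh:
        data = plistlib.load(fh)
    data["VlanDetectInterval"] = "0"
    with pref.open("wb") as fh:
        plistlib.dump(data, fh)
    return data


def apply_fix(app_setting: Path, home: Path) -> dict:
    """Apply both steps for the user whose home directory is `home`."""
    pref_dir = home / "Library" / "Application Support" / "Cisco Systems" / "CCAAgent"
    return disable_vlan_detection(install_preference_plist(app_setting, pref_dir))


def run_in_scratch() -> dict:
    """Self-contained demo: build the sample setting.plist in a temp dir, apply the
    fix there, and re-read preference.plist to prove the change reached disk."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app_setting = root / "CCAAgent.app" / "Contents" / "Resources" / "setting.plist"
        app_setting.parent.mkdir(parents=True)
        with app_setting.open("wb") as fh:
            plistlib.dump(SAMPLE_SETTING_PLIST, fh)
        result = apply_fix(app_setting, root)
        pref = root / "Library" / "Application Support" / "Cisco Systems" / "CCAAgent" / "preference.plist"
        with pref.open("rb") as fh:
            on_disk = plistlib.load(fh)
        if on_disk != result:
            raise RuntimeError("preference.plist was not written as expected")
    return result


if __name__ == "__main__":
    # On a real Mac the call would be:
    # apply_fix(Path("/Applications/CCAAgent.app/Contents/Resources/setting.plist"), Path.home())
    print(run_in_scratch())
```

Because the copy is skipped when preference.plist already exists, re-running the script after Cisco changes setting.plist keeps your local file; delete preference.plist first if you want to pick up new defaults.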

Update March 27, 2008
You can package the above into an executable AppleScript. Look closely -- the shell command actually executes AppleScript!

Meta-calendaring with Exchange?

Posted by: rkassissieh
October 27, 2007

Dear Blogosphere,

Like many schools, we are deeply invested in Microsoft Outlook and Exchange Server. Yet, we struggle with these products' limited calendaring abilities. We would really like a modern calendaring system that allows users to turn layers on and off for different public resources. Rather than having dozens of individual, mutually exclusive calendars, my users want dozens of layers in a single multi-calendar. Additionally, portability would be key -- the ability for a single user to include an item from a public calendar in one's personal calendar without unnecessary duplication. I have heard of Zimbra but not given it a close look. We must continue to use Outlook, and frankly, we would like to continue to use Exchange if we can, to minimize the amount of change in our system.

Do you know any open-source tools that can layer on top of Exchange to provide these meta-calendaring services?

Comparing SSL VPN Java client on Mac and Linux

Posted by: rkassissieh
September 29, 2007

One of our best purchases this year is the Sonicwall SSL-VPN 200, a $500, web-based VPN solution that allows up to ten concurrent users to get on the LAN from any location using a web browser and an Active Directory login. The software provides two choices for the browser plug-in used to present the terminal window: ActiveX or Java. Having eliminated Microsoft Windows from our home, we use the Java client exclusively. I have noticed that the Java client is so much faster on Linux than Mac OS. It practically feels like I'm on the LAN. I find the same difference with the Java applet that Menalto Gallery uses for bulk uploads. Do you know why Java applets run so slowly on a Mac? Can anything be done about this?

New Time Zone, Same Microsoft Problems

Posted by: rkassissieh
March 12, 2007

So our daylight savings transition has gone no better or worse than expected. As explained before, we followed all the Microsoft instructions, yet their timezone move tool only correctly handled about half of the incorrect calendar entries. The only solution left is to manually open each item and re-save it. Although tedious, at least this finally resolves the problem. Have you found a way to do this on a global scale?

Oh, and the Blackberry DST update blew up partway through, and I had to reinstall all my handheld software. We have lost a lot of time on this daylight savings time change!

Server room cleanup

Posted by: rkassissieh
January 2, 2007

Before break, we spent a day decluttering and rewiring the entire server room. It was both a cathartic and productive day. Now we can sleep better at night knowing that each server has one power supply connected to a newly beefed-up UPS and the other connected to filtered power. This will no doubt pay off down the line in reduced power supply failure and cleaner shutdowns when we lose power.


Permanent Redirects

Posted by: rkassissieh
October 9, 2006

You may know how the web address for Outlook Web Access always ends in /exchange, which is okay in a link but not if you're trying to tell people the address. If anyone happens to go to the home page of the site, they get a "no home page" error.

[Image: Exchange server default home page error]

Since the webroot for IIS on the Exchange server is just about empty, you can easily replace the default page with a permanent redirect. I also found a great summary of this technique applied in different programming languages at Permanent Redirects with HTTP 301. Here's the code for ASP, which is enabled by default on your Exchange server.

<%@ Language=VBScript %>
<%
' Permanent redirection
Response.Status = "301 Moved Permanently"
Response.AddHeader "Location", "http://www.yourdomain.com/"
Response.End
%>


This technique is useful anywhere you would like an easy redirect to another directory and you don't have access to a .htaccess file (Linux) or the IIS admin interface (Windows).

Of course, it's easier in PERL with CGI.pm or in PHP.

header("Location: http://www.yourdomain.com/", true, 301);
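The same redirect as a small WSGI application, written so it can be checked in-process without a socket. This is an added example, not code from the post or from the linked article; `www.yourdomain.com` is the post's placeholder, and the 404 for every other path is a simplification (on the real Exchange front end IIS keeps serving /exchange itself). Two details worth copying: only the site root redirects, and the Location target is a fixed configured URL, never built from anything in the request.

```python
from wsgiref.simple_server import make_server

# Placeholder target as in the post. In production this is your real site URL,
# fixed in configuration and never derived from the incoming request.
TARGET = "http://www.yourdomain.com/"


def permanent_redirect_app(environ, start_response):
    """WSGI app: 301 from the site root to TARGET; any other path gets a 404 here."""
    path = environ.get("PATH_INFO") or "/"
    if path == "/":
        body = b"Moved Permanently"
        headers = [
            ("Location", TARGET),
            ("Cache-Control", "max-age=86400"),  # browsers cache 301s; state the lifetime explicitly
            ("Content-Type", "text/plain"),
            ("Content-Length", str(len(body))),
        ]
        start_response("301 Moved Permanently", headers)
        return [body]
    body = b"Not Found"
    start_response("404 Not Found", [("Content-Type", "text/plain"),
                                     ("Content-Length", str(len(body)))])
    return [body]


def probe(path):
    """Call the app directly (no network) and return (status, headers, body)
    so the redirect can be verified offline."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status
        seen["headers"] = dict(headers)
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "SERVER_NAME": "localhost",
               "SERVER_PORT": "80", "wsgi.url_scheme": "http"}
    body = b"".join(permanent_redirect_app(environ, start_response))
    return seen["status"], seen["headers"], body


if __name__ == "__main__":
    print(probe("/"))
    print(probe("/exchange"))
    # Serve it for real on a local port (Ctrl-C to stop).
    with make_server("127.0.0.1", 8080, permanent_redirect_app) as httpd:
        httpd.serve_forever()
```

A quick external check of either the ASP page or this app is `curl -I http://host/`: you should see the 301 status line and the Location header, and nothing else of interest in the response.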

Active Directory Management From Your Desktop

Posted by: rkassissieh
July 21, 2006

I found out today how to manage Active Directory users and groups directly from my PC. After four years of terminaling into servers to access Active Directory, this helps consolidate administrative applications on my computer. It's also a plus that I am running Windows under Parallels. This is a tech note that our former employee Jonathan wrote up.

Installing “Active Directory Users and Computers” Module with Exchange Features on Windows XP SP2 Workstations, using Exchange 2003

In Windows XP SP2, the SMTP snap-in is installed with the IIS snap-in. The SMTP Service is a separate component that is not required. The WWW Publishing Service is also not required. The Windows Server 2003 Administration Tools Pack is still required, because it provides the NNTP snap-in and the Active Directory Users and Computers snap-in.

1. Verify that you are using Windows XP SP2

2. Install IIS Snap-In (Add/Remove Programs – Windows Components)
a. Select “Internet Information Services (IIS)” and click the “Details” button [requires Windows XP CD]
b. The “SMTP Service” and “World Wide Web Service” can be unchecked

3. In Services, disable SMTP and WWW services, if applicable

4. Install Windows Server 2003 Administration Tools Pack [We had this on our network. It's probably on the Server 2003 install CD.]

5. Install Exchange System Management Tools:
a. Insert the Exchange Server 2003 CD—When the installation splash screen comes up, click on Exchange Deployment Tools under the Deployment section
b. On the Welcome to the Exchange Server Deployment Tools screen, click Install Exchange System Management Tools Only
c. The following screen explains some of the prerequisites for installation… scroll to the bottom of the screen and click “Run Setup now”
d. In the Exchange installation “Component Selection” screen change the Action for the “Microsoft Exchange” heading to Install or Custom
e. Change the Action for “Microsoft Exchange System Management Tools” to Install
f. Complete installation


[Images: user and group management tabs in Active Directory Users and Computers]

The Triumphant Return of DAF

Posted by: rkassissieh
June 27, 2006

I have succeeded in configuring DAF5 on our new IIS6 web server. DAF is the linchpin of our web intranet, as it permits our web site to authenticate parents without creating network accounts for them. It also provides a standard HTML login form instead of the default Windows popup dialog.

DAF permits a web site to authenticate users against two databases. We authenticate our network users against Active Directory and our parents and guest users against an Access database. DAF checks the Access database first and then forwards unknown users to IIS for Active Directory authentication. I don't know of another product that does this function, so I was thrilled to be able to configure it correctly. Since DAF5 is in perpetual beta, documentation is scarce.

I found the correct configuration through educated trial-and-error. Here are the key steps.

IIS Manager --> [your web site] --> Properties --> Directory Security --> Authentication and Access Control --> Enable Anonymous Access

You must allow IIS to enable anonymous access in order for DAF to take over authentication for this web site.

Security Handler --> Always use a SSL connection

This is essential to prevent plain-text transmission of user passwords. Windows is no help in this regard, since Windows basic authentication is required in order to authenticate non-Internet Explorer users. Instead, I have purchased an SSL certificate for this web site, which in conjunction with DAF will make login encrypted for all users.

Security Handler --> Login Form Type --> HTML Login form

This points DAF to an HTML form instead of using a standard popup dialog. The form is located in /session in your web site. You can modify the HTML there, as long as you leave the form mechanics and includes intact. Check out our modified login form.

By default, login failure brings up a different web page. I pointed our failure page back to the same login form page, on which the error message appears. Later, it would be preferable to either make the error messages more verbose or to redirect to a different failure page with more information about what the user can do to correct the problem.

Security Handler --> User ID & Session --> HTML Login Form (using Cookies)

I used the defaults for HTML form.

Security Handler --> Advanced --> Default DAFAUTH.INI file

This step is critical to protect all of the directories in your web site at once. By default, a dafauth.ini file must be present in each directory in your web site. Since this is impractical, it is easier and more secure to choose an appropriate ini file here. Mine has the following simple settings:

[PreAuthentication]
Anonymous = disable
Authenticated = enable


Then I set NT folder security as appropriate for the access permissions I want.
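To make the effect of the default DAFAUTH.INI setting concrete, here is an added example (my own illustration, not DAF code or its documented lookup rules) that parses dafauth.ini files with Python's configparser and decides whether an anonymous or authenticated request may proceed. A dafauth.ini in the requested directory takes precedence; otherwise the site-wide default applies; and when neither exists the example denies the request. That fail-closed choice and the per-directory override dictionary are assumptions of this example.

```python
import configparser
from pathlib import PurePosixPath

# The default dafauth.ini from the post, applied site-wide through
# Security Handler --> Advanced --> Default DAFAUTH.INI file.
DEFAULT_DAFAUTH_INI = """\
[PreAuthentication]
Anonymous = disable
Authenticated = enable
"""

# Constructed per-directory overrides for the demo. DAF reads dafauth.ini from the
# directory itself; here the directory path is the dictionary key.
SAMPLE_DIRECTORY_INIS = {
    "/public": "[PreAuthentication]\nAnonymous = enable\nAuthenticated = enable\n",
}


def parse_dafauth(text):
    """Return {'anonymous': bool, 'authenticated': bool} for one dafauth.ini.
    A missing key counts as 'disable' so an incomplete file fails closed
    (an assumption of this example, not documented DAF behaviour)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    section = cp["PreAuthentication"] if cp.has_section("PreAuthentication") else {}
    return {
        "anonymous": section.get("Anonymous", "disable").strip().lower() == "enable",
        "authenticated": section.get("Authenticated", "disable").strip().lower() == "enable",
    }


def is_allowed(request_path, authenticated, directory_inis=SAMPLE_DIRECTORY_INIS,
               default_ini=DEFAULT_DAFAUTH_INI):
    """Decide whether a request may proceed. The requested directory's own
    dafauth.ini wins; otherwise the site-wide default applies; with no default
    configured and no file present, deny."""
    directory = str(PurePosixPath(request_path).parent)
    ini_text = directory_inis.get(directory, default_ini)
    if ini_text is None:
        return False
    policy = parse_dafauth(ini_text)
    return policy["authenticated"] if authenticated else policy["anonymous"]


if __name__ == "__main__":
    checks = [("/grades/report.html", False), ("/grades/report.html", True),
              ("/public/calendar.html", False), ("/index.html", False)]
    for path, auth in checks:
        who = "authenticated" if auth else "anonymous"
        print(f"{path} ({who}) -> {'allow' if is_allowed(path, auth) else 'deny'}")
```

The point the post makes is visible in the last branch: without a default file, every directory that lacks its own dafauth.ini is a gap, and the only safe thing a gateway can do there is refuse.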

Security Handler --> Count as ONE Registered Protected Site

If you don't register with DAF, then only ten users can connect to your site.

Security Handler --> Logs

Enable Write to log file. DAF keeps different sets of error logs for different purposes. The most useful logs for debugging configuration are site-specific and found in /dafdata just outside the web site directory that you specified during installation. Note that /dafdata has the web site resource id appended to its directory name.

User DB --> Data Store --> Primary Data Store --> ODBC Data Source --> Settings

Use your server's Administrative Tools --> Data Sources (ODBC) to set up an ODBC link to your external database containing non-network user information. I wrote a separate PERL script to populate this database with registered parent login information.

Source & Connection tab: Select the ODBC source for your database and provide login information if necessary.

Table & Columns tab: Match the columns in your ODBC database to DAF standards.

Advanced tab: Use defaults

User DB --> Data Store --> Secondary Data Store --> NT User DB --> Settings

Default NT Domain: Select NT Domain User Database and specify the default NT domain. This step seemed necessary in order to authenticate network users successfully without requiring them to specify their domain.

NT Account Mapping: Select Forward credentials to NT/IIS. This step permits IIS to authenticate network users, i.e., those who aren't in the DAF database.

User DB --> Session

Enable session state. This is required for this approach, but I don't recall why.

Other settings keep their defaults.

User DB --> NT Accounts

Default mapped NT account: This is an easy way to control privileges for the parent users on our network. As it happens, my parent registration script creates a static mapping in the DAF database, so I leave this setting empty.

Data source Login NT account: A server user that has privileges to read and write the DAF database. If this is improperly set, you will see corresponding error messages in the site error log.

User DB --> Encryption

I would like to use encryption, but it is easier to set this up for a clean install than to migrate existing, unencrypted passwords to this system. I will work on this soon.

User DB --> Logs

Write to log file

We Have Made It

Posted by: rkassissieh
June 21, 2006

We got all our users up and running on the new, single-domain servers this morning. For a disaster recovery situation, 24 hours was not too bad. How many tries did this take to get right?


Just When I Thought It Couldn't Get Worse

Posted by: rkassissieh
June 20, 2006

Days after recovering from our failed network migration, we have had another server blowup. The air conditioning system in our server room failed this weekend, the room heated to 150 degrees F, and our Exchange server drives failed. We did get a good backup of the data store last night before the failure, but now we are left without both an Exchange server and the internal expertise to reinstall Exchange in a multi-domain environment.

At the same time, I have gathered a lot of feedback from other BAISNet tech directors and discovered that we are the only school among the respondents that is running multiple Active Directory domains. So, in this state of emergency, we have decided to immediately rebuild our new servers in a single domain environment, test it this afternoon, and migrate users to it tomorrow.

The simplified approach has reaped dividends within the first hour of adoption. Our systems administrator already worked up the primary domain controller the other day, so all he has to do now is to prep the domain for Exchange and install that. Without the multiple domain issues, we should be able to test the new server environment with user accounts by this afternoon. Our tech department users will spend the night logged into the new servers, and we will migrate other users if all is still well tomorrow morning. We may even recover all mail if we can mount the backed-up data store in an offline Exchange server and spin off the PSTs one final time.

Wish us good luck.

Server Learning Experiences

Posted by: rkassissieh
June 14, 2006

This feels familiar. We have twice this week unsuccessfully attempted to migrate to new servers. The problems all involve Exchange server communication between parent and child domains. I finally decided to pull in some external expertise and discovered that we are doing things the hard way at a couple of levels. First, our four-domain architecture runs counter to the conventional wisdom for organizations of our size and complexity. Microsoft and our consultant recommend a one domain architecture with organizational unit/group policy management of user privileges. Second, we manually complete a number of steps that the consultant has figured out ways to automate or shortcut. For example, we spend 20 minutes per user unjoining them from the old domain, joining them to the new domain, and then setting up their new profile. Apparently, there is a way to edit the user's registry to move a user to a new domain without changing their profile. After the third attempt to reinstall and correctly configure our new servers, we rolled back to the old servers and returned to the drawing board.

On another note, I confirmed that my struggles obtaining PERL debugging information in the browser stem from a new IIS6 security feature. I found a description of the problem that indicates that there is not a good way around this feature. Too bad that I have not yet found error handling options in Activestate PERL similar to those found in PHP. While it was convenient to see error messages when PERL scripts did not compile correctly, this forces me to get a legitimate PERL development environment that can provide debugging information live and to write my scripts to capture errors on the fly. These are good things.

Putting WIMP Into Place

Posted by: rkassissieh
June 9, 2006

Today, I continued work on our new WIMP server configuration. As opposed to LAMP, or even WAMP, WIMP stands for:

Windows
IIS
MySQL
PHP/PERL

Our WIMPy setup is coming along just fine, aside from a few speedbumps. The first occurred when PHP repeatedly failed to load the php_mysql.dll library. It took me three hours to realize that PHP was pointing to \Windows instead of \php to find the php.ini configuration file. This despite the fact that php.ini was only located in \php, and I had added that to the PATH server environment variable! A test script with the phpinfo() command was essential to discover this fault.

I am still working on the second roadblock. PERL is not returning informative error messages. When a script does not compile properly, the browser only returns an "incomplete set of headers" error message. In our old IIS5 setup, this would usually be followed by "the headers it did return are ...", which would provide the substance of the error message. Not this time! I need to determine whether this is a normal consequence of an incomplete set of PERL modules, or whether there is a way to turn on more verbose error messaging. I suspect that my answer lies in some command-line testing.

In other news, Richard Bender has completed most of the new server setup and will begin the migration tomorrow. Ina upgraded Raiser's Edge to version seven, and we are aiming to join the first admin users to the new domains on Monday.

Student.User, High School Graduate!

Posted by: rkassissieh
June 4, 2006

Our beloved student.user network account graduated today. It first entered the school in the fall of 2002 as a test account for student network privileges. Needing a security group, it joined the new class of 2006. For four years, student.user made its way through the ninth grade curriculum, found a new group of friends during sophomore year, unsuccessfully ran for V.P. of Diversity junior year, and experienced a vicious senior slump this year. College really isn't in the cards for student.user. We think it is going to take some well-deserved time off and contemplate what to do next. A return to the class of 2010 is pretty much out of the question, since our current practice is to create a student test user account for each class. So, 2008.user and 2009.user are currently making their way through the rigorous UHS program, and the tech department will have many graduations to celebrate in the future. One thing for sure -- the tuition payments are killing us!

p.s. Teacher.User appears to be a lifer.

Class of 2006 graduated. Accounts go next!

Posted by: rkassissieh
June 3, 2006

Today, the Class of 2006 graduated from San Francisco University High School. On Monday, I will continue our four-year tradition of disabling the students' network accounts two days after graduation. This is one of the more unpopular policies I have. Many students would like me to keep the accounts active through the summer, until they have established their college accounts.

Fellow tech directors, what policies do you follow for graduating seniors?


Arguments for closing accounts right away

- You don't attend the school anymore.
- You've graduated. It's time to let go and move on.
- Acceptable use agreements no longer govern account use.
- We need the summer to remove old accounts, reclaim disk space, and establish new accounts.
- Email services cannot exist independently of other network services.
- Some colleges have already made network accounts available to new students.
- Most of you already have personal email accounts.
- Take this opportunity to update your UHS Alumni profile with a permanent email address!


Arguments for keeping network accounts active through August

- Not all colleges make network accounts available right away.
- You deserve the opportunity to reach each other easily before you go to college.
- Departing seniors can be trusted to use accounts appropriately for the duration of the summer.
- It doesn't take that much work to perform the necessary account management.
- You might use your network accounts to participate in forum discussions.
- It's just plain mean to suspend the accounts right away.

New Web Server

Posted by: rkassissieh
May 11, 2006

I am starting to build out our new web server today. It is exciting to start from a completely blank slate!


Over the winter break, I built out this web server once, when we thought we were going to launch the new servers then. Since we postponed to summer, I have the opportunity to learn from that experience and create a cleaner install this time around. Last time, I thought I would install PERL, PHP, and mySQL on the C: (system) drive in order to keep all applications there. This time, I am going to reserve C: for the operating system and default Windows applications and put everything web-related on D:. This way, we can image D: once before launch and keep that image as a snapshot of the web server configuration in case of disaster recovery. Also, if the system ever has problems, we can wipe and re-image the C: drive without affecting the web server contents.

Too Much Spam

Posted by: rkassissieh
April 20, 2006

[Chart: incoming mail volume; blue = blocked (rate control), red = blocked (spam), green = allowed]

Our filter tells us that most of our incoming mail is spam. Though I am happy to have a spam appliance (from Barracuda), the overall increase in spam volume leads to a corresponding increase in false negatives. Users start receiving several spam messages each day, reminiscent of a few years ago when that is all the spam that existed. It is a shame that we have not been able to pass effective anti-spam legislation to thwart this problem.

Student Email Accounts

Posted by: rkassissieh
April 14, 2006

While in Botswana last week, I was introduced to a class of history students as the person who first introduced student email accounts to Maru-a-Pula School. To my surprise, the students applauded! At University High School, several students have taken the time to thank me for their accounts. Yes, it requires more work (though not as much as you might think) to manage 400 (or more) additional email accounts. Students do tend to come to school with a personal account at another service. However, school email accounts provide added value in several ways.

- A user-friendly email system for those who have an unfriendly one
- A standardized naming convention so that students are easy to find
- A searchable email directory, such as Exchange Global Address Book
- An easy way to create class mailing lists
- The foundation for a culture of open, rapid communication among teachers, staff, students, and parents
- A "professional" address for students to use with the outside world, such as colleges and prospective employers
- An easy way to transfer files between school and home
- A straightforward link into email-enabled community web software such as Moodle and bulletin boards
- ... and perhaps most importantly,
- A sense of pride that the school trusts them with a branded email address

The last item has convinced me the most of the value of a student email system. The enthusiasm and pride are evident when the school helps students communicate more easily and effectively. The gratitude is palpable.

To make administration easier, choose an email system that integrates with your authentication system. Set up mailbox size limits to avoid filling up your server or overloading your backup system. Allow a variety of protocols for reading mail, such as webmail, POP, IMAP, and/or RPC over HTTP (if your sysadmin feels they are secure enough). Document procedures for students to solve common problems, such as how to fix a full mailbox or set up an IMAP client.

One More Lesson

Posted by: rkassissieh
January 5, 2006

We have learned one more lesson about the server migration: it ain't over 'till it's over! In the stretch run of the installation, we ran into a number of unanticipated time sinks with regard to setting up groups, folder permissions, and DNS. As a result, we decided it would be better to more thoroughly test the migration during the spring semester and cut over in June than to sic 500 users onto immature servers this week. As there was no critical reason to move to the new servers now, the main consequence of this change is that we have had to "unprepare" our users for the switch. Users who had anticipated downtime and new passwords are now surprised to find that the status quo remains in place.

Servers Transitioning

Posted by: rkassissieh
December 30, 2005

As we come to the end of our server transition, here are some lessons learned:

- There was much less actual downtime than anticipated. Richard B. had to down the servers only when migrating data, but then he could bring the old servers back up again and test the data on the new servers.

- My attempts to promise a specific day for the cutover were defeated, twice. It would have been better to have told users that the new network would be in place when they saw it in place.

- The new web server was a useful place to post status announcements even while I was building it out. I had thought the entire server would be out of commission for much longer.

- Winter break was the best time to do this transition all year. It was quieter here than at any time during the summer, and users will return gradually over the next week and a half.

- The only big obstacle was the mass migrating of Exchange server accounts from one server to the other. The export utility worked fine, but the import failed. However, since the export creates an individual PST file for each user, it should not be a problem to import them into the new mail accounts individually or to provide users with instructions to import their own PST files if they so desire.

- AD Infinitum has been an essential tool, creating all AD accounts and generating secure, initial passwords for the new accounts on the fly. It's a great deal for $100.

Related: The Quietest Week of the Year, Preparing the New Servers

Preparing the New Servers

Posted by: rkassissieh
December 22, 2005

We have begun installation on our new servers in earnest, coincident with the departure of our students, faculty and staff for vacation. This process will take about two weeks and will result in nine new servers in our collection of eleven. The main challenge is how to sequence the installation steps in order to minimize disruption to our 500 users. My colleague Richard has devoted the week to installing Win2k3 server software on the machines and testing user and mail account migration from the old servers to the new. Once we take the old servers down and interrupt service, he will have to move quickly in order to restore service ASAP. Importantly, we learned that passwords will not migrate -- all of our users will have to create new ones when they first log on upon return from vacation! Exchange accounts will be moved via an export utility that spins off a PST file for each user, a process that will take a long time. Active Directory accounts will move by way of an application that can create and modify batches of accounts. This application will create new, temporary passwords for our users and save them in a file for us to distribute manually to users.

I spent today prepping our new web server. Here are some lessons I learned from doing this for the first time. IIS installation went quickly, though I forgot to enable server-side includes the first time through. As a result, the server returned 404 (not found) errors for my .shtml files until I figured that out. Activestate PERL was a piece of cake, though I neglected to add .cgi to the application mapping table and got stuck on that for a while. PHP was surprisingly hard work, since the documentation indicates that the Windows installer should not be used on production servers! The manual process was more tedious, though a couple of hours' work finished the job. I elected the ISAPI method for PHP execution instead of CGI, because of the superior performance and security promised by that method. Finally, I have improved the structure of the cgi-bin and PHP script virtual directories, in order to minimize the chance of a user gaining script source access. One great new feature in IIS 6 is the Windows equivalent of a chroot "jail," which automatically restricts users' FTP activity to an AD-defined user directory.

There is a lot more pressure on us to quickly migrate popular services than there was to introduce these functions the first time. At least they are familiar to us and therefore quicker to configure than when we did not know anything about them.

The Quietest Week of the Year

Posted by: rkassissieh
December 9, 2005

Our big server upgrade is coming up in just a couple of weeks. Our intrepid network administrator has chosen Christmas week to take down the old servers and bring up the new servers in their place. Exchange is projected to be down for a couple of days, the admin servers for the better part of a week, and the academic side of the network for at least a week, if not longer. Why perform a server migration halfway through a school year? It appears to be the time when the fewest users are active on the systems. There is actually quite a lot of administrative, teacher planning, and student email activity during the summer. A network migration would be more disruptive then than it will be during Christmas week.

Of course, the pressure will be on us to bring the servers back as quickly as possible. Note that we made this more difficult for ourselves by choosing to change our network structure. If all we were doing was to upgrade the servers, then the migration would be a lot more seamless, involving only data migration.

Network Security Standards

Posted by: rkassissieh
November 24, 2005

An article at Newsforge presents a concise overview of nine security architecture principles. This confirms the importance of having a highly capable network administrator, which we are very lucky to have. It also underscores my favorite point about security: our network is only as secure as the least well-kept password in our user base. This article on password security outlines the problems with passwords and the new technologies that may replace them.

Source: Stuart Yeates

Satellite Campus

Posted by: rkassissieh
November 17, 2005

We are finalizing architectural plans for our new building on Sacramento St., two blocks away from the three main buildings in our campus. Linking a satellite facility is a new problem for us, so we have to learn quickly. Here are some preliminary thoughts -- comments and advice are most welcome.

We seem to have two options to create a data link between the buildings: a leased T1 and a point-to-point radio link. Luckily, we do have line of sight from the roof of our lower campus building to the Sacramento St. building. A dish would appear to offer faster connection speeds (a T1 carries only 1.544 Mbps), and a leased T1 better reliability. Either way the link leaves our premises, so traffic across it should be encrypted, whether by the radio's own link encryption or by an IPsec tunnel between the two routers, rather than trusted the way the wiring inside a building is.

We realized today that it would be a good idea to put a domain controller and file server in the new building, so that employees and specific academic programs will have fast access to authentication information and storage space without having to cross the new connection to the servers in the main campus. For example, digital photography students will have to move large PSD files among various computers, so they had better have fast access there; a 100 MB file takes roughly nine minutes to cross a T1. A domain controller in the satellite building needs the same physical protection as the ones on the main campus, though, since a Windows Server 2003 domain controller holds a full writable copy of the directory, including every password hash.

Our old buildings have one switch and then individual data runs to all floors. We plan to put a switch in at least two of the three floors in the new building, to keep the data runs shorter. This way, if they break, it will be less difficult to replace the wire run.

Finally, we plan to run gigabit fiber to the film/photo suite, so that those users have gigabit access to their storage server.

MyTob Hits

Posted by: rkassissieh
October 16, 2005

School was hit by the MyTob worm this week. We plugged the hole with tighter restrictions on SMTP traffic within our network, but the successful infection underscores a larger problem with networks on the whole. Schools and other institutions typically protect their networks with a firewall, antivirus software, and spam filters. This kind of worm gets past all three in the typical network, because it carries its own SMTP engine and it only takes one infected laptop carried onto campus to bypass these server-based, externally-focused defenses. In a mobile world, we need to focus more attention on protective measures for internal traffic. Unfortunately, this creates more work to implement these measures and deal with the restrictions on legitimate uses that will undoubtedly arise.
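The "internal traffic" measure described above can be made concrete from the logs a firewall or layer-3 switch already produces: a workstation that opens TCP/25 to many different hosts is behaving like a worm with its own SMTP engine, because ordinary clients only ever talk to the site's own mail server. The script below is an added example, not the school's tooling or any vendor's product. The log format (key=value fields per line) and every address are constructed: 10.1.1.5 plays the mail server, 10.1.4.22 the infected laptop and 10.1.5.31 a normal client, with external hosts drawn from the documentation ranges. It goes slightly beyond the post by running the same fan-out test on TCP/445 as well, since MyTob variants also spread by exploiting LSASS (MS04-011), which an SMTP restriction does nothing about, and it shows which of the logged connections the tightened SMTP policy would have dropped.

```python
"""Find internal hosts behaving like a mass-mailing worm in egress logs.

Added example, not the school's tooling. The log format and all addresses
are constructed: 10.1.1.5 plays the site's mail server (the only host that
should open TCP/25 to the outside), 10.1.4.22 the infected laptop, and
10.1.5.31 a normal client. External hosts use the 192.0.2.0/24 and
198.51.100.0/24 documentation ranges.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
2005-10-12T09:14:02 src=10.1.4.22 dst=10.1.1.5 proto=tcp dport=25
2005-10-12T09:14:03 src=10.1.4.22 dst=192.0.2.10 proto=tcp dport=25
2005-10-12T09:14:03 src=10.1.4.22 dst=192.0.2.44 proto=tcp dport=25
2005-10-12T09:14:04 src=10.1.4.22 dst=198.51.100.7 proto=tcp dport=25
2005-10-12T09:14:04 src=10.1.4.22 dst=198.51.100.200 proto=tcp dport=25
2005-10-12T09:14:05 src=10.1.4.22 dst=10.1.7.9 proto=tcp dport=445
2005-10-12T09:14:05 src=10.1.4.22 dst=10.1.7.10 proto=tcp dport=445
2005-10-12T09:14:06 src=10.1.1.5 dst=192.0.2.10 proto=tcp dport=25
2005-10-12T09:14:07 src=10.1.1.5 dst=192.0.2.44 proto=tcp dport=25
2005-10-12T09:14:08 src=10.1.1.5 dst=198.51.100.7 proto=tcp dport=25
2005-10-12T09:14:09 src=10.1.5.31 dst=10.1.1.5 proto=tcp dport=25
2005-10-12T09:14:10 src=10.1.5.31 dst=10.1.1.5 proto=tcp dport=25
2005-10-12T09:14:11 src=10.1.5.31 dst=192.0.2.80 proto=tcp dport=80
this line is malformed and is skipped by the parser
"""

MAIL_SERVERS = {"10.1.1.5"}  # assumed: the hosts allowed to relay mail out
LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)"
)


def parse_log(text):
    """Yield (src, dst, proto, dport) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dport"])


def destination_fanout(records, dport, exclude_src=(), exclude_dst=()):
    """Number of distinct destinations each source contacted on dport.

    Sources in exclude_src (legitimate senders) are skipped, and destinations
    in exclude_dst (our own mail server) are not counted, since every client
    is expected to talk to it.
    """
    fanout = defaultdict(set)
    for src, dst, proto, port in records:
        if proto != "tcp" or port != dport or src in exclude_src or dst in exclude_dst:
            continue
        fanout[src].add(dst)
    return {src: len(dsts) for src, dsts in fanout.items()}


def find_smtp_spreaders(text, mail_servers=MAIL_SERVERS, threshold=3):
    """Hosts other than the mail servers that opened TCP/25 to at least
    `threshold` distinct outside hosts: the signature of a worm with its
    own SMTP engine. Returns sorted (src, distinct_destinations) pairs."""
    fan = destination_fanout(parse_log(text), 25,
                             exclude_src=mail_servers, exclude_dst=mail_servers)
    return sorted((src, n) for src, n in fan.items() if n >= threshold)


def find_port_scanners(text, dport=445, threshold=2):
    """Same fan-out test on another port. MyTob variants also spread by
    exploiting LSASS over TCP/445 (MS04-011), which an SMTP rule never sees."""
    fan = destination_fanout(parse_log(text), dport)
    return sorted((src, n) for src, n in fan.items() if n >= threshold)


def egress_allowed(src, dst, dport, mail_servers=MAIL_SERVERS):
    """The tightened policy: TCP/25 is permitted only to or from a mail server.
    Everything else is unchanged, so it does not stop the 445 traffic above."""
    return dport != 25 or src in mail_servers or dst in mail_servers


def blocked_by_policy(text, mail_servers=MAIL_SERVERS):
    """(src, dst) of the logged connections the tightened policy would drop."""
    return [(s, d) for s, d, p, port in parse_log(text)
            if not egress_allowed(s, d, port, mail_servers)]


if __name__ == "__main__":
    print("SMTP spreaders:", find_smtp_spreaders(SAMPLE_LOG))
    print("445 scanners:  ", find_port_scanners(SAMPLE_LOG))
    print("would be blocked:", blocked_by_policy(SAMPLE_LOG))
```

The fan-out count is deliberately per distinct destination rather than per connection, so a client retrying one server does not trip the threshold while a laptop working through a harvested address list does. The same log should be watched after the SMTP restriction is in place: the blocked attempts are the quickest way to find the machines that still need cleaning, and the 445 fan-out is the reminder that a mail rule closes only one of the worm's doors.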

New Server Architecture

Posted by: rkassissieh
October 1, 2005

Since we are releasing a new server architecture in the middle of the school year, we do not have the usual luxury of lots of unstructured summer days to sit down and plan every last detail of the network in advance. Instead, we find little bits of time here and there to have short conversations with each other, document them in our shared online workspace, and reflect about the changes on our own. Thankfully, this strategy has proven very effective so far.

We had our first network design department meeting yesterday, and we were all well-versed in the issues on the table. We thought that we had figured out what network design we were going to select. To my surprise, we ended the meeting in a very different place from where we started.

Our current design was created by network consultants three and a half years ago. It called for a parent domain for administrators and a child domain for teachers and students. At the meeting, we came up with a new design: one parent domain and three child domains: one for admins, one for teachers, and one for students. This will streamline the exchange of information among different domains and create a new security barrier between student and teacher data. All of the user data will reside in the child domains, and shared services (mail, list, and web servers) will reside in the parent domain. One caveat to keep in mind: within a single Active Directory forest a child domain is an administrative boundary rather than a security boundary, since forest-level administrators in the parent (Enterprise Admins and Schema Admins) retain authority over every child domain, so the forest as a whole is the unit that has to be protected.

I am convinced that we would not have been able to move to a new network design had we not already had our individual conversations, personal reflections, and shared documentation. At the same time, we would not have been able to move to a new model without our hour and a half group meeting. We intend to continue to employ this design method for the other aspects of our network.