UVM Active Directory and Windows Services
Frequently Asked Questions (FAQ)
Active Directory is the database of user accounts, groups, computers, and other resources that comprise a Windows Server based network environment. The user accounts in our Active Directory are created by and synchronized with the UVM NetIDs that provide access to email and other resources.
We currently provide server-based file storage for shared and personal files. We also provide shared network printing, integrated desktop login, and options for desktop management.
The Windows servers are in a secure data center, with generator back-up power, nightly back-up of data, ongoing monitoring, and staff charged with maintaining and administering them.
Additional services and applications take advantage of Active Directory, such as Citrix and Hyperion. More services may be offered in the future.
The services which comprise the Windows Services suite are available free-of-charge to all University-affiliated faculty and staff. However, departments will be required to provide their own equipment to utilize these services (e.g. printers, microcomputers).
Microsoft servers have taken their fair share of knocks from hackers over the years. This has led to the general impression that Microsoft servers cannot be secured against Internet attacks. In point of fact, no server (be it a Microsoft, Linux, Solaris, or mainframe system) can be considered secure unless it is properly maintained. The UVM Active Directory and Windows Services administrators strive to keep all of our servers up-to-date with security patches, and to follow security best practices to reduce the likelihood of a successful attack against our services.
Some of the precautions we take include:
- Placing our servers behind network firewalls. This greatly reduces the attackable surface of our systems.
- Use of Group Policy and other scripts to distribute advanced security settings to our servers.
- Use of only highly-secure, encrypted authentication mechanisms. No passwords or other credentials will be allowed to pass across the network in clear-text.
- Routine, scheduled application of operating system and application security patches.
- Exclusive use of operating systems and applications for which support is available from the supplying vendor.
In addition to security concerns, many people are under the impression that Windows systems are not stable enough to use as servers. This impression is largely historical. Releases of Windows operating systems since 2000 have had excellent stability. Our Windows 2000 and 2003 servers have had very few unscheduled service outages. However, no system is perfect, and unscheduled outages still can occur. We have taken additional steps to ensure the uptime and availability of our core services. These include:
- Deployment of redundant domain controllers and authentication servers. This ensures that login and policy processing will continue to be available, even in the event of failure of a single server.
- Deployment of servers in multiple locations. This ensures that the loss of a data server will not necessarily cripple all services in the UVM Active Directory/Windows Services suite.
- Use of Windows Server Clustering technology. Most of the Windows Services are operated on a failover cluster to prevent software or hardware faults from taking down services.
- Use of monitoring software to detect problems as they occur, or as they are arising.
We all know that mistakes happen... files get deleted accidentally, their contents get scrambled. Despite the best efforts of system administrators, servers can and do go down on occasion, and file storage arrays can fail. As detailed in the question above, we do take many measures to reduce the likelihood of a system failure. We recognize these truths and have developed a backup and recovery system to handle problems.
All servers are subjected to nightly backup using ETS's enterprise backup services. All file changes are preserved over a three month period. Any accidental file deletions or changes can be recovered within this timeframe.
Our NetApp storage system takes frequent "snapshots" of all files in the system. These snapshots represent point-in-time versions of your files. Users can easily access these snapshots to recover previous versions of deleted or damaged files. No intervention from ETS is required to restore your own files within the last two weeks!
We use Microsoft's ASR (Automated System Recovery) service to enable bare-metal recovery of our systems. In the event that a server is irreparably damaged or destroyed, we can initiate a full recovery of the lost system on new or repaired hardware without the traditional need to first perform a separate operating system installation. This reduces time to recovery for a failed system, and reduces the number of errors from system mis-configuration.
Fortunately, most accidental file deletion or file corruption problems do not require intervention from ETS Technical Support staff. If you are accessing your files from an Active Directory integrated Windows 2000 or Windows XP workstation, you can retrieve most of your files within a few seconds! (Note: These directions apply ONLY to files stored on the network. Files stored on your local computer (i.e., locations other than your Home directory, your My Documents directory, or your department's shared directory) are NOT backed up, and CANNOT be recovered!)
To retrieve a previous version of a damaged file, locate the file in your Windows Explorer, and right-click the file. Select "Properties" from the pop-up menu. Click the "Previous Versions" tab. You will see a list of available previous versions of your file. Click the version you want to recover, then click either "Copy" to make a separate copy of the recovered file in a location of your choice, or select "Restore" to overwrite the existing (damaged) version of the file.
To retrieve a deleted file, locate the folder in which the file was located in your Windows Explorer. Right-click the folder, then select "Properties" from the pop-up menu. Click the "Previous Versions" tab. You will see a list of available previous versions of the folder. Select a version of the folder dated prior to the file deletion event. Click "View" to see the contents of this folder from the selected date. Copy your deleted file from this view. The same procedure can be performed on deleted folders/directories.
While a single personal files directory might be less confusing, it would also be less functional. We provide different network storage locations for different purposes. Fortunately, you can get to both storage locations from a single network UNC: \\files.campus.ad.uvm.edu\<NetID> (where <NetID> is your personal UVM network identification). Inside this share, you will find both a "MyDocs" and a "winhome" directory. These are, respectively, the targets for your My Documents and Home directories.
Network storage of "My Documents" makes it easier for users to store their files on the network. Because the "My Documents" directory is the default target for the "Save" command in most applications, you need do no more than name your file to make sure that it is stored in a secure location that is subjected to nightly backups. Also, the "My Documents" directory is made available to you even when disconnected from the network! This is accomplished through the use of the "Offline Files" feature of Windows 2000 and XP. All files in the "My Documents" directory are synchronized to your local computer automatically. This allows for faster access to your files, and ensures that they remain available should you become disconnected from the network. Unfortunately, "My Documents" redirection is not available to all users, and is inappropriate for some file types.
Macintosh and Linux clients do not support "My Documents" redirection, and they do not support "Offline Files" synchronization. By contrast, the traditional Home directory (H: drive) is available from all supported operating system types, including Macintosh OS X. Some file types, such as MS Access and Lotus Approach database files, may experience errors if accessed from an offline state. For this reason, synchronization of these file types is prohibited by policy. The traditional Home directory is an ideal storage location for these file types.
Setting up a connection to your department's network printer is easy. There are two ways to do it:
- Go to Start->Control Panel->Printers and Faxes, then select "Add new printer". You will want to select the "connect to a network printer" option, then select the "Find a printer in the Directory" option. You can search for printers by location (e.g. "Waterman"), or by department (e.g. "CIT" or other department abbreviation). Select the printer to which you want to connect from the search results, then click "OK". The printer should now be available to all Windows applications.
- Go to Start->Run. In the "Open" text box, enter "\\printers". An explorer window will open with a list of all available print shares on our central print server. Just double-click the printer you want to access, and it will become available in your "Printers and Faxes" control panel (and henceforth accessible from all Windows applications).
Absolutely yes. ETS is committed to providing services to a variety of client computers.
Unfortunately, we cannot support ALL versions of the Macintosh OS. Currently, OS X version 10.4 or higher is required for access to Windows Services.
Presently we do not recommend binding Macintosh computers to the CAMPUS Active Directory domain, as the Active Directory client on the Macintosh has not been very stable during the OS update process. The Apple Home Sync feature also is not recommended for use with Windows file services, as it has been historically unreliable.
The Internet is a dangerous place for un-maintained computers. Many of the networking protocols still in use have documented vulnerabilities which have been deemed an unacceptable risk by the Active Directory Enterprise Administrators. In order to maintain the level of systems availability and security we promise to our clients, we cannot allow default security settings.
We realize that to some, this policy seems an unwelcome violation of their "academic freedoms". To that end, no one is required to participate in Windows Services; but use of our services implies consent to the enforcement of these policies.
The answer to this question is very similar to the one above. Un-patched computers are vulnerable to ongoing Internet attacks. If left un-patched, a computer can initiate attacks on other vulnerable systems, both inside of the campus network and on systems at other institutions. Tracking down compromised systems and cleaning them has consumed countless hours of our support technicians' time. We cannot allow these problems to continue without compromising the quality of our services.
Utilization of UVM Active Directory or Windows Services implies consent to this policy.
ETS provides several mechanisms through which you can stay informed about these services, so you never have to feel left out in the cold:
In some cases, departments may need to run their own servers. If you require a service which is not provided by ETS (e.g. specialized application server), you may need your own. In almost every other case, use of a departmental server incurs a needless expense on your department.
Why? Because servers are expensive. Do not be fooled by advertising. A server may cost only two to three thousand dollars, the associated licenses may be only a few hundred dollars, but this is just the beginning of the costs. Have you purchased a reliable backup system? Have you tested your backup system? Do you have a designated systems administrator? Do you have a disaster recovery plan? When all of the expenses have been totaled, running a departmental server can cost you over $10,000 per year! UVM's Active Directory and Windows Services are free to use. We take care of backup, maintenance, management, and support tasks, allowing you to focus on the business of your department.
Owing to the high cost of networked storage, we cannot provide infinite amounts of storage for everyone. We feel that the three Gigabytes of personal storage provided to our clients (applied against your Home directory (H: drive) and "My Documents" directory) should be adequate to meet the critical storage needs of over 99% of our clients.
Because the storage needs of departments vary greatly, we have no arbitrary or fixed quotas on departments' shared directories. No department should feel that they cannot use our services due to inadequate storage capacity. If your department has extremely large storage needs (greater than 100 Gigabytes), we can work out a deal for the purchase and management of more storage. While this arrangement may entail an ongoing (as replacement requires) chargeback to your department, it certainly will be less expensive than purchasing your own storage systems and associated support hardware.
We strive to provide support to a wide variety of operating system platforms. Unfortunately, security demands and support constraints have dictated that a large number of operating systems which previously were supported cannot be supported with these services.
Older operating systems such as Windows 95, 98, and NT 4.0, and Mac OS prior to 10.2 cannot perform Kerberos authentication to our services. Kerberos forms the backbone of our secure authentication services. Additionally, Apple and Microsoft have pulled support for several of these operating systems entirely. We do not have sufficient support resources at UVM to maintain these systems without the help of the original vendor.
University Training and Development offers courses in the use of newer operating systems and software. The CAP program provides assistance in the replacement of aging and obsolescent computer systems.
Older printers often will not interact with newer network printing architectures. It is outside of our abilities to control the behavior of printer vendors. Fortunately, many network printer vendors provide frequent firmware updates to ensure the ongoing compatibility of your printer with our network. Hewlett Packard excels in this area, which is why we are able to provide ongoing support for all but the lowest-end HP network printers and printing devices.
Some printer manufacturers do not design their network printers with a managed network printing environment in mind. Support of these "peer-to-peer" printers is very time consuming to our technicians. This compromises the quality of support we can provide to our other clients. While you are free to purchase these printers, we simply cannot provide support for them.
We encourage you to seek approval for your printer from the Windows Services Administrators prior to making a printer purchase. Doing so will save time in configuring the new printer, and will help to prevent costly returns and replacements.