The rise of personal computer usage in the 1990s caught the University unprepared to cope with the demand for traditional "LAN" services (file storage services, network print services). As a result, many departments deployed their own LAN server solutions. When local systems administrators moved on to new positions, or departmental technology funds dried up, these departments found themselves reliant on rapidly aging, unreliable equipment.
To address the needs of these and other departments, ETS has provided free traditional LAN services to all UVM-affiliated faculty and staff departments since 1997. "Windows Services" represents the third iteration of these services. As network services have continued to grow and evolve, so have ours. "Windows Services" is a tightly-coupled suite of services which includes traditional file and print services, but now includes integrated desktop login, Windows operating system security management, software distribution services, pre-configured operating system distribution, web-based collaboration tools, and PKI certificate services.
The Windows Services Administrators pledge to provide highly-available services with an emphasis on system integrity and security, rapid support, and clear and consistent documentation.
A minimal set of security policies is pushed to every computer joined to the Active Directory domain. These policies are designed to protect the domain from common attacks. Use of any of the offered Windows Services implies consent to the application of these security policies. There will be no "opt-out" option for security policy application.
All Windows-based operating systems joined to the Active Directory domain are subjected to automated installation of operating system patches. Automated patch distribution is necessary to ensure the integrity of computers in the domain. Use of any of the offered Windows Services implies consent to the application of these patches. There will be no "opt-out" option for automated patch distribution.
A variety of software installation packages are offered through the LiteTouch deployment system, the general "software" and Campus Agreement "mca" file shares, and via extensions to the automated patch distribution system. By default, critical updates to third-party software will be pushed to all workstations in the domain. An "opt-out" option will be made available under special circumstances.
ETS maintains an Active Directory-integrated Certificate Server to satisfy the requirements of several Windows Services. Certificate Servers are used to provide encryption keys for secure web services, secure LDAP connections, IPsec channels, and VPN services. Users of Windows Services may leverage the central Certificate Servers for departmental servers and applications if desired.
ETS maintains several Windows OS deployment systems. ETS uses Windows "LiteTouch" for preparation of new computers purchased through the depot. However, individuals wishing to leverage ETS's investment in deployment systems for storage of their own system images may do so. Use of ETS's deployment servers is governed by the policies in section 8 of this document.
Access to a Windows SharePoint Services (formerly "SharePoint Team Services") web-site will be granted to all Windows Services users. Users will be able to create their own SharePoint team sites without intervention from a system administrator. All sites will be subject to automatic expiration and removal if left unused for over one year. Site owners will be notified via email prior to site deletion.
Individual SharePoint sites will be restricted to a 5-Gigabyte quota. If more storage space is required for your site, your quota may be extended at the discretion of the Windows Services Administrators.
All SharePoint databases are backed up on a nightly basis. Backup files are retained for 2-4 months before being purged from tape.
Windows Services are supported on the following computer operating systems:
Access to Windows Services from most Macintosh systems may require the use of Thursby ADmitMac or other third-party Active Directory integration software. Web-based access to Windows Services will work from any Macintosh OS X platform. Reliable support for AD/Macintosh integration is an ongoing project within ETS.
Windows Services can be accessed from Linux operating systems, but owing to the changing and diverse Linux desktop offerings, ETS cannot offer official support for these configurations at this time.
See section 6 of this document for information on supported network printing equipment.
ETS will provide file storage services to all University-affiliated Faculty and Staff members. File storage services are available in three formats:
ETS will provide access to files through multiple protocols. The primary access methods will be:
All files stored via Windows Services will be backed up nightly. Up to three months of file revisions will be available via the enterprise backup system. Additionally, twice-daily "snapshots" will be taken on all files. Snapshots will allow users to retrieve revised or deleted files from the storage system "volume snapshots" without requiring the intervention of a systems administrator.
Owing to the high cost of enterprise-class storage systems (and associated backup systems), storage quotas will be placed on the total amount of storage provided to individuals and to departments.
At present, individual file storage (combined Home directory and "My Documents" directories) may not exceed ten Gigabytes (10 Gb) in size. For users with a legitimate need for larger volumes of storage, a quota increase to twenty-five Gigabytes (25 Gb) can be requested.
Quotas on departmental shared directories will be negotiated at the time the department signs on for Windows Services. Total quota size for departments will depend upon:
Requests for expansion of departmental quotas always will be approved provided that the following criteria have been met:
Notification of quota over-run will be provided to users prior to terminating file-write privileges. Notifications are provided via University email, and are generated hourly.
ETS will integrate and support all approved print sharing devices and approved network ready printers. Printers must have a connection to the campus network. If one is not available currently, it may be ordered from ETS, Network Services at 656-8888. Please consult with ETS Client Services prior to the purchase of your network printer. Consultation is available through the contacts web page. ETS has extensive experience with a wide range of printer models, and easily can find one which will meet the needs of your department. If you purchase a printer that does not meet with our approval, we may not be able to support it for use on our network.
ETS will provide assistance with the networking configuration of your printer only. Assistance will not be provided with the physical installation of printing devices. Assistance will not be provided with the physical maintenance of printers (changing of toner, clearing of paper jams, etc.).
Because of the rapidly changing offerings of printer manufacturers, ETS cannot maintain a list of pre-approved network ready printers. However, ETS has been working with purchasing to ensure that all network-capable printers sold through University-approved purchasing contracts will be Windows-services compatible. Additionally, ETS expresses a strong preference for HP-brand workgroup and enterprise-class printers. The use of smaller Home/Home Office/Small Office printer models is discouraged strongly.
In order to maintain a more secure network environment, ETS reserves the right to distribute automatic software updates, computer security policies, and operating system patches. Use of any of the ETS-provided Windows Services implies consent to this policy.
Security policies will be distributed using a combination of Windows Group Policy settings and login scripts. Software package distribution may be accomplished through the use of Group Policy software distribution policies, Microsoft System Center Configuration Manager agents, and logon policies. Patch distribution will be accomplished using Microsoft's Windows Server Update Services (WSUS) in combination with Group Policy-enforced settings on the Windows Automatic Update agent which runs on every Microsoft Windows operating system.
Blocking of these central policies by local OU administrators is not permitted without written consent of the Active Directory Enterprise Administrators.
Distribution of custom security policies is possible by registering to become a Container Administrator.
ETS maintains several systems to facilitate deployment of Windows computers in the Active Directory environment. These services are the Microsoft Deployment "LiteTouch" system, and Windows Deployment Services (or "Windows DS"). These servers also are used by consultants in ETS Client Services in the restoration of damaged operating systems to their original state. All users of Windows Services may access these stock system images from any campus network-connected system. Support will NOT be provided for all models of systems in use on the campus network. Compatibility of Windows DS system images with any given computer system is NOT guaranteed. Re-installation using central ETS servers is likely to take over one hour (with LiteTouch), or over 30 minutes (with Windows DS).
Some departments may require specialized systems images. These departments will be allowed to store up to two system images for every model of computer currently offered by the Microcomputer Services Depot. Departments will be responsible for maintaining their own system images. The Windows Services Administrators reserve the right to remove old, obsolescent, or un-patched images from the central image store; however, every effort will be made to contact a responsible party in the affected department before taking this action.
Deployment of non-Microsoft operating systems is not supported at this time.
The UVM Windows Services are a loosely coupled suite of servers, application services, and consulting services. This section outlines the distribution of responsibility for these services, and the obligations of the responsible parties.
A group within ETS Client Services serves as the Windows Services Administrators. They install, configure, and maintain all services in the Windows Services suite, and provide integration of these services with the greater UVM Active Directory infrastructure. There is significant overlap between the Windows Services Administrators and the Active Directory Enterprise Administrators. Active Directory Enterprise Administrators maintain the directory which ties together all of the Windows Services. The ETS Technical Support Group maintains the "uvm.edu" Kerberos Authentication servers (the UVM NetID authentication service), and the UVM LDAP Directory which feeds account information to the Active Directory.
All general-usage problems with Windows Services should be reported to your departmental IT contact.
If your contact is not available, or the problem is of a pressing nature, contact the ETS Helpdesk. Your problem will be routed to an on-duty Windows Services Administrator.
For general discussion, this group can be contacted via e-mail.
The responsibilities of the Windows Services Administrators are:
Departments making use of Windows Services will perform the following duties: