The Groups container was accidentally deleted in the OID test database today and had to be re-created based on priv data in the Summit database.
Here are the steps we had to do to recover everything:
1. Recreate the Groups container.
Export the Groups container definition (as an LDIF command) from the OID production instance, and import it into OID test. You’ll need an LDAP browser tool to do this, like JXplorer.
2. Recreate all the AD groups.
Set the status of all the pugetsound domain groups in the privilege table to PA and run
privcmd.resolve_pending_privdef on each one.
3. Recreate the members in the AD groups.
Set the status of all AD person_privilege records to PA and run privcmd.resolve_pending_privs.
4. Recreate the portal group container.
Export the portal.070109.134036.113589000 container definition (as an LDIF command) from the OID production instance, and import it into OID test. You’ll need an LDAP browser tool to do this, like JXplorer.
5. Recreate all the portal groups.
Set the status of all the portal groups in the privilege table to PA and run
privcmd.resolve_pending_privdef on each one.
6. Recreate the members in the portal groups.
Set the status of all portal person_privilege records to PA and run privcmd.resolve_pending_privs.
7. Address any unusual configuration issues.
ViewsFlash groups have a special setup, the administrator group is a member of the creator group, so that has to be done manually.
Office 2007 Compatibility Files Installed on Campus Computers
In preparation for the Office 2007 deployment in late July, Microsoft Office Compatibility files will be installed on campus computers this evening. In addition, we will be performing system scans over the next few days to ensure PCs meet the minimum requirements for Office 2007.
No action is needed from the campus community and the files will be automatically applied upon rebooting after June 23, 2009. The reboot may take a minute or two as files are applied.
To install the Microsoft Office Compatibility Pack on your home computer, follow the links on our download page.
Visit our Web site for information on today’s preparation phase or the coming Office 2007 project.
[Complete] Pre-Production Patch Window 6/18/09 7am-9am
Only the following servers were patched due to limited staff availability:
- EXDEV
- FIDALGO
- GALAXY
- KETRON
- PORTAL
- VS0
During this month’s pre-production patch window the following servers will be patched from 7am-9am on Thursday 6/18/09:
- lummi
- pilchuck
- kickstart
- moodle2
- EXDEV
- FIDALGO
- GALAXY
- KETRON
- PORTAL
- VS0
\merlin2oiscommonnssgdocumentationpatchprocessjune2009june2009.docx
[Resolved] Spam Sent From The E-mail System 6/4/09
A spammer gained control of a user account today when the account owner responded to a phishing message. The spammer sent a large volume of spam. This was noted at 9:30 PM and the user account was locked. TS staff will be checking with several recipient sites such as HotMail and Yahoo to make sure that the college has not been placed on blacklists, but you may experience E-mail delivery problems because of this incident.
[resolved] Web forms was down this morning
Web forms was down this morning which included Cascade, Famis and Banner (a separate announcement has been posted to the Help Desk site for public viewing).
Patches were applied on the sanjuan server yesterday, and it wasn’t working after that. Paul fixed something in the configuration and bounced the server and now it’s working again.
[Resolved] Web Forms are Unavailable
[Update 6/1/2009 7:53 AM] Service has been restored.
Cascade, Banner and Famis web forms are experiencing errors. TS is working on this problem and will update with a resolution time when we know more.
5/31/09 Maintenance Details
See the post in the “Maintenance Windows” catagory for the public communication. This post is to expand on what servers were patched, and basic changes. All of the following patches were applied by noon.
The following windows servers were patched (Windows updates):
ALEXANDRIA
BE1
BE2
BE3
CLTACC1
CLTACC2
CMS
DHCP-1
DM-1 to DM-8
EPO
FE1
FE2
ILLIAD
INTCHK
KEEPER
MAURY2
MBS1
MBS2
MBS3
MEDIA
MERLIN2
PROJECTS
SANJUAN
VASHON
VERONICA
VIAWARP
VMMON
WEBSERVER1 (SP2 applied)
WEBSERVER2 (SP2 applied)
VMWare:
vmhost1
Linux (all available OS and Dell RAID FW/Drives as applicable):
orcas
tahoma
purgatory
styx
hades
gehenna
Additional changes on Sophos PMX servers:
Purgatory:
Turned Perc write cache on (write back), and changed linux readahead:
sudo blockdev –setra 8388608 /dev/sda
Rest:
policy on
adaptive read ahead
[Complete] Maintenance Window 5/31/09
[Update 5/31/2009 1:00 PM] All service has been restored, and this maintenance window is complete.
[Update 5/31/2009 12:15 PM] Many services have been restored, with the exception of Database Applications: Cascade, FAMIS, Millennium, and Banner. They are expected to be available by 4:00 PM as planned.
The next production maintenance window is Sunday, May 31, from 8:00 AM to 4:00 PM.
From 8:00 AM to Noon, all services may be intermittently or entirely unavailable, including:
- Personal and departmental file shares (on Alexandria and Merlin2)
- Database Applications: Cascade, FAMIS, Millennium, and Banner
Please note that Database Applications will continue to be unavailable until 4:00 PM.
[Resolved] Power Outage at Fieldhouse
[Update 5/29/2009 7:34 AM] Power, network and wireless service have all been restored.
The power was unexpectedly cut to the fieldhouse this morning at 6:00 AM. The campus network and wireless server are unavailable off-line until power is restored.
ViaWarp Antivirus Upgrade
Upgraded “Norton Symantec Virus” on server Viawarp to “McAfee VirusScan Enterprise.”
Directory Server (OID-AD sync) debug logging set on
We set the debug level back to 63 to troubleshoot the password sync errors due to AD password policy problem. Here are the commands, executed as oracle on whidbey:
oidctl connect=AS1012P server=odisrv instance=1 configset=1 flags=”port=3636 sslauth=2″ stop
oidctl connect=AS1012P server=odisrv instance=1 configset=1 flags=”port=3636 sslauth=2 debug=63″ start
Active Directory password policy was temporarily too restrictive
The Active Directory password policy was inadvertently set to reject passwords that did not contain any special (non-alphanumeric) character, such as *#$% etc.
The problem began about 3/21/2009 and was corrected at 3:15pm on 3/26/2009. During this period, anyone changing a password using Windows was instructed to include a special character.
Passwords changed using Cascade Web during this period were not synchronized to Active Directory, so the new password did not work for Webmail, Windows, etc. This can now be corrected by changing either the AD or OID password.
The problem was corrected by deselecting the special character requirement in the AD password policy.
Here is an example of the error in the ActiveExportUsers_Groups.trc log:
Error in executing mapping DIP_LDAPWRITER_ERROR_MODIFY
javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0
]
[resolved] Pre-Production Patch Window 5/21 – 7:00 to 9:00am
The following non production systems were patched today:
pilchuck (OS, RAID firmware, powerpath)
fidalgo
lummi
vmhost2
kickstart
moodle2
sage
webdev
All patches progressed as expected and no lingering issues are expected. Please see the following share for more information:
\merlin2oiscommonNSSGDocumentationPatchProcess
[Resolved] Webmail briefly unavailable 5/20/2009
Webmail was unavailable for about 15 minutes at 8:30 PM tonight. Technology Services staff was notified and has resolved the problem.
New Impulse Point NAC server implementation
The new Impulse Point NAC server had been implemented for the residential network. It will check machines for virus software, windows updates and shared music and movie files. It will ask to have a profile key installed on the machine for identification, but will be transparent unless a machine is non-compliant.