Monday, June 11, 2012

Fun with Certificates

Fun with certificates. Wow. Certificates in an enterprise are a delicate item to undertake, even just end-point certificates such as users, workstations and SCEP/NDES devices. I finally issued my first certificate to an iPad as a -computer- account following a lot of the blogs on the internet. Now it is time to see if that cert can be used for device authentication on our new wireless overlay. Yeah, we could do generic accounts on the device which is the fall back plan. We've found anything we have to rely on the end point user tends to require a certain amount of support costs. I'll fully document everything this weekend if it works and we are to deploy a successful test (10-100 units). 1 is easy. 10 is work. 100 needs automation. Have to get it relatively automated if possible. No comment on the lack of documentation except on Microsoft oriented sites. To those who have created the content, I thank you! My basic sites I visited and followed.

Notice the lack of Apple content. There is a reason! Bad Apple! You will need to download the iPhone Configuration Utility too. The issue I had is with the X.500 name. There are hints and direction, but people are stingy on this one. My entry looked like

O=mycompany.com, CN=iPad123456

O is our domain listed in the certificate signing piece. If your CA signs certs for devices in mycompany.com, then put O=mycompany.com.
CN is the device's name you gave it. We use our asset tag system. This doesn't have to match much along the way. Until I fixed those I was getting 0x800094001. The other flavor, "the request subject name is invalid or too long", is addressed by the authors above.
The O should be capitalized. So should the CN. Including a comma and space might be necessary. Haven't chased the rabbit that far down the hole yet.
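The subject-name rules above, as an added example that is not part of the original post: a checker for the `O=..., CN=...` string that rejects lower-case attribute types and over-long values, then emits the nested `Subject` array that Apple's SCEP configuration-profile payload uses. The enrollment URL and payload identifier are placeholders, the length limits are the X.520 upper bounds, and the NDES challenge is deliberately left out.

```python
import plistlib
import uuid

# X.520 upper bounds (characters) for the attribute types handled here.
MAX_LEN = {"C": 2, "ST": 128, "L": 128, "O": 64, "OU": 64, "CN": 64}


def parse_subject(subject):
    """Parse 'O=mycompany.com, CN=iPad123456' into [(type, value), ...].

    Raises ValueError for lower-case attribute types, empty values and
    values that are too long. Escaped commas are not handled here.
    """
    if "\\" in subject:
        raise ValueError("escaped characters are not supported in this example")
    rdns = []
    for part in subject.split(","):
        attr, sep, value = part.strip().partition("=")
        attr, value = attr.strip(), value.strip()
        if not sep or not attr or not value:
            raise ValueError(f"malformed component: {part.strip()!r}")
        if attr not in MAX_LEN:
            if attr.upper() in MAX_LEN:
                raise ValueError(f"attribute type {attr!r} must be upper-case")
            raise ValueError(f"unsupported attribute type: {attr!r}")
        if len(value) > MAX_LEN[attr]:
            raise ValueError(f"{attr} value exceeds {MAX_LEN[attr]} characters")
        rdns.append((attr, value))
    return rdns


def normalize(rdns):
    """Render the name with the comma-and-space separator used in the post."""
    return ", ".join(f"{attr}={value}" for attr, value in rdns)


def to_scep_subject(rdns):
    """Build the payload form: an array of RDNs, each an array of [type, value]."""
    return [[[attr, value]] for attr, value in rdns]


def build_profile(subject, scep_url, identifier="invalid.example.enroll"):
    """Return a .mobileconfig (XML plist bytes) holding one SCEP payload."""
    rdns = parse_subject(subject)
    scep = {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".scep",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "SCEP (" + rdns[-1][1] + ")",
        "PayloadContent": {
            "URL": scep_url,                  # placeholder, not from the post
            "Subject": to_scep_subject(rdns),
            "Key Type": "RSA",
            "Keysize": 2048,
            "Key Usage": 5,                   # 1 = signing, 4 = encryption
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Device certificate enrollment",
        "PayloadContent": [scep],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    # Constructed input: the subject from the post and a placeholder URL.
    xml = build_profile("O=mycompany.com, CN=iPad123456",
                        "https://ndes.example.invalid/certsrv/mscep/mscep.dll")
    print(xml.decode())
```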

Onto the next fun part. Cisco ISE. Oh boy! 1.1 release software is fun.

Friday, June 8, 2012

Quick update

We've been busy! The summer projects are about to start. We ran school late this year. Short list of items:

  • When deploying workstation certificates, check which servers can issue the certificates. Things you learn along the way.
  • Having new team members is fun. New blood. New perspective. New questions. Nice thing to have. 
  • Having issues with WhatsUp Gold "crashing". Trying to have it read some WMI from Windows servers and it just stops scanning. Everything. Not good.
  • Good is the VM discovery features in WhatsUp. Check that discover VM environment!
  • Updating, verifying, 3500 edge switches is a pain in the ... well, it's a pain. Once verified, WhatsConfigured will take over and rule. Voice config and security and a few other configs to update.
  • Emergency construction is fun. And smelly. Broken water lines, of all flavors! Have to move our equipment (workstations, network stuff, others) out of the way. 
  • Every 3rd party application wants to do upgrades this week such as our bus route software, special ed *2, energy management, food service, and a couple of others. Not a bad thing, but they asked -- Yesterday. Saying no isn't a real option. At least most of these the vendors will webex/remote-in and do the upgrade. So Veeam snapshot before starting in case they -aw !@#$- it. 
  • Google Calendar is awesome. Sharing a calendar with vendors/resellers regarding schedules at schools is beneficial. Having to train them how to sign up and use it, but all in all it is good. Better than having to continually export an ics from Exchange.

That has been the last week. And my people are busier than me. It's good to have a team to run $1M mostly on their own.

Friday, June 1, 2012

Nothing Technical

The only downside to summer planning is all that happens is meetings. And once those are done, you have to schedule more meetings. Nature of the beast. The kids are going. The teachers are going. The buildings are about to empty. Facilities, Construction, Training, Summer School, Technology all want a chance at the empty buildings to do tasks, whether it be painting, waxing, moving AC units, continuing ed credits, credit recovery, and whatever we are supposed to do (phones, wireless, iPads, Nooks, etc). Time to get on the same page to start. We all know best laid plans, etc, but at least if you start on the same page you can adjust. Here's hoping we get to the same page. That's why the lack of technical fun recently. And I'm tired of getting errors with iPads trying to register as a device with NDES/SCEP. grrr. Need those 4-6 hours uninterrupted to turn up the debugging to really see what the errors are.

Wednesday, May 30, 2012

Coordination

Woo! Summer is almost here! Welcome to the beginning of an organized train wreck called summer project time. Well, not quite a train wreck, but does it ever feel like it. Trying to cram all work that was put off during the year cause it was too intrusive, too expensive, too time intensive into 8-10 weeks. I think we need a bigger shoe horn sometimes. Here are the few items we are trying to coordinate.


  1. Construction at 6 sites
  2. Summer School
  3. Summer Cleaning/Waxing Schedule
  4. Summer painting schedules
  5. Technology projects
  6. Start of new school year stuff
  7. Vacations
  8. Politics

Ok. It is only 7 items. Each has anywhere between 2-20 sub-items beneath it. For example, who cares about summer cleaning, right? Well, everyone in the district does. The floors gotta -shine- the first day those kids come back. First impressions matter. And a shine with my big ol' hoof print in it isn't going to win me any points. So we have to schedule around that process which takes about 5 days per school with 4 schools going at a time.

I'll even break out item 5, cause, well, that's what I do for a living.

  • 5a -- deploy new phones to 40 sites!
    • Pick up old phones
      • What do we do with the wall where the old phone was mounted? Yikes!
    • deploy new phones
      • verify extensions
      • verify e911
    • configure a fax solution now that we are all IP
  • 5b -- deploy 1000 access points to 40 sites!
    • Verify student, staff, and guest ssid's work right
    • install about 100 switches to light up said APs
  • 5c -- implement new email policy
  • 5d -- deploy out 300 ipads
  • 5e -- deploy out 300 nooks
  • 5f -- deploy out 1200 new workstations/laptops
  • 5g -- Upgrade internet pipe to larger size
  • 5h -- implement new content filter

I'm sure if I polled my group, they'd add 2 or 3 more each.

Anyhow that's what we do during the summer. Working with the other departments is fun. Teamwork matters. 

Wednesday, May 16, 2012

Microsoft CA's & DNS entries

Important lesson on implementing Microsoft CA and autoenroll. Make sure your primary DNS suffix and such is set to your CA's domain. We had broken out our workstations to be registered in their campus locations for DNS such as workstationa.mydomain.org. Yeah, not so good when you set up auto enroll on your CA. After following guides from http://www.kurtdillard.com/StudyGuides/70-640/6.html and http://security-24-7.com/windows-2008-r2-certification-authority-installation-guide/, I got a sub CA with hidden root running. Lesson learned for future designs of networks. Always, Always, Always buy enterprise server licenses for your CA. Anyhow the registration error entries on both the CA and client would give a DNS entry not found error (sorry, not RDP'd in to pull the exact language). We've since modified our GPO to have the primary DNS suffix be only mydomain.org. Auto-enroll is working great now.

Next up is how to get an iPad with a workstation cert. Following a few of the guides. Will let you know.

Intermittent

Wanted to say these are the worst problems to troubleshoot. Especially when they are happening to your own equipment. AIGH! Probably should reboot the workstation and not blame the network. Always always step one (after whining and bitching). Reboot.

Friday, May 11, 2012

Writing Tech Cabling Needs for Architects and Installers

When building or updating a new school, it can appear to be a daunting task to write out a data cable plan design especially for infrastructure to give to the architect. However, one of my professors a long time ago told me something very important. Make it into smaller problems. 

Our process starts thinking what type of rooms are in a school? Classrooms, Offices, Libraries, Science Labs, Computer labs, Cafeterias, Gyms, Hallways, and maybe a few others. 

Let's break one of those down. What's in a classroom? A teacher's computer station, a projector of some sort, maybe a few student stations, and perhaps kids with student devices (iPads, Nooks, Kindles, etc). What connectivity is needed at a teacher computer station? A data drop, a phone drop (likely a data), an interface to the projector, power outlet, and maybe something else? So that makes 2 data drops, an AV plug, and power for a teacher computer location. Maybe we want to define the AV plug a bit more. Most projectors have 2 SVGAs, HDMI, mini audio, and S-Video, RCA crap. Well, we get lots of tech support calls on S-Video and RCA so we don't install them. No reason to create a headache in the future for both groups. If you give people a spot to plug in a cable, they will. Simple but important lesson. The cables will need to be run to the projector so that fact will need to be notated (btw, there are some cool solutions that will fit in a 3/4" to 1" conduit for this).

Now onto the projector. Let's call this the ceiling since more things will be up here. You have the projector which will need power and the matching AV from the teacher location. If there are lots of wireless devices, maybe a network drop. Most rooms have speakers too. Some are getting cameras. We do all these over IP in our house. Let's count. 1 data for the projector for management, 1 for wireless, 1 for speaker, and 1 for camera/future. 4 data in the ceiling plus an AV box and don't forget power for the projector. Using a custom ceiling tile here works well. Other things the designers will want to know is the throw of the projector so learn to dig up cut-sheets.

Next student drops. Data and power, just how many. We do 2 or 4 depending on the age. We are dropping to two since all devices now are wireless. No reason to put data on the wall not to be used.

It looks like we've just defined a classroom? A teacher station location, an AV/ceiling location, and student data locations. Other notes to add for the designers, projectors do not like hot air. Do not place a vent in front of the projector. It works great...until the first cold day. You'll find you can reuse a lot of your definitions as you go. Our spec to hand to architects and designers is about 8-10 pages. We add stuff for IDFs, MDFs, etc. We even cover service loops, support structure and other items. It ends up taking about 1-2 days to write it out with another to clean it up.

And thanks again to my professor who taught me to solve a bunch of small problems.

Thursday, May 10, 2012

All in a day

I like days like today. Mostly. Except for the crazy stuff. I think they are called people. And not my own. I like my people's version of crazy. Anyhow...today's quick recap

The VMware, S.I.S. issue.
Followed by the Veeam issue since it was still running after 8 hrs and had a snapshot. Not good. Tried to cancel the job. Stuck. Rebooted the server. Cleared the job. Cleared the snapshot. Notified Friday will be a full backup with new start point due to the disk size increases etc.
Construction site visit. Fun!
Fiber locate for an orchard at a school. Yeah, really. Find outside plant fiber pathway to make sure the orchard would not be on top of it. Good news, it wasn't.
Figure out why our KACE box is crashing every day at 2AM. Found some things. Have a case open KACE case. Pizza pizza. Anyhow, more to come. Our FTP backup was running at 2am. Maybe conflicting with the zipping of the databases? Backed our FTP backup to 4am. Straws, grasping, I know.
And I hate PKI & certificates. Actually, I hate trying to -fix- PKI and certificates. Going behind 3 years of issues isn't fun. Trying to document and track something that wasn't done by you or your team is a chore. Especially when it's not your specialty. But the intertubes being great and all, have wonderful articles on how to implement MS certificates. The lesson learned was, buy MS server enterprise (or better) for PKI in an MS environment. They almost shouldn't put it in standard since it has limited functionality. If you are going to do anything cert based and have MS, don't use standard.
And board meeting...

Vmware and unable to expand a disk

I have this rule about losing a technical person. In about a month, some service that person knew the most about will have an issue. And like clockwork, it happens. So, our student info system decided to grow to its full capacity on the disk and max out the VMware disk. No problem, expand the LUN, scan for changes, have VMware expand its disk. Ah, not so much. VMware could see the change in size, but couldn't expand. After spending time on the phone with support, going directly into the VMware host, not the management piece, we could expand the disk in VMware. Then we were able to go into Windows etc and do that virtual host piece. Lesson learned and notated.

Construction

Ok, it is always fun visiting construction sites. Watching a building go up or a renovation is impressive. We have a project right in the drywall stage, so right before cabling is installed in the walls. Our data junction boxes & conduits are set by the electrical contractor so that's not our scope. Making sure they put them in the right places and they'll work is! We've tried consultants and 3rd parties, but getting them onsite and on the contractor's butt has been difficult. Even the very good installers will take short cuts, miss something and sometimes just plain screw up. One, make sure you had a good RFP. Two, catch issues early or even as they are happening, most of the installers will fix it and not gripe too much. The other reason we like doing our own RFPs and cabling is cause we learn a lot from both the GC and the installers....and my thoughts trail off to another subject. We'll come back to this

Thursday, May 3, 2012

KACE Devices with multiple NICS

Here is a script we use to find both NICs' MAC addresses within KACE. Using the default scripts from KACE only selects on the Machine table. We used this to find our laptops & both NICs. Again, not a SQL person by any stretch. Probably could be cleaner etc.


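-- One row per laptop: the primary MAC from MACHINE plus one other MAC/NIC from MACHINE_NICS.
SELECT DISTINCT NAME, BIOS_SERIAL_NUMBER, OS_NAME, CS_MODEL, CHASSIS_TYPE, MACHINE.MAC as MAC1,
  -- NIC name that owns the primary MAC
  (SELECT NIC
  FROM ORG1.MACHINE_NICS
  WHERE ((ORG1.MACHINE_NICS.ID=ORG1.MACHINE.ID) AND (MAC1 = MAC)) LIMIT 1 ) as NIC1,
  -- first MAC on the same machine that is not the primary one
  (SELECT MAC
  FROM ORG1.MACHINE_NICS
  WHERE ((ORG1.MACHINE_NICS.ID=ORG1.MACHINE.ID) AND (MAC1 != MAC)) LIMIT 1 ) as MAC2,
  -- NIC name for that second MAC
  (SELECT NIC
  FROM ORG1.MACHINE_NICS
  WHERE ((ORG1.MACHINE_NICS.ID=ORG1.MACHINE.ID) AND (MAC1 != MAC)) LIMIT 1 ) as NIC2
FROM `ORG1`.`MACHINE`
-- the join repeats each machine once per NIC; DISTINCT collapses the repeats
JOIN `ORG1`.`MACHINE_NICS`
ON ORG1.MACHINE.ID=ORG1.MACHINE_NICS.ID
WHERE ORG1.MACHINE.CHASSIS_TYPE='laptop'
ORDER BY NAME, NIC1;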


Thursday, April 26, 2012

Weird Days

Days where 90% of the job is awesome, but the 10% does it in and tanks it are no fun. That was one of those. Just when you have a handle on what you can do and will do as a team, poof, it changes. I know it happens, but this was far beyond the ordinary. I'll do the fun parts.

Phone calls with your vendors, resellers, and others that are actually fun, useful and on target. Had a conference call with our implementor, wireless hardware provider and us. Our implementation team from our reseller stepped up and spoke up on our behalf. The hardware vendor themselves worked to help resolve our issue. Those are good calls. Even with 7 people on a con-call with no true "organizer". 5 tech people with 2 sales creatures on the same call are interesting. I genuinely like our implementation person. Smart, sharp, savvy, and in my corner. Good cloning material.

Before that I found out my zoning was 23/24 correct. Freaking misclicks. Easily corrected and non-production storage. Anyhow. Created the servers onto the ISE so I could provision storage. Next step to do, create adequate storage and offload busier arrays onto these units. However, adding the array to our management system...what's this yellow hardware error (and my previous storage person took another job 3 weeks ago). Ah, crap. Support call. We've had it happen before. And my boss wondered why I built in redundancy at every layer possible, hardware, software, cabling. CCR will save the day when we have to go offline on the array with error for the rebuild. About the only issue our users will see....is none unless they happen to be doing something in that 1-4 minutes we failover the CCR on Sunday morning.

During the lunch hour we got to play host to our eRate company. It was informational for them so one of their new people could put the terms to the physical items. Either they were polite or I was informative. 90 minutes of me doing a data center tour. I'm going with the former.

Anyhow, those were the fun parts.



Wednesday, April 25, 2012

KACE & Skyward - Part 2

I really did more research into this project. Kinda hit a sticking point. So our Skyward system sends email to a Reforma printer spooler (by Fabsoft) that puts data in certain locations ..into a pdf which is emailed. Well, crap. As stated before KACE wants emails with
@'fieldname' blah blah blah.
I can direct the email to our system based on key fields in the print stream. That's not a problem. I'm stuck on how to elegantly get the data from the print stream (or pdf) into a formatted email.
That's where I'm stuck, but it's moved down on the priority list. From my poking around in Reforma and other products I can pull field locations from pdfs and put them into a flat file or similar. That file or document can then be sent as contents of an email. As I told my boss...good programmer, 2 weeks to 2 months depending on how good we want it. Damn. Filed under the list of doable, but no time.

Following on this. I learned WhatsUp Gold lets us format the emails however we want. Yep. It can create the work order automagically into KACE. Just have to create the rules to send email to the KACE SMTP listener when an event or status changes to something bad. Can even set status as open or closed, but that can be a headache. Having the system open a work order and close it without human interaction shouldn't count. Such as...custodial staff unplugs device from wall for vacuum. Work order create! Custodial plugs device back in! Close work order. (I should add the assignment to me so I get the credit right? :) The hard part on this is writing the policy and rules so we get work orders for what is "real" for our environment. Having 1000 switches our users can touch makes this a challenge. A layer 8-12 (your environment, politics, religion, money!) decision.

Interviewing people

I've always found this an interesting process. Meeting people. Trying to judge them both technically and personally in 60 minutes is a challenge. A few notes from the interviewer side of the table.

1) Please don't put down something on your resume as a talent or skill if you've never really done it. Especially if it is in the job descriptions or requirement. Wow. If you have familiarity with administering Exchange, be prepped for some decent questions or quickly define what you've done! What have you done? What are the server types? Ever done clustering? How about policy rules? What have you done in PowerShell? Those are the starter questions. I'm going to try to gauge your depth of knowledge. The thought process is, do you have enough basic knowledge to start. Ok, how much do I have to train you on our products. What skillset do you bring that I don't have on my team. <--extra bonus points for you here.

2) Be ready to tell about your successes on a recent job or project. Why was it a success? To the company? To you?

3) Be ready to tell about where you either failed, or did not do your best and what you learned. Seriously. We are all in tech. If you administer, design, maintain, or implement large systems it's likely you've had a few learning moments. An example: I've had my contractors send a directional bore for a fiber run through a geo-thermal system on the coldest day of the year knocking out the heat. Not good. Lesson I learned was to gather exact details! The info I had wasn't precise about -which- northside parking lot had geos under them. I also learned that geos go up and down between 36-48" and our bores at 48". Last, I got the best pick me up that day from our construction sup..."if your 20k issue is the biggest we encounter in this project, I'll be ecstatic"

4) I'd say be ready for an oddball question or two, but prepping for that is hard. Just be prepared for an awkward, weird, unusual question. It's to put you on your toes. Catch your reaction.

5) Have questions for us. Anything. Ask about the work environment? How often are weekends? How often unscheduled weekends? Do you like working here? What do you do to assist with family life such as work from home or comp time, etc? Does your office do anything to keep it fun and friendly? Remember, you want to find out if you want to work for us too!

Construction Meetings

These are fun. Seriously. Where else do you get to listen to the architect talk how the color of the walls and carpet will affect "x". Followed by how this type of toilet flusher thingie won't work cause kids beat the bejesus out of stuff causing it to break or flood? Or as you are working on your iPad hear that they are swapping out all AC units at a campus this summer. That causes a pucker factor. Hey, wait. No AC. What about our MDFs? IDFs? So, these new units, they go...on the roof. Awesome. So, are you doing anything about ceiling. Oh, just removing the entire grid. All my APs are going to go offline. And cameras. And speaker. Crap. When do you expect to finish. Oh the Friday before all staff returns. Uh, Houston, we have a problem. No security and paging will cause some uh, issues and not just for my staff. Then we have to work to coordinate teams to get this stuff done. Take down, put back up. I actually like listening to a couple of the guys from the construction company cause how well they can do logistics in their heads. Quite impressive talent to behold. And a plan and schedule is born.

Then back to work. The most favorite word uttered during any meeting is..asbestos. The fact I know the general idea of the law in the state is...sad? 10 days to post notice. No access during the removal. Anything left in the area is gone once the abatement starts. Then pray they don't find anything else. 10 days doesn't seem like much, until you factor in summer is effectively 10-12 weeks long. Plus the abatement time. Losing 2-4 weeks out of that is a huge hit.

That was the highlight of the day.

Technology Companies Failing to Embrace New Technologies

After having, let's call them discussions, with some of our vendors, I've started to wonder why some "technology companies" fail to embrace new technologies and methodologies. For example, one of our vendors is -requiring- us to have them fly a goober (technical dork) to our site to install the new version of their program on a new server which is on a virtual machine. So, they are requiring the person to be here, take up space in order to remote into a console onto a server that they could have access to remotely. To click next a bunch of times. And watch the VM restart really fast. Example 2, another vendor does not support backup tools on a VM machine. That's right. No Veeam or third party product. Only VMware's backup utility. So, since we are a school district, I see a script coming up to avoid this issue. Followed by the lecture from the vendor, that's not best practice and yeah, I'm not made out of money.

We are in technology damn it! Move forward. If someone questions your reason for doing something (especially as a company) and the best you got is, 'it's the way we've always done it', you need to re-examine your practices. We do it all the time. If we get called on that statement, and you have a possibly better idea, flesh it out, explain it, show me.

Tuesday, April 24, 2012

Explaining New Services Impact to Non-Tech Peers


Trying to explain to peers when they want to implement a new service how it affects us. Yeah, our processes are lacking so bear with me. The conversation typically goes,
My Peer: The vendor said we can turn on x feature and let all these people register, login and do all sorts of cool stuff. It's all web based and doesn't require anything from your group. It even integrates with LDAP and you have to do nothing. Plus everyone else is doing it.

Me: red flags. Vendor said...vendors will say anything for a sale. And everyone else is doing it? Seriously? In a K-12 environment using that argument. Wow. Just wow. Yellow flags: Logins = username and password issues, who are our customers going to call? Who is going to fix the logins? When do the customers login?
(There are good answers to these questions, but I'm not sharing). Next, please god, tell me they use SSL and some decent security standards on passwords. LDAP. Ah, share my directory environment across the internet. Yeah, that's a bit scary. (Non-verbal, yes, I know I can limit access to IP, require a certain username and password {preferably something that looks like the cat stepped on the keyboard}, scope the LDAP searches and a bunch of other things, but my group has to do this). Last, who and when do you want to do this? I have to dedicate a resource to contact the vendor, contact the vendor's tech people to ask questions (and yes those are 2 separate steps. We usually have to call the product AM. Then be polite to get the tech people so we can ask nuts and bolts questions).

The part that is hard is hiding your cards so to speak. Sometimes, it really is a good idea and product, but the questions need to be asked and answered. Trying to balance the questions so I don't look like I'm out and out saying no, but getting them to understand vendors, uh oh hell, let's be blunt, LIE, and it will have some impact on us anytime a new service is turned on cause something will break and all technology items go through my help desk to start. Whether we "fix" the problem or route the call appropriately is something to discuss.


Frayed at the edges

Ah, people and processes and other things that go crazy during the day. I love my group. I love our version of crazy, our version of insanity within our little sanctum, but wow some days are trying. Not on me necessarily, but on my folks. It's spring. The reality of crazy season is hitting everyone within my group. Millions of dollars in equipment coming in and having to be deployed during the next 4 months. (May, June, July, Aug if I counted right). Edges are fraying. So it's manager time. And no, I have no delusions of being superman. Like I said, it is my weakest suit and requires the most attention. That's what kept me busy today. No more sharing on that cause personnel are personal. And probably most of tomorrow. Ok. one thing...


Monday, April 23, 2012

Day in the life

Fun day...Let's recap! Sad when you google for your own blog for documentation.

Interview for application support specialist. I love acronyms! What an A.S.S.! we wanted Imaging and App Support Specialist from Im an ASS as the title. No go. Damn. 

Zoned out 2 new storage arrays for access by 6 servers on a Cisco MDS 9509. Lovely. In the GUI. Taking notes so I can train someone else on how to do it. Usually, I just console in and paste a script with the pieces and parts. Give each device an alias. Make sure you have a convention since most of the HBAs are duals. We do server name P0 and P1 for servers. The storage arrays have lots more ports and controllers. We use XIO so the "friendly" names look like Xio2MRC1P1 and Xio2MRC2P5. MRC has ports 1-4, MRC has ports 5-8. We only patch port 1&5 for now. Create the zone. Add the zones to the zoneset, activate. Wait for the zoneset to update. Listen for screaming. Nothing, good. Scan for hosts on the arrays. Done! Well, not really, but done enough for now.

Install Cisco ISE on 3 VMs from item 2. ISE on ISE. Yeah. Now talk to your group about it. I've gotta work on the ISE. What? The arrays are down? What? The policy engines are messed up? Confusing! And I love Cisco, but they need to kick whoever is keeping them from officially supporting VMware 5.x on their applications. Unreal.

Provide documentation to a reseller/implementer for wireless IP schemes. Spreadsheets. Eye bleed. Making sure you have enough IPs to scale from 150 to 4000 nodes at a campus is fun. Do you break it up? What if they require layer 3 mobility. Not like users walk-around or anything. Do you anchor? Do you do something else. Choices! This oughta make tomorrow a good conversation with the reseller.
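The alias, zone, zoneset, activate sequence described above, as an added example that is not the author's own paste script: a generator that checks the naming convention and pWWNs, then emits MDS CLI lines with one zone per server HBA port holding only the array ports that port may reach. The pWWNs, VSAN number, server name and zoneset name are constructed for illustration.

```python
import re

PWWN_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$")
# Convention enforced by this example: letter first, then letters, digits, underscore.
ALIAS_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,63}$")

# Constructed sample data: one dual-HBA server (P0/P1) and two array ports.
SERVERS = {"SIS01P0": "21:00:00:24:FF:00:00:01",
           "SIS01P1": "21:00:00:24:FF:00:00:02"}
TARGETS = {"Xio2MRC1P1": "20:00:00:1F:93:00:00:01",
           "Xio2MRC2P5": "20:00:00:1F:93:00:00:05"}
# Which array ports each server port is allowed to see.
ACCESS = {"SIS01P0": ["Xio2MRC1P1"], "SIS01P1": ["Xio2MRC2P5"]}


def check_devices(devices):
    """Validate {alias: pwwn}; return it with pWWNs lower-cased."""
    seen, out = {}, {}
    for alias, pwwn in devices.items():
        pwwn = pwwn.lower()
        if not ALIAS_RE.match(alias):
            raise ValueError(f"alias {alias!r} breaks the naming convention")
        if not PWWN_RE.match(pwwn):
            raise ValueError(f"{alias}: {pwwn!r} is not a pWWN")
        if pwwn in seen:
            raise ValueError(f"{alias} and {seen[pwwn]} share pWWN {pwwn}")
        seen[pwwn] = alias
        out[alias] = pwwn
    return out


def build_zoning(vsan, zoneset, servers, targets, access):
    """Return the CLI lines: aliases, single-initiator zones, zoneset, activation."""
    servers, targets = check_devices(servers), check_devices(targets)
    if set(servers.values()) & set(targets.values()):
        raise ValueError("a pWWN is listed as both server and array port")
    lines = ["device-alias database"]
    for alias, pwwn in sorted({**servers, **targets}.items()):
        lines.append(f"  device-alias name {alias} pwwn {pwwn}")
    lines.append("device-alias commit")
    zones = []
    for initiator in sorted(access):
        if initiator not in servers:
            raise ValueError(f"{initiator} is not a known server port")
        if not access[initiator]:
            raise ValueError(f"{initiator} has no array ports assigned")
        zone = f"Z_{initiator}"
        lines.append(f"zone name {zone} vsan {vsan}")
        lines.append(f"  member device-alias {initiator}")
        for target in access[initiator]:
            if target not in targets:
                raise ValueError(f"{target} is not a known array port")
            lines.append(f"  member device-alias {target}")
        zones.append(zone)
    lines.append(f"zoneset name {zoneset} vsan {vsan}")
    lines.extend(f"  member {zone}" for zone in zones)
    lines.append(f"zoneset activate name {zoneset} vsan {vsan}")
    return lines


if __name__ == "__main__":
    print("\n".join(build_zoning(10, "ZS_PROD", SERVERS, TARGETS, ACCESS)))
```

Pass the name of the zoneset that is already active on the fabric so the new zones are added to it; activating a separate zoneset that holds only the new zones would replace the active one.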

End of year budgeting! We should have a few bucks to roll back to the general fund. yay my team. I just click ok on order approvals. Or not. Deny is a good one too!

Then people. Dealing with the human side of the job. We are emotional beasts. This is actually the most time consuming part of the job. People need. Period. They just need. Need you. Need backing. Need a pat on the back. Need an ear. Need a moment of your time. Need feedback. Need guidance. Need. None of these things are bad. Some need more than others, but all people have their needs. This is the part of the job that I continue to learn. Simple visits with everyone. Actually listening to them talk about their problems (and as a tech person this is hard. Just listening. Give me a problem, I'll solve it. Not always what folks are looking for!).

And that's a day without meetings! I'll doc one of those up some day.

Thursday, April 19, 2012

Wireless Considerations

Figure I would do a brief recap of our wireless solution selection. We had 3 primary vendors, Cisco, Aruba, and Entrasys as finalist. Cisco was the encumbant and the eventual winner. Each had pieces we liked, and each had portions we didn't like.

Aruba -- far and away the best software and management pieces out of all the vendors. the ability to manage clients outshone cisco and entrasys greatly. Their AmigoPod appliance for access control was a game changer. The access points themselves were solid with an almost industry standard 3*3 MiMO. It seemed obvious to us that Aruba focused a lot of their work on the development of the client and administrator experience.

Cisco -- Ah, my love-hate relationship. Cisco's ability to develop some of the most powerful and industry leading technology such as the 3600 series access points put them clearly above their competitors on the hardware side. Clean air, 4 spatial streams all good things. Then their issues. Developing a good back-end management and-or user experience is secondary (and i'm being nice here). Cisco, from my experience, does not know how to develop management tools nor completely understand customer user requirements. Trying to figure out how to get MSE, ISE, and NCS to all play nicely and work well is ..a challenge. Luckily, we did hire an integrator to help deploy the solution and we are finding our way. I'll delve more into this as we go along.

Entrasys -- was very inexpensive. The ability to integrate policy for APs and entrasys switches was impressive. The management tools were ok. It wasn't like they were completely integrated, but they did all exist under a common "launcher". However, we did not have entrasys switches and this caused the solution to lose some luster. The ability to track over time wasn't quite as good as the two other competitors. We tend to get complaints after the frustration is built-up. For example, a campus will not tell us for -months- that they had wireless issues in hallway b on thursday until they tell a board member. So, we are left scrambling. Unfortunately, entrasys could not replay the wireless maps as well as cisco or aruba. Perusing a log file isn't enough nowadays.

Anyhow, basic coverage on what we saw and considered. There were others (not Meru), but they did not make it to the finalists for a variety of reasons.

Typical Summer Projects and Tasks

Ah, a typical summer. There isn't one! Maybe. Usually there is some large project(s) taking place, such as rolling out a new imaging and app tool (KACE), or migrating email from GroupWise to Exchange, or deploying new teacher stations to our teachers, deploying new phones, deploying new wireless, deploying MDM solutions, etc. The projects will eat a large percentage of everyone's time. There are vacations which happen. The rest of the time is doing maintenance-type work. Reimage all the labs back to a good image. Leaving computers with kids during the school year invites a lot of... um... interesting modifications to both the machine and OS. I heartily thank those teachers and campuses who manage to keep their kids on task and not destroying the equipment. I know it isn't easy, so thanks. Also, we consider summer only from the last day of school to when administrators come back. That is about 6-8 weeks at most.

Tuesday, April 10, 2012

Restarting

Let's see if I can keep this going. Another document to write at the end of a day of composing and reading mail seems like a bundle of joy. Maybe treat this as catharsis. Or documentation for the therapist. Either way.

It's spring, but it is summer for Technology in schools. Yeah, school is taking place, the kids, teachers, campus admins, and parents are going through the testing grinders (sorry boys & girls), but Technology is moving into summer mode. Project mode. This is going to be a fun one! Here are the projects:

First, let's migrate from a mixed PBX/IP phone to a fully IP-based phone solution. And implement Cisco Emergency Responder. And Cisco Presence. Swapping out ~3000 phones is going to be a logistical exercise. Summer starts June 11. People return about Aug 1 (campus admins). 8 weeks. I don't like the math there a whole lot. Scary.

We are also deploying about 1000 access points to 40ish sites. Yay. Wireless everywhere! We have to cable, hang APs, configure guest and user policies, and align those with BYOD policies, local and state policies (policy one more time 'cause). Again, the math there is scary. 1000 APs, 40 locations, 8 weeks.

Turn up another 25TB of storage for... something. Goldfish theory explained! User data is like a goldfish. It'll grow to the size of the bowl. So, if you buy a bigger bowl, you end up with a bigger goldfish. So, do you police your goldfish or buy a bigger bowl? Yeah, you see my answer. Actually, the majority of the people in environments, once notified of excessive use, will reduce their usage or delete the copy of the copy of the copy... Even then, the goldfish grows. Baffling.

Those are the ones I have direct control over. Now the ones where technology is a participant, but not necessarily a driver or implementer.

Construction! Yes, these folks are our frenemies. We get along well, but we butt heads on occasion with architects, engineers and the actual construction people. No one wins every battle, but we've all come to fairly good standing with each other on our needs. Architects want pretty and useful (and to meet the customer's needs, which is technically my employer too, but that's another story). Engineers have to provide some services within those pretty and useful spaces while keeping it pretty. Sometimes pretty makes it difficult to hide 8" water mains, HVAC ducts and returns, lights, alarms, cameras in confined spaces, which leads us to the construction people. They get to build the dream and have everyone meet deadlines, play nice-ish, and tell the architect and engineers that you can't fit an 8" water main through a 6" chase. As we joke in meetings, yeah, size matters. Then technology comes along and makes it more difficult: btw, I'm running an assload (technical term) of cable in this hallway, putting projectors here right where you want a heating vent (btw, this problem rears its head the first cold day of school; projectors do not like hot air blown into them), access points every room, speakers all over, etc. It's actually kinda fun with a good set of people to be part of putting up a new building.

Renovations. The killer. Assume if there is construction doing renovation, you are... well, not well off. They are just killer. No one knows exactly what they'll find and break. Cabling? Power? What was that orange cable, fiber? Chunk a ceiling tile with a speaker or camera? Oooo, then the big winner, asbestos! Awesome. It all comes down. We can't go in for weeks while it's being abated. Hopefully we can get in and remove our electronics and expensive pieces before the abatement. Anyhow, there are a handful of renovations this summer. 5-8 out of 40 sites. Again, don't like the math.

I'll do typical summer work tomorrow. That is the work that has to be done regardless of the above.