New Hostname Policy

1. New Hostname Policy Service Managers experience and feedback IT/OIS

2. Issues for Service Managers • AD & LanDB: "Object oriented" database • deviceADIFFERENT from InterfaceA DIFFERENT from AliasA • LanDBsets NOT possible with aliases • XLDAP queries: on which object ?? • Monitoring & management require computer name • AuthN, AuthZ, group memberships • Need the computer object name • Major source of mistake • Remote access • Secure channels NOT working out of the box with DNS aliases • Certificates and Kerberos • Cannot automate their distribution on Aliases New Hostname Policy - 2

3. Reasons for this policy ? • Serial number / order number MUST be an attribute • Are we named by our CERNID ? • Reasons behind are obscure • Database synchronization problems ? Primary Key ? • A technical issue should not be distributed to all IT. • System was designed for batch and hypervisor nodes • Works for random anonymous nodes, fails for service specific dedicated nodes • No idea of what others in IT are doing ? • Reinventing DNS • 137.138.12.13 -> P2013412334352324353 -> TOTO01 New Hostname Policy - 3

4. Policy application • Mr. P201300433339113 • If you can’t adapt, you’ll have to redo your services differently • Mr. P201255300322125 • Sorry guys, it’s a departmental policy • Started with Exceptions (batch orders Fall 2013) • Proves using any name is possible • Shows that these exceptions can be a rule • Continues with Exceptions • Must be justified by the Group leader (memo ? EDH document ?) New Hostname Policy - 4

5. Summary • Imposing this policy will lead to: • Random service failure • IT internal misunderstanding • Rework the policy • Get knowledge of other services • Ask for ideas • Everyone is willing to contribute and collaborate • Design a system without exceptions where everyone can work efficiently New Hostname Policy - 5

6. Backup Slide Issues in using alias names (instead of host names)... • Active directory (core Windows feature): "object oriented" databasecomputerAobject DIFFERENT from aliasA object • DC,LDAP requests: lot of scripts using dynamic criteria (e.g. 'select * where hostname like 'XLDAP') NOT working with aliases • Permissions, certificates, delegation, attributes, group memberships and policies NOT applicable to 'alias' objects • Windows Management tools NOT working remotely with alias names • WMI (Windows Management Instrumentation) => NOT always working remotely • Quota subsystem • Powershell: signed and/or encrypted scripts • WINS (NetBIOS) infrastructure NOT working with aliases • Front-end/back-end applications NOT working with aliases AD based => authentication, authorization, permissions, group memberships => targeting computer objects • Network load balancing (machines sharing the same resources: e.g. adfs, ldap, exchange, sharepoint, web, etc.) • DFS replication, Exchange replication • SCOM (System Center Operations Manager - Monitoring) • SCCM (System Center Configuration Manager - Installation/Configuration) • SCVMM (System Center Virtual Machine Manager - Virtual infrastructure) • CMF (Computer Management Framework - Software deployment) • lanDB : "Object oriented" database as welldeviceADIFFERENT from InterfaceA DIFFERENT from AliasA • manipulation in lanDB sets NOT possible with aliases • round robin definitions NOT feasible with aliases • DFS access • \\aliasA\sharename NOT working out of the box • Aliases not directly exposed to end-users (except in lanDB!) • Backup/restore operations (service-desk 2nd,3rd levels + sysadmins) impacted • DFS servers working as pairs (data11/12, data13/14, etc.), association not anymore with Pxxx/Pyyy • Remote accesses • Secure channels NOT working out of the box with DNS aliases • RDP => specific certificates required • SCOM (Monitoring) • E-mail and SMS notifications raised by alerts containing host-names (not aliases) • how to identify CERNDCxx , AFSDBxx, DFSrootxx ? • Internally: (AD based) proxying, permissions, delegation NOT possible with aliases New Hostname Policy - 6