
Workstation migration to NetID domain update

Approximately 2,428 managed workstations, or about 78%, have been migrated from the nebula2 domain to the NetID domain. We will continue to attempt to migrate every managed workstation at 5:00 pm daily.

We are still unable to offer a self-service option for workstation migrations at this time. The technical issues that may be encountered are unlikely to lead to a positive experience.

What’s Next:

Migrations are still taking place at 12:00 pm (noon) and 5:00 pm, Monday – Friday, for any non-migrated workstation.

We encourage customers to send us a migration request via help@uw.edu with “MWS Migration” in the subject line so we can migrate your managed workstation during this period.

On Monday 7/10/2017 we will begin reaching out to Technical Contacts with non-migrated workstations to facilitate the migrations.

What do you need to know?

Computers that have not scheduled a migration date by 7/31 will be removed from the nebula2 domain.

If you have any questions, please send an email to help@uw.edu with “MWS Migration” in the subject line.

Dawn Cullerton
Service Manager
Managed Workstation
UW-IT

Workstation migration update

Approximately 2200 managed workstations, or about 66%, have been migrated. Every non-migrated managed workstation has been a candidate for nightly migration and has been attempted at least 3 times. At any given point only 75% of managed workstations are manageable over the network, so customers will need to work with us for further progress to occur.

If you have questions about the workstation migration, a FAQ is available and updated regularly.

There were a number of problems over the last 3 weeks, some with our workstation migration approach, others related to unanticipated file service issues. We’re sorry for any inconveniences this may have caused. We’ve worked hard to address these issues and adjust our approach.

We’d love to provide a self-service option for workstation migration, but the technical details make it extremely unlikely to lead to a positive experience.

What’s Next:

During the Workday go-live period, June 16th – 30th, we will not initiate any mass migrations of non-migrated workstations. However, our offer to schedule noon migrations on a given date for any non-migrated workstation still stands during that period.

We encourage customers to send us a migration request via help@uw.edu with “MWS Migration” in the subject line so we can migrate your managed workstation during that period. Department contacts will get a list of non-migrated workstations in their department via an email later today.

After June 30, we’ll go back to attempting to migrate all remaining non-migrated workstations each night. Beginning the week of July 3, we will begin to contact customers with a non-migrated workstation to facilitate migration.

Unmigrated computers left in late July will largely be those which are not regularly on the UW network. Computers in this state are not good candidates for the Managed Workstation service, as they receive very little of the regular value we provide. We’d like to better understand that choice and whether a better option is needed, so we invite customers who find themselves in that situation to have a dialog with us. Feel free to send an email to help@uw.edu, or start a dialog on mws-discuss@uw.edu.

Workstation migration FAQ

This page has frequently asked questions about the workstation migration from Nebula2 to the NETID domain.


Does my managed workstation need to be migrated?

Yes. Every managed workstation must be migrated.

My computer was scheduled to be migrated, but wasn’t. When will it be migrated to the NetID domain?

We are aware that some computers were not migrated on their scheduled date. The computer was either not on the network or had some other issue which prevented migration. We will re-attempt to migrate those computers. If the computer is not on the UW network, then you should get it on the UW network. If you have power settings which put your computer to sleep, you should disable those settings until your computer is migrated. You can request to have your computer migrated at noon on any day: send an email to help@uw.edu with “MWS Migration” in the subject.

How do I find my computer name?

There are a few ways you can do this:

  • Go to Start > Control Panel > System and Security > System. Your computer name will be listed about halfway down the window.
  • On a Windows 10 computer, type the word “About” (no quotes) in the Cortana Search field and a new window will open. At the top of the window, your computer name will appear next to “PC name”.
  • Open a command line (type cmd in the search box and press Enter). A command line window will open. Type the word “hostname” (no quotes) and press Enter. Your computer name will appear underneath the command line.
  • Go to the login banner on your computer. From there, select “Other User”. In the user name field, type .\ (a period followed by a backslash). At the bottom of the login fields, it should show “Sign in to:” followed by the computer name.

How do I know if my computer was migrated to the NetID domain?

Go to Start > Control Panel > System and Security > System. Your computer’s domain name will be listed near the bottom of the window. The new domain name when your computer has been migrated will be: netid.washington.edu (The old domain was nebula2.washington.edu)

How will I Remote Desktop Connect to my computer after it has been migrated?

  • You must use a VPN when you are off the UW Network
  • Then use Remote Desktop Connect with the following computer naming convention: computername.clients.uw.edu. For example, a computer named aerosedanwin10 has the full name aerosedanwin10.clients.uw.edu.

What about managed workstations that are NOT physically on campus?

We expect there will be some number of computers which we can’t migrate automatically, but we encourage you to try to get the managed workstation onto the UW network before we retire the Nebula2 domain.

What do you mean by ‘on the UW network’? Is it better for a computer to be on campus and directly plugged into the network, or is the VPN an option for the migration?

The computer needs to be remotely reachable. Unfortunately, being connected via the VPN doesn’t meet that criterion. So yes, being physically at a UW campus and either plugged in or on UW wireless is needed.

For computers which cannot get on the UW network during this period, will there be a manual option to migrate to the new domain?

There will not be a self-service option to migrate a computer that is not on the UW network. There are too many potential problems for that to be a positive experience.

We do have a plan for migrating computers which are not migrated before we retire the Nebula2 domain; see the question about the Nebula2 domain retirement below.

Many of our people will be out of the country at this time. Do you want them to notify you?

No, customers don’t need to contact us if they know their computer won’t be available when scheduled—in fact, we advise against it. We will contact customers when we find a computer isn’t available and try to find a solution.

What if my managed workstation is not migrated?

Any managed workstation that is not migrated to the NETID domain by the time we need to shut down the Nebula2 domain may need intervention to be usable. We will make every effort to contact customers to work out a solution before that time.

We do have a plan for migrating computers which are not migrated before we retire the Nebula2 domain; see the question about the Nebula2 domain retirement below.

When will the Nebula2 domain go away?

We are currently anticipating that will happen in late July to August.

Can you say more about the Nebula2 domain retirement?

We plan to retire the Nebula2 domain in late July or early August. After we have retired the Nebula2 domain, customers that have a non-migrated workstation can anticipate the following:

  • While the computer is not on the UW network, it will continue to work unaffected. While off the UW network, users of these workstations use “cached credentials” to log on. If they connect to the VPN to get to file services or updates, there are some minor impacts:
    • updates will fail because they are directed to use a server in the Nebula2 domain which will no longer be available
    • if they go to a location on I: to which they have never gone previously, it is likely to fail
  • When these computers return to the UW network, they will have a long boot/startup time and will eventually get a “trust failed” error message. These computers will need to be manually moved to the NetID domain by Managed Workstation staff. As a temporary workaround to get such a workstation usable again, the network cable can be unplugged while the computer boots and reconnected after boot.

Customers who still need to have their workstation migrated to the NetID domain should send an email to help@uw.edu with “MWS Migration request” in the subject line.

What is the impact to me when my workstation is migrated?

There are two user impacts of this work:

  • computers that are being migrated will be rebooted. A second reboot will follow the first, approximately 15-45 minutes later.
  • the computer’s name will change from existingname.clients.nebula2.washington.edu to existingname.clients.uw.edu

After a workstation is migrated, users will continue to log into their managed workstation with their NETID user, and there is no other impact.

Will there be any sort of DNS aliasing to map host names from clients.nebula2.washington.edu to clients.uw.edu?

No, we don’t really have an option to do this for reasons tied to the technical details.

Why are we migrating to the NETID domain?

  • To reduce costs by consolidating the infrastructure needed to provide you with a managed workstation
  • To leverage improved capabilities provided by the NETID domain

Is there a change to how we build new computers?

For now, new computer builds will continue as is.

In other words, you’ll join them to the Nebula2 domain, with the added step that they will need to be migrated to the NETID domain after that. When you make a claim request, we should be able to migrate at that time, but if not, after the announced 2 week period, we’ll also regularly batch up Nebula2 computers on a nightly (or even more regular) basis and migrate them until it is time to pull down the Nebula2 domain. Of course, one of the things that needs to happen before we can remove the Nebula2 domain is delivering this new approach to computer builds & claiming.

We recognize this isn’t ideal, but we didn’t want to delay other progress to complete that detail, nor did we want to put additional new burdens on customers.

And to share a little more info to give you an idea of why we think it is worth waiting a little longer: our design for the new approach should be significantly improved. If you use lite-touch for builds, it will collect the needed “claiming” info up-front and join the computer to the domain. That will eliminate the need to talk to us to on-board a new computer, which we think is a win-win outcome.

We will announce this future planned change.

How do I use the NetID VPN after my workstation has been migrated?

Use the instructions on the MWS VPN Service page for configuring and using the NetID VPN.

I got a notice about the Managed Workstation migration, but I don’t have a managed workstation. Can I stop getting notices?

You may not have a managed workstation, and you’ll need to talk to your sponsoring organization to adjust its eligibility group to better represent who actually uses the services we provide. As a service, we can’t arbitrate or override decisions made external to our service.

If you need help identifying which organization has made you eligible, we can help with that and give you the organization contacts. Send an email to help@uw.edu with ‘my MWS eligibility org’ in the subject.

You’ll then need to speak to those contacts about adjusting the Managed Workstation eligibility group they provided to us to exclude you.

You should be forewarned that depending on how eligibility is removed it may result in loss of access to services provided by Managed Workstation. We’d be happy to discuss eligibility further with the organization contacts to meet your organization’s needs.

See https://it.uw.edu/wares/nebula/adding-users/customer-accounts/#eligibilityGroups for more on the topic of Managed Workstation eligibility.

My workstation has an error and I can’t login: “The security database on the server does not have a computer account for this workstation trust relationship.” What should I do?

Rebooting your computer up to two times is the best first action to take.

If the error persists, contact UW-IT and let them know your managed workstation is experiencing an incident due to “invalid SPNs” from the migration. We’ll prioritize fixing your workstation.

This known error happens occasionally as part of the migration, and we’re working hard on finding ways to both prevent it and proactively detect and fix it. If you run into this error, we know the fix and can get you back up and running quickly.
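The FAQ answers above amount to a few checks a user or technician can run on the workstation itself: which domain the computer reports, what its Remote Desktop name becomes after migration, and whether the computer account’s trust with the domain is intact (the “trust relationship” error). The following PowerShell gathers those into one report. It is an added example and not a script from the Managed Workstation team; the function name and output fields are my own, while the domain names and the clients.uw.edu suffix are the ones the FAQ gives.

```powershell
# Added example (not from the UW-IT FAQ): report a workstation's migration state
# using the domain names the FAQ documents. Run from an elevated prompt on the
# workstation itself; Test-ComputerSecureChannel needs a reachable domain controller.
function Get-MwsMigrationState {
    [CmdletBinding()]
    param(
        [string]$NewDomain = 'netid.washington.edu',   # domain after migration (from the FAQ)
        [string]$OldDomain = 'nebula2.washington.edu', # domain before migration (from the FAQ)
        [string]$RdpSuffix = 'clients.uw.edu'          # DNS suffix after migration (from the FAQ)
    )

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Test-ComputerSecureChannel verifies the trust between this computer's account
    # and its domain. $false is the condition behind the "security database ... trust
    # relationship" logon error; only domain staff can repair the computer account.
    $secureChannel = 'unknown'
    try {
        $secureChannel = Test-ComputerSecureChannel -ErrorAction Stop
    } catch {
        # Not domain-joined, no domain controller reachable (e.g. off the UW network
        # or on the VPN), or the prompt is not elevated.
        $secureChannel = "unknown ($($_.Exception.Message))"
    }

    [pscustomobject]@{
        ComputerName   = $cs.Name
        PartOfDomain   = $cs.PartOfDomain
        Domain         = $cs.Domain
        Migrated       = ($cs.PartOfDomain -and $cs.Domain -ieq $NewDomain)
        StillOnNebula2 = ($cs.PartOfDomain -and $cs.Domain -ieq $OldDomain)
        # Name to use with Remote Desktop (over the VPN) once migrated.
        RdpName        = "$($cs.Name.ToLower()).$RdpSuffix"
        # Underscores were removed from computer names before migration began.
        HasUnderscore  = ($cs.Name -like '*_*')
        SecureChannel  = $secureChannel
    }
}

Get-MwsMigrationState | Format-List
```

If Migrated is true but SecureChannel is false after two reboots, that is the case the FAQ says to report to UW-IT as a migration incident rather than something to fix locally.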

Workstation migration – user notice

Managed Workstation is migrating workstations from the Nebula2 domain to the NETID domain. The impact to you is very low. Please ensure your managed workstation is on the UW network during the noted period.

What and When:

Beginning Monday, May 22nd at 5pm, and every night through Friday, June 2nd, we will attempt to automatically migrate managed workstations to the NETID domain. Any given managed workstation will be scheduled for one night during this period, as documented at https://it.uw.edu/wares/nebula/news/migration/schedule/.

Computers which are unavailable will be retried on every successive night during this period until successfully migrated.

There are two noticeable impacts of this work:

  • computers that are being migrated will be rebooted, with a visible 5 minute warning message when the migration agent is ready to initiate the reboot. A second reboot will follow the first, approximately 15-45 minutes later.
  • the computer’s name will change from existingname.clients.nebula2.washington.edu to existingname.clients.uw.edu

After a workstation is migrated, you will continue to log into your managed workstation with your NETID user account, and there is no other impact.

What you need to do:

Please plan to ensure your managed workstation is turned on and on the UW network on the night it is scheduled for migration. If your managed workstation is not located on the UW network, please bring it in and leave it on the network for its scheduled night.

If your managed workstation cannot get on the UW network during this period, we will contact you to work out a solution, but it will require a little more effort.

If you remote desktop to your managed workstation, please adjust your practices after your computer is migrated:

  1. First, connect to the VPN,
  2. Then, remote desktop to your computer’s new fully qualified name (existingname.clients.uw.edu).

More info:

If you have a question about this change, please first see if your question is addressed in the frequently asked questions: https://it.uw.edu/wares/nebula/news/migration/faq/.

UW-IT has a lot of experience with this type of change, and the number of issues caused by this type of change are extremely low. However, if there are problems which result in an unusable workstation, we will treat it as an urgent issue and prioritize returning the workstation to service. You can call 221-5000 or send an email to help@uw.edu and let the UW-IT Service Center know that you are experiencing an incident with your managed workstation.

If you have a significant scheduling issue during this 2-week period, and need your managed workstation to not be migrated, please let us know and we will try to accommodate you.

Computer renames happening 5/17

A notification like the following one was sent to the primary user, last user, and department contacts for the ~380 computers with a name that included an underscore character (_).

———–

You are listed as a contact for the Managed Workstation (Nebula) department MAA.

The computers listed below all have the underscore character (“_”) in their name, which is no longer permitted in the name of Managed Workstation computers. This Wednesday, May 17, at 5pm we will be automatically renaming these computers to remove the underscore character from the computer’s name. In most cases, the process will simply remove the underscore and everything to the right of it (i.e. TK421_SW would become TK421). In some cases, we may have to change the name more significantly. The process will, unfortunately, require a reboot.

NetbiosName      primaryUser   Last User     LogonTime
00542xx732_POT   xxxxxxxx      NETID\yyyy    5/9/2017 11:46:23 AM
SxxET2_POT       xxxxxxx       NETID\yyyy    5/14/2017 3:41:04 PM

Once completed, we will send you an updated list that includes the new name for each computer. If the process fails for some reason, such as the computer being turned off, we will be following up on these on Thursday.

Where we have it, we will be notifying the primary user of each computer about this work later today.

We apologize for the short notice on this work, but we have to get it done before we can start migrating computers to the NETID domain next week. A separate notice about that work will be going out later this morning.

Please contact us immediately if you have any questions.

Managed Workstation Service E: help@uw.edu | V: 206.221.5000

Migrating workstations to the NETID domain

Managed Workstation is migrating workstations from the Nebula2 domain to the NETID domain.

 

What and When:

Beginning Monday, May 22nd at 5pm, and every night through Friday June 2nd, we will attempt to automatically migrate a set of managed workstations to the NETID domain. Any given managed workstation will be scheduled for one night during this period, and we will publish the schedule next week.

 

There are two user impacts of this work:

  • computers that are being migrated will be rebooted, with a user-visible 5 minute warning message when the migration agent is ready to initiate the reboot
  • the computer’s name will change from xxx.clients.nebula2.washington.edu to xxx.clients.uw.edu

 

Users will continue to log into their managed workstation with their NETID user.

 

Because all Managed Workstation customers are impacted by this work and may need to take action, we also plan to notify all users via the mws-users@uw.edu mailing list. That notification is planned for Wednesday, May 17th and will include a link to the schedule so users can take appropriate action when needed.

 

What you need to do:

If you are a department contact, we’d appreciate if you make sure folks in your department know to expect a notification from us via the mws-users mailing list. We don’t often use that mailing list, so there may not be strong trust associated with it. It also wouldn’t hurt for folks to hear about this planned work more than once.

 

Plan to ensure your managed workstation is turned on and on the UW network on the day it is scheduled for migration.

 

If you remote desktop to your managed workstation, adjust your practices after your computer is migrated. First, connect to the VPN, then remote desktop to your computer’s new name.

 

More info:

Domain migrations are a pretty standard activity, and UW-IT’s Microsoft Infrastructure service (whose toolset we are leveraging) has experience doing tens of thousands of these migrations using the same automated toolset as planned here. Failure rates are extremely low. So we do not expect significant problems, but with ~3500 computers to migrate, there will be a few which encounter problems. If there are problems which result in an unusable workstation, we will treat it as an urgent issue and prioritize returning the workstation to service. You can call 221-5000 or send an email to help@uw.edu and let the UW-IT Service Center know that you are experiencing an incident with your managed workstation.

 

Managed workstations which have an underscore character (_) in their name will need some extra preparation. Early this week, we plan to send a notification to the primary user and contacts of the 381 computers which have an underscore character in their name, to let them know about our plans to resolve that.

 

If your managed workstation cannot be migrated on the day it is scheduled, it will be for one of several reasons. We will attempt to contact customers to resolve any issues and re-attempt a later migration.

 

Migration scheduling is not planned to follow department boundaries. This is for several reasons, which include avoiding the potential to impact an entire department. If your department has a significant scheduling issue during this 2-week period, please let us know and we will try to accommodate you.

 

Dawn Cullerton

Service Manager

Managed Workstation

UW Information Technology

Phone: 206-685-3071

Office 2007 End of Life (EOL)

Office 2007 (along with Vista) got its last security updates in April 2017.

What and When:

Office 2007 reached its end of support lifecycle on 4/11/2017.

What does this mean?

This means there will be no new security updates, no non-security updates, and no free or paid assisted support options. Customers who are using Office 2007 products and services should move to Office 2016. See our Operating System lifecycle and support page for additional info.

What You Need to Do:

If you have a computer running Office 2007, we recommend you upgrade to Office 2016.

If your department wants us to automatically remove Office 2007 from a list of machines, or automatically upgrade your devices to 2016, let us know.

2017 April

Here’s our semi-annual newsletter update on recent happenings with the Microsoft Infrastructure.

 

==== New Capabilities and Improvements ====

 

* Self-service Entra ID application identities. On 2/15/2017, we enabled UW users to create and integrate Entra ID application identities. This provides an easy way for developers to integrate with UW identities, but also allows a variety of 3rd party applications to easily be integrated. Users are advised to carefully evaluate the risk of application integrations. This new capability also introduces the ability for users to individually consent to applications acting on their behalf with other applications. More info is available at https://it.uw.edu/wares/msinf/aad/apps/.

 

* Preferred name data source. On 3/1/2017, we added the preferred name data source to existing data sources that result in the name commonly shown in a variety of locations like Exchange. This improvement means that all UW NetIDs now have a self-service method to update their Microsoft Infrastructure user name value, and significantly increased control of the resulting value. Via a customer survey 8 years ago, you indicated this was your top desired change for this service, and we have been advocating for this type of solution over that entire time period, so we are very pleased to be able to have implemented this. Detailed documentation about how your Microsoft Infrastructure user name value is chosen is at: https://it.uw.edu/wares/msinf/design/arch/id-data-mapping/#name.

 

* Entra ID Connect. On 1/6/2017, we replaced our aging Entra ID Dirsync infrastructure with the latest Entra ID sync tool. This did not result in immediate new capabilities, but does set us up to take advantage of some new capabilities in the future.

 

==== Spotlights ====

 

* Microsoft Technology Community. Brian Smith has formed a new community for those active with Microsoft technologies, and the Microsoft Infrastructure service team are active participants. In fact, we’ve given a couple presentations on Microsoft Infrastructure capabilities there. We encourage you to consider joining this community. See https://it.uw.edu/work/resources/ms-tech/ for how to join.

 

* Microsoft LAPS in the NETID domain. Many of you have asked for a solution to managing local admin passwords. We evaluated the need and possible solutions, and explored whether LAPS met UW security expectations or not. At the April meeting of the Microsoft Technology community (4/19 1:30-3p, Odegaard 220), Patrick Lavielle will present our findings and discuss our plans to provide a solution.

 

* Entra ID monitoring. Eric Kool-Brown has built special tools for our service to identify Entra ID configurations which are risky in nature, so we are alerted and can take action. Part of this work included exploring the Entra ID Audit API (which is still in preview) and leveraging data from it. One of the user-visible aspects of this effort will be a tool we’ll release that allows you to find Entra ID app user consent details. More info will be provided when that tool is released.

 

==== What’s Next ====

Our objectives for the 6 months from April through October 2017 include:

* Support Managed Workstation migration into the NETID domain (~3300 computers)

* Identify a delegation and support model to release MBAM for BitLocker recovery key support. We deployed MBAM in the last 6 months, but still need to find a way to delegate access before releasing it for use.

* ADFS modernization. We’re now 2 major versions behind and plan to jump ahead to ADFS 2016. We’ll work with existing customers to migrate, when ready.

* DC modernization. We need to upgrade all the NETID domain controllers to WS2016. 3 of the 5 DCs are also near end of life, so need to be replaced. Expect lots of communication about this.

* AD-CS stabilization. The issuing CA’s cert is very short-lived, which limits the lifetime of certs it issues and creates maintenance friction. We’ll be replacing the existing issuing CA cert with a longer term one. Expect communication on this planned change.

* Engage with UW MFA program to add future capabilities for Microsoft technologies

* Software deployment capability via central SCCM based service option

* Computer domain join refactor. Supporting the Managed Workstation adoption of the NETID domain, along with plans to move some MWS capabilities (like SCCM) to the Microsoft Infrastructure service, has given us a fresh opportunity to tweak the existing approach and add some new options. We’ll share more when these new options are ready, but know that the existing approach will continue to work as is.

* Release a ‘UW network’ Windows firewall GPO for re-use by delegated OU customers. This reference GPO will be maintained by us, and you’d be able to make a copy (and refresh your copy), without doing any of the work of building it or keeping current on what the existing definition of the UW network space is.

 

* Refactored identity data integration. This is a longer-running goal to replace our integration based on MIM and file-based data to an event-based architecture. This likely won’t come to fruition for a while, but we are investing in it. The upside for customers will be lower latency of identity data changes, more stability, and increased agility.

* Invest in mitigations to reduce risks from privilege escalation

Of the 13 objectives listed in the last MI news, here’s a review of how they turned out:

  • 7 were successfully completed: LAPS analysis, forms refactor, Entra ID monitoring, Entra ID Connect, RMS, self-svc Entra ID Apps, Preferred name
  • 5 were started and continue: MBAM, SCCM, reference firewall, ID agent refactor, Entra ID Audit API
  • 1 was started by dependent service, but hasn’t yet reached the point where we can start: MWS migration
  • 0 were not started

 

==== Trends ====

* Since September, MI has sustained growth: +6 delegated OUs (135 total), 0 trusts (51 total), +~1200 computers (16356 total), +63k users (900K total), +9k groups (113K total).

* MI support requests are up 48%. 432 MI support records resolved between 9/30/16 and 3/31/2017 (vs. 292 in prior period).

==== Your Feedback ====

Supporting your needs for MI capabilities offered via the Basic Services Bundle is our priority, so we welcome feedback on how we can make the MI service more valuable to you.

The MI service has a capability map publicly visible at https://it.uw.edu/wares/msinf/design/capability-map/, which was just updated.

Many more details are available about the 6 month objectives listed above, and you are welcome to engage with us to find out more.

For broad discussion about the Microsoft Infrastructure, the mi-discuss@uw.edu mailing list is a great option.

You can voice your support for future objectives to help us rank priorities by voting in customer surveys when we have them, ask for things that aren’t yet on our radar, or simply contact us via help@uw.edu.

Brian Arkills

UW-IT, MI Service Manager

LAPS – Local Administrator Password Solution

A new capability is available to delegated OU customers.

 

What and When:

As of yesterday, a new capability is available allowing automated management of the local admin password on Windows computers. This includes delegated password escrow.

 

What you need to do:

Use of this capability is optional and requires you to take action if you want to leverage it.

 

Good management of your computer local admin passwords mitigates a key risk in the Microsoft ecosystem. This mitigation reduces the severity of compromises by helping to prevent lateral movement and subsequent privilege escalation.

 

Delegated OUs are strongly encouraged to consider implementing it. Please reference our customer documentation, https://it.uw.edu/wares/msinf/ous/laps/, for details on how to get started.

 

More info:

Background on this capability was presented by Patrick Lavielle at the April meeting of the Microsoft Technology community, and a copy of the slide deck will be shared with that community, so follow the link and join that community if you want that deck.

 

An analysis paper documenting our process of evaluating the problem of managing local admin passwords is published at https://wiki.cac.washington.edu/x/HFCIB. This includes our review of other solutions, the appropriateness of the plaintext password storage used by LAPS, and other details. Most of the content of this paper is in the slide deck mentioned above.

 

Brian Arkills

Microsoft Infrastructure service manager

UW-IT

 

Disabling SMBv1

We are disabling SMBv1 (a file service protocol) on all Managed Workstations.

What and When

We are disabling SMBv1, which is a file service protocol used by Windows, on all Managed Workstations. The change is going out starting now, but it will not take effect until the next time each computer is rebooted.

More Info

As you may have seen from media reports over the weekend, several vulnerabilities in Windows were reported on Friday. These reports were mostly overblown, as Microsoft had already patched most of these vulnerabilities, and basic security configurations would block or mitigate the remaining ones. SMBv1, which is a very old file service protocol that is generally not used today, is still vulnerable in certain configurations. To ensure that there is no risk to Managed Workstations, we are disabling SMBv1. This change requires a reboot for it to take effect; however, we are not forcing reboots on computers at this time.

If you are using a very old printer or network storage device, it’s possible that it may still be using SMBv1 and thus it will no longer be accessible after this change. Please contact us, via help@uw.edu, if you run into this issue or have any questions or concerns.
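For departments that manage their own Windows machines and want to make the same change, the PowerShell below audits SMBv1 on one Windows 8.1/10 (or Server 2012 R2+) machine, lists any remote devices it is currently reaching over an SMB 1.x dialect (the old printer or NAS case described above), and then disables SMBv1 without forcing a reboot, so the change becomes effective at the next restart just as in the Managed Workstation rollout. This is an added example, not the Managed Workstation team’s deployment (which the notice does not show); the function names are my own, while the cmdlets are the standard SmbShare and Dism module ones.

```powershell
# Added example (not the Managed Workstation team's own change): audit, check
# dependencies, and disable SMBv1 on a single machine. Run from an elevated
# PowerShell prompt on Windows 8.1/10 or Server 2012 R2 and later.

function Get-Smb1State {
    # Whether this machine still answers SMBv1 requests as a file server.
    $server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # The SMB1Protocol optional feature carries both the SMBv1 client and server.
    $feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    # mrxsmb10 is the SMBv1 client redirector driver; Start = 4 means disabled.
    $driver  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' `
                                -Name Start -ErrorAction SilentlyContinue
    $driverStart = if ($driver) { $driver.Start } else { 'not present' }

    [pscustomobject]@{
        ServerSmb1Enabled = $server
        Smb1FeatureState  = $feature
        ClientDriverStart = $driverStart
    }
}

function Get-Smb1Dependencies {
    # Outbound connections negotiated at an SMB 1.x dialect. These are the
    # devices (old printers, NAS boxes) that will stop working after the change,
    # so review them before disabling.
    Get-SmbConnection |
        Where-Object { $_.Dialect -like '1.*' } |
        Select-Object ServerName, ShareName, Dialect, UserName
}

function Disable-Smb1 {
    # Stop serving SMBv1 for new sessions right away ...
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # ... and remove the SMBv1 client/server feature. -NoRestart mirrors the MWS
    # rollout: nothing is rebooted for you; the removal completes at next restart.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# Typical use: audit, review anything still on SMB 1.x, then disable and re-audit.
Get-Smb1State | Format-List
$deps = Get-Smb1Dependencies
if ($deps) {
    Write-Warning 'These servers are still being reached over SMBv1 and will break:'
    $deps | Format-Table -AutoSize
}
Disable-Smb1
Get-Smb1State | Format-List
```

Get-SmbConnection only shows sessions that are open at the moment you run it, so a device used occasionally (a printer spooled to once a week, for instance) may not appear; the warning is a pre-check, not a guarantee, which is why the notice above still asks users to report anything that stops working.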


James Morris
Managed Workstation Service
UW Information Technology