Skip to content

Archives: Service News

News content type for use by UW-IT Services on IT Connect

RE: NETID DC promotions and demotions

All previously announced DC refresh work has been completed, and the UWWI firewall document has been updated to reflect this. A temporary DC change is planned for the UWWI NETID domain service.

 

What and When:

A temporary domain controller will be promoted and demoted late next week. This temporary DC will be on a network not previously on the UWWI firewall document.

 

What you need to do:

If you have a firewall or network filters, you may need to adjust them (see link below).

 

More info:

Another network has been added to the UWWI firewall list:

172.2.1.0/24 (172.22.1.0-172.22.1.255).

 

Three networks previously on the UWWI firewall list have been removed to reflect completion of prior DC refresh work. For reference, the networks removed are:

-172.22.15.0/27 (172.22.15.0-172.22.15.31)

-172.22.16.64/27 (172.22.16.64-172.22.16.95)

-172.22.238.128/25 (172.22.238.128-172.22.238.255)

 

You can find the list of networks that correspond to NETID DCs to configure in your firewalls at http://www.netid.washington.edu/documentation/trustWithFirewall.aspx.

 

The temporary DC promotion/demotion is to facilitate an offline recovery test of the NETID domain via the Microsoft Active Directory Recovery Execution Services program that will happen the 2nd week of July. We need to have a temporary domain controller promoted and demoted in preparation for this exercise, and due to the nature of how this opportunity came about, we were unable to provide you more advanced warning of this change. We are still exploring ways to “hide” this temporary DC from customers to minimize the impact of not giving folks the customary 2 week warning about a change to the UWWI firewall list, but those explorations are still in process and need to be tempered by maintaining operational stability.

 

From: Brian Arkills Sent: Monday, November 05, 2012 12:02 PM To: ‘uwwi-announce@uw.edu’ (uwwi-announce@uw.edu) Subject: NETID DC promotions and demotions

 

Several changes are planned for the UWWI NETID domain service. These changes will close the existing temporary service capacity gap, which was noted in the email below sent 2 weeks ago.

 

What and When:

Several new domain controllers on a network not previously in the UWWI firewall documentation will be promoted beginning this Thursday, 11/8. One DC will be promoted on 11/8, with 2 additional DCs following over the following week for a total of 3 new NETID domain controllers.

 

After these 3 new DCs have been added, 2 of the existing domain controllers will be demoted as they have reached end of life.

 

What you need to do:

If you have a firewall or network filters, you may need to adjust them (see link below).

 

If you’ve hard-coded specific domain controller names in applications or code, you will need to adjust that configuration. If you have hard-coded either mace.netid.washington.edu or yoda.netid.washington.edu, please change that configuration.

 

If neither of these situations apply to you, then you don’t need to do anything.

 

More info:

Another network has been added to the UWWI firewall list: 172.16.31.0/24 (172.16.31.0-172.16.31.255).

 

The network that leia.netid.washington.edu was on has been removed from the UWWI firewall list. For reference that network was: 172.22.14.0/27 (172.22.14.0-172.22.14.31).

 

You can find the list of networks that correspond to NETID DCs to configure in your firewalls at http://www.netid.washington.edu/documentation/trustWithFirewall.aspx.

 

When all DC demotions are complete, we will remove two of the networks listed in that document, so if you do manage network filters you may want to check back in 3-4 weeks to remove unnecessary networks in your filters in the future.

 

> —–Original Message—–

> From: Brian Arkills

> Sent: Tuesday, October 23, 2012 12:38 PM

> To: ‘uwwi-announce@uw.edu’ (uwwi-announce@uw.edu)

> Subject: Netid domain controller (leia) forcible demotion planned ~1pm

> today

>

> Due to internal AD database corruption on Leia.netid.washington.edu and

> replication problems it was having, we have determined that we need to

> demote leia.netid.washington.edu, one of 5 existing domain controllers

> providing the NETID domain service in the UWWI service line. Leia has been

> offline since yesterday evening and won’t be coming back online. You may

> have experienced odd problems because of Leia’s AD corruption. If you think

> you’ve got a lingering issue caused by this, please do open a help request via

> help@uw.edu with UWWI somewhere in the subject line, and we’ll try to

> assist you.

>

> We have already replaced leia as the DNS primary for clients.uw.edu, the

> DDNS zone provided for delegated OU customers, and there has been no

> impact to customers of that service.

>

> This work represents a minor degradation in service capacity, but this is

> expected to be the case only for a short period, as leia was planned to be

> replaced in the coming months.

>

> If, for some reason, you’ve hard-coded something to

> leia.netid.washington.edu, you will want to change that.

>

> Brian Arkills

> UW-IT, Identity and Access Management

> UW Windows Infrastructure technical lead

 

NETID domain schema changes 5/8/2013: Exchange 2010 SP3

What and When:

On Wednesday, May 8th, the NETID domain schema will be modified. Schema changes associated with Exchange 2010 SP3 will be applied.

 

What you need to do:

Nothing, this is purely informational. There is no expected impact to customers.

 

More info:

Please see http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=5401 for more information about the schema changes.

 

Please send email to help@uw.edu with “UWWI schema work” in the subject if you have any questions about this work.

 

Brian Arkills

UW-IT Identity and Access Management

UW Windows Infrastructure Service Manager

 

 

Spring quarter NETID domain controller work

Several changes are planned for the UWWI NETID domain service.

 

What and When:

Domain controller demotions and promotion work will span the Spring quarter. This work is intended to bring the NETID domain to WS2012 functional level.

 

Two existing domain controllers will be demoted, rebuilt with Windows Server 2012, then promoted at a later time.

 

The first demotion will happen next Friday, 4/19. The timing of the other events is unknown, but are expected at some point during Spring quarter.

 

After both of these existing domain controllers are demoted, a third domain controller will be demoted and retired.

 

At the conclusion of this work, we’ll change the domain/forest functional level to WS2012.

 

We do not plan to send other notices about the DC demotions and promotions associated with this work.

 

What you need to do:

If you have a firewall or network filters, you may need to adjust them if they only include specific IP addresses as opposed to the subnet guidance (see link below). All DC promotions are expected to be on networks already in the UWWI firewall guidance documentation.

 

If you’ve hard-coded specific domain controller names in applications or code, you will need to adjust that configuration. If you have hard-coded these domain controllers:

chewie.netid.washington.edu

han.netid.washington.edu,

yoda.netid.washington.edu

 

please change that configuration.

 

If neither of these situations apply to you, then you don’t need to do anything.

 

More info:

Chewie.netid.washington.edu will be demoted on 4/19/2013.

Han.netid.washington.edu will be demoted at some point after a rebuilt chewie is promoted.

Yoda.netid.washington.edu will be demoted at some point after a rebuilt han is promoted.

 

You can find the list of networks that correspond to NETID DCs to configure in your firewalls at http://www.netid.washington.edu/documentation/trustWithFirewall.aspx.

 

Please send email to help@uw.edu with “UWWI DC work” in the subject if you have any questions about this work.

 

Brian Arkills

UW-IT Identity and Access Management

UW Windows Infrastructure Service Manager

 

UWWI NETID domain service change and policy change: domain trusts

A significant change has happened to the NETID domain service.

 

What and When:

 

The NETID domain service has changed its service design and policy. Under specific conditions, the NETID domain will trust another Windows domain. The conditions required are significant.

 

What you need to do:

 

Nothing. One of the key conditions required is that selective authentication is employed on the NETID side of the trust. This means that unless you explicitly permit users/groups from a trusted domain the ‘allowed to authenticate’ permissions on your computer objects, you are completely unaffected.

 

If you have concerns or questions, please send an email to help@uw.edu with “UWWI trust policy change” in the subject.

 

More details:

 

This change is being made for multiple reasons:

  • to enable UW-IT to consolidate its Windows domains into the NETID domain without adversely affecting some of the most critical IT assets of the University
  • to permit a key initiative of the University’s enterprise data warehouse to move forward in providing data visualization capabilities
  • to allow other UW organizations in similar positions an easier way forward, without adversely affecting existing NETID domain customers

 

You can read about the conditions required in the trust section of the revised UWWI policy: http://www.netid.washington.edu/documentation/policy.aspx#trusts

 

Brian Arkills

UW-IT, Identity and Access Management

UWWI Technical Lead

2013 January

Here’s an update on recent happenings with the UW Windows Infrastructure.

 

==== New Capabilities and Improvements ====

 

* Work to replace aging NETID domain controllers has resulted in 3 new DCs. This work included applying the WS2012 schema and also partially addressed some geo-redundant disaster recovery goals by locating a domain controller out of the Puget Sound region. Work to refresh existing WS2008R2 DCs to WS2012 continues.

 

* Windows 8, Windows Server 2012, and Office 2013 license activation capabilities were added by replacing the campus KMS server.

 

* The mail attribute value for all UWWI user accounts was changed to <uwnetid>@uw.edu to facilitate Office 365 integration, eliminate user errors, and prevent multiple users from having the same email value.

 

* Work to refactor the UWWI Group Sync Agent to provide near real-time sync for all UW group changes has been completed and deployed. Notable improvements include:

                * Group Service latency to UWWI is significantly reduced

                * UWWI groups are reconciled with the Groups Service now, which self-corrects any errors on UWWI groups that might creep in

                * Course group changes are provisioned to UWWI in near-real time

 

====Spotlights====

 

* A majority of delegated OU customers have misconfigured their computers primary DNS suffix–with greater than 90% of all computers misconfigured. This problem subtly affects functionality, most notably reducing negotiated security levels. A separate announcement will include more details on this issue and plans to address it.

 

* A project to decommission the UW Forest by mid-February 2013 continues. All remaining domains are in the process of domain migrations either to a delegated OU or to a new Windows forest, and all are making good progress.

 

==== Trends ====

 

* Since June, UWWI has added: 10 delegated OUs (62 total), 1 trusts (54 total), ~1100 computers (5600 total), ~17k users (579k total).

* UWWI support requests remain steady. 119 UWWI support tickets resolved since June (vs. 122 in prior period).

* UWWI supports all the new types of institutional groups being piloted in the Groups Service: by degree level, class standing, curriculum, etc.

 

You can see metrics about UWWI at http://www.netid.washington.edu/dirinfo/stats.

 

==== What’s Next ====

 

Our objectives for the months ahead include:

 

* Continued support of the university-wide Business Continuity Initiative by creating geo-redundancy continuity plans for UWWI NETID domain services.

* Continued support of the Office 365 project and the UW Exchange service as it integrates the UWWI NETID domain services with an Office 365 deployment.

* Continue to investigate how Active Directory Federation Services (ADFS) integrates into our overall authentication architecture for customers.

* Invest in changes needed for Unix integration

* Support UW-IT effort to investigate SCCM 2012 delegation features to enable OU customers to deploy SCCM for computer management within the NETID domain.

 

==== Your Feedback ====

 

Supporting your needs for UWWI capabilities offered via the Basic Services Bundle is our priority, so we welcome feedback on how we can make the UWWI service more valuable to you.

 

The UWWI service has a backlog visible to customers at https://jira.cac.washington.edu/browse/UWWI where you can get more details about possible improvements, current prioritization of that work, and even what we’ve been doing. You can “vote” for items in the backlog to help us rank priorities, or you can contact us via iam-support@uw.edu.

 

RE: UWWI user mail attribute change

 

This change is beginning. We expect the change to take more than 24 hours, and possibly as much as 72 hours.

 

From: Brian Arkills Sent: Friday, November 09, 2012 12:28 PM To: ‘uwwi-announce@uw.edu’ (uwwi-announce@uw.edu) Subject: UWWI user mail attribute change

 

A significant change is planned to the NETID domain service.

 

What and When:

 

During the break between fall quarter and winter quarter, UW-IT will be changing the mail attribute value to <uwnetid>@uw.edu for *all* UWWI users. For example, for NETID\barkills, the mail value will change from barkills@washington.edu to barkills@uw.edu.

 

The mail attribute provides a reliable email address for a UWWI user. For example, Exchange uses it in forming its off-line address book.

 

This change will likely span several days. After this change, the UW Exchange service will manage the mail value.

 

What you need to do:

 

Nothing, unless you have a service that leverages the UWWI user mail attribute. If you do, you may need to adjust your service accordingly. Note that users can still direct where email is delivered by changing their UW email forwarding settings, via the UW NetID Manage page.

 

If you have concerns or questions, please send an email to help@uw.edu with “UWWI mail attribute” in the subject.

 

More details:

 

This change is being made for multiple reasons:

  • to address lack of user input validation
  • to reduce the complexity around how the mail value is provisioned
  • to enforce uniqueness, preventing multiple users from having the same email address
  • to enable Office 365 integration with the UWWI NETID domain services; Office 365 has several rules that necessitate this change

 

Brian Arkills

UW-IT, Identity and Access Management

UWWI Technical Lead

UWWI user mail attribute change

A significant change is planned to the NETID domain service.

 

What and When:

 

During the break between fall quarter and winter quarter, UW-IT will be changing the mail attribute value to <uwnetid>@uw.edu for *all* UWWI users. For example, for NETID\barkills, the mail value will change from barkills@washington.edu to barkills@uw.edu.

 

The mail attribute provides a reliable email address for a UWWI user. For example, Exchange uses it in forming its off-line address book.

 

This change will likely span several days. After this change, the UW Exchange service will manage the mail value.

 

What you need to do:

 

Nothing, unless you have a service that leverages the UWWI user mail attribute. If you do, you may need to adjust your service accordingly. Note that users can still direct where email is delivered by changing their UW email forwarding settings, via the UW NetID Manage page.

 

If you have concerns or questions, please send an email to help@uw.edu with “UWWI mail attribute” in the subject.

 

More details:

 

This change is being made for multiple reasons:

  • to address lack of user input validation
  • to reduce the complexity around how the mail value is provisioned
  • to enforce uniqueness, preventing multiple users from having the same email address
  • to enable Office 365 integration with the UWWI NETID domain services; Office 365 has several rules that necessitate this change

 

Brian Arkills

UW-IT, Identity and Access Management

UWWI Technical Lead

NETID DC promotions and demotions

Several changes are planned for the UWWI NETID domain service. These changes will close the existing temporary service capacity gap, which was noted in the email below sent 2 weeks ago.

 

What and When:

Several new domain controllers on a network not previously in the UWWI firewall documentation will be promoted beginning this Thursday, 11/8. One DC will be promoted on 11/8, with 2 additional DCs following over the following week for a total of 3 new NETID domain controllers.

 

After these 3 new DCs have been added, 2 of the existing domain controllers will be demoted as they have reached end of life.

 

What you need to do:

If you have a firewall or network filters, you may need to adjust them (see link below).

 

If you’ve hard-coded specific domain controller names in applications or code, you will need to adjust that configuration. If you have hard-coded either mace.netid.washington.edu or yoda.netid.washington.edu, please change that configuration.

 

If neither of these situations apply to you, then you don’t need to do anything.

 

More info:

Another network has been added to the UWWI firewall list: 172.16.31.0/24 (172.16.31.0-172.16.31.255).

 

The network that leia.netid.washington.edu was on has been removed from the UWWI firewall list. For reference that network was: 172.22.14.0/27 (172.22.14.0-172.22.14.31).

 

You can find the list of networks that correspond to NETID DCs to configure in your firewalls at http://www.netid.washington.edu/documentation/trustWithFirewall.aspx.

 

When all DC demotions are complete, we will remove two of the networks listed in that document, so if you do manage network filters you may want to check back in 3-4 weeks to remove unnecessary networks in your filters in the future.

 

> —–Original Message—–

> From: Brian Arkills

> Sent: Tuesday, October 23, 2012 12:38 PM

> To: ‘uwwi-announce@uw.edu’ (uwwi-announce@uw.edu)

> Subject: Netid domain controller (leia) forcible demotion planned ~1pm

> today

>

> Due to internal AD database corruption on Leia.netid.washington.edu and

> replication problems it was having, we have determined that we need to

> demote leia.netid.washington.edu, one of 5 existing domain controllers

> providing the NETID domain service in the UWWI service line. Leia has been

> offline since yesterday evening and won’t be coming back online. You may

> have experienced odd problems because of Leia’s AD corruption. If you think

> you’ve got a lingering issue caused by this, please do open a help request via

> help@uw.edu with UWWI somewhere in the subject line, and we’ll try to

> assist you.

>

> We have already replaced leia as the DNS primary for clients.uw.edu, the

> DDNS zone provided for delegated OU customers, and there has been no

> impact to customers of that service.

>

> This work represents a minor degradation in service capacity, but this is

> expected to be the case only for a short period, as leia was planned to be

> replaced in the coming months.

>

> If, for some reason, you’ve hard-coded something to

> leia.netid.washington.edu, you will want to change that.

>

> Brian Arkills

> UW-IT, Identity and Access Management

> UW Windows Infrastructure technical lead

 

Netid domain controller (leia) forcible demotion planned ~1pm today

Due to internal AD database corruption on Leia.netid.washington.edu and replication problems it was having, we have determined that we need to demote leia.netid.washington.edu, one of 5 existing domain controllers providing the NETID domain service in the UWWI service line. Leia has been offline since yesterday evening and won’t be coming back online. You may have experienced odd problems because of Leia’s AD corruption. If you think you’ve got a lingering issue caused by this, please do open a help request via help@uw.edu with UWWI somewhere in the subject line, and we’ll try to assist you.

 

We have already replaced leia as the DNS primary for clients.uw.edu, the DDNS zone provided for delegated OU customers, and there has been no impact to customers of that service.

 

This work represents a minor degradation in service capacity, but this is expected to be the case only for a short period, as leia was planned to be replaced in the coming months.

 

If, for some reason, you’ve hard-coded something to leia.netid.washington.edu, you will want to change that.

 

Brian Arkills

UW-IT, Identity and Access Management

UW Windows Infrastructure technical lead

 

Minor UWWI course group naming adjustment

This communication informs you of changes planned to the NETID domain.

 

What and When:

On this Friday 9/7, UW-IT will be renaming approximately 10000 existing course groups which are out of alignment with UW Groups Service naming.

 

What you need to do:

Nothing, unless you have specially hard-coded one of the affected course groups by name. This should be very rare, if at all. If you have hard-coded, then you should make adjustments so that you use the new name after Friday.

 

More details:

Back in 2006, there was no UW Groups Service naming policy, and course groups had no “group id” in the only customer accessible interface available at the time (GDS). UWWI invented its own group id to represent course groups. As the Groups Service has evolved, course groups names have emerged. This work brings UWWI into alignment with the course group names in the Groups service. Most UWWI customers rely on a SID underlying a course group, so a group name change doesn’t affect functionality–it only affects how GUIs display the group’s that are referenced.

 

In specific, the affected course groups are those which have a space character in their curriculum code. The UW Groups service doesn’t allow spaces, but UWWI has been allowing spaces in these course group names since 2006. UWWI will follow the UW Groups service practice of replacing a space in the curriculum code with a hyphen. For example:

 

course_2011aut-A A198A will become course_2011aut-A-A198A

 

This change is needed to facilitate a larger change to real-time UWWI group sync processing. When we make the switch to real-time UWWI group sync processing, all new course group names will be lowercase, but existing course groups will remain mixed case (until they are deleted, per the UW Groups course group lifecycle).

 

If you have any questions about this change, please send an email to help@uw.edu with “UWWI course group change” in the subject.

 

Thanks!

 

Brian Arkills

UW-IT, UWWI service technical lead