
2013 January

Here’s an update on recent happenings with the UW Windows Infrastructure.

 

==== New Capabilities and Improvements ====

 

* Work to replace aging NETID domain controllers has resulted in 3 new DCs. This work included applying the WS2012 schema and also partially addressed some geo-redundant disaster recovery goals by locating a domain controller out of the Puget Sound region. Work to refresh existing WS2008R2 DCs to WS2012 continues.

 

* Windows 8, Windows Server 2012, and Office 2013 license activation capabilities were added by replacing the campus KMS server.

 

* The mail attribute value for all UWWI user accounts was changed to <uwnetid>@uw.edu to facilitate Office 365 integration, eliminate user errors, and prevent multiple users from having the same email value.

 

* Work to refactor the UWWI Group Sync Agent to provide near real-time sync for all UW group changes has been completed and deployed. Notable improvements include:

    * Group Service latency to UWWI is significantly reduced
    * UWWI groups are reconciled with the Groups Service now, which self-corrects any errors on UWWI groups that might creep in
    * Course group changes are provisioned to UWWI in near-real time

 

====Spotlights====

 

* A majority of delegated OU customers have misconfigured their computers’ primary DNS suffix, with greater than 90% of all computers misconfigured. This problem subtly affects functionality, most notably by reducing negotiated security levels. A separate announcement will include more details on this issue and plans to address it.
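A check a delegated OU administrator can run on a computer to spot the misconfiguration described above. This is an added example, not UW-IT tooling: it reads the live TCP/IP parameters and compares the primary DNS suffix with the DNS name of the joined Active Directory domain, which is the Windows default (the announcement does not spell out the expected value, so that equality is this example's assumption). The registry value names and the `Win32_ComputerSystem` properties are standard Windows.

```powershell
# Added example, not UW-IT tooling: does this computer's primary DNS suffix match the
# DNS name of the AD domain it is joined to? Run on the computer being checked, or
# wrap it in Invoke-Command to run it across a delegated OU.

function Test-PrimaryDnsSuffix {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        return [pscustomobject]@{ Computer = $cs.Name; Joined = $false; Match = $null; Note = 'not domain-joined' }
    }

    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $active  = [string]$p.Domain          # primary DNS suffix in effect now
    $pending = [string]$p.'NV Domain'     # value that applies after the next reboot
    $sync    = $p.SyncDomainWithMembership   # 1 (default) = suffix follows domain membership

    [pscustomobject]@{
        Computer       = $cs.Name
        Joined         = $true
        ADDomain       = $cs.Domain
        PrimarySuffix  = $active
        PendingSuffix  = $pending
        SyncWithDomain = ($sync -eq 1)
        # Assumption of this check: a correctly configured member has suffix == domain name.
        Match          = ($active -ieq $cs.Domain)
    }
}

$check = Test-PrimaryDnsSuffix
$check | Format-List

if ($check.Joined -and -not $check.Match) {
    Write-Warning "Primary DNS suffix '$($check.PrimarySuffix)' does not match domain '$($check.ADDomain)'."
    # Remediation (administrator rights; a reboot is needed for the new suffix to take effect):
    #   Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -Name 'NV Domain' -Value $check.ADDomain
    #   Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -Name 'SyncDomainWithMembership' -Value 1 -Type DWord
}
```

Reporting `PendingSuffix` separately matters because a computer can look correct in the registry but still be running with the old suffix until it reboots; the `Match` column reflects what is in effect now.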

 

* A project to decommission the UW Forest by mid-February 2013 continues. All remaining domains are in the process of domain migrations either to a delegated OU or to a new Windows forest, and all are making good progress.

 

==== Trends ====

 

* Since June, UWWI has added: 10 delegated OUs (62 total), 1 trust (54 total), ~1100 computers (5600 total), ~17k users (579k total).

* UWWI support requests remain steady. 119 UWWI support tickets resolved since June (vs. 122 in prior period).

* UWWI supports all the new types of institutional groups being piloted in the Groups Service: by degree level, class standing, curriculum, etc.

 

You can see metrics about UWWI at http://www.netid.washington.edu/dirinfo/stats.

 

==== What’s Next ====

 

Our objectives for the months ahead include:

 

* Continued support of the university-wide Business Continuity Initiative by creating geo-redundancy continuity plans for UWWI NETID domain services.

* Continued support of the Office 365 project and the UW Exchange service as it integrates the UWWI NETID domain services with an Office 365 deployment.

* Continue to investigate how Active Directory Federation Services (ADFS) integrates into our overall authentication architecture for customers.

* Invest in changes needed for Unix integration

* Support UW-IT effort to investigate SCCM 2012 delegation features to enable OU customers to deploy SCCM for computer management within the NETID domain.

 

==== Your Feedback ====

 

Supporting your needs for UWWI capabilities offered via the Basic Services Bundle is our priority, so we welcome feedback on how we can make the UWWI service more valuable to you.

 

The UWWI service has a backlog visible to customers at https://jira.cac.washington.edu/browse/UWWI where you can get more details about possible improvements, current prioritization of that work, and even what we’ve been doing. You can “vote” for items in the backlog to help us rank priorities, or you can contact us via iam-support@uw.edu.

 

RE: UWWI user mail attribute change

 

This change is beginning. We expect the change to take more than 24 hours, and possibly as much as 72 hours.

 

From: Brian Arkills
Sent: Friday, November 09, 2012 12:28 PM
To: ‘uwwi-announce@uw.edu’ (uwwi-announce@uw.edu)
Subject: UWWI user mail attribute change

 

A significant change is planned to the NETID domain service.

 

What and When:

 

During the break between fall quarter and winter quarter, UW-IT will be changing the mail attribute value to <uwnetid>@uw.edu for *all* UWWI users. For example, for NETID\barkills, the mail value will change from barkills@washington.edu to barkills@uw.edu.

 

The mail attribute provides a reliable email address for a UWWI user. For example, Exchange uses it in forming its off-line address book.

 

This change will likely span several days. After this change, the UW Exchange service will manage the mail value.

 

What you need to do:

 

Nothing, unless you have a service that leverages the UWWI user mail attribute. If you do, you may need to adjust your service accordingly. Note that users can still direct where email is delivered by changing their UW email forwarding settings, via the UW NetID Manage page.

 

If you have concerns or questions, please send an email to help@uw.edu with “UWWI mail attribute” in the subject.

 

More details:

 

This change is being made for multiple reasons:

  • to address lack of user input validation
  • to reduce the complexity around how the mail value is provisioned
  • to enforce uniqueness, preventing multiple users from having the same email address
  • to enable Office 365 integration with the UWWI NETID domain services; Office 365 has several rules that necessitate this change

 

Brian Arkills

UW-IT, Identity and Access Management

UWWI Technical Lead


NETID DC promotions and demotions

Several changes are planned for the UWWI NETID domain service. These changes will close the existing temporary service capacity gap, which was noted in the email below sent 2 weeks ago.

 

What and When:

Several new domain controllers on a network not previously in the UWWI firewall documentation will be promoted beginning this Thursday, 11/8. One DC will be promoted on 11/8, with 2 additional DCs following during the next week, for a total of 3 new NETID domain controllers.

 

After these 3 new DCs have been added, 2 of the existing domain controllers will be demoted as they have reached end of life.

 

What you need to do:

If you have a firewall or network filters, you may need to adjust them (see link below).

 

If you’ve hard-coded specific domain controller names in applications or code, you will need to adjust that configuration. If you have hard-coded either mace.netid.washington.edu or yoda.netid.washington.edu, please change that configuration.

 

If neither of these situations apply to you, then you don’t need to do anything.
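A way to find the hard-coded DC names this announcement asks customers to look for. This is an added example, not UW-IT tooling: it scans configuration and script files for any host under `netid.washington.edu` and flags the ones named in these announcements as demoted or being replaced. The scanned directory and the file contents are constructed so the script runs stand-alone; in practice you would point `-Path` at your application and script folders.

```powershell
# Added example, not UW-IT tooling: report configuration that names a NETID domain
# controller directly. Such entries break when that DC is demoted; the durable fix is to
# reference the domain name and let DC locator choose a live DC.

# DC names taken from the announcements on this page.
$demotedDcs = @('leia.netid.washington.edu', 'mace.netid.washington.edu', 'yoda.netid.washington.edu')

# Constructed sample files (not real configuration) so the scan has something to find.
$sampleRoot = Join-Path $env:TEMP 'uwwi-dc-scan'
New-Item -ItemType Directory -Path $sampleRoot -Force | Out-Null
Set-Content -Path (Join-Path $sampleRoot 'app.config') -Value @(
    '<add key="LdapServer" value="mace.netid.washington.edu" />',
    '<add key="LdapPort" value="636" />'
)
Set-Content -Path (Join-Path $sampleRoot 'sync.ps1') -Value @(
    '$dc = "dc1.netid.washington.edu"   # constructed host name, not a DC on this page',
    'Get-ADUser -Server $dc -Filter *'
)
Set-Content -Path (Join-Path $sampleRoot 'good.config') -Value '<add key="Domain" value="netid.washington.edu" />'

function Find-HardCodedDc {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [Parameter(Mandatory)][string[]]$DemotedDcs
    )
    # A host label followed by the NETID domain; the bare domain name is not matched.
    $dcPattern = '\b[a-z0-9-]+\.netid\.washington\.edu\b'

    Get-ChildItem -Path $Path -Recurse -File -Include *.config,*.xml,*.ini,*.ps1,*.conf,*.json -ErrorAction SilentlyContinue |
        Select-String -Pattern $dcPattern -AllMatches |
        ForEach-Object {
            foreach ($m in $_.Matches) {
                $hostName = $m.Value.ToLowerInvariant()
                [pscustomobject]@{
                    File     = $_.Path
                    Line     = $_.LineNumber
                    HostName = $hostName
                    Demoted  = ($DemotedDcs -contains $hostName)
                }
            }
        }
}

Find-HardCodedDc -Path $sampleRoot -DemotedDcs $demotedDcs |
    Sort-Object Demoted -Descending |
    Format-Table -AutoSize
```

With the constructed files, `app.config` is reported as `Demoted = True` and `sync.ps1` as `False`; `good.config` is not reported because it references only the domain name, which is the configuration the announcement is steering customers toward.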

 

More info:

Another network has been added to the UWWI firewall list: 172.16.31.0/24 (172.16.31.0-172.16.31.255).

 

The network that leia.netid.washington.edu was on has been removed from the UWWI firewall list. For reference that network was: 172.22.14.0/27 (172.22.14.0-172.22.14.31).

 

You can find the list of networks that correspond to NETID DCs to configure in your firewalls at http://www.netid.washington.edu/documentation/trustWithFirewall.aspx.

 

When all DC demotions are complete, we will remove two of the networks listed in that document, so if you manage network filters, you may want to check back in 3-4 weeks and remove the networks that are no longer needed.

 

> —–Original Message—–
> From: Brian Arkills
> Sent: Tuesday, October 23, 2012 12:38 PM
> To: ‘uwwi-announce@uw.edu’ (uwwi-announce@uw.edu)
> Subject: Netid domain controller (leia) forcible demotion planned ~1pm today
>
> Due to internal AD database corruption on Leia.netid.washington.edu and replication problems it was having, we have determined that we need to demote leia.netid.washington.edu, one of 5 existing domain controllers providing the NETID domain service in the UWWI service line. Leia has been offline since yesterday evening and won’t be coming back online. You may have experienced odd problems because of Leia’s AD corruption. If you think you’ve got a lingering issue caused by this, please do open a help request via help@uw.edu with UWWI somewhere in the subject line, and we’ll try to assist you.
>
> We have already replaced leia as the DNS primary for clients.uw.edu, the DDNS zone provided for delegated OU customers, and there has been no impact to customers of that service.
>
> This work represents a minor degradation in service capacity, but this is expected to be the case only for a short period, as leia was planned to be replaced in the coming months.
>
> If, for some reason, you’ve hard-coded something to leia.netid.washington.edu, you will want to change that.
>
> Brian Arkills
> UW-IT, Identity and Access Management
> UW Windows Infrastructure technical lead

 

 

Minor UWWI course group naming adjustment

This communication informs you of changes planned to the NETID domain.

 

What and When:

On this Friday 9/7, UW-IT will be renaming approximately 10000 existing course groups which are out of alignment with UW Groups Service naming.

 

What you need to do:

Nothing, unless you have specially hard-coded one of the affected course groups by name. This should be very rare, if at all. If you have, then adjust your configuration to use the new name after Friday.

 

More details:

Back in 2006, there was no UW Groups Service naming policy, and course groups had no “group id” in the only customer-accessible interface available at the time (GDS). UWWI invented its own group id to represent course groups. As the Groups Service has evolved, course group names have emerged. This work brings UWWI into alignment with the course group names in the Groups Service. Most UWWI customers rely on the SID underlying a course group, so a group name change doesn’t affect functionality; it only affects how GUIs display the groups that are referenced.

 

Specifically, the affected course groups are those which have a space character in their curriculum code. The UW Groups Service doesn’t allow spaces, but UWWI has been allowing spaces in these course group names since 2006. UWWI will follow the UW Groups Service practice of replacing a space in the curriculum code with a hyphen. For example:

 

course_2011aut-A A198A will become course_2011aut-A-A198A

 

This change is needed to facilitate a larger change to real-time UWWI group sync processing. When we make the switch to real-time UWWI group sync processing, all new course group names will be lowercase, but existing course groups will remain mixed case (until they are deleted, per the UW Groups course group lifecycle).

 

If you have any questions about this change, please send an email to help@uw.edu with “UWWI course group change” in the subject.

 

Thanks!

 

Brian Arkills

UW-IT, UWWI service technical lead

 

UWWI schema changes

This communication informs you of changes planned to the NETID domain.

 

What and When:

UW-IT will be applying 2 schema changes on Thursday, August 23.

 

What you need to do:

Nothing! 🙂

 

More details:

We’ll be modifying a custom object class we added back in 2006 to address an issue with our ongoing group integration refactor work. That work seeks to move Group Service integration with UWWI to near real-time synchronization (and that work is nearing completion). Specifics about this schema change will be documented at http://www.netid.washington.edu/documentation/schema.aspx as all schema changes are.

 

We’ll also be applying the Windows Server 2012 schema, whose details can be found at Microsoft’s website, to enable the various features it brings.

 

————————

Change Look Ahead:

We expect there to be more changes coming in the next month or so. These will include a customer-requested schema change and the mail attribute value change we’ve mentioned previously. Looking slightly more than a month ahead, we also expect to begin adding WS2012 domain controllers.

 

2012 July

Here’s an update on recent happenings with the UW Windows Infrastructure.

 

Readers should give special attention to the planned change to the UWWI user mail attribute values, as detailed below.

 

==== New Capabilities and Improvements ====

 

* Reflecting the heavy growth of the UWWI line of business, UW-IT has increased the staff allocation:

    * Will Kaufman, a technical support representative who also works with UW-IT’s managed workstation service, has begun fielding some 1st tier tickets.
    * Eric Kool-Brown, a new hire, is going through on-board training. During his career at Microsoft, Eric worked on the original design of Active Directory Users and Computers, among many other things.

 

====Spotlights====

 

* Work with the Office 365 project team has identified an urgent need to change the UWWI user mail attribute provisioning algorithm. Known problems include:

    * lack of user input validation (misspellings abound),
    * no constraints around the DNS subdomain specified,
    * the ability for more than a single user account to have the same address.

 

A plan to address this has been formed:

    * During the summer, we’ll reset all UWWI user accounts’ mail value to <uwnetid>@uw.edu.
    * We’ll add a capability to the UW NetID Manage page to allow users to change from this default value. The UW NetID Manage page will:
        * enforce input validation,
        * know about “accepted DNS domains”, and
        * not allow more than a single user account to have the same address.

 

The UW NetID Manage page will also provide a method for users to control whether they are included in the UW Exchange/Office 365 global address list (GAL).

 

We’ll have more info about this change as it approaches. If you have an application that integrates with the NETID domain which leverages the UWWI user mail attribute and you have concerns about this change, please let us know. We expect this change to happen in the next 3-6 weeks.
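The three controls this plan describes (input validation, an accepted-domain list, and uniqueness), and the reset to `<uwnetid>@uw.edu` that the November 2012 announcement later carried out, shown as an added example that is not the UW NetID Manage page's code. The sample accounts, their defective "before" values and the accepted-domain list are constructed for illustration; the real list of accepted DNS domains is UW-IT's to define.

```powershell
# Added example, not UW-IT code: validate a user-chosen mail value the way the plan
# above describes, after first resetting every account to the <uwnetid>@uw.edu default.

# Constructed "before" state showing the defects the plan calls out.
$existingMail = @{
    'barkills' = 'barkills@washington.edu'
    'jdoe'     = 'jdoe@washingtn.edu'      # misspelled domain: no input validation
    'asmith'   = 'shared@example.org'      # arbitrary DNS domain
    'bjones'   = 'shared@example.org'      # same address on two accounts
}

# Assumed accepted DNS domains (illustrative, not UW-IT's list).
$acceptedDomains = @('uw.edu', 'washington.edu', 'u.washington.edu')

function Get-DefaultMailValue {
    param([Parameter(Mandatory)][string]$UwNetId)
    "$($UwNetId.ToLowerInvariant())@uw.edu"
}

function Test-MailValue {
    param(
        [Parameter(Mandatory)][string]$UwNetId,
        [Parameter(Mandatory)][string]$Candidate,
        [Parameter(Mandatory)][hashtable]$Directory,      # uwnetid -> current mail value
        [Parameter(Mandatory)][string[]]$AcceptedDomains
    )
    $result = [ordered]@{ UwNetId = $UwNetId; Candidate = $Candidate; Ok = $false; Reason = '' }

    # 1. Input validation: one '@', a restricted local part, no whitespace.
    if (-not ($Candidate -match '^(?<local>[A-Za-z0-9._%+-]+)@(?<domain>[A-Za-z0-9.-]+)$')) {
        $result.Reason = 'malformed address'
        return [pscustomobject]$result
    }
    $domain = $Matches['domain'].ToLowerInvariant()

    # 2. Domain constraint: only accepted DNS domains may be used.
    if ($AcceptedDomains -notcontains $domain) {
        $result.Reason = "domain '$domain' is not an accepted DNS domain"
        return [pscustomobject]$result
    }

    # 3. Uniqueness: no other account may already hold this value.
    $owner = $Directory.GetEnumerator() |
        Where-Object { $_.Value -ieq $Candidate -and $_.Key -ne $UwNetId } |
        Select-Object -First 1
    if ($owner) {
        $result.Reason = "address already used by $($owner.Key)"
        return [pscustomobject]$result
    }

    $result.Ok = $true
    $result.Reason = 'accepted'
    [pscustomobject]$result
}

# Step 1 of the plan: reset every account to the default value.
$directory = @{}
foreach ($id in $existingMail.Keys) { $directory[$id] = Get-DefaultMailValue -UwNetId $id }

# Step 2: users change the default through the Manage page; each request is validated
# against the current directory and applied only if it passes.
@(
    @{ Id = 'barkills'; Value = 'barkills@washington.edu' },  # accepted
    @{ Id = 'jdoe';     Value = 'jdoe@washingtn.edu' },       # rejected: domain
    @{ Id = 'asmith';   Value = 'a smith@uw.edu' },           # rejected: malformed
    @{ Id = 'bjones';   Value = 'asmith@uw.edu' }             # rejected: held by asmith
) | ForEach-Object {
    $r = Test-MailValue -UwNetId $_.Id -Candidate $_.Value -Directory $directory -AcceptedDomains $acceptedDomains
    if ($r.Ok) { $directory[$_.Id] = $_.Value }
    $r
} | Format-Table -AutoSize
```

The uniqueness check deliberately compares case-insensitively and excludes the requesting account itself, so a user re-saving their own current value is not rejected as a duplicate of themselves.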

 

* An Annual Service Assessment for the UW Windows Infrastructure line of business was completed. UW-IT has plans to make these customer visible, as they include relevant information like 1 and 3 year forecasts.

 

* UW-IT kicked off a project to decommission the UW Forest. Customers in the forest have plans to migrate out by February 2013. 2 domains have shut down since the project started, 8 customer domains remain. Most of these customers plan to migrate to a delegated OU.

 

* Brian Arkills, UW-IT’s technical lead for the UW Windows Infrastructure line of business, was recently honored by Microsoft with their MVP award for his contributions in Directory Services technical communities during the past year.

 

==== Trends ====

 

* Since December, UWWI has added: 14 delegated OUs (52 total), 2 trusts (53 total), ~1100 computers (4500 total), ~42k users (562k total).

* UWWI support requests remain steady. 122 UWWI support tickets resolved since December.

* OU utilization rates (based on requestor’s projections) indicate that a lot of OUs are getting started. 16 OUs have more adoption than planned, 9 are making progress towards their plans, and 27 are getting started.

 

You can see metrics about UWWI at http://www.netid.washington.edu/dirinfo/stats.

 

==== What’s Next ====

 

Our objectives for the months ahead include:

 

* Continued work and changes to support the Office 365 project. As noted above, this will include a change to the UWWI user mail attribute, and we may replace our existing ILM deployment with the newest FIM release.

* Continue to refactor the UWWI Group Sync Agent to provide near real-time sync with reduced latency for all UW group changes. We think this work will be deployed in August. This improvement, together with another imminent improvement to the way course groups are provisioned to the Groups service, will result in near real-time course groups in the NETID domain.

* Support of the university-wide Business Continuity Initiative by placing a NETID DC in a separate geo-zone. Other critical UWWI infrastructure will also be considered in the future.

* Support the many delegated OU customers getting started and in the midst of migrations over the summer.

 

Additionally, some possibilities given enough resources:

 

* Investigate what’s needed to provide a scalable ADFS service that customers can leverage for federated authentication to/from the Windows platform.

* Invest in changes needed for Unix integration

* Investigate SCCM 2012 delegation features to enable OU customers to deploy SCCM for computer management within the NETID domain.

 

==== Your Feedback ====

 

Supporting your needs for UWWI capabilities offered via the Basic Services Bundle is our priority, so we welcome feedback on how we can make the UWWI service more valuable to you.

 

The UWWI service has a backlog visible to customers at https://jira.cac.washington.edu/browse/UWWI where you can get more details about possible improvements, current prioritization of that work, and even what we’ve been doing. You can “vote” for items in the backlog to help us rank priorities, or you can contact us via iam-support@uw.edu.

 

RE: new subnet added to UWWI firewall guidance

An update:

 

We’ve decided to not proceed with moving this DC across networks as the data center for this DC doesn’t have 1Gb network capabilities available. Instead, we’ll closely monitor network utilization for the remaining lifetime of this DC and address the network capacity issue on this particular DC when we replace it (which will be sometime in the next year). Current network utilization over the past week is substantially reduced (was temporarily elevated to capacity during the period that UW Exchange experienced issues).

 

The firewall guidance document has been updated to remove the network we had planned on moving to. A careful reader noted a mistake in that document, and that mistake has also been addressed.

 

From: Brian Arkills [mailto:barkills@washington.edu]
Sent: Friday, January 20, 2012 7:38 AM
To: ‘uwwi-announce@uw.edu’ (uwwi-announce@uw.edu)
Subject: new subnet added to UWWI firewall guidance

 

What you need to do:

If you have a firewall or network filters, you may need to adjust them (see link below).

 

When:

An existing DC will be moved to a new network sometime after Friday, February 3.

 

More info:

Mace.netid.washington.edu will move to 172.22.15.64/27 to facilitate upgrading its network connection from 100Mb to 1Gb. Mace is experiencing high network utilization near its existing network capacity from the existing UW Exchange issues, so this is a preventative measure for future high load situations. After Mace has been moved, the firewall guidance doc will be revised to remove Mace’s old network.

 

See http://www.netid.washington.edu/documentation/trustWithFirewall.aspx for full information about firewall guidance from your domain controllers or clients that need to connect to the NETID domain controllers.

 

Brian Arkills

UW-IT, Identity and Access Management

 
