uwwi-discuss mailing list

This email is to inform you that there is another mailing list you might be interested in joining.

uwwi-discuss@uw.edu is a mailman list with the following two intentions:

a) Enable more detailed information about the UWWI service to be communicated than the uwwi-announce list

b) Enable two-way conversation, i.e. anyone on the list can post to it

With respect to a), the UWWI service plans to send change notifications that we generally wouldn’t send to uwwi-announce. There are quite a few changes that happen to the UWWI service which are not judged to be impactful, but whose details may be of interest, so we don’t bother everyone on uwwi-announce with them. As an example, we made a fairly big architectural change to the UWWI Group Sync Agent in January that we didn’t send to the uwwi-announce mailing list, but likely would be interesting to some number of customers. If they are notable, they make it into our semi-annual newsletters, but not much detail is shared even then. Near the end of each month, I’m also planning on sending a monthly operational update to the uwwi-discuss list which will give you a sense of what’s going on, and what planned changes we think are coming up in the next month.

With respect to b), there currently isn’t a good way for the UWWI service to do customer outreach, where we capture your input about the service. By having 2-way conversations, we’d like to enable you to have a smaller feedback loop (and hear what other customers think/want). There also isn’t a good way for you to share solutions with each other. If I had a nickel for how many times I’ve sent one of you to another because I knew you had done some work in a particular area, I’d be rich. 🙂 But that targeted direction isn’t really fair, and I think a mailing list allows folks to choose to contribute as time allows instead of being put on the spot.

Go to https://mailman1.u.washington.edu/mailman/listinfo/uwwi-discuss to join the uwwi-discuss mailing list.

And again, it’s not required, but it may be something you’d like to join.

Brian Arkills

UW-IT, Identity and Access Management

UWWI Service Manager

2014 January

Here’s our semi-annual newsletter update on recent happenings with the UW Windows Infrastructure.

==== New Capabilities and Improvements ====

* A PowerShell script for creating computer objects in your delegated OU is now available. See http://www.netid.washington.edu/documentation/newUWWIComputer.aspx for more info.

* Limited GPO recovery now available. Each 1st and 15th of the month, we backup all GPOs, with a retention of 1 month. If you’d like a GPO restored from those backups, we can easily support that need.

* Basic document published on how to add a Mac to a delegated OU: http://www.netid.washington.edu/documentation/addMac.aspx. Please feel free to send us your recommended improvements.

* A variety of authentication modernization happened:

-NT4Crypto support disabled,

-FAST support (Kerberos armoring) enabled,

-attempt to turn off NTLMv1 (which was rolled back)

* Additional computer permissions for each delegated OU’s computerjoiners group

* InCommon CA root cert trust added to all NETID computers via domain group policy

* Improved request process for elevated NETID directory access

====Spotlights====

* During July, we successfully tested a bare-metal offline recovery of the NETID domain from backup. Work to ensure that the business critical systems in the UWWI service are geo-redundant has progressed from 50% complete to 80% complete. This work is part of the university’s Business Continuity initiative.

* We’re still licking our wounds over the failed attempt to turn off the NTLMv1 authentication protocol. During the Winter 2014 quarter, we’ll regroup & analyze NTLMv1 authentication afresh with the benefit of knowing which applications had problems during this summer’s failed attempt. We already have a list of known problems and workarounds, but we need to complete the analysis before attempting this change again. It’s possible we’ll be ready to try again in Spring 2014. Expect to see more detailed information via the uwwi-announce mailing list when we’ve completed our analysis of the problems and workarounds. If you’d like an earlier peek at what we’ve got so far or would like to partner with us, please let us know.

* Over the past 6 months, UWWI has performed lots of maintenance activities–mostly of the non-deferrable kind. While it’s not exciting, I think sharing this kind of work occasionally is useful to give you an idea of the level of operational activity happening behind the scenes. Here’s a list of things we’ve done to keep things running and current:

-Sysvol replication changed to DFS-R (older replication is dead in Windows Server 2012 R2),

-KMS support extended to Windows 8.1/Windows Server 2012 R2,

-UWWI user reconciliation with the UW NetID service (cleanup from a January 2012 incident)

-Windows Firewall enabled on domain controllers (and all other UWWI service servers)

-Domain controller time configuration updated (to reflect updated best practice guidance from Microsoft)

-DNS zone move to AD-integrated DNS (this happened on 12/29)

-Progress on implementing security protections for use of Kerberos Delegation (the ability to get a logon token without the user providing their credentials)

* As of November 27th, 2013, the UW Forest service option reached end of life. This service option has been around for 13 years, and was a precursor to the UWWI service. This milestone marks the end of a long-running and highly useful collaboration across UW departments. Our congratulations to everyone who survived migration!! 🙂

==== Trends ====

* Since January, UWWI has added: 3 delegated OUs (76 total), 0 trusts (57 total), ~1200 computers (7750 total), ~16k users (638k total), ~5k groups (102k total).

* UWWI support requests have grown by 17%. 176 UWWI support tickets resolved since July (vs. 151 in prior period).

You can see metrics about UWWI at http://www.netid.washington.edu/dirinfo/stats.

==== What’s Next ====

Our objectives for the 6 months ahead include:

* Release of a refactored version of the UWWI Group Sync Agent that leverages the Amazon Message Bus, instead of an ActiveMQ message queue that is no longer supported. We anticipate this will be released in Winter quarter 2014.

* Release of self-service Group Managed Service Account (gMSA) capability, which provides service accounts with passwords that no human ever sees, with automatic password updates built-in. We plan to encourage gMSAs over Application UW NetIDs, where applicable. A proposal to release this capability is complete, and we anticipate this will be released in Winter quarter 2014.

* Replacement for our aging ILM component that provides “white page” person data to UWWI with FIM. We anticipate this will be released early in Winter quarter 2014. Beyond that, we’ll also partner with the PersonReg and Directory Service service teams to investigate architecturally improved approaches to get this data, via events on a message bus.

* Partnership with a UW-IT Azure project team to identify how UWWI can best support customers deploying Azure based services, including VMs. We anticipate this will likely result in a NETID DC in Azure, along with a new AD Site. This likely won’t happen until Spring quarter 2014 or beyond.

* Evaluate Dynamic Access Control capability, and how UWWI can support customers that want to use this capability via having Central Access Policies support. Design support approach, document, and release. If you have a desire for this capability, please let us know (to date, no one has asked for this capability, so this item could be de-prioritized)

* Operational improvements to improve our business continuity stance. Add a new AD site for the NETID DC located at the data center in Spokane. Move the UWWI Group Sync Agent to an active-active architecture, deploying a second agent on an Azure VM.

* Investigation of audit log retention and reporting

* Evaluate the new Protected Users group and Authentication Policy Silo capabilities for their appropriateness to university use cases and known security gaps.

* Evaluate the feasibility of deploying an AD-integrated Certificate Authority to support automated certificate deployment and renewal and possible future multi-factor authentication use cases

==== Your Feedback ====

Supporting your needs for UWWI capabilities offered via the Basic Services Bundle is our priority, so we welcome feedback on how we can make the UWWI service more valuable to you.

You can voice your support for items in the backlog to help us rank priorities, ask for things that aren’t yet on our radar, or simply contact us via iam-support@uw.edu.

Brian Arkills

UW-IT, UWWI Service Manager

NETID domain changes

Two service changes are planned for the UWWI NETID domain service.

What and When:

Over the next 3 weeks we will be making two changes that affect the NETID domain controllers. The timing of these changes is not exact, due to various dependency issues.

The planned changes are:

We will turn on Windows Firewall on the NETID domain controllers. Access to the NETID domain controllers will remain unchanged–all campus networks will be permitted by the Windows Firewall configuration. We expect to make this change tomorrow.
The private view of the netid.washington.edu DNS zone will move from campus DNS to AD-integrated DNS. The public view of this zone will remain as is. DNS records in the zone will remain identical. This change is dependent on other services (and their design) so there is a possibility this won’t happen in the next 3 weeks.What you need to do:
More info:
That said, both of these changes have the potential to cause significant impact should something not go as expected. So while we don’t expect impact, we do want you to be aware that this work is planned. Should you encounter a wide-spread issue, please contact UW-IT via help@uw.edu or via the UW-IT Operations phone number (206-221-5000).
You should *not* change the DNS settings on your computers–continuing to use the campus DNS servers for DNS resolution is the right configuration.
No impact is expected. Both of these changes have already been tested and implemented in our evaluation environment.

We are implementing Windows Firewall on our domain controllers for a number of reasons. Those reasons include:

Due diligence in security configuration to meet various policies
Having the future ability to easily block specific IP addresses on UW networks across all the domain controllers, to limit exposure to an identified threat

We are moving our DNS zone for a variety of reasons. Those reasons include:

Support for self-service DNS registration
Rapid server provisioning. We’ll be able to promote/demote a domain controller without involvement from others, and in far less time (~2 hours vs. 12-18 hours)
Improved control of who can get a record in this DNS zone

This change helps us to support a couple important outcomes:

Better support for the UW Geo-Redundancy scenarios (e.g. allowing us to quickly bring up replacement domain controllers without waiting on other services that might be down)
Paves the way for putting a domain controller in Azure, possibly in 2014
Improves the experience of adding support for multiple Active Directory Sites (in 2014, we anticipate adding a site for our Tierpoint data center and probably Azure)

If you have questions about this planned work, please send email to help@uw.edu with “UWWI firewall and DNS work” in the subject line.

-B

NETID user expiration and related changes

A service change is planned for the UWWI NETID domain service.

What and When:

Next week we will mark approximately 50,000 NETID user accounts as expired, to bring these accounts into closer alignment with their current UW NetID status. All 50,000 of these NETID user accounts no longer have a valid UW NetID.

What you need to do:

No impact is expected. All of these NETID user accounts no longer have an associated UW NetID. None of these accounts have logged in over the course of the past 20 months.

More info:

In early 2012, the NETID domain experienced a significant incident as an outcome of a change made in late 2011. As a workaround to that incident, we unexpired user accounts that were expired at that time. Reconciling which accounts actually should be expired has been outstanding work that until now hasn’t been prioritized.

The NETID domain service tries to align as closely with the UW NetID service as it can, but there are notable differences due to the technology constraints and business rules required. When a UW NetID loses its password, the NETID domain service doesn’t delete the user account, but instead marks the account as expired and resets the password to a long random string unknown to anyone. This is primarily to retain the objectSID in case access to resources via user account is needed again, but there are also auditing reasons to retain the objectSID.

There is other work scheduled later this quarter that will adjust our practices around UW NetIDs that lose their password (i.e. UW NetIDs that are no longer valid). This work will result in a couple changes.

NETID users which go into this state will:

be expired
get random password
get renamed cn/samAccountName values slightly to values that clearly indicate the user account is dead, but still retain the original UW NetID string

be moved to a new OU set aside for “dead” NETID users
be disabled
have all optional attribute values removed

Users which have been in this “dead” state for 7 years will be deleted
Users which have been in this “dead” state, which are determined to be part of a transitory population, will be deleted after 1 year. An example of a transitory user would be an applicant.

We don’t plan on additionally announcing when that work happens, because that work is judged to be very low impact due to the fact that it doesn’t affect active users. However, we do think there is value in being transparent about the kinds of lifecycle practices we are employing.

Questions and Answers:

I thought UW NetIDs were good for ever. Did something change?No, nothing changed. It’s just that amongst the large number of UW NetIDs there are always exceptions to the rule. There are several populations of UW NetIDs that can “lose” their UW NetID, where “lose” means the UW NetID still exists (i.e. can’t be issued to someone else) but the password is removed, and the associated accounts are no longer active. The populations that this can happen to include (but are not limited to):

Former Applicants (i.e. students that applied but never enrolled)
Former Shared UW NetIDs
Former Clinicians
Former Cascadia
Former Admin UW NetIDs

Further questions about UW NetIDs and their lifecycle should be directed to the UW NetID service via help@uw.edu with “UW NetID lifecycle question” in the subject line.

Why don’t you just delete the NETID user account tied to these dead UW NetIDs?

Because once we delete the user account, the objectSID is effectively gone. That objectSID is distributed to some unknown number of resource objects throughout the UW environment in access controls. If any part of the UW environment goes through an audit and has a resource which references that objectSID, they will be left baffled as to who *had* access to that resource. Unfortunately, this distributed nature of Windows access control is such that there is no easy way to “clean up” objectSIDs which are no longer meaningful.

Why 7 years?

Because this is the longest regulatory period we are aware of where auditing logs need to be kept. If you are aware of a longer period, let us know.

Why only 1 year for transitory users?

Two reasons: Because there are a lot of them. And it’s pretty unlikely that there are many resources they were granted access to which are significant in nature.

Why are there so many NETID user accounts without an associated UW NetID?

Because the populations noted above have a lot of turnover and churn. Applicants in particular contribute quite a bit to the overall number. The NETID domain service is so far out of alignment because back in early 2012 as a workaround to a significant incident, we removed ~3 year’s worth of expirations. That’s where the 50k comes from, but additionally there are other expired NETID users (all the users which have expired in the past 20 months). So the total number after this work will be ~90k. That number will get cut down when we run the first 1 year deletion, but in general it will continue to grow.

RE: Removal of support for NTLMv1 authentication in the NETID domain

Because multiple dependent services have encountered significant numbers of problems with this change, this service change has been partially rolled back. In specific, we have reverted the NETID domain controllers to permit NTLMv1 (as previously configured). We have *not* reverted the domain level configuration.

Dependent services with servers in the NETID domain that experienced problems supporting NTLMv2 only will need to implement a group policy that overrides the domain level setting in order to return to the configuration in effect prior to this change.

We are purposely not rolling back the change at the domain level because:

a) this sets an expectation of the right configuration, and those that can’t support it are exceptions

b) this allows each affected service to separately configure their LMCompatibilityLevel settings and move to compliance when ready

There will be future communication about next steps, known problems and workarounds, and when we’ll try to make this service change.

NETID domain SYSVOL change

A service change is planned for the UWWI NETID domain service.

What and When:

On Friday July 26 2013 after business hours, we will migrate the NETID domain SYSVOL share from FRS to DFSR.

What you need to do:

Users may experience brief errors or logon failures if they logon during a small window of time after business hours on 7/26. Users will just need to logon again a minute later if affected. Otherwise no impact is expected.

More info:

During the transition period, each NETID domain controller will stop sharing SYSVOL and then start sharing it again. This brief period of time between can cause logon problems.

The DFSR technology has been available with SYSVOL for some time, but we haven’t prioritized making this transition previously. DFSR is more resilient than FRS and plays better across sites. FRS is also deprecated with the next release of Windows Server (expected this year), so we must move off this technology before we introduce any domain controllers with the next release.

We have tested this transition with an offline copy of the NETID domain, so expect no problems.

-B

2013 July

Here’s an update on recent happenings with the UW Windows Infrastructure.

==== New Capabilities and Improvements ====

* Work to refresh aging NETID domain controllers is complete. All NETID domain controllers are running Windows Server 2012, and the domain and forest functional levels are at Windows Server 2012.

* Work to add item-level recovery (via the Active Directory Recycle Bin feature) is complete. If you accidentally delete objects in your delegated OU, we can now recover them. See http://www.netid.washington.edu/documentation/netidItemLevelRestore.aspx for details.

* Work to provide OU admins access to operational attributes on all NETID user accounts is complete. This provides more information to OU admins to support troubleshooting efforts. A separate email was sent to OU admins about this.

* The UWWI trust policy was changed. You can review this at http://www.netid.washington.edu/documentation/policy.aspx.

* A recovery test plan for the NETID domain was created as part of the university’s Business Continuity initiative.

* Unix integration capabilities were added to UWWI services. See the spotlight for more info.

* The NETID domain has been extended to Microsoft’s Azure Active Directory. See the spotlight for more info.

* For web-based applications that only support authentication via Active Directory Federation Services (ADFS), UW-IT is offering limited support for ADFS 2.0 to enable the standard “weblogin” user experience. Contact iam-support@uw.edu for additional information.

====Spotlights====

* Customers such as Kris Shaw are eagerly taking advantage of new Unix integration capabilities. These new capabilities make it much easier to join Unix/linux computers to the NETID domain. Work included: extending uidNumber assignment to a larger user population, assigning GIDs to all groups in the Groups Service and syncing that data to UWWI, and assigning gidNumber values to all UWWI user accounts. We appreciate the partnership and patience that Kris and others have provided while we’ve worked on this work over several quarters.

* UWWI has deployed the Azure Active Directory Sync tool. While this capability was deployed in support of ongoing Office 365 efforts, it has broader usefulness. You can leverage Azure Active Directory (AAD) identities from on-premise applications that are written to take advantage of AAD and from cloud-based applications. This greatly extends the usefulness of the NETID domain services beyond the confines of the p172 network space. Microsoft is investing heavily in this area, with an Azure Active Authentication (preview) capability that permits your smartphone to be used as an additional authentication factor announced recently. We expect this new Azure Active Directory aspect of the UW-IT portfolio to be an active area of growth.

* Delegated OU customers that have misconfigured their computer’s primary DNS suffix will see individualized notification efforts to fix this beginning August 1. Related to this, in partnership with efforts at the Library and ISchool, we’ve identified a potential issue that can occur in a limited scenario that can result in the error message “The security database on the server does not have a computer account for this workstation trust relationship.” As a mitigation for this issue, we’ve decided to amend the permissions granted to all computerjoiners groups, granting your computerjoiners group full control permissions to computer objects within your OU. We’ll be making that change in the near future.

* Support for the NTLMv1 authentication protocol will be turned off on August 1. UW identity assurance initiatives and improved capabilities in breaking NTLMv1, plus the fact that the exception to UW policies via the UW Privacy Assurance and System Security (PASS) Council was granted 6 years ago, mean it’s time for NTLMv1 to go. A separate announcement will include more details.

==== Trends ====

* Since January, UWWI has added: 11 delegated OUs (73 total), 3 trusts (57 total), ~1000 computers (6600 total), ~43k users (622k total).

* UWWI support requests have grown by 30%. 151 UWWI support tickets resolved since January (vs. 119 in prior period).

You can see metrics about UWWI at http://www.netid.washington.edu/dirinfo/stats.

==== What’s Next ====

Our objectives for the months ahead include:

* During July, we will test an offline recovery of the NETID domain via the Microsoft Active Directory Recovery Execution Services program, as well as getting a health assessment via Microsoft’s Active Directory Risk Assessment Program. You may see a temporary domain controller promoted and demoted in preparation for this exercise–we’re still working out the details. 🙂

* Operational improvements to improve our business continuity stance

* Investigation of replacement for our aging ILM component that provides “white page” data to UWWI.

* Investigation of improved audit log retention and reporting

* Investigation of providing Group Managed Service Account (gMSA) capability, which provides service accounts with passwords that no human ever sees, with automatic password updates built-in.

* Continued support of the Office 365 projects as they integrate the UWWI NETID domain services with Office 365 application deployments.

* Support for a project internal to UW-IT, helping to consolidate the UCSADMIN domain to the NETID domain

==== Your Feedback ====

Supporting your needs for UWWI capabilities offered via the Basic Services Bundle is our priority, so we welcome feedback on how we can make the UWWI service more valuable to you.

The UWWI service has a backlog visible to customers at https://jira.cac.washington.edu/browse/UWWI where you can get more details about possible improvements, current prioritization of that work, and even what we’ve been doing. You can “vote” for items in the backlog to help us rank priorities, or you can contact us via iam-support@uw.edu.

Removal of support for NTLMv1 authentication in the NETID domain

A service change is planned for the UWWI NETID domain service.

What and When:

On August 1 2013, we’ll remove support for the NTLMv1 authentication protocol from both the NETID domain controllers and at the domain level.

What you need to do:

If you have a service that is unable to support Kerberos or NTLMv2 authentication and uses user accounts that aren’t NETID domain user accounts, then you can turn on support for NTLMv1 at your OU level as a workaround. If you do this, we strongly recommend that you begin exploring alternatives as the threat profile for NTLMv1 has greatly increased.

If your service requires NETID domain authentication and NLTMv1, we’d be happy to explore alternative solutions with you. Based on an audit over a 24 hour period, we are unaware of any such services.

More info:

At service inception in 2006, the NETID domain did not support NTLMv1 authentication. Due to customer requests, in 2007 NTLMv1 support was added after obtaining an exception to UW policies via the UW Privacy Assurance and System Security (PASS) Council. Growing pressures due to UW identity assurance initiatives and a greatly increased threat profile based on cloud-based NTLMv1 cracking tools mean it is time for NTLMv1 to be retired.

As implied above, we’ve audited NTLMv1 use via NETID domain user accounts for a 24 hour period and found no use of concern. So we believe this change to be of minimal impact.

We are unable to verify the configuration in domains trusting the NETID domain, and a configuration mismatch between trusting domains and the NETID domain is the most likely source of potential issues, but default settings make the possibility of problems unlikely. If you’d like to audit your own Windows domain for NTLMv1 use, if all of your DCs are WS2008 or better, we can share a PowerShell script with you that will extract relevant events over a 24 hour period. If your DCs are at a prior OS level, it is not possible to differentiate NTLMv1 use from NTLMv2 use without doing network captures.

Another possible source of issues are non-domain joined computers running Windows XP or previous in a default configuration. In that case, the configuration settings will be incompatible. Windows XP is no longer in mainstream support from Microsoft, and extended support ends in a year, so this potential source of problem should also be limited.

More background information about the LMCompatibilityLevel setting is available at http://technet.microsoft.com/en-us/magazine/2006.08.securitywatch.aspx.

-B

RE: NETID DC promotions and demotions

All previously announced DC refresh work has been completed, and the UWWI firewall document has been updated to reflect this. A temporary DC change is planned for the UWWI NETID domain service.

What and When:

A temporary domain controller will be promoted and demoted late next week. This temporary DC will be on a network not previously on the UWWI firewall document.

What you need to do:

If you have a firewall or network filters, you may need to adjust them (see link below).

More info:

Another network has been added to the UWWI firewall list:

172.2.1.0/24 (172.22.1.0-172.22.1.255).

Three networks previously on the UWWI firewall list have been removed to reflect completion of prior DC refresh work. For reference, the networks removed are:

-172.22.15.0/27 (172.22.15.0-172.22.15.31)

-172.22.16.64/27 (172.22.16.64-172.22.16.95)

-172.22.238.128/25 (172.22.238.128-172.22.238.255)

You can find the list of networks that correspond to NETID DCs to configure in your firewalls at http://www.netid.washington.edu/documentation/trustWithFirewall.aspx.

The temporary DC promotion/demotion is to facilitate an offline recovery test of the NETID domain via the Microsoft Active Directory Recovery Execution Services program that will happen the 2nd week of July. We need to have a temporary domain controller promoted and demoted in preparation for this exercise, and due to the nature of how this opportunity came about, we were unable to provide you more advanced warning of this change. We are still exploring ways to “hide” this temporary DC from customers to minimize the impact of not giving folks the customary 2 week warning about a change to the UWWI firewall list, but those explorations are still in process and need to be tempered by maintaining operational stability.

From: Brian Arkills Sent: Monday, November 05, 2012 12:02 PM To: ‘uwwi-announce@uw.edu’ (uwwi-announce@uw.edu) Subject: NETID DC promotions and demotions

Several changes are planned for the UWWI NETID domain service. These changes will close the existing temporary service capacity gap, which was noted in the email below sent 2 weeks ago.

What and When:

Several new domain controllers on a network not previously in the UWWI firewall documentation will be promoted beginning this Thursday, 11/8. One DC will be promoted on 11/8, with 2 additional DCs following over the following week for a total of 3 new NETID domain controllers.

After these 3 new DCs have been added, 2 of the existing domain controllers will be demoted as they have reached end of life.

What you need to do:

If you have a firewall or network filters, you may need to adjust them (see link below).

If you’ve hard-coded specific domain controller names in applications or code, you will need to adjust that configuration. If you have hard-coded either mace.netid.washington.edu or yoda.netid.washington.edu, please change that configuration.

If neither of these situations apply to you, then you don’t need to do anything.

More info:

Another network has been added to the UWWI firewall list: 172.16.31.0/24 (172.16.31.0-172.16.31.255).

The network that leia.netid.washington.edu was on has been removed from the UWWI firewall list. For reference that network was: 172.22.14.0/27 (172.22.14.0-172.22.14.31).

You can find the list of networks that correspond to NETID DCs to configure in your firewalls at http://www.netid.washington.edu/documentation/trustWithFirewall.aspx.

When all DC demotions are complete, we will remove two of the networks listed in that document, so if you do manage network filters you may want to check back in 3-4 weeks to remove unnecessary networks in your filters in the future.

> —–Original Message—–

> From: Brian Arkills

> Sent: Tuesday, October 23, 2012 12:38 PM

> To: ‘uwwi-announce@uw.edu’ (uwwi-announce@uw.edu)

> Subject: Netid domain controller (leia) forcible demotion planned ~1pm

> today

> Due to internal AD database corruption on Leia.netid.washington.edu and

> replication problems it was having, we have determined that we need to

> demote leia.netid.washington.edu, one of 5 existing domain controllers

> providing the NETID domain service in the UWWI service line. Leia has been

> offline since yesterday evening and won’t be coming back online. You may

> have experienced odd problems because of Leia’s AD corruption. If you think

> you’ve got a lingering issue caused by this, please do open a help request via

> help@uw.edu with UWWI somewhere in the subject line, and we’ll try to

> assist you.

> We have already replaced leia as the DNS primary for clients.uw.edu, the

> DDNS zone provided for delegated OU customers, and there has been no

> impact to customers of that service.

> This work represents a minor degradation in service capacity, but this is

> expected to be the case only for a short period, as leia was planned to be

> replaced in the coming months.

> If, for some reason, you’ve hard-coded something to

> leia.netid.washington.edu, you will want to change that.

> Brian Arkills

> UW-IT, Identity and Access Management

> UW Windows Infrastructure technical lead

NETID domain schema changes 5/8/2013: Exchange 2010 SP3

What and When:

On Wednesday, May 8th, the NETID domain schema will be modified. Schema changes associated with Exchange 2010 SP3 will be applied.

What you need to do:

Nothing, this is purely informational. There is no expected impact to customers.

More info:

Please see http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=5401 for more information about the schema changes.

Please send email to help@uw.edu with “UWWI schema work” in the subject if you have any questions about this work.

Brian Arkills

UW-IT Identity and Access Management

UW Windows Infrastructure Service Manager