2013 July

July 16, 2013

Here’s an update on recent happenings with the UW Windows Infrastructure.

 

==== New Capabilities and Improvements ====

 

* Work to refresh aging NETID domain controllers is complete. All NETID domain controllers are running Windows Server 2012, and the domain and forest functional levels are at Windows Server 2012.

 

* Work to add item-level recovery (via the Active Directory Recycle Bin feature) is complete. If you accidentally delete objects in your delegated OU, we can now recover them. See http://www.netid.washington.edu/documentation/netidItemLevelRestore.aspx for details.

 

* Work to provide OU admins access to operational attributes on all NETID user accounts is complete. This provides more information to OU admins to support troubleshooting efforts. A separate email was sent to OU admins about this.

 

* The UWWI trust policy was changed. You can review this at http://www.netid.washington.edu/documentation/policy.aspx.

 

* A recovery test plan for the NETID domain was created as part of the university’s Business Continuity initiative.

 

* Unix integration capabilities were added to UWWI services. See the spotlight for more info.

 

* The NETID domain has been extended to Microsoft’s Azure Active Directory. See the spotlight for more info.

 

* For web-based applications that only support authentication via Active Directory Federation Services (ADFS), UW-IT is offering limited support for ADFS 2.0 to enable the standard “weblogin” user experience. Contact iam-support@uw.edu for additional information.

 

====Spotlights====

 

* Customers such as Kris Shaw are eagerly taking advantage of new Unix integration capabilities. These new capabilities make it much easier to join Unix/linux computers to the NETID domain. Work included: extending uidNumber assignment to a larger user population, assigning GIDs to all groups in the Groups Service and syncing that data to UWWI, and assigning gidNumber values to all UWWI user accounts. We appreciate the partnership and patience that Kris and others have provided while we’ve worked on this work over several quarters.

 

* UWWI has deployed the Azure Active Directory Sync tool. While this capability was deployed in support of ongoing Office 365 efforts, it has broader usefulness. You can leverage Azure Active Directory (AAD) identities from on-premise applications that are written to take advantage of AAD and from cloud-based applications. This greatly extends the usefulness of the NETID domain services beyond the confines of the p172 network space. Microsoft is investing heavily in this area, with an Azure Active Authentication (preview) capability that permits your smartphone to be used as an additional authentication factor announced recently. We expect this new Azure Active Directory aspect of the UW-IT portfolio to be an active area of growth.

 

* Delegated OU customers that have misconfigured their computer’s primary DNS suffix will see individualized notification efforts to fix this beginning August 1. Related to this, in partnership with efforts at the Library and ISchool, we’ve identified a potential issue that can occur in a limited scenario that can result in the error message “The security database on the server does not have a computer account for this workstation trust relationship.” As a mitigation for this issue, we’ve decided to amend the permissions granted to all computerjoiners groups, granting your computerjoiners group full control permissions to computer objects within your OU. We’ll be making that change in the near future.

 

* Support for the NTLMv1 authentication protocol will be turned off on August 1. UW identity assurance initiatives and improved capabilities in breaking NTLMv1, plus the fact that the exception to UW policies via the UW Privacy Assurance and System Security (PASS) Council was granted 6 years ago, mean it’s time for NTLMv1 to go. A separate announcement will include more details.

 

==== Trends ====

 

* Since January, UWWI has added: 11 delegated OUs (73 total), 3 trusts (57 total), ~1000 computers (6600 total), ~43k users (622k total).

* UWWI support requests have grown by 30%. 151 UWWI support tickets resolved since January (vs. 119 in prior period).

 

You can see metrics about UWWI at http://www.netid.washington.edu/dirinfo/stats.

 

==== What’s Next ====

 

Our objectives for the months ahead include:

 

* During July, we will test an offline recovery of the NETID domain via the Microsoft Active Directory Recovery Execution Services program, as well as getting a health assessment via Microsoft’s Active Directory Risk Assessment Program. You may see a temporary domain controller promoted and demoted in preparation for this exercise–we’re still working out the details. 🙂

* Operational improvements to improve our business continuity stance

* Investigation of replacement for our aging ILM component that provides “white page” data to UWWI.

* Investigation of improved audit log retention and reporting

* Investigation of providing Group Managed Service Account (gMSA) capability, which provides service accounts with passwords that no human ever sees, with automatic password updates built-in.

* Continued support of the Office 365 projects as they integrate the UWWI NETID domain services with Office 365 application deployments.

* Support for a project internal to UW-IT, helping to consolidate the UCSADMIN domain to the NETID domain

 

==== Your Feedback ====

 

Supporting your needs for UWWI capabilities offered via the Basic Services Bundle is our priority, so we welcome feedback on how we can make the UWWI service more valuable to you.

 

The UWWI service has a backlog visible to customers at https://jira.cac.washington.edu/browse/UWWI where you can get more details about possible improvements, current prioritization of that work, and even what we’ve been doing. You can “vote” for items in the backlog to help us rank priorities, or you can contact us via iam-support@uw.edu.