2014 January

January 16, 2014

Here’s our semi-annual newsletter update on recent happenings with the UW Windows Infrastructure.


==== New Capabilities and Improvements ====


* A PowerShell script for creating computer objects in your delegated OU is now available. See http://www.netid.washington.edu/documentation/newUWWIComputer.aspx for more info.


* Limited GPO recovery now available. Each 1st and 15th of the month, we backup all GPOs, with a retention of 1 month. If you’d like a GPO restored from those backups, we can easily support that need.


* Basic document published on how to add a Mac to a delegated OU: http://www.netid.washington.edu/documentation/addMac.aspx. Please feel free to send us your recommended improvements.


* A variety of authentication modernization happened:

                -NT4Crypto support disabled,

                -FAST support (Kerberos armoring) enabled,

                -attempt to turn off NTLMv1 (which was rolled back)


* Additional computer permissions for each delegated OU’s computerjoiners group


* InCommon CA root cert trust added to all NETID computers via domain group policy


* Improved request process for elevated NETID directory access




* During July, we successfully tested a bare-metal offline recovery of the NETID domain from backup. Work to ensure that the business critical systems in the UWWI service are geo-redundant has progressed from 50% complete to 80% complete. This work is part of the university’s Business Continuity initiative.


* We’re still licking our wounds over the failed attempt to turn off the NTLMv1 authentication protocol. During the Winter 2014 quarter, we’ll regroup & analyze NTLMv1 authentication afresh with the benefit of knowing which applications had problems during this summer’s failed attempt. We already have a list of known problems and workarounds, but we need to complete the analysis before attempting this change again. It’s possible we’ll be ready to try again in Spring 2014. Expect to see more detailed information via the uwwi-announce mailing list when we’ve completed our analysis of the problems and workarounds. If you’d like an earlier peek at what we’ve got so far or would like to partner with us, please let us know.


* Over the past 6 months, UWWI has performed lots of maintenance activities–mostly of the non-deferrable kind. While it’s not exciting, I think sharing this kind of work occasionally is useful to give you an idea of the level of operational activity happening behind the scenes. Here’s a list of things we’ve done to keep things running and current:

                -Sysvol replication changed to DFS-R (older replication is dead in Windows Server 2012 R2),

                -KMS support extended to Windows 8.1/Windows Server 2012 R2,

                -UWWI user reconciliation with the UW NetID service (cleanup from a January 2012 incident)

                -Windows Firewall enabled on domain controllers (and all other UWWI service servers)

                -Domain controller time configuration updated (to reflect updated best practice guidance from Microsoft)

                -DNS zone move to AD-integrated DNS (this happened on 12/29)              

                -Progress on implementing security protections for use of Kerberos Delegation (the ability to get a logon token without the user providing their credentials)


* As of November 27th, 2013, the UW Forest service option reached end of life. This service option has been around for 13 years, and was a precursor to the UWWI service. This milestone marks the end of a long-running and highly useful collaboration across UW departments. Our congratulations to everyone who survived migration!! 🙂


==== Trends ====


* Since January, UWWI has added: 3 delegated OUs (76 total), 0 trusts (57 total), ~1200 computers (7750 total), ~16k users (638k total), ~5k groups (102k total).

* UWWI support requests have grown by 17%. 176 UWWI support tickets resolved since July (vs. 151 in prior period).


You can see metrics about UWWI at http://www.netid.washington.edu/dirinfo/stats.


==== What’s Next ====


Our objectives for the 6 months ahead include:


* Release of a refactored version of the UWWI Group Sync Agent that leverages the Amazon Message Bus, instead of an ActiveMQ message queue that is no longer supported. We anticipate this will be released in Winter quarter 2014.

* Release of self-service Group Managed Service Account (gMSA) capability, which provides service accounts with passwords that no human ever sees, with automatic password updates built-in. We plan to encourage gMSAs over Application UW NetIDs, where applicable. A proposal to release this capability is complete, and we anticipate this will be released in Winter quarter 2014.

* Replacement for our aging ILM component that provides “white page” person data to UWWI with FIM. We anticipate this will be released early in Winter quarter 2014. Beyond that, we’ll also partner with the PersonReg and Directory Service service teams to investigate architecturally improved approaches to get this data, via events on a message bus.

* Partnership with a UW-IT Azure project team to identify how UWWI can best support customers deploying Azure based services, including VMs. We anticipate this will likely result in a NETID DC in Azure, along with a new AD Site. This likely won’t happen until Spring quarter 2014 or beyond.

* Evaluate Dynamic Access Control capability, and how UWWI can support customers that want to use this capability via having Central Access Policies support. Design support approach, document, and release. If you have a desire for this capability, please let us know (to date, no one has asked for this capability, so this item could be de-prioritized)

* Operational improvements to improve our business continuity stance. Add a new AD site for the NETID DC located at the data center in Spokane. Move the UWWI Group Sync Agent to an active-active architecture, deploying a second agent on an Azure VM.

* Investigation of audit log retention and reporting

* Evaluate the new Protected Users group and Authentication Policy Silo capabilities for their appropriateness to university use cases and known security gaps.

* Evaluate the feasibility of deploying an AD-integrated Certificate Authority to support automated certificate deployment and renewal and possible future multi-factor authentication use cases


==== Your Feedback ====


Supporting your needs for UWWI capabilities offered via the Basic Services Bundle is our priority, so we welcome feedback on how we can make the UWWI service more valuable to you.


The UWWI service has a backlog visible to customers at https://jira.cac.washington.edu/browse/UWWI where you can get more details about possible improvements, current prioritization of that work, and even what we’ve been doing.


You can voice your support for items in the backlog to help us rank priorities, ask for things that aren’t yet on our radar, or simply contact us via iam-support@uw.edu.


Brian Arkills

UW-IT, UWWI Service Manager