NETID domain controller upgrades: 8/2 – 8/28/2017

July 21, 2017

Several changes are planned for the NETID domain service.

What:
All NETID domain controllers (DCs) will be replaced with new servers running Windows Server 2016. As part of this process, the certificates the DCs present for LDAPS access will change from UW CA issued certificates to InCommon CA issued certificates, replacing the existing design that relies on the UW CA.

When:
8/2/2017: First new WS2016 DC promoted
8/7 – 8/9/2017: 4 new WS2016 DCs promoted and 4 existing WS2012R2 DCs demoted, handled one pair at a time (promote one new DC, then demote one old DC)
8/28/2017: Last WS2012R2 DC demoted

What you need to do:
If you have an application or code which relies on the NETID domain service, you may need to adjust its configuration.

Known problems which your application may have include:
- it does not use the Microsoft DC locator process automatically, but instead hard-codes domain controller names or caches domain controller names for an inordinate period of time
- it runs on a system that does not trust the InCommon CA

It’s also worth noting that if you have system firewalls that do not follow the published NETID domain service firewall guidance, https://itconnect.uw.edu/wares/msinf/authn/firewalls-with-netid-domain/, you may need to adjust your firewalls.

We have purposely delayed the last WS2012R2 DC demotion for several weeks to allow customers to discover and address unknown problems with their applications.

More info:
All Windows computers joined to the NETID domain are configured via domain group policy to trust the InCommon CA, which accounts for ~99% of all systems which perform LDAPS operations with the NETID domain service. However, non-Windows systems and Windows systems in other domains which trust the NETID domain may not be configured to trust the InCommon CA. Whether they are or not is subject to the platform, vendor defaults, and system operator configuration. If your system does not trust the InCommon CA, you’ll need to configure it to do so. More information about the InCommon CA and UW’s use of it is at: https://itconnect.uw.edu/service/certificate-services/.

All Windows computers use the Microsoft DC locator process. Non-Windows computers generally do not, although there are exceptions. If your system does not automatically locate domain controllers, you may need to manually configure it and/or take actions that clear any cached information.
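The two checks above (does the client locate DCs dynamically, and does it trust the CA that signs the LDAPS certificate) can be exercised from a non-Windows system with the added example below. It is illustrative code, not a UW-IT tool; the hostnames, ports, CA bundle path and SRV records are constructed placeholders, and `order_dcs` implements the standard RFC 2782 priority/weight ordering that the DC locator's DNS lookup relies on.

```python
"""Client-side checks for an AD domain whose DCs and LDAPS CA are being replaced.
Added example, not UW-IT code. All hostnames, ports and records are constructed."""
import random
import socket
import ssl
import sys

# Constructed answer for _ldap._tcp.dc._msdcs.<domain>: (priority, weight, port, target).
# Lower priority is tried first; among equal priorities, weight sets the odds of being picked.
SAMPLE_SRV = [
    (0, 100, 636, "dc-new1.example.invalid"),
    (0, 100, 636, "dc-new2.example.invalid"),
    (10, 50, 636, "dc-old.example.invalid"),
]


def order_dcs(records, rng=None):
    """Return DC targets in the order an RFC 2782 client would try them.
    Resolving this on every connection is what a hard-coded DC list misses:
    a demoted DC simply stops appearing in the answer."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r[0] for r in records}):
        pool = [r for r in records if r[0] == prio]
        while pool:
            total = sum(r[1] for r in pool)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for r in pool:
                running += r[1]
                if running >= pick:
                    ordered.append(r[3])
                    pool.remove(r)
                    break
    return ordered


def ldaps_issuer_cn(host, port=636, cafile=None):
    """Open a verified TLS session to an LDAPS endpoint and return the issuer CN.
    If the local trust store (or the given CA bundle) does not chain to the DC's
    certificate, ssl raises SSLCertVerificationError: that is the failure a
    system trusting only the old CA will see once DCs present InCommon certs."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: placeholder path if used
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
            return issuer.get("commonName")


if __name__ == "__main__":
    print("try order from constructed SRV answer:", order_dcs(SAMPLE_SRV))
    if len(sys.argv) > 1:  # optional: python3 check.py <dc-hostname> [ca-bundle.pem]
        print("LDAPS issuer CN:", ldaps_issuer_cn(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

Run with no arguments to see the SRV ordering offline; pass a DC hostname (and optionally a CA bundle) to test the live LDAPS trust chain from the client in question.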

After the last WS2012R2 DC is demoted, we also plan to raise the domain and forest functional level to WS2016.

If you have questions, concerns, or encounter problems during these changes, please contact us by sending email to help@uw.edu with “MI DC changes” somewhere in the subject line.

Brian Arkills
Microsoft Infrastructure service manager
UW-IT