
Windows Domains at the University of Washington

This Web site is for information about the Windows environment at the University of Washington. You'll find helpful resources from UW Technology (formerly known as Computing & Communications) and other administrators, a UW Technology-provided Windows management solution, and information about how to leverage existing enterprise resources. Please feel free to contact us with any suggestions for additional information you think would be useful to the community at large.

The University of Washington has independent forests, a shared forest known as the UW Forest, and a centrally supported Windows authentication service called the UW Windows Infrastructure (UWWI). In addition, UW Technology offers a managed workstation service called Nebula.

Below you'll find an introduction explaining use of Windows in a domain environment, and a history of Windows domain usage at the UW.

Introduction

With the advent of Windows 2000, Microsoft introduced the concept of multiple Windows domains sharing a common source for authentication and authorization in a forest. This common source of authentication and authorization is usually referred to as Active Directory. This information is distributed across many domain controllers, and a subset of all the information is stored centrally on special domain controllers called global catalogs. Computers and users in a forest can easily share file, printer, and other resources. In addition, Microsoft wedded the Windows domain concept to DNS. Prior to this, Windows domains only used NetBIOS for name resolution. With this change, every Windows 2000 or later domain must correspond to a DNS zone, and each domain controller requires specific DNS records in order to function. This change meant that a Windows domain service could finally be resolved globally.
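Because a domain's clients locate domain controllers through those DNS records, a quick way to confirm a domain is healthy is to query the locator records and check that each target host resolves. The script below is an added example, not part of the original UW page; it assumes a single-domain forest (so the global catalog record lives under the same name), the `Resolve-DnsName` cmdlet from the DnsClient module, and a placeholder domain name you would replace with your own.

```powershell
# Added example: verify the SRV locator records a Windows domain depends on.
# Assumes the DnsClient module (Resolve-DnsName) and a single-domain forest.
function Test-DomainDnsRecords {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [string] $Site   # optional AD site name; adds the site-specific lookup
    )
    # Records a domain member uses to find domain controllers: the LDAP and
    # Kerberos locators under _tcp and under the _msdcs subzone, plus the
    # global catalog locator.
    $queries = @(
        "_ldap._tcp.$DomainName",
        "_ldap._tcp.dc._msdcs.$DomainName",
        "_kerberos._tcp.$DomainName",
        "_kerberos._tcp.dc._msdcs.$DomainName",
        "_gc._tcp.$DomainName"
    )
    if ($Site) {
        $queries += "_ldap._tcp.$Site._sites.dc._msdcs.$DomainName"
    }
    foreach ($q in $queries) {
        $srv = Resolve-DnsName -Name $q -Type SRV -ErrorAction SilentlyContinue
        if (-not $srv) {
            [pscustomobject]@{ Record = $q; Status = 'MISSING'; Target = $null }
            continue
        }
        # The answer may carry additional A records; keep only the SRV entries.
        foreach ($r in ($srv | Where-Object { $_.Type -eq 'SRV' })) {
            # A locator whose target host does not resolve is as bad as none.
            $a = Resolve-DnsName -Name $r.NameTarget -Type A -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Record = $q
                Status = if ($a) { 'OK' } else { 'TARGET UNRESOLVED' }
                Target = "$($r.NameTarget):$($r.Port)"
            }
        }
    }
}

# Placeholder domain name (constructed for this example); substitute your own.
Test-DomainDnsRecords -DomainName 'example-dept.uw.edu' | Format-Table -AutoSize
```

Any row reporting MISSING or TARGET UNRESOLVED points at a domain controller that members (and trusting domains) will not be able to find.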

History

UW Technology led an effort to deploy a shared forest, called the UW forest. This forest is a loose confederation of domains with no special integration with other computing infrastructure (aside from DNS), and was a valid design at its inception. However, early in 2002 Microsoft announced a vulnerability which changed their stated assumptions about the security boundaries. Prior to this, the domain was a clear security boundary. With this announcement, it was clear that the forest was the security boundary. In other words, a domain admin in one domain might be able to impersonate a domain admin in another domain. For this reason, UW Technology began actively discouraging further implementation in the UW forest. In addition, a number of security-related policies were implemented to minimize the risk via this vulnerability. In the future, the UW forest service will be retired, but no end of life date has been determined at this time.

Within the UW forest, a special domain called the labs domain was created that held a subset of UWNetIDs. This domain was provided as a service to EPLT (now known as Catalyst) for use in the centrally-provided general purpose computing labs for Windows authentication purposes. Because the labs service was only intended for use by a single client, no domain trusts were permitted to it. However, some members of the UW forest took (unsupported) advantage of its existence to leverage their Windows-based services. This service is replaced by the UW Windows Infrastructure (UWWI). EPLT has embraced UWWI as a replacement, and the labs service has an end of life date of July 2007.

UWWI is a standalone forest containing all UWNetIDs with an active Kerberos principal. UWWI permits domain and forest trusts. In the future, UWWI may allow departments to join it (i.e. join computers to it and provide delegated OUs for administration of Windows computing resources).

If you don't have a Windows domain and would like to set up a new one, we recommend that you create a domain that is an independent forest. If you need to share Windows resources with another department, you can either set up a domain trust with that department's domain and make use of the user accounts in your respective domains, or, if you both trust UWWI, you can leverage use of the centrally-provided Windows user accounts.

For more details on multiple forest scenarios, we suggest you read the Microsoft Multiple Forest Considerations whitepaper, and reference the many cross-forest topics listed in the UWWI FAQ - How Things Work.

Using a Windows Domain at the UW

We suggest that all UW domains get a trust to the UW Windows Infrastructure. This will accommodate shared Windows resources, and over time you may be able to use the central accounts instead of provisioning your own.

In addition, we suggest you read Windows Domain DNS reliance and Domains and Firewalls as they are informational topics that will save you time.