Search | Directories | Reference Tools
UW Home > UWIN > Computing and Networking > Support > UW Domains 

Minutes of Windows 2000 UW forest administrator meetings

UW Windows Domains Menu

UW Windows Infrastructure

UWNetIDs and Windows

UW Forest

Nebula

Community Resources

How to Setup a Domain

Diagnosing domain controller issues

Windows Domains Site Map

 

Feb 5, 2003 1-3pm

Statistics and security

Brad Greer summarized some current forest statistics.

Slides from this talk are available.

There are 41 domains, a number that continues to increase. Because the security boundary is now at the forest, the more domain controllers there are, the higher the security risk to members of the forest. It is beneficial to collapse domains where possible.

Brad then discussed ongoing security issues in the context of a new set of reports that C&C will run and provide to domain contacts on a regular basis. These include:

  • Check/verify number of DCs
  • Size of domain
  • Missing service packs or hotfixes on DCs
  • Risky 3rd party software on DCs
  • External trusts without SID filtering

Action on these reports is voluntary, but C&C will use the information from the reports to help plan further direction for the forest. Initial data seems to suggest that 100% compliance won't occur without some sort of enforcement. So, initially, we'll need cooperative involvement from domain administrators, and then we'll have to decide about a course of action if compliance lags.

Q. Can you use DCPROMO to demote a current DC with risky software?

A. Yes, and this has yet to be disruptive to existing services in Brad's experience. You must be sure to update C&C with appropriate DNS changes for new and/or demoted domain controllers.

Given the need for inter-domain trust and security, essentially 3 strategies exist to ensure compliance:

  1. Disband the forest with implementation of Windows 2003 Server, making each domain its own forest.
  2. Require agreements of all forest participants.
  3. Trim/combine domains so only willing participants remain.

If signed agreements about physical access and trusted administrator policies are the preferred route, the choices for domain administrators are:

  1. Sign or leave.
  2. Have C&C run DCs for you.
  3. Combine domain with department that can comply.

Decision time for implementing this agreement approach is at Windows 2003 Server rollout, which will be no earlier than late April given current release schedules. The consensus was for Brad to circulate a draft agreement for domain administrators to comment on.

Replication issues

Brian Arkills discussed common problems with replication, which he is spending a fair amount of time troubleshooting.

Slides from this talk are available.

The most common is when a DC goes down for several days and generates errors on replication partners. Brian suggested that administrators send email to win2k@u when a DC is out, along with an estimated time for service to be restored, so that other administrators know why the errors are occurring.

Other cases included

  • "Disappearing DC" A DC is taken down without proper notification and needs to be manually removed. Please notify C&C when removing a DC from the forest.
  • "Tardy DC" Time synchronization is not configured properly, and numerous other problems result. The required step is documented at http://www.washington.edu/computing/support/windows/UWdomains/domainSetup.htm.
  • "Overly efficient admin" A DC was promoted, then demoted after problems, but then was re-promoted before the 20 minute replication interval happened. This causes name collisions and lingering domain problems. It's happened twice in the forest.

Brian then gave a primer on how replication works. (See slides).

Q: Can domain admins set up global catalog servers?

A: While this is possible, it doesn't work, because the forest schema limits the role to servers run by C&C.

Q: Can replication be forced?

A: Yes, one way is with the 'replmon' tool. This will not work properly across domains, but can be used between DCs in a single domain.

AltSecID

Ryan discussed issues related to implementing AltSecID authentication with the UW KDC.

Discussion surrounded failures due to services that are known to have problems, such as SQL Server authentication, Samba server authentication, and use of domain administrator privileges.

Brian offered to search for and share a document that he recalled that itemizes known problems with use of AltSecID.

Brian also suggested use of the 'setSPN' tool to fix problems with the Service Principal Name with specific servers.

Brad pointed out that it is possible to enable both AltSecID and domain authentication for testing purposes, to see what breaks when using AltSecID.

Labs domain

Much discussion followed about the possible role of the Labs domain as a resource for other departments with labs who need to create/administer/delete accounts based on membership in specific user communities.

There remain significant challenges associated with automating account creation and administration, as well as assigning privileges based on group memberships.

Administrators defined a wide range of needs, including creating new accounts, granting specific privileges, and delegating account and password administration.

There was consensus that having C&C investigate a fee-based, centrally managed service to meet these needs was unnecessary, because current budget constraints limit what departments could afford to pay for it.

So, there was discussion about what could be done for free. It was proposed and generally accepted that C&C explore better tools for:

  • Using LDAP to query publicly accessible information.
  • Using class list data for account and group management.
  • Identifying departmental affiliation and declared major for account management.
  • Integration of these tools into stand alone programs and scripts. An example script is available.