Search | Directories | Reference Tools
UW Windows Infrastructure Service banner image
Skip Navigation LinksUW Home > Computing and Networking > Support > UW Domains > UW Windows Infrastructure > UWWI Architecture Guide

UW Windows Infrastructure Architecture Guide

This document is for Windows computing professionals who wish to learn about how the UW Windows Infrastructure is designed and implemented.

Directory Configuration

The UW Windows Infrastructure is built upon Microsoft Active Directory across multiple domain controllers. The operating system of these domain controllers is kept within one major rev of the latest released operating system.

LDAP configuration settings are generally set to the Active Directory defaults (MaxValRange is 1500--that's mistakenly omitted in the Microsoft document that is linked).

Schema

The UW Windows Infrastructure schema is open to changes, and includes both vendor and UW custom schema elements. See the UWWI Schema for details.

Object Creation

There are some directory objects which Windows administrators can not create regardless of the permissions they have been delegated. These include: users, contacts, and groups. This is because these objects have the potential to cause a namespace collision with institutionally provisioned objects.

All user accounts are created via the UW NetID account system. Where appropriate, you should use application NetIDs for non-person entities that have a need to authenticate; service accounts, scheduled tasks, and the like should use an application NetID.

All groups are created via the Groups Web Service which is an interface to the Groups Directory Service which are then subsequently synchronized to UWWI. If, for some reason, the namespace enforced by GDS isn't compatible with your needs, e.g. a vendor product that is hard-coded for a specific group name, then feel free to escalate this issue.

Passwords

Users do not reset their NETID account passwords directly; instead passwords are changed with the UW NetID system using the Manage Your UW NetID site.

Directory Structure

UW Windows Infrastructure Directory Diagram

The above diagram shows the UWWI directory structure or directory information tree (DIT), leaving out all the built-in containers which are largely unused by UWWI.

All groups within UWWI are under the top-level Groups OU. Groups based on data synchronized from the Groups Directory Service (GDS) are within OU=GDS. These GDS groups are separated into OUs by affiliation groups, course groups, privacy groups, and basic or standard groups. Affiliation groups have large numbers of members in them. Course and privacy groups have private membership. There are a very large number of course groups. Groups which have no institutional value as re-usable outside UWWI are within OU=UWWI. In other words, this is the location for groups whose source directory is UWWI. Groups used for AD administration are an example of groups which reside here. If you had a vendor-required group which didn't meet the GDS naming policy, it might go here.

All personal and shared UW NetIDs are under the top-level UWNetID OU. There are greater than 300000 Windows user accounts within this OU.

All non-personal and non-shared UW NetIDs are under the top-level Other NetIDs OU. These other UW NetIDs are separated into OUs by NetID type: admin NetIDs, application NetIDs, and resource NetIDs. See ### for more info on NetID types.

All computers and other directory objects specific to UWWI clients are under the top-level Delegated OU. This is where departments, schools, and other UW organizations will be able to get a delegated OU at some point in the future. For the time being, only UW Technology has an OU in this area. When delegated OUs are ready, this is the only part of the UWWI directory structure that campus Windows administrators will be granted a non-default level of permissions.

Provisioning and Synchronization Integration with UW Infrastructure

There are four connectors integrating UWWI provisioning with the larger campus computing infrastructure. There is an account and password provisioning component, called Kiwi. The UWWI kiwi agent is called fuzzy_kiwi. There is a person directory synchronization component, called ILM. There is a service provisioning component, called SubMan or Subscriptions Manager. And there is a groups directory synchronization component, called Slurpee. Together these components automatically provision accounts, groups, passwords, personal directory information, and help computing services to work with UWWI.

This set of connectors is responsible for all user creations, and almost all group creations. This set of connectors is also responsible for almost all modifications to users or groups. Direct creation or modification of users and groups is not kosher without very good reason, because these components assume responsibility and authority for these functions, and in some cases will overwrite direct changes made, possibly resulting in disastrous consequences.

For more detailed information about these key architectural components, please follow the links to each component above. You may also want to investigate documents nested within the links above, notably:

User Attributes

The full set of all UWWI possible user attributes is documented here. Not all possible UWWI user attributes are in use. The subset of all UWWI user attributes in use and centrally managed are documented here.

User Attribute Visibility

The following user attributes are not visible, beyond your own user account, without special permissions:

instanceType
whenCreated
whenChanged
uSNCreated
memberOf
uSNChanged
userAccountControl
badPwdCount
badPasswordTime
lastLogon
pwdLastSet
accountExpires
logonCount
dSCorePropagationData
lastLogonTimestamp
uwRegID
eduPersonAffiliation

It is possible to request additional read permissions to users, but this requires both Registrar and UW Technology approval for a valid business requirement.

SPNs

Service Principal Names (SPNs) are the Kerberos principal identity for services which make use of a Ticket Granting Service (TGS). SPNs are very similar to the User Principal Name (UPN) that all Windows users accounts have. Every computer in a given Windows domain has two default SPNs, and additional SPN values for non-default Windows services must be added. Some Windows services run under the context of a user account, instead of the System account (which maps to the computer account object). For these services, an SPN is needed that represents the Windows service(s).

By default, only domain admins can set SPNs because assigning SPNs is a security sensitive operation.

For the purposes of computer accounts, the ability to set SPNs has been delegated to the OU admins for any given computer. SPN conflicts will be mediated by UWWI Enterprise Admins in consultation with the UWWI governance body and affected clients. UWWI Enterprise Admins may act quickly if critical University business is threatened.

For the purposes of user accounts, at this time, you should send requests to the UW Technology help desk.

Delegation and Impersonation

Kerberos delegation allows a service account (i.e. an application NetID) to be permitted to act on behalf of any account which passes that service account its login token on other computers. This is different than Windows impersonation, which allows a service account to act on behalf of any account on the same computer where a login token was passed. Kerberos delegation requires Domain Administrator privileges to enable. Open delegation permits login token reuse to any computer (even computers in other domains or that aren't Windows based). Constrained delegation limits where login token reuse can occur to specific computers paired with specific network services and network ports.

See UWWI Policy, Kerberos Delegation for UWWI policy with regards to use of this technology.

Note that all non-personal UW NetIDs are marked as sensitive, which means that they can not be used with delegation. In other words, only personal NetIDs (not shared NetIDs, not admin NetIDs, not application NetIDs, etc) can be used with delegation, and have their login tokens re-used by accounts that have been granted this permission.