Status Updates

UM System wide outages can be found on the UM IT System Status website.

Current Outages

Currently there are no outages.

Upcoming Outages

 System Center ConfigMgr Upgrade (5/23/2016 8:00:00 AM - 5/24/2016 5:00:00 PM)

The System Center ConfigMgr environment will be unavailable while an upgrade is performed.

Past Outages (Last 72 Hours)

There have been no outages over the last 72 hours.

Current and Upcoming Change Management Notices

 Cleanup of old computer objects in AD (10/22/2015 12:00:00 PM)

A cleanup of old computer objects in AD will be performed.

Any non-Mac computer object that has not had a password change in 10 months, which indicates the machine has not talked to Active Directory for at least 9 months, will be removed.

For computers that are lost, stolen, or otherwise locked away longer than 9 months, we can recover the bitlocker contents of these computers when they return to campus with a special recovery key.

 Roll out of Splunk agent to Windows servers at boot time (12/17/2015 8:00:00 AM)

Windows servers at UMKC current log to an old Symantec log collection system. Starting on the 17th, servers at boot time will uninstall the old agent used to collect these logs, and will install a new agent to send logs to our Splunk log collection system. Most Windows server systems will reboot on Monday December 21st at 2am to install patches, and will switch over at that time to the new logging agent. This is currently being testing on IS Security servers.

 Storage Array Maintenance (12/21/2015 7:00:00 AM)

We will be performing maintenance on our storage arrays. This could result in reduced performance during the process. Our DR array will be worked on first, followed by the production array.

 Update to Microsoft encryption cipher suite order (12/21/2015 8:00:00 AM)

Microsoft released some additional encryption cipher suites for Windows. Since we manually manage the cipher suite order list, we must manually add these to campus machines.

In order to facilitate this addition, a change will be made to client computers to allow the new cipher suites.

The cipher suites are briefly described at:

This will be put in for new bootups after Monday morning December 21st.

This has been initially tested, and no side-effects have been seen.

This will enhance the cipher list for Windows clients and Windows servers.

 vCenter Patching (12/23/2015 7:00:00 AM)

We will be applying patches to our vCenter instance. VMs will be unaffected, but no changes to existing VMs will be possible during the upgrade process.

 Campus edge firewall firmware upgrade (1/9/2016 10:00:00 PM)

The firmware on the campus edge firewall will be upgraded to a new feature set and update version. This is a rolling upgrade, with two expected 20-second Internet outages as the live unit reboots, and during fail-back to live. (secondary unit will be rebooted first to avoid more outages) There is a risk that the upgrade will have complications resulting in a longer outage.

 Set IPv6 enabled servers to use persistent IPv6 addresses (2/19/2016 8:00:00 AM)

A bootup script change will be made, so that IPv6 enabled Windows servers keep the same IPv6 address for the life of the installed OS on their particular virtual machine or physical machine. The specific change is to run these two commands at bootup time:

netsh interface ipv6 set global randomizeidentifiers=disabled
netsh interface ipv6 set privacy state=disabled

which disables two IPv6 privacy functions that can randomize the IPv6 address per day and at each bootup.

This will ensure that campus edge firewall rules will correctly point to the same IPv6 address between subsequent reboots.

This will be made active in group policy on February the 19th, for any reboots that day or later. The campus wide patch installation day is February 22nd, so most Windows servers would pickup the change on that day after installing patches.

This will be activated on IS Security servers now, with actual activation next week when patches are released to pre-deployment testing, or sooner if a particular IS Security server needs a reboot.

This should have no significant impact other than stabilizing IPv6 addresses for Windows servers.

 Emergency campus edge firewall firmware upgrade (2/27/2016 10:00:00 PM)

Due to a pair of vulnerabilities patched this week that will soon be disclosed, we will be doing an emergency upgrade of the campus edge firewalls. The firewalls are setup in a redundant manner, so there should only be two brief 10-second outages as each of the two units is updated.

The brief outage should generally not be noticeable. This will affect inbound traffic to servers on campus from off campus users, and for on campus users accessing content on the Internet.

 4747 Troost UPS reconfigure (3/11/2016 7:00:00 AM)

I will be moving the access and distribution switches from building power over to UPS power. This will cause a brief phone and network outage while the switch reloads.

 Change to set Outlook to consistently use Cached Mode (3/11/2016 8:00:00 AM)

A change in group policy will be applied, that will set Outlook to use Cached Mode consistently. This change helps reduce certain stresses on the Exchange server that live mode has been causing across the UM-System campuses.

This change will be applied on Information Services computers first, and will later be extended to other departments on campus. As the change causes live Outlook to download full mailboxes to switch to cached mode, this change will be rolled out department by department to reduce the impact of a sudden change.

 HHPS UPS reconfigure (3/14/2016 7:00:00 AM)

I will be moving the access and distribution switches from building power over to UPS power. This will cause a brief phone and network outage while the switch reloads.

 Windows 10 change to use WSUS (3/22/2016 8:00:00 AM)

Windows 10 systems will be set to use the campus WSUS server for updates in late March. This will ensure that we can remove bad updates, such as a problematic update for Microsoft Office that caused Office 2013 to freeze on Windows 10 machines.

 A change will be made to group policy, to remove DHE ciphers from Windows systems on campus. (3/26/2016 10:00:00 PM)

Of the long list of supported encryption ciphers, the two allowed DHE ciphers are now a concern. Microsoft has a lower DHE bit security level, and so far a way to increase this to a stronger bit level has not been found. So removal of the two DHE ciphers is best. The two ciphers that will be removed are:

As this is a group policy change, it will not take full effect on Windows Servers until April 25th at 2am when the April WSUS updates are applied and systems rebooted. Workstations will have the change on March 28th at 2am as they reboot weekly.

Linux/Unix and Apache/Tomcat administrators are encouraged to retest their sites using: and make adjustments to ensure their SSL protection passes at a Grade-A. These systems are each controlled by local settings files, and cannot be centrally managed to use new recommended settings.

 IP address change for KC-DC06 (3/27/2016 7:00:00 AM)

An IP address change will occur on KC-DC06 due to a need to retire a VLAN in Columbia. The new IP address will become, and the old retiring IP is . Only Exchange should be affected by this as it uses this server for pulling UMKC data. Other systems should be using DNS to find Active Directory and should update automatically.

 Group policy bootup script to backup drive encryption keys (3/30/2016 12:00:00 PM)

A bootup script is being put into place, to ensure that the bitlocker encryption keys for a machine are properly backed up into Active Directory. Normally this process occurs automatically at the time the drive is encrypted, but we are seeing some corner cases where the backup may fail. This backup is necessary to recover a drive, such as a bad patch that makes a machine unbootable, the key would be necessary to restore the machine to a usable state.

 Yearly password change for PassTheHash protection (4/2/2016 10:00:00 PM)

The krbtgt account will get a yearly password change to protect against certain versions of PassTheHash type attacks.
This was last changed a year ago, and no ill effects occurred.

 Addition of new primary Windows Update server for UMKC (4/5/2016 8:00:00 AM)

Computers at UMKC will be moved from the current WSUS server to a new server at KC-IS-WSUS4. This will reduce the load on the primary management WSUS server. This change will occur between update cycles, and should not otherwise directly impact users or updates. The new server will be setup before the change, and clients will receive the new server name starting April 5th.

 Apply Oracle CPU patch on KC-ISIA-ORAPRD1 (4/7/2016 9:00:00 PM)

Apply Oracle JAN CPU patch on KC-ISIA-ORAPRD1. Server will be unavailable during the maintenance

 Increase SSL security on Active Directory to TLS 1.0 minimum (4/9/2016 8:00:00 AM)

Active Directory SSL will be increased from a minimum of SSLv3 to TLS 1.0. This will match the requirements of other servers and workstations on campus. The DCs were missed in the last encryption improvement round, and will be brought into compliance with the rest of the campus encryption.

This may affect old LDAP clients such as Oracle and ColdFusion that talk directly to Active Directory, but which should be using TLS encryption. These products should all be up to date, but will be monitored to see if they have any issues with the change.

 Data Center Firewall Change (4/9/2016 10:00:00 PM)

A change will be made to the main data center network, and the firewall for this network. This will result in a likely 2 hour outage on the night of Saturday April 9th. Routing changes will also occur with this change to more successfully apply this change.

Servers on campus will be unreachable at this time, email will still function, but users on campus may have connectivity issues reaching the Internet during this time window.

 Urgent routing change for campus data center (4/14/2016 9:00:00 PM)

Due to some routing loops being seen on campus from the recent data center firewall work, changes will be made to the data center routing. This is likely to cause some 1-minute long network outages as adjustments are made to correct the routing errors. Currently some locations on campus are having problems reaching other areas of campus with this problem active, so it is urgent to correct this routing as quickly as possible.

 Data Center Firewall OS rebuild (4/24/2016 11:00:00 PM)

Due to error found in the OS installation on the Data Center firewalls, the OS will be rebuilt on each. As these units are redundant to each other, the work will be done on each unit while it is set passive or offline, allowing the online unit to remain undisturbed. (then swapping which unit is active to get the peer device up to date)

This should only result in two 1 minute outages as the units switch between active and passive.

There are currently 3 issues on the firewalls we are attempting to fix, this is the known fix for one of the problems. The other two are suspected to be related to this problem, and we are hoping this will resolve these other two issues.

This will be done overnight to avoid disturbing any production traffic during the brief active/passive transition periods.

This process is being tested ahead of time on a stand-alone unit with the same software level as the current units.

 New Hire Notification Process (5/5/2016 8:00:00 AM)

Updating the process to notify IT liaisons, fiscal officers, and key departmental staff regarding each new email account created from the daily HR New Hire report.

 Upgrade to EMET 5.5 (5/16/2016 8:00:00 AM)

The EMET software used to protect campus Windows machines, will be upgraded to version 5.5. This will include additional feature capabilities. This will be released after 8am, so that only machines rebooted after that time will get the update, allowing a controlled roll out over the week.

Information on EMET 5.5 is available at:

Testing will be conducted ahead of time on the upgrade and new feature implementations.

 Enable DNSsec on UMKC managed DNS zones (5/16/2016 12:00:00 PM)

DNSsec signing will be enabled on DNS zones managed by UMKC. This is the first of two parts to better ensuring UMKC DNS information is not tampered with by end ISPs. The second step is to publish the signing key with our registrars, so that outside sites can validate the signing. This will take place at a later date after we confirm the signing is working. (second step can result in loss of name resolution if the first step has any errors)

 Respondus Lockdown Browser Lab Edition Update (5/16/2016 10:00:00 PM)

Version 1.7.x of the Respondus Lockdown Browser will be EOL in June 2016. We will be updating RLB in all ILE classrooms and IS image supported labs to version prior to 1.7.x reaching EOL.

 Disable IPv6 Source Routing capability on Windows OS devices (5/17/2016 8:00:00 AM)

IPv6 Source Routing is likely enabled by default on Windows OS devices. This will be disabled via a group policy registry key. This will only take effect after a reboot, after the group policy change is put into place. Source Routing is normally only used for testing and diagnostics, and should not be used for production, and can be abused by attackers trying to get around network security devices.

 DNSsec public keys will be posted to DNS domain name registrars (5/20/2016 8:00:00 AM)

Once the initial DNSsec signing has been validated, the DNSsec public keys will be posted to our DNS registrars. At that point enforcement of the signing will take effect. This will be done on May 20th, a few days after the initial signing has started, and once the signing has been validated.

 Java 8u92 Campus Update (5/28/2016 10:00:00 PM)

Java 8u92 will be replacing previous versions of Java on all faculty, staff, and lab computers.