Honey Im Homme
Sep 3, 2009

Nebulis01 posted:

Have used DPM since 2006, currently 2007 in production and rolling out 2010 in the next month. I have no major issues with it; it runs and does its thing just fine. You backing up to disk only or to tape as well?

We currently back up to tape and also have Veeam on some sites.

Honey Im Homme fucked around with this message at 00:40 on Mar 3, 2012


Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)
So I'm in the process of moving us away from thin clients and Citrix in our remote offices to full desktops and AD setups.

Our main office has been on AD for a long time. The consultant who set up the place didn't define sites or subnets in AD.

In our remote offices, there are a few machines connecting to AD over the VPN.

My question is, if I start defining subnets and sites without DCs in those sites, will it affect connectivity or will they still be able to go over the VPN until I can get out there over the next few months to set up a DC?

devmd01
Mar 7, 2006

Elektronik
Supersonik

IT Guy posted:

For those of you with Dell servers, does anyone use the new OpenManage Essentials (formerly OpenManage IT Assistant) to manage their server hardware?

We have OpenManage Server Administrator installed on every server but nothing to connect them for alerts and poo poo. It's basically just installed to watch the hardware status. Unfortunately, it seems to be the only way to monitor a RAID status because I can't see any other way to do it.

We are in the process of rolling this out. All of our Dell servers are now on it, and Dell promises that they'll have the mibs for HP servers by the end of Q1 so we can trash hpsim. Prior to this, we were using a batch file that executed blat to fire off an email with the disk alert. Do yourself a favor and get a group policy together before you begin the ome install to set up snmp permitted managers and where to send the traps - gently caress manually configuring that. We also ran into a bug wherein it won't email off to anything but localhost, so we had to set up smtp services on the machine and have it relay over to our actual smtp server.

If you are having issues or have some questions, I can get you in touch with the lead dell systems engineer who reports back to the development group directly. We had him come on-site to stand it up and run us through the product, but we also spend $lots with dell and our sales rep is awesome. No complaints so far, though the email reporting is...verbose, and you have to pare down what it fires off otherwise your inbox will quickly be full.

Wicaeed
Feb 8, 2005
How do you guys handle the annoying fact that Java and Adobe both enable automatic updates by default for all users? None of our standard users roll with admin privileges :swoon: , but I understand it can be pretty annoying getting the Java/Adobe Reader update check every time you login.

I haven't done much research on the topic (yet), but I imagine that there is some AD GPO/Registry setting I can change for everyone to disable these notifications?

Wicaeed
Feb 8, 2005

IT Guy posted:

For those of you with Dell servers, does anyone use the new OpenManage Essentials (formerly OpenManage IT Assistant) to manage their server hardware?

We have OpenManage Server Administrator installed on every server but nothing to connect them for alerts and poo poo. It's basically just installed to watch the hardware status. Unfortunately, it seems to be the only way to monitor a RAID status because I can't see any other way to do it.

I've been tooling around with it in our office environment, and it's quite nice to finally get some sort of insight into our hardware status. It's by no means a 100% perfect product, but it's worlds better than having to manage 50+ OMSA installations separately.

quackquackquack
Nov 10, 2002

Wicaeed posted:

How do you guys handle the annoying fact that Java and Adobe both enable automatic updates by default for all users? None of our standard users roll with admin privileges :swoon: , but I understand it can be pretty annoying getting the Java/Adobe Reader update check every time you login.

I haven't done much research on the topic (yet), but I imagine that there is some AD GPO/Registry setting I can change for everyone to disable these notifications?

appdeploy.com is your friend.

For Flash, there's the MMS.cfg file. For Java... I forget. gently caress Java.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

quackquackquack posted:

appdeploy.com is your friend.

For Flash, there's the MMS.cfg file. For Java... I forget. gently caress Java.

MMS.cfg for Flash, Adobe Acrobat Customization Wizard for Reader/Acrobat. For Java, just kill yourself. I don't think the updater runs if the user isn't an admin, so users never see it (I'm not sure about this, but I've never seen a popup on users' computers and never heard any complaints, so I cross my fingers) but it can be disabled. Appdeploy is good, I also like wpkg.org. Here's how to disable automatic updates. You'll need to be able to read the wpkg syntax enough to know what to strip out; in that example you can clearly see the msiexec command they're running to remove the updater service.

Syano
Jul 13, 2005

LmaoTheKid posted:

Will the Microservers make decent multifunction servers for small branch offices?

I'm running 5 offices worldwide without subnets or sites defined because we were a Citrix shop. But our citrix servers are old as poo poo and our users need desktops. It looks like AD throws a poo poo ton of data over the WAN link so I'm looking for low cost, low power AD servers that might also serve out AV and WSUS downstream stuff.

Or am I in the wrong thread?

I don't give a poo poo about storage as I have pretty good NAS' at the sites with 1TB of RAID1 storage for user files.

AD traffic should be negligible across the WAN provided you have any sort of modern WAN link. Your remote sites can also be configured to get approvals from your WSUS server but source the downloads directly from Microsoft via their internet links. Of course your AV may be another issue but I wouldn't worry about a server at every site just for AD and WSUS.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)

Syano posted:

AD traffic should be negligible across the WAN provided you have any sort of modern WAN link. Your remote sites can also be configured to get approvals from your WSUS server but source the downloads directly from Microsoft via their internet links. Of course your AV may be another issue but I wouldn't worry about a server at every site just for AD and WSUS.

Two of our offices have not so great T1s, they'd be doing print serving, home directories and shared data too. I'd be repurposing our NAS as a backup area.

5 or 6 clients doing email over the VPN, AV updates, Windows Update, it can choke a T1 pretty quickly, especially if someone decides to watch a video or something.

Syano
Jul 13, 2005

LmaoTheKid posted:

Two of our offices have not so great T1s, they'd be doing print serving, home directories and shared data too. I'd be repurposing our NAS as a backup area.

5 or 6 clients doing email over the VPN, AV updates, Windows Update, it can choke a T1 pretty quickly, especially if someone decides to watch a video or something.

Well that's a completely different story and totally not the impression your first post gives off. Yes if you are talking print and file share traffic then yes you should probably have a local server.

(USER WAS PUT ON PROBATION FOR THIS POST)

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)

Syano posted:

Well that's a completely different story and totally not the impression your first post gives off. Yes if you are talking print and file share traffic then yes you should probably have a local server.

Jesus, I was simply asking if the Microserver makes a good low cost low power DC/multi function server, not your opinion on whether I need a DC in the site. But hey, thanks!

Syano
Jul 13, 2005

LmaoTheKid posted:

Jesus, I was simply asking if the Microserver makes a good low cost low power DC/multi function server, not your opinion on whether I need a DC in the site. But hey, thanks!

Just trying to help you save some money dude. But whatever, put a server on every desk if it makes you feel better.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)

Syano posted:

Just trying to help you save some money dude. But whatever, put a server on every desk if it makes you feel better.

Thanks, what servers do you recommend to be using as desktops? Also, are there any questions I never asked in my original post that you think you can answer?

(USER WAS PUT ON PROBATION FOR THIS POST)

IT Guy
Jan 12, 2010

You people drink like you don't want to live!
What makes a service start with the Local System Account and not a Domain Admin account?

We have this very old piece of poo poo software running on a server. Recently, we want it to access our file server with a Domain Account rather than the local system account. We've changed file permissions on a public access file share from the Everyone built in group to "Domain Users", basically to stop guests from seeing the share. This very old software seems to be connecting to the file share with whatever account is starting the service which is why it worked with the everyone group but not Domain Users.

Anyway, I want to change the service logon user to a domain admin so it has access to the file share but when I do so it won't start. What do I need to do here?

Nebulis01
Dec 30, 2003
Technical Support Ninny

IT Guy posted:

What makes a service start with the Local System Account and not a Domain Admin account?

We have this very old piece of poo poo software running on a server. Recently, we want it to access our file server with a Domain Account rather than the local system account. We've changed file permissions on a public access file share from the Everyone built in group to "Domain Users", basically to stop guests from seeing the share. This very old software seems to be connecting to the file share with whatever account is starting the service which is why it worked with the everyone group but not Domain Users.

Anyway, I want to change the service logon user to a domain admin so it has access to the file share but when I do so it won't start. What do I need to do here?

Does your domain admin have Log on as a service rights to the machine you're trying to start the service on? You can find this out by running secpol.msc > Local Policies > User Rights Assignment > Log on as a service. By default this access is not given to domain admins.

Erwin
Feb 17, 2006

IT Guy posted:

What makes a service start with the Local System Account and not a Domain Admin account?

We have this very old piece of poo poo software running on a server. Recently, we want it to access our file server with a Domain Account rather than the local system account. We've changed file permissions on a public access file share from the Everyone built in group to "Domain Users", basically to stop guests from seeing the share. This very old software seems to be connecting to the file share with whatever account is starting the service which is why it worked with the everyone group but not Domain Users.

Anyway, I want to change the service logon user to a domain admin so it has access to the file share but when I do so it won't start. What do I need to do here?

The log on tab of the service properties window. Also, you'll have to add a group policy object to allow that account to run as a service.

You should use an account that's not a domain admin if possible. Just make an AD user for that service.

IT Guy
Jan 12, 2010

You people drink like you don't want to live!
How do you Windows admins health check or manage your file server permissions?

We run into these types of issues frequently: http://serverfault.com/questions/31709/how-to-workaround-the-ntfs-move-copy-design-flaw where users are moving folders and the file permissions don't inherit and somebody who isn't supposed to have permission gets permission.

The top answer on that link is to setup multiple shares. The way we're currently doing it is one share \\fileserver\data and NTFS permissions to control access.

How do you guys do it?

Erwin
Feb 17, 2006

I think I mentioned Varonis in this thread before, but that's what we use to check permissions (as well as auditing, which I think is what I brought it up for before). The window shows file structure on the left, and AD accounts on the right. Double-click a user on the right and the folder structure on the left changes color to show where they have access and where they don't. Pick an individual folder to find out WHY they have access (e.g. they're in the dongs group which is in the buttes group).

For the problem you're having, it can send you a report each morning if a user suddenly has access to something they shouldn't. Or even if something changes at all. Or if it found a file with a regex match (say credit card or social security numbers) that is accessible to someone it shouldn't be. If a user moved a folder and exposed it to someone it shouldn't be exposed to, you'll get an alert (assuming you've set that up), and you can find out who moved it and when.

IT Guy
Jan 12, 2010

You people drink like you don't want to live!

Erwin posted:

I think I mentioned Varonis in this thread before, but that's what we use to check permissions (as well as auditing, which I think is what I brought it up for before). The window shows file structure on the left, and AD accounts on the right. Double-click a user on the right and the folder structure on the left changes color to show where they have access and where they don't. Pick an individual folder to find out WHY they have access (e.g. they're in the dongs group which is in the buttes group).

For the problem you're having, it can send you a report each morning if a user suddenly has access to something they shouldn't. Or even if something changes at all. Or if it found a file with a regex match (say credit card or social security numbers) that is accessible to someone it shouldn't be. If a user moved a folder and exposed it to someone it shouldn't be exposed to, you'll get an alert (assuming you've set that up), and you can find out who moved it and when.

Ah yes, you had suggested to me Varonis when I was asking about group policy auditing I think. Glad to hear it does this too. I haven't demo'd it yet but likely will before summer time. Thanks.

parasyte
Aug 13, 2003

Nobody wants to die except the suicides. They're no fun.

IT Guy posted:

What makes a service start with the Local System Account and not a Domain Admin account?
[...]We've changed file permissions on a public access file share from the Everyone built in group to "Domain Users", basically to stop guests from seeing the share. This very old software seems to be connecting to the file share with whatever account is starting the service which is why it worked with the everyone group but not Domain Users.

If you don't have guests logging in to domain-joined computers, you could try adding "Domain Computers" to the file share since local service accounts authenticate using the computer account (domain\CompName$), or you could always explicitly add just the name of the computer the service runs on.

In general it is a bad idea to have services running with Domain Admin credentials.
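
An added example, not part of any post in the thread: a PowerShell check for the two points raised in the replies above, whether a service's logon account is directly granted "Log on as a service" on this machine and whether that account is a member of Domain Admins. It assumes PowerShell 3.0 or later, an elevated prompt on the server hosting the service, and the ActiveDirectory (RSAT) module; the function names are hypothetical.

```powershell
# Added example, not code from the thread. Run elevated on the server that hosts the service.
# Assumption: the ActiveDirectory module (RSAT) is installed for the Domain Admins lookup.
Import-Module ActiveDirectory

# Translate an account name (DOMAIN\user, .\user, user@domain) to a SID string, or $null.
function ConvertTo-Sid {
    param([string] $Account)
    try {
        $name = $Account -replace '^\.\\', "$env:COMPUTERNAME\"
        (New-Object System.Security.Principal.NTAccount($name)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    }
    catch { $null }
}

# Export the effective local user-rights policy and return the SIDs that hold
# SeServiceLogonRight ("Log on as a service" in secpol.msc).
function Get-ServiceLogonRightSid {
    $cfg = Join-Path $env:TEMP ("userrights-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content -LiteralPath $cfg |
            Where-Object { $_ -match '^SeServiceLogonRight\s*=' } |
            Select-Object -First 1
        if (-not $line) { return @() }
        ($line -split '=', 2)[1].Split(',') | ForEach-Object {
            $entry = $_.Trim()
            # Entries are either "*S-1-5-..." (a SID) or a plain account name.
            if ($entry.StartsWith('*')) { $entry.TrimStart('*') } else { ConvertTo-Sid $entry }
        } | Where-Object { $_ }
    }
    finally { Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue }
}

# One row per service that runs under a non-built-in account.
function Get-ServiceAccountReport {
    $rightSids = @(Get-ServiceLogonRightSid)
    $adminSids = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        ForEach-Object { $_.SID.Value })
    $builtin = '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)'

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -and $_.StartName -notmatch $builtin } |
        ForEach-Object {
            $sid = ConvertTo-Sid $_.StartName
            [pscustomobject]@{
                Service             = $_.Name
                Account             = $_.StartName
                AccountResolved     = [bool] $sid
                # True means the service holds Domain Admin credentials on this host.
                IsDomainAdmin       = $adminSids -contains $sid
                # Direct assignment only: a right granted through a group the
                # account belongs to is not detected here.
                HasServiceLogonRight = $rightSids -contains $sid
            }
        }
}

Get-ServiceAccountReport | Sort-Object IsDomainAdmin -Descending | Format-Table -AutoSize
```

A row with `IsDomainAdmin` true is the case the replies advise against; a row with `HasServiceLogonRight` false and no group-based grant matches the "service won't start" symptom in the question.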

IT Guy
Jan 12, 2010

You people drink like you don't want to live!

parasyte posted:

If you don't have guests logging in to domain-joined computers, you could try adding "Domain Computers" to the file share since local service accounts authenticate using the computer account (domain\CompName$), or you could always explicitly add just the name of the computer the service runs on.

In general it is a bad idea to have services running with Domain Admin credentials.

Ah, that is good to know. I had this account already set to logon as service but the software is so old I didn't want to gently caress with it anymore. I'm just going to add that computer to the file share and be done with it.

Sudden Loud Noise
Feb 18, 2007

Showed off Run Advertised Programs to my Supervisor and Manager today. They're amazed and confused as to why they didn't use it before. And I honestly have no answer for them.

In the six months I've been here I've taken the imaging process from taking two days to complete, to 80 minutes. It would be awesome to get it done to under an hour.

Feeling surprisingly good at my job today.

Now I get to bear the hatred of the rest of the team because I'm showing off how an SCCM environment should work.

But I do have a question:
Does anyone work with encrypted systems? Right now we're using Symantec Endpoint Encryption on our laptops, the issue arises that if we start the imaging process from within Windows the WIM file is encrypted, so when the computer restarts and tries to use the encrypted data, the imaging process fails.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

spidoman posted:

Showed off Run Advertised Programs to my Supervisor and Manager today. They're amazed and confused as to why they didn't use it before. And I honestly have no answer for them.

In the six months I've been here I've taken the imaging process from taking two days to complete, to 80 minutes. It would be awesome to get it done to under an hour.

Feeling surprisingly good at my job today.

Now I get to bear the hatred of the rest of the team because I'm showing off how an SCCM environment should work.

But I do have a question:
Does anyone work with encrypted systems? Right now we're using Symantec Endpoint Encryption on our laptops, the issue arises that if we start the imaging process from within Windows the WIM file is encrypted, so when the computer restarts and tries to use the encrypted data, the imaging process fails.

I haven't used it myself, but apparently Bitlocker works pretty well with everything.

E: I'm reinstalling SCCM from scratch on a new domain while the guy that did it last time is on vacation, let's hope I don't gently caress it up too badly.

Sudden Loud Noise
Feb 18, 2007

FISHMANPET posted:

I haven't used it myself, but apparently Bitlocker works pretty well with everything.

E: I'm reinstalling SCCM from scratch on a new domain while the guy that did it last time is on vacation, let's hope I don't gently caress it up too badly.

I wish we could use Bitlocker. But we're stuck with terrible Symantec EndPoint Encryption for the foreseeable future.

IT Guy
Jan 12, 2010

You people drink like you don't want to live!
Anyone use this software? http://www.backupassist.com/

It was recommended to me but I'd rather have the goon opinion. It would be for some small non critical servers backing up ~40GB of data and we're kind of looking for a cheap solution rather than buying 12ish backup exec licenses at $1200/each

chizad
Jul 9, 2001

'Cus we find ourselves in the same old mess
Singin' drunken lullabies

IT Guy posted:

Anyone use this software? http://www.backupassist.com/

It was recommended to me but I'd rather have the goon opinion. It would be for some small non critical servers backing up ~40GB of data and we're kind of looking for a cheap solution rather than buying 12ish backup exec licenses at $1200/each

I used it at my old job for fileserver and Exchange backups as an alternative to upgrading our horribly out of date BackupExec licenses. It seemed to work pretty well from what I saw. However, I only used it for about a year before I left and I don't think I ever had to use it for a restore (other than during testing), so I'm not 100% comfortable giving it my stamp of approval. Like I said, my experience with it was good so it's not like I'd point people away from it, I just haven't used it nearly as long as I've used BE so I'm not quite as comfortable recommending it. They've got a 30-day trial, I'd definitely suggest giving it an eval to see if it works in your environment.

Unless they've drastically changed the product, it's basically just a frontend to NTBackup/wbadmin and the Windows task scheduler. There are scripts out there for NTBackup that can do a lot of the same stuff, but they lack the benefits of a GUI management interface and technical support and all that. This also has the benefit of allowing you to restore data to any server using the native tools.

Sudden Loud Noise
Feb 18, 2007

After running an OSD from "Run Advertised Programs" the advertisement status of other software advertisements isn't getting cleared out. So when we check the reports we see that program x was installed successfully, when it hasn't actually been run at all since the reimage. Is there any way to clear the reports after a reimage?

If we PXE booted it would create a duplicate record which solves the problem but no duplicate is created when we start the reimage from within windows.

IT Guy
Jan 12, 2010

You people drink like you don't want to live!
Jesus H. Christ.

I haven't been on any server 2008 R2 courses so someone please explain what is going on here.

We have this old piece of poo poo file server, running Server 2k3. At the moment we use NTFS permissions with one root data share. We often run into the NTFS design (flaw?) where if users move files on the same volume (move not copy) then the NTFS permissions do not inherit from their parent folder, rather the permissions persist with whatever was already there. This was by design according to Microsoft and I can see why one would want it this way due to accidental file moves.

Well, we just got a brand new server running Server 2k8 R2. I've got it all set-up and I was just doing some testing between NTFS permissions and share permissions. If I move a file to a different folder on the same volume where the folder permissions are different, the file is inheriting the parent folder permissions. This is what I would like to see, but I don't understand why it is doing this since this is not the way NTFS permissions design work. I should be seeing the NTFS permissions moving with the file rather than inheriting from the parent when doing a move on the same volume.

What is going on here? Did something change with Server 2k8 R2?

Edit: Seems I'm not the only one here: http://answers.microsoft.com/en-us/...a1-8556dfe9345d
I can't find an actual answer to this though.

Edit 2: Apparently there was a change. http://www.expta.com/2009/11/ntfs-inheritance-rule-change.html
I still can't find a Microsoft explanation though other than this KB linked in the above article: http://support.microsoft.com/kb/320246

IT Guy fucked around with this message at 14:42 on Mar 22, 2012
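
An added example, not part of any post in the thread: a PowerShell pass over a file tree for the problem in IT Guy's two posts on NTFS move behaviour (the permissions health-check question earlier and the Server 2k8 R2 post above). It flags items with inheritance disabled, explicit ACEs, and ACEs marked inherited whose identity does not appear on the parent's ACL, which is what a same-volume move leaves behind under the older behaviour described. It assumes PowerShell 3.0 or later; the function name and `D:\Data` are placeholders, and it compares identities only, not the rights granted.

```powershell
# Added example, not code from the thread. Requires PowerShell 3.0 or later.
function Find-AclDrift {
    [CmdletBinding()]
    param(
        # Root of the tree to audit, e.g. the folder behind the data share (placeholder).
        [Parameter(Mandatory = $true)] [string] $Root
    )

    $parentCache = @{}   # parent path -> identities present on the parent's ACL

    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            try {
                $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
                $parent = [System.IO.Path]::GetDirectoryName($item.FullName)
                if (-not $parentCache.ContainsKey($parent)) {
                    $parentCache[$parent] = @(
                        (Get-Acl -LiteralPath $parent -ErrorAction Stop).Access |
                            ForEach-Object { $_.IdentityReference.Value })
                }
            }
            catch {
                Write-Warning "Cannot read ACL for $($item.FullName): $($_.Exception.Message)"
                return   # skip this item, continue with the next one
            }
            $parentIds = $parentCache[$parent]

            if ($acl.AreAccessRulesProtected) {
                [pscustomobject]@{
                    Path = $item.FullName; Finding = 'InheritanceDisabled'
                    Identity = $null; Rights = $null; Type = $null
                }
            }

            foreach ($ace in $acl.Access) {
                $id = $ace.IdentityReference.Value
                if (-not $ace.IsInherited) {
                    $finding = 'ExplicitAce'
                }
                elseif ($parentIds -notcontains $id -and
                        -not ($id -eq $acl.Owner -and $parentIds -contains 'CREATOR OWNER')) {
                    # Marked inherited, but the current parent grants this identity nothing.
                    # A CREATOR OWNER entry on the parent legitimately appears on the
                    # child under the owner's name, so that case is excluded.
                    $finding = 'StaleInheritedAce'
                }
                else { continue }

                [pscustomobject]@{
                    Path = $item.FullName; Finding = $finding
                    Identity = $id; Rights = $ace.FileSystemRights; Type = $ace.AccessControlType
                }
            }
        }
}

# Usage (placeholder path): review the output, then decide per folder whether to
# re-propagate inheritance from the parent.
Find-AclDrift -Root 'D:\Data' |
    Export-Csv -Path "$env:TEMP\acl-drift.csv" -NoTypeInformation
```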

Wicaeed
Feb 8, 2005
Jesus christ Microsoft, is it really so hard to find documents related to Log Retention and other best practice in a HIPAA environment? :negative:

Even your stupid Security Compliance Management tool doesn't shed any loving light on this...

Hiyoshi
Jun 27, 2003

The jig is up!
I'm working on a Windows 7 deployment for a lab I work in and I want the users in the lab to be able to search indexed shares on our Windows 2008 R2 Server. I've got it working when I search shares that are mapped directly to the server name, \\SERVERNAME\Share1, but if I use the FQDN, \\servername.lab.edu\Share1, I can't search the shares. The research I've done indicates that the problem is that Windows Search Service doesn't support DFS shares. How do you guys handle this problem on your networks? Would Search Server 2010 solve these problems?

ryo
Jan 15, 2003
If I had 10 Server 2008 boxes and 100 users, would I need 1000 CALs? Or does 1 CAL license a user to access all instances of Server 2008 in an organisation?

Cpt.Wacky
Apr 17, 2005

ryo posted:

If I had 10 Server 2008 boxes and 100 users, would I need 1000 CALs? Or does 1 CAL license a user to access all instances of Server 2008 in an organisation?

It's 1 CAL per user (or device) regardless of how many servers. Be aware that you may need additional CALs for other services like Exchange and RDS. You may also want some alcohol to cope with the frustration of figuring out MS licensing.

ryo
Jan 15, 2003
I've seen the Core Suite CAL which looks like the most sensible option, just wanted to make sure we didn't need to buy hundreds of CALs every time we add a new 2008 server!

Wicaeed
Feb 8, 2005
Has anyone set up Dell DRAC 5/6 to use AD authentication?

I'm going through the Dell docs right now on how to configure it, and am not finding dick-all about troubleshooting, aside from the usual "Make sure you typed the ROOT domain name correctly" stuff.

These Dell docs don't even explain if I need to set up the Administrator level group mappings using the FQDNs or not...

Maneki Neko
Oct 27, 2000

ryo posted:

I've seen the Core Suite CAL which looks like the most sensible option, just wanted to make sure we didn't need to buy hundreds of CALs every time we add a new 2008 server!

This model still exists (licensing "by server"), but it rarely makes sense. As long as you've got enough user or device cals to cover your usage, you're good.

Maneki Neko fucked around with this message at 19:47 on Mar 26, 2012

ghostinmyshell
Sep 17, 2004



I am very particular about biscuits, I'll have you know.
Anyone have any guides to recommend for creating a child domain for 2003? I know there are quite a few but they do it with completely different methods. I begged for a 2008R2 license for this but "no money" is what I got :smith:

I would like to find a guide that someone can recommend that runs through the entire process, and things/gotchas you should do after dcpromo.exe. The technet guide isn't bad but I would like to see another suggestion.

ghostinmyshell fucked around with this message at 15:45 on Mar 29, 2012

peak debt
Mar 11, 2001
b& :(
Nap Ghost
If the parent domain has a forest functional level of 2008 you're hosed. Its domain functional level doesn't matter though.

And the procedure is pretty straightforward, start dcpromo on the new to-be domain controller, choose advanced mode, check "new domain in an existing forest" and provide a password to an enterprise admin in the parent domain.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010

Wicaeed posted:

Has anyone set up Dell DRAC 5/6 to use AD authentication?

I'm going through the Dell docs right now on how to configure it, and am not finding dick-all about troubleshooting, aside from the usual "Make sure you typed the ROOT domain name correctly" stuff.

These Dell docs don't even explain if I need to set up the Administrator level group mappings using the FQDNs or not...

Yeah, it's kind of loving wonky. There should be a test button to check if it can authenticate. Where does it fail at?

InfiniteDonkey
Jul 27, 2007

I think I need a hug.
I'm trying to sysprep a Windows 7 image with an autounattend.xml through command prompt. The sysprep runs through fine, but when I boot the machine none of the settings in the autounattend configuration take effect.

I've also been making images with physical computers. Now I've been thinking of switching to use VMware Workstation to make the base image as a virtual machine. Does anybody have any experience on creating images from virtual machines?


InfiniteDonkey
Jul 27, 2007

I think I need a hug.
Had a pretty productive day. I had the file name wrong; I shouldn't use autounattend.xml when sysprepping from command prompt. Autounattend.xml works when installing from a DVD and you insert a USB stick with the autounattend.xml file in it. When sysprepping from a command prompt I should use unattend.xml.
