devmd01
Mar 7, 2006

Elektronik
Supersonik

Eikre posted:

Is there a built-in method to create a new user in your Active Directory when you're sitting at a client system, logged in as a domain admin? Like, say I'm orienting a new employee, show him his desk, oh by the way I guess nobody's set him up with an account yet. Obviously I can go walk to the server, but if I could just log in as myself and then do a thing in the control panel that would be pretty neat.

Tell them to wait a couple of hours and their manager will provide their login credentials because the PeopleSoft Active Directory user processor won't create an account until the day the user is supposed to start. Oh yeah, make sure your manager puts in the appropriate system access request for any additional distribution lists/security groups beyond what is usually automatically applied for your job code. :smug:


REDCUM
Jul 10, 2003
Lets see how long I can go without getting banned again.

TXT BOOTY7 2 47474 posted:

Does anyone know of a group video calling service a la Skype or Oovoo that can link accounts to AD? (Or Google, even?) We can't have users manage individual accounts for one of those services because due to some security issues we have to cut off access immediately when someone leaves the company.

Zoom.us

Amazingly simple, integrates with Google login and can be centrally managed. Created by the same team that created WebEx.

jassa
Nov 7, 2005

"He's so awesome!"
He really is!
Just got a call from a panicked coworker (at 12:30am on a Sunday) who committed the ultimate SCCM 2007 R2 mistake - he accidentally deleted a couple of collections, including the All Systems collection. From initial searching it looks like this can effectively recreate the All Systems collection (the alternative being to reinstall SP2 apparently) but it's looking like the other collection is gone forever and I have no idea exactly what was/wasn't advertised to it. I was hoping I could help this guy restore the collections without involving the sysadmin team and managers, but it's beginning to look like I'll have no choice but to get them involved.

Have any of you been through this sort of experience with SCCM collection deletion? I'm surprised there doesn't seem to be any sort of undelete function at all.

peak debt
Mar 11, 2001
b& :(
Nap Ghost

jassa posted:

Just got a call from a panicked coworker (at 12:30am on a Sunday) who committed the ultimate SCCM 2007 R2 mistake - he accidentally deleted a couple of collections, including the All Systems collection. From initial searching it looks like this can effectively recreate the All Systems collection (the alternative being to reinstall SP2 apparently) but it's looking like the other collection is gone forever and I have no idea exactly what was/wasn't advertised to it. I was hoping I could help this guy restore the collections without involving the sysadmin team and managers, but it's beginning to look like I'll have no choice but to get them involved.

Have any of you been through this sort of experience with SCCM collection deletion? I'm surprised there doesn't seem to be any sort of undelete function at all.

In the SCCM backup directory in the SiteDBServer subdirectory you will have a backup of the SQL database as an MDF file. You can restore that to a different database under a temporary name, then you can get the rules back from the v_CollectionRuleQuery view.

jassa
Nov 7, 2005

"He's so awesome!"
He really is!

peak debt posted:

In the SCCM backup directory in the SiteDBServer subdirectory you will have a backup of the SQL database as an MDF file. You can restore that to a different database under a temporary name, then you can get the rules back from the v_CollectionRuleQuery view.

Thanks, will (hopefully) get a DBA to help with that on Monday. :)

Mierdaan
Sep 14, 2004

Pillbug
What's the best way to start handling image deployment for a ~300 PC environment without spending a bunch of money on System Center licensing? Is System Center Essentials still a thing? Can we get by with just MDT/WAIK?

edit: well looks like SC Essentials is deprecated in favor of SC 2012.

Yaos
Feb 22, 2003

She is a cat of significant gravy.
We use MDT for imaging and it works great. It's completely free and you can PXE boot from your own server or use WDS to perform PXE boot.

Yaos fucked around with this message at 23:57 on Mar 11, 2013

peak debt
Mar 11, 2001
b& :(
Nap Ghost
As long as you only have 1-3 sites, WDS/MDT is more than enough to image PCs. SCCM only starts to really shine on complex environments with dozens of locations, different forests and varying languages.

But note that if you already use System Center for patching, software deployment or something else, you don't need to pay any additional money for imaging. You pay your flat $60 per client no matter how many features you use.

dotalchemy
Jul 16, 2012

Before they breed, male Mallards have bright green/blue heads. After breeding season, they molt and become brown all over, to make it easier to hide in the brush while nesting.

~SMcD
Is System Center in its entirety a $60 client fee?

We have SCCM 2007 running at the moment for patching, OSD and software distribution, but I'd love to get SCOM and SCSM running, at least as a proof of concept with the idea that there's no software expenditure required to move to production.

Or is the $60 CAL just for SCCM?

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Anyone deployed ADFS in a midsized environment? We're moving more and more crap to "THE CLOUD" and right now we're kicking around the idea of going with OneLogin (MORE CLOUD) or implementing ADFS in house. We're global with ~3300 employees. OneLogin is going to cost a fortune at 60 bucks a year/person, while ADFS will set us back a few WinServer licenses.

It seems pretty straightforward according to the docs I've read on TechNet, but we're overwhelmed right now and internal resources are a bit thin. We always have MS Premier Support to fall back on, but the cloud solution does make life easier.

dotalchemy posted:

Is System Center in its entirety a $60 client fee?

We have SCCM 2007 running at the moment for patching, OSD and software distribution, but I'd love to get SCOM and SCSM running, at least as a proof of concept with the idea that there's no software expenditure required to move to production.

Or is the $60 CAL just for SCCM?

The 60 dollar CAL is just Config Manager. If you want Ops Manager and Service Manager you need the System Center Client Management Suite CAL @ 108 each. Or it's part of the Enterprise CAL if you're on an EA.

dotalchemy
Jul 16, 2012

Before they breed, male Mallards have bright green/blue heads. After breeding season, they molt and become brown all over, to make it easier to hide in the brush while nesting.

~SMcD

skipdogg posted:

The 60 dollar CAL is just Config Manager. If you want Ops Manager and Service Manager you need the System Center Client Management Suite CAL @ 108 each. Or it's part of the Enterprise CAL if you're on an EA.

Ah, I think we are. Thanks!

This might avoid us paying out of the arse for a Remedy replacement. Anyone using System Center Service Manager as a ticketing / helpdesk / CMDB solution? Is it worth exploring?

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

HAHAH! We're moving to Remedy in the Cloud! Remedyforce is what they're calling it.

evil_bunnY
Apr 2, 2003

ADFS is piss easy. With 3300 peeps I'm surprised you're not on that train yet.

Loten
Dec 8, 2005


I've just had a physical domain controller half die at one of our sites. It's a stand-alone domain because it is from an acquisition we haven't yet integrated.

I say half dead because it's got a dead disk and has been behaving unreliably since. I've been told that replacing the disk isn't a simple job because apparently they have no record of the server's serial number and so can't determine where it is being leased from and who should be responsible for fixing it.

Also it was the PDC and the Certificate Authority and a file server and a print server and...

ANYWAY

I've got the problem server in a working state after some changes and a reboot. I've spun up a new virtual DC and moved the Active Directory operational masters to it. The one thing I'm not sure about is the certificate authority. I've taken a backup of the CA with the intention of migrating it elsewhere and the next cert to expire is a week away, which should give me enough time to bring up a new CA and do a migration, but in the interim is there any impact to having no CA in an environment if either this server dies or we turn it off?

Loten fucked around with this message at 07:27 on Mar 19, 2013

Yaos
Feb 22, 2003

She is a cat of significant gravy.
I just joined my computer to the domain here and have come across an issue where I can't remote control my computer with any account, but I am able to remote control other computers with the same accounts. The error is "the user has requested a type of logon (e.g., interactive or network) that has not been granted."

I'm not sure what's going on since this only affects my computer. I did not think you could specifically deny remote control to a certain computer. I've already left and joined the domain, which did not fix it.

Edit: Something is just messed up on my computer, remote assistance does not work either. Guess it's time for a reinstall.

Yaos fucked around with this message at 20:57 on Mar 19, 2013

Mierdaan
Sep 14, 2004

Pillbug

Having been through this before: there's no real downside to not having a CA in your org, unless you rely a lot on internal self-signed certs for web sites, etc. We had a physical-DC-that-was-also-our-CA die, and it was a pretty simple call to Microsoft PSS to have it ripped out of the domain manually until we could spin a new one up on a VM. We didn't even bother for a few weeks until we had a need for it.

Wizard of the Deep
Sep 25, 2005

Another productive workday

Yaos posted:

I just joined my computer to the domain here and have come across an issue where I can't remote control my computer with any account, but I am able to remote control other computers with the same accounts. The error is "the user has requested a type of logon (e.g., interactive or network) that has not been granted."

I'm not sure what's going on since this only affects my computer. I did not think you could specifically deny remote control to a certain computer. I've already left and joined the domain, which did not fix it.

Edit: Something is just messed up on my computer, remote assistance does not work either. Guess it's time for a reinstall.

It's simple, but are you sure you have RDP/Remote Assistance enabled on your PC, with appropriate accounts/groups granted access?

Yaos
Feb 22, 2003

She is a cat of significant gravy.

Wizard of the Deep posted:

It's simple, but are you sure you have RDP/Remote Assistance enabled on your PC, with appropriate accounts/groups granted access?

It should be unless joining the domain changed it. I will have to check it out. Thanks.

Wizard of the Deep
Sep 25, 2005

Another productive workday

Yaos posted:

It should be unless joining the domain changed it. I will have to check it out. Thanks.

Joining the domain shouldn't turn off RDP, but you will need to add domain accounts/groups to the "Can log in via RDP" group.

I've got the settings configured through a GPO now, so it's completely automated. Computer joins domain, RDP is forced on, and certain groups are automatically added :smuggo:

Loten
Dec 8, 2005


Mierdaan posted:

Having been through this before: there's no real downside to not having a CA in your org, unless you rely a lot on internal self-signed certs for web sites, etc. We had a physical-DC-that-was-also-our-CA die, and it was a pretty simple call to Microsoft PSS to have it ripped out of the domain manually until we could spin a new one up on a VM. We didn't even bother for a few weeks until we had a need for it.

Awesome - this is pretty much what my research suggested too. Thanks for your reply.

Yaos
Feb 22, 2003

She is a cat of significant gravy.

Wizard of the Deep posted:

It's simple, but are you sure you have RDP/Remote Assistance enabled on your PC, with appropriate accounts/groups granted access?
I took a look and it claimed my account had access, it had just domain\ there so I added a group I was in and it works. My RA issue was caused by a missing registry key. Under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole] there should be a string key called EnableDCOM with Y as the value, for some reason it was gone, but I added it back and RA works!

This setting appears to have also caused a few remote services in the remote admin pack to not work either.

Yaos fucked around with this message at 13:14 on Mar 20, 2013
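The two things the post above ended up fixing by hand (a missing EnableDCOM value and a domain group absent from the local Remote Desktop Users group) are easy to audit before anyone reinstalls. The script below is an added example, not the poster's code; the group name `CONTOSO\Helpdesk` is a placeholder assumption and it only reports unless `-Fix` is passed.

```powershell
# Added example, not the poster's code: audit the EnableDCOM value under
# HKLM\SOFTWARE\Microsoft\Ole (needed by Remote Assistance and DCOM-based remote
# admin tools) and whether the expected domain group is in "Remote Desktop Users".
# Run in an elevated PowerShell session on the affected workstation.
param(
    [string]$RequiredGroup = 'CONTOSO\Helpdesk',   # assumption: substitute your own domain group
    [switch]$Fix
)

# --- 1. EnableDCOM (REG_SZ, documented default is "Y") ---
$olePath = 'HKLM:\SOFTWARE\Microsoft\Ole'
$dcom = (Get-ItemProperty -Path $olePath -Name EnableDCOM -ErrorAction SilentlyContinue).EnableDCOM
if ($dcom -eq 'Y') {
    Write-Host "EnableDCOM = Y (DCOM enabled; Remote Assistance can work)"
} else {
    Write-Warning "EnableDCOM is missing or not 'Y' (current value: '$dcom'); RA and remote MMC snap-ins will fail"
    if ($Fix) {
        # -Force creates the value if absent and overwrites it if wrong
        New-ItemProperty -Path $olePath -Name EnableDCOM -Value 'Y' -PropertyType String -Force | Out-Null
        Write-Host "Recreated EnableDCOM = Y"
    }
}

# --- 2. Remote Desktop Users membership, via ADSI so it also works on 2008 R2 / PowerShell 2.0 ---
$rdpGroup = [ADSI]'WinNT://./Remote Desktop Users,group'
$members = @($rdpGroup.psbase.Invoke('Members') | ForEach-Object {
    # Each member's ADsPath looks like WinNT://DOMAIN/Name; normalise it to DOMAIN\Name
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    ($path -replace '^WinNT://', '') -replace '/', '\'
})
Write-Host "Remote Desktop Users currently contains: $($members -join ', ')"

if ($members -contains $RequiredGroup) {
    Write-Host "$RequiredGroup is already granted RDP access"
} else {
    Write-Warning "$RequiredGroup is not in Remote Desktop Users; RDP logons from that group will be refused"
    if ($Fix) {
        # ADSI expects the WinNT://DOMAIN/Name form here
        $rdpGroup.Add("WinNT://$($RequiredGroup -replace '\\', '/')")
        Write-Host "Added $RequiredGroup to Remote Desktop Users"
    }
}
```

Once a GPO like the one mentioned earlier in the thread manages these settings, the same script doubles as a quick check that the policy actually applied on a given machine.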

zapateria
Feb 16, 2003

dotalchemy posted:

Ah, I think we are. Thanks!

This might avoid us paying out of the arse for a Remedy replacement. Anyone using System Center Service Manager as a ticketing / helpdesk / CMDB solution? Is it worth exploring?

We have enterprise CALs so I played around with the idea of testing Service Manager. Watched a video of some guy going through basic functions and "how easy it is to do x and y", and he ended up with a lot of "ok this should have worked", "we have to wait a while for this to work", "I'll just skip this because it takes a while". Not very impressed. I could have the wrong impression though, but I just don't have the time to fight with another half-assed Microsoft product in production, I do enough of that with SharePoint.

evil_bunnY
Apr 2, 2003

Because SCCM is designed to scale better, it also means some poo poo takes forever, and there's quite a few gotchas.

chizad
Jul 9, 2001

'Cus we find ourselves in the same old mess
Singin' drunken lullabies
Yeah, I took the official Microsoft SCCM 2012 admin class a few weeks ago, and one thing the instructor kept stressing was that it's "not a real-time product." As I've been (slowly) working on getting things set up in our environment, I have to keep reminding myself of that. Even with the tricks they use in the lab instructions to speed things along (forcing a policy/eval to run on the client or forcing a full discovery from the server or whatever), there's still times where I just have to say "okay, I'm gonna let that settle in and work on something else for an hour or two.....then if it's still not working I can start doing some troubleshooting."

Loten
Dec 8, 2005


Has anyone here had any experience with AccelOps? http://www.accelops.com/

Our company has bought it with the plan to replace all our various monitoring packages/panes of glass. I'm curious to know how good it is and if it can replace SCOM/Nagios///////?

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

chizad posted:

Yeah, I took the official Microsoft SCCM 2012 admin class a few weeks ago, and one thing the instructor kept stressing was that it's "not a real-time product." As I've been (slowly) working on getting things set up in our environment, I have to keep reminding myself of that. Even with the tricks they use in the lab instructions to speed things along (forcing a policy/eval to run on the client or forcing a full discovery from the server or whatever), there's still times where I just have to say "okay, I'm gonna let that settle in and work on something else for an hour or two.....then if it's still not working I can start doing some troubleshooting."

A couple hours? poo poo sometimes I just check it tomorrow.

dotalchemy
Jul 16, 2012

Before they breed, male Mallards have bright green/blue heads. After breeding season, they molt and become brown all over, to make it easier to hide in the brush while nesting.

~SMcD
Yeah, there's been a couple of occasions with SCCM when I've resorted to just saying "It'll happen when SCCM decides it wants it to happen, I'll let you know when that is."

Side question - is there anything out there that does an initial inventory like SCCM, has historical data in the same way but handles current data and software pushes in real-time "do this now" style?

devmd01
Mar 7, 2006

Elektronik
Supersonik
I don't know what you mean by "initial inventory like sccm," but I'm currently the Symantec Management Platform administrator at my company and it can get as crazy as you want it to. Our needs aren't all that complex, something like 50 software packages and 6 images. I haven't used SCCM at all, but SMP is extremely powerful. Conversely, it is also incredibly complex. Thankfully we keep a very homogenized environment except for corporate, so it's easy to keep things the same.

I use software management policies to handle automatic upgrades of things like flash, reader, etc, but the packages are also available to be installed instantly by the helpdesk should someone call in. We don't use it for patch management, WSUS still fits our needs even with a central server for 250 sites.

I'm just now getting into utilizing the imaging, but the deployanywhere functionality is impressive. I sucked up a basic XP install on one model that only had the network driver installed, deployed it to an entirely different machine with a different network card, and all drivers were installed automatically, no need to keep them in the image.

Downside is that it's crazy expensive, and you really need someone who knows what the gently caress is going on to get full use out of the platform. I am not that person, because I have 3 other hats to juggle.

some kinda jackal
Feb 25, 2003

 
 
Is this the general Windows Enterprise thread now? I have some Active Directory best practice questions but I don't know where to throw them.

dotalchemy
Jul 16, 2012

Before they breed, male Mallards have bright green/blue heads. After breeding season, they molt and become brown all over, to make it easier to hide in the brush while nesting.

~SMcD

Martytoof posted:

Is this the general Windows Enterprise thread now? I have some Active Directory best practice questions but I don't know where to throw them.

Yeah, it seems to be. If it related to enterprise Windows, which I'd classify as being MS Server products, MS DNS / DHCP / AD, client management, software packaging, anything else "corporate Windows", I'd say fire away.

some kinda jackal
Feb 25, 2003

 
 
I'm working on getting a better grasp of bringing an Active Directory infrastructure up from scratch, seeing as how every AD environment I've been in has been implemented before my arrival.

Right now my lab consists of two 2008R2 DC VMs, each running the AD and DNS roles. Both were built up from scratch (no cloning, etc) then individually promoted to start a new domain/forest, and to join that domain in that order.

Each DC is running the DNS role and is acting as a secondary DNS server to the other server, so they basically rely on each other.

Since this is a lab I offline both DCs regularly when I'm not using them. This has the unfortunate effect that when it's time to bring them back online they take forever to boot, spinning on "Applying Computer Settings".

I've pretty much concluded that this is because there is no DNS server active at boot time. If Server 1 relies on a) Itself, b) DC2 for DNS, and Server 2 relies on a) Itself, b) DC1 for DNS, then at bootup neither has access to working DNS resolution. In the event log it looks like the AD service comes up before DNS Server service (which makes little sense to me), and there are numerous errors which point to name resolution as a cause.

So I guess my question is whether it's best practice to have a third server with the DNS role on my network and use that as the primary or at least secondary nameserver for each DC to utilize, or if there is a better way of handling a cold boot of an entire Active Directory infrastructure? Moreover I'm looking for a good reference or whitepaper for separating Active Directory roles out by physical (or virtual) hosts. What is best practice to keep consolidated on one server and what is best to separate out for fault tolerance.

Sorry if this is a little bit of a ramble, I'm not entirely sure I'm articulating my problem correctly.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)
From what I've seen on the BPA when I run it, 127.0.0.1 should not be first on your list of DNS servers under IP settings.

The way I do it with my company is our FSMO machine is in our DR facility in Philly, and all AD/DNS servers in my offices use it as their first DNS server, then I'll usually use another DNS server that's geographically close (in our Paris office, it uses the London DC as its secondary, in NY we have 2 AD servers so no problems there, and LA uses NY). Then localhost.

As for the long loading times, I'll let someone else chime in here as I haven't ever cold booted an entire domain, except after Sandy took us out for a week and even then, my servers powered back up while I was asleep like magic.

some kinda jackal
Feb 25, 2003

 
 
Thanks for the insight. The "long" boot time only equates to like six to ten minutes which is really only "forever" when you're waiting for a server to boot :q:

Everything I read says that throwing 127.0.0.1 first is more efficient, but I seriously doubt it makes a huge difference these days. I need to bone up on best practices one of these days.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)
The odd thing is, Applying Computer Settings is the Group Policy kicking in which should be stored locally on the DC. Maybe set up a policy telling the DC not to wait for it to load or cache it locally?

some kinda jackal
Feb 25, 2003

 
 
The eventlog for the GP errors are always something like this:

The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.

So it's kind of weird that it can't connect to a DC when it IS a DC. I don't know AD intimately enough to say exactly why that is. Does a DC rely on seeing its host defined in DNS to know it's a DC? That's plausible I guess. I hate to poo poo up this thread with babby's first AD guesses so I'm trying to stick entirely to what I know to be true :haw:

Unormal
Nov 16, 2004

Mod sass? This evening?! But the cakes aren't ready! THE CAKES!
Fun Shoe

Martytoof posted:

The eventlog for the GP errors are always something like this:

The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.

So it's kind of weird that it can't connect to a DC when it IS a DC. I don't know AD intimately enough to say exactly why that is. Does a DC rely on seeing its host defined in DNS to know it's a DC? That's plausible I guess. I hate to poo poo up this thread with babby's first AD guesses so I'm trying to stick entirely to what I know to be true :haw:

Not sure if this is helpful, but group policy tends to access its crap by using the well-known share \\{domain}\sysvol\{domain}\policies so if that's not accessible/resolvable it'll be all confused.
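The BPA advice about DNS server order a few posts up and the SYSVOL dependency in this reply are the two things a cold-booting DC trips over, and both can be checked in one pass. The script below is an added example, not anything from the thread; it assumes it runs on (or is pointed at) a domain controller and derives the domain name from the machine's own domain membership.

```powershell
# Added example, not from the thread: check a DC's DNS client server order against the
# BPA rule (itself/127.0.0.1 should not be first) and confirm the SYSVOL policies share
# that Group Policy reads from is resolvable and reachable.
# Assumption: run locally on the DC, or pass -ComputerName for the WMI queries.
param([string]$ComputerName = $env:COMPUTERNAME)

$cs     = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $ComputerName
$domain = $cs.Domain
$nics   = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -ComputerName $ComputerName -Filter 'IPEnabled = TRUE'
$loopbacks = @('127.0.0.1', '::1')

# --- 1. DNS client order on every IP-enabled adapter ---
foreach ($nic in $nics) {
    $order = @($nic.DNSServerSearchOrder)
    $own   = @($nic.IPAddress)
    if ($order.Count -eq 0) {
        Write-Warning "$($nic.Description): no DNS servers configured"
        continue
    }
    $first = $order[0]
    if (($loopbacks -contains $first) -or ($own -contains $first)) {
        # This is the BPA finding: while its own DNS Server service is still starting after a
        # cold boot, a DC that asks itself first has nothing to resolve against.
        Write-Warning "$($nic.Description): first DNS server is $first (this DC). Put a partner DC first and itself last."
    } else {
        Write-Host "$($nic.Description): DNS order OK -> $($order -join ', ')"
    }
    $listsSelf = $order | Where-Object { ($loopbacks -contains $_) -or ($own -contains $_) }
    if (-not $listsSelf) {
        Write-Host "  note: this DC does not list itself as a DNS server at all; it is usually added last"
    }
}

# --- 2. Can Group Policy find its source? Resolve the domain, then touch the SYSVOL share ---
$sysvol = "\\$domain\sysvol\$domain\policies"
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($domain) | ForEach-Object { $_.IPAddressToString }
    Write-Host "$domain resolves to: $($addrs -join ', ')"
} catch {
    Write-Warning "$domain does not resolve; Group Policy will log 'lack of network connectivity to a domain controller'"
}
if (Test-Path -LiteralPath $sysvol) {
    # PSIsContainer rather than -Directory so this still runs on PowerShell 2.0 (2008 R2)
    $folders = @(Get-ChildItem -LiteralPath $sysvol -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer })
    Write-Host "$sysvol is reachable ($($folders.Count) policy folders)"
} else {
    Write-Warning "$sysvol is not reachable; 'Applying Computer Settings' will hang until it is"
}
```

Running it against each DC after changing the DNS order shows whether the lab's two servers can now find a partner before their own DNS Server service is up.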

some kinda jackal
Feb 25, 2003

 
 
Hmm. So even if DNS were available, it looks like perhaps that wouldn't help unless the SYSVOL share were accessible. I don't know where CIFS starts in the boot order.

I'm going to try throwing a standalone DNS server in the lab so my DCs have something to resolve against and see if it still spins for a half dozen minutes.

Thanks for the valuable info guys.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

Hey guys, so we're finally moving from Zenworks 11 to System Center Config Mgr 2012 SP1. Currently in a 5 day admin class. Good times or great times? :suicide:

Can't wait though.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

The class was terrible. It's paced for the lowest common denominator, tons of dead time. I was able to work the entire time I was attending the class without missing much of a beat.


GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

You must have had a terrible class. This one is a beast. We start at 8:30am and we don't get done until 4:30. The book is something like 15 or 16 chapters and we're doing all of them, and every single lab. I'm not complaining by any means but my brain is fried.

I've taken a ton of MS classes and this is one of the busiest. Today we spent a couple hours writing loving SQL queries and getting the reporting server stuff working.
