I personally tend to discourage anything being installed on a domain controller. That kind of machine, though, is a good candidate to run Hyper-V and then have the DC run under it. A 2008R2 DC doesn't need much in the way of resources. I have most of mine provisioned at 6 or 8GB of RAM and 2 cores and they run with no problems at all.
|
# ? Oct 18, 2013 16:32 |
|
Yeah, the worry there isn't that the machine can't handle it, it's that running software on it increases the risk of something happening that brings the machine to a halt, and the last thing you want is a situation where your DR DC is the only available DC (bad) and suddenly Openfire memory leaks into an important service and now nobody can log in (now much, much worse). Since it looks like you're only using it for a handful of people, just drop it on a desktop and put a sticky note over the power button. Its resource draw is pretty small; the Java VM it uses takes up more resources than that few users do.
|
# ? Oct 18, 2013 17:23 |
|
EAT THE EGGS RICOLA posted:
In the same domain? msra /offerra will give you Windows Remote Assistance.

Thanks for this info, I knew it existed but couldn't think of the name. Set up a GPO to enable it, works like a charm.
|
# ? Oct 18, 2013 23:56 |
|
Mr. Clark2 posted:
Thanks for this info, I knew it existed but couldn't think of the name. Set up a GPO to enable it, works like a charm.

I've been using this a lot lately and everyone loses their mind. They don't quite realize they have to hit yes in order for me to see their screen.
|
# ? Oct 19, 2013 03:08 |
|
LmaoTheKid posted:
I've been using this a lot lately and everyone loses their mind. They don't quite realize they have to hit yes in order for me to see their screen.

I don't know if this works on Win 7 (and can't test it right now), but:

Edit C:\WINDOWS\pchealth\helpctr\system\Remote Assistance\helpeeaccept.htm to add:
btnAccept.disabled = false;
btnDecline.disabled = false;
btnDecline.focus();
DoAccept();

Edit C:\WINDOWS\pchealth\helpctr\system\Remote Assistance\Interaction\Server\TakeControlMsgs.htm to add:
<BODY id="idBody" class="sys-inlineform-bgcolor1" onload=InitiateMsg();onClickHandler(0);>

And it will auto-accept remote assistance offers. (I might be slightly off, but it's something super close to that.)
|
# ? Oct 19, 2013 03:19 |
|
EAT THE EGGS RICOLA posted:
I don't know if this works on Win 7 (and can't test it right now), but:

Thanks, it's not even a big deal to me. I just find the paranoia to be pretty funny.
|
# ? Oct 19, 2013 03:20 |
|
For those in the know: I've finished building up two 2012 Domain Controllers to replace two aging Server 2003 domain controllers. They've been running for about a week now, however client machines (mostly server OS) on the domain are showing their %logonserver% as one of the two old domain controllers. When I demote the older domain controllers, what happens when the client machines check the %logonserver% that is no longer available? Does it gracefully go and check for another logonserver?
|
# ? Oct 22, 2013 21:00 |
|
In my experience, yes.
|
# ? Oct 22, 2013 21:09 |
|
Is your DNS set up properly, so that clients can actually find the new DCs? Also, before you demote the DCs, turn them off for a while and see what breaks. It's much easier to turn a DC back on because you missed something than to re-promote a DC because you missed something.
|
# ? Oct 22, 2013 21:50 |
|
I can't really find it anywhere, but what is the period that a client will keep a domain controller's record in the %logonserver% value before it attempts to verify or locate a valid record?
Wicaeed fucked around with this message at 22:15 on Oct 22, 2013 |
# ? Oct 22, 2013 22:07 |
|
I should have looked into this more when I decommissioned a 2008 DC (SBS2008) in favour of a 2008 R2 one, but my memory of the situation is a bit hazy. If I remember correctly I demoted the old DC (after bringing the new one up and checking DNS replication, transferring FSMO roles etc.). When the old DC had disappeared, the next logon that happened on the client had %logonserver% set to the new one.
|
# ? Oct 22, 2013 22:42 |
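The checks the last few posts describe (DNS pointing at the new DCs, FSMO roles moved, clients able to locate a DC) as one script. This is an added example and not code from anyone in the thread; it assumes a Server 2012 machine with the RSAT ActiveDirectory module (Resolve-DnsName is 2012/Win8 or later), and the $OldDcs names are placeholders.

```powershell
# Added example, not from the thread. Pre-demotion check: do AD, DNS and the
# DC locator still point at the DCs about to be retired? Assumes the RSAT
# ActiveDirectory module on Server 2012 / Windows 8 (for Resolve-DnsName).
# $OldDcs holds placeholder names; substitute the DCs being demoted.
param(
    [string[]]$OldDcs = @('OLDDC1', 'OLDDC2')   # placeholder names
)
Import-Module ActiveDirectory

$domain   = (Get-ADDomain).DNSRoot
$warnings = 0

# 1. FSMO roles: none may still live on a DC that is going away.
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object Name, IPv4Address, IsGlobalCatalog, OperationMasterRoles | Format-Table -AutoSize
foreach ($dc in $dcs) {
    if (($OldDcs -contains $dc.Name) -and ($dc.OperationMasterRoles.Count -gt 0)) {
        Write-Warning "$($dc.Name) still holds $($dc.OperationMasterRoles -join ', ') - transfer these first"
        $warnings++
    }
}

# 2. DC locator SRV records. Clients pick a logon server from these, so a
#    stale entry is exactly what keeps handing out an old DC as %logonserver%.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$domain",
    "_kerberos._tcp.dc._msdcs.$domain",
    "_ldap._tcp.pdc._msdcs.$domain"
)
foreach ($name in $srvNames) {
    $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
    if (-not $records) { Write-Warning "no SRV records for $name"; $warnings++; continue }
    foreach ($r in $records) {
        $short = ($r.NameTarget -split '\.')[0]
        if ($OldDcs -contains $short) {
            Write-Warning "$name still advertises $($r.NameTarget)"
            $warnings++
        } else {
            "$name -> $($r.NameTarget)"
        }
    }
}

# 3. Ask the locator for a DC right now, bypassing its cache. %logonserver%
#    itself is only set at logon; this shows what the next logon will get.
nltest /dsgetdc:$domain /force

"$warnings warning(s). Even at zero, power the old DCs off for a while before demoting them and see what breaks."
```

Run it from a domain-joined admin workstation; the SRV check is the one that answers the %logonserver% question, because a client that cannot reach its cached logon server goes back to these records to find another one.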
|
Caged posted:
I should have looked into this more when I decommissioned a 2008 DC (SBS2008) in favour of a 2008 R2 one, but my memory of the situation is a bit hazy. If I remember correctly I demoted the old DC (after bringing the new one up and checking DNS replication, transferring FSMO roles etc.). When the old DC had disappeared, the next logon that happened on the client had %logonserver% set to the new one.

Good to know. Last domain controller question of the day, I swear. I've set my two new DCs to use an upstream NTP server in my own network, which in turn synchronizes to a source such as time-a.nist.gov. Of the two DCs, the clock time is about 2 minutes off. The PDC shows the following when I run w32tm /monitor /computer:upstreamntpserver:
code:
What matter of voodoo magic do I need to use to get Windows to recognize that the goddamn time is too far off? I realize that for Kerberos purposes, 5 minutes clock skew is close enough, but for our own internal application usage, we need to be fairly accurate with our time setting across 3-400 servers.
|
# ? Oct 23, 2013 02:28 |
|
Are these machines virtualised? Have you made sure to turn off time synchronisation between the VM host and the guests?
|
# ? Oct 23, 2013 02:48 |
|
Caged posted:
Are these machines virtualised? Have you made sure to turn off time synchronisation between the VM host and the guests?

No, these are both physical machines.
|
# ? Oct 23, 2013 03:08 |
|
Only the DC holding the PDC role should be using an external time source. All others should be configured to use NT5DS and get their time from the PDC. In Windows land it's much more important to have a consistent time across the domain than an accurate time. Make sure the DC holding the PDC emulator role is configured properly, and then make sure your other DCs are set to NT5DS. An interesting thing I learned in this article is that if you have another DC marked as a reliable time source in the domain, the PDC emulator stops advertising: http://technet.microsoft.com/en-us/library/cc794937%28v=ws.10%29.aspx

On your PDC emulator run the following:
w32tm /config /manualpeerlist:<timeserver> /syncfromflags:manual /reliable:yes /update

That should get you on the same page with whatever server you put in for <timeserver>. Once that's fixed, tackle the rest of the DCs by setting them to NT5DS and restarting the Windows Time service.
|
# ? Oct 23, 2013 05:08 |
|
Actually read what is probably that same article, performed those steps and now the PDC is functioning perfectly. Now to replicate those steps on the rest of the DC's I need to.
|
# ? Oct 23, 2013 06:48 |
|
skipdogg posted:
That should get you on the same page with whatever server you put in for <timeserver>. Once that's fixed, tackle the rest of the DCs by setting them to NT5DS and restarting the Windows Time service.

What's the command line for that?
w32tm /config /syncfromflags:DOMHIER /update
Then run a net stop w32time and net start w32time?
|
# ? Oct 28, 2013 21:14 |
|
Yup, that should work. A post I found mentions adding a W32tm /resync /rediscover before restarting the service, but it should be fine.
|
# ? Oct 28, 2013 23:01 |
|
skipdogg posted:
Yup, that should work. A post I found mentions adding a W32tm /resync /rediscover before restarting the service, but it should be fine.

Another thing I quickly discovered: the contents of the registry key ('w32tm /dumpreg /subkey:parameters') do not actively reflect the configuration. To actually get the real configuration you need to run 'w32tm /query /configuration'. I believe if values are set to 'Policy', those are GPO-enforced settings.
|
# ? Oct 29, 2013 03:42 |
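The time-hierarchy rule from the last few posts (PDC emulator syncs from a manual peer and is marked reliable, every other DC uses NT5DS, read the live config with /query /configuration rather than /dumpreg) as an audit script with an optional repair switch. Added example, not posted by anyone in the thread; it assumes the RSAT ActiveDirectory module and an account allowed to run w32tm against each DC over RPC, and $UpstreamServer is a placeholder for the internal NTP server.

```powershell
# Added example, not from the thread. Audit (and with -Fix, repair) the
# W32Time role of every DC. Assumes the RSAT ActiveDirectory module and
# remote w32tm access (RPC) to each DC. $UpstreamServer is a placeholder.
param(
    [string]$UpstreamServer = 'ntp.example.internal',   # placeholder
    [switch]$Fix
)
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Pull one "Key: value (Local|Policy)" line out of w32tm's text output.
function Get-Field([string[]]$Lines, [string]$Key) {
    $m = $Lines | Select-String -Pattern "^\s*$Key\s*:\s*(.+?)\s*$" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { '<missing>' }
}

"PDC emulator: $pdc"

$report = foreach ($dc in $dcs) {
    # /query /configuration is the effective config. A "(Policy)" suffix on a
    # value means Group Policy owns it; changing the registry will not stick.
    $lines = w32tm /query /computer:$dc /configuration 2>&1
    $isPdc = ($dc -ieq $pdc)
    # Expected: PDC emulator = NTP with a manual peer; all others = NT5DS.
    $expected = if ($isPdc) { 'NTP' } else { 'NT5DS' }
    $type = Get-Field $lines 'Type'
    New-Object PSObject -Property @{
        DC            = $dc
        Role          = if ($isPdc) { 'PDC emulator' } else { 'member DC' }
        Type          = $type
        NtpServer     = Get-Field $lines 'NtpServer'
        AnnounceFlags = Get-Field $lines 'AnnounceFlags'
        OK            = ($type -like "$expected*")
    }
}
$report | Format-Table DC, Role, Type, NtpServer, AnnounceFlags, OK -AutoSize

# Offsets of every DC relative to this machine, plus each one's stratum.
w32tm /monitor /domain:$($domain.DNSRoot)

if ($Fix) {
    foreach ($row in ($report | Where-Object { -not $_.OK })) {
        if ($row.Role -eq 'PDC emulator') {
            # The command skipdogg gave, pointed at the upstream server.
            w32tm /config /computer:$($row.DC) /manualpeerlist:$UpstreamServer /syncfromflags:manual /reliable:yes /update
        } else {
            # Domain hierarchy (NT5DS): follow the PDC emulator.
            w32tm /config /computer:$($row.DC) /syncfromflags:domhier /update
        }
        w32tm /resync /computer:$($row.DC) /rediscover
    }
}
```

The report's OK column is the only thing to act on; if Type shows "(Policy)" for a DC the fix commands will be overwritten at the next policy refresh, so the GPO is what needs changing there.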
|
I want to setup RPC over HTTP (Outlook Anywhere) on our Exchange 2003 server. Can someone tell me what SSL cert I need to buy? What is the difference between a UC cert and an IIS cert, as seen here: http://www.entrust.net/microsoft/
|
# ? Nov 1, 2013 20:43 |
|
What are people using for web filtering and access logging? The two big requirements are of course to be able to block users from visiting sites by URL or category, and also to have the ability to see all of a user's web traffic for a time period. Boss was gone on Monday so you spent all day on coupon sites and playing poo poo on Pogo? You're in trouble! Right now we can do some very limited URL-based filtering through NOD32 (our AntiVirus solution) but the logging is non-existent since we have Endpoint Antivirus and not Endpoint Security. The latter would give us category-based rules and logging. We have a Checkpoint Firewall so we could buy the web filtering 'blade' for like $6,000 a year but I'd rather not give another dime to them.
|
# ? Nov 6, 2013 16:38 |
|
We use Sophos which is great for blocking users from sites, but if you want to see web traffic, it's not that robust. You can definitely drill down to see what pages users were going to but it doesn't distinguish between legit sites and ads. For instance, while researching an issue via Google, many of the sites I went to had Facebook ads. Now it looks like I've been browsing Facebook for hours on end and so forth.
|
# ? Nov 6, 2013 16:48 |
|
The big players (expensive) in the web filter market are BlueCoat, Websense and Cisco. We use Sophos web filters and I really like them. All of these options are probably too expensive for you. Barracuda makes a decent box, or you can roll your own. Untangle has a web filter I think, or you can always set up squid on a Linux box and install a blocking-database type program. Years ago I had to manage a squid+squidguard box and it worked well, but manually updating the block lists loving sucked rear end. Most of these filters are just managed Linux environments running squid and some other bits to log and report things.
|
# ? Nov 6, 2013 16:48 |
|
I set up squid a while back to see if we got any speed benefit out of it (we have dual T1s and 250 people so any speedup would be worth it) but only about 0.05% of requests actually went through the drat thing because of how the internet works now. But we also had some issues because we have internal websites that depend on what IP address the requests come from (yay ASP apps from 2003) among other things, so it was a little goofy. I've used Websense before, but what I like about ESET is that the filtering would be integrated with AV so there's one less program for computers to load up and run, and one less thing to administer.
|
# ? Nov 6, 2013 17:06 |
|
kiwid posted:
I want to setup RPC over HTTP (Outlook Anywhere) on our Exchange 2003 server. Can someone tell me what SSL cert I need to buy? What is the difference between a UC cert and an IIS cert, as seen here: http://www.entrust.net/microsoft/

If you're screwing around you can get a free cert from http://www.comodo.com/ that will last 60 days. That'll get you up and running and give you enough time to figure out what you're doing.

Edit - Assuming you are just securing the one server - eg mail.consoso.com, you probably just need the basic certificate. https://www.startssl.com will give you a suitable one for free. (dicky signup process but whatever)

Swink fucked around with this message at 04:05 on Nov 7, 2013 |
# ? Nov 7, 2013 03:56 |
|
Has anyone used Dell KACE System Deployment (K2000)? My company is going to have a requirement in the near future for several remote sites that will have no IT support, and we'll need the ability to image users' machines remotely and with as little user interaction as possible. I've been toying around with MDT 2012 and getting LiteTouch up and running is no problem. ZeroTouch has been a nightmare. If there are any other file-based imaging systems out there to check out, I am all ears.
|
# ? Nov 7, 2013 15:19 |
|
Bob Morales posted:
What are people using for web filtering and access logging?

A transparent web cache proxy would probably be nice, because there would be no configuration on the user's end. But our network crew scrapped ours 10ish years ago, so there are probably serious drawbacks.
|
# ? Nov 7, 2013 15:27 |
|
Sacred Cow posted:
Has anyone used Dell KACE System Deployment (K2000)?

You'd really want to stand up SCCM to do Zero Touch well; if you need the rest of the configuration tools provided it's probably worth looking into.
|
# ? Nov 7, 2013 20:16 |
|
Nebulis01 posted:
You'd really want to stand up SCCM to do Zero Touch well; if you need the rest of the configuration tools provided it's probably worth looking into.

Thanks, I didn't think of that. I've been banging my head against my desk with MDT so much I forgot SCCM has OS deployment. I feel really dumb now because if I remember correctly MDT and USMT were both prerequisites for installing SCCM 2012.
|
# ? Nov 7, 2013 21:27 |
|
Boss carted over a Proliant 320, our long-ago retired domain controller and said "install 2k8 R2 and harden it" went through the Security Configuration Wizard, unticked a few boxes... Now I'm kind of out of ideas. Boss tells me today that it is in fact going to be internet-facing which I was completely unaware of. What else can I do here? The machine is going to sit outside of our domain and store/manage video recordings from our new surveillance system. I've done a bit of googling looking for guidance, but I'm finding a lot of very sparse/zero detail "guides" which aren't all that helpful.
|
# ? Nov 8, 2013 02:11 |
|
Is there any chance of at least putting it behind a hardware firewall and running NAT? Windows (or anything really) directly sitting on a public IP makes me
|
# ? Nov 8, 2013 02:17 |
|
drukqs posted:
Boss carted over a Proliant 320, our long-ago retired domain controller and said "install 2k8 R2 and harden it"

There's an MS program I'm recalling that has a shitload of 'best practice' GPOs for specific OSs. You punch in "2008R2" and it spits out a GPO that you can review and import. I cannot for the life of me remember what it's called. Before all that you should ask if it actually needs to be internet facing. That's dumb.
|
# ? Nov 8, 2013 02:19 |
|
So it's actually going to be on a public IP and not just in a perimeter network? But even still, it doesn't need to be in a perimeter network.

Swink posted:
There's an MS program I'm recalling that has a shitload of 'best practice' GPOs for specific OSs. You punch in "2008R2" and it spits out a GPO that you can review and import. I cannot for the life of me remember what it's called.

If you remember what it's called, I'd love to look into it.
|
# ? Nov 8, 2013 02:35 |
|
kiwid posted:
If you remember what it's called, I'd love to look into it.

Probably not quite what he was referring to, but the Security Configuration Wizard does sort of the same thing.
|
# ? Nov 8, 2013 03:30 |
|
Microsoft Security Compliance Manager.

I still remember the instructions for turning a 2003 server into a "bastion host"; half the steps were "break IIS so it can't ever run".
|
# ? Nov 8, 2013 03:33 |
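For the "install 2k8 R2 and harden it" box, here is a read-only baseline check to run after SCW or the Security Compliance Manager baseline has been applied. It is an added example and not something from the thread or from Microsoft's tooling; it targets PowerShell 2.0 as shipped on 2008 R2 (so netsh and WMI rather than the newer NetSecurity cmdlets), and $ServicesToReview is a list I chose of services SCW commonly prompts about, not a thread-supplied list.

```powershell
# Added example, not from the thread. Baseline check for a standalone,
# internet-facing 2008 R2 host on PowerShell 2.0. It reports, changes nothing.
# $ServicesToReview is my own choice of services worth a second look.
$ServicesToReview = @('RemoteRegistry', 'Browser', 'Spooler', 'SNMP', 'TlntSvr')

# 1. Firewall. Off the domain, the NIC lands in the Public or Private profile,
#    never Domain, so every profile must be on with inbound blocked by default.
$current = ''
$fw = @{}
foreach ($line in (netsh advfirewall show allprofiles)) {
    if ($line -match '^(\w+) Profile Settings:') {
        $current = $matches[1]; $fw[$current] = @{}
    } elseif ($current -and $line -match '^(State|Firewall Policy)\s+(.+?)\s*$') {
        $fw[$current][$matches[1]] = $matches[2]
    }
}
"--- Firewall profiles ---"
foreach ($p in $fw.Keys) {
    $state  = $fw[$p]['State']
    $policy = $fw[$p]['Firewall Policy']
    $ok = ($state -eq 'ON') -and ($policy -like 'BlockInbound*')
    "{0,-8} State={1,-4} Policy={2,-28} {3}" -f $p, $state, $policy, $(if ($ok) { 'ok' } else { 'REVIEW' })
}

# 2. Listening TCP ports mapped to their process. On a box that only stores
#    camera footage, anything beyond the surveillance software and RDP needs
#    a reason to exist, and a matching inbound rule if it must be reachable.
"--- Listening TCP ports ---"
$procs = @{}
Get-Process | ForEach-Object { $procs[$_.Id] = $_.ProcessName }
netstat -ano -p TCP | ForEach-Object {
    $f = $_.Trim() -split '\s+'
    if ($f.Length -ge 5 -and $f[0] -eq 'TCP' -and $f[3] -eq 'LISTENING') {
        $owner = [int]$f[4]
        "{0,-24} pid {1,-6} {2}" -f $f[1], $owner, $procs[$owner]
    }
}

# 3. Auto-start services. WMI, because Get-Service has no StartMode in PS 2.0.
#    SCW asks about most of the flagged ones; disable what the role doesn't use.
"--- Automatic services ---"
Get-WmiObject Win32_Service -Filter "StartMode='Auto'" | Sort-Object Name | ForEach-Object {
    $flag = if ($ServicesToReview -contains $_.Name) { 'REVIEW' } else { '' }
    "{0,-30} {1,-8} {2}" -f $_.Name, $_.State, $flag
}

# After changes, re-check the host against the saved SCW policy (assumed
# syntax, run by hand): scwcmd analyze /p:<policy.xml> /m:<hostname>
```

Anything marked REVIEW is a question for the boss, not an automatic fix: a firewall profile that is not ON or a listener with no business purpose is what the earlier replies about NAT and a perimeter network are really about.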
|
We had scripts to adjust NIC link speeds in our environment while using XP, mostly for optimizing remote connections. The guy in charge of the script insists that it's still necessary in Windows 7 (he insists that everything he does is necessary even when it's clearly been replaced). Anyone have any experience with needing to set manual link speeds in Windows 7? We're doubtful that it's still necessary, as we haven't updated the script to account for new hardware in two years, and have heard no complaints.
|
# ? Nov 8, 2013 07:06 |
|
It sounds like a thing that would only be necessary if you had ancient switches or damaged cabling. I've no idea how dicking with link speeds helps remote connections.
|
# ? Nov 8, 2013 12:39 |
|
Does anyone know of a KVM over Ethernet type deal that's decent and under $100? Bonus points if you can use it to control the power switch on a machine. I have a bunch of servers in disparate locations I'd like "cold boot" access to, rather than having to drive out when something strange happens. Just wondering if it's possible in that price range, or if the only options are the $300ish units I'm seeing.
|
# ? Nov 8, 2013 17:47 |
|
I've never seen anything in that price range
|
# ? Nov 8, 2013 18:01 |
|
|
Same here. Never seen anything that cheap. I explored an IOGear unit once for a remote office and that was still around 200 bucks and had iffy reviews. Power control is going to be even more expensive.
|
# ? Nov 8, 2013 18:28 |