thebigcow
Jan 3, 2001

Bully!
slowly replace them with things that have some kind of ipmi


drukqs
Oct 15, 2010

wank wank you're a pro vaper I'm not wooptiedoo...

hihifellow posted:

Microsoft Security Compliance Manager

I still remember the instructions for turning a 2003 server into a "bastion host", half the steps were "break IIS so it can't ever run".

I'll give this a try, thank you very much!

Swink posted:

There's a MS program I'm recalling that has a shitload of 'best practice' GPOs for specific OSs. You punch in "2008R2" and it spits out a GPO that you can review and import. I cannot for the life of me remember what its called.

Before all that you should ask if it actually needs to be internet facing. That's dumb.

He says a firewall would be "one more thing we have to overcome during setup" but yeah especially trusting me, a relative n00b to secure a web-facing machine is a little haphazard.

I'll tell him it needs to be behind the firewall.

mindphlux
Jan 8, 2004

by R. Guyovich

Docjowles posted:

I've never seen anything in that price range :(

skipdogg posted:

Same here. Never seen anything that cheap. I explored an IOGear unit once for a remote office and that was still around 200 bucks and had iffy reviews. Power control is going to be even more expensive.

argh. :( not the answer I was hoping for. it seems like something a raspberry pi could handle with aplomb. maybe I'll try to hack something together, but I really wish there was something out there...

SopWATh
Jun 1, 2000
This is probably more networking related, but I don't know if it's some sort of best practices or maybe worst practices or something else.

At work, we've got a Windows Server 2008 r2 server handling DHCP. We have a group of address pools at each building, so it's 10.90.0.0/16 at building A, 10.110.0.0/16 at building B and so on. Since access points get statically assigned X.X.20.0 addresses, copiers X.X.40.0, switches X.X.10.0, and desktops get dynamically assigned X.X.30.0 addresses, the address pool is restricted to X.X.30.1 to X.X.35.254...

There's a group of addresses in the reserved pool, 10.90.30.255, 10.90.31.255, 10.90.32.255 and so on. This rule is the same for each building, 10.110.30.255, 10.110.31.255, and so on.

With a subnet of 255.255.0.0, the broadcast address should simply be X.X.255.255 right? Why are the X.X.X.255 all reserved? I saw this at my last job too, but it doesn't make sense if it's meant to reserve broadcast addresses. Is this just common practice or is there something else that I'm missing here? Is this network related or something else to do with Windows Server DHCP?

Demie
Apr 2, 2004

mindphlux posted:

Does anyone know of a KVM over Ethernet type deal that's decent and under $100? Bonus points if you can use it to control the power switch on a machine.

I have a bunch of servers in disparate locations I'd like "cold boot" access to, rather than have to drive out when something strange happens. Just wondering if it's possible in that price range, or if the only option are the $300ish units I'm seeing.

Definitely see if you can install management/IPMI modules into the servers, like ILO on HP servers for example. I have only messed with ILO, but that can do remote cold boots on a server that's totally hosed and not even talking to the network. It also has a remote console in a browser, but you have to pay extra to license that kind of feature. Without the extra license, I can still check failed hard drives, memory modules and PSUs when a remote server crashes.

I have no idea if that would fit your price range, but they'll probably be cheaper than an enterprise KVM, which are stupidly expensive. That being said, I did find a $800 KVM new in the box for $100 from a surpluser on eBay.

Swink
Apr 18, 2006
Left Side <--- Many Whelps
Can someone describe a scenario where I would use RemoteApp or RemoteApp via Web Gateway.

Currently we have remote users log into a full Remote Desktop session where they have access to all our applications. For what reason would I need to deliver a single specific application?

(I have a feeling RemoteApp solves a problem that my company doesn't have, but I'm interested in it)

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

We used RemoteApp for some of our remote users because they hated having to do more than like 2 steps. So the two steps would be - 1. Connect to VPN, and 2. Launch RemoteApp. That eliminated the need to RDP to the terminal server.

Thanks Ants
May 21, 2004

#essereFerrari


Swink posted:

Can someone describe a scenario where I would use RemoteApp or RemoteApp via Web Gateway.

Currently we have remote users log into a full Remote Desktop session where they have access to all our applications. For what reason would I need to deliver a single specific application?

(I have a feeling RemoteApp solves a problem that my company doesn't have, but I'm interested in it)

A not poo poo version of Outlook for Mac users without having to gently caress around with a full desktop.

mindphlux
Jan 8, 2004

by R. Guyovich

Demie posted:

Definitely see if you can install management/IPMI modules into the servers, like ILO on HP servers for example. I have only messed with ILO, but that can do remote cold boots on a server that's totally hosed and not even talking to the network. It also has a remote console in a browser, but you have to pay extra to license that kind of feature. Without the extra license, I can still check failed hard drives, memory modules and PSUs when a remote server crashes.

I have no idea if that would fit your price range, but they'll probably be cheaper than an enterprise KVM, which are stupidly expensive. That being said, I did find a $800 KVM new in the box for $100 from a surpluser on eBay.

Thanks everyone, I'd only ever heard of IPMI stuff in the context of enterprise networks - I'll definitely look into this though.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)
I feel like a real loving dope.

Can anyone help me with this/tell me if it's possible.

I want to use our internal Windows DNS server to point one of our external domain names to an internal IP. The domain name is separate from our windows domain. Is this even possible?

wyoak
Feb 14, 2005

a glass case of emotion

Fallen Rib

LmaoTheKid posted:

I feel like a real loving dope.

Can anyone help me with this/tell me if it's possible.

I want to use our internal Windows DNS server to point one of our external domain names to an internal IP. The domain name is separate from our windows domain. Is this even possible?

Yeah, just create a zone for the domain on your internal DNS server. You'll have to have entries for everything in the zone though (so if you only want to redirect internal.company.com, you'll also need to create records for www.company.com and etc.company.com that point to the external addresses). It's a split DNS setup.

If you only need to do one record, you could also create a zone just for that record (so you'd create a zone for internal.company.com), and set the A record for the zone to your internal address.

wyoak fucked around with this message at 23:54 on Nov 11, 2013
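Both split-DNS variants from the post above, written out as an added example (not wyoak's code) using the DnsServer PowerShell module that ships with Windows Server 2012 and later / RSAT; all zone names and addresses are placeholders.

```powershell
# Added example: the two split-DNS variants described in the post.
# Assumes the DnsServer module (Server 2012+ or RSAT) and an AD-integrated server.
# Names and addresses are placeholders, not values from the thread.
$InternalHost = 'internal.company.com'   # the one name that should resolve internally
$InternalIp   = '10.1.2.3'               # assumed internal address
$PublicZone   = 'company.com'
$PublicIp     = '203.0.113.10'           # assumed public address (TEST-NET-3 range)

# Variant 1: a zone for the single host name only. The zone apex ('@') A record
# carries the internal address; every other name under company.com keeps
# resolving through normal recursion, so nothing else has to be maintained.
function New-SplitDnsHostZone {
    param([string]$Name, [string]$IPv4Address)
    if (-not (Get-DnsServerZone -Name $Name -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $Name -ReplicationScope Domain
    }
    Add-DnsServerResourceRecordA -ZoneName $Name -Name '@' -IPv4Address $IPv4Address
}

# Variant 2: a zone for the whole external domain. Internal clients will now
# only see what is in this zone, so every public name they still need (www
# and the rest) must be recreated here or it silently stops resolving.
function New-SplitDnsDomainZone {
    param([string]$Zone, [hashtable]$Records)   # record name -> IPv4 address
    if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope Domain
    }
    foreach ($name in $Records.Keys) {
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $name -IPv4Address $Records[$name]
    }
}

New-SplitDnsHostZone -Name $InternalHost -IPv4Address $InternalIp
# Whole-domain variant instead (note the extra public records it forces you to carry):
# New-SplitDnsDomainZone -Zone $PublicZone -Records @{
#     'internal' = $InternalIp; 'www' = $PublicIp; 'etc' = $PublicIp }

# Check both the redirected name and an untouched public name from a domain client:
# the second one must still answer, otherwise you chose variant 2 and forgot a record.
Resolve-DnsName -Name $InternalHost -Type A
Resolve-DnsName -Name "www.$PublicZone" -Type A
```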

Thanks Ants
May 21, 2004

#essereFerrari


Don't forget to add a record for www if required.

j3rkstore
Jan 28, 2009

L'esprit d'escalier

wyoak posted:

If you only need to do one record, you could also create a zone just for that record (so you'd create a zone for internal.company.com), and set the A record for the zone to your internal address.

I've done this, it works like a champ and you don't have to waste your time keeping the rest of the zone up to date.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Has anyone done a domain migration before? We're acquiring another company and have been informed the timeline to fully integrate them with our company is going to be very aggressive. I basically have about 6 weeks to plan and execute a migration for 450 users into our existing company of 3300 users. I have and can get appropriate funding for tools and consultants.

I know ADMT is free, but I'm not sure if our already busy team has time to get to know the product well enough to pull this off.

mindphlux
Jan 8, 2004

by R. Guyovich

skipdogg posted:

Has anyone done a domain migration before? We're acquiring another company and have been informed the timeline to fully integrate them with our company is going to be very aggressive. I basically have about 6 weeks to plan and execute a migration for 450 users into our existing company of 3300 users. I have and can get appropriate funding for tools and consultants.

I know ADMT is free, but I'm not sure if our already busy team has time to get to know the product well enough to pull this off.

I have, on my own, for just 15 users, and it was a loving royal pain in the rear end. some DNS stuff still is wacky. Especially tricky if you're dealing with different versions of windows server (I was merging a 2003 domain with a 2008)

If you haven't done it before and have funding for a consultant, find one with the cred to help you not make first-timer mistakes. and start your search soon, 6 weeks is really quick.

Maneki Neko
Oct 27, 2000

skipdogg posted:

Has anyone done a domain migration before? We're acquiring another company and have been informed the timeline to fully integrate them with our company is going to be very aggressive. I basically have about 6 weeks to plan and execute a migration for 450 users into our existing company of 3300 users. I have and can get appropriate funding for tools and consultants.

I know ADMT is free, but I'm not sure if our already busy team has time to get to know the product well enough to pull this off.

I've done a ton of them over the years, but if you have no free time it's going to suck, as you're going to need some time to plan, test and get familiar with the tools that will work the best in your environment. Bringing in someone can't hurt.

Swink
Apr 18, 2006
Left Side <--- Many Whelps
Post your experience! We're acquiring 50 peeps next year and I don't have consultant money.

Jadus
Sep 11, 2003

skipdogg posted:

Has anyone done a domain migration before? We're acquiring another company and have been informed the timeline to fully integrate them with our company is going to be very aggressive. I basically have about 6 weeks to plan and execute a migration for 450 users into our existing company of 3300 users. I have and can get appropriate funding for tools and consultants.

I know ADMT is free, but I'm not sure if our already busy team has time to get to know the product well enough to pull this off.

My company was just acquired. We were 500 staff joining an international company of 2500. We were very aggressive as well, with the actual acquisition occurring on September 3rd and our migration kick-off happening October 18th.

I would say that if you have dedicated IT staff who can make time available, the actual user/workstation migration isn't too complicated. First actionable step would be creating a domain trust. Then you'll want to use ADMT for sure, and so begin reading the admin guide for it right away. I had successful tests up and running with about 4 hours of reading and prep.

With ADMT you can migrate users and groups to the new domain (with SID History being populated so that permissions don't need to change), do security translation on the workstations (so that the new domain users can sign into the exact same Windows profiles) and then a computer account migration which will auto-join the workstation to the new domain and reboot it.

Make sure you test extensively so that you know what may break for your new domain accounts accessing existing resources.

We had a lot of additional steps since we were replacing 80 workstations, had to update our WDS images with a lot of custom software, and were migrating all our users to Office 365 at the same time.

We still haven't (and probably won't) migrate server-side resources because with the domain trust there isn't much reason to. I'd be happy to answer any specific questions.
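One of the checks the "test extensively" step above calls for, as an added example (not Jadus's or ADMT's code): after an ADMT user migration, confirm that every target account actually carries a sidHistory entry from the source domain, and flag any sidHistory value that does not come from it. It assumes the ActiveDirectory RSAT module, the domain trust already in place, and placeholder domain names.

```powershell
# Added example: post-ADMT verification that SID History was populated.
# Assumes: ActiveDirectory module, a trust so both domains are readable,
# and that ADMT has already run. Domain names and OU are placeholders.
function Test-SidHistoryMigration {
    param(
        [Parameter(Mandatory)][string]$SourceDomain,   # e.g. 'acquired.example'
        [Parameter(Mandatory)][string]$TargetDomain,   # e.g. 'corp.example'
        [string]$TargetSearchBase                      # OU that ADMT migrated into
    )
    # Every SID issued by the source domain starts with its domain SID.
    $sourceSid = (Get-ADDomain -Server $SourceDomain).DomainSID.Value

    $query = @{ Server = $TargetDomain; Filter = '*'; Properties = 'sidHistory' }
    if ($TargetSearchBase) { $query.SearchBase = $TargetSearchBase }

    foreach ($user in Get-ADUser @query) {
        $history = @($user.sidHistory | ForEach-Object { $_.Value })
        $fromSource = @($history | Where-Object { $_ -like "$sourceSid-*" })
        $foreign    = @($history | Where-Object { $_ -notlike "$sourceSid-*" })
        [pscustomobject]@{
            SamAccountName  = $user.SamAccountName
            HasSourceSid    = ($fromSource.Count -gt 0)   # false: old ACLs will not honour this account
            SidHistoryCount = $history.Count
            ForeignSids     = ($foreign -join ';')        # anything here needs an explanation
        }
    }
}

# Accounts still missing a source SID (old permissions will fail for them) ...
Test-SidHistoryMigration -SourceDomain 'acquired.example' -TargetDomain 'corp.example' `
    -TargetSearchBase 'OU=Migrated,DC=corp,DC=example' |
    Where-Object { -not $_.HasSourceSid } | Format-Table -AutoSize

# ... and accounts carrying SIDs from a domain other than the one you migrated from,
# which should never appear as a side effect of a planned migration.
Test-SidHistoryMigration -SourceDomain 'acquired.example' -TargetDomain 'corp.example' |
    Where-Object { $_.ForeignSids } | Format-Table -AutoSize
```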

Hypnobeard
Sep 15, 2004

Obey the Beard



Not sure if this is the right thread for this, but hopefully it's close enough.

Can anyone recommend some resources for managing and optimizing Citrix? XenApp 6.5 and XenDesktop 5.5, if it matters. They're starting to push hard for VDI here and while we've got something running, it's dog-slow and prone to crapping out when the wind gusts.

incoherent
Apr 24, 2004

The VM thread would help, though many people here mingle in the same threads.

Hypnobeard
Sep 15, 2004

Obey the Beard



incoherent posted:

The VM thread would help, though many people here mingle in the same threads.

I'll cross-post over there, then. Thanks!

CLAM DOWN
Feb 13, 2007




On Server 2008 R2 FSRM, under Share and Storage Management when I list shares, what would cause a normal file share to appear under the section for "SMB shared folder (partial)"? The only other entry in this section is IPC$. Nothing is different about this share from the other shares on this system, and every other share is in the other section labelled "SMB shared folder".

geera
May 20, 2003
We're looking at dropping Trend AV for something new and better next year. I've talked to ESET about Endpoint AV, and one of my contractors suggested Sophos. Does anyone have any feedback on either of those products in a corporate environment? We would need to manage about 200-225 PCs.

Is there anything else we should be considering in addition? I'm not really sure what the gold standard in corporate AV is these days since we've been running Trend for the last hundred years or so.

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)

geera posted:

We're looking at dropping Trend AV for something new and better next year. I've talked to ESET about Endpoint AV, and one of my contractors suggested Sophos. Does anyone have any feedback on either of those products in a corporate environment? We would need to manage about 200-225 PCs.

Is there anything else we should be considering in addition? I'm not really sure what the gold standard in corporate AV is these days since we've been running Trend for the last hundred years or so.

I switched us from Symantec to ESET years ago and haven't looked back. Deployment is easy as long as you completely remove your previous AV software from workstations (you can use either their mechanism in the management server or AD deployment). Aside from the occasional obfuscated javascript causing the software to get mad it's been great.

Just make sure you get your exceptions in there right away.

Thanks Ants
May 21, 2004

#essereFerrari


Is Forefront or whatever it's called now still essentially free if you have the right sort of Volume License and System Center?

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

I really like Sophos for a corporate environment. We use it and it does its job.

kiwid
Sep 30, 2013

We still use Trend unfortunately and I hate it. A friend of mine who works in government uses Sophos and he swears by it. Says it is amazing, works great and easy to manage. One day I'll convince my boss to make the switch.

incoherent
Apr 24, 2004

We got Sophos, easy and simple to deploy. Patrols AD for new machines and auto installs. They'll give a hell of a deal near end of month so prepare to buy then.

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from
We also run Sophos in our environment, someone else has been doing the management so I haven't been in the console much but it works well and hasn't been as big of a resource drain as our previous AV, McAfee. It can be a little difficult to pull off of a machine if you're sitting in front of it but I can see why and it's probably easier at the console.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

We have Sophos AV, the email appliance and web appliance. All work very well. We recently switched from Sophos to Microsoft AV since it comes free with System Center, but I have no complaints about Sophos. Very easy to admin and push out.

Removing Sophos can't be done via admin console. There is a bitch of a batch file you need to setup to remove the software. I had to do it for ~250 machines.

GanjamonII
Mar 24, 2001

skipdogg posted:

Has anyone done a domain migration before?

I have a similar question here. I want to preface this with saying I don't have any experience in this area and am learning all this on the fly so I realize my questions may be ignorant on this and I am very grateful for any feedback anyone is willing to give.
I've never had to deal with anything like this before (the only place I've set up/managed AD is in my now deceased old home lab), but I will be working with actual server/AD admins and network engineers. I want to read up on this before we get any further to make sure I understand the situation properly and don't look too dumb.

Company A acquired an asset from Company B, which is a separate site currently part of B's WAN relying on B's enterprise infrastructure (AD, exchange etc). It includes about 300 workstations, maybe 30 servers and a couple NAS units serving file shares. The way the migration is structured the networks of A and B companies are NOT going to be joined at all, no trusts set up between domains etc. I didn't have any input in this unfortunately.

We need to migrate all the users, most of the servers and data from B into company A. They are assuming the physical site, and basically disconnecting it from the current owner's (B) WAN and plugging it into their own. There will be a cut over weekend in the future, at which point they will have waiting domain controllers, exchange etc. Domain controllers for B at the site will be decommissioned. All the users, groups and so on will be recreated (the client's direction not mine) prior to the cut over so that we can use them to apply security, replace service accounts etc. Edit - this is going to be 'cleaned up' at the same time since there will be some changes in org structure etc.

At a very high level the way I understand it we will need to:
Prep steps:
- Recreate all the user accounts, groups etc in the new domain. Told that someone has already defined what needs to happen here, though I haven't seen it yet.
- Migrate as much data and as many applications over to the new owner's network as possible to cut down on work on the cut over weekend.

Migration Steps
- Prior to cutting over the network remove all the servers from their current domain
- Cut over the network to the new owners network.
- Add the servers to the new domain.
- for each server have to manually add it to the domain,
- make sure all the new user accounts are added to the admin group,
- All the file system permissions are updated to reference the new domain groups
- Service accounts that are not local system updated to the appropriate new domain account.

Each application will need a deeper inspection to make sure that such a move is supported and so on.

For the most part it seems like most server data / apps is local service accounts and local users group on the server, so this should not require changing right?
There is also file shares which will need the security totally redone. This should be a matter of removing the old groups and referencing the new groups right?

I am not involved as much in the desktop side of it luckily.

Is this totally off?

GanjamonII fucked around with this message at 18:10 on Dec 3, 2013

geera
May 20, 2003
Thanks for all the Sophos feedback, I'm glad to hear it's not horrible.

some kinda jackal
Feb 25, 2003

 
 
Maybe I'm missing something, but is there no way to install the WSUS 3.0 API on a Windows 8.1 client? I want to generate a few custom reports on my (8.1) laptop by pointing to our WSUS server, but I can't run the WSUS installer due to "compatibility issues". Should I be downloading something altogether different to just access the API?

I'm kind of new to the whole WSUS API thing so maybe I'm just doing something wrong. I dunno.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

Caged posted:

Is Forefront or whatever it's called now still essentially free if you have the right sort of Volume License and System Center?

It's confusingly called Endpoint Protection now, but yeah, since you can't get System Center parts piecemeal, if you've got one you've got 'em all.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

GanjamonII posted:

I have a similar question here. I want to preface this with saying I don't have any experience in this area and am learning all this on the fly so I realize my questions may be ignorant on this and I am very grateful for any feedback anyone is willing to give.
I've never had to deal with anything like this before (the only place I've set up/managed AD is in my now deceased old home lab), but I will be working with actual server/AD admins and network engineers. I want to read up on this before we get any further to make sure I understand the situation properly and don't look too dumb.

Company A acquired an asset from Company B, which is a separate site currently part of B's WAN relying on B's enterprise infrastructure (AD, exchange etc). It includes about 300 workstations, maybe 30 servers and a couple NAS units serving file shares. The way the migration is structured the networks of A and B companies are NOT going to be joined at all, no trusts set up between domains etc. I didn't have any input in this unfortunately.

We need to migrate all the users, most of the servers and data from B into company A. They are assuming the physical site, and basically disconnecting it from the current owner's (B) WAN and plugging it into their own. There will be a cut over weekend in the future, at which point they will have waiting domain controllers, exchange etc. Domain controllers for B at the site will be decommissioned. All the users, groups and so on will be recreated (the client's direction not mine) prior to the cut over so that we can use them to apply security, replace service accounts etc. Edit - this is going to be 'cleaned up' at the same time since there will be some changes in org structure etc.

At a very high level the way I understand it we will need to:
Prep steps:
- Recreate all the user accounts, groups etc in the new domain. Told that someone has already defined what needs to happen here, though I haven't seen it yet.
- Migrate as much data and as many applications over to the new owner's network as possible to cut down on work on the cut over weekend.

Migration Steps
- Prior to cutting over the network remove all the servers from their current domain
- Cut over the network to the new owners network.
- Add the servers to the new domain.
- for each server have to manually add it to the domain,
- make sure all the new user accounts are added to the admin group,
- All the file system permissions are updated to reference the new domain groups
- Service accounts that are not local system updated to the appropriate new domain account.

Each application will need a deeper inspection to make sure that such a move is supported and so on.

For the most part it seems like most server data / apps is local service accounts and local users group on the server, so this should not require changing right?
There is also file shares which will need the security totally redone. This should be a matter of removing the old groups and referencing the new groups right?

I am not involved as much in the desktop side of it luckily.

Is this totally off?

This sounds like a loving nightmare and is probably going to take longer than a weekend. How many users?

The no trust thing is really going to gently caress you as it takes away your easiest migration path. I'm going to guess you have no budget for software either right?

A bunch of this could be scripted, but I somehow doubt you have the time to even write and test the scripts.

alanthecat
Dec 19, 2005

FISHMANPET posted:

It's confusingly called Endpoint Protection now, but yeah, since you can't get System Center parts piecemeal, if you've got one you've got 'em all.

For regular old Forefront Client Security, you didn't have to be using System Centre to deploy it. We have the licence but I just used Group Policy to deploy. I think I tried, unsuccessfully, with MOM too.

GanjamonII
Mar 24, 2001

skipdogg posted:

This sounds like a loving nightmare and is probably going to take longer than a weekend. How many users?

The no trust thing is really going to gently caress you as it takes away your easiest migration path. I'm going to guess you have no budget for software either right?

A bunch of this could be scripted, but I somehow doubt you have the time to even write and test the scripts.

Well the users don't all have to be cut over during the weekend luckily. Key users will get a new laptop on the new domain on day one and their current machines will get rebuilt and handed to others.

If there is some particular software we can use that would be helpful.. the issue is that we don't manage AD for the old owners and their approval processes for getting permission to get data like this is ridiculously long and complicated. I'm not even sure they would accept that request.

GanjamonII
Mar 24, 2001
Is there some tool I can run that will give me all the membership of the local admin, remote desktop users, users? Specifically I need to identify any domain users/groups..

kiwid
Sep 30, 2013

GanjamonII posted:

Is there some tool I can run that will give me all the membership of the local admin, remote desktop users, users? Specifically I need to identify any domain users/groups..

This? http://www.quest.com/powershell/activeroles-server.aspx
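Without a third-party tool, the inventory GanjamonII asks for can be pulled with the built-in WinNT ADSI provider, which works against Server 2003/2008-era machines as well. This is an added example (not the Quest product and not code from the thread); it assumes admin rights on the target servers, a list of server names, and that the WinNT provider reports domain members as `WinNT://DOMAIN/name` and local members as `WinNT://DOMAIN/COMPUTER/name`.

```powershell
# Added example: list Administrators / Remote Desktop Users / Users membership
# on a set of servers and mark which members are domain principals, i.e. the
# ones that will break when the servers leave the old domain.
function Get-LocalGroupDomainMembers {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string[]]$GroupName = @('Administrators', 'Remote Desktop Users', 'Users')
    )
    foreach ($computer in $ComputerName) {
        $netbios = $computer.Split('.')[0]   # WinNT paths use the short name
        foreach ($group in $GroupName) {
            try {
                $grp     = [ADSI]"WinNT://$computer/$group,group"
                $members = @($grp.Invoke('Members'))
            } catch {
                Write-Warning "Cannot read '$group' on ${computer}: $($_.Exception.Message)"
                continue
            }
            foreach ($m in $members) {
                # Members come back as raw COM objects; read properties via reflection.
                $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
                $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
                $parts = ($path -replace '^WinNT://', '') -split '/'
                # Assumed provider behaviour: DOMAIN/name (2 parts) is a domain principal,
                # DOMAIN/COMPUTER/name (3 parts) is a local account. Well-known pseudo
                # domains such as NT AUTHORITY and BUILTIN are local either way.
                $isDomain = ($parts.Count -eq 2) -and
                            ($parts[0] -ne $netbios) -and
                            ($parts[0] -notin @('NT AUTHORITY', 'BUILTIN', 'NT SERVICE'))
                [pscustomobject]@{
                    Computer          = $computer
                    Group             = $group
                    Member            = ($parts[-2..-1] -join '\')
                    Class             = $class          # User or Group
                    IsDomainPrincipal = $isDomain
                }
            }
        }
    }
}

# servers.txt is a constructed input: one server name per line.
$report = Get-LocalGroupDomainMembers -ComputerName (Get-Content .\servers.txt)
$report | Export-Csv .\local-group-members.csv -NoTypeInformation

# The list that matters for the cutover: every domain user/group granted local rights.
$report | Where-Object IsDomainPrincipal | Sort-Object Computer, Group | Format-Table -AutoSize
```

Run it from an account that is a local administrator on each server, before the servers are removed from the old domain; afterwards the domain names in these groups can no longer be resolved.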


lol internet.
Sep 4, 2007
the internet makes you stupid
Started a new job last week, first thing is to re-implement SCCM 2012.

Just curious, how much has the software updating portion change from 2007? When I setup and tested in 2007, we concluded at the time, there was too much administrative overhead and just stuck with WSUS since there was a set and forget option. I heard this is the case for 2012 as well.
