|
Docjowles posted:Sure, it's nice to get less email. But if that one email is "THE PRIMARY FILE SERVER HAS 50KB OF FREE SPACE " you're going to be wishing you got notified at 20%. We have something like 30:1 utilization of VM CPU to physical CPU; pretty much everything gets its own server with its own 10GB D: drive (of which usually 2-3 GB are used), that's about 200 servers worth; the primary file server is a whole different beast with its own set of monitoring notes and email alerts. On a regular VM, if your utilization goes above 30% something is horribly wrong and you probably need a share set up on the primary file server, which loops back to 1) your file management plan is terrible. Every setup is different, this is just the mess that I inherited. FISHMANPET posted:poo poo like that makes me feel like I'm jumping into a bottomless hole every time I start thinking about setting up our monitoring system. Like, yeah, I can configure the checks just fine, but like, man, what is monitoring, man. We recently absorbed the group that does the monitoring for our server farm. SCOM is an awesome tool, but if you let morons manage it, it ends up as this red-headed stepchild that shoots out a bunch of emails screaming about how all the servers are on fire 24/7, and eventually people set their email filters to circular-file anything that comes from scomalerts@corp.com. I am this close >.< to torching the entire SCOM configuration and re-configuring the whole thing from the ground up. Doing SCOM properly is a daunting task and the fact that Microsoft publishes a literal "survival guide" doesn't help much
|
# ? Jun 17, 2014 09:43 |
|
|
Hadlock posted:Doing SCOM properly is a daunting task and the fact that Microsoft publishes a literal "survival guide" doesn't help much It's all about going slow. Import 1 MP at a time and get it configured and tuned (no, the product groups have no frigging clue what works in reality). THEN think about which one to tackle first. Don't disable it if you don't have to. I have a 3-bucket approach to tuning. Bucket 1: Oh poo poo, fix it now! Bucket 2: I don't care and never will (Defrag alerts, anyone?) Bucket 3: Wow, we should probably fix that eventually, but not until things aren't on fire. The Bucket 3 MP gets deleted 3-6 months after the initial tuning effort.
|
# ? Jun 18, 2014 01:45 |
|
^ I will take another look at this, thanks! We had a product demo for some software called Guard Rail, it sort of scans the servers to make sure they have the right configurations, etc and builds you a DSC file. they sent me some more details on how to integrate our CMDB with their software. Well this was new to me, turns out there are a lot of CMDB products out there, Configuration Manager Data Base; Chef and Puppet Labs seem to be two top contenders. Can anyone suggest anything in this vein? Drift configuration etc? Guard Rail looks to be more of our speed; it's designed more for a tool for a small group of people to use; Chef on the other hand seems like the whole kit and kaboodle for software development, package management and deployment as well as some desired state configuration tacked on the side for good measure. I think Chef is what we ultimately want but we would have to sell the entire, rather large, IT department on it and integrate it with a lot of our tools; and that's outside of the scope of our project.
|
# ? Jun 18, 2014 02:09 |
|
Anyone have any suggestions for an automated user backup solution? I'm aiming to back up a user's C:\users files and create a folder on a network share and move them that way. I guess I'd also have it scan for any .pst files and back those up. I was thinking User State Migration Tool but that doesn't copy files if my memory is correct. Am I looking at a powershell script here?
|
# ? Jun 18, 2014 14:01 |
|
Folder redirections?
|
# ? Jun 18, 2014 17:03 |
|
Gyshall posted:Folder redirections? No. I'm an idiot, USMT does back up the C:\users profile by default and you can specify and exclude additional folders. Looks like I can just write a powershell script to run this and back up to a network share.
|
# ? Jun 18, 2014 17:16 |
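An added example of what that PowerShell wrapper around USMT can look like; this is not code from the thread. It assumes USMT lives under C:\USMT\amd64, that the store share is \\fileserver\usmt$, and that a key file for ScanState's /encrypt option exists at C:\USMT\store.key (all three are assumptions). The store will contain the user's documents and any .pst files, so the example refuses to run unencrypted, and the share itself should be ACL'd so one user's store is not readable by another. The /ue:*\* plus /ui:DOMAIN\user pair captures just the requested account, because /ui takes precedence over /ue.

```powershell
# Added example: capture one user's profile with USMT ScanState into an encrypted store on a share.
# Paths, share and key file are assumptions. Run elevated on the machine being backed up.
param(
    [Parameter(Mandatory=$true)][string]$User,          # DOMAIN\username to capture
    [string]$UsmtPath  = 'C:\USMT\amd64',
    [string]$StoreRoot = '\\fileserver\usmt$',
    [string]$KeyFile   = 'C:\USMT\store.key'            # readable by the deployment account only
)

$scanState = Join-Path $UsmtPath 'scanstate.exe'
if (-not (Test-Path $scanState)) { throw "scanstate.exe not found in $UsmtPath" }
if (-not (Test-Path $KeyFile))   { throw "key file $KeyFile missing; refusing to write an unencrypted store" }

# One store per computer/user/day, e.g. \\fileserver\usmt$\PC0042_CORP_jdoe_20140618
$store = Join-Path $StoreRoot ('{0}_{1}_{2}' -f $env:COMPUTERNAME, ($User -replace '\\', '_'), (Get-Date -Format yyyyMMdd))
New-Item -ItemType Directory -Path $store -Force | Out-Null
$log = Join-Path $store 'scanstate.log'

# MigUser.xml covers the profile folders (which is where .pst files usually sit); .pst files stored
# elsewhere need a custom migration XML added with another /i: switch.
$scanArgs = @(
    $store,
    "/i:$UsmtPath\MigUser.xml",
    "/i:$UsmtPath\MigApp.xml",
    '/ue:*\*',                 # exclude every account ...
    "/ui:$User",               # ... except this one (/ui wins over /ue)
    '/uel:90',                 # and skip profiles not used in 90 days anyway
    '/efs:copyraw',            # keep EFS-encrypted files encrypted instead of failing on them
    '/encrypt', "/keyfile:$KeyFile",
    '/o', '/c',                # overwrite an existing store; continue past non-fatal errors
    '/v:5', "/l:$log"
)

& $scanState @scanArgs
if ($LASTEXITCODE -ne 0) { throw "ScanState failed with exit code $LASTEXITCODE; see $log" }
"Store written to $store"
```

Restoring later is the mirror image with loadstate.exe, the same /decrypt and /keyfile options, and the same store path. Paths in the example contain no spaces; if yours do, let PowerShell quote them rather than embedding quotes in the argument strings.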
|
I'm curious if anyone else is having this issue: If I set up a computer from scratch (either using a DVD or Flash drive to install Windows 7), the policy "Microsoft Network Client: Digitally Sign Communications (always)" is set to disabled (this appears to be the default). However, if I deploy using MDT/WDS for some reason it's set to enabled. I've not seen anywhere in MDT where that setting can be changed, so I'm not sure why it's deciding to enable that. I'd like to see if there is a way I can either keep MDT from enabling that or if I can run a script after deployment to disable it. I've been Googling and all of the solutions I've found online keep showing how to disable it through the GUI. With as much as MS is pushing Powershell, I would think that they would be showing how to do it that way instead (or at least, in addition to). Any ideas?
|
# ? Jun 18, 2014 18:05 |
|
Try manipulating the registry key directly with a script. I'm on my phone right now but this might get you headed in the right direction http://social.technet.microsoft.com...w7itprosecurity
|
# ? Jun 18, 2014 18:13 |
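An added example (not from the thread) of doing the registry manipulation suggested above in PowerShell. The policy "Microsoft network client: Digitally sign communications (always)" is the REG_DWORD RequireSecuritySignature under HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters (1 = Enabled); the "(if server agrees)" variant is EnableSecuritySignature next to it, and the server-side pair lives under LanmanServer\Parameters. One caveat a practitioner should weigh before scripting the Disabled state: a client that requires signing refuses SMB sessions that an attacker on the path has stripped of signing, so Enabled is the hardened setting and Disabled is only a compatibility concession for devices that cannot sign. The example reads both roles, sets the client side, and can be flipped either way.

```powershell
# Added example: audit and set the SMB signing requirement for the workstation and server roles.
$paths = @{
    Workstation = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    Server      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
}

function Get-SmbSigningPolicy {
    foreach ($role in $paths.Keys) {
        $p = Get-ItemProperty -Path $paths[$role] -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Role    = $role
            Require = [bool]$p.RequireSecuritySignature   # "Digitally sign communications (always)"
            Enable  = [bool]$p.EnableSecuritySignature    # "Digitally sign communications (if ... agrees)"
        }
    }
}

function Set-SmbSigningPolicy {
    param(
        [ValidateSet('Workstation', 'Server')][string]$Role,
        [bool]$Require
    )
    Set-ItemProperty -Path $paths[$Role] -Name RequireSecuritySignature -Value ([int]$Require) -Type DWord
    # "always" only makes sense together with signing being enabled at all
    if ($Require) {
        Set-ItemProperty -Path $paths[$Role] -Name EnableSecuritySignature -Value 1 -Type DWord
    }
}

Get-SmbSigningPolicy

# Hardened state: the client insists on signed SMB sessions.
Set-SmbSigningPolicy -Role Workstation -Require $true

# What the question asked for; use only where an old NAS or appliance cannot sign.
# Set-SmbSigningPolicy -Role Workstation -Require $false

Get-SmbSigningPolicy
# The workstation service reads this at start-up: restart LanmanWorkstation (or reboot) for it to apply.
# A GPO that manages the setting, domain or local, will put its own value back at the next policy refresh.
```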
|
Your problem is probably the "Apply Local GPO Package" step in the task sequence, which will automatically apply a set of GPOs on the local machine. Your options are to disable this step (probably a good idea) or alter the GPO package that it applies.
|
# ? Jun 18, 2014 18:30 |
|
Thanks, I'll have to give that a try. ***edit*** Parasyte posted:Your problem is probably the "Apply Local GPO Package" step in the task sequence, which will automatically apply a set of GPOs on the local machine. Your options are to disable this step (probably a good idea) or alter the GPO package that it applies. Ah, yeah, that could be. I'll take a look at that script/sequence. TWBalls fucked around with this message at 18:33 on Jun 18, 2014 |
# ? Jun 18, 2014 18:30 |
|
Sacred Cow posted:Question for the SCCM people here. I'm running into an issue where any new package deployments will sit at 0% or "downloading information" and never move. Looking at the local logs, all our clients are getting "404, Not Found" "0x87d0027e". I test the site link and it pulls up just fine and has all the correct permissions. I've checked out the TechNet forums and the only answer I've found has been to rebuild the DP or the whole site. I've tried rebuilding the DP but still no luck. I was hoping someone else has a better answer before I redo the whole site. In case anyone is interested, the issue was as stupid as I thought it was going to be. Either someone thought my IIS wasn't secure enough or a security update changed something, but "Authenticated Users" was removed from the application pool that pointed to the DP so no one was able to access the site. It took 2 hours with MS support to figure this out. I think I'll be removing some people's permissions tomorrow morning.
|
# ? Jun 20, 2014 03:07 |
|
parasyte posted:Your problem is probably the "Apply Local GPO Package" step in the task sequence, which will automatically apply a set of GPOs on the local machine. Your options are to disable this step (probably a good idea) or alter the GPO package that it applies. This was the issue. Had to look through a couple of scripts and found that one of them was adding a registry entry to apply this. Not sure why it was doing that, as it says in the policy editor that the default is 'disabled'. Anyway, ended up modifying that entry and tested it. Now it's deploying with that option disabled. Thanks!
|
# ? Jun 26, 2014 02:27 |
|
Is anyone deploying Windows 8.1 with WDS? I have approval needed for unknown computers on, and after approving the machine and running through setup, it fails to join the domain, saying the machine name already exists. The exact same setup and script work fine for Windows 7 however. Approving causes the machine to be created in AD, but it should just be a pre-staged setup, just like Windows 7, right? Edit: It also has Problem 4003 (insuff_access_rights) in the log file, which again doesn't make sense, I'm even trying this as the domain administrator account, same thing. Edit 2: Ok, I've figured out why it is failing to join the domain, machine account password changes and reset is set to deny in security, but why would this start happening now? Serfer fucked around with this message at 21:09 on Jun 26, 2014 |
# ? Jun 26, 2014 03:19 |
|
Ok, so while the forums were down I had asked this on the goon Linked-in group page. I figured I'd ask here now that the forums are back up as I'm hoping to get more suggestions. We're needing to change the local admin passwords on our systems. We were hoping to be able to do this via Group Policy. While there is a Group Policy Preference that will do this, it's not really secure. Well, apparently that isn't even an option now because there's been an update that disables the password boxes, so it's now impossible to change the password that way. At this time, I'm seeing 2 ways of doing this. I've seen some scripts that can be used that will do this. But again, I'd like to make sure that this is encrypted to keep it from prying eyes. The other option is PsPassword from Sysinternals. My concern with that is, our OU is quite the mess. I've been slowly trying to clean it up, but the other techs don't seem to be helping (they're making things worse, if anything). So, it may be a bit of a pain to get a list of computer names that are actually in use. The other possible issue would be if Windows Firewall prevents the program from connecting. Anyway, I'm hoping that someone may have had to do this before and maybe they know of an easy way to accomplish this. For now, I'm going to try testing the PsPassword on a test OU.
|
# ? Jun 27, 2014 22:17 |
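An added example (not from the thread) of the scripted route. Two facts worth having in front of you first: the Group Policy Preferences password field stored the password in SYSVOL as a "cpassword" attribute encrypted with a key Microsoft itself had published, so any domain user who could read SYSVOL could recover it, which is why the May 2014 update (MS14-025) removed those fields; and the Sysinternals tool is spelled PsPasswd. The security point either way is that every machine should end up with a different password, because one shared local admin password is exactly what pass-the-hash lateral movement feeds on (Microsoft later shipped LAPS to do precisely this per-machine rotation). The example assumes an OU of OU=Workstations,DC=corp,DC=example and an admin-only share \\mgmt\secure$ for the output; both are assumptions. It finds the built-in Administrator by its well-known RID 500 rather than by name, so renamed accounts still get rotated.

```powershell
# Added example: set a different random password on the built-in local Administrator (RID 500)
# of every reachable computer in an OU. OU, output share and password length are assumptions.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 24)
    # Ambiguous glyphs (l/1/I, O/0) left out so the password can be read back from the sheet.
    $alphabet = [char[]]'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%&*+-=?@'
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf = New-Object byte[] $Length
    $rng.GetBytes($buf)
    # modulo bias over a 68-symbol alphabet is negligible for this use
    -join ($buf | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Get-BuiltinAdminName {
    param([string]$Computer)
    $acct = Get-WmiObject -ComputerName $Computer -Class Win32_UserAccount `
                -Filter "LocalAccount=True AND SID LIKE '%-500'"
    if (-not $acct) { throw "no RID-500 account found on $Computer" }
    $acct.Name
}

$searchBase = 'OU=Workstations,DC=corp,DC=example'
$outFile    = '\\mgmt\secure$\localadmin-' + (Get-Date -Format yyyyMMdd) + '.csv'   # admins-only ACL

# Only enabled, currently reachable machines; stale computer objects are simply reported as skipped.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $searchBase |
    Where-Object { Test-Connection -ComputerName $_.DNSHostName -Count 1 -Quiet }

$results = foreach ($c in $computers) {
    $pw = New-RandomPassword
    try {
        $name = Get-BuiltinAdminName -Computer $c.Name
        $user = [ADSI]"WinNT://$($c.Name)/$name,user"
        $user.SetPassword($pw)      # administrative reset: no old password needed, needs local admin rights
        $user.SetInfo()
        [pscustomobject]@{ Computer = $c.Name; Account = $name; Password = $pw; Result = 'OK' }
    } catch {
        [pscustomobject]@{ Computer = $c.Name; Account = $null; Password = $null; Result = $_.Exception.Message }
    }
}

$results | Export-Csv -Path $outFile -NoTypeInformation
$results | Group-Object Result | Select-Object Name, Count
```

The WMI lookup and the WinNT provider need the Windows Firewall exceptions for WMI and for File and Printer Sharing (RPC/SMB) on the targets, which is the same connectivity PsPasswd needs, so a machine that fails here would fail with that tool too; the Result column tells you which ones to chase. The output file is the new secret: keep it on a share only administrators can read and delete it once the passwords are in whatever vault you settle on.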
|
Serfer posted:Edit 2: Ok, I've figured out why it is failing to join the domain, machine account password changes and reset is set to deny in security, but why would this start happening now?
|
# ? Jun 27, 2014 22:35 |
|
I just interviewed for a lead tech position, it's in the same organization I'm already in. If I get the job I'll be handling migration to Active Directory (with the help of a tech from another department that has already done this), creating inventory for IT, getting a ticket system running(none exists there!), creating documentation for everything, handling issue resolution, and providing purchase recommendations. I'll be looking for existing inventory, which may not exist. I'll be using Spiceworks for live inventory and tickets, and using an existing manual inventory system to document what we are supposed to have. Unfortunately, the previous IT lead left on bad terms, so I'll have to make sure everybody knows I am there to help. I'll be coming from working for multiple years in a regular desktop support position where I also helped a bit with servers and getting AD going at our site. Any gotchas I should know about when moving between these two types of positions? Any tips the pros can provide? I'm so excited! I hope I can get it. Yaos fucked around with this message at 22:55 on Jun 27, 2014 |
# ? Jun 27, 2014 22:53 |
|
TWBalls posted:Ok, so while the forums were down I had asked this on the goon Linked-in group page. I figured I'd ask here now that the forums are back up as I'm hoping to get more suggestions. We used PsPassword when it turned out someone had all the local admin passwords in a .txt file on our management server. It worked pretty well. And now you have a good excuse to sort out your OUs
|
# ? Jun 28, 2014 11:41 |
|
Yaos posted:I just interviewed for a lead tech position, it's in the same organization I'm already in. If I get the job I'll be handling migration to Active Directory (with the help of a tech from another department that has already done this), creating inventory for IT, getting a ticket system running(none exists there!), creating documentation for everything, handling issue resolution, and providing purchase recommendations. I'll be looking for existing inventory, which may not exist. I'll be using Spiceworks for live inventory and tickets, and using an existing manual inventory system to document what we are supposed to have. Unfortunately, the previous IT lead left on bad terms, so I'll have to make sure everybody knows I am there to help. What type of identity management did they have on the machines (identity management = some sort of authentication to access resources in the organization)?
|
# ? Jun 30, 2014 08:06 |
|
incoherent posted:What type of identity management did they have on the machines (identity management = some sort of authentication to access resources in the organization)?
|
# ? Jun 30, 2014 13:35 |
|
You've got a poo poo ton of work to do. For documentation, get on Confluence. I use it to jot down configuration stuff https://www.atlassian.com/software/confluence For AD/domain configuration. Follow all modern best practices, take away local admin privileges, and audit audit audit.
|
# ? Jun 30, 2014 18:25 |
|
One other thing... Is anyone using SCCM and has Windows 8.1 machines? It seems that SCCM Remote Control doesn't handle scaling well, so the mouse is totally off on 8.1 machines. Anyone else run into this? Serfer fucked around with this message at 23:18 on Jun 30, 2014 |
# ? Jun 30, 2014 23:15 |
|
Serfer posted:One other thing... Is anyone using SCCM and has Windows 8.1 machines? It seems that SCCM Remote Control doesn't handle scaling well, so the mouse is totally off on 8.1 machines. Not this exact problem, but with SCCM itself I've run into similar issues when remoting onto Win 7 machines with multiple displays. SCCM related, and I can't believe I never learned this sooner: apparently you're not supposed to click the maximize button in the service manager console! It heavily strains your SCCM and SQL servers as well as your desktop, I guess. You can stretch it out to fit your monitor, however, and that is fine.
|
# ? Jul 1, 2014 16:51 |
|
BaseballPCHiker posted:Not this exact problem but SCCM itself but I've ran into similar issues when remoting onto Win 7 machines with multiple displays. I don't see that problem in 2012 R2 CU1.
|
# ? Jul 1, 2014 16:58 |
|
Bit of a dumb question here. I have a Windows 7 DVD that I erased the EI.cfg from (this is for ease of use so we don't have to have multiple editions of Windows around). I want to inject a bunch of Windows Updates into the WIM using DISM. Do I need to mount, install updates and commit for each Windows edition in the WIM, or can I get away with just updating one edition?
|
# ? Jul 1, 2014 19:00 |
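Each edition in install.wim is a separate image index with its own file set, so servicing one index does not touch the others: every index you intend to deploy has to be mounted, updated and committed on its own. An added example (not from the thread) that loops over all indices with the DISM PowerShell module; the paths D:\Win7\sources\install.wim, D:\Updates and C:\Mount are assumptions. Packages that do not apply to a given edition are reported and skipped rather than aborting the whole run, and a failure mid-index discards that mount instead of saving a half-serviced image.

```powershell
# Added example: inject every .msu/.cab in a folder into every index of a WIM.
# Paths are assumptions. Run elevated with the DISM module (Windows 8/2012 ADK) available.
$Wim     = 'D:\Win7\sources\install.wim'
$Updates = 'D:\Updates'
$Mount   = 'C:\Mount'

New-Item -ItemType Directory -Path $Mount -Force | Out-Null

# Order matters: servicing-stack updates must go in before updates that depend on them.
# Sorting by name is a stand-in for an explicit, ordered list of KBs.
$packages = Get-ChildItem -Path $Updates -Recurse -Include '*.msu', '*.cab' | Sort-Object Name

foreach ($img in Get-WindowsImage -ImagePath $Wim) {
    Write-Host "== Index $($img.ImageIndex): $($img.ImageName)"
    Mount-WindowsImage -ImagePath $Wim -Index $img.ImageIndex -Path $Mount | Out-Null
    try {
        foreach ($pkg in $packages) {
            try {
                Add-WindowsPackage -Path $Mount -PackagePath $pkg.FullName -ErrorAction Stop | Out-Null
                Write-Host "   added   $($pkg.Name)"
            } catch {
                # typical cause: the update is not applicable to this edition or architecture
                Write-Warning "   skipped $($pkg.Name): $($_.Exception.Message)"
            }
        }
        $installed = @(Get-WindowsPackage -Path $Mount | Where-Object { $_.PackageState -eq 'Installed' }).Count
        Write-Host "   $installed packages now installed in this index"
        Dismount-WindowsImage -Path $Mount -Save | Out-Null
    } catch {
        # never commit a partially serviced index
        Dismount-WindowsImage -Path $Mount -Discard | Out-Null
        throw
    }
}
```

With EI.cfg removed the media still offers every index, so a deployment that picks an index you skipped would install unpatched; if you only ever deploy one edition, export that single index into a new WIM and service that instead of carrying the others along.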
|
Hopefully this is the correct thread for this request, if not, I apologize. I have a NAS that holds weekly full database backups from multiple SQL clusters. The folder structure is as follows: <drive>:\<backup share>\<server name>\<database name>\FULL\<backup file name> This is all well and good, but we need to get these backups offsite somehow. Until we can get a better solution in place, I've been stuck with two sets of six USB drives. These will be rotated out on a regular basis (one set offsite, one set ready to copy stuff to). Here's where it gets retarded. I need to save the two most recent weekly full backups, along with the first weekly full backup of each month. I wrote a console app to run through the NAS each week to clean up the unneeded files, that works fine. Where I'm stuck is how to get the backups to the multiple USB drives and keep them in sync with what's on the NAS. I don't want to just delete what's on the USB drives every week and copy everything over again because it's a lot of data (like 16TB at this point and growing). I need something that's smart enough to check what's already on the drives, delete any backups that are no longer needed, then copy over any new backups. I don't care where the files end up on the USB drives, they just need to get there somehow. Basically, I need some kind of directory sync tool that is smart enough to know how to span files across multiple volumes. I started writing a C# app to do all of this, but it's been ages since I've dug into coding and I'm pretty much just wasting my time and not getting anywhere with it at this point. Is there anything out there that handles file syncs with these requirements?
|
# ? Jul 2, 2014 16:09 |
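An added example (not from the thread) of the sync logic described above: take the retained set on the NAS (the clean-up app has already applied the retention rule), diff it against what is spread over the USB drives, delete anything no longer wanted or half-copied, then place each missing file on whichever drive has the most free space, largest files first (first-fit decreasing, which keeps large .bak files from being stranded). The source path, the six drive letters and the .bak extension are assumptions. Since the drives leave the building, the practitioner's caveat is that they should be BitLocker To Go volumes or the backups themselves encrypted; a lost unencrypted USB drive full of database backups is a breach, not a lost drive.

```powershell
# Added example: one-way sync of the NAS backup set onto a pool of USB drives with file-level placement.
# Source path, drive letters and extension are assumptions.
$Source  = '\\nas\sqlbackup'
$Targets = @('E:\', 'F:\', 'G:\', 'H:\', 'I:\', 'J:\')

function Get-RelativePath {
    param([string]$Root, [string]$Full)
    $Full.Substring($Root.TrimEnd('\').Length).TrimStart('\')
}

function Get-FreeBytes {
    param([string]$Drive)
    (New-Object System.IO.DriveInfo($Drive)).AvailableFreeSpace
}

# 1. Wanted set: every backup currently under the NAS, keyed by <server>\<db>\FULL\<file>.
$wanted = @{}
Get-ChildItem -Path $Source -Recurse -File -Filter '*.bak' | ForEach-Object {
    $wanted[(Get-RelativePath $Source $_.FullName)] = $_
}

# 2. Present set: every backup already on any mounted drive, under the same relative key.
$present = @{}
foreach ($t in $Targets) {
    if (-not (Test-Path $t)) { Write-Warning "$t not mounted, skipping"; continue }
    Get-ChildItem -Path $t -Recurse -File -Filter '*.bak' -ErrorAction SilentlyContinue | ForEach-Object {
        $present[(Get-RelativePath $t $_.FullName)] = $_
    }
}

# 3. Remove what retention dropped, and partial copies (size mismatch) left by an interrupted run.
foreach ($rel in @($present.Keys)) {
    $w = $wanted[$rel]
    if (-not $w -or $w.Length -ne $present[$rel].Length) {
        Remove-Item -LiteralPath $present[$rel].FullName -Force
        $present.Remove($rel)
    }
}

# 4. Copy what is missing, biggest first, onto the drive with the most free space.
$todo = $wanted.Keys | Where-Object { -not $present.ContainsKey($_) } |
        Sort-Object { $wanted[$_].Length } -Descending
foreach ($rel in $todo) {
    $file  = $wanted[$rel]
    $drive = $Targets | Where-Object { Test-Path $_ } |
             Sort-Object { Get-FreeBytes $_ } -Descending | Select-Object -First 1
    if (-not $drive -or (Get-FreeBytes $drive) -lt ($file.Length + 100MB)) {
        Write-Warning "no drive has room for $rel ($([math]::Round($file.Length / 1GB, 1)) GB)"
        continue
    }
    $dest = Join-Path $drive $rel
    New-Item -ItemType Directory -Path (Split-Path -Parent $dest) -Force | Out-Null
    Copy-Item -LiteralPath $file.FullName -Destination $dest
    $present[$rel] = Get-Item -LiteralPath $dest
}

"Drives hold $($present.Count) of $($wanted.Count) wanted backups."
```

Only drives that are plugged in count as "present", so a file that already sits on a drive left at the offsite location will be copied again onto the set in hand; that is the behaviour you want for two independent rotation sets, but run the script once per set, not across both. Size is used as the completeness check because hashing 16 TB on every run is impractical; for a spot check of a finished drive, compare a sample with Get-FileHash against the NAS copy.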
|
Right now I'm trying to stop a group of users (can be either an OU or Security Group) from logging in to any workstations. I don't want to disable their email or other web application access, so I can't just disable the AD account. I can't find any group policy that will do this, so right now I'm looking at a powershell script that will change the account's LogonWorkstations property from All computers to an invalid computer name. Not ideal, but it seems to work. The problem I'm running into this with is I don't know how to change it back to All computers en masse. Anyone have any ideas?
|
# ? Jul 2, 2014 16:38 |
|
Orcs and Ostriches posted:Right now I'm trying to stop a group of users (can be either an OU or Security Group) from logging in to any workstations. I don't want to disable their email or other web application access, so I can't just disable the AD account. Put the users in a group and add that group to the Deny log on locally setting in a GPO (Computer Configuration\Policies\Security Policies\Local Policies\User Rights Assignment). Apply that GPO to the OU where the workstations reside and put the target computers in a security group to filter it further if you need to.
|
# ? Jul 2, 2014 16:54 |
|
You want to deny them the 'log on locally' right. Put all your users in a security group, create the GPO, link it to the OUs the machines are in. http://4sysops.com/archives/deny-and-allow-workstation-logons-with-group-policy/ Log on Locally will stop them from logging into a workstation, but should still allow the account to authenticate to email and web apps. As for the powershell script and the LogonWorkstations value, setting it to $null should clear the value out if you're using the Quest extensions. I'm pretty sure you want to be using the userWorkstations attribute instead, though.
|
# ? Jul 2, 2014 17:05 |
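An added example (not from the thread) that does the attribute version with the Microsoft ActiveDirectory module rather than the Quest cmdlets: block, report and restore in bulk for every user in a group, including nested membership. The group name NoWorkstationLogon and the OU are assumptions. The "Log On To" dialog stores its list in the userWorkstations attribute as comma-separated NetBIOS names, so "All computers" is simply the attribute being absent, which is what -Clear produces. Two caveats for whichever route you pick: the GPO approach should pair "Deny log on locally" with "Deny log on through Remote Desktop Services" if RDP is in play, and the attribute approach silently caps the list at a few dozen names, which is why an impossible single name is used here instead of enumerating machines.

```powershell
# Added example: bulk block/restore of workstation logon via userWorkstations, plus a report.
# Group and OU names are assumptions.
Import-Module ActiveDirectory

function Get-TargetUsers {
    param([string]$Group)
    Get-ADGroupMember -Identity $Group -Recursive | Where-Object { $_.objectClass -eq 'user' }
}

function Block-WorkstationLogon {
    param([string]$Group, [switch]$WhatIf)
    # A name no host will ever carry; the attribute is a comma-separated list of NetBIOS names.
    Get-TargetUsers $Group | Set-ADUser -Replace @{ userWorkstations = 'NOLOGON-BLOCKED' } -WhatIf:$WhatIf
}

function Restore-WorkstationLogon {
    param([string]$Group, [switch]$WhatIf)
    # Removing the attribute is what "All computers" means.
    Get-TargetUsers $Group | Set-ADUser -Clear userWorkstations -WhatIf:$WhatIf
}

function Get-RestrictedUsers {
    param([string]$SearchBase)
    Get-ADUser -Filter 'userWorkstations -like "*"' -SearchBase $SearchBase -Properties userWorkstations |
        Select-Object SamAccountName, userWorkstations
}

# Dry run first, then apply, report, and later put everything back.
Block-WorkstationLogon   -Group 'NoWorkstationLogon' -WhatIf
Block-WorkstationLogon   -Group 'NoWorkstationLogon'
Get-RestrictedUsers      -SearchBase 'OU=Users,DC=corp,DC=example'
Restore-WorkstationLogon -Group 'NoWorkstationLogon'
```

Get-RestrictedUsers is also the audit for the case the thread worried about: anyone whose attribute was set by hand months ago and never cleared shows up in that list, and a single Set-ADUser -Clear puts them back on "All computers".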
|
I have a unique enterprise licensing situation I'm running into and since our resident "Enterprise Licensing Expert" can't answer my question and is just asking his retail sales rep the wrong questions anyway, I hope someone here can help shed some light. We have our main corporate network with servers, PCs, etc. We also have two VLANs, one for each of our production divisions. For security reasons they're isolated and insular. No internet access and the only cross-network traffic is to a single NetApp appliance for storage on the corporate side. We run a couple of domain controllers on our side as well as a small file server. The problem is we're running Server2k3 on hardware servers with no DR. I have the option of getting some virtual servers from the corp side with 2k8R2 or 2012 for free because of our enterprise licensing agreement. That's all well and good. The question is about user CALs. If the users on our VLAN segment already have a user CAL on the corp network, under enterprise licensing, or any kind of licensing, can those CALs also be used on our VLAN domain or do we have to buy new ones? This is a visual of our setup. Two domains that do not communicate or share info, two VLANs, same user group. Do I have to buy CALs for both domains if it's under the same server licensing agreement?
|
# ? Jul 2, 2014 18:52 |
|
permanoob posted:If the users on our VLAN segment already have a user CAL on the corp network, under enterprise licensing, or any kind of licensing, can those CALs also be used on our VLAN domain or do we have to buy new ones? As far as I see your users are covered for all of your corporation's servers (for the products they have CALs for, of course). CALs allow the licensed user or device to access the specified version (or lower) of any server software your company has licensed, not limited to a particular domain or a single server. In other words one Windows CAL allows access to all Windows servers licensed to your company, no matter where they are located or how isolated they are.
|
# ? Jul 2, 2014 19:43 |
|
Is there any best practice for where to install legacy programs that insist on putting everything in program files and letting every user write there? One vendor's solution was to put their stuff in C:\vendorname, another vendors was to put it under public documents\vendorname. Would a legacy app folder similar to /opt on linux be the right thing? I'm finally getting rid of some XP machines for 7 and I'd like to start out right.
|
# ? Jul 3, 2014 21:20 |
|
Maybe I'm loving blind, but where do you disable Validate Server Certificate for 802.1x on a Windows 7 machine? I'm trying to play around with AD-integration for WiFi authentication, but I don't want to buy a server cert for my NPS server until I'm sure this works. I'm able to connect with my Win8 laptop because it seems to just ask me whether I'm expecting to see this SSID here (likely due to the lovely self signed cert) rather than rejecting it outright. My win7 laptop I'm having no luck with. It can't connect and everything points to the self signed cert but I have no idea where to go to disable the Win7 machine's validation of the cert.
|
# ? Jul 3, 2014 21:22 |
|
I usually make a "Data" folder at the C:\ root and install to that.
|
# ? Jul 3, 2014 21:24 |
|
Martytoof posted:Maybe I'm loving blind, but where do you disable Validate Server Certificate for 802.1x on a Windows 7 machine? I'm trying to play around with AD-integration for WiFi authentication, but I don't want to buy a server cert for my NPS server until I'm sure this works. Has to be done in the wireless GPO itself. I'm working off of an XP wireless policy so this might be in a different area for Vista+ policies; in IEEE 802.1x properties in the wireless network properties, make sure your EAP is set to PEAP, go into its settings and uncheck "Verify the server's identity by validating the certificate". Also make sure Authentication Mode is set to User or Computer and that "Authenticate as computer when computer information is available" is checked so the laptop can auth to the 802.1x wireless before someone signs in. edit: well, if there's no GPO pushing out the wireless settings then the setting will be in the same spot locally. I have wireless GPOs on the brain.
|
# ? Jul 3, 2014 21:29 |
|
Martytoof posted:Maybe I'm loving blind, but where do you disable Validate Server Certificate for 802.1x on a Windows 7 machine? I'm trying to play around with AD-integration for WiFi authentication, but I don't want to buy a server cert for my NPS server until I'm sure this works. You should really do this with a wireless gpo and just add yourself as a user, test that way. As hihifellow said, you can set this in the gpo itself.
|
# ? Jul 3, 2014 23:55 |
|
I'm specifically trying to do this without a GPO because a subset of the devices will not be bound to the domain; the AD credentials would just be a better way of allowing network access than the SSID password they have in place now which gets changed infrequently due to management pushback at an organization with high turnover. I can only do so much, so I'm hoping that this is painless enough that it'll get approved. I could be mistaking what you guys are recommending for something else though, on second read. Though between the time I posted and then read the replies I managed to fumble a solution. I just created a WiFi profile with the appropriate SSID, set it to WPA2-Ent/AES, then it gave me the option to modify the security settings once the profile was created. Disabled the cert check and everything came up perfectly with no issues. Now my next hurdle will be trying to figure out how to create a server cert request on this machine because apparently Certificate Enrollment Policy is preventing me from doing something. God this just exposes how little I know about the inner workings of AD and its underpinnings beyond the basics. some kinda jackal fucked around with this message at 00:11 on Jul 4, 2014 |
# ? Jul 4, 2014 00:04 |
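The checkbox everyone has just located is the one that matters most for the security of PEAP: with server validation off, any access point broadcasting the same SSID can terminate the TLS tunnel itself and collect the inner MSCHAPv2 exchange, which is crackable offline, so the AD credentials that were supposed to be an improvement over a shared PSK become harvestable from the parking lot. Untick it to prove the NPS plumbing works, but for production either issue the NPS certificate from an internal CA (AD CS, no purchase needed) and push that root to the clients, or pin the self-signed certificate's thumbprint in the profile, rather than leaving validation off. Because "temporary" test profiles tend to survive, here is an added example (not from the thread) that audits a Windows 7/8 machine's saved wireless profiles and flags PEAP profiles with validation disabled or no pinned root. It exports the profiles with netsh and reads the XML namespace-agnostically, so it does not depend on the exact V1/V2 PEAP schema version.

```powershell
# Added example: find saved 802.1X wireless profiles whose PEAP server validation is off or unpinned.
$work = Join-Path $env:TEMP 'wlan-audit'
New-Item -ItemType Directory -Path $work -Force | Out-Null
Get-ChildItem -Path $work -Filter '*.xml' | Remove-Item -Force
netsh wlan export profile folder="$work" | Out-Null      # one XML per saved profile, no keys included

function Get-Text {
    param([xml]$Doc, [string]$Element)
    # first element with this local name, whatever namespace the schema version puts it in
    $node = $Doc.SelectNodes("//*[local-name()='$Element']") | Select-Object -First 1
    if ($node) { $node.InnerText }
}

$report = foreach ($f in Get-ChildItem -Path $work -Filter '*.xml') {
    [xml]$p = Get-Content -LiteralPath $f.FullName
    $auth = Get-Text $p 'authentication'
    if ($auth -notin @('WPA2', 'WPA')) { continue }      # enterprise (802.1X) only; WPA2PSK etc. are skipped
    $eapType  = Get-Text $p 'Type'                        # EapMethod/Type comes first: 25 = PEAP, 13 = EAP-TLS
    $validate = Get-Text $p 'PerformServerValidation'
    $rootCA   = Get-Text $p 'TrustedRootCA'               # SHA-1 thumbprint(s) of accepted issuing roots
    [pscustomobject]@{
        Profile     = Get-Text $p 'name'
        EapType     = $eapType
        ServerNames = Get-Text $p 'ServerNames'
        PinnedRoot  = [bool]$rootCA
        Verdict     = if ($eapType -ne '25')      { 'not PEAP, not checked' }
                      elseif ($validate -ne 'true') { 'INSECURE: accepts any server certificate' }
                      elseif (-not $rootCA)        { 'WEAK: any trusted root CA accepted' }
                      else                         { 'OK' }
    }
}

$report | Format-Table -AutoSize
Remove-Item -Path $work -Recurse -Force
```

Run it as the user whose profile was created (per-user profiles are only exported in that user's context) and again elevated for the all-users profiles. A "WEAK" verdict means the profile trusts any certificate chaining to any root in the machine store, which still lets an attacker with any publicly issued certificate for any name impersonate the NPS unless ServerNames is also set, so the fix is to pin the issuing root and list the NPS hostname.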
|
Gyshall posted:I usually make a "Data" folder at the C:\ root and install to that. There's a c:/ProgramData/ already for that, just hidden by default for Microsoft awesome reasons.
|
# ? Jul 4, 2014 01:32 |
|
MrMoo posted:There's a c:/ProgramData/ already for that, just hidden by default for Microsoft awesome reasons. I saw that and assumed it was for something else.
|
# ? Jul 4, 2014 04:49 |
|
thebigcow posted:Is there any best practice for where to install legacy programs that insist on putting everything in program files and letting every user write there? One vendor's solution was to put their stuff in C:\vendorname, another vendors was to put it under public documents\vendorname. Would a legacy app folder similar to /opt on linux be the right thing? Try installing it in %PROGRAMDATA%, that sounds like what you have in mind.
|
# ? Jul 4, 2014 06:27 |
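Wherever the legacy app ends up, the property that made it break on Windows 7 is the one to avoid recreating: a folder that every user can write to and that also holds the executables. If a standard user can overwrite a DLL or EXE that an administrator (or a service) later runs from that folder, that user can run code as the administrator. An added example (not from the thread) that lays out an app under %ProgramData% so the binaries stay read-only for Users and only a data subfolder is writable; the folder name LegacyVendorApp is an assumption. The same two icacls calls work for a C:\vendorname layout if the vendor insists on it.

```powershell
# Added example: writable data, read-only program files, for a legacy app under %ProgramData%.
# Folder name is an assumption. Run elevated.
$root = Join-Path $env:ProgramData 'LegacyVendorApp'
$data = Join-Path $root 'Data'
New-Item -ItemType Directory -Path $root, $data -Force | Out-Null

# Replace inherited ACEs: administrators and SYSTEM own it, Users may only read and execute.
icacls $root /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' 'Users:(OI)(CI)RX'

# Users may create and modify files under Data only (the part the app actually needs to write).
icacls $data /grant 'Users:(OI)(CI)M'

# Show the result; anything the app still tries to write outside Data will now fail loudly
# instead of quietly leaving a user-writable binary behind.
icacls $root
icacls $data
```

If the app cannot be told where its data lives, Process Monitor filtered on ACCESS DENIED for its process shows exactly which paths need the Modify ACE, and that list should be just data files, never the folder that holds the EXE or DLLs.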
|
|
I've got a few DCs in branch offices that I want to replace with RODCs. Is there any issue with demoting them and then re-promoting them as RODCs, or is it better practice to introduce an entirely new server?
|
# ? Jul 7, 2014 07:27 |