GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

Yeah just raise it, it'll be fine. All it really does is extend the schema.


Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.
Raising the domain to 2008 + level provides amazing quality of life things such as:

- DFS replication
- DFS Access Based Enumeration (ie. have one drive map for all your users and use NTFS permissions to restrict access and visibility for sub folders)
- Being able to delete/demote domain controllers from AD users and computers snapin (ie. no dcpromo for removal)
- Service accounts
- Better security logging

There is basically no reason not to do this, and your old 2000/2003/2008/2008 R2 servers will work with the updated schema et al.

Dr. Arbitrary
Mar 15, 2006

Bleak Gremlin
I've never done this kind of thing before and I'm studying for the MCSA exam, does this sound like a reasonable upgrade path?

Current setup is SiteA-DC01, SiteA-DC02, SiteB-DC01, SiteB-DC02. All 2003 virtual machines.

I'm thinking of spinning up 4 2012R2 server core machines.
Take snapshots of SiteA-DC01 and SiteB-DC01, place SiteA-DC02 and SiteB-DC02 on an isolated virtual switch. If something goes really wrong, we can use them to bring everything back.
I'll add two 2012 machines to replace the DC02's. They'll be added using the AD account for the old ones and get the same IP addresses.
Next, install AD DS services and DNS. This should extend the schema to 2012R2, but won't upgrade the functional level, not sure what the difference is.
Make SiteA-DC02 the Primary Domain Controller. I'm not sure how Schema masters, etc. work.
Shut down the DC01's. Now all online Domain Controllers are 2012R2's running at the 2003 level (with a 2012R2 schema?)
Raise the functional level to 2012R2.
Join the other two 2012R2 servers to the domain to replace the old ones.

Am I on the right track?
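
The plan above asks how schema version, functional level and the schema master and other FSMO roles relate. As an added example that is not part of the original post or thread, this read-only PowerShell inventory shows them side by side and lists which domain controllers still block a raise to 2012 R2. It assumes the RSAT ActiveDirectory module and at least one reachable DC running Active Directory Web Services.

```powershell
# Added example (not from the thread): read-only inventory for the upgrade plan above.
# Assumptions: RSAT ActiveDirectory module is installed and at least one reachable DC
# runs Active Directory Web Services (2003 DCs do not run it by default).
Import-Module ActiveDirectory

# objectVersion on the schema naming context -> Windows release that schema belongs to.
$schemaNames = @{
    30 = 'Windows Server 2003'
    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008'
    47 = 'Windows Server 2008 R2'
    56 = 'Windows Server 2012'
    69 = 'Windows Server 2012 R2'
}

$rootDse       = Get-ADRootDSE
$schemaObject  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion
$schemaVersion = [int]$schemaObject.objectVersion
$schemaLabel   = if ($schemaNames.ContainsKey($schemaVersion)) { $schemaNames[$schemaVersion] } else { 'not in table' }

$forest = Get-ADForest
$domain = Get-ADDomain

# Schema version and functional level are separate settings: promoting the first
# 2012 R2 DC extends the schema, while the functional levels stay where they are
# until an administrator raises them.
[pscustomobject]@{
    SchemaVersion         = "$schemaVersion ($schemaLabel)"
    ForestFunctionalLevel = $forest.ForestMode
    DomainFunctionalLevel = $domain.DomainMode
    SchemaMaster          = $forest.SchemaMaster          # forest-wide FSMO role
    DomainNamingMaster    = $forest.DomainNamingMaster    # forest-wide FSMO role
    PDCEmulator           = $domain.PDCEmulator           # per-domain FSMO role
    RIDMaster             = $domain.RIDMaster             # per-domain FSMO role
    InfrastructureMaster  = $domain.InfrastructureMaster  # per-domain FSMO role
} | Format-List

# Every DC in the domain with its site, OS and any FSMO roles it holds.
$dcs = Get-ADDomainController -Filter *
$dcs | Sort-Object Site, HostName |
    Format-Table HostName, Site, OperatingSystem, IsGlobalCatalog,
        @{ Name = 'FsmoRoles'; Expression = { $_.OperationMasterRoles -join ', ' } } -AutoSize

# The functional level cannot be raised while an older DC is still in the domain.
# This check is written for the 2012 R2 target in the plan above.
$blocking = $dcs | Where-Object { $_.OperatingSystem -notmatch '2012 R2' }
if ($blocking) {
    Write-Warning 'These DCs must be demoted before raising the functional level to 2012 R2:'
    $blocking | Select-Object HostName, OperatingSystem
} else {
    Write-Output 'All DCs run 2012 R2; the functional level can be raised.'
}
```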

SquirrelGrip
Jul 4, 2012
cross posting as I'm struggling

SquirrelGrip posted:

I am a moron who agreed to take over a small managed service team that provides basic monitoring and reactive support for sharepoint.

Now has come the time where I make my life as simple as possible, but I require a decent monitoring agent so I can sit back and let monkeys do the rest.

Can any goons recommend me something that;
- will monitor event logs for windows server (virtualised)
- will monitor drive sizes
- can monitor SQL
- preferably agentless
- works over vpn/anyconnect/whatever backwards connector the client uses

errr most helpful gets an av or whatever

Nitr0
Aug 17, 2005

IT'S FREE REAL ESTATE

Dr. Arbitrary posted:

I've never done this kind of thing before and I'm studying for the MCSA exam, does this sound like a reasonable upgrade path?

Current setup is SiteA-DC01, SiteA-DC02, SiteB-DC01, SiteB-DC02. All 2003 virtual machines.

I'm thinking of spinning up 4 2012R2 server core machines.
Take snapshots of SiteA-DC01 and SiteB-DC01, place SiteA-DC02 and SiteB-DC02 on an isolated virtual switch. If something goes really wrong, we can use them to bring everything back.
I'll add two 2012 machines to replace the DC02's. They'll be added using the AD account for the old ones and get the same IP addresses.
Next, install AD DS services and DNS. This should extend the schema to 2012R2, but won't upgrade the functional level, not sure what the difference is.
Make SiteA-DC02 the Primary Domain Controller. I'm not sure how Schema masters, etc. work.
Shut down the DC01's. Now all online Domain Controllers are 2012R2's running at the 2003 level (with a 2012R2 schema?)
Raise the functional level to 2012R2.
Join the other two 2012R2 servers to the domain to replace the old ones.

Am I on the right track?

Never snapshot a 2003 2008 domain controller.

Dans Macabre
Apr 24, 2004


SquirrelGrip posted:

cross posting as I'm struggling

I think just use kaseya

CLAM DOWN
Feb 13, 2007




Nitr0 posted:

Never snapshot a 2003 2008 domain controller.

Is 2012 R2 more snapshot friendly for a DC? I'd still be hesitant.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
You'll need to get familiar with the restoration process for a domain controller (both authoritative and non). Of all the things Microsoft is a stickler about, it's domain controller consistency.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

CLAM DOWN posted:

Is 2012 R2 more snapshot friendly for a DC? I'd still be hesitant.

It's snapshot aware.... it really doesn't take long to deploy a DC, not sure why it's a thing but it is.

http://blogs.technet.com/b/keithmay...pro-vmware.aspx

I've taken snapshots of 2003 and 2008 DC's but they never ever touch the production network, they go into an isolated testing network.

Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.
You can snapshot them, just don't expect to roll back cleanly.

ZetsurinPower
Dec 14, 2003

I looooove leftovers!
edit: nevermind

ZetsurinPower fucked around with this message at 16:19 on Dec 8, 2014

alanthecat
Dec 19, 2005

Gyshall posted:

Raising the domain to 2008 + level provides amazing quality of life things such as:

- DFS replication

I don't think it does this automatically, though. I'm going to follow this guide once I get rid of old FRS errors (caused by restoring the DC from backup).

Gyshall
Feb 24, 2009

Had a couple of drinks.
Saw a couple of things.
Correct, you need to configure the Sysvol and Netlogon shares to use DFS, but if you have things like remote offices it can be a bandwidth lifesaver.

mewse
May 2, 2006

I am locking down a couple of laptops with deep freeze. I will be redirecting "my documents" to a thawed partition so they can save files, but I want to lock down the desktop so they can't save there and call in super pissed off when their dumb spreadsheet vanishes.

Apparently setting the desktop folder to read-only is not enough.

Is there an easy way to get this done? We do it on our virtual desktops using group policy (I believe, I didn't do it myself), these are standalone laptops not on a domain.

Thank you for any help.

Orcs and Ostriches
Aug 26, 2010


The Great Twist
I don't know off the top of my head, but are there local policies you can apply to enact the same as the group policies?

e: There are also a couple of problems that can arise by restricting too much write-access to the local user folder. I've experienced Office completely making GBS threads itself, for one. There might be some amount of responsibility on the user not to gently caress themselves over, no matter how hard you lock the system down.

Orcs and Ostriches fucked around with this message at 23:22 on Aug 27, 2014

SquirrelGrip
Jul 4, 2012

NevergirlsOFFICIAL posted:

I think just use kaseya

I have come to the realisation that we will be building our own monitor

lol internet.
Sep 4, 2007
the internet makes you stupid
Question about o365 licenses.

If our users are licensed for the full Office suite, would it be a problem (from a MS standpoint) if I just installed the software on their computers using the media from the VLSC site? (So they don't have to log in with their o365 account on the computers.)

Thanks Ants
May 21, 2004

#essereFerrari


That's how we were told to deploy it onto RDS - buy one Office Pro Plus seat to get access to the media and install it. The license is with the user so the idea is that they 'bring it with them' when they log in.

lol internet.
Sep 4, 2007
the internet makes you stupid
Trying to update GPO definitions and when I copy it to C:\Windows\PolicyDefinitions it says cannot overwrite for some of the admx files. Why's this?


edit: Nevermind, should have been copying it to sysvol.

lol internet. fucked around with this message at 15:38 on Aug 29, 2014

peak debt
Mar 11, 2001
b& :(
Nap Ghost

Greg Jackson posted:

Is there an easy way to get this done? We do it on our virtual desktops using group policy (I believe, I didn't do it myself), these are standalone laptops not on a domain?

Everything you can do in group policy you can also do in local policy. Run rsop.msc on one of the virtual desktops to see what policies are set.

Demie
Apr 2, 2004

Greg Jackson posted:

I am locking down a couple of laptops with deep freeze. I will be redirecting "my documents" to a thawed partition so they can save files, but I want to lock down the desktop so they can't save there and call in super pissed off when their dumb spreadsheet vanishes.

Apparently setting the desktop folder to read-only is not enough.

Is there an easy way to get this done? We do it on our virtual desktops using group policy (I believe, I didn't do it myself), these are standalone laptops not on a domain.

Thank you for any help.

My guess is that you've set permissions on the "all users" desktop folder, which doesn't prevent them from writing the desktop folder in the user's own profile.

I have some experience with DF. You could redirect the user desktop folders to the live partition if you want them to just have their way. Or use Data Igloo to redirect entire profiles. But I have never actually used that, as we're trying to get rid of DF.

Personally, I think it's enough to just take away admin access if you can. DF is a pain to work with for reasons like this, and not worth it for anything but public facing PCs.

mewse
May 2, 2006

Thanks for the responses, guys.

peak debt posted:

Everything you can do in group policy you can also do in local policy. Run rsop.msc on one of the virtual desktops to see what policies are set.

The thing is that I think they redirected to a network folder with restricted domain permissions and that's why nobody can write files to the desktop. There are no network folders on these laptops.. maybe I could redirect to a folder with restricted ntfs permissions and different ownership..

Demie posted:

My guess is that you've set permissions on the "all users" desktop folder, which doesn't prevent them from writing the desktop folder in the user's own profile.

Nope I was working with their desktop folder. It wouldn't allow me to change ownership of the folder because it was inheriting permissions. I basically gave up.

quote:

I have some experience with DF. You could redirect the user desktop folders to the live partition if you want them to just have their way. Or use Data Igloo to redirect entire profiles. But I have never actually used that, as we're trying to get rid of DF.

Yeah, I've tested this before but if their whole user profile is writable they can do everything: change visual theme, fill the desktop with random files, pick up user-level malware. What I've currently settled on is redirecting "my documents" to a thawed partition and giving the warning "save files to the D: drive or they will disappear. Do not save files to the desktop."

quote:

Personally, I think it's enough to just take away admin access if you can. DF is a pain to work with for reasons like this, and not worth it for anything but public facing PCs.

It's fitting our needs for desktops really well but laptops need too much freedom which is why I'm struggling

BaseballPCHiker
Jan 16, 2006

So I'm at a loss here with getting Office 2013 to install as part of our lite touch deployment. I've got the application imported into SCCM. Ran the setup.exe /admin to make sure it installs silently without any user notice and gets our correct license key. It shows up as an option and seems to install without any problems but when the computer boots up it's just not there. I've checked the SMSTS.log and don't really see anything that would indicate an error but I guess I could copy the log to here. I did have the source files up on a network share that didn't have the correct read rights which I fixed, and I did notice that someone earlier had built a Lync stand alone installer using the same setup.exe /admin options file which I had to delete to get mine working. The strange thing is that the installer does work, if you go into the software center you can install it and run it fine as a user.

Wicaeed
Feb 8, 2005
Looking at secpol.msc, I know that if a policy has a computer icon that means that that specific policy is being controlled by a GPO.

When you assign a user to the permission to log on as a service through a GPO, does it overwrite or add to the existing permissioned users that can hold that privilege?

Zaepho
Oct 31, 2013

BaseballPCHiker posted:

So I'm at a loss here with getting Office 2013 to install as part of our lite touch deployment. I've got the application imported into SCCM. Ran the setup.exe /admin to make sure it installs silently without any user notice and gets our correct license key. It shows up as an option and seems to install without any problems but when the computer boots up it's just not there. I've checked the SMSTS.log and don't really see anything that would indicate an error but I guess I could copy the log to here. I did have the source files up on a network share that didn't have the correct read rights which I fixed, and I did notice that someone earlier had built a Lync stand alone installer using the same setup.exe /admin options file which I had to delete to get mine working. The strange thing is that the installer does work, if you go into the software center you can install it and run it fine as a user.

Did you add a step to the task sequence to install the App? If it's showing up available to be installed in software center, it would seem like the TS hasn't even tried to install it.

Also, make sure there is an Apply Updates step or 2 after all apps have been installed. It helps make sure things are really really patched when you're done.

jaegerx
Sep 10, 2012

Maybe this post will get me on your ignore list!


Sorry if this has been asked before. I've been tasked with adding windows into our environment and like a good *nix admin I immediately want to throw config management on them. How is puppet on windows?

CLAM DOWN
Feb 13, 2007




jaegerx posted:

Sorry if this has been asked before. I've been tasked with adding windows into our environment and like a good *nix admin I immediately want to throw config management on them. How is puppet on windows?

I've heard not very good, we're supposed to be testing it here in the coming months though. It looks like it has basic config management, but nothing remotely as powerful as MS tools. Can you use AD/SCCM/SCOM/SCORCH?

Wicaeed
Feb 8, 2005
Maybe Powershell DSC as well?

Honestly I have 0 experience with it, but I've heard it's supposed to be quite neat.

CLAM DOWN
Feb 13, 2007




Wicaeed posted:

Maybe Powershell DSC as well?

Honestly I have 0 experience with it, but I've heard it's supposed to be quite neat.

The Powershell 5.0 preview DSC stuff is rad, I've been playing around with it.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
I have a friend that works at MS, and he keeps harping on Puppet with DSC.

BaseballPCHiker
Jan 16, 2006

Zaepho posted:

Did you add a step to the task sequence to install the App? If it's showing up available to be installed in software center, it would seem like the TS hasn't even tried to install it.

Also, make sure there is an Apply Updates step or 2 after all apps have been installed. It helps make sure things are really really patched when you're done.

I had that checked and the apply updates. I got it working but can't for the life of me figure out what difference this would've made. So the application which I tested and installed fine through software center wouldn't work during my lite touch deployment. So on a whim I made it into a package and added it to the install apps task sequence. Totally works fine now. Why it wouldn't work as an application but works as a package is beyond me. It's using the same source files and installer.

Zaepho
Oct 31, 2013

BaseballPCHiker posted:

I had that checked and the apply updates. I got it working but can't for the life of me figure out what difference this would've made. So the application which I tested and installed fine through software center wouldn't work during my lite touch deployment. So on a whim I made it into a package and added it to the install apps task sequence. Totally works fine now. Why it wouldn't work as an application but works as a package is beyond me. It's using the same source files and installer.

SCCM 2012 SP1 or 2012 R2? There is a bug in SP1 that apps don't apply properly during task sequence installs. It's fixed in one of the CUs but the client is the non CU version during a TS and you have to take a bunch of steps to update it to make it work right. It's a bit fuzzy since it's been a while since I messed with that but I recall it being a lot of time and effort to get working.

The short story is R2 is better.

Docjowles
Apr 9, 2009

Supposedly Chef has really been going all-in on Windows/DSC support but I don't use it myself so I can't confirm. Doesn't really help if you're a Puppet shop anyway.

Honestly most of the config management tools come from *nix-land with Windows support poorly shoehorned in. I tend to agree with CLAM DOWN, see how far native tools like Group Policy can take you. Then if they're not enough, look at SCCM if you can get a budget for it. I'd only look at Puppet as a last resort.

Mierdaan
Sep 14, 2004

Pillbug
How boned am I, trying to get .NET 3.5 onto a Server 2008 RTM Core server? I'm trying to get the AppAssure agent installed on a production file server, which I think is bundled with .NET 4 and obviously errors out. 3.5 should work (I think) but I can't get it to install.

Even downloading the full package, I get an error on installation:

code:
[09/07/14,13:08:35] Optional Component 'Microsoft .Net Framework 3.0': [2] Error code 1168 for this component means "Element not found."
[09/07/14,13:08:35] Optional Component 'Microsoft .Net Framework 3.0': [2] Component Optional Component 'Microsoft .Net Framework 3.0' returned an unexpected value.
[09/07/14,13:08:35] Optional Component 'Microsoft .Net Framework 3.0': [2] Return from system messaging: Element not found.
[09/07/14,13:08:36] WapUI: [2] DepCheck indicates Optional Component 'Microsoft .Net Framework 3.0' is not installed.

The .NET 3.5 installer should install the 3.0 framework, if it's not installed already, by calling

code:
%windir%\system32\OCSetup.exe NetFx3 /quiet /norestart

If I do that manually, or if it's done as part of the .NET 3.5 installer, I get this error in the Setup event log:

code:
Log Name:      Setup
Source:        Microsoft-Windows-OcSetup
Date:          9/7/2014 1:11:12 PM
Event ID:      4
Task Category: None
Level:         Error
Keywords:      
User:          domain\admin
Computer:      fileserver.domain.local
Description:
The Windows component could not be configured because of an error: 1168 "Element not found." (Command line: "OCsetup.exe  NetFx3 /quiet /norestart")

Don't know where to go from here though.

Mierdaan fucked around with this message at 01:07 on Sep 8, 2014

Number19
May 14, 2003

HOCKEY OWNS
FUCK YEAH


The .NET Framework is a component of Server 2008/2008 R2. You have to use DISM to install it:

32-bit: DISM /online /enable-feature /featurename:NetFx3-ServerCore-WOW64
64-bit: DISM /online /enable-feature /featurename:NetFx3-ServerCore

Number19 fucked around with this message at 21:55 on Sep 7, 2014

Mierdaan
Sep 14, 2004

Pillbug

Number19 posted:

The .NET Framework is a component of Server 2008/2008 R2. You have to use DISM to install it:

32-bit: DISM /online /enable-feature /featurename:NetFx3-ServerCore-WOW64
64-bit: DISM /online /enable-feature /featurename:NetFx3-ServerCore

DISM looks like it was included with Win7/Server2008R2 - I don't seem to have it installed on this Server 2008 RTM box. I'll try downloading the WAIK and installing it - thanks.

edit: can't install the WAIK due to not having .NET 2.0 installed :smith:

Mierdaan fucked around with this message at 01:56 on Sep 8, 2014

Number19
May 14, 2003

HOCKEY OWNS
FUCK YEAH


Oh that's right 2008 is different. I skipped that one entirely so I keep forgetting how different 2008 and R2 are.

According to this post:

http://social.msdn.microsoft.com/Fo...orum=netfxsetup

that error seems to indicate some form of OS corruption. That post is talking about Vista though and it might be different on 2008.

Number19 fucked around with this message at 02:07 on Sep 8, 2014

Demie
Apr 2, 2004

Mierdaan posted:

The Windows component could not be configured because of an error: 1168 "Element not found." (Command line: "OCsetup.exe NetFx3 /quiet /norestart")

I have never touched Server 2008, but I know that on 2008 R2 and above, the actual file content for the .Net feature is on the CD. With that kind of error code, I think it's complaining that it can't find those files. If you install using DISM, the command line should direct it to the \sources\sxs\ folder on the disc. I don't know why MS does this, but you're not the first person to be frustrated by it.

If you're only having trouble with this one server, try installing it as a Windows feature through the control panel. It will probably ask for the disc.

TheEffect
Aug 12, 2013
Does anyone know why Crystal Reports would run successfully for as long as I can remember but when I changed the format today to PDF now ALL of my reports fail due to a "Database Connector Error", regardless of format?


Orcs and Ostriches
Aug 26, 2010


The Great Twist

TheEffect posted:

Does anyone know why Crystal Reports would run successfully for as long as I can remember but when I changed the format today to PDF now ALL of my reports fail due to a "Database Connector Error", regardless of format?

It's a garbage program made by garbage humans?

Don't know if this is the case, but any time I need to interact with it I get violently ill from frustration.
