mewse
May 2, 2006


Nope :smith:

These guys installed 2013 against policy anyway so I'll wash my hands of it


Thanks Ants
May 21, 2004

#essereFerrari


Chances of it actually being a 365 subscription?

kzin602
May 14, 2007




Grimey Drawer

FISHMANPET posted:

Is it Enterprise Windows? Do you have a question? Is it Enterprise related (hint: AD is). Do you hate Small Business Server Forever? Then join us!

This is a long one...

About 5 years ago, I was hired on as 'the computer guy' for a company with ~50 employees, we had a corporate office with 8 or so people and a handful of retail locations, each location having 3-5 employees. When I was brought on, everything was a mess...

Employees just used a local admin account on their machine, and being admins, they would constantly mess up machines, install viruses, ransomware, etc. Outlook was just set up to POP emails out of a GoDaddy account, so when the computer inevitably succumbed to viruses, all the emails would just be gone.

I got a LogMeIn account, got it onto all the machines, created a separate admin account and then made local non-admin accounts for employees. There was an initial storm of complaints about not being able to install software or change certain settings, but that eventually died down. This transition met a large amount of resistance; I had to demonstrate that we were spending more than $1500 a month on service calls to have computers recovered or cleaned.

Over the next couple of years, I migrated all company email to IMAP, developed IT policy, wrote a few internal applications, and found better vendors for almost every service, from web hosting to Internet to phones. I've probably saved the company tens of thousands of dollars just on equipment costs every year. I eventually migrated all company email off of GoDaddy and onto Office 365, along with replacing retail copies of Office with subscriptions. GoDaddy's email service is terrible, and their customer support is non-existent; emails taking an hour plus to arrive was considered a normal SLA for them.

Over the years, the company has grown: we have 20 people here at HQ, almost 20 retail offices, and a couple of other support branches, with just over 150 employees total... and this brings me to my question, because I can't seem to find a straightforward answer or even know if this is possible.

Bear with me because I probably have a misunderstanding of these technologies, so I may be using the wrong terminology, or expecting something that is not possible. As it is now, when we hire an employee, I remote into their assigned machine and, as an admin, create a local normal windows user account. I assign the user a password, and tag the account as 'cannot change password', then on the employees start date, I relay that password to the employee. I also create an account for them in Office365.

I would like to have some way to centrally manage Windows logons. It is my understanding that AD is the way to do this, and I've even set up such a system in my own home as an exercise to make sure I was barking up the right tree; the issue is that our sales centers are all remote. And by remote I mean in the boonies; as such, I don't trust them to have a server on site and not bury it under papers or keep it dusted. In addition, I don't know if their connectivity is good enough to really support a traditional VPN.

It is my understanding that I need to have an on-premises AD server that replicates AD data from a central controller? Is there any way to make this a 'cloud' or Azure-hosted system? I don't want full roaming profiles, just for Windows to authenticate. We use Office 365 for almost everything, so there's not going to be much data that is local only. I would think that what I'm asking for is not really that outlandish, but I'm not sure I'm searching for the right things. I looked into Hamachi, but posts on their forums indicate that AD is not reliable over Hamachi.

devmd01
Mar 7, 2006

Elektronik
Supersonik
:stonk:

You don't have to have a server onsite, just network connectivity via site-to-site VPN or MPLS. If the site link goes down, the credentials are cached locally for that user.
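The cached-credential behaviour devmd01 describes is governed by one Winlogon setting, and it is worth auditing on a branch PC before relying on it. The script below is an added example, not devmd01's or anyone else's code from the thread; it assumes an elevated PowerShell on a domain-joined Windows 7 or later machine and uses only the standard Winlogon registry value and the Test-ComputerSecureChannel cmdlet.

```powershell
# Added example: check whether a branch PC can keep logging domain users on
# when the site-to-site VPN/MPLS link to the domain controllers is down.
# Assumed: run elevated on a domain-joined Windows 7+ client.

$cs = Get-WmiObject -Class Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning "This machine is not domain-joined; cached domain logons do not apply."
    return
}

# 1. Is a DC reachable right now? (The secure-channel test needs the site link up.)
$dcReachable = $false
try { $dcReachable = Test-ComputerSecureChannel -ErrorAction Stop } catch { }
"Domain: $($cs.Domain)   DC reachable now: $dcReachable"

# 2. How many distinct users will Windows log on from cache while the link is down?
#    Group Policy name: 'Interactive logon: Number of previous logons to cache'.
#    Default is 10 when the value is absent; 0 disables caching entirely; maximum 50.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$prop   = Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue
$cached = if ($prop) { [int]$prop.CachedLogonsCount } else { 10 }
"CachedLogonsCount: $cached"

if ($cached -eq 0) {
    Write-Warning "Caching is disabled: nobody can log on to this PC while the DC link is down."
} elseif ($cached -lt 3) {
    Write-Warning "Only $cached cached logons; on a PC shared by more staff the rest are locked out offline."
}

# 3. Optional: cap the cache at what the site actually needs. A retail PC shared by
#    3-5 staff needs about 5; a larger number keeps more password verifiers on disk
#    than the site requires, so keep it as small as the head count allows.
# Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value '5'
```

Run it once with the link up (step 1 should report True) and once with the tunnel deliberately dropped; the second run is the real test of whether the branch survives a WAN outage.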

vanity slug
Jul 20, 2010

We're currently running Symantec Endpoint Protection and as this thread knows, Symantec is the great Satan and I'd like to get rid of them by the end of the contract this year. I've had good experiences with Forefront at a previous employer, the problem is that we don't have any System Center licenses at work right now. Can we just get FEP client licenses (saving SCCM client licenses for next year)?

Ugh I never had to worry about licensing before :(

kzin602
May 14, 2007




Grimey Drawer

devmd01 posted:

:stonk:

You don't have to have a server onsite, just network connectivity via site-to-site VPN or MPLS. If the site link goes down, the credentials are cached locally for that user.

That was my understanding, as employees are almost never actually moving from one machine to another. That was why I was hoping for some kind of remote hosted solution: we have Azure Directory included with Office 365, and even a Windows 2008 server that can have the AD roles added. The issue becomes how you tell Windows to authenticate against those remote systems, as you would normally need to have an on-site AD server providing DNS.

kzin602 fucked around with this message at 22:05 on Apr 14, 2015

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from
I'll tell you how we got a bunch of computers that lived on another org's network to be managed on our domain.

We set these computers up to dial in to a VPN on startup (a batch file calling rasdial, dialing in to a VPN connection pushed via GPO), and since they had a private VPN back into our network they acted as if they were on our network. Now we could process logins, map drives and give access to resources on our network while they technically were not on it.

It's not the perfect solution, but it works.
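The dial-on-startup approach hihifellow describes is easy to get half right: the tunnel comes up, but nothing checks that a domain controller is actually reachable through it before the logon screen appears. The script below is an added example, not hihifellow's batch file; it assumes a VPN phonebook entry named 'CorpVPN' has already been pushed to the machine (the assumed name), that it runs as a computer startup script in the machine context, and that the entry authenticates with a machine certificate so no password has to be stored in the script. 'ad.example.com' is a placeholder for the AD DNS name.

```powershell
# Added example: dial a pre-provisioned VPN entry at startup, retry a few times,
# then confirm the tunnel actually reaches a domain controller.
# Assumed: entry 'CorpVPN' exists (pushed by GPO) and uses a machine certificate,
# so 'rasdial' needs no username/password here.

$entry    = 'CorpVPN'          # assumed phonebook entry name
$domain   = 'ad.example.com'   # placeholder AD DNS name
$maxTries = 5
$log      = Join-Path $env:ProgramData 'vpn-startup.log'

function Test-VpnUp {
    # 'rasdial' with no arguments prints the active connection names, one per line.
    $active = rasdial 2>&1 | ForEach-Object { "$_".Trim() }
    return ($active -contains $entry)
}

for ($i = 1; $i -le $maxTries; $i++) {
    if (Test-VpnUp) { break }
    rasdial $entry 2>&1 | Out-Null   # dial using the entry's own (certificate) credentials
    Start-Sleep -Seconds 10
}

if (-not (Test-VpnUp)) {
    Add-Content -Path $log -Value "$(Get-Date -Format s) VPN '$entry' not up after $maxTries tries"
    exit 1
}

# The tunnel is up; now prove a DC can be located through it (DC locator, not just ping).
$dcOut = nltest "/dsgetdc:$domain" 2>&1
if ($LASTEXITCODE -eq 0) {
    $dcLine = ($dcOut | Select-String 'DC:') -join ''
    Add-Content -Path $log -Value "$(Get-Date -Format s) VPN up, located $dcLine"
    exit 0
} else {
    Add-Content -Path $log -Value "$(Get-Date -Format s) VPN up but no DC found for $domain"
    exit 2
}
```

Because this runs before any user logs on, the DC check has to succeed for Group Policy and domain logons to work normally; if only the rasdial step succeeds, the log line tells you the problem is DNS or routing inside the tunnel rather than the tunnel itself.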

Thanks Ants
May 21, 2004

#essereFerrari


Pick an ISP that you are happy with dealing with - it might even be your current provider. When the contracts at your remote locations come up for renewal, move them onto the same ISP and let the ISP handle the L2 VPN for you (MPLS/VPLS). This can work over ADSL if you really can't get anything better, and there's no firewall configuration to mess around with (at least, not that would be your responsibility). This would get all the locations onto "your" network.

If that's not going to work for cost reasons then seriously consider deploying Meraki network hardware to these branch locations - you can create a VPN tunnel with one-click and have cloud-based insight and management into the networking requirements of all your locations on one dashboard. They aren't massively feature rich but it's perfect for your use case. Once you have the VPN in place then you can bind computers to AD for policies, central management of accounts etc.

nexxai
Jul 17, 2002

quack quack bjork
Fun Shoe

Thanks Ants posted:

This can work over ADSL if you really can't get anything better, and there's no firewall configuration to mess around with (at least, not that would be your responsibility). This would get all the locations onto "your" network.

Why even do that? If you're going the "cheapy" route, just set up a VPN tunnel from each location (via the router at each location) pointing back to your main office. That gets everyone on-net and you don't have to wait for contracts to renew.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


Should you ever use domain.local anymore? I'm pretty confident that one should not but I'm not an expert either.

Orcs and Ostriches
Aug 26, 2010


The Great Twist
Microsoft best practices says no, and a bunch of apple poo poo uses .local so it'll probably cause conflicts if they ever come together.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


Orcs and Ostriches posted:

Microsoft best practices says no, and a bunch of apple poo poo uses .local so it'll probably cause conflicts if they ever come together.

Do you have a link to a official white paper?

Moey
Oct 22, 2010

I LIKE TO MOVE IT

Tab8715 posted:

Do you have a link to a official white paper?

Scroll down to the caution box. Use a subdomain of something you own. ad.contoso.com

https://technet.microsoft.com/en-us/library/cc726016%28v=ws.10%29.aspx/

Thanks Ants
May 21, 2004

#essereFerrari


nexxai posted:

Why even do that? If you're going the "cheapy" route, just set up a VPN tunnel from each location (via the router at each location) pointing back to your main office. That gets everyone on-net and you don't have to wait for contracts to renew.

In my experience it provides more consistent performance and makes a huge difference on low-bandwidth connections. You are no longer linking sites to each other over the Internet, with all the potential bottlenecks or congestion that can occur. Everything is contained within your provider's network, and they are in a position to offer quality assurances that you won't get on Internet traffic.

socialsecurity
Aug 30, 2003

Pretty much what you want is not quite there yet, it's coming with Windows 10 letting you auth straight from Azure AD but anything else at this point is going to be a mess of workarounds and VPN/Tunnels.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


Moey posted:

Scroll down to the caution box. Use a subdomain of something you own. ad.contoso.com

https://technet.microsoft.com/en-us/library/cc726016%28v=ws.10%29.aspx/

That's good but why the change after so long? Also, what potentially breaks?

Nebulis01
Dec 30, 2003
Technical Support Ninny

Tab8715 posted:

That's good but why the change after so long? Also, what potentially breaks?

It's been non-recommended practice since at least 2008. It has a lot to do with publicly available servers and certificate services. As of last year you can't get a certificate with a non-publicly-reachable FQDN in the CN or SAN.

Tony Montana
Aug 6, 2005

by FactsAreUseless
OK, I cloned (not properly using the actual method, which requires access to the PDC Emulator at all times) a prod DC into an ESX 'bubble' which is disconnected from the prod network for testing.

It's basically restoring a snapshot. The plan is I can then use it for various testing and stuff. The idea was to get it restored, seize the FSMO roles (operations master roles, for those newer to the game) and then use it as the DC in my test network. Set its DNS to look to itself and yeah... that might work.

This is Server 2012. So the FSMO seize worked, but AD is broken and it's acting as if it's not a domain controller. Now Server 2012, through the Generation ID attribute which is exposed in VMware (5.5 is our prod), knows that it's been cloned and it's not the VM it was. This kicks off the 'Directory Security' features which were recently introduced, but that shouldn't prevent it operating as a DC. However, I'm getting some errors in the DNS logs about AD being broken so DNS can't start properly, and AD logs about DNS being broken so it can't start properly.

Before I mess around with it again and try to tease out what I'm missing, does anyone know a step I might have missed? I updated the DNS server config, pulling out the forwarders it can't access (any of them, because it's an 'air-gapped' bubble). Running a dcdiag, it has a poo poo about all the DCs it can't now see, but it says it's OK and it passes the DNS tests.

vanity slug
Jul 20, 2010

Nebulis01 posted:

It's been non-recommended practice since at least 2008. It has a lot to do with publicly available servers and certificate services. As of last year you can't get a certificate with a non-publicly-reachable FQDN in the CN or SAN.

Can't wait to register the .local TLD!

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

Potato Salad posted:

" I guess in operation CommVault does a standard OS level file copy of these files within the same drive. In our case from J: to J:. (I'm not the backup guy so this is all secondhand). If I do a drag and drop in the GUI of these same files it's pretty fast for the big files, and then when it gets to all the tiny files the speed nosedives. "

This is the critical part of your original email. It sounds like CommVault is doing its own backup of its database before running: 90 GB comprised of thousands upon thousands of files...

Ask Commvault if they can do a DB consolidation (many files --> fewer files). I'm trying to make sense of their whitepapers; at an absolutely topical level, it looks like they use a proprietary application database. If the DB is fragmented into a bajillion little files, perhaps they have a re-consolidation tool? It may be worth asking.

Edit: If CommVault is citing stats related to "90 GB of data across a small handful of files," that would be a far cry from "90 GB of data with thousands of files." It comes back to the filesystem being asked to do the copying of thousands of files. That's monstrously inefficient, and it is the bottleneck.

So I had a meeting with the backup guy, and I made the assumption that whatever we were doing is a normal thing that other customers are doing just fine.

Turns out we're using unreleased features in a basically experimental configuration. So gently caress me. People keep telling me this backup guy is a poo poo, I think they're right.

orange sky
May 7, 2007

Do domain trusts work as they should or is it a huge clusterfuck?

We have a VMM and App Controller on our lab domain (domain lab.local) and we want to allow our main domain (domain company.local) users to access the App Controller resources so we're thinking of building a trust relationship.

However, I don't know if I can use security groups from company.local to grant rights in VMM/App Controller. Has anyone done this? Does it work seamlessly?

devmd01
Mar 7, 2006

Elektronik
Supersonik
As they should, yes, yes. My environment has 5 different forest trusts (sister companies whose IT infrastructures we're merging), and we have lots of cross-domain auth set up, particularly for shared SSRS and a couple of file shares. Jump back a page and look at the issue I had yesterday; make sure your _msdcs.domain.suffix zones get replicated to each domain's DNS servers.
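The _msdcs replication point devmd01 makes is the one that most often turns a "trust is broken" ticket into a DNS ticket: each forest's DNS servers must resolve the other forest's DC-locator SRV records before cross-domain group lookups work. The script below is an added example, not devmd01's or orange sky's code; it assumes an admin workstation or DC with the DnsClient and ActiveDirectory modules (Windows 8 / Server 2012 or later), and the two DNS server addresses are placeholders.

```powershell
# Added example: before and after creating a forest trust between lab.local and
# company.local, verify each side's DNS can resolve the other forest's DC locator
# records, then list the trust's properties and check it from the command line.
# Assumed: DnsClient + ActiveDirectory modules available; DNS IPs below are placeholders.

$forests = @{
    'lab.local'     = '10.0.0.10'   # placeholder DNS server in the lab forest
    'company.local' = '10.1.0.10'   # placeholder DNS server in the main forest
}

foreach ($local in $forests.Keys) {
    foreach ($remote in $forests.Keys) {
        if ($local -eq $remote) { continue }
        # The DC-locator SRV record a trust partner must be able to resolve.
        $srv = "_ldap._tcp.dc._msdcs.$remote"
        try {
            $rec = Resolve-DnsName -Name $srv -Type SRV -Server $forests[$local] -ErrorAction Stop
            $targets = ($rec | Where-Object Type -eq 'SRV').NameTarget -join ', '
            "{0} DNS resolves {1} -> {2}" -f $local, $srv, $targets
        } catch {
            Write-Warning ("{0} DNS cannot resolve {1}: add a conditional forwarder or " +
                           "stub zone for _msdcs.{2} on that forest's DNS servers") -f $local, $srv, $remote
        }
    }
}

# Once the trust exists: confirm direction and transitivity, and whether selective
# authentication is on (it limits which company.local principals can use lab resources,
# which matters when you plan to grant VMM rights to company.local security groups).
Import-Module ActiveDirectory
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication

# Plain-text view of the same trusts as seen by Netlogon on this machine.
nltest /trusted_domains
```

Run the DNS half from a DC in each forest (point -Server at that forest's own DNS) rather than from one central box, since a forwarder that exists on one side and not the other is exactly the asymmetric failure that shows up as "the trust works from here but not from there".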

orange sky
May 7, 2007

devmd01 posted:

As they should, yes, yes. My environment has 5 different forest trusts (sister companies whose IT infrastructures we're merging), and we have lots of cross-domain auth set up, particularly for shared SSRS and a couple of file shares. Jump back a page and look at the issue I had yesterday; make sure your _msdcs.domain.suffix zones get replicated to each domain's DNS servers.

Cool, thanks a lot. :)

TehRedWheelbarrow
Mar 16, 2011



Fan of Britches

kzin602 posted:

LOGIN THINGIES

You could just set up a baby Server 2012, sync AD with Office 365 and be done with your problem. (Not saying it's best; don't try to change passwords or do multiple authentication changes before replication. ASK ME HOW I KNOW.....)

edit*

I guess I implied joining machines to the domain, vaguely. And VPN is p darn easy to set up just for purposes of authentication.

TehRedWheelbarrow fucked around with this message at 13:05 on Apr 15, 2015

Zaepho
Oct 31, 2013

Tony Montana posted:

This is Server 2012. So the FSMO seize worked, but AD is broken and it's acting as if it's not a domain controller. Now Server 2012, through the Generation ID attribute which is exposed in VMware (5.5 is our prod), knows that it's been cloned and it's not the VM it was. This kicks off the 'Directory Security' features which were recently introduced, but that shouldn't prevent it operating as a DC. However, I'm getting some errors in the DNS logs about AD being broken so DNS can't start properly, and AD logs about DNS being broken so it can't start properly.

Before I mess around with it again and try to tease out what I'm missing, does anyone know a step I might have missed? I updated the DNS server config, pulling out the forwarders it can't access (any of them, because it's an 'air-gapped' bubble). Running a dcdiag, it has a poo poo about all the DCs it can't now see, but it says it's OK and it passes the DNS tests.

Keep calm and ignore it for half an hour or so. AD does this crazy thing where it tries to do an initial sync from another DC after it boots up, before it starts acting as a DC. Add to that the fact that DNS won't start until AD does, and you're in for a good time! After about half an hour AD gives up trying an initial sync and starts, allowing DNS to start up as well. Clean out the rest of the domain controllers in your "new" lab domain and you should be able to avoid the start-up delay in the future.
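The wait Zaepho describes leaves a trail in the Directory Service log, and there are two ways past it: the documented NTDS registry value that tells an isolated DC not to require an initial sync, and the durable fix of removing the DCs the lab can never reach. The script below is an added example and not Zaepho's or Tony Montana's procedure; it assumes it runs elevated on the lab DC, that the lab forest is 'lab.local' and 'DC02' is one of the unreachable production DCs (both placeholders), and it uses the 'Repl Perform Initial Synchronizations' value, event ID 2092, ntdsutil and dcdiag as Microsoft documents them.

```powershell
# Added example: diagnose and clear the post-boot "initial sync" wait on a DC that was
# restored into an isolated lab. Assumed: run elevated on the lab DC; 'lab.local' and
# 'DC02' are placeholders for the lab forest and an unreachable production DC.

# 1. Evidence of the wait: Directory Service event 2092 says this DC holds a FSMO role
#    but will not consider it valid until it completes initial replication with a partner.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2092 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }

# 2. Lab-only shortcut: let NTDS advertise as a DC without an initial sync.
#    On a production DC this protection is what stops a stale, restored DC from serving
#    old data, so never set it there; in an air-gapped bubble there is no partner anyway.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
Set-ItemProperty -Path $ntds -Name 'Repl Perform Initial Synchronizations' -Value 0 -Type DWord

# 3. Durable fix: list the DCs the directory still knows about, then remove the dead ones
#    so nothing waits on them. The nTDSDSA objects live under CN=Sites in the config NC.
Import-Module ActiveDirectory
Get-ADObject -Filter 'objectClass -eq "nTDSDSA"' -SearchBase (Get-ADRootDSE).configurationNamingContext |
    Select-Object -ExpandProperty DistinguishedName
# For each DC that no longer exists in the lab (placeholder DN shown):
# ntdsutil "metadata cleanup" "remove selected server CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lab,DC=local" q q

# 4. Re-register this DC's own locator records and re-run the two tests that were failing,
#    so DNS and AD stop blaming each other.
Restart-Service Netlogon
ipconfig /registerdns | Out-Null
dcdiag /test:DNS /test:Advertising
```

Step 2 is the one to treat with care: it is appropriate precisely because the bubble is disconnected, and removing the stale DC objects in step 3 is what keeps the lab healthy across future reboots without it.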

m.hache
Dec 1, 2004


Fun Shoe
Well, this is nifty.

https://technet.microsoft.com/library/security/MS15-034

CLAM DOWN
Feb 13, 2007





ahahahaha gently caress me where's the liquor

Sacred Cow
Aug 13, 2007
Any of you SCCM guys have any luck getting a Mac to enroll? I can't get my SCCM server to trust its own loving certs. I've even been working with a PFE that can't get this poo poo to work in a greenfield lab.

I'm ready to just try getting my boss to convince the client to use Parallels instead.

Potato Salad
Oct 23, 2014

nobody cares


Skype for Business is out. This "intuitive design" that is "familiar to existing Skype users" is a glorified reskin of Lync done as bad as possible. Tabs don't clearly separate themselves. Elements of the UI flash huge color changes at you on brief hover-over (not subtle -- like hovering over elements in Office 2013), and absolutely none of the windowing, icons, grouping, lists, etc etc from Skype are carried over.

Mind, I have no stake in it. It's just an illustriously awful result for something lauded to merge the look and feel of Skype and Lync.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Our users love it, the emojis are animated

vanity slug
Jul 20, 2010

skipdogg posted:

Our users love it, the emojis are animated

You can also create a guy fisting a goat now with the emojis. 10/10, at least they don't suck up CPU usage anymore!

And yeah, it was only about halfway through development that they bothered to actually rename it to Skype for Business instead of Lync (we beta-tested (TAP) it).

chocolateTHUNDER
Jul 19, 2008

GIVE ME ALL YOUR FREE AGENTS

ALL OF THEM

Potato Salad posted:

Skype for Business is out. This "intuitive design" that is "familiar to existing Skype users" is a glorified reskin of Lync done as bad as possible. Tabs don't clearly separate themselves. Elements of the UI flash huge color changes at you on brief hover-over (not subtle -- like hovering over elements in Office 2013), and absolutely none of the windowing, icons, grouping, lists, etc etc from Skype are carried over.

Mind, I have no stake in it. It's just an illustriously awful result for something lauded to merge the look and feel of Skype and Lync.

So pretty much what everyone thought was going to happen. No surprise here! :v:

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy
Do they at least fix any of the bullshit restrictions I was having with Lync on Office 365, such as:

1) no more than 200 contacts in a group

2) you can only add a Skype user to your Lync contact list if it was originally created with a Microsoft account as opposed to a Skype account

3) no way to centrally add user pictures as an admin on O365 portal

Also, I'm in the portal.office.com admin portal and there's still no place to download it, it still only shows Lync.

Gerdalti
May 24, 2003

SPOON!

Zero VGS posted:

Do they at least fix any of the bullshit restrictions I was having with Lync on Office 365, such as:

1) no more than 200 contacts in a group

2) you can only add a Skype user to your Lync contact list if it was originally created with a Microsoft account as opposed to a Skype account

3) no way to centrally add user pictures as an admin on O365 portal

Also, I'm in the portal.office.com admin portal and there's still no place to download it, it still only shows Lync.

I can only answer the question you didn't really ask. Download lync, it's a new installer and is the new Skype version.

Dans Macabre
Apr 24, 2004


Zero VGS posted:

Do they at least fix any of the bullshit restrictions I was having with Lync on Office 365, such as:

1) no more than 200 contacts in a group

2) you can only add a Skype user to your Lync contact list if it was originally created with a Microsoft account as opposed to a Skype account

3) no way to centrally add user pictures as an admin on O365 portal

Also, I'm in the portal.office.com admin portal and there's still no place to download it, it still only shows Lync.

For #3 I assume you can do it in PowerShell like I've been doing in Exchange (on-prem).
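For the on-prem route Dans Macabre alludes to, the Exchange 2013 Set-UserPhoto cmdlet takes the raw image bytes, so a folder of JPEGs named after each user's account is all the input needed. The script below is an added example, not Dans Macabre's own script; it assumes an Exchange management session is already open (the Exchange Management Shell on-prem, or a remote session to Exchange Online, where the same cmdlet exists), that files are named <samAccountName>.jpg, and C:\Photos is a placeholder path.

```powershell
# Added example: set user photos centrally from a folder of JPEGs named <samAccountName>.jpg.
# Assumed: an Exchange (2013+ on-prem or Online) management session is already open;
# C:\Photos is a placeholder path.

$photoDir = 'C:\Photos'

Get-ChildItem -Path $photoDir -Filter '*.jpg' | ForEach-Object {
    $user = $_.BaseName

    # Skip files that do not match a mailbox instead of letting the cmdlet error out mid-run.
    if (-not (Get-Mailbox -Identity $user -ErrorAction SilentlyContinue)) {
        Write-Warning "No mailbox for '$user'; skipping $($_.Name)"
        return
    }

    # Set-UserPhoto wants the image as a byte array, not a path.
    $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
    Set-UserPhoto -Identity $user -PictureData $bytes -Confirm:$false
    "Set photo for {0} ({1} KB)" -f $user, [math]::Round($bytes.Length / 1KB)
}
```

Keep the source folder under change control: whoever can write to it can change what every user's face looks like in Outlook and Lync/Skype, so it deserves the same ACLs as any other HR-fed data.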

Potato Salad
Oct 23, 2014

nobody cares


We're able to do #3 in our environment, but only as a black-magic hack somehow running alongside ADFS.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


I think it's dumb they named it Skype for Business. Why not just kill Skype or Lync and eliminate the other product?

Wicaeed
Feb 8, 2005
With MDT 2013, is there any way to re-run portions of a deployment to see if fixes you have put in work correctly, without re running the deployment from scratch?

Potato Salad
Oct 23, 2014

nobody cares


For better or worse, MS decided long ago to name their Skype products by platform. There's Skype for Android, Skype for iPhone, Skype for Desktop, Skype for Business....

If you're on 8.1 or later, you'll notice that the non-RT/metro version of Skype was named "Skype for Desktop" from the outset. Even in Windows 7 Enterprise, updates for the Skype desktop client are named as, "Update for Skype for Desktop."


Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


Good god that just seems redundant.

Also, while Lync/Skype are relatively good for messaging there are so many other solutions that are just as good if not better - Oracle Beehive?

It still irks me you can't copy/paste a picture into Lync.
