Mully Clown
Aug 1, 2004

I handle my piss like the great big frilly girls blouse that I am

GobiasIndustries posted:

I've been getting the following error recently in my home lab: "the security database on the server does not have a computer account for this workstation trust relationship" when I try to log into my client VM (Windows Server 2012 R2 server and Windows 8.1 client); I was able to log into the VM after disconnecting the ethernet on my server, where do I start looking to resolve this? It happened with both my main user account and the Administrator account.

Reverting VM snapshots? If so your machine account passwords don't match. Disconnect network, sign in, connect network, re-join domain, all go again.

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006764
https://support.microsoft.com/en-us/kb/295049

It's possible to disable these password updates in a lab environment where you're reverting snapshots a lot.

peak debt
Mar 11, 2001
b& :(
Nap Ghost

GobiasIndustries posted:

I've been getting the following error recently in my home lab: "the security database on the server does not have a computer account for this workstation trust relationship" when I try to log into my client VM (Windows Server 2012 R2 server and Windows 8.1 client); I was able to log into the VM after disconnecting the ethernet on my server, where do I start looking to resolve this? It happened with both my main user account and the Administrator account.

Did you maybe restore a snapshot of the client computer from before it updated its computer account password? Then you'll have to rejoin it to the domain. There is a group policy to disable computer account password expiration if you want to avoid that in the future.
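
The machine-account mismatch described in the two replies above can be checked and repaired without a full unjoin/rejoin. The following is an added example, not part of either post; it assumes an elevated PowerShell 3.0+ session on the affected domain member and a domain account permitted to reset the computer object.

```powershell
# Added example (not from the thread): check a domain member's machine-account
# secure channel and the Netlogon settings that control password rotation.
# Run from an elevated PowerShell session on the affected client.

$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$params = Get-ItemProperty -Path $netlogonKey

# When a value is absent the Windows defaults apply:
# password changes enabled (0) and a 30-day maximum machine password age.
$disableChange = 0
if ($null -ne $params.DisablePasswordChange) {
    $disableChange = [int]$params.DisablePasswordChange
}
$maxAgeDays = 30
if ($null -ne $params.MaximumPasswordAge) {
    $maxAgeDays = [int]$params.MaximumPasswordAge
}

# Test-ComputerSecureChannel returns $true when the locally stored machine
# password still matches the computer account in Active Directory.
try {
    $channelOk = Test-ComputerSecureChannel -ErrorAction Stop
} catch {
    Write-Warning "Secure channel test failed: $($_.Exception.Message)"
    $channelOk = $false
}

[pscustomobject]@{
    ComputerName           = $env:COMPUTERNAME
    SecureChannelHealthy   = $channelOk
    PasswordChangeDisabled = [bool]$disableChange
    MaximumPasswordAgeDays = $maxAgeDays
}

if (-not $channelOk) {
    # -Repair resets the machine password against a domain controller,
    # which avoids leaving and re-joining the domain.
    $cred = Get-Credential -Message 'Domain account allowed to reset this computer account'
    if (Test-ComputerSecureChannel -Repair -Credential $cred) {
        Write-Output 'Secure channel repaired.'
    } else {
        Write-Warning 'Repair failed; re-join the domain as described above.'
    }
}

# Lab-only setting for VMs that are reverted to snapshots often. This is the
# registry value behind the "Domain member: Disable machine account password
# changes" policy. It stops rotation of the machine password entirely, so
# leave it commented out anywhere other than a disposable lab.
# New-ItemProperty -Path $netlogonKey -Name DisablePasswordChange `
#     -PropertyType DWord -Value 1 -Force
```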

GobiasIndustries
Dec 14, 2007

Lipstick Apathy
I haven't reverted any snapshots at all, but the passwords for both the Admin and my account expired recently...no idea why that would affect things, but that's the only change I've made to the VM since the problem started. I re-connected the computer to the domain, and even though it's apparently re-creating the Administrator and my personal user accounts for some reason, I'm at least logging in with no issues.

lol internet.
Sep 4, 2007
the internet makes you stupid
Quick question, backup and restoring a SQL database to a different server hostname\instance name shouldn't have any problems, correct? (For a migration\upgrade to 2012 R2)

Erwin
Feb 17, 2006

Agrikk posted:

Wait what?

I know that if you download it from the sourceforge installer thingy there's a weird wrapper on it, but if you click on the "Other Download Options" link you'll get a page with clean installs.

Right? Right!?


edit: Heh. I just clicked on the sourceforge link and it was blocked by my proxy at work:

Reputation Score for cdn.goodfoldercities.com: -7.5

The author is apparently being a dick about it and if the non-sourceforge links don't contain the malware yet, I'm sure they will.

filezilla guy posted:


I'm not sure we have the same understanding of the word sleazy.

Nothing is installed without your consent. All offers are clearly marked as such and can be easily declined. You don't want to use the SourceForge Installer at all? No problem, there's the additional download options.

I see now what you mean by sleazy.
Code:
slea·zy
/ˈslēzē/
adjective
1. (of a person or situation) honest, transparent, giving you lots of options to choose from

Moey
Oct 22, 2010

I LIKE TO MOVE IT

Erwin posted:

The author is apparently being a dick about it and if the non-sourceforge links don't contain the malware yet, I'm sure they will.

I wonder how much money he is making with this crap vs just a donation link somewhere.

Agrikk
Oct 17, 2003

Take care with that! We have not fully ascertained its function, and the ticking is accelerating.

lol internet. posted:

Quick question, backup and restoring a SQL database to a different server hostname\instance name shouldn't have any problems, correct? (For a migration\upgrade to 2012 R2)

You should be fine.

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy
Did anyone see that Microsoft has just announced they'll be treating Ask Toolbar and "similar software" as spyware in MSE/Defender? Could finally spell curtains for all these fuckin' toolbars finally.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

Yeah old news, the latest dats remove it.

kiwid
Sep 30, 2013

We currently have an old as gently caress AD domain, started way back with Windows 2000.

We want to create a new domain and migrate people over to it rather than upgrade the current one. Reasons for this are a lot of ghost DCs, manual ADSI edits, and other general security concerns.

Anyway, our current domain is corp.example.com. I guess I can't really reuse the "corp" domain, so I was wondering what other short but to the point domains you guys use? I was thinking of maybe using internal.example.com, but that's a whole 4 extra characters to type every time I need to use the domain\username login convention.

friendbot2000
May 1, 2011

Not entirely sure if this goes here but I have been tasked with looking into a Microsoft service to deploy on our servers called SPLUNK. This is mostly a research mission because we found it mysteriously on our servers and we are hoping to use it for reporting for logs etc. Has anyone used this service before? And can they give me some info on how easy it is to use, little quirks that could bring the sky down around our ears, that sort of thing.

I am looking at the website for the service now and of course they say it does EVERYTHING and that makes me suspicious that it's poo poo in a pretty GUI package.

Edit: I should clarify that we really want this program to report on logging and production data, just in case I was not clear.

Edit 2: Apologies for all the edits. I keep getting additional information from people. I have been told that the version of SPLUNK that we have access to is the Enterprise edition. Version 6.4.1

friendbot2000 fucked around with this message at 14:55 on Jun 16, 2015

devmd01
Mar 7, 2006

Elektronik
Supersonik
Get a consultant to get you started off right, splunk can get you a ton of data, but if you don't set it up right from the start nobody will use it/care because there's too much noise. I haven't worked with it, but someone I know exclusively consults on splunk and is gone on 1-2 week engagements at a time.

nexxai
Jul 17, 2002

quack quack bjork
Fun Shoe

kiwid posted:

We currently have an old as gently caress AD domain, started way back with Windows 2000.

We want to create a new domain and migrate people over to it rather than upgrade the current one. Reasons for this are a lot of ghost DCs, manual ADSI edits, and other general security concerns.

Anyway, our current domain is corp.example.com. I guess I can't really reuse the "corp" domain, so I was wondering what other short but to the point domains you guys use? I was thinking of maybe using internal.example.com, but that's a whole 4 extra characters to type every time I need to use the domain\username login convention.
"ad.example.com"

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

kiwid posted:

We currently have an old as gently caress AD domain, started way back with Windows 2000.

We want to create a new domain and migrate people over to it rather than upgrade the current one. Reasons for this are a lot of ghost DCs, manual ADSI edits, and other general security concerns.

Anyway, our current domain is corp.example.com. I guess I can't really reuse the "corp" domain, so I was wondering what other short but to the point domains you guys use? I was thinking of maybe using internal.example.com, but that's a whole 4 extra characters to type every time I need to use the domain\username login convention.

ad.company.com works just fine, ds.company.com pretty much whatever. When you bring up the new domain you can choose an appropriate Netbios short name for the domain which is usually the COMPANY\username part you see. Be careful though, you can't use the same Netbios name for the domain if you want to set up a trust and migrate things over.

It's probably COMPANY right now, maybe COMPANYAD will work.

Decent article about naming Active Directory. http://maxmahem.net/wp/active-directory-naming-faq/

friendbot2000
May 1, 2011

Okay. Thanks for the recommendation on getting a consultant. It looks like this thing crunches a lot of data...

kiwid
Sep 30, 2013

skipdogg posted:

ad.company.com works just fine, ds.company.com pretty much whatever. When you bring up the new domain you can choose an appropriate Netbios short name for the domain which is usually the COMPANY\username part you see. Be careful though, you can't use the same Netbios name for the domain if you want to set up a trust and migrate things over.

It's probably COMPANY right now, maybe COMPANYAD will work.

Decent article about naming Active Directory. http://maxmahem.net/wp/active-directory-naming-faq/

Cool, thanks for the article.

mayodreams
Jul 4, 2003


Hello darkness,
my old friend
I got an ~~urgent~~ request to install Office 365 Pro on one of our new 2012 R2 Remote Desktop Services instances yesterday. Things I learned:

1) You cannot specify which applications you want to install from the default Click 2 Run application.
2) You cannot remove applications post install. It is all or nothing.
3) You need to use the office deployment toolkit to download the installer.
4) The config file needs to NOT specify a path to download locally. MS Technet was kinda vague about this. The article said you could specify a different path for download, but I couldn't get it to work.
5) For RDS, you have to put a config flag in for 'shared installation'.
6) Using the config file, you can exclude the applications you don't want.

Annoying, but it's pretty cool in action. User logs into a session and is prompted to authenticate to O365 to activate the E3 license.
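
The six points above, put together as one Office Deployment Tool run. This is an added example, not code from the post; the `C:\ODT` folder, the file name, the 32-bit edition, the language and the particular apps excluded are assumptions chosen for illustration.

```powershell
# Added example (not from the thread): build an Office Deployment Tool config
# for a Remote Desktop Services host and run the download and install steps.
# Assumption: setup.exe from the Office Deployment Tool was extracted to C:\ODT.

$odtDir     = 'C:\ODT'                                   # hypothetical folder
$setup      = Join-Path $odtDir 'setup.exe'
$configPath = Join-Path $odtDir 'rds-configuration.xml'  # hypothetical file name

if (-not (Test-Path $setup)) {
    throw "Office Deployment Tool setup.exe not found in $odtDir"
}

# Point 4: no SourcePath attribute on <Add>, so the source files are
#          downloaded next to setup.exe and installed from there.
# Point 5: SharedComputerLicensing=1 is the shared-installation flag for RDS.
# Point 6: ExcludeApp leaves out the applications that are not wanted
#          (the three listed here are sample choices).
$config = @'
<Configuration>
  <Add OfficeClientEdition="32">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
      <ExcludeApp ID="Access" />
      <ExcludeApp ID="Publisher" />
      <ExcludeApp ID="Groove" />
    </Product>
  </Add>
  <Display Level="None" AcceptEULA="TRUE" />
  <Property Name="SharedComputerLicensing" Value="1" />
</Configuration>
'@
Set-Content -Path $configPath -Value $config -Encoding UTF8

# Point 3: /download fetches the installer files, /configure installs them.
foreach ($mode in '/download', '/configure') {
    $proc = Start-Process -FilePath $setup `
        -ArgumentList $mode, "`"$configPath`"" `
        -WorkingDirectory $odtDir -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        throw "setup.exe $mode exited with code $($proc.ExitCode)"
    }
}
```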

Dans Macabre
Apr 24, 2004


mayodreams posted:

I got an ~~urgent~~ request to install Office 365 Pro on one of our new 2012 R2 Remote Desktop Services instances yesterday. Things I learned:

1) You cannot specify which applications you want to install from the default Click 2 Run application.
2) You cannot remove applications post install. It is all or nothing.
3) You need to use the office deployment toolkit to download the installer.
4) The config file needs to NOT specify a path to download locally. MS Technet was kinda vague about this. The article said you could specify a different path for download, but I couldn't get it to work.
5) For RDS, you have to put a config flag in for 'shared installation'.
6) Using the config file, you can exclude the applications you don't want.

Annoying, but it's pretty cool in action. User logs into a session and is prompted to authenticate to O365 to activate the E3 license.

I was able to specify a download path when I did this. I don't remember what I did though.

and yeah using the config file is the way to go, but don't forget to turn off all the million things you need to turn off via GPO (like if you don't want them using onedrive on RDS)

Dans Macabre
Apr 24, 2004


Also I remember when I did this on an existing server that already had Office 2010 on it, I removed 2010, installed proplus, and proplus was extremely slow to "paint". I did all the things google told me to do, no help. When I built a new RDS vanilla and installed proplus, worked fine. Are your users seeing any slowness with Office 2013 applications on RDS? just curious

This was all on server 2008r2 by the way

Thanks Ants
May 21, 2004

#essereFerrari


And be glad you weren't doing it a year ago when you'd have to buy a seat of Office 2013 ProPlus through volume licensing to get a version that would work in RDP.

mayodreams
Jul 4, 2003


Hello darkness,
my old friend

NevergirlsOFFICIAL posted:

Also I remember when I did this on an existing server that already had Office 2010 on it, I removed 2010, installed proplus, and proplus was extremely slow to "paint". I did all the things google told me to do, no help. When I built a new RDS vanilla and installed proplus, worked fine. Are your users seeing any slowness with Office 2013 applications on RDS? just curious

This was all on server 2008r2 by the way

They have done some rudimentary testing but that's it. We are building out a huge AX deployment and Excel was needed for some of the reports.

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy
I have a group of like 5 users revolting because I'm trying to force them to upgrade from Office 2010 to 2013, like the other 500 users are on.

They're saying that they in particular use large Excel files in some way that it is ultra slow in 2013 and when they downgraded to 2010 it was fast again.

Some cursory Googling says I can disable "Animate controls and elements inside windows" and that'll resolve it but I was wondering if there's anything else I should be looking for.

Roargasm
Oct 21, 2010

Hate to sound sleazy
But tease me
I don't want it if it's that easy

Zero VGS posted:

Some cursory Googling says I can disable "Animate controls and elements inside windows" and that'll resolve it but I was wondering if there's anything else I should be looking for.

Eh that's probably it. Seems like animations were the only thing that got added to 2013 so it would make sense if they were broken. You can disable them remotely with a 2 line Powershell script, let me know if you want it

BaseballPCHiker
Jan 16, 2006

Has anyone in here used the Windows Performance Analyzer before? I'm really loving it. It's helped me really dig super deep into some performance issues on a server I have. Lots of cool graphing as well. I'd recommend it if anyone is getting stuck just looking at resmon and wondering what could be going on.

Dans Macabre
Apr 24, 2004


I have to deploy 50 Win8 laptops what's the coolest way to do it? I usually use WDS but I also usually only deploy 10-15 at a time. I remember there's some other microsoft thing to use instead of WDS but last time I looked at it it looked like a lot of work for 10 machines. If I'm doing 50 worth it?

TWBalls
Apr 16, 2003
My medication never lies
You might be thinking of MDT.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
So for those of you who spend most of your time maintaining SCCM, how much do you pay attention to the multitude of logs the site systems put out?

I'm the SCCM guy, but my lead probably knows more about SCCM (at least this specific environment since he helped build it) and also is maybe a cyborg so he'll send me emails that he looked in some random log on one of the 15 component servers and saw some random error and my default response is "So?" The way I see it SCCM is just absolute poo poo software and shits all over itself all the time and if I chased down every single transient error that just goes away the next time X runs, I wouldn't have time to do anything else. The logs are just too full of random meaningless garbage for me to waste my time with it, unless there's an actual problem.

Reading documentation on this stuff is also really bad because it seems like I can get a serviceable answer for the "what" of an error message but not really a "how" or "why."

BaseballPCHiker
Jan 16, 2006

FISHMANPET posted:

So for those of you who spend most of your time maintaining SCCM, how much do you pay attention to the multitude of logs the site systems put out?

I'm the SCCM guy, but my lead probably knows more about SCCM (at least this specific environment since he helped build it) and also is maybe a cyborg so he'll send me emails that he looked in some random log on one of the 15 component servers and saw some random error and my default response is "So?" The way I see it SCCM is just absolute poo poo software and shits all over itself all the time and if I chased down every single transient error that just goes away the next time X runs, I wouldn't have time to do anything else. The logs are just too full of random meaningless garbage for me to waste my time with it, unless there's an actual problem.

Reading documentation on this stuff is also really bad because it seems like I can get a serviceable answer for the "what" of an error message but not really a "how" or "why."

I only read the logs when I'm digging into something that's gone wrong, which with SCCM seems like every day. I don't ever just casually peruse them for fun. Even if you did look at the logs through CMTrace there are so many harmless or false alarms that get marked red and yellow that you would spend weeks just looking into all of that poo poo.

I'm going through a site upgrade from 2012 RTM that's all sorts of hosed up to a new instance of 2012 R2 and I cannot wait to be done with SCCM. At first I really liked it (still kind of do) but I'm just done with it at this point. There are so many little things that can trip it up and cause something to fail. Granted a lot of that is the mess I inherited and it will get better but I just can't see myself devoting a lot of time and energy into learning it more. I was excited for a while thinking I had found my niche in IT, now I can't wait to be away from it.

Sorry for the E/N SCCM derail but seriously it's so frustrating to work with.

Dans Macabre
Apr 24, 2004


TWBalls posted:

You might be thinking of MDT.

yes thanks

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

BaseballPCHiker posted:

Sorry for the E/N SCCM derail but seriously it's so frustrating to work with.

I started this thread... *checks*

Jesus, I started this thread five years ago, when I was just getting started with SCCM and trying to deploy an Operating System. Now here I am, in charge of an SCCM instance for the entire campus, with some 20k objects, and, gently caress, I hate it. I mean, I like using the tool, but holy gently caress is administering it awful. And in this position, I hardly get to actually use it! It's all administering the servers.

Trying to figure out other niches where I can do the things I like about SCCM because I think I really want to get away from the tool itself.

lol internet.
Sep 4, 2007
the internet makes you stupid

FISHMANPET posted:

So for those of you who spend most of your time maintaining SCCM, how much do you pay attention to the multitude of logs the site systems put out?

I'm the SCCM guy, but my lead probably knows more about SCCM (at least this specific environment since he helped build it) and also is maybe a cyborg so he'll send me emails that he looked in some random log on one of the 15 component servers and saw some random error and my default response is "So?" The way I see it SCCM is just absolute poo poo software and shits all over itself all the time and if I chased down every single transient error that just goes away the next time X runs, I wouldn't have time to do anything else. The logs are just too full of random meaningless garbage for me to waste my time with it, unless there's an actual problem.

Reading documentation on this stuff is also really bad because it seems like I can get a serviceable answer for the "what" of an error message but not really a "how" or "why."

I always just try to keep the 15 components looking good. I absolutely hate the amount of logs and digging SCCM requires so I tend to follow my hunch on issues, and logs are completely the last resort. I'm considered the head SCCM guy at my current and last place of employment. I built both environments basically and make most major changes to them so.. there tends to be no issues.

NevergirlsOFFICIAL posted:

I have to deploy 50 Win8 laptops what's the coolest way to do it? I usually use WDS but I also usually only deploy 10-15 at a time. I remember there's some other microsoft thing to use instead of WDS but last time I looked at it it looked like a lot of work for 10 machines. If I'm doing 50 worth it?

MDT is worth it...Assuming you plan to roll with it in the long run and this isn't just a one time thing. Just keep in mind there might be very little interaction to kick off the OS deployment for each computer depending on how far you go into setting it up.

lol internet. fucked around with this message at 21:40 on Jun 18, 2015

Tony Montana
Aug 6, 2005

by FactsAreUseless
In large corps SCOM/SCCM is basically rolled in together and you have the 'Monitoring and Deployment Team' or whatever. It basically means alerts and patching.. that's from the server side. What the desktop support teams choose to do to provision workstations, who knows, there is a pretty clear line in the sand between the desktop effort (scrubs) and the server teams.

I had a manager ask me how to push Windows events into syslog and the answer is you basically don't, syslog is a Unix thing and we in Windows-land push the event logs you're interested in to SCOM which retains them.

The whole 'making sure the server is patched and not at 100% CPU and its disks aren't full and blah loving blah' is generally referred to as Server Maintenance and taken care of by lesser skilled guys than infrastructure specialists. There will be a Messaging team with Exchange gurus, a DirOps team with AD gurus, a virtualization team with usually still ESX gurus but Hyper-V is gaining ground. You don't bother any of these guys with routine server bullshit.. that's what we have L1 and L2 for.

That's how it was when I was the AD Lead for HP.

devmd01
Mar 7, 2006

Elektronik
Supersonik
On the other hand, I'm glad I got out of large corps, because there is some serious bullshit that goes on with being so siloed.

Every systems management tool has its problems, two places ago I was the Symantec Management Platform administrator for a 4000+, 250+ site company. The tool itself was awesome because I could make miracles happen, but gently caress the maintenance to ensure it was running smoothly.

But also gently caress Symantec forever. I'm glad I'm no longer dealing with it, though it does look like I'm going to have to learn some SCCM/SCOM at this new job eventually, since it's a much smaller shop, multiple hats, etc.

Tony Montana
Aug 6, 2005

by FactsAreUseless

devmd01 posted:

On the other hand, I'm glad I got out of large corps, because there is some serious bullshit that goes on with being so siloed.

But also gently caress Symantec forever. I'm glad I'm no longer dealing with it, though it does look like I'm going to have to learn some SCCM/SCOM at this new job eventually, since it's a much smaller shop, multiple hats, etc.

yeah, this is one of the oldest choices in IT, generalist or specialist. The reality I've found is that this is only a choice or even a reality in the smaller places. At HP everything was super-siloed and a big part of your skillset is getting what you want out of the other teams. If you're some crazy sperglord sitting in a corner and can't muster the humanity to go and actually talk to the backup team or AV team about what they're doing with what you're charged with taking care of.. you'll just flounder and get nothing done. But, the backup team really were the experts of the backup solution. The AV guys knew their poo poo, had all their groups configured and constantly maintained, etc. It's a level of professionalism a bunch of generalists can never aspire to.

Many of these solutions are extremely complex and only increasingly so. When you hear someone say 'oh I do AD, Exchange, Sharepoint and I can do SCCM' what that really means is they're not great at any of them. Each one of those is a career in its own right if you really are an 'expert'.

At HP if the system management software that ran on the server (SIM) did silly poo poo, I could arrange a meeting with the developers themselves and talk about how to fix it. It took effort and a lot of poking, but you could do it. Compared to a shop just using vendor's products and declaring that works or that's poo poo, your firm actually building the products you use takes the whole thing to another level.

Now, because I've taken two years off I had to leave my sweet HP gig and I'm working for a consultancy being the AD Lead for a major airline. It sucks.. someone asked if there was AV on the domain controllers and I don't know.. so I go look and no there isn't. So put it on, they say. You spend time now faffing around in some AV console doing some menial poo poo, everyone sticking their fingers in trying to just get their bit done with no-one really owning it and making sure it hums. What happens in corps that don't have dedicated DirOps guys because 'everyone does a bit of AD'? Group Policy turns into a loving mess (when you see forced policies 9/10 times that means people don't know what they're doing) and you'll soon have a fragmented and indecipherable OU structure.

But as I said at the start, you'll only find this in the 'bush leagues' because real corporate networks have specialists making sure each component is working just as the vendor promised.

edit:I'm home sick today so why not type on the Internet.

Just a couple of other 'why HP was the best job I ever had, and what enterprise IT means to me as a result' points. Training is regular and they have their own training centers and can sign the certs, it's considered a privilege so those who kick rear end get lots of training. I did a good thing and when my TL is emailed the next ITIL round is up, I was sent. That's a week of classroom led training (on work time, for the next week go to school don't come to the office) with a HP dude that is from the Education department and does nothing but run ITIL courses and.. hah yeah.. I remember they had their own loving boardgame. As in one day the tutor said 'ok lets play the HP ITIL Boardgame' and he took out of the cupboard a boardgame of the quality like anything you'd buy. On the front of the box it said some cool name and inside there were little cards for servers and incidents and the whole bit and you reconstructed and ran through Service Delivery concepts. Then at the end of the week you take the exam (pass lol, don't go back to the office and tell them you failed :P) and you have yet another cert on your toolbelt. You just keep doing this and that's why the real enterprise guys have every cert and all the upgrades because their work sorts it all for them and on their time.. who wants to go home to study when you've worked a 40 hour week?

HP was split into TS and ES, Technical Services are the actual engineers (with degrees, in engineering) doing hardware and software design and releasing products. I was part of ES, or Enterprise Services which is the managed services arm. Being able to call on TS resources is awesome in itself but because ES is so huge with so many clients (we're HP after all) the siloed teams can become really, really amazing. You have to caveat this with politics because it happens everywhere humans gather to do something so it's not always some perfect meritocracy or something.. but at times and in places it almost was. If the AV team is using their product on say 20 of the biggest networks in the country, each with their own requirements and quirks and they bounce between these networks making sure the AV hums on all of them.. they pretty much end up on the same level as the AV vendor's own techs.

The Unix teams have lots of representation due to products such as HP UX. I'm a Windows guy but you'll be running into some form or derivative of Unix probably for the rest of my career so guys having my back in that was great. I'd enjoy going over to ask the Unix guys something and just hanging out and chatting about how poo poo worked in their world.

The business alliance between MS and HP is ancient and strong and you'll keep seeing this in things like every HP staff member has a full MSDN subscription, free, just because you're a HP employee. All the software, updated every year, a ton of keys for each.. free.. because you're one of us.

So now I'm back at a small firm, no more than 150 staff.. ugh. If you're reading HP, please take me back. I'll even patch servers or whatever, just please let me back in.

edit2: ha yeah I took a picture of the boardgame on my phone and I've still got it. Race to Results! you had to both appreciate it and laugh at the absurdity

Tony Montana fucked around with this message at 02:22 on Jun 19, 2015

Dans Macabre
Apr 24, 2004


lol internet. posted:

MDT is worth it...Assuming you plan to roll with it in the long run and this isn't just a one time thing. Just keep in mind there might be very little interaction to kick off the OS deployment for each computer depending on how far you go into setting it up.

If it is a one-time thing, then what's the best thing to use?

Let's say I'll need to do 50 every 3 years. Is that long run enough?

Sacred Cow
Aug 13, 2007

FISHMANPET posted:

So for those of you who spend most of your time maintaining SCCM, how much do you pay attention to the multitude of logs the site systems put out?

I'm the SCCM guy, but my lead probably knows more about SCCM (at least this specific environment since he helped build it) and also is maybe a cyborg so he'll send me emails that he looked in some random log on one of the 15 component servers and saw some random error and my default response is "So?" The way I see it SCCM is just absolute poo poo software and shits all over itself all the time and if I chased down every single transient error that just goes away the next time X runs, I wouldn't have time to do anything else. The logs are just too full of random meaningless garbage for me to waste my time with it, unless there's an actual problem.

Reading documentation on this stuff is also really bad because it seems like I can get a serviceable answer for the "what" of an error message but not really a "how" or "why."

Maybe a little late here, but don't get wrapped around all of the SCCM logs. Just looking at my single site setup, there's about 600+ logs. If you go looking at every red log in CMTrace you'll never get any actual work done. You'll get errors if SCCM is trying to contact a computer that is no longer on the domain. I went through the same thing at another job and had to constantly tell them "working as intended".


FISHMANPET posted:

I started this thread... *checks*

Jesus, I started this thread five years ago, when I was just getting started with SCCM and trying to deploy an Operating System. Now here I am, in charge of an SCCM instance for the entire campus, with some 20k objects, and, gently caress, I hate it. I mean, I like using the tool, but holy gently caress is administering it awful. And in this position, I hardly get to actually use it! It's all administering the servers.

Trying to figure out other niches where I can do the things I like about SCCM because I think I really want to get away from the tool itself.


BaseballPCHiker posted:

I only read the logs when I'm digging into something that's gone wrong, which with SCCM seems like every day. I don't ever just casually peruse them for fun. Even if you did look at the logs through CMTrace there are so many harmless or false alarms that get marked red and yellow that you would spend weeks just looking into all of that poo poo.

I'm going through a site upgrade from 2012 RTM that's all sorts of hosed up to a new instance of 2012 R2 and I cannot wait to be done with SCCM. At first I really liked it (still kind of do) but I'm just done with it at this point. There are so many little things that can trip it up and cause something to fail. Granted a lot of that is the mess I inherited and it will get better but I just can't see myself devoting a lot of time and energy into learning it more. I was excited for a while thinking I had found my niche in IT, now I can't wait to be away from it.

Sorry for the E/N SCCM derail but seriously it's so frustrating to work with.

I just came from a government contract that had a massive SCCM infrastructure that was a complete mess. Instead of trying to fix it they kept placing "temporary" fixes to get around any issues until it was an unmanageable mess. It almost killed my desire to continue in SCCM. I'm now working for a smaller government agency where their previous SCCM guy had no idea what he was doing (full fat images for OS deployments and using Task Sequences to deploy Windows updates :psyduck:) but now that I'm steering the ship again, I remembered why I liked it so much in the first place.

Any patching/monitoring/OSD software is going to be finicky since it needs to be able to talk to EVERYTHING in your infrastructure. The large government contract was trying to move over to IBM BigFix as an alternative and it was just as much of a nightmare as SCCM while simultaneously being even less intuitive. Patching and OSD might not be for everyone but don't let a single job experience kill your drive to keep learning if you have any interest in it.

lol internet.
Sep 4, 2007
the internet makes you stupid

NevergirlsOFFICIAL posted:

If it is a one-time thing, then what's the best thing to use?

Let's say I'll need to do 50 every 3 years. Is that long run enough?

Kinda long yes.. nothing in between the 3 years at all? New hires? New machine re-deployments\re-wipes? If that's the case, not too sure then. Maybe good old ghost. (If that even still exists?)

Demie
Apr 2, 2004
If I was interested in monitoring SCCM logs, I would find a tool to analyze them. The signal to noise ratio makes them useless unless you're trying to fix something specific.

Swink
Apr 18, 2006
Left Side <--- Many Whelps
Has anyone deployed WorkFolders? Do you need ADFS if all your machines are domain joined?

Tequila25
May 12, 2001
Ask me about tapioca.
I'm a systems admin, and I've been asked to redesign our network architecture for greater security. We are using a Sonicwall device as our main router/firewall. We have one subnet for servers and desktops, another for IP phones, and another for development servers, but they are not separated into security zones at all.

My plan so far is to separate the desktops into their own subnet, which should be easy because of DHCP. But we have public web servers and databases that have customer data. Should I put the web servers in a DMZ and databases in a separate secure zone? Can print and file servers still be in the same zone as the desktops?

I feel a little out of my depth here, and if someone could point me to a book or document with basic network security principles I'd appreciate it.
