wyoak posted: At my old job we used NIC teaming in failover mode (some servers going all the way back to 2003), but we always used the functionality built in to the drivers (so Broadcom or Intel's utilities). Broadcom's were a pile of poo poo and I convinced them to not bother on those, but Intel's utilities seemed to work pretty well.

Cheers, these Dell R420s have Broadcom adapters and I agree the Broadcom suite is a pile of lovely garbage trash, I'd rather use the OS teaming functionality in 2012 R2 because I've done it before and it definitely seems more reliable. To elaborate on my last phonepost, my DCs are all physical and I have 2 per site. Our server racks have redundant everything, network, power, etc, so teaming isn't a terrible idea even if it's mostly unnecessary with 2 DCs. Basically one of my big focuses right now on servers is redundancy, DR, and high availability, so if a 2012 R2 DC works great with a failover team and I have the hardware available I don't see any reason why not to do it.

Jul 8, 2015 18:42
|
Zero VGS posted: Is anyone else up on the Skype for Business Cloud PBX and Conference Call preview?

How the hell did I not know this was public, thanks, signing up now!

Jul 8, 2015 18:56
|
Hey I have a TLS question which I'll ask here because I did it on IIS even though it doesn't matter that it's IIS. We have a PCI compliance scan on one web server and the new thing is that TLS 1.0 needs to be disabled. Deadline for this is some time in 2016 but someone wanted it done now. So we disabled TLS 1.0 and some weaker ciphers and now the web guy is getting calls from some users that they cannot access the web site (because I guess older browsers). So anyway when I take this to the CFO he's going to ask "well how does Amazon deal with it", what should my answer be?

Jul 9, 2015 14:06
|
NevergirlsOFFICIAL posted: Hey I have a TLS question which I'll ask here because I did it on IIS even though it doesn't matter that it's IIS.

Our customer base is older and lower middle class, so this has been a problem for us too. We have disabled SSLv2, SSLv3, and TLS 1.0 on our IIS and Apache instances in the last year or so to comply with PCI standards. We know this cuts into sales, but the fact of the matter is that XP and IE6 are so old and insecure we can't accommodate them and still comply with PCI. I think we put a page up to the user to install Firefox or Chrome.

Jul 9, 2015 16:16
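The protocol changes discussed in these two posts are made through Schannel registry keys, and it is easy to lose track of which protocols a given IIS box actually has on or off. The script below is an added example, not code from the thread; it reports the state of each Schannel protocol (absent keys mean the OS default applies, so it says so rather than guessing) and includes a helper that sets the two values Microsoft documents for turning a protocol off. The key path and value names are the real Schannel ones; the function names are my own.

```powershell
# Added example: audit Schannel protocol configuration on a Windows/IIS host,
# with an optional, reversible helper for the PCI change (TLS 1.0 off server side).
# Run elevated. Schannel only re-reads these keys after a reboot.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelState {
    # Side is 'Server' (what IIS offers) or 'Client' (outbound connections).
    param([string] $Protocol, [string] $Side)
    $key = Join-Path $base "$Protocol\$Side"
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Protocol = $Protocol; Side = $Side; State = 'OS default (no key)' }
    }
    $props   = Get-ItemProperty -Path $key
    $enabled = $props.PSObject.Properties['Enabled']            # $null when the value is absent
    $dbd     = $props.PSObject.Properties['DisabledByDefault']
    if ($enabled -and $enabled.Value -eq 0) {
        $state = 'disabled (Enabled=0)'
    } elseif ($dbd -and $dbd.Value -ne 0) {
        $state = 'off unless the application opts in (DisabledByDefault=1)'
    } elseif ($enabled) {
        $state = 'enabled (Enabled!=0)'
    } else {
        $state = 'OS default (key present, no values)'
    }
    [pscustomobject]@{ Protocol = $Protocol; Side = $Side; State = $state }
}

function Disable-SchannelProtocol {
    # Sets both documented values; re-run Get-SchannelReport afterwards to confirm.
    param([string] $Protocol, [string] $Side = 'Server')
    $key = Join-Path $base "$Protocol\$Side"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Enabled'           -Value 0 -Type DWord
    Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -Type DWord
}

function Get-SchannelReport {
    foreach ($p in $protocols) {
        foreach ($side in 'Server', 'Client') { Get-SchannelState -Protocol $p -Side $side }
    }
}

Get-SchannelReport | Format-Table -AutoSize
# The change the PCI scan asked for, left commented so the script is read-only by default:
# Disable-SchannelProtocol -Protocol 'TLS 1.0' -Side 'Server'
```

Export the report before and after the change so the "before" state can be restored if the client-compatibility calls start coming in.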
|
Earl of Lavender posted: Quick sanity check, if you'd all be so kind: I'm considering running Server 2012 on a Pentium G3258 machine (at stock clocks), and using it as a Hyper-V host with a maximum of two concurrent guests. Am I literally insane? Would my next step up, an i3-4360, be more appropriate, or perhaps, still underpowered?

As long as it's not for production. If it's production I'd do everything in my power to run on a Xeon/ECC memory machine. No ECC will ffffuuucccckkk you

Tony Montana posted: Let's talk some Enterprise Windows.. or more specifically.. what a career in this space means in 2015.

Those jobs will be back. Most Indian IT knowledge is surface level and they're behind the curve on modern tech. "Everyone can do a bit of Windows" is going away right quick with PowerShell parity in the next version of Windows Server.

incoherent fucked around with this message at 18:37 on Jul 9, 2015

Jul 9, 2015 18:34
|
incoherent posted: "everyone can do a bit of windows" is going away right quick with Powershell parity in the next version of windows server.

This is the loving truth right here. Myself and 1 other admin are the only people on our team that are even close to being competent with PowerShell, and it's come in super useful now we're deploying 2012 R2 servers. People that don't hop on the PS train will get left behind.

Jul 9, 2015 18:58
|
If you can get over the hurdle of installing vNext without googling it, you can be a Windows admin.

Jul 9, 2015 19:11
|
PowerShell is fantastic too, if you're an enterprise Windows admin you should definitely learn it and use it!

Jul 9, 2015 19:13
|
What's a good way to move files to another server and not have to add/change drive mappings on individual computers? If the current drive is M: it's not a big deal to add the new server and map it to N:, but there are so many shortcuts and things in other programs that are expecting the M: drive. I thought you could do links of some sort on

oldserver\share\folder1 ---> newserver\folder1

And then once everything is moved over, just switch the mounts on a night/weekend.

Jul 9, 2015 19:16
|
I was hoping you guys could help me with this issue since we've been going around in circles and I can't seem to find an answer. Is it possible to filter traffic in TMG, requiring a machine certificate, and then after it checks the certificate send it to a CAS server (Exchange 2013)? For all protocols (OWA, OA, EAS)?

Jul 9, 2015 19:17
|
Bob Morales posted: What's a good way to move files to another server and not have to add/change drive mappings on individual computers?

DFS. Set it up as server and not domain, and have it point to the new location. It will show up as a share on the old server.

Jul 9, 2015 19:20
|
Earl of Lavender posted: Quick sanity check, if you'd all be so kind: I'm considering running Server 2012 on a Pentium G3258 machine (at stock clocks), and using it as a Hyper-V host with a maximum of two concurrent guests. Am I literally insane? Would my next step up, an i3-4360, be more appropriate, or perhaps, still underpowered?

Is reliability any kind of concern? You should be using Xeons with ECC RAM for anything virtualized in my book.

Jul 9, 2015 19:38
|
NevergirlsOFFICIAL posted: Hey I have a TLS question which I'll ask here because I did it on IIS even though it doesn't matter that it's IIS.

Tell them that turning off TLS 1.0/1.1 is absolute idiocy because you'll break too much client access and not even Amazon or anyone else is trying that at this point. Wait until SSL Labs or whoever is telling you to turn it off, right now it has known issues but isn't totally broken. It's going to take years before we hit a reasonable compatibility rate for a TLS 1.2-only site.

https://www.ssllabs.com/ssltest/analyze.html?d=amazon.com&s=72.21.206.6&hideResults=on

The following clients do not support TLS 1.2 (https://www.ssllabs.com/ssltest/clients.html):

- Android 2.3
- Android 4.0-4.3
- IE 6 / XP
- IE 7 / Vista
- IE 8 / XP
- IE 8-10 / Win 7
- IE Mobile 10 / Win Phone 8.0
- Java 6
- Java 7
- Safari 5.1.9 / OS X 10.6.8
- Safari 6.0.4 / OS X 10.8.4

BangersInMyKnickers fucked around with this message at 19:48 on Jul 9, 2015

Jul 9, 2015 19:45
|
Thanks, this is exactly the answer I needed so we can turn it back on. Safe & secure!

Jul 9, 2015 20:07
|
Tony Montana posted: Who has been affected by this? Who has interesting Knowledge Transfer stories to tell? Is becoming an Enterprise Windows guy a dangerous thing to do these days.. because you'll probably be replaced with someone that is paid a fraction of what you are?

I don't do "Knowledge Transfer". When given warning that layoffs were happening but "Totally not affecting your department" while under orders to teach our intern "Everything my job entails", I gave that dude the mushroom treatment. Sorry, but my now coming up on 12 years of experience in my field is worth money. He'll just have to read my documentation: and I wrote it originally assuming that another network/systems admin would be reading it. Not a desktop tech. When my boss and I finally got laid off, the kid was the only IT person left in the organization. And he didn't even know Active Directory enough to do our terminations. Frantic phone calls after the layoff were responded to with my independent contractor rates, which were something close to my old monthly salary a day, two day minimum.

Jul 9, 2015 21:53
|
Rhymenoserous posted: I don't do "Knowledge Transfer", when given warning that layoffs were happening but "Totally not affecting your department" while under orders to teach our intern "Everything my job entails" I gave that dude the mushroom treatment. Sorry but my now coming up on 12 years of experience in my field is worth money. He'll just have to read my documentation: and I wrote it originally assuming that another network/systems admin would be reading it. Not a desktop tech.

How many days did they hire you on for post-layoff?

Jul 9, 2015 21:55
|
GreenNight posted: How many days did they hire you on for post-layoff?

Absolutely none, the ridiculous rate is basically a fancy way of saying "gently caress off" without actually saying it. It wasn't a legit offer anyways since I was a government contractor and the waiver process for bringing an independent contractor in for a day would have taken forever. I had already been hired at my new job after a week of being unemployed and set my start date so I could laze around taking a mental break till the end of the month while supping on all that vacation money (I had 3 weeks saved up) and my severance package. I was offered another job for another gov't contract in the same building two offices down, but turned it down because the fed was getting really volatile with the shutdown threats/budget cuts. So even if they offered to bring me back on I'd have just laughed in their faces.

Jul 9, 2015 22:05
|
Maybe someone has an idea how to achieve this here... I have several users that utilize some design software that constantly updates itself. These updates require UAC elevation to work. Normally I do not allow local admin access anywhere, but had to make an exception for these users. To that end I created a GPO to add a security group "Workstation Admins" to the builtin\administrators group. Any users I want to give local admin I add them to this security group. The problem is this then allows them to access the admin$ or c$ administrative shares on any domain joined machine!

Edit: We utilize the admin shares for pushing software, so cannot disable them. Is there any way to make it so local administrators cannot access administrative shares? Or prevent them from accessing domain network resources?

stevewm fucked around with this message at 14:25 on Jul 10, 2015

Jul 10, 2015 14:22
|
So you want a specific group of users to only have local admin on their individual workstation, right? I don't know how off the top of my head but my instinct is you should use PowerShell to give users in X OU access to the assigned computer. Give it a CSV with each user name and their assigned computer. There's probably a much easier way to do it though.

Jul 10, 2015 14:33
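One way to do what this post sketches, as an added example rather than anything posted in the thread: read a CSV of user/computer pairs and add each domain user to the local Administrators group on that one workstation only, so nobody ends up in a domain-wide group that is admin (and has admin$/c$ access) everywhere. It uses the WinNT ADSI provider, which works on the Windows 7 / 2008 R2 era hosts being discussed; the CSV column names and the DOMAIN\user format are my assumptions.

```powershell
# Added example: per-workstation local admin from a CSV, instead of a domain-wide
# "Workstation Admins" group. Assumed CSV layout (constructed for this example):
#   User,Computer
#   CORP\jsmith,WS-0142
# Run from an account that is already an administrator on the target machines.
param(
    [Parameter(Mandatory)] [string] $CsvPath
)

$assignments = Import-Csv -Path $CsvPath

foreach ($row in $assignments) {
    $domain, $user = $row.User -split '\\', 2
    if (-not $user) {
        Write-Warning "Skipping '$($row.User)': expected DOMAIN\user"
        continue
    }
    $computer = $row.Computer
    try {
        # Bind to the local Administrators group on the assigned workstation only.
        $group = [ADSI]"WinNT://$computer/Administrators,group"

        # Enumerate current members by name (WinNT names have no domain prefix,
        # so a same-named local account would also match; acceptable for an audit).
        $members = @($group.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        })

        if ($members -contains $user) {
            Write-Host "$($row.User) is already a local admin on $computer"
            continue
        }

        $group.Add("WinNT://$domain/$user,user")
        Write-Host "Added $($row.User) to Administrators on $computer"
    } catch {
        Write-Warning "Failed on ${computer}: $($_.Exception.Message)"
    }
}
```

Because the user is only ever a member of that one machine's local group, their token carries no domain-wide admin group, and the admin$ shares on other machines keep refusing them.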
|
Another and IMHO better option may be to create a local user that's admin on each of the machines, and give them those credentials to use when updating. That way they're not logged in as admin constantly and only elevating when needed.

Jul 10, 2015 14:34
|
stevewm posted: Maybe someone has an idea how to achieve this here...

Just create a separate OU for these machines and enforce the GPO there. Computer Config -> Policies -> Windows Settings -> Security Settings -> Restricted Groups. The restricted group you create can be local to the machine, maybe yours was created as part of the domain?

Jul 10, 2015 15:05
|
https://www.microsoft.com/en-us/download/details.aspx?id=46899

There's a tool for that.

Jul 10, 2015 15:08
|
Jeoh posted: https://www.microsoft.com/en-us/download/details.aspx?id=46899

I will never understand why this isn't built in to AD.

Jul 10, 2015 15:23
|
Jeoh posted: https://www.microsoft.com/en-us/download/details.aspx?id=46899

Jesus Christ, now I can sync all the various local admin accounts across my domain. Why have I never heard of this tool before.

Jul 10, 2015 17:20
|
stevewm posted: Maybe someone has an idea how to achieve this here...

Typically the app needs elevation because it is writing to a specific protected location (in this case probably Program Files). Grant the local Users group full control over the application's folder and see if that removes the need for elevation when updating this app.

Jul 11, 2015 05:18
|
GreenNight posted: Jesus Christ, now I can sync all the various local admin accounts across my domain. Why have I never heard of this tool before.

The tool was originally released not long ago (I think May of this year?) but I see they have a new version up from this week. I personally haven't used it yet but I've also mentioned it to higher-ups who should be lighting fires to get this poo poo in place, but unfortunately they aren't. Maybe I just have too much foresight into how not utilizing this may result in a future data breach of PHI?

Jul 11, 2015 15:53
|
Zaepho posted: Typically the app needs Elevation because it is writing to a specific protected location (in this case probably Program Files). Grant the local users group full control over the application's folder and see if that removes the need for elevation when updating this app.

This too.

Jul 11, 2015 20:02
|
I use the Users and Groups GP client extension along with item-level targeting to grant a single user local admin on specific workstations. It's a huge pain to set up the first time but once it's done it's pretty good.

Jul 11, 2015 22:29
|
PUBLIC TOILET posted: The tool was originally released not long ago (I think May of this year?) but I see they have a new version up from this week. I personally haven't used it yet but I've also mentioned it to higher-ups who should be lighting fires to get this poo poo in place, but unfortunately they aren't. Maybe I just have too much foresight into how not utilizing this may result in a future data breach of PHI?

The tool has been around much longer, but was only available to partners.

Jul 12, 2015 00:19
|
Zaepho posted: Typically the app needs Elevation because it is writing to a specific protected location (in this case probably Program Files). Grant the local users group full control over the application's folder and see if that removes the need for elevation when updating this app.

I wish it was that easy... These installers seem to have a manifest set to elevate, as they prompt immediately before even attempting to access any directories (according to Process Monitor).

Jul 13, 2015 14:38
|
Number19 posted: I use the users and groups GP client extension along with item level targeting to grant a single user local admin on specific workstations. It's a huge pain to set up the first time but once it's done it's pretty good.

But does this prevent them from accessing administrative shares? The GPO I have set up right now adds the user to the local/built-in Administrators group, but this also gives them access to administrative shares.

Jul 13, 2015 14:45
|
stevewm posted: I wish it was that easy... These installers seem to have a manifest set to elevate, as they prompt immediately before even attempting to access any directories. (according to Process Monitor).

You can use a hex editor to modify the manifest in installers or executables to not prompt for admin. I've had to do it to quite a few lovely programs the tool shop guys buy.

Jul 13, 2015 18:33
|
stevewm posted: I wish it was that easy... These installers seem to have a manifest set to elevate, as they prompt immediately before even attempting to access any directories. (according to Process Monitor).

I used it on a few major versions of UPS WorldShip as it required UAC once or twice a week when new shipping rates came down. The trick in my case was to check the "RunAsInvoker" box. Once I installed the database on the user's local machine the update process ran in user mode just fine.

Jul 13, 2015 19:28
|
I need a way for users to log in as a local admin on a workstation. However:

1. I want each user to have to log in separately, in other words I don't want their everyday account to be elevated
2. I want each user to only be able to log in as admin on their own laptop and not someone else's laptop

Right now the thought is to create a separate local admin account on each laptop and give the user the password for their laptop's admin account. Is this the best thing to do? If it is, how can I automate it rather than going to each workstation and creating a user and password.

edit: I should use LAPS right?

edit: yes I should

Dans Macabre fucked around with this message at 20:26 on Jul 13, 2015

Jul 13, 2015 19:36
|
Karthe posted: UPS WorldShip

Uggghhhhh.

Jul 13, 2015 20:58
|
I have been seeing this really weird error with file shares today. Windows 7 clients, Windows 2008 domain.

New domain (global) security group, let's call it read_only_users. I am in this group. I've rebooted my PC several times since joining the group. I make a share on my PC, and for the Share Permissions, only give read access to read_only_users. Let's call the share read_only_share.

If I type in \\localhost\read_only_share, I get a sharing permissions error. This happens repeatedly. If I then add myself explicitly to the share (read-only) and try accessing it, I'm good. Here's the weird part: if I remove myself explicitly (back to only read_only_users in the share permissions), it still works. In fact, I can make new shares the same way, and they all work. I can remove read_only_share completely, then put it back with just read_only_users, and it still works. It's like once I get into the share with explicit permissions (or Everyone domain object), I can get into all future shares using that group.

If I try to access the share over the network (while in a broken state), it works fine. So I can get to the share with my account from other computers, just not with localhost/my PC name. I've repro'd this exact case on a handful of other PCs with those local users, so it's not my PC or my account.

Jul 13, 2015 22:55
|
madsushi posted: I have been seeing this really weird error with file shares today. Windows 7 clients, Windows 2008 domain.

It sounds like you're not updating your Kerberos ticket with your security group membership on your computer. Domain security group membership doesn't actually update until you log out and back in on the computer you're accessing the resource from. This has to do with the security group SIDs being baked in to your Kerberos ticket which is then passed to any resource to verify you have access to it. When you give yourself rights to an object, your own SID is already a part of your Kerberos ticket so it succeeds; same with the "Everyone" SID. This goes in to a little more depth about it.

edit: never mind, saw the part about rebooting after joining the group. Still sounds like a Kerberos thing but

Jul 13, 2015 23:13
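A quick way to test the explanation above on the affected PC, as an added example (not from the thread): compare the group SIDs in the current logon token with the group SIDs AD computes for the account right now (its tokenGroups attribute). Any group AD reports that the token lacks was picked up after the ticket was issued and only applies after a logoff/logon. Uses ADSI only, so no RSAT module is needed; the function name is mine.

```powershell
# Added example: diff the logon token's group SIDs against AD's current view.
# Run as the affected user, on the machine where the share access fails.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.Groups | ForEach-Object { $_.Value })

# Locate the account in the current domain and pull tokenGroups, a constructed
# attribute that must be requested explicitly via RefreshCache.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$sam = $identity.Name.Split('\')[-1]
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$sam))"
$result = $searcher.FindOne()
if (-not $result) { throw "Account not found in AD: $($identity.Name)" }

$entry = $result.GetDirectoryEntry()
$entry.psbase.RefreshCache(@('tokenGroups'))
$adSids = @($entry.psbase.Properties['tokenGroups'] | ForEach-Object {
    # Each value is a binary SID; offset 0 of the byte array.
    (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value
})

function Resolve-SidName {
    param([string] $Sid)
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }   # SIDs that no longer resolve (deleted groups) stay raw
}

$missing = @($adSids | Where-Object { $tokenSids -notcontains $_ })
if ($missing.Count -gt 0) {
    "Groups AD grants but this logon token lacks (log off and back on to pick them up):"
    $missing | ForEach-Object { '  ' + (Resolve-SidName $_) }
} else {
    "Logon token already carries every AD group for $($identity.Name)."
}
```

If read_only_users shows up in the missing list even after a reboot, the token really was issued without it and the problem is upstream of the share ACL; if it is present, the share-level symptom has another cause.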
|
hihifellow posted: It sounds like you're not updating your kerberos ticket with your security group membership on your computer. Domain security group membership doesn't actually update until you logout and back in on the computer you're accessing the resource from. This has to do with the security group SIDs being baked in to your kerberos ticket which is then passed to any resource to verify you have access to it. When you give yourself rights to an object, your own SID is already a part of your kerberos ticket so it succeeds; same with the "everyone" SID. This goes in to a little more depth about it.

Yeah, that's what it felt like. I also checked to make sure the Kerberos ticket sizes weren't too big / too many groups, and that isn't the case.

Jul 13, 2015 23:24
|
Curious, any goons here work with Azure or Identity? AD DS, CS, FS. Azure AD and whatever flavor of DirSync.

Jul 14, 2015 00:57
|
I'm pretty familiar with O365, managed identities, etc. We have an Azure ADP sub, and all that jazz.

Jul 14, 2015 01:14