dox posted: I'm truly shocked this works for you... I would never recommend doing this, or really anything with OneDrive to anyone. But it's a Pro-tip damnit.

Oct 8, 2015 17:11

What's the good way to map network drives via group policy? I have usually done it by setting up one GPO per security group, and if users are in that group they get the lettered drive mapped. However I have seen in a couple of environments where there is just one GPO for department drive mappings, and within that GPO various drives are set with item-level targeting to the security group. I feel like the second one is more difficult to manage. Am I wrong?

Oct 8, 2015 18:44

We give everyone in the company the same drive mappings and deal with access via permissions.

Oct 8, 2015 18:46

Tab8715 posted: Curious, what's everyone's experience with modifying intra/inter AD replication timing?

Tony's response has lots of good information in it. Wanted to touch on a few things as well. The bandwidth thing isn't much of an issue on modern links. Even some of the current MS documentation still touches on sites that may have 64K ISDN or 256Kb leased lines and poo poo. If you're on any kind of remotely decent connection, bandwidth between DCs isn't worth thinking about. Now if you have a DC in outer loving Mongolia on a 33.6K dial-up connection, yeah, it's something to think about. It's mostly a holdover from a time when WAN connections were slow and very, very expensive. Anyway, with that being said, it is technically possible to set a link to immediate replication for all AD changes (and I have done it in my environment for a few site links), but I would avoid doing it unless you have a really, really good reason to do so. Also, certain types of AD notifications don't wait for the standard change notification time period (15 minutes). Certain AD changes like password changes and account lockout events bypass the standard notification period. So if you have an actual legit reason to look into this more, you can do it.

Oct 8, 2015 19:25

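An added example, not from the thread, showing what "set a link to immediate replication" means in practice: enabling inter-site change notification on a site link by setting the USE_NOTIFY bit in its options attribute. It assumes the RSAT ActiveDirectory module and a site link named 'Site1-Site2' (placeholder).

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module and a
# site link named 'Site1-Site2' (placeholder name).
$LinkName = 'Site1-Site2'

# Bit flags of the siteLink 'options' attribute (AD schema):
$USE_NOTIFY          = 0x1   # replicate on change notification instead of the interval
$TWOWAY_SYNC         = 0x2
$DISABLE_COMPRESSION = 0x4

function Get-SiteLinkState {
    param([string]$Name)
    $link = Get-ADReplicationSiteLink -Identity $Name -Properties options
    $opts = [int]($link.options)   # attribute is absent (null -> 0) until first set
    [pscustomobject]@{
        Name          = $link.Name
        IntervalMin   = $link.ReplicationFrequencyInMinutes   # the "15 minutes and up" schedule
        Cost          = $link.Cost
        NotifyEnabled = [bool]($opts -band $USE_NOTIFY)
        Compression   = -not ($opts -band $DISABLE_COMPRESSION)
    }
}

function Enable-SiteLinkNotification {
    param([string]$Name)
    $link = Get-ADReplicationSiteLink -Identity $Name -Properties options
    # OR the flag in so any other bits already set on the link survive.
    $opts = [int]($link.options) -bor $USE_NOTIFY
    Set-ADReplicationSiteLink -Identity $Name -Replace @{ options = $opts }
}

Get-SiteLinkState -Name $LinkName            # before: NotifyEnabled = False on a default link
Enable-SiteLinkNotification -Name $LinkName
Get-SiteLinkState -Name $LinkName            # after: NotifyEnabled = True
```

With notification on, every change replicates across the link within seconds rather than on the interval, which is the bandwidth trade-off the post describes.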
Tony Montana posted: Give me an example of your implementation of roaming profiles. I've never seen it work right, and I've seen a lot of troubleshooting lost on it.

I'm going to put about as much effort in as a Wikipedia link (seriously, a Wikipedia link for pros/cons of an IT technology?). Roaming Profiles work just fine. It's not the year 2000 anymore. Once the world figured out that you need to use Folder Redirection with your Roaming Profiles, things got a lot better. Add v2 profiles and it works just fine and is better than the alternative. If you have needs for something more than that you have options like AppSense Environment Manager, Citrix Profile Management, or Microsoft User Experience Virtualization. The second paragraph about the power of Web 2.0 confuses me and I'll just pass on that. Your third paragraph is just lazy IT. "we just don't give a poo poo about what's on someone's desktop... it's part of their [user's] job to keep their work in a safe place." Yeah, welcome to the year 2000, please store all files in your Home Drive.

Zero VGS posted: As everyone said, AppData can gently caress up a lot of things, it was redirected at one of my previous places and it would do all sorts of crazy poo poo, such as if someone was logged into two computers at once, Firefox would refuse to open on the second computer because it was "already in use", among other anomalies.

This is just about the worst loving idea I've ever heard. Ignoring everything terrible about it, you seriously went to 500+ users and dragged all the "Desktop, Documents, Pictures, Videos, etc" into OneDrive? Are you kidding me? And what happens when that breaks for all 500+ users at once because of some dumb Windows or OneDrive patch? Some of you people are the IT guys I want to murder.

Oct 9, 2015 04:14

While we're on the subject of cloud storage, how do you guys give access to users' files remotely? Our company wants to be more mobile and I have no idea where to start. Ideally it would just kind of replicate what we have on our servers.

Oct 9, 2015 04:21

dox posted: I'm truly shocked this works for you... I would never recommend doing this, or really anything with OneDrive to anyone.

To be fair, OneDrive for Business is actually SharePoint with a sync client. The files are hosted on SharePoint. It's not really like the consumer OneDrive. We already trust our department shares to it, so why not?

Internet Explorer posted: This is just about the worst loving idea I've ever heard. Ignoring everything terrible about it, you seriously went to 500+ users and dragged all the "Desktop, Documents, Pictures, Videos, etc" into OneDrive? Are you kidding me? And what happens when that breaks for all 500+ users at once because of some dumb Windows or OneDrive patch?

Well, I did the 200 users when I first got there, then we made the redirection part of provisioning new PCs as we scaled up another 300. But a Windows or OneDrive patch wouldn't:

a) Remove any of the files from the "%userprofile%\OneDrive for Business" folder
b) Delete the files off SharePoint
c) If by some insanity it did, there's a SharePoint recycle bin and second-stage recycle bin

I think you're overreacting a bit. It's been fine for a year and a half across Win7, 8, and 10. gently caress, I even used the automatic sync and version history to recover every file for a guy who managed to get his whole PC Cryptolocker'ed. Best part is if you have even the most basic O365 tier then it's free for the whole organization and it's set-it-and-forget-it, 30 seconds to set up for each user.

LmaoTheKid posted: While we're on the subject of cloud storage, how do you guys give access to users' files remotely?

If you go my route, the user just logs into portal.office.com from anything, then clicks the OneDrive tile, and they have all their files in their original folder structure. They can for instance browse to their desktop, open up an Excel file in the Excel Online web browser app, edit it on their iPad, come back to their desk in the morning and it has synced itself back.

Zero VGS fucked around with this message at 04:40 on Oct 9, 2015

Oct 9, 2015 04:38

Internet Explorer posted: I'm going to put about as much effort in as a Wikipedia link (seriously, a Wikipedia link for pros/cons of an IT technology?). Roaming Profiles work just fine. It's not the year 2000 anymore. Once the world figured out that you need to use Folder Redirection with your Roaming Profiles, things got a lot better. Add v2 profiles and it works just fine and is better than the alternative. If you have needs for something more than that you have options like AppSense Environment Manager, Citrix Profile Management, or Microsoft User Experience Virtualization.

Hang on.. Roaming Profiles.. I bet you're the guy.. Yeah, you're the guy that said working for a major vendor is a mark against you. It's like trying to explain colour to a blind man. I'm sorry, but you just have no frame of reference and I'm wasting my time.

NevergirlsOFFICIAL posted: What's the good way to map network drives via group policy?

GPO Preferences. You can tie maps to sec groups or a number of things, whatever makes more business sense. Depends on the GPO structure and strategy; some places like everything in nicely named sec groups so low-level staff can add and remove (or even managers with a delegated ADUC console). But if helpdesk is already filling in the Department field with a new hire and it's accurate, then why add another sec group that needs to be managed? It doesn't have to be one sec group per drive either.. but if your shares are DFS then just end up with something that takes the least administrative effort, is the most automated and the most robust. A mix is fine too; perhaps that Finance-Restricted sec group should be provisioned in a different way than the general drive.

GreenNight posted: We give everyone in the company the same drive mappings and deal with access via permissions.

Depends on the size of the network. If you gave everyone every drive in some of the places I've worked you'd either run out of letters or use a good percentage of them.

Tony Montana fucked around with this message at 07:57 on Oct 9, 2015

Oct 9, 2015 07:54

Tony Montana posted: Hang on.. Roaming Profiles.. I bet you're the guy..

Yeah, I am definitely that guy and you further prove my point with such gems as a Wikipedia link of "drawbacks" in a technical discussion and "who cares about user files, let God sort it out." Don't exert yourself with all that effort.

Oct 9, 2015 14:04

Honestly I'm just still laughing at your cloud apps and Roaming Profiles = "users should put things in the right places!" responses. Both show you have no idea what you're talking about. And you totally missed the low-hanging fruit about Microsoft UEV, no one uses that poo poo. It's garbage.

Oct 9, 2015 14:32

If you've got remote users using Windows, DirectAccess is goddamn awesome for whatever ails you. I've always tried to keep it simple as far as shares - one root with directories for each major department, everyone maps to the root. That way S: is always S:. Access-based enumeration or not. Breaks down if you have too many departments, obviously.

wyoak fucked around with this message at 17:24 on Oct 9, 2015

Oct 9, 2015 17:19

wyoak posted: If you've got remote users using Windows, DirectAccess is goddamn awesome for whatever ails you.

DirectAccess also seems to be going the way of the dinosaur, according to Microsoft program managers. At Ignite I talked to people responsible for remote access stuff in Windows Server and they said while they aren't killing off DirectAccess, they aren't dumping a ton more resources into it either. I guess we'll see how things look in Server 2016.

Oct 9, 2015 17:27

Probably part of their push to: Who needs DA when you have OneDrive for Business? PC management? Oh well, how about some Intune licenses? On-premise hosted business apps? How about Azure AD Premium, and setting up some Application Proxies until you move them to Azure or get the SaaS version?

Oct 9, 2015 17:31

Maneki Neko posted: DirectAccess also seems to be going the way of the dinosaur, according to Microsoft program managers. At Ignite I talked to people responsible for remote access stuff in Windows Server and they said while they aren't killing off DirectAccess, they aren't dumping a ton more resources into it either. I guess we'll see how things look in Server 2016.

Oct 9, 2015 17:53

skipdogg posted: Probably part of their push to

I just kind of got the sense they were pushing more towards making the VPN experience, which many different vendors can hook into, a lot better for everyone, since yeah, probably not a huge adoption rate compared to folks with existing VPN setups.

Oct 9, 2015 17:58

The issue I found with DirectAccess was that as great as it is for Windows clients, you still needed something else for your iPads / Mac users. At which point you could just use the 'something else' for your Windows clients as well and not have to manage two environments.

Oct 9, 2015 19:37

Thanks Ants posted: The issue I found with DirectAccess was that as great as it is for Windows clients, you still needed something else for your iPads / Mac users. At which point you could just use the 'something else' for your Windows clients as well and not have to manage two environments.

Supposing I go with something else, does anything exist to actually mimic an "always-on" VPN? The closest I've seen is LogMeIn Hamachi, though I don't know if I'd trust that at an enterprise level. I mean, the built-in VPN client in Windows 10 would be fine if I could get a non-convoluted script to make sure it connects at login (at bootup would be even better) and does everything it can to reconnect if ever down. Naturally, Microsoft would prefer you pay for that, but I don't see what's stopping someone from reverse engineering something.

Oct 9, 2015 23:01

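An added example, not from the thread, of the kind of script Zero VGS asks for: a watchdog for the built-in Windows 10 VPN client that redials when the tunnel drops and can register itself as a logon task. It assumes an existing VPN profile named 'CorpVPN' (placeholder) that can authenticate without prompting (saved credentials or a certificate).

```powershell
# Added example (not from the thread). Assumes a Windows VPN profile named
# 'CorpVPN' (placeholder) that dials without an interactive prompt.
param([switch]$Install)

$VpnName = 'CorpVPN'   # placeholder: name of an existing profile in the Windows VPN client

function Test-VpnUp {
    param([string]$Name)
    $vpn = Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $vpn -and $vpn.ConnectionStatus -eq 'Connected')
}

function Connect-VpnWithRetry {
    param([string]$Name, [int]$MaxAttempts = 5)
    for ($i = 1; $i -le $MaxAttempts; $i++) {
        # rasdial dials the same RAS phonebook entry the Settings app created
        rasdial $Name | Out-Null
        if (Test-VpnUp -Name $Name) { return $true }
        Start-Sleep -Seconds (10 * $i)   # back off: 10, 20, 30 ... seconds
    }
    return $false
}

if ($Install) {
    # Run once, elevated: start this script hidden at every interactive logon.
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -WindowStyle Hidden -File `"$PSCommandPath`""
    $trigger = New-ScheduledTaskTrigger -AtLogOn
    Register-ScheduledTask -TaskName 'VPN Watchdog' -Action $action -Trigger $trigger
    return
}

# Watchdog loop: poll every 30 s, redial when the tunnel is down, log failures.
while ($true) {
    if (-not (Test-VpnUp -Name $VpnName)) {
        if (-not (Connect-VpnWithRetry -Name $VpnName)) {
            Write-Warning "$(Get-Date -Format s): could not reconnect $VpnName, retrying in 30 s"
        }
    }
    Start-Sleep -Seconds 30
}
```

Run it once with `-Install` from an elevated prompt; thereafter it starts at logon and keeps the tunnel up (a boot-time start would need a task that runs as a service account with its own profile).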
I'm not really sure - MDM can provide a VPN-on-demand system where opening a certain app or requesting certain URLs will automatically dial the VPN, but I am not aware of a way of doing that in Windows.

Question time: How long does Windows Server cache NXDOMAIN responses obtained from forwarders (so internet addresses, not internal zones), and can you change this? My Google-fu is weak because everything I can find refers to making changes to the DNS client caching expiry. We have a dev team adding DNS entries externally, immediately trying to hit them from inside the network, and then having to wait an hour for the negative response to time out.

Oct 9, 2015 23:11

Thanks Ants posted: Question time: How long does Windows Server cache NXDOMAIN responses obtained from forwarders (so internet addresses, not internal zones), and can you change this? My Google-fu is weak because everything I can find refers to making changes to the DNS client caching expiry. We have a dev team adding DNS entries externally, immediately trying to hit them from inside the network, and then having to wait an hour for the negative response to time out.

The term you want to Google is "negative caching".

Oct 10, 2015 00:10

I actually found that article (but thanks), but it looks like it's relating to setting the TTL on NXDOMAIN responses generated by a query to a zone that you are hosting yourself, not forwarding on to Google or resolving through the root servers.

Oct 10, 2015 00:25

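An added example, not from the thread, covering the server-side negative caching Thanks Ants is asking about on the Windows DNS Server role: reading and lowering the cap on how long a negative answer from a forwarder stays cached, and flushing the server and client caches for the one-off case. It assumes the DnsServer PowerShell module (Windows Server 2012 or later); the server and host names are placeholders.

```powershell
# Added example (not from the thread). Assumes the DnsServer module on the DNS
# server and the DnsClient module on the workstation; names are placeholders.
$Dns = 'dns01.corp.example'   # placeholder: one of your DNS servers

function Get-NegativeCacheSetting {
    param([string]$Server)
    # MaxNegativeTtl caps how long a negative (NXDOMAIN/NODATA) answer stays in
    # this server's cache, whatever negative TTL the upstream SOA advertised.
    Get-DnsServerCache -ComputerName $Server | Select-Object MaxTtl, MaxNegativeTtl
}

function Set-NegativeCacheLimit {
    param([string]$Server, [int]$Minutes)
    # A shorter cap means a name that was NXDOMAIN a moment ago is asked of the
    # forwarder again sooner, at the cost of a few extra upstream queries.
    Set-DnsServerCache -ComputerName $Server -MaxNegativeTtl (New-TimeSpan -Minutes $Minutes)
}

Get-NegativeCacheSetting -Server $Dns          # what is it today?
Set-NegativeCacheLimit -Server $Dns -Minutes 5
Get-NegativeCacheSetting -Server $Dns          # MaxNegativeTtl should now read 00:05:00

# One-off fix for a record the devs just published: drop the server's cache so the
# next lookup goes back out to the forwarder (this clears every cached name).
Clear-DnsServerCache -ComputerName $Dns -Force

# The workstation that asked first holds its own negative entry; flush that too,
# then ask the server directly over DNS (skipping LLMNR/NetBIOS and the hosts file).
Clear-DnsClientCache
Resolve-DnsName -Name 'newhost.example.com' -Type A -Server $Dns -DnsOnly -NoHostsFile
```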
Win10 has some Per-App VPN stuff going on which is interesting. It started in Win8 and it seems like the direction they're gonna take. As already stated, DA is Windows only and also kinda poo poo to support.

Oct 10, 2015 02:05

Zero VGS posted: Supposing I go with something else, does anything exist to actually mimic an "always-on" VPN? The closest I've seen is LogMeIn Hamachi, though I don't know if I'd trust that at an enterprise level.

I think Cisco AnyConnect can do this if set up correctly. I know I've used it in the past for iPads that needed VPN connections right away (the horror).

Oct 12, 2015 15:23

Rumor: Windows Server licensing is moving to SQL-style licensing.

https://www.reddit.com/r/sysadmin/comments/3okd38/you_thought_microsoft_sql_server_licensing_was/

Sounds like something they'd do to increase revenue.

Oct 14, 2015 15:59

incoherent posted: Rumor: Windows Server licensing is moving to SQL-style licensing.

I posted over there, and unfortunately this seems way too plausible to me. I hope it's wrong though.

Oct 14, 2015 16:34

Makes sense for them to do this. Our latest hosts are E5-2699 v3s with 36 physical cores per box. Licensing has been trying to keep up with core density and virtualization for a while. Spending only 6K per host for unlimited Windows VMs is awesome, so I'm not surprised they're going to change it.

Oct 14, 2015 16:48

That loud sound you hear is the collective sigh of Intel and AMD engineers as they find out they have to completely redesign their architecture again because of stupid licensing reasons.

Oct 14, 2015 18:58

incoherent posted: Rumor: Windows Server licensing is moving to SQL-style licensing.

Haha, we just had a conversation about that internally last week (all speculation of course). That is going to super gently caress us over if that happens (we're a service provider with SPLA).

EDIT: In other random speculation move, Ignite got moved from May (in Chicago) to September (in Atlanta). I'm guessing Server 2016 won't be coming out until Q3 of 2016 then. http://blogs.microsoft.com/blog/2015/10/14/microsofts-2016-event-lineup/

Maneki Neko fucked around with this message at 19:31 on Oct 14, 2015

Oct 14, 2015 19:00

Yo Zero VGS, you're getting a little closer to having your AD in the Cloud you want https://azure.microsoft.com/en-us/pricing/details/active-directory-ds/

Oct 14, 2015 21:54

skipdogg posted: Yo Zero VGS, you're getting a little closer to having your AD in the Cloud you want

He's just going to put his Active Directory in OneDrive, it'll work fine.

Oct 14, 2015 22:15

skipdogg posted: Yo Zero VGS, you're getting a little closer to having your AD in the Cloud you want

At last. I was about to experiment with Amazon's Simple AD but I can't help thinking something from Microsoft is going to work better.

Oct 14, 2015 22:53

Looking at the docs, it looks like it's still not designed to service end users and normal computers. *yet*

Oct 14, 2015 23:10

skipdogg posted: Looking at the docs, it looks like it's still not designed to service end users and normal computers. *yet*

As long as it can authenticate my O365 users against LDAP so we can sign into my on-site NAS, Wi-Fi, and VPN instead of having to maintain separate logins for those, I'm all over that poo poo. It's loving charity-level pricing for a change, too.

Oct 14, 2015 23:20

Zero VGS posted: As long as it can authenticate my O365 users against LDAP so we can sign into my on-site NAS, Wi-Fi, and VPN instead of having to maintain separate logins for those, I'm all over that poo poo. It's loving charity-level pricing for a change, too.

Gotta get you hooked for cheap before they gently caress you in the rear end for renewals.

Oct 14, 2015 23:26

skipdogg posted: Looking at the docs, it looks like it's still not designed to service end users and normal computers. *yet*

Yeah, I was getting a touch carried away. It's an AD domain that I guess runs using the Azure AD Connect tool and you can bind Azure VMs to it, but it doesn't yet work across a VPN link. Still, a 'proper' domain replicated in the cloud for that sort of pricing is decent.

Oct 14, 2015 23:27

I have a DNS architecture across 4 separate forests/domains (with trusts between them) that I'm trying to simplify and make consistent due to turnover in staff over the years. Depending on the domain, some use conditional forwarding for DNS to the other namespaces, some use zone transfers, and one uses a mixture of both. The eventual goal is to consolidate all resources to DomainA, but this is going to be a multi-year process. First up will be the end users/email/client devices, and I need to re-architect and document the DHCP/DNS configuration to support not only the eventual collapsing of domains, but adding on additional trusts/domain migrations to DomainA from other partner companies.

Each domain has of course the primary DNS suffix as a zone, but a couple also have some additional zones for the external DNS name for split-brain. We are also doing a mixture of full zone transfers/conditional forwarders of the DNS namespaces of some additional partner companies that do not have a trust through our MPLS.

DomainA, DomainB, and DomainC all live in Site1. DomainD is in Site2, which is also DR for DomainA/DomainB, so they have DCs for those domains as well. 100Mbit direct pipe between Site1 and Site2. Branch locations are a mixture of hub and spoke from Site2 with site-to-site VPNs or direct to the MPLS. None are large enough to warrant a DC on site.

Like all things AD architecture and DNS related, everyone has their own opinion. I have full ownership and control of all 4 domains so I don't have to coordinate with anyone else for DC changes, etc. What would be the current best practice for this situation? As I see it, I have three options:

- Full zone transfers between all domains every which way. Obnoxious to set up and maintain with 11 DCs.
- Stub zones. Much easier to maintain; need to make sure that SOA, etc. is set up correctly for each namespace.
- Conditional forwarders. Easiest, but not sure it's the best solution.

devmd01 fucked around with this message at 16:23 on Oct 15, 2015

Oct 15, 2015 16:14

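An added example, not from the thread, of devmd01's two lower-maintenance options (stub zone or conditional forwarder) created as AD-integrated, forest-replicated zones, so each remote namespace is configured once per forest and reaches every DNS-hosting DC through AD replication rather than per-DC setup on 11 DCs. Zone name and server addresses are placeholders.

```powershell
# Added example (not from the thread). Assumes the DnsServer module on a DC that
# runs DNS. Zone name and addresses below are placeholders.
$PartnerZone = 'domainb.local'
$PartnerDns  = @('10.1.0.10', '10.1.0.11')   # authoritative DNS servers for that zone

function Add-RemoteNamespace {
    param(
        [string]$Zone,
        [string[]]$Masters,
        [ValidateSet('Forwarder', 'Stub')][string]$Mode
    )
    if (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue) {
        Write-Warning "$Zone already exists on this server; leaving it alone"
        return
    }
    switch ($Mode) {
        'Forwarder' {
            # Queries for $Zone are sent to $Masters; nothing about the zone is
            # stored locally, so the list must be edited by hand whenever the
            # partner moves its DNS servers.
            Add-DnsServerConditionalForwarderZone -Name $Zone -MasterServers $Masters -ReplicationScope 'Forest'
        }
        'Stub' {
            # Only SOA/NS/glue records are copied from $Masters, and the NS list
            # then refreshes itself from the partner's SOA. The partner must allow
            # zone transfers of those records to your DCs (the SOA setup the post
            # mentions).
            Add-DnsServerStubZone -Name $Zone -MasterServers $Masters -ReplicationScope 'Forest'
        }
    }
}

Add-RemoteNamespace -Zone $PartnerZone -Masters $PartnerDns -Mode 'Stub'

# Once AD replication has run, any DC in the forest shows the zone:
Get-DnsServerZone -Name $PartnerZone |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, MasterServers
```

With four forests that is four runs of this in total, one per forest, instead of touching each of the 11 DCs.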
Tony Montana posted: GPO Preferences. You can tie maps to sec groups or a number of things, whatever makes more business sense. Depends on the GPO structure and strategy; some places like everything in nicely named sec groups so low-level staff can add and remove (or even managers with a delegated ADUC console). But if helpdesk is already filling in the Department field with a new hire and it's accurate, then why add another sec group that needs to be managed? It doesn't have to be one sec group per drive either.. but if your shares are DFS then just end up with something that takes the least administrative effort, is the most automated and the most robust. A mix is fine too; perhaps that Finance-Restricted sec group should be provisioned in a different way than the general drive.

OK, thanks!

Oct 15, 2015 16:55

devmd01 posted: I have a DNS architecture across 4 separate forests/domains (with trusts between them) that I'm trying to simplify and make consistent due to turnover in staff over the years. Depending on the domain, some use conditional forwarding for DNS to the other namespaces, some use zone transfers, and one uses a mixture of both. The eventual goal is to consolidate all resources to DomainA, but this is going to be a multi-year process. First up will be the end users/email/client devices, and I need to re-architect and document the DHCP/DNS configuration to support not only the eventual collapsing of domains, but adding on additional trusts/domain migrations to DomainA from other partner companies.

I will jump into this and give a detailed response, but you'll have to wait a few days. I've got a new contract starting Monday in our nation's capital, working on the Defense network! Pretty excited, fly-in-fly-out role for stupid money. Network engineering, these guys don't want me for Wintel.. even with just a CCNA you can do all sorts of interesting stuff in that space.

Oct 16, 2015 04:08

Maybe it's just Friday and I am tired, but I have a server that I can't log into. We use GP to put the Domain Admins into the Local Admins on every domain member machine, but it's not working.

- The machine returns MACHINENAME.DOMAIN.LOCAL from the IP in NSLOOKUP. Would the DNS servers accept information from non-domain machines? And clearly the context there would indicate that it's on the domain.
- There is no machine account I can find in AD. That's weird.

What am I missing here? Does GP not get applied to machines that are mysteriously on the domain somehow without a computer account?

Oct 16, 2015 21:25

AlternateAccount posted: - The machine returns MACHINENAME.DOMAIN.LOCAL from the IP in NSLOOKUP. Would the DNS servers accept information from non-domain machines? And clearly the context there would indicate that it's on the domain.

Yes. DNS doesn't care if the machine is a domain member or not, only that it (or an authority like a DHCP server) has the rights to name itself in DNS.

AlternateAccount posted: - There is no machine account I can find in AD. That's weird.

Yeah, that ain't good; re-add the computer to the domain. No machine account, no authentication to the domain. Also, you don't have to put Domain Admins into the local admin group, it's added automatically as part of a domain join.

Oct 16, 2015 21:33

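An added example, not from the thread, for checking AlternateAccount's situation from the server side: whether the box is really a domain member with a working secure channel, whether AD holds a computer account for it, and whether the local Administrators membership ever received the GPO change. It assumes an elevated PowerShell on the affected server and the RSAT ActiveDirectory module for the Get-ADComputer step.

```powershell
# Added example (not from the thread). Run elevated on the affected server; the
# Get-ADComputer step needs the ActiveDirectory module (or run it from a DC).

function Get-DomainMembershipState {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    # Test-ComputerSecureChannel returns $false when the computer password no
    # longer matches the account in AD, or the account is gone: the box cannot
    # authenticate to the domain and computer GPOs will not apply, which is the
    # symptom described above. It errors on a workgroup machine, hence the try.
    $channel = try { Test-ComputerSecureChannel -ErrorAction Stop } catch { $false }
    [pscustomobject]@{
        Computer        = $cs.Name
        PartOfDomain    = $cs.PartOfDomain   # False = workgroup, whatever DNS says
        Domain          = $cs.Domain
        SecureChannelOk = $channel
    }
}

# 1. What does the server think about itself?
$state = Get-DomainMembershipState
$state

# 2. Does AD actually hold an account for it? Empty output = no machine account.
Get-ADComputer -Filter "Name -eq '$($state.Computer)'" -Properties PasswordLastSet, LastLogonDate |
    Select-Object Name, Enabled, PasswordLastSet, LastLogonDate, DistinguishedName

# 3. Only when the account exists but the channel is broken: reset the computer
#    password in place instead of a leave/rejoin. Prompts for an account allowed
#    to reset the computer object. Commented out so the script is read-only.
# Test-ComputerSecureChannel -Repair -Credential (Get-Credential)

# 4. Did the GPO that adds Domain Admins to local Administrators ever apply?
#    On a healthy member Domain Admins is already there from the join itself.
net localgroup Administrators
gpresult /r /scope computer
```

If step 1 shows PartOfDomain = True but step 2 returns nothing, the account was deleted or never replicated, and the rejoin the reply suggests is the fix.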