https://technet.microsoft.com/en-us/library/security/ms15-127.aspx MS15-127 is out. Custom crafted DNS packets can execute remote code on the host server (which for lots of us is a DC). Really loving bad and who knows how long it's been around
|
# ? Dec 8, 2015 19:59 |
|
Roargasm posted:https://technet.microsoft.com/en-us/library/security/ms15-127.aspx gently caress off MS
|
# ? Dec 8, 2015 21:22 |
|
Hold off on it for a bit, the first two DCs I've done so far are sitting on a black screen after spinning in the booting logo for 10 minutes. They're not critical so it's not a big deal, it doesn't give me warm fuzzies for the other 10 I have to do.
|
# ? Dec 8, 2015 21:45 |
|
devmd01 posted:Hold off on it for a bit, the first two DCs I've done so far are sitting on a black screen after spinning in the booting logo for 10 minutes. They're not critical so it's not a big deal, it doesn't give me warm fuzzies for the other 10 I have to do. Just patched my DCs with no issues. You might have another problem
|
# ? Dec 8, 2015 21:59 |
|
I do, I forgot that the iscsi backing our vmware sucks. For some weird reason reboots sometimes take forever.
|
# ? Dec 8, 2015 22:16 |
|
Had a user issue today that stumped my other co-workers and even the seniors I spoke to. A client submitted a ticket that the internet was not working on their computer in IE. Established a remote session so SOME of the internet was working, was able to load msn.com, unable to load google.com, <company>.com, etc. Upon further investigation ALL websites would load in Firefox or Chrome. Reset all IE settings to default, verified trusted zones. User was on a DOMAIN\Guest account, MSE.exe was also non-functional, creating DOMAIN\Test was able to use IE perfectly fine. At this point we had a few easy resolutions to the ticket, "Advise user not to use IE", "Advise client to disable DOMAIN\Guest and substitute DOMAIN\Visitor" both the 'easy' way out. By this point I had pieced together that the issue was with https websites, verified on another client's network that their DOMAIN\Guest account (which nobody uses) was able to work perfectly fine. Further reading of answers.microsoft.com and some technet articles presented some resolutions to do with verifying that IE11 had some issues with some SSL and TLS versions, suggested disabling SSL 1.0 and TLS <1.2 and verifying that IE11 was using 128bit encryption. I did not get around to checking either of those options for a successful resolution. I stumbled upon what I consider to be a bit of a band-aid fix at this point which is partially what we ended up going with, but granting the Guest account Read access to HKLM\Software\Policy\Microsoft resolved the problem on the spot, but I'm unconvinced that this was a permanent solution. I suggested pushing the policy as a GPO until a more permanent solution could be found but the Sr working the case went with a local edit on only the machine the client was calling about. Mind the client has 200+ workstations across 3 remote locations, but I didn't want to push the issue any further. Has anyone come across anything like this before?
|
# ? Dec 9, 2015 07:36 |
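The post above fixed one machine by hand-editing a registry ACL and then worried about the other 200+. The following is an added example, not code from anyone in the thread: it audits the ACL on the policy key the post names (taken here as HKLM\SOFTWARE\Policies\Microsoft, the key as Windows spells it) across a list of workstations, reports which ones lack a Read entry for the account, and can add the same Read ACE the post used where it is missing. It assumes WinRM is enabled on the targets; the account and computer names are placeholders.

```powershell
# Added example, not from the thread: audit (and optionally fix) the Read ACE
# for one account on the policy key, across several workstations at once.
$Account   = 'DOMAIN\Guest'                 # placeholder principal
$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft'
$Computers = 'WS-PLACEHOLDER-1', 'WS-PLACEHOLDER-2'
$ApplyFix  = $false                         # $true adds the ACE where it is missing

$audit = {
    param($Account, $KeyPath, $ApplyFix)
    $read = [System.Security.AccessControl.RegistryRights]::ReadKey
    $acl  = Get-Acl -Path $KeyPath

    # Only ACEs naming the account directly are considered; rights it may get
    # through group membership (Users, Everyone, ...) are not resolved here.
    $mine  = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $Account }
    $allow = $mine | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (($_.RegistryRights -band $read) -eq $read)
    }
    $deny  = $mine | Where-Object { $_.AccessControlType -eq 'Deny' }

    $fixed = $false
    if ($ApplyFix -and -not $allow -and -not $deny) {
        # Read on this key and everything below it, the same grant the post made by hand
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $Account, $read, 'ContainerInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $KeyPath -AclObject $acl
        $fixed = $true
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        HasRead  = [bool]$allow
        HasDeny  = [bool]$deny    # an explicit Deny wins over any Allow
        Owner    = $acl.Owner
        Fixed    = $fixed
    }
}

Invoke-Command -ComputerName $Computers -ScriptBlock $audit -ArgumentList $Account, $KeyPath, $ApplyFix |
    Format-Table Computer, HasRead, HasDeny, Owner, Fixed -AutoSize
```

Run it first with `$ApplyFix = $false` to see how many machines differ from the one that was fixed; a machine reporting `HasDeny = True` has a different problem than a missing Allow. For a fleet of 200+ workstations the GPO route the poster suggested (Computer Configuration > Windows Settings > Security Settings > Registry) delivers the same ACE everywhere and reapplies it if someone changes it back.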
|
No, but that sounds like something that should have been reimaged as soon as you said MSE was not working. Also unless something changed recently MSE is not licensed for business use over (25?) PCs.
|
# ? Dec 9, 2015 15:54 |
|
I've gone through every GPO I can possibly see and do not see anything managing Internet Explorer anymore, yet after a gpupdate, everything is still greyed out in internet explorer and it still says "some things are managed by your system administrator". Why the gently caress?
|
# ? Dec 9, 2015 16:03 |
|
kiwid posted:I've gone through every GPO I can possibly see and do not see anything managing Internet Explorer anymore, yet after a gpupdate, everything is still greyed out in internet explorer and it still says "some things are managed by your system administrator". Why the gently caress? Local policy? Is this one machine, or many?
|
# ? Dec 9, 2015 16:06 |
|
Walked posted:Local policy? Is this one machine, or many? Many. Edit: nevermind, I think I found the rogue GPO causing issues. kiwid fucked around with this message at 16:18 on Dec 9, 2015 |
# ? Dec 9, 2015 16:09 |
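Finding the rogue GPO by reading every policy in the console is what the posts above describe; the following is an added example, not code from the thread, that does the same search from PowerShell. It lists every domain GPO whose report mentions Internet Explorer together with where that GPO is linked, then answers Walked's "Local policy?" question by dumping the local policy keys IE actually reads. It needs the GroupPolicy module from RSAT; searching the report as text with the pattern `Internet Explorer` is an assumption about how the report labels those settings.

```powershell
# Added example, not from the thread: which GPOs touch Internet Explorer, and
# what IE policy values are present on this machine right now.
Import-Module GroupPolicy

$Pattern = 'Internet Explorer'

$domainHits = foreach ($gpo in Get-GPO -All) {
    # Get-GPOReport returns the whole GPO report as one XML string
    $xmlText = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    if ($xmlText -notmatch [regex]::Escape($Pattern)) { continue }

    $report = [xml]$xmlText
    [pscustomobject]@{
        GPO      = $gpo.DisplayName
        Status   = $gpo.GpoStatus      # AllSettingsEnabled, UserSettingsDisabled, ...
        LinkedTo = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath }) -join '; '
    }
}

'--- Domain GPOs that touch Internet Explorer ---'
$domainHits | Format-Table -AutoSize

# Local side: whatever wrote them (a domain GPO, local group policy, or a
# registry write left behind), these keys are what IE reads when it shows
# "some settings are managed by your system administrator".
$localKeys = 'HKLM:\Software\Policies\Microsoft\Internet Explorer',
             'HKCU:\Software\Policies\Microsoft\Internet Explorer'

'--- Policy values present on this machine ---'
foreach ($root in $localKeys) {
    if (-not (Test-Path $root)) { continue }
    $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse)
    foreach ($key in $keys) {
        foreach ($valueName in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key.Name
                Value = $valueName
                Data  = $key.GetValue($valueName)
            }
        }
    }
}
```

A GPO that appears in the first table but is unlinked or has its user side disabled cannot be the cause, so the link and status columns narrow the list quickly. If the second table shows values but the first is empty, the setting is coming from local group policy or was left in the registry, and `gpresult /h rsop.html` on the affected machine will show which policy (if any) is still winning each setting.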
|
Not sure if I found this in this thread or somewhere else. In any event it wouldn't hurt to repost it. This link is awesome for searching for a group policy or task but you aren't sure where to find it buried. http://gpsearch.azurewebsites.net
|
# ? Dec 9, 2015 16:35 |
|
MS DNS services are apparently open to exploit by way of crafted DNS-related requests. https://technet.microsoft.com/en-us/library/security/ms15-127.aspx Today is two weeks from when we set up a good DNS scheme for redundancy, so we can patch it right now.
|
# ? Dec 9, 2015 20:20 |
|
Extra dangerous because DNS is basically never going to be firewalled off from your DCs and critical infrastructure no matter how you're set up. Keep strangers off your network and assume you've already been owned
|
# ? Dec 9, 2015 20:36 |
|
Roargasm posted:Keep strangers off your network Public Wifi and Production network segments go hand in hand.
|
# ? Dec 9, 2015 20:37 |
|
Potato Salad posted:MS DNS services are apparently open to exploit by way of crafted DNS-related requests. I patched all 16 domain controllers across the six domains I administer in the middle of the day yesterday, nobody complained. Just do them one at a time, clients can always go to another DNS server/global catalog.
|
# ? Dec 9, 2015 21:35 |
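Patching DCs one at a time, as the post above did, only works as long as you confirm each one is back and serving DNS before taking down the next. The following is an added example, not code from anyone in the thread: it walks every DC in the domain and reports whether the MS15-127 update is installed and whether that DC's DNS service answers for the domain zone. It needs the ActiveDirectory module and Resolve-DnsName (Windows 8 / Server 2012 or later). The KB number is a placeholder: MS15-127 lists a different article number per OS version, so take yours from the bulletin.

```powershell
# Added example, not from the thread: per-DC check of "is the MS15-127 update
# installed" and "is this DC's DNS service actually answering".
Import-Module ActiveDirectory

$Kb        = 'KB0000000'                   # placeholder: KB number from the MS15-127 bulletin for your OS
$ProbeName = (Get-ADDomain).DNSRoot        # every DC is authoritative for this, so no forwarding is involved

$status = foreach ($dc in (Get-ADDomainController -Filter * | Sort-Object HostName)) {
    $name = $dc.HostName

    # Get-HotFix reads Win32_QuickFixEngineering on the remote DC and errors
    # when the KB is absent or the DC is unreachable; both count as not patched.
    try {
        $patched = [bool](Get-HotFix -Id $Kb -ComputerName $name -ErrorAction Stop)
    } catch {
        $patched = $false
    }

    # Ask that DC's DNS directly rather than the client's resolver list, so a DC
    # still stuck at the boot logo (devmd01's case) shows up before the next reboot.
    try {
        $null  = Resolve-DnsName -Name $ProbeName -Server $name -DnsOnly -ErrorAction Stop
        $dnsUp = $true
    } catch {
        $dnsUp = $false
    }

    [pscustomobject]@{
        DC      = $name
        Site    = $dc.Site
        Patched = $patched
        DnsUp   = $dnsUp
    }
}

$status | Format-Table -AutoSize
# Patched = False: still exposed to MS15-127.  DnsUp = False: fix before the
# next DC in the list is taken down, or clients lose a fallback resolver.
```

Run it once before starting to get a baseline, and again after each DC reboots; the list should never show more than one DC with `DnsUp = False` at a time if clients are to keep a working fallback as the post says.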
|
Potato Salad posted:MS DNS services are apparently open to exploit by way of crafted DNS-related requests. And you all laughed at me when I said to just run DNS off the core switch instead. Who's laughing now? No patching plus I don't gotta buy CALs!
|
# ? Dec 9, 2015 21:41 |
|
Installing sccm/scom/scvmm sucks so much
|
# ? Dec 10, 2015 00:34 |
|
Methanar posted:Installing sccm/scom/scvmm sucks so much I did an initial deployment/config about 4 years ago. It definitely wasn't the most straight forward thing in the world.
|
# ? Dec 10, 2015 00:41 |
|
Methanar posted:Installing sccm/scom/scvmm sucks so much Are you installing the newest version? SCCM 2012 R2 CU4 Rev 5 Alpha LE? Good luck, the install is a pain. I remember just trying to get a handle on the hardware requirements was a pain.
|
# ? Dec 10, 2015 15:00 |
|
1511 is out now, by the way.
|
# ? Dec 10, 2015 18:37 |
|
SQL needs a specific collation BaseballPCHiker posted:Are you installing the newest version? SCCM 2012 R2 CU4 Rev 5 Alpha LE? I can't tell if that's a real version or not. But no, I am doing sccm 2016 technical preview 4 right now. http://www.microsoft.com/en-us/evalcenter/evaluate-system-center-2012-r2-configuration-manager-and-endpoint-protection
|
# ? Dec 10, 2015 19:12 |
|
The most recent version before 1511 was just released was 2012 R2 SP1 CU2. So not quite but pretty close. So glad that word salad is going away.
|
# ? Dec 10, 2015 22:06 |
|
Not sure where else to put this, but I have a SQL question. Is there an easy way to audit/determine what privileges an account truly needs for database access? I'm building out a new environment for an application we run and the web tier goes in our DMZ, with a pinhole back to the alwayson availability group IP. The vendor wants the account to be SA and I'm saying gently caress that, but they won't give me any details on specific requirements. I granted the account db_owner and everything else to the specific database once I took SA away, and I'm still getting errors about SELECT being denied.
|
# ? Dec 11, 2015 15:59 |
|
Question: Can an NLB cluster live on top of a failover cluster? We want hardware level resiliency (obviously), but also have an internally developed web application that we'd like to have multiple web-server nodes. They're not heavy load enough to justify multiple hardware nodes, but we'd like the resiliency at the web server VM level as well. Doable? No go? I have NLB stuff living in VMware, and Hyper-V, but I've never sat it upon a failover cluster.
|
# ? Dec 11, 2015 19:43 |
|
NLB and failover are mutually exclusive. Methanar fucked around with this message at 20:23 on Dec 11, 2015 |
# ? Dec 11, 2015 19:58 |
|
Methanar posted:NLB and failover are mutually exclusive. I think you're referring to on a single host. I want to have VMs running NLB on top of a Hyper-V failover cluster.
|
# ? Dec 11, 2015 20:38 |
|
Walked posted:I think you're referring to on a single host. Oh a hyperV failover, I misread your question. I'd imagine you can then, one is a VM level redundancy and one is a host level. But I'm not 100% sure and google doesn't show much either.
|
# ? Dec 11, 2015 20:50 |
|
Methanar posted:Oh a hyperV failover, I misread your question. Yeah; same - I'm just wondering if it is against any best practices to do so due to the MAC spoofing that NLB does; but I don't think it'll cause any issues really. Probably put this one into a lab environment first - failover cluster some NUCs to test I guess
|
# ? Dec 11, 2015 21:19 |
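The MAC spoofing concern in the post above is a per-VM network adapter setting on Hyper-V, and on a failover cluster it is easy to lose track of which VM on which node has it turned on. The following is an added example, not code from the thread: it walks every node of the cluster, lists each VM's adapters with their MAC address spoofing setting, and flags drift against a simple rule (on for the NLB web nodes, off for everything else). It assumes the FailoverClusters and Hyper-V modules are present on the node it runs from; the VM name prefix is a placeholder.

```powershell
# Added example, not from the thread: inventory MAC address spoofing on every
# clustered VM so it is enabled only on the NLB members.
Import-Module FailoverClusters, Hyper-V

$NlbNodePrefix = 'web-'   # placeholder: the VMs that form the NLB cluster

$report = foreach ($node in (Get-ClusterNode | Where-Object State -eq 'Up')) {
    # Get-VM against each node returns the VMs currently running there,
    # including clustered ones that may move on the next failover.
    Get-VM -ComputerName $node.Name | Get-VMNetworkAdapter | ForEach-Object {
        $expected = if ($_.VMName -like "$NlbNodePrefix*") { 'On' } else { 'Off' }
        $actual   = "$($_.MacAddressSpoofing)"
        [pscustomobject]@{
            VM       = $_.VMName
            HostNode = $node.Name
            Adapter  = $_.Name
            Spoofing = $actual
            Expected = $expected
            Drift    = ($actual -ne $expected)
        }
    }
}

$report | Sort-Object Drift -Descending, VM | Format-Table -AutoSize
```

Anything with `Drift = True` is either an NLB member that will not work after it is migrated (spoofing off) or a VM that can forge source MACs without needing to (spoofing on). `Set-VMNetworkAdapter -ComputerName <node> -VMName <vm> -MacAddressSpoofing On` or `Off` corrects a single row; because the setting lives in the VM configuration it follows the VM across cluster nodes, so it only needs setting once per VM.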
|
Walked posted:Yeah; same - I'm just wondering if it is against any best practices to do so due to the MAC spoofing that NLB does; but I don't think it'll cause any issues really. Probably put this one into a lab environment first - failover cluster some NUCs to test I guess I asked one of my mentors your original question and he had an interesting response quote:The two technologies will not run concurrently on the same install as they are intended for different purposes, thus what could be done:
|
# ? Dec 11, 2015 22:59 |
|
Can anyone explain to me what Orchestrator is for? Not what it does, I get that, but really, *what is it for?* It gives you this fancy interface for automating tasks, but more often than not it just ends up being that the integration packs don't do what you want, so you're just back to writing Powershell code anyway. At which point I'd rather just write clean powershell code instead of all the nonsense it takes to shove a script into Orchestrator.
|
# ? Dec 11, 2015 23:12 |
|
Methanar posted:I asked one of my mentors your original question and he had an interesting response Thanks - kinda a different approach but not far off what I'm looking to do. Going to set this up in a lab and see where we end up.
|
# ? Dec 12, 2015 00:32 |
|
FISHMANPET posted:Can anyone explain to me what Orchestrator is for? Not what it does, I get that, but really, *what is it for?* You understand it completely. The vision is drag and drop automation with Integration Packs providing all of the actions you need. The reality is as you have already said a tool to string together powershell scripts. Granted there are some benefits in having Orchestrator as the launch platform for them such as allowing unprivileged users to do tasks that would require elevated privileges or using it as an integration piece with Service Manager (building workflows into SCSM MPs is horrific compared to simply connecting up a runbook activity).
|
# ? Dec 12, 2015 21:07 |
|
IT Manager and my boss (Manager of Operations) have tasked me with assisting our IT dept with setting up an AD infra to replace an aging Apple OpenDirectory installation that serves both as a fileserver and authentication point for 4 or so sites. I guess being the only person at the company with AD experience has its drawbacks We have a remote domain controller (sitename#-dc1) and a domain name (company.xyz) and multiple sites (sitename1, sitename2, sitename3). Is it better to just put everything under the main domain naming structure (so domain controllers are named like sitename#-dc#.company.xyz) or actually separate everything out via a DNS structure (sitename#-dc#.sitename#.company.xyz) or not even worry about that, and (as needed) create sub-domains in the AD DNS server to match those site names?
|
# ? Dec 13, 2015 02:20 |
|
How big are your sites (users, servers, etc) and what are the network links between them? You need to provide more information since what you're basically asking is help with standing up a new AD environment, and there are a lot of things to consider when doing so. Stick with the one existing domain unless there is some compelling need to be different from that. Don't bother with a subdomain unless there are good organizational reasons to do so. Given that it sounds like you're not using AD currently, get the basics stood up first and stable then worry about it from there.
|
# ? Dec 13, 2015 03:17 |
|
devmd01 posted:How big are your sites (users, servers, etc) and what are the network links between them? You need to provide more information since what you're basically asking is help with standing up a new AD environment, and there are a lot of things to consider when doing so. Not really sure, one site I think has ~50 or so users, the other 100+ and growing, the main site is probably around 100 as well. The intra-site links are via IPsec VPN & standard business class internet.
|
# ? Dec 14, 2015 04:42 |
|
devmd01 posted:Not sure where else to put this, but I have a SQL question. Is there an easy way to audit/determine what privileges an account truly needs for database access? I'm building out a new environment for an application we run and the web tier goes in our DMZ, with a pinhole back to the alwayson availability group IP. The vendor wants the account to be SA and I'm saying gently caress that, but they won't give me any details on specific requirements. I granted the account db_owner and everything else to the specific database once I took SA away, and I'm still getting errors about SELECT being denied.
|
# ? Dec 14, 2015 23:27 |
|
wyoak posted:If 'everything else' includes the db_denydatareader and db_denydatawriter roles ...I'm a god damned idiot. But apparently our dba/business apps guy is too, because he missed that as well when I ran it by him for a sanity check. Thanks!
|
# ? Dec 15, 2015 01:54 |
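The exchange above (the db_owner account that still gets "SELECT permission was denied", resolved by spotting the db_denydatareader / db_denydatawriter membership) is the kind of thing a query answers faster than a sanity check by a colleague. The following is an added example, not code from anyone in the thread: it lists the database roles the application user belongs to, flags the fixed db_deny* roles that override everything else, lists any explicit DENY entries, and then impersonates the user to test effective SELECT on one table. It uses Invoke-Sqlcmd from the SqlServer module (SQLPS on older installs); the instance, database, user and table names are placeholders, and it is meant to be run as a database owner or sysadmin, since EXECUTE AS needs impersonate rights.

```powershell
# Added example, not from the thread: why does a db_owner still get SELECT denied?
Import-Module SqlServer

$Instance = 'AG-LISTENER-PLACEHOLDER'   # the AlwaysOn listener the DMZ pinhole points at
$Database = 'AppDbPlaceholder'
$AppUser  = 'app_user_placeholder'      # the database user, not the server login
$Table    = 'dbo.SomeTable'             # a table the application reads

# Single-quoted here-string: $(AppUser) and $(Table) are left for Invoke-Sqlcmd
# to substitute via -Variable, not expanded by PowerShell.
$query = @'
-- 1. Direct role memberships; any db_deny* fixed role beats db_owner and every GRANT
SELECT  'role' AS kind, r.name AS item,
        CASE WHEN r.name LIKE 'db_deny%' THEN 'fixed DENY role: overrides db_owner' ELSE '' END AS note
FROM    sys.database_role_members drm
JOIN    sys.database_principals r ON r.principal_id = drm.role_principal_id
JOIN    sys.database_principals u ON u.principal_id = drm.member_principal_id
WHERE   u.name = '$(AppUser)'
UNION ALL
-- 2. Explicit DENY entries granted to the user itself (state 'D')
SELECT  'deny', permission_name + ' ON ' + class_desc, 'explicit DENY'
FROM    sys.database_permissions
WHERE   grantee_principal_id = DATABASE_PRINCIPAL_ID('$(AppUser)') AND state = 'D';

-- 3. The effective answer, as the application would see it; HAS_PERMS_BY_NAME honours DENY
EXECUTE AS USER = '$(AppUser)';
SELECT  'effective' AS kind,
        'SELECT on $(Table)' AS item,
        CASE HAS_PERMS_BY_NAME('$(Table)', 'OBJECT', 'SELECT') WHEN 1 THEN 'allowed' ELSE 'denied' END AS note;
REVERT;
'@

Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query $query `
    -Variable "AppUser=$AppUser", "Table=$Table" |
    Format-Table kind, item, note -AutoSize
```

In the thread's case the first result set shows `db_denydatareader` with the "overrides db_owner" note and the last row reads `denied`; `ALTER ROLE db_denydatareader DROP MEMBER [app_user];` (SQL Server 2012 and later) removes the membership. For the original question of what the account truly needs, this same query is the check to rerun after starting the account at db_datareader and db_datawriter plus EXECUTE on its procedures and letting the application's own failures, rather than the vendor's request for SA, add the rest.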
|
Can anyone run me through baby's first Server documentation and change-request process? I have a small shop but I want to go through the motions so I know how to handle a big shop. I just spun up a VM for a new application. Lets say it's Sophos Safeguard + its SQL database. What do I put in the documentation about this server? When and why would I do a change request, and what would it contain?
|
# ? Dec 15, 2015 05:28 |
|
Swink posted:Can anyone run me through baby's first Server documentation and change-request process? I have a small shop but I want to go through the motions so I know how to handle a big shop. Whatever you changed from the default configuration. Whenever you change the configuration.
|
# ? Dec 15, 2015 10:07 |
|
|
SCCM 2012 R2 sanity check. I'm still very new to SCCM. I'm working on a deployment of Office 2013 (One Click Installer from Office 365) and I've got most of the kinks worked out. Office 2013 supersedes Office 2010 and Lync 2010. Took a while to get this all sorted, but it's working. I had to build Apps in SCCM for each of those as well so the uninstall script would run properly and cleanly. Office 2013 will NOT install while Visio 2013 is installed. Since Visio 2013 isn't part of the Office 2013 package, I need to uninstall it, and then re-install after the Office 2013 deployment (Unless there is something I'm missing). I thought I could build an App for Visio 2013 (with install and uninstall info), supersede this Visio install with Office 2013 (so the Office 2013 deployment uninstalls Visio) and then create another Visio 2013 App that has the Office 2013 installation as a pre-req. Deploy both Visio apps to the usergroup which needs it, and that should cover it. Does that seem to make sense? Am I going about this in a stupid way?
|
# ? Dec 15, 2015 17:36 |