|
The best practice these days is subdomain.domain.com, not domain.local or an equivalent. So internal.wiggleyssprockets.com as opposed to wiggleyssprockets.local. It makes hybrid cloud and SSO easier in the long run. On naming... It's a bit like server names. If you put any truly accurate description in the name it can always be a liability, but if you don't, what's the point of a name? Obviously if you're dealing with cattle and not pets this argument goes away, but for the rest of us it's a bit of a balance. I say include the company name in some fashion. If you are getting bought out changing that type of stuff (or setting up a domain trust) is going to happen either way. I wouldn't put a physical address in a server name... But company name in your AD domain seems appropriate. Internet Explorer fucked around with this message at 17:01 on Apr 24, 2016 |
# ? Apr 24, 2016 15:35 |
|
Agreed, the use of .local is a bad practice and while there are workarounds it still makes things complicated.
|
# ? Apr 24, 2016 16:24 |
|
Tab8715 posted:Agreed, the use of .local is a bad practice and while there are workarounds it still makes things complicated. I see people say this all the time, but never really any good reasons why, other than possible issues with Bonjour/Apple products and internal use SSL certificates. Our domain is a .local; it was created many years ago when this was still considered best practice. The only thing we ran into was no longer being able to get SSL certs from an already trusted vendor, which prompted us to finally setup our own CA. This turned out to be a much better arrangement anyways. stevewm fucked around with this message at 16:39 on Apr 25, 2016 |
# ? Apr 25, 2016 13:58 |
|
stevewm posted:I see people say this all the time, but never really any good reasons why, other than possible issues with Bonjour/Apple products and internal use SSL certificates. There's plenty of blog posts and articles about why not to do it online. http://www.mdmarra.com/2012/11/why-you-shouldnt-use-local-in-your.html is one of them. Yeah it works, but it's not best practice. We run a .internal, it's a pain in the rear end sometimes, luckily it's going away and the company that bought us does it the right way. One of the things I worry about is all the new TLDs coming out. In 5 or 10 years it's very possible there is an actual .local TLD out there and then all sorts of problems will pop up.
|
# ? Apr 25, 2016 16:52 |
|
Agreed, it breaks multiple RFCs too, but if the domain's already .local then leave it as is; if you're creating a new one, just don't.
|
# ? Apr 25, 2016 16:55 |
|
AFAIK the Bonjour issue is only if you have a domain called 'local', 'domain.local' is less of an issue. It's still bad because of the certificate issue and there just being no good reason to do it. I would be very surprised if there was ever a .local TLD though.
|
# ? Apr 25, 2016 22:55 |
|
Zero VGS posted:When I started this gig a few years ago we had 300 PCs all on "workgroup" with no domain controller in sight.
How does this work? Does it still show the PCs are members of contoso.com?
Zero VGS posted:It is overall pretty great with some bugs and poo poo not hooked up yet. People log in to the PC with their Office 365 username and password, and if I change the password they're completely locked out (especially with BitLocker enabled). When they sign in, Windows 10 passes the token to IE and Edge to give them single-sign-on to Azure stuff like portal.office.com, and things that I'd enabled for O365 Azure AD SAML such as Freshdesk. I still haven't figured out how to get the SSO working on Chrome but people just save their O365 password on Chrome anyways.
What's Freshdesk?
Zero VGS posted:Bugs include the fact that 10% of my users over the last year had the pin login option magically vanish, so that they have to go back to using their O365 password to sign in (usually you can toggle to choose between either, which is nice if they forget one, they have two ways to log in), and 1% of people had both pin and password just completely stop working properly, so I'd have to unjoin the laptop from Azure AD Join and rejoin to fix the issue. Microsoft just loving shrugged at me when I put in a ticket for it.
When they closed out the ticket and sent the customer survey, did you complete it? Did you speak with your Account Rep? Some problems are incredibly tough to solve but that's no excuse.
Zero VGS posted:So, I can't answer your questions on how Okta/DomainJoin/DirectAccess work because I don't use any of those. I just have a domain-free environment with logins managed with Azure AD Join and Apps / Group Policy pushed out by PDQ Deploy (you can set local group policy on one PC and just push the GP folder to other PCs, works fine).
Could you go deeper into PDQ Deploy? How exactly does this work?
Zero VGS posted:As far as Azure AD Join maturing, Microsoft needs to get their heads out of their asses and make a loving "Azure AD Domain Services" that actually works. It was supposed to be an Azure-hosted IP that you can connect to as a cloud domain controller that could pass group policy and run LDAP against your O365 users, but it's only in their VPN, and it's loving rocket science to get my site-to-site VPN to connect to it. Basically they want it to only work to give Azure VMs a domain controller and never connect your endpoints to it.
Who gave you the idea that Azure AD Domain Services were a domain controller replacement? They're not; it's just an alternative to deploying a pair of Azure IaaS VMs running Windows Server AD DS in an Availability Set (Azure AD DS). A VPN to an Azure Virtual Network is well documented with configuration examples on GitHub (Azure VPN Network Configs). Azure AD is somewhat LDAP-compliant, but it's honestly a completely custom directory service, and you don't want LDAP queries going across the internet. The best options are AD PowerShell or the Azure AD Graph API. What exactly are you trying to accomplish with the VPN or Wifi? A lot of this functionality exists only in on-premises solutions and not, at least today, in the cloud.
Zero VGS posted:The insulting thing is even it is considered "Preview", and yet you still have to pay them like $40/month to even try it.
Welcome to agile development. Customers want solutions now and they're even willing to pay for unfinished products.
Zero VGS posted:It's OK, I think the real problem is just that that Azure portal is way, way harder to use than AWS. I got a secure site-to-site up on that perfectly fine where Azure is some heinous jumble of powershell commands and garbage.
A jumble of commands? It's nearly the exact same thing as any command-line interface, VMware, Bash, etc., but simplified.
|
# ? Apr 26, 2016 04:19 |
|
|
# ? Apr 26, 2016 05:44 |
|
devmd01 posted:talk to me about powershell remoting, after reading this i'm convinced I need it. At its most basic, you can do code:
Or, if you only want to run a single command, you can use code:
And the probably coolest thing, if you want to run cmdlets that the local machine does not know, you can use (example for Exchange) code:
|
# ? Apr 26, 2016 16:50 |
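Added example for the three remoting patterns the reply above describes (interactive session, one-off Invoke-Command, and implicit remoting for Exchange). This is not code from any poster in the thread; the host names, mailbox name and service names are hypothetical placeholders, and it assumes WinRM is already enabled on the targets (Enable-PSRemoting on a domain member) and that you are running it from a domain-joined admin workstation so Kerberos does the authentication.

```powershell
# Added example, not from the original post. Hypothetical host names.
# Assumption: WinRM/PSRemoting is enabled on the targets and you have
# admin rights there; with Kerberos the session is authenticated and
# encrypted even over plain HTTP/5985.
$Servers = 'dc01.internal.wiggleyssprockets.com',
           'app01.internal.wiggleyssprockets.com'

# 1. Interactive session: a prompt on the remote box, leave with 'exit'.
#    (Commented out because it only makes sense at an interactive console.)
# Enter-PSSession -ComputerName $Servers[0]

# 2. One-off command fan-out: the script block runs on every target in
#    parallel; results come back as deserialized objects tagged with
#    PSComputerName so you can tell which host said what.
$services = Invoke-Command -ComputerName $Servers -ScriptBlock {
    Get-Service -Name 'W32Time', 'Netlogon' |
        Select-Object Name, Status, StartType
}
$services | Format-Table PSComputerName, Name, Status, StartType -AutoSize

# Local variables are not visible inside the remote script block; pass them
# with $using: (or -ArgumentList). Here: errors from the last day on each host.
$since = (Get-Date).AddDays(-1)
Invoke-Command -ComputerName $Servers -ScriptBlock {
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 2; StartTime = $using:since } `
                 -ErrorAction SilentlyContinue |
        Select-Object -First 5 TimeCreated, Id, ProviderName
} | Format-Table PSComputerName, TimeCreated, Id, ProviderName -AutoSize

# 3. Implicit remoting: import cmdlets this machine does not have (the
#    Exchange management shell) as local proxy functions that execute on
#    the server. Only the cmdlets named in -CommandName are imported.
$exchSession = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'http://exch01.internal.wiggleyssprockets.com/PowerShell/' `
    -Authentication Kerberos
Import-PSSession -Session $exchSession -CommandName 'Get-Mailbox' -AllowClobber | Out-Null
Get-Mailbox -Identity 'jdoe' | Select-Object DisplayName, PrimarySmtpAddress, Database
Remove-PSSession -Session $exchSession
```

Two caveats worth knowing before you lean on this: a remote session holds a Kerberos ticket for the target only, so a script block that then tries to reach a third machine (a file share, SQL) fails with an access denied unless you set up constrained delegation or CredSSP (the second hop problem); and if you ever pass -Credential explicitly, build the PSCredential from a prompt or a DPAPI-protected export, never from a password literal in the script.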
|
Tab8715 posted:How does this work? Does it still show the PCs are members of contoso.com?
The PCs are in a weird purgatory where "This PC -> Properties" has a blank domain, and Workgroup: WORKGROUP. But if you go to Windows 10 "PC Settings -> System -> About", it says Organization: ourOrganization with a "Disconnect from organization" button. That's how Windows 10 Cloud Join works.
Tab8715 posted:What's Freshdesk?
It is a freemium online IT Helpdesk SaaS. It's actually very nice, I prefer it to Zendesk and Spiceworks as a helpdesk software. I was just using it as an example of one of the SaaS sites which supports Single Sign On with Azure's SAML. Basically, you log into the PC with your email and password, then go to ourOrganization.freshdesk.com in IE or Edge, and the Microsoft Portal intercepts the login page and automatically signs the user in. It's great, but it'd be better if it worked on Chrome with no hacks.
Tab8715 posted:When they closed out the ticket and sent the customer survey, did you complete it? Did you speak with your Account Rep? Some problems are incredibly tough to solve but that's no excuse.
Sure did... hell, when I was signing into the three-year, I said "I see you have a super expensive American support tier, and the normal Indian one, can I try the fancy tier to see if it's any good?" So they gave me one complimentary ticket I could submit with their God tier, and that was the one. They all just scratched their heads and eventually it got routed to an internal Indian support group who couldn't see it remotely since it is during login, I sent smartphone snaps of it and they went weeks between contacting me so I pretty much just gave up because it was becoming a shitshow when the workaround was "Just have everyone keep using passwords instead of the pin".
I told my Microsoft rep I was declining their expensive support because their one example ticket was unsolved and the guy says "Well, that's not characteristic of the typical experience with the Premier Support" and I'm like well whatever.
Tab8715 posted:Could you go deeper into PDQ Deploy? How exactly does this work?
With PDQ Deploy you put in the local admin credentials for all the PCs into it, then have it go scan a network range and deploy a script or program to all known PCs with elevated permissions. It keeps track of what PCs weren't online at the time and you can have it keep checking for ones it missed. There is a hidden "GroupPolicy" folder in "C:\Windows\System32\". If you take a fresh PC and set all the Group Policy on it, you can tell PDQ Deploy to copy that GroupPolicy folder to all other users' GroupPolicy folders and do a "gpupdate /force" command and then all those PCs will have the same Group Policy. It actually does work perfectly to deploy a policy to an organization without a domain or domain controller, provided all the PCs have Windows Pro or better (Home has no GroupPolicy folder or GPO support).
Tab8715 posted:Who gave you the idea that Azure AD Domain Services were a domain controller replacement?
I just want my VPN and Wifi to say "Oh, you want to log in? What is your organization email address and password? Yup, that's it, you're in." This is what Freshdesk can do right now, because it is a website SaaS which uses SAML to query against Azure AD. VPN and Wifi appliances all use LDAP or local Active Directory or RADIUS, and there's no solution for that. My gripe is that if SAML works with Azure AD perfectly fine, why can't they just find a way to bridge in LDAP or RADIUS authentication to it. There's a dozen companies like OneLogin I've asked and they all don't do it, but none have explained why. Maybe I'm just too niche?
Tab8715 posted:Welcome to agile development. Customers want solutions now and they're even willing to pay for unfinished products.
I'm fine with this when it's something like the phone system I'm building with FreePBX. When I use the unfinished things, I can say "hey, a bug!" and then a real developer appears in the forum and goes "oh poo poo, you're right, there, I think I fixed it, try now". That's just something I can't get with Microsoft. I'm just getting more bitter because there's all these cool quality of life things dangling in front of me that I can't implement because they're too hulking to give a gently caress. The small FreshDesk and FreePBX and PepLink support desks are all fantastic yet Microsoft can't get even the most basic tickets answered.
Tab8715 posted:A jumble of commands? It's nearly the exact same thing as any command-line interface, VMware, Bash, etc., but simplified.
I don't know; I'm slowly learning Linux poo poo over the past few weeks, cat/ls/rm/cp/wget and all that good stuff, I'm decent at Cisco IOS, but PowerShell is a special kind of annoying. I think it's that all the technet guides for everything I'm trying to do all use a combination of out-of-date PowerShell commands with clicking things in out-of-date Azure Portal screenshots. Then there's like a PowerShell built into Windows, and a separate download for an "Azure PowerShell" and then I still have to download a .NET expansion for it, just put a bullet in my head now. Glad my misery is so entertaining, you bastard!
|
# ? Apr 27, 2016 17:38 |
|
I have no idea why you are so opposed to running a couple of domain controllers in Azure to throw RADIUS requests at.
|
# ? Apr 27, 2016 19:43 |
|
Zero VGS posted:The PCs are in a weird purgatory where "This PC -> Properties" has a blank domain, and Workgroup: WORKGROUP. But if you go to Windows 10 "PC Settings -> System -> About", it says Organization: ourOrganization with a "Disconnect from organization" button. That's how Windows 10 Cloud Join works. Is there any reason you haven't looked into OpenLDAP or similar for your kerberos/RADIUS needs?
|
# ? Apr 27, 2016 19:55 |
|
Note, everything below is my own opinion and in no way a reflection of that of my employer.
Zero VGS posted:The PCs are in a weird purgatory where "This PC -> Properties" has a blank domain, and Workgroup: WORKGROUP. But if you go to Windows 10 "PC Settings -> System -> About", it says Organization: ourOrganization with a "Disconnect from organization" button. That's how Windows 10 Cloud Join works.
This is really creepy and gross but I guess it works?
Zero VGS posted:It is a freemium online IT Helpdesk SaaS. It's actually very nice, I prefer it to Zendesk and Spiceworks as a helpdesk software. I was just using it as an example of one of the SaaS sites which supports Single Sign On with Azure's SAML. Basically, you log into the PC with your email and password, then go to ourOrganization.freshdesk.com in IE or Edge, and the Microsoft Portal intercepts the login page and automatically signs the user in. It's great, but it'd be better if it worked on Chrome with no hacks.
Zero VGS posted:Sure did... hell, when I was signing into the three-year, I said "I see you have a super expensive American support tier, and the normal Indian one, can I try the fancy tier to see if it's any good?"
Despite being a MSFT FTE I have very little insight into how exactly support is provided as I'm not an account manager; however, I will say there's no such thing as an expensive American support or Indian support tier. I'd recommend if anything make sure you keep the ticket at a high severity and, no matter how terrible the web forums are (hopefully they're better than they were a few years ago), fill out the closing ticket survey in as much detail as possible. Upper-Upper-Management drills down into these and it's serious business.
Zero VGS posted:With PDQ Deploy you put in the local admin credentials for all the PCs into it, then have it go scan a network range and deploy a script or program to all known PCs with elevated permissions. It keeps track of what PCs weren't online at the time and you can have it keep checking for ones it missed.
Interesting, I'll have to play around with this on my own time.
Zero VGS posted:I just want my VPN and Wifi to say "Oh, you want to log in? What is your organization email address and password? Yup, that's it, you're in."
The technology simply doesn't exist without protocols like Kerberos/NTLM. Maybe one day it will but until then you need a real domain controller.
Zero VGS posted:I don't know; I'm slowly learning Linux poo poo over the past few weeks, cat/ls/rm/cp/wget and all that good stuff, I'm decent at Cisco IOS, but PowerShell is a special kind of annoying.
PowerShell is literally a direct 1:1 copy of Bash but without irritating nuisances.
Zero VGS posted:I think it's that all the technet guides for everything I'm trying to do all use a combination of out-of-date PowerShell commands with clicking things in out-of-date Azure Portal screenshots. Then there's like a PowerShell built into Windows, and a separate download for an "Azure PowerShell" and then I still have to download a .NET expansion for it, just put a bullet in my head now.
Which guides are you reading? The only drawback with Azure PowerShell is that we've unfortunately got two versions of Azure (ASM vs. ARM) and they happen to update it every few weeks, and there isn't really an automated way to identify if it's been updated until something breaks, at which point you notice you need to update. Azure PowerShell modules are separate from standard PowerShell modules, separate from Windows Server, SharePoint, Exchange, and then there's a differentiation with cloud flavors. It takes less than 5 minutes to install the required packages... Honestly, no matter what the hell anyone tells you, the cloud is not a direct one-to-one replacement for all your IT infrastructure. Maybe one day it will be, but as of today it's just not, and more than likely there will never be a complete cloudification.
IT admins will be bouncing around between cloud providers and trying to figure out which workloads fit best or if they should just leave it on-premise. Gucci Loafers fucked around with this message at 03:38 on Apr 30, 2016 |
# ? Apr 30, 2016 03:08 |
|
Would I be better off adding an existing AD setup to my domain from another company with 5 or 6 employees or just starting over with them on our current setup? Is there any way I can map their new profile locally to the old one?
|
# ? May 3, 2016 19:26 |
|
LmaoTheKid posted:Would I be better off adding an existing AD setup to my domain from another company with 5 or 6 employees or just starting over with them on our current setup? You can do this with ADMT but it might be more effort than it's worth. With ADMT you would build a trust between the 2 forests, use ADMT to build the AD Accounts and "migrate" the workstation. The workstation migration piece will flip the domain and re-ACL/re-point the profiles to the new SIDs. It's not a quick and easy thing to do. With 5-6 users you're probably better off issuing a new machine, copy profile contents from old machine to new.
|
# ? May 3, 2016 20:12 |
|
Zaepho posted:You can do this with ADMT but it might be more effort than it's worth. Instead of a new machine, anything I should look out for by leaving the old domain, joining the new one, and copying over the profile locally?
|
# ? May 3, 2016 20:48 |
|
Ah, geez. I just had the first mention of WINDOWS 10 MICRO-VIRTUALIZATION FOR SECURITY!!!! Executives need to stop going to presentations.
|
# ? May 3, 2016 21:37 |
|
LmaoTheKid posted:Instead of a new machine, anything I should look out for by leaving the old domain, joining the new one, and copying over the profile locally? Not really. The only annoyance here is the possibility for wonky settings from old GPOs (there probably aren't any with this few users) and the fact that there is no really great backout if things go pear-shaped. Granted, you should be able to push forward and recover without too much pain in this case.
|
# ? May 3, 2016 22:21 |
|
A vulnerability in Microsoft Office 365 SAML Service Provider implementation allowed for cross domain authentication bypass affecting all federated domains. Holy poo poo. Also, anyone have any tips or tricks for going through Event Viewer? I'm usually just scrolling through until I find something useful but I'm curious anyone could point me towards something solid.
|
# ? May 7, 2016 18:46 |
|
Tab8715 posted:Also, anyone have any tips or tricks for going through Event Viewer? I'm usually just scrolling through until I find something useful but I'm curious if anyone could point me towards something solid. PowerShell helps:
Get-WinEvent -LogName <log> | Where-Object -FilterScript { <whatever> }
Get-EventLog -LogName <log> | Where-Object -FilterScript { <whatever> }
AreWeDrunkYet fucked around with this message at 18:53 on May 7, 2016 |
# ? May 7, 2016 18:50 |
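Added example, not from any poster in the thread, expanding on the Get-WinEvent tip above: the point is to push the filter into the Event Log service (-FilterHashtable or -FilterXPath) instead of pulling the whole Security log through Where-Object, and to read the typed EventData properties rather than regexing the Message text. The DC host name and the account name are hypothetical placeholders; it assumes you have read access to the Security log on that DC.

```powershell
# Added example, not from the original post. Hypothetical DC and account name.

# Slow: every Security event is fetched and deserialized, then filtered locally.
# Get-WinEvent -LogName Security | Where-Object { $_.Id -eq 4740 }

# Fast: -FilterHashtable becomes a server-side query, so only matches come back.
# Account lockouts (4740) are logged on the PDC emulator, so query that DC.
$since = (Get-Date).AddHours(-24)
$lockouts = Get-WinEvent -ComputerName 'dc01.internal.wiggleyssprockets.com' -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740           # "A user account was locked out"
    StartTime = $since
} -ErrorAction SilentlyContinue   # no matches is an error to Get-WinEvent; ignore it

# The useful fields are the event's EventData properties, in schema order.
# For 4740: Properties[0] = TargetUserName (the locked account),
#           Properties[1] = TargetDomainName, which for this event actually
#           holds the caller computer name, i.e. where the bad passwords came from.
$lockouts | ForEach-Object {
    [pscustomobject]@{
        Time       = $_.TimeCreated
        Account    = $_.Properties[0].Value
        SourceHost = $_.Properties[1].Value
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize

# XPath when the hashtable cannot express the condition: failed logons (4625)
# for one account in the last 24h where the status is "wrong password"
# (0xC000006D). timediff() is in milliseconds.
$xpath = @"
*[System[(EventID=4625) and TimeCreated[timediff(@SystemTime) <= 86400000]]
  and EventData[Data[@Name='TargetUserName']='jdoe']
  and EventData[Data[@Name='Status']='0xc000006d']]
"@
Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Workstation'; e = { $_.Properties[13].Value } },   # WorkstationName
        @{ n = 'SourceIp';    e = { $_.Properties[19].Value } }    # IpAddress
```

Get-EventLog only sees the classic logs (Application, System, Security) and has no server-side filter beyond -InstanceId and -After, so for anything under Applications and Services Logs, or for a DC's Security log of any size, Get-WinEvent is the one to reach for.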
|
Tab8715 posted:A vulnerability in Microsoft Office 365 SAML Service Provider implementation allowed for cross domain authentication bypass affecting all federated domains. Wow, that's pretty bad.
|
# ? May 7, 2016 18:55 |
|
We have Office 2016 installations blocked in the O365 admin portal. We got a flood of reports yesterday and today that users are being prompted to upgrade via a banner in Office apps. Seems like Windows 10 all over again. Anyone else seeing this?
|
# ? May 9, 2016 20:06 |
|
KS posted:We have Office 2016 installations blocked in the O365 admin portal. We got a flood of reports yesterday and today that users are being prompted to upgrade via a banner in Office apps. Help desk came to me this morning with the same complaints from users. Double checked our settings and nothing has changed. I (and management) will be pretty pissed if there's no way to block this.
|
# ? May 9, 2016 20:24 |
|
I have a domain with four domain controllers running Server 2008R2. There were Server 2003 servers, but they're all gone now. I would like to raise the forest and domain functional level from 2003 to 2008R2. Everything I've come across says, basically, that all the difficult work has been done already and that I should just raise the level. However, I haven't seen anything that describes in what order I should start. One machine has the FSMO roles and is in the office, two machines are in a datacenter nearby, and the fourth DC is across the country. Do I need to do any FSMO role juggling or worry about replication to our remote site, or can I just raise the level?
|
# ? May 9, 2016 21:25 |
|
What you've described is how I understand things to work - get all your DCs up to the same OS version, move the FSMO and GC roles to a DC running that release, raise the domain functional level. I'm wary of taking the lack of anything from MS saying that's wrong to be an endorsement of doing it that way but I can't find anything that disagrees with the approach. In terms of aiding in replication I would say that depends on your topology - if you have a fairly obvious central location then make the change on one of those DCs rather than one at a branch.
|
# ? May 9, 2016 21:35 |
|
Do a replication check (repadmin /showrepl from one of the domain controllers, look for any failures) and then just raise the level. It's one of the easiest and least troublesome things to do in AD.
|
# ? May 9, 2016 21:46 |
|
And once you're done and the replication has happened, enable the AD recycle bin.
|
# ? May 9, 2016 21:56 |
|
God yes, AD recycle bin is amazing. Saved my rear end a couple of times in the last year, or at the very least made my life way easier. For example, I disabled a service account, waited for a month to make sure it didn't break anything, then deleted it. Turns out some idiot used that account to create some reports in SSRS, and when I deleted the account it disabled all of the subscriptions to it. A quick restore (but not re-enable) and it was back in business. If I didn't have that option, reassigning a report creator in SSRS is a major pain in the rear end from the last time I researched it.
|
# ? May 9, 2016 23:30 |
|
Maybe run a dcdiag to see if there are any outstanding issues beforehand.
|
# ? May 10, 2016 01:20 |
|
Thanks Ants posted:And once you're done and the replication has happened, enable the AD recycle bin. For anyone else that's looking at moving from a 2003 functional level, here's some reading material: https://blogs.technet.microsoft.com/glennl/2009/08/21/w2k3-to-w2k8-and-w2k8r2-active-directory-upgrade-considerations/ https://blogs.technet.microsoft.com/askds/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level/ https://blogs.technet.microsoft.com/exchange/2015/02/13/considering-updating-your-domain-functional-level-from-windows-2003-read-this/
|
# ? May 10, 2016 18:50 |
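Added example pulling together the checks the replies above recommend (DC OS level, replication, dcdiag), the raise itself, and enabling the Recycle Bin afterwards, with the restore that the SSRS service-account story describes. This is not code from any poster; the DC names are hypothetical, it assumes the RSAT ActiveDirectory module from Server 2012 or later (Get-ADReplicationFailure does not exist in the 2008 R2 module, which is why the repadmin equivalents are also shown), and it assumes you run it as Enterprise Admin on the FSMO-holding DC.

```powershell
# Added example, not from the original posts. Hypothetical DC names.
# Assumption: ActiveDirectory module from 2012+ RSAT, run as Enterprise Admin.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
"Domain mode: $($domain.DomainMode)   Forest mode: $($forest.ForestMode)"
"PDC emulator: $($domain.PDCEmulator)   Schema master: $($forest.SchemaMaster)"

# 1. Every DC must already run at least the target OS; the raise is refused otherwise.
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object HostName, Site, OperatingSystem, IsGlobalCatalog | Format-Table -AutoSize
$tooOld = $dcs | Where-Object { $_.OperatingSystem -notmatch '2008 R2|2012|2016|2019|2022' }
if ($tooOld) { throw "DCs below the target OS: $($tooOld.HostName -join ', ')" }

# 2. Replication must be clean across every site, including the remote one,
#    because the functional-level attribute has to reach all DCs.
$failures = Get-ADReplicationFailure -Target $forest.Name -Scope Forest
if ($failures) {
    $failures | Format-Table Server, Partner, FailureCount, LastError -AutoSize
    throw 'Fix replication before raising the level.'
}
# Same checks with the tools the thread mentions (work on 2008 R2 too):
# repadmin /showrepl * /csv | ConvertFrom-Csv | Where-Object 'Number of Failures' -ne '0'
# dcdiag /e /q

# 3. Raise the domain first, then the forest. Both prompt for confirmation by
#    default; leave that in, there is no supported way back below 2008 R2.
Set-ADDomainMode -Identity $domain -DomainMode Windows2008R2Domain
Set-ADForestMode -Identity $forest -ForestMode Windows2008R2Forest

# 4. Confirm the new level has replicated to each DC before going further.
$dcs | ForEach-Object {
    [pscustomobject]@{
        DC         = $_.HostName
        DomainMode = (Get-ADDomain -Server $_.HostName).DomainMode
    }
} | Format-Table -AutoSize

# 5. Recycle Bin: forest-wide, one-way, requires 2008 R2 forest mode.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target $forest.Name

# Later, restoring a deleted object with its SID, group memberships and
# attributes intact. userAccountControl is preserved, so a disabled account
# comes back disabled, which is the "restore but not re-enable" case above.
# Get-ADObject -Filter { SamAccountName -eq 'svc_ssrs' } -IncludeDeletedObjects |
#     Restore-ADObject
```

Two practical notes: do the raise from a DC at the hub site, as suggested above, so the change reaches the most partners on the first replication cycle, and give the remote DC time to converge (or force it with repadmin /syncall /AdeP) before enabling the Recycle Bin, which is itself another forest-wide change that needs to replicate.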
|
AD Recycle Bin is nice to have but the only benefit to deleting accounts is fewer objects to see in AD. You're never getting that RID back and that's your finite* resource. *nobody runs out of RIDs unless they got hella AD problems
|
# ? May 10, 2016 20:58 |
|
Has anyone disabled Credential Manager in its entirety? We have serious issues with old poo poo getting cached and not getting updated/changed when user passwords are changed, causing lockouts, etc. It's a loving epidemic and I'm tired of dealing with it. If I disable the Credential Manager service via GPO will that break anything?
|
# ? May 17, 2016 13:58 |
|
https://blogs.technet.microsoft.com/windowsitpro/2016/05/17/simplifying-updates-for-windows-7-and-8-1/ One giant rollup for everything between sp1 and April 2016
|
# ? May 17, 2016 19:01 |
|
About time.
|
# ? May 17, 2016 19:06 |
|
loving finally. E: ffs, it's not going to be on WSUS. Matt Zerella fucked around with this message at 19:10 on May 17, 2016 |
# ? May 17, 2016 19:07 |
|
LmaoTheKid posted:loving finally.
|
# ? May 17, 2016 19:17 |
|
ugh why is this not on WSUS
|
# ? May 17, 2016 19:19 |
|
Thank gently caress.
|
# ? May 17, 2016 19:21 |
|
Uh, it makes sense that it isn't on WSUS because they want you to apply it to your base image instead of installing Windows and then applying patches.
|
# ? May 17, 2016 20:12 |
|
A few months too late for me to make any use of it; I just finished doing my company's image refresh.
|
# ? May 17, 2016 21:56 |