|
MF_James posted: Ugh going to go loving crazy trying to figure this out, wonder if maybe one of you guys could help.

I haven't had the misfortune of supporting local accounts in a domain setting but a possibility is applying the user side preference as a loop back gpo linked to the computer ou.
|
# ? Jun 22, 2016 04:56 |
|
buffbus posted: I haven't had the misfortune of supporting local accounts in a domain setting but a possibility is applying the user side preference as a loop back gpo linked to the computer ou.

Hmm this sounds crazy enough to work, I'll give that a go, worst case I waste 30 minutes.
|
# ? Jun 22, 2016 05:52 |
|
I've got Domain Controllers running on HyperV 2012R2. The VM infrastructure cannot update group policy from the domain controllers, while physical infrastructure can. This includes other virtualised domain controllers - sysvol replication doesn't occur. Everything else is fine - DNS and AD objects replicate fine, all clients can use the DNS services with no issues. The problem is specifically with other virtual machines trying to update GP. This includes other VMs running on other HyperV hosts and even VMs running on my PC with virtualbox. (my Physical PC has no problem) The clients get errors like this: code:
|
# ? Jun 22, 2016 10:43 |
|
Does a local account login process go looking for GPOs applying to its computer account?
|
# ? Jun 22, 2016 12:59 |
|
Potato Salad posted: Does a local account login process go looking for GPOs applying to its computer account?

Yes, computer side GPO settings will process before the user even logs in (aside from some async processing in the case of a very fast logon).
|
# ? Jun 22, 2016 14:27 |
|
Then the real question is whether loopback will apply to a non domain account -- that is, whether loopback even matters if the system isn't looking for user policies in the first place. Unless..."Authenticated Users" or "Everyone" includes local accounts? I need to learn this poo poo. Time for me to read on exactly the sequence of events involved in a system searching for and electing to apply policies.
|
# ? Jun 22, 2016 14:53 |
|
Swink posted: I've got Domain Controllers running on HyperV 2012R2. The VM infrastructure cannot update group policy from the domain controllers, while physical infrastructure can.

Were the problematic domain controllers p2v'd? I've had issues with p2v corrupting or locking the SYSVOL, which requires rebuilding it.
|
# ? Jun 22, 2016 15:03 |
|
mayodreams posted: Were the problematic domain controllers p2v'd? I've had issues with p2v corrupting or locking the SYSVOL, which requires rebuilding it.

I can confirm, a p2p usually involves some sort of drive snapshot which can thoroughly piss off a domain controller.
|
# ? Jun 22, 2016 15:08 |
|
Swink posted: I've got Domain Controllers running on HyperV 2012R2. The VM infrastructure cannot update group policy from the domain controllers, while physical infrastructure can.
|
# ? Jun 22, 2016 20:55 |
|
Swink posted: I've got Domain Controllers running on HyperV 2012R2. The VM infrastructure cannot update group policy from the domain controllers, while physical infrastructure can.

You are selecting the correct VLAN on the virtual switch, right? The NICs on your virtual machines are also configured correctly (domain suffixes etc), right?
|
# ? Jun 22, 2016 20:57 |
|
Everything can ping fine. They can all do nslookups fine. There are no VLANs on this network. It's possible this DC was snapshotted or P2V'd in the past. Am I going to be able to build a new DC without having to hose the whole domain?
|
# ? Jun 23, 2016 00:26 |
|
If the DCs are replicating, bringing up new DCs and migrating the roles should work. I think the issue everyone is concerned with is that maybe the DCs aren't replicating properly. Have you gone through dcdiag?

[Edit: And just in case... are you sure you're not getting bit by this? https://social.technet.microsoft.com/Forums/en-US/e2ebead9-b30d-4789-a151-5c7783dbbe34/patch-tuesday-kb3159398?forum=winserverGP ]
|
# ? Jun 23, 2016 01:08 |
|
No SYSVOL replication is happening though. Could I manually copy and share that folder on a new DC? I'm severely lacking lab hardware to test all this
|
# ? Jun 23, 2016 02:41 |
|
Swink posted: No SYSVOL replication is happening though. Could I manually copy and share that folder on a new DC?

You can start here: https://technet.microsoft.com/en-us/library/cc816596(v=ws.10).aspx
|
# ? Jun 23, 2016 03:15 |
|
Swink posted: No SYSVOL replication is happening though. Could I manually copy and share that folder on a new DC?

Sorry, I forgot that you mentioned that. Yes, things are seriously broken and standing up a new DC is not going to help. You need to fix the problem.
|
# ? Jun 23, 2016 13:46 |
|
Any insights as to why it's just virtual infra with the problem? Could it be driver related? Clock? Shit's messed up.
|
# ? Jun 24, 2016 04:45 |
|
Swink posted: Any insights as to why it's just virtual infra with the problem? Could it be driver related? Clock?
|
# ? Jun 24, 2016 21:28 |
|
Christ, I posted in here about raising the functional level on our forest and domain from 2003 almost two months ago, and we still haven't done it yet, and we're still not going to do it until the middle of next month, because my loving boss is so ridiculously paranoid.
|
# ? Jun 28, 2016 18:08 |
|
anthonypants posted: Christ, I posted in here about raising the functional level on our forest and domain from 2003 almost two months ago, and we still haven't done it yet, and we're still not going to do it until the middle of next month, because my loving boss is so ridiculously paranoid.

As long as you don't have any old oddball appliances like a firewall or email gateway that don't support a newer forest level you will be fine. It's super easy, like one line in powershell and another to confirm.
|
# ? Jun 28, 2016 19:09 |
|
BaseballPCHiker posted: As long as you don't have any old oddball appliances like a firewall or email gateway that don't support a newer forest level you will be fine. It's super easy, like one line in powershell and another to confirm.
|
# ? Jun 28, 2016 21:11 |
|
Mr. Clark2 posted: The version I got from MS tech bench seems to work but now I'm running into what looks to be driver problems. For those of you doing this, did you make a new deployment share just for Win10? I stuck my Win10 images/drivers/task sequences on the same deployment share as all my Win7 crap but I fear that may be causing me problems. All instructions that I'm finding online are starting clean in a lab environment, I'm not finding much about running it in production.

I advise following this model, if you can: http://deploymentresearch.com/Research/Post/325/MDT-2013-Lite-Touch-Driver-Management

Generally you want your selection profiles to only pertain to drivers of a particular operating system from within the Task Sequence context. PnP is great, but it isn't infallible; I'm a big fan of "Option 3" from the link above.
|
# ? Jun 28, 2016 21:17 |
|
anthonypants posted: What would a firewall or email gateway have to do with the functional level? We have VPN and email gateways that use LDAP but I don't know how that would be affected, do you have something I could read up on?

If those appliances have any sort of integration with AD for things like tracking users or using existing OUs for anything. For example we had a lovely old spam filter that used LDAP and AD but was only supported up to 2008. As soon as I could get rid of that spam filter I could raise the forest level past 2008. Nothing I can really link to, it's going to be specific for device and appliance. If you don't have anything like that that integrates with AD or does something with LDAP you're probably fine, just make sure to double check first.
|
# ? Jun 29, 2016 17:02 |
|
Domain functional level only affects the minimum OS version for a DC though. LDAP isn't affected by it.
|
# ? Jun 29, 2016 17:15 |
|
Wrath of the Bitch King posted: I advise following this model, if you can:

Thanks, that got me sorted. I've gone ahead and ordered his "Deployment Fundamentals Volume 6".
|
# ? Jun 29, 2016 21:17 |
|
Has anyone seen Windows Update Standalone take 10-20 minutes to search for an update when you manually start the process by clicking an .msu file? They are the same files I used a dozen other times that took maybe 2 minutes. Actually, I have 2 copies on here, could that cause it?
|
# ? Jun 29, 2016 22:50 |
|
How are you guys handling start menu layout in Win10 Pro? I don't know who at MS thought it was a good idea to include a bunch of bullshit 'apps' (xbox, minecraft, twitter) in the default menu and then not give you a way of managing it via GPO. I know that there is a GPO to define a start menu layout, but that has its own drawbacks...you have to set it up on a reference machine, need a separate file for x86 and x64, users can't add items, etc.
|
# ? Jul 1, 2016 21:01 |
|
Mr. Clark2 posted: How are you guys handling start menu layout in Win10 Pro?
|
# ? Jul 1, 2016 21:05 |
|
Mr. Clark2 posted: How are you guys handling start menu layout in Win10 Pro?

I powershell them out in my capture image.
|
# ? Jul 1, 2016 21:12 |
|
GreenNight posted: I powershell them out in my capture image.

Any scripts you'd care to share? Right now I'm doing in-place upgrades so I wish I had some way of doing it programmatically, but when I start doing clean installs some scripts would be helpful.
|
# ? Jul 1, 2016 21:36 |
|
Mr. Clark2 posted: Any scripts you'd care to share? Right now I'm doing in-place upgrades so I wish I had some way of doing it programmatically, but when I start doing clean installs some scripts would be helpful.

Basically this stuff. http://www.howtogeek.com/224798/how-to-uninstall-windows-10s-built-in-apps-and-how-to-reinstall-them/

If you Google around, a few people built all in one powershell scripts and a few other cool commands.
|
# ? Jul 1, 2016 21:50 |
|
Mr. Clark2 posted: Any scripts you'd care to share? Right now I'm doing in-place upgrades so I wish I had some way of doing it programmatically, but when I start doing clean installs some scripts would be helpful.

There are also a ton of Windows 10 specific GPOs that you can use to lock down the store, using metro apps, location services, etc.
|
# ? Jul 1, 2016 21:54 |
|
BaseballPCHiker posted: There are also a ton of Windows 10 specific GPOs that you can use to lock down the store, using metro apps, location services, etc.

Yeah, I saw those while poking around yesterday but most of them are actually for Win10 Enterprise/Education editions only...even though there's no mention of that in the description of the GPO :\
|
# ? Jul 1, 2016 22:00 |
|
Oh god this thread is triggering me I've been fighting with the Win10 apps in the Enterprise edition this is the dumbest loving thing who puts xbox apps in an enterprise software? Holy poo poo. I uninstalled them in the reference machine, I'm using copyprofile with my unattend and the loving thing STILL INSTALLS everything when I create a new profile. I think it silently connects to Windows Update and downloads the stuff or something. We even tried the remove-appxprovisionedpackage thing but when we create a new profile there it is. Who thought this was a good idea and made it so hard to get through? gently caress you buddy.
|
# ? Jul 1, 2016 22:05 |
|
orange sky posted: Oh god this thread is triggering me I've been fighting with the Win10 apps in the Enterprise edition this is the dumbest loving thing who puts xbox apps in an enterprise software? Holy poo poo.

Glad to see it's not just me

*update* Banged out a quick ps script to remove all the included apps and ran it as admin, success! Reboot, log in as a standard user...they're all back. gently caress me :\

Mr. Clark2 fucked around with this message at 23:21 on Jul 1, 2016 |
# ? Jul 1, 2016 22:13 |
|
Has anyone definitively figured out if LTSB or CBB is the best choice for your average office worker? I'm failing to see the downside of LTSB other than losing Edge.
|
# ? Jul 2, 2016 17:40 |
|
If you have licenses for 10 Enterprise, why wouldn't you run LTSB?
|
# ? Jul 2, 2016 17:44 |
|
anthonypants posted: If you have licenses for 10 Enterprise, why wouldn't you run LTSB?

That's basically my question. It SEEMS obvious to me, but MS' stance on it is that CBB is what you should be going for for normal use cases while LTSB should be on your outliers. What I'm trying to determine is if there is a legitimate reason for using CBB or if this is just Microsoft trying to push the platform that will present and market their new features more readily.
|
# ? Jul 2, 2016 17:58 |
|
Deer Lourde do not run LTSB on regular staff machines. Windows and its ecosystem moves fast now. Outdated ideas like waiting X years before moving products into production or running the previous version or whatever just don't cut it anymore. If you can't handle CB and CBB then you need to look at your business processes and figure out why.
|
# ? Jul 2, 2016 18:57 |
|
I threw out a preset start menu to staff. They couldn't change it so I had to ensure it had all the apps required. It sucks because it annoys the staff who know and want to customise their layout. I had to do it this way because for some users, if it's not in the start menu, it doesn't exist. If you have different software load outs on different machines then you're in a world of pain but it is doable.
|
# ? Jul 3, 2016 09:20 |
|
|
# ? May 14, 2024 17:23 |
|
Swink posted: I threw out a preset start menu to staff. They couldn't change it so I had to ensure it had all the apps required.

The current situation with managing the start menu in win10 is pretty much a mess. Hopefully MS will provide some more robust tools at some point but I'm not gonna hold my breath.
|
# ? Jul 3, 2016 18:25 |