|
MF_James posted:Nah let's just manage our domain by doing edits on EVERY loving MACHINE.
artisanal group policies
|
# ? Aug 25, 2016 21:11 |
|
MF_James posted:Nah let's just manage our domain by doing edits on EVERY loving MACHINE.
|
# ? Aug 25, 2016 21:13 |
|
Jeoh posted:artisanal group policies
|
# ? Aug 25, 2016 21:26 |
|
I think I'm going to go back and make a list of everything I have done that should have been done with group policy and try to make a case for giving me group policy access.
|
# ? Aug 25, 2016 21:36 |
|
If your company has SA and therefore MDOP then you can have them stand up AGPM if they are worried about untraceable ad-hoc changes. https://technet.microsoft.com/en-us/windows/hh826067.aspx
|
# ? Aug 25, 2016 21:43 |
|
22 Eargesplitten posted:I think I'm going to go back and make a list of everything I have done that should have been done with group policy and try to make a case for giving me group policy access.
If they're sincerely panicky about giving you access, consider Advanced Group Policy Management. It's an add-on for GP that allows you to submit changes for them to approve. Giving you GP access IS DOMAIN access for a majority of the scenarios needed for Group Policy so this will give them a bit of delegating power about it.
e:f,b
|
# ? Aug 25, 2016 21:44 |
|
my googlefu is failing me atm. We've got an RDS farm, 2 brokers and 2 session hosts. The farm itself is fine, but for some reason people can individually connect to servers via IP. Let's say the loadbalanced name is "RDSGateway" and our 2 session hosts are 1.1.1.1 and 1.1.1.2. Load balancing works fine overall, but I can plug in 1.1.1.1 or 1.1.1.2 to individually hit the servers, which shouldn't be possible, or at least it wasn't when terminal services was the thing on our 2003 servers. Is this just a change in behavior or do we have something set incorrectly? We do not have an RD gateway server configured, just the 2 connection brokers and 2 session hosts.
|
# ? Aug 26, 2016 18:22 |
|
MF_James posted:my googlefu is failing me atm.
Did you do a round robin for DNS on the session hosts? From what I remember, you shouldn't be allowed to RDP to a session host directly if you have a broker and farm configured right. 2012/R2 makes the config a little awkward with the drop down boxes in Server Manager. I set up a 2008 R2 and 2012 R2 farm using the MS guides, so I'd review those to see if you have the farm configured 100%.
|
# ? Aug 26, 2016 19:17 |
|
It was recommended by MS (I believe, I'll double check though) to not set up DNS round robin anymore on 2012 and beyond. I could have misread; I'll go back and look through.
|
# ? Aug 26, 2016 19:34 |
|
Anyone have a primer for MDT? I'm coming into this a little blind and would like to slim down my deployments of new hardware. We're about to do a hardware refresh with 2-3 standardized models and I'd like to do some reading before wading into it.
|
# ? Aug 27, 2016 01:04 |
|
The young dox turned me onto this guy. Very detailed walkthroughs. http://deploymentresearch.com
|
# ? Aug 27, 2016 01:28 |
|
SeaborneClink posted:Anyone have a primer for MDT? I'm coming into this a little blind and would like to slim down my deployments of new hardware. We're about to do a hardware refresh with 2-3 standardized models and I'd like to do some reading before wading into it.
Moey posted:The young dox turned me onto this guy. Very detailed walkthroughs.
Be sure to follow the guidelines for drivers, that's the part that gets bloated and unwieldy the most quickly if you don't know what you're doing.
|
# ? Aug 27, 2016 02:02 |
Internet Explorer posted:Has anyone been involved in rolling out ticketing/documentation software to a more general audience, not just IT? We are undergoing some management changes at my small company and we are considering having the administrative staff (Accounting, Billing, HR) run in a more organized fashion. We've looked at ZenDesk and JIRA, but both seem to have their flaws. ZenDesk doesn't really do sub-tickets or sub-tasks, making things like a new hire ticket that creates sub-tickets for the other departments, kind of difficult. JIRA seems like it could fit the bill, but the learning curve and time to implement seem somewhat daunting for us. On the documentation side, we are just looking to allow departments to better document their processes and share that knowledge with other departments. I have used Confluence extensively in the past and I am sure that would fit the bill, but so would ZenDesk's knowledge base or whatever.
Going to also suggest ServiceNow. It is the absolute best for this. If there's a superior option out there I'd love to see it.
|
|
# ? Aug 27, 2016 02:12 |
|
I've just about had it up to my eye balls with Offline Files. For reference, all of my users have Win7 Pro laptops, and we have their "Documents" folder set to be always available offline. This is hit or miss, and pretty much always has been. It just goes online/offline seemingly randomly (perhaps related to sleep/walking around/switching access points in the building/etc).

About a month ago I moved all our network shares/mapped drives over to DFS-N instead of direct shares. Cool, no problem. Except Offline Files goes all loving wonky. New path to documents (old: \\servershare\users\%username%\Documents new: \\dfs\namespace\users\%username%\Documents). Won't auto-sync for a lot of people. Manual syncing usually fixes it. This SEEMS to be mostly sorted as of 3 weeks ago.

Last week someone posted that neat reg hack to tell Offline Files to keep the newest version without asking. Cool, put that in place via GP! (Thanks for that stevewm).

Now my users roam, a lot. Laptops go from one end of the building to the other non-stop. 80% of them work from home at least 1 day a week. They'll be out of state for client meetings every couple weeks. This is why we set up Offline Files in the first place. Perhaps you're on a train and need to work on a presentation, go for it. I do not allow them to save files on their local drive period.

So Tuesday, we started getting a few (3) people unable to access a single mapped drive (\\dfs\namespace\departments -> U:). Odd, no rhyme or reason as to who could and couldn't access that. Different teams, different security groups, but others that are on the same team/groups were fine. Never really sorted this out. Tuesday night, the problem spreads, so I start digging into it for real. What I essentially found out is that if a single Offline Files folder in a DFS Namespace goes offline (latency perhaps), the entire DFS Namespace goes offline with it.

I basically created a new \\dfs\namespace2 and put all the non-offline shares/mappings in that one, so the \\dfs\namespace doesn't affect them. OK, fine, it's working for now, but it's still dumb.

I've been looking at Work Folders (thanks to Thanks Ants) though, and it seems like a better version of Offline Files. But it turns out, as best I can tell, it doesn't support network volumes (SAN/NAS/iSCSI), which essentially removes it as a possibility for me (we use a VNXe for our storage).

I guess the question here is, what the hell do I do from here? Work Folders looks good, but it basically can't be used in my situation.
Gerdalti fucked around with this message at 17:02 on Sep 1, 2016
|
# ? Sep 1, 2016 17:00 |
|
semi joking answer? Get everyone OneDrive and move their docs there.
|
# ? Sep 1, 2016 18:17 |
|
skipdogg posted:semi joking answer? Get everyone OneDrive and move their docs there.
We actually do use Office 365, if OneDrive didn't suck so much I'd consider it at this point.
|
# ? Sep 1, 2016 18:23 |
|
Gerdalti posted:I've just about had it up to my eye balls with Offline Files.
Not sure if you've seen these, but I have heard bad things about Offline Files and DFS. I think it was mentioned in this thread as well.
http://emtunc.org/blog/01/2015/dfs-and-offline-files-a-match-made-in-hell/
https://www.reddit.com/r/sysadmin/comments/2rmfiw/moving_to_dfs_but_have_offline_files_and_folder/
|
# ? Sep 1, 2016 18:39 |
|
Gerdalti posted:We actually do use Office 365, if OneDrive didn't suck so much I'd consider it at this point.
As much as I have tried pushing some clients into OneDrive as part of their E3 O365 licenses, nothing is beating Dropbox for Business in terms of ease of use and reliability for those who can afford it, especially in the BYOD crowd.

I feel like Work Folders could have been so much more. drat it.

With respect to OneDrive vs Dropbox and others, we see here a case of Microsoft having a clear set of examples they can follow on how to Do It Right (TM) yet stubbornly insisting they architect the drat thing their own way. Again. We still have a goddamn hot mess of a product at the end of the day.

I'm not the only one frustrated to no end with the NEXT GENERATION ONE DRIVE CLIENT, WE FIXED IT I PROMISE thing, no?
Potato Salad fucked around with this message at 19:15 on Sep 1, 2016
|
# ? Sep 1, 2016 19:12 |
|
Internet Explorer posted:Not sure if you've seen these, but I have heard bad things about Offline Files and DFS. I think it was mentioned in this thread as well.
Yeah, found similar things to those, which is how I ended up with two distinct namespaces. I didn't think of just separating the netbios vs fqdn, that's clever. It does seem to be working for now though. I might just hold off until Server 2016 comes out and see what advances they do with Work Folders. Some light reading showed they at least know people want to use NAS and iSCSI.
|
# ? Sep 1, 2016 19:18 |
|
Gerdalti posted:Yeah, found similar things to those, which is how I ended up with two distinct namespaces. I didn't think of just separating the netbios vs fqdn, that's clever. It does seem to be working for now though.
I wouldn't hold your breath for Server 2016 to have anything related to offline files... Unless you can put offline files in containers!!
|
# ? Sep 1, 2016 19:31 |
|
I had a 5 day Server 2016 class and the only new poo poo was basically Nano and Hyper V stuff.
|
# ? Sep 1, 2016 19:34 |
|
Here's a noodle-scratcher please help: I'm on a Win2k8R2 domain and having an issue with a user changing his password. When he tries to change his Windows password he gets the error message saying the password doesn't meet the length, complexity, history etc requirements. When we try to change his password to that same new password through ADUC, the password is accepted. This tells me it's a password age or history issue. However we confirmed it is a completely brand new password, and it is a complex password. I also have the minimum password age set to 0 for testing purposes. Next thing I'm trying is to check the "user must change password at next logon" and see if that allows him to change his own password. Anything else I can look at?
Dans Macabre fucked around with this message at 20:50 on Sep 1, 2016
|
# ? Sep 1, 2016 20:45 |
|
NevergirlsOFFICIAL posted:Here's a noodle-scratcher please help:
I've had issues with the 'force change on next login' if a user is trying to change via OWA. How are they trying to change it? Directly on a workstation or RDP? OWA?

My own question: What's the best solution of password self-service including resetting forgotten & expired passwords? We're not using Azure AD Premium at the moment but it wouldn't be a big jump to get that working, we already have Azure AD (Free) in place for O365. Premium seems to support Self-Service as well as Writeback for on-prem.

Edit: I have some remote users who are non-domain joined w/ Macs in the UK & HK to support so ideally they would be able to self-serve outside of normal business hours and outside of our internal network, though all have access to RDS.
SeaborneClink fucked around with this message at 21:21 on Sep 1, 2016
|
# ? Sep 1, 2016 21:06 |
|
SeaborneClink posted:I've had issues with the 'force change on next login' if a user is trying to change via OWA. How are they trying to change it? Directly on a workstation or RDP? OWA?
Since we are on O365 with no AD Premium (like you) they cannot change via OWA. User attempted to change directly on Windows workstation with ctrl+alt+del, on RDP, and via our SSLVPN client. BTW I found one other user who has reported the same issue (but I didn't follow up directly yet so may be a user error) and I confirmed two other users do not have this issue at all.
|
# ? Sep 1, 2016 21:12 |
|
That's easy! Use the new AD Integration features of Spicew- I worked not too long ago with a T1 desktop support guy in a parallel environment who only referred to AD credentials as "Spiceworks passwords." That's fine for a 6-month-new-to-IT guy, but when it's someone who is clearly over 35 and has been around for a while....
|
# ? Sep 1, 2016 21:14 |
|
NevergirlsOFFICIAL posted:Here's a noodle-scratcher please help:
"User must change password" worked, so clearly this is a password age issue. Need to see why it's not respecting my 0 day min age setting.
|
# ? Sep 1, 2016 21:34 |
|
NevergirlsOFFICIAL posted:"User must change password" worked, so clearly this is a password age issue. Need to see why it's not respecting my 0 day min age setting.
Stale GP I'd reckon
|
# ? Sep 1, 2016 21:47 |
|
GreenNight posted:I had a 5 day Server 2016 class and the only new poo poo was basically Nano and Hyper V stuff.
Then it was a bad class. Hit https://blogs.technet.microsoft.com/ausoemteam/2016/08/14/whats-new-in-windows-server-2016-standard-edition-part-1/ and go through the parts. Tons of stuff has been changed, improved, modified, and added from 2012 R2, and this is just on Standard Server, not Datacenter.
GPF fucked around with this message at 19:49 on Sep 2, 2016
|
# ? Sep 2, 2016 19:45 |
|
Going over migration plans for Server 2003 (ugh) to 2012. There are a myriad of file shares and special permissions that have built up over the years. Since I am running a VMware environment, is there any reason I could not just:
1. detach vmdk from current 2003 VM
2. attach vmdk to new 2012 VM
3. migrate shares from whatever registry key they are stored in
4. create DNS CNAME to point old server to the new one
5. done?
These are straight file shares, meaning there are no installed programs on this server that this should cause problems for. I am just so tired of this server. Barring that, does anyone have experience with the File Server Migration Toolkit from MS?
|
# ? Sep 2, 2016 19:54 |
|
I was looking at it the other day, seemed pretty reasonable. I have a 2008R2 server that could greatly benefit from the 2012R2 deduplication, but I can't make that a priority right now.
|
# ? Sep 2, 2016 20:38 |
|
GreenNight posted:I had a 5 day Server 2016 class and the only new poo poo was basically Nano and Hyper V stuff.
What was the course number, out of curiosity? I had scheduled course 10983A for late October and I just got notification it was being changed to course 20743A.
|
# ? Sep 2, 2016 20:44 |
|
skipdogg posted:What was the course number out of curiosity. I had scheduled course 10983A for late October and I just got notification it was being changed to course 20743A
M10983
It wasn't as bad as I made it seem. That's just the stuff that stood out to me and what we spent most time on. That and bullshit Azure connectivity.
|
# ? Sep 2, 2016 20:48 |
|
Has anyone started using/testing Enterprise State Roaming yet? I'm in the process of moving my company away from Roaming Profiles and setting up UE-V. It seems like a cool idea but I'm wondering if it's even worth exploring at this stage.
|
# ? Sep 2, 2016 21:53 |
|
This isn't really an enterprise question because I hope workgroups are pretty rare in 'real' networks but people here might know the answer... What functionality does a workgroup provide (in windows)? Computers in different workgroups on the same network can access each other's SMB shares fine (as long as credentials are shared). Domain computers can access workgroup systems as well and vice versa (again, if credentials are shared). It doesn't seem to affect network discovery.
edit: Ok, it does actually affect network discovery, is that their only purpose?
wyoak fucked around with this message at 17:19 on Sep 6, 2016
|
# ? Sep 6, 2016 17:17 |
|
wyoak posted:This isn't really an enterprise question because I hope workgroups are pretty rare in 'real' networks but people here might know the answer...
Network discovery and nothing else I know of. If you want cross subnet workgroups you need a WINS server. If you don't need that you might want to look into Homegroups. They handle computers appearing and disappearing pretty quickly, and if everyone is using a Microsoft account to log in they still allow fairly granular permissions. No Microsoft accounts means it's read, read/write, or nothing. They work over IPv6 link local addresses so there is no way I know of for them to talk across subnets.
|
# ? Sep 6, 2016 17:24 |
|
I'm having a lovely time building a Hyper-V cluster on top of volumes hosted on an Equallogic SAN. For some reason, the Dell engineer who originally helped the original admin set up the SAN just created 2 volumes on the Equallogic and treated it like a very expensive NAS. One volume on the Equallogic hosts some Hyper-V virtual machines that connect via iSCSI connector to one Server 2012 host server and the other volume connects some other Hyper-V machines to an identical server on a separate iSCSI session (5 different Hyper-V machines on 2 different volumes w/3 machines hosted on the first server and 2 hosted on the other).

The old admin did me the solid favor of (apparently) losing the Dell Equallogic disk that has the proprietary software for the Dell Equallogic MPIO kit. That's not the end of the world, it just means there are features potentially missing if I wanted to connect new servers to the Equallogic without paying Dell for a new support contract.

The networking side of the configuration looks fine. They created the SAN network separately (let's call it 10.0.0.0/24) from the external/public network (let's call it 192.168.0.0/24) and the servers each have 2 gigabit ports dedicated to the SAN network. There are 2 gigabit switches dedicated to the SAN network and they connect to the Equallogic and to the servers and the switches are connected to each other for redundancy.

Is there a supported way to cluster the 2 host VMM servers and the virtual machines on the 2 separate volumes or is the best way to just expand one volume and move all the virtual machines to it and then point both servers to the one volume? The cluster validation tests make it look like the cluster service would elect one volume as a disk witness at this point (which would make all the VMs on that volume unavailable) so I would need to add a separate volume as a disk witness if there is a way to cluster the 2 host machines and their 2 volumes.

It's like I feel like this would be straightforward if I were starting from scratch because then I could configure this whole thing from the ground up for myself but I'm starting with a very convoluted scenario created years ago with no documentation to work from.

tl;dr: gently caress local clustering with Hyper-V.
|
# ? Sep 8, 2016 07:36 |
In all seriousness, good luck with that. I don't have any advice other than I wouldn't take a job like that if it was offered to me because I've seen what a bitch it can be.
|
|
# ? Sep 8, 2016 14:00 |
|
I don't know anything about HyperV, but you can download what you need from EqualLogic's support site. Why would you need a CD in 2016? And I'm not sure what you mean by configuring it as "an expensive NAS." Like, I get what you're saying about putting one volume on one server and another volume on the second server, but that has nothing to do with SAN vs NAS and everything to do with some dumb person not knowing what they're doing. That's an issue on the HyperV side, and they could have set it up correctly on a NAS. If there is space on the array just make another volume, set it up correctly, and move machines over. If there's not, I think EqualLogics support shrinking of volumes. Shrink them and see if you have enough space. If that doesn't do it, buy some cheap storage, move things over, fix the configuration, and move things back. Shouldn't be too hard of a task unless working with shared storage with HyperV is somehow impossible, which as lovely as it is, I somehow doubt.
|
# ? Sep 8, 2016 14:10 |
|
You know what, gently caress Windows 10. I've been deploying it in enterprise environments and the hoops you have to jump to loving change ANYTHING are tremendously stupid. You can't even do a dism /online /import-defaultappassociations anymore, because the online change doesn't work! Wanna change anything? Sure, you can, just run 20 scripts!
|
# ? Sep 8, 2016 14:32 |
|
Internet Explorer posted:I don't know anything about HyperV, but you can download what you need from EqualLogic's support site. Why would you need a CD in 2016?
I think he's saying the EQL is out of support. The MPIO driver is behind a paywall.
|
# ? Sep 8, 2016 14:43 |