Thanks Ants
May 21, 2004

#essereFerrari

If you offer training and certification in licensing your product and it's impossible to turn your licensing into an online flowchart thing where you shove in numbers of users and spit out a licensing schedule that isn't caveated with "check with an MS Partner, we aren't going to be bound by what we just told you. Make sure you ask three partners to get three different answers." then your licensing is too loving complicated.


Wrath of the Bitch King
May 11, 2005

Research confirms that black is a color like silver is a color, and that beyond black is clarity.
SCOM and SCCM definitely aren't packaged together as far as licensing goes unless you have a "gently caress you, have all the products" EA.

SCOM is in a higher licensing tier. Same for SCOR.

milk milk lemonade
Jul 29, 2016
http://download.microsoft.com/download/8/9/A/89A3F8B9-94DE-4956-A56E-F6D2B215D0E6/SystemCenter2012R2_Licensing_Guide.pdf

:shrug: I don't know wtf this thing is trying to tell me tbf

Methanar
Sep 26, 2013

by the sex ghost

Wrath of the Bitch King posted:

SCOM and SCCM definitely aren't packaged together as far as licensing goes unless you have a "gently caress you, have all the products" EA.

SCOM is in a higher licensing tier. Same for SCOR.

My understanding was that every tier of System Center licensing gave you every product under the family. SCCM, SCOM, SCVMM, Orchestrator, etc. The difference between the tiers was how you were allowed to spread the applications around. Basic tier you're limited to two, higher tiers allow more.

It even includes the SQL licenses to run mssql for everything.

Wrath of the Bitch King
May 11, 2005

Research confirms that black is a color like silver is a color, and that beyond black is clarity.
I can tell you that in my organization we only own SCCM, nothing else. We didn't itemize for it either, it was part of the EA.

The System Center product family gives you SQL entitlement for their products, meaning you can have a single SQL instance (full) that all of their stuff rides on. Not an instance per product, but a single instance for ALL of them.

The lovely thing is that this means you can't set the WSUS DB on that instance, so you either use the WID or throw it on another SQL box that you pay a license for.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
Or SQL Express.

And I don't think there's any limit to the number of SQL instances you can run, you're just only licensed for SQL instances used for running System Center.

lol internet.
Sep 4, 2007
the internet makes you stupid

FISHMANPET posted:

Was that a long time ago? Because I think they're the same license now (unless SCOM is in a different ML, but if it is it's a higher level than SCCM so a SCOM ML would include SCCM).

2 years ago? It was for 2012 licensing. If I recall we had System Center Management Suite? licenses but the ones we needed was specifically System Center *something* Client licenses?

Zaepho
Oct 31, 2013

lol internet. posted:

2 years ago? It was for 2012 licensing. If I recall we had System Center Management Suite? licenses but the ones we needed was specifically System Center *something* Client licenses?

System center needs licensing for both the server side and the client side. I see a lot of customers with System Center rolled into their client licenses in some form or fashion.

Number19
May 14, 2003

HOCKEY OWNS
FUCK YEAH

Wrath of the Bitch King posted:

I can tell you that in my organization we only own SCCM, nothing else. We didn't itemize for it either, it was part of the EA.

The System Center product family gives you SQL entitlement for their products, meaning you can have a single SQL instance (full) that all of their stuff rides on. Not an instance per product, but a single instance for ALL of them.

The lovely thing is that this means you can't set the WSUS DB on that instance, so you either use the WID or throw it on another SQL box that you pay a license for.

If WSUS, SCCM and SQL are all running on the same server you are allowed to use SQL for WSUS. Also for parts of MDT if it is also all hosted on the same server.

It's really convoluted but That's Microsoft :v:

Wrath of the Bitch King
May 11, 2005

Research confirms that black is a color like silver is a color, and that beyond black is clarity.

Number19 posted:

If WSUS, SCCM and SQL are all running on the same server you are allowed to use SQL for WSUS. Also for parts of MDT if it is also all hosted on the same server.

It's really convoluted but That's Microsoft :v:

I'll have to check that out if true. I remember reading some article online (or reddit, it's been a long time since implementation) that said they couldn't be on the same machine.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
I think once upon a time you were supposed to install them separately, but I'm not sure I believe that, because I've been using SCCM since 2007 and until recently every SCCM install I've done had the Site server and DB on the same system.

But it's fine now to do.

Zaepho
Oct 31, 2013

FISHMANPET posted:

I think once upon a time you were supposed to install them separately, but I'm not sure I believe that, because I've been using SCCM since 2007 and until recently every SCCM install I've done had the Site server and DB on the same system.

But it's fine now to do.

Back in the SMS days there were some issues around remote SQL instances and SMS (never ran into them myself on 2003 or later). The mantra that the SQL instance must be co-located with the site server has persisted much like Network Admins who still want to statically set Speed and Duplex on switch ports.

I typically do a remote SQL so I can do nifty things like Clustering or (now) Always On to provide SOME level of HA/DR for an SCCM instance.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Dunno where else to ask, but here goes...

Just got "tablets" dumped on my lap. We have about 50-60 windows 8.1 tablets out in the field, previously they were all 'hand' configured. The guy before me created a policy file that he manually imported on all the machines as well as a few other manual steps prior to that. Well, we are getting windows 10 tablets now (even replaced tablets come back with 10 and not 8.1, it's not the same tablet, but I figured we would get what OS we had previously...) and I'd like to make this process not poo poo.

Basically I need to do a few things:

1) disable built-in admin/guest accounts
2) create another admin account (named the same across all systems)
3) create a lesser privileged account that will essentially operate in a kiosk type mode
4) lock down said account
5) install our monitoring solution
6) patch machine

Steps 1-4 are what I want to streamline, 5 and 6 can be done manually for now.

I typically don't handle client type devices, just servers.. a lot of them, but the way we handle spinning up servers will not work for what I'm doing.

Zaepho
Oct 31, 2013

MF_James posted:

Dunno where else to ask, but here goes...

Just got "tablets" dumped on my lap. We have about 50-60 windows 8.1 tablets out in the field, previously they were all 'hand' configured. The guy before me created a policy file that he manually imported on all the machines as well as a few other manual steps prior to that. Well, we are getting windows 10 tablets now (even replaced tablets come back with 10 and not 8.1, it's not the same tablet, but I figured we would get what OS we had previously...) and I'd like to make this process not poo poo.

What do the desktop guys use for imaging? MDT/WDS or MDT and SCCM would work quite nicely for these. Everything you're talking about can be rolled into a task sequence.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Zaepho posted:

What do the desktop guys use for imaging? MDT/WDS or MDT and SCCM would work quite nicely for these. Everything you're talking about can be rolled into a task sequence.

Yeahhhhhhhhhhhhhhhhhhhhhhhhhhhh........................

we don't do any desktop stuff except internal poo poo for like 20 users. I figured that was going to be the answer though.

Internet Explorer
Jun 1, 2005

You can do all those things by GPO if they regularly have domain access. You'd still have to install the OS or go the WSUS route, but I'd rather use GPO than a script if it's possible.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Yeah they aren't attached to a domain sadly. I'll probably create a new registry file and then script everything else that I can. Updates are handled by our monitoring solution (N-Able), so that's no biggie, I'll just script the import of the policy file, the install of n-able and a few other things so all someone (hopefully) has to do is move a folder onto the device and then run the script inside.
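One way to script steps 1-4 from the tablet list above on a non-domain-joined Windows 10 device, as an added example that is not from the thread. Account names, the kiosk app AUMID and the path of the exported .reg file are placeholders to replace with your own; it also assumes the kiosk app is already installed for that account, which Assigned Access needs.

```powershell
#Requires -RunAsAdministrator
# Added example: first-boot provisioning for a standalone Windows 10 tablet.
# Placeholders: account names, kiosk app AUMID, policy .reg file path.
param(
    [string]$AdminName  = 'FieldAdmin',   # step 2: same name on every tablet
    [string]$KioskName  = 'FieldKiosk',   # step 3: low-privilege kiosk user
    [string]$KioskAumid = 'Microsoft.WindowsCalculator_8wekyb3d8bbwe!App', # placeholder AUMID
    [string]$PolicyFile = "$PSScriptRoot\tablet-policy.reg"                # exported settings
)

# Prompt for passwords so nothing sits in the script or the folder copied to the device.
$adminPw = Read-Host -AsSecureString "Password for $AdminName"
$kioskPw = Read-Host -AsSecureString "Password for $KioskName"

# Step 2 first: make sure a working admin exists before the built-in one is disabled.
if (-not (Get-LocalUser -Name $AdminName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $AdminName -Password $adminPw -PasswordNeverExpires -AccountNeverExpires | Out-Null
}
Add-LocalGroupMember -Group 'Administrators' -Member $AdminName -ErrorAction SilentlyContinue

# Step 3: kiosk account, member of Users only.
if (-not (Get-LocalUser -Name $KioskName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $KioskName -Password $kioskPw -PasswordNeverExpires -AccountNeverExpires | Out-Null
}
Add-LocalGroupMember -Group 'Users' -Member $KioskName -ErrorAction SilentlyContinue

# Step 1: disable built-in Administrator (RID 500) and Guest (RID 501).
# Matching on the SID rather than the name survives renamed or localized accounts.
Get-LocalUser | Where-Object { $_.SID.Value -match '-50[01]$' } | Disable-LocalUser

# Step 4: pin the kiosk account to a single UWP app with Assigned Access
# (AssignedAccess module ships with Windows 10; the app must be installed for the user).
Set-AssignedAccess -UserName $KioskName -AppUserModelId $KioskAumid

# Apply the registry/policy settings the previous admin imported by hand.
if (Test-Path $PolicyFile) { reg.exe import $PolicyFile }

# Show the end state before the tablet goes out the door.
Get-LocalUser | Select-Object Name, Enabled, @{n='SID'; e={$_.SID.Value}} | Format-Table -AutoSize
```

Run it from the folder dropped on the device; the final table should show only the two new accounts enabled and the RID 500/501 accounts disabled.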

CLAM DOWN
Feb 13, 2007

Have any of you implemented an NDES AD CS server in a DMZ? I'm baffled by some of the network communication I'm seeing on the firewall for this service.

incoherent
Apr 24, 2004

I thought the ideal of DMZ is y'all don't really trust those devices at all except for the specific and only role those machines play. Why would you enroll them in your AD CS? A stand alone CS, sure. But not a CS tied to my domain...

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

incoherent posted:

I thought the ideal of DMZ is y'all don't really trust those devices at all except for the specific and only role those machines play. Why would you enroll them in your AD CS? A stand alone CS, sure. But not a CS tied to my domain...
We have servers on our domain in the DMZ, but we can't run DHCP on machines in the DMZ, because it's supposed to be segregated :v:

CLAM DOWN
Feb 13, 2007

incoherent posted:

I thought the ideal of DMZ is y'all don't really trust those devices at all except for the specific and only role those machines play. Why would you enroll them in your AD CS? A stand alone CS, sure. But not a CS tied to my domain...

I'm not really able to share details of our architecture, sorry. I can share that the purpose of this NDES/SCEP server is for mobile device certificates through our MDM system, so it's in a DMZ segment.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

What about throwing a Web Application Proxy in front of it? Put that in the DMZ, leave NDES inside.

CLAM DOWN
Feb 13, 2007

skipdogg posted:

What about throwing a Web Application Proxy in front of it? Put that in the DMZ, leave NDES inside.

I like that idea better, nice, thanks. Hadn't thought of that.

Moey
Oct 22, 2010

I LIKE TO MOVE IT

anthonypants posted:

We have servers on our domain in the DMZ, but we can't run DHCP on machines in the DMZ, because it's supposed to be segregated :v:

Haha. I don't even bother joining my DMZ servers to our domain, unless there is some dire need to because of whatever software.

MC Fruit Stripe
Nov 26, 2002

around and around we go
Hmm, we had what looks to be a security breach in a test environment. I don't have a tremendous amount of exposure to this environment, but I'm told that a particular password is kinda handed out as the standard. New users get this password, and who even knows who's changing it once they've received it.

There's about 200 users in this environment, and I want to see who's using this password. Is there any way I'm going to be able to just enter a list of usernames with a particular password and see whose account is using that password? I am trying to do this in a legit, aboveboard way. I'm brainstorming an approach and I'm coming up with non-starters like "a Powershell script which maps a drive with credentials and records success or failure" but actions like that run into issues with multiple connections to a server from the same login. Any suggestions for an angle to look at here?

Ultimately, instead of just having to blow up the entire domain, what I am trying to accomplish is to narrow down to people using a particular password and force them to change their password.

Docjowles
Apr 9, 2009

If you think there's been a security breach, you should probably go scorched earth and reset the password of absolutely everyone who has access to the environment. For all you know, they immediately changed the password on the compromised account and it wouldn't even get caught by your analysis.

Edit: to avoid doing the same thing I got mad at people for doing to me in this thread... maybe look up standard password cracking tools? Assuming you have admin access to this environment you should be able to get password hashes and then run them against the shared problem password super quickly.

Docjowles fucked around with this message at 03:42 on Oct 10, 2016

Dr. Arbitrary
Mar 15, 2006

Bleak Gremlin

MC Fruit Stripe posted:

Hmm, we had what looks to be a security breach in a test environment. I don't have a tremendous amount of exposure to this environment, but I'm told that a particular password is kinda handed out as the standard. New users get this password, and who even knows who's changing it once they've received it.

There's about 200 users in this environment, and I want to see who's using this password. Is there any way I'm going to be able to just enter a list of usernames with a particular password and see whose account is using that password? I am trying to do this in a legit, aboveboard way. I'm brainstorming an approach and I'm coming up with non-starters like "a Powershell script which maps a drive with credentials and records success or failure" but actions like that run into issues with multiple connections to a server from the same login. Any suggestions for an angle to look at here?

Ultimately, instead of just having to blow up the entire domain, what I am trying to accomplish is to narrow down to people using a particular password and force them to change their password.

This looks like what you need to do:

http://security.stackexchange.com/questions/100271/extract-password-hashes-from-active-directory-ldap

MC Fruit Stripe
Nov 26, 2002

around and around we go
I found that one too and I think it's going to be my approach tomorrow. Should be fun. Trying to exercise a bit of nuance - rather than blowing up the entire domain, I'd like to just rid it of a particular password, since I know beyond any doubt that this 'default' password was the problem.

e: It's probably obvious based on the few technical questions I ask around here - this, my "make every email on this Exchange server go away" line of posts, a few others - that my job description is basically 'inherit messes'. Eh, it puts food on the table. Hell, when I had my first meeting with my current director, he asked what my role in the organization was. My answer was "when it happens, you'll know" - cryptic, but he knows now.

MC Fruit Stripe fucked around with this message at 09:19 on Oct 10, 2016

sloshmonger
Mar 21, 2013

MC Fruit Stripe posted:

I found that one too and I think it's going to be my approach tomorrow. Should be fun. Trying to exercise a bit of nuance - rather than blowing up the entire domain, I'd like to just rid it of a particular password, since I know beyond any doubt that this 'default' password was the problem.

e: It's probably obvious based on the few technical questions I ask around here - this, my "make every email on this Exchange server go away" line of posts, a few others - that my job description is basically 'inherit messes'. Eh, it puts food on the table. Hell, when I had my first meeting with my current director, he asked what my role in the organization was. My answer was "when it happens, you'll know" - cryptic, but he knows now.

If it's Active Directory, couldn't you just compare the account creation time/date and the password last set time/date?
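The comparison sloshmonger suggests, as an added example that is not from the thread: list enabled accounts whose password has not been set since the account was created (the ones most likely still on the handed-out default) and flag them to change it at next logon. It assumes the ActiveDirectory RSAT module and runs with -WhatIf until you remove the switch; the five-minute grace window is an assumption to absorb the gap between account creation and the initial password set.

```powershell
# Added example: find accounts that never changed their initial password.
Import-Module ActiveDirectory

function Get-UnchangedPasswordUsers {
    param(
        [string]$SearchBase  = (Get-ADDomain).DistinguishedName,
        [int]   $GraceMinutes = 5   # creation and initial password set are seconds apart
    )
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties whenCreated, PasswordLastSet, pwdLastSet, PasswordNeverExpires |
    ForEach-Object {
        # pwdLastSet = 0 already means "must change at next logon"; nothing to do.
        if ($_.pwdLastSet -eq 0) { return }
        $delta = $_.PasswordLastSet - $_.whenCreated
        if ($delta.TotalMinutes -le $GraceMinutes) {
            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                Created              = $_.whenCreated
                PasswordLastSet      = $_.PasswordLastSet
                PasswordNeverExpires = $_.PasswordNeverExpires
            }
        }
    }
}

function Set-ForcePasswordChange {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(ValueFromPipeline = $true)][string]$SamAccountName)
    process {
        if ($PSCmdlet.ShouldProcess($SamAccountName, 'force password change at next logon')) {
            # ChangePasswordAtLogon is rejected while PasswordNeverExpires is set, so clear it first.
            Set-ADUser -Identity $SamAccountName -PasswordNeverExpires $false
            Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
        }
    }
}

$suspects = Get-UnchangedPasswordUsers
$suspects | Format-Table -AutoSize
# Drop -WhatIf once the list looks right.
$suspects.SamAccountName | Set-ForcePasswordChange -WhatIf
```

This only proves an account never changed its initial password; anyone who changed it and then set it back to the default is not caught, which is why a full reset remains the safer answer after a suspected breach.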

Wrath of the Bitch King
May 11, 2005

Research confirms that black is a color like silver is a color, and that beyond black is clarity.
Weird issue with Group Policy, specifically with Server 2008 SP2 clients. These machines fail to pull machine policy, meaning they never update, change, or remove policy that they have from whenever they initially DID pull it.

This is unilaterally all Server 2008 SP2 clients. 2003, 2008 R2, 2012, and 2012 R2 don't have this issue. Anyone familiar with this problem? Google is failing me so far.

Domain is 2008 R2 functional level.

CLAM DOWN
Feb 13, 2007

Check event viewer, gpresult, the usual.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Could make sure they can see/have permissions on that specific folder in the sysvol. Have you tried unjoining/rejoining and see if that has any effect? Also, those machines aren't being filtered with WMI or security filtering right?

CLAM DOWN
Feb 13, 2007

Running an HTML gpresult will definitely tell you a lot of info, if the event log is clean.

milk milk lemonade
Jul 29, 2016
I start with the modeling wizard, then go all /h gpreport.html on one of those computers' asses as suggested (especially if there are WMI filters).

Edit: I've had situations where group policies got stuck on machines for some reason or another. It always ended with a reimage. Never seen it happen on a large scale to everything in a domain though.

milk milk lemonade fucked around with this message at 02:33 on Oct 12, 2016

Wrath of the Bitch King
May 11, 2005

Research confirms that black is a color like silver is a color, and that beyond black is clarity.
I've gone through most of the common steps, the scope is highly unusual.

You can build a brand new 2008 SP2 server and attach it to the domain. It will initially pull policy, but after that initial pull it becomes completely unable to change any of those policies ever again. No updates, no removals, nothing. Only 2008 SP2.

No filters are in place, these servers share a common OU/container with other server variants and are subject to identical policies. Guess I'll keep digging.

My guess is there is an ADMX template that 2008 SP2 is choking on; GPResult is displaying the normal results you'd expect for a working instance barring any changes made after the initial pull. User policy is functioning, but machine policy isn't.

Wrath of the Bitch King fucked around with this message at 18:16 on Oct 12, 2016

CLAM DOWN
Feb 13, 2007

Wrath of the Bitch King posted:

I've gone through most of the common steps, the scope is highly unusual.

You can build a brand new 2008 SP2 server and attach it to the domain. It will initially pull policy, but after that initial pull it becomes completely unable to change any of those policies ever again. No updates, no removals, nothing. Only 2008 SP2.

No filters are in place, these servers share a common OU/container with other server variants and are subject to identical policies. Guess I'll keep digging.

Do you see any errors in Event Viewer? Filter by non-informational. What about gpresult /h? Do you see any errors or warnings noted? Link or inheritance problems? Processing errors?

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Wrath of the Bitch King posted:

I've gone through most of the common steps, the scope is highly unusual.

You can build a brand new 2008 SP2 server and attach it to the domain. It will initially pull policy, but after that initial pull it becomes completely unable to change any of those policies ever again. No updates, no removals, nothing. Only 2008 SP2.

No filters are in place, these servers share a common OU/container with other server variants and are subject to identical policies. Guess I'll keep digging.

My guess is there is an ADMX template that 2008 SP2 is choking on; GPResult is displaying the normal results you'd expect for a working instance barring any changes made after the initial pull. User policy is functioning, but machine policy isn't.

What if you blow away the machine policy, does it pull it down again?

MrMojok
Jan 28, 2011

e: nm

milk milk lemonade
Jul 29, 2016
Is your sysvol corrupted? Do you have anything scanning/accessing that directory for any reason?


Internet Explorer
Jun 1, 2005

I'd point at a corrupted sysvol as well. Not sure if this would relate, but do keep in mind there is a local cache of GPOs, maybe an issue with the template you are using? https://macgyveritblog.wordpress.com/2014/01/27/recreate-the-local-group-policy-cache-in-windows/
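The checks the thread suggests for a stuck client (gpresult /h, non-informational Group Policy events, the local machine-policy cache and SYSVOL reachability), gathered in one pass as an added example that is not from the thread. Run elevated on one of the affected 2008 SP2 machines; the output folder and the 24-hour event window are assumptions, and the script avoids newer syntax so it works on PowerShell 2.0.

```powershell
# Added example: collect Group Policy diagnostics from a client that stops refreshing machine policy.
$out = "C:\GPDiag-$(Get-Date -Format yyyyMMdd-HHmm)"
New-Item -ItemType Directory -Path $out -Force | Out-Null

# 1. Force a computer-policy refresh so the operational log shows a fresh attempt.
gpupdate /target:computer /force | Out-File "$out\gpupdate.txt"

# 2. HTML RSoP report, computer scope only.
gpresult /scope:computer /h "$out\gpreport.html" /f

# 3. Critical/error/warning events (levels 1-3) from the Group Policy operational log.
#    SYSVOL access failures and registry.pol processing errors land here.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    Level     = 1, 2, 3
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Export-Csv "$out\gp-events.csv" -NoTypeInformation

# 4. Local machine-policy cache: registry.pol timestamp plus the GPO versions the
#    client last recorded per client-side extension. If these never move after a
#    gpupdate while the GPO version on the DC does, the client is not re-applying.
$pol = "$env:windir\System32\GroupPolicy\Machine\Registry.pol"
if (Test-Path $pol) {
    Get-Item $pol | Select-Object FullName, LastWriteTime | Out-File "$out\cache.txt"
}
$hist = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
Get-ChildItem $hist -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Where-Object { $_.GPOName } |
    Select-Object DisplayName, GPOName, Version |
    Out-File "$out\cache.txt" -Append

# 5. Can this host read the policy share at all? (USERDNSDOMAIN is set in domain sessions.)
$sysvol = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
"SYSVOL reachable: $(Test-Path $sysvol)" | Out-File "$out\cache.txt" -Append

Write-Host "Diagnostics written to $out"
```

Compare gp-events.csv and cache.txt from a 2008 SP2 box against the same output from a 2008 R2 box in the same OU; the first divergence usually points at the template or extension the older client chokes on.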
