Sterling_Archer
May 10, 2012

"What do you mean we're not in compliance?"
I'm having an issue with a 2012 server where over the course of 2-3 days DNS.exe will eat many thousands of ports, so many that we can't get into it with RDP or TeamViewer either locally or remote. It's so bad that an hour after reboot DNS.exe has taken up ~13,000 ports in the upper ranges. Everything from 52k+. What can I do to make the DNS service stop eating up so many ports? Originally we thought it was FileMaker Pro but that's not the PID I'm getting.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Sterling_Archer posted:

I'm having an issue with a 2012 server where over the course of 2-3 days DNS.exe will eat many thousands of ports, so many that we can't get into it with RDP or TeamViewer either locally or remote. It's so bad that an hour after reboot DNS.exe has taken up ~13,000 ports in the upper ranges. Everything from 52k+. What can I do to make the DNS service stop eating up so many ports? Originally we thought it was FileMaker Pro but that's not the PID I'm getting.

I googled dns.exe port exhaustion and found a couple supposed fixes. One of them is for 2008R2 where the behavior is supposed to be fixed in 2012. You're fully patched and all that right?

Both solutions seem to be modifying the registry.

last post here https://social.technet.microsoft.co...rum=winserverPN

or here

https://community.spiceworks.com/topic/337059-if-you-have-to-reboot-your-servers-often-its-probably-port-exhaustion

hope this helps

This is a decent troubleshooting article

https://blogs.technet.microsoft.com/askds/2008/10/29/port-exhaustion-and-you-or-why-the-netstat-tool-is-your-friend/

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Super Slash posted:

Is there some kind of information source about best practices for Windows 10 group policies?

I've got some machines which shipped with Windows 10 Pro and need to make them as non-lovely and barebones as possible, so our users don't come up with a million questions about how stuff works. I've done the basic stuff like turn off cortana, telemetry, security enforcement, but I'm having a hell of a time just setting a company lock/login screen.

Of course the next step is to deploy standard imaging, but I need the budget first.

http://www.grouppolicy.biz/2012/11/how-to-use-group-policy-to-change-the-default-lock-screen-image-in-windows-8/

You can also customize the start-menu, by exporting a startmenu layout from one computer and then applying it via group policy (it's an xml file). I could dig up my information on that if you need. I had to do some work to get win10 tablets locked down, I got about 95% of the way done and the work was scrapped...

As far as a single spot to find a ton of info? I couldn't find one, I dug through dozens, maybe even 100+ websites to gather all the stuff I did.

Wiggly
Aug 26, 2000

Number one on the ice, number one in my heart
Fun Shoe
This site always comes up whenever I google some random Windows 10 GPO setting. They have some pretty good stuff, either under the Windows 10 or GPO links at the top of the page.

https://4sysops.com

wyoak
Feb 14, 2005

a glass case of emotion

Fallen Rib

Sterling_Archer posted:

I'm having an issue with a 2012 server where over the course of 2-3 days DNS.exe will eat many thousands of ports, so many that we can't get into it with RDP or TeamViewer either locally or remote. It's so bad that an hour after reboot DNS.exe has taken up ~13,000 ports in the upper ranges. Everything from 52k+. What can I do to make the DNS service stop eating up so many ports? Originally we thought it was FileMaker Pro but that's not the PID I'm getting.
13000 is a lot, but DNS's expected behavior is allocating a couple thousand ports for itself, so the DNS server may not actually be your issue. That said, if it's not supposed to be a DNS server, shut down the DNS server service. Be aware that the DNS Client Service is not DNS.exe. Make sure the DNS.exe in question is actually Microsoft's, maybe you've got something running that you shouldn't. Unfortunately it doesn't have a digital signature but yeah.

If this is a legit DNS server, running dnscmd.exe /info /socketpoolsize will show you the socket pool size, 2500 is the default - in a default configuration, the DNS server is going to reserve double that amount for itself (IPv4 and IPv6). This article has more info, and gets into memory allocations, so maybe if the pool size is bigger than default and your server is underpowered you'd run into kernel memory issues.
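Added example, not from anyone in the thread: a PowerShell triage script that does what skipdogg's netstat article and wyoak's post describe in one pass. It tallies TCP and UDP endpoints per owning process, checks that the dns.exe holding them is the one in System32 and what its signature check reports, and prints the dynamic port range next to the DNS socket pool size so you can see whether 2 x SocketPoolSize plus everything else fits in the range. It assumes Windows Server 2012 or later (for the NetTCPIP cmdlets) and an elevated prompt.

```powershell
# Added example: port-exhaustion triage on a Windows DNS server. Run as administrator.

# 1. Who owns the ports? Count TCP connections and UDP endpoints per owning process.
$tcp = @(Get-NetTCPConnection | Select-Object OwningProcess, LocalPort, @{n='Proto';e={'TCP'}})
$udp = @(Get-NetUDPEndpoint   | Select-Object OwningProcess, LocalPort, @{n='Proto';e={'UDP'}})
$byProcess = ($tcp + $udp) |
    Group-Object OwningProcess |
    ForEach-Object {
        $p = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
        [pscustomobject]@{
            PID   = [int]$_.Name
            Name  = if ($p) { $p.ProcessName } else { '<exited>' }
            Path  = if ($p) { $p.Path } else { $null }
            Ports = $_.Count
            Udp   = @($_.Group | Where-Object Proto -eq 'UDP').Count
        }
    } | Sort-Object Ports -Descending
$byProcess | Select-Object -First 10 | Format-Table -AutoSize

# 2. Is the dns.exe eating ports the one Windows shipped? Compare the path, then ask
#    Authenticode what it thinks (inbox binaries are catalog-signed; anything odd here,
#    or a path outside System32, deserves a closer look).
$dns = $byProcess | Where-Object Name -eq 'dns' | Select-Object -First 1
if ($dns -and $dns.Path) {
    $expected = Join-Path $env:SystemRoot 'System32\dns.exe'
    if ($dns.Path -ne $expected) {
        Write-Warning "dns.exe PID $($dns.PID) runs from $($dns.Path), expected $expected"
    }
    Get-AuthenticodeSignature -FilePath $dns.Path | Select-Object Status, StatusMessage | Format-List
}

# 3. Dynamic (ephemeral) port range versus the DNS socket pool. The pool is reserved per
#    address family, so the DNS Server service alone takes roughly 2 x SocketPoolSize ports.
netsh int ipv4 show dynamicport udp
netsh int ipv6 show dynamicport udp
dnscmd /info /socketpoolsize
```

If the top of the table is not dns.exe at all, that is the PID to chase; if it is, and the socket pool is bigger than 2500 or the dynamic range has been shrunk, the last three commands show it directly.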

milk milk lemonade
Jul 29, 2016
You can bet your rear end your problem is FileMaker and it's your fault for using such a huge piece of poo poo.

SeaborneClink
Aug 27, 2010

MAWP... MAWP!

milk milk lemonade posted:

You can bet your rear end your problem is FileMaker and it's your fault for using such a huge piece of poo poo.

This is the correct opinion. If you have FileMaker in your env, and it doesn't look like FileMaker is causing the problem... :ssh: it's still FileMaker.

Sterling_Archer
May 10, 2012

"What do you mean we're not in compliance?"

milk milk lemonade posted:

You can bet your rear end your problem is FileMaker and it's your fault for using such a huge piece of poo poo.

You are probably right but as an MSP I can't exactly force them to stop using it. That they are using it on a DC is also a problem.

Thanks Ants
May 21, 2004

#essereFerrari


You can make suggestions to your client, explain the problems they are causing for themselves and ultimately just drop them as a client if they aren't willing to take advice. A lot of the problems that MSPs have are self-inflicted by chasing revenue at any cost, regardless of how loving much of a pain in the dick each client is.

milk milk lemonade
Jul 29, 2016

Sterling_Archer posted:

You are probably right but as an MSP I can't exactly force them to stop using it. That they are using it on a DC is also a problem.

Have you tried increasing the ports assigned for TCP?

milk milk lemonade
Jul 29, 2016

Thanks Ants posted:

You can make suggestions to your client, explain the problems they are causing for themselves and ultimately just drop them as a client if they aren't willing to take advice. A lot of the problems that MSPs have are self-inflicted by chasing revenue at any cost, regardless of how loving much of a pain in the dick each client is.

I had this argument the other day with a sales guy. I do consulting/project work, but sometimes I get dragged into managed services bullshit and I can't believe how stupid it is. Anyways I told the sales guy we need to start firing lovely clients and stop letting them walk all over us. He acted like I shot his dog.

wyoak
Feb 14, 2005

a glass case of emotion

Fallen Rib

Sterling_Archer posted:

You are probably right but as an MSP I can't exactly force them to stop using it. That they are using it on a DC is also a problem.
Build a new DC, demote this thing and let it run FileMaker

Internet Explorer
Jun 1, 2005





But then the customer has to pay $xxx dollars a month for us to support that server! And another Windows license. And several of them if they are using a virtualization cluster!

A lot of MSPs still charge by server/device. It makes for really dumb decisions.

Super Slash
Feb 20, 2006

You rang ?
Ok so I spent a bunch of time trying to tidy up OEM Win 10 pro installs, but there's a massive snag in that some GPOs straight up don't work with Pro and only with Enterprise; namely configuring the lock/login screen graphics/wallpaper.

It's amazingly bullshit that they would lock something so simple behind the most expensive version of their OS, I got in touch with our MSP to get some prices for enterprise volume licensing for 60 machines... I'm sure I'm going to be captain popular dropping a £15k upgrade price tag, plus server licensing for extra VMs as well.

mewse
May 2, 2006

Super Slash posted:

I'm sure I'm going to be captain popular dropping a £15k upgrade price tag

Holy poo poo

MC Fruit Stripe
Nov 26, 2002

around and around we go
That might literally be the worst quote in the history of information technology.

Super Slash
Feb 20, 2006

You rang ?
Can I please just stay on Windows 7 for like, forever?

And this was going through our managed guys who have a better handle on MS licensing, rather than our tech supplier who doesn't; £244.31 (ex VAT) per unit of a VL agreement of Windows 10 Enterprise.

Additionally it's probably not helped with the exchange rate of our now loving loopy currency.

Thanks Ants
May 21, 2004

#essereFerrari


If you're already an Office 365 customer then just move to one of the Secure Productive Enterprise suites, if you aren't then Windows 10 Enterprise E3 is also a thing.

peak debt
Mar 11, 2001
b& :(
Nap Ghost
Windows 8.1 is good until 2023 and doesn't have a lot of the endless amounts of bullshit you have to deal with in Windows 10.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


peak debt posted:

Windows 8.1 is good until 2023 and doesn't have a lot of the endless amounts of bullshit you have to deal with in Windows 10.

From a business perspective Windows 10 is worthwhile upgrade from Windows 7.

Methanar
Sep 26, 2013

by the sex ghost
In this brave new Windows as a Service world, how is Microsoft going to be getting their money where they traditionally have by releasing a new OS. They can't be banking on Office 365 alone.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


They're moving Windows into a Service offering with continual updates and no more monolithic releases.

Methanar
Sep 26, 2013

by the sex ghost
Yes, but is there/going to be a Windows 10 Enterprise subscription or are they going to charge for the right to use an LTSB branch.

Do we know yet?

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


There's an offering through O365, or there will be soonish.

PUBLIC TOILET
Jun 13, 2009

How Group Policy will be handled within Windows 10 moving forward has been one primary concern of mine. I couldn't help but notice that each time there's been a major update (1511, 1607, etc.), they've added/modified/removed various configurable policy options. So each update has resulted in the need to update administrative templates on both the workstations and servers. That doesn't even include the changes they've made between Pro/Enterprise in that regard. So how do they plan to approach this moving forward? Just keep on loving around with group policy every time they push a major update as they continue to force the subscription model? Sounds like an IT nightmare in the making. It's going to require constant maintenance of the Group Policy structure alone.

Another issue is their ongoing loving of RSAT for Windows 10. Missing options, broken features, etc. I imagine RSAT will need to be updated after each major update, too. How about the lack of QA recently? Just all around belligerent.

Maneki Neko
Oct 27, 2000

Methanar posted:

Yes, but is there/going to be a Windows 10 Enterprise subscription or are they going to charge for the right to use an LTSB branch.

Do we know yet?

Windows 10 Enterprise subscriptions already exist (they are using the E3/E5 name for them) but currently you can only get it onto CBB, not LTSB. Pretty sure LTSB requires an enterprise agreement, which is recurring $$$ for Microsoft anyway:

https://blogs.windows.com/business/...UgucIAVYgIHA.97

peak debt
Mar 11, 2001
b& :(
Nap Ghost

Methanar posted:

Yes, but is there/going to be a Windows 10 Enterprise subscription or are they going to charge for the right to use an LTSB branch.

Do we know yet?

Windows 10 Professional is also way more neutered for businesses compared to earlier versions.

Right now you can't do the following in Windows 10 Pro:
- Sideload Metro apps
- Use the business store
- Disable the store completely
- Disable telemetry / data leaking
- Customize the start menu
- Disable the "are you sure you don't want to open this file with a Microsoft application" nag screens

If you want all your employees to have access to a certain Metro app and you run Professional, the only way you can do that is to have them install it themselves, pay with their own credit card, then handle that over expenses or whatever. If they quit the company, the license is lost forever.

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from

PUBLIC TOILET posted:

How Group Policy will be handled within Windows 10 moving forward has been one primary concern of mine. I couldn't help but notice that each time there's been a major update (1511, 1607, etc.), they've added/modified/removed various configurable policy options. So each update has resulted in the need to update administrative templates on both the workstations and servers. That doesn't even include the changes they've made between Pro/Enterprise in that regard. So how do they plan to approach this moving forward? Just keep on loving around with group policy every time they push a major update as they continue to force the subscription model? Sounds like an IT nightmare in the making. It's going to require constant maintenance of the Group Policy structure alone

Are you talking about the ADMXs and ADMs? Just make a central store.
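Added example, not hihifellow's or PUBLIC TOILET's script: building or refreshing the central store the way the post suggests, from a reference machine running the newest Windows 10 build you manage. Once `PolicyDefinitions` exists under SYSVOL, GPMC reads templates from there instead of each admin's local copy, so the per-build ADMX churn becomes one copy job. The domain name and language list are placeholders.

```powershell
# Added example: create or refresh the Group Policy central store from this machine's
# PolicyDefinitions. Run from a box on the newest build you deploy, as a domain admin.
$domain = 'contoso.com'                                   # placeholder
$source = Join-Path $env:SystemRoot 'PolicyDefinitions'
$store  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
$langs  = @('en-US')                                      # only the ADML languages you use

if (-not (Test-Path $store)) { New-Item -ItemType Directory -Path $store | Out-Null }

# Copy every .admx, overwriting older copies; nothing in the store is deleted.
Get-ChildItem $source -Filter *.admx | ForEach-Object {
    Copy-Item $_.FullName (Join-Path $store $_.Name) -Force
}

# Copy the matching .adml language files for each language folder you keep.
foreach ($lang in $langs) {
    $dst = Join-Path $store $lang
    if (-not (Test-Path $dst)) { New-Item -ItemType Directory -Path $dst | Out-Null }
    Get-ChildItem (Join-Path $source $lang) -Filter *.adml | ForEach-Object {
        Copy-Item $_.FullName (Join-Path $dst $_.Name) -Force
    }
}

# Report templates in the store that this build no longer ships (removed or renamed
# between releases), so you can decide whether to keep them for older clients.
$current = Get-ChildItem $source -Filter *.admx | Select-Object -ExpandProperty Name
Get-ChildItem $store -Filter *.admx |
    Where-Object { $current -notcontains $_.Name } |
    Select-Object Name, LastWriteTime
```

The stale-template report at the end is the part worth keeping: an ADMX that newer builds dropped still loads fine, but an ADML that was renamed will throw the familiar "namespace already defined" error in GPMC until you remove the old one.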

Super Slash
Feb 20, 2006

You rang ?

peak debt posted:

Windows 10 Professional is also way more neutered for businesses compared to earlier versions.

It's a drat shame since we have practically zero power users, all the staff need is a barebones Windows machine with access to Google Chrome, MS Word and Outlook and that's it.

I made a bit of progress with customisation by enforcing a locked start menu layout GPO set by an XML file, and also a login script to execute a PS script to remove a big list of "Apps".
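Added example covering both MF_James's start-menu layout export and Super Slash's app-removal login script; it is not either poster's own code. Export-StartLayout produces the XML the "Start Layout" policy points at, and the two Appx loops remove Store apps for the current user and from the provisioned image so new profiles do not get them back. The share path and the allow list are assumptions; adjust both.

```powershell
# Added example: capture a Start layout for GPO and strip inbox Store apps on Windows 10 Pro.

# 1. On a reference machine with the Start menu arranged the way you want it. Put the XML on a
#    share every user can read; that is the path you enter in
#    User Configuration > Administrative Templates > Start Menu and Taskbar > Start Layout.
$layoutPath = '\\contoso.com\SYSVOL\contoso.com\scripts\StartLayout.xml'   # placeholder
Export-StartLayout -Path $layoutPath

# 2. Apps to keep. Assumed list; everything else signed by the Store goes.
$keep = @(
    'Microsoft.WindowsCalculator',
    'Microsoft.WindowsStore',
    'Microsoft.Windows.Photos',
    'Microsoft.DesktopAppInstaller'
)

# 2a. Login script part: remove Store apps already installed for this user. Frameworks and
#     system-signed packages are left alone so nothing else breaks.
Get-AppxPackage | Where-Object {
    -not $_.IsFramework -and $_.SignatureKind -eq 'Store' -and $keep -notcontains $_.Name
} | ForEach-Object {
    Write-Verbose "Removing $($_.PackageFullName)"
    Remove-AppxPackage -Package $_.PackageFullName -ErrorAction SilentlyContinue
}

# 2b. Run once per machine, elevated: de-provision the same apps so new profiles start clean.
Get-AppxProvisionedPackage -Online |
    Where-Object { $keep -notcontains $_.DisplayName } |
    ForEach-Object {
        Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName -ErrorAction SilentlyContinue |
            Out-Null
    }
```

Step 2b is the one most people miss: removing packages per user in a login script works, but each new profile re-provisions them and the script runs again, so do the provisioned removal once and the login script becomes a cleanup for profiles that already existed.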

Sheep
Jul 24, 2003
This seems crazy but apparently Samba since version 4 is able to act as an AD DC. Anyone here have any experience with this or have any thoughts or comments on it? From looking at things it seems that AWS Simple AD makes use of this so it might not be as harebrained as it sounds.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Sheep posted:

This seems crazy but apparently Samba since version 4 is able to act as an AD DC. Anyone here have any experience with this or have any thoughts or comments on it? From looking at things it seems that AWS Simple AD makes use of this so it might not be as harebrained as it sounds.
It was big news when it was announced about four years ago, but if you're going to use Active Directory you should have a really good reason why you can't use a Windows Server instead.

Vargatron
Apr 19, 2008

MRAZZLE DAZZLE


I'm seeing repeated Security-Kerberos event ID 4 errors in my domain controllers. Based on what I'm seeing this is due to a duplicate SPN associated with the cifs/domainname.com service, but every time I delete a duplicate SPN and reregister it, the error comes back, but only with a different server target. For example, on my PDC I see this Kerberos error originating from two separate servers. I manually added a SPN entry for the PDC for the cifs service, but this isn't resolving the problem.

Can somebody give me an explanation on how SPN works and how I might fix this issue? Based on my understanding it's some kind of failure in certificate revocation but Windows Server isn't my primary area of expertise. I've tried following this blog article but it didn't resolve the issue:
https://blogs.technet.microsoft.com/dcaro/2013/07/04/fixing-the-security-kerberos-4-error/

I'm probably just going to get the assistance of a consultant that we have on retainer, but I want to have a better understanding of the issue before I go to them.
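Added example, not from Vargatron or the linked article: a script that finds the two SPN problems behind Security-Kerberos event 4 (KRB_AP_ERR_MODIFIED). First, the same SPN registered on two objects, which leaves the KDC to pick one key and the target server unable to decrypt the ticket. Second, a hand-added `cifs/` SPN on a different object than the one holding `host/` for the same name: `cifs` is an alias of `HOST` through the forest's sPNMappings, so a computer with `host/<name>` already answers for `cifs/<name>` and an explicit copy elsewhere is a duplicate in disguise. It assumes the ActiveDirectory module (RSAT) and read access to the domain.

```powershell
# Added example: list duplicate SPNs and cifs/ SPNs that shadow an existing host/ SPN.
Import-Module ActiveDirectory

# Every object with at least one SPN: computers, gMSAs and plain service accounts alike.
$objects = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName

# Flatten to (SPN, owner) pairs. SPNs are matched case-insensitively, so normalise first.
$pairs = foreach ($o in $objects) {
    foreach ($spn in $o.servicePrincipalName) {
        [pscustomobject]@{ SPN = $spn.ToLowerInvariant(); Owner = $o.DistinguishedName }
    }
}

# 1. Hard duplicates: identical SPN on two or more objects.
'--- Duplicate SPNs ---'
$pairs | Group-Object SPN | Where-Object Count -gt 1 | ForEach-Object {
    [pscustomobject]@{ SPN = $_.Name; Owners = ($_.Group.Owner -join '; ') }
} | Format-Table -AutoSize -Wrap

# 2. cifs/<name> registered on one object while host/<name> lives on another.
$hostOwner = @{}
$pairs | Where-Object SPN -like 'host/*' | ForEach-Object {
    $hostOwner[$_.SPN.Substring(5)] = $_.Owner
}
'--- cifs/ SPNs shadowing a host/ SPN on a different object ---'
$pairs | Where-Object SPN -like 'cifs/*' | ForEach-Object {
    $name = $_.SPN.Substring(5)
    if ($hostOwner.ContainsKey($name) -and $hostOwner[$name] -ne $_.Owner) {
        [pscustomobject]@{ SPN = $_.SPN; CifsOwner = $_.Owner; HostOwner = $hostOwner[$name] }
    }
} | Format-Table -AutoSize -Wrap

# Cross-check: setspn -X does the hard-duplicate search forest-wide in one command.
```

Run it before removing anything; the event names the server the ticket was for, and that name should show up in one of the two tables. Deleting an SPN that only looks duplicated (for example a `host/` entry on the computer that actually runs the service) just moves the error to the next client.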

ElGroucho
Nov 1, 2005

We already - What about sticking our middle fingers up... That was insane
Fun Shoe
Can someone confirm that I'm an idiot? I've got a CI setup in SCCM, set to Compliance condition reg key must not exist on client device. It does the exact opposite once deployed, and puts computers that do have the key in compliance and vice versa. What the crap is going on?

Eschatos
Apr 10, 2013


pictured: Big Cum's Most Monstrous Ambassador
Office 365 admins, I got a question for you. I've recently discovered that several users at my company have email addresses that are completely desynced from Active Directory. Their email has its own separate password, is listed as In cloud, and their AD account shows up separately as an .onmicrosoft.com address instead of our domain.



Anyone know of any way to merge these two so that the proper domain email syncs with AD? My best guess right now is to export, delete and reimport. I'm hoping there's a method that's less of a pain in the rear end.

CLAM DOWN
Feb 13, 2007




Sorry I can't answer your question because we don't use O365, but I wanted to post here to state that on-prem Lync Skype for Business is such a lovely god drat piece of poo poo holy hell I want to migrate off this terrible terrible system

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Eschatos posted:

Office 365 admins, I got a question for you. I've recently discovered that several users at my company have email addresses that are completely desynced from Active Directory. Their email has its own separate password, is listed as In cloud, and their AD account shows up separately as an .onmicrosoft.com address instead of our domain.



Anyone know of any way to merge these two so that the proper domain email syncs with AD? My best guess right now is to export, delete and reimport. I'm hoping there's a method that's less of a pain in the rear end.
Add their email address to the proxyAddresses property on that account in AD.

If you have just one account it's simple enough to do in ADUC's Attribute Editor, just edit the proxyAddresses attribute and enter in "SMTP:username@domain.com". If you have secondary email addresses, the smtp: prefix should be in lowercase: "smtp:username@domain.net". If you have a domain that isn't attached to your Office 365 tenant, e.g., domain.local, you can leave those in there, but they won't get imported into Office 365. Also, IdFix will identify errors like this for you.

anthonypants fucked around with this message at 19:46 on Jan 4, 2017

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


I'm trying to get away from putting my own account - user@contoso.com - into Domain Admins to do domain stuff but this is obviously a bad practice.

What's the best way to read up on AD Permissions? That hopefully isn't the entirety of all those MCS novels.

mayodreams
Jul 4, 2003


Hello darkness,
my old friend

Tab8715 posted:

I'm trying to get away from putting my own account - user@contoso.com - into Domain Admins to do domain stuff but this is obviously a bad practice.

What's the best way to read up on AD Permissions? That hopefully isn't the entirety of all those MCS novels.

Best practice is to have a second account for elevated permissions. Usually ends up being something like user.admin@contoso.com. I also like putting those objects, and the associated groups/acls, in another root OU in the domain so they can't be automatically modified by other applications and tools.

This also assumes that there is a root OU for the organization that holds all of your users, groups, and workstations objects. I delegate permissions on that OU to elevated accounts for service/help desk so they can bind, reset passwords, do group modifications, etc. But they do not have advanced permission to modify that administrative OU with higher level access to systems, like VMware, storage, etc, and also not the Servers OU.
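Added example, not mayodreams's actual configuration: the layout the post describes, built with the ActiveDirectory module. A separate `user.admin` account goes in its own top-level OU, and the help desk group is granted Reset Password plus write to pwdLastSet on user objects under the organisation's root OU only, so that OU=Admin stays out of their reach. Every DN, group and user name is a placeholder; the three GUIDs are the schema's fixed identifiers for the Reset Password extended right, the pwdLastSet attribute and the user object class.

```powershell
# Added example: separate admin account plus OU-scoped password-reset delegation.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
$adminOU  = "OU=Admin,$domainDN"   # elevated identities and their groups live here
$corpOU   = "OU=Corp,$domainDN"    # users, groups and workstations the help desk manages

# 1. Admin OU outside the delegated tree, protected from accidental deletion.
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$adminOU'")) {
    New-ADOrganizationalUnit -Name 'Admin' -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. The elevated account. Marked "account is sensitive and cannot be delegated" so a
#    compromised service cannot reuse its tickets.
New-ADUser -Name 'user.admin' -SamAccountName 'user.admin' `
    -UserPrincipalName 'user.admin@contoso.com' -Path $adminOU `
    -AccountPassword (Read-Host -Prompt 'Password for user.admin' -AsSecureString) -Enabled $true
Set-ADUser 'user.admin' -AccountNotDelegated $true

# 3. Delegate to the help desk on OU=Corp only.
$helpDesk     = Get-ADGroup 'HelpDesk'
$sid          = [System.Security.Principal.SecurityIdentifier]$helpDesk.SID
$resetPwdGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # Reset Password extended right
$pwdLastSet   = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'   # pwdLastSet attribute
$userClass    = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # user object class

$acl = Get-Acl -Path "AD:\$corpOU"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'ExtendedRight', 'Allow', $resetPwdGuid, 'Descendents', $userClass)))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'WriteProperty', 'Allow', $pwdLastSet, 'Descendents', $userClass)))
Set-Acl -Path "AD:\$corpOU" -AclObject $acl

# 4. Verify: ACEs for the help desk should exist on OU=Corp and not on OU=Admin.
foreach ($ou in $corpOU, $adminOU) {
    $hits = (Get-Acl -Path "AD:\$ou").Access |
        Where-Object IdentityReference -like "*\$($helpDesk.SamAccountName)"
    '{0}: {1} ACE(s) for {2}' -f $ou, @($hits).Count, $helpDesk.SamAccountName
}
```

The pwdLastSet write is what lets the help desk tick "user must change password at next logon" after a reset; without it the reset works but that box is greyed out. Because the rules are scoped to the `user` class via the inherited-object GUID, the same group gets nothing on computers or groups under OU=Corp.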

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Eschatos posted:

Office 365 admins, I got a question for you. I've recently discovered that several users at my company have email addresses that are completely desynced from Active Directory. Their email has its own separate password, is listed as In cloud, and their AD account shows up separately as an .onmicrosoft.com address instead of our domain.



Anyone know of any way to merge these two so that the proper domain email syncs with AD? My best guess right now is to export, delete and reimport. I'm hoping there's a method that's less of a pain in the rear end.

I just had to fix one of those. I set up a user but screwed up because they have a .local domain and I let that sync.

I changed it in AD to be @contoso.com instead of @contoso.local

Then went to AD and manually edited the user and removed the .onmicrosoft.com and just had their user as @contoso.com, that seems to have fixed it (although this was a whopping 20 minutes ago, but their password to O365 was definitely their AD password because the user was able to log in)
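Added example, not anthonypants's or MF_James's own fix: a function that applies both pieces of advice above to one on-prem account before the next sync. It swaps a non-routable UPN suffix (the .local case) for the domain the primary address uses, and rewrites proxyAddresses so there is exactly one upper-case `SMTP:` primary, lower-case `smtp:` aliases, and any existing non-SMTP entries (sip:, x500:) kept. Azure AD Connect soft-matches a cloud-only user on the primary SMTP address, which is why the casing matters. It assumes the ActiveDirectory module; the user and domains are placeholders.

```powershell
# Added example: make an on-prem user match its cloud-only mailbox before sync.
Import-Module ActiveDirectory

function Set-CloudMatchingIdentity {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string]   $PrimaryAddress,      # e.g. jdoe@contoso.com
        [string[]] $Aliases = @()                               # e.g. jdoe@contoso.net
    )
    $user = Get-ADUser $SamAccountName -Properties proxyAddresses, mail, userPrincipalName

    # UPN suffix must be a domain verified in the tenant; contoso.local never matches.
    $upnDomain = $PrimaryAddress.Split('@')[1]
    if ($user.UserPrincipalName -notlike "*@$upnDomain") {
        Set-ADUser $user -UserPrincipalName "$($user.SamAccountName)@$upnDomain"
    }

    # Keep existing entries except: any SMTP: primary (there must be exactly one, ours),
    # and smtp: aliases we are about to re-add. -clike/-cnotlike are case-sensitive.
    $wanted   = @($PrimaryAddress) + $Aliases
    $existing = @($user.proxyAddresses | Where-Object { $_ })
    $kept = $existing | Where-Object {
        $_ -cnotlike 'SMTP:*' -and
        -not ($_ -clike 'smtp:*' -and $wanted -contains $_.Substring(5))
    }
    $new = @("SMTP:$PrimaryAddress") + @($Aliases | ForEach-Object { "smtp:$_" }) + @($kept)
    Set-ADUser $user -Replace @{ proxyAddresses = $new; mail = $PrimaryAddress }

    # Return what will sync so the caller can eyeball it before forcing a delta sync.
    Get-ADUser $SamAccountName -Properties proxyAddresses, mail, userPrincipalName |
        Select-Object SamAccountName, UserPrincipalName, mail, proxyAddresses
}

Set-CloudMatchingIdentity -SamAccountName 'jdoe' -PrimaryAddress 'jdoe@contoso.com' -Aliases 'jdoe@contoso.net'
```

After running it, kick off a delta sync on the Azure AD Connect server (`Start-ADSyncSyncCycle -PolicyType Delta`) and check the user in the portal: once the cloud object reads "Synced with Active Directory" instead of "In cloud", the on-prem password is the one that counts, which is the behaviour MF_James saw.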

Eschatos
Apr 10, 2013


pictured: Big Cum's Most Monstrous Ambassador

anthonypants posted:

Add their email address to the proxyAddresses property on that account in AD.

If you have just one account it's simple enough to do in ADUC's Attribute Editor, just edit the proxyAddresses attribute and enter in "SMTP:username@domain.com". If you have secondary email addresses, the smtp: prefix should be in lowercase: "smtp:username@domain.net". If you have a domain that isn't attached to your Office 365 tenant, e.g., domain.local, you can leave those in there, but they won't get imported into Office 365. Also, IdFix will identify errors like this for you.

Afraid that doesn't seem to have worked. Do both accounts need to have a license assigned?
