tadashi
Feb 20, 2006

I'm looking for a step-by-step on how to migrate the domain time server. While I was migrating my PDC to a new physical server a while back, I made the time server a tertiary domain controller (literally a domain controller of last resort that's a virtual machine) and now I cannot for the life of me get our workstations to stop syncing their time to that backup domain controller instead of the PDC. This is an issue because the backup domain controller is on a Hyper-V VM so its time is not reliable (this was only supposed to be this way for a couple of days).

I have added a scope option to DHCP to make the PDC the time server and I set up the registry entries on the PDC to make it a time server. I went to the backup DC and, I think, changed all the registry settings that would make it the time source instead of the PDC. All of the servers in our environment except for the one that was the backup domain controller will sync with the PDC. All the workstations and the backup domain controller sync to the backup domain controller.

:argh:

E: Also, I looked at our Group Policies and there isn't even an option for time server in there (it has to be corrected via hotfix) so I did not make any group policies about the time server.

Thanks Ants
May 21, 2004

#essereFerrari


These are a pretty decent set of things to pass around your team if you have people struggling with PowerShell

https://twitter.com/TechNetUK/status/818507887924379649

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

tadashi posted:

I'm looking for a step-by-step on how to migrate the domain time server. While I was migrating my PDC to a new physical server a while back, I made the time server a tertiary domain controller (literally a domain controller of last resort that's a virtual machine) and now I cannot for the life of me get our workstations to stop syncing their time to that backup domain controller instead of the PDC. This is an issue because the backup domain controller is on a Hyper-V VM so its time is not reliable (this was only supposed to be this way for a couple of days).

I have added a scope option to DHCP to make the PDC the time server and I set up the registry entries on the PDC to make it a time server. I went to the backup DC and, I think, changed all the registry settings that would make it the time source instead of the PDC. All of the servers in our environment except for the one that was the backup domain controller will sync with the PDC. All the workstations and the backup domain controller sync to the backup domain controller.

:argh:

E: Also, I looked at our Group Policies and there isn't even an option for time server in there (it has to be corrected via hotfix) so I did not make any group policies about the time server.

Ahh this should help you, what version of server are you running? https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-directory/

SEKCobra
Feb 28, 2011

Hi
:saddowns: Don't look at my site :saddowns:
Is there an easy way to fix POODLE on Exchange 2010 OWA? Does disabling SSLv3 through the registry work?

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

SEKCobra posted:

Is there an easy way to fix POODLE on Exchange 2010 OWA? Does disabling SSLv3 through the registry work?
This is a hell of a thing to be worrying about in 2017.

Thanks Ants
May 21, 2004

#essereFerrari


I think the fix is called Office 365

SEKCobra
Feb 28, 2011

Hi
:saddowns: Don't look at my site :saddowns:

anthonypants posted:

This is a hell of a thing to be worrying about in 2017.

I'm not the one who decides when our clients update their mail servers and I don't have the time to do it anyway. My Exchange is fine but I still gotta fix theirs.

CLAM DOWN
Feb 13, 2007




SEKCobra posted:

I'm not the one who decides when our clients update their mail servers and I don't have the time to do it anyway. My Exchange is fine but I still gotta fix theirs.

Why weren't your clients aware of POODLE when it was a serious urgent "patch now" concern in 2014?

SEKCobra
Feb 28, 2011

Hi
:saddowns: Don't look at my site :saddowns:

CLAM DOWN posted:

Why weren't your clients aware of POODLE when it was a serious urgent "patch now" concern in 2014?

I don't care, I wasn't even here back then.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

CLAM DOWN posted:

Why weren't your clients aware of POODLE when it was a serious urgent "patch now" concern in 2014?
It seems to me like any sort of client notification like this should provide a framework for implementing the fix for the client to shoot down directly, which Microsoft has plenty of.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

We have Exchange 2010 as well, it's not EOL yet.

tadashi
Feb 20, 2006


Server 2012. That's the other issue: most guides are written for 2003, so some commands can be a little different.

Maneki Neko
Oct 27, 2000

SEKCobra posted:

Is there an easy way to fix POODLE on Exchange 2010 OWA? Does disabling SSLv3 through the registry work?

https://www.nartac.com/Products/IISCrypto
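
IIS Crypto does the same thing with a GUI, but for anyone who has to script it across several clients' Exchange 2010 boxes, this is the registry change behind "disable SSLv3". This is an added example, not from the thread or the IIS Crypto tool. It assumes the Exchange server is the only thing you care about on that host (Schannel settings are machine-wide) and that you have checked which clients still connect before turning the old protocols off: Exchange 2010 on Server 2008 R2 only speaks TLS 1.1/1.2 with later updates, so TLS 1.0 must stay on or OWA, Outlook Anywhere and ActiveSync have nothing left to negotiate. The hostname in the verification comments is a placeholder.

```powershell
# Added example (not from the thread): disable SSL 2.0 and SSL 3.0 in Schannel, which is what
# Exchange 2010 OWA/IIS uses for TLS. The registry edits take effect after a reboot.
# Assumption: TLS 1.0 stays enabled on purpose (see lead-in); only the SSL* protocols are touched.

$protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

foreach ($proto in 'SSL 2.0', 'SSL 3.0') {
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $protocols "$proto\$side"
        New-Item -Path $key -Force | Out-Null
        # Enabled=0 turns the protocol off for this side; DisabledByDefault=1 also stops callers
        # that ask Schannel for "the default set" rather than a specific protocol.
        New-ItemProperty -Path $key -Name Enabled           -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Dump the resulting state so it can be compared before and after the reboot.
Get-ChildItem $protocols -Recurse | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    [pscustomobject]@{
        Protocol          = $_.PSParentPath.Split('\')[-1]
        Side              = $_.PSChildName
        Enabled           = $p.Enabled
        DisabledByDefault = $p.DisabledByDefault
    }
} | Format-Table -AutoSize

# After the reboot, verify from another host (mail.example.com is a placeholder):
#   openssl s_client -connect mail.example.com:443 -ssl3    # must fail the handshake
#   openssl s_client -connect mail.example.com:443 -tls1    # must still return the certificate chain
```

The second openssl check matters as much as the first: a client that tests only "is SSLv3 gone" will happily sign off on a server that now cannot negotiate anything at all.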

SEKCobra
Feb 28, 2011

Hi
:saddowns: Don't look at my site :saddowns:

Neat, thanks.

MF_James
May 8, 2008

tadashi posted:

Server 2012. That's the other issue: most guides are written for 2003, so some commands can be a little different.

Most things (that I've noticed) have remained the same; you might need to ? and perhaps google slightly more, but the linked article should get you to where you want. I mean basically you want to tell the PDC it's the da boss (and have it get NTP from somewhere?) and then have everything else sync to it.
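
That summary is the whole design of the Windows time hierarchy, and here is what it looks like on Server 2012 with w32tm. This is an added example, not from the thread or the linked TechNet article. It assumes DC01 is the PDC emulator, DC03 is the Hyper-V VM DC that the workstations are still following, and the upstream source is the public NTP pool; substitute your own names and NTP source. The reason this is a security problem and not just an annoyance: Kerberos rejects tickets more than five minutes out of skew by default, so a DC with a drifting VM clock produces authentication failures, and the same drift widens the replay window for anything that relies on timestamps.

```powershell
# Added example (not from the thread): rebuild the domain time hierarchy around the PDC emulator.
# Assumed names: DC01 = PDC emulator, DC03 = the Hyper-V VM DC clients still sync to,
# upstream NTP = 0.pool.ntp.org / 1.pool.ntp.org. Run elevated; each section self-selects by hostname.

# 1. Confirm which DC holds the PDC emulator role; that is the root of the domain time hierarchy.
$pdc = (Get-ADDomain).PDCEmulator
"PDC emulator: $pdc"

# 2. PDC emulator only: take time from external NTP and advertise as a reliable source.
#    0x8 = client mode; /reliable:yes sets AnnounceFlags so DCs and members prefer this server.
if ($env:COMPUTERNAME -ieq $pdc.Split('.')[0]) {
    w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
    Restart-Service w32time
    w32tm /resync /rediscover
}

# 3. The VM DC (and any other non-PDC DC): stop being a hand-configured source and follow the hierarchy.
#    /syncfromflags:domhier writes Type=NT5DS; /reliable:no removes the "reliable time source" flag
#    that was making the workstations pick this VM.
if ($env:COMPUTERNAME -ieq 'DC03') {
    w32tm /config /syncfromflags:domhier /reliable:no /update
    # Hyper-V guests also get time pushed from the host through the VMIC provider. Turn it off on a DC
    # so the host clock cannot override the domain hierarchy (or, on the host:
    # Disable-VMIntegrationService -VMName 'DC03' -Name 'Time Synchronization').
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider' -Name Enabled -Value 0
    Restart-Service w32time
    w32tm /resync /rediscover
}

# 4. Workstations and member servers: clear any hard-coded NtpServer and follow the hierarchy.
#    Domain-joined W32Time does not read the DHCP NTP scope option, so that option alone changes nothing.
if ($env:COMPUTERNAME -ine $pdc.Split('.')[0] -and $env:COMPUTERNAME -ine 'DC03') {
    w32tm /config /syncfromflags:domhier /update
    Restart-Service w32time
    w32tm /resync /rediscover
}

# 5. Verify from any machine: the source should be the PDC (or a DC chaining to it), never DC03.
w32tm /query /source
w32tm /query /status
w32tm /monitor /domain:$env:USERDNSDOMAIN    # every DC's offset and where each one syncs from
```

The `/reliable:no` on DC03 is the part most guides skip, and it is the usual reason clients keep following the "wrong" DC after the PDC has been fixed: a DC that still announces itself as a reliable source wins the client's discovery even though it is itself syncing from a VM host clock.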

Toshimo
Aug 23, 2012

He's outta line...

But he's right!
I don't know if there's a more appropriate thread, but it takes us an appalling amount of time to spin up new test machines (I want to say 2-3 days) because the vast majority of our deployments are "Only run when no user is logged in" which appears to only trigger on a logoff, and we only get them in bits and pieces by popping in to the lab and manually logging on/off several times a day to get the next batch kicked off.

Any suggestions on some automated way to trigger the proper logoff events to keep this rolling? I do have local and domain accounts I can just throw plaintext passwords at because ~~the lab~~ if you think just mocking up a scheduled task would work.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

Toshimo posted:

I don't know if there's a more appropriate thread, but it takes us an appalling amount of time to spin up new test machines (I want to say 2-3 days) because the vast majority of our deployments are "Only run when no user is logged in" which appears to only trigger on a logoff, and we only get them in bits and pieces by popping in to the lab and manually logging on/off several times a day to get the next batch kicked off.

Any suggestions on some automated way to trigger the proper logoff events to keep this rolling? I do have local and domain accounts I can just throw plaintext passwords at because ~~the lab~~ if you think just mocking up a scheduled task would work.

Are you talking about SCCM? If so why do you have a test machine deployment task sequence that doesn't install all the required applications?

Toshimo
Aug 23, 2012

He's outta line...

But he's right!

FISHMANPET posted:

Are you talking about SCCM? If so why do you have a test machine deployment task sequence that doesn't install all the required applications?

Yes, SCCM. And because we're dumb and bad, but I can't change that. We image the box (not using SCCM), but our VM template image is a year old, so it just sits there and gets wrecked by the last year's worth of packages as it recognizes the advertisements for 2 days until it's done.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
"How can I fix my broken process without fixing my broken process."
You need to either drop the VM template and do an SCCM task sequence or deploy an updated template. If your organization doesn't want to do either of those then it doesn't actually want to solve the problem.

Toshimo
Aug 23, 2012

He's outta line...

But he's right!

FISHMANPET posted:

"How can I fix my broken process without fixing my broken process."
You need to either drop the VM template and do an SCCM task sequence or deploy an updated template. If your organization doesn't want to do either of those then it doesn't actually want to solve the problem.

Well, yes. I am, in fact, looking for a way to work around my agency's grotesque policies, since changing them is not in my option list.

Zaepho
Oct 31, 2013

Toshimo posted:

Yes, SCCM. And because we're dumb and bad, but I can't change that. We image the box (not using SCCM), but our VM template image is a year old, so it just sits there and gets wrecked by the last year's worth of packages as it recognizes the advertisements for 2 days until it's done.

Create a "Catch Up" Task Sequence with all of the Patches/Applications/Packages built into it. Task sequences do not necessarily have to be for OS deployments.  It's not the recommended way to use them but they can definitely be abused for this sort of thing to good effect.

Toshimo
Aug 23, 2012

He's outta line...

But he's right!

Zaepho posted:

Create a "Catch Up" Task Sequence with all of the Patches/Applications/Packages built into it. Task sequences do not necessarily have to be for OS deployments.  It's not the recommended way to use them but they can definitely be abused for this sort of thing to good effect.

If only. Our patch targeting is so horrific and archaic that I'd be spending infinite time trying to create machine-specific sequences.

Internet Explorer
Jun 1, 2005





This is a hilarious conversation.

Toshimo
Aug 23, 2012

He's outta line...

But he's right!
No, seriously. For every patch, they build a series of custom collections that are patch-specific and non-descriptive (outside of having the patch name in them), and the only option there is to unravel every patch in the last year to determine if it should target the machine I want to build, which would take longer than letting it patch naturally.

Thanks Ants
May 21, 2004

#essereFerrari


"How can I make SCCM finish deploying all the stuff quicker without actually fixing SCCM"

What does an acceptable fix look like to you? An intern to do the logging off / logging on until it's done?

Toshimo
Aug 23, 2012

He's outta line...

But he's right!

Thanks Ants posted:

"How can I make SCCM finish deploying all the stuff quicker without actually fixing SCCM"

What does an acceptable fix look like to you? An intern to do the logging off / logging on until it's done?

We do that now, but with FTEs, not interns. I was hoping for ideas on a way to script something I could leave running as a scheduled task for a day that would log-on/log-off every 10 minutes.

[A]sk me how much fun it is with the laptops where the full-disk encryption kicks in and you have to run down to the lab every time it reboots, get past the FDE, login, logout, and then fridge back to your desk despairing in the knowledge that you'll be back to do it again in an hour.
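
For what it is worth, the log-on/log-off loop asked for above can be scripted. This is an added example, not something from the thread, and it is lab-only by construction: the lab account name and password are placeholders, Winlogon auto-logon stores the password in cleartext in the registry, nothing here gets a laptop past its FDE pre-boot prompt, and whether SCCM actually starts the "only when no user is logged on" deployments in the gap between logoff and the next auto-logon is something to confirm on one lab box first.

```powershell
# Added example (not from the thread): a self-limiting logoff loop for a lab machine.
# Assumptions: LAB\labuser is a throwaway account, the box is not FDE-protected, and you are
# running this elevated on the machine that needs to churn through the SCCM deployments.

$user   = 'labuser'
$domain = 'LAB'
$pass   = 'ThrowawayLabP@ss'     # constructed placeholder; never a real account's password
$hours  = 24
$every  = 10                      # minutes between logoffs
$cycles = [int]($hours * 60 / $every)

# 1. Winlogon auto-logon, capped with AutoLogonCount so Windows turns AutoAdminLogon off and deletes
#    DefaultPassword by itself after $cycles logons instead of leaving the credential in the registry.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Set-ItemProperty $wl -Name AutoAdminLogon    -Value '1'
Set-ItemProperty $wl -Name ForceAutoLogon    -Value '1'     # log back on after a logoff, not only after boot
Set-ItemProperty $wl -Name DefaultDomainName -Value $domain
Set-ItemProperty $wl -Name DefaultUserName   -Value $user
Set-ItemProperty $wl -Name DefaultPassword   -Value $pass
New-ItemProperty  $wl -Name AutoLogonCount   -PropertyType DWord -Value $cycles -Force | Out-Null

# 2. A task that runs in the lab user's interactive session and logs that session off every
#    $every minutes for $hours. LogonType Interactive means it only fires while that user is logged on.
$action    = New-ScheduledTaskAction -Execute "$env:SystemRoot\System32\logoff.exe"
$trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) `
               -RepetitionInterval (New-TimeSpan -Minutes $every) `
               -RepetitionDuration (New-TimeSpan -Hours $hours)
$principal = New-ScheduledTaskPrincipal -UserId "$domain\$user" -LogonType Interactive
Register-ScheduledTask -TaskName 'Lab-LogoffLoop' -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null

# 3. Explicit cleanup for when the catch-up is done. AutoLogonCount clears the password on its own,
#    but do not rely on that: run this and confirm DefaultPassword is gone before the box leaves the lab.
function Remove-LabLogoffLoop {
    Unregister-ScheduledTask -TaskName 'Lab-LogoffLoop' -Confirm:$false
    Set-ItemProperty $wl -Name AutoAdminLogon -Value '0'
    Remove-ItemProperty $wl -Name DefaultPassword, ForceAutoLogon, AutoLogonCount -ErrorAction SilentlyContinue
    Get-ItemProperty $wl | Select-Object AutoAdminLogon, DefaultUserName, DefaultPassword
}
```

The AutoLogonCount cap is the one piece worth keeping even in a lab: without it, a machine that gets re-imaged or forgotten keeps a cleartext domain password in HKLM indefinitely, readable by anyone with local admin.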

Methanar
Sep 26, 2013

by the sex ghost

Toshimo posted:

We do that now, but with FTEs, not interns. I was hoping for ideas on a way to script something I could leave running as a scheduled task for a day that would log-on/log-off every 10 minutes.

[A]sk me how much fun it is with the laptops where the full-disk encryption kicks in and you have to run down to the lab every time it reboots, get past the FDE, login, logout, and then fridge back to your desk despairing in the knowledge that you'll be back to do it again in an hour.

No because I would never do that. Fix SCCM.

Toshimo
Aug 23, 2012

He's outta line...

But he's right!
I mean, in a year or two when we actually go live with win10, this won't be an issue since some people with goddamn sense got hold of the reins of how we are implementing stuff going forward, but until such point, we're p hosed and there is no way they are going to rip it all down and fix it.

Thanks Ants
May 21, 2004

#essereFerrari


You could :yotj: of course

Toshimo
Aug 23, 2012

He's outta line...

But he's right!

Thanks Ants posted:

You could :yotj: of course

I mean, yeah, sure, but if I don't fix this, it's not like they are going to do anything to me, so I just thought I'd make my life a little easier, but ultimately, if the answer is "gently caress it", that's on the agency.

Methanar posted:

No because I would never do that. Fix SCCM.

I love you, bro, but this is kinda harsh coming from someone whose IT resume includes "Cleaned chicken coops in Sub-Zero conditions". Sometimes :20bux: is :20bux:.

Methanar
Sep 26, 2013

by the sex ghost

Toshimo posted:

I mean, yeah, sure, but if I don't fix this, it's not like they are going to do anything to me, so I just thought I'd make my life a little easier, but ultimately, if the answer is "gently caress it", that's on the agency.


I love you, bro, but this is kinda harsh coming from someone whose IT resume includes "Cleaned chicken coops in Sub-Zero conditions". Sometimes :20bux: is :20bux:.

I'll have you know there were no chickens involved.

GreenNight
Feb 19, 2006

Just a lot of cocks.

Thanks Ants
May 21, 2004

#essereFerrari


Have I imagined Office 365 E3 including Azure AD with password write-back, or does it exist? The service descriptor just says "Azure Active Directory services = Yes".

AAB
Nov 5, 2010

Thanks Ants posted:

Have I imagined Office 365 E3 including Azure AD with password write-back, or does it exist? The service descriptor just says "Azure Active Directory services = Yes".


It's part of all O365 licensing now as "Azure AD Basic". You'll want to use AAD Connect for it: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect

Looks like on-prem writeback is locked to AAD Premium still though, which iirc is part of EMS/E5 licensing. https://azure.microsoft.com/en-us/pricing/details/active-directory/

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

AAB posted:

It's part of all O365 licensing now as "Azure AD Basic". You'll want to use AAD Connect for it: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect

Looks like on-prem writeback is locked to AAD Premium still though, which iirc is part of EMS/E5 licensing. https://azure.microsoft.com/en-us/pricing/details/active-directory/
Yeah, turning writeback on doesn't mean a goddamn thing if you don't have Azure AD Premium

AAB
Nov 5, 2010

You can write the passwords from your local domain to AAD, but not back. Which is better than nothing :shrug:
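
Since "the box is ticked in AAD Connect" and "the tenant is licensed for it" are two separate facts, both are worth checking before telling anyone writeback is on. This is an added example, not from the thread. It assumes you are on the AAD Connect server (ADSync module), that the MSOnline module is installed there and a session is already open with Connect-MsolService, and that the Azure AD connector follows the usual "tenant.onmicrosoft.com - AAD" naming; Get-ADSyncConnector shows the real names.

```powershell
# Added example (not from the thread): check whether on-prem password writeback can actually work.
# Assumptions: run on the AAD Connect server, MSOnline module installed and Connect-MsolService already done.

Import-Module ADSync
Import-Module MSOnline

# 1. Find the Azure AD side of AAD Connect (the connector whose name ends in " - AAD").
$aadConnector = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' } | Select-Object -First 1
if (-not $aadConnector) { throw 'No Azure AD connector found; is this the AAD Connect server?' }
"Azure AD connector: $($aadConnector.Name)"

# 2. Is writeback switched on in AAD Connect?
#    (Set-ADSyncAADPasswordResetConfiguration -Connector <name> -Enable $true is what turns it on.)
Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name

# 3. Does the tenant hold a SKU whose service plans include AAD_PREMIUM (P1) or AAD_PREMIUM_P2?
#    Without one of these, step 2 reporting "enabled" does not get you a single password written back.
$premiumSkus = Get-MsolAccountSku | Where-Object {
    $_.ServiceStatus.ServicePlan.ServiceName -match '^AAD_PREMIUM'
}
if (-not $premiumSkus) {
    Write-Warning 'No Azure AD Premium plan in this tenant: writeback is configured but will not be honoured.'
} else {
    $premiumSkus | Select-Object AccountSkuId, ActiveUnits, ConsumedUnits
}
```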

peak debt
Mar 11, 2001
b& :(
Nap Ghost

Toshimo posted:

I mean, in a year or two when we actually go live with win10, this won't be an issue since some people with goddamn sense got hold of the reins of how we are implementing stuff going forward, but until such point, we're p hosed and there is no way they are going to rip it all down and fix it.

Clearly the solution is:
# $_ is only populated inside a script block; a native command in the pipeline never sees it
Get-ADComputer -Filter * | ForEach-Object { shutdown /m "\\$($_.Name)" /r /t 1 }

Edit: As a scheduled hourly task.

Priz
Mar 1, 2003
I know basic IT stuff... desktop support, some unix over the years... most of my job as of late is troubleshooting PC/Mac stuff... so my knowledge/training has really dropped off...

I was given a server and asked to purchase an OS as inexpensively as possible. They wanted something recent... so reading the versions we decided/agreed upon Windows Server 2012 R2 Essentials, as the comparison chart we saw limited it to 25 users with no CAL stuff to pay additionally for... RAM and other limits, but all those fell within our needs... so it seemed like an inexpensive option and it was purchased. It was bought for remote desktop (the people who work from home can log in, since another server in the building is old - it runs Server 2003 and Windows 2000 for remoting in on, and it's always in use) for some of our employees and to run ShipWorks primarily...

After installing it was realized that it can't join our existing domain and that it's pretty much the wrong version of server we purchased. :( I know we need something else to work... not sure of my options. Someone I know mentioned in passing that I should check out XenServer as that might be something worth exploring... but that's as far as that went (they've never actually used it).

Can anyone provide advice/suggestions on where to go from here? Trying to think of a good inexpensive solution for coworkers to remote desktop in as well as something to run ShipWorks (and eventually other things I assume).

GreenNight
Feb 19, 2006

What do you guys use for enterprise 3rd party patch management? Don't care about the costs, just want it to be easy to use.

MF_James
May 8, 2008

GreenNight posted:

What do you guys use for enterprise 3rd party patch management? Don't care about the costs, just want it to be easy to use.

N-Able is our monitoring solution, it also handles patching and can do other stuff depending on what you pay for. The patching sucks, I wish we just dropped a WSUS server at all our clients :(
