|
Is it practical to create an AD environment at home for training? Could you run a few VMs on a few computers each for that? I've never run more than one VM per PC, would I end up needing a bunch of keys or would AD not notice if several were being reused/Windows wasn't authenticated?
|
# ? Feb 6, 2017 18:30 |
|
|
Eargesplitten posted: Is it practical to create an AD environment at home for training? Could you run a few VMs on a few computers each for that? I've never run more than one VM per PC, would I end up needing a bunch of keys or would AD not notice if several were being reused/Windows wasn't authenticated?

Definitely; I have a pretty extensive domain at home. Get a Server 2012 or 2016 Datacenter key (pretty easy via MS Imagine if you're a student, I think), and fire it up. Use AVMA (Automatic Virtual Machine Activation) keys and they will auto-activate inside Hyper-V VMs so long as the host is running an activated copy of Server Datacenter edition.
|
# ? Feb 6, 2017 18:35 |
|
Not sure if I should ask this here or the Working in IT thread, but does anyone use an in-line content filtering device that they're happy with? Being able to manage policies through AD security groups is a must. Last year, my previous boss had me deploy Sophos' cloud-based content filtering solution and it has been pretty garbage to work with. My old boss is gone, we're up for renewal and my current boss is asking for better options. I'm currently looking at Barracuda or even moving to a physical device from Sophos.
|
# ? Feb 6, 2017 20:58 |
|
When you say in-line content filtering, are you ruling out the likes of OpenDNS? I have been very happy with their content filtering and you can do AD groups / non-LAN devices with their agents. I've heard good things about Sophos, though. Are you sure it's not just a configuration issue? When you say you're considering a physical appliance from them... why? Is your issue performance? If so, could it be an underlying virtual infrastructure issue?
|
# ? Feb 6, 2017 21:41 |
|
Internet Explorer posted: When you say in-line content filtering, are you ruling out the likes of OpenDNS? I have been very happy with their content filtering and you can do AD groups / non-LAN devices with their agents.

I forgot about OpenDNS. I'll look into that too. So basically the issue we're having with Sophos Web Gateway is the lack of real granular reporting. I deployed the solution for a call center and the CIO and call center Directors are very strict about what is and isn't allowed. At least once a week the CIO walks into my office complaining that they saw someone on Netflix or 123movies and wants remediation. Of course he doesn't have the person's name and I have no way of creating a report for any hits on Netflix. In the past we've discovered that agents aren't automatically updating and won't process new policies so we wanted to generate a weekly report of out-of-date agents. Can't do that. The information exists if you look up one computer at a time, but nothing that can be generated into an actionable report. As an SCCM guy, I live and die by reporting and providing my company with that kind of granular data. When they come to me asking for this stuff from Sophos, the only thing I tell them is which does not look good on my part. The reporting on the appliances looks much more comprehensive than the poo poo they have on their cloud-only services, which is why I'm considering a change. Sacred Cow fucked around with this message at 22:19 on Feb 6, 2017 |
# ? Feb 6, 2017 22:17 |
|
Check out Cisco Web Security too. We use that and the reporting is pretty good. We ditched Sophos for it.
|
# ? Feb 6, 2017 22:24 |
|
GreenNight posted: Check out Cisco Web Security too. We use that and the reporting is pretty good. We ditched Sophos for it.

Is this agent based? I'm not terribly familiar with it. We use Ironport WSAs for content filtering (including HTTPS) and the whole platform and how it operates makes me want to die. All those tickets about bad certs...
|
# ? Feb 8, 2017 04:44 |
|
Not agent based. You forward all port 80 traffic to it. There is only an agent if you want it to filter traffic when the device is outside your network such as laptops.
|
# ? Feb 8, 2017 05:02 |
|
I posted this same question in the CoC Powershell thread, but I'm desperate enough to ask here as well: is it possible to script the installation and setup of RD Gateway on Server 2012? It's a requirement for the project I'm on, but I can only seem to find the steps to do so with Powershell for Connection Broker/Session Host/Web Access. I configured it by hand through the GUI but we do infra as code etc., so the use case is that it needs to be automated. This will be a standalone instance used to control access to a few other application hosts, I don't think as part of a domain/AD. If it can't be done, I'm happy to bring that back as the answer and find another strategy (pre-baked image most likely) but it'd be real swell to have that confirmed one way or the other. I'm not a Windows admin guy for the most part (not since about 2003 at least) so I'm a bit out of my depth, and any assistance is appreciated. Cheers!

Edit: I should clarify that I'm not just looking to do the installation - that's a single line. I need to generate and install a self-signed cert, as well as configure a RAP/CAP and anything else it requires to function. xpander fucked around with this message at 07:32 on Feb 8, 2017 |
# ? Feb 8, 2017 05:42 |
|
GreenNight posted: Not agent based. You forward all port 80 traffic to it. There is only an agent if you want it to filter traffic when the device is outside your network such as laptops.

Oh, you're not bothering with SSL traffic? Lucky...
|
# ? Feb 8, 2017 19:02 |
|
We're not, but it supports 443 traffic if you want to push down a certificate to everyone.
|
# ? Feb 8, 2017 19:26 |
|
Sacred Cow posted: Not sure if I should ask this here or the Working in IT thread, but does anyone use an in-line content filtering device that they're happy with? Being able to manage policies through AD security groups is a must.

I used the Sophos Appliances in our call center environment (1100 users across 2 sites) and they worked really well. (We had the management appliance and 2 WS1100's.) Under the hood they're running RedHat, Squid, and some sort of blocker type program that hooks into Squid, but what you're paying for is the subscription and the fancy front end. (Before we bought the Sophos boxes we rolled our own with Cent/Squid/Squidguard and it sucked.) We used them as proxy servers though, didn't have them intercept traffic. They do what you want, AD Groups can have different permissions, reports are customizable. They did what we needed them to do at a reasonable price. BlueCoat is the gold standard, but the pricing shows it. Websense is another option.
|
# ? Feb 8, 2017 19:37 |
|
Those guys just released a paper re HTTPS interception: https://zakird.com/papers/https_interception.pdf

Executive summary is that inspecting HTTPS traffic is retarded because you essentially downgrade security to the lowest common denominator of the browser and the traffic inspection device/software. And unlike browsers which have large and competent development teams, and are audited constantly, nobody bothers to do the same with every minor antivirus engine patch. Meanwhile you could've scanned possible viruses as they were being saved to the local disk cache before execution anyway.

xpander posted: Edit: I should clarify that I'm not just looking to do the installation - that's a single line. I need to generate and install a self-signed cert, as well as configure a RAP/CAP and anything else it requires to function.

One thing I know: Powershell can only create certificates starting with Server 2016, with earlier OSs you need to use makecert.exe. peak debt fucked around with this message at 10:48 on Feb 9, 2017 |
# ? Feb 9, 2017 10:37 |
|
peak debt posted: Those guys just released a paper re HTTPS interception: https://zakird.com/papers/https_interception.pdf

Most companies just wanna know what sites you are browsing to exactly.
|
# ? Feb 9, 2017 10:50 |
|
peak debt posted: One thing I know: Powershell can only create certificates starting with Server 2016, with earlier OSs you need to use makecert.exe

That's literally all I needed to know. If I can't do one step, then I can't automate the whole thing. This is seriously helpful, thank you!!
|
# ? Feb 9, 2017 21:40 |
|
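For reference, what the end-to-end scripted RD Gateway setup xpander was after looks like on Server 2016, where New-SelfSignedCertificate is available. This is an added example, not code from the thread; the host name, the local group name and the CAP/RAP names are assumptions, and the RDS: provider paths and parameters are taken from the RemoteDesktopServices module as I know it.

```powershell
# Added example: unattended RD Gateway on a standalone (non-domain) Server 2016 host.
# Placeholders below are hypothetical; adjust to your environment.
$GatewayFqdn  = 'rdgw.example.internal'                 # hypothetical public name of the gateway
$AllowedGroup = "$env:COMPUTERNAME\RD Gateway Users"    # hypothetical local group of permitted users

# 1. Role install (the "single line" part).
Install-WindowsFeature RDS-Gateway -IncludeManagementTools

# 2. Self-signed server certificate in the machine store. Export the public part so
#    clients can be given it to trust; a self-signed cert is only acceptable when every
#    client explicitly trusts that exact certificate, otherwise use an internal/public CA.
$cert = New-SelfSignedCertificate -DnsName $GatewayFqdn -CertStoreLocation 'Cert:\LocalMachine\My'
Export-Certificate -Cert $cert -FilePath 'C:\rdgw-public.cer' | Out-Null

# 3. Bind the certificate to the gateway listener via the RDS: provider.
Import-Module RemoteDesktopServices
Set-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint' -Value $cert.Thumbprint

# 4. Connection Authorization Policy: WHO may connect (AuthMethod 1 = password).
New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'AppHostsCAP' `
         -UserGroups $AllowedGroup -AuthMethod 1

# 5. Resource Authorization Policy: WHAT they may reach. ComputerGroupType 2 allows any
#    network resource, which is the broadest setting; for a gateway that fronts only a
#    few application hosts, restrict it to a gateway-managed computer group instead.
New-Item -Path 'RDS:\GatewayServer\RAP' -Name 'AppHostsRAP' `
         -UserGroups $AllowedGroup -ComputerGroupType 2

Restart-Service TSGateway
Get-ChildItem 'RDS:\GatewayServer\CAP', 'RDS:\GatewayServer\RAP'   # verify both policies exist
```

On Server 2012, step 2 is the one that has to be replaced with makecert.exe (or a certificate issued by a CA), as peak debt noted; the rest of the provider-based configuration is unchanged.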
How would you go about cloning and expanding a bitlocker/tpm enabled HD? Disabling bitlocker isn't really an option as the company who enabled is the company we are doing contract work for.
|
# ? Feb 11, 2017 07:18 |
|
lol internet. posted: How would you go about cloning and expanding a bitlocker/tpm enabled HD?

You have to ask that company to provide the encryption key so that you can suspend Bitlocker encryption, then you can clone or resize the drive. There's no way around that, even a sector-by-sector clone won't work.
|
# ? Feb 11, 2017 07:36 |
|
lol internet. posted: How would you go about cloning and expanding a bitlocker/tpm enabled HD?

You can't, that's the point.
|
# ? Feb 11, 2017 07:43 |
|
Disclaimer: I have no idea what I am doing but it needs doing. Our company just acquired (more like adopted or rescued) another company with atrocious IT management (really no management) and now I have to become a sysadmin. It took four weeks of working 10 hours a day, 7 days a week, but I've managed to migrate just about all the physical servers to clean, sparkly Windows Server 2016 VMs. Some were totally unpatched Server 2012 (not even R2) installs, two boxes were Windows XP. Anyway, got the VMs up, got WSUS up and running, and am using MS OMS (plus an Ops VM which acts as the WSUS server) to keep an eye on things. Next step is backups of individual files within the VMs (the VMs themselves will be backed up by the hypervisor). I've got Maintenance Plans on the SQL Servers, so the DBs are taken care of. Next, I am thinking of using Veeam Endpoint (the free one) on each VM to do weekly full backups and nightly incrementals to the NAS (w/ syncing to cloud storage). Does this make sense or is there a better approach? Also, what types of tools are you guys using to monitor everything? OMS + Server Manager seems to fit the bill, so far, but not sure if there's a better solution out there.
|
# ? Feb 12, 2017 18:21 |
|
One thing I want to warn you about is that it's kinda easy to set up cloud sync on a NAS, then write 10 GB of changes to it per day, only to find out that the sync app is rate limited to maybe 1 GB of transfers a day. So you end up with a device that never finishes its sync job and cloud storage that never contains an internally consistent set of data worthy of a restore. So make sure that sync actually works.
|
# ? Feb 13, 2017 15:31 |
|
FreelanceSocialist posted: Disclaimer: I have no idea what I am doing but it needs doing.

I'd gladly take that over 15 years of tech debt where we still have 2003 (not R2!) in production along with a bunch of 2008 R2 servers on original IBM hardware that have been plugging along for 6+ years.
|
# ? Feb 13, 2017 21:46 |
|
peak debt posted: One thing I want to warn you about is that it's kinda easy to set up cloud sync on a NAS, then write 10 GB of changes to it per day, only to find out that the sync app is rate limited to maybe 1 GB of transfers a day. So you end up with a device that never finishes its sync job and cloud storage that never contains an internally consistent set of data worthy of a restore. So make sure that sync actually works.

That won't be an issue - just trying to figure out the best approach. Have each VM run its own application to push scheduled backups to the NAS and have my Operations VM handle the push to the cloud? I'm thinking that the extra "middleman" step in the process would also dodge something like cryptolocker, should that ever happen.
|
# ? Feb 14, 2017 00:54 |
|
https://blogs.technet.microsoft.com/msrc/2017/02/14/february-2017-security-update-release/ Cool
|
# ? Feb 14, 2017 17:37 |
|
Man, these all in one updates sure were a great idea!
|
# ? Feb 14, 2017 17:57 |
|
At least they caught it
|
# ? Feb 14, 2017 17:59 |
|
wyoak posted: At least they caught it

this time
|
# ? Feb 14, 2017 17:59 |
|
People will complain no matter what they do so they might as well just make a decision and run with it, which they've done. No complaints here.
|
# ? Feb 15, 2017 05:49 |
|
I've been brought in to a site with a domain controller that has a single boot drive which has gone bad. It's running right now but I have good reason to suspect it won't come back if I try to reboot it. The Windows Server Backup system state backup doesn't work, it fails with I/O errors. I'm not really a Windows Is there any other way I can back up the AD configuration so I could restore it to the reinstalled machine (which will be properly set up for RAID)? Preferably in a way where the retrieval of data could be done from another machine with the bad disk attached over USB. It's only a 5 computer + 1 server environment with maybe a half dozen GPOs, so rebuilding and reconfiguring from zero won't be too bad, but if I can avoid it I'd obviously like to.
|
# ? Feb 16, 2017 18:24 |
|
Make a new machine and promote it to a domain controller.
|
# ? Feb 16, 2017 18:27 |
|
anthonypants posted: Make a new machine and promote it to a domain controller.

Yeah this. Stand up a new DC immediately, let replication happen and then hand all FSMO roles over to it, then demote the other one and trash it.
|
# ? Feb 16, 2017 18:31 |
|
I do not have any additional hardware available within a reasonable amount of time. How idiotic would it be to try to bring that up as a VM running on the good drive in the system? The existing DC is being run as a VM on the machine, so I could stand a temporary one up next to it using the good drive, transfer everything over, then take down the bad one permanently. I'd then shut down the new one, export the VM to the backup NAS, and rebuild the host machine. I'd then import that backup in to the newly rebuilt system and if all the stars align I think I'd be set. Does this sound reasonable, or more likely to cause problems than just rebuilding? The host OS is currently running off the bad SSD as well, so that's where the question comes in.
|
# ? Feb 16, 2017 18:41 |
|
If the DC is actually a VM why can't you just move the vmdk or whatever to another machine? If you've got a workstation with enough ram/disk you could host it there.
|
# ? Feb 16, 2017 18:46 |
|
anthonypants posted: If the DC is actually a VM why can't you just move the vmdk or whatever to another machine? If you've got a workstation with enough ram/disk you could host it there.

The broken disk is where the VHD is stored, and attempts to do this with the other VM on the machine resulted in about half the file actually copying and now that VM won't boot back up. I will of course try doing this, but since it's running now I want to try anything I can do with the system live before I shut it down and likely lose access to it as a running machine forever. At that point it'll be just a VHD with some unknown level of corruption. AD services are installing on the temporary VM on the good drives so we'll see how it goes. I'm at about 50/50 that it actually successfully replicates, but it'll sure be nice if it does.

edit: New server up, took over all FSMO roles, looking reasonable. Tried to export the old one and barfed out with a disk read error almost immediately. Surprisingly it does actually boot back up, though it threw errors when demoting so it looks like I'll have to treat it like a failed DC once I have things fully back together, but that's still easier than rebuilding from scratch. wolrah fucked around with this message at 20:26 on Feb 16, 2017 |
# ? Feb 16, 2017 19:27 |
|
The alternative if you need to get it off that hardware is to build a VPN tunnel to Azure and bring a domain controller up there.
|
# ? Feb 16, 2017 20:54 |
|
Thanks Ants posted: The alternative if you need to get it off that hardware is to build a VPN tunnel to Azure and bring a domain controller up there.

That was my first thought, but their web site strongly implies that Azure AD only works with Windows 10 and this is a 7 shop. That doesn't really make sense so I'm sure it's wrong, but it wasn't worth putting time in to researching since it's such a small environment. The secondary DC came up seemingly fine on the good drives, was able to be made primary, and looked good. I exported it to the NAS as planned and that worked too, so the host now has a fresh pair of SSDs replacing the single one and is currently reinstalling. Assuming nothing completely retarded happens I should be able to restore the new DC to it when it's done installing and things should be relatively painless from there.

---

Every time I have to dig in to something like this I wonder why Microsoft always feels the need to have their services use obscure NTFS features and tie irrelevant system data in to the stored data. On any of my Linux systems I can pretty much universally just copy over the config/data files to the right place and it just works. Microsoft doesn't play that way for whatever stupid reason, and recovering anything meaningful from a Microsoft service on a broken system is made harder than it needs to be as a result. wolrah fucked around with this message at 21:42 on Feb 16, 2017 |
# ? Feb 16, 2017 21:39 |
|
wolrah posted: That was my first thought, but their web site strongly implies that Azure AD only works with Windows 10 and this is a 7 shop. That doesn't really make sense so I'm sure it's wrong, but it wasn't worth putting time in to researching since it's such a small environment.

He wasn't suggesting Azure AD, but actually spinning up a server VM in Azure running regular AD.
|
# ? Feb 16, 2017 21:48 |
|
So is sound quality on Server 2008 R2 Remote desktop meant to be crap, or am I missing something? This old 2008 box used to service a satellite office a few years ago before moving to a single office, now I'm trying to re-purpose it to enable home workers. I'm having a tough time trying to get it redirecting sound with decent quality, it doesn't have to be mind blowing but at least acceptable enough for VOIP soft phone calls. Now remoting in from my personal Win 10 machine the sound quality from making a phone call is just about ok but skips and pops every now and then but I need to find a microphone for proper testing, however when remoting in from an Axel thin client the sound is awful and basically unusable. Now I'm asking for budget to buy in a new up to date machine along with licensing for server 2012 or 2016, but this is what I've got at the moment... am I missing anything obvious?
|
# ? Feb 16, 2017 21:56 |
|
I know that sound quality is noticeably worse from ThinPro 3 to Server 2008 R2 than from Windows Embedded 7 to Server 2008 R2. It's probably a codec thing.
|
# ? Feb 16, 2017 22:13 |
|
Can confirm that I get poo poo audio on 2008 R2 RDP. I get distortion and skips that aren't present w/ 2016 SP1.
|
# ? Feb 16, 2017 22:42 |
|
|
The Fool posted: He wasn't suggesting Azure AD, but actually spinning up a server VM in Azure running regular AD.

Ahh, that makes sense. I'll have to look in to that just in general tomorrow, I have a few customers like this one with a single server (that often, also like this one, was configured somewhat idiotically) so a remote spare DC would be nice. I wish Samba4 was usable so I could run secondary DCs without licensing concerns, but AFAIK it's still missing enough to matter and I've been burned by that idea once before (ran a NT4 domain on Samba 3 for a few years, gently caress that). On the plus side, 2012 R2 installs nice and fast. The replacement DC thing worked perfectly (and I feel stupid for not thinking of that, thanks guys). I was able to pivot it over to the reinstalled host OS with no drama and then one more install plus restore from backups for their database server. Fortunately they're closed tomorrow so I can deal with running Windows Update and the like then rather than having to finish it tonight. wolrah fucked around with this message at 00:06 on Feb 17, 2017 |
# ? Feb 17, 2017 00:04 |