stevewm
May 10, 2005

anthonypants posted:

docs.microsoft.com is really good, and if you have problems or see errors you can address them on GitHub.

Maybe they should send some staff from the docs website over to the Windows Update team.

It would be nice to have a month where a Windows Update didn't break something.


GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

stevewm posted:

Maybe they should send some staff from the docs website over to the Windows Update team.

It would be nice to have a month where a Windows Update didn't break something.

I look at this every month to see what bullshit I need to deal with.

https://support.office.com/en-us/ar...&rs=en-US&ad=US

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

FISHMANPET posted:

Ok a few notes in no particular order

1) As others have said, don't mix DHCP options and IP Helpers. Either use one or the other, you can't mix them
2) Are you doing pure WDS or trying to boot SCCM boot images?
3) You say you're using the x86 filename, are you booting 32 bit UEFI devices? (you're probably not).

OK, I figured this out and it was caused by a boneheaded mistake on my part. Since in the past I'd only been dealing with legacy 32bit clients, I had disabled all of the x64 boot images in WDS, figuring that they were unnecessary. Once I right click/enabled the "Lite Touch Windows PC(x64)" boot image everything began to work as it should.
Thanks to all that helped me out with this issue, it's greatly appreciated.

KillHour
Oct 28, 2007


I was able to convince the customer to just monitor the login events instead of block them. That was a LOT simpler to implement and their ability to log in no longer depends on our software which made their risk team happy. :toot:

Philthy
Jan 28, 2003

Pillbug
Anyone know of a good VAR that handles Microsoft EA licensing? SoftChoice burned me once, jumped over to CDW, and they're pissing me off.

Walked
Apr 14, 2003

Philthy posted:

Anyone know of a good VAR that handles Microsoft EA licensing? SoftChoice burned me once, jumped over to CDW, and they're pissing me off.

Dude I've been having the same issue. Insight has been the best for me but that's a super low bar (I do not like Insight at all)

I'd love a good VAR

KillHour
Oct 28, 2007


As someone who worked at a major IT distributor, all VARs suck. Regional VARs suck less than national ones.

Maneki Neko
Oct 27, 2000

Philthy posted:

Anyone know of a good VAR that handles Microsoft EA licensing? SoftChoice burned me once, jumped over to CDW, and they're pissing me off.

Do you do business with Dell on the hardware side? They'll generally cut you some good deals on other stuff like licensing (which as a reseller has a fairly decent margin).

I've also worked with some good people at SHI, also some terrible people. :(

The Fool
Oct 16, 2003


We use Softchoice, our last rep was terrible, our current rep is pretty good except one incident where they added new PowerBI licenses to the wrong EA and we had to rush to get them re-provisioned in time for a big meeting.

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

We've had good luck with Softchoice too. SHI calls me once a week every week for the past 3 years and I never ever answer. I've never worked with them and I have no idea where they got my number.

Philthy
Jan 28, 2003

Pillbug
SoftChoice was good until they replaced our rep without telling me. I was at a conference in Vegas and got a priority request from my boss, so I called my rep and woke him up at 10am on a weekday. He proceeded to tell me he was let go a few weeks back. I could only get a hold of their help desk so they had to open a loving ticket for me.

Yeah.

Moey
Oct 22, 2010

I LIKE TO MOVE IT
I got a call in the next few weeks with PCM for Microsoft license crap, I'll report back on how it goes.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

We've used Dell in the past and currently use SHI for our EA. No real complaints, but my experience is skewed positively by our size and spend. People get real helpful and responsive when you're spending as much as the org I work for does.

I think your team matters more than the company, most of the VARs are the same, it's the people that made the difference.

Fruit Smoothies
Mar 28, 2004

The bat with a ZING
I'm looking to create a high-availability setup involving physical and VM failover support. The business is small enough that it can only afford to buy 2-4 servers, but big enough that it needs HA. Their workloads aren't big, so performance isn't a huge issue.

I've been looking at stretched clusters, storage replica, and Hyper-v failovers in Server 2016 Datacenter, as well as starwind virtual SAN.
The business has two physical buildings linked with 10G fibre. For testing at least, I'm going to hook 2 physical machines at each end of the fibre and try and make it so either of them could fail, with nothing lost.

I want this to be my test setup.

code:
	[Physical Server 1]
		--[VM1]
		--[Storage VM 1 with a shared, replica'd storage pool]
	
	[Physical Server 2]
		--[VM2]
		--[Storage VM 2 with a shared, replica'd storage pool]

The idea here is that if physical server 1 goes down, then the VMs will be moved to physical server 2 and vice-versa. And if VM 1 goes down, then VM2 has a sort of nested fail-over for any service it can (AD, DNS, SMB etc). If Storage VM 1 goes down, then Storage VM 2 takes over for both physical machines etc.

Is this crazy? Do I need starwind? Am I approaching this totally wrongly? At what level does the storage replication happen? Do I need clusters within clusters? The physical cluster for VM failover, and the VM cluster for services and data. It's very new territory for me!
I've been reading this as inspiration and guidance, but I can't work out if the nodes are physical or virtual.
Any advice and guidance welcome.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Not sure about 2016, but for 2012r2 we had to do a cluster for the hosts, then cluster other resources inside? that, so yeah, clusters inside of clusters.

Again, not sure if things changed for 2016.

KillHour
Oct 28, 2007




gently caress WMI for making me parse an XML just to extract a tab formatted string that has to be parsed again with regular expressions to get such esoteric information as "Who logged in?"

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

KillHour posted:



gently caress WMI for making me parse an XML just to extract a tab formatted string that has to be parsed again with regular expressions to get such esoteric information as "Who logged in?"

Do you not have some kind of log aggregation server you can forward the security event log to? WMI is a hell of a hammer for that job.

KillHour
Oct 28, 2007


I need a way to get the logs into our program via .NET so we can do stuff with it. And it has to be done in real time, as the events are raised.

It's working though, so I'm happy.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

KillHour posted:

I need a way to get the logs into our program via .NET so we can do stuff with it. And it has to be done in real time, as the events are raised.

It's working though, so I'm happy.

Are you able to see the post right above yours?

KillHour
Oct 28, 2007


anthonypants posted:

Are you able to see the post right above yours?

We need to be able to do it without third party software like Splunk or whatever. Don't those use WMI or something similar on the backend anyways?

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

KillHour posted:

We need to be able to do it without third party software like Splunk or whatever. Don't those use WMI or something similar on the backend anyways?

Event Logs get forwarded and processed then thrown into a database where they can be searched. I can run a logon activity report with some parameters (source workstation for example) and it'll return the data.

Looks like you're parsing local event logs, without knowing anything about your project, I would use powershell to do that, but powershell is my hammer of choice when I run into a nail

https://blogs.technet.microsoft.com/heyscriptingguy/2011/01/25/use-powershell-to-parse-saved-event-logs-for-errors/ I'm sure that can be modified to find the data you're looking for. There has to be a better way than WMI though.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

You can configure event triggers from the event log to fire off jobs under specific conditions getting written out. There must be some kind of third party way to hook an application in.

KillHour
Oct 28, 2007


^^ That's basically what I'm doing.

I'm parsing the logs from a DC. I need to get login events as they happen in real time and I can't add custom software to the DC, so it has to be something that can be done remotely using standard Windows stuff. I'm just subscribing to WMI events remotely with the following code:

code:
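// Requires: using System.Management; (options and query are defined elsewhere)
// Connect to the remote machine's root\CIMV2 WMI namespace.
myScope = new ManagementScope($@"\\{machineName}\root\CIMV2", options);
myScope.Connect();
// Subscribe to the event query; OnEventWritten runs for each event that arrives.
watcher = new ManagementEventWatcher(myScope, new EventQuery(query));
watcher.EventArrived += new EventArrivedEventHandler(OnEventWritten);
watcher.Start();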

Super simple and works great as long as permissions are set correctly. The part that sucks is the events you get back are in an unwieldy nested data structure, but by the power vested in me by LINQ and RegEx, I managed to extract the bits I care about. :shrug:

Edit: I want to be clear that this isn't just me going "I want to search through a bunch of existing Windows logs," which this would absolutely be overkill for. I need to have something that always runs in the background and forwards the logs I care about to another application, and said application uses a .NET API for communication. Here's an example from the documentation: https://msdn.microsoft.com/en-us/library/bb746335.aspx.

KillHour fucked around with this message at 04:48 on Apr 26, 2018
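
The second parsing step described in the post above (pulling "who logged in" out of the tab-formatted message text), as an added example that is not part of the original post. It assumes the message layout of Security event 4624 (successful logon), which the thread does not name; `LogonMessageParser`, the "Section/Key" field paths and the sample text are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Added example, not KillHour's code. Assumes the Message text of a successful
// logon event (ID 4624); the sample below is constructed for illustration.
static class LogonMessageParser
{
    // Section header at column 0 with nothing after the colon, e.g. "New Logon:".
    static readonly Regex Header = new Regex(@"^(?<name>[^\t:][^:]*):\s*$");
    // "Key:<whitespace>Value", indented inside a section or bare ("Logon Type:").
    static readonly Regex Field = new Regex(@"^\t*(?<key>[^\t:][^:]*):\s+(?<value>\S.*?)\s*$");

    // Returns fields keyed as "Section/Key" so the two "Account Name" lines
    // (Subject vs. New Logon) cannot overwrite each other.
    public static Dictionary<string, string> Parse(string message)
    {
        var fields = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        string section = "";
        foreach (string raw in message.Split('\n'))
        {
            string line = raw.TrimEnd('\r');
            Match h = Header.Match(line);
            if (h.Success) { section = h.Groups["name"].Value.Trim(); continue; }
            Match f = Field.Match(line);
            if (!f.Success) continue;               // prose or empty-valued line
            string key = f.Groups["key"].Value.Trim();
            if (line[0] == '\t') key = section + "/" + key;
            fields[key] = f.Groups["value"].Value;
        }
        return fields;
    }

    // "-" is how the log marks a field that does not apply; treat it as missing.
    static string Get(Dictionary<string, string> f, string key)
    {
        string v;
        return f.TryGetValue(key, out v) && v != "-" ? v : null;
    }

    static void Main()
    {
        // Constructed sample: a network logon, where the Subject block is empty.
        string sample = string.Join("\r\n", new[] {
            "An account was successfully logged on.", "",
            "Subject:",
            "\tSecurity ID:\t\tS-1-0-0",
            "\tAccount Name:\t\t-",
            "\tAccount Domain:\t\t-", "",
            "Logon Type:\t\t\t3", "",
            "New Logon:",
            "\tAccount Name:\t\tjdoe",
            "\tAccount Domain:\t\tEXAMPLE", "",
            "Network Information:",
            "\tWorkstation Name:\tWKSTN-042",
            "\tSource Network Address:\t192.0.2.10",
        });
        var f = Parse(sample);
        Console.WriteLine("user    = {0}\\{1}", Get(f, "New Logon/Account Domain"), Get(f, "New Logon/Account Name"));
        Console.WriteLine("type    = {0}", Get(f, "Logon Type"));
        Console.WriteLine("source  = {0} ({1})", Get(f, "Network Information/Source Network Address") ?? "local",
                          Get(f, "Network Information/Workstation Name") ?? "unknown");
        Console.WriteLine("subject = {0}", Get(f, "Subject/Account Name") ?? "(none)");
    }
}
```

A single regex for "Account Name:" over the whole message returns the Subject entry first, which for a network logon is "-"; tracking the section is what makes the extracted user the one who actually logged on.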

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Can you forward the logs somewhere else or do they have to stay on the DC? You can use Windows Event Forwarding, and forward the events to a Windows Event Collector or even another type of system. No custom or 3rd party software.

Sounds like you have a solution that works though so on to the next challenge right?

KillHour
Oct 28, 2007


skipdogg posted:

Can you forward the logs somewhere else or do they have to stay on the DC? You can use Windows Event Forwarding, and forward the events to a Windows Event Collector or even another type of system. No custom or 3rd party software.

Sounds like you have a solution that works though so on to the next challenge right?

I tried that first but there's a nasty surprise hidden in the documentation:

https://msdn.microsoft.com/en-us/library/system.diagnostics.eventlog.entrywritten(v=vs.110).aspx

quote:

The system responds to WriteEntry only if the last write event occurred at least six seconds previously. This implies you will only receive one EntryWritten event notification within a six-second interval, even if more than one event log change occurs. If you insert a sufficiently long sleep interval (around 10 seconds) between calls to WriteEntry, you are less likely to miss an event. However, if write events occur more frequently, you might not receive the event notification until the next interval. Typically, missed event notifications are not lost, but delayed.

"You won't typically lose data" and "1 event per 6 seconds max" doesn't exactly fill me with confidence when this has to monitor all the login events for a large network.

And yeah, I just have to package it up all nice and give it to my dev team to make it into something that is a real product and not a half-baked mess. But hey, I finally "get" regular expressions for super realsies this time. :toot:

KillHour fucked around with this message at 06:43 on Apr 26, 2018

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

KillHour posted:

skipdogg posted:

Can you forward the logs somewhere else or do they have to stay on the DC? You can use Windows Event Forwarding, and forward the events to a Windows Event Collector or even another type of system. No custom or 3rd party software.

Sounds like you have a solution that works though so on to the next challenge right?
No
You should check it out some time

KillHour
Oct 28, 2007


Or I'm going to take the solution that works and move on with my life.

Wrath of the Bitch King
May 11, 2005

Research confirms that black is a color like silver is a color, and that beyond black is clarity.
Isn't setting up an ELK stack free? And I don't mean free in the TCO sense obviously.

It's probably not worth it for this project since you're already done, but having a place to collect and concatenate logs is incredibly useful.

Moey
Oct 22, 2010

I LIKE TO MOVE IT
If there are no logs there are no problems.

Internet Explorer
Jun 1, 2005





You guys have to remember that he's selling a custom software solution to a client. He's not in-house IT, not a consultant being hired to set up infrastructure, his job is to sell a custom software. So from his point of view WMI is great because it just means that the customer has to have the firewall port open and have the service enabled, their software will do the rest. It doesn't matter if the solution is less than ideal or isn't flexible or robust.

What does make me wince though is saying that Event Log shipping is somehow less reliable than WMI. If you're ruling out Event Log shipping due to technical issues, WMI isn't any better. If it's for business reasons, that's a different discussion.

Sickening
Jul 16, 2007

Black summer was the best summer.

Internet Explorer posted:

You guys have to remember that he's selling a custom software solution to a client. He's not in-house IT, not a consultant being hired to set up infrastructure, his job is to sell a custom software. So from his point of view WMI is great because it just means that the customer has to have the firewall port open and have the service enabled, their software will do the rest. It doesn't matter if the solution is less than ideal or isn't flexible or robust.

What does make me wince though is saying that Event Log shipping is somehow less reliable than WMI. If you're ruling out Event Log shipping due to technical issues, WMI isn't any better. If it's for business reasons, that's a different discussion.

Are you saying software vendors are playing fast and loose with important design decisions?

Internet Explorer
Jun 1, 2005





Sickening posted:

Are you saying software vendors are playing fast and loose with important design decisions?

Nooo.... I would never!

And I quote myself from the earlier conversation:

Internet Explorer posted:

Ah, so I have met my mortal enemy.

Wrath of the Bitch King
May 11, 2005

Research confirms that black is a color like silver is a color, and that beyond black is clarity.
That's a fair point, just keep in mind that most people don't keep an index of posters and their career paths. Most of this stuff I read in a context-less vacuum.

Internet Explorer
Jun 1, 2005





Wrath of the Bitch King posted:

That's a fair point, just keep in mind that most people don't keep an index of posters and their career paths. Most of this stuff I read in a context-less vacuum.

Not faulting anyone for it, just reminding.

KillHour
Oct 28, 2007


Well yes, from my customer's standpoint, anything that reduces the requirements on their end is preferable. We also only need a very specific subset of logs (login events) and both have no interest in and won't have permission to get anything that isn't relevant. I do genuinely want to offer the best solution for my customer within the bounds of their requirements (which is why, based on the thread advice and that of other people I trust to know better, I pushed them towards monitoring the logins over the initial request to block them).

Based on that, it seemed like WMI was the right tool for the job, even though it meant more work on my side. If there is a reason not to use it, please let me know.

And I know event log shipping is fine, it's just that the built in .NET functionality for receiving events from local logs has a maximum throughput of one event every 6 seconds, as per the documentation. And the documentation literally said you "probably won't miss events." That doesn't fill me with the warm and fuzzies. I'm sure I could poll the logs for changes manually but I'm not sure how that's better than just using WMI. Again, please let me know if I'm missing something.

Edit: To make it crystal clear, I'm not exactly an expert in Windows logging. It's not obvious to me why one solution would be better than another other than what I'm reading in the documentation and MSDN saying to use WMI. Even if it's irrelevant to this situation, I'd like to know why people seem to dislike WMI for stuff like this.

Double edit: There might also be a future requirement to get a list of all workstations on the domain that we can cache in our database so we can make different decisions/actions based on where the login took place. I think WMI could be used for that too, so that's two birds with one stone. If that's a dumb idea please let me know what to use instead.

KillHour fucked around with this message at 01:06 on Apr 27, 2018

sloshmonger
Mar 21, 2013

KillHour posted:

Well yes, from my customer's standpoint, anything that reduces the requirements on their end is preferable. We also only need a very specific subset of logs (login events) and both have no interest in and won't have permission to get anything that isn't relevant. I do genuinely want to offer the best solution for my customer within the bounds of their requirements (which is why, based on the thread advice and that of other people I trust to know better, I pushed them towards monitoring the logins over the initial request to block them).

Based on that, it seemed like WMI was the right tool for the job, even though it meant more work on my side. If there is a reason not to use it, please let me know.

And I know event log shipping is fine, it's just that the built in .NET functionality for receiving events from local logs has a maximum throughput of one event every 6 seconds, as per the documentation. And the documentation literally said you "probably won't miss events." That doesn't fill me with the warm and fuzzies. I'm sure I could poll the logs for changes manually but I'm not sure how that's better than just using WMI. Again, please let me know if I'm missing something.

Edit: To make it crystal clear, I'm not exactly an expert in Windows logging. It's not obvious to me why one solution would be better than another other than what I'm reading in the documentation and MSDN saying to use WMI. Even if it's irrelevant to this situation, I'd like to know why people seem to dislike WMI for stuff like this.

Double edit: There might also be a future requirement to get a list of all workstations on the domain that we can cache in our database so we can make different decisions/actions based on where the login took place. I think WMI could be used for that too, so that's two birds with one stone. If that's a dumb idea please let me know what to use instead.

This kind of sounds like a similar situation to what I had to do recently. In my case it was building a (hopefully) more robust monitoring of Hyper-V replication based on event log monitoring of the hosts, but in general it was:

Monitor event log on client > event occurs > do something

I don't know the timeliness of what I ended up doing down to the second, as that wasn't a requirement for us, but it sent out an email that was received by our ticketing system in about 2 minutes. I *think* I could have made it do a remote event log using the NTEventLogEventConsumer instead of the SMTP consumer, but I didn't test that.

PM me if you want some more details.

KillHour
Oct 28, 2007


sloshmonger posted:

NTEventLogEventConsumer

This is exactly what I'm using :)

Good to see that it's been done before. No issues?

sloshmonger
Mar 21, 2013

KillHour posted:

This is exactly what I'm using :)

Good to see that it's been done before. No issues?

I didn't use NTEventLogConsumer, but instead SMTPEventConsumer. No issues on the WMI side.

Wrath of the Bitch King
May 11, 2005

Research confirms that black is a color like silver is a color, and that beyond black is clarity.
I'd be interested to hear any thoughts or opinions on ServiceNow's CMDB option, since my company wants to look into it. The initial ask was "evaluate ServiceNow and their offerings," which feels like it would take a literal year to do since they have so many products.


Potato Salad
Oct 23, 2014

nobody cares


WMI is the worst possible performing thing for this, and if you're running it on a DC that's...

You need to be forwarding logs to an aggregation server and consuming them / starting your orchestration tasks from there.
