|
Does Windows have a documented printer discovery method like macOS does? For example, if someone connects a Mac to our Wi-Fi network then I am advertising the printers into that VLAN by using the various mDNS helper services that access points, switches, firewalls etc. have baked into them now. I'd like Windows to work the same way, as there are times when non-managed clients that don't have the printers deployed to them will need to be able to print. I think Windows tends to prefer setting printers up as WSD devices if it detects them on the local network - is there a way to get this working across subnets without just bouncing all multicast or broadcast traffic between them? Even if I just need to manually create a bunch of DNS records that the clients try and lookup in the same zone they're assigned via DHCP would be fine as a solution, but the stuff I am finding seems really hacky. Edit: Something along the lines of how this works, https://www.papercut.com/support/resources/manuals/mobility-print/mobility-print-server/topics/discover-printers-dns.html but without the third-party software and app install requirements. Thanks Ants fucked around with this message at 13:00 on Dec 5, 2018 |
# ? Dec 5, 2018 12:41 |
|
|
# ? May 30, 2024 12:11 |
|
Thanks Ants posted:Does Windows have a documented printer discovery method like macOS does? For example, if someone connects a Mac to our Wi-Fi network then I am advertising the printers into that VLAN by using the various mDNS helper services that access points, switches, firewalls etc. have baked into them now. I can't say for sure, but if it's possible it's probably a bit of a pain, because PaperCut (which is dope, by the way) relies on discovery apps for Windows and Android, but macOS and iOS clients just see the printers with AirPrint. Presumably they'd avoid the hassle of developing those apps if they could. Toast Museum fucked around with this message at 13:15 on Dec 5, 2018 |
# ? Dec 5, 2018 13:13 |
|
I'd be fine with PaperCut if this were a BYOD thing, but it's for guest users who might not be able to install an app. I'm really only focused on Windows as Macs are covered with AirPrint. Currently we are resorting to the print-by-email feature for guest printing but it's poo poo and the experience is massively different between each vendor.
|
# ? Dec 5, 2018 13:20 |
|
Thanks Ants posted:I'd be fine with PaperCut if this were a BYOD thing, but it's for guest users who might not be able to install an app. I'm really only focused on Windows as Macs are covered with AirPrint. Currently we are resorting to the print-by-email feature for guest printing but it's poo poo and the experience is massively different between each vendor. Do you mean email-to-print built into your printers? If so, at the risk of sounding like a PaperCut shill, it does also feature email- and web-based printing, so users would have a consistent experience regardless of which device they printed to. It also supports Google Cloud Print, but I've found that to be a hassle on the client side. As a caveat, we didn't have much of a use case for those features, so I only tried them a couple times before pushing our users to the app. They seemed fine, but I'm not in a position to totally vouch for them.
|
# ? Dec 5, 2018 16:35 |
|
Anyone actually use VMM to create clusters? Just curious if it works out as expected or if you find yourself going back and still manually doing some configurations on the clusters. Also does anyone work at a place that doesn't automatically append the domain name DNS suffix? (i.e. your domain is company.com and when you do lookups by default it appends computer.company.com) ipconfig shows company.com in the DNS suffix. I am at a place that doesn't have it, this is the first place I've been that doesn't have it and I'm not actually sure what the best practice is for this. lol internet. fucked around with this message at 04:54 on Dec 6, 2018 |
# ? Dec 6, 2018 03:13 |
|
I'm having issues resolving one specific domain name from our site. We have two Windows 2016 DCs/DNS servers using our ISP's DNS servers as forwarders. I can't seem to resolve the "linode.com" domain. If I manually set my DNS servers to my ISP's then it works. If I use Google's DNS servers, it works. But when I set my DNS servers to our domain controllers, it doesn't resolve. Again, it seems to be only this one specific domain and it's been like this for about 4 days now. I also can't resolve from the domain controller itself, so it's not my machine or anything. Does anyone have any ideas?
|
# ? Dec 10, 2018 14:50 |
|
Are you doing TCP lookups internally and UDP externally (or vice-versa)?
|
# ? Dec 10, 2018 19:18 |
|
Thanks Ants posted:Are you doing TCP lookups internally and UDP externally (or vice-versa)? What happened to your forwarder question? Also, you can try clearing your server's cache by running `Clear-DnsServerCache`
|
# ? Dec 10, 2018 19:23 |
|
The Fool posted:What happened to your forwarder question? It was in the OP and I missed it. I guess another thing to check is that your forwarders are actually being used, and you're not going to the root zones for each request.
|
# ? Dec 10, 2018 19:33 |
|
Turned out to be our SonicWalls doing some funky rear end poo poo. Weird 'cause this only started last week. what a waste of my loving life. I hate this profession.
|
# ? Dec 11, 2018 21:24 |
|
kiwid posted:Turned out to be our SonicWalls doing some funky rear end poo poo. Just yesterday I had a situation where one was dropping most incoming RTP packets even while pings and any other traffic was fine. Their VoIP ALGs have been a constant source of problems as long as I've had to deal with them, but usually they gently caress up the SIP traffic so one or both legs of audio simply don't connect at all. This was a new failure mode I hadn't seen before, which doesn't happen often. edit: Also it was so out of date that the IT vendor had to RDP to a 2008 server that had an outdated copy of IE installed to connect to it. No up-to-date browsers would agree on encryption algorithms. This is also a recurring theme, I assume because some form of ongoing licensing is involved to access software updates. wolrah fucked around with this message at 23:56 on Dec 11, 2018 |
# ? Dec 11, 2018 23:54 |
|
wolrah posted:This is such a recurring theme with my customers who have SonicWalls that I've never been able to understand how they're so popular. I had a SonicWall at a client once where it would work fine in the shop, but when deployed it would shut the internet down after about 5 minutes. Turns out the client ISP had some weird broadcast traffic happening, and the SonicWall saw it as an attack and shut down the WAN port.
|
# ? Dec 11, 2018 23:57 |
|
Sonicwalls have their own quirks like all other UTM boxes do, the first software releases on the Gen6 boxes were buggy garbage, and the throughput vs. cost calculation doesn't look great compared to options from Fortinet. But it's not their fault if somebody buys a box, never bothers to keep the software on a current release and then stops paying the maintenance on it.
|
# ? Dec 12, 2018 00:08 |
|
kiwid posted:Turned out to be our SonicWalls doing some funky rear end poo poo. Was it dpi-ssl?
|
# ? Dec 12, 2018 00:46 |
|
wolrah posted:edit: Also it was so out of date that the IT vendor had to RDP to a 2008 server that had an outdated copy of IE installed to connect to it. No up-to-date browsers would agree on encryption algorithms. This is also a recurring theme, I assume because some form of ongoing licensing is involved to access software updates. This is not an issue with sonicwalls, this is an issue with cheap fuckers that don't want to pay for on-going support (which is what you need to continue downloading software updates... also UTM updates). Fortigates have the same issue with VOIP traffic, we basically turn their SIP helper off as a standard deployment method, the ONLY VOIP traffic it doesn't 100% of the time gently caress up is some softphone stuff (close.io is one I can think of), anything originating from/going to a physical phone will be hosed.
|
# ? Dec 12, 2018 00:51 |
|
I love SonicWalls, actually. They're pretty darned user friendly. Maybe I'm biased though, since I've been working with them for something like 7-8 years. I can find my way around a Cisco, but I have no idea how people live with them. Having said that, yes, I have had to call SonicWall support way too many times for weird poo poo. One time LDAP connection broke because the password was too...complicated...?
|
# ? Dec 12, 2018 01:52 |
|
if you think sonicwalls are user friendly, you should meet fortigates, they are way better (in my opinion)
|
# ? Dec 12, 2018 01:57 |
|
MF_James posted:This is not an issue with sonicwalls, this is an issue with cheap fuckers that don't want to pay for on-going support (which is what you need to continue downloading software updates... also UTM updates). As I see it that's both a Sonicwall (and a lot of the rest of the industry) issue and a user issue. The people buying them should be aware of the requirement for an ongoing subscription, but I don't think it's right to gate security updates behind a paywall. Technical support, extended warranties, and features requiring constant updates from the vendor (AV, content filter, IDS, etc.) are fine to have in subscriptions, but cutting off security updates pretty much defeats the purpose of the device. At that point it's more honest IMO to just go full Meraki and have the device actually neuter itself when you stop paying, rather than letting outdated and likely vulnerability-laden devices keep operating normally as far as their owners are concerned. There are options that don't do it this way, but they aren't as good at marketing so they're unfortunately rare.
|
# ? Dec 12, 2018 16:14 |
|
snackcakes posted:Was it dpi-ssl? Nah we're not licensed for that. wolrah posted:This is such a recurring theme with my customers who have SonicWalls that I've never been able to understand how they're so popular. They're half the price of the next guy. Get what you pay for I suppose. We paid ~$45,000 for SonicWall + Analyser. Barracuda came in at ~$75,000 and Fortigate was like ~$95,000. We didn't even bother pricing Palo Alto. My biggest gripe with SonicWalls is that they don't seem to log everything. I've tried loving around with the logging config but they just don't seem to log everything even in debug mode. Also, their Analyser virtual appliance sucks too. kiwid fucked around with this message at 17:36 on Dec 12, 2018 |
# ? Dec 12, 2018 17:31 |
|
kiwid posted:Nah we're not licensed for that. Yeah, I support a few hundred sonicwalls and I loving hate their logging; I'm glad someone else is confirming my suspicions that they don't actually present you with all the info you would expect.
|
# ? Dec 12, 2018 17:54 |
|
Thanks Ants posted:Does Windows have a documented printer discovery method like macOS does? For example, if someone connects a Mac to our Wi-Fi network then I am advertising the printers into that VLAN by using the various mDNS helper services that access points, switches, firewalls etc. have baked into them now. For anybody wanting some closure on this, I stopped reading the documentation I could find about WS-Discovery and just ran Wireshark while I clicked the option in Windows 10 to discover printers, and saw a load of SSDP traffic coming from my machine to a multicast IP (239.255.255.250, UDP port 1900). I think this is covered by every IP helper that does DLNA, so just use that. The printers seeing this multicast traffic then responded by multicasting as mDNS for some reason, which any Bonjour IP helper will cover. Once I found out that the client and the printer used different protocols it was pretty easy to set up, and now when I click "Add Printers" in Windows 10 I can see the printers in that VLAN.
|
# ? Dec 13, 2018 16:37 |
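As an added example (not from the thread or any of its posters), a small Python classifier for the discovery datagrams the post above describes: it tells SSDP, WS-Discovery and mDNS apart by multicast group and port, decodes what each one is asking for, and lists exactly which groups an IP helper has to relay so you don't have to bounce all multicast between VLANs. The SSDP and mDNS groups and ports come from the post; the WS-Discovery port (3702) and all sample packets are assumed/constructed for the example.

```python
import struct

# Multicast (group, port) pairs the discovery protocols use; 3702 is assumed from WS-Discovery, not the post.
SSDP_GROUP = ("239.255.255.250", 1900)   # SSDP: what the Windows 'Add printer' click sends (DLNA helpers relay it)
WSD_GROUP = ("239.255.255.250", 3702)    # WS-Discovery: same group, different port
MDNS_GROUP = ("224.0.0.251", 5353)       # mDNS: what the printers answered with (Bonjour helpers relay it)

def parse_ssdp(payload: bytes) -> dict:
    """Split an SSDP (HTTP-over-UDP) message into its start line and headers."""
    lines = payload.decode("ascii", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().upper()] = value.strip()
    return {"start": lines[0], "headers": headers}

def build_mdns_query(name: str, qtype: int = 12) -> bytes:
    """Encode an mDNS query: ID 0, no flags, one question, class IN (1).
    qtype 12 (PTR) is how a service such as _ipp._tcp.local is browsed."""
    header = struct.pack("!6H", 0, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_mdns_questions(payload: bytes) -> list:
    """Decode (name, qtype) for each question; query questions are not name-compressed."""
    _, _, qdcount, _, _, _ = struct.unpack("!6H", payload[:12])
    offset, questions = 12, []
    for _ in range(qdcount):
        labels = []
        while payload[offset] != 0:
            length = payload[offset]
            labels.append(payload[offset + 1:offset + 1 + length].decode("ascii"))
            offset += 1 + length
        offset += 1                                   # skip the terminating zero label
        qtype, _qclass = struct.unpack("!HH", payload[offset:offset + 4])
        offset += 4
        questions.append((".".join(labels), qtype))
    return questions

def classify(dst: tuple, payload: bytes) -> str:
    """Name the discovery protocol a captured UDP datagram belongs to, as Wireshark would."""
    if dst == SSDP_GROUP:
        msg = parse_ssdp(payload)
        return f"SSDP {msg['start'].split()[0]} ST={msg['headers'].get('ST', '?')}"
    if dst == WSD_GROUP:
        return "WS-Discovery (SOAP over UDP)"
    if dst == MDNS_GROUP:
        return "mDNS query for " + ", ".join(n for n, _ in parse_mdns_questions(payload))
    return "not a discovery multicast"

def groups_to_relay(datagrams) -> set:
    # The (group, port) pairs actually seen: relay exactly these, not every multicast group.
    return {dst for dst, payload in datagrams if classify(dst, payload) != "not a discovery multicast"}

# Constructed samples: a Windows SSDP search, an mDNS browse for IPP printers, and unrelated multicast.
SSDP_MSEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                b'MAN: "ssdp:discover"\r\nMX: 3\r\nST: ssdp:all\r\n\r\n')
SAMPLES = [(SSDP_GROUP, SSDP_MSEARCH), (MDNS_GROUP, build_mdns_query("_ipp._tcp.local")),
           (("239.1.2.3", 5000), b"unrelated multicast")]

if __name__ == "__main__":
    for dst, payload in SAMPLES:
        print(dst, "->", classify(dst, payload))
    print("relay only:", sorted(groups_to_relay(SAMPLES)))
```

Feed it the (destination, payload) pairs from a real capture and the relay set is the allow-list for the helper configuration; anything outside it stays inside its own VLAN.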
|
Anybody know how to fix a situation where a user has managed to shrink all the wizard windows in Visual Studio to ant versions? Everything else is normal, but the wizards are fun sized.
|
# ? Dec 14, 2018 17:42 |
|
Call Paul Rudd?
|
# ? Dec 14, 2018 19:09 |
|
I'd like to do a dumb thing as correctly as possible. I manage the computers for one business unit in a moderately large organization. My unit's devices aren't part of the organization's Active Directory infrastructure, and joining it is untenable for dumb political reasons. I have no access to the organization's networking infrastructure beyond maybe getting a static IP assigned to a device. Given these constraints, is it possible for me to create a new AD forest for my unit? My main goal is to join the devices I manage to a domain so I can push computer policies to them. I don't need any kind of interaction between this new forest and the organization's extant forest. DNS seems like the sticking point. I don't have any control over the organization's DNS servers, and I don't want to gently caress with DNS for anyone outside my unit. My unit does have its own DNS subdomain, for what that's worth. What are my options here?
|
# ? Dec 14, 2018 20:32 |
|
If you have a modern Windows OS then your options are probably Intune with the limitations that go with that (e.g. it's not a drop-in GPO replacement by any stretch).
|
# ? Dec 14, 2018 20:38 |
|
Toast Museum posted:I'd like to do a dumb thing as correctly as possible. If you want to be able to have your own domain, you need to be on a separate network with your own DNS and DHCP. If that's not possible, and you have all Windows 10 machines, Intune is probably your best bet as Thanks Ants said above.
|
# ? Dec 14, 2018 20:49 |
|
If you can get the higher ups to put some SRV records in place for your subdomain (or a subdomain of that domain that's just AD) you can do it.
|
# ? Dec 14, 2018 21:13 |
|
The Fool posted:If you want to be able to have your own domain, you need to be on a separate network with your own DNS and DHCP. If that's not possible, and you have all Windows 10 machines, Intune is probably your best bet as Thanks Ants said above. DHCP is not a requirement for AD. DNS is, however you'll need to manually point everything at the DC IPs in your DNS config but it's possible and you'll be touching everything during enrollment anyhow. Assuming you can get static IPs allocated and have outbound access to some other upstream DNS resolver (even the other AD DNS servers would work) you can build your own domain. If you suspect that at some point you're going to merge this new AD and the other one in the future, maybe make your life easier and name it something like [DivisionNameAD].[OtherAdName].whatever FISHMANPET posted:If you can get the higher ups to put some SRV records in place for your subdomain (or a subdomain of that domain that's just AD) you can do it. If all the clients are pointed at these new DCs for the new DNS, you won't even need to do that. You're authoritative for that new domain name and you can point your upstream resolver to the other DCs for resolution of those system names. Might have to screw around with DNS suffix search orders to handle your non-FQDN addresses but that can be pushed out over GPO once you have the AD hook on endpoints. BangersInMyKnickers fucked around with this message at 21:23 on Dec 14, 2018 |
# ? Dec 14, 2018 21:21 |
|
DHCP, while not a requirement, is not something I would want to live without if I had to manage more than 2 computers.
|
# ? Dec 14, 2018 21:25 |
|
Yeah you could do it without SRV records in parent DNS, but it would probably suck. Depends a lot on the types of devices I would say, as well. If it's all desktops that don't move, a bit easier. If you've got laptop users using wireless, probably a bit trickier. I have done basically the same thing, with the parent organization putting SRV records into DNS for us, so I can speak specifically to that solution.
|
# ? Dec 14, 2018 21:40 |
|
Toast Museum posted:I'd like to do a dumb thing as correctly as possible. If all you need is to push some policies or configs, try looking into Ansible, Chef, Puppet or some sort of configuration management software. Most policies are registry keys that can be set on clients. There's some other options available, but that one might be easiest. So these machines are all just workgroup machines, no domain at all? That's an odd scenario.
|
# ? Dec 14, 2018 22:06 |
|
FISHMANPET posted:Yeah you could do it without SRV records in parent DNS, but it would probably suck. Depends a lot on the types of devices I would say, as well. If it's all desktops that don't move, a bit easier. If you've got laptop users using wireless, probably a bit trickier. I've set up to be able to bind machines to a customer's domain from my office by just establishing a VPN that can talk to their AD DC and DNS servers and having a record in my forwarder set up so all queries for customerdomain.com go to the right place. No real rocket surgery involved, nothing special in DHCP, etc. just one DNS setting and the ability to communicate with the right servers.
|
# ? Dec 14, 2018 22:47 |
|
That big dumb political reason you can't join the extant AD forest better be legit for all the trouble it may cause. is it an intellectual property issue? financial firewalling issue? have you exhausted all options with counsel for, say, drafting a contract for "managed services" with the AD owner?
|
# ? Dec 15, 2018 00:03 |
|
Toast Museum posted:I'd like to do a dumb thing as correctly as possible. Terrible website aside, PolicyPak might take care of your needs: https://www.policypak.com/ Potato Salad posted:That big dumb political reason you can't join the extant AD forest better be legit for all the trouble it may cause. Sounds like a terrible university setup or something to me.
|
# ? Dec 15, 2018 00:52 |
|
skipdogg posted:So these machines are all just workgroup machines, no domain at all? That's an odd scenario. Maneki Neko posted:Sounds like a terrible university setup or something to me. YUP For a variety of goofy historical reasons, the IT unit that's supposed to manage the enterprise only manages about 40% of its devices, and there are at least five other IT departments supporting individual business units. Since nobody trusts the enterprise IT unit, I'm under orders to keep them from being able to manage my unit's machines. On top of that, the guy I'm replacing was some special kind of fuckup who managed to make it to retirement without learning a goddamn thing about how to do his job, so everything to do with management is ad-hoc as hell. Thank you both for the software recommendations, and everyone else for the AD setup suggestions. I'll have to mull it over this weekend.
|
# ? Dec 15, 2018 01:34 |
|
Toast Museum posted:YUP lol the central IT people are going to have your head one day
|
# ? Dec 17, 2018 16:19 |
|
the way the story goes, in my experience, is someone gets to have central IT's head after a massive fuckup over a system that has been lied about for X months or Y years.
|
# ? Dec 17, 2018 16:46 |
|
University IT is a wild beast. Toast Museum, you don't work at a university in Minnesota do you?
|
# ? Dec 17, 2018 19:27 |
|
BangersInMyKnickers posted:lol the central IT people are going to have your head one day If this place made more sense, totally. As it is, they know that everyone is doing their own thing, and they don't seem to be making any effort to change that. I hate this square peg/round hole poo poo, and if it were up to me, I'd have gotten on board with their AD/Jamf situation on my first day. I got overruled, so I'm just trying to keep the wheels on the bus until something better comes along. Edit: FISHMANPET posted:University IT is a wild beast. I don't, but I bet it's exactly the same shitshow as wherever you have in mind. Toast Museum fucked around with this message at 19:57 on Dec 17, 2018 |
# ? Dec 17, 2018 19:54 |
|
|
I started at my University in one of the departments that resisted central IT, and now I work for central IT, so I've seen it all. It would just be hella funny if you work at my institution and I could learn all sorts of drama/probably teach you some as well.
|
# ? Dec 17, 2018 19:58 |