|
Potato Salad posted:it seriously looks like one of my client domains was used as an inefficient but highly available rainbow table
|
# ? Apr 17, 2019 20:37 |
|
Potato Salad posted:85,000 machine and user accounts haven't been used since 2010. We never delete a user account, but machine accounts? gently caress's sake. Those get nuked after 90 days of inactivity.
|
# ? Apr 17, 2019 20:41 |
|
Dirt Road Junglist posted:We never delete a user account, but machine accounts? gently caress's sake. Those get nuked after 90 days of inactivity. "But non-repudiation" fire your infosec if they're incompetent, folks, while you still can
|
# ? Apr 17, 2019 22:27 |
|
Potato Salad posted:it seriously looks like one of my client domains was used as an inefficient but highly available rainbow table
|
# ? Apr 18, 2019 04:19 |
|
How's dedupe for vhdx files on a san? I would assume it's not good but who knows.
|
# ? Apr 19, 2019 07:04 |
|
lol internet. posted:How's dedupe for vhdx files on a san? I would assume it's not good but who knows. if it's block level dedup you can get some pretty shocking space gains just by deduping all of the blocks the OS is sitting on in each VHDX.
|
# ? Apr 19, 2019 14:36 |
|
lol internet. posted:How's dedupe for vhdx files on a san? I would assume it's not good but who knows. Should see similar returns as pretty much any other deduplication tech on a virtualized platform, either at the hypervisor or storage layer. Most things dedupe on 64k blocks and there's a whole lot of duplicate files in most environments unless you're spinning everything off a single gold base image.
|
# ? Apr 19, 2019 16:19 |
|
Uhhh... wtf does AD put into attributes that have never been set? And why can't I just assign one $null? code:
|
# ? Apr 25, 2019 18:27 |
|
AlternateAccount posted:Uhhh... wtf does AD put into attributes that have never been set? And why can't I just assign one $null? code:
|
# ? Apr 25, 2019 19:16 |
|
Zaepho posted:You have to explicitly clear the attribute. It makes for some annoying code if you have to clear or set conditionally but it works. Well the issue is more that I need to know if the attribute is unset or not. On accounts where it has not been set, trying to do an -eq "" or -eq $null always returns false. I can't figure out what it thinks is in there that I can compare against.
|
# ? Apr 25, 2019 21:32 |
|
I'm not sure if this is the right place to ask this question but here goes. It's about network shares. I'm doing some system admin work and have run into the following issue: Currently I have two servers each with file shares: \\Server 1\[a bunch of shares]\ \\Server 2\Share X\ What I want to do: move Server 2's Share X + contents to Server 1 and redirect so when people type in "\\Server 2\" into Windows explorer, they are instead pointed to the list of file shares on Server 1, and they can find "Share X" and proceed like normal. In other words: 1. create "\\Server 1\Share X\" 2. sync files between "\\Server 1\Share X\" and "\\Server 2\Share X\" (should be easy, just copy/paste) 3. delete \\Server 2\ from network 4. setup network so that typing in "\\Server 2\Share X\" will direct users to "\\Server 1\Share X\" There is another instance of this being done on my work network so I know it's possible, I just have no idea how to do it. Can anybody help? Simply making a DNS record to point Server 2 to Server 1's IP address doesn't seem to work. Pings work, but I get an error when typing "\\Server 2\" into Windows Explorer. GreatGreen fucked around with this message at 22:36 on Apr 25, 2019 |
# ? Apr 25, 2019 22:31 |
|
AlternateAccount posted:Well the issue is more that I need to know if the attribute is unset or not. On accounts where it has not been set, trying to do an -eq "" or -eq $null always returns false. I can't figure out what it thinks is in there that I can compare against. get-aduser -Filter {(employeenumber -notlike "*")} works for me, or use an LDAP filter instead. Looks like you can query an object's employeenumber property and throw it in a variable and test that variable for $null
|
# ? Apr 25, 2019 22:52 |
|
GreatGreen posted:I'm not sure if this is the right place to ask this question but here goes. It's about network shares. I'm doing some system admin work and have run into the following issue: You can do a few things: 1) DFS share on server2 pointing to server1's shareX or 2) add the "server 1" name to "server 2" and rename server 1 to "server 1a". Since 2008 R2 hosts can have multiple names (name aliases) which are supported and backed in a windows domain. You have to do funky, unsafe stuff to the OS to support cname smb shares. However, you should really consider consolidating everything as a DFS-N (unified, consistent share folders) and DFS-R (replicating data to multiple servers, for availability) shares. Going to take some teeth gnashing, but it will help you in the long run. incoherent fucked around with this message at 23:29 on Apr 25, 2019 |
# ? Apr 25, 2019 23:26 |
|
GreatGreen posted:I'm not sure if this is the right place to ask this question but here goes. It's about network shares. I'm doing some system admin work and have run into the following issue: You'll want a cname record for server2's hostname to resolve to server1's fqdn.
|
# ? Apr 25, 2019 23:37 |
|
incoherent posted:However, you should really consider consolidating everything as a DFS-N (unified, consistent share folders) and DFS-R (replicating data to multiple servers, for availability) shares. Going to take some teeth gnashing, but it will help you in the long run. It's this, move to DFS-N and then you only need to do this move once.
|
# ? Apr 25, 2019 23:44 |
|
AlternateAccount posted:Uhhh... wtf does AD put into attributes that have never been set? And why can't I just assign one $null? Get-ADUser returns an ADUser object. The Properties parameter doesn't select the properties you specify; it just adds them to the object the command returns, so your second line is really asking whether the user object exists. It does, so you're getting $False. What you want is (Get-ADUser TESTUSER -Properties EmployeeNumber).EmployeeNumber -eq $Null or (Get-ADUser TESTUSER -Properties EmployeeNumber | Select -ExpandProperty EmployeeNumber) -eq $Null Toast Museum fucked around with this message at 06:10 on Apr 26, 2019 |
# ? Apr 26, 2019 06:05 |
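An added example, not code from the thread, that puts Zaepho's and Toast Museum's points together: the comparison that can never succeed, the one that tests the attribute itself, the bulk filter from earlier in the thread, and setting or clearing the attribute. TESTUSER and EmployeeNumber are the names the thread uses; the ActiveDirectory RSAT module is assumed.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory RSAT module and an
# account named TESTUSER (placeholder name from the thread).
Import-Module ActiveDirectory

$user = Get-ADUser -Identity 'TESTUSER' -Properties EmployeeNumber

# Wrong: -Properties only adds EmployeeNumber to the returned ADUser object, it does not
# select it. This compares the whole object with $null, so it is $false whenever the
# account exists, whatever the attribute holds.
$objectTest = ($user -eq $null)

# Right: compare the attribute itself. An attribute that was never set comes back as $null.
# Keep $null on the left: if the value were a collection, "value -eq $null" would filter
# the collection instead of returning a boolean.
$isUnset = ($null -eq $user.EmployeeNumber)
"$($user.SamAccountName): EmployeeNumber unset = $isUnset"

# Bulk check: every enabled user whose EmployeeNumber was never set. -notlike "*" matches
# only attributes with no value at all; enabled-only keeps stale accounts out of the report.
$missing = Get-ADUser -Filter 'EmployeeNumber -notlike "*" -and Enabled -eq $true' |
    Select-Object SamAccountName, DistinguishedName
"$($missing.Count) enabled users have no EmployeeNumber"

# As the thread says, assigning $null does not empty an attribute; -Clear does. Setting a
# value conditionally therefore means: read it, test for $null, then -Replace.
function Set-EmployeeNumberIfUnset {
    param([Parameter(Mandatory)][string]$Identity, [Parameter(Mandatory)][string]$Number)
    $u = Get-ADUser -Identity $Identity -Properties EmployeeNumber
    if ($null -eq $u.EmployeeNumber) {
        Set-ADUser -Identity $Identity -Replace @{ EmployeeNumber = $Number }
        return $true
    }
    return $false    # already set; do not overwrite silently
}

Set-EmployeeNumberIfUnset -Identity 'TESTUSER' -Number '12345'   # constructed value
Set-ADUser -Identity 'TESTUSER' -Clear EmployeeNumber              # back to unset
```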
|
Toast Museum posted:Get-ADUser returns an ADUser object. The Properties parameter doesn't select the properties you specify; it just adds them to the object the command returns, so your second line is really asking whether the user object exists. It does, so you're getting $False. What you want is Bingo, you got it. Thank you. So I was testing whether Get-ADuser worked, not the variable. Makes total sense now that I see it. Thanks!!!!
|
# ? Apr 26, 2019 15:34 |
|
incoherent posted:You can do a few things: Thanks for the tips! However... I can't go with option 1 because Server 2 needs to be decommed. I'm also unable to do the steps outlined in the link. They don't work for me. I'm going to Server 2 and opening Powershell in admin mode and typing in netdom computername Server2 /add server1.fqdn.com and I'm getting an error. "Can't add this name to server, see: NETDOM HELP" but then typing in netdom computername Server2 /enum correctly shows both servers in the list. I've also added "DisableServerNameChecking=1" and added the servername to "OptionalNames" in the registry. Going back to my computer, flushing the dns, then typing in \\Server2\ in the explorer still gives me an error, while \\Server1\ still works fine. GreatGreen fucked around with this message at 16:03 on Apr 26, 2019 |
# ? Apr 26, 2019 15:49 |
|
What you are trying to do sounds like it should be simple, but it's not. I will reiterate that moving everything to DFS-N is the right solution. That being said, what you want to do is different for SMB1 and newer versions. Here's some reading. https://support.microsoft.com/en-us/help/3181029/smb-file-server-share-access-is-unsuccessful-through-dns-cname-alias https://md3v.com/enable-windows-server-smb-2-0-alias-cname
|
# ? Apr 26, 2019 15:56 |
|
The instructions from the 2nd link worked!!! SETSPN -a HOST/[SERVER2] [SERVER1] SETSPN -a HOST/[SERVER2.FQDN] [SERVER1] Those commands did the job. Thanks so much! One more thing...do you guys happen to know how to undo this in case I ever need to free up the name again? Reading up on it shows that you should change the above commands from "-a" to a "-d" to remove the record. Can anybody confirm? vvv edit: Thanks! edit2: accidentally typed back slashes above. Replaced them with forward slashes. GreatGreen fucked around with this message at 20:01 on Apr 26, 2019 |
# ? Apr 26, 2019 16:12 |
|
Should be as simple as running the command with -d
|
# ? Apr 26, 2019 16:30 |
|
-d is the correct switch to delete an SPN record, I had to do that several times last week for a cranky SQL Server. Oh hey, guess who just got handed a list of about 1000 client machines that need to be migrated from SCCM 2007 to 2012? I pray they aren't in a hurry, I have a LOT of reading to do.
|
# ? Apr 26, 2019 18:01 |
|
Request below for how ATP works for your O365 Tenant vs. just EOP. What is good, what is bad, etc. Currently we have a setup where our students' email is hosted in our O365 Tenant and our Faculty / Staff are hosted locally in Exchange 2013, but AD is synced with that same O365 Tenant for Office and other services licensing. When I took over infrastructure here, O365 only had EOP in front of it, which was woefully underserving the security needs of the student email system. For on-prem we had Symantec Messaging Gateway VMs which were little better than an open relay. After some public phishing attacks etc. we finally got a little money to move to Local Sophos VMs for our Email gateways based on how awesome their AV has been to administer on campus. We wanted something like Proofpoint but the money just wasn't there. We have the incoming student O365 mail loop through our on campus filters, because again, EOP was sad at that point, which has worked pretty well at stopping a lot of the nonsense. However, we are finally ready to start looking at migrating the faculty/staff mailboxes up to the 365 tenant, and are re-evaluating mail filters. Because of some State oversight, "Cloud" solutions have to be considered and allowed which of course costs money and time to evaluate. O365 is already approved and we are looking at our new 3 year campus agreement coming up. We are looking at once we fully migrate our Faculty / Staff to just going all in and buying licenses for ATP. Does anyone have any advice or experience with ATP? Is it working well for you, does it make sense?
|
# ? Apr 29, 2019 13:38 |
|
Hey guys, I'm about to spin up a Windows Server 2016 domain controller server on my domain, but my domain functional level is Windows Server 2003, and my forest functional level is also Windows Server 2003. I'm reading that a domain controller hosted on Server 2016 won't work unless both the forest and domain functional level is set to Windows Server 2008 or higher.... but the posts I found that say that are from a couple years ago. Is this still true? Do I still need to bring the Domain and Forest functional levels up to 2008 in order to host a domain controller on Server 2016?
|
# ? May 6, 2019 02:59 |
|
FRS is deprecated and you need to migrate to DFSR. I think you need 2008r2 functional for DFSR. MF_James fucked around with this message at 03:34 on May 6, 2019 |
# ? May 6, 2019 03:24 |
|
MF_James posted:FRS is deprecated and you need to migrate to DFSR So I won't be able to spin up and promote a Windows Server 2016 DC without first migrating to DFSR?
|
# ? May 6, 2019 03:56 |
|
What is the oldest Windows version you have running on a DC? Is there a reason other than fear of change (which is fair, but needs to be dealt with eventually) you can't promote the functional level to 2012+? I actually went through more or less your same situation a couple months ago. I spun up a Server 2019 DC and it couldn't join the domain because our functional level was too low (I forget what it was at, maybe 2008) and we had never migrated to DFSR. Our oldest DC was 2012R2 so there was no excuse for any of this. Microsoft has gone to GREAT pains to ensure backwards compatibility throughout their history, but they've finally decided to rip this particular bandaid off. Upgrading the functional level and migrating to DFSR took like one afternoon. Massive Disclaimer we have a small, simple environment. I don't want to give the impression that this is a trivial thing you should just #YOLO out to a large AD forest. But for us, at least, it was painless.
|
# ? May 6, 2019 04:44 |
|
The reason I'm doing this is to decomm all the 2008 servers on the domain, of which there are several, and two of them are domain controllers. I'd go with a higher functional level but I have to stick with 2008 right now so the new 2016 servers can replicate from those old 2008 DC's. Maybe after they're all done and I turn the 2008's off for good, I'll increase the functional level to 2012 R2 (by then our oldest DCs will be 2012 R2). So my current plan is to upgrade the domain and forest functional levels to 2008 (it's currently 2003) and then to upgrade from FRS to DFSR. One question though: is upgrading the SYSVOL once on one domain controller good enough to propagate that update to all the DCs, or am I going to need to update to DFSR separately on every DC? GreatGreen fucked around with this message at 05:48 on May 6, 2019 |
# ? May 6, 2019 05:46 |
|
You do it once and wait for replication, the MS docs on the subject cover it https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd640019(v%3dws.10)
|
# ? May 6, 2019 10:01 |
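An added example, not the thread's or Microsoft's code, of the "run it once and wait for replication" answer: dfsrmig.exe is driven through its three global states from one DC, and the script waits for every DC to report the same state before moving on. It assumes dfsrmig.exe and repadmin.exe on a writable DC, a Domain Admin shell, domain functional level 2008 or higher, and that dfsrmig's summary line contains the phrase checked for below (verify that against your build's output).

```powershell
# Added example, not from the thread. Run once on one writable DC (the PDC emulator is the
# usual choice); the other DCs pick the global state up through AD replication.
# Assumes dfsrmig.exe / repadmin.exe, Domain Admin rights, domain functional level >= 2008.

$states = @(
    @{ Id = 1; Name = 'Prepared'   },   # DFSR builds SYSVOL_DFSR next to the FRS SYSVOL
    @{ Id = 2; Name = 'Redirected' },   # the SYSVOL share is served from SYSVOL_DFSR
    @{ Id = 3; Name = 'Eliminated' }    # FRS is removed; this step cannot be rolled back
)

function Wait-DfsrMigrationState {
    param([int]$TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        repadmin /syncall /AdeP | Out-Null          # nudge AD replication; optional
        $report = dfsrmig /getmigrationstate
        # Assumption: the summary reads "...consistent state on all Domain Controllers" once
        # every DC has reached the global state. Check the exact wording on your build.
        if ($report -match 'consistent state') { return $true }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    Write-Warning ("DCs still behind the global state:`n" + ($report -join "`n"))
    return $false
}

foreach ($s in $states) {
    if ($s.Id -eq 3) {
        # Last chance before FRS is gone: every DC must be Redirected, and "net share" on a
        # DC should already show SYSVOL pointing at the SYSVOL_DFSR path.
        $go = Read-Host "All DCs are Redirected. Type ELIMINATE to retire FRS for good"
        if ($go -ne 'ELIMINATE') { break }
    }
    Write-Host "Setting global state $($s.Id) ($($s.Name))"
    dfsrmig /setglobalstate $s.Id
    if (-not (Wait-DfsrMigrationState)) {
        throw "Migration stalled at '$($s.Name)'. Fix AD replication, then rerun this script."
    }
}
dfsrmig /getmigrationstate    # final report for the change ticket
```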
|
Pretty sure 2016 is fine with FRS replication but 2019 100% is not. If your oldest DC is 2008 raise the functional levels and see if you can make this server a DC. Worst case scenario it fails at the pre req check
|
# ? May 6, 2019 13:31 |
|
Thanks Ants posted:You do it once and wait for replication, the MS docs on the subject cover it Awesome, thanks. snackcakes posted:Pretty sure 2016 is fine with FRS replication but 2019 100% is not. If your oldest DC is 2008 raise the functional levels and see if you can make this server a DC. Worst case scenario it fails at the pre req check Your comment made me curious so I looked it up. It seems that earlier versions of Server 2016 did support FRS, but version 1709 and beyond does not. https://support.microsoft.com/en-us/help/4025991/windows-server-version-1709-no-longer-supports-frs
|
# ? May 6, 2019 13:41 |
|
Yeah that was my experience. Toward the end of the promo wizard, 2019 tells you to get wrecked and upgrade to DFSR and aborts the promotion.
|
# ? May 6, 2019 13:42 |
|
GreatGreen posted:Your comment made me curious so I looked it up. It seems that earlier versions of Server 2016 did support FRS, but version 1709 and beyond does not. Thanks for the correction! I had no idea. We deploy 2019 now so I haven't had to deploy 2016 in a 2003 environment in a while
|
# ? May 6, 2019 23:07 |
|
FRS is trash, pull that ripcord baby
|
# ? May 9, 2019 00:30 |
|
I've been tasked to allow an external company access to our file server. We don't have SharePoint or any of that poo poo so my thoughts were to just create them AD accounts and provide VPN access for them. Is this the best solution or is there something better out there?
|
# ? May 9, 2019 16:39 |
|
kiwid posted:I've been tasked to allow an external company access to our file server. We don't have SharePoint or any of that poo poo so my thoughts were to just create them AD accounts and provide VPN access for them. Is this the best solution or is there something better out there? VPN + AD + terminal server?
|
# ? May 9, 2019 17:01 |
|
Sync to Azure and grant access from there? The thought of an external company connecting to my main file shares via VPN gives me the willies. https://azure.microsoft.com/en-us/services/storage/files/
|
# ? May 9, 2019 17:07 |
|
kiwid posted:I've been tasked to allow an external company access to our file server. We don't have SharePoint or any of that poo poo so my thoughts were to just create them AD accounts and provide VPN access for them. Is this the best solution or is there something better out there? AD Account set to autoexpire at a determined interval. Ticket required to reenable. VPN with a dynamic policy allowed only to your terminal server, from which they can then access a mapped share with read-only rights?
|
# ? May 9, 2019 21:20 |
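An added example, not code from the thread, of the account side of the last reply: an external account created with an expiry date, extended only against a ticket, and reviewed for lapsed or never-expiring accounts. The OU, group and account names are placeholders and the ActiveDirectory RSAT module is assumed; the VPN policy and terminal server are outside this snippet.

```powershell
# Added example, not from the thread. OU, group and names are placeholders; assumes the
# ActiveDirectory RSAT module and rights to create users in the vendor OU.
Import-Module ActiveDirectory

$vendorOU   = 'OU=Vendors,DC=corp,DC=example'    # placeholder OU holding only external accounts
$shareGroup = 'FS-ShareX-ReadOnly'                # placeholder group that carries the read-only ACLs
$expiryDays = 30                                   # auto-expire; re-enabling needs a ticket

function New-VendorAccount {
    param([Parameter(Mandatory)][string]$Sam, [Parameter(Mandatory)][string]$Company)
    # Random initial password; the user must change it at first logon.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $initial = [Convert]::ToBase64String($bytes)
    $expires = (Get-Date).AddDays($expiryDays)

    New-ADUser -Name $Sam -SamAccountName $Sam -Path $vendorOU -Company $Company `
        -AccountPassword (ConvertTo-SecureString $initial -AsPlainText -Force) `
        -Enabled $true -ChangePasswordAtLogon $true -AccountExpirationDate $expires `
        -Description "External ($Company), expires $($expires.ToString('yyyy-MM-dd'))"
    Add-ADGroupMember -Identity $shareGroup -Members $Sam   # share rights only via the group
    return $initial    # hand over out of band, not by email to a shared vendor mailbox
}

# Extension against a ticket: the expiry moves forward, it is never removed.
function Update-VendorAccountExpiry {
    param([Parameter(Mandatory)][string]$Sam, [Parameter(Mandatory)][string]$Ticket, [int]$Days = 30)
    $new = (Get-Date).AddDays($Days)
    Set-ADAccountExpiration -Identity $Sam -DateTime $new
    Set-ADUser -Identity $Sam -Replace @{ info = "Expiry moved to $($new.ToString('yyyy-MM-dd')) per $Ticket" }
}

# Periodic review: lapsed accounts that are still enabled (candidates to disable and clean
# up), and vendor accounts with no expiry at all (accountExpires of 0 or
# 0x7FFFFFFFFFFFFFFF means "never"), which break the policy above.
function Get-VendorAccountReport {
    $expired = Search-ADAccount -AccountExpired -UsersOnly -SearchBase $vendorOU |
        Where-Object Enabled | Select-Object SamAccountName, AccountExpirationDate
    $never = Get-ADUser -SearchBase $vendorOU `
        -LDAPFilter '(|(accountExpires=0)(accountExpires=9223372036854775807))' |
        Select-Object SamAccountName
    [pscustomobject]@{ ExpiredButEnabled = $expired; NoExpiry = $never }
}

New-VendorAccount -Sam 'svc-acme-ext' -Company 'Acme Ltd'    # constructed names
Get-VendorAccountReport
```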
|
I’m upgrading a lot of VM operating systems at the moment. Specifically, I have about 10 VM’s still running server 2008. I’m going to upgrade them to server 2016. I don’t want to do an in-place upgrade, if that’s even possible. Instead, I plan on spinning up brand new servers, installing all the apps and migrating whatever data I need to, then re-naming and re-IP’ing the new ones to mimic the servers they are replacing. I have a feeling active directory is going to go a bit apeshit when I try to do this on the domain though. What’s the best practice for this in general? Having both servers on the domain at once but with different names, then when it’s time for the switch, take both servers off the domain, then put the new server back on using the old server’s name?
|
# ? May 10, 2019 01:12 |
|
GreatGreen posted:I’m upgrading a lot of VM operating systems at the moment. Specifically, I have about 10 VM’s still running server 2008. I’m going to upgrade them to server 2016. I don’t want to do an in-place upgrade, if that’s even possible. Instead, I plan on spinning up brand new servers, installing all the apps and migrating whatever data I need to, then re-naming and re-IP’ing the new ones to mimic the servers they are replacing. I have a feeling active directory is going to go a bit apeshit when I try to do this on the domain though. name them different things and then cname
|
# ? May 10, 2019 01:13 |
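An added example, not code from the thread, covering both the SETSPN procedure GreatGreen used to keep \\SERVER2 working after the move and the "name them different things and then cname" advice for replacing a server: DNS alias, HOST SPNs on the new computer account, the two LanmanServer registry values from the linked articles, a client-side check that Kerberos is actually used, and the -d rollback. SERVER1, SERVER2, the zone and the share name are placeholders; it assumes a Domain Admin shell with RSAT (setspn.exe and the DnsServer module).

```powershell
# Added example, not from the thread. Serves the retired name SERVER2 from SERVER1 over
# SMB2/3, following the KB 3181029 / md3v.com procedure the thread links. Names are
# placeholders. Run as a Domain Admin on a machine with RSAT (setspn.exe, DnsServer module).
$oldName = 'SERVER2'
$newName = 'SERVER1'
$zone    = 'corp.example'          # placeholder AD-integrated DNS zone
$spns    = @("HOST/$oldName", "HOST/$oldName.$zone")

# 0. The old computer account must be gone first: while it exists it owns HOST/SERVER2,
#    and a duplicate SPN breaks Kerberos for both machines.
if (Get-ADComputer -Filter "Name -eq '$oldName'") {
    throw "Decommission and delete the $oldName computer object before aliasing its name."
}

# 1. DNS: the old name becomes an alias of the new host.
Add-DnsServerResourceRecordCName -ZoneName $zone -Name $oldName -HostNameAlias "$newName.$zone"

# 2. Register the alias's HOST SPNs on SERVER1's computer account, so a client asking for
#    cifs/SERVER2 gets a ticket SERVER1 can decrypt (HOST covers cifs). -S refuses duplicates,
#    which is the check the thread's -a form skips.
foreach ($spn in $spns) {
    $out = setspn -S $spn $newName
    if ($out -match 'Duplicate SPN') { throw "Duplicate for ${spn}:`n$($out -join "`n")" }
}

# 3. On SERVER1: let the Server service answer to the extra name. Both values live under
#    LanmanServer\Parameters; restarting the service drops open sessions, so use a window.
Invoke-Command -ComputerName $newName -ScriptBlock {
    $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $p -Name DisableStrictNameChecking -Value 1 -Type DWord
    Set-ItemProperty -Path $p -Name OptionalNames -Value @($using:oldName) -Type MultiString
    Restart-Service LanmanServer -Force
}

# 4. Verify from a client: the name resolves, the share opens, and the ticket is Kerberos
#    (a cifs/SERVER2 entry in klist) rather than an NTLM fallback.
Resolve-DnsName "$oldName.$zone" | Format-Table Name, Type, NameHost
Get-ChildItem "\\$oldName\Share X" | Out-Null      # share name from the thread
klist | Select-String "cifs/$oldName"

# 5. Freeing the name again (the -d question in the thread): drop the SPNs and the CNAME.
# foreach ($spn in $spns) { setspn -D $spn $newName }
# Remove-DnsServerResourceRecord -ZoneName $zone -Name $oldName -RRType CName -Force
```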