We ran into a weird one last week that we're still fighting with. Server 2012 Hyper-V box. Has a single guest, a Server 2008 VM that was created from a physical install via disk2vhd. Everything works great except the networking. Host can get out to the internet, talks to everything just fine. Guest can be connected to, but cannot talk out. It has proper network info, can ping other internal devices and the gateway with no problem, but can't get out. DNS (internal DNS server) resolves fine as well. It just never gets past the gateway. It's on a virtual switch configured as external along with the host, has the correct virtualized drivers to share the host NIC, etc. Anyone ever seen anything like this?

# Jul 21, 2014 17:48

# May 14, 2024 05:36

> Zaepho posted: This is an incredibly bad one, but is the subnet mask set correctly? It really seems like you're getting traffic out (and I would guess even out beyond your local subnet) but not receiving it back when you go outside your local subnet.

The subnet mask is correct. We did previously have an issue with multiple static routes showing up, so we blew out the route to the gateway and recreated it. It shows fine now, but still will not ping out or tracert to, for example, 8.8.8.8. This site runs a Cisco ASA, and I can see the traffic move through the gateway, but nothing ever comes back. We also have another site connected to this one via an IPsec VPN tunnel. Thin clients and computers at that site can RDP into this server and pass traffic to/from it with no problem at all over the tunnel.

# Jul 21, 2014 21:59

Disable IPv6 via reg key. I don't think it'll actually work, but I've seen the Windows 10 implementation of IPv6 do some really weird things.

# Nov 29, 2022 06:52

My initial thought would be memory, depending on what's running on the host (security software, etc.). Drop the guest memory a bit and see if the problem changes at all? Also, is your vSwitch configured properly?

# Dec 19, 2022 07:11

Please make sure to update us as well, this poo poo is fascinating. I'll throw my lot in with disk after memory given new information. I've never seen disk r/w times cause a problem like that, but I can totally see it with the hardware involved.

# Dec 22, 2022 07:40

> sporkstand posted: I'm looking for a way for an Azure AD joined machine to ONLY allow logins from local accounts. This is for a machine that some of our computerless users will use to login and do their mandatory trainings. I'd like to have them log in using a local 'Training' account, then once logged in, launch a browser and log into the training system using their personal credentials. These are older machines (with no budget to purchase anything new) so I'd prefer to not have a bunch of user profiles taking up space on the machine if possible.

I did this by using an unlicensed shared Azure AD account named "training". You can trim the Users, Guests, and Backup Operators groups to only include that account. Kiosk mode as mentioned above is the right answer though.

# Mar 27, 2023 05:04

I've got a weird situation and I need someone to point me in a direction for further research. I currently have a user base in 365 and Azure. Some of these users are also members of legacy domains, some synced from on-prem and some entirely separate. These legacy domains have file servers and such that need to stick around. I also have an Azure AD DS environment with some servers and many laptops joined to it. This actually works fairly well, except I have to traditionally domain join the laptops to the AADDS. What I would like to end up with is:

- scrap all legacy domains
- all workstations company-wide on Azure AD
- file servers joined to something that lets users automatically authenticate to them on their Azure AD workstations

Not sure if AADDS-joined servers can work that way - the Azure object and AD user are the same identity, but I'm not finding much documentation on it. This has to be a solved problem, but I'm not sure where to go next.

# Apr 13, 2023 21:20

> Thanks Ants posted: You can get part of the way there - you can have all the workstations AAD-only, and just run a legacy AD for servers. You need to create the users in AD and have them sync to Azure (use Azure AD Connect Cloud Sync) but with an AAD Premium P1 license or any bundle that includes that like EM+S, M365 Business Premium etc. you get password writeback so nobody will ever need to interact with AD.

So AADDS is basically that in reverse - it's a traditional AD synced from Azure, rather than the other way around. You create users in Azure, they become objects that can be addressed in AD. Everyone has Security E3 licenses, so two of the legacy domains sort of work like this now, but I'd like to avoid converting my entire infra if I can.

# Apr 13, 2023 21:32

> Thanks Ants posted: AADDS is poo poo, I would avoid it if at all possible. You're better off putting VMs into Azure and then buying three-year commitments for them.

I'm stuck with it for the moment, I made a poor decision in 2019. Did further research, I'm basically boned if I want to use Azure AD, looks like. Right now I've got two file servers joined to AADDS (works fine, the users who access them are on AADDS domain joined laptops), one file server on a legacy domain with user laptops on the same, no AD sync, and two user groups on legacy domains with a NetApp file server (Azure based, on-prem caching servers). It's starting to look like my best bet may just be to convert the one domain that only exists for its file server to AD sync or the AADDS and leave the rest of the mess alone. Putting all of the servers in Azure, outside of the NetApp ones, is a no go due to needing to have a short distance to the files. Lots of huge cross linked engineering files that don't play well being accessed over a non-local network.

Silly Newbie fucked around with this message at 21:44 on Apr 13, 2023

# Apr 13, 2023 21:42

> bobua posted: Are you me? I keep asking Google these same questions every few months and sorta head down different roads because it always seems like there's an answer, but it tends to all fall apart the second your infrastructure is anything more than shared MS Office documents, or aren't willing to scrap 100k in hardware and pay 300k a year in cloud compute.

At least working in an M&A environment isn't boring and we get to keep learning new things. I'm starting to understand why all of my counterparts seem to have these sloppy looking siloed environments though.

# Apr 13, 2023 22:19

> Thanks Ants posted: Sorry when I said VMs into Azure I meant your domain controllers, as an AADDS alternative. At least then you can have a pair of DCs in each region you operate out of, and stuff works with it.

That's a good call, I have DCs in Azure already for my legacy domains. I'm just hoping for an option that isn't "make a new domain, create all the people from Azure/365 in it, sync back and hope nothing breaks". I think that's going to be a problem for 2024.

# Apr 13, 2023 22:41

To piggyback on that, my understanding is that the company needs to own a CAL for any user who accesses a particular server, but the CAL isn't bound to that server. For example, I have 100 users and 10 servers. Each of those servers is only accessed by 10 individual users, and no user accesses multiple servers. I need 10 user CALs. Is that correct?

# Apr 19, 2023 06:30

> The Fool posted: If it mattered MS would put technical controls on it.

This is oddly reassuring.

# Apr 19, 2023 23:12

> Thanks Ants posted: Microsoft 365 F3 licenses might be better suited to the type of employee

I've got Security and Compliance E3 + Office 365 E1, E3, and E5 rolled out to all my users. By my reading, I could swap all of my field techs to just Microsoft 365 F3 rather than Security E3 + Office E1 and the only downside is a smaller mailbox, is that right? I just need them to get company wide emails, maybe send vacation requests to their supervisors, and have MAM-WE licensing for personal phones.

# Jun 5, 2023 06:41

> Cyks posted: I’m in the same boat and that’s my understanding. I’m about to swap a few maintenance techs over today.

Update: talked to my CSP, we're right. Also https://m365maps.com is great.

# Jun 6, 2023 00:12

I'm exploring lifting and shifting a legacy file server to Azure vs replacing the on-prem hardware. The last time I did this was many years ago, when you would just spin up a Windows VM and have the same file server but virtual. What's my best bet these days, Azure Files or something else? Maybe 10-15TB of data, lots of individual files accessed but not a lot of data movement, it's all pictures and spreadsheets.

# Aug 24, 2023 05:28

> sporkstand posted: I recently started a new job and I've been asked to get us set up with an Azure subscription so we can create VMs and do some WUfB reporting.

Call your CDW person and they'll hook you up.

# Aug 24, 2023 05:29

> The Fool posted: Don't do it

We've got another business unit using Azure hosted NetApp and it works fine, may explore going that direction.

> Crosby B. Alfred posted: Is it just something hosting a shared drive? If it's just pictures and spreadsheets just throw it in a SharePoint Library.

Too much institutional culture inertia to make the cut in the time I need. Warranty on the server expires in a couple months, so I need to do some kind of conversion fast, and fast isn't a language these people speak with regard to how they access their data. It's a fight I could win, but it isn't worth it. Also on the table is just giving Dell like $14k for a new physical server that isn't obsolete garbage, which I haven't totally rejected, it's on my budget for the year.

# Aug 24, 2023 08:32

> Crosby B. Alfred posted: As far as I remember - Azure Files or using Azure Storage as a file share is meant for applications, not necessarily users. It's not going to be that user friendly, you might not have permission control or ability to back up data as much as you'd like.

Thank you for that, it's the kind of hard to find knowledge that will prevent me from totally loving up. Anyone have recommendations on moving a file server from on-prem to Azure, or is it really just the same file server but on someone else's hardware? No DFS or other distribution requirements or anything, I just don't want to have on-prem hardware if I can help it and budgetarily justify it.

# Aug 25, 2023 05:32

Weirdly complicated situation and ask. I've got three on-prem domains in play, and one cloud side. I'd like to make a conditional access policy so that only computers joined to one of these domains can become registered devices in Azure (and thus have Outlook and OneDrive sync to them). Full Azure AD is out for the moment, but I can also control access via requiring an installed app if that's a possibility. Can it be done via standard conditional access policy, do I need to dig into Intune, is it impossible, or other answer? I tried googling for this but the results are a mishmash spread over the last ten years of MS changing how poo poo works.

# Oct 19, 2023 06:12

> Thanks Ants posted: Do you mean registered? If they are devices you manage (which they are since they are domain joined) then would approaching this by having one domain Azure AD join through GPO, and set the other two domains to prevent people doing an Azure AD join?

Essentially I'm looking to prevent devices that don't belong to a domain I control from being registered to a user in Azure. Or, from another angle, stop people from configuring Outlook and OneDrive on their home computers or random customer VMs.

# Oct 20, 2023 02:44

> Potato Salad posted: I'm rereading this and I think what you want is to be able to restrict OneDrive and Outlook access to corporate devices. That means you're looking for Joined-only conditional access rules (not registered). I'd even argue you want Intune-only rules if your business is this thoughtful about data access, so that you can enforce things like BitLocker as well.

This is correct, but no devices are Azure AD joined. I'm welding four companies together, getting everything off their different on-prem domains and into Azure AD is a 2024 task. That's why I was hoping to be able to do something with a CA like "allow Outlook if a member of contoso.com or example.local".

# Oct 20, 2023 21:15

> Thanks Ants posted: It might be worth looking at Cloud Sync which can sync multiple unconnected ADs into AAD and using that to sync the devices, and then seeing if conditional access works. I'd try and avoid AAD Hybrid but it could work alright for this application if your plans longer term were to ditch the domain join as hardware is refreshed.

That's basically the long term plan. Build some back end, then determine a cut date where every new device goes out Azure AD joined and we explain to people how to temporarily authenticate to some legacy domain stuff until it's all converted.

# Oct 23, 2023 03:27

I'm gearing up for a 2024 project to convert my org to Entra joined and Intune instead of legacy domains, and I've hit a stumbling block. I want to know if what I want is even possible before I chase my tail on it. I'm administratively setting the local Administrators group using an Account Protection policy in Endpoint Security in Intune. I would like the local admins group to consist of one local account controlled by LAPS and also the members of a group in Azure AD. I tried doing a manual policy to include the custom local account that I want and the SID of the Azure AD group, and also just calling out Azure AD users by domain\username, but I'm not having much luck. Is what I'm looking for possible?

Edit - I figured this out, had to use a security policy to modify the name of the built-in admin account used with LAPS.

Silly Newbie fucked around with this message at 00:14 on Nov 16, 2023

# Nov 15, 2023 20:49

> incoherent posted: You can't get rid of DNS, you'll regret this!!!!

We're using AADDS. Azure spins up a couple DCs that mirror your Entra footprint, you tell Intune to make that their default DNS domain, and you're good for internal DNS.

# Dec 17, 2023 06:41

There's also a way to Autopilot join during the OOBE and then bail, leaving it intact without resetting. The Autopilot join just registers the device and SN in your Intune environment, so when the OOBE checks in with an Internet connection you get a customized experience that does a bunch of neat stuff. Shift+F10 to open a command line and do stuff during OOBE.

# Jan 12, 2024 06:39

What kind of bloatware are you all seeing from Dell? Ours come with Command Update, which isn't bad, and Office, that's it. We also have a CTG agreement so that might put us in a different sales and delivery department. I give them under $500k/yr, but my sales team and support is pretty great.

# Jan 15, 2024 04:56

Oh yeah, our poo poo quit coming with Optimizer thank God. Took me like a loving week the first time to figure out why my tester laptop kept locking after 5 seconds (when I was out of frame for the webcam).

# Jan 16, 2024 06:17

I've got an issue that's starting to drive me crazy. I have a tenant where I allow sharing from OneDrive to "Anyone". SharePoint sites are internal only, but OneDrive can go out for vendor and customer collaboration etc. It's in my sharing policies for OneDrive in the SharePoint admin center and there are no more restrictive policies in play. I've got a small subset of users who can't share anonymous links. Their OneDrive manage sharing setting in the admin center is set to allow this. Anyone seen that before?

# Mar 18, 2024 22:12

> tehinternet posted: I’d check your SharePoint sharing settings in the SharePoint admin center. OneDrive permissions can be more restrictive but not less restrictive than SharePoint’s. Meaning if something is restricted in SharePoint, it’s restricted in OneDrive as well.

Thanks, I'll re-check that. It's driving me insane that it's only happening to like 5% of my userbase at random.

# Mar 22, 2024 22:14

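As an added example for the OneDrive sharing problem above (not code from the thread): this SharePoint Online Management Shell script lists every OneDrive site whose own SharingCapability is tighter than the tenant-wide OneDrive setting, which is one way a random-looking subset of users ends up unable to create "Anyone" links. The admin URL is a placeholder; it assumes the module is installed and you hold SharePoint admin rights.

```powershell
# Added example, not from the thread. Audits OneDrive sites whose per-site
# SharingCapability is more restrictive than the tenant-wide OneDrive setting,
# since a site can be tightened below the tenant level but never loosened above it.
# Assumes the SharePoint Online Management Shell module and SharePoint admin rights.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder tenant

# SharingCapability values, least to most permissive.
$rank = @{
    'Disabled'                        = 0
    'ExistingExternalUserSharingOnly' = 1
    'ExternalUserSharingOnly'         = 2
    'ExternalUserAndGuestSharing'     = 3   # "Anyone" links allowed
}

$tenantOneDrive = [string](Get-SPOTenant).OneDriveSharingCapability
Write-Host "Tenant OneDrive sharing level: $tenantOneDrive"

# Personal (OneDrive) sites; -Detailed is needed to populate SharingCapability.
$oneDrives = Get-SPOSite -IncludePersonalSite $true -Limit All `
    -Filter "Url -like '-my.sharepoint.com/personal/'"

$findings = foreach ($site in $oneDrives) {
    $detail  = Get-SPOSite -Identity $site.Url -Detailed
    $siteCap = [string]$detail.SharingCapability
    if (-not $rank.ContainsKey($siteCap)) { continue }   # unknown value, skip
    if ($rank[$siteCap] -lt $rank[$tenantOneDrive]) {
        [pscustomobject]@{
            Owner  = $detail.Owner
            Url    = $detail.Url
            Site   = $siteCap
            Tenant = $tenantOneDrive
        }
    }
}

$findings | Format-Table -AutoSize

# To bring one site back up to the tenant level (run deliberately, per user):
# Set-SPOSite -Identity $findings[0].Url -SharingCapability $tenantOneDrive
```

If the tenant-level OneDrive value reported on the first line is itself below ExternalUserAndGuestSharing, the per-site check is moot and Set-SPOTenant -OneDriveSharingCapability (and the SharePoint-level SharingCapability that caps it) is where to look instead.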
Thanks Ants is right and this is exactly what Entra Domain Services/AADDS was made for. Basically it spins up two domain controllers in your Azure environment that you can't log into directly. Point your VMs' DNS at them and join them to contoso.com or whatever your Azure/Entra custom domain is. Your Entra accounts will sign in as domain\user just like in a traditional AD. No MFA. Install the DNS and ADUC modules on a server and point them at the virtual DCs to manage DNS, group policy, accounts, etc.

Edit - I did find a way to regular Entra join Windows VMs to sign in with regular Entra credentials, but it's a pain in the rear end, not worth it, and won't work for any other shared resources on the VM like file shares etc.

# Mar 26, 2024 07:09

> Alterian posted: Please let me know if there is a better thread to ask this in. I am guessing the answer is already "no" based on all of my googling looking for solutions.

You can drop Planner directly into Loop workspaces, it's slick. Doesn't look like there's any time tracking available as yet though.

# Apr 27, 2024 05:45