Fruit Smoothies
Mar 28, 2004

The bat with a ZING
I'm a bit out of my depth with planning this. I need a truly redundant setup, and I have an almost unlimited budget. I basically need constant uptime of a domain and ~2TB of files housed in SMB shares.
In all my previous challenges, I've used 2+ DCs, and used DFS for the file sharing. In this case, however, I have an ancient application that uses a flat-file (CSV) "database" and basic file locking to handle its operation, and an accounting package that uses FoxPro databases. Both of these rule out DFS as it's not sensitive enough to low-level file operations.
My basic understanding of what I need is:

File Storage (SANs)
File Server Cluster
Failover Hyper-V pointing to VHDX on cluster.

Forgive my ignorance, and PLEASE help me understand the basic segments of this operation! Many thanks.


Fruit Smoothies
Mar 28, 2004

The bat with a ZING

thebigcow posted:

FYI the FoxPro thing and probably the CSV thing will choke and mysteriously corrupt themselves on SMB 2.

FoxPro is Opera II which is a massive accounting package, and seldom has problems, and the CSV file has been working for 6 years without too many problems. It's terrible, but surprisingly resilient!

Fruit Smoothies
Mar 28, 2004

The bat with a ZING

skipdogg posted:

We handle our really important replication at the block level on our EMC SANs with RecoverPoint. Not cheap but it works for what we need it to do.

What's your environment like? Multiple sites? Single large site? What are your recovery objectives?

The main concern I have with SANs is the sensitivity of the CSV files. In order for the program to work, we have to disable write-behind cache on the servers AND the client PCs! The program has thrown locking errors before, and I wonder if a SAN fabric will even work. The software doesn't even function on a Samba 4 share on Ubuntu.

The environment does have multiple sites, but it's departmental so the satellite offices have their own servers (on domain). They access the CSV app via Remote Desktop to avoid VPN latency in the CSV file writes.

Recovery isn't too bad, as the majority of the 2TB data is images of various items, and could probably be ignored for a week without too much complaining. The CSV app runs the business, however, and needs almost 24/7 uptime.

Fruit Smoothies
Mar 28, 2004

The bat with a ZING

skipdogg posted:

I can't imagine something that runs off a CSV file couldn't be ported to a SQL database. I know how critical some of these legacy apps can be though so I feel your pain.

What are you doing right now for backup?

There are actually times where I am paid to basically sit on site and do nothing (because uptime is so critical), and I've written a JS / RESTful alternative, which I am trying to sell.

Backup at the moment is PowerShell scripts running wbadmin to various folders on a NAS for disaster recovery. The CSV is all zipped and stuck on memory sticks periodically too; the AD is protected with DCs at the satellite sites.

thebigcow posted:

I'm sure you know what you're doing and you've thought about this already, but just in case, have you looked into moving to something that wasn't designed to run on a single Win9x machine?

They are definitely looking at alternatives, including mine. I am a contractor, so I have very little say in the product itself.

Fruit Smoothies
Mar 28, 2004

The bat with a ZING
I'm looking to create a high-availability setup involving physical and VM failover support. The business is small enough that it can only afford to buy 2-4 servers, but big enough that it needs HA. Their workloads aren't big, so performance isn't a huge issue.

I've been looking at stretched clusters, Storage Replica, and Hyper-V failovers in Server 2016 Datacenter, as well as StarWind Virtual SAN.
The business has two physical buildings linked with 10G fibre. For testing at least, I'm going to hook 2 physical machines at each end of the fibre and try and make it so either of them could fail, with nothing lost.

I want this to be my test setup.

code:
	[Physical Server 1]
		--[VM1]
		--[Storage VM 1 with a shared, replica'd storage pool]
	
	[Physical Server 2]
		--[VM2]
		--[Storage VM 2 with a shared, replica'd storage pool]
The idea here is that if physical server 1 goes down, then the VMs will be moved to physical server 2 and vice versa. And if VM 1 goes down, then VM 2 has a sort of nested failover for any service it can (AD, DNS, SMB etc). If Storage VM 1 goes down, then Storage VM 2 takes over for both physical machines, etc.

Is this crazy? Do I need StarWind? Am I approaching this totally wrongly? At what level does the storage replication happen? Do I need clusters within clusters: the physical cluster for VM failover, and the VM cluster for services and data? It's very new territory for me!
I've been reading this as inspiration and guidance, but I can't work out if the nodes are physical or virtual.
Any advice and guidance welcome.

Fruit Smoothies
Mar 28, 2004

The bat with a ZING
I have a CSV based on a three-way mirror using Storage Spaces Direct. These three physical servers also need to host HA Hyper-V guests. When configuring the hosts to point to the VHDX files, can I use C:\ClusterStorage\file.vhdx, or do I need to have a SoFS and reference them as \\cluster\share\file.vhdx?

I only ask because during a migration, one physical server went down (!!!) and the migration (on another server) failed when referencing C:\ClusterStorage. This strikes me as odd, as I would have predicted the three-way mirror meant that the migration should continue regardless of whether one node goes down?

Cheers

Fruit Smoothies
Mar 28, 2004

The bat with a ZING
Couple of questions

1) The school I work at has a lot of iPads and we're potentially moving to Intune for Education. Everything is done except the WiFi profile. The WiFi uses RADIUS, but I can't seem to see anywhere to enter static credentials on the portal. I've read some docs about SCEP and other certs but that sounds massively over-engineered. Before you ask whether I can just set up a separate WPA2 network because the login is static: the school filtering system uses RADIUS to authenticate and thus manage access.

2) A client has a mailbox mailbox@domain.com and alias@domain.com. They want these separated so they just set alias@domain.com on their phone. These are Office 365 accounts. My current thought is to make mailbox@domain.com a shared mailbox, and alias@domain.com their primary mailbox? Is that the right way to go about this?

Fruit Smoothies
Mar 28, 2004

The bat with a ZING

Beefstorm posted:

If you are using static credentials, and not a certificate, or user based credentials, then why use RADIUS at all? Just have a WPA2 key that is static on all of the iPads.

If you want to use RADIUS, and have static credentials programmed on all of the devices, you are using RADIUS wrong IMHO.

EDIT: Someone pointed out to me that you might not have a choice to use RADIUS. From what I remember, you can accomplish setting this key with Intune.

The RADIUS does use AD user-based credentials, because the majority of non-iPad devices using the WiFi will authenticate with their AD credentials. The iPads are for very young kids who just need filtered internet. We don't need to confuse them with shared iPads. We just want a way of setting the relevant AD username / password in Intune so they don't have to worry about it. Apple Server's Profile Manager allows for this very scenario.

Fruit Smoothies
Mar 28, 2004

The bat with a ZING

Beefstorm posted:

Ah. Then what you want is a Device Enrollment Manager.

This should get you started. https://docs.microsoft.com/en-us/intune/device-enrollment-manager-enroll

EDIT: Hmmmm. Maybe this isn't the solution you want.

That seems like a really important component to the whole thing...

Yeah that sounds a bit crazy.

Any ideas on using certificates? I've never set up RADIUS to be handled in that way, rather than AD credentials. It seems like Intune supports it in some way....

Fruit Smoothies
Mar 28, 2004

The bat with a ZING
One of my clients has had a GDPR request for all e-mails pertaining to a person. They're on Office 365. Is there a way to text search across mailboxes, or shall we tell staff to search their mailboxes individually?

Fruit Smoothies
Mar 28, 2004

The bat with a ZING
Running Azure AD Connect on our domain to sync users and use Single Sign-On. The user logs onto their domain account, and they can visit an Office application and not be prompted for their password.

We had a problem with Office / Outlook sign on, but that seems OK, as long as we use an older version of Office (newer ones don't automatically activate). We are using Shared Computer Licensing.

The issue is that newer versions of Office don't seem to want to activate, and OneDrive doesn't seamlessly sign on. I've been reading about hybrid setups, and I wonder if the clients need to be authenticated to the domain AND to Azure AD in the background before these processes fully work? Is this the case? I know on newer versions, OneDrive and Office bring up "Sign in for this app only", which suggests there's some kind of broader account stuff going on.

If it IS the case that I need to sign users on to Azure AD too, is there a guide to automate this process? It's a school and so it's very hot-desky.

Fruit Smoothies
Mar 28, 2004

The bat with a ZING

The Fool posted:

The users only need to sign in to AD.

There are a bunch of factors that can affect application SSO, including but not limited to: modern authentication, ADFS configuration (if used), DNS, AD properties, etc.

I would start here: https://docs.microsoft.com/en-us/office365/enterprise/hybrid-modern-auth-overview

Thanks. Modern Auth is enabled, and on the version of Office we're using, it activates and connects to Exchange no problem; i.e. SSO is configured correctly and so is Modern Auth in Exchange.

I've read the MS documentation a lot and can't seem to find why newer builds of Office fail to work, and OneDrive SSO doesn't work either.

Fruit Smoothies
Mar 28, 2004

The bat with a ZING
Have a client that needs guest WiFi on their system. I want to separate this onto a VLAN, but they want RADIUS authentication from the server. I have used VLANs before but not ones that can go one way. I have never done anything like this.

As for the tech, all the switches are UniFi, as are the access points, and the DC is 2012 R2. The router is a DrayTek 2860.

Because UniFi switches are only Layer 2, I can't do any Layer 3 stuff (not that I know how to anyway), which makes me think I need to route through the DrayTek. Is this the case? Will it be able to handle this?
I have a small budget so I could purchase more. They also have one 10G EdgeRouter which CAN handle Layer 3, but it's not the core switch at the moment.

Fruit Smoothies
Mar 28, 2004

The bat with a ZING

GreenNight posted:

So they want to set up an AD account for every guest that comes on site?

Perhaps guest was ambiguous wording. These are BYOD devices that aren't managed by IT. When I heard the theory of VLAN recommended this way I sorta scratched my head and read up about it, but apparently people DO indeed put some items on subnets.

EDIT: And they have a Smoothwall filtering product, so RADIUS is required to make sure the students aren't looking at bad things.

Fruit Smoothies
Mar 28, 2004

The bat with a ZING

Digital_Jesus posted:

In fact UniFi has a built in guest SSID feature you can enable with like two mouseclicks and it even firewalls off RFC1918 ranges for you. (The APs will handle the extra network for you without any switch side config required.)

I donno why you would want your guest network AD integrated, just change the password once every 2 weeks or something.

E: Oh, this is BYOD student poo poo. Why not set the web filter to restrict everything coming from the guest subnet without requiring user auth?

Because we want them to use the (filtered) internet. I suppose they could use the filter's webpage login, but RADIUS will be remembered on their device. I know it would piss me off as a student, having to enter my username and password often.

Fruit Smoothies
Mar 28, 2004

The bat with a ZING

Thanks Ants posted:

You don't need to use RADIUS to send guest users to their own VLAN - just map the guest SSID to whatever VLAN you want to use. Unless I am missing something it sounds like you're making this too complicated.

As I mentioned above, they aren't guest users. They are students who bring their own devices (laptops, tablets etc) and need the filtered internet. The Smoothwall filtering system needs authentication from the user. This can be passed via RADIUS or through HTTP authentication in the web browser. We can't have a conventional guest network as we need to track web activity for safeguarding etc etc.

Fruit Smoothies
Mar 28, 2004

The bat with a ZING

Thanks Ants posted:

Are you in the UK?

Yes we are

Fruit Smoothies
Mar 28, 2004

The bat with a ZING
I'm not sure if I've worded the situation well, so forgive me.

Students at the institution can have a managed (Intune) device or bring their own device, which we do not manage. However, because we don't manage them, we can't install a proxy cert for MITM, and thus want to isolate them on a network without SSL decryption but still with domain filtering to offer at least some protection. We need to track if these students try to access illicit sites, and thus they need to authenticate to the filtering system.

Intune-connected devices use RADIUS for WiFi, but I know a "BYOD" network is needed too. Same credentials, same principle, different subnet.

My issue is how to achieve this. I assume I create a wireless subnet, give it a VLAN, and on the DrayTek allow inter-LAN routing. The issue is whether this lockdown will achieve anything, as they'll need access to RADIUS.

Fruit Smoothies
Mar 28, 2004

The bat with a ZING
I have 2 old domain controllers that are still active servers. They've been demoted from domain controllers, but seemingly not 100%. I can't use the ntdsutil tool to connect to them, and I had to remove them in AD Sites. There are a lot of entries in DNS, but when I remove them, they refresh back in a few seconds. Any ideas?

Fruit Smoothies
Mar 28, 2004

The bat with a ZING

MF_James posted:

Are they still listed in DNS zones as name servers? You have to manually remove servers from sites and services and name servers list in DNS zones.

No, they're not listed as name servers.

Fruit Smoothies
Mar 28, 2004

The bat with a ZING
I am getting to grips with Intune. I migrated the iPad Airs across, but because they don't support shared user scenarios, I've only ever used MDM in a device-centric way. Intune seems way more user-centric.

For BYOD Windows devices, I'm confused as to how domain-joined devices will be affected, as scopes only affect users (I think). I don't want the same policies on BYOD devices as on devices onsite.

We have SSO with AD connect which has a habit of signing the device into the MDM by adding a work account.

Should I really be designing policies in a way that Intune is meant for both scenarios, or is there a way to achieve what I want?
If I should be using Intune for both, not everyone needs a license. On shared computers I don't know what will happen if some users sign in with / without an Intune license.

Any help is appreciated!

Fruit Smoothies
Mar 28, 2004

The bat with a ZING
I have a client with 5 or so laptops. They're all encrypted with BitLocker. Every few months, a Windows Update comes along and basically bricks the laptops (although not all at once); they BSOD with Inaccessible Boot Device. The only way I've found to fix them is to decrypt the laptop via the command prompt in recovery mode.

This is incredibly tedious, and it is very hard to do remotely as so many of the steps are outside of Windows. I either need to visit site, collect the laptop, or explain commands over the phone.

I can find very little on Google about this. Weirdly, I have other clients with encrypted devices who run without problem! It's truly bizarre. Has anyone got any thoughts on this?

This morning's headache is that we left BitLocker off on one device as part of testing. I got a call that the same problem had occurred, which shocked me as there was meant to be no encryption. Turns out, BitLocker has enabled itself again, but of course the recovery key wasn't saved! No way back into the device at all. gently caress BitLocker.

Fruit Smoothies
Mar 28, 2004

The bat with a ZING

Thanks Ants posted:

Are you getting UEFI updates pushed out via Windows Update? Or are you running an OEM-specific updater? BitLocker is meant to be suspended before firmware updates are done and then re-enabled afterwards to avoid this problem. Are you tracking UEFI versions anywhere that would correlate with issues coming about?

There are firmware updates being done, but not frequently enough to relate to this issue. I think something else is going on here, but I'm doing a trial with VeraCrypt to see if that makes a difference.


Fruit Smoothies
Mar 28, 2004

The bat with a ZING

Arishtat posted:

It sounds like Windows Update isn't able to gracefully suspend BitLocker, but is proceeding with the update which then pisses off the TPM's integrity check and results in the 'Inaccessible Boot Device' BSOD. There are a couple of ways to deal with this but how you go about it depends on the capabilities of the client's network infrastructure. For a small client your best bet would be to schedule Windows Updates and push a pre-update script which suspends BitLocker temporarily, runs the update(s), and then a post script which re-enables BitLocker.

When you say 'decrypt' are you going through a full decrypt cycle or just unlocking the volume, running chkdsk and then rebooting it? You should only have to do the latter to clear the BSOD error.

The devices need fully decrypting for this to happen. Interestingly, it's only my clients who run a mortgage pricing program that have this problem. Although it makes no sense to me that it would affect Windows Update, it seemingly is.

I am advising them to manually suspend BitLocker from Control Panel at the moment.

The client just uses SharePoint, so unless I can get them on Intune or similar, I don't have GPO or easy management for scripts and update scheduling. There might be a way to do this via local policy though, so I'll investigate.
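The pre-update / post-update approach Arishtat describes, written out as a PowerShell script. This is an added example, not something posted in the thread; the script name, log path and function names are my own assumptions, and it relies only on the built-in BitLocker module cmdlets (Get-BitLockerVolume, Suspend-BitLocker, Resume-BitLocker). It also refuses to suspend protection when no recovery password protector exists on the volume, since the "key wasn't saved" situation above is the failure mode that turns a BSOD into a lost machine.

```powershell
<#
  Added example (not from the thread): guard a Windows Update run by suspending
  BitLocker beforehand and re-enabling it afterwards, as Arishtat suggests.
  Assumes Windows 10/11 with the built-in BitLocker module and an elevated shell.
  Script name, log path and function names are assumptions of this example.
  Usage:  .\BitLockerUpdateGuard.ps1 -Phase Pre    (before installing updates)
          .\BitLockerUpdateGuard.ps1 -Phase Post   (after the post-update reboot)
#>
#Requires -RunAsAdministrator
param(
    [ValidateSet('Pre', 'Post')]
    [string]$Phase = 'Pre',
    [string]$MountPoint = $env:SystemDrive,   # usually "C:"
    [int]$RebootCount = 1                     # how many reboots protection may stay off
)

# Assumed log location; adjust to taste.
$LogPath = Join-Path $env:ProgramData 'BitLockerUpdateGuard.log'

function Write-GuardLog {
    param([string]$Message)
    $line = "{0:s} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

function Test-RecoveryPasswordPresent {
    # Suspending protection only helps if you can still get back in when the
    # TPM integrity check fails anyway, so insist on a recovery password protector.
    param([string]$Volume)
    $vol = Get-BitLockerVolume -MountPoint $Volume
    $rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    return [bool]$rp
}

function Invoke-PreUpdate {
    param([string]$Volume, [int]$Reboots)
    $vol = Get-BitLockerVolume -MountPoint $Volume
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-GuardLog "$Volume is not encrypted; nothing to suspend."
        return
    }
    if (-not (Test-RecoveryPasswordPresent -Volume $Volume)) {
        throw "No recovery password protector on $Volume. Record one (manage-bde -protectors -get $Volume) before touching protection."
    }
    if ($vol.ProtectionStatus -eq 'Off') {
        Write-GuardLog "Protection on $Volume is already suspended."
        return
    }
    # -RebootCount makes Windows re-arm protection by itself after N reboots,
    # so a forgotten Post phase cannot leave the disk unprotected indefinitely.
    Suspend-BitLocker -MountPoint $Volume -RebootCount $Reboots | Out-Null
    Write-GuardLog "Suspended BitLocker on $Volume for $Reboots reboot(s); install updates now."
}

function Invoke-PostUpdate {
    param([string]$Volume)
    $vol = Get-BitLockerVolume -MountPoint $Volume
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-GuardLog "$Volume is not encrypted; nothing to resume."
        return
    }
    if ($vol.ProtectionStatus -eq 'On') {
        Write-GuardLog "Protection on $Volume is already on."
        return
    }
    Resume-BitLocker -MountPoint $Volume | Out-Null
    # Re-read the volume rather than trusting the cmdlet's silence.
    $vol = Get-BitLockerVolume -MountPoint $Volume
    if ($vol.ProtectionStatus -ne 'On') {
        throw "Resume-BitLocker ran but protection on $Volume is still $($vol.ProtectionStatus)."
    }
    Write-GuardLog "BitLocker protection on $Volume is back on."
}

switch ($Phase) {
    'Pre'  { Invoke-PreUpdate  -Volume $MountPoint -Reboots $RebootCount }
    'Post' { Invoke-PostUpdate -Volume $MountPoint }
}
```

Without GPO, the two phases can be run by hand in an elevated prompt or wired to two local scheduled tasks (one before the maintenance window, one at startup after it). While protection is suspended the volume's key is stored in the clear on disk, so the window between Pre and Post should be as short as the update allows, and the -RebootCount default of 1 exists precisely so that Windows puts protection back on its own if the Post phase never runs.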
