Wicaeed
Feb 8, 2005
Noob WDS Question:

Do you have to use Enterprise Win 7 licensing with WDS? Employer keeps buying OEM Dell laptops that have Windows pre-installed. Currently I am forced to install a pre-configured image I've built that contains their custom apps and some other settings. The problem right now is that it is fairly hardware dependent. Currently if the partition on the machine that needs imaging doesn't match what the imaged machine had, the imaging process fails. I really want to learn WDS/WAIK but I can't seem to find an answer to the licensing question...

Wicaeed
Feb 8, 2005
So what do people use for server configuration documentation? Right now my current company just throws poo poo into Google Docs, which is an admittedly lovely way to do things.

I'm looking for something that we can use to keep track of configurations/documents/software installed on the machines/etc.

Wicaeed
Feb 8, 2005
For those of you in the know for WDS & Windows 7, is it possible to have a sysprepped Win 7 image prompt the user for a CD key the first time it is deployed/run (for use with an OEM key) as opposed to specifying a KMS/MAK key at image build time?

Wicaeed fucked around with this message at 17:08 on Oct 27, 2011

Wicaeed
Feb 8, 2005

IT Guy posted:

We just got our first Windows 2008 R2 server. All of our other servers are still 2003 R2. I noticed the integrated Windows Backup doesn't seem to suck as much as the 2003 version does. Currently we use Symantec Backup Exec on the 2003 servers. What do you guys recommend for the 2008 server? Is Windows Backup viable now or should I still be using Backup Exec?

Haha, you haven't even tried Server 2008 R2 backup, have you :)

It has some STUPID limitations such as:

Requiring a dedicated disk/partition to save incremental backups to (i.e. can't save to a network drive)
Can't save a backup to the same disk you are backing up (makes sense at first blush, but sucks when combined with the above feature; in short you NEED a second hard drive to do incremental backups.)
Cannot save incremental/non-full disk backups to network shares.

A lack of such basic features kills it for me. My boss had to write a script on our Confluence server to run an incremental backup separately for each drive, rename the WindowsImageBackup folder to something else, and then copy it to a network share, since you can't save incremental backups to a network location directly.

Have fun if you only have a single disk :) You CAN work around this problem by creating a new VHD for backups and mounting it from a network share, but that's pretty ghetto.

Wicaeed
Feb 8, 2005

IT Guy posted:

The only limitation that has affected us so far is no SMTP notifications. Apparently you need some elaborate VB script to do the notifications for you.

Wait, how do you do this?

Everything I found said that this isn't possible :o

Wicaeed
Feb 8, 2005

Italy's Chicken posted:

Is there any way I can get Windows 7's "Previous Versions" of files to make a copy of whatever the user touches on a network share, but then store it on the user's local machine? I know it's not a proper backup solution, but my outfit has a huge server drive space problem that's going to last a while and I need a quick and cheap solution.

No, there is no way to do this. It would completely defeat the point of having a Previous Version of a network file if only one person could access it.

Wicaeed
Feb 8, 2005

incoherent posted:

The reporting function is a life saver and really gives you a heads up on who's backing up their iTunes to their network drive. (Which is not allowed in our organization to begin with)

Isn't that what File Screens are for in the first place? Prevent users from saving .wav .mp3 .flac .mp4 files, voila!

Wicaeed
Feb 8, 2005
So what is going to be the best way for me to remove 3 network printers from about 30-40 user accounts?

We are in the process of commissioning a new print server, and are rolling out the new printers via Desktop Authority. We want to make it so that any old printers hosted on our old print server are removed from the users computers, but I haven't found any way to do this in Desktop Authority (yet).

Suggestions?

Wicaeed
Feb 8, 2005
How do you guys handle the annoying fact that Java and Adobe both enable automatic updates by default for all users? None of our standard users roll with admin privileges :swoon: , but I understand it can be pretty annoying getting the Java/Adobe Reader update check every time you login.

I haven't done much research on the topic (yet), but I imagine that there is some AD GPO/Registry setting I can change for everyone to disable these notifications?

Wicaeed
Feb 8, 2005

IT Guy posted:

For those of you with Dell servers, does anyone use the new OpenManage Essentials (formerly OpenManage IT Assistant) to manage their server hardware?

We have OpenManage Server Administrator installed on every server but nothing to connect them for alerts and poo poo. It's basically just installed to watch the hardware status. Unfortunately, it seems to be the only way to monitor a RAID status because I can't see any other way to do it.

I've been tooling around with it in our office environment, and it's quite nice to finally get some sort of insight into our hardware status. It's by no means a 100% perfect product, but it's worlds better than having to manage 50+ OMSA installations separately.

Wicaeed
Feb 8, 2005
Jesus Christ Microsoft, is it really so hard to find documents related to log retention and other best practices in a HIPAA environment? :negative:

Even your stupid Security Compliance Management tool doesn't shed any loving light on this...

Wicaeed
Feb 8, 2005
Has anyone set up Dell DRAC 5/6 to use AD authentication?

I'm going through the Dell docs right now on how to configure it, and am not finding dick-all about troubleshooting, aside from the usual "Make sure you typed the ROOT domain name correctly" stuff.

These Dell docs don't even explain if I need to set up the Administrator level group mappings using the FQDNs or not...

Wicaeed
Feb 8, 2005

incoherent posted:

Yeah, it's kind of loving wonky. There should be a test button to check if it can authenticate. Where does it fail at?

The part that allows me to log in :v: It just errors out with a generic username/password invalid error. It doesn't tell me anything else. I've tried every combination of domain/username, username@domain, etc etc I can think of to no avail.

I'm going to be asking our Sr. Sysadmin about it but damnit I really wanted to do this myself :saddowns:

Wicaeed
Feb 8, 2005
I'm actually curious, which of these products that we currently use could we replace with SCCM 2012, and would it even be worth it?

Symantec Endpoint Protection
Vmware Shavlik patch management
Scriptlogic Assetmanager
Desktop Authority Manager (with licenses for 215 devices) and possibly an additional ~50 servers
Symantec PGP
Symantec Web Security.Cloud

Wicaeed
Feb 8, 2005

skipdogg posted:

System Center could replace the first 4 programs on your list. With some caveats though.

I'm familiar with Shavlik, I used to manage NetChk6.5 for our environment. SCCM can replace that with WSUS and SCCM but it doesn't do the 3rd party patches like Adobe and stuff.

It would completely replace Assetmanager for sure. The Asset and Intelligence in SCCM 2012 is insanely powerful. Want to know what computers have a Texas Instruments 1394 card in them? No problem. Software Metering and inventory is nice as well. I only briefly looked at the product page for Assetmanager but I would bet SCCM does everything it does.

SCCM has an endpoint protection component, but you might find it lacking in certain features depending on what you have Symantec do.

Desktop Authority is going to be the main issue. You can probably get 80% of the functionality of it (from what I've read about online, never used it) from SCCM. The User Environment Config component of DA doesn't really have a counterpart in SCCM, most of that stuff can be handled via Group Policy though.

Depending on your licensing costs, it could very well be worth it. Not sure what your Microsoft licensing is like, but if you're on any kind of plan with them you could get some pretty aggressive pricing from them. We had a big Enterprise Agreement with them already and were paying for Core and Enterprise CALs for SCCM, so all we had to do was pay for a server license.

I have no idea what the CAL pricing is like but you would be moving 4 systems to 1, and more than likely saving a bunch of money in the process.

It's a bitch to roll out though, so there's a big time/project planning component to it. I just started using SCCM 2012 less than a month ago and let me tell you I'm in loving love.

Thanks for the clarification. I'm not really clued into the licensing/management costs of those systems, so I'm not really sure how much we pay for them.

Which features is Microsoft's AV program lacking in compared to Symantec?

Honestly I would rather be doing all of our group logon stuff through GPO rather than with DA. There are some nasty as poo poo caveats when doing registry changes with the Scriptlogic software that WILL bite you in the rear end unless you've read all the tiny fine print in their documentation. Making REG_MULTI_SZ changes? Better be sure as gently caress you're writing your reg key like 'entry1|entry2|entry3' instead of separating them with a space!...and stuff like that.

The one big thing we would be losing would be the remote desktop agent that DA uses, which I will admit is fairly handy.

Wicaeed
Feb 8, 2005
While not technically "software", has anyone seen or heard of a script that can take a list of Dell service tags and grab a list of installed components such as CPU, memory, HDD, etc. from the Dell Support website?

Wicaeed
Feb 8, 2005
Quick question:

Our company is looking to deploy a bunch of servers in Europe. We already have a team over there that operates semi-independently from our company.

These servers need to talk to our production domain, and in some cases use the same user that auto-logs on to production servers.

Would we be better off just making a new AD site for our new EU datacenter and then installing some RODCs there, and hosting the various roles (DHCP/DNS) on those RODCs, or should we create a new child domain in this case?

I realize it's a really open-ended question, but any help is appreciated.

Wicaeed
Feb 8, 2005
I am in the process of configuring a Windows Server 2008 R2 failover cluster that will be hosting MSSQL when we get it running. I also just built a tools server that I am going to be using to manage the failover node, however it appears that you cannot manage a 2008 Failover Cluster from a Windows Server 2012 box. Does anyone know of a workaround for this?

Wicaeed
Feb 8, 2005
Our company has an upcoming project to build a new Failover cluster for a billing environment (first time I'm touching clustering), and I am entertaining the option of using Windows Server 2012.

For those that run Windows clusters & SQL clusters, if you had to, would you choose to make a new Windows Server 2008 R2 Failover cluster for MSSQL 2008 R2, or go with a Windows Server 2012 Failover cluster running MSSQL 2008 R2?

How is Windows Server 2012 as a platform for Failover Clustering right now?

Wicaeed
Feb 8, 2005

incoherent posted:

Is your current SQL data on a SAN or locally on the server?

Also, does anyone have any info on how you're supposed to deploy 8.1 to domain users?

It will be on a SAN when we rebuild it. We are currently doing a HW refresh for this project.

Wicaeed
Feb 8, 2005
Are there any Microsoft official documents on the best way to go from a Windows 2003 domain level (running std ADDS roles + DHCP server) all the way to a Server 2012 domain?

Wicaeed
Feb 8, 2005
Has anyone had issues on Windows Server 2012 where, when configuring a new SQL Cluster, at the Service Accounts configuration page, after you specify an account name for the SQL Server Agent and SQL Server Database Engine, the installer completely freezes for 2-3 minutes while it does something?

I know it's kind of a stretch but right now this is pissing me off to no end as it's failing to find any of my service accounts, which results in a 2-3 minute wait every time I type a username :negative:

Wicaeed
Feb 8, 2005
For those in the know:

I've finished building up two 2012 Domain Controllers to replace two aging Server 2003 domain controllers. They've been running for about a week now, however client machines (mostly server OS) on the domain are showing their %logonserver% as one of the two old domain controllers.

When I demote the older domain controllers, what happens when the client machines check the %logonserver% that is no longer available?

Does it gracefully go and check for another logonserver?

Wicaeed
Feb 8, 2005
I can't really find it anywhere, but what is the period that a client will keep a domain controller's record in the %logonserver% value before it attempts to verify or locate a valid record?

Wicaeed fucked around with this message at 22:15 on Oct 22, 2013

Wicaeed
Feb 8, 2005

Caged posted:

I should have looked into this more when I decommissioned a 2008 DC (SBS2008) in favour of a 2008 R2 one, but my memory is a bit hazy of the situation. If I remember correctly I demoted the old DC (after bringing the new one up and checking DNS replication, transferring FSMO roles etc). When the old DC had disappeared the next logon that happened on the client had %logonserver% set to the new one.

Good to know.

Last domain controller question of the day, I swear.

I've set my two new DCs to use an upstream NTP server in my own network, which in turn synchronizes to a source such as time-a.nist.gov

Of the two DCs, the clock time is about 2 minutes off. The PDC shows the following when I run w32tm /monitor /computer:upstreamntpserver:
code:

ntp.contoso.com[x.x.x.x:123]:
    ICMP: 0ms delay
    NTP: +105.8828859s offset from local clock
        RefID: time-a.nist.gov [129.6.15.28]
        Stratum: 2
The secondary DC shows the following:

code:

ntp.contoso.com[x.x.x.x:123]:
    ICMP: 0ms delay
    NTP: +0.2406445s offset from local clock
        RefID: time-a.nist.gov [129.6.15.28]
        Stratum: 2
No matter how many times I run the w32tm /resync command, with any options, or change the NTP server to point to the secondary DC, or restart the Windows Time service, or the machine itself, the local time of the PDC does not change.

What manner of voodoo magic do I need to use to get Windows to recognize that the goddamn time is too far off? I realize that for Kerberos purposes, 5 minutes clock skew is close enough, but for our own internal application usage, we need to be fairly accurate with our time setting across 3-400 servers.

Wicaeed
Feb 8, 2005

Caged posted:

Are these machines virtualised? Have you made sure to turn off time synchronisation between the VM host and the guests?

No, these are both physical machines

Wicaeed
Feb 8, 2005
I actually read what is probably that same article, performed those steps, and now the PDC is functioning perfectly.

Now to replicate those steps on the rest of the DCs I need to.

Wicaeed
Feb 8, 2005

skipdogg posted:

Yup, that should work. A post I found mentions adding a W32tm /resync /rediscover before restarting the service, but it should be fine.

Another thing I quickly discovered:

The registry contents shown by 'w32tm /dumpreg /subkey:parameters' do not actively reflect the configuration.

To actually get the real configuration you need to run 'w32tm /query /configuration'

I believe if values are set to 'Policy', those are GPO enforced settings.
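An added example (not the thread's own commands) that ties the two points above together: one w32tm /monitor call against the upstream server and each DC, converting the local-clock offsets into each DC's offset from the upstream, then w32tm /query /configuration per DC to surface the values tagged (Policy). The names ntp.contoso.com, DC01 and DC02 and the 1 s tolerance are assumptions.

```powershell
# Added example, not the thread's own commands. All /monitor offsets are
# relative to the clock of the machine running this, so subtracting the
# upstream's offset gives each DC's true distance from the reference.
# Assumed names: ntp.contoso.com, DC01, DC02; assumed tolerance: 1 second.
$Upstream   = 'ntp.contoso.com'
$Dcs        = @('DC01', 'DC02')
$ToleranceS = 1.0   # internal application tolerance; Kerberos alone allows 5 min

function Get-W32tmOffsets {
    param([string[]]$Computers)
    # /monitor prints "name[ip:123]:" then an indented NTP line, either
    # "NTP: +105.8828859s offset from local clock" or "NTP: error ...".
    # Results are keyed by the name exactly as /monitor prints it.
    $list    = $Computers -join ','
    $lines   = w32tm /monitor /computers:$list
    $result  = @{}
    $current = $null
    foreach ($line in $lines) {
        if ($line -match '^(\S+?)\[') {
            $current = $Matches[1]
        } elseif ($current -and $line -match 'NTP:\s+([+-]\d+\.\d+)s offset') {
            $result[$current] = [double]$Matches[1]
        } elseif ($current -and $line -match 'NTP:\s+error') {
            $result[$current] = $null   # unreachable or refused
        }
    }
    return $result
}

function Get-PolicyEnforcedTimeSettings {
    param([string]$Computer)
    # The registry dump (w32tm /dumpreg) can lag; the service's live view
    # tags every value with (Local) or (Policy), the latter set by GPO.
    w32tm /query /computer:$Computer /configuration |
        Where-Object { $_ -match '\(Policy\)' } |
        ForEach-Object { $_.Trim() }
}

$offsets = Get-W32tmOffsets -Computers (@($Upstream) + $Dcs)
if ($null -eq $offsets[$Upstream]) { throw "Upstream $Upstream did not answer NTP" }

foreach ($dc in $Dcs) {
    if ($null -eq $offsets[$dc]) { Write-Warning "$dc did not answer NTP"; continue }
    # Both numbers are offsets from this host's clock; their difference is
    # how far the DC sits from the upstream reference.
    $delta = $offsets[$dc] - $offsets[$Upstream]
    $state = if ([math]::Abs($delta) -gt $ToleranceS) { 'OUT OF TOLERANCE' } else { 'ok' }
    '{0,-12} {1,12:N3}s from {2}  {3}' -f $dc, $delta, $Upstream, $state
    Get-PolicyEnforcedTimeSettings -Computer $dc | ForEach-Object { "    GPO: $_" }
}
```

A DC that shows a large delta here but a tiny one in its own /monitor output is the symptom in the post above: it is reporting the upstream's distance from its own wrong clock.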

Wicaeed
Feb 8, 2005
Alright those in the know, help me deal with some somewhat political bullshit that's going on in my workplace:

Long story short: Our company has been the victim of some rather large security breaches in the recent past. This was caused by a myriad of factors, including over-privileged accounts, sloppy firewall rules and no auditing.

We have an overzealous IT Manager who somehow got put in charge of everything security related after said breaches. He is under the impression that the best way to deal with security between different data center sites (both Linux and Windows servers running in each, with authentication to AD) is to create a different domain with a different set of credentials for each physical site. Because he can't 100% know that the network is secure between each site, he reasons that this is the only way to prevent users from crossing network boundaries and affecting another data center.

Currently we have servers in 4 different data centers, and with his approach he would need to create 7 (!!!!!) different domains for our data centers.

His main (and somewhat valid, I grudgingly admit) point of concern is overly privileged (Domain Admin) accounts accessing servers (domain controllers) in other physical sites, i.e. if a domain admin account becomes compromised, all of your Domain Controllers are compromised across all of your sites. My suggestion to this is to simply control who has access to Domain Administrators (and audit that poo poo regularly), which he does not think is a valid approach. Another suggestion was to create a site-specific domain administrators role, but the same applies to that example as well (the users being assigned that role would probably have that role assigned for all of our sites, negating any effectiveness).

He doesn't really seem to understand that the administrative and hardware (best practice says redundant domain controllers for each domain) overhead for this approach is extremely large, almost bordering on unrealistic. And we have a relatively small enterprise network.

How do my fellow Sysadmins approach similar security concerns?

Wicaeed
Feb 8, 2005

FISHMANPET posted:

Slap your boss?

If you're concerned that traffic between sites isn't secure, then secure that. And enforce secure passwords and don't give everybody domain admin.

Hahah, it's not really that the sites aren't secure, it's that they want their own employees to be prevented from compromising multiple sites.

No. Really. It's been a problem on the mainland in the past.

Go on. Just guess where this company is based out of. They pay their employees jack poo poo and then act surprised when they steal from them.

Wicaeed
Feb 8, 2005
Alright, I loving hate RPC (probably because I don't really understand how it works).

We have an overzealous security guy that insists on us explicitly telling him what firewall rules we need when we talk across networks.

Is my understanding incorrect that even when you have a client talking back to a server (such as a domain controller) with RPC, you specifically need to tell your firewall to allow RPC to talk BACK to the client (basically initiate a connection) on the high numbered ports that RPC uses?
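For the DC protocols in question, the client opens both connections itself: first to the endpoint mapper on TCP 135, then to the dynamic port the mapper reports. What the firewall admin actually needs is that dynamic range and which services listen in it on the server. An added example (not from the thread) that reports both from the server side; it assumes an elevated prompt on Server 2012 R2 or later (for Get-NetTCPConnection) and English netsh output.

```powershell
# Added example, not from the thread. Reports the TCP dynamic port range
# this host hands out to RPC servers and which process/service owns every
# TCP listener, so firewall allow rules can be written from observed facts
# rather than guesses. Assumes an elevated prompt on Server 2012 R2 or
# later (Get-NetTCPConnection) and English netsh output.

function Get-DynamicTcpRange {
    # netsh prints "Start Port : 49152" and "Number of Ports : 16384"
    $out   = netsh int ipv4 show dynamicport tcp
    $start = [int]($out | Select-String 'Start Port\s*:\s*(\d+)').Matches[0].Groups[1].Value
    $count = [int]($out | Select-String 'Number of Ports\s*:\s*(\d+)').Matches[0].Groups[1].Value
    [pscustomobject]@{ Start = $start; End = $start + $count - 1 }
}

function Get-TcpListenerOwners {
    param([int]$MinPort = 135)   # 135 = RPC endpoint mapper
    $svcByPid = @{}
    # Map PIDs to service names so the many svchost instances are telling apart
    Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
        $p = [int]$_.ProcessId
        if (-not $svcByPid.ContainsKey($p)) { $svcByPid[$p] = @() }
        $svcByPid[$p] += $_.Name     # several services can share one svchost
    }
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalPort -ge $MinPort } |
        Sort-Object LocalPort -Unique |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port     = $_.LocalPort
                Process  = if ($proc) { $proc.ProcessName } else { '?' }
                Services = ($svcByPid[[int]$_.OwningProcess] -join ',')
            }
        }
}

$range = Get-DynamicTcpRange
"Dynamic TCP range handed to RPC servers: {0}-{1}" -f $range.Start, $range.End
Get-TcpListenerOwners | Format-Table -AutoSize
```

Run it on the DC and hand the firewall admin the range plus the table; the rule set is then "client to DC on 135 and on that range", with nothing in the reverse direction.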

Wicaeed
Feb 8, 2005
What's the general consensus on securing domain controller to domain controller traffic with IPSec?

I'm tired of having a constant back and forth with my Firewall guy about what ports are needed and which ones aren't. In my mind it would just be simpler to secure everything with IPSec and be done with it.

Wicaeed
Feb 8, 2005

Gyshall posted:

On the Firewall or router, make a policy to allow all of these goddamn ports between the two domain controller IP addresses. On most modern firewalls, you can do this for either the ports or "all/any" traffic. I usually do "all/any" over a site-to-site (Branch Office) VPN tunnel. If you want to restrict ports, read that article on how you'll have to change the replication port on your Domain Controllers (hint: don't do this.)

If the secondary domain controller is a branch office, consider a Read Only Domain Controller on Server Core, which also reduces vulnerability footprint.

Trust me, if the guy I'm dealing with was sane, this would have been done months ago :sigh:

Wicaeed
Feb 8, 2005
Looking at secpol.msc, I know that if a policy has a computer icon that means that that specific policy is being controlled by a GPO.

When you assign a user to the permission to log on as a service through a GPO, does it overwrite or add to the existing permissioned users that can hold that privilege?
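User Rights Assignment settings delivered by GPO replace the machine's local list rather than merging with it, so the safe habit is to record who holds the right before and after linking the policy. An added example (not from the thread) that exports the effective assignment with secedit, resolves every holder of SeServiceLogonRight, and diffs it against an expected list; the expected accounts are placeholders and an elevated prompt on the checked machine is assumed.

```powershell
# Added example, not code from the thread. Exports the effective user-rights
# assignment with secedit and resolves every holder of SeServiceLogonRight
# ("Log on as a service"), then diffs that against an expected list.
# Assumes an elevated prompt on the machine being checked; the expected
# accounts below are placeholders.
$Expected = @('NT SERVICE\ALL SERVICES', 'CONTOSO\svc-sql')

function Get-ServiceLogonRightHolders {
    # secedit writes a UTF-16 .inf; its [Privilege Rights] section has lines
    # like "SeServiceLogonRight = *S-1-5-80-0,CONTOSO\svc-sql" where a
    # leading "*" marks a raw SID rather than an account name.
    $inf = Join-Path $env:TEMP ("user-rights-{0}.inf" -f (Get-Random))
    try {
        secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit failed (exit $LASTEXITCODE)" }
        $line = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
        if (-not $line) { return @() }     # the right is assigned to nobody
        $entries = ($line -split '=', 2)[1].Trim() -split ','
        foreach ($e in $entries) {
            $e = $e.Trim()
            if ($e.StartsWith('*')) {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
                try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $e.Substring(1) }  # orphaned or untranslatable SID: keep it raw
            } else {
                $e
            }
        }
    } finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
}

$actual  = @(Get-ServiceLogonRightHolders)
$extra   = $actual   | Where-Object { $_ -notin $Expected }
$missing = $Expected | Where-Object { $_ -notin $actual }

"Current holders of SeServiceLogonRight:"
$actual | ForEach-Object { "  $_" }
if ($extra)   { "Not in expected list: " + ($extra -join ', ') }
if ($missing) { "Expected but absent:  " + ($missing -join ', ') }
```

Anything that shows up under "Expected but absent" after the GPO applies is a local grant the policy wiped out and that now has to be carried in the GPO itself.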

Wicaeed
Feb 8, 2005
Maybe PowerShell DSC as well?

Honestly I have 0 experience with it, but I've heard it's supposed to be quite neat.

Wicaeed
Feb 8, 2005
So after a few days of hitting my head against Windows Deployment Services, does anyone think they can explain to me the differences between the various points at which you can choose unattend options?

By this I mean the following:

Within WDS itself, there are various places in which you can choose an unattend file:

#1: Within the WDS server client architecture options for an unattend file
#2: Within the Install image option itself (The allow image to install in unattended mode option)
#3: And you can also choose to Sysprep and capture an image, to which you can then apply option #2 above during the image deployment

I'm having a hell of a time figuring out if any of these steps can overlap, or if you have to apply various options at each stage where you can specify an unattended option.

Wicaeed
Feb 8, 2005

incoherent posted:

Like 700 bones or some such?

Per server to use SCCM? Holy gently caress, I'm used to Microsoft gouging but :stare:

Wicaeed
Feb 8, 2005
With MDT 2013, is there any way to re-run portions of a deployment to see if fixes you have put in work correctly, without re-running the deployment from scratch?

Wicaeed
Feb 8, 2005
For the last part you can use something like Nessus, it supports scanning files for things like HIPAA or PCI info.

I think Dell offers some software tools that didn't seem so bad at my last job, but I'm drawing a blank on the name of the software suite right now.

edit: Quest software makes the tools in question, and they are owned by Dell

Wicaeed fucked around with this message at 04:55 on Apr 18, 2015

Wicaeed
Feb 8, 2005
IT Manager and my boss (Manager of Operations) have tasked me with assisting our IT dept with setting up an AD infra to replace an aging Apple OpenDirectory installation that serves both as a fileserver and authentication point for 4 or so sites. I guess being the only person at the company with AD experience has its drawbacks :(

We have a remote domain controller (sitename#-dc1) and a domain name (company.xyz) and multiple sites (sitename1, sitename2, sitename3).

Is it better to just put everything under the main domain naming structure (so domain controllers are named like sitename#-dc#.company.xyz), or actually separate everything out via the DNS structure (sitename#-dc#.sitename#.company.xyz), or not even worry about that and (as needed) create sub-domains in the AD DNS server to match those site names?
