|
Not sure if this is a thread for here, the VM thread, or some unknown third option but does anyone know what stopping a VM inside Azure does? I get that you can power off the machine and de-allocate resources, but does it initiate a graceful shutdown first? Or am I better off shutting down the VM from within the OS, and then stopping it? This has been surprisingly hard to google.
|
# ¿ Jul 14, 2018 16:29 |
|
I'm glad intune just came up. We just moved our first ever client to Azure AD and all the computers are demanding users enter a PIN. I do not want this. I read that you can go to windows enrollments and disable windows hello but the computers are ignoring this. Anyone know what I must do to... say goodbye to hello?
|
# ¿ Jul 27, 2018 22:22 |
|
This is what I did...and yet it still haunts me. Maybe I have no choice but to get support involved.
|
# ¿ Jul 28, 2018 18:06 |
|
JackDRipper posted: Do yourself the favor, the second you put in a ticket via the web and get called, tell them you want INTUNE support and to transfer. Or if you're an enterprise customer, don't waste time and just select the intune group and wait.

The Intune team hasn't been all that helpful. Apparently since I joined the computer to Azure AD with my admin account that doesn't have an Intune license it's just going to apply Hello to the computers anyway. For that matter, they tell me that I have to talk to another team to get Hello disabled for these computers because the damage is done. So far, really loving Azure AD
|
# ¿ Jul 30, 2018 22:58 |
|
Thanks Ants posted: The best way to avoid what you've done is to set up Azure AD so that people can't do an Azure AD Join unless they are in a group that also has an EM+S / Intune license.

Thanks, I honestly have no idea what Intune is. All I wanted was for users to log into Windows with their Office 365 credentials. I had no idea I would be greeted at every workstation with the requirement of entering a PIN. I'll keep that in mind for the future though. For now I'm just going to have to hit local group policy on each machine since that seems to be the fix.
|
# ¿ Jul 30, 2018 23:17 |
|
lol internet. posted: Blah

There's a hard coded cert validity period. 2 years by default. Run command prompt as admin and run "certutil -setreg CA\ValidityPeriodUnits 5" if you want to change it to 5 years. You'll need to restart the CA service and then re-do the cert.
|
# ¿ Sep 3, 2018 17:20 |
|
Potato Salad posted: Nonprofit, 100 users? You should be able to get migrationwiz for three figures.

This is really the only answer I can think of that will prevent you from having a mental breakdown. One thing I should mention is that for those few people who have personal distros/contact groups in their accounts, MigrationWiz cannot migrate these. Everything else will move over. This has caused problems for me in the past
|
# ¿ Sep 21, 2018 13:27 |
|
Zero VGS posted: Ha, I wish, but his lucky rear end got a Powershell script working with a CSV, it is recovering emails back to the proper folders. Only problem now is that it takes ~20 minutes per user, and Microsoft allegedly limits an organization to 3 simultaneous sessions, to protect against DDOS (according to them, though I'm sure it's more about saving costs on CPU burst). So now we're splitting the CSV into 3 and running it in 3 different sessions.

I would love to see this script, if you wouldn't mind. It could come in handy one day
|
# ¿ Sep 27, 2018 01:05 |
|
Zero VGS posted: Sure, here ya go

That is much easier than I reckoned it would be, thank you
|
# ¿ Sep 27, 2018 03:07 |
|
So I've never successfully set up RADIUS authentication from scratch for wireless clients, but in the near future I'm going to need to make it work for something like 25-30 WAPs (Ruckus) which use their cloud based controller for management. I have two (and a half) questions:

1. Does anyone know of a good guide for setting up the Windows side for authentication?
2. How do I tell the server that the WAPs are cool? Previously I've done this by putting the IP address of a WAP in the server. With this cloud console you can't tell a WAP what to use as an IP, so if I want to set it statically I'd have to create like 25-30 DHCP reservations. Is there an easier/better way?
|
# ¿ Oct 6, 2018 13:15 |
|
Thanks Ants posted: Specify the management VLAN you want the WAPs to use and then whitelist this subnet on your RADIUS server

This answer is so simple that I never would have thought of it. I'll give the WAPs their own management VLAN. Thanks Thanks Ants!
|
# ¿ Oct 7, 2018 14:58 |
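The subnet approach from the exchange above, sketched for a Windows NPS server as an added example that is not part of the original posts. The subnet, the client name and the helper functions are assumptions, as is an NPS server that accepts a CIDR range as a RADIUS client address. A subnet-wide entry accepts any host in that VLAN that holds the shared secret, so the VLAN should carry only the WAPs.

```powershell
# Added example; subnet, names and helpers are assumptions, not from the thread.
Import-Module NPS

$MgmtSubnet = '10.20.30.0/24'   # assumed WAP management VLAN
$ClientName = 'WAP-Mgmt-VLAN'   # hypothetical friendly name

function New-SharedSecret {
    # Random bytes from the OS CSPRNG, hex-encoded (64 characters by default).
    param([int]$Bytes = 32)
    $buf = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($buf) } finally { $rng.Dispose() }
    -join ($buf | ForEach-Object { $_.ToString('x2') })
}

function ConvertTo-IPv4Number {
    # Dotted IPv4 string -> numeric value; $null for DNS names or IPv6.
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $null }
    if ($ip.AddressFamily -ne 'InterNetwork') { return $null }
    $b = $ip.GetAddressBytes()
    [Array]::Reverse($b)        # network order -> little-endian for BitConverter
    [double][BitConverter]::ToUInt32($b, 0)
}

function Test-InSubnet {
    # True when $Address falls inside $Cidr (a.b.c.d/len).
    param([string]$Address, [string]$Cidr)
    $net, $len = $Cidr -split '/'
    $a = ConvertTo-IPv4Number $Address
    $n = ConvertTo-IPv4Number $net
    if ($null -eq $a -or $null -eq $n) { return $false }
    $block = [math]::Pow(2, 32 - [int]$len)   # addresses per block of this prefix
    [math]::Floor($a / $block) -eq [math]::Floor($n / $block)
}

# Existing per-WAP entries that the subnet entry makes redundant (review before removing).
Get-NpsRadiusClient |
    Where-Object { Test-InSubnet $_.Address $MgmtSubnet } |
    Format-Table Name, Address, Enabled

# One RADIUS client entry covering the whole management VLAN.
$secret = New-SharedSecret
New-NpsRadiusClient -Name $ClientName -Address $MgmtSubnet -SharedSecret $secret
# The same secret goes into the WAP controller's RADIUS settings; keep it in a vault.
```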
|
kiwid posted: Turned out to be our SonicWalls doing some funky rear end poo poo.

Was it dpi-ssl?
|
# ¿ Dec 12, 2018 00:46 |
|
I love SonicWalls, actually. They're pretty darned user friendly. Maybe I'm biased though, since I've been working with them for something like 7-8 years. I can find my way around a Cisco, but I have no idea how people live with them. Having said that, yes, I have had to call SonicWall support way too many times for weird poo poo. One time LDAP connection broke because the password was too...complicated...?
|
# ¿ Dec 12, 2018 01:52 |
|
Does anyone else do a lot of Office 365 MFA setup? We recently started pushing for that with our clients, but it seems like unless I want to recreate a new Outlook profile, it will prompt for a password and only accept the app password. There was like a week where I could reliably get an MFA prompt in Office 2016, and also in 2013 if I added the EnableADAL registry key, but now I'm consistently being forced to use the app password.
|
# ¿ Jan 15, 2019 04:45 |
|
The Fool posted: While it should be on by default at this point, it's fairly easy to check the status and turn it on if needed.

I have it enabled for the tenant, but my issue is that I'm rolling it out to existing Office 365 users and I don't want to recreate their Outlook profile. I purge their password from credential manager, reboot, and only get a password prompt that accepts app passwords. Seems like there's two types of prompts. The grey looking box that wants a username/password. Or the fancy white Microsoft page that works with MFA
|
# ¿ Jan 15, 2019 14:34 |
|
The Fool posted:
It would seem our RPC is all kinds of hosed up thank you for your magical registry fix!
|
# ¿ Jan 17, 2019 01:42 |
|
Well, here's a weird one that I don't know how to Google... We fixed up folder permissions to use groups instead of explicit permissions. Now some users can't access the folder despite being part of the group. We made sure they log out and back in. NTFS permissions are good, Share permissions are set to full control for everyone, the way god intended. Oddly enough, if you navigate to the folder by IP address it works but not using DNS name. I immediately checked if offline files was enabled since that has hosed me before, but nope. The first time it happened I figured gently caress that user, their computer is hosed up. It just happened to another person. Anyone run into something like this before?
|
# ¿ Feb 15, 2019 22:39 |
|
Tried FQDN and hostname. I also thought it was a DNS issue, since it's always DNS, but in this case it does not seem to be.

So you can do \\SERVER\SHARE and get there
If you do \\SERVER\SHARE\FOLDER you get told that you don't have permission
If you do \\IP\SHARE\FOLDER you're golden

Pinging server by FQDN or hostname returns the same result
|
# ¿ Feb 15, 2019 23:48 |
|
buffbus posted: Is it access denied just for accessing the share or is the issue specifically when trying to create a new file/folder? Also, does it work when reading a file by exact path instead of browsing to it?

Access to the share is fine, but accessing a specific folder is denied, unless you browse by IP.

FISHMANPET posted: There is a traverse permission that exists. One other thing that probably doesn't apply but I'll mention it anyway, you can't make multiple connections to a single file server with different connect-as values. So if you're logged in as userA and map a drive to SERVER then try to map another share as userB that will fail. It's a client side thing, so if you make that mapping as UserB to the ip address or a cname it will be fine.

This gives me an idea, maybe there's something stored in the credential manager. The users have laptops though, so sadly I will have to wait a few days to check for that.
|
# ¿ Feb 16, 2019 15:48 |
|
buffbus posted: Assuming the intention is for all folders to have the same permissions. You might just reset all access rights down the structure in case there are lingering user specific denies.

Unless there's something I deeply do not understand about permissions I don't see how it could be a permissions issue if it works by IP but not DNS name. If it was permissions wouldn't it not work either way?
|
# ¿ Feb 16, 2019 16:36 |
|
I got stuck trying to upgrade FRS to DFSR and it turns out windows firewall was blocking me. Oops
|
# ¿ Mar 14, 2019 02:08 |
|
Thanks Ants posted: About 250 out into five separate companies. I’m pretty sure that’s not enough to make the MS consultancy costs anywhere near worth it.

Your plan seems pretty sound from my own experience. But yeah lol sharepoint, onedrive, archive mailboxes. Reclaiming a domain is usually pretty quick, but there have been instances where I've had to wait hours. Never a fun time when that's the case.
|
# ¿ Mar 26, 2019 19:45 |
|
SEKCobra posted: Migrating On-Premise Exchange 2010 (currently SP1) to O365. Basically every step I take I have to completely upgrade their infrastructure just to keep going. Already had to upgrade the whole AD schema, next is gonna be Exchange upgrade to SP3. Also, somehow microsoft removed Exchange from their original tenant because it was unused for too long (WTF??) and we had to recreate the tenant, which meant waiting a day just to remove the domain... This seems like a lot more effort than I usually have to go through...

What are you using for the migration? Their built-in tools? If you aren't already in too deep, you may want to look into something like MigrationWiz. You'll need to migrate things like public folders on your own, and it won't grab things like contact groups local to the mailbox, but it is very convenient. I typically also use their own sync tool to migrate distribution groups to the cloud, because once you lose Exchange it's kind of a pain to manage things like whether or not external senders can mail the distro, or hiding from address book.
|
# ¿ Mar 31, 2019 23:21 |
|
BangersInMyKnickers posted: you say that but 2008r2 is still supported and it's easy to not know you need to convert

I've been migrating so many Sysvols to DFSR lately, and it shows no signs of slowing down.

On another note, does anyone have any good reading on Azure AD DS? So far I've been able to ascertain that it ties to a domain name, and that it is neither AD DS nor Azure Active Directory. My company wants to start moving in that direction and I'm not entirely sure why
|
# ¿ Apr 4, 2019 23:20 |
|
Pretty sure 2016 is fine with FRS replication but 2019 100% is not. If your oldest DC is 2008 raise the functional levels and see if you can make this server a DC. Worst case scenario it fails at the pre req check
|
# ¿ May 6, 2019 13:31 |
|
GreatGreen posted: Your comment made me curious so I looked it up. It seems that earlier versions of Server 2016 did support FRS, but version 1709 and beyond does not.

Thanks for the correction! I had no idea. We deploy 2019 now so I haven't had to deploy 2016 in a 2003 environment in a while
|
# ¿ May 6, 2019 23:07 |
|
This is too real. I had to assembly line setup a bunch of horrible, horrible Win 10 tablets that a client bought and I couldn't hit the mute button(s) fast enough

Re: Hold music. I was on hold the other day and this song started playing. https://www.youtube.com/watch?v=zh9h4KZpnJU

It was funny at first, but by the third play through I wanted to die.
|
# ¿ May 25, 2019 15:27 |
|
Found this cool thing

It is a PowerShell function that lets you connect to multiple Office 365 services. Exchange, Azure AD, Sharepoint, Teams, Security and Compliance center, etc. Even has an argument for if you have MFA enabled. Not sure if it'll be useful for anyone else here, but I am thrilled.
|
# ¿ Jun 5, 2019 23:51 |
|
Anyone well versed in Azure able to see a way out of the hole I dug for myself? Seems that when I setup an Azure network I picked the VpnGw1 SKU instead of Basic SKU. This costs ~$100 more per month. I'm not even sure if Basic was an option when I tried creating it, but whateverrrr. Anyhow, there's no way to change the Virtual Network Gateway from VpnGw1 to Basic, so I need to make a new one. The problem is, from what I am seeing, I am going to have to destroy the entire virtual network and start from scratch. Is that true, or is there a way to shift everything over to a new Gateway that I'm not seeing?
|
# ¿ Jun 7, 2019 01:16 |
|
We are finally delving into the mysterious world of Azure AD DS. It's less complicated than I thought, but this article is telling me that you can't move users out of the default OU.

Most of our clients are coming from on-premise Exchange and AD or a combo of Office 365 and AD. My current strategy is to Azure AD Connect from On-Prem to Office 365. Then sync those users to Azure AD DS so their password doesn't change. After the move is complete I'll disable AD Connect.

This leads me to being stuck with a terrible, horrible, no good, very bad OU structure and I hate it.
|
# ¿ Jul 17, 2019 01:39 |
|
skipdogg posted: That article is a couple years old which is several lifetimes for cloud stuff. Last I checked azure ad ds still isn’t a full replacement for on prem AD yet.

That article points to this article which says the same thing. I appreciate the link to updated documentation though. The 2016 timestamp on my article didn't fill me with much confidence.

Sickening posted: Isn't the point of AD DS is that OU's don't matter? What would the point of AD DS OU's be?

Like skipdogg said, Azure AD DS doesn't seem like a full replacement for on prem but so far a lot of what I need is there. I still have the ability to do group policy, so that's cool. I'm not really losing much functionality right now but that one OU is unpleasant to look at. I guess that's my main gripe. I also miss being able to do DFS stuff.
|
# ¿ Jul 17, 2019 04:11 |
|
I know they say you should keep an exchange server in the environment but what are you really losing? I've done a few hybrid to O365 only migrations and haven't witnessed any terrible repercussions
|
# ¿ Sep 10, 2019 13:21 |
|
The Fool posted: Just integrate your CNC machines with sharepoint online.

top tier post
|
# ¿ Sep 13, 2019 13:15 |
|
All of our client office 365 tenants have MFA enabled now, but that has made my life difficult when it comes to powershell. If I want to connect to any service, I have to log in again. So, say I want to connect to Teams, MSOL, and Exchange. That means I enter the password 3x and respond to MFA prompt 3x. From what I've seen the answer is no, but has anyone found a good way to work around this?

It wouldn't be so bad but since we're an MSP and many people need access to these accounts it works the following way: Log into office 365 -> text message is sent to an external service -> service emails an O365 team -> code appears in designated MFA code channel.

It works great except for when it doesn't (which is often)
|
# ¿ Sep 24, 2019 16:22 |
|
The Fool posted: Can you use conditional access to set your office as a trusted ip?

I don't think this will work because of the licensing requirement? Can't tell my clients to pay extra money because it makes life easier for me

Jeoh posted: why not just use TOTP?

I'm not sure how I'd make that work, care to elaborate? (I'm not being sassy, just stupid)
|
# ¿ Sep 24, 2019 18:38 |
|
The Fool posted: Are you using a shared admin account or your own account is delegated admin access to your client?

...the former. I don't think I can convince my company to make individual admin accounts for every technical member of my company for each of our many clients.

We are delegated admin as well with our own accounts but there's only so much you can do with that
|
# ¿ Sep 24, 2019 19:08 |
|
Thanks Ants posted: If you're an MSP then you should be using your own Office 365 accounts with delegated admin permissions to admin the tenants, you get seats of EM+S E3 licensing free with a Silver partner status and you can use that to configure conditional MFA.

Hey, this looks cool. I'm going to check this out more in-depth after I get some caffeine in me. Thanks!
|
# ¿ Sep 26, 2019 13:18 |
|
I've come across a problem in Azure that has been pretty hard for me to google.

I've got a WVD Hostpool and a Standard Load Balancer so my VMs can share a Public IP Address.

Somehow I've broken it so that when I add new VMs to the hostpool they have no external internet access, until I add them to the Backend Pool of the Load Balancer.

This is preventing the VMs from having the Windows Virtual Desktop Agent and Bootloader installed, which means they don't join the hostpool automatically. Azure considers the VM deployment a failure because of this.

As a result I have to add the VM to the Load Balancer Backend Pool manually, and then manually install the agents and register it with the hostpool.

Life is hell
|
# ¿ Aug 4, 2020 00:18 |
|
Wizard of the Deep posted: Are you putting them behind a restrictive Network Security Group?

Not a restrictive NSG, definitely a working and correct subnet.

Someone who wasn't me set up a basic load balancer for old VDIs (which are gone now) which I replaced with a standard load balancer. I see no reason why this would be an issue but... the problem started soon after. It's probably something stupid and unrelated that I'm not seeing
|
# ¿ Aug 4, 2020 02:17 |
|
Zaepho posted:Would this not be what a NAT gateway would be used for? More of an outbound thing. One of the web apps they use is locked down so you have to get your IP address whitelisted and this is how we cut costs I guess. Anyhow I took a break from it today. Tomorrow I'll look into it again and let y'all know when(if) I discover the problem
|
# ¿ Aug 5, 2020 03:18 |