That said, in pretty much every case of machines that we’ve done a P2V, while
they were successful, we later ended up rebuilding the VM or replacing it,
either because of weird failures or performance issues. I know that
*shouldn’t* happen, but after a few rounds of fighting it we just stopped
So if I understand, you're using hardware LBs so you can have multiple DCs on
the back end. That is actually something I'd like to consider for possible
future connections like this. We may not have budget for hardware LBs right
now, but I can bring it up as an option.
I'm not sure I
NetScalers come as a virtual appliance too, the VPX version.
Despatched via Blackberry. Mock if you will, but it gets my email without a
fuss.
-Original Message-
From: Miller Bonnie L. mille...@mukilteo.wednet.edu
Sender: listsadmin@lists.myitforum.com
Date: Fri, 6 Jun 2014 13:01:21
To:
Single domain environment at this time, but that is good to consider. The
Perimeter network mentioned isn't the same as our DMZ network. It would
basically be a new subnet, different from where most of the other servers are.
Hardware firewall rules block all traffic by default, and our
I suppose that was kind of my point. It’s odd. Despite my inherent ‘need to
know’ what causes this sort of thing, over the years I’ve come to realize that
some things just aren’t “knowable” and learned when to cut my losses and move
on. We too moved beyond the point of there being anything
We have come to a realization here that after 15 minutes of troubleshooting
on a frontline machine we just reimage and move on.
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On
Behalf Of Melvin Backus
Sent: Friday, June 06, 2014 9:22 AM
To:
Good to know. I will look at that option also. Not sure what we would run it on
though as our Hyper-V cluster doesn't include these additional networks, so we
would still need some other physical box for it.
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On
Behalf
They don't need their own username password.
I went round and round with Vircom about this years ago (and I don't know who
your vendor is, I'm just suggesting it's a common issue), and they didn't
believe me until I sent them code that proved it.
You will have a shared cert and what they do
I made this point in another response in the thread, but the access they will
have is quite wide ranging.
I don't know data laws in your state as they apply to EDUs, but if you were a
business, I'd recommend a mutual NDA.
From: listsad...@lists.myitforum.com
I'm admittedly (way) out of my league in this discussion, but can't this
sort of thing be addressed with claims-based auth, or other such
technologies without directly exposing the directory?
(Back to the shadows...)
On Fri, Jun 6, 2014 at 10:08 AM, Michael B. Smith mich...@smithcons.com
wrote:
You don’t need claims-based auth.
You need a tiny web-service, that runs behind an SSL certificate, that takes a
username/password, and returns success/failure. Basically FBA.
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On
Behalf Of Richard Stovall
Sent:
What's the difference between P2V on a retail vs OEM license? How does it being
a DC complicate it?
Neil
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On
Behalf Of Jon Harris
Sent: Thursday, June 05, 2014 3:41 PM
To: ntsysadm@lists.myitforum.com
Subject: RE:
Hi Bonnie:
You got it, although I'm not sure if we're using the hardware
NetScalers or the virtual NetScaler appliances for this; we have both.
The point behind the VPN tunnel I believe was to avoid any
special DMZs or any special networking. I'm not a networking
I completely agree but having limited resources puts me at odds with having DCs
that are only DCs. If this were Burger King I'd do it differently.
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On
Behalf Of Jon Harris
Sent: Thursday, June 05, 2014 4:13 PM
To:
Technically your license is only good on the original hardware if it's an OEM.
It can't be transferred. By P2V or server replacement for that matter, your
license is no longer valid.
--
There are 10 kinds of people in the world...
those who understand binary and those who don't.
You'd grill the patties over a flame before you microwave them?
On Fri, Jun 6, 2014 at 11:34 AM, Neil Standley standl...@net-venture.com
wrote:
I completely agree but having limited resources puts me at odds with
having DCs that are only DCs. If this were Burger King I’d do it
differently.
Correct. OEM is tied to the hardware the sticker was put on; it's
non-transferable.
John W. Cook
Director of Network Operations
Partnership For Strong Families
5950 NW 1st Place
Gainesville, Fl 32607
Office (352) 244-1610
Cell (352) 215-6944
MCSE, MCP+I, MCTS,
CompTIA A+, N+, Security +
While I have yet to P2V a DC, I have converted several other member servers, and
they were all relatively quick, roughly 90 minutes or so to perform the
conversion. Then, once the new VM comes up, configure the IP if necessary and
reboot, activate the license, check event logs/services, and done, at
Heh… I worked with a guy that used to work at BK. He told me that the grill
marks were painted on! ☺
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On
Behalf Of Richard Stovall
Sent: Friday, June 06, 2014 10:38 AM
To: ntsysadm@lists.myitforum.com
Subject: Re:
Thanks Michael. I will look at the specs on the username/password; that was an
assumption on my part, but I thought I saw it somewhere.
I think I get what you're saying: if we allow them to connect and look up
against LDAP, there is nothing but trust and legal agreements to assure they
only query
Lol, I’d spit on it and walk away.
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On
Behalf Of Richard Stovall
Sent: Friday, June 06, 2014 8:38 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] RE: P2V DC
You'd grill the patties over a flame before you
Well, you'll have X amount of time where your entire network is down. I
can't generally afford sustained downtime like that, even planned.
On Fri, Jun 6, 2014 at 11:43 AM, Neil Standley standl...@net-venture.com
wrote:
While I have yet to P2V a DC, I have converted several other member
I'm also having some trouble with understanding what the resource
contention issue is that would cause me to undertake a project to P2V DCs.
On Fri, Jun 6, 2014 at 11:53 AM, Jonathan Link jonathan.l...@gmail.com
wrote:
Well, you'll have X amount of time where your entire network is down. I
In my case it’s simply the time factor, I need to get it done and move on. I
alone am IT for the entire org, plus many small clients we have.
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On
Behalf Of Jonathan Link
Sent: Friday, June 06, 2014 8:54 AM
To:
I'm having difficulty understanding why this is a case for an RODC. Seems like
a federation scenario to me.
You simply need to AuthN your internal users to an external service, correct?
Is this a well-known external service or more of a one-off?
From: listsad...@lists.myitforum.com
You don't have time to do it twice, then. Is it possible to P2V a domain?
Yes, certainly, you've done a fair amount of research on the process.
During that process, I'm sure you've also seen indications that it isn't
recommended. Finally, you've come to peers, and we're confirming that it
Watching this thread reminds me of the old saying…”We ain’t got time to do it
right but we got time to do it over”
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On
Behalf Of Jonathan Link
Sent: Friday, June 06, 2014 9:19 AM
To: ntsysadm@lists.myitforum.com
AD DS provides no mechanism for an external application to access the
password hash. Try reading unicodePwd (or any other attribute marked as
confidential) and see how far you get. :)
Yep, try doing SSO with Oracle DBs and see how fast it gets really ugly... you
want us to do what to AD?
I don't know how well-known they are, but it's a product called Blackboard
Engage, for web hosting, and Blackboard is pretty big in the edu space. I have
found some of the documents from the earlier meetings, and they have very
specific requirements, including all users in one domain, and it's
I think the special networking is already a done deal, and is more typical in
our environment for what our network admin would set up, so sounds like we can
skip VPN on this. I am reading a bit on ADFS from your and Bob's prompting,
but not sure it fits and/or falls within the guidelines of
Blackboard is widely used here as well. I’m just glad they’re not asking
us to do anything like that with AD!
It’s possible that our general LDAP is used for that, but I would have no
idea since I have nothing to do with it or Blackboard. If it would be
helpful for me to ask someone I can do
You’re right. I don’t have time to do it twice but that doesn’t mean I have
much of a choice. The OEM licensing aspect is going to cause delays as well,
I’ll need to find a solution for that. I’m hoping management will see the value
in VL/SA since we have roughly 15 machines (XP/2003)
Charles—do you use their Engage program, formerly known as Edline (they are
actively changing the name I guess)? We don’t have any of their other
services—just this one is coming online. I just found the link they originally
sent with requirements, and it also includes the more detailed LDAP
They only microwave the heel and the patty to reheat them (at least that's how
it was in the 80's lol)
Jean-Paul Natola
Date: Fri, 6 Jun 2014 11:37:59 -0400
Subject: Re: [NTSysADM] RE: P2V DC
From: rich...@gmail.com
To: ntsysadm@lists.myitforum.com
You'd grill the patties over a flame
An option to consider would be to spin up an ADLDS (ADAM) instance that
Blackboard would point to. Using ADAMSync
(http://blogs.technet.com/b/askds/archive/2012/11/12/adamsync-101.aspx) to sync
the subset of users from AD into the ADLDS instance as bind proxy objects
I know Blackboard. They've been a pain in my rear more than once over the years.
Brian Arkills at the University of Washington is probably the best person I
know when it comes to practical experiences with locking down AD for higher-ed.
He's a DS MVP. I'd recommend you ask him this question. I
Now THAT is very slick. I like it. I've got to play with that in a lab, but it
sounds like a great solution for Bonnie, exactly what she needs.
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On
Behalf Of Coleman, Hunter
Sent: Friday, June 6, 2014 2:17 PM
To:
Migrating DHCP takes no downtime. It can be done in about 5 minutes using
“netsh dhcp export” and “netsh dhcp import”.
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On
Behalf Of Jonathan Link
Sent: Friday, June 6, 2014 12:19 PM
To: ntsysadm@lists.myitforum.com
Yes, if you let them connect to your real AD, they can basically look at
anything.
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On
Behalf Of Miller Bonnie L.
Sent: Friday, June 6, 2014 11:49 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] RE: New RODC
Wow thanks, I'm going to take a serious look at this and see what it takes. I
don't want to do the easier thing just because it's easy, but we do have some
timelines to meet. I need to go read!
-Bonnie
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On
Behalf Of
You're all about privacy... We understand. :)
ASB http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations, Information Security) for
the SMB market...
On Thu, Jun 5, 2014 at 2:59 PM, Dave Lum li...@theitgarage.com wrote:
Wow, I
I can make the 24th... :)
On Thu, Jun 5, 2014 at 3:58 PM, Webster webs...@carlwebster.com wrote:
Sorry for the late notice but
GPG and OpenPGP are already there for people who *want* to understand.
Fact: Using GPG to send secured messages should be considered child's play
for every single person on this list... YET, I bet you that the usage of
GPG on this list for email usage is not significantly better than that of
As far as I can tell, we don’t use Edline/Engage, but I’ve sent an email to
the Blackboard Admin to confirm.
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On
Behalf Of Miller Bonnie L.
Sent: Friday, June 06, 2014 2:12 PM
To: ntsysadm@lists.myitforum.com
lol
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On
Behalf Of Andrew S. Baker
Sent: Friday, June 6, 2014 2:00 PM
To: ntsysadm
Subject: Re: [NTSysADM] New OpenSSL fixes across versions
You're all about privacy... We understand. :)
ASB
Hi all,
I have a domain that purchased a wildcard cert for the Exchange 2013 rollout.
Today the SSL cert on the Citrix server expired, and I was asked, if it's a
wildcard cert, can't we just use that for the Citrix? I thought I don't see why
not.
I went to IIS (on Exchange) and exported the cert
Having once been a single-man IT shop, I usually just found it easier to set up
new than spend my time dealing with issues like trying to get an OEM
license to function once the P2V was done. The time to bring up a new DC is
going to be only slightly longer, if it is longer, than the
Last time (4 years ago) I worked on something like this with Blackboard, I
pushed back that it needed to be in house, not housed on their machines, as I
could get no promises that there would not be malware running on the machine
capturing the user ID and password of the person during the usage.
It was a SAN certificate they had purchased.
Jean-Paul Natola
From: jnat...@hotmail.com
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Wildcard cert for Citrix Fundamentals
Date: Fri, 6 Jun 2014 21:10:02 -0400
Hi all,
I have a domain that purchased a wildcard cert for the