[NTSysADM] RIP: John Perry Barlow, Internet Pioneer, 1947-2018 | Electronic Frontier Foundation

2018-02-07 Thread Kurt Buff
https://www.eff.org/deeplinks/2018/02/john-perry-barlow-internet-pioneer-1947-2018

John Perry Barlow, Internet Pioneer, 1947-2018
Cindy Cohn 
February 7, 2018

With a broken heart I have to announce that EFF's founder, visionary, and our
ongoing inspiration, John Perry Barlow, passed away quietly in his sleep this
morning. We will miss Barlow and his wisdom for decades to come, and he will
always be an integral part of EFF.

It is no exaggeration to say that major parts of the Internet we all know
and love today exist and thrive because of Barlow’s vision and leadership.
He always saw the Internet as a fundamental place of freedom, where voices
long silenced can find an audience and people can connect with others
regardless of physical distance.

Barlow was sometimes held up as a straw man for a kind of naive
techno-utopianism that believed that the Internet could solve all of
humanity's problems without causing any more. As someone who spent the past
27 years working with him at EFF, I can say that nothing could be further
from the truth. Barlow knew that new technology could create and empower
evil as much as it could create and empower good. He made a conscious
decision to focus on the latter: "I knew it’s also true that a good way to
invent the future is to predict it. So I predicted Utopia, hoping to give
Liberty a running start before the laws of Moore and Metcalfe delivered up
what Ed Snowden now correctly calls 'turn-key totalitarianism.'”

Barlow’s lasting legacy is that he devoted his life to making the Internet
into “a world that all may enter without privilege or prejudice accorded by
race, economic power, military force, or station of birth . . . a world where
anyone, anywhere may express his or her beliefs, no matter how singular,
without fear of being coerced into silence or conformity.”

In the days and weeks to come, we will be talking and writing more about
what an extraordinary role Barlow played for the Internet and the world. And
as always, we will continue the work to fulfill his dream.



Re: [NTSysADM] VNX 5400 replacement hard drives

2018-02-06 Thread Kurt Buff
Look to someone like Curvature/SMS.


Kurt

On Tue, Feb 6, 2018 at 6:44 AM, David McSpadden  wrote:

> Just wondering if buying the hard drive direct from Seagate is an issue?
>
> Purchased a replacement HD from my VNX and the VNX does not recognize the
> drive?
>
> It is the replacement part number and right sized?
>
> It seems odd to me unless it has to be EMC/DELL formatted first?
>
>
>
>
>
> *David McSpadden*
>
> Systems Administrator
>
> Indiana Members Credit Union
>
> P: 317.554.8190 | F: 317.554.8106
>
>
>
>
> This e-mail and any files transmitted with it are property of Indiana
> Members Credit Union, are confidential, and are intended solely for the use
> of the individual or entity to whom this e-mail is addressed. If you are
> not one of the named recipient(s) or otherwise have reason to believe that
> you have received this message in error, please notify the sender and
> delete this message immediately from your computer. Any other use,
> retention, dissemination, forwarding, printing, or copying of this email is
> strictly prohibited.
>
> Please consider the environment before printing this email.
>



Re: [NTSysADM] Re: Advice: migrate to new file server - UPDATE

2018-02-05 Thread Kurt Buff
Right you are...

But, if you want to see output on the console, and still log to a text
file, use both the /np and /tee switches.

I do that with some regularity for small jobs like this.

Kurt

On Mon, Feb 5, 2018 at 3:49 PM, Micheal Espinola Jr <michealespin...@gmail.com> wrote:

> /NP is for the console display of progress.  As long as you are not
> logging by way of redirected output, this would have no effect.
>
> --
> Espi
>
>
> On Mon, Feb 5, 2018 at 6:37 AM, Michael Leone  wrote:
>
>> On Mon, Feb 5, 2018 at 9:23 AM, Melvin Backus  wrote:
>>
>>> That would be the /NP switch. (no progress)
>>>
>>
>> No, I'm already using it, and still getting the 100% ...
>>
>>
>>>Options : *.* /NDL /NFL /S /E /COPYALL /ZB /NP /MT:20 /R:0 /W:0
>>>
>>
>>
>>
>



Re: [NTSysADM] Welcome a brand new CTP to the family

2018-02-01 Thread Kurt Buff
That is a great achievement.

Congratulations, and keep up the good work.

Kurt

On Thu, Feb 1, 2018 at 6:07 AM, Webster  wrote:
> Our very own James Rankin is a brand-new CTP. Welcome to the family James.
>
>
>
> https://www.citrix.com/blogs/2018/02/01/welcome-ctp-class-of-2018/
>
> https://www.citrix.com/community/ctp/awardees.html
>
>
>
> Thanks
>
>
>
>
>
> Carl Webster
>
> Citrix Technology Professional Fellow | iGel Tech Community Insider |
> Parallels VIPP
>
> http://www.CarlWebster.com
>
> The Accidental Citrix Admin
>
>




Re: [NTSysADM] Anyone using or familiar with Crowdstrike?

2018-02-01 Thread Kurt Buff
Second that. I went through a webinar from them recently, but don't
have any real experience.

I also attended a seminar on threat hunting from Carbon Black, and was
much more impressed with that than the CrowdStrike webinar - but still
no real experience.

Kurt

On Thu, Feb 1, 2018 at 6:42 AM, Melvin Backus  wrote:
> We’re researching and will be looking at them in the next few weeks, but I’m
> interested in any personal experience anyone might have.
>
>
>
> Thanks
>
>
>
> 
> Service Desk | 404-497-1599 | https://servicedesk.byers.com
>
> Melvin Backus | Sr. Systems Engineer | Byers Engineering Company |
> 404.497.1565
>
> --
> There are 10 kinds of people in the world...
>  those who understand binary and those who don't.
>
>




[NTSysADM] An Iconic brand dies

2018-02-01 Thread Kurt Buff
PARC is long gone, and now the rest of it fades
https://gizmodo.com/xerox-is-no-more-will-now-merge-into-japans-fujifilm-1822616885

Kurt




[NTSysADM] I chuckled...

2018-01-31 Thread Kurt Buff
I just got a notification from my WSUS box, containing the following

[image: Inline image 1]

Clicking on them lands you here:

https://support.microsoft.com/en-us/help/4078128/test-only-do-not-use-compatibility-update-for-upgrading-to-windows-10,
which says:

**TEST ONLY** **DO NOT USE** Compatibility update for upgrading to Windows
10 **TEST ONLY** **DO NOT USE**
I wonder what would happen if I approved it?

Kurt



Re: [NTSysADM] OT - IP/Cloud Phones

2018-01-31 Thread Kurt Buff
This is on-topic, so I'm going to keep it on list.

The answer is - it depends.

Do you have a complete understanding of how your current system is
used? Do you need complex hunt groups/work groups/IVR trees, and/or
use lots of voicemail? Do you use your current system for paging,
either through the phones or overhead speakers?

Do you have a reliable connection to the Internet - would your
business suffer if your connection went down for a few hours?

Are the features offered by your prospective vendors equal to or
better than your on-prem system?

Are your current desk phones completely IP already, or is there some
mix of analog and/or proprietary digital and/or SIP phones? Will the
cost for phones for going all SIP be a barrier?

Is your on-prem system end of life - as in unsupported and likely to fail?

Personally, I prefer on-prem, and am leery of off-prem stuff, having
no experience with it, but if I were directed to evaluate that option,
these are the questions I'd start with.

I'm sure others will come up with questions to ponder, but that's my short list.


Kurt

On Wed, Jan 31, 2018 at 5:28 AM, Bud Durland  wrote:
> First, apologies for the OT post, but I'm sure there are people in this
> group that have crossed this bridge before me.  Our purchasing guy is 
> evaluating keeping our on-prem phone system vs. going with a cloud provider 
> like 8x8.  I'm looking for input from anyone who has real-world experience 
> making the change, or changing (back) from cloud to on-prem.  Please contact 
> me off-list with war stories or on-line references.
>
> Thanks
>
> --
>
> Bud Durland   |   Director Of Information Technology
> Direct: 518.324.4850 | Cell: 518.726.0967 | Fax: 518.561.0017 | 
> b...@mrpcap.com
> 1 Plant St., Plattsburgh, NY 12901
> Website |  Twitter |  LinkedIn |  YouTube
>
>
>
>
>
>
> NOTE -- This message contains legally privileged and confidential information 
> and is intended only for the individual named.
> If you are not the named addressee you should not disseminate, distribute or 
> copy this e-mail.
> Please notify the sender immediately by e-mail if you have received this 
> e-mail by mistake and delete
> this e-mail from your system. Thank you.
>
>
>




Re: [NTSysADM] Advice: migrate to new file server

2018-01-31 Thread Kurt Buff
I don't ask permission, I notify the users and I take ownership and
grant Administrators permissions, and make sure permissions are
inherited.

Once that's done, I offer to work with them to get the permissions
rational. Normally that means moving subdirectories up the tree so
that breaking inheritance isn't required.

Kurt

On Wed, Jan 31, 2018 at 7:00 AM, Charles F Sullivan  wrote:
> This happens almost every time. Someone who doesn't know what they're doing
> has the right to change permissions and they don't include Administrators.
> Usually the next issue I find is that when I try to take ownership and reset
> perms, there are stragglers, sometimes lots of them. It's good that you have
> the log from the run using /create so you have that as a list of failures.
> Put the onus on the data owners to decide who should have access or if the
> data is even needed. Usually that's the next issue...finding someone who
> will take that responsibility.
>
> On Wed, Jan 31, 2018 at 9:36 AM, Michael Leone  wrote:
>>
>> 
>>
>> Oh, the joys of special permissions on sub-folders ...
>>
>> Good thing I did an initial run using the /CREATE switch (thanks for
>> that!). Found a number of errors, couldn't access destination folder.
>> Checking the source folder permissions, I see that these have been set
>> manually - not inherited, limited to only certain AD accounts (which now
>> don't exist, as those users left, and have been deleted from AD), etc.
>>
>> So I'm wondering if it's better to run Robocopy as the local system
>> account, to avoid issues like this?
>>
>> (I can probably fix the source permissions on a couple, after consulting
>> with that department, and seeing who to re-set the security to)
>>
>> How do others get around this type of problem? Or are your folders set
>> with sane NTFS security on all of them? LOL
>>
>>
>>
>>> On Tue, Jan 30, 2018 at 8:23 AM, Michael Leone  wrote:
>>>
>>> On Mon, Jan 29, 2018 at 5:07 PM, Charles F Sullivan  wrote:
>>>>
>>>> By default it only copies changed files, no /a switch needed.
>>>
>>>
>>>
>>> AH HA. Vital information/confirmation. Thanks. So if I do a /MIR this
>>> weekend, I should (theoretically) be able to do the same command, say every
>>> 3-4 days, until the move (17 days until the move).  That should make the
>>> final command, on the weekend of the move, relatively quick.
>>>
>>> I will start testing the /MIR on some temp and test folders ...
>>>
>>> Thanks!
>>>
>>>

>>>> On Mon, Jan 29, 2018 at 3:15 PM, Michael Leone  wrote:
>
> On Mon, Jan 29, 2018 at 2:57 PM, Charles F Sullivan  wrote:
>>
>> I always use the /mir option when doing a migration like that. The
>> reason is I have to do a "big" initial copy and then at least one delta
>> copy. (I usually do the final copy after removing access by changing 
>> share
>> perms or removing the share entirely so no further changes are made.) If 
>> I
>> don't use the /mir option, users will likely end up with data that is no
>> longer supposed to be present. (This assumes they will continue to have
>> access to the old server while copy job is running.)
>
>
>
> Hmmm ... well, this would be done after hours on a Friday, so I doubt
> there would be any access.The idea is that the users go home Friday, and
> come back Monday, and it's all done behind the scenes.
>
>
>>
>> It's completely safe despite the warning in the help, at least in this
>> scenario. Unless I'm missing something, the new server will not be
>> accessible to users until you finish the migration, thus there should be 
>> no
>> extra data which could get deleted.
>
>
>
> I may test that this weekend, do a /MIR. Then I would need to only copy
> things that have changed since then. Is that  the /A option?
>
>>
>> On Mon, Jan 29, 2018 at 2:27 PM, Michael Leone  wrote:
>>>
>>> I'd like to impose once more for some advice and opinions. I have a
>>> Win 2008 R2 file server; I need to migrate everything (shares and user 
>>> home
>>> folders) to a Win 2012 R2 Storage Server, and then retire the old 
>>> server.
>>> Everything is one 1 drive, with 3 main folders (Shares,Users,Scans), 
>>> total
>>> size in the neighborhood of 2TB. Both have 4 teamed 1G NICs, so a total
>>> bandwidth of 4G.
>>>
>>> I'm thinking of use robocopy. I would make a full copy over the
>>> weekend:
>>>
>>> Source=OldFS\F$
>>> Destination=NewFs\d$
>>>
>>> RoboCopy   /S /E /ZB /COPYALL /R:1 /W:1 /V /NP
>>> /NFL /NDL /LOG+:
>>>
>>> That should get everything, NTFS security and all sub-folders. I
>>> thought about the /MIR option, but I've never used it, and so am just a
>>> 

Re: [NTSysADM] Multi-Threading Robocopy

2018-01-30 Thread Kurt Buff
1000, Egyptian Cotton...



On Tue, Jan 30, 2018 at 12:16 PM, Michael Leone  wrote:
> In my tests, I've been using a thread count of 20 (/MT:20). While doing a
> /CREATE only run, it seems to not have any impact on performance (based on
> CPU usage in taskmgr).
>
> What's your favorite thread count? LOL
>
>




Re: [NTSysADM] Advice: migrate to new file server

2018-01-29 Thread Kurt Buff
Youngsters these days...

If I change the DVD/CD drive letter, I change it to Y:, because long
ago, under some really old version of windows (3.1? wfwg 3.1x? I'm
getting old - get off my lawn) logon scripts used Z:.

You can find a vague reference to it here:
http://www.oreilly.com/openbook/samba/book/ch06_06.html

Heh.

Kurt

On Mon, Jan 29, 2018 at 2:42 PM, Dave Lum <l...@ochin.org> wrote:
> My typical buildout:
>
> Anything with a user share (other than a domain controller) gets a separate 
> volume than the OS and the files live there. Database servers get at least 
> two additional (logs for one, DB for the other). Server hosting applications 
> with a lot of read/writes and or file growth get an additional volume as this 
> allows easy movement/growth/reallocation of data volumes without impacting 
> the host OS. Doing a file recovery can be simplified with this setup as 
> there's lower risk of restoring the wrong application file/setting*
>
> Single volume systems are infrastructure stuff like domain controllers, DHCP 
> servers, and print server (depending on its load and if it's not also a file 
> server).
>
> My OCD also sets the DVD drive to Z: so adding other drive letters is 
> contiguous.
>
> Dave
> * This is probably legacy thinking as I haven't run into this in many, many 
> years.
>
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Kurt Buff
> Sent: Monday, January 29, 2018 2:10 PM
> To: ntsysadm <ntsysadm@lists.myitforum.com>
> Subject: Re: [NTSysADM] Advice: migrate to new file server
>
> Don't know about everybody, but I do it - because I hate it when someone 
> copies a ton of big files to the drive that data shares with the OS, and the 
> machine chokes. Makes for a very unpleasant time for the users.
>
> I've also had to do this on machines with hyperactive print queues.
> Now, if I'm building a print server, the spool directory goes on a separate 
> partition - doesn't really matter how big the partition is, even just a few 
> gigs, as long as it doesn't share the OS partition.
>
> Kurt
>
> On Mon, Jan 29, 2018 at 1:40 PM, Gantry Zettler <gan...@gmail.com> wrote:
>> "I'm hoping that the data is on a separate partition from the OS.
>> That's pretty critical. "
>>
>> Is this what everyone else does?  Even on VMs?
>>
>>
>>
>> On Mon, Jan 29, 2018 at 3:16 PM, Melvin Backus <melvin.bac...@byers.com> wrote:
>>>
>>> Ditto. I usually do this over a span of days or weeks. Big initial
>>> copy, then incrementals periodically depending on normal usage, etc.
>>> Last pass as I’m ready to make the move.  By that time we’re talking
>>> about a few minutes because everything should be the same anyway,
>>> just the time to scan the file systems.
>>>
>>>
>>>
>>> --
>>> There are 10 kinds of people in the world...
>>>  those who understand binary and those who don't.
>>>
>>>
>>>
>>> ¯\_(ツ)_/¯
>>>
>>>
>>>
>>> From: listsad...@lists.myitforum.com
>>> [mailto:listsad...@lists.myitforum.com] On Behalf Of Charles F
>>> Sullivan
>>> Sent: Monday, January 29, 2018 2:58 PM
>>> To: ntsysadm@lists.myitforum.com
>>> Subject: Re: [NTSysADM] Advice: migrate to new file server
>>>
>>>
>>>
>>> I always use the /mir option when doing a migration like that. The
>>> reason is I have to do a "big" initial copy and then at least one
>>> delta copy. (I usually do the final copy after removing access by
>>> changing share perms or removing the share entirely so no further
>>> changes are made.) If I don't use the /mir option, users will likely
>>> end up with data that is no longer supposed to be present. (This
>>> assumes they will continue to have access to the old server while
>>> copy job is running.)
>>>
>>>
>>>
>>> It's completely safe despite the warning in the help, at least in
>>> this scenario. Unless I'm missing something, the new server will not
>>> be accessible to users until you finish the migration, thus there
>>> should be no extra data which could get deleted.
>>>
>>>
>>>
>>> On Mon, Jan 29, 2018 at 2:27 PM, Michael Leone <oozerd...@gmail.com>
>>> wrote:
>>>
>>> I'd like to impose once more for some advice and opinions. I have a
>>> Win
>>> 2008 R2 file server; I need to migrate everything (shares and user
>>> ho

Re: [NTSysADM] Advice: migrate to new file server

2018-01-29 Thread Kurt Buff
I'll have to disagree here.

I love DFSR, but I don't believe that DFSR is a great fit for this
particular task.

Initial configuration, and subsequent teardown, are just not worth the effort.

Kurt

On Mon, Jan 29, 2018 at 2:30 PM, Klaus Hartnegg  wrote:
> Am 29.01.2018 um 20:27 schrieb Michael Leone:
>>
>> I need to migrate everything (shares and user home folders) to a Win 2012
>> R2 Storage Server, and then retire the old server.
>
>
> Share definitions can be exported from the registry, and imported into the
> new server.
>
> If you want to minimize downtime: DFS-R can replicate all files from the old
> server to the new one, while users still modify and create new files. Just
> let DFS-R run, eventually the new server will have identical contents as the
> old one. It even survives being interrupted: it will after a while
> automatically pick up where it stopped, and just do the rest.
>
> Only three caveats: the staging area must be set much bigger than the
> largest file, the filter to skip bak files should be removed, and Microsoft
> should have made it easier to find out whether currently everything is in
> sync (you must use the commandline to query the backlog). Ping me for
> details if interested.
>
>
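
The three DFS-R caveats Klaus raises (a staging quota larger than the largest
file, the default exclude filter, and checking backlog from the command line),
as an added PowerShell example using the DFSR module that ships with Windows
Server 2012 R2 and later. It is not from the thread; the replication group,
replicated folder, server names, source path and quota multiplier are
placeholders.

```powershell
# Added example (not from the thread): the DFS-R settings and check that the
# caveats above call for. Group, folder, server names and paths are placeholders.
Import-Module DFSR

$Group      = 'FS-Migration'   # replication group (placeholder)
$Folder     = 'Shares'         # replicated folder (placeholder)
$OldFS      = 'OldFS'
$NewFS      = 'NewFS'
$SourcePath = 'F:\Shares'      # local path of the folder on OldFS (placeholder)

# Caveat 1: the staging quota must exceed the largest file or that file never
# replicates. Size it from the data: find the largest file on the source and
# allow four times that, with a 4 GB floor.
$LargestBytes = Invoke-Command -ComputerName $OldFS -ArgumentList $SourcePath -ScriptBlock {
    param($Path)
    (Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Measure-Object -Property Length -Maximum).Maximum
}
$QuotaMB = [int][math]::Max(4096, [math]::Ceiling($LargestBytes / 1MB) * 4)
Set-DfsrMembership -GroupName $Group -FolderName $Folder -ComputerName $OldFS, $NewFS `
    -StagingPathQuotaInMB $QuotaMB -Force
Write-Host "Staging quota set to $QuotaMB MB (largest file: $([math]::Round($LargestBytes / 1MB)) MB)"

# Caveat 2: a new replicated folder excludes "~*, *.bak, *.tmp" by default.
# For a migration every file has to move, so keep only the "~*" pattern that
# matches Office lock files and drop the .bak/.tmp exclusions.
Set-DfsReplicatedFolder -GroupName $Group -FolderName $Folder -FileNameToExclude '~*'

# Caveat 3: "in sync" means an empty backlog in both directions.
# Get-DfsrBacklog returns at most 100 pending files per call, so 0 is exact
# while 100 only means "100 or more" (add -Verbose to see the full count).
function Get-BacklogCount {
    param([string]$From, [string]$To)
    @(Get-DfsrBacklog -GroupName $Group -FolderName $Folder `
        -SourceComputerName $From -DestinationComputerName $To -ErrorAction Stop).Count
}
$Out = Get-BacklogCount -From $OldFS -To $NewFS
$In  = Get-BacklogCount -From $NewFS -To $OldFS
if ($Out -eq 0 -and $In -eq 0) {
    Write-Host "In sync: no backlog $OldFS -> $NewFS or $NewFS -> $OldFS"
} else {
    Write-Warning "Backlog $OldFS -> $NewFS = $Out, $NewFS -> $OldFS = $In (100 means 100 or more)"
}
```

The same backlog figure is available from the older tool as
dfsrdiag backlog /rgname:&lt;group&gt; /rfname:&lt;folder&gt; /smem:&lt;source&gt; /rmem:&lt;destination&gt;,
which is what Klaus is referring to when he says the count has to be queried
from the command line.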




Re: [NTSysADM] Advice: migrate to new file server

2018-01-29 Thread Kurt Buff
Don't know about everybody, but I do it - because I hate it when
someone copies a ton of big files to the drive that data shares with
the OS, and the machine chokes. Makes for a very unpleasant time for
the users.

I've also had to do this on machines with hyperactive print queues.
Now, if I'm building a print server, the spool directory goes on a
separate partition - doesn't really matter how big the partition is,
even just a few gigs, as long as it doesn't share the OS partition.

Kurt

On Mon, Jan 29, 2018 at 1:40 PM, Gantry Zettler  wrote:
> "I'm hoping that the data is on a separate partition from the OS.
> That's pretty critical. "
>
> Is this what everyone else does?  Even on VMs?
>
>
>
> On Mon, Jan 29, 2018 at 3:16 PM, Melvin Backus  wrote:
>>
>> Ditto. I usually do this over a span of days or weeks. Big initial copy,
>> then incrementals periodically depending on normal usage, etc.  Last pass as
>> I’m ready to make the move.  By that time we’re talking about a few minutes
>> because everything should be the same anyway, just the time to scan the file
>> systems.
>>
>>
>>
>> --
>> There are 10 kinds of people in the world...
>>  those who understand binary and those who don't.
>>
>>
>>
>> ¯\_(ツ)_/¯
>>
>>
>>
>> From: listsad...@lists.myitforum.com
>> [mailto:listsad...@lists.myitforum.com] On Behalf Of Charles F Sullivan
>> Sent: Monday, January 29, 2018 2:58 PM
>> To: ntsysadm@lists.myitforum.com
>> Subject: Re: [NTSysADM] Advice: migrate to new file server
>>
>>
>>
>> I always use the /mir option when doing a migration like that. The reason
>> is I have to do a "big" initial copy and then at least one delta copy. (I
>> usually do the final copy after removing access by changing share perms or
>> removing the share entirely so no further changes are made.) If I don't use
>> the /mir option, users will likely end up with data that is no longer
>> supposed to be present. (This assumes they will continue to have access to
>> the old server while copy job is running.)
>>
>>
>>
>> It's completely safe despite the warning in the help, at least in this
>> scenario. Unless I'm missing something, the new server will not be
>> accessible to users until you finish the migration, thus there should be no
>> extra data which could get deleted.
>>
>>
>>
>> On Mon, Jan 29, 2018 at 2:27 PM, Michael Leone  wrote:
>>
>> I'd like to impose once more for some advice and opinions. I have a Win
>> 2008 R2 file server; I need to migrate everything (shares and user home
>> folders) to a Win 2012 R2 Storage Server, and then retire the old server.
>> Everything is one 1 drive, with 3 main folders (Shares,Users,Scans), total
>> size in the neighborhood of 2TB. Both have 4 teamed 1G NICs, so a total
>> bandwidth of 4G.
>>
>>
>>
>> I'm thinking of use robocopy. I would make a full copy over the weekend:
>>
>>
>>
>> Source=OldFS\F$
>>
>> Destination=NewFs\d$
>>
>>
>>
>> RoboCopy   /S /E /ZB /COPYALL /R:1 /W:1 /V /NP /NFL
>> /NDL /LOG+:
>>
>>
>>
>> That should get everything, NTFS security and all sub-folders. I thought
>> about the /MIR option, but I've never used it, and so am just a touch leery
>> (perhaps illogically).
>>
>>
>>
>> The end goal is to:
>>
>> copy all the files and shares to the new FS;
>>
>> re-name and re-IP the old FS;
>>
>> power off the old FS;
>>
>> re-name and re-IP the new FS to the old name.
>>
>>
>>
>>  (this way I can power up the old FS, just in case I need it for something
>> I've missed)
>>
>>
>>
>> That *should* make things transparent to the end users.
>>
>>
>>
>> (ordinarily, I would think about doing a restore from my backup program
>> Networker. But this is a remote site, and I believe that doing a local
>> robocopy will probably be faster than trying to restore 2TB of what is
>> probably a lot of small user files and folders across a 1G link)
>>
>>
>>
>> What have I missed? What would make it better?
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> --
>>
>> Charlie Sullivan
>>
>> Sr. Windows Systems Administrator
>>
>> Boston College
>>
>> 197 Foster St. Room 367
>>
>> Brighton, MA 02135
>>
>> 617-552-4318
>
>




Re: [NTSysADM] Advice: migrate to new file server

2018-01-29 Thread Kurt Buff
Oh, yes

My thoughts make the assumption that this will be done while users are
not in play.

If that's not true, there are a couple of things that will need to be adjusted.

- Still consider doing a first run with the /CREATE switch.
- Can't shut down the server service, but probably still shouldn't
need the /ZB switch. Instead, do a second full run (not the initial
/CREATE run) after hours to pick up any changed data.
- If a second full run is required, then the /MIR switch is useful

Kurt

On Mon, Jan 29, 2018 at 11:27 AM, Michael Leone  wrote:
> I'd like to impose once more for some advice and opinions. I have a Win 2008
> R2 file server; I need to migrate everything (shares and user home folders)
> to a Win 2012 R2 Storage Server, and then retire the old server. Everything
> is one 1 drive, with 3 main folders (Shares,Users,Scans), total size in the
> neighborhood of 2TB. Both have 4 teamed 1G NICs, so a total bandwidth of 4G.
>
> I'm thinking of use robocopy. I would make a full copy over the weekend:
>
> Source=OldFS\F$
> Destination=NewFs\d$
>
> RoboCopy   /S /E /ZB /COPYALL /R:1 /W:1 /V /NP /NFL
> /NDL /LOG+:
>
> That should get everything, NTFS security and all sub-folders. I thought
> about the /MIR option, but I've never used it, and so am just a touch leery
> (perhaps illogically).
>
> The end goal is to:
> copy all the files and shares to the new FS;
> re-name and re-IP the old FS;
> power off the old FS;
> re-name and re-IP the new FS to the old name.
>
>  (this way I can power up the old FS, just in case I need it for something
> I've missed)
>
> That *should* make things transparent to the end users.
>
> (ordinarily, I would think about doing a restore from my backup program
> Networker. But this is a remote site, and I believe that doing a local
> robocopy will probably be faster than trying to restore 2TB of what is
> probably a lot of small user files and folders across a 1G link)
>
> What have I missed? What would make it better?
>
>
>




Re: [NTSysADM] Advice: migrate to new file server

2018-01-29 Thread Kurt Buff
I'm hoping that the data is on a separate partition from the OS.
That's pretty critical.

Some things to consider

- /S is redundant to /E - use just the /E
- /V will really slow down the copy job - I'd consider not using it,
as I've found robocopy to be very robust.
- If you shut down the server service on the old machine, you can use
/R:0 and /W:0
- Ditto for the /ZB switch - not needed in this situation, most
likely, if the server service is shut down
- If the partition on the new server is empty, you will not need /MIR
- You might want to do a first run with just the /CREATE switch - it
can really help mitigate disk/MFT fragmentation, and you won't need the
/MIR switch
- Don't forget to create the shares on the new machine

I won't go into using security in shares vs. NTFS, nor making sure
that shares aren't set at the root of a drive - I have my own thoughts
on those subjects, but that discussion is probably not relevant to
your task (I hope).

Kurt

On Mon, Jan 29, 2018 at 11:27 AM, Michael Leone  wrote:
> I'd like to impose once more for some advice and opinions. I have a Win 2008
> R2 file server; I need to migrate everything (shares and user home folders)
> to a Win 2012 R2 Storage Server, and then retire the old server. Everything
> is one 1 drive, with 3 main folders (Shares,Users,Scans), total size in the
> neighborhood of 2TB. Both have 4 teamed 1G NICs, so a total bandwidth of 4G.
>
> I'm thinking of use robocopy. I would make a full copy over the weekend:
>
> Source=OldFS\F$
> Destination=NewFs\d$
>
> RoboCopy   /S /E /ZB /COPYALL /R:1 /W:1 /V /NP /NFL
> /NDL /LOG+:
>
> That should get everything, NTFS security and all sub-folders. I thought
> about the /MIR option, but I've never used it, and so am just a touch leery
> (perhaps illogically).
>
> The end goal is to:
> copy all the files and shares to the new FS;
> re-name and re-IP the old FS;
> power off the old FS;
> re-name and re-IP the new FS to the old name.
>
>  (this way I can power up the old FS, just in case I need it for something
> I've missed)
>
> That *should* make things transparent to the end users.
>
> (ordinarily, I would think about doing a restore from my backup program
> Networker. But this is a remote site, and I believe that doing a local
> robocopy will probably be faster than trying to restore 2TB of what is
> probably a lot of small user files and folders across a 1G link)
>
> What have I missed? What would make it better?
>
>
>
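
The two-pass robocopy run Kurt lays out above, written up as an added
PowerShell example. It is not a script any poster supplied; the admin-share
paths, the log folder, and the assumption that the Server service on OldFS is
stopped (hence /R:0 /W:0 and no /ZB) are placeholders. It also shows the /NP
plus /TEE combination from the "migrate to new file server - UPDATE" thread
earlier on this page, and the registry export of share definitions that Klaus
mentions in his DFS-R reply above.

```powershell
# Added example (not from the thread): robocopy migration in the order Kurt
# suggests. Paths, log folder and the stopped Server service are assumptions.

$Source      = '\\OldFS\F$'
$Destination = '\\NewFS\D$'
$LogDir      = 'C:\MigrationLogs'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$Stamp = Get-Date -Format 'yyyyMMdd-HHmm'

# Switches used on every pass:
#  /E         all subdirectories including empty ones (/S is a subset of /E)
#  /COPYALL   data, attributes, timestamps, NTFS ACLs, owner, auditing info
#  /R:0 /W:0  no retries: with the old server's Server service stopped there
#             are no open handles worth waiting for, and /ZB is not needed
#  /NP        no per-file percentage lines in the log
#  /NFL /NDL  do not list every file and directory; errors and totals still appear
#  /TEE       echo to the console as well as the log
$Common = @('/E', '/COPYALL', '/R:0', '/W:0', '/NP', '/NFL', '/NDL', '/TEE')

# Pass 1: /CREATE lays down the directory tree and zero-length files, so the
# destination MFT is allocated before the bulk data arrives. Any
# "ERROR 5 (0x00000005)" lines here are the early list of folders whose ACLs
# exclude Administrators, found before 2 TB has been moved.
$Log1 = Join-Path $LogDir "pass1-create-$Stamp.log"
& robocopy.exe $Source $Destination /CREATE @Common "/LOG:$Log1"
$Exit1 = $LASTEXITCODE

# Pass 2: the full copy into the tree laid out above. No /MIR is needed here
# because the destination volume started empty.
$Log2 = Join-Path $LogDir "pass2-full-$Stamp.log"
& robocopy.exe $Source $Destination @Common "/LOG:$Log2"
$Exit2 = $LASTEXITCODE

# Robocopy exit codes are a bit mask: 1 = files copied, 2 = extra files at the
# destination, 4 = mismatches, 8 = some files or dirs failed, 16 = fatal error.
# Anything below 8 is a clean run.
foreach ($Pass in @(@{ Name = 'CREATE'; Code = $Exit1 }, @{ Name = 'FULL'; Code = $Exit2 })) {
    if ($Pass.Code -ge 8) {
        Write-Warning "$($Pass.Name) pass ended with exit code $($Pass.Code); search the log for ERROR"
    } else {
        Write-Host "$($Pass.Name) pass ended with exit code $($Pass.Code) (ok)"
    }
}

# Share definitions live in the registry of the old server. Export them for
# reference: the paths inside still say F:, so edit them before any import on
# NewFS, or recreate the shares there with New-SmbShare instead.
Invoke-Command -ComputerName 'OldFS' -ScriptBlock {
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares' 'C:\Windows\Temp\shares.reg' /y
}
Copy-Item -Path '\\OldFS\C$\Windows\Temp\shares.reg' -Destination $LogDir

# If users touched the source between passes, a later after-hours run with /MIR
# brings the destination back in line, deletions included. Only do that while
# NewFS is still unpublished, as the thread notes:
#   & robocopy.exe $Source $Destination /MIR @Common "/LOG:$(Join-Path $LogDir "pass3-mir-$Stamp.log")"
```

The exit-code check matters more than it looks: robocopy prints a tidy summary
even when thousands of files failed, and with /NFL in effect the only record
of which ones is in the log.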




Re: [NTSysADM] Server build recommendation

2018-01-28 Thread Kurt Buff
Good explanation - thanks for this.

Kurt

On Fri, Jan 26, 2018 at 3:12 PM,  <art.dekn...@cox.net> wrote:
> Windows Server Essentials 2016 allows you to use Hyper-V on the host and
> Essentials Server as a VM. The product use rights allows one Operating
> System Environment (OSE) with Essentials and it must be Essentials.
> Basically you do the first part of the install and then cancel adding the
> Essentials role. You add the Hyper-V role only on the physical host. Then
> you create a VM that runs Essentials only and configure it as wish. So you
> can do AD, DNS, DHCP. You can not run any other VMs on that physical box.
> This is where the licensing comes in. Technically you could, legally you
> can’t.
>
>
>
> The bigger question is what version of Timberline are they using? And are
> they going to upgrade that also? If so, you have more issues to overcome.
>
>
>
> As others have suggested. Get the Server 2016 Standard. Install just the
> Hyper-V role on the physical box. Then install Server 2016 Standard in the
> first VM and add then add ADDS, configure your DNS and DHCP. Then add the
> Essentials role. Be careful with the Essentials role. If you decide you need
> certificate services on the server, don’t install them before the Essentials
> role. You’ll get error messages. The Essentials role installs certificate
> services as part of its install.
>
>
>
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com]
> On Behalf Of Susan Bradley
> Sent: Friday, January 26, 2018 1:41 PM
> To: ntsysadm@lists.myitforum.com
> Subject: Re: [NTSysADM] Server build recommendation
>
>
>
> What he said.
>
> It gives you lots more options going forward.
>
>
>
> On 1/26/2018 12:32 PM, Michael B. Smith wrote:
>
> And to clear this up a little for Kurt…
>
>
>
> Essentials is available as a Windows Role and as a separate SKU.
>
>
>
> The separate SKU has built-in limitations as to what it can do (and is
> cheaper because of that).
>
>
>
> Most of those limitations do not apply to the Windows Role.
>
>
>
> So buy Windows Standard. Put it on the Hyper-V host. Create a VM. Install
> Windows Standard with the Essentials Role for that VM. You can still add
> another Windows Server Standard VM if you want (this is all based on
> licensing – nothing is built into Windows to enforce licensing). And you can
> install your client VM, but you do need a separate license for that. To be
> legal. But Windows Standard doesn’t care.
>
>
>
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com]
> On Behalf Of Susan Bradley
> Sent: Friday, January 26, 2018 3:17 PM
> To: ntsysadm@lists.myitforum.com
>
>
> Subject: Re: [NTSysADM] Server build recommendation
>
>
>
> My apologies I was thinking normal server, not Essentials.  I'd recommend
> normal Server because Essentials can't be a HyperV host.  Essentials has a
> funky virtualization eula/rights that it can hyperv but only itself and then
> it's only useful for Azure backup.
>
> Windows 10 - you now need a SA/VL license to have it be headless.
>
> SMB licensing isn't a cheap as it once was IMHO.
>
> I honestly would bump the budget up to normal server, that gives you 2
> server in 1 hyperV host.  You can still set up the Essentials role for easy
> remote access for people.
>
>
>
> On 1/26/2018 11:55 AM, Brian Desmond wrote:
>
> Pretty much.
>
>
>
> I believe Essentials has the same license grant as standard (one guest
> server VM) but I wouldn't quote myself on that. You'd have to license
> additional VMs beyond that.
>
>
>
> Thanks,
>
> Brian
>
>
>
>
>
> Thanks,
>
> Brian Desmond
>
>
>
> w – 312.625.1438 | c – 312.731.3132
>
>
>
> -Original Message-
>
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com]
> On Behalf Of Kurt Buff
>
> Sent: Friday, January 26, 2018 1:21 PM
>
> To: ntsysadm <ntsysadm@lists.myitforum.com>
>
> Subject: Re: [NTSysADM] Server build recommendation
>
>
>
> I've never played with Windows Essentials, and have very little experience
> with Hyper-V, so I'll need to do some more reading.
>
>
>
> Let me parrot back to you, to make sure I understood what you said.
>
>
>
> I can set up the new machine with Windows Essentials as a Hyper-V host, and
> use that, with the same media and license, to run a VM that will be the DC.
>
>
>
> Is that correct?
>
>
>
> If it is, could I also stand up a Win10 VM (with its own license, of
> course), and use that to run their property management software?
>
>
>
> How many V

Re: [NTSysADM] Server build recommendation

2018-01-28 Thread Kurt Buff
This sounds reasonable.

I'll work with them next week to get this going.

Kurt

On Fri, Jan 26, 2018 at 12:32 PM, Michael B. Smith
<mich...@smithcons.com> wrote:
> And to clear this up a little for Kurt…
>
>
>
> Essentials is available as a Windows Role and as a separate SKU.
>
>
>
> The separate SKU has built-in limitations as to what it can do (and is
> cheaper because of that).
>
>
>
> Most of those limitations do not apply to the Windows Role.
>
>
>
> So buy Windows Standard. Put it on the Hyper-V host. Create a VM. Install
> Windows Standard with the Essentials Role for that VM. You can still add
> another Windows Server Standard VM if you want (this is all based on
> licensing – nothing is built into Windows to enforce licensing). And you can
> install your client VM, but you do need a separate license for that. To be
> legal. But Windows Standard doesn’t care.
>
>
>
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com]
> On Behalf Of Susan Bradley
> Sent: Friday, January 26, 2018 3:17 PM
> To: ntsysadm@lists.myitforum.com
>
>
> Subject: Re: [NTSysADM] Server build recommendation
>
>
>
> My apologies I was thinking normal server, not Essentials.  I'd recommend
> normal Server because Essentials can't be a HyperV host.  Essentials has a
> funky virtualization eula/rights that it can hyperv but only itself and then
> it's only useful for Azure backup.
>
> Windows 10 - you now need a SA/VL license to have it be headless.
>
> SMB licensing isn't as cheap as it once was IMHO.
>
> I honestly would bump the budget up to normal server, that gives you 2
> servers in 1 hyperV host.  You can still set up the Essentials role for easy
> remote access for people.
>
>
>
> On 1/26/2018 11:55 AM, Brian Desmond wrote:
>
> Pretty much.
>
>
>
> I believe Essentials has the same license grant as standard (one guest
> server VM) but I wouldn't quote myself on that. You'd have to license
> additional VMs beyond that.
>
>
>
> Thanks,
>
> Brian
>
>
>
>
>
> Thanks,
>
> Brian Desmond
>
>
>
> w – 312.625.1438 | c – 312.731.3132
>
>
>
> -Original Message-
>
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com]
> On Behalf Of Kurt Buff
>
> Sent: Friday, January 26, 2018 1:21 PM
>
> To: ntsysadm <ntsysadm@lists.myitforum.com>
>
> Subject: Re: [NTSysADM] Server build recommendation
>
>
>
> I've never played with Windows Essentials, and have very little experience
> with Hyper-V, so I'll need to do some more reading.
>
>
>
> Let me parrot back to you, to make sure I understood what you said.
>
>
>
> I can set up the new machine with Windows Essentials as a Hyper-V host, and
> use that, with the same media and license, to run a VM that will be the DC.
>
>
>
> Is that correct?
>
>
>
> If it is, could I also stand up a Win10 VM (with its own license, of
> course), and use that to run their property management software?
>
>
>
> How many VMs does a license for Windows Essentials support? I don't see a
> need for more than two at this point, and the hardware will certainly
> support their needs, but I want to get myself educated before I go in there
> and make a mess.
>
>
>
> Kurt
>
>
>
> On Fri, Jan 26, 2018 at 7:57 AM, Susan Bradley <sbrad...@pacbell.net> wrote:
>
> In SMB space I don't see VMware as the virtualization platform of
>
> choice. I see HyperV, not to mention in a single host, you either go
>
> with what we used to do:  Host is not domain joined, hanging off the
>
> dhcp/dns of the firewall with static entries.  Or what you can do what
>
> we do now in the 2012 R2 and later era which is domain join the host
>
> to the DC-VM and it doesn't freak out and boots just fine without DHCP/DNS.
>
>
>
> I wouldn't use VMware.  I would do HyperV, and I would make these VMs.
>
> You never know even in SMB when you have a need for a virtual machine
>
> to stand up and test something, or a need for another server to put
>
> the application on.
>
>
>
>
>
> On 1/25/2018 8:29 PM, Kurt Buff wrote:
>
>
>
> VMware really wants a DNS server at boot time. If your DNS server is a
>
> VM on that host, it isn't there for VMware.
>
>
>
> This is a problem, to say the least.
>
>
>
> It's really the only reason why I have a DC on its own physical host
>
> in my server room.
>
>
>
> Kurt
>
>
>
> On Thu, Jan 25, 2018 at 7:36 PM, Susan Bradley <sbrad...@pacbell.net> wrote:
>
>
>
> Why two hosts?
>
>
>
>
>
>
>

Re: [NTSysADM] Server build recommendation

2018-01-26 Thread Kurt Buff
I've never played with Windows Essentials, and have very little
experience with Hyper-V, so I'll need to do some more reading.

Let me parrot back to you, to make sure I understood what you said.

I can set up the new machine with Windows Essentials as a Hyper-V
host, and use that, with the same media and license, to run a VM that
will be the DC.

Is that correct?

If it is, could I also stand up a Win10 VM (with its own license, of
course), and use that to run their property management software?

How many VMs does a license for Windows Essentials support? I don't
see a need for more than two at this point, and the hardware will
certainly support their needs, but I want to get myself educated
before I go in there and make a mess.

Kurt

On Fri, Jan 26, 2018 at 7:57 AM, Susan Bradley <sbrad...@pacbell.net> wrote:
> In SMB space I don't see VMware as the virtualization platform of choice. I
> see HyperV, not to mention in a single host, you either go with what we used
> to do:  Host is not domain joined, hanging off the dhcp/dns of the firewall
> with static entries.  Or what you can do what we do now in the 2012 R2 and
> later era which is domain join the host to the DC-VM and it doesn't freak
> out and boots just fine without DHCP/DNS.
>
> I wouldn't use VMware.  I would do HyperV, and I would make these VMs. You
> never know even in SMB when you have a need for a virtual machine to stand
> up and test something, or a need for another server to put the application
> on.
>
>
> On 1/25/2018 8:29 PM, Kurt Buff wrote:
>
> VMware really wants a DNS server at boot time. If your DNS server is a
> VM on that host, it isn't there for VMware.
>
> This is a problem, to say the least.
>
> It's really the only reason why I have a DC on its own physical host
> in my server room.
>
> Kurt
>
> On Thu, Jan 25, 2018 at 7:36 PM, Susan Bradley <sbrad...@pacbell.net> wrote:
>
> Why two hosts?
>
>
>
>
> On 1/25/2018 7:09 PM, Kurt Buff wrote:
>
> I had further discussion with them today.
>
> The LOB is Timberline property management software, and they're
> adamant about keeping it in-house. They were also set on Dell, so we
> finally settled on a Dell T430, with an H330 RAID card, and two 1tb
> NLSAS drives, and 16gb RAM. The Windows Essentials will come from
> Amazon for a lot less than what Dell was charging - and they weren't
> bundling Essentials with this machine anyway.
>
> They have moved their email to gmail (which was news to me - last I
> had heard from them they were still using their SBS 2003 Exchange).
>
> They also wanted to keep their RD1000 unit for backups, which seemed
> pretty reasonable - actually, they'll be getting a new RD1000 bundled
> into the new machine, and probably keep the old one for an emergency
> spare.
>
> I'm going to turn that server into a combined AD/DNS/DHCP and file
> server, and  I think I can convince them to keep their Timberline
> software on a domain-joined Win10 machine - it just gives me the
> shivers to install third party software on a DC.
>
> I didn't save them much on pricing (maybe $100-200), but I think I got
> them a much better machine.
>
> And, as a followup, once they have ordered it and it's in house, I'll
> be walking through their guy on setting it all up.
>
> If I could, I'd virtualize it all, but doing that right would involve
> two hosts, and more servers than they need, I think that it's pretty
> good the way we went.
>
> Kurt
>
> On Thu, Jan 25, 2018 at 9:11 AM, Susan E Bradley, CPA/CITP/CFF, GSEC
> <sbrad...@pacbell.net> wrote:
>
> What LOB needs do they have?  What storage?
>
> Premise peeps:  The Gen 10 Microserver doesn't have the fans it once had,
> my
> peeps are recommending HP ML110e
>
> Cloud peeps:  Do they really need a server or a rethinking of what they
> do
> needs to be done and office 365/mapped drive to Sharefile or Google drive
> would be a better plan going forward.  What LOB is keeping the need for
> the
> on premise server?
>
> These days, check that chip to see if it will get a spectre/meltdown
> patch.
>
>
> On 1/25/2018 8:18 AM, Rick Berry wrote:
>
> I'd suggest the consideration of something aftermarket as an option for
> them
> (since you said the words 'property management company' and having
> supported
> a few of those in the past I'll make crass generalizations about budget
> limitations/thriftiness)
>
> www.buysellservers.com  ... you can go build a 1U dell for instance with
> what you want in it (like a real RAID card) and also still get a
> drac/warranty/etc at aftermarket prices.
>
> We normally do new ourselves, but I'm also not against getting the
> occasional 1U 'a few years old but with a fresh warranty' de

Re: [NTSysADM] Palo Alto Endpoint Security Trapps?

2018-01-26 Thread Kurt Buff
Definitely heard of it, and we're looking to certify our offering to one
customer with it, which might provide us with the impetus to drop our
current AV (ESET), which I'm not terribly thrilled with, as the management
interface for it is overly complex. ESET performs OK on the endpoint, but
trying to deal with configuration from the web interface is stupid and
painful.

Kurt

On Fri, Jan 26, 2018 at 5:57 AM, David McSpadden  wrote:

> Anyone using or heard of this?
>
>
>
> *David McSpadden*
>
> Systems Administrator
>
> Indiana Members Credit Union
>
> P: 317.554.8190 | F: 317.554.8106
>
> 
>



Re: [NTSysADM] Server build recommendation

2018-01-25 Thread Kurt Buff
VMware really wants a DNS server at boot time. If your DNS server is a
VM on that host, it isn't there for VMware.

This is a problem, to say the least.

It's really the only reason why I have a DC on its own physical host
in my server room.

Kurt

On Thu, Jan 25, 2018 at 7:36 PM, Susan Bradley <sbrad...@pacbell.net> wrote:
> Why two hosts?
>
>
>
>
> On 1/25/2018 7:09 PM, Kurt Buff wrote:
>>
>> I had further discussion with them today.
>>
>> The LOB is Timberline property management software, and they're
>> adamant about keeping it in-house. They were also set on Dell, so we
>> finally settled on a Dell T430, with an H330 RAID card, and two 1tb
>> NLSAS drives, and 16gb RAM. The Windows Essentials will come from
>> Amazon for a lot less than what Dell was charging - and they weren't
>> bundling Essentials with this machine anyway.
>>
>> They have moved their email to gmail (which was news to me - last I
>> had heard from them they were still using their SBS 2003 Exchange).
>>
>> They also wanted to keep their RD1000 unit for backups, which seemed
>> pretty reasonable - actually, they'll be getting a new RD1000 bundled
>> into the new machine, and probably keep the old one for an emergency
>> spare.
>>
>> I'm going to turn that server into a combined AD/DNS/DHCP and file
>> server, and  I think I can convince them to keep their Timberline
>> software on a domain-joined Win10 machine - it just gives me the
>> shivers to install third party software on a DC.
>>
>> I didn't save them much on pricing (maybe $100-200), but I think I got
>> them a much better machine.
>>
>> And, as a followup, once they have ordered it and it's in house, I'll
>> be walking through their guy on setting it all up.
>>
>> If I could, I'd virtualize it all, but doing that right would involve
>> two hosts, and more servers than they need, I think that it's pretty
>> good the way we went.
>>
>> Kurt
>>
>> On Thu, Jan 25, 2018 at 9:11 AM, Susan E Bradley, CPA/CITP/CFF, GSEC
>> <sbrad...@pacbell.net> wrote:
>>>
>>> What LOB needs do they have?  What storage?
>>>
>>> Premise peeps:  The Gen 10 Microserver doesn't have the fans it once had,
>>> my
>>> peeps are recommending HP ML110e
>>>
>>> Cloud peeps:  Do they really need a server or a rethinking of what they
>>> do
>>> needs to be done and office 365/mapped drive to Sharefile or Google drive
>>> would be a better plan going forward.  What LOB is keeping the need for
>>> the
>>> on premise server?
>>>
>>> These days, check that chip to see if it will get a spectre/meltdown
>>> patch.
>>>
>>>
>>> On 1/25/2018 8:18 AM, Rick Berry wrote:
>>>
>>> I'd suggest the consideration of something aftermarket as an option for
>>> them
>>> (since you said the words 'property management company' and having
>>> supported
>>> a few of those in the past I'll make crass generalizations about budget
>>> limitations/thriftiness)
>>>
>>> www.buysellservers.com  ... you can go build a 1U dell for instance with
>>> what you want in it (like a real RAID card) and also still get a
>>> drac/warranty/etc at aftermarket prices.
>>>
>>> We normally do new ourselves, but I'm also not against getting the
>>> occasional 1U 'a few years old but with a fresh warranty' dell for
>>> swiss-army-knife server basic stuff like a dc/dns/ad/dhcp box.
>>>
>>> So sometimes we'll grab something like an R420 poweredge and put a RAID
>>> card
>>> in it/drac it and even ESXi it to internal USB bootable for a few grand
>>> less
>>> than new (but still with new hd's)
>>>
>>> Just throwing it out there, I know folks sometimes cringe at the 'used'
>>> market but in certain situations it works.
>>>
>>>
>>>
>>> -Original Message-
>>> From: listsad...@lists.myitforum.com
>>> [mailto:listsad...@lists.myitforum.com]
>>> On Behalf Of Kurt Buff
>>> Sent: Wednesday, January 24, 2018 6:46 PM
>>> To: ntsysadm <NTSysADM@lists.myitforum.com>
>>> Subject: [NTSysADM] Server build recommendation
>>>
>>> The owner of a small 5-6 person property management company has
>>> approached
>>> me to help acquire a new server. They're currently running a 10+yo
>>> machine
>>> with SBS 2003, and wish to replace it.
>>>
>>> They've migrated their email to gmail, so don't need exchange, but do
>>> want a
>>> DC for account management, DHCP/DNS, etc., so they're looking to go with
>>> Server Essentials.
>>>
>>> The fellow he's nominated at his firm to be their sysadmin is quite
>>> green,
>>> and got a quote from Dell for a tower box with a software RAID card, and
>>> I
>>> told them to hold off on that purchase, while I look at alternatives.
>>>
>>> I was leaning toward an HP Microserver, but haven't played with one in
>>> years, and it looks like the current generation is using an AMD
>>> processor,
>>> and doesn't come with a RAID card to support RAID1.
>>>
>>> Anyone have a recommendation they can make regarding hardware?
>>>
>>> Kurt
>>>
>>>
>>>
>>
>>
>
>
>




[NTSysADM] Server build recommendation

2018-01-24 Thread Kurt Buff
The owner of a small 5-6 person property management company has
approached me to help acquire a new server. They're currently running
a 10+yo machine with SBS 2003, and wish to replace it.

They've migrated their email to gmail, so don't need exchange, but do
want a DC for account management, DHCP/DNS, etc., so they're looking
to go with Server Essentials.

The fellow he's nominated at his firm to be their sysadmin is quite
green, and got a quote from Dell for a tower box with a software RAID
card, and I told them to hold off on that purchase, while I look at
alternatives.

I was leaning toward an HP Microserver, but haven't played with one in
years, and it looks like the current generation is using an AMD
processor, and doesn't come with a RAID card to support RAID1.

Anyone have a recommendation they can make regarding hardware?

Kurt




Re: [NTSysADM] SQL Server question

2018-01-22 Thread Kurt Buff
Yep. I'm thinking of applying CU9, to get it up to speed.

Kurt

On Mon, Jan 22, 2018 at 2:49 PM, Michael B. Smith <mich...@smithcons.com> wrote:
> I think Nathan's link says that 5556 is CU7 beyond SP2.
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Kurt Buff
> Sent: Monday, January 22, 2018 5:37 PM
> To: ntsysadm
> Subject: Re: [NTSysADM] SQL Server question
>
> Sigh.
>
> OK.
>
> I'll look at manually applying SP2 (or if that turns out to be already
> in use, CU9, or somesuch.)
>
> Kurt
>
> On Mon, Jan 22, 2018 at 2:26 PM, Michael B. Smith <mich...@smithcons.com> 
> wrote:
>> I think the detection logic only looks at the SQL Engine.
>>
>> If you assign anything else you need to reapply the sp.
>>
>> I'm not a SQL expert, but I have run into this before.
>>
>> -Original Message-
>> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
>> On Behalf Of Kurt Buff
>> Sent: Monday, January 22, 2018 5:18 PM
>> To: ntsysadm
>> Subject: Re: [NTSysADM] SQL Server question
>>
>> No:
>> ReportingServicesService.exe: 2014.0.5000.0
>> sqlserver.exe: 2014.120.5556.0
>> sqlagent.exe: 2014.120.5556.0
>>
>> But the thing that baffles me is that my WSUS machine isn't showing
>> that this machine wants SP2 installed again, and when I went to
>> Windows Update on the server in question, it said there weren't any
>> waiting.
>>
>> Kurt
>>
>> On Mon, Jan 22, 2018 at 1:46 PM, Michael B. Smith <mich...@smithcons.com> 
>> wrote:
>>> Are the file versions of ssrs matching sp2?
>>>
>>> -Original Message-
>>> From: listsad...@lists.myitforum.com 
>>> [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
>>> Sent: Monday, January 22, 2018 4:00 PM
>>> To: ntsysadm
>>> Subject: [NTSysADM] SQL Server question
>>>
>>> I just installed SSRS on a couple of instances on a SQL Server 2014 box.
>>>
>>> All went smoothly, but at the end of the installation, I got a message
>>> stating that SP2 was missing from the instances.
>>>
>>> I checked installed updates, and SP2 is listed.
>>>
>>> Color me a bit confused - can anyone give me an idea of what's going on?
>>>
>>> Kurt
>>>
>>>
>>
>>
>
>




Re: [NTSysADM] SQL Server question

2018-01-22 Thread Kurt Buff
Sigh.

OK.

I'll look at manually applying SP2 (or if that turns out to be already
in use, CU9, or somesuch.)

Kurt

On Mon, Jan 22, 2018 at 2:26 PM, Michael B. Smith <mich...@smithcons.com> wrote:
> I think the detection logic only looks at the SQL Engine.
>
> If you assign anything else you need to reapply the sp.
>
> I'm not a SQL expert, but I have run into this before.
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Kurt Buff
> Sent: Monday, January 22, 2018 5:18 PM
> To: ntsysadm
> Subject: Re: [NTSysADM] SQL Server question
>
> No:
> ReportingServicesService.exe: 2014.0.5000.0
> sqlserver.exe: 2014.120.5556.0
> sqlagent.exe: 2014.120.5556.0
>
> But the thing that baffles me is that my WSUS machine isn't showing
> that this machine wants SP2 installed again, and when I went to
> Windows Update on the server in question, it said there weren't any
> waiting.
>
> Kurt
>
> On Mon, Jan 22, 2018 at 1:46 PM, Michael B. Smith <mich...@smithcons.com> 
> wrote:
>> Are the file versions of ssrs matching sp2?
>>
>> -Original Message-
>> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
>> On Behalf Of Kurt Buff
>> Sent: Monday, January 22, 2018 4:00 PM
>> To: ntsysadm
>> Subject: [NTSysADM] SQL Server question
>>
>> I just installed SSRS on a couple of instances on a SQL Server 2014 box.
>>
>> All went smoothly, but at the end of the installation, I got a message
>> stating that SP2 was missing from the instances.
>>
>> I checked installed updates, and SP2 is listed.
>>
>> Color me a bit confused - can anyone give me an idea of what's going on?
>>
>> Kurt
>>
>>
>
>
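Michael's point is that the service pack detection only checks the engine, so a component added afterwards (SSRS here) can sit on an older build than sqlservr.exe and sqlagent.exe on the same instance. The following is an added example, not code from this thread: it reads the file versions of the engine, Agent and Reporting Services binaries for every instance on the local machine, via the service names Windows registers for them, and flags instances whose components are not all on the same build. The "2014.120.5556.0" form quoted above is the FileMajor/Minor/Build/Private parts of the file version.

```powershell
# Added example (not from the thread): per-instance build consistency check
# for SQL Server engine, Agent and Reporting Services binaries.

function Get-SqlComponentBuild {
    [CmdletBinding()]
    param()

    # Service-name patterns: default instance on the left alternative,
    # named instances (MSSQL$NAME, SQLAgent$NAME, ReportServer$NAME) on the right.
    $patterns = [ordered]@{
        Engine = '^(MSSQLSERVER|MSSQL\$.+)$'
        Agent  = '^(SQLSERVERAGENT|SQLAgent\$.+)$'
        SSRS   = '^(ReportServer|ReportServer\$.+)$'
    }

    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $component = $null
        foreach ($p in $patterns.GetEnumerator()) {
            if ($svc.Name -match $p.Value) { $component = $p.Key; break }
        }
        if (-not $component) { continue }

        # PathName looks like: "C:\...\Binn\sqlservr.exe" -sMSSQLSERVER
        if ($svc.PathName -notmatch '^"?([^"]+?\.exe)') { continue }
        $exe = $Matches[1]

        # Named-instance services carry the instance name after the '$'.
        $instance = if ($svc.Name -match '\$(.+)$') { $Matches[1] } else { 'MSSQLSERVER' }

        $build = 'unreadable'
        try {
            $vi = (Get-Item -LiteralPath $exe -ErrorAction Stop).VersionInfo
            # Same fields the file-properties dialog shows, e.g. 2014.120.5556.0
            $build = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
        } catch { }

        [pscustomobject]@{
            Instance  = $instance
            Component = $component
            Service   = $svc.Name
            Binary    = $exe
            Build     = $build
        }
    }
}

function Test-SqlBuildConsistency {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [object]$ComponentBuild)
    begin { $all = @() }
    process { $all += $ComponentBuild }
    end {
        foreach ($g in ($all | Group-Object Instance)) {
            $builds = @($g.Group.Build | Sort-Object -Unique)
            [pscustomobject]@{
                Instance   = $g.Name
                Consistent = ($builds.Count -eq 1)
                Components = ($g.Group | ForEach-Object { '{0}={1}' -f $_.Component, $_.Build }) -join '; '
            }
        }
    }
}

# Usage: Consistent = False marks an instance where one component (typically
# one installed after the SP/CU, as with SSRS in this thread) is on an older
# build than the engine and needs the service pack or CU reapplied.
Get-SqlComponentBuild | Test-SqlBuildConsistency | Format-Table -AutoSize
```

Wrap the two functions in Invoke-Command to run the same check against a list of remote SQL hosts.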




Re: [NTSysADM] SQL Server question

2018-01-22 Thread Kurt Buff
OK - someone offlist kindly sent me this link:
https://sqlserverbuilds.blogspot.com/

From that list, it looks as if SP2 is installed, and SSRS grabbed the
necessary files for it from somewhere (online or locally, but I don't
know where.)

However, file version 2014.120.5556.0 is listed as CU7, while
2014.0.5000.0 is bare SP2.

And, I don't see the machine listed as wanting/needing CU7/8/9 at the moment.

I think I need to dig a bit deeper on this.

On Mon, Jan 22, 2018 at 1:46 PM, Michael B. Smith <mich...@smithcons.com> wrote:
> Are the file versions of ssrs matching sp2?
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Kurt Buff
> Sent: Monday, January 22, 2018 4:00 PM
> To: ntsysadm
> Subject: [NTSysADM] SQL Server question
>
> I just installed SSRS on a couple of instances on a SQL Server 2014 box.
>
> All went smoothly, but at the end of the installation, I got a message
> stating that SP2 was missing from the instances.
>
> I checked installed updates, and SP2 is listed.
>
> Color me a bit confused - can anyone give me an idea of what's going on?
>
> Kurt
>
>




Re: [NTSysADM] SQL Server question

2018-01-22 Thread Kurt Buff
No:
ReportingServicesService.exe: 2014.0.5000.0
sqlserver.exe: 2014.120.5556.0
sqlagent.exe: 2014.120.5556.0

But the thing that baffles me is that my WSUS machine isn't showing
that this machine wants SP2 installed again, and when I went to
Windows Update on the server in question, it said there weren't any
waiting.

Kurt

On Mon, Jan 22, 2018 at 1:46 PM, Michael B. Smith <mich...@smithcons.com> wrote:
> Are the file versions of ssrs matching sp2?
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Kurt Buff
> Sent: Monday, January 22, 2018 4:00 PM
> To: ntsysadm
> Subject: [NTSysADM] SQL Server question
>
> I just installed SSRS on a couple of instances on a SQL Server 2014 box.
>
> All went smoothly, but at the end of the installation, I got a message
> stating that SP2 was missing from the instances.
>
> I checked installed updates, and SP2 is listed.
>
> Color me a bit confused - can anyone give me an idea of what's going on?
>
> Kurt
>
>




[NTSysADM] SQL Server question

2018-01-22 Thread Kurt Buff
I just installed SSRS on a couple of instances on a SQL Server 2014 box.

All went smoothly, but at the end of the installation, I got a message
stating that SP2 was missing from the instances.

I checked installed updates, and SP2 is listed.

Color me a bit confused - can anyone give me an idea of what's going on?

Kurt




Re: [NTSysADM] domain admin account passwords management

2018-01-17 Thread Kurt Buff
Our domain has been promoted from NT4 to 2003, 2008 R2 and 2012R2, and we
now have a DC at 2016.

Someone, before I got here, disabled the Administrator account and renamed
it, which is kind of silly, but I've never felt the need to rename it back
to Administrator.

There are 4 DA accounts, one for each member of my team; they are separate
from our non-privileged user, workstation administration and server
administrator accounts.

Our DA passwords are covered by the same FGPP as our user accounts,
requiring complexity, 16+ characters, change every 365 days. I'd like to
set the elevated privilege account password expirations shorter, but I'd
get a lot of pushback from the team, so I can't get away with it.

I agree with MBS that if the Administrator account hasn't been disabled it
should have a max length password that is kept securely.

Service accounts are not DAs - they get whatever privileges are necessary,
and only that.

We use a product from Thycotic which, in an edition that's more
featureful/expensive than what we have, can manage service accounts and
change the passwords for you. There are similar offerings from other
companies.

Also, Active Directory has MSAs (Managed Service Accounts) and GMSAs,
(Group Managed Service Accounts) which you should investigate - but I
haven't had a chance to implement them, so can't comment much further.

Kurt

On Wed, Jan 17, 2018 at 9:00 AM, David McSpadden  wrote:

> I know we have LAPS for local admins.
>
> What is everyone doing for domain admin account passwords management and
> compliance?
>
> We are being asked to change passwords every 90 days and most of the
> domain admins are service accounts?
>
> So…what does everyone else do to automate/manage this?
>
>
>
>
>
> *David McSpadden*
>
> Systems Administrator
>
> Indiana Members Credit Union
>
> P: 317.554.8190 | F: 317.554.8106
>
> 
>
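The two halves of the question above (human domain admin passwords on a 90-day cycle, and service accounts that are currently domain admins) map onto two AD features mentioned in the reply: a Fine-Grained Password Policy scoped to the privileged group, and group managed service accounts. The following is an added example, not code from this list: policy name, group, account and host names are placeholders, and the 90-day/16-character values are illustrative.

```powershell
# Added example (not from the thread): a PSO that shortens password age for
# privileged accounts only, plus a gMSA so a service account rotates its own
# password. All names and values below are placeholders.
Import-Module ActiveDirectory

$policyName = 'PSO-PrivilegedAccounts'   # placeholder
$group      = 'Domain Admins'

# 1. Fine-Grained Password Policy for the DA group. Lower Precedence wins when
#    several PSOs apply to one account, so give this one a low number.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $policyName `
        -Precedence 10 `
        -ComplexityEnabled $true `
        -MinPasswordLength 16 `
        -PasswordHistoryCount 24 `
        -MaxPasswordAge (New-TimeSpan -Days 90) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -LockoutThreshold 5 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
}
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $group

# 2. Verify which policy actually applies to each DA account. A null result
#    from Get-ADUserResultantPasswordPolicy means the default domain policy.
Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $pso = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            Account        = $_.SamAccountName
            EffectivePSO   = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
            MaxPasswordAge = if ($pso) { $pso.MaxPasswordAge } else { (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge }
        }
    } | Format-Table -AutoSize

# 3. Service account as a gMSA: the DCs generate and rotate the password
#    (every 30 days here) and only the listed computer can retrieve it, so
#    nobody has to know or change it. Needs a KDS root key once per forest;
#    -EffectiveImmediately still takes about ten hours to be usable on all DCs.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }
New-ADServiceAccount -Name 'svc-app01' `                       # placeholder
    -DNSHostName 'svc-app01.corp.example' `                    # placeholder
    -PrincipalsAllowedToRetrieveManagedPassword 'APP01$' `     # placeholder host
    -ManagedPasswordIntervalInDays 30
```

On the application host, Install-ADServiceAccount makes the gMSA usable and the service is then configured to log on as svc-app01$ with a blank password.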



Re: [NTSysADM] Using PS to query date of latest Windows Updates installed

2018-01-16 Thread Kurt Buff
help get-hotfix -full

For your purposes this might work, if you have a small number of computers:
( get-hotfix -computername work1, work2, work3 | sort installedon )[-1]

Kurt

On Tue, Jan 16, 2018 at 12:37 PM, Michael Leone  wrote:
> I'm drawing a blank on this. I need to query a set of clients, and return
> the date that Windows Updates was last run (date updates were installed).
> Then I will email this to the appropriate person.
>
> I'm finding lots of ways to query for the list of needed updates, or a list
> of the installed updates,  but not for the last date/time when updates were
> actually installed. Clue/pointer, anyone? I remember something about a user
> created WSUS module that might have that as a function, but for the life of
> me, I'm not finding it.
>
> Thanks
>
> (I originally sent this to the powersh...@lists.myitforum.com , but it said
> I didn't have permission to post there. Dunno why, I used to be able to post
> there .. and the return message didn't include instructions on how to sign
> back up)
>
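Building on the Get-HotFix one-liner above, here is an added example (not Michael's or Kurt's code) that does the per-computer version of the same query and handles the two things that bite in practice: InstalledOn is blank on some entries, and unreachable machines should show up in the report rather than abort it. Computer names, the 45-day threshold and the mail settings are placeholders.

```powershell
# Added example (not from the thread): latest hotfix install date per computer.
function Get-LastHotfixDate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]]$ComputerName
    )
    foreach ($name in $ComputerName) {
        try {
            # InstalledOn is empty for some QFE records, so drop those before
            # sorting instead of letting a null land at either end of the list.
            $latest = Get-HotFix -ComputerName $name -ErrorAction Stop |
                Where-Object { $_.InstalledOn } |
                Sort-Object InstalledOn -Descending |
                Select-Object -First 1
            [pscustomobject]@{
                ComputerName = $name
                LastInstall  = $latest.InstalledOn
                HotFixID     = $latest.HotFixID
                DaysAgo      = if ($latest) { [int]((Get-Date) - $latest.InstalledOn).TotalDays } else { $null }
                Error        = $null
            }
        } catch {
            # Keep the failure in the same table so it reaches the recipient.
            [pscustomobject]@{
                ComputerName = $name
                LastInstall  = $null
                HotFixID     = $null
                DaysAgo      = $null
                Error        = $_.Exception.Message
            }
        }
    }
}

# Usage: report everything, and mail only the machines that look stale or
# could not be queried. Names and SMTP settings are placeholders.
$report = Get-LastHotfixDate -ComputerName 'work1', 'work2', 'work3'
$report | Format-Table -AutoSize

$stale = $report | Where-Object { $_.Error -or $_.DaysAgo -gt 45 }
if ($stale) {
    $body = $stale | Format-Table -AutoSize | Out-String
    Send-MailMessage -SmtpServer 'smtp.example.invalid' `
        -From 'patching@example.invalid' -To 'ops@example.invalid' `
        -Subject 'Computers with stale or unknown Windows Update status' -Body $body
}
```

Note that Get-HotFix only lists QFE-style updates (Win32_QuickFixEngineering), so a machine whose most recent change was a feature upgrade may report an older date than expected.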




[NTSysADM] Well, someone had to do it...

2018-01-07 Thread Kurt Buff
https://xkcd.com/1938/




Re: [NTSysADM] RE: Question regarding how AD is evaluating account lockout status

2018-01-04 Thread Kurt Buff
 STFW for ilspy 

Oh, that's interesting. I don't believe I've heard of that before - looks
quite useful for real programmers, which unfortunately doesn't include me.

Still, might be worth looking through some powershell cmdlets to see what I
can see.

Thanks,

Kurt

On Thu, Jan 4, 2018 at 2:26 PM, Michael B. Smith 
wrote:

> I don’t know the answer to your question, but I’ll tell you how I’d figure
> it out.
>
>
>
> Two ways:
>
>
>
> [1] Use ILSpy and look at the cmdlet code.
>
>
>
> [2] look at both lists of users and figure out the differences by
> comparing a few users and their attributes.
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] *On Behalf Of *Christopher Bodnar
> *Sent:* Thursday, January 4, 2018 4:38 PM
> *To:* ntsysadm@lists.myitforum.com
> *Subject:* [NTSysADM] Question regarding how AD is evaluating account
> lockout status
>
>
>
> Got an AD question I was hoping someone can shed some light on for me. I
> don’t think anything is wrong, but just wanted to understand this a little
> better.  It has to do with how AD is evaluating that an account is “locked
> out”.  So for example if I run this PowerShell command:
>
>
>
> *Search-ADAccount -lockedout *
>
>
>
> I get 347 results. But if I run this  LDAP query:
>
>
>
> *(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))*
>
>
>
> I get 454. So it seems there are 107 accounts that have the “lockoutTime”
> attribute set, but are NOT considered “locked out” by AD. That’s where I’m
> having problems understanding why. Also note our Account Lockout Duration
> is “0” so there should be no gap when an account is automatically enabled
> and a user logs back in for the first time.  All locked out accounts need
> to be unlocked by an Admin in our environment.
>
>
>
> Also I’m pretty sure that the LOCKOUT value of the userAccountControl
> attribute (16) is not an accurate way to determine this.
>
>
>
> So for these 107 accounts that AD does not consider locked out, but have a
> lockoutTime greater than 0, how is that being evaluated? My understanding
> was that AD evaluates this for an authentication request, and looks at the
> badPwdCount, lockoutTime, and lockout duration policy in AD if applicable.
> So for example if a user has hit 5 bad passwords (and the account lockout
> threshold is 5), AD will then look at the lockoutTime value, and the
> account lockout Duration value in Group Policy if applicable, and if the
> time is past the sum of those 2 values, the badPwdCount and LockoutTime
> values are reset, and the account is considered unlocked. Otherwise it
> evaluates to locked out.
>
>
>
> Another factor is that I don’t see any correlation in the badPwdcount
> value for these 2 groups of users. That value seems to be all over the
> place, including null values. Which is another thing I don’t understand.
> How can an account be locked out, and the badPwdCount value be NULL? If an
> account was locked out, that value had to increment, and even if it’s
> reset, it goes to 0, not back to NULL.
>
>
>
> Also I’m very familiar with Richard Mueller’s article on this topic:
>
>
>
> https://social.technet.microsoft.com/wiki/contents/articles/32490.active-directory-bad-passwords-and-account-lockout.aspx
>
>
>
>
>
>
>
> Appreciate any input.
>
>
>
> Thanks
>
>
>
>
>
>
>
> *Christopher Bodnar*
> Enterprise Architect II, Corporate Office of Technology:Enterprise
> Architecture and Engineering Services
>
> Tel 610-807-6459
> 3900 Burgess Place, Bethlehem, PA 18017
> 
> christopher_bod...@glic.com
>
> [image: cid:image001.png@01D1326B.600058E0]
>
> * The Guardian Life Insurance Company of America*
>
> * www.guardianlife.com *
>
>
>
>
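The evaluation the quoted question describes (a non-zero lockoutTime is a lockout only while the domain's lockout duration has not yet run out, checked when an authentication request arrives), worked through as an added example for this archive page. It is not code from the thread, from Microsoft, or from the article linked above. It assumes attribute values read from AD as raw integers: lockoutTime as a FILETIME (100-ns ticks since 1601-01-01 UTC), the domain's lockoutDuration as a negative 100-ns interval, and the "administrator must unlock" setting stored as the sentinel -2^63. The account data is constructed, and the function and variable names are the example's own.

```python
"""Evaluate AD account lockout from raw lockoutTime / lockoutDuration values.

Added example for this page; not code from the thread.  All account data is
constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_AUTO_UNLOCK = -(1 << 63)   # lockoutDuration sentinel: an admin must unlock
UAC_LOCKOUT = 0x0010             # userAccountControl LOCKOUT flag (not maintained by AD)


def filetime_to_datetime(ticks: int) -> datetime:
    """lockoutTime is a FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def lockout_duration_to_timedelta(interval: int) -> Optional[timedelta]:
    """Domain lockoutDuration is a negative 100-ns interval; None means forever."""
    if interval == NEVER_AUTO_UNLOCK:
        return None
    return timedelta(microseconds=abs(interval) // 10)


def evaluate_lockout(lockout_time: int, user_account_control: int,
                     lockout_duration: int, now: datetime) -> Dict[str, bool]:
    """Mirror the DC's decision at authentication time.

    The account is locked only if lockoutTime is non-zero and either the
    duration is "forever" or lockoutTime + lockoutDuration is still ahead of now.
    """
    if lockout_time == 0:
        locked = False
    else:
        duration = lockout_duration_to_timedelta(lockout_duration)
        locked = duration is None or now < filetime_to_datetime(lockout_time) + duration
    uac_says_locked = bool(user_account_control & UAC_LOCKOUT)
    return {
        "locked": locked,
        # lockoutTime still set although the window has expired: the DC clears
        # it only when it next evaluates a logon, so a report keyed on
        # "lockoutTime > 0" counts these accounts as locked when they are not.
        "stale_lockout_time": lockout_time != 0 and not locked,
        # the LOCKOUT bit in userAccountControl is not kept current by AD
        "uac_bit_disagrees": uac_says_locked != locked,
    }


def constructed_report(now: datetime = datetime(2018, 2, 1, 12, 0, tzinfo=timezone.utc)):
    """Run the evaluation over constructed sample accounts (not real data)."""
    thirty_minutes = -30 * 60 * 10_000_000          # domain lockoutDuration of 30 min
    normal_account = 0x0200                          # NORMAL_ACCOUNT, LOCKOUT bit clear
    accounts = {
        # name: (lockoutTime, userAccountControl, domain lockoutDuration)
        "alice": (datetime_to_filetime(now - timedelta(minutes=10)), normal_account, thirty_minutes),
        "bob":   (datetime_to_filetime(now - timedelta(hours=2)),    normal_account, thirty_minutes),
        "carol": (0,                                                 normal_account, thirty_minutes),
        "dave":  (datetime_to_filetime(now - timedelta(days=5)),     normal_account, NEVER_AUTO_UNLOCK),
    }
    return {name: evaluate_lockout(lt, uac, dur, now)
            for name, (lt, uac, dur) in accounts.items()}


if __name__ == "__main__":
    for name, state in constructed_report().items():
        print(f"{name:6} locked={state['locked']!s:5} "
              f"stale_lockoutTime={state['stale_lockout_time']!s:5} "
              f"uac_bit_disagrees={state['uac_bit_disagrees']}")
```

Two things the sample makes concrete: "bob" has a non-zero lockoutTime but an expired window, so the DC treats him as unlocked and the attribute stays set until the next logon evaluation, and "alice" and "dave" are locked while their userAccountControl LOCKOUT bit is clear, because AD does not maintain that bit (the constructed attribute msDS-User-Account-Control-Computed is where it is meaningful). On the null badPwdCount question: badPwdCount is not replicated between DCs, so a query against one DC can show the attribute absent even though another DC, or the PDC emulator, has counted the attempts.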



Re: [NTSysADM] Oh, this one really hurts...

2018-01-03 Thread Kurt Buff
Close to zero? Any bets on when this year someone publishes a PoC?

Kurt

On Wed, Jan 3, 2018 at 7:25 PM, Michael B. Smith <mich...@smithcons.com> wrote:
> Win10 (and Server 1709) patch is out: 
> https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892
>
> Note that it only installs if the A/V vendor has updated their engine! (Or 
> you are using Windows Defender.)
>
> There are 3 bugs according to Google. AMD is vulnerable to only one of them 
> and AMD says that the chances of that bug being hit are close to zero.
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Kurt Buff
> Sent: Wednesday, January 3, 2018 8:12 PM
> To: ntsysadm
> Subject: Re: [NTSysADM] Oh, this one really hurts...
>
> No, it's not trivial. And I have to believe it's going to be cloud
> providers who are hardest hit, initially.
>
> First, MSFT is releasing a patch for Win10 today:
> https://www.theverge.com/2018/1/3/16846784/microsoft-processor-bug-windows-10-fix
>
> Second, it's not just Intel - it seems to also affect AMD and ARM64:
> https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
>
> But AMD says it's not vulnerable:
> https://lkml.org/lkml/2017/12/27/2
>
> And, now it's *two* bugs, not just one:
> https://meltdownattack.com/
>
> And lastly, these flaws, along with this:
> https://www.thezdi.com/blog/2017/10/04/vmware-escapology-how-to-houdini-the-hypervisor
>
> make me more leery than ever of cloud services...
>
> Kurt
>
> On Wed, Jan 3, 2018 at 4:39 PM, Mark Gottschalk <mgo...@2roads.com> wrote:
>> "...The effects are still being benchmarked, however we're looking at a
>> ballpark figure of five to 30 per cent slow down, depending on the task and
>> the processor model..."
>>
>> PostgreSQL: 10%-23% slowdown.
>>
>> Wow. That is not trivial.
>>
>>
>>
>>
>> From:Kurt Buff <kurt.b...@gmail.com>
>> To:ntsysadm <NTSysADM@lists.myitforum.com>, Patch Management Mailing
>> List <patchmanagem...@listserv.patchmanagement.org>
>> Date:01/02/2018 06:59 PM
>> Subject:[NTSysADM] Oh, this one really hurts...
>> Sent by:<listsad...@lists.myitforum.com>
>> 
>>
>>
>>
>> "A fundamental design flaw in Intel's processor chips has forced a
>> significant redesign of the Linux and Windows kernels to defang the
>> chip-level security bug."
>>
>> http://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
>>
>>
>>
>>
>
>




Re: [NTSysADM] Oh, this one really hurts...

2018-01-03 Thread Kurt Buff
No, it's not trivial. And I have to believe it's going to be cloud
providers who are hardest hit, initially.

First, MSFT is releasing a patch for Win10 today:
https://www.theverge.com/2018/1/3/16846784/microsoft-processor-bug-windows-10-fix

Second, it's not just Intel - it seems to also affect AMD and ARM64:
https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

But AMD says it's not vulnerable:
https://lkml.org/lkml/2017/12/27/2

And, now it's *two* bugs, not just one:
https://meltdownattack.com/

And lastly, these flaws, along with this:
https://www.thezdi.com/blog/2017/10/04/vmware-escapology-how-to-houdini-the-hypervisor

make me more leery than ever of cloud services...

Kurt

On Wed, Jan 3, 2018 at 4:39 PM, Mark Gottschalk <mgo...@2roads.com> wrote:
> "...The effects are still being benchmarked, however we're looking at a
> ballpark figure of five to 30 per cent slow down, depending on the task and
> the processor model..."
>
> PostgreSQL: 10%-23% slowdown.
>
> Wow. That is not trivial.
>
>
>
>
> From:Kurt Buff <kurt.b...@gmail.com>
> To:ntsysadm <NTSysADM@lists.myitforum.com>, Patch Management Mailing
> List <patchmanagem...@listserv.patchmanagement.org>
> Date:01/02/2018 06:59 PM
> Subject:[NTSysADM] Oh, this one really hurts...
> Sent by:<listsad...@lists.myitforum.com>
> 
>
>
>
> "A fundamental design flaw in Intel's processor chips has forced a
> significant redesign of the Linux and Windows kernels to defang the
> chip-level security bug."
>
> http://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
>
>
>
>




[NTSysADM] Oh, this one really hurts...

2018-01-02 Thread Kurt Buff
"A fundamental design flaw in Intel's processor chips has forced a
significant redesign of the Linux and Windows kernels to defang the
chip-level security bug."

http://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/




Re: [NTSysADM] Sys Log Servers

2017-12-21 Thread Kurt Buff
They will all work across a WAN.

The question is whether or not your WAN is up to the task, and that
will depend on the volume of logs generated vs. your other traffic,
and how reliable your WAN is.

Erik's suggestion is reasonable, but if you have a syslog server at
one site already, you should be able to roughly extrapolate traffic
based on current rates, and calculate bandwidth consumption from that.

Kurt

On Thu, Dec 21, 2017 at 6:03 AM, CSSU NetAdmin  wrote:
> I am looking for suggestions for sys log servers. Are any able to work
> across a WAN or do we need one for each of our LAN's?
>
> Thank you for any ideas.




Re: [NTSysADM] GoDaddy certs and Palo Alto firewall

2017-12-20 Thread Kurt Buff
Did you see this article?
https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Install-a-Chained-Certificate-Signed-by-a-Public-CA/ta-p/55523

It seems pretty straightforward, but of course you need to understand
that a third party cert won't work for SSL inspection - for that
you'll need to stand up an internal CA and deploy a cert from it to
your internal population of machines.

Kurt

On Wed, Dec 20, 2017 at 6:21 AM, David L Herrick
 wrote:
> Outside my comfort zone – but here I am.
>
> Is there a step by step guide for a firewall dummy to get the renewed Cert
> from GoDaddy into the Palo Alto
>
> What I have found on Google just made my head hurt
>
>
>
> Thx
>
>
>
> David




[NTSysADM] Again? Bad detection for KB3061064 in WSUS

2017-12-15 Thread Kurt Buff
This patch shows as needed by every machine in my environment,
including my DCs, Exchange servers, NAP box (Radius), file server,
etc.

Actually there are two versions listed: one with SmartSetup, the other without.

It's the SmartSetup version that wants to install everywhere.

It would be really nice if they could get this one right...

Kurt




Re: [NTSysADM] Update on KB4053579

2017-12-15 Thread Kurt Buff
G

I'm going to keep pushing - merely having the patch apply via DISM,
and then not agreeing with WSUS that it's applied, is not acceptable.

We'll see how far I get.

Kurt

On Fri, Dec 15, 2017 at 5:25 AM, Michael B. Smith <mich...@smithcons.com> wrote:
> I'm sorry to say that Microsoft support no longer does root cause analysis, 
> unless you pay for premier support. In fact, their opening email should say 
> that, where they define the success criteria for the case. It's very 
> important that you get that wording to your liking.
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Kurt Buff
> Sent: Thursday, December 14, 2017 10:17 PM
> To: ntsysadm
> Subject: [NTSysADM] Update on KB4053579
>
> I am not satisfied with MSFT's response on this.
>
> Here's how it played out.
>
> I was able to abscond with an affected laptop, and the tech worked on it for 
> a while.
>
> He was eventually able to see that our AV (ESET) was holding onto the drive.
>
> I uninstalled ESET, rebooted, and he:
>- Expanded the downloaded patch
>- Used DISM to apply the patch, which seems to be successful.
>
> However, WSUS is still offering the update, and still requiring updates. The 
> update doesn't show in the list of updates through the Windows Update GUI.
>
> The update does show in the registry, and in either a "wmic qfe list" or 
> a powershell wmi query, but the InstalledBy and InstalledOn columns are 
> missing.
>
> MSFT would only work with me on one machine, which I can almost understand - 
> he stated that each machine could have a different cause for failure to 
> install. While that's technically true, I have to believe that this many (35 
> out of just over 100) having this problem will likely have the same root 
> cause. Further, I could point to another machine right now that doesn't have 
> same configuration as the others (no AV), but I'm willing to bet the same 
> root cause.
>
> I'm pushing back, saying that until the client and WSUS agree that this 
> update is installed and no longer needed, the problem isn't really solved.
>
> Kurt
>
>




[NTSysADM] Update on KB4053579

2017-12-14 Thread Kurt Buff
I am not satisfied with MSFT's response on this.

Here's how it played out.

I was able to abscond with an affected laptop, and the tech worked on
it for a while.

He was eventually able to see that our AV (ESET) was holding onto the drive.

I uninstalled ESET, rebooted, and he:
   - Expanded the downloaded patch
   - Used DISM to apply the patch, which seems to be successful.

However, WSUS is still offering the update, and still requiring
updates. The update doesn't show in the list of updates through the
Windows Update GUI.

The update does show in the registry, and in either a "wmic qfe
list" or a powershell wmi query, but the InstalledBy and InstalledOn
columns are missing.

MSFT would only work with me on one machine, which I can almost
understand - he stated that each machine could have a different cause
for failure to install. While that's technically true, I have to
believe that this many (35 out of just over 100) having this problem
will likely have the same root cause. Further, I could point to
another machine right now that doesn't have same configuration as the
others (no AV), but I'm willing to bet the same root cause.

I'm pushing back, saying that until the client and WSUS agree that
this update is installed and no longer needed, the problem isn't
really solved.

Kurt




Re: [NTSysADM] AADConnect Update

2017-12-13 Thread Kurt Buff
On Wed, Dec 13, 2017 at 4:47 PM, Michael B. Smith  wrote:
> This is cross-posted to the exchange list and the ntsysadmin list.
>
> If you are running hybrid with Azure or Office 365, you need to update
> AADConnect.
>
> See:
> https://dirteam.com/sander/2017/12/13/azure-ad-connect-version-1-1-654-0-addresses-a-critical-security-vulnerability/
>
> If you want to understand the vulnerability better, see:
>
> http://www.essential.exchange/2008/10/22/admincount-adminsdholder-sdprop-and-you/

Yeah, that's gonna bite people who don't pay attention.

Thank you.

Kurt




Re: [NTSysADM] Just another day in the life of a Network Engineer

2017-12-13 Thread Kurt Buff
Why yes, it's just like that.

Nearly every day.

Kurt

On Wed, Dec 13, 2017 at 9:22 AM, Andrew S. Baker  wrote:

> https://www.linkedin.com/pulse/what-its-like-network-
> engineer-ron-buchalski/
>
> Regards,
>
>  *ASB*
>
>



Re: [NTSysADM] Owners of folders

2017-12-12 Thread Kurt Buff
Whoever's in the group that is listed as the management group for that
directory. That's distinct/different from staff who might have
read/write permissions to the folder, though the management group will
have that as well.

For instance, in the Engineering directory, I'll have two groups
listed with permissions: EngineeringManagers and Engineering. Each
group/departmental directory on the file server has a breakout like
that.

Domain Users will also be listed, with read-only permissions, if
applicable to that directory.

Kurt

On Tue, Dec 12, 2017 at 10:33 AM, Heaton, Joseph@Wildlife
 wrote:
> How do you guys keep track of file/folder owners?  i.e. who has the rights
> to request additions/removals of people to the access of those folders?
>
>
>
> Joe Heaton
>
> Information Technology Operations Branch
>
> Data and Technology Division
>
> CA Department of Fish and Wildlife
>
> 1700 9th Street, 3rd Floor
>
> Sacramento, CA  95811
>
> Desk:  916-323-1284
>
>




Re: [NTSysADM] Still stumped by bitlocker

2017-12-08 Thread Kurt Buff
I'll check that out, but I had another GPO with a startup script (.cmd)
that was capturing already-configured bitlocker installations and sending
the key to AD.

Perhaps an OU got missed, or something.

Thanks,

Kurt

On Fri, Dec 8, 2017 at 11:39 AM, Damien Solodow <damien.solo...@harrison.edu
> wrote:

> Take a look here: https://technet.microsoft.com/
> en-us/library/dd875529(v=ws.10).aspx
>
>
>
> Your GPO looks right (comparing to mine), but you do have to make some
> security changes in AD so that the computer has the necessary permissions
> to save the Bitlocker key in AD.
>
>
>
> DAMIEN SOLODOW
>
> IT Engineering Lead
>
> 317.447.6033 (office)
>
> HARRISON COLLEGE
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Kurt Buff
> *Sent:* Friday, December 8, 2017 2:29 PM
> *To:* ntsysadm <NTSysADM@lists.myitforum.com>
> *Subject:* [NTSysADM] Still stumped by bitlocker
>
>
>
> If anyone cares to comment on this, I'd appreciate it.
>
> I'm working on an older laptop with a TPM 1.2 chip (Dell Latitude E6530).
> I've tried with PPI provision and PPI deprovision both selected and
> deselected, with no difference in my results.
>
> I've reset the chip multiple times, with the following results:
>
> After resetting the chip, if the computer is in an OU with no GPOs, and I
> reboot a couple of times so that there are no applied GPOs, I can use the
> following command, and it starts encrypting just fine:
>
>  "enable-bitlocker C: -SkipHardwareCheck -TpmProtector"
>
> If I clear the TPM chip (either in BIOS or through tpm.msc) and put the
> computer in my test OU with the GPO, it does three things:
>
> - A first reboot, nothing happens. No errors, and bitlocker doesn't start
>
> - At second reboot, if PPI Provision/Deprovision are deselected, it gets
> an error with the run of the startup script:
> [image: Inline image 2]
>
> - At second reboot, if PPI Provision/Deprovision override are selected, I
> do not see the popup error above, but bitlocker still doesn't start.
>
>
>
> In all cases after reboot while the GPO is applied, if I run the
> enable-bitlocker command above, I get the following:
>
> [image: Inline image 1]
>
> After resetting the TPM chip, I do see a lot of TPM and TPM-WMI event log
> entries, one of which indicates that the system is taking ownership of the
> chip (eventID 1027 TPM-WMI).
>
> This is the relevant portion of the output from "gpresult /h" - I've had
> the "Allow data recovery agent" in both states, enabled and disabled, with
> no difference in the results:
>
> [image: Inline image 3]
>
> Kurt
>



Re: [NTSysADM] windows 2012 R2 on VMware 5.1.0 SonicWALL NSA4500

2017-12-08 Thread Kurt Buff
Well that's interesting indeed.

Glad you got that working.

I wonder what would have happened if you just changed the MAC address...

Kurt

On Fri, Dec 8, 2017 at 3:49 PM, Scott Schneider <
sschnei...@inscapesolutions.com> wrote:

> Thanks for the input. As a last Hail Mary pass, I tried a vMotion move to
> another server in the cluster and lo and behold it came alive. Maybe it
> was a MAC issue.
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] On Behalf Of Kurt Buff
> Sent: Wednesday, December 6, 2017 7:48 PM
> To: ntsysadm <ntsysadm@lists.myitforum.com>
> Subject: Re: [NTSysADM] windows 2012 R2 on VMware 5.1.0 SonicWALL NSA4500
>
> Are the MAC addresses the same on both networks? If they are, it might be
> confusing things.
>
> Kurt
>
> On Wed, Dec 6, 2017 at 1:19 PM, Scott Schneider <
> sschnei...@inscapesolutions.com> wrote:
> > Time to bring in the experts, I’m stumped.
> >
> >
> >
> > I have a windows 2012 R2 server on VMware 5.1.0 with a SonicWALL
> > NSA4500. On the SonicWALL we have an internal and DMZ network, same
> > with the vCenter
> > 5.1.0
> >
> > The 2012 server was built on the internal network with an IP of
> 172.16.1.79.
> > The server is supposed to replace an old 2003 server in the DMZ.
> >
> > When on the internal network it pings fine and behaves normally.
> >
> > I shut down the  2003 server in the DMZ (it pings, gets out to the net
> > and does a normal arp –a) and duplicate the IP it uses 172.31.0.3 on
> > the 2012 server.
> >
> > On the VMware side I switch the network from INT to DMZ. I can ping
> > the server OK, get out to the net and do a normal arp -a, but the
> > Websphere app it runs doesn’t behave as expected.
> >
> > If I do an arp –a on the 2012 or 2003 server it shows the default
> > gateway
> > 172.31.0.1
> >
> >
> >
> > So I want to put it up on another IP in the DMZ and run the 2 servers
> > in parallel. I duplicate the SonicWALL rules and bring it up on IP
> 172.31.0.6.
> > I can’t ping or get out to the net. I try an arp –a and have no
> > default gateway. Monitor sniffs from the SonicWALL show no traffic.
> >
> > OK I think I messed up the rules. I bring down another server using IP
> > 172.31.0.4 in the DMZ which can ping, do an arp –a and get out to the
> > net.
> >
> > I assign the same IP 172.31.0.4 to the 2012 server and I still get no
> > connectivity. It only works if I bring it up on 172.31.0.3. I flushed
> > the arp cache on the SonicWALL each time I changed IP’s.
> >
> > What could be configured in the network on the 2012 server which could
> > cause this behavior? It works on the internal side 172.16.1.79 (or any
> > other internal IP) or with a 172.31.0.3 address in the DMZ  but no
> > other DMZ IP will work on the 2012 server.
> >
> >
> >
> > Scott Schneider
> > Senior Network and System Administrator
> >
> > Inscape
> > T 905 952 4001  |  C 705 716 4540  |  Skype
> > sschnei...@inscapesolutions.com
> >
> > inscapesolutions.com
> >
> >
>
>
>



Re: [NTSysADM] Still stumped by bitlocker

2017-12-08 Thread Kurt Buff
Dang it. Forgot the most interesting part...

In all cases, after clearing the TPM chip, I can use the bitlocker GUI to
start encrypting.

Just can't make the startup script or a manual powershell command (which are
the same) do their thing.

However, when the GPO is applied, the GUI doesn't ask for a file location
for the key - it just sends it to AD, exactly as I want.

Kurt

On Fri, Dec 8, 2017 at 11:29 AM, Kurt Buff <kurt.b...@gmail.com> wrote:

> If anyone cares to comment on this, I'd appreciate it.
>
> I'm working on an older laptop with a TPM 1.2 chip (Dell Latitude E6530).
> I've tried with PPI provision and PPI deprovision both selected and
> deselected, with no difference in my results.
>
> I've reset the chip multiple times, with the following results:
>
> After resetting the chip, if the computer is in an OU with no GPOs, and I
> reboot a couple of times so that there are no applied GPOs, I can use the
> following command, and it starts encrypting just fine:
>
>  "enable-bitlocker C: -SkipHardwareCheck -TpmProtector"
>
> If I clear the TPM chip (either in BIOS or through tpm.msc) and put the
> computer in my test OU with the GPO, it does three things:
>
> - A first reboot, nothing happens. No errors, and bitlocker doesn't start
>
> - At second reboot, if PPI Provision/Deprovision are deselected, it gets
> an error with the run of the startup script:
> [image: Inline image 2]
>
> - At second reboot, if PPI Provision/Deprovision override are selected, I
> do not see the popup error above, but bitlocker still doesn't start.
>
> In all cases after reboot while the GPO is applied, if I run the
> enable-bitlocker command above, I get the following:
> [image: Inline image 1]
>
> After resetting the TPM chip, I do see a lot of TPM and TPM-WMI event log
> entries, one of which indicates that the system is taking ownership of the
> chip (eventID 1027 TPM-WMI).
>
> This is the relevant portion of the output from "gpresult /h" - I've had
> the "Allow data recovery agent" in both states, enabled and disabled, with
> no difference in the results:
>
> [image: Inline image 3]
>
> Kurt
>



Re: [NTSysADM] windows 2012 R2 on VMware 5.1.0 SonicWALL NSA4500

2017-12-06 Thread Kurt Buff
Are the MAC addresses the same on both networks? If they are, it might
be confusing things.

Kurt

On Wed, Dec 6, 2017 at 1:19 PM, Scott Schneider
 wrote:
> Time to bring in the experts, I’m stumped.
>
>
>
> I have a windows 2012 R2 server on VMware 5.1.0 with a SonicWALL NSA4500. On
> the SonicWALL we have an internal and DMZ network, same with the vCenter
> 5.1.0
>
> The 2012 server was built on the internal network with an IP of 172.16.1.79.
> The server is supposed to replace an old 2003 server in the DMZ.
>
> When on the internal network it pings fine and behaves normally.
>
> I shut down the 2003 server in the DMZ (it pings, gets out to the net and
> does a normal arp –a) and duplicate the IP it uses 172.31.0.3 on the 2012
> server.
>
> On the VMware side I switch the network from INT to DMZ. I can ping the
> server OK, get out to the net and do a normal arp -a, but the Websphere app
> it runs doesn’t behave as expected.
>
> If I do an arp –a on the 2012 or 2003 server it shows the default gateway
> 172.31.0.1
>
>
>
> So I want to put it up on another IP in the DMZ and run the 2 servers in
> parallel. I duplicate the SonicWALL rules and bring it up on IP 172.31.0.6.
> I can’t ping or get out to the net. I try an arp –a and have no default
> gateway. Monitor sniffs from the SonicWALL show no traffic.
>
> OK I think I messed up the rules. I bring down another server using IP
> 172.31.0.4 in the DMZ which can ping, do an arp –a and get out to the
> net.
>
> I assign the same IP 172.31.0.4 to the 2012 server and I still get no
> connectivity. It only works if I bring it up on 172.31.0.3. I flushed the
> arp cache on the SonicWALL each time I changed IP’s.
>
> What could be configured in the network on the 2012 server which could cause
> this behavior? It works on the internal side 172.16.1.79 (or any other
> internal IP) or with a 172.31.0.3 address in the DMZ  but no other DMZ IP
> will work on the 2012 server.
>
>
>
> Scott Schneider
> Senior Network and System Administrator
>
> Inscape
> T 905 952 4001  |  C 705 716 4540  |  Skype sschnei...@inscapesolutions.com
>
> inscapesolutions.com
>
>




Re: [NTSysADM] Bitlocker - set up and store keys in AD all at once

2017-12-04 Thread Kurt Buff
Thanks for this.

I'm working with it now, and I think a GPO that includes a powershell
script might work.

Kurt

On Fri, Dec 1, 2017 at 12:44 PM, Steve Whitcher <st...@whitcher.org> wrote:
> As I said, it's been years since I set this up, but this was the
> documentation I followed for configuring everything on the AD side:
>
> https://technet.microsoft.com/en-us/library/dd875529%28v=ws.10%29.aspx?f=255=-2147217396
>
> Note that I don't believe you can do the TPM password backup anymore, just
> the Bitlocker recovery password.
>
> It looks like that article talks about setting local policies to require the
> key backup, I'm not sure why it wouldn't mention the group policy settings,
> but you'll want to look in group policy under:
> Computer\Policies\Administrative Templates\Windows Components\Bitlocker
> Drive Encryption
>
> There are various levels under that which contain relevant settings, but the
> big one will be under Operating System Drives, "Choose how
> BitLocker-protected operating system drives can be recovered"  and inside
> that setting, enable the option for  "Save Bitlocker recovery information to
> AD DS for operating system drives".
>
> On Thu, Nov 30, 2017 at 9:20 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>
>> Good enough. I'll take a look, but if you have more specifics, I'd
>> appreciate it.
>>
>> Kurt
>>
>> On Thu, Nov 30, 2017 at 5:20 PM, Steve Whitcher <st...@whitcher.org>
>> wrote:
>> > Yes, this can definitely be done, I've had our environment working this
>> > way
>> > for years. There is a GPO you can set to require bitlocker keys be
>> > backed up
>> > to AD. If that is set, bitlocker won't encrypt the drive if it can't
>> > save
>> > the key to AD.
>> >
>> > It was a little bit complicated when I set it up originally, but that
>> > was 6
>> > or 7 years ago. The process may be simpler now. There was definitely a
>> > well
>> > documented process on technet back then for enabling the key backup.
>> >
>> > Steve
>> > On Thu, Nov 30, 2017 at 6:52 PM Kurt Buff <kurt.b...@gmail.com> wrote:
>> >>
>> >> Anyone have a clue on how to do this - without setting up MBAM?
>> >>
>> >> AFAICT, there isn't a way to do this, but I'm throwing it out here to
>> >> see if I'm wrong. MBAM sets my teeth on edge, needing a SQL instance
>> >> and all that when all I want to do is provision new machines with
>> >> Bitlocker and get the key set up in AD in one go, and not hassle with
>> >> writing the key to a file, then running another (logon) script to get
>> >> the key imported into AD.
>> >>
>> >> Kurt
>> >>
>> >>
>> >
>>
>>
>




Re: [NTSysADM] New Blog Post: Get-FrameworkVersion

2017-12-03 Thread Kurt Buff
Thanks - this will prove quite useful.

Kurt

On Sun, Dec 3, 2017 at 3:21 PM, Michael B. Smith  wrote:
> New Blog Post: Get-FrameworkVersion
>
> http://www.essential.exchange/2017/12/03/get-frameworkversion/
>
>




Re: [NTSysADM] Bitlocker - set up and store keys in AD all at once

2017-11-30 Thread Kurt Buff
Good enough. I'll take a look, but if you have more specifics, I'd
appreciate it.

Kurt

On Thu, Nov 30, 2017 at 5:20 PM, Steve Whitcher <st...@whitcher.org> wrote:
> Yes, this can definitely be done, I've had our environment working this way
> for years. There is a GPO you can set to require bitlocker keys be backed up
> to AD. If that is set, bitlocker won't encrypt the drive if it can't save
> the key to AD.
>
> It was a little bit complicated when I set it up originally, but that was 6
> or 7 years ago. The process may be simpler now. There was definitely a well
> documented process on technet back then for enabling the key backup.
>
> Steve
> On Thu, Nov 30, 2017 at 6:52 PM Kurt Buff <kurt.b...@gmail.com> wrote:
>>
>> Anyone have a clue on how to do this - without setting up MBAM?
>>
>> AFAICT, there isn't a way to do this, but I'm throwing it out here to
>> see if I'm wrong. MBAM sets my teeth on edge, needing a SQL instance
>> and all that when all I want to do is provision new machines with
>> Bitlocker and get the key set up in AD in one go, and not hassle with
>> writing the key to a file, then running another (logon) script to get
>> the key imported into AD.
>>
>> Kurt
>>
>>
>




Re: [NTSysADM] DHCP role

2017-11-30 Thread Kurt Buff
Powershell is very nice for this too:
https://technet.microsoft.com/en-us/library/jj590751(v=wps.630).aspx

On Thu, Nov 30, 2017 at 2:33 PM, Andrew S. Baker  wrote:

> You can quickly import DHCP on a new machine running the same version of
> Windows using NETSH
>
> https://technet.microsoft.com/en-us/library/dd759224(v=ws.11).aspx
>
> Regards,
>
>  *ASB*
>
>
>
> On Thu, Nov 30, 2017 at 12:46 PM, David Lum  wrote:
>
>> I've pulled DHCP off all our DC's and it wasn't too tough for the network
>> team to accommodate. Using DHCP failover took a bit more work for us to
>> perfect.  Using failover you by definition copy the config to the new
>> server: stand up the new dhcp server, config as failover, then stand down
>> DHCP on the domain controller and deconfigure failover once the new server
>> is confirmed to hand out IP's. (Assuming Win DHCP servers).
>>
>> Totally worth it in our opinion.
>>
>> Dave
>>
>> On Nov 30, 2017, at 8:21 AM, Heaton, Joseph@Wildlife <
>> joseph.hea...@wildlife.ca.gov> wrote:
>>
>> Problem with that, is that I’d really like to keep the same IP for the
>> DHCP server.  My network team has that in all their switches around the
>> state as ip-helper entries.
>>
>>
>>
>> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitf
>> orum.com ] *On Behalf Of *Webster
>> *Sent:* Thursday, November 30, 2017 7:45 AM
>>
>> *To:* ntsysadm@lists.myitforum.com
>> *Subject:* RE: [NTSysADM] DHCP role
>>
>>
>>
>> I would migrate DHCP first.
>>
>>
>>
>> Webster
>>
>>
>>
>> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitf
>> orum.com ] *On Behalf Of *Heaton,
>> Joseph@Wildlife
>> *Sent:* Thursday, November 30, 2017 9:00 AM
>> *To:* ntsysadm@lists.myitforum.com
>> *Subject:* RE: [NTSysADM] DHCP role
>>
>>
>>
>> That’s what we’re doing as well.  Not sure why, but our service account
>> is member of DNSUpdateProxy, but also a member of DNSAdmins.  Anyone have
>> an idea why that group?  I didn’t set this up initially, I’m just trying to
>> get things in best practices, and address a current issue I’m working
>> through, of replacing a DC, that happens to be our main DHCP server.  My
>> thoughts at the moment, are to add a new DC, with only DC roles.  Then,
>> DCpromo the old DC (with DHCP), then migrate DHCP to a new server, that is
>> only a member server, not a DC.
>>
>>
>>
>> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitf
>> orum.com ] *On Behalf Of *Mark Gottschalk
>> *Sent:* Wednesday, November 29, 2017 6:21 PM
>> *To:* ntsysadm@lists.myitforum.com
>> *Subject:* Re: [NTSysADM] DHCP role
>>
>>
>>
>> https://blogs.technet.microsoft.com/stdqry/2012/04/03/dhcp-
>> server-in-dcs-and-dns-registrations/
>> https://technet.microsoft.com/en-us/library/dd334715(v=ws.10).aspx
>>
>> This is what we've done with DHCP on DC.  Have a user "DHCP_user" in
>> Protected User group, DNSUpdateProxy group. Use this for alternate
>> credentials.
>>
>> Note that first article says:
>> *"A common error is to think that the DHCP Server service running in a DC
>> will use its service account security context to register records in DNS if
>> no alternate credentials are configured, and then there is security risk.
>> In fact, this is not the behavior of the DHCP Server in a DC.*
>>
>> *If the DHCP Server service detects that it is running in a domain
>> controller, and no alternate credentials for DNS registrations have been
>> configured, then it decides to not do any registrations for DHCP clients
>> and logs event DHCP/1056."*
>>
>> It also starts with:
>> *"One common deployment scenario for the DHCP Server service is to have
>> it installed in domain controllers. When this scenario is used it is
>> necessary to define the alternate credentials to be used by DHCP when doing
>> DNS registrations on behalf of the DHCP clients."*
>>
>> If you can separate them with no downside, go for it.  However, running
>> DHCP on a DC appears to be accounted for and can be addressed by above.
>>
>> -- Mark
>>
>>
>>
>>
>> From:"Heaton, Joseph@Wildlife" 
>> To:'NT System Admin Issues Discussion list' <
>> ntsysadm@lists.myitforum.com>
>> Date:11/29/2017 02:49 PM
>> Subject:[NTSysADM] DHCP role
>> Sent by:"listsad...@lists.myitforum.com"
>>
>>
>>
>> Is it still best practice to have DHCP NOT on a DC?  I’ve been reading a
>> bunch of stuff, but everything I’m reading refers to Server 2003 or older.
>>
>>
>>
>> Joe Heaton
>>
>> Information Technology Operations Branch
>>
>> Data and Technology Division
>>
>> CA Department of Fish and Wildlife
>>
>> 1700 9th Street, 3rd Floor
>>
>> Sacramento, CA  95811
>>
>> Desk:  916-323-1284
>>
>>
>>
>>
>



Re: [NTSysADM] Accessing only a lower level folder in a share

2017-11-28 Thread Kurt Buff
Thanks. It took me a long time to figure all this out.

Kurt

On Mon, Nov 27, 2017 at 11:29 PM, Micheal Espinola Jr
<michealespin...@gmail.com> wrote:
> fwiw, +1 on all counts from me as far as best practices go.
>
> --
> Espi
>
>
> On Mon, Nov 27, 2017 at 11:14 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>
>> My apologies up front for the long ramble. Take this with the usual
>> pinch/tablespoon/pound/kilo of salt. This is what works for me - you
>> might need something different. Actually, I'd wager money that you do,
>> as you seem to be in an educational environment, which most assuredly
>> has different requirements than a business.
>>
>> However, up front, I'll just say this: Breaking inheritance for
>> permissions in any environment is like telling lies - it's a bad idea,
>> because you have to keep track of it all, and the more lies you tell
>> (and the more places you break inheritance), the less likely you are
>> to be able to keep track of the situation.
>>
>> So, mostly, the answer to your question depends on what you mean by
>> "departmental folder", and where each lives in the directory
>> structure. We have a Groups directory which is shared (i.e., G:\Groups
>> (I don't create shares at the root of a drive for several reasons)),
>> and which contains a subdirectory for each department (G:\Groups\HR),
>> and other subdirectories at the same level as needed for
>> cross-departmental efforts (G:\Groups\9001ISOAuditDocuments).
>>
>> However, the first thing I'd do is document the permissions as
>> currently applied, then peruse them carefully. If there are any places
>> where inheritance is broken, figure out why. If there's a defensible
>> reason (there are no "good" reasons for this, IMHO), then look for ways
>> to fix it - with my favorite way being to move the directory that has
>> inheritance blocked somewhere up the directory structure, to a point
>> where inheritance no longer needs to be blocked.
>>
>> If there isn't a defensible reason for inheritance to be
>> broken/blocked, refactor your permissions and re-enable inheritance.
>>
>> It will help to do a few other things:
>>- take a careful look at the groups for which permissions are
>> applied. If any individual accounts have explicit permissions, replace
>> those with group permissions
>>- create a dummy directory structure (possibly empty, or with only
>> some zero-length files in it), and practice your script-fu on that,
>> before tackling production directories
>>- set up a dummy departmental directory as a model in your
>> production structure, with a readme file in it to document how you
>> want new departmental directories created
>>
>> The Groups directory is shared with Full Control to Everyone, and with
>> NTFS permissions of read-only to all employees for that folder only
>> (Admins get read-write, with full inheritance).
>>
>> Each departmental directory at its top level has read-only access to
>> all employees, for that folder only. This gets everyone transit to its
>> subdirectories.
>>
>> Each departmental directory has only three subdirectories:
>>Public (read-only for all employees, read-write for department
>> employees, with full inheritance )
>>Private (read-write for department/project employees only, no
>> access to other employees, with full inheritance)
>>Manager (read-write for the department/project manager only, no
>> access to other employees, with full inheritance)
>>
>> Permissions are not applied any further down the tree than that. If a
>> directory needs different permissions, it is moved to the root of the
>> departmental directory, and relevant permissions are applied to it
>> there.
>>
>> A couple of other things I do:
>>- Each departmental directory gets three groups of its own in AD:
>> non-departmental read-only, departmental read-write and department
>> manager owner(s).
>>- I create an AD OU into which I stuff all of the groups for the
>> server (file, SQL or other), and it's a sub-OU of the OU in which that
>> server resides, and is named -permissions. Modify this as
>> needed for DFSR environments.
>>- I name each group explicitly for the directory to which it is
>> applied, so it's obvious where and why it's used (USFSGroupsHR-RO -
>> which means the US file server, the Groups Directory, the HR
>> subdirectory, read-only permissions)
>>
>> This doesn't address SharePoint directly (although I think the general
>> approach on how permis
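
An added example (my code, not Kurt's or anything from the list) for the first step he describes: documenting the permissions as currently applied and looking for blocked inheritance, per-user ACEs and permissions applied deeper than his Groups\Department\{Public,Private,Manager} model. The root path, the depth limit of 2 and the use of ADSI SID binding to tell groups from users are assumptions.

```powershell
# Added example, not code from the thread. Walks a share tree and reports the
# three deviations from the model described above: inheritance blocked on a
# directory, an explicit ACE granted to an individual account instead of a
# group, and explicit ACEs deeper than Groups\<Dept>\{Public,Private,Manager}.
# Assumptions: domain-joined host (ADSI lookups), read access to all ACLs,
# and a placeholder root path.

function Get-PrincipalClass {
    # Classifies an ACE identity as 'group', 'user', 'wellknown' or 'unknown'
    # by binding to the AD object through its SID.
    param([System.Security.Principal.IdentityReference]$Identity)

    $wellKnown = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
    if ($wellKnown -contains $Identity.Value) { return 'wellknown' }
    try {
        $sid   = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $obj   = [ADSI]"LDAP://<SID=$sid>"
        $class = @($obj.objectClass)[-1]      # most specific class is listed last
        if ($class) { return [string]$class } else { return 'unknown' }
    } catch {
        return 'unknown'                      # local account, orphaned SID, or no domain
    }
}

function Find-AclDrift {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Root,  # share root, e.g. G:\Groups (placeholder)
        [int]$MaxDepth = 2                    # root=0, department=1, Public/Private/Manager=2
    )

    $rootFull  = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')
    $rootParts = ($rootFull -split '\\').Count
    $findings  = New-Object System.Collections.Generic.List[object]

    $dirs = @(Get-Item -LiteralPath $rootFull) +
            @(Get-ChildItem -LiteralPath $rootFull -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        $depth = ($dir.FullName -split '\\').Count - $rootParts
        try { $acl = Get-Acl -LiteralPath $dir.FullName }
        catch {
            $findings.Add([pscustomobject]@{ Path = $dir.FullName; Issue = 'ACL unreadable'; Detail = $_.Exception.Message })
            continue
        }

        # Kurt's first check: anywhere inheritance is broken needs a reason
        if ($acl.AreAccessRulesProtected) {
            $findings.Add([pscustomobject]@{ Path = $dir.FullName; Issue = 'Inheritance blocked'; Detail = '' })
        }

        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })

        # Permissions are only applied at root, department and the three subdirectories
        if ($depth -gt $MaxDepth -and $explicit.Count -gt 0) {
            $findings.Add([pscustomobject]@{
                Path = $dir.FullName; Issue = 'Explicit ACE below model depth'
                Detail = ($explicit | ForEach-Object { $_.IdentityReference.Value }) -join ', ' })
        }

        # Individual accounts with explicit permissions should be replaced by groups
        foreach ($ace in $explicit) {
            if ((Get-PrincipalClass $ace.IdentityReference) -eq 'user') {
                $findings.Add([pscustomobject]@{
                    Path = $dir.FullName; Issue = 'ACE on individual account'
                    Detail = "$($ace.IdentityReference.Value): $($ace.FileSystemRights) ($($ace.AccessControlType))" })
            }
        }
    }
    return $findings
}

# Usage (placeholder path): review the findings before changing anything
# Find-AclDrift -Root 'G:\Groups' | Sort-Object Path | Format-Table -AutoSize
```

Run it against the dummy directory structure first, as the post suggests, and only then against production.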

Re: [NTSysADM] Accessing only a lower level folder in a share

2017-11-27 Thread Kurt Buff
ns to read-only for all users one departmental folder at a time?
>
> Options I've considered thus far -
>
> Run a report of the current permissions and then using icacls, modify 
> all to read-only.  (stumbled on this today - 
> https://gallery.technet.microsoft.com/scriptcenter/PowerShellAccessControl-d3be7b83)
> I just downloaded Quest's Security Explorer and plan to test it out.
>
> Many thanks.
> - Tammy
>
>
>
>
>
> -----Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Kurt Buff
> Sent: Tuesday, November 14, 2017 2:51 PM
> To: ntsysadm <ntsysadm@lists.myitforum.com>
> Subject: Re: [NTSysADM] Accessing only a lower level folder in a share
>
> You need to adjust the permissions in the directory tree, and breaking 
> inheritance is the wrong way of doing it.
>
> Change the permissions at each level so that they are explicitly defined to 
> allow "This Folder and Files" for those who only need to see the files in 
> that directory, but not other subdirectories.
>
> Also, it seems as if your directory structure needs refactoring - it's way 
> too complex if you're running into these kinds of permission problems.
>
> Kurt
>
> On Tue, Nov 14, 2017 at 8:51 AM, Michael Leone <oozerd...@gmail.com> wrote:
>> It's been so long since I've had to do this, I need a check. I'm doing
>> something fundamentally wrong, I think.
>>
>> We use groups to set share/ACLs on folders. I got a request to share a
>> 4th level sub-folder with other employees not in the ACL. So what I
>> have is:
>>
>> Folder A1 (shared)
>> -->>B2
>>-->>C3
>>  -->> D4 (this is the one I want to allow access to)
>>
>> Now, the share permissions on A1 is for DevelopmentGroup, and the NTFS
>> permissions are the same. Those permissions just flow down to B2, C3
>> and D4 (i.e., normal inheritance).
>>
>> Now, I'm pretty sure the only way to allow access to only D4, and not
>> allow access to B2 and C3 or even see files there, is to enable ABE.
>> But I've never done that, and am leery of enabling it in production,
>> without a whole lot more testing and forethought (I shudder to think of
>> all the help desk calls, if I get something wrong).
>>
>> Am I correct that only ABE will do what I am thinking of (allow access
>> only to D4 and hide contents of A1, B2, C3)?
>>
>> Barring ABE, there's nothing I can do, short of granting a new group
>> access to D4, and living with the consequences?
>>
>> Thoughts? At this point, I want to just add the new group to the NTFS
>> permissions of D4 only, and live with the fact that these new group
>> members can see everything higher up.
>>
>>
>
>




Re: [NTSysADM] OS in the CPU

2017-11-20 Thread Kurt Buff
There are always more problems:

https://www.thezdi.com/blog/2017/10/04/vmware-escapology-how-to-houdini-the-hypervisor

https://www.youtube.com/watch?v=uRemWLNBSZg

On Mon, Nov 20, 2017 at 8:05 AM, Andrew S. Baker <asbz...@gmail.com> wrote:

> But wait!   There's more...
>
> https://www.youtube.com/watch?v=KrksBdWcZgQ
>
>
> (I see your "solution" and raise you two more problems)
>
> Regards,
>
>  *ASB*
>
>
> On Sun, Nov 19, 2017 at 12:28 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>
>> The OS in question (minix) isn't in the main CPU - it's in the CPU of
>> the management engine, which is completely separate, and doesn't, or at
>> least shouldn't, affect system performance.
>> https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Hardware
>>
>> That actually makes it worse, since as long as the machine is connected to
>> power, even though putatively "off", the management engine is available.
>> That is, if it's been configured. This is an enterprise feature, so the ME
>> is usually not active in consumer-grade computers.
>>
>> But, if it's present and turned on, then it's pretty risky:
>> https://www.theregister.co.uk/2017/11/09/chipzilla_come_closer_closer_listen_dump_ime/
>>
>> But there's some hope, of a sort - Google is on the case:
>> http://www.tomshardware.com/news/google-removing-minix-management-engine-intel,35876.html
>>
>> Kurt
>>
>> On Sun, Nov 19, 2017 at 6:34 AM, Andrew S. Baker <asbz...@gmail.com>
>> wrote:
>>
>>> No wonder our machines don't seem as fast as we think they *could*
>>> be... They're busy running more stuff than we thought:
>>>
>>> http://www.zdnet.com/article/minix-intels-hidden-in-chip-operating-system/
>>>
>>> The security implications are also pretty staggering...
>>>
>>> Regards,
>>>
>>>  *ASB*
>>>
>>>
>>
>



Re: [NTSysADM] OS in the CPU

2017-11-19 Thread Kurt Buff
The OS in question (minix) isn't in the main CPU - it's in the CPU of the
management engine, which is completely separate, and doesn't, or at least
shouldn't, affect system performance.
https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Hardware

That actually makes it worse, since as long as the machine is connected to
power, even though putatively "off", the management engine is available.
That is, if it's been configured. This is an enterprise feature, so the ME
is usually not active in consumer-grade computers.

But, if it's present and turned on, then it's pretty risky:
https://www.theregister.co.uk/2017/11/09/chipzilla_come_closer_closer_listen_dump_ime/

But there's some hope, of a sort - Google is on the case:
http://www.tomshardware.com/news/google-removing-minix-management-engine-intel,35876.html

Kurt

On Sun, Nov 19, 2017 at 6:34 AM, Andrew S. Baker  wrote:

> No wonder our machines don't seem as fast as we think they *could* be...
>They're busy running more stuff than we thought:
>
> http://www.zdnet.com/article/minix-intels-hidden-in-chip-operating-system/
>
> The security implications are also pretty staggering...
>
> Regards,
>
>  *ASB*
>
>



Re: [NTSysADM] Looking for a global VPN solution - looking for input

2017-11-15 Thread Kurt Buff
So, it's not used to configure load balancing or client redirection
for GP? OK, I can see that.

Kurt

On Tue, Nov 14, 2017 at 6:22 PM, Don Ely <don@gmail.com> wrote:
> Panorama is only a MGMT tool for the firewalls. It has nothing to do with
> traffic mgmt
>
> On Nov 14, 2017 17:25, "Kurt Buff" <kurt.b...@gmail.com> wrote:
>>
>> I presume this requires Panorama? We don't have that, I've been
>> wanting it for a while, but it's been hard to justify when we have
>> only 3 sites, two of which are PA500s.
>>
>> On Tue, Nov 14, 2017 at 1:49 PM, Don Ely <don@gmail.com> wrote:
>> > Sure it can, DNS RR or some kind of GTM
>> >
>> > As for cloud, PA does GP in the cloud.  Scales up and down as needed...
>> >
>> >
>> > On Tue, Nov 14, 2017 at 1:35 PM Kurt Buff <kurt.b...@gmail.com> wrote:
>> >>
>> >> Perhaps I missed it, but I didn't see that GP will autoconnect to the
>> >> closest/fastest site.
>> >>
>> >> That doesn't mean GP is out of the running - I like it where I've set
>> >> it up, so it's on my list, especially since all of our sites have Palo
>> >> Altos already.
>> >>
>> >> But, from the way the questions were put to me, it sounds like the
>> >> requestor is biased toward some sort of "cloud" solution, not tied to
>> >> current hardware.
>> >>
>> >>
>> >> Kurt
>> >>
>> >> On Mon, Nov 13, 2017 at 6:04 PM, Don Ely <don@gmail.com> wrote:
>> >> > Why can't Global Protect achieve all of your needs?  Did I miss some
>> >> > requirement they can't meet?
>> >> >
>> >> > On Mon, Nov 13, 2017 at 5:25 PM Kurt Buff <kurt.b...@gmail.com>
>> >> > wrote:
>> >> >>
>> >> >> Arg - that should be "seeking commercial services"..
>> >> >>
>> >> >> And, once I bring recommendations, it might well be that we just
>> >> >> fall
>> >> >> back to a DirectAccess server in each office, with or without a
>> >> >> multi-site configuration, potentially with an SSP VPN appliance also
>> >> >> at each office for backup and contractors, and call it good.
>> >> >>
>> >> >> Kurt
>> >> >>
>> >> >> On Mon, Nov 13, 2017 at 5:03 PM, Kurt Buff <kurt.b...@gmail.com>
>> >> >> wrote:
>> >> >> > I'm not sure either, but that's the task I've been given - not
>> >> >> > necessarily to implement at this stage, but to scope out the
>> >> >> > alternatives and come up with some possibilities.
>> >> >> >
>> >> >> > It's also why I'm seeing recommendations on commercial services,
>> >> >> > so
>> >> >> > that our implementation requirements are minimized.
>> >> >> >
>> >> >> > Kurt
>> >> >> >
>> >> >> > On Mon, Nov 13, 2017 at 4:38 PM, Joseph L. Casale
>> >> >> > <jcas...@activenetwerx.com> wrote:
>> >> >> >> I've done a lot of openvpn setups in a myriad of formats, site to
>> >> >> >> site,
>> >> >> >> hub and spoke, client etc.
>> >> >> >> It works well and there are even some lesser documented features
>> >> >> >> that
>> >> >> >> do some neat stuff but you are now rolling your solution and
>> >> >> >> marinating it
>> >> >> >> manually.
>> >> >> >> Not sure how well that will scale unless you have a skilled team.
>> >> >> >>
>> >> >> >>> -Original Message-
>> >> >> >>> From: listsad...@lists.myitforum.com
>> >> >> >>> [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
>> >> >> >>> Sent: Monday, November 13, 2017 5:22 PM
>> >> >> >>> To: ntsysadm <NTSysADM@lists.myitforum.com>
>> >> >> >>> Subject: [NTSysADM] Looking for a global VPN solution - looking
>> >> >> >>> for
>> >> >> >>> input
>> >> >> >>>
>> >> >> >>> All,
>> >> >> >>>
>> >> >&

Re: [NTSysADM] Looking for a global VPN solution - looking for input

2017-11-15 Thread Kurt Buff
Unknown. We do have an EA with bridge licensing, but how quickly we
move to the cloud is undetermined.

And, I haven't even looked at what "O365/Azure Constrained Access" might be.

Kurt

On Tue, Nov 14, 2017 at 5:42 PM, Michael B. Smith <mich...@smithcons.com> wrote:
> Sorry I wasn't clear.
>
> I meant, will you require "Office 365/Azure Constrained Access"?
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Kurt Buff
> Sent: Tuesday, November 14, 2017 8:21 PM
> To: ntsysadm
> Subject: Re: [NTSysADM] Looking for a global VPN solution - looking for input
>
> Do you mean need mobile/BYOD?
>
> Likely will, but whether we'll be on O365/Azure by then is an open question 
> in my mind.
>
> I'd prefer not, but I recognize that MSFT wants their money, so will do 
> everything they can to force us there.
>
> Kurt
>
> On Tue, Nov 14, 2017 at 1:56 PM, Michael B. Smith <mich...@smithcons.com> 
> wrote:
>> I can't speak to your environment, but many of my customers are pushing for 
>> Office 365/Azure Constrained Access.
>>
>> Especially because of mobile/BYOD.
>>
>> I suggest you should consider the likelihood or whether you'll NEED that 
>> capability within 5 years.
>>
>> -Original Message-
>> From: listsad...@lists.myitforum.com
>> [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
>> Sent: Tuesday, November 14, 2017 4:31 PM
>> To: ntsysadm
>> Subject: Re: [NTSysADM] Looking for a global VPN solution - looking
>> for input
>>
>> Ran through your posts in this thread, and I have to say that it looks like
>> the days of DA are numbered.
>>
>> However, if I implement it under 2016, it should be supported for at least 5 
>> more years (assuming that Win10 still supports it, too).
>>
>> So, I'm not worried too much about that as such, but AVPN support for 
>> non-domain-joined devices looks very interesting, and the fact that DA only 
>> supported IPv6 was sometimes limiting.
>>
>> I think I'll explore AVPN a bit more, and probably include it as an option.
>>
>> On Mon, Nov 13, 2017 at 6:08 PM, Michael B. Smith <mich...@smithcons.com> 
>> wrote:
>>> So just a data point to consider.
>>>
>>> Microsoft is kinda moving away from DirectAccess.
>>>
>>> Many of the security functionalities added in Server 2016 won't work with 
>>> DA.
>>>
>>> Instead you need to be using their Automatic VPN. The endpoint isn't very 
>>> relevant, although they push RRAS.
>>>
>>> For example, WIP doesn't work properly with DA. Only with AVPN.
>>>
>>> -Original Message-
>>> From: listsad...@lists.myitforum.com
>>> [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
>>> Sent: Monday, November 13, 2017 8:19 PM
>>> To: ntsysadm
>>> Subject: Re: [NTSysADM] Looking for a global VPN solution - looking
>>> for input
>>>
>>> Arg - that should be "seeking commercial services"..
>>>
>>> And, once I bring recommendations, it might well be that we just fall back 
>>> to a DirectAccess server in each office, with or without a multi-site
>>> configuration, potentially with an SSP VPN appliance also at each office 
>>> for backup and contractors, and call it good.
>>>
>>> Kurt
>>>
>>> On Mon, Nov 13, 2017 at 5:03 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>>> I'm not sure either, but that's the task I've been given - not
>>>> necessarily to implement at this stage, but to scope out the
>>>> alternatives and come up with some possibilities.
>>>>
>>>> It's also why I'm seeing recommendations on commercial services, so
>>>> that our implementation requirements are minimized.
>>>>
>>>> Kurt
>>>>
>>>> On Mon, Nov 13, 2017 at 4:38 PM, Joseph L. Casale
>>>> <jcas...@activenetwerx.com> wrote:
>>>>> I've done a lot of openvpn setups in a myriad of formats, site to site, 
>>>>> hub and spoke, client etc.
>>>>> It works well and there are even some lesser documented features that do 
>>>>> some neat stuff but you are now rolling your solution and marinating it 
>>>>> manually.
>>>>> Not sure how well that will scale unless you have a skilled team.
>>>>>
>>>>>> -Original Message-
>>>>>> From: lis

Re: [NTSysADM] Looking for a global VPN solution - looking for input

2017-11-14 Thread Kurt Buff
Do you mean need mobile/BYOD?

Likely will, but whether we'll be on O365/Azure by then is an open
question in my mind.

I'd prefer not, but I recognize that MSFT wants their money, so will
do everything they can to force us there.

Kurt

On Tue, Nov 14, 2017 at 1:56 PM, Michael B. Smith <mich...@smithcons.com> wrote:
> I can't speak to your environment, but many of my customers are pushing for 
> Office 365/Azure Constrained Access.
>
> Especially because of mobile/BYOD.
>
> I suggest you should consider the likelihood or whether you'll NEED that 
> capability within 5 years.
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Kurt Buff
> Sent: Tuesday, November 14, 2017 4:31 PM
> To: ntsysadm
> Subject: Re: [NTSysADM] Looking for a global VPN solution - looking for input
>
> Ran through your posts in this thread, and I have to say that it looks like
> the days of DA are numbered.
>
> However, if I implement it under 2016, it should be supported for at least 5 
> more years (assuming that Win10 still supports it, too).
>
> So, I'm not worried too much about that as such, but AVPN support for 
> non-domain-joined devices looks very interesting, and the fact that DA only 
> supported IPv6 was sometimes limiting.
>
> I think I'll explore AVPN a bit more, and probably include it as an option.
>
> On Mon, Nov 13, 2017 at 6:08 PM, Michael B. Smith <mich...@smithcons.com> 
> wrote:
>> So just a data point to consider.
>>
>> Microsoft is kinda moving away from DirectAccess.
>>
>> Many of the security functionalities added in Server 2016 won't work with DA.
>>
>> Instead you need to be using their Automatic VPN. The endpoint isn't very 
>> relevant, although they push RRAS.
>>
>> For example, WIP doesn't work properly with DA. Only with AVPN.
>>
>> -Original Message-
>> From: listsad...@lists.myitforum.com
>> [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
>> Sent: Monday, November 13, 2017 8:19 PM
>> To: ntsysadm
>> Subject: Re: [NTSysADM] Looking for a global VPN solution - looking
>> for input
>>
>> Arg - that should be "seeking commercial services"..
>>
>> And, once I bring recommendations, it might well be that we just fall back 
>> to a DirectAccess server in each office, with or without a multi-site
>> configuration, potentially with an SSP VPN appliance also at each office for 
>> backup and contractors, and call it good.
>>
>> Kurt
>>
>> On Mon, Nov 13, 2017 at 5:03 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>> I'm not sure either, but that's the task I've been given - not
>>> necessarily to implement at this stage, but to scope out the
>>> alternatives and come up with some possibilities.
>>>
>>> It's also why I'm seeing recommendations on commercial services, so
>>> that our implementation requirements are minimized.
>>>
>>> Kurt
>>>
>>> On Mon, Nov 13, 2017 at 4:38 PM, Joseph L. Casale
>>> <jcas...@activenetwerx.com> wrote:
>>>> I've done a lot of openvpn setups in a myriad of formats, site to site, 
>>>> hub and spoke, client etc.
>>>> It works well and there are even some lesser documented features that do 
>>>> some neat stuff but you are now rolling your solution and marinating it 
>>>> manually.
>>>> Not sure how well that will scale unless you have a skilled team.
>>>>
>>>>> -Original Message-
>>>>> From: listsad...@lists.myitforum.com
>>>>> [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
>>>>> Sent: Monday, November 13, 2017 5:22 PM
>>>>> To: ntsysadm <NTSysADM@lists.myitforum.com>
>>>>> Subject: [NTSysADM] Looking for a global VPN solution - looking for
>>>>> input
>>>>>
>>>>> All,
>>>>>
>>>>> 1) For staff, currently we're using DirectAccess on 2012R2 as our
>>>>> primary conduit in the US, with SSL VPNs (SonicWall and Palo Alto
>>>>> Global Protect) as primary for our overseas offices and secondary
>>>>> for the US (Sonicwall).
>>>>>
>>>>> 2) In the US office, we also have contractors/consultants needing
>>>>> to use our SSL VPN for access to various resources, and that will
>>>>> likely expand to our overseas offices soon. Differentiation and
>>>>> securing resources is even more important here than in 1).
>>>>>
>>>>> 3) We also stand up IPSec tunnels for vendors/partners as needed
>>>>> (lab to lab), for interoperability/compatibility testing.
>>>>>
>>>>> We're looking to get into a solution that will take care of at
>>>>> least the first two (and ideally the third as well), so that we
>>>>> don't have so many platforms to support, and so that we can make
>>>>> sure that staff in the field get the fastest connection available.
>>>>>
>>>>> I've taken a quick gander at the websites for vyprvpn (Golden
>>>>> Frog), and OpenVPN (commercial client offering), but don't have
>>>>> much of an opinion on them, as info about them is a bit thin.
>>>>>
>>>>> Anyone have experience with solutions like this, and care to comment?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Kurt
>>>>>
>>>>
>>
>>
>
>




Re: [NTSysADM] Looking for a global VPN solution - looking for input

2017-11-14 Thread Kurt Buff
Ran through your posts in this thread, and I have to say that it looks
like the days of DA are numbered.

However, if I implement it under 2016, it should be supported for at
least 5 more years (assuming that Win10 still supports it, too).

So, I'm not worried too much about that as such, but AVPN support for
non-domain-joined devices looks very interesting, and the fact that DA
only supported IPv6 was sometimes limiting.

I think I'll explore AVPN a bit more, and probably include it as an option.

On Mon, Nov 13, 2017 at 6:08 PM, Michael B. Smith <mich...@smithcons.com> wrote:
> So just a data point to consider.
>
> Microsoft is kinda moving away from DirectAccess.
>
> Many of the security functionalities added in Server 2016 won't work with DA.
>
> Instead you need to be using their Automatic VPN. The endpoint isn't very 
> relevant, although they push RRAS.
>
> For example, WIP doesn't work properly with DA. Only with AVPN.
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Kurt Buff
> Sent: Monday, November 13, 2017 8:19 PM
> To: ntsysadm
> Subject: Re: [NTSysADM] Looking for a global VPN solution - looking for input
>
> Arg - that should be "seeking commercial services"..
>
> And, once I bring recommendations, it might well be that we just fall back to 
> a DirectAccess server in each office, with or without a multi-site
> configuration, potentially with an SSP VPN appliance also at each office for 
> backup and contractors, and call it good.
>
> Kurt
>
> On Mon, Nov 13, 2017 at 5:03 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>> I'm not sure either, but that's the task I've been given - not
>> necessarily to implement at this stage, but to scope out the
>> alternatives and come up with some possibilities.
>>
>> It's also why I'm seeing recommendations on commercial services, so
>> that our implementation requirements are minimized.
>>
>> Kurt
>>
>> On Mon, Nov 13, 2017 at 4:38 PM, Joseph L. Casale
>> <jcas...@activenetwerx.com> wrote:
>>> I've done a lot of openvpn setups in a myriad of formats, site to site, hub 
>>> and spoke, client etc.
>>> It works well and there are even some lesser documented features that do 
>>> some neat stuff but you are now rolling your solution and marinating it 
>>> manually.
>>> Not sure how well that will scale unless you have a skilled team.
>>>
>>>> -Original Message-
>>>> From: listsad...@lists.myitforum.com
>>>> [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
>>>> Sent: Monday, November 13, 2017 5:22 PM
>>>> To: ntsysadm <NTSysADM@lists.myitforum.com>
>>>> Subject: [NTSysADM] Looking for a global VPN solution - looking for
>>>> input
>>>>
>>>> All,
>>>>
>>>> 1) For staff, currently we're using DirectAccess on 2012R2 as our
>>>> primary conduit in the US, with SSL VPNs (SonicWall and Palo Alto
>>>> Global Protect) as primary for our overseas offices and secondary
>>>> for the US (Sonicwall).
>>>>
>>>> 2) In the US office, we also have contractors/consultants needing to
>>>> use our SSL VPN for access to various resources, and that will
>>>> likely expand to our overseas offices soon. Differentiation and
>>>> securing resources is even more important here than in 1).
>>>>
>>>> 3) We also stand up IPSec tunnels for vendors/partners as needed
>>>> (lab to lab), for interoperability/compatibility testing.
>>>>
>>>> We're looking to get into a solution that will take care of at least
>>>> the first two (and ideally the third as well), so that we don't have
>>>> so many platforms to support, and so that we can make sure that
>>>> staff in the field get the fastest connection available.
>>>>
>>>> I've taken a quick gander at the websites for vyprvpn (Golden Frog),
>>>> and OpenVPN (commercial client offering), but don't have much of an
>>>> opinion on them, as info about them is a bit thin.
>>>>
>>>> Anyone have experience with solutions like this, and care to comment?
>>>>
>>>> Thanks,
>>>>
>>>> Kurt
>>>>
>>>
>
>




Re: [NTSysADM] Looking for a global VPN solution - looking for input

2017-11-14 Thread Kurt Buff
Perhaps I missed it, but I didn't see that GP will autoconnect to the
closest/fastest site.

That doesn't mean GP is out of the running - I like it where I've set
it up, so it's on my list, especially since all of our sites have Palo
Altos already.

But, from the way the questions were put to me, it sounds like the
requestor is biased toward some sort of "cloud" solution, not tied to
current hardware.


Kurt

On Mon, Nov 13, 2017 at 6:04 PM, Don Ely <don@gmail.com> wrote:
> Why can't Global Protect achieve all of your needs?  Did I miss some
> requirement they can't meet?
>
> On Mon, Nov 13, 2017 at 5:25 PM Kurt Buff <kurt.b...@gmail.com> wrote:
>>
>> Arg - that should be "seeking commercial services"..
>>
>> And, once I bring recommendations, it might well be that we just fall
>> back to a DirectAccess server in each office, with or without a
>> multi-site configuration, potentially with an SSP VPN appliance also
>> at each office for backup and contractors, and call it good.
>>
>> Kurt
>>
>> On Mon, Nov 13, 2017 at 5:03 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>> > I'm not sure either, but that's the task I've been given - not
>> > necessarily to implement at this stage, but to scope out the
>> > alternatives and come up with some possibilities.
>> >
>> > It's also why I'm seeing recommendations on commercial services, so
>> > that our implementation requirements are minimized.
>> >
>> > Kurt
>> >
>> > On Mon, Nov 13, 2017 at 4:38 PM, Joseph L. Casale
>> > <jcas...@activenetwerx.com> wrote:
>> >> I've done a lot of openvpn setups in a myriad of formats, site to site,
>> >> hub and spoke, client etc.
>> >> It works well and there are even some lesser documented features that
>> >> do some neat stuff but you are now rolling your solution and marinating it
>> >> manually.
>> >> Not sure how well that will scale unless you have a skilled team.
>> >>
>> >>> -Original Message-
>> >>> From: listsad...@lists.myitforum.com
>> >>> [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
>> >>> Sent: Monday, November 13, 2017 5:22 PM
>> >>> To: ntsysadm <NTSysADM@lists.myitforum.com>
>> >>> Subject: [NTSysADM] Looking for a global VPN solution - looking for
>> >>> input
>> >>>
>> >>> All,
>> >>>
>> >>> 1) For staff, currently we're using DirectAccess on 2012R2 as our
>> >>> primary conduit in the US, with SSL VPNs (SonicWall and Palo Alto
>> >>> Global Protect) as primary for our overseas offices and secondary for
>> >>> the US (Sonicwall).
>> >>>
>> >>> 2) In the US office, we also have contractors/consultants needing to
>> >>> use our SSL VPN for access to various resources, and that will likely
>> >>> expand to our overseas offices soon. Differentiation and securing
>> >>> resources is even more important here than in 1).
>> >>>
>> >>> 3) We also stand up IPSec tunnels for vendors/partners as needed (lab
>> >>> to lab), for interoperability/compatibility testing.
>> >>>
>> >>> We're looking to get into a solution that will take care of at least
>> >>> the first two (and ideally the third as well), so that we don't have
>> >>> so many platforms to support, and so that we can make sure that staff
>> >>> in the field get the fastest connection available.
>> >>>
>> >>> I've taken a quick gander at the websites for vyprvpn (Golden Frog),
>> >>> and OpenVPN (commercial client offering), but don't have much of an
>> >>> opinion on them, as info about them is a bit thin.
>> >>>
>> >>> Anyone have experience with solutions like this, and care to comment?
>> >>>
>> >>> Thanks,
>> >>>
>> >>> Kurt
>> >>>
>> >>
>>
>>
>




Re: [NTSysADM] Accessing only a lower level folder in a share

2017-11-14 Thread Kurt Buff
You need to adjust the permissions in the directory tree, and breaking
inheritance is the wrong way of doing it.

Change the permissions at each level so that they are explicitly
defined to allow "This Folder and Files" for those who only need to
see the files in that directory, but not other subdirectories.

Also, it seems as if your directory structure needs refactoring - it's
way too complex if you're running into these kinds of permission
problems.

Kurt

On Tue, Nov 14, 2017 at 8:51 AM, Michael Leone  wrote:
> It's been so long since I've had to do this, I need a check. I'm doing
> something fundamentally wrong, I think.
>
> We use groups to set share/ACLs on folders. I got a request to share a
> 4th level sub-folder with other employees not in the ACL. So what I
> have is:
>
> Folder A1 (shared)
> -->>B2
>-->>C3
>  -->> D4 (this is the one I want to allow access to)
>
> Now, the share permissions on A1 is for DevelopmentGroup, and the NTFS
> permissions are the same. Those permissions just flow down to B2, C3
> and D4 (i.e., normal inheritance).
>
> Now, I'm pretty sure the only way to allow access to only D4, and not
> allow access to B2 and C3 or even see files there, is to enable ABE.
> But I've never done that, and am leery of enabling it in production,
> without a whole lot more testing and forethought (I shudder to think of
> all the help desk calls, if I get something wrong).
>
> Am I correct that only ABE will do what I am thinking of (allow access
> only to D4 and hide contents of A1, B2, C3)?
>
> Barring ABE, there's nothing I can do, short of granting a new group
> access to D4, and living with the consequences?
>
> Thoughts? At this point, I want to just add the new group to the NTFS
> permissions of D4 only, and live with the fact that these new group
> members can see everything higher up.
>
>
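As an added example (not code from this thread), here is one way to apply the per-level "This Folder and Files" approach with PowerShell to the A1\B2\C3\D4 layout above, using the same inheritance/propagation flags the GUI's "Applies to" choices map to; the path D:\Shares\A1, the share name A1 and the group EXAMPLE\D4-Readers are placeholders.

```powershell
# Added example (not from the thread). Grant a new group access to
# A1\B2\C3\D4 by adding explicit ACEs with a limited "Applies to" scope at
# each level, instead of breaking inheritance anywhere in the tree.
# Placeholders: share root D:\Shares\A1, share name A1, group EXAMPLE\D4-Readers.

$Root      = 'D:\Shares\A1'
$ShareName = 'A1'
$Group     = 'EXAMPLE\D4-Readers'

# The GUI's "Applies to" choices, expressed as .NET inheritance/propagation flags.
$AppliesTo = @{
    'This folder only' = @(
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None)
    'This folder and files' = @(
        [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,   # files yes, subfolders no
        [System.Security.AccessControl.PropagationFlags]::None)
    'This folder, subfolders and files' = @(
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None)
}

function Add-ScopedAce {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights,
        [Parameter(Mandatory)]
        [ValidateSet('This folder only', 'This folder and files', 'This folder, subfolders and files')]
        [string]$Scope
    )
    $acl = Get-Acl -LiteralPath $Path
    $inh, $prop = $AppliesTo[$Scope]
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $inh, $prop,
        [System.Security.AccessControl.AccessControlType]::Allow)
    # AddAccessRule adds an explicit ACE; inheritance from the parent stays enabled.
    $acl.AddAccessRule($ace)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Parent folders: the group can open each folder (and, per the reply above, read
# its files) but the ACE does not flow into sibling subfolders. Use
# 'This folder only' instead if the files in A1, B2 and C3 should stay hidden.
foreach ($dir in @($Root, "$Root\B2", "$Root\B2\C3")) {
    Add-ScopedAce -Path $dir -Identity $Group -Rights ReadAndExecute -Scope 'This folder and files'
}

# Target folder: normal fully inherited scope, so everything under D4 is reachable.
Add-ScopedAce -Path "$Root\B2\C3\D4" -Identity $Group -Rights ReadAndExecute `
    -Scope 'This folder, subfolders and files'

# NTFS alone is not enough: the share permission on A1 (DevelopmentGroup only,
# per the question) must also admit the new group, or they never reach D4.
Grant-SmbShareAccess -Name $ShareName -AccountName $Group -AccessRight Read -Force

# Verify: each new ACE must be explicit (IsInherited = False) and scoped as intended.
foreach ($dir in @($Root, "$Root\B2", "$Root\B2\C3", "$Root\B2\C3\D4")) {
    (Get-Acl -LiteralPath $dir).Access |
        Where-Object { $_.IdentityReference.Value -eq $Group } |
        Select-Object @{ n = 'Path'; e = { $dir } }, FileSystemRights,
                      InheritanceFlags, PropagationFlags, IsInherited
}
```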




Re: [NTSysADM] Looking for a global VPN solution - looking for input

2017-11-13 Thread Kurt Buff
Arg - that should be "seeking commercial services"..

And, once I bring recommendations, it might well be that we just fall
back to a DirectAccess server in each office, with or without a
multi-site configuration, potentially with an SSP VPN appliance also
at each office for backup and contractors, and call it good.

Kurt

On Mon, Nov 13, 2017 at 5:03 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
> I'm not sure either, but that's the task I've been given - not
> necessarily to implement at this stage, but to scope out the
> alternatives and come up with some possibilities.
>
> It's also why I'm seeing recommendations on commercial services, so
> that our implementation requirements are minimized.
>
> Kurt
>
> On Mon, Nov 13, 2017 at 4:38 PM, Joseph L. Casale
> <jcas...@activenetwerx.com> wrote:
>> I've done a lot of openvpn setups in a myriad of formats, site to site, hub 
>> and spoke, client etc.
>> It works well and there are even some lesser documented features that do 
>> some neat stuff but you are now rolling your solution and marinating it 
>> manually.
>> Not sure how well that will scale unless you have a skilled team.
>>
>>> -Original Message-----
>>> From: listsad...@lists.myitforum.com
>>> [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
>>> Sent: Monday, November 13, 2017 5:22 PM
>>> To: ntsysadm <NTSysADM@lists.myitforum.com>
>>> Subject: [NTSysADM] Looking for a global VPN solution - looking for input
>>>
>>> All,
>>>
>>> 1) For staff, currently we're using DirectAccess on 2012R2 as our
>>> primary conduit in the US, with SSL VPNs (SonicWall and Palo Alto
>>> Global Protect) as primary for our overseas offices and secondary for
>>> the US (Sonicwall).
>>>
>>> 2) In the US office, we also have contractors/consultants needing to
>>> use our SSL VPN for access to various resources, and that will likely
>>> expand to our overseas offices soon. Differentiation and securing
>>> resources is even more important here than in 1).
>>>
>>> 3) We also stand up IPSec tunnels for vendors/partners as needed (lab
>>> to lab), for interoperability/compatibility testing.
>>>
>>> We're looking to get into a solution that will take care of at least
>>> the first two (and ideally the third as well), so that we don't have
>>> so many platforms to support, and so that we can make sure that staff
>> >>> in the field get the fastest connection available.
>>>
>>> I've taken a quick gander at the websites for vyprvpn (Golden Frog),
>>> and OpenVPN (commercial client offering), but don't have much of an
>>> opinion on them, as info about them is a bit thin.
>>>
>>> Anyone have experience with solutions like this, and care to comment?
>>>
>>> Thanks,
>>>
>>> Kurt
>>>
>>




[NTSysADM] Looking for a global VPN solution - looking for input

2017-11-13 Thread Kurt Buff
All,

1) For staff, currently we're using DirectAccess on 2012R2 as our
primary conduit in the US, with SSL VPNs (SonicWall and Palo Alto
Global Protect) as primary for our overseas offices and secondary for
the US (Sonicwall).

2) In the US office, we also have contractors/consultants needing to
use our SSL VPN for access to various resources, and that will likely
expand to our overseas offices soon. Differentiation and securing
resources is even more important here than in 1).

3) We also stand up IPSec tunnels for vendors/partners as needed (lab
to lab), for interoperability/compatibility testing.

We're looking to get into a solution that will take care of at least
the first two (and ideally the third as well), so that we don't have
so many platforms to support, and so that we can make sure that staff
in the field get the fastest connection available.

I've taken a quick gander at the websites for vyprvpn (Golden Frog),
and OpenVPN (commercial client offering), but don't have much of an
opinion on them, as info about them is a bit thin.

Anyone have experience with solutions like this, and care to comment?

Thanks,

Kurt




Re: [NTSysADM] WOW!!! I had no idea I was going to be honored

2017-10-24 Thread Kurt Buff
Well, damn...

That's amazing, old man.

Congratulations, and well-deserved.

Kurt

On Tue, Oct 24, 2017 at 9:17 AM, Webster  wrote:
> https://www.citrix.com/blogs/2017/10/24/announcing-ctp-fellow-award-a-new-classification/
>
>
>
> Deeply, deeply humbled and honored
>
>
>
> Thanks
>
>
>
>
>
> Carl Webster
>
> Citrix Technology Professional | iGel Tech Community Insider | Parallels
> VIPP
>
> http://www.CarlWebster.com
>
> The Accidental Citrix Admin
>
>
>
>




Re: [NTSysADM] Pro tip for you: free...

2017-10-18 Thread Kurt Buff
On Wed, Oct 18, 2017 at 5:27 AM, Michael Leone <oozerd...@gmail.com> wrote:
> On Tue, Oct 17, 2017 at 1:24 AM, Kurt Buff <kurt.b...@gmail.com> wrote:
>
>> I can't say for sure what caused it, but somewhere during this process
>> about 10 out of the 70+/- GPOs got fubared, and I had to recover them
>> - something I've never had to do before. Thank all the gods (and
>> decent planning!) that I had snapshot backups of the DC holding all of
>> the FSMO roles, and could mount the VMDK and pull out the sysvol
>> directory and copy them back from the Friday night backup.
>
> Really. I have a scheduled task that backs up all GPOs to a central
> share on the last day of the month. I always assumed that if I needed
> to, I could import a GPO from there, if I needed to restore some
> settings. That seems easier than having to mount a copy of the sysvol
> and copy them out of that.

Yes, there was a lesson in there for me, and I've learned it.

Kurt




Re: [NTSysADM] Pro tip for you: free...

2017-10-17 Thread Kurt Buff
On Tue, Oct 17, 2017 at 1:06 AM, Michael B. Smith <mich...@smithcons.com> wrote:
> Generally speaking, if you remove a server from a domain the computer account 
> is disabled.  That's all. You've ALWAYS gotta clean it up.

This hasn't been my experience with workstations - when I remove one
from the domain via the GUI, the account is gone. I haven't done this
via Posh before this, however, and this was a DC. I must say that I
haven't manually removed DCs very often (haven't in about 3 years), so
my memory is dim on that - and it's almost as rare that I need to
decommission a server.

And when I last demoted a DC, we surely didn't have any problems with the GPOs.

> Also generally speaking, I've commonly seen artifacts remain in AD and DNS 
> when demoting DCs and removing Exchange and removing Lync/SfB servers.

This was just a DC - nothing special about it, though we do run
Exchange 2010 and SfB 2015.

So, I'm still somewhat baffled, but it's all recovered, AFAICT.

Kurt


> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Kurt Buff
> Sent: Tuesday, October 17, 2017 1:24 AM
> To: ntsysadm
> Subject: Re: [NTSysADM] Pro tip for you: free...
>
> You might say that. This happened on Saturday the 8th.
>
> When you log into the target DC, and issue the Posh commands to demote and 
> remove the computer from the domain, it does.
> (https://technet.microsoft.com/en-us/library/hh974714(v=wps.630).aspx).
> The DC ends up in a workgroup with the same name as the domain.
>
> But, if the computer account is protected from accidental deletion, it 
> doesn't kill the account in the domain, so you have to go back and clean up.
>
> This was our physical 2012R2 DC - the others (one in HQ and one in each 
> office overseas, all 2012R2) are VMs.
>
> I can't say for sure what caused it, but somewhere during this process about 
> 10 out of the 70+/- GPOs got fubared, and I had to recover them
> - something I've never had to do before. Thank all the gods (and decent 
> planning!) that I had snapshot backups of the DC holding all of the FSMO 
> roles, and could mount the VMDK and pull out the sysvol directory and copy 
> them back from the Friday night backup. Among other things, the 
> damaged/empty/screwed up GPOs were applied to our DirectAccess server, which 
> promptly decided it wasn't one anymore, and to a fair number of the 
> DirectAccess clients, which then couldn't connect again, even after the DA 
> server was put back together. We had to walk a number of people in the field 
> through connecting to our SSL VPN and doing a 'gpupdate /force' to get them 
> going again. There was also a mishmash of other problems, including drive 
> mapping oddities, printer sharing oddities and other weird crap that had to 
> be sorted.
>
> It was not a good time last week.
>
> One or more of the following could have caused the problem:
>- Maybe because I replaced the DC by formatting the disk and re-installing 
> with the same name and IP address (doubtful)
>- Perhaps it was because during this process I replaced the old
> 2012R2 DC with a 2016 DC. (maybe - seems unlikely)
>- Perhaps it was when I tried to introduce the new 2016 machine into the 
> domain and I discovered that the old account was still there (more likely 
> than the first two)
>- Perhaps it happened during the cleanup after the failed domain account 
> deletion during the demotion process (this seems most likely to me)
>- Or some combination thereof.
>- Or the phase of the moon and a lack of chicken blood.
>
> Kurt
>
> On Mon, Oct 16, 2017 at 7:09 PM, Micheal Espinola Jr 
> <michealespin...@gmail.com> wrote:
>> Interesting...  did something odd happen?
>>
>> --
>> Espi
>>
>>
>> On Mon, Oct 16, 2017 at 4:25 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>>
>>> When you demote a DC, you really should make sure that the computer
>>> account in the domain isn't protected against accidental deletion.
>>>
>>> Further deponent sayeth not.
>>>
>>> Kurt
>>>
>>>
>>
>
>




Re: [NTSysADM] Pro tip for you: free...

2017-10-16 Thread Kurt Buff
You might say that. This happened on Saturday the 8th.

When you log into the target DC, and issue the Posh commands to demote
and remove the computer from the domain, it does.
(https://technet.microsoft.com/en-us/library/hh974714(v=wps.630).aspx).
The DC ends up in a workgroup with the same name as the domain.

But, if the computer account is protected from accidental deletion, it
doesn't kill the account in the domain, so you have to go back and
clean up.

This was our physical 2012R2 DC - the others (one in HQ and one in
each office overseas, all 2012R2) are VMs.

I can't say for sure what caused it, but somewhere during this process
about 10 out of the 70+/- GPOs got fubared, and I had to recover them
- something I've never had to do before. Thank all the gods (and
decent planning!) that I had snapshot backups of the DC holding all of
the FSMO roles, and could mount the VMDK and pull out the sysvol
directory and copy them back from the Friday night backup. Among other
things, the damaged/empty/screwed up GPOs were applied to our
DirectAccess server, which promptly decided it wasn't one anymore, and
to a fair number of the DirectAccess clients, which then couldn't
connect again, even after the DA server was put back together. We had
to walk a number of people in the field through connecting to our SSL
VPN and doing a 'gpupdate /force' to get them going again. There was
also a mishmash of other problems, including drive mapping oddities,
printer sharing oddities and other weird crap that had to be sorted.

It was not a good time last week.

One or more of the following could have caused the problem:
   - Maybe because I replaced the DC by formatting the disk and
re-installing with the same name and IP address (doubtful)
   - Perhaps it was because during this process I replaced the old
2012R2 DC with a 2016 DC. (maybe - seems unlikely)
   - Perhaps it was when I tried to introduce the new 2016 machine
into the domain and I discovered that the old account was still there
(more likely than the first two)
   - Perhaps it happened during the cleanup after the failed domain
account deletion during the demotion process (this seems most likely
to me)
   - Or some combination thereof.
   - Or the phase of the moon and a lack of chicken blood.

Kurt

On Mon, Oct 16, 2017 at 7:09 PM, Micheal Espinola Jr
<michealespin...@gmail.com> wrote:
> Interesting...  did something odd happen?
>
> --
> Espi
>
>
> On Mon, Oct 16, 2017 at 4:25 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>
>> When you demote a DC, you really should make sure that the computer
>> account in the domain isn't protected against accidental deletion.
>>
>> Further deponent sayeth not.
>>
>> Kurt
>>
>>
>




[NTSysADM] Pro tip for you: free...

2017-10-16 Thread Kurt Buff
When you demote a DC, you really should make sure that the computer
account in the domain isn't protected against accidental deletion.

Further deponent sayeth not.

Kurt
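As an added example (not code from this thread), a PowerShell pre-flight check for the protected computer account described above, plus a post-demotion check for the leftovers that then have to be cleaned up by hand; the DC name DC01 is a placeholder and the ActiveDirectory RSAT module is assumed.

```powershell
# Added example, not from the thread. Before demoting a DC, confirm its computer
# object is not protected from accidental deletion (and optionally clear the flag);
# after demotion, confirm nothing was left behind in the domain or the
# Configuration partition. Assumes the ActiveDirectory module; DC01 is a placeholder.

function Test-DcDemotionPreflight {
    param(
        [Parameter(Mandatory)][string]$DcName,
        [switch]$Unprotect   # clear the protection flag if it is set
    )
    $dc = Get-ADComputer -Identity $DcName -Properties ProtectedFromAccidentalDeletion
    $result = [pscustomobject]@{
        Name      = $dc.Name
        DN        = $dc.DistinguishedName
        Protected = [bool]$dc.ProtectedFromAccidentalDeletion
        Cleared   = $false
    }
    if ($result.Protected -and $Unprotect) {
        # Clearing the flag removes the Deny ACEs the protection adds, so the
        # demotion can delete the account instead of leaving it for manual cleanup.
        Set-ADObject -Identity $dc.DistinguishedName -ProtectedFromAccidentalDeletion $false
        $result.Protected = $false
        $result.Cleared   = $true
    }
    $result
}

function Test-DcDemotionResidue {
    param([Parameter(Mandatory)][string]$DcName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    # Any $true below is an object the demotion left behind; it must be removed
    # before a replacement DC with the same name is promoted.
    [pscustomobject]@{
        Name            = $DcName
        ComputerAccount = [bool](Get-ADComputer -Filter "Name -eq '$DcName'")
        ServerObject    = [bool](Get-ADObject -Filter "objectClass -eq 'server' -and Name -eq '$DcName'" `
                                     -SearchBase $configNC)
        NtdsSettings    = [bool](Get-ADObject -Filter "objectClass -eq 'nTDSDSA'" -SearchBase $configNC |
                                     Where-Object DistinguishedName -like "*,CN=$DcName,CN=Servers,*")
    }
}

# Usage (placeholder DC name):
# Test-DcDemotionPreflight -DcName 'DC01' -Unprotect
# ... run the demotion (Uninstall-ADDSDomainController) on DC01 ...
# Test-DcDemotionResidue -DcName 'DC01'
```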




[NTSysADM] Re: [ActiveDir] Is it possible to allow users to update just 1 field in AD?

2017-10-16 Thread Kurt Buff
Don't give the staff member a direct powershell solution.

We've done something similar with LAPS and allowing certain staff
members to read the local Administrator password from AD on their
machines - we created a limited account with specific rights to
perform the task and set up a web page that has that account perform
the task.

Kurt

On Mon, Oct 16, 2017 at 5:44 AM, Michael Leone  wrote:
> I have a user, who needs to do 2 things in AD.
>
> 1. She needs to lookup a user, to see what their login ID is (it has
> to match what is in our Cisco VOIP, I'm told). And then ...
> 2. She needs to input a value in the "IP Phone" field. (apparently,
> the Cisco software does an LDAP lookup of this field).
>
> Is it possible to delegate the right to change just that one field to
> a user? (I think not) We don't want her to inadvertently delete a
> user, or change anything else. We're just tired of her calling the
> help desk to do simple lookups, or enter a phone number that she
> should (might?) be able to do herself.
>
> Mind you, I did an export of all user logins, which was supposed to be
> fed into the Cisco system. So why they think the logins don't match, I
> don't know. And don't have time (or inclination) to deal with.
>
> Thanks for any advice.
> Forum info: http://www.activedir.org
> Problems unsubscribing? Email ad...@mail.activedir.org




Re: [NTSysADM] This pleases me...

2017-10-13 Thread Kurt Buff
Belated is still appreciated.

Thank you.

Kurt

On Fri, Oct 13, 2017 at 6:42 AM, Andrew S. Baker <asbz...@gmail.com> wrote:

> Congrats, Kurt... belated though it is.
>
> Regards,
>
>  *ASB*
>
>
> On Fri, Oct 6, 2017 at 9:24 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>
>> It's a good start
>> https://www.giac.org/certified-professional/kurt-buff/162966
>>
>> Passed with 85%, in 1h 12m.
>>
>>
>>
>



Re: [NTSysADM] A different kind of 3rd party risk

2017-10-12 Thread Kurt Buff
I saw that, and was pretty floored.

That's so stoopid.

Ob XKCD
https://www.xkcd.com/327/
Well, not exactly on point, but still...

Kurt

On Thu, Oct 12, 2017 at 4:04 PM, Richard Stovall <rich...@gmail.com> wrote:
> On a similar (not really, but kind of) note, I present (courtesy of today's
> SANS @Risk):
>
> The Absurdly Underestimated Dangers of CSV Injection
>
>
> http://georgemauer.net/2017/10/07/csv-injection.html
>
> Seriously.
>
> On Tue, Oct 3, 2017 at 11:03 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>
>>
>> https://medium.freecodecamp.org/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c
>>
>>
>




Re: [NTSysADM] Win10 editions question

2017-10-12 Thread Kurt Buff
IoT Core has an SSH server? That's so dang cool!
https://docs.microsoft.com/en-us/windows/iot-core/connect-your-device/ssh

Good grief, why don't they put that in all of their OSes? And the client, too!

Thank you, though. That's pretty clear.

Kurt

On Thu, Oct 12, 2017 at 3:08 PM, Michael B. Smith <mich...@smithcons.com> wrote:
> There are three versions of IoT.
>
> Windows 10 IoT Core does not support domain join. While IoT Core is the 
> replacement for Win10 Embedded, I would certainly not call it "the rebranded 
> version" of Embedded. But perhaps I don't understand what the Wikipedia 
> author means by "rebranded".
>
> Windows 10 IoT Enterprise does support domain join. It is Windows 10 
> Enterprise, for all intents and purposes.
>
> Windows 10 IoT Mobile is Windows 10 Mobile, without any of the extra bells 
> and whistles. It supports device join and workplace join, but not domain join.
>
> So, Windows 10 IoT Core does not join domains - but it can be managed by 
> InTune (and any of the various ODM compliant MDMs). However, it's not a 
> desktop environment. It does UWP and PowerShell. And SSH.
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Kurt Buff
> Sent: Thursday, October 12, 2017 5:23 PM
> To: ntsysadm
> Subject: [NTSysADM] Win10 editions question
>
> So, I've looked at the wikipedia article, and it's not *exactly* answering 
> the question I have...
> https://en.wikipedia.org/wiki/Windows_10_editions
>
> Our engineering department is developing systems that need to have tightly 
> controlled updating, as they are often deployed in public safety environments 
> - ranging from small (2-10 workstations) up to much larger (hundreds of 
> workstations), and there is basically no tolerance for workstations patching 
> and rebooting in anything but the most controlled fashion. Problem is, of 
> course, that the smaller environments aren't going to have domains, and the 
> larger ones are.
>
> Someone has proposed Windows 10 Embedded (which really seems to be Windows 10 
> IoT, but never mind that), but the engineers and PMs are thinking that Win10 
> IoT doesn't join domains.
>
> From the article above, and my other searching, I'm not able to come up with 
> a clean, documented answer as to whether any edition of Win10 IoT can join 
> domains, and if so, which ones.
>
> Can someone point me to clear documentation, preferably from MSFT?
>
> Kurt
>
>




[NTSysADM] Win10 editions question

2017-10-12 Thread Kurt Buff
So, I've looked at the wikipedia article, and it's not *exactly*
answering the question I have...
https://en.wikipedia.org/wiki/Windows_10_editions

Our engineering department is developing systems that need to have
tightly controlled updating, as they are often deployed in public
safety environments - ranging from small (2-10 workstations) up to
much larger (hundreds of workstations), and there is basically no
tolerance for workstations patching and rebooting in anything but the
most controlled fashion. Problem is, of course, that the smaller
environments aren't going to have domains, and the larger ones are.

Someone has proposed Windows 10 Embedded (which really seems to be
Windows 10 IoT, but never mind that), but the engineers and PMs are
thinking that Win10 IoT doesn't join domains.

From the article above, and my other searching, I'm not able to come
up with a clean, documented answer as to whether any edition of Win10
IoT can join domains, and if so, which ones.

Can someone point me to clear documentation, preferably from MSFT?

Kurt




Re: [NTSysADM] This pleases me...

2017-10-11 Thread Kurt Buff
Thank you very much.

It was an interesting experience.

Kurt

On Tue, Oct 10, 2017 at 5:48 AM, Michael Leone <oozerd...@gmail.com> wrote:
> Congratulations! Well done.
>
> On Fri, Oct 6, 2017 at 9:24 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>> It's a good start
>> https://www.giac.org/certified-professional/kurt-buff/162966
>>
>> Passed with 85%, in 1h 12m.
>>
>>
>
>




Re: [NTSysADM] This pleases me...

2017-10-11 Thread Kurt Buff
Thank you. Much appreciated.

Kurt

On Wed, Oct 11, 2017 at 4:44 PM, Richard Stovall <rich...@gmail.com> wrote:
> Well done, Kurt.  Congratulations.
>
> On Fri, Oct 6, 2017 at 9:24 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>
>> It's a good start
>> https://www.giac.org/certified-professional/kurt-buff/162966
>>
>> Passed with 85%, in 1h 12m.
>>
>>
>




Re: [NTSysADM] This pleases me...

2017-10-07 Thread Kurt Buff
Thank you, sir. I know you've credentialed yourself nearly to oblivion
- how many did you get in the past few years?

Kurt

On Sat, Oct 7, 2017 at 8:31 AM, Ed Ziots <eziot...@gmail.com> wrote:
> Gratz..
>
> Ed
>
> On Oct 6, 2017 9:30 PM, "Kurt Buff" <kurt.b...@gmail.com> wrote:
>>
>> It's a good start
>> https://www.giac.org/certified-professional/kurt-buff/162966
>>
>> Passed with 85%, in 1h 12m.
>>
>>
>




Re: [NTSysADM] This pleases me...

2017-10-07 Thread Kurt Buff
I took a SANS course (SEC401), but frankly could have taught most of
the course myself.

I've been doing this a very long time, and have read everything
security-related I could get my hands on for years.

The course and testing did highlight a few areas where my knowledge is weak.

I expect that the next cert I go for will be significantly harder for
me, as whatever it might be (not sure which - GCED/GCWIN/GHIH) will
require much more in-depth knowledge in a specific domain.

Kurt

On Sat, Oct 7, 2017 at 6:10 AM, Erik Goldoff <egold...@gmail.com> wrote:
> Nice :D
> What was your preparation for the exam?  In person classroom, web based,
> book based, etc. ?
>
> Erik
>
> On Fri, Oct 6, 2017 at 9:24 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>
>> It's a good start
>> https://www.giac.org/certified-professional/kurt-buff/162966
>>
>> Passed with 85%, in 1h 12m.
>>
>>
>




Re: [NTSysADM] This pleases me...

2017-10-06 Thread Kurt Buff
Privately - coming from you this means a fair amount.

Also, privately - my 60th birthday was the day after the test!

A lot to celebrate last week...

Kurt

On Fri, Oct 6, 2017 at 7:27 PM, Michael B. Smith <mich...@smithcons.com> wrote:
> Congrats to you, sir!
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Kurt Buff
> Sent: Friday, October 6, 2017 9:24 PM
> To: ntsysadm
> Subject: [NTSysADM] This pleases me...
>
> It's a good start
> https://www.giac.org/certified-professional/kurt-buff/162966
>
> Passed with 85%, in 1h 12m.
>
>




Re: [NTSysADM] This pleases me...

2017-10-06 Thread Kurt Buff
Thank *you*!

Kurt

On Fri, Oct 6, 2017 at 7:27 PM, Michael B. Smith <mich...@smithcons.com> wrote:
> Congrats to you, sir!
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Kurt Buff
> Sent: Friday, October 6, 2017 9:24 PM
> To: ntsysadm
> Subject: [NTSysADM] This pleases me...
>
> It's a good start
> https://www.giac.org/certified-professional/kurt-buff/162966
>
> Passed with 85%, in 1h 12m.
>
>




Re: [NTSysADM] This pleases me...

2017-10-06 Thread Kurt Buff
Thank you. I'm not sure which cert to get next, but I'm going to try
for another next year.

Kurt

On Fri, Oct 6, 2017 at 6:54 PM, D R <drod...@gmail.com> wrote:
> Congratulations.
>
> Impressive score and time.
>
> Very good. (audience stands and applauds.)
>
> Daniel Rodriguez
>
> On Fri, Oct 6, 2017 at 8:24 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>
>> It's a good start
>> https://www.giac.org/certified-professional/kurt-buff/162966
>>
>> Passed with 85%, in 1h 12m.
>>
>>
>
>
>
> --
> Daniel Rodriguez
> drod...@gmail.com




Re: [NTSysADM] This pleases me...

2017-10-06 Thread Kurt Buff
Thanks.

On Fri, Oct 6, 2017 at 7:04 PM, Micheal Espinola Jr
<michealespin...@gmail.com> wrote:
> Well done, and congrats!
>
> --
> Espi
>
>
> On Fri, Oct 6, 2017 at 6:24 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>
>> It's a good start
>> https://www.giac.org/certified-professional/kurt-buff/162966
>>
>> Passed with 85%, in 1h 12m.
>>
>>
>




[NTSysADM] This pleases me...

2017-10-06 Thread Kurt Buff
It's a good start
https://www.giac.org/certified-professional/kurt-buff/162966

Passed with 85%, in 1h 12m.




[NTSysADM] A different kind of 3rd party risk

2017-10-03 Thread Kurt Buff
https://medium.freecodecamp.org/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c




Re: [NTSysADM] Odd problems with account display after name change

2017-09-24 Thread Kurt Buff
Oh, and looking over the referenced article, I agree that it seems
that it should refresh after 10 minutes, so I am at a loss to
understand what did/didn't happen to the system(s) to update the name
looking.

Weird.

Kurt

On Sun, Sep 24, 2017 at 5:42 PM, Michael B. Smith <mich...@smithcons.com> wrote:
> Thanks for this information... but I've gotta ask - did you reboot first?
>
> Or restart NetLogon first?
>
> As I read this: 
> https://technet.microsoft.com/en-us/library/ff428139(ws.10).aspx
>
> It implies that every 10 minutes the cache should be updated for existing 
> entries!
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Kurt Buff
> Sent: Thursday, September 21, 2017 4:56 PM
> To: ntsysadm
> Subject: Re: [NTSysADM] Odd problems with account display after name change
>
> Found it...
>
> LSA cache seems to have been the culprit.
>
> https://support.microsoft.com/en-us/help/946358/the-lsalookupsids-function-may-return-the-old-user-name-instead-of-the
>
> I set up the regentry in this article, then restarted the netlogon service, 
> and we got the results we wanted.
>
> I expect if I had just bounced the machines, that would have fixed it too...
>
> Kurt
>
> On Sat, Sep 16, 2017 at 9:12 AM, Brian Desmond <br...@briandesmond.com> wrote:
>> I'd more wonder if the app doesn't have a database that it sticks some bits 
>> about the user in the first time they sign-in and never updates it again.
>>
>> Thanks,
>> Brian Desmond
>>
>> w – 312.625.1438 | c – 312.731.3132
>>
>> -Original Message-
>> From: listsad...@lists.myitforum.com
>> [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
>> Sent: Friday, September 15, 2017 7:01 PM
>> To: ntsysadm <ntsysadm@lists.myitforum.com>
>> Subject: Re: [NTSysADM] Odd problems with account display after name
>> change
>>
>> No, I'm not sure the app isn't caching - this despite the web developer's 
>> assertion that it's a direct query to AD for each login.
>>
>> I'm going to do an iisreset this weekend, and see if that resolves the 
>> problem.
>>
>> Kurt
>>
>> On Fri, Sep 15, 2017 at 4:18 PM, Brian Desmond <br...@briandesmond.com> 
>> wrote:
>>> Seems unlikely. Are you sure the app isn't caching something locally?
>>>
>>> Thanks,
>>> Brian Desmond
>>>
>>> w – 312.625.1438 | c – 312.731.3132
>>>
>>> -Original Message-
>>> From: listsad...@lists.myitforum.com
>>> [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
>>> Sent: Friday, September 15, 2017 6:03 PM
>>> To: ntsysadm <NTSysADM@lists.myitforum.com>
>>> Subject: [NTSysADM] Odd problems with account display after name
>>> change
>>>
>>> All,
>>>
>>> I've got a couple of questions, but first what I'm seeing.
>>>
>>> One of our users went through a name change this week (from jmounts to 
>>> jmartin), and now she's seeing her old ID on a couple of internally 
>>> developed web sites (we show who's logged in on the landing page for each 
>>> of them) that get permissions from AD.
>>>
>>> I've looked over her account briefly (get-aduser -properties*), and see a 
>>> couple of places that still show the old ID:
>>>
>>>legacyExchangeDN  : /o=Exampe/ou=US/cn=Recipients/cn=JMounts
>>>msExchADCGlobalNames   :
>> >>> EX5:cn=JMounts,cn=Recipients,ou=US,o=Example:organizationalperson$person$top41538F7E51E1C701}
>>>
>>> The second one above also has NT5 and FOREST entries.
>>>
>>> I also see these entries:
>>>
>>>ProxyAddresses   X400:c=US;a= ;p=Example;o=US;s=Mounts;g=Jill;
>>>
>>> along with her smtp and sip addresses, and
>>>
>>>textEncodedORAddress   : X400:C=US;A= ;P=Zetron;O=ZETUS;S=Mounts;G=Jill;
>>>
>>> But since they don't show jmounts, I don't think they play a role here.
>>>
>>> So, the question:
>>> 1) would any of these fields be picked up by the web sites? Doesn't seem 
>>> likely to me.
>>>
>>> 2) Is there any other place I should be looking to track this down?
>>>
>>> Kurt
>>>
>>>
>>
>>
>
>




Re: [NTSysADM] Odd problems with account display after name change

2017-09-21 Thread Kurt Buff
Yes, a full week seems excessive.

Kurt

On Thu, Sep 21, 2017 at 2:12 PM, Joseph L. Casale
<jcas...@activenetwerx.com> wrote:
> Nice catch, reading up this shows the default is 10080 minutes. That’s pretty 
> long...
>
>> -Original Message-
>> From: listsad...@lists.myitforum.com
>> [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
>> Sent: Thursday, September 21, 2017 2:56 PM
>> To: ntsysadm <ntsysadm@lists.myitforum.com>
>> Subject: Re: [NTSysADM] Odd problems with account display after name
>> change
>>
>> Found it...
>>
>> LSA cache seems to have been the culprit.
>>
>> https://support.microsoft.com/en-us/help/946358/the-lsalookupsids-
>> function-may-return-the-old-user-name-instead-of-the
>>
>> I set up the regentry in this article, then restarted the netlogon
>> service, and we got the results we wanted.
>>
>> I expect if I had just bounced the machines, that would have fixed it too...
>>
>> Kurt
>>
>> On Sat, Sep 16, 2017 at 9:12 AM, Brian Desmond
>> <br...@briandesmond.com> wrote:
>> > I'd more wonder if the app doesn't have a database that it sticks some bits
>> > about the user in the first time they sign-in and never updates it again.
>> >
>> > Thanks,
>> > Brian Desmond
>> >
>> > w – 312.625.1438 | c – 312.731.3132
>> >
>> > -Original Message-
>> > From: listsad...@lists.myitforum.com
>> > [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
>> > Sent: Friday, September 15, 2017 7:01 PM
>> > To: ntsysadm <ntsysadm@lists.myitforum.com>
>> > Subject: Re: [NTSysADM] Odd problems with account display after name
>> > change
>> >
>> > No, I'm not sure the app isn't caching - this despite the web developer's
>> > assertion that it's a direct query to AD for each login.
>> >
>> > I'm going to do an iisreset this weekend, and see if that resolves the
>> > problem.
>> >
>> > Kurt
>> >
>> > On Fri, Sep 15, 2017 at 4:18 PM, Brian Desmond
>> > <br...@briandesmond.com> wrote:
>> >> Seems unlikely. Are you sure the app isn't caching something locally?
>> >>
>> >> Thanks,
>> >> Brian Desmond
>> >>
>> >> w – 312.625.1438 | c – 312.731.3132
>> >>
>> >> -Original Message-
>> >> From: listsad...@lists.myitforum.com
>> >> [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
>> >> Sent: Friday, September 15, 2017 6:03 PM
>> >> To: ntsysadm <NTSysADM@lists.myitforum.com>
>> >> Subject: [NTSysADM] Odd problems with account display after name
>> >> change
>> >>
>> >> All,
>> >>
>> >> I've got a couple of questions, but first what I'm seeing.
>> >>
>> >> One of our users went through a name change this week (from jmounts
>> >> to jmartin), and now she's seeing her old ID on a couple of internally
>> >> developed web sites (we show who's logged in on the landing page for each
>> >> of them) that get permissions from AD.
>> >>
>> >> I've looked over her account briefly (get-aduser -properties*), and see a
>> >> couple of places that still show the old ID:
>> >>
>> >>legacyExchangeDN  : /o=Exampe/ou=US/cn=Recipients/cn=JMounts
>> >>msExchADCGlobalNames   :
>> >> EX5:cn=JMounts,cn=Recipients,ou=US,o=Example:organizationalperson$person$top41538F7E51E1C701}
>> >>
>> >> The second one above also has NT5 and FOREST entries.
>> >>
>> >> I also see these entries:
>> >>
>> >>ProxyAddresses   X400:c=US;a= ;p=Example;o=US;s=Mounts;g=Jill;
>> >>
>> >> along with her smtp and sip addresses, and
>> >>
>> >>textEncodedORAddress   : X400:C=US;A=
>> ;P=Zetron;O=ZETUS;S=Mounts;G=Jill;
>> >>
>> >> But since they don't show jmounts, I don't think they play a role here.
>> >>
>> >> So, the question:
>> >> 1) would any of these fields be picked up by the web sites? Doesn't seem
>> likely to me.
>> >>
>> >> 2) Is there any other place I should be looking to track this down?
>> >>
>> >> Kurt
>> >>
>> >>
>> >
>> >
>>
>




Re: [NTSysADM] Running RSAT tools elevated

2017-09-21 Thread Kurt Buff
What I do now is not satisfactory, but I'll get to that in a few moments...

Currently I log into my machine with non-elevated user credentials.

I have a text file with all of the incantations I need - I stuck it in
my startup folder, so that it's always there. Each one is in the form
of:

runas /netonly /user:kurt-ad...@example.com
"C:\Windows\system32\mmc.exe \"C:\Program Files\Microsoft\Exchange
Server\V14\Bin\Exchange Management Console.msc\""

I run a cmd session elevated with the local administrator password.
One problem with that is that some of the RSAT tools won't launch
unless the session is elevated with a domain account, which baffles
me, but I haven't figured out a way around it.

What's the better way?

Create a PAW (Privileged Access Workstation), and log in with your
admin credentials. Use a VM on your PAW (or in your VM farm) to do
non-privileged tasks, as a non-privileged user. I'm trying to find
time to do that, but it's very hard, because I have so many projects
on my plate - but here are the foundational docs for this effort:
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations
https://gallery.technet.microsoft.com/Privileged-Access-53a4673a

Kurt

On Thu, Sep 21, 2017 at 6:48 AM, Heaton, Joseph@Wildlife
 wrote:
> So, in Win 7, I had installed RSAT tools, and I had the shortcuts setup so
> that when I double-clicked it, it would run as administrator, I’d be
> prompted by my privilege elevation software, put in my admin credentials and
> away I went.  I did not have to use the runas command in the shortcut to
> make this happen.  Now, in Win 10, I can’t for the life of me get this
> working.  If I go to the Advanced button in the shortcut, and choose Run as
> Administrator, nothing happens.  The tool opens using my logged in
> credentials, not prompting me for my admin creds.  If I do put in the runas
> command, I end up having to enter my credentials twice, once for my
> privilege elevation software, once in a command window that opens up.
>
>
>
> Anyone know of a better way of doing this?
>
>
>
> Joe Heaton
>
> Information Technology Operations Branch
>
> Data and Technology Division
>
> CA Department of Fish and Wildlife
>
> 1700 9th Street, 3rd Floor
>
> Sacramento, CA  95811
>
> Desk:  916-323-1284
>
>
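
Added example, not Kurt's text file of runas incantations and not part of the thread: the same idea as a small PowerShell function that asks for the admin password once per session and launches whichever console you name under that account. Console paths, the admin UPN (kurt-admin@example.com) and the console list are assumptions.

```powershell
# Added example (not from the thread). Launch management consoles under a
# separate admin account from a non-privileged desktop session.

$script:AdminCred = $null

# Console name -> .msc path. Assumed locations; adjust to what is installed.
$Consoles = @{
    'ad'       = "$env:SystemRoot\System32\dsa.msc"
    'gpo'      = "$env:SystemRoot\System32\gpmc.msc"
    'dns'      = "$env:SystemRoot\System32\dnsmgmt.msc"
    'exchange' = 'C:\Program Files\Microsoft\Exchange Server\V14\Bin\Exchange Management Console.msc'
}

function Get-AdminCredential {
    # Prompt once; the PSCredential is held for the rest of the session.
    if (-not $script:AdminCred) {
        $script:AdminCred = Get-Credential -UserName 'kurt-admin@example.com' `
                                           -Message 'Admin account for management consoles'
    }
    $script:AdminCred
}

function Start-AdminConsole {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('ad', 'gpo', 'dns', 'exchange')]
        [string] $Name
    )

    $msc = $Consoles[$Name]
    if (-not (Test-Path -LiteralPath $msc)) { throw "Console not installed: $msc" }

    # Start-Process -Credential goes through the Secondary Logon service, like
    # runas without /netonly: the admin account performs a full logon here and
    # the new mmc carries its token, so it needs "Allow log on locally".
    # -WorkingDirectory is set because the admin account may not be able to
    # read the caller's current directory (a network path, for instance).
    Start-Process -FilePath "$env:SystemRoot\System32\mmc.exe" `
                  -ArgumentList ('"{0}"' -f $msc) `
                  -Credential (Get-AdminCredential) `
                  -WorkingDirectory "$env:SystemRoot\System32"
}

# Usage:
#   Start-AdminConsole ad
#   Start-AdminConsole exchange
```

Two caveats. The password sits in $script:AdminCred for the life of the session, and because this is a full logon rather than /netonly, the admin account's credentials and Kerberos tickets live in LSASS on the daily-use workstation; that exposure is exactly why the PAW is the better answer. Start-Process cannot combine -Credential with -Verb RunAs, so consoles that only work in a UAC-elevated domain session are not helped by this.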




Re: [NTSysADM] Odd problems with account display after name change

2017-09-21 Thread Kurt Buff
Found it...

LSA cache seems to have been the culprit.

https://support.microsoft.com/en-us/help/946358/the-lsalookupsids-function-may-return-the-old-user-name-instead-of-the

I set up the registry entry from this article, then restarted the Netlogon
service, and we got the results we wanted.

I expect if I had just bounced the machines, that would have fixed it too...

Kurt

On Sat, Sep 16, 2017 at 9:12 AM, Brian Desmond <br...@briandesmond.com> wrote:
> I'd more wonder if the app doesn't have a database that it sticks some bits 
> about the user in the first time they sign-in and never updates it again.
>
> Thanks,
> Brian Desmond
>
> w – 312.625.1438 | c – 312.731.3132
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Kurt Buff
> Sent: Friday, September 15, 2017 7:01 PM
> To: ntsysadm <ntsysadm@lists.myitforum.com>
> Subject: Re: [NTSysADM] Odd problems with account display after name change
>
> No, I'm not sure the app isn't caching - this despite the web developer's 
> assertion that it's a direct query to AD for each login.
>
> I'm going to do an iisreset this weekend, and see if that resolves the 
> problem.
>
> Kurt
>
> On Fri, Sep 15, 2017 at 4:18 PM, Brian Desmond <br...@briandesmond.com> wrote:
>> Seems unlikely. Are you sure the app isn't caching something locally?
>>
>> Thanks,
>> Brian Desmond
>>
>> w – 312.625.1438 | c – 312.731.3132
>>
>> -Original Message-
>> From: listsad...@lists.myitforum.com
>> [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
>> Sent: Friday, September 15, 2017 6:03 PM
>> To: ntsysadm <NTSysADM@lists.myitforum.com>
>> Subject: [NTSysADM] Odd problems with account display after name
>> change
>>
>> All,
>>
>> I've got a couple of questions, but first what I'm seeing.
>>
>> One of our users went through a name change this week (from jmounts to 
>> jmartin), and now she's seeing her old ID on a couple of internally 
>> developed web sites (we show who's logged in on the landing page for each of 
>> them) that get permissions from AD.
>>
>> I've looked over her account briefly (get-aduser -properties*), and see a 
>> couple of places that still show the old ID:
>>
>>legacyExchangeDN  : /o=Exampe/ou=US/cn=Recipients/cn=JMounts
>>msExchADCGlobalNames   :
>> EX5:cn=JMounts,cn=Recipients,ou=US,o=Example:organizationalperson$person$top41538F7E51E1C701}
>>
>> The second one above also has NT5 and FOREST entries.
>>
>> I also see these entries:
>>
>>ProxyAddresses   X400:c=US;a= ;p=Example;o=US;s=Mounts;g=Jill;
>>
>> along with her smtp and sip addresses, and
>>
>>textEncodedORAddress   : X400:C=US;A= ;P=Zetron;O=ZETUS;S=Mounts;G=Jill;
>>
>> But since they don't show jmounts, I don't think they play a role here.
>>
>> So, the question:
>> 1) would any of these fields be picked up by the web sites? Doesn't seem 
>> likely to me.
>>
>> 2) Is there any other place I should be looking to track this down?
>>
>> Kurt
>>
>>
>
>




Re: [NTSysADM] Odd problems with account display after name change

2017-09-19 Thread Kurt Buff
Sorry for the late reply - the user wasn't in yesterday, so I couldn't
confirm the effectiveness of the iisreset - but it wasn't...

According to the dev, the web sites use two different methods to
gather the ID from the user:

 string PageUserName = Page.User.Identity.Name.Replace("EXAMPLE\\", "");
and
 string HttpContextCurrentUser =
HttpContext.Current.User.Identity.Name.Replace("EXAMPLE\\", "");

How it validates that against AD I don't know.

I'm going to install Fiddler on the user's machine tomorrow, and see if
that can tell me anything.

And, I'm beginning to wonder if there's something that's cached in her
local profile that's gone worng [sic].

Kurt


On Fri, Sep 15, 2017 at 5:08 PM, Michael B. Smith <mich...@smithcons.com> wrote:
> Then what's the query?
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Kurt Buff
> Sent: Friday, September 15, 2017 8:01 PM
> To: ntsysadm
> Subject: Re: [NTSysADM] Odd problems with account display after name change
>
> No, I'm not sure the app isn't caching - this despite the web developer's 
> assertion that it's a direct query to AD for each login.
>
> I'm going to do an iisreset this weekend, and see if that resolves the 
> problem.
>
> Kurt
>
> On Fri, Sep 15, 2017 at 4:18 PM, Brian Desmond <br...@briandesmond.com> wrote:
>> Seems unlikely. Are you sure the app isn't caching something locally?
>>
>> Thanks,
>> Brian Desmond
>>
>> w – 312.625.1438 | c – 312.731.3132
>>
>> -Original Message-
>> From: listsad...@lists.myitforum.com
>> [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
>> Sent: Friday, September 15, 2017 6:03 PM
>> To: ntsysadm <NTSysADM@lists.myitforum.com>
>> Subject: [NTSysADM] Odd problems with account display after name
>> change
>>
>> All,
>>
>> I've got a couple of questions, but first what I'm seeing.
>>
>> One of our users went through a name change this week (from jmounts to 
>> jmartin), and now she's seeing her old ID on a couple of internally 
>> developed web sites (we show who's logged in on the landing page for each of 
>> them) that get permissions from AD.
>>
>> I've looked over her account briefly (get-aduser -properties*), and see a 
>> couple of places that still show the old ID:
>>
>>legacyExchangeDN  : /o=Exampe/ou=US/cn=Recipients/cn=JMounts
>>msExchADCGlobalNames   :
>> EX5:cn=JMounts,cn=Recipients,ou=US,o=Example:organizationalperson$person$top41538F7E51E1C701}
>>
>> The second one above also has NT5 and FOREST entries.
>>
>> I also see these entries:
>>
>>ProxyAddresses   X400:c=US;a= ;p=Example;o=US;s=Mounts;g=Jill;
>>
>> along with her smtp and sip addresses, and
>>
>>textEncodedORAddress   : X400:C=US;A= ;P=Zetron;O=ZETUS;S=Mounts;G=Jill;
>>
>> But since they don't show jmounts, I don't think they play a role here.
>>
>> So, the question:
>> 1) would any of these fields be picked up by the web sites? Doesn't seem 
>> likely to me.
>>
>> 2) Is there any other place I should be looking to track this down?
>>
>> Kurt
>>
>>
>
>
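
Added example, not the developer's code and not from the thread, covering both the Identity.Name snippet in the message above and the LsaLookupSids cache Kurt found in his 21 Sep reply. With Windows authentication in IIS, the app receives a token carrying the user's SID; Identity.Name is that SID translated back to DOMAIN\name by LsaLookupSids on the web server, and that translation is cached locally. So AD can already say jmartin while the web server keeps answering jmounts, no matter how often the page queries AD for permissions. The first function shows both answers side by side; the second applies the workaround Kurt used (the LsaLookupCacheMaxSize DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa set to 0, as documented in KB946358; check the article before applying) and restarts Netlogon. Assumed: the new logon name jmartin, the NetBIOS domain EXAMPLE, and the RSAT ActiveDirectory module on the machine where this runs.

```powershell
# Added example (not from the thread). Run on the IIS host that still shows
# the old name, as an administrator.
Import-Module ActiveDirectory

function Compare-AccountNameSources {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,   # assumed: 'jmartin'
        [string] $Domain = 'EXAMPLE'                        # assumed NetBIOS name
    )

    # 1. The directory: authoritative for the current sAMAccountName.
    $user = Get-ADUser -Identity $SamAccountName `
                -Properties legacyExchangeDN, msExchADCGlobalNames
    $sid = $user.SID.Value

    # 2. This machine's LSA: what IIS/.NET will put into Identity.Name.
    #    Translate() goes through LsaLookupSids and therefore through the
    #    local SID/name cache described in KB946358.
    $lsaName = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                   [System.Security.Principal.NTAccount]).Value

    [pscustomobject]@{
        SID                  = $sid
        ADSamAccountName     = $user.SamAccountName
        LsaTranslatedName    = $lsaName
        Match                = ($lsaName -ieq "$Domain\$($user.SamAccountName)")
        # Exchange leftovers that still carry the old name but are not
        # consulted when a token is turned into a display name:
        legacyExchangeDN     = $user.legacyExchangeDN
        msExchADCGlobalNames = ($user.msExchADCGlobalNames -join '; ')
    }
}

function Disable-LsaLookupCache {
    # KB946358 workaround: LsaLookupCacheMaxSize = 0 turns the cache off so
    # every lookup goes to a DC. Restarting Netlogon (or rebooting) clears
    # what is already cached. Remove the value again once names are
    # consistent if you do not want uncached lookups permanently.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-ItemProperty -Path $key -Name LsaLookupCacheMaxSize `
        -PropertyType DWord -Value 0 -Force | Out-Null
    Restart-Service -Name Netlogon -Force
}

# Usage:
Compare-AccountNameSources -SamAccountName 'jmartin' | Format-List
# If LsaTranslatedName shows EXAMPLE\jmounts while ADSamAccountName is
# jmartin, the local cache is stale:
# Disable-LsaLookupCache
```

If Match is already true on the web server, the stale name is coming from somewhere else (the app's own database, as Brian suggested, or a forms cookie), and the cache change will not help.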




Re: [NTSysADM] iOS 11 is scheduled for release tomorrow...

2017-09-18 Thread Kurt Buff
Oh.

My.

Thanks for the heads up.

Kurt

On Mon, Sep 18, 2017 at 11:22 AM, Michael B. Smith
 wrote:
> And that may not be a good thing in all cases…
>
>
>
> Known issues to be aware of:
>
>
>
> [1] Exchange ActiveSync is broken under certain configurations. Apple is
> aware of the issue and pursuing a fix.
>
>
>
> [2] The default picture format for iPhones 7/8/X is changing. As a Microsoft
> employee wrote earlier today:
>
>
>
> The new photo and video formats result in files about 1/2 size of the old
> JPEG and video formats, while having better quality. The problem is that new
> files will likely not open properly outside of your phone until everything
> that you use to work with photos updates to work with new HEIF formats.
>
>
>
> To check if your iOS 11 phone uses the new format, go to Settings > Camera >
> Formats. "High Efficiency" is new and "Most Compatible" is the old /
> current.
>
>
>
> I do not suggest to just turn this off; hey - getting files half the size is
> super cool. Just realize that if you use the photos outside of your phone
> that there might be temporary issues with viewing.
>
>
>
> Windows and OneDrive do not yet support the new formats.
>
>
>
> h/t ninob
>
>
>
> You may wish to suggest to your user communities that they delay upgrades
> because of the EAS issue.




Re: [NTSysADM] Odd problems with account display after name change

2017-09-15 Thread Kurt Buff
The two affected web sites run on different platforms - one's on 2003
R2 (don't say it - yes, I know...), the other is on 2008 R2.

He states that he used two different methods to auth against AD, but I
can't remember off the top of my head what they were.

I'll check with him again on Monday to see what he says.

Kurt

On Fri, Sep 15, 2017 at 4:27 PM, Michael B. Smith <mich...@smithcons.com> wrote:
> How does the app look up the name?
>
> That's really the important question, IMO.
>
> (BTW, msExchADCGlobalNames is from the Active Directory Connector, moving 
> from Exchange 5.5 to Exchange 2000/2003. Long long unused.)
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Kurt Buff
> Sent: Friday, September 15, 2017 7:03 PM
> To: ntsysadm
> Subject: [NTSysADM] Odd problems with account display after name change
>
> All,
>
> I've got a couple of questions, but first what I'm seeing.
>
> One of our users went through a name change this week (from jmounts to 
> jmartin), and now she's seeing her old ID on a couple of internally developed 
> web sites (we show who's logged in on the landing page for each of them) that 
> get permissions from AD.
>
> I've looked over her account briefly (get-aduser -properties*), and see a 
> couple of places that still show the old ID:
>
>legacyExchangeDN  : /o=Exampe/ou=US/cn=Recipients/cn=JMounts
>msExchADCGlobalNames   :
> EX5:cn=JMounts,cn=Recipients,ou=US,o=Example:organizationalperson$person$top41538F7E51E1C701}
>
> The second one above also has NT5 and FOREST entries.
>
> I also see these entries:
>
>ProxyAddresses   X400:c=US;a= ;p=Example;o=US;s=Mounts;g=Jill;
>
> along with her smtp and sip addresses, and
>
>textEncodedORAddress   : X400:C=US;A= ;P=Zetron;O=ZETUS;S=Mounts;G=Jill;
>
> But since they don't show jmounts, I don't think they play a role here.
>
> So, the question:
> 1) would any of these fields be picked up by the web sites? Doesn't seem 
> likely to me.
>
> 2) Is there any other place I should be looking to track this down?
>
> Kurt
>
>




Re: [NTSysADM] Odd problems with account display after name change

2017-09-15 Thread Kurt Buff
No, I'm not sure the app isn't caching - this despite the web
developer's assertion that it's a direct query to AD for each login.

I'm going to do an iisreset this weekend, and see if that resolves the problem.

Kurt

On Fri, Sep 15, 2017 at 4:18 PM, Brian Desmond <br...@briandesmond.com> wrote:
> Seems unlikely. Are you sure the app isn't caching something locally?
>
> Thanks,
> Brian Desmond
>
> w – 312.625.1438 | c – 312.731.3132
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Kurt Buff
> Sent: Friday, September 15, 2017 6:03 PM
> To: ntsysadm <NTSysADM@lists.myitforum.com>
> Subject: [NTSysADM] Odd problems with account display after name change
>
> All,
>
> I've got a couple of questions, but first what I'm seeing.
>
> One of our users went through a name change this week (from jmounts to 
> jmartin), and now she's seeing her old ID on a couple of internally developed 
> web sites (we show who's logged in on the landing page for each of them) that 
> get permissions from AD.
>
> I've looked over her account briefly (get-aduser -properties*), and see a 
> couple of places that still show the old ID:
>
>legacyExchangeDN  : /o=Exampe/ou=US/cn=Recipients/cn=JMounts
>msExchADCGlobalNames   :
> EX5:cn=JMounts,cn=Recipients,ou=US,o=Example:organizationalperson$person$top41538F7E51E1C701}
>
> The second one above also has NT5 and FOREST entries.
>
> I also see these entries:
>
>ProxyAddresses   X400:c=US;a= ;p=Example;o=US;s=Mounts;g=Jill;
>
> along with her smtp and sip addresses, and
>
>textEncodedORAddress   : X400:C=US;A= ;P=Zetron;O=ZETUS;S=Mounts;G=Jill;
>
> But since they don't show jmounts, I don't think they play a role here.
>
> So, the question:
> 1) would any of these fields be picked up by the web sites? Doesn't seem 
> likely to me.
>
> 2) Is there any other place I should be looking to track this down?
>
> Kurt
>
>




Re: [NTSysADM] Dropping Kaspersky Av, who to replace it with?

2017-09-14 Thread Kurt Buff
I believe that's a political decision, not backed by any technical detail.

Kurt

On Thu, Sep 14, 2017 at 11:26 AM, Kennedy, Jim
 wrote:
> Looks like the WH's cybersecurity dude announced it.
>
> http://www.businessinsider.com/kaspersky-is-being-banned-across-the-us-government-by-trump-2017-9
>
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Michael B. Smith
> Sent: Thursday, September 14, 2017 2:18 PM
> To: ntsysadm@lists.myitforum.com
> Subject: RE: [NTSysADM] Dropping Kaspersky Av, who to replace it with?
>
> As I've recommended Kaspersky for about a decade now, I'm interested in 
> knowing your source. :-)
>
> I know that the USA is less and less happy with Russia... But I've not found 
> anything that even seems official...
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
> On Behalf Of Michael Leone
> Sent: Thursday, September 14, 2017 12:32 PM
> To: ntsysadm@lists.myitforum.com
> Subject: [NTSysADM] Dropping Kaspersky Av, who to replace it with?
>
> We use Kaspersky for our AV needs, and to be honest, it's worked out well for 
> us. It's certainly caught things that McAfee, our previous AV solution, 
> didn't. However, they have this slight problem with being a covert arm of the 
> Russian government, apparently ..
>
> So we need to drop them, as the federal agencies are doing.
>
> There are lots of reviews, such as av-test.org, that we are looking at. But 
> tell me, who do you have? And - more importantly - if you had your say in the 
> matter, would you keep them?
>
> We're a sort of enterprise-level organization, maybe 1K users, bunch of 
> laptops issued to remote users. So far, all Win 7 for workstations, but 
> obviously that will change in the future. Servers are all Win
> 2008/2012 R2 (so far). So we need something with a centralized console, to 
> push out rules, updates, etc.
>
> We use Proofpoint as an email gateway, so it does mail scanning. We have 
> Checkpoint firewalls for managing that sort of traffic.
>
> Thoughts?  I know I've heard good things about ESET and Sophos, among others. 
> Just soliciting some real world opinions, along with our own research.
>
>




Re: [NTSysADM] Is there a reason not to have file shares in a drives root folder

2017-09-12 Thread Kurt Buff
+1
- create a directory at the root, and share that, not the root.
- Remove the NTFS permissions for Users from the root, and assign it to the
directory, with Read-Only (this folder only)

It solves a lot of problems.

Kurt



On Tue, Sep 12, 2017 at 3:10 AM, Melvin Backus 
wrote:

> Not putting them in the root avoids the need to modify the base NTFS
> permissions on every new share you create.  While defaults used to allow
> r/w access for everyone, now the default is r/o for everyone. By pushing
> down a level you can change it once and all new shares can inherit the new
> setting.  I create a Shares folder for that purpose. No clue why going
> down 2 levels though. I get the path length part, but our users wind up
> exceeding that so often I’ve just come to accept it.  Move a 200
> character path down the tree 8 levels to another 200 character path and
> what do you get?  A mess. :)
>
>
>
>
>
>
>
> --
> There are 10 kinds of people in the world...
>  those who understand binary and those who don't.
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Graeme Carstairs
> *Sent:* Tuesday, September 12, 2017 5:10 AM
> *To:* ntsysadm@lists.myitforum.com
> *Subject:* [NTSysADM] Is there a reason not to have file shares in a
> drives root folder
>
>
>
> Recently came across some file servers that were set up as
>
>
>
> F:\1\2\fileshares
>
>
>
> When asked why, they replied that they had an MS consultant who recommended
> this, as file shares should not be in the root folder and the 3rd
> level folder was the recommended place for them
>
>
>
> They can't remember his reasoning
>
>
>
> But the 1 and 2 were to keep the path short so as not to run into path length
> issues
>
>
>
> Does anyone know why this would be recommended ?
>
>
>
> Tia
>
> Graeme
>
> --
>
> Graeme Carstairs
>
>
>
> e-mail :- loonyto...@gmail.com
>
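
Added example, not from the thread: Kurt's and Melvin's layout carried out with icacls and the SmbShare cmdlets. The data volume D:, the parent folder D:\Shares, the share name Engineering and the group EXAMPLE\Engineering-RW are assumptions. Run elevated on the file server; New-SmbShare needs 2012 or later (on 2008 R2 use net share for the last step).

```powershell
# Added example (not from the thread): shares one level below the volume
# root, with the per-share ACLs living on the share folders themselves.
# Never run the root step against the system volume.

$Root   = 'D:\'
$Parent = 'D:\Shares'

# 1. Parent folder: break inheritance (copying the current ACEs), drop the
#    copied Users entry, then grant Users read on this folder only. Without
#    (OI)(CI) the ACE does not flow down, so each share folder below gets
#    exactly the ACL you give it, and new shares inherit nothing unwanted.
New-Item -ItemType Directory -Path $Parent -Force | Out-Null
icacls $Parent /inheritance:d
icacls $Parent /remove:g 'BUILTIN\Users'
icacls $Parent /grant:r 'BUILTIN\Users:(RX)'

# 2. Volume root: remove the default Users entry so users cannot browse D:\
#    itself. A fresh volume also carries default Authenticated Users
#    entries; treat them the same way if they are present.
icacls $Root /remove:g 'BUILTIN\Users'

# 3. Share folder: its own explicit ACL for the owning group.
$Share = Join-Path $Parent 'Engineering'
New-Item -ItemType Directory -Path $Share -Force | Out-Null
icacls $Share /inheritance:d
icacls $Share /remove:g 'BUILTIN\Users'
icacls $Share /grant:r 'EXAMPLE\Engineering-RW:(OI)(CI)(M)'

# 4. Share the folder, never the root. The share permission is an
#    assumption (Change for Authenticated Users); NTFS carries the control.
New-SmbShare -Name 'Engineering' -Path $Share `
             -ChangeAccess 'Authenticated Users' `
             -FolderEnumerationMode AccessBased

# Verify what ended up where.
icacls $Root
icacls $Parent
icacls $Share
Get-SmbShareAccess -Name 'Engineering'
```

Users who map \\server\Engineering land directly on the share folder and never see D:\ or the neighbouring shares; access-based enumeration hides what they cannot open anyway.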



Re: [NTSysADM] Group Policy - Enforce screensaver and password

2017-09-07 Thread Kurt Buff
On Thu, Sep 7, 2017 at 5:25 AM, Michael Leone <oozerd...@gmail.com> wrote:
>
> On Wed, Sep 6, 2017 at 2:25 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>
>> Below is a picture of what we do. We just lock the screen. Doesn't matter if 
>> the user chooses a screensaver or not - the screen locks after 900 seconds 
>> (too long in my opinion, but it quelled the screaming).
>
>
> AH HA. That's the sort of thing I was looking for. That command does lock the 
> screen, no need to worry whether a screensaver was set or not. So while it's 
> not a "real" screensaver, it does serve the ultimate purpose (locking the 
> machine, and requiring a password to unlock).
>
> Thanks so much! This seems to be working in my testing.


Glad to hear it. I can't remember where I found it, but it was a good
day when I did.

Kurt




Re: [NTSysADM] Group Policy - Enforce screensaver and password

2017-09-06 Thread Kurt Buff
Below is a picture of what we do. We just lock the screen. Doesn't matter
if the user chooses a screensaver or not - the screen locks after 900
seconds (too long in my opinion, but it quelled the screaming).

And, as mentioned, test on someone first.

[image: Inline image 2]

On Wed, Sep 6, 2017 at 8:26 AM, Michael Leone  wrote:

> I've had a "suggestion" from my CIO. :-) He would like to use GP to
> enforce that all domain computers have a screensaver (set to like 15
> minutes), and that the screensaver is password enabled. He didn't seem
> to care which screensaver, as long as one is set.
>
> (these are all Win 7 PCs, BTW)
>
> I see the options in User Config/Policies/Admin Templates/Control
> Panel/Personalization that I can Enable Screen saver and password
> protect the screen saver. But if I read it right, I either have to
> specify which screen saver to use, or depend on the user to pick one.
>
> So what happens if I choose
>
> Enable screen saver: ENABLED
> Password protect the screen saver: ENABLED
> screen saver timeout: 900 seconds
>
> and the user does *not* set a screensaver? If I use the above
> settings, do I really also need to force a specific screen saver, so
> that I can be sure that at least a passworded screen saver is set?
>
> What do the rest of you do? I'm assuming at least some of you enforce
> passworded screensavers.
>
> Thanks for any advice.
>
>
>
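
Added example, not Kurt's screenshot (the archive does not carry the image) and not part of the thread: a PowerShell audit of what the screen saver policy will actually do on a client, followed by the two ways of guaranteeing a lock without depending on the user's choice of screen saver. The registry paths are the standard policy locations behind "Enable screen saver", "Password protect the screen saver", "Screen saver timeout" and "Force specific screen saver". The LockWorkStation task is one command that locks the workstation on idle; whether it is the one in Kurt's picture cannot be checked from the archive.

```powershell
# Added example (not from the thread). Run in the user's session.

function Get-ScreenLockState {
    $policy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $user   = 'HKCU:\Control Panel\Desktop'

    $p = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    $u = Get-ItemProperty -Path $user   -ErrorAction SilentlyContinue

    # Policy wins over the user's own choice wherever both exist.
    $enabled = if ($p.ScreenSaveActive)    { $p.ScreenSaveActive }    else { $u.ScreenSaveActive }
    $secure  = if ($p.ScreenSaverIsSecure) { $p.ScreenSaverIsSecure } else { $u.ScreenSaverIsSecure }
    $timeout = if ($p.ScreenSaveTimeOut)   { $p.ScreenSaveTimeOut }   else { $u.ScreenSaveTimeOut }
    $saver   = if ($p.'SCRNSAVE.EXE')      { $p.'SCRNSAVE.EXE' }      else { $u.'SCRNSAVE.EXE' }

    [pscustomobject]@{
        Enabled          = ($enabled -eq '1')
        PasswordRequired = ($secure  -eq '1')
        TimeoutSeconds   = [int]$timeout
        ScreenSaver      = $saver
        ForcedByPolicy   = [bool]$p.'SCRNSAVE.EXE'
        # Michael's case: everything enabled, but no screen saver selected
        # anywhere, so there is nothing to start and therefore nothing to lock.
        WillLock         = ($enabled -eq '1') -and ($secure -eq '1') -and [bool]$saver
    }
}

# Option 1: force the built-in blank screen saver so one always exists.
# Writing the policy key directly is for testing on one machine; deploy it
# through the GPO setting "Force specific screen saver" = scrnsave.scr.
function Set-BlankScreenSaverPolicy {
    param([int] $TimeoutSeconds = 900)
    $policy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    New-Item -Path $policy -Force | Out-Null
    Set-ItemProperty -Path $policy -Name ScreenSaveActive    -Value '1'
    Set-ItemProperty -Path $policy -Name ScreenSaverIsSecure -Value '1'
    Set-ItemProperty -Path $policy -Name ScreenSaveTimeOut   -Value "$TimeoutSeconds"
    Set-ItemProperty -Path $policy -Name 'SCRNSAVE.EXE'      -Value 'scrnsave.scr'
}

# Option 2: lock on idle regardless of screen saver, via a per-user task
# (deployable with Group Policy Preferences > Scheduled Tasks, run only
# when the user is logged on).
function Register-LockOnIdleTask {
    param([int] $IdleMinutes = 15)
    schtasks /Create /F /SC ONIDLE /I $IdleMinutes /TN 'LockOnIdle' `
             /TR 'rundll32.exe user32.dll,LockWorkStation'
}

# Usage:
Get-ScreenLockState
# Set-BlankScreenSaverPolicy -TimeoutSeconds 900
# Register-LockOnIdleTask -IdleMinutes 15
```

Task Scheduler applies its own, fairly coarse definition of idle, so expect the ONIDLE task to fire somewhat later than the minute count suggests; the forced blank screen saver is the more predictable of the two, and the two can be combined. Anything written under the HKCU policy key by hand is overwritten at the next Group Policy refresh, which is the point of testing that way.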



Re: [NTSysADM] Recommendations for a Security Software Reseller

2017-09-05 Thread Kurt Buff
Ask the publishers for their resellers, and I'd take a look at the
following Carbon Black/Bit9, Cylance, Cybereason, etc.

Also, don't neglect the products that are published by your firewall
vendor - Palo Alto, etc., have endpoint products that are worth a
look, and provide a more unified administrative environment, which is
no small thing.

But frankly, IMHO, you can get more than 90% of the way there with
Applocker or SRPs.

Kurt

On Tue, Sep 5, 2017 at 2:56 PM, Joe Tinney  wrote:
> Hey folks,
>
> I'm interested in working with a reseller that has a strong knowledge of
> current security software (anti-malware, app whitelisting, endpoint
> firewall, etc). Before I go with what I know (Symantec Endpoint Protection)
> I want to make sure I've vetted some of the newer offerings. I've seen lots
> of different suggestions come through from everyone and if you have any more
> of those that would be great as well.
>
> Basically, I'm looking to provide a solid layer of prevention (right now
> we've invested heavily in response via logging and reporting tools like
> Netwrix, AlienVault, etc). By prevention I meant I'm interested in looking
> at a solution that provides endpoint network isolation, authorization
> management, application whitelisting, behavioral analysis, etc.
>
> We've come out of contract with a vendor that was providing TrendMicro's
> cloud product and I was very underwhelmed. I've trialed Symantec Endpoint
> Cloud and again, the same. These small business products just aren't up to
> the task I'm looking to accomplish.
>
> I believe that I do not have the time at the moment to learn, design and
> implement solutions using Group Policy nor do I have extensive MS licensing
> that would allow me to employ more advanced solutions like AppLocker. The
> implementation of products that I'm interested in may of course change my
> mind depending on how protracted the configuration can be.
>
> If anyone has someone they enjoy working with and is sharp please let me
> know. This would be for a company based in the Midwestern Region of the US.
>
> Regards,
> Joe




Re: [NTSysADM] Odd problem with GPO-mapped drives and SSL VPN

2017-08-25 Thread Kurt Buff
The drive letter is mapped to a 2012R2 file server, fully patched.

The client is Win10 1607, fully patched.

Here's the very, very weird thing that just happened.

The GPO error that I saw in the event log was for item-level targeting to
put this machine into a WSUS group. I finally deleted and recreated the
GPO, and was able to do 'gpupdate /force', and the error was gone, using my
workstation administrator login to do the gpupdate.

I sent the user an email, asking him to log in, make the SSL VPN
connection, and do a 'gpupdate /force' - which he did.

But, the command produced the same error he got earlier - on the recreated
GPO!

I'm pretty much done with this, so I've advised him that the next time he's
in the office, he needs to save his data, wipe and reload the machine.

Kurt

On Fri, Aug 25, 2017 at 4:32 PM, Micheal Espinola Jr <
michealespin...@gmail.com> wrote:

> Sorry if I missed it, but what are the client and server OSs?
>
> --
> Espi
>
>
> On Thu, Aug 24, 2017 at 6:04 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>
>> The plot sickens...
>>
>> After I updated a GPO to disable slow link detection, I ran a gpupdate
>> /force on the users machine (over a teamviewer session), and am now
>> getting the error and event ID shown below. I did some research
>> suggesting that there might be an AD replication problem, but a quick
>> analysis with adreplstatus shows no problems, so I'm thinking a
>> possible corrupt GPO somewhere. I'll have to do some research to
>> figure out which it might be.
>>
>> C:\temp>gpupdate /force
>> Updating Policy...
>>
>> User Policy update has completed successfully.
>> Computer policy could not be updated successfully. The following errors
>> were enc
>> ountered:
>>
>> The processing of Group Policy failed. Windows could not apply the
>> registry-based policy settings for the Group Policy object
>> LDAP://CN=Machine,cn={6ADA2CCE-5829-472C-BC68-1B2C2E5D},
>> cn=policies,cn=system,DC=example,DC=com.
>> Group Policy settings will not be resolved until this event is
>> resolved. View the event details
>> for more information on the file name and path that caused the failure.
>>
>> To diagnose the failure, review the event log or run GPRESULT /H
>> GPReport.html from
>> the command line to access information about Group Policy results.
>>
>>
>> Log Name:  System
>> Source:Microsoft-Windows-GroupPolicy
>> Date:  25/08/2017 10:32:42 AM
>> Event ID:  1096
>> Task Category: None
>> Level: Error
>> Keywords:
>> User:  SYSTEM
>> Computer:  GBOTLEY1.example.com
>> Description:
>> The processing of Group Policy failed. Windows could not apply the
>> registry-based policy settings for the Group Policy object
>> LDAP://CN=Machine,cn={6ADA2CCE-5829-472C-BC68-1B2C2E5D},
>> cn=policies,cn=system,DC=example,DC=com.
>> Group Policy settings will not be resolved until this event is
>> resolved. View the event details for more information on the file name
>> and path that caused the failure.
>> Event Xml (element tags lost in the archive; the fields that survive):
>>   xmlns: http://schemas.microsoft.com/win/2004/08/events/event
>>   System:
>>     Provider Guid {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}
>>     EventID 1096, Version 0, Level 2, Task 0, Opcode 1, Keywords 0x8000
>>     EventRecordID 858000
>>     Channel System
>>     Computer GBOTLEY1.example.com
>>   EventData (in order):
>>     2
>>     1254
>>     0
>>     9562
>>     5
>>     Access is denied.
>>     \\zAUDC02p.example.com
>>     LDAP://CN=Machine,cn={6ADA2CCE-5829-472C-BC68-1B2CEEEE2E5D},cn=policies,cn=system,DC=example,DC=com
>>     \\example.com\sysvol\example.com\Policies\{6ADA2CCE-5829-472C-BC68-1B2C2E5D}\Machine\registry.pol
>>
>>
>> On Thu, Aug 24, 2017 at 12:22 AM, Micheal Espinola Jr
>> <michealespin...@gmail.com> wrote:
>> > You should be able to raise the threshold of slow link detection to
>> > compensate.  If you dont allow ping to traverse, the link will always
>> > register as slow.
>> >
>> > --
>> > Espi
>> >
>> >
>> > On Wed, Aug 23, 2017 at 7:21 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>> >>
>> >> That's interesting. So, if it detects a slow link the GPO "unapplies",
>> >> and the mapped drive stops working?
>> >>
>> >> I shall take a look at that.
>> >>
>> >> Kurt
>> >>
>>

Re: [NTSysADM] Odd problem with GPO-mapped drives and SSL VPN

2017-08-24 Thread Kurt Buff
The plot sickens...

After I updated a GPO to disable slow link detection, I ran a gpupdate
/force on the users machine (over a teamviewer session), and am now
getting the error and event ID shown below. I did some research
suggesting that there might be an AD replication problem, but a quick
analysis with adreplstatus shows no problems, so I'm thinking a
possible corrupt GPO somewhere. I'll have to do some research to
figure out which it might be.

C:\temp>gpupdate /force
Updating Policy...

User Policy update has completed successfully.
Computer policy could not be updated successfully. The following errors were enc
ountered:

The processing of Group Policy failed. Windows could not apply the
registry-based policy settings for the Group Policy object
LDAP://CN=Machine,cn={6ADA2CCE-5829-472C-BC68-1B2C2E5D},cn=policies,cn=system,DC=example,DC=com.
Group Policy settings will not be resolved until this event is
resolved. View the event details
for more information on the file name and path that caused the failure.

To diagnose the failure, review the event log or run GPRESULT /H
GPReport.html from
the command line to access information about Group Policy results.


Log Name:  System
Source:Microsoft-Windows-GroupPolicy
Date:  25/08/2017 10:32:42 AM
Event ID:  1096
Task Category: None
Level: Error
Keywords:
User:  SYSTEM
Computer:  GBOTLEY1.example.com
Description:
The processing of Group Policy failed. Windows could not apply the
registry-based policy settings for the Group Policy object
LDAP://CN=Machine,cn={6ADA2CCE-5829-472C-BC68-1B2C2E5D},cn=policies,cn=system,DC=example,DC=com.
Group Policy settings will not be resolved until this event is
resolved. View the event details for more information on the file name
and path that caused the failure.
Event Xml (element tags lost in the archive; the fields that survive):
  xmlns: http://schemas.microsoft.com/win/2004/08/events/event
  System:
    EventID 1096, Version 0, Level 2, Task 0, Opcode 1, Keywords 0x8000
    EventRecordID 858000
    Channel System
    Computer GBOTLEY1.example.com
  EventData (in order):
    2
    1254
    0
    9562
    5
    Access is denied.
    \\zAUDC02p.example.com
    LDAP://CN=Machine,cn={6ADA2CCE-5829-472C-BC68-1B2C2E5D},cn=policies,cn=system,DC=example,DC=com
    \\example.com\sysvol\example.com\Policies\{6ADA2CCE-5829-472C-BC68-1B2C2E5D}\Machine\registry.pol


On Thu, Aug 24, 2017 at 12:22 AM, Micheal Espinola Jr
<michealespin...@gmail.com> wrote:
> You should be able to raise the threshold of slow link detection to
> compensate.  If you dont allow ping to traverse, the link will always
> register as slow.
>
> --
> Espi
>
>
> On Wed, Aug 23, 2017 at 7:21 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>
>> That's interesting. So, if it detects a slow link the GPO "unapplies",
>> and the mapped drive stops working?
>>
>> I shall take a look at that.
>>
>> Kurt
>>
>> On Wed, Aug 23, 2017 at 3:57 PM, Joseph L. Casale
>> <jcas...@activenetwerx.com> wrote:
>> > Default behavior of slow link detection?
>> >
>> >> -Original Message-
>> >> From: listsad...@lists.myitforum.com
>> >> [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
>> >> Sent: Wednesday, August 23, 2017 4:47 PM
>> >> To: ntsysadm <NTSysADM@lists.myitforum.com>
>> >> Subject: [NTSysADM] Odd problem with GPO-mapped drives and SSL VPN
>> >>
>> >> I've got a user in the field out of our AU office.
>> >>
>> >> We have a SonicWall SSL VPN to which he connects.
>> >>
>> >> We map a drive for him to the DFS share (\\example.com\au\share) via
>> >> GPO, but it doesn't work well while he's in the field.
>> >>
>> >> While in the field, if he opens a command prompt, and does a 'gpupdate
>> >> /force', the drive mapping works for a while, then he says it
>> >> disconnects after about an hour or so.
>> >>
>> >> When he's in the office, it's solid.
>> >>
>> >> While in the field, if he maps another drive letter to \\machine\share
>> >> that works either in or out of the office.
>> >>
>> >> I've not seen anything in particular in the event logs that seems
>> >> relevant, but I'm going to look again when he's free.
>> >>
>> >> Has anyone seen behavior like this, and can point me in the general
>> >> direction of an answer?
>> >>
>> >> I understand that drive mappings via GPO over a VPN connection are
>> >> problematic, because the GPO is applied at login, and before VPN
>> >> connection is made, but the fact that it fails after a 'gpupdate
>> >> /force' is truly weird.
>> >>
>> >> Kurt
>> >>
>> >
>>
>>
>
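The suggestion above is to raise the slow-link threshold. Before touching it, a practitioner would want to see the threshold the client is actually using, the bandwidth estimate and fast/slow verdict it recorded on its last refresh, and whether the two paths the mapped drive depends on (the DFS share and the GPO's registry.pol in SYSVOL, the one that returned "Access is denied." in the output at the top of this message) are reachable over the VPN. The script below is an added example and not code from the thread; it assumes the paths and GPO GUID exactly as printed in the thread, and that it runs in an elevated PowerShell prompt on the affected client while the VPN is up. The threshold policy ("Configure Group Policy slow link detection") is stored as the GroupPolicyMinTransferRate value under the machine and user Policies keys, in kbps, with a default of 500 when not configured and 0 meaning detection is disabled. Note that on Windows Vista and later the bandwidth estimate comes from Network Location Awareness rather than from ICMP round trips, so check the estimate the client recorded before changing firewall rules. The event IDs filtered on (5314 for the fast/slow verdict, 5327 for the bandwidth estimate) are the link-detection events in the Group Policy operational log; if your build numbers them differently, filter on the log alone.

```powershell
# Added example (not from the thread): inspect Group Policy slow-link detection
# on a client and confirm the paths a GPO-mapped drive depends on.
# Assumptions: values below are the ones printed in the thread; adjust to taste.

$DfsShare = '\\example.com\au\share'                       # drive mapped via GPO
$Sysvol   = '\\example.com\sysvol\example.com\Policies'    # where registry.pol lives
$GpoGuid  = '{6ADA2CCE-5829-472C-BC68-1B2C2E5D}'           # GUID as printed in the thread

function Get-GpSlowLinkThreshold {
    # "Configure Group Policy slow link detection" writes GroupPolicyMinTransferRate
    # (DWORD, kbps). Computer policy reads HKLM, user policy reads HKCU.
    # Not configured = 500 kbps default; 0 = slow-link detection disabled.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "$hive`:\SOFTWARE\Policies\Microsoft\Windows\System"
        $val = (Get-ItemProperty -Path $key -Name GroupPolicyMinTransferRate `
                    -ErrorAction SilentlyContinue).GroupPolicyMinTransferRate
        [pscustomobject]@{
            Scope         = if ($hive -eq 'HKLM') { 'Computer' } else { 'User' }
            ThresholdKbps = if ($null -eq $val) { 500 } else { [int]$val }
            Source        = if ($null -eq $val) { 'default (not configured)' } else { $key }
            DetectionOff  = ($val -eq 0)
        }
    }
}

function Get-GpLinkDetectionEvents {
    param([int]$Last = 10)
    # The Group Policy operational log records, per refresh, the estimated
    # bandwidth (5327) and whether the link was judged fast or slow (5314).
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-GroupPolicy/Operational'
        Id      = 5314, 5327
    } -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

function Test-GpoPaths {
    # The drive map needs the DFS root; the GPO itself needs registry.pol in
    # SYSVOL. Get-Item throws on access denied, which Test-Path would hide.
    $registryPol = Join-Path $Sysvol "$GpoGuid\Machine\registry.pol"
    foreach ($p in @($DfsShare, $registryPol)) {
        $ok = $false; $err = $null
        try {
            $null = Get-Item -LiteralPath $p -ErrorAction Stop
            $ok = $true
        } catch {
            $err = $_.Exception.Message
        }
        [pscustomobject]@{ Path = $p; Reachable = $ok; Error = $err }
    }
}

'--- Slow-link threshold in effect ---'
Get-GpSlowLinkThreshold | Format-Table -AutoSize
'--- Recent link-detection events ---'
Get-GpLinkDetectionEvents | Format-Table -AutoSize -Wrap
'--- Path reachability over the VPN ---'
Test-GpoPaths | Format-Table -AutoSize
```

If the recorded estimate sits just under the threshold, raise the threshold through the GPO editor (Computer Configuration > Policies > Administrative Templates > System > Group Policy > Configure Group Policy slow link detection) rather than by editing the registry on one client; a local Set-ItemProperty on the same value is fine for a one-off test but will be overwritten on the next refresh. An "Access is denied" on registry.pol is a different problem from a slow link and points at the SYSVOL ACL or at the VPN user's token, not at the threshold.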




Re: [NTSysADM] Odd problem with GPO-mapped drives and SSL VPN

2017-08-23 Thread Kurt Buff
That's interesting. So, if it detects a slow link the GPO "unapplies",
and the mapped drive stops working?

I shall take a look at that.

Kurt

On Wed, Aug 23, 2017 at 3:57 PM, Joseph L. Casale
<jcas...@activenetwerx.com> wrote:
> Default behavior of slow link detection?
>
>> -Original Message-
>> From: listsad...@lists.myitforum.com
>> [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
>> Sent: Wednesday, August 23, 2017 4:47 PM
>> To: ntsysadm <NTSysADM@lists.myitforum.com>
>> Subject: [NTSysADM] Odd problem with GPO-mapped drives and SSL VPN
>>
>> I've got a user in the field out of our AU office.
>>
>> We have a SonicWall SSL VPN to which he connects.
>>
>> We map a drive for him to the DFS share (\\example.com\au\share) via
>> GPO, but it doesn't work well while he's in the field.
>>
>> While in the field, if he opens a command prompt, and does a 'gpupdate
>> /force', the drive mapping works for a while, then he says it
>> disconnects after about an hour or so.
>>
>> When he's in the office, it's solid.
>>
>> While in the field, if he maps another drive letter to \\machine\share
>> that works either in or out of the office.
>>
>> I've not seen anything in particular in the event logs that seems
>> relevant, but I'm going to look again when he's free.
>>
>> Has anyone seen behavior like this, and can point me in the general
>> direction of an answer?
>>
>> I understand that drive mappings via GPO over a VPN connection are
>> problematic, because the GPO is applied at login, and before VPN
>> connection is made, but the fact that it fails after a 'gpupdate
>> /force' is truly weird.
>>
>> Kurt
>>
>




[NTSysADM] Odd problem with GPO-mapped drives and SSL VPN

2017-08-23 Thread Kurt Buff
I've got a user in the field out of our AU office.

We have a SonicWall SSL VPN to which he connects.

We map a drive for him to the DFS share (\\example.com\au\share) via
GPO, but it doesn't work well while he's in the field.

While in the field, if he opens a command prompt, and does a 'gpupdate
/force', the drive mapping works for a while, then he says it
disconnects after about an hour or so.

When he's in the office, it's solid.

While in the field, if he maps another drive letter to \\machine\share
that works either in or out of the office.

I've not seen anything in particular in the event logs that seems
relevant, but I'm going to look again when he's free.

Has anyone seen behavior like this, and can point me in the general
direction of an answer?

I understand that drive mappings via GPO over a VPN connection are
problematic, because the GPO is applied at login, and before VPN
connection is made, but the fact that it fails after a 'gpupdate
/force' is truly weird.

Kurt




Re: [NTSysADM] A new task for me - setting up a SQL Server cluster on vSphere 6.0

2017-08-17 Thread Kurt Buff
Wouldn't never! Musta been someone else...

Kurt

On Thu, Aug 17, 2017 at 1:27 PM, Webster <webs...@carlwebster.com> wrote:

> You talking about me? [image: ]
>
>
>
> Thanks
>
>
>
>
>
> Carl Webster
>
> Citrix Technology Professional | iGel Tech Community Insider | Parallels
> VIPP
>
> http://www.CarlWebster.com
> <http://t.sidekickopen01.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJN7t5XYgdV8QRW2zWLDn4XrdjzW7fK3rs56dwxZf67wwsR02?t=http%3A%2F%2Fwww.carlwebster.com%2F=6012126861197312=4311b7b1-332d-4242-8585-36954b184dc7>
>
> The Accidental Citrix Admin
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Kurt Buff
> *Sent:* Thursday, August 17, 2017 3:00 PM
> *To:* ntsysadm <ntsysadm@lists.myitforum.com>
>
> *Subject:* Re: [NTSysADM] A new task for me - setting up a SQL Server
> cluster on vSphere 6.0
>
>
>
> Who was just on a list asking for help with VMware configuration? H?
>
> [image: 樂]
>
>
> Kurt
>
>
>
> On Thu, Aug 17, 2017 at 10:59 AM, Webster <webs...@carlwebster.com> wrote:
>
> Everyone has their faults. [image: ]
>
>
> Webster
>
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] On Behalf Of Michael B. Smith
> Sent: Thursday, August 17, 2017 12:52 PM
> To: ntsysadm@lists.myitforum.com
> Subject: RE: [NTSysADM] A new task for me - setting up a SQL Server
> cluster on vSphere 6.0
>
> Yes, it will work.
>
> I cannot say anything whatsoever about VMware. I'm a Hyper-V guy.
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] On Behalf Of Kurt Buff
> Sent: Thursday, August 17, 2017 1:18 PM
> To: ntsysadm
> Subject: Re: [NTSysADM] A new task for me - setting up a SQL Server
> cluster on vSphere 6.0
>
> Right. Server Datacenter. Knew that. Habit to type Enterprise.
>
> The rest is stuff I'm trying to figure out, since I haven't played around
> much with real SQL Server since the 2000 edition, and not even much with
> Express since then.
>
> We are planning a 2-node cluster, so it sounds like Windows Server
> 2016 Standard and SQL Server 2016 (2017?) Standard will do exactly what we
> want.
>
> We do have restrictions in our EA regarding the number of licenses for SQL
> Server (2), and we also want to reduce the clutter of old versions of SQL
> Standard and SQL Express scattered amongst our servers.
>
> I intend to deploy on our VMware cluster (vSphere 6.0 Standard, 6 nodes,
> backed by a Nimble SAN), unless testing indicates it's a bad fit.
>
> Kurt
>
> On Thu, Aug 17, 2017 at 8:53 AM, Michael B. Smith <mich...@smithcons.com>
> wrote:
> > I think y’all are confusing yourselves. Words mean things.
> >
> >
> >
> > For the purposes of this discussion, there is no such thing as
> > “Windows Server Enterprise”.
> >
> >
> >
> > The editions are Windows Server Standard and Windows Server Datacenter.
> > Since Windows Server 2012, both Standard and Datacenter include
> > Windows Failover Clustering (WFC). (So does Nano Server in Windows
> > Server 2016, but I digress.)
> >
> >
> >
> > There ARE features that a SQL installation may want to use, such as
> > SOFS (Scale-Out File Servers), that may require Windows Server
> > Datacenter; but WFC itself does not require Datacenter.
> >
> >
> >
> > SQL Server also comes in two editions, for the purposes of this
> discussion.
> > They are Standard and Enterprise.
> >
> >
> >
> > SQL Server Standard supports WFC for EXACTLY two nodes (this is also
> > called SQL Server Always On Failover Clustering). No more nodes than
> > two. SQL Server Standard does NOT support Always On Availability Groups.
> >
> >
> >
> > SQL Server Enterprise supports WFC for the operating system maximum
> > number of nodes. SQL Server Enterprise supports Always On Availability
> Groups.
> >
> >
> >
> > Define the deployment plan FIRST, then you can determine the necessary
> > software. Alternately, the licenses you have may restrict your
> > deployment plan.
> >
> >
> >
> > Regards,
> >
> > Michael B.
> >
> >
> >
> > From: listsad...@lists.myitforum.com
> > [mailto:listsad...@lists.myitforum.com]
> > On Behalf Of D R
> > Sent: Thursday, August 17, 2017 11:00 AM
> >
> >
> > To: ntsysadm@lists.myitforum.com
> > Subject: Re: [NTSysADM] A new task for me - setting up a SQL Server

Re: [NTSysADM] A new task for me - setting up a SQL Server cluster on vSphere 6.0

2017-08-17 Thread Kurt Buff
Someone ought to hire whoever wrote that article - it's very nice.

Kurt

On Thu, Aug 17, 2017 at 1:27 PM, Webster <webs...@carlwebster.com> wrote:

> http://carlwebster.com/implementing-microsoft-sql-
> server-2016-standard-basic-availability-groups-use-
> citrix-xenapp-xendesktop-7-9/
>
>
>
> Someone wrote an article on that very topic.
>
>
>
> Thanks
>
>
>
>
>
> Carl Webster
>
> Citrix Technology Professional | iGel Tech Community Insider | Parallels
> VIPP
>
> http://www.CarlWebster.com
> <http://t.sidekickopen01.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJN7t5XYgdV8QRW2zWLDn4XrdjzW7fK3rs56dwxZf67wwsR02?t=http%3A%2F%2Fwww.carlwebster.com%2F=6012126861197312=4311b7b1-332d-4242-8585-36954b184dc7>
>
> The Accidental Citrix Admin
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Kurt Buff
> *Sent:* Thursday, August 17, 2017 3:18 PM
> *To:* ntsysadm <ntsysadm@lists.myitforum.com>
>
> *Subject:* Re: [NTSysADM] A new task for me - setting up a SQL Server
> cluster on vSphere 6.0
>
>
>
> The link you provided is helpful - thanks.
>
> According to our EA summary, I have an effective quantity of 4 x SQL
> Server Standard Core 2016 licenses, with an unresolved quantity of 20 and
> an SA quantity of 16, though I'm not entirely sure what all that means.
>
> Kurt
>
>
>
> On Thu, Aug 17, 2017 at 11:17 AM, Nathan Shelby <ntshe...@gmail.com>
> wrote:
>
> "Server Standard does NOT support Always On Availability Groups"
>
> Sort of? As of SQL 2016, It supports Basic Availability Groups which are
> AGs with limitations, they are managed the same way as a standard AG. They
> don't scale particularly well but they avoid the pitfalls of a WSFC SQL
> implementation where you wait for the resource to come back up with a node
> failure.  (differences here: https://docs.microsoft.com/en-
> us/sql/database-engine/availability-groups/windows/
> basic-availability-groups-always-on-availability-groups).
>
> Another thing that Kurt should be aware of is the licensing model for SQL
> 2016 Virtual Machines. With the consolidation mentioned are you planning to
> license the cluster as SQL Server Standard Core (depending on size this may
> make the most sense) or SQL Server Standard and SQL Client CALs? If you're
> running SQL Standard Core a VM requires running a minimum of 4 core
> licenses (2x 2 core packs, which is how SQL Core licensing is sold).  I
> assume with a 6 node cluster you'll be covering the license with Software
> Assurance to take advantage of License Mobility so you can move the VM
> between hosts more than once per 90 day period.
>
>
>
>
> Nathan Shelby
> ntshe...@gmail.com
> 425-205-9047 <(425)%20205-9047>
>
>
>
> On Thu, Aug 17, 2017 at 10:52 AM, Michael B. Smith <mich...@smithcons.com>
> wrote:
>
> Yes, it will work.
>
> I cannot say anything whatsoever about VMware. I'm a Hyper-V guy.
>
> -Original Message-
> From: listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] On Behalf Of Kurt Buff
> Sent: Thursday, August 17, 2017 1:18 PM
> To: ntsysadm
>
> Subject: Re: [NTSysADM] A new task for me - setting up a SQL Server
> cluster on vSphere 6.0
>
> Right. Server Datacenter. Knew that. Habit to type Enterprise.
>
> The rest is stuff I'm trying to figure out, since I haven't played around
> much with real SQL Server since the 2000 edition, and not even much with
> Express since then.
>
> We are planning a 2-node cluster, so it sounds like Windows Server
> 2016 Standard and SQL Server 2016 (2017?) Standard will do exactly what we
> want.
>
> We do have restrictions in our EA regarding the number of licenses for SQL
> Server (2), and we also want to reduce the clutter of old versions of SQL
> Standard and SQL Express scattered amongst our servers.
>
> I intend to deploy on our VMware cluster (vSphere 6.0 Standard, 6 nodes,
> backed by a Nimble SAN), unless testing indicates it's a bad fit.
>
> Kurt
>
> On Thu, Aug 17, 2017 at 8:53 AM, Michael B. Smith <mich...@smithcons.com>
> wrote:
> > I think y’all are confusing yourselves. Words mean things.
> >
> >
> >
> > For the purposes of this discussion, there is no such thing as
> > “Windows Server Enterprise”.
> >
> >
> >
> > The editions are Windows Server Standard and Windows Server Datacenter.
> > Since Windows Server 2012, both Standard and Datacenter include
> > Windows Failover Clustering (WFC). (So does Nano Server in Windows
> > Server 2016, but I digress.)
> >
> >
> >
> > There ARE fea
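The two explanations quoted above (Michael B. Smith on which editions carry Windows Failover Clustering and how many nodes SQL Standard will cluster, Nathan Shelby on Basic Availability Groups being the only AG flavour SQL 2016 Standard supports) boil down to constraints that can be checked on the box before anyone signs off on the plan. The script below is an added example, not code from the thread or from the linked article. It assumes a Windows Server 2016 node with the FailoverClusters, ServerManager and SqlServer PowerShell modules available, and the instance name is a placeholder; it reads the edition and HADR state from SERVERPROPERTY, the AG shape from sys.availability_groups (the basic_features column exists from SQL Server 2016), and the node count from the cluster itself. The 64-node figure is the Windows Server cluster maximum that SQL Enterprise inherits.

```powershell
# Added example (not from the thread): pre-flight check for the plan discussed
# above, a 2-node Windows Server 2016 Standard WSFC running SQL Server 2016
# Standard. Encodes the constraints stated in the thread: WSFC ships in both
# Standard and Datacenter; SQL Standard clusters on exactly two nodes and, from
# 2016, supports only Basic Availability Groups; Enterprise lifts both limits.

$SqlInstance = 'SQLCLUS01'   # assumption: the clustered instance's network name

function Test-OsSupportsWsfc {
    # Standard and Datacenter both carry the feature since 2012; what matters
    # in practice is whether it is actually installed on this node.
    $os      = (Get-CimInstance Win32_OperatingSystem).Caption
    $feature = Get-WindowsFeature -Name Failover-Clustering
    [pscustomobject]@{
        Check  = 'OS edition ships WSFC and feature is installed'
        Pass   = ($os -match 'Standard|Datacenter') -and $feature.Installed
        Detail = "$os; Failover-Clustering installed=$($feature.Installed)"
    }
}

function Test-NodeCountForEdition {
    param([string]$SqlEdition, [int]$NodeCount)
    # SQL Standard: failover cluster instance limited to two nodes.
    # SQL Enterprise: the operating system maximum (64 on Windows Server 2012+).
    $limit = if ($SqlEdition -match 'Enterprise') { 64 } else { 2 }
    [pscustomobject]@{
        Check  = "Cluster node count within $SqlEdition limit ($limit)"
        Pass   = ($NodeCount -ge 1) -and ($NodeCount -le $limit)
        Detail = "$NodeCount node(s)"
    }
}

function Test-AgShapeForEdition {
    param([string]$SqlEdition, [object[]]$AvailabilityGroups)
    # SQL 2016 Standard allows only Basic AGs (basic_features = 1); a full AG
    # on Standard will not be allowed by the engine, but catching it in the
    # plan is cheaper than catching it at CREATE AVAILABILITY GROUP time.
    $nonBasic = @($AvailabilityGroups | Where-Object { -not $_.basic_features })
    $pass = ($SqlEdition -match 'Enterprise') -or ($nonBasic.Count -eq 0)
    [pscustomobject]@{
        Check  = 'Availability groups match edition'
        Pass   = $pass
        Detail = "$(@($AvailabilityGroups).Count) AG(s), $($nonBasic.Count) non-basic"
    }
}

function Invoke-SqlClusterPreflight {
    $props = Invoke-Sqlcmd -ServerInstance $SqlInstance -Query @"
SELECT CAST(SERVERPROPERTY('Edition')       AS nvarchar(128)) AS Edition,
       CAST(SERVERPROPERTY('IsClustered')   AS int)           AS IsClustered,
       CAST(SERVERPROPERTY('IsHadrEnabled') AS int)           AS IsHadrEnabled;
"@
    $ags = @(Invoke-Sqlcmd -ServerInstance $SqlInstance `
                -Query 'SELECT name, basic_features FROM sys.availability_groups;')
    $nodes = @(Get-ClusterNode -ErrorAction Stop)

    Test-OsSupportsWsfc
    Test-NodeCountForEdition -SqlEdition $props.Edition -NodeCount $nodes.Count
    Test-AgShapeForEdition   -SqlEdition $props.Edition -AvailabilityGroups $ags
    [pscustomobject]@{
        Check  = 'Instance is clustered (FCI) or HADR-enabled (AG)'
        Pass   = ([int]$props.IsClustered -eq 1) -or ([int]$props.IsHadrEnabled -eq 1)
        Detail = "Edition=$($props.Edition); IsClustered=$($props.IsClustered); IsHadrEnabled=$($props.IsHadrEnabled)"
    }
}

Invoke-SqlClusterPreflight | Format-Table -AutoSize -Wrap
```

Run it once the cluster and instance exist; every row should read Pass=True for the two-node Standard design in the thread. The checks are deliberately edition-driven rather than hard-coded to "2 nodes, basic AG" so the same script still gives the right answer if the EA later moves the instance to Enterprise. Licensing (the four-core minimum per VM and Software Assurance for License Mobility) is not something the engine exposes, so it stays a paperwork check.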
