|
Sacred Cow posted:Configuration Baseline in SCCM 2012 has remediation now. I can't vouch for how dependable it is since I've never used it outside of the lab in my training class but the option is there now. It's very dependable. I really don't have any issues with it anymore.
|
#
?
Jun 29, 2013 15:08
|
|
|
|
| # ? Apr 28, 2024 00:20 |
|
|
Is there a way to set a TCP/IP filter or something in Windows that will change the TOS tag on packets for a certain port (say, telnet)? The Windows telnet.exe doesn't seem to have the -S option that sets the TOS like the Linux client does. http://blogs.msdn.com/b/wndp/archive/2007/10/09/introduction-to-windows-qos-traffic-control.aspx
|
|
#
?
Jul 1, 2013 20:27
|
|
|
.
incoherent fucked around with this message at 21:11 on Jul 1, 2013 |
|
#
?
Jul 1, 2013 21:05
|
|
|
We currently use ScriptLogic's Desktop Authority to push out AD printers and drive mappings to users based on OU. In the past couple years or so, the printer stage of the process can take 5-10 minutes the first time a user logs in (and that's using an Ethernet connection, it's worse on wifi). I thought it might be DA causing the issue, so I have been doing some testing with Group Policy Preferences to replace DA, but the printer issue seems to remain, I'm just staring at a Welcome screen rather than a script box. I've also tried injecting the printer drivers into the images that are rolled out using MDT, but it doesn't help. It isn't a big deal on machines used by one user, but we have loaner laptops and kiosk machines that multiple people log into, and it is painful for them. Any ideas on what slows this process down and what I can test? Our print server is a 2008 R2 box.
|
|
#
?
Jul 2, 2013 16:22
|
|
|
incoherent posted:It looks like A VSS writer has poo poo the bed on my R2 install, and it seems microsoft has no way of fixing it. Symantec has done all they could and pointed me a the direction of microsoft. Have you just uninstalled whatever Symantec product is on there? We have multiple VSS writers on some servers (Compellent snapshots and Backup Exec) and I can't tell you how many times VSS has died until the BE agent gets nuked and reinstalled.
|
|
#
?
Jul 2, 2013 17:34
|
|
|
Is there a way to rename DHCP reservations without using the GUI? I see netsh commands to change the name or description on a scope, but there's nothing about individual reservations other than showing, adding, and deleting that I have been able to pull up. edit: I would prefer to avoid having to delete and recreate the reservations if possible, and since it can be done on a live reservation in the GUI, presumably there's a command line option somewhere.
|
|
#
?
Jul 2, 2013 21:00
|
|
|
AreWeDrunkYet posted:Is there a way to rename DHCP reservations without using the GUI? I see netsh commands to change the name or description on a scope, but there's nothing about individual reservations other than showing, adding, and deleting that I have been able to pull up. code:
|
|
#
?
Jul 3, 2013 15:56
|
|
|
GPF posted:You're going to have to delete then recreate if you're doing it commandline. Here's how I do it in PowerShell: Yup, usually do exactly that to add reservations - I was just hoping there was a way to specifically modify those fields to avoid any disruption if something goes wrong. I guess this is just a rare case of something that can be done from the GUI, but not command line. By the way, if you are using that script to remove then add back a reservation, it wouldn't hurt to put the reservation IP on the exclusion list before deletion, then remove it from the exclusion list once the new reservation is up.
|
|
#
?
Jul 3, 2013 18:44
|
|
|
AreWeDrunkYet posted:Yup, usually do exactly that to add reservations - I was just hoping there was a way to specifically modify those fields to avoid any disruption if something goes wrong. I guess this is just a rare case of something that can be done from the GUI, but not command line.
|
|
#
?
Jul 3, 2013 23:55
|
|
|
There doesn't seem to be a backup thread or a baby enterprise (SMB) thread so I'll ask here. Does anyone have any experience thoughts on any cloud backup solutions for 6 windows servers (with Exchange, SQL, Sharepoint, and lots of poorly organized files) which total about 600-1000 GB of data? Currently we use backup exec to NAS then from NAS to Portable hard drive. I'm not really up on the cloud solutions, but my ideal would be something that went offsite and to a local NAS that was managed by whoever ran it because even dealing with our local contract IT team about backup exec tries my patience. I'm looking at eVault which seems kind of nice, perhaps with their recovery site option as well, along with an onsite appliance version of the system. I'd really like to not renew my backup exec license because I hate it with a passion, but I'm also open to other suggestions and am looking at biting the bullet and buying a single LTO-5 drive and popping it in an old server to store backups on.
|
|
#
?
Jul 5, 2013 00:48
|
|
|
We have a small 2 machine terminal server farm load balanced using NLB. The RDP Session Broker is running on a 3rd machine that is not part of the farm. The users connect and run a single application in either full desktop mode, or RemoteApp mode. The problem we are having is that occasionally while using remote deskop a user will randomly receive a error message stating "Your session has been ended by a system administrator". However no one actually ended their session... Even stranger when I look at the logs, the logoff event looks like a standard user initiated log off. No mention of the session being ended by a admin. I know its not user error as I have had it happen to me while logged into our app. Edit: Servers are all 2008 R2. Clients are split between Win 7 and XP. All using the latest RDP client available. stevewm fucked around with this message at 14:44 on Jul 5, 2013 |
|
#
?
Jul 5, 2013 14:38
|
|
|
Are you auditing active directory? Anything unusual in there, for example, kerbrose/time issues?
|
|
#
?
Jul 5, 2013 18:21
|
|
|
incoherent posted:Are you auditing active directory? Anything unusual in there, for example, kerbrose/time issues? The only auditing enabled is the default setup. The only thing I see there are the normal logon/logoff/directory access messages when one of these events occur.
|
|
#
?
Jul 5, 2013 19:44
|
|
|
Do the user accounts have logon hours defined in AD Users and Computers? Do you have any applications which might boot users out, like anti-malware or other maintenance tools? Do the "your session has been ended" messages manifest at the same time as other events, like other users logging in? Or admins logging in to the machines locally?
|
|
#
?
Jul 5, 2013 22:41
|
|
|
Sounder posted:Do the user accounts have logon hours defined in AD Users and Computers? 1. Logon hours are at default settings. 2. Nope. 3. So far I have not seen anything that occurs at the same time. It appears completely random. And there are only 2 admins and none of those are logging in. I have been combing through all terminal services settings and GPOs trying to see if something is mis-configured, haven't found anything. When this happens on the server side it looks just like a user initiated log off. However the "your session has been ended" dialog that appears on the users side comes from the remote desktop client. I am beginning to wonder if some sort of network issue might be interrupting the connection and the RDP client is showing that dialog, but why would it log off on the server side?!?
|
|
#
?
Jul 8, 2013 14:06
|
|
|
Okay, it's taken me a while to read through this thread and thankfully I'm seeing some that are using MDT, so I'm hoping they can help me some some stuff I'm having issues with. I really hate to ask, but I've Googled around and looking in quite a few PDF's on MDT and can't seem to find answers on these. Is there a way to set the Size of the event logs when deploying XP? Default is 512KB, which, with our crappy Single Sign-on program, fills up rather quickly. I've taken to set them to 2MB and to overwrite as needed. I've yet to find a way to deploy XP with these settings. Is there a way to go through the deployment other than using the built in administrator account? Like, can it create a new local admin and then use that for the deployment? I ask because, the AD team has a policy to rename the local administrator account. So, once the computer is joined to the domain, I then have to manually log on to the system each time it reboots during the deployment. There doesn't seem to be a way to block this policy as they've set it to be enforced. The reason I need/want the systems to be joined to the domain while being deployed is that is the only way for them to update. They've completely blocked access to Windows updates, so we must use WSUS. ***edit*** I guess I can tack this on as well. I thought I would be able to easily add this as a package, as I thought that those were for MS updates and whatnot. Nevermind this part. I'm an idiot. I just noticed the drat checkbox to hide applications from deployment wizard. 
TWBalls fucked around with this message at 21:27 on Jul 8, 2013 |
|
#
?
Jul 8, 2013 20:03
|
|
|
Event Collecting might solve your log size issue, and it's pretty handy to have all your events on the server. It's a bit fiddly to get them to display properly if the same components aren't on the server, but possible.
|
|
#
?
Jul 9, 2013 12:10
|
|
|
Guess this is the right thread to post this... I am finally getting some sort of an upgrade budget, and I am trying to figure out where we can do better. So I am wondering how others would handle the situation, and I am looking for critique of our current setup. My company has multiple sites (currently 7, expanding to 8 soon), each site has a small amount of terminals/users (15-20 per site). Currently each site has a single Windows 2003 R2 domain controller also providing file sharing/DHCP/DNS/WSUS services and also running the backups for its respective location. The corp. office is the same, but running Windows 2008 instead, it is also the primary DC. All sites are connected to the corp. office in a hub/spoke VPN setup. With the corp. office being the hub. There are also some additional Windows 2008 R2 servers at the corp. office that serve out our main EDI/POS app over terminal services. In the past none of the sites had access to a decent internet connection which is why each one has its own local File/DHCP/DNS/WSUS server. While things have improved over the years, 5 of the sites are still on 2-4Mbps/768kbps DSL connections with no improvement in sight (US broadband   ).
|
|
#
?
Jul 9, 2013 17:22
|
|
|
I use PDQ tools to inventory and deploy out to systems. It's a kick rear end set of tools for networks too big for touching every computer and too small to warrant SCCM. PDQ deploy is really great for pushing out Java,Flash,Reader updates. You can even nest the updates so they all get pushed out at once. Also good for pushing most any program or shortcuts that wouldn't make sense to deploy via GPO. PDQ inventory is nice for listing what systems you have, service tags, and what software is installed. http://www.adminarsenal.com/home
|
|
#
?
Jul 11, 2013 07:20
|
|
|
I use PDQ once a day in my 150 user shop. It's just useful.
|
|
#
?
Jul 11, 2013 12:44
|
|
|
Is there a better way to import a certificate to a user's personal store than a batch file upon login to call certutil? I'm not seeing anywhere in group policy for users, only machine level and unfortunately it has to be in the personal store on a per-user basis.
|
|
#
?
Jul 11, 2013 16:22
|
|
|
mysteryberto posted:I use PDQ tools to inventory and deploy out to systems. It's a kick rear end set of tools for networks too big for touching every computer and too small to warrant SCCM. Since our purchasing departments are pricks that only allow certain vendors, we had to have CDW contact them about purchasing the software, as CDW doesn't offer it on their site. It's been 2mos since we submitted the order to our CDW rep and we still haven't gotten our software/keys. So, hopefully others have better purchasing departments. Otherwise, CDW will do it for you. They'll just take loving forever to do it. Can't wait to get it though. I've heard nothing but good things about it.
|
|
#
?
Jul 11, 2013 16:46
|
|
|
I have a certificate question. The cert we use for our wireless authentication will be expiring soon. We would like to renew the cert with the same key. Here is what I tried, and hopefully this is correct. I go to the server that is listed as the subject. Find the cert, and renew with same key. However, Im getting a message stating that the Wizard cannot be started because of one or more of the following conditions: There are no trusted CA available You do not have permissions to request from the available CAs The available CAs issue cert for which you do not have permissions I have full domain admin rights. I can see the cert on the CA, but it seems like I cannot request a renewal from the CA server. Im kind of at a loss on what to look into next. Edit: found my answer. The cert was created under a different user account. It renewed successfully. Drumstick fucked around with this message at 17:07 on Jul 15, 2013 |
|
#
?
Jul 11, 2013 18:00
|
|
|
Question for any fellow app packagers. Does anyone deploy third party windows installer patches (.msp) these days? I've worked for a few different companies now and most places seem generally happy enough to just roll an updated version of the app, usually just an MSI with appropriate upgrade codes etc. Was having a discussion with a project manager who believes all his third party patch management issues are going to disappear as soon as SCCM goes in. I tried to explain that it's not that simple and that you're probably still going to need packagers to manage the update and overall application lifecycle process, at the very least to ensure the original MSIs are up to date for new builds etc.
|
|
#
?
Jul 28, 2013 02:28
|
|
|
Spyderizer posted:Question for any fellow app packagers. Does anyone deploy third party windows installer patches (.msp) these days? I've worked for a few different companies now and most places seem generally happy enough to just roll an updated version of the app, usually just an MSI with appropriate upgrade codes etc. Adobe Acrobat updates are released as MSP patches and I deploy them.
|
|
#
?
Jul 28, 2013 02:39
|
|
|
Spyderizer posted:Question for any fellow app packagers. Does anyone deploy third party windows installer patches (.msp) these days? I've worked for a few different companies now and most places seem generally happy enough to just roll an updated version of the app, usually just an MSI with appropriate upgrade codes etc. Its not quite as simple as installing SCCM and clicking "update". You'll also want to use it in conjunction with System Center Update Publisher (SCUP) and 3rd party update packagers like Shavlik's SCUPdate feed. Adobe provides a SCUP feed for Reader and Flash for free but once you start getting into more 3rd party products like Java, FireFox Chrome, Adobe Air and so on, you'll need to create those deployment/update packages yourself. Trust me, it'll start to get old really really fast once Java or Air has 3 emergency releases in one month for security flaws. If you're in a strict locked down environment where you only have known baseline software it'll be easier to manage then the user free-for-all I currently work in.
|
|
#
?
Jul 28, 2013 19:19
|
|
|
How do people handle granting temporary local admin for people like developers and such who occasionally need to install software for their job, but don't need admin all the time? We're looking to get away from "approved ticket comes in, grant access, add reminder on calendar a week later to remove." Ideally it would be a "set once and it goes away" type of thing. We've kicked around a couple of ideas, but nothing has stood out as being a good solution.
|
|
#
?
Jul 29, 2013 15:31
|
|
|
devmd01 posted:How do people handle granting temporary local admin for people like developers and such who occasionally need to install software for their job, but don't need admin all the time? Create a new account with local admin privileges specific to that machine and give it an expiration date. If a user needs local admin, they can generally figure out Run as... VVV Yeah, it's really not a great idea to give them local admin for a little while, the damage can be done quickly. Either they're authorized and they should have it all the time (still good to do it on a separate account), or you should be installing for them. But if your company's policy is temporary local admin, an expiring account should be sufficiently fire and forget VVV AreWeDrunkYet fucked around with this message at 19:56 on Jul 29, 2013 |
|
#
?
Jul 29, 2013 15:39
|
|
|
Add their AD account to the local administrator group and have the user log off/on if they're already logged on. You can remove the account from the group at any time and they'll retain admin until they log out. At least that's been my experience, but I've always just done the install myself rather than grant temporary admin.
|
|
#
?
Jul 29, 2013 16:05
|
|
|
Just looking to get some opinions. We're upgrading from AD 2003 to 2008R2 over the next couple of months and our Microsoft PFE is recommending a larger change window, and demoting old 2003DC first, then bringing up the 2008 DC. I personally feel more comfortable bringing up DC2 in each location, getting everything setup and migrated like any shared printers, RADIUS settings and DHCP scopes, then doing a faster cutover by removing DC1 and then renaming DC2 to DC1 and swapping IP addresses. I know it's not as clean, but I haven't ran into issues with it before. Assuming I wait for full replication between demoting DC1 and renaming DC2 to DC1 there shouldn't be any issues at all. In case anyone is wondering 2008R2 is a temporary step until 2012R2 early next year. We have some dependencies in our environment we can't get rid of until late this year preventing us from going to 2012 right now.
|
|
#
?
Jul 30, 2013 18:27
|
|
|
skipdogg posted:Just looking to get some opinions.
|
|
#
?
Jul 30, 2013 18:52
|
|
|
Ummm yeah. There's no issue at all renaming domain controllers. Maybe back in NT4 or 2K land, but since 2003 it's pretty much been a non issue.
|
|
#
?
Jul 30, 2013 19:06
|
|
|
Don't rename them, nexxai is correct. Certificate services, Sysvol replication, DFS, and Exchange are all reasons to not do that. Your plan is basically the rear end-backwards way of upgrading, NT4 or 2008 R2 does not matter. The correct way: - Install 2008 R2 Machines - Promote to Domain Controllers, allow replication, check replication in AD Sites and Services, verify. - Transfer FSMO roles to whichever new 2008 R2 domain controller is your main one - Transfer DHCP/whatever else/apps - DCPromo to demote 2003 machines - Remove 2003 machines from Domain Swapping IP addresses and renaming is sure way to gently caress your AD meta data up. Speaking from experience and from having to fix such messes over the past 10+ years or so.
|
|
#
?
Jul 30, 2013 20:29
|
|
|
I have an odd issue. I have a program that about 3000 other people worldwide use. It uses python and whatnot in the background. Recently it was flagged as having a virus. I flagged it as a false positive and the antivirus vendor finally called back today and said it was infected. I have had 3 different antivirus programs since 2004. I loaded an old backup and it is also being flagged back to 2004 now. This has to be a false positive right? I have had the same antivirus (ESET) for 3 years now and it FINALLY picked up this as a virus. It didnt pick it up before, now it flags it and my old backups that i mounted. Kaspersky and Symantec do not pick it up as a virus. Is there somewhere i can submit a few of the flagged files and see if it really is infected? Edit: I should note that the virus did not exist until 2008, so having an infection back in 2004 seems unlikely.
|
|
#
?
Jul 31, 2013 00:30
|
|
|
I tend to throw files up to https://www.virustotal.com/en/ when I don't trust local antivirus, especially when it comes to code that we're checking out of Perforce from years ago - sometimes the binaries have signatures that set off Sophos, so I drop them up there just to be sure. We pretty much know already that they aren't infected, as we wrote the source and can reproduce with a recompile, but it's occasionally a fun exercise.
|
|
#
?
Jul 31, 2013 00:35
|
|
|
Oh boy, we're taking email and office ~to the cloud~ and going office365 across the enterprise. What are some major tips/tricks/suggestions we should consider in our implementation? I won't be doing the back-end work, more on the client configuration side but any tips are welcome.
|
|
#
?
Jul 31, 2013 22:07
|
|
|
devmd01 posted:Oh boy, we're taking email and office ~to the cloud~ and going office365 across the enterprise. The school I work for recently switched over to Office 365 to handle Exchange and it's been a dream to never have to deal with a locally hosted Exchange server again. One thing I keep running in to is every couple of months something will change on the O365 backend and I'll have to nuke all the Outlook certificates in Windows' Credential Manager for anyone having problems. I haven't been able to track down the exact cause yet but if you get clients who are having to enter their credentials constantly, that's been the fix.
|
|
#
?
Jul 31, 2013 22:31
|
|
|
devmd01 posted:Oh boy, we're taking email and office ~to the cloud~ and going office365 across the enterprise. Whats your environment like? We run O365 with 3300 users or so. Depending on your deployment scenario things can be really easy to somewhat easy. System Center or some other deployement tool makes quick work of the sign in client and Lync. Getting data from prem to cloud can kind of suck, but sounds like you get to avoid this.
|
|
#
?
Jul 31, 2013 22:40
|
|
|
Currently a single on-premise exchange server, about 350 outlook clients or so, the rest (about another 1500) use OWA. Mobile email all goes through activesync/owa via a couple of front-end servers. The OWA users typically use a generic login for active directory then their own personal login for email. I'm the Symantec Management Platform administrator, so any automation/software deployment/scripting will be a piece of cake. We currently limit everyone to a 100MB inbox, so data migration on that will be easy. My guess is that we won't give a poo poo about local PSTs people have unless they're VP or up.
|
|
#
?
Aug 1, 2013 01:09
|
|
|
|
| # ? Apr 28, 2024 00:20 |
|
|
KMS is breaking me. We have a Server 2003 box hosting KMS 1.2. It has a Windows 7 KMS installed and activated. Our Windows 7 clients are activating without intervention so everything appears to be working, but according to Microsoft I should be using a Server 2003 KMS key. I have no idea if these exist, and I certainly don't have one listed in my spreadsheet of keys. Are we heading towards ruin by using a Win7 key on a 2003 host, or should I just leave it since it seems to be working?
|
|
#
?
Aug 1, 2013 17:46
|
|