milk milk lemonade
Jul 29, 2016
That's why I asked what specifically he was talking about. I'm not sure if you're answering the question he's asking.

I've also never had to think about adding more than 2 DNS servers to an interface, because I'd be setting them up in order in my scope options in DHCP. Even if an environment ostensibly doesn't require DHCP I still use it and utilize reservations because who the hell is just statically assigning IPs and doing manual DNS edits in 2016.


GPF
Jul 20, 2000

Kidney Buddies
Oven Wrangler

Fudge posted:

That's why I asked what specifically he was talking about. I'm not sure if you're answering the question he's asking.

I've also never had to think about adding more than 2 DNS servers to an interface, because I'd be setting them up in order in my scope options in DHCP. Even if an environment ostensibly doesn't require DHCP I still use it and utilize reservations because who the hell is just statically assigning IPs and doing manual DNS edits in 2016.

Well, here's the original question:

lol internet. posted:

Quick question about DCs & Sites and Services

Normally in one site DC1 and DC2 you set the DNS IP configuration to point at each other.

If another site is created with DC 3 and DC4, do I continue to set DNS servers to point at each other? Or should they point back to at least DC1 or DC 2?


And... this leads me to my other questions about sites and services. Is there really any reason to set up Sites and Services between two sites aside from good practice? It's a 100Mb link between the sites and there won't be too much data.

You can find lots of references that say you need more than one DC and good reasons for that. You can also find lots of references about how to set up the DNS IPs for those DCs, but I've rarely come across a good reason written in those refs. Most explanations I see essentially treat it as "This is what you do for reasons so do it". Notice his second sentence, "Normally...". This would only be true if the DCs were also DNS servers, but depending on your setup and traffic patterns and site setup and bandwidth and other things, you may not set up a DC as a DNS server. You might not even set it up as a Global Catalog server. And, the DC must point to writable DNS servers so it can update the SRV records for its information in the zone.

So, with that being said, and the facts about how a Windows system does its DNS queries, I did answer his question. If they're all running DNS, and the domain they control has a zone in DNS that is AD Integrated, then have the first IP point to itself, then all the others. Use reservations in DHCP or type them in statically...doesn't matter, and their order after the first one doesn't matter either.

Which reminds me about the second part of the question. A site is considered to be two things by MS: High bandwidth/low latency connections, and subnets in that setup. 100Mb connection between the two sets of DCs? That's high bandwidth and probably low latency. Might even be the same subnet depending on how things are hooked up. So, unless he has real solid reasons to build sites, attach subnet objects to those sites, and place those DCs into the site objects so AD understands these two locations are not local to each other, then it's not worth adding the complexity and enforced delay of AD updates.

GPF fucked around with this message at 20:32 on Sep 23, 2016
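An added example, not code from the thread: a PowerShell audit of the "first DNS entry points at itself, then the other DCs" rule from GPF's post, plus a check that each DC has actually registered its locator SRV record. It assumes the ActiveDirectory and DnsClient RSAT modules and WinRM access to each DC; every identifier in it is an assumption, not something from the thread.

```powershell
# Added example, not from the thread: audit every DC's DNS client order against the rule in
# GPF's post (self first, then the other DCs) and confirm each DC has registered its
# _ldap._tcp.dc._msdcs SRV record. Assumes the ActiveDirectory and DnsClient RSAT modules
# and WinRM access to each DC; all identifiers here are assumptions, not from the thread.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$dcs    = Get-ADDomainController -Filter *     # every DC in the current domain
$dcIPs  = @($dcs.IPv4Address)                  # addresses a DC may legitimately resolve through

$report = foreach ($dc in $dcs) {
    # DNS servers of the DC's first IPv4 interface that has any configured, in lookup order
    $servers = @(Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses.Count -gt 0 } |
            Select-Object -First 1 -ExpandProperty ServerAddresses
    })
    $first = $servers | Select-Object -First 1
    # "Self" is the DC's own address or loopback (127.0.0.1)
    $selfFirst = ($first -eq $dc.IPv4Address) -or ($first -eq '127.0.0.1')
    # Anything outside the DC set may be a resolver that cannot take the DC's SRV updates
    $strangers = $servers | Where-Object { ($_ -notin $dcIPs) -and ($_ -ne '127.0.0.1') }

    [pscustomobject]@{
        DC           = $dc.HostName
        Site         = $dc.Site
        DnsOrder     = ($servers -join ', ')
        SelfFirst    = $selfFirst
        NonDcEntries = ($strangers -join ', ')
    }
}
$report | Format-Table -AutoSize

# DC locator records: a DC whose primary resolver is read-only, or is not a DNS server at all,
# cannot register itself and shows up here as a missing SRV target.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue
foreach ($dc in $dcs) {
    if (-not ($srv | Where-Object { $_.NameTarget -ieq $dc.HostName })) {
        Write-Warning "$($dc.HostName) has no _ldap._tcp.dc._msdcs SRV record in $domain"
    }
}
```

A DC listed with SelfFirst false or with NonDcEntries populated is worth a second look before assuming replication or SRV problems are network-related.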

milk milk lemonade
Jul 29, 2016
Idk 'configurations pointing at each other' is kind of a bizarre way to put it which is why I was asking, especially since they're debating using sites and services.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

127.0.0.1 and then other DCs.

milk milk lemonade
Jul 29, 2016

GPF posted:

Well, here's the original question:


You can find lots of references that say you need more than one DC and good reasons for that. You can also find lots of references about how to set up the DNS IPs for those DCs, but I've rarely come across a good reason written in those refs. Most explanations I see essentially treat it as "This is what you do for reasons so do it". Notice his second sentence, "Normally...". This would only be true if the DCs were also DNS servers, but depending on your setup and traffic patterns and site setup and bandwidth and other things, you may not set up a DC as a DNS server. You might not even set it up as a Global Catalog server. And, the DC must point to writable DNS servers so it can update the SRV records for its information in the zone.

So, with that being said, and the facts about how a Windows system does its DNS queries, I did answer his question. If they're all running DNS, and the domain they control has a zone in DNS that is AD Integrated, then have the first IP point to itself, then all the others. Use reservations in DHCP or type them in statically...doesn't matter, and their order after the first one doesn't matter either.

Which reminds me about the second part of the question. A site is considered to be two things by MS: High bandwidth/low latency connections, and subnets in that setup. 100Mb connection between the two sets of DCs? That's high bandwidth and probably low latency. Might even be the same subnet depending on how things are hooked up. So, unless he has real solid reasons to build sites, attach subnet objects to those sites, and place those DCs into the site objects so AD understands these two locations are not local to each other, then it's not worth adding the complexity and enforced delay of AD updates.

Dude, I meant I was double checking on his question. Not questioning whether or not you can sound like an encyclopedia entry about DNS.

And your take on sites is weird. They're extremely simple to set up, and if you have two physically separate locations and you're not using different subnets then I guess it wouldn't even be a question because it wouldn't work. But if there are two subnets there isn't a compelling case to not use them. Are you trying to say replication would be an issue here?

Wrath of the Bitch King
May 11, 2005

Research confirms that black is a color like silver is a color, and that beyond black is clarity.
Has anyone ever done a large-scale migration to DFS from typical mapped drives and CIFS shares? I'm curious about the experience if so and if there were any particular pain points that stand out from the project.

I'd love to get away from this poo poo setup we have, but with the nested security ACLs it's difficult to even architect it. Hell, I don't have access to a lot of the structure to parse it unless I put in a Change Control to temporarily elevate myself to do just that.

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from
Did one that was Novell to DFS, ended up using powershell to re-create the directory structure and ACLs in a few minutes when it would have taken weeks manually, just needed a CSV with all the info. 2012 has native DFS commandlets but there's one bit that doesn't work right, ABE I think. Whatever it was, dfsutil covered for it. The ACLs were a bit of a bear too, I have some of the script lying around if you're interested in how I ended up dealing with it.
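An added example, not hihifellow's script: one way to do the CSV-driven rebuild of a directory tree and its NTFS ACLs described above. The CSV layout (one ACE per row, columns Path, Identity, Rights, Inheritance, Propagation, Type) and the CONTOSO sample row are assumptions; it resolves each identity before building the ACE so a stale group from the old system skips one row rather than failing the whole folder.

```powershell
# Added example, not hihifellow's script: rebuild a folder tree and its explicit NTFS ACLs from
# a CSV, the approach described above. The CSV layout is an assumption, one ACE per row:
#   Path,Identity,Rights,Inheritance,Propagation,Type
#   D:\Shares\Finance,CONTOSO\Finance-RW,Modify,"ContainerInherit, ObjectInherit",None,Allow
# Run on the target file server with rights to create folders and write their DACLs.
param(
    [Parameter(Mandatory)] [string]$CsvPath,
    [switch]$BreakInheritance   # make the CSV the whole DACL instead of adding to inherited ACEs
)

$rows = Import-Csv -Path $CsvPath
# One pass per folder: build the ACL once, write it once
foreach ($group in ($rows | Group-Object -Property Path)) {
    $path = $group.Name
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType Directory -Path $path -Force | Out-Null
    }
    $acl = Get-Acl -LiteralPath $path
    if ($BreakInheritance) {
        # isProtected=$true, preserveInheritance=$false: drop inherited ACEs entirely
        $acl.SetAccessRuleProtection($true, $false)
    }
    foreach ($row in $group.Group) {
        # Resolve the account up front: an orphaned identity (stale group from the old system)
        # would otherwise make Set-Acl fail for the whole folder, not just the one ACE
        try {
            $sid = ([System.Security.Principal.NTAccount]$row.Identity).Translate(
                       [System.Security.Principal.SecurityIdentifier])
        } catch {
            Write-Warning "$path : skipping unresolvable identity '$($row.Identity)'"
            continue
        }
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            $sid,
            [System.Security.AccessControl.FileSystemRights]$row.Rights,
            [System.Security.AccessControl.InheritanceFlags]$row.Inheritance,
            [System.Security.AccessControl.PropagationFlags]$row.Propagation,
            [System.Security.AccessControl.AccessControlType]$row.Type)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $path -AclObject $acl
    Write-Verbose "Applied $($group.Count) ACE(s) to $path"
}
```

Running it with -Verbose and without -BreakInheritance first shows what would be added on top of inherited permissions before you commit to replacing them.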

lol internet.
Sep 4, 2007
the internet makes you stupid

GPF posted:

Which reminds me about the second part of the question. A site is considered to be two things by MS: High bandwidth/low latency connections, and subnets in that setup. 100Mb connection between the two sets of DCs? That's high bandwidth and probably low latency. Might even be the same subnet depending on how things are hooked up. So, unless he has real solid reasons to build sites, attach subnet objects to those sites, and place those DCs into the site objects so AD understands these two locations are not local to each other, then it's not worth adding the complexity and enforced delay of AD updates.

Probably should have added that in the first post overall heh. Ended up getting a lot more responses than expected.

Building a web app which uses a MS clustered backend in AWS. Cluster requires AD\DNS services. Two sites in different data centers for failover in case a whole data center goes down due to some configuration push by the cloud provider and that is part of why I asked about the DNS as well.

I ended up creating the sites and services, but I felt like it wasn't necessary. It was 100Mbit/12ms latency between the sites and, as I mentioned, no client workstations, really just 12 servers between two sites running a web app.

Looking forward to Workgroup Clusters in Server 2016!

lol internet. fucked around with this message at 07:08 on Sep 24, 2016

Wrath of the Bitch King
May 11, 2005

Research confirms that black is a color like silver is a color, and that beyond black is clarity.

hihifellow posted:

Did one that was Novell to DFS, ended up using powershell to re-create the directory structure and ACLs in a few minutes when it would have taken weeks manually, just needed a CSV with all the info. 2012 has native DFS commandlets but there's one bit that doesn't work right, ABE I think. Whatever it was, dfsutil covered for it. The ACLs were a bit of a bear too, I have some of the script lying around if you're interested in how I ended up dealing with it.

I guess I need to understand DFS a bit more before I can really try and architect a solution. This has been in-place for a very, very long time, and it's a huge amount of data (several terabytes).

If you want to PM me a link to the script I'd love to take a look at it just to get an idea as to how involved it might be.

GPF
Jul 20, 2000

Kidney Buddies
Oven Wrangler

Fudge posted:

And your take on sites is weird. They're extremely simple to set up, and if you have two physically separate locations and you're not using different subnets then I guess it wouldn't even be a question because it wouldn't work. But if there are two subnets there isn't a compelling case to not use them. Are you trying to say replication would be an issue here?

Well, I can understand thinking that sites just gives you a separation, but it's more than that. Let's say you have two sites, set up correctly with subnet objects and a single DC for the shsc.forum domain in each site. You make a change to a user account on the DC in the first site, and at the fastest you can set it, the second DC won't see the changes until 15 minutes later. This doesn't apply to things like account lockout/disable or password changes, but it does apply to almost all the other stuff.

So, if I was in the same situation as the person that posted earlier, I'd leave both DCs in the same site and just use that high speed connection between the two locations for client communication back to the DCs. However, if I were using site-based technology or didn't need everything to replicate quickly, then sure, a multi-site setup would be fine even with DCs living in both sites. I just would have to account for and deal with the delays that are going to happen regarding replication of AD objects between the sites.

I work in a huge multi-site, multi-child domain infrastructure where much of it is out of my direct control, so I have to consider these delays when writing certain automation, troubleshooting, or just discussing things with the groups upline from me.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

GPF posted:

You make a change to a user account on the DC in the first site, and at the fastest you can set it, the second DC won't see the changes until 15 minutes later.

There's a way around that. This guy explains it on his blog, there are plenty of other blogs/articles that explain it as well.

I do this between sites/DC's in the main data centers for each area of the company (NA, APAC, EMEA) since they have nice fat links between them and run spokes off each of those main sites to other regional sites. Keeps everything down to a reasonable replication time.

Potato Salad
Oct 23, 2014

nobody cares


It's nice that you have "fat spokes" to work with, but that's a luxury, not necessarily something a small client will shell out $ for.

Upping the replication frequency is nice and works with brute-strength network infrastructure, but there is value in learning to automate your infrastructure in terms of delays and sites. I used to resist the "hurry up and wait" operation of SCCM, but am starting only recently to see in shades the usefulness of planning everything out such that arbitrary delay -- slow home uplinks, road warriors / overseas researchers who may not run a policy download for days or weeks, that guy in marketing who refuses to reboot his lovely $2,500 Mac once a month, whatever -- does not break your stride from a technical or managerial standpoint.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010

lol internet. posted:

Probably should have added that in the first post overall heh. Ended up getting a lot more responses than expected.

Building a web app which uses a MS clustered backend in AWS. Cluster requires AD\DNS services. Two sites in different data centers for failover in case a whole data center goes down due to some configuration push by the cloud provider and that is part of why I asked about the DNS as well.

I ended up creating the sites and services, but I felt like it wasn't necessary. It was 100Mbit/12ms latency between the sites and, as I mentioned, no client workstations, really just 12 servers between two sites running a web app.

Looking forward to Workgroup Clusters in Server 2016!

I could only fathom how much this would cost in AWS.

lol internet.
Sep 4, 2007
the internet makes you stupid

incoherent posted:

I could only fathom how much this would cost in AWS.

More than I get paid lol.

Internet Explorer
Jun 1, 2005
I've implemented similar. If companies are considering it, they are making enough to justify it.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


incoherent posted:

I could only fathom how much this would cost in AWS.

$20-40k/y. Not a big deal.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010

Internet Explorer posted:

I've implemented similar. If companies are considering it, they are making enough to justify it.

Literally half a new infrastructure in the cloud, and we have to shut it down every day after 5 because 20k/mo is too much.

lol internet.
Sep 4, 2007
the internet makes you stupid
One of the places I'm working with is basically spending six figures/year not including MS software licensing, which is through the company EA... it's basically premium features which start to add a lot to the cost.

A huge percentage of company revenue is based on the system so yeah.. it's justifiable for them.

But the whole hokus pokus with "the cloud is the future!" "the cloud is mature and stable" "The cloud is cheap, pay for what you use!" is such a load of bullshit.

There is nothing worse than having to sit through a region/service/data center outage and not being able to do anything other than wait. Like with on prem, at least you can attempt to fix a problem.

Eschatos
Apr 10, 2013


pictured: Big Cum's Most Monstrous Ambassador
I'm not seeing a specific GPO/AD thread, so hopefully this is the right place to post this question:

How do I go about configuring a group policy to apply to all computers in a given OU? Googling brings up a whole bunch of answers recommending loopback processing for folks trying to apply user configuration settings to computers, which is not what I'm trying to do. The straightforward alternative is setting up new security groups for all PCs but that strikes me as a waste of time. These PCs are already in dedicated OUs for all the workstations in a given location. Ideally I'd be able to just link the GPO in question to all these OUs and set security filtering to apply to everything, but there doesn't seem to be any "Authenticated Computers" equivalent to Authenticated Users.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Eschatos posted:

I'm not seeing a specific GPO/AD thread, so hopefully this is the right place to post this question:

How do I go about configuring a group policy to apply to all computers in a given OU? Googling brings up a whole bunch of answers recommending loopback processing for folks trying to apply user configuration settings to computers, which is not what I'm trying to do. The straightforward alternative is setting up new security groups for all PCs but that strikes me as a waste of time. These PCs are already in dedicated OUs for all the workstations in a given location. Ideally I'd be able to just link the GPO in question to all these OUs and set security filtering to apply to everything, but there doesn't seem to be any "Authenticated Computers" equivalent to Authenticated Users.

Eschatos, if you apply a GP to an OU, it will apply to everything in that OU*. Computer configuration stuff will apply to computers, user config stuff to users.

*Unless otherwise specified by filtering of some kind.


Feel free to hit me up on IRC, I'm typically in it all day (you know which one!)

milk milk lemonade
Jul 29, 2016

Eschatos posted:

I'm not seeing a specific GPO/AD thread, so hopefully this is the right place to post this question:

How do I go about configuring a group policy to apply to all computers in a given OU? Googling brings up a whole bunch of answers recommending loopback processing for folks trying to apply user configuration settings to computers, which is not what I'm trying to do. The straightforward alternative is setting up new security groups for all PCs but that strikes me as a waste of time. These PCs are already in dedicated OUs for all the workstations in a given location. Ideally I'd be able to just link the GPO in question to all these OUs and set security filtering to apply to everything, but there doesn't seem to be any "Authenticated Computers" equivalent to Authenticated Users.

Domain computers is the security group you're looking for.

Wherever you're putting the computers is the OU.

Edit: but computer settings will apply for user accounts in a given OU. Like password policies are a computer config item, but you put that on your users OU and it applies the settings to a computer that user is on.

milk milk lemonade fucked around with this message at 18:21 on Sep 28, 2016

devmd01
Mar 7, 2006

Elektronik
Supersonik
Word of warning: when you migrate a DHCP server config that's in a DHCP failover relationship, it will end up deleting the DNS records that were registered by the old DHCP server, such as all of your printers' DNS names for printer ports, etc...

Just saying it might be a good idea to do that on a weekend with the lease times set to 30 min for a few days to get everything re-registered quickly.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Eschatos posted:

I'm not seeing a specific GPO/AD thread, so hopefully this is the right place to post this question:

How do I go about configuring a group policy to apply to all computers in a given OU? Googling brings up a whole bunch of answers recommending loopback processing for folks trying to apply user configuration settings to computers, which is not what I'm trying to do. The straightforward alternative is setting up new security groups for all PCs but that strikes me as a waste of time. These PCs are already in dedicated OUs for all the workstations in a given location. Ideally I'd be able to just link the GPO in question to all these OUs and set security filtering to apply to everything, but there doesn't seem to be any "Authenticated Computers" equivalent to Authenticated Users.

Authenticated Users includes computer objects.

hihifellow
Jun 17, 2005

seriously where the fuck did this genre come from

anthonypants posted:

Authenticated Users includes computer objects.

Microsoft really should have called it "Authenticated Objects" but it's entrenched now so eh

milk milk lemonade
Jul 29, 2016
Isn't authenticated users a delegated read permission on GPO automatically?

Edit: well I'll be damned it's not

lol internet.
Sep 4, 2007
the internet makes you stupid

MF_James posted:

Feel free to hit me up on IRC, I'm typically in it all day (you know which one!)

Details on this magical IRC channel please.

Sickening
Jul 16, 2007

Black summer was the best summer.

lol internet. posted:

Details on this magical IRC channel please.

There is 0 magical about it.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

lol internet. posted:

Details on this magical IRC channel please.

haha just an IRC channel for a game we both play, nothing special.

Eschatos
Apr 10, 2013


pictured: Big Cum's Most Monstrous Ambassador

MF_James posted:

Eschatos, if you apply a GP to an OU, it will apply to everything in that OU*. Computer configuration stuff will apply to computers, user config stuff to users.

*Unless otherwise specified by filtering of some kind.


Feel free to hit me up on IRC, I'm typically in it all day (you know which one!)

So after a good deal of troubleshooting with the aid of MF_James, it turns out that the problem is not that the group policy isn't applying. Computer level policies are hidden from non-admin users, which I was using to test this policy. The actual problem requires a little more background. I'm trying to enable Powershell remoting on workstations. I had thought that setting up a group policy following this guide would do the job, but evidently something that enable-psremoting does is not covered by that. Back to the drawing board.

buffbus
Nov 19, 2012

hihifellow posted:

Microsoft really should have called it "Authenticated Objects" but it's entrenched now so eh

They should have and I feel there's a good chance many people at Microsoft themselves are confused due to this. In reference to the recent patch which changed the security context of group policy processing, Microsoft themselves said you need to add both Authenticated Users and Domain Computers to the read permissions on the GPO. This of course is false as Authenticated Users covers both bases. In general Authenticated Users should always be given read permission to all GPOs (not to be confused with the "apply group policy" security permission). It was merely a lucky coincidence I became sufficiently annoyed at this not being the case at my company and ran a script against all ~3600 GPOs just a few months before the patch was released.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
I thought the issue was that after the patch computers couldn't read the GPO because "Authenticated Users" wasn't in the access list, and the solution was to make sure Authenticated Users could read every GPO so the computers could actually read and apply them.

milk milk lemonade
Jul 29, 2016
Hooray for Microsoft knowing about an RDP-shattering bug on RDS servers that results in blank screens and requires a server reboot for months and still being weeks away from fixing it :waycool:

buffbus
Nov 19, 2012

FISHMANPET posted:

I thought the issue was that after the patch computers couldn't read the GPO because "Authenticated Users" wasn't in the access list, and the solution was to make sure Authenticated Users could read every GPO so the computers could actually read and apply them.

That's correct. It's Microsoft's own suggested fix stating that you also needed Domain Computers to be given access as well which means at least one person there doesn't know that Domain Computers is included within Authenticated Users or at the very least they don't understand the distinction between security filtering and security rights. Just saying people shouldn't feel too bad about being confused by the terminology since even people at MS sometimes get things mixed up.

"•If you are using security filtering, add the Domain Computers group with read permission."
https://support.microsoft.com/en-us/kb/3163622

wyoak
Feb 14, 2005

a glass case of emotion

Fallen Rib

buffbus posted:

That's correct. It's Microsoft's own suggested fix stating that you also needed Domain Computers to be given access as well which means at least one person there doesn't know that Domain Computers is included within Authenticated Users or at the very least they don't understand the distinction between security filtering and security rights. Just saying people shouldn't feel too bad about being confused by the terminology since even people at MS sometimes get things mixed up.

"•If you are using security filtering, add the Domain Computers group with read permission."
https://support.microsoft.com/en-us/kb/3163622

They say ONE of the following steps, which is correct - originally the recommendation just said add Authenticated Users, then people freaked out because that meant people could read GPOs they maybe shouldn't, so they specified that Domain Computers works if you're worried about that.

This is my daily pedantic post.
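An added example, not from the thread, buffbus or Microsoft: a GPO audit for the read-permission situation discussed in the last few posts (KB 3163622), treating a GPO as fine when either Authenticated Users or Domain Computers holds at least Read, as wyoak's reading of the article allows. It assumes the GroupPolicy and ActiveDirectory RSAT modules; with -Fix it adds only the Read level, which, as buffbus notes, is distinct from the "apply group policy" filtering right.

```powershell
# Added example, not from the thread or from Microsoft: audit every GPO in the domain for the
# read permission behind KB 3163622. A GPO passes when Authenticated Users (S-1-5-11) or
# Domain Computers holds a level that includes Read and is not denied.
# Assumes the GroupPolicy and ActiveDirectory RSAT modules and rights to read GPO security.
param(
    [switch]$Fix    # with -Fix, grant Authenticated Users GpoRead (read only, NOT Apply) on failures
)
Import-Module GroupPolicy
Import-Module ActiveDirectory

$authUsersSid  = 'S-1-5-11'
$domainCompSid = (Get-ADGroup -Identity 'Domain Computers').SID.Value
$readLevels    = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

$results = foreach ($gpo in Get-GPO -All) {
    $perms = Get-GPPermission -Guid $gpo.Id -All
    # Any non-denied entry for one of the two trustees at a level that includes Read
    $ok = $perms | Where-Object {
        ($_.Trustee.Sid.Value -in @($authUsersSid, $domainCompSid)) -and
        (-not $_.Denied) -and
        ($_.Permission -in $readLevels)
    }
    # A GpoCustom ACE may or may not include Read; flag it for manual review instead of guessing
    $custom = $perms | Where-Object {
        ($_.Trustee.Sid.Value -in @($authUsersSid, $domainCompSid)) -and ($_.Permission -eq 'GpoCustom')
    }
    $status = if ($ok) { 'OK' } elseif ($custom) { 'REVIEW (custom ACE)' } else { 'MISSING' }

    if ($status -eq 'MISSING' -and $Fix) {
        # GpoRead adds the Read right only; the GPO's "Apply group policy" filtering is unchanged
        Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
                         -PermissionLevel GpoRead | Out-Null
        $status = 'FIXED'
    }
    [pscustomobject]@{
        GPO      = $gpo.DisplayName
        Status   = $status
        Trustees = ($perms | ForEach-Object { "$($_.Trustee.Name):$($_.Permission)" }) -join '; '
    }
}
$results | Sort-Object Status | Format-Table -AutoSize
```

Run it without -Fix first; the Trustees column shows which principal already carries Read (or Apply, which includes it) on each GPO so you can see why a given GPO passed.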

milk milk lemonade
Jul 29, 2016
Customer: oh hay I need a new VM!

Me: perfect let me just check your VLSC here to see what we can do. Hmm. You have no licenses for your 2008 enterprise installs...

Customer: No we're good! Microsoft audited us last year. Lemme find the emails... *has email chain where Microsoft was blatantly lied to by old 3rd party company*

Me: :sigh:

Edit: wrong thread. Sort of related

milk milk lemonade fucked around with this message at 20:03 on Sep 29, 2016

Docjowles
Apr 9, 2009

Thought that was heading for the old standby: "nah we're good, all of our 500 production servers are covered by this MSDN / Action Pack license! :pseudo:" Straight up lying is at least a change of pace.

lol internet.
Sep 4, 2007
the internet makes you stupid
My old company was audited once. Found out that the "old IT crew" bought SCOM licenses instead of SCCM which was deployed in production.

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
Was that a long time ago? Because I think they're the same license now (unless SCOM is in a different ML, but if it is it's a higher level than SCCM so a SCOM ML would include SCCM).

milk milk lemonade
Jul 29, 2016
Systems Center licensing is confusing now


Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)
All MS licensing is confusing. Almost as confusing as their product naming.
