BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Diffs can suck after a few days because if you have a one-time turnover of a large number of blocks in the volume, each subsequent diff now comes close to the size of just taking a full and resetting everything, except that is happening every time. The really good poo poo these days are incremental backup solutions that consolidate the chain of incrementals into the base image as it ages through the retention window.


orange sky
May 7, 2007

In MBAM when does the encryption key exchange occur? I ask because I'm wondering what happens if someone gets the gpo then goes away for a month and bitlocker automatically encrypts their disk, will MBAM still have the key? Is it exchanged at policy delivery?

Sacred Cow
Aug 13, 2007

orange sky posted:

In MBAM when does the encryption key exchange occur? I ask because I'm wondering what happens if someone gets the gpo then goes away for a month and bitlocker automatically encrypts their disk, will MBAM still have the key? Is it exchanged at policy delivery?

I’m pretty sure you can set that action in the GPO. I’m on my phone so I’m paraphrasing here but “don’t encrypt until key is saved” or something similar. If you try to manually encrypt without being connected to your infrastructure it will shoot an error and not proceed.

Zero VGS
Aug 16, 2002
ASK ME ABOUT HOW HUMAN LIVES THAT MADE VIDEO GAME CONTROLLERS ARE WORTH MORE
Lipstick Apathy
Pro-tip, if you have your PCs joined to Azure AD, and enable Bitlocker, it will give the option to save the key directly to Azure AD. Then you go to portal.office.com and bring up your laptop or whatever from the list of all company devices, and the key is shown right there. It's a pretty recent thing and saves us a ton of work since our company uses Azure AD without a domain, and that was the one thing that was a pain in the rear end before, backing up keys securely.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

orange sky posted:

In MBAM when does the encryption key exchange occur? I ask because I'm wondering what happens if someone gets the gpo then goes away for a month and bitlocker automatically encrypts their disk, will MBAM still have the key? Is it exchanged at policy delivery?

So in our environment we store the keys in AD and in MBAM. We can run into a certain scenario where the key is in AD, but not in MBAM.

The MBAM client has a default startup delay of up to 90 minutes. It's one of those random ones like a WSUS checkin that is +/- a set amount of time to prevent overloading a server during initial deployment.

In our environment, we once in a while run into the issue where a freshly imaged machine hasn't had a chance to update to the MBAM server, but has still encrypted the drive. Our PC Techs don't have access to the BitLocker recovery info in AD, so they have to ask one of us to get it for them. If the key has been written to AD, encryption will take place. It doesn't have to report to MBAM as well.

I asked them to change their imaging task to set the NoStartupDelay registry key for the MBAM client so it reports immediately, which fixed the issue for the PC Techs.

Double check your GPO policies. There's a setting "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives"; make sure that is how you want it set. Ours is checked/enabled.

There are several other policies, both under BitLocker and MDOP MBAM; just check those and make sure they're all set the way you want.

It is possible for the scenario you describe to happen, but probably not by default; you would have to manually change the settings to enable encryption before recovery info is stored somewhere.
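
The check the last two posts are circling (Zero VGS's Azure AD escrow and skipdogg's AD DS + NoStartupDelay setup), written out as an added example for this thread. It is not code from the thread, from MBAM or from Microsoft. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later), RSAT ActiveDirectory on the client for the AD DS read-back, BackupToAAD-BitLockerKeyProtector on Azure AD-joined machines (Windows 10 1511 and later), and the MBAM 2.5 client registry path for NoStartupDelay; verify that path against your MBAM version before putting it in a task sequence. It creates a numerical recovery password if the volume has none, escrows it, verifies the escrow (AD DS only; Azure AD has no local read-back, the portal is the check), and only then sets NoStartupDelay. Run it elevated on the client.

```powershell
# Added example for this thread, not code from the thread or from Microsoft.
# Escrow the BitLocker recovery password, refuse to continue until the escrow is
# verified, then set the MBAM client's NoStartupDelay so it reports immediately.

# MBAM 2.5 client key as documented for NoStartupDelay (assumption: check your version)
$MbamKey = 'HKLM:\SOFTWARE\Microsoft\MBAM'

function Set-MbamNoStartupDelay {
    if (-not (Test-Path $MbamKey)) { New-Item -Path $MbamKey -Force | Out-Null }
    New-ItemProperty -Path $MbamKey -Name 'NoStartupDelay' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-JoinType {
    # dsregcmd ships with Windows 10; its status block says which directory the device is joined to
    $status = (dsregcmd /status) -join "`n"
    if ($status -match 'AzureAdJoined\s*:\s*YES') { return 'AzureAD' }
    if ($status -match 'DomainJoined\s*:\s*YES')  { return 'ADDS' }
    return 'None'
}

function Get-RecoveryProtector {
    # Return the numerical-password protector for the volume, creating one if absent:
    # without it there is nothing to escrow and nothing a tech can recover with.
    param([string]$MountPoint)
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    return ($rp | Select-Object -First 1)
}

function Test-AdDsEscrow {
    # AD DS stores each escrowed password as an msFVE-RecoveryInformation child of the
    # computer object whose CN ends in the protector GUID, so presence is a name match.
    param([string]$KeyProtectorId)
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME
    $escrowed = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                    -Filter "objectClass -eq 'msFVE-RecoveryInformation'"
    return [bool]($escrowed | Where-Object Name -like "*$KeyProtectorId*")
}

function Invoke-RecoveryKeyEscrow {
    param([string]$MountPoint = $env:SystemDrive)
    $rp = Get-RecoveryProtector -MountPoint $MountPoint
    switch (Get-JoinType) {
        'ADDS' {
            if (-not (Test-AdDsEscrow -KeyProtectorId $rp.KeyProtectorId)) {
                # Same write the "store recovery information to AD DS" policy performs; it throws
                # when no DC is reachable, which is the failure you want before encryption starts.
                Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
            }
            if (-not (Test-AdDsEscrow -KeyProtectorId $rp.KeyProtectorId)) {
                throw "Recovery password $($rp.KeyProtectorId) is not in AD DS; not enabling BitLocker"
            }
        }
        'AzureAD' {
            # Throws on failure; there is no local read-back for Azure AD, the portal is the check.
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
        }
        default { throw 'Not joined to AD DS or Azure AD: nowhere to escrow the key, refusing to continue' }
    }
    Set-MbamNoStartupDelay
    return $rp.KeyProtectorId
}

Invoke-RecoveryKeyEscrow
```

Run this before the step that turns encryption on (or gate the Enable-BitLocker step on its exit code); with the "Do not enable BitLocker until recovery information is stored to AD DS" policy enabled as well, the freshly imaged machine cannot end up encrypted with a key nobody holds.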

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010

Zero VGS posted:

Pro-tip, if you have your PCs joined to Azure AD, and enable Bitlocker, it will give the option to save the key directly to Azure AD. Then you go to portal.office.com and bring up your laptop or whatever from the list of all company devices, and the key is shown right there. It's a pretty recent thing and saves us a ton of work since our company uses Azure AD without a domain, and that was the one thing that was a pain in the rear end before, backing up keys securely.

For my MDM peeps: Airwatch will grab the bitlocked key and let you issue your own corporate bitlocker key to enrolled devices.

orange sky
May 7, 2007

Thanks a lot guys. We were thinking of storing the key only in MBAM but it appears it's actually best to store it both in AD and MBAM. I'll test it. Thanks again :)

E: Also, another thing that's bugging me. Why does MBAM require the System Reserved Partition in a SCCM Task Sequence but not through GPO? I couldn't answer that question and it's bugging me. Have you guys done this process with W10 1706 with no issues? I've heard something about it not giving up the encryption key or something.

orange sky fucked around with this message at 12:54 on Dec 12, 2017

Thanks Ants
May 21, 2004

#essereFerrari


Looking at this support document it seems like a pretty straightforward process to turn off directory sync in Office 365. Is there anything more to it than just turning it off? I don't want to turbo-gently caress a load of attributes or rip out all my aliases.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

orange sky posted:

Thanks a lot guys. We were thinking of storing the key only in MBAM but it appears it's actually best to store it both in AD and MBAM. I'll test it. Thanks again :)

E: Also, another thing that's bugging me. Why does MBAM require the System Reserved Partition in a SCCM Task Sequence but not through GPO? I couldn't answer that question and it's bugging me. Have you guys done this process with W10 1706 with no issues? I've heard something about it not giving up the encryption key or something.
We don't image with SCCM, but we do run Bitlocker on W10 up to and including the latest 1709 release.

Bitlocker has to have the system reserved partition available for it to work. If one doesn't exist during a GPO style deployment, it will shrink the OS disk and create one. I'm assuming that if you're enabling bitlocker during the deployment in SCCM it wants to make sure it exists as well.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

Trying to track down failed logins in our vmware environment:

quote:

info 'commonvpxLro' opID=1b5c20ed] [VpxLRO] -- BEGIN task-internal-758593 -- -- vim.SessionManager.login -- c6357139-4639-8dbf-f7bd-8bbc50a179a5

info '[SSO]' opID=481e2d25] [UserDirectorySso] Authenticate(DOMAIN\DUMBUSER, "not shown")

error '[SSO]' opID=3dcfbebc] [UserDirectorySso] AcquireToken exception: N9SsoClient27InvalidCredentialsExceptionE(Authentication failed: Invalid credentials)

error 'authvpxdUser' opID=3304c837] Failed to authenticate user DOMAIN\DUMBUSER

We get this in the vpxd.log, I've turned on trivia logging to hopefully get something more useful (like an IP address of the source....) is there anything else useful that I can change/turn on that would help narrow this down? We get ~13000 of these failed logons a day, they don't seem to hit our domain controllers though (user account is never locked out), it's really just annoying our SOC guys because they don't want to filter this off and miss legit events.
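
One way to triage that volume before trivia logging even comes back, as an added example for this thread and not code from the thread or from VMware: group the failures by user and look at the gap between consecutive failures. A near-constant gap is a scheduler or a monitoring agent; a human or a password spray does not fail on a metronome. The sample lines below are constructed in the shape of a vpxd.log line (timestamp, level, component, opID, message); only the message text matches what was posted. Note that in the posted excerpt the BEGIN, Authenticate and Failed lines carry different opIDs, so correlating by opID across those lines will not work and the grouping here is by user and time only.

```powershell
# Added example, not from the thread or from VMware: tally vpxd.log auth failures per user
# and report the cadence. Feed real lines with: Get-Content vpxd.log | Get-VpxdAuthFailure | Get-AuthFailureCadence

# Constructed sample in vpxd.log shape (timestamps, opIDs and the second user are made up)
$SampleLog = @'
2017-12-12T14:00:03.101Z error vpxd[7F1A] [Originator@6876 sub=authvpxdUser opID=3304c837] Failed to authenticate user DOMAIN\DUMBUSER
2017-12-12T14:01:03.099Z error vpxd[7F1A] [Originator@6876 sub=authvpxdUser opID=3304c838] Failed to authenticate user DOMAIN\DUMBUSER
2017-12-12T14:02:03.104Z error vpxd[7F1A] [Originator@6876 sub=authvpxdUser opID=3304c839] Failed to authenticate user DOMAIN\DUMBUSER
2017-12-12T14:02:41.770Z info  vpxd[7F1B] [Originator@6876 sub=[SSO] opID=481e2d25] [UserDirectorySso] Authenticate(DOMAIN\jsmith, "not shown")
2017-12-12T14:02:41.990Z error vpxd[7F1B] [Originator@6876 sub=authvpxdUser opID=481e2d25] Failed to authenticate user DOMAIN\jsmith
2017-12-12T14:03:03.100Z error vpxd[7F1A] [Originator@6876 sub=authvpxdUser opID=3304c83a] Failed to authenticate user DOMAIN\DUMBUSER
'@ -split "`r?`n"

function Get-VpxdAuthFailure {
    # Parse only the "Failed to authenticate user" lines; the regex tolerates both the
    # quoted component style in the post ('authvpxdUser') and the sub= style.
    param([Parameter(ValueFromPipeline)][string]$Line)
    begin { $rx = '^(?<ts>\S+)\s+error\s+.*?opID=(?<op>[0-9a-f]+)\]\s+Failed to authenticate user (?<user>\S+)' }
    process {
        if ($Line -match $rx) {
            [pscustomobject]@{
                Time = [datetime]$Matches.ts
                OpId = $Matches.op
                User = $Matches.user
            }
        }
    }
}

function Get-AuthFailureCadence {
    # Per user: count, first/last seen, and the median gap in seconds between consecutive
    # failures. A tight, constant gap (60 s below) is a scheduled poller, not a person.
    param([Parameter(ValueFromPipeline)]$Failure)
    begin { $all = @() }
    process { $all += $Failure }
    end {
        foreach ($g in ($all | Group-Object User)) {
            $times = @($g.Group.Time | Sort-Object)
            $gaps  = @(for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalSeconds })
            $median = if ($gaps.Count) { @($gaps | Sort-Object)[[int][math]::Floor(($gaps.Count - 1) / 2)] } else { $null }
            [pscustomobject]@{
                User             = $g.Name
                Count            = $g.Count
                MedianGapSeconds = $median
                First            = $times[0]
                Last             = $times[-1]
            }
        }
    }
}

$SampleLog | Get-VpxdAuthFailure | Get-AuthFailureCadence | Sort-Object Count -Descending | Format-Table -AutoSize
```

On the constructed sample this reports DOMAIN\DUMBUSER with four failures at a 60-second median gap and DOMAIN\jsmith with one. Hand the SOC the per-user cadence rather than a blanket filter on the message text, so a real spray against the same account (irregular gaps, many users) still stands out.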

orange sky
May 7, 2007

skipdogg posted:

We don't image with SCCM, but we do run Bitlocker on W10 up to and including the latest 1709 release.

Bitlocker has to have the system reserved partition available for it to work. If one doesn't exist during a GPO style deployment, it will shrink the OS disk and create one. I'm assuming that if you're enabling bitlocker during the deployment in SCCM it wants to make sure it exists as well.

Thank you very much

chocolateTHUNDER
Jul 19, 2008

GIVE ME ALL YOUR FREE AGENTS

ALL OF THEM
So I have a WDS server and a Sophos router on two different subnets. WDS handles imaging, and the Sophos router does DHCP. I've had options 66 & 67 configured on the Sophos router because it's on a different subnet than the WDS server, and it's worked fine for ~a year.

All of a sudden in the last two weeks, clients won't be able to see the WDS server in PXE boot until I restart the DHCP services on the WDS server. I've been googling like crazy, but every article I find seems to be people that haven't heard about/configured options 66 and 67 on their switches/routers. It doesn't make any sense to me that rebooting the DHCP services on the WDS server would enable clients to see it again through PXE boot for a bit. I can't find anything in event viewer either.
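
A check to run on the WDS server before (or instead of) the blind restart, as an added example for this thread and not code from the thread or from Microsoft: confirm the WDSServer process actually holds its UDP listeners. A PXE client that got next-server/boot-file from the router's options 66/67 goes straight to WDS for TFTP on UDP 69, and the boot program then asks WDS on UDP 4011; UDP 67 is bound when WDS is allowed to listen on DHCP ports (the default when DHCP is not on the same box) and is what an IP helper would relay to. The script assumes Windows Server 2012 or later for the NetTCPIP cmdlets and the WDSServer service name.

```powershell
# Added example, not from the thread: is the WDS PXE listener actually bound? Restart only if not.
function Get-WdsListenerState {
    $svc    = Get-Service -Name WDSServer -ErrorAction Stop
    $procId = (Get-CimInstance Win32_Service -Filter "Name='WDSServer'").ProcessId
    # UDP 69 = TFTP for the boot loader, 4011 = PXE/BINL request from the boot program,
    # 67 = DHCP-port listener WDS opens by default when no DHCP server shares the host.
    $ports = @(Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
               Where-Object { $_.OwningProcess -eq $procId } |
               Select-Object -ExpandProperty LocalPort)
    [pscustomobject]@{
        Status  = $svc.Status
        Pid     = $procId
        Udp67   = ($ports -contains 67)
        Udp69   = ($ports -contains 69)
        Udp4011 = ($ports -contains 4011)
    }
}

function Repair-WdsListener {
    # Idempotent: restart only when the service reports Running but has dropped the listeners
    # the client needs, which is the symptom above (clients stop seeing WDS until a restart).
    $state = Get-WdsListenerState
    if ($state.Status -eq 'Running' -and $state.Udp69 -and $state.Udp4011) { return $state }
    Restart-Service -Name WDSServer -Force
    Start-Sleep -Seconds 10
    return Get-WdsListenerState
}

Repair-WdsListener | Format-List
```

Schedule Get-WdsListenerState every few minutes and log its output around the time clients start failing; if the listeners are still bound when PXE stops working, the problem is between the router and the server (and the IP helper suggestion below is where to look), not on the WDS box.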

Thanks Ants
May 21, 2004

#essereFerrari


I think this has come up previously and the consensus was to move to using IP helpers rather than DHCP options.

Sacred Cow
Aug 13, 2007

Thanks Ants posted:

I think this has come up previously and the consensus was to move to using IP helpers rather than DHCP options.

I was reluctant to do this for years until UEFI booting basically became mandatory and I was mixing with existing BIOS bootable computers. It’s been working flawlessly and now I wish I'd used IP helper sooner. Also, if it doesn’t work it’s the network guys' problem now.

Thanks Ants
May 21, 2004

#essereFerrari


Sacred Cow posted:

Also if it doesn’t work it’s the network guys problem now.

:toot:

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010

MF_James posted:

Trying to track down failed logins in our vmware environment:


We get this in the vpxd.log, I've turned on trivia logging to hopefully get something more useful (like an IP address of the source....) is there anything else useful that I can change/turn on that would help narrow this down? We get ~13000 of these failed logons a day, they don't seem to hit our domain controllers though (user account is never locked out), it's really just annoying our SOC guys because they don't want to filter this off and miss legit events.

ssh into the esxi box and ping the domain controller (or any).

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

incoherent posted:

ssh into the esxi box and ping the domain controller (or any).

SSO works fine, but I figured it out, it was our dumb monitoring system. I finally found the source IP but it took me a bit to figure out what was doing it (just didn't think of it) since the configuration isn't on the server itself, just the agent.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

orange sky posted:

In MBAM when does the encryption key exchange occur? I ask because I'm wondering what happens if someone gets the gpo then goes away for a month and bitlocker automatically encrypts their disk, will MBAM still have the key? Is it exchanged at policy delivery?

Bitlocker does not force volume encryption, this is something you would have to automate yourself with a script or manual intervention. Bitlocker GPOs only dictate the parameters of how it is used (crypto, backup to AD, enforcement for removable devices, TPM policies, etc). Once the volume encryption key has been set it does not change until the volume has been decrypted and re-encrypted.

orange sky
May 7, 2007

BangersInMyKnickers posted:

Bitlocker does not force volume encryption, this is something you would have to automate yourself with a script or manual intervention. Bitlocker GPOs only dictate the parameters of how it is used (crypto, backup to AD, enforcement for removable devices, TPM policies, etc). Once the volume encryption key has been set it does not change until the volume has been decrypted and re-encrypted.

I was under the impression that the Policy named "Encryption Policy Enforcement Settings" was exactly to set off encryption after a grace period. I'm using MBAM, not Bitlocker out of the box, if you mean that.



From https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/planning-for-mbam-25-group-policy-requirements

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Ah gotcha, I read that as a standard GPO rollout. My bad.

PierreTheMime
Dec 9, 2004

Hero of hormagaunts everywhere!
Buglord
I’ve got automation software that communicates primarily via COM/RPC, and every day at a specific timeframe we get a ton of RPC faults that fail job runs and generally cause issues. Given it’s linked to a window of time, I’m assuming some other network traffic during this time is flooding out our requests.

What’s the best method of tracking RPC traffic and determining where failed calls die? I’ve run the Microsoft Networking Tool 3.4 and have logged a ton of RPCFaults failing due to “nca_server_too_busy”, but I’d like to get a more definitive source so I can bring it before our NOC and tell them to fix their poo poo.

I need this because they are completely dismissive of our problems as being due to our software, without any particular reason to do so (beside laziness). This is the same NOC that denied my repeated requests for assistance with occasional domain trust failures until it completely shut down our cross-domain traffic and they had to have an emergency 2-day bridge call with MS engineers to fix it.
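
Something to run on the automation host through the daily window, as an added example for this thread and not code from the thread or from the automation vendor. nca_server_too_busy is the server end saying it will not take the call, so the client-side numbers worth having are: whether the endpoint mapper on TCP 135 answers and how fast, how many sockets this host is holding to the server and in what state, and how big the host's own ephemeral port range is. A pile of TIME_WAIT against the server alongside the faults shows the client chewing through ports at the same moment; a slow or failing 135 check points at the path. The server name is hypothetical; the cmdlets need Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the thread: sample the client side of the RPC path during the fault window.
$RpcServer = 'app-rpc-01.example.local'   # hypothetical

function Get-RpcPathSample {
    param([string]$Server)
    $ip = (Resolve-DnsName -Name $Server -Type A -ErrorAction Stop | Select-Object -First 1).IPAddress
    # Endpoint mapper on TCP 135 is the first hop of every RPC bind; time it and note failures
    $sw  = [System.Diagnostics.Stopwatch]::StartNew()
    $epm = Test-NetConnection -ComputerName $ip -Port 135 -WarningAction SilentlyContinue
    $sw.Stop()
    # Sockets this host holds to the server, grouped by state
    $byState = @{}
    Get-NetTCPConnection -RemoteAddress $ip -ErrorAction SilentlyContinue |
        Group-Object State | ForEach-Object { $byState[$_.Name] = $_.Count }
    # Ephemeral range this host uses for dynamic RPC endpoints (49152-65535 by default)
    $dyn   = (netsh int ipv4 show dynamicport tcp) -join ' '
    $start = if ($dyn -match 'Start Port\s*:\s*(\d+)')      { [int]$Matches[1] } else { $null }
    $count = if ($dyn -match 'Number of Ports\s*:\s*(\d+)') { [int]$Matches[1] } else { $null }
    [pscustomobject]@{
        Time         = Get-Date
        Server       = $Server
        EpmReachable = $epm.TcpTestSucceeded
        EpmMs        = $sw.ElapsedMilliseconds
        Established  = [int]$byState['Established']
        TimeWait     = [int]$byState['TimeWait']
        DynStart     = $start
        DynCount     = $count
    }
}

function Watch-RpcPath {
    # Poll through the window and write a CSV you can lay next to the job failure times
    param([string]$Server, [int]$Minutes = 30, [int]$IntervalSeconds = 15,
          [string]$OutFile = "$env:TEMP\rpc-path-$(Get-Date -Format yyyyMMdd-HHmm).csv")
    $until = (Get-Date).AddMinutes($Minutes)
    while ((Get-Date) -lt $until) {
        Get-RpcPathSample -Server $Server | Export-Csv -Path $OutFile -Append -NoTypeInformation
        Start-Sleep -Seconds $IntervalSeconds
    }
    return $OutFile
}

Watch-RpcPath -Server $RpcServer
```

Start it a few minutes before the window opens and take the CSV, with the Network Monitor capture, to the NOC; a row where EpmMs jumps or Established collapses at the same timestamp as the faults is a much harder thing to wave away than "your software".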

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
Question: How reliable is the NFS client service on Windows desktop? I'm doing the research to put our stuff in AWS through Storage Gateway and I just think it's a janky implementation (my primary experience is through my use on the server side mounting NFS shares). The cost difference between file and block is not insignificant.

vanity slug
Jul 20, 2010

File Gateway supports NFSv3 clients so that should be fine. Windows still doesn't come with an NFSv4 client (UMich built one, though) so no Elastic File System for Windows yet.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
I'm more getting a pulse on whether it would be wise to expose NFS shares to my end users through Microsoft's implementation (through DFS shares) and the potential support needs, vs an iSCSI/SMB share with cacheable data.

Thanks Ants
May 21, 2004

#essereFerrari


What are you trying to do? There's a growing number of storage gateway type products now and chances are one is going to suit your needs.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
Well, to simply put it, I've spun up two VMs for a file and volume gateway cookoff. One VM appliance gateway exposes S3 buckets as an NFS share in my network. We don't really know who is using about 40TB of stale data, if at all (this org was built on a lot of duct tape). With S3 we get all the cool analytics of "when was the file touched" and "how often" and take advantage of eventually moving it to Glacier. The other VM gateway exposes EBS volumes as iSCSI targets for easy-peasy SMB shares (and this is my second safe choice).

My Windows question is if anyone here is using NFS shares large scale in an end-user Windows environment. I can handle administering and troubleshooting NFS shares server-side but I really don't want to commit to an org-wide deployment for NFS access if there are any oddities with the services.

Thanks Ants
May 21, 2004

#essereFerrari


If you're serving Windows clients then I'd also look at StorSimple or keep an eye on Azure Files development (it will get ACLs soon and SMB3 is pretty snappy). I can't help with the mount NFS, reshare as SMB question though.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


NFS as a service is also coming for Azure.

Thanks Ants
May 21, 2004

#essereFerrari


Isn't it being delivered by NetApp with the associated costs?

devmd01
Mar 7, 2006

Elektronik
Supersonik
Just deployed a POC for Zscaler this afternoon, pretty slick tech. I did about half an hour of pre-work (deploying the ova, importing their SAML metadata into adfs), and the call took all of an hour and a half to get it fully functioning with everything we wanted working day one.

app-level vpn is a perfect use case for our business, lots of remote workers who mostly access cloud services, but still need specific internal services.

lol internet.
Sep 4, 2007
the internet makes you stupid
Anyone know if sharepoint (on-prem) is going the constant feature update route? Instead of constantly releasing brand new major versions? (ie. 2010/2013/2016)

Migrating sites is insanely time consuming. Have sites on 2007/2013 and now potentially spinning up 2016 since project server lives on it. :fuckoff:

Moey
Oct 22, 2010

I LIKE TO MOVE IT
Is server 2016 going that route?

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
None of the on-prem software will do CFA. Windows Server 2016 1709 will, provided you installed your Windows as Server Core (otherwise you're waiting for 2018).

incoherent fucked around with this message at 19:55 on Dec 21, 2017

lol internet.
Sep 4, 2007
the internet makes you stupid
Going to cross-post this with the Mac OS software thread but what is everyone doing with printers and mac?

Generally if you have a basic printer and some HP nonsense, you could get it working, but unfortunately I am trying to get it working with a huge plotter which needs custom paper size settings. Is there any way to copy a config from one OSX machine to another?

Thanks Ants
May 21, 2004

#essereFerrari


https://www.papercut.com/kb/Main/CopyingPrinterConfigOnTheMac

Moey
Oct 22, 2010

I LIKE TO MOVE IT
From what I can tell, looks like Server 2012 (non-R2) will not be getting patches for Spectre/Meltdown. Anyone know if that is true or not?

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Microsoft confirmed the big gently caress You on a supported OS:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

quote:


The following updates have been made: Revised the Affected Products table to include Windows 10 Version 1709 for x64-based Systems because the update provides mitigations for ADV180002. Corrected the security update numbers for the 2016 and 2017 SQL Server Cumulative Updates. Removed Windows Server 2012 and Windows Server 2012 (Server Core installation) from the Affected Products table because there are no mitigations available for ADV180002 for these products. Revised the Affected Products table to include Monthly Rollup updates for Windows 7 and Windows Server 2008 R2. Customers who install monthly rollups should install these updates to receive the mitigations against the vulnerabilities discussed in this advisory. In the Recommended Actions section, added information for Surface customers. Added an FAQ to explain why Windows Server 2008 and Windows Server 2012 will not receive mitigations for these vulnerabilities. Added an FAQ to explain the protection against these vulnerabilities for customers using x86 architecture.
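
Before the licensing conversation, it is worth knowing exactly which boxes are in the "no mitigation available" bucket versus "patched but not switched on" versus "waiting on microcode", because those are three different fixes. The inventory below is an added example for this thread, not code from the thread or from Microsoft; it wraps Microsoft's public SpeculationControl module (Install-Module SpeculationControl from the PowerShell Gallery, on each host or copied there) in an Invoke-Command sweep. Server names are hypothetical. The FeatureSettingsOverride values are the ones Microsoft's Windows Server guidance for this advisory uses to turn the mitigations on after the update is installed; a reboot follows.

```powershell
# Added example, not from the thread or from Microsoft: which servers carry the ADV180002 mitigations?
$Servers = 'hv-2012-01', 'hv-2012r2-01', 'hv-2016-01'   # hypothetical

$Probe = {
    Import-Module SpeculationControl -ErrorAction Stop
    $s  = Get-SpeculationControlSettings
    $os = Get-CimInstance Win32_OperatingSystem
    [pscustomobject]@{
        Host         = $env:COMPUTERNAME
        OS           = $os.Caption
        Build        = $os.BuildNumber
        BtiHardware  = $s.BTIHardwarePresent         # microcode for Spectre v2 loaded
        BtiOsPresent = $s.BTIWindowsSupportPresent   # Windows carries the mitigation code
        BtiEnabled   = $s.BTIWindowsSupportEnabled   # ... and it is switched on
        KvaRequired  = $s.KVAShadowRequired          # CPU affected by Meltdown
        KvaOsPresent = $s.KVAShadowWindowsSupportPresent
        KvaEnabled   = $s.KVAShadowWindowsSupportEnabled
    }
}

function Get-SpeculationInventory {
    param([string[]]$ComputerName)
    $rows = Invoke-Command -ComputerName $ComputerName -ScriptBlock $Probe -ErrorAction Continue
    foreach ($r in $rows) {
        # Classify: "not enabled" has three different fixes depending on which bit is missing
        $verdict = if (-not $r.BtiOsPresent -and -not $r.KvaOsPresent) {
            'no mitigation code in the OS: update not installed, or none exists (Server 2008 / 2012)'
        } elseif ($r.BtiOsPresent -and -not $r.BtiEnabled) {
            if ($r.BtiHardware) { 'patched but not enabled: set FeatureSettingsOverride and reboot' }
            else                { 'patched; waiting on microcode/firmware from the OEM' }
        } elseif ($r.KvaRequired -and $r.KvaOsPresent -and -not $r.KvaEnabled) {
            'patched but not enabled: set FeatureSettingsOverride and reboot'
        } else { 'mitigated' }
        $r | Add-Member -NotePropertyName Verdict -NotePropertyValue $verdict -PassThru
    }
}

function Enable-SpeculationMitigation {
    # Windows Server installs the code but leaves it off until these values are set.
    # Run via Invoke-Command on hosts whose Verdict says so, then reboot them.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    New-ItemProperty -Path $key -Name FeatureSettingsOverride     -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $key -Name FeatureSettingsOverrideMask -PropertyType DWord -Value 3 -Force | Out-Null
}

Get-SpeculationInventory -ComputerName $Servers | Format-Table Host, OS, Build, Verdict -AutoSize
```

The first verdict is the list to take to management: on Server 2012 (non-R2) it will never change, which is the point Bangers is making above, whereas a 2012 R2 or 2016 host in the second bucket just needs the registry values and a reboot.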

Moey
Oct 22, 2010

I LIKE TO MOVE IT
Awesome. Time to pull money out my rear end for some 2016 Datacenter licenses.

I swear if I buy 2016 Datacenter, and they release R2 shortly after, I am going to strangle someone.

Internet Explorer
Jun 1, 2005
Moey posted:

Awesome. Time to pull money out my rear end for some 2016 Datacenter licenses.

I swear if I buy 2016 Datacenter, and they release R2 shortly after, I am going to strangle someone.

This is why I am holding off on deploying 2016 right now. There's no features I need that aren't in 2012 R2 and I have a hard time believing they aren't going to pull that poo poo, even with this whole continuous deployment approach.


Moey
Oct 22, 2010

I LIKE TO MOVE IT

Internet Explorer posted:

This is why I am holding off on deploying 2016 right now. There's no features I need that aren't in 2012 R2 and I have a hard time believing they aren't going to pull that poo poo, even with this whole continuous deployment approach.

I ended up getting stuck buying 2012 due to budget money that had to be spent, and 2012 R2 not being out yet. At that time, I didn't want to deploy 2008 R2 and made the assumption 2012 wasn't "that bad".

I have pretty much had zero issues with it, until now.

I'll bring this up with management tomorrow and let them make a call.
