The Fool
Oct 16, 2003


Spin up Azure AD Directory Services and domain-join to that.

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-overview

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-join-windows-vm-portal


FunOne
Aug 20, 2000
I am a slimey vat of concentrated stupidity

Fun Shoe

Thank you and the others who made this suggestion, I got thrown by all the additional info about Expressroute and VPNs and Azure AD vs Azure AD DS and one way sync and damnit I hate all this so much.

SO, here is what I understand so far:

Microsoft has a directory service for auth/management/etc called "Active Directory". Microsoft created a cloud service for the same, but mostly identity use called "Azure AD" that one day will do all the same stuff. Because they expect your VMs to pound the poo poo out of the service you have to create a managed instance of "Azure AD Directory Services" to replicate everything into your VM space.

I'm not this stupid, I used to manage hundreds of systems, just never Windows.

The Fool
Oct 16, 2003


FunOne posted:

Microsoft created a cloud service for the same, but mostly identity use called "Azure AD" that one day will do all the same stuff.

Mostly right. Microsoft is spinning most of the device management stuff into Intune, which is their MDM product; only Windows 10 counts as mobile in this case.

quote:

Because they expect your VMs to pound the poo poo out of the service you have to create a managed instance of "Azure AD Directory Services" to replicate everything into your VM space.

I doubt that is the reason. Joining a device to Azure AD has a very specific purpose and it doesn't give you very many management options. They likely added this limitation to make it easier to manage the VMs.

Gucci Loafers
May 20, 2006

FunOne posted:

Microsoft has a directory service for auth/management/etc called "Active Directory". Microsoft created a cloud service for the same, but mostly identity use called "Azure AD" that one day will do all the same stuff. Because they expect your VMs to pound the poo poo out of the service you have to create a managed instance of "Azure AD Directory Services" to replicate everything into your VM space.


Microsoft Windows Server Active Directory Domain Services - Traditional Kerberos and NTLM provider. Along with GPOs, etc. for managing endpoints or user devices.

Microsoft Azure Active Directory - Modern Identity. SAML, OpenID Connect, etc. entirely web-based auth. protocols. Intune used for endpoint management but doesn't replace everything GPOs can do - yet.

Microsoft Azure AD Domain Services - Provides Traditional Kerberos and NTLM through Azure AD for Azure Virtual Machines through an Azure Virtual Network without the need for a VPN/ExpressRoute. Limited functionality. Only supports directory reads, no schema extensions, etc. Targeted for smaller deployments, organizations that aren't cloud ready, etc.

Gucci Loafers
May 20, 2006
Personally, I'd recommend just making an Azure VNet with a VPN. Configure the Azure VNet as a separate site in AD and have two DCs in Azure. It even doubles as a potential DR site. There's a bit of effort with the initial configuration, but once it's done it's done. Little post maintenance needed. The bigger issues are the network configuration and security freaking out with Domain Controllers in the :cloud:

Thanks Ants
May 21, 2004

#essereFerrari


The people who freak out the most about :yaycloud: also seem to be the ones with an old tower server with exposed USB ports running in the corner of the office, and no vetting process in place for people like cleaning crew.

FunOne
Aug 20, 2000
I am a slimey vat of concentrated stupidity

Fun Shoe

Tab8715 posted:

Personally, I'd recommend just making an Azure VNet with a VPN. ...

But, why? Again, I have no on-premise servers or services. I currently have no cloud VMs. My employees have O365 accounts which they use on their laptops. I don't even know where this VPN idea comes in. Or is this advice for 'general people'?

The Fool
Oct 16, 2003


FunOne posted:

But, why? Again, I have no on-premise servers or services. I currently have no cloud VMs. My employees have O365 accounts which they use on their laptops. I don't even know where this VPN idea comes in. Or is this advice for 'general people'?

It would be general advice since Windows shops that don't have an on-premise domain are still pretty rare.

SEKCobra
Feb 28, 2011

Hi
:saddowns: Don't look at my site :saddowns:
Migrating on-premise Exchange 2010 (currently SP1) to O365. Basically every step I take I have to completely upgrade their infrastructure just to keep going. Already had to upgrade the whole AD schema; next is gonna be the Exchange upgrade to SP3. Also, somehow Microsoft removed Exchange from their original tenant because it was unused for too long (WTF??) and we had to recreate the tenant, which meant waiting a day just to remove the domain...

Potato Salad
Oct 23, 2014

nobody cares


Thanks Ants posted:

The people who freak out the most about :yaycloud: also seem to be the ones with a bunch of old tower servers with exposed everything running in the corner of the office, and no vetting process in place for anyone other than the children of the "CEO."

Dirt Road Junglist
Oct 8, 2010

We will be cruel
And through our cruelty
They will know who we are
Speaking of the cloud, and being employed at :yayclod:... I recently had my desk moved so I'm next to the call center that spawned me, so I have a direct eavesdropping line on calls when one of my louder colleagues is working. Overheard today:

"Yes, you can use Office. No, you can't use 365. No, putting customer data in a competitor's cloud is against policy. Yes, it's been that way forever. Six years, sir. I've been here for six years. I see you started...last November? Okay, thanks, and have a great day."

snackcakes
May 7, 2005

A joint venture of Matsumura Fishworks and Tamaribuchi Heavy Manufacturing Concern

SEKCobra posted:

Migrating on-premise Exchange 2010 (currently SP1) to O365. Basically every step I take I have to completely upgrade their infrastructure just to keep going. Already had to upgrade the whole AD schema; next is gonna be the Exchange upgrade to SP3. Also, somehow Microsoft removed Exchange from their original tenant because it was unused for too long (WTF??) and we had to recreate the tenant, which meant waiting a day just to remove the domain...

This seems like a lot more effort than I usually have to go through... What are you using for the migration? Their built-in tools? If you aren't already in too deep, you may want to look into something like MigrationWiz. You'll need to migrate things like public folders on your own, and it won't grab things like contact groups local to the mailbox, but it is very convenient.

I typically also use their own sync tool to migrate distribution groups to the cloud, because once you lose Exchange it's kind of a pain to manage things like whether or not external senders can mail the distro, or hiding from address book.

lol internet.
Sep 4, 2007
the internet makes you stupid
Reconfiguring quorum shouldn't take out a cluster, right guys? I.e. disk to file share.


Too lazy to test

Dirt Road Junglist
Oct 8, 2010

We will be cruel
And through our cruelty
They will know who we are
"How IS our DFS-R configured?"
"We have a DFS-R?"

Fruit Smoothies
Mar 28, 2004

The bat with a ZING
Running Azure AD connect on our domain to sync users and use Single Sign On. The user logs onto their domain account, and they can visit an office application and not be prompted for their password.

We had a problem with Office / Outlook sign on, but that seems OK, as long as we use an older version of Office (newer ones don't automatically activate). We are using Shared Computer Licensing.

The issue is that newer versions of Office don't seem to want to activate, and OneDrive doesn't seamlessly sign on. I've been reading about Hybrid setups, and I wonder if the clients need to be authenticated to the domain AND to Azure AD in the background before these processes fully work? Is this the case? I know on newer versions, OneDrive and Office bring up "Sign in for this app only", which suggests there's some kind of broader account stuff going on.

If it IS the case that I need to sign users on to Azure AD too, is there a guide to automate this process? It's a school and so it's very hot-desky.

The Fool
Oct 16, 2003


The users only need to sign in to AD.

There are a bunch of factors that can affect application SSO, including but not limited to: modern authentication, adds configuration (if used), DNS, AD properties, etc.

I would start here: https://docs.microsoft.com/en-us/office365/enterprise/hybrid-modern-auth-overview

Fruit Smoothies
Mar 28, 2004

The bat with a ZING

The Fool posted:

The users only need to sign in to AD.

There are a bunch of factors that can affect application SSO, including but not limited to: modern authentication, adds configuration (if used), DNS, AD properties, etc.

I would start here: https://docs.microsoft.com/en-us/office365/enterprise/hybrid-modern-auth-overview

Thanks. Modern Auth is enabled, and on the version of Office we're using, it activates and connects to Exchange no problem; i.e. SSO is configured correctly and so is Modern Auth in Exchange.

I've read the MS documentation a lot and can't seem to find why newer builds of Office fail to work, and OneDrive SSO doesn't work either.

The Fool
Oct 16, 2003


Well, OneDrive does need additional configuration for seamless SSO: https://docs.microsoft.com/en-us/onedrive/use-silent-account-configuration

But there are still a bunch of other possible causes of your Office sign-in/activate issues, and it would be hard to narrow down without more information.

Like, if they manually sign in, does the application activate?
Does Outlook autodiscover work?
You say newer, but which version? Does the MSI install of 2019 work, just not 365 Click-to-Run?
Here is a bit of an AAD SSO troubleshooting checklist: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-sso

Digital_Jesus
Feb 10, 2011

Dirt Road Junglist posted:

"How IS our DFS-R configured?"
"We have a DFS-R?"

Your sysvol should at least be DFSR :v:

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Digital_Jesus posted:

Your sysvol should at least be DFSR :v:

you say that but 2008r2 is still supported and it's easy to not know you need to convert

Dirt Road Junglist
Oct 8, 2010

We will be cruel
And through our cruelty
They will know who we are

Digital_Jesus posted:

Your sysvol should at least be DFSR :v:

Oh, I know. It's just everything else a DFS-R can do that we keep being told we can't do because REASONS.

They are not good reasons.

Aunt Beth
Feb 24, 2006

Baby, you're ready!
Grimey Drawer
Not sure if this is a better post for one of the enterprise networking threads, but it seems like my problems are mostly Windows related so:

We have an existing Network Policy Server running on a Server 2012R2 domain controller. We're going to decommission this DC, so I stood up a new 2016 machine to use as a dedicated NPS. Exported the NPS configuration from the old server, imported it in the new server. Enrolled the new NPS server in AD.

Our RADIUS-enabled Cisco switches authenticate fine on the old server and the new one.

We use Cradlepoint devices for some LTE-backed WiFi access. When we configure the devices to use RADIUS via the old NPS, users can successfully authenticate to the WiFi. When we point the Cradlepoint to the new NPS, we consistently fail with reason code 22 "The client could not be authenticated because the EAP type cannot be processed by the server."

What am I missing? Everything seems identical except for the fact that the new NPS is 2016 instead of 2012R2 and isn't running on a DC.

Wicaeed
Feb 8, 2005
So, just getting started with ARM Templates in Azure and can I say, gently caress ARM Template formatting

Gucci Loafers
May 20, 2006

Wicaeed posted:

So, just getting started with ARM Templates in Azure and can I say, gently caress ARM Template formatting

JSON is super freaking easy. What are you talking about?

Wicaeed
Feb 8, 2005

Tab8715 posted:

JSON is super freaking easy. What are you talking about?

Maybe it's my initial frustration, and yeah, understanding JSON/YAML is easy; however, the overall complexity and length of the template.json & parameters.json files compared to something like, say, an Ansible Playbook or Terraform configuration is loving ridiculous.

Like, 1000 lines of JSON to deploy a single Azure VM with a single data disk?

I can do the same thing in about 200 lines with Ansible, and it's easy on the eyes to boot.

snackcakes
May 7, 2005

A joint venture of Matsumura Fishworks and Tamaribuchi Heavy Manufacturing Concern

BangersInMyKnickers posted:

you say that but 2008r2 is still supported and it's easy to not know you need to convert

I've been migrating so many Sysvols to DFSR lately, and it shows no signs of slowing down.

On another note, does anyone have any good reading on Azure AD DS? So far I've been able to ascertain that it ties to a domain name, and that it is neither AD DS nor Azure Active Directory.

My company wants to start moving in that direction and I'm not entirely sure why

Thanks Ants
May 21, 2004

#essereFerrari


I'd rather build DCs in Azure and then DirSync into Azure AD. You can then bring a VPN tunnel or ExpressRoute up and decide between domain join, Azure AD join, or Hybrid.

AADDS is fine for enabling LDAP(S) authentication for a legacy app that you might need to keep accessible through RDS, but it's currently only possible to deploy into one region, and I'm comfortable enough with building out multi-site AD that I don't want to give up that control. Also having Active Directory with DirSync means you can have a couple of DCs running in AWS/Google Cloud and connected via a VPN if you really wanted to spread the risk around.

The downside is that you then have to do all your admin work on the DCs rather than in Azure (:argh:) but there's been a long running aim to fix that, possibly involving writeback.

Count Thrashula
Jun 1, 2003

Death is nothing compared to vindication.
Buglord
Speaking of Azure - is there a good solution for connecting to an Azure network via SSL VPN on a workstation, and having DFS work correctly? I can ping the domain, I can ping the servers, but Explorer browsing to the namespace doesn't work. Is that just a limitation? The Azure point-to-site VPN client is garbage, I have to manually add routes via text file. Is there another all-cloud solution that I can slap into my Azure environment that would be more... preconfigured?

Thanks Ants
May 21, 2004

#essereFerrari


DirectAccess

Count Thrashula
Jun 1, 2003

Death is nothing compared to vindication.
Buglord
Sidenote: the client also wants it to be a "VPN" because they want to put their terminal server behind it. Can DirectAccess do that kind of private networking?

edit-- and some users will be using personal computers, so I can't explicitly add them when setting up DirectAccess. This is a mess.

buffbus
Nov 19, 2012
Terminal servers can be published behind web access gateways and IMO that is the only somewhat secure way of allowing access to company resources from an unmanaged personal computer.

Internet Explorer
Jun 1, 2005


buffbus posted:

Terminal servers can be published behind web access gateways and IMO that is the only somewhat secure way of allowing access to company resources from an unmanaged personal computer.

Agreed with this. I've been a Citrix guy pretty much my whole career and when I hear client to site VPN it makes my skin crawl.

Internet Explorer fucked around with this message at 18:54 on Apr 5, 2019

Thanks Ants
May 21, 2004

#essereFerrari


buffbus posted:

Terminal servers can be published behind web access gateways and IMO that is the only somewhat secure way of allowing access to company resources from an unmanaged personal computer.

Agreed, there is no such thing as securing data on an unmanaged endpoint, outside of really locked down environments like iOS that sandbox all the apps.

You don't want someone calling in sick and using a VPN from their kids PC having access straight into your network.

ChubbyThePhat
Dec 22, 2006

Who nico nico needs anyone else

Aunt Beth posted:

Not sure if this is a better post for one of the enterprise networking threads, but it seems like my problems are mostly Windows related so:

We have an existing Network Policy Server running on a Server 2012R2 domain controller. We're going to decommission this DC, so I stood up a new 2016 machine to use as a dedicated NPS. Exported the NPS configuration from the old server, imported it in the new server. Enrolled the new NPS server in AD.

Our RADIUS-enabled Cisco switches authenticate fine on the old server and the new one.

We use Cradlepoint devices for some LTE-backed WiFi access. When we configure the devices to use RADIUS via the old NPS, users can successfully authenticate to the WiFi. When we point the Cradlepoint to the new NPS, we consistently fail with reason code 22 "The client could not be authenticated because the EAP type cannot be processed by the server."

What am I missing? Everything seems identical except for the fact that the new NPS is 2016 instead of 2012R2 and isn't running on a DC.

Stab in the dark, but is this a certificate issue?

Digital_Jesus
Feb 10, 2011

buffbus posted:

Terminal servers can be published behind web access gateways and IMO that is the only somewhat secure way of allowing access to company resources from an unmanaged personal computer.

Thanks Ants posted:

Agreed, there is no such thing as securing data on an unmanaged endpoint, outside of really locked down environments like iOS that sandbox all the apps.

You don't want someone calling in sick and using a VPN from their kids PC having access straight into your network.



Or you can just let your users BYOD VPN to your network all you want because you set up your VPN properly and users are sorted into security groups with restricted split-tunnel ACLs that prevent them from accessing anything except the exact resources they need from a non-company workstation (Just your remote servers). Though with RDWeb and Gateway brokers being a thing that would probably be a limited use case based on specific device requirements, but since those would be unsupported anyway the furthest I'd go is "You can use the restricted VPN good luck."

I mean I hope people aren't just being like "Yeah we got VPN" and just letting that VPN tunnel talk to your entire inside LAN.

If you want VPN access to anything more than just terminal services you gotta either have a company device with endpoint management or a written authorization to evade protocol from someone with a "C" in front of their title, and even then you'll probably get told no unless the CEO himself comes in and makes a stink.

E: and your UTM solution should be scanning inbound vpn traffic anyway, your remote servers are monitored, have AV, and you have restriction policies in place that would prevent users from opening bad poo poo, so?

Unless your concern is some employee copying Excel sheets to Timmy's gaming laptop on the weekends or whatever, but I mean if you're worried about that kind of a breach that's a policy and procedure thing more so than worrying about who's using VPN. Turn off RDS clipboarding or something.

Digital_Jesus fucked around with this message at 19:10 on Apr 5, 2019

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

ChubbyThePhat posted:

Stab in the dark, but is this a certificate issue?

This was my first thought when they said new server, but considering some devices work and others don't it's odd, but it wouldn't be the first time one vendor goes with spec and one against...
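An added example for the reason code 22 question above, not something from the thread: a PowerShell snippet to run elevated on the new NPS host that lists recent RADIUS denials carrying that reason code (Security event 6273, which only appears if NPS auditing is enabled) next to the computer certificates PEAP/EAP-TLS could offer, so the certificate hypothesis can be checked rather than guessed. The function names are this example's own; the event field names are assumed to follow the event's XML data names.

```powershell
# Added example, not from the thread. Run on both the old and the new NPS to
# compare. If nothing comes back, check auditing first:
#   auditpol /get /subcategory:"Network Policy Server"
function Get-NpsDenial {
    param([int] $ReasonCode = 22, [int] $MaxEvents = 200)

    $filter = @{ LogName = 'Security'; Id = 6273 }   # 6273 = NPS denied access to a user
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the <Data Name="..."> elements of the event into a lookup table
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $fields[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time         = $_.TimeCreated
            RadiusClient = $fields['ClientName']        # the NAS entry, e.g. the Cradlepoint
            ClientIP     = $fields['ClientIPAddress']
            User         = $fields['SubjectUserName']
            AuthType     = $fields['AuthenticationType']
            EapType      = $fields['EAPType']
            Policy       = $fields['NetworkPolicyName']
            ReasonCode   = [int]$fields['ReasonCode']
            Reason       = $fields['Reason']
        }
    } |
    Where-Object { $_.ReasonCode -eq $ReasonCode }
}

# Certificates NPS can present for PEAP/EAP-TLS: they need a private key and the
# Server Authentication EKU (1.3.6.1.5.5.7.3.1). A server with no usable or an
# expired certificate is one of the usual sources of "EAP type cannot be processed".
function Get-NpsServerCert {
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
        } |
        Select-Object Subject, Issuer, NotBefore, NotAfter, Thumbprint
}

Get-NpsDenial | Format-Table -AutoSize
Get-NpsServerCert | Format-List
```

If the denials show an EapType the network policy on the new server does not list, or Get-NpsServerCert returns nothing while the old DC has a domain-issued certificate, that is the difference to chase.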

ChubbyThePhat
Dec 22, 2006

Who nico nico needs anyone else
Alright SCCM question:

I have a task sequence that is imaging machines. It's connected to a workbench at a local MSP so they can image things for me. They have imaged roughly 2000 machines for me in the last year, but this week there have been almost 10 failures. Machines show up with no software installed whatsoever.

So the issue is that both the SCCM reports and the logs on the machine say everything was 100% successful. If that's the case then why is there nothing on these machines? The Task sequence failure logs are all gone and moved to the correct spot on the C: drive. The reports show all the software installed successfully. Logs on the machine show connections to the right distribution points and successful downloads of the content and packages.

What the hell is going on here? Obviously I don't expect wizard answers but where should I even start looking?

Zaepho
Oct 31, 2013

ChubbyThePhat posted:

What the hell is going on here? Obviously I don't expect wizard answers but where should I even start looking?

AppEval and the AppEnforce logs might be a good place to start if these are indeed apps (and things haven't rolled off). Are the Application Install steps set to Continue on Error? What SCCM Build and Windows Build are you deploying? Is it possible a Windows Servicing update is being applied after the Apps have installed?

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams
Are you sure those parts of the TS are actually running? Are there conditions on those steps that are evaluating to false? Are those steps failing but they're set to continue on error? Those are the easy ones you've probably got out of the way...

The way we package all our apps is using a wrapper PowerShell script that includes logging, so we can see if the applications actually ran or not. If you don't have anything like that, you could maybe stick some steps in the parts of the TS that aren't running that would write some log files to the machine, so you can maybe get a better idea what state a machine is in when it runs.
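An added example of the wrapper idea above, written for this thread rather than taken from FISHMANPET or from SCCM: the script logs which task sequence step launched it and what the installer returned, then refuses to report success unless files it was told to verify actually exist, so a "100% successful" step with nothing on disk would surface as a failure instead. The parameter names, log location and SCCM variable usage are this example's own choices.

```powershell
# Added example, not the poster's script. Call it from an Application/Package step, e.g.
#   powershell.exe -ExecutionPolicy Bypass -File Install-App.ps1 -Installer setup.exe `
#       -Arguments '/S' -VerifyPath 'C:\Program Files\Vendor\app.exe'
param(
    [Parameter(Mandatory)] [string] $Installer,              # e.g. setup.exe or msiexec.exe
    [string]   $Arguments  = '',                             # installer command line
    [string[]] $VerifyPath = @(),                            # paths that must exist afterwards
    [string]   $LogDir     = "$env:ProgramData\AppWrapper"   # assumed log location
)

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$name = [IO.Path]::GetFileNameWithoutExtension($Installer)
$log  = Join-Path $LogDir ('{0}-{1:yyyyMMdd-HHmmss}.log' -f $name, (Get-Date))

function Write-Log ([string] $Message) {
    '{0:u} {1}' -f (Get-Date), $Message | Add-Content -Path $log
}

Write-Log "START host=$env:COMPUTERNAME user=$env:USERNAME installer=$Installer args=[$Arguments]"

# Inside a task sequence the TS environment COM object reports the running step
try {
    $ts = New-Object -ComObject Microsoft.SMS.TSEnvironment
    Write-Log ('TS step=[{0}] package={1}' -f $ts.Value('_SMSTSCurrentActionName'),
                                               $ts.Value('_SMSTSPackageID'))
} catch {
    Write-Log 'Not running inside a task sequence'
}

$exitCode = 1
try {
    $startArgs = @{ FilePath = $Installer; Wait = $true; PassThru = $true; NoNewWindow = $true }
    if ($Arguments) { $startArgs['ArgumentList'] = $Arguments }   # ArgumentList rejects ''
    $proc = Start-Process @startArgs
    $exitCode = $proc.ExitCode
    Write-Log "installer exit code=$exitCode"
} catch {
    Write-Log "ERROR launching installer: $($_.Exception.Message)"
}

# Post-install check: a step whose payload never landed must not be reported as success,
# even if the installer itself returned 0 or 3010 (reboot required)
$missing = $VerifyPath | Where-Object { -not (Test-Path -Path $_) }
if ($missing) {
    Write-Log "VERIFY FAILED, missing: $($missing -join ', ')"
    if ($exitCode -eq 0 -or $exitCode -eq 3010) { $exitCode = 1 }
} else {
    Write-Log 'VERIFY OK'
}

Write-Log "END exit=$exitCode"
exit $exitCode
```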


ChubbyThePhat
Dec 22, 2006

Who nico nico needs anyone else

Zaepho posted:

AppEval and the AppEnforce logs might be a good place to start if these are indeed apps (and things haven't rolled off). Are the Application Install steps set to Continue on Error? What SCCM Build and Windows Build are you deploying? Is it possible a Windows Servicing update is being applied after the Apps have installed?

Good idea I'll dig through those logs. Some of the apps are continue on error, but they all show as successful in the logs. We're running 2012r2 1806. Update pending to 1903 or whatever it is in the near future. No service patches are applying afterwards.
