|
klosterdev posted: Probably dumb question: A quick google search says MAB operates at layer 2, and seems to affect layers 2-3/4 in some capacity (depending on what they mean by port) if it's an authentication issue, wouldn't that be a completely separate issue at the application level?

Normally a packet is sent to the radius server, which is application level but in our network it'll first check the mac address to see if there is a mab exception. If there is, it'll bypass the radius check and go straight into the dhcp to get an IP assigned. We use it on certain hardware like controllers, some printers, when we want to pxe re-image machines or when trusted assets from outside our domain need access to our network for a few days so we don't have to re-image their entire box. The radius only checks if the asset is in one of the domains. I don't know, the more I think about it the more I think it's dns for some stupid reason
|
# ? Feb 27, 2021 01:36 |
|
If you give one of the affected machines a static IP, can it ping the DNS and/or DHCP servers it's supposed to be talking to?
|
# ? Feb 27, 2021 14:01 |
|
mllaneza posted: If you give one of the affected machines a static IP, can it ping the DNS and/or DHCP servers it's supposed to be talking to?

Nope, even with a static IP. I've tried giving it an IP from the old domain's range and the new one's, swapping out the dns between just in case.

e-Our networking chief figured it out, apparently the tools that we use to add machines to the MAB were just adding them to the first domain's side of the network, not the second. When he hardcoded the mac into the other side's mab it picked up an IP.

Cao Ni Ma fucked around with this message at 16:12 on Mar 1, 2021 |
# ? Feb 27, 2021 14:34 |
|
There are some things I wish we used an MSP for. Migrating Exchange, big projects that we only do one time as a company...otherwise I'd ask them about this. We want to migrate from Symantec Endpoint Encryption to BitLocker. It's easy to script the 'un-encryption and un-installation of SEP', but what do we need to do with BitLocker? It looks like you can configure it with a GPO, and store your keys in AD for recovery. MBAM is going away? You can also do this with SCCM or Intune? We don't use either of those right now. We have a few people working from home over VPN, but 95% of our computers are on-site. We use Kaseya for RMM so getting any kind of modern system management tool tends to get shot down. What do goons say?
|
# ? Mar 3, 2021 13:52 |
|
Intune would be quicker to set up if you don't have SCCM. That being said, everything you need to do can be done with GPO (push settings out) and a powershell script (query bde status to verify success) via whatever endpoint management software you're running.

Does Kaseya give you the ability to centrally see the exit and error codes of a powershell script?
|
# ? Mar 3, 2021 14:27 |
|
Potato Salad posted: Does Kaseya give you the ability to centrally see the exit and error codes of a powershell script?

Will have to look into that, haven't used it for anything with Powershell scripting yet. We basically use it for patching and remote control.
|
# ? Mar 3, 2021 14:46 |
|
Speaking of scripting, we need to remove Sophos encryption then have machines register their bitlocker key in AD or azure AD if they are hybrid-joined. Has anyone dealt with that before?
|
# ? Mar 3, 2021 15:22 |
|
A GPO setting will handle that key transfer for you.
|
# ? Mar 3, 2021 15:24 |
|
Okay, sweet. I wasn’t sure if that setting would force a key storage action into AD. Thanks!
|
# ? Mar 3, 2021 15:46 |
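The two suggestions above (a script that queries BitLocker status and reports success through its exit code, and getting the recovery key into AD or Azure AD) can be combined in one check. This is an added example, not code posted by anyone in the thread; the exit-code numbers and the `-Escrow` parameter are this example's own convention, and it assumes the BitLocker PowerShell module is present and the script runs elevated under the RMM agent.

```powershell
#requires -RunAsAdministrator
# Added example: verify BitLocker on a volume and escrow its recovery password.
# Exit codes are an assumed convention so the RMM console can show pass/fail per machine.
[CmdletBinding()]
param(
    [string]$MountPoint = $env:SystemDrive,
    [ValidateSet('AD', 'AAD', 'None')]
    [string]$Escrow = 'AD'   # assumption: the caller knows how the device is joined
)

$ErrorActionPreference = 'Stop'
try {
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
} catch {
    Write-Output "ERROR: cannot query BitLocker on ${MountPoint}: $($_.Exception.Message)"
    exit 10
}

# Encryption still running (or never started) is reported separately from "suspended".
if ($vol.VolumeStatus -ne 'FullyEncrypted') {
    Write-Output "NOT READY: $MountPoint is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)%)"
    exit 20
}
if ($vol.ProtectionStatus -ne 'On') {
    Write-Output "NOT PROTECTED: $MountPoint is encrypted but protection is off or suspended"
    exit 21
}

# Only recovery passwords can be escrowed; never print their values to the RMM log.
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    Write-Output "NO RECOVERY PASSWORD: nothing to escrow on $MountPoint"
    exit 30
}

try {
    foreach ($kp in $recovery) {
        switch ($Escrow) {
            'AD'  { Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null }
            'AAD' { BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null }
        }
    }
} catch {
    Write-Output "ESCROW FAILED ($Escrow): $($_.Exception.Message)"
    exit 40
}

Write-Output "OK: $MountPoint protected, $($recovery.Count) recovery password(s), escrow target: $Escrow"
exit 0
```

The on-premises AD backup only succeeds when the GPO that allows storing BitLocker recovery information in AD DS is applied, so a code 40 on a domain-joined machine usually points at policy rather than at the script.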
|
In a hybrid setup with all mailboxes moved to online. On prem exchange is used as an SMTP relay currently. Ready to change inbound mail flow from on prem to exchange online. Is updating the MX record all that is needed? Maybe also adding a connector? No hybrid configuration wizard should be required? SMTP shouldn't break as nothing is changing?
|
# ? Mar 9, 2021 10:06 |
|
edit: wrong thread
|
# ? Mar 9, 2021 13:47 |
|
Hello everyone! Just a quick note to help out the folks who browse by bookmarks. We've started a SH/SC feedback thread and would love it if you stopped by to say hi and let us know what you think. https://forums.somethingawful.com/showthread.php?threadid=3961558
|
# ? Mar 9, 2021 18:35 |
|
DKIM question. I have an on prem smtp relay > Exchange O365. When I do a powershell test smtp send message to Internal Corp on prem SMTP Relay > O365 > External Email, it doesn't sign the message, how come?

lol internet. fucked around with this message at 03:25 on Mar 15, 2021 |
# ? Mar 15, 2021 03:23 |
|
which part isn't dkim signed, relay to o365?
|
# ? Mar 15, 2021 03:33 |
|
Ughh the final destination external email. I don't see it saying mailed by <domain name> and signed by <domain name> in gmail. If I use my regular O365 account I do see it. I would assume since there's an O365 connector for my on prem smtp server to O365, it would sign the message with the DKIM keys going out.. or is that not how it works? Would the on prem smtp need to enable DKIM?
|
# ? Mar 15, 2021 03:46 |
Essentially whatever is originating that email has to sign it. If it’s your internal exchange server then yes, it needs to and luckily can do DKIM signing. If you’re using an IIS relay or something, good luck. But also if you can avoid it all just set your apps and stuff up to use O365 directly and avoid the hassle.

Edit: https://docs.microsoft.com/en-us/exchange/transport-routing this lays out the hybrid routing scenarios, you might find something useful in there

i am a moron fucked around with this message at 04:57 on Mar 15, 2021 |
|
# ? Mar 15, 2021 04:45 |
|
Pop them bottles for a particularly hellish azure outage.
|
# ? Mar 15, 2021 21:48 |
|
AAD. I love how this one impacted service basically kills everything user facing.
|
# ? Mar 15, 2021 21:59 |
|
Yeah, amazing how everything relies on the identity service to allow users access
|
# ? Mar 16, 2021 18:45 |
|
I get that it's annoying, but you have to assume every time something blows up like this, they learn from it (yes I am incredibly naïve why do you ask). The total downtime was about six hours - fortunately for us it was well outside of business hours - and the advantages of having an identity platform far outweigh the downsides of it making GBS threads the bed once every few years. There's no way I could secure applications as well as App Proxy, modern authentication, risk-based conditional access etc. If this became something that happened every few months then yeah that would cause people to start asking me questions, but until that happens all I can really do is ignore it.
|
# ? Mar 16, 2021 19:49 |
|
Except that MS365 has a noticeable outage like once a month these days. Sure it's a slightly different package each time (teams then outlook then aad then...), but it's sold as a package, so there's a lot of pissed off execs out there who are going "so we went to the cloud and now it's less stable.." Fortunately there's enough benefits to going to the cloud, but reliability isn't the primary one.
|
# ? Mar 19, 2021 13:35 |
The important thing is if you’re responsible for it at your company, there’s really nothing you have to do about it except wait it out. And honestly I’d trade the downtime for the security and compliance features all day. MS needs to get their poo poo together though.
|
|
# ? Mar 19, 2021 14:06 |
|
AAD/Identity needs to be managed in fixed, highly-tested releases. Agile is not appropriate for the linchpin of M365.
|
# ? Mar 19, 2021 14:11 |
It seems extremely unagile and monolithic to me. The RCA they released last time sounded like MS engineering has gotten themselves into a pickle with AAD, I dunno if it’s the nature of the service or what but these huge release waves and inability to roll back quickly reminds me of every lovely monolith I’ve ever been near
|
|
# ? Mar 19, 2021 14:17 |
|
poo poo, I like your viewpoint kinda sounds like the monolith problem from the Netflix CIO interview that half the planet read a few years ago "oops we made a microservice very large"
|
# ? Mar 19, 2021 14:45 |
|
I'm still feeling optimistic because MS decided to publicly announce they're changing their AAD SLA from 99.9% to 99.99% after the last major AAD outage. And another major outage, and not just any outage but specifically an AAD major outage that took everything else down with it is going to cause a lot of hell to be raised. They can't go back to 99.9% and not expect to lose waves of customers during a period of major growth. MS has no way out of this mess but to fix their processes.
|
# ? Mar 19, 2021 19:24 |
|
Oh they won't lose any customers even if they go back to 99.9%. AAD is too entrenched now, so everyone just has to suck it up unfortunately. Getting credits for the outage is basically impossible too. If they go to just 99%, then maybe people will figure out alternatives, but that's a long way away.
|
# ? Mar 19, 2021 19:46 |
|
Question about wsus updates via gpo. I have the gpo set to download and install every Thursday at 3am but it doesn't look like it's doing that as I am not seeing the computers rebooting and wsus is not reporting them as compliant. Is there any other gpo I should be configuring? I normally do updates through sccm.. But for this environment it doesn't have it.
|
# ? Mar 22, 2021 04:13 |
|
lol internet. posted: Question about wsus updates via gpo.

Should be setting deadlines in wsus to go with your GPO. Set it for an hour after or the next day at 3am.
|
# ? Mar 22, 2021 06:45 |
|
Does anyone know wtf this hpe server power connector is and what's the chances of me getting this to work at home? https://1drv.ms/u/s!Aj7MtiJqrae4mvpZoJfJ9NpvdB9jRw

incoherent posted: Should be setting deadlines in wsus to go with your GPO. Set it for an hour after or the next day at 3am.
|
# ? Mar 23, 2021 04:21 |
|
lol internet. posted: Does anyone know wtf this hpe server power connector is and what's the chances of me getting this to work at home?

It says 15A 277V AC on it. A little bit of googling makes me think it's maybe a NEMA 11 series receptacle, which is for 3 phase. 277 volts is 1 phase out of 3. You probably don't have that at your house.

Happiness Commando fucked around with this message at 04:42 on Mar 23, 2021 |
# ? Mar 23, 2021 04:35 |
|
That sucks. Guess I'll have to buy another one.
|
# ? Mar 23, 2021 07:05 |
|
I would be surprised if the PSU isn’t dual voltage and just uses a weirdly keyed connector to stop you using a normal 10A rated IEC lead and starting a fire. What’s the HP part number on the PSU?

Edit: Just saw the above, it’s a US commercial standard. You’ll need a new PSU if you’re trying to run it at home.

Thanks Ants fucked around with this message at 17:53 on Mar 23, 2021 |
# ? Mar 23, 2021 17:47 |
|
Happiness Commando posted: It says 15A 277V AC on it. A little bit of googling makes me think it's maybe a NEMA 11 series receptacle, which is for 3 phase. 277 volts is 1 phase out of 3. You probably don't have that at your house.

Yeah, it's for a 3phase setup at 480v (277v is one phase) - used only in very high density settings where squeaking out that extra ~5% of power efficiency is worth it over the standard 120v/240v/208v. Only solution is to replace the power supply.
|
# ? Mar 25, 2021 17:06 |
|
Anyone testing Veeam 11?
|
# ? Mar 26, 2021 01:25 |
|
We dropped Veeam at the end of our support renewal and went to Clumio last year, since Veeam’s cloud backup offerings aren’t really there IMO. Another team member did the clumio setup but it is pretty slick.
|
# ? Mar 26, 2021 02:06 |
|
For those of you using sccm software update point. Do you still need to point your computers via gpo to the sccm server in then specify an update server gpo? It seems the Microsoft store needs to go out to the internet to install store apps/updates. This used to not be the case but it seems it is the case now. Maybe since I've updated to 20h2. Ideally I don't want to sync the store with sccm. Thoughts?
|
# ? Apr 2, 2021 10:38 |
|
You don't need to do anything with gpo, when the sccm client applies policy it will set those keys for you. There is however a good setting that will let the client go directly to Microsoft for "additional content" if it's not available on the update server it's pointed to. You might need that to allow store downloads.
|
# ? Apr 2, 2021 14:01 |
|
FISHMANPET posted: You don't need to do anything with gpo, when the sccm client applies policy it will set those keys for you. There is however a good setting that will let the client go directly to Microsoft for "additional content" if it's not available on the update server it's pointed to. You might need that to allow store downloads.

Last I checked it wasn’t a might but a must. Also a requirement to do online installations of .net
|
# ? Apr 2, 2021 15:22 |
|
We have PCs that do not have Trusted Platform Module (TPM). This means we either have to use a USB drive or PIN to boot BitLocker enabled computers? Should we just stick with Symantec disk encryption at this point?
|
# ? Apr 7, 2021 14:32 |