Comfortador
Jul 31, 2003

Not even *my* powers can save CoX.

So I have very little experience with KMS style licensing. I set a server up on a whim when my VDI project called for it, so it's always been a source of "I dunno" when I had issues. I started installing some machines with Win10 2004 and I'm having the "You don't have enough activations" error message when they are trying to activate. Does Windows 10 count each version number as a separate count for activations? I should have a bunch of Win10 machines out there activating. Is there a quick way around this if that's the case?

Thanks guys, appreciate any input. I've had to interact with it so drat little and now it's coming back to bite me.


lol internet.
Sep 4, 2007
the internet makes you stupid

Any reason you're not doing active directory based licensing? Same key as KMS just choose AD based.

But to answer your question though before you actually activate the KMS server you need X amount of active computers. Not sure what the count is for Windows 10 but Windows 7 was 25 active PCs on the network trying to activate via KMS before it becomes an active KMS. Server OS is like 5 active servers. But go AD activation if possible, it's the new thing and easier.

Comfortador
Jul 31, 2003

Not even *my* powers can save CoX.

lol internet. posted:

Any reason you're not doing active directory based licensing? Same key as KMS just choose AD based.

But to answer your question though before you actually activate the KMS server you need X amount of active computers. Not sure what the count is for Windows 10 but Windows 7 was 25 active PCs on the network trying to activate via KMS before it becomes an active KMS. Server OS is like 5 active servers. But go AD activation if possible, it's the new thing and easier.

Is it fairly easy to switch over, and it won't screw with VDI in any way? (Horizon)

For the record it is still 25 for Windows clients, and 5 for Windows server clients. I'm still getting the standard "You don't have enough client activations" even though when I run a slmgr /dlv it showed 50 on the count. Ugh.

edit: Eh, I just decided to do it once I read the KMS and AD style can exist together. At the very least it immediately resolved my test machine. So... yay and thanks for the suggestion. To answer your question, we used to use KMS before I was hired here, so on the fly when I was told it was required I just seamlessly went that route.

Comfortador fucked around with this message at 15:03 on Jul 31, 2020
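An added example for the activation-count question above (this is not code from anyone in the thread). A KMS host only answers activation requests once it has seen RequiredClientCount distinct client machine IDs within its 30-day window: 25 for client SKUs, 5 for server SKUs. Until then clients fail with 0xC004F038 ("the count reported by your Key Management Service is insufficient"). The functions below read the same SoftwareLicensingProduct and SoftwareLicensingService data that `slmgr.vbs /dlv` prints, but as objects you can filter and compare across machines, and they check whether AD-based activation has actually taken over. The only fixed values assumed are the Windows application ID (a constant GUID) and the configuration-partition container that Volume Activation Tools writes activation objects into.

```powershell
# Added example for this thread, not any poster's code. Run in an elevated PowerShell.
# Host side: count and threshold. Client side: which host was found and why activation failed.
# Assumed constants: the Windows application ID GUID and the AD activation-object container.

$WindowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'

function Get-KmsHostStatus {
    # Run on the KMS host: the product that carries the host key (CSVLK).
    Get-CimInstance -ClassName SoftwareLicensingProduct |
        Where-Object { $_.PartialProductKey -and $_.IsKeyManagementServiceMachine -eq 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Product       = $_.Name
                LicenseStatus = $_.LicenseStatus                      # 1 = Licensed
                CurrentCount  = $_.KeyManagementServiceCurrentCount   # distinct CMIDs seen in window
                RequiredCount = $_.RequiredClientCount                # 25 client SKUs / 5 server SKUs
                CountReached  = $_.KeyManagementServiceCurrentCount -ge $_.RequiredClientCount
            }
        }
}

function Get-KmsClientStatus {
    # Run on a failing Win10 2004 machine: which host it talks to and what the licensing service says.
    $svc = Get-CimInstance -ClassName SoftwareLicensingService
    Get-CimInstance -ClassName SoftwareLicensingProduct |
        Where-Object { $_.PartialProductKey -and $_.ApplicationId -eq $WindowsAppId } |
        ForEach-Object {
            $kmsHost = if ($_.KeyManagementServiceMachine) { $_.KeyManagementServiceMachine } else { $_.DiscoveredKeyManagementServiceMachineName }
            [pscustomobject]@{
                Product         = $_.Name
                LicenseStatus   = $_.LicenseStatus
                StatusReason    = '0x{0:X8}' -f $_.LicenseStatusReason   # 0xC004F038 = host count too low
                KmsHost         = $kmsHost
                ADActivation    = $_.ADActivationObjectName   # non-empty once AD-based activation applied
                ClientMachineId = $svc.ClientMachineID        # see the CMID caveat below
            }
        }
}

function Get-AdActivationObject {
    # AD-based activation stores its objects in the forest configuration partition (needs the AD module).
    $cfg = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Activation Objects,CN=Microsoft SPP,CN=Services,$cfg" `
                 -Filter { objectClass -eq 'msSPP-ActivationObject' } |
        Select-Object Name, DistinguishedName
}

# CMID caveat for VDI shops: the host counts *distinct* CMIDs. Desktops cloned from an image that
# was captured without sysprep /generalize all share one CMID and count as a single client, so the
# host count can sit below 25 however many VMs exist. Compare ClientMachineId across a few desktops;
# identical values mean the image has to be generalized before the count will ever reach threshold.
Get-KmsHostStatus | Format-List
```

Run `Get-KmsHostStatus` on the host and `Get-KmsClientStatus` on a failing client; if the host shows CountReached true and the client still reports 0xC004F038, the client is discovering a different host (compare KmsHost with the SRV record `_vlmcs._tcp` in DNS). Once `Get-AdActivationObject` returns an object, clients will report an ADActivation name and no longer depend on the KMS count at all.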

snackcakes
May 7, 2005

A joint venture of Matsumura Fishworks and Tamaribuchi Heavy Manufacturing Concern



Yam Slacker

I've come across a problem in Azure that has been pretty hard for me to google.

I've got a WVD Hostpool and a Standard Load Balancer so my VMs can share a Public IP Address

Somehow I've broken it so that when I add new VMs to the hostpool they have no external internet access, until I add them to the Backend Pool of the Load Balancer

This is preventing the VMs from having the Windows Virtual Desktop Agent and Bootloader installed, which means they don't join the hostpool automatically. Azure considers the VM deployment a failure because of this

As a result I have to add the VM to the Load Balancer Backend Pool manually, and then manually install the agents and register it with the hostpool

Life is hell

Wizard of the Deep
Sep 25, 2005


snackcakes posted:

I've come across a problem in Azure that has been pretty hard for me to google.

I've got a WVD Hostpool and a Standard Load Balancer so my VMs can share a Public IP Address

Somehow I've broken it so that when I add new VMs to the hostpool they have no external internet access, until I add them to the Backend Pool of the Load Balancer

This is preventing the VMs from having the Windows Virtual Desktop Agent and Bootloader installed, which means they don't join the hostpool automatically. Azure considers the VM deployment a failure because of this

As a result I have to add the VM to the Load Balancer Backend Pool manually, and then manually install the agents and register it with the hostpool

Life is hell

Are you putting them behind a restrictive Network Security Group?

Are they being joined to a working subnet?

Are they being joined to the RIGHT subnet?

snackcakes
May 7, 2005

A joint venture of Matsumura Fishworks and Tamaribuchi Heavy Manufacturing Concern



Yam Slacker

Wizard of the Deep posted:

Are you putting them behind a restrictive Network Security Group?

Are they being joined to a working subnet?

Are they being joined to the RIGHT subnet?

Not a restrictive NSG, definitely a working and correct subnet

Someone who wasn't me set up a basic load balancer for old VDIs (which are gone now) which I replaced with a standard load balancer. I see no reason why this would be an issue but... the problem started soon after.

It's probably something stupid and unrelated that I'm not seeing

Zaepho
Oct 31, 2013


snackcakes posted:

I've got a WVD Hostpool and a Standard Load Balancer so my VMs can share a Public IP Address

Would this not be what a NAT gateway would be used for?
What is the need for a single inbound public IP to be associated with the VMs in a WVD hostpool?

snackcakes
May 7, 2005

A joint venture of Matsumura Fishworks and Tamaribuchi Heavy Manufacturing Concern



Yam Slacker

Zaepho posted:

Would this not be what a NAT gateway would be used for?
What is the need for e single inbound public IP to be associated with the VMs in a WVD hostpool?

More of an outbound thing. One of the web apps they use is locked down so you have to get your IP address whitelisted and this is how we cut costs I guess. Anyhow I took a break from it today. Tomorrow I'll look into it again and let y'all know when(if) I discover the problem

Toast Museum
Dec 3, 2005

30% Iron Chef


When it comes to Office add-ins, am I missing something, or are the main options 1) centralized deployment or 2) give everyone access to the add-in store? (Add-ins can be added to a SharePoint app catalog, but Office for Mac can't access it, so that's a non-starter.) Is there really no way to make a curated portion of the add-in store/AppSource available to users?

Thanks Ants
May 21, 2004

Bless You Ants, Blants



Fun Shoe

I have a corporate domain in an Office 365 tenant but we aren't using Exchange Online for email, a small team wants a domain added to that tenant and they do want to use Exchange Online (as it's linked to using Teams for meetings with a certain set of clients). Is there any way to tell Office 365 that the corporate email needs to be sent over to Gmail, or is it always going to try delivering internally if the domain exists on the tenant?

Edit: Looks like the magical search term is Internal Relay Domain, I'll try it out this evening

https://docs.microsoft.com/en-gb/ex...ccepted-domains

Thanks Ants fucked around with this message at 16:01 on Aug 5, 2020

The Fool
Oct 16, 2003



My first instinct is to try to do it with a transport rule.

Thanks Ants
May 21, 2004

Bless You Ants, Blants



Fun Shoe

You have to set the domain to an internal relay for it to even put things through transport rules/connectors. Seems to be sending stuff into Gmail as plain text and attaching winmail.dat for some reason though but I don't care about that.

Edit: And again, as soon as I post here the magical search terms come to me and I find the right document https://support.microsoft.com/en-gb...-external-recip

Thanks Ants fucked around with this message at 17:21 on Aug 5, 2020
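An added example that ties the two posts above together (this is not code from the thread). It uses Exchange Online PowerShell (the ExchangeOnlineManagement module, with Exchange admin rights) and assumes a domain name, corp.example, for the corporate domain that is verified on the tenant but whose mailboxes live in Gmail. Two settings do the work: Internal Relay so Exchange Online routes recipients it does not have outward instead of bouncing them, and TNEF off for the remote domain so Gmail receives MIME rather than a winmail.dat attachment. The outbound connector is optional and pins the route with TLS required; the smart host name is assumed and should be taken from the domain's real MX records.

```powershell
# Added example, not code from the thread. Assumed name: corp.example.
Connect-ExchangeOnline          # interactive; use -AppId/-CertificateThumbprint for automation

$domain = 'corp.example'

# 1. Accepted domain: Authoritative -> InternalRelay.
#    Authoritative means "every address in this domain lives here", so an unknown recipient gets
#    550 5.1.10 RESOLVER.ADR.RecipNotFound. InternalRelay delivers locally when a mailbox exists and
#    otherwise hands the message to a matching outbound connector, or failing that to the public MX.
Set-AcceptedDomain -Identity $domain -DomainType InternalRelay
Get-AcceptedDomain -Identity $domain | Format-Table Name, DomainName, DomainType

# 2. Optional: pin the outbound path instead of relying on the MX lookup, and require TLS on it.
#    Assumed smart host; use the host from the domain's MX records.
New-OutboundConnector -Name "Relay $domain to Gmail" -ConnectorType Partner `
    -RecipientDomains $domain -SmartHosts 'aspmx.l.google.com' -UseMXRecord $false `
    -TlsSettings EncryptionOnly

# 3. winmail.dat: Exchange emits TNEF (Outlook rich text) where TNEFEnabled is $true, or $null and
#    the sender's client asks for it. $false forces MIME. "Default" covers every domain that has
#    no remote-domain entry of its own.
Set-RemoteDomain -Identity Default -TNEFEnabled $false
Get-RemoteDomain | Format-Table Name, DomainName, TNEFEnabled

# 4. Check: send a test from a tenant mailbox to an address in the domain, then trace it.
#    Status should be Delivered; a local recipient-lookup failure means step 1 did not apply.
Get-MessageTrace -RecipientAddress "someone@$domain" `
    -StartDate (Get-Date).AddHours(-1) -EndDate (Get-Date) |
    Format-Table Received, SenderAddress, RecipientAddress, Status
```

One thing to keep in view: once the domain is Internal Relay, any mailbox or shared mailbox later created in the tenant with a corp.example address will capture mail for that address before it ever reaches Gmail, so keep the tenant's address list for that domain deliberate.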

snackcakes
May 7, 2005

A joint venture of Matsumura Fishworks and Tamaribuchi Heavy Manufacturing Concern



Yam Slacker

snackcakes posted:

More of an outbound thing. One of the web apps they use is locked down so you have to get your IP address whitelisted and this is how we cut costs I guess. Anyhow I took a break from it today. Tomorrow I'll look into it again and let y'all know when(if) I discover the problem

This update is more in case anyone is curious than me looking for answers, but I found that if I build a new WVD hostpool and deploy it using the same image it will deploy the VMs just fine. If I add an additional VM that works too.

Once I add the existing VMs in the hostpool to the backend pool for the load balancer, that's when the problem starts for future VM deployments.

Getting Microsoft support involved because this is weird

Internet Explorer
Jun 1, 2005





Oven Wrangler

snackcakes posted:

This update is more in case anyone is curious than me looking for answers, but I found that if I build a new WVD hostpool and deploy it using the same image it will deploy the VMs just fine. If I add an additional VM that works too.

Once I add the existing VMs in the hostpool to the backend pool for the load balancer, that's when the problem starts for future VM deployments.

Getting Microsoft support involved because this is weird

Good loving luck. I'm actually curious as to how this ends up. We need our traffic to come from IPs for application whitelisting, but our WVD is currently small enough we can just assign them from a pool. I looked at load balancers and I assumed it would interfere with traffic to the WVD management infrastructure.

Thanks Ants
May 21, 2004

Bless You Ants, Blants



Fun Shoe

Could you let WVD manage its own networking and then peer that Vnet to another one with a NAT/virtual router image running and then shove routes to the web app into the route table of the WVD Vnet?

snackcakes
May 7, 2005

A joint venture of Matsumura Fishworks and Tamaribuchi Heavy Manufacturing Concern



Yam Slacker

The web app isn't ours, it's just a vendor who protects access by whitelisting IPs.

I'm starting to think the NAT Gateway that Zaepho posted about might be the way to go, but it seems like it's pretty new.

The problem is that I'm deploying these WVDs for about 150 people and internal IT is fast tracking this so it's in production way faster than it should have been. My hands are kind of tied now because the only way I can make changes would be after hours. Just for fun, because my company has a bunch of Azure credits, I might build out a test deployment with a NAT gateway and see how well it works

It's not like this is really stopping me from rolling out more WVDs, it just sucks that I have to manually register them to the host pool which means an extra 5-10 minutes spent per VM

Thanks Ants
May 21, 2004

Bless You Ants, Blants



Fun Shoe

I meant just route traffic to the web app out via the NAT gateway or virtual firewall appliance you deploy by chucking the route into the route table for the WVD Vnet. Or if the web app uses multiple IPs just set the default route to your appliance. Means you can leave all the inbound load balancing in place.
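An added example of the NAT gateway option that Zaepho and snackcakes raise above, alongside the route-table approach Thanks Ants describes (this is not code from the thread, and it is not how the poster's environment is built). It uses Az PowerShell (Az.Accounts, Az.Network) with Contributor on the resource group, and every name in it is assumed: rg-wvd, vnet-wvd, a session-host subnet snet-hosts, eastus. A NAT gateway attaches to the subnet rather than to individual NICs, so every session host in it egresses through one static public IP without being a load balancer backend member, and new hosts inherit it the moment they land in the subnet. It takes precedence over load balancer outbound rules for that subnet, and it requires Standard SKU everywhere: no Basic load balancer or Basic public IP may remain in the subnet.

```powershell
# Added example, not the thread's code. All resource names are assumed.
Connect-AzAccount | Out-Null

$rg = 'rg-wvd'; $loc = 'eastus'; $vnetName = 'vnet-wvd'; $subnetName = 'snet-hosts'

# 1. Static Standard public IP: this is the address the vendor allowlists.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name 'pip-wvd-egress' -Location $loc `
        -Sku Standard -AllocationMethod Static

# 2. NAT gateway bound to that IP.
$nat = New-AzNatGateway -ResourceGroupName $rg -Name 'natgw-wvd' -Location $loc `
        -Sku Standard -PublicIpAddress $pip -IdleTimeoutInMinutes 10

# 3. Attach it to the session-host subnet. Set-AzVirtualNetworkSubnetConfig rewrites the subnet
#    with only the parameters you pass, so carry the existing NSG and route table across
#    explicitly; otherwise the call silently detaches them.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
$params = @{
    VirtualNetwork = $vnet
    Name           = $subnetName
    AddressPrefix  = $subnet.AddressPrefix
    NatGateway     = $nat
}
if ($subnet.NetworkSecurityGroup) { $params.NetworkSecurityGroup = $subnet.NetworkSecurityGroup }
if ($subnet.RouteTable)           { $params.RouteTable           = $subnet.RouteTable }
Set-AzVirtualNetworkSubnetConfig @params | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 4. Verify the association and report the egress address.
$check = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName |
         Get-AzVirtualNetworkSubnetConfig -Name $subnetName
[pscustomobject]@{
    Subnet     = $check.Name
    NatGateway = $check.NatGateway.Id
    EgressIP   = $pip.IpAddress
}

# From a session host, confirm the source address the vendor will actually see, e.g.
#   Invoke-RestMethod https://api.ipify.org
# (any "what is my IP" service); it must match EgressIP before the allowlist request goes in.
```

Because the NAT gateway is a subnet property, the inbound load balancer and its backend pool can stay exactly as they are; nothing about host registration or the WVD agent install needs the host to be a pool member for outbound traffic any more.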

Internet Explorer
Jun 1, 2005





Oven Wrangler

Thanks Ants posted:

I meant just route traffic to the web app out via the NAT gateway or virtual firewall appliance you deploy by chucking the route into the route table for the WVD Vnet. Or if the web app uses multiple IPs just set the default route to your appliance. Means you can leave all the inbound load balancing in place.

I am sure this would work, just sucks to have to stand up more infrastructure for it.

chupacabron
Oct 30, 2004




Fallen Rib

I volunteered to take a look at a non-profit's issues with SQL Server/2008 Access setup to see if I could help them out and I'm running in to some permissions issues. Basically, I can set permissions via SQL Server all I want and it works fine, but then logging in via the Access side for a theoretically admin user I'm still restricted to what I can interact with. This is an issue of Access-level policies, right? Nothing else is broken like file permissions, at least as far as I can tell.

Broadly speaking their issue is that somebody left the company with the keys to Access and not much good will. So I'm trying to unbreak it as much as possible but am starting to think that this is going to involve either getting the keys from them, or doing some grey-hat stuff that's outside my pay range/skill level.

The Fool
Oct 16, 2003



Are you using sql auth or Windows auth? Is access passing through the current user or using stored credentials? Is there an odbc connector that could be causing issues?

chupacabron
Oct 30, 2004




Fallen Rib

Auth appears to be via sql. I'm not quite sure about whether access is using stored creds, but I appear to have the same permissions regardless of changes in the sql tables. ODBC connector data I can't access on account of Access being fairly locked down
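An added example for the questions The Fool raises above (this is not code from the thread). It runs T-SQL through Invoke-Sqlcmd from the SqlServer module against the back end; the instance name SQLBOX\SQLEXPRESS and database NonProfitDB are assumed. The first thing to settle is whether Access connects as each person (Windows auth, or per-user SQL logins) or as one SQL login stored in the linked-table connection strings. In the second case, the per-user GRANTs issued in SQL Server are never exercised because every Access session is the same principal, and that login's password is sitting inside the .accdb. The sessions view answers that directly from the server, without needing anything from the locked-down front end.

```powershell
# Added example, not from the thread. Assumed: instance SQLBOX\SQLEXPRESS, database NonProfitDB.
$conn = @{ ServerInstance = 'SQLBOX\SQLEXPRESS'; Database = 'NonProfitDB' }

function Get-AccessSession {
    # Live sessions that look like Access front ends, with the login and auth scheme each one used.
    Invoke-Sqlcmd @conn -Query @'
SELECT s.session_id, s.login_name, s.original_login_name, s.host_name, s.program_name,
       c.auth_scheme, s.login_time
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.is_user_process = 1
  AND (s.program_name LIKE 'Microsoft%Office%' OR s.program_name LIKE '%MSACCESS%');
'@
}

function Get-EffectiveDbAccess {
    param([Parameter(Mandatory)][string]$LoginName)
    # Role membership and explicit grants for the database user mapped to that login.
    # The name goes in as a sqlcmd scripting variable, not string-built into the query; it comes
    # from the server catalog above, not from user input.
    $roles = @'
SELECT dp.name AS db_user, ISNULL(r.name, '(no role)') AS db_role
FROM sys.database_principals AS dp
JOIN sys.server_principals   AS sp ON sp.sid = dp.sid
LEFT JOIN sys.database_role_members AS rm ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals   AS r  ON r.principal_id = rm.role_principal_id
WHERE sp.name = N'$(login)';
'@
    $grants = @'
SELECT dp.name AS grantee, p.class_desc, OBJECT_NAME(p.major_id) AS object_name,
       p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals  AS dp ON dp.principal_id = p.grantee_principal_id
JOIN sys.server_principals    AS sp ON sp.sid = dp.sid
WHERE sp.name = N'$(login)';
'@
    Invoke-Sqlcmd @conn -Query $roles  -Variable "login=$LoginName"
    Invoke-Sqlcmd @conn -Query $grants -Variable "login=$LoginName"
}

$sessions = @(Get-AccessSession)
$sessions | Format-Table session_id, login_name, host_name, program_name, auth_scheme

# Several workstations, one login name: a shared stored credential, not per-user access.
$distinct = @($sessions | Select-Object -ExpandProperty login_name -Unique)
if ($sessions.Count -gt 1 -and $distinct.Count -eq 1) {
    "All $($sessions.Count) Access sessions run as '$($distinct[0])'. Permissions are per-login, " +
    "so per-user changes in SQL Server cannot show up in Access until the front end stops sharing it."
    Get-EffectiveDbAccess -LoginName $distinct[0] | Format-Table
}

# On a workstation, list the DSNs Access may be pointed at. The password itself, if one is stored,
# is in the linked tables' Connect strings inside the .accdb (UID=...;PWD=...), not in the DSN.
#   Get-OdbcDsn -DriverName '*SQL Server*' | Format-Table Name, DsnType, Attribute
```

If auth_scheme comes back as SQL with one shared login, the SQL Server side is behaving correctly and the restriction the poster sees is enforced by the Access application (its own UI and startup settings), which is a different problem from SQL permissions. If auth_scheme is NTLM or KERBEROS and login_name differs per host, then the SQL grants are what apply and `Get-EffectiveDbAccess` shows exactly what the "admin" user can reach.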

kiwid
Sep 30, 2013



I just started a new job as head of IT (also the only IT person) for a company with 8 locations and about 70 users/computers across the company. Their IT situation is pretty non-existent at the moment. For example, many locations aren't even site-to-site VPNing to the main location (where the servers are) as they're using lovely asus home router/AP combos and each computer is individually VPNing with client software.

So, part of my job is essentially starting from scratch and cleaning this up. They do have a domain that was originally created with SBS and so it's using a .local TLD. I know Microsoft now recommends against this and so my question is, as the sole IT guy with more pressing poo poo to be doing, should I just leave this as is or should I really be considering re-creating the domain and migrating away from the .local? What would you guys do? Will leaving it cause me more headaches in the future?

edit. Also, over half the computers are not currently joined to the domain and are using local accounts which makes the situation a bit easier. We do have one piece of software (the main ERP software) that does AD auth though.

kiwid fucked around with this message at 12:58 on Aug 14, 2020

Thanks Ants
May 21, 2004

Bless You Ants, Blants



Fun Shoe

I'd get all the sites on a VPN back to your main location (or mesh if there's traffic that goes between branches) before doing anything with the domain.

Meraki MX appliances are really basic and poo poo in lots of ways but if you need to connect a bunch of branch locations together and they have different ISPs, dynamic IP addresses etc. then they're really good at that.

kiwid
Sep 30, 2013



Thanks Ants posted:

I'd get all the sites on a VPN back to your main location (or mesh if there's traffic that goes between branches) before doing anything with the domain.

Meraki MX appliances are really basic and poo poo in lots of ways but if you need to connect a bunch of branch locations together and they have different ISPs, dynamic IP addresses etc. then they're really good at that.

Already on that. Installing Fortinet firewalls next week. I was more wondering if I'm crazy in thinking about migrating to a new domain using a subdomain of their primary domain name or if I should just stick with the current .local domain?

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE


That ERP software is going to be your stick in the mud and it could be a giant disaster trying to untangle whatever mess is going on there, also you're sure there aren't other services tied to the current domain like O365 or anything?

Do you have support for the ERP product? If so, ask them what kind of investment it would take to migrate (in $$$ and/or hours); they might even be able to do some sort of copy/script mapping to new users i.e. MF_James.corp.local is supreme leader so we essentially copy everything to MF_james.sub.corp.com

Honestly, if it wasn't for that ERP, I'd probably do it so you don't drag whatever hosed up poo poo forward but part of me would probably be like "eh gently caress it, hopefully the skeletons in the closet will be the next guys problem and not mine"

MF_James fucked around with this message at 13:55 on Aug 14, 2020

Thanks Ants
May 21, 2004

Bless You Ants, Blants



Fun Shoe

kiwid posted:

Already on that. Installing Fortinet firewalls next week. I was more wondering if I'm crazy in thinking about migrating to a new domain using a subdomain of their primary domain name or if I should just stick with the current .local domain?

I'd move it just so you can get certificates if you need them - go to ad.company.com or even just an entirely separate domain. But you want to check dependencies first, anything that is actually AD integrated will use the GUIDs which won't be changing, but if it's just LDAP then there might be things you need to work out.

kiwid
Sep 30, 2013



MF_James posted:

That ERP software is going to be your stick in the mud and it could be a giant disaster trying to untangle whatever mess is going on there, also you're sure there aren't other services tied to the current domain like O365 or anything?

Do you have support for the ERP product? If so, ask them what kind of investment it would take to migrate (in $$$ and/or hours); they might even be able to do some sort of copy/script mapping to new users i.e. MF_James.corp.local is supreme leader so we essentially copy everything to MF_james.sub.corp.com

Honestly, if it wasn't for that ERP, I'd probably do it so you don't drag whatever hosed up poo poo forward but part of me would probably be like "eh gently caress it, hopefully the skeletons in the closet will be the next guys problem and not mine"

Yeah they have O365 but it isn't AD syncing. They have all local/cloud accounts which is a whole other mess and project to get merged into domain accounts.

After thinking about this more, I think I'm just going to leave it as .local. This is too big of a risk and something I'd rather tackle later when it actually becomes an issue. Maybe then I'll be able to reason the cost and time investment better because right now it is going to be hard to justify.

Thanks Ants
May 21, 2004

Bless You Ants, Blants



Fun Shoe

You could build another forest and then create a trust relationship and put new things on the new domain, if you wanted to tackle it slowly.

Matt Zerella
Oct 7, 2002


Quick question. I'm working on an Ansible routine to deploy a piece of our software stack that runs on Windows. It doesn't run as a service so it runs as a regular user. Don't ask. It's the way it is.

I'm testing on Server2019.

I've got everything deploying except one little part. I have to add a shortcut to the Startup folder that locks the screen when the user logs in automatically. Shut up. I know.

But the Startup folder in the users app data/roaming/blahblah is missing. If I add a task to create it will windows just pick it up automatically?
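An added example for the Startup-folder question above (this is not the poster's playbook or code). It is the PowerShell an Ansible task (ansible.windows.win_shell or win_powershell, with become set to the auto-logon account, since the Startup folder is per-user) would run on the Server 2019 host. Explorer resolves the per-user Startup folder through the shell known-folder path (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) at every logon; the folder is normally created with the profile, and when it is absent, creating it at that path is all that is needed. The .NET call below does exactly that, so the answer to "will Windows just pick it up" is yes, provided the folder is created for the right user. The shortcut name is assumed.

```powershell
# Added example, not the thread's code. Run as the auto-logon user. Assumed shortcut name.

function Install-LockAtLogonShortcut {
    param([string]$ShortcutName = 'Lock workstation.lnk')

    # Resolve the folder the way the shell does, for the user running this, creating it if missing.
    $startup = [Environment]::GetFolderPath(
        [Environment+SpecialFolder]::Startup,
        [Environment+SpecialFolderOption]::Create)

    $lnkPath = Join-Path $startup $ShortcutName
    $shell   = New-Object -ComObject WScript.Shell
    $lnk     = $shell.CreateShortcut($lnkPath)
    $lnk.TargetPath  = Join-Path $env:SystemRoot 'System32\rundll32.exe'
    $lnk.Arguments   = 'user32.dll,LockWorkStation'   # built-in "lock this session" entry point
    $lnk.WindowStyle = 7                               # minimized, no window flash at logon
    $lnk.Save()
    return $lnkPath
}

function Test-LockAtLogonShortcut {
    param([Parameter(Mandatory)][string]$Path)
    # Idempotency probe the Ansible task can key its changed_when off: $true when already correct.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $lnk = (New-Object -ComObject WScript.Shell).CreateShortcut($Path)
    return ($lnk.TargetPath -like '*\rundll32.exe') -and
           ($lnk.Arguments -eq 'user32.dll,LockWorkStation')
}

# DoNotVerify returns the path even when the folder does not exist yet, so the probe never creates it.
$startupDir = [Environment]::GetFolderPath(
    [Environment+SpecialFolder]::Startup,
    [Environment+SpecialFolderOption]::DoNotVerify)
$path = Join-Path $startupDir 'Lock workstation.lnk'

if (Test-LockAtLogonShortcut -Path $path) { 'ok' } else { Install-LockAtLogonShortcut | Out-Null; 'changed' }
```

Two points for the auto-logon piece itself: store the logon password with Sysinternals Autologon, which keeps it as an LSA secret, rather than in the plaintext DefaultPassword value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; and remember that anything in the Startup folder runs after the desktop is up, so there is a short window between logon and lock in which the session is unlocked on the console.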

kiwid
Sep 30, 2013



Thanks Ants posted:

You could build another forest and then create a trust relationship and put new things on the new domain, if you wanted to tackle it slowly.

That's not a bad idea.

lol internet.
Sep 4, 2007
the internet makes you stupid

Did MSFT force Chrome Edge install via updates yet? If so anyone got the KB?

stevewm
May 10, 2005


lol internet. posted:

Did MSFT force Chrome Edge install via updates yet? If so anyone got the KB?

It is included in the 2004 update.

kiwid
Sep 30, 2013



Is it normal to use one internal DNS server and one external DNS server in your DHCP scopes for workstations on a domain?

For example, this previous sysadmin had the domain controller/dns server setup as the primary dns server and Google's public 8.8.8.8 dns server as the secondary dns server. Will this cause any issues?

I'm used to having at least two DNS servers and pointing workstations at both and relying on forwarders for external DNS but this network only has one domain controller/dns server and so he's been putting the 8.8.8.8 as the secondary for everything. Just wondering if this is normal as I've never experienced this before.

skipdogg
Nov 29, 2004
Resident SRT-4 Expert


No. Not normal in my experience. Clients get internal dns servers, and the internal dns servers are setup with external forwarders

Actuarial Fables
Jul 29, 2014



Taco Defender

kiwid posted:

Is it normal to use one internal DNS server and one external DNS server in your DHCP scopes for workstations on a domain?

For example, this previous sysadmin had the domain controller/dns server setup as the primary dns server and Google's public 8.8.8.8 dns server as the secondary dns server. Will this cause any issues?

I'm used to having at least two DNS servers and pointing workstations at both and relying on forwarders for external DNS but this network only has one domain controller/dns server and so he's been putting the 8.8.8.8 as the secondary for everything. Just wondering if this is normal as I've never experienced this before.

It's not a best practice.

Is setting up a secondary DC/DNS server out of the question? Windows should only use the Secondary DNS server if it can't reach the Primary. If the workstations can't reach your DC/DNS Server then you've got problems, and the 8.8.8.8 band-aid will just make troubleshooting more difficult.

Matt Zerella
Oct 7, 2002


kiwid posted:

Is it normal to use one internal DNS server and one external DNS server in your DHCP scopes for workstations on a domain?

For example, this previous sysadmin had the domain controller/dns server setup as the primary dns server and Google's public 8.8.8.8 dns server as the secondary dns server. Will this cause any issues?

I'm used to having at least two DNS servers and pointing workstations at both and relying on forwarders for external DNS but this network only has one domain controller/dns server and so he's been putting the 8.8.8.8 as the secondary for everything. Just wondering if this is normal as I've never experienced this before.

Yeah, no, that's bad, especially if you're using Active Directory. The only place you'd use any external DNS is as you said, for forwarding.

If there's only one DNS server, just use the internal DNS server in the DHCP lease.

kiwid
Sep 30, 2013



skipdogg posted:

No. Not normal in my experience. Clients get internal dns servers, and the internal dns servers are setup with external forwarders


Actuarial Fables posted:

It's not a best practice.

Is setting up a secondary DC/DNS server out of the question? Windows should only use the Secondary DNS server if it can't reach the Primary. If the workstations can't reach your DC/DNS Server then you've got problems, and the 8.8.8.8 band-aid will just make troubleshooting more difficult.


Matt Zerella posted:

Yeah, no, that's bad, especially if you're using active directory. the only place you'd use any external DNS is as you said, for forwarding.

If there's only one DNS server, just use the internal DNS server in the DHCP lease.

Thanks, that's what I assumed. I'll just use the one internal dns server and remove the google public dns server from the dhcp scope.

Thanks Ants
May 21, 2004

Bless You Ants, Blants



Fun Shoe

AFAIK there isn't really a concept of primary and secondary DNS servers - there's just two DNS servers. Any little blip that causes the 'primary' (internal) DNS to respond slowly will result in the client hitting Google, and then getting the wrong answer and caching it.

The Fool
Oct 16, 2003



I've seen this in small shops where they only have one domain controller (usually SBS) and they had an outage. Then they learned the wrong lesson from it.


kiwid
Sep 30, 2013



Thanks Ants posted:

AFAIK there isn't really a concept of primary and secondary DNS servers - there's just two DNS servers. Any little blip that causes the 'primary' (internal) DNS to respond slowly will result in the client hitting Google, and then getting the wrong answer and caching it.

That was my understanding too but I've now seen this pattern in multiple organizations which made me second guess my knowledge on the subject. One of the orgs was even a Fortune 500 with 100+ IT staff who should have known better.

The Fool posted:

I've seen this in small shops where they only have one domain controller (usually SBS) and they had an outage. Then they learned the wrong lesson from it.

Yeah I'm assuming that's probably what has happened in this case too.
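An added example for the DNS discussion above (this is not code from anyone in the thread). It runs on the DC that holds DHCP and DNS (DhcpServer and DnsServer modules) and assumes addresses: the DC/DNS at 10.10.0.5 and a workstation scope of 10.10.0.0. It does three things: audits every scope and the server-level defaults for a public resolver in option 6, applies the fix the replies describe (internal DNS only for clients, forwarders on the DC), and then shows the failure mode Thanks Ants describes by asking 8.8.8.8 for an internal name, which is the answer a client would cache after a slow response from the DC.

```powershell
# Added example, not from the thread. Assumed: DC/DNS 10.10.0.5, workstation scope 10.10.0.0.
Import-Module DhcpServer, DnsServer

function Test-PrivateIPv4 {
    param([Parameter(Mandatory)][string]$Address)
    # RFC 1918 only; anything else handed to domain members as a resolver is a finding.
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    ($b[0] -eq 10) -or
    ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
    ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Find-PublicResolverInDhcp {
    param([string]$ComputerName = 'localhost')
    # Option 6 (DNS servers) at server level and in every IPv4 scope.
    $targets = @(@{ ScopeId = $null; Label = 'server-level' })
    $targets += Get-DhcpServerv4Scope -ComputerName $ComputerName |
                ForEach-Object { @{ ScopeId = $_.ScopeId; Label = "$($_.ScopeId) ($($_.Name))" } }

    foreach ($t in $targets) {
        $opt = if ($t.ScopeId) {
            Get-DhcpServerv4OptionValue -ComputerName $ComputerName -ScopeId $t.ScopeId -OptionId 6 -ErrorAction SilentlyContinue
        } else {
            Get-DhcpServerv4OptionValue -ComputerName $ComputerName -OptionId 6 -ErrorAction SilentlyContinue
        }
        foreach ($ip in @($opt.Value)) {
            if ($ip -and -not (Test-PrivateIPv4 $ip)) {
                [pscustomobject]@{ Scope = $t.Label; PublicResolver = $ip }
            }
        }
    }
}

Find-PublicResolverInDhcp | Format-Table -AutoSize

# Fix: clients get only the internal DNS; the DC forwards whatever it is not authoritative for.
Set-DhcpServerv4OptionValue -ScopeId 10.10.0.0 -DnsServer 10.10.0.5
Set-DhcpServerv4OptionValue -DnsServer 10.10.0.5                    # server-level default
Set-DnsServerForwarder -IPAddress 8.8.8.8, 8.8.4.4                 # the public resolvers belong here
Get-DnsServerForwarder | Select-Object -ExpandProperty IPAddress

# The failure mode: a public resolver has no view of the AD zone. A client that fell back to it
# (slow DC response, brief outage) caches NXDOMAIN for DC names and then cannot find the DC for
# logon, GPO or Kerberos until that cache entry ages out.
$internalName = "$env:COMPUTERNAME.$env:USERDNSDOMAIN"
Resolve-DnsName -Name $internalName -Server 10.10.0.5 -Type A | Select-Object Name, IPAddress
try   { Resolve-DnsName -Name $internalName -Server 8.8.8.8 -Type A -ErrorAction Stop }
catch { "8.8.8.8 says: $($_.Exception.Message)" }    # expect "DNS name does not exist"

# Clients pick the new option 6 up at lease renewal; on a workstation, ipconfig /renew then
#   Get-DnsClientServerAddress -AddressFamily IPv4
# should list only 10.10.0.5.
```

With a single DC the honest fix for the outage The Fool describes is a second DC/DNS server in option 6, not a public resolver; the audit function is worth keeping around because this pattern tends to come back with the next "quick fix".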
