Cao Ni Ma
May 25, 2010


klosterdev posted:

Probably dumb question: A quick google search says MAB operates at layer 2, and seems to affect layers 2-3/4 in some capacity (depending on what they mean by port). If it's an authentication issue, wouldn't that be a completely separate issue at the application level?

Normally a packet is sent to the RADIUS server, which is application level, but in our network it'll first check the MAC address to see if there is a MAB exception. If there is, it'll bypass the RADIUS check and go straight into DHCP to get an IP assigned. We use it on certain hardware like controllers, some printers, when we want to PXE re-image machines or when trusted assets from outside our domain need access to our network for a few days so we don't have to re-image their entire box. The RADIUS only checks if the asset is in one of the domains.

I don't know, the more I think about it the more I think it's DNS for some stupid reason.


mllaneza
Apr 28, 2007


Veteran, Bermuda Triangle Expeditionary Force, 1993-1952





If you give one of the affected machines a static IP, can it ping the DNS and/or DHCP servers it's supposed to be talking to?

Cao Ni Ma
May 25, 2010


mllaneza posted:

If you give one of the affected machines a static IP, can it ping the DNS and/or DHCP servers it's supposed to be talking to?

Nope, even with a static IP. I've tried giving it an IP from the old domain's range and the new one's, swapping out the DNS between, just in case.

e: Our networking chief figured it out. Apparently the tools that we use to add machines to the MAB were just adding them to the first domain's side of the network, not the second. When he hardcoded the MAC into the other side's MAB it picked up an IP.

Cao Ni Ma fucked around with this message at 15:12 on Mar 1, 2021

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!



There are some things I wish we used a MSP for. Migrating Exchange, big projects that we only do one time as a company...otherwise I'd ask them about this.

We want to migrate from Symantec Endpoint Encryption to Bitlocker. It's easy to script the 'un-encryption and un-installation of SEP', but what do we need to do with Bitlocker?

It looks like you can configure it with a GPO, and store your keys in AD for recovery. MBAM is going away? You can also do this with SCCM or Intune? We don't use either of those right now. We have a few people working from home over VPN, but 95% of our computers are on-site.

We use Kaseya for RMM so getting any kind of modern system management tool tends to get shot down. What do goons say?

Potato Salad
Oct 23, 2014

Nobody Cares




Intune would be quicker to set up if you don't have SCCM.

That being said, everything you need to do can be done with a GPO (push settings out) and a PowerShell script (query BDE status to verify success) via whatever endpoint management software you're running.

Does Kaseya give you the ability to centrally see the exit and error codes of a PowerShell script?

Bob Morales
Aug 18, 2006


Potato Salad posted:

Does Kaseya give you the ability to centrally see the exit and error codes of a PowerShell script?

Will have to look into that, haven't used it for anything with Powershell scripting yet. We basically use it for patching and remote control.

devmd01
Mar 7, 2006

Elektronik
Supersonik


Speaking of scripting, we need to remove Sophos encryption then have machines register their bitlocker key in AD or azure AD if they are hybrid-joined. Has anyone dealt with that before?

Potato Salad
Oct 23, 2014

A GPO setting will handle that key transfer for you.
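The "verify with a PowerShell script and report an exit code" approach from the BitLocker migration replies above, plus the AD/Azure AD key escrow that the GPO setting is meant to trigger, as an added example (not code from the thread, from Kaseya or from Microsoft). It assumes Windows 10 or later with the BitLocker and TrustedPlatformModule PowerShell modules present; the exit-code values are this example's own convention.

```powershell
# Added example: check TPM and BitLocker state on one volume, escrow the recovery
# key to AD DS (and to Azure AD when -AlsoAzureAD is given), and signal the result
# through the exit code so an RMM can report it centrally.
param(
    [string]$MountPoint = $env:SystemDrive,
    [switch]$AlsoAzureAD      # set for hybrid-joined machines
)
$ErrorActionPreference = 'Stop'

# Exit codes (this example's own convention): 0 ok, 2 no usable TPM,
# 3 volume not protected / no recovery protector, 4 escrow failed
try {
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
        # Without a TPM, BitLocker would need a startup PIN or USB key instead
        Write-Output "No usable TPM: Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"
        exit 2
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On' -or $vol.VolumeStatus -ne 'FullyEncrypted') {
        Write-Output "$MountPoint not protected: $($vol.ProtectionStatus) / $($vol.VolumeStatus)"
        exit 3
    }

    # The RecoveryPassword protector is the 48-digit key that AD/AAD stores
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($recovery.Count -eq 0) {
        Write-Output "No RecoveryPassword protector on $MountPoint"
        exit 3
    }

    foreach ($kp in $recovery) {
        # Requires the GPO that allows storing recovery information in AD DS
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        if ($AlsoAzureAD) {
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
    }
    Write-Output "OK: $MountPoint is $($vol.VolumeStatus) ($($vol.EncryptionMethod)); recovery key escrowed"
    exit 0
}
catch {
    Write-Output "FAILED: $($_.Exception.Message)"
    exit 4
}
```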

devmd01
Mar 7, 2006


Okay, sweet. I wasn't sure if that setting would force a key storage action into AD. Thanks!

lol internet.
Sep 4, 2007
the internet makes you stupid

In a hybrid setup with all mailboxes moved online. On-prem Exchange is currently used as an SMTP relay.

Ready to change inbound mail flow from on-prem to Exchange Online. Is updating the MX record all that is needed? Maybe also adding a connector? No Hybrid Configuration Wizard should be required? SMTP shouldn't break as nothing is changing?

Bob Morales
Aug 18, 2006


edit: wrong thread

Internet Explorer
Jun 1, 2005


Oven Wrangler

Hello everyone! Just a quick note to help out the folks who browse by bookmarks. We've started a SH/SC feedback thread and would love it if you stopped by to say hi and let us know what you think.

https://forums.somethingawful.com/showthread.php?threadid=3961558

lol internet.
Sep 4, 2007

DKIM question.

I have an on-prem SMTP relay > Exchange O365.

When I do a PowerShell test SMTP send message to the internal corp on-prem SMTP relay > O365 > external email, it doesn't sign the message. How come?

lol internet. fucked around with this message at 02:25 on Mar 15, 2021

Potato Salad
Oct 23, 2014

which part isn't dkim signed, relay to o365?

lol internet.
Sep 4, 2007

Ughh the final destination external email. I don't see it saying mailed by <domain name> and signed by <domain name> in gmail.

If I use my regular O365 account I do see it. I would assume since there's an O365 connector for my on-prem SMTP server to O365, it would sign the message with the DKIM keys going out.. or is that not how it works? Would the on-prem SMTP need to enable DKIM?

i am a moron
Nov 12, 2020

Gettin' woke about vaccines

Essentially whatever is originating that email has to sign it.

If it's your internal Exchange server then yes, it needs to and luckily can do DKIM signing. If you're using an IIS relay or something, good luck. But also if you can avoid it all just set your apps and stuff up to use O365 directly and avoid the hassle.

Edit: https://docs.microsoft.com/en-us/exchange/transport-routing this lays out the hybrid routing scenarios, you might find something useful in there

i am a moron fucked around with this message at 03:57 on Mar 15, 2021
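A way to check, from the headers of the message as it landed in the external mailbox, whether any hop applied a DKIM signature and whether the signing domain aligns with the From: domain, which is what the "mailed by / signed by" display in Gmail reflects. Added example, not from the thread; the two header blocks are constructed, and corp.example, the host names and the selector are placeholders.

```powershell
# Added example: report DKIM presence and From-domain alignment from raw headers.
function Test-DkimAlignment {
    param([Parameter(Mandatory)][string]$RawHeaders)

    # Unfold RFC 5322 continuation lines so each header occupies one line
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $lines    = $unfolded -split "`r?`n"

    $fromLine = $lines | Where-Object { $_ -match '^From:' } | Select-Object -First 1
    $fromDom  = if ($fromLine -match '@([A-Za-z0-9.-]+)') { $matches[1].ToLower() } else { $null }

    $dkimLine = $lines | Where-Object { $_ -match '^DKIM-Signature:' } | Select-Object -First 1
    $sigDom   = if ($dkimLine -match '\bd=([^;\s]+)') { $matches[1].ToLower() } else { $null }

    # Relaxed (DMARC-style) alignment: d= equals the From domain or is a parent of it
    $aligned = $sigDom -and $fromDom -and
               ($sigDom -eq $fromDom -or $fromDom.EndsWith(".$sigDom"))

    [pscustomobject]@{
        FromDomain    = $fromDom
        Signed        = [bool]$dkimLine
        SigningDomain = $sigDom
        Aligned       = [bool]$aligned
    }
}

# Constructed headers: app -> on-prem relay -> O365 -> external, never signed
$unsigned = @"
Received: from relay.corp.example (10.0.0.5) by mail.protection.outlook.com
Received: from app01.corp.example (10.0.0.9) by relay.corp.example
From: alerts@corp.example
To: someone@example.net
Subject: relay test
"@

# The same message as it would look if the originating side had signed it
$signed = @"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=corp.example;
 s=selector1; h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
$unsigned
"@

Test-DkimAlignment -RawHeaders $unsigned
Test-DkimAlignment -RawHeaders $signed
```

Paste the real headers (Gmail's "Show original") into the function to see which hop, if any, signed a production message.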

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010


Pop them bottles for a particularly hellish azure outage.

Potato Salad
Oct 23, 2014

AAD.

I love how this one impacted service basically kills everything user facing.

The Fool
Oct 16, 2003



Yeah, amazing how everything relies on the identity service to allow users access

Thanks Ants
May 21, 2004

#essereFerrari


I get that it's annoying, but you have to assume every time something blows up like this, they learn from it (yes I am incredibly naïve why do you ask). The total downtime was about six hours - fortunately for us it was well outside of business hours - and the advantages of having an identity platform far outweigh the downsides of it making GBS threads the bed once every few years. There's no way I could secure applications as well as App Proxy, modern authentication, risk-based conditional access etc.

If this became something that happened every few months then yeah that would cause people to start asking me questions, but until that happens all I can really do is ignore it.

unknown
Nov 16, 2002
Ain't got no stinking title yet!




Except that MS365 has a noticeable outage like once a month these days. Sure it's a slightly different package each time (teams then outlook then aad then...), but it's sold as a package, so there's a lot of pissed off execs out there who are going "so we went to the cloud and now it's less stable.."

Fortunately there's enough benefits to going to the cloud, but reliability isn't the primary one.

i am a moron
Nov 12, 2020


The important thing is if you're responsible for it at your company, there's really nothing you have to do about it except wait it out. And honestly I'd trade the downtime for the security and compliance features all day. MS needs to get their poo poo together though.

Potato Salad
Oct 23, 2014

AAD/Identity needs to be managed in fixed, highly-tested releases. Agile is not appropriate for the linchpin of M365.

i am a moron
Nov 12, 2020


It seems extremely unagile and monolithic to me. The RCA they released last time sounded like MS engineering has gotten themselves into a pickle with AAD, I dunno if it's the nature of the service or what but these huge release waves and inability to roll back quickly reminds me of every lovely monolith I've ever been near.

Potato Salad
Oct 23, 2014

poo poo, I like your viewpoint

kinda sounds like the monolith problem from the Netflix CIO interview that half the planet read a few years ago

"oops we made a microservice very large"

klosterdev
Oct 10, 2006

Na na na na na na na na Batman!

I'm still feeling optimistic because MS decided to publicly announce they're changing their AAD SLA from 99.9% to 99.99% after the last major AAD outage. And another major outage, and not just any outage but specifically an AAD major outage that took everything else down with it, is going to cause a lot of hell to be raised. They can't go back to 99.9% and not expect to lose waves of customers during a period of major growth. MS has no way out of this mess but to fix their processes.

unknown
Nov 16, 2002
Oh they won't lose any customers even if they go back to 99.9%. AAD is too entrenched now, so everyone just has to suck it up unfortunately. Getting credits for the outage is basically impossible too. If they go to just 99%, then maybe people will figure out alternatives, but that's a long way away.

lol internet.
Sep 4, 2007

Question about wsus updates via gpo.

I have the gpo set to download and install every Thursday at 3am but it doesn't look like it's doing that as I am not seeing the computers rebooting and wsus is not reporting them as compliant.

Is there any other gpo I should be configuring?

I normally do updates through SCCM, but this environment doesn't have it.

incoherent
Apr 24, 2004



lol internet. posted:

Question about wsus updates via gpo.

I have the gpo set to download and install every Thursday at 3am but it doesn't look like it's doing that as I am not seeing the computers rebooting and wsus is not reporting them as compliant.

Is there any other gpo I should be configuring?

I normally do updates through SCCM, but this environment doesn't have it.

Should be setting deadlines in WSUS to go with your GPO. Set it for an hour after or the next day at 3am.

lol internet.
Sep 4, 2007

Does anyone know wtf this HPE server power connector is and what are the chances of me getting this to work at home?

https://1drv.ms/u/s!Aj7MtiJqrae4mvpZoJfJ9NpvdB9jRw


incoherent posted:

Should be setting deadlines in WSUS to go with your GPO. Set it for an hour after or the next day at 3am.

Great thanks

Happiness Commando
Feb 1, 2002
$$ joy at gunpoint $$



lol internet. posted:

Does anyone know wtf this HPE server power connector is and what are the chances of me getting this to work at home?

https://1drv.ms/u/s!Aj7MtiJqrae4mvpZoJfJ9NpvdB9jRw

Great thanks

It says 15A 277V AC on it. A little bit of googling makes me think it's maybe a NEMA 11 series receptacle, which is for 3 phase. 277 volts is 1 phase out of 3. You probably don't have that at your house.

Happiness Commando fucked around with this message at 03:42 on Mar 23, 2021

lol internet.
Sep 4, 2007

That sucks. Guess I'll have to buy another one.

Thanks Ants
May 21, 2004



I would be surprised if the PSU isn't dual voltage and just uses a weirdly keyed connector to stop you using a normal 10A rated IEC lead and starting a fire.

What's the HP part number on the PSU?

Edit: Just saw the above, it's a US commercial standard. You'll need a new PSU if you're trying to run it at home.

Thanks Ants fucked around with this message at 16:53 on Mar 23, 2021

unknown
Nov 16, 2002

Happiness Commando posted:

It says 15A 277V AC on it. A little bit of googling makes me think it's maybe a NEMA 11 series receptacle, which is for 3 phase. 277 volts is 1 phase out of 3. You probably don't have that at your house.

Yeah, it's for a 3-phase setup at 480V (277V is one phase) - used only in very high density settings where squeaking out that extra ~5% of power efficiency is worth it over the standard 120V/240V/208V.

Only solution is to replace the power supply.

Bob Morales
Aug 18, 2006


Anyone testing Veeam 11?

devmd01
Mar 7, 2006


We dropped Veeam at the end of our support renewal and went to Clumio last year, since Veeam's cloud backup offerings aren't really there IMO. Another team member did the Clumio setup but it is pretty slick.

lol internet.
Sep 4, 2007

For those of you using an SCCM software update point:

Do you still need to point your computers to the SCCM server via GPO, and then specify an update server GPO?

It seems the Microsoft Store needs to go out to the internet to install store apps/updates. This used to not be the case but it seems it is the case now. Maybe since I've updated to 20H2.

Ideally I don't want to sync the store with sccm.

Thoughts?

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams


You don't need to do anything with gpo, when the sccm client applies policy it will set those keys for you. There is however a good setting that will let the client go directly to Microsoft for "additional content" if it's not available on the update server it's pointed to. You might need that to allow store downloads.

The Fool
Oct 16, 2003



FISHMANPET posted:

You don't need to do anything with gpo, when the sccm client applies policy it will set those keys for you. There is however a good setting that will let the client go directly to Microsoft for "additional content" if it's not available on the update server it's pointed to. You might need that to allow store downloads.

Last I checked it wasn't a might but a must. Also a requirement to do online installations of .NET.


Bob Morales
Aug 18, 2006


We have PCs that do not have a Trusted Platform Module (TPM).

This means we either have to use a USB drive or a PIN to boot BitLocker-enabled computers? Should we just stick with Symantec disk encryption at this point?
