GPF
Jul 20, 2000

Kidney Buddies
Oven Wrangler
FWIW, the hardlink setup is working great for us at [govt. entity] using SCCM.


GPF
Jul 20, 2000

Kidney Buddies
Oven Wrangler

zapateria posted:

I don't know if this is the right thread, but I'll try:

I have a bunch of Windows Servers and I want to get an email alert whenever they reboot/shutdown.

I've set up Event Forwarding to one server and subscribe to the USER32 1074 event.

First problem:

Most of the events forwarded give me stuff like this:

code:
The description for Event ID 1074 from source USER32 cannot be found.
Either the component that raises this event is not installed on your local computer or the installation is corrupted.
You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.
On some events I get some information at the bottom of the event, others give no extra information. Is there an easy fix for this that does not involve installing hundreds of components on the event subscriber computer?

2. How do I set up an email alert on that event, that sends the event text in the email. Jesus you'd think that when they made the "attach task to event" and "send e-mail" they would maybe think of having an option to include event text?

I know there are workarounds like creating batch files that queries the last specific event of that type and copies it to a file and attaches and all that, but seriously is there no easier way? I'd even use a third party program..

http://www.eventlogblog.com/blog/2008/04/event-log-message-files-the-de.html has a good explanation of where the Eventing infrastructure gets those event descriptions. The system that is receiving the events is missing registry settings that point to the dll or exe that holds the event definition. You should be able to export some registry, import it into the forwarded system, and copy the dlls or exes that you need.
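Both halves of that question in script form, as an added example that is not from the original post or thread: the first function reads the registry value GPF is describing (the EventMessageFile entry for the USER32 source under the System log) on the originating server, the second exports that key for import on the collector, and the third pulls the newest forwarded 1074 and mails its text, falling back to the raw event properties when the description DLL is missing on the collector. The SMTP host and addresses are placeholders, and the ForwardedEvents log name assumes a default Event Forwarding subscription.

```powershell
# Added example (not from the original post). Placeholders: the SMTP server
# and mail addresses below. Assumes a default Event Forwarding subscription
# writing into the ForwardedEvents log on the collector.

# Part 1 (run on the ORIGINATING server): which binary holds the message
# strings for an event source. USER32 1074 is registered under the System log.
function Get-EventSourceMessageFile {
    param(
        [string]$LogName = 'System',
        [string]$Source  = 'USER32'
    )
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName\$Source"
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    [pscustomobject]@{
        Source           = $Source
        EventMessageFile = $props.EventMessageFile   # e.g. %SystemRoot%\system32\user32.dll
        TypesSupported   = $props.TypesSupported
        RegistryKey      = $key
    }
}

# Export that key so it can be imported on the collector. The DLL/EXE it
# points at must also exist at the same path on the collector.
function Export-EventSourceKey {
    param(
        [string]$LogName = 'System',
        [string]$Source  = 'USER32',
        [Parameter(Mandatory)][string]$OutFile
    )
    $key = "HKLM\SYSTEM\CurrentControlSet\Services\EventLog\$LogName\$Source"
    & reg.exe export $key $OutFile /y | Out-Null
}

# Part 2 (run on the COLLECTOR): mail the text of the newest forwarded 1074.
function Send-ShutdownAlert {
    param(
        [string]$SmtpServer = 'smtp.example.invalid',       # placeholder
        [string]$From       = 'collector@example.invalid',  # placeholder
        [string[]]$To       = @('ops@example.invalid')      # placeholder
    )
    $evt = Get-WinEvent -FilterHashtable @{
        LogName      = 'ForwardedEvents'
        ProviderName = 'USER32'
        Id           = 1074
    } -MaxEvents 1 -ErrorAction Stop

    # FormatDescription() returns $null when the message DLL is not present
    # here, which is exactly the "description cannot be found" case. The
    # property values (process, reason, user, comment) are still in the
    # record, so fall back to them.
    $text = $evt.FormatDescription()
    if (-not $text) {
        $text = ($evt.Properties | ForEach-Object { $_.Value }) -join "`n"
    }

    $body = @(
        "Computer : $($evt.MachineName)"
        "Time     : $($evt.TimeCreated)"
        "Event    : $($evt.ProviderName) $($evt.Id)"
        ''
        $text
    ) -join "`n"

    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "Shutdown/restart on $($evt.MachineName)" -Body $body
}
```

Attach Send-ShutdownAlert to the same "on an event" scheduled-task trigger the post mentions (log ForwardedEvents, source USER32, ID 1074) and the mail carries the event text rather than just a notice that something happened.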

GPF
Jul 20, 2000

Kidney Buddies
Oven Wrangler

AreWeDrunkYet posted:

Is there a way to rename DHCP reservations without using the GUI? I see netsh commands to change the name or description on a scope, but there's nothing about individual reservations other than showing, adding, and deleting that I have been able to pull up.

edit: I would prefer to avoid having to delete and recreate the reservations if possible, and since it can be done on a live reservation in the GUI, presumably there's a command line option somewhere.
You're going to have to delete then recreate if you're doing it commandline. Here's how I do it in PowerShell:
code:
# remove the existing reservation, then add it back with the new name
$dump = netsh dhcp server $DHCPserver scope $scope delete reservedip $newrangeip $mac
$dump = netsh dhcp server $DHCPserver scope $scope add reservedip $newrangeip $mac $fullname $driver
# option 012 (host name) on the new reservation
$dump = netsh dhcp server $DHCPserver scope $scope set reservedoptionvalue $newrangeip 012 STRING $name
As long as you have the scope, IP, and MAC, plus the changes you want, it's easy. add reservedip <IP> <MAC> [ClientName] [ClientComment] [DHCP|BOOTP|BOTH]. The stuff in [] is optional, but is location dependent.

GPF
Jul 20, 2000

Kidney Buddies
Oven Wrangler

AreWeDrunkYet posted:

Yup, usually do exactly that to add reservations - I was just hoping there was a way to specifically modify those fields to avoid any disruption if something goes wrong. I guess this is just a rare case of something that can be done from the GUI, but not command line.

By the way, if you are using that script to remove then add back a reservation, it wouldn't hurt to put the reservation IP on the exclusion list before deletion, then remove it from the exclusion list once the new reservation is up.
That's not a bad idea. So far I haven't had problems with DHCP stealing the IP before I recreated the reservation, but it definitely could do that. Time to add some lines to the script!
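The delete/re-add script from the post above with the exclusion-range step just suggested folded in, as an added example that is not the poster's own script. It assumes netsh's `add excluderange` / `delete excluderange` on the same scope, and that $DhcpServer is whatever you already pass after `dhcp server` (\\name or IP). The exclusion is only lifted when the reservation is back, so a failed re-add leaves the address fenced off instead of up for grabs.

```powershell
# Added example, not the poster's script. Assumes $DhcpServer is a name or IP
# that netsh accepts after "dhcp server" (e.g. \\dhcp01); the values in the
# usage line at the bottom are placeholders.
function Rename-DhcpReservation {
    param(
        [Parameter(Mandatory)][string]$DhcpServer,
        [Parameter(Mandatory)][string]$Scope,
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)][string]$MacAddress,
        [Parameter(Mandatory)][string]$NewName,
        [string]$Comment,
        [ValidateSet('DHCP', 'BOOTP', 'BOTH')][string]$ClientType = 'BOTH'
    )

    # Run one "netsh dhcp server <srv> scope <scope> ..." command and throw if
    # netsh did not report "Command completed successfully."
    function Invoke-ScopeCmd([string[]]$CmdArgs) {
        $out = & netsh.exe dhcp server $DhcpServer scope $Scope @CmdArgs 2>&1
        if (($out -join ' ') -notmatch 'completed successfully') {
            throw "netsh $($CmdArgs -join ' ') failed: $($out -join ' ')"
        }
    }

    # 1. Exclude the single address so the scope cannot lease it out during
    #    the gap between delete and add.
    Invoke-ScopeCmd @('add', 'excluderange', $IPAddress, $IPAddress)

    $done = $false
    try {
        # 2. Delete, then re-add with the new name. ClientComment and the
        #    client type are positional, so only append them together.
        Invoke-ScopeCmd @('delete', 'reservedip', $IPAddress, $MacAddress)
        $addArgs = @('add', 'reservedip', $IPAddress, $MacAddress, $NewName)
        if ($Comment) { $addArgs += @($Comment, $ClientType) }
        Invoke-ScopeCmd $addArgs

        # 3. Option 012 (host name) on the reservation, as in the original script.
        Invoke-ScopeCmd @('set', 'reservedoptionvalue', $IPAddress, '012', 'STRING', $NewName)
        $done = $true
    }
    finally {
        if ($done) {
            # 4. Lift the exclusion only once the reservation exists again.
            Invoke-ScopeCmd @('delete', 'excluderange', $IPAddress, $IPAddress)
        }
        else {
            Write-Warning "Exclusion for $IPAddress left in place on scope $Scope; repair the reservation, then delete the exclusion."
        }
    }
}

# Usage (placeholder values):
# Rename-DhcpReservation -DhcpServer \\dhcp01 -Scope 10.0.5.0 -IPAddress 10.0.5.42 `
#     -MacAddress 00-11-22-33-44-55 -NewName 'ws-finance-07' -Comment 'renamed'
```

Side note for anyone on Server 2012 or later: the DhcpServer module's Set-DhcpServerv4Reservation takes -Name and -Description, so the rename can be done in place there; the netsh route above is for the older boxes the post is written against.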

GPF
Jul 20, 2000

Kidney Buddies
Oven Wrangler

Erwin posted:

When I clone there are two issues. One is that VMware gives each VM a new MAC address, so each VM thinks it has a new NIC. Simple enough, I just give the DC the same IP it had before and everything else gets DHCP addresses. The bigger issue is trust relationship errors at random. I assume this is due to the time lag between snapshotting production and powering up the clones? Does anyone do what I'm trying to do? Do you just rejoin each machine no matter what so everything is happy?

If you're having difficulty with random errors in AD, first thing is to make sure that everyone is on the same time reference. All the DCs pull their time from the PDC Emulator which will be (by default) the first DC brought up in a domain. It really doesn't matter if the time is right or not, just that everyone is within 5 minutes +- of that PDC Emulator.

If you're in a multi-domain forest, each PDC Emulator will get its time from the one above, and they get it from the root DC from the first domain created in the tree.

Also, VMware can overwrite the time on the VMs with its own idea of what the time is. That can screw up your relationships and replication.
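A quick way to check the "everyone within 5 minutes of the PDC Emulator" rule from the post, as an added example that is not from the original post. It assumes the ActiveDirectory RSAT module and that w32tm.exe on the machine you run it from can reach every DC; it measures each DC's clock against the local machine with w32tm /stripchart, then reports each DC's skew relative to the PDC Emulator and what each DC says its time source is.

```powershell
# Added example (not from the post). Assumes the ActiveDirectory RSAT module
# and that w32tm.exe here can query every DC.
function Get-DcTimeOffsets {
    param([double]$MaxSkewSeconds = 300)   # the 5-minute tolerance the post refers to

    $pdc = (Get-ADDomain).PDCEmulator
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    # Offset of each DC's clock relative to THIS machine, in seconds.
    $offsets = @{}
    foreach ($dc in $dcs) {
        $lines = & w32tm.exe /stripchart /computer:$dc /samples:3 /dataonly 2>&1
        $samples = foreach ($l in $lines) {
            # data lines look like "14:02:11, +00.0031229s"; error lines do not match
            if ($l -match '([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
        }
        $offsets[$dc] = if ($samples) { ($samples | Measure-Object -Average).Average } else { $null }
    }

    foreach ($dc in $dcs) {
        # What the DC itself believes it is syncing from (should chain up to the PDC Emulator,
        # or to an external source on the PDC Emulator itself, not to the hypervisor).
        $source = (& w32tm.exe /query /source /computer:$dc 2>&1) -join ' '

        $skew = if ($null -ne $offsets[$dc] -and $null -ne $offsets[$pdc]) {
            [math]::Abs($offsets[$dc] - $offsets[$pdc])
        } else { $null }

        [pscustomobject]@{
            DC              = $dc
            IsPdcEmulator   = ($dc -eq $pdc)
            TimeSource      = $source
            OffsetFromHere  = $offsets[$dc]
            SkewFromPdc     = $skew
            WithinTolerance = ($null -ne $skew -and $skew -le $MaxSkewSeconds)
        }
    }
}

# Get-DcTimeOffsets | Format-Table -AutoSize
```

A DC whose TimeSource comes back as the hypervisor's clock rather than the domain hierarchy is the VMware case the post warns about; a null SkewFromPdc means w32tm could not reach that DC at all, which is its own problem.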

GPF
Jul 20, 2000

Kidney Buddies
Oven Wrangler

Nukelear v.2 posted:

Does anyone have any endpoint management/protection software that they like for Windows desktops? We've been well served with WSUS/GPO/NOD32 but we have to check some audit boxes off.
Things like disabling usb storage devices, unauthorized software reporting, scanning hd's for sensitive data leakage, patch reports etc.

Looking at Bit9 currently but would like some ground truth on how much of a pita they and others are to actually use.

I have a friend currently going in circles with Bit9. The sales and documentation say the recommended hardware for X number of users is level X. Installation and Technical support are saying the hardware should be at level X + OMG MORE MORE FASTER FASTER EVERYTHING CORES RAM IOPS TOO SLOW MORE MORE MORE MORE!!!!!! The disconnect between the two is striking and expensive.

GPF
Jul 20, 2000

Kidney Buddies
Oven Wrangler
Here's some useful information about virtualizing Domain Controllers. It'll help you understand what the problem is not only with virtualizing DCs, but why snapshot restoration on DCs can be a bad idea. It'll also help you understand replication a bit better:
https://technet.microsoft.com/en-us/library/hh831734.aspx

Important line from the link above:

quote:

Beginning with Windows Server 2012, AD DS virtual domain controllers hosted on hypervisor platforms that expose an identifier called VM-Generation ID can detect and employ necessary safety measures to protect the AD DS environment if the virtual machine is rolled back in time by the application of a VM snapshot.

GPF fucked around with this message at 18:41 on May 27, 2016
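To see which of your DCs actually have the VM-Generation ID safeguard from that quote in play, as an added example that is not from the post or the linked article: a 2012+ DC on a hypervisor that exposes VM-Generation ID stores the value in the msDS-GenerationId attribute of its own computer object. That attribute is not replicated, so the script asks each DC about itself with -Server instead of trusting whatever DC you happen to be bound to. Assumes the ActiveDirectory RSAT module.

```powershell
# Added example, not from the post. Assumes the ActiveDirectory RSAT module.
# msDS-GenerationId is written to a DC's own computer object by a
# VM-Generation ID-aware hypervisor and is not replicated, hence -Server.
function Get-DcVmGenerationIdStatus {
    Get-ADDomainController -Filter * | ForEach-Object {
        $self = Get-ADComputer -Identity $_.ComputerObjectDN -Server $_.HostName `
                               -Properties 'msDS-GenerationId', OperatingSystem
        [pscustomobject]@{
            DC              = $_.HostName
            OperatingSystem = $self.OperatingSystem
            HasGenerationId = ($null -ne $self.'msDS-GenerationId')
        }
    }
}

# Get-DcVmGenerationIdStatus | Format-Table -AutoSize
```

Physical DCs and anything older than 2012 will show HasGenerationId as $false, which is expected; a virtual 2012+ DC showing $false is the one whose snapshot restore would not be caught.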

GPF
Jul 20, 2000

Kidney Buddies
Oven Wrangler

Maneki Neko posted:

Your DNS server is broke. Nslookup on windows always tries to add the suffix (which is weird behavior, but the way it's always been):

http://serverfault.com/questions/74067/windows-appending-domain-suffix-to-all-lookups

I looked at the link and what you typed, and I'm having trouble believing it. Going to check at work tomorrow.

GPF
Jul 20, 2000

Kidney Buddies
Oven Wrangler

GreenNight posted:

I had a 5 day Server 2016 class and the only new poo poo was basically Nano and Hyper V stuff.

Then it was a bad class.

Hit https://blogs.technet.microsoft.com/ausoemteam/2016/08/14/whats-new-in-windows-server-2016-standard-edition-part-1/ and go through the parts. Tons of stuff has been changed, improved, modified, and added from 2012 R2, and this is just on Standard Server, not Datacenter.

GPF fucked around with this message at 19:49 on Sep 2, 2016

GPF
Jul 20, 2000

Kidney Buddies
Oven Wrangler

Fudge posted:

What exactly do you mean by configurations pointing at one another?
This applies to DNS running on DCs using AD Integrated zone files. Other setups make things different.

When you're putting a Windows DC up, many times people will fire up the DNS server on that DC and use Active Directory replication to update the DNS servers in a domain or in a forest. But AD is very reliant on DNS being right. So, to ensure a DC/DNS server can always get correct information into DNS regarding its SVC and other record types, most people set the first DNS IP on a DC interface to 127.0.0.1. That means AD will attempt to do DNS activities with the closest possible DNS server: the one it's hosting. The second (or even more) DNS IPs on that interface would point to other DNS servers hosting that zone. That way, if the DC is restarting and DNS isn't yet ready to accept changes or give answers, the DC can still push DNS settings to a writable DNS server.

The primary question is this: Two DCs in one site, two DCs in another. Should the DCs in the other site point to each other or to one or both of the other site. Personally, I'd have every DC have the IP of every other DC running DNS in their DNS settings. Here's why: When a Windows box is trying to do DNS activities, it first sends the request to the first IP in the DNS list. After waiting a short time for a reply, it then sends that request to EVERY OTHER IP IN THE LIST OF DNS SERVERS, one after the other as fast as it can.

If the first IP responds, great! That's the one it'll use for that cycle. If not, and one of the others respond, great! It'll use that one for that cycle. If none respond, that's when we have bigger problems.

So, it really doesn't matter what order the IPs are in after the first one...they'll all be sent at the same time...local site or remote site. And, yes, you can have a long list of DNS servers on an interface, not just two. The main thing is that DCs with DNS servers running AD Integrated zones should always point to writable DNS zones that also are running AD integrated zones.

If you're running DNS on a DC but using primary and secondary zones...what's your problem? Hah? <smeks u upside the hed> Why you make your mamma cry?
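An audit of the DNS client settings the post lays out (first entry points at the DC itself, everything after it at the other DCs running DNS), as an added example that is not from the original post. It assumes the ActiveDirectory RSAT module, WinRM to each DC, that every DC runs DNS with AD Integrated zones as the post describes, and it reads the first IPv4 adapter that has any DNS servers configured.

```powershell
# Added example (not from the post). Assumes the ActiveDirectory RSAT module,
# WinRM to each DC, and that every DC runs DNS (the case the post describes).
function Test-DcDnsClientConfig {
    $dcs   = Get-ADDomainController -Filter *
    $dcIPs = $dcs | Select-Object -ExpandProperty IPv4Address

    foreach ($dc in $dcs) {
        # DNS server list of the first IPv4 adapter that has one configured.
        $servers = @(Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses.Count -gt 0 } |
                Select-Object -First 1 -ExpandProperty ServerAddresses
        })

        $first = $servers | Select-Object -First 1
        $rest  = @($servers | Select-Object -Skip 1)

        [pscustomobject]@{
            DC           = $dc.HostName
            DnsServers   = ($servers -join ', ')
            # first entry should be loopback or the DC's own address
            FirstIsSelf  = ($first -eq '127.0.0.1' -or $first -eq $dc.IPv4Address)
            # everything after it should be another DC (writable, AD Integrated zone)
            RestArePeers = (@($rest | Where-Object { $_ -notin $dcIPs }).Count -eq 0)
            # other DCs this one does not list at all
            MissingPeers = (@($dcIPs | Where-Object { $_ -ne $dc.IPv4Address -and $_ -notin $servers }) -join ', ')
        }
    }
}

# Test-DcDnsClientConfig | Format-Table -AutoSize
```

RestArePeers being $false means some entry after the first is not a DC at all (an ISP resolver, a decommissioned box), which is the "must point to writable AD Integrated zones" rule being broken.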

GPF
Jul 20, 2000

Kidney Buddies
Oven Wrangler

Fudge posted:

That's why I asked what specifically he was talking about. I'm not sure if you're answering the question he's asking.

I've also never had to think about adding more than 2 DNS servers to an interface, because I'd be setting them up in order in my scope options in DHCP. Even if an environment ostensibly doesn't require DHCP I still use it and utilize reservations because who the hell is just statically assigning IPs and doing manual DNS edits in 2016.

Well, here's the original question:

lol internet. posted:

Quick question about DCs & Sites and Services

Normally in one site DC1 and DC2 you set the DNS IP configuration to point at each other.

If another site is created with DC 3 and DC4, do I continue to set DNS servers to point at each other? Or should they point back to at least DC1 or DC 2?


And... this leads me to my other questions about sites and services. Is there really any reason to setup Sites and Services between two sites aside from good practice? It's a 100Mb link between the sites and there won't be too much data.

You can find lots of references that say you need more than one DC and good reasons for that. You can also find lots of references about how to set up the DNS IPs for those DCs, but I've rarely come across a good reason written in those refs. Most explanations I see essentially treat it as "This is what you do for reasons so do it". Notice his second sentence, "Normally...". This would only be true if the DCs were also DNS servers, but depending on your setup and traffic patterns and site setup and bandwidth and other things, you may not set up a DC as a DNS server. You might not even set it up as a Global Catalog server. And, the DC must point to writable DNS servers so it can update the SRV records for its information in the zone.

So, with that being said, and the facts about how a Windows system does its DNS queries, I did answer his question. If they're all running DNS, and the domain they control has a zone in DNS that is AD Integrated, then have the first IP point to itself, then all the others. Use reservations in DHCP or type them in statically...doesn't matter, and their order after the first one doesn't matter either.

Which reminds me about the second part of the question. A site is considered to be two things by MS: High bandwidth/low latency connections, and subnets in that setup. 100Mb connection between the two sets of DCs? That's high bandwidth and probably low latency. Might even be the same subnet depending on how things are hooked up. So, unless he has real solid reasons to build sites, attach subnet objects to those sites, and place those DCs into the site objects so AD understands these two locations are not local to each other, then it's not worth adding the complexity and enforced delay of AD updates.

GPF fucked around with this message at 20:32 on Sep 23, 2016


GPF
Jul 20, 2000

Kidney Buddies
Oven Wrangler

Fudge posted:

And your take on sites is weird. They're extremely simple to set up, and if you have two physically separate locations and you're not using different subnets then I guess it wouldn't even be a question because it wouldn't work. But if there are two subnets there isn't a compelling case to not use them. Are you trying to say replication would be an issue here?

Well, I can understand thinking that sites just gives you a separation, but it's more than that. Let's say you have two sites, set up correctly with subnet objects and a single DC for the shsc.forum domain in each site. You make a change to a user account on the DC in the first site, and at the fastest you can set it, the second DC won't see the changes until 15 minutes later. This doesn't apply to things like account lockout/disable or password changes, but it does apply to almost all the other stuff.

So, if I was in the same situation as the person that posted earlier, I'd leave both DCs in the same site and just use that high speed connection between the two locations for client communication back to the DCs. However, if I were using site-based technology or didn't need everything to replicate quickly, then sure, a multi-site setup would be fine even with DCs living in both sites. I just would have to account for and deal with the delays that are going to happen regarding replication of AD objects between the sites.

I work in a huge multi-site, multi-child domain infrastructure where much of it is out of my direct control, so I have to consider these delays when writing certain automation, troubleshooting, or just discussing things with the groups upline from me.
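For anyone wanting to see the replication delay the last two posts are arguing about in their own forest, as an added example that is not from either post: it lists each site link with its ReplicationFrequencyInMinutes (the interval the post refers to; 15 is the lowest the GUI accepts), which DCs sit in which site, and any subnet objects that are not mapped to a site. Assumes the ActiveDirectory RSAT module.

```powershell
# Added example (not from the post). Assumes the ActiveDirectory RSAT module.
function Get-SiteTopologySummary {
    # Site links and their inter-site interval in minutes.
    $links = Get-ADReplicationSiteLink -Filter * | ForEach-Object {
        [pscustomobject]@{
            Link    = $_.Name
            Minutes = $_.ReplicationFrequencyInMinutes
            Cost    = $_.Cost
            # SitesIncluded holds DNs; keep just the site names
            Sites   = (($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ' <-> ')
        }
    }

    # Subnets not attached to a site: clients on them are in no site, so AD
    # cannot steer them to a local DC.
    $unmapped = Get-ADReplicationSubnet -Filter * -Properties Site |
        Where-Object { -not $_.Site } |
        Select-Object -ExpandProperty Name

    # Which DCs live in which site.
    $dcsBySite = Get-ADDomainController -Filter * | Group-Object Site | ForEach-Object {
        [pscustomobject]@{ Site = $_.Name; DCs = ($_.Group.HostName -join ', ') }
    }

    [pscustomobject]@{
        SiteLinks       = $links
        UnmappedSubnets = @($unmapped)
        DCsBySite       = $dcsBySite
    }
}

# $s = Get-SiteTopologySummary; $s.SiteLinks | Format-Table -AutoSize; $s.DCsBySite | Format-Table -AutoSize
```

If everything comes back as one site with one group of DCs, you are in the "leave them in the same site" setup GPF describes and the Minutes column never applies; two sites with DCs in both is where that number is the delay on anything other than the urgent-replication cases the post lists.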
