|
NevergirlsOFFICIAL posted:on some WAPs like ruckus and meraki you can do "network isolation" so it gets dhcp from your server but after that can only send traffic through the gateway to the internet. can't talk to other nodes on the lan. I have no idea how it works or how secure it is (probably "not very") That reminds me of VLAN isolation on Cisco, though I've always wondered what would happen if you played with the clients subnet mask and tried to bounce traffic off the gateway (i.e. force it to try to treat everything as off the local vlan except the gateway and yourself). I've never really trusted VLAN isolation so I don't implement it so I haven't had a reason to try it out. Cisco's SDN stuff would be a really interesting solution for wired if they hadn't set their price point at $30k minimum buy in, $10k for a dev setup.
|
#
?
Jun 29, 2017 17:01
|
|
|
|
| # ? Apr 19, 2024 01:27 |
|
|
I have an appointment this weekend to go and evaluate a small event planner shop with 5-10 employees, all using remote desktops on an "old" server. The owner wasn't sure what version of Windows server they are running, but it could be as old as 2003. They apparently use a lot of VB macro heavy spreadsheets hence why they run load directly on the server. Essentially, the owner is looking for an on-call admin to remote in and tidy up their set-up with occasional on-site work. I was looking into MS' cloud options for this sort of thing for Office 365, VMs, file servers, entirely in the cloud just to get a sense of what the cost would be. Does anyone have a link to MS' pricing for such a setup? I looked through the Office 365 page but that looks like just Office licenses. Azure seems feasible but I'd still be installing a new environment and incurring usage fees. If cloud migration isn't in the cards the owner wants someone to install a RAID array and some redundancy, best practices, etc. It's been a while since I set up a Windows environment so I was hoping someone could point me to a good resource for me to bone up.
|
|
#
?
Jul 6, 2017 16:20
|
|
|
Yes, what you're doing is going to cost some money. Depending on what hardware they have now, maybe you can get a decent setup going without scaring your boss/client shitless. 10 people isn't a lot, however. Setting up small domains + hardware isn't really my expertise but here are some things I've run across in this general area. Might be a lot of dinosaur corporate IT ideas in here though Office365 is the platform that includes email via Exchange Online, calendar, sharepoint, Office clients, Skype for Business, Onedrive, etc. You're right that there are no ways to order VMs in there. You can purchase 10 licenses decently cheaply though, count on ~20$ a head for E3 licenses probably. These include basically everything in O365 (...maybe.... not Skype f Business and Project/Visio(??)), giant mailbox space, 1 TB per user on OneDrive + windows CALs for those users on your local AD if I'm not mistaken. It's a bit of work but to make it all work perfectly, but it's peanuts compared to hosting your own comparable mail servers etc If you're really lucky you can make them all work smoothly using only the tools Office365 provides and a few local machines (this won't happen). You could use OneDrive as a file server for each user. This used to be 'fraught with peril' but it's gotten a little better. Usually it's now seen as 'probably not the best idea' (but we've got the licenses anyway so it's free!!). But look into the services on offer, there isn't really a good hosted Excel for power users but most people can deal with the online clients. There's pretty good collaboration stuff in there, hosted Exchange works fine out of the box for smaller companies. Skype for Business is decent to good (depending on your current PBX) and Teams is pretty neat, especially by Microsoft standards. And you get sharepoint, which isn't cool at all but can be useful+Onedrive, which is basically also sharepoint but reskinned and slimmed down. You'll need to supplement this with local machines to use it all and a little local or cloud hosted back end at least. Then: the azure pricing calculator. https://azure.microsoft.com/en-us/pricing/calculator/ This is what you need for estimates of what VMs and database hosts and other infrastructure cost. You can create basically anything you can make on iron. However! You can't plug in your little 5V USB LED into one of those servers and sit in the room quietly reading by the white noise of the fans. This is overlooked too easily and imo a major disadvantage of full-cloud environments. Anyway in Azure you can make a lot of ready made pre-fab stuff as well, frankly if you need something that isn't in there in some way that would surprise me. But you're right. You're looking at a little more work now because 1) you have to figure out Azure itself 2) you need to get those users authenticated or in another directory, 3) you have to recreate what you had after. It isn't super hard to make a little VPN tunneling device, a virtual network, stick some file/script servers in there and go. But I don't think it's the best way of going about it. If you're going to replicate your old stuff exactly in a cloud environment, the only thing you move is hardware responsibilities. You're still going to patch it, fix whatever bugs, all the rest is still your problem. Also, probably going to be noticably more expensive (though the option to turn off non-critical hardware outside of working hours is really easy to use now, the portal will even ask/suggest you turn off your stuff to reduce bills). I'm not too up to date on the whole 'so macro-heavy they need a server' data processing thing, but there might be something that works perfectly for that. I know Microsoft like to mention PowerBI a lot and it's something to do with data but that's as far as my expertise goes.
|
|
#
?
Jul 6, 2017 17:06
|
|
|
Find out what they actually do and see if there's a SaaS platform they can move that poo poo to rather than trying to replicate exactly what they have now but in 
|
|
#
?
Jul 6, 2017 17:22
|
|
|
Hi friendo, I run a hybrid network mainly due to terabytes of data being generated in a day and needing to be moved quick and processed. this being said, if you are running huge amounts of data local servers are the way to go. Certain SMB programs (Im loving looking at you quickbooks on premise) suck done in a hybrid environment. running those pretty much only works with great latency. if your programs arent latency or data hefty. go cloud friend. o365 and azure maybe a tiny little crap on premise DC just to keep things tidy
|
|
#
?
Jul 6, 2017 17:26
|
|
|
All the 'cloud' Quickbooks services I've seen use RDP into a Windows server somewhere.
|
|
#
?
Jul 6, 2017 17:28
|
|
|
redeyes posted:All the 'cloud' Quickbooks services I've seen use RDP into a Windows server somewhere. pretty much. I have tried to replicate the on-premise feel in the cloud on all sorts of platforms but it just leads to 10 second lags between clicks and things that make the beancounters whine to the CFO about.
|
|
#
?
Jul 6, 2017 17:30
|
|
|
Thanks for the feedback. Does anyone have a quick checklist for Server installation best practices, ie RAID, Hyper V, etc?
|
|
#
?
Jul 6, 2017 18:15
|
|
|
SnatchRabbit posted:Thanks for the feedback. Does anyone have a quick checklist for Server installation best practices, ie RAID, Hyper V, etc? Realistically if you are using newer than 2012 (you really should be by the way) the best practices analyzer is pretty much built in, as far as role based best practices anyways. Planningwise its really all dependant on your specific architecture and application. Like example your forest functional level will determine an absolute shitton about your level of power your active directory has and so on.
|
|
#
?
Jul 6, 2017 18:19
|
|
|
SnatchRabbit posted:Thanks for the feedback. Does anyone have a quick checklist for Server installation best practices, ie RAID, Hyper V, etc? if you're talking physical server I would use: - hp proliant - memory depending on workload - cpu depending on workload - storage: again depending on workload, I usually still use platter, raid 6 - esxi, even if single server just put esxi free version on it, makes everything easier. then put windows in a vm on there. - don't forget ilo just in case!
|
|
#
?
Jul 6, 2017 18:28
|
|
|
SnatchRabbit posted:Thanks for the feedback. Does anyone have a quick checklist for Server installation best practices, ie RAID, Hyper V, etc? I love server 2016, I'd go with that, Hyper-V, you get 2VMs (running) per license, if you are going to have a second host that is a backup and something will be running on it if the other host fails you need both to be licensed for the max number of VMs that will be running (so if you have 3 on each with a DC that doesn't fail over you'd only need 5, sadly they come in 2 packs so you'd still get 6, but if you had say a database on each as well that were using the VM for high availability and didn't fail over the VM you could get away with a license for 4 on each). If you put anything other than just Hyper-V on the host OS it consumes 1 of the VM licenses, so if you put AD on it followed by 2VMs you need 3 licenses but it will happily let you run that until MS audits you! When in doubt ask a Microsoft licensing expert, your VAR should have one, ask about it when you order the hardware. Datacenter makes things very easy if you need 10 or more VMs, but in a small place that's kind of unlikely. For a small shop I stick with Hyper-V, it's very easy for someone with even basic windows knowledge to just figure out. VMware also has a free level so you can stick with them if you really want. For small I always think am I adding yet another skill this company needs when I leave that my replacement will need, can I solve this problem while not adding another skill or making that skill easy to acquire. I always do RAID10 for spinning disks, 5 or 6 for solid state. I've grown to dislike RAID5/6 on spinning drives but for 5-8 drives no one will fault you for RAID6 if you need the space. For just VB macro excel files you can probably get away with 2-4 cores on the VM and 4-8GB of RAM depending on how large the files are, you may end up needing more if they are pushing excel really hard and doing multiple things. Since they are running the excel files locally you need remote app right? Licenses are pretty affordable for Remote Desktop, and Remote App is really easy to setup, I recently did it and it took only a few days. You can get a trial of 2016 and build the VMs while you wait for the hardware on a local workstation if you want. You can upgrade the trial with a simple command and change the product key at the same time, it's actually how I made all my VMs since my server came with 2012R2 install media instead of 2016 (very early adopter, first week). Setup Remote App and not Remote Desktop, Remote App will show excel to them like it's run locally while still running on the remote server, it's fantastic. We use it for remote users accessing our ERP software and it works amazing. Remote App will save a ton of resources since you wont need explorer open and all the other junk that goes along with a full user session. Printers are brought in just like a remote session. Don't forget CALs, they probably haven't maintained them so they are only valid for that version and older. You will need new ones, but they will cover the old server, which they very likely haven't purchased more CALs for any new hires so they are likely out of compliance currently, get them square, CALs are stupid cheap. Remote Desktop wont let you gently caress up the CALs (they are tied to an AD account for 60 days, so you can't share a CAL for that) If it will run on 2012/2012R2 it will run on 2016, 2016 really makes it hard to gently caress up. So don't worry about downgrading to 2012R2 just go with 2016 it's really solid. Depending on other VMs you can probably get a cheap HP or Dell. I have some legacy stuff that pegs several cores so my servers are 8 Core x2 and 16GB of RAM, it sounds very low on RAM but we have excess RAM and the CPU is pretty worked when at peak. If you can install something like PRTG and monitor all servers you are looking to virtualize it will help you get a good estimate of what you really need. One of our physical hosts had 4GB of RAM and 4 4 core processors for a single single threaded application. All while our CPU hungry friend was on one with 8GB of RAM and 2 2 core processors. I really wonder if people actually put thought into the hardware they are purchasing. I honestly found storage to be the largest cost in an 8 drive RAID10. Don't skimp on RAM or CPU, both are very cheap, and extra is good it lets you setup more VMs in the future and grow.
|
|
#
?
Jul 6, 2017 19:02
|
|
|
Great advice, thank you all.
|
|
#
?
Jul 6, 2017 19:32
|
|
|
oh just as a note if you are using office 365 e3 or higher any of your subscribers can use it as a remoteapp (provided an RDS cal natch)
|
|
#
?
Jul 6, 2017 19:41
|
|
|
I feel like this should be lot easier and I'm missing something obvious as this VLAN ain't working; - Router is configured for VLAN10 using IP Address 10.0.0.1 - Wifi AP acting as DHCP server on 10.0.0.2 (Range 2-254, Subnet Mask 255.255.255.0, Gateway 10.0.0.1, DNS 8.8.8.8) - HP 2530 switch Port14 VLAN10 untagged (AP Port), Port48 VLAN10 tagged (Router port) Devices can connect to the AP no problem however can't access the internet, they can ping devices on that subnet but can't ping the router. Devices appear to pick up all the proper DHCP settings from IPconfig and looking at the switch the VLAN address table picks up both the router and laptop MAC, plus any mobile phones I connect to it... I'm stumped besides thinking it's something to do with routing the gateway. Network Layout  VLAN Table  Switch Config Running configuration: ; J9772A Configuration Editor; Created on release #YA.15.12.0015 ; Ver #05:08.41.ff.37.27:a3 hostname "Core Switch 01" console idle-timeout 3600 timesync sntp sntp unicast sntp 30 sntp server priority 1 192.168.16.5 time daylight-time-rule western-europe ip default-gateway 192.168.16.1 interface 44 no power-over-ethernet exit interface 46 no power-over-ethernet exit interface 48 no power-over-ethernet exit vlan 1 name "DEFAULT_VLAN" no untagged 14 untagged 1-13,15-52 ip address dhcp-bootp exit vlan 10 name "GUEST_WLAN" untagged 14 tagged 48 ip address dhcp-bootp exit spanning-tree priority 0 no tftp server no dhcp config-file-update EDIT: Of course I figure gently caress it and set both ports to tagged and traffic flows straight through... Pretty much had to wait until just before kick out time to not bring anything down, the biggest problem is reading through loads of documentation which changes between every manufacturer. Super Slash fucked around with this message at 17:17 on Jul 10, 2017 |
|
#
?
Jul 10, 2017 16:56
|
|
|
That should have worked fine, unless you were telling the wireless AP that it should be tagging a VLAN. Don't do STP priority 0 because then you limit your options. Set the priority to a few multiples of 4096 less than the default, and use BPDU guard and root guard to keep it working reliably.Your software release running on that switch is really loving old as well. Thanks Ants fucked around with this message at 23:11 on Jul 10, 2017 |
|
#
?
Jul 10, 2017 23:07
|
|
|
Yeah when I was digging around around the settings I compared the firmware and thought yeesh. STP is actually off at the moment as another switch is loving things up thinking it's the root bridge, I can't really hang around outside hours to blow up the network to do something about it but I do want to change out the other switches with more 2530's so our poo poo actually matches.
|
|
#
?
Jul 11, 2017 13:54
|
|
|
If you were crazy you could configure a similar switch and then write that config into the startup config of the switch that's in production, and schedule a reboot for 3am.
|
|
#
?
Jul 11, 2017 14:01
|
|
|
What does everyone else do with new Windows 10 machines? I want to remove all the Xbox/Cortana/etc stuff and I'm guessing there's something out there that will do it for me so that I don't have to sit here going through settings by hand.
|
|
#
?
Aug 8, 2017 10:36
|
|
|
Jack the Lad posted:What does everyone else do with new Windows 10 machines? I don't bother removing all the crud, but I use MDT and as part of the deployment task sequence set a custom Start Menu layout, with just Office, Weather, Edge and Chrome. Makes it look a lot tidier than the default Start Menu.
|
|
#
?
Aug 8, 2017 13:18
|
|
|
Jack the Lad posted:What does everyone else do with new Windows 10 machines? ADMX templates can help you if you have AD. If not, you can either bake your policies into the local policy store off a flash drive. If bubblegum and paperclips are your thing, you could run a nifty tool called VMware Optimization Tool. The VMOT isn't intended for desktop use, but in five minutes you can easily throw together a template that just turns off the Win10 features that you don't want.
|
|
#
?
Aug 8, 2017 13:41
|
|
|
I have just gone through the process of doing exactly these things. I tried prepping my Win10 machines in audit mode, before capture with MDT, and used a powershell command to get rid of the crud I didn't want. What the end result of that was a windows10 image that on deployment, clicking the start menu button did nothing, trying to open any program gave an error message saying I needed an app from the appstore to do that, etc. I think I went too far or did something wrong which broke everything, so my deployment used GigaFuzz's method instead. If you want to look into the powershell method of removing the crud, the commands you're looking for are Get-AppxPackage to get a list of all installed modern apps and Remove-AppxPackage to remove whatever you find on the list. So I had a question of my own: the school that I work at has just gone through the process of getting rid of the computer pool and almost all our devices are now laptops or iPads. Managing and updating the computer room PCs was really easy - wake on lan, apply updates or install stuff remotely, then shutdown. Or there were plenty of times during the day where the computers were already on but no one was using them so quick tasks could be completed. With laptops the expectation is that they are either turned off and away in the laptop trolley, or in use by students. When we had just one laptop trolley I didn't do much maintenance at all, just relied on windows updates being able to install occasionally. Any installations that were required I did manually, pulling each laptop out one by one. This is no longer really an option as there are now too many machines to make this feasible. What is the recommended method to manage laptops that live in trolleys? Are there MDM products out there that can do stuff for both iPads and windows laptops?
|
|
#
?
Aug 8, 2017 14:33
|
|
|
GigaFuzz posted:I don't bother removing all the crud, but I use MDT and as part of the deployment task sequence set a custom Start Menu layout, with just Office, Weather, Edge and Chrome. Makes it look a lot tidier than the default Start Menu. I've never been able to get custom start menu layout to work, what's the secret
|
|
#
?
Aug 8, 2017 14:47
|
|
|
NevergirlsOFFICIAL posted:I've never been able to get custom start menu layout to work, what's the secret Create account, set it how you'd like it to look, export XML, import XML through GPO. You can even lock some sections. It's pretty neat.
|
|
#
?
Aug 8, 2017 15:12
|
|
|
It also sounds like the sort of thing that will break every update and be a complete nightmare to keep on top of.
|
|
#
?
Aug 8, 2017 15:31
|
|
|
NevergirlsOFFICIAL posted:I've never been able to get custom start menu layout to work, what's the secret Create the start menu layout you want, then export it with code:In MDT, have a step in the Task Sequence which runs a Powershell script, like so  And the content of that script is code:
|
|
#
?
Aug 8, 2017 15:48
|
|
|
Except for the part where it only saves parts of the layout. You can't even fix it by editing the raw XML file. Specifically the order of the links in the left pane.
|
|
#
?
Aug 8, 2017 16:09
|
|
|
Thanks Ants posted:It also sounds like the sort of thing that will break every update and be a complete nightmare to keep on top of. I think this has been the way to do it since Windows 8.
|
|
#
?
Aug 8, 2017 17:17
|
|
|
Jack the Lad posted:What does everyone else do with new Windows 10 machines? Completely given up caring about it, our newer machines come with 10 Pro and I've gotten tired of fighting against GPOs that don't actually work/stuff resetting back to default/janky workarounds which just end up breaking things. I even switched Cortana back on because start menu search was all sorts of broken without it and sometimes programs wouldn't even load, for the longest time I just couldn't get company branding on the login/lock screen and was stuck with the stupid beach cave picture, so I took that off and left it to the daily random wallpaper for people to gawk at (today I had penguins in Antarctica). At the very least a fixed start menu layout is enforced, my de-gunk I've not bothered with for awhile.
|
|
#
?
Aug 8, 2017 18:36
|
|
|
My new Win10 machines get a batch file that perform the following stuff. This batch file as an app in the MDT task sequence. I've not gotten any complaints from my users at all and without Cortana W10 just reverts to classic W7 search indexer behavior. I wish there were an easy regedit to force a 1.5GB Recycle Bin but that's impossible without having the drive GUID and doing a bunch of wonky poo poo. 1. Set the following GP items a. Disable Cortana b. Disable Windows Store and Windows Store Apps c. Disable OneDrive as a default app d. Disable Windows Defender Antivirus (we install Sophos) e. Disable Windows Game Recording & Broadcasting f. Disable Windows Hello g. Disable Windows Mail h. Enforce 7am-7pm No-Restart period for Windows Updates (we may have to change this from 6am-12am) 2. Sets a static 10GB page file (guarantees sufficient swap file space if a user decides to poo poo up C: with whatever they do. They're lawyers) 3. Registry fix for larger memory heap size for Outlook (per a user encounter, seemed like a good thing to do) 4. Faster bootup by enabling all CPU Cores during startup. (normally set in MSCONFIG) 5. Disable hibernation (saves disk space equal to installed RAM, typically 8GB) 6. Enables the Remote Registry service and starts the service. (else some of our remote tools won't work) ProjektorBoy fucked around with this message at 22:35 on Aug 10, 2017 |
|
#
?
Aug 10, 2017 22:32
|
|
|
Hello is pretty cool if you have a hybrid environment and proper TPMs just as an asides. good whizz bang feature to wow execs and stuff.
|
|
#
?
Aug 10, 2017 22:36
|
|
|
Lawyers barely know how to drag themselves into Microsoft Word to hammer out documents. Plus we have a lot of other security mitigations going on. Hello isn't something we want to put on ourselves to troubleshoot.
|
|
#
?
Aug 10, 2017 22:40
|
|
|
ProjektorBoy posted:Lawyers barely know how to drag themselves into Microsoft Word to hammer out documents. They'll have a seizure at whatever it is Hello does. face recog and biometrics basically minimizing password changes and prompts. stores credentials in TPM so they arent quite as vulnerable.
|
|
#
?
Aug 10, 2017 22:43
|
|
|
just saying its nice to do prior to annual review time for extra sprinkles on it.
|
|
#
?
Aug 10, 2017 22:45
|
|
|
Super Slash posted:Completely given up caring about it, our newer machines come with 10 Pro and I've gotten tired of fighting against GPOs that don't actually work/stuff resetting back to default/janky workarounds which just end up breaking things. I even switched Cortana back on because start menu search was all sorts of broken without it and sometimes programs wouldn't even load, for the longest time I just couldn't get company branding on the login/lock screen and was stuck with the stupid beach cave picture, so I took that off and left it to the daily random wallpaper for people to gawk at (today I had penguins in Antarctica). The very last thing I attempted as my last job before leaving was attempting to standardize the layout on all the new 10 laptops I ordered. Turns out it's actually not entirely possible, due to the way Windows 10 dynamically generates the Start Menu and it isn't fully instantiated at the time that the GPO reads the XML file. I ended up throwing up my hands and formally declaring that as "not my problem now" You're very likely running into something like this.
|
|
#
?
Aug 11, 2017 01:19
|
|
|
I love audits that come in with questions at the level where they think we're some gigantic corporate entity that's susceptible to something like SOX, HIPPA, PCI. Like yeah, I'm going to fill out your 500 question tech audit with anything but a big marker and LOL scribbled over it. Our IT department and the necessary administrative staff would need to be bigger than our entire company.
|
|
#
?
Aug 11, 2017 17:19
|
|
|
Internet Explorer posted:I love audits that come in with questions at the level where they think we're some gigantic corporate entity that's susceptible to something like SOX, HIPPA, PCI. Like yeah, I'm going to fill out your 500 question tech audit with anything but a big marker and LOL scribbled over it. Our IT department and the necessary administrative staff would need to be bigger than our entire company. We are not a publicly traded company, but we are still subject to certain SOX-like regulations. It blew me away when I found out that our accounting team is the biggest department in this office, and there are multiple people who's only job is to make sure we are always in 100% compliant to these regulations.
|
|
#
?
Aug 11, 2017 17:47
|
|
|
Internet Explorer posted:I love audits that come in with questions at the level where they think we're some gigantic corporate entity that's susceptible to something like SOX, HIPPA, PCI. Like yeah, I'm going to fill out your 500 question tech audit with anything but a big marker and LOL scribbled over it. Our IT department and the necessary administrative staff would need to be bigger than our entire company. I get these and have to do them. I'm also currently working towards ISO27001 and PCI certification and GDPR compliance while supporting 450 users. It's just me 
|
|
#
?
Aug 11, 2017 17:50
|
|
|
Jack the Lad posted:I get these and have to do them. What in the gently caress? How is that even possible?
|
|
#
?
Aug 11, 2017 17:51
|
|
|
Internet Explorer posted:What in the gently caress? How is that even possible? To be fair only about 80 of the users are in an office environment with 1 machine per person, the majority are at remote sites where it's more like 1 machine per 10 people. Mostly it just really sucks. I've been asking for a second person for ages but there's apparently no money for it. We do use a bargain basement IT support company (they have 2 engineers) but they're not very good and I have to clean up after them a lot, which means users don't trust them and call me instead, and they don't know enough to help with the audits. I've just (finally!) gotten signoff from the board on getting a proper support company and contract in place from October and I'm hoping/planning that they will field all first line support so I can focus on other stuff.
|
|
#
?
Aug 11, 2017 17:56
|
|
|
|
| # ? Apr 19, 2024 01:27 |
|
|
SeaborneClink posted:You're very likely running into something like this. And because of the lack of machine imaging I did also include a PS script to be loaded at startup which removes a laundry list of "Apps", but there wasn't really all that much to be gained. The only real bug I've encountered and haven't dealt with yet is somehow switching users at the login screen and somehow trying to login as "Other User" where it just gets stuck loading forever, I haven't really found how to replicate it though.
|
|
#
?
Aug 11, 2017 18:47
|
|