I'll add a note for clarity given the title... SaltStack does not do authentication like AD does. AD does not do patching of any sort like Salt does. Salt is an alternative to common myths about AD functionality, but not to actual AD functionality. But you can use Salt to do distributed local authentication management, which does replace the need for AD, but is very different than what is being discussed here. In this case Salt is replacing GPO, not AD.

@msff-amman-Itofficer said in Beginner SaltStack Question: Can minions be placed in folders or groups ? (Coming from AD perspective):

@scottalanmiller

ohh shit, how did that get passed me...

Great, thanks again.

:)

@Mike-Davis said in Authenticate Laptops to Wifi against ActiveDirectory:

and on the Meraki side, you chose WPA2 Enterprise, correct?

Definitely WPA2 on the Meraki. I'll check my conditions though. Thanks for the tip.

@scottalanmiller said in Nethserver for FTPS/SFTP:

@alefattorini said in Nethserver for FTPS/SFTP:

It should work flawlessly, do you have any issue?

I guess a big question is, with Nethserver is.. does it "just work" or is there a setting that needs to be selected? Not sure if this is the default behaviour or not.

Mostly this. I haven't done anything with it yet and before I invest the time, I'd like to know if it possible and/or how difficult it is, especially since a co-worker claims that it did not and he went with IIS to get the same task done (and then he sat there cursing the whole day because he doesn't like Microsoft products).

@Mike-Davis said in AD CS hosed - anyone have any experience?:

@scottalanmiller said in AD CS hosed - anyone have any experience?:

So the SBS is the one and only AD in this case?

Sorry, I think we're interpreting the word cluster differently here. When I read that I though you were talking about Microsoft Cluster Server - which is a different technology than multiple domain controllers. He had three domain controllers.

In that case, how do you recover from something like this? Since the FSMO roles are on a 2003 server, do you start running through the various esentutl.exe commands?

Right, I'm talking about an AD application cluster (the set of domain controllers for one domain.) SBS has to be the root controller in order to work. And if you have a cluster (this isn't AD specific but is a general thing about clustering) you can't do restores. If you restore a cluster node like this, you corrupt the entire cluster in many cases, if you are lucky just one node. AD DCs form a database cluster under the hood, which is how they handle failovers, but that means that you have to protect them like a normal database cluster and let them resync from a rebuild, never do a restore.

https://community.spiceworks.com/topic/1988106-ad-logins-dont-work-after-baremetal-restored-windows-2008-dc

Yes, you'll likely need to seize roles on one of the 2012 R2 machines and just retire the SBS 2003 machine.

@Mike-Davis said in Domain Controller and WINS Server Powered Down and Removed without Proper Demotion:

@wirestyle22 said in Domain Controller and WINS Server Powered Down and Removed without Proper Demotion:

We don't use DHCP at all

I would go the other direction then and check for WINS queries and then visit all the NICs that are still using WINS and remove the entry. This article explains it:
https://blogs.technet.microsoft.com/craigf/2010/07/09/decommissioning-wins/

Thanks! This actually answered a few of my other questions too.

Inserted a new line of code at line 82 & 87 to read as follows:

icacls \\<server>\d$\Users\$un\* /grant $un:F /inheritance:e /T

This line grants the new employee full access to their network folder and subfolders and items.

@coliver said in Azure AD Open Source Alternative:

@StrongBad said in Azure AD Open Source Alternative:

Samba 4 does what AD does, for free. But I'm not aware of anything that does what Azure AD does using open source software that you can host yourself. Does anyone know if something exists?

I guess what are you looking for? Azure AD is basically hosted AD with some limitations as to client management.

It's a totally different technology. Azure AD is a competitor with hosted AD. It's not AD in any way. Very different technologies. One is a LAN design and one is LANless as well.

@DustinB3403 I figured, but just wanted to clear the air juuusstttt in case. :-D

@JaredBusch said in Synology DSM 6.1 Released with Active Directory Server:

@scottalanmiller said in Synology DSM 6.1 Released with Active Directory Server:

@JaredBusch said in Synology DSM 6.1 Released with Active Directory Server:

@travisdh1 said in Synology DSM 6.1 Released with Active Directory Server:

@scottalanmiller said in Synology DSM 6.1 Released with Active Directory Server:

@travisdh1 said in Synology DSM 6.1 Released with Active Directory Server:

@scottalanmiller said in Synology DSM 6.1 Released with Active Directory Server:

@travisdh1 said in Synology DSM 6.1 Released with Active Directory Server:

Hrm, fast-clone. Probably time to try out a Btrfs based file server at home.

It's good stuff.

Yeah, I know brtfs is the way to go, I just haven't tried it out yet myself. Starting out on IRIX with XFS back in the day makes me a too nostalgic.

I still use XFS for everything.

When will be the right time to switch to btrfs then? We know it's been stable for long enough that it's becoming the default in a number of distributions now, but has it really been battle tested well enough yet?

Also, should we maybe make another thread for the btrfs discussion?

The answer here is you do not switch. You install a distro letting it do its native thing by default and less you have an over arcing huge reason to override defaults. So you will get this when you install a new system that now has it as a default.

openSuse, for example, has had it as default for two years.

Really though, I prefer XFS for anything that isn't a storage machine. VMs need something mature, stable and light. XFS does that well.

But does your preference mean that you will override a default installs choice just because that is your preference?

Using anything but default should have very clear reasons because the first time somebody besides you have to troubleshoot it there will be big problems.

I would often, yes actually. XFS is not like an odd, unsupported option. It's just not the default. It's still completely core to openSuse's design. They simply had to pick which one they were going to use when someone did not choose one or the other and they opted for extra features over lean design for those that don't know which they want, which I think makes sense. Just like CentOS opts for the simplicity of using root for administration instead of sudo, but makes it super easy to enable sudo. It's not default, but it's fully supported. They just had to choose something as default.

FreeBSD does have getent.

PowerShell Empire has some good modules that will do all that ;)
Check out BloodHound.

@thwr said in DCs out of sync:

@Dashrender said in DCs out of sync:

@thwr said in DCs out of sync:

No substantial changes have been made during the last couple of weeks. Just a few new users and password changes plus maybe 2 or 3 new machine accounts. Some clients and servers now refuse to authenticate users during login due to the well known "trust could not be established between..." error.

Where you still getting those errors after you powered down the broken DC? I'm guessing not since you moved forward with the install of another DC.

Nope. Only "missing that other DC" errors now, which is fine. I've got some crappy internet connection (free WiFi in the train, next to no 3G/4G signal) here and can't check the current state. but it was fine half an our ago.

OK, reading your OP, it seemed that you were getting those errors after turning off the broken DC, but since you're not - seems like you found a good solution.

@mlnews said in How to configure Ubuntu Linux server as a Domain Controller:

http://www.techrepublic.com/article/how-to-configure-ubuntu-linux-server-as-a-domain-controller-with-samba-tool/

Samba 4 and samba-tool make getting up and running with AD on Linux pretty quick and easy.

Sounds nice, I'll need to make time to look at this.

@JaredBusch said in AD on top of something that depends on it:

No, JB would say, FFS stop conflating shit. A hypervisor is not a server or desktop OS.

LOL same difference :P

Everything is still looking good!

@coliver said in Removed ADFS, CRM plugin for Outlook wont authenticate now:

Man am I the only one that doesn't have issues with ADFS? It just works with little to no intervention on our part.

Yes. It's just awful.

Why do you have ADFS? Why not just sync?

And patch management and software updates are taken care of for you.

@aanenih said in Can't Get SpiceWorks on Azure to Authenticate to AD:

Hello Guys, I seem to have found the solution to this issue. By default, Azure has no ports open and that was why i was getting the errors. To solve this problem, i had to create an endpoint for the Virtual machine that had Spiceworks installed in it and open ports 389 and 636 TCP.
Now spiceworks syncs and authenticates with the AD on Azure and on premise.

that's why I was asking for specific VPN details. A VPN on the servers bypasses the Azure ports. A site to site VPN hits the "outside" of the servers and has ports blocked.

@travisdh1 said in Creating an Active Directory Group with PowerShell:

Gah, I'm having bad memories of OpenVMS with the different programs for every single little thing.

It does make for a nice looking and short command-line structure tho.

Oh yeah, SO much different than UNIX.

@scottalanmiller said in Using Pertino with Active Directory:

Originally posted on my Windows Administration blog in 2013 here: http://web.archive.org/web/20130929034913/http://www.scottalanmiller.com/windows/2013/04/05/using-pertino-with-active-directory/

This information is very out of date concerning Pertino itself. But the theory on how this works remains relevant.

IMO, you should put the 'old post' notice at the top of these.

@scottalanmiller said in Add Active Directory User to Group using PowerShell:

When we work strictly from Windows Server Core installations we need to be able to do everything from the command line, even user management. Let's add a user that already exists into a group that already exists in Active Directory using only PowerShell.

To do this we have the handy Add-ADGroupMember PowerShell commandlet. This is very easy to use in its basic form, all we need is the name of the group and of the user that we want to add. In this case, I want to add user jane to the group "Domain Admins".

Add-ADGroupMember "Domain Admins" jane

That's it, jane is added automatically. This process, like most, is silent on success. To verify that all is as we want it to be, we can use the Get-ADGroupMember command to look up the members of a group.

Get-ADGroupMember "Domain Admins"

Can also do
Add-ADGroupMember -identity "Domain Admins" -members "jane" -WhatIf
to see if it gets added before actually running the command.

@IRJ said in Building a First Active Directory Domain Controller on Windows 2012 R2 Core:

@thwr said in Building a First Active Directory Domain Controller on Windows 2012 R2 Core:

@coliver said in Building a First Active Directory Domain Controller on Windows 2012 R2 Core:

@thwr said in Building a First Active Directory Domain Controller on Windows 2012 R2 Core:

@IRJ said in Building a First Active Directory Domain Controller on Windows 2012 R2 Core:

Good article. There is ZERO reason to have a GUI on a Domain Controller. Everything can be done through Server Manager on Windows 10/8

You mean RSAT ;)

Both? You can do a lot of directory management through Server Manager as well.

Ok, agree. Just don't like the Server Manager this much, ugly interface. I want to be sure WHICH drive on WHICH host I'm going to format for example. But that is just my personal opinion and I'm more or less a console fetishist ;)

But when it comes to ADSIedit or AD sites, you really want to have RSAT.

huh?

Those options are generally only there is RSAT is installed.

@thwr said in Simple guide to diagnosing Account Lockouts:

Locked AD accounts due to bad passwords
https://mangolassi.it/topic/9709/monitoring-ad-users/12

Thanks. I added the link to the comment section on the article.

@Jstear said in Azure AD Authentication with NextCloud:

@travisdh1 possibly, but I would like to attach it to an existing on premise server.
https://help.nextcloud.com/t/backblaze-b2-sync/1323

Well, sure. I guess I should keep reminding people about my location. Online services like storage don't work because of the price we'd have to pay for a connection. Making the server and storage both online (preferably in the same data center) is just so much easier.