@dashrender said in question about Hyper-V resource management?:

@dave247 said in question about Hyper-V resource management?:

@dashrender said in question about Hyper-V resource management?:

@dave247 said in question about Hyper-V resource management?:

@dashrender said in question about Hyper-V resource management?:

@dave247 said in question about Hyper-V resource management?:

@dashrender said in question about Hyper-V resource management?:

@dave247 said in question about Hyper-V resource management?:

@dashrender said in question about Hyper-V resource management?:

@nerdydad said in question about Hyper-V resource management?:

Computer Management -> Action -> Connect to another computer... -> Your Hyper-V host

Exactly - what he's not telling you is that Computer Management is a completely different tool. It's the Windows tool.

If you came from ESXi or even XS, you're in for some surprises. Unlike ESXi and XS, there is no single pane of glass to see all of the things related to Hyper-V. Instead you have to manage all the components the exact same way you would a normal server. Computer Management handles a lot of them, but not all. For example, you can't look at Device Manager that way anymore - MS removed remote access a bit ago.

OOOOOOOOOOOOOOOOOH... yes. Shit. LOL

yeah - this is why I #$#%^@ hate Hyper-V

ugh.. I wish I knew this before.. Maybe I'll just use the free version of ESXi instead..

no - you shouldn't do that. If you bail on Hyper-V, you should look at KVM instead, so you aren't leaving often needed/desired feature that are free in KVM and Hyper-V and cost a ton in ESXi.

well I do want to gain some experience with Hyper-V so maybe I'll stick it out.. I just need to find a centralized guide on this or something.. The way to do things so far has been murky and illusive.. Part of the problem may be that I'm so used to VMware with ESXi and vSphere.

I have a thread.
https://mangolassi.it/topic/15767/building-a-hyper-v-2016-host-take-2

it covers all the things to get all the pieces working.
It assumes an Active Directory though.

Oh nice! I will comb thru this. And I do have AD running here. Thanks!

You will find tons of guides here on ML.

I think this has become my favorite forum. Much nicer than reddit, less BS than Spiceworks.. everyone is nice and thorough and we have SAM ruling with an iron fist

As a pretty green sysadmin, there have been times where I've needed to point things to an NTP server and I've been kind of fuzzy about the best way to go about this, despite reading various resources online... If my memory is correct, I think I've heard that best-practice is to point all your internal devices to the same internal NTP sever and then have that single internal NTP server sync with an external server. So like I would have all my equipment point to the DC and then have the DC sync with a trustworthy external time server. That being said, I'm a little unclear on the best way to do this.

I just ran w32tm /query /peers on my DC and it looks like it's pointed to pool.ntp.org. I have been checking various other servers and some things point to the DC where other things point to a list of time servers, usually, 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org and 3.pool.ntp.org. Sometimes it's a mixture of both.

I guess my question is this: Should I set up my domain controller to use a better time sever that what it's configured for, or is there a better NTP server I should be using. And then should I just point all servers and appliances in my environment to my domain controller for time synchronization?

I'm trying out Microsoft's Hyper-V 2016 server -- not the OS role, I'm talking about the actual Hypervisor without the "Desktop Experience" GUI. I got that installed and joined to our domain and then added an administrator and then I installed the Hyper-V management tools on my Windows 10 workstation and then I tried to connect to the server as that user. However I can't seem to get connected. It's constant errors.

Right now I'm stuck on "Enable delegation" as I get an error that says "Delegation of credentials to the server could not be enabled. CredSSP authentication is currently disabled.

I keep trying to google things but 90% of the stuff I find seems to be about setting up the Hyper-V role, not the straight Hypervisor. Then anything more explicit than that, such as with the CredSSP stuff, I just find about of stuff regarding PowerShell scripts.

I'm now trying to run Enable-WSManCredSSP commands according to this guide but it's not working...

I've been slowly doing this for hours now and I'm just ripping my hair out at this point. Is there a more straight-forward way to set up and manage Hyper-V without having to do a bunch of obscure steps? I just want to get to where I can install some VMs. See I've gotten used to the user friendliness of WMware where I can just connect to the hosts or vCenter via web browser and go from there.

Now I'm not crying about this because it's hard -- I enjoy learning challenges.. but right now I'm just drained and need some guidance. Otherwise I was considering installing some other free Hypervisor in hopes that it's easier to setup.

@dashrender said in question about setting up a new domain controller:

@dave247 said in question about setting up a new domain controller:

So going back to the reseller vs partner bit:

• If I go through a partner, they will help me get set up with hosted Exchange directly through MS, so I am subject only to MS?

• If I go through a re-seller, I basically get their version of that service, which means I am subject to the limitations they put on it (max mailbox size for example) and I am also subject to their pricing as well as the risk that the are responsible for paying MS to keep our Exchange active?

yep.

holy shit do I actually understand something???

So basically, what I should do, is swap as much of my manual static to DHCP reservation that I possibly can. Then I can update DNS in the DHCP scope and all should be well... sounds like a good plan.

I was a complete idiot and incorrectly typed "172.0.0.1" instead of "127.0.0.1" which would explain all my errors over the weekend.

smacks head

@tim_g said in Girl Scouts - Training Girls to Run MLMs, Change My Mind:

The real question here is: what do girl scouts do besides MLM, and is it significant enough to categorize them as not just a MLM?

I was thinking the same thing. My daughter is in GS and has been for a few years now. They seem to do a bunch of other stuff, but I'm not that involved. I mean, I go to a lot of her events, but my wife is the main one doing stuff. My daughter is a brownie too so I think depending on the bracket (or whatever) and the people running the troop, the various activities they do probably can very a lot.

Actually, my wife has gotten stuck with being the troop's cookie manager two years in a row. She has to collect all the money from the parents and submit the orders online. She hasn't said anything to me about things seeming fishy, but she does have a lot of complaints about their website, plus a lot of parents are idiots about submitting and picking up their orders.

I'm also thinking that if it is a full blown MLM at this point, it probably didn't start off that way. I'm sure various levels of greed and corruption have gradually fueled changes that swung the cookie sales portion of the GS into the MLM arena of things.

I feel like pretty much anything that starts off with good and pure intentions and is successful is inevitably pushed more and more to the point that it becomes an obscene version of it's original self.

@obsolesce said in Staying at your shitty employer is your fault:

@dave247 said in Staying at your shitty employer is your fault:

@jaredbusch said in Staying at your shitty employer is your fault:

@dave247 said in Staying at your shitty employer is your fault:

Where is everyone searching for quality IT job postings these days?

Word of mouth. I've never gotten a good job from a random posting.

I suppose the correct answer to myself is a wide net of every combination, including word of mouth, job posting sites like Indeed, Monster, etc, direct job postings on the website of the company, LinkedIn, etc.

I managed to get my first IT job using my state's job network website. I got a call-back from HR and had some awesome back and forth and landed a great gig. My friend and past co-worker got an amazing job from a head-hunter on LinkedIn. Another friend got a job from a company website post...

The last several good jobs I was either offered or have started were directly from LinkedIn, and some of them are $300K to $500K jobs.

Can I ask what kind of IT jobs those were and the general requirements? That seems a little hard to believe unless you're talking about jobs in the major US technology hubs... but I have limited knowledge and experience in this area.

I have a few servers that are now available for whatever I want, since I've virtualized them to our vSphere 6.5 environment. We currently have a single SAN unit for our vm datastore which connects to two switches and then to three virtual hosts (SAM's Inverted Pyramid of Doom thing).

Anyway, I am trying to experiment with a different design as well as set up a new test environment. I want to install Hyper-V 2016 Server on my most powerful spare server, then I want to use my other two servers as mirrored or a distributed storage cluster.

I am not 100% on what is best practice on how exactly to set this up, so I'm hoping for some input. I mean, I'm a sysadmin at my job, so I understand how to install and configure stuff.. but I've not set up a completely new environment from scratch before.

Any advice is much appreciated!

@scottalanmiller said in Can I get some direction on setting up Hyper-V server with a storage cluster?:

I'm late, but yes, @StarWind_Software is the way to go here. It's free and native to Hyper-V and does exactly what you are looking to do.

Hi Scott. Yes, thanks. I am going to work on setting up vSAN. Looks like it will be a fun learning experience for me.

Turns out I would also need proper MICR font, like this https://www.1001fonts.com/micr-encoding-font.html

@dashrender said in Looking for MICR check printing software that doesn't suck:

@dave247 said in Looking for MICR check printing software that doesn't suck:

@dashrender said in Looking for MICR check printing software that doesn't suck:

Isn't the MICR just in the toner? Does that part even matter? Maybe I'm wrong and those printers actually have two types of toner in them...

That's what I was wondering. And yes, MICR is just magnetic ink. I don't know if I could even just technically use Microsoft Word to print on them using the MICR printer....

I think you can. Only one way to find out

you know what, you're right hahaha

@dashrender said in Looking for MICR check printing software that doesn't suck:

Isn't the MICR just in the toner? Does that part even matter? Maybe I'm wrong and those printers actually have two types of toner in them...

That's what I was wondering. And yes, MICR is just magnetic ink. I don't know if I could even just technically use Microsoft Word to print on them using the MICR printer....

I work at a bank and we have been using an application called MMS Forms from Blauser Technologies for like 10 years to print temporary checks and loan coupons. It totally sucks. It looks like something out of 1995 and the annual update process is very confusing and nonsensical. It's not a big complex to-do or anything, just messy and different than a normal, modern application. Updating the check image graphic requires using something like InfraView with a plugin to edit a .pcx file. I could go on. All we use MMS Forms for is to print temporary checks which obviously requires a MICR printer and then loan coupons. I can't imagine the software has to be "special" or something crazy...

I searched around the internet but keep finding equally questionable looking applications. I'm hoping some of you here have used something in the past that maybe worked well.

Delete me - got it all figured out

@pete-s said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

@dave247 said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

@voip_n00b said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

@dave247 I use certificates to only allow company owned and managed devices to connect.

Interesting, can you elaborate more on how you achieve that?

It's common to have certificates with VPN.

A OpenVPN client for example without any MFA is usually setup so that it needs a client certificate and a username and a password as well as the connection info. The same goes for Cisco AnyConnect and others.

The VPN connection uses mutual authentication so the client authenticate that the server is who he is suppose to be and the server authenticate the client is who he says he is.

If you install the certificate on your company devices you can't connect to the VPN just by downloading and installing the client on another computer and enter the credentials. Because you don't have the certificate.

So that's how you can control what device is allowed to connect. For more security the certificates can also be stored on smart cards, hardware devices or even the TPM module inside the computer.

You should have something similar on NetExtender. Look for client certificate or client authentication.

Another thing with certificates is that you can prevent VPN access by revoking the client's certificate. And also certificates expire so you can give someone a short term access if you like.

Nice, I will check it out. I have opened a few tickets and asked around other places regarding NetExtender and nobody has said anything about this, so I don't know if its possible with the Sonicwall NSA / NetExtender setup, but I will find out.

@scottalanmiller said in New customer - greenfield setup:

@dave247 said in New customer - greenfield setup:

I was able to add many category-based exceptions which included banking and medical services, among others. So at least that concern is somewhat removed there, but still.

That's good that they try. A problem with that, though, is that categories have to be maintained and trusted. So if you use Bank of America or Wells Fargo, I'm sure you are fine. But what if you use a local savings and loan or credit union or a foreign bank or do your banking through a third party site? Sure, your bank might make their list, but it might not. They make an effort, and probably a good one, but at some point it's just people making a list of sites they feel should be in a category. They don't really know. Anyone can make a fake bank website to get around that, there's no way to have enough staff to check sites. And I'm sure tons of real financial institutions get missed because no one though of checking that name.

Yes, great points there. Oh hey, I was also going to ask you why you excluded Sophos from your deep packet inspection comment. I assume you will say they do it right, and if that's they case, how do they do it better / correctly?

@voip_n00b said in Looking for simplest/secure setup for connecting a domain joined computer to corporate network when remote:

@dave247 I use certificates to only allow company owned and managed devices to connect.

Interesting, can you elaborate more on how you achieve that?

@scottalanmiller said in New customer - greenfield setup:

@dave247 said in New customer - greenfield setup:

@scottalanmiller said in New customer - greenfield setup:

@dashrender said in New customer - greenfield setup:

Of course it's really only worthwhile where we can do SSL inspection (can this be down without installing certs on the clients to allow MiTM inspection?)

Nope, that's physically impossible. These types of devices I see as reckless because they are often poorly maintained, often made by questionable vendors (Sophos is fine, but many others are less respectable) and provide a single point of total egress of your data with nearly all assumed protections removed.

Hey Scott, can you elaborate a bit more on that - I'm talking about the recklessness of SSL inspection. I ask because my company has a Sonicwall NSA appliance and in the past I have attempted using the "DPI-SSL" feature (deep packet inspection) which required installing the Sonicwall cert on all systems and then the traffic would be intercepted and inspected. Despite me following their guide and applying the correct settings and site exceptions, I still had some issues and ended up scrapping the effort for now. I already know your opinion on Sonicwall but I just wanted to get more insight into the whole deep packet inspection effort.

So my issue with that is that it "breaks" the entire security chain. The idea behind the certificate system is that your traffic is encrypted end to end. By adding a man in the middle there is a time when the traffic is not encrypted, but both the browser and the server believe that it is.

If everything works as expected, this is fine because we trust the man in the middle, in this case. But that's asking a lot of "another system" to be completely trusted.

In reality neither of the end points truly trust the man in the middle. The "firewall" isn't a friend here, it's in the path because it already distrusts both end points. So trust is not really appropriately at play here.

On a technology side, this adds an extremely high profile target that is rarely secured close to as well as the server or the workstations are. Traditionally firewalls were an extra layer of security, rather than an extra layer of risk. A compromised firewall meant that you lost a layer of defense, not that the firewall represented a bypass to existing security measures as well. So this ends up being a lot like a VPN, everyone says it's for security, but as used it is nearly always a huge risk because risk is extended rather than the tool being used to lock it down more.

So both hard technical by adding a huge point of exposure and for bypassing existing controls; and soft technical by putting the most critical point of exposure where network admins tend to understand it the least and where politics tend to keep it from getting properly maintained.

Then comes liability. Legally you can use this in most circumstances. But only most. I would never use this without my legal team signing off on it. Because you are hijacking encrypted data mid-stream that is meant to be trusted you risk both political fallout (customers, vendors, etc. being angry or going public that data may have been hijacked - possibly without consent) and legal fallout (if this is discovered and HIPAA data was in flight, for example, it technically violated any end to end encryption laws or requirements.) Knowing decrypting network traffic midway carries a lot of risk and you really need to understand the legal or business risk to all of the traffic. It's not something you can just do and not worry about.

As a business owner, never ever would I take that risk. Huge risk, no real value to doing so. I'd have to be a seriously emotionally driven control freak to consider doing something like this.

Which brings the final problem with it... a tool like this would not be made by or deployed by those who value security. So if you have a vendor making these tools, or you have management demanding these tools, you have people who are prioritizing control or the emotional perception of control above business interests and security. Sure, a vendor like SonicWall is just catering to their client base. To them it is a good business decision, but that decision is to allow their customers to undermine their own security. So from a security perspective, this goes against all common sense and otherwise stated practices.

As an aside, IF something like this was ever warranted, it should never be put on the firewall but run in a VM like any other production workload. That people put it on the firewall instead shows how little security thinking is involved when these products are discussed. There are better ways to do this if someone actually intended to do it in a good way.

Nice! I'm glad to hear you point all those things out because I've also thought similarly about deep packet inspection / MITM functionality on the firewall. It's basically breaking that secure chain of trust, like you said, and when I first learned about it, I just though it seemed a little risky or wrong or something.

And as I added more and more exceptions, I began to think, what is the point of this if I'm going to add a bunch of exceptions? Then I would just be leaving all the untrusted sites but that sort of thing should be more filtered out using web content filtering, not DPI.

Also, I'm not defending it, but when I was attempting to enable DPI-SSL on our Sonicwall, I was able to add many category-based exceptions which included banking and medical services, among others. So at least that concern is somewhat removed there, but still.

I was just thinking, there's not really currently a way I can lock down access to specific computers that can access the VPN. I can give assess to only select employees but what's to stop an employee from downloading NetExtender on a non-company managed device and accessing the network that way?