Posts made by ElecEng

@gjacobse Which is best disable or remove?

What's a good example naming scheme for admins?

What are some standard GPO's to put in place for god management and system hardening?

Don't have any printers on this network BTW

@scottalanmiller I guess I will just have to wait until more options roll out I guess. The standard was pushed back a long time so i figured they would have a ton of hardware ready for release but guess not.

@gjacobse we did similar at a previous job. But we used ADM.

@obsolesce Servers primarily but user desktops and laptops will be the same.

Getting error The remote session was disconnected because there are no Remote Desktop License Servers to give a license.

This is on server 2016 and just doing RDP connection for setting up server roles not using terminal services or making a terminal server just connecting with RDP like you do desktop to desktop on the Lan, etc.

There are no CAL licenses applied yet.

On the various server VM's the customer wants a local admin account in addition to the domain admin account.

For security though should we disable the administrator account and create a different named local account with admin privileges instead?

Are we gaining a lot of security by doing this?

Thinking of using LAPS for these also.

What are your thoughts on Using LAPS to manage local admin account passwords on a domain?

@scottalanmiller SAM thanks for the video that does clarify it and makes it easy to understand.

The reason for using WSUS as it will have constant internet access to be able to download updates and patches. During maintenance we will set it to deploy what we need and nothing else as these systems will run production equipment on the manufacturing plant floor and we only get a small window to update things monthly so we can't spend it choosing the update we need and downloading and deploying them on 1 of 35 VM's

we get about 4 hrs per month to take things down and do any kind of work.

@scottalanmiller SAM there are 2 DC's now (VM's) and i have to add DNS and DHCP as separate VM's or put them together.

It's a very small network but needs high availability.

Should DNS and DHCP have a primary and secondary VM?

@scottalanmiller The business owner already has NAS replication which contains all pc and data backups going to a synology at his home.

The plan is to do a monthly backup to tape x 2 and store 1 at locally just for a backup on different media and the second to his home in San Diego which he goes to several times a month for 2-3 day stints.

There are 2 people in the office other than the owner that are IT savvy enough to exchange tapes, etc.

My thoughts were something like the link below as they already have a shelf for this but don't have a rack. Everything is on a multi-level shelf so going with a tape loader would mean purchasing a rack and finding a place to put it.

https://magstor.com/collections/thunderbolt-3

does ESXi not do automatic snapshots like workstation can?

@notverypunny what about DNS and DHCP? Those roles are normally on DC though right?

@pete-s right the drag and drop functionality keeps you from having to import / export just cant find info on how to use it.

Should WSUS be a separate server / VM or added as a role on one of the 2 domain controllers?

What's best practice, experience?

@dashrender it is a manufacturing network so you would want internet access disabled 95% of the time and only enabled when you need to do application updates, windows updates, etc.

I need a way to easily enable/disable internet access to some or all VM's on a stand-alone ESXi server hosting its own vcenter.

Right now it's done with pf sense and changing some firewall rules but I need a way for someone to do it without bothering with the firewall rules.

Any ideas?

@dashrender monthly

@travisdh1 yes plus a lot lower cost to get started with.