IT Team gets together and creates the hold from hell.
https://www.theregister.co.uk/2016/04/29/it_helpdesk_creates_oh_hold_hell/
Microsoft MVP 2009 to Present.
Technical Architect specializing in High Availability Compute, Storage, and Network.
https://www.reddit.com/r/VOIP/comments/dypp36/20191119_critical_freepbx_security_vulnerability/
"There has been a critical security vulnerability discovered in FreePBX which allows remote code execution without authentication."
v14/v15 should automatically update themselves. Earlier versions will not.
@wirestyle22 said in Random Thread - Anything Goes:
thanks
This is what's keeping me busy lately. Building a Chicken Coop, though we're calling it the Palace, for our girls.
We have Leghorns (apparently pronounced LegUrns), Rhode Island Red, and Plymouth Rock (black) to start.
Construction is 2x4 insulated 8' x 8' with the run being 20' x 8'. All those years in construction back in the day always seem to pay off in some way.
Apparently, I've been elected to be the one to get them from the coop to the table when the time comes.
@dashrender said in Random Thread - Anything Goes:
@nadnerb said in Random Thread - Anything Goes:
So sad but true!
Why do so many companies have to hear it from an outsider before they believe it?
Prophet is never known as such in their own home land.
The announcement page: Starwood Guest Reservation Database Security Incident Marriott International
My thoughts on the matter though rather curtailed from what I really want to say due to polite company: Some Thoughts on the Starwood/Marriott Reservations Database Breach
@dustinb3403 It's been a while, but there's a set of files the Mac writes to all folders it touches. .DS_Store or something like that.
We've seen busy graphics houses have their file servers brought to their knees by this "feature".
These guys: https://dea.nbird.com.au/2014/11/19/windows-server-prevent-mac-files-on-shares-ds_store-_-trashes/
@Danp Whoever made the T-Shirt was probably too intimidated to mention the grammatical error or maybe let it go because the guy was a d*ck.
@WrCombs said in DHCP Question...:
This is for a friend of mine who asked me; and wanted to be able to send him a link to read up on DHCP best practices and ideas on his situation.
He came to me and said "if you set up a DHCP why do you set up .2-.254 with a gateway of .1
don't you want to keep some open for static IPs... for example: printers?"
What can I say to him other than
.1 is reserved for gateway?
.1 is the gateway so it can't be used in the scenario.
He is explaining to me that this company Cybera is setting up a firewall for him at his location and is curious why they would leave it that wide and open without any reserved static IPs.
I'm sending him the link to this thread to have him read through the answers I get.
Our rule of thumb, and it's a "we've been doing it this way since ... so we keep doing it this way" situation, is to set up the full subnet in DHCP and then set exclusions for what we want to set aside for servers, printers, and the like. We generally set printers via reservation.
Here's a simple scope setup in PowerShell:
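# Authorize this DHCP server in Active Directory
Add-DhcpServerInDC
# Create the scope across the full /24
Add-DhcpServerv4Scope -Name "OUR Local Scope" -StartRange 10.100.10.1 -EndRange 10.100.10.254 -SubnetMask 255.255.255.0
# Exclude .1-.49 and .200-.254 from leasing (set aside for the gateway, servers, and the like)
Add-DhcpServerv4ExclusionRange -ScopeID 10.100.10.0 -StartRange 10.100.10.1 -EndRange 10.100.10.49
Add-DhcpServerv4ExclusionRange -ScopeID 10.100.10.0 -StartRange 10.100.10.200 -EndRange 10.100.10.254
# Set server-level options: DNS server, DNS domain, and default gateway
Set-DhcpServerv4OptionValue -ComputerName DC.Domain.com -DnsServer 10.100.10.254 -DnsDomain Domain.com -Router 10.100.10.1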
@mlnews said in Why aren’t chip credit cards stopping “card present” fraud in the US?:
Fraud is on the rise despite a move to chip cards.
A security analysis firm called Gemini Advisory recently posted a report saying that credit card fraud is actually on the rise in the US. That's surprising, because the US is three years out from a big chip-based card rollout. Chip-based cards were supposed to limit card fraud in the US, which was out of control compared to similar fraud in countries that already used EMV (the name of the chip card standard)....
I remember reading comments from the American payment industry folks that basically said Americans were too stupid to do Chip & PIN. We've had it here for a very long time with TAP being a relatively recent addition. TAP is limited to $50 or $100 depending on merchant and product. It makes transactions fast versus any other method.
Swipe needs to be banned. Period.
Next up: RFID protection wallets. A must-have for frequent travelers.
@DustinB3403 said in Random Thread - Anything Goes:
@scottalanmiller said in Random Thread - Anything Goes:
A is positively the correct answer.
Kids in our family know what Eye-Dee-Ten-Tee (ID10T) and PEBKAC (Peb-Cack) mean.
@nadnerB said in Random Thread - Anything Goes:
Looks more like a built-in shower to me. After playing in the mud that would be da'bomb so no trouble walking in the door after a mudfest.
@scottalanmiller said in So You Lost Your ERP MSP?:
@marcinozga said in So You Lost Your ERP MSP?:
Most software has a Help -> About menu option and it should list the software vendor.
If you can log in
But we know the ERP is Oracle NetSuite. But like everyone, they went through a reseller and lost the more important contacts.
Start looking at date stamps and polling peeps' memories for an approximate install date.
Then, get them to run a report on IT expenses in a 24-36 month period and look for the wart. It's going to be a big one.
@scottalanmiller said in So You Lost Your ERP MSP?:
@PhlipElder said in So You Lost Your ERP MSP?:
@scottalanmiller said in So You Lost Your ERP MSP?:
Not sure if this is funny, or a rant, or what. So we are the MSP for a firm and we do everything except their ERP support. I actually like this as ERP sucks and they use some ERP we don't know so cool, that's a perfect situation. It's web based so other than making sure Chrome is installed, up to date, and clean, we don't have to worry about the ERP.
Except one little problem. Upon implementation of the new ERP, the total disregard for the selection and implementation process is apparent and now it turns out, there is no one in the company who knows who the ERP vendor is or how to reach them. Or the MSP that supports them. So, we get ticket after ticket asking for help with the ERP and we are like "um, we don't know anything at all, call the support desk for the ERP" and they are like "sure, but... who is that?" And, of course, we were never told who it was. It's a browser based app, we don't need to interact with that support firm so we weren't introduced or given contacts.
So now the key application upon which the entire company operates is an unsupported black hole of disaster waiting to happen. This is the problem with going with little, unknown companies and keeping everything at arm's length.
There's no one specific failing. Just a general disregard for running the business, I guess. A bit of an "I can't even" here.
We have a few of those.
We go in and dig up any and all relevant info on the app/LoB so that we can at least be ready for disaster recovery. We set the expectations right from get-go.
If we end up supporting the apps, which we have in many cases, so be it. We bill for it as there's nothing wrong with picking up a few extra hours here and there. Part of setting the expectations is to define that we are not the front-line support for the App/LoB but are happy to help where we can.
It's complicated for us as we are flat rate and the ERP is the majority of the work. We'd love to pick it up, but it's not like we just have hours to bill, that would be handy. If that was the case we'd be voluntarily taking anything that we can. We don't even have logins, though.
Back Billing is a part of the contract. Any third party App/LoB that falls into our laps that is out of the scope of our support contract is billable.
The one really crappy app we support we don't have a logon for. Well, we do now since the owner has shared theirs along with their unlock admin code and so long as they are not logged in we can troubleshoot the app. Believe me, it's super duper crappy.
@Fredtx said in Multiple Tombstoned DC's:
@notverypunny said in Multiple Tombstoned DC's:
@Fredtx does the isolated site still exist in Sites and Services? What's the plan for that location if the ideal end goal is to have the vpn tunnel down and no site to site connection? (apologies if this was already covered)
Yes, the site still exists. I'm just confused as to why the KCC is adding the connection to the link when there is no network connectivity to that site. From my understanding, the whole purpose of the KCC is to create connections with the best paths, which this one would NOT be the best path since there's no network connectivity.
Is the defunct site's subnet set up in Sites? That's what is going to need to be changed or removed.
@Fredtx said in Multiple Tombstoned DC's:
Sorry, I didn't mean links. I meant inbound partners. AKA "connections" when viewing in AD Sites and Services.
Yes. That's what I understood to be said there.
If there are replication links there that were automatically generated then at one time the good site's DCs were replicating with the offline site's DCs.
@Fredtx said in Multiple Tombstoned DC's:
@PhlipElder said in Multiple Tombstoned DC's:
Just how much change is there between then and now?
I don't know. It's been 8 months so I imagine there has been quite a bit of changes.
Also, just to confirm. The KCC ONLY creates site links for sites that have network connectivity, correct? My coworker seems to think that the Highlands server was never connected to those 6 sites, but from what I recall, they need to be connected or KCC would not have created those links. Again my theory is someone removed those vpn tunnels, or the Highlands DC was configured at our Fort Worth Hub site, and later shipped to Highlands.
If there are replication links (auto) then there was comms between the two sites' DCs.
@Fredtx said in Multiple Tombstoned DC's:
@PhlipElder said in Multiple Tombstoned DC's:
What was happening for ADDS/DNS there anyway that there'd be that many tombstoned DCs? How did authentication happen?
My theory is the vpn tunnels were removed, and nobody checked if there was any kind of dependencies for those tunnels.
Below is the current setup.
The replication disconnection/issue happened at Highlands with 6 of its inbound partners. The ones with the strikethrough
FortWorth -Replicates from Highlands
Highlands -Replicates from Toronto, Edmonton, Fort Worth, Nashua, York, Fresno, New Freedom, Oakland, Atlanta, Pewaukee
Toronto -Replicates from Fort Worth, Highlands, Nashua
Fresno -Replicates from Fort Worth, Highlands, Nashua, Toronto
Pewaukee -Replicates from Highlands
Nashua -Replicates from Edmonton, Oakland, Pewaukee, York, New Freedom, Atlanta, Toronto, Fort Worth, Highlands, Fresno
Oakland -Nashua, Highlands, Fort Worth
Atlanta -Replicates from Highlands, Fort Worth, Toronto
York -Replicates from Highlands, Fort Worth
NewFreedom -Replicates from Nashua, Highlands, Fort Worth
Edmonton -Replicates from Highlands, Toronto
Okay, with that amount of time ...
https://pmeijden.wordpress.com/2011/01/12/domain-replication-has-exceeded-the-tombstone-lifetime/
[QUOTE]
Another way to achieve this goal is to extend the Tombstone lifetime with ADSI Edit. You can find the option in CN=Configuration,DC=ForestRootDomainName,CN=Services and CN=Windows NT. Right click CN=Directory Service, and then click Properties. In the Attribute column, click tombstoneLifetime and change the value. Check the event log for the last successful replication date, this is very important in deciding the correct number of days. Beware that it is possible that objects that were removed are showing up in Active Directory again! You have to be sure that there aren’t that many changes in AD otherwise you can end up with a big mess.
[/QUOTE]
Emphasis mine.
Just how much change is there between then and now?
If there's a fair amount, then DCPromo -Force to remove ADDS/DNS from them and then DCPromo them back in after cleaning up the metadata, DNS, Sites, Trusts of any lingering bits and pieces.
Again, make sure there's a known good backup before starting.
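The check the quoted article calls "very important", comparing each partner's last successful replication against the tombstone lifetime, sketched as an added example that is not part of the original posts. The function name, server names and dates are constructed for illustration; the live queries in the comments assume the ActiveDirectory module on a healthy DC.

```powershell
# Added example: flag replication links whose last success is older than
# the tombstone lifetime. Get-StaleReplicationLink is a hypothetical helper.
function Get-StaleReplicationLink {
    param(
        [Parameter(Mandatory)] [object[]] $Metadata,  # rows: Server, Partner, LastReplicationSuccess
        [Nullable[int]] $TombstoneLifetimeDays,       # tombstoneLifetime value, $null if unset
        [datetime] $Now = (Get-Date)
    )
    # An unset tombstoneLifetime attribute means the built-in default of
    # 60 days applies; newer forests usually have 180 written explicitly.
    $tsl = if ($null -eq $TombstoneLifetimeDays) { 60 } else { $TombstoneLifetimeDays }

    foreach ($row in $Metadata) {
        $age = [int][math]::Floor(($Now - $row.LastReplicationSuccess).TotalDays)
        [pscustomobject]@{
            Server        = $row.Server
            Partner       = $row.Partner
            DaysSinceSync = $age
            TombstoneDays = $tsl
            PastTombstone = $age -gt $tsl
        }
    }
}

# Live inputs (read-only queries):
#   $cfg  = (Get-ADRootDSE).configurationNamingContext
#   $tsl  = (Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
#              -Properties tombstoneLifetime).tombstoneLifetime
#   $meta = Get-ADReplicationPartnerMetadata -Target * -Partition *

# Constructed sample: one healthy link, one partner silent for about 8 months.
$now  = [datetime]'2020-01-15'
$tsl  = 180
$meta = @(
    [pscustomobject]@{ Server = 'DC-HUB'; Partner = 'DC-SITE-A'; LastReplicationSuccess = [datetime]'2020-01-14' }
    [pscustomobject]@{ Server = 'DC-HUB'; Partner = 'DC-SITE-B'; LastReplicationSuccess = [datetime]'2019-05-10' }
)

Get-StaleReplicationLink -Metadata $meta -TombstoneLifetimeDays $tsl -Now $now |
    Sort-Object DaysSinceSync -Descending |
    Format-Table -AutoSize
```

The largest DaysSinceSync among the links you intend to revive is the number to weigh against any tombstoneLifetime change.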
@Fredtx said in Multiple Tombstoned DC's:
@PhlipElder said in Multiple Tombstoned DC's:
Is there a list of known devices that authenticate against those now defunct DCs? Are they still authenticating?
Most likely workstations are still authenticating. I don't have a list
Oiy. That's a mess.
@Fredtx said in Multiple Tombstoned DC's:
@PhlipElder said in Multiple Tombstoned DC's:
We've done this a few times where the work to remove the errant DCs was way more than flipping the bit, waiting and watching to make sure they don't screw anything up, and then flip the bit back.
Yeah, I'm trying to be efficient as well, but also not screw anything up. lol. Especially since the DC that has the FSMO roles also functions as Radius server for vpn and wireless authentication throughout different sites. I've only been here a month, so trying to get stuff working as it should.
Is there a list of known devices that authenticate against those now defunct DCs? Are they still authenticating?
One concern would be domain machines' passwords not being in sync with the PDCe.
What was happening for ADDS/DNS there anyway that there'd be that many tombstoned DCs? How did authentication happen?