@jaredbusch We always set up the full subnet in DHCP then configure exclusions for the parts of the subnet that would be divvied up to printers, servers, and other services/systems we assign addresses to.

@donahue said in Handling DNS in a Single Active Directory Domain Controller Environment:

This is a tangent, but can you tell a DHCP reservation to use a particular IP in the scope? Like if it comes in with something random, you can make a reservation for that mac and then change the IP to something else and restart the device?

The reservation can be set by right clicking on the DHCP Lease and Add to Reservations to reserve the specific IP a device would pick-up when it first connects.

Or, I can set up the reservation using that device's MAC address ahead of time so that when the device gets connected it picks up the IP address I need it to have.

Does that answer the question?

@jmoore said in Handling DNS in a Single Active Directory Domain Controller Environment:

@scottalanmiller My printers all have static IP's as well. I manage that and keep track of all printers/IP's. We have around 200 users

We use DHCP Reservations for all printers being managed. If a printer gets moved from one site to another we don't have to muck about with it prior to the move or afterwards. All printers get deployed using a dedicated GPO linked to the Site/OU the printer will reside in.

@scottalanmiller said in Handling DNS in a Single Active Directory Domain Controller Environment:

@kelly said in Handling DNS in a Single Active Directory Domain Controller Environment:

Given the premise of handling DNS failover scenarios it seems like having two DCs would be better, but I'm open to being convinced.

So there are a few scenarios here. But here are some general approaches to this that I've seen (thanks to @JaredBusch for the big one...)

1. In really small AD environments, there might be zero internal DNS needs and Windows DNS is for AD only. In which case, point to the router's DNS or a public DNS and you are done, easy peasy. Free, simple, universal.
2. In environments with internal DNS dependencies, much of the time the impact of losing that is trivial and you just have workers run in a reduced functionality mode until AD DC is fixed. Impact can be so small as to not measure. An option if you are very small and don't need external web access (super rare.)
3. Jared's solution... point your router to your internal DNS first, then to public DNS. This handles failover and deals with any concerns of Windows DNS stack being flaky. When AD is up, internal DNS works, when it goes down, you transparently fail to public DNS.
4. Use zone transfer to another DNS server. This could just be to your router. Have your router or some other "free or already included" system keep a copy of Windows' DNS and use this as your secondary. Full DNS redundancy (without active updates) while the AD DC is down. You could build a DNS server just for this, but nearly all networks have one already available. But a Raspberry Pi will do this easily if you really have no other hardware.

1: Nope. It's not a good idea to ever point DNS to an Internet based DNS server whether on the edge, DHCP, or DNS1 of a NIC (DNS0 being the local DC). Any kind of glitch will kick the clients over to a public DNS server that will respond to all internal queries with a, "Huh?" Then, Time To Live (TTL) means folks sit their doing nothing until someone either reboots, restarts DNS Client, or the TTL goes by.

2: If it's really that important there are two ways to deal with it: A: A good backup that's known good (fully restore tested). Or, B: an A series VM with site-to-site VPN in Azure with a fully prompted DC on the VM.

3: Nope. We've dealt with too many DNS questions/problems due to this to permit this on any network we manage.

4: See #2

@jaredbusch said in Hot Topics for MangoCon 2019:

@Dominica @pchiodo
Obviously, I can doing something on VoIP decision making or something. Similar but different from what I just did at SpiceWorld. Maybe focused on deciding on internal hosted vs external hosted as well as some other point in more detail.

I also have something half wrote on "Are you (IT) helping or hurting your company?"

This was the best presentation at Ignite 2018 bar none:

Ned Pyle: Accelerating your IT Career BRK1094
Youtube Video

Ned is an awesome guy, to the point, and blunt. Very blunt.

@jaredbusch said in Hot Topics for MangoCon 2019:

@scottalanmiller said in Hot Topics for MangoCon 2019:

@kelly said in Hot Topics for MangoCon 2019:

Reseller/VAR vs ITSP/MSP. What makes them different, and what value do each deliver.

I like this and it would be nice if we had a panel for it.

Certainly you and I would work that panel. Who else?

Can do. Our business, my wife and I co-own, is both VAR and a blended MSP.

@scottalanmiller said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

@phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

@scottalanmiller said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

@phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

@jaredbusch said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

@scottalanmiller my problem with Certs on Windows, in general, is that you almost always have to copy it around to multiple servers to make everything work well, and that jsut defeats the purpose of LE.

Based on what is on the site, Microsoft has an intrinsic trust with LE's root store. I should be able to set up a RD Session Host with a LE certificate for publishing and there should be no untrusted publisher for RemoteApps or Session Host desktops once the certificate's thumbprint is published via Group Policy?

One would hope that they would. LE is like the standard in SSL Certs. It's from the EFF, way more trustworthy than other cert authorities, IMHO.

Snag: Valid for 90 days. In larger RDS farm settings this would be a bear to manage. That means the need for an automated process.

It is expected to be automated. SSL Cert updates should not be intrusive. All of the tools for LE SSL Certs are designed around the idea that you will automate them and never need to worry about them again. It's about being less of a snag, not more of one.

Got it thanks. Looks like a bit of a learning curve then.

@scottalanmiller said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

@phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

@jaredbusch said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

@scottalanmiller my problem with Certs on Windows, in general, is that you almost always have to copy it around to multiple servers to make everything work well, and that jsut defeats the purpose of LE.

Based on what is on the site, Microsoft has an intrinsic trust with LE's root store. I should be able to set up a RD Session Host with a LE certificate for publishing and there should be no untrusted publisher for RemoteApps or Session Host desktops once the certificate's thumbprint is published via Group Policy?

One would hope that they would. LE is like the standard in SSL Certs. It's from the EFF, way more trustworthy than other cert authorities, IMHO.

Snag: Valid for 90 days. In larger RDS farm settings this would be a bear to manage. That means the need for an automated process.

@jaredbusch said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

@phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

@scottalanmiller said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

@phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

@scottalanmiller Is this for self-issued certificates?

No, this is for LetsEncrypt certs.

I must admit, this is the first time I've heard of them.

Seriously? You need to get out more.

Heh … that's one of the reasons I'm on this forum.

@jaredbusch said in H-1B furor: Canada smooths the way for techies:

@phlipelder said in H-1B furor: Canada smooths the way for techies:

@mlnews said in H-1B furor: Canada smooths the way for techies:

Mercury News- H-1B furor: Canada smooths the way for techies

Two weeks: That’s how quickly a foreign technology worker in Silicon Valley can get an employment permit from Canada. In the U.S., that process takes months.

As the administration of President Donald Trump has increased scrutiny of H-1B visas for skilled foreign workers and plans to ban their spouses from holding jobs in the U.S., Canada has been moving aggressively to suck top foreign talent out of Silicon Valley and other technology-rich regions of the U.S.

The Canadian government won’t say if it’s leveraging the tumultuous and uncertain immigration climate in the U.S. But experts say Canada’s year-old “Global Skills Strategy” program, which offers work permits similar to America’s H-1B visa, is ideally structured to attract highly skilled foreign tech workers to Toronto, Montreal or Vancouver. Though immigrants make up just 20 percent of Canada’s population, they hold about half of the science, technology, engineering and math degrees at the bachelor’s level and above, government figures show.

Before the program launched, Canada’s employment permit process for skilled workers took months.

“It captures all of the Silicon Valley people, and it captures them quickly,” said Asha Kaushal, a professor at the University of British Columbia law school who studies immigration law.....

Heh, wait until they get their first tax bill.

Umm, been to Chicago lately? And we don't get shit from it.

Heh … we don't have much to show for it either.