Best posts made by PhlipElder

@Fredtx said in Multiple Tombstoned DC's:

@PhlipElder said in Multiple Tombstoned DC's:

What was happening for ADDS/DNS there anyway that there'd be that many tombstoned DCs? How did authentication happen?

My theory is the vpn tunnels were removed, and nobody checked if there was any kind of dependencies for those tunnels.

Below is the current setup.

The replication disconnection/issue happened at Highlands with 6 of it's inbound partners. The one's with the strikethrough

FortWorth -Replicates from Highlands
Highlands -Replicates from Toronto , Edmonton, Fort Worth, Nashua, York, Fresno, New Freedom, Oakland, Atlanta, Pewaukee
Toronto -Replicates from Fort Worth, Highlands, Nashua
Fresno -Replicates from Fort Worth, Highlands, Nashua, Toronto
Pewaukee -Replicates from Higlands
Nashua -Replicates from Edmonton, Oakland, Pewaukee, York, New Freedom, Atlanta, Toronto, Fort Worth, Highlands, Fresno
Oakland -Nashua, Highlands, Fort Worth
Atlanta -Replicates from Highlands, Fort Worth, Toronto
York -Replicates from Highlands, Fort Worth
NewFreedom -Replicates from Nashua, Highlands, Fort Worth
Edmonton -Replicates from Highlands, Toronto

Okay, with that amount of time ...
https://pmeijden.wordpress.com/2011/01/12/domain-replication-has-exceeded-the-tombstone-lifetime/

[QUOTE]
Another way to achieve this goal is to extend the Tombstone lifetime with ADSI Edit. You can find the option in CN=Configuration,DC=ForestRootDomainName,CN=Services and CN=Windows NT. Right click CN=Directory Service, and then click Properties. In the Attribute column, click tombstoneLifetime and change the value. Check the event log for the last successful replication date, this is very important in deciding the correct number of days. Beware that it is possible that objects that were removed are showing up in Active Directory again! You have to be sure that there aren’t that many changes in AD otherwise you can end up with a big mess.
[/QUOTE]
Emphasis mine.

Just how much change is there between then and now?

If there's a fair amount, then DCPromo -Force to remove ADDS/DNS from them and then DCPromo them back in after cleaning up the metadata, DNS, Sites, Trusts of any lingering bits and pieces.

Again, make sure there's a known good backup before starting.

@Fredtx said in Multiple Tombstoned DC's:

@notverypunny said in Multiple Tombstoned DC's:

@Fredtx does the isolated site still exist in Sites and Services? What's the plan for that location if the ideal end goal is to have the vpn tunnel down and no site to site connection? (apologies if this was already covered)

Yes, the site still exist. I'm just confused as to why the KCC is adding the connection to the link when there is no network connectivity to that site. From my understanding, the whole purpose of the KCC is to create connections with the best paths, which this one would NOT be the best path since there's no network connectivity.

Is the defunct site's subnet set up in Sites? That's what is going to need to be changed or removed.

@scottalanmiller said in MS SQL Server Error: No Process is on the other end of the pipe:

Full error...

A connection was successfully established with the server, but then an error occurred during the login process. (provider: Shared Memory Provider, error: 0 - No process is on the other end of the pipe.)

(Microsoft SQL Server, Error: 233)

---

This error tends to happen when you are trying to authenticate with a SQL Server account on a system that is only configured for Windows Authentication. MS SQL Server allows SQL accounts to be created regardless of this setting in the configuration and gives no errors (for logical reasons we could go into) so it is easy to do without realizing it. So if you see this error, check to make sure that SQL Server authentication is enabled or use a Windows account instead.

We deal with some really clunky front ends that run with SA/SQL Authentication so hybrid mode is a setting that gets done during the initial instance setup process.

The other thing to keep in mind is that if there is more than one admin account being used to manage that instance, or those instances, to make sure to add those accounts during the instance creation process otherwise pain ensues.

@Pete-S said in Mikrotik software firewall/router?:

Does anyone have experience with Mikrotik's software firewall/routers?
Or any opinion on their products in general, especially for business use?

I used to think they were some kind of garage company but it turns out they're a billion dollar company.

We worked with them quite a bit at a site. Clunky, difficult, and not the most stable at that time.

Have they improved? Not sure, but IMNSHO, there's better products out there for the same or slightly higher pricing.

@dmacf10 said in Mikrotik software firewall/router?:

@PhlipElder Odd that you had stability issues. When properly configured I've never had any issues at all besides the occasional lightning strike back in the day on the PtP sites. When used in controlled environments they have world-class stability and reliability. At least that's been my experience with the 500+ that I've worked with.

It's been a while, but they were primarily due to the site-to-site VPN going down and the occasional lockup.

There's always been "suspicion" around inexpensive products since we get what we pay for.

Ubiquiti is no less in the crosshairs of that suspicion with it being justified.

Once bitten, twice shy so really haven't looked back.

Are there folks that are running MicroTik now with no issues? It sounds like you are?

@Pete-S said in Mikrotik software firewall/router?:

@PhlipElder said in Mikrotik software firewall/router?:

@scottalanmiller said in Mikrotik software firewall/router?:

The same sales tactic is used to sell expensive "you have to pay the vendor extortion rates for support" over open source products that are known to be far better for decades. It's probably the best known scam in our industry. And once people overpay and get too little, the vendor has customers over a barrel and they feel that they can't expose to management that they spent a fortune and got less than they would have gotten for cheap or for free. And so the spending spree continues because no one up the chain wants to expose what they've done.

Three cluster setups:
1: Cisco Small Business Pro series Gigabit and 10GbE
2: NETGEAR Gigabit and 10GbE
3: Ubiquiti Gigabit and 10GbE
4: Mellanox/NVIDIA 10GbE, 40GbE, 50GbE, 100GbE

Guess which ones we've had the most grief with? Which one's the least?

I can't stand the suspense. Please tell!

In order of stability and longevity:
4 1 2 3.

@scottalanmiller said in Mikrotik software firewall/router?:

The same sales tactic is used to sell expensive "you have to pay the vendor extortion rates for support" over open source products that are known to be far better for decades. It's probably the best known scam in our industry. And once people overpay and get too little, the vendor has customers over a barrel and they feel that they can't expose to management that they spent a fortune and got less than they would have gotten for cheap or for free. And so the spending spree continues because no one up the chain wants to expose what they've done.

Three cluster setups:
1: Cisco Small Business Pro series Gigabit and 10GbE
2: NETGEAR Gigabit and 10GbE
3: Ubiquiti Gigabit and 10GbE
4: Mellanox/NVIDIA 10GbE, 40GbE, 50GbE, 100GbE

Guess which ones we've had the most grief with? Which one's the least?

@PhlipElder said in Mikrotik software firewall/router?:

@scottalanmiller said in Mikrotik software firewall/router?:

The same sales tactic is used to sell expensive "you have to pay the vendor extortion rates for support" over open source products that are known to be far better for decades. It's probably the best known scam in our industry. And once people overpay and get too little, the vendor has customers over a barrel and they feel that they can't expose to management that they spent a fortune and got less than they would have gotten for cheap or for free. And so the spending spree continues because no one up the chain wants to expose what they've done.

Three cluster setups:
1: Cisco Small Business Pro series Gigabit and 10GbE
2: NETGEAR Gigabit and 10GbE
3: Ubiquiti Gigabit and 10GbE
4: Mellanox/NVIDIA 10GbE, 40GbE, 50GbE, 100GbE

Guess which ones we've had the most grief with? Which one's the least?

Off the top:

4: ConnectX-3 VPI would not come back online after a cable swap no matter what. Had to reboot the node. SwitchX still up and running and we're getting close to 8 years.
1: We have some SG300x or SG350x series that came back from clients still humming along close to 10 years later. Had a few early hardware rev editions drop ports. Some issues with the UI and responsiveness but all and all a solid platform.
2: Solid. 10 years later still going though firmware tends to get persnickety after 24-36 months of uptime or longer so an occasional reboot needed.
3: Management UI installed the reset the adopted switches without any warning. Threw a cluster into chaos. Site does not mention that that would happen. Lesson learned. VLANs: If there are "too many" the switches randomly stop routing. Just stop. In a teamed setting not so bad but the VMs residing on the port that gets dropped just disappear. What a PITA to troubelshoot troubleshoot (dyslexic brain on overdrive today).

We do get what we pay for. ;0)

@pattonb said in bitlocker suddenly enabled:

greetings, I have a user that claims on his recently purchased lenovo laptop, that he started it up and is now asking for the bitlocker key. I have checked his Microsoft account, and there has not been any bitlocker keys used or saved. Is this a matter of a user inadvertently enabling bitlocker or............ ?

Recent Windows Update is the culprit. The catch is, to remove it one needs to get in to the OS partition in order to remove it.

@scottalanmiller said in Need: How-To Step-by-Step for Multiple WordPress sites on Ubuntu 20/22 LEMP:

@PhlipElder said in Need: How-To Step-by-Step for Multiple WordPress sites on Ubuntu 20/22 LEMP:

@PhlipElder said in Need: How-To Step-by-Step for Multiple WordPress sites on Ubuntu 20/22 LEMP:

Wow, talk about documentation fragmentation.

We've installed Ubuntu 22 a number of times reaching various points towards the goal of hosting multiple WordPress sites in a single Ubuntu v22.04 (as of this writing) using one MariaDB instance with multiple databases set up within.

NGINX is set up and the server blocks are in place.

This last go-around we managed to get three sites up and running without issue. Once the fourth went in all of a sudden the server would only serve one of the sites no matter what URL was being requested.

Certificates are being handled by RapidSSL as a personal preference. We've not had any issues there.

Please and thanks.

And, crash and burn again. :0(

As soon as I install the second site the server only pushes the last one set up. sigh

I bet it is a matter of being in alphabetical order. That causes a lot of "mystery" issues in this kind of setup.

I fat fingered it. The ">" at the end of the domain for server_name is what did it.

Since all of the setup files were copy and paste, whenever that got introduced it carried onwards.

Because of the wiring in my head when it happened the first time I didn't see it. So, I flattened everything and started fresh. When it happened the second time I took the time to look at the original reference server block because it was seemingly obvious that I'd done something.

@scottalanmiller said in Rackspace Blocking Zoho Email:

We have multiple customers all reporting the same thing, emails going from Zoho customers to Rackspace customers are being blocked by IP by Rackspace.

It's bad. There's a number of articles out there that indicate that they were pretty far behind on their patching.

My guess is HAFNIUM.

They've moved everything over to O365. No going back.

https://redmondmag.com/articles/2022/12/06/rackspace-confirms-ransomware-attack-on-hosted-exchange-service.aspx

https://doublepulsar.com/rackspace-cloud-office-suffers-security-breach-958e6c755d7f

https://status.apps.rackspace.com/index/viewincidents?group=2

$40M ain't no chump change. :0(

@JasGot said in Rackspace Blocking Zoho Email:

It also affected the Hosted Exchange servers they run for Intermedia.

There's a military term that applies here: Cl-sterF-ck.

Wow.

@Pete-S We have a few older accounting apps we support that don't scale well in RemoteApp no matter what the client setting is. The menu items appear to be microscopic.

Great for Session Host desktops but what about RemoteApp?

@Pete-S said in Manage domains and DNS for customers?:

Is there a good way to manage domain renewals and DNS settings on behalf of a customer?

Basically handle everything and then invoice the customer. But the customer should still legally own the domain(s).

We take care of everything including DNS. Too many times where the "Web Experts" have messed with DNS settings and broke things.

We roll the cost into our monthly management fees.

@Pete-S said in Manage domains and DNS for customers?:

@PhlipElder said in Manage domains and DNS for customers?:

@JaredBusch said in Manage domains and DNS for customers?:

@Pete-S said in Manage domains and DNS for customers?:

Is there a good way to manage domain renewals and DNS settings on behalf of a customer?

Basically handle everything and then invoice the customer. But the customer should still legally own the domain(s).

Anyone granted access to log in to the registrar can become the sole owner by transferring the registration to someplace that no one else has access to.

Without any legal contracts stating clearly how it all works, the legal owner is whoever is paying for it. That would be you, not them, in the scenario listed.

IANAL, but barring things like previously trademarked names, a company would likely not win (assuming cost of litigation is not an issue) in court if you said they did not own the right to their domain registration.

We actually put it in writing that we are managing their Internet properties and services and that ownership of said properties are theirs. If they decide to move on, it's in the contract that they would pay the fee(s) for the transfer out with the unlock codes presented once that process was initiated.

OK, so if you work with a new customer you will transfer their domains to your registrar and account? And then you can take care of everything - renewals, dns settings etc.

When the relationship ends, you will transfer their domain back to a registrar of their choosing.

That is correct. We manage everything. We drop a few horror stories where web devs made changes, or deleted DNS entries, because they thought they weren't needed.

@scottalanmiller said in Manage domains and DNS for customers?:

@PhlipElder said in Manage domains and DNS for customers?:

To some respects yes, but we've also had clients who listened to a web dev and flipped the DNS settings at the registrar level to the Web Dev's BIND servers sitting behind fake IPs to make it look like there's more than one (a requirement). To get everything back, including mail flow, can take 24 to 72 hours.

That should have prompted legal action. That's a big deal.

Heh ... we live in the People's Republik of Kanada.

Breathing on a lawyer up here would require a $10K retainer. Most small businesses would just walk away after recovering their assets.

It's just easier, for us and our clients, to maintain a handle on everything. In the end, they know us and we know them and they trust us to do what's best for them. Everything is in writing so there's no question about ownership.

EDIT: Ideals and Reality: Never the twain shall meet.

@Pete-S said in Force password change on first login over RDP:

Is there are Microsoft blog post, tech article or whatever place of authority that I can send to IT support people?

I need it for those that doesn't know that you can't force users to change their passwords on first login (or after password reset) when they connect over RDP only.

Users get this error:

As far as I know there is no reasonable workaround around this catch-22 problem.
Except don't force users to change password on first login...

Is this after they have been given a temporary password?

Is PasswordChangeEnabled set to true on the RDWeb server?

Albeit, I'm not sure if that would prompt the user to actually change the password like it does if their password is expired.

We don't have an RDS Lab up at the moment so I'm not able to test.

@Pete-S said in Force password change on first login over RDP:

@PhlipElder

I don't know about RDWeb but it's happens for example when you reset the password in AD, give the user a temporary password and select "Users must change password at next logon".

If you connect with RDP directly to a windows OS (applies to all of them) you can never change your password and you can't login.

I believe it's because RDP need to authenticate the user before the client is allowed to connect and then change their password.

It's been like this since forever, at least Windows 7.

IT support that has remote users should know this. I just need a source from Microsoft I can point them to that explains it to people so they know what to do.

I'm working on getting a test RD Farm set up. I'll follow-up once I've tested.

I think the RDWeb prompt should happen when that variable is set in AD.

@PhlipElder said in Force password change on first login over RDP:

@Pete-S said in Force password change on first login over RDP:

@PhlipElder

I don't know about RDWeb but it's happens for example when you reset the password in AD, give the user a temporary password and select "Users must change password at next logon".

If you connect with RDP directly to a windows OS (applies to all of them) you can never change your password and you can't login.

I believe it's because RDP need to authenticate the user before the client is allowed to connect and then change their password.

It's been like this since forever, at least Windows 7.

IT support that has remote users should know this. I just need a source from Microsoft I can point them to that explains it to people so they know what to do.

I'm working on getting a test RD Farm set up. I'll follow-up once I've tested.

I think the RDWeb prompt should happen when that variable is set in AD.

Setting in place:

Yup. Works.

@Pete-S said in Force password change on first login over RDP:

Great, so it works if you use RDWeb.

But if you RDP directly to any Windows server or workstation it won't.

Nope. It won't. There's no way around that.

We also have Exchange on-premises so OWA works for that password change.