    Posts

    • RE: Do you ask for permission...

      @black3dynamite said in Do you ask for permission...:

      What time do guys normally schedule reboots? During business hours? Early mornings? Late evenings? Weekends only?

      Cluster nodes can be run pretty much anytime during the day.

      For servers running roles and services we schedule an outage and run with it.

      Methodology is straightforward:

      • Reboot the server if running longer than 60 days
      • Back up
      • Install the patch and reboot
      • Verify services

      If the patch fails, restore.

      We use Veeam and ShadowProtect to back up with.

      posted in Water Closet
      PhlipElder
    • RE: Hyper-V 2019

      If you have the original 2019 .ISO file already then slipstream the latest Servicing Stack Update and Cumulative Update into the Install.WIM and recreate the .ISO file. The method we use is here.

      posted in IT Discussion
      PhlipElder
    • RE: Do you ask for permission...

      @WLS-ITGuy said in Do you ask for permission...:

      @DustinB3403 said in Do you ask for permission...:

      When a customer is paying you to maintain their systems you need to verify with the customer before you go and do things. Whether it's system updates, reboots, shutdowns or migrations you always have to ask.

      Just to be clear. I am the in-house guy. I agree when it comes to production stuff there needs to be a window and permission. What I am saying is that even if I get a window/permission I still get push back. So if it is something that isn't going to affect the overall production then I reboot whenever I want now because it isn't worth the headache of finding a "good time" for all parties.

      The simple thing of it is: We need a reboot to apply patches to protect our network from baddies and to help with overall stability in the operating systems.

      posted in Water Closet
      PhlipElder
    • RE: Do you ask for permission...

      We ask. Most of our clients are accounting firms on our MSP side and contractors and their clients.

      All it takes is a bit of coordination to make sure we're not infringing on any large projects they may be running. As a rule, tax season is off limits for obvious reasons. 😉

      posted in Water Closet
      PhlipElder
    • RE: Windows Server 2019 is back on

      Downloaded both the 1809 server and desktop clients from Volume Licensing Service Centre yesterday so the .ISO files are up on that side.

      Note that once the .ISO files are down, they are .107 so they will need the latest Servicing Stack Update (SSU) and Cumulative Update (CU) slipstreamed in to be current.

      posted in News
      PhlipElder
    • RE: PowerShell - Create New AD User Using Prompts and Variables

      @wrx7m said in PowerShell - Create New AD User Using Prompts and Variables:

      If I get rid of the attempt to combine the 2 existing variables into a 3rd, I get this error.

      New-ADUser : A positional parameter cannot be found that accepts argument '+'.
      At \\FP02\it\Scripts\AD\AD-InitialUserCreationVariables.ps1:5 char:1
      + New-ADUser -Name "$GivenName $Surname" `
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : InvalidArgument: (:) [New-ADUser], ParameterBindingException
          + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.ActiveDirectory.Management.Commands.NewADUser
      

      Like this I think:

      New-ADUser -Name "$($GivenName) $($Surname)"`
      

      From: https://blogs.technet.microsoft.com/stefan_stranger/2013/09/25/powershell-sub-expressions/

      posted in IT Discussion
      PhlipElder
    • RE: Is the Physical Thin Client Era Dead?

      Ugh, I put thin clients out there with e-Machines PCs. 😛

      We decided years ago to avoid them and stick with the smallest form factor PC we could deploy Windows Pro on. It's paid off well. No driver headaches, no print issues, dual display is plugging in a second cable and monitor, and security can be hardened via Group Policy.

      posted in IT Discussion
      PhlipElder
    • RE: How do YOU provide a physical VDI demo?

      A Celeron based Intel NUC with two 24" monitors and a wireless keyboard and mouse has been our go to for quite a long time. An alternate is the Intel Compute Stick for single monitor setups. Both are Windows Pro based.

      Since 2016 RD EasyPrint just works it's a pretty neat thing to walk in, set up, turn on, connect to a printer on-site, and fire a print job off in a few short minutes. That seems to transcend any need to discuss Geek Speak type stuff.

      posted in IT Discussion
      PhlipElder
    • RE: What Are You Currently Reading Outside of Tech

      @scottalanmiller said in What Are You Currently Reading Outside of Tech:

      The Magician's Nephew

      We've read the series over and over and over in our house.

      Our home school board offers an online literature class on the series with our two oldest having taken the course with nary an argument about reading the series again.

      I don't know how many times I've read them but it's quite a few both for myself and some of them to the kids.

      posted in Water Closet
      PhlipElder
    • RE: HA With switches

      @hobbit666 said in HA With switches:

      Another thing that got me confused. SFP+ modules.
      I can see Ubiquiti SFP+ 10G MultiMode modules are £40 odd for a 2 pack.

      But a Fibre module for Netgear are £200+ each

      Aruba £600 odd

      SFP can be for copper or fibre. It can be active and passive with active pushing the signal further. Those are the differences between the modules IIRC.

      posted in IT Discussion
      PhlipElder
    • RE: Tunnel Interface with two Sonicwalls and three subnets.

      @JasGOt said in Tunnel Interface with two Sonicwalls and three subnets.:

      @PhlipElder said in Tunnel Interface with two Sonicwalls and three subnets.:

      What we do:

      Plug the server into a small 5-Port or 8-Port Gigabit switch.

      We have a dedicated bench SonicWALL that is used to isolate the bench network then each LAN port on the unit is configured with its own subnet/gateway with a DENY between all.

      The above switch is plugged in to one port on the SW. A Site-to-Site (S2S) tunnel is created to the client's site.

      The VMs are stood up leaving the host in workgroup mode pulling a DHCP address that can be set to DHCP Reserved if need-be for longer bench duration.

      All Roles and Features are set up and LoBs are installed and configured.

      When it comes time to deliver we delete the S2S on both client and bench SWs.

      Deliver the host. We always have a RMM/iDRAC Enterprise installed with DHCP enabled. That way we virtually never run into a problem on-site. Worse gets to worst a monitor and keyboard are available. 🙂

      Once the host is configured on the production network we flip the IP on the DC VM and IPConfig /RegisterDNS then verify AD, DNS, ETC.

      From there it's migrate ...

      Okay. You do exactly what we do. Almost. Your outline above is describing what I am trying to streamline so it can be done over and over with different client sites with little to no effort. The one difference is that we use Robocopy to migrate all the data (over the tunnel) ahead of time (last week we pulled over 200TB of data over a tunnel in advance, it was sweet!), and then when we arrive on site (since it's all the same subnet), we run our script one last time to catch any new/modified files that showed up in the hours before final migration; this takes minutes.....

      We even set up the new domain (when needed; I hate .local domains) with DHCP turned off, in our office beforehand. It works a treat.

      I spent time last night reading about EoIP with MikroTik. It is exactly what I want, but I couldn't find any docs on setting it up with both MikroTiks behind NAT devices. I'm still looking.

      We do a .VHDX restore of their backup to the newly stood up VM that hosts their files and folders. That way there's no permissions issues. Final sync is done using BeyondCompare.

      posted in IT Discussion
      PhlipElder
    • RE: Azure OS is ... Windows Server Core 2016 running Hyper-V

      @DustinB3403 said in Azure OS is ... Windows Server Core 2016 running Hyper-V:

      @manxam said in Azure OS is ... Windows Server Core 2016 running Hyper-V:

      @DustinB3403 : I assume you work for Microsoft support? 🙂

      I guess I should go forth and apply. . .

      LoL

      Their, they're, and there!
      On-premises not on-premise
      Affect and effect
      Bare or bear

      Being dyslexic has its privileges. ;0)

      posted in IT Discussion
      PhlipElder
    • RE: Apple Abandons the Mass Market, as the iPhone Turns Luxury

      @Dashrender We've done network audits for all-Mac or blended-Mac companies and there's a particular mindset that seems to come on the Mac side that one rarely finds on the PC side. It seems to carry over to the other lines as well in my experience.

      posted in News
      PhlipElder
    • RE: Apple Abandons the Mass Market, as the iPhone Turns Luxury

      I had to replace my Microsoft Lumia 950XL due to needing a couple of apps to do work with in our business. 😞

      We won't touch the G00g so that left the bigger of the two fruits.

      The iPhoneX was out for about a month or so with the cell providers up here just starting to pick it up and incorporate it into their offerings.

      We purchase our phones outright so off to the Apple Store we went. After looking at the options I ended up with the iPhoneX with the largest amount of storage available in it at 256GB.

      The phone has paid for itself in saved trips to the bank as we can deposit company cheques, yes we still get them, using the banking app.

      But, anyone that says this platform is "perfect", which is all I've ever heard about Apple products, is blatantly wrong. It is no more stable than the 950XL was with Cortana on the Windows Phone totally blowing Siri away for abilities and features.

      The platform is definitely showing its age. 😛

      posted in News
      PhlipElder
    • RE: Tunnel Interface with two Sonicwalls and three subnets.

      What we do:

      Plug the server into a small 5-Port or 8-Port Gigabit switch.

      We have a dedicated bench SonicWALL that is used to isolate the bench network then each LAN port on the unit is configured with its own subnet/gateway with a DENY between all.

      The above switch is plugged in to one port on the SW. A Site-to-Site (S2S) tunnel is created to the client's site.

      The VMs are stood up leaving the host in workgroup mode pulling a DHCP address that can be set to DHCP Reserved if need-be for longer bench duration.

      All Roles and Features are set up and LoBs are installed and configured.

      When it comes time to deliver we delete the S2S on both client and bench SWs.

      Deliver the host. We always have a RMM/iDRAC Enterprise installed with DHCP enabled. That way we virtually never run into a problem on-site. Worse gets to worst a monitor and keyboard are available. 🙂

      Once the host is configured on the production network we flip the IP on the DC VM and IPConfig /RegisterDNS then verify AD, DNS, ETC.

      From there it's migrate ...

      posted in IT Discussion
      PhlipElder
    • Azure OS is ... Windows Server Core 2016 running Hyper-V

      [Images: 2018-11-05 Azure OS.PNG, 2018-11-05 Azure OS 2.PNG, 2018-11-05 Azure OS 3.PNG]

      The above is from Mark Russinovich's Ignite 2018 presentation slides.

      posted in IT Discussion
      PhlipElder
    • RE: Tracking People in Their Homes with WiFi Signals

      10-4. Radio Imaging sorta.

      The idea has been around for a long time? I seem to remember movies having this type of thing happening?

      posted in News
      PhlipElder
    • RE: Tracking People in Their Homes with WiFi Signals

      Many, many, many years ago a couple of buddies and I rented a house in Winnipeg just west of downtown.

      All of our electronics would go bat sh*t crazy in the evenings with loud blasts of static. It took a bit to figure out, but it turned out that a neighbour beside us was using a CB among other radios.

      Long story short, one of my roommates took matters into his own hands when the neighbour refused to do anything about it (eaves were contacting and his antenna was not grounded properly plus the homes were built in the early 1940s).

      The neighbour and a couple of his buddies figured out where the "problem" was by triangulating. 😉

      It's not hard to figure out the what/where/when of any radio signal. It just takes some time and patience and three points of reference.

      posted in News
      PhlipElder
    • RE: DNS Update Issue

      @JaredBusch said in DNS Update Issue:

      @Dashrender said in DNS Update Issue:

      @wirestyle22 said in DNS Update Issue:

      @scottalanmiller said in DNS Update Issue:

      @wirestyle22 said in DNS Update Issue:

      So thought experiment:

      If DC1 and DC2 have 127.0.0.1 as their only DNS entry and their forwarders are only set to each other, how does that resolve? Can the DCs tell the difference between a forwarding request and a normal DNS request? Otherwise wouldn't this time out?

      The problem here, is if you are on DC1 and DC1's DNS fails, then the loopback lookup will have nowhere to go. And everything will fail, even though you have redundant services on your network.

      If you had DC2 as the secondary DNS entry, things would have kept working.

      Right but I'm just asking to understand whether or not the DNS servers understand the difference between a normal dns query and a forwarding dns query. Would this ever end due to a rule that wasn't a timeout?

      I can't imagine it would see a difference. I think the delayed response would be the only timeout happening. Though, in an implementation that doesn't think about a cyclical query, I could see the resources being used until the server crashed... they would keep going forward, even though the past queries themselves would time out. Though, since you had this setup, and you didn't have crashing servers (did you?) that seems like an unlikely problem.

      You are correct, because the DNS forwarding function is simply a DNS lookup to the IP of the DNS forwarder instead of the local DNS. It does not use the NIC DNS settings at all. Also, this can only occur if the DNS server itself is working as the DNS server itself is what makes the damned forwarder lookup. So in the case of DNS server not working, this would never apply.

      I do not understand why this is so damned hard for everyone to understand.

      DNS Forwarding is:

      • Client: Hay, where's www.whatchamacallit.com?
      • DNS Server: Hmmm, looking in my local cache
      • DNS Server: Nope, not there
      • DNS Server: Do I have the domain hosted locally? Nope
      • DNS Server: I have a Forwarder DNS Server set up
      • DNS Server: Hay Forwarder DNS Server, do you know where www.whatchamacallit.com is?
      • DNS Forwarder: Yup, it's at IP 99.88.77.66 (or, ask DNS SOA for domain at NS1.HostedDNS.Com)
      • DNS Server: Hay Client, it's at 99.88.77.66

      The alternate at step 4 would be to go through the process of finding SOA (Start of Authority) via the Root Hints server. But, that process takes a lot "longer".

      The above is as close as I can remember to the process.

      posted in IT Discussion
      PhlipElder
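
The lookup order listed in the post above, and the thread's thought experiment of two DCs whose forwarders point only at each other, as an added example that is not from the thread or from any DNS server's code. The server names, the `fs01.corp.example` record, the addresses and the hop budget (which stands in for the query timeout) are constructed assumptions.

```python
# Toy model of the order in the post: cache -> locally hosted zone ->
# forwarder -> (alternate) root hints. All names and addresses are constructed.

class DnsServer:
    def __init__(self, name, zones=None, forwarders=None, root_hints=None):
        self.name = name
        self.zones = zones or {}            # records this server hosts itself
        self.forwarders = forwarders or []  # DnsServer objects, tried in order
        self.root_hints = root_hints        # callable standing in for a root-hints walk
        self.cache = {}

    def resolve(self, qname, hops=4, trace=None):
        """Return (answer_or_None, trace) for one query."""
        trace = [] if trace is None else trace
        if hops == 0:                       # budget spent: modelled as a timeout
            trace.append(f"{self.name}: gave up (timeout)")
            return None, trace
        if qname in self.cache:
            trace.append(f"{self.name}: cache hit")
            return self.cache[qname], trace
        if qname in self.zones:
            trace.append(f"{self.name}: hosted locally")
            return self.zones[qname], trace
        answer = None
        for fwd in self.forwarders:         # the forwarder is asked by its own IP,
            trace.append(f"{self.name}: ask forwarder {fwd.name}")
            answer, _ = fwd.resolve(qname, hops - 1, trace)
            if answer:
                break
        if answer is None and self.root_hints:
            trace.append(f"{self.name}: walk root hints")
            answer = self.root_hints(qname)
        if answer:
            self.cache[qname] = answer      # later queries stop at the cache
        return answer, trace


def forwarder_case():
    """One DC with an upstream forwarder that knows the answer."""
    upstream = DnsServer("Forwarder", zones={"www.whatchamacallit.com": "99.88.77.66"})
    dc1 = DnsServer("DC1", forwarders=[upstream])
    return dc1.resolve("www.whatchamacallit.com"), dc1.resolve("www.whatchamacallit.com")


def mutual_forwarder_case():
    """DC1 and DC2 forward only to each other, as in the thought experiment."""
    zone = {"fs01.corp.example": "10.0.0.20"}
    dc1, dc2 = DnsServer("DC1", zones=dict(zone)), DnsServer("DC2", zones=dict(zone))
    dc1.forwarders, dc2.forwarders = [dc2], [dc1]
    return dc1.resolve("fs01.corp.example"), dc1.resolve("www.whatchamacallit.com")


if __name__ == "__main__":
    for answer, trace in (*forwarder_case(), *mutual_forwarder_case()):
        print(answer, trace)
```

In this model the internal name still resolves from the locally hosted zone, while the external name bounces between the two DCs until the budget runs out and comes back empty.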
    • RE: DNS Update Issue

      @Dashrender said in DNS Update Issue:

      @scottalanmiller said in DNS Update Issue:

      @Dashrender said in DNS Update Issue:

      @scottalanmiller said in DNS Update Issue:

      @Dashrender said in DNS Update Issue:

      @wirestyle22 said in DNS Update Issue:

      @Dashrender said in DNS Update Issue:

      @wirestyle22 said in DNS Update Issue:

      @Dashrender said in DNS Update Issue:

      @wirestyle22 said in DNS Update Issue:

      @scottalanmiller said in DNS Update Issue:

      @wirestyle22 said in DNS Update Issue:

      So thought experiment:

      If DC1 and DC2 have 127.0.0.1 as their only DNS entry and their forwarders are only set to each other, how does that resolve? Can the DCs tell the difference between a forwarding request and a normal DNS request? Otherwise wouldn't this time out?

      The problem here, is if you are on DC1 and DC1's DNS fails, then the loopback lookup will have nowhere to go. And everything will fail, even though you have redundant services on your network.

      If you had DC2 as the secondary DNS entry, things would have kept working.

      Right but I'm just asking to understand whether or not the DNS servers understand the difference between a normal dns query and a forwarding dns query. Would this ever end due to a rule that wasn't a timeout?

      I can't imagine it would see a difference. I think the delayed response would be the only timeout happening. Though, in an implementation that doesn't think about a cyclical query, I could see the resources being used until the server crashed... they would keep going forward, even though the past queries themselves would time out. Though, since you had this setup, and you didn't have crashing servers (did you?) that seems like an unlikely problem.

      Well the local PCs and stuff had DNS set to public DNS and then local DNS so things just didn't work here and there

      Yeah - that's a nightmare - surprised that local stuff worked at all - perhaps it worked only because of broadcast-based resolution on the local network - i.e. the public DNS had no answer, so the system did a broadcast to try to resolve the name locally... and that worked.

      That's exactly the case IMO

      This is why end points should never have a public DNS entry - ever. The recently discussed solution for setting up DNS inhouse provides failover to public DNS in situations where internal DNS is down. All without the risk that a client machine will just decide to flip to its secondary DNS and if public suddenly not have access to info about internal resources.

      This risk is unique to Windows. Under non-Windows situations, you wouldn't avoid that as it isn't a risk.

      How is it not a risk? You don't have internally only known resources? i.e. an internal DNS server that has resolution that only works inhouse?

      Because the risk is from flipping, a Windows bug.

      I don't follow - Won't non-Windows machines also flip to a secondary DNS if the primary times out? And when it does flip - when do those non-Windows OSes decide to flip back?

      i.e. you give your Linux client primary internal DNS and secondary Google DNS - how do you not run into the same issue if the client flips to the secondary?

      There was, or maybe still is, a bug in Windows Server DNS Server service WRT Top Level Domains (TLDs) and the DNS cache that reared its head occasionally. The bug would not allow a DNS poll to get beyond the initial local cache check to check the Root Hints servers and move on from there.

      So, folks would get no answer or a blank page when the DNS poll failed.

      There's a fix for it somewhere. But, since we always use forwarders, normally OpenDNS, we've not hit the bug in years. Thus, I have no idea if the bug is still present in Server 2016 or Server 2019!

      posted in IT Discussion
      PhlipElder