ML

    PhlipElder

    Posts
    • RE: DNS Update Issue

      @Obsolesce said in DNS Update Issue:

      @scottalanmiller said in DNS Update Issue:

      @PhlipElder said in DNS Update Issue:

      @Donahue said in DNS Update Issue:

      @scottalanmiller said in DNS Update Issue:

      @Donahue said in DNS Update Issue:

      Right, but I wonder if my branch DC should be pointing to the HQ DC, or just going straight to external?

      Branch DC's DNS should point first to the loopback, then to the HQ DNS. That way, you minimize WAN traffic and maximize performance.

      In the NIC settings, correct? Should HQ secondarily point to branch?

      ADDS DCs with integrated DNS should have only one DNS entry on the NIC: DNS0: Own IP

      When a DC is elevated it drops the loopback address in.

      Again, an AD integrated DNS server does not need any other DNS servers assigned to its own NIC. That's taken care of by AD and DNS replication.

      But the whole question is what happens when the DNS fails locally.

      When does this even happen? How do you have a DC/DNS server running, then suddenly the DNS service breaks? Then what? Just fix it and be done with it. Restore the zone, whatever... if it's the only DC, a simple restore will get you up and going in 10 minutes. If there's others, and DNS is corrupt, it'll replicate and corrupt the other DNS servers too. AD integrated DNS zones replicate.

      If the DNS role/service fails on a DC, you have bigger issues. If it's corruption or deletion, well all your other ones will be screwed too anyways.

      The only time we've hit this is in a full power outage situation where there was not enough UPS to keep things up and running.

      With Cloud Witness there needs to be a DNS server alive prior to the cluster nodes firing, to allow them to find that cloud-located witness, or it's a no-go for starting the cluster.

      For on-premises, if DNS is offline there's more going on there than a simple oops. What we do while recovering the DC if it's going to take longer than 15-30 minutes is flip DHCP Services on at the edge and have the clients release and renew their IP address to pick that up. Then, at least they are somewhat productive while we're working on the recovery.

      As soon as the DC is back online DHCP gets turned off at the edge and the clients renew their IP address to catch the DC again. Done.

      posted in IT Discussion
      PhlipElder
    • RE: question on veeam backup

      @Donahue said in question on veeam backup:

      @NerdyDad said in question on veeam backup:

      Umm, yeah. There is a much better answer here. Install Hyper-V Server 2016 from ISO instead of wasting the license.

      https://www.microsoft.com/en-us/evalcenter/evaluate-hyper-v-server-2016

      Once Hyper-V is installed on all 3 hosts, either run Veeam B&R by itself on a server or run it in conjunction with another server that isn't being fully utilized.

      Also, why aren't you clustering your hosts together and load balancing your VMs across all 3 hosts? Can they not see the same storage or something?

      I am pretty sure that what I am trying to do requires a Windows license. It's a dubious grey area at best as to whether Veeam requires a license or not. From what I have found so far, the consensus seems to be that Veeam does not require a license if Veeam is backing up VMs from that host. It is less clear when Veeam is backing up VMs from a completely different host.

      I do not need a cluster. My existing two hosts at this site are old and are going into semi-retirement such as just running veeam. My storage is being completely redone for this project.

      Guest licensing is always based on the host. If Veeam is running in a Windows Server VM then the host needs at least one Server Standard license. That particular license allows for two guests. So, Veeam in one guest and a secondary DC in the other. Or, whatever the need may be.

      posted in IT Discussion
      PhlipElder
    • RE: question on veeam backup

      @Donahue said in question on veeam backup:

      @PhlipElder said in question on veeam backup:

      @Donahue said in question on veeam backup:

      As a result of changing all my setup, I am going to have three hosts at my HQ site, all running Hyper-V. Host A will be new and basically carry the entire production load. Host B is existing and will be running empty, and only used as a restore point in case host A goes down. Host C is also existing, but will be running only Veeam. Currently I am on ESXi and Veeam is running in a Server 2012 R2 VM. My question is, when everything is switched over and Veeam is now the only thing running on host C under Hyper-V, should I run that inside a VM on Hyper-V core, or just install Server on the bare metal and run Veeam from that?

      The VM route obviously consumes a license, and really a pair of them. Running the server with the Hyper-V role seems a little more dubious from a licensing standpoint. I am not sure if there could be a clear answer that was agreed upon, since Veeam would be "supporting Hyper-V", but the host's Hyper-V it would be supporting would be a different host. I am also currently using dedupe within Windows Server, which is a nice feature. I am not sure how the Veeam dedupe compares.

      If we assume that both uses consume a Windows Server license, which would you prefer and why?

      We'd keep the VM, leaving the host resources available for any spot workloads or even lab workloads.

      But I can do that both ways since there will be Hyper-V both ways.

      I'm not sure I understand.

      The only place bare metal makes any real sense anymore, IMNSHO, is in high transaction workloads like SQL. Otherwise, keep the guest and utilize the resources for other projects.

      posted in IT Discussion
      PhlipElder
    • RE: question on veeam backup

      @Donahue said in question on veeam backup:

      As a result of changing all my setup, I am going to have three hosts at my HQ site, all running Hyper-V. Host A will be new and basically carry the entire production load. Host B is existing and will be running empty, and only used as a restore point in case host A goes down. Host C is also existing, but will be running only Veeam. Currently I am on ESXi and Veeam is running in a Server 2012 R2 VM. My question is, when everything is switched over and Veeam is now the only thing running on host C under Hyper-V, should I run that inside a VM on Hyper-V core, or just install Server on the bare metal and run Veeam from that?

      The VM route obviously consumes a license, and really a pair of them. Running the server with the Hyper-V role seems a little more dubious from a licensing standpoint. I am not sure if there could be a clear answer that was agreed upon, since Veeam would be "supporting Hyper-V", but the host's Hyper-V it would be supporting would be a different host. I am also currently using dedupe within Windows Server, which is a nice feature. I am not sure how the Veeam dedupe compares.

      If we assume that both uses consume a Windows Server license, which would you prefer and why?

      We'd keep the VM, leaving the host resources available for any spot workloads or even lab workloads.

      posted in IT Discussion
      PhlipElder
    • RE: DNS Update Issue

      @Donahue said in DNS Update Issue:

      @scottalanmiller said in DNS Update Issue:

      @Donahue said in DNS Update Issue:

      Right, but I wonder if my branch DC should be pointing to the HQ DC, or just going straight to external?

      Branch DC's DNS should point first to the loopback, then to the HQ DNS. That way, you minimize WAN traffic and maximize performance.

      In the NIC settings, correct? Should HQ secondarily point to branch?

      ADDS DCs with integrated DNS should have only one DNS entry on the NIC: DNS0: Own IP

      When a DC is elevated it drops the loopback address in.

      Again, an AD integrated DNS server does not need any other DNS servers assigned to its own NIC. That's taken care of by AD and DNS replication.

      In the branch the local DC points to itself. In AD Sites a site is set up with replication links and timing between the branch and the HO. This is usually a 15-minute cycle. The branch DC should be a Global Catalogue server so the local machines always authenticate to it. DHCP should assign that local DC for DNS only.

      Please don't assign public DNS servers to any internal resource. That's just plain wrong. If anything glitches on the network, the clients flip from DNS0 to DNS1, which points to an external DNS server. So, when internal resources are called, the Internet DNS server answers, "Huh?!?"

      Depending on Time To Live (TTL), the clients would either need an IPConfig /Release && IPConfig /Renew or a reboot to get them to look at the local DNS server again.

      posted in IT Discussion
      PhlipElder
    • RE: DNS Update Issue

      @Dashrender said in DNS Update Issue:

      @JaredBusch said in DNS Update Issue:

      @PhlipElder said in DNS Update Issue:

      @JaredBusch said in DNS Update Issue:

      @wirestyle22 said in DNS Update Issue:

      @Dashrender said in DNS Update Issue:

      @wirestyle22 said in DNS Update Issue:

      Simple case of me never doing this wrong I guess. What a weird thing to screw up. Didn't really have time to sift through it all.

      What do you normally use for your top level domain on an AD build?

      ad.domain.com theoretically. Everything I've ever touched is already in place. Although I'd love to rebuild my family's infrastructure from the ground up.

      If it looks like this, then it owns domain.com

      [image]

      Oh man, what a mess.

      Meh, not bad actually. Perfect? No. But small enough to not be a problem really.

      Definitely not what I would do now if I set it up new.

      This is just a throwback to the new days of AD. MS suggested just this - then after a while they suggested domain.local for the internal domain, and now they recommend ad.domain.com for the internal domain.

      Being a part of the SBS crew from the BackOffice 4.0 and 4.5 (NT) days, the .Local phenomenon started around the discussion of Internet domain registration and keeping the internal and Internet domains separate. That was prior to SBS 2003, which was the first product to deploy out of the box with .Local.

      Some of it had to do with the confusion around registering the Internet domain that was to be used internally. We used to encounter companies with Domain.Com that did not own the Internet domain. It was painful, to say the least.

      AD was still relatively new so no one really knew what to do about internal and external DNS, though SBS 2003 did split the DNS for Remote.Domain.Com.

      Besides wizards, which were primarily in the SBS realm, splitting the DNS became the norm and eventually the recommendation came about for Corp.Domain.Com with the caveat that the internet domain should be owned.

      So, here we are. Most companies own their internet domains so it's a no-brainer to split the DNS for their setups.

      posted in IT Discussion
      PhlipElder
    • RE: DNS Update Issue

      @JaredBusch said in DNS Update Issue:

      @PhlipElder said in DNS Update Issue:

      @JaredBusch said in DNS Update Issue:

      @wirestyle22 said in DNS Update Issue:

      @Dashrender said in DNS Update Issue:

      @wirestyle22 said in DNS Update Issue:

      Simple case of me never doing this wrong I guess. What a weird thing to screw up. Didn't really have time to sift through it all.

      What do you normally use for your top level domain on an AD build?

      ad.domain.com theoretically. Everything I've ever touched is already in place. Although I'd love to rebuild my family's infrastructure from the ground up.

      If it looks like this, then it owns domain.com

      [image]

      Oh man, what a mess.

      Meh, not bad actually. Perfect? No. But small enough to not be a problem really.

      Definitely not what I would do now if I set it up new.

      Okay, the masking threw me off.

      _msdcs.domain.local
      domain.com
      domain.local
      ^^Zones?

      Why domain.com?

      When we split DNS we usually leave domain.com to Internet DNS even if Location.Domain.Com is internal.

      Then we set up the required internal DNS FLZs for services:
      Remote.Domain.Com
      SharePoint.Domain.Com
      Mail.Domain.Com
      LoB.Domain.Com

      Application Request Routing (ARR) is used to parlay incoming HTTPS calls to their respective owners (RDS, Exchange, SharePoint, LoB) so we only require one WAN IP address with Internet DNS A records for the above pointing to the WAN IP address.

      EDIT: To get around the AutoDiscover.Domain.Com we use the _autodiscover SRV record method.

      posted in IT Discussion
      PhlipElder
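      One way to lay out the split DNS described in this post on an AD-integrated DNS server: per-service internal zones that resolve to private addresses, domain.com itself left to Internet DNS, and autodiscover found through the _autodiscover SRV record. This is an added example and not code from the post or the forum; the 10.0.0.x addresses are constructed placeholders, it assumes the DnsServer module (DC role tools) on the DC it runs on, and it assumes the SRV record is published at the public DNS provider, so the script only verifies it resolves.

```powershell
# Split DNS layout from the post: per-service internal zones, domain.com left to
# Internet DNS, autodiscover via SRV. Added example (not from the thread); the
# 10.0.0.x addresses are constructed placeholders. Run on a DC with the DnsServer module.

# Internal forward lookup zones and the private address each resolves to internally.
# Externally the same names are A records pointing at the single WAN IP behind ARR.
$internalZones = @{
    'remote.domain.com'     = '10.0.0.21'   # RDS gateway (placeholder)
    'sharepoint.domain.com' = '10.0.0.22'   # SharePoint (placeholder)
    'mail.domain.com'       = '10.0.0.23'   # Exchange (placeholder)
    'lob.domain.com'        = '10.0.0.24'   # line-of-business app (placeholder)
}

function New-InternalServiceZones {
    param([hashtable]$Zones)
    foreach ($zone in $Zones.Keys) {
        if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
            # AD-integrated zone, replicated to every DNS server in the forest.
            Add-DnsServerPrimaryZone -Name $zone -ReplicationScope Forest
        }
        # Apex A record: "@" makes the zone name itself resolve to the internal host.
        $existing = Get-DnsServerResourceRecord -ZoneName $zone -Name '@' -RRType A -ErrorAction SilentlyContinue
        if (-not $existing) {
            Add-DnsServerResourceRecordA -ZoneName $zone -Name '@' -IPv4Address $Zones[$zone]
        }
    }
}

function Test-SplitDns {
    param([hashtable]$Zones, [string]$Domain = 'domain.com')
    $findings = @()
    # Each service name must resolve internally to its private address, not the WAN IP.
    foreach ($zone in $Zones.Keys) {
        $a = Resolve-DnsName -Name $zone -Type A -Server 127.0.0.1 -ErrorAction SilentlyContinue
        if (-not $a -or $a.IPAddress -notcontains $Zones[$zone]) {
            $findings += "$zone does not resolve internally to $($Zones[$zone])"
        }
    }
    # domain.com itself must not be hosted here, otherwise every public host under it
    # would have to be re-created internally.
    if (Get-DnsServerZone -Name $Domain -ErrorAction SilentlyContinue) {
        $findings += "$Domain is hosted internally; the split leaves it to Internet DNS"
    }
    # Autodiscover via SRV: _autodiscover._tcp should point at the mail host on 443,
    # which avoids needing an autodiscover.domain.com name on the certificate.
    $srv = Resolve-DnsName -Name "_autodiscover._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue
    if (-not $srv -or $srv.NameTarget -notcontains "mail.$Domain" -or $srv.Port -notcontains 443) {
        $findings += "_autodiscover._tcp.$Domain SRV record missing or not pointing at mail.${Domain}:443"
    }
    return $findings
}

New-InternalServiceZones -Zones $internalZones
Test-SplitDns -Zones $internalZones
```

      Test-SplitDns returns an empty list when the layout matches the post; each string it returns names the zone or record that does not.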
    • RE: DNS Update Issue

      @JaredBusch said in DNS Update Issue:

      @wirestyle22 said in DNS Update Issue:

      @Dashrender said in DNS Update Issue:

      @wirestyle22 said in DNS Update Issue:

      Simple case of me never doing this wrong I guess. What a weird thing to screw up. Didn't really have time to sift through it all.

      What do you normally use for your top level domain on an AD build?

      ad.domain.com theoretically. Everything I've ever touched is already in place. Although I'd love to rebuild my family's infrastructure from the ground up.

      If it looks like this, then it owns domain.com

      [image]

      Oh man, what a mess.

      posted in IT Discussion
      PhlipElder
    • RE: DNS Update Issue

      Are these Active Directory based domain controllers with AD integrated DNS set up?

      Then DNS0 on all DCs should point to itself only. By default no other DNS server IP entry should be set on the NIC other than 127.0.0.1. Ever.

      AD integrated DNS takes care of replicating changes and IDs among the DCs in a given forest/domain.

      Never, ever, put a public DNS server anywhere but in the Forwarders location on an AD integrated DNS server.

      DHCP should be handing out DNS entries for the AD DC DNS servers local to them or a tertiary if need-be for redundancy.

      It sounds like whomever set things up had no idea how DNS works. 😛

      posted in IT Discussion
      PhlipElder
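      The rules in this post and in the earlier one about DHCP (a DC's NIC lists only itself as DNS, public resolvers live only under Forwarders, DHCP hands out only internal DCs as DNS servers) can be checked on a DC with the script below. It is an added example, not code from the thread; it assumes it runs on the DC itself with the DnsServer and DhcpServer modules (RSAT / role tools) available, and "internal" is judged by a simple RFC 1918 plus loopback test.

```powershell
# Audit a domain controller against the DNS/DHCP rules from the thread.
# Added example (not from the forum post); assumes it runs on the DC itself with
# the DnsServer and DhcpServer modules available (RSAT / DC role tools).

function Test-InternalIPv4 {
    # RFC 1918 ranges plus loopback count as internal; anything else is treated as public.
    param([string]$Address)
    return ($Address -eq '127.0.0.1' -or
            $Address -like '10.*' -or
            $Address -like '192.168.*' -or
            $Address -match '^172\.(1[6-9]|2[0-9]|3[01])\.')
}

function Test-DcDnsConfig {
    $findings = @()

    # 1. NIC DNS client entries: only this host (own IP or 127.0.0.1) belongs here,
    #    and only one entry (DNS0) is expected.
    $ownIPs = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
    foreach ($nic in Get-DnsClientServerAddress -AddressFamily IPv4) {
        foreach ($srv in $nic.ServerAddresses) {
            if ($srv -ne '127.0.0.1' -and $ownIPs -notcontains $srv) {
                $findings += "NIC '$($nic.InterfaceAlias)': DNS entry $srv is not this DC"
            }
        }
        if ($nic.ServerAddresses.Count -gt 1) {
            $findings += "NIC '$($nic.InterfaceAlias)': $($nic.ServerAddresses.Count) DNS entries; only DNS0 (own IP) is expected"
        }
    }

    # 2. Forwarders are the one place a public resolver belongs; warn if there are none,
    #    since external names then depend on root hints reaching the Internet.
    $fwd = @((Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString })
    if ($fwd.Count -eq 0) { $findings += 'No forwarders configured' }

    # 3. DHCP option 006 (DNS Servers) on every scope: each address handed to clients
    #    should be an internal DNS server (a DC), never a public resolver.
    foreach ($scope in Get-DhcpServerv4Scope) {
        $opt = Get-DhcpServerv4OptionValue -ScopeId $scope.ScopeId -OptionId 6 -ErrorAction SilentlyContinue
        if (-not $opt) {
            # Fall back to the server-level option when the scope does not override it.
            $opt = Get-DhcpServerv4OptionValue -OptionId 6 -ErrorAction SilentlyContinue
        }
        if (-not $opt) {
            $findings += "Scope $($scope.ScopeId): no DNS servers (option 006) configured"
            continue
        }
        foreach ($dns in $opt.Value) {
            if (-not (Test-InternalIPv4 $dns)) {
                $findings += "Scope $($scope.ScopeId): option 006 hands out public resolver $dns"
            }
        }
    }
    return $findings
}

$result = Test-DcDnsConfig
if ($result.Count -eq 0) { 'OK: NIC DNS, forwarders and DHCP option 006 match the expected layout' }
else { $result | ForEach-Object { "FINDING: $_" } }
```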
    • RE: Documenting rack, servers, drives, CPU, RAM etc

      Visio is great for this. There are lots of stencil kits out there that are free for various vendors.

      posted in IT Discussion
      PhlipElder
    • RE: HA With switches

      @scottalanmiller said in HA With switches:

      @PhlipElder said in HA With switches:

      We live in an era where we get what we pay for.

      I've found this to be about the polar opposite of reality. Look at operating systems: the free ones are best, the paid ones are worst - not that Windows is "bad", it's just not up to par with paid options; all OSes are pretty decent today, but the free ones do the best. Look at networking hardware: the highest cost is Cisco, which is often the worst vendor, and the cheapest reasonable ones are often the best. The higher performance processors aren't the most expensive. And on, and on.

      I'd say it's more often inverted... you get the opposite of what you pay for.

      There's always going to be exceptions to any rule.

      We work with ISPs that deploy Catalyst switches into our client sites. There's one site where the WiFi ISP connection piggybacks off of another ISP's system. The other ISP has an ancient Catalyst that keeps locking up every once in a while. That's one example of an issue with a Cisco product, yet it can't be faulted, as the switch is probably way more than ten years old. We've got fibre and coax going into that business park, so we'll be parking that ISP connection into a secondary role at some point, so we've not really pursued a switch change with them yet ...

      For the most part though, we rarely encounter issues with Catalyst switches.

      But, to back up what is being said, the last two hotels in different cities I've stayed in that are the same hotel chain using Cisco Meraki WiFi have been nothing but grief. Whether that particular chain has chosen to let the on-premises WiFi die, or the folks supporting it are not doing a great job, or the product is just plain crap remains to be seen.

      posted in IT Discussion
      PhlipElder
    • RE: HA With switches

      @Francesco-Provino said in HA With switches:

      Anybody have experience with ONIE/WhiteLabel switches? Dell seems committed to it...

      I was in San Jose a couple of weeks ago at the invitation of QCT for their one day product showcase event.

      They are invested pretty heavily with Broadcom in the ONIE market.

      We've deployed a lot of their storage products in cluster settings. They have been a solid go-to for shared SAS settings and soon QCT purpose-built Storage Spaces Direct nodes. They are worth the look.

      posted in IT Discussion
      PhlipElder
    • RE: HA With switches

      @coliver said in HA With switches:

      @PhlipElder said in HA With switches:

      There's a very important reason why Ubiquiti's 10GbE switch is sub $1K while a purebred Cisco is orders of magnitude above that in cost. Engineering.

      Or Marketing and Name Recognition.

      Point taken. Indeed, there's a huge volume of dollars and folks involved on that side.

      posted in IT Discussion
      PhlipElder
    • RE: HA With switches

      @scottalanmiller said in HA With switches:

      @PhlipElder said in HA With switches:

      As far as NETGEAR goes, we avoid anything entry/consumer/pro-sumer. We've only deployed their 10GbE switches and have had good success with them.

      That gets a lot of people, I think. They use consumer Netgear stuff and get questionable results. But I've seen only good results from their more high end gear.

      We live in an era where we get what we pay for. Historically, one could count on purchasing a solid product from pretty much all top tier vendors at all levels.

      That is no longer the case.

      Example: Dell's included warranty. Ever dealt with the "must troubleshoot/diagnose via phone support" support folks before? Ugh, the pain. 😛 ProSupport with NA techs and at least Next Business Day replacement is worth every penny.

      Example: There's a very important reason why Ubiquiti's 10GbE switch is sub $1K while a purebred Cisco is orders of magnitude above that in cost. Engineering. NETGEAR catches the middle-lower of the pack in the XS716T series but still has quality engineering involved on both the hardware and software side.

      Perhaps I'm preaching to the choir here? I'm sufficiently new enough on this forum to excuse it eh? 😉

      I remember standing at the back of the room at Microsoft a number of years ago having the AMG/M versus CTS-V "discussion" with some Blue Badges, my conclusion being CTS-V all the way, though an argument against was exactly this reasoning. A 6-Speed CTS-V Supercharged Wagon is still one of those bucket list items for me. The CTS series is made by Cadillac.

      Looking back to the Cisco purchase of Linksys it was a wise move. They picked up a solid crew of folks to produce a pretty good line of products aimed at a huge market: SMB

      The major "improvement" was a GUI and the introduction of enterprise grade features in a switch and edge setup destined for that market. The early rebranded Linksys stuff was still theirs and still sucked IMNSHO. But, as mentioned, the Small Business Pro product lines have been excellent though not without a few issues.

      For gits and shiggles: https://youtu.be/8SE4YfmlckE <-- Still one of the best produced auto model introduction commercials I've ever seen. 😄

      posted in IT Discussion
      PhlipElder
    • RE: HA With switches

      @JaredBusch said in HA With switches:

      @scottalanmiller said in HA With switches:

      @hobbit666 said in HA With switches:

      As mentioned, I was going to use them coming off the core switches, or should I just stick with what I know, Netgear?

      As per their names, Ubiquiti really only focuses on Edge devices. Netgear makes amazing core stuff (and edge.) Netgear has a really broad line, too.

      I've dealt with too much bad Netgear. I know you always like them, but I've had crap luck with them over the years.

      Today, I would still use Ubiquiti for core.
      [image]

      Heh, and our experience with Ubiquiti is the same: Crap. Especially when we've got a lot of VLAN routing to do at the port level. We've seen them take a knipsch and go into lockdown mode where no packets flow on a specific VLAN.

      I do not like Ubiquiti Sam I Am, Sam I Am, I do not like Ubiquiti Sam I Am.

      As far as NETGEAR goes, we avoid anything entry/consumer/pro-sumer. We've only deployed their 10GbE switches and have had good success with them.

      posted in IT Discussion
      PhlipElder
    • RE: HA With switches

      @scottalanmiller said in HA With switches:

      @JaredBusch said in HA With switches:

      @scottalanmiller said in HA With switches:

      The maker of Linksys (traditionally?) Cisco

      Dude, Cisco sold off Linksys in 2013. Pay attention.
      Cisco bought them in 2003.

      As a brand, but they kept a lot of the products in their routing, switching, and VoIP lines. They sold the name, but they kept the products. So old Linksys is now Cisco proper.

      The Cisco Small Business Pro series edge (NSA 510/520 series with and without WiFi) and their SG300/SG500 series switches were the result of the Linksys purchase engineering combination.

      We've deployed a lot of the SG500x series stackable switches with a few weird behaviours depending on how they are set up. Many of them fronted the disaggregate clusters mentioned above.

      posted in IT Discussion
      PhlipElder
    • RE: HA With switches

      @hobbit666 said in HA With switches:

      @PhlipElder don't know why but I never thought of Netgear as "Enterprise" grade gear. Yeah, fine for an office or shop, but not backbone.

      Since they are always mentioned I thought Ubiquiti, but not sure they will give the required ports as they only have 2 10G SFP+ ports and I'll need 4 at the core.

      Have looked at Dell N4000 series but they seem ££££

      We've been running NETGEAR 10GbE in disaggregate cluster settings for five or six years now. For the most part, they've been rock solid. The only issue we've experienced with them is the need to flash firmware when switching a shared 10GbE RJ45/SFP+ port from one to the other.

      For the price, they are a great place to start.

      And again, no way we'd touch Ubiquiti for anything more than a managed switch.

      posted in IT Discussion
      PhlipElder
    • RE: What Are You Currently Reading Outside of Tech

      @scottalanmiller said in What Are You Currently Reading Outside of Tech:

      Started reading A Wrinkle in Time to the kids today. Through the first chapter now, "Mrs. Whatsit".

      My daughter loved the book but thought the movie sucked.

      posted in Water Closet
      PhlipElder
    • RE: HA With switches

      @Francesco-Provino What's in place now? If it works well then run with their updated products.

      We've run with NETGEAR and Mellanox for 10GbE and Mellanox for 25GbE+.

      The NETGEAR XS716T and up are nice because they don't require any infrastructure upgrades other than CAT6, preferably, to endpoints. RJ45 = simple plug & play for most applications, with SFP connectors for switch to switch.

      Mellanox for all of the SFP style connectors. A pair of MSX1012X 10GbE switches can be had for a very good price. Cost wise, a pair of NETGEAR XS716T switches + Intel X550T-2 NIC pair per server is about the same as a pair of MSX1012X 10GbE Mellanox switches with ConnectX-4 LX 10GbE NIC pairs per server. The benefit with the Mellanox setup is RoCE/RDMA while stepping up into Intel's iWARP capable NICs would push the cost up even further.

      posted in IT Discussion
      PhlipElder
    • RE: HA With switches

      @hobbit666 Ubiquiti has a 10GbE 16-Port switch as well. We would not use them for any kind of primary traffic whether server to server, aggregator, or TOR. Edge/Leaf(? not up on network terms) okay, but not really if VLANs are needed. Too much grief. BTDT

      posted in IT Discussion
      PhlipElder