@hari said in Server Setup for Legal Firm:
@JasGOt Hi Thanks for the reply and your recommendations, sorry for the delayed response. Had to research more on 'our requirements' vs what 'we think we need' rather 'what we do need' As you were knew from the Post i am new to this.
So where did you end up? What are the requirements you are trying to fill based on actual need?
@scottalanmiller said in Server Setup for Legal Firm:
@pmoncho said in Server Setup for Legal Firm:
@scottalanmiller said in Server Setup for Legal Firm:
@Donahue said in Server Setup for Legal Firm:
one post wonder?
Exactly.
1PW's drive me absolutely insane. Between here (which has been realllllllly nice) and
, I wish their was a count at the top for how many times the original poster replied.
Nothing worse than seen 5 pages of replies asking for further info to solve their problem when the 1PW abandons the post.
Its' super rare here, this is one of the very few. On
I agree and that is why I hang out here more than anywhere else. 
@scottalanmiller said in Server Setup for Legal Firm:
@Donahue said in Server Setup for Legal Firm:
one post wonder?
Exactly.
1PW's drive me absolutely insane. Between here (which has been realllllllly nice) and , I wish their was a count at the top for how many times the original poster replied.
Nothing worse than seen 5 pages of replies asking for further info to solve their problem when the 1PW abandons the post.
@scottalanmiller said in Handling DNS in a Single Active Directory Domain Controller Environment:
@pmoncho said in Handling DNS in a Single Active Directory Domain Controller Environment:
@scottalanmiller said in Handling DNS in a Single Active Directory Domain Controller Environment:
@pmoncho said in Handling DNS in a Single Active Directory Domain Controller Environment:
@scottalanmiller said in Handling DNS in a Single Active Directory Domain Controller Environment:
@stuartjordan said in Handling DNS in a Single Active Directory Domain Controller Environment:
I believe the forest level with Samba can only be 2008R2 though.
Sure, but what does that really affect? Forest level limitation is nothing like an old code limitation. Nothing wrong with using a 2008 R2 Forest level.
If I am reading this correctly, I believe Samba 4.4 and higher can go to 2012 R2.
https://wiki.samba.org/index.php/Raising_the_Functional_Levels
Rumor is, but I'm not sure that 4.4 is widely available yet?
smbstatus on Ubuntu 18.1 shows Samba 4.7.6.
Is that for 18.04 or 18.10, the latter released a few days ago (I need to go update some systems.)
My bad, it is 18.04.1
@scottalanmiller said in Handling DNS in a Single Active Directory Domain Controller Environment:
@pmoncho said in Handling DNS in a Single Active Directory Domain Controller Environment:
@scottalanmiller said in Handling DNS in a Single Active Directory Domain Controller Environment:
@stuartjordan said in Handling DNS in a Single Active Directory Domain Controller Environment:
I believe the forest level with Samba can only be 2008R2 though.
Sure, but what does that really affect? Forest level limitation is nothing like an old code limitation. Nothing wrong with using a 2008 R2 Forest level.
If I am reading this correctly, I believe Samba 4.4 and higher can go to 2012 R2.
https://wiki.samba.org/index.php/Raising_the_Functional_Levels
Rumor is, but I'm not sure that 4.4 is widely available yet?
smbstatus on Ubuntu 18.1 shows Samba 4.7.6.
@scottalanmiller said in Handling DNS in a Single Active Directory Domain Controller Environment:
@stuartjordan said in Handling DNS in a Single Active Directory Domain Controller Environment:
I believe the forest level with Samba can only be 2008R2 though.
Sure, but what does that really affect? Forest level limitation is nothing like an old code limitation. Nothing wrong with using a 2008 R2 Forest level.
If I am reading this correctly, I believe Samba 4.4 and higher can go to 2012 R2.
https://wiki.samba.org/index.php/Raising_the_Functional_Levels
@scottalanmiller said in Handling DNS in a Single Active Directory Domain Controller Environment:
@brrabill said in Handling DNS in a Single Active Directory Domain Controller Environment:
Just think of what a different discussion this would be if MS just allowed you to spin up a free AD server, that just had AD, like Hyper-V Server.
Just imagine if a free AD server existed out there!
Oh wait...
I'm guessing you mean Samba? Or am I missing something?
@aaronstuder said in Synology High-Availability Cluster:
@pmoncho I already have the units, so I am just looking for how to set it up.
This location has no room for a rack/servers/etc.
Seems like Shared Folder Sync should do what I want it to do.
Oh I see. I didn't know that. Well, that I cannot help with so I will differ to the community.
@aaronstuder said in Synology High-Availability Cluster:
@pmoncho the whole point of having 2 of them is so that if one of them fails, this location is still working fine.
I guess your question is, what if the whole cluster fails? That is something I have considered, that's why I am asking
I get it. That is why I have stayed away from all NAS products for anything other than backup storage.
I have tested Synology and it sure is a nice product. I guess it also comes down to, can the money be spent wiser elsewhere, like a SAM-SD?
My oldest server will be EOL and without support soon so I am looking a building a SAM-SD as I feel it will perform better than purchasing a new NAS. Plus I can find a duplicate server for spare parts on Ebay cheaper than the NAS I want to purchase.
@aaronstuder said in Synology High-Availability Cluster:
Anyone every built a Synology High-Availability Cluster?
https://www.synology.com/en-us/dsm/feature/high_availability
Would you trust it, or am I better to just rsync the data ever so often?
My first thought is, If the HA is for business, did Synology update their support to at least same day response.
@dafyre said in Handling DNS in a Single Active Directory Domain Controller Environment:
@pmoncho said in Handling DNS in a Single Active Directory Domain Controller Environment:
@dashrender said in Handling DNS in a Single Active Directory Domain Controller Environment:
@pmoncho said in Handling DNS in a Single Active Directory Domain Controller Environment:
@obsolesce said in Handling DNS in a Single Active Directory Domain Controller Environment:
@pmoncho said in Handling DNS in a Single Active Directory Domain Controller Environment:
@obsolesce said in Handling DNS in a Single Active Directory Domain Controller Environment:
@kelly said in Handling DNS in a Single Active Directory Domain Controller Environment:
just challenging the "most commonly correct approach" statement
It seems you are mistaking the "most common approach" with the "most common correct approach". I haven't been around the SMB as much as JB, but I'm assuming the most common approach to SMB DC implementations are incorrect. Meaning, 2+ DCs are being used when 1 should be used. Perhaps two DCs are used because so many other things are done incorrectly, it's thought 1 should't be used due to so many other things not properly in place, but that's besides the point in my reply here.
IMHO, SMB's use 2 DC's (me included) because it is drilled over and over in our heads by outside forces, including the application developers and the OS companies themselves. On top of that, we are completely stupid if we don't have a second DC if the hardware is available. So to follow "Best Practices," SMB's just do it. It doesn't necessarily mean that things are done incorrectly though. It mostly means, we (aka I) have an extra DC there sitting, waiting, getting monthly updates and then gather more dust for years on end all in the name of protection and risk reduction.
That is why coming here and having extensive discussions about general topics has helped me changed my own thoughts about system/network design in SMB's.
Then I assume you have an extra everything if it costs less than $5k, correct? Especially if other things depend on it... such as redundant ISP, all redundant switches, definitely redundant LoB services, etc... if not, why choose only a DC over things that would be way more beneficial to have HA? If you have extra hardware, extra software, etc... that would go unused and be wasted otherwise, then sure, it could make more sense, but could still cause the same amount of benefits and negatives.
Just because a company has an extra DC doesn't mean every process/product/connection needs to be duplicated. If there are two hosts an extra DC is peanuts. No $5K is needed, $800 tops and there is value (reduced risk) in that $800. Plus, as been mentioned, ceasing roles is less time and MUCH less panic than restoring a VM.
Theres so much more though - now you have to make sure there are no replication issues, and you should likely be backing up that VM (it is a VM, right?) also. You could do it free, but assuming you're using a backup product, that might require another license because it's another box, so more costs. It's also additional time doing updates, 2 boxes vs 1.
In the scenario of 2 DC's, the VM would be backed up but is it worth it? Restoring a DC VM with multiple DC's has a higher probability of creating replication issues.
- In the times worked in environments with multiple AD controllers (2 at my last job, and 6 here), when a DC fails, you don't restore it. You seize the FSMO and other roles with the remaining good DC. Then you do a fresh install and reuse the name of the crashed DC.
I agree wholeheartedly. Just seize and remove bad DC and be done. Bring up new DC later during down time.
If an SMB cannot afford a 2nd DC, then they definitely cannot afford a test environment. So all updates are run directly on production servers. We all know MS can really fork up and update or two.
- In a single AD Server environment, you would take snapshots of your AD Server before doing updates.
Snapshot is fine if issues appear immediately which they mostly do. What happens if it appears 1-3 days later? Then issues are compounded. Unless their is a huge vulnerability that needs patched, I wait at least till Sat for initial update and then the rest of production servers days later.
@dashrender said in Handling DNS in a Single Active Directory Domain Controller Environment:
@pmoncho said in Handling DNS in a Single Active Directory Domain Controller Environment:
@obsolesce said in Handling DNS in a Single Active Directory Domain Controller Environment:
@pmoncho said in Handling DNS in a Single Active Directory Domain Controller Environment:
@obsolesce said in Handling DNS in a Single Active Directory Domain Controller Environment:
@kelly said in Handling DNS in a Single Active Directory Domain Controller Environment:
just challenging the "most commonly correct approach" statement
It seems you are mistaking the "most common approach" with the "most common correct approach". I haven't been around the SMB as much as JB, but I'm assuming the most common approach to SMB DC implementations are incorrect. Meaning, 2+ DCs are being used when 1 should be used. Perhaps two DCs are used because so many other things are done incorrectly, it's thought 1 should't be used due to so many other things not properly in place, but that's besides the point in my reply here.
IMHO, SMB's use 2 DC's (me included) because it is drilled over and over in our heads by outside forces, including the application developers and the OS companies themselves. On top of that, we are completely stupid if we don't have a second DC if the hardware is available. So to follow "Best Practices," SMB's just do it. It doesn't necessarily mean that things are done incorrectly though. It mostly means, we (aka I) have an extra DC there sitting, waiting, getting monthly updates and then gather more dust for years on end all in the name of protection and risk reduction.
That is why coming here and having extensive discussions about general topics has helped me changed my own thoughts about system/network design in SMB's.
Then I assume you have an extra everything if it costs less than $5k, correct? Especially if other things depend on it... such as redundant ISP, all redundant switches, definitely redundant LoB services, etc... if not, why choose only a DC over things that would be way more beneficial to have HA? If you have extra hardware, extra software, etc... that would go unused and be wasted otherwise, then sure, it could make more sense, but could still cause the same amount of benefits and negatives.
Just because a company has an extra DC doesn't mean every process/product/connection needs to be duplicated. If there are two hosts an extra DC is peanuts. No $5K is needed, $800 tops and there is value (reduced risk) in that $800. Plus, as been mentioned, ceasing roles is less time and MUCH less panic than restoring a VM.
Theres so much more though - now you have to make sure there are no replication issues, and you should likely be backing up that VM (it is a VM, right?) also. You could do it free, but assuming you're using a backup product, that might require another license because it's another box, so more costs. It's also additional time doing updates, 2 boxes vs 1.
In the scenario of 2 DC's, the VM would be backed up but is it worth it? Restoring a DC VM with multiple DC's has a higher probability of creating replication issues.
The backup product plus a server license for it, would not be included in the costs per this discussion as every scenario would have this cost (unless using windows backup but you still need somewhere to put the backup files).
As for updates, I view this as a HUGE value. Now, one can update the 2nd DC (aka non-FSMO role holder) first and if there is an issue, it doesn't effect any part of the network allowing the admin to NOT run updates on other servers.
If an SMB cannot afford a 2nd DC, then they definitely cannot afford a test environment. So all updates are run directly on production servers. We all know MS can really fork up and update or two.
My patch monthly patch process goes like this; On Sat of "Patch Tuesday" week, I update my 2nd DC and allow it to run till Tuesday. If no issues, I then proceed to other systems during the week or the next Sat. I have had 2 patch issues on a very very generic 2nd DC (Only, AD/DNS nothing else) over the years that could have cost big down time had it run on all production servers. IMHO, that safety, sanity, and security has a lot of value. Like the value investing axiom goes, "Price is what you pay, Value is what you get"
Paying a single OS license for YEARS of a production update server can have a value of 3X its worth.
I am not saying that a very small 10 person SMB shop with one host, 3 VM's (AD/DNS, FS, RDS) should have two DC's. But when you start creeping up to 40-50 users and maybe 100 remote clients, then maybe two DC's come in handy by reducing risk.
@obsolesce said in Handling DNS in a Single Active Directory Domain Controller Environment:
@pmoncho said in Handling DNS in a Single Active Directory Domain Controller Environment:
@obsolesce said in Handling DNS in a Single Active Directory Domain Controller Environment:
@kelly said in Handling DNS in a Single Active Directory Domain Controller Environment:
just challenging the "most commonly correct approach" statement
It seems you are mistaking the "most common approach" with the "most common correct approach". I haven't been around the SMB as much as JB, but I'm assuming the most common approach to SMB DC implementations are incorrect. Meaning, 2+ DCs are being used when 1 should be used. Perhaps two DCs are used because so many other things are done incorrectly, it's thought 1 should't be used due to so many other things not properly in place, but that's besides the point in my reply here.
IMHO, SMB's use 2 DC's (me included) because it is drilled over and over in our heads by outside forces, including the application developers and the OS companies themselves. On top of that, we are completely stupid if we don't have a second DC if the hardware is available. So to follow "Best Practices," SMB's just do it. It doesn't necessarily mean that things are done incorrectly though. It mostly means, we (aka I) have an extra DC there sitting, waiting, getting monthly updates and then gather more dust for years on end all in the name of protection and risk reduction.
That is why coming here and having extensive discussions about general topics has helped me changed my own thoughts about system/network design in SMB's.
Then I assume you have an extra everything if it costs less than $5k, correct? Especially if other things depend on it... such as redundant ISP, all redundant switches, definitely redundant LoB services, etc... if not, why choose only a DC over things that would be way more beneficial to have HA? If you have extra hardware, extra software, etc... that would go unused and be wasted otherwise, then sure, it could make more sense, but could still cause the same amount of benefits and negatives.
Just because a company has an extra DC doesn't mean every process/product/connection needs to be duplicated. If there are two hosts an extra DC is peanuts. No $5K is needed, $800 tops and there is value (reduced risk) in that $800. Plus, as been mentioned, ceasing roles is less time and MUCH less panic than restoring a VM.
@romo said in Twilio to Acquire Sendgrid:
Just got the email, Twilio is acquiring Sendgrid.
I believe this is a good acquistion. Both parties are growing at decent percentages and it fills a gap in Twilio's platform.
On the investment side - Buy the Dip.
@openit said in You know any IT Security Awareness (from Home Users to Enterprise) resource?:
@openit said in You know any IT Security Awareness (from Home Users to Enterprise) resource?:
Is there any focused and dedicated resource available for IT Security Awareness which is covered from Home Users to Enterprise?
When I say Home Users to Enterprise, it is covering everyone who uses Internet/Technology though which user have a risk of privacy and security, either user can be Home Makers, students, blue color worker or people working in SMEs or Giant companies, government sector, so we are talking about around 3.5 Billion people.
I am aware of Knowbe4, getgophish and many others, but they are focused only for companies or business users right?
And there are so many internet users other than Business Users, so my core question was not addressed?
How about any resource in form of Udemy/Coursera or something good, which is focused and dedicated only for IT Security Awareness, which is covering Home users, students, blue color job holders and **of course, SMB/Giants.
While SMB/Giants continually look for training resources, I don't know how feasible it is to get home users, students, blue collar workers, non-techy individuals to a security website.
In my view of these users, computer/cell phone/tablet security is at the bottom of their life list until something goes wrong.
The only site I can think of that is roughly in the area you are looking for, would possibly be www.bleepingcomputer.com
Good luck on your endeavor if you choose to create one. It would be a nice benefit to everyday non-tech individuals.
@obsolesce said in Handling DNS in a Single Active Directory Domain Controller Environment:
@kelly said in Handling DNS in a Single Active Directory Domain Controller Environment:
just challenging the "most commonly correct approach" statement
It seems you are mistaking the "most common approach" with the "most common correct approach". I haven't been around the SMB as much as JB, but I'm assuming the most common approach to SMB DC implementations are incorrect. Meaning, 2+ DCs are being used when 1 should be used. Perhaps two DCs are used because so many other things are done incorrectly, it's thought 1 should't be used due to so many other things not properly in place, but that's besides the point in my reply here.
IMHO, SMB's use 2 DC's (me included) because it is drilled over and over in our heads by outside forces, including the application developers and the OS companies themselves. On top of that, we are completely stupid if we don't have a second DC if the hardware is available. So to follow "Best Practices," SMB's just do it. It doesn't necessarily mean that things are done incorrectly though. It mostly means, we (aka I) have an extra DC there sitting, waiting, getting monthly updates and then gather more dust for years on end all in the name of protection and risk reduction.
That is why coming here and having extensive discussions about general topics has helped me changed my own thoughts about system/network design in SMB's.
@stuartjordan said in Windows Virtual Desktop gives you a Windows 7 or 10 desktop on Azure:
@scottalanmiller could you possibly see Microsoft eventually putting the prices up on RDS Cal's targetting hosted desktop suppliers and companies running RDS/VDI on their own servers and try and push them to run on azure instead, so not making it profitable running on their own infrastructure?
IMHO, MS was close when they had RemoteApp but then moved to RDS and Citrix.
I was looking at moving two servers to RemoteApp on Azure as the price over 3 years was close. All I needed was a simple server for a many users and RemoteApp fit the bill as RDS licenses were included in the pricing. Then MS in their infinite wisdom created RDS with Citrix and the price increase 40% because of additional licensing (albeit with more tools and possibilities of which I don't need)
I haven't checked in a long while so who knows what the pricing is now.
@jaredbusch said in Group Policy - Printer Deployment:
Fuck printers.
Fuck printer servers.
Fuck GPO based printing.
When did you start working with us?????
Hell, its about time to hire a windows print management specialist anymore!.
@pete-s said in Firewall rules for outgoing traffic:
@scottalanmiller said in Firewall rules for outgoing traffic:
@pete-s said in Firewall rules for outgoing traffic:
What is best practice for SMB?
SMB the protocol? Or SMB meaning small business?
Small business. The enterprises I've seen have heavy restrictions on outbound traffic..
I use to limit outbound traffic but like @JaredBusch said, it became hard to manage with all crap issues and small numerous changes constantly. The outbound rules started to add up and after much deliberation, we decided to scrap it.
@dustinb3403 said in VM host: dual CPU vs single CPU - same CPU performance rating:
@pmoncho said in VM host: dual CPU vs single CPU - same CPU performance rating:
@jaredbusch said in VM host: dual CPU vs single CPU - same CPU performance rating:
@scottalanmiller said in VM host: dual CPU vs single CPU - same CPU performance rating:
@pete-s said in VM host: dual CPU vs single CPU - same CPU performance rating:
But for instance in my case 2 x E5-2630V2 (2x6 cores @ 2.5GHz) shows up as having about the same benchmark performance (single thread and multi thread) as 1 x E5-2670V2 (10 cores @ 2.5Ghz).
Comparing typical TDP: 2x6 cores is 2x80W=160W while 1x10 core is 115W.
This is partly why I push companies so hard to move to single proc servers. Often makes far more sense. There is way less overhead.
But in this case tool six scores versus Single Tencor you might as well get the dual processor advantages since youβre going to have to pay for the licensing anyway if he runs any Microsoft products at all
It seems to me, in these situations, software dictates hardware configuration negatively. That is frustrating if one wants to continue to use MS products. Choices, choices, choices!!
I would say the software isn't dictating the hardware, but the licensing terms that comes with the software is.
You are correct. I re-typed that a couple different times and forgot the word "licensing" in the final reiteration.