@Mike-Davis said in Migrate and/or replace old cert server?:

If your sharepoint server is on its own VM, and the only roles on your DC are the cert services, I would build a new DC migrate your FSMO roles over and back up the old DC. Then shutdown the old DC and listen for the screams. If you hear nothing after a week or so power it back up and demote it.

If it wasn't a DC, I would do a V2V right now. But I've heard doing a V2V of DCs is horribly frowned upon.

@Mike-Davis said in Migrate and/or replace old cert server?:

If your sharepoint server is on its own VM, and the only roles on your DC are the cert services, I would build a new DC migrate your FSMO roles over and back up the old DC. Then shutdown the old DC and listen for the screams. If you hear nothing after a week or so power it back up and demote it.

We already have a different server that has all of our FSMO roles, along with four other DCs besides this one, so we're good on the DC side of things.

One thing I'm worried about (mostly because of ignorance) is that, if I demote the server, it will cause some sort of issue with cert services, which could possibly cause issues with SharePoint.

Best case scenario would be that I could totally get rid of cert services and demote the server, SharePoint would keep working without any issues, and I could V2V this server and migrate it over to our ESXi enviroronment! (Prior to learning what I did about Hyper-V today, I would've said P2V :P)

@scottalanmiller said in content filter for small school?:

@Shuey said in content filter for small school?:

I thought I loosely conveyed that pfSense would be the router and DansGuardian would be a module you install inside it for the filtering, lol.

Well that's incorrect, then pfSense is the router and it has a module that is Squid. Squid inside of pfSense does the filtering. Dansguarding is the set of filter rules for Squid. In all cases, Squid is what does the filtering.

My original point was that if you wanted DansGuardian and Squid that it should not be run on your router, like pfSense. It should be on a VM running Linux (or FreeBSD), but not on your router.

Ah, I see - thanks for clarifying. I mean this with all sincerity Scott: I've only had a handful of virtual interactions with you in the relatively short amount of time I've known you, but I really enjoy it and look forward to learning a lot more. You remind me a lot of one of my other IT friends (Joseph Granneman); both of you guys possess a mind-blowing amount of knowledge and skills!

@scottalanmiller said in content filter for small school?:

@Shuey said in content filter for small school?:

I've heard good things about pfSense with DansGuardian

pfSense is just Squid. You should not be using pfSense for filtering, that's your firewall, don't put your filtering in your firewall (trying to make it a UTM). Use pfSense as a router, that's fine. But don't do the UTM thing.

If you want what pfSense to do your filtering, just use Squid in a Linux VM.

I used Squid with Dansguardian for a school back in 2004.

I thought I loosely conveyed that pfSense would be the router and DansGuardian would be a module you install inside it for the filtering, lol.

I've heard good things about pfSense with DansGuardian

Mr Oizo - Flat Beat: https://www.youtube.com/watch?v=qmsbP13xu6k

Playing:
Pac-Man 256 on Steam
Nullpomino on Windows
Hodoku on Windows
Score Rush on Xbox 360
Katamari Damacy on PSX/PS2

Looking to play:
Not sure... I was such a game addict back in the day, I generally try to avoid falling back into being a junkie, lol. Look at my past game collection and you'll see what I mean:
Shuey's old video game collection

I've been using SecureAPlus for the last several months, along with Microsoft Security Essentials on Windows 7 and Windows Defender on Windows 10. It uses ClamAV and it's free - check it out: https://www.secureaplus.com/

@Dashrender said in Migrate and/or replace old cert server?:

@Shuey said in Migrate and/or replace old cert server?:

I just checked the list of issued certs on the server and the last entry (180530) was on May 23rd of 2016... I wonder why it stops there.... I can't think of anything on the server or the rest of the network for that matter that would've caused it to end in May...

I'd really like to figure out how to safely test this role in a disabled state, but I don't know how to disable it without completely removing the role :D.

What was it issued to? that might lead you somewhere.

A user account. The last couple hundred certs were issued to user accounts and workstations.
If you guys have any ideas how to "safely turn it off" for a period of time (so I can see what happens), I'm all ears, lol.

@scottalanmiller said in Migrate and/or replace old cert server?:

@Shuey said in Migrate and/or replace old cert server?:

I'd really like to figure out how to safely test this role in a disabled state, but I don't know how to disable it without completely removing the role :D.

Just suspect the VM.... oh wait, not a discrete VM. One of the many reasons why that is important

Sorry, had to go there.

LOL, touche!

I just checked the list of issued certs on the server and the last entry (180530) was on May 23rd of 2016... I wonder why it stops there.... I can't think of anything on the server or the rest of the network for that matter that would've caused it to end in May...

I'd really like to figure out how to safely test this role in a disabled state, but I don't know how to disable it without completely removing the role :D.

@scottalanmiller Thanks for the enlightenment Scott! I can't believe I JUST NOW found out how Hyper-V really works, lol. Better late than never :D.

@scottalanmiller said in Migrate and/or replace old cert server?:

@Shuey said in Migrate and/or replace old cert server?:

Before Hyper-V was ever introduced on this server, it was and still is a Windows Server 2008 R2 server. They installed Windows Server 2008 R2 on a bare-metal ProLiant. Then, after several months of having the server running as a DC, SharePoint, a cert server and a file server, they decided that they wanted to make it a VM host as well, so they installed the Hyper-V role and built some VMs inside the Hyper-V console.

What you are calling the "Hyper-V Console" is a VM. You are describing the standard "poor" way to install Hyper-V. It doesn't matter how Hyper-V gets installed, a type 1 hypervisor is a type 1 hypervisor. That "console" is a VM on top of Hyper-V. Hyper-V cannot run on top of Windows, it's physically impossible. This is the most common myth around Hyper-V and there are hundreds of posts on SW correcting this.

It's also often listed as the #2 reason (after licensing) that people are confused about Hyper-V and why we used to say that all Hyper-V deployments were caused by confusion.

When you install the "role" of Hyper-V, it takes the previous bare metal Windows install, packages it into a VM, installs Hyper-V beneath it.

Oh snap! I had no idea! I'm still trying to wrap my head around it.... So there's never an instance where someone installs Server 2008 on a physical box, and then later adds the Hyper-V role? You HAVE to build a bare-metal Hyper-V box first and install your server OS in it BEFORE you can then add the Hyper-V role?

update Oh, I just re-read your post. It takes the previous bare-metal WINDOWS install, and turns THAT into a VM!

@scottalanmiller said in Migrate and/or replace old cert server?:

@Shuey said in Migrate and/or replace old cert server?:

-They installed the Hyper-V role which runs as a console (much like VMware Workstation; type 2 hypervisor)

That's incorrect. There is one and only one thing called Hyper-V and it is only a Type 1 hypervisor. This is why you are getting confused when I keep describing why there is no host, because there is truly no host. YOu are assuming that there is an OS on the bare metal, which there is not.

Before Hyper-V was ever introduced on this server, it was and still is a Windows Server 2008 R2 server. They installed Windows Server 2008 R2 on a bare-metal ProLiant. Then, after several months of having the server running as a DC, SharePoint, a cert server and a file server, they decided that they wanted to make it a VM host as well, so they installed the Hyper-V role and built some VMs inside the Hyper-V console.

@Dashrender said in Migrate and/or replace old cert server?:

@Shuey said in Migrate and/or replace old cert server?:

-They installed the Hyper-V role which runs as a console (much like VMware Workstation; type 2 hypervisor)
No actually it doesn't.

You lost me here... a Type 1 hypervisor is a "on hardware" hypervisor (exclusively running as the OS, like ESXi). A Type 2 hypervisor is an "on software" hypervisor (like VMware Workstation).

@scottalanmiller said in Migrate and/or replace old cert server?:

I think that you had four guest VMs from the description. Just one was being perceived as the host, even though it was a VM like the others.

I'll try to layout how this main server was setup:
-A single ProLiant DL360 G6 with 24GB of RAM and a 1TB raid array (4 drives, 7200rpm SATA; yeah, major lame sauce!). I'll refer to this server as the "primary server"; it's the main physical box that everything is "hosted" on/in
-The server has Windows Server 2008 R2 installed and promoted it to a domain controller
-They installed the Hyper-V role which runs as a console (much like VMware Workstation; type 2 hypervisor)
-They built three VMs inside this Hyper-V console
-They installed SharePoint in the primary server (not as a VM) and they configured it so that staff could access it from outside the network
-They installed the Cert Services roles in the primary server and configured it to talk with a separate physical server that acted as the radius host

Does this help?

@scottalanmiller said in Migrate and/or replace old cert server?:

@Shuey said in Migrate and/or replace old cert server?:

@scottalanmiller said in Migrate and/or replace old cert server?:

@Shuey said in Migrate and/or replace old cert server?:

@Dashrender said in Migrate and/or replace old cert server?:

@Shuey said in Migrate and/or replace old cert server?:

@scottalanmiller said in Migrate and/or replace old cert server?:

@Shuey said in Migrate and/or replace old cert server?:

@Dashrender said in Migrate and/or replace old cert server?:

@scottalanmiller said in Migrate and/or replace old cert server?:

@Dashrender said in Migrate and/or replace old cert server?:

@scottalanmiller said in Migrate and/or replace old cert server?:

@Shuey said in Migrate and/or replace old cert server?:

First let me say that I know nothing about certificate services, IIS or SQL (all three of which are currently configured and running on this server).

Why are those together? That's not generally a best practice. I realize that Windows licensing causes some decisions that would otherwise be poor, but this seems an odd combination.

I'm betting it's mainly because the company didn't want to buy 2-3 physical servers. If they would have gone virtualized back then, they might be on different OSEs.

Right.... so assuming one bad decision leading to another.

I know you've been using virtualization since the day VMWare rolled out their first internal only beta (yes I'm kidding), but I don't feel that the SMB really started using virtualization until 2010 or later. It's likely whoever setup this server was unfamiliar with virtualization and they were working with what they knew.

I guess you could say that the bad decision was that the business had a one man/very small IT internal staff. If they had a good MSP or consulting business partner, they might have have gone another route.

The ONLY "virtualization" infrastructure that was in place when I got here was a Hyper-V console (on the same server that I referenced in my original post in this thread; the server that also has SharePoint! This server used to also be a print server and a file server on top of everything else I've already mentioned).

I deployed the VMware infrastructure about a year or so after I started working here.

Assuming that the servers were commodity and post 2005, that means that someone was slacking. Why was Hyper-V console installed but nothing else? That's weird. Did you ever figure out why?

It wasn't "Hyper-V and nothing else". It was a "DC, SharePoint, File Server, Cert Server, AND a Hyper-V host"!

That's not what he means - he means, why was the console for Hyper-V installed and VMs not created - OR - ARE there VMs and Sharepoint is running in a VM? etc...

Nope, SharePoint is running natively in the host OS (not in a VM inside the Hyper-V host which was also installed/running on this server in the past)

Wait, this statement doesn't make sense. There is no "host" with virtualization. EIther it is on the Hyper-V machine or it is not. Everything on a Hyper-V machine is a VM.

Sorry if I confused things. I meant that this server had the Hyper-V role installed, and they had three guest VMs running inside that virtual infrastructure (meaning, it wasn't a dedicated host like an ESXi host is).

That additional "host" is a VM. It's exactly how VMware was until recently. But it is another VM that requires all the same licensing as any other VM (except in very specific cases where it is completely useless.) In both cases, it should not exist.

I'm getting more confused now... you lost me on that last comment Scott :-S (others: please feel free to chime in on Scott's comment to help alleviate the confusion if possible)

@Dashrender said in Migrate and/or replace old cert server?:

So have you removed all VMs from this host?

Yes, long ago. I did away with the print server completely, the media server was rebuilt from scratch as a VMware guest in our ESXi infrastructure and I did a V2V of the accounting server and migrated it also over to our ESXi environment.

@scottalanmiller said in Migrate and/or replace old cert server?:

@Shuey said in Migrate and/or replace old cert server?:

@Dashrender said in Migrate and/or replace old cert server?:

@Shuey said in Migrate and/or replace old cert server?:

@scottalanmiller said in Migrate and/or replace old cert server?:

@Shuey said in Migrate and/or replace old cert server?:

@Dashrender said in Migrate and/or replace old cert server?:

@scottalanmiller said in Migrate and/or replace old cert server?:

@Dashrender said in Migrate and/or replace old cert server?:

@scottalanmiller said in Migrate and/or replace old cert server?:

@Shuey said in Migrate and/or replace old cert server?:

First let me say that I know nothing about certificate services, IIS or SQL (all three of which are currently configured and running on this server).

Why are those together? That's not generally a best practice. I realize that Windows licensing causes some decisions that would otherwise be poor, but this seems an odd combination.

I'm betting it's mainly because the company didn't want to buy 2-3 physical servers. If they would have gone virtualized back then, they might be on different OSEs.

Right.... so assuming one bad decision leading to another.

I know you've been using virtualization since the day VMWare rolled out their first internal only beta (yes I'm kidding), but I don't feel that the SMB really started using virtualization until 2010 or later. It's likely whoever setup this server was unfamiliar with virtualization and they were working with what they knew.

I guess you could say that the bad decision was that the business had a one man/very small IT internal staff. If they had a good MSP or consulting business partner, they might have have gone another route.

The ONLY "virtualization" infrastructure that was in place when I got here was a Hyper-V console (on the same server that I referenced in my original post in this thread; the server that also has SharePoint! This server used to also be a print server and a file server on top of everything else I've already mentioned).

I deployed the VMware infrastructure about a year or so after I started working here.

Assuming that the servers were commodity and post 2005, that means that someone was slacking. Why was Hyper-V console installed but nothing else? That's weird. Did you ever figure out why?

It wasn't "Hyper-V and nothing else". It was a "DC, SharePoint, File Server, Cert Server, AND a Hyper-V host"!

That's not what he means - he means, why was the console for Hyper-V installed and VMs not created - OR - ARE there VMs and Sharepoint is running in a VM? etc...

Nope, SharePoint is running natively in the host OS (not in a VM inside the Hyper-V host which was also installed/running on this server in the past)

Wait, this statement doesn't make sense. There is no "host" with virtualization. EIther it is on the Hyper-V machine or it is not. Everything on a Hyper-V machine is a VM.

Sorry if I confused things. I meant that this server had the Hyper-V role installed, and they had three guest VMs running inside that virtual infrastructure (meaning, it wasn't a dedicated host like an ESXi host is).

@Dashrender said in Migrate and/or replace old cert server?:

@Shuey said in Migrate and/or replace old cert server?:

@scottalanmiller said in Migrate and/or replace old cert server?:

@Shuey said in Migrate and/or replace old cert server?:

@Dashrender said in Migrate and/or replace old cert server?:

@scottalanmiller said in Migrate and/or replace old cert server?:

@Dashrender said in Migrate and/or replace old cert server?:

@scottalanmiller said in Migrate and/or replace old cert server?:

@Shuey said in Migrate and/or replace old cert server?:

First let me say that I know nothing about certificate services, IIS or SQL (all three of which are currently configured and running on this server).

Why are those together? That's not generally a best practice. I realize that Windows licensing causes some decisions that would otherwise be poor, but this seems an odd combination.

I'm betting it's mainly because the company didn't want to buy 2-3 physical servers. If they would have gone virtualized back then, they might be on different OSEs.

Right.... so assuming one bad decision leading to another.

I know you've been using virtualization since the day VMWare rolled out their first internal only beta (yes I'm kidding), but I don't feel that the SMB really started using virtualization until 2010 or later. It's likely whoever setup this server was unfamiliar with virtualization and they were working with what they knew.

I guess you could say that the bad decision was that the business had a one man/very small IT internal staff. If they had a good MSP or consulting business partner, they might have have gone another route.

The ONLY "virtualization" infrastructure that was in place when I got here was a Hyper-V console (on the same server that I referenced in my original post in this thread; the server that also has SharePoint! This server used to also be a print server and a file server on top of everything else I've already mentioned).

I deployed the VMware infrastructure about a year or so after I started working here.

Assuming that the servers were commodity and post 2005, that means that someone was slacking. Why was Hyper-V console installed but nothing else? That's weird. Did you ever figure out why?

It wasn't "Hyper-V and nothing else". It was a "DC, SharePoint, File Server, Cert Server, AND a Hyper-V host"!

That's not what he means - he means, why was the console for Hyper-V installed and VMs not created - OR - ARE there VMs and Sharepoint is running in a VM? etc...

Nope, SharePoint is running natively in the host OS (not in a VM inside the Hyper-V host which was also installed/running on this server in the past)