    Posts

    • RE: SAMIT: Do You Need Two AD Domain Controllers?

      @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

      @storageninja said in Do You Need Two AD Domain Controllers? SAMIT Video:

      CALs are cheap ($50 as a standalone, cheaper if you buy in a pack).

      CALs are either cheap or they are $50 per user, but they aren't both. For an SMB, $50 per user for no reason is expensive. What do they get from that $50?

      And that's hardly the full cost... let's look at a ten person business:

      • Server: $1,000
      • Windows License: $700
      • CALs: $500
      • Windows Pro Upgrades: $1,500
      • Admin Time to Set Up: 2-5 days

      That's $3,700 or $370 per user just to set up, plus around half a day of effort, per user to get set up. In many SMBs, it could take a week of effort just to get that kind of spending approved!

      1/2 a day of effort per user? Explain....

      posted in IT Discussion
      StorageNinja
    • RE: SAMIT: Do You Need Two AD Domain Controllers?

      @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

      @storageninja said in Do You Need Two AD Domain Controllers? SAMIT Video:

      GPO largely "just works" for a ton of things and core applications with tons of existing templates and easily googlable guides (and staff who know how to maintain it that are cheap as chips), it hooks into other Microsoft domain tech (Print server management).

      GPO is unnecessarily complicated and unreliable. It's pushed as a miracle product, but takes huge amounts of effort to learn and maintain and rarely works flawlessly. And AD isn't what provides GPO, that's one of the common myths that cause people to buy AD without actually looking into their needs. GPO doesn't come with AD, you already have it.

      It does, but AD and OU structures are the way most people use to deploy it (as well as the central policy store for deploying 3rd party). You could push it out with SALT etc, but in an SMB internal staff will not know how to use something like that.

      You could have your RMM or MDM manage push outs though (and I am seeing stuff like Airwatch positioned as a replacement). The big gap is MAM as a lot of apps had GPOs and need to have APIs for management to make the transition smooth.

      posted in IT Discussion
      StorageNinja
    • RE: SAMIT: Do You Need Two AD Domain Controllers?

      @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

      @dashrender said in Do You Need Two AD Domain Controllers? SAMIT Video:

      You keep saying that it's likely that many don't need AD - but I see AD making these things much easier (for a cost) than not using AD.

      I think that that is mostly a myth. For a normal SMB, especially a relatively small one, AD saves no effort anywhere, but generates a ton of effort in needing to build and maintain servers, needing to maintain CALs, track CALs, take server backups, etc. All things that don't need to exist without AD, in some cases.

      AD takes no effort to setup or deploy. GPO largely "just works" for a ton of things and core applications with tons of existing templates and easily googlable guides (and staff who know how to maintain it that are cheap as chips), it hooks into other Microsoft domain tech (Print server management).

      CALs are cheap ($50 as a standalone, cheaper if you buy in a pack).

      I worked for an MSP and the amount of "maintenance" we did on AD was really non-existent. If you want to be fancy, you have your RMM script a backup once a day doing a LDIFDE -f backupad.ldif but beyond that, there's just not a lot to it. Any RMM worth its salt (get it, a SALT joke) can manage 100 domain controllers with RMM tools without any real overhead, etc.

      I agree that AD isn't providing as much value these days for small shops as it used to, but the overheads are smaller than ever.

      posted in IT Discussion
      StorageNinja
    • RE: Amazon AWS Leaving Xen for KVM

      @scottalanmiller said in Amazon AWS Leaving Xen for KVM:

      @dafyre said in Amazon AWS Leaving Xen for KVM:

      @scottalanmiller said in Amazon AWS Leaving Xen for KVM:

      @dafyre said in Amazon AWS Leaving Xen for KVM:

      It's $25 a month 8-Core Intel / 16GB RAM / 2TB SATA / 100 mbit unmetered internet / 1 public IPv4.

      That's not too bad. Of course, I'd argue that it would be way cheaper to get four people together, and get a "real" server in colocation and split it. Each of you getting way more than this.

      Cheaper? Yes. Easier? Nah. I don't want 3 other people mad at me when I reboot the host randomly.

      It really isn't bad, and as far as I can tell, they've had amazing reliability at the facility.

      I bet that they are using something like SM Blades.

      Youtube Video

      It's actually pretty cool.

      posted in News
      StorageNinja
    • RE: Amazon AWS Leaving Xen for KVM

      @scottalanmiller The first way I ran Xen was on BSD and Solaris actually.

      posted in News
      StorageNinja
    • RE: Amazon AWS Leaving Xen for KVM

      @scottalanmiller said in Amazon AWS Leaving Xen for KVM:

      It's sad to see Xen go for historical reasons. But logically, the field has too many players. Consolidation is needed. Xen and KVM are already both from the Linux Foundation and XenServer has just driven Xen into the ground. It's horrible that so much went into Xen and now it is being lost, but the better thing for everyone would be for the Xen team to be folded into the KVM team and just focus on a single thing going forward.

      Linus never was a fan of Xen I've heard (KVM got its bits into the kernel first, while there was some snobbery about the quality of Xen's commits).

      posted in News
      StorageNinja
    • RE: Amazon AWS Leaving Xen for KVM

      @scottalanmiller said in Amazon AWS Leaving Xen for KVM:

      @black3dynamite said in Amazon AWS Leaving Xen for KVM:

      @scottalanmiller said in Amazon AWS Leaving Xen for KVM:

      @black3dynamite said in Amazon AWS Leaving Xen for KVM:

      Why is it not possible to customize Xen to work with the custom Intel-made processing?

      It is, but it is much harder. Xen is more complex in that way. And I'm sure a big piece is that they had to make a decision now as to if they should customize Xen or KVM. So if they were thinking that the time was coming to make the switch, this would be what triggered it to be "now" rather than "soon."

      Besides para-virtualization, what other reasons to stick with Xen at all? APIs for Xen? Just in case a job requires the need for Xen?

      PV tech is the big piece. Other than that, Xen has fallen behind KVM, mostly due to most resources being focused on KVM for a long time now.

      Xen's biggest strength was its APIs but performance-wise it was getting slaughtered by modern KVM and ESXi on throughput. I saw benchmark testing done by some large ISP for NFV projects and it was brutal. The DOM0 design had some serious bottlenecks, and Xen's PV tech was largely obsoleted by other CPU offload functions. KVM's APIs are maturing to the point that it's time for everyone to move on for people looking for an open source platform.

      posted in News
      StorageNinja
    • RE: Arg! The money spent the month before I stated here.

      @scottalanmiller said in Arg! The money spent the month before I stated here.:

      @storageninja said in Arg! The money spent the month before I stated here.:

      Most companies' IT is "mature" at this point (Hell SABRE is like 70 years old) and if your company runs on it, you're stuck with a choice of spending a few hundred million to get off of it, or accepting you don't control your own code.

      Pretty sure everyone has accepted that the choice to stay on SABRE has crippled the industry and that they would have all been better moving off of it.

      A 2-3 year project that costs 9-11 figures depending on your size? Good luck getting a board to approve and see that thru in an industry that is tied to the boom/bust cycle of oil prices.
      Only reason I know one airline pulled it off as they were still small when they did it, they doubled the spending to do it in 18 months before oil snapped back up and the investors caught wind of it. Also their board/management is so incestuous, shareholder revolts were able to be ignored till they got it done before the stock tanked from the short-term dive in earnings per share for 6 quarters.

      There are a LOT of things that the stock market will not let you do, and LONG capital-intensive projects that promise long slow returns on investment are pretty much only acceptable for utilities (and only if the RIOC can be kept on a straight line growth as the project completes in sections or else you lose your capital market access).

      posted in IT Discussion
      StorageNinja
    • RE: Arg! The money spent the month before I stated here.

      @scottalanmiller said in Arg! The money spent the month before I stated here.:

      @storageninja said in Arg! The money spent the month before I stated here.:

      @scottalanmiller said in Arg! The money spent the month before I stated here.:

      It's not about proving a point. It's about factors like cost and social engineering (even when unintentional.) Companies with UTMs, I would wager, are vastly more likely to do things like have machines deployed without proper protections, AV break and not be fixed, patches not kept up with... because it creates a sense of security.

      It's the other way. You are an airline or other company who doesn't control 80% of the code going into production...

      Just have good security and don't let that happen. Basically what I hear over and over again is "our IT department is bad, so we use UTMs as a bandaid", which is exactly my concern. Is your company only willing to do dangerous things in production because it trusts in LAN centric security?

      This only works if you control the IT from the start. Most companies' IT is "mature" at this point (Hell SABRE is like 70 years old) and if your company runs on it, you're stuck with a choice of spending a few hundred million to get off of it, or accepting you don't control your own code.

      posted in IT Discussion
      StorageNinja
    • RE: Arg! The money spent the month before I stated here.

      @scottalanmiller said in Arg! The money spent the month before I stated here.:

      @dashrender said in Arg! The money spent the month before I stated here.:

      @tim_g said in Arg! The money spent the month before I stated here.:

      @scottalanmiller said in Arg! The money spent the month before I stated here.:

      @tim_g said in Arg! The money spent the month before I stated here.:

      All AVs are not equal. There are none with a 100% detection rate. The best AVs miss things the mediocre ones catch, and vice versa.

      Right, and I'd argue (and have) that having UTM makes people feel that they don't need to have good AV. But they do, because threats originate often from inside the LAN where the UTM is powerless.

      I don't use the UTM because I can't use AV some places, and as an additional layer of protection in a different way... not to make myself feel like I don't need good AV. Maybe other people, but not me.

      Your environment is much more likely to be infected by a user's device that shouldn't be on your production network than from some user downloading something that an AV scanner on the UTM is going to detect.

      Mostly because devices are allowed to leave the network, get infected, and join again. If the UTM covered them at home, it would be different.

      Plus I assume that those devices can be multihomed while in the office to the LAN and to the Cell network (4G) so they might bypass the UTM even while still in the office.

      This is where either forcing the wifi to route through the UTM to reach the server network, or having IDS functionality delivered by some sort of SDN controller (TippingPoint can tap into OpenFlow) can handle pushing security down as close to that device as possible on the network (so you don't end up with the squishy internal problem).

      posted in IT Discussion
      StorageNinja
    • RE: How to Shaping , Sizing Virtual resources , safe running VMs on VMware infra?.. And How to calculate how many VMs are running on single host server, it helps to face unplanned downtime when one host goes fail down??

      @nerdydad said in How to Shaping , Sizing Virtual resources , safe running VMs on VMware infra?.. And How to calculate how many VMs are running on single host server, it helps to face unplanned downtime when one host goes fail down??:

      900:1 shows that something is not right with your calculations somewhere. That would also mean that you have on average 10.5 TB of RAM allocated to each and every VM in the cluster. Why would a VM need 10.5 TB of RAM? The

      Someone doing build testing of in-memory database scaling (Functional, not actual performance) and they are using the SWAP to SSD to redirect the memory SWAP to an Intel Optane device, or NVMe drives so it doesn't completely crash 🙂

      posted in IT Discussion
      StorageNinja
    • RE: How to Shaping , Sizing Virtual resources , safe running VMs on VMware infra?.. And How to calculate how many VMs are running on single host server, it helps to face unplanned downtime when one host goes fail down??

      @ghani said in How to Shaping , Sizing Virtual resources , safe running VMs on VMware infra?.. And How to calculate how many VMs are running on single host server, it helps to face unplanned downtime when one host goes fail down??:

      kindly guide me, how to shaping, sizing resources capacity and safe running Virtual infra in unplanned downtimes. Provide your suggestion.

      Turning on Admission Control will let you reserve resources for the event of an HA failure.

      https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.avail.doc/GUID-BD6D9434-84C8-4937-BC76-04852F5EA136.html

      posted in IT Discussion
      StorageNinja
    • RE: How to Shaping , Sizing Virtual resources , safe running VMs on VMware infra?.. And How to calculate how many VMs are running on single host server, it helps to face unplanned downtime when one host goes fail down??

      @dustinb3403 said in How to Shaping , Sizing Virtual resources , safe running VMs on VMware infra?.. And How to calculate how many VMs are running on single host server, it helps to face unplanned downtime when one host goes fail down??:

      There is no way in hell that your client has 921 TB of RAM allocated in this cluster. Something is wrong with what you've presented us.

      These people exist. When I ask them who they work for they dodge the question and if I ask for their name I get something like "bob". I've asked not to question it when they have a TAM/SE sitting next to them confirming they are not actually crazy, they just work for.... interesting employers who do strange things....

      posted in IT Discussion
      StorageNinja
    • RE: VMware PSOD happening on VMware host server

      @ghani said in VMware PSOD happening on VMware host server:

      @storageninja

      Dear Team,

      Customer doesn't have VMware SnS support for upgrading VMware latest.

      You don't need active SnS to upgrade to 5.5 which is still in support for another 300 days or so...

      posted in IT Discussion
      StorageNinja
    • RE: Arg! The money spent the month before I stated here.

      @scottalanmiller said in Arg! The money spent the month before I stated here.:

      It's not about proving a point. It's about factors like cost and social engineering (even when unintentional.) Companies with UTMs, I would wager, are vastly more likely to do things like have machines deployed without proper protections, AV break and not be fixed, patches not kept up with... because it creates a sense of security.

      It's the other way. You are an airline or other company who doesn't control 80% of the code going into production...

      posted in IT Discussion
      StorageNinja
    • RE: SAMIT: Do You Need Two AD Domain Controllers?

      There are other Windows functions tied to AD (Print Servers, GPOs, authentication if users are domain users).
      Are we at the point of using MDM systems for management, and external identity and SSO for authentication?

      posted in IT Discussion
      StorageNinja
    • RE: Weekend Plans

      Leaving Houston and going to India for two weeks (Bangalore, New Delhi, some random park in the north).

      posted in Water Closet
      StorageNinja
    • RE: Arg! The money spent the month before I stated here.

      @wrx7m Inbound attacks on systems you are hosting it's still an issue (and yes, your IDS/F5/LB's need to terminate SSL for this to work). On the outbound traffic, there's a lot that can be inferred from what/where you are talking to. If someone is phoning home to a known bot C&C system then you likely want to know that...

      posted in IT Discussion
      StorageNinja
    • RE: Arg! The money spent the month before I stated here.

      @wrx7m said in Arg! The money spent the month before I stated here.:

      @jaredbusch I know firewalls use rules. In Sophos and Sonicwall and others, I'm sure, you can define a host, network and service and call it something like ServerA and drag and drop the hosts/ip address, services and networks to create the rules.

      An object based rule engine. This is what most modern firewalls have moved to.

      posted in IT Discussion
      StorageNinja
    • RE: Arg! The money spent the month before I stated here.

      @wrx7m said in Arg! The money spent the month before I stated here.:

      @jaredbusch Right but my question was related to ACLs, not IDS/IPS.

      Did they have compliance requirements that would drive IDS/IPS? Honestly, I wouldn't deploy an office network without some sort of layer 7 edge inspection. Users are just too dumb...

      posted in IT Discussion
      StorageNinja