I'm not a fan of VMM. Literally every time I log in there's something about he console I have to fix. Or the constant WMI queries to the hosts killing my backups. The virtual switch/logical switch/logical network concept is a overly complicated knockoff of VMware distributed switches.
I am very interested in 5nine Manager however. Have you run a demo in your environment?
Yes to all of that. MS licensing reps say a million different things, are wholly un-knowledgeable, and are generally the last people I'll talk to. We had to get our EA true-up contract amended 12 times before they got it right. 12 TIMES!!! As policy, every piece of correspondence with them is 1) in writing, and 2) backed up for at least 89 years. That way they're forced to legally stand behind what they say.
Those articles helped a ton, thanks! It's pretty simple with DC licensing: just license the hosts.
@scottalanmiller said in Skip Eating Meals for Better Productivity:
@Breffni-Potter said in Skip Eating Meals for Better Productivity:
I'm on a huge foodie change at the moment.
The biggest change I've made is, getting up earlier, having a substantial breakfast and I already feel way better have 3 weeks of that, more awake/energetic during the day, more productive.
I'm the opposite. Breakfast makes me tired all day. And hungry too, so much more hungry when I eat breakfast.
Breakfast kickstarts metabolism, no matter what it is, so the hunger is natural. Sugary breakfast makes me instantly tired and hungry, but fiber, protein, and carbs will carry me through lunch. Breakfast should be a good 400 calories to really count.
I have a question regarding System Center licensing, specifically VMM:
When we bought SC VMM licensing (EA) a few years ago, we got workgroup edition, which covered unlimited VM's. Then, when our SA upgraded, licensing changed. Our System Center VMM Workgroup Edition turned into System Center Standard.
Keep in mind we're only using VMM - no other SC products. Under System Center Standard, do you need a Server ML for each VM in addition to each host? They both count as OSE's, right? We have 100 VM's - this is not an option.
We can upgrade our System Center ML to Datacenter for roughly twice the cost, and that includes unlimited VM's. With SCVMM, a Server ML covers two physical CPU's. So would I need to license only the physical endpoints, right? (IE - two hosts with 2 sockets each, hosting 100 VM's = 2 SC Datacenter Server CAL's)
Sorry, was on vacation.
@RamblingBiped said in SPF Records for Google Apps Mail:
@TAHIN So I should be able to get away with the same entry as what you have then? What does the addition of "a mx" add?
Adding the 'a mx' parameters indicates that only servers that match a public A record or public MX record of your domain are allowed to send. Generally, just saying MX is enough - you're telling the recipient to fail the mail unless the sending IP matches the IP address of one of your domain's MX records, effectively eliminating spoofing. We added 'A' to give us the flexibility to source email from an application or DMZ server. The include: parameter overrides these defaults, allowing Google to proxy.
80% of the reason we (and most companies) implement SPF is to protect their own organization from incoming spearphishing via domain spoofing. The fact that it isn't 100% adopted by all organizations shouldn't be a deterrent to use it.
Our google record : v=spf1 a mx include:_spf.google.com ~all
Soft fail aids troubleshooting when legitimate mail isn't being delivered. We're monitoring for the soft fail tag so we'll know right away if we're getting hit.
You become authoritative for that domain once you add it as an forward lookup zone - so machines on your internal domain will look there first and only. If you're missing an A record in your new zone, lookups will fail.
@Dashrender said in Solving poorly programmed app that requires local admin rights:
@TAHIN said in Solving poorly programmed app that requires local admin rights:
When I go the manual route, I install to a test machine and log in as a normal user. When the app doesn't launch, I start with broad changes (give rights to the whole program files(x86) directory) then test again. I start at the file level, then move to the registry. Have ProcExp open and look for red/green entries. With ProcMon you can play with 'access denied' filters. After you've opened it up enough to get it to work as a standard user, start locking things down one at time until it breaks again.
Like I said, I usually get pretty lucky, ProcExp will launch a process that points right to it.
Starting from an Open System and locking it down seems like it would be much more difficult than going the other way.
For example, I don't want to give full control access to the entire Programs Files directory. Only the application folder in question.
Sometimes it's that easy, but sometimes I have trouble narrowing it down to a specific system component (ie - is it registry, the application directory, something in /Windows, /appdata, etc...). I've found that starting with broad strokes can help narrow it down faster.
@Dashrender said in Solving poorly programmed app that requires local admin rights:
LOL even MS has a failout to running as local admin.
Yep it looks pretty slick. Reddit is still good for something 
When I go the manual route, I install to a test machine and log in as a normal user. When the app doesn't launch, I start with broad changes (give rights to the whole program files(x86) directory) then test again. I start at the file level, then move to the registry. Have ProcExp open and look for red/green entries. With ProcMon you can play with 'access denied' filters. After you've opened it up enough to get it to work as a standard user, start locking things down one at time until it breaks again.
Like I said, I usually get pretty lucky, ProcExp will launch a process that points right to it.
The Standard Analyzer Tool, part of the Application Compatability Toolkit (ACT) from Microsoft might help. It is designed as an application development tool, but I've heard of people using it to supplement installers to give the application appropriate rights during the install. The end result will be two installers. One for the app, and one for the rights.
https://technet.microsoft.com/en-us/library/cc838047(v=ws.10).aspx
I've never tried it - ProcMon/Exp has always given me what I needed for simple apps. So if you do use it, please report back 
Microsoft runs their whole company on Hyper-V, so saying it isn't scaleable is unfounded; however, saying that complexity of scaling up is significantly higher proportional to the same scaling in VMware is accurate. I would consider Hyper-V mature at this point. In fact I would pick it over VMware in almost all situations. In my experience with both, VMware does several things better than hyper-V, but Hyper-V is also completely capable, just with an increased step-count.
My top 5 for VMware advantages over Hyper-V:
Despite those 5 things, I would still pick Hyper-V over VMware for cost alone. VMware needs to realize that their pricing model is losing thousands of potential customers.
Funny... I just ran into this yesterday:
www.iflscience.com/technology/earpiece-translator-claims-let-you-talk-people-foreign-language
IFLS = take it for what it's worth.
@BBigford Yes, exactly what I was going to say The DC should only have links to the real data somewhere else.
@scottalanmiller said in When the Auditor is Tricking Your Business:
I truly believe that nearly all are scams. Some are scams just to take your money for not doing the audit that they promised to do.
Or to take your money by threatening an audit and hoping you'll compensate by over-licensing to death. We just went through our MS SQL true-up. Good god. When Microsoft can prove to me at the binary level that one thread from a VM is able to schedule two hyper-threaded siblings from the same core at the same time, contradicting all of their other documentation, THEN I'll pay for twice the SQL licensing just because I have hyper-threading turned on on my host. Friggin thieves.
@scottalanmiller said in When the Auditor is Tricking Your Business:
How does "legit" and that go together? That his boss was able to cover doesn't make it legit. Could someone be confused to that degree? Maybe. Was it likely? not very.
By legit I meant not a social engineer. He represented a legit company, though he was not reputable himself. Maybe he wanted it so he could sell it later, who knows 
@BBigford
When you browse to \domain.com, it performs a DFS-GET-REFERRALS against the record that was retrieved from DNS. The namespace has to be explicitly shared on the DC that you're connecting to. It's the same for the other AD shares: If you go to your DC and type 'net share' in cmd, you'll be able to see netlogon, sysvol, and your namespace shares and where they're shared from. In essence all DFS does is present shares in a creative way based on which DC you're closest to; there is no DFS without shares.
There was a reddit article a while back about a completely legit HIPAA auditor demanding domain logons and passwords for every user in the company to prove that IT kept track of the stuff. So they went through this guy's company directory, found his boss, and talked to him. The auditor in question was 'confused' and rescinded the demand.
I'm starting to wonder if security audits are conducted like house appraisals..... "I have no idea what the rules are so I'll just do what the guy next to me did".
@Dashrender said in O365 and encrypted mail to other email systems:
@TAHIN , so - you guys are using a Barracuda appliance - why? According to Scott's and your arguments, it's completely unnecessary.
I did at my last job in the medical sector, but not any more. This is where Scott and my philosophies may differ a little bit. Even though we weren't required to maintain security on the other end, we did fall into the 'best effort' mindset. If we were sending stuff to a lawyer or doctor's office that we didn't have a close relationship with, we did what we could to guarantee security knowing that their email system may have flaws, especially if we had the means. Would we have done it if it weren't a free feature from our anti-spam provider? Probably not.