
[Sysadmin] Improper Wireshark use has restarted the editor wars.


Posts

  • wunderbar What Have I Done? Registered User regular
    Feldorn wrote: »
    TL DR wrote: »
    Feldorn wrote: »
    "TL DR" think of it this way: AD is your first factor in most cases, so that is the first system checked for authentication. If that succeeds it will then check the second factor.

    I do agree it would be nice if that was swapped, but I doubt they will.

    Actually our previous 2FA product would insert the 2F request alongside the AD credentials request (so, a third box on the sign-in page), and if that failed then it wouldn't process to AD at all.

    The one we have now also takes over the login page, but then users sign in with a badge and forget their password.

    I suppose I shouldn’t assume most 2FA systems still process AD first.

    tl:dr; users are still users.

    XBL: thewunderbar PSN: thewunderbar NNID: thewunderbar Steam: wunderbar87 Twitter: wunderbar
  • RandomHajile Not actually a Snatcher The New Kremlin Registered User regular
    I’ve been working on getting our new backup system set up this week. I got it backing up a couple physical servers and a handful of VMs to the DataDomain this afternoon, so I decided to tackle the tape unit for the last couple of hours of the day. For some reason, it wouldn’t show the tape library in Windows. I had been refreshing Device Manager all week, going “huh that’s weird” when it didn’t show up, and then moving on with the main setup of the DD and NetWorker. I must have done this a few times a day since we racked it earlier this week.

    Okay, I’ll take a step into the past when we racked it: my colleague and I usually rack servers as a team, and once it is in the rack, I work on the setup and configuration of the server while he works on the cabling in the back. So I handed him the SAS cable that goes between the server and the tape unit, and then I went about my work on the DataDomain.

    Okay, back to today. Like any sane server room, we use cable management arms, so I have this thought in the back of my head like “what is the minimum bend radius of that SAS cable?” I know it’s pretty stiff copper, but I just can’t be sure that it’s not bent too much or that the connectors are strained or whatever. I go to the server room and pull the cable that is routed in the cable management arm and replace it with a brand new one that is wrapped in a wide, gentle loop. When I do get it fully clicked in, making sure that the clips catch the port holes to lock it in, I notice that a light shows up on the SAS HBA card in the server. I’m pretty sure that light wasn’t there 10 seconds ago! Since the original cable is pretty stiff, I can see how it was plugged in, now just lying there, and I notice that the plastic pull release mechanism is on the top...while the new cable has it on the bottom while plugged in.

    TLDR: mini-SAS cable ports are basically square and it is very easy to get them upside-down and they feel like they’re plugged in when they’re upside-down!

  • wunderbar What Have I Done? Registered User regular
    Backups are the fucking worst.

    I had my backup job get stuck at the same place 3 nights in a row. After first night, just killed the job and set it to re-run as normal. After second night I restarted the server, and then just let it re-run.

    After the third night.... what I did was try to troubleshoot it by stopping the service on the server..... which broke/failed/timed out and the server completely freaked out and wouldn't start any of the services again. So I rebooted the server, started a backup...... and it didn't get stuck this time.

    :rotate:

    XBL: thewunderbar PSN: thewunderbar NNID: thewunderbar Steam: wunderbar87 Twitter: wunderbar
  • Seidkona Had an upgrade Registered User regular
    edited February 2019
    They. . .

    They were running processes on the global zones. . . .

    *Snaps*

    Mostly just huntin' monsters.
    XBL:Phenyhelm - 3DS:Phenyhelm
  • SniperGuy SniperGuyGaming Registered User regular
    Hrm, we have a mac server functioning as part of our DNS and DHCP. Apparently one of my admins doesn't have internet this morning because someone's new Pixel 3 is using the same IP as their macbook. I've checked both devices and both are set to get an IP from the DHCP server. But the DHCP server, a mac running Server, is weirdly assigning them the same IP. Of course, trying to google mac server dhcp ip conflict stuff gets a whole lot of stuff that doesn't help. Any ideas on how I can like, refresh the DHCP server without killing our network? This is probably a super easy thing and seems like a silly question for some of you, I'm sure.

  • That_Guy I don't wanna be that guy Registered User regular
    SniperGuy wrote: »
    Hrm, we have a mac server functioning as part of our DNS and DHCP. Apparently one of my admins doesn't have internet this morning because someone's new Pixel 3 is using the same IP as their macbook. I've checked both devices and both are set to get an IP from the DHCP server. But the DHCP server, a mac running Server, is weirdly assigning them the same IP. Of course, trying to google mac server dhcp ip conflict stuff gets a whole lot of stuff that doesn't help. Any ideas on how I can like, refresh the DHCP server without killing our network? This is probably a super easy thing and seems like a silly question for some of you, I'm sure.

    In Windows and most routers you can clear the DHCP pool and/or conflicts. IDK quite how to do that on Mac. I did some googling and it didn't appear to be very clear. Maybe use this as an opportunity to ditch the Apple server and use something that's actually supported for DHCP.

  • Thawmus +Jackface Registered User regular
    What do the DHCP leases on the server say? Do they somehow miraculously have the same MAC address? Did the lease not expire on one of them when it should have?

    Twitch: Thawmus83
  • SniperGuy SniperGuyGaming Registered User regular
    One of the devices was listed about a hundred times in the interface. But I rebooted it and that seems to have worked? So uh...ignore me! Definitely using this as a "hey let's get rid of this thing entirely" conversation starter though. Thanks! Sorry for uh..not trying that before posting. >.>

  • lwt1973 King of Thieves Syndication Registered User regular
    Sometimes you think users learn and then you have days like this.

    "He's sulking in his tent like Achilles! It's the Iliad?...from Homer?! READ A BOOK!!" -Handy
  • SiliconStew Registered User regular
    That_Guy wrote: »
    SniperGuy wrote: »
    Hrm, we have a mac server functioning as part of our DNS and DHCP. Apparently one of my admins doesn't have internet this morning because someone's new Pixel 3 is using the same IP as their macbook. I've checked both devices and both are set to get an IP from the DHCP server. But the DHCP server, a mac running Server, is weirdly assigning them the same IP. Of course, trying to google mac server dhcp ip conflict stuff gets a whole lot of stuff that doesn't help. Any ideas on how I can like, refresh the DHCP server without killing our network? This is probably a super easy thing and seems like a silly question for some of you, I'm sure.

    In Windows and most routers you can clear the DHCP pool and/or conflicts. IDK quite how to do that on Mac. I did some googling and it didn't appear to be very clear. Maybe use this as an opportunity to ditch the Apple server and use something that's actually supported for DHCP.

    DHCP servers should also have conflict detection turned on if it's not. This makes the server ping the address it's offering before assigning the address to a device with a different MAC. Of course if ping is blocked for some reason, this won't work. The client should then do an ARP ping once it gets an address to also check for conflicts on the local LAN, but that could fail too. Apple phones are particularly annoying because they join the network with expired IPs before even attempting a DHCP renew.

    Just remember that half the people you meet are below average intelligence.
  • mcp Registered User regular
    wunderbar wrote: »
    Backups are the fucking worst.
    Man, I love backups and disaster recovery.

    After that vfemail attack the other day we rethought our threat model a bit, and I'm getting some bucks to add to our solution.

    Gonna have some fun over here

  • SniperGuy SniperGuyGaming Registered User regular
    So looking at our network and stuff, it seems like setting up some kind of Active Directory type thing would be beneficial. We have a mix of Windows and Mac computers, iPads (managed by Jamf), and Google accounts. It looks like we could set up a single sign-on type thing to sync people's AD credentials with their Google credentials which would save me a lot of headache when people ask me "what do you mean my computer password" and then finding out that their password is "password." We're hoping to add the Macs to Jamf soon too, but I'm not certain if AD and MDM stuff overlap too much? I would love to be able to more easily stop people from downloading SearchProtect and mindspark garbage though.

    I just have to convince my bosses that we need to get a server to handle this, probably a rackmount type thing and then I can figure out VMs and all that fun stuff too. Is this sounding plausible or are there other alternatives I should be aware of?

  • TL DR Not at all confident in his reflexive opinions of things Registered User regular
    How many computers?

    Setting up an Active Directory domain is pretty much necessary once you start managing more than a handful of endpoints - users don't need Local Admin rights, you shouldn't be having to set up mapped drives and printers manually pretty much ever, and as you mentioned Single Sign-On is the light.

    The cost of a server and Windows licensing will be non-trivial, though, and I'm not sure I'd recommend this project for someone who hasn't worked with AD before. Do you have the option to bring in a contractor for the initial setup at least?

  • Seidkona Had an upgrade Registered User regular
    edited February 2019
    I remember that it was for a school, correct?

    Licensing should be dirt cheap for K-12 and NPOs on most MS software.

    Mostly just huntin' monsters.
    XBL:Phenyhelm - 3DS:Phenyhelm
  • SniperGuy SniperGuyGaming Registered User regular
    TL DR wrote: »
    How many computers?

    Setting up an Active Directory domain is pretty much necessary once you start managing more than a handful of endpoints - users don't need Local Admin rights, you shouldn't be having to set up mapped drives and printers manually pretty much ever, and as you mentioned Single Sign-On is the light.

    The cost of a server and Windows licensing will be non-trivial, though, and I'm not sure I'd recommend this project for someone who hasn't worked with AD before. Do you have the option to bring in a contractor for the initial setup at least?

    We've got approximately 200ish laptops/desktops. And yeah, I'd almost certainly be bringing in a contractor to get the initial setup going (while I peer over their shoulder and learn as best I can). When I worked at the help desk at my uni I got some experience adding machines to Active Directory, but that was a while ago. Not having to set up printers anymore sounds pretty dang tempting.

    And yup, for a school. Price being a huge concern for my admin so dirt cheap licensing is sounding good.

  • Seidkona Had an upgrade Registered User regular
    It's called the Open Licensing Program for Education.

    Check out techsoup stock.

    Mostly just huntin' monsters.
    XBL:Phenyhelm - 3DS:Phenyhelm
  • TL DR Not at all confident in his reflexive opinions of things Registered User regular
    Microsoft offers different pricing for schools - here's the first license vendor I hit in Google, for pricing comparison's sake.

  • mcp Registered User regular
    I'd plan for 2 AD installs on separate machines in case one goes south. You're kind of fucked if your only domain controller goes down.

    Syncing for Jamf and Google shouldn't be too difficult. I'd just ask what kind of permissions they want the service account to have. So many of those things ask for a domain admin account, and that's not a great idea. There's probably a way to narrow down what they need, but you'll have to ask for it, most likely.

  • Myiagros Registered User regular
    4 hours into my day and I've billed almost 6 hours already. Doing way too much double duty on calls.

    iRevert wrote: »
    Because if you're going to attempt to squeeze that big black monster into your slot you will need to be able to take at least 12 inches or else you're going to have a bad time...
    Steam: MyiagrosX27
  • Echo ski-bap ba-dap Moderator mod
    Oh goodie, someone wrote a summary in English so I don't have to translate this whole circus myself.

    https://medium.com/@rikardhjort/2-7-medical-calls-breached-in-sweden-and-its-pure-comedy-b93c1af95e06

  • Myiagros Registered User regular
    Hybrid 365 is so damn stupid, especially when 1 out of every 10 accounts you attempt to create ends up creating both a Cloud and On-Prem mailbox, even when you have never assigned an Exchange Online license before.

    iRevert wrote: »
    Because if you're going to attempt to squeeze that big black monster into your slot you will need to be able to take at least 12 inches or else you're going to have a bad time...
    Steam: MyiagrosX27
  • Drovek Registered User regular
    Echo wrote: »
    Oh goodie, someone wrote a summary in English so I don't have to translate this whole circus myself.

    https://medium.com/@rikardhjort/2-7-medical-calls-breached-in-sweden-and-its-pure-comedy-b93c1af95e06

    I laughed, I cried.

    Nobody could see the full ramifications of the mighty Ethernet cable...

  • Echo ski-bap ba-dap Moderator mod
    Drovek wrote: »
    Echo wrote: »
    Oh goodie, someone wrote a summary in English so I don't have to translate this whole circus myself.

    https://medium.com/@rikardhjort/2-7-medical-calls-breached-in-sweden-and-its-pure-comedy-b93c1af95e06

    I laughed, I cried.

    Nobody could see the full ramifications of the mighty Ethernet cable...

    This entire company seems to be older guys who learned things in the 90s and never bothered to update their knowledge.

  • twmjr Registered User regular
    Drovek wrote: »
    Echo wrote: »
    Oh goodie, someone wrote a summary in English so I don't have to translate this whole circus myself.

    https://medium.com/@rikardhjort/2-7-medical-calls-breached-in-sweden-and-its-pure-comedy-b93c1af95e06

    I laughed, I cried.

    Nobody could see the full ramifications of the mighty Ethernet cable...

    This takes the "I plugged both ends of the cable into the ports in the wall because it looked nicer" to a whole new level...

  • LD50 Registered User regular
    Myiagros wrote: »
    Hybrid 365 is so damn stupid, especially when 1 out of every 10 accounts you attempt to create ends up creating both a Cloud and On-Prem mailbox, even when you have never assigned an Exchange Online license before.

    Hybrid 365 is a headache.

  • Peewi Registered User regular
    Echo wrote: »
    Oh goodie, someone wrote a summary in English so I don't have to translate this whole circus myself.

    https://medium.com/@rikardhjort/2-7-medical-calls-breached-in-sweden-and-its-pure-comedy-b93c1af95e06

    I like "but Computer Sweden found out".

  • Echo ski-bap ba-dap Moderator mod
    Peewi wrote: »
    Echo wrote: »
    Oh goodie, someone wrote a summary in English so I don't have to translate this whole circus myself.

    https://medium.com/@rikardhjort/2-7-medical-calls-breached-in-sweden-and-its-pure-comedy-b93c1af95e06

    I like "but Computer Sweden found out".

    It takes a lot for an employer in Sweden to be able to fire someone on the spot.

    This feels like one of those cases.

  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    @spool32 @aioua @riemannlives @TL DR

    (Also a question for the rest of the thread.)

    The other day we were talking about limitations on memory usage for 32-bit processes running in a 64-bit Windows environment. I found some good discussions about it on MSDN and StackExchange:

    https://blogs.msdn.microsoft.com/tom/2008/04/10/chat-question-memory-limits-for-32-bit-and-64-bit-processes/
    https://docs.microsoft.com/en-us/windows/desktop/Memory/memory-limits-for-windows-releases
    https://stackoverflow.com/questions/639540/how-much-memory-can-a-32-bit-process-access-on-a-64-bit-operating-system

    ...but there's one thing I want confirmation on, which is how to translate that to the output of the Get-Process Powershell command, which divides up its output among four pools of memory:
    Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
    -------  ------    -----      -----     ------     --  -- -----------
       1159      51    54200     104356       5.31  10720   4 animetiddiesvisualnovel
    

    Non-paged pool: 51 KB
    Paged pool: 54200 KB
    Working Set: 104356 KB

    Let's say I want to make sure that my animetiddiesvisualnovel.exe 32-bit process isn't bumping up against the aforementioned limits. If I understand how memory allocation works (and I'm not sure if I do), then I should sum all three values and look at the total, right?

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    BTW I said "four pools of memory" because Get-Process also returns a VM (Virtual Memory) value but that is not displayed in its default output.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
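
Added example, not part of any post in this thread: the Microsoft pages linked in the question describe the 32-bit limit as a limit on a process's user-mode virtual address space (2 GB by default, 4 GB on 64-bit Windows for large-address-aware executables), so this PowerShell function reports the VM value next to the three default Get-Process columns and compares it with that limit. The function name `Get-AddressSpaceHeadroom`, its parameters, and the `Native.Wow64` wrapper type are made up for illustration; it assumes x64 Windows and that the caller supplies the limit that applies to the executable.

```powershell
# Added example (not from the thread). Assumes x64 Windows.
# Wrap the Win32 IsWow64Process call so we can tell 32-bit processes apart.
Add-Type -Namespace Native -Name Wow64 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool IsWow64Process(
    IntPtr hProcess,
    [MarshalAs(UnmanagedType.Bool)] out bool wow64Process);
'@

function Get-AddressSpaceHeadroom {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,
        # Assumption: caller knows the limit. 2GB is the default for 32-bit
        # processes; pass 4GB for large-address-aware executables.
        [long]$LimitBytes = 2GB,
        [ValidateRange(1, 100)][int]$WarnPercent = 80
    )

    foreach ($p in Get-Process -Name $Name -ErrorAction Stop) {
        $isWow64 = $false
        try {
            # Reading .Handle throws if we are not allowed to open the process.
            if (-not [Native.Wow64]::IsWow64Process($p.Handle, [ref]$isWow64)) {
                Write-Warning "IsWow64Process failed for PID $($p.Id)"
                continue
            }
        }
        catch {
            Write-Warning "Cannot open PID $($p.Id): $($_.Exception.Message)"
            continue
        }

        # Native 64-bit processes are not subject to the 32-bit limit.
        if (-not $isWow64) { continue }

        $usedPct = [math]::Round(100 * $p.VirtualMemorySize64 / $LimitBytes, 1)

        [pscustomobject]@{
            Id          = $p.Id
            ProcessName = $p.ProcessName
            'NPM(K)'    = [math]::Round($p.NonpagedSystemMemorySize64 / 1KB)
            'PM(K)'     = [math]::Round($p.PagedMemorySize64 / 1KB)
            'WS(K)'     = [math]::Round($p.WorkingSet64 / 1KB)
            'VM(M)'     = [math]::Round($p.VirtualMemorySize64 / 1MB)
            LimitPct    = $usedPct
            NearLimit   = ($usedPct -ge $WarnPercent)
        }
    }
}

# Usage: pass the process name without ".exe"; add -LimitBytes 4GB for a
# large-address-aware build.
# Get-AddressSpaceHeadroom -Name '<process name>' | Format-Table -AutoSize
```
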
  • Aioua Ora Occidens Ora Optima Registered User regular
    I think the only one you should be caring about is the working set?

    life's a game that you're bound to lose / like using a hammer to pound in screws
    fuck up once and you break your thumb / if you're happy at all then you're god damn dumb
    that's right we're on a fucked up cruise / God is dead but at least we have booze
    bad things happen, no one knows why / the sun burns out and everyone dies
  • RandomHajile Not actually a Snatcher The New Kremlin Registered User regular
    Aioua wrote: »
    I think the only one you should be caring about is the working set?
    I’m not 100% sure on it, but I think vowels is right.

  • Peewi Registered User regular
    Echo wrote: »
    Peewi wrote: »
    Echo wrote: »
    Oh goodie, someone wrote a summary in English so I don't have to translate this whole circus myself.

    https://medium.com/@rikardhjort/2-7-medical-calls-breached-in-sweden-and-its-pure-comedy-b93c1af95e06

    I like "but Computer Sweden found out".

    It takes a lot for an employer in Sweden to be able to fire someone on the spot.

    This feels like one of those cases.

    Still seems better than the new medical IT system in Denmark, which is bad and slow and has been the cause of patients being given the wrong doses of medicine.

  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    Aioua wrote: »
    I think the only one you should be caring about is the working set?

    Thank you!

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • Kakodaimonos Code fondler Helping the 1% get richer Registered User regular
    Aioua wrote: »
    I think the only one you should be caring about is the working set?

    Working set will be the total of whatever is currently in the physical memory.
    Paged pool is what can be paged in and out of the virtual memory.
    Non paged pool is memory that cannot be paged, usually from device drivers like network cards.

    Working set will be the one that will trigger the OutOfMemory exception.

    The others are useful in some situations.

  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    Aioua wrote: »
    I think the only one you should be caring about is the working set?

    Working set will be the total of whatever is currently in the physical memory.
    Paged pool is what can be paged in and out of the virtual memory.
    Non paged pool is memory that cannot be paged, usually from device drivers like network cards.

    Working set will be the one that will trigger the OutOfMemory exception.

    The others are useful in some situations.

    Thank you!

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • SniperGuy SniperGuyGaming Registered User regular
    Does anyone know the ballpark cost for setting up a domain controller server/hyperv type thing? The people I just talked to quoted around 5k for one, possibly double to have a redundant backup. Potentially going to be a tricky sell to my bosses at that pricing. Seems like something we definitely want in the long run though.

  • Cog What'd you expect? Registered User regular
    edited February 2019
    SniperGuy wrote: »
    Does anyone know the ballpark cost for setting up a domain controller server/hyperv type thing? The people I just talked to quoted around 5k for one, possibly double to have a redundant backup. Potentially going to be a tricky sell to my bosses at that pricing. Seems like something we definitely want in the long run though.

    A DC on Hyper-V? For someplace to do that and do a good job, that’s probably a reasonable estimate.

    Personally I’d do it on the free VMWare hypervisor over Hyper-V but whatever. 5k is not unreasonable at all.

    There’s fast, good, and cheap - you can only ever pick two. Personally I don’t often pick cheap.

  • SniperGuy SniperGuyGaming Registered User regular
    Cog wrote: »
    SniperGuy wrote: »
    Does anyone know the ballpark cost for setting up a domain controller server/hyperv type thing? The people I just talked to quoted around 5k for one, possibly double to have a redundant backup. Potentially going to be a tricky sell to my bosses at that pricing. Seems like something we definitely want in the long run though.

    A DC on Hyper-V? For someplace to do that and do a good job, that’s probably a reasonable estimate.

    Personally I’d do it on the free VMWare hypervisor over Hyper-V but whatever. 5k is not unreasonable at all.

    There’s fast, good, and cheap - you can only ever pick two. Personally I don’t often pick cheap.

    Okay, good to know. The people I talked to have given me some fairly expensive quotes in the past so just wanted to make sure I was in the right ballpark. Free VMWare might be the way to go though. The guy was saying a lot of the cost might be moving our users into it (which I guess is trickier than just loading up our google admin and trying to sync stuff over?) but ideally that's a project I can tackle and cut down the cost. Because presumably once I get this up and running it'll reduce my headaches in the long run.

  • Cog What'd you expect? Registered User regular
    SniperGuy is in my company’s region, so I was able to forward his info/situation on to our sales weasels to see if we can do any better for him.

    :bro:

  • Cog What'd you expect? Registered User regular
    Any vendor still requiring silverlight should have their asshair ripped out.

This discussion has been closed.