active directory is always the worst. I've never encountered one that wasn't set up in the 90's so there's just layers and layers of cruft and re-designing/building a new one from scratch is always going to be too much work so you just live with it.
at my current place the domain isn't even a .local domain. For some reason whoever set this AD up, like I said probably in the 90's, used [domain].ads as the AD domain here.
6 months in and it still gets me every so often.
Yeah this is also one of the reasons I'm extremely hesitant to shift us into the Windows direction as a company.
I know for a fact we won't do it properly, resource-wise. I know I lack the know-how to do it properly, logistically. And I've seen what a colossal clusterfuck it can cause when someone doesn't do it properly.
Re: My earlier posts about this subject, I'm actually shifting gears towards supporting stuff in WINE instead because the alternative will be worse.
Does anyone have recommendations for email hosting? I have my own (really really basic) site running on digitalocean, and while there's "how to set up an email server on digitalocean" tutorials out there, they all look like more trouble than I want to deal with just to get 'me@mywebsite.com' to work rather than having to use 'myname@gmail.com'.
(looking for personal, cheap, email hosting, not enterprise-grade stuff, to clarify; one of these days I want to make my website not so awful, and it feels like setting mail up properly goes along with that)
The things I've seen people trying to use AD for.... It's not a HR system, stop putting personal information in it, it's readable by everbody. No, we can't change that, it's the whole point of it. Why do we have 200+ OUs for different users? We just need Regular Users, Admins, Serviceaccounts and Shared Mailboxes.
I have had customers (small businesses) that had a decent setup for AD though (usually because we get to greenfield it once we get a customer). You definitely don't want to use .local domains anymore though, best practice is public resolvable top domain and then an internal subdomain (intern.pennyarcade-example.com, corp.pennyarcade-example.com etc.).
Does anyone have recommendations for email hosting? I have my own (really really basic) site running on digitalocean, and while there's "how to set up an email server on digitalocean" tutorials out there, they all look like more trouble than I want to deal with just to get 'me@mywebsite.com' to work rather than having to use 'myname@gmail.com'.
(looking for personal, cheap, email hosting, not enterprise-grade stuff, to clarify; one of these days I want to make my website not so awful, and it feels like setting mail up properly goes along with that)
O365 is the main hosting platform I have used and you can get basic email (Kiosk, 2GB, webmail only) for around $2.50/month, less basic email (Business Basic, 50GB, Exchange) for $6.50/month. Incredibly easy to set up, add the domain to 365, add the DNS records to your host, license the account and away you go.
Because if you're going to attempt to squeeze that big black monster into your slot you will need to be able to take at least 12 inches or else you're going to have a bad time...
Does anyone have recommendations for email hosting? I have my own (really really basic) site running on digitalocean, and while there's "how to set up an email server on digitalocean" tutorials out there, they all look like more trouble than I want to deal with just to get 'me@mywebsite.com' to work rather than having to use 'myname@gmail.com'.
(looking for personal, cheap, email hosting, not enterprise-grade stuff, to clarify; one of these days I want to make my website not so awful, and it feels like setting mail up properly goes along with that)
O365 is the main hosting platform I have used and you can get basic email (Kiosk, 2GB, webmail only) for around $2.50/month, less basic email (Business Basic, 50GB, Exchange) for $6.50/month. Incredibly easy to set up, add the domain to 365, add the DNS records to your host, license the account and away you go.
I'll second Microsoft 365. Business Basic is actually just $6 a month if you buy a year at a time.
Just FYI, ".local" domains aren't best practice, either.
Best practice is to use a real honest to goodness registered domain.
If you absolutely must have your DNS split between internal and external, use a subdomain for your internal.
The problem with using .ads though is that it's a bona fide TLD, which means it's possible (though extremely unlikely) for the TLD owner (Google) to create a public domain name that matches your internal domain name.
every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.
Rebuilding Active Directory is basically building New New York on top of Old New York.
That said you can still start and continue doing things better and slowly clean up.
The users and groups part is the easy bit. Group Policy is where thing really take a piss.
Interesting. I've always found the opposite to be true.
The native tools for group policy tell you exactly which GPO is assigned to which user and group, and they show you the settings for that GPO. I don't have to switch to another pane of glass.
However, there's no native tool for showing you what a security group is used for; even just scanning your file servers for NTFS permissions requires either some Powershell scripting or a third-party tool. And it takes forever. And that doesn't tell you anything about third-party systems that use LDAP to check security group membership.
Basically, if I see a weird GPO, I can look at that GPO and know what it does.
If I see a weird security group, I have to go on a scavenger hunt across multiple disparate systems and servers to figure out what it's used for.
This makes GPOs much easier to clean up and GPOs in a legacy environment much easier to manage than security groups.
every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.
active directory is always the worst. I've never encountered one that wasn't set up in the 90's so there's just layers and layers of cruft and re-designing/building a new one from scratch is always going to be too much work so you just live with it.
at my current place the domain isn't even a .local domain. For some reason whoever set this AD up, like I said probably in the 90's, used [domain].ads as the AD domain here.
6 months in and it still gets me every so often.
Yeah this is also one of the reasons I'm extremely hesitant to shift us into the Windows direction as a company.
I know for a fact we won't do it properly, resource-wise. I know I lack the know-how to do it properly, logistically. And I've seen what a colossal clusterfuck it can cause when someone doesn't do it properly.
Re: My earlier posts about this subject, I'm actually shifting gears towards supporting stuff in WINE instead because the alternative will be worse.
I love Active Directory. But at this point, I'm getting extremely disillusioned with Microsoft overall.
No usable audit trail anywhere
No usable way to determine who changed what files on a file server
Turning on the object access auditing sucks balls
WMI is great for management but sucks shit for monitoring
No native SNMP v3 support
No native syslog support
Fucking Xbox Live components installed by default on server OSes
Windows Update tools still in the dark ages
Thank god for PSWindowsUpdate
WSUS reporting sucks shit
No native ability to blacklist keywords in users' passwords or fine-grain complexity requirements
No native ability to see which users are logged on to which workstations in an AD network
... I could go on ...
It's obvious that damn few of the people who work on Windows Server products are actual server administrators. Mission-critical features like PSWindowsUpdate and LAPS (or the older Sysinternals stuff) are created by Windows software engineers on their off time and released as unsupported add-ons for people to beta test for a few years until Microsoft semi-officially adopts them but won't bring them fully into the fold and then it's questionable whether they'll actually get updated in the future (like the Sysinternals stuff). They have no clue what the actual workflows are for server administrators in real-world enterprises. I shouldn't have to install a third-party agent to get my hosts to talk to a goddamn syslog server, and I shouldn't have to pick through that syslog server to figure out in real-time where a user is logged in.
Feral on
every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.
And that's nothing to say of Windows 10, which from a system admin POV has been a dumpster fire since day one. (Candy Crush adverts in the start menu in an Enterprise SKU? Fucking really? A fucking Calculator app that shits itself? How do you fuck up a Calculator app?) I haven't even touched Windows 11 for personal use yet.
every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.
the "no true scotch man" fallacy.
+1
Options
RandomHajileNot actually a SnatcherThe New KremlinRegistered Userregular
DNS LOGS ARE STILL A TEXT FILE!
We use the Splunk Forwarder and it’s great and all, but sometimes we get alerts about DNS lookups from our firewall and you have to check the 100MB text file before it gets zapped….at some random time in the middle of the night.
active directory is always the worst. I've never encountered one that wasn't set up in the 90's so there's just layers and layers of cruft and re-designing/building a new one from scratch is always going to be too much work so you just live with it.
at my current place the domain isn't even a .local domain. For some reason whoever set this AD up, like I said probably in the 90's, used [domain].ads as the AD domain here.
6 months in and it still gets me every so often.
Yeah this is also one of the reasons I'm extremely hesitant to shift us into the Windows direction as a company.
I know for a fact we won't do it properly, resource-wise. I know I lack the know-how to do it properly, logistically. And I've seen what a colossal clusterfuck it can cause when someone doesn't do it properly.
Re: My earlier posts about this subject, I'm actually shifting gears towards supporting stuff in WINE instead because the alternative will be worse.
I love Active Directory. But at this point, I'm getting extremely disillusioned with Microsoft overall.
No usable audit trail anywhere
No usable way to determine who changed what files on a file server
Turning on the object access auditing sucks balls
WMI is great for management but sucks shit for monitoring
No native SNMP v3 support
No native syslog support
Fucking Xbox Live components installed by default on server OSes
Windows Update tools still in the dark ages
Thank god for PSWindowsUpdate
WSUS reporting sucks shit
No native ability to blacklist keywords in users' passwords or fine-grain complexity requirements
No native ability to see which users are logged on to which workstations in an AD network
... I could go on ...
It's obvious that damn few of the people who work on Windows Server products are actual server administrators. Mission-critical features like PSWindowsUpdate and LAPS (or the older Sysinternals stuff) are created by Windows software engineers on their off time and released as unsupported add-ons for people to beta test for a few years until Microsoft semi-officially adopts them but won't bring them fully into the fold and then it's questionable whether they'll actually get updated in the future (like the Sysinternals stuff). They have no clue what the actual workflows are for server administrators in real-world enterprises. I shouldn't have to install a third-party agent to get my hosts to talk to a goddamn syslog server, and I shouldn't have to pick through that syslog server to figure out in real-time where a user is logged in.
Or WSUS still requiring IE to get an out-of-band update in it (there is a way to get it to work in Edge, but it requires quite a bit of fiddling) with no word from Microsoft on an Edge compatible version.
-SCCM is still being developed in a cave by people who have no interaction with the outside world including the rest of Microsoft.
- If you have a Hybrid Exchange environment and you were used to managing everything through ECP, the O365 button no longer works: the hybrid page in O365 has been removed. You get a page with links, but no longer have a tool where you don't need to have multiple tabs open to manage your on-prem and O365.
- Microsoft has been working for over 10 years for a solution for on-prem AD and Exchange Online (still requiring an on-prem Exchange server). Keep repeating that "it's hard". Then throwing up their hands and giving us a Powershell only solution (I can live with Powershell only). Then 3rd party build a free tool within a few days.
- Win 11 losing just about all customability of the start menu (one of the things that Win10 was pretty good about).
- Autotranslate instead of professional translation for other versions of Windows 11, causing a lot of very weird notifications and settings. Example: My Win11 alert setting is (literal translation) "Show No Notifications Except for Notifications". In original english those are two different words, but the auto-translate picked the same word for them).
The crazy thing is that for as much as Active Directory feels like a product with no meaningful updates since the 90's, I spent a year working for a place where I was managing Google Workspace as the identity/email/docs/etc system and.... it felt like a toy compared to Active Directory and Azure Active Directory.
I have my complaints about on-prem AD, but for me the good outweighs the bad. What impresses me about AD is its robust redundancy and reliability. You can spin up as many AD servers as you like (and you only have to pay for OS licensing), they will automatically add themselves to DNS, set up replication with each other, and start servicing clients. You can nuke half of them from orbit and AD will still work. Yes, you should remove them from your environment correctly, but the fact that it keeps working even if you don't is pretty amazing. You should tweak the replication rules, but you don't have to. You should learn how the AD DNS records work, but you don't have to.
It has mature GUI and CLI tools. It is largely based on non-proprietary protocols like LDAP/S and DNS and strongly interoperable with non-Microsoft OSes and various other software.
I genuinely like supporting it. I just see how it could be better, without forklifting or refactoring the foundation.
Feral on
every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.
On the other hand, that is kinda heartening, that it hasn't had any meaningful updates since the 90's, as someone who hasn't touched it in over a decade and may have to soon, one way or another.
AD is pretty great. IMO the 'bad' part of AD is that it's a powerful tool and it does what you tell it to. IE it's easy to shoot yourself in the foot and/or design some truly awful AD models.
- If you have a Hybrid Exchange environment and you were used to managing everything through ECP, the O365 button no longer works: the hybrid page in O365 has been removed. You get a page with links, but no longer have a tool where you don't need to have multiple tabs open to manage your on-prem and O365.
- Microsoft has been working for over 10 years for a solution for on-prem AD and Exchange Online (still requiring an on-prem Exchange server). Keep repeating that "it's hard". Then throwing up their hands and giving us a Powershell only solution (I can live with Powershell only). Then 3rd party build a free tool within a few days.
I keep telling my team that as we move to O365, we should plan on keeping an on-prem Exchange server for management and backups. And the response is basically "we don't wanna" and I'm like "well, okay, fine."
The excuse is that management is haaaaaard but it really isn't. It used to be much harder. The improvements that Microsoft made to Exchange management to facilitate their own O365 support trickled down into Exchange 2016 and 2019. I'm not going to say it's a brainless breeze but it's no more difficult than managing any other enterprise server software.
every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.
The thing that ticks me off immensely about exchange online/hybrid exchange is that for the 2016 sku Microsoft provided a free version of Exchange server that you could run on prem specifically do do those management tasks that aren't possible in Exchange online with the on prem AD.
They took that away in 2019 so now you have to pay for an exchange server standard license to have that on prem server, even if literally all it does is connect to exchange online.
On the other hand, that is kinda heartening, that it hasn't had any meaningful updates since the 90's, as someone who hasn't touched it in over a decade and may have to soon, one way or another.
Early 00s more than the 90s, unless you count the very end of 1999.
It was introduced with Windows 2000, and there were a lot of changes between 2000 and 2003 R2 (released in 2005). The current paradigm got settled in 2005 with that R2 release. (ADFS, their SAML implementation, was introduced in 2003 R2 for instance.)
But yeah the basic paradigm is similar enough. There have been various under the hood updates, like the addition of Powershell, lots of additions to group policy settings, the conversion from one file replication technology to another (FRS to DFS), and so forth. But if you were managing AD in 2005, or even in 2003, you can slide right in to Active Directory management today with just an online refresher webinar.
every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.
The thing that ticks me off immensely about exchange online/hybrid exchange is that for the 2016 sku Microsoft provided a free version of Exchange server that you could run on prem specifically do do those management tasks that aren't possible in Exchange online with the on prem AD.
They took that away in 2019 so now you have to pay for an exchange server standard license to have that on prem server, even if literally all it does is connect to exchange online.
Exactly.
and my attitude, which I know is idiosyncratic, is if you're paying for the license, just keep it as a secondary mailbox server and replicate your mailboxes to it
then if you ever encounter a problem with O365 (say, your Internet goes down, or there's some glitch with O365), those mailboxes are still accessible
the only reason not to is because somebody has to learn how to manage a secondary Exchange mailbox server, but that's really not very difficult anymore, especially if you aren't relying on that server to service clients 99% of the time
but like I said, I know that's an unusual attitude
Feral on
every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.
On the other hand, that is kinda heartening, that it hasn't had any meaningful updates since the 90's, as someone who hasn't touched it in over a decade and may have to soon, one way or another.
Early 00s more than the 90s, unless you count the very end of 1999.
It was introduced with Windows 2000, and there were a lot of changes between 2000 and 2003 R2 (released in 2005). The current paradigm got settled in 2005 with that R2 release. (ADFS, their SAML implementation, was introduced in 2003 R2 for instance.)
But yeah the basic paradigm is similar enough. There have been various under the hood updates, like the addition of Powershell, lots of additions to group policy settings, the conversion from one file replication technology to another (FRS to DFS), and so forth. But if you were managing AD in 2005, or even in 2003, you can slide right in to Active Directory management today with just an online refresher webinar.
Oh, my last year with AD was in 2011, and we had Citrix, and no bullshit, it was actually fucking great.
- Win 11 losing just about all customability of the start menu (one of the things that Win10 was pretty good about).
I dunno about you, but I hated Tile customization in Windows 10. As a user, it's fine. Just pin a program to the tile area.
But as an administrator, fuck it so hard. I created a customized tile area (in XML, gag) for our users to swiftly access their most requested programs by department. Can you easily push that out or modify it by GPO? No. You have to use local commands pointed to that XML file, so you have to write a script and push the script out by GPO. And script can't just update the tile area, it replaces the whole damn thing.
What happens if one of the programs in the tile area gets updated? For example, you have Chrome pinned by XML, and Chrome gets updated? Chrome (sometimes) disappears and doesn't come back. Not all the time. Just sometimes. Often enough to be infuriating, but not reliably enough to be easily fixable.
The rest of the Start Menu is fine! But the rest of the Start Menu is managed just like it was in Windows 7. Drop shortcuts and folders in C:\ProgramData\Microsoft\Windows\whateverthehelltherestofthatpathis\Start Menu. Done. Null sweat, chummer.
Fuck tiles.
Feral on
every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.
I still hate tiles because the hill I will die on is that diving into menus to find things and learn all the things you can do with your computer is a good way for people to learn all the things they can do with their computer. Having their top 3 apps and Candy Crush Saga being the only things in front of them stifles their learning.
The thing that ticks me off immensely about exchange online/hybrid exchange is that for the 2016 sku Microsoft provided a free version of Exchange server that you could run on prem specifically do do those management tasks that aren't possible in Exchange online with the on prem AD.
They took that away in 2019 so now you have to pay for an exchange server standard license to have that on prem server, even if literally all it does is connect to exchange online.
- Win 11 losing just about all customability of the start menu (one of the things that Win10 was pretty good about).
I dunno about you, but I hated Tile customization in Windows 10. As a user, it's fine. Just pin a program to the tile area.
But as an administrator, fuck it so hard. I created a customized tile area (in XML, gag) for our users to swiftly access their most requested programs by department. Can you easily push that out or modify it by GPO? No. You have to use local commands pointed to that XML file, so you have to write a script and push the script out by GPO. And script can't just update the tile area, it replaces the whole damn thing.
What happens if one of the programs in the tile area gets updated? For example, you have Chrome pinned by XML, and Chrome gets updated? Chrome (sometimes) disappears and doesn't come back. Not all the time. Just sometimes. Often enough to be infuriating, but not reliably enough to be easily fixable.
The rest of the Start Menu is fine! But the rest of the Start Menu is managed just like it was in Windows 7. Drop shortcuts and folders in C:\ProgramData\Microsoft\Windows\whateverthehelltherestofthatpathis\Start Menu. Done. Null sweat, chummer.
Fuck tiles.
I've never pushed the customization to my users, but I had my workflow with nice big buttons (I have some visual impairments) for my most used programs, nicely grouped. I don't need interactive tiles, but I do want to order and set size for the icons I use. Windows 11 doesn't allow you to change the size of the icons, or the size of the start menu and reserves half of the Start Menu for "Recommendations" (In my case which is basically Recently Opened Documents. Not most-used documents or anything). and you can't turn of Recommendations (You can turn it off but you just have a big empty square where it used to be and can't put anything else there). There are third-party tools (there are always third party tools) that can fix this a little, but it's very annoying mostly.
Steam/Origin: davydizzy
+1
Options
AthenorBattle Hardened OptimistThe Skies of HiigaraRegistered Userregular
Hey, Sysadmins?
If you have a public-facing Confluence page, you might want to check in with your security folks. Like right now.
I have to explain the basics of DNS (and I mean basics, like "here's what DNS does" and "here's how to use NSLOOKUP") to my IT department and it is making me want to walk into the sea.
every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.
I have to explain the basics of DNS (and I mean basics, like "here's what DNS does" and "here's how to use NSLOOKUP") to my IT department and it is making me want to walk into the sea.
Hopefully they took notes on the proper order of sacrifices to appease Tzeentch.
Just remember that half the people you meet are below average intelligence.
I have to explain the basics of DNS (and I mean basics, like "here's what DNS does" and "here's how to use NSLOOKUP") to my IT department and it is making me want to walk into the sea.
Hopefully they took notes on the proper order of sacrifices to appease Tzeentch.
With how much DNS screws people over I'd have thought it was Slaanesh's domain.
I have to explain the basics of DNS (and I mean basics, like "here's what DNS does" and "here's how to use NSLOOKUP") to my IT department and it is making me want to walk into the sea.
Hopefully they took notes on the proper order of sacrifices to appease Tzeentch.
With how much DNS screws people over I'd have thought it was Slaanesh's domain.
Or maybe certificates
Feldorn on
0
Options
That_GuyI don't wanna be that guyRegistered Userregular
edited June 2022
I did it guys. I applied for a new job.
You might remember that I used to be a tech for a little MSP. Then I moved to inside sales engineering (at the same company) where I have been for the last 2 years. I have been killing it. I have done over $2 million in gross sales, not including MRR since assuming my new duties. I have done over $225k in gross sales in just the last 90 days alone. About 6 months ago I closed an $80k sale to a law office for a new VoIP phone system, new firewall, switches and a vhost with 2 of those 64 core AMD server CPUs, 128gb of ram, and 16tb of useable SSD storage in a RAID 10 + hot spare (it was like 9 drives). I worked my ass off to close that sale and make the company as much money as possible while doing it. I was so proud of what I had accomplished. I went to my bosses and asked if they could consider giving me a small bonus for the sale. My request was flatly refused. The last 6 months of sales have been even better. Finally last month they break down and announced company wide raises. My raise was a whopping 8%. Basically an extra $80 per paycheck after deductions, taxes and whatnot. This felt like more of an insult than anything. They don't even give me enough to account for the last 2 years of inflation. So I started looking around for work.
Well last week one of my closest friends and on/off/on co-worker was contacted by a recruiter for another local MSP who is looking for an inside sales engineer, among other jobs. I took the weekend to make a new resume and submit it with the referral from my buddy. The recruiter called me today to go over the job and get my salary expectations. I flatly told them I was looking for $80-$90k. They came back and asked when I could interview. I told them I was available Wednesday or Thursday and asked what times worked for them.
So, yeah. The stars appear to be aligning. Even if they come back to me with a lower than asking offer, I can take it to my current bosses. I doubt they're willing to match any impending offer but who knows. I wasn't expecting them to make a counteroffer the last time and I got about a 25% raise out of it. Maybe they will again.
I have to explain the basics of DNS (and I mean basics, like "here's what DNS does" and "here's how to use NSLOOKUP") to my IT department and it is making me want to walk into the sea.
Hopefully they took notes on the proper order of sacrifices to appease Tzeentch.
With how much DNS screws people over I'd have thought it was Slaanesh's domain.
heyoooooo
Feral on
every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.
i honestly feel like i'm being pranked.
i'm going to quit this job and fucking ashton kutchner's going to pop out like it's 2012 and point and laugh at me
every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.
Genuinely don't know what the "security" team at my company actually does. They don't seem to deliver capability, they don't do any testing, they are weirdly unavailable with 4 hours notice to have a 30 minute conversation. They will "review" products once they're done and complain about them, but won't pre-commit to accepting the broadstrokes of any solution up front. If you ask them that question you get a big list of "you could..." but not actually "what I want to see and I will sign off on...".
Genuinely don't know what the "security" team at my company actually does. They don't seem to deliver capability, they don't do any testing, they are weirdly unavailable with 4 hours notice to have a 30 minute conversation. They will "review" products once they're done and complain about them, but won't pre-commit to accepting the broadstrokes of any solution up front. If you ask them that question you get a big list of "you could..." but not actually "what I want to see and I will sign off on...".
They bring the information from the customer to the engineers
We ended up with a minor glitch with some of our CNAME records. It wasn't a big deal to fix, once I could identify the problem.
But after teaching everybody in the department about DNS yesterday and last week
and after giving everybody specific troubleshooting instructions
literally NOBODY who reported the problem to me bothered to do a ping or nslookup
One of my best friends is fresh out of college and working for a major financial software company that literally everyone here has heard of and worked with in some capacity.
He wasn't planning on being in an IT career path but he is now. He's being taught the job from the ground up.
It is hilarious/depressing to me when one of our other friends will have their Internet take a shit, and his first troubleshooting step is to ask them if they have Wireshark installed. Gotta start doing some packet inspection. Inspect those packets. First step!
At one point, my ISP took a shit (Spectrum, go figure, getting fiber installed in a couple months, will be glad to be rid of them), and he's like, "Hey what does wireshark tell you?" and I just snapped.
"Are you seriously telling me that they've trained you to start wiresharking shit at the first sign of network issues? Do you even know what you're targeting or filtering for? Do you know where the break is? Have they taught you ping, traceroute, mtr, fucking anything? Do you ping 8.8.8.8 as your first resort to ensure you can speak with the outside world, and then if you can, you move on to trying google.com to make sure DNS is working?"
Him: ".............what's ping?"
This is how the next generation of technicians are being trained in the main troubleshooting dept of one of the largest fucking companies you've ever heard of.
Not for nothing he learned some shit that night and weirdly he's able to spot things faster than others on his team now.
I do not fucking understand, though. I don't get it. I'm filled with sadness and rage over it and I don't even fucking work there.
Posts
Yeah this is also one of the reasons I'm extremely hesitant to shift us into the Windows direction as a company.
I know for a fact we won't do it properly, resource-wise. I know I lack the know-how to do it properly, logistically. And I've seen what a colossal clusterfuck it can cause when someone doesn't do it properly.
Re: My earlier posts about this subject, I'm actually shifting gears towards supporting stuff in WINE instead because the alternative will be worse.
(looking for personal, cheap, email hosting, not enterprise-grade stuff, to clarify; one of these days I want to make my website not so awful, and it feels like setting mail up properly goes along with that)
I have had customers (small businesses) that had a decent setup for AD though (usually because we get to greenfield it once we get a customer). You definitely don't want to use .local domains anymore though, best practice is public resolvable top domain and then an internal subdomain (intern.pennyarcade-example.com, corp.pennyarcade-example.com etc.).
O365 is the main hosting platform I have used and you can get basic email (Kiosk, 2GB, webmail only) for around $2.50/month, less basic email (Business Basic, 50GB, Exchange) for $6.50/month. Incredibly easy to set up, add the domain to 365, add the DNS records to your host, license the account and away you go.
I'll second Microsoft 365. Business Basic is actually just $6 a month if you buy a year at a time.
That said you can still start and continue doing things better and slowly clean up.
The users and groups part is the easy bit. Group Policy is where thing really take a piss.
Best practice is to use a real honest to goodness registered domain.
If you absolutely must have your DNS split between internal and external, use a subdomain for your internal.
The problem with using .ads though is that it's a bona fide TLD, which means it's possible (though extremely unlikely) for the TLD owner (Google) to create a public domain name that matches your internal domain name.
the "no true scotch man" fallacy.
Interesting. I've always found the opposite to be true.
The native tools for group policy tell you exactly which GPO is assigned to which user and group, and they show you the settings for that GPO. I don't have to switch to another pane of glass.
However, there's no native tool for showing you what a security group is used for; even just scanning your file servers for NTFS permissions requires either some Powershell scripting or a third-party tool. And it takes forever. And that doesn't tell you anything about third-party systems that use LDAP to check security group membership.
Basically, if I see a weird GPO, I can look at that GPO and know what it does.
If I see a weird security group, I have to go on a scavenger hunt across multiple disparate systems and servers to figure out what it's used for.
This makes GPOs much easier to clean up and GPOs in a legacy environment much easier to manage than security groups.
the "no true scotch man" fallacy.
I love Active Directory. But at this point, I'm getting extremely disillusioned with Microsoft overall.
It's obvious that damn few of the people who work on Windows Server products are actual server administrators. Mission-critical features like PSWindowsUpdate and LAPS (or the older Sysinternals stuff) are created by Windows software engineers on their off time and released as unsupported add-ons for people to beta test for a few years until Microsoft semi-officially adopts them but won't bring them fully into the fold and then it's questionable whether they'll actually get updated in the future (like the Sysinternals stuff). They have no clue what the actual workflows are for server administrators in real-world enterprises. I shouldn't have to install a third-party agent to get my hosts to talk to a goddamn syslog server, and I shouldn't have to pick through that syslog server to figure out in real-time where a user is logged in.
the "no true scotch man" fallacy.
the "no true scotch man" fallacy.
We use the Splunk Forwarder and it’s great and all, but sometimes we get alerts about DNS lookups from our firewall and you have to check the 100MB text file before it gets zapped….at some random time in the middle of the night.
This is a clickable link to my Steam Profile.
Or WSUS still requiring IE to get an out-of-band update in it (there is a way to get it to work in Edge, but it requires quite a bit of fiddling) with no word from Microsoft on an Edge compatible version.
-SCCM is still being developed in a cave by people who have no interaction with the outside world including the rest of Microsoft.
- If you have a Hybrid Exchange environment and you were used to managing everything through ECP, the O365 button no longer works: the hybrid page in O365 has been removed. You get a page with links, but no longer have a tool where you don't need to have multiple tabs open to manage your on-prem and O365.
- Microsoft has been working for over 10 years for a solution for on-prem AD and Exchange Online (still requiring an on-prem Exchange server). Keep repeating that "it's hard". Then throwing up their hands and giving us a Powershell only solution (I can live with Powershell only). Then 3rd party build a free tool within a few days.
- Win 11 losing just about all customability of the start menu (one of the things that Win10 was pretty good about).
- Autotranslate instead of professional translation for other versions of Windows 11, causing a lot of very weird notifications and settings. Example: My Win11 alert setting is (literal translation) "Show No Notifications Except for Notifications". In original english those are two different words, but the auto-translate picked the same word for them).
Basically it all sucks for different reasons.
It has mature GUI and CLI tools. It is largely based on non-proprietary protocols like LDAP/S and DNS and strongly interoperable with non-Microsoft OSes and various other software.
I genuinely like supporting it. I just see how it could be better, without forklifting or refactoring the foundation.
the "no true scotch man" fallacy.
I keep telling my team that as we move to O365, we should plan on keeping an on-prem Exchange server for management and backups. And the response is basically "we don't wanna" and I'm like "well, okay, fine."
The excuse is that management is haaaaaard but it really isn't. It used to be much harder. The improvements that Microsoft made to Exchange management to facilitate their own O365 support trickled down into Exchange 2016 and 2019. I'm not going to say it's a brainless breeze but it's no more difficult than managing any other enterprise server software.
the "no true scotch man" fallacy.
They took that away in 2019 so now you have to pay for an exchange server standard license to have that on prem server, even if literally all it does is connect to exchange online.
Early 00s more than the 90s, unless you count the very end of 1999.
It was introduced with Windows 2000, and there were a lot of changes between 2000 and 2003 R2 (released in 2005). The current paradigm got settled in 2005 with that R2 release. (ADFS, their SAML implementation, was introduced in 2003 R2 for instance.)
But yeah the basic paradigm is similar enough. There have been various under the hood updates, like the addition of Powershell, lots of additions to group policy settings, the conversion from one file replication technology to another (FRS to DFS), and so forth. But if you were managing AD in 2005, or even in 2003, you can slide right in to Active Directory management today with just an online refresher webinar.
the "no true scotch man" fallacy.
Exactly.
and my attitude, which I know is idiosyncratic, is if you're paying for the license, just keep it as a secondary mailbox server and replicate your mailboxes to it
then if you ever encounter a problem with O365 (say, your Internet goes down, or there's some glitch with O365), those mailboxes are still accessible
the only reason not to is because somebody has to learn how to manage a secondary Exchange mailbox server, but that's really not very difficult anymore, especially if you aren't relying on that server to service clients 99% of the time
but like I said, I know that's an unusual attitude
the "no true scotch man" fallacy.
Oh, my last year with AD was in 2011, and we had Citrix, and no bullshit, it was actually fucking great.
I dunno about you, but I hated Tile customization in Windows 10. As a user, it's fine. Just pin a program to the tile area.
But as an administrator, fuck it so hard. I created a customized tile area (in XML, gag) for our users to swiftly access their most requested programs by department. Can you easily push that out or modify it by GPO? No. You have to use local commands pointed to that XML file, so you have to write a script and push the script out by GPO. And script can't just update the tile area, it replaces the whole damn thing.
What happens if one of the programs in the tile area gets updated? For example, you have Chrome pinned by XML, and Chrome gets updated? Chrome (sometimes) disappears and doesn't come back. Not all the time. Just sometimes. Often enough to be infuriating, but not reliably enough to be easily fixable.
The rest of the Start Menu is fine! But the rest of the Start Menu is managed just like it was in Windows 7. Drop shortcuts and folders in C:\ProgramData\Microsoft\Windows\whateverthehelltherestofthatpathis\Start Menu. Done. Null sweat, chummer.
Fuck tiles.
the "no true scotch man" fallacy.
https://practical365.com/a-new-tool-to-manage-exchange-related-attributes-without-exchange-server/?utm_content=208420620&utm_medium=social&utm_source=twitter&hss_channel=tw-66219976
It's not amazing yet, but we're getting there. Slowly, very very slowly.
I've never pushed the customization to my users, but I had my workflow with nice big buttons (I have some visual impairments) for my most used programs, nicely grouped. I don't need interactive tiles, but I do want to order and set size for the icons I use. Windows 11 doesn't allow you to change the size of the icons, or the size of the start menu and reserves half of the Start Menu for "Recommendations" (In my case which is basically Recently Opened Documents. Not most-used documents or anything). and you can't turn of Recommendations (You can turn it off but you just have a big empty square where it used to be and can't put anything else there). There are third-party tools (there are always third party tools) that can fix this a little, but it's very annoying mostly.
If you have a public-facing Confluence page, you might want to check in with your security folks. Like right now.
https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
the "no true scotch man" fallacy.
Hopefully they took notes on the proper order of sacrifices to appease Tzeentch.
With how much DNS screws people over I'd have thought it was Slaanesh's domain.
Or maybe certificates
You might remember that I used to be a tech for a little MSP. Then I moved to inside sales engineering (at the same company) where I have been for the last 2 years. I have been killing it. I have done over $2 million in gross sales, not including MRR since assuming my new duties. I have done over $225k in gross sales in just the last 90 days alone. About 6 months ago I closed an $80k sale to a law office for a new VoIP phone system, new firewall, switches and a vhost with 2 of those 64 core AMD server CPUs, 128gb of ram, and 16tb of useable SSD storage in a RAID 10 + hot spare (it was like 9 drives). I worked my ass off to close that sale and make the company as much money as possible while doing it. I was so proud of what I had accomplished. I went to my bosses and asked if they could consider giving me a small bonus for the sale. My request was flatly refused. The last 6 months of sales have been even better. Finally last month they break down and announced company wide raises. My raise was a whopping 8%. Basically an extra $80 per paycheck after deductions, taxes and whatnot. This felt like more of an insult than anything. They don't even give me enough to account for the last 2 years of inflation. So I started looking around for work.
Well last week one of my closest friends and on/off/on co-worker was contacted by a recruiter for another local MSP who is looking for an inside sales engineer, among other jobs. I took the weekend to make a new resume and submit it with the referral from my buddy. The recruiter called me today to go over the job and get my salary expectations. I flatly told them I was looking for $80-$90k. They came back and asked when I could interview. I told them I was available Wednesday or Thursday and asked what times worked for them.
So, yeah. The stars appear to be aligning. Even if they come back to me with a lower than asking offer, I can take it to my current bosses. I doubt they're willing to match any impending offer but who knows. I wasn't expecting them to make a counteroffer the last time and I got about a 25% raise out of it. Maybe they will again.
heyoooooo
the "no true scotch man" fallacy.
We ended up with a minor glitch with some of our CNAME records. It wasn't a big deal to fix, once I could identify the problem.
But after teaching everybody in the department about DNS yesterday and last week
and after giving everybody specific troubleshooting instructions
literally NOBODY who reported the problem to me bothered to do a ping or nslookup
the "no true scotch man" fallacy.
one
goddamn
soul
used
nslookup
the "no true scotch man" fallacy.
i'm going to quit this job and fucking ashton kutchner's going to pop out like it's 2012 and point and laugh at me
the "no true scotch man" fallacy.
They bring the information from the customer to the engineers
They're people persons
One of my best friends is fresh out of college and working for a major financial software company that literally everyone here has heard of and worked with in some capacity.
He wasn't planning on being in an IT career path but he is now. He's being taught the job from the ground up.
It is hilarious/depressing to me when one of our other friends will have their Internet take a shit, and his first troubleshooting step is to ask them if they have Wireshark installed. Gotta start doing some packet inspection. Inspect those packets. First step!
At one point, my ISP took a shit (Spectrum, go figure, getting fiber installed in a couple months, will be glad to be rid of them), and he's like, "Hey what does wireshark tell you?" and I just snapped.
"Are you seriously telling me that they've trained you to start wiresharking shit at the first sign of network issues? Do you even know what you're targeting or filtering for? Do you know where the break is? Have they taught you ping, traceroute, mtr, fucking anything? Do you ping 8.8.8.8 as your first resort to ensure you can speak with the outside world, and then if you can, you move on to trying google.com to make sure DNS is working?"
Him: ".............what's ping?"
This is how the next generation of technicians are being trained in the main troubleshooting dept of one of the largest fucking companies you've ever heard of.
Not for nothing he learned some shit that night and weirdly he's able to spot things faster than others on his team now.
I do not fucking understand, though. I don't get it. I'm filled with sadness and rage over it and I don't even fucking work there.