Playing with an SQL query to see how efficient I can make it. The query right now is taking 5-6 minutes to run and I'm hoping to tighten that up a bit. I'm not sure I can though since part of the query is doing a like search on a field that contains free-form text. Yet another puzzle for the day.

Posts made by anthonyh
-
RE: What Are You Doing Right Now
-
RE: OSPF <--> EIGRP Redistribution
I got my answer. It turns out OSPF applies a default metric to readvertised EIGRP routes, but EIGRP does not apply a default metric to readvertised OSPF routes. So I modified my EIGRP config like so:
router eigrp 100
 redistribute static
 redistribute ospf 3 metric 1000000 0 255 1 1500
 no auto-summary
 no eigrp log-neighbor-changes
 network 10.0.0.0
 network 172.19.0.0
BOOM, works!
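Added example, not part of the original post and not the poster's code: a small Python check that flags `redistribute` lines under `router eigrp` that have neither an inline `metric` nor a stanza-wide `default-metric`, which is the condition described in the post above. The function name is hypothetical and the sample configs are abridged from the thread.

```python
import re

# Route sources EIGRP accepts without a seed metric on Cisco IOS.
NO_SEED_NEEDED = {"static", "connected", "eigrp"}

# Abridged from the thread: the config that did not redistribute...
BEFORE = """\
router eigrp 100
 redistribute static
 redistribute ospf 3
 no auto-summary
 network 10.0.0.0
router ospf 3
 redistribute static subnets
 redistribute eigrp 100 subnets
"""
# ...and the same config with the seed metric from the fix.
AFTER = BEFORE.replace("redistribute ospf 3\n",
                       "redistribute ospf 3 metric 1000000 0 255 1 1500\n")


def eigrp_missing_seed_metric(config):
    """List 'redistribute' lines under 'router eigrp' that lack a seed metric.

    Assumption: a stanza runs to the next 'router ...' line or '!'.
    A metric set inside a route-map is not inspected.
    """
    findings, pending = [], []
    in_eigrp = has_default = False
    # The trailing "!" is a sentinel that closes the last stanza.
    for line in map(str.strip, config.splitlines() + ["!"]):
        if line.startswith("router ") or line == "!":
            if in_eigrp and not has_default:
                findings += pending
            in_eigrp = line.startswith("router eigrp ")
            pending, has_default = [], False
        elif in_eigrp and line.startswith("default-metric "):
            has_default = True
        elif in_eigrp:
            m = re.match(r"redistribute\s+(\S+)", line)
            if m and m.group(1) not in NO_SEED_NEEDED \
                    and not re.search(r"\smetric\s", line + " "):
                pending.append(line)
    return findings


if __name__ == "__main__":
    print("before:", eigrp_missing_seed_metric(BEFORE))
    print("after: ", eigrp_missing_seed_metric(AFTER))
```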
-
RE: Active Directory Domain Trust(s)
@anthonyh said:
@Dashrender said:
for the username on the application, have you tried domain\username or [email protected]?
I did try [email protected], but I did not try domain\username. I'll give that a shot.
No go unfortunately. I'm going to ask the vendor if the app supports SAML based authentication. I'm pretty sure the answer is going to be no, but it's worth an ask.
-
RE: Active Directory Domain Trust(s)
@Dashrender said:
for the username on the application, have you tried domain\username or [email protected]?
I did try [email protected], but I did not try domain\username. I'll give that a shot.
-
OSPF <--> EIGRP Redistribution
I am working on setting up a secondary link between two of our sites. The two sites currently connect via AT&T Opt-E-Man service. Since the two sites are only a few blocks apart, we are going to use a pair of Ubiquiti AirFiber radios to put up this secondary (which will actually become our primary) link.
Because of the organization I work for, I need to encrypt the traffic flowing across the radio link. We purchased a pair of Ubiquiti ERPro8's, and I've got the VPN tunnel set up and working beautifully. I also have OSPF working between the two routers as well, so the VPN tunnel is more-or-less seamless to connecting devices.
The remainder of our network is composed of various Cisco gear, which means we are using EIGRP. So, I need to 1) redistribute EIGRP over OSPF so the ERPro's are aware of our network, and 2) redistribute OSPF over EIGRP so that the rest of our network is aware of the ERPro routes. The idea is that with dynamic routing we can automagically "fall back" to the Opt-E-Man circuit if anything happened to the radio link (hardware failure, alignment issue, etc).
I have EIGRP redistributing over OSPF beautifully. However, I cannot seem to get OSPF to redistribute over EIGRP. The neighboring device is getting OSPF updates without issue, but doesn't seem to be redistributing them over EIGRP. Here are the EIGRP and OSPF configurations on the neighboring switch that is to do the redistribution:
router eigrp 100
 redistribute static
 redistribute ospf 3
 no auto-summary
 no eigrp log-neighbor-changes
 network 10.0.0.0
 network 172.19.0.0
router ospf 3
 router-id 10.39.11.1
 log-adjacency-changes
 redistribute static subnets
 redistribute eigrp 100 subnets
 passive-interface default
 no passive-interface GigabitEthernet0/5
 network 10.39.11.0 0.0.0.3 area 0
 default-information originate always
Any ideas?
-
RE: Active Directory Domain Trust(s)
Well, I've been successful at establishing a one way external trust between my test domain and production domain. I was able to grant permissions on file shares to users across the trust and authenticate successfully. However, I cannot get the application in question (the reason for the trust) to authenticate via an account across the trust. I believe this is due to the way the application is querying AD (it's doing an LDAP lookup with a base of our production domain). So, this may not be an option after all...which I'm OK with.
We are considering one of two options:
- Continuing to enforce the Password Self Service portal
OR
- Configuring accounts for each agency so that someone technical on their end has restricted access to their respective OU. This would allow them to reset passwords and create/delete accounts for their respective organization (with oversight from us, of course).
I'm trying to push my boss towards option 1, but the decision is really up to him.
-
RE: Active Directory Domain Trust(s)
@Dashrender said:
@anthonyh said:
@Jason said:
@anthonyh said:
@Jason said:
We have a transitive domain trust with a company we just bought out..
A trust isn't something you really want for External Agencies.
Why is that?
Because it is a Trust.. With something you have no control over. Not really something I'd recommend doing.
So, if we were to establish a one way external trust with one of the external agencies, what sort of control would that external agency have that I cannot control?
Pretty sure One Way trusts don't exist anymore. I think those went out in 2003.
Actually, I just set one up between my test DC (we'll call it test.com) and our production domain (we'll call it prod.com).
I was able to set up a trust so that prod.com trusts test.com, but test.com does not trust prod.com. I was also able to set it up as selective authentication which, if I understand the description properly, means they cannot authenticate to any resource unless specifically allowed. Not sure if that'll work for the app in question, but hey it's worth a shot!
-
RE: Active Directory Domain Trust(s)
@Jason said:
@anthonyh said:
@Jason said:
We have a transitive domain trust with a company we just bought out..
A trust isn't something you really want for External Agencies.
Why is that?
Because it is a Trust.. With something you have no control over. Not really something I'd recommend doing.
So, if we were to establish a one way external trust with one of the external agencies, what sort of control would that external agency have that I cannot control?
-
RE: Active Directory Domain Trust(s)
@Jason said:
We have a transitive domain trust with a company we just bought out..
A trust isn't something you really want for External Agencies.
Why is that?
-
RE: Active Directory Domain Trust(s)
@Dashrender Well, from a quick search, it looks like the application needs to be "claims-aware" for federation to work. I don't know if the application in question is claims-aware. I'll have to find out.
I know you can establish what are called "external" trusts, which is what I was going to aim for. It's not a matter of connectivity. We have private connections to the agencies in question, so it would just be a matter of appropriately adjusting our firewall for whatever is needed for the domain trust and/or federation.
-
RE: Active Directory Domain Trust(s)
@Dashrender Well, I know the term, but know nothing about it.
Trust vs Federation is another thing I'll need to research.
-
RE: Active Directory Domain Trust(s)
@Dashrender Are you referring to domain federation?
-
RE: Other Companies IT departments
I have a client that does a yearly holiday mailing, which involves exporting contacts from their CRM and doing a Word mail merge. Every year I walk their office manager through it the first time (she usually has to do it 2-3 times as she finds addresses that need to be cleaned up). She takes notes, but since it's a task she does every 12 months, I don't expect it to stick.
My wife doesn't understand why they need me to do it, but eh...if they want to pay me my going consultant rate to do it, who am I to say no?
-
Active Directory Domain Trust(s)
We have an application (yes, "that" application, if you saw my earlier XenServer post) that many external agencies access for various reasons. This application uses AD authentication, so we have to create AD accounts for all external users. This was fine, except the number of external users has grown to the hundreds, and people cannot seem to figure out how to use our, what I feel is a very straightforward, password self-service portal (PWM), or they simply refuse. So we have a never-ending flow of "need my password reset" requests coming from them.
These external agencies use AD as well, which makes us wonder if a domain trust is the answer. The idea being that these external agencies can manage their own accounts and we'd simply grant/deny access to the application.
This sounds wonderful. However, I've never established a domain trust before. Instead of diving in head first with any of the external agencies, I want to test this locally. I've set up a test DC with a test domain. I'd like to establish trust between it and our production domain.
Can you guys point me to some great resources on basically a "crash course" in domain trusts? Something that'll walk me through the process would be great, too.
For what it's worth, our production AD is Windows 2008 R2. The test DC/Domain is running Server 2012 R2.
Thanks!
-
RE: XenServer 6.5 - SR "Run out of space while coalescing."
@JaredBusch I suspected the same as well, but what was confusing was that they would be cleaned up by the time I would be able to troubleshoot. It seemed to be a very short moment where it would happen, as it seemed to happen long enough for XenCenter to alert, but not long enough to have any impact on the environment.
-
RE: Consumer ISP Pricing - Where are you, how fast is it, and what do you pay?
Northern California, US
75/5, VDSL2
250GB Cap (though there are reports that it's currently not enforced)
$42/mo (will be $87 after the promotion is up though)
AT&T U-verse
I will give AT&T a little credit: unlike their ADSL service, I regularly see download speeds in the 80-85 Mbps range.
I will be calling them about the non-promotional rate, though. Looks like it expires for me in 8 days.
-
RE: XenServer 6.5 - SR "Run out of space while coalescing."
Hey all - So sorry for going dead! We implemented a new system that basically "runs the organization" and it's been a mad house. We consolidated 6 separate databases into one system, and even after a year of doing data migration tests, UAT, etc., it's still a bit of a mess (which we anticipated, fortunately). In any rate, I am here to update this thread on the issue...
It seems that the issue was caused by my backup software. Because the backup jobs were taking so long to process, for one magical moment, the software would have snapshots created for every single VM. This was the cause of the issue. After beefing up our backup server and adding SSDs for the metadata database (deduplication), backup windows are MUCH better, jobs are not overlapping as much as before, and this issue has not happened since.
Thanks everyone for the help! I'm hoping to be able to participate a bit more moving forward. We'll see how that goes...
-
RE: If you are new drop in say hello and introduce yourself please!
Thanks @scottalanmiller and @mlnews !
I'm the sys/network admin for a U.S. trial court on the west coast. We have 12 XenServer hosts (8 in a pool) and growing, and a smidge over 100 VMs in our environment. Many of our services are Linux based, which I'm fairly proud of. Virtualization, networking, storage administration, AD, email, MySQL/MSSQL, you name it I am in charge of it. Fortunately we have a great group of guys who manage our workstations and do end-user support, so I can focus on back end infrastructure stuffs.
I'm a geek at heart, but my 2 year old b/g twins limit what I can tinker with at home (in a good way).
-
XenServer 6.5 - SR "Run out of space while coalescing."
I heard through @scottalanmiller (thanks again, BTW!) that there are some pretty active XenServer users here, so hopefully some light can be shed on this weird issue that has just started happening for me.
I received the following alert multiple times from my XenServer pool today:
Field Value
Name: No space left on device
Priority: 3
Class: SR
Object UUID: 545839f5-e2fc-e972-9391-d5641a60a567
Timestamp: 20151017T15:06:49Z
Message UUID: 4cdd6b52-3343-fd64-bd37-e37a59b1a793
Pool name: MyPool
Body: Run out of space while coalescing.
I've checked the SR and according to XenCenter it is approximately 50% consumed:
I checked the SAN itself and it shows even less disk space consumed. In any rate, all signs show I have plenty of disk space.
Is there any way to get more detail behind what was going on when this happened? I looked at /var/SMlog and didn't see anything out of the ordinary, but maybe I need to look again.
Any ideas? Thanks!