
    Posts

    • RE: Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP

      @jaredbusch said in Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP:

      Keeping the same name and IP is a recipe for disaster.

      I've asked around numerous times in the past and have had mixed input. Some say it's bad to do and others say it's fine. Can you give me the reasons why you're saying it's a recipe for disaster?

      posted in IT Discussion
      dave247
    • Need some guidance - replacing physical 2008 R2 DC with a virtual 2016 DC - keeping same name and IP

      ((Please read my entire post before rushing to reply))

      I just watched Scott's YT video about virtualizing domain controllers and it reminded me that I need to take care of this project I've been putting off for some time.

      My Environment:

      • DC1: 2008 R2 domain controller (physical, holds FSMO roles)
      • BDC1: 2008 R2 backup domain controller (virtual, for AD redundancy)
      • Exchange 2010 SP3 (physical, on-prem)

      Goal: I would like to replace my physical DC1 with a virtual Server 2016 domain controller. I would also like this new DC to have the same name and IP address as DC1, mainly because we have so many printers, servers and appliances that either point to "DC1" or its IP address. I merely want to "swap" domain controllers and end up with a virtual 2016 DC1 of same IP, without breaking Exchange, or numerous other things.

      To execute my plan, these are the steps I assume I would take, and this is one area where I need guidance:

      1. Install new virtual Server 2016 named DC3
      2. Promote DC3 to domain controller
      3. Pass FSMO roles from old DC1 to DC3
      4. Decommission DC1
      5. Rename DC3 to DC1 and change IP to that of old DC1
      6. Run DC diagnostic commands to make sure things are still working

      I understand that this may be bending or breaking best practice a little, but I would still like to get close to achieving this or something similar without breaking things. I am the only IT guy at my company and I've done a good job at keeping everything running while fixing/updating/upgrading/replacing/etc. I really don't want to damage our DC with this project but I don't want to wait too long to make this change either.

      Additionally, I do believe I have set up time correctly on DC1, but could you guys help me verify this? I suspect I am having time related issues sometimes, for reasons currently unknown..

      w32tm /query /peers
      #Peers: 1
      Peer: pool.ntp.org
      State: Active
      Time Remaining: 357.8628266s
      Mode: 1 (Symmetric Active)
      Stratum: 2 (secondary reference - syncd by (S)NTP)
      PeerPoll Interval: 10 (1024s)
      HostPoll Interval: 10 (1024s)

      w32tm /query /status
      Leap Indicator: 0(no warning)
      Stratum: 3 (secondary reference - syncd by (S)NTP)
      Precision: -6 (15.625ms per tick)
      Root Delay: 0.0499886s
      Root Dispersion: 0.0557726s
      ReferenceId: 0x60F46013 (source IP: 96.244.96.19)
      Last Successful Sync Time: 11/19/2017 3:39:27 PM
      Source: pool.ntp.org
      Poll Interval: 10 (1024s)

      Notes:

      • Virtual BDC1 replaced a virtual DC2 which was lost due to corruption a year ago (I had just started and didn't get the story) - it has the same IP as DC2 used to. I have noticed some errors here such as DCOM errors that say "DCOM was unable to communicate with the computer DC2.[domain].com using any of the configured protocols."
      • Yes, I am aware that we are no longer doing the backup domain controller thing, as all domain controllers are "equal"
      • Yes, I know Exchange should also be virtualized and/or hosted - that's another project for another day
      • I just want to know the simplest way to do this without having to update a bunch of things as they are revealed through failure to function during business hours
      posted in IT Discussion
      dave247
    • RE: Looking for a very basic solution for building/maintaining company intranet

      Thanks again for the awesome help guys!

      posted in IT Discussion
      dave247
    • RE: Looking for a very basic solution for building/maintaining company intranet

      @tim_g said in Looking for a very basic solution for building/maintaining company intranet:

      @dave247 said in Looking for a very basic solution for building/maintaining company intranet:

      @dave247 said in Looking for a very basic solution for building/maintaining company intranet:

      @scottalanmiller said in Looking for a very basic solution for building/maintaining company intranet:

      For static internal pages, very little will compete with Wordpress.

      Oh yeah I forgot about WP.. but all this stuff would need to be local and not online at all. ... I'm looking it up now and it looks like we can just download WordPress and use it to generate local content.. awesome. This may do perfectly..

      ooh looks like I'm going to get to set up a Linux server with LAMP... fun

      @scottalanmiller has you covered!

      https://mangolassi.it/topic/13112/using-saltstack-to-install-high-performance-lamp-on-fedora-25

      https://mangolassi.it/topic/13115/installing-wp-cli-the-wordpress-command-line-with-saltstack

      https://mangolassi.it/topic/13177/deploying-an-nginx-reverse-proxy-with-ssl-on-a-lamp-server-with-saltstack

      Awesome. I don't get to touch Linux too much at work, so this will be a fun project. Thanks!

      posted in IT Discussion
      dave247
    • RE: Looking for a very basic solution for building/maintaining company intranet

      @dave247 said in Looking for a very basic solution for building/maintaining company intranet:

      @scottalanmiller said in Looking for a very basic solution for building/maintaining company intranet:

      For static internal pages, very little will compete with Wordpress.

      Oh yeah I forgot about WP.. but all this stuff would need to be local and not online at all. ... I'm looking it up now and it looks like we can just download WordPress and use it to generate local content.. awesome. This may do perfectly..

      ooh looks like I'm going to get to set up a Linux server with LAMP... fun

      posted in IT Discussion
      dave247
    • RE: Looking for a very basic solution for building/maintaining company intranet

      @scottalanmiller said in Looking for a very basic solution for building/maintaining company intranet:

      For static internal pages, very little will compete with Wordpress.

      Oh yeah I forgot about WP.. but all this stuff would need to be local and not online at all. ... I'm looking it up now and it looks like we can just download WordPress and use it to generate local content.. awesome. This may do perfectly..

      posted in IT Discussion
      dave247
    • RE: Looking for a very basic solution for building/maintaining company intranet

      @zachary715 said in Looking for a very basic solution for building/maintaining company intranet:

      Following. I looked for a basic solution like this for a while and wasn't easy. I looked at Wordpress since I had some experience but ultimately settled on Sharepoint Foundation (free). We didn't need any bells and whistles. We have external links to particular websites or resources, internal links via UNC path to our file shares, and then there are easy web parts for announcements, calendars, etc. Pretty simple to setup and maintain.

      With Sharepoint Foundation no longer being offered beyond 2013, I'll likely have to go a different route in the future.

      Yeah I know about the Sharepoint Foundation thing not being offered anymore so I forgot about it after I saw that..

      posted in IT Discussion
      dave247
    • Looking for a very basic solution for building/maintaining company intranet

      I am on the hunt for a VERY BASIC web-based application that I can use to build and maintain static web pages for my company's intranet.
      We previously had a product that included help desk, time and attendance, and basic information and document presentation (among other things), which made up our intranet.

      Now we've gone with different vendors for the help desk and time and attendance parts and now all we are left with is to find something that can essentially allow specific users to create and manage static web pages, for the purpose of displaying announcements, news and links to local and external resources and documents.
      This is something pretty basic that I could probably build myself in PHP and PostgreSQL or something but I honestly don't have the bandwidth for a project like that right now.

      I'm hoping someone can provide some suggestions for any products that might meet that description. Again, it doesn't need to be very complex at all and I know a lot of solutions have a lot of extra stuff jammed packed into them. I'm just looking for something really lightweight and simple to deploy and manage.

      posted in IT Discussion
      dave247
    • RE: Thoughts on how I could improve my network security?

      @scottalanmiller said in Thoughts on how I could improve my network security?:

      @dave247 said in Thoughts on how I could improve my network security?:

      I understand having a web proxy, IDS and AV scanning on virtual machines, but if everything can be integrated into one system and it has enough computing resources to work well, then what's the problem with that?

      Everything is the problem with it. It goes against everything we learn in IT about good practices. Why do we put databases, applications, monitoring, logging, and Active Directory on different VMs when we could mash them all into one VM?

      Why are you treating your network security like it's a desktop or hobby class device and are willing to smash all kinds of applications together onto the network appliance, when you'd never consider anything of the sort with even relatively trivial production applications? Why is security and networking so often considered to be of trivial importance compared to everything else on the network?

      The real question is... given best practices and broad application of rules that apply on every production workload, why do you consider the applications on your router to be the exception to the rule rather than one of the most important examples of it?

      This just seems like another vague attempt to prop up your opinion again. Again, our 3600 does a really good job even though all those features are "mashed" in the same system.

      posted in IT Discussion
      dave247
    • RE: Thoughts on how I could improve my network security?

      @scottalanmiller said in Thoughts on how I could improve my network security?:

      @dave247 said in Thoughts on how I could improve my network security?:

      By devices, I meant having the router and firewall on separate devices. Are you seriously suggesting I have a router and a firewall as a VM?

      I feel like you've missed everything I've ever said.

      First of all, UTM never means Firewall. Those are two different things.

      Second, a router is always a firewall, the two are always the same thing, have been for decades. The idea that you even CAN separate the router and firewall is silly, while it's possible no separate devices have been on the market since the late 1990s.

      Third, never once ever have I suggested anything but a physical appliance for the firewall. Ever.

      Where did you get the impression that I ever said anything of the sort?

      I didn't miss what you said, but you frame things in such a way that comes off more arrogant than helpful.

      I may not know a lot, but I know enough to know that a firewall and a router are not the same thing. Sure, they are pretty much always packaged together in the same product but they are two different individual functions. And I get that there is some overlap as routers can have ACLs and firewalls can set static routes, but that doesn't mean they are the same thing.

      posted in IT Discussion
      dave247
    • RE: Thoughts on how I could improve my network security?

      @scottalanmiller said in Thoughts on how I could improve my network security?:

      @dave247 said in Thoughts on how I could improve my network security?:

      @tim_g said in Thoughts on how I could improve my network security?:

      @dave247 said in Thoughts on how I could improve my network security?:

      I have our three ISP connections coming into the SonicWall with load-balancing. I also have wifi zones for corp and guest on their own VLAN. I have LAN and VPN zones (and others) which are carefully set up and segregated through firewall rules. There's a page to manage NAT policies. We make use of SSLVPN, Gateway A/V and anti-spyware, content filtering, IDS & IPS, and the GMS Analyzer, etc.
      I didn't choose this product as it was on site when I got my job here, but as I said, it's been completely solid.

      This is exactly how it is for me too.

      I personally haven't seen any of the negatives Scott is pointing out against SonicWall or IPS working on the edge firewall.

      If it degrades performance, I haven't experienced it. I do agree with him on all the aspects though and would not choose to implement a SonicWall or similar device if one wasn't already set up.

      What are some recommended alternatives? Is Scott (and supposed best practice) suggesting to spread all of these roles out to individual devices vs having everything in a single unit or something?

      Why would they be "devices"? What's the benefit to having hardware appliances for every application in a business? They should be treated like any other enterprise application - individual VMs. There are standard patterns here that are widely known and accepted. The issue, I think, is that people start hearing the marketing spiel on this stuff and start forgetting that network AV scanning, IDS, web proxies, etc. are "just another application" and that best practices have always existed for them.

      Best practices for applications include virtualization, and separation. What I'm suggesting isn't weird here, it's having them on appliances or mashed together on the same OS that breaks the standard approach.

      You wouldn't treat your database or even your website this way, why your security system?

      By devices, I meant having the router and firewall on separate devices. Are you seriously suggesting I have a router and a firewall as a VM?

      I understand having a web proxy, IDS and AV scanning on virtual machines, but if everything can be integrated into one system and it has enough computing resources to work well, then what's the problem with that? Also, for what it's worth, the SonicWall's GMS Analyzer is on a separate virtual machine.

      posted in IT Discussion
      dave247
    • RE: Thoughts on how I could improve my network security?

      @tim_g said in Thoughts on how I could improve my network security?:

      @dave247 said in Thoughts on how I could improve my network security?:

      I have our three ISP connections coming into the SonicWall with load-balancing. I also have wifi zones for corp and guest on their own VLAN. I have LAN and VPN zones (and others) which are carefully set up and segregated through firewall rules. There's a page to manage NAT policies. We make use of SSLVPN, Gateway A/V and anti-spyware, content filtering, IDS & IPS, and the GMS Analyzer, etc.
      I didn't choose this product as it was on site when I got my job here, but as I said, it's been completely solid.

      This is exactly how it is for me too.

      I personally haven't seen any of the negatives Scott is pointing out against SonicWall or IPS working on the edge firewall.

      If it degrades performance, I haven't experienced it. I do agree with him on all the aspects though and would not choose to implement a SonicWall or similar device if one wasn't already set up.

      What are some recommended alternatives? Is Scott (and supposed best practice) suggesting to spread all of these roles out to individual devices vs having everything in a single unit or something?

      posted in IT Discussion
      dave247
    • RE: Thoughts on how I could improve my network security?

      @scottalanmiller said in Thoughts on how I could improve my network security?:

      @dave247 said in Thoughts on how I could improve my network security?:

      @scottalanmiller said in Thoughts on how I could improve my network security?:

      If you DO decide to go UTM, avoid crap like ASA, SonicWall, Sophos etc. I heavily recommend Palo Alto or nothing. If you can't do it right, don't do it halfway with gear I'd not even be willing to deploy at home.

      What's wrong with Sonicwall? We have that where I work..

      High cost, low quality, bad vendor. Reverse the question... what's good about them?

      1. They are a UTM maker, something I think is generally fundamentally wrong as an approach.
      2. They claim to be for security but have hidden configuration that isn't documented, a big no no in security and IT.
      3. They intentionally set defaults to break things for no reason like SIP-ALG (SW is the #1 cause for VoIP issues.)
      4. They are expensive, many times the cost of equipment I consider to be much better.
      5. They essentially exist only, much like Meraki, to make sales people money. They are like Mary Kay or AmWay - no one buys them intentionally, they buy them from sales people to make them go away. They aren't good enough for people to go looking for them. But when the girl scouts come to your door, you feel bad and buy something small to make them leave, SonicWall is the cheapest thing you can buy from the vendors that sell them, it's a lot like unwanted Girl Scout cookies - you know they are expensive and unhealthy, but you feel you have to buy something.

      1. So that's really just your opinion then..
      2. Can you elaborate on the "hidden configuration"?
      3. I have our VoIP running through a zone on our NSA 3600 with no issues
      4. Seems like everything is "expensive" and what you consider better is a matter of opinion
      5. I understand getting ripped off by salespeople who push products that the buyer may not truly need, but we've made use of our SonicWall NSA 3600 quite a bit. It's been rock solid. And it's not like it's just a dinky system that's been cobbled together by the manufacturer just to sell as an extra piece of expensive crap. There's a lot of depth to it and it has a lot of good tools and features.

      I have our three ISP connections coming into the SonicWall with load-balancing. I also have wifi zones for corp and guest on their own VLAN. I have LAN and VPN zones (and others) which are carefully set up and segregated through firewall rules. There's a page to manage NAT policies. We make use of SSLVPN, Gateway A/V and anti-spyware, content filtering, IDS & IPS, and the GMS Analyzer, etc.

      I didn't choose this product as it was on site when I got my job here, but as I said, it's been completely solid.

      posted in IT Discussion
      dave247
    • RE: Thoughts on how I could improve my network security?

      @scottalanmiller said in Thoughts on how I could improve my network security?:

      If you DO decide to go UTM, avoid crap like ASA, SonicWall, Sophos etc. I heavily recommend Palo Alto or nothing. If you can't do it right, don't do it halfway with gear I'd not even be willing to deploy at home.

      What's wrong with Sonicwall? We have that where I work..

      posted in IT Discussion
      dave247
    • RE: Need some help with a better fax solution

      @dashrender said in Need some help with a better fax solution:

      The last time I looked at the fax solution for my 700+ pages per day the cost was going to be in excess of $700 a month for a hosted solution.

      This is why I kept it in the house onto a machine that I already owned saving to a network share but I could have just as easily sent it to an email group.

      Monthly reoccurring fees are $30 for a pots line.
      My machine has a printer driver that allows printing to fax. So there is no need to print something and walk to a machine.

      We do about 200 pages a month or so which is going to cost us about $30 per month and then it sounds like if we go over that, it's still quite cheap.

      posted in IT Discussion
      dave247
    • RE: Need some help with a better fax solution

      @scottalanmiller said in Need some help with a better fax solution:

      @dave247 said in Need some help with a better fax solution:

      I'm not leaving this company for a while as I just got the job a year ago as my first IT job as sysadmin and I've been getting a ton of invaluable experience with a massive range of IT things, big and small.

      That should read "I'm getting out of here as quickly as possible. I've been here a full year and already am dramatically left without mentorship and there is no upward mobility. The company doesn't care about business and my desires to do good IT work don't align with the organization."

      I actually do have mentorship and there is upward mobility. Additionally, I have learned a ton on my own and I think I'm doing pretty good so far, despite some negative things. And of course my company cares about business, despite making some bad decisions in the past. Stop making such negatively absolutist statements.

      posted in IT Discussion
      dave247
    • RE: Need some help with a better fax solution

      We've signed up with egoldfax so thanks to the user who suggested that.

      posted in IT Discussion
      dave247
    • RE: Need some help with a better fax solution

      @scottalanmiller said in Need some help with a better fax solution:

      @dave247 said in Need some help with a better fax solution:

      @scottalanmiller said in Need some help with a better fax solution:

      @dave247 said in Need some help with a better fax solution:

      @scottalanmiller said in Need some help with a better fax solution:

      @marcinozga said in Need some help with a better fax solution:

      @dave247 said in Need some help with a better fax solution:

      @marcinozga said in Need some help with a better fax solution:

      We use RingCentral for VoIP, so faxing is included. They have 3 options for sending faxes. Emails to [email protected], through deskphone app, or printing to virtual printers installed on desktops.

      We're going with a new Cisco voip and I guess they don't have a fax solution... rips hair out

      Perhaps it's time to fire the first person for buying Cisco.

      That would be the first step. Find the root cause of the problems.

      That's my CIO who thinks Cisco is the way to go since it's Cisco. I tried telling him about Vonage and other far cheaper voip solutions but he doesn't really hear what I'm saying.

      The root of the issue is whoever hired a CIO that isn't qualified to work in IT (or business.) That's not the logic of a business person.

      Scott, the person who hired my company's CIO was the owners of the company. There is nobody in-between.

      I didn't suggest that it was. You have an endemic problem with the business approach. Not something that can be fixed. You have two options... stop caring about doing a good job because that's not the job they want done or leave.

      Well I'm not going to stop caring because I have still been able to make a lot of difference here for the better, despite the CIO's bad habits.

      I'm not leaving this company for a while as I just got the job a year ago as my first IT job as sysadmin and I've been getting a ton of invaluable experience with a massive range of IT things, big and small.

      posted in IT Discussion
      dave247
    • RE: Need some help with a better fax solution

      @scottalanmiller said in Need some help with a better fax solution:

      @dave247 said in Need some help with a better fax solution:

      @scottalanmiller said in Need some help with a better fax solution:

      @dave247 said in Need some help with a better fax solution:

      @scottalanmiller said in Need some help with a better fax solution:

      @dave247 said in Need some help with a better fax solution:

      @eddiejennings said in Need some help with a better fax solution:

      @dave247 said in Need some help with a better fax solution:

      @eddiejennings said in Need some help with a better fax solution:

      @dave247 said in Need some help with a better fax solution:

      @eddiejennings said in Need some help with a better fax solution:

      This is the solution we chose for faxing was using voip.ms's virtual fax service. I ported the number we were using for faxing to them. I setup E-mail to fax so inbound faxes are sent to [email protected]. You could set that to be the address of your fax E-mail group. For outbound faxing, users (who I've authorized to fax) send a message to [email protected] with an attachment. Our printer doesn't have a direct scan-to-E-mail option, so if my users don't already have a digital document of what they want to fax, they'll need to scan it. The system is pretty bare bones, but it meets our needs.

      I was hoping fax would just go away for us when we moved to FreePBX + Twilio SIP trunking, but On High requires it, and I decided that wasn't a battle worth fighting.

      What about if you want faxes to go to different departments? Would you have a separate fax line for each department or is there an easier way that I'm not thinking of?

      Also, turns out our Bizhub C454e has a PC Fax driver so users can just send faxes from their PC. I'm hurrying to install this now.

      For that, if I used voip.ms, I'd probably have to have a separate DID for each department. I'm in a situation where that's not a requirement, and we just have one place for faxes. That being said, the aforementioned mailbox is a mail-enabled public folder, to which I've only granted access to the people in the office who would have been the people who could access faxes anyway.

      Yeah that's pretty much how we have it set up now. I have a couple extra phone lines I could be using for fax to different departments...

      You might want to check eGoldFax and see if they can do what you want. Folks here have spoken highly of them. Their cheapest eGoldFax plan was around $30 / month, and for our volume (or lack thereof) of faxing, the pricing didn't make sense.

      http://www.goldfax.com/

      oh wow, eGoldFax looks perfect. Completely cloud hosted with no hardware or software to install... thanks!

      That's the way that I think most companies are going today. Not that service specifically, just fully hosted fax services. It's worth just making that whole component go away.

      We just had a meeting with our printer support vendor and they want to sell us this solution involving a virtual fax server and stuff that's ballpark $8,000. I'm just silently ripping my hair out while my CIO eats it up.

      So your CIO isn't even an intern level? That's basic adulting, how do people like this even get employed?

      He's a friend of the owners of my company. He makes over $150k per year but he doesn't know much about IT at all. He more or less deals with businessy stuff and policies and "vendor management"... he works about 25 hours a week and is kind of a spendthrift. I can't do anything about it except try to "manage upward"..

      Actually, the issue I'm seeing is that he's not doing business or vendor management - exactly the opposite.

      Yup.

      posted in IT Discussion
      dave247
    • RE: Need some help with a better fax solution

      @scottalanmiller said in Need some help with a better fax solution:

      @dave247 said in Need some help with a better fax solution:

      @scottalanmiller said in Need some help with a better fax solution:

      @marcinozga said in Need some help with a better fax solution:

      @dave247 said in Need some help with a better fax solution:

      @marcinozga said in Need some help with a better fax solution:

      We use RingCentral for VoIP, so faxing is included. They have 3 options for sending faxes. Emails to [email protected], through deskphone app, or printing to virtual printers installed on desktops.

      We're going with a new Cisco voip and I guess they don't have a fax solution... rips hair out

      Perhaps it's time to fire the first person for buying Cisco.

      That would be the first step. Find the root cause of the problems.

      That's my CIO who thinks Cisco is the way to go since it's Cisco. I tried telling him about Vonage and other far cheaper voip solutions but he doesn't really hear what I'm saying.

      The root of the issue is whoever hired a CIO that isn't qualified to work in IT (or business.) That's not the logic of a business person.

      Scott, the person who hired my company's CIO was the owners of the company. There is nobody in-between.

      posted in IT Discussion
      dave247