Posts made by dbeato

@scottalanmiller said in I've been asked to set up MFA on internal computers and servers:

@notverypunny said in I've been asked to set up MFA on internal computers and servers:

@dave247 said in I've been asked to set up MFA on internal computers and servers:

@notverypunny said in I've been asked to set up MFA on internal computers and servers:

@dbeato said in I've been asked to set up MFA on internal computers and servers:

@dave247 said in I've been asked to set up MFA on internal computers and servers:

@notverypunny said in I've been asked to set up MFA on internal computers and servers:

As far as the internet connectivity issues are concerned, AuthLite has 0 dependencies apart from AD. It can also integrate with NPS / RADIUS + AD to provide MFA to just about anything that can use RADIUS.

It's also per-user perpetual licensing

oh nice, I will check that out immediately. I was looking at Duo too (of course) so I wonder how that compares. I like the idea that it has no other dependencies than AD - that's perfect for our current environment.

Yeah, DUO has dependencies with their service and if the computer doesn't have internet it has the option to let you login without a prompt so that happens. Not sure if AuthLite does the same.

Authlite has support for offline logins (meaning if the machine can't talk to a DC), it just requires the installation of their client on the workstation / server / endpoint in question. You can also require / enforce 2FA on your endpoints.

Here's a thread where one of the authlite guys gives a quick comparison of AuthLite vs Duo.
https://www.reddit.com/r/sysadmin/comments/ct9m31/duo_vs_authlite_for_ad_mfa/

Duo seems to be the easiest and I've been playing with it with the tiral. Its super easy to configure it so without Internet or Duo service connectivity, MFA is bypassed. So in the event we have an Internet outage (happens 2-3 times a year here), users will still be able to get into their computers.

OK.... but then the only thing that you have to do to bypass the security is pull the network cable, right? Unless there's some other requirement it seems like a massive security hole.

I guess "knowing to unplug the cable" is the second factor?

Also you can disable that setting and it won't let you login at all in Duo.

@dave247 said in I've been asked to set up MFA on internal computers and servers:

@notverypunny said in I've been asked to set up MFA on internal computers and servers:

As far as the internet connectivity issues are concerned, AuthLite has 0 dependencies apart from AD. It can also integrate with NPS / RADIUS + AD to provide MFA to just about anything that can use RADIUS.

It's also per-user perpetual licensing

oh nice, I will check that out immediately. I was looking at Duo too (of course) so I wonder how that compares. I like the idea that it has no other dependencies than AD - that's perfect for our current environment.

Yeah, DUO has dependencies with their service and if the computer doesn't have internet it has the option to let you login without a prompt so that happens. Not sure if AuthLite does the same.

@nadnerb Hahah that is ServiceNow so funny

@jaredbusch It is supported you can either pay for support or run OpenSource.
https://xcp-ng.com/

It has been super stable compared to Xenserver/Citrix XenServer.

@jaredbusch It works on the legacy UI, newer UI is not so great for that.

@jaredbusch Relax, people will come around to what you are saying.

@travisdh1 the Line of EdgeMax Switches are below
https://store.ui.com/collections/operator-edgemax-switches

and match the name that probably were written incorrectly before.

@gjacobse yeez, that's a lot!

@gjacobse So all your kids have gotten through this?

@siringo said in What Are You Doing Right Now:

lost a client. been with them for 8-9 years.
no consultation, no nothing.
they have a track record of this type of behaviour
the worst thing about it all
the way i've been treated
got told my services were no longer required by a consultant

the new mob they've gone with
first thing they asked me to do (yeah, I'm going to take notice of what they want)
can I remove the av off all hosts so their rmm can be installed
this, while i'm still managing the network

Yeah, this has been happening lately sorry to hear tha.

@jasgot I hope I am helpful

@mc_bol and what will you do for the coming cumulative updates that have the update again? Just keep deferring?

@jasgot said in What Are You Doing Right Now:

Bringing a 2013 Exchange server back to life so it can be replaced with 2019

I hope not to do an in place upgrade

@garak0410 said in Facebook and Instagram Pages Won't Load on Domain Connected Windows 11 PC:

r does it give an error...it will usually perpetually spin or just show a white page. I fired up Chrome and same thing but if you wait long enough it MAY load but mostly the same thing.
I've tried a different Edge Profile and even used guest and in-private mode. Same results.
If I disable the network card on this domain joined PC and go on the Wi-Fi (which is outside domain), Facebook and Instagram work fine. As soon as I reenable the network card on the domain, bam, it stops.
I went ahead and upgraded another, domain joined PC in the office (with a different PC name) to Windows 11 and tried

What are you using for DNS on the Domain Controllers? Root Hints or Forwarders servers? And what are they now?

@eleceng said in The remote session was disconnected because there are no Remote Desktop License Servers:

Getting error The remote session was disconnected because there are no Remote Desktop License Servers to give a license.

This is on server 2016 and just doing RDP connection for setting up server roles not using terminal services or making a terminal server just connecting with RDP like you do desktop to desktop on the Lan, etc.

There are no CAL licenses applied yet.

Connect to the server as mstsc /admin or mstsc /console with the Admin user. Setup the roles, license the server and you will be good to go.

@eleceng Just make sure that you have an account that is not the built-in Administrator user as the only Domain admin and the GPO Policy applied only to certain OUs and not the domain root. Otherwise you will have a problem in your hands.

@travisdh1 said in What Are You Doing Right Now:

he county sheriff office had their main server break overnight. This has bad day written all over it

That's not fun

@gjacobse https://www.theverge.com/2021/10/4/22708989/instagram-facebook-outage-messenger-whatsapp-error

@eleceng DNS and DCs go hand in hand so while you could get away with it there is no reason to separate those roles.

@scottalanmiller Yup Facebook down

@eleceng said in WSUS Location:

Should WSUS be a separate server / VM or added as a role on one of the 2 domain controllers?

What's best practice, experience?

Best practice is a separate server and never a domain controller.