    Posts

    • RE: Multiple Tombstoned DC's

      @dbeato said in Multiple Tombstoned DC's:

      @Fredtx said in Multiple Tombstoned DC's:

      I've got 11 AD sites. 1 of the 11 has 6 inbound neighbors that have not replicated since 08/2021, possibly because someone deleted the VPN tunnels to those sites, and did not look at the dependencies of that tunnel.
      I'm familiar with the demoting/promoting process, including the DNS cleanup that comes with it. My question is, do I need to demote all 6 of those inbound neighbors? Or is there a better way to handle this? I read that some people have had success with using the Lingering Object Liquidator (LoL) Microsoft tool, and forced AD replication by modifying the Allow replication with divergent and corrupt partner reg key.

      I would demote them fully and then add them slowly each one to make sure they are being added properly to the domain.

      I was going to do 1 at a time, but ran into issues with the 1st as one of the other tombstoned DCs accepted the logon of the server when I joined it back to the domain, so I had problems trying to promote it as I was pointing it to our corporate site, and the corp site did not have the new computer object. I plan on demoting all 6 at one time Friday night, but was thinking there could be a better way to handle this possibly, or what other options I have.

      posted in IT Discussion
      Fredtx
    • Multiple Tombstoned DC's

      I've got 11 AD sites. 1 of the 11 has 6 inbound neighbors that have not replicated since 08/2021, possibly because someone deleted the VPN tunnels to those sites, and did not look at the dependencies of that tunnel.

      I'm familiar with the demoting/promoting process, including the DNS cleanup that comes with it. My question is, do I need to demote all 6 of those inbound neighbors? Or is there a better way to handle this? I read that some people have had success with using the Lingering Object Liquidator (LoL) Microsoft tool, and forced AD replication by modifying the Allow replication with divergent and corrupt partner reg key.

      posted in IT Discussion active directory
      Fredtx
    • RE: What Are You Doing Right Now

      Drinking an awesome IPA at Malai Kitchen. The IPA is called Thai IPA, brewed with lemongrass, ginger, and lots of other ingredients. They brew their beer in-house, and the food is awesome too.

      posted in Water Closet
      Fredtx
    • RE: Wsus for remote vpn and on-premise users

      So a little background about this company I'm trying to implement patch management for is that it's growing through acquisitions. There are currently about 12 locations, and I just heard recently they acquired another company, which brings it to 13 locations. I'm wondering if implementing an RMM will benefit this company for the future? They are growing at a fast rate, and it doesn't appear to be slowing down.

      posted in IT Discussion
      Fredtx
    • RE: Wsus for remote vpn and on-premise users

      @dashrender said in Wsus for remote vpn and on-premise users:

      @obsolesce said in Wsus for remote vpn and on-premise users:

      You can use Windows Update for Business. No need for WSUS.

      Is there any type of reporting in that?

      Looks like there's some built-in reporting in Azure.

      Monitor Windows Update with Update Compliance

      posted in IT Discussion
      Fredtx
    • RE: Wsus for remote vpn and on-premise users

      @dashrender said in Wsus for remote vpn and on-premise users:

      I'm guessing at least some if not all of your servers will still be manual - and are you really looking at having WSUS push to workstations? If you are because you want to know their patch status because of reports from WSUS - great (hope there is budget for someone to manage this) if not, then just turn on automatic updates and be done with it.

      Is logging in to the console of Windows servers the best way to install patches? What if there were 100 servers? That seems like a lot of overhead.

      And yes, I'm looking at getting the report features for patch status for workstations, and was hoping for servers too.

      posted in IT Discussion
      Fredtx
    • RE: Wsus for remote vpn and on-premise users

      @dashrender said in Wsus for remote vpn and on-premise users:

      What is the goal here? to keep the servers up to date? Do you really want WSUS to update your servers 'whenever'? Most people don't, could lead to an unexpected reboot in the middle of the day.

      Of course I would not want the servers to reboot in the middle of the day. I would have to discuss with management on maintenance windows of downtime, since this is a manufacturing business where some sites run 24/7.

      The goal is to improve and simplify how patching is handled for both servers and workstations. Currently there is no kind of process in place.

      posted in IT Discussion
      Fredtx
    • RE: Wsus for remote vpn and on-premise users

      @scottalanmiller said in Wsus for remote vpn and on-premise users:

      If you have any hesitation to that policy, it means you are running a platform you don't trust in production. That's valid as a concern. But your IT has committed its trust to Windows, so either you need to embrace that decision or you need to convince them to change.

      With me being in this new role for 2 weeks (first system admin role), and the majority of the computers/servers on Windows, I will have to stick with this solution for now.

      Currently there is no central management for patching, and currently they are logging on each server and running updates that way and hope that workstations are getting patched through the GPO they have in place.

      posted in IT Discussion
      Fredtx
    • RE: Wsus for remote vpn and on-premise users

      @irj said in Wsus for remote vpn and on-premise users:

      95% of WSUS administration is blindly approving updates anyway. Just let them auto update and be done.

      That's another topic I want to get to as well. The topic of when and how to schedule/approve patching for your business in a Windows environment? And what is best practice? That may need to be a different post though.

      posted in IT Discussion
      Fredtx
    • RE: Wsus for remote vpn and on-premise users

      @dashrender said in Wsus for remote vpn and on-premise users:

      The following assumes your server has 16 or fewer hardware cores in it.
      Windows Server standard licenses allow for 2 VMs per 16 cores worth of processor licensing.
      Therefore, if you have 4 VMs today, you are required to have a minimum of 32 cores worth of licensing.
      If you have more than one DC on that single server hardware - you might consider reassigning that VM as a non DC and as WSUS instead, to save you needing to buy another license.
      No real value in two DCs in a VM on the same host. I mean there is a tiny bit of value, but worth the cost of another license - probably not.

      Looks like I have 1 2019 Standard license available so no need to buy an additional license, and I can create a VM just dedicated for WSUS.

      There is only 1 DC at our main site on the same ESXi host that the future WSUS server will be on.

      So as of now, it's looking like 1 WSUS Upstream server at main site, that remote servers will download updates from via site-to-site VPN. And if possible, configure existing WSUS settings for workstations to download updates from MS. If it's not possible, create a replica, which would only be used to tell the workstations which updates are approved, and will not store updates on the hard drive of the server?

      posted in IT Discussion
      Fredtx
    • RE: Wsus for remote vpn and on-premise users

      @dashrender

      I will have to see if I can create multiple policies for specific groups. From what I read in a TechNet article on WSUS and updates via VPN, it suggested creating a replica.

      Yeah, I've read that putting WSUS on a DC is a big no-no.

      I was planning on creating a new VM on our ESXi host dedicated as our WSUS server. Currently the host has 4 VMs. 1 of the 4 is a WS2019 Standard which is our FSMO role holder DC. I'm not familiar with licensing, but I guess I will have to get a new license?

      posted in IT Discussion
      Fredtx
    • Wsus for remote vpn and on-premise users

      I've been tasked with implementing patch management for our company. I worked at an MSP prior to this role (sys admin), and we handled patch management through our RMM agents. My current company does not have RMM agent/management, so I'm looking at implementing WSUS.

      Just needing a little help in deciding how to implement WSUS with the current network environment/setup.

      We have 16 sites. 13 out of the 16 are domain controllers. Sites are in a mesh site-to-site network. There are about 250-300 users between all sites, with our main site having the most users for office duties. This is a manufacturing company BTW.

      I plan on creating a VM for the Upstream server at our main corporate site, which has a 100/100 fiber link. The problem I have is for remote users. We have a company policy that allows users to WFH 3 days out of the week if they are capable. Some don't abide by that rule, and work remote the majority of that time. I think it would be better to have the workstations pull updates from Microsoft as opposed to downloading from the WSUS server over a VPN as it will rely on them staying connected to complete the download.

      So I'm thinking about having workstations pull updates from Microsoft, and servers pull updates from the WSUS server. Or should I have some of the other remote servers function as downstream servers?

      Any suggestions or ideas are much appreciated!

      posted in IT Discussion patching wsus
      Fredtx
    • RE: Job offer

      @scottalanmiller said in Job offer:

      And go get this book...

      Got it! Can't wait to read it! Thanks!

      posted in IT Careers
      Fredtx
    • RE: UniFi Wi-Fi Has No Internet

      As a troubleshooting step, have you tried to put the wireless device on static as opposed to DHCP?

      posted in IT Discussion
      Fredtx
    • RE: Job offer

      @scottalanmiller said in Job offer:

      @irj said in Job offer:

      I always sign offer and wait for background check, drug screen, etc BEFORE I put my notice in

      Heck yeah. Everything has to be totally finalized before I'll consider it.

      Well, I got another offer from a different company. Same pay range. System Admin role, so I'll be managing/maintaining all their systems. First system admin role. Pretty excited about this one as it's exactly what I've been looking for. And I got an actual offer this time. Submitted drug test and background check today, and signed the offer. Once it's validated, then I will let my current employer know. I would hate to retract 2 resignations. lol.

      posted in IT Careers
      Fredtx
    • RE: Job offer

      @irj

      I had to retract my resignation, which they were happy I wasn’t leaving yet. I guess I got too confident, and jumped the gun. Also, I was planning on taking a week off after my departure before I start the new position.

      posted in IT Careers
      Fredtx
    • RE: Job offer

      @irj said in Job offer:

      I always sign offer and wait for background check, drug screen, etc BEFORE I put my notice in

      Yep. Lesson learned dude. I did have a good interview today though, and I’m going to the next step. This one actually looks real, no red flags so far. We will see!!! Lol!

      posted in IT Careers
      Fredtx
    • RE: Job offer

      Well, I guess this was a fake job. I was notified this morning that the IT director has decided to retract the offer, and has decided to reevaluate the needs in his group and has postponed hiring for this position. It was weird how HR kept stalling on giving me additional information, and the fact she told me they don't do an actual letter, and I would be signing on my first day of employment. Lesson learned on my end.

      posted in IT Careers
      Fredtx
    • RE: Job offer

      @jaredbusch said in Job offer:

      I would take this offer in your position.
      If it does turn out to be a lot of bench work, you will also have a lot of travel time to read/study on more azure/aws and improve your next jump to a new place.

      I agree. My wife was actually telling me the same thing before you posted this. lol.

      posted in IT Careers
      Fredtx
    • RE: Job offer

      Here's some other things I see as possible red flags.

      1. The position has been open for more than 30 days according to Indeed. Maybe because of the travel requirement? IDK.
      2. There wasn't much of an interview when I interviewed with the Director and Senior engineer. I actually did not expect an offer when HR gave me a call the following day. Interview was them telling me about the position and company, and me telling them about my experience.
      posted in IT Careers
      Fredtx