    Posts

    • RE: Trying to correctly understand core licensing in a vmware environment

      @scottalanmiller said in Trying to correctly understand core licensing in a vmware environment:

      @pmoncho said in Trying to correctly understand core licensing in a vmware environment:

      @coliver

      That I get but does it make sense to get DC to stick with single function hosts? Does an SMB really want to pay for a WSUS, Email, two DC's, FileServer and two/three RDS servers separately?

      All my SMBs do. The protection is important and once you have any number, DC makes the separation "free".

      We do here too but with the refresh coming up next year, I am debating on whether the value for us is actually there vs moving as much to Linux as possible. I have a little while to figure it out but this thread has been very enlightening. Good stuff.

      posted in IT Discussion
      pmoncho
    • RE: Top Ten Happiest Places on Earth in 2019

      @Obsolesce said in Top Ten Happiest Places on Earth in 2019:

      @Dashrender said in Top Ten Happiest Places on Earth in 2019:

      @Obsolesce said in Top Ten Happiest Places on Earth in 2019:

      @scottalanmiller said in Top Ten Happiest Places on Earth in 2019:

      @Dashrender said in Top Ten Happiest Places on Earth in 2019:

      I also think Europeans at least have better diets than we Americans.

      Not just Europeans. Basically the US and Mexico have the unhealthiest diets in the world. Everyone eats better than we do, on average (of those who have enough food.)

      Also, some of the bad ingredients are simply illegal to use in food here.

      Like what? You mean the pre-packaged chemicals for anti-spoilage? I'd be OK with that... though, my wife wouldn't be - she hates the grocery store, frankly I can't believe she has signed up for in home delivery of groceries or order ahead they bring to your car, groceries.

      One big one off the top of my head is high fructose corn syrup

      Just did a quick google search and it popped this up from livingstrong website.

      "Contrary to common opinion, high fructose corn syrup isn't banned in Europe. Referred to as isoglucose or glucose-fructose syrup in this region, use of high fructose corn syrup is restricted because it's under a production quota."

      It would be nice if it was limited in the US.

      posted in Water Closet
      pmoncho
    • Statefull vs Stateless

      Without sounding too ignorant, what is considered a Stateless system vs a Stateful?

      I see many conversations here where "Stateless" is mentioned and I am having a small issue comprehending the entire meaning.

      I can basically understand what a stateless protocol is, but applying it to a system confuses me as to what type of system this would be and its use.

      If anyone has a link, that would be great.

      posted in IT Discussion
      pmoncho
    • Tech Support Search choices

      I know I am not alone but was wondering how many here will search Mango/ServerXXX/🌶 before Google?

      Has anyone created a search on a personal site that will search all specific forums at once?

      posted in Water Closet
      pmoncho
    • RE: I think I am missing something about Hyper-V....?

      @kooler said in I think I am missing something about Hyper-V....?:

      In general we shift our focus from "Hyper-V and VMware" to "VMware and KVM". Reason: Hyper-V doesn't grow anymore and KVM has very high chances to supersede it. VMware... There's just more money there 🙂

      Could you expand on your statement about Hyper-V not growing? Thanks

      posted in IT Discussion
      pmoncho
    • RE: Backyard Shed Lights

      @travisdh1

      That is my issue, so many dang choices and I don't delve into the solar panel world. I'm not the electrician by any means so I have to figure out how much solar panel I need to charge a battery to allow X amount of lights to run for X amount of hours on battery. Just confusing....

      I will keep this post updated.

      posted in Water Closet
      pmoncho
    • Hylafax with Digi Realport on Fedora 28 and SELinux

      I am unable to configure SELinux properly to allow the faxgetty process.

      I receive the following message in the audit.log:

      type=AVC msg=audit(1530011821.626:271): avc:  denied  { write } for  pid=1367 comm="faxgetty" name="status" dev="dm-0" ino=13376935 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir permissive=0
      type=AVC msg=audit(1530011821.626:272): avc:  denied  { read } for  pid=1367 comm="faxgetty" name="FIFO.ttyaa01" dev="dm-0" ino=13339822 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=fifo_file permissive=0
      

      I tried audit2allow with the following result but upon reboot, I have the same error:

      
      module faxgetty 1.0;
      
      require {
              type var_spool_t;
              type getty_t;
              class capability setuid;
              class dir write;
              class fifo_file read;
      }
      
      #============= getty_t ==============
      
      allow getty_t self:capability setuid;
      allow getty_t var_spool_t:dir write;
      allow getty_t var_spool_t:fifo_file read;
      

      I either need to disable SELinux or do a "semanage permissive -a getty_t" for faxgetty to run at all.

      posted in IT Discussion
      pmoncho
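
To show how the audit2allow rules in the post above relate to the two AVC records it quotes, here is an added example (not part of the original post, and not audit2allow's own code) that parses those records into allow rules and lists any posted rule with no matching denial in the excerpt. The function names are hypothetical; the log lines and rules are copied from the post.

```python
import re
from collections import defaultdict

# The two AVC records from the post, rejoined onto single lines.
AUDIT_LOG = """\
type=AVC msg=audit(1530011821.626:271): avc:  denied  { write } for  pid=1367 comm="faxgetty" name="status" dev="dm-0" ino=13376935 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1530011821.626:272): avc:  denied  { read } for  pid=1367 comm="faxgetty" name="FIFO.ttyaa01" dev="dm-0" ino=13339822 scontext=system_u:system_r:getty_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_spool_t:s0 tclass=fifo_file permissive=0
"""

# The allow rules from the module quoted in the post: (source, target, class, perm).
POSTED_RULES = {
    ("getty_t", "self", "capability", "setuid"),
    ("getty_t", "var_spool_t", "dir", "write"),
    ("getty_t", "var_spool_t", "fifo_file", "read"),
}

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type from user:role:type[:mls]; the MLS part may itself contain ':'."""
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {context!r}")
    return parts[2]


def parse_denials(log_text):
    """Return a list of (source_type, target_type, tclass, perm), one per denied permission."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line) if "type=AVC" in line else None
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        src = context_type(fields["scontext"])
        tgt = context_type(fields["tcontext"])
        if tgt == src:
            tgt = "self"  # a domain acting on its own type is written as "self" in policy
        for perm in m.group("perms").split():
            denials.append((src, tgt, fields["tclass"], perm))
    return denials


def allow_rules(denials):
    """Group denials by (source, target, class) and render them as allow statements."""
    grouped = defaultdict(set)
    for src, tgt, tclass, perm in denials:
        grouped[(src, tgt, tclass)].add(perm)
    rules = []
    for (src, tgt, tclass), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_text};")
    return rules


def unexplained(posted, denials):
    """Posted rules that no denial in the given log text accounts for."""
    return sorted(set(posted) - set(denials))


if __name__ == "__main__":
    found = parse_denials(AUDIT_LOG)
    print("\n".join(allow_rules(found)))
    print("no matching denial in excerpt:", unexplained(POSTED_RULES, found))
```

The `self:capability setuid` rule has no matching record in the two quoted lines, so it was generated from a denial elsewhere in the log.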
    • RE: Backyard Shed Lights

      @Dashrender said in Backyard Shed Lights:

      We purchased a kit from Harbor Freight - it came with everything I needed at the time for a small lighting project.

      I will check out HF this weekend. Lots to do before the wedding but I will make it a "but honey, it's on the way" trip. 😉

      posted in Water Closet
      pmoncho
    • RE: Is RD Gateway useful?

      @flaxking said in Is RD Gateway useful?:

      Let me bring my question back at a different angle. If you were paying for a hosted, fully managed terminal server, what would be your expectations for how it would be secured?

      Personally, I would sleep fine at night with RDP exposed, but with 2-step authentication, and good log monitoring (and enforcing the security built into RDP and Windows authentication). However, maybe that is not enough for a professional solution.

      You can add RDPGuard to the RDS server too.

      Although, like @travisdh1 stated, put HTTPS in front and you're all good. I use an SSL-VPN myself.

      posted in IT Discussion
      pmoncho
    • RE: Backyard Shed Lights

      @travisdh1 said in Backyard Shed Lights:

      @pmoncho said in Backyard Shed Lights:

      @travisdh1 said in Backyard Shed Lights:

      @pmoncho The other big question is, are you in Texas or New York? Big difference in the amount of solar power you can count on getting!

      I'm NE Ohio. I am only planning on using the light in the shed for about 5-7 hours a week and about 1-2 hours at one time.

      Well shoot, we should say hello sometime. I'm on the east side of Cleveland.

      Absolutely. In our PM, I mentioned B-Spot. Lola Burger and Reissdorf beer🙂

      Edit: Sorry, Apparently I was thinking B-Spot and forgot to actually type it. I only mentioned grabbing a beer. My bad.

      posted in Water Closet
      pmoncho
    • RE: Windows servers- move files from old to new

      @lj said in Windows servers- move files from old to new:

      Thanks again. Can you give me some details about "I use GPO's to set the users home dir and shared file folders"? That's another area I need help with.

      If homedir means redirected folders then I would use MS documentation

      For shared folders, I put a shortcut on their desktop to the share they need using Group Policy Preferences. Also, my users are in groups so I assign GPO's and GPP's to groups not specific or all users.

      posted in IT Discussion
      pmoncho
    • RE: Backyard Shed Lights

      @travisdh1 said in Backyard Shed Lights:

      @pmoncho said in Backyard Shed Lights:

      @travisdh1 said in Backyard Shed Lights:

      @pmoncho said in Backyard Shed Lights:

      @travisdh1 said in Backyard Shed Lights:

      @pmoncho The other big question is, are you in Texas or New York? Big difference in the amount of solar power you can count on getting!

      I'm NE Ohio. I am only planning on using the light in the shed for about 5-7 hours a week and about 1-2 hours at one time.

      Well shoot, we should say hello sometime. I'm on the east side of Cleveland.

      Absolutely. In our PM, I mentioned B-Spot. Lola Burger and Reissdorf beer🙂

      Edit: Sorry, Apparently I was thinking B-Spot and forgot to actually type it. I only mentioned grabbing a beer. My bad.

      Hrm, should we start #mangomeetups?

      I don't see why not. More than 1 in some places of the world could be considered a group. Then we label it a MangoMeetup! 🙂

      posted in Water Closet
      pmoncho
    • RE: Firewall rules for outgoing traffic

      @pete-s said in Firewall rules for outgoing traffic:

      @scottalanmiller said in Firewall rules for outgoing traffic:

      @pete-s said in Firewall rules for outgoing traffic:

      What is best practice for SMB?

      SMB the protocol? Or SMB meaning small business?

      Small business. The enterprises I've seen have heavy restrictions on outbound traffic..

      I used to limit outbound traffic but like @JaredBusch said, it became hard to manage with all the crap issues and small numerous changes constantly. The outbound rules started to add up and after much deliberation, we decided to scrap it.

      posted in IT Discussion
      pmoncho
    • RE: Non-IT News Thread

      @scottalanmiller said in Non-IT News Thread:

      @pmoncho said in Non-IT News Thread:

      It's an all or nothing deal. My way or highway.

      That's like calling all laws bullies. It's just the law. And in this case, not a law forced on them, one that they voluntarily joined.

      All laws are not bullies but there are some that can be considered as such. What they joined voluntarily many many moons ago is not what they are being given today based on this new requirement of "our way or the highway." Basically a bait and switch tactic. Aka - Bullying.

      posted in Water Closet
      pmoncho
    • RE: Group Policy - Printer Deployment

      @jaredbusch said in Group Policy - Printer Deployment:

      Fuck printers.
      Fuck printer servers.
      Fuck GPO based printing.

      When did you start working with us????? 🙂

      Hell, it's about time to hire a windows print management specialist anymore!

      posted in IT Discussion
      pmoncho
    • RE: Non-IT News Thread

      @scottalanmiller said in Non-IT News Thread:

      @pmoncho said in Non-IT News Thread:

      Basically a bait and switch tactic. Aka - Bullying.

      Not really. It's a voluntary association that they are free to leave. Even if what you say is accurate and it was a bait and switch, they are no worse off leaving now than never having joined. So there was no bullying.

      If they derive benefits from the agreement, then there is possible economic loss.

      posted in Water Closet
      pmoncho
    • RE: Handling DNS in a Single Active Directory Domain Controller Environment

      @obsolesce said in Handling DNS in a Single Active Directory Domain Controller Environment:

      @pmoncho said in Handling DNS in a Single Active Directory Domain Controller Environment:

      @obsolesce said in Handling DNS in a Single Active Directory Domain Controller Environment:

      @kelly said in Handling DNS in a Single Active Directory Domain Controller Environment:

      just challenging the "most commonly correct approach" statement

      It seems you are mistaking the "most common approach" with the "most common correct approach". I haven't been around the SMB as much as JB, but I'm assuming the most common approach to SMB DC implementations are incorrect. Meaning, 2+ DCs are being used when 1 should be used. Perhaps two DCs are used because so many other things are done incorrectly, it's thought 1 shouldn't be used due to so many other things not properly in place, but that's besides the point in my reply here.

      IMHO, SMB's use 2 DC's (me included) because it is drilled over and over in our heads by outside forces, including the application developers and the OS companies themselves. On top of that, we are completely stupid if we don't have a second DC if the hardware is available. So to follow "Best Practices," SMB's just do it. It doesn't necessarily mean that things are done incorrectly though. It mostly means, we (aka I) have an extra DC there sitting, waiting, getting monthly updates and then gathering more dust for years on end all in the name of protection and risk reduction.

      That is why coming here and having extensive discussions about general topics has helped me change my own thoughts about system/network design in SMB's.

      Then I assume you have an extra everything if it costs less than $5k, correct? Especially if other things depend on it... such as redundant ISP, all redundant switches, definitely redundant LoB services, etc... if not, why choose only a DC over things that would be way more beneficial to have HA? If you have extra hardware, extra software, etc... that would go unused and be wasted otherwise, then sure, it could make more sense, but could still cause the same amount of benefits and negatives.

      Just because a company has an extra DC doesn't mean every process/product/connection needs to be duplicated. If there are two hosts an extra DC is peanuts. No $5K is needed, $800 tops and there is value (reduced risk) in that $800. Plus, as has been mentioned, seizing roles is less time and MUCH less panic than restoring a VM.

      posted in IT Discussion
      pmoncho
    • RE: Non-IT News Thread

      @Dashrender said in Non-IT News Thread:

      @hobbit666 said in Non-IT News Thread:

      Electric cars: New vehicles to emit noise to aid safety
      New electric vehicles will have to feature a noise-emitting device, under an EU rule coming into force on Monday.

      It follows concerns that low-emission cars and vans are too quiet, putting pedestrians at risk because they cannot be heard as they approach.
      All new types of four-wheel electric vehicle must be fitted with the device, which sounds like a traditional engine.

      Yup, because people can't be responsible for themselves at all. 😞

      "They" cannot be responsible because they were in an important search/text message/tv show that could not wait while crossing the busy two lane five point intersection.

      posted in Water Closet
      pmoncho
    • RE: Handling DNS in a Single Active Directory Domain Controller Environment

      @dashrender said in Handling DNS in a Single Active Directory Domain Controller Environment:

      @pmoncho said in Handling DNS in a Single Active Directory Domain Controller Environment:

      @obsolesce said in Handling DNS in a Single Active Directory Domain Controller Environment:

      @pmoncho said in Handling DNS in a Single Active Directory Domain Controller Environment:

      @obsolesce said in Handling DNS in a Single Active Directory Domain Controller Environment:

      @kelly said in Handling DNS in a Single Active Directory Domain Controller Environment:

      just challenging the "most commonly correct approach" statement

      It seems you are mistaking the "most common approach" with the "most common correct approach". I haven't been around the SMB as much as JB, but I'm assuming the most common approach to SMB DC implementations are incorrect. Meaning, 2+ DCs are being used when 1 should be used. Perhaps two DCs are used because so many other things are done incorrectly, it's thought 1 shouldn't be used due to so many other things not properly in place, but that's besides the point in my reply here.

      IMHO, SMB's use 2 DC's (me included) because it is drilled over and over in our heads by outside forces, including the application developers and the OS companies themselves. On top of that, we are completely stupid if we don't have a second DC if the hardware is available. So to follow "Best Practices," SMB's just do it. It doesn't necessarily mean that things are done incorrectly though. It mostly means, we (aka I) have an extra DC there sitting, waiting, getting monthly updates and then gathering more dust for years on end all in the name of protection and risk reduction.

      That is why coming here and having extensive discussions about general topics has helped me change my own thoughts about system/network design in SMB's.

      Then I assume you have an extra everything if it costs less than $5k, correct? Especially if other things depend on it... such as redundant ISP, all redundant switches, definitely redundant LoB services, etc... if not, why choose only a DC over things that would be way more beneficial to have HA? If you have extra hardware, extra software, etc... that would go unused and be wasted otherwise, then sure, it could make more sense, but could still cause the same amount of benefits and negatives.

      Just because a company has an extra DC doesn't mean every process/product/connection needs to be duplicated. If there are two hosts an extra DC is peanuts. No $5K is needed, $800 tops and there is value (reduced risk) in that $800. Plus, as has been mentioned, seizing roles is less time and MUCH less panic than restoring a VM.

      There's so much more though - now you have to make sure there are no replication issues, and you should likely be backing up that VM (it is a VM, right?) also. You could do it free, but assuming you're using a backup product, that might require another license because it's another box, so more costs. It's also additional time doing updates, 2 boxes vs 1.

      In the scenario of 2 DC's, the VM would be backed up but is it worth it? Restoring a DC VM with multiple DC's has a higher probability of creating replication issues.

      The backup product plus a server license for it, would not be included in the costs per this discussion as every scenario would have this cost (unless using windows backup but you still need somewhere to put the backup files).

      As for updates, I view this as a HUGE value. Now, one can update the 2nd DC (aka non-FSMO role holder) first and if there is an issue, it doesn't affect any part of the network, allowing the admin to NOT run updates on other servers.

      If an SMB cannot afford a 2nd DC, then they definitely cannot afford a test environment. So all updates are run directly on production servers. We all know MS can really fork up an update or two.

      My monthly patch process goes like this: On Sat of "Patch Tuesday" week, I update my 2nd DC and allow it to run till Tuesday. If no issues, I then proceed to other systems during the week or the next Sat. I have had 2 patch issues on a very very generic 2nd DC (only AD/DNS, nothing else) over the years that could have cost big down time had it run on all production servers. IMHO, that safety, sanity, and security has a lot of value. Like the value investing axiom goes, "Price is what you pay, Value is what you get."

      Paying a single OS license for YEARS of a production update server can have a value of 3X its worth.

      I am not saying that a very small 10 person SMB shop with one host, 3 VM's (AD/DNS, FS, RDS) should have two DC's. But when you start creeping up to 40-50 users and maybe 100 remote clients, then maybe two DC's come in handy by reducing risk.

      posted in IT Discussion
      pmoncho
    • RE: What Are You Doing Right Now

      @scottalanmiller said in What Are You Doing Right Now:

      Bored while waiting on the teens to wake up. Man they sleep a lot. We are lucky if they can handle six hours of active time a day!

      Funny how us "old" folks can run circles around the young ones sometimes. 🙂

      Over the holiday, spent the 4 days at a Kalahari (2 days), Cedar Point and then Put-in-Bay with the wife and her kids plus wife's niece. I had to keep dragging them all day every day.

      posted in Water Closet
      pmoncho