    • RE: SAMIT: Do You Need Two AD Domain Controllers?

      @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

      Hey look, as soon as we say AD is easy, someone posts on SW that they screwed up their little AD install, again. We get these like once a week, maybe every two weeks. For SMBs, even what should be a trivially easy single server AD install is regularly a major problem. Just picking a domain name is beyond the common skill level. People don't get tripped up by advanced AD techniques, they are regularly stumped by just the most basic install process.

      If you can't figure out that you should use a domain you own, you shouldn't be setting up a cloud SSO deployment either...

      posted in IT Discussion
      StorageNinja
    • RE: SAMIT: Do You Need Two AD Domain Controllers?

      @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

      Central authentication, while it does have value, in the SMB seems to be primarily deployed out of confusion, rather than out of solving a problem

      The general issue I've seen is a lot of (idM) systems have weird quirks when working with things other than AD. Yes on paper LDAP will work with quite a few I suspect didn't get a lot of QE testing...

      I do think (idM) systems and SSO brokers are breaking the final biggest tie of AD (Authentication). Setting up federated services was always a pain in the ass and turnkey SAML integrations for common web apps are a lot nicer to manage.

      posted in IT Discussion
      StorageNinja
    • RE: SAMIT: Do You Need Two AD Domain Controllers?

      @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

      Yeah, but you can outsource that stuff to qualified people for a fraction of the cost of AD.

      Qualified people cost money 🙂

      You ever see a rate sheet for Continuum's outsourced India desk?
      Good luck finding SALT talent that's cheap (even in Bangalore).

      posted in IT Discussion
      StorageNinja
    • RE: SAMIT: Do You Need Two AD Domain Controllers?

      @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

      ... let's look at a ten person business:

      Server: $1,000
      Windows License: $700
      CALs: $500
      Windows Pro Upgrades: $1,500
      Admin Time to Set Up: 2-5 days

      With 10 users you could use Essentials or Foundation edition. I can buy a Dell T130 with that ~$700.

      posted in IT Discussion
      StorageNinja
    • RE: SAMIT: Do You Need Two AD Domain Controllers?

      @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

      @storageninja said in Do You Need Two AD Domain Controllers? SAMIT Video:

      CALs are cheap ($50 as a standalone, cheaper if you buy in a pack).

      CALs are either cheap or they are $50 per user, but they aren't both. For an SMB, $50 per user for no reason is expensive. What do they get from that $50?

      And that's hardly the full cost... let's look at a ten person business:

      • Server: $1,000
      • Windows License: $700
      • CALs: $500
      • Windows Pro Upgrades: $1,500
      • Admin Time to Set Up: 2-5 days

      That's $3,700 or $370 per user just to set up, plus around half a day of effort, per user to get set up. In many SMBs, it could take a week of effort just to get that kind of spending approved!

      1/2 a day of effort per user? Explain....

      posted in IT Discussion
      StorageNinja
    • RE: SAMIT: Do You Need Two AD Domain Controllers?

      @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

      @storageninja said in Do You Need Two AD Domain Controllers? SAMIT Video:

      GPO largely "just works" for a ton of things and core applications with tons of existing templates and easily googlable guides (and staff who know how to maintain it that are cheap as chips), it hooks into other Microsoft domain tech (Print server management).

      GPO is unnecessarily complicated and unreliable. It's pushed as a miracle product, but takes huge amounts of effort to learn and maintain and rarely works flawlessly. And AD isn't what provides GPO, that's one of the common myths that cause people to buy AD without actually looking into their needs. GPO doesn't come with AD, you already have it.

      It does, but AD and OU structures are the way most people use to deploy it (as well as the central policy store for deploying 3rd party). You could push it out with SALT etc, but in an SMB internal staff will not know how to use something like that.

      You could have your RMM or MDM manage push outs though (and I am seeing stuff like Airwatch positioned as a replacement). The big gap is MAM as a lot of apps had GPOs and need to have APIs for management to make the transition smooth.

      posted in IT Discussion
      StorageNinja
    • RE: SAMIT: Do You Need Two AD Domain Controllers?

      @scottalanmiller said in Do You Need Two AD Domain Controllers? SAMIT Video:

      @dashrender said in Do You Need Two AD Domain Controllers? SAMIT Video:

      You keep saying that it's likely that many don't need AD - but I see AD making these things much easier (for a cost) than not using AD.

      I think that that is mostly a myth. For a normal SMB, especially a relatively small one, AD saves no effort anywhere, but generates a ton of effort in needing to build and maintain servers, needing to maintain CALs, track CALs, take server backups, etc. All things that don't need to exist without AD, in some cases.

      AD takes no effort to setup or deploy. GPO largely "just works" for a ton of things and core applications with tons of existing templates and easily googlable guides (and staff who know how to maintain it that are cheap as chips), it hooks into other Microsoft domain tech (Print server management).

      CALs are cheap ($50 as a standalone, cheaper if you buy in a pack).

      I worked for an MSP and the amount of "maintenance" we did on AD was really non-existent. If you want to be fancy, you have your RMM script a backup once a day doing a LDIFDE -f backupad.ldif but beyond that, there's just not a lot to it. Any RMM worth its salt (get it, a SALT joke) can manage 100 domain controllers with RMM tools without any real overhead, etc.

      I agree that AD isn't providing as much value these days for small shops as it used to, but the overheads are smaller than ever.

      posted in IT Discussion
      StorageNinja
    • RE: Arg! The money spent the month before I stated here.

      @scottalanmiller said in Arg! The money spent the month before I stated here.:

      @storageninja said in Arg! The money spent the month before I stated here.:

      Most companies' IT is "mature" at this point (Hell SABRE is like 70 years old) and if your company runs on it, you're stuck with a choice of spending a few hundred million to get off of it, or accepting you don't control your own code.

      Pretty sure everyone has accepted that the choice to stay on SABRE has crippled the industry and that they would have all been better moving off of it.

      A 2-3 year project that costs 9-11 figures depending on your size? Good luck getting a board to approve and see that through in an industry that is tied to the boom/bust cycle of oil prices.
      Only reason I know one airline pulled it off as they were still small when they did it, they doubled the spending to do it in 18 months before oil snapped back up and the investors caught wind of it. Also their board/management is so incestuous, shareholder revolts were able to be ignored till they got it done before the stock tanked from the short-term dive in earnings per share for 6 quarters.

      There are a LOT of things that the stock market will not let you do, and LONG capital-intensive projects that promise long slow returns on investment are pretty much only acceptable for utilities (and only if the RIOC can be kept on a straight line growth as the project completes in sections or else you lose your capital market access).

      posted in IT Discussion
      StorageNinja
    • RE: Arg! The money spent the month before I stated here.

      @scottalanmiller said in Arg! The money spent the month before I stated here.:

      @storageninja said in Arg! The money spent the month before I stated here.:

      @scottalanmiller said in Arg! The money spent the month before I stated here.:

      It's not about proving a point. It's about factors like cost and social engineering (even when unintentional.) Companies with UTMs, I would wager, are vastly more likely to do things like have machines deployed without proper protections, AV break and not be fixed, patches not kept up with... because it creates a sense of security.

      It's the other way. You are an airline or other company who doesn't control 80% of the code going into production...

      Just have good security and don't let that happen. Basically what I hear over and over again is "our IT department is bad, so we use UTMs as a bandaid", which is exactly my concern. Is your company only willing to do dangerous things in production because it trusts in LAN centric security?

      This only works if you control the IT from the start. Most companies' IT is "mature" at this point (Hell SABRE is like 70 years old) and if your company runs on it, you're stuck with a choice of spending a few hundred million to get off of it, or accepting you don't control your own code.

      posted in IT Discussion
      StorageNinja
    • RE: Arg! The money spent the month before I stated here.

      @scottalanmiller said in Arg! The money spent the month before I stated here.:

      @dashrender said in Arg! The money spent the month before I stated here.:

      @tim_g said in Arg! The money spent the month before I stated here.:

      @scottalanmiller said in Arg! The money spent the month before I stated here.:

      @tim_g said in Arg! The money spent the month before I stated here.:

      All AVs are not equal. There are none with a 100% detection rate. The best AVs miss things the mediocre ones catch, and vice versa.

      Right, and I'd argue (and have) that having UTM makes people feel that they don't need to have good AV. But they do, because threats originate often from inside the LAN where the UTM is powerless.

      I don't use the UTM because I can't use AV some places, and as an additional layer of protection in a different way... not to make myself feel like I don't need good AV. Maybe other people, but not me.

      Your environment is much more likely to be infected by a user's device that shouldn't be on your production network than from some user downloading something that an AV scanner on the UTM is going to detect.

      Mostly because devices are allowed to leave the network, get infected, and join again. If the UTM covered them at home, it would be different.

      Plus I assume that those devices can be multihomed while in the office to the LAN and to the Cell network (4G) so they might bypass the UTM even while still in the office.

      This is where either forcing the wifi to route through the UTM to reach the server network, or having IDS functionality delivered by some sort of SDN controller (TippingPoint can tap into OpenFlow) can handle pushing security down as close to that device as possible on the network (so you don't end up with the squishy internal problem).

      posted in IT Discussion
      StorageNinja
    • RE: How to Shaping , Sizing Virtual resources , safe running VMs on VMware infra?.. And How to calculate how many VMs are running on single host server, it helps to face unplanned downtime when one host goes fail down??

      @ghani said in How to Shaping , Sizing Virtual resources , safe running VMs on VMware infra?.. And How to calculate how many VMs are running on single host server, it helps to face unplanned downtime when one host goes fail down??:

      kindly guide me, how to shaping, sizing resources capacity and safe running Virtual infra in unplanned downtimes. Provide your suggestion.

      Turning on Admission Control will let you reserve resources for the event of an HA failure.

      https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.avail.doc/GUID-BD6D9434-84C8-4937-BC76-04852F5EA136.html

      posted in IT Discussion
      StorageNinja
    • RE: How to Shaping , Sizing Virtual resources , safe running VMs on VMware infra?.. And How to calculate how many VMs are running on single host server, it helps to face unplanned downtime when one host goes fail down??

      @dustinb3403 said in How to Shaping , Sizing Virtual resources , safe running VMs on VMware infra?.. And How to calculate how many VMs are running on single host server, it helps to face unplanned downtime when one host goes fail down??:

      There is no way in hell that your client has 921 TB of RAM allocated in this cluster. Something is wrong with what you've presented us.

      These people exist. When I ask them who they work for they dodge the question and if I ask for their name I get something like "bob". I've asked not to question it when they have a TAM/SE sitting next to them confirming they are not actually crazy, they just work for.... interesting employers who do strange things....

      posted in IT Discussion
      StorageNinja
    • RE: Arg! The money spent the month before I stated here.

      @scottalanmiller said in Arg! The money spent the month before I stated here.:

      It's not about proving a point. It's about factors like cost and social engineering (even when unintentional.) Companies with UTMs, I would wager, are vastly more likely to do things like have machines deployed without proper protections, AV break and not be fixed, patches not kept up with... because it creates a sense of security.

      It's the other way. You are an airline or other company who doesn't control 80% of the code going into production...

      posted in IT Discussion
      StorageNinja
    • RE: SAMIT: Do You Need Two AD Domain Controllers?

      There are other Windows functions tied to AD (Print Servers, GPOs, authentication if users are domain users).
      Are we at the point of using MDM systems for management, and external identity and SSO for authentication?

      posted in IT Discussion
      StorageNinja
    • RE: Arg! The money spent the month before I stated here.

      @wrx7m said in Arg! The money spent the month before I stated here.:

      @jaredbusch Right but my question was related to ACLs, not IDS/IPS.

      Did they have compliance requirements that would drive IDS/IPS? Honestly, I wouldn't deploy an office network without some sort of layer 7 edge inspection. Users are just too dumb...

      posted in IT Discussion
      StorageNinja
    • RE: Arg! The money spent the month before I stated here.

      @travisdh1 said in Arg! The money spent the month before I stated here.:

      I got an email this week about the Sophos renewal, which is only $300.00 more per year in maintenance than replacing it with Ubiquiti gear with no maintenance cost, and was renewed the month before I came on staff.

      Oh the joys of IT.

      The Sophos gear does IDS, load balancing and a ton of other fun things that Ubiquiti doesn't do....

      posted in IT Discussion
      StorageNinja
    • RE: Veeam Backup and Replication for ESXi

      @scottalanmiller said in Veeam Backup and Replication for ESXi:

      @stacksofplates said in Veeam Backup and Replication for ESXi:

      @storageninja said in Veeam Backup and Replication for ESXi:

      @scottalanmiller said in Veeam Backup and Replication for ESXi:

      @storageninja said in Veeam Backup and Replication for ESXi:

      @scottalanmiller said in Veeam Backup and Replication for ESXi:

      @storageninja said in Veeam Backup and Replication for ESXi:

      @tim_g Welcome to Linux. All kinds of shit breaks on new kernels...

      If you want a *Nix based desktop that just "@#$@% works" and has a bare metal backup may I suggest MacOS and Time Machine? You can from the BIOS re-install bare metal even from Apple's servers (PXE over WAN).

      What's bizarre to me is that you would waste time on forum support for something you complain enough to spend 30 minutes troubleshooting in forums or complaining here about. A license is $50-$30 per desktop per year. You apparently WANT a backup of the desktop and see value in it, but don't want to spend money....

      I want a functioning car. I don't want to pay for gas. Sadly this doesn't work.

      What crap software are you dealing with? Don’t know any software with this kind of problems. What crap does VMware run that they can’t update?

      Not understanding this question....

      20 years on Linux and I’ve never seen this issue once. Use enterprise software and you should be good. How would any useful software carry kernel dependencies?

      Block level storage hooks can often end up there (although there are exceptions like the micro-redirection in VAIO).... In this case, it's Veeam making the software (curious where VMware came into this).

      The other issue is APIs changing that are called. People sometimes change them, sometimes they break etc.

      Again really the only time API changes should break anything outside of the OS is when software is using 3rd party kernel modules which is against best practices.

      Which in turn makes those apps generally crap. (Zerto, for example.)

      They were kludges when you have an app that would take millions to refactor or migrate, lacks native DR capabilities, and the gaps from normally supported options are too big.

      Now, with VAIO (which RP4VMs has moved to, and Veeam has announced will support) I expect Zerto to quietly implode in the corner.

      posted in IT Discussion
      StorageNinja
    • RE: Veeam Backup and Replication for ESXi

      @scottalanmiller said in Veeam Backup and Replication for ESXi:

      @storageninja said in Veeam Backup and Replication for ESXi:

      @scottalanmiller said in Veeam Backup and Replication for ESXi:

      @storageninja said in Veeam Backup and Replication for ESXi:

      @scottalanmiller said in Veeam Backup and Replication for ESXi:

      @storageninja said in Veeam Backup and Replication for ESXi:

      @scottalanmiller said in Veeam Backup and Replication for ESXi:

      @storageninja said in Veeam Backup and Replication for ESXi:

      @tim_g Welcome to Linux. All kinds of shit breaks on new kernels...

      If you want a *Nix based desktop that just "@#$@% works" and has a bare metal backup may I suggest MacOS and Time Machine? You can from the BIOS re-install bare metal even from Apple's servers (PXE over WAN).

      What's bizarre to me is that you would waste time on forum support for something you complain enough to spend 30 minutes troubleshooting in forums or complaining here about. A license is $50-$30 per desktop per year. You apparently WANT a backup of the desktop and see value in it, but don't want to spend money....

      I want a functioning car. I don't want to pay for gas. Sadly this doesn't work.

      What crap software are you dealing with? Don’t know any software with this kind of problems. What crap does VMware run that they can’t update?

      Not understanding this question....

      20 years on Linux and I’ve never seen this issue once. Use enterprise software and you should be good. How would any useful software carry kernel dependencies?

      Block level storage hooks can often end up there (although there are exceptions like the micro-redirection in VAIO).... In this case, it's Veeam making the software (curious where VMware came into this).

      The other issue is APIs changing that are called. People sometimes change them, sometimes they break etc.

      VMware came in because you (at VMware) were constantly running into issues that all of your software had kernel hooks, and ones that would break too.

      I ran into having to do bare metal restores with shit apps at Synchronet, and that was mostly Windows garbage (that had DLL or Java version hell requirements).

      That doesn't surprise me. Those things I expect to break apps. But kernel versions, very rarely.

      Veeam's providing a functionality that no one is. That generally means they had to do some hacktastic stuff. Until 2016 they had to write their own kernel driver for changed block tracking I'm pretty sure (it wasn't native to Hyper-V).

      posted in IT Discussion
      StorageNinja
    • RE: Veeam Backup and Replication for ESXi

      @stacksofplates said in Veeam Backup and Replication for ESXi:

      Again really the only time API changes should break anything outside of the OS is when software is using 3rd party kernel modules which is against best practices

      I agree with you here, but historically certain functionality (Block level zero RPO, long distance no ack wait replication) tended to fall into this voodoo land (Zerto, RecoverPoint, Double-Take, Neverfail as examples).

      posted in IT Discussion
      StorageNinja
    • RE: Veeam Backup and Replication for ESXi

      @scottalanmiller said in Veeam Backup and Replication for ESXi:

      @storageninja said in Veeam Backup and Replication for ESXi:

      @scottalanmiller said in Veeam Backup and Replication for ESXi:

      @storageninja said in Veeam Backup and Replication for ESXi:

      @scottalanmiller said in Veeam Backup and Replication for ESXi:

      @storageninja said in Veeam Backup and Replication for ESXi:

      @tim_g Welcome to Linux. All kinds of shit breaks on new kernels...

      If you want a *Nix based desktop that just "@#$@% works" and has a bare metal backup may I suggest MacOS and Time Machine? You can from the BIOS re-install bare metal even from Apple's servers (PXE over WAN).

      What's bizarre to me is that you would waste time on forum support for something you complain enough to spend 30 minutes troubleshooting in forums or complaining here about. A license is $50-$30 per desktop per year. You apparently WANT a backup of the desktop and see value in it, but don't want to spend money....

      I want a functioning car. I don't want to pay for gas. Sadly this doesn't work.

      What crap software are you dealing with? Don’t know any software with this kind of problems. What crap does VMware run that they can’t update?

      Not understanding this question....

      20 years on Linux and I’ve never seen this issue once. Use enterprise software and you should be good. How would any useful software carry kernel dependencies?

      Block level storage hooks can often end up there (although there are exceptions like the micro-redirection in VAIO).... In this case, it's Veeam making the software (curious where VMware came into this).

      The other issue is APIs changing that are called. People sometimes change them, sometimes they break etc.

      VMware came in because you (at VMware) were constantly running into issues that all of your software had kernel hooks, and ones that would break too.

      I ran into having to do bare metal restores with shit apps at Synchronet, and that was mostly Windows garbage (that had DLL or Java version hell requirements).

      posted in IT Discussion
      StorageNinja