IT Team gets together and creates the hold from hell.
Best posts made by PhlipElder
The Register: Must listen: We've found the real Bastard Operator From Hell
"There has been a critical security vulnerability discovered in FreePBX which allows remote code execution without authentication."
v14/v15 should automatically update themselves. Earlier versions will not.
RE: Random Thread - Anything Goes
This is what's keeping me busy lately. Building a Chicken Coop, though we're calling it the Palace, for our girls.
We have Leghorns (apparently pronounced LegUrns), Rhode Island Red, and Plymouth Rock (black) to start.
Construction is 2x4 insulated 8' x 8' with the run being 20' x 8'. All those years in construction back in the day always seem to pay off in some way.
Apparently, I've been elected to be the one to get them from the coop to the table when the time comes.
RE: SMBv2/v3 Issues on Windows Server 2016
@dustinb3403 It's been a while, but there's a set of files the Mac writes to all folders it touches. .DS_Store or something like that.
We've seen busy graphics houses have their file servers brought to their knees by this "feature".
Starwood/Marriott Reservations Database Breached ... for FOUR YEARS
The announcement page: Starwood Guest Reservation Database Security Incident Marriott International
My thoughts on the matter though rather curtailed from what I really want to say due to polite company: Some Thoughts on the Starwood/Marriott Reservations Database Breach
RE: DHCP Question...
This is for a friend of mine who asked me, and I wanted to be able to send him a link to read up on DHCP best practices and ideas on his situation.
He came to me and said "if you set up a DHCP why do you set up .2-.254 with a gateway of .1?
Don't you want to keep some open for static IPs... for example: printers?"
What can I say to him other than ".1 is reserved for the gateway"? .1 is the gateway so it can't be used in the scenario.
He is explaining to me that this company Cybera is setting up a firewall for him at his location and is curious why they would leave it that wide open without any reserved static IPs.
I'm sending him the link to this thread to have him read through the answers I get.
Our rule of thumb, and it's a "we've been doing it this way since ... so we keep doing it this way" situation, is to set up the full subnet in DHCP and then set exclusions for what we want to set aside for servers, printers, and the like. We generally set printers via reservation.
Here's a simple scope setup in PowerShell:
# Authorize this DHCP server in Active Directory (run once per server)
Add-DhcpServerInDC
# Define the scope over the full /24
Add-DhcpServerv4Scope -Name "OUR Local Scope" -StartRange 10.100.10.1 -EndRange 10.100.10.254 -SubnetMask 255.255.255.0
# Exclude the low and high blocks that are set aside for servers, printers, and the like
Add-DhcpServerv4ExclusionRange -ScopeId 10.100.10.0 -StartRange 10.100.10.1 -EndRange 10.100.10.49
Add-DhcpServerv4ExclusionRange -ScopeId 10.100.10.0 -StartRange 10.100.10.200 -EndRange 10.100.10.254
# Options handed to clients: DNS server, DNS suffix, default gateway (no -ScopeId, so these apply server-wide)
Set-DhcpServerv4OptionValue -ComputerName DC.Domain.com -DnsServer 10.100.10.254 -DnsDomain Domain.com -Router 10.100.10.1
RE: Interviewing Candidates for a Jr. IT Systems Administrator Position- Good Questions to Ask?
In candidates watch out for this one that they may ask: "What PSA do you use?"
We avoid script jockeys at all costs.
What is PSA in this context?
Professional Services Automation software. It allows a support person to ask questions and follow a queue path through to an answer as one aspect.
RE: Why aren’t chip credit cards stopping “card present” fraud in the US?
A security analysis firm called Gemini Advisory recently posted a report saying that credit card fraud is actually on the rise in the US. That's surprising, because the US is three years out from a big chip-based card rollout. Chip-based cards were supposed to limit card fraud in the US, which was out of control compared to similar fraud in countries that already used EMV (the name of the chip card standard)....
I remember reading comments from the American payment industry folks that basically said Americans were too stupid to do Chip & PIN. We've had it here for a very long time with TAP being a relatively recent addition. TAP is limited to $50 or $100 depending on merchant and product. It makes transactions fast versus any other method.
Swipe needs to be banned. Period.
Next up: RFID protection wallets. A must-have for frequent travelers.
RE: Installing Windows 10 without a Microsoft account
Easier is "Set up for an Organization" and choose a username. Ours would be Laptop Admin with the space and no password to avoid the questions.
Once logged on, CTRL+ALT+DEL and Change Password to set the new one. Note that the existing would be a blank.
RE: Random Thread - Anything Goes
Oh man, this is so freaking true it's not funny.
VMQ enabled in-driver for Broadcom Gigabit controllers in Hyper-V would kill network performance for the guests. Disable it then a driver update would set it back on again.
Ah, straight up fail then. I knew I prefer Intel NICs for a reason.
What blows my mind is the fact that the specifications for VMQ make it clear that 10GbE ports and silicon for tying in to the CPU cores are required.
Despite years of requests to remove that setting enabler/re-enabler Broadcom just ignored it.
Bad one: SonicWALL Remote Management Vulnerability
Their site was offline most of this morning. It seems to be back now.
Rule #1: Never, ever, have a device connected to the Internet in an unrestricted manner for any kind of management. Never.
Rule #2: Update it. Always. Pay the fee if need-be, but make sure it's up to date.
The number of iDRAC/iLO/RMM horror stories heard around here as a result of being plugged directly into the Internet are sadly more numerous than they should be.
RE: AWS Catastrophic Data Loss
This was one AZ, right? If so, you need to design your environment to span multiple AZs, if not regions. This is beginner AWS design theory.
A few things come to mind:
1: Just how many folks know how to architect a highly available solution in any cloud?
2: At what cost over and above the indicated method does the HA setup incur?
3: It does not matter where the data is, it should be backed up.
Microsoft's central US DC failure, I think it was last year or early this year, caused a substantial amount of data loss as well. Not sure if any HA setup could have saved them from what I recall.
How many people back up their O365 systems? I am willing to bet VERY few!! Yet, if MS were to have the same issue, customers would find themselves in a similar situation.
One (invalid) claim I see from time to time when migrating to the cloud - it saves money because backups are part of the solution... which we can see here is definitely not the case.
Veeam was one of the first ones on the block to back up O365. That's messaging that Microsoft has not made clear but I've seen in the grapevine as far as the customer being responsible to do so.
No. My sh#t on their sh#t means no sh#t if something takes a sh#t.
RE: Why IT certifications are worth more than you think...
@Jimmy9008 Parenthood 500 and above level courses.
RE: Printers - IP or WSD
Another is using a utility or print server so that the end point never needs to know the current IP address of a printer.
Have you found this to work? Even on print servers, I print to IP, and the server print queue is static to that IP.
I haven't used WSD ports on a server yet - have you?
WSD breaks things. We turn it off on all printers we deploy on a given network.
Windows 10 doesn't listen to our manually setting the default printer post feature update. It then drops the WSD setup in, which causes the print driver to break for whatever reason.
RE: DHCP Question...
The DHCP range is always the full subnet. That is standard, even if Windows lets you do stupid shit.
Here is my home router.
Instead of visibly showing ranges to exclude, outside of Windows, you typically tell it what range to pass out. I'm passing out .31 - .254
Primary DNS is my PiHole on .4
Secondary DNS is the router on .1
Can you clarify something for me @JaredBusch. You stated that DHCP range is always the full subnet, but yours is from .31 to .254. I feel like I'm missing something.
DHCP always serves the entire subnet it is defined on.
If you tell it the scope is a /24, it serves .1-.254 always.
You then subsequently define which part of the scope you want it to hand addresses out on.
In windows that is done by "excluding" things.
On most other platforms, it is done by telling it what range to supply to clients that ask for an address. Hence the .31 through .254
But regardless of what you specify, either as a range to use or range to exclude, DHCP still serves the entire scope.
This is why you can make reservations outside of the listed range as in my .7 printer and .10 phone.
When we define the DHCP scope we can set the delivery IPs to 10.100.10.31 - 10.100.10.225 or the like. One does not need to define the scope according to the full subnet whatever that may be.
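As an added example that is not code from either post above, the following PowerShell puts the "full subnet scope, exclusions for the static blocks, reservations for printers" pattern from the scope setup earlier in this thread and the exclusion-versus-range discussion here into one runnable script for a Windows DHCP server. The scope 10.100.10.0/24, the DNS server at 10.100.10.10, the printer MAC 00-11-22-33-44-55 and the names are placeholders. It assumes the DhcpServer module on the local server and an elevated session.

```powershell
# Added example: full-subnet scope with exclusions, a printer reservation, and a check
# that an address falls inside an excluded block. Names and addresses are placeholders.
$ScopeId = '10.100.10.0'

function New-FullSubnetScope {
    # The scope spans the whole /24; the static blocks are carved out with exclusions.
    Add-DhcpServerv4Scope -Name 'OUR Local Scope' -StartRange 10.100.10.1 -EndRange 10.100.10.254 `
        -SubnetMask 255.255.255.0 -State Active
    # Low block: gateway and servers. High block: printers and other static devices.
    Add-DhcpServerv4ExclusionRange -ScopeId $ScopeId -StartRange 10.100.10.1   -EndRange 10.100.10.49
    Add-DhcpServerv4ExclusionRange -ScopeId $ScopeId -StartRange 10.100.10.200 -EndRange 10.100.10.254
    # Scope-level options (scoped with -ScopeId rather than server-wide).
    Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router 10.100.10.1 -DnsServer 10.100.10.10 -DnsDomain Domain.com
}

function Add-PrinterReservation {
    param([string]$IPAddress, [string]$ClientId, [string]$Name)
    # A reservation pins the printer to one address while it stays a DHCP client.
    # The address is inside an excluded block: the exclusion only stops dynamic leasing,
    # the reservation is honoured, so the printer keeps its address after a reboot.
    Add-DhcpServerv4Reservation -ScopeId $ScopeId -IPAddress $IPAddress -ClientId $ClientId `
        -Name $Name -Description 'Printer'
}

function ConvertTo-UInt32 {
    param([string]$IPAddress)
    $bytes = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    [Array]::Reverse($bytes)                      # network order -> host order for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-AddressExcluded {
    param([string]$IPAddress)
    # $true when the address sits inside any exclusion range of the scope,
    # i.e. the pool will never hand it out dynamically.
    $n = ConvertTo-UInt32 $IPAddress
    foreach ($ex in Get-DhcpServerv4ExclusionRange -ScopeId $ScopeId) {
        $s = ConvertTo-UInt32 $ex.StartRange.ToString()
        $e = ConvertTo-UInt32 $ex.EndRange.ToString()
        if ($n -ge $s -and $n -le $e) { return $true }
    }
    return $false
}

New-FullSubnetScope
Add-PrinterReservation -IPAddress 10.100.10.210 -ClientId '00-11-22-33-44-55' -Name 'PRN-Front'
Test-AddressExcluded -IPAddress 10.100.10.210    # $true  (reserved inside the printer block)
Test-AddressExcluded -IPAddress 10.100.10.100    # $false (dynamic pool)
Get-DhcpServerv4Reservation -ScopeId $ScopeId
```

The dynamic pool is whatever is left of the scope after the exclusions, here .50 through .199. On a router or a Linux DHCP server the same result comes from stating the hand-out range directly, as JaredBusch describes; on Windows you state the whole subnet and subtract.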
RE: Swap on systems with large RAM?
In Windows Server:
In Elevated CMD:
rem Turn off automatic pagefile management for this system
wmic.exe computersystem where name="SERVERNAME" set AutomaticManagedPagefile=False
rem Pin the pagefile to a fixed 8 GB (sizes are in MB; the doubled backslash is WQL escaping)
wmic.exe pagefileset where name="c:\\pagefile.sys" set InitialSize=8192,MaximumSize=8192
rem Reboot so the new pagefile settings take effect
shutdown -r -t 0
Then in an elevated PowerShell:
# CrashDumpEnabled = 1 selects a complete memory dump
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\CrashControl -Name CrashDumpEnabled -Value 1
Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\CrashControl -Name CrashDumpEnabled
# FilterPages = 1 leaves pages that add nothing to debugging (file cache, free pages) out of the dump
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\CrashControl -Name FilterPages -Value 1
Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\CrashControl -Name FilterPages
We do the above on all servers we deploy since they all have a 128GB or, at most, 256GB host OS drive and it's not uncommon to be deploying over a Terabyte of RAM.
RE: VM host: dual CPU vs single CPU - same CPU performance rating
I decided to go with the single 10-core CPU in this case as it would leave open the possibility of adding another CPU and set of memory if needed.
No licensing to consider in this particular case.
Keep in mind that the SL code of the existing CPU should be recorded as when it comes time to add the second CPU the same SL code CPU would need to be acquired.
There's a reason why Tier 1 charges huge coin to add a second CPU at a later date. They need to keep them on the shelf.
RE: 10GbE copper or fiber NICs? Intel or Chelsio?
Cavium over Chelsio any day if considering iWARP RDMA. Intel would be a distant second to Cavium.
The RJ45/SFP+ really depends on needs. If there are enough fibre runs to complete the setup then SFP+ would be the direction for top of rack (TOR) and/or aggregation.
For non-RDMA enabled networks we use RJ45 based setups for the NICs (Intel X540/X557 10GbE). For RDMA we use RoCE 10GbE/25GbE/40GbE/50GbE/100GbE via Mellanox NICs and switches which are SFPx based.
Intel 7xx series NICs utilize iWARP and SFPx and may be an option depending on server vendors and switch setup.
Performance wise, depending on network type and whether RDMA is present or not 10GbE should be around the numbers mentioned by @NashBrydges.
RE: Is Spamhaus the DDoS Arm of Microsoft
Back in the day the general sentiment was that RBL "services" were no more than extortion rackets. IMNSHO, that has not changed much.
With the advent of SPF, DMARC, and DKIM their relevance will become a lot smaller, which is a happy thing.
Edge (Sync) Favourites Toasted
I did a write-up of what happened here: http://blog.mpecsinc.ca/2018/09/warning-edge-sync-ate-all-favourites.html
Make sure to back up the Favourites in Edge after a solid day of adding links.
RE: Need some help with SQL Server 2016 Standard licensing (price confusion)
I am working on building a new physical server to replace one which is running older versions of Windows and SQL server, plus it is almost out of storage space so this needs to be done sooner than later.
This SQL server is running a 3rd party application and they currently only support up to SQL 2016, so that's what I have to install - not 2017. And it's going to be SQL 2016 Standard Edition running on Windows 2016 Server Standard with 16 cores.
I spent a while researching SQL Server licensing to try and get an idea of how much it's going to cost. I haven't dealt with SQL Server licensing yet.
First, I assumed that I would still have to purchase SQL Server 2017 core licenses with downgrade rights. So looking on the SQL Server Pricing page, it looks as though Standard - per core price is $3,717 (2 pack). So if my server has a total of 16 cores, this is going to cost about $29,736 to cover SQL licensing.
Then I checked over on CDW just to get an idea of prices and things and I had the idea to search "SQL 2016" when I found this: SQL Server 2016 Standard - license - 16 cores - with Server 2016 Standard for like $1,900.
Is this even applicable to what I'm doing or am I missing something? It does say in the technical details "BIOS locked (Lenovo)" but I have no idea what that refers to. But other than that, it looks like it's licensing SQL Server 2016 for 16 cores and bundled with Windows Server 2016. Surely this can't be correct... or is it? If it is actually what I would need to be covered, I would purchase it, of course.
Otherwise, can someone help me get an idea of what I should be paying for SQL Server 2016 Standard Edition for 16 cores if not the cost I initially calculated ($29,736)? And I don't think we'd do the server + cal licensing as we have about 80 users and 100 or more systems which would connect to the SQL server.
Simple rule of thumb to ask your Microsoft licensing rep for the following:
First option is license + CALs that allows internal access only with unlimited instances on the server and unlimited cores:
- SQL Server Standard License
- SQL Server Standard User CALs (80 Users)
Second option is per core with a minimum of 4 to purchase:
- SQL Server Standard Per Core 2-Pack (2x)
In the Per Core scenario we can license for the number of physical cores to use and delimit that in SQL Server Management Studio. When it comes to audit, a snip of that setting that only allows the four threads should be just fine.
I did not realize that the license + CAL route allowed unlimited instances and/or cores. And we actually have a few other SQL Server 2008 R2 servers that need to be refreshed soon (a few are virtual and two are physical).
I could check with my Microsoft partner, who is actually also our Dell VAR... so I'm probably in need of finding a separate person who is solely a MS Partner and not a salesman.. unless I mean something other than partner.
A SQL Server License covers installation on a given physical server or guest.
This is a good place to start: http://mla.microsoft.com/
Run through Open with no SA to get a base cost for both options.
RE: Get User Last Login from Windows
@scottalanmiller We use this script to check user activities as we're not always updated when users are gone in high churn environments among other uses:
EDIT: Just saw the lack of AD. Peer-to-peer makes this a challenge.
RE: Small colo infrastructure - rack layout feedback
@pete-s If the runs are not fibre look into 10GbE certified ultra-thin patch cables. We've started using them for all of our data centre deployments as they save a huge amount of space. There's some really good but expensive VELCRO rolls for tying things up. We've picked up a box or two of VELCRO thin and wide plant ties each. Same stuff as the computer ones in black but a tenth of the price. So what if they're green. ;0)
PDU cables rated for 240V are freaking huge and a bear to manage. I'd bundle and run them straight down the middle then to the sides and up to their position on the PDUs L/R. That's a bit more cabling to deal with, but it would keep the sides clear for the nodes to be pulled without messing around with getting the PDU cables out of the way. Think W for the cable bundles, one left and one right.
EDIT: Make sure the PDU cables support a native locking mechanism at the PDU side at the very least.
RE: Handling DNS in a Single Active Directory Domain Controller Environment
@jaredbusch We always set up the full subnet in DHCP then configure exclusions for the parts of the subnet that would be divvied up to printers, servers, and other services/systems we assign addresses to.
RE: Documenting rack, servers, drives, CPU, RAM etc
Visio is great for this. There are lots of stencil kits out there that are free for various vendors.
RE: Do you ask for permission...
We ask. Most of our clients are accounting firms on our MSP side and contractors and their clients.
All it takes is a bit of coordination to make sure we're not infringing on any large projects they may be running. As a rule, tax season is off limits for obvious reasons.
RE: Do you ask for permission...
What time do guys normally schedule reboots? During business hours? Early mornings? Late evenings? Weekends only?
Cluster nodes can be run pretty much anytime during the day.
For servers running roles and services we schedule an outage and run with it.
Methodology is straightforward:
- Reboot the server if running longer than 60 days
- Back up
- Install the patch and reboot
- Verify services
If the patch fails restore.
We use Veeam and ShadowProtect to back up with.
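As an added example, not a script from the post, the PowerShell below wraps the checks in that methodology around whatever backup and patch tooling a site uses: it gates on the 60-day uptime rule, records which services were running before the outage, and after the patch reboot reports any service that did not come back, which is the signal to fall back to the restore. The baseline path under ProgramData and the 60-day threshold are assumptions; the backup and patch steps are left to the site's own tools (Veeam/ShadowProtect and Windows Update in the post) and are marked where they go.

```powershell
# Added example: uptime gate and a before/after service comparison around a patch cycle.
# Assumes an elevated PowerShell 5.1+ session on the server being patched.
$BaselinePath = "$env:ProgramData\PatchBaseline\services.xml"   # assumed location

function Get-UptimeDays {
    # Days since last boot, from the OS rather than from a counter that wraps
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    return ((Get-Date) - $os.LastBootUpTime).TotalDays
}

function Save-ServiceBaseline {
    param([string]$Path = $BaselinePath)
    # Record the names of every service that is running right now
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    Get-Service | Where-Object Status -eq 'Running' |
        Select-Object -ExpandProperty Name | Export-Clixml -Path $Path
}

function Compare-ServiceBaseline {
    param([string]$Path = $BaselinePath)
    # Return services that were running at baseline time but are not running now.
    # An empty result means the post-patch service check passed.
    $before = @(Import-Clixml -Path $Path)
    $now    = @(Get-Service | Where-Object Status -eq 'Running' | Select-Object -ExpandProperty Name)
    return @($before | Where-Object { $_ -notin $now })
}

# 1. Reboot first if the box has been up longer than 60 days (-WhatIf keeps this example harmless)
if ((Get-UptimeDays) -gt 60) {
    Write-Host "Uptime exceeds 60 days; rebooting before the patch."
    Restart-Computer -Force -WhatIf
}

# 2. Baseline the running services, then back up with the site's tooling (Veeam/ShadowProtect)
Save-ServiceBaseline

# 3. Install the patch and reboot with the site's tooling (Windows Update, WSUS, ...)

# 4. After the reboot, verify services; anything listed here did not come back
$missing = Compare-ServiceBaseline
if ($missing.Count -gt 0) {
    Write-Warning "Services not running after patch: $($missing -join ', '). Restore from backup."
} else {
    Write-Host "All baseline services are running."
}
```

Services set to Automatic (Delayed Start) can take a few minutes after boot to reach Running, so run the comparison after they have had time to start, or you will get a false restore signal.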
RE: Hyper-V 2019
Noob question. Does MS offer a Hardware Compatibility List for Hyper-V? How do you determine if your hardware will be compatible with each version of Hyper-V?
www.windowsservercatalog.com <-- The hardware references are all in there.