guideXis the windows server backup good?
naphtaliDefine "good"
naphtaliIt works in the proper environment
guideXwill restore the whole machine easily, and properly upon request
guideXhmm ok
naphtaliProperly, yes. Easily, yes, but not as easily as other solutions
guideXah ok
naphtaliWhat are the other parameters for choosing a backup solution?
guideXreliable, easy, cheap
guideXcan backup whole machines
naphtalii.e. cost, RTO/RPO, etc
guideXone thing, I'm not sure if it's the correct place to preform backups, seeing it's a hyperv machine
guideXand that has some backup functionality as well
naphtaliHow many VMs are you backing up?
guideXour hyperv only has two vm's at the moment, we have a bunch of other vm's on other vm software
guideXthose vm's on the other software has a builtin way to backup
naphtaliAltaro backup is free for 2 VMs
naphtaliIt is excellent software
guideXoic
naphtaliYou should at least evaluate it
guideXcool i'll check it out
naphtaliWhat OS is your Hyper-V host?
qbrixlol wat
naphtali2008 R2, 2012, etc
naphtalioh, that was qbrix
naphtaliNot sure what he was responding to
qbrixoh
qbrixshoulda said what OS version
qbrixSHEESH
naphtalioh yeah
naphtaliHe knew what I meant
guideXnaphtali: server 2008r2
naphtaliACTION drops a Mitel PBX on qbrix
naphtalierr wait, ShoreTel
naphtaliSame place I think now
naphtaliguideX: https://social.technet.microsoft.com/Forums/en-US/6f77d295-b0b3-4517-94b0-a655a796ddda/using-windows-server-backup-to-backup-vms?forum=winserverhyperv
naphtaliI was trying to find some of the limitations of Windows Backup
naphtaliRead the BrianEh posts
guideXoh hrm, this isn't an issue so far, I used a unc path
guideXmapped drives are fine, but idk unc path is quicker
naphtaliNo, this part: "Windows Server backup does not allow you to backup an individual VM as a VM. You backup volumes and restore the entire hypervisor and / or the volumes."
guideXoh hrm I see
guideXI am using the windows backup on the vm
guideXbut yeah I see what you mean
guideXI wonder if you can (or should) use ps or batch to create a snapshot on the vm, do the backup procedure, and then compress/tarball the vm backup, then sftp to another machine (i've done this with esx before)
guideXprobably on the hyperv side, better to not make custom scripts to do your backups
naphtaliI want an application I can manage from a webpage that will backup/monitor many VMs across many clients
naphtaliYour needs differ
qbrixs/needs/budget
ewonghi.. a working 2008r2 system bsod'd with a stop 0xf4.. going into recovery mode's command prompt.. I noticed C: is empty.. D: is the data drive.. and E: is the system drive.. is this 'normal'?
Stryykerrecovery mode may use different driver letters
Stryykerhttp://www.freenode-windows.org/resources/all-windows-versions/troubleshooting-bsod
ewongahh.. totally confused me there.. thought something went crazy
jcottonand X: is always a ramdisk
jcotton(unless you change it for some reason)
Stryykerhttps://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0xf4--critical-object-termination
StryykerWell, a recovery environment may be used on a system that has multiple installs too. Each OS thinks it is C. Drive letters are specific to the install.
ewongnow I"m checking the memory.. I'm unsure what happened as I was remoting into this machine just last night ;/
ewongStryyker: thanks for the troubleshooting bsod link.
ewongI'm wondering if it's an update or something
naphtaliewong is this a VM or physical?
ewongnaphtali: physical
naphtaliDo you have any dumps?
ewongnaphtali: I think I do. just need to get to the cmd
ewongand now.. it's gone black.. during memory test.. so dunno if I need to reboot it or what
naphtaliWhat kind of disk subsystem?
ewongnaphtali: as in SAN et. al? none.. was hoping to do something about that but just too swamped at work
naphtaliSo DAS with some kind of RAID controller?
ewongnaphtali: just DAS.. no raid.
naphtali<gulp>
ewongyeah.. Iknow ;/
naphtaliMy vote is failing HDD
ewongoh yay
ewongI'm guessing I shouldn't really trust the SMART thing
naphtaliSMART can only catch somethings
naphtaliAs you know, all drives will eventually fail. You just need to decide what kind of plan you will have in place when that day arrives
ewongI'm finding harddisks.. regardless of which colour, seem to last a lot shorter than previous models
jcottonI'm going to say rose-colored glasses
naphtaliewong, I have no empirical data but seat of my pants from using drives since I was a young lad with my C64, I would disagree with your statement
naphtaliDrive space is too cheap and backups are too easy to worry about trying to find a "longer lasting drive"
ewongtrue. at least this system isn't that critical
ewonglive and learn I guess
ewongkinda confused.. when I load system restore.. and cmd, the system (C:) drive is now E:. (established the fact that system restore doesn't use the 'correct' drive names).. but when I reboot and go to repair.. it can't find E:..
Stryykerreboot to what?
ewongnormally it'd show at least "C:\WINDOWS" (or something) in the list
ewongreboot to the installation disk
ewongrepair system..
ewongnow if I needed to load drivers to see the E:.. wouldn't system restore cmd not see E: then?
StryykerI don't know what you see, I don't know all your hardware etc.
naphtaliE: is your external media with the backups?
ewongnaphtali: no.. internal
ewongin any event, I think one of the sata ports is bad. so I moved the cables to different ports and it's now back up..
ewongbut I think it's time to move this to a new system
qbrixs/a new system/the cloud/
ewongqbrix: I hear you.. but not entirely sure I trust the cloud with my data.
qbrixyou trust your skills/budget more??
jcottonhttps://arstechnica.com/gadgets/2018/02/intel-releases-new-spectre-microcode-update-for-skylake-other-chips-remain-in-beta/
naphtaliPlease test that for me jcotton
jcottonheh
jcottonjust checked, no update for my mobo yet
ewongand now, it's back down..
jcottonwith the non-buggy microcode that is
naphtaliDell released one for my work laptop
naphtaliI installed it earlier today
naphtaliA client of mine got a threaten letter from Wells Fargo asking if their systems were protected from Meltdown/Spectre and/or what actions were being taken
naphtaliMy reply of "responsible admins are waiting to see what will happen" did not go over well
PosterMaybe just have a preemptive outage for few days
naphtaliheh, that would get attention
Posteryeah just schedule a reboot every few minutes "we're running the latest patches from Intel"
ewongnaphtali: yup.. you're right.. HD is on the fritz ;/
ewonggetting a crap ton of file record segment is unreadable during chkdsk
naphtaliDo you have good backups?
naphtaliDon't say anything unless the answer is Yes
ewong...
naphtaliI am putting qbrix on a plane to come and re-educate you
ewongnaphtali: thanks for the help though... very much appreciated.. it is indeed a hdd failure.. but it's mainly a pebcak issue ;/
naphtalinp
naphtaliBobFrankly, I am adding this to all my PS scripts: https://blogs.technet.microsoft.com/heyscriptingguy/2013/09/21/powertip-use-powershell-to-send-beep-to-console/
naphtaliAnimations are next
sirbondnessHeya together, does anyone got a clue how to make the Startmenu uner windows 10 with roaming profile reliable offline available ? at the moment our clients got offline a differetn startmenu than online (connection to domain Controller and Roaming Profile Storage)
sirbondnessGPOs are set and the tiledatabase is included in the roaming but still it looks like Windows doesnt use the roamed tile database but i cant find what the issue is
sirbondness(sry for the typos, its freaking early) :)
georgiosis it possible to have soft-raid with win server 2016? block level / fs level
furmeladeye, storage spaces
georgios1st time i hear about them. so, is it two drives total for a mirror with refs?
furmeladeit has mirror/parity capabilitiew, although i heard the parity is slow
furmelade2 drives should be enough, but it obv works with more
georgiosi will try it in a vm. apparently it works with all win 10 versions and i have pro installed atm.
furmeladeyou asked for server 2016
furmeladeno idea about the client capabilities
georgiosyes, i just happen to have pro around to play. server is the intended target
georgiosnot being able to boot from a storage pool / refs kindoff sucks
georgiosACTION is used to btrfs
Harm133Hey guys, I can´t seem to get an external mailbox to cache its credentials properly.. Its on a domain PC. One mailbox from the domain, one external. The external one just doesn´t want to save the credentials in between login cycles.. Ideas?
eagles0513876hey all I have a group policy and I need to add my pc to this policy as its for testing purposes yet when i try to add my machine name which is in AD it is not able to add it can someone kindly advise. server is 2012 r2
eagles0513876hey guys im on server 2012 r2 and I want to add the pc im on to a testing GPO how do I add the pc. I have it in AD with the name, but for some reason it is not able to find it so it can be added to the GPO.
sirbondnessin the search windows you need to add Computers in objecttyp
sirbondnesssearch window
eagles0513876hey all i have a question i am seeing passwords exposed very easily through chrome and easily through credential manager on windows is there something that i can do to hide the exposure of passwords? I was told this could be managed through GPO. where in GPO do i need to be looking?
eagles0513876is it a computer policy or user policy
flying_sausagesHey guys, I'm trying to basically implement this but I am a little lost.
flying_sausageshttp://dev.chromium.org/administrators/policy-list-3#ExtensionInstallForcelist
flying_sausagesI already have a user, an OU and a linked group policy created to test this
flying_sausagesbut When I'm in the gpo management editor I do not know where to apply this
sirbondnessdid you import the ADMX ?
sirbondnesshttps://www.chromium.org/administrators/policy-templates
eagles0513876question
eagles0513876re GPO's
eagles0513876i have some GPO's that im testing if I have the authorized users in the list my concern is that these would be rolled out to all pc's when I actually wante them only rolled out to my laptop which I have added to the list of machines for the GPO.
eagles0513876Do I need to remove the authorized users? and link to my domain the GPO
sirbondnessdepends if it is only computer policies...if there are also USer based policies you need to remove authorized users and only add your user account
sirbondnessand of course bound the policies to your PC OU and/or User OU
eagles0513876sirbondness: in this case it is i believe one is a test policy for an interactive message that you read one of those this pc is for authorized users only
eagles0513876the other then i am wanting to test that when idle the pc logs out.
eagles0513876sirbondness: are the two things that i am saying computer policies? also on authorized users could i disable on those policies from being applied to authorized users
sirbondnesswell it depneds where you configured it...i would need to check but some policies can be configured in both computer and user part...but if you configured it in the computer part you can leave autorised users in there and only allow it for your PC
eagles0513876sirbondness: regardless i googled and saw there is a way where you can say to use the GPO on that group or not if i am not mistaken no
sirbondnesstrue but i dont know your infrastructure...if you have your PC and your USer in one OU and you only bound this policy to this OU you can leave it as it is...if you have your PC and user accounts in the OU where all the other clients and USers in...you should restrict it otherwise it will be applied on all
eagles0513876sirbondness: we have the default 2012 GPO
sirbondnesswith default you mean the default domain policy ? or what dou you mean with default ?
eagles0513876ya sorry default domain policy
eagles0513876both my test policies are computer configs
sirbondnessuh...dont test settings in the default domain policy
sirbondnessah ok
CptLuxxlol
eagles0513876im not
sirbondnessso its fine if you bound the policies to the OU of the PCs and restrict it to your PC Name
sirbondnessyou can leave authorised users in there
sirbondnesswas getting nervous for a second :D
sirbondnessas default domain policy was called :P
eagles0513876no no that is what we are using but with GDPR here in europe i need to use the non default gpo's to lock down some things
eagles0513876thanks sirbondness
eagles0513876then sirbondness i can do gpupdate /force to have my pc take the gpo's
eagles0513876now lets say i want to test user configuration what can i do there. Can i disable gpo's being used by authorized users
sirbondnessyes gpupdate /force and reboot....most computer policies need a reboot
eagles0513876gotcha
sirbondnessuser policies i would restrict to your user while testing
eagles0513876if i need to test user based gpo's can i switch off in the authorized user's group from running for all authorized users?
sirbondnessand remove authorised user
eagles0513876when i try to remove it a message comes up
sirbondnesswhat message ?
eagles0513876group policy requires each computer account to have permission to read GPO data from a domain controller in order for user group policy settings to be successfully applied. removing the authenticated users group may prevent processing of User group policies. please add the domain computers or the authenticated users security grou pwith at least read only permissions
eagles0513876that then also provides this link
eagles0513876https://support.microsoft.com/en-us/help/3163622/ms16-072-security-update-for-group-policy-june-14--2016
sirbondnessstill, you can do it as said just add under delegation the authorised users as read only permission
eagles0513876cant figure out how to change permissions on that group or even where to find it
sirbondnessunder delegation
eagles0513876?
eagles0513876where ?
eagles0513876found it but what exactly do i need to change the settings to?
sirbondnessauthorised users / read only
eagles0513876i dont have that option
eagles0513876i have read (from security filtering), edit settings
eagles0513876and edit settings, delete, modify security
sirbondnesson the right bottom you got advanced
eagles0513876ahh
sirbondnessmake sure apply policy is NOT marked
eagles0513876its not :)
sirbondnessor denied
sirbondnessthen you are set
eagles0513876ok perfect
eagles0513876so time to link them up and im good to go
sirbondnessyes
eagles0513876so authenticated users group
eagles0513876thats just for user gpo's
eagles0513876in computer based ones i need to add all the pc's for that policy
sirbondnessna you dont
sirbondnessyou can bound the policy to the OU with all PCs in there and it will be applied to all
eagles0513876ahh ok :)
sirbondnesswhat we talked about now was only for testing purposes as you wanted to test it specificly on your device with your user
eagles0513876so I would need to move all the pc's from the default Computer container to an OU
eagles0513876sirbondness: i know just thinking and planning ahead.
sirbondnessit as several advantages to granulate your infratsructure with OUs
sirbondnessso i would suggest you to do so
eagles0513876ya I know and I will
sirbondnessbut this is my personal opinion
eagles0513876i agree with you there.
eagles0513876having OU's would make it easy to keep GPO's organized on who they are for
sirbondnessexcactly
eagles0513876sirbondness: thanks for the help :) had started testing something and put things on the back burner and only now coming back to them
sirbondnessyou are welcome ;)
eagles0513876sirbondness: ill be back for sure hehe
sirbondness:)
eagles0513876sirbondness: that was an easy test
eagles0513876that worked with out a reboot log out and back in
sirbondnesscool ;) all as expected ?
eagles0513876sirbondness: yes
eagles0513876sirbondness: when you right click on a GPO there is enforced
eagles0513876what does that mean
sirbondnessyou only need it if you got two GPOs that are trying to modify the same setting
sirbondnessso you can enforce one of them to be applied
sirbondnessand ignore the other
eagles0513876sirbondness: would it be good to have multiple gpo's for each thing you want to control?
sirbondnesswell, it depends...i am doing it like...for example to roll out a certificate to clients - GPO, set firewall settings - GPO...etc
sirbondnessand seperate them from user settings aswell
eagles0513875sirbondness, eagles0513876: is me btw :D
sirbondness:D
CrtxReavrDoes Windows (RDP server) have any support for a per-user hosts file?
njbairwhat would be a good way to get a visualization of server share permissions by folder & by user? do I have to make a table manually?
BobFranklynjbair: powershell probably
BobFranklytime to start learning
njbairmakes sense. thanks!
naph-Whttps://www.netwrix.com/file_server_auditing.html
guideXhow do you secure your unsecured rdp ports, I disable the rdp functionality until needed, but sometimes I forget to disable, and hackers try to hit it overnight
guideXvpn would be too hard to setup with the vendors
BobFranklyguidex: are you using hypervisors, or setting up physical servers?
guideXoh we have both here
guideXthere's some physical, and some running under virtual host
BobFranklyso with hypervisors you setup an OS template that you clone off of. Disable RDP in the template, and every subsequent clone will be disabled
guideXthe firewall is pointing to one machine with rdp, so there's exactly one open hole
BobFranklywith physical...(which I hardly touch anymore)....maybe unattended installs?
guideXso we just disable it all the time, but my memory fails sometimes, and I leave it open
naph-WYour vendors dictate connection methods?
BobFranklywell, it's not a hole if it's properly secured, it's just attackable surface
guideXnaph-W: well, we could force them to use teamviewer, but then not every machine has teamviewer, rdp gives them broad access
guideXwe have a vendor or two who needs broad access
guideXI could like, block the specific hacker ip's I guess
guideXI was hoping for a better alternative :P
guideXalso it's not really the vendors forcing the connection method, it's my bnoss
guideXboss
naph-WIs the budget your normal amount?
guideXI can spend some money if need be
BobFranklyguidex: if you have a proper firewall, you hide the server behind it and only open the RDP port to your vendors' published IPs
guideXhmm yeah that's a good option
BobFranklyit's like that was the intended purpose of whitelisting
guideXit's good and bad, the vendors at first will wonder why they can't connect, but they usually ask us first anyways so yeah that should work fine
naph-WguideX, I picked up client using this and it seemed to work well. https://rdpguard.com/
naph-WBut Bob's solution is simpler if the vendors have finite IPs
guideXyeah should work fine, because usually something is wrong with something, they never just surf on to fix or maintain stuff.. so we can just ask them for the ip every time
Dus10I am working on an interesting solution to a potentially major "gap" in security for a very popular cloud service
naph-WFacebook?
BobFranklyand I am working to beat you to market
Dus10Facebook as a cloud service?
BobFranklyACTION makes it to the grocery store first and claims victory
Dus10I don't really consider it a service
Dus10it is just a website...
Dus10and a bad one at that
naph-WIt provides a service to people
Dus10no, people provide a service to it
Dus10they provide free content to Facebook for them to make a profit
Dus10no, the cloud service in question would be topical to the channel
naph-WTopical?
Dus10"(of a subject) of immediate relevance, interest, or importance owing to its relation to current events."
naph-WOh right, qbrix has mentioned that
Dus10topical, as in "on topic"
Dus10not a cream or ointment
naph-WSo you are labeling it as a "gap" and not a security flaw
Dus10I using the term "gap" as broad term that could include a security flaw
naph-WTechnically adpet sites such as Yahoo will refer to it as a security flaw
Dus10It is aggrevating when customers keep delaying (and not my short timeframes) and then the moment that they are ready they want to blame you for delays because you are not as available as they would prefer
Dus10very difficult when you need to plan and remain billable consistently
Dus10We should just tell them if they want to block me out indefinitely, then they need to support my minimum revenue until they are ready
naph-WI have clients like that. It's an emergency to fix the issue, but not an emergency paying the bill
Dus10They likely wouldn't be happy with that
naph-WHow did you discover this gap?
Dus10It is something that I speculated/hypothesized for over 6 months
Dus10we tested it this week
Dus10it works as I thought it would
Dus10there is some saving grace as it isn't exposed globally, but under circumstances that just about any malicious actor could position themselves for
CptLuxxpfff
CptLuxxsell that information
CptLuxxoh wrong channel
naph-WCDP coming to Altaro Luxxi
SnortyIf there is an EventID 2624 entry on a workstation for a domain account, will there always be the same entry on a domain controller?
SnortyEvent ID 4624*
CptLuxxnaph-W
CptLuxxi see you get the same spam that i get
naph-WMine is HTML spam
naph-WSo it's better
BobFranklyexactly, he thinks he's going to a legit site, but it's just an illusion
naph-WDid you see my new PS command last night BobFrankly?
naph-WI am a power user now
BobFranklylol, missed it
BobFranklydid you pipe to select?
naph-Whttps://blogs.technet.microsoft.com/heyscriptingguy/2013/09/21/powertip-use-powershell-to-send-beep-to-console/
BobFranklyoh yeah, there's some scripts out there that do whole tunes
BobFranklyyou know that's invoking dotNet right?
naph-WIt's all magic. I don't look under the hood
kidn3ysSo, I'm planning on deploying 802.1x in the near future and our systems folks are having a hard time providing a list of general services that should be allowed to domain controllers. Is this a good start? https://isc.sans.edu/diary/Cyber+Security+Awareness+Month+-+Day+27+-+Active+Directory+Ports/7468
kidn3ysI realize this is entirely environment specific but i'm basically getting 'allow everything' from them.
naph-WKind of defeats the purpose doesn't it
naph-W:-)
kidn3ysI mean, no. They will still have to auth.
kidn3ysI just like to understand what is required and then make exceptions from there. From what I can tell, the big 'unknown' seems to be RPC, but from the looks of it you can set it, at least to a specific range.
n0cquick sanity check. using OCT to set a places bar location for windows 10 deployment for google drive
n0c%userprofile% still works in wondows 10 correct?
n0ci.e. %userprofile%\Google Drive
naph-WThat is still a valid variable under Windows 10, yes
n0cthanks
F1L3m00nhi
F1L3m00nTeam viewer 584 970 653 password 9438
furmeladehi, thx
CptLuxxand now?
blkshpF1L3m00n: just no.
blkshpDont do that here.
F1L3m00njust windows vps
meyoucan it run pubg?
Dus10uh, yeah... no
CptLuxxBobFrankly we need a restapi for Zewwy.ps1
naph-WMy tubes went down
CptLuxxi see the tubes are back up naph-W
n0cseeing a bug where if i hit shift-alt when in MMC (in this case - deployment workbench) it friggin locks up
n0cany clueful suggestions?
BobFranklybeyond the obvious "dont do that"? Not really. MMC is ancient and MS is working on it's replacement
n0ci keep renaming task sequences and am doing shift ctrl left arrow to highlight a few preceding words but mess up and hit alt instead. weird that it crashes mmc
n0cgood
n0csucks i'm still using it on a fresh server 2016 install. le sigh
BobFranklyheh
CptLuxxuse fukuhila
BobFranklyI think it's...project honolulu?
CptLuxxor what the name was
CptLuxxah honolulul
n0clol
BobFranklyit that out luxx?
furmeladelmao good one CptLuxx
n0cACTION pops a Fukitol 25mg and get's back to work
CptLuxxa beta at least
BobFranklyso it might have similar worse issues at this point
CptLuxxuse both
BobFranklyit's at least well enough along that MS is comfortable talking about it though
CptLuxxand enjoy bugs from both worlds
BobFranklyYAYZ! \o\ /o/
n0cthis is just nutty with these c++ redists > https://puu.sh/zjyoJ/33f6203138.png
BobFranklyyeah, no kidding
weq2017 replaces 2015.
n0corly
CptLuxxyes
BobFranklyit tries to, but some apps disagree
BobFranklysome *poorly* coded ones to be sure, but they're essential around here sadly
n0cscrew it i only have two more to create in the TS
weqsome apps makers needs to learn not to static link towards specific files instead of using them like they arte supposed to be used.
CptLuxxwoah you expect to much from developers
BobFranklysome app makers need to find employment in a field they actually enjoy and can progress in, instead of making shoddy apps
weqwhy bother with doing this manually? you can script MDT to make this stuff. Or just script already made for this exact purpose.
weqhttps://github.com/aaronparker/Install-VisualCRedistributables
BobFranklyname fail there
weqor just use scripts*
BobFranklyshould be Install-ALLTHEcRedists
weqdepends on your xml :P
CptLuxxsounds complicated
BobFranklyand your taste in memes :P
CptLuxxjust use a trained monkey
BobFranklyCptLuxx: then you have to write scripts to clean up the botched installs and hire custodians to clean the keyboards
CptLuxxthats good for the economy
n0ci'mma have to check that out
n0ci have them all in discrete directories and added applications for each (at least using powershell)
n0cworth the work if it executes well every 6 months or so i build a new image
n0cwith win7 i was doing it pretty much monthly, definitely every other
jcottonn0c: why completely rebuild it?
ZewwySup
CptLuxxpe
ZewwyPreboot Enviro?
CptLuxxis that a question?
CptLuxxif yes i answer 3
ZewwyIs that rehtorical?
CptLuxxyou are confusing me
CptLuxxstop it
Zewwyand you me
furmeladei vote 4
Zewwyi vote 2
BobFranklyyou would
CptLuxxhttp://www.strawpoll.me/15032087
Zewwysup BobFrankly!
BobFranklydon't shake your #2 in my direction!
Zewwylol
Jedicusofftopic, but it's dead, so.. anyone ordered from memory.net before? they appear to be selling the exact same RAM sticks Dell/HP/Lenovo do. CPU-Z matches the Hynix chip
naphtaliJedicus, I can't remember if I have ordered from them or not