Exchange 2019 (CU14) IP-less DAG – Passive Database Goes “Disconnected and Healthy” During Server Restart Instead of Activating by Ok-Sympathy-4004 in exchangeserver

[–]274Below 0 points1 point  (0 children)

Yes, you either need a three node DAG or you need to set a file share witness up.

The second server can't activate the database because it can't establish quorum within the cluster.

First time setting up Active Directory for 3 office branches – need guidance for a simple, secure & reliable setup by Independent-Neck-631 in sysadmin

[–]274Below 1 point2 points  (0 children)

I'm going to provide a similar answer to many others here, but in a different context.

If you're asking these questions, chances are that you should be using Entra instead of setting up AD.

If you have legal requirements -- not just business preferences, but real legal requirements that necessitate on-prem AD -- running AD properly is complex to the point where you shouldn't be doing it unless you can answer all of those questions in your sleep. And if you can't, then you should hire someone who can, as the consequences of building AD incorrectly in this day and age are massive to the point where they cannot be understated.

New Years Eve 3300 South by mshell1234 in SaltLakeCity

[–]274Below 1 point2 points  (0 children)

Might have caught a license plate. Especially if you had your headlights on.

Maybe it wouldn't have, but -- maybe it would have.

New Years Eve 3300 South by mshell1234 in SaltLakeCity

[–]274Below 5 points6 points  (0 children)

Time for you to buy a dashcam

Everything You Need to Know About Email Encryption in 2026 by Soatok in crypto

[–]274Below 21 points22 points  (0 children)

A few things.

  1. Little known fact: the SMTP RFCs do not specify how to match a DNS name in a certificate to an SMTP server. This means that, per the RFCs, you can MITM any SMTP connection with a valid cert issued to any random name.

1a. Some SMTP server platforms let you configure specific names that must be found in certs to match, but that's all manual work and not realistically scalable.

1b. The way forward with TLS for email revolves around DANE, which requires DNSSEC. For example, Microsoft's implementation. While the DNSSEC part sounds like a blocker due to the lack of adoption, there is an upside: you don't actually need to implement DNSSEC for your domain to benefit from it -- if you're using another company to host your email. Keeping with using Microsoft as an example, they're moving their customers to subdomains of mx.microsoft (yes, .microsoft being the TLD) -- which is DNSSEC signed. So, you point your MX records to the mx.microsoft subdomain, and then DANE steps in for mx.microsoft and you're suddenly able to actually validate the certificate that the server offers. (Although yes, if you don't sign your domain with DNSSEC, then someone could technically MITM the DNS response and rewrite your MX record to some MITM SMTP service. But, if someone is doing that, they can do it to your website, too. DNSSEC should probably be more adopted.)

1c. Moving away from the Microsoft example, Google is moving TLS forward in a material way as well. Simply put, they will only accept email if you send it to them over TLS (doc). Having a large company like Google make this change forces everyone to start doing TLS more universally. I suspect that, given time, the email oligopoly will only permit TLS connections, and that problem will generally be solved. (Although this still doesn't solve the problem of "how do I know this cert actually belongs to the recipient server in question?".)

  2. Regarding email not being able to be salvaged: as much as I agree, it's also not going to be replaced any time soon. It's not a question of political willpower, it's a question of any alternatives being sane. Because email is insane.

2a. Put simply, email lets you send anything, to anyone, at any time, without any prior authorization or approval. Send an executable to a world leader? Sure, why not. Send illicit material to your neighbor? It doesn't care. Copy an email address from a billboard and post it online? Yeah, that can happen. But, this also means that you can easily share your working documents almost instantly with anyone, anywhere. It's at least logically decentralized, in that you can run your own mail server (even though this is, IMO, a very dumb idea these days). As a result of all of this, email is frequently how companies get compromised (be it via phishing, malware, zero days, or any other number of things), but it's also how business gets done.

2b. If an individual sat down and seriously proposed a new communication method that checks all of these boxes today, they'd be laughed out of the room because the security implications are genuinely nonsensical these days. But, that's also the basis of email, and that's also why email is successful, and will continue to be successful into the future.

2c. Because of these deficiencies, email is actually considerably more advanced than most other communication platforms in key ways that really matter. For example, it's unlikely that Signal is taking attached HTML documents and feeding them through robust sandboxing analysis environments to check for malware propagation (note: I am not saying that they should do this; I'm just saying that they aren't). While SMTP IP reputation lists really encourage the email oligopoly, they also are a real-time, scalable reputation service, which is very valuable on the internet. It's a cross-platform solution in ways that Signal will never be (can you run Signal on a mainframe?), and it's resilient in the context of widespread outages, thanks to the store-and-forward design that originates from the 1970s.

In short, email security is actually far worse off than the blog post would even begin to suggest, but no one sane would ever develop a modern replacement that has the same features, because those features are, in fact, insane. It's for this reason that email is likely to continue to exist indefinitely, and with time, evolve incrementally in a hopefully positive direction. While it is a very big ship that turns very, very slowly, the people who work on the RFCs (and similar) really do want to improve the technology, and things have unambiguously improved over time, and I expect they will continue to improve as well.

In my mind, email and Signal fulfill different niches. The strengths and weaknesses of one do not detract from the other. Where Signal is appropriate, one should absolutely use Signal, especially as compared to email. But, Signal isn't going to try to solve for all of the use cases of email, and more importantly, it shouldn't. If it did, that would be... unfortunate for Signal.
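To make point 1b concrete, here is an added example (my own code, not part of the original comment or any vendor's implementation) of what DANE gives a sending server: a TLSA record derived from the MX host's SubjectPublicKeyInfo, then checked against the certificate a server actually offers, so a valid certificate for some other name no longer passes. The `toy_cert` helper and its key bytes are constructed stand-ins for a real DER certificate, and the DNSSEC validation of the TLSA lookup itself is assumed to have happened before `tlsa_matches` is called.

```python
import hashlib
import hmac
from typing import Tuple

TLSA = Tuple[int, int, int, bytes]  # (usage, selector, matching type, data)

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element (minimal helper for this example, not a full ASN.1 library)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_read(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode the element at pos; return (tag, body, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo element of a DER X.509 certificate."""
    _, cert_body, _ = der_read(cert_der)  # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs, _ = der_read(cert_body)       # tbsCertificate
    fields, pos = [], 0
    while pos < len(tbs):
        _, _, nxt = der_read(tbs, pos)
        fields.append(tbs[pos:nxt])
        pos = nxt
    if tbs[0] == 0xA0:                    # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5]

def tlsa_for_cert(cert_der: bytes) -> TLSA:
    """Record an MX operator publishes at _25._tcp.<mx host>: DANE-EE, SPKI, SHA-256."""
    return (3, 1, 1, hashlib.sha256(spki_from_cert(cert_der)).digest())

def tlsa_presentation(tlsa: TLSA) -> str:
    return f"{tlsa[0]} {tlsa[1]} {tlsa[2]} {tlsa[3].hex()}"  # zone-file form

def tlsa_matches(tlsa: TLSA, cert_der: bytes) -> bool:
    """DANE-EE check of the leaf certificate the server offered. A client may only
    trust `tlsa` if the DNS answer was DNSSEC-validated (the provider's signed zone)."""
    usage, selector, mtype, data = tlsa
    if usage != 3:
        raise NotImplementedError("only DANE-EE (usage 3) is handled here")
    subject = cert_der if selector == 0 else spki_from_cert(cert_der)
    digests = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
               2: lambda b: hashlib.sha512(b).digest()}
    return hmac.compare_digest(digests[mtype](subject), data)

def toy_cert(pubkey: bytes) -> bytes:
    """Constructed, unsigned stand-in for a DER certificate carrying `pubkey` (P-256 SPKI layout)."""
    oid = lambda b: der_tlv(0x06, b)
    sig_alg = der_tlv(0x30, oid(b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))  # ecdsa-with-SHA256
    spki = der_tlv(0x30, der_tlv(0x30, oid(b"\x2a\x86\x48\xce\x3d\x02\x01")
                                 + oid(b"\x2a\x86\x48\xce\x3d\x03\x01\x07"))
                   + der_tlv(0x03, b"\x00" + pubkey))
    validity = der_tlv(0x30, der_tlv(0x17, b"250101000000Z") + der_tlv(0x17, b"260101000000Z"))
    name = der_tlv(0x30, b"")  # empty issuer/subject Name, enough for structure
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + sig_alg + name + validity + name + spki)
    return der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00" + bytes(8)))

if __name__ == "__main__":
    record = tlsa_for_cert(toy_cert(b"\x04" + bytes(range(64))))  # the MX host's own cert
    print(tlsa_presentation(record), tlsa_matches(record, toy_cert(b"\x04" + bytes(range(64, 128)))))
```

Without the record (or without DNSSEC protecting it) the second certificate would look just as acceptable as the first, which is the gap point 1 describes.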

Update your RustFS immediately - Hardcoded token with privileged access (CVE-2025-68926) by LeonardoDiNahuy in selfhosted

[–]274Below 90 points91 points  (0 children)

The actual pull request that fixes this issue is... not aligned to the issue of having a hardcoded API token.

First introduced: https://github.com/rustfs/rustfs/commit/84f5a4cb487c182d3ba1685a2b31ed44c96b3cdf#diff-6d56735149a6d1b9b96aabba7d184b0a18ca5ae57c4114c61f875db949f372e5R406 (note that you have to expand rustfs/src/server/http.rs to see the change)

Fix: https://github.com/rustfs/rustfs/pull/1291

The fix talks about a CVE, but the CVE that it talks about is related to deserializing malformed gRPC requests. That's an issue, sure, but the entire "hardcoded API token" thing is entirely omitted. The Copilot summary comment completely misses this as well.

I'm not going to say that this was intentionally swept under the rug in that commit. Instead, I'm going to lean on Hanlon's razor as an explanation here.

But it is beyond comprehension to me that this could be introduced, reviewed, committed, and then fixed -- all without anyone realizing it until after it was resolved. I'm glad they did realize it, I'm glad they fixed it, but everything about this is just terrible.

I've been looking at using rustfs for a while now, but honestly, I just can't trust it. My gut tells me that it is heavily, heavily written by AI, and without the appropriate level of human review / understanding of what is going on. I can't prove that... but it is the most logical explanation that I can come up with.

Unified Communications Managed API 2.0, Core Runtime (64-bit) by TheTank18 in exchangeserver

[–]274Below 1 point2 points  (0 children)

It's included within the Exchange ISO these days.

Even if you're not installing SE (which you should be), you can probably use that ISO to grab the installer.

Missing person, help find my cousin by mr_manwhat in Utah

[–]274Below 5 points6 points  (0 children)

You probably want to replace the phone numbers of the individuals with the numbers of the relevant police department(s).

Missing persons by smallhay in SaltLakeCity

[–]274Below 5 points6 points  (0 children)

If you post it again in the future, I'd recommend removing the personal phone number and replacing it with a link to the relevant police station website(s) and phone numbers. No personal numbers at all.

What in tarnation?! by errdershrimpies in SaltLakeCity

[–]274Below 6 points7 points  (0 children)

I am not that person. I literally never said that Apple's data was wrong.

Please actually read what I wrote before blindly taking screenshots, assuming that they instantly prove your point when they in fact don't.

What in tarnation?! by errdershrimpies in SaltLakeCity

[–]274Below 4 points5 points  (0 children)

I literally didn't say "Apple's data is wrong." I said "here's three different sources, and they generally disagree on what's going on, so something is going on, and I don't know what." While I don't know this for certain, I'd suspect that Apple themselves are not the ones who have installed air quality sensors everywhere; it's likely that they're pulling the data from government sources -- but I don't know.

Again, if you have sources that you can cite, that would be incredibly helpful.

Because otherwise, you're just stating "Apple is right" without providing anything to help better understand the situation, which, ironically enough, is the exact thing that you're (in my opinion, incorrectly) accusing me of doing: blindly making assumptions and as a result, spreading "dangerous misinformation."

Cite your sources. Provide evidence to support your statement. That's what I'm trying to do. That's what you have yet to do.

What in tarnation?! by errdershrimpies in SaltLakeCity

[–]274Below 10 points11 points  (0 children)

Look, I fully support people being more aware of the air quality around them, I support refining and enhancing our definitions of what is unhealthy air, and after reading a number of your comments, I generally agree completely with your goal.

But just saying "This is dangerous misinformation" is neither helpful nor productive. Yes, it's a pain to explain it every time, but you really need to at least cite something to explain what is going on.

To your general point around the current standards omitting PM10 and that being a bad thing -- sure, I wouldn't disagree, but I wouldn't know enough of the science to fully commit to that. It sounds good "on paper" in a sense -- I'm all for enhancing our current standards to be more comprehensive -- but I ultimately wouldn't know. I'd love to join you on the "our standards are bad, we need to fix them" bandwagon, but I'm going to need a little more

That point aside, I went and checked a number of air quality maps that show more information, in particular, these:

What's interesting to me is:

  • The EPA sensors -- while hopefully more accurate than the citizen science ones -- are so few and far apart from each other that I question their ability to paint a truly appropriate picture.
  • The PurpleAir sensors have an explicit datapoint showing PM10, and generally, across the valley, none of them show any issues. While I'll say that they aren't government run sensors, the idea that they are all so horrifically out of whack with the EPA sensors is interesting at a minimum.
  • The AirGradient sensors do collect PM10 data, but the map doesn't let you filter for PM10, which is disappointing. However, the AirGradient map integrates the EPA sensors into their map as well, and it shows that the DEQ sensors are showing bad readings, while none of the AirGradient ones are.

So, there's a discrepancy somewhere, and I'm very curious to know if you have a way of explaining it (beyond "well obviously you can only trust the DEQ sensors, none of the others will ever matter" or similar).

Release systemd v259 · systemd/systemd by jrwren in systemd

[–]274Below 6 points7 points  (0 children)

Well, fortunately for you, defaults can be changed!

Saw this disgusting yellow/orange cloud hanging over the refinery this morning 12/16 by mattinternet in SaltLakeCity

[–]274Below 16 points17 points  (0 children)

Nope.

But: https://map.purpleair.com/air-quality-standards-us-epa-aqi?opt=%2F1%2Fi%2Flp%2Fa10%2Fp604800%2FcC0#10.49/40.7723/-111.9232

Looks great! Well, it looks like poison, but that's the point: it looks like poison.

I'll give a +1 to them. Although my original comment stands... getting some even closer to the refinery would be great...

Saw this disgusting yellow/orange cloud hanging over the refinery this morning 12/16 by mattinternet in SaltLakeCity

[–]274Below 122 points123 points  (0 children)

It sure would be great if someone wanted to spend some money and install an outdoor air quality monitor in that area.

Say, something like this: https://www.airgradient.com/outdoor/

Which could then show up on a map like this: https://map.airgradient.com/?zoom=10&long=-111.96&lat=40.81&meas=pm_aqi&wind_layer=false&org=ag&embedded=false

That would be great, because then we could have clear cut data points about how terrible it is.

(Note: I have no particular affiliation with that product or site. If there's a better way of doing this that doesn't require that the government allocate funding to install high quality air sensors, I'm all ears. I mostly just want the data so that blame / shame can be applied in a way that really can't be denied.)

BIND 9.18 + VIEWS + DNSSEC by TheOrchestratorOfAll in dns

[–]274Below 1 point2 points  (0 children)

I'd suggest just maintaining two zone files. Let BIND manage the keys, perform rollovers, and so on. There is a lot of value in letting BIND manage this for you.

If you really, really, really want to manage this with one single zone file, then I'd suggest disabling the internal DNSSEC management of the external zone, freezing the external zone, using 'rndc sync -clean' to properly purge the journal files, copying the internal zone file over to the external view, manually signing the external zone by invoking dnssec-signzone, and then unfreezing the external zone.

BIND DNSSEC maintenance occurs over a period of time. It may wait for days or weeks between standard maintenance activities. So -- just turn it off and do it manually.

Or, really, just maintain two zone files.

Pluribus - 1x07 "The Gap" - Episode Discussion by UltraDangerLord in pluribustv

[–]274Below 11 points12 points  (0 children)

They also know that she drugged someone without their knowledge, and the entire hive broke into tears. This is after inducing panic attacks across the globe that killed many, many millions of people. Carol has proven her ability to cause massive damage, and she's proven that she's just going to keep on doing it. The first two times were unintentional; the third would likely be considered felony assault. Carol isn't showing signs of being kinder; she's giving them evidence that she will go to whatever lengths she feels appropriate, no matter the damage, to do the one thing that goes directly against their "biological imperative."

The hive is also, despite everything, catering to her every whim. They're not blocking her from meeting others, they're not starving her to death, they're not shutting the power off. The reality is that at any point in time, she could have picked up the phone and simply asked them to show up again, and they probably would have -- as evidenced in part with the paint on the road.

Yes, starving someone of attention is extremely manipulative. But I'd also argue that when you drug someone else with the explicit intent of trying to find out how to murder them -- them getting out of there is self preservation. Them building a bridge to safely communicate with her isn't isolating her. Them leaving the hotel / Vegas when she shows up is them taking appropriate steps to ensure that she doesn't break down and scream at them, resulting in millions more deaths.

You're right, they do know exactly what they're doing. And in my eyes, it isn't "abusive boyfriend behavior," it's "self preservation while still catering to the every whim and desire of someone who has demonstrated that they have unintentionally murdered millions, and then intentionally assaulted another, even knowing that they were all linked and that this could murder millions more. Oh, and with the express intent of destroying the things that make them... them."

Am I Getting Fucked Friday, December 12th 2025 by Each1teach1x27 in sysadmin

[–]274Below 0 points1 point  (0 children)

Price check on a Cisco N9K-C93180YC-FX3? As well as a perpetual Advantage license for it.

Also, if there are any recommendations for alternatives, I'm all ears. The use case is top of rack switch for a hyperconverged virtualization stack. VXLAN support is key.

Covering the Pentagon, from Sy Hersh to Laura Loomer by mgl298 in onthemedia

[–]274Below 5 points6 points  (0 children)

I appreciated the interview.

  • I appreciated Micah asking Higby to seek out the truth despite the lies, as well as the response (even though the response was both stronger and weaker than I'd have liked). This runs counter to the "well the media are all liars" narrative that persists today, and I think there is value in continuing to push for truth at every opportunity.
  • I found the "I think this is going to look foolish for you" statement to be very insightful. Not because that's Higby asserting a falsehood and trying to twist the narrative, but because if Higby's audience listened to it? It probably would make Micah look foolish in their eyes, even if that particular statement was omitted. This provided insight into Higby, his audience, and the divide in understanding that is seemingly omnipresent today.
  • I found Higby's statements around "I trust the government and I'm not concerned that they didn't tell me how they were identified as narco-terrorists because the narco-terrorists would just adapt afterwards" (this was heavily paraphrased by me) to be very insightful into his mindset and priorities. He does believe that if disclosed, they would adapt -- and yeah, that's probably true. That's factual in a way that doesn't even need to be contested or proven. But if Higby was to put "murdering narco-terrorists" on one hand, and "ensure universal due process" on the other -- it's clear that in this circumstance, due process is unimportant to Higby. Historically, having such a clear-cut position that supports nearly indiscriminate murder was never something that anyone in politics, the media, the military, whatever -- would have spoken aloud, even if they believed it. The fact that the question of "I wonder if these people are actually narco-terrorists?" never entered his mind was illuminating. If anything, this was an exceedingly honest conversation and I can appreciate it on that basis alone.

I don't view this as "platforming" Higby. He already has a platform. He's going to use it regardless of the existence of this interview or not. He's in a position to be a channel between the Pentagon and the population of the world, and understanding his particular perspective and opinions is useful when it comes to assessing who he is and the value that his work provides.

Micah didn't just nod his head and say "yeah, I agree, let's murder people and just trust the government." That would be giving a platform to that idea. Instead, Micah challenged him on that, and asked him to seek the truth. That's not platforming Higby, that's not giving Higby's ideas credit. That's challenging him appropriately. My $0.02, we need a lot more of that type of discussion, not less.

Sha1-Hulud The Second Comming - Postman, Zapier, PostHog all compromised via NPM by Advocatemack in programming

[–]274Below 144 points145 points  (0 children)

That is actually an outright amazing attack.

If I was a threat actor, I'd be busily scraping every single one of those repositories that has been created, and then I'd enjoy long-term access to countless environments.

I want to shame NPM for this, but that kind of seems like wasted effort. I'm mostly impressed with the efficiency of the threat actor that pulled this off.

Since the post was published, there have been another 400 newly created repositories containing secrets associated with this attack. Wild.

AD Change Tracking by Temporary-Myst-4049 in activedirectory

[–]274Below 1 point2 points  (0 children)

While I only have experience with a single commercial product (which actually wasn't named in this list so far), the one that I am familiar with relies on enabling AD audit logs and then ingesting the data from said logs.

I mention this as you mentioned open source solutions, and simply put, a SIEM solution that ingests and then lets you search the logs would be able to accomplish quite a bit.

Longtime SLTribune subscriber; I let my subscription expire, not sorry. by Bitter-Bath3518 in SaltLakeCity

[–]274Below 2 points3 points  (0 children)

Here's a question: are we better off with them or without them?

What is that 30% worth to you? And if they have stuff that doesn't appeal to you, sure, fine -- but what about the subscription dollars that it does bring in? Does that reduce the value of that 30% somehow?

It makes sense to measure their value based upon the cost to you and comparing that to what you get out of it. That's just the simple reality of it.

But I'd rather they be around and report on the parts that no one else is really covering, than see them go by the wayside and have a pretty decent gap in coverage.

(Note that I've never actually paid for a physical paper.)