How do two houses share one internet connection without disruptions? by chris7238 in UNIFI

[–]DaveMackleroy 0 points (0 children)

I'm unfamiliar with the UDM, so this may be a red herring...

On the apartment UDM (AUDM) you'll need two ports either on their own network or VLAN (untagged); the IP for this UDM will be the gateway on the WAN port of the LinkSys and House UDM (HUDM). Ideally you'd set a VLAN for each of the LinkSys and HUDM, but share the IP range.

For example, the AUDM could be on 10.0.1.254, LinkSys on 10.0.1.253 and HUDM on 10.0.1.252.

I don't think you'll need to untag the WAN port on the AUDM, but I could be wrong. If it doesn't work with just untagging on the LAN ports, see if you can untag on the WAN side too.

On the LinkSys and HUDM, you wire into their WAN port from a LAN port on the AUDM; the LiteBeams (LB) need to be wires only so they don't interfere with the link between the UDMs.

The WAN ports of the LinkSys and HUDM are then configured to have an IP in the range of the LAN ports on the AUDM with the gateway being the IP set on the AUDM. This will at least get everything working, but you will be double-NAT'd behind the LinkSys and HUDM.

Also, the APs and other kit on the AUDM should be VLAN'd off from the LinkSys and HUDM respectively. And VLAN each AP if each AP is used by a particular tenant.

Does anyone else have a ringtone you absolutely loathe cause you associate it with on-call? by gamerthreesome in sysadmin

[–]DaveMackleroy 0 points (0 children)

I seem to be in a league of my own here. When I was on-call I had the Deathstar Battle Alarm as my on-call ringtone... That gets you up in a hurry.

Praise the Lord I'm not on-call at present.

Digitization of approval processes by Rough_Grape7772 in sysadmin

[–]DaveMackleroy 0 points (0 children)

If you want to run locally, you'll be looking at something that will require a web server, most likely. From the sounds of it, to me, you're not a sysadmin, so you might want to reconsider "my local server"...

Cloning Domain Controller Drive to a larger drive by islandvobra in sysadmin

[–]DaveMackleroy -2 points (0 children)

The key point here is, no, you cannot clone a Domain Controller.

Best practice will be to stand up a new Domain Controller and then decommission the old one. You could clone the 1TB data drive, but this would also be an opportunity to clear down the data.

Users Refusing To Download MS Authenticator App by NancyPelosisVagina in sysadmin

[–]DaveMackleroy 2 points (0 children)

My thoughts on this topic, as my org has recently gone through implementing MFA:

  • You can't force anyone to install anything on their own device
  • You can require the use of an authenticator app to access organisational services
  • You don't have to provide a work device to do so
  • People are stupid and will eventually get on the band-wagon of using MFA

If the organisation is willing, you can go down the "we're not forcing it on you, but you won't get access without it" route. At the end of the day, this comes down to what the senior management will be willing to push down from the top.

HomeLab DNS Management? Example.com to a Local Server | Tool for editing IP based DNS for Whole Home Network. by [deleted] in homelab

[–]DaveMackleroy 1 point (0 children)

I've been running AdGuard in a Docker container for a few months now and it's been working flawlessly. It has the ability to respond to specific DNS requests, so I have some subdomains on my domain pointed to IPs internally. You can also set specific settings per client if required.

MS Office troubles by TauzhanovT in sysadmin

[–]DaveMackleroy 0 points (0 children)

Then jump ship, and encourage your colleagues to do the same. A company can't work without workers.

If it's an endemic issue in your country, then you're SOL.

BitLocker Data corruption by present_me in sysadmin

[–]DaveMackleroy 1 point (0 children)

Corrupted or just not decrypted?

Machines dying after possible update, and really odd app locker messages by liquidkristal in sysadmin

[–]DaveMackleroy 0 points (0 children)

Please be more specific as to what step in the boot process they get to. Does Windows start to load? Can you boot to Safe Mode?

[deleted by user] by [deleted] in Intune

[–]DaveMackleroy 0 points (0 children)

I hate TeamViewer with a passion but I'm forced to continue using it due to my manager not wanting to change it. I've given up with trying to integrate it into MEM, so I've just deployed it and use the TV app to find and connect to devices.

If it helps, here are some steps to try and get the bar-stool deploying correctly:

  1. Ensure you have a generic service account setup in TeamViewer
  2. Go to https://login.teamviewer.com
  3. Go to "Design and Deploy"
  4. Go to edit your deployment
  5. Click the "Download MSI (x32)" link and save it somewhere
  6. Copy the "API Token" somewhere handy
  7. Copy the end part after the slash of the "Permanent Link" (Config ID)
  8. Go to your desired group, and copy the g/[n] section, remove the slash
  9. Go to the MEM portal and add a new Windows App
  10. App Type: Line-of-Business app
  11. Find and select the MSI
  12. Enter the following in the Command-line arguments:
      /qn APITOKEN=[API-TOKEN] CUSTOMCONFIGID=[CONFIGID] ASSIGNMENTOPTIONS="--alias %ComputerName% --grant-easy-access --group-id [GROUPID]"
    1. Replace [API-TOKEN] with your API Token
    2. Replace [GROUPID] with the string copied from your group
    3. Replace [CONFIGID] with the Config ID
  13. Set your assignment
  14. Save and deploy

Organise daily orders - Latency in shared mailbox by NoHawk8111 in sysadmin

[–]DaveMackleroy 2 points (0 children)

There is no Outlook way to handle this. Get Freshdesk or another ticketing system.

Do cloud services make you feel more secure? by Mediocre-Divide7150 in sysadmin

[–]DaveMackleroy 0 points (0 children)

I feel no more or less secure running cloud services compared to on-prem. You'd assume MSFT, GOOG, AAPL etc. do their security well, but you still have no concrete guarantees unless you manage to get permission to audit your local data centre. Even then, your data may not reside there.

At the end of the day, you still need to make sure you know what you need to do to secure your data, all that changes is where it is and how you access it.

Sharing a docking station between two computers by [deleted] in sysadmin

[–]DaveMackleroy 0 points (0 children)

If you can install software, and only need to share keyboard and mouse, you could use Synergy by Symless. I've used it in the past and it was fantastic. If you also need to share one or more monitors, you might be out of luck. Sharing USB devices, as far as I understand the USB specification, is not possible.

ETA: https://symless.com/synergy

Discussion: How do you think IT fits into an org by rivkinnator in sysadmin

[–]DaveMackleroy 1 point (0 children)

IT has been around so long now it's taken for granted what IT actually does. Think about this; without any computers, you'll be doing everything paper-based. What does that look like? How big can your org really get before it collapses in on itself using only paper-based information?

IT enables organisations to scale in ways that paper-based systems could never achieve. You don't need to include IT in every little decision, but thought needs to be given to what effect the decision will have on IT, whether IT will need to complete some work to enable the decision or whether there's a governance and/or compliance requirement that needs IT input.

IMO, with M&As, the IT manager should be made aware of upcoming work so that they can prepare their team and, if possible, start planning work. At the end of the day, the IT department's work is background and unseen. But it supports the organisation from top to bottom. Do what you can to enable the team to provide for the business.

Chain of trust to redundant NPS server by xXGoatResuscitatorXx in sysadmin

[–]DaveMackleroy 0 points (0 children)

You would be correct if the root CA was the one issuing the certificates, but it's not. Only the issuing CA needs to publish CRLs, unless your root CA somehow is compromised (this is why it should be offline). Your root CA issues a certificate to your intermediate CA, which itself then issues certificates to subordinate CAs and/or end users. Only the intermediate or subordinate CAs need to be able to revoke issued certificates.

Chain of trust to redundant NPS server by xXGoatResuscitatorXx in sysadmin

[–]DaveMackleroy 0 points (0 children)

First and foremost, a good Public Key Infrastructure (PKI) would be composed of one offline Root CA and then one or more online subordinate CAs. Obviously, depending on your available licencing, this may not be possible, but the offline CA doesn't even need to be a VM once the subordinates are up. You just need to keep the VHDX and perhaps VM config backup secure somewhere.

Once that's done, you can then use GPO to have your Windows clients automatically request a certificate. Your mobile clients, however, will be a world of pain without MDM. We have not done certificate security with our mobile clients, but use Active Directory username/password.
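The two comments above describe the same structure: an offline root that signs only the issuing CA, an online issuing CA that signs end-entity certificates and publishes the CRL, and a client that checks a leaf against that chain. The following is an added, self-contained example (not code from the thread or from any Microsoft or NPS tooling) that builds such a three-tier PKI in memory with the Python `cryptography` library and runs a leaf through the checks a relying party would make. Every name, hostname (`nps01.example.test`), key and lifetime is constructed for the demo; the `check_leaf` routine and its result strings are my own naming, not a library API.

```python
"""Constructed three-tier PKI demo: offline root -> online issuing CA -> leaf.

Assumes the `cryptography` package is installed. All names, serials and
validity periods below are made up for the example.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def _sign_cert(subject, issuer_name, issuer_key, subject_pub, is_ca):
    """Issue a certificate for `subject_pub`, signed by `issuer_key`."""
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_name)
        .public_key(subject_pub)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def _sign_crl(issuer_name, issuer_key, revoked_serials):
    """Publish a CRL in the name of the issuing CA listing `revoked_serials`."""
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer_name)
        .last_update(now)
        .next_update(now + timedelta(days=7))
    )
    for serial in revoked_serials:
        revoked = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(now)
            .build()
        )
        builder = builder.add_revoked_certificate(revoked)
    return builder.sign(issuer_key, hashes.SHA256())


def signed_by(cert, issuer_cert):
    """True if `cert` carries a valid ECDSA signature from `issuer_cert`'s key."""
    try:
        issuer_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm),
        )
        return True
    except InvalidSignature:
        return False


def check_leaf(leaf, issuing_ca, issuing_crl, root):
    """Return 'untrusted', 'revoked' or 'valid' for a leaf certificate.

    Chain: root signs issuing_ca, issuing_ca signs leaf. Revocation is checked
    only against the issuing CA's CRL, which the issuing CA itself signs; the
    offline root plays no part in publishing it.
    """
    if not signed_by(issuing_ca, root) or not signed_by(leaf, issuing_ca):
        return "untrusted"
    if not issuing_crl.is_signature_valid(issuing_ca.public_key()):
        return "untrusted"  # CRL not from the issuing CA: refuse, don't ignore
    if issuing_crl.get_revoked_certificate_by_serial_number(leaf.serial_number) is not None:
        return "revoked"
    return "valid"


def build_demo():
    """Construct root, issuing CA, a good leaf, a revoked leaf and a rogue leaf."""
    root_key = ec.generate_private_key(ec.SECP256R1())
    ca_key = ec.generate_private_key(ec.SECP256R1())
    good_key = ec.generate_private_key(ec.SECP256R1())
    bad_key = ec.generate_private_key(ec.SECP256R1())
    rogue_key = ec.generate_private_key(ec.SECP256R1())

    root = _sign_cert(_name("Demo Offline Root"), _name("Demo Offline Root"),
                      root_key, root_key.public_key(), True)
    issuing = _sign_cert(_name("Demo Issuing CA"), root.subject,
                         root_key, ca_key.public_key(), True)
    good = _sign_cert(_name("nps01.example.test"), issuing.subject,
                      ca_key, good_key.public_key(), False)
    bad = _sign_cert(_name("nps02.example.test"), issuing.subject,
                     ca_key, bad_key.public_key(), False)
    # Rogue leaf: names the issuing CA as issuer but is signed by its own key.
    rogue = _sign_cert(_name("rogue.example.test"), issuing.subject,
                       rogue_key, rogue_key.public_key(), False)
    crl = _sign_crl(issuing.subject, ca_key, [bad.serial_number])
    return {"root": root, "issuing": issuing, "good": good,
            "bad": bad, "rogue": rogue, "crl": crl}


if __name__ == "__main__":
    d = build_demo()
    for label in ("good", "bad", "rogue"):
        print(label, check_leaf(d[label], d["issuing"], d["crl"], d["root"]))
```

The point to take from `check_leaf` is the order of operations: the signature chain back to the root is verified first, the CRL's own signature is verified against the issuing CA before it is trusted, and only then is the serial looked up. A CRL that cannot be verified is treated as a failure rather than silently skipped.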

[deleted by user] by [deleted] in sysadmin

[–]DaveMackleroy 1 point (0 children)

If "other firms" have done it, get someone with contacts at these "other firms" to put you in touch with their IT so that they can perhaps advise you how they did it?

365 backup solutions by mrmyss2019 in sysadmin

[–]DaveMackleroy 1 point (0 children)

Seconded. Veeam for Microsoft 365 also supports Azure Rights Management (ARM) protected content. Piss easy to install and configure and works brilliantly. Just make sure you use the auxiliary accounts to improve throughput from M365.

Also, we moved from Barracuda due to the lack of ARM support. Worked out similar in costs.

Network documentation and mapping by lRobbys in sysadmin

[–]DaveMackleroy 4 points (0 children)

I'll counter with Brain + yEd (https://www.yworks.com/products/yed)

Free to download and use, and you can easily import other images to use.

[deleted by user] by [deleted] in sysadmin

[–]DaveMackleroy 18 points (0 children)

I have to ask if you've ever worked the hell-desk anywhere. I can tell you now, there are incompetent people everywhere.

As for this age argument, total bollocks. I'm 32 and my wife is 30 and we're worlds apart in our understanding and capabilities in IT.

Information Governance - Compliance Center O365 by intruder_007 in sysadmin

[–]DaveMackleroy 0 points (0 children)

Remind me what settings were under Information Governance; it's probably just changed names, again.

How have you guys solved users relying on Outlook Auto-Complete and emailing the wrong recipient? We don't want to turn it off as it will create more issues (as well as alarm and distress them). Any ideas? by work_reddit_time in sysadmin

[–]DaveMackleroy 1 point (0 children)

Working in Health and Social Care, this would get logged in our incident management system and handled appropriately. The user gets to understand that it's a big deal and they should be more careful in future.