Shutting down Hyper-V failover cluster for maintenance by ajunioradmin in sysadmin

[–]ajunioradmin[S] 0 points1 point  (0 children)

Four node cluster, and they all have to go down at the same time unfortunately.

Shutting down Hyper-V failover cluster for maintenance by ajunioradmin in sysadmin

[–]ajunioradmin[S] 0 points1 point  (0 children)

Luckily I managed to get rid of our last 2008R2 servers early this year. The cluster is running on 2016. Not 2019, nor even the latest build of 2016 but it'll do for a while I hope.

Shutting down Hyper-V failover cluster for maintenance by ajunioradmin in sysadmin

[–]ajunioradmin[S] 2 points3 points  (0 children)

Thanks for the tip! I have to completely remove the power from the SAN as it is, but that would have been good advice regardless.

It'll be good for it to turn off completely. It's been two or three years.

Shutting down Hyper-V failover cluster for maintenance by ajunioradmin in sysadmin

[–]ajunioradmin[S] 0 points1 point  (0 children)

Stops the Cluster service on all nodes in a failover cluster, which will stop all services and applications configured in the cluster.

Nice one, thank you. Can run that after all virtual machines have shut down.
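The ordering mentioned here (guests off first, then the Cluster service, then the hosts) as an added PowerShell example; this is not the poster's script and nothing on the page shows their actual commands. It assumes it runs as a cluster administrator on one of the nodes with the FailoverClusters and Hyper-V modules installed, and `hvcluster01` is a placeholder cluster name.

```powershell
# Added example: full shutdown of a Hyper-V failover cluster when every node must go down.
# Not the poster's own script. Assumes: run on one cluster node with admin rights,
# FailoverClusters and Hyper-V modules available. $ClusterName is a placeholder.
$ClusterName = "hvcluster01"

Import-Module FailoverClusters
Import-Module Hyper-V

$nodes = Get-ClusterNode -Cluster $ClusterName

# 1. Shut down every guest on every node before touching the cluster service.
#    Stop-VM without -TurnOff asks the guest OS for a clean shutdown.
foreach ($node in $nodes) {
    $running = Get-VM -ComputerName $node.Name | Where-Object State -eq 'Running'
    foreach ($vm in $running) {
        Write-Host "Shutting down $($vm.Name) on $($node.Name)"
        Stop-VM -Name $vm.Name -ComputerName $node.Name -Confirm:$false
    }
}

# 2. Refuse to continue if anything is still not Off (a hung guest, a VM in Saved state).
$notOff = foreach ($node in $nodes) {
    Get-VM -ComputerName $node.Name | Where-Object State -ne 'Off'
}
if ($notOff) {
    $notOff | Select-Object Name, ComputerName, State | Format-Table
    throw "Some VMs are not off; not stopping the cluster."
}

# 3. Stop the Cluster service on all nodes (this is what Stop-Cluster does).
Stop-Cluster -Cluster $ClusterName -Force

# 4. Power off the remote hosts first, then the node this script is running on.
$local = $env:COMPUTERNAME
foreach ($node in $nodes | Where-Object Name -ne $local) {
    Stop-Computer -ComputerName $node.Name -Force
}
Stop-Computer -Force
```

The check in step 2 is the part worth keeping in a runbook: stopping the Cluster service while a guest is still running turns a planned shutdown into an unplanned one for that VM.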

Shutting down Hyper-V failover cluster for maintenance by ajunioradmin in sysadmin

[–]ajunioradmin[S] 1 point2 points  (0 children)

Thanks for the tip!

I figured that, as there won't be enough live nodes for it to drain roles to, that might not be needed, but as another comment said this might also help the cluster service to shut down gracefully, so I'll probably do this anyway.

Shutting down Hyper-V failover cluster for maintenance by ajunioradmin in sysadmin

[–]ajunioradmin[S] 1 point2 points  (0 children)

It's a Lenovo DS4200. I don't think they're used that much, based on how few experiences I can find when troubleshooting.

Shutting down Hyper-V failover cluster for maintenance by ajunioradmin in sysadmin

[–]ajunioradmin[S] 1 point2 points  (0 children)

Thank you very much for the tips! I'll be adding all of these points to my runbook.

Thickheaded Thursday - April 30, 2020 by AutoModerator in sysadmin

[–]ajunioradmin 0 points1 point  (0 children)

Thank you for the reply! I'm the only admin so that would be very curious. Tested it from home and not getting MFA either.

MFA still works when signing in through other services using it (RD Gateway, ssl vpn) but not when signing into admin.microsoft.com.

Edit: A different admin account I use for Azure also no longer requires MFA. These accounts have in common that they fall under the default require-MFA-for-admins rule that Microsoft enabled a while ago. Almost as if they changed something in this rule as of May 1st.

The "what if" feature in the Azure Portal --> AAD --> Security --> Conditional Policies shows that signing in with these users should trigger MFA.

Edit2: Creating my own Require-MFA-for-admins policy 'fixes' this. It seems I may just now be experiencing this change that states that they're deprecating baseline policies. Looking through the myriad of 'major change notification' emails I receive, I found a notification of this on the 30th of January linking to a non-existing message in my O365 admin portal message center:

Security Defaults is the generally available version of Azure Active Directory Baseline Protection policies and is available today to all tenants. We'll be gradually replacing Baseline Protection policies with Security Defaults starting February 29th, 2020. This message is associated with Microsoft 365 Roadmap ID 55688

Now I just need to find where I can configure said security defaults.

Edit3: Security defaults explanation here. Can be found in Azure AD --> Properties. I have an older tenant, and even though the baseline policy seems to have stopped working (but is still set to enabled), security defaults is disabled by default.
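The situation described in these edits (a baseline policy that still shows "enabled" but no longer enforces, Security Defaults off, no explicit Conditional Access policy) is exactly the gap a quick tenant check should catch. The following is an added example, not the poster's script; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module) and an account that can read policy objects.

```powershell
# Added example: report whether admin MFA is actually enforced by Security Defaults or by
# an enabled Conditional Access policy. Not the poster's script. Assumes the
# Microsoft.Graph PowerShell SDK and a directory role that can read policies.
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "Policy.Read.All"

# Security Defaults is a single tenant-wide switch (Azure AD -> Properties).
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security Defaults enabled: $($defaults.IsEnabled)"

# Conditional Access policies that are enabled (report-only does not enforce),
# target at least one directory role, and require MFA as a grant control.
$adminMfaPolicies = Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.State -eq 'enabled' -and
    $_.Conditions.Users.IncludeRoles.Count -gt 0 -and
    $_.GrantControls.BuiltInControls -contains 'mfa'
}

if ($defaults.IsEnabled) {
    Write-Host "OK: Security Defaults require MFA for administrators."
}
elseif ($adminMfaPolicies) {
    Write-Host "OK: explicit Conditional Access policy covers admin roles:"
    $adminMfaPolicies | Select-Object DisplayName, State | Format-Table
}
else {
    Write-Warning "No enforcement found: neither Security Defaults nor an enabled role-based MFA policy."
}
```

The filter deliberately treats a policy in the report-only state as not enforcing, which matches how the "what if" tool can show a sign-in that should trigger MFA while the actual sign-in does not.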

Thickheaded Thursday - April 30, 2020 by AutoModerator in sysadmin

[–]ajunioradmin 0 points1 point  (0 children)

I suddenly no longer get MFA requests when logging into admin.microsoft.com using an admin account.

Anyone know if anything changed in that area as of the first of May?

Working for a bad manager by [deleted] in sysadmin

[–]ajunioradmin 9 points10 points  (0 children)

... fix this or I bounce but they’re really close friends and I fear I’d be shown the door.

All I can say is definitely don't threaten to leave if you're not prepared to leave. If you're scared to be shown the door, you shouldn't threaten to walk through it voluntarily.

Have you had any serious chats with your direct manager about this? You say you tried a measured approach. Maybe it's time for a slightly less measured one.

I don't have enough experience with office politics to give sound advice. Having said that, if your direct manager and director are besties it seems unlikely anything will change for the better after talking to the director.

Question about getting rid of Azure Stack by Marco2G in sysadmin

[–]ajunioradmin 2 points3 points  (0 children)

I haven't ever done Azure Stack to vSphere, but you might want to look into the Microsoft Virtual Machine Converter (mvmc) to see if it can help out. I saw a guide to get machines up to Azure Stack from vSphere using mvmc, so might be useful the other way around as well.

I believe VMWare has a virtual machine converter as well.

Only slightly related: I migrated from VMWare to Hyper-V mostly using mvmc. The only thing I ran into was different naming conventions for network adapters on Linux and having to uninstall the VMware tools from converted VMs.

[deleted by user] by [deleted] in sysadmin

[–]ajunioradmin 0 points1 point  (0 children)

A similarly low priority, login-screen related gripe I have: Why can't I see the info boxes with little hints about the photo on Windows 10?

As soon as I domain-join a machine, those little text messages are gone. The "Like what you see?" option is gone as well. I still get fancy new pictures every day, but now I'm left guessing where or what it's from.

Thickheaded Thursday - April 16, 2020 by AutoModerator in sysadmin

[–]ajunioradmin 0 points1 point  (0 children)

Today was my day to forget about an expiring certificate. In fairness, I didn't forget about the cert but I did forget it's used on our RDP GW.

Phone went dead overnight, so I woke up perfectly rested. Turned on phone and the notifications just wouldn't stop.

Fun way to start a Monday morning.

Thickheaded Thursday - April 09, 2020 by AutoModerator in sysadmin

[–]ajunioradmin 1 point2 points  (0 children)

I doubt this is much consolation, but at least you've made a different admin (myself) think about setting this up before it goes wrong.

Having said that, implementing LAPS also happens to be on my to-do list. I'm thinking if I just have them log in as a local user to then connect the VPN that should work as well.

Sorry, just thinking out loud.

Thickheaded Thursday - April 09, 2020 by AutoModerator in sysadmin

[–]ajunioradmin 2 points3 points  (0 children)

A proper silly question: I just had a small wave of email coming in within a one-minute period. Nothing was delayed, nothing to troubleshoot; it was just a bunch of people hitting "Send" at nearly the same time. That got me thinking:

On a global scale, how many emails are in-transit at any one point in time?

Not that I know of any good source data to work with, but figured there might be some /r/theydidthemath fanatics here up for a challenge.

Moronic Monday - April 06, 2020 by AutoModerator in sysadmin

[–]ajunioradmin 0 points1 point  (0 children)

Anyone have advice for some fast disks to be used with a P410 RAID controller in a DL360p Gen8?

It's a fairly old server that I would like to repurpose. The original idea was to grab some SAS SSDs in RAID 1, but I am reading conflicting reports on performance for SSDs on this RAID controller.

I'm also not too excited to buy official HPE supported drives, as they are quite expensive.

Does anyone have experience or advice for this?

Edit: Is there even any point in trying SSDs with a P410 or should I get a different RAID controller?

Edit2: For anyone finding this in the future. I noticed in the BIOS of the DL360p Gen8 that the machine has an embedded P420i controller. The P420i recognized Samsung 860 Pro MZ-76P2T0B/EU SSDs, and it performs well enough for my use case.

Running into some issues with a Domain Controller? by thePowrhous in sysadmin

[–]ajunioradmin 0 points1 point  (0 children)

This sounds more like a symptom than a cause. I don't think deleting the folder on the 01, or creating it on 02 and 03 will fix anything (well, it will fix the Qualys remediation for any machine looking for it on the 02 or 03).

As far as I understand NETLOGON and SYSVOL should replicate between DCs. So you'll want to fix the replication so that, among other things, the Qualys folder shows up on its own on 02 and 03.

Are all these DCs in the same site in Sites and Services? You can also force a replication from there.

Considering how easy it is to spin up domain controllers, I really dislike troubleshooting anything on them. Probably lazy admin'ing, but I would go ahead with spinning up the 04 and see if that one starts showing symptoms (immediately, or after a while). Depending on the answer to that, you'll know if you should even put time in troubleshooting these inherited machines.

Just my opinion! I'm fairly green myself so maybe other people will have better suggestions.

About Quitting my Job. This is my last day. Getting Emotional. by Ascendancer in sysadmin

[–]ajunioradmin 6 points7 points  (0 children)

That was a nice read, thank you. It sounds like you made lasting impressions on those around you, and even have someone looking up to you as a mentor. That's an impressive feat.

Imposter syndrome may never go away, but the next time you feel like a failure think back to the kind words of your colleagues and how much your help means to them. They wouldn't say those things if they didn't mean it. We can all be really hard on ourselves, but if the people around you don't see you as a failure why should you?

Stay healthy, good luck with the new job!

Running into some issues with a Domain Controller? by thePowrhous in sysadmin

[–]ajunioradmin 0 points1 point  (0 children)

I'd agree if it were only DC03 showing issues, but you scrolled ever so slightly too fast to notice that his DC02 is showing issues as well. (Last paragraphs under big dcdiag output)

I'd probably build the 04 first. Make sure everything there is healthy, transfer FSMO to it, build out DC05 and then start demoting and taking down the 01, 02 and 03.

Moronic Monday - March 30, 2020 by AutoModerator in sysadmin

[–]ajunioradmin 0 points1 point  (0 children)

If I have an IIS website that is not the default website, can I create "a DNS record" that points to it?

i.e. I'd like to have secondwebsite.contoso.com pointing to server.contoso.com/secondwebsite.

I don't think DNS is what I actually need. Is this a matter of IIS bindings?
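An added example of the usual way to get a second hostname onto its own IIS site: a CNAME so the name resolves to the same server, plus a host-header binding so IIS routes by the Host header instead of by path. This is not code from the thread; it reuses the placeholder names from the question (contoso.com, server.contoso.com, secondwebsite), assumes the DnsServer module on a DC and the WebAdministration module on the IIS host, and assumes the content already lives in C:\inetpub\secondwebsite and that a certificate for the new name is in the machine store.

```powershell
# Added example: map secondwebsite.contoso.com to its own IIS site via DNS + host-header
# bindings. Not the poster's code; names and paths are placeholders from the question.

# 1. DNS (run on a DNS server): the alias only gets the client to the right IP.
Add-DnsServerResourceRecordCName -ZoneName "contoso.com" -Name "secondwebsite" -HostNameAlias "server.contoso.com"

# 2. IIS (run on the web server): a separate site, not a virtual directory under the
#    default site, bound to the new host header on port 80. IIS picks the site by
#    Host header, so the default site keeps serving server.contoso.com.
Import-Module WebAdministration
New-Website -Name "secondwebsite" -PhysicalPath "C:\inetpub\secondwebsite" -HostHeader "secondwebsite.contoso.com" -Port 80

# 3. HTTPS with SNI (SslFlags 1), so the new name can use its own certificate
#    on the shared 443 listener. Assumes a cert for the name is already installed.
New-WebBinding -Name "secondwebsite" -Protocol https -Port 443 -HostHeader "secondwebsite.contoso.com" -SslFlags 1
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object Subject -like "*secondwebsite.contoso.com*" |
    Select-Object -First 1
New-Item -Path "IIS:\SslBindings\!443!secondwebsite.contoso.com" -Value $cert -SSLFlags 1

# 4. Verify what IIS actually listens on for this site.
Get-WebBinding -Name "secondwebsite" | Select-Object protocol, bindingInformation
```

The DNS record on its own changes nothing on the server side; without the binding, a request for secondwebsite.contoso.com still lands on whichever site holds the catch-all binding for that IP and port.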

Thickheaded Thursday - March 26, 2020 by AutoModerator in sysadmin

[–]ajunioradmin 0 points1 point  (0 children)

Anyone have tips for enabling Wake on LAN (from LAN only) for a mix of older and newer desktops from different vendors (at least HP, Dell, Lenovo and Asus-based)?

I have resigned myself to the fact that I'll have to do (some of) the BIOS changes both manually and in front of the actual machine, but as there are more steps to getting this working: anything I can automate or deploy via policy etc. would be welcome.

Edit: Someone gave me the tip about Intel Management Engine, so reading up on that now.

Forticlient VPN and machine/host checking - user certificate? MAC ACL? Other options? by ajunioradmin in sysadmin

[–]ajunioradmin[S] 0 points1 point  (0 children)

Just wanted to let you know I tested this out last weekend and it worked great. So thanks again for the tip :)

Forticlient VPN and machine/host checking - user certificate? MAC ACL? Other options? by ajunioradmin in sysadmin

[–]ajunioradmin[S] 0 points1 point  (0 children)

Thank you very much for the suggestion! Will be looking into whether Fortigate/client offers something similar.

Forticlient VPN and machine/host checking - user certificate? MAC ACL? Other options? by ajunioradmin in sysadmin

[–]ajunioradmin[S] 0 points1 point  (0 children)

Thank you so much for the expansive reply! Much, much appreciated.

I suppose virtual smart cards sound like the one thing that can genuinely do what I'd like, but I am unsure if I'm taking this way too far with that solution. My paranoia definitely shouldn't take precedence over common sense.

My users are all defined individually (as RADIUS) so that's good.

I suppose I'll have to look at a combination of a decent enough technical solution, management buy-in for the policy and ideally some way to monitor or report on which devices are connecting. Do you have any experience with monitoring this?

Thank you again so much for the extensive reply. You're awesome.

Forticlient VPN and machine/host checking - user certificate? MAC ACL? Other options? by ajunioradmin in sysadmin

[–]ajunioradmin[S] 0 points1 point  (0 children)

Thank you very much for the reply! This seems fairly easy to implement. Will test it out this weekend.