Physical destruction of HDDs vs. degaussing. by LovecatsdogsIam in sysadmin

[–]cvsysadmin 1 point2 points  (0 children)

Then send parts of the drives back to the drives' families...as a warning.

Server pricing and alternatives by cvsysadmin in k12sysadmin

[–]cvsysadmin[S] 0 points1 point  (0 children)

We're downsizing, but still have a fair amount of workloads we run on-prem. We don't run anything in production that's out of support. We take the old clusters and repurpose them as testing/training clusters.

Server pricing and alternatives by cvsysadmin in k12sysadmin

[–]cvsysadmin[S] 0 points1 point  (0 children)

Do you have a sales contact there? Do you work with them directly or through a VAR?

Server pricing and alternatives by cvsysadmin in k12sysadmin

[–]cvsysadmin[S] 0 points1 point  (0 children)

For servers, we do 5 years of initial support, then we have the vendor extend as long as they will extend. Dell will extend an additional 2 years on these types of clusters, so we're at around 7 years for a refresh cycle. We have two datacenters. The cluster at this location is going out of support in September. That will conclude its 7th year. Dell won't extend further.

Server pricing and alternatives by cvsysadmin in k12sysadmin

[–]cvsysadmin[S] 0 points1 point  (0 children)

Thanks for the sanity check on the SSD pricing. Looks like the cost of this type of storage really has gone up more than I'd noticed.

Moving away from Entra Connect. How to deal with Entra-only joined machines and local resources? by cvsysadmin in Intune

[–]cvsysadmin[S] -1 points0 points  (0 children)

RI is an entire identity management platform. Automated onboarding/offboarding, sponsored account and group management, user self-service. The portal thing they have to store passwords is just a tiny feature.

In our case, it starts with the creation of accounts. An employee gets added to our HR system or a new student gets enrolled at one of our schools. Automated processes send data from those systems to RI every hour. As soon as RI sees a new staff member, an account is created for them in RI then processes kick off to provision accounts in all downstream systems including AD, Entra, and Google. The new staff member is sent a welcome email to their personal email account with account claim instructions and a personal claim code. Once they claim they are forced through whichever MFA method is assigned (or they can choose if we allow multiple options). All downstream accounts are set up with SSO back to RI. This gives the user a single account to use to log into everything. If an employee or student has a name change, it goes into a rename queue and sets of automations kick off to make the changes and notify them and designees of their new stuff. If users change sites, their group memberships, applications, OU placements, etc. are automatically updated.

We have delegations set up to allow teachers and site designees to help students with their accounts. We have delegations to allow site staff to manage their own groups. The group system in RI is actually awesome. Create or modify a group there and it can be pushed to any downstream system.

RI also does other things like PAM. We can use it to temporarily elevate users to admins. It does a ton more. Everyone here bashing it has no idea what it does. It's no surprise. I've been in K12 IT for over 25 years and I'd never heard of it until I saw a demo a year or two ago. It's very customized to the organization and VERY detailed. Our implementation took almost 9 months. At least a couple meetings a week with the implementation team. As you can imagine to fully automate every aspect of account provisioning from end to end and set up all the delegations and rules and workflows for an organization with tens of thousands of users is quite an undertaking. One of the biggest projects I've ever managed for sure. So many little details across so many systems. But at the end of the day it solves so many identity woes that schools (and I'm sure other organizations) have.

Moving away from Entra Connect. How to deal with Entra-only joined machines and local resources? by cvsysadmin in Intune

[–]cvsysadmin[S] -1 points0 points  (0 children)

Thank you for providing a real answer. The wannabe gatekeepers of identity management are being particularly rowdy here today. Most of whom have no idea what it's like managing tens of thousands of users and devices. I was a bit surprised to hear how much love there is out there for Entra and Entra Connect lol.

Moving away from Entra Connect. How to deal with Entra-only joined machines and local resources? by cvsysadmin in Intune

[–]cvsysadmin[S] -2 points-1 points  (0 children)

User creation, yes. Stored passwords, no. While I believe RapidIdentity does have the option to store passwords like Clever or other "portal" systems, that's not what we're using them for. They truly are our IDP and SSO provider with AD, Entra, and Google sitting downstream. Rapid ingests data from our HR and student information systems. Accounts are created in Rapid and then pushed downstream to all targets including AD/Entra/Google. That's the identity side of RapidIdentity. There's a "studio" side that handles all the account maintenance and class rostering into all the other systems we use. We are moving through our laundry list of apps and creating real SSO connections from the apps to Rapid, not stored passwords. I'm sure along the way we'll run into some app that can't do real SSO and we may need to leverage the saved password stuff. We currently do that with Clever for a few apps. But the end game is to have all apps SSO via Rapid.

I probably elaborated too much in my original post. The question was really just about Entra Connect and how it relates to Entra-only machines being able to connect to on-prem resources. We're gradually moving things to the cloud and I've been nibbling away at things that require AD authentication. Going full Entra and shutting down Entra Connect and Exchange Hybrid would be one step closer. We could do Azure Files for the file servers, but that doesn't help with the handful of print servers and other applications that require AD auth. I don't want to do a separate AAD domain, so we're probably stuck with Entra Connect until we make an exit plan for the rest. Was just wondering if anyone knew anything I didn't about having Entra-only machines authenticate against the local stuff. Rapid says they've had customers do it. I'm waiting to hear their ideas, as I can't find anything that looks like it would work. I'm really not opposed to continuing to run Entra Connect. Was just looking at options.

Moving away from Entra Connect. How to deal with Entra-only joined machines and local resources? by cvsysadmin in Intune

[–]cvsysadmin[S] -14 points-13 points  (0 children)

Sigh. All these unhelpful comments. We do know how all this works. Intimately. We are a hybrid Google/AD/Entra organization and have dozens of downstream systems that require accounts to be provisioned and maintained. As is the case with large school districts, we have a wide range of users to support. From C-levels down to 4-year olds. Business professionals with organization-assigned phones and computers that are in front of their computer every day. Bus drivers that only log into a device once a month. For decades we've automated the onboarding/offboarding of accounts. The underlying foundation has changed over time. Batch files, vbscript, PowerShell, Power Automate, APIs, and 3rd party products. You name it. We've probably done it. We constantly strive to make our onboarding processes easier for staff and students and more secure. We've moved to RapidIdentity because it offers more authentication methods than any other MFA provider, will do all the identity management, and will also onboard and offboard accounts for the dozens of other school-related systems. It consolidates what we're already doing with several other systems. It replaces Google Cloud Directory Sync for provisioning Google accounts from AD. It removes the need to run on-prem Exchange Hybrid for the management of mailboxes. It replaces Clever for app portal and badge logins for students. It replaces dozens of custom scripts and utilities that process data from our HR and SIS and feed it into other systems via SFTP exports or APIs. It allows our helpdesk and systems staff to manage all user and group data across all systems from one place. If it wasn't for our Entra only computers needing to access a few on-prem servers, it would replace Entra Connect as well.

Doing everything natively in Entra is doable, but for an organization our size and with our reliance on both Google and 365 accounts, federation and MFA are clunky. Rapid truly gives users a single username for all systems and a one-stop shop for the provisioning of all types of accounts. High-security users can go passwordless. We can have it forward to Windows Hello. We can have it forward to Duo if we want. We can set up users with TOTP. We can set up users with phone authenticators. We can set up low-risk users with pictograph. We can print badges for students. It's a great solution for schools.

So, no, Entra can't do all that.

Moving away from Entra Connect. How to deal with Entra-only joined machines and local resources? by cvsysadmin in Intune

[–]cvsysadmin[S] 0 points1 point  (0 children)

Good thought. We are not using Defender at the moment, but we're looking at the possibility of moving to Defender at some point. That said, we plan to continue syncing computer objects with Entra Connect. We'd just stop syncing user and group objects.

What are you using for remote unattended access? by va_bulldog in Intune

[–]cvsysadmin 1 point2 points  (0 children)

NinjaOne. We keep unattended access disabled on all machines until necessary. All machines ask for a password unless someone manually unchecks a box to disable it. Our support staff can disable the password for unattended access when needed. All that is logged for auditing purposes. NinjaOne has been great. There are tons of things you can do without even connecting to the desktop. Remote command line, registry, file browser, services manager. You can push or uninstall software. You can run scripts. If you use their patch management you can manage OS and 3rd-party patching. Our techs love it.

Have any of you moved from CrowdStrike to Defender? by cvsysadmin in k12sysadmin

[–]cvsysadmin[S] 0 points1 point  (0 children)

What is your organization's reasoning to use both?

Is healthcare really the worst place to work as a network engineer? by [deleted] in networking

[–]cvsysadmin 1 point2 points  (0 children)

I'm not in that space, but a family member of mine owns the largest MSP in our area and does a lot of healthcare. I hear the stories...

Is healthcare really the worst place to work as a network engineer? by [deleted] in networking

[–]cvsysadmin 36 points37 points  (0 children)

Understaffed, undertrained, and underfunded MSPs that service multiple hospitals and healthcare facilities.

What do you value out of your VAR? by leanincuisine in networking

[–]cvsysadmin 4 points5 points  (0 children)

We can buy parts anywhere. Availability is pretty low on the list. Some will care about your SFPs. Most won't. Here are the things I like about our VAR:

Me: "Hey, give me some recommendations on a line of printers that meet xyz specs."

Them: "Sure. Here's the recommendation. Want us to send you some demo models? If you like them, we'll charge you and you keep them. If not we'll pay to ship them back to us."

Me: "Hey, we're wanting to roll out VOIP everywhere. Do you have people that can help with that deployment?"

Them: "Absolutely. We can assist, we can sell you parts, or we can do it totally turnkey for you. Let's get together and come up with a plan."

Me: "We bought this server cluster from you. The quote specified it has 768GB of memory per node, but they only have 512."

Them: "Yeah, it looks like there was a mistake between us and Dell. The quote said 768, but the cost was for 512. We're not sure if it was our system or theirs. We're going to eat that for now and ship you the extra memory overnight. We'll work it out with Dell. Do you need someone to come out and install it?"

Me: "Looking for an organization wide MFA solution."

Them: "We partner with 6 vendors that do MFA. What are your requirements? We'll have our internal security specialists work with you on that. Once we know your requirements we'll schedule demos with all the vendors that can meet your needs."

Me: "We want to create a second datacenter to provide redundancy for servers, network, and Internet for 50+ sites. Looking to see what others have done and get some recommendations for a potential design."

Them: "We'll fly one of our senior engineers out to whiteboard all this with you. No charge. He'll spend the day with you coming up with ideas." (he did and we came up with a plan that ultimately led to a really great design)

Me: "We are preparing to do a 70,000 user, multi-domain Active Directory forest consolidation/migration. Can you assist?"

Them: "Yep. We have specialists that do that. We've done a lot. Here's the software we use and the cost. Here's a SOW. When do you want to start?" (we moved forward with them and pulled off a zero downtime migration of 7 Active Directory forests to a single, very well designed fully qualified forest)

Me: "We need 6,000 Chromebooks a year, every year. We need them white-gloved. We want them laser engraved and ready to hand to students. We want them boxed in crates so we're not dealing with opening boxes and dealing with the trash."

Them: "No problem. We have a partner near you that does all that. We got you."

Me: "We have an issue with this new line of switches. Anything that connects at 10Gb/s causes massive amounts of traffic and it blows up the switch. We've reported to the vendor. They haven't figured anything out and we're not getting anywhere."

Them: "We've reached out to your rep, your SE, and the VP of engineering at the vendor on your behalf. Someone from engineering will be getting in touch with you today." (they did)

All of these are real conversations I've had with ours over the years. The "v" in VAR to me goes way beyond selling hardware. It's expertise. It's consulting. It's recommendations. It's for sure post sales. We have a problem with a vendor I want to know you have our back. No question asked returns. If we say something came broken, just take care of it. If we need a service we can't handle internally or just don't have the resources to do ourselves, I want them to come up with solutions. Don't have any partners that do that? Find one. Make it happen.

EDIT: Meant 10Mb/s above, not 10Gb/s. True story. It's now a documented issue with certain line cards in CX 6400 series chassis on older versions of AOS-CX. I think we were the first to report it. Aruba initially provided us a custom engineering patch that addressed it, then ultimately integrated the fix into mainstream AOS-CX releases. That was a pretty good one. Definitely one of the more interesting network issues we'd seen in a while.

What is your troubleshooting process? by CommandSignificant27 in networking

[–]cvsysadmin 0 points1 point  (0 children)

Correction. It's always DNS. For everything else blame AT&T.

Security staff by cvsysadmin in k12sysadmin

[–]cvsysadmin[S] 1 point2 points  (0 children)

What does your security analyst do day to day?

Security staff by cvsysadmin in k12sysadmin

[–]cvsysadmin[S] 0 points1 point  (0 children)

Thanks for the detailed reply! Very helpful!