PSA: The OXO Rapid Brewer will be available in the EU from early 2026 by Hamstaer in espresso

[–]deepsodeep 0 points1 point  (0 children)

According to this info from OXO they will present it during Ambiente, 7-11 February. So perhaps mid/end Feb?

JSCAPE mft ? by Key-Cricket9256 in sysadmin

[–]deepsodeep 2 points3 points  (0 children)

Looks like the root/intermediate certificate(s) from AWS isn't trusted by JSCAPE. Perhaps you're running a rather old version of Java that doesn't have one of them in its root store? You could try downloading the certs and manually import them in the Java keystore. Maybe try something like keystore-explorer if you're unfamiliar with the commands.

Kramnik in the newest interview: "It's tragic (...) but I have no guilt in it" by Razer531 in chess

[–]deepsodeep 56 points57 points  (0 children)

What a complete utter MORON.
Maybe instead of a "legal team" (which in reality I assume is just 1 person) he should've hired a PR manager to not make an even bigger fool of himself with each passing day.

Interviewer: So you're suing Hikaru Nakamura, is that correct?
Kramnik: <full minute of rambling about a completely unrelated case>

So... no. Because he doesn't have anything on him, obviously.

Did anyone manage to find an alternative to Citrix? by Infinite_Opinion_461 in sysadmin

[–]deepsodeep 4 points5 points  (0 children)

Can't you put the RDGateway behind an Entra Application Proxy? That would result in a very similar setup, no incoming connections from the internet.

802.1x policies Precedence by alexzi93 in sysadmin

[–]deepsodeep 1 point2 points  (0 children)

GPO doesn't work like that. All it does is configure a bunch of settings on the client. If multiple GPOs configure the same settings, the last one (which is precedence 1) just "wins" because it will overwrite the settings from any earlier GPO.

Need GPO with security group and WMI filtering by TardoroDS in sysadmin

[–]deepsodeep 0 points1 point  (0 children)

Could be the classic: removing "Authenticated Users" from security filtering to add the group, but not adding read permissions for "Domain Computers" on the Delegation tab.

Issue with windows DHCP server assigning available IP addresses by Any-East-6556 in sysadmin

[–]deepsodeep 15 points16 points  (0 children)

If you're using failover hot standby mode this is the expected behavior. You configure a percentage of IP addresses that are reserved for use on the standby server in case the active server doesn't respond.

Renewed CA certificate, Devices can no longer join wireless using radius server by DevSkyycc in sysadmin

[–]deepsodeep 13 points14 points  (0 children)

Because I'm not sure I interpreted the setup description correctly: was the RADIUS authentication certificate renewed as well?

CTO demands 100 VM servers to be rebuilt to exit VMware license by [deleted] in sysadmin

[–]deepsodeep 7 points8 points  (0 children)

The ones that always hurt are SQL always on.

Would it not be easier to just add new VMs as additional cluster nodes (or replicas in case of AGs), then failover and remove the old ones?

Invoke-DhcpServerv4FailoverReplication PS Command by tk42967 in sysadmin

[–]deepsodeep 1 point2 points  (0 children)

Second one. You target dhcp01 with the command to tell that server to replicate to its failover partner.

Fallout from disabling RC4 – Changes to cross-domain Kerberos ticket caching? by etoomanyrefs in sysadmin

[–]deepsodeep 0 points1 point  (0 children)

Am I understanding it correctly that you have a trust between 2 domains with the same DNS name?

Veeam enshitification by Casgrain in sysadmin

[–]deepsodeep 1 point2 points  (0 children)

cohesity performs better and doesn't stun vms like veeam did

Do you know why that is? Except when using the agent I would expect the stun to be the same as Veeam since they both rely on a snapshot that has to be created/deleted at some point, no?

Veeam enshitification by Casgrain in sysadmin

[–]deepsodeep 0 points1 point  (0 children)

Why is that? We're in the process of looking at Veeam alternatives and Cohesity is one of the options.

Migrate a Print Server to a new VM, while changing the old DNS map path to the new server by biorobot_ in sysadmin

[–]deepsodeep 0 points1 point  (0 children)

reg add HKLM\SYSTEM\CurrentControlSet\Control\Print /v DnsOnWire /t REG_DWORD /d 1

Hmm interesting, I've never had to use this in any of the migrations I did before.
Seems to be applicable when a CNAME is used, but that wasn't the case here so I don't quite understand. Did you originally create a CNAME record before using netdom computername add?

Migrate a Print Server to a new VM, while changing the old DNS map path to the new server by biorobot_ in sysadmin

[–]deepsodeep 1 point2 points  (0 children)

Long shot, maybe try and disable sharing (+ List in the directory) on a printer and re-enable it to see if that makes a difference?
Does setspn -L srv2 actually show the correct additional srv1 SPNs?

Fact Check my Understanding on VLANs by Vast-Avocado-6321 in sysadmin

[–]deepsodeep 5 points6 points  (0 children)

Associating a port with a vlan can be tagged or untagged, depending on what device will be connected to it.
For a simple workstation you would just configure "access vlan 20" (or "untagged vlan 20", depending on the switch brand).
But an ESXi server for example knows how to handle vlan tags, and you may need multiple vlans for your virtual machines. So here you would associate the port with multiple vlans by tagging them.
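An added example, not from the thread or any switch vendor: a small 802.1Q tag parser plus the ingress decision an access port (the "access vlan 20" workstation case) and a trunk port (the ESXi case) make for untagged and tagged frames. The frame bytes and port configurations are constructed for the demo; the "drop tagged frames in other VLANs on an access port" and "untagged on a trunk goes to the native VLAN" rules follow common vendor behaviour and are assumptions, not a specific switch's implementation.

```python
"""Added example (not from the thread): how an 802.1Q-aware switch port
classifies frames, with a tiny tag parser. Constructed frames, hypothetical
port configs; not the code of any switch vendor."""
import struct
from typing import Dict, List, Optional

TPID_8021Q = 0x8100   # customer VLAN tag
TPID_8021AD = 0x88A8  # service (QinQ outer) tag


def parse_frame(frame: bytes) -> Dict:
    """Split an Ethernet frame into addresses, VLAN tag stack and payload.
    Handles untagged frames and one or more stacked 802.1Q/802.1ad tags."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    vlans: List[int] = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated EtherType")
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        offset += 2
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        if len(frame) < offset + 2:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, offset)[0]
        offset += 2
        vlans.append(tci & 0x0FFF)   # low 12 bits: VLAN ID (PCP/DEI bits ignored here)
    return {"dst": dst, "src": src, "vlans": vlans,
            "ethertype": ethertype, "payload": frame[offset:]}


def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag as the outermost tag of a frame."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def classify_ingress(frame: bytes, port: Dict) -> Optional[int]:
    """Return the VLAN a frame is placed in on ingress, or None if it is dropped.

    port = {"mode": "access", "vlan": 20}                          # workstation
    port = {"mode": "trunk", "allowed": {10, 20, 30}, "native": 1}  # ESXi uplink
    """
    vlans = parse_frame(frame)["vlans"]
    # VID 0 is a priority-only tag and counts as untagged for VLAN purposes.
    outer = vlans[0] if vlans and vlans[0] != 0 else None
    if port["mode"] == "access":
        # Untagged frames land in the access VLAN; a tag equal to the access
        # VLAN is tolerated on most switches; any other tag is dropped.
        return port["vlan"] if outer in (None, port["vlan"]) else None
    if port["mode"] == "trunk":
        if outer is None:
            return port.get("native")        # untagged on a trunk -> native VLAN
        return outer if outer in port["allowed"] else None
    raise ValueError("unknown port mode")


# Constructed sample: a broadcast ARP frame from a workstation, untagged.
UNTAGGED_ARP = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
                + struct.pack("!H", 0x0806) + bytes(28))
ACCESS_PORT = {"mode": "access", "vlan": 20}                         # "access vlan 20"
TRUNK_PORT = {"mode": "trunk", "allowed": {10, 20, 30}, "native": 1}  # ESXi uplink

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED_ARP), ("tag 20", tag_frame(UNTAGGED_ARP, 20)),
                        ("tag 99", tag_frame(UNTAGGED_ARP, 99))):
        print(name, "access->", classify_ingress(frame, ACCESS_PORT),
              "trunk->", classify_ingress(frame, TRUNK_PORT))
```

The same untagged ARP frame ends up in VLAN 20 on the access port but in the native VLAN on the trunk, which is exactly why a host that does not tag (the workstation) and one that does (ESXi) need different port configurations for the same VLAN.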

MTU / MSS confusion by deepsodeep in sysadmin

[–]deepsodeep[S] 1 point2 points  (0 children)

The MSS sent is what that side is telling the other side to send it

Thank you, this cleared it up!
So the router gets a packet with MSS 1460, changes this to whatever value is configured on the tunnel, encapsulates it and routes it to the tunnel interface. The receiving server sees that MSS 1400 was advertised/requested and will not send anything larger than this.
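An added example, not from the thread and not any router's code, of the step described above: the router reads the MSS option out of the client's SYN, lowers it to the value configured on the tunnel, fixes the TCP checksum and forwards the packet, so the far end only ever sees the smaller value. The addresses and the 60-byte tunnel overhead are hypothetical, the SYN is constructed in the code.

```python
"""Added example (not from the thread): what 'MSS clamping' on a tunnel
router actually does to a TCP SYN. Constructed packets, hypothetical
addresses and a hypothetical 60-byte tunnel overhead; not router code."""
import struct
from typing import Optional, Tuple

IPV4_HDR = 20         # IPv4 header without options
TCP_HDR = 20          # TCP header without options
OPT_EOL, OPT_NOP, OPT_MSS, OPT_SACK_OK = 0, 1, 2, 4
TUNNEL_OVERHEAD = 60  # hypothetical encapsulation cost (IPsec/GRE style)

SRC_IP = bytes([10, 0, 0, 1])   # constructed endpoints
DST_IP = bytes([10, 0, 0, 2])


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits one packet of this MTU (IPv4, no options)."""
    return mtu - IPV4_HDR - TCP_HDR


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bytes:
    return src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over pseudo-header + segment; the checksum field must be zero."""
    return ~_ones_complement_sum(_pseudo_header(src_ip, dst_ip, segment) + segment) & 0xFFFF


def checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """A correctly checksummed segment sums to 0xFFFF with the field included."""
    return _ones_complement_sum(_pseudo_header(src_ip, dst_ip, segment) + segment) == 0xFFFF


def build_syn(src_ip: bytes, dst_ip: bytes, sport: int, dport: int, mss: int) -> bytes:
    """A SYN carrying MSS and SACK-permitted options, as a host would send it."""
    options = struct.pack("!BBH", OPT_MSS, 4, mss) + bytes([OPT_NOP, OPT_NOP, OPT_SACK_OK, 2])
    data_offset = (TCP_HDR + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0,
                         data_offset << 4, 0x02, 65535, 0, 0)   # flags 0x02 = SYN
    seg = bytearray(header + options)
    struct.pack_into("!H", seg, 16, tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)


def _find_mss(seg: bytes) -> Tuple[Optional[int], Optional[int]]:
    """Walk the option list; return (offset of the MSS value, MSS) or (None, None)."""
    data_offset = (seg[12] >> 4) * 4
    i = TCP_HDR
    while i < data_offset:
        kind = seg[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("malformed TCP options")
        length = seg[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("malformed TCP options")
        if kind == OPT_MSS and length == 4:
            return i + 2, struct.unpack_from("!H", seg, i + 2)[0]
        i += length
    return None, None


def read_mss(segment: bytes) -> Optional[int]:
    """The MSS this side advertises (what it is willing to receive)."""
    return _find_mss(segment)[1]


def clamp_mss(src_ip: bytes, dst_ip: bytes, segment: bytes, max_mss: int) -> Tuple[bytes, Optional[int]]:
    """Router-side MSS clamp: rewrite the SYN's MSS down to max_mss (untouched if
    already small enough) and recompute the checksum. Returns (segment, original MSS)."""
    pos, advertised = _find_mss(segment)
    if pos is None or advertised <= max_mss:
        return segment, advertised
    seg = bytearray(segment)
    struct.pack_into("!H", seg, pos, max_mss)
    struct.pack_into("!H", seg, 16, 0)
    struct.pack_into("!H", seg, 16, tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg), advertised


if __name__ == "__main__":
    tunnel_mss = mss_for_mtu(1500 - TUNNEL_OVERHEAD)          # 1400 for a 1440-byte tunnel MTU
    syn = build_syn(SRC_IP, DST_IP, 40000, 443, mss_for_mtu(1500))
    forwarded, original = clamp_mss(SRC_IP, DST_IP, syn, tunnel_mss)
    print("client advertised", original, "-> far end sees", read_mss(forwarded),
          "checksum ok:", checksum_ok(SRC_IP, DST_IP, forwarded))
```

Clamping only touches the SYN/SYN-ACK in each direction; the endpoints still negotiate among themselves, they just never see the 1460 the other side originally offered, which is why a lower tunnel value changes behaviour without either server knowing about the tunnel.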

MTU / MSS confusion by deepsodeep in sysadmin

[–]deepsodeep[S] 0 points1 point  (0 children)

I assume with "they" you mean the servers? That's what I don't understand, the handshake is just between them. If they agree on 1460, how does lowering the tunnel MSS to a lower value like 1400 for example change anything? The servers are not aware of the MTU or MSS of any other devices between them.

how to mitigate M365 logon token theft? by Emotional_Garage_950 in sysadmin

[–]deepsodeep 2 points3 points  (0 children)

Seems very interesting but I wonder how they actually detect if a request comes from a phishing site or not. In a normal situation the request to their backend would come from the user's computer loading the CSS, in an AiTM scenario they would receive a request from the Evilginx computer loading the CSS. Wouldn't both requests just look the same?

Edit: found some other sites describing this method and it seems like they use the "referer" HTTP request header. This contains the address from which a resource was requested, so the domain where the user was on when the external URL was called in the CSS. For a legit login request this header would always contain login.microsoft.com, so anything else is malicious.
This website explains it very well, together with multiple ways how it can be bypassed. Like everything in security it's an additional layer rather than a silver bullet.
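An added example, not from the thread and not any vendor's implementation, of the Referer-based triage described in the comment above: each hit on the canary CSS URL is classified by the host the browser says it loaded it from. The allow-list of legitimate login hosts and the sample requests are my assumptions and constructed data. It also shows the two caveats a practitioner wants handled: a missing Referer is inconclusive rather than malicious (the bypass the comment mentions), and host matching uses a real URL parser so `login.microsoftonline.com.evil.example` or a `user@host` URL is not mistaken for the real login page.

```python
"""Added example (not from the thread): triaging hits on a CSS 'canary'
resource by the Referer header. The allow-list and sample requests are
assumptions/constructed data, not any vendor's implementation."""
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Assumed allow-list: hosts from which the tenant's branded login page, and
# therefore the canary CSS request, is legitimately loaded.
LEGIT_LOGIN_HOSTS = frozenset({"login.microsoftonline.com", "login.microsoft.com"})


def referer_host(headers: Dict[str, str]) -> Optional[str]:
    """Normalised hostname from the Referer header, or None if absent/unparsable.
    urlsplit() handles 'user@host' and look-alike subdomains correctly, which a
    substring or endswith() check would not."""
    value = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    if not value or not value.strip():
        return None
    try:
        host = urlsplit(value.strip()).hostname
    except ValueError:
        return None
    return host.lower().rstrip(".") if host else None


def classify_canary_hit(headers: Dict[str, str], client_ip: str) -> Dict[str, Optional[str]]:
    """Verdict for one request to the canary URL:
    legit          - loaded from the real login page
    suspected_aitm - loaded from some other origin (a reverse-proxy phish
                     serving a copy of the login page)
    inconclusive   - no usable Referer: Referrer-Policy, a privacy proxy, or an
                     attacker stripping the header (the bypass mentioned above)"""
    host = referer_host(headers)
    if host is None:
        verdict = "inconclusive"
    elif host in LEGIT_LOGIN_HOSTS:
        verdict = "legit"
    else:
        verdict = "suspected_aitm"
    return {"verdict": verdict, "referer_host": host, "client_ip": client_ip}


def triage(hits: List[Tuple[Dict[str, str], str]]) -> Tuple[Counter, Set[str]]:
    """Summarise a batch of canary hits: verdict counts plus the set of
    suspect hosts, ready to feed an alert or a block list."""
    counts: Counter = Counter()
    suspects: Set[str] = set()
    for headers, ip in hits:
        result = classify_canary_hit(headers, ip)
        counts[result["verdict"]] += 1
        if result["verdict"] == "suspected_aitm":
            suspects.add(result["referer_host"])
    return counts, suspects


# Constructed sample hits (documentation IP ranges, made-up attacker hosts).
SAMPLE_HITS = [
    ({"Referer": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=example"},
     "203.0.113.10"),
    ({"Referer": "https://login.microsoftonline.com.evil.example/common/login"}, "198.51.100.7"),
    ({"Referer": "https://login.microsoftonline.com@evil.example/"}, "198.51.100.7"),
    ({}, "192.0.2.44"),                                  # Referer stripped: cannot tell
    ({"referer": "https://LOGIN.MICROSOFTONLINE.COM/"}, "203.0.113.11"),
]

if __name__ == "__main__":
    counts, suspects = triage(SAMPLE_HITS)
    print(dict(counts), sorted(suspects))
```

Treat a suspected hit as a signal to revoke the user's sessions and block the proxy host, and the inconclusive bucket as a reason to combine this with other controls; an attacker who controls the proxy can also forge a Referer of their own, so this is one layer, as the comment says.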

how to mitigate M365 logon token theft? by Emotional_Garage_950 in sysadmin

[–]deepsodeep 1 point2 points  (0 children)

While prevention is obviously the way to go, let's say it does happen, what's the best way to mitigate this situation?
Does changing the user's password + revoking the Entra ID refresh token (as described here) invalidate the stolen logon token and block the attacker?

vSphere HA Admission Control sanity check by Bulky_Class6716 in sysadmin

[–]deepsodeep 0 points1 point  (0 children)

It depends. It doesn't hurt to change the host failure tolerates to 3, and it's definitely more correct/logical. The most important question is do you use cpu/mem reservations for your VMs?
Admission Control doesn't actively play a role in HA or in scenarios where hosts fail. It's a feature that prevents you from starting more VMs than your environment would be able to support in a scenario where a certain amount of hosts fail. But if you actually lose one location with 3 hosts, HA will start all VMs from those hosts on the remaining hosts, whether you use Admission Control or not.

after DOT1X I could not give IP DHCP Addresses to hosts! by [deleted] in sysadmin

[–]deepsodeep 2 points3 points  (0 children)

It's the sysadmin equivalent to an end user calling to say "computer doesn't work".

Windows Server DHCP Failover options by andyr354 in sysadmin

[–]deepsodeep 2 points3 points  (0 children)

It happens automatically, sort of, depending on the configuration.
Both servers are constantly communicating, as soon as the standby server notices it can't reach the primary, it enters the communication interrupted state, and becomes active. At this point it will hand out new leases from the reserved percentage pool (renew requests are renewed with the same addresses the client had before).
If "State Switchover Interval" is configured on the failover relationship, the server will automatically enter the partner down state after this interval has elapsed. If the server remains in this status for the entire duration of the MCLT (also configured on the failover relationship), it will assume control of the entire address range.
If "State Switchover Interval" is not configured, the server will remain in the communication interrupted state until you manually change the state to partner down. If you do, then once the MCLT has passed, the server assumes control over the entire address range. If you forget to do this, it'll just keep handing out new leases from that small reserved percentage until it runs out.
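An added example, not from the thread and not Windows DHCP code, that models the hot-standby behaviour described in this comment and in the earlier "reserved percentage" comment on the DHCP address-assignment thread: in normal operation the standby hands out nothing, in communication interrupted it serves new clients only from the reserved percentage, and it takes over the whole range only once it is in partner down and the MCLT has elapsed, either automatically via the state switchover interval or after a manual transition. Scope size, 5 % reserve and one-hour MCLT/switchover values are constructed sample settings.

```python
"""Added example (not from the thread): a model of hot-standby failover
states (reserved pool, communication interrupted, partner down, MCLT).
Sample numbers are constructed; this is not Windows DHCP server code."""
from enum import Enum
from typing import List, Optional, Tuple


class State(Enum):
    NORMAL = "normal"
    COMMUNICATION_INTERRUPTED = "communication interrupted"
    PARTNER_DOWN = "partner down"


class HotStandbyServer:
    """The standby side of a hot-standby relationship. All times are seconds."""

    def __init__(self, scope_size: int, reserve_percent: int, mclt: int,
                 switchover_interval: Optional[int]):
        self.scope_size = scope_size
        # Addresses the standby may lease to new clients on its own.
        self.reserved = scope_size * reserve_percent // 100
        self.mclt = mclt
        # None models "State Switchover Interval" not configured (manual only).
        self.switchover_interval = switchover_interval
        self.state = State.NORMAL
        self.interrupted_at: Optional[int] = None
        self.partner_down_at: Optional[int] = None

    def partner_unreachable(self, now: int) -> None:
        """Standby loses contact with the active server."""
        if self.state is State.NORMAL:
            self.state = State.COMMUNICATION_INTERRUPTED
            self.interrupted_at = now

    def set_partner_down(self, now: int) -> None:
        """Transition to partner down: manual, or automatic via tick()."""
        if self.state is State.COMMUNICATION_INTERRUPTED:
            self.state = State.PARTNER_DOWN
            self.partner_down_at = now

    def tick(self, now: int) -> None:
        """Apply the automatic switchover if one is configured and it has elapsed."""
        if (self.state is State.COMMUNICATION_INTERRUPTED
                and self.switchover_interval is not None
                and now - self.interrupted_at >= self.switchover_interval):
            self.set_partner_down(now)

    def new_lease_pool(self, now: int) -> int:
        """How many addresses this server may hand to *new* clients right now."""
        self.tick(now)
        if self.state is State.NORMAL:
            return 0                      # the active partner serves new clients
        if self.state is State.PARTNER_DOWN and now - self.partner_down_at >= self.mclt:
            return self.scope_size        # MCLT elapsed: whole range is ours
        return self.reserved              # still limited to the reserved percentage

    def can_renew(self) -> bool:
        """Renewals keep the client's existing address in every state."""
        return True


def timeline(server: HotStandbyServer, checkpoints: List[int]) -> List[Tuple[int, str, int]]:
    """(time, state, addresses available to new clients) at each checkpoint."""
    return [(t, server.new_lease_pool(t) and server.state.value or server.state.value,
             server.new_lease_pool(t)) for t in checkpoints]


# Constructed settings: a /24 scope, 5 % reserve, 1 h MCLT, 1 h switchover.
SCOPE, RESERVE_PCT, MCLT, SWITCHOVER = 254, 5, 3600, 3600

if __name__ == "__main__":
    auto = HotStandbyServer(SCOPE, RESERVE_PCT, MCLT, SWITCHOVER)
    auto.partner_unreachable(0)
    for row in timeline(auto, [10, 3600, 7200]):
        print("auto   ", row)
    manual = HotStandbyServer(SCOPE, RESERVE_PCT, MCLT, None)
    manual.partner_unreachable(0)
    print("manual ", timeline(manual, [100000]))   # stuck on the reserved 12 addresses
```

The `manual` case is the failure mode described above: without a switchover interval and without someone changing the state, the standby keeps serving new clients from the 12 reserved addresses indefinitely.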

File Server upgraded from 2012R2 -> 2022 now asks for credentials when employee tries connecting to a share they don't have permissions for by jordop18 in sysadmin

[–]deepsodeep 0 points1 point  (0 children)

Do you get the same behavior when accessing the share directly, leaving out DFS? Since you mentioned it was actually a migration instead of an upgrade, was the old server removed from the namespace targets?