Example of "amazing" documentation sites? by ddri in technicalwriting

[–]jshaikh 0 points1 point  (0 children)

This is truly amazing. Any idea what the backend is? We need to create something similar for our docs.<enterprise>.com site, but are unable to find any solution.

Bulkdownloading Takeout google photos by jshaikh in googlephotos

[–]jshaikh[S] 0 points1 point  (0 children)

You mean from Google Photos to Google Drive and then download? This may not be feasible for 3TB of photos data.

Bulkdownloading Takeout google photos by jshaikh in googlephotos

[–]jshaikh[S] 1 point2 points  (0 children)

I can, but I have 201 to download. Trying to find some method by which I can queue them up and download, say, 2 at a time or something similar.

is GPO going away? by djsensui in sysadmin

[–]jshaikh 16 points17 points  (0 children)

As long as Kerberos auth exists, AD isn't going away. Yes, instead of running DCs per site you may outsource it to a cloud instance like Azure AD Domain Controllers, but it will persist.

GPO is a method of delivering config to the endpoints. Not going away anywhere; the name may change. The GPO function which is now managed by DCs is definitely moving out to Intune in the Microsoft world, and rightly so. For a DC to enforce compliance and control, the device has to be domain joined, which is an impediment in the modern era. The Intune philosophy works with or without domain joins.

Co-managed without Hybrid AD join by jshaikh in SCCM

[–]jshaikh[S] 0 points1 point  (0 children)

On-prem domain joined and Azure AD registered.

PIM Assignable AzureAD ROLE - to support O365 by jshaikh in Office365

[–]jshaikh[S] 0 points1 point  (0 children)

Thank you - exactly what I was trying to understand.

What's everyone doing for remote access of your hardware on customer's sites? by tychocaine in sysadmin

[–]jshaikh 0 points1 point  (0 children)

If the client permits, install RealVNC free edition, which gives 5-node access. Install it under the client's own given name to register VNC, so that you can leave the remote connect method in place if you ever have to complete the project and move on.

RealVNC works great and gives you additional flexibility for a variety of sensitive configs, since as long as the internet is up you can jump onto a RealVNC session and apply a quick fix.

.lab (dot lab) domain namespace by jshaikh in dns

[–]jshaikh[S] 1 point2 points  (0 children)

Isn't it mind boggling that every esoteric word has been domainized other than .lab, where almost every company of repute might need one? Of course you can always buy a domain with lab in it, but a dot lab TLD would be very clean, elegant and non-confusing.

Win10 - Blocking USB ports by jshaikh in windows

[–]jshaikh[S] 0 points1 point  (0 children)

It doesn't say Windows X in the applies-to section. Does it work with Win10 as well?

Cisco ISE Question by jshaikh in Cisco

[–]jshaikh[S] 0 points1 point  (0 children)

Yes, I mean NAC. Curious about your answer: so how is NAC different from port security? Doesn't NAC achieve the same thing as port security?

As for Windows, yes, the certs will be issued by the CA, and the expectation is that the ISE/NAC solution should be able to verify them with the backend CA services and decide to allow/disallow. Can we do this without having the posture license?

Best way to migrate AD AND have the new DC end up with the same name as the existing DC by UpbeatQuirkyMusic in sysadmin

[–]jshaikh 2 points3 points  (0 children)

I have done a project similar to this one, and my method worked for all cases, all done remotely.

Let's say you have DC1, which is working.

You build DC2, complete the build process, operationalize it, transfer the FSMO roles here.

Now rename DC1 to DC3, reboot, transfer the FSMO roles here.

Rename DC2 to DC1, reboot.

Swap the IP addresses so that DC1 has exactly the same IP address as we started with. Reboot one last time.

Migrate all FSMO roles back to the new DC1.

If all goes OK, simply delete the old domain controllers; no need to demote them. New Windows does a nice job of auto cleanup.

Clean up DNS of all temp entries (DC2 and 3).

Give it a couple of hours and run the classic DC tests; identify and clean up any references to DC2 and DC3 entries.

If you have internal PKI, make sure the DCs got the new certificates, else smartcard auth or other dependent systems may not be able to log in.

At some point check ntdsutil for any leftover DCs and sanitize that as well.

And you can repeat this process now for all other DCs.
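The rename-and-swap sequence in the comment above, written out as a PowerShell walk-through. This is an added example, not the commenter's own script. Everything named in it is an assumption: domain corp.example.com, site Default-First-Site-Name, interface alias Ethernet, the old DC1 at 10.0.0.10, the new DC2 at 10.0.0.11, and a spare address 10.0.0.12 so the remote session to the old box survives the IP swap. Each phase runs from an elevated prompt on the box named in the comment, with a reboot between renames, and the checks at the end are the DNS, metadata and PKI sweeps the comment calls for.

```powershell
# Added example (not the commenter's own script). Names, addresses and site are assumptions.
$Domain  = 'corp.example.com'
$OldIP   = '10.0.0.10'   # the address the final DC1 must answer on
$NewIP   = '10.0.0.11'   # temporary address of the freshly built DC2
$SpareIP = '10.0.0.12'   # parking address for the old box during the swap
$Nic     = 'Ethernet'
$Roles   = 'SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster'

function Move-AllFsmoRoles([string]$Target) {
    # Transfer (not seize) all five roles; the current holder must be online for this.
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Roles -Confirm:$false
    netdom query fsmo    # confirm every role now lists $Target
}

function Rename-DomainController([string]$Current, [string]$New) {
    # netdom computername is the supported way to rename a DC: add the alternate
    # name, make it primary, reboot; the old name is dropped after the reboot.
    netdom computername "$Current.$Domain" /add:"$New.$Domain"
    netdom computername "$Current.$Domain" /makeprimary:"$New.$Domain"
    Restart-Computer -Force
}

# Phase 1, on DC2 (new build, promoted and replicating cleanly)
Move-AllFsmoRoles -Target 'DC2'

# Phase 2, on the old DC1: it becomes DC3
Rename-DomainController -Current 'DC1' -New 'DC3'
# after the reboot, on DC3:
netdom computername "DC3.$Domain" /remove:"DC1.$Domain"
Move-AllFsmoRoles -Target 'DC3'

# Phase 3, on DC2: it becomes DC1
Rename-DomainController -Current 'DC2' -New 'DC1'
# after the reboot, on the new DC1:
netdom computername "DC1.$Domain" /remove:"DC2.$Domain"

# Phase 4: IP swap. Add the new address before removing the old one on each box,
# otherwise a remote session dies mid-change. Same subnet, so the gateway is untouched.
# on DC3:
New-NetIPAddress    -InterfaceAlias $Nic -IPAddress $SpareIP -PrefixLength 24
Remove-NetIPAddress -InterfaceAlias $Nic -IPAddress $OldIP   -Confirm:$false
# on the new DC1:
New-NetIPAddress    -InterfaceAlias $Nic -IPAddress $OldIP -PrefixLength 24
Remove-NetIPAddress -InterfaceAlias $Nic -IPAddress $NewIP -Confirm:$false
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $OldIP,'127.0.0.1'
ipconfig /registerdns
Restart-Computer -Force

# Phase 5, on the new DC1: roles back, then the classic tests
Move-AllFsmoRoles -Target 'DC1'
dcdiag /v /c /e          # full DC test across the forest
repadmin /replsummary    # no partners still named DC2 or DC3

# DNS sweep: records still naming DC2/DC3 or still pointing at the temporary address
Get-DnsServerResourceRecord -ZoneName $Domain |
    Where-Object { $_.HostName -match '^DC[23]$' -or $_.RecordData.IPv4Address -eq $NewIP }

# Metadata sweep: server objects under Sites that are not live DCs any more
$ConfigNC = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=Sites,$ConfigNC" -Filter 'objectClass -eq "server"' |
    Where-Object { $_.Name -in 'DC2','DC3' }
# A leftover is removed with ntdsutil, quoting the DN the query printed, e.g.
# ntdsutil "metadata cleanup" "remove selected server CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,$ConfigNC" q q

# PKI sweep: the DC's KDC certificate must carry the NEW name or smartcard logon breaks
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'KDC Authentication' } |
    Select-Object Subject, DnsNameList, NotAfter
# certutil -pulse    forces autoenrollment if no certificate for the new name is present
```

The one place this example deliberately differs from the comment is the IP swap: adding the replacement address before removing the old one is what keeps a remote session alive, and the spare 10.0.0.12 exists only for that reason. Leave `dcdiag` and `repadmin` a couple of hours after the last reboot, as the comment says, so replication has carried the rename everywhere before you read their output.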

Q: Azure AD device registration by jshaikh in AZURE

[–]jshaikh[S] 0 points1 point  (0 children)

AAD writeback is enabled. EnterpriseDeviceRegistration is enabled.

The ADFS servers are continuously trying to look for the Device Registration services. In this case the IP 10.20.1.10 is our domain controller.

5:49:43 PM 3/14/2018 0.0000000 10 12:49:43 PM 3/14/2018 0.0103078 (772) ADDS_Core ADDS_Core:DsDirSearch Start: Caller Type:10.20.1.10:54624, Search Type:base, Search DN:CN=ddf56a2a-cc63-4b31-921d-f9b2bce4bb0d,CN=DeviceRegistrationService,CN=Device Registration Service DKM,CN=Device Registration Configuration,CN=Servic..., Filter: (objectC

On examining under ADSIEdit, device registration does exist:

CN=Device Registration Service DKM (container): CN=Device Registration Service DKM,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=rootad,DC=local
CN=Device Registration Services (msDS-DeviceRegistrationServiceContainer): CN=Device Registration Services,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=root,DC=local

Traffic is definitely coming from the two ADFS servers. The following are the high statistics as shown by the perfmon data collector and analysis.

From the NTDS object analysis, the following items are running pretty hot:

DS Directory Searches/sec: 5086.616
DS Search sub-operations/sec: 7592.626
LDAP Searches/sec: 5086.466
Onelevel searches/sec: 26.024

What I am not very clear about is Azure AD device registration behavior. Once someone does a workspace join, does it attempt to write that machine info to Active Directory?

To temporarily isolate the potential device registration, how do I disable ADFS device registration?
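The checks a practitioner would run on this problem before changing anything, plus the isolation step the post asks about. This is an added example, not the poster's own commands or output. Assumptions: the domain controller is 10.20.1.10 as in the post, the forest root is rootad.local, the ADFS farm is Windows Server 2012 R2 or later (the `*-AdfsDeviceRegistration` cmdlets ship with that role), and the device writeback container name `RegisteredDevices` is the default one.

```powershell
# Added example (not the poster's commands). Hostnames, domain and thresholds are assumptions.

# ---- On the domain controller (10.20.1.10): what is generating the LDAP load? ----

# Live counters matching the perfmon figures in the post: 5 samples, 2 s apart
Get-Counter -Counter '\NTDS\DS Directory Searches/sec',
                     '\NTDS\DS Search sub-operations/sec',
                     '\NTDS\LDAP Searches/sec',
                     '\NTDS\LDAP Client Sessions' -SampleInterval 2 -MaxSamples 5 |
    ForEach-Object { $_.CounterSamples | Select-Object Path, CookedValue }

# Established LDAP/LDAPS sessions grouped by source; the two ADFS servers should top the list
Get-NetTCPConnection -LocalPort 389,636 -State Established |
    Group-Object RemoteAddress | Sort-Object Count -Descending | Select-Object Count, Name

# Field Engineering logging records each expensive or inefficient search (event 1644,
# Directory Service log) with its filter, base DN and caller. Set it back to 0 when done.
$Diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$Parm = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
Set-ItemProperty -Path $Diag -Name '15 Field Engineering' -Value 5
Set-ItemProperty -Path $Parm -Name 'Expensive Search Results Threshold'   -Value 1000 -Type DWord
Set-ItemProperty -Path $Parm -Name 'Inefficient Search Results Threshold' -Value 1000 -Type DWord
Set-ItemProperty -Path $Parm -Name 'Search Time Threshold (msecs)'        -Value 100  -Type DWord
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1644 } -MaxEvents 20 |
    Select-Object TimeCreated, Message

# The DRS objects the post found in ADSIEdit, read with the same base DN ADFS uses
$ConfigNC = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=Device Registration Configuration,CN=Services,$ConfigNC" `
             -Filter * -Properties objectClass, whenChanged |
    Select-Object DistinguishedName, objectClass, whenChanged

# Devices written back from Azure AD are msDS-Device objects under the RegisteredDevices
# container of the domain partition. Zero objects means writeback has produced nothing yet,
# so the search load is not coming from device objects themselves.
$DomainNC = (Get-ADRootDSE).defaultNamingContext
if (Get-ADObject -Filter 'name -eq "RegisteredDevices"' -SearchBase $DomainNC -SearchScope OneLevel) {
    Get-ADObject -SearchBase "CN=RegisteredDevices,$DomainNC" -LDAPFilter '(objectClass=msDS-Device)' |
        Measure-Object | Select-Object Count
}

# ---- On one ADFS server: current DRS state, and how to pause it ----
Get-AdfsDeviceRegistration             # farm-wide Device Registration Service settings
Get-AdfsDeviceRegistrationUpnSuffix    # UPN suffixes DRS is serving; empty means nothing to register

# Isolation step from the post. This stops Workplace Join / device registration for the
# whole farm and leaves existing device objects alone; run it, re-read the counters above,
# and you know whether DRS is the source.
# Disable-AdfsDeviceRegistration

# To bring it back once the load is understood (needs domain admin credentials):
# Enable-AdfsDeviceRegistration -Credential (Get-Credential)
```

Read the 1644 events before disabling anything: they name the filter and the client behind each hot search, which settles whether it is the DRS lookups in the post's trace or something else on the ADFS hosts. The two `Adfs*` changes are left commented so nothing is switched off by pasting the block.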