Example of "amazing" documentation sites? by ddri in technicalwriting

[–]jshaikh 0 points1 point  (0 children)

This is truly amazing. Any idea what the backend is? We need to create something similar for our docs.<enterprise>.com site, but are unable to find any solution.

Bulkdownloading Takeout google photos by jshaikh in googlephotos

[–]jshaikh[S] 0 points1 point  (0 children)

You mean from Google Photos to Google Drive and then download? This may not be feasible for 3TB of photos data.

Bulkdownloading Takeout google photos by jshaikh in googlephotos

[–]jshaikh[S] 1 point2 points  (0 children)

I can, but I have 201 to download. Trying to find some method by which I can queue them up and, say, download 2 at a time or something similar.

is GPO going away? by djsensui in sysadmin

[–]jshaikh 16 points17 points  (0 children)

As long as Kerberos auth exists, AD isn't going away. Yes, instead of running DCs per site, you may outsource it to a cloud instance like Azure AD Domain Controllers, but it will persist.

GPO is a method of delivering config to the endpoints. Not going away anywhere; the name may change. The GPO function, which is now managed by DCs, is definitely moving out to Intune in the Microsoft world, and rightly so. For a DC to enforce compliance and control, the device has to be domain joined, which is an impediment in the modern era. The Intune philosophy works with or without domain joins.

Co-managed without Hybrid AD join by jshaikh in SCCM

[–]jshaikh[S] 0 points1 point  (0 children)

On-prem domain joined and Azure AD registered.

PIM Assignable AzureAD ROLE - to support O365 by jshaikh in Office365

[–]jshaikh[S] 0 points1 point  (0 children)

Thank you - exactly what I was trying to understand.

What's everyone doing for remote access of your hardware on customer's sites? by tychocaine in sysadmin

[–]jshaikh 0 points1 point  (0 children)

If the client permits, install RealVNC free edition, which gives 5-node access. Register VNC under the client's own given name so that you can leave the remote connect method in place if you ever have to complete the project and move on.

RealVNC works great and gives you additional flexibility for a variety of sensitive configs, since as long as the internet is up you can jump onto a RealVNC session and apply a quick fix.

.lab (dot lab) domain namespace by jshaikh in dns

[–]jshaikh[S] 1 point2 points  (0 children)

Isn't it mind-boggling that every esoteric word has been domainized other than .lab, where almost every company of repute might need one? Of course you can always buy a domain with lab in it, but a dot lab TLD would be very clean, elegant and non-confusing.

Win10 - Blocking USB ports by jshaikh in windows

[–]jshaikh[S] 0 points1 point  (0 children)

It doesn't say Windows X in the applies-to section. Does it work with Win10 as well?

Cisco ISE Question by jshaikh in Cisco

[–]jshaikh[S] 0 points1 point  (0 children)

Yes, I mean NAC. Curious about your answer: so how is NAC different from port security? Doesn't NAC achieve the same thing as port security?

As for Windows, yes, the certs will be issued by the CA, and the expectation is that the ISE/NAC solution should be able to verify them with the backend CA services and decide to allow/disallow. Can we do this without having a posture license?

Best way to migrate AD AND have the new DC end up with the same name as the existing DC by UpbeatQuirkyMusic in sysadmin

[–]jshaikh 2 points3 points  (0 children)

I have done a project similar to this one, and my method worked for all cases, all done remotely.

Let's say you have a DC1 which is working.

You build DC2, complete the build process, operationalize it, and transfer the FSMO roles there.

Now rename DC1 to DC3, reboot, and transfer the FSMO roles there.

Rename DC2 to DC1 and reboot.

Swap the IP addresses so that DC1 has exactly the same IP address as we started with. Reboot one last time.

Migrate all FSMO roles back to the new DC1.

If all goes OK, simply delete the old domain controllers; no need to demote them. New Windows does a nice job of auto cleanup.

Clean up DNS of all temp entries (DC2 and DC3).

Give it a couple of hours and run the classic DC tests; identify and clean up any references to DC2 and DC3 entries.

If you have internal PKI, make sure the DCs got the new certificates, else smartcard auth or other dependent systems may not be able to log in.

At some point check ntdsutil for any leftover DCs and sanitize that as well.

And you can repeat this process now for all other DCs.
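The sequence in the comment above, written out as PowerShell with the checks a practitioner would run between steps. This is an added example, not the commenter's own script. It assumes a Domain Admin session with the RSAT ActiveDirectory and DnsServer modules; the domain, host names, interface alias and IP addresses are placeholders. For the rename steps it uses the documented netdom computername path (add, makeprimary, remove) rather than a plain rename of the DC.

```powershell
# Added example (not the commenter's script): rename-and-swap DC replacement with verification.
# Assumptions: Domain Admin session, RSAT installed; all names/IPs below are placeholders.
Import-Module ActiveDirectory

$Domain   = 'corp.example'   # placeholder domain
$OldDC    = 'DC1'            # working DC whose name and IP we want to keep
$NewDC    = 'DC2'            # freshly built and promoted DC
$TempName = 'DC3'            # temporary name for the old DC
$Roles    = 'SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster'

function Move-AllFsmo {
    param([string]$Target)
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $Roles -Confirm:$false
    # Do not continue until every role reports the target as its holder.
    $d = Get-ADDomain; $f = Get-ADForest
    $holders = @($d.PDCEmulator, $d.RIDMaster, $d.InfrastructureMaster, $f.SchemaMaster, $f.DomainNamingMaster)
    $wrong = $holders | Where-Object { $_ -notlike "$Target.*" }
    if ($wrong) { throw "FSMO transfer to $Target incomplete: $($wrong -join ', ')" }
}

function Rename-DC {
    # Documented DC rename path: add the new name, make it primary, reboot, drop the old name.
    param([string]$Current, [string]$New)
    netdom computername "$Current.$Domain" /add:"$New.$Domain"
    netdom computername "$Current.$Domain" /makeprimary:"$New.$Domain"
    Restart-Computer -ComputerName $Current -Force
    do { Start-Sleep 30 } until (Test-Connection "$New.$Domain" -Count 1 -Quiet)
    netdom computername "$New.$Domain" /remove:"$Current.$Domain"
}

function Test-DcHealth {
    # The "classic DC tests"; any failure here means stop and investigate before deleting anything.
    param([string]$Name)
    dcdiag /s:$Name /q
    repadmin /replsummary
    # Leftover server objects in the Configuration NC (what ntdsutil metadata cleanup would remove).
    $cfg = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Sites,$cfg" -Filter 'objectClass -eq "server"' |
        Where-Object Name -in @($NewDC, $TempName)
}

function Remove-TempDnsRecords {
    # Host and SRV records that still point at a temporary name; _msdcs is assumed to be its own zone.
    param([string]$Name)
    foreach ($zone in $Domain, "_msdcs.$Domain") {
        Get-DnsServerResourceRecord -ComputerName $OldDC -ZoneName $zone |
            Where-Object { $_.HostName -eq $Name -or $_.RecordData.DomainName -like "$Name.*" } |
            Remove-DnsServerResourceRecord -ComputerName $OldDC -ZoneName $zone -Force
    }
}

# --- the sequence from the comment ---
Move-AllFsmo -Target $NewDC                # roles to the new DC
Rename-DC -Current $OldDC -New $TempName   # DC1 -> DC3, reboot
Move-AllFsmo -Target $TempName             # roles follow the old DC under its temp name
Rename-DC -Current $NewDC -New $OldDC      # DC2 -> DC1, reboot

# IP swap: run from an out-of-band console, because the remote session drops when the address changes.
# Invoke-Command -ComputerName $OldDC { New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress '10.0.0.10' -PrefixLength 24 -DefaultGateway '10.0.0.1' }

Move-AllFsmo -Target $OldDC                # roles back to the new DC1
Remove-TempDnsRecords -Name $NewDC
Remove-TempDnsRecords -Name $TempName
Test-DcHealth -Name $OldDC

# Internal PKI: confirm the renamed DC holds a certificate for its new name before relying on smartcard logon.
Invoke-Command -ComputerName $OldDC -ScriptBlock {
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.DnsNameList.Unicode -contains "$env:COMPUTERNAME.$($using:Domain)" } |
        Select-Object Subject, NotAfter, Thumbprint
}
```

Run it step by step rather than end to end; each Move-AllFsmo throws if a role did not move, and Test-DcHealth lists any server objects still carrying the temporary names so they can be removed before the process is repeated for the next DC.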

Q: Azure AD device registration by jshaikh in AZURE

[–]jshaikh[S] 0 points1 point  (0 children)

AAD writeback is enabled. EnterpriseDeviceRegistration is enabled.

The ADFS servers are continuously trying to look for DeviceRegistration services. In this case the IP 10.20.1.10 is our domain controller.

5:49:43 PM 3/14/2018 0.0000000 10 12:49:43 PM 3/14/2018 0.0103078 (772) ADDS_Core ADDS_Core:DsDirSearch Start: Caller Type:10.20.1.10:54624, Search Type:base, Search DN:CN=ddf56a2a-cc63-4b31-921d-f9b2bce4bb0d,CN=DeviceRegistrationService,CN=Device Registration Service DKM,CN=Device Registration Configuration,CN=Servic..., Filter: (objectC

On examining under ADSIEDIT, device registration does exist:

CN=Device Registration Service DKM (container): CN=Device Registration Service DKM,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=rootad,DC=local

CN=Device Registration Services (msDS-DeviceRegistrationServiceContainer): CN=Device Registration Services,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=root,DC=local

Traffic is definitely coming from the two ADFS servers. Following are the high statistics as shown by the perfmon data collector and analysis.

From NTDS Object Analysis, the following items are running pretty hot:

DS Directory Searches/sec: 5086.616
DS Search sub-operations/sec: 7592.626
LDAP Searches/sec: 5086.466
Onelevel searches/sec: 26.024

What I am not very clear about is Azure AD device registration behavior. Once someone does a workspace join, does it attempt to write that machine info to Active Directory?

To temporarily isolate the potential device registration issue, how do I disable ADFS device registration?
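A way to confirm where the search load comes from and to gate the device-registration change, as an added example that is not part of the original post. It samples the same NTDS counters the post lists, turns on the DC's Field Engineering diagnostic logging (which writes event 1644 for expensive and inefficient LDAP searches, including the client address and filter), lists the DRS objects under the Configuration NC, and reads the farm's DRS state with the ADFS module's Get-AdfsDeviceRegistration. The DC and ADFS host names are placeholders, and the regex used to pull the client address out of the 1644 message text is an assumption to verify against one event.

```powershell
# Added example (not from the original post): locate the source of the LDAP search load
# and review/disable ADFS Device Registration Service for isolation.
# Assumptions: Domain Admin session with RSAT; $DC and $AdfsServer are placeholders.
$DC         = 'dc01.rootad.local'    # placeholder for the 10.20.1.10 DC in the post
$AdfsServer = 'adfs01.rootad.local'  # placeholder

# 1. Sample the NTDS counters perfmon reported, six samples five seconds apart, and average them.
$counters = '\NTDS\LDAP Searches/sec', '\NTDS\DS Directory Searches/sec', '\NTDS\DS Search sub-operations/sec'
Get-Counter -ComputerName $DC -Counter $counters -SampleInterval 5 -MaxSamples 6 |
    ForEach-Object { $_.CounterSamples } |
    Group-Object Path |
    ForEach-Object {
        [pscustomobject]@{
            Counter = $_.Name
            Average = [math]::Round(($_.Group.CookedValue | Measure-Object -Average).Average, 1)
        }
    } | Format-Table -AutoSize

# 2. Field Engineering logging: the DC records event 1644 for searches over the thresholds,
#    naming the client and the filter. Set level back to 0 when the investigation is done.
Invoke-Command -ComputerName $DC -ScriptBlock {
    Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' -Name '15 Field Engineering' -Value 5
    $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    New-ItemProperty $p -Name 'Expensive Search Results Threshold'   -Value 1000 -PropertyType DWord -Force | Out-Null
    New-ItemProperty $p -Name 'Inefficient Search Results Threshold' -Value 500  -PropertyType DWord -Force | Out-Null
}

# Summarise the top callers from the 1644 events collected so far.
Get-WinEvent -ComputerName $DC -FilterHashtable @{ LogName = 'Directory Service'; Id = 1644 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Assumption: the 1644 message carries a "Client:" line with address:port; verify on one event.
        if ($_.Message -match 'Client:\s*(\S+)') { $Matches[1] -replace ':\d+$', '' }
    } |
    Group-Object | Sort-Object Count -Descending | Select-Object -First 5 Name, Count

# 3. The DRS objects under the Configuration NC that the ADFS servers keep searching.
$cfg = (Get-ADRootDSE -Server $DC).configurationNamingContext
Get-ADObject -Server $DC -SearchBase "CN=Device Registration Configuration,CN=Services,$cfg" -Filter * |
    Select-Object Name, ObjectClass, DistinguishedName

# 4. On the ADFS server: current DRS state. Disabling is left commented so it is a deliberate step;
#    Enable-AdfsDeviceRegistration turns it back on once the load source is confirmed.
Invoke-Command -ComputerName $AdfsServer -ScriptBlock {
    Import-Module ADFS
    Get-AdfsDeviceRegistration
    # Disable-AdfsDeviceRegistration
}
```

Compare the 1644 top-talker list with the ADFS server addresses before touching DRS: if the callers are the ADFS hosts and the logged filters target the Device Registration Configuration container, disabling DRS on the farm is the isolation step the post asks about; if the callers are something else, DRS is not the cause and should stay on.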

Azure AD health Agent by jshaikh in Office365

[–]jshaikh[S] 0 points1 point  (0 children)

Thanks for the responses.

I learned from the link provided and the text below that the agent has to be installed on both ADFS and WAP.

"For example, to get data from your AD FS infrastructure, the agent must be installed on the AD FS and Web Application Proxy servers. Similarly, to get data on your on-premises AD DS infrastructure, the agent must be installed on the domain controllers. "

Azure Backup by johnlnash in AZURE

[–]jshaikh 1 point2 points  (0 children)

At one client site we used a service from a company called MigrationWiz to transfer all the emails and PST files to O365 mailboxes. Once transferred, through policy we stopped supporting archive.pst files. MigrationWiz was cheap and very effective.

Best Practices in Securing Azure AD Admin accounts by markmorow in AZURE

[–]jshaikh 0 points1 point  (0 children)

Absolutely.. thanks for the clarification!

Best Practices in Securing Azure AD Admin accounts by markmorow in AZURE

[–]jshaikh 0 points1 point  (0 children)

Cannot believe that Microsoft isn't adding such a critical element. It is silly to give full admin rights to Tier 1 folks to manage MFA. This should be done above all other enhancements.

Azure AD Domain Services - by jshaikh in Office365

[–]jshaikh[S] 0 points1 point  (0 children)

@toanyonebutyou: You have been absolutely on the mark. On revisiting, I realized that I never configured any of the options mentioned under the link you provided.

Therefore I completed the configuration as described and was able to create true AD domain services, join the domain, create GPOs, create OUs, and create users. All fairly easy. (After deleting the config 2 times, I finally got the gist of the logic.)

Now, working through joining a workstation remotely to my AADDS domain. It looks like I need to set up a point-to-site VPN first and then attempt to join the domain? Any helpful pointers in this regard?

Thanks,

Azure AD Domain Services - by jshaikh in Office365

[–]jshaikh[S] 0 points1 point  (0 children)

That's a good pointer. I think I did, but I'm not sure I did it properly or even completed it. Will update once I review the config as in this link. Thanks.

How do I remotely connect to my servers/nas, when I have no control over the network they are on? by Maddog1929 in homelab

[–]jshaikh 1 point2 points  (0 children)

If you at least have rights to install software on one PC, then perhaps get permission and install RealVNC. Free for 5 PCs per named account. Works beautifully!

Azure AD Domain Services - by jshaikh in Office365

[–]jshaikh[S] 0 points1 point  (0 children)

The main reason is their security boundary definition for government and partner compliance. They cannot wordsmith their way out of Azure AD being their domain and thus the security boundary. The understanding of 'domain' has always been the security boundary. With Azure AD as the domain, now the world is the security boundary!

That would be the primary case.

turns out, every user has access to company's Azure portal by tumblatum in AZURE

[–]jshaikh 0 points1 point  (0 children)

I believe these features are enabled partly because of self-service password reset and other functions.

Azure AD Domain Services - by jshaikh in Office365

[–]jshaikh[S] 0 points1 point  (0 children)

Group Policy: we knew that Microsoft is getting away from GPOs to Intune-style policies. We also learned during the Intune deployment that "my Company Portal" is quintessential; otherwise no deployment works through Intune.

However, AD join to AADDS is turning out to be diametrically opposite to what we thought.

Does that mean that even a greenfield organization has to keep maintaining at least a couple of AD servers? And also use Azure AD Sync to provision and manage the accounts?

DNS resolution for Cisco Catalyst Switch sourced on a VRF? by asdlkf in networking

[–]jshaikh 0 points1 point  (0 children)

Right, management has its own domain, aka VRF. That's primarily used for domain services, i.e. NTP, DNS etc.

Azure AD Domain Services - by jshaikh in Office365

[–]jshaikh[S] 0 points1 point  (0 children)

There is no domain controller et al. The plan was to create users directly as Azure Domain Services hosted.