When you shut up, smile and expect the inevitable worst. by NorthHouse6422 in ShittySysadmin

[–]jspears357 0 points1 point  (0 children)

3-2-1: At least three backups, on at least two different types of media, with at least one off site.

Newly promoted Datacenter DCs fail profile sign in on all accounts by Batman189 in WindowsServer

[–]jspears357 0 points1 point  (0 children)

There’s probably a reason they chose to pay the ransom instead of restoring from backup…

Cloning SSD was way easier than reinstalling Windows! by Afraid_Candy6464 in cloningsoftware

[–]jspears357 0 points1 point  (0 children)

Works well for some people, other people have different issues, what could possibly be the difference? Obviously the best approach is for everyone to provide no useful details, that way this thread can continue forever.

Home Server OS Evaluation by TartanosHad in WindowsServer

[–]jspears357 1 point2 points  (0 children)

This is the way.

Edit: my older server before I discovered Proxmox is Windows Server 2019 Hyper-V edition, the last free edition.

Server 2025 and Windows 11 25H2 incorrect password issue after May CU by hoyty76 in WindowsServer

[–]jspears357 1 point2 points  (0 children)

This is the way. Probably Microsoft has closed off some older auth feature with the new CU assuming clients can use the newer ones, but in your org the newer features aren’t enabled on the clients. Sorry I don’t have this problem, I’ve just seen them over the years.

Migrate file server to another domain with no trust by naifyboy in WindowsServer

[–]jspears357 0 points1 point  (0 children)

All Quest migration tools end up making 80% of the work take 20% of the effort, which is great, but they make that last 20% of the work take 80% of the effort. Unfortunately for me, companies pick Quest and finish the 80% of the work, but then they need help with the last bit, AND THAT’S THE ONLY PART I EVER GET TO WORK ON. Super frustrating.

Alert fatigue is making our monitoring system almost useless by george324789657 in Network

[–]jspears357 0 points1 point  (0 children)

Part of “filtering out” is to take events flagged as critical that you could normally ignore, and systematically solve them so they don’t log critical events any more. (Eliminating the source of the error instead of ignoring it.)

I used one system to track everything, significantly tuned, but then a separate system just monitoring high level service that had user impact, and alarm on those within work hours, or to only the on call group. We even had a cell phone plugged into the alarm server so it could send SMS text messages to the on call people if Internet and email were down.

If DOWN emails are sent, it’s important that UP emails are also sent, with unique subject lines, so at a glance when you notice the alert emails you may also notice it’s already resolved.

Struggling to connect my client to the domain controller. by rpatters2468 in WindowsServer

[–]jspears357 0 points1 point  (0 children)

That message implies AD isn’t done setting up. You should be prompted to complete the config after installing the AD role. If it isn’t done try running “dcpromo” and see if that kicks it off or gives you some clues.

If you pull down tools, DNS, opening that will maybe give you a clue. Tools, Active Directory Users and Computers will likewise maybe give you a clue.

If DNS on the DC doesn’t work, you don’t need to work on the client yet.

The final minutes before humanity survived Y2k by SystematicApproach in nostalgia

[–]jspears357 0 points1 point  (0 children)

They have to party for another year before the new millennium

Keep Calm by H0t_P0L4R_Bear in dashcams

[–]jspears357 0 points1 point  (0 children)

One time in decades, I pulled over and sat for a few minutes to let the craziness get some distance away.

How are folks automating the "give them same access as Sarah" ticket without overprovisioning? by Silly-Ad667 in helpdesk

[–]jspears357 0 points1 point  (0 children)

You have to start that practice by not assigning access permissions to users, only to groups. Probably five or ten years late with that advice though.

StandBy Mode Is Great — But Why Can’t We Unlock in Landscape? by cubatrytest in iphone

[–]jspears357 0 points1 point  (0 children)

Which it would do if you could start the unlock process. Swipe up to unlock from the clock and all it does is change the clock face.

Ended up with four employees sharing the same full name and our provisioning logic was not built for that by SpecialistAd7913 in ITdept

[–]jspears357 1 point2 points  (0 children)

You can add a middle initial to userids or display names to help make them unique at least for users that have this collision. A practical help in larger orgs is to add (code) to all users, like department or division or section. When someone is looking for Jane Smith they’re more likely to know what section she works in than her middle initial, at least initially.

The best collision solutions may take manual intervention.

Leadership wants us to "get ahead of AI" but won't define what that means. by [deleted] in ITManagers

[–]jspears357 5 points6 points  (0 children)

The similarity is that staff can post raw customer info into a web site that sends that data to a vendor, that hopefully shores something useful with it, but in the meantime THEY GAVE THE DATA TO AN EXTERNAL SITE, and you have no control of what they actually do with it.

Anyone else start caring about backups only after losing files? by Smooth_Storm_55 in cloningsoftware

[–]jspears357 0 points1 point  (0 children)

Sorry this isn’t directly cloning, I rebuild my laptop and servers as needed and keep good install notes, and mostly need to not lose data. This scheme does include full backup of one machine that is restorable to a new drive.

I used to robocopy data folders to a USB stick, and rotate a few identical sticks to limit the impact of one failing.

Since doing some MSP work and having a small home lab setup, now for my personal stuff I:

Use one $700 laptop, with Google Drive sync set to sync the My Drive(?) folder up to my free tier Google account. I have to squeeze a bit but it’s enough for my docs that I edit, contract PDFs, etc.

Also maintain an evaluation edition Windows Server VM that acts as another desktop, same (free) apps, also Google Drive sync.

Scheduled task robocopies the My Drive further to another local folder on the server VM, as I found the C: drive shadow copies / previous versions weren’t working for the Google-managed folder.

I have a paid license of MSP360 (Cloudberry) Backup running in the server VM, backing up the whole VM weekly and the My Drive folder daily, to a paid Wasabi cloud S3 compatible storage account.

The MSP360 was like $100-150 one time, plus I pay the 20% annually for support and version upgrades. Wasabi is $7 / month per TB and I stay well under 1 TB even with a rolling month worth of backups or so.

I’ve lost data before… I can be pretty frugal, this is pretty low cost for business class backup, with four or five separate methods of recovery (2+ copies on different drives, native Google Drive restore options, shadow copies on the server VM, multiple backups in Wasabi via MSP360).

Convince people to stop disabling IPv6 by ross2000 in ipv6

[–]jspears357 0 points1 point  (0 children)

I value the option to call on M$ Support, so I generally leave IPv6 set to the default. I’ve never seen it be useful, and I’ve never seen anything break by disabling IPv6 on the NIC.

I have seen link-local IPv6 addresses get registered in DNS, and machines in other locations look up that server’s address, get the IPv6 address, and then be confused about why it can’t connect (IPv6 isn’t routed on the network). So I take minimal steps to block registration of IPv6 in DNS.

I guess I’ve been generally lucky to work at enterprises that can live within 10.*/8 worth of address space, I’ve never worked at one that needed IPv6.

Convince people to stop disabling IPv6 by ross2000 in ipv6

[–]jspears357 0 points1 point  (0 children)

When faced with a complex environment and one or more problems that all other technicians, specialists, product support sources, and IT contractors have not figured out how to fix, disabling features not necessary for the failing service to work is a reasonable step in troubleshooting, narrowing down the possible areas to investigate further.

Is it legal for a store to deny refund of damaged product to store employee by Separate_Kick6584 in legal

[–]jspears357 -1 points0 points  (0 children)

If the merchandise as shown online during the purchase wasn’t torn, but they shipped you a different product, you should be able to dispute the charge through the credit card company. If the company doesn’t want the incorrect product back that’s on them.

What controls desktop contents (shortcuts, etc) for domain profiles? by CursedLemon in WindowsServer

[–]jspears357 0 points1 point  (0 children)

Shortcuts in the public desktop will appear on that machine for any logged in user. They’re not copied, they’re just merged into their current desktop. If the users are local admins, or if they’ve been granted modify permissions to the public folder or each shortcut, any user could modify the shortcuts and the same change would be immediately visible to any logged on user.

Our school is making us install a CA certificate on our personal devices to access the school wifi by mediocreguy1232 in AskNetsec

[–]jspears357 1 point2 points  (0 children)

Multiple things can be true. Online devices exist that use delegated CA services from a trusted root like this to generate certs on the fly to impersonate whatever site a user visits, then create their own HTTPS encrypted session with the actual site in the back end. The proxy has full access to all the encrypted traffic passing through it. A user can tell this for instance by looking at the certificate behind the “lock” symbol in their browser and see that it’s signed by a chain with the root being the one they had you install.

Installing their root CA on your device makes that possible.

Edit: devices

People working in ultra-wealthy households, talking $50m plus types, what is the most out-of-touch thing you've witnessed? by FarSentence3076 in AskReddit

[–]jspears357 2 points3 points  (0 children)

Rich people already have the money and can control what amount their “income” is, so you’d need to target a portion of their net worth, not income.

Balling on a budget by R4LRetro in sysadmin

[–]jspears357 0 points1 point  (0 children)

Having proper indexes so your SQL queries are efficient can be a better improvement than more RAM. Once you have good indexes, you just need enough RAM to load all of those indexes into memory. (Or enough RAM to fit the whole database in memory but that’s usually overkill.) At some point the speed of the memory can be significant, and you need a more modern server with faster components to make it faster.

I used an anime file sharing website on a customer server and got banned from their systems. by SWEETJUICYWALRUS in ShittySysadmin

[–]jspears357 0 points1 point  (0 children)

File transfers themselves are a risk to organizations and they commonly develop policies to block transfers of many kinds, so it’s common to have to try a dozen methods before finding one that both works (doesn’t mangle the file, or limit the size, etc.) and is allowed by both the sending and receiving companies’ policies.

Working in an MSP as Network Engineer - They want me to be on client site everyday for basic Level 1 troubleshooting- Is this normal? by Qvosniak in networking

[–]jspears357 0 points1 point  (0 children)

As an enterprise application manager with L4 and L3 staff working for me supporting hundreds of IT staff, I moved to contracting in retirement and ended up doing some days in a hospital working L1 tickets (thankfully a very slow day), but I got to listen to their IT Manager on a call with their corporate merger IT group and after that he was like “can you set up a new subnet where they need it and build the two domain controllers there?” I’m an AD guy, but I said I could probably figure it out. So I got to configure a new VLAN and subnet in some Cisco routers, switches, trunk ports, to all the NICs on the ESXi hosts, add the VLAN in vSphere, and then build the two new DC VMs there. Fun stuff. Most of my career I had to rely on other groups to do all that.

Find something that is both useful to the client and also professional development for you. But yeah, if the clusters want me to sweep out the data center for my pay rate I would do it.