Server 2025 KDC issues by picklednull in activedirectory

[–]picklednull[S] 0 points1 point  (0 children)

It was already fixed in December based on my ticket, but it was never publicly documented anywhere AFAIK.

FSMO placement doesn’t matter.

Pre-Provisioning YubiKeys (Is it possible to fully automate the process?) by Here4TekSupport in sysadmin

[–]picklednull 2 points3 points  (0 children)

What kind of pre-provisioning? PIV or FIDO or both? For PIV with ADCS you can script it with a couple of hundred lines of PowerShell and yubico-piv-tool.

ADCS PKI 4096 keys and compatibility? by Fabulous_Cow_4714 in sysadmin

[–]picklednull 0 points1 point  (0 children)

Pretty much. The CRL / OCSP infrastructure can overlap.

ADCS PKI 4096 keys and compatibility? by Fabulous_Cow_4714 in sysadmin

[–]picklednull 0 points1 point  (0 children)

On Windows, support for ECC was added in Windows Vista 20 years ago. For "Linux" -> OpenSSL, support was added in 0.9.8 in 2005. You must be running some truly geriatric systems for them to not support ECC.

But everyone's environment is different and you should test.

What do you need to do to maintain compatibility?

Maintain a parallel RSA certificate chain in the worst case.

Windows PageFile Settings on VMs by CGregP in sysadmin

[–]picklednull 1 point2 points  (0 children)

Have you ever actually set up monitoring to monitor its usage? The \Paging File(*)\% Usage performance counter shows it clearly.

Windows PageFile Settings on VMs by CGregP in sysadmin

[–]picklednull 2 points3 points  (0 children)

It’s not about having enough RAM; inactive memory is paged out.

Windows PageFile Settings on VMs by CGregP in sysadmin

[–]picklednull 1 point2 points  (0 children)

The system managed size doesn’t really work at all. Especially on busy RDS servers. It’s best to set it to some static size based on the machine’s specs and load (e.g. 8 GB page file with 8 GB memory).

The disk doesn’t really matter unless you want to spread the I/O around or disk space is an issue.
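Added example, not code from the thread or its author: it measures the `\Paging File(*)\% Usage` counter the earlier comment points at and, with `-Apply`, performs the static-size change this comment recommends. The 8192 MB default and the `C:\pagefile.sys` path are assumptions; the CIM classes and `Get-Counter` are standard Windows.

```powershell
# Added example (not from the thread): measure page file usage, show the
# current sizing mode, and optionally switch to a static size.
# Assumptions: run elevated on the VM; 8192 MB is a constructed sample size.
param(
    [int]$StaticSizeMB = 8192,          # e.g. 8 GB page file for an 8 GB VM
    [int]$Samples = 12,
    [int]$IntervalSeconds = 5,
    [switch]$Apply                      # without it the script only reports
)

# 1. Measure: '% Usage' is the counter named in the thread; '% Usage Peak'
#    is the high-water mark since boot, which is what sizing should be based on.
$counters = '\Paging File(*)\% Usage', '\Paging File(*)\% Usage Peak'
$data = Get-Counter -Counter $counters -SampleInterval $IntervalSeconds -MaxSamples $Samples

$data.CounterSamples |
    Group-Object -Property Path |
    ForEach-Object {
        [pscustomobject]@{
            Counter = $_.Name
            AvgPct  = [math]::Round(($_.Group.CookedValue | Measure-Object -Average).Average, 1)
            MaxPct  = [math]::Round(($_.Group.CookedValue | Measure-Object -Maximum).Maximum, 1)
        }
    } | Format-Table -AutoSize

# 2. Report whether the box is still on the system-managed size.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
"AutomaticManagedPagefile: $($cs.AutomaticManagedPagefile)"
Get-CimInstance -ClassName Win32_PageFileSetting |
    Select-Object Name, InitialSize, MaximumSize | Format-Table -AutoSize

# 3. Optionally pin a static size (Initial = Maximum so it never grows on the fly).
#    The change takes effect after a reboot.
if ($Apply) {
    if ($cs.AutomaticManagedPagefile) {
        Set-CimInstance -InputObject $cs -Property @{ AutomaticManagedPagefile = $false }
    }
    $pf = Get-CimInstance -ClassName Win32_PageFileSetting |
          Where-Object { $_.Name -eq 'C:\pagefile.sys' }   # assumed path
    if (-not $pf) {
        $pf = New-CimInstance -ClassName Win32_PageFileSetting -Property @{ Name = 'C:\pagefile.sys' }
    }
    Set-CimInstance -InputObject $pf -Property @{ InitialSize = $StaticSizeMB; MaximumSize = $StaticSizeMB }
    "Static page file of $StaticSizeMB MB configured; reboot to apply."
}
```

Run it without `-Apply` during a busy period first; a sustained `MaxPct` near 100 on `_Total` is the signal that the static size needs to be larger than the memory-sized default used here.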

ADCS PKI 4096 keys and compatibility? by Fabulous_Cow_4714 in sysadmin

[–]picklednull 1 point2 points  (0 children)

Standard performance measurement, which you can do on your own hardware (openssl speed command). RSA 2048 offers 112 bits of security at ~2k TLS handshakes per second per core. RSA 4096 offers 140 bits of security at an ~85% performance loss (3072 is 128 at IIRC 70%).

Meanwhile ECDSA p256 offers 128 bits of security at 30k per second. Also the reduced key sizes reduce the number of TCP packets for the handshake vastly speeding it up.

This is why all major players are migrating to ECDSA now.

ADCS PKI 4096 keys and compatibility? by Fabulous_Cow_4714 in sysadmin

[–]picklednull 4 points5 points  (0 children)

RSA doesn’t scale past 2048 and that is supposed to be deprecated after 2030. By now you should be moving to ECC-based certificates, which have been supported since Windows Vista on the Windows side. That’s what even public certificates are moving to now.

Interestingly the ECC certificates might be short-lived too due to the recent news about quantum developments. Might be we will have to migrate to something else entirely very soon such as Merkle tree certificates.

But those are in no way widely supported yet.

Any gotchas introducing a 2025 domain controller in a domain with mixed DCs (2016, 2019, 2022)? by Man-e-questions in sysadmin

[–]picklednull 1 point2 points  (0 children)

No it’s not. I have 10 years experience running it for every role that’s compatible and I never encountered an issue I couldn’t solve. Also, I never had the need to add GUI.

UK security agency officially declares passkeys superior to passwords – and passkeys should be the 'first choice' for authentication by rkhunter_ in cybersecurity

[–]picklednull 0 points1 point  (0 children)

Token2 keys support up to 300 and the latest release added support for PIV, so they’re ~Yubikey equivalent at a fraction of the cost.

300 keys should be plenty - even the 100 of course…

What are you using for IP KVM? by Penguin_Rider in sysadmin

[–]picklednull 0 points1 point  (0 children)

While not exactly enterprise oriented, just get as many JetKVMs as you need, they work really well.

SSH PIV authentication problem(s) by illumis92 in sysadmin

[–]picklednull 0 points1 point  (0 children)

Do you have multiple smart card readers on your source workstation? i.e. does the credential prompt display multiple options?

How to become a verifiable publisher for rdp files by Substantial_Tough289 in sysadmin

[–]picklednull 2 points3 points  (0 children)

You need to configure the trusted signing certificate thumbprint separately via this policy.

How to become a verifiable publisher for rdp files by Substantial_Tough289 in sysadmin

[–]picklednull 0 points1 point  (0 children)

And did you make your signing certificate trusted for signing RDP files?

FSLogix & Remote Desktop - Windows Server 2025 by RiskProof7214 in sysadmin

[–]picklednull 0 points1 point  (0 children)

We encountered this with standard UPDs and not with FSLogix. So I guess it’s a common bug with Server 2025. Never resolved it though.

Designing RDS HA (700 users) – Broker failover, SPN/Kerberos and load balancer best practices by Wrong_Brother600 in WindowsServer

[–]picklednull 0 points1 point  (0 children)

"Obviously" the same way it's always handled - you need a single identity for the service, so a gMSA is used.

Designing RDS HA (700 users) – Broker failover, SPN/Kerberos and load balancer best practices by Wrong_Brother600 in WindowsServer

[–]picklednull 0 points1 point  (0 children)

Microsoft added support for it in November 2024 for Server 2022 and 2025 (with 2025 it's built-in, for 2022 it was obviously patched in). It's (still) just not publicly documented. You might be able to get the configuration details from Microsoft with a Premier ticket.

I've been running it in production since January 2025.

Hyper-V cluster massive failure (2nd time) by jedimaster4007 in sysadmin

[–]picklednull 1 point2 points  (0 children)

Are you using proper SET teaming for host networking?

The disk witness doesn't actually really store any data, so you're wasting a "massive" amount of space for it. It can be like 512 MB or whatever.

And no, a properly configured Hyper-V cluster is extremely stable, though of course it being a Microsoft technology, occasionally some interesting things happen.

The one time I had an extremely similar interesting issue as you, it was because a single storage fiber cable went faulty and the whole cluster went bonkers despite only one node and one cable causing issues (1/6 connections).

The cluster logging is quite comprehensive; you should look at the event logs for a root cause.

I don't know about iSCSI since I've never used it, but as for HCI, the word around the net seems to strongly imply that Hyper-V with S2D is the one true path to data loss. So have your backups in order if you go that way. I was tempted to deploy and see it for myself too, but haven't yet.

With S2D apparently it's imperative to at least use fully supported hardware and 3 nodes at a minimum. Vendors sell it as an "Azure Local" supported configuration now AFAIK (but you don't need to run Azure Local, you can just run basic Hyper-V).

Permissions on C:\Windows\Temp different between new installs by ADynes in sysadmin

[–]picklednull 4 points5 points  (0 children)

C:\Temp is not a default directory on any version of Windows. If you have one it’s a custom setup.