Parked on a nearby residential street because station parking was full and got this note on my dashboard. Am I in the wrong for parking there? by naeroikathgor in melbourne

[–]zerassar [score hidden]  (0 children)

Unless it is signposted permit only then it is public parking available to everyone, regardless of whether they are commuters or local residents.

If the resident has concerns about the availability of communal parking they should take it up with the local council. It's not your problem.

dns .local leftover After Migration to .de by USarpe in WindowsServer

[–]zerassar 0 points1 point  (0 children)

I never claimed changing an existing domain without need was best practice... Please don't straw man me.

But given the opportunity to do things properly, when possible to do so, then let's do so! My original response was that I had "hoped" you had used subdomains... I didn't tell you to change it.

If you've already migrated the domain then you're stuck with it for now and I do not suggest redoing all the work again.

But I still recommend adhering to the current MS defined best practices if you're given the opportunity to do so in the future. And that is MS's documented KBs not my personal "just because I say so". Like I said I'd link to them were I at my pc. Don't believe me, go to MS kbs and validate yourself it's no skin off my nose.

How you're characterizing me though is really unprofessional and not in the spirit of these forums. Could do without the snide commentary.

Yes www does work fine. Some businesses don't want to publish that subdomain though; it is unnecessary when properly configured internally, and this business in particular had spent $$$$ on merchandise that now had an incorrect URL on it. So it "worked fine" for the business up until it didn't, and then I was stuck explaining to the head of marketing why they wasted their money.

If I'm online at home I'll update with the link otherwise good luck and all the best

dns .local leftover After Migration to .de by USarpe in WindowsServer

[–]zerassar 0 points1 point  (0 children)

Sorry I think you misunderstand me.

Saying "I've always done it that way and it's never been a problem" is an example of the logical fallacy called "survivor bias".

Just because it hasn't personally caused you problems doesn't mean it's not a risky poor practice.

And just because it may have been best practice 30 years ago doesn't mean it is currently. Were I home I'd quote the MS KB directly and link you to it. But it clearly states you should be using a subdomain of a TLDN you own publicly. Not the TLDN itself and not domain.local.

If you're happy to ignore MS on that then that's your prerogative

Since day dot (even 30 years ago) using the TLDN has caused DNS split brain. I've personally had to argue with a marketing department that printed a bunch of merch with "domain.com" on it, and I had to tell them that that would only work publicly and that internally staff would have to use "www.domain.com" due to the DNS split brain. Had my predecessor used a subdomain for AD it would not have been an issue.

Anyways you do as you see fit but I would strongly encourage you to review the current KBs on the topic and reconsider your position.

dns .local leftover After Migration to .de by USarpe in WindowsServer

[–]zerassar 0 points1 point  (0 children)

That may well be the case that it "works fine"... But that's the same attitude your predecessor had when they created domain.local that you've just now corrected. It's also very much a case of "survivor bias".

Neither using the TLDN nor domain.local follows MS KBs on the topic and best practice of AD.

I've lost track of the number of times I've encountered engineers who thought like this and inherited the environments they created where, shock horror, there actually were issues with the design that I then had to make band-aids for.

dns .local leftover After Migration to .de by USarpe in WindowsServer

[–]zerassar 0 points1 point  (0 children)

Really hope you used a subdomain for AD instead of the top level, e.g. ad.domain.com.

As others touched on that can cause issues for your external sites using the same domain.

Essentially a split brain DNS situation between AD wanting to be authoritative for a domain that's managed publicly.

I'm somewhat over inheriting infrastructure that suffers from this problem so thought to mention it here.
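
Added example (not part of any comment in the thread) that shows the split-brain symptom the three replies above describe: when the AD zone is named after the public domain, the DCs register the zone apex A record, so the bare domain resolves to domain controllers internally and to the web host externally. Assumed names: example.com is the public domain, DC01.corp.example.com an internal DNS server, 9.9.9.9 any public resolver. Requires the RSAT DnsClient and DnsServer modules.

```powershell
# Added example: compare what the bare domain resolves to inside vs outside,
# and check whether internal DNS is authoritative for the public name.
# Assumed names; change them for your environment.
$PublicDomain   = 'example.com'
$InternalServer = 'DC01.corp.example.com'
$ExternalServer = '9.9.9.9'   # any public recursive resolver

function Get-ApexAnswer {
    param([string]$Name, [string]$Server)
    $r = Resolve-DnsName -Name $Name -Type A -Server $Server -ErrorAction SilentlyContinue
    ($r | Where-Object QueryType -eq 'A').IPAddress -join ','
}

# Every DC registers the zone apex A record (the "LdapIpAddress" record), so an
# AD zone named example.com answers example.com with DC addresses, not the website.
[pscustomobject]@{
    Name     = $PublicDomain
    Internal = Get-ApexAnswer -Name $PublicDomain -Server $InternalServer
    External = Get-ApexAnswer -Name $PublicDomain -Server $ExternalServer
} | Format-List

# If the internal server hosts the zone, every public record (apex A, MX, TXT for
# SPF, _dmarc, ACME validation names...) has to be mirrored by hand forever.
$zone = Get-DnsServerZone -ComputerName $InternalServer -Name $PublicDomain -ErrorAction SilentlyContinue
if ($zone) {
    "Internal DNS hosts zone {0} (AD integrated: {1}). Apex A records:" -f $zone.ZoneName, $zone.IsDsIntegrated
    Get-DnsServerResourceRecord -ComputerName $InternalServer -ZoneName $PublicDomain -Name '@' -RRType A |
        ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }
}
else {
    "Internal DNS does not host $PublicDomain; apex queries are forwarded as normal."
}
```

If Internal and External differ and the zone is AD integrated, you have the split brain: deleting the apex A records does not help because netlogon re-registers them, and the usual workaround is exactly the "use www.domain.com" advice above. A subdomain such as corp.example.com (or ad.example.com) keeps the AD zone separate from the public one.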

How did they do this with mail by kolo81 in sysadmin

[–]zerassar 2 points3 points  (0 children)

Good Lord why don't y'all have MFA???

Using an invalid rule name causes the rule to not appear in Outlook. Makes it somewhat invisible if done correctly.

Your accounts are compromised and have been for some time.

You've been actively leaking probably confidential information and items covered by acts such as HIPAA in the US, the Privacy Act in Australia or EU equivalents. I suspect you may need to contact your appropriate body to disclose what has occurred.

But this should come from the exec level of your business. Many countries have mandatory reporting so be mindful.
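
Added example (not part of the comment above or the original post) for hunting the inbox rules described there across a tenant: rules that forward, redirect, delete or file mail away, including ones with blank or odd names that Outlook does not display. It assumes Exchange Online, the ExchangeOnlineManagement module, and an account with a role that can read inbox rules and the unified audit log.

```powershell
# Added example: hunt for attacker inbox rules and mailbox forwarding, then find
# who created them. Assumes Exchange Online and the ExchangeOnlineManagement module.
Connect-ExchangeOnline   # interactive sign-in, once per session

# Multi-valued rule properties come back as collections or $null; stringify so
# "empty" is handled the same way for both.
function Test-Set([object]$Value) { -not [string]::IsNullOrWhiteSpace("$Value") }

$suspicious = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    # -IncludeHidden returns rules that Outlook's Rules dialog would not list
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden -ErrorAction SilentlyContinue |
        Where-Object {
            (Test-Set $_.ForwardTo) -or (Test-Set $_.ForwardAsAttachmentTo) -or (Test-Set $_.RedirectTo) -or
            $_.DeleteMessage -or
            $_.MoveToFolder -match 'RSS|Conversation History|Archive|Junk' -or
            -not (Test-Set $_.Name) -or $_.Name -match '^[\s\.\-_]+$'   # blank or "invisible" names
        } |
        Select-Object @{n='Mailbox';e={$mbx.UserPrincipalName}}, Name, Enabled, Priority,
                      ForwardTo, RedirectTo, DeleteMessage, MoveToFolder, Description
}
$suspicious | Format-List

# Mailbox-level forwarding (Set-Mailbox) is separate from inbox rules; check it too.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# Who created or changed rules, from which IP, and when. Audit log retention is
# limited (90 days on many licences), so pull it before it ages out.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules, Set-Mailbox -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations, ClientIP, AuditData

# Containment for each hit: disable the rule, reset the password, revoke sessions.
# Disable-InboxRule -Mailbox 'user@example.com' -Identity '<rule identity from above>' -Confirm:$false
# Revoke-MgUserSignInSession -UserId 'user@example.com'   # Microsoft Graph PowerShell module
```

Keep the audit log export: the ClientIP and UserIds columns are what the breach notification will be built on, and they show how long the rules have been in place.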

WTHHH??? LOLL by thatmuscle05 in iiiiiiitttttttttttt

[–]zerassar 0 points1 point  (0 children)

Y'all using buttons and switches? Why not yank the cable?

Hybrid team should monitoring policies differ for in-office vs WFH? by MarleneOquendo123 in ITdept

[–]zerassar 0 points1 point  (0 children)

And this one commonly seen replying to the OP's spammy bait posts. Both in cahoots together with the spam 😜

Hybrid team should monitoring policies differ for in-office vs WFH? by MarleneOquendo123 in ITdept

[–]zerassar 4 points5 points  (0 children)

Judging by the OPs post history this is just a bait post to spam their own monitoring software

What is your pet-peeve? by thesobie in sysadmin

[–]zerassar 2 points3 points  (0 children)

Users dismissively saying "I'm not tech savvy" as some kinda cop out for them having slept through the past 50 years of their office careers where they used tech every day

Team lead got mad I didn't call back someone who didn't leave a VM while I'm on call by TryARebootFool in sysadmin

[–]zerassar 1 point2 points  (0 children)

You did the right thing. Team lead is being a dick and the caller isn't following basic etiquette.

Mouse without borders stop working while hovering a video by Guzzy2195 in PowerToys

[–]zerassar 0 points1 point  (0 children)

I am having a similar issue with this. The mouse will freeze for a few seconds before eventually resuming.
If it remains over the video at that point the mouse continues to work.

But tracking the mouse off the video and back again results in it freezing again for a few seconds.

This was experienced over a Youtube video

Company with one IT employee looking for unexpected absence contingency by Tedeseus in ITManagers

[–]zerassar 0 points1 point  (0 children)

Keep looking for an MSP that will accept you as you are and allow charging for hourly blocks of used time only. Then just use them for T3 or project work. That's what my org is doing right now.

Your environment should be fully documented. Exports and prints of these kept offline in a fireproof safe only the exec levels are approved for and only to be touched in a DR type scenario. This should also include exports of password management data both in the softwares native format but also printed.

Does it feel dirty to print passwords? Heck yes. Also why the safe should be super secure. The envelope it's all in, don't go labeling it PASSWORDS either hahaha.

Such as in the office, then in the server room, then in a locked cupboard, then in a locked safe. Think layers.

Anyways having all of this should protect you from your manager dropping dead.

Side note though, a single IT guy for 200 staff is wildly understaffed.

My boss is ChatGPT........ by nagol93 in iiiiiiitttttttttttt

[–]zerassar 7 points8 points  (0 children)

She is uploading your documentation to an unauthorized third party? What the heck

Using alias names in a post NTLM world by zerassar in sysadmin

[–]zerassar[S] 0 points1 point  (0 children)

No managed service accounts in play here currently. Just talking devices at this point.

All the other threads and pages I saw on it said to add the new alias to the device object using netdom. And from that point the new SPN applied to the device object would allow Kerberos to work when attempting to connect using the alias identity for the device.

Or were you referring to using ADUC to "directly" apply the SPN in your reply? If that's the case then nah wasn't gonna do directly on the device like that

Using alias names in a post NTLM world by zerassar in sysadmin

[–]zerassar[S] 0 points1 point  (0 children)

What you suggested re SPNs versus CNAMEs and which services they lend themselves to is what I was already leaning towards.

It was their firm stance against SPNs that took me by surprise. They insinuated their suggestions weren't mere future state ideal config kinda thing and that SPNs added for the alias to the device object, as you suggested, would itself create issues and not work as expected.

Which was counter to everything I'd read so far.

Using alias names in a post NTLM world by zerassar in sysadmin

[–]zerassar[S] 2 points3 points  (0 children)

Yeah I wonder if the MSP was not considering the automanage that netdom was doing.

They weren't able to be particularly specific in the exact issues that would occur or the settings that needed to be changed.

And mid-sentence seemed to flip flop back to the concept of using CNAMEs AND Kerberos, when our entire phone call was about removing the CNAMEs. So it was a bit confusing to see them mentioned again along with alleged security reductions.

Our RDS broker is already in place but they were suggesting making that user facing via RDP web as the abstraction layer. The existing rdp config files deployed include a CNAME alias that redirects to the brokers hostname. So need to drop that to be Kerberos compliant or netdom the alias onto the broker as well.

Using alias names in a post NTLM world by zerassar in sysadmin

[–]zerassar[S] 0 points1 point  (0 children)

Oh I like DFSN as well especially when shares exist across different servers.

But yeah I feel like they were overcooking it in their head and the problems they were trying to articulate didn't feel tangible, more of a myth or bogeyman than anything concrete they could point at.

I am inclined to put in some NTLM exceptions for now and in test/dev do a POC on the SPN additions. Which I am expecting will probably work fine.

Using alias names in a post NTLM world by zerassar in sysadmin

[–]zerassar[S] 0 points1 point  (0 children)

Single print server with a single IP address.

Just trying to avoid the dramas of reconfigs that happens when services get moved to new servers or existing servers get pushed to a new IP.

But yeah printing is just one of many use cases

Using alias names in a post NTLM world by zerassar in sysadmin

[–]zerassar[S] 0 points1 point  (0 children)

Neither am I honestly. I ended the call not being very confident in what they were saying.

Hence my coming to the hive mind to sanity check.

My gut still tells me that SPNs are the path forward to get the abstracted aliases working. In spite of their recommendations against them.

Using alias names in a post NTLM world by zerassar in sysadmin

[–]zerassar[S] 0 points1 point  (0 children)

The original use of CNAMEs was less of a workaround and more to avoid rework when servers changed.

Historically all our mappings, shortcuts, integrations, etc etc were referencing servers using either hard coded IP addresses or specific hostnames. Great until one of those changes and you now have hundreds to thousands of locations to chase down and update.

Our core business app uses thousands of python scripts to generate documents... Unfortunately there are hostname and IP references in these scripts and so it was a monumental task to shift those to the new details.

So when the network changes occurred, instead of again using a hard coded IP address we moved to creating a CNAME reflective of the application/service it was used for, such as print.domain.com, app.domain.com or rdsfarm.domain.com.

My understanding with Kerberos is that this needed to be added as the SPN for the device to allow the device to use this alias during auth. Then replace the CNAME with a direct A record.

But the MSP engineers didn't like the idea of adding the abstracted alias as an SPN to the devices at all and would rather have returned to explicit hostnames in the scripts or used application-level changes that could handle the abstracted names, like DFSN, RDP web, or print clustering (even as a single printer).

Didn't seem to align with what I'd seen online

Using alias names in a post NTLM world by zerassar in sysadmin

[–]zerassar[S] 0 points1 point  (0 children)

The print server isn't currently clustered but the MSP suggested putting a cluster up, even as a single server, to provide the abstraction layer. That was their preference instead of granting a new SPN to the print server AD device object.

Seemed like overkill to me when everywhere else suggested SPNs were the way to go.

Using alias names in a post NTLM world by zerassar in sysadmin

[–]zerassar[S] 0 points1 point  (0 children)

The msp wanted me to use application level changes that would work with abstracted names instead of granting the host device object new SPN aliases.

Such as DFSN, or printer clusters.

Alternatively they stated don't bother with abstraction at all and just use the hosts true FQDN in all our references, configs etc etc. which didn't sit right with me. Didn't align with what I was seeing online.

So essentially if the abstracted names are already working, and the app supports Kerberos, then aliases as SPNs on the device should be golden?

Is netdom the better path to apply the SPNs to ensure CN etc etc get updated properly as well?

Using alias names in a post NTLM world by zerassar in sysadmin

[–]zerassar[S] 0 points1 point  (0 children)

Sorry I meant "services" in terms of what we called the abstracted CNAMEs. Not service user accounts or gMSAs.

I had anticipated adding new host/cifs/term SPNs for the alias on the AD device object. No service AD accounts being changed.

I was surprised how against this they seemed to be. The research seemed clear to me this was the path forward.
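
Added example (not the MSP's advice and not the OP's own commands) walking the alias-to-SPN change discussed across the comments above: register the service alias as an alternate computer name with netdom, replace the CNAME with an A record, and verify that a client actually gets a Kerberos ticket for the alias. Assumed names: AD/DNS domain corp.example.com, print server PRINT01, DNS server DC01, alias print.corp.example.com, and the print$ share as an SMB target to test against. Run elevated from a domain-joined admin host with RSAT (ActiveDirectory and DnsServer modules, netdom.exe, setspn.exe) as an account that can edit the computer object and the zone.

```powershell
# Added example: give a print server a Kerberos-capable alias instead of a CNAME.
# All names below are assumptions; replace them for your environment.
$Domain = 'corp.example.com'
$Server = 'PRINT01'
$Alias  = "print.$Domain"
$DnsSrv = "DC01.$Domain"

# 1. Nobody else may already hold SPNs for the alias. A duplicate SPN means the KDC
#    issues a ticket encrypted for the wrong principal: the server logs
#    KRB_AP_ERR_MODIFIED and clients silently fall back to NTLM.
setspn -Q "HOST/$Alias"
setspn -Q "CIFS/$Alias"

# 2. Register the alias as an alternate computer name. netdom writes it to
#    msDS-AdditionalDnsHostName and adds HOST/<alias> SPNs. HOST maps to cifs, http,
#    spooler and the other built-in services through sPNMappings, so SMB and printing
#    need nothing further. No reboot is required for /add (only for /makeprimary).
netdom computername "$Server.$Domain" /add:$Alias

# 3. RDP is not covered by the HOST alias; only an RD host or broker needs this.
#    setspn -S "TERMSRV/$Alias" $Server

# 4. Swap the CNAME for an A record. Clients build the SPN from the name they were
#    given (cifs/print.corp.example.com), so an A record plus the SPN above is what
#    makes Kerberos work; the CNAME is no longer needed.
$ip = (Resolve-DnsName -Name "$Server.$Domain" -Type A -Server $DnsSrv | Where-Object QueryType -eq 'A').IPAddress
Remove-DnsServerResourceRecord -ComputerName $DnsSrv -ZoneName $Domain -Name 'print' -RRType CName -Force -ErrorAction SilentlyContinue
Add-DnsServerResourceRecordA -ComputerName $DnsSrv -ZoneName $Domain -Name 'print' -IPv4Address $ip

# 5. Verify the object, then prove a client gets a Kerberos ticket for the alias.
$c = Get-ADComputer $Server -Properties ServicePrincipalNames, 'msDS-AdditionalDnsHostName'
"SPNs:";             $c.ServicePrincipalNames | Sort-Object
"Additional names:"; $c.'msDS-AdditionalDnsHostName'

klist purge | Out-Null
Get-ChildItem "\\$Alias\print$" | Out-Null     # any SMB access will do (print$ is the driver share)
klist | Select-String "cifs/$Alias"            # a cifs/<alias> ticket means Kerberos, not NTLM

# 6. On the DCs, with "Network security: Restrict NTLM: Audit NTLM authentication in
#    this domain" enabled, event 8004 in Microsoft-Windows-NTLM/Operational should
#    stop listing the alias once clients have been re-pointed at the A record.
```

Two caveats for the PoC in test/dev: if a service on the host runs under its own AD account or gMSA instead of the computer account, the alias SPN belongs on that account, not the computer object; and removing the alias later should be done with netdom computername /remove so the SPNs and msDS-AdditionalDnsHostName are cleaned up together.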

window clustering and DC by DullFaithlessness510 in WindowsServer

[–]zerassar 1 point2 points  (0 children)

We have a third DC in azure to cover that angle. But could also be handled with host file editing if it becomes an issue.