<jessec> well, I've read more Dynamics NAV documentation than I ever wanted to and it resulted in solving nothing, woohoo
<jessec> gotta give it to MS though, they removed themselves from the equation on NAV sales, you can't call them
<jessec> if you buy it, you're tied permanently to contractors who pay Microsoft
<viscera> Can I use a Managed Service Account in DHCP's "DNS dynamic update registration credentials"?
<A-KO> Not sure, try it :P
<viscera> A-KO: well, the dialog asks for a password so I don't see how through the front end, and I don't see a relevant cmdlet
<TariusWork> Hi people, how can I enable a custom user shell on Windows 2012 R2?
<Rasputin3711> https://msdn.microsoft.com/en-us/library/ms838576(v=winembedded.5).aspx
<TariusWork> I added a value to the registry under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (key: Shell) but it does not work!
<TariusWork> Rasputin3711, I have set the first key to "USR:Software\Microsoft\Windows NT\CurrentVersion\Winlogon" and the 3rd key to "C:\Windows\System\cmd.exe /C 'C:\shell-user.bat'" but it is not working, and the shell-user.bat file exists
<Rasputin3711> Use double quotes instead of single
<TariusWork> ok, I replaced them but the shell is not starting .. I checked the permissions of the file and it's accessible to the user
<TariusWork> C:\Windows\System\cmd.exe /C "C:\shell-user.bat"
<TariusWork> lol .. System32, not System.. My mistake.
<Windy> Get-PublicFolder -Identity is supposed to work with a GUID but when I run it I get an error that it's in an incorrect format
<kuahara> ok, what happened to #windows-server ?
<kuahara> nested subnets are stupid
<kuahara> just fyi
<Windy> nested subnets?
<BobFrankly> it's what subnets do after they lay their eggs
<Zew> Morningg
<BobFrankly> sadly you're correct zew
<Oliber> BobFrankly: they sprout wings and missile launchers and take over the world
<BobFrankly> Oliber: not missile launchers, bombers. They drop ordnance packages on cars that make you wannacry
<Oliber> i don't know what drugs were put in your tea this morning, but they are missile launchers, sir.
<BobFrankly> as a bird owner myself, I'm quite familiar with the accuracy of their bombers. It is merely the speed with which they deploy these that causes this confusion over whether they are missiles or bombs. =)
<bewbs> does server 2012 have nic tiers where traffic will go over one nic if it's up, otherwise over the secondary?
<BobFrankly> bewbs: I know R2 has nic teaming
<BobFrankly> but fair warning, MS Support likes to tell you to turn that off if you call them
<bewbs> i've used nic teaming, this isn't that though
<bewbs> i have a 10g connection to one switch, i want to have a backup 1gb connection to another
<BobFrankly> and to prioritize the 10g
<bewbs> you can't team two nics of different speeds iirc
<bewbs> right
<bewbs> last night the 10gb switch went down and everything went down
<bewbs> i have two switches in a stack that act as one
<bewbs> the 10gb switch lost the uplink connection though to the main switch in the stack and rebooted itself to try and fix the issue
<bewbs> unsuccessfully
<BobFrankly> nic teaming is an LBFO arrangement, load balancing & fail over, but I haven't looked at it teaming different speed connections
<bewbs> if you team different speed nics it will default to the lower nic's speed
<bewbs> which would defeat the purpose of having 10gb
<bewbs> i suppose i can just plug 2 in and see what happens
<bewbs> to one of the non-important servers
<BobFrankly> bewbs: https://technet.microsoft.com/en-us/library/hh831648(v=ws.11).aspx?f=255&MSPPError=-2147217396
<dopiwan> I have an iSCSI SAN I'm testing and when I write data to a volume on it Windows shows transfer speeds from 500 MB/s - 1 GB/s then tapers off to about 150 MB/s .... is Windows lying to me with these speeds?
<BobFrankly> may or may not be helpful, haven't looked at the docs there
<BobFrankly> dopiwan: depends, are you copying big fat files, or tons of itty bitty ones?
<dopiwan> BobFrankly: Big fat files... but only 2x 1GB nics
<dopiwan> in MPIO
<bewbs> dopiwan it's not
<dopiwan> last test copy got to 90% and seems to be stalled now...
<bewbs> you're using your controller's cache first, getting 500+ MB/sec
<bewbs> when the cache fills up, then it goes down to its real speed
<dopiwan> Ahhhhhh thank you
<BobFrankly> dopiwan: if speed testing, try using robocopy with the MT option
<bewbs> that's why you want to do a disk speed test with 8gb or so vs a 1gb file transfer
<bewbs> in the olden days you could monitor the server's ram usage
<dopiwan> Thanks, I'll do some robocopies next
<bewbs> you could watch it go up to 100%, then the speed would die
<BobFrankly> bewbs: according to the MS document, they've got active/standby nic teaming, where it doesn't use whichever nic is designated the standby nic until the primary fails
<dopiwan> weird... reading back from the SAN now, a 90 GB file is only downloading at 30MB/s
<BobFrankly> bewbs: I'm looking at the R2 guide on that, check section 3.9 paragraph 3
<BobFrankly> it says you can team different speed nics if you're doing failover
<bewbs> link?
<bewbs> i have 2012, not r2
<BobFrankly> umm, look up?
<BobFrankly> already linked you
<bewbs> oh i missed that one
<kuahara> "nested subnets" was just the best way I know how to describe it.
<BobFrankly> 3.9 looks the same in the non-R2 section
<bewbs> that's interesting
<kuahara> When someone brings a router to work to create a new network inside an existing network.
<bewbs> i need to find where i can specify what kind of team it is
<bewbs> i haven't seen that opention
<kuahara> double nat, etc...
<bewbs> *option
<BobFrankly> bewbs: that document should cover that
<kuahara> it's all kinds of dumb
<BobFrankly> bewbs: but I thought I knew what I was talking about there :P
<bewbs> thanks, reading
<BobFrankly> kuahara: so they natted to their own 192.168.1.1?
<bewbs> i'd read in multiple places you couldn't do what i wanted, but that document contradicts it
<bewbs> i'll isolate one of the servers and test it out
<bewbs> feedback loop brings whole network down...
<bewbs> oops
<BobFrankly> bewbs: never underestimate the power of ignorant people in large numbers, amirite?
<bewbs> yup
<bewbs> it was on MS boards too
<bewbs> of course
<BobFrankly> lol
<kuahara> BobFrankly Say someone sets up a network 10.1.1.0/24 on R1 in a courthouse somewhere. Years later a new office is born and they want to be on their own network, but the existing infrastructure doesn't allow for it. So they bring a router (R2) to work, connect it to the existing network.
<kuahara> The wan interface on R2 is given 10.1.1.99 or whatever and 192.168.1.1 is created for the new office
<kuahara> 192.168.1.0/24 is nested in 10.1.1.0/24
<kuahara> I feel like I'm abusing the terminology, but it looks like that's correct
<kuahara> my argument is: That's a bad way to do things.
<bewbs> i always abuse terminology
<BobFrankly> kuahara, yeah, it's what everyone does in their own home, so they try to bring it to work
<BobFrankly> https://en.wikipedia.org/wiki/Network_address_translation
<kuahara> yea, double nat among other problems
<BobFrankly> if implemented by end users, I typically roll my eyes as I disconnect them. If implemented by IT, I usually disconnect the equipment and throw it at the ignorant tech
<kuahara> in customer2139439242's case, their network appears to be up and running but they can't get out to the internet. The edge router is down.
<xnomar> i've done that, listed the IP as dmz on the first router, but you still can only forward ports not in use
<kuahara> xnomar, what's worse is when some idiot introduces a 2nd router within the same network (both offices are on 10.1.1.0) and now there's a rogue dhcp server in play
<xnomar> yep, that's not a good situation
<kuahara> luck of the draw on which one you get your IP from. half the computers work fine, the other half got an IP from a device that can't get out onto the internet, so they're all offline.
<kuahara> When I first took this job, the guy they fired before hiring me did exactly that every time he needed a new wireless AP. Would plug in some store-bought wireless router and leave DHCP connected.
<kuahara> The users described the nightmare to me when I got here.
<xnomar> apple routers can't disable dhcp and i see those crappy things being the network issue so many times
<kuahara> leave dhcp running**
<kuahara> well, with reasonable port security, it's a non-issue anyway
<bewbs> people try to take 192.168.x to work?
<bewbs> i took 10.0.x home
<kuahara> I wouldn't allow a device to be connected to this network if dhcp couldn't be turned off
<kuahara> bewbs, I don't think the default subnet IP matters, you can change it on just about anything
<Zew> Seriously, what the heck Powershell...
<Zew> https://social.technet.microsoft.com/Forums/windowsserver/en-US/ff25b75d-b6c2-4d2b-a87d-5348cfe8f0de/parameter-prompt-on-foreachobject-in-pipeline?forum=winserverpowershell
<A-KO> One could solve that simply by not using the pipeline in scripts (I tend not to)
<indus3al> good afternoon, fellas
<Zew> just odd I had to break my usual structured code to make it work
<Zew> I like my squigglys to be below my function or code
<A-KO> It just has to do with how you're using the pipeline. You could not do it that way and it'll work as you expect.
<A-KO> But since you're piping stuff together, that's why.
<indus3al> piping?
<A-KO> like I said, I try hard not to use the pipeline in scripts. Although I don't think there's an argument on code style either way
<indus3al> ah, scripts, yeah
<indus3al> but why not happily pipe around?
<CptLuxx> it's not vbs indus3al
<indus3al> damn
<Zew> Piping has its pros n cons like anything else
<A-KO> Some people use a lot of .NET syntax, for example. So lots of their powershell may as well just be written in C#.
<Zew> That's what I like about powershell
<indus3al> powershell is nothing more than .net for the command line ^^
<Zew> and more
<Zew> it has heavy usage of .net
<BobFrankly> the pipeline trades a little speed for being able to one-line things
<BobFrankly> if you're doing a heavily repeated task, changing a multi-piped line to be multiple lines of $var = get-aduser $user ; $newvar = get-primarygroup $user; etc....
<BobFrankly> can result in a faster return
<Zew> agreed
<Zew> And I like optimized code
<BobFrankly> I only invest the time to optimize where the benefits will be noticed
<CptLuxx> indus3al convert all your vbs to assembler ok?
<indus3al> with a cmd script, yeah
<BobFrankly> squeezing a few seconds of speed out of a task that runs once every five minutes to dump some metrics into a DB? What's the point...
<naph-W> Hello indus3al
<indus3al> naph-W: oh.. there you are! o/ just in time for the end of the workday
<indus3al> o/ bye
<naph-W> Later
* Zew looks at indus3al
<naph-W> Liver, chopped
<indus3al> ;)
<sudosmurf> any of you guys use a remote desktop gateway with ipsec tunnels per RDP session?
<Jedicus> no... DirectAccess?
<BobFrankly> sudosmurf: we use a netscaler. Not sure if that counts :P
<sudosmurf> nope ;D
<bewbs> sudosmurf i just use non-standard ports
<bewbs> for external rdp access
<bewbs> 56201 for 10.0.0.201, 56202 for 10.0.0.202, etc
<bewbs> most exploiters/port scanners are scanning for common ports for vulnerabilities anyway
<furmelade> changing ports is not increasing security at all
<bewbs> better than nothing
<furmelade> wrong
<bewbs> though i'm unaware of any current rdp exploits
<naph-W> Don't you get tired of unlocking accounts from brute force attempts?
<kuahara> speaking of powershell, I was on a Windows 10 machine earlier and noticed when I shift+right-clicked in a window to get the administrator's context menu that "Open cmd window here" was replaced with "Open powershell window here"... which is fine, except that not everything that works in cmd works in powershell exactly the same way
<kuahara> dir /s is not a valid cmdlet or whatever if I try to do a quick search for a file
<bewbs> naph-W never had an issue
<furmelade> well yes, cmd will get replaced sooner or later
<furmelade> the change got introduced a couple of months ago kuahara
<bewbs> naph-w never actually had anything locked or even attempted
<kuahara> that's what I was told, but I hope commands that work in cmd aren't missed
<kuahara> or changed
<furmelade> wat
<furmelade> nothing on ps/cmd itself is changing
<kuahara> in the beginning, it seemed like a lot of effort was made to make both dos and linux commands work in powershell... because why not
<kuahara> furmelade read my comment above
<kuahara> dir /s doesn't work
<furmelade> so switch to ps native commands?
<kuahara> that's worked in dos or cmd terminals for the last 30 something years
<Harlock> i don't think dir /s is particularly useful for a quick search
<furmelade> it still works in cmd
<kuahara> switching to new and different commands is beside the point
<furmelade> nothing has changed besides the buttons
<Harlock> dir is an alias for get-childitem
<furmelade> which was an inevitable move anyway
<kuahara> harlock it's useful if I'm sitting in system32 or syswow64 trying to register a .dll or .ocx or whatever and I just want to quickly make sure the file is actually present before I unregister or reregister it
<Harlock> use -r
<kuahara> I'm starting to wonder if my point is being deliberately missed now
<furmelade> your point is that deprecated tools are not working anymore, fine
<furmelade> that's why it's deprecated
<kuahara> furmelade, in the beginning, they claimed they were keeping those commands
<kuahara> and even included a wealth of linux commands
<kuahara> it doesn't hurt having more than 1 command that accomplishes the same thing
<furmelade> they're not included, they're just aliases for posh cmdlets
<kuahara> that's fine
<furmelade> also, if i'm not mistaken, dir has always been an alias for get-childitem in posh
<kuahara> but the idea behind including aliases for both the old cmd, linux, etc.. was to make it useful to a wider audience right off the bat
<kuahara> to make it readily usable to a wider audience**
<furmelade> sorta, it's there to help people change over to new/other technologies
<furmelade> so dir will still output things but will require other parameters as it's a completely new thing
<furmelade> it's not like there was no time to move away from cmd and learn posh
<sudosmurf> bewbs: yeah, I am going beyond that. nonstandard ports are easily discovered. ;D
<Zew> I know that try/catch can only catch terminating exceptions... is access denied not a terminating exception?
<Zew> apparently not, from the results of my code
<bewbs> not saying they aren't
<bewbs> i'm just saying if you have 100 people scanning, easily 90 of them are scanning standard ports
<sudosmurf> I always do -p- in nmap, so...it will be discovered 100% of the time ;D
<furmelade> and 10 will knock on your non-standard port, having no security added
<bewbs> worst case, yes they could hit me
<bewbs> but in 5 years of rdp open to the world, nothing yet
<furmelade> that's a solid security plan >_>
<CptLuxx> love it
<CptLuxx> could be from nlc
<bewbs> security through obscurity
<furmelade> CptLuxx: can i buy that nlc product anywhere?
<CptLuxx> yes yes
<CptLuxx> query naph-W for information
<bewbs> however this isn't a work environment so it doesn't really matter
<bewbs> if it was i'd set up vpn and disable all external rdp access
<CptLuxx> we have some whitepapers for the most secure environments
<CptLuxx> like always use password as password
<CptLuxx> and always use any/any in the firewall
<furmelade> CptLuxx: something like 'leave everything open like a barn door, potential attackers will think it's a honeypot'?
<bewbs> that reminds me i need to configure the firewall on the failover wan
<CptLuxx> exactly
<furmelade> i like the way nlc employees think
<CptLuxx> after nlc has "secured" everything lnc will go and "repair" the attacks like ransomware etc
<CptLuxx> so we pay double
<furmelade> you mean you get paid double?
<CptLuxx> eh yes :p
<bewbs> sounds like a good business model
<furmelade> fuck yeah
<furmelade> sorry
<naph-W> I can schedule an on-site sales meeting with PowerPoint, explosions and donuts
<xnomar> you mean they restore your data :) ransomware is not cleanable
<furmelade> i'm in cuz you said donuts naph-W
<CptLuxx> we pay the ransomware xnomar
<bewbs> i love donuts
<naph-W> My closure rate goes to 98% when I bring out the bacon flavored ones
<xnomar> :)
<furmelade> uh no, i'm not into that
<bewbs> if two competing sales guys pitched me and one brought donuts and the other didn't
<bewbs> the donut guy would probably win regardless of what they actually said
<Digz> there are decryption tools.... there are also professional services who will deliberately get files encrypted with ransomware, files they know the exact content of to the bit level, so they can reverse engineer the encryption and help with a decryption tool.
<CptLuxx> this sounds more expensive than just paying the ransomware
<Digz> it typically is.
<furmelade> there are decryption tools for ransomware where the developers were too stupid to implement crypto properly, yes
<bewbs> paying the ransomware doesn't actually get rid of the virus though
<CptLuxx> +1 furmelade
<CptLuxx> "virus"
<bewbs> "virus"
<CptLuxx> there was ONE ransomware that spread over exploits in a lan, that was all
<bewbs> it what, calms down for a month then boom
<sudosmurf> bewbs: ARE YOU CHALLENGING ME? :P
<xnomar> offline replication in esxi saved our company from ransomware. it was ugly
<bewbs> 2 years ago i was working as a contractor and a customer got the fbi virus ransomware crap
<bewbs> nuked everything
<bewbs> sudosmurf huh
<sudosmurf> RDP open to the world on a non-standard port and nothing has happened. IS THAT A CHALLENGE? :P
<khelpw> My company seemed to think so
<xnomar> rdpguard is your friend if you don't have vpn-only access
<khelpw> that's one of the few awful practices I was actually able to put a stop to.
<sudosmurf> xnomar: why would I use some 3rd party app to do what windows can do?
<bewbs> security through obscurity
<CptLuxx> or the proper way xnomar, an rd gateway
<sudosmurf> people need to stop doing that
<bewbs> i'm nothing and no one
<bewbs> among billions
<sudosmurf> they need to use the tools in front of them before buying some blinky box
<bewbs> blinky boxes are awesome
<sudosmurf> they are a systemic problem
<sudosmurf> OUR BOX CAN STOP WANNACRY!
<sudosmurf> guess what
<sudosmurf> patching your stuff can solve that
<bewbs> brute forcing windows they'd have to guess my domain, username, and password
<sudosmurf> and if you MUST do something stupid like run XP, not putting it on the internet, or segmenting it, can stop that
<bewbs> good luck doing that before 2050
<sudosmurf> all of those controls are FREE to people that already have a firewall
<sudosmurf> bewbs: your name is bewbs
<bewbs> it's not my username
<sudosmurf> password is jigglyjiggly
<sudosmurf> :D
* bewbs jiggles
<bewbs> still, if they ever actually tried it would lock out in 10 attempts anyway
<bewbs> so unless there's an exploit in the rdp protocol in general
<bewbs> the first thing anyone does is disable the admin account, and prevent non-domain logins unless at the physical machine
<bewbs> it's common sense
<xnomar> agreed
<bewbs> since it's a vm, i can console it from anywhere on the internal network without rdp
<bewbs> and the vm's are the only thing that have access to the external world via rdp
<Digz> I have RDP access to 2 boxes at my home, but they are on obscure high-number ports..... but for a business, I wouldn't really want to have RDP accessible to the internet. I'd set up a VPN.
<xnomar> vpn or lock it down to IP address works well too
<Digz> Yeah... at my work no RDP without VPN, no SSH without VPN either, with one or two exceptions only.
<xnomar> i still have windows 2003 terminal servers for a call center running but with it locked to ip address plus rdpguard i have no issues at all
<CptLuxx> you know there are opensource tools as an alternative for "rdpguard"?
<xnomar> yeah i've tried a few but rdpguard is pretty cheap and makes it just too easy :)
<furmelade> from what i can see, rdpguard just adds windows firewall rules
<CptLuxx> https://github.com/jjxtra/Windows-IP-Ban-Service
<CptLuxx> does the same
<CptLuxx> works..
<xnomar> nice, i'll check it out, i haven't tried that one yet
<Harlock> 2fa external stuff
<CptLuxx> duo ftw
<CptLuxx> use the nms to install it as a service xnomar
<CptLuxx> *nsm
<Zew> Things you learn ...
<Zew> https://social.technet.microsoft.com/Forums/office/en-US/2a8ae68c-02fa-4c4e-bd47-36fd934b8dd8/newaduser-the-name-provided-is-not-a-properly-formed-account-name?forum=winserverpowershell
<Zew> another erroneous error message
<Zew> it should report "user name too long"
<Zew> 20 characters... seriously
<khelpw> Does anyone here know if it is possible to set up a failover/HA cluster in server 2012 R2 in a non-domain environment?
<khelpw> I'm trying to stand up a test environment to learn how to set up MS SQL in HA.
<TheRabbit> no
<khelpw> Yeah, that seems to be the case.
<khelpw> setting up a DC now, but lame.
<SCHAPiE> It's a bit of a weird requirement indeed
<TheRabbit> not really
<TheRabbit> Cluster computers need to authenticate each other's accounts, AD gives them a place to do so
<kuahara> This is more of a legal (U.S.) question, but wondering if someone here has some insight. If a user walks away from their workstation and doesn't lock it, then an unknown 3rd party sits down at that workstation and starts accessing court records, has a crime been committed?
<HEROnymous> kuahara, without knowing specifics, the answer is "probably."
<kuahara> A laptop that is used by the receptionist for the county attorney is left on a table in the courtroom unlocked, random person sits down and opens case records for other people to sate his curiosity
<kuahara> this didn't actually happen. That person's laptop is sitting on the table, asleep, but as I walked by and noticed it, I wondered if they locked it before abandoning it or if it sat there unlocked until it went to sleep
<kuahara> and what the repercussions are if someone had been sitting there using it. That courtroom sees non-county-employee guests by the dozens all the time.
<HEROnymous> also, it would be the person doing the access who committed the crime, not the person who left it unlocked.
<kuahara> that's what I was wondering
<kuahara> the person who left it unlocked is responsible for sure, but not guilty of a crime
<HEROnymous> the person who left it unlocked may well be subject to administrative sanction by their employer however, based on their policies - and sometimes that may include firing.
<kuahara> What I'm wondering is if the stranger to the court who uses it without permission is guilty of a crime
<Sysadmin88> espionage
<HEROnymous> very possibly
<Sysadmin88> lol
<HEROnymous> there're some qualifiers that'd be up to the lawyers to argue in the trial
<kuahara> I don't think something like that would see a trial
<SCHAPiE> https://www.nycourts.gov/judges/cji/2-PenalLaw/156/156.05.pdf
<Cheezehead> easy solution.....lock the device
<Harlock> here i believe individuals can be fined for allowing a breach to happen as well as the orgs
<Harlock> .ca
<Vaevictus> hmm... what's the current version number for windows update agent on win7?
<compdoc> does the windows dns service suggest a gateway to clients? the server uses a different gateway than the clients
<jcotton> gateway setting is part of DHCP
<jcotton> no?
<compdoc> yeah, guess I'm thinking about it the wrong way
<ninjai> anyone know the cause of "RPC Server Unavailable" when using virtual machine converter on a Linux physical machine?
<naphtali> OK kids, Server 2008 R2 with the Hyper-V host (only) role. One of the svchost processes is consuming 5GB+ RAM. Registered services for this process are COM+ Event System, Function Discovery, Windows Font, Network List Service, Network Store Interfaces, Windows Time.
<naphtali> How can I pinpoint which service within is causing the issue?
<jcotton> naphtali: i think process explorer can help here
<jcotton> i know it can list the services inside an svchost process
<naphtali> I have it open in PE but can't find memory usage by sub? process?
<naphtali> I see Cycles Delta on the Threads tab
<naphtali> And it's pretty high for Network Store Interface (NSI)
<Stryyker> naphtali: you can't, because they are all the same process. (merely multiple DLLs loaded in)
<naphtali> hmm
<Stryyker> You can use the registry to split them into their own svchost (I don't know the keywords to look for, but it even works in XP) at the expense of more RAM use
<naphtali> https://social.technet.microsoft.com/Forums/office/en-US/78e2e4a5-6b03-46a0-917c-e9d76eea7756/svchost-for-nsi-network-store-interface-high-memory-usage?forum=winserverManagement
<naphtali> That looks promising
<naphtali> I might try that in the next maintenance window Stryyker
<Stryyker> It is only in the more recent 10 (2016 too?) where the default install splits more services into their own svchost
<jcotton> yes
<jcotton> provided you have at least 3.5gb RAM
<naphtali> https://support.microsoft.com/en-us/help/2847346/svchost.exe-running-nsi-service-leaks-memory-and-non-paged-pool-memory-leak-tag-nspc
<naphtali> woo, hotfix
<jcotton> Stryyker, naphtali: also some services (like some of the IIS ones) don't like being split
<jcotton> iirc
<naphtali> Not sure jcotton
<naphtali> I have never split them
<jcotton> some IIS services broke during 1703 previews b/c of splitting
<viscera> Get-DhcpServerv4Scope gives some PermissionDenied error ("Failed to enumerate scopes on DHCP server FOO") -- why? The user is a member of Domain Admins and RDP'd to the DC
<viscera> DC/DHCP server
<viscera> Domain Admins is also a member of DHCP Administrators
<viscera> Oh, I had to run PowerShell as Administrator
<squibby> hey, I seem to be doing something wrong when attempting to build a Web Application Proxy to tie into an ADFS 3.0 server. there appears to be some sort of certificate trust issue from what I can see from wireshark pcaps. I'm using the same adfs certificate and private key in the WAP server that is installed on the internal ADFS 3.0 box. This trust procedure works on 2.0, does this need to happen differently on ADFS 3.0 + WAP ? What am I doing wrong here?
<squibby> well, I should back up, I'm able to use the same adfs certificate and private key when I build a trust between an ADFS Federation proxy and ADFS 2.0
<squibby> the newer arrangement with WAP and ADFS 3.0 is telling me to pound sand.