@JaredBusch said in AD on top of something that depends on it:

No, JB would say, FFS stop conflating shit. A hypervisor is not a server or desktop OS.

LOL same difference 😛

Everything is still looking good!

@coliver said in Removed ADFS, CRM plugin for Outlook wont authenticate now:

Man am I the only one that doesn't have issues with ADFS? It just works with little to no intervention on our part.

Yes. It's just awful.

Why do you have ADFS? Why not just sync?

And patch management and software updates are taken care of for you.

@aanenih said in Can't Get SpiceWorks on Azure to Authenticate to AD:

Hello Guys, I seem to have found the solution to this issue. By default, Azure has no ports open and that was why i was getting the errors. To solve this problem, i had to create an endpoint for the Virtual machine that had Spiceworks installed in it and open ports 389 and 636 TCP.
Now spiceworks syncs and authenticates with the AD on Azure and on premise.

that's why I was asking for specific VPN details. A VPN on the servers bypasses the Azure ports. A site to site VPN hits the "outside" of the servers and has ports blocked.

@travisdh1 said in Creating an Active Directory Group with PowerShell:

Gah, I'm having bad memories of OpenVMS with the different programs for every single little thing.

It does make for a nice looking and short command-line structure tho.

Oh yeah, SO much different than UNIX.

@scottalanmiller said in Using Pertino with Active Directory:

Originally posted on my Windows Administration blog in 2013 here: http://web.archive.org/web/20130929034913/http://www.scottalanmiller.com/windows/2013/04/05/using-pertino-with-active-directory/

This information is very out of date concerning Pertino itself. But the theory on how this works remains relevant.

IMO, you should put the 'old post' notice at the top of these.

@scottalanmiller said in Add Active Directory User to Group using PowerShell:

When we work strictly from Windows Server Core installations we need to be able to do everything from the command line, even user management. Let's add a user that already exists into a group that already exists in Active Directory using only PowerShell.

To do this we have the handy Add-ADGroupMember PowerShell commandlet. This is very easy to use in its basic form, all we need is the name of the group and of the user that we want to add. In this case, I want to add user jane to the group "Domain Admins".

Add-ADGroupMember "Domain Admins" jane

That's it, jane is added automatically. This process, like most, is silent on success. To verify that all is as we want it to be, we can use the Get-ADGroupMember command to look up the members of a group.

Get-ADGroupMember "Domain Admins"

Can also do
Add-ADGroupMember -identity "Domain Admins" -members "jane" -WhatIf
to see if it gets added before actually running the command.

@IRJ said in Building a First Active Directory Domain Controller on Windows 2012 R2 Core:

@thwr said in Building a First Active Directory Domain Controller on Windows 2012 R2 Core:

@coliver said in Building a First Active Directory Domain Controller on Windows 2012 R2 Core:

@thwr said in Building a First Active Directory Domain Controller on Windows 2012 R2 Core:

@IRJ said in Building a First Active Directory Domain Controller on Windows 2012 R2 Core:

Good article. There is ZERO reason to have a GUI on a Domain Controller. Everything can be done through Server Manager on Windows 10/8

You mean RSAT 😉

Both? You can do a lot of directory management through Server Manager as well.

Ok, agree. Just don't like the Server Manager this much, ugly interface. I want to be sure WHICH drive on WHICH host I'm going to format for example. But that is just my personal opinion and I'm more or less a console fetishist 😉

But when it comes to ADSIedit or AD sites, you really want to have RSAT.

huh?

0_1469044083616_2016-07-20_15-47-37.png

Those options are generally only there is RSAT is installed.

@thwr said in Simple guide to diagnosing Account Lockouts:

Locked AD accounts due to bad passwords
https://mangolassi.it/topic/9709/monitoring-ad-users/12

Thanks. I added the link to the comment section on the article.

@Jstear said in Azure AD Authentication with NextCloud:

@travisdh1 possibly, but I would like to attach it to an existing on premise server.
https://help.nextcloud.com/t/backblaze-b2-sync/1323

Well, sure. I guess I should keep reminding people about my location. Online services like storage don't work because of the price we'd have to pay for a connection. Making the server and storage both online (preferably in the same data center) is just so much easier.

@Dashrender said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

@thwr said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

@scottalanmiller said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

@thwr said in Alternatives for Microsoft server products: Active Directory & Domain Controller:

Samba is quite capable of running AD, but what about management options or multi-site environments?

What is the issue with management (the Windows tools should work with it) and what happens with multi-site?

Sorry, didn't see your question because of the formatting. FTFY.

Like I said, the whole topic is just about discussing valid alternatives for the typical SMB / EDU environment. I was aware that Samba 4 got full DC capabilities, at least when it comes to authentication. I did not know about its GPO support and other things like replication between "DC"s or the possibility to use Microsoft's RSAT tools for management.

@coliver (and you) mentioned one can use RSAT for management. That's good and would mean that the Samba4-team is trying hard to get to a high level of compatibility. How to say... looks like a perfect replacement for a real DC.

Back to your question, multi-site (and/or subdomain) is a quite important feature in case you got a branch office, for example.

I've run many branch offices with no local DC. AD authentication is extremely light traffic wise. installing software via GPO could give you problems, or needing a local server for file access might be needed, but and AD in most branch offices isn't. Unless your branch is like 100+ people.

you can put Linux fileservers in branch offices to handle the load locally.

@Mike-Davis said in Azure AD Connect and populating a new AD Forest:

With powershell you can rename a UPN suffix. Pretty easy with powershell:
https://blogs.technet.microsoft.com/canitpro/2015/07/07/step-by-step-changing-the-upn-suffix-for-an-entire-domain-via-powershell/

Thanks @Mike-Davis, this is one of the pieces to the puzzle that I was missing.

@aaronstuder said in Changing SQL SPN:

You missed blacking out some hostnames 😉

😆 Damn VNC!

Getting lots of eyes on this thread today. Very interesting.

@Kelly said:

@PSX_Defector said:

@Kelly said:

I've also been looking at PowerBroker Identity Services from BeyondTrust. It is where Likewise ended up after a series of acquisitions. It looks like I'm going to have to be building a virtual network and trying some of this.

I've used this in multiple companies, from an airline in America to an oil exploration company.

Works like a champ, it's built on Winbind, but now has actual support versus calling RedHat and hoping for the best.

Did you use PBIS Open or the paid version? The paid version is significantly more than I can afford at about $1,600 per server instance.

This was back in the Likewise days. So free.99.

@wrx7m said:

I think they pulled IPv6 support awhile back. All my Pertino devices are IPv4. Also, note that I have problems with builds 520+ when installing it on Windows DCs/DNS servers. The DNS records do not dynamically update when Pertino is installed. 510 works OK, though. I have a custom 529 build that support gave me that is basically 510 but enables some more verbose logging so they can find out what is going on.

This is an old article from 2013 being reposted because @scottalanmiller stopped maintaining the original.

@JaredBusch how did you setup your NIC for the workstation that had to remote into the AD via ZeroTier? I'm still trying to figure out exactly what was statically assigned as your post wasn't too clear for me (this is new to me).