@tirendir said in Is Most IT Really Corrupt?:

As far as underhanded or shady purchasing deals with kickbacks, I would agree that IT are pretty uniquely situated to participate in such practices far more so than the vast majority of fields. I'll also agree that SMBs get the short end of things in terms of quality personnel of course, because they don't have the scope of reach for talent recruitment, nor the vast resources that Enterprises typically do, so oftentimes the Enterprises will scoop up much of the best talent before SMBs ever get a chance. Such scenarios obviously would leave the SMBs with far less comparable or adequately capable talent to choose from, forcing them to have to make due with what they have left to select from. Ironically, the biggest issue with SMBs may well be Enterprises gobbling up much of the best talent, perhaps as much as the fact that SMBs may not be great businesses.

A huge issue with SMB's is they have far less robust hiring practices. SMB's tend to cheap out on background checks for criminal actions (and in some cases even hilariously waste money on drug tests for IT staff, while using the "budget" background check).

I saw an IT director wiretap a board meeting at a SMB once. The guy was a little off, but honestly, I blame management. They wanted to have an IT director slash custom software developer who worked 70 hour weeks with 1 week of vacation a year and they paid a farcical 100K with no variable comp. If you have such unrealistic compensation requirements, your only option is going to be getting someone who's an idiot or worse, has some "fun" quirks like ethics or mental health.

Curious if anyone had seen this article that goes into Deal registration, and the other challenges of procurement in an enterprise. Personally I'm a big fan of deal registration when its done right, but I'm curious others thoughts on it.

http://www.jpaul.me/2015/07/what-ive-learned-about-it-purchasing/

@scottalanmiller said in StarWind vs Storage Spaces Direct:

My take on it is that after 20 years of Windows Software RAID being totally insane to implement in production, we need to wait at least one or two server release cycles before we have enough time for Storage Spaces Direct to have collected enough reliability data to even be a remote consideration. Microsoft's track record here speaks for itself. The entire hardware RAID industry exists almost solely to tackle this one software issue with Windows. Storage Spaces was just an attempt to rename it to hopefully get out of touch Windows Admins to think that there was some hot, new feature worth putting their data on and a lot got burned.

There's some nasty @#$@ in there. Mainly write order fidelity isn't working yet with ReFS...

@wirestyle22 said in Domain Controller Down (VM):

@John-Nicholson

I am definitely interested in any education you are willing to offer but I think we are actually almost finished with this currently. Are you willing to sit with me for literally any amount of time tomorrow? I am a very eager learner.

A bit tied up with prep for VMworld Barcelona but might find a few minutes to talk.

One thing is as soon as humpty is back together again is run RVTools against the vCenter. Get a XLS dump. The health tab on the end will find all kinds of fun misconfigurations but I can go over it with you (or if you can sanitize it and post it hear I can give you a tear down).

Next up your on essentials Plus. You can have 24/7 production support, use it. GSS likes to help.

100Mbps switching is NOT supported for storage or vMotion.
Get some real storage. [email protected] can help you get a small FC DAS HUS with good support to avoid a lot of this mess.

Upgrade to the VCSA (use the migrate2VCSA tool!), and 6.x ESXi. ESXi 5.1 is not in general support anymore as of last week or so.

Before you do that upgrade the BIOS/FIrmware on those UCS boxes.
Fix the NTP serve config to start the service, and make sure to have 3 (not 2!) NTP servers so you can fix drift.
Get into the UCS CIMC (Set that up!) and fix the clocks if needed.

Get a pair of cheap but fast/good TOR 1Gbps switches. ICX 6450's Brocade's are solid, speak proper RSTP, and fast enough to handle iSCSI for the migration, and vMotion once done.

Get Veeam for backups. Possibly beef up the backup storage.
Replace that Gen6 HP. Its out of support, and unsupportable.

Don't worry a lot on resource balance, your CPU and memory usage are good and those cisco hosts (M3's) are current enough. Check the smartness' on them though, and get CIMC alerting setup.

All in FC, labor (week at 10K) Host, migration of a few VM's Veeam setup, small host, switches, upgrade, your looking 50-60K?

Still got other challenges (banish 2003, get VDI deployed, replace campus switching) but I'd give Howard a ring. He's seen worse I promise...

Other people to talk to if your in the SW, Sigma (Nigel Hickey's a good guy there). Does a lot of VDI work.

@coliver said in Domain Controller Down (VM):

Looks like an ipod... This is going to be interesting in the long term. Those Cisco chassis can do some expending though so you may be able to get to a more reliable system with what you have.

Actually UCS can't really expand much from a storage perspective. They don't have any native DAS JBOD support, and the MegaRaids on them they do little in integration or customization. UCS was never really designed to use local storage in RAID I'm convinced (at scale anyways). They are useful if your using them in true JBOD (VSAN, they are certified for use) or with HBA's to talk to an external disk array.

@scottalanmiller said in Domain Controller Down (VM):

@stacksofplates said in Domain Controller Down (VM):

@scottalanmiller said in Domain Controller Down (VM):

@stacksofplates said in Domain Controller Down (VM):

@scottalanmiller said in Domain Controller Down (VM):

@stacksofplates said in Domain Controller Down (VM):

At least if the other end knew what he needed he could get some help. But now he might cancel his subscription and go somewhere else (which I believe is what they are trying to avoid). I can't imagine the amount of "IT Pros" that contact them looking for support for issues like that.

Same vein, how many avoid them because they don't provide ANY reasonable support options? I'm never asking anyone to support everything, but everyone needs to support something serious.

Right, and they do. VMware.

Oh okay, well that's fine then. Not the BEST option, but acceptable. And by BEST I don't mean that VMware is or isn't the best, I mean ONLY supporting that one is not as good as supported a few options.

Ya, this whole thing started because Dustin said he should drop them since they don't support anything else. That's ridiculous.

I see. Yeah that's going to far. That's lacking variety and options, but not lacking an enterprise deployment option. You have to figure the costs associated with VMware into the product's costs when decision making, but that's about it. VMware is very, very enterprise. It's a bit crappy that they don't offer ANY lower cost options for companies like this where VMware is way out of their league and crazy that they allow 100Mb/s Synology iSCSI but require VMware ESXi... so they have some clear problems in their thinking and requirements, but VMware itself is just fine.

To be clear, requiring VMware ESXi in a supported configuration is at odds with the 100Mb/s for vMotion and iSCSI (VMware does NOT support this abomination of a configuration).

@stacksofplates said in Domain Controller Down (VM):

@DustinB3403 said in Domain Controller Down (VM):

@stacksofplates said in Domain Controller Down (VM):

@scottalanmiller said in Domain Controller Down (VM):

@stacksofplates said in Domain Controller Down (VM):

@scottalanmiller said in Domain Controller Down (VM):

@stacksofplates said in Domain Controller Down (VM):

If you're running on something using PV drivers that they don't understand...

Then your critical app vendor is below the home line. THAT'S how scary this should be to companies.

When your "business critical support" lacks the knowledge and skills of your first year help desk people, you need to be worried about their ability to support. Sure, when nothing goes wrong, everything is fine. But if anything goes wrong, you are suggesting these people don't have even the most rudimentary knowledge of systems today. That's worrisome. And it's why so many systems simply have no support options - relying on software and hardware that is out of support meaning that while the app might call itself supported, they depend on non-production systems making the whole thing out of support by extension.

So when running with a preallocated qcow2 image, which caching mode do you use for your disk? Writethrough, writeback, directsync, none?

What about IO mode? native, threads, default?

No one can support every hypervisor at that level.

Also, none of those things need to be supported by the app vendor. They just need to support the app and stop looking for meaningless excuses to block support. I understand some vendors want to support all the way down the stack, but if they don't know how to do that with virtualization, they don't know how to do it. The skills to support the stack would give them the skills to do it virtually even better (fewer variables.) So that logic doesn't hold up.

So they don't need to be fully supported, but let's say the IT guy down the street who's used Linux twice in his life installs the software in a VM with a non preallocated QCOW2 with an rtl8139 NIC. It's going to run slower than anything. So he calls the vendor for support and they try to help him. Nothing they are going to be able to tell him is going to help him, because it's nothing to do with their software. It's in their best interest to try to control what you're installing on to to mitigate stupid issues like that.

At least if the other end knew what he needed he could get some help. But now he might cancel his subscription and go somewhere else (which I believe is what they are trying to avoid). I can't imagine the amount of "IT Pros" that contact them looking for support for issues like that.

That is the issue of the IT Guy not understanding the system requirements, the fact that it is virtual means nothing. He could install that image to a bare metal system and have just as poor performance!

No, those are specific to a hypervisor. Bare metal would be much faster than that, you woudln't have those issues.

If bare metal was with a single ATA 66 drive, it might not be... Virtualization doesn't have a monopoly on stupid non-supported configurations.

@stacksofplates said in Domain Controller Down (VM):

@DustinB3403 said in Domain Controller Down (VM):

Here is a physical system

Here is a virtual system.

Now tell me which system would you prefer to use if IOPS performance was an issue.

Ha. If you look at the timeline it's the same thing from the same dates (9-12:11 - 9-12:12). Good try.

This graph is also worthless as it doesn't show us latency or queue depth so we don't actually know if the app just doesn't do anything or if it has actual demands. This would be like me showing you how many RPM's I used on my car, and without any other context you don't know if I drove from Waco to Houston at 100MPH this weekend (I did) or if I just sat in a parking lot in neutral. RAWR IOPS GRAPH TIME!

@NetworkNerd 2 Hosts Plus a Witness VM somewhere (how vSAN or HP StorVirtual operate).

@scottalanmiller Lets play "solaris did it first!"

Containers are so awesome (Scott mutters something about zones).
SDS is so badass! (ZFS did it first!)
Virtualization (has been around since the mainframes)

https://cormachogan.com/2016/01/18/where-are-they-now/

Good read of the boneyard of storage companies.

@scottalanmiller said in Major Intel CPU vulnerability:

@storageninja said in Major Intel CPU vulnerability:

@scottalanmiller said in Major Intel CPU vulnerability:

@storageninja said in Major Intel CPU vulnerability:

Not sure all the Intel hate is due here....

It's the unsubstantiated claims, cover up, and embargo. All unacceptable things. That they had a bug is not the issue.

The Embargo was technically the entire software industry conspiring including Linus himself. Would you rather have them released this back in June before anyone had any POC code?

Yes, I never support secrecy. Transparency is always more important.

Google breached their maximum disclosure holding for project Zero. Funny how you do that when it's your servers on the line...

@scottalanmiller said in Licenses for APs and Switches:

@storageninja said in Licenses for APs and Switches:

@dafyre said in Licenses for APs and Switches:

With that campus the size that it is, I would definitely recommend finding something to handle the Layer7 stuff.

I'm relatively certain you could drop in Ubiquiti APs, and possibly grab a Palo Alto that could work and still come out cheaper than doing the licenses for the Meraki gear.

Palo Alto does far better layer 7. If this is a school you need to meet CIPA compliance.

Private college, should be free to avoid CIPA.

Ahhh. For a private college I'd do a few things....

1. Put Students on private PVLANs Basically they can't reach anything but the internet, services you have facing the internet, and possibly edge gateways for Citrix/View/VDI etc. Don't let those clients talk to each other.

2. Deploy NAC for the wireless to make sure that infected clients get forced to remediation. https://packetfence.org/ is popular in education for low cost. Strong easy NAC support and integration is one reason why "big wireless" (Aruba, Cisco AeroHive etc) dominate in campus education.

3. Do you have dorms you provide internet for? Consider at a minimum getting peering to major sources of traffic (Netflix is AS 2906), and CDNs, or negotiate with CDN providers to put in caching appliances on your network directly. (Do you operate an AS directly?).

@scottalanmiller said in Licenses for APs and Switches:

@markferron said in Licenses for APs and Switches:

@scottalanmiller said in Licenses for APs and Switches:

@storageninja said in Licenses for APs and Switches:

@dafyre said in Licenses for APs and Switches:

With that campus the size that it is, I would definitely recommend finding something to handle the Layer7 stuff.

I'm relatively certain you could drop in Ubiquiti APs, and possibly grab a Palo Alto that could work and still come out cheaper than doing the licenses for the Meraki gear.

Palo Alto does far better layer 7. If this is a school you need to meet CIPA compliance.

Private college, should be free to avoid CIPA.

Muhaha... Yes we are free to avoid CIPA, but it would still be nice to comply. It would look great on accreditation.

To the accrediting board, you mean? I suppose that makes sense, with the things out there that they are willing to give accreditation to, clearly education isn't what they are focused on.

Considering this is complying with censorship requests I'd assume they don't care. Personally, I'd allow porn, just shape it into the lowest traffic class (whatever is left over). If you block it people will VPN/get around it. If you allow it but make it slow then people will just give up and use their phones etc for it.

@stacksofplates said in Ubiquiti WiFi vs... everyone:

This isn't wifi related but a big downside for us is the largest 10 gig switches are only 16 port. For a site with 40 Gb core and 10 Gb everywhere it's a big limitation.

I wouldn't buy 10Gbps ports in 2018. 25Gbps or 100Gbps. Cost is the same for 25Gbps with how the ASICs and optics work.

@scottalanmiller said in TPM module - what is it used for?:

That's the norm, yes. Anyone looking for data, that's what they do. That's always the fear in datacenters. A 2.5" drive is "easy" to steal. It is loose, and tiny, fits in a pocket or an arm pit. A server is essentially impossible to steal from any real location.

Running out of a DC with a DL380 doesn't happen. Someone bulk sells the server on eBay does.

Real encryption keeps the keys in a remote KIMP server (what you'll see for any DISA/STIG system etc).

Realistically you use a TPM for detecting supply chain attacks (validating firmware, validating boot loader, EFI VIBs etc) is what ESXi uses it for.

https://blogs.vmware.com/vsphere/2018/04/vsphere-6-7-esxi-tpm-2-0.html

I made this one minute video a while back to demonstrate SCSI UNMAP/TRIM reclaim. I'm curious how many of you are doing this (doesn't have to be on vSphere/VSAN) and if not what's stopping you from getting back dead/wasted space from deleted files?

Youtube Video

@scottalanmiller said in VM replication vs vSAN on two hosts?:

Correct. Just replicating, whether async or sync, carries extremely little risk. But this stuff, automating VM management, is when things can go haywire.

Automatic HA with ASYNCHRONOUS replication is a terrible idea at a block or VM level. This is why Veeam doesn't support it (You would have to build your own scripts, and Gostev would likely say "this is a stupid idea"), as you are potentially automating dataloss.

Note Veeam Replication (TODAY) uses VADP. This requires snapshots and carries performance overhead. Alternatively, in the future they will support VAIO replication (which gets you down from a 15 minute RPO to a 15 second PRO). VAIO bassed replication is a resource heavy (as is any async near-realtime write split journal system).

How many of you are using any of the advanced fancy memory options SDDC, ADDDC etc? or are you just avoiding that part of the BIOS?

I did some research over memory protection over the holidays and wrote a blog about some of the stuff.

https://thenicholson.com/vmware-vsphere-reliable-memory-a-few-thoughts/

@scottalanmiller It also weeded out bad clients. "You don't want to pay for good advise?" Cool we'll move on and find someone who does and you can call CDW and see what they are excited to sell you today. Its not like we didn't have tons of work/clients/growth as it was...

@Jimmy9008 said in How would you counter offer a job proposal:

For real, if 55k is similar to what you make now, and the benefits are the same, but the drive is 4x longer, and you don't need to move jobs... Pass. Nope. Not for you. Working g for an MSP sucks imo.ch."

Boom.

I liked working for a MSP a lot more than in house. Learned a lot more, very rapidly, got to do a lot of project work. Went from having access to 1-2 new servers a year, to having access to millions of capital budget for new IT projects (total customer spend for the year). Had a good team, and advanced my career a lot.