    Posts

    • RE: I've been asked to set up MFA on internal computers and servers

      @notverypunny said in I've been asked to set up MFA on internal computers and servers:

      @dbeato said in I've been asked to set up MFA on internal computers and servers:

      @dave247 said in I've been asked to set up MFA on internal computers and servers:

      @notverypunny said in I've been asked to set up MFA on internal computers and servers:

      As far as the internet connectivity issues are concerned, AuthLite has 0 dependencies apart from AD. It can also integrate with NPS / RADIUS + AD to provide MFA to just about anything that can use RADIUS.

      It's also per-user perpetual licensing 🙂

      oh nice, I will check that out immediately. I was looking at Duo too (of course) so I wonder how that compares. I like the idea that it has no other dependencies than AD - that's perfect for our current environment.

      Yeah, DUO has dependencies with their service and if the computer doesn't have internet it has the option to let you login without a prompt so that happens. Not sure if AuthLite does the same.

      AuthLite has support for offline logins (meaning if the machine can't talk to a DC), it just requires the installation of their client on the workstation / server / endpoint in question. You can also require / enforce 2FA on your endpoints.

      Here's a thread where one of the AuthLite guys gives a quick comparison of AuthLite vs Duo.
      https://www.reddit.com/r/sysadmin/comments/ct9m31/duo_vs_authlite_for_ad_mfa/

      Duo seems to be the easiest and I've been playing with it with the trial. It's super easy to configure it so without Internet or Duo service connectivity, MFA is bypassed. So in the event we have an Internet outage (happens 2-3 times a year here), users will still be able to get into their computers.

      posted in IT Discussion
      dave247
    • RE: I've been asked to set up MFA on internal computers and servers

      @notverypunny said in I've been asked to set up MFA on internal computers and servers:

      As far as the internet connectivity issues are concerned, AuthLite has 0 dependencies apart from AD. It can also integrate with NPS / RADIUS + AD to provide MFA to just about anything that can use RADIUS.

      It's also per-user perpetual licensing 🙂

      oh nice, I will check that out immediately. I was looking at Duo too (of course) so I wonder how that compares. I like the idea that it has no other dependencies than AD - that's perfect for our current environment.

      posted in IT Discussion
      dave247
    • RE: I've been asked to set up MFA on internal computers and servers

      @pete-s said in I've been asked to set up MFA on internal computers and servers:

      @dave247 said in I've been asked to set up MFA on internal computers and servers:

      @scottalanmiller said in I've been asked to set up MFA on internal computers and servers:

      @dave247 said in I've been asked to set up MFA on internal computers and servers:

      even internally for fully on-prem / non-remote access to user computers and servers?

      Yeah, for sure. Things that are local have a way of becoming "non local" without people realizing. Whether by unplanned design, or malicious intent.

      Well in my case, no local servers or workstation will accidentally become non-local, I am confident in that. Regardless, I'll set up MFA on them.

      Any input as to what tool/application/settings are appropriate? I am currently looking at the NPS for Azure plugin

      If you have MFA on your internal stuff then I think you will be dependent on internet for your internal assets as well.

      Good to know for business continuity and disaster recovery.

      Yes, that goes without saying, especially since many other things rely on our internet connection.

      Also I'm learning that some of these MFA applications don't support auth events with things like psexec and powershell, etc.

      posted in IT Discussion
      dave247
    • RE: I've been asked to set up MFA on internal computers and servers

      @scottalanmiller said in I've been asked to set up MFA on internal computers and servers:

      @dave247 said in I've been asked to set up MFA on internal computers and servers:

      even internally for fully on-prem / non-remote access to user computers and servers?

      Yeah, for sure. Things that are local have a way of becoming "non local" without people realizing. Whether by unplanned design, or malicious intent.

      Well in my case, no local servers or workstation will accidentally become non-local, I am confident in that. Regardless, I'll set up MFA on them.

      Any input as to what tool/application/settings are appropriate? I am currently looking at the NPS for Azure plugin

      posted in IT Discussion
      dave247
    • RE: I've been asked to set up MFA on internal computers and servers

      @scottalanmiller said in I've been asked to set up MFA on internal computers and servers:

      @dave247 Honestly, MFA for that use case is great. No complaints there. It's a pain for end users, but a good idea for financial services especially.

      even internally for fully on-prem / non-remote access to user computers and servers? And is there a fully Microsoft solution that wouldn't require using a 3rd party app like Duo? (I'm just trying to avoid unnecessary complexity and cost)

      posted in IT Discussion
      dave247
    • I've been asked to set up MFA on internal computers and servers

      I just wanted to get some input before I start diving into research and planning....

      My company is in the financial services and we've been told from various sources that we should look at MFA across the board, which includes internal user computers and internal servers.

      We currently have a Hybrid on-prem AD/Azure/Exchange 365 (E3) deployment and we already have MFA enabled with Microsoft Azure for all external-related auth/access (remote use employees sign in with their Microsoft identity and use MFA if their access request is coming from a non-company WAN IP address).

      I am wondering if any of you can give some input/advice on enabling MFA internally with AD, preferably using Microsoft tools and settings (I'd like to avoid Duo). My thought currently is to utilize the Microsoft Authenticator app and the hybrid joined user workstations along with whatever settings need to be changed to request the MFA codes on the workstations and computers.

      Additionally, I welcome any and all questions, criticisms and insults regarding the why and how of this question. I don't personally think we need internal MFA but I still want to gather as much information as possible

      posted in IT Discussion
      dave247
    • RE: WSUS Location

      @scottalanmiller said in WSUS Location:

      @dashrender said in WSUS Location:

      @scottalanmiller said in WSUS Location:

      @dafyre said in WSUS Location:

      Splitting to split failure domains is terrible thinking. That doubles the chances of AN outage, and they don't solve anything.

      Why is it terrible thinking? If I have two failure domains, half keeps working and the other half is down. Yes, there's an outage, but we're not completely dead in the water.

      That's not at all correct. If DHCP fails and your IP fails, then AD fails TOO. If AD fails and DHCP does not, you still have a partial outage.

      Your system makes ANY failure twice as likely. Half of the time it is just as bad as having them combined. The other half of the time isn't AS bad, but not good.

      So it's that easy. Your dead in the water time is equal either way, because you have a complete DHCP dependency apparently. The other half of the time, even though you are not completely dead, is 100% unnecessary risk caused solely by having designed the system to fail unnecessarily often (by 50%.)

      By merging the services you can dramatically reduce your overall risk with literally zero downsides.

      I'm really trying to understand the math here considering - two AD servers, two DHCP servers - and crazily, we'll assume one DNS server, because he never stated that he has two DNS servers.

      Assuming the DNS is either with the AD or with the DHCP. As DNS is an AD dependency, you have to keep them together for safety. However DHCP is also an AD dependency that you have to keep together for safety. So who knows.

      Youtube Video

      Scott Alan Miller - excellent video and thanks for your awesome input as always. I made it about 5 minutes before I got lost in your beard though xD

      posted in IT Discussion
      dave247
    • RE: Backup Solution for XenServer

      @jon-chris said in Backup Solution for XenServer:

      Hello everyone😊

      Now, I am using some VMs on XenServer and looking for the most suitable backup software.
      The wide spectrum of these products dazzles me. Could you do me a favour to recommend me some?

      Thanks a lot in advance.

      Veeam Backup and Replication is hands down insanely great, and free up to 10 backed up systems.

      posted in IT Discussion
      dave247
    • RE: Exchange Environment - Lab

      @obsolesce said in Exchange Environment - Lab:

      @dave247 said in Exchange Environment - Lab:

      @obsolesce said in Exchange Environment - Lab:

      @dashrender said in Exchange Environment - Lab:

      As for the OP's error? No clue - but the person who asked if he actually had AD setup or not - that's a great starting place.

      Has the OP looked at all of the prerequisites and ensured they are all in place before trying to install Exchange?

      We're beyond that now. I answered his issue with why it happened, what happened, and how to fix it here.

      Yeah but if he doesn't have AD set up, then he's gonna have a hard time despite running the setup.exe properly

      I was addressing his error in his very first post. How far back do you go regarding prerequisites that has nothing to do with the error posted? I mean, should we verify he has an active network connection as well? The direct cause of the error is obvious, let's get past that first, and see what happens next. I mean, the whole point of the command is to extend the AD schema... if he doesn't have AD, then no guide will help him at this point, as it's also insanely clear in the guide he's following.

      Ah yes, I see what you're saying. I should have first asked him if his home has electricity. Then move on to Powershell. Yes.

      posted in IT Discussion
      dave247
    • RE: Exchange Environment - Lab

      @obsolesce said in Exchange Environment - Lab:

      @laksh1999 said in Exchange Environment - Lab:

      Hi Team,

      I am trying to create an Exchange 2016 in Microsoft 2016 server DataCenter Evaluation version. I am trying to do this from my virtualbox application. Has anyone followed this lab setup before?

      Followed Link : https://www.prajwaldesai.com/step-by-step-guide-to-install-exchange-server-2016/

      Your whole issue here is that you didn't follow the instructions.

      You first need to mount the Exchange Server 2016 installation Media.

      Then from the location of where your media is mounted, you run that command.

      What you are doing is blindly running commands from wherever. You aren't running the command from the proper directory, which only you can know where you have mounted or extracted the Exchange Server 2016 media.

      This is actually pretty hilarious though.

      posted in IT Discussion
      dave247
    • RE: Exchange Environment - Lab

      @obsolesce said in Exchange Environment - Lab:

      @dashrender said in Exchange Environment - Lab:

      As for the OP's error? No clue - but the person who asked if he actually had AD setup or not - that's a great starting place.

      Has the OP looked at all of the prerequisites and ensured they are all in place before trying to install Exchange?

      We're beyond that now. I answered his issue with why it happened, what happened, and how to fix it here.

      Yeah but if he doesn't have AD set up, then he's gonna have a hard time despite running the setup.exe properly

      posted in IT Discussion
      dave247
    • RE: Exchange Environment - Lab

      @dashrender said in Exchange Environment - Lab:

      @stuartjordan said in Exchange Environment - Lab:

      At the end of the day, if the op wants to learn exchange that's up to him. This is a forum where we can give constructive criticism but, there is also no need to go on about it and give a little help instead. Just a thought??

      At this point I was just trying to let dave know of the typical MO around here.

      Yes, I understand that, in summary, it is the unified intent of the original initiative of SAM (and others) over at Spiceworks, before the banning and exodus. Given what that place was/still is, I guess I don't blame you all for the general tone and approach - but gottdamn, most the new posters here might be confused but they are friendly and want to learn. No need to push them away with rudeness.

      posted in IT Discussion
      dave247
    • RE: Exchange Environment - Lab

      @dashrender said in Exchange Environment - Lab:

      @dave247 said in Exchange Environment - Lab:

      @travisdh1 said in Exchange Environment - Lab:

      @stuartjordan said in Exchange Environment - Lab:

      @travisdh1 said in Exchange Environment - Lab:

      @stuartjordan said in Exchange Environment - Lab:

      I can see what others are saying, onsite exchange not really no point, but a lot of MSP's still host their own copy of exchange normally in a datacenter and you could sell your own hosted exchange to customers. This only would be advantageous with lots of users. But you just cannot beat the costs of 365 with normal Businesses.

      If you want to host email, why would you use the worst platform possible to find? Why not Zimbra for example?

      I'm not on about me, I personally use mailcow. But I'm stating big MSPs and hosting companies still use hosted exchange in a datacenter environment.

      I guess that requires the discussion about management not caring about the company and treating it like a hobby business yet again.

      What are you even talking about?

      you must be new around here - This is a general theme in many, I'd go so far as to say most, discussions around here.

      Don't treat your company like a hobby. Do business correct, i.e. don't use local Exchange unless you have a regulation forcing you to.
      Run the company like a real company - care about costs, do the 'right' thing, not just the simple get it done thing, etc.

      No, I'm not that new around here but I don't view that many threads to be honest.

      Arguing about someone treating their business like a hobby is stupid because at a certain point it's going to come down to matter of opinion, knowledge and experience - all things that are subject to change as people and businesses grow. Just because someone is using Product X vs Product Z doesn't mean they don't give a shit about making the business money.

      posted in IT Discussion
      dave247
    • RE: Exchange Environment - Lab

      @travisdh1 said in Exchange Environment - Lab:

      @stuartjordan said in Exchange Environment - Lab:

      @travisdh1 said in Exchange Environment - Lab:

      @stuartjordan said in Exchange Environment - Lab:

      I can see what others are saying, onsite exchange not really no point, but a lot of MSP's still host their own copy of exchange normally in a datacenter and you could sell your own hosted exchange to customers. This only would be advantageous with lots of users. But you just cannot beat the costs of 365 with normal Businesses.

      If you want to host email, why would you use the worst platform possible to find? Why not Zimbra for example?

      I'm not on about me, I personally use mailcow. But I'm stating big MSPs and hosting companies still use hosted exchange in a datacenter environment.

      I guess that requires the discussion about management not caring about the company and treating it like a hobby business yet again.

      What are you even talking about?

      posted in IT Discussion
      dave247
    • RE: Exchange Environment - Lab

      @travisdh1 said in Exchange Environment - Lab:

      @stuartjordan said in Exchange Environment - Lab:

      I can see what others are saying, onsite exchange not really no point, but a lot of MSP's still host their own copy of exchange normally in a datacenter and you could sell your own hosted exchange to customers. This only would be advantageous with lots of users. But you just cannot beat the costs of 365 with normal Businesses.

      If you want to host email, why would you use the worst platform possible to find? Why not Zimbra for example?

      Case in point.

      posted in IT Discussion
      dave247
    • RE: Exchange Environment - Lab

      @obsolesce said in Exchange Environment - Lab:

      @dave247 said in Exchange Environment - Lab:

      The majority of people on this forum are arrogant assholes who like to pick apart your posts and criticize and insult what you are doing.

      Some may see that way... while others will see it as questioning motives and pointing people in a better direction to improve their career and broaden their skillset to become more useful in the market.

      But it is understandable some may not want that who are happy where they are and take offense to a better approach.

      Yes, but there is a difference between constructive criticism and completely unhelpful sarcastic replies. I am referring to the latter.

      posted in IT Discussion
      dave247
    • RE: Exchange Environment - Lab

      @laksh1999 said in Exchange Environment - Lab:

      I am not trying anything with the Government jobs.

      I am in Exchange environment to learn new things. I cannot do anything with the Production exchange environment. Just to understand the alerts in the servers I am creating my own lab servers and testing it in the test environment. If anyone can help, do help me. If not, no issues.

      Close this thread or don't reply if no one is ready to help me on this topic

      Corrected this as well
      \Setup.exe /IAcceptExchangeServerLicenseTerms

      Sorry about that. The majority of people on this forum are arrogant assholes who like to pick apart your posts and criticize and insult what you are doing. Then they will argue with your every reply. It really is an unprofessional IT forum. I'd suggest going to reddit and finding one of the many good technology subreddits. Sure, there's going to be a range of skill and knowledge there, but I find most the time I always get extremely helpful tidbits of info to get me going in the right direction. Plus, people are usually much more friendly there.

      That said, I'd first ask you if you have an Active Directory domain controller set up first before installing Exchange?

      posted in IT Discussion
      dave247
    • RE: best way to map various combinations of mapped drives to AD users?

      @pete-s said in best way to map various combinations of mapped drives to AD users?:

      @dave247 said in best way to map various combinations of mapped drives to AD users?:

      Problem: we have about 10 different shared folders as mapped drives and a handful of simple bat scripts used as AD logon scripts for users...

      I think it would make more sense to just have one mapped drive and use sub directories for each department. That's probably how the files are organized anyway - at least judging from the looks of it.

      The users that have permissions to a particular directory can use it and the others can't. That way you don't have to mess with the different drive mappings because everyone gets the same one drive.

      This is also how I have seen organizations with many departments do it. They basically use one drive mapping per entire file server. Everyone gets the same shared drive(s) but permissions determine what directories they can access. It's more flexible to do it like that.

      Yes actually that's one plan I've had for a long time, just haven't gotten around to doing it mainly since it will disrupt everyone's workflow for a bit.

      posted in IT Discussion
      dave247
    • RE: best way to map various combinations of mapped drives to AD users?

      @travisdh1 said in best way to map various combinations of mapped drives to AD users?:

      @dave247 said in best way to map various combinations of mapped drives to AD users?:

      @travisdh1 said in best way to map various combinations of mapped drives to AD users?:

      @dave247 said in best way to map various combinations of mapped drives to AD users?:

      I could probably use group policy to make a mapping for each drive, then assign each GPO to the necessary user.. but I feel like that would still be a little numerous or something.

      Also, I know usually this sort of thing is group based access, but we have a small company and many people wear multiple hats and essentially we end up with multiple combinations of access for every employee which makes group based permissions and things challenging.

      I think you're halfway there. Yes, use GPO, but instead of assigning users to each GPO, create a group and assign the group to the GPO. Once everything is created, all you have to do for who gets what is add/remove users from the group for the drive mapping.

      You mean make a group and apply each GPO for each drive to it, then add users? That makes sense.

      Yep

      I'll give that a try, thanks for the idea

      posted in IT Discussion
      dave247
    • RE: best way to map various combinations of mapped drives to AD users?

      @travisdh1 said in best way to map various combinations of mapped drives to AD users?:

      @dave247 said in best way to map various combinations of mapped drives to AD users?:

      I could probably use group policy to make a mapping for each drive, then assign each GPO to the necessary user.. but I feel like that would still be a little numerous or something.

      Also, I know usually this sort of thing is group based access, but we have a small company and many people wear multiple hats and essentially we end up with multiple combinations of access for every employee which makes group based permissions and things challenging.

      I think you're halfway there. Yes, use GPO, but instead of assigning users to each GPO, create a group and assign the group to the GPO. Once everything is created, all you have to do for who gets what is add/remove users from the group for the drive mapping.

      You mean make a group and apply each GPO for each drive to it, then add users? That makes sense.

      posted in IT Discussion
      dave247