Posts made by Obsolesce

If you have a mix of a lot of servers, or even just a lot of physical servers, I prefer Unitrends over Veeam.

I did not see in your post if anything is physical or virtual, but...

Veeam was designed from the ground up for Virtualized environments (hypervisors and virtual machines). Due to this, you need multiple Veeam products and licenses to cover physical machines in a mixed environment, separate products for Windows physical machines, and another Linux physical machines.

Unitrends does it all from a single point, and supports 200+ OS/Applications/Hypervisors.

@JaredBusch Thank you

@Kelly said in S/MIME and Office 365:

@Tim_G said in S/MIME and Office 365:

@Kelly Maybe the problem is your Global Address List (GAL), or you simply aren't waiting long enough.
Let me try a run-through here:

1. User joins the company.
2. O365 email account is set up for new user.
3. New user logs on to new Mac computer, sets up Outlook.
4. IT Admin sends new user his/her certificate via email (or by whatever means). Preferably a .PFX so it contains private key and whole CA chain.
5. New user or IT admin goes into new users Outlook trust center/email security settings to set signing/encryption certificate(s).
6. While still in Outlook Email Security settings, "Publish to GAL" button is clicked, success confirmation pops up.
7. After 24 hours, or via users manually updating their Address Book in Outlook, users are now able to send encrypted emails to new user.

Basically, when you publish to GAL, it's loading all certificate information to O365. Every else's address books will automatically update I think the default is once per day. So if users can't send the new user encrypted emails, they either need to update their address book in Outlook, or simply wait a day or so. As long as they are all part of the same organization in Office 365, they'll share the GAL and get the same one.

No, we're not doing anything from 6 on. There is no "Publish to GAL" button in Outlook for Mac. This is why we're distributing the public keys manually.

I did not know that. I'm not as familiar with Outlook on Macs. What percentage of users use Outlook on a Mac?
When I get some more time, I'll take a look at some things and get back to you.

@art_of_shred said in what windows server should I choose for Active directory?:

@Grey said in what windows server should I choose for Active directory?:

@Alan said in what windows server should I choose for Active directory?:

@Grey This is my first IT job and started as a part-time help desk and part-time network tech . I don't have the experience but I do have a good background as I graduated with a computer engineering degree and got Cisco certs!
but this is my first step on getting experience

I wish you all the best as you start your career. I've a lot of experience in coming in after someone such as yourself, with limited experience, has set up an AD system and/or infrastructure, and I get paid as a contractor (at $150/hour) to clean up the mess. Typically, what I see is that someone had absolutely no clue how things actually work and set up login scripts instead of GPOs, only set up one domain controller, didn't set up any virtualization and had no plan for backups, if any were even implemented.

Since you're starting with a clean slate, I suggest you go with server 2016, and set that up on a robust hypervisor like Hyper-V (so you can leverage some license benefits and save money). Be sure to talk to your MS resale rep and get your licensing under control before you really embark on your design. Once you are satisfied that you and your reps have the licensing planned out, get a pair of domain controllers set up with both of them running DNS and DHCP -- do not use Cisco devices despite what your cert training said; just use helper addresses. Both servers should be set up and running as a peer (the concept of primary and secondary domain controllers is a dead concept, despite what your computer engineering degree or professors may have said). They will have the ability to fail over, and tehy should not be running on the same hypervisor platform (yes, you need 2 hypervisors -- 2 hosts). If your business is cheap, you can get away with a single hypervisor and 2 servers (guests) on them, though you need to explain the concept of uptime and service requirements to them if that's the case. Of course, it's the business that makes the decision on how much to spend and, I gather that they've hired a Jr. SysAdmin to do Sr. work, so they're likely unwilling to spend on infrastructure. Check with xByte and/or Stallard Tech to see if you can get some good second-hand equipment.

When you start adding systems to the domain, people are going to lose files and settings. They'll be in the workstation, but under a different profile. You'll have to migrate them. Check out Easy Transfer; it's part of Win7. I've used it before for exactly this kind of migration and it should do what you need.

You'll want to set up a file and printer server at some point; be sure to spec out storage with backup (Unitrends is my go-to) that's at least 50% over current capacity, if not more.

Once you have your AD servers and your file/print, you can look at exchange, or O365 to start leveraging more features of AD.

How are things going with regard to 2016? Does anyone here have much experience with it yet? I'm just curious, as I've not seen a lot from it yet.

I've been using and implementing Windows Server 2016 and many of its different services in Enterprise (production) environments. It's very firm and stable, no reason not to use it. I also became familiar with it during all of the technical previews, so that helped with the academic parts of it.

@Dashrender said in what windows server should I choose for Active directory?:

@Alan said in what windows server should I choose for Active directory?:

@Dashrender
-most of the Pcs are running windows 7 pro, we have few windows 10 pro

Please remind the client that Windows 7 only has 3 more years of support left. Jan 2020 is when MS stops making security updates. Definitely not to early to start looking at the requirements to get away from Windows 7.

Wish I could upvote this more. 3 years doesn't mean wait 3 years then look to move. Start now.

Well, without knowing anything at all about your environment...

-I'd go with Hyper-V Server 2016 for your HOST. This is free.
-Buy a Windows Server 2016 Standard license. This will allow you to create two virtual machines on your HOST.
-VM1 = Domain Controller, DNS, etc
-VM2 = File Server, Applications
-Buy enough user CALs to cover everyone as others have mentioned.

There's no reason to go with 2012 R2 anymore. 2008 R2 shouldn't even be a thought.

@Kelly Maybe the problem is your Global Address List (GAL), or you simply aren't waiting long enough.
Let me try a run-through here:

1. User joins the company.
2. O365 email account is set up for new user.
3. New user logs on to new Mac computer, sets up Outlook.
4. IT Admin sends new user his/her certificate via email (or by whatever means). Preferably a .PFX so it contains private key and whole CA chain.
5. New user or IT admin goes into new users Outlook trust center/email security settings to set signing/encryption certificate(s).
6. While still in Outlook Email Security settings, "Publish to GAL" button is clicked, success confirmation pops up.
7. After 24 hours, or via users manually updating their Address Book in Outlook, users are now able to send encrypted emails to new user.

Basically, when you publish to GAL, it's loading all certificate information to O365. Every else's address books will automatically update I think the default is once per day. So if users can't send the new user encrypted emails, they either need to update their address book in Outlook, or simply wait a day or so. As long as they are all part of the same organization in Office 365, they'll share the GAL and get the same one.

@Kelly For digitally signing emails, it's definitely not supposed to work like that. You should be able to send a digitally signed email to anyone in the world at any emails address. And as long as their email client is capable of reading certificates, such as Outlook, Thunderbird, or OWA, then (basically) they will see a red ribbon saying it's signed and all is well.

Now if you are encrypting emails, within an organization using a Windows AD Domain and Enterprise CA, it should work the same way..... But, if you want someone outside the organization who has nothing to do with you (the outsider), to send one of your users an encrypted email, your user will need to send them a signed email first, so the outsider can use your users public key to encrypt the email (in Outlook by adding your user to their contacts list), where your user will use their private key to decrypt it once they get the email. This is normal and no other way to do it.

What I am understand now from you, is that internal users sending signed emails to each other within your organization, it's as if they are all outsiders sending encrypted emails as described above.

If that's still the case and I'm finally correctly understanding your issue, could you take the time to describe and lay out how everything is set up so I can try and see what's wrong? Perhaps then I can guide you on setting it up a little differently so it will work as expected or as it should.

It's not a question of if it will work or not. <insert Linux flavor here> will run any service just fine. You can run a web server on Linux Mint without issue. Just like you could run a basic file server on Windows XP, that doesn't mean you should.

But when we are talking about what's best for Enterprise server stability, CentOS without question.

@gjacobse said in Office 365 Distribution list:

Looking at o365 to create a new distribution group, it would appear that while that is what I click on, I am getting the 'new' improved Office 365 Group instead.

I don't need all the function of an Office 365 Groups . I just need a distribution group

Has anyone run into this, and can you get around it - easily?

I create them in AD and let them sync to O365. They show properly then.
If I do create one in O365, you just got to make sure you create the correct one, look carefully, as others already stated.

@scottalanmiller CentOS, because of what SAM said.

Getting your certificates from on-prem to O365 for users is a manual process, and probably always will be a manual process, unless you are using Azure AD Connect (formerly DirSync), as discussed on SW.

Once a user has their certificate in their local user certificate store on their computer (done via group policy AutoEnrollment), you will always need to go into the Outlook properties to select the correct certificate(s) for signing and encryption, as you already know. After that, the only way to get it to Office 365 for that user, is to hit the "publish to GAL" button there in those Outlook options where you select the certificate.

If you revoke a certificate, which I should question why it happens so frequently that it's causing you extra work, and you distribute a new one, the user (or someone in IT) will just need to go into Outlook and select the new certificate. Surely you have an easy how-to on your Intranet showing users how to do it... basically just choosing the newest one available, then hitting the publish to GAL button. (kind of the same thing if one expires)

It sounds possible that there's a way to grab the cert data from AD and push it to O365 via powershell. It's probably just a matter of knowing how to arrange the data properly for O365 to take it. I'd submit a ticket to Microsoft via their O365 Admin portal. Surely they will have more info than me.

As for your Mac users, if they do not have a domain account or a certificate on a Windows computer, you can create a Certificate for them, export it, email it to them. Then they can install it on their Mac device via Outlook for Mac. I have a separate template set up for the purpose of creating external user certificates that are outside the scope of our domain, via CertSrv (hosted on your IIS server).

*** I re-read your first paragraph (after writing all of the above), and I am now looking at it a different way. Do you mean that the only way for someone to be able to send signed emails is if everyone in the entire company FIRST sends them a signed email or something? And then everyone needs to add that person in outlook? Now sure what you mean there, but I'm sticking with all the above I wrote anyways, as that's the standard. ***

@scottalanmiller How does it compare to Duolingo? What makes it better or more effective?

I'm interested as well. But I would also like to see Nutanix and Simplivity in there because Scale uses KVM... I'd like to see the comparisons with Hyper-V, VMWare, and VSAN in other HCI's rather than by themselves or custom built if you know what I mean. Or perhaps that's for a different thread. Either way, still interesting.

@scottalanmiller I wish I could find the time to keep up. Some days I can get a small streak going, but not usually.

@Tim_G That's out of about 1 billion write Ops, and 750 million read Ops. So as time goes on the percentages will most likely change.

@travisdh1 It is. And they are using an SSD cache to speed up read/writes to those slow 3.5" drives. About 98% of all writes and an average of about 75% of all reads are to/from SSD cache.

@scottalanmiller That must have been the issue, it's working now.

I did see a pop up saying I don't have permissions. I'll get the exact text...

New arrival, set to run Hyper-V 2016 for a smaller company:

Here's another like it, with a slightly different configuration already racked: