@scottalanmiller said in Windows file server query:
Seems that something like Netwrix must have something simpler to use. But I can see that if he is used to just using the Windows tools that learning something else seems silly. If all he's doing is auditing stuff, while odd, it seems fine.
Not that odd, not normal for a boss to be seeing those small things but he is the one who is very particular to security of our files...I've learned to understand them and adjust.
@tim_g said in Windows file server query:
No, it was originally a direct response to the OP, in the context of the OP, considering only what was in the OP. Had it contained circumstances that would justify the use of 2012, I would suggest as such. But it didn't, so no reason that I could find in the OP to use 2012.
Guys, from the context of my boss, it seems that she implies that 2016 is buggy and we would want to wait before upgrading. But it has been 2018 and has been patched several times and server 2019 is coming, so I think bringing in 2016 wouldn't be that hard the last time I tried.
@tim_g said in Windows file server query:
This doesn't make sense.
If someone wants to see who has access to a given share, then you show open up the group that has access, which shows all the members.
When you start granularly adding users to this folder that file here and there, there's no way at all to manage or audit that. You'd have to manually go through each and every folder and file properties to see who has permissions. That's got to be horrible!
For example, if you have a folder named \server\Accounting\invoices:
You:Create two groups in Active Directory:
ACL_Accounting Invoices_READ
ACL_Accounting Invoices_WRITEAssign ONLY those two groups with appropriate permissions to that "invoices" folder (in addition to the default permissions, admins group for example).
Then if your boss says, "hai who is permissions of invoices folder mang?"
Then you simply show the members of the above two groups. If someone new needs permissions, or needs permissions revoked, you simple add/remove them from one of those two groups.
Got that. I also wanted to implement it badly as changing NTFS permission means I have to wait for the propagation to finish which could take a while depending on the folder size. If part of a group, no waiting.
They, the directors, usually work late out at night, some weekends and holidays. At times, usually the one which I have stated (brother of my direct boss), checks who has access to which folder.
I have gone into saying I can install a program which he can list all users and members of each group but he stopped me saying it takes extra steps for a simple task of checking who has access to that folder.
@scottalanmiller said in Windows file server query:
Wait, what? You can't use VMware with IBM. That's literally impossible.
VMware is AMD64 only, IBM only makes Power.
When I said newer, it was the later ones deployed but still old in some standards. About 2011 (the beefier one) and 2013 (the one with the 4GB RAM) consecutively. I was looking into provisioning a hyper-v for it for lower task servers which we do not have right now...those we can do without--more of IT stuff monitoring--and perhaps an additional DC.
@jimmy9008 said in Windows file server query:
@vhinzsanchez
Yeah, that makes sense. Still doesnt mean the director needs to see how the ACLs are done (user/group) himself.
For example, i'd ask you to give, say, Karen, access to a share. You would go an do it. I'd not care how you do it. Thats your job to figure out.
I could ask you to report and audit for me who has access to what shares, and you would report it. I'd not need to login and check for myself... the Director has trust issues, otherwise you would do it how you see fit and report the permissions when asked.
Have been called more than once when I implemented it. He would like to see who is the member of those group.
I've not changed the groupings so I can retain it in the shares tab (since he can not see the tab), but on the permissions tab, I need to individually key in the users.
@jimmy9008 said in Windows file server query:
Why would the director be looking at that at all? They should be off playing golf or something... who is in which group/ACL is way below what a director should be doing. That is what the minions are for...
Here, its quite different. He (being a director, a brother of my boss...he is also a boss) wanted to know how has access to what. It is the same reason we can't have backup outside our network (cloud).
If an access is needed, he'll need to approve and what kind of access, R+W or ReadOnly. I usually give full access to directors and the administrator of the shared folder...who does nothing as I am the one updating the ACL...with the permission of that boss.
@black3dynamite said in Windows file server query:
Role-based access is the way to go. This site has a good example using role-based.
http://www.yster.org/role-based-access-control/
Thanks @black3dynamite, one of our directors would want to see the names themselves when checking for ACL. If I am to keyin the group, he can not see each individual. What I'm doing is the group is for Share tab and individual accounts in Permissions tab.
@vhinzsanchez said in Windows file server query:
It actually is an IT Infrastructure request but is so large a project that I would have to break it down to several phases or steps as what my boss told me.
IT infrastructure refresh to be exact. Present servers are custom-built, not even Super-Micro or 2nd hand Dells. Custom-built as in bought a server board, throw in some HDD, RAMs and a capable trurated PSU (not even dual) on a server rack-capable casing.
2 newer servers are IBMs. It houses an ERP (with big RAM) and the other one houses 2nd DC (no file sharing and with only 4GB RAM). It was that way when I arrived that is why I am asking for an upgrade.
@scottalanmiller said in Windows file server query:
Honestly, this could be your chance to move up. Sounds like your director isn't even aware of the role of IT and is thinking like a bench tech (tech for tech's sake) instead of thinking like an IT person. IT is a business function and doesn't exist outside of the context of servicing the business. If it doesn't meet business needs, IT shouldn't want to do it.
Oooppsss...sorry, perhaps I juggled words. I was directly reporting to a Director (my boss), one of the owners of the family-owned SME business who is in-charge of Operations. She's the one who got in-touch with VMWare and was present when they presented. However, on the occasions when VMWare's partner visited us, she was unavailable.
For the goals, I initially listed last year (but has been in discussion over 2 years ago) all IT goals, not business goals....but it includes, as I have solicited before, minimize electricity, better server management, backup and restore, and be a baseline for developing a disaster recovery solution.
It actually is an IT Infrastructure request but is so large a project that I would have to break it down to several phases or steps as what my boss told me.
@scottalanmiller said in Windows file server query:
You mean a salesman is running the show and the boss is just throwing the company's money to them? Every hypervisor comes with "proper" support. VMware has great support, but that's neither here nor there if it isn't a sensible product for your business.
Not quite, not quite there yet as my boss and the vendor still have to meet. But she made clear she wanted virtualization with VMWare. 2 years prior, I have made a point to virtualize, presenting (then good solution) XenServer and have read about HA-Lizard, I also introduced Hyper-V....she insisted on VMWare, let's see where it goes :smiling_face_with_open_mouth_closed_eyes:
@scottalanmiller said in Windows file server query:
Why are you looking at three hosts, instead of two? There is no capacity planning data, but the description makes it sound more likely that two would be all you need (and a far better solution.) Is the third host just a favour to the salesman to add 50% cost onto the project?
That's the other thing! My initial proposition is with XenServer for 2 hosts with HA-Lizard. VMWare presented with HCI with boss watching -- 3 hosts and the game changes.
VMWare passed me to their local partner who echoes the same. Initially wanting 3 hosts for HCI but I have have them pass a proposition for HPE VSA which did not happen as according to the sales personnel, the future of HPE VSA is unclear since HP bought and is favoring SimpliVity.
They passed a higher quote for a traditional 2 host but with SAN (2-storage clusters).
Boss wanted to have local implementation and local support so StarWind is out of the picture...for now. I am using a personal email account in contacting StarWind and present to management when necessary.
@scottalanmiller said in Windows file server query:
I think the biggest problem that I see here is a list of tech, without any goals. Flip it around.
Define your goals, then work towards them with the tech. Don't use tech just because it's on a list somewhere. That's how you end up with a disaster that cost a fortune, and doesn't do what is required. What are you trying to accomplish with all of this tech?
We don't know why you have any of it, so commenting on whether you should use it or not comes down to just ruling out tech that isn't production ready and guessing at the rest.
Like dedupe, nothing wrong with it, it's a great technology, but it doesn't make sense for most companies. So without knowing why you are looking at it, we have nothing to go on.
The goal is to virtualize...then at a latter point, upgrade to 2016 (or if boss really wanted 2012R2). Just listing what I thought I was using before then have been doubting if it was really needed.
@tim_g said in Windows file server query:
Has always worked well in my experience. I've used it for a long time, and used it on massive data stores... never any data loss, but then again, never had any issues to have to mess with it.
Depending on who you ask, you may get some horror stories.
@tim_g said in Windows file server query:
This is the only way to use it, really.
I have file servers virtualized that use Dedupe (via Hyper-V). Never any data corruption.
But I wouldn't base it on my experience alone, others have had issues.
I was thinking the same but have read some horror stories. It would have been nice as we have duplicating files in network shares.
What backup solution have you used?
@tim_g said in Windows file server query:
These three suck and just cause issues.
Ideally, they sound great and look great on paper, but in practice, they break and cause issues the more you use it and the more users use it.
But quite the contrary on our present physical install...but offline files are contained in few users at the moment.
@tim_g said in Windows file server query:
ABE works as it's designed, never ran into anything with that that would be a reason to not use it when it fits the business needs.
Have read about it years ago but has not implemented it. Will be trying to convince management to use it...such great feature to be left out.
@tim_g said in Windows file server query:
DFSN works great and is a great way to not have shares based on servers or IPs. I do recommend DFSN when able.
DFSR, depends on the use case... generally it's fine, but sometimes can cause issues depending on your setup, what you are replicating, and where it's replicating to.
@tim_g said in Windows file server query:
I'm going to assume that you mean ability for a VM to be "restored" to another host...
Define site? Single building? Skyscraper with multiple floors? Single campus with multiple buildings?
I'm not exactly sure what you're asking, but DFSN is useful in single sites just so you can get away from server names and IPs.
This is for a single site and buying a large server with storage with it so I don't think we would need a DFS-N for that, for a single file server that is. I was initially looking into replicating to another virtual server for availability, but then if server can be restarted to another host, then it should not be needed. Correct me if I'm wrong pls.
@scottalanmiller said in Windows file server query:
Insanely expensive, requires Windows Enterprise licensing and is considered not production ready and has very few large users, of those using it, data loss rates are through the roof. Avoid this at all costs.
@scottalanmiller said in Windows file server query:
Some of them would never be used. Your software RAID and RAIN systems would be expensive and never get touched, as the Vmware VSAN is already handling that stuff.
I also think so, that is why I re-thought the whole idea of Storage Spaces and Storage Spaces Direct, while good feature (but nonetheless you spoke of it as not enterprise ready) has no place in VMWare's solution.
Wow, thanks for the advises...many of them, especially when I was trying to read a find in other site why SAM was missing 
:
@tim_g said in Windows file server query:
This is extremely foolish to not go to Server 2016, especially while 2012 R2 is set to lose MS support soon.
@scottalanmiller said in Windows file server query:
Especially when Server 2019 is right around the corner!
@scottalanmiller said in Windows file server query:
What does this mean? If he's worried about bugs, it's 2012 R2 he'd be avoiding. Two really key points...
- 2016 is not "new" in the slightest, it's old. Not old like a problem, old like it is mature as its own release and just about to get replaced. It's YEARS since you could avoid it from being "new".
- 2016 is the latest version of 2012 R2. It's MORE mature than 2012 R2, not less. Old, static code isn't somehow "more stable" than the same code with more updates and fixes. That's insane.
Sounds like your boss is quite a bit confused about how software works.
@tim_g said in Windows file server query:
What do you have that is a requirement to have Windows-based file servers and VMWare?
What we have is a physical Windows 2008 and would like to virtualize it. We are now speaking with VMWare (my boss' choice...would have been contented with Hyper-V but happier that boss wanted VMWare with proper support) and their partner.
I am to virtualize windows file server so it can retain the ACL (NTFS as well as sharing) which has detailed access. I was, before, trying to group users based on their access but one of the boss wanted to check who has access to which folder/file and not interested in group--he wanted names--so I am left with retaining individual access (though made a group for share access).
I also stand corrected, its Server 2019 not 2018.
Hi,
Previously, I was eager to use the following MS Server features on my proposed server upgrade but it may not be advisable or economical so I am soliciting advice from you guys, ‘coz I might have been mistaken:
• Roaming Profiles
• Folder Redirection
• Offline Files
• Access-Based Enumeration
• Data Deduplication
• DFS-Namespace
• DFS-Replication
• Storage Spaces – software RAID?
• Storage Spaces Direct – LAN RAID or VSAN?
We will soon be upgrading/refreshing our infra and sooner, our server (Windows 2008—not the R2) but for the reason of this discussion, let’s just focus on the Windows Server. We will be migrating it and if at some time, I will need to upgrade it to 2012 R2 or 2016 (our Director is against going directly to 2016 as it may have bugs….I am for using the latest and greatest but then again, its her call—anyways, server 2018 is just around the corner 
)
The 1st phase is virtualizing our physical servers to whichever supports it including the Windows Server 2008. I understand that and I still wanted to use the 1st 3 items in our server (Roaming Profiles, Folder redirection and Offline files) and still thinking over the ABE.
Now the questions are if the rest of the items are still useful in virtualized environment of 3 hosts and VSAN (Hypervisor is VMWare with VSAN).
• Is data de-dupe working in virtualized environment? Does it present any cons or data corruption in terms of backup and restore?
• If there is an ability for a virtual server to be restarted to another host server (even if manual restart is required), is DFS (namespace and/or replication) still useful in a single site (though we have multiple sites but everything is just in a single site (HQ)?
• Now I think that the last 2 will not necessarily be needed as VMWare VSA will take care of it (also, if we upgrade, still to Pro version not Data Center), but what’s your take?
Thanks in advance for your inputs.
Congrats on beating the deadline @olivier and xcp-ng team
@dbeato said in Zimbra help..multi-domain each with own external relay:
limit of gmail relay sending at all.
Hi @dbeato, thanks! No, definitely not. I've not configured relay through gmail. I'm also not hitting a limit in my smtp.domain1.com and smtp.domain2.com as we are using both in our present Zimbra install.
I think what they are implying above is that emails sent to non-existent address/account should be dropped rather than generating a non-delivery receipt/response to the sender.
There's a pros and cons in the implementation. Ofcourse, it would be nice if the sender will be receiving a response that the mailbox is non-existent on the email server (being courteous). It might totally be non-existent or entered incorrectly, however, it will also get the idea that the domain exist, and that the sender with malicious intention will try to guess another recipient (instead of waiting forever for a response). Especially true for those with companies using generic addresses like cio, coo, sales01, sales02, etc.
Hope I'm not too late at the party!
Happy Birthday Scott!
Cheers!