Beefcrustycurtains

Severe issues with my role

Posted by Weird_Knowledge_1854@reddit | sysadmin | View on Reddit | 34 comments

Beefcrustycurtains@reddit

When you're competent you will be overloaded in a lot of companies. Not a lot of people are extremely capable. But it's really bad management for a manager to try and call in his sick employee. If you're sick or on vacation those that are working just have to figure it the fuck out.

New phone system

Posted by ipconfig-91@reddit | sysadmin | View on Reddit | 63 comments

Beefcrustycurtains@reddit

Trust me, Business Premium is a hell of a deal. You can roll out Intune and Windows Defender stuff to make your infrastructure modern. Any hosted phone solution you are going to spend around 10-15 per user. Teams Phones are on the higher end, around 15 dollars for Teams Phone + calling plan zone 1 license, but having everything in one spot is really nice for users.

New phone system

Posted by ipconfig-91@reddit | sysadmin | View on Reddit | 63 comments

Beefcrustycurtains@reddit

You guys use office 365 and teams? Teams phones work okay and it's nice for heavy teams users because it puts it all in one spot. You might even be able to convince them to ditch physical phones for just the regular mics you use for teams meetings.

A hacker pulled a successful phishing attack on an employee, what can he really do after?

Posted by WhateverHowever1337@reddit | sysadmin | View on Reddit | 121 comments

Beefcrustycurtains@reddit

Most companies are using Office 365. It's exposed to the internet. Look up evilnginx2; you can even create your own stolen session cookie phishing page and test it out with an Office 365 account (you could get one for like 6 bucks a month with Business Basic to test things). It works by proxying the real Office 365 sign-in flow and grabbing the resulting session cookie that can be used to sign in from anywhere. It also will capture the password and that can be used to try that email and password on other cloud based stuff, i.e. bank accounts or SaaS services. I spun one up so I could test why we haven't seen any stolen session cookie phishing with our external authentication method clients (Duo is what we use for most). I found they could capture the user's password but not steal the session cookie because it must be able to proxy every address the authenticator flow travels through to grab the cookie. Because Duo sends you through several of their own URLs it can capture unless it is extremely targeted to your organization and they know your Duo URLs (different for most orgs). We really push our clients to Duo as their 2factor whenever we can as a result. There are other ways to protect companies from this by using FIDO2 methods that use the device's TPM chip to bind to a physical key in the computer or Windows Hello. You can also have token protection policies that only work with Windows OS or some device compliance policies. Duo wouldn't protect against stolen session cookie phishing if they have installed malware that can steal session cookies from browsers; it only protects against the most common phishing attacks that are so common because they work and don't require a user to install any malware. Requiring FIDO2 would though.

Are my on-call duties normal?

Posted by Historical-Ad2210@reddit | sysadmin | View on Reddit | 139 comments

Beefcrustycurtains@reddit

The respond-in-15-minutes is pretty insane too. We have an on call rotation for a week every 12ish weeks and that week sucks, but we aren't expecting 24/7 NOC support from our on call techs. If you are sleeping get to it when you wake up. If you're not, respond within an hour for emergencies. Non emergencies get worked the next day. If you need 24/7 NOC support with that SLA you need to be staffed with regular shifts 24/7.

Moving from a VDI system to thick clients. What to use to manage?

Posted by fishy007@reddit | sysadmin | View on Reddit | 77 comments

SentinelOne to Defender Migration

Posted by hnguyen915@reddit | sysadmin | View on Reddit | 4 comments

Beefcrustycurtains@reddit

Haven't seen any issues with OneDrive and S1 except occasionally flagging the OneDrive updater as suspicious. But I really like Defender better. It's more complete when you are dealing with clients that heavily use O365 stuff. I've had way more issues with S1 disrupting legitimate applications than Defender.

Do You Guys Hate Setting Up Scan To Email As Much As I Do.

Posted by ShowOk6365@reddit | sysadmin | View on Reddit | 46 comments

AD CS question - Edge not trusting new internal site.

Posted by javajo91@reddit | sysadmin | View on Reddit | 25 comments

Beefcrustycurtains@reddit

Subject Alternative Name. By default it's not something that gets set when you do an IIS cert. You have to make sure it gets added. Even if it's just the one [domain.com](http://domain.com) it still needs a SAN saying domain.com.
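As an added example, not from the thread or the original poster, here is how a practitioner would request an AD CS web server cert that carries the SAN the comment describes, then verify the SAN is actually present before binding it. The hostname `intranet.domain.com`, the CA config string and the `WebServer` template name are placeholders.

```powershell
# Added example (not from the thread). Hostname, CA name and template name are placeholders.
# 1) certreq INF that puts the hostname in the SAN extension (OID 2.5.29.17).
#    Chromium-based browsers (Edge/Chrome) ignore the CN, so a CN-only IIS cert is untrusted.
$inf = @'
[NewRequest]
Subject = "CN=intranet.domain.com"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=intranet.domain.com&"

[RequestAttributes]
CertificateTemplate = WebServer
'@
Set-Content -Path .\request.inf -Value $inf
certreq.exe -new .\request.inf .\request.req
# Submit to the enterprise CA (placeholder config string) and install the issued cert:
#   certreq.exe -submit -config "CA01.domain.com\Contoso Issuing CA" .\request.req .\request.cer
#   certreq.exe -accept .\request.cer

# 2) Confirm the installed cert carries the SAN. Returns $null when the extension is missing,
#    which is exactly the cert that Edge will refuse.
function Get-CertSan {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $null }
    $san.Format($true)   # e.g. "DNS Name=intranet.domain.com"
}

# Usage: list every cert in the machine store that has no SAN at all
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { -not (Get-CertSan -Thumbprint $_.Thumbprint) } |
    Select-Object Subject, Thumbprint, NotAfter
```

The verification step is the one worth keeping around: it catches certs issued from older templates or from a manual IIS request that silently dropped the SAN.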

dmarc management and reporting solutions?

Posted by _SleezyPMartini_@reddit | sysadmin | View on Reddit | 21 comments

Beefcrustycurtains@reddit

PowerDMARC has really awesome pricing for MSPs, basically unlimited customers/domains. We use it for all of our clients; as part of onboarding we set up DMARC monitoring for a month or two before we move them to the reject policy, after we've gotten all unauthenticated email authenticated.
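The two-stage rollout the comment describes (monitor first, reject once every legitimate sender authenticates) boils down to two DNS TXT records plus a check of where a domain currently sits. This is an added example, not PowerDMARC's tooling or anything from the thread; `domain.com` and the report mailbox are placeholders.

```powershell
# Added example (not from the thread). domain.com and the rua mailbox are placeholders.

# Stage 1 record at _dmarc.domain.com: monitor only. Aggregate (rua) reports go to the DMARC
# tool, nothing is rejected, and the reports show every sender that fails SPF/DKIM alignment.
$monitorRecord = 'v=DMARC1; p=none; rua=mailto:dmarc-reports@domain.com; pct=100'

# Stage 2 record, published only after every legitimate source passes alignment.
# sp=reject covers subdomains so an attacker cannot spoof mail.domain.com instead.
$rejectRecord  = 'v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@domain.com; pct=100'

# Look up what a domain currently publishes and extract the policy tag.
function Get-DmarcPolicy {
    param([Parameter(Mandatory)][string]$Domain)
    $answer = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue
    $txt = ($answer | Where-Object { $_.Strings } | ForEach-Object { $_.Strings -join '' }) -join ''
    if (-not $txt -or $txt -notmatch '^v=DMARC1') {
        return [pscustomobject]@{ Domain = $Domain; Policy = 'not published'; Record = $null }
    }
    # p= is a whole tag; the (^|;) guard stops it matching the "pf=" inside an aspf= tag
    $policy = if ($txt -match '(^|;)\s*p=(\w+)') { $Matches[2] } else { 'none' }
    [pscustomobject]@{ Domain = $Domain; Policy = $policy; Record = $txt }
}

# Usage: a domain still at p=none after the monitoring window has not finished onboarding
Get-DmarcPolicy -Domain 'domain.com'
```

Running the check across all client domains is a quick way to spot tenants that were left in monitoring mode and never moved to `p=reject`.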

anyone else getting tired of explaining why we can't just use cloud for everything

Posted by Sroni4967@reddit | sysadmin | View on Reddit | 325 comments

Did I Do Something Wrong?

Posted by notRea11ySure@reddit | sysadmin | View on Reddit | 189 comments

Citrix remote access alternative

Posted by Desperate-Pirate-971@reddit | sysadmin | View on Reddit | 17 comments

Best way to move user to new AD account but keep existing mailbox? (Hybrid AD + M365)

Posted by Cautious_Corner_4838@reddit | sysadmin | View on Reddit | 27 comments

Beefcrustycurtains@reddit

You don't need to make a new user account. If you just change the username on the same account everything stays the same profile and the lockouts stop. Ever since we got SIEM for our clients I just look up where exactly the lockouts are coming from and can figure it out pretty easily. Netwrix also has a free lockout examiner tool.
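Without a SIEM or the Netwrix tool, the same "where are the lockouts coming from" question is answered by event 4740 on the PDC emulator, which records the caller computer name for every lockout. Added example, not from the thread; it assumes the RSAT ActiveDirectory module for finding the PDC emulator and read access to the DC's Security log.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT) and
# rights to read the Security log on the PDC emulator, which receives every lockout.
function Get-LockoutSource {
    param(
        [string]$SamAccountName,   # optional: only this account, e.g. 'jsmith'
        [int]$Hours = 24
    )
    $pdc = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }

    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull fields by name from the event XML rather than by position.
            $data   = ([xml]$_.ToXml()).Event.EventData.Data
            $user   = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            # In 4740 the TargetDomainName field holds "Caller Computer Name": the machine
            # that sent the bad passwords (stale cached creds, a service, a mapped drive...).
            $caller = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
            if (-not $SamAccountName -or $user -eq $SamAccountName) {
                [pscustomobject]@{
                    Time           = $_.TimeCreated
                    User           = $user
                    CallerComputer = $caller
                    LoggedOn       = $_.MachineName
                }
            }
        } | Sort-Object Time -Descending
}

# Usage: last two days of lockouts, grouped so repeat offenders stand out
Get-LockoutSource -Hours 48 |
    Group-Object User, CallerComputer |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Once the caller computer is known, the 4625/4771 events on that machine (or on the DC it talks to) narrow it down to the specific process or logon type, which is what actually needs fixing; recreating the account only moves the problem.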

Outlook Classic Send/Receive Broken

Posted by Most-Web-7736@reddit | sysadmin | View on Reddit | 11 comments

Beefcrustycurtains@reddit

How big is the user's OST on the PC? If it's close to 50 GB it will do this. Need to adjust caching to not cache shared mailboxes (if they have large shared mailboxes attached to them) or reduce the amount of total caching.

Welp, I got an offer for another job.

Posted by literahcola@reddit | sysadmin | View on Reddit | 172 comments

AD / DNS is broken

Posted by iLiightly@reddit | sysadmin | View on Reddit | 41 comments

VPN Slow Data Transfers / Packet Loss

Posted by TKitch@reddit | sysadmin | View on Reddit | 27 comments

Friend sent me a picture of his lunch

Posted by ElPicalino@reddit | shittyfoodporn | View on Reddit | 38 comments

I found the secret to stopping all spam

Posted by ifpfi@reddit | sysadmin | View on Reddit | 37 comments

Made the mistake of ordering a shamrock McFlurry

Posted by Competitive-Ad3424@reddit | shittyfoodporn | View on Reddit | 189 comments

I absolutely cannot wait to dig in

Posted by Motherofnails@reddit | shittyfoodporn | View on Reddit | 61 comments

Rebranding company + M365 tenant rename — what should I watch out for?

Posted by LynxGullible4366@reddit | sysadmin | View on Reddit | 27 comments

Beefcrustycurtains@reddit

No problem. I've done several of these for different organizations. It can be a real pain if you are heavily using onenote, onedrive/sharepoint, and if UPN changes entra joined (not hybrid) pcs are a little problematic as users will have to sign in with the new username.

Rebranding company + M365 tenant rename — what should I watch out for?

Posted by LynxGullible4366@reddit | sysadmin | View on Reddit | 27 comments

Beefcrustycurtains@reddit

There is a guide for a tenant rename process. It will break a lot of previously used OneDrive links, especially if changing the primary UPN domain. If you rename the organization name of the tenant, new SharePoint sites synced with OneDrive will go to the new org's name folder, so you might end up with Old Name > Synced Sites before the rename, New Name > Synced Sites after the rename, which is very annoying. That can be fixed, but you have to unsync the sites and delete a registry key to get rid of the entry. [https://learn.microsoft.com/en-us/sharepoint/change-your-sharepoint-domain-name](https://learn.microsoft.com/en-us/sharepoint/change-your-sharepoint-domain-name) The article above gives you a list of things that will break as a result, but since you aren't really using SharePoint it probably won't cause a lot of problems. People might just need to share out. Are you planning on changing the UPN for users? If you are Entra Joined only (not hybrid devices) you will have to sign in as "other user" after the UPN change. Things will still be the same profile, but it will fail to login otherwise.

Prepping AD DS refresh and I have some questions

Posted by javajo91@reddit | sysadmin | View on Reddit | 5 comments

Beefcrustycurtains@reddit

I wouldn't bring the DC back online. If the trust is no longer needed, remove the trust. Raising functional level has always been no big deal. If you're only a 22-person company, do you really need the on prem AD at this point? Intune + O365 serverless is where we are trying to get to for any client that's small that doesn't actually need on prem infrastructure. As long as you don't have a ridiculous amount of files then SharePoint for file shares is easy. You want to limit OneDrive/SharePoint sync to 300k files though, as that's the max recommended for OneDrive sync. I've been able to run 500k without any issues but at a million files things get real wonky.

If you really need the on prem infrastructure, you will want to do a DFSR migration if you haven't already. You would be forced to on DCs running 2019+. DFSRMig steps for adding a 2019 DC to a domain still using FRS:

1. **dfsrmig /getglobalstate**. Output explains it's not initiated DFSR migration yet.
2. **dfsrmig /setglobalstate 1**
3. Type **dfsrmig /getmigrationstate** to confirm all domain controllers have reached the prepared state.
4. Type **dfsrmig /setglobalstate 2** and press enter.
5. Type **dfsrmig /getmigrationstate** to confirm all domain controllers have reached the redirected state.
6. **dfsrmig /setglobalstate 3**
7. Type **dfsrmig /getmigrationstate** to confirm all domain controllers have reached the eliminated state.

User backups from Windows Server

Posted by West-Somewhere3984@reddit | sysadmin | View on Reddit | 2 comments

Beefcrustycurtains@reddit

I wouldn't do all of that, but yes, Windows Backup can be configured to back up to a server's network share. Do you guys not have Office 365 at all? Pushing out policies to force PCs to back up their Desktop, Documents and Pictures to OneDrive would be what I would recommend. It doesn't make sense in 2026 to still be trying to back up user machines in this way.
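The policy the comment recommends is OneDrive Known Folder Move. Below is an added example, not from the thread, of the machine-level registry values that the OneDrive ADMX policies set (the same ones Intune or a GPO would push), plus a client-side check that the redirection took. The tenant ID is a placeholder; read the real one from the Entra ID overview page.

```powershell
# Added example (not from the thread). The tenant ID is a placeholder.
# These HKLM values are what the OneDrive ADMX policies write; push them via Intune/GPO
# in production. They take effect the next time OneDrive starts for a signed-in user.
$tenantId = '00000000-0000-0000-0000-000000000000'   # placeholder: your Entra tenant ID
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
New-Item -Path $policyKey -Force | Out-Null

# Sign OneDrive in automatically with the Entra ID account of the logged-on user
Set-ItemProperty -Path $policyKey -Name 'SilentAccountConfig' -Value 1 -Type DWord
# Silently move Desktop, Documents and Pictures into OneDrive for this tenant only
Set-ItemProperty -Path $policyKey -Name 'KFMSilentOptIn' -Value $tenantId -Type String
# 1 = show the user a notification once the move is done
Set-ItemProperty -Path $policyKey -Name 'KFMSilentOptInWithNotification' -Value 1 -Type DWord
# Prevent users from moving the known folders back to the local profile
Set-ItemProperty -Path $policyKey -Name 'KFMBlockOptOut' -Value 1 -Type DWord

# Verification on a client, run as the user: the shell folder paths should now live under
# the OneDrive root, which means the data is synced and no per-PC backup job is needed.
function Test-KnownFolderMove {
    $shell = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $root  = $env:OneDriveCommercial
    foreach ($name in 'Desktop', 'Personal', 'My Pictures') {
        $path = [Environment]::ExpandEnvironmentVariables($shell.$name)
        [pscustomobject]@{
            Folder  = $name
            Path    = $path
            Synced  = [bool]($root -and $path.StartsWith($root, 'OrdinalIgnoreCase'))
        }
    }
}
Test-KnownFolderMove | Format-Table -AutoSize
```

Machines that still show `Synced = False` after the policy has applied are the ones worth chasing, since a folder that did not move is also the one that would be lost with the PC.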

Demoting a DC that's been offline for 3+ months

Posted by Unique-Sky-9387@reddit | sysadmin | View on Reddit | 40 comments

Beefcrustycurtains@reddit

[https://techcommunity.microsoft.com/blog/itopstalkblog/step-by-step-manually-removing-a-domain-controller-server/280564](https://techcommunity.microsoft.com/blog/itopstalkblog/step-by-step-manually-removing-a-domain-controller-server/280564) Leave it off and just manually remove it from AD. Note: I haven't had to use the metadata cleanup util listed after this. Every time I've manually run the deletion in the steps above, nothing is ever found, so I just stopped doing that.

Outage: Azure AD Connect Issues post upgrade (2.6.1.0)

Posted by ZovexUK@reddit | sysadmin | View on Reddit | 22 comments

Beefcrustycurtains@reddit

Nope, have tons of AD Connect servers that I manage and many of them are on that update without issue. Good news is, it's really easy to rebuild an AD Connect server. Just get one of the recent JSONs from `C:\program data` to figure out what custom sync rules and stuff might have been set up.

Split-DNS internal and external domain is the same

Posted by Bsdkllr@reddit | sysadmin | View on Reddit | 35 comments

Beefcrustycurtains@reddit

Yea, if you use [www.domain.com](http://www.domain.com) as the primary website URL, then as long as you have the CNAME for [www.domain.com](http://www.domain.com) in your internal DNS and tell people to type the www. while in the office, you're good to go without having to do the netsh portproxy commands on all the DCs. If you are unable to do that for whatever reason, then you have to use the netsh interface portproxy commands to point 443 on your DCs to the website and allow port 443 inbound in the Windows Firewall on the DCs.

Split-DNS internal and external domain is the same

Posted by Bsdkllr@reddit | sysadmin | View on Reddit | 35 comments

Beefcrustycurtains@reddit

`netsh interface portproxy add v4tov4 listenport=443 connectport=443 connectaddress=WEBSITEARECORDIPADDRESS` on the DCs will do it. Or force your site to use www. as the primary domain; you can then use a WWW CNAME record to keep it working internally and externally, which is what I would recommend doing over the portproxy netsh command, but that one works as well. Just have to make sure port 443 inbound in the firewall on the DCs is working.
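Both options from the two comments above, written out as an added example that is not part of the thread: the CNAME in the internal AD-integrated zone, and the portproxy plus firewall rule on each DC as the fallback. Zone name, CNAME target and the website IP are placeholders.

```powershell
# Added example (not from the thread). 'domain.com', the CNAME target and 203.0.113.10
# are placeholders; run on a DC (DnsServer and NetSecurity modules are present there).

# Option A (preferred): publish www in the internal zone so office clients resolve
# www.domain.com to the public web host instead of the DCs. The apex name itself must
# keep pointing at the DCs (LDAP/Kerberos lookups use it), which is why the apex cannot
# simply be repointed at the website.
Add-DnsServerResourceRecordCName -ZoneName 'domain.com' -Name 'www' `
    -HostNameAlias 'sites.example-host.net' -TimeToLive (New-TimeSpan -Hours 1)

# Option B (fallback when the site must stay at the bare apex): every DC answers for
# domain.com, so each DC forwards TCP/443 to the website's public A-record IP.
$websiteIp = '203.0.113.10'   # placeholder: the website's public A record
# portproxy depends on the IP Helper service; make sure it is running and stays that way
Set-Service -Name iphlpsvc -StartupType Automatic
Start-Service -Name iphlpsvc
netsh interface portproxy add v4tov4 listenport=443 listenaddress=0.0.0.0 connectport=443 connectaddress=$websiteIp
New-NetFirewallRule -DisplayName 'Split-DNS website forward TCP 443' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -Action Allow -Profile Domain

# Checks: the listener is registered and a client-side lookup of www resolves as expected
netsh interface portproxy show v4tov4
Resolve-DnsName -Name 'www.domain.com' -Type CNAME
```

Option B means the DCs are now terminating inbound 443 from the whole LAN on behalf of the website, so keep the firewall rule scoped to the domain profile and remove the proxy (`netsh interface portproxy delete v4tov4 listenport=443 listenaddress=0.0.0.0`) once the site can move to www.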

O365 mail servers existing outside of the US is causing issues

Posted by carfo@reddit | sysadmin | View on Reddit | 31 comments

Beefcrustycurtains@reddit

We've seen a ton of spoofed and phishing messages from Japan for some reason. I've never seen any legitimate mail from there, but none of the companies I support do business with Japanese companies. Geo-IP blocking mail from certain countries is a little silly anyways though. Tons of malicious emails get sent from the US every day, but I definitely wouldn't try to lock anyone down to only US IPs.

UAC Approval Prompt Program

Posted by ComplexLeft4357@reddit | sysadmin | View on Reddit | 23 comments

They are stupid, what can I do ?

Posted by Realfortitude@reddit | sysadmin | View on Reddit | 27 comments

New Employer Wants Me to essentially Notify My Current Manager Before Onboarding is finalized — Is This Normal?

Posted by endante1@reddit | sysadmin | View on Reddit | 199 comments

January 2026 Windows Server 2025 CU fails and rolls back – KB5073379 (26100.32230)

Posted by Professional-Lion214@reddit | sysadmin | View on Reddit | 50 comments

CA Windows Server upgrades

Posted by evil-scholar@reddit | sysadmin | View on Reddit | 6 comments

Beefcrustycurtains@reddit

Microsoft has the process all documented as well: [https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/migrate-certification-authority?tabs=server-manager](https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/migrate-certification-authority?tabs=server-manager) Definitely don't attempt the inplace upgrade on a CA.

January 2026 Windows Server 2025 CU fails and rolls back – KB5073379 (26100.32230)

Posted by Professional-Lion214@reddit | sysadmin | View on Reddit | 50 comments

Beefcrustycurtains@reddit

I don't really have many 2025 servers in the environments I manage. The few we do have patched no problem, but since you have other 2025s that patched, it seems to be a problem specific to this box.

January 2026 Windows Server 2025 CU fails and rolls back – KB5073379 (26100.32230)

Posted by Professional-Lion214@reddit | sysadmin | View on Reddit | 50 comments

Beefcrustycurtains@reddit

Script to mark corrupted packages as absent, which allows the download of the good files. Normally used for 0x80073701/0x800f0831:

```powershell
# Walk every CBS package key and reset the ones whose CurrentState marks them as
# corrupt/staged (0x50 or 0x40) back to 0 (absent), so servicing re-downloads them.
$name = 'CurrentState'
$check = (Get-ChildItem -Path 'HKLM:\software\microsoft\windows\currentversion\component based servicing\packages' -Recurse).Name
foreach ($check1 in $check) {
    # Get-ChildItem returns HKEY_LOCAL_MACHINE\... names; turn them into HKLM: drive paths
    $check2 = $check1.Replace('HKEY_LOCAL_MACHINE', 'HKLM:')
    $state = (Get-ItemProperty -Path $check2).$name
    if ($state -eq 0x50 -or $state -eq 0x40) {
        # Print the package being reset, then mark it absent
        Write-Host (Get-ItemProperty -Path $check2).PSChildName
        Set-ItemProperty -Path $check2 -Name $name -Value 0
    }
}
```

January 2026 Windows Server 2025 CU fails and rolls back – KB5073379 (26100.32230)

Posted by Professional-Lion214@reddit | sysadmin | View on Reddit | 50 comments

Beefcrustycurtains@reddit

That particular error is related to corruption with Windows events. Some people had luck with previous updates by deleting some registry keys (always back up the registry before, or better yet take a snapshot so you can easily roll back if shit goes sideways): [https://www.reddit.com/r/WindowsServer/comments/1o934sl/problems_installing_kb5066836_on_server_2016/](https://www.reddit.com/r/WindowsServer/comments/1o934sl/problems_installing_kb5066836_on_server_2016/)

I'm considering leaving my first IT position but I have conflicting feelings about leaving my mentor.

Posted by BioshockEnthusiast@reddit | sysadmin | View on Reddit | 79 comments

Beefcrustycurtains@reddit

If there aren't any more growth opportunities at your current company, then yes it's probably time to move on. I still keep in touch with my first few mentors, so it's not like it has to be the end of that relationship entirely.

Certifications to go from Help Desk to Windows System Administrator?

Posted by Illustrious-Pop-8906@reddit | sysadmin | View on Reddit | 26 comments

Beefcrustycurtains@reddit

When I'm hiring sys admins, I don't care about certs or college education, this is mainly because I have no certs or college education and I'm an IT Director at a decently successful MSP. Learning on the job always trumps certificates/education. If you work at a smaller MSP for a few years, you will definitely have enough knowledge to get an internal role as a jr sys admin at most organizations.

Told to purchase AI licensing because the board members want it.

Posted by catroaring@reddit | sysadmin | View on Reddit | 122 comments

I would be embarrassed to send this message to someone

Posted by badaz06@reddit | sysadmin | View on Reddit | 152 comments

Is low RAM causing constant slowdown and crashes on AVD?

Posted by NoManner9356@reddit | sysadmin | View on Reddit | 20 comments

Beefcrustycurtains@reddit

They are definitely trying to cheap out on the solution to make it affordable. Just sucks for you guys. You should document the amount of time you spend just trying to work and provide that to your manager. I'm an IT director at an MSP and we recently just won some business because the previous MSP highly recommended AVD when the people all had cloud based only apps. It didn't make any sense and everyone had a bad time working with the AVD. We set them up on actual laptops and they were extremely happy with us because things just worked. Is the only reason for the AVD because of this McLeod dispatch software?