Overclockers Australia Forums

Old 12th January 2017, 1:34 PM   #271
freaky_beeky
Member
 
Join Date: Dec 2004
Location: Brisbane
Posts: 920

Quote:
Originally Posted by looktall View Post
the links between our sites aren't particularly high.
pushing content out to the DP's from the primary site server is a slow process that is often needed to be done out of standard business hours (and considering most of our sites run 24/7 even that can have a large impact).

instead we have a dedicated build server at about 8 sites configured with MDT, WSUS etc.
the images are built on and deployed from those servers to their respective sites, by the local onsite IT support.

drivers complicate matters too.
we don't run a fleet of pc's consisting of only 2-3 models, that get replaced every x years.
instead it is a list of various models as long as your arm dating back to the dawn of time.
managing the driver content on the DP's would be a fucking nightmare.
instead the drivers are managed on the MDT build servers by the local onsite IT support.
I think if you looked at the situation again you might reconsider your approach (depending on how many models you really have and how long it would take to test them).

If you enable binary differential replication on your WIM file you may be surprised at how little information ends up being transferred to your remote sites (although this definitely increases the compute load at the other end).

Management of your WSUS/SUP would be very similar to what it is now.

The issue of requiring updates to content (pushing out things from the "central" DP or DPs to remote DPs) can be managed all via the Rate Limits tab within SCCM. You could throttle during "peak times" (or disable it completely, which is the option I have taken in most sites) and increase the rate for "off peak" times.

The drivers would be the hardest part, but with SCCM 2012, the driver management is *significantly* easier than 2007 (if that's what has raised your concern). You could just import them all into SCCM 2012 and just create a per site package (temporarily until you work out how best to organise them). Then you could just use an Auto Apply Driver step, rather than what I assume you're doing, which is apply each "models" or each "sites" driver pack to their respective build.

These driver packages can also be deployed to remote sites with binary differential compression to minimise the impact to your links.

I imagine if you started to centrally manage your drivers, you would find that it actually isn't that hard to manage for wide and varying degrees of hardware. For example if you split the categories into video, system, network etc... If you pull down the current versions for the major vendors I think you will find it easy to manage new version upgrades, as well as reduce the overall size of the driver store. The tough part of finding the odds and bobs for weird devices around the place has already been done for you, you simply need to find which of these (from your collection of drivers from sites) are actually required.

Some of the benefits of this system would be the automated deployment of updates to all your machines centrally, the automated and centralised maintenance of your "SOE" WIM and the reduced overhead from having to manage all the individual instances, not to mention the centralised reporting of it all.

I don't expect that you'll do this, but just thought it might be some food for thought.
__________________
i own a pc
freaky_beeky is offline   Reply With Quote

Old 12th January 2017, 1:46 PM   #272
looktall
Working Class Hero
 
Join Date: Sep 2001
Location: brabham.wa.au
Posts: 23,129

Quote:
Originally Posted by freaky_beeky View Post
I don't expect that you'll do this, but just thought it might be some food for thought.
thanks for the advice and you're correct i won't be doing this but primarily because i'm looking for a new job elsewhere so i am disinclined to put any effort into the current situation.

hopefully wherever i end up working next has an existing setup in place that i can maintain and/or improve on.
if not, perhaps then i can look into building it all up from scratch in a better fashion than what i currently have.
looktall is offline   Reply With Quote
Old 12th January 2017, 3:09 PM   #273
freaky_beeky
Member
 
Join Date: Dec 2004
Location: Brisbane
Posts: 920

Quote:
Originally Posted by looktall View Post
thanks for the advice and you're correct i won't be doing this but primarily because i'm looking for a new job elsewhere so i am disinclined to put any effort into the current situation.

hopefully wherever i end up working next has an existing setup in place that i can maintain and/or improve on.
if not, perhaps then i can look into building it all up from scratch in a better fashion than what i currently have.
I've worked in quite a number of environments now, and I can't recall walking into one and thinking it couldn't use some improvements. With regards to SCCM specifically, it's almost like every business either Next Wizards the install, or gets an MSP to deploy a cookie cutter mould to their environment leading to all kinds of unreliability and general awkwardness. I'm sure if you find yourself a new environment you'll have plenty of work to do! (Best of luck on the job search front too)
__________________
i own a pc
freaky_beeky is offline   Reply With Quote
Old 12th January 2017, 6:19 PM   #274
tin
Member
 
Join Date: Jul 2001
Location: Narrabri NSW
Posts: 6,390

Not very businessy, but last night's Win10 updates broke my "proper" sound card (an old SB X-Fi). The cheap Realtek HDA kept going though, so most business stuff should be fine based on that one anecdote....
Fix was to just remove the device in device manager (chose to delete the driver too - not sure if that was necessary). Worked straight away without reboot.

I'm starting to get sick of these "let's break shit" updates. Not looking forward to the update labelled "You didn't need that video card, right? (KB8403887762)".
__________________

The software required Win95 or better, so I installed Linux.
Question marks are the new full stop?
tin is offline   Reply With Quote
Old 27th January 2017, 9:04 AM   #275
PabloEscobar Thread Starter
Member
 
Join Date: Jan 2008
Posts: 9,560

Win10 Update doesn't play nice with WSUS

https://support.microsoft.com/en-us/...-by-using-wsus
PabloEscobar is offline   Reply With Quote
Old 31st January 2017, 3:42 PM   #276
freaky_beeky
Member
 
Join Date: Dec 2004
Location: Brisbane
Posts: 920
Root Certification Authorities - Missing Certs

Hey All,

Since January (as a result of what I presume was Microsoft's SHA1 expiration) any PC that we image up with our previously working Windows 10 build is missing a huge number of certificates from the Trusted Root Certification Authorities and Third-Party Root Certification Authorities. I've had a look on some of the older machines and confirmed they were signed with SHA1, but thought that they would be exempt.

We've disabled the following Group Policy:
Code:
Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings
Turn off Automatic Root Certificates Update
Which relates to the following reg key
Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate
This allows the certificate store to be updated from Microsoft via Windows Updates. This starts populating the store with certificates as you hit them, e.g. navigating to various websites adds the root cert to the trusted store, however it does not return them all to the store and is causing other issues for us.

The major issue is that it is preventing our internally hosted PAC file from functioning as expected, despite being hosted on HTTP (rather than HTTPS).

Anyone else run into this? I'm assuming this should be a relatively easy fix, however I just can't seem to work it out.
__________________
i own a pc
freaky_beeky is offline   Reply With Quote
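
An audit for the situation described in post #276, as an added example that is not part of the original post: it reads the `DisableRootAutoUpdate` policy value, summarises the Trusted Root (`Root`) and Third-Party Root (`AuthRoot`) stores, and lists roots present on a known-good machine but missing from a freshly imaged one. The function names and CSV paths are hypothetical.

```powershell
# Added example (not from the thread): audit root-update policy and root stores.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'

function Get-RootAutoUpdateState {
    # DisableRootAutoUpdate = 1 means "Turn off Automatic Root Certificates Update"
    # is enabled; 0 or a missing value leaves automatic root updates on.
    $prop = Get-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
    if ($prop.DisableRootAutoUpdate -eq 1) { 'Disabled by policy' } else { 'Enabled' }
}

function Get-RootStoreSummary {
    # Root = Trusted Root CAs, AuthRoot = Third-Party Root CAs
    foreach ($store in 'Root', 'AuthRoot') {
        $certs = @(Get-ChildItem -Path "Cert:\LocalMachine\$store")
        [pscustomobject]@{
            Store      = $store
            Total      = $certs.Count
            Sha1Signed = @($certs | Where-Object { $_.SignatureAlgorithm.FriendlyName -like 'sha1*' }).Count
            Expired    = @($certs | Where-Object { $_.NotAfter -lt (Get-Date) }).Count
        }
    }
}

function Export-RootThumbprints {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\AuthRoot |
        Select-Object @{ n = 'Store'; e = { $_.PSParentPath -replace '.*\\' } }, Thumbprint, Subject |
        Export-Csv -Path $Path -NoTypeInformation
}

function Compare-RootThumbprints {
    # Returns rows that exist only in the reference (known-good) export.
    param([string]$ReferenceCsv, [string]$NewBuildCsv)
    Compare-Object (Import-Csv $ReferenceCsv) (Import-Csv $NewBuildCsv) `
        -Property Store, Thumbprint -PassThru |
        Where-Object SideIndicator -eq '<='
}

# Run on each machine, then compare the two exports (paths are hypothetical):
"Automatic root update: $(Get-RootAutoUpdateState)"
Get-RootStoreSummary | Format-Table -AutoSize
# Export-RootThumbprints -Path C:\Temp\roots-newbuild.csv
# Compare-RootThumbprints C:\Temp\roots-good.csv C:\Temp\roots-newbuild.csv
```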
Old 31st January 2017, 6:04 PM   #277
PabloEscobar Thread Starter
Member
 
Join Date: Jan 2008
Posts: 9,560

May not be relevant, but I did notice

Addressed issue that loads websites that bypass the proxy server in the local intranet zone when the Intranet Sites: Include all sites that bypass the proxy server (Disabled) is set.

In the patch notes for the latest build, We've had some strangeness with what Windows determines as a "Local" site (anything with a (.) in it, was classed as not local). G fucking G.
PabloEscobar is offline   Reply With Quote
Old 31st January 2017, 7:06 PM   #278
rainwulf
Member
 
Join Date: Jan 2002
Location: bris.qld.aus
Posts: 3,902

Quote:
Originally Posted by PabloEscobar View Post
May not be relevant, but I did notice

Addressed issue that loads websites that bypass the proxy server in the local intranet zone when the Intranet Sites: Include all sites that bypass the proxy server (Disabled) is set.

In the patch notes for the latest build, We've had some strangeness with what Windows determines as a "Local" site (anything with a (.) in it, was classed as not local). G fucking G.
Ran into that myself too. Thought it was bizarre. Had to pull a copy of the security zone information from a working machine.
__________________
derp
rainwulf is offline   Reply With Quote
Old 1st February 2017, 9:31 AM   #279
freaky_beeky
Member
 
Join Date: Dec 2004
Location: Brisbane
Posts: 920

Thanks for the suggestion. I used the short name rather than the FQDN for my PAC file path but unfortunately that had no effect.

If I image a new machine now, I cannot navigate to any website unless I explicitly specify the proxy rather than use the (working everywhere else) auto-configuration PAC.

Strangely enough if I leave the home page to load for an excessively long time (minutes) it will eventually load up as long as I have the aforementioned Group Policy configured to allow it to pull down the certificate. This website's parent domain is also in the Local Intranet Zone via group policy as well.
__________________
i own a pc
freaky_beeky is offline   Reply With Quote
Old 1st February 2017, 10:23 AM   #280
looktall
Working Class Hero
 
Join Date: Sep 2001
Location: brabham.wa.au
Posts: 23,129

What if you use an IP address for your PAC file path?
looktall is offline   Reply With Quote
Old 1st February 2017, 11:56 AM   #281
freaky_beeky
Member
 
Join Date: Dec 2004
Location: Brisbane
Posts: 920

Quote:
Originally Posted by looktall View Post
What if you use an IP address for your PAC file path?
Great suggestion, tried it but to no avail.

I have recently imported all the certificates manually and am still experiencing the same problem, which makes me feel like I'm experiencing two different issues simultaneously now so I've elected to try the same steps on a physical machine... (different subnet, routes and the like)

EDIT: So to confirm, my PAC file is fine, networks have done some trickery on the subnet my VM is on preventing me from accessing the production proxy. Everything works fine if that Group Policy is set (the certs are missing, but they are automatically downloaded from Microsoft as requested)
__________________
i own a pc

Last edited by freaky_beeky; 1st February 2017 at 12:28 PM.
freaky_beeky is offline   Reply With Quote
Old 15th February 2017, 9:36 AM   #282
CptVipeR
Member
 
Join Date: Jun 2001
Location: Hobart
Posts: 707

What!! some actual QA done and the patch held back. bravo!

https://www.itnews.com.au/news/micro...ily_newsletter
CptVipeR is offline   Reply With Quote
Old 16th February 2017, 4:04 PM   #283
PabloEscobar Thread Starter
Member
 
Join Date: Jan 2008
Posts: 9,560

Quote:
Originally Posted by CptVipeR View Post
What!! some actual QA done and the patch held back. bravo!

https://www.itnews.com.au/news/micro...ily_newsletter
Held Back until march.

Quote:
Originally Posted by Microsoft
UPDATE: 2/15/17: We will deliver updates as part of the planned March Update Tuesday, March 14, 2017.
I think there was an SMB 0-day floating around, so make sure you're blocking outbound SMB, or someone will send a link to \\somerwhere.com\dodgy and wreck your shit.
PabloEscobar is offline   Reply With Quote
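
One way to apply the "block outbound SMB" advice from post #283 on a Windows host, as an added example that is not part of the original post: because Windows Firewall block rules take precedence over allow rules, the rule names the non-RFC 1918 address ranges explicitly rather than blocking everything and allowing internal subnets. The rule name is hypothetical, and the rule covers IPv4 only.

```powershell
# Added example (not from the thread): host-level outbound SMB block for public IPv4 space.
# The ranges below are the complement of 10/8, 172.16/12 and 192.168/16, so
# internal file shares keep working while SMB to the Internet is dropped.
$publicRanges = @(
    '0.0.0.0-9.255.255.255',
    '11.0.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-255.255.255.255'
)
$ruleName = 'Block outbound SMB to Internet (example)'   # hypothetical rule name

function Set-OutboundSmbBlock {
    # Create the rule once; TCP 445 is SMB, TCP 139 is NetBIOS session service.
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName `
            -Direction Outbound -Action Block -Protocol TCP `
            -RemotePort 139, 445 -RemoteAddress $publicRanges `
            -Profile Any | Out-Null
    }
}

function Get-OutboundSmbBlock {
    # Report what is actually configured, for review or compliance checks.
    Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Rule      = $_.DisplayName
                Enabled   = $_.Enabled
                Action    = $_.Action
                Ports     = ($_ | Get-NetFirewallPortFilter).RemotePort -join ','
                Addresses = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
            }
        }
}

Set-OutboundSmbBlock          # requires an elevated session
Get-OutboundSmbBlock | Format-List
```

The same ports should also be dropped at the network perimeter, since a host rule only protects machines that have it applied.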
Old 23rd February 2017, 9:45 AM   #284
PabloEscobar Thread Starter
Member
 
Join Date: Jan 2008
Posts: 9,560

So, although the Windows updates have been delayed this month, there are still Flash updates. If you're unfortunate enough to require it on your desktops, you will need to update before you get owned.
PabloEscobar is offline   Reply With Quote
Old 28th February 2017, 2:41 PM   #285
millsy_c
Member
 
Join Date: Mar 2007
Location: Brisbane
Posts: 11,143

Edge / IE 11 (potential) RCE is now public.
https://bugs.chromium.org/p/project-...detail?id=1011

Exploit is not public but the means of building one is, probably will have RCE pretty soon assuming it's exploitable, reads like it though. If you're curious, saving that exact page triggers Symantec AV.
__________________
Quote:
Originally Posted by Luke212 View Post
You are talking like an expert beginner. Talk less and listen more.

Last edited by millsy_c; 28th February 2017 at 2:45 PM.
millsy_c is offline   Reply With Quote
All times are GMT +10.

