In the Choose Products screen of WSUS configuration, there is an option for both Windows 10 GDR-DU and Windows 10:
What is the difference between the two? I can't find any Microsoft documentation that explains the difference between the products.
I am trying to verify functionality of dynamic quorum in a new failover cluster setup.
Is there a command in PowerShell that I can use to see the current vote for the witness disk? I have been digging through TechNet, and have been unsuccessful locating the command (if it even exists in the first place).
We have mission-critical Windows 7 workstations on our network that must be available to any user at any time, even when it has been locked by a prior user. Thus, we have fast user switching enabled. Unfortunately, it's not unusual for us to have a dozen or more different users logged onto the same machine at the same time, with a corresponding degradation in service.
We've done our best at educating the masses to log off at the end of their shift. But users being users, this does not happen on a consistent basis. Does anyone know of a clean way to force logoff idle users after a certain amount of time has elapsed? I am open to any method that could be deployed/configured via script, GPO, or SCCM.
We just received a new Cisco Catalyst 2960, and in the box came an item we've never seen before. Interestingly enough, the documentation shows an image of the object, but it is not listed anywhere else in the guide (including the legend, which is numbered incorrectly)!
My buddies and I think it's some type of cable management device. Can anyone identify and elaborate as to its proper use?
Here is an image from the getting started guide (with the object circled):
Our SCCM 2007 R2 environment, which runs in native mode, just had its PXE client certificates renewed. Now, the site server automatically blocks the old certificates, but it appears that there is no functionality to actually delete them.
I know it doesn't really affect anything other than aesthetics, but as we've had a few renewals now, the certificate list is getting long and cluttered (and unlike my desk, I like to try to keep our servers neat and organized). Does anyone know of a way to remove the old certs?
We have a native mode SCCM installation on our network. For security reasons, we have two servers that are NOT domain joined, but have the native mode SCCM client installed (and functioning nominally).
SCCM just renewed the site server signing certificate (since the current one is expiring) and I am not able to find any information on Technet regarding what, if anything, needs to be done with the non-domain joined computers.
Does anyone have experience with this? Should the non-domain clients just "pick up" the renewed cert, or are there additional actions I need to take?
Does anyone have an authoritative source of policies that, if set, MUST be set within the Default Domain Policy (if one chooses to set them)? Off the top of my head, I know that password policies and certain user session policies must be set within the Default Domain Policy. I'm doing a cleanup of our Domain GPOs and trying to separate any GPs that can be set outside the default...
To clarify, I am not asking what policies must be set, I am asking which policies, should I choose to set them, must be set within the Default Domain Policy.
I've been told that one should not sysprep a Windows image too many times... kinda like using a Neuralyzer too many times on one person :) Can anyone provide additional information on this?
We like to periodically roll updates into the image we deploy with SCCM (so that deployment patching is reasonably short) and our process takes the last wim made, patches and syspreps it. Since we've done this to our Windows 7 image about half a dozen times so far, just hoping it doesn't cause some type of inbreeding situation...
I have two policies which are supposed to modify the setting, and they do not seem to be processed the way I believe they should.
The two policies control the visibility of the administrative tools on the start menu setting.
Show_Admin_Tools:
Hide_Admin_Tools:
There is no loopback processing, policies are not enforced, and inheritance is not blocked.
When gpupdate is run as an administrator... the Administrative Tools link does not show on the Start Menu. If it is manually turned on, it is removed again at GP refresh. Checking Group Policy results on a machine shows three GPO applications, in the following sequence: first the Authenticated Users GPO, then the Domain Admins GPO, then the Authenticated Users GPO again.
Unfortunately, I am unable to provide a graphic of the GP result, due to security issues.
Can anyone explain why the Authenticated Users GPO would apply last, even though it has already been applied and the link order seems to suggest that the show tools policy should take precedence? How do I use group policies to display the admin tools for admins, and hide them for everyone else?
We have implemented credential roaming for user certificates on our domain. Everything is set up per Technet in Certification Authority and Group Policy. User certificates are roaming correctly, but only on Windows 7 workstations. For some reason, our XP workstations (all are SP3), are not picking up the user certs from AD. I've verified that KB907247 is in fact included as part of SP3.
Can anyone provide some help on this issue?
So today, I'm going through and cleaning up/consolidating our GPOs and moved a couple from a second-level OU to the domain level. These (user) policies are used to block/allow access to the command prompt. By default, all users are blocked from using the command prompt. Users can then be added to a security group that has permission to run the second (higher precedence) GPO to turn it back on.
When the GPOs are in the second level, they work as expected. But once I move them to domain level, all users are blocked from using the command prompt, to include the ones that should have access.
Our GPOs are well segregated, and I verified there were no conflicting GPOs. Link order and policy inheritance precedence were verified. Group Policy results showed both policies applying on the appropriate users, yet command prompt access is still blocked. Moved the GPOs back down... and everything works again?
What gives? Is there something special at the domain level that would cause this behavior?
One of our secondary site servers in SCCM 2007 has become corrupt. IIS, WSUS and WDS have failed. Unfortunately, in Server 2008 there is no way to repair these server roles. I have cleared the roles from SCCM and all but one role has cleared. I am getting an error that it cannot remove the PXE service point. As such, the component server role will not clear and I am unable to delete the site server from the site.
Due to the corrupt state of the server, I cannot bring WDS online, and SCCM will not deinstall the PXE service point until it can talk with WDS.
Is there a good way to force remove a site server? I need to do this before I can scrape the server and rebuild it.
We're currently using Dell OptiPlex workstations with the Intel vPro feature. A remote location is requiring their computers be connected via fibre for security reasons. This will require us to install third-party FO NICs in the workstations. My question is: will vPro OOB management (which we rely on) still work via this NIC?
I have a Windows Server 2008 (RTM) 32-bit box configured for File Services Role. I installed the File Server Resource Manager feature on the server. When I try to use the snap-in, it gives me the error:
Unable to connect to FSRM on computer \\(local machine). This can happen if the remote computer does not have the Windows Server 2008 or later version of FSRM installed, or if a connection cannot be established because it was blocked by Windows Firewall.
Choose 'Connect to another computer' to manage a different computer running Windows server 2008 or later.
I know there is some stuff out on the Interweb about a bad dll, but that seems to apply only to Server 2003. That dll does not exist on 2008. Has anyone experienced this issue and discovered a fix?
Firewalls are turned off via Group Policy (our network is completely isolated from the Internet). DFS is working in all other respects.
We are using OCS 2007 R2 with Group Chat. The Group Chat client starts up quickly on our Windows 7 boxes, but takes over two minutes (!) to start on our Windows XP SP3 boxes. The July 2010 hotfix has been applied to all of the clients.
This has become a huge issue because users get no indication at all that the program is loading until it is finished. We have to do training over and over again to tell users to wait at least two minutes for the application to start, even though they see nothing on the screen. Our Windows network is isolated from the Internet and has no external connectivity. I suspect that the client is waiting on a timeout of some sort. Has anyone else experienced this issue?
I know that this application is a dog, but it is what we have for now, and I could really, really use some help from the community.
Our group recently implemented 14+ character passwords on our Windows domain in order for us to be compliant with our organizational security directives.
On password change, users are now receiving a password length warning saying:
The Password is longer than older versions of Windows; such as
Windows 98 or Windows 95, can use.
Is there a way to disable this warning? Our support team is being inundated with users asking about this.
Our network uses Windows XP SP3 and Windows 7 client operating systems only. The AD domain is at functional level 2008. We have GPOs set so LAN manager hash values are NOT stored and LAN manager authentication level is NTLMv2 only.
My organization is about to implement 802.1X on our enterprise, but we currently use PXE-based OS deployment sequences in SCCM. I'm looking for a way to continue using PXE in an 802.1X environment. Our infrastructure uses Cisco network gear running at 12.2 (or newer). We are an all Windows network and all clients support 802.1X. All new workstations have Intel AMT available (but not factory configured).
In a worst case scenario, we'll use a guest vlan for OSD, but I'd rather have the OSD occur in an authenticated session. I've seen white papers that describe using AMT to act as a supplicant for PXE boot, but can't find any implementation details...
I have an IPv6 static route on a Cisco 2600 that is being redistributed to other routers in the same OSPFv3 area. One of the routers (not the one with the static route) is also a participant in a RIPng group. The OSPF routes are set to redistribute connected routes to RIPng, but the static route is not included in the redistribution. The border router that is connected to both areas has the static route as type OE2. Is there a command that I'm missing?
EDIT: I've created a diagram that shows a (simplified) topology of what I'm working with. We have a 6to4 tunnel between R1 and R5 (to traverse an IPv4 section of our network). Unfortunately, this link is treated as NBMA, thus static routes are required to establish the link between these two routers. The static route is defined at R1 (with redistribute static on), visible through OSPFv3 on R2, but not being redistributed on R3 (even though all other learned routes on R2 ARE being redistributed).
My shop is putting together a three-node cluster for use as a Hyper-V host for our customer. Previous installations we did for this customer only had two nodes per cluster, so we did Node and Disk Majority. Easy enough. But now that we're moving on to an odd number of nodes, it has put us in a quandary: do what Microsoft recommends and use Node Majority or go with No Majority: Disk Only?
I wanted to ask the community:
The reason I ask, is that using the recommended settings we could only tolerate one server failure versus two. The flip side, is that No Majority would result in a "single" point of failure (which is something I think we can mitigate). My customer would really like to have this cluster up, even if only one node is available. To give proper context to the questions, here is our physical configuration:
Everything I've seen online is saying the same thing about this configuration being dangerous, but I don't know if they're just parroting or have actually validated the information. I guess I'm looking for reassurance from the community that I'm making the correct choice, since I'm deviating from what Microsoft recommends.
Is there a way to modify the NIC bind order in Hyper-V Server/Server Core? For some reason, one of our Hyper-V servers decided to reverse the bind order of two of the six NIC ports on the machine, making it inconsistent with all of our other servers (not to mention being out of sequence with the physical layout of the NICs).
I know this can be done via a network settings GUI in the full server installation, but alas, said GUI does not exist in Server Core. I believe that this will require a direct registry edit, but I am not sure where.
Any help would be appreciated.