This host does not support virtualizing real mode 5 2019




Virtualized Domain Controllers: 4 Myths and 12 Best Practices

A mountain of conflicting information exists on this topic, and few of us have time to make the expedition over all of that territory. Many outdated truths, fear, and blind guesses have led to the creation of an abundance of misinformation on the subject of virtualized domain controllers.

Myth 1: Domain Controllers Should Not be Virtualized

We might as well start with this catch-all myth. Whatever arguments, whatever anecdotes are supplied as support, they are insufficient. The reasons that people used to maintain physical domain controllers had more to do with the comparatively primitive state of virtualization. Failures and issues were more common. It only made sense to be distrustful. So, the universe implodes and everyone becomes Justin Bieber fans. The problem for them is, this myth is demonstrably false, and ridiculously simply so. Anyone with a Hyper-V-capable physical machine and access to a trial copy of Windows Server can disprove this one in under an hour. No Microsoft kernel requires access to a domain controller in order to start. Anyone that has taken their laptop home from work can demonstrate this. They start, then they start the management operating system. This is no longer true in 2012 R2. With basic cluster troubleshooting techniques, you can bring a clustered virtual machine online without the cluster running.

Hyper-V Hosting its Own Domain Controller

Simply put, there is no chicken and egg problem. There are simple ways to deal with normal drift. Time drift is not a good argument against virtualizing domain controllers. What follows are some of the best practices around domain controllers with an emphasis on running them in a virtualized environment. How many domain controllers do you need? Where should they be placed? Should domain controllers be highly available? What will the backup schedule look like?
The answers to these questions will draw the most definitive picture of what your final deployment should look like. A single domain controller can easily handle thousands of objects. If you have multiple sites, try to place at least one domain controller in each site and make sure to configure those sites in Active Directory so that authentication and replication traffic is properly handled.

Determine Where to Place Domain Controllers

There are some very simple guidelines for domain controller placement. The primary purpose of multiple domain controllers is to provide 100% availability for domain services. The need for domain controllers in any given remote site is tied to the number of users in that site and the quality of the intersite connection. If you have a lot of users, you want a domain controller. If the intersite link quality is poor, you want a domain controller.

Example: Multi Site Domain Controller Architecture

4. Do Not Checkpoint Virtualized Domain Controllers

Prior to 2012, reverting a domain controller to a checkpoint (snapshots in those days) could cause irreversible damage to your domain. It would then resubmit object changes using Update Sequence Numbers that it had already used, causing inconsistencies in the directory. Microsoft has a if it happens to you. Your first, best choice is to never checkpoint a domain controller. A domain controller that runs no other services does not fit the envisioned use cases for checkpoints anyway, so you should be highly skeptical of any reasons that anyone submits to the contrary.

Disable Hyper-V Time Synchronization for Virtualized Domain Controllers

By default, Hyper-V is in charge of keeping the clocks updated in its guests. In days past, we recommended sharing responsibility for the clock in virtualized domain controllers. With a time-sensitive application like domain services, that can be a very bad thing.
Unfortunately, the shared responsibility setting is no longer possible; something has changed in the Hyper-V Time Synchronization Service that causes it to override any other source set for the Windows Time service. This means that any guest with the Hyper-V Time Synchronization Service enabled at all will always get its time from the host. Because domain controllers expect that they are at the top of the local time hierarchy, this could cause issues. First, disable the synchronization service for virtual domain controllers: Disable Time Synchronization Second. This is a fairly lengthy procedure, but definitely worth it. For further reading, we have a recent article on. When a virtual machine resumes from a saved state or is reverted to a checkpoint, the only thing that is guaranteed to fix its clock is the Hyper-V Time Synchronization Service. If its clock skews too far, it might never fix itself automatically. A worse situation is a long-saved domain controller. Of course, in order for this to work at all, there must be multiple domain controllers. In the described scenario, that deleted account will be reanimated. This is because the object was active on that domain controller at the time that it was saved. When it resumed, it had an active record while no other domain controller in the environment is aware that it ever existed. It will resume its existence and be replicated as though nothing ever happened. If you have multiple domain controllers and you determine that one has been saved for a very long time, you can discard its saved state. Active Directory can handily deal with the data loss. I tried to find a definitive answer on default tombstone lifetimes, but I could not find a straightforward answer that covers all versions. Defaults have been 60 days and 180 days, depending on the Windows Server version. 
However, knowing the default only goes so far; if a domain began its life in one version, that tombstone lifetime will persist through upgrades unless changed. The best thing to do is find out what yours is.

Set the Automatic Stop Action of Virtual Domain Controllers to Shut Down

By default, shutting down a post-2012 Hyper-V host will save all the guests. We want to avoid Saved State wherever possible for virtualized domain controllers.

Automatic Stop Action for Domain Controllers

8. Set the Automatic Start Action of Virtual Domain Controllers to Always Start without Delay

Active Directory Domain Services typically provides core functionality to most everything else in a Windows environment. A highly available virtual machine must have an available virtualization right on every host that it will ever run on:

Both groups require the same licensing, but the second group is more resilient

10. That configuration must be avoided. It does function, but behavior can be strange. Use mirroring or some other technology to protect them against storage failures.

Do Not Perform Physical-to-Virtual Conversions on Domain Controllers

Active Directory has one of the smoothest migration paths that I have ever seen for any application. Ensure that it connects with your existing domain. No one else has any excuse. A Hyper-V host is just another member server with a very long track record of stability.

Q: Do I Need a Second Domain Controller or is One Enough?

A: Smaller Organizations Do Not Need a Second Domain Controller

The purists and the textbook admins always say that multiple domain controllers are a minimum requirement. The textbook admins are so paralyzed by the fear of a 2% failure rate that the 98% success rate looks like a zero. This only requires a single Windows Server Standard Edition license and satisfies the best practice of separating domain services from other server applications.
This could all then be backed up using any Hyper-V-aware solution as a shameless plug. This is a solution that I wish I had access to many years ago, as it would have fundamentally changed the way I worked with many small business customers. The single most important thing is backup. Backup provides data redundancy at a very low cost. Providing run-time redundancy more than doubles the cost. If that cost is too great and you understand the risks and you take the time to develop solid contingency strategies, then the single domain controller environment is just fine. I have seen it in common practice since 1998.

Joining a domain does not affect the local credentials by default. Some domains rename the local administrator account. No domain should be disabling the local administrator, especially on servers. Doing so does not meaningfully improve security but exposes you to needless risks. You should already have a policy of maintaining local administrator credentials in a secure fashion. As long as you have those available, you can log on. As long as you have backup available, you can rebuild from scratch in the worst case scenario anyway.

Never make a Hyper-V host into a domain controller. I have seen a number of people going against this recommendation and I pity their users because of the problems they have needlessly introduced.

A: That is a Human Resources Problem.

Avoiding any technology because someone made a poor hiring decision results in an unmaintainable house of cards. I understand that there are politics involved that result in situations like this, but there is also a reason that good administrators tend to job hop a lot before they find their forever home and some never do. In my experience, many of the untrustables are more of a training issue than anything else, so I always try education before ostracization or termination. There is no right answer. I have a workstation that I log in to with non-domain-administrator credentials.
It has VirtualBox guests with various versions of Windows. Those versions of Windows have Remote Server Administration Tools installed. When I need to manage a server, I either do so via an administrative PowerShell from my primary instance or I log in to the matching VirtualBox instance as a domain administrator and manage the server. The bonus for some of you is that when a questionable administrator connects to one of those virtual machines and sees that black box with the flashing cursor, they panic and go into a catatonic state that lasts at least a couple of hours. There is no better preventative against Click Next Admins than Server Core. I am one of a nearly infinite set of possibilities. They both had to reboot after each patch cycle.

Q: Should I Abandon Physical Domain Controllers?

The additional resiliency is nice and a weaning period for the uncertain might be helpful. But, going forward, I personally would not create any new physical domain controllers. In those cases, adding domain controllers was the only solution. I spent some time researching for this article, and found that most of the official documentation that I used in those days has never been updated, even into the beginning of the 64-bit era. With the pricing of modern server hardware, building a stand-alone unit of that size is nearly pointless because you can more than double those numbers for only a fraction of the base cost. Use a bigger Hyper-V host and virtualize domain services. If a domain controller starts acting sluggish and has hit those numbers, then you should scale out, not up.

Q: Should I Use Dynamic Memory for Domain Controllers?

You can make the Minimum a little bit smaller.

A: You Should Not Use Pass-through Disks.

Q: Should I Use Virtual Domain Controllers with Fixed or Dynamically Expanding Virtual Hard Disks?

Dynamically expanding is the way to go.

Q: Should I Use Hyper-V Replica with Domain Controllers?
If your disaster recovery site has sufficient connectivity for Replica to function, then it has more than enough connectivity for Active Directory replication to function. Active Directory replication is superior to anything that Hyper-V Replica can do for it. However, Hyper-V Replica cycles much more frequently than inter-site Active Directory replication does.

I have worked in the information technology field since 1998. I have designed, deployed, and maintained server, desktop, network, and storage systems. I provided all levels of support for businesses ranging from single-user through enterprises with thousands of seats. Along the way, I have achieved a number of Microsoft certifications and was a Microsoft Certified Trainer for four years. In 2010, I deployed a Hyper-V Server 2008 R2 system and began writing about my experiences. Since then, I have been writing regular blogs and contributing what I can to the Hyper-V community through forum participation and free scripts.

Do Not Perform Physical-to-Virtual Conversions on Domain Controllers. So, what do I do now? Follow the steps to hard push it out of the domain:. If you have a name that you like, I cycle between single and double digits. Ex: svdc1 is replaced by svdc01 is replaced by svdc1. Promote new builds in, demote old builds out. I am a new admin for a company, and new admin in general. Can anyone shed any light on this? If things are over 15 minutes off but less than 2 hours, there might be some issues while things sync up, but still nothing insurmountable. Our hypervisor and storage admins are well vetted. They can still go rogue later, or be blackmailed or deceived, or just phished. And the local account on the hypervisor…. All because local accounts are much harder to audit at scale than domain accounts. Some people argue that workgroup mode is more secure than domain mode. That fallacy was my target.
Local accounts are a problem in both modes, but domain membership grants access to superior tools for managing and auditing those local accounts. And ultimately, yes, rogue admins are always a human resources problem. The underlying Storage is a flash backed raid controller with a cache module. I had to restore my virtual domain controller on the hyper-v host machine. The permissions are not correct for some reason with the virtual hard disk. So, the virtual domain controller cannot start. If I had a physical domain controller, this would not be an issue because the domain controller would not rely on permissions from a machine that relies on the domain controller. A nice little cyclical loop of permissions requirements. If you however know how to solve domain trust problems in a virtual environment where the virtual host cannot start the domain controller please let me know. That is not normative behavior. First, log in with a local account that is a member of the Administrators group. Make sure that the Hyper-V Virtual Machine Management service runs as LocalSystem and not a domain account. One of my constant problems is this though: how should I scale this practices down? Too much overhead on the hardware. And the best way to go. Like you say, backups are the biggest thing. I had to do some weird commands adding credentials to some internal datastore to finally be able to manage the host. That would take care of the initial configuration issues. Basically, avoid any need for remote management during deployment. Your current problem sounds frustrating, but leaving it out of the domain would not make anything better. But, I have in the following scenario — not chicken-egg related, but interested. The Hyper-V hosts are domain members and the firewall is turned on. And this can be done by me or other one with proper credentials.
Yes, I know, I can switch off the firewall on the hosts to avoid this issue, but it would be great if you have any other advice for this situation. A hackaround would be to duplicate the firewall settings across all profiles. Hyper-V is not causing that problem. Nice to see a thorough write-up about it and some validation of my method. I've seldom read such a good and easy to comprehend article regarding Hyper-V myths. The reason for this is, as you say, the myth regarding circular dependencies. To this day I've for some reason kept believing it. There is actually some weight to myth 3. Of course this can be mitigated easily by logging on locally. Though that setup will give you a set of management issues to deal with. The chicken and egg myths state that the configuration will not function due to a circular dependency, which is untrue. For example, if your local admin password is too long to remember in domain mode, it will still be too long to remember in workgroup mode. Exactly the opposite of where I was five or so years ago.

credits

released January 22, 2019

perratovi Kansas City, Missouri
