what did you learn today?

Status
Not open for further replies.

Rick25

Ars Tribunus Militum
2,511
Subscriptor
WarheadsSE":3cssupa3 said:
You have to configure machine policy for auto-passing of credentials.
I'd have to look it up, but I have mine configured locally on my Win7 work PC to auto-pass to all of my managed servers. However, this is not available on previous windows versions.. so fair chance, no.

Configure the websites to be in your Trusted Sites list, configure IE in that Security setting to automatically pass current credentials. Also make sure the website is set to accept Windows/Integrated Authentication. Works like a charm. Got it working with XP and Exchange 2010.
 

jaericho

Ars Scholae Palatinae
780
I learned that I am lucky I don't have to deal with a user that flat out refuses to use the company issued Dell desktop and instead brings in his personal macbook and uses sugarsync to send files from his macbook on the guest network to his desktop that sits in the corner of his office... Well, I do have to deal with it a bit, although it's more along the lines of: hey jaericho, block this ip from the guest network. (1 day later) hey jaericho, this guy is smarter than we thought, he must have switched to static address and gave himself a different ip, block this one too. (1 day later) hey jaericho, wanna see something funny, he gave himself another ip but this one is outside the subnet, so it's not working <snicker> oh he went back down 20 addresses and found one that works, let's block it again.

(Then we had our own facepalm moment and realized a mac address filter is a better idea.)

Then the director of marketing (his employee is using the mac) and the director of IT almost came to blows over all this 3 offices down from my cube.

I love being the passive-aggressive networking guy. This strategy is winning.
 

afidel

Ars Legatus Legionis
18,224
Subscriptor
Today I was reminded that when it comes to attention to detail I can't rely on anyone but myself. A few years ago I noticed that our generator that had been installed 6 months prior was starting to show rust on the nuts that tie it to the pad. I mentioned this to our facilities folks and the PM for the datacenter expansion and was told by both that it would be taken care of. Well, it was, by replacing the nuts with ones that just took longer to rust. Now the nuts look like they are rusted solid to the tiedowns and the tiedowns are rusted as well. I told my boss we're probably going to have to break those nuts off and clean the rods then put new ones on and have them covered in antiseize so that the generator doesn't break itself off the pad in a few years.
 
That if you use the same NewSID you've been using for years on 2003 R2, it blows up the OS. Instead, use the sysprep tool built into the OS.

So, you really can't use the clone tool built into vCenter (and select the configure option). Once you clone, take NIC offline, power on, dis-join from domain offline, reboot, run sysprep, change name, reboot, rejoin domain.

Then there's the whole "SID change not needed" argument, but habits are *so* hard to break!
 
Fulgan":1opyykkk said:
Arbelac":1opyykkk said:
ronelson":1opyykkk said:
Technically, NO user accounts should be domain admins; there should be separate privileged accounts (i.e. ronelson for daily usage, ronelson-admin for maintaining shit), but I *rarely* see that anywhere. Nor has any auditor ever even looked for that stuff.

I have that separation on my home domain... :D I even run SQL as a domain user.

So do I. But once you learned to do it properly it's actually MORE work to be lazy.

Except it becomes a pain in certain ways, especially with apps that use your current credentials and don't run well with runas. Also, MS made it HARDER in Win7 to auto runas apps. It's even harder with MMC stuff without downloading sysinternals tools. MS apparently doesn't think it's important.
 

afidel

Ars Legatus Legionis
18,224
Subscriptor
Digitlman":1iodwly5 said:
That if you use the same NewSID you've been using for years on 2003 R2, it blows up the OS. Instead, use the sysprep tool built into the OS.

So, you really can't use the clone tool built into vCenter (and select the configure option). Once you clone, take NIC offline, power on, dis-join from domain offline, reboot, run sysprep, change name, reboot, rejoin domain.

Then there's the whole "SID change not needed" argument, but habits are *so* hard to break!

What? Of course you can deploy from template/clone with customization. I do it almost every day (ok every week). I've done it for everything from 2003 SP1 to 2008 R2. You have to have the sysprep tools for that OS in the correct directory on the vcenter server but otherwise it's all automated.
 

afidel

Ars Legatus Legionis
18,224
Subscriptor
Digitlman":33spzn3r said:
afidel":33spzn3r said:
They're builtin to the OS with 2008 =)

Right.

I had an issue when using the "clone to new VM" function in vcenter, and then electing to customize the 2008 R2 SP1 OS.

I'm going to try again later and see if it was PEBCAK (which is likely).
Not sure if it would work without 4.1 U1. If you're up to date then it might be or it might be some kind of bug =)
 

Deleted member 192806

Guest
afidel":1soqxv3h said:
Today I was reminded that when it comes to attention to detail I can't rely on anyone but myself. A few years ago I noticed that our generator that had been installed 6 months prior was starting to show rust on the nuts that tie it to the pad. I mentioned this to our facilities folks and the PM for the datacenter expansion and was told by both that it would be taken care of. Well, it was, by replacing the nuts with ones that just took longer to rust. Now the nuts look like they are rusted solid to the tiedowns and the tiedowns are rusted as well. I told my boss we're probably going to have to break those nuts off and clean the rods then put new ones on and have them covered in antiseize so that the generator doesn't break itself off the pad in a few years.

Six months and rusting? What kind of environment is it in?
 

afidel

Ars Legatus Legionis
18,224
Subscriptor
Ostracus":2tddf1fk said:
afidel":2tddf1fk said:
Today I was reminded that when it comes to attention to detail I can't rely on anyone but myself. A few years ago I noticed that our generator that had been installed 6 months prior was starting to show rust on the nuts that tie it to the pad. I mentioned this to our facilities folks and the PM for the datacenter expansion and was told by both that it would be taken care of. Well, it was, by replacing the nuts with ones that just took longer to rust. Now the nuts look like they are rusted solid to the tiedowns and the tiedowns are rusted as well. I told my boss we're probably going to have to break those nuts off and clean the rods then put new ones on and have them covered in antiseize so that the generator doesn't break itself off the pad in a few years.

Six months and rusting? What kind of environment is it in?
A NE Ohio winter next to a sidewalk that gets salted every time there's snow because it's the entry way from our employee parking lot.
 

PVO

Ars Scholae Palatinae
899
Subscriptor
WarheadsSE":2gcgq1y8 said:
Ditto.

"Critical" my ass. Writeup for misuse of company resources asshat.

Preaching to the choir here. Too bad the poor guy assigned to it had the same mentality as me, called it as BS, and got called out for "poor customer service". We have to deal with an organization that wonders where it's failed with education when assclowns use corporate cards for buying smokes. Me, I'd fire their ass. Not apologize for not being more clear about the guidelines.

Now, I'm all for "customer service". But our coworkers and colleagues are not our "customers". In fact, I always advocate that the relationship should in fact be even more respectful, trustful and above all fair both ways because they are our colleagues. They can't tell us to take a hike and get services elsewhere, and neither can we! We have to usually form a good working relationship with them to get work done. They're better than "customers", and we sure as hell deserve better than being treated as a "vendor".

I am but a lonely voice in a crowd of nonsense. I'm sure my "attitude" will see me out the door one of these days. But dammit, people who work IT deserve better. And you're sure as hell I'll fight for my team until they do show me the door.

Thank God it's Friday. End of day can't come soon enough.
 

bigmikebrooklyn

Ars Centurion
345
Subscriptor
Me:I'm Resigning.
GM:what? i don't understand.
me:I'm resigning.
GM:What does that word mean?
me:I quit.
GM:EEEEEEHHHHHHHHHHYYYYYYYY? Really?! wait one minute, i have to get the guy beneath me who actually runs the department because he is much smarter.

Smart snakier boss: really, you are leaving? that is a shame, i was looking forward to managing you. you will give us 2 weeks.
me:well, i'm giving you until next friday.
Smart snakier boss:no, you are required to give us two weeks.
me: no, i am not.
Smart snakier boss: i will go talk to legal.
me: new york is an at will state. i could walk out of here right this second and face no consequences.
Smart snakier boss: what about your vacation time
me: took it all
Smart snakier boss: will you give us 2 weeks?
me: nope. definitely not now.

next work day-

Really awesome AGM that should be GM, but is not Japanese so never will be: Mike, i just had a conversation with Smart snakier boss, remember when we all went to HR a month ago to complain about those two guys? And then GM called you into the conference room and told you "if you don't want to work for my team, you can go." in retaliation? Well Smart snakier boss just told me that they started interviewing replacement candidates for you that evening. They also offered them $20K more than they pay you. I asked Smart snakier boss why didn't you just pay mike that, and he didn't respond. so even though you leaving is the worst thing that could happen for your side of the department, I think you made the right decision in leaving.

me: you know what Really awesome AGM that should be GM, but is not Japanese so never will be, I really respect you and thank you for your kind words. I told you ahead of time because of that respect, and i also told HR in my exit interview that you should be the GM and they should stop rotating mind numbing assholes with authority trips in from japan every 5 years to be the ultimate decision maker when they don't know their ass from a hole in the ground for the first 2 years, maybe get something done for a year, and then don't do shit for the last two years because they are afraid to make a mistake before going back to japan. also, the person having the overview of the entire infrastructure should not be regularly replaced. that is dumb.

Really awesome AGM that should be GM, but is not Japanese so never will be: i met with HR today and we discussed some interesting things. maybe you will be back some time in the future.
me: don't hold your breath, but i'm a reasonable man.


today is the end of the torture.
at least i'm not having my guts ripped out of my still living torso as i scream FFFFRRREEEEEEEEEEEEDDDDDOOOOOOOOOMMMMMMMMMMMMMMMM

also, the best part is, i knew since mid feb i was out, so all this babymomma drama bs was inconsequential.
and my bonus check cleared. YUS!!

next week, i'll be in key largo, catching a couple days of scuba diving. anybody wants to join, PM me.
bigmikebrooklyn Out. (for a week or two anyways)

i might post the 7 message back and forth chain of the ESL GM editing the content of an email to be sent to a single user explaining why he can't update his company PC from the raw internet like he used to now that we installed the corporate network in his far flung branch office, just so you guys can get a real taste of the personal hell i have been wading through...
 

PVO

Ars Scholae Palatinae
899
Subscriptor
Mike, congrats on exiting one of the lower levels of hell. :D Enjoy your time off!

It always amazes me how devalued a person can be by an organization, right up until they walk out the door. I've gotten 2 callbacks in my past;

Them: "Please, we cannot find anyone suitable to replace you and we have critical issues. We need to contract you for another few weeks to transition."

Me: "I already have new work, and I can't be bothered. Go rot in a hole. Have a nice day."

You know, I could have worked the extra hours and made the extra cash... but there comes a point in your IT career where the money just doesn't matter anymore. As long as you can pay your way and can afford to have some fun on the side, you need to have a life before it sucks what's left of that life out of you.
 

Soko

Ars Praefectus
4,068
Subscriptor++
Congrats on escaping, bigmikebrooklyn! May you find recovery, for a short time anyway.

As for this:
bigmikebrooklyn":1hg0vnx8 said:
i might post the 7 message back and forth chain of the ESL GM editing the content of an email to be sent to a single user explaining why he can't update his company PC from the raw internet like he used to now that we installed the corporate network in his far flung branch office, just so you guys can get a real taste of the personal hell i have been wading through...

That particular corner of Hell is behind you - my advice is just leave it there. Your escape is amusing enough.
 
Rick25":7hu0vak2 said:
WarheadsSE":7hu0vak2 said:
You have to configure machine policy for auto-passing of credentials.
I'd have to look it up, but I have mine configured locally on my Win7 work PC to auto-pass to all of my managed servers. However, this is not available on previous windows versions.. so fair chance, no.

Configure the websites to be in your Trusted Sites list, configure IE in that Security setting to automatically pass current credentials. Also make sure the website is set to accept Windows/Integrated Authentication. Works like a charm. Got it working with XP and Exchange 2010.
Ah, I did it at the RDS level, directly, and not from a webpage so... slightly different
 

Danger Mouse

Ars Legatus Legionis
38,881
Subscriptor
Mike,

congrats on the escape. My boss isn't so bad and neither are the coworkers. It's just the work environment.

I too, yearn to escape.

I actually liken my career to the protagonist's in Kentaro Miura's Berserk. Horrible beginnings, middling middle times, finally the horror and then fighting against a hellish fate for eternity.

Or something.
 
bigmikebrooklyn":2wa926oy said:
Me:I'm Resigning.
GM:what? i don't understand.
me:I'm resigning.
GM:What does that word mean?
me:I quit.
GM:EEEEEEHHHHHHHHHHYYYYYYYY? Really?! wait one minute, i have to get the guy beneath me who actually runs the department because he is much smarter.

Smart snakier boss: really, you are leaving? that is a shame, i was looking forward to managing you. you will give us 2 weeks.
me:well, i'm giving you until next friday.
Smart snakier boss:no, you are required to give us two weeks.
me: no, i am not.
Smart snakier boss: i will go talk to legal.
me: new york is an at will state. i could walk out of here right this second and face no consequences.
Smart snakier boss: what about your vacation time
me: took it all
Smart snakier boss: will you give us 2 weeks?
me: nope. definitely not now.

next work day-

Really awesome AGM that should be GM, but is not Japanese so never will be: Mike, i just had a conversation with Smart snakier boss, remember when we all went to HR a month ago to complain about those two guys? And then GM called you into the conference room and told you "if you don't want to work for my team, you can go." in retaliation? Well Smart snakier boss just told me that they started interviewing replacement candidates for you that evening. They also offered them $20K more than they pay you. I asked Smart snakier boss why didn't you just pay mike that, and he didn't respond. so even though you leaving is the worst thing that could happen for your side of the department, I think you made the right decision in leaving.

me: you know what Really awesome AGM that should be GM, but is not Japanese so never will be, I really respect you and thank you for your kind words. I told you ahead of time because of that respect, and i also told HR in my exit interview that you should be the GM and they should stop rotating mind numbing assholes with authority trips in from japan every 5 years to be the ultimate decision maker when they don't know their ass from a hole in the ground for the first 2 years, maybe get something done for a year, and then don't do shit for the last two years because they are afraid to make a mistake before going back to japan. also, the person having the overview of the entire infrastructure should not be regularly replaced. that is dumb.

Really awesome AGM that should be GM, but is not Japanese so never will be: i met with HR today and we discussed some interesting things. maybe you will be back some time in the future.
me: don't hold your breath, but i'm a reasonable man.


today is the end of the torture.
at least i'm not having my guts ripped out of my still living torso as i scream FFFFRRREEEEEEEEEEEEDDDDDOOOOOOOOOMMMMMMMMMMMMMMMM

also, the best part is, i knew since mid feb i was out, so all this babymomma drama bs was inconsequential.
and my bonus check cleared. YUS!!

next week, i'll be in key largo, catching a couple days of scuba diving. anybody wants to join, PM me.
bigmikebrooklyn Out. (for a week or two anyways)

i might post the 7 message back and forth chain of the ESL GM editing the content of an email to be sent to a single user explaining why he can't update his company PC from the raw internet like he used to now that we installed the corporate network in his far flung branch office, just so you guys can get a real taste of the personal hell i have been wading through...

FUCKING AWESOME!

Will read again!
 
Danger Mouse":a8j8d9lm said:
I actually liken my career to the protagonist's in Kentaro Miura's Berserk. Horrible beginnings, middling middle times, finally the horror and then fighting against a hellish fate for eternity.

I'm not a fan of much Japanese manga, but I am a fan of Berserk. That's probably the most apt description of your environment, based on what you've told us.
 

PsychoStreak

Ars Tribunus Angusticlavius
7,467
bigmikebrooklyn: Glad to hear you made it out!

Today, I re-learned a few things:
1. Incidents that require all available hands to drop everything and help fix it never happen on a Monday. NEVER.

2. The team I'm in and the ones we work with are pretty damned good when we're not trapped in meetings about the previous meeting to discuss possible future meetings.

3. The assh*les who write trojans should all be nailed to the bottom of an (initially) empty septic tank with their mouths and eyes wired open so they can watch. (This is the world's first LED lit septic tank.) Oh, and the septic tank is connected to a White Castle, every bad, but very cheap Mexican, Indian, two of whatever takeout place that runs through you like water through a sieve, and every bar in a big college town. The day after finals. And their last meal? Catfish Biffs. If you know what that is, 100 Bonus points for you. If not, look it up.

4. Symantec Antivirus Corp Ed. 10.whatever is apparently blind, deaf and dumb to most trojans. Yay. F'ing YAY. :mad: Huzzah for other vendors' products that I cannot name at present. ;)

5. It is now tomorrow, and I'm now leaving work. ++ for leaving work, -----(imagine a 1000 more of those) for it being tomorrow.

6. Work has had me so damned busy for the last year I just saw this. (Seen the more recent ones, but not the older stuff.)
 

Danger Mouse

Ars Legatus Legionis
38,881
Subscriptor
PsychoStreak":kfa4htzq said:
bigmikebrooklyn: Glad to hear you made it out!

4. Symantec Antivirus Corp Ed. 10.whatever is apparently blind, deaf and dumb to most trojans. Yay. F'ing YAY. :mad: Huzzah for other vendors' products that I cannot name at present. ;)

Somewhere about 6 months prior to SEP 11, SAV CE 10.1 stopped being effective against newer malware packages. There were some that were able to easily remove/kill SAVCE 10.x.

Then there's the whole issue of SAV CE 10.x (and apparently even previous versions down to 8.x) causing domain joined systems to not load the local cached profile because the SAV client would somehow make it appear to Windows to be corrupt. A reboot would usually fix this :p

I am finding that SEP 11.06 is slowly becoming less and less able to handle malware packages as time goes on :p There's far too many carried on flash drives that are infecting systems. The safest and quickest way to kill the malware is to do it from a Mac or a Linux box. 64 bit systems with UAC enabled also do the trick. I haven't checked to see if a 32bit system with UAC enabled would catch it in time.

There's 3 basic classes of malware I see now:

-flash drive based ones (always hide in a folder within the recycler with the name starting with the letter K or a short named one starting with the letter S)
-the ones that will hide a user's local profile, sometimes declaring all file contents to be encrypted (it just adds another filename extension on top of the current filename for every file in the profile)
-the ones that plant themselves somewhere in a user's local cached profile copy or in the all users folder

Sometimes I get to see the more pernicious ones that appear rootkit based, but that's pretty rare these days. It's kinda obvious when you see extraneous files of recent modification date in the system32 folder.

I think I'm about a week away from converting my work desktop to Ubuntu and putting all my admin tools on a 2008 R2 server for use in RDP (Rdesktop, really) sessions. Also, kvm sounds really really nice.
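
A triage sketch for the three heuristics described in the post above, written to run against a suspect volume mounted on a Mac or Linux box; it is an added example, not code from the thread or from any poster. It generalises the recycler check to any subfolder whose name is not a well-formed SID (which covers the "K..." and short "S..." names mentioned). The function names, the `DOC_EXTS` list and the thresholds are assumptions made for illustration.

```python
import os
import re
import time
from collections import Counter

# Windows names each per-user recycle bin subfolder after that user's SID.
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$", re.IGNORECASE)
# Extensions of ordinary user documents (constructed list, extend as needed).
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".txt"}


def odd_recycler_dirs(volume_root):
    """Return RECYCLER subfolders whose name is not a well-formed SID."""
    hits = []
    for entry in os.scandir(volume_root):
        if entry.is_dir(follow_symlinks=False) and entry.name.upper() == "RECYCLER":
            for sub in os.scandir(entry.path):
                if sub.is_dir(follow_symlinks=False) and not SID_RE.match(sub.name):
                    hits.append(sub.path)
    return sorted(hits)


def appended_extensions(profile_root, min_files=3, min_share=0.5):
    """Find an extra extension stacked on top of document names (a.doc.xyz).

    Returns {extension: count} for outer extensions that sit on top of a known
    document extension and cover at least min_share of the documents seen.
    """
    outer = Counter()
    docs = 0
    for _dirpath, _dirs, files in os.walk(profile_root):
        for name in files:
            stem, ext = os.path.splitext(name)
            inner = os.path.splitext(stem)[1].lower()
            if ext.lower() in DOC_EXTS:
                docs += 1                  # untouched document
            elif inner in DOC_EXTS:
                docs += 1                  # document with something stacked on top
                outer[ext.lower()] += 1
    return {e: n for e, n in outer.items()
            if n >= min_files and n / docs >= min_share}


def recent_files(directory, days=7, now=None):
    """Return names of files directly in `directory` modified in the last `days` days."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue
        if entry.stat(follow_symlinks=False).st_mtime >= cutoff:
            hits.append(entry.name)
    return sorted(hits)


if __name__ == "__main__":
    import sys
    # Usage: triage.py <volume root> <user profile dir> <system32 dir>
    volume, profile, system32 = sys.argv[1:4]
    print("non-SID RECYCLER folders:", odd_recycler_dirs(volume))
    print("stacked extensions:", appended_extensions(profile))
    print("recently modified in system32:", recent_files(system32))
```

Hits are leads for a closer look, not verdicts: a freshly patched machine will also show recent files in system32.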
 

flameboy

Ars Scholae Palatinae
1,421
PsychoStreak":35zqu9kl said:
Today, I re-learned a few things:
1. Incidents that require all available hands to drop everything and help fix it never happen on a Monday. NEVER.
Don't ever say NEVER!

They don't normally happen.. until you have worked the last 7 days (and most nights) on a site move, the other SA is out with a stress migraine, your manager is in another country, one helldesk guy and the mainframe guy are on holiday, the other helldesk guy is sick *again*. Then, why then all the company email goes down, the mainframe fails to recover from an event, the company can't trade and the General Manager is sitting on your desk asking when he can get a new Blackberry. Oh and half of the BES services crashed too.

For the record I got the mainframe up in 20 minutes, email took an hour or so (the mainframe start procedure and email gateway rules were undocumented.. gahh!). I forgot about BES, then fixed it in a few minutes. The GM got his new Blackberry 2 days later.

What a way to start the week, I answered 90 phone calls in under 2 hours and fixed all that. Answering all the helldesk calls for the rest of the day didn't help my nerves..
 

gradster

Ars Scholae Palatinae
942
Welcome to the world of consulting, gradster.

Get thrown into a situation where a client was apparently in the middle of a transition from SBS 2003 to regular Server 2008. Server has until tomorrow until the migration period expires - meaning old SBS 2003 server would start rebooting once every hour. Outside of having mailboxes moved to new Exchange server, migration wasn't anywhere close to complete. It's fixed now though. Go me.
 

akro

Ars Scholae Palatinae
1,309
I learned several things recently..

That customer should have "black" phones within reach of the system consoles in their datacenter.
The handset should have significant enough volume so that you can hear the person on the other end over the thousands of machines in the data center.
When you see two guys from a previous project walk up to a troublesome 800tb nas cluster and you are the guy who installed it from the vendor you know it's going to be a long friday.


At least after 8 hours on the phone trying to read logs to engineering when you can barely hear them we got said cluster working.

Oh yeah x9000 clusters can be mistreated and still survive. Apparently someone pulled a failed controller only it was the non-failed one and well someone pissed off the cluster royally trying to fix the issue.


By the way black phone means unclassified phone as in no logs ever leave and no remote support because well it's all classified. I love working in the federal space... :mad: least there is good job security...

EDIT :Late Night Typo
 

Danger Mouse

Ars Legatus Legionis
38,881
Subscriptor
The power company has scheduled an overnight power outage for the coming weekend.

The great thing is that we have no night time staff, so it will be overtime. I highly doubt that one of my coworkers would be able to do a proper shutdown of all servers on location, let alone in the data center.

What's even funnier is that the network consultant has begun a network backbone migration, which may or may not have actually been saved on the individual switches and core router. This ought to be loads of fun when everything has to be brought back up on the following morning.

I suspect that I'm going to see a LOT more failures on the Saturday morning powerup. I'm supposed to be there for something else, but I suspect I'll be there for that instead.
 

Incarnate

Ars Tribunus Angusticlavius
9,004
Subscriptor++
Danger Mouse":2ehfy33j said:
The power company has scheduled an overnight power outage for the coming weekend...
What's even funnier is that the network consultant has begun a network backbone migration, which may or may not have actually been saved on the individual switches and core router. This ought to be loads of fun when everything has to be brought back up on the following morning.

Good, then you have 5 business days to have him verify that everything is saved.
 

Danger Mouse

Ars Legatus Legionis
38,881
Subscriptor
Incarnate":snwya6ie said:
Danger Mouse":snwya6ie said:
The power company has scheduled an overnight power outage for the coming weekend...
What's even funnier is that the network consultant has begun a network backbone migration, which may or may not have actually been saved on the individual switches and core router. This ought to be loads of fun when everything has to be brought back up on the following morning.

Good, then you have 5 business days to have him verify that everything is saved.

1. It's a company.
2. Getting them to actually verify, versus just report that they verified are two different things.

And in not so comedic notes, since it's almost the same amount of time to manually unfsck the computers in a given location, to allow them to be joined to a non-dead domain controller, I wound up doing it that way.

Attempting to script it would have resulted in too much comedy, given the way the systems were (incorrectly) locked down. Ah well.

That location needs a reimage, as well as a few others, because the person who was responsible for them is dead. Literally. And the f'ed up things he left behind would take too long to undo. Reimaging with clean images is the only way.

So, why all this again? So the farkin script from that farkin company can run.

I feel like Homer Simpson with 20 gallons of rage for a 10 gallon hat. Or maybe it's brains. I dunno at this point.
 

Graeme K

Ars Legatus Legionis
14,776
Subscriptor++
First day back in the Office since my trip to my new site. I'm going from the manager of a small IT department (in addition to my operations duties) to the manager of a small IT department with multiple locations (...in addition to my operations duties). Time to figure out how I want to integrate this branch office into our network...whoooo.
 

Barmaglot

Ars Legatus Legionis
11,783
Subscriptor
Apparently IBM x3550 servers (first generation, type 7978) have some kind of manufacturing flaw. One of our techs just opened up two of them to upgrade RAM from 8GB to 24GB and both had one of the chipset heatsinks broken loose - one of the spring-loaded catches failed, same on both servers. Let's see how good IBM is with their 4-hour warranty.

Edit: Yay! Opened up a third x3550 that I had in office (it arrived for a fresh deployment a few days ago; the first two are at a customer site), lo and behold, the same busted mounting. Except in this case IBM are making noises that it might be out of warranty, bleh.

Edit2: here's a picture, if I'm not mistaken, it's the disk controller underneath:

ibm-heatsink.jpg
 