Trials and tribulations of a new Admin.

Soldato
Joined
25 Nov 2004
Posts
3,792
For DHCP, don't bother with split scope, that has always been a horrible hack. With 2012 R2 DHCP you now have full multi-master replication, so simply set up 2 DHCP servers, and tell the 1st one to replicate to the 2nd one, job done. They replicate in real time, so they always have the latest lease information and can always take over from each other. Would usually have one on a delay (200ms?) just so that by default the 1st one is the one that is always responding (just to make troubleshooting simpler).

Duuuude, thanks a whole bunch. I have been wanting something like this (always wondered why DHCP didn't have a shareable DB that multiple machines could connect to and share lease info etc, this is basically the same thing) for ages. Need to have a full read of new features in 2012R2 it seems :D
 
Soldato
OP
Joined
18 Oct 2002
Posts
7,622
Location
SX, unfortunately
On the bright side, it's a fun challenge to get it all cleaned up.

Very true, each time I've fixed something it has been a bit of a buzz I won't lie!

I am in constant fear of breaking something though, so the stress levels are WAY UP :( Especially at the moment - anything Exchange-wise I'm putting to the IT consultants. I pointed out a couple of weeks back we were getting warnings and errors about the self-signed certs running out of time (yes I know, and it's on the list...). They said don't worry you don't use them. Ok. Down to 50 hours remaining yesterday so thought I'd have a look. Of course we use them. So I asked the consultants to have another look, which they did and renewed them.

The net effect of this is all the mobile devices have complained about the new cert being untrusted. Fine, just accept it. Except on Windows phones you CAN'T just accept it. The only way we've found to do it is to delete the account off the phone and put it back on. Thanks Microsoft, we have about 100 un-computer literate field staff who currently have no emails on their phone!
 
Soldato
OP
Joined
18 Oct 2002
Posts
7,622
Location
SX, unfortunately
It's an "issue" I've known about for years, but as I've been getting closer and closer to the middle of the IT department (i.e. - now it's only me lol) it's got closer to the top of the list. By the end of yesterday, it was top of the list, just had to get director approval to get the change made.

By the end of tomorrow we should have a CA issued cert. Could I have done it myself? Probably. Am I ready to start messing with exchange on a live system that's already flaky? Nope. So we're paying for them to do it.
 
Soldato
OP
Joined
18 Oct 2002
Posts
7,622
Location
SX, unfortunately
And now, 24 hours later the idiots at namesecure still haven't actually put the SRV record on, let alone it start propagating through - so still no autodiscover.

I even called them to request it as well as email. Eejits :mad:
 
Soldato
OP
Joined
18 Oct 2002
Posts
7,622
Location
SX, unfortunately
Think I'm tempted to ask this thread to be renamed "trials and tribulations of a new admin".

Still no sign of my SRV record. And I'm in the office this morning for some other stuff and thought I'd have a poke around at a "quiet" time (still 7 people logged into terminal servers, and 3 of us in this office...). Getting errors from the VSS writers on the backups sometimes. I've gone through most things, but thought I'd check the level of fragmentation on the data drive.

40%

Ok, best get that sorted then.

edit: so it's taken about an hour to defrag 1000 files. There are 269000 files to do. Don't think it's going to be finished today. Or this week. Or next.
 
Associate
Joined
1 Jan 2013
Posts
178
Another thing to add to your list is to take back control of your external DNS for your domain name! Having to wait days for an SRV record to be created is terrible. It should only take them 5 mins to do it. I use a third party DNS provider for all my clients... I have complete control and no waiting for someone else to do something you could do in a snap.
 
Soldato
OP
Joined
18 Oct 2002
Posts
7,622
Location
SX, unfortunately
Ugh - so the defrag has been running for 24 hours now. It's somewhere between 1 and 2%. It's only managed to do 16000 files out of 269000.

I don't think there's anything slowing it down - there's 15% free disk space but presumably that is horrifically fragmented as well.

I'll leave it until about 8am tomorrow but then I'll have to pause it.
 
Soldato
OP
Joined
18 Oct 2002
Posts
7,622
Location
SX, unfortunately
Wasn't even at 2% after 35 hours, so stopped it. Using Defraggler to target heavily used files - PST archives for example*. Going through the files list, a very large number are sub 5 fragments, so not much of an issue there. Going to run a few files each night I guess to get this mess sorted.

Was interesting to note that the Exchange database was measured in the 300,000 fragment range. Not really a surprise because of the amount of activity but quite a number!

* - I am fully aware that server stored PST files is the "wrong" way to do email archiving... It's another thing on the list. As you can imagine, I have a very long list.
 
Soldato
OP
Joined
18 Oct 2002
Posts
7,622
Location
SX, unfortunately
Allegedly namesecure have finally done what I asked. Waiting for it to propagate.

And the old G5 has now been turned off for the last time. Removed from the domain, IPs set to DHCP in case someone decides to fire it up again (not that they will!).
 
Soldato
OP
Joined
18 Oct 2002
Posts
7,622
Location
SX, unfortunately
Old server removed from the rack this morning, the new one has been running on a desk for a while, but migrated all the VMs off onto a spare ML330 - will rack the new one this afternoon then migrate them all back.

Hurrah for virtualisation!
 
Soldato
OP
Joined
18 Oct 2002
Posts
7,622
Location
SX, unfortunately
Been a little while since any updates as had a holiday (came back to all sorts of carnage), and have been trying to get things back on track.

The biggest mess up was the backup, got into a complete mess. I'm putting together a whole new method, instead of individual tapes, a tape library.
 
Soldato
Joined
25 Mar 2004
Posts
15,746
Location
Fareham
Local Exchange running self signed certs? If you wanted more than one name on the cert such as owa.domain.com as well as autodiscover.domain.com then you would have needed a proper SAN certificate, which can have multiple names, rather than just a regular SSL certificate.

Have you considered moving Exchange into a hosted exchange/O365 model? Would take a lot of the management issues of Exchange away from you at least, and provide potentially larger mailboxes as well (your mention of PST files..).

What version of Exchange is it? How redundant is it at the moment? How reliable is it? What disaster recovery have you got in place?
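
An added example (not part of any post in this thread): a check that a certificate file is outside an expiry warning window and that every hostname clients use appears in its SAN, which is the single-name versus SAN distinction described above. It assumes OpenSSL 1.1.1 or later on an admin workstation; the `example.test` hostnames, the throwaway self-signed certificate and the function names are constructed for illustration.

```shell
#!/bin/sh
# make_sample_cert OUT.pem DAYS SAN_LIST
# Builds a throwaway self-signed certificate (constructed test data only).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "/CN=owa.example.test" -days "$2" \
        -addext "subjectAltName=$3" -out "$1" 2>/dev/null
}

# check_cert CERT.pem WARN_DAYS NAME...
# Prints one finding per line; returns 0 only when the certificate is outside
# the warning window and every NAME is covered by a DNS entry in the SAN.
check_cert() {
    cc_pem=$1; cc_warn=$2; shift 2
    [ -r "$cc_pem" ] || { echo "ERROR: cannot read $cc_pem"; return 2; }
    cc_status=0
    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cc_pem" -noout -checkend $((cc_warn * 86400)) >/dev/null; then
        echo "EXPIRY: certificate expires within $cc_warn days"
        cc_status=1
    fi
    # One DNS SAN entry per line, lower-cased (DNS names are case-insensitive).
    cc_sans=$(openssl x509 -in "$cc_pem" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed -n 's/^ *DNS://p' | tr 'A-Z' 'a-z')
    for cc_name in "$@"; do
        cc_name=$(printf '%s' "$cc_name" | tr 'A-Z' 'a-z')
        cc_hit=no
        while IFS= read -r cc_san; do
            if [ "$cc_san" = "$cc_name" ]; then
                cc_hit=yes
            elif [ "${cc_san#\*.}" != "$cc_san" ] && [ "${cc_name#*.}" = "${cc_san#\*.}" ]; then
                cc_hit=yes   # a wildcard covers exactly one left-most label
            fi
        done <<EOF
$cc_sans
EOF
        [ "$cc_hit" = yes ] || { echo "MISSING: $cc_name not in SAN"; cc_status=1; }
    done
    return "$cc_status"
}

# Demo on a constructed certificate: one name only, 10 days of validity left.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/single.pem" 10 "DNS:owa.example.test"
check_cert "$demo_dir/single.pem" 30 owa.example.test autodiscover.example.test ||
    echo "certificate needs attention"
rm -rf "$demo_dir"
```

Run on a schedule against the exported server certificate, this reports both the approaching expiry and the missing autodiscover name before clients start rejecting the certificate.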
 
Soldato
OP
Joined
18 Oct 2002
Posts
7,622
Location
SX, unfortunately
I've not had a chance to get back to the cert issue, but I also believe we need a SAN cert instead of the single name one they have supplied :(

We did look at O365 a little while back, but with the money already invested in the current on premises licence and CALs the business doesn't want to entertain it. Currently there is no redundancy...

It is (touch wood) rather reliable, and I do have a DR plan in place to get it back from bare metal in a few hours (involves me popping home and taking the drives out of my VEEAM server which is same model!).
 
Soldato
OP
Joined
18 Oct 2002
Posts
7,622
Location
SX, unfortunately
Priorities change again. The second G5 (second remote desktop server) has restarted 3 times and shut itself down 4 times in 5 days.

So have prevented new connections and everyone is running on the other server (Gen8) and a few people on the brand new VM one I built a while back which is running 2012 R2. Can't have too many people on there though without going shopping for more 2012 RDS CALs.

Very rarely do I get a quiet day lol
 
Soldato
OP
Joined
18 Oct 2002
Posts
7,622
Location
SX, unfortunately
Interesting - HP MSL drivers install nice and easy on Hyper-V server 2012 R2 without issue. When I've installed the Dell equivalent I had to amend the registry to pretend it was regular server 2012 R2 first.
 