Setting up a Windows Server 2022 VPN has me insane
I am setting up VPN remote access on a Windows Server 2022. It has me going insane. No matter what I do, I keep getting "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer." error when trying to connect from the client machine.
I have made sure that ports are forwarded through the office router. I have verified settings on both the server and the client, and am going bonkers trying to figure it out. Does anybody have any experience with this because I am at the end of my tether over here.
I am using a pre-shared key and EAP+MSCHAPv2.
Please help.
https://redd.it/1nsjrlk
@r_systemadmin
Some devices appear disconnected, however they are connected to Action1
Sorry if this is not the right sub, but I already posted in Action1 and got no answer there, so I thought maybe someone here could give me the right fix.
I'm using Action1 as my device management software and I have an issue that I just noticed recently: some devices appear to be disconnected, however they are active and connected to the internet. Is there something I missed? I tried restarting the devices but still have the same issue.
https://redd.it/1nsnec0
@r_systemadmin
10 Copy-Paste Wins (Shadow APIs, npm scares, O365 detections, AI guardrails, more)
I pulled together things we keep re-inventing: runnable snippets, detections, and guardrails.
No vendor slides, no “strategic guidance”, zero fluff. Just copy-pasteable wins.
# 1) Shadow APIs: find them, fence them, document later
```sh
# Ingress puts hostnames in spec.rules[].host (string) and spec.tls[].hosts (array); collect both
kubectl get ingress,svc,endpointslices -A -o json \
  | jq -r '.. | objects | (.host? // empty | strings), (.hosts? // empty | arrays | .[])' | sort -u > hosts.txt
```
Probe `/openapi.json` etc., diff vs. spec registry, block unknown hosts/paths at WAF until reviewed.
# 2) npm supply chain: “one maintainer clicked the phish” playbook
* Quarantine new versions (<48h old).
* `npm ci --ignore-scripts` everywhere, allowlist exceptions.
* Block `registry.npmjs.org` egress from CI.
* SBOM diff gate → require approver outside the committer’s team.
# 3) CI vuln noise → signal
Only gate if **Severity ≥ High + fix exists + reachable at runtime**.
Use KEV/EPSS > 0.5 as fast-track fail.
`.trivy.yml`:
```yaml
severity:
  - HIGH
  - CRITICAL
exit-code: 1
vulnerability:
  ignore-unfixed: true   # same as --ignore-unfixed
```
# 4) O365/Entra detections that aren’t junk
**KQL – MFA fatigue:**
```kusto
SigninLogs
| where ResultType in ("500121","50074","50097")
| summarize count() by UserPrincipalName, IPAddress, bin(TimeGenerated, 30m)
| where count_ > 6
```
# 5) Windows 4625 spam — find the process, not vibes
```powershell
# 4625 EventData order: [10] = LogonType, [18] = ProcessName, [19] = IpAddress ([8] is FailureReason)
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4625;StartTime=(Get-Date).AddHours(-1)} |
Where-Object { $_.Properties[10].Value -eq 3 } |                  # LogonType 3 = network
ForEach-Object { $_.Properties[19].Value } |
Where-Object { $_ -and $_ -ne '-' } | Sort-Object -Unique |       # one lookup per source IP
ForEach-Object {
    Get-NetTCPConnection -State Established -RemoteAddress $_ -ErrorAction SilentlyContinue |
    ForEach-Object { Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue }
}
```
# 6) Android 15 classroom lockdown
Require EMM that supports: Device Owner, kiosk launcher, Wi-Fi lock, APK hosting outside Play, remote screen.
Bootstrap via Zero-Touch/QR → block ADB after.
# 7) AI guardrails that don’t kill productivity
* Browser DLP extension with redact/block regexes.
* Proxy: rate-limit & size-limit to AI domains, allow enterprise tenants.
* Bannered pre-prompt in approved tools.
Policy line you can ship:
>Don’t paste client data, secrets, or code with keys into AI tools. Use only [approved list].
# 8) SPF flattening without a pager
Public record:
```
v=spf1 include:_spf.YOURDOMAIN ~all
```
Nightly job resolves includes → IPs, dedupes, pushes `_spf.YOURDOMAIN`.
Alert if delta > N ranges.
# 9) Browser is the new OS
* Enforce uBO-equivalent at enterprise/DNS level.
* Block unsigned EXEs via AppControl/WDAC.
* IdP-only admin portals, MFA hardware keys.
# 10) Incident comms you can paste during npm/Okta/$vendor fires
**External:**
>We’re aware of reports involving X. Deploy freeze in place. Services remain [status]. Next update at +2h.
**Internal thread:**
* 📦 Freeze builds
* 🔍 Scope services & SBOM
* 🔒 Apply egress blocks/controls
* 🕒 Owners + next update time
# Tiny but mighty
* MFA fatigue → number matching.
* Exchange/Outlook → auto-label exfil attempts.
* WSL2 mirrored mode → needs IPv6.
If this saves you an hour, great.
If you want the full pack (Sigma/KQL/Trivy configs, k8s policies, SPF script, API crawler, incident templates), **DM me** and happy to help!
https://redd.it/1nspham
@r_systemadmin
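The MFA-fatigue query in section 4 above, as an added example that is not part of the original post: the same ResultType set, 30-minute bin and `> 6` threshold reimplemented in Python over constructed sign-in records that use the SigninLogs column names, plus a sliding-window variant the post does not have. The sliding window is there because a fixed bin splits a burst that straddles a bin boundary; the user names, IPs and timestamps below are made up.

```python
"""MFA-fatigue detection over sign-in records (added example, not the post's code)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MFA_RESULT_TYPES = {"500121", "50074", "50097"}  # the post's ResultType list
THRESHOLD = 6                                    # the post's "count_ > 6"
WINDOW = timedelta(minutes=30)                    # the post's bin(TimeGenerated, 30m)
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def bin_start(ts, size=WINDOW):
    """Floor a tz-aware timestamp to a fixed bin, like KQL bin()."""
    return _EPOCH + ((ts - _EPOCH) // size) * size


def _prompts(events):
    """Only the records that are MFA prompts the user did not complete."""
    return [e for e in events if e["ResultType"] in MFA_RESULT_TYPES]


def fixed_bin_alerts(events, threshold=THRESHOLD):
    """Equivalent of the post's query: (user, ip, bin) groups with more than `threshold` prompts."""
    counts = defaultdict(int)
    for e in _prompts(events):
        counts[(e["UserPrincipalName"], e["IPAddress"], bin_start(e["TimeGenerated"]))] += 1
    return sorted(k for k, n in counts.items() if n > threshold)


def sliding_window_alerts(events, threshold=THRESHOLD, window=WINDOW):
    """(user, ip) pairs with more than `threshold` prompts inside ANY `window`-long span."""
    by_key = defaultdict(list)
    for e in _prompts(events):
        by_key[(e["UserPrincipalName"], e["IPAddress"])].append(e["TimeGenerated"])
    alerts = []
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop prompts older than the window
                start += 1
            if end - start + 1 > threshold:
                alerts.append(key)
                break
    return sorted(alerts)


# Constructed sample data (not real tenant logs), using SigninLogs column names.
def _burst(user, ip, start, n, step_min, result="500121"):
    return [{"TimeGenerated": start + timedelta(minutes=i * step_min),
             "UserPrincipalName": user, "IPAddress": ip, "ResultType": result}
            for i in range(n)]


_DAY = datetime(2025, 9, 28, tzinfo=timezone.utc)
SAMPLE_EVENTS = (
    _burst("alice@example.com", "203.0.113.5", _DAY.replace(hour=10, minute=50), 8, 3)  # 8 prompts in 21 min, across 11:00
    + _burst("bob@example.com", "198.51.100.7", _DAY.replace(hour=14, minute=5), 7, 3)  # 7 prompts inside the 14:00 bin
    + _burst("carol@example.com", "192.0.2.9", _DAY.replace(hour=9), 3, 1, result="0")  # successes, ignored
)

if __name__ == "__main__":
    print("fixed bins:", fixed_bin_alerts(SAMPLE_EVENTS))        # bob only; alice's burst is split 4/4
    print("sliding   :", sliding_window_alerts(SAMPLE_EVENTS))   # alice and bob
```

Alice's eight prompts never trip the fixed-bin rule because four land in the 10:30 bin and four in the 11:00 bin; the sliding window sees all eight within 21 minutes. If you keep the KQL as posted, shortening the bin and lowering the threshold, or adding a second query with `bin(TimeGenerated, 30m)` offset by 15 minutes, is the cheap way to close that gap.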
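The SPF flattening job in section 8 above, as an added example that is not the post's own script: the include: walk, the RFC 7208 limit of ten DNS-querying terms (the reason flattening exists), dedupe, the flattened record for `_spf.YOURDOMAIN`, the split into 255-octet TXT strings, and the "alert if delta > N ranges" check. DNS is replaced by a constructed in-memory TXT table so it runs offline; the vendor names and address ranges are placeholders, and the real job would swap `lookup_txt` for a resolver call.

```python
"""Nightly SPF flattening with a delta alert (added example, not the post's code)."""
import ipaddress

MAX_LOOKUPS = 10  # RFC 7208 s4.6.4: more than 10 include/a/mx/ptr/exists/redirect terms is permerror

# Constructed stand-in for TXT lookups (dns.resolver / dig TXT in the real job).
FAKE_TXT = {
    "spf.mailvendor.example": ["v=spf1 ip4:192.0.2.0/24 include:relays.mailvendor.example ~all"],
    "relays.mailvendor.example": ["v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 ip6:2001:db8::/48 -all"],
    "spf.crm.example": ["v=spf1 ip4:203.0.113.0/25 ip4:192.0.2.0/24 ~all"],  # 192.0.2.0/24 repeats
}
VENDOR_INCLUDES = ["spf.mailvendor.example", "spf.crm.example"]  # what the public record used to include


def lookup_txt(name):
    return FAKE_TXT.get(name, [])


def _key(net):
    return (net.version, int(net.network_address), net.prefixlen)


def flatten(includes, resolve=lookup_txt):
    """Walk include:/redirect= chains; return (sorted unique networks, lookups used).

    a, mx, ptr, exists and exp= need lookups of their own, so rather than guess
    their expansion this refuses and leaves them for a human to add explicitly.
    """
    seen, networks, lookups = set(), set(), 0
    stack = list(includes)
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        lookups += 1
        if lookups > MAX_LOOKUPS:
            raise RuntimeError(f"more than {MAX_LOOKUPS} lookups while resolving {name}")
        for txt in resolve(name):
            if not txt.lower().startswith("v=spf1"):
                continue
            for term in txt.split()[1:]:
                mech = term.lstrip("+-~?").lower()
                if mech.startswith(("ip4:", "ip6:")):
                    networks.add(ipaddress.ip_network(mech[4:], strict=False))
                elif mech.startswith("include:"):
                    stack.append(mech[len("include:"):])
                elif mech.startswith("redirect="):
                    stack.append(mech[len("redirect="):])
                elif mech != "all":
                    raise ValueError(f"unsupported mechanism {term!r} in {name}")
    return sorted(networks, key=_key), lookups


def build_record(networks, default="~all"):
    """Flattened record for _spf.YOURDOMAIN: ip4/ip6 terms only, zero DNS lookups."""
    terms = []
    for n in networks:
        host = n.prefixlen == n.max_prefixlen
        terms.append(f"ip{n.version}:{n.network_address if host else n.with_prefixlen}")
    return " ".join(["v=spf1", *terms, default])


def txt_strings(record, limit=255):
    """Split on spaces into <=limit-octet strings; resolvers concatenate them back."""
    chunks, cur = [], ""
    for term in record.split(" "):
        piece = term if not cur else " " + term
        if cur and len(cur) + len(piece) > limit:
            chunks.append(cur)
            cur = piece
        else:
            cur += piece
    chunks.append(cur)
    return chunks


def range_delta(old, new):
    added = sorted(set(new) - set(old), key=_key)
    removed = sorted(set(old) - set(new), key=_key)
    return added, removed


def should_alert(old, new, max_changes=5):
    """The post's rule: page someone if more than N ranges were added or removed."""
    added, removed = range_delta(old, new)
    return len(added) + len(removed) > max_changes


if __name__ == "__main__":
    nets, used = flatten(VENDOR_INCLUDES)
    record = build_record(nets)
    print(f"{used} lookups, {len(nets)} ranges\n{record}")
    for s in txt_strings(record):
        print(f'  "{s}"')
```

Push the strings from `txt_strings` as the single TXT record at `_spf.YOURDOMAIN`; the public record stays `v=spf1 include:_spf.YOURDOMAIN ~all`, so the live lookup count is one regardless of how many vendors sit behind it. Run `should_alert` against the previous night's set before publishing.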
Win Server Storage Spaces
Anyone using Windows Server Storage Spaces: how are you monitoring the storage pool / disk health for alerting?
https://redd.it/1nsoodx
@r_systemadmin
Software used to deploy OS
I need to rebuild about 50 computers over a weekend next month at a remote site.
At our current site, we use MDT to install new OS and updated drivers but remote site doesn't have anything set up as of yet.
Are there any other options besides MDT for a small deployment? I could go around and boot to usb drives but would like a better option.
https://redd.it/1nssdd4
@r_systemadmin
Rsync File Transfer Guide – Efficient, Secure Bulk Transfers for Sysadmins
After seeing repeated questions about efficient large file transfers (especially the recent 4TB datacenter sync question), I thought I'd share some practical rsync workflows that have saved me countless hours and bandwidth over the years.
**Why Rsync Dominates for Bulk Transfers**
While tools like Quest Secure Copy and even simple file copies work, rsync's delta-sync algorithm is unmatched. It only transfers the changed portions of files, which can reduce transfer times by 80-90% on subsequent runs. The built-in integrity checking via checksums has prevented data corruption more times than I can count.
**Essential Flags Every Sysadmin Should Know**
• `-a` (archive mode) - Your bread and butter. Preserves permissions, timestamps, symlinks recursively
• `--progress` - Shows real-time transfer progress and ETA (invaluable for large datasets)
• `--bwlimit=50000` - Bandwidth limiting in KB/s to prevent network saturation
• `--dry-run` - **Always test first!** Shows what would be transferred without making changes
• `-z` - Compression for slower links (can double transfer speed on text/log files)
• `--delete` - Removes files from destination that no longer exist at source (use with caution)
**Production Workflows That Actually Work**
**Scenario 1: Initial 4TB Migration**
```
rsync -avz --progress --bwlimit=50000 --dry-run /data/ user@remote:/backup/
# Review the output, then remove --dry-run
rsync -avz --progress --bwlimit=50000 /data/ user@remote:/backup/
```
**Scenario 2: Ongoing Incremental Syncs**
```
rsync -avz --progress --delete --exclude="*.tmp" --exclude=".DS_Store" /data/ user@remote:/backup/
```
**Scenario 3: Daemon Mode for Massive Datasets**
For petabyte-scale transfers, rsync daemon mode bypasses SSH overhead:
```
# On destination server
echo '[backup]
path = /backup
read only = no
hosts allow = 192.168.1.0/24' > /etc/rsyncd.conf
systemctl start rsyncd
# On source server
rsync -avz --progress /data/ backup.server::backup/
```
**Real-World Performance Gains**
Last month, I needed to sync 2TB of VM backups between datacenters. Standard file copy was showing 6+ hours. Rsync with compression and the right buffer sizes completed the initial sync in 2.5 hours, and subsequent daily syncs take under 15 minutes due to delta-sync.
The key insight: rsync isn't just about speed—it's about reliability. The `--dry-run` flag has saved me from disasters, and the built-in resume capability means network interruptions don't restart your entire transfer.
**Advanced Tips**
• Use `--exclude-from` with a file list to skip temp directories, logs, etc.
• For Windows environments, consider Cygwin rsync or WSL
• Monitor with `iotop` and `nethogs` to ensure you're not saturating resources
• Test with small datasets first—rsync flags can be destructive
For those wanting to dive deeper into advanced rsync configurations, security settings, and performance tuning, I found this [comprehensive rsync best practices guide by LinuxHardened](https://www.linuxhardened.com/rsync-file-transfer-guide/) particularly thorough in covering daemon setup and edge cases.
What are your go-to rsync workflows? Any flags or techniques that have saved your bacon in production environments?
https://redd.it/1nssup6
@r_systemadmin
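The "always `--dry-run` first" and "`--delete`, use with caution" advice above, as an added example that is not from the post: rsync's `--dry-run --itemize-changes` output is parsed into deletions, creations, content changes and permission/ownership changes, and the real run is refused when deletions exceed a limit or when permissions would change, so the review step can fail a scheduled job instead of relying on someone reading the output. The sample output below is constructed, not captured from a real transfer; the paths and thresholds are placeholders.

```python
"""Gate an rsync run on its own --dry-run --itemize-changes output (added example)."""
import re
import subprocess
from dataclasses import dataclass, field

# Itemized line: "YXcstpoguax path"
#   Y: < sent  > received  c local create/change  h hard link  . attributes only  * message
#   X: f file  d dir  L symlink  D device  S special
#   nine attribute flags: c(hecksum) s(ize) t(ime) p(erms) o(wner) g(roup) u(time) a(cl) x(attr);
#   '.' unchanged, '+' on all nine = newly created item, '?' unknown
ITEM_RE = re.compile(r"^([<>ch.])([fdLDS])([.+?cstpoguax]{9}) (.+)$")
MSG_RE = re.compile(r"^\*(\w+)\s+(.+)$")   # e.g. "*deleting   old/file"


@dataclass
class Plan:
    deleted: list = field(default_factory=list)
    created: list = field(default_factory=list)
    content_changed: list = field(default_factory=list)  # checksum or size differs
    attr_changed: list = field(default_factory=list)     # perms/owner/group only, content same
    time_only: list = field(default_factory=list)
    unparsed: list = field(default_factory=list)         # header, totals, anything unexpected


def parse_itemized(output):
    plan = Plan()
    for line in output.splitlines():
        if not line.strip():
            continue
        msg = MSG_RE.match(line)
        if msg:
            if msg.group(1) == "deleting":
                plan.deleted.append(msg.group(2))
            else:
                plan.unparsed.append(line)
            continue
        item = ITEM_RE.match(line)
        if not item:
            plan.unparsed.append(line)
            continue
        flags, path = item.group(3), item.group(4)
        if flags == "+" * 9:
            plan.created.append(path)
        elif "c" in flags or "s" in flags:
            plan.content_changed.append(path)
        elif any(f in flags for f in "pog"):
            plan.attr_changed.append(path)
        else:
            plan.time_only.append(path)
    return plan


def gate(plan, max_deletes=0, allow_attr_changes=False):
    """Return (ok, reasons); ok is False when the real run should not proceed."""
    reasons = []
    if len(plan.deleted) > max_deletes:
        reasons.append(f"{len(plan.deleted)} deletions > limit {max_deletes}, e.g. {plan.deleted[:3]}")
    if plan.attr_changed and not allow_attr_changes:
        reasons.append(f"perm/owner changes on {len(plan.attr_changed)} paths, e.g. {plan.attr_changed[:3]}")
    return (not reasons), reasons


def dry_run_plan(src, dst, extra=()):
    """Run rsync's own dry run and parse it (needs rsync installed; not exercised here)."""
    argv = ["rsync", "-a", "--delete", "--dry-run", "--itemize-changes", *extra, src, dst]
    out = subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    return parse_itemized(out)


# Constructed sample of "rsync -a --delete -n -i" output, not a real capture.
SAMPLE_DRY_RUN = """\
sending incremental file list
*deleting   old/report-2023.pdf
*deleting   tmp/cache.bin
cd+++++++++ docs/
>f+++++++++ docs/new-policy.md
>f.st...... data/ledger.csv
>f..t...... data/readme.txt
>f...p..... bin/backup.sh
>fc.t...... data/checksums.txt
.d..t...... logs/

sent 1,482 bytes  received 118 bytes  3,200.00 bytes/sec
total size is 9,876,543  speedup is 6,172.84 (DRY RUN)
"""

if __name__ == "__main__":
    plan = parse_itemized(SAMPLE_DRY_RUN)
    ok, reasons = gate(plan, max_deletes=1)
    print("proceed" if ok else "blocked:\n  " + "\n  ".join(reasons))
```

Wire `dry_run_plan` in front of the real transfer in the Scenario 2 job and run the real command only when `gate` returns ok; tune `max_deletes` to what a normal day looks like for that dataset. An unexpected flood of `*deleting` lines is the signature of a source path that was unmounted, renamed, or pointed at the wrong directory, which is exactly the disaster `--dry-run` is meant to catch.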
Water usage in datacenters
I keep seeing people talking about new datacenters using a lot of water, especially in relation to AI. I don't work in or around datacenters, so I don't know a ton about them.
My understanding is that water would be used for cooling. My knowledge of water cooling is basically:
1. Cooling loops are closed, there would be SOME evaporation but not anything significant. If it's not sealed, it will leak. A water cooling loop would push water across cooling blocks, then back into radiators to remove the heat, then repeat. The refrigeration used to remove the heat is the bigger story because of power consumption.
2. Straight water probably wouldn't be used for the same reason you don't use it in a car: it causes corrosion. You need to use chemical additives or, more likely, pre-mixed solutions to fill these cooling loops.
I've heard of water chillers being used, which I assume means passing hot air through water to remove the heat from the air. Would this not be used in a similar way to water loops?
I'd love some more information if anybody can explain or point me in the right direction. It sounds a lot like political FUD to me right now.
https://redd.it/1nstfzk
@r_systemadmin
One man shop, in over head, need help prioritizing
I recently took a help desk role under a sysadmin. He immediately quit and left me with an entire environment to deal with alone. Intune, networking, VMs, Azure Architecture & Help Desk.
Every where I look in our environment there’s a mess. I need help prioritizing what’s critical.
Current Issues:
-VPN VNG SKU Upgrade: I have a dynamic public IP labeled as a VNG that’s not listed as associated to anything. The deadline for SKU upgrades is Sept. 30th. There’s no documentation on the network topology. I don’t know if I should switch this to a static IP and upgrade the SKU or hope it falls in the January 2026 deadline and risk it on the 30th… Our other VNG doesn’t have enough IPs to do the upgrade and I’ve never built one before. My networking knowledge is my weakest point.
-Network Switch Port Flapping non stop on a handful of ports
-User reported firewall may not be active in part of the office
-Finding repeat failed login attempts on old accounts from ex employees that are still active for “data retention” & mail forwarding purposes
-Huge spike in network traffic (like x10) showing sometime in mid September
-The antivirus is broad-scoped and failing to apply an exclusion policy in event logs on every endpoint every ten seconds because the policy was only relevant for a single VM…
-The antivirus was fucking with Outlook Classic and had to be scoped out of that application to get it to function… I documented the shit out of my interaction with this vendor.
-The ESXi host is failing domain authentication against a DC every ten seconds and the host itself shows a domain error. I have root access and am considering taking the host off the domain altogether. I suspect this is impacting sign-in times for users. I vaguely remember him telling me he was “cleaning up” the ESXi accounts in AD.
Any guidance one can offer is much appreciated. I’m going to go pour myself a drink.
Please don’t tell me to run. I don’t want to give up just because shit’s gotten hard.
https://redd.it/1nswkfk
@r_systemadmin
Windows Admin Center/LAPS Extension
Has anyone been able to get the LAPS Extension fully functioning with their Windows Admin Center?
I was very excited to test out the RDP/PowerShell LAPS login feature but instead the boxes are greyed out. I verified I'm able to RDP and connect via PowerShell with the LAPS account through WAC PowerShell extension and Remote Desktop extension but through the LAPS Extension, the Remote Desktop and PowerShell buttons are greyed out and there doesn't seem to be much documentation from Microsoft.
Curious if others have this working and their thoughts on the Extension.
https://redd.it/1nswlv6
@r_systemadmin
Microsoft 365 test tenant
Hello sysadmins,
Since the Microsoft 365 Developer Program is no longer free, what are you doing for testing purposes?
Purchasing a Visual Studio Professional subscription, which makes you eligible for the Microsoft 365 Developer Program.
Buying a Microsoft 365 Business Premium (or another type of Microsoft 365) license.
https://redd.it/1nsyaxi
@r_systemadmin
How do you setup devices?
We buy some laptops from HP, insert a USB with a Windows 11 ISO and install it with Intune/Autopilot. The thing is that the ISO gets old over time and I need to create a new one. The other problem is when Windows brings out 25H2 but this version is not yet released by our IT department, so that's the other case.
https://redd.it/1nsweh8
@r_systemadmin
Trying to understand how to use PWPUSH
Could anyone set me straight on the right way to use PWpush?
You want to send someone the login credentials for say m365.
Do you send the email address they should log in with and the PWPush link on the same page?
Seems the answer would be no. Someone intercepting the email would have both parts of the login.
Do you send the user 2 emails? 1 with the email address to log in with, and a separate email with the PWPush link, with minimal explanation in the 2nd? Or you could say 'password for M365 for email address sent separately'?
In that case, someone would have to intercept both emails.
And if you are turning over several different credentials for different things, like these 3: M365, Cloudflare, webhost, etc.,
would you do that with the 2 emails? Or with 1 email with the usernames to use for each site, and then separate PWPush emails, 1 for each service?
I don't want to overwhelm users but DO want to do things securely.
https://redd.it/1nt39wi
@r_systemadmin
PA-VM ↔ PA-VM Route-Based IPsec Tunnel over VyOS ISPs (Phase 2 not establishing)
Hey all,
I’m trying to bring up a route-based IPsec tunnel between two Palo Alto firewalls in my lab. Each site has a PA-VM behind a VyOS router that acts as the ISP. The VyOS boxes are connected back-to-back, simulating the internet.
Topology (simplified):
Site A LAN/DMZ → PA-VM (Untrust) → VyOS A → VyOS B → PA-VM (Untrust) → Site B LAN/DMZ
PA-VM Site A:
mgmt = 10.10.10.10/24
ethernet1/1 = 172.16.100.254/24
ethernet1/2 = 10.10.10.100/24
ethernet1/3 = 10.20.20.200/24
Tunnel.10: 20.1.1.1/30
PA-VM Site B:
mgmt = 192.168.10.50/24
ethernet1/1 = 10.100.1.254/24
ethernet1/2 = 192.168.10.100/24
ethernet1/3 = 192.168.20.200/24
Tunnel.10: 20.1.1.2/30
VyOS A:
eth0 = VMnet8 (NAT to host) (192.168.70.0/24)
eth1 = 172.16.100.10/24
VyOS B:
eth0 = VMnet8 (NAT to host) (192.168.70.0/24)
eth1 = 10.100.1.10/24
I have 3 VRs: VR-VPN, VR-LAN, VR-DMZ
The Problem:
IKE Phase 1 comes up fine.
IKE Phase 2 will not be established.
Routing looks correct, but I suspect I’m misconfiguring the peer IP or missing something in the tunnel setup.
My Doubt:
When defining the IKE Gateway on each PA:
Local IP = Untrust interface (ethernet1/1)
Peer IP → should this be the VyOS NAT’d address of the remote site, or the Untrust IP of the remote PA-VM behind VyOS?
What I’ve Tried:
Verified routing on both PA and VyOS
Checked NAT rules
Tunnel interfaces are bound to the correct VRs
Static routes pointing interesting traffic into the tunnel
Ask:
In this double-ISP (VyOS) setup, what should the peer IP be for the PA-to-PA tunnel?
Any common Phase 2 gotchas in PA ↔ PA route-based VPNs with NAT’d ISPs?
Happy to share sanitized configs if needed. Just desperate to see Phase 2 green at this point.
Thanks!
https://redd.it/1nt4r80
@r_systemadmin
Disable browser extensions for your parents/grandparents/users
Many of us are de facto family tech support, so just putting this out there. My grandma had scammers get into her bank account and it looks like it was through a malicious browser extension, something about a package/shipping tracker. I made some reg edits that just prohibited extensions for Chrome and Edge.
It’s so easy to accidentally install extensions; I wish I’d thought of it sooner. She has MFA, but I’m guessing the extension let them into her actual browser, which was logged into her bank, or they were able to steal the session otherwise. When I removed it, it was already flagged “potentially unsafe” in Chrome and Edge.
https://redd.it/1ntagp2
@r_systemadmin
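The "reg edits" the post describes map to the Chrome and Edge ExtensionInstallBlocklist policy, which both browsers read from HKLM\SOFTWARE\Policies and which disables already-installed extensions as well as blocking new ones when the list contains "*". The script below is an added example, not the poster's own edits: it sets that policy for both browsers machine-wide and optionally keeps a short allowlist of extension IDs. The allowlist ID shown in the comment is a hypothetical placeholder.

```powershell
# Added example, not the poster's own registry edits. Applies the
# ExtensionInstallBlocklist policy (value "*" = block every extension) for
# Chrome and Edge machine-wide, with an optional allowlist for IDs you trust.
# Blocklisted extensions that are already installed are disabled by the browser.
# Run from an elevated PowerShell session.

$policyRoots = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
)

# Extension IDs to keep working (empty = block everything). The ID in the
# comment is a hypothetical placeholder, not a real extension.
$allowedIds = @()   # e.g. @('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa')

foreach ($root in $policyRoots) {
    $blockKey = Join-Path $root 'ExtensionInstallBlocklist'
    New-Item -Path $blockKey -Force | Out-Null
    # Policy lists are numbered REG_SZ values starting at 1.
    New-ItemProperty -Path $blockKey -Name '1' -Value '*' -PropertyType String -Force | Out-Null

    $allowKey = Join-Path $root 'ExtensionInstallAllowlist'
    if ($allowedIds.Count -gt 0) {
        New-Item -Path $allowKey -Force | Out-Null
        $n = 1
        foreach ($id in $allowedIds) {
            New-ItemProperty -Path $allowKey -Name "$n" -Value $id -PropertyType String -Force | Out-Null
            $n++
        }
    } elseif (Test-Path $allowKey) {
        # Stale allowlist entries would punch holes in the block; clear them.
        Remove-Item -Path $allowKey -Recurse -Force
    }
}

# Verify: chrome://policy and edge://policy should show ExtensionInstallBlocklist = ["*"]
# after the browser reloads policy (or is restarted).
Get-ItemProperty -Path ($policyRoots | ForEach-Object { Join-Path $_ 'ExtensionInstallBlocklist' })
```

Two caveats for the family-support case: the policy only covers Chrome and Edge, so a third browser on the machine is untouched, and an extension that was already running with host permissions on the bank's site may have exported cookies before you removed it, so the bank session should be signed out everywhere and the password rotated regardless of MFA.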
Active Directory Course
Hey all,
We are planning to migrate our AD to Windows Server 2025, and with this we are implementing ADCS and Entra Connect this time as well.
My knowledge of AD is very average (I can troubleshoot, diagnose, and know the basics of DC, DNS, DHCP, DFS, GP, just your average DC features).
I wanted to learn a bit deeper about AD and was wondering if anyone knows any good course that covers all the deeper technical side of AD?
Thanks in advance!
https://redd.it/1nt755s
@r_systemadmin
PSA: Recent Windows 10 update force-binds Copilot to Alt+C
If you have an app that uses Alt+C, or happen to be Polish (unable to type "ć", as it is bound to Alt+C on the Polish keyboard), and also happen to still have Windows 10 on some devices and have not uninstalled Copilot from them yet, you are gonna stumble upon a funny situation / start getting not-so-funny calls soon.
There is no official solution apart from uninstalling/disabling the Copilot app as of today. The issue does not occur on Windows 11.
My org was hit today but apparently others got hit earlier - relevant MS Q&A thread (in Polish): https://learn.microsoft.com/pl-pl/answers/questions/5541180/jak-wy-czy-skr-t-prawy-alt-c-uruchamiajacy-now-kon
https://redd.it/1ntcc2h
@r_systemadmin
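Since the only workaround the post names is removing the Copilot app, here is the removal done properly for a shared or imaged Windows 10 machine: the Appx package has to go for every existing user profile and the provisioned copy has to be deleted too, or the next new profile gets it back. This is an added example, not from the post or from Microsoft; the package-name filter 'Microsoft.Copilot*' is an assumption and should be confirmed with Get-AppxPackage -AllUsers on an affected machine before running it at scale.

```powershell
# Added example, not from the post or Microsoft. Removes the Copilot app for
# every user profile and deletes the provisioned copy so it is not reinstalled
# for new profiles. The package name filter is an assumption; confirm it with
# Get-AppxPackage -AllUsers on an affected machine. Run elevated.

$filter = 'Microsoft.Copilot*'

$installed = Get-AppxPackage -AllUsers | Where-Object { $_.Name -like $filter }
if (-not $installed) {
    Write-Output "No package matching $filter is installed for any user."
} else {
    $installed | ForEach-Object {
        Write-Output "Removing $($_.PackageFullName) for all users"
        Remove-AppxPackage -Package $_.PackageFullName -AllUsers
    }
}

# Provisioned packages are staged into each new user profile at first logon,
# so removing only the installed copies leaves the problem for the next user.
Get-AppxProvisionedPackage -Online |
    Where-Object { $_.DisplayName -like $filter } |
    ForEach-Object {
        Write-Output "De-provisioning $($_.PackageName)"
        Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName | Out-Null
    }

# Report what is left so the result can be checked from a management console.
Get-AppxPackage -AllUsers | Where-Object { $_.Name -like $filter } |
    Select-Object Name, PackageFullName
```

After a sign-out, Alt+C (right Alt+C on the Polish layout) should type the expected character again; if it still opens Copilot, the filter matched the wrong package and the name needs to be checked with Get-AppxPackage -AllUsers.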
Microsoft
How to disable the Right ALT+c shortcut that launches a new conversation in COPILOT - Microsoft Q&A
How to disable the Right ALT+c keyboard shortcut so that it does not start a new conversation in COPILOT but instead enters the Polish character "ć" (lowercase c with acute). When Copilot is completely disabled the shortcut works correctly and produces the letter ć, but it is enough that…
Font foundries and licensing
Those of you who use custom font foundries and host websites - how does one navigate the complicated font licensing world?
E.g. we want to use a font owned by Adobe. Adobe has three resellers, and each gave us a different licensing interpretation and wildly different quotes. I want to host the font due to security requirements, use it in internal/dev sites, and use it for official document templates.
https://redd.it/1ntcwvl
@r_systemadmin
Moronic Monday - September 29, 2025
Howdy, /r/sysadmin!
It's that time of the week, Moronic Monday! This is a safe (mostly) judgement-free environment for all of your questions and stories, no matter how silly you think they are. Anybody can answer questions! My name is AutoModerator and I've taken over responsibility for posting these weekly threads so you don't have to worry about anything except your comments!
https://redd.it/1ntdyto
@r_systemadmin
Microsoft Licenses / CSPs
We currently use Trusted Tech Team. We are OK with them, but we also want to make sure we are getting the best price possible. Your mileage may vary, but on average, are you willing to share how much you are paying monthly for an O365 E3? We are paying $30.96.
https://redd.it/1ntftob
@r_systemadmin
Is it just me, or does working in operations always come with having to babysit the helpdesk, no matter what position you move into?
I'm trying to move on from IT helpdesk, and while I'm technically no longer doing frontline support, I still get pulled back into it.
I work in operations now, but I'm stuck handling escalated tickets from the helpdesk and often end up babysitting the whole process. I don't do helpdesk work anymore, but I can't fully escape it either.
Now I'm being told I need to get ITIL certified. I'm starting to wonder if I've made a mistake in this transition. I just want to focus on real operations work or get into system builds and infrastructure. I'm honestly burnt out from anything helpdesk-related.
Has anyone else been in this situation? How did you get out of the helpdesk shadow for good?
https://redd.it/1ntgtup
@r_systemadmin
What are some cheaper docking stations that you recommend?
We allow our users to work hybrid. We provide everyone with an in-office setup, but if they want to be hybrid, we do not provide a setup for at home. Some people just use their laptop at home, but recently we've been getting asked for recommendations on what to buy for home setups that are the same as work.
There is a PC salvage place nearby where they grab decent monitors for $30-40 each. The salvage place never has any docks. Most people don't want to shell out the $175-250 for a new Dell dock.
I personally don't know much about docks outside of what I use at work, which are the WD19 and P2424HEB conference monitors.
Does anyone know of any decent docks that work with Dell Latitude 5420, 5440, and 5450s that are on the cheaper side of things? Under 75? Under 50?
https://redd.it/1ntgthn
@r_systemadmin