Wrapping RDP inside SSH to protect NTLM?

We have some Windows servers and appliances that are not AD-joined and never will be. They're OT. When we RDP to them, they're unfortunately using NTLM because that's what Windows requires when you're not using Kerberos (and Kerberos requires a KDC/domain controller). These are all on-prem so the risk is already pretty low, but we still don't like NTLM hashes floating across our network.

Does anyone have any experience with wrapping RDP sessions inside SSH sessions? I don't mind doing an extra step of establishing an SSH session when we need to RDP into them, but I do want the sessions to be stable.

https://redd.it/1oz8ufh
@r_systemadmin

Dumper v1.9.0 — This is a CLI utility for creating backups databases of various types (PostgreSQL, MySQL and etc.)

1. support docker
2. support shell noscript before and after backup

https://redd.it/1oz9cwp
@r_systemadmin

Cheapest - secure way to clean Fortinet firewalls

Hello,

We did a network upgrade recently and have lots of 101E which is close to End of life with some HP switches. What is the easiest way to clean and dispose them?

I checked and they do not have any financial value at the moment.

Ps: I am junior system eng.

Thanks in advance!

https://redd.it/1ozaojc
@r_systemadmin

Exchange Server migration

Hi,

I'm tasked with migrating an Exchange Server 2016 currently sitting on a Windows Server 2012 R2. Management wants me to move this to a 2016 Server (And eventually further to 2019 Exchange/2022 Server) using CommVault.

Has anyone done that? I've already indexed/backed up the mailbox contents that need to be moved but I have 0 idea on if there's a procedure that needs to be followed in terms of setting up the new server. CommVault also allows Exchange Database (DAG) Backups. Should I restore the Database on the target server and then the content? Any suggestions/help would be appreciated.

Thanks!

https://redd.it/1ozbz4i
@r_systemadmin

OPNSense and Netgate firewall appliance reliability

Hello Experts,


We’re planning to upgrade our perimeter firewall in the next few months and are currently evaluating our options. Right now, we’re using a SonicWall NSA-series appliance, but over the past two years Dell has increased the cost of its security service licenses nearly fourfold. Because of this, we’re considering switching to an open-source solution, specifically OPNsense or pfSense.

I’d like to get your feedback on the following hardware options:

Netgate 8300 series
OPNsense DEC4240 appliance

Specifically, I’m interested in hearing about:

Their overall reliability (we plan to deploy two units in an HA setup with hot standby)
The effectiveness of their web-filtering and anti-malware plugins
Your experience with ZenArmor—especially stability, performance, and ease of configuration
Can they last over 5+ years of use

Any insights, real-world experiences, or recommendations would be greatly appreciated.

https://redd.it/1oz96xf
@r_systemadmin

Advice on Domain Server 2012 R2 migration to 2022/2025

The one and only domain server is running windows server 2012 and we seriously need to upgrade besides all the security issues some of the software is no longer updating.

What is the best way to go about this? (we have a 2025 license ready to apply to the 2012)
The domain server is also doing DNS and file server, what worries me the most here is the file server part, because its a mixed setup:

* OS drive with 3 file partitions
* Another Drive with a single 4TB partition
* 2 ISCSI Partitions

We have another server 2022 that is supposed to take over as the domain controller but it already has 2 HyperV VMs running production Portals.

I have looked through a couple of reddit posts and they seem to also migrate the files but we don't have enough space to migrate the files.
At first my colleague was thinking of doing a inplace upgrade on the server 2012 but I read that there's a very high chance of failure and not the best way to do it.


How would the IP/DNS work in case we migrate to the other server when the other servers/pc will be pointing to the old domain controller?


So I want the opinion of everyone what you would do in this situation?


Thanks for any help.

https://redd.it/1ozdzb8
@r_systemadmin

Thinking through why branch deployment is still so painfully slow.

Reflecting on why every new location rollout is a multi month slog and I think part of it is structural not just vendor incompetence. Traditional MPLS circuits still offer SLAs that broadband doesn’t so we rely on them for critical sites. But ordering them takes forever. On top of that our SD WAN setup is supposed to help but there’s so much configuration complexity routing BGP failover that it adds its own delay. Even our zero touch devices don’t always behave how we expect once on site.

Maybe the real hang up is that we haven’t fully reconciled business speed expectations with network reality. Maybe it’s not about picking faster tech but about building a rollout model that matches how we actually grow.



https://redd.it/1ozedxc
@r_systemadmin

PSA: November 2025 Update is failing to use server-index for Search/File Explorer SMB search

As the noscript says, the November 2025 Update is failing to use the server-index for Search/File Explorer SMB search. This is apparently a known issue now and being investigated: https://www.windowslatest.com/2025/11/17/windows-11-kb5068861-issues-update-wont-install-file-explorer-smb-search-not-working-on-network-shares-handheld-performance/

If you are affected, you will see empty results or slow results, as the index is messed up.

https://redd.it/1ozh2ph
@r_systemadmin

Ennoscriptd/spoiled users rant

Okay so bit of a rant to get opinions how to deal with spoiled users. So I'm basically the solo IT-guy, I take care of everything sysadmin & IT-support for some odd 60 people, there's one guy who took care of the IT stuff before me but he swiveled away from it, he still sometimes helps me if he has time aside from his main job. When I started there were little over 40 people and I was the first dedicated inhouse IT-guy here.

At the start I got a proper hang on things, the work wasn't overwhelming and it was going smooth, there never was any ticket system in place just users coming to my door and I'd jump on to fix their problem no matter what I had going on at the moment(this is where they start to get spoiled and that's on me). There was plenty of administration to be done, we have two servers on-site with different environments and requirements, but it was all good.

We moved to new and bigger office mid 2024 and for the past year I've started to get behind on my duties. I'm a bit of a yes-guy, talked to HR about that too and they suggested I'd start saying no to things when I have too much on my table, which I have since, but now the users are acting pretty damn ennoscriptd and spoiled. For example when I have to tell them there has been changes on ISP side, software side or what ever, not in our our control "why do I have to press one more button while scanning - why is the new outlook like this - why can't things be this and that and what not".. When I'm on a lunch or on a coffee break they just imagine I'll drop the fork and jump on to solve their usually bs problems, I mean I have been doing that for years so ofc they think I'll do it.

The thing is I'm a people person and have been managing it for years, just now it's been getting too much since I keep falling behind on my own administration work because of that and I'm getting bit burn out by it all.

It doesn't help that I have created/raised these ennoscriptd users myself by bending over and backwards for them, for them to have it easy... I just realised (from reddit promoting me joblistings in my area lol) that I get paid way too little for the work which isn't helping to deal with the whole thing. I don't want to say I'm one foot out of the door but I have been putting few applications to new jobs all because of the current situation.


Now I know the problem, I know I created it, and I know the solution (to put a ticket system up and tell the users to put ticket in or don't get service, rather than come up to my door disrupting my work... I wouldn't want to leave this place to another poor sysadmin like this.. The thing is I'm too burnt out to do anything about it, just get to office, say yes, yes, yes, fall behind some more and just do work on weekends like yesterday.. It's not healthy and I just thought if ranting here would get some perspective on things.

Have you had to interact with users expecting you to act on their every whim? And if So how have you dealt with it?


TL;DR I spoiled the users and need to deal with it now

https://redd.it/1ozib9d
@r_systemadmin

How are you providing NTP in your company?

So we have an on-premise Active Directory so every DC is serving NTP by default but all syncing to the FSMO master.

Right now we have an internal dns alias of time.internal.ad that has the IP of the FSMO master.

Hypervisors point to external NTP.

In that sort of setup what are you pointing on-prem stuff to like switches and firewalls for NTP please?

https://redd.it/1ozlj8u
@r_systemadmin

I fixed an issue and don't know what was broken. Networking issue.

I just fixed an issue by flushing DNS on a local computer, that had issues accessing the DC, which is hosted on Azure.
Ticket came in as "i cant print". First thing I noticed the printer names on her PC had different naming than what they actually are. The PC had ping to the DC, but would not able to open the \\\\dc01\\ in file explorer. I was getting error "0x800004005", which I did not follow up on.
I tried deleting the printer and re-adding it, but I could not find it in the Manually Adding it either. I did restart the PC at this point, but the issue persisted.

First thing that came to my mind was two things:
1. ICMP doesn't mean everything is working.
2. It's always DNS joke

I ran ipconfig /flushdns and restarted the computer. If this didn't work I was going to try using the VPN, they usually use for remote work, but seems that flushdns fixed the issue.

PC was connected via ethernet, WiFi was off, VPN was off.

Now, I wonder what was broken.

https://redd.it/1ozlj95
@r_systemadmin

Mix 208 and 240 inputs

I have two services coming into my data center, each going to an individual UPS then feeding my equipment.

One service is 208V, the other is 240V, each UPS outputs 208V to connected equipment.

This input/output mismatch prevents me from having a UPS self test on one of them as it would bypass a different voltage and it won’t allow that.

Does anyone have experience with feeding equipment 208 on one supply and 240 on another? Most of the equipment are one or two generation old PowerEdges and a few switches.

I know it can be model dependent mixing 120 and higher voltages, but it sounds like generally there is only a concept of “low” voltage, 100-127, and “high” voltage - 200-240.

Any thoughts?

https://redd.it/1ozluyr
@r_systemadmin

Email. Isn't. A. File. Transfer. Service.

Why? Why do I spend 30 minutes per Executive, over and over again every 2 weeks explaining why emails are NOT a file transfer service and that the 365 license we pay for lets them share files for free without affecting their email size?

If one more person asks me why they can't send 50 PDF's in an email, I am going to lose, my god damn mind.



Anyways! How's everyone's Monday going? :)


Bonus rant! If I have to explain to another Executive why they need to use Outlook app over Apple Mail client app, I'm going to burn it all, to the ground.

No, NO salt on the rim.

https://redd.it/1ozq3r2
@r_systemadmin

Is there a reason not to SSO everything?

Something I've read up on recently was SSO... and was wondering, is there a reason not to SSO everything supported?

Obviously, you'll want to have break-glass accounts excluded.

Just a topic of conversation.

https://redd.it/1ozqkza
@r_systemadmin

DC's starting to have amnesia

Seeing a trend of domain controllers forgetting who they are which wreaks all sorts of havoc with DNS, DHCP, AD, Kerberos, etc.

The fix is very easy - restart NLA Service - Network Location Awareness

Changes network location from private/public to Domain as it should be,

Anyways, I had a few different DC's do this over the weekend.

Has anyone seen this and/or have a more stable fix?

https://redd.it/1ozrd6f
@r_systemadmin

Barracuda started rejecting our emails

A few months ago, we started getting bouceback emails from a company that stated it was rejected due to suspected spam. As we were investigating why, we got another, and another. Eventually I figured out all those companies were using Barracuda as their email filter service.

I tried contacting Barracuda, but since we're not a customer, they just said contact the companies and have them put us on their whitelist. That and to use their reputation checker, which said our domain is not blocked/banned.

We use Exchange Online and have DMARC all set up correctly. Any ideas what may be happening or has anyone else experienced this? Maybe someone here using Barracuda that I could test with to see if you can see why it is getting marked as spam?

I sure hope this isn't it, but it sounds a lot like the issue in this post.

https://redd.it/1ozrrun
@r_systemadmin

Are we legally required to have a DPA?

We just got our first european customer inquiry. They're asking us to sign a DPA before they'll move forward with the trial. I had to google what a DPA even was because compliance wise I'm super uninformed
From what I understand it's a legal contract about how we handle their data which is required under GDPR. The only issue is that we've never had one before because all our customers have been based in the States ever since start.

I found some templates online but they're super technical with all this legal language about sub-processors and data transfers and SCCs (nobody here has a clue what compliance is unfortuantely)
Do most Saas companies have a standard DPA template they just send out? Or does it need to be customized for each customer? And if we sign one with this EU customer do we need to offer it to our US customers too? Sorry if these questions sound stupid but I just want to make sure that we're fully correct when it comes to compliance 

https://redd.it/1ozz238
@r_systemadmin

Had a good one today.

Ticket regarding failed SharePoint sync in one drive.

The cause was determined to be a folder name that was almost a paragraph long with a file in it named the same.

Unsure how one drive let the file and folder to be created but it sure didn’t want to sync after the fact.

https://redd.it/1ozzwe7
@r_systemadmin

Docking station advice for new hires

Our team just got a bunch of new hires and they’re all doing hybrid work. Company laptops are all MacBook Air M4, and somehow I got assigned to handle the docking station setup. I’m not really into this stuff. I just use a Samsung S80UD with a built-in KVM and it works fine when I plug in USB C.

I don’t want to deal with support tickets every week, so I’m planning to buy the same dock for everyone. Some of them might want to connect two monitors, so having both HDMI and DP port would be good. Looking for something in the 100 to 200 dollar range. Any recommendations?

https://redd.it/1ozxu29
@r_systemadmin

Why do hackers perform huge DDoS attacks on big names like Microsoft?

I saw this article (15 Tbps DDoS attack against Azure) and it made me wonder, why do they bother with attacks like this? Where's the money in attacks like this?

https://redd.it/1p04lyp
@r_systemadmin

Why does every “simple” change request turn into a full-blown fire drill?

Lately I feel like I’m losing my mind. Every week we get “small” change requests from the business. Things like “just add one group,” “just open one port,” “just update one app.” On paper these are 10 minute tasks.

But the moment I start touching anything, everything unravels.
Dependencies nobody documented, legacy configs from 2014, random noscripts someone wrote and never told anyone about, services that break for reasons that don’t make sense. Suddenly my whole day is spent tracing something that should have been trivial.

I’m starting to wonder if this is just how the job is now or if our environment is uniquely cursed.
Do you guys also feel like even basic changes trigger chaos because the stack is too old, too interconnected or too undocumented?

Just needed to vent and hear how others deal with this without burning out.

https://redd.it/1p05vv8
@r_systemadmin