Windows failover cluster setup questions.

We are going to deploy a 3 node Windows server 2025 failover cluster for VMs and file shares on HCI hardware. I read that Scale-out file server (SOFS) role is not needed in Hyperconverged deployment. But then there is also reference about enabling SOFS in Hypercoverged setup. Are they for specific setup? For the file shares, should we enable the general File server role on the host instead of using the VM for file sharing to avoid overhead? Thanks

https://redd.it/1ppbpuc
@r_systemadmin

Docusign Question

My employer is implementing basic Docusign for its Procurement Department. The end users need to be able to:

(1) send a document to supplier for signature, (2) have the supplier sign, and
(3) countersign and download the fully executed document WITHOUT it being sent back to the supplier.

This is because the fully executed document is then attached to a PO in my employer’s ERP, and only released when the PO is approved.

Is anyone aware of a workaround to get this outcome? Looking for a solution that is workable on the most basic version of Docusign.

Thanks!

https://redd.it/1pp6ijh
@r_systemadmin

You disabled NTLM across all of your workstations. What problems did you not account for?

Disabling NTLM across all workstations has been added to 2026 roadmap, and I have been doing some research on potential impact.

In our case, out of 1000 workstations, only 10 might be impacted due to legacy processes/workflow. Business will be addressing those so nothing for IT to worry about there.

Windows 11, Entra joined, no on-prem, no hybrid. Reviewing past 30 days of logs shows NTLM being used on those 10 workstations only.

A bit shocked, I thought this would be more cumbersome to prep for, so I must be missing something.

Did you disabled NTLM? What did you miss so I don’t have to?

https://redd.it/1ppeuhv
@r_systemadmin

In your organization, who is the authority that decides what gets posted in your SPF record?

In your organization, who decides what gets to send email as your organization?

We are limited to 10 records in a domain's SPF record. Let's say 9 of your slots are used and there is 1 left, who makes the judgement call on using that last available record?

What happens if there is a future ask/need to allow yet another application/vendor send email on your behalf?

Just curious. Is it the team that manages Exchange? The team that manages DNS? Infrastructure Team? InfoSec Team? A CISO? The jack of all trades that's carrying IT?


https://redd.it/1ppe0d6
@r_systemadmin

I’m burnt-out

I’m slowly realizing that there’s a leadership/management/culture issue at work because my coworker, whose supposed to have shared responsibilities as me, isn’t even doing half his work, so a majority of it falls on me. And has been falling on me, for months.

I “spoke up” for myself, already, this past late spring and was given a near 10% salary increase, but that feeling of dread is creeping up on me again, and I don’t think any pay increase is going to shake it off. It’s obviously the dynamic.

I think I need a separation from this coworker. I can work with the most difficult person, easily, but I cannot work with someone who doesn’t even do their work.

I’ve been talking to my manager about “change” amongst us for the last 2 months, but it doesn’t sound promising or enthusiastic because my manager isn’t bringing any ideas to the table.

I told him that I’d wish they’d promote my coworker to some other area, to slack off over there, while I can do my thing and train someone that actually wants to work, collaborate, and work as a team. I just don’t have that with my current coworker, and after nearly 3 years of this, I know that it’s never going to happen.

Edit: also, before anyone says, “bring it up to your manager” - it’s not necessarily professional for me to criticize my coworker’s performance because that’s not under my role and/or functions of my job. That’s up for my manager to do, and that’s wherein the problem remains. If my manager can’t acknowledge his shortcomings, they’re going to eventually promote this guy to leadership/management and make this org a true shitshow. If that happened anytime soon, I would easily be looking for my exit plan because he is not leader material (at least not from what I’ve seen)

https://redd.it/1ppi42x
@r_systemadmin

Degree vs. Experience: Which would you rather have?

I’m currently in a position where I have the noscript and the experience, but no degree. I’m curious about the trade-off in today’s market.

* Which candidate is more valuable long-term?
* Does the degree eventually "expire" if there's no experience to back it up?
* For those who took the experience-only route, have you hit a ceiling?

https://redd.it/1ppgy2n
@r_systemadmin

Thickheaded Thursday - December 18, 2025

Howdy, /r/sysadmin!

It's that time of the week, Thickheaded Thursday! This is a safe (mostly) judgement-free environment for all of your questions and stories, no matter how silly you think they are. Anybody can answer questions! My name is AutoModerator and I've taken over responsibility for posting these weekly threads so you don't have to worry about anything except your comments!

https://redd.it/1ppn4n8
@r_systemadmin

Refurbished vs new networking gear in 2025?

With budgets tight, I’ve been looking at used switches and routers like Juniper and Arista. Has the used market gotten better in terms of reliability and support, or is it still risky?



https://redd.it/1ppo25k
@r_systemadmin

Microsoft has finally added a native tenant-to-tenant migration option in M365.

It’s honestly something that should’ve existed years ago.

With this update, we can move:

* Exchange Online mailboxes
* OneDrive data
* Teams chats and meetings

between tenants directly.

Curious how well it handles real-world scenarios like coexistence, staged migrations, and post-move cleanup. Has anyone here started testing it yet, or planning to use it in a real M&A scenario?

https://redd.it/1ppmraq
@r_systemadmin

Windows keeps autodestructing ... i'm so fed up with it.

I'm so tired of it all ...
I used DOS as a kid, it had many issues, everything was manual but once it was set up it was all good.
Fast forward to windows 11, this thing keeps killing itself.
My work PC is online 24/7 and reboots every week or so. As an admin i only install what i need at the start when i installed my pc, nothing more, nothing less.
But the last few months/year nothing changes on my pc softwarewise except for the inevitable windows updates.
Lately it keeps having issues, start menu not working, search in start not reacting or reacting after a minute, network settings menu crashes the settings app, Windows update suddenly can't even search for updates etc ...

Now it happened AGAIN, it keeps indicating it can't download updates (not even search for them without an error.)
I tried the troubleshooting tool ... it's an online application now and ofcourse it cannot even launch that.
Now i'm running the usual stuff, SFC, DISM etc. and sure enough, files corrupt, component store corrupt.

How on earth does a computer that ONLY does it's windows updates keep having issues so much.

I checked the disk for actual errors but the disk is 100% ok.

I have another laptop here, similar issues. I reinstalled it from a fresh windows 11 25H2 image, it does everything, gets to the last step where it tells you to wait a bit, updates are applying and ... it just stays there.

Our internal exchange server (hybrid setup) bricked itself after normal windows updates, rolling them back didn't work, now we had to reinstall it completely.

I feel like nothing works correctly anymore lately and it's sucking the soul out of me.
I started working on MAC and Linux at home and both have their issues but on MAC a reinstall (if needed) takes 15 minutes and all is ready, same on linux.
On windows it can take an eternity.

I know it's a rant but i feel MS really dropped the ball and only care about this stupid AI stuff.
God i hate today's trend of shoving AI down your throat by any means necessary but neglecting just about anything else.

Cheers.

https://redd.it/1pppkwv
@r_systemadmin

You can now lock Windows 11 from Android remotely, send files to PC, share clipboard, mirror screen, and more...

I mean... did MS go to DEF CON and ask "What can we do to make this easier for you?"



https://redd.it/1ppq5d1
@r_systemadmin

How to Prevent IT approval Workflows from getting Stuck or lost in the shuffle?

I'm in a mid-sized IT team (around 100-200 users across the org), and we're constantly dealing with approval workflows that just... disappear. Whether it's access requests, change approvals, new software...
we tried some automated solutions but nothing really worked as there's no clear tracking when multi-level approvals are needed (e.g., manager + security + finance).

How to handle this to keep things moving?

What processes or setups ensure approvals don't get lost?
Any ways to improve tracking and escalations without constant manual follow-ups?

https://redd.it/1ppnqlw
@r_systemadmin

Small org PSA: if you don’t have this “boring” documentation, you don’t have a system

I’ve walked into too many environments where everything “works” until the one person who knows it goes on vacation. This isn’t about fancy tooling. It’s about a handful of boring docs that turn tribal knowledge into something survivable.

If you only document one thing this week, make it the stuff that prevents panic.

The minimum set I think every shop needs:

1. Access map
Who can access what, where creds live, how to request access, and how to remove it. Include break-glass accounts and where MFA recovery lives.


2. Inventory that actually matters
Not a 600-line spreadsheet of every laptop. The things that can take you down: firewalls, switches, hypervisors, domain controllers, identity provider, backups, DNS, email, key SaaS, and who owns each.


3. “How to restore” backups
Not “we have backups.” Actual restore steps. What gets restored first, where the keys are, how long it takes, and the last time a restore was tested.


4. Top 10 runbooks
Password reset, VPN down, internet down, storage full, cert renewal, user offboarding, mailbox issues, printer hell, critical SaaS outage, and “website is down.” One page each is enough.


5. Change log for the scary stuff
Firewall rules, DNS changes, cert changes, routing, SSO. Just a running note of what changed, when, and why.


6. Incident cheat sheet
Who to call, where status pages are, where logs live, where to look first, and how to communicate internally. The goal is to reduce “what do we even do” time.



One practical tip: write it as if future-you is half asleep at 3am and slightly angry at past-you.

What’s the one doc/runbook you wish every environment had on day one?

https://redd.it/1ppubjd
@r_systemadmin

Godaddy Outage 12/18

Appears to be an issue going on with the GoDaddy nameservers. DNS failing to resolve to a number of domains.

https://redd.it/1ppugb5
@r_systemadmin

Trying to decide between a Samba, TrueNAS Community Edition, and NextCloud AIO for file storage

Hi everyone,


I am planning to set up a self-hosted file server for a small organization (\~15 employees) that will still allow for remote access. I'd like to use a free and open-source setup if at all possible. We'd need to be able to connect to it from Windows, Mac, and Linux computers. It would also be nice to be able to edit files simultaneously, though this isn't a must-have feature.

These are the three options I have in mind (though I'm open to others):

1. Samba share on a Linux desktop (Seems like the simplest option overall. I would plan to use Wireguard to grant remote users access to it.)

2. NextCloud AIO (I have an installation at home that has been working well. I like that it offers many of the same capabilities as our current cloud-based setup along with a friendly UI, along with the ability to share files publicly via a link. I was nervous initially about setting up port forwarding, but 2FA, brute force protection, and strong passwords can help mitigate this risk.)

3. TrueNAS Community Edition (I'd like to give TrueNAS a try, but it may be overkill for our use case. As with Samba, I'd plan to enable remote access via Wireguard.)

Any thoughts on which option might be ideal for us--along with your experiences of using these tools at a small business--would be much appreciated.

https://redd.it/1ppshai
@r_systemadmin

Best method to keep stored laptops up to date

At my org we have 10 or so Windows 11 Dell laptops that are kept on hand for emergencies/crisis situations. In the event of a situation, these laptops need to be available for immediate use, no waiting around for updates to install etc.

I'm wondering what the best method to keep these laptops up to date would be.

I was considering using a storage cabinet and using Wake on Lan to wake them for monthly/bimonthly updates.

Is this the best way, or is there a better alternative?

https://redd.it/1ppvsei
@r_systemadmin

Not taken seriously because of my age.

Sup guys I am 20 years old working a Jr. Sys Admin position. Half the time I'm dealing with customer support, the other half is networking and infrastructure projects. I have my main 3 CompTIA certs (A+, Network+, Security+) and a CCNA. Ever since my first office job I feel like no one takes me seriously. I expected this for interviews, so I would wear a wedding ring and clothes that generally made me look older than I am. Once I am actually in the workplace and start conversing with co-workers that ask me my age, I make the mistake of telling them. As soon as they hear how old I am suddenly they stop taking me seriously. Support becomes that much worse with people making unreasonable requests, escalating with my manager for any reason they can find, or straight up just ignoring me. I love being the guy that fixes shit and I don't belittle people who I know aren't tech-savvy but this shit is so unbearable. This is more a vent post but from now on I'm just going to tell people I'm 24-25 because of this. My resume is good for someone my age since I started helping out an MSP when I was 14 (after-school, weekends, or during summers). It might also be a medical workplace thing, other people my age in research assistant positions also go through the same bullshit.

https://redd.it/1ppzm76
@r_systemadmin

SCIM locked behind Enterprise plans - are you kidding me?

I've been going through our list of apps trying to get automated provisioning set up. You know, basic stuff - user gets hired, account gets created. User leaves, account gets nuked.

Except apparently that's not basic stuff anymore.

Every vendor I've looked at locks SCIM behind their Enterprise tier.

So the ability to automatically deprovision someone when they leave the company is a premium feature? Are we serious right now?

I don't need your "Enterprise collaboration suite" or whatever garbage you bundled to justify the price jump. I need to not have ex-employee accounts sitting around for months after someone's been fired. That's it. That's the feature.

And it's not even hard! SCIM is just API calls. My IdP is already making them. Your app just has to... receive them.

These vendors love talking about security. "We take your security seriously!" "Zero trust architecture!" Cool story. Then why are you making me manually CSV import/export users like it's 2005? Why do I have to remember which of our 50+ apps each person has access to when they leave?

You KNOW what happens without automated provisioning? Tickets. Spreadsheets. Forgotten apps. That contractor who left 8 months ago still has admin access.

But sure, tell me more about how committed you are to security while you paywall basic lifecycle management.

At this point I'm tempted to just avoid vendors that pull this crap. If they want to treat basic security features as a cash grab, maybe they don't deserve the business.

Anyone else dealing with this? What are you doing for apps that don't support SCIM at all - just accepting the manual hell? Has anyone actually gotten a vendor to back down on this without upgrading?

https://redd.it/1ppzytp
@r_systemadmin

Are you looking at keyboard response rates? Amazon is.

They found a laptop being controlled by N Korea by monitoring keyboard input rates.

https://www.tomshardware.com/tech-industry/cyber-security/north-korean-infiltrator-caught-working-in-amazon-it-department-thanks-to-lag-110ms-keystroke-input-raises-red-flags-over-true-location

https://redd.it/1pq34wy
@r_systemadmin

Advice (given and hopefully received)

So I have been unemployed for about 4 months now. It sucks very much and I am having a hard time mentally right now. But, the mental strain isn’t yours or anyone else’s provlem. It’s my own.

So I’d like to give out some advice that probably is common sense to everyone else but I am gonna say it anyways. Trust your gut, if you think you’re on the way out, find a job. Don’t stick around because you think “I can rebound and make this work”. You don’t owe the company anything. And be damn sure that they won’t think they owe you anything. Take care of yourself, and never think that you owe anyone anything.

As for advice needed: anyone got a good job lead? I live in Pennsylvania but at this points I’ll move to bumblefuck
Middle America to have a job again.

https://redd.it/1pq5qqt
@r_systemadmin

Here's how you make a ton of money rolling out "AI"



Last quarter I rolled out Microsoft Copilot to 4,000 employees.

$30 per seat per month. $1.4 million annually.

I called it "digital transformation."

The board loved that phrase.

They approved it in eleven minutes.



No one asked what it would actually do.

Including me.

I told everyone it would "10x productivity."

That's not a real number. But it sounds like one.



HR asked how we'd measure the 10x.

I said we'd "leverage analytics dashboards."

They stopped asking.

Three months later I checked the usage reports.

47 people had opened it. 12 had used it more than once.

One of them was me.

I used it to summarize an email I could have read in 30 seconds.

It took 45 seconds.

Plus the time it took to fix the hallucinations.



But, I called it a "pilot success."

Success means the pilot didn't visibly fail.



The CFO asked about ROI.

I showed him a graph.

The graph went up and to the right.



It measured "AI enablement."

I made that metric up.

He nodded approvingly.

We're "AI-enabled" now.

I don't know what that means. But it's in our investor deck.

A senior developer asked why we didn't use Claude or ChatGPT.

I said we needed "enterprise-grade security."

He asked what that meant.

I said "compliance."

He asked which compliance.

I said "all of them."

He looked skeptical.

I scheduled him for a "career development conversation."

He stopped asking questions.



Microsoft sent a case study team. They wanted to feature us as a success story.

I told them we "saved 40,000 hours." I calculated that number by multiplying employees by a number I made up.

They didn't verify it. They never do.



Now we're on Microsoft's website.

"Global enterprise achieves 40,000 hours of productivity gains with Copilot."

The CEO shared it on LinkedIn.

He got 3,000 likes.

He's never used Copilot.

None of the executives have.



We have an exemption.

"Strategic focus requires minimal digital distraction."

I wrote that policy.



The licenses renew next month. I'm requesting an expansion.

5,000 more seats.

We haven't used the first 4,000.

But this time we'll "drive adoption."

Adoption means mandatory training.

Training means a 45-minute webinar no one watches.

But completion will be tracked. Completion is a metric.

Metrics go in dashboards. Dashboards go in board presentations.

Board presentations get me promoted.



I'll be SVP by Q3. I still don't know what Copilot does.

But I know what it's for. It's for showing we're "investing in AI."

Investment means spending. Spending means commitment.

Commitment means we're serious about the future.

The future is whatever I say it is.

As long as the graph goes up and to the right.


\--From Peter Gimus' post on X: https://x.com/gothburz/status/1999124665801880032

https://redd.it/1pq7ush
@r_systemadmin