Reddit Sysadmin – Telegram
ntp jitter on metas.ch

I sync my router's time with the Swiss meteorologic institute (metas) and use the router as my local NTP source. Yesterday I saw a jitter of under 0.5, today over 1.0. What could cause this?

## 31.01.2026

```
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+ntp11.metas.ch  .PZF.            1 u   10   64  377   14.604   -0.216   0.439
*ntp12.metas.ch  .PZF.            1 u   39   64  377   14.433   -0.288   0.159
+ntp13.metas.ch  .PZF.            1 u   42   64  377   14.435   -0.376   0.327
```

## 01.02.2026

```
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp11.metas.ch  .PZF.            1 u   62   64  377   13.868   -0.253   1.246
+ntp12.metas.ch  .PZF.            1 u    7   64  377   13.566   -0.351   1.150
+ntp13.metas.ch  .PZF.            1 u   56   64  377   13.454   -0.435   1.296
```

https://redd.it/1qsvipl
@r_systemadmin
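A small parser for the two `ntpq -p` billboards above, added here as an example and not part of the post. It re-types the poster's own figures, decodes the octal `reach` register, finds the selected peer (`*`), and flags peers whose jitter crossed the 1.0 ms mark between the two days. The threshold is taken from the poster's "over 1.0" remark; the reasoning in `all_reachable_peers_affected` (three independent stratum-1 servers degrading together points at something they share, such as the path or the client, rather than at one server) is the editor's, not the poster's.

```python
"""Parse two `ntpq -p` billboards and flag the jitter change between them.

Added example, not from the post. The two snapshots are the post's own
figures re-typed into ntpq's standard column layout; the 1.0 ms threshold
is the poster's "over 1.0" observation, used here as the alert level.
"""
from dataclasses import dataclass
from typing import Optional

SNAPSHOT_DAY1 = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+ntp11.metas.ch  .PZF.            1 u   10   64  377   14.604   -0.216   0.439
*ntp12.metas.ch  .PZF.            1 u   39   64  377   14.433   -0.288   0.159
+ntp13.metas.ch  .PZF.            1 u   42   64  377   14.435   -0.376   0.327
"""

SNAPSHOT_DAY2 = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp11.metas.ch  .PZF.            1 u   62   64  377   13.868   -0.253   1.246
+ntp12.metas.ch  .PZF.            1 u    7   64  377   13.566   -0.351   1.150
+ntp13.metas.ch  .PZF.            1 u   56   64  377   13.454   -0.435   1.296
"""

# Tally codes ntpq prints in the first column (see ntpq(8)).
TALLY = {"*": "syspeer", "+": "candidate", "#": "backup", "-": "outlier",
         "x": "falseticker", ".": "excess", " ": "rejected"}


@dataclass
class Peer:
    tally: str
    remote: str
    refid: str
    stratum: int
    when: int       # seconds since the last packet; -1 if ntpq printed '-' or a unit suffix
    poll: int       # poll interval in seconds
    reach: int      # 8-bit reachability shift register; ntpq prints it in octal
    delay: float    # round-trip delay, ms
    offset: float   # clock offset, ms
    jitter: float   # RMS jitter, ms


def parse_ntpq(text: str) -> list:
    """Turn the text of `ntpq -p` into Peer records, skipping header and rule lines."""
    peers = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "remote" or line.startswith("="):
            continue
        tally, rest = line[0], line[1:].split()
        if len(rest) != 10:
            continue  # not a peer line
        remote, refid, st, _t, when, poll, reach, delay, offset, jitter = rest
        peers.append(Peer(TALLY.get(tally, "unknown"), remote, refid, int(st),
                          int(when) if when.isdigit() else -1, int(poll),
                          int(reach, 8), float(delay), float(offset), float(jitter)))
    return peers


def syspeer(peers: list) -> Optional[Peer]:
    """The peer ntpd is currently synchronised to (tally '*'), if any."""
    return next((p for p in peers if p.tally == "syspeer"), None)


def jitter_alerts(before: list, after: list, limit_ms: float = 1.0) -> list:
    """Peers whose jitter was below limit_ms in `before` and at/above it in `after`.

    Returns (remote, jitter_before, jitter_after, delay_change_ms) tuples.
    """
    prev = {p.remote: p for p in before}
    alerts = []
    for p in after:
        q = prev.get(p.remote)
        if q is not None and q.jitter < limit_ms <= p.jitter:
            alerts.append((p.remote, q.jitter, p.jitter, round(p.delay - q.delay, 3)))
    return alerts


def all_reachable_peers_affected(alerts: list, after: list) -> bool:
    """True when every fully reachable peer (reach == 0o377) is in the alert list.

    Independent servers degrading together suggests a shared cause (the path
    to them or the client itself) rather than one bad server.
    """
    reachable = {p.remote for p in after if p.reach == 0o377}
    return bool(reachable) and reachable == {a[0] for a in alerts}


if __name__ == "__main__":
    day1, day2 = parse_ntpq(SNAPSHOT_DAY1), parse_ntpq(SNAPSHOT_DAY2)
    found = jitter_alerts(day1, day2)
    for remote, j0, j1, ddelay in found:
        print(f"{remote}: jitter {j0:.3f} -> {j1:.3f} ms, delay change {ddelay:+.3f} ms")
    print("all reachable peers affected:", all_reachable_peers_affected(found, day2))
```

Run it as-is to see that all three peers crossed the threshold on the same day while their delay fell by roughly 0.7 ms; feeding it two fresh snapshots a few hours apart (say, from a cron job) is the cheapest way to tell a transient from a persistent change.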
Conditional Access Initial Setup

I am just starting the process of building a set of CA policies. I have enabled the standard two (block legacy and enforce phishing-resistant for admins). I am playing with restricting login to the home country (aware of the various caveats and loopholes that exist, and that this is only part of the overall setup).


I have set the home country as a named location. I have set up a policy that includes all locations, excludes the named location (country), and blocks.


The issue is that users cannot log in - a review of the sign-in logs shows that the CA policy is matching the location despite the fact that the login location is correctly seen by Entra as being in the home country (i.e. to my mind, it is failing to respect the exclude setting in the rule).

Am I missing something simple?

I am aware that this setup has a relatively high risk of generating login failures and tickets. As an alternative, I was considering setting up a rule to block the top 10 or 20 high-risk locations worldwide (does anybody take this approach, and what list do you use?). Again, aware of the many loopholes here, but it still makes sense to deploy some sort of location policy as part of the setup, I think.


Very grateful for any advice!

https://redd.it/1qsyt9t
@r_systemadmin
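A local lint for the policy shape described above, added here as an example; it is not from the post and not Microsoft's code. The dict mirrors the layout of the Microsoft Graph `conditionalAccessPolicy` resource (the GUIDs are placeholders), and the evaluation is a deliberately small model of how Conditional Access combines include and exclude lists (an exclusion removes the sign-in from scope; "All" in an include list matches everything else). It is meant for catching lockout mistakes in review before a policy is enforced, not as a reimplementation of Entra's engine. One thing the model makes explicit: a sign-in whose IP resolves to no named location at all is still in scope of "All locations" and therefore blocked, so when the log says the policy matched, compare the IP address recorded on the sign-in with the ranges the country location actually covers.

```python
"""Lint a location-based Conditional Access policy before enabling it.

Added example, not from the post and not Microsoft's code. POLICY mirrors
the shape of the Microsoft Graph conditionalAccessPolicy resource; the ids
are placeholders. The evaluation is a small local model of include/exclude
scoping (exclusions win), for review purposes only.
"""
import copy

HOME_COUNTRY_LOCATION_ID = "00000000-0000-0000-0000-00000000aaaa"  # placeholder named-location id
BREAK_GLASS_USER_ID = "00000000-0000-0000-0000-00000000bbbb"       # placeholder emergency-access account

POLICY = {
    "displayName": "Block sign-in from outside the home country",
    # Start in report-only so the sign-in log shows what *would* be blocked.
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_USER_ID]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
        "locations": {"includeLocations": ["All"],
                      "excludeLocations": [HOME_COUNTRY_LOCATION_ID]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def _in_scope(include: list, exclude: list, values: list) -> bool:
    """Include/exclude rule shared by CA conditions: any value on the exclude
    list takes the sign-in out of scope; otherwise it is in scope when the
    include list says 'All' or names one of the values."""
    if any(v in exclude for v in values):
        return False
    return "All" in include or any(v in include for v in values)


def policy_applies(policy: dict, user_id: str, location_ids: list) -> bool:
    """Would the policy's control fire for a sign-in by user_id whose IP resolved
    to the given named locations (empty list = matched no named location)?"""
    c = policy["conditions"]
    users, locs = c["users"], c["locations"]
    return (_in_scope(users["includeUsers"], users["excludeUsers"], [user_id])
            and _in_scope(locs["includeLocations"], locs["excludeLocations"], location_ids))


def lockout_risks(policy: dict) -> list:
    """Review findings for a blocking policy scoped to all users/locations."""
    c, findings = policy["conditions"], []
    blocks = "block" in policy.get("grantControls", {}).get("builtInControls", [])
    if blocks and "All" in c["users"]["includeUsers"] and not c["users"]["excludeUsers"]:
        findings.append("no emergency-access account is excluded from a blocking policy")
    if blocks and "All" in c["locations"]["includeLocations"] and not c["locations"]["excludeLocations"]:
        findings.append("blocks every location: no location is excluded")
    if blocks and policy.get("state") == "enabled":
        findings.append("enforced immediately: run report-only first and read the sign-in logs")
    return findings


def with_changes(policy: dict, exclude_users=None, exclude_locations=None, state=None) -> dict:
    """Copy of policy with selected fields replaced, for comparing variants."""
    p = copy.deepcopy(policy)
    if exclude_users is not None:
        p["conditions"]["users"]["excludeUsers"] = exclude_users
    if exclude_locations is not None:
        p["conditions"]["locations"]["excludeLocations"] = exclude_locations
    if state is not None:
        p["state"] = state
    return p


if __name__ == "__main__":
    print("home-country sign-in blocked? ", policy_applies(POLICY, "user-1", [HOME_COUNTRY_LOCATION_ID]))
    print("unknown-location sign-in blocked?", policy_applies(POLICY, "user-1", []))
    print("break-glass abroad blocked?   ", policy_applies(POLICY, BREAK_GLASS_USER_ID, ["elsewhere"]))
    print("findings:", lockout_risks(with_changes(POLICY, exclude_users=[], state="enabled")))
```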
How do you handle sharing supervision on Google Workspace Drive ?

At my work, we would like to have a global overview of external file shares. We are aware of the DLP solution in Google Workspace, but we are on the Standard plan, and paying $7/user/month on top to upgrade to the Business plan seems a bit steep.

Also, it seems that you can only restrict from there. I do not foresee it as a viable solution: we are a small company of 50 people, I am the only IT guy and we have a good number of external partners. Having to approve each specific email/domain before being able to share seems a bit time-consuming (also, it seems it does not allow specific rules for shared drives?).

Moreover, I would like to empower users by giving them the opportunity to say "This file is shared with this external entity for this reason", and to be able to export that list to prove to auditors that we know what we are doing.

Finally, I don't see in there a good dashboard to see the global "health" of our current Google Drives.

Is this something you have dealt with or are dealing with? How do you deal with it? Every solution that I look up is more enterprise-oriented, with steep costs and other tools I do not need. I am even thinking of building the solution myself in the future.

Thanks for your advice!

https://redd.it/1qt0vii
@r_systemadmin
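The "build it myself" route sketched above comes down to one filter over Drive permission metadata, so here is that filter as an added example (not from the post, not Google's code). The sample records are constructed; each follows the shape of a Drive API v3 file resource fetched with `fields=files(id,name,owners(emailAddress),permissions(type,role,emailAddress,domain,allowFileDiscovery))`. The internal domain and the justification register are assumptions. Two caveats a practitioner would want before relying on this: `files.list` only returns files the authenticated account can see, so an organisation-wide inventory needs a service account with domain-wide delegation iterating over users; and for items in shared drives the `permissions` field is not populated on the file resource and has to be fetched per file with `permissions.list`.

```python
"""Inventory external Drive shares and attach each owner's justification.

Added example, not from the post and not Google's code. SAMPLE_FILES and
JUSTIFICATIONS are constructed; the records follow the Drive API v3 file
resource shape. INTERNAL_DOMAIN is an assumption for the example.
"""
import csv
import io

INTERNAL_DOMAIN = "example.com"   # assumed Workspace primary domain

SAMPLE_FILES = [
    {"id": "f-001", "name": "Q1 budget.xlsx",
     "owners": [{"emailAddress": "alice@example.com"}],
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
         {"type": "user", "role": "writer", "emailAddress": "bob@partner.org"}]},
    {"id": "f-002", "name": "Internal wiki",
     "owners": [{"emailAddress": "carol@example.com"}],
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "carol@example.com"},
         {"type": "domain", "role": "reader", "domain": "example.com"}]},
    {"id": "f-003", "name": "Marketing deck.pdf",
     "owners": [{"emailAddress": "dave@example.com"}],
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "dave@example.com"},
         {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f-004", "name": "Vendor SOW.docx",
     "owners": [{"emailAddress": "alice@example.com"}],
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
         {"type": "group", "role": "commenter", "emailAddress": "legal@partner.org"}]},
]

# Owner-supplied reasons, keyed by (file id, recipient). Constructed for the example.
JUSTIFICATIONS = {
    ("f-001", "bob@partner.org"): "Partner finance review",
    ("f-004", "legal@partner.org"): "Contract redlines with vendor counsel",
}


def is_external(perm: dict, internal_domain: str) -> bool:
    """A permission is external unless it names an identity in our own domain."""
    kind = perm.get("type")
    if kind == "anyone":
        return True
    if kind == "domain":
        return perm.get("domain", "").lower() != internal_domain
    if kind in ("user", "group"):
        return not perm.get("emailAddress", "").lower().endswith("@" + internal_domain)
    return True   # unknown permission type: report it rather than miss it


def external_shares(files: list, internal_domain: str = INTERNAL_DOMAIN,
                    justifications: dict = None) -> list:
    """One row per (file, external grantee), with the owner's reason if recorded."""
    justifications = justifications or {}
    rows = []
    for f in files:
        owner = f["owners"][0]["emailAddress"]
        for p in f.get("permissions", []):
            if not is_external(p, internal_domain):
                continue
            recipient = p.get("emailAddress") or p.get("domain") or "anyone-with-link"
            rows.append({
                "file_id": f["id"], "name": f["name"], "owner": owner,
                "recipient": recipient, "type": p["type"], "role": p["role"],
                # Only link-shares carry allowFileDiscovery; True means searchable by anyone.
                "discoverable": bool(p.get("allowFileDiscovery", False)) if p["type"] == "anyone" else "",
                "justification": justifications.get((f["id"], recipient), ""),
            })
    return rows


def unjustified(rows: list) -> list:
    """Shares the owner has not explained yet: the follow-up list for IT."""
    return [r for r in rows if not r["justification"]]


def to_csv(rows: list) -> str:
    """Auditor export of the inventory."""
    cols = ["file_id", "name", "owner", "recipient", "type", "role", "discoverable", "justification"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=cols, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    inventory = external_shares(SAMPLE_FILES, justifications=JUSTIFICATIONS)
    print(to_csv(inventory))
    print("needs a reason:", [r["name"] for r in unjustified(inventory)])
```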
ISO 27001 risk assessment

Hi,

We are working through ISO 27001. Now all the risk assessments are coming up.

What is expected, and how is it expected to look? There is so much that is possible to assess, but how do you structure it?

Open for a discussion on how to do it properly.

https://redd.it/1qt2tix
@r_systemadmin
Worst part of the Job today

Today I had to do the worst part of a sysadmin drive and disable the account of a coworker who passed away. This is only the second time I have had to do it. It sucks. We lost a great guy last night.

https://redd.it/1qw2e87
@r_systemadmin
Ringcentral = Professional Scammers

I'm the admin. Absolute nightmare trying to cancel this service. I attempted to cancel back in June 2025 with written requests via email and their portal, complete with chat logs and confirmation PDFs as proof. They completely ignored it, let my contract auto-renew without warning, and now they're refusing to let me out until next August while continuing to bill us monthly.

We've followed up multiple times—calls, more emails—and every time it's the same runaround: "We have no record," or "Your request wasn't processed in time."

RingCentral is running a scam operation—avoid them at all costs if you don't want to get ripped off.

https://redd.it/1qvwgaq
@r_systemadmin
Sometimes, I wish comments weren't locked on the ads here.

After talking in one post here about WordPress, and in a completely separate one here with someone trying to figure out how to deal with providing 24/7 support without staffing for 24/7 support on their little SaaS offering... I scrolled past this gem:

> You shouldn’t be your company website’s emergency contact at 3 a.m. Company has 24/7 WordPress support. We’ll take the call so you don’t have to.

Some days the ads are all over the place, some days they are just perfectly on point. Gotta give kudos on that one... misses the mark in both directions, but amusingly good targeting...

https://redd.it/1qw3b4c
@r_systemadmin
Thickheaded Thursday - February 05, 2026

Howdy, /r/sysadmin!

It's that time of the week, Thickheaded Thursday! This is a safe (mostly) judgement-free environment for all of your questions and stories, no matter how silly you think they are. Anybody can answer questions! My name is AutoModerator and I've taken over responsibility for posting these weekly threads so you don't have to worry about anything except your comments!

https://redd.it/1qwhazr
@r_systemadmin
Azure Global Admins

I am new to my company and my team just took over identity. After years of neglect, we finally took it and holy c*AP is it broken.

Couple of questions for the peeps here:

1. In Azure, besides Global Admins, what else do you consider to be level 1 roles (we call them level 1 or L1), i.e. our most important roles?

2. How many identities have level 1 roles? I saw a Microsoft article that said Global Admins should be max 5. We are far from this number.

3. What controls do you put on people with level 1 roles? We are thinking of YubiKey, PAWs and employees-only as our primary controls.

https://redd.it/1qw9ba7
@r_systemadmin
Kerberos on IIS website

Need some help boys and girls. :)

Background:

I am running a website on Windows. Behind the website there is an Oracle database hosting the data.

The user is coming from domain X and going through a load balancer and into my website in domain Z.

Domain Z trusts domain X, but X does not trust domain Z.

Instead of NTLM I need to have Kerberos up and running.

I have followed this guide:

https://techcommunity.microsoft.com/blog/iis-support-blog/setting-up-kerberos-authentication-for-a-website-in-iis/347882

I created the service account in domain Z, but now I am not sure whether the account should be created in domain Z or X.

What is the best way of troubleshooting access with Kerberos?

https://redd.it/1qwjbk1
@r_systemadmin
M365 security

I have a bunch of smallish customers with M365 subscriptions. Some of them just can't be convinced of the value of Azure P1/P2 licenses, yet I want a break-glass account, which IMO means MFA off, but I can't turn MFA off with security defaults on.

Then I default to some other company manager being registered for the MFA on the break-glass account.

Hard to convince the SMBs to have P1/P2 licenses just so I can enable a BG account without MFA?



https://redd.it/1qwf0xb
@r_systemadmin
Nice way to say your webcam is covered?

I've been receiving this issue quite a bit where the user complains that their webcam isn't working. The only issue is that the built-in cover is covering it. It's so frequent that I automatically check for it before any other troubleshooting, but at the same time I don't want the user to feel dumb for reporting it to me.

I (and collectively we) have come up with clever euphemisms such as "layer 0 issue" if something is unplugged, or even "computer needed a power cycle" when we simply restarted the computer even though we had already told the user to do so. Curious if anyone has any clever euphemisms for when the webcam is covered?

Of course I should also pretend to do more work on their computer as opposed to flipping the cover open and saying "ta-da". Although we have established that I have developed an "IT aura" where things suddenly start to work when I observe them.

https://redd.it/1qwlxxj
@r_systemadmin
What do you use to automate IT tasks?

Looking for a product to automate IT tasks like on-boarding/off-boarding and other tasks like spinning up new servers or access requests, etc. Looking for something hybrid-capable, as we still have on-prem hosted things and AD. I could probably script things out with PowerShell, but that seems daunting and unwieldy.


Update: since many are pointing to PowerShell: I am proficient at PowerShell, but maintaining either a bunch of scripts or one big script doesn't seem efficient. I'd like something a little more point-and-click, with maybe some scripts here and there.

https://redd.it/1qwmg1h
@r_systemadmin
Need help with Windows Remote Desktop Mobile app update and OpenVPN

Hello, since the new update of the Microsoft Windows Remote Desktop app on Android (11.0.0.78), we are unable to remote into any desktop when using a VPN on OpenVPN.

What works:
If I am on my phone data and I turn on the VPN, then it works.

It works on the network that the PCs are on themselves.

It works on a hotspot from another phone with the VPN turned on.

What does not work:
If I am at my home on my Wi-Fi and I turn on the VPN, it does not work.

We have tested this on multiple different Wi-Fis and phones and they all do the same. With the previous update, 11.0.0.68, it works no problem. And other RDP apps work well.

Does anyone have any idea at all how to fix this? Or does Microsoft know about this?

https://redd.it/1qwp2cf
@r_systemadmin
Thanks, I can ask Copilot myself

Sometimes, when I am putting together a niche PowerShell script or looking for an option or setting Microsoft has buried ten menus deep, I find myself giving Copilot a try. If it fails to provide a good answer without hallucinating and I have searched the documentation, I'll take the matter to an external consultant. The last few times I have contacted a consultant it went like this:

Copilot:
Hey, have you tried [command that looks too good and does not exist]?

Consultant:
I think you should try [command that also does not exist].

In one case I even got the exact same hallucination from the consultant as from Copilot.

Now don't get me wrong, I don't judge them for using AI, I bet it even solves a good portion of their tickets, but seriously, can't you be bothered to confirm whether the command does what I want it to do, or whether it at least exists?

We don't pay you guys to ask Copilot for me; I can do that myself. My last three cases in a row all went like this and it's just wasting time and money. Even Microsoft support does this, but what do you expect from them anyway...

https://redd.it/1qwq4tp
@r_systemadmin
Windows Imaging current state

MDT and WDS are deprecated, and FOG has not had major updates in years. None of the other free options that we've looked at are particularly appealing. Our current plan is to move to Packer and MAAS (we are K12). Is anyone else using this, or is it too obscure in a Windows environment? I know there are FOG fans on here, and I don't hate it, but I want a more automated system and to be able to update existing images.

https://redd.it/1qwotfj
@r_systemadmin
Shoutout to Dell Support

Normally the posts on this community are either questions or rants, and I wanted to take the opportunity to share something more positive.

Nowadays it seems like most product support just gets worse and worse. The people with knowledge end up leaving, companies slash support budgets to increase profits, enshittification ensues. It's almost a guarantee that you're going to be routed to a call center in India where you'll spend hours getting nowhere.

Over the last couple of years, I've had to contact Dell support a handful of times. Here are my observations:

* When I call, I get routed to a person very quickly. There is an initial IVR menu, but I don't have to navigate excessive IVR menus or wait more than a minute before getting connected to a person.
* So far, every rep I've connected with has been in the US. At the risk of sounding racist or problematic in some way, I've never had to deal with language barriers, difficult to understand accents, or major timezone differences. To me, this is an indicator that Dell is not willing to cut costs by outsourcing their support overseas.
* Every support rep I've spoken to (for the most part) has been genuinely personable, helpful, and invested in trying to find a solution. It's all too common now for support reps to try to get out of doing work, listening for the key words that allow them to say "not my job" and send you along to the next team, or just doing the bare minimum. That hasn't been the case with Dell support.

So, if anyone working in Dell support sees this, kudos to you!

https://redd.it/1qwtub6
@r_systemadmin
Internal DNS Naming and HSTS

We decided a few years ago to move our internal DNS namespace away from a .local domain to a subdomain of our corporate domain (internal.company.co.uk). Our corporate site has an HSTS policy enabled that includes all subdomains. This is required because certain components are hosted on subdomains (for example, images.company.co.uk).

However, this causes us significant issues internally. For many of the internal interfaces that IT uses to manage devices and applications, anything served over HTTPS with a self-signed certificate is blocked because it does not satisfy HSTS requirements.
We are aware that, on a per-site basis, this can be bypassed using thisisunsafe, or by issuing certificates from our internal CA. However, many of these device management portals do not support dynamic or automated certificate renewal. As a small team, manually tracking and renewing certificates across a large number of devices is time-consuming and operationally painful.

We now have the opportunity to change this again and are wondering what others would suggest, as the general recommendation seems to be what we are already doing for internal DNS.

https://redd.it/1qwv4q2
@r_systemadmin
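The mechanism behind the problem above, as an added example that is not part of the post: a browser that has cached a `Strict-Transport-Security` header from `company.co.uk` with `includeSubDomains` treats every host ending in `.company.co.uk` as an HSTS host (the superdomain match of RFC 6797 section 8.2), and on an HSTS host a certificate it cannot validate is a hard failure with no click-through (section 12.1). The code models that cache and answers, for a list of candidate internal zones, which ones would put self-signed device portals behind a non-overridable error; only `company.co.uk` and the `internal.` zone are from the post, the other host names are invented for comparison. The two exits it makes visible are the ones the poster already has in hand: an internal CA that the browsers trust, or an internal namespace that is not a subdomain of the HSTS-bearing registrable domain.

```python
"""Which hosts an HSTS cache entry covers, per RFC 6797 host matching.

Added example, not from the post. Models the browser-side HSTS cache:
a congruent match (same host) or a superdomain match (entry has
includeSubDomains and the host is a proper subdomain). company.co.uk and
internal.company.co.uk are the post's names; the rest are made up.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class HstsEntry:
    host: str                 # lower-case, no trailing dot
    include_subdomains: bool
    max_age: int              # seconds; 0 means "forget this entry"


def parse_hsts_header(host: str, value: str) -> HstsEntry:
    """Parse a Strict-Transport-Security header value received from `host`."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    if "max-age" not in directives:
        raise ValueError("max-age is required by RFC 6797")
    return HstsEntry(host.lower().rstrip("."), "includesubdomains" in directives,
                     int(directives["max-age"]))


def hsts_covers(cache: list, host: str) -> Optional[HstsEntry]:
    """Return the cache entry that puts `host` under HSTS, or None.

    The suffix test keeps the label boundary ('.' + entry host), so
    notcompany.co.uk is not matched by an entry for company.co.uk.
    """
    host = host.lower().rstrip(".")
    for e in cache:
        if e.max_age <= 0:
            continue   # max-age=0 is how a site clears its own entry
        if host == e.host or (e.include_subdomains and host.endswith("." + e.host)):
            return e
    return None


def self_signed_blocked(cache: list, host: str) -> bool:
    """Would a portal on `host` with a certificate the browser does not trust
    produce a non-overridable error? True whenever the host is under HSTS."""
    return hsts_covers(cache, host) is not None


def affected_hosts(cache: list, hosts: list) -> list:
    """Subset of `hosts` that inherit the policy; the candidate-namespace check."""
    return [h for h in hosts if self_signed_blocked(cache, h)]


if __name__ == "__main__":
    # Header as the corporate site would send it; constructed for the example.
    cache = [parse_hsts_header("company.co.uk", "max-age=31536000; includeSubDomains; preload")]
    candidates = ["switch01.internal.company.co.uk",   # current scheme: inherits HSTS
                  "switch01.corp.company-internal.co.uk",  # separate registrable domain: does not
                  "switch01.corp.example"]              # another separate zone
    for h in candidates:
        print(f"{h}: {'hard error on self-signed cert' if self_signed_blocked(cache, h) else 'not under HSTS'}")
```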
Windows SQL Cluster just died

About a month ago, I built a new Windows Server 2025 server with SQL Server 2019. The server worked flawlessly. I was able to roll the cluster and everything seemed fine. I loaded data onto the system and it sat there waiting on the vendor to do some testing.

Yesterday I went to connect to the cluster VIP with SSMS and couldn't connect. I started looking at the servers (VMware VMs), and I don't see the additional IP addresses for the active nodes, and the shared drives are not there in Windows. I can see them in Disk Management but cannot bring them online. I also cannot start the cluster.

I looked at the datastore for the first node I created and can see the shared drives. Without the quorum drive, the nodes seem to be fighting over who is active.

This is my first time in 20 years building a Windows cluster of any sort, other than a DFS cluster. The shared drives are mapped from a SAN and were added to the primary node as an RDM disk.

Has anyone seen anything like this before? I re-ran the cluster validation, and the only errors were related to disk storage.

I'm not looking for somebody to fix it, just point me towards some documentation to help me troubleshoot it.

https://redd.it/1qwtuuz
@r_systemadmin
labeling physical servers

How is everyone labeling physical servers?

I manage hundreds of physical systems that are all from different vendors, generations, and form factors. We've been through several methods for labeling physical servers, but the last several new systems we got have literally no flat surfaces on the front or back where one can apply a label. We have regulatory requirements to label the servers themselves, rather than removable bezels or the rack surface next to the server etc. The top, bottom, and sides are not accessible and are, obviously, inconvenient when looking for a server in a sea of racks.

We utilize Nautobot as a DCIM, but people are human and the data is not always accurate. For new techs, it's helpful for the server label to match nautobot.

Thanks in advance for your time and suggestions.

https://redd.it/1qww015
@r_systemadmin
HVAC Legend Dies at 28: The Presario That Never Quit

Pour one out for the Compaq Presario 2246, that faithfully maintained its role in handling the HVAC in a 40‑year‑old building until today—its well‑earned retirement.

Running Windows 98, this nearly 30-year-old box controlled all HVAC duties for a 34,000-square-foot facility. It stood tall where many newer machines had fallen, weathered multiple electrical storms, and never missed a beat in its relentless task of keeping unknowing humans comfortable when the weather became too challenging.

Were it not for the new control system taking its place, it would likely still be on duty, quietly keeping countless people comfortable through every season.

Inside, its AMD K6, 32 MB of RAM, and 2 GB hard drive endured decades beyond any end-of-life declaration that condemned it to the scrap heap, truly a testament to the quality of old tech that's often forgotten today.

Rest easy, friend; most of us are not far behind.



https://redd.it/1qwzn9l
@r_systemadmin