Reddit Sysadmin – Telegram
Kerberos on IIS website

Need some help boys and girls. :)

Background:

I am running a website on Windows. Behind the website there is an Oracle database hosting the data.

The user is coming from domain X and going through a load balancer into my website in domain Z.

Domain Z trusts domain X, but X does not trust domain Z.

Instead of NTLM I need to have Kerberos up and running.

I have followed this guide

https://techcommunity.microsoft.com/blog/iis-support-blog/setting-up-kerberos-authentication-for-a-website-in-iis/347882

I created the service account in domain Z, but now I am not sure if the account should be created in domain Z or X.

What is the best way of troubleshooting access with Kerberos?

https://redd.it/1qwjbk1
@r_systemadmin
M365 security

I have a bunch of smallish customers with M365 subscriptions. Some of them just can't be convinced of the value of Azure P1/P2 licenses, yet I want a break glass account, which IMO means MFA off, but I can't turn MFA off with security defaults on.

Then I default to some other company manager being registered for the MFA for the break glass account.

Hard to convince the SMBs to have P1/P2 licenses just so I can enable a BG account without MFA?

https://redd.it/1qwf0xb
@r_systemadmin
Nice way to say your webcam is covered?

I've been receiving this issue quite a bit where the user is complaining that their webcam isn't working. Only the issue is that the built-in cover is covering it. It's so frequent that I automatically check for it before any other troubleshooting, but at the same time I don't want the user to necessarily feel dumb for reporting it to me.

I (and collectively us) have come up with clever euphemisms such as "layer 0 issue" if something is unplugged, or even "computer needed a power cycle" when we simply restarted the computer even though we already told the user to do so. Curious if anyone has any clever euphemisms for when the webcam is covered?

Of course I should also pretend to do more work on their computer as opposed to switching the cover open and saying "ta da". Although we have established that I have developed an "IT aura" where things suddenly start to work when I observe it.

https://redd.it/1qwlxxj
@r_systemadmin
What do you use to automate IT tasks?

Looking for a product to automate IT tasks like on-boarding/off-boarding and other tasks like spinning up new servers or access requests, etc. Looking for hybrid capable as we still have on-prem hosted things and AD. I could probably script things out with PowerShell, but that seems daunting and unwieldy.

Update: since many are pointing to PowerShell, I am proficient at PowerShell, but maintaining either a bunch of scripts or one big script doesn't seem efficient. I'd like something either a little more point and click with maybe some scripts here and there.

https://redd.it/1qwmg1h
@r_systemadmin
Need help with Windows Remote Desktop Mobile app update and OpenVPN

Hello, since the new update of the Microsoft Windows Remote Desktop app on Android (11.0.0.78), we are unable to remote into any desktop when using a VPN on OpenVPN.

What works:
If I am on my phone data and I turn on the VPN, then it works.

It works on the network that the PCs are on themselves.

It works on a hotspot from another phone with the VPN turned on.

What does not work:
If I am at my home on my Wi-Fi and I turn on the VPN, it does not work.

We have tested this on multiple different Wi-Fi networks and phones and they all do the same. With the previous update (11.0.0.68) it works with no problem, and other RDP apps work well.

Does anyone have any idea at all how to fix this? Or does Microsoft know about this?

https://redd.it/1qwp2cf
@r_systemadmin
Thanks, I can ask Copilot myself

Sometimes, when I am putting together a niche PowerShell script or looking for an option or setting Microsoft has buried ten menus deep, I find myself giving Copilot a try. If it fails to provide a good answer without hallucinating and I have searched the documentation, I'll take the matter to an external consultant. The last few times I have contacted a consultant it went like this:

Copilot:
Hey have you tried command that looks too good and does not exist.

Consultant:
I think you should try command that also does not exist

In one case I even got the exact same hallucination from the consultant as from Copilot.

Now don't get me wrong, I don't judge them for using AI, I bet it even solves a good portion of their tickets but seriously can't you be bothered to confirm if the command does what I want it to do or if it at least exists?

We don't pay you guys to ask copilot for me, I can do that myself. My last three cases in a row all went like this and it's just wasting time and money. Even Microsoft support does this but what do you expect from them anyway...

https://redd.it/1qwq4tp
@r_systemadmin
Windows Imaging current state

MDT and WDS are deprecated, FOG has not had major updates in years. None of the other free options that we've looked at are particularly appealing. Our current plan is to move to Packer and MAAS. (We are K12.) Is anyone else using this or is it too obscure in a Windows environment? I know there are FOG fans on here, and I don't hate it, but I want a more automated system and to be able to update existing images.

https://redd.it/1qwotfj
@r_systemadmin
Shoutout to Dell Support

Normally the posts on this community are either questions or rants, and I wanted to take the opportunity to share something more positive.

Nowadays it seems like most product support just gets worse and worse. The people with knowledge end up leaving, companies slash support budgets to increase profits, enshittification ensues. It's almost a guarantee that you're going to be routed to a call center in India where you'll spend hours getting nowhere.

Over the last couple of years, I've had to contact Dell support a handful of times. Here are my observations:

* When I call, I get routed to a person very quickly. There is an initial IVR menu, but I don't have to navigate excessive IVR menus or wait more than a minute before getting connected to a person.
* So far, every rep I've connected with has been in the US. At the risk of sounding racist or problematic in some way, I've never had to deal with language barriers, difficult to understand accents, or major timezone differences. To me, this is an indicator that Dell is not willing to cut costs by outsourcing their support overseas.
* Every support rep I've spoken to (for the most part) has been genuinely personable, helpful, and invested in trying to find a solution. It's all too common now for support reps to try to get out of doing work, listening for the key words that allow them to say "not my job" and send you along to the next team, or just doing the bare minimum. That hasn't been the case with Dell support.

So, if anyone working in Dell support sees this, kudos to you!

https://redd.it/1qwtub6
@r_systemadmin
Internal DNS Naming and HSTS

We decided a few years ago to move our internal DNS namespace away from a .local domain to a subdomain of our corporate domain (internal.company.co.uk). Our corporate site has an HSTS policy enabled that includes all subdomains. This is required because certain components are hosted on subdomains (for example, images.company.co.uk).

However, this causes us significant issues internally. For many of the internal interfaces that IT uses to manage devices and applications, anything served over HTTPS with a self-signed certificate is blocked because it does not satisfy HSTS requirements.
We are aware that, on a per-site basis, this can be bypassed using thisisunsafe, or by issuing certificates from our internal CA. However, many of these device management portals do not support dynamic or automated certificate renewal. As a small team, manually tracking and renewing certificates across a large number of devices is time-consuming and operationally painful.

We now have the opportunity to change this again and are wondering what others would suggest, as the general recommendation seems to be what we are already doing for internal DNS.

https://redd.it/1qwv4q2
@r_systemadmin
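The post above explains why an HSTS policy with includeSubDomains on the corporate domain spills over onto an internal namespace such as internal.company.co.uk. As an added example (not code from the original post), the Python below parses a Strict-Transport-Security header value and decides whether a browser that remembered it would enforce HSTS for a given hostname, and therefore whether a self-signed certificate on that host is fatally blocked. The hostnames and header values are constructed for illustration.

```python
"""
Added example (not from the original Reddit post): how an HSTS policy with
includeSubDomains ends up covering an internal namespace such as
internal.company.co.uk. Hostnames and header values are constructed.
"""
from dataclasses import dataclass


@dataclass
class HstsPolicy:
    host: str                 # host that sent the Strict-Transport-Security header
    max_age: int              # seconds the browser remembers the policy
    include_subdomains: bool  # whether the policy also covers every label below host


def parse_hsts(host: str, header: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value (RFC 6797 syntax:
    directives separated by ';', names are case-insensitive)."""
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age is mandatory in an HSTS header")
    return HstsPolicy(host.lower(), max_age, include_sub)


def hsts_applies(policy: HstsPolicy, target_host: str) -> bool:
    """Would a browser that remembered `policy` enforce HSTS for target_host?"""
    target = target_host.lower()
    if policy.max_age == 0:
        return False  # max-age=0 tells the browser to forget the policy
    if target == policy.host:
        return True
    # includeSubDomains covers the whole subtree, however deep
    return policy.include_subdomains and target.endswith("." + policy.host)


def cert_blocked(policy: HstsPolicy, target_host: str, cert_trusted: bool) -> bool:
    """Under HSTS a certificate error is fatal (no click-through), so an
    untrusted (e.g. self-signed) certificate on a covered host is blocked."""
    return hsts_applies(policy, target_host) and not cert_trusted


if __name__ == "__main__":
    corp = parse_hsts("company.co.uk", "max-age=31536000; includeSubDomains")
    for name in ("images.company.co.uk", "switch01.internal.company.co.uk", "company.local"):
        print(name, "-> HSTS enforced:", hsts_applies(corp, name),
              "| self-signed cert blocked:", cert_blocked(corp, name, cert_trusted=False))
```

A browser holds the policy once it has seen the header from company.co.uk (or from the preload list, if the domain is preloaded), and with includeSubDomains every name below it, including anything under internal.company.co.uk, is held to the same rule: certificate errors cannot be clicked through, so only a certificate the client trusts works. A hostname outside that subtree is untouched by the policy, which is what the `endswith` check expresses.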
Windows SQL Cluster just died

About a month ago, I built a new Windows Server 2025 server with SQL Server 2019. The server worked flawlessly. I was able to roll the cluster and everything seemed fine. I loaded data onto the system and it sat there waiting on the vendor to do some testing.

Yesterday I went to connect to the cluster VIP with SSMS and couldn't connect. I started looking at the servers (VMware VMs), and I don't see the additional IP addresses for the active nodes, and the shared drives are not there in Windows. I can see them in Disk Management, but cannot bring them online. I also cannot start the cluster.

I looked at the data store for the first node I created and can see the shared drives. Without the quorum drive, the nodes seem to be fighting over who is active.

This is my first time in 20 years building a windows cluster of any sort, other than a DFS cluster. The shared drives are mapped from a SAN, and were added to the primary node as an RDM disk.

Has anyone seen anything like this before? I re-ran the cluster validation, and the only errors were related to disk storage.

I'm not looking for somebody to fix it, just point me towards some documentation to help me troubleshoot it.

https://redd.it/1qwtuuz
@r_systemadmin
labeling physical servers

How is everyone labeling physical servers?

I manage hundreds of physical systems that are all from different vendors, generations, and form factors. We've been through several methods for labeling physical servers, but the last several new systems we got have literally no flat surfaces on the front or back where one can apply a label. We have regulatory requirements to label the servers themselves, rather than removable bezels or the rack surface next to the server etc. The top, bottom, and sides are not accessible and are, obviously, inconvenient when looking for a server in a sea of racks.

We utilize Nautobot as a DCIM, but people are human and the data is not always accurate. For new techs, it's helpful for the server label to match Nautobot.

Thanks in advance for your time and suggestions.

https://redd.it/1qww015
@r_systemadmin
HVAC Legend Dies at 28: The Presario That Never Quit

Pour one out for the Compaq Presario 2246, that faithfully maintained its role in handling the HVAC in a 40‑year‑old building until today—its well‑earned retirement.

Running Windows 98, this nearly 30-year-old box controlled all HVAC duties for a 34,000‑square‑foot facility - it stood tall where many newer machines had fallen, weathered multiple electrical storms, and never missed a beat in its relentless task of keeping unknowing humans comfortable when the weather became too challenging.

Were it not for the new control system taking its place, it would likely still be on duty—quietly keeping countless people comfortable through every season.

Inside, its AMD K6, 32 MB of RAM, and 2 GB hard drive endured decades beyond any end-of-life declaration that condemned it to the scrap heap—truly a testament to the quality of old tech that's often forgotten today.

Rest easy, friend; most of us are not far behind.

https://redd.it/1qwzn9l
@r_systemadmin
HP purposely makes newer printers “insecure”

I hate printers. I also hate software limiting. I would love to be proven wrong here or hear a solid explanation for why this is the way it is, so if you've got a couple of cents, let me know.

We just got vuln scan results back at my org, and one of the most common findings was printers with TLS 1.0 or 1.1 enabled or weak ciphers allowed.

Before anyone says “just isolate them in their own VLAN” I know. I’m not the network guy.

Normally this is a quick and easy fix. Except on specific printer models. Some HP models do not have any TLS or encryption related settings at all, even after firmware updates from as recent as 2022.

Models I’ve personally run into:
M277
M377
M402

Most of these were released around 2015 to 2016.

At first I figured maybe the hardware just can’t support it. But then I stumbled across a few P4515s that are already scheduled for replacement. I logged into the web GUI and sure enough I can lock them down to TLS 1.2 only.

These P4515s are from 2008. Firmware date is 2017.
Older hardware. Older software. Somehow more secure.

So what gives?

My personal guess is money, assuming the consumer will just buy a new printer.

https://redd.it/1qx17lv
@r_systemadmin
At what point do you stop backing up data?

Our company is failing. Not from bad leadership but from a major industry change. We lost 65% of our staff and are in survival mode. It’s a shame because this job has been my “happy story” job that I love.

Recently we were made aware that we just cannot afford a SharePoint backup. We have around 50 TB of data. But our financial system is backed up appropriately.

This isn’t a “leadership doesn’t see it as important”, or “they are greedy and reckless” but just a lack of resources. I don’t know if I should push harder on getting it approved.

https://redd.it/1qx4cni
@r_systemadmin
PSA: Foxit working well for us to replace Acrobat Pro and Docusign

A while back, I asked r/sysadmin for opinions on Foxit. As a result, I recently migrated my org to Foxit to replace Adobe Acrobat and Docusign. So far, so good.

Foxit Editor PDF+ replaces Acrobat:

$160/user/yr versus $180/user/yr

Foxit eSign replaces Docusign:

$0/user/yr versus $480/user/yr

I have no idea if Foxit will work for every org, but we have somewhat strict regulatory guidelines we have to follow and feel it will meet most needs:

- The installed PDF editor does not seem to require admin rights to install updates. In the previous post I made, there was some doubt about this, but so far, it has updated without admin rights. There is an updater service that runs as SYSTEM.

- The installed PDF editor has an ADMX template to allow for basic policies to be configured via on-prem Active Directory and Intune.

- The web-based Foxit eSign platform is SOC 2 Type II attested.

- The web-based Foxit eSign platform and the installed PDF editor licensing component allow for SSO via SAML.

- Licenses are assigned to named users via the web-based Foxit admin console.

Our users are not super enthused by Foxit, but nobody has run into any reported issues so far. It's boring, and I am okay with that.

Foxit support seems okay. I don't know if we have phone support, but all of our tickets so far have been responded to within 8 hours.

Here is the one thing I don't like, mostly because I am afraid it might get the TikTok treatment: fundamentally, Foxit is a Chinese company. I don't know if that makes it untrustworthy, but being from the U.S., I never know when the federal government might get a hair up its ass and decide to sanction the company. To be clear, Foxit *does* have U.S. operations and is not purely Chinese, but if you trace it back to its roots, it's definitely Chinese.

Anyway, I say all the above to give encouragement to anyone who needs to find a cheaper alternative to Adobe's shitty products and Docusign's overpriced platform.

https://redd.it/1qx5922
@r_systemadmin
We are doomed if we don't find out a fix - KB5074109

Hi, recently my company's environment was hit by the update (KB5074109), which caused hundreds of machines to go into a blue/black screen of death. The environment has been down for more than 1 day now.

- We've tried resetting the machines; it isn't reliable, it goes back to where it was.
- Restore points might or might not work.
- We have tried uninstalling quality updates.
- We tried a few commands through the command line.
- We tried connecting with Dell support; they say it's a software and not a hardware issue, so they cannot help here.
- Microsoft isn't responding.

Questions for you guys:

Is there any other reliable way through which we can resolve the issue? It's hundreds of systems worldwide. A few of the machines got impacted, a few did not. I need a perfect solution because we've tried out multiple things and we feel lost now.

Is Microsoft paid support gonna be of any help here? What are the quotes and how should we reach out to them?

We usually delay the environment in our system before pushing it to the prod but somehow we seem to have missed out on this update and a major issue has occurred. Any help or suggestions to fix would be a great deal to us.

https://redd.it/1qx77i0
@r_systemadmin
After 10+ years in network security, here's the audit checklist I actually use

I've done security audits for SMBs for years and got tired of reinventing the wheel every time. Finally documented my actual process — figured I'd share the key points.

The 80/20 of SMB security audits:

Network Perimeter (where most breaches start):

- Firewall rules review — look for "any/any" rules, unused rules, and rules older than 2 years
- Open ports audit — if you can't justify why it's open, close it
- VPN config — split tunneling enabled? MFA required?
- DNS filtering — still amazed how many don't have this

Identity & Access:

- Admin account audit — who has Domain Admin and why?
- Service accounts — when was the password last changed? (answer is usually "never")
- MFA coverage — not just email, but VPN, RDP, cloud admin portals
- Terminated employee accounts — check against HR list

Endpoint Security:

- EDR/AV coverage — 100% or are there gaps?
- Patch compliance — focus on internet-facing + critical CVEs
- Local admin rights — who has them and do they need them?
- USB/removable media policy

Backup & Recovery:

- 3-2-1 rule compliance
- When was the last restore TEST? (not backup, restore)
- Air-gapped/immutable backups — ransomware protection
- RTO/RPO — does the business actually know these numbers?

The stuff people skip:

- Egress filtering — most only filter ingress
- DNS query logging — goldmine for incident response
- Network segmentation — flat networks are an attacker's paradise
- Physical security — unlocked server rooms, no visitor logs

Common findings (every single time):

1. Service accounts with Domain Admin + password = company name + year
2. No egress filtering whatsoever
3. Backups exist but never tested
4. Ex-employees still have active accounts
5. "Temporary" firewall rules from 5 years ago

Happy to answer questions if anyone's setting up their own audit process.

https://redd.it/1qx8vmc
@r_systemadmin
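Several items in the checklist above (any/any and stale firewall rules, service-account password age, service accounts holding Domain Admin, MFA coverage, terminated employees still enabled) are mechanical comparisons once the exports are in hand. The Python below is an added example, not the original poster's process or tooling: it runs those checks over a small set of constructed inventory records. The field names (`src`, `dst`, `created`, `sam`, `is_service`, `pwd_last_set`, and so on) and every record are assumptions for illustration; in practice the same functions would be fed exports from the firewall, the directory and the HR system.

```python
"""
Added example (not the original poster's code): automating a few of the
audit checklist items over constructed sample data. Field names and
records are assumptions for illustration only.
"""
from datetime import date

TODAY = date(2026, 2, 6)  # fixed date so the example is reproducible

# Constructed sample exports -------------------------------------------------
FIREWALL_RULES = [
    {"name": "allow-web",   "src": "any",        "dst": "10.0.5.10", "port": "443", "created": date(2025, 6, 1)},
    {"name": "temp-vendor", "src": "any",        "dst": "any",       "port": "any", "created": date(2021, 3, 15)},
    {"name": "old-sftp",    "src": "10.0.0.0/8", "dst": "10.0.9.3",  "port": "22",  "created": date(2023, 1, 20)},
]
ACCOUNTS = [
    {"sam": "jdoe",    "enabled": True,  "is_service": False, "domain_admin": False, "mfa": True,  "pwd_last_set": date(2025, 12, 1)},
    {"sam": "svc-bkp", "enabled": True,  "is_service": True,  "domain_admin": True,  "mfa": False, "pwd_last_set": date(2019, 5, 2)},
    {"sam": "asmith",  "enabled": True,  "is_service": False, "domain_admin": False, "mfa": False, "pwd_last_set": date(2026, 1, 10)},
    {"sam": "bwayne",  "enabled": False, "is_service": False, "domain_admin": False, "mfa": True,  "pwd_last_set": date(2024, 4, 4)},
]
HR_TERMINATED = {"asmith", "bwayne"}  # the HR list of people who have left


def firewall_findings(rules, today=TODAY, max_age_days=2 * 365):
    """Flag any/any rules and rules older than the review threshold (2 years)."""
    findings = []
    for r in rules:
        if r["src"] == "any" and r["dst"] == "any":
            findings.append(f"{r['name']}: any/any rule")
        if (today - r["created"]).days > max_age_days:
            findings.append(f"{r['name']}: rule older than 2 years")
    return findings


def identity_findings(accounts, terminated, today=TODAY, svc_pwd_max_days=365):
    """Cross-check the directory export against the HR list and the
    service-account / MFA items of the checklist."""
    findings = []
    for a in accounts:
        if a["enabled"] and a["sam"] in terminated:
            findings.append(f"{a['sam']}: terminated per HR but still enabled")
        if a["is_service"]:
            if (today - a["pwd_last_set"]).days > svc_pwd_max_days:
                findings.append(f"{a['sam']}: service account password not rotated in >1 year")
            if a["domain_admin"]:
                findings.append(f"{a['sam']}: service account holds Domain Admin")
        elif a["enabled"] and not a["mfa"]:
            findings.append(f"{a['sam']}: enabled user without MFA")
    return findings


def run_audit():
    """Return every finding from all checks, in a stable order."""
    return firewall_findings(FIREWALL_RULES) + identity_findings(ACCOUNTS, HR_TERMINATED)


if __name__ == "__main__":
    for finding in run_audit():
        print("FINDING:", finding)
```

Each check is a plain function over plain records, so the thresholds (two years for rules, one year for service-account passwords) are explicit parameters rather than buried constants, and a disabled account on the HR list is deliberately not reported: the point of that item is to catch accounts that are still usable.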
Weekly 'I made a useful thing' Thread - February 06, 2026

There is a great deal of user-generated content out there, from scripts and software to tutorials and videos, but we've generally tried to keep that off of the front page due to the volume and as a result of community feedback. There's also a great deal of content out there that violates our advertising/promotion rule, from scripts and software to tutorials and videos.

We have received a number of requests for exemptions to the rule, and rather than allowing the front page to get consumed, we thought we'd try a weekly thread that allows for that kind of content. We don't have a catchy name for it yet, so please let us know if you have any ideas!

In this thread, feel free to show us your pet project, YouTube videos, blog posts, or whatever else you may have and share it with the community. Commercial advertisements, affiliate links, or links that appear to be monetization-grabs will still be removed.

https://redd.it/1qxdmhf
@r_systemadmin
We need to stop the divide between those who prefer in office work and those that work better from home. People are different and they require varying environments to thrive.

I have noticed a growing divide and in some cases outward hostility to those of us that work mostly remote by choice. I am far more efficient working from my home office and have no issue with going into the office to catch up or discuss work when required. However, there is a persistent group who openly admit that they get distracted working from home and prefer the office. Snarky comments over time have become persistent, like 'well you're never in the office so .....' or 'stop being a hermit', and cliques have formed. There seems to be some misguided narrative that those that go to the office are better in some way. If we were to measure output, it's not even close. When I do go to the office, I enjoy it, but it's not productive and those that are there easily spend over half the day doing no work. I have never seen this dynamic the other way round, where hard working remote workers gang up on in-office workers. Note this is a dynamic where everyone has the choice to do whatever they want, not that some are not allowed to work remotely. What are your thoughts?

https://redd.it/1qxddzf
@r_systemadmin
Apparently, Microsoft support survey results are not anonymized

So I opened a ticket for an Office 365 (or whatever they've decided to call it this week) issue. A support agent called and after some back and forth the issue was resolved. I got the automated survey afterwards and didn't think much of it, just quickly put in a 4 out of 5 on most questions since the support was good but nothing exceptional, and the problem wasn't very difficult to begin with. To me, a 5/5 rating would mean the support was absolutely exceptional, or they solved a serious, complex issue that had been ruining my day.

A few minutes later I get an angry call from the same support agent who accused me of tanking his rating by not giving 5's across the board, acting like I had given him 1/5 or whatever. He demanded I reply to the ticket email saying how great the support was.

I was a bit taken aback, not just by the unprofessional call, but also by the fact that the results are immediately presented to the support agent after a call. I would have thought they got anonymized and averaged over a period of time, since that's more useful for long-term work anyway.

It may be a difference in work culture, since I'm in Europe where this would be seen as degrading and unnecessarily stressful. Having worked as a 1st line support agent in the past, I also understand how bad the job is even in an EU country known for good working conditions. I understand why they want the highest rating so they can move up the ladder, but if we're all giving perfect ratings out of sympathy this kind of defeats the purpose of those surveys.

I probably won't answer any more surveys to avoid awkward situations like that. I'll just hope I don't get a call back from an agitated support agent asking why I didn't answer the survey...

https://redd.it/1qxfbbs
@r_systemadmin
Another week and another shitty, broken, ai slop riddled, dumpster fire of an update from Microsoft.

I am at my wits end with Microslop. I've been doing sys admin as part of my role for years now, and I've never seen Microsoft so frequently and catastrophically break the most basic fucking functionality of their os.

I work for a manufacturing company. We have several business critical programs we use for inspecting parts and building reports.

Microsoft 365 Apps received an update on February 3rd that would cause ALL of the programs we use to crash when they would attempt to open a file browsing window.

A file browsing window. The most basic functionality of any program.

Why is a 365 update even fucking with the file browser?

This issue was fixed by mass downgrading 365 apps to a build from January 13th.

Week after week I am fixing something that Microsoft broke. The most basic and banal features of windows are breaking. Blue screens, notepad doesn't work, copy paste is broken, ai slop bloatware is installed, massive slowdowns, outlook shits the bed, and on and on and on...

A business focused Linux distro that can run Windows apps can't come soon enough. One can dream I guess.

My only hope is that some of Microslops biggest customers get so fed up that they start complaining and hitting them where it hurts.

It's just inexcusable. I am so fed up.

rant over

https://redd.it/1qxk3nn
@r_systemadmin