'Hi, I was given your name as an IT person from XYZ..' Ouch

dbwillis
Got a call on Saturday afternoon from an unknown number, answered it and found a current small biz customer (Campground in VT) gave them my number since they were 'having a problem with their backup' and 'wanted to upgrade some office computers'
OK, got some basic info over the phone, made an appt to stop down Thursday
It's an eye dr office, the dr is 72yo, small office of 5 users
No issues right now, but he wasn't sure on his backup status and wanted to get some new PCs to replace the old ones....
OK, he shows me around the office, then the 'server closet', OUCH
2 servers crammed in a corner under a staircase, Cisco 24pt 1G switch behind them (covered with dust bunnies of course), decent 20" monitor in the corner, some black WD USB drive plugged into server 2, but power for it plugged into NOTHING, Comcast modem stacked on top of server 1, Netgear wifi router on top of server 2 (all wires look to be factory twist-tied still)
OK
Server 1....he isn't sure what that does, but if they turn it off, the internet goes down...
Server 2...this is the newest server, he put it in when upgrading his office software (OfficeMate / Eyefinity)
Desktops.....Dell Optis...old as in they came with XP COAs on them, but now run Win7 32bit
NO AV anywhere, his account is full admin everywhere, everyone else is user level perms (at least that's good)
I get his signon info and poke around....Server2 is 2008R2 64bit, on a domain...AD tools are there, but they point to server1...AH, OK, that one's your DC.....RDP to it.....
domain_info1.jpg

Checked out the Server1 hardware (pic above)....no RAID, single 20GB drive, 100Mb connection, first thing I did was plug in my USB and Disk2VHD Server1 to a file
Upped the domain from 2000 to 2003 and made myself a few accounts (ServerGuy203, dbwillis, DumbGuy1, DumbGuy2)
Checked out Server2....no RAID, 500GB SATA, 16GB memory, 2008R2, backups stopped in 2019! Plugged in the power and the drive just clicks...

I have a new server sitting in the box at home (Server 2022, Supermicro X10DRG, 2x Xeon 10c/20t ea, 128gb mem, 2x 240 SSD-os, 2x480gb SSD-vm, 2x240gb SSD-shares, 1tb sata-temp backup, 1 open bay)

He needs to have a VM for a lady in Delaware to RDP into to run his insurance things, and I'd prefer to run a VM to run VPN software, then a VM or two for me to test GPOs and logons, etc, so maybe leaning towards adding the Hyper-V role, but the new server is going to be a domain controller...I know it's bad to add things on the DC, anyone done it? That server will also run the eye dr applications...which I believe are SQL Express related

I've got the MS doc on upgrading 2003 AD to 2022, but I'm kind of torn between having the new server run the office dr apps, file shares, 2 printers, then a VM for the DC *or* the server be the DC and run the office dr apps, file shares, 2 printers, then a VM for the lady to use and for me
Thoughts?
Can't go with ESX or Proxmox since the dr uses the GUI to change passwords if needed
 
Too much "Linux is hard, Windows is easy." And, behold, the result...
 
Hyper-V the new server and make the new DC a VM. I usually like to have at least one other DC on different hardware but given the size of the office you're dealing with here, that may not be feasible. Run a few more VMs for the other software you need and the insurance RDP.

For backups, set up a VM for Veeam and use that to back up to some other disk not in this all-in-one Hyper-V server. At that point you'll be able to restore these VMs anywhere you need to should something catastrophic happen. You can go even further and set up backup copy jobs to get them into Wasabi storage for cheap offsite backup.
 
Proxmox VE can be utilized through a browser. He'd just need a bookmark.
 
These days, some small business routers do a great job at providing VPN into the network. For example, my ASUS ExpertWiFi EBM68 does a great job as a VPN server, and provides a free DDNS. You can use PPTP, OpenVPN, IPSec VPN, or WireGuard VPN. All you'd need then is to set up a VM server, and wouldn't really need a DC since network access can be provided at the router level, and users at the VM workstation level.
 
Dental offices are required to meet certain HIPAA requirements so however you end up updating everything keep this in mind. Make sure in the edge case something does go bad with patient data, records, or backups you're able to properly do your job in supporting the IT systems, but not assuming liability.
 
Whatever you do, KISS. No need to overcomplicate things in such a small environment.
+1 Hyper-V is great for installs like this, people are much less intimidated by a local console than trying to use a web console with different hotkeys and mouse tracking that may or may not work right every time.
 
Don't upgrade existing DCs, bring up new ones and gracefully transfer roles. Seize if you're sure the old one is dead in the water. If one of those 2003s has Exchange on it for some reason, don't demote it. It'll fuck Exchange up.

And don't ever touch the new one once it's up. There's practically no reason for a human to ever directly RDP to one outside of the most exceptional circumstances. Keep your workloads off it.

Actually, whatever you do - do _not_ have RDP open to the internet. You need a VPN or RDP Gateway with MFA. Your server will be on shodan.io within a month and you'll be getting hit with logins 24/7. If they ever land on a working one, you're getting ransomed.
 
All understood...no Exchange, current DC is alive. Looks like the consensus is to run the office apps on the physical, then Hyper-V a new DC (I started building a 2012R2 Hyper-V VM to migrate roles just now), then a few other Hyper-V machines for the insurance lady and my testing.
I have the Veeam install and a few other HV-related ones, just have to see which one fits him....only has a total of ~20GB, including the OfficeMate DB of 3GB
 
I wouldn't put anything in the physical box except the base Hyper-V install. Makes it much easier to rebuild if you have a failure, get a base install again and restore the VMs.
 
I'd love to have tons of VMs running as this box can handle it (all SSD, 128GB, 20c/40t) but I think that's overly complicated for him, I take it he doesn't mess with the servers (backups stopped years ago) and he just lets them run. I found the old IT guy's AD account....hadn't logged in since 2019
 
Are you not going to be managing this for him once it's all setup?
 
Most of my small biz customers are like this, I don't charge unless work/change is needed....I check backups and Windows updates for free.
Auto shop: free oil changes, any work for only parts price/no labor (parts at the price they pay, great for tires), free use of the paint bay when needed, can store off-season wheels in their attic
Campground: free weekend cottage for a weekend every year - usually pick 4th of July weekend, free firewood as needed when there, get manager's price if I need a second cottage for additional family
Oil/propane company: oil/propane at family price, free furnace cleanings, free 55gal barrels as needed
This is an eye dr, maybe work out a year's supply of contacts each year
 
Barter is a lost art for most.
 
I wouldn't run anything other than Hyper-V on the host OS and just create three separate VMs for the DC, App \ File server, and Billing RDP. (I would actually run 2 DCs but historically your Windows Server license is only compliant for a host and two VM installs.)

IMHO this is a bit cleaner while being easier to maintain and recover if needed.
 
Good point, if at some point they'll care about licensing then Hyper-V as the only role doesn't consume a license.
 
All good points, advice taken a bit....
Have the server in the office, created a few VMs: Temp2012DC, DCa, W10LTSC01, W11LTSC01, VPN01.
Promoted the 2012 to PDC/Ops master, moved all the roles, moved the DHCP and file share to the physical server, created new printer shares (for W10+) on the physical server
Updated the BAT logon script to VBS as I didn't want to create any GPO that might blow up W7 32bit and the 32bit printers right now (printers on W7 were added by the logon script BAT file)
Demoted the 2003 server, then the next day cloned it to a VM on the new physical server (Disk2VHD) JUST to use as the printer server, shut down the physical box.
Chatted with the insurance person who needed VPN....set her up with Tailscale (I've never done it on a Mac, but learned LOL), found what office PC she was using...cloned that from 'SharonsPC' to 'PC-Gisell', she is able to connect to the VPN, then 'Office App' (RDP) to the VM..works faster than the physical PC she used to use lol
Cloned the 'Reception1' PC to a VM 'Reception5' so I can use it to confirm I don't break anything
Also created a few users: Dumb Guy 1 'DG1', Dumb Guy 2 'DG2', ServerGuy456, WorkstationGuy789, ServiceDude1. DG1 is in the same OU as the current staff, DG2 is in the OU I created to better organize things, ServerGuy is the server admin, WorkstationGuy is obviously the PC admin, ServiceDude is for backup stuff to run.
A few GPOs created (Google home page, which was their first request even before any work started), common wallpaper, folder/file copy to PCs (for the wallpaper), some PC settings, workstation admin groups, server admin groups, Windows updates, firewall policy

First time I've worked with anything SQL related, but I was able to back up the current office DB server, ZIP the files, then copy them to my server at home (VM) and test the office app install and DB restore, and client install process....took 2 tries but got it working!

TO DO:
promote DCa to new DC (it's Server 2022), move the roles over, remove Temp2012DC a week later,
Rebuild my spare laptop at home for a test seat of Win11 for them to use and see what they want to change, add, etc. Make any changes needed, then have him order some client machines (he's paying and buying, I just OK'd the specs for him), I'll pick up when delivered and wipe/reinstall W11 Pro, add Office, VLC, Chrome.

Edit - going to log some perfmon info on the current office app server to see what it's maxing at during the day, going with a VM for it is probably AOK, just want to make sure
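Added example, not commands from the thread: a PowerShell pass for the "promote DCa, move the roles over" step, doing a graceful transfer (not a seize) of all five FSMO roles to DCa and running the checks worth doing before Temp2012DC is demoted. It assumes the RSAT ActiveDirectory module, an account in Schema Admins, Enterprise Admins and Domain Admins, and uses the VM names from the post.

```powershell
# Added example (not from the thread): graceful FSMO transfer to the new 2022 DC
# plus the checks worth running before the temporary 2012 R2 DC is demoted.
# Assumes the RSAT ActiveDirectory module; Schema Admins + Enterprise Admins +
# Domain Admins membership is needed to move all five roles. Run from DCa.
Import-Module ActiveDirectory

$NewDc = 'DCa'          # VM names from the post
$OldDc = 'Temp2012DC'

function Get-FsmoHolders {
    # Returns the FQDN of the DC holding each role.
    $d = Get-ADDomain
    $f = Get-ADForest
    [pscustomobject]@{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
}

'Before:'; Get-FsmoHolders | Format-List

# Transfer, not seize: the old DC is online, so no -Force. Seizing is only for a
# holder that is permanently gone, as the earlier reply in the thread notes.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -Confirm:$false `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

'After:'; $after = Get-FsmoHolders; $after | Format-List

# Refuse to go on unless every role now resolves to the new DC.
$stillElsewhere = $after.PSObject.Properties |
    Where-Object { $_.Value -notlike "$NewDc.*" } | Select-Object -ExpandProperty Name
if ($stillElsewhere) {
    throw "Roles still not on ${NewDc}: $($stillElsewhere -join ', '). Do not demote $OldDc."
}

# Replication health and the SYSVOL replication engine (the thread's FRS-to-DFSR
# migration); a 2022 DC needs DFSR, so this should read 'Eliminated'.
repadmin /replsummary          # any failures or non-zero error counts -> fix first
repadmin /showrepl $NewDc      # per-partner last-success timestamps for the new DC
dfsrmig /getglobalstate        # expect 'Eliminated' before removing the 2012 DC
```

Leave the old DC online for a replication cycle after the transfer and re-run the two repadmin checks before demoting it.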
 
Perfmon for 7am to 1pm:
CPU max 22%
Mem used ~6GB (has 16GB, also has uptime of ~2 weeks, so 6GB isn't bad)
No disk or network bottlenecks
Guess a VM with 8 cores and 24GB RAM and 200GB 'C' should be perfectly AOK (current server is a single 400GB SATA with 280GB free)
Created 2 additional GPOs from my testing at home:
"Printer Add - Lexmark" targeting 1 security group for downstairs users, there is another HP printer upstairs that's USB and shared from a Win7 PC...will redo that one on Win11 and maybe GPO connect that one down the road
"Map O for OfficeMate" Forces the O drive to map to \\APPServer\Data
"OfficeMate RunAsInvoker" adds a REG entry under 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers':
  • Value name: C:\OfficeMate\Wait4SvrInstall.exe
  • Value data: RunAsInvoker
I found when logging in as DumbGuy1 or 2, the app launches, but calls another file, Wait4SvrInstall.exe in C:\OfficeMate, which triggers a UAC prompt to enter admin creds; this reg file gets around that, so I don't have to fully disable UAC
I plan to remove the logon script in the users' profiles and go all GPO mapped drives, it's actually going to be only the 'office' drive that gets mapped, I'll call it "Map I for Shares"
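Added example, not the poster's GPO or code: PowerShell that writes the same AppCompat layer the registry preference above sets, then lists every shimmed executable in both the machine and per-user Layers keys so the change (and anything else living there) is visible when reviewing a PC. Key path, value name and value data are the ones quoted in the post; the hive loop and the audit function are assumptions of this example.

```powershell
# Added example (not from the thread): set the RunAsInvoker layer for the
# OfficeMate helper the way the GPO does, then audit the Layers keys.
# Run elevated on a test PC (Reception5 in the thread) before pushing by GPO.
$Exe   = 'C:\OfficeMate\Wait4SvrInstall.exe'
$Layer = 'RunAsInvoker'   # only suppresses the manifest's elevation request;
                          # the exe still runs as the signed-in user, no admin rights
$LayersKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'

if (-not (Test-Path $LayersKey)) { New-Item -Path $LayersKey -Force | Out-Null }
# Value name is the full exe path, value data is the layer string.
New-ItemProperty -Path $LayersKey -Name $Exe -Value $Layer -PropertyType String -Force | Out-Null

function Get-AppCompatLayers {
    # Lists every value under the Layers key of HKLM (machine-wide) and HKCU (per user).
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"
        if (-not (Test-Path $key)) { continue }
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notin $providerProps } |
            ForEach-Object {
                [pscustomobject]@{
                    Hive       = $hive
                    Executable = $_.Name
                    Layers     = $_.Value
                    OnDisk     = Test-Path -LiteralPath $_.Name   # stale entries show False
                }
            }
    }
}

# Anything listed that you did not add yourself, or that points at a user-writable
# path, is worth a second look during a review of the office PCs.
Get-AppCompatLayers | Sort-Object Hive, Executable | Format-Table -AutoSize
```

If Wait4SvrInstall.exe genuinely needs admin rights for its first run, the layer will make it fail silently rather than prompt, so test it once as DumbGuy1 after applying.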
 
Another GPO for file and folder perms related to OfficeMate (3 folders and 1 INI file)
Added 2022 VM for DC (4c, 4GB, 100GB), updated AD to use DFSR, confirmed replication status is good!
Created the app server VM (8c, 24GB, 150GB), backed up and restored the SQL Express DBs to it, tested with a current Win7 office machine and everything seems to work!
 