Alban1998
Iron Contributor
Joined 3 years ago
Recent Discussions
Re: Best practices needed - new DC, migrate mailboxes from Exchange 2010 to exchange online
Hello, Having both AD and Exchange on a single DC is not supported, and using a version as old as 2010 on top of that means migrating these mailboxes may prove fairly difficult if not downright impossible. Do you still need an on-premise domain controller anyway? I would just populate a new Entra ID tenant with users, associate them with M365 licenses and be done with it. For Exchange 2010 mailboxes, export them to a PST and give it to a user, or export them to an archive mailbox if it is possible. If there is a huge technical debt, and you don't know its history, better start from scratch for everything.

Re: FEATURE REQUEST - Enable / Configure Delivery Optimization via sconfig
Hello, I beg to differ here - you can already manage DO through regedit, scripting, GPO, management software etc. sconfig aims to provide a minimal set of configuration settings, and DO goes way beyond that. If you could manage DO through sconfig, what about hundreds of other GP settings which could be as useful as DO, for example? Let's not bloat sconfig imho.

Re: Force password in network drive with GPO
Active Directory provides you the ability to centralize authentication and identity management through a set of features including, notably, single sign-on (SSO). File access management is tied to your account, assuming file servers and workstations are also part of Active Directory. You implement this through the good old AGDLP model or claims/dynamic access. This is an on-premise model, however; modern file management relies on Microsoft Entra ID, Azure file shares etc.

Re: AD Sysvol Staging / Staging area folders missing after migrated FRS to DFRS
If it ain't broken, don't fix it. You are bound to have some strange bugs/behavior when migrating decades-old components (DFSR-based replication for AD has existed since 2008). If repadmin/ADReplStatus/event logs/gpmc don't report issues, and if you don't detect any incident regarding replication, then there's no need to worry.

Re: SCCM On Domain Controllers
Hello, Your security team is right - any software installed on domain controllers should be considered Tier 0. While you may delegate domain controller access within Config Manager as explained above, Config Manager admins will be able to easily bypass or disable it, making them effectively Domain Admins. This is also true for some service accounts tied to Config Manager. There is no one-size-fits-all solution for this. A good compromise would be to build a dedicated WSUS server for all Tier 0 servers.

Re: Windows Server 2022 WDS & OEM License
Hello, Configure the public client KMS key available on the Microsoft website on your image (it should be configured by default if the image comes from MVLSC). On your domain, enable Active Directory Activation (or AVMA if using Hyper-V). Nothing else to do. Better use Microsoft Deployment Toolkit rather than WDS to build your image tho.

Re: Unexpected Automatic Windows Server Updates Despite GPO and WSUS Configurations
Hello, First, I would avoid disabling automatic approval of updates - it's a tedious, time-consuming job, and very prone to mistakes. Let WSUS do it - just do not configure deadlines, and manage deployments using GPO. As usual, make sure the host OS for your GPMC is still supported (2019, but I strongly recommend 2022) and fully updated. Make sure your Central Store is also up-to-date with the latest ADMX (that would be June 2023). Check your GPO settings again. Then check WSUS configuration, and Windows Update logs on servers. There should be something wrong there.

Re: Replication
Hello, That's not a good idea. Don't expect tight security within a forest - this is by design. You may either create separate forests (without trust relationships), or just create a single domain, single forest with separate OUs for dev, test and prod, then apply a hardening/delegation model to it (best option).

Re: Restrict Active Directory LDAP "bind" to specific accounts
Hello, This is by design - Active Directory is a directory, not a secured vault. You can always restrict read/browse rights by applying a delegation model (updating OU ACLs, updating access rights...), but the more you restrict it, the more technical issues and management complexity you'll get.

Re: GPMC cant view RSoP if no User Policy settings is selected
Hello, Rsop.msc was deprecated many years ago, not sure if it is relevant. However, I'm indeed able to reproduce the bug within the "Group Policy Results" category of a GPMC based on a fully updated (2023-05) Windows Server 2022. Generating a report with "Display user settings only" works fine, and generating a report with both user and computer settings works fine. The issue only appears when selecting "do not display user policy settings in the result (display computer settings only)" in the wizard. It does not matter if you target a local or remote computer. As a workaround, Group Policy Modeling does not seem to be affected. Not sure Microsoft is gonna fix this issue unless you open a Support ticket tho.

Re: Make Print Spooler and DHCP services Redundant?
Hello,
1) Don't mix WSFC with DC, Active Directory has its own resiliency mechanism. It doesn't mix well at all with WSFC (not even sure it is supported). Don't mix Print Server with DC either - too much of a security risk. For resiliency, you could rely on VM failover if it's a virtual machine. WSFC could work but it's kinda overkill for 120 users.
2) DHCP failover is easy to configure and reliable, and much easier to implement/manage than WSFC. Like 1), don't mix DHCP server roles with DC - put it on its own server. VM failover is also a solution (rebuilding a DHCP server takes barely more time than reinstalling the OS). You should avoid WSFC unless you have a very specific need tbh, it's overkill for most use cases wherever built-in resiliency is available.

Re: Install CA from scratch, already have an existing one
Not much is required, as domains will automatically trust each other, and DNS solvers should also do the work. Check required certificate template permission changes and CA availability requirements in the Microsoft documentation. You may also try to build your forest PKI right now, and slowly migrate your domains to it.

Re: Install CA from scratch, already have an existing one
Then you will have the same issue on every domain - mixing AD DS and AD CS roles is not supported, and will prevent you from migrating your domain controllers until you uninstall AD CS. For the short term, your migration plan is solid. For the long term, you may want to review your current Active Directory architecture: for example, you could use a single PKI for the entire forest. Or merge all domains into a single one, if each of them holds a very limited number of clients.