User Profile
Alban1999
Iron Contributor
Joined Oct 23, 2019
Recent Discussions
Re: RDS - How relevant?
Hello, As always for all architecture-related questions, the response is "it depends". In your situation, RDS seems to be a well-designed solution - however, Microsoft just decided to drop support for Office 365 on Windows Server 2022, and to shorten Office 365 support on 2016/2019. On-premise Windows Server editions get the minimum amount of engineering these days - as far as I know, there are no differences between RDS 2019 and 2022 (and even 2016). You may keep using RDS 2016 until Office 365 end of support for it (2025) - for what happens after, it's Azure (or Azure HCI) or nothing (or a non-Microsoft solution). Of course, these solutions' costs are far higher than on-premise RDS.
3.5K views, 0 likes, 0 comments

Re: Windows Server 2012 SMB shares result in very slow Office files
Hello, Building a new file server on an almost out-of-support OS (2012 EOL is next year) is a bad idea. You should check Microsoft best practices for building a new server: N/N-1 OS, Server Core, appropriate sizing using MS tools, etc. Multiple issues can trigger this kind of behavior. I would check network/storage/antivirus client first, as well as Windows Server logs and perfmon.
1.5K views, 0 likes, 0 comments

Re: Default Domain Controller Policy settings changed?
Hello, If you migrated from 2000 to 2022 over the years, you can expect two things: 1) Default Domain Controllers Policy (and Default Domain Policy) are slightly different between those OS - Microsoft hardened and updated those policies over time. 2) It is very likely someone has tampered with those policies, directly modifying them instead of pushing those changes to a separate policy. You may also inherit settings applied by legacy configuration on domain controllers (for example, IIS_USRS rights may indicate someone installed the IIS role on domain controllers in the past). Please note some changes may be justified, like permissions added for on-premises Exchange infrastructure. If possible, the current DDCP should match a DDCP extracted from a brand new 2022 domain lab, and I strongly recommend fixing the first one before implementing the security baseline. Of course you must analyze and test such changes before implementing them. Once done, you can start testing and implementing Security Baseline policy settings. Of course, be sure to apply them through a separate GPO.
13K views, 0 likes, 0 comments

Re: Remote Desktop - Local Resources - Drives
Hello, Edit a GPO then browse Computer Configuration/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection -> Do not allow drive redirection. Of course, be sure to test those changes before implementing them in your production environment.
13K views, 0 likes, 1 comment

Re: Use PowerShell to search for accounts in Active Directory that have gone stale!
Hello, Nice script, thanks! I would add two exceptions to your script, one for "krbtgt", another for the default AD administrator account ("administrator" in En-US) - if people start to disable/delete those because they think they are stale, it will backfire.
8.6K views, 0 likes, 0 comments

Re: Discovery nTDSDSA Objects with no matching Discovered DC
Hello Samuel_Caunt, LainRobertson replied before me and explained in detail how to clean up such items. Thanks to him! Anyway I do not think it should trigger issues for day-to-day operations, but it's better to fix it before heavier operations like migrations.
1.3K views, 0 likes, 0 comments

Re: Discovery nTDSDSA Objects with no matching Discovered DC
Hello, Adding the server back then forcing a decommission wasn't a good idea. If you have leftovers after a migration, first wait for a bit until all logical/physical replication processes are completed - it may take some time, even within small environments. I guess you already tried a metadata cleanup? If yes, then one solution could be a manual cleanup using ADSI Edit - but it's risky and you may trigger even more issues instead.
1.4K views, 0 likes, 3 comments

Re: How to upgrade Microsoft Endpoint Configuration Manager to support TLS 1.2
Hello, You'll find Microsoft official guidance here: https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-server Also, MECM 2010 is now unsupported, and you must upgrade to a newer version.
790 views, 0 likes, 0 comments

Re: A sample deployment of Authentication Policies and Authentication Policy Silos in Active Directory!
Hello, Thank you for this awesome post. For those who do not know this feature, managing Active Directory/Filer delegations through Authentication Policies/Authentication Policy Silos/Claims aimed to replace the good old AGDLP/GPO delegation model (which suffered from token bloat issues amongst other things). This was back in 2013. Sadly, I never saw it in production since - even Microsoft PFEs still rely on the AGDLP/GPO model for Active Directory delegation last time I checked.
11K views, 0 likes, 2 comments

Re: Any potential problems with mixed OS versions for Active Directory PDC?
Hello Lain, I'm not thinking about AD features or domain/forest functional levels, but Exchange supported scenarios for Active Directory environments - you just cannot mix any Exchange versions with any OS versions for domain controllers. If you do not follow those requirements precisely, Exchange breaks.
19K views, 0 likes, 1 comment

Re: Any potential problems with mixed OS versions for Active Directory PDC?
If you don't want to break everything you need to double-check Exchange on-premises requirements - usually install the latest CU to support the latest OS, which can be a tedious process, especially if those Exchange servers are updated once in a blue moon. Which is why it seems better IMHO to migrate to an Exchange-friendly OS first (2016) before making the next jump to 2019/2022 right away.
19K views, 0 likes, 3 comments

Re: Any potential problems with mixed OS versions for Active Directory PDC?
Hello, It is best to avoid mixing operating systems for DCs - promoting even one triggers an Active Directory migration, and having older OSes puts you at risk - expect security and compatibility issues. You also need to take admin tools into account (newer OS = newer admin tools). Also, Active Directory migration isn't always straightforward - having on-premises Exchange will add prerequisites, for example (and don't try to bypass them - your Exchange infrastructure may explode). My advice: do not try to go faster than you should. Complete your file server migration first. Make sure your DCs own only the AD and DNS roles and nothing else, and that there is no other server with the DNS role. Make sure you build them with Server Core. Prepare a future Active Directory migration - check prerequisites (like DFSR), AD/DNS health and backup, enable optional features already available (like AD Recycle Bin), check new features available with newer OS and domain/forest levels. Then, migrate your 2008 R2 to 2016. Enable new features and increase domain/forest levels (you won't need to do this once you reach 2016). Then, trigger a global AD migration to 2022 using virtual machines if possible, or 2019 if you can't do better (the end of support date for 2019 is slowly closing in).
19K views, 0 likes, 0 comments

Re: DNS Scavenging Question
Hello, First, you should activate DNS scavenging on all AD integrated DNS zones. Duration settings depend on other network settings like the DHCP lease. Then, activate DNS scavenging on one DNS server only (the PDC FSMO, for example). Then, wait until DNS scavenging starts to kick in - by default, after 2 weeks. Never trigger scavenging manually, it's an excellent way to screw up your DNS records. DNS scavenging works well - if you are patient.
1.3K views, 0 likes, 0 comments

Re: Reasons why Windows Server Core installation option does not include dsrecmd?
Hello, while I agree Windows Server editions should share a common set of tools, I do not understand why we need to rely on an executable for this. Such tools should be made available as Windows PowerShell modules - as far as I know "being scriptable with PowerShell" is still an item from Microsoft Common Engineering Criteria for all Windows Server products.
2K views, 1 like, 1 comment

Re: Feature Request: SysWOW64 as optional feature
TBH it looks like an impossible task, especially with Microsoft engineering resources focusing on Windows Server Azure Edition. Removing the 32-bit compatibility stack would break everything - from Windows Server components to Microsoft apps (MECM/Exchange etc.) to third-party apps. Windows Server Nano tried this in the past. It failed.
2.1K views, 0 likes, 1 comment