Recent Discussions
LDAPS and Certificate Creation
Hi, I've been asked to set up secure LDAP and convert all of our LDAP services to LDAPS. Something totally new to me, so I've been trying to teach myself. One issue I've run into is that I'm not finding much information on how to create the secure certificates, so I'm looking for guidance. An ex-colleague stood up a certificate authority server (CA) and an intermediate certificate authority server (IA). Currently, the CA is powered down, which seems to be a best practice. The IA server is up and running; however, when I go to my domain controller (DC) and look at the Local Computer\Personal\Certificates section I do see a certificate, but it was issued by the CA and expired last summer. Shouldn't that certificate have been issued by the IA? How do I go about issuing certificates for this and other purposes, like all of the web-based control systems in my network, such as vCenter, that complain about not being secure when I log into them? I've been searching for tutorials on the subject but only seem to find tutorials on how to install it, not how to use certsrv to issue and renew certificates. Does anyone know of any tutorials or walk-throughs like this? Thanks in advance!
Hyper-V: How do VMs communicate with external?
Simple scenario: VM --> vNIC --> vSwitch (external) --> physNIC --> physSwitch. The vNIC assigned to the VM has MAC address aa:aa:aa:aa:aa:aa; the physical NIC (physNIC; the vSwitch of type external is connected to it) has bb:bb:bb:bb:bb:bb. What mechanism ensures that when the VM sends a network packet to the external network (the physical network connected to the physical switch physSwitch), the MAC address of its vNIC (aa:aa:aa:aa:aa:aa) is used, and not the MAC address of the physNIC (bb:bb:bb:bb:bb:bb)? In other words: what makes physSwitch "see" aa:aa:aa:aa:aa:aa when the VM communicates with an external endpoint?
ISO version reporting
Is there a standard way in which the Windows installer ISOs can be interrogated for which version of Windows is on them? This is a bit convoluted, so I'll explain the use case. When installing W10 on one of the last generation of x64 Apple Macs, the Boot Camp installer will take the ISO and prepare it by injecting drivers, particularly that for the T2 security chip, which handles the first part of the boot process and is the storage controller, among other things. With W10 going out of support (and W11 not really an option due to the hardware requirements) I have been looking at trying to install one of the W10-based server versions instead. These are obviously very similar in structure and would probably install and work from a technical standpoint, but if I try it the Boot Camp installer reports that the ISOs aren't Windows 10, and won't proceed. I'm basically looking to clarify whether there is any minor editing of the ISO (or files on it) which can be done to convince Boot Camp that actually this is W10. Anyone know? Thanks
PowerShell counterpart for Failover Cluster Manager "Live Migration Settings"
In Failover Cluster Manager, there's "Live Migration Settings" where I can define what cluster networks I want to carry live migration traffic. Even after some research, I cannot find a PowerShell cmdlet that lets me do the same...
Noob needs help with RDP Services
I am new to Windows server management. I set up a 2019 Server in a VM (Hyper-V). I installed the licenses we got for RDP from MS after installing the Remote Desktop Services. I am getting an error that the Remote Desktop Licensing Mode is not configured. It tells me to use Server Manager to specify the RD Connection Broker. Either I neglected to install it or to configure it, not sure. Articles I find say go to Server Manager -> Remote Desktop Services -> Overview... BUT that tells me I am logged in with a local account but must use a domain account to manage servers and collections. Again, not using a DC. This server is not part of a domain. We do not run AD internally, only AzureAD online. We have 1 program we still run internally and users RDP to it. Should I remove the service and reinstall? What about the licenses I added already? How do I keep them? Any assistance will be greatly appreciated... J
DNS Server cannot lookup domain AWS
Hi Everyone, I have an issue with the DNS service on Windows Server 2019. I have a CNAME record pointing from an internal domain to a domain hosted on Route53. However, this record frequently returns an 'unknown host' error. My server is already connected to the internet, and the record has a TTL of 60. Please help me with this case.
Implementing LAPS
Translated with Google. Good morning, in the test environment I am trying to activate the LAPS features. The activation seems to have been successful. From the computer that acts as DC in AD it shows me the DSRM user password, while from the computer account of the test PC for LAPS no account or password is displayed. Obviously I created a GPO for the application of the LAPS parameters. I have already restarted the PC several times and performed a GPupdate /force. What can I check to have LAPS active on the client too? This is the data of the test network: PC: W11 Pro 10.0.26100 build 26100; Server: W2025 srv Datacenter 10.0.26100 build 26100; Domain functional level 2025; Forest functional level 2025.
Windows 2022 server to Windows 2025 Active directory migration
Hi, in the lab I had 2 servers: dc1, which is Windows 2022, and dc2, which was 2025 server. I transferred all roles from 2022 and this was working perfectly, but then I made one mistake by demoting dc1 2022 using the GUI server, and it looks like that took out the whole domain. dc2 2025 has all the roles; however, when I try to open Active Directory Users and Computers this is what I get: "Naming information cannot be located because the specified domain either doesn't exist or couldn't be contacted". Interestingly enough, in my workspace I just shut down the domain controller that I want to decommission and then clean up metadata, but in this instance I wanted to try to demote the domain controller and this is the process that took the domain out. Now I don't have a backup; all I have is the ntds.dit file and I am not sure whether it is possible to restore the domain with just this file. dc2 is still a domain controller but even netdom query fsmo says no domain controllers.
Password change error message too generic on Windows Server 2025 domain
Hi everyone, in two different production environments running on Windows Server 2025 (fresh Active Directory installations), users reported an issue when trying to change their password via Ctrl+Alt+Del → Change a password. If the new password doesn't meet complexity requirements, the system returns only a generic error: "Unable to change the password at this time." There's no indication that the failure is due to the password not meeting policy requirements (length, complexity, history, etc.), which creates confusion and unnecessary support tickets. In previous environments running on Windows Server 2016 or 2019, the error message was more informative, clearly stating when a password was too weak or did not meet domain policy. Is this generic message a known change in Windows Server 2025? Has anyone else encountered the same issue? Is there any way to re-enable the more detailed error descriptions? Thanks in advance for any insight!
Workgroup Failover Cluster backup service account
Hello, we have built a workgroup Hyper-V cluster. Live migration works well when taking a node. But the only account that we can use is the one used at the cluster creation. I found some posts about creating the same user / password on both nodes and granting the cluster full access. But this account gets access denied in the cluster manager. I would like to have a specific account for backup and also a nominative account for administration. I just read Orin Thomas's post, but it did not help. Has anyone ever been able to use a different local account to manage a workgroup cluster? Or, to achieve this need, must I stick to AD-registered servers? Thanks for any help. Jean Marie
Windows event collector (WEC) troubles
Hi all. I have a really frustrating issue I can't resolve. We set up WEC a long time ago... Now I upgraded in-place to Server 2025 and it's behaving really weird. The problem is this: I created a new subscription and my PC was sending events just fine yesterday. I rebooted the server and my PC, still all is fine. Turned off my PC, went to sleep, started working in the morning and NO logs from my machine in WEC. At all. Other PCs are also randomly sending logs, some yes, some no. So I tested WinRM connectivity, all fine. Error on my PC: The forwarder is having a problem communicating with subscription manager at address http://MYWECSERVER:5985/wsman/SubscriptionManager/WEC. Error code is 2150859263 and Error Message is <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859263" Machine="MYWECSERVER"><f:Message> <f:ProviderFault provider="Subscription Manager Provider" path="%systemroot%\system32\WsmSvc.dll"> <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="2150859263" Machine="MYWECSERVER"> <f:Message>The event source of the push subscription is in disable or inactive on the Event controller server. </f:Message></f:WSManFault></f:ProviderFault></f:Message></f:WSManFault>. I also have some errors on the WEC server: The Subscription DomainComputers could not be activated on target machine MY-PERSONAL-PC due to communication error. Error Code is 0. All retries have been performed before reaching this point and so the subscription will remain inactive on this target until subscription is resubmitted / reset. Additional fault message: eventsource is in either disable or inactive state OR The Subscription DomainComputers could not be activated on target machine MY-PERSONAL-PC due to communication error. Error Code is 20. All retries have been performed before reaching this point and so the subscription will remain inactive on this target until subscription is resubmitted / reset. Additional fault message: eventsource is in either disable or inactive state. Also the runtime status is like this: a lot of Active computers, mine is in yellow Inactive state... I have NO idea how to fix this, why it works for some clients and not for others, and the most perplexing question, why it worked yesterday until sleep. Just like that WEC sets the status to Inactive, and then my PC sends logs and it does not change the status back to Active. Thanks for all suggestions!
Migrate 2012 R2 to Server 2022
Hi, I have Server 2012 R2 configured on a physical server that acts as a Domain Controller, along with Certificate Authority and DHCP, single site, plus 2 additional DCs on 2016. Below is the scope that I need to execute. Please share any steps if anyone has done that, and what the best recommended steps are to perform this deployment. Also, what action do I first need to perform after reviewing the AD health check? Should I follow the same steps as mentioned in the scope? Any issues or challenges faced while doing the transition?
- Review and validate existing Active Directory health status across all sites.
- Promote a new AD 2022 for the root domain (3x DC: 1 physical and 2 virtual).
- Transfer the Flexible Single Master Operations (FSMO) roles.
- Test domain functionality after upgrading all domain controllers and ensure high availability and redundancy.
- Migrate the existing Certificate Authority to a new dedicated CA server.
- Migrate existing DHCP to two new highly available DHCP servers (two virtual machines).
- Decommission the old three domain controllers in the HQ site.
- Decommission the Azure-DR site (two DCs).
Unable to Install Windows Server 2022 standard Edition
Hi Team, I'm trying to install the ISO of Windows Server 2022 downloaded from the Microsoft web site, but I'm receiving an error message at the beginning of the installation. The error message says: "Windows cannot find the Microsoft Software License Terms. Make sure the installation source is valid." I kindly request your help on how I can resolve this issue.
RDP Long delay between Logon-Event and GPO-Processing
Hello, I have a 2019 RDP connection broker and some 2019 session hosts with a current OS. Sometimes it takes a very long time (up to 15 minutes) between the logon at the session host and getting a desktop. In the event log I see the security event 4624 (an account was logged on) at 08:02. If I check gpresult for this user I see the processing of the GPO started at 08:16 and finished in a few seconds. These times match the user experience that they see a "loading user profile" message. How can I get information on which task takes so long? Regards, Arnold
RDP connection not possible and RDS-Virtualization role comes back after restart
Hello everyone, I have here a Windows Server 2022 Standard 21H2 (Build 20348.4052) (Essentials) with the newest updates. This is the Domain Controller. Hyper-V is installed with one VM. The VM is a terminal server. In the past I tried to install the terminal server on the Hyper-V server. To do so I installed all kinds of Remote Desktop roles. This was stupid of me. Especially as it does not work on a DC. I want to connect as administrator by RDP (mstsc) to the server but it does not work anymore since I installed all these roles and features. No other users are connected. I can still connect to the VM. In one situation I was able to connect to the server, but after entering the password I received the error 0x808 (0x101) that there is no license server for remote desktop available. I have now removed all roles related to the terminal server and RDP which I had installed. But I cannot uninstall RDS-Virtualization. After uninstalling it comes back when I perform a restart. I have already tried Uninstall-WindowsFeature -Name RDS-Virtualization -Remove. In Server Manager a menu item about Remote Desktop Services appears, but it says that no connection broker server is in the pool. The submenu "Servers" lists my DC. I found in the event manager an error related to the uninstall process, 0x80070057 wrong parameter, but I do not have more information. DISM /RestoreHealth and sfc /scannow did not find any problems. I am not using VDI, but is Hyper-V maybe reinstalling the role after the restart? Do I need to uninstall the role to make RDP work again, or could there be other reasons? Do you know where I can find a detailed log about the problems uninstalling the role and maybe installing it? Do you have any idea how I can find out more about the problem? Thank you!
Active Directory Unable to reset user passwords
I am managing a Windows Server 2025 Active Directory environment with client machines. I created a test user and enabled the option "User must change password at next logon." I then provided a temporary password to the user, expecting them to get the prompt to change it on first login. However, when the user attempts to change the password, they receive the error: "The user must change password before signing in." My goal is that when I provide a temporary password to a user: they get the prompt to change the password at next logon, and when they change it, it should not throw the "user must change password before signing in" error. I need guidance on how to achieve this so users can reset their passwords successfully.
DNS and host domain
I configured a Windows 2019 server with DNS service. The domain is contoso.com. The contoso.com domain is outside the local network. I entered the IP of the external domain and deleted the IPs of the Windows server and the replica server. After a few minutes, the server created two host domains again with the IPs of the DNS servers. How do I prevent it from setting the DNS servers as the host domain?
List with FQDNs and IPs for updates via proxy
Good day, I am sorry if it's the wrong subspace. I have a couple of Windows servers at or above Server 2016 that download updates directly from the internet via a proxy. I cannot find a website by MS that lists all the needed IPs and ports that are to be opened on the proxy to do that successfully. Since a month ago it has failed, and we think the reason is that some more requirements we were not aware of were added. Best Regards
Recent Blogs
- About media-based upgrade to Windows Server 2025: With N-4 media based upgrades, you can upgrade your organization's physical devices and virtual machines directly from Windows Server 2012R2, Window... (Sep 23, 2025)
- Hello team, Manuel here. In recent years, Microsoft has introduced Strong Certificate Name Mapping (Strong Mapping) as a requirement for certificate-based authentication in Active Directory environme... (Sep 05, 2025)