Windows Server
2350 Topics

MICROSOFT XPS DOCUMENT WRITER
Good Day! Does anyone know how to install the same MICROSOFT XPS DOCUMENT WRITER that installs on WINDOWS 10/11 on SERVER 2025? An application needs it to send emails with attachments via OUTLOOK. None of the drivers available to install manually are the same as the one on WINDOWS 10/11. Thank you!
1.8K Views, 1 like, 3 Comments

Help us shape the future of Windows Server Previews
Feedback window extended through September 23, 2025

Hello Server Insiders!

Your feedback is vital in helping us understand your needs and preferences with our preview programs. We invite you to participate in our survey designed to help us assess interest in validating servicing update (LCUs) previews for Windows Server.

Your participation is greatly appreciated and will help shape the future of Windows Server preview offerings. We will not ask for your personal information and your responses will contribute directly to the development of Windows Server Preview programs. Please share your valuable insights before September 23, 2025.

Survey Link
Privacy Statement

Thank you for your interest in collaborating with Microsoft!
198 Views, 2 likes, 0 Comments

DCs not replicating across VPN
I am at a loss here. I have looked at every CMD option I can find, verified DNS and cannot get my DCs replicating across the VPN. I don't understand how I was able to join the domain but now the connectivity is a problem.

So here is my setup:
- 2 DCs in Site (my building)
- 2 DCs in Datacenter connected by IPSec VPN

I can ping the IP, the DNS name, the short name, and the domain from all DCs regardless of location. I have verified on each DNS server that the name servers are correct and resolved. I have run nltest, dcdiag, syncall, repadmin, etc. The only error that keeps showing up in most commands is 1722 network error. RPC unavailable. Topology incomplete.

One oddity that I found was that on the DCs in the datacenter Sites and Services was missing one of the local DCs. I added it manually but there are no NTDS Settings for it. I have flushed DNS, reregistered DNS, restarted the servers. All Windows firewalls are set to ANY ANY for domain services. My WAN firewalls are ANY ANY between the sites.

I have no idea what to look for next. Please if anyone has ideas let me know. Also I have already built new servers multiple times and this keeps happening.
50 Views, 0 likes, 4 Comments

What's the deal with Kerb3961?
Howdy, everyone! I wanted to write this blog post to discuss the new Kerb3961 library introduced in Windows Server 2025 / Windows 11 24H2. It is (hopefully) making encryption type (etype) usage within Kerberos much easier to anticipate and understand. Let's start with...

What is Kerb3961?

Kerb3961, named after RFC3961, is a refactor of the Kerberos cryptography engine in its own library. This library is now the authoritative source of:

1. Etype selection
2. Etype usage
3. Etype management

For the average IT administrator, the part that is going to be most interesting is #1. The Kerb3961 policy engine is what will authoritatively determine what etypes are available given different Kerberos key usage scenarios. Whereas in previous Windows releases, there were instances of hard coded etype usage due to technical limitations at the time of implementation.

Kerb3961 still leverages existing Kerberos etype configuration group policy: Network security Configure encryption types allowed for Kerberos - Windows 10 | Microsoft Learn. However, it no longer honors the legacy registry key path of:

HKEY_LOCAL_MACHINE\CurrentControlSet\Control\Lsa\Kerberos\Parameters
REG_DWORD SupportedEncryptionTypes

As a reminder, the group policy mentioned above is used to configure the supported encryption types for a machine account. The machine then propagates this information into Active Directory (AD) where it is stored in the msds-SupportedEncryptionType attribute for the account. It has no effect on non-etype related Kerberos settings such as those outlined in Registry entries about Kerberos protocol and Key Distribution Center (KDC) with the exception of the DefaultDomainSupportedEncTypes registry key.

The biggest change is the reduction of hard-coded etype usage. We have heard the frustrations of customers who are trying to eliminate RC4 usage, and the seemingly unexplainable instances of RC4 usage with their environments.
This new library removes these hard-coded dependencies and aggregates all those decisions into one place. With the goal of:

- More secure Kerberos operations by default
- More predictable Kerberos etype usage
- More stable etype additions
- More stable etype removals

For example, if we had not done this refactor, the DES deprecation and on-going work towards RC4 deprecation would not be possible.

Why did this need to happen?

Kerberos was added to Windows in the early 2000's as a part of beginning the move away from NTLM and into modern cipher usage. Over these decades, there have been incredible strides in security hardening that the original developers could not have foreseen. As a result, some of the design decisions made during that initial implementation impacted our ability to reliably change the way Kerberos operates. This can be seen in things like:

- Kerberos changes for CVE-2022-37966
- Kerberos changes for CVE-2022-37967

Additionally, with the long tail of code in this area and the etype that has been historically used, it had become a near impossibility to add or remove a cipher due to how the etypes were directly associated in Kerberos.

What does this mean going forward?

The Kerb3961 library has key implications going forward. The biggest one is the removal of hard-coded cipher usage and a stronger adherence to the administrators’ configured encryption types. The environment will operate as configured. Meaning IT administrators can have a high degree of confidence that their configurations will be honored.

This increases the amount of knowledge required by administrators. Misconfigurations, previously hidden by loose adherence to the configured etypes, will now be exposed. For more information about Kerberos etype selection, refer to the Kerberos EType Calculator.

What needs to be done?

To configure an environment requires understanding what etypes are used within an environment. To help aid in this endeavor, we have improved Key Distribution Center (KDC) auditing.
- 4768(S, F) A Kerberos authentication ticket (TGT) was requested. - Windows 10 | Microsoft Learn
- 4769(S, F) A Kerberos service ticket was requested. - Windows 10 | Microsoft Learn

We have also published two PowerShell helper scripts that leverage these new events. The goal of these scripts is to allow for easier identification of both etype usage and account key availability. These scripts are published on the Microsoft Kerberos-Crypto GitHub repository, where, going forward, we will be using scripts and information published there to better interface with the community.

We acknowledge that substantial changes can introduce regressions and friction points for those with mature environments. It is our goal to allow for a smooth adoption of these new features and prevent any unnecessary pain for our already overworked and under-appreciated system administrators. Please be sure to leverage Feedback Hub to share your experiences with us.

If you would like to see any of these features early, we highly recommend leveraging the Windows Insider Program and opting into Continuous Innovation and sharing feedback directly with the development team.

We understand that this can be challenging, and Microsoft is committed to ensuring that the knowledge needed to make an informed decision about what is right for your environment.
4.3K Views, 2 likes, 11 Comments

Windows update failure Error 0x8024200B
Windows server 2022 standard version 21H2
Installed 08/04/2025
OS Build 20348.3807
KB5063880 installation failed. Error 0x8024200B
Latest servicing stack installed 10.0.20348.4160

Can't get the update to install, been through the entire guide on how to reset windows update etc. The only solution I can find is to reset windows and reinstall the OS, but surely that is a bit drastic for a security update, especially since the server was installed only 5 months ago? Any help would be useful please!
44 Views, 0 likes, 0 Comments

Introducing the VM Conversion tool in Windows Admin Center – Public Preview
As organizations update their infrastructure, a growing number are seeking adaptable, Microsoft-supported solutions that address current requirements while laying the path for future cloud and AI adoption. Azure provides an agile, scalable, cost-effective platform for infrastructure and innovation. Whether by modernizing to cloud technologies like Windows or Linux VMs, containers, Azure VMware Solution or PaaS services, Azure offers a world-class cloud experience.

However, we recognize that some organizations must retain workloads on-premises due to data compliance, governance, or other regulatory requirements. For customers wanting to adopt Windows Server and Hyper-V for this use case, we are excited to provide a new option within Windows Admin Center, the VM Conversion tool, in public preview now. This agentless, cost-free tool streamlines the conversion of virtual machines from VMware to Windows Server with Hyper-V, providing customers flexibility with their on-premises virtualization environments while enabling a seamless transition path to Azure when desired.

With minimal infrastructure requirements, the tool is particularly beneficial for small and medium-sized organizations. Additionally, with minimal setup time you can download the new VM Conversion tool extension in Windows Admin Center and begin converting virtual machines in under five minutes.

Figure 1- VM Conversion tool in Windows Admin Center

🔑Key Features:

Agentless, appliance-free discovery
After establishing a connection to the virtualization environment, the tool conducts discovery of all virtual machines without requiring agents or appliances and does so in a non-intrusive manner.

Minimal downtime
The VM Conversion tool enables initial data replication while the source virtual machine remains operational, thereby preventing any interruptions to ongoing applications.
After completing this initial replication, on user consent, the source VM is powered down so a subsequent replication pass can capture any data changes made during the first phase. This two-step process ensures that the cutover time from the source to the target VM is minimized.

Group servers
You can select and migrate up to 10 virtual machines at a time. This reduces manual effort and accelerates the transition to Windows Server.

Boot configuration
The tool automatically maps BIOS-based virtual machines to Generation 1 and UEFI-based machines to Generation 2, preserving boot configurations and ensuring compatibility.

OS agnostic
The tool supports conversion of both Linux and Windows guest OS VMs to Windows Server host.

Multi-disk VM support
Virtual machines that use several virtual hard disks—common in production environments—are fully supported. The operating system, data, and application disks are all migrated together, so manual setup is not needed.

⚙️How It Works

To ensure a smooth and reliable transition, the tool performs a comprehensive set of built-in prechecks. These checks validate critical VM attributes such as disk types, boot configuration (BIOS or UEFI), destination disk, memory requirements, and several more. By identifying potential issues early, administrators can proactively address them—minimizing the risk of migration failures and reducing downtime during the final cutover.

The VM Conversion tool uses change block tracking (CBT) to efficiently replicate data from one virtual disk format to another. During the initial seeding phase, a full copy of the virtual machine is created while it remains online. This minimizes downtime and ensures data integrity. Before the final cutover, a delta replication captures all changes made since the initial copy, ensuring the destination VM is fully up-to-date post conversion to Hyper-V hosts.

🚀Ready to Take the Next Step?

The VM Conversion tool is available now in the public feed of Windows Admin Center.
You can install it directly from the Extensions settings in Windows Admin Center. To get started, ensure you're running the Windows Admin Center v2 GA release.

📘 For detailed setup instructions and prerequisites, refer to the Public Preview Documentation.

📍 Summary

The VM Conversion tool offers a simple, supported path for organizations to streamline VM conversion to Hyper-V virtualization environments. With no added cost and minimal setup, it empowers customers to streamline VM migration and prepare for the cloud at their own pace. Support for Azure Arc-enabled servers is also planned for future releases, further enhancing hybrid management capabilities.

We’re continuously evolving the VM Conversion tool based on user feedback. Please continue to share your feedback here and help us prioritize our efforts for future releases. Happy converting!

Server 2016 Essentials coexisting with Server 2022 Standard
I am in the process of replacing an older Server 2016 Essentials with a Server 2022 Standard. The 2016 Essentials server is today acting as the primary domain controller for the domain. My plan is to:

1. Install the new Server 2022 Std
2. Join it to the existing domain as a Backup Domain Controller
3. Promote the new server to PDC
4. Move contents and applications on the Essentials 2016 server
5. Demote the old 2016 Essentials server
6. Decommission the old server.
7. Lift the entire domain to a higher level.

So the question is: can these servers co-exist as domain controllers in the same environment or do I have to have another approach to the server change?

Best regards, David
3.6K Views, 1 like, 4 Comments

No SET-Switch Team possible on Intel X710 NICs?
Hello, we have a lot of servers from different vendors using Intel X710 DA2 network cards. They work fine in standalone and they work fine if we create switch independent teams using Server Manager, regardless of Dynamic or Hyper-V Port. But sadly we can't use these teams in Server 2025 because we have to create SET-Switch Teams instead.

But as soon as we create a Hyper-V SET-Switch Team with X710 cards, they have limited to no network communication. They still can communicate with some servers, are slow with some others, and can't communicate with some at all. Especially communication to other servers, which also use X710 cards with SET-Switches, is zero. SET-Teams with other cards like E810 work just fine.

I've read several times that the X710 cards just won't work with SET, even since Server 2016. But I can't really give up on this, since we would have to replace a lot of them. We have tried to disable a lot of features like VMQ, RSS, RCS... but couldn't make it work. Firmware and drivers are the most recent, but it happens with older versions too.

Does anyone have a solution? Thank you!
686 Views, 0 likes, 4 Comments

Failed test VerifyReferences
Hello everyone,

We are using Windows Server 2019 Standard as the primary and currently only domain controller. Previously, there were several additional domain controllers, but they have all been demoted. dcdiag test VerifyReference returns me the following error:

    Starting test: VerifyReferences
       Some objects relating to the DC 18DC06 have problems:
          [1] Problem: Missing Expected Value
           Base Object: CN=NTDS Settings,CN=18DC06,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vk, DC=local
           Base Object Description: "DSA Object"
           Value Object Attribute Name: serverReferenceBL
           Value Object Description: "SYSVOL FRS Member Object"
           Recommended Action: See Knowledge Base Article: Q312862
          [1] Problem: Missing Expected Value
           Base Object: CN=18DC06,OU=Domain Controllers,DC=vk, DC=local
           Base Object Description: "DC Account Object"
           Value Object Attribute Name: msDFSR-ComputerReferenceBL
           Value Object Description: "SYSVOL FRS Member Object"
           Recommended Action: See Knowledge Base Article: Q312862
       ......................... 18DC06 failed test VerifyReferences

Please advise on how to further investigate and resolve this issue. Thanks in advance.
75 Views, 0 likes, 2 Comments

Can't RDP when in protected users group 2 domains no trust
I have the following issue and have read a lot about people with similar issues, but not quite the same setup as we have. We are working with 2 domains. I call them Domain A and B. So Domain A is our own domain, with our own DC and servers. Domain B is a shared setup for our customers. We all are working with our [email address removed for privacy reasons] accounts to gain access to servers from our customers.

- All customer servers are members of Domain B
- All admin accounts are members of protected users.

When I am logged in to our management server, that is a member of domain A, I cannot RDP with my [email address removed for privacy reasons] account to whatever server from our customers. When I am in the office, we can access domain B from our personal laptops who are only Entra ID joined. From our personal laptops we can RDP to the servers of the customers in Domain B with the [email address removed for privacy reasons] accounts.

Strange thing is:
- not all admin accounts have this issue (at the same time)
- Issue is resolved spontaneously

My first question is, do I need to have a domain trust between Domain A and Domain B? Both the domains have higher domain functional level than 2012 R2. I have communication between my management machine in Domain A to the domain controllers of Domain B. Not only ping, but also KDC, DNS, LDAP, etc. Our domain controller in Domain A does not have communication to Domain B.
44 Views, 0 likes, 1 Comment