management
382 Topics

Can't RDP when in protected users group 2 domains no trust
I have the following issue and have read a lot about people with similar issues, but not quite the same setup as we have. We are working with 2 domains. I call them Domain A and B. So Domain A is our own domain, with our own DC and servers. Domain B is a shared setup for our customers. We all are working with our [email address removed for privacy reasons] accounts to gain access to servers from our customers.
- All customer servers are members of Domain B
- All admin accounts are members of protected users
When I am logged in to our management server, which is a member of domain A, I cannot RDP with my [email address removed for privacy reasons] account to whatever server from our customers. When I am in the office, we can access domain B from our personal laptops, which are only Entra ID joined. From our personal laptops we can RDP to the servers of the customers in Domain B with the [email address removed for privacy reasons] accounts. Strange thing is:
- not all admin accounts have this issue (at the same time)
- Issue is resolved spontaneously
My first question is: do I need to have a domain trust between Domain A and Domain B? Both the domains have a higher domain functional level than 2012 R2. I have communication between my management machine in Domain A to the domain controllers of Domain B. Not only ping, but also KDC, DNS, LDAP, etc. Our domain controller in Domain A does not have communication to Domain B.
22 Views, 0 likes, 1 Comment

Windows Server 2016 and internet issues
Hello everyone, I'm relatively new here and hoping for some help. I'm IT at a school in Manhattan that has an old Dell tower running Windows Server 2016 in the basement that is not in use any more with the school as they have transferred over everything to digital. This was set up before my time working here and the person who set it up unfortunately did not leave any notes. We are ready to disconnect the machine as all of its functions have been moved elsewhere. But, every time it is turned off or disconnected from our network patch, the internet in the entire building goes dead. I do not have previous experience with these kinds of servers and am trying to figure out what could possibly be causing this. I am concerned because the machine is old and feels like it's being held together by duct tape, and if it goes down, I'm hoping internet doesn't go with it. Looking for any advice or knowledge about these servers and what I can try to do to disconnect it.
83 Views, 0 likes, 2 Comments

Does GPO "Install updates for other Microsoft Products" still work on Server 2019?
We've configured Automatic Updates (option 4 - auto download and install) on a server that has SQL Server installed. The option Install updates for other Microsoft products is disabled. We've also set the Microsoft update service location to our internal WSUS server. To confirm, I pulled a RSOP report, as shown below. Now this server has a SQL Server security updates pending for installation, and during the last scheduled update run, an update installation for SQL Management Studio was started, but eventually failed. In my understanding, these are other Microsoft Products and should not be downloaded and installed by Windows Auto Update. But they were and are. Side note, because the Microsoft Support Premiere engineer I'm working with on this case thought this was important: The two SQL updates are approved in WSUS, because we do have SQL servers where we'd like to have them offered for installation. But in my understanding, this should only offer these updates and the Update Agent should then decide based on the setting, whether or not to install updates for other Microsoft products. I do not agree with the support engineer, that the WSUS approval is responsible for the installation of that update. Can someone exactly explain, how the update agent works in this case? Or better, why the update agent does install updates for other Microsoft products, although I did not enable that?
1.9K Views, 0 likes, 1 Comment

Run As Administrator not always working?
I have dealt with this for about 10 years now since Server 2003/Windows XP. Just now getting around to addressing this. If this isn't the right place, I'd appreciate a link to the right place. Have a Server 2019 domain with 13 workstations all running Windows 11 Pro. Workstation users only have user access rights. On occasion I'll need to run something, such as services.msc for example, with admin rights. On some workstations I can right-click services, select Run As Administrator, enter the domain admin credentials and can then stop/start/change services as needed. Yet on other workstations the Run As Administrator doesn't work. It runs services.msc. But I'm not prompted for admin credentials and can't start/stop/change the service. What can I do to make it work so I don't have to waste time logging off the normal user to log in with a domain admin account? Note that I do have and use group policies on the server. I've never "knowingly" set any policy that would prevent the Run As Administrator from working. I also have WSUS set up and it's configured with SSL if that matters. Thanks for any feedback on this.
- Carl
108 Views, 0 likes, 2 Comments

HTTP.sys request logging
Hi, several services like Remote Access (Windows Server Reverse Proxy) or KDC Proxy do use HTTP.sys as engine to deliver their sites to the user. I am aware that there is an error log in "C:\Windows\System32\LogFiles\HTTPERR" but how do I enable a normal "request logging" like IIS does? I want to track every connection, its source IP address and other information in a log file, but how can I do this?
47 Views, 0 likes, 0 Comments

Windows Server 2022 or 2025 Data Centre edition - concurrent editing of Microsoft office documents
Does Windows Server 2022 or 2025 Data Centre edition provide real time collaboration or concurrent editing (through workspaces etc) by multiple users on Microsoft office documents hosted on it locally? So for the sole purpose of having concurrent editing feature of office documents, can Windows Server 2022 or 2025 Data Centre edition become an alternative to using SharePoint server hosted locally or on premise?
Solved, 191 Views, 0 likes, 2 Comments

Windows Server 365 Edition
Windows Server 365 Edition (working title)

This is a new product idea for Microsoft for a specialized version of Windows Server that is tightly integrated with MS365/Azure and geared towards small - medium sized businesses and MSPs. As an admin that works in the MSP space the need comes from supporting clients that are basically cloud managed but still have a need for on-premise servers to support local network applications (think QB SQL Server) locally. The central idea behind this edition is ditching active directory for EntraID and reworking core services around this.

Benefits
- No such thing as local accounts, you log in with your work account and can take advantage of MFA, Conditional Access etc.
- Rework Admin Center so you can manage MS365 and the local server seamlessly.
- Still provide services like DHCP, DNS, Group Policies
- Group Policy would be redesigned to abstract policies to Intune for deployment
- File Shares and Security permissions would be tightly integrated with EntraID users and security groups... Having this work with WinClient would be helpful too.
- For On-prem applications that integrate with AD for ACL (SQL Server) either provide a service that abstracts EntraID to a virtual DC. OR better yet provide APIs for applications to integrate with EntraID or proxied via a service on the server.
- OneDrive Server edition to Sync SharePoint Document Library, Azure File Shares etc. that can be shared locally on the network and additionally act as a cached proxy for OneDrive on WinClient machines to optimize WAN usage. Imagine your ISP has an extended outage, but you still have access to everything locally and very fast.
- PowerShell would come pre-packaged and logged into Azure to make our lives that much easier.
- Certificate Services would integrate with Intune's Premium addons and extend that use case.. think device authentication for APs and Switches.
- RADIUS server would become that much more useful if it worked with EntraID.
These are some of the ideas I can think of, but I'm sure there is a lot more that could enhance our use of a solution like this.
42 Views, 1 like, 0 Comments

Add Passkey support to Active Directory
Everyone, Please go to the feedback hub and upvote my suggestion to add passkey support to Active Directory Domain Services: https://aka.ms/AAw8z54 The reason I am recommending this is because there needs to be a standard way to use passkeys in an AD environment.
262 Views, 2 likes, 3 Comments

Windows Server OSConfig and DSCv3
Introduction

I wanted to formalize putting a post out here to get some discussion going on the attempts at modernization of Windows configuration, and importantly, infrastructure-as-code. Hopefully this is a healthy discussion that others can engage in. Much of what I'm going to try and post about is stuff we already are aware of, but I want to highlight how this is an ongoing concern with the Windows Server platform that makes it difficult to encourage people to even consider Windows in their environment other than for extremely legacy purposes. I want Windows Server to be the best it can be, and I encourage others to join in on the conversation!

Problem Statement

Windows Server needs a modernized configuration-as-code system.
- Must be capable of orchestrating without cloud tools (offline orchestration)
- Must provide for regular validation and attestation
- Ideally should be easily available to 3rd party configuration tools. Since Microsoft appears to have little interest in building their own modernized system that isn't Azure-based, this means that this MUST be orchestrated easily and securely by 3rd party tools.
- Should be as robust as GPO at maintaining and enforcing state.

Security configurations in Windows are a right pain to manage with any 3rd party tooling, with the closest coming to it being the SecurityDSC module which wraps secedit.exe and security policy INFs.

Why is OSConfig not the answer?

OSConfig doesn't provide for me, as an engineer, to clearly define what the state of my machines are based on my company's business requirements. While the built-in Microsoft policy recommendations are great, there are reasons to deviate from these policies in a predictable and idempotent manner.

Applying an OSConfig Baseline -> Then changing settings as-needed with special PowerShell commands

This is not the answer. This is a bunch of imperative code that serves nobody.
And it makes implementing this feature extremely challenging in today's modern world of Kubernetes, Docker, etc. I encourage the Windows Server team to engage with the PowerShell team on DSC 3.0. I think that team has it right, but they are a small group of people and do not have the resources to implement everything that would make DSC 3.0 a first-class configuration as code platform on Windows. And this is where the Windows team should come in. Steve Lee and crew have done a bang-up job working on DSC 3.0, including taking feedback from folks to leverage Azure Bicep language for configuration.

Security Policy Challenge

The way to access security policies needs to change. Even if I were to take DSC 3.0 I'd end up having to create a similar security policy INF file to import into Windows. It just seems so silly to me to have to write all of that out when Windows really should just provide an interface for doing this. In fact, security policy remains to be one of the largest problems to getting a good platform stood up.

Windows Firewall Policy and GPO - The reason why host-based firewalling is painful to manage at scale in a Windows environment.

GPO is definitely not the right place to be managing Windows firewall policy at scale. Particularly when you often have a core set of management rules you want to implement and application-specific needs. Making robust changes becomes a challenge since each policy is separate, preventing you from doing things like inheriting rules for higher level policies. While this is an inherent limitation of Group Policy, it highlights the need to get off of GPO as the core policy configuration tool for Windows.

My recommendations

I'd like for the Windows team to implement DSC 3.0-compatible resources for managing all core functionality of Windows. If you can do it in a GPO, you should be able to do it with Configuration as Code. Please stop relying on the community to make this work.
All of this should be first party to the platform itself. Furthermore, I'd like to recommend that Microsoft either work with 3rd party configuration systems (Chef, Ansible, Puppet, Octopus, etc.) OR to also provide a way to hit the ground running. Perhaps something that integrates visually into Windows Admin Center would be nice.

Conclusion

This is a huge problem in the Windows world and continues to seem to fall on some deaf ears somewhere in the organization. While I no doubt am confident that the engineers on all of these teams very well know these issues and maybe even have discussed fixing them, clearly there's a breakdown somewhere.
380 Views, 5 likes, 9 Comments