Windows Server for IT Pro topics Thu, 21 Oct 2021 11:29:48 GMT WindowsServer 2021-10-21T11:29:48Z Windows server 2019 <P><SPAN><SPAN class="">Hello colleagues. Please, help!! I contacted Nvidia support for this error and they told me to write to you. Can you help with what could be the reason?</SPAN></SPAN></P><P><SPAN>Faulting Application Name: dwm.exe, Version: 10.0.17763.831, Timestamp: 0xd5c9fdea</SPAN><BR /><SPAN>Faulting module name: udwm.dll, version: 10.0.17763.1852, timestamp: 0x6f3c3f5d</SPAN><BR /><SPAN>Exception code: 0xc00001ad</SPAN><BR /><SPAN>Error offset: 0x00000000000b15d5</SPAN><BR /><SPAN>Faulting Process ID: 0x46358</SPAN><BR /><SPAN>Faulting application start time: 0x01d7c5abbe4dae07</SPAN><BR /><SPAN>Faulting Application Path: C:\Windows\system32\dwm.exe</SPAN><BR /><SPAN>Faulting module path: C:\Windows\SYSTEM32\udwm.dll</SPAN><BR /><SPAN>Report ID: 416a4057-de3d-4ff6-9b99-641771569d1b</SPAN><BR /><SPAN>Bad package full name:</SPAN><BR /><SPAN>Application code associated with the failing package:</SPAN></P> Wed, 20 Oct 2021 16:42:49 GMT Suleymanov_Arsen 2021-10-20T16:42:49Z Why is Remote Desktop app from MS Store not aligned with Windows Desktop app releases? <P>Hi,&nbsp;</P><P>&nbsp;</P><P>I recently struggled to log in to some new "Azure Virtual Desktop" VMs, using the MS Store version of "Remote desktop".&nbsp; This app is, at time of writing, the version 1.2.1810 (<A href="#" target="_blank" rel="noopener"></A></P><P>&nbsp;</P><P>Unfortunately, if you try to connect to these VMs with your AAD account/UPN, you get a nice username/password incorrect (I am also connecting from a machine that is AAD-bound in same tenant). 
However, if you install the so-called "Windows Desktop" app (that is BTW also called "Remote Desktop" in your start menu...), then everything is fine.&nbsp; &nbsp;At time of writing, the app version is&nbsp;<SPAN>1.2.2459.</SPAN></P><P>&nbsp;</P><P><SPAN>So while there were already a few recent "Windows Desktop" revisions published by MS, the version from the Store is still the one from March 2021 (<A href="#" target="_blank" rel="noopener">What's new in the Microsoft Store client | Microsoft Docs</A>)</SPAN></P><P>&nbsp;</P><P><SPAN>Besides this authentication annoyance, I am wondering why the "Remote Desktop" MS Store version has no feature-parity with the "Windows Desktop" app, and why the one from the Store (which is basically easier to install in 1-click, than playing with an MSI download/installation...), always seems to be lagging behind?</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P><SPAN>When you look at&nbsp;<A href="#" target="_blank" rel="noopener">Remote Desktop clients feature comparison | Microsoft Docs</A>, there is yet another naming scheme:&nbsp;Windows Inbox,&nbsp;Windows Desktop,&nbsp;Microsoft Store. Is there no way to harmonize the naming and articles?</SPAN></P> Sun, 17 Oct 2021 12:50:31 GMT Olivier NAGY 2021-10-17T12:50:31Z Windows server administration <P>Hi All,&nbsp;</P><P>I am new to this forum; please excuse me. I am recently joining a windows server administration role. I don't have much practical experience in it. Can you please guide me to the best study material/lab setup/forums etc., to become pro through the fast track? I know the basic stuff.&nbsp;&nbsp;</P><P>Please guide. Thanks in advance.</P><P>Best Regards</P><P>&nbsp;</P> Sat, 16 Oct 2021 08:41:28 GMT NJ777 2021-10-16T08:41:28Z Server 2022 WSUS shows Windows 11 clients as Windows 10 <P>Title; See attached image I did as a test since our production WSUS is still on Server 2019.</P><P>&nbsp;</P><P>Windows 11 sticks out by build number so it's not an Earth-shattering ordeal, but still. 
Any chance of this being accounted for via future updates to Server 2022? (or downlevel for those not on the bleeding edge)&nbsp; Microsoft had to know this was coming, right?</P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2021-10-15 141746.png" style="width: 400px;"><img src=";px=400" role="button" title="Screenshot 2021-10-15 141746.png" alt="Screenshot 2021-10-15 141746.png" /></span></P><P> </P> Fri, 15 Oct 2021 19:39:34 GMT ajc196 2021-10-15T19:39:34Z ADBA Air Gapped Network <P>Hello, I am trying to find out how the ADBA operates within an air gapped network. I have an isolated network with 200 windows 10 clients. I know that once I load the KMS license to the ADBA and create the object that the clients will activate and check in every 180 days. What I don't know is does the ADBA need check in with Microsoft on an interval as that is impossible within my environment. If it cannot check in does it expire the license and stop activating? Any clarity on this matter would be greatly appreciated as I have not found any articles that speak to this.</P> Wed, 13 Oct 2021 14:48:28 GMT scruggst 2021-10-13T14:48:28Z Writer issues - unable to create a quiesced snapshot <P>The problem is that any attempt at a quiesced snapshot fails on every Windows 2012R2 server that has any installs completed that use UNC paths. The only exception is the one particular server is able to create a quiesced snapshot. My theory on this server is the UNC path(s) are actually local to this server anyway so they are reachable and can be modified. All servers in the base infrastructure with no software product installed that reference UNC paths are able to produce a quiesced snapshot with no issue. They still have the same event ID’s 140, 137, 157 and 50 events but the snapshot succeeds. The KB2955164 update has been applied to a few servers and a quiesced snapshot still fails. 
We are using vSphere 7.01 and the latest vmware tools installation. There was a case opened with VMWare but they deemed this to be a MS related issue - not sure I completely agree but it is what it is.</P><P>&nbsp;</P><P>Any suggestions as how to resolve this would be appreciated. I used diskshadow in an attempt to determine the issue. From the attached it looks like the failure is due to a volume that "does not exist" and was only relevant for the installation of an application using a UNC path.</P><P>&nbsp;</P><P>Thanks in Advance</P><P>Henry</P> Tue, 12 Oct 2021 14:40:49 GMT HGoverde 2021-10-12T14:40:49Z Question around joining Windows Server VMs to Azure AD <P>Hello experts,</P><P>one of our customers has just adopted a new on-prem Hyper-V host running Windows Server 2019. It will be used to run a few VMs such as a SQL Server, an application server and a small RDS farm (for which Active Directory is required to enable full RDS functionality based on my knowledge).</P><P>Currently our customer has no existing on-prem infrastructure in place. In fact, all users have an Office 365 license and their computers are joined to Azure AD.</P><P>I am seeking technical advice in order to check whether:</P><P>==================================================<BR />1) It is possible to join the new VMs to Azure AD in a way that Azure AD can actually be the complete replacement to the on-prem AD (which i doubt)<BR />2) It is not possible to completely replace the on-prem AD and join the new VMs to Azure AD. As a result, at least one domain controller will need to be implemented on-prem along with the other VMs on the new Hyper-V host<BR />==================================================</P><P>Unfortunately, running the new VMs in the cloud is not currently an option.</P><P>Any help will be greatly appreciated.</P><P>Thanks and Regards,</P><P>Massimiliano</P> Tue, 12 Oct 2021 13:52:36 GMT mrizzi2 2021-10-12T13:52:36Z Server 2022 always shows ethernet as a Metered Connection. 
<P>Hi</P><P>&nbsp;</P><P>anybody seen this behaviour? - i have various server 2022 installs, physical and virtual. Fresh and in-place upgrades, all seem to show the Ethernet connection as 'metered' in GUI. Not a huge issue (despite the slider to change it doing nothing)..BUT if we are building&nbsp; new 2022 RDS instance then this can impact office installs, updates etc, has anybody seen this or know how to change it?</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="metered connection1.png" style="width: 400px;"><img src=";px=400" role="button" title="metered connection1.png" alt="metered connection1.png" /></span></P> Tue, 12 Oct 2021 11:49:55 GMT Simon_Stack 2021-10-12T11:49:55Z Workgroup server authenticate external AD account <P>Hello.</P><P>&nbsp;</P><P>For security and infrastructure reasons, I got a server which has to stay in a "workgroup" domain, not integrated in an active directory.&nbsp;</P><P>Meanwhile, I have a list of 15 users of my Active Directory who have to log on this server through TSE/RDP Cals.</P><P>Is there any way for a server not in my AD to authenticate "external" (from another AD) users and to open a session on the server ?</P><P>&nbsp;</P><P>Thank you.</P> Tue, 12 Oct 2021 07:11:31 GMT stephnane 2021-10-12T07:11:31Z ldaps vs. Require LDAP Signing on domain <P>Hello</P><P>&nbsp;</P><P>I'm trying to understand the preferred method?&nbsp; Currently i have a number of client\applications that are making ldap binds to DC's over non secure port. From reading on how to remediate this it sounds like i have two options . 
#1 configure GPO on all DC's for "Require LDAP Signing on domain" or #2 install a cert on every DC, then configure client\apps to connect over port 636</P><P>&nbsp;</P><P>Trying to understand the best option?</P><P>Thank you&nbsp;</P> Mon, 11 Oct 2021 17:38:53 GMT Skipster311-1 2021-10-11T17:38:53Z Force ldaps on domain controllers <P>Hello</P><P>&nbsp;</P><P>How do I prevent clear text ldap to my domain controllers? I want to force ldaps to all DC's&nbsp;</P> Mon, 11 Oct 2021 13:19:34 GMT Skipster311-1 2021-10-11T13:19:34Z ISSUE: vCenter Reports Server 2022 as Server 2021 despite the OS version is correct <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="K_WesterEbbinghaus_0-1633954291157.png" style="width: 999px;"><img src=";px=999" role="button" title="K_WesterEbbinghaus_0-1633954291157.png" alt="K_WesterEbbinghaus_0-1633954291157.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="K_WesterEbbinghaus_1-1633954323789.png" style="width: 999px;"><img src=";px=999" role="button" title="K_WesterEbbinghaus_1-1633954323789.png" alt="K_WesterEbbinghaus_1-1633954323789.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>It seems like there was a change in the product name from Windows Server 2021 to Windows Server 2022 later in the process? 
I can just guess this, as this is the same version as MS Office (2021) and also the Server Version <A href="" target="_self">reported in VAMT 3.x</A></P><P><LI-USER uid="51043"></LI-USER>&nbsp;can you tell more about why different tools report Windows Server 2022 as Windows Server 2021?</P><P>&nbsp;</P> Mon, 11 Oct 2021 12:14:56 GMT K_Wester-Ebbinghaus 2021-10-11T12:14:56Z ISSUE: Windows Server 2022 Generic KMS Keys appear as Server 2021 in VAMT 3.x <P>When implementing Windows Server 2022 Generic Volume License Keys, the Server is recognized as Windows Server 2021.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="K_WesterEbbinghaus_1-1633954173079.png" style="width: 999px;"><img src=";px=999" role="button" title="K_WesterEbbinghaus_1-1633954173079.png" alt="K_WesterEbbinghaus_1-1633954173079.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>Please triage. There is a blocking regression in VAMT / ADK for Windows 11 / 2022 anyway that needs to be fixed, reference:&nbsp;<A href="" target="_blank"></A></P><P>&nbsp;</P><P>&nbsp;</P><P>fyi&nbsp;<LI-USER uid="51043"></LI-USER>&nbsp;.</P><P>&nbsp;</P> Mon, 11 Oct 2021 12:09:58 GMT K_Wester-Ebbinghaus 2021-10-11T12:09:58Z Server 2019 Standard Retail Product Key Damaged <P>Recently purchased a new HP server bundled with&nbsp;Server 2019 Standard.</P><P>I was going to activate with the product key but while I was rubbing off the sticker to get the key, I inadvertently scratched off parts of the key as well.</P><P>I have contacted the supplier from whom I purchased the HP Server bundle and they basically said that I have to either guess the missing number or buy a new license. 
Both of which don't work for me.</P><P>&nbsp;</P><P>I have been trying for a few days now to get in touch with the right person or team to assist but all I have to show for it is hours on hold and today marks the 6th different support person who has called me up to pass me on to the next.&nbsp;</P><P>I&nbsp; know it's not per se a technical problem but I hope that someone else may have had this problem and know how to resolve it.&nbsp;</P><P>Appreciate any help</P><P>&nbsp;</P><P>cheers</P><P>&nbsp;</P><P>MB</P> Fri, 08 Oct 2021 15:55:35 GMT MarkusB1985 2021-10-08T15:55:35Z Windows 11 clients cannot authenticate to NPS server using computer authentication <P>We have a Windows server 2019 datacenter server running NPS. Our WiFi Office clients authenticate to this server for access to the corporate WiFi network. We use computer authentication, so members of the "domain computers" group are allowed access in the policy (we only want domain computers on this network and we don't want users to need to enter their user credentials).&nbsp;</P><P>&nbsp;</P><P>We use GPO to provision a WiFi profile to the domain computers, in which we configure that computer authentication is needed. 
Our Windows 10 clients (literally all of them) are connecting nicely (I have anonimized the event log for security purposes:</P><P>&nbsp;</P><P>Network Policy Server granted access to a user.</P><P>User:<BR />Security ID: DOMAIN\COMPUTER$<BR />Account Name: host/<BR />Account Domain: DOMAIN<BR />Fully Qualified Account Name: DOMAIN\COMPUTER$</P><P>Client Machine:<BR />Security ID: NULL SID<BR />Account Name: -<BR />Fully Qualified Account Name: -<BR />Called Station Identifier: xx-xx-xx-xx-xx-xx:SSID<BR />Calling Station Identifier: XX-XX-XX-XX-XX-XX</P><P>NAS:<BR />NAS IPv4 Address: x.x.x.x<BR />NAS IPv6 Address: -<BR />NAS Identifier: AP01<BR />NAS Port-Type: Wireless - IEEE 802.11<BR />NAS Port: 1</P><P>RADIUS Client:<BR />Client Friendly Name: SonicPoint HQ 1<BR />Client IP Address: x.x.x.x</P><P>Authentication Details:<BR />Connection Request Policy Name: NAP 802.1X (Wireless)<BR />Network Policy Name: NAP 802.1X (Wireless) Non NAP-Capable<BR />Authentication Provider: Windows<BR />Authentication Server:<BR />Authentication Type: PEAP<BR />EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)<BR />Account Session Identifier: "edited"<BR />Logging Results: Accounting information was written to the local log file.</P><P>&nbsp;</P><P>When a Windows 11 client (all of them actually) tries to connect, we see the following logged (again, anonimized):</P><P>&nbsp;</P><P>Network Policy Server denied access to a user.</P><P>Contact the Network Policy Server administrator for more information.</P><P>User:<BR />Security ID: NULL SID<BR />Account Name: host/<BR />Account Domain: DOMAIN<BR />Fully Qualified Account Name: DOMAIN\COMPUTER$</P><P>Client Machine:<BR />Security ID: NULL SID<BR />Account Name: -<BR />Fully Qualified Account Name: -<BR />Called Station Identifier: XX-XX-XX-XX-XX-XX:SSID<BR />Calling Station Identifier: XX-XX-XX-XX-XX-XX</P><P>NAS:<BR />NAS IPv4 Address: x.x.x.x<BR />NAS IPv6 Address: -<BR />NAS Identifier: AP01<BR />NAS Port-Type: Wireless - IEEE 
802.11<BR />NAS Port: 1</P><P>RADIUS Client:<BR />Client Friendly Name: SonicPoint HQ 1<BR />Client IP Address: x.x.x.x</P><P>Authentication Details:<BR />Connection Request Policy Name: NAP 802.1X (Wireless)<BR />Network Policy Name: -<BR />Authentication Provider: Windows<BR />Authentication Server:<BR />Authentication Type: PEAP<BR />EAP Type: -<BR />Account Session Identifier: "edited"<BR />Logging Results: Accounting information was written to the local log file.<BR />Reason Code: 16<BR />Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.</P><P>&nbsp;</P><P>The only real difference I see is that for the Windows 11 client, NULL SID is provided as "Security ID". Could it be that this is causing NPS to not be able to verify that the machine that is attempting to connect is a member of the security group which is allowed to connect (the default group "Domain Computers")?</P><P><BR />Looking forward to either a quick bug fix or a configuration change I need to make. Maybe other Windows Server admins are also experiencing this issue?</P> Fri, 08 Oct 2021 14:52:10 GMT PaulvDam 2021-10-08T14:52:10Z Use only Kerberos, disable NTLMv2 <P>Hi everyone,</P><P><SPAN>In order to fix a security breach "Microsoft ADV210003: Mitigating NTLM Relay Attacks" I would like to disable the NTLM completely and to be sure to avoid impact I decide to audit the logon of my infrastructure in order to list if some application use it and to monitor user logon process. So I've enabled NTLM audit through GPO on some servers. 
I would like to understand the behavior I experience and get a confirmation if this is normal behavior ...</SPAN></P><P>&nbsp;</P><P><SPAN>When I log on through RDP on a server (hour is provided to help to understand the request order): </SPAN></P><P><SPAN>- At 1:46:00PM, This server shows in security log eventID 4624 a logon process with NTLMv2 =&gt;&nbsp;</SPAN></P><P><SPAN>"Authentication Package: NTLM<BR />Transited Services: -<BR />Package Name (NTLM only): NTLM V2"</SPAN></P><P><SPAN>- At 1:46:00PM, This server shows in "Application and Services Logs-&gt; Microsoft -&gt; Windows -&gt; NTLM section of the Event Viewer" an eventID 8003</SPAN></P><P><SPAN>"NTLM server blocked in the domain audit: Audit NTLM authentication in this domain"</SPAN></P><P><SPAN>- At 1:46:03, In my Domain controller, I see in security eventlog an eventID 4624&nbsp;</SPAN></P><P><SPAN>"An account was successfully logged on" with "Logon Process: Kerberos" &amp; "Authentication Package: Kerberos"</SPAN></P><P><SPAN>My question is the following: why, during the logon process, is NTLMv2 used at first instead of Kerberos? Kerberos should be the default authentication protocol, isn't it?</SPAN></P><P><SPAN>Thanks in advance for your support on this difficult topic (For me ;)</SPAN></P><P><SPAN>Regards,</SPAN></P><P><SPAN>Bernard</SPAN></P> Fri, 08 Oct 2021 14:39:11 GMT Bernard_Buyle06 2021-10-08T14:39:11Z APP ALWAYS VISIBLE IN SYSTEM TRAY IN WINDOWS SERVER 2019 THROUGH GPO <P><SPAN>Hello everyone,<BR />I would like to be able to set icons via GPO that are always visible to every user who joins the domain on Windows Server 2019.<BR />Is it possible?<BR />Thank you so much</SPAN></P> Fri, 08 Oct 2021 08:41:22 GMT Alessandr35 2021-10-08T08:41:22Z Issues with Remote Desktop access on Server 2019 Virtual Server <P class="">Hi everyone,</P><P>&nbsp;</P><P>I'm having some issues with using a terminal server that I've set up inside of Server 2019. 
We currently have a company with about 30-40 employees that use a VPN and remote desktop into a server that is virtually hosted (VMware) on a local server.</P><P>&nbsp;</P><P>I'm running into an issue where some employees remote in and the session freezes at either the login screen or afterwards using a program on the server. This happens almost daily, but does not affect everyone at the same time. If they exit the connection and go back in, it will work properly for a few seconds and then freeze again. It also seems to register any clicks on the server when frozen, like if I open a program it will be open the next time I reconnect. It's almost like the viewing of the screen is frozen but the session is still working properly. I find that a server reboot or a restart of the Remote Desktop service will fix this issue, usually for the full day.</P><P>&nbsp;</P><P>I've created a task that restarts the service early in the morning, but the issue sometimes still crops up.&nbsp;There are no errors in the event log as far as I can tell. This issue has been happening ever since I created this new server and gave it the remote desktop roles.</P><P>&nbsp;</P><P>Please let me know at least a direction I can look into, or what information is needed for more troubleshooting.</P><P>&nbsp;</P><P>Thanks in advance,</P><P class="">Devon LaVoy</P><P>Systems Administrator</P> Thu, 07 Oct 2021 14:42:18 GMT devonlavoy 2021-10-07T14:42:18Z The number of connections to this computer is limited & all connections are in use right now. <P>Hello all,</P><P>I have configured RDS per device for 100 users on Windows Server 2019. But I am getting error as 'The number of connections to this computer is limited &amp; all connections are in use right now.' after utilizing 40 licenses only. I am not able to use complete 100 licenses.</P><P>&nbsp;</P><P>As per RDS reports, it shows that only 77 licenses are issued to computers. But still I am not able to use more than 40 licenses on server. 
Can anyone help me on this?</P><P>&nbsp;</P><P>Regards,</P><P>AmolShelar</P> Wed, 06 Oct 2021 16:36:50 GMT AmolShelar 2021-10-06T16:36:50Z Server 2022 downgrade rights <P>Any supporting documents or article for&nbsp;Server 2022 downgrade rights?</P><P>&nbsp;</P><P>Thanks</P> Wed, 06 Oct 2021 08:24:09 GMT Marvin Oco 2021-10-06T08:24:09Z Windows Server Essentials 2016 Client Backup on Windows 11 Pro unusably slow <P>I have just upgraded one machine to Windows 11 and everything appears to be working fine (a few tweaks needed for networking printing and some software updates). For WSE2016, I had to uninstall/reinstall the Windows Server Essentials 2016 Client Connector for it to connect correctly to the server - but everything seem OK with the ability to configure the backup working fine (a useful test of proper connectivity of the client to the server).</P><P>HOWEVER, now I have started a client backup <STRONG>it has currently taken around 16 hours to backup to currently get to less than 40% complete</STRONG>. Previously the (incremental) client backups take minutes and they continue to work fine on my other machines, running Windows 10 Pro 21H2. All machines connected via Gbit wired network.</P><P>Has anyone else tested WSE2016 Client Backup on Windows 11? 
Have you seen the same issue?<BR />How do we report this to Microsoft - I am reporting through Insider Feedback, but suspect the WSE2016 client may need updates, so want to make sure that the "bug" gets to the WSE2016 team as well, whilst it is still formally supported (End of Life being 11 January 2022).</P><P><EM>The PC is an Asus ROG Maximus XI Hero (WiFi) with Intel Ethernet adapter running Intel's latest driver (26.4) so I am also waiting for Intel to release updates with specific Windows 11 support, and for the first round of updates for Windows 11 expected on 12 October.</EM></P> Wed, 06 Oct 2021 06:49:39 GMT TheAndyMac 2021-10-06T06:49:39Z Windows Server 2022 App Compatibility FOD breaks Remote Desktop <P>When installing the App Compatibility FOD on Windows Server 2022, Remote Desktop connections to the server seem to be no longer possible. I think this is a bug, but haven't found any other reports. Can someone confirm?</P><P>&nbsp;</P><P>How to reproduce:</P><UL><LI>Install Windows Server 2022 Standard Core (physical and virtual installs are equally affected).</LI><LI>In SConfig, enable Remote Desktop.</LI><LI>Connect to the server via Remote Desktop using the default 'Administrator' account. Works fine.</LI><LI>Install the App Compatibility FOD and reboot:</LI></UL><P>&nbsp;</P><LI-CODE lang="powershell">Add-WindowsCapability -Online -Name ServerCore.AppCompatibility~~~~
Restart-Computer</LI-CODE><P>&nbsp;</P><UL><LI>Try establishing a Remote Desktop connection again. Doesn't work. You either get a blank screen or get disconnected immediately.</LI><LI>Install all applicable Windows Updates and try again. No change.</LI><LI>Remove the App Compatibility FOD and reboot:</LI></UL><P>&nbsp;</P><LI-CODE lang="powershell">Remove-WindowsCapability -Online -Name ServerCore.AppCompatibility~~~~
Restart-Computer</LI-CODE><P>&nbsp;</P><UL><LI>Try again. 
Remote Desktop functionality is now restored.</LI></UL><P>This did work fine in Server 2019.</P> Fri, 01 Oct 2021 22:28:58 GMT mauricewalker 2021-10-01T22:28:58Z Exclude loopback interface from cluster network <P>I'm trying to setup Direct Server Return for my Exchange on-prem front ended by a GSLB setup.&nbsp; I've reviewed countless articles regarding setting up the loopback, metric and weak send/receive.</P><P>&nbsp;</P><P>The problem appears to be that the failover cluster backing the Exchange DAG is including the loopback IP in the cluster network.&nbsp; This causes obvious problems as any heartbeat sent to the loopback would just terminate at the load balancer with no place to go.</P><P>&nbsp;</P><P>Example:</P><P>&nbsp;</P><P>Site A</P><P>VIP</P><P>Exchange ServerA:</P><P>Loopback ip:</P><P>&nbsp;</P><P>Site B</P><P>VIP</P><P>Exchange ServerB:</P><P>Loopback ip:</P><P>&nbsp;</P><P>Cluster Networking:</P><P>Cluster Network1:</P><P>&nbsp; ExchangeA Ethernet0 (</P><P>&nbsp; ExchangeA Loopback (</P><P>&nbsp;</P><P>Cluster Network2:</P><P>&nbsp; ExchangeB Ethernet0 (</P><P>&nbsp; ExchangeB Loopback (</P><P>&nbsp;</P><P>&nbsp;</P><P>I'm able to see with captures that heartbeat requests are sent to and; They, of course, arrive at the load balancer and are dropped as they aren't valid https,smtps traffic.</P><P>&nbsp;</P><P>I'm at a loss why others haven't had this issue (I see a few similar unresolved articles around the web).&nbsp; The only thing I can think of to resolve the issue is to keep the loopback and it's "spoofed" ip out of the cluster networks but failover clustering doesn't seem to support that.</P> Thu, 30 Sep 2021 21:42:33 GMT trentrobinson 2021-09-30T21:42:33Z Microsoft's PrintNightmare update is causing a lot of problems with network printers <P>Dears,<BR />the latest Windows updates is causing a lot of problems with network printers mapped on a print server.</P><P>Reference:<BR /><A title="Manage new Point and Print default driver installation 
behavior" href="#" target="_blank" rel="noopener">Manage new Point and Print default driver installation behavior</A><BR /><A title="Managing deployment of Printer RPC binding changes for CVE-2021-1678 (KB4599464)" href="#" target="_self">Managing deployment of Printer RPC binding changes for CVE-2021-1678 (KB4599464)</A></P><P>The two recent patches (KB5004945, KB5004760, or KB5003690) causes these two main problems:<BR />1) unable for users without administrative rights to install new print drivers.<BR />The end user receive this error</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="johnfrank_0-1633019560736.png" style="width: 400px;"><img src=";px=400" role="button" title="johnfrank_0-1633019560736.png" alt="johnfrank_0-1633019560736.png" /></span></P><P>&nbsp;</P><P>2) unable to use the print server with the new registry key RpcAuthnLevelPrivacyEnabled<BR />**The system logs reports this error: 0x0000011b**</P><P>The two workarounds that you have to apply to survive and allow corporate users to be able to use the print server are:<BR />1) Even if you have a GPO with "Point and Print Restrictions=disabled", you have to apply this registry key to allow non administrative users to install the latest print drivers from the print server<BR /><EM><STRONG>HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint</STRONG></EM><BR /><EM><STRONG>RestrictDriverInstallationToAdministrators = 0</STRONG></EM></P><P>2) Apply this registry key to disable the new default settings related to the print spooler vulnerabilities</P><P><STRONG><EM>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print</EM></STRONG><BR /><STRONG><EM>RpcAuthnLevelPrivacyEnabled = 0</EM></STRONG></P><P><BR />The above workarounds are only a temporary solution to survive and allow users to print.<BR />What is unclear to me is what should be the right way to manage these settings in a corporate environment without any end user 
interaction.<BR />So, if I want to be protected and apply the recent security fixes without asking the end users to do something, what should I do?</P><P>Microsoft states that you need to set "RpcAuthnLevelPrivacyEnabled" to "1" on both Client and Print Server in order to be protected, but if you do this, you can't print.<BR />So, what should we do in a Corporate environment to be secure and print without any end user interaction about "driver installation" etc.?</P><P>Thanks in advance</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 30 Sep 2021 16:33:58 GMT johnfrank 2021-09-30T16:33:58Z Can NDES server for Windows Server 2019 hold two certificates? <DIV class=""><P>Hi,</P><P>&nbsp;</P><P>As we are migrating the server to Windows Server 2019, previously 2012 R2, we fear that the connecting devices will break in terms of the connectivity as we still require the devices to be still working with the 2012 R2 NDES setup before the migration.</P><P>&nbsp;</P><P class="">Thus, my question would be if we need to remove and add a new role for NDES (in which case, from my understanding, a new certificate is issued, which may break the connectivity) or we may do so in MMC &gt; Certificates &gt; Personal, and request new certificates?</P></DIV> Thu, 30 Sep 2021 13:32:08 GMT DanDen1 2021-09-30T13:32:08Z Windows Error 2147942403 <P>While applying Windows Patch KB5005573,&nbsp;I<SPAN>&nbsp;received an error code 2147942403 (installer encountered an error 0x8007003 the system cannot find the path specified windows 10)</SPAN></P><P>&nbsp;</P><P><SPAN>Running on a Windows server 2016</SPAN></P><P>&nbsp;</P><P><SPAN>Help?</SPAN></P> Wed, 29 Sep 2021 19:41:16 GMT rob2222 2021-09-29T19:41:16Z Getting different results with GPRESULT <P>Hello I have a question on running gpresult. We are starting an Inter-Forest migration of users and computers. 
After migrating my user account from the source domain to the target domain, I have run the <STRONG>gpresult /v /scope user</STRONG>&nbsp;from command prompt, and the results show that I am applying user GPO's from the target AD domain I am logging into now. BUT when I run <STRONG>gpresult /h filename.html</STRONG> it shows that I am applying user GPO's from my previous domain. I am showing the correct computer GPO's (target domain) running gpresult in both command prompt and html methods. I am confused about this and wondering if anyone else has run into this after migrating a user account from one domain to another.<BR /><BR />Thanks!</P> Wed, 29 Sep 2021 12:54:15 GMT charlie4872 2021-09-29T12:54:15Z Cannot access File Server (Windows Server 2019) from one workstation (Windows 10 Pro) <P>Hi everybody.</P><P>&nbsp;</P><P>I have a Small Business network with one file server and 5 workstations in a domain.&nbsp;There was a blackout and I've been experiencing some difficulties.&nbsp;</P><P>&nbsp;</P><P>Now, none of the Workstations can see the server on the network.&nbsp;The five workstations were configured with "map network drive" to access certain APPs to the server into the network.</P><P><BR />Four of the workstations can access the APPs, even though they can't see the server on the network.&nbsp;One in particular cannot access the APPs, nor see the server on the network.</P><P><BR />All workstations have Windows 10 Pro 64 bit, Norton antivirus and our file server is Windows Server 2019. I tried a few things suggested on the Internet but it didn't work.</P><P>&nbsp;</P><P>Please, I need your suggestions</P> Wed, 29 Sep 2021 04:14:58 GMT felias59 2021-09-29T04:14:58Z Anyone using Essential Role on Windows server 2016 Datacenter? <P>Hi,<BR /><BR />I have been trying to integrate Office 365 add in on Windows server 2016. 
But I am getting the following error repeatedly.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="there was an issue configuring the integration Windows server 2016.jpg" style="width: 622px;"><img src=";px=999" role="button" title="there was an issue configuring the integration Windows server 2016.jpg" alt="there was an issue configuring the integration Windows server 2016.jpg" /></span></P><P>&nbsp;</P><P>Server: Windows server 2016 Datacenter with Essential role Installed.&nbsp;<BR /><BR />I tried to create multiple VMs in Azure with&nbsp;Windows server 2016 Datacenter, when I try to integrate all of them are showing the same above error.</P><P>&nbsp;</P><P>Later I installed the Windows Server 2016 datacenter on local computer, here also getting the same above integration error?</P><P>&nbsp;</P><P>Does Windows server 2016 support integration with O365 and Azure?<BR /><BR />kindly help</P> Tue, 28 Sep 2021 15:15:11 GMT Mohammed Nihal Javeed Ahmed 2021-09-28T15:15:11Z ACTIVATING RD CALS LICENSE USING HOST SERVER <P>Hi I need help regarding with activating CAL License. I have read Microsoft documentation and bunch of videos but it just not. Here's the scenario and my question.</P><P>1. We have 3 new servers that will join in the existing domain. This "existing domain" has the RD CALS.</P><UL><LI>Is it possible to use this on 3 additional servers?&nbsp;</LI><LI>Do we need new Device CALS?</LI></UL><P>2. Those 3 servers has a new Volume license. But we want to use the license</P><UL><LI>do it has complication if it joining in the same server domain?</LI></UL><P>TYIA, I really appreciate your help.</P><P>&nbsp;</P> Tue, 28 Sep 2021 09:20:28 GMT Andrei_Topias 2021-09-28T09:20:28Z WSUS Console - Very Slow load of Synchronization History <P>Does anyone know how to speed up the load of the Synchronization history in the WSUS Console. even on Windows 2019 after running the community SUSDB maintenance scripts it takes minutes to load. 
Drives me nuts! :)</P> Mon, 27 Sep 2021 09:05:53 GMT shocko 2021-09-27T09:05:53Z Windows Server 2016 automatic Reboot with Event id 1001, BugCheck <P>Hi to all, sorry for my bad English.<BR />One of our servers is getting rebooted automatically with system event "The computer has rebooted from a bugcheck. The bugcheck was: 0x00000133 (0x0000000000000001, 0x0000000000001e00,&nbsp; 0xfffff80312a2d540, 0x0000000000000000,). A dump was saved in: C:\Windows\Minidump\090921-21031-01.dmp.Report id: 9776a020-534c-4f8d-96ea-9f943d7fba9e.</P><P>Server OS is: Windows Server 2016</P><P>and&nbsp;</P><P>Hardware support informs that there is no problem</P><P>&nbsp;</P><P>Could you please help to identify the issue?</P><P>Kevin</P> Mon, 27 Sep 2021 02:38:08 GMT KevinHsieh 2021-09-27T02:38:08Z Powershell - bulk decryption of files <P>Hi all,</P><P>&nbsp;</P><P>Hope someone with some scripting skills can help here.</P><P>&nbsp;</P><P>I'm using openssl to encrypt and decrypt files. I can decrypt single files via command line, but the problem comes when I try to bulk decrypt: using a wildcard like *.crypt in the command line doesn't work.&nbsp;</P><P>&nbsp;</P><P><SPAN>openssl.exe cms -decrypt -inkey C:/key.pem -recip C:/cert.pem -inform DER -in "E:/*.crypt" -out "E:/*.xml"</SPAN></P><P>&nbsp;</P><P><SPAN>I'm unable to find a parameter in openssl to do a bulk decrypt, s</SPAN>o I thought hey, I'll use PowerShell to decrypt each file, maybe something like</P><P>&nbsp;</P><P>$file = *.crypt</P><P>for each file in C:\folder\*.crypt</P><P>&nbsp; &nbsp; &nbsp;{&nbsp;</P><P>&nbsp; &nbsp; &nbsp; &lt;run command&gt; $file</P><P>&nbsp; &nbsp; &nbsp; }</P><P>&nbsp;</P><P>Can anyone help with how I can script this in PS or point me in the right direction? 
Or even tell me if this is even possible.</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P> Thu, 23 Sep 2021 21:27:48 GMT Chi_L 2021-09-23T21:27:48Z Windows Server 2016 - Search Indexing Issue <P>Hi to all&nbsp;</P><P>sorry for my bad English :)</P><P>&nbsp;</P><P>I have this issue with the Windows 2016 Search Indexing Service.</P><P>&nbsp;</P><P>So this is my scenario:</P><P>I've selected only 1 folder (Extra Start Menu) for search indexing: this folder is a specific folder "F:\FileServer\Documenti Aziendali".&nbsp;</P><P>Well, at this point the indexing service starts to index the folder, and the search from both SMB and direct Windows Explorer (of the server) works fine.</P><P><SPAN>At some undefined point (1 hour or 2 days later or ?), the searches return white file icon results (these are not clickable). (Attachment_1.png) both direct server and SMB.</SPAN></P><P>&nbsp;</P><P><SPAN>If I open the Search Indexing GUI, the folders are gone! (Attachment_2.png)</SPAN></P><P>&nbsp;</P><P>I can temporarily fix the problem by restarting the service or rebuilding the index (Attachment_3.png)</P><P>As long as the service returns the indexed folders, everything works. 
Conversely, I get white file icon results.</P><P>&nbsp;</P><P>EDIT: No Error or Significant Event in EventViewer :(&nbsp;</P><P>&nbsp;</P><P><SPAN>How can I resolve this?</SPAN></P><P>&nbsp;</P><P><SPAN>Thank you for support :)</SPAN></P><P>&nbsp;</P><P><SPAN>Federico</SPAN></P><P>&nbsp;</P> Thu, 23 Sep 2021 15:58:08 GMT Federico1985 2021-09-23T15:58:08Z Windows 2019 Primary WSUS Server - Supported Downstream Versions <P>Can a Windows 2019 WSUS server have a downstream Windows 2016/2012 R2 WSUS server?</P> Thu, 23 Sep 2021 12:40:31 GMT shocko 2021-09-23T12:40:31Z Change User Account Control setting under Windows Server 2016 <P>Hi, A new user has set but he requires an admin permission each time to open an App which is main one we use.&nbsp; To drop his Notify bar under admin login, it has only changed admin profile in this pc.&nbsp; To do it under user login, it has message as Only Admin allowed to make this change.&nbsp; Could not continue as I have the admin right.&nbsp; &nbsp;So, one way or other can not reach to it.&nbsp;&nbsp;</P><P>Any solution to fix?&nbsp; Thanks&nbsp;</P> Thu, 23 Sep 2021 01:52:39 GMT Jensen20 2021-09-23T01:52:39Z Offline Domain Controller - Security Strategy <P>Hi</P><P>&nbsp;</P><P>Wanted to start a discussion and pick thoughts on an old strategy of keeping a domain controller offline (disconnected from network or turned off) for 2-4 weeks as a backup apart from taking daily backups. Some choose delayed replication but it has its own drawbacks. What do you think?</P> Wed, 22 Sep 2021 22:28:01 GMT didentity 2021-09-22T22:28:01Z VM's are not pingable/traceable from Hyper-V host (and vice versa) <P>I have a fresh installation of 2019 Datacenter Hyper-V host (member of domain) with two VMs (all members of the same domain). 
The host has static IP, one VM has static IP the other DHCP (all have same GW, mask and DNS servers)</P><P>&nbsp;</P><P><STRONG>My problem is that the VM's are not pingable or traceable from the host (or vice versa) and the problem exists from day 1</STRONG></P><P>&nbsp;</P><P><STRONG>The same host and VMs are fully accessible and pingable from other PCs or servers on the same domain/network&nbsp; so the issue is clearly between the host and the VMs</STRONG></P><P>&nbsp;</P><P>The host has four physical NICs and all of them are members of the same NIC team</P><P>Both VMs are on the same Hyper-V vSwitch (external) and the vSwitch is connected to the team above</P><P>Windows firewall is disabled by domain GPO on all devices</P><P>&nbsp;</P> Wed, 15 Sep 2021 08:22:49 GMT Talws 2021-09-15T08:22:49Z Windows failed to apply the Deployed Printer Connections settings <P>Dears all,</P><P>&nbsp;</P><P>I have a problem in subject when use the command gpupdate on 
cmd.</P><P>I noted this error on all new computers that are configured in these days.</P><P>The new computers are Windows 10 21H1 and the printer server is Windows Server 2012 R2.&nbsp;</P><P>&nbsp;</P><P>Do you have any idea?</P><P>&nbsp;</P><P>Thanks for your help</P> Wed, 22 Sep 2021 15:51:33 GMT RiccaVannu 2021-09-22T15:51:33Z installing exe via gpo <P>Hi all,</P><P>&nbsp;</P><P>How do I deploy exe via gpo? I am trying to install Python but they only do EXEs now!</P><P>&nbsp;</P><P>Help!</P> Wed, 22 Sep 2021 11:20:03 GMT AB21805 2021-09-22T11:20:03Z Server 2019 no "Server Hello" when using TLS_RSA_WITH_AES_ ciphers (TLS1.2) schannel 36874 <P>Hi</P><P>Hoping someone might have come across something similar as the support forum entries are filled with irrelevant responses and tumbleweed.</P><P>&nbsp;</P><P>A recently migrated CA cluster is not sending any TLS conversation completion when the client uses a cipher from the TLS_RSA_WITH_AES_* type (so <SPAN>TLS_RSA_WITH_AES_128_CBC_SHA256 or similar). This also seems to be negatively impacting RPC certificate enrolment from Windows 7 systems.</SPAN></P><P>&nbsp;</P><P>Using Nartac tools and manually (double, triple, quadruple) checking the registry settings myself I can see that the ciphers are present in the list of supported/available ciphers. I can see that TLS1.2 is working. As soon as a client offers TLS_ECDH_* the server responds like an enthusiastic puppy. using TLS_RSA_WITH_AES_ it ignores the traffic (no server hello or attempt to negotiate) and logs&nbsp;Schannel Errors 36874 in the server event log.</P><P>I have verified this using wireshark on client and server.</P><P>&nbsp;</P><P>Whilst these are hosted in azure there shouldn't be any network layer kit interfering with the connection. There is a standard load balancer which single routes all traffic to the active AD CS cluster node. 
No inspection or TLS termination should be occurring.</P><P>&nbsp;</P><P>There are no GPOs controlling anything to do with TLS or communication security (checked with gpresult and gpmc, along with repeated verification of the registry settings)</P><P>&nbsp;</P><P>Has anyone seen anything like this before?&nbsp;</P><P>&nbsp;</P><P>Yes, I have been through the enabling TLS 1.2 articles a bajillion times and know where to enable TLS 1.2 for both Schannel and .NET</P><P>&nbsp;</P><P>In need of more straws to clutch at.</P><P>&nbsp;</P> Mon, 20 Sep 2021 17:05:43 GMT Peter Holland 2021-09-20T17:05:43Z How to stop users creating shortcuts <P>Hi,</P><P>&nbsp;</P><P>Is it possible to stop users creating their own shortcuts?&nbsp;</P><P>&nbsp;</P><P>Please help!</P> Fri, 17 Sep 2021 14:36:26 GMT AB21805 2021-09-17T14:36:26Z Connecting Windows server Std to an existing domain require cals? <P>Connecting Windows Server Std to an existing domain with Windows Server Essentials, only to be a file server, do I need a license (CALs) for Windows Server Std or does Server Essentials manage the accesses?</P> Fri, 17 Sep 2021 14:21:38 GMT JorgeAssuncao 2021-09-17T14:21:38Z Logon to Domain Controllers <P>We had 3 Windows 2012 Domain Controllers with many Windows 7 and Windows 10 clients.<BR />I have created 2 more domain controllers recently and notice no users are logging in to the new ones. Even users local to these DCs are logging in to remote location Domain Controllers. The new DCs' subnet is added in AD. How can I force users to log on to the local DCs? 
is there any metrics I need to change OR How can I setup priority/weight in AD for these DCs to change logon priorities ?</P> Thu, 16 Sep 2021 15:53:56 GMT Bundoo 2021-09-16T15:53:56Z Resolution of Active Directory Replication Error 8606 &1988 <P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P><SPAN><STRONG>Scenario</STRONG></SPAN></P><P><STRONG>&nbsp;</STRONG></P><P><SPAN>DC is Virtualized in&nbsp;VMware, I got it restored from Veeam backup, meaning it is not in the current state, that caused <A href="#" target="_blank" rel="noopener">Active Directory</A> Broken, how could I get it fixed? I forced replication between 2 DCs it failed. Here and there we&nbsp;got&nbsp;several&nbsp;PCs that&nbsp;have the error:</SPAN><SPAN>&nbsp;</SPAN></P><P><SPAN>“The trust relationship between this Workstation and the primary Domain failed”</SPAN><SPAN>&nbsp;</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>Based on above use case, identified certain errors.</SPAN></P><P>&nbsp;</P><P><SPAN><STRONG>&nbsp;</STRONG></SPAN></P><P><SPAN><STRONG>Investigation</STRONG></SPAN></P><P>&nbsp;</P><P><SPAN>So&nbsp;first,&nbsp;a piece of advice&nbsp;that,&nbsp;you&nbsp;should never restore a domain controller in a multi-domain controller environment.&nbsp;Instead, you should stand up a new DC and start replication, it will take time but will replicate from a fully healthy DC.</SPAN><SPAN>&nbsp;</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>Then&nbsp;we ran the&nbsp;below command-lets&nbsp;and collected the logs for review.</SPAN><SPAN>&nbsp;</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>Dcdiag&nbsp;/v /c /d /e /s:%computername% &gt;C:\dcdiag.log</SPAN><SPAN>&nbsp;</SPAN></P><P><SPAN>repadmin&nbsp;/showrepl&nbsp;&gt;C:\repl.txt</SPAN><SPAN>&nbsp;</SPAN></P><P><SPAN>ipconfig /all &gt; C:\dc1.txt</SPAN><SPAN>&nbsp;</SPAN></P><P><SPAN>ipconfig /all &gt; C:\dc2.txt</SPAN><SPAN>&nbsp;</SPAN></P><P><SPAN>ipconfig /all &gt; 
C:\problemworkstation.txt</SPAN><SPAN>&nbsp;</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN><STRONG>Errors Observed in DC Diagnostic Report &amp; Replication Summary</STRONG></SPAN></P><P><SPAN><STRONG>&nbsp;</STRONG></SPAN></P><P><SPAN>We found following two errors in DC diagnostic report and Replication summary</SPAN><SPAN>&nbsp;:</SPAN></P><P>&nbsp;</P><UL><LI><SPAN><STRONG>Active Directory Replication Error 8606</STRONG></SPAN><SPAN><STRONG>:</STRONG></SPAN><SPAN> Insufficient attributes were given to create an object.</SPAN><SPAN>&nbsp;</SPAN></LI><LI><SPAN><STRONG>Active Directory Replication Error 1988:</STRONG></SPAN><SPAN> The local domain controller has attempted to replicate the following object from the following source domain controller. This object is not present on the local domain controller because it may have been deleted and already garbage collected.</SPAN><SPAN>&nbsp;</SPAN></LI></UL><P><SPAN><STRONG>&nbsp;</STRONG></SPAN></P><P><SPAN><STRONG>&nbsp;</STRONG></SPAN></P><P><SPAN><STRONG>Logging Conditions for Error 8606 </STRONG></SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>Upon further research, we found out that&nbsp;Error 8606 is logged when the following conditions are true:</SPAN><SPAN>&nbsp;</SPAN></P><P>&nbsp;</P><UL><LI><SPAN>A source domain controller sends an update to an object (instead of an originating object create) that has already been created, deleted, and then reclaimed by garbage collection from a destination domain controller's copy of Active Directory.</SPAN><SPAN>&nbsp;</SPAN></LI></UL><P>&nbsp;</P><UL><LI><SPAN>The destination domain controller was configured to run in strict replication consistency.</SPAN><SPAN>&nbsp;</SPAN></LI></UL><P><SPAN>&nbsp;</SPAN></P><P><STRONG>Cause of Error 8606</STRONG></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>The error is caused by one of the following:</SPAN><SPAN>&nbsp;</SPAN></P><P>&nbsp;</P><UL><LI><SPAN>A permanently lingering object whose removal will require admin 
intervention</SPAN><SPAN>.</SPAN></LI></UL><P>&nbsp;</P><UL><LI><SPAN>A transient lingering object that will correct itself when the source domain controller performs its next garbage-collection cleanup. Introduction of the first domain controller in an existing forest and updates to the partial attribute set are known causes of this condition.</SPAN><SPAN>&nbsp;</SPAN></LI></UL><P>&nbsp;</P><UL><LI><SPAN>An object that was undeleted or restored at the cusp of tombstone lifetime expiration</SPAN><SPAN>.</SPAN></LI></UL><P>&nbsp;</P><P>&nbsp;</P><P><STRONG>Key Points to Remember for Troubleshooting Error 8606</STRONG></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>When you troubleshoot 8606 errors, think about the following points:</SPAN><SPAN>&nbsp;</SPAN></P><P>&nbsp;</P><UL><LI><SPAN>Although error 8606 is logged on the destination domain controller, the problem object that is blocking replication resides on the source domain controller. Additionally, the source domain controller or a transitive replication partner of the source domain controller potentially did not inbound-replicate knowledge of a deleted tombstone lifetime number of days in the past.</SPAN><SPAN>&nbsp;</SPAN></LI></UL><P>&nbsp;</P><UL><LI><SPAN>Remember to search for potentially lingering objects by object GUID versus DN path so that objects can be found regardless of their host partition and parent container. Searching by&nbsp;objectguid&nbsp;will also locate objects that are in the deleted objects container without using the deleted objects LDAP control.</SPAN><SPAN>&nbsp;</SPAN></LI></UL><P>&nbsp;</P><UL><LI><SPAN>The NTDS Replication 1988 event identifies only the current object on the source domain controller that is blocking incoming replication by a strict mode destination domain controller. 
There are likely additional objects "behind" the object that is referenced in the 1988 event that is also lingering.</SPAN><SPAN>&nbsp;</SPAN></LI></UL><P>&nbsp;</P><UL><LI><SPAN>The presence of lingering <A href="#" target="_blank" rel="noopener">objects on a source domain controller</A> prevents or blocks strict mode destination domain controllers from&nbsp;inbound replicating&nbsp;"good" changes that exist behind the lingering object in the replication queue.</SPAN><SPAN>&nbsp;</SPAN></LI></UL><P>&nbsp;</P><UL><LI><SPAN>Because of the way that domain controllers individually delete objects from their deleted object containers (the garbage-collection daemon runs every 12 hours from the last time each domain controller last started), the objects that are causing 8606 errors on destination domain controllers could be subject to removal in the next garbage-collection cleanup execution. Lingering objects in this class are transient and should remove themselves in no more than 12 hours from problem start.</SPAN><SPAN>&nbsp;</SPAN></LI></UL><P>&nbsp;</P><UL><LI><SPAN>The lingering object in question is likely one that was intentionally deleted by an administrator or application. Factor this into your resolution plan, and beware of reanimating objects, especially security principals that were intentionally deleted. 
</SPAN><SPAN>&nbsp;</SPAN></LI></UL><P><SPAN>&nbsp;</SPAN></P><P><SPAN><STRONG>Resolution</STRONG></SPAN></P><P><STRONG>&nbsp;</STRONG></P><P><SPAN>For our need,&nbsp;to check the replication status between only 2 DCs (the affected one and a healthy one),&nbsp;we also tried disabling “Strict Replication Consistency”,&nbsp;the setting that prevents destination domain controllers from replicating in lingering objects. However, it is highly recommended not to disable “Strict Replication Consistency”:&nbsp;there is a risk that lingering objects could be replicated to one or many domain controllers where this setting is not enabled.&nbsp;</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>Reference Microsoft Documentation for enabling this setting:</SPAN></P><P>&nbsp;</P><P><A href="#" target="_blank" rel="noopener"><SPAN></SPAN></A><SPAN>&nbsp;</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>As an actual fix, we have to remove the lingering objects from the recovered DC for smooth replication.&nbsp;While many methods exist to remove lingering objects, there are&nbsp;two&nbsp;primary tools commonly used: Lingering Object Liquidator (LoL) and repadmin.exe.</SPAN></P><P>&nbsp;</P><UL><LI><SPAN><STRONG>Lingering Object Liquidator (LoL)</STRONG></SPAN><SPAN>&nbsp;</SPAN></LI></UL><P>&nbsp;</P><P><SPAN>The easiest method to clean up lingering objects is to use&nbsp;LoL. The&nbsp;LoL&nbsp;tool was developed to help automate the cleanup process against an Active Directory forest. The tool is GUI-based and can scan the current Active Directory forest and detect and clean up lingering objects. 
</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>The tool is available on&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN>Microsoft Download Center</SPAN></A><SPAN>.</SPAN><SPAN>&nbsp;</SPAN></P><P>&nbsp;</P><UL><LI><SPAN><STRONG>Repadmin.exe</STRONG></SPAN></LI></UL><P>&nbsp;</P><P><SPAN>The following command in REPADMIN.EXE can remove lingering objects from directory partitions:</SPAN><SPAN>&nbsp;</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN><STRONG>Repadmin.exe /RemoveLingeringObjects</STRONG></SPAN></P><P><STRONG>&nbsp;</STRONG></P><P><SPAN>Repadmin /RemoveLingeringObjects can be used to remove lingering objects from writable and read-only directory partitions on source domain controllers. The syntax is as follows:</SPAN><SPAN>&nbsp;</SPAN></P><P><SPAN>c:\&gt;repadmin /removelingeringobjects&nbsp;&lt;Dest_DSA_LIST&gt; &lt;Source DSA GUID&gt; &lt;NC&gt; [/ADVISORY_MODE]</SPAN><SPAN>&nbsp;</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>Where:</SPAN><SPAN>&nbsp;</SPAN></P><P><SPAN>&nbsp;</SPAN></P><UL><LI><SPAN><STRONG>&lt;Dest_DSA_LIST&gt;</STRONG></SPAN><SPAN> is the name of a domain controller that contains lingering objects (such as the source domain controller that is cited in the NTDS Replication 1988 event).</SPAN><SPAN>&nbsp;</SPAN></LI></UL><P>&nbsp;</P><UL><LI><SPAN><STRONG>&lt;Source DSA GUID&gt;</STRONG></SPAN><SPAN> is the name of a domain controller that hosts a writable copy of the directory partition that contains lingering objects to which the domain controller in &lt;Dest_DSA_LIST&gt; has network connectivity. 
The DC to be cleaned up (first DC specified in the command) must be able to connect directly to port 389 on the DC that hosts a writable copy of the directory partition (specified second in the command).</SPAN><SPAN>&nbsp;</SPAN></LI><LI><SPAN><STRONG>&lt;NC&gt;</STRONG></SPAN><SPAN> is the DN path of the directory partition that is suspected of containing lingering objects, such as the partition that is specified in a 1988 event.</SPAN><SPAN>&nbsp;</SPAN></LI></UL><P><SPAN>&nbsp;</SPAN></P><P><SPAN><STRONG>Monitoring Active Directory Replication Health Daily</STRONG></SPAN><SPAN>&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>If error 8606 / Event 1988 was caused by the domain controller's failing to replicate Active Directory changes in the last tombstone lifetime number of days, make sure that Active Directory replication health is being monitored on a day-to-day basis going forward. Replication health may be monitored by using a dedicated monitoring application or, as one inexpensive but effective option, by viewing the output of the "repadmin&nbsp;/showrepl&nbsp;* /csv" command in a spreadsheet application such as Microsoft Excel.&nbsp;</SPAN><SPAN>&nbsp;</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>Thus, keeping tabs on Active Directory Health overall is significant. In order to do that, it's important for an IT Professional to have an understanding of&nbsp;<A href="#" target="_blank" rel="noopener">How to define Active Directory Health</A>.</SPAN></P><P>&nbsp;</P> Wed, 15 Sep 2021 20:53:52 GMT aliat_IMANAMI 2021-09-15T20:53:52Z How to continue to receive monthly updates for Windows Server 2019 Version 1809? <P>Is it possible to still download monthly updates for Windows Server 2019 Version 1809? 
If not, is it possible to upgrade in place from Version 1809 to Version 20H2?&nbsp;</P><P>&nbsp;</P><P>Thanks.</P> Wed, 15 Sep 2021 17:59:17 GMT WilliamJin 2021-09-15T17:59:17Z Unable to Print after installing 2021-09 Cumulative Update (KB5005573) <P>Anyone else having user print issues after installing this update on a Windows Server 2016 Standard? We can send jobs to the spooler just fine from the server itself, but a user submitted job is just simply terminated. Problem started happening after installation. We've removed the update on 1 server to test, and it appears that jobs are now printing again properly. Problem is, it's been installed many servers. We will likely uninstall update to remedy issue, but that's not a real solution.</P><P>&nbsp;</P><P>Thanks,</P><P>Michael</P> Wed, 15 Sep 2021 17:29:12 GMT mramaley 2021-09-15T17:29:12Z Windows Server 2012 R2 AD suspect user profile crash (Icons Disappear, Windows button no response) <P>Hello All,</P><P>&nbsp;</P><P>Our company using Windows Server 2012 R2, and setup AD in this server.</P><P>&nbsp;</P><P>All user using Remote Desktop to sign in this server.</P><P>&nbsp;</P><P>One of user find all icons disappear after login to AD server by remote desktop, Windows logo no response, and system tray is empty. 
But through Administrator profile to check this user found all icons still in it's profile.</P><P>&nbsp;</P><P>This issue happen twice in 3 months time.</P><P>&nbsp;</P><P>My solution is create new account and copy all files to new account but we would like to check is it possible to fix this issue.</P><P>&nbsp;</P><P>thanks</P><P>&nbsp;</P><P>Jason</P> Wed, 15 Sep 2021 03:48:22 GMT JasonMobi 2021-09-15T03:48:22Z No network for Server 2022 in Hyper-v with 2012R2 host <P>Greetings,</P><P>I'm having network issues running virtual Server 2022 in Hyper-V with a Server 2012 host.&nbsp;</P><P>Neither of my two Server 2022&nbsp;VM's have any network connection...?</P><P>First one was an upgrade from (a working) Server 2016 and second a clean install.</P><P>&nbsp;</P><P>The Hyper-V host in question has multiple VM's ( 2008 -&gt; 2019 + Linux ) and none of them have any network issues, only the newly added 2022's.&nbsp;I also tried to set static ip, but no go...same problem.</P><P>&nbsp;</P><P>And yes, the 2022's use the same virtual switch as the working ones.</P><P>&nbsp;</P><P>I can see in the dhcp-server (running wireshark) that the failing servers are sending DHCP Discover(s), and the dhcp-server replying with Offer(s) but the 2022's ignores these requests.</P><P>&nbsp;</P><P>Interestingly, when running a virtual 2022 in a Win10 Hyper-V is works...</P><P>&nbsp;</P><P>So, known feature or..?</P><P>/Bjarne</P> Wed, 15 Sep 2021 13:56:09 GMT Bjarne_Ingelsson 2021-09-15T13:56:09Z File hash for ISO downloads (server SW - Where are they?) <P>For the life of me, I can not understand why there is nothing posted on the downloads page(s) for windows server regarding verification of the download.&nbsp; Not even an MD5.&nbsp;</P><P>&nbsp;</P><P>This day in age we need more security, and the most basic thing is missing from what is critical. 
I understand MS does not like to use public certificates as they use signatures for their products.&nbsp; However, that is AFTER the file has been downloaded, and opened.&nbsp;</P><P>&nbsp;</P><P>I'm trying to verify Server software.&nbsp; This is mean to be at the center of business.&nbsp; Why is there not more professionals demanding MS correct this problem. I know it's has been going around for a while, and I haven't had a need to download server software for many years so I had no idea of the change.&nbsp; Can someone tell me where to find a file hash from the microsoft domain?&nbsp; I have already seen 3rd-party, but those can not be trusted.</P><P>&nbsp;</P><P>Frustrated!</P><P>&nbsp;</P> Wed, 15 Sep 2021 05:51:25 GMT Bobby75 2021-09-15T05:51:25Z SSPI handshake failed with error code 0x80090311 <P>The full error I'm getting:</P><P>SSPI handshake failed with error code 0x80090311, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure. No authority could be contacted for authentication.</P><P>&nbsp;</P><P>I was configuring a new server as a 2019 Domain Controller to replace a 2008 R2 one. In addition I have two other DC's for a total of 3. All in different sites.</P><P>&nbsp;</P><P>One with all FSMO roles which is what is referred to as PDC back in the day running 2012 R2. The other running Windows Server 2019 and now the new one that I mentioned above that replaced the 2008 R2 also running 2019.</P><P>&nbsp;</P><P>The problem I ran into is that I forgot to raise the domain functional level from 2008 R2 to 2012 R2 before I demoted it. 
Once that happened I started to receive errors from a couple of servers regarding the SSPI handshake and after researching this, I found that it's most likely or I can honestly say it's probably close to 100% that what I did caused this error.</P><P>&nbsp;</P><P>So, I took the same server and brought it back to 2008 R2 Domain Controller status but what's weird is that even prior to completing this task, the errors seemed to stop...but accessing some of our applications didn't work until I fully brought it back.</P><P>&nbsp;</P><P>My goal is to raise the domain functional level to 2012 R2 then test to make sure that the new DC in that site works for authentication of the SQL and application servers running there. I was wondering if shutting down the 2008 R2 DC temporarily and monitoring to make sure no errors are thrown is a good way to make sure my environment is ready to demote the 2008 R2 DC once and for all?</P><P>&nbsp;</P><P>I appreciate any help I can get and thanks in advance!</P> Tue, 14 Sep 2021 19:46:58 GMT A-CAST 2021-09-14T19:46:58Z Certificate Enrollment Policy <P>Hello I have a question about Certificate Enrollment Policies. I am seeing two different policies on two different computers and not sure why. Both users are logged into the same domain but when I go to request a certificate from UserA using the certmgr.msc console I see "Configured by your Administrator" Active Directory Enrollment Policy ID: xxxxx-xxxx-xxxx etc.. on one computer and am able to see certificate templates listed.<BR /><BR />When I log on as UserB on a different computer using certmgr.msc console I see&nbsp;"Configured by your Administrator" Active Directory Enrollment Policy ID: yyyyyy-yyyyyy-yyyyy etc.. and I don't see ANY certificate templates listed.<BR /><BR />Both users and the computers they are logging into are on the same domain but receiving two different Enrollment Policy ID's. Could someone help me out on why that would be? 
It is driving me crazy and need to figure this out so I can request certificates using the certmgr.msc&nbsp;<BR /><BR />Thanks in advance!!</P> Tue, 14 Sep 2021 18:22:47 GMT charlie4872 2021-09-14T18:22:47Z Windows Server 2012 R2 AD suspect user profile crash (Icons Disappear, Windows button no response) <P>Hello All,</P><P>&nbsp;</P><P>Our company using Windows Server 2012 R2, and setup AD in this server.</P><P>&nbsp;</P><P>All user using Remote Desktop to sign in this server.</P><P>&nbsp;</P><P>One of user find all icons disappear after login to AD server by remote desktop, Windows logo no response, and system tray is empty. But through Administrator profile to check this user found all icons still in it's profile.</P><P>&nbsp;</P><P>This issue happen twice in 3 months time.</P><P>&nbsp;</P><P>My solution is create new account and copy all files to new account but we would like to check is it possible to fix this issue.</P><P>&nbsp;</P><P>thanks</P><P>&nbsp;</P><P>Jason</P> Tue, 14 Sep 2021 08:11:47 GMT JasonMobi 2021-09-14T08:11:47Z Corrupted Mainfests/Payloads Windows Updates Server 2016 0x80073712 <P>I have tried dism, sfc scans to no avail. Cumulative updates have been failing since january. I tracked the update (KB4530689) related to the corruptions by looking at the registry (components hive). From what I understand, you can get the manifests/payload in their respective KB by extracting them.&nbsp; Sadly, I cannot download this particular KB in Microsoft's catalog site.&nbsp;<BR /><BR />I'd like to avoid reinstalling ang migrating stuff as much as possible. any ideas?&nbsp;</P> Tue, 14 Sep 2021 06:18:06 GMT musashiro 2021-09-14T06:18:06Z some settings are managed by your organization <P>I'm using windows server 2019 and dc. My all the workstation showing this message and not able to do a windows update, not enable remote deskop too. 
Please assist</P> Tue, 14 Sep 2021 05:43:45 GMT nsenthilmurugan 2021-09-14T05:43:45Z Windows Server Summit: Last chance to register for September 16 <P>Explore the latest Windows Server capabilities—and take your first in-depth look at Windows Server 2022. Discover how to support and enhance your current investments with the newest Windows Server innovations and updates—presented by technical product experts. Learn how to:</P> <P>&nbsp;</P> <UL> <LI>Simplify IT management with hybrid cloud solutions.</LI> <LI>Deploy modern Windows Server apps with Azure Kubernetes Service on Azure Stack HCI.</LI> <LI>Modernize server management with Microsoft System Center and Azure Arc.</LI> </UL> <P>&nbsp;</P> <P>You’ll also be able to ask the experts your Windows Server questions during the live Q&amp;A.</P> <P>&nbsp;</P> <P><A href="#" target="_self">Register now &gt;</A></P> <P>&nbsp;</P> <P><STRONG>Windows Server Summit</STRONG></P> <P>Thursday, September 16, 2021</P> <P>10:00 AM–11:30 AM Pacific Time</P> Fri, 10 Sep 2021 18:59:49 GMT David_Ellis 2021-09-10T18:59:49Z LDAP over SSL using third party SSL <P>I configured LDAP on a Windows 2016 DC and during setup I selected default port 50001 for SSL. After installing third party SSL I can only connect to LDAP over SSL on default port 636 but not on port 50001. 
I had another test server where I configured MS CA when I do test on port 50001, I can see the name of LDAP service in details, but on the production server even when I connect on port 636 I can't see the LDAP service that I created during setup.</P><P>&nbsp;</P><P>During the setup I selected Network Service and the event logs it also show following warning:</P><P>&nbsp;</P><P>Log Name: ADAM (LDAPoverSSL)<BR />Source: ADAM [LdapOverSSL] General<BR />Date: 10/09/2021 6:10:15 AM<BR />Event ID: 2537<BR />Task Category: Internal Processing<BR />Level: Warning<BR />Keywords: Classic<BR />User: ANONYMOUS LOGON<BR />Computer:<BR />Description:<BR />The directory server has failed to create the AD LDS serviceConnectionPoint object in Active Directory Lightweight Directory Services. This operation will be retried.<BR /><BR />Additional Data<BR />SCP object DN:<BR />CN={097b461d-5f8b-45b7-bc46-9fc7da18a2c0},CN=DC3,OU=Domain Controllers,DC=,DC=com,DC=au<BR />Error value:<BR />5 Access is denied.<BR />Server error:<BR />00000005: SecErr: DSID-03152870, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0<BR /><BR />Internal ID:<BR />33903ab<BR />AD LDS service account:<BR />NT AUTHORITY\NETWORK SERVICE<BR /><BR />User Action<BR />If AD LDS is running under a local service account, it will be unable to update the data in Active Directory Lightweight Directory Services. 
Consider changing the AD LDS service account to either NetworkService or a domain account.<BR /><BR />If AD LDS is running under a domain user account, make sure this account has sufficient rights to create the serviceConnectionPoint object.<BR /><BR />ServiceConnectionPoint object publication can be disabled for this instance by setting msDS-DisableForInstances attribute on the SCP publication configuration object.<BR />Event Xml:<BR />&lt;Event xmlns="<A href="#" target="_blank" rel="noopener"></A>"&gt;<BR />&lt;System&gt;<BR />&lt;Provider Name="ADAM [LdapOverSSL] General" /&gt;<BR />&lt;EventID Qualifiers="32768"&gt;2537&lt;/EventID&gt;<BR />&lt;Level&gt;3&lt;/Level&gt;<BR />&lt;Task&gt;9&lt;/Task&gt;<BR />&lt;Keywords&gt;0x80000000000000&lt;/Keywords&gt;<BR />&lt;TimeCreated SystemTime="2021-09-09T20:10:15.755562400Z" /&gt;<BR />&lt;EventRecordID&gt;1064&lt;/EventRecordID&gt;<BR />&lt;Channel&gt;ADAM (LDAPoverSSL)&lt;/Channel&gt;<BR />&lt;Computer&gt;;/Computer&gt;<BR />&lt;Security UserID="S-1-5-7" /&gt;<BR />&lt;/System&gt;<BR />&lt;EventData&gt;<BR />&lt;Data&gt;CN={097b461d-5f8b-45b7-bc46-9fc7da18a2c0},CN=DC3,OU=Domain Controllers,DC=mydomain,DC=com,DC=au&lt;/Data&gt;<BR />&lt;Data&gt;5&lt;/Data&gt;<BR />&lt;Data&gt;Access is denied.&lt;/Data&gt;<BR />&lt;Data&gt;00000005: SecErr: DSID-03152870, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0<BR />&lt;/Data&gt;<BR />&lt;Data&gt;33903ab&lt;/Data&gt;<BR />&lt;Data&gt;NT AUTHORITY\NETWORK SERVICE&lt;/Data&gt;<BR />&lt;/EventData&gt;<BR />&lt;/Event&gt;</P><P>&nbsp;</P><P><BR />Error when connecting through LDP.exe using port 50001<BR />0x0 = ldap_unbind(ld);<BR />ld = ldap_sslinit("", 50001, 1);<BR />Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);<BR />Error 81 = ldap_connect(hLdap, NULL);<BR />Server error: &lt;empty&gt;<BR />Error &lt;0x51&gt;: Fail to connect to</P><P><BR />Event Log when connecting through port 50001<BR />Log Name: System<BR />Source: Schannel<BR />Date: 10/09/2021 3:42:22 
PM<BR />Event ID: 36870<BR />Task Category: None<BR />Level: Error<BR />Keywords:<BR />User: SYSTEM<BR />Computer:<BR />Description:<BR />A fatal error occurred when attempting to access the TLS server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001.<BR />Event Xml:<BR />&lt;Event xmlns="<A href="#" target="_blank" rel="noopener"></A>"&gt;<BR />&lt;System&gt;<BR />&lt;Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" /&gt;<BR />&lt;EventID&gt;36870&lt;/EventID&gt;<BR />&lt;Version&gt;0&lt;/Version&gt;<BR />&lt;Level&gt;2&lt;/Level&gt;<BR />&lt;Task&gt;0&lt;/Task&gt;<BR />&lt;Opcode&gt;0&lt;/Opcode&gt;<BR />&lt;Keywords&gt;0x8000000000000000&lt;/Keywords&gt;<BR />&lt;TimeCreated SystemTime="2021-09-10T05:42:22.597896600Z" /&gt;<BR />&lt;EventRecordID&gt;22350&lt;/EventRecordID&gt;<BR />&lt;Correlation ActivityID="{307C8C55-9B87-0002-638C-7C30879BD701}" /&gt;<BR />&lt;Execution ProcessID="812" ThreadID="2716" /&gt;<BR />&lt;Channel&gt;System&lt;/Channel&gt;<BR />&lt;Computer&gt;;/Computer&gt;<BR />&lt;Security UserID="S-1-5-18" /&gt;<BR />&lt;/System&gt;<BR />&lt;EventData&gt;<BR />&lt;Data Name="Type"&gt;server&lt;/Data&gt;<BR />&lt;Data Name="ErrorCode"&gt;0x8009030d&lt;/Data&gt;<BR />&lt;Data Name="ErrorStatus"&gt;10001&lt;/Data&gt;<BR />&lt;/EventData&gt;<BR />&lt;/Event&gt;</P><P>&nbsp;</P> Fri, 10 Sep 2021 05:45:38 GMT Arif_Shaikh 2021-09-10T05:45:38Z AD broken <P>Hi All,</P><P>&nbsp;</P><P>DC is Virtualized in vmware, I got it restored from Veeam backup, meaning it is not in the current state, that caused AD broken, how could I get it fixed?&nbsp;</P><P>I forced replication between 2 DCs it failed. 
Here and there we got a number of PCs that have the error:</P><DIV><STRONG>The trust relationship between this Workstation and the primary Domain failed</STRONG></DIV><DIV>Any help/ advice would be appreciated.</DIV><DIV>Cheers</DIV><DIV>&nbsp;</DIV> Fri, 10 Sep 2021 04:43:19 GMT Dzung Vu 2021-09-10T04:43:19Z Server 2022 KMS host key bug; Can't activate Win10 Enterprise LTSB/LTSC <P>We recently dropped our new Server 2022 KMS host key onto our KMS server. After the necessary update to accept the 2022 key and activating the new 2022 host key, we were able to activate our most common OS types in a quick test afterward -- Win10 Education 21H1, Server 2022, Server 2019, etc.</P><P><BR />In the next few days, and even more today, we've been getting reports that Win10 Enterprise LTSB/LTSC&nbsp; across some signage devices and laboratory machines stopped activating. Sure enough, I could reproduce the issue from a known good network.</P><P><BR />Just this morning I spun up entirely fresh VMs and verified all the above is still reproducible with the following results:</P><P>&nbsp;</P><P>Windows Server 2022 = Successfully activated</P><P>Windows Server 2019 = Successfully activated</P><P>Windows Server 2016 = Successfully activated</P><P>Windows 10 Education 21H1 = Successfully activated</P><P><U>Windows 10 Enterprise LTSC 2019 = FAILED ACTIVATION</U> (0xC004F074: License server reported that the computer could not be activated.)</P><P><U>Windows 10 Enterprise 2016 LTSB = FAILED ACTIVATION</U> (0xC004F074: License server reported that the computer could not be activated.)</P><P>Windows 10 Enterprise 2015 LTSB = Successfully activated (odd, after the previous two)</P><P>Windows 8.1 Enterprise = Successfully activated</P><P>Windows 7 Enterprise = Successfully activated</P><P><BR />Anyone else seeing this or could possibly test and confirm? I feel like this **has** to be a bug with 2022 host keys, but it's so new that I can't find anyone else in the same boat. 
I have a Premier ticket open for this.</P> Tue, 14 Sep 2021 16:31:09 GMT ajc196 2021-09-14T16:31:09Z Incorrect Administrator Password on Windows Server 2016 <P>hi,</P><P>&nbsp;</P><P>Recently, i have changed my administrator password on the windows server 2016. I have logged in to the server few times. However, yesterday, I couldn't log in any more. what can i do?&nbsp;</P><P>&nbsp;</P><P>Anna</P> Fri, 27 Aug 2021 05:43:02 GMT annacheungsk 2021-08-27T05:43:02Z WSUS 0x80244022 <P>Hi,</P><P>&nbsp;</P><P>We deploy a WSUS server using Windows Server 2019 (version 1809) with latest updates. Some Windows 10 clients are not reporting to WSUS and show an 0x80244022 error when you try to check updates manually.</P><P>&nbsp;</P><P>WSUS services has 10.0.17763.1.</P><P>This is our GPO:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mgfeal_0-1631177460146.png" style="width: 999px;"><img src=";px=999" role="button" title="mgfeal_0-1631177460146.png" alt="mgfeal_0-1631177460146.png" /></span></P><P>&nbsp;</P><P>Some Windows 10 clients receive this GPO and we found all keys at registry:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mgfeal_1-1631177758751.png" style="width: 999px;"><img src=";px=999" role="button" title="mgfeal_1-1631177758751.png" alt="mgfeal_1-1631177758751.png" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mgfeal_2-1631177809551.png" style="width: 999px;"><img src=";px=999" role="button" title="mgfeal_2-1631177809551.png" alt="mgfeal_2-1631177809551.png" /></span></P><P>&nbsp;</P><P>We modify IIS this pool: 'WsusPool'</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mgfeal_3-1631178054186.png" style="width: 999px;"><img src=";px=999" role="button" title="mgfeal_3-1631178054186.png" alt="mgfeal_3-1631178054186.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P><span 
class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mgfeal_4-1631178073395.png" style="width: 999px;"><img src=";px=999" role="button" title="mgfeal_4-1631178073395.png" alt="mgfeal_4-1631178073395.png" /></span></P><P>&nbsp;</P><P>But they show the same errors.</P><P>We try to delete 'SoftwareDistribution' folder, wuauclt /reportnow command and more without success.</P><P>&nbsp;</P><P>I try to search updates in a computer (Windows 10 21H1). Attached are the wsus client logs.</P><P>It shows that <A href="#" target="_blank" rel="noopener"></A> is overloaded and it takes an 503 code. But if I try to connect to this URL, it works.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mgfeal_5-1631179829968.png" style="width: 999px;"><img src=";px=999" role="button" title="mgfeal_5-1631179829968.png" alt="mgfeal_5-1631179829968.png" /></span></P><P>&nbsp;</P><P>Anyone can help us?</P><P>Thanks!</P> Thu, 09 Sep 2021 09:32:05 GMT mgfeal 2021-09-09T09:32:05Z Understanding Windows Update Services Product categories for Windows Server 2022 and Azure Stack HCI <P>The new Server 2022 LTSC has arrived. And it is a great release.<BR />Some customers still struggle to find their SA benefits and ISOs / licenses and RDSH licenses in VLSC, but it is officially released. 
If you miss to find it contact the VLSC support via phone.</P><P>&nbsp;</P><P>The Microsoft Teams have written excellent and brief blogs about the news in Storage, SMB, Security and other topics, you can find on<BR /><BR /><BR /><STRONG>Unrelated to this topic, links to <U>some</U>&nbsp;key improvements of Windows Server 2022 LTSC:</STRONG><BR /><BR /><A href="" target="_blank" rel="noopener">Windows Server 2022 Security Baseline - Microsoft Tech Community</A><BR /><A href="" target="_blank" rel="noopener">Enabling HTTP/3 support on Windows Server 2022 - Microsoft Tech Community</A><BR /><A href="" target="_blank" rel="noopener">Storage Innovations in Windows Server 2022 - Microsoft Tech Community</A><BR /><A href="" target="_blank" rel="noopener">SMB over QUIC is now in public preview! - Microsoft Tech Community</A><BR /><A href="" target="_blank" rel="noopener">SMB Compression in Windows Server 2022 and Windows Insider - Microsoft Tech Community</A></P><P><A href="" target="_blank" rel="noopener">OPS104 Securing SMB from within and without - Microsoft Tech Community</A></P><P>&nbsp;</P><P><BR /><STRONG>What's not yet published is changes to WSUS.</STRONG></P><P>&nbsp;</P><P>"Hey Karl, do you speak about this legacy stuff to deploy Updates for on-premises?"<BR /><BR />Yes, it still exists and is still needed for SMB and SMC and bigger organizations, while latter might use ConfigMgr or MEMCM or ISV solutions, where WSUS is often a needed requirement.</P><P>&nbsp;</P><P><BR /><STRONG>Technically we cannot expect anything new in WSUS?</STRONG></P><P>&nbsp;</P><P>Why? 
The rule to not update any legacy MMCs is in place with Windows Server 2022 LTSC, so also there are <U>no</U> improvements or additions to any MMC consoles, Server Manager, or Active Directory Administrative Center (ADAC).<BR />An exception to this rule was an important bug in ADAC that got caught.<BR /><BR />- Ultimately the issues with detection of WU client OS strings - since Windows Server 2016 and Windows 10 is not fixed in the WU database either. While it possible, there is a paid solution doing this for you to make your reporting great again.<BR />&nbsp;- Windows Admin Center support for Windows Update Services is not on the horizon either. I hope for Ignite 2021.</P><P>&nbsp;</P><P><BR /><STRONG>So what has changed? Product Categories, naming, that one need to learn and understand.</STRONG></P><P>&nbsp;</P><P>But before we get into let us recap about the history and where we come from.</P><P>Over the past decades, naming of product categories was rather simple.<BR /><BR />- Windows Client had own category per major release<BR />- Windows Server had own category per major release<BR />- SQL Server had and own category per major release&nbsp;<BR />etc.&nbsp;<BR /><BR /></P><P>With the era of Windows 10 OS, which applies to Server and Client OS alike, as these are very similar to the core, this has game changed a bit.&nbsp;<BR /><BR />At first all Windows 10 versions have been assigned to "Windows 10" category.<BR />Later, thankfully, the team added new categories per release. I will explain why this was important.</P><P>&nbsp;</P><P><BR /><STRONG>What changed with Windows 10?</STRONG></P><P>&nbsp;</P><P>With Windows 10 1903 Microsoft introduced "1903 and later" category which I supposed and promoted the idea to have one category for 1903 and 1909 as these share the <U>binary same</U> updates.&nbsp;</P><P>Well, that did not happen. 
1903 and later now includes updates for the following:<BR />1903, 1909, 2004, 20H2 and 21H1, where 2004-21H1 share the <U>same binary</U> updates.<BR /><BR /><BR /><STRONG>So how about Windows Server, Windows Server product like SQL Server etc?</STRONG><BR /><BR />Simple as that one category for each release:</P><P><BR />Windows Server 2008, 2008R2, 2012, 2012 R2, 2016, 2019&nbsp;</P><P>SQL Server each release had an own category from 2000 through 2019.&nbsp;<BR />So far so good and simple.<BR /><BR />Another OS emerged called <STRONG>Azure Stack HCI,</STRONG> again own category.<BR />Another OS emerged for those with Software Assurance rights, called&nbsp;<STRONG>Windows Server <U>version</U></STRONG> xxxx</P><P>aka <STRONG>Windows Server SAC</STRONG>, while xxxx follow the Windows 10 OS naming of YYMM so 1903 for March 2019 release - or more precisely end of development cycle (branch), as release happened sometimes later. <STRONG>Windows Server version will no longer be available after version 2004.</STRONG><BR /><BR />Microsoft noticed hindsight putting Azure Stack HCI, which is a SaaS product - same to Windows Server version (SAC) and has a similar release schedule - in one product category was an <EM>unfortunate</EM> design decision.</P><P>&nbsp;</P><P><BR /><STRONG>Why is one product category for any SAC product an unfortunate decision?<BR /></STRONG><BR />It means that the issue as with earlier Windows 10 versions having all one product category has been repeated and suffer the same problem.<BR /><BR />If you place any same SAC product into one category, it makes it ultimately harder for your to decide and decline products of SAC versions that are no longer in use across your organization.<BR />This is because SAC products do have an intended and short support period and will be replaced in production and so will play no further role but bloat up your database and metadata and compliance lists (WSUS reports) with unneeded versions.<BR /><BR />In this 
perspective, it would have been wise to not repeat the same mistake name it Azure Stack HCI from the start but Azure Stack HCI, version 20H2.<BR />Same as Microsoft factually did separate for Windows Server version, xxx in WSUS product categories. Well that did not happen, did it?</P><P>&nbsp;</P><P><BR /><STRONG>To the core of this article. What's next?<BR /><BR />Starting with Windows Server 2022&nbsp;and all 21H2 releases this familiar game will change rules.<BR /></STRONG><STRONG><BR /></STRONG>Windows Server 2022 will not see an own product category called "Windows Server 2022" as we would assume and how it is officially named.<BR /><BR />Azure Stack HCI OS will not be included into Azure Stack HCI OS category, except the first release version 20H2.<BR /><BR />Both updates will be included in a new category named "Microsoft Server operating system-21H2"<BR />Does this break any naming convention and former logic? Does it bother? You decide.&nbsp;</P><P><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kwesterebbinghausbusiness_1-1633612083032.png" style="width: 400px;"><img src=";px=400" role="button" title="kwesterebbinghausbusiness_1-1633612083032.png" alt="kwesterebbinghausbusiness_1-1633612083032.png" /></span><BR /><BR /><BR /></P><P>&nbsp;</P><P><STRONG>How about the driver and servicing drivers categories?<BR /></STRONG>That's still complicated. see:&nbsp;</P><P><A href="#" target="_blank" rel="noopener"></A></P><P><BR /><STRONG>Any other caveats?<BR /><BR /></STRONG></P><P>There are Windows Server categories for 2019 and other in the developer tools section.<BR />This happened due to a catalogue update error, which causes WSUS and ConfigMgr to sync any updates in 2021. These categories do contain any updates. 
So, make sure you do not check or bother with the Server Categories in the Developer Tools Products.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kwesterebbinghaus_0-1631266831808.png" style="width: 999px;"><img src=";px=999" role="button" title="kwesterebbinghaus_0-1631266831808.png" alt="kwesterebbinghaus_0-1631266831808.png" /></span></P><P>&nbsp;</P><P><BR /><STRONG>TLDR:</STRONG></P><P>&nbsp;</P><P><STRONG>- do not use product categories for Windows Server in Developer tools. These are dead.</STRONG></P><P><STRONG>- you will find Azure Stack HCI OS in the Azure Stack HCI product category, but only the initial version 20H2. No future ones.</STRONG></P><P><STRONG>- you will find future Azure Stack HCI OS version 21H2 and Server 2022 LTSC in the category named Microsoft Server operating system-21H2.<BR /></STRONG></P><P>&nbsp;</P><P>&nbsp;</P><P><STRONG>Source and kudos:</STRONG></P><P><BR />Thank you Artem Pronichkin, for the excursion and your help on the topic.<BR /><A href="#" target="_blank" rel="noopener"></A><BR /><BR />History:&nbsp;<BR />09/24/2021 - typo / grammar corrections<BR />09/10/2021 - more insight from Artem, see reply<BR />09/10/2021 - formatting, typo / grammar corrections, added screenshot<BR />09/09/2021 - formatting, corrections</P> Thu, 07 Oct 2021 13:08:49 GMT kwester-ebbinghaus-business 2021-10-07T13:08:49Z Creating Multiple Hyper-V VMs via PowerShell <P><SPAN>Assuming we want to create multiple <A href="#" target="_self">Hyper-V VMs via PowerShell</A>, </SPAN></P><P>&nbsp;</P><UL><LI><SPAN>Below script thinks that you have VMName list and Creates VM names according to each name which are separated coma and single quoted VM Names in a variable.</SPAN></LI></UL><P>&nbsp;</P><P><SPAN><STRONG>Pre-requisites </STRONG></SPAN></P><P>&nbsp;</P><UL><LI><SPAN>Add an ISO file for OS Installation and puts the HDD in to the directory you will mention in $VMLOC variable and assigns existing Hyper-V Switch to 
all VM’s.</SPAN></LI></UL><P>&nbsp;</P><P><SPAN><STRONG>Script starts---------</STRONG></SPAN></P><P><SPAN>#Below command will load the Hyper-V module for PowerShell.<BR />Get-Command -Module Hyper-V</SPAN></P><P><SPAN># This script creates a Multiple VM's Based on the Names you provided.</SPAN></P><P><SPAN>#Enter the VM names as mentioned below.<BR />$VMName = 'Server001','server002'</SPAN></P><P><SPAN>#Enter the ISO File path which contains the Windows Installation files<BR />$ISOpath = "D:\library\Windows Server 2008 R2 SP1_x64fre_server_eval_en-us-DVD.iso"</SPAN></P><P><SPAN>#Path of the VM HDD file stored<BR />$VMLOC = "d:\test"</SPAN></P><P><SPAN>#Name of virtual switch which will be used in the VMs<BR />$VMNet = "vEthernet-ADDC-M2"</SPAN></P><P><SPAN>#Create the VM's<BR />Foreach($vm in $VMName) { New-VM -Name $VM -Generation 2 -SwitchName $VMNet<BR />New-VHD -Path "$VMLOC\$VM\$vm.vhdx" -Dynamic -SizeBytes 40GB<BR />ADD-VMHardDiskDrive -VMName $vm -Path "$VMLOC\$VM\$vm.vhdx"<BR />Set-VM $VM -MemoryStartupBytes 1GB<BR />Add-VMDvdDrive -VMName $vm -Path $ISOpath<BR />Set-VMFirmware -VMName $vm -FirstBootDevice ((Get-VMFirmware -VMName $vm).BootOrder |<BR />Where-Object Device -like *DvD*).Device</SPAN></P><P><SPAN>}<BR />#Starts all of the VMs and installation of OS will be started.<BR />Start-VM -Name $VMName</SPAN></P><P><SPAN><STRONG>Script Ends-------------</STRONG></SPAN></P><P>&nbsp;</P><P><SPAN>The only problem I have faced with this script is by using Microsoft ISO files for OS, which is marked by an end user's input when installation starts, asking for "Press any key to start installation........."</SPAN></P> Wed, 08 Sep 2021 21:31:56 GMT aliat_IMANAMI 2021-09-08T21:31:56Z Active Directory Certificate Services (ADCS) <P>Our domain has never had a ADCS services.</P><P>&nbsp;</P><P>We have approx. 
20K AD users.&nbsp;</P><P>&nbsp;</P><P>We are looking into deploying a single ADCS Root Server along with NPS and RADIUS server.&nbsp;</P><P>We are only looking at using this for 802.1x for now, but we may consider it for other uses in the future.&nbsp;</P><P>&nbsp;</P><P>We currently use CA services (GoDaddy issues wildcard) for use on our servers that are accessible for public use.&nbsp;</P><P>&nbsp;</P><P>My question is: Will installing and configuring the new server as an Enterprise ADCS Server cause any issues with current AD authentication?&nbsp;</P><P>&nbsp;</P> Wed, 08 Sep 2021 14:09:16 GMT apiazza 2021-09-08T14:09:16Z Storage Replica and HyperV physical / passthrough disk <P>Hi,</P><P>&nbsp;</P><P>I tried to deploy a stretched HyperV cluster with Storage Replica. All is working flawlessly so far, however, I am unable to add a physical/passthrough disk to a HyperV VM after I enable the Storage Replica feature (this is a disk not replicated, or planned to replicate in the future). When I remove the Storage Replica feature, I am able to add the physical/passthrough disk to that VM.</P><P>&nbsp;</P><P>I tried to remove Storage Replica, add the disk to VM, add Storage Replica again just to see the error message "Physical disk not found" in HyperV VM settings.</P><P>&nbsp;</P><P>I expect this to be the behaviour by design, as it looks like the Storage Replica is claiming all disks upon arrival. 
So could please anybody from Microsoft confirm this?</P><P>&nbsp;</P><P>Is there any chance to selectively exclude some devices/disks from claiming by Storage Replica (for example with specific device id/description through registry) and freeing them to HyperV VM physical disk?</P><P>&nbsp;</P><P>Thank you,</P><P>&nbsp;</P><P>Martin</P> Wed, 08 Sep 2021 07:47:59 GMT Martin Nečas 2021-09-08T07:47:59Z Enable storage bus cache with Storage Spaces on standalone servers generic failure message to create <P>With the release of server 2022 i have looked forward to implementing storage bus cache.&nbsp; The KB to do so is rather straight forward&nbsp;<A href="#" target="_blank">Storage bus cache on Storage Spaces | Microsoft Docs</A>&nbsp;.&nbsp; i have prepped a new bare metal server with SSD's and HDD's on SAS and have followed the steps as in the KB.&nbsp; however it appears that the function Enable-StorageBusCache has a bug or error in it, it appears that the cache drives get configured and space reserved but the part that preps the HDD's to pair with a cache drive fails with a not so useful error message.</P><P>&nbsp;</P><P>it appears enable-storagebuscache calls new-storagebusbinding and then the section of preparehddforcache fails.&nbsp; little to no documentation appears to exist for this so i am not sure where what to do next.&nbsp; i have tried to take a look at maybe some issues in the MS script however its rather long and complicated, and i did not see any typo's jump out at me.&nbsp; im assuming i have found some type of bug</P><P>&nbsp;</P><P><LI-USER uid="875404"></LI-USER>&nbsp;<A href="" target="_blank">Storage Innovations in Windows Server 2022 - Microsoft Tech Community</A></P><P><BR /><STRONG>New-StorageBusBinding</STRONG> : Exception calling "<STRONG>PrepareHddForCache</STRONG>" : "<STRONG>Generic failure</STRONG> "<BR />At C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\StorageBusCache\<STRONG>StorageBusCache.psm1:2941 char:17</STRONG><BR />+ ... 
New-StorageBusBinding -CacheGuid $bindOrder[$nextCache] - ...<BR />+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<BR />+ CategoryInfo : NotSpecified: (:) [New-StorageBusBinding], MethodInvocationException<BR />+ FullyQualifiedErrorId : WMIMethodException,New-StorageBusBinding</P> Tue, 07 Sep 2021 23:59:29 GMT Joe_Fortini 2021-09-07T23:59:29Z Azure AD: Cross Tenant access requires multiple MFA registration? <DIV><P><SPAN>It is a requirement for Microsoft Partners to enable MFA for all users in organization, but as far as <A href="#" target="_self">multi-tenant Azure AD MFA</A> is concerned, Organizations can choose to enable/disable MFA for guests and single users.</SPAN></P><P>&nbsp;</P><P><SPAN>Mostly organizations select MFA to be enabled for whole Azure AD while setting up tenant, which can be later enabled/disabled for individuals.</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P><SPAN>Let's focus on "<STRONG>Why can a guest's home tenant not send some kind of attestation that MFA is in place on the home user account?</STRONG><STRONG>"</STRONG></SPAN></P><P>&nbsp;</P><P><SPAN>One of the user to above question with in community speaks as follows:</SPAN></P><P><SPAN>“We have lots of our customers in our tenant as guests for Teams channels because we invite the customer primary contact(s) into a channel that has their support engineers present. 
When we switched on conditional access to enforce MFA on all users the guests got prompted to setup MFA even though they already have MFA on their home account.</SPAN></P><P>&nbsp;</P><P><SPAN>For the time being I've added an exclusion on our conditional access policy to exclude guests and the dashboard is still saying we're 100% compliant after a few days, but what I'm reading here is that potentially these guest accounts are going to become useless unless all the guests wrestle with adding MFA on every instance they're a guest (which is totally mad).</SPAN></P><P>&nbsp;</P><P><SPAN>We're not creating another tenant and shoving all our CSP stuff in there, it just adds so much friction and if anything reduces security because right now when someone joins or leaves our organization their <A href="#" target="_blank" rel="noopener">Azure AD</A> account sets up and cuts off their access to everything. If we begin having separate accounts in another tenant for CSP you can bet someone is going to forget to cut that off when someone leaves and access carries on until someone notices.</SPAN></P><P>&nbsp;</P><P><SPAN>We are 100% on board with MFA being required, and I understand requiring MFA on a guest that doesn't reside in another Azure AD tenant (like a random user should be made to setup MFA), but where the user originates from Azure AD and has MFA on their home account, can it be that hard for MSFT to pass some kind of trusted flag across to the guest login that skips MFA if the home account has it?”</SPAN></P><P>&nbsp;</P><P><SPAN><STRONG>MY TAKE:</STRONG></SPAN></P><P><SPAN>I understand requiring MFA on a guest that doesn't reside in another Azure AD tenant (like a random user should be made to setup MFA), but where the user originates from Azure AD and has MFA on their home account, can it be that hard for MSFT to pass some kind of trusted flag across to the guest login that skips MFA if the home account has it? 
In the same thread another user shared a suggestion for this feature to be available, but the link may have expired or the feature is no longer being considered.</SPAN></P></DIV> Tue, 07 Sep 2021 20:59:41 GMT aliat_IMANAMI 2021-09-07T20:59:41Z Windows Server 2019 black screen stuck on VMware machine <P>We have an ESXi server with VMware. Our VM machine is Windows Server 2019.&nbsp;</P><P>Probably after 2 updates yesterday, KB5004244 and KB4589208, we have a problem logging in with all users.</P><P>&nbsp;</P><P>The problem is that we can't log in with any user. After we enter our user and password we get a black screen ... and that's it.</P><P>The login is via RDP session.&nbsp;</P><P>Also through the VM console ... same result... black screen.</P><P>&nbsp;</P><P>Tried uninstalling the above updates... with no success.</P><P>&nbsp;</P><P>Only if I open Task Manager and run: explorer.exe am I able to see my desktop&nbsp;</P><P>&nbsp;</P><P>Any help would be appreciated&nbsp;</P><P>&nbsp;</P><P>thanks</P><P>&nbsp;</P><P>Omer&nbsp;</P> Tue, 07 Sep 2021 05:30:45 GMT orrtech 2021-09-07T05:30:45Z Low disk space error due to log files in C:\Users\XX\AppData\Local\Temp\ <P>I have a UiPath bot running on a server at an hourly interval, which uses MS Office applications to complete the process. The bot logs its data in the&nbsp;"C:\Users\xx\AppData\Local\UiPath\Logs" folder. But the "C:\Users\XX\AppData\Local\Temp\" folder is filled up with numerous temp folders which have nothing in them; also, some of the files are too big in size. 
I am not sure for what purpose it is so huge in size.</P><DIV>&nbsp;</DIV><DIV>Is there any way to stop the process of logging temporary files in the "C:\Users\XX\AppData\Local\Temp\" folders rather than the deletion once the space is full or the bot gets an error?</DIV><DIV>&nbsp;</DIV><DIV>Below is the screenshot of the folder with temporary files</DIV><DIV><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="subrata_bose37_2-1630925890532.png" style="width: 400px;"><img src=";px=400" role="button" title="subrata_bose37_2-1630925890532.png" alt="subrata_bose37_2-1630925890532.png" /></span><P>&nbsp;</P></DIV> Mon, 06 Sep 2021 11:02:12 GMT subrata_bose37 2021-09-06T11:02:12Z A security warning like the one in the screenshot appears when opening a .bat file shared via DFS <P>When opening a .bat file shared via DFS, a security warning like the one in the screenshot appears.</P><P>For example, when opened like this: \\domain\dfs\mvp.bat&nbsp;</P><P>&nbsp;</P><P>However, if the same file is shared directly from the file server and then opened, the security warning for the file does not pop up.</P><P>For example, when opened like this: \\server01\sharefolder\mvp.bat</P><P>Why is this? Is there a way to adjust this so that the security warning does not appear? It should not be a client-side problem.</P><P>The warning screenshot is as follows: <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="安全警告.jpg" style="width: 468px;"><img src=";px=999" role="button" title="安全警告.jpg" alt="安全警告.jpg" /></span></P> Mon, 06 Sep 2021 08:13:17 GMT HankLiujh 2021-09-06T08:13:17Z Windows Server 2022 Unable to restart 'Network List Service' <P>Testing server 2022 (core) GA on two machines; one physical, one virtual. 
When I attempt to restart the network location awareness service using the command:</P><LI-CODE lang="powershell">restart-service -Name NlaSvc -Force</LI-CODE><P>I receive the below error message:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bradcope_0-1630884320199.png" style="width: 400px;"><img src=";px=400" role="button" title="bradcope_0-1630884320199.png" alt="bradcope_0-1630884320199.png" /></span></P><P>Narrowing down the error, i run the below command:</P><LI-CODE lang="powershell">restart-service -Name netprofm -Force</LI-CODE><P>Which results in the below error:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="bradcope_1-1630884579854.png" style="width: 400px;"><img src=";px=400" role="button" title="bradcope_1-1630884579854.png" alt="bradcope_1-1630884579854.png" /></span></P><P><BR />This is happening on both of our Server 2022 builds, I have had no issue running these commands on 2012/2012 R2/2016/2019, so why can't i run this command on server 2022?</P> Sun, 05 Sep 2021 23:31:25 GMT bradcope 2021-09-05T23:31:25Z Using FFU Imaging; after Optimize-FFU it no longer works <P><SPAN>Hi,</SPAN><BR /><BR /><SPAN>I installed a fresh copy of Windows Home v21H1. In audit mode, I ran installed all the Windows Updates and then ran System Prep with "System Cleanup Action &gt; Enter System Audit mode" and shutdown the system. I then booted to WinPE and was able to successfully capture an FFU image to a network share.</SPAN><BR /><BR /><SPAN>I was also able to successfully deploy this image to another machine with a larger SSD.</SPAN><BR /><BR /><SPAN>However, anything with a small drive won't work so I ran the 'Optimize-FFU' command from the Deployment and Imaging Tools command prompt on my sever which hosts the network share and that process went through successfully. 
My understanding is that this modifies the image so that it will work on small drive sizes.</SPAN><BR /><BR /><SPAN>My issue is that AFTER running this 'Optimize-FFU' the image will not deploy on ANY machines.</SPAN><BR /><BR /><SPAN>When I try to deploy the 'optimized' image to the same machines the original image worked on, or to any other machine, I get an error: 0x8000ffff</SPAN><BR /><BR /><SPAN>ANY IDEAS?</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="applescript">2021-09-05 13:56:54, Info DISM PID=1488 TID=1464 Scratch directory set to 'X:\windows\TEMP\'. - CDISMManager::put_ScratchDir
2021-09-05 13:56:54, Info DISM PID=1488 TID=1464 DismCore.dll version: 10.0.22000.1 - CDISMManager::FinalConstruct
2021-09-05 13:56:54, Info DISM Initialized Panther logging at X:\windows\Logs\DISM\dism.log
2021-09-05 13:56:54, Info DISM PID=1488 TID=1464 Successfully loaded the ImageSession at "X:\windows\system32\Dism" - CDISMManager::LoadLocalImageSession
2021-09-05 13:56:54, Info DISM Initialized Panther logging at X:\windows\Logs\DISM\dism.log
2021-09-05 13:56:54, Info DISM DISM Provider Store: PID=1488 TID=1464 Found and Initialized the DISM Logger. - CDISMProviderStore::Internal_InitializeLogger
2021-09-05 13:56:54, Info DISM Initialized Panther logging at X:\windows\Logs\DISM\dism.log
2021-09-05 13:56:54, Info DISM DISM Manager: PID=1488 TID=1464 Successfully created the local image session and provider store. - CDISMManager::CreateLocalImageSession
2021-09-05 13:56:54, Info DISM DISM.EXE:
2021-09-05 13:56:54, Info DISM DISM.EXE: &lt;----- Starting Dism.exe session -----&gt;
2021-09-05 13:56:54, Info DISM DISM.EXE:
2021-09-05 13:56:54, Info DISM DISM.EXE: Host machine information: OS Version=10.0.22000, Running architecture=amd64, Number of processors=4
2021-09-05 13:56:54, Info DISM DISM.EXE: Dism.exe version: 10.0.22000.1
2021-09-05 13:56:54, Info DISM DISM.EXE: Executing command line: dism /apply-ffu /ImageFile=W:\Win10-9-5-21.ffu /ApplyDrive:\\.\PhysicalDrive0
2021-09-05 13:56:54, Error DISM DISM FFU Provider: CFfuMiscHelpersT&lt;class CEmptyType&gt;::GetSignerInfoFromCatalog#998 failed with 0x80091008.
2021-09-05 13:56:54, Info DISM DISM FFU Provider: -------- Security Header ----------------------------------
2021-09-05 13:56:54, Info DISM DISM FFU Provider: Size = 32
2021-09-05 13:56:54, Info DISM DISM FFU Provider: Signature = SignedImage
2021-09-05 13:56:54, Info DISM DISM FFU Provider: ChunkSizeInKB = 128
2021-09-05 13:56:54, Info DISM DISM FFU Provider: AlgorithmId = 32780
2021-09-05 13:56:54, Info DISM DISM FFU Provider: CatalogSize = 328
2021-09-05 13:56:54, Info DISM DISM FFU Provider: HashTableSize = 5505024
2021-09-05 13:56:54, Info DISM DISM FFU Provider: ----------- Image Header ----------------------------------
2021-09-05 13:56:54, Info DISM DISM FFU Provider: Size = 24
2021-09-05 13:56:54, Info DISM DISM FFU Provider: Signature = ImageFlash
2021-09-05 13:56:54, Info DISM DISM FFU Provider: ManifestLength = 1723
2021-09-05 13:56:54, Info DISM DISM FFU Provider: ChunkSize = 128
2021-09-05 13:56:54, Info DISM DISM FFU Provider: ----------- Store Header ----------------------------------
2021-09-05 13:56:54, Info DISM DISM FFU Provider: UpdateType = 0
2021-09-05 13:56:54, Info DISM DISM FFU Provider: MajorVersion = 1
2021-09-05 13:56:54, Info DISM DISM FFU Provider: MinorVersion = 0
2021-09-05 13:56:54, Info DISM DISM FFU Provider: FullFlashMajorVersion = 3
2021-09-05 13:56:54, Info DISM DISM FFU Provider: FullFlashMinorVersion = 0
2021-09-05 13:56:54, Info DISM DISM FFU Provider: PlatformId =
2021-09-05 13:56:54, Info DISM DISM FFU Provider: BlockSize = 131072
2021-09-05 13:56:54, Info DISM DISM FFU Provider: WriteDescriptorCount = 172004
2021-09-05 13:56:54, Info DISM DISM FFU Provider: WriteDescriptorLength = 3440080
2021-09-05 13:56:54, Info DISM DISM FFU Provider: ValidateDescriptorCount = 0
2021-09-05 13:56:54, Info DISM DISM FFU Provider: ValidateDescriptorLength = 0
2021-09-05 13:56:54, Info DISM DISM FFU Provider: InitialTableIndex = 0
2021-09-05 13:56:54, Info DISM DISM FFU Provider: InitialTableCount = 0
2021-09-05 13:56:54, Info DISM DISM FFU Provider: FlashOnlyTableIndex = 0
2021-09-05 13:56:54, Info DISM DISM FFU Provider: FlashOnlyTableCount = 0
2021-09-05 13:56:54, Info DISM DISM FFU Provider: FinalTableIndex = 0
2021-09-05 13:56:54, Info DISM DISM FFU Provider: FinalTableCount = 172004
2021-09-05 13:56:54, Info DISM DISM FFU Provider: CompressionAlgorithm = 3
2021-09-05 13:56:55, Info DISM DISM FFU Provider: Anti-theft feature is not supported on this machine.
2021-09-05 13:56:55, Error DISM DISM FFU Provider: (Partition) Name is not present in manifest.
2021-09-05 13:56:55, Error DISM DISM FFU Provider: CManifest::GetDriveLayoutInfoEx#788 failed with 0x8000ffff.
2021-09-05 13:56:55, Error DISM DISM FFU Provider: CFfuReader::ProcessWriteDescriptors#1260 failed with 0x8000ffff.
2021-09-05 13:56:55, Error DISM DISM FFU Provider: CFfuReader::PreApply#303 failed with 0x8000ffff.
2021-09-05 13:56:55, Error DISM DISM FFU Provider: FfuApplyInternal#477 failed with 0x8000ffff.
2021-09-05 13:56:55, Error DISM DISM FFU Provider: FfuApplyImage#85 failed with 0x8000ffff.
2021-09-05 13:56:55, Error DISM DISM FFU Provider: PID=1488 TID=1464 onecore\base\ntsetup\opktools\dism\providers\ffuprovider\dll\ffumanager.cpp:515 - CFfuManager::Apply(hr:0x8000ffff)
2021-09-05 13:56:55, Error DISM DISM FFU Provider: PID=1488 TID=1464 Failed to apply an FFU image to '\\.\PhysicalDrive0'. - CFfuManager::InternalCmdApply(hr:0x8000ffff)
2021-09-05 13:56:55, Error DISM DISM FFU Provider: PID=1488 TID=1464 "Error executing command" - CFfuManager::InternalExecuteCmd(hr:0x8000ffff)
2021-09-05 13:56:55, Error DISM DISM FFU Provider: PID=1488 TID=1464 onecore\base\ntsetup\opktools\dism\providers\ffuprovider\dll\ffumanager.cpp:224 - CFfuManager::ExecuteCmdLine(hr:0x8000ffff)
2021-09-05 13:56:55, Error DISM DISM.EXE: FfuManager processed the command line but failed. HRESULT=8000FFFF
2021-09-05 13:56:55, Info DISM DISM.EXE: Image session has been closed. Reboot required=no.
2021-09-05 13:56:55, Info DISM DISM.EXE:
2021-09-05 13:56:55, Info DISM DISM.EXE: &lt;----- Ending Dism.exe session -----&gt;
2021-09-05 13:56:55, Info DISM DISM.EXE:</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="IMG_3382.jpg" style="width: 806px;"><img src=";px=999" role="button" title="IMG_3382.jpg" alt="IMG_3382.jpg" /></span></P> Sun, 05 Sep 2021 18:45:45 GMT AdamNYC31 2021-09-05T18:45:45Z DHCP server does not show MAC address <P>Hello&nbsp;</P><P>I wanted to use DHCP to assign an IP to a VMware VM. 
My VMs are Ubuntu.&nbsp;</P><P>I used the MAC address that shows in the VMware photo: NIC-1.</P><P>I created a new IP reservation by the MAC that shows in photo-1, but the client sends a UDID and there is no MAC address, photo: NIC-2.</P><P>So the client takes a new IP address.</P><P>What should I do to see the client MAC address?&nbsp;&nbsp;</P> Sun, 05 Sep 2021 13:42:50 GMT soheil-Amiri 2021-09-05T13:42:50Z windows datacenter firewall - micro segmentation <P>Hello&nbsp;</P><P>According to this topic "<A href="#" target="_self" rel="noopener noreferrer">windows Datacenter firewall</A>", we can configure micro-segmentation security on the vSwitch port, not on the VM&nbsp; guest. Am I right? Our major VMs are Linux Ubuntu.&nbsp;</P><P>I did not find any step-by-step guide that helps me set up MS SDN.</P> Sat, 04 Sep 2021 15:42:29 GMT soheil-Amiri 2021-09-04T15:42:29Z ADK for Windows 11 and ADK for Windows Server 2022: VAMT does not work anymore <P>In both ADK post 2004 version VAMT 3.1 fails to connect to the SQL instance.</P><P>&nbsp;</P><P>- cannot connect to existing instance of SQL (2014)</P><P>- cannot connect to new database in above instance</P><P>&nbsp;</P><P>Workaround:</P><P>uninstall ADK Windows 11 or Server 2022 and install ADK 2004. Works immediately.&nbsp;</P><P>&nbsp;</P><P>Who from Microsoft Team can help to triage and fix this?</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 04 Sep 2021 14:07:01 GMT K_Wester-Ebbinghaus 2021-09-04T14:07:01Z Computer Monitoring Error? 
<P>A few days ago Windows Server 2019 Essentials started reporting "Computer Monitoring Errors."&nbsp; &nbsp;It appears that the hardcoded fwlink in Essentials:&nbsp;<A href="#" target="_blank" rel="noopener"></A>&nbsp; is being forwarded to Bing HTML for download rather than the expected: OnlineServicesConfigFile.xml file.&nbsp; This is likely impacting prior versions of Windows Server also.&nbsp;</P><P>&nbsp;</P> Mon, 06 Sep 2021 12:24:56 GMT porschev 2021-09-06T12:24:56Z RDS farm 2019 and Microsoft Remote Desktop Android <P><SPAN>Hi all.</SPAN><BR /><SPAN>In my RDS farm 2019 I use Microsoft Remote Desktop for Android version 8 to connect to my Remote Resource Feed with a specific URL. In the new client version 10.0 there isn't a Remote Resource Feed, but there is Workspace. How can I connect my RDS farm in Workspace? Or is there another app that can connect to my&nbsp;Remote Resource Feed environment?</SPAN><BR /><SPAN>Thanks.</SPAN></P> Fri, 03 Sep 2021 11:08:39 GMT from-rome77 2021-09-03T11:08:39Z Fresh install of Server 2016 Standard - Core - No eventvwr.msc in system32 <P>Sorry if this is a basic question. I have installed Windows Server Core 2016 Standard on a hyper-v cluster, provisioned with 4 V-CPU and 4096 mem. (ISO&nbsp;SW_DVD9_Win_Server_STD_CORE_2016_64Bit_English_-4_DC_STD_MLF_X21-70526)</P><P>&nbsp;</P><P>Booted up and joined the device to the domain using SCONFIG.</P><P>&nbsp;</P><P>Then used&nbsp;Install-ADDSDomainController -domainname "contoso" -InstallDNS:$True -credentials (get-credentials)</P><P>&nbsp;</P><P>Following a reboot the domain services appear to be working. I can connect to the DC remote using DSA.msc. However, if I run dsa.msc on the server I get "Class not registered" - "Access Denied" error. I can't open services.msc, it just does nothing, no error, the command is accepted but nothing happens.&nbsp;</P><P>&nbsp;</P><P>The icing on the cake is when I tried to open eventvwr to see what was happening. There is no eventvwr.msc in system32. 
(C:\Windows\System32&gt;eventvwr.msc'eventvwr.msc' is not recognized as an internal or external command, operable program or batch file.)</P><P>&nbsp;</P><P>I have run SFC /scannow and no validation errors were found. I also tried chkdsk /f /r and the repair was performed. I also ran DISM /Online /Cleanup-Image /CheckHealth which showed no corruption detected.&nbsp;</P><P>&nbsp;</P><P>I know the obvious solution here is to rebuild but I am curious as to what I did wrong to cause such a mess of an installation so I can avoid in future.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 03 Sep 2021 09:42:49 GMT Zakarakus 2021-09-03T09:42:49Z Access Based Enumeration <P>Hello Everyone ,</P><P>we can apply ABE on root folders , where we can apply on Subfolders only , I shared more than one folders when user access example \\server IP need user view the only folders have permission but in current case any user can view all folders .&nbsp;</P><P>Thanks in advance ..</P> Thu, 02 Sep 2021 08:02:19 GMT Walid_Fawzy 2021-09-02T08:02:19Z Fail on In-place Upgrade to Windows Server 2019 <P><SPAN>I have a Windows Server 2016 desktop experience VM I want to in-place upgrade to Windows Server 2019 DE. I get to where the upgrade starts then after bit it fails with no error. Just a square that says "windows server 2019 upgrade has failed." No error.&nbsp; I checked what i thought were the correct logs but couldn't find any errors. Would something be in the event viewer?</SPAN></P> Tue, 31 Aug 2021 20:18:40 GMT Greggo2020 2021-08-31T20:18:40Z Cannot publish remoteapp program <P><SPAN>Single server 2019 remote desktop services cannot publish new remoteapp, although it does appear in program list. I can unpublish remoteapps</SPAN><BR /><SPAN>Event ID: 16393 Publishing failed . . .could not create a published application instance</SPAN><BR /><SPAN>Most solutions point to certs. 
A wildcard cert has been working for months, I changed to a new single cert, still same problem.</SPAN><BR /><SPAN>Same error in powershell. Restarted server a few times.</SPAN><BR /><SPAN>Any help? TIA</SPAN></P> Tue, 31 Aug 2021 18:39:51 GMT JohnnyBravo 2021-08-31T18:39:51Z RPC server is unavailable <P>Hello,</P><P>&nbsp;</P><P>I have this weird issue where I can't change domain controllers from ADUC or any active directory services. I'm not sure where to start troubleshooting this kind of issue. I can reach all other domain controller from the problematic DC but I can't do it from other DC's to the problematic DC.&nbsp;</P><P>&nbsp;</P><P>Any help would be appreciated.</P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="seyah96_0-1630434190180.png" style="width: 400px;"><img src=";px=400" role="button" title="seyah96_0-1630434190180.png" alt="seyah96_0-1630434190180.png" /></span></P><P>&nbsp;</P> Tue, 31 Aug 2021 18:25:12 GMT seyah96 2021-08-31T18:25:12Z Windows Components missing from Administrative Templates in GPO <P>I am in the process of configuring Windows Hello for Business and have hit a bit of a road block. When editing a GPO, the folder for Windows Components is missing from the Administrative Templates directory for both Computer Configuration and User Configuration. I have read several articles on importing .ADMX files and that didn't make a difference. What am I missing here? Domain Controller is on Server 2019.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GPO-Windows-Components-Missing.PNG" style="width: 788px;"><img src=";px=999" role="button" title="GPO-Windows-Components-Missing.PNG" alt="GPO-Windows-Components-Missing.PNG" /></span></P> Tue, 31 Aug 2021 14:13:01 GMT Matthew Pilar 2021-08-31T14:13:01Z Hyper-V Monitoring <P>Does anyone have good recommendations for monitoring Hyper-V Virtual Machines? 
I know I can logon to the server and view the Hyper-V Manager dashboard. I would like something a little more detailed if possible. We currently are running 3 Hyper-V Hosts with a total of 23 Virtual Machines, so it would be nice to be able to monitor all of these in one place. Thanks for any recommendations.</P> Mon, 30 Aug 2021 14:41:25 GMT Hawkins_IT 2021-08-30T14:41:25Z RDP Not Working | Not listening the port 3389 in windows server 2016 <P>Windows server 2016 not listening port 3389, due to this i am not able to RDP in to that server from a remote machine.&nbsp;</P><P>&nbsp;</P><P>I have checked below but still no luck.&nbsp;</P><P>RDP services are running</P><P>RDP Related registry keys are fine</P><P>Restarted the machine and checked</P><P>Remote Desktop setting enabled</P><P>Windows Firewall disabled</P><P>&nbsp;</P> Mon, 30 Aug 2021 09:47:32 GMT mohamedmydeen 2021-08-30T09:47:32Z why my shared file deleted by itself? <P>I have one server and 24 clients in my company. There are shared office files when new clients(3 clients introduced) change in a set of office, especially excel and word, and save my shared office files.</P><P>My share office files are hidden and if my new client is the administrator can see the shared office files but can not open and encounter access denied error and can not be copied or anything. If the new client wasn't administrator can not see it<BR />I do not have this problem if I share photo files or other items.<BR />Office files that are not shared and they are on their computers new clients change them they do not have this problem.<BR />All permissions and settings in the active directory are correct and other old clients have no problem. 
Only new customers have this problem.</P> Sun, 29 Aug 2021 05:07:30 GMT mehran_rahnama 2021-08-29T05:07:30Z Windows Server 2022 features comparisons <P>Hi,</P><P>&nbsp;</P><P>After Windows Server 2019 release, Microsoft released Windows Server 2019 features comparison.</P><P>Pls find the attachment.</P><P>&nbsp;</P><P>I am searching same comparisons for Windows Server 2022.</P><P>Please share. We’ll be thankful for members.</P><P>&nbsp;</P><P>With Regards</P><P>NndnG &nbsp;</P> Fri, 27 Aug 2021 17:34:55 GMT NndnG 2021-08-27T17:34:55Z Task Scheduler <P>I need some help setting up the task scheduler on a second server, so if one server isn't available the tasks will still get run</P> Fri, 27 Aug 2021 16:50:36 GMT Randy_Thomas 2021-08-27T16:50:36Z DNS block list <P>Hi,</P><P>is it possible to block a list of domain that i have on a txt file on a dns server?</P> Thu, 26 Aug 2021 07:56:55 GMT alescan 2021-08-26T07:56:55Z How many domain users can be created in the standard version of Windows Server 2019? 
<P>Hello to all,</P><P>I have a Hamletic doubt as reported by the object ...</P><P>How many domain users can be created in the standard version of Windows Server 2019?</P><P>I try to describe in a few words the structure and use of the DC WS 2K19 currently in use ...</P><P>Current DC WS 2K19 Essential -&gt; 25 active domain users reached, upgrade to Standard version of WS 2K19 required</P><P>The DC manages:<BR />- AD / DC; PrintServer; Volume E: Company data / Network directory with relative ACLs;<BR />- Total domain clients (Desktop and / or Laptop workstations) -&gt; 15</P><P>Domain Users:<BR />- 25 including active default users;</P><P>- real domain users (about 19) connect to their workstations directly and physically, from time to time they use the GUACAMOLE server (configured by me) for remote access to their own domain users and physical workstations.</P><P>The question:</P><P>How many users can I add / create without problems of incompatibility with the Standard Edition of WS 2K19?<BR />In this case (for how the domain is used and therefore the Server), are they necessary? How should I take this into account? 
Don't I have to take this into account?</P><P>Thanks to anyone who can help me.<BR /><BR /><BR /></P><P>Greetings<BR />M.</P> Wed, 25 Aug 2021 07:57:56 GMT ManueleF 2021-08-25T07:57:56Z Windows Server 2022 as Domain and DHCP Server <P>Hi,</P><P>&nbsp;</P><P>Windows Server 2022 announced.</P><P>&nbsp;</P><P>There are many IT Executives or Organizations who use Windows Server only for DNS Server, DHCP Server, managing network resources and implementing group policies.</P><P>&nbsp;</P><P>For this purpose, if we compare Windows Server 2012R2, Windows Server 2016, Windows Server 2019 and Windows Server 2022; can we find any differences?</P><P>&nbsp;</P><P>Moreover, for those executives or organizations, does it matter Windows Server 2022 announced?</P><P>&nbsp;</P><P>Please let us know differences in Windows Server from above perspectives.</P><P>&nbsp;</P><P>With Regards</P><P>NndnG &nbsp;&nbsp;</P> Tue, 24 Aug 2021 16:50:09 GMT NndnG 2021-08-24T16:50:09Z silsvc.exe (..) initiated a shutdown of the computer. Windows Server 2019 Essentials. No domain. <P>&nbsp;</P><P>Hello,</P><P>I have a problem on one server with Windows Server 2019 Essentials. 
The problem is every Monday morning from 08/02/2021 :</P><P>&nbsp;</P><P><EM>"Proces&nbsp;C:\Windows\system32\silsvc.exe&nbsp;(********) <SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN>initiated a shutdown of the computer</SPAN></SPAN></SPAN> ******** <SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN>on behalf of the user </SPAN></SPAN></SPAN>ZARZĄDZANIE&nbsp;NT\SYSTEM <SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN>for the following reason</SPAN></SPAN></SPAN> : <SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN>The title could not be found for this reason</SPAN></SPAN></SPAN><BR /></EM></P><P><EM><SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN>Reason code</SPAN></SPAN></SPAN> :&nbsp;0x2000c</EM></P><P><EM><SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN>Shutdown Type: Shutdown</SPAN></SPAN></SPAN> </EM></P><P><EM>&nbsp;Komentarz:&nbsp;Usługa&nbsp;zgodności&nbsp;licencjonowania&nbsp;spowodowała&nbsp;zamknięcie&nbsp;systemu.&nbsp;Sprawdź&nbsp;zdarzenia&nbsp;dla&nbsp;elementu&nbsp;Microsoft&nbsp;&gt;&nbsp;Windows&nbsp;&gt;&nbsp;Usługa&nbsp;licencjonowania&nbsp;infrastruktury&nbsp;serwera&nbsp;&gt;&nbsp;Operacyjne,&nbsp;aby&nbsp;uzyskać&nbsp;szczegółowe&nbsp;informacje."</EM></P><P>&nbsp;</P><P>Microsoft&nbsp;Windows&nbsp;Server&nbsp;2019&nbsp;Essentials<BR />OS&nbsp;Version:&nbsp;&nbsp;10.0.17763&nbsp;N/A&nbsp;Build&nbsp;17763<BR />No domain.</P><P><BR />I am asking for help in finding a solution.</P> Tue, 24 Aug 2021 09:34:31 GMT ddzioba 2021-08-24T09:34:31Z Configuring WSUS on Virtual Machine <P>I've configured a server 2019 WSUS and having trouble trying to add the computers that are not part of a DOMAIN.</P><P>Is there a way that we can add the physical PC's on virtual machines that are not part of a DOMAIN?&nbsp;</P> Mon, 23 Aug 2021 01:01:50 GMT enaugavule 2021-08-23T01:01:50Z Side effect of primary UPN Change <P>Hello we are planning to make primary UPN change in our prod environment due to migration from ADFS to Azure AD, 
currently we are trying to identify side effects of the primary UPN change. It might break access to the many on-prem AD integrated applications and we don't have any inventory to identify applications. Please let us know&nbsp; &nbsp;if anyone knows a process for identifying them.&nbsp;</P> Sat, 21 Aug 2021 21:03:59 GMT LakshmiKanthK 2021-08-21T21:03:59Z ACLs on privileged groups <P>Hi everyone, We are trying to clean up the security ACLs on a few privileged groups. My biggest issue right now is when I select disable inheritance and remove all of the groups/users off the main group, after a little bit the users/groups will show back up under the security tab. I'm assuming SDPROP is causing it. I'm testing on one group of changing the admincount to 0 from 1 and removing a user off the security tab to see if it gets added back or not. Anyone had this issue before?<BR /><BR />Thanks!</P> Fri, 20 Aug 2021 17:47:05 GMT Parzival30 2021-08-20T17:47:05Z Reporting error in Observium on all Windows servers simultaneously <P>I am running a mixed network of Windows and Linux.&nbsp; Currently have 3 versions of Windows Server running (2012R2, 2016, and 2019) and about 5 flavors of Linux and different versions within those, about 3 dozen Windows servers and 80-85 Linux.&nbsp; Everything is in Amazon EC2.</P><P>There were no updates done in Observium.&nbsp; No patching done in Windows that day.</P><P>However Monday evening, every single Windows instance stopped reporting CPU information.&nbsp; No current usage, history went blank, and now the CPUs say "Unknown CPU type" and many of these are the same instance type as Linux servers that were unaffected.</P><P>We are using SNMPv2 to connect them to Observium.&nbsp; Also these had all been up for nearly 2 months without any issue.</P><P>Any idea what the cause could be, how to resolve, any ideas at all?</P><P>&nbsp;</P><P>Thanks</P> Fri, 20 Aug 2021 16:41:00 GMT John_Doe762 2021-08-20T16:41:00Z how to keep active directory replication master 
domain <P>Dear: Support&nbsp;</P><P>&nbsp;</P><P>I have domain controller main then i replicate 2 server from main domain so now i need to shutdown old one and keep the new replication the master so how to configure that&nbsp; &nbsp;because when i shutdown old one i can't join new user to active directory&nbsp; because the old one shutdown .</P><P>&nbsp;</P><P>Kind Regards&nbsp;&nbsp;</P> Thu, 19 Aug 2021 10:16:14 GMT solom1335 2021-08-19T10:16:14Z Storage Pools on windows failover cluster : pool assignment cluster / nodes? <P>Dear,</P><P><U><STRONG>Scope:</STRONG></U></P><P>Windows 2019 : two&nbsp;node failover cluster ; no shared disks (SQL AOAG purpose).</P><P><EM>We have already enabled this on the cluster :</EM></P><P><EM>Get-StorageSubSystem | Where AutomaticClusteringEnabled -eq $true | Set-StorageSubSystem -AutomaticClusteringEnabled $false</EM></P><P>&nbsp;</P><P><U><STRONG>Observations:</STRONG></U></P><P>Storage pools created before clustering feature was enabled : they are assigned to the node.</P><P>Storage pools created after clustering software is installed : they are assigned to the cluster (using GUI)</P><P>&nbsp;</P><P><STRONG>Q: Can you transfer Storage pool ownership from cluster &lt;-&gt; nodes ?</STRONG></P><P><STRONG>Q: How can you influence this using GUI / PowerShell?</STRONG></P><P>&nbsp;</P><P><EM>Assignment using GUI (see Available to) :</EM></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="clusterpool.png" style="width: 999px;"><img src=";px=999" role="button" title="clusterpool.png" alt="Clusterpool (see available to)" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Clusterpool (see available to)</span></span></P><P>&nbsp;</P><P><EM>Assignment using PowerShell</EM></P><P>$storagePool = New-StoragePool -FriendlyName $storagePoolName -StorageSubSystemUniqueId $storageSubSystem.uniqueID -PhysicalDisks (Get-PhysicalDisk -StorageSubSystem $storageSubSystem -CanPool 
$true)</P><P><EM><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="nodepool.png" style="width: 999px;"><img src=";px=999" role="button" title="nodepool.png" alt="Nodepool (see available to)" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Nodepool (see available to)</span></span></EM></P><P>I don't understand why it assigns storage pool to the nodes this time and not cluster? I don't see it in the command (value for $storageSubSystem was : Clustered Windows Storage on LAB-SQL150AO)</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>Tim</P> Wed, 18 Aug 2021 20:27:46 GMT Tim Braes 2021-08-18T20:27:46Z Unable to install July 2021 rollup patches on Windows 2012 R2 KB5004285 and KB5004298 <P><SPAN>I am having trouble installing the recent July rollup updates KB5004298 and KB5004285. Updates install fine but after reboot it rolls back.</SPAN></P><P>&nbsp;</P><P><A href="#" target="_blank">Unable to install July 2021 rollup patches on Windows 2012 KB5004285 KB5004298 - Microsoft Q&amp;A</A></P><P>&nbsp;</P><P><SPAN>Any help would be much appreciated.</SPAN></P> Thu, 22 Jul 2021 19:38:50 GMT Marco Antonio da Silva 2021-07-22T19:38:50Z Set Up for Active Directory Backup <P class="q-text qu-display--block">&nbsp;</P><P class="q-text qu-display--block"><SPAN>I came across the following question regarding Backup Setup for Active Directory.</SPAN></P><P class="q-text qu-display--block">&nbsp;</P><P class="q-text qu-display--block"><SPAN>“<STRONG>Creating a forest in every location and every forest has 2 DCs and has a 1way trust to Global AD which is in&nbsp;</STRONG></SPAN><STRONG><SPAN class="q-inline"><A title="" href="#" target="_blank" rel="nofollow noopener">Azure.</A></SPAN></STRONG></P><P class="q-text qu-display--block">&nbsp;</P><P class="q-text qu-display--block"><STRONG>For the current AD backup, based on their design and current back up. they don't have a 3rd party backup tool. 
they have a file storage for backup. backup is taken everyday and stored in online and offline storage locations. The backups are stored in the azure cloud as well.</STRONG></P><P class="q-text qu-display--block">&nbsp;</P><P class="q-text qu-display--block"><SPAN><STRONG>So I'm planning to do the system state backup only then the backup path/location would be their file storage and also in VSS. Is this a good setup?</STRONG>”</SPAN></P><P class="q-text qu-display--block">&nbsp;</P><P class="q-text qu-display--block">&nbsp;</P><P class="q-text qu-display--block" data-unlink="true"><SPAN class="q-inline"><A href="#" target="_self">Active Directory (AD)</A>&nbsp;</SPAN><SPAN>&nbsp;is one of the most critical components of any IT infrastructure. In a Windows-based environment, almost all the applications and tools are integrated with Active Directory for authentication, directory browsing, and single sign-on.&nbsp;</SPAN><SPAN>Due to this heavy dependency, it is necessary to have a well-defined process for AD Backup.&nbsp;</SPAN><SPAN>Restoring Active Directory Backup should be the LAST option for any Disaster Recovery.</SPAN></P><P class="q-text qu-display--block">&nbsp;</P><P class="q-text qu-display--block"><SPAN>As above question got 2 DC's in each forest so for a single Domain Controller failure, the recommended option is to demote the Domain Controller, wait for a few hours to replicate the demotion, and then promote it back again. 
There is no need to restore Active Directory Backup to recover a single Domain Controller.</SPAN></P><P class="q-text qu-display--block">&nbsp;</P><P class="q-text qu-display--block">&nbsp;</P><P class="q-text qu-display--block"><STRONG>The most common and recommended approach for AD Backup is the&nbsp;System State Backup of Domain Controller.</STRONG></P><P class="q-text qu-display--block">&nbsp;</P><P class="q-text qu-display--block"><SPAN>A System State Backup of Domain Controller includes following:</SPAN></P><OL class="q-box"><LI><SPAN>Sysvol</SPAN></LI><LI><SPAN>Active Directory Database and related files.</SPAN></LI><LI><SPAN>DNS Zones and records (Only for AD Integrated DNS)</SPAN></LI><LI><SPAN>System Registry.</SPAN></LI><LI><SPAN>Call Registration database of Component Service.</SPAN></LI><LI><SPAN>System Start up files.</SPAN></LI></OL><P class="q-text qu-display--block"><SPAN>You can use a third party tool if required. However, the Windows Server Backup (WBADMIN) tool that comes bundled with all versions of Windows Servers is just fine for this purpose. Lastly, the recommendation is to take daily scheduled backup.</SPAN></P><P class="q-text qu-display--block">&nbsp;</P><P class="q-text qu-display--block"><STRONG>Preferred Backup Pattern in Active Directory &amp; Azure AD</STRONG></P><P class="q-text qu-display--block">&nbsp;</P><P class="q-text qu-display--block"><SPAN>One preferred backup pattern is&nbsp;</SPAN><SPAN>First Full Backup &gt; 14 Incremental Backups &gt; 1 Full backup &gt; 14 Incremental Backups &gt; 1 Full backup &gt; 14 Incremental Backups...and so on.</SPAN></P> Wed, 18 Aug 2021 20:43:57 GMT aliat_IMANAMI 2021-08-18T20:43:57Z