Migrate to Server 2025 Domain Controller

Server 2025 Domain Controller KB ID 0001884

Problem

If you would like to add a new Windows Server 2025 domain controller to an existing domain here is the procedure.

Solution: Server 2025 Domain Controller

Server 2025 Pre Requisites

2025 Hardware Requirements

  • Processor: 1.4 GHz 64-bit processor (or faster) with support for security features.
  • RAM: Minimum of 512 MB (2 GB for Server with Desktop Experience installation).
  • Disk Space: Minimum of 32 GB or more, depending on the server installation options.
  • Network Adapter: Ethernet adapter capable of at least gigabit throughput.

Software Requirements

  • Operating System: Windows Server 2025 (evaluation version or full licensed version).
  • Static IP Address: Assign a static IP address to the server before promoting it to a domain controller.
  • DNS: The server should point to itself for DNS or to another DNS server that is already part of the Active Directory.

User Permissions

  • You must be a member of the Administrators group on the server where you are installing the AD DS role.

Minimum Required Functional Levels for Windows Server 2025

Note: These are estimated based on the previous versions of Window Server.

Forest Functional Level:

  • The minimum forest functional level required for Windows Server 2025 is expected to be Windows Server 2016.
  • This means all domain controllers within the forest must be running at least Windows Server 2016.

Domain Functional Level:

  • The minimum domain functional level required for Windows Server 2025 is expected to be Windows Server 2016.
  • This ensures that all domain controllers within the domain are running at least Windows Server 2016.

Additionally: Ensure your third party applications also support Windows Server 2025, e.g. AV, MDR, Endpoint protection, and backup solutions.

Server 2025 Domain Controller AD Services Role Installation

At this point I’m assuming your 2025 server is fully updated and added to the domain as a member server. Server Manager > Manage > Add Roles and Features.

You can tick ‘Skip by default’ if you wish > Next >  Next > Next > Tick ‘Active Directory Domain Services’ > Add Features (as shown) > Next.

Next >  Next > Next > Install > When complete click ‘Close’.

Server 2025 Domain Controller: Promote to DC

Once the role is installed, you need to actually promote the server so that it is a domain controller > From within Server Manager you will see you now have a waring triangle at the top of the screen, click it and you will get the option to ‘promote this server to a domain controller‘.

It will automatically assume that you want to promote it to be a Dc in the domain that you are in, ensure that the credentials used have the appropriate rights > Next > Check the Site is correct And enter a new DSRM password > Next > At the warning about ‘A delegation for this DNS server cannot be created…“*

Note: In case you are worried about this error, see the following article for peace of mind.
Windows – A Delegation For This DNS Server Cannot Be Created

Next > Next > Next,

Next > Next > Once the pre-requisite checks have passed > Install.

If you look in Active Directory Users and Computers > In the Domain Controller OU there, will be your new Domain Controller.

That’s the new Server 2025 Domain Controller successfully added as a new domain controller. Rember at this point if you are retiring any old Domain Controllers take a look at the following list of things to thing about.

Retiring a Domain Controller Checklist

  • DNS: Is the retiring domain controller specified in one of your DHCP scopes or been manually specified on servers/endpoints. Offenders are network printers, VMware ESX servers (or vCenters), Non Windows devices, Hardware appliances.
  • DHCP: Is the retiring domain controller Hosing a DHCP scope? Or involved in a HA DHCP scope, If so this will need migrating.
  • LDAP/Kerberos/AAA: Are there any devices that look to the IP/Name of the retiring domain controller that are providing authentication services e.g. RSA Appliances, Firewalls authenticating remote access, Door entry or security systems that lookup AD users. Note This includes IAS/NPS
  • MFA: Do you have an MFA system that required Active Directory? If so does that need migrating.
  • Email: Modens Microsoft Exchange does not care (as long as DNS works.) But older versions needed to look at a specific domain controller, and any third part email applications may need to do the same.
  • Third Party Applications: This is a bit of a catch all but in most cases, (especially in SMB environments) Other programs/applications/services sometimes get installed on domain controllers make sure you know what apps are on the old DC before retiring e.g. Printer auditing software, third party password and AD Management tools, Management consoles for other solutions, Agent software for monitoring AD users.
  • Backups: These days less of an issue, but if you backup solution had an Active Directory element, ensure that post migration id continues to function normally.

For the demotion and role removal procedure, please see the video (above).

Related Articles, References, Credits, or External Links

Migrate DHCP Scope

Windows: Migrate DHCP HA

Migrate NPS Server

Find Domain Schema Version

Find Domain Schema Version KB ID 0000025 

Problem

You want to upgrade or find out your current Schema version, or check that an” adprep / forestprep” command has worked correctly.

Solution

Find Domain Schema Version: PowerShell

Use the following sytax
[box]

Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectversion

[/box]

Post Server 2016 Find Domain Schema Version

The value is populated with Server 2016 again.

If you check the value above on a domain that has Windows 2012 domain controllers, you will see the value is ‘not set’.

If the entry is blank;

Instead navigate to this registry key;

[box][HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNTDSParameters[/box]

Locate the ‘Schema Version’ Note: the figure in brackets is the decimal value!

Find Domain Scheman Version For Windows Servers Before 2012 RTM

1. For Windows Server 2003 you will need to Install the Support Tools on your server. (2008, 2008 R2, and 2012 have the tools built in).

2. Press (Windows Key+R) > adsiedit.msc > {enter}

3. Right Click > CN=Schema,CN=Configuration,DC=domain,DC=com > Properties

<pNote: If you cannot see this you need to select “Connect To” then pick “Schema”.

4. On the Attribute Editor tab > Locate objectVersion.

 

What Are The Windows Server Schema Versions?

20: Windows 2000

30: Windows 2003 RTM, Windows 2003 SP1, and Windows 2003 SP2

31: Windows 2003 R2

44: Windows Server 2008 RTM

47: Windows Server 2008 R2 (and SBS 2011)

56: Windows Server 2012 RTM

69: Windows Server 2012 R2

87: Windows Server 2016 RTM

88: Windows Server 2019 RTM

88: Windows Server 2022

91: Windows Server 2025

Related Articles, References, Credits, or External Links

NA

Windows Server 2025 Domain Join

Server 2025 Domain Join KB ID 0001883

Problem

To perform a  Windows Server 2025 Domain Join (Local Domain). The end process is the same as it’s always been, they’ve just made the job of getting to there a little more convoluted, (this is the same with Windows 11).

 

Solution: Windows Server 2025 Domain Join

Before attempting to join the domain, let’s make sure we can ‘resolve’ the domain name, (because most domain join problems are DNS related). Whilst logged in as a (local) administrative user, click the Windows button > Windows PowerShell.

Ensure you can ‘ping’ the domain name (see below), Also here I verify that the IP address that responds in my domain controller (Note: this will only work if your DNS zone has a correctly setup reverse DNS zone!)

Click the Windows button > System.

System > About.

Advanced System Settings.

   

Computer Name.

Change.

Select ‘Domain’ and enter the domain name > OK > enter credentials that have the rights to join a machine to the domain* > OK

*Note: All domain users have the right to join x10 machines to the domain.

OK > OK.

OK > Restart Now > The server will reboot.

Ensure you don’t mistakenly log on as the local administrator > Other User > Then remember if you are logging on as domain administrator use DOMAIN/Administrator, or administrator@domain-name.domain extension.

Solution: PowerShell Windows Server 2025 Domain Join

Windows button > Open an administrative PowerShell window.

As above, before attempting to join the domain, let’s make sure we can ‘resolve’ the domain name, (because most domain join problems are DNS related).

Use the following syntax.
[box]

Add-Computer -DomainName {your-domain-name}

[/box]

When prompted, provide credentials that have rights to add computer object to the domain.

When successfully joined, you will be asked to reboot.

[box]

Restart-Computer

[/box]

Ensure you don’t mistakenly log on as the local administrator > Other User > Then remember if you are logging on as domain administrator use DOMAIN/Administrator, or administrator@domain-name.domain extension.

Leave a Windows Domain Using PowerShell

Firstly I’m making sure I am correctly domain joined by using the following command.

[box]

Get-WmiObject win32_computerSystem | Select-Object -ExpandProperty domain

[/box]

Then to ‘leave’ the domain use the following command.

[box]

Remove-Computer

[/box]

When prompted reply to Y for yes then to complete the process reboot the server with the following command.

[box]

Restart-Computer

[/box]

Leave a Windows Domain Using GUI

To do the same graphically, it’s just the reverse of a domain join, use the instructions above you get you to the following dialog then select workgroup, and enter the workgroup name.

OK > OK.

Close > Restart Now.

Related Articles, References, Credits, or External Links

How to Join a Windows Domain

Windows: Join Azure AD (AAD)

Windows Server 2022 Domain Join

How to Join Windows 11 to a Domain

Microsoft Blue Screen of Death (BSOD)

BSOD KB ID 0001882

Problem

Recovering from a Microsoft Blue Screen of Death (BSOD) involves several steps to diagnose and resolve the issue. Here is a systematic approach to help you recover from a BSOD.

Solution : BSOD Resolution.

 

Note: If using Crowdstrike (18th Jul 2024) or you’re Stuck at the recovery screen. The problem is being worked on Ref:

TEMPORARY WORK AROUND

 

  1. Boot Windows into Safe Mode or WRE.
  2. Go to C:\Windows\System32\drivers\CrowdStrike
  3. Locate and delete file matching “C-00000291*.sys”
  4. Boot normally.

Alternative Crowdstrike Fix (from the recovery screen)

If you’re stuck at the recovery screen, try these steps:

  1. Click on ‘See advanced repair options’ on the Recovery screen.
  2. In the Advanced Repair Options menu, select ‘Troubleshoot’.
  3. Next, choose ‘Advanced options’.
  4. Select ‘Startup Settings’.
  5. Click on ‘Restart’.
  6. After your PC restarts, you will see a list of options. Press 4 or F4 to start your PC in Safe Mode.
  7. Open Command Prompt in Safe Mode.
  8. In the Command Prompt, navigate to the drivers directory: cd \windows\system32\drivers
  9. To rename the CrowdStrike folder, use ren CrowdStrike CrowdStrike_old

Alternative Crowdstrike Fix (For Virtual Machines)

  1. Attach an the system disk of the affected machine asunmanaged disk to another VM for offline repair (Note:Disks that are encrypted may need these additional instructions: Unlocking an encrypted disk for offline repair
  2. Once the disk is attached, customers can attempt to delete the following file. “Windows/System/System32/Drivers/CrowdStrike/C00000291*.sys
  3. The disk can then be detached and re-attached to the original VM.

 

1. Note the BSOD Error Code

When a BSOD occurs, an error code is displayed on the screen. This code can be crucial in diagnosing the problem. Write down the error code and any associated information.

2. Restart Your Computer

Sometimes, a simple restart can resolve the issue. However, if the BSOD persists, proceed to the next steps.

3. Boot into Safe Mode

Safe Mode loads a minimal set of drivers and services. Booting into Safe Mode can help you determine if a default setting or basic device driver is causing the issue.

  • Windows 10/11:
    1. Restart your computer.
    2. As soon as your computer starts, press the F8 key repeatedly until the Advanced Boot Options menu appears.
    3. Select “Safe Mode” or “Safe Mode with Networking.”

4. Check for Hardware Issues causing BSOD

  • Disconnect External Devices: Unplug all external devices (USB drives, printers, etc.) and restart your computer to see if the BSOD persists.
  • Run a Memory Check: Use Windows Memory Diagnostic tool to check for memory issues.
    • Press Windows + R, type mdsched.exe, and press Enter.
    • Choose “Restart now and check for problems.”

5. Update or Roll Back Drivers

  • Update Drivers:
    • Open Device Manager (Windows + X > Device Manager).
    • Expand categories and update any drivers with a yellow exclamation mark.
  • Roll Back Drivers:
    • In Device Manager, right-click the driver causing the issue, select “Properties,” go to the “Driver” tab, and select “Roll Back Driver.”

6. Check for Software Issues

  • Uninstall Recent Software: Uninstall any software or updates installed recently.
    • Go to Settings > Apps > Apps & features and uninstall the problematic software.
  • Run System File Checker (SFC):
    • Open Command Prompt as Administrator.
    • Type sfc /scannow and press Enter.

7. Perform a System Restore

If the BSOD started after a recent change, performing a System Restore can revert your computer to a previous state.

  • Go to Control Panel > System and Security > System > System Protection > System Restore.
  • Follow the prompts to choose a restore point.

8. Check Disk for Errors

  • Open Command Prompt as Administrator.
  • Type chkdsk /f /r and press Enter.
  • Restart your computer to allow the check to run.

9. Update Windows

Ensure your Windows operating system is up to date.

  • Go to Settings > Update & Security > Windows Update and check for updates.

10. Perform a Clean Boot

A clean boot helps eliminate software conflicts.

  • Press Windows + R, type msconfig, and press Enter.
  • Go to the “Services” tab, check “Hide all Microsoft services,” and click “Disable all.”
  • Go to the “Startup” tab, open Task Manager, and disable all startup items.
  • Restart your computer.

11. Reset or Reinstall Windows

If none of the above steps work, you may need to reset or reinstall Windows.

  • Reset This PC:
    • Go to Settings > Update & Security > Recovery > Reset this PC.
    • Choose whether to keep your files or remove everything.
  • Reinstall Windows: Backup your data and perform a clean installation using a bootable USB drive with the Windows installation media.

Additional Tools and Resources

  • BlueScreenView: A utility to view minidump files created during BSODs.
  • WhoCrashed: Analyzes crash dumps to determine the cause of the crash.

Related Articles, References, Credits, or External Links

NA

PowerCLI: Get Snapshot Information

Get Snapshot Information KB ID 0001829

Problem

The question was asked on Experts Exchange today.

Are there any scripts or reports that would give me information on VMware VM’s with snapshots?

was pretty sure this was a straight forward one, so I jumped on the test network.

Solution: Get Snapshot Information

Connect to your vCenter and use the following commands.

[box]

Connect-viserver vCenter-Name 
THEN AUTHENTICATE
Get-VM | Get-Snapshot | Select-Object VM, Name, SizeGB, Created

[/box]

That was easy!

Get Snapshot Information : With RV Tools

You can also get the same information from RVTools, which if you don’t already use, do so!

Solution: PowerShell Delete Snapshots

You can delete all snapshots by simply piping the command above to Remove-Snapshot, But you will porbably want to do that on a VM by VM basis. Use the cfollowing command.

[box]

 Get-VM VM-Name| Get-Snapshot | Remove-Snapshot

[/box]

Related Articles, References, Credits, or External Links

NA

Disable NTLM

Disable NTLM KB ID 0001880

Problem

NTLM (NT LAN Manager) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users in a network. It is an older protocol that has been largely replaced by Kerberos, (since Server 2008 and windows Vista!) In modern Windows environments due to its enhanced security features. NTLM is a challenge-response authentication protocol used to authenticate a client to a resource on a network. It operates in three versions: NTLMv1, NTLMv2, and NTLMv2 Session Security.

Key Components

Authentication Process:

    • Challenge-Response Mechanism: NTLM uses a challenge-response mechanism where the server challenges the client, and the client responds with a value that proves its knowledge of the user’s password.
    • Session Security: Provides confidentiality (encryption) and integrity (signing) for data sent over the network.

NTLM Versions:

    • NTLMv1:
      • Uses DES (Data Encryption Standard) for encryption.
      • The client sends a hashed password, and the server compares it to the stored hash.
      • Known for its vulnerabilities, including susceptibility to replay attacks and weak password hashes (LM hashes).
    • NTLMv2:
      • Introduced to address the security shortcomings of NTLMv1.
      • Uses HMAC-MD5 for cryptographic operations.
      • Provides stronger encryption and better resistance to replay attacks.
      • Supports mutual authentication where both client and server authenticate each other.
    • NTLMv2 Session Security:
      • Provides additional security by creating a session key based on both client and server challenge-response pairs.
      • Ensures integrity and confidentiality for the session.

Components of NTLM:

    • User Authentication: Verifies the identity of a user or system requesting access.
    • Message Integrity: Ensures that messages are not tampered with during transmission.
    • Message Confidentiality: Encrypts messages to protect sensitive information.

Security Weaknesses

  1. NTLMv1:
    • Weak Hashing (LM Hash): The LM hash is derived from passwords in a way that is susceptible to brute-force attacks.
    • Replay Attacks: Can be exploited to reuse valid authentication tokens.
    • Lack of Mutual Authentication: Only the client is authenticated, not the server.
  2. NTLMv2:
    • Improved but Still Vulnerable: While it significantly improves upon NTLMv1, it is still not as secure as Kerberos and can be vulnerable to certain types of attacks, especially in environments where NTLMv1 is still supported for backward compatibility.

Deprecation and Modern Alternatives

  • Kerberos: Introduced in Windows 2000, Kerberos provides stronger security features, including mutual authentication, and is now the default authentication protocol in Active Directory environments.
  • Recommendations: Organizations are encouraged to disable NTLM where possible, particularly NTLMv1, and to use Kerberos or other modern authentication protocols.

In Summary

NTLM played a crucial role in early Windows network security, providing a means of authenticating users and securing communications. However, due to its security vulnerabilities, especially in NTLMv1, it has been largely replaced by more secure protocols like Kerberos. NTLMv2 offers improvements but is still not as robust as modern alternatives, making it advisable for organizations to phase out NTLM in favour of stronger authentication methods.

As of Jun 2024 Microsoft has declared that NTLM (all versions) are depreciated.

Solution : Disable NTLM

Developers are being encouraged to STOP using NTLM, and the advice is to set your systems to ONLY use NTLM if Kerberos is not available. You first challenge is to find out what (if anything) is still using NTLM.

On your server(s) look in the (Security) Event logs for Event ID 4624 That mentions NTLM.

But there’s thousands of Event ID 4624 events, so let’s narrow the search with some PowerShell.

[box]

$query= @"
    <QueryList> 
           <Query Id="0"> 
              <Select Path="Security"> 
                *[System[(EventID='4624')]] 
                 and 
                *[EventData[Data[@Name='AuthenticationPackageName'] and (Data='NTLM')]]
               </Select> 
           </Query> 
    </QueryList>
"@
Get-WinEvent -FilterXml $query

[/box]

Now I can review each of those events (by their time stamp!) and I’ve only got two offenders to investigate.

You can also have a reconnoitre with WireShark, and scan for ntlmssp.

Disable NTLM v1

It’s considered best practice to disable NTLM version 1 first, then wait for a while (a period of a few weeks,) then you can attempt to disable NTLM version 2 also.

Edit the Default Domain Controller Policy and Navigate to.

[box]

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options >  
Network Security: LAN Manager Authentication Level

[/box]

Settings;

  • Send LM and NTLM responses
  • Send LM and NTLM (use NTLMv2 session security if negotiated)
  • Send NTLM response only
  • Send NTLMv2 response only
  • Send NTLMv2 response only, Refuse LM: Domain controllers offer only NTLMv2 but still accept NTLMv1 authentication.
  • Send NTLMv2 response only, Refuse LM and NTLM: Domain controllers refuse LM and NTLMv1, accepting only NTLMv2.

To keep NTLM v2 and disable NTLM v1 choose the last option.

WARNING: This will effectively tattoo this setting into registry of the domain controller(s), even if you have a problem and revert the setting back to not defined, it will remain. If that happens to you, you can manually change the setting in the registry at.

[box]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

[/box]

 

There’s six settings (0 to 5) that correspond to the ones in the group policy for further information see this article.

Disable NTLM Completely

Before proceeding its a good idea to enable the “Restrict NTLM: Audit NTLM authentication in this domain” policy then waiting a while longer and reviewing the logs, if something does appear you can simply add it to the “Restrict NTLM: Add server exceptions in this domain” policy

This time in the default domain controller’s policy navigate to.

[box]

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options >  
Network Security: Restrict NTLM: NTLM authentication in this domain

[/box]

  • Disable: the policy is disabled (NTLM authentication is allowed in the domain).
  • Deny for domain accounts to domain servers: the domain controllers reject NTLM authentication attempts for all servers under the domain accounts, and the “NTLM is blocked” error message is displayed.
  • Deny for domain accounts: the domain controllers are preventing NTLM authentication attempts for all domain accounts, and the “NTLM is blocked” error appears.
  • Deny for domain servers: NTLM authentication requests are denied for all servers unless the servername is on the exception list in the “Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain” policy.
  • Deny all: the domain controllers block all NTLM requests for all domain servers and accounts.

To stop client computers attempting to connect with NTLM you can edit the Default Domain Policy.

  • Network security: Restrict NTLM: Incoming NTLM traffic = Deny all accounts
  • Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers = Deny all

Related Articles, References, Credits, or External Links

NA

Windows Server Evaluation Extending & Converting

Server Evaluation Extending & Converting KB ID 0001879

Problem

If you download and install Windows Server evaluation, you get 180 days grace to upgrade it to a full licensed version. Now the internet is awash with articles telling you how you can extend that – In fact you can extend it by 180 days a further SIX TIMES. But what they fail to tell you, is this only works if you DONT LET IT EXPIRE. Once you’ve breached the 180 days you cannot extend it by 180 days (If you try you only get 10 days grace!)

Day 1

After 180 Days

Solution: Server Evaluation Extending

When the server is first deployed you will have 180 days and SIX REARMS available, which you can see with the following command.

[box]

slmgr -dlv

[/box]

Assuming you are within the 180 day period you can simply extend by 180 days with the following command.

[box]

slmgr -rearm

[/box]

Once rebooted you can check status with the same command we used above (slmgr -dlv).

Solution: Server Evaluation Extending (If Expired)

If you have been on the server it would have warned you with prompts like this.

What Happens If The Windows Server Evaluation License Expires?

The server will shut itself down, 1 hour after it has been powered on, (after logging Event ID 1074).

Event ID 1074
The License period for this installation of Windows has expired. the operating system is shutting down.

As mentioned above you can give yourself some breathing room (assuming you have a rearm count of 1 or more) by using the same command to extend (slmgr – rearm). But you will only get 10 days grace to enter a valid key/activation code.

Converting Windows Server Evaluation To Full Version

The other option, and of course what Microsoft want you to do, is convert the evaluation version to a full version. You can see what versions are available by running the following command.

[box]

DISM /Online /Get-TargetEditions

[/box]

My only option is ServerDatacenter – so I can convert to that version and enter a valid Windows Key to licence the server at the same time.

[box]

DISM /Online /Set-Edition:ServerDatacenter /ProductKey XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /AcceptEula

[/box]

Then (when asked) reboot the server to complete the procedure.

Note: Before you email me to point out there’s a Windows licence key in that screenshot (above) that’s the Windows Server 2022 KMS Key.

Related Articles, References, Credits, or External Links

NA

Windows Connect to NFS Share

Windows Connect to NFS Share KB ID 0001861

Problem

I have an old Buffalo NAS box I use on my test network, its shared between some Windows servers and is also used by my vSphere ESX deployment as a datastore. I replaced my main admin server which had a drive mapped to the device and ‘forget’ how I’d mapped the drive originally, so it took me a while to work it out again.

Windows Connect to NFS Share: Solution

The first task is to install NFS client which you can do with the following PowerShell command.

[box]

Install-WindowsFeature NFS-Client

[/box]

Then to map the drive (persistently as Drive Letter S:) use the following command.

[box]

New-PSDrive -Name 'S' -PSProvider FileSystem -Root '\\server-name\folder-name' -Persist -Scope Global

[/box]

Your drive should now be present like so.

Windows Connect to NFS: SMB1 Warning Message

In my case, my target is a very old NAS box that still used SMB1, in production this might be a concern but as this is my test network and there only ever me on it, I enable SMB1 on the Windows 2022 server (Note: Add it as a feature from Server Manager).

Error: You can’t connect to the file share because it’s not secure. This share requires the obsolete SMB1 protocol which could expose your system to attack.

I’ve put the link to my normal SMB1 article below.

Related Articles, References, Credits, or External Links

SMB1 Is Dead? (Unfortunately Not Yet)

Adding Windows Server NFS Shares to VMware ESX

VMware vSphere: Adding NFS Storage

VMware Cannot Remove / Unmount an NFS Store