Printers “Some Of These Settings are Managed By Your Organisation”

Managed By Your Organisation KB ID 0001899

Problem

When attempting to add a printer, or engage with the printer settings dialog, you may see.

Some Of These Settings are Managed By Your Organisation

Solution : Managed By Your Organisation

This is usually because a policy is being applied, (or has been applied) that is making a change in your registry, to the following key.

[box]

HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Policies > Explorer > NoAddPrinter 

[/box]

Values are.

  • ENABLED  = 1 (Printers cannot be added).
  • DISABLED = 0 (Printers can be added).

Of course if this IS being enforced by group policy changing the registry key will only fix the problem until the policy is re applied!

I’ve previously written about how to locate where a group policy is coming from. the policy you are looking for is

[box]

User Configuration > Administrative Templates > Control Panel > Printers > Prevent addition of printers  

[/box]

In this case it was being enforced by Local User Policies

Running gpedit.msc got me to the culprit.

If yours is being enforced from your domain, gpresult will point to the correct policy.

Related Articles, References, Credits, or External Links

Allow Users to Install Printers with Group Policy

Deploying Printers with Group Policy Preferences

What GPO are Applied?

What GPO KB ID 0001898

Problem

There are a number of reasons for you to test and demonstrate group policy application. Recently on Experts Exchange there was a question. where a user could not add a printer because those settings were “Controlled by their organisation’ but was pretty sure no printer GPOs were applied.

Or you may simply be setting up a new GPO and it’s not applying, or not working as you would expect.

Solution : What GPO

I’ve been doing this a long time! Back in the day you could create a new MMC console (run mmc.exe) then add the “Resultant Set Of Policy” Snap in and rung that to evaluate and model different GPO applications and results. You can still do that but now you can simply run the RSOP command from an administrative command window.

In this case it will produce a list of applied group policies for the logged in user and the machine it was ran on (if you want results for differennt users or computers you can add the RSOP snap-in to mmc, or run the modelling from a machinesthat had the group policy management console installed)

But RSOP will give you output like this, you can see what policies are being applied, and what is the name of the group policy that applying that change.

But this will produce a complete list of all GPO settings and their status (even if they are not defined (see above)). An easier way to search is to use GPRESULT and send the output of that to an HTML file that you can open in a browser.

[box]

gpresult /h C:\{Path}\GPresult.htm

[/box]

This produces an easier to read report

You can get the same report and change the input parameters for users and computers etc, by running the Group Policy Results wizard that included with the AD DS RSAT tools

Related Articles, References, Credits, or External Links

Group Policy: Item-Level Targeting

Apply Group Policy To a Security Group

Add The ‘Group Policy Management Console’

Windows 11 – Remove Search Adverts

‘Remove Search Adverts KB ID 0001897

Problem

Why this has to be a ‘thing‘ in a business version of Windows I’m not really sure, but if you want to remove these adverts from the Windows Search function.

They are called ‘Search Highlights‘ or ‘Dynamic Search Box‘.

Solution: Remove Search Adverts

Option 1 Remove Search Adverts with Domain Group Policy

In a domain envronment we can simply crete a GPO and link it to the the computers you want to ‘remove’ this ‘feature’ from. On a domain controller > Administrative Tools > Group Policy Managment Console > Selct a policy that’s linked to the computers OU that the affected machines are in, or create a new policy and edit it.

Navigate to.

[box]

Computer Configuration > Policies > Administrative Templates > Windows Components > Search > Allow search highlights

[/box]

Wait there is no Allow Search Highlights option? If so click here

Then either wait a couple of hours for the policies to enforce, or manually force a policy renewal.

Option 2 Remove Search Adverts with Local Group Policy

If your PC is in a workgroup or simply a stand alone PC you can acheive the same by using Local Policies. (Note: Not avalable with Home versions of Windows). In the start menu search for and execute gpmc.msc

Navigate to.

[box]

Computer Configuration > Administrative Templates > Windows Components > Search > Allow search highlights

[/box]

Select Disabled > Apply  > OK > Close the policy editor and reboot or manually force a policy renewal.

Option 3 Remove Search Adverts with Local Settings

Another option, is to go to settings.

Privacy and Security > Search Permissions.

Scroll all the way to the bottom > More Settings > Show Search Highlights > Off > Then reboot the PC.

Option 4 Remove Search Adverts within The Registry

If you have a home edition of Windows then sometimes it’s easier to simply set this in the registry. Locate and execute regedit.

Navigate to.

[box]

Computer > HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > SearchSettings > IsDynamicSearchBoxEnabled

[/box]

Set to 0 (Zero) for Disabled.

Allow Search Highlights Option Missing From GPO

If you attempt to disable this but find the option missing like so.

You need to update your policy definitions for Windows 11 the updates are here and here. When you execute the updates, it will put the policy definisions in an odd place make sure you take a note of where the definisions are getting put.


Now you simply need to copy the ADMX and ADML files to the correct location on one of your domain contollers, to understand how to do that read the following article.

Setup up a Central ‘PolicyDefinitions’ Store (for ADMX files)

Related Articles, References, Credits, or External Links

NA

In Place Upgrade of Window Server

 In Place Upgrade KB ID 0001895

Problem

An in-place upgrade of a Windows Server, where you update an existing server installation to a newer version without reinstalling from scratch, can be a powerful way to bring older infrastructure up to date without the lengthy process of rebuilding a system and restoring data. The allure of this method lies in its simplicity and time efficiency; theoretically, you can go from, say, Windows Server 2016 to Windows Server 2022 with much less downtime, keeping configurations, applications, and user data intact. This can be especially appealing in scenarios where budget or time constraints make a full migration impractical, or for environments where a server holds critical roles that are complex to reconfigure from scratch.

However, while in-place upgrades have their perks, they aren’t without pitfalls. For starters, there’s always a risk of compatibility issues, especially if the server runs legacy software that might not play nicely with the new OS version. Performance problems can also arise, as remnants of old files and configurations may lead to a less than optimised system, compared to a clean installation. Additionally, any existing issues on the server, such as misconfigurations, registry bloat, or malware, can carry over to the new version, potentially causing instability. Therefore, before deciding on an in-place upgrade, it’s essential to weigh these pros and cons carefully, considering both the potential gains and risks based on your environment and long-term plans.

As I’ve previously stated, I prefer to do in place upgrades, If you have less than 50 servers and an IT support team, you may want to plan a clean install and data migration, but there comes a point where that’s simply not practical. My firm looks after more than 10 thousand Windows servers, and when a ‘wave’ of them goes outside of supportability – We either stop supporting them or offer and in-place upgrade.

Windows Server In Place Upgrade Paths

Current OS Upgrade Path to Windows Server 2022 Upgrade Path to Windows Server 2025
Windows Server 2008 Upgrade to Windows Server 2008 R2 → Upgrade to Windows Server 2012 R2 → Upgrade to Windows Server 2019 → Upgrade to Windows Server 2022 Upgrade to Windows Server 2008 R2 → Upgrade to Windows Server 2012 R2 → Upgrade to Windows Server 2019 → Upgrade to Windows Server 2025
Windows Server 2008 R2 Upgrade to Windows Server 2012 R2 → Upgrade to Windows Server 2019 → Upgrade to Windows Server 2022 Upgrade to Windows Server 2012 R2 → Upgrade to Windows Server 2019 → Upgrade to Windows Server 2025
Windows Server 2012 Upgrade to Windows Server 2012 R2 → Upgrade to Windows Server 2019 → Upgrade to Windows Server 2022 Upgrade to Windows Server 2012 R2 → Upgrade to Windows Server 2019 → Upgrade to Windows Server 2025
Windows Server 2012 R2 Upgrade to Windows Server 2019 → Upgrade to Windows Server 2022 Upgrade to Windows Server 2019 → Upgrade to Windows Server 2025
Windows Server 2016 Direct upgrade to Windows Server 2022 Direct upgrade to Windows Server 2025
Windows Server 2019 Direct upgrade to Windows Server 2022 Direct upgrade to Windows Server 2025
Windows Server 2022 NA Direct upgrade to Windows Server 2025

Note: Server 2025 information is not official at time of writing, information was provided my Microsoft Copilot.

Solution : In Place Upgrade

In Place Upgrade Planning and Pre Upgrade Steps

As well as making sure you have the compute and storage requirements (of the OS that you are upgrading to), make sure your hardware and/or Hypervisor supports the target OS. Then you have things to consider.

  • Roles And Features.
  • Microsoft Applications.
  • Third Party Applications.

Roles and Features: these are add-on components to the OS that you can enable (add) or disable (remove). Some common ones like DNS server or DHCP server, we just accept and don’t even worry about, but what about roles like certificate services? or a feature like NDES? What if the server is a domain controller? I’ll attempt to answer SOME of those questions below, but this is another reason why you should check, research, and test before upgrading

Show all Roles and Features With PowerShell

[box]

Get-WindowsFeature

[/box]

Microsoft Applications: Here I’m talking about things like Microsoft Exchange, Microsoft SQL, Microsoft Teams etc. Each one of those have their own dependancies OS requirements an upgrade paths that you may need to take into consideration. My personal preference is to migrate these applications onto new clean servers rather than in-place upgrade. I’ve done two in place upgrades of Exchange on the test bench and both of those were 100% successful, I’d be less happy doing them in production, and I’ve got a lot of articles showing you how to upgrade and migrate Exchange, I suggest you look there first! 

Third Party Applications: This will vary from use case to use case, but consider your AV and security products, do they support the new OS? Does you backup and replication software support the new OS. That’s before you look at you line of business or back office applications like print management software, or the software that controls your building access for example.

Show all Installed Software With PowerShell

[box]

Get-WmiObject -Class Win32_Product

[/box]

In Place Upgrade ‘Pre-flight checks’

Most servers these days are virtualised, and time spent on reconnaissance is seldom wasted, If you are considering in place upgrading anything, I would urge you to clone those machines, sandbox them, and perform the in place upgrade in isolation, this will give you a change to do some functional (post upgrade) testing of both the server OS, its installed roles and any third pert applications.

As with all things infrastructure, you’re only as good as your last backup, before doing anything MAKE SURE you have a reliable (tested!) backup. Not just for the server you intend to upgrade but for any server that has a service or software dependency on the server you intend to upgrade.

Ensure the upgrade server is FULLY UPDATED before proceeding.

If the server is virtual, we also have the advantage, to take a snapshot prior to upgrade. (You can even clone a copy and keep it on standby) .

In Place Upgrade Process

Well it’s 95& preparation and 5% execution, the actual upgrade process is alarmingly simple. Present the installation media ISO to the source server, (or copy the files to the server and run setup.exe)

At the welcome screen > Next > At this point the system may take some down getting update’s > Enter the Windows activation code for the new server OS > Next > Select the version you want to install, remember if you want a server with a GUI interface, select the Desktop Experience option > Next.

At the EULA screen > Accept > Select “Keep files settings and apps” > Next > Install.

At this point the upgrade will take place, the server may reboot, but the upgrade process will continue.

When complete, you will be looking at a login screen, simply authenticate with the same credentials as before.

In Place Upgrade of Domain Controllers

Yes it’s possible, yes I’ve done it multiple times, if all the server is doing is performing Active Directory domain services and other common roles like DNS and DHCP, then I would not bother in place upgrading a domain controller, I’d simply build a fresh one, then decommission the old one (possibly needing to migrate FSMO roles)

But I’ve said its possible, just beware you may come across this error during the upgrade.

Active Directory on this domain controller does not contain Windows Server {version} ADPREP / FORESTPREP updates

This one is pretty much self-explanatory, and makes complete sense if you’ve spent any time deploying domains controllers! Well of course it doesn’t! Think about it if this is the first domain controller with the new OS in the domain, the schema has not been updated for that version of domain controller, which would happen if you were installing a DC from scratch. Here there’s only one server in the domain, and I’m on it. DON’T CLOSE THE UPGRADE WINDOW.

Open a administrative command window and change to the D:\Support\Adprep directory, run adprep.exe /forestprep and when prompted press C {Enter} to continue.

I prefer to also perform a adprep.exe /domainprep  also, but you can progress in the upgrade without doing this, below I’m performing the command within PowerShell so I’m using ./adprep.exe /domainprep.

In Place Upgrade of Servers Running Certificate Services

Can you do this? Yes – Even if you have a multi-tier PKI deployment. see here I’ve personally done this twice (Server 2016 > Server 2022 and Server 2019 > Server 2022) and both were 100% successful. You can of course perform a traditional migration of Certificate Services to another server.

In Place Upgrade of Servers Running DHCP

I would not even worry about this, if you wanted to migrate a DHCP scope to another server it’s easy as peas. But in place upgrade of a DHCP server is not a concern. Even if they are performing DHCP HA

In Place Upgrade of Servers Running NPS (Network Policy Server)

I’ve done this successfully, if you wanted to migrate this role manually then simply see the following article Migrate NPS Server.

In Place Upgrade of Servers Running RDS (Remote Desktop  Services)

Whilst supported be aware that if you upgrade you RDS licensing server, ensure you have CALs/Licenses (or SALS if you’re SPLA licensed) that support the new version of Windows. e.g. 2016 RDS CALs will work with Server 2019 but will not with Server 2022. If you have problems ‘post upgrade‘ delete the following folder “\windows\system32\lserver ” then relicense correctly with new CALs/SALs.

Invitation

If you’re reading this and considering an in place upgrade there may be a role or feature, or piece of software your server is running I’ve not covered. If so please bookmark this article, and return later, then post below what OS you upgraded from and to, and what Role/Feature/Software you were running. Was it a seamless procedure, or did you encounter a problem, error message, of complete failure? Please post your follow ups below to help the next person.

Related Articles, References, Credits, or External Links

In Place Upgrade Windows 2016 to Windows 2019

Upgrade Server 2012 (In Place)

Copy Error 8×80070780

Error 8×80070780 KB ID 0001896

Problem

This is a really strange one, when attempting to copy a file from a network location to another Windows server, I got this error.

Error 0x80070780: the file cannot be accessed by the system

Solution : Error 8×80070780

I did some searching, and got the usual annoying, run CHKDSK, reformat drives, one poster had even replaced the computer with another one! I came across one post that didn’t fix the problem but pointed me in the right direction. the SOURCE location (I was copying from) was the folder I use on one of my test servers is a DROPBOX folder, I use it so I cand download files on my MacBook, and they sync to the server for me to use on my test network. I was attempting to copy a file (in this case a license file for Veeam) to my Veeam server, by opening an Explorer window on the Veeam server, browsing to the NETWORK location on the Dropbox folder on another server.

Why is that relevant? Well, I thought if I could not copy it TO the destination by initiating the copy on the destination server, what if I went to the SOURCE server and browsed to the destination servers C drive and initiated the copy FROM the source.

Which worked perfectly. Admittedly this is a work around more than a fix, but my Veeam is licensed, I’m happy, move on.

Related Articles, References, Credits, or External Links

NA

Microsoft Blue Screen of Death (BSOD)

BSOD KB ID 0001882

Problem

Recovering from a Microsoft Blue Screen of Death (BSOD) involves several steps to diagnose and resolve the issue. Here is a systematic approach to help you recover from a BSOD.

Solution : BSOD Resolution.

 

Note: If using Crowdstrike (18th Jul 2024) or you’re Stuck at the recovery screen. The problem is being worked on Ref:

TEMPORARY WORK AROUND

 

  1. Boot Windows into Safe Mode or WRE.
  2. Go to C:\Windows\System32\drivers\CrowdStrike
  3. Locate and delete file matching “C-00000291*.sys”
  4. Boot normally.

Alternative Crowdstrike Fix (from the recovery screen)

If you’re stuck at the recovery screen, try these steps:

  1. Click on ‘See advanced repair options’ on the Recovery screen.
  2. In the Advanced Repair Options menu, select ‘Troubleshoot’.
  3. Next, choose ‘Advanced options’.
  4. Select ‘Startup Settings’.
  5. Click on ‘Restart’.
  6. After your PC restarts, you will see a list of options. Press 4 or F4 to start your PC in Safe Mode.
  7. Open Command Prompt in Safe Mode.
  8. In the Command Prompt, navigate to the drivers directory: cd \windows\system32\drivers
  9. To rename the CrowdStrike folder, use ren CrowdStrike CrowdStrike_old

Alternative Crowdstrike Fix (For Virtual Machines)

  1. Attach an the system disk of the affected machine asunmanaged disk to another VM for offline repair (Note:Disks that are encrypted may need these additional instructions: Unlocking an encrypted disk for offline repair
  2. Once the disk is attached, customers can attempt to delete the following file. “Windows/System/System32/Drivers/CrowdStrike/C00000291*.sys
  3. The disk can then be detached and re-attached to the original VM.

 

1. Note the BSOD Error Code

When a BSOD occurs, an error code is displayed on the screen. This code can be crucial in diagnosing the problem. Write down the error code and any associated information.

2. Restart Your Computer

Sometimes, a simple restart can resolve the issue. However, if the BSOD persists, proceed to the next steps.

3. Boot into Safe Mode

Safe Mode loads a minimal set of drivers and services. Booting into Safe Mode can help you determine if a default setting or basic device driver is causing the issue.

  • Windows 10/11:
    1. Restart your computer.
    2. As soon as your computer starts, press the F8 key repeatedly until the Advanced Boot Options menu appears.
    3. Select “Safe Mode” or “Safe Mode with Networking.”

4. Check for Hardware Issues causing BSOD

  • Disconnect External Devices: Unplug all external devices (USB drives, printers, etc.) and restart your computer to see if the BSOD persists.
  • Run a Memory Check: Use Windows Memory Diagnostic tool to check for memory issues.
    • Press Windows + R, type mdsched.exe, and press Enter.
    • Choose “Restart now and check for problems.”

5. Update or Roll Back Drivers

  • Update Drivers:
    • Open Device Manager (Windows + X > Device Manager).
    • Expand categories and update any drivers with a yellow exclamation mark.
  • Roll Back Drivers:
    • In Device Manager, right-click the driver causing the issue, select “Properties,” go to the “Driver” tab, and select “Roll Back Driver.”

6. Check for Software Issues

  • Uninstall Recent Software: Uninstall any software or updates installed recently.
    • Go to Settings > Apps > Apps & features and uninstall the problematic software.
  • Run System File Checker (SFC):
    • Open Command Prompt as Administrator.
    • Type sfc /scannow and press Enter.

7. Perform a System Restore

If the BSOD started after a recent change, performing a System Restore can revert your computer to a previous state.

  • Go to Control Panel > System and Security > System > System Protection > System Restore.
  • Follow the prompts to choose a restore point.

8. Check Disk for Errors

  • Open Command Prompt as Administrator.
  • Type chkdsk /f /r and press Enter.
  • Restart your computer to allow the check to run.

9. Update Windows

Ensure your Windows operating system is up to date.

  • Go to Settings > Update & Security > Windows Update and check for updates.

10. Perform a Clean Boot

A clean boot helps eliminate software conflicts.

  • Press Windows + R, type msconfig, and press Enter.
  • Go to the “Services” tab, check “Hide all Microsoft services,” and click “Disable all.”
  • Go to the “Startup” tab, open Task Manager, and disable all startup items.
  • Restart your computer.

11. Reset or Reinstall Windows

If none of the above steps work, you may need to reset or reinstall Windows.

  • Reset This PC:
    • Go to Settings > Update & Security > Recovery > Reset this PC.
    • Choose whether to keep your files or remove everything.
  • Reinstall Windows: Backup your data and perform a clean installation using a bootable USB drive with the Windows installation media.

Additional Tools and Resources

  • BlueScreenView: A utility to view minidump files created during BSODs.
  • WhoCrashed: Analyzes crash dumps to determine the cause of the crash.

Related Articles, References, Credits, or External Links

NA

Disable NTLM

Disable NTLM KB ID 0001880

Problem

NTLM (NT LAN Manager) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users in a network. It is an older protocol that has been largely replaced by Kerberos, (since Server 2008 and windows Vista!) In modern Windows environments due to its enhanced security features. NTLM is a challenge-response authentication protocol used to authenticate a client to a resource on a network. It operates in three versions: NTLMv1, NTLMv2, and NTLMv2 Session Security.

Key Components

Authentication Process:

    • Challenge-Response Mechanism: NTLM uses a challenge-response mechanism where the server challenges the client, and the client responds with a value that proves its knowledge of the user’s password.
    • Session Security: Provides confidentiality (encryption) and integrity (signing) for data sent over the network.

NTLM Versions:

    • NTLMv1:
      • Uses DES (Data Encryption Standard) for encryption.
      • The client sends a hashed password, and the server compares it to the stored hash.
      • Known for its vulnerabilities, including susceptibility to replay attacks and weak password hashes (LM hashes).
    • NTLMv2:
      • Introduced to address the security shortcomings of NTLMv1.
      • Uses HMAC-MD5 for cryptographic operations.
      • Provides stronger encryption and better resistance to replay attacks.
      • Supports mutual authentication where both client and server authenticate each other.
    • NTLMv2 Session Security:
      • Provides additional security by creating a session key based on both client and server challenge-response pairs.
      • Ensures integrity and confidentiality for the session.

Components of NTLM:

    • User Authentication: Verifies the identity of a user or system requesting access.
    • Message Integrity: Ensures that messages are not tampered with during transmission.
    • Message Confidentiality: Encrypts messages to protect sensitive information.

Security Weaknesses

  1. NTLMv1:
    • Weak Hashing (LM Hash): The LM hash is derived from passwords in a way that is susceptible to brute-force attacks.
    • Replay Attacks: Can be exploited to reuse valid authentication tokens.
    • Lack of Mutual Authentication: Only the client is authenticated, not the server.
  2. NTLMv2:
    • Improved but Still Vulnerable: While it significantly improves upon NTLMv1, it is still not as secure as Kerberos and can be vulnerable to certain types of attacks, especially in environments where NTLMv1 is still supported for backward compatibility.

Deprecation and Modern Alternatives

  • Kerberos: Introduced in Windows 2000, Kerberos provides stronger security features, including mutual authentication, and is now the default authentication protocol in Active Directory environments.
  • Recommendations: Organizations are encouraged to disable NTLM where possible, particularly NTLMv1, and to use Kerberos or other modern authentication protocols.

In Summary

NTLM played a crucial role in early Windows network security, providing a means of authenticating users and securing communications. However, due to its security vulnerabilities, especially in NTLMv1, it has been largely replaced by more secure protocols like Kerberos. NTLMv2 offers improvements but is still not as robust as modern alternatives, making it advisable for organizations to phase out NTLM in favour of stronger authentication methods.

As of Jun 2024 Microsoft has declared that NTLM (all versions) are depreciated.

Solution : Disable NTLM

Developers are being encouraged to STOP using NTLM, and the advice is to set your systems to ONLY use NTLM if Kerberos is not available. You first challenge is to find out what (if anything) is still using NTLM.

On your server(s) look in the (Security) Event logs for Event ID 4624 That mentions NTLM.

But there’s thousands of Event ID 4624 events, so let’s narrow the search with some PowerShell.

[box]

$query= @"
    <QueryList> 
           <Query Id="0"> 
              <Select Path="Security"> 
                *[System[(EventID='4624')]] 
                 and 
                *[EventData[Data[@Name='AuthenticationPackageName'] and (Data='NTLM')]]
               </Select> 
           </Query> 
    </QueryList>
"@
Get-WinEvent -FilterXml $query

[/box]

Now I can review each of those events (by their time stamp!) and I’ve only got two offenders to investigate.

You can also have a reconnoitre with WireShark, and scan for ntlmssp.

Disable NTLM v1

It’s considered best practice to disable NTLM version 1 first, then wait for a while (a period of a few weeks,) then you can attempt to disable NTLM version 2 also.

Edit the Default Domain Controller Policy and Navigate to.

[box]

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options >  
Network Security: LAN Manager Authentication Level

[/box]

Settings;

  • Send LM and NTLM responses
  • Send LM and NTLM (use NTLMv2 session security if negotiated)
  • Send NTLM response only
  • Send NTLMv2 response only
  • Send NTLMv2 response only, Refuse LM: Domain controllers offer only NTLMv2 but still accept NTLMv1 authentication.
  • Send NTLMv2 response only, Refuse LM and NTLM: Domain controllers refuse LM and NTLMv1, accepting only NTLMv2.

To keep NTLM v2 and disable NTLM v1 choose the last option.

WARNING: This will effectively tattoo this setting into registry of the domain controller(s), even if you have a problem and revert the setting back to not defined, it will remain. If that happens to you, you can manually change the setting in the registry at.

[box]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

[/box]

 

There’s six settings (0 to 5) that correspond to the ones in the group policy for further information see this article.

Disable NTLM Completely

Before proceeding its a good idea to enable the “Restrict NTLM: Audit NTLM authentication in this domain” policy then waiting a while longer and reviewing the logs, if something does appear you can simply add it to the “Restrict NTLM: Add server exceptions in this domain” policy

This time in the default domain controller’s policy navigate to.

[box]

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options >  
Network Security: Restrict NTLM: NTLM authentication in this domain

[/box]

  • Disable: the policy is disabled (NTLM authentication is allowed in the domain).
  • Deny for domain accounts to domain servers: the domain controllers reject NTLM authentication attempts for all servers under the domain accounts, and the “NTLM is blocked” error message is displayed.
  • Deny for domain accounts: the domain controllers are preventing NTLM authentication attempts for all domain accounts, and the “NTLM is blocked” error appears.
  • Deny for domain servers: NTLM authentication requests are denied for all servers unless the servername is on the exception list in the “Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain” policy.
  • Deny all: the domain controllers block all NTLM requests for all domain servers and accounts.

To stop client computers attempting to connect with NTLM you can edit the Default Domain Policy.

  • Network security: Restrict NTLM: Incoming NTLM traffic = Deny all accounts
  • Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers = Deny all

Related Articles, References, Credits, or External Links

NA

Windows Server Evaluation Extending & Converting

Server Evaluation Extending & Converting KB ID 0001879

Problem

If you download and install Windows Server evaluation, you get 180 days grace to upgrade it to a full licensed version. Now the internet is awash with articles telling you how you can extend that – In fact you can extend it by 180 days a further SIX TIMES. But what they fail to tell you, is this only works if you DONT LET IT EXPIRE. Once you’ve breached the 180 days you cannot extend it by 180 days (If you try you only get 10 days grace!)

Day 1

After 180 Days

Solution: Server Evaluation Extending

When the server is first deployed you will have 180 days and SIX REARMS available, which you can see with the following command.

[box]

slmgr -dlv

[/box]

Assuming you are within the 180 day period you can simply extend by 180 days with the following command.

[box]

slmgr -rearm

[/box]

Once rebooted you can check status with the same command we used above (slmgr -dlv).

Solution: Server Evaluation Extending (If Expired)

If you have been on the server it would have warned you with prompts like this.

What Happens If The Windows Server Evaluation License Expires?

The server will shut itself down, 1 hour after it has been powered on, (after logging Event ID 1074).

Event ID 1074
The License period for this installation of Windows has expired. the operating system is shutting down.

As mentioned above you can give yourself some breathing room (assuming you have a rearm count of 1 or more) by using the same command to extend (slmgr – rearm). But you will only get 10 days grace to enter a valid key/activation code.

Converting Windows Server Evaluation To Full Version

The other option, and of course what Microsoft want you to do, is convert the evaluation version to a full version. You can see what versions are available by running the following command.

[box]

DISM /Online /Get-TargetEditions

[/box]

My only option is ServerDatacenter – so I can convert to that version and enter a valid Windows Key to licence the server at the same time.

[box]

DISM /Online /Set-Edition:ServerDatacenter /ProductKey XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /AcceptEula

[/box]

Then (when asked) reboot the server to complete the procedure.

Note: Before you email me to point out there’s a Windows licence key in that screenshot (above) that’s the Windows Server 2022 KMS Key.

Related Articles, References, Credits, or External Links

NA

Windows Create NFS Share

Windows Create NFS Share KB ID 0001869

Problem

It has been a while since I mentioned this, but if you have a Windows server, and you would like to present an NFS Share, the process is pretty straight forward. The following procedure was carried out on Windows Server 2022, but the process is pretty much the same going all the way back to Server 2012.

Solution : Windows Create NFS Share

Install Server for NFS (GUI)

You need to add the “Server For NFS” Server role. Server Manager > Manage > Add roles and features >  Next > Next > Next  > Next > Expand  “File and Storage Services” > Expand “File and ISCSI Services” > Server for NFS > Next > Next > Next > Install.

 

Install Server for NFS (PowerShell)

I much prefer this method. From an Administrative PowerShell prompt, use the following command.

[box]

Install-WindowsFeature FS-NFS-Service -IncludeManagementTools 

[/box]

Note: In some instances you may be asked to reboot (post role installation.)

Windows Create NFS Share

Assuming you have a folder to share > Right Click > Properties > NFS Sharing > Manage NFS Sharing > Tick ‘Share this folder” > Permissions > Change access to ‘Read and Write” and tick allow root access > OK > Apply > OK > Apply > OK.

Related Articles, References, Credits, or External Links

Windows NFS Overview

Migrate to Microsoft Entra Connect

 Migrate to Microsoft Entra Connect KB ID 0001857

Problem

You want to migrate from Microsoft Azure AD Connect to Microsoft Entra ID connect.

Let me let you into a secret, (at time of writing) Entra ID connect and Azure AD connect ARE THE SAME THING, if you go to download Entra ID connect, the file you will download is called AzureADConnect.msi. So what you want to do is, upgrade Azure AD Connect.

If your existing Azure AD connect is running on Window Server 2016 (or newer) you can simply ‘in place upgrade‘ the existing Azure AD connect to version 2 and there’s no need to migrate anything.

If you MUST Migrate, because you are deploying on a new server for example, the process is straight forward.

  • Install on New Server and put into Staging Mode.
  • Put Old Server into Staging Mode.
  • Take New Server out of  Staging Mode, (ensure there are no errors/problems).
  • Uninstall from Old Server.

Solution: Migrate to Microsoft Entra Connect

So if you simply want to perform an in place upgrade because your OS is Windows Server 2016 (or newer), use the following article.

Upgrade Azure AD Connect

If you’ve made it this far then you are WANTING to Migrate to Microsoft Entra ID Connect, or as previously mentioned migrate to Azure AD connect on another server!

Migrate to Microsoft Entra Connect Step One: Export Settings

On the Old Server, launch the Azure AD connect shortcut > Configure.

Select  ‘View or export current configuration’ > Next.

Export Settings > Save them (by default in C:\ProgramData\AADConnect) > Save > Exit.

Migrate to Microsoft Entra Connect Step Two: Import Settings

Assuming you’ve done nothing other than download the install package on the new server  > Run the installer package > Agree to the EULA > Continue.

Customise.

Select ‘Import synchronisation settings > In the Location section enter \\old-server-name\c$\ProgramData\AADConnect\filename.json >  Install.

From this point forward I will assume you want everything set the same, so other than usernames and passwords accept the defaults > Next.

Enter the password to authenticate to M365/Azure AD.

This next screen can be confusing because you can’t click Next, and it’s not apparent why! Next to your domain there should be a green tick, if there’s a red cross you need to select ‘change password’ > Then enter the (local AD account) account you use for synchronisation > Next.

Next.

Both options should be ticked by default > Install.

Exit.

Migrate to Microsoft Entra Connect Step Three: Put Old Server Into Staging Mode

I find this much easier to do with PowerShell, but I’ll put the graphical procedure below if you prefer. Issue the following two commands.

[box]

$aadSyncSettings=Get-ADSyncGlobalSettings
$aadSyncSettings.parameters

[/box]

Locate the ‘Microsoft.synchronize.StagingMode‘ section and you will see its value is set to ‘False‘ i.e. staging mode is NOT enabled (or it’s in production mode).

To change the value to ‘True‘ i.e. enable staging mode use the following command.

[box]

($aadSyncSettings.parameters | ?{$_.name -eq "Microsoft.Synchronize.StagingMode"}).value="True"
Set-ADSyncGlobalSettings $aadSyncSettings

[/box]

You can then  confirm that the staging mode value is set to ‘True’ with the following command.

[box]

$aadSyncSettings.parameters

[/box]

Migrate to Microsoft Entra Connect Step Four: Take the New Server Out of Staging Mode

On the New Server, use the following two commands.

[box]

$aadSyncSettings=Get-ADSyncGlobalSettings
($aadSyncSettings.parameters | ?{$_.name -eq "Microsoft.Synchronize.StagingMode"}).value="False"
Set-ADSyncGlobalSettings $aadSyncSettings

[/box]

You can then  confirm that the staging mode value is set to ‘False’ with the following command.

[box]

$aadSyncSettings.parameters

[/box]

Migrate to Microsoft Entra Connect Step Five: Check for Errors

On Premises: You can look in ‘Azure AD Connect Synchronisation Service.’

Microsoft 365: The main Admin console will tell you (in the user management pane).

Microsoft Entra Admin Panel: Look under identity > Provision from Active Directory.

Alternate Steps to Enable Staging Mode (From GUI)

On the Old Server, launch the Azure AD connect shortcut > Configure.

Configure Staging Mode > Next.

Enter your admin password > Next.

Tick to select ‘Enable Staging Mode‘ > Next.

Configure.

Exit

Alternate Steps to Disable Staging Mode (From GUI)

On the New Server, launch the Azure AD connect shortcut > Configure.

Configure Staging Mode > Next

Enter your admin password > Next.

Untick to deselect ‘Enable Staging Mode‘ > Next.

Configure.

Exit

Migrate to Microsoft Entra Connect Step Five: Uninstall Microsoft Azure AD Connect

On the Old Server, search for appwiz.cpl > run it > Select Microsoft Azure AD Connect > Uninstall > Yes > Remove.

Exit.

Related Articles, References, Credits, or External Links

Locate Your Azure AD Connect Server

Azure AD Connect: Correct Or Remove Duplicate Values

Cannot Recreate Azure AD ‘Local’ AD Connector

Forcing Azure AD Connect Sync