If you want to enable virtualisation in a VM that is running inside Hyper-V (itself a hypervisor), then you need to expose the virtualisation elements of the physical host's processor to the nested VM.
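As an added example (not the article's own code), this is the host-side PowerShell that exposes the processor's virtualisation extensions to a guest, with the two checks that usually trip people up: the VM must be off, and dynamic memory must be disabled. It assumes the Hyper-V module on the host and an elevated session; the VM name is a placeholder.

```powershell
# Added example: enable nested virtualisation for one Hyper-V guest.
# Assumes: run on the Hyper-V host as an administrator; 'NESTED-HOST-01' is a placeholder.
function Enable-NestedVirtualization {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$VMName)

    $vm = Get-VM -Name $VMName -ErrorAction Stop

    # Processor settings can only be changed while the VM is powered off.
    if ($vm.State -ne 'Off') {
        throw "VM '$VMName' is $($vm.State); shut it down before changing processor settings."
    }

    # A VM that exposes virtualisation extensions cannot use dynamic memory.
    if ($vm.DynamicMemoryEnabled) {
        if ($PSCmdlet.ShouldProcess($VMName, 'Disable dynamic memory')) {
            Set-VMMemory -VMName $VMName -DynamicMemoryEnabled $false
        }
    }

    if ($PSCmdlet.ShouldProcess($VMName, 'Expose virtualisation extensions')) {
        Set-VMProcessor -VMName $VMName -ExposeVirtualizationExtensions $true
    }

    # Read the setting back so the caller can confirm it took effect.
    Get-VMProcessor -VMName $VMName |
        Select-Object VMName, Count, ExposeVirtualizationExtensions
}

# -WhatIf reports what would change without touching the VM.
Enable-NestedVirtualization -VMName 'NESTED-HOST-01' -WhatIf
```

If the VMs inside the nested host need network access through the outer VM's adapter, MAC address spoofing on that adapter (Set-VMNetworkAdapter -MacAddressSpoofing On) is also required.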
Originally released in 2023, Microsoft 365 Backup is now generally available. Microsoft 365 Backup is a comprehensive backup and recovery solution designed to protect your critical data stored in OneDrive, SharePoint, and Exchange*. This service ensures that your data is always recoverable, providing peace of mind in the face of potential data loss scenarios like ransomware attacks, accidental deletions, or data corruption.
*Note: As of now, it does not include native backup options for Microsoft Teams. The service primarily covers only OneDrive, SharePoint, and Exchange data. However, you can set retention policies and archive Teams, which helps maintain the retention of Teams data. For comprehensive Teams backup, you might need to look into third-party solutions like Veeam (which offers backup and restore options for Teams, including Channels, Tabs, Posts, and Files).
Microsoft 365 Backup Key Features
Ultra-Fast Recovery
One of the standout features is its fast recovery times. Microsoft claims that mass restores can be up to 20 times faster than traditional backup methods. This means you can get your business back up and running quickly, minimising downtime and disruption.
Comprehensive Coverage
Microsoft 365 Backup covers the following data:
OneDrive: Backup and restore entire accounts or specific files.
SharePoint: Full site backups with the ability to restore to specific points in time.
Exchange: Granular item restores, including emails, contacts, and calendar items.
Security and Compliance
Security is a top priority with Microsoft 365 Backup. The service keeps your backups within the Microsoft 365 trust boundary, reducing the risk of security breaches. Additionally, it complies with major regulations like GDPR, ensuring your data is handled with the utmost care.
Microsoft 365 Backup: How It Works
Microsoft 365 Backup operates through the Microsoft 365 admin centre and is available as a standalone pay-as-you-go (PAYGO) solution. There are no additional license requirements, making it accessible and straightforward to implement.
Backup Process
Initiate Backup: Use the admin centre to select the data you want to back up.
Automated Backups: The service automatically creates backups at frequent intervals, ensuring you always have recent recovery points.
Storage: Backups are stored securely within the Microsoft 365 infrastructure.
Recovery Process
Select Recovery Point: Choose the specific point in time you want to restore from.
Restore Data: Initiate the restore process, and your data will be recovered quickly and efficiently.
Microsoft 365 Backup: Partner Integrations
Microsoft 365 Backup also supports integrations with third-party backup solutions through the Microsoft 365 Backup Storage platform. This allows independent software vendors (ISVs) to build applications that leverage the same high-speed recovery and security features.
Getting Started
PAYGO: Ensure you have set up “Pay as you go” billing.
Access the Admin Center: Log in to your Microsoft 365 admin centre. (Assuming you are a global administrator or SharePoint administrator)
Navigate to Backup: Find the backup section (within settings) and follow the prompts to set up your backups.
Monitor and Manage: Use the admin centre to monitor backup status and manage recovery points.
Points to Note
At the time of writing this will cost $0.15 per GB per month in backup storage.
When restoring SharePoint site(s) ensure sites are not locked in a read-only state.
Default retention period is 1 year (RPO: Exchange every 10 minutes for 1 year; SharePoint/OneDrive every 10 minutes for the last 14 days, then every week for weeks 2 to 52).
Exchange full mailbox or granular item restores are available.
Related Articles, References, Credits, or External Links
I had a bunch of old user profile folders I needed to delete today. When set up properly, even the domain administrator can’t get in there and delete them:
You need permission to perform this action.
You don’t currently have permission to access this folder
If it’s just one folder then simply take ownership, grant yourself rights and delete it! But I had a lot of folders so I needed a more robust (read less work) solution.
Solution: Take Ownership
Take Ownership of all Folders/Sub-Folders, and Files
Open an administrative command window, and execute the following command;
[box]
takeown /a /r /d Y /f "C:\Path-To-Folder"
[/box]
Grant ‘Full Control’ Rights to all Folders/Sub-Folders, and Files
Just because you are the owner does not mean you have any rights to the folders and files, so the next step is to grant full control to the administrators group.
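For the "lots of folders" case, the following added example (not the article's own script) wraps both steps, take ownership then grant full control, in a function that accepts a list of paths, and only deletes when asked. It assumes an elevated PowerShell session and uses placeholder profile paths.

```powershell
# Added example: reclaim and optionally delete a list of old profile folders.
# Assumes: elevated PowerShell; paths below are constructed placeholders.
function Restore-FolderAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Path,
        [switch]$Delete
    )
    process {
        if (-not (Test-Path -LiteralPath $Path)) {
            Write-Warning "Skipping '$Path': not found"
            return
        }
        if ($PSCmdlet.ShouldProcess($Path, 'Take ownership (Administrators, recursive)')) {
            # /a = give ownership to the Administrators group, /r = recurse,
            # /d Y = answer Yes when a directory listing is denied
            # (the expected letter is language dependent; Y is for English systems).
            & takeown.exe /a /r /d Y /f $Path | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "takeown failed on '$Path' (exit $LASTEXITCODE)" }
        }
        if ($PSCmdlet.ShouldProcess($Path, 'Grant Administrators full control (recursive)')) {
            # Ownership alone confers no access. *S-1-5-32-544 is the well-known
            # SID of BUILTIN\Administrators, so this works regardless of locale;
            # (OI)(CI)F = full control inherited by files and sub-folders,
            # /t = recurse, /c = continue past individual errors.
            & icacls.exe $Path /grant '*S-1-5-32-544:(OI)(CI)F' /t /c | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "icacls failed on '$Path' (exit $LASTEXITCODE)" }
        }
        if ($Delete -and $PSCmdlet.ShouldProcess($Path, 'Delete folder')) {
            Remove-Item -LiteralPath $Path -Recurse -Force
        }
    }
}

# Constructed example list; -WhatIf shows each action without changing anything.
'C:\Users\olduser1', 'C:\Users\olduser2' | Restore-FolderAccess -Delete -WhatIf
```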
I’ve done a few migrating to {version} domain controller articles, and today I got asked,
How can you rename the “Server Name” back to the old one after migration? e.g. from “Lan-2025” to “Lan-2019”
So, as the VMs from the last article were still running on the test bench, I ran through it to demonstrate.
Solution: Rename a Domain Controller
Note: if you are not changing the domain controller name to a previous one, and simply want to rename a DC to something else, skip to the “Rename a Domain Controller” section below.
Rename a Domain Controller: Remove Stale DNS records
Never assume that demoting and removing the old DCs does a great job of tidying up DNS; it does not. So before we rename our new DC to the old DC name, let’s make sure there’s nothing ‘hanging about’ that needs to be cleaned up. You can of course go hunting for them manually and remove them, but why, when we have PowerShell? Typically a simple domain will have a “_msdcs.domain-name.domain-extension” and a “domain-name.domain-extension” forward lookup zone. (Your DNS server might have many forward lookup zones, so run through them sequentially.)
I’m starting with my _msdcs.test.net forward lookup zone. First I’m reading in ALL the DNS records for that zone.
[box]
$alldnsrecords = Get-DnsServerResourceRecord -ZoneName "_msdcs.test.net"
# View the results by simply calling that back
$alldnsrecords
[/box]
In my example there are not many records, and I can see there’s none for the old DC name LAN-2019.test.net or for its IP address 192.168.110.10, so I’m skipping to the next step. Yours may have some; if so, you can delete them with the following commands.
As you can see (below) there are a few old records here for the LAN-2019.test.net server, and a few for its old IP address (192.168.110.10). WARNING: I’m making the assumption that your DCs have static IP addresses, that those IP addresses ARE NOT in a DHCP scope, and that some clown HAS NOT issued the old IP to another server!
Let’s filter those records so we just see the ones we are interested in.
And we can remove them with the following. (WARNING: add -WhatIf to the end of the command if you are nervous and want to check what will happen before proceeding; if you are happy, rerun the command without the -WhatIf switch.)
Rename a Domain Controller: Remove Stale Reverse DNS Records
Reverse DNS lookup zones typically are a lot easier to just do manually.
Rename a Domain Controller: Domain Cleanup
There should not be any need to do a metadata cleanup if the demotion and removal went smoothly, but there will probably be some junk left behind. I’ve demoted the old DC and removed it from the domain, but the computer object still remains (in a disabled state); let’s remove that.
Also, often there’s an orphaned object in Sites and Services for the old DC; let’s remove that too.
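The stale-record search above and the domain cleanup here are really one job: find everything that still references the demoted DC by name or IP, then remove it. This added example (not the article's own commands) does both with a -WhatIf safety net, using the article's test values (LAN-2019, 192.168.110.10, _msdcs.test.net, test.net); the reverse zone name is an assumption, and it needs the DnsServer and ActiveDirectory modules on a DC.

```powershell
# Added example: find and (optionally) remove the leftovers of a demoted DC.
# Assumes: DnsServer + ActiveDirectory modules; run on a DC as a domain admin.
function Get-StaleDcDnsRecord {
    param(
        [Parameter(Mandatory)][string[]]$ZoneName,
        [Parameter(Mandatory)][string]$OldHostName,    # short name, e.g. LAN-2019
        [Parameter(Mandatory)][string]$OldIPAddress    # e.g. 192.168.110.10
    )
    foreach ($zone in $ZoneName) {
        Get-DnsServerResourceRecord -ZoneName $zone | Where-Object {
            $data = $_.RecordData
            # Match the record's own name, the old IP, or any record type whose
            # data points at the old host (GUID CNAMEs in _msdcs, NS, SRV, PTR).
            ($_.HostName -eq $OldHostName) -or
            ($_.RecordType -eq 'A'     -and "$($data.IPv4Address)" -eq $OldIPAddress) -or
            ($_.RecordType -eq 'CNAME' -and $data.HostNameAlias -like "$OldHostName.*") -or
            ($_.RecordType -eq 'NS'    -and $data.NameServer    -like "$OldHostName.*") -or
            ($_.RecordType -eq 'SRV'   -and $data.DomainName    -like "$OldHostName.*") -or
            ($_.RecordType -eq 'PTR'   -and $data.PtrDomainName -like "$OldHostName.*")
        } | ForEach-Object {
            # Remember which zone each record came from; removal needs it.
            Add-Member -InputObject $_ -NotePropertyName Zone -NotePropertyValue $zone -PassThru
        }
    }
}

function Remove-StaleDcArtifact {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$ZoneName,
        [Parameter(Mandatory)][string]$OldHostName,
        [Parameter(Mandatory)][string]$OldIPAddress
    )
    # 1. Stale forward/reverse DNS records.
    $records = Get-StaleDcDnsRecord -ZoneName $ZoneName -OldHostName $OldHostName -OldIPAddress $OldIPAddress
    foreach ($rec in $records) {
        $label = "$($rec.RecordType) record '$($rec.HostName)' in zone $($rec.Zone)"
        if ($PSCmdlet.ShouldProcess($label, 'Remove DNS record')) {
            Remove-DnsServerResourceRecord -ZoneName $rec.Zone -InputObject $rec -Force
        }
    }
    # 2. The disabled computer object the demotion leaves behind.
    $computer = Get-ADComputer -Filter "Name -eq '$OldHostName'"
    if ($computer -and $PSCmdlet.ShouldProcess($computer.DistinguishedName, 'Remove computer object')) {
        Remove-ADObject -Identity $computer.DistinguishedName -Recursive -Confirm:$false
    }
    # 3. The orphaned server object (with its NTDS Settings child) under Sites.
    $sitesDn = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
    $server = Get-ADObject -Filter "objectClass -eq 'server' -and Name -eq '$OldHostName'" -SearchBase $sitesDn
    if ($server -and $PSCmdlet.ShouldProcess($server.DistinguishedName, 'Remove server object')) {
        Remove-ADObject -Identity $server.DistinguishedName -Recursive -Confirm:$false
    }
}

# Article's test values; the reverse zone name is an assumption. -WhatIf only reports.
$zones = '_msdcs.test.net', 'test.net', '110.168.192.in-addr.arpa'
Remove-StaleDcArtifact -ZoneName $zones -OldHostName 'LAN-2019' -OldIPAddress '192.168.110.10' -WhatIf
```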
Rename a Domain Controller
Finally! The process is simple: we add a secondary name to the domain controller (the old DC name), then we make that second name the primary name, reboot the server, and remove the unwanted server name. To add a new secondary name, open an administrative PowerShell window and use the following syntax.
[box]
netdom computername LAN-2025.test.net /add:LAN-2019.test.net
# Then to view the results
netdom computername LAN-2025.test.net /enumerate
[/box]
Change the OLD DC name to be the primary with the following command. This will need a reboot of the server, so then execute a Restart-Computer.
REMEMBER: at this point the old and new server names have swapped, so your commands will now assume that (in this case) LAN-2019.test.net is the name of the DC you are on. Once the server has rebooted:
[box]
netdom computername LAN-2019.test.net /enumerate
# Check the new name is listed first, then remove the unwanted name
netdom computername LAN-2019.test.net /remove:LAN-2025.test.net
# Finally check again
netdom computername LAN-2019.test.net /enumerate
[/box]
If you would like to add a new Windows Server 2025 domain controller to an existing domain here is the procedure.
Solution: Server 2025 Domain Controller
Server 2025 Prerequisites
2025 Hardware Requirements
Processor: 1.4 GHz 64-bit processor (or faster) with support for security features.
RAM: Minimum of 512 MB (2 GB for Server with Desktop Experience installation).
Disk Space: Minimum of 32 GB or more, depending on the server installation options.
Network Adapter: Ethernet adapter capable of at least gigabit throughput.
Software Requirements
Operating System: Windows Server 2025 (evaluation version or full licensed version).
Static IP Address: Assign a static IP address to the server before promoting it to a domain controller.
DNS: The server should point to itself for DNS or to another DNS server that is already part of the Active Directory.
User Permissions
You must be a member of the Administrators group on the server where you are installing the ADDS role.
Minimum Required Functional Levels for Windows Server 2025
Note: These are estimated based on the previous versions of Windows Server.
Forest Functional Level:
The minimum forest functional level required for Windows Server 2025 is expected to be Windows Server 2016.
This means all domain controllers within the forest must be running at least Windows Server 2016.
Domain Functional Level:
The minimum domain functional level required for Windows Server 2025 is expected to be Windows Server 2016.
This ensures that all domain controllers within the domain are running at least Windows Server 2016.
Additionally: Ensure your third-party applications also support Windows Server 2025, e.g. AV, MDR, endpoint protection, and backup solutions.
Server 2025 Domain Controller AD Services Role Installation
At this point I’m assuming your 2025 server is fully updated and added to the domain as a member server. Server Manager > Manage > Add Roles and Features.
You can tick ‘Skip by default’ if you wish > Next > Next > Next > Tick ‘Active Directory Domain Services’ > Add Features (as shown) > Next.
Next > Next > Next > Install > When complete click ‘Close’.
Server 2025 Domain Controller: Promote to DC
Once the role is installed, you need to actually promote the server so that it is a domain controller. From within Server Manager you will see you now have a warning triangle at the top of the screen; click it and you will get the option to ‘Promote this server to a domain controller’.
It will automatically assume that you want to promote it to be a DC in the domain that you are in. Ensure that the credentials used have the appropriate rights > Next > Check the Site is correct and enter a new DSRM password > Next > At the warning about ‘A delegation for this DNS server cannot be created…’*
Next > Next > Once the pre-requisite checks have passed > Install.
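The same prerequisite check and promotion can be scripted. This added example (not the article's own code) checks the functional levels the article lists as the expected minimum (Windows Server 2016) and whether the server's IPv4 address is static, then installs the role and promotes the server with the same choices the wizard makes; run it on the 2025 member server as a domain admin. The domain and site names are placeholders, and the DSRM password is prompted for.

```powershell
# Added example: prerequisite check plus role install and promotion.
# Assumes: ActiveDirectory RSAT on the member server; 'test.net' is a placeholder.
function Test-DcPromotionPrerequisite {
    param([Parameter(Mandatory)][string]$DomainName)
    $domain = Get-ADDomain -Identity $DomainName
    $forest = Get-ADForest -Identity $domain.Forest
    # ADForestMode/ADDomainMode enum values grow with OS version; 7 = Windows2016.
    $minLevel = 7
    $ipv4 = Get-NetIPAddress -AddressFamily IPv4 | Where-Object InterfaceAlias -notlike 'Loopback*'
    [pscustomobject]@{
        ForestLevel     = $forest.ForestMode
        ForestLevelOk   = [int]$forest.ForestMode -ge $minLevel
        DomainLevel     = $domain.DomainMode
        DomainLevelOk   = [int]$domain.DomainMode -ge $minLevel
        StaticIPv4      = @($ipv4 | Where-Object PrefixOrigin -eq 'Manual').IPAddress
        DhcpIPv4Present = [bool]($ipv4 | Where-Object PrefixOrigin -eq 'Dhcp')
    }
}

function Install-Server2025Dc {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$SiteName = 'Default-First-Site-Name'
    )
    $pre = Test-DcPromotionPrerequisite -DomainName $DomainName
    if (-not ($pre.ForestLevelOk -and $pre.DomainLevelOk)) {
        throw "Functional level too low: forest $($pre.ForestLevel), domain $($pre.DomainLevel)"
    }
    if ($pre.DhcpIPv4Present -or -not $pre.StaticIPv4) {
        throw 'Assign a static IPv4 address before promoting this server.'
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Install AD DS role')) {
        Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Promote to domain controller in $DomainName")) {
        $dsrm = Read-Host -AsSecureString -Prompt 'New DSRM (Directory Services Restore Mode) password'
        # Wizard equivalent: additional DC in an existing domain, DNS and GC installed,
        # no DNS delegation (the warning the wizard shows), reboot on completion.
        Install-ADDSDomainController -DomainName $DomainName -Credential $Credential `
            -SiteName $SiteName -InstallDns -CreateDnsDelegation:$false `
            -SafeModeAdministratorPassword $dsrm -Force
    }
}

Test-DcPromotionPrerequisite -DomainName 'test.net'
# Install-Server2025Dc -DomainName 'test.net' -Credential (Get-Credential) -WhatIf
```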
If you look in Active Directory Users and Computers > In the Domain Controller OU there, will be your new Domain Controller.
That’s the new Server 2025 domain controller successfully added to the domain. Remember, at this point, if you are retiring any old domain controllers, take a look at the following list of things to think about.
Retiring a Domain Controller Checklist
DNS: Is the retiring domain controller specified in one of your DHCP scopes, or manually specified on servers/endpoints? Common offenders are network printers, VMware ESX servers (or vCenters), non-Windows devices, and hardware appliances.
DHCP: Is the retiring domain controller hosting a DHCP scope, or involved in an HA DHCP scope? If so, this will need migrating.
LDAP/Kerberos/AAA: Are there any devices that look to the IP/name of the retiring domain controller for authentication services, e.g. RSA appliances, firewalls authenticating remote access, door entry or security systems that look up AD users? Note: this includes IAS/NPS.
MFA: Do you have an MFA system that requires Active Directory? If so, does that need migrating?
Email: Modern Microsoft Exchange does not care (as long as DNS works), but older versions needed to look at a specific domain controller, and any third-party email applications may need to do the same.
Third Party Applications: This is a bit of a catch-all, but in most cases (especially in SMB environments) other programs/applications/services get installed on domain controllers. Make sure you know what apps are on the old DC before retiring it, e.g. printer auditing software, third-party password and AD management tools, management consoles for other solutions, agent software for monitoring AD users.
Backups: These days less of an issue, but if your backup solution has an Active Directory element, ensure that post-migration it continues to function normally.
For the demotion and role removal procedure, please see the video (above).
This is how to perform a Windows Server 2025 domain join (local domain). The end process is the same as it’s always been; they’ve just made the job of getting there a little more convoluted (this is the same with Windows 11).
Solution: Windows Server 2025 Domain Join
Before attempting to join the domain, let’s make sure we can ‘resolve’ the domain name, (because most domain join problems are DNS related). Whilst logged in as a (local) administrative user, click the Windows button > Windows PowerShell.
Ensure you can ‘ping’ the domain name (see below). Also, here I verify that the IP address that responds is my domain controller. (Note: this will only work if your DNS has a correctly set up reverse DNS zone!)
Click the Windows button > System.
System > About.
Advanced System Settings.
Computer Name.
Change.
Select ‘Domain’ and enter the domain name > OK > enter credentials that have the rights to join a machine to the domain* > OK
*Note: By default, all domain users have the right to join 10 machines to the domain.
OK > OK.
OK > Restart Now > The server will reboot.
Ensure you don’t mistakenly log on as the local administrator > Other User > Then remember, if you are logging on as the domain administrator, use DOMAIN\Administrator, or administrator@domain-name.domain-extension.
Solution: PowerShell Windows Server 2025 Domain Join
As above, before attempting to join the domain, let’s make sure we can ‘resolve’ the domain name, (because most domain join problems are DNS related).
Use the following syntax.
[box]
Add-Computer -DomainName {your-domain-name}
[/box]
When prompted, provide credentials that have rights to add computer object to the domain.
When successfully joined, you will be asked to reboot.
[box]
Restart-Computer
[/box]
Ensure you don’t mistakenly log on as the local administrator > Other User > Then remember, if you are logging on as the domain administrator, use DOMAIN\Administrator, or administrator@domain-name.domain-extension.
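Since most domain join failures are DNS related, the following added example (not the article's own commands) does the resolution check properly before calling Add-Computer: it looks not just for the domain's A record (what ping tests) but for the DC locator SRV records the join actually depends on. It assumes an elevated local-admin session; 'test.net' and the OU path are placeholders.

```powershell
# Added example: verify DC locator DNS records, then join and reboot.
# Assumes: elevated PowerShell as a local admin; 'test.net' is a placeholder domain.
function Test-DomainDnsResolution {
    param([Parameter(Mandatory)][string]$DomainName)
    # The bare domain name's A records are what 'ping test.net' relies on...
    $a = Resolve-DnsName -Name $DomainName -Type A -ErrorAction SilentlyContinue
    # ...but the join locates a DC through this SRV record.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue
    $dcs = @($srv | Where-Object Type -eq 'SRV')
    [pscustomobject]@{
        Domain         = $DomainName
        DomainARecords = @($a | Where-Object Type -eq 'A' | ForEach-Object IPAddress)
        DcSrvTargets   = @($dcs | ForEach-Object NameTarget)
        Resolvable     = $dcs.Count -gt 0
    }
}

function Join-LocalDomain {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [string]$OUPath    # e.g. 'OU=Servers,DC=test,DC=net' (placeholder); default is CN=Computers
    )
    $dns = Test-DomainDnsResolution -DomainName $DomainName
    if (-not $dns.Resolvable) {
        throw "No DC locator (SRV) records for $DomainName; fix the DNS client settings before joining."
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Join domain $DomainName")) {
        $params = @{
            DomainName = $DomainName
            Credential = Get-Credential -Message "Account with rights to join $DomainName"
        }
        if ($OUPath) { $params.OUPath = $OUPath }
        Add-Computer @params
        Restart-Computer -Force
    }
}

Test-DomainDnsResolution -DomainName 'test.net'
# Join-LocalDomain -DomainName 'test.net' -WhatIf
```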
Leave a Windows Domain Using PowerShell
Firstly I’m making sure I am correctly domain joined by using the following command.
Then to ‘leave’ the domain use the following command.
[box]
Remove-Computer
[/box]
When prompted, reply Y for yes, then to complete the process reboot the server with the following command.
[box]
Restart-Computer
[/box]
Leave a Windows Domain Using GUI
To do the same graphically, it’s just the reverse of a domain join: use the instructions above to get to the following dialog, then select ‘Workgroup’ and enter the workgroup name.
OK > OK.
Close > Restart Now.
Recovering from a Microsoft Blue Screen of Death (BSOD) involves several steps to diagnose and resolve the issue. Here is a systematic approach to help you recover from a BSOD.
Solution : BSOD Resolution.
Note: If you are using CrowdStrike (18th Jul 2024) or you’re stuck at the recovery screen, the problem is being worked on. Ref:
TEMPORARY WORKAROUND
Boot Windows into Safe Mode or the Windows Recovery Environment (WinRE).
Go to C:\Windows\System32\drivers\CrowdStrike
Locate and delete file matching “C-00000291*.sys”
Boot normally.
Alternative Crowdstrike Fix (from the recovery screen)
If you’re stuck at the recovery screen, try these steps:
Click on ‘See advanced repair options’ on the Recovery screen.
In the Advanced Repair Options menu, select ‘Troubleshoot’.
Next, choose ‘Advanced options’.
Select ‘Startup Settings’.
Click on ‘Restart’.
After your PC restarts, you will see a list of options. Press 4 or F4 to start your PC in Safe Mode.
Open Command Prompt in Safe Mode.
In the Command Prompt, navigate to the drivers directory: cd \windows\system32\drivers
To rename the CrowdStrike folder, use ren CrowdStrike CrowdStrike_old
Alternative Crowdstrike Fix (For Virtual Machines)
Attach the system disk of the affected machine as an unmanaged disk to another VM for offline repair. (Note: disks that are encrypted may need these additional instructions: Unlocking an encrypted disk for offline repair.)
Once the disk is attached, customers can attempt to delete the following file: “Windows/System/System32/Drivers/CrowdStrike/C00000291*.sys”
The disk can then be detached and re-attached to the original VM.
1. Note the BSOD Error Code
When a BSOD occurs, an error code is displayed on the screen. This code can be crucial in diagnosing the problem. Write down the error code and any associated information.
2. Restart Your Computer
Sometimes, a simple restart can resolve the issue. However, if the BSOD persists, proceed to the next steps.
3. Boot into Safe Mode
Safe Mode loads a minimal set of drivers and services. Booting into Safe Mode can help you determine if a default setting or basic device driver is causing the issue.
Windows 10/11:
Restart your computer.
As soon as your computer starts, press the F8 key repeatedly until the Advanced Boot Options menu appears.
Select “Safe Mode” or “Safe Mode with Networking.”
4. Check for Hardware Issues causing BSOD
Disconnect External Devices: Unplug all external devices (USB drives, printers, etc.) and restart your computer to see if the BSOD persists.
Run a Memory Check: Use Windows Memory Diagnostic tool to check for memory issues.
Press Windows + R, type mdsched.exe, and press Enter.
Choose “Restart now and check for problems.”
5. Update or Roll Back Drivers
Update Drivers:
Open Device Manager (Windows + X > Device Manager).
Expand categories and update any drivers with a yellow exclamation mark.
Roll Back Drivers:
In Device Manager, right-click the driver causing the issue, select “Properties,” go to the “Driver” tab, and select “Roll Back Driver.”
6. Check for Software Issues
Uninstall Recent Software: Uninstall any software or updates installed recently.
Go to Settings > Apps > Apps & features and uninstall the problematic software.
Run System File Checker (SFC):
Open Command Prompt as Administrator.
Type sfc /scannow and press Enter.
7. Perform a System Restore
If the BSOD started after a recent change, performing a System Restore can revert your computer to a previous state.
Go to Control Panel > System and Security > System > System Protection > System Restore.
Follow the prompts to choose a restore point.
8. Check Disk for Errors
Open Command Prompt as Administrator.
Type chkdsk /f /r and press Enter.
Restart your computer to allow the check to run.
9. Update Windows
Ensure your Windows operating system is up to date.
Go to Settings > Update & Security > Windows Update and check for updates.
10. Perform a Clean Boot
A clean boot helps eliminate software conflicts.
Press Windows + R, type msconfig, and press Enter.
Go to the “Services” tab, check “Hide all Microsoft services,” and click “Disable all.”
Go to the “Startup” tab, open Task Manager, and disable all startup items.
Restart your computer.
11. Reset or Reinstall Windows
If none of the above steps work, you may need to reset or reinstall Windows.
Reset This PC:
Go to Settings > Update & Security > Recovery > Reset this PC.
Choose whether to keep your files or remove everything.
Reinstall Windows: Backup your data and perform a clean installation using a bootable USB drive with the Windows installation media.
Additional Tools and Resources
BlueScreenView: A utility to view minidump files created during BSODs.
WhoCrashed: Analyzes crash dumps to determine the cause of the crash.
Are there any scripts or reports that would give me information on VMware VM’s with snapshots?
I was pretty sure this was a straightforward one, so I jumped on the test network.
Solution: Get Snapshot Information
Connect to your vCenter and use the following commands.
[box]
Connect-VIServer vCenter-Name
# Then authenticate, and list every snapshot
Get-VM | Get-Snapshot | Select-Object VM, Name, SizeGB, Created
[/box]
That was easy!
Get Snapshot Information : With RV Tools
You can also get the same information from RVTools, which if you don’t already use, do so!
Solution: PowerShell Delete Snapshots
You can delete all snapshots by simply piping the command above to Remove-Snapshot, but you will probably want to do that on a VM-by-VM basis. Use the following command.
[box]
Get-VM VM-Name | Get-Snapshot | Remove-Snapshot
[/box]
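Going a step further than the one-liners above, this added example (not the article's own commands) reports only snapshots older than a threshold, totalled per VM so the biggest offenders sort to the top, and removes the stale ones for a single named VM behind -WhatIf. It assumes PowerCLI and an existing Connect-VIServer session; the VM name and age are placeholders.

```powershell
# Added example: stale-snapshot report per VM, and per-VM cleanup.
# Assumes: VMware PowerCLI loaded and already connected with Connect-VIServer.
function Get-StaleSnapshotReport {
    param([int]$OlderThanDays = 7)
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    Get-VM | Get-Snapshot | Where-Object { $_.Created -lt $cutoff } |
        Group-Object -Property { $_.VM.Name } | ForEach-Object {
            [pscustomobject]@{
                VM            = $_.Name
                Snapshots     = $_.Count
                OldestCreated = ($_.Group | Sort-Object Created | Select-Object -First 1).Created
                TotalSizeGB   = [math]::Round(($_.Group | Measure-Object SizeGB -Sum).Sum, 2)
                Names         = ($_.Group.Name -join '; ')
            }
        } | Sort-Object TotalSizeGB -Descending
}

function Remove-StaleSnapshot {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$VMName,
        [int]$OlderThanDays = 7
    )
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    $stale = Get-VM -Name $VMName | Get-Snapshot | Where-Object { $_.Created -lt $cutoff }
    foreach ($snap in $stale) {
        $label = "$($snap.VM.Name)/$($snap.Name) ($([math]::Round($snap.SizeGB, 2)) GB, created $($snap.Created))"
        if ($PSCmdlet.ShouldProcess($label, 'Remove snapshot')) {
            # Consolidation happens on the host; -Confirm:$false suppresses PowerCLI's own prompt.
            Remove-Snapshot -Snapshot $snap -Confirm:$false
        }
    }
}

Get-StaleSnapshotReport -OlderThanDays 7 | Format-Table -AutoSize
# Placeholder VM name; -WhatIf lists what would be removed.
Remove-StaleSnapshot -VMName 'VM-Name' -OlderThanDays 7 -WhatIf
```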
NTLM (NT LAN Manager) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users in a network. It is an older protocol that has been largely replaced by Kerberos in modern Windows environments (since Server 2008 and Windows Vista!) due to Kerberos’s enhanced security features. NTLM is a challenge-response authentication protocol used to authenticate a client to a resource on a network. It operates in three versions: NTLMv1, NTLMv2, and NTLMv2 Session Security.
Key Components
Authentication Process:
Challenge-Response Mechanism: NTLM uses a challenge-response mechanism where the server challenges the client, and the client responds with a value that proves its knowledge of the user’s password.
Session Security: Provides confidentiality (encryption) and integrity (signing) for data sent over the network.
NTLM Versions:
NTLMv1:
Uses DES (Data Encryption Standard) for encryption.
The client sends a hashed password, and the server compares it to the stored hash.
Known for its vulnerabilities, including susceptibility to replay attacks and weak password hashes (LM hashes).
NTLMv2:
Introduced to address the security shortcomings of NTLMv1.
Provides stronger encryption and better resistance to replay attacks.
Supports mutual authentication where both client and server authenticate each other.
NTLMv2 Session Security:
Provides additional security by creating a session key based on both client and server challenge-response pairs.
Ensures integrity and confidentiality for the session.
Components of NTLM:
User Authentication: Verifies the identity of a user or system requesting access.
Message Integrity: Ensures that messages are not tampered with during transmission.
Message Confidentiality: Encrypts messages to protect sensitive information.
Security Weaknesses
NTLMv1:
Weak Hashing (LM Hash): The LM hash is derived from passwords in a way that is susceptible to brute-force attacks.
Replay Attacks: Can be exploited to reuse valid authentication tokens.
Lack of Mutual Authentication: Only the client is authenticated, not the server.
NTLMv2:
Improved but Still Vulnerable: While it significantly improves upon NTLMv1, it is still not as secure as Kerberos and can be vulnerable to certain types of attacks, especially in environments where NTLMv1 is still supported for backward compatibility.
Deprecation and Modern Alternatives
Kerberos: Introduced in Windows 2000, Kerberos provides stronger security features, including mutual authentication, and is now the default authentication protocol in Active Directory environments.
Recommendations: Organizations are encouraged to disable NTLM where possible, particularly NTLMv1, and to use Kerberos or other modern authentication protocols.
In Summary
NTLM played a crucial role in early Windows network security, providing a means of authenticating users and securing communications. However, due to its security vulnerabilities, especially in NTLMv1, it has been largely replaced by more secure protocols like Kerberos. NTLMv2 offers improvements but is still not as robust as modern alternatives, making it advisable for organizations to phase out NTLM in favour of stronger authentication methods.
As of June 2024 Microsoft has declared that NTLM (all versions) is deprecated.
Solution : Disable NTLM
Developers are being encouraged to STOP using NTLM, and the advice is to set your systems to ONLY use NTLM if Kerberos is not available. Your first challenge is to find out what (if anything) is still using NTLM.
On your server(s), look in the Security event log for Event ID 4624 events that mention NTLM.
But there are thousands of Event ID 4624 events, so let’s narrow the search with some PowerShell.
[box]
$query= @"
<QueryList>
<Query Id="0">
<Select Path="Security">
*[System[(EventID='4624')]]
and
*[EventData[Data[@Name='AuthenticationPackageName'] and (Data='NTLM')]]
</Select>
</Query>
</QueryList>
"@
Get-WinEvent -FilterXml $query
[/box]
Now I can review each of those events (by their time stamp!) and I’ve only got two offenders to investigate.
You can also have a reconnoitre with Wireshark, and filter for ntlmssp.
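Reviewing the matching events one by one gets old quickly, so this added example (not the article's own code) runs the same filter and then pulls the fields that identify an offender out of each event: account, workstation, source IP, logon type, and whether it was NTLM V1 or V2. It reads the local Security log by default; the -ComputerName parameter for pointing it at a remote DC is an assumption.

```powershell
# Added example: summarise who is still authenticating with NTLM, from where, and which version.
# Assumes: run elevated on (or with rights to read the Security log of) a DC.
function Get-NtlmLogonSummary {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 5000)
    $query = @"
<QueryList>
  <Query Id="0">
    <Select Path="Security">
      *[System[(EventID=4624)]]
      and
      *[EventData[Data[@Name='AuthenticationPackageName']='NTLM']]
    </Select>
  </Query>
</QueryList>
"@
    $events = Get-WinEvent -ComputerName $ComputerName -FilterXml $query -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        # The event XML exposes every EventData field by its Name attribute.
        $d = @{}
        foreach ($item in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType   = $d.LogonType      # 3 = network, 2 = interactive, 10 = RDP, ...
            Workstation = $d.WorkstationName
            SourceIP    = $d.IpAddress
            Package     = $d.LmPackageName  # 'NTLM V1', 'NTLM V2' or 'LM'
        }
    }
    # One line per account/source/version, most frequent first.
    $rows | Group-Object Account, Workstation, SourceIP, Package | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Account     = $first.Account
            Workstation = $first.Workstation
            SourceIP    = $first.SourceIP
            Package     = $first.Package
            LogonTypes  = (@($_.Group.LogonType) | Sort-Object -Unique) -join ','
            Count       = $_.Count
            LastSeen    = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object Count -Descending
}

Get-NtlmLogonSummary | Format-Table -AutoSize
```

Anything reporting 'NTLM V1' is what to chase before moving on to the LAN Manager authentication level change below.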
Disable NTLM v1
It’s considered best practice to disable NTLM version 1 first, then wait for a while (a period of a few weeks,) then you can attempt to disable NTLM version 2 also.
Edit the Default Domain Controllers Policy and navigate to:
[box]
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options >
Network Security: LAN Manager Authentication Level
[/box]
Settings:
Send LM and NTLM responses
Send LM and NTLM (use NTLMv2 session security if negotiated)
Send NTLM response only
Send NTLMv2 response only
Send NTLMv2 response only, Refuse LM: Domain controllers offer only NTLMv2 but still accept NTLMv1 authentication.
Send NTLMv2 response only, Refuse LM and NTLM: Domain controllers refuse LM and NTLMv1, accepting only NTLMv2.
To keep NTLM v2 and disable NTLM v1 choose the last option.
WARNING: This will effectively tattoo this setting into the registry of the domain controller(s); even if you have a problem and revert the setting back to Not Defined, it will remain. If that happens to you, you can manually change the setting in the registry at.
There are six settings (0 to 5) that correspond to the ones in the group policy; for further information see this article.
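For the tattooed-setting case, this added example (not the article's own code) reads the registry value the policy writes and maps it back to the six policy options, and can set or clear it under -WhatIf. The key and value name, HKLM\SYSTEM\CurrentControlSet\Control\Lsa and LmCompatibilityLevel, are the standard LSA location; run it elevated on the DC you are correcting.

```powershell
# Added example: inspect and correct the tattooed LAN Manager authentication level.
# Assumes: elevated PowerShell on the affected domain controller.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$LmLevelNames = @{
    0 = 'Send LM and NTLM responses'
    1 = 'Send LM and NTLM (use NTLMv2 session security if negotiated)'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, Refuse LM'
    5 = 'Send NTLMv2 response only, Refuse LM and NTLM'
}

function Get-LmCompatibilityLevel {
    $item = Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    $level = if ($null -eq $item) { $null } else { [int]$item.LmCompatibilityLevel }
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        Level          = $level
        Meaning        = if ($null -eq $level) { 'Not set (OS default applies)' } else { $LmLevelNames[$level] }
        # Only level 5 makes a DC refuse NTLMv1; anything lower (or unset) still accepts it.
        AcceptsNtlmV1  = ($null -eq $level) -or ($level -lt 5)
    }
}

function Set-LmCompatibilityLevel {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateRange(0, 5)][int]$Level,
        [switch]$Clear    # remove the value entirely (true 'Not Defined')
    )
    $before = Get-LmCompatibilityLevel
    if ($Clear) {
        if ($PSCmdlet.ShouldProcess($LsaKey, "Remove LmCompatibilityLevel (was $($before.Level))")) {
            Remove-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
        }
    }
    elseif (-not $PSBoundParameters.ContainsKey('Level')) {
        throw 'Specify -Level 0..5 or -Clear.'
    }
    elseif ($PSCmdlet.ShouldProcess($LsaKey, "Set LmCompatibilityLevel $($before.Level) -> $Level ($($LmLevelNames[$Level]))")) {
        Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value $Level -Type DWord
    }
    Get-LmCompatibilityLevel
}

Get-LmCompatibilityLevel
Set-LmCompatibilityLevel -Level 5 -WhatIf
```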
Disable NTLM Completely
Before proceeding it’s a good idea to enable the “Restrict NTLM: Audit NTLM authentication in this domain” policy, then wait a while longer and review the logs; if something does appear you can simply add it to the “Restrict NTLM: Add server exceptions in this domain” policy.
This time, in the Default Domain Controllers Policy, navigate to:
[box]
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options >
Network Security: Restrict NTLM: NTLM authentication in this domain
[/box]
Disable: the policy is disabled (NTLM authentication is allowed in the domain).
Deny for domain accounts to domain servers: the domain controllers reject NTLM authentication attempts for all servers under the domain accounts, and the “NTLM is blocked” error message is displayed.
Deny for domain accounts: the domain controllers are preventing NTLM authentication attempts for all domain accounts, and the “NTLM is blocked” error appears.
Deny for domain servers: NTLM authentication requests are denied for all servers unless the servername is on the exception list in the “Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain” policy.
Deny all: the domain controllers block all NTLM requests for all domain servers and accounts.
To stop client computers attempting to connect with NTLM you can edit the Default Domain Policy.