If you want to enable virtualisation in a VM that is running inside Hyper-V (itself a hypervisor), you need to expose the virtualisation extensions of the physical host's processor to the nested VM.
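The following is an added example, not from the original article, showing how to expose the host processor's virtualisation extensions to a Hyper-V VM from the host with the Hyper-V PowerShell module, and how to confirm the setting took. It goes slightly beyond the paragraph by also turning on MAC address spoofing for the guest's network adapters, which nested VMs need in order to get network traffic through the outer VM; the VM name is a placeholder.

```powershell
# Added example (not from the original article): expose the host CPU's
# virtualisation extensions to a Hyper-V VM so a hypervisor can run inside it.
# Assumptions: run as administrator on the Hyper-V host with the Hyper-V
# PowerShell module loaded; the VM name below is a placeholder.
$VMName = 'NestedLab-VM'   # placeholder, change to your VM

$vm = Get-VM -Name $VMName

# The processor setting can only be changed while the VM is off.
if ($vm.State -ne 'Off') {
    Stop-VM -Name $VMName -Force
}

# Expose VT-x / AMD-V to the guest.
Set-VMProcessor -VMName $VMName -ExposeVirtualizationExtensions $true

# VMs nested inside the guest present extra MAC addresses on the guest's
# adapters, so MAC address spoofing must be allowed on each of them.
Get-VMNetworkAdapter -VMName $VMName | Set-VMNetworkAdapter -MacAddressSpoofing On

Start-VM -Name $VMName

# Verify: ExposeVirtualizationExtensions should now read True.
Get-VMProcessor -VMName $VMName | Select-Object VMName, ExposeVirtualizationExtensions
```

Run this on the Hyper-V host, not inside the guest; the Hyper-V role can then be installed in the guest in the usual way.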
To perform a Windows Server 2025 domain join (to a local domain): the end process is the same as it's always been, they've just made the job of getting there a little more convoluted (this is the same with Windows 11).
Solution: Windows Server 2025 Domain Join
Before attempting to join the domain, let's make sure we can 'resolve' the domain name (because most domain join problems are DNS related). Whilst logged in as a (local) administrative user, click the Windows button > Windows PowerShell.
Ensure you can 'ping' the domain name (see below). Here I also verify that the IP address that responds is my domain controller (Note: this will only work if your DNS has a correctly set up reverse lookup zone!)
Click the Windows button > System.
System > About.
Advanced System Settings.
Computer Name.
Change.
Select 'Domain' and enter the domain name > OK > enter credentials that have the rights to join a machine to the domain* > OK.
*Note: All domain users have the right to join 10 machines to the domain.
OK > OK.
OK > Restart Now > The server will reboot.
Ensure you don't mistakenly log on as the local administrator: choose 'Other User', and remember that if you are logging on as the domain administrator use DOMAIN/Administrator, or administrator@domain-name.domain-extension.
Solution: PowerShell Windows Server 2025 Domain Join
As above, before attempting to join the domain, let's make sure we can 'resolve' the domain name (because most domain join problems are DNS related).
Use the following syntax.
[box]
Add-Computer -DomainName {your-domain-name}
[/box]
When prompted, provide credentials that have rights to add computer object to the domain.
When successfully joined, you will be asked to reboot.
[box]
Restart-Computer
[/box]
Ensure you don't mistakenly log on as the local administrator: choose 'Other User', and remember that if you are logging on as the domain administrator use DOMAIN/Administrator, or administrator@domain-name.domain-extension.
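Here is an added example (mine, not part of the original article) that strings the GUI and PowerShell procedures above into one script: it does the DNS checks the article recommends first, including the _ldap SRV lookup that a domain join actually depends on and the reverse lookup, then joins with Add-Computer, and after the reboot confirms the join and the machine's secure channel. The domain name, OU and the account you supply are placeholders.

```powershell
# Added example (not from the original article): DNS checks, domain join, and
# post-reboot verification. Assumptions: elevated PowerShell session as a local
# administrator; domain name and OU are placeholders.
$Domain = 'pnl.com'                     # placeholder
$OU     = 'OU=Servers,DC=pnl,DC=com'    # placeholder, optional target OU

# 1. Most domain join failures are DNS. The domain name must resolve to DC
#    addresses AND the _ldap SRV record must exist in the zone this client uses.
$a   = Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
"Domain $Domain resolves to: $($a.IPAddress -join ', ')"
"DCs advertised in DNS:     $($srv.NameTarget -join ', ')"

# Reverse lookup of the first address (only works if a reverse zone exists).
Resolve-DnsName -Name $a[0].IPAddress -Type PTR -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty NameHost

# 2. Join. -Credential prompts for an account allowed to create computer
#    objects; -OUPath is optional but avoids the default Computers container.
$cred = Get-Credential -Message "Account with rights to join $Domain"
Add-Computer -DomainName $Domain -Credential $cred -OUPath $OU -Restart -Force

# 3. After the reboot, log on with a domain account and run these two lines to
#    confirm membership and that the machine's secure channel to a DC works.
Get-CimInstance Win32_ComputerSystem | Select-Object Name, Domain, PartOfDomain
Test-ComputerSecureChannel -Verbose
```

If the SRV lookup fails, fix the client's DNS server settings before touching anything else; the join will not succeed until that record resolves.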
Leave a Windows Domain Using PowerShell
Firstly I’m making sure I am correctly domain joined by using the following command.
Then to ‘leave’ the domain use the following command.
[box]
Remove-Computer
[/box]
When prompted, reply Y for yes, then to complete the process reboot the server with the following command.
[box]
Restart-Computer
[/box]
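As an added example (not from the original article), the leave-domain procedure above with the checks I'd want around it: confirm what the machine is currently joined to, supply the credential that lets Remove-Computer disable the computer object in AD rather than orphaning it, name the workgroup explicitly, and only then reboot. The workgroup name is a placeholder.

```powershell
# Added example (not from the original article): confirm current membership,
# leave the domain into a named workgroup, then reboot. Assumptions: elevated
# session; the workgroup name is a placeholder; the account supplied has rights
# to disable the computer object in AD.
$Workgroup = 'WORKGROUP'   # placeholder

# Show what we are joined to before changing anything.
$cs = Get-CimInstance Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "$($cs.Name) is already in workgroup $($cs.Domain); nothing to do."
}
"Leaving domain $($cs.Domain) on $($cs.Name)"

# Without -UnjoinDomainCredential the computer object is left behind in AD;
# with it, Remove-Computer disables the account on the way out.
$cred = Get-Credential -Message "Account allowed to remove $($cs.Name) from $($cs.Domain)"
Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName $Workgroup -Force -PassThru

# Make sure you know a local administrator password before this line: once the
# domain is gone, domain accounts (cached or not) can no longer log on.
Restart-Computer -Force
```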
Leave a Windows Domain Using GUI
To do the same graphically it's just the reverse of a domain join: use the instructions above to get to the following dialog, then select Workgroup and enter the workgroup name.
OK > OK.
Close > Restart Now.
Related Articles, References, Credits, or External Links
Are there any scripts or reports that would give me information on VMware VMs with snapshots?
I was pretty sure this was a straightforward one, so I jumped on the test network.
Solution: Get Snapshot Information
Connect to your vCenter and use the following commands.
[box]
Connect-VIServer vCenter-Name
(then authenticate)
Get-VM | Get-Snapshot | Select-Object VM, Name, SizeGB, Created
[/box]
That was easy!
Get Snapshot Information : With RV Tools
You can also get the same information from RVTools, which if you don’t already use, do so!
Solution: PowerShell Delete Snapshots
You can delete all snapshots by simply piping the command above to Remove-Snapshot, but you will probably want to do that on a VM-by-VM basis. Use the following command.
[box]
Get-VM VM-Name | Get-Snapshot | Remove-Snapshot
[/box]
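An added example (mine, not the article's) that builds on the two commands above: a snapshot report limited to snapshots older than a threshold, largest first, exported to CSV, followed by a per-VM clean-up that runs as a dry run with -WhatIf until you remove that switch. It assumes the VMware.PowerCLI module is installed; the vCenter name, VM name, threshold and output path are placeholders.

```powershell
# Added example (not from the original article): age/size snapshot report plus a
# per-VM removal with a dry run. Assumptions: VMware.PowerCLI module installed;
# vCenter, VM name and paths are placeholders.
$VCenter = 'vcenter.pnl.com'          # placeholder
$MaxAge  = 7                          # days; snapshots older than this are reported
$Report  = 'C:\Temp\Snapshots.csv'    # placeholder

Connect-VIServer -Server $VCenter | Out-Null   # prompts for credentials

$old = Get-VM | Get-Snapshot |
    Where-Object { $_.Created -lt (Get-Date).AddDays(-$MaxAge) } |
    Select-Object VM, Name, Description, Created,
        @{ Name = 'AgeDays'; Expression = { [int]((Get-Date) - $_.Created).TotalDays } },
        @{ Name = 'SizeGB';  Expression = { [math]::Round($_.SizeGB, 2) } } |
    Sort-Object SizeGB -Descending

$old | Format-Table -AutoSize
$old | Export-Csv -Path $Report -NoTypeInformation

$total = if ($old) { ($old | Measure-Object -Property SizeGB -Sum).Sum } else { 0 }
"{0} snapshot(s) older than {1} days, {2:N1} GB in total" -f $old.Count, $MaxAge, $total

# Clean up one VM at a time. -WhatIf only reports what would be removed; take it
# off to actually consolidate. -RemoveChildren also removes any child snapshots.
$VMName = 'VM-Name'   # placeholder
Get-VM -Name $VMName | Get-Snapshot | Remove-Snapshot -RemoveChildren -Confirm:$false -WhatIf
```

Consolidating a large, old snapshot generates a lot of datastore I/O, so schedule the real removal outside peak hours and keep an eye on datastore free space while it runs.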
For over twenty years I've been involved with domain migrations, and I've had to upgrade both domain and forest functional levels thousands of times. I've also had to deal with many clients who were somewhat nervous when they knew that I was updating their forest and domain functional levels. I'm not sure if it's just embedded in IT folklore that something horrible might happen, because you are unable to revert if you make the mistake of upgrading these levels when you should not have done so. But in all honesty, in all the time I've been involved in domain migrations only once have I ever had a problem, and in that instance the upgrade process failed because the client had Exchange 2000 (that's how long ago that was).
What are Domain and Forest functional levels used for?
Each version of Windows that is released introduces new functionality that's built into Active Directory, and for clients to take advantage of that functionality there are certain prerequisites that must be met. One of the most obvious prerequisites is that all domain controllers are running a version that supports the new functionality. For example, way back with Server 2008 the AD Recycle Bin was introduced; imagine trying to enable that feature if half of the domain controllers in your environment did not support it. That's all the functional level does: it sits and waits for you to get all your domain controllers to the correct version before you can enable a feature.
Active Directory won't let you upgrade functional levels if your servers are non-compliant, i.e. running an older or unsupported operating system, so all the functional level is, is a safety gate that turns on features. With that in mind, why would you be nervous about adding additional features to Active Directory?
Things to Consider Before Upgrading Functional Levels
Check that all domain controllers are working and replicating properly and are running a version of Windows Server that supports the desired functional level.
Back up all domain controllers and verify the backups.
Ensure that all domain functional levels are equal to or higher than the forest functional level.
Review the new features and requirements of the target functional level and plan for any changes or impacts on your applications, services, and clients. Pay particular attention to Microsoft Exchange (if still running on premises or in hybrid mode).
If possible, test the functional level change in a lab environment that mimics your production environment as closely as possible.
Communicate the functional level change to your stakeholders and schedule a maintenance window for the operation.
Official documentation says you CANNOT downgrade functional levels; however, this is not true*. You should only lower the functional level if you encounter a serious problem that cannot be resolved otherwise.
*Note: You can downgrade, but no further than Server 2008. It is possible to downgrade from Server 2016 (the current maximum) to Server 2012 R2, Server 2012, Server 2008 R2, and Server 2008. In reality (if you've been looking after your AD) you should never need to downgrade more than one version anyway.
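The checklist above in script form, as an added example (not from the original article): it prints the current levels, lists every DC in the forest with its operating system (an old DC is what actually blocks a raise), checks replication health and the DCs' last backup markers, and confirms each domain's level against the forest's. It assumes the ActiveDirectory module and repadmin are available and that you run it as a Domain Admin.

```powershell
# Added example (not from the original article): pre-flight checks before
# raising or lowering functional levels. Assumptions: run as a Domain Admin on
# a DC or an RSAT workstation; ActiveDirectory module and repadmin available.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
"Current levels: domain {0} = {1}; forest {2} = {3}" -f `
    $domain.DNSRoot, $domain.DomainMode, $forest.Name, $forest.ForestMode

# 1. Every DC in the forest with its OS. Any DC older than the target level
#    blocks the raise, and a DC that no longer exists but still has an object
#    here blocks it too (metadata clean-up needed first).
$dcs = foreach ($d in $forest.Domains) {
    Get-ADDomainController -Filter * -Server $d |
        Select-Object HostName, Domain, OperatingSystem, OperatingSystemVersion, IsGlobalCatalog, IsReadOnly
}
$dcs | Sort-Object Domain, HostName | Format-Table -AutoSize

# 2. Replication health. The level change is written on the PDC emulator and
#    must replicate to every DC; fix anything reported here before proceeding.
repadmin /replsummary
Get-ADReplicationFailure -Scope Forest -Target $forest.Name |
    Format-Table Server, Partner, FirstFailureTime, FailureCount, LastError -AutoSize

# 3. Each domain's level must already be at or above the forest level you are
#    raising to; the forest level can never exceed any domain's level.
foreach ($d in $forest.Domains) {
    "{0,-30} {1}" -f $d, (Get-ADDomain -Identity $d).DomainMode
}

# 4. Backups: show the backup marker on each directory partition so you can
#    see when the DIT was last backed up (and test-restore one before changing anything).
repadmin /showbackup
```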
Upgrading Functional Levels
Both the domain and forest functional levels can be upgraded with the 'Active Directory Domains and Trusts' management console. For the domain, simply right click the domain in question > Raise domain functional level > select the version you want to upgrade to, then click Raise.
For the forest, right click 'Active Directory Domains and Trusts' > Raise forest functional level > select the version you want to upgrade to, then click Raise.
Look in the Directory Service Event log for the following events.
Event ID 2039 (Successful Domain Functional Level Update).
Event ID 2040 (Successful Forest Functional Level Update).
Downgrading Functional Levels (PowerShell)
The following procedure was carried out on my test bench. When upgrading functional levels (in the past), Microsoft released guidance on how to downgrade functional levels to Server 2008 R2; this was handy if you wanted to perform an ADMT domain migration and had raised your levels to Server 2012 (though the tool was later fixed to support newer functional levels).
Remember this is a last resort if you are having problems and remember to ensure you have decent backups of everything before proceeding.
Firstly, check the current domain and forest functional levels.
[box]
Get-ADDomain | Format-Table Name, DomainMode
Get-ADForest | Format-Table Name, ForestMode
[/box]
Then to downgrade (in this example to Server 2012 R2) use the following commands.
Check that the change has occurred by running the same commands you used above.
[box]
Get-ADDomain | Format-Table Name, DomainMode
Get-ADForest | Format-Table Name, ForestMode
[/box]
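An added example, not from the original article, that performs the level change with Set-ADDomainMode and Set-ADForestMode and then does the verification above, including a check for the 2039/2040 events in the Directory Service log. It orders the two operations correctly for either direction (domain then forest when raising, forest then domain when lowering, because the forest level can never sit above a domain's level), targets the PDC emulator, and runs as a dry run until you set $Apply to $true. The target levels are placeholders, and a single-domain forest is assumed.

```powershell
# Added example (not from the original article): raise or lower functional
# levels and verify. Assumptions: Enterprise Admin rights; single-domain forest;
# target levels are placeholders (ADDomainMode / ADForestMode enum names);
# nothing changes until $Apply is $true.
Import-Module ActiveDirectory
$TargetDomainMode = 'Windows2012R2Domain'   # placeholder target
$TargetForestMode = 'Windows2012R2Forest'   # placeholder target
$Apply = $false                             # $true to actually make the change

$domain = Get-ADDomain
$forest = Get-ADForest
$pdc    = $domain.PDCEmulator
"Before: domain {0}, forest {1}" -f $domain.DomainMode, $forest.ForestMode

# Write to the PDC emulator; -WhatIf is on unless $Apply is set.
$common = @{ Server = $pdc; Confirm = $false; WhatIf = (-not $Apply) }

# The enum values increase with the OS version, so compare them numerically.
$lowering = [int][Microsoft.ActiveDirectory.Management.ADForestMode]$TargetForestMode -lt [int]$forest.ForestMode
if ($lowering) {
    # Lowering: forest first, then the domain.
    Set-ADForestMode -Identity $forest.Name    -ForestMode $TargetForestMode @common
    Set-ADDomainMode -Identity $domain.DNSRoot -DomainMode $TargetDomainMode @common
} else {
    # Raising: domain first, then the forest.
    Set-ADDomainMode -Identity $domain.DNSRoot -DomainMode $TargetDomainMode @common
    Set-ADForestMode -Identity $forest.Name    -ForestMode $TargetForestMode @common
}

if ($Apply) {
    # Read back from the PDC emulator; other DCs catch up via replication.
    Get-ADDomain -Server $pdc | Format-Table Name, DomainMode
    Get-ADForest -Server $pdc | Format-Table Name, ForestMode

    # Success is logged in the Directory Service log: 2039 (domain), 2040 (forest).
    Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Directory Service'; Id = 2039, 2040 } -MaxEvents 5 |
        Format-Table TimeCreated, Id, Message -Wrap
}
```

Leave $Apply at $false for the first run and read the -WhatIf output; it names the exact object and level each cmdlet would set.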
Then to prove it's not all 'smoke and mirrors', look in 'Active Directory Domains and Trusts' > {your-domain-name} > right click > 'Raise domain functional level'.
And in the same management snap-in check the forest functional level.
This post was written because of a follow-up question in this article: how do you go about converting certificates? Sometimes you get a certificate issued or sent to you that is in a format you cannot import, so you need to convert it. Regardless of whether you are a Mac/Linux user or a Windows user, the tool that I find best to use is OpenSSL.
OpenSSL is built into macOS. To use OpenSSL on Windows you need to download and install it, then run openssl.exe (usually from the command line, but you can also run it from PowerShell; see the note below if you intend to use PowerShell).
Linux Note: Installing OpenSSL differs between flavours of Linux, e.g. sudo apt-get install openssl should work in most cases.
Windows Note: Remember to change to the directory in which OpenSSL.exe resides before executing the following command(s). See the Windows Examples for clarification.
Solution : Convert Certificates
The most common forms of issued X.509 certificates have a .crt or a .cer extension. As used in this article (and by the commands below), a CRT is PEM (Privacy Enhanced Mail, Base64 text) encoded and a CER is DER (Distinguished Encoding Rules, binary) encoded; be aware that in practice either extension can hold either encoding, so check the file's contents if a conversion fails. OpenSSL can convert from one to the other. Note: Below I've shown the process on my Mac and a Windows PC to illustrate that the process is the same.
Convert Certificates CRT to CER
Use the following syntax to convert from CRT to CER format (change the source and destination paths to match your own certificate locations).
[box]
openssl x509 -inform PEM -outform DER -in /Users/petelong/CERTS/Source-Certificate.crt -out /Users/petelong/CERTS/Output-Certificate.cer
[/box]
Convert Certificates CER to CRT
Use the following syntax to convert from CER to CRT format (change the source and destination paths to match your own certificate locations).
[box]
openssl x509 -inform DER -outform PEM -in /Users/petelong/CERTS/Source-Certificate.cer -out /Users/petelong/CERTS/Output-Certificate.crt
[/box]
Convert Certificates CRT to PEM
Disclaimer: This is a bit of a misnomer, because .crt certificates are already in PEM format. You can simply open a .crt file and view it as a PEM file. Use the following syntax to view a CRT in PEM format (change the path to match your own certificate location).
[box]
Linux / macOS
cat /Users/petelong/CERTS/My-Certificate.crt
Windows
type C:\Certs\My-Certificate.crt
[/box]
Then copy the 'text' as shown in the examples above (DO NOT include any additional spaces). That is your PEM file; you can paste it into a text editor and save it with a .pem extension if you need to 'send' it somewhere.
Can I simply rename .crt to .pem? (YES YOU CAN)
Convert Certificates CER to PEM
This is slightly more complicated, as .cer files are in DER format; if you try to open one with a text editor you will simply see gobbledegook. So you need to convert it into PEM format with the following syntax.
[box]
openssl x509 -inform DER -outform PEM -in /Users/petelong/CERTS/My-Certificate.cer -out /Users/petelong/CERTS/PEM-Certificate.pem
[/box]
Once that's done (as above) you can simply open the .pem file in a text editor, or cat (Mac/Linux) or type (Windows) the content.
Converting Certificates (PowerShell)
Be Aware: When calling OpenSSL from a PowerShell command you need to prefix the command with a 'dot slash' (e.g. .\openssl.exe); see the examples below for clarification.
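The following is an added example (mine, not from the article) that covers both the conversions above and the PowerShell note: it decides whether a file is PEM or DER from its content rather than trusting the extension, runs the matching openssl x509 conversion through PowerShell's call operator (which is what the 'dot slash' is doing), and then proves the output is the same certificate by comparing SHA-256 fingerprints. The path to openssl.exe and the certificate paths are placeholders.

```powershell
# Added example (not from the original article): detect PEM vs DER by content,
# convert with OpenSSL, verify by fingerprint. Assumptions: $OpenSsl points at
# your openssl binary (full path to openssl.exe on Windows, hence the & call
# operator; plain 'openssl' on macOS/Linux); certificate paths are placeholders.
$OpenSsl = 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe'   # placeholder

function Get-CertificateEncoding {
    param([Parameter(Mandatory)][string]$Path)
    # PEM is text starting with a "-----BEGIN" marker; DER is binary whose first
    # byte is the ASN.1 SEQUENCE tag (0x30). Anything else is not an X.509 cert.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $head  = [System.Text.Encoding]::ASCII.GetString($bytes, 0, [math]::Min(64, $bytes.Length))
    if ($head -match '-----BEGIN') { return 'PEM' }
    if ($bytes.Length -gt 0 -and $bytes[0] -eq 0x30) { return 'DER' }
    throw "$Path does not look like a PEM or DER certificate"
}

function Convert-Certificate {
    param(
        [Parameter(Mandatory)][string]$InPath,
        [Parameter(Mandatory)][string]$OutPath,
        [Parameter(Mandatory)][ValidateSet('PEM', 'DER')][string]$OutForm
    )
    $inForm = Get-CertificateEncoding -Path $InPath
    if ($inForm -eq $OutForm) {
        Write-Warning "$InPath is already $OutForm; copying instead of converting"
        Copy-Item -Path $InPath -Destination $OutPath
        return
    }
    # Same command as the article: openssl x509 -inform X -outform Y -in ... -out ...
    & $OpenSsl x509 -inform $inForm -outform $OutForm -in $InPath -out $OutPath
    if ($LASTEXITCODE -ne 0) { throw "openssl failed with exit code $LASTEXITCODE" }

    # Prove the output parses and is the same certificate: compare fingerprints.
    $fpIn  = & $OpenSsl x509 -inform $inForm  -in $InPath  -noout -fingerprint -sha256
    $fpOut = & $OpenSsl x509 -inform $OutForm -in $OutPath -noout -fingerprint -sha256
    if ($fpIn -ne $fpOut) { throw "fingerprint mismatch after conversion: $fpIn / $fpOut" }
    "$InPath ($inForm) -> $OutPath ($OutForm) OK: $fpOut"
}

# Usage with placeholder paths: CER (DER) to PEM, and CRT (PEM) to CER (DER).
Convert-Certificate -InPath 'C:\Certs\My-Certificate.cer' -OutPath 'C:\Certs\My-Certificate.pem' -OutForm PEM
Convert-Certificate -InPath 'C:\Certs\My-Certificate.crt' -OutPath 'C:\Certs\My-Certificate.cer' -OutForm DER
```

Because the input encoding is detected rather than assumed, the function copes with the common case of a .cer that is actually PEM (or vice versa) without producing an OpenSSL "unable to load certificate" error.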
If you have deployed an NPS server on your network, there may be a time when you want to replace that server. If all it's doing is NPS and it's 2012 or newer I'd be tempted to simply in-place upgrade it, but some people are rigid in their belief that that is not a good idea. So in that case you need to migrate to a new server.
Solution : Migrate NPS Server
Locate NPS Server
Just in case you know you have an NPS server but you don't know which server it's on (or how many you have!), the simplest way to find out is to look in the RAS and IAS Servers group in AD.
You can use the following procedure on Server 2012 (and newer). If your source server is Server 2008 then you need to use the netsh method I'll outline below.
Migrate NPS Server : Export NPS Settings PowerShell
Then simply copy that exported XML file to the new NPS server.
Migrate NPS Server : Import NPS Settings PowerShell
At this point I'll assume that your target server is built, updated and domain joined. So we have three tasks: install NPS, authorise the NPS server in AD, then import the settings from the file you exported above. Note: There is no direct PowerShell command to authorise the new server in AD (at time of writing), so we need to use the netsh command to do that.
Then at this point I'd stop and disable the NPS service on the old server and give everything a test. REMEMBER: if you have RADIUS clients you may need to change the IP address that THEY are set to, so that it points at the new NPS server.
WARNING: If you are using authentication protocols that need certificates, like PEAP-MS-CHAP v2, PEAP-TLS, or EAP-TLS, AND your clients are set to validate the server's identity (this is usually optional), then check the new server has the correct certificates.
Migrate NPS Server (Server 2008)
On older OSs you don't have the Export-NpsConfiguration and Import-NpsConfiguration PowerShell cmdlets to use, so you have to use the netsh command instead.
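To tie the export, import and Server 2008 sections together, here is an added example (not the article's own commands) of the whole migration: locate existing NPS servers via the RAS and IAS Servers group, export on the source (with the netsh equivalent noted for 2008), then on the target install NPS, register it in AD with netsh, import, check the service and the imported clients and policies, and finally stop and disable the old server. One point worth knowing that the article does not spell out: Export-NpsConfiguration writes the RADIUS shared secrets into the XML in clear text, so the file is handled as a secret here. Paths and names are placeholders.

```powershell
# Added example (not from the original article): NPS migration end to end.
# Assumptions: run elevated; SOURCE sections run on the old NPS server, TARGET
# sections on the new one; paths are placeholders. The exported XML contains
# RADIUS shared secrets in clear text, so it is protected and deleted after use.
$ExportPath = 'C:\Temp\NPS-Config.xml'   # placeholder

# --- Any domain-joined machine with RSAT: which servers are NPS servers? ---
Get-ADGroupMember -Identity 'RAS and IAS Servers' | Select-Object Name, ObjectClass

# --- SOURCE (Server 2012 or newer) ---
Export-NpsConfiguration -Path $ExportPath
# Server 2008 has no NPS cmdlets; the netsh equivalent is:
#   netsh nps export filename="C:\Temp\NPS-Config.xml" exportPSK=YES
# (exportPSK=YES keeps the shared secrets; without it the clients import with none.)
Get-Acl -Path $ExportPath | Format-List Owner, AccessToString   # confirm only admins can read it

# --- TARGET (new server, already domain joined and patched) ---
Install-WindowsFeature -Name NPAS -IncludeManagementTools
# Register the server in AD (adds it to "RAS and IAS Servers" so it can read
# users' dial-in attributes). No cmdlet exists for this step, hence netsh.
netsh ras add registeredserver
Import-NpsConfiguration -Path $ExportPath
# Server 2008 equivalent:
#   netsh nps import filename="C:\Temp\NPS-Config.xml"

# Check the service is up and the clients/policies came across.
Get-Service -Name IAS | Select-Object Name, Status, StartType   # IAS = Network Policy Server service
Get-NpsRadiusClient  | Format-Table -AutoSize
Get-NpsNetworkPolicy | Format-Table -AutoSize

Remove-Item -Path $ExportPath -Force   # shared secrets are in this file

# --- SOURCE, once the new server has been tested ---
# Stop and disable rather than uninstall, so it can be brought back quickly if
# a RADIUS client pointing at the old address was missed.
Stop-Service -Name IAS
Set-Service -Name IAS -StartupType Disabled
```

If the new server uses PEAP or EAP-TLS, also confirm the imported policies reference a certificate that exists in the new server's machine store; the XML carries the policy, not the certificate.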
I needed to get a list of operating systems 'in use' in my Active Directory this week. Bear in mind this will pull information from all enabled computer accounts in AD, so if you are 'not good' at tidying out old machines and servers you might get a lot of garbage in your output!
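As an added example (not from the original article), the query I'd use for this, which also deals with the 'garbage' problem mentioned above: it pulls enabled computer accounts with their OS and last logon date, separates the ones that have not logged on within a threshold, counts operating systems for the active machines only, and writes the stale list out for review. The threshold and output path are placeholders.

```powershell
# Added example (not from the original article): OS inventory of enabled
# computer accounts, with stale accounts split out. Assumptions: ActiveDirectory
# module; threshold and CSV path are placeholders.
Import-Module ActiveDirectory
$StaleDays = 90   # placeholder: no logon in this many days = probably dead

$props = 'OperatingSystem', 'OperatingSystemVersion', 'LastLogonDate', 'Enabled'
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -Properties $props

# LastLogonDate comes from lastLogonTimestamp, which replicates with up to a
# 14-day lag, so treat it as approximate.
$cutoff = (Get-Date).AddDays(-$StaleDays)
$active = $computers | Where-Object { $_.LastLogonDate -ge $cutoff }
$stale  = $computers | Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff }

"Enabled computers: {0} (active {1}; no logon in {2} days: {3})" -f `
    $computers.Count, $active.Count, $StaleDays, $stale.Count

# OS breakdown of the active machines only (blank OS = the join never completed).
$active |
    Group-Object -Property OperatingSystem |
    Sort-Object -Property Count -Descending |
    Select-Object @{ Name = 'OperatingSystem'; Expression = { if ($_.Name) { $_.Name } else { '(blank)' } } }, Count |
    Format-Table -AutoSize

# The stale list is the tidy-up job; review it before disabling anything.
$stale | Select-Object Name, OperatingSystem, LastLogonDate |
    Sort-Object -Property LastLogonDate |
    Export-Csv -Path 'C:\Temp\Stale-Computers.csv' -NoTypeInformation   # placeholder path
```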
If you attempt to edit the authOrig attribute of a mail enabled group using ADSIedit you will get the following error.
There is no editor registered to handle this attribute type.
Why would you be doing this? This is done when you want to restrict who can email a group.
Solution
If you are running either on-premises Microsoft Exchange (or are running in Hybrid Exchange mode and have retained an Exchange server for management), you can simply use the Exchange Admin Center to set the person or group that is allowed to send to the group.
Recipients > Groups > Group-Name > Edit > Delivery Management > Set accordingly.
Note: As I'm in Hybrid mode and have AAD Sync set up, if I attempt to look at this group in O365 / Exchange Online, it simply says:
You can only manage this group in your on premises environment. Use Active Directory users and groups, or Exchange AdminCenter tools to edit or delete this group.
Technical Pedantry: The fact it’s been called ‘Active Directory Users and Computers‘ since Windows 2000 makes my OCD flinch at that comment.
Use PowerShell
You can (if you have no access to the Exchange management tools) simply use PowerShell; the syntax is as follows.
[box]
Set-ADGroup -Identity "The-Group" -Server The-Domain-Controller -Add @{authOrig=@('The User or Group to grant access to')}
e.g.
Set-ADGroup -Identity "CN=DG-Test-Disty-Group,CN=Users,DC=pnl,DC=com" -Server PNL-MGMT.pnl.com -Add @{authOrig=@('CN=Pete Long,CN=Users,DC=pnl,DC=com')}
[/box]
Then to prove it’s not all ‘smoke and mirrors’ you can go back to ADSIedit and check.
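An added example (mine, not from the article) around the Set-ADGroup command above: it resolves sender accounts to the distinguished names authOrig requires, appends them with -Add (rather than -Replace, which would silently drop anyone already on the list), reads the attribute back from the same DC, and shows how to remove a single entry. Group, user and DC names are placeholders.

```powershell
# Added example (not from the original article): restrict who may send to a
# mail-enabled group via authOrig, then read it back. Assumptions: ActiveDirectory
# module; rights to write the group object; names below are placeholders.
Import-Module ActiveDirectory
$Group   = 'DG-Test-Disty-Group'          # placeholder (sAMAccountName or DN)
$Senders = 'pete.long', 'svc-helpdesk'    # placeholder sAMAccountNames
$DC      = 'PNL-MGMT.pnl.com'             # placeholder: write and read on the same DC

# authOrig holds distinguished names, so resolve each account to its DN first
# (-ErrorAction Stop so a typo in a name aborts rather than writing nothing).
$dns = foreach ($s in $Senders) {
    (Get-ADUser -Identity $s -Server $DC -ErrorAction Stop).DistinguishedName
}

# -Add appends to the multi-valued attribute; -Replace would overwrite it.
Set-ADGroup -Identity $Group -Server $DC -Add @{ authOrig = $dns }

# Read it back from the same DC (other DCs show it once replication has run).
$g = Get-ADGroup -Identity $Group -Server $DC -Properties authOrig, mail
"Senders allowed to mail {0} ({1}):" -f $g.Name, $g.mail
$g.authOrig | ForEach-Object { "  $_" }

# To lift the restriction for one sender, remove just that DN:
#   Set-ADGroup -Identity $Group -Server $DC -Remove @{ authOrig = $dns[1] }
# Note: authOrig lists individual senders; to permit the members of another
# group, Exchange uses the dLMemSubmitPerms attribute instead.
```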
Manually Update Windows Trusted Root Certificates KB ID 0001831
Problem
These days your trusted root certificates are simply updated with Windows Update, but what if your servers have no internet access? In this example I will manually update the root certs by downloading them on a machine WITH internet access, then importing them on another machine that does not have it.
Bear in mind: If none of your machines have internet access they cannot check certificate revocation lists etc., so you may still get some errors. You may want to consider deploying your own internal PKI.
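The following is an added example (not from the original article) of that download-then-import procedure with the checks I'd want: certutil builds a serialized store (.sst) from Windows Update on the online machine, the file's hash is recorded so the copy can be verified on the offline side, then Import-Certificate loads it into the machine Root store and the before/after counts are shown. The .sst path is a placeholder.

```powershell
# Added example (not from the original article): fetch the Microsoft trusted
# root list online, import it offline. Assumptions: both halves run elevated;
# the .sst path is a placeholder and the file is copied between the machines.
$Sst = 'C:\Temp\TrustedRoots.sst'   # placeholder

# --- ONLINE machine: build a serialized store (.sst) from Windows Update ---
certutil -generateSSTFromWU $Sst
(Get-FileHash -Path $Sst -Algorithm SHA256).Hash   # record this value

# --- OFFLINE machine ---
(Get-FileHash -Path $Sst -Algorithm SHA256).Hash   # must match the value recorded above
$before = (Get-ChildItem -Path Cert:\LocalMachine\Root).Count

# Import-Certificate accepts .sst files; certificates already in the store are
# not duplicated because the store is keyed by thumbprint.
$imported = Import-Certificate -FilePath $Sst -CertStoreLocation Cert:\LocalMachine\Root
$after = (Get-ChildItem -Path Cert:\LocalMachine\Root).Count
"Root store: {0} before, {1} after ({2} certificates in the .sst)" -f $before, $after, $imported.Count

# Anything already expired in the store is worth knowing about after an import.
Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.NotAfter -lt (Get-Date) } |
    Select-Object Subject, NotAfter, Thumbprint
```

Comparing the hash on both sides is the point of the two Get-FileHash lines: the .sst decides what the offline server will trust, so make sure the file that arrives is the one certutil produced.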
I’ve been aware of Windows Terminal for a while, I’ve just never felt the need to set it up. Most of my work for the website involves me taking screenshots on Windows Server OS. So, when I decided to take a look at it I had to jump through a few hoops to get it to work, in the words of Juan Sánchez Villalobos Ramírez, Chief metallurgist to King Charles V of Spain, “I would save you that pain”. (If you get that reference, we can be friends).
Solution: Windows Terminal on Server 2022
So, Windows Server OSs cannot access the Windows Store, so you need to manually download the app packages (.msixbundle) then install them with PowerShell. If you want to install on Server 2022 then don't download the Windows 11 package; if you do and try to install it you will see something like:
Deployment failed with HRESULT: 0x80073CFD, A Prerequisite for an install could not be satisfied. Windows cannot install package Microsoft.WindowsTerminal_1.16.10262.0_x64__8wekyb3d8bbwe because this package is not compatible with the device. The package requires OS version 10.0.22000.0 or higher on the Windows.Desktop device family. The device is currently running OS version 10.0.20348.1668
I walked back through a few versions before I realised you need to download the Windows 10 version. Go here and check for the latest version.
Previous Windows Server Versions: In some cases you may need to download and install the Preinstall Kit (see the above page for the download link). Simply download it as a zip file, extract it, and then use Add-AppxPackage to install that .msixbundle first. But for Server 2022 you don't need to do that.
Firstly, you need to download another package as it's a prerequisite; the following commands will download and install it.
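As an added example (not from the original article), here is the install with the check that would have saved the HRESULT 0x80073CFD error above: it reads the OS build number and compares it with the 10.0.22000 minimum that the Windows 11 package demands (Server 2022 reports 10.0.20348, as the error text shows), then installs the prerequisite package followed by the bundle and verifies the package registered. The download folder and file names are placeholders that depend on the version you fetched.

```powershell
# Added example (not from the original article): build check, then install and
# verify Windows Terminal. Assumptions: the .msixbundle and its prerequisite
# package are already downloaded to $Downloads; file names are placeholders.
$Downloads = 'C:\Temp\Terminal'                                                  # placeholder
$Bundle    = Join-Path $Downloads 'Microsoft.WindowsTerminal_Win10_x64.msixbundle' # placeholder name
$Prereq    = Join-Path $Downloads 'Prerequisite.appx'                              # placeholder name

# Server 2022 is build 20348; the Windows 11 package requires 22000 or higher,
# which is what the 0x80073CFD error in the article is complaining about.
$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber
"This machine is $($os.Caption), build $($os.Version)"
if ($build -lt 22000) {
    "Build $build is below 22000: use the Windows 10 package, not the Windows 11 one."
}

# Dependencies first, then the bundle.
Add-AppxPackage -Path $Prereq
Add-AppxPackage -Path $Bundle

# Verify the package registered for this user, then launch it.
Get-AppxPackage -Name Microsoft.WindowsTerminal | Select-Object Name, Version, Architecture
wt.exe
```

Add-AppxPackage registers the app for the current user only, so repeat the two Add-AppxPackage lines under each account that needs Windows Terminal on the server.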