Performing a Windows Server 2025 domain join (to a local domain). The end result is the same as it has always been; Microsoft has just made the job of getting there a little more convoluted (the same is true of Windows 11).
Solution: Windows Server 2025 Domain Join
Before attempting to join the domain, let’s make sure we can ‘resolve’ the domain name, (because most domain join problems are DNS related). Whilst logged in as a (local) administrative user, click the Windows button > Windows PowerShell.
Ensure you can ‘ping’ the domain name (see below). Here I also verify that the IP address that responds is my domain controller. (Note: the reverse lookup will only work if your DNS has a correctly set up reverse lookup zone!)
Click the Windows button > System.
System > About.
Advanced System Settings.
Computer Name.
Change.
Select ‘Domain’ and enter the domain name > OK > enter credentials that have the rights to join a machine to the domain* > OK
*Note: All domain users have the right to join 10 machines to the domain.
OK > OK.
OK > Restart Now > The server will reboot.
Ensure you don’t mistakenly log on as the local administrator > Other User > then remember, if you are logging on as the domain administrator, use DOMAIN\Administrator or administrator@domain-name.domain-extension.
Solution: PowerShell Windows Server 2025 Domain Join
As above, before attempting to join the domain, let’s make sure we can ‘resolve’ the domain name, (because most domain join problems are DNS related).
Use the following syntax.
[box]
Add-Computer -DomainName {your-domain-name}
[/box]
When prompted, provide credentials that have rights to add computer object to the domain.
When successfully joined, you will be asked to reboot.
[box]
Restart-Computer
[/box]
Ensure you don’t mistakenly log on as the local administrator > Other User > then remember, if you are logging on as the domain administrator, use DOMAIN\Administrator or administrator@domain-name.domain-extension.
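The DNS checks above, followed by the join, as one script. This is an added example and not the article’s own commands; the domain name, the OU distinguished name and the account you are prompted for are assumed placeholders.

```powershell
# Added example, not from the original article: pre-flight DNS checks, then an
# unattended join. 'corp.example.com' and the OU path are assumed placeholders.
$Domain = 'corp.example.com'
$OU     = 'OU=Servers,DC=corp,DC=example,DC=com'

# 1. The domain name itself should resolve to the A records of your domain
#    controllers (this is what 'ping corp.example.com' is really testing).
$dcIPs = Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop |
         Select-Object -ExpandProperty IPAddress
Write-Host "$Domain resolves to: $($dcIPs -join ', ')"

# 2. Reverse lookup of each responding address; this only succeeds when a
#    reverse lookup zone exists and holds a PTR record, as the note above says.
foreach ($ip in $dcIPs) {
    $ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue
    $host = if ($ptr) { $ptr.NameHost } else { 'no PTR record' }
    Write-Host ("  {0} -> {1}" -f $ip, $host)
}

# 3. The SRV record the join actually depends on. If this is missing, the client
#    is pointed at a DNS server that does not host the AD zone.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
$dc  = ($srv | Where-Object Type -eq 'SRV' | Select-Object -First 1).NameTarget
if (-not (Test-NetConnection -ComputerName $dc -Port 389 -InformationLevel Quiet)) {
    throw "LDAP (TCP/389) to $dc is unreachable; fix DNS or the firewall before joining."
}

# 4. Join, placing the computer object in a specific OU rather than the default
#    Computers container, and reboot when done. Prompting for the credential keeps
#    the join password out of the script and out of the PowerShell history.
$cred = Get-Credential -Message 'Account with rights to join computers to the domain'
Add-Computer -DomainName $Domain -Credential $cred -OUPath $OU -Restart
```

Run it from an elevated PowerShell on the server you are joining. If step 3 throws, fix the server’s DNS client settings first; the join wizard performs the same SRV lookup and will fail in the same place.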
Leave a Windows Domain Using PowerShell
First, I make sure I am correctly domain joined using the following command.
Then to ‘leave’ the domain use the following command.
[box]
Remove-Computer
[/box]
When prompted, reply Y for yes, then reboot the server to complete the process with the following command.
[box]
Restart-Computer
[/box]
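The ‘am I domain joined?’ check and the leave, as one script. This is an added example, not the article’s own commands; the workgroup name and the account you are prompted for are assumed placeholders.

```powershell
# Added example, not from the original article: confirm the current join state,
# refuse to run on a domain controller, then leave into a named workgroup.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
[pscustomobject]@{
    Computer     = $cs.Name
    PartOfDomain = $cs.PartOfDomain
    Domain       = $cs.Domain       # shows the workgroup name when not joined
    DomainRole   = $cs.DomainRole   # 0/1 workstation, 2/3 server, 4/5 domain controller
}

if ($cs.DomainRole -ge 4) {
    throw 'This machine is a domain controller; demote it (Uninstall-ADDSDomainController) rather than using Remove-Computer.'
}
if (-not $cs.PartOfDomain) {
    Write-Warning 'Not domain joined; nothing to do.'
    return
}

# Supplying credentials lets Windows disable the computer account in AD as it
# leaves, instead of leaving a live account behind. 'STANDALONE' is an assumed
# workgroup name. You will still be asked to confirm (Y) because -Force is not used.
$cred   = Get-Credential -Message 'Account allowed to disable the computer account in AD'
$result = Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName 'STANDALONE' -PassThru -Verbose
if ($result.HasSucceeded) { Restart-Computer }
```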
Leave a Windows Domain Using GUI
To do the same graphically, it’s just the reverse of a domain join: use the instructions above to get to the following dialog, then select ‘Workgroup’ and enter the workgroup name.
OK > OK.
Close > Restart Now.
Related Articles, References, Credits, or External Links
Server Evaluation Extending & Converting KB ID 0001879
Problem
If you download and install a Windows Server evaluation, you get 180 days’ grace to upgrade it to a fully licensed version. Now, the internet is awash with articles telling you how you can extend that; in fact you can extend it by 180 days a further SIX TIMES. But what they fail to tell you is that this only works if you DON’T LET IT EXPIRE. Once you’ve breached the 180 days you cannot extend it by 180 days (if you try, you only get 10 days’ grace!)
Day 1
After 180 Days
Solution: Server Evaluation Extending
When the server is first deployed you will have 180 days and SIX REARMS available, which you can see with the following command.
[box]
slmgr -dlv
[/box]
Assuming you are within the 180 day period you can simply extend by 180 days with the following command.
[box]
slmgr -rearm
[/box]
Once rebooted you can check status with the same command we used above (slmgr -dlv).
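The same information that slmgr -dlv prints, read through the WMI licensing classes so a script can decide whether a rearm is worth doing. This is an added example and not part of the original article; the rearm is only attempted while the evaluation is still licensed and a rearm remains, because (as the article says) rearming after expiry buys 10 days, not 180.

```powershell
# Added example, not from the original article: check days left and rearm count,
# and only rearm when it will give a fresh 180 days. The GUID is the Windows
# application ID used by the licensing classes; the status table is from the
# SoftwareLicensingProduct documentation.
$WindowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'
$svc  = Get-CimInstance -ClassName SoftwareLicensingService
$prod = Get-CimInstance -ClassName SoftwareLicensingProduct `
            -Filter "ApplicationId='$WindowsAppId' AND PartialProductKey IS NOT NULL" |
        Select-Object -First 1

$statusText = @{ 0='Unlicensed'; 1='Licensed'; 2='OOB grace'; 3='OOT grace';
                 4='Non-genuine grace'; 5='Notification'; 6='Extended grace' }
# GracePeriodRemaining is in minutes; for a licensed evaluation it is the
# 'Timebased activation expiration' that slmgr -dlv reports.
$daysLeft = [math]::Floor($prod.GracePeriodRemaining / 1440)

[pscustomobject]@{
    Edition    = $prod.Name
    Status     = $statusText[[int]$prod.LicenseStatus]
    DaysLeft   = $daysLeft
    RearmsLeft = $svc.RemainingWindowsReArmCount
}

function Invoke-EvalRearm {
    if ($svc.RemainingWindowsReArmCount -eq 0) {
        Write-Warning 'No rearms left: enter a product key (slmgr -ipk) or convert the edition with DISM.'
    }
    elseif ($prod.LicenseStatus -eq 1 -and $daysLeft -gt 0) {
        # Same as 'slmgr -rearm'; the new period starts after a reboot.
        Invoke-CimMethod -InputObject $svc -MethodName ReArmWindows | Out-Null
        Write-Host "Rearmed. Reboot to start a fresh 180-day period ($($svc.RemainingWindowsReArmCount - 1) rearm(s) will remain)."
    }
    else {
        Write-Warning "Evaluation not in a licensed state ($($statusText[[int]$prod.LicenseStatus])): a rearm now only gives 10 days, so license or convert the server instead."
    }
}
Invoke-EvalRearm
```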
Solution: Server Evaluation Extending (If Expired)
If you have been logged on to the server, it will have warned you with prompts like this.
What Happens If The Windows Server Evaluation License Expires?
The server will shut itself down, 1 hour after it has been powered on, (after logging Event ID 1074).
Event ID 1074
The License period for this installation of Windows has expired. the operating system is shutting down.
As mentioned above, you can give yourself some breathing room (assuming you have a rearm count of 1 or more) by using the same command to extend (slmgr -rearm). But you will only get 10 days’ grace to enter a valid key/activation code.
Converting Windows Server Evaluation To Full Version
The other option, and of course what Microsoft want you to do, is convert the evaluation version to a full version. You can see what versions are available by running the following command.
[box]
DISM /Online /Get-TargetEditions
[/box]
My only option is ServerDatacenter – so I can convert to that version and enter a valid Windows Key to licence the server at the same time.
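The conversion step itself, checked rather than eyeballed. This is an added example, not the article’s own command line; the product key is a placeholder and the target edition is the one the article found available (ServerDatacenter).

```powershell
# Added example, not from the original article: confirm the edition is a valid
# target, then convert and license in one step. The key is a placeholder.
$target = 'ServerDatacenter'
$key    = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'   # placeholder: use your own retail/KMS client key

# Parse 'Target Edition : <name>' lines out of DISM's output.
$available = (& dism.exe /Online /Get-TargetEditions) | ForEach-Object {
    if ($_ -match '^\s*Target Edition\s*:\s*(\S+)') { $Matches[1] }
}
Write-Host "Conversion targets on this build: $($available -join ', ')"
if ($available -notcontains $target) {
    throw "$target is not an available target edition here."
}

# Record where we are starting from (edition name and whether it is an eval).
& dism.exe /Online /Get-CurrentEdition

# Edition change and product key are applied together; DISM asks to reboot.
& dism.exe /Online "/Set-Edition:$target" "/ProductKey:$key" /AcceptEula
if ($LASTEXITCODE -ne 0) { throw "DISM failed with exit code $LASTEXITCODE" }

# After the reboot, confirm the licence state (equivalent to slmgr -dli):
#   slmgr.vbs /dli
```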
NDES is the new name for what we used to call MSCEP, which was an ‘add-on’ for the Server 2003 family. In Server 2008 it was renamed to NDES. It is a role service that runs on a Certificate Services server and is used to create a registration authority (RA) that can issue certificates from your PKI infrastructure to network devices, e.g. routers, firewalls and switches.
Solution
Installing Network Device Enrollment Service
I’m assuming you already have an Active Directory Certificate Services Server setup, if not you can deploy that and add in NDES at the same time.
1. Either: Launch Server Manager > Manage > Add Roles and Features > Below Active Directory Certificate Services select Network Device Enrollment Service.
2. Or: From within PowerShell run the following command;
1. Create a domain user (below I’ve called it SVC_NDES) > Add that user to the IIS_IUSRS group on the CA server.
2. From within Server Manager launch the post deployment configuration wizard.
3. Next.
4. Select Network Device Enrollment Service, (if not already selected).
5. Change the account details, to the service account you created above.
6. Enter the details that will be used to enroll the RA certificate.
7. Accept the defaults > Next.
8. Configure.
9. Close.
10. Launch the Certificate Authority management console > Certificate Templates > Right Click > Manage.
11. Open the properties of the ‘IPSec (Offline request)’ certificate > Security Tab > Make sure the account you created (above) has the ‘Enroll’ permission.
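The PowerShell route through the same steps: install the role service (the ‘Or’ in step 2), put the service account in IIS_IUSRS (step 1), run the post-deployment configuration (steps 3–9) and confirm the template permission (step 11). This is an added example, not the article’s own command; the domain prefix, RA details and template lookup are assumed, and SVC_NDES is the account name the article uses.

```powershell
# Added example, not from the original article. 'CORP\SVC_NDES' and the RA
# fields are assumed values; run on the CA server as an enterprise admin.
$svcAccount = 'CORP\SVC_NDES'

# Step 2 (PowerShell alternative to the Add Roles wizard).
Install-WindowsFeature -Name ADCS-Device-Enrollment -IncludeManagementTools

# Step 1: the service account must be in the local IIS_IUSRS group.
if (-not (Get-LocalGroupMember -Group 'IIS_IUSRS' -Member $svcAccount -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'IIS_IUSRS' -Member $svcAccount
}

# Steps 3-9: post-deployment configuration. The RA* values become the subject
# of the registration authority certificates NDES enrolls for itself.
$pw = Read-Host -AsSecureString -Prompt "Password for $svcAccount"
Install-AdcsNetworkDeviceEnrollmentService `
    -ServiceAccountName     $svcAccount `
    -ServiceAccountPassword $pw `
    -RAName    'CORP-NDES-RA' `
    -RACompany 'Example Corp' `
    -RACountry 'GB' `
    -Force

# Step 11: template permissions live in AD. 'IPSECIntermediateOffline' is the
# object name behind the 'IPSec (Offline request)' display name; this lists any
# ACEs the service account holds on it so you can see whether Enroll is there.
Import-Module ActiveDirectory
$templatesDN = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
               (Get-ADRootDSE).configurationNamingContext
$tmpl = Get-ADObject -Filter { cn -eq 'IPSECIntermediateOffline' } `
            -SearchBase $templatesDN -Properties nTSecurityDescriptor
$tmpl.nTSecurityDescriptor.Access |
    Where-Object { "$($_.IdentityReference)" -like '*SVC_NDES' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```

If the last command prints nothing, the account has no ACE on the template at all and you still need step 11 in the Certificate Templates console.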
NDES Disable Password Requirement.
I’ve read a few blogs and articles that say;
“There is no way for Cisco devices to supply the required password to enroll with NDES/MSCEP, so you need to disable the requirement for a password.”
This is NOT TRUE. However, the whole point of issuing certificates via your PKI infrastructure is that it scales dramatically; if you are creating passwords and embedding them in all your enrollments, it gets a little unwieldy. So it may be sensible to remove the password requirement.
Update: 22/10/21: You may also need to recycle the SCEP application pool in IIS (on the Certificate Services Server)
From IIS Manager > {CA server} > Application Pools > SCEP > From the right hand panel > Advanced Settings > Set Load User Profile to ‘True’ > OK.
Again in the right panel > Recycle. Then, from IIS Manager > Sites > Default Web Site > in the right panel, click Restart.
Below you can see the difference, with the password requirement enforced, and without.
2. Restart the Certificate Services Service;
[box]
net stop certsvc
net start certsvc
[/box]
NDES More Password Options and Renewing Certificates
If you do want the more secure option of using passwords, but don’t want to add a new password every time you have a new enrollment, you can specify that the password does not expire after the default 60 minutes; in fact it never expires. This is handy if you want to renew certificates without generating new passwords. To do that, carry out the following procedure;
[box]
HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Cryptography > MSCEP
[/box]
Create a new 32-bit DWORD value called ‘DisableRenewalSubjectNameMatch’ and set the value to 1 (one).
3. If (as above), you are running NDES under a service account, ensure that account has full control of the MSCEP key. (Again don’t forget to restart the Certificate Server service.)
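The registry value, the service-account permission on the MSCEP key, the Certificate Services restart and the SCEP application-pool recycle from the 22/10/21 update, as one script. This is an added example, not the article’s own commands; the account name is an assumed placeholder.

```powershell
# Added example, not from the original article. 'CORP\SVC_NDES' is an assumed
# placeholder; run elevated on the Certificate Services server.
$svcAccount = 'CORP\SVC_NDES'
$mscep      = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

# 32-bit DWORD (PropertyType DWord), value 1.
New-ItemProperty -Path $mscep -Name 'DisableRenewalSubjectNameMatch' `
    -PropertyType DWord -Value 1 -Force | Out-Null
Get-ItemProperty -Path $mscep | Select-Object DisableRenewalSubjectNameMatch

# Full control on the MSCEP key for the service account; subkeys inherit.
$acl  = Get-Acl -Path $mscep
$rule = [System.Security.AccessControl.RegistryAccessRule]::new(
            $svcAccount, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $mscep -AclObject $acl
(Get-Acl -Path $mscep).Access |
    Where-Object { $_.IdentityReference.Value -eq $svcAccount } |
    Select-Object IdentityReference, RegistryRights, InheritanceFlags

# Certificate Services reads MSCEP settings at start-up, so restart it
# (the same as 'net stop certsvc' followed by 'net start certsvc').
Restart-Service -Name CertSvc -Force

# IIS side: Load User Profile on the SCEP pool, then recycle the pool.
Import-Module WebAdministration
Set-ItemProperty -Path 'IIS:\AppPools\SCEP' -Name 'processModel.loadUserProfile' -Value $true
Restart-WebAppPool -Name 'SCEP'
Get-WebAppPoolState -Name 'SCEP'
```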
IIS Query String Problem
With the default IIS settings you may encounter problems, because by default IIS will only accept a query string shorter than 2048 characters. If that happens you may see the following errors;
Request URL Too Long
HTTP Error 414. The request URL is too long.
HTTP Error 404.15 – Not Found
The request filtering module is configured to deny a request where the query string is too long.
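The two errors come from two different places: 404.15 is the IIS request filtering module (maxQueryString), while 414 is http.sys, whose limits live in the registry. This added example raises both; it is not from the original article, and the new limits are assumed values you should size for your own requests.

```powershell
# Added example, not from the original article: raise the IIS request-filtering
# limits on the site and the http.sys limits machine-wide. Values are assumed.
Import-Module WebAdministration
$site = 'Default Web Site'

# Before: defaults are maxQueryString 2048 and maxUrl 4096.
Get-WebConfiguration -PSPath "IIS:\Sites\$site" `
    -Filter 'system.webServer/security/requestFiltering/requestLimits' |
    Select-Object maxQueryString, maxUrl, maxAllowedContentLength

# Request filtering (the 404.15 source), scoped to this site only.
$filter = 'system.webServer/security/requestFiltering/requestLimits'
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" -Filter $filter -Name 'maxQueryString' -Value 16384
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" -Filter $filter -Name 'maxUrl'         -Value 32768

# http.sys (the 414 source). MaxFieldLength is bytes per header/URL field,
# MaxRequestBytes the whole request line plus headers; both need a restart.
$http = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
New-ItemProperty -Path $http -Name 'MaxFieldLength'  -PropertyType DWord -Value 32768 -Force | Out-Null
New-ItemProperty -Path $http -Name 'MaxRequestBytes' -PropertyType DWord -Value 65536 -Force | Out-Null

& iisreset.exe /noforce

# After: confirm the site now carries the larger limits.
Get-WebConfiguration -PSPath "IIS:\Sites\$site" -Filter $filter |
    Select-Object maxQueryString, maxUrl
```

Raise these only as far as the SCEP requests actually need; the limits exist to bound what an unauthenticated client can make the server parse.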
When attempting a file server migration, why isn’t this better publicised? Did you know Microsoft has a set of migration tools, and one of them is for file servers? Traditionally I’d use RoboCopy or XCopy to migrate files and folders, and for ‘user profiles’ I would normally back them up and restore them to the new server, because the file permissions on ‘correctly deployed’ user profiles mean you can’t open them.
How about a tool, that migrates all the files, folders and profiles while maintaining all the NTFS permissions, AND Share permissions!
Windows File Server Migration Tools
Source Server Pre-requisites
Server 2003: .NET 2.0 (with SP1), PowerShell 2.0, and 25 MB free drive space.
Server 2008: PowerShell and 25 MB free drive space.
Server 2008 R2 and newer: 25 MB free drive space.
All: UDP port 7000 needs to be open, from source to the destination server.
File Server Migration Server 2008 to Server 2019
File Server Migration from Server 2003!
Source Server: Windows Server 2003 Standard x64 (x86 supported as well)
Destination Server: Windows Server 2012 R2 Datacenter
Source Server: Here you can see my user profiles, I’ll do the migration with them, as usually they are the most ‘challenging’.
You need to create a shared folder on the Source Server, I’ve just granted everyone full control, (this is just for the migration tools).
Destination Server: Open a PowerShell window and install the tools with the following command;
Open an administrative command window > Now you need to deploy the migration tools to the share on the source server; to do that use the following command;
Note: For x86 (32 bit) source servers use x86 instead of amd64. WS03 (Windows Server 2003), WS08 (Windows Server 2008), WS08R2 (Windows Server 2008 R2), and WS12 (Windows Server 2012).
Source Server: Open the folder you created earlier and within it you will find another folder that has the tools in. Open an administrative command window and change to this directory > then execute the following command;
[box]
.\smigdeploy
[/box]
Another PowerShell window will open, leave it open, and return to the destination server.
Destination Server: Here I’ve created a folder that I’m going to migrate into.
Destination Server: Open a PowerShell window and issue the following two commands;
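The whole migration sequence, source and destination side, as one annotated script. This is an added example and not the article’s own commands; server names, share name, paths and the SmigDeploy output folder name are assumed placeholders, and the source/destination sections are run on different machines, not top to bottom on one.

```powershell
# Added example, not from the original article. Assumed names: source WS03 box
# FS-OLD, destination FS-NEW, migration share \\FS-OLD\SmigTools, data moving
# from D:\Shares on the source to E:\Shares on the destination.

# ---- Destination server (run first) ----
Install-WindowsFeature -Name Migration     # Windows Server Migration Tools
# Package the tools for the source OS/architecture into the share on the source.
# amd64 or x86, and WS03 / WS08 / WS08R2 / WS12, as per the note above.
& "$env:SystemRoot\System32\ServerMigrationTools\SmigDeploy.exe" `
    /package /architecture amd64 /os WS03 /path '\\FS-OLD\SmigTools'

# ---- Source server ----
# Change to the folder SmigDeploy created inside the share (name assumed) and
# register the tools; this opens the PowerShell window you leave open:
#   cd \\FS-OLD\SmigTools\SMT_ws03_amd64
#   .\smigdeploy.exe

# ---- Destination server: start listening (blocks until the source connects).
# You are prompted for a password that protects the transfer session.
Receive-SmigServerData

# ---- Source server, in the window smigdeploy opened: push files, folders,
# share definitions and NTFS ACLs. -Include All = data plus share settings.
Send-SmigServerData -ComputerName 'FS-NEW' -SourcePath 'D:\Shares' `
    -DestinationPath 'E:\Shares' -Include All -Recurse -Force

# ---- Destination server: spot-check that permissions survived the hop.
Get-Acl -Path 'E:\Shares' | Format-List Owner, AccessToString
Get-SmbShare | Where-Object Path -like 'E:\Shares*' | Get-SmbShareAccess
```

Port 7000 has to be open from source to destination before Receive-SmigServerData will ever see the sender, which is the prerequisite listed earlier in the article.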
When attempting to contact a server running the Certification Authority Web Enrolment role, you may see the following error.
In order to complete certificate enrolment, the Web site for the CA must be configured to use HTTPS authentication
Solution
The correct fix is to set the web server (IIS) to serve the certificate website securely over HTTPS, though you can just set Internet Explorer to ‘work’ from your client machine if you are in a hurry.
Make Internet Explorer Accept Your Certification Authority
Note: This would need to be done on every machine that you wanted to access the Certificate Services web portal from.
1. From within Internet Explorer > Internet Options > Security > Trusted Sites > Sites.
2. Untick ‘Require server verification (https:) for all sites in this zone’ > Then add in the URL of the CA > Close.
3. With Trusted sites still selected > Custom level > ‘Initialize and script ActiveX controls not marked as safe for scripting’ > Enable > OK > Yes.
4. Restart the browser and try again.
Set IIS to serve Certificate Services Securely (via https).
This assumes you have your CA and the web portal installed correctly.
1. On the Certificate Services Server > Launch IIS Manager > Expand {server-name} > Sites > Default Web Site > Right Click > Edit Bindings > https > Edit > Select the self signed server certificate [NOT the CA ONE] > OK.
Note: If https is missing simply add it!
2. Expand Default Web Site > Certsrv > SSL Settings.
3. Tick ‘Require SSL’ > Apply.
4. That should be all you need, if it does not take effect straight away then drop to command line and run iisreset /noforce.
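The four IIS steps as PowerShell, picking the web server certificate by hostname so the CA’s own certificate is never bound by mistake. This is an added example, not the article’s own commands; the hostname is an assumed placeholder.

```powershell
# Added example, not from the original article. 'ca01.corp.example.com' is an
# assumed hostname; the certificate must be issued to this host for Server
# Authentication, NOT the CA certificate itself.
Import-Module WebAdministration
$site = 'Default Web Site'
$fqdn = 'ca01.corp.example.com'

# Newest certificate in the machine store whose subject is this host and which
# carries the Server Authentication EKU (CA certificates have no such EKU).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$fqdn*" -and
                   $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No server-authentication certificate for $fqdn in LocalMachine\My" }

# Step 1: https binding (added if missing), then attach the certificate to it.
if (-not (Get-WebBinding -Name $site -Protocol https)) {
    New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress '*'
}
Get-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -ErrorAction SilentlyContinue | Remove-Item
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null

# Steps 2-3: require SSL on the CertSrv application only.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$site/CertSrv" `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

# Step 4, then prove plain http is now refused (403.4 = SSL required).
& iisreset.exe /noforce
try   { Invoke-WebRequest -Uri "http://$fqdn/certsrv/" -UseBasicParsing -UseDefaultCredentials }
catch { "http://$fqdn/certsrv/ -> $($_.Exception.Response.StatusCode)" }
```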
Related Articles, References, Credits, or External Links
I got a call last night to help out a colleague; this involved using a ‘dubious’ piece of software that is very old (I won’t elaborate further). But to run it on a modern Windows Server is nearly impossible. The host detects the software as being infected (it may well be, but I’ve never suffered). So I need to keep the software in a password-protected Zip file and only extract it on a virtual machine that I don’t mind sacrificing!
That’s great, but Defender was having none of this, so I needed to ‘temporarily‘ stop its real time protection.
Note: Standard warning, disabling Windows defender on a production machine is not a good idea, (without another 3rd party anti virus/anti malware product.)
You can disable Defender using the following group Policy;
[box]Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > Turn off Windows Defender Antivirus > Set to Enabled[/box]
I like to learn the keyboard shortcuts for these sorts of things (because developers will change the way things are done in the GUI). So in the good old days I simply ran msconfig, located the offending software on the startup list and disabled it. Then that got removed and put in ‘Task Manager’, then that got removed. So I’m pulling a frowny face at Microsoft developers for their lack of continuity 🙁 (It’s not just them; Cisco and VMware are just as bad!)
I’ve got an administration server I use, (Server 2016,) and it’s got a load of software on there that usually would not be on a server, Skype Client, Citrix Client etc. So how do I stop them autoloading?
Solution
Well I could start digging around in the registry manually, but a much simpler option is to download and run AutoRuns;
Either untick the offender or right click and go to the source and manually disable it yourself.
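For the ‘go to the source and manually disable it yourself’ part, this is the registry digging done in one go: every logon autostart from the Run/RunOnce keys and the Startup folders, then a disable-by-name that honours -WhatIf. This is an added example, not the article’s or Sysinternals’ code; ‘Skype’ is an assumed entry name.

```powershell
# Added example, not from the original article: enumerate logon autostarts and
# remove one by name. 'Skype' is an assumed value name.
function Get-LogonAutostart {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
    foreach ($f in @([Environment]::GetFolderPath('CommonStartup'),
                     [Environment]::GetFolderPath('Startup'))) {
        Get-ChildItem -Path $f -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Source = $f; Name = $_.Name; Command = $_.FullName }
        }
    }
}

# Review the list; commands that are unsigned or live in odd paths deserve a
# closer look. AutoRuns does the signature check for you:
#   autorunsc.exe -accepteula -a l -m -s   (logon entries, hide Microsoft, verify signatures)
Get-LogonAutostart | Format-Table -AutoSize

function Disable-LogonAutostart {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)
    Get-LogonAutostart |
        Where-Object { $_.Name -eq $Name -and $_.Source -like 'HK*' } |
        ForEach-Object { Remove-ItemProperty -Path $_.Source -Name $_.Name }
}

Disable-LogonAutostart -Name 'Skype' -WhatIf   # dry run first
# Disable-LogonAutostart -Name 'Skype'         # then for real
```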
Related Articles, References, Credits, or External Links
Massive thanks to Sysinternals and Mark Russinovich, who has been bailing me out of the mire for many years!
Life was simpler when we had DVD drives and a wallet full of CDs/DVDs! I was building an HP DL360 this morning and needed to install Windows. I created a bootable USB with Unetbootin and selected a Windows Server ISO; it wouldn’t boot. So I thought ‘Fine, I’ll play the game’ and pressed F10 for Intelligent Provisioning.
After selecting USB media – the system could not see my USB Drive?
After a couple of seconds’ head scratching the penny dropped: it wants the ISO, not a bootable drive (doofus!). So I used a FAT formatted USB, and that didn’t work either?
Option 1: Use iLO
Before you all start emailing me: you can install an operating system from virtual media WITHOUT an advanced iLO licence! Annoyingly I was building the server on the bench, so I had to connect my laptop to the iLO with a crossover cable, but here’s me proving it works.
Option 2: Use ExFAT
Format your USB drive using ExFAT, luckily I use macOS and Disk Utility will format a drive using ExFAT for me.
Note: Windows will also format as ExFAT 🙂
Then simply put your install .ISO file(s) on the media.
Now you can see your install media.
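The Windows side of option 2, with the two checks worth doing before you put the stick in a server: that you are wiping the right disk, and that the ISO matches its published hash. This is an added example, not from the original article; the ISO path and hash are placeholders.

```powershell
# Added example, not from the original article. The ISO path and expected hash
# are placeholders; the hash comes from wherever you downloaded the ISO.
$iso          = 'C:\ISOs\WindowsServer.iso'
$expectedHash = 'PUBLISHED-SHA256-GOES-HERE'

# Exactly one USB disk, or stop: Clear-Disk is destructive.
$usb = @(Get-Disk | Where-Object BusType -eq 'USB')
if ($usb.Count -ne 1) { throw "Expected exactly one USB disk, found $($usb.Count)." }
$usb = $usb[0]
Write-Host "Target: disk $($usb.Number) '$($usb.FriendlyName)' ($([math]::Round($usb.Size/1GB)) GB)"

# Verify the ISO before it goes anywhere near a server build.
$actual = (Get-FileHash -Path $iso -Algorithm SHA256).Hash
if ($actual -ne $expectedHash) { throw "ISO hash mismatch: $actual" }

# Wipe, one partition, exFAT (no FAT32 4 GB file-size limit, so the ISO fits).
Clear-Disk -Number $usb.Number -RemoveData -Confirm:$false
$vol = New-Partition -DiskNumber $usb.Number -UseMaximumSize -AssignDriveLetter |
       Format-Volume -FileSystem exFAT -NewFileSystemLabel 'HPMEDIA' -Confirm:$false
Copy-Item -Path $iso -Destination "$($vol.DriveLetter):\"
Get-ChildItem -Path "$($vol.DriveLetter):\"
```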
Option 3: Use the HP Media Creator
I didn’t try this option, but feel free to download it and give it a try, comment below to let me know how you get on.
There was a question on Experts Exchange this morning, the asker wanted to be able to add a ‘Trusted’ network range to their Windows Server Firewall settings as a ‘allow all ports’ rule.
Solution
You can of course add this manually in the GUI. Normally I’d simply add a firewall rule with a Group Policy, but the problem with that is it’s fine if you want to open a particular TCP/UDP/ICMP port, but NOT if you want to open ALL ports. You CAN, however, use PowerShell like so;
For everyone who doesn’t simply disable the Windows firewall: you need to be able to manage which ports are open on your machines. The simplest way to do this is via Group Policy. This week I had to open TCP port 9503 on the local firewall of my McAfee MOVE offload servers. Below I will open that port on all my machines, but in production I will only apply the GPO to the OU with my MOVE offload servers in it.
Solution
1. On a domain controller or a client running the remote administration tools > Windows Key+R > gpmc.msc {Enter} > The Group Policy Management Console will open.
2. Select the OU that contains the ‘Computers’ you want to enforce this policy on, (or here I’m choosing the entire domain) > Right Click > ‘Create GPO in this domain, and link it here..’.
3. Give the policy a sensible name so you can see what it is doing later.
7. As this is a new policy the list will be empty, (you can return and add multiple entries to this policy later if you require further ports opening). In the example below I’ve opened port 9053, over TCP, the asterisk means ‘from anywhere’, I’ve Enabled the rule, and called it McAfee Move.
<Scope>: Where the traffic is coming from, i.e 192.168.1.1, or 192.168.1.0/24, or simply ‘localsubnet’ or ‘*’ for everywhere. You can enter multiple values separated with a comma.
<Name>: A simple text entry to define what the exception is.
8. OK > Apply > OK > Close the Group Policy Management Editor. If you have a Windows 2012 domain you can force the policy refresh on a particular OU like so.
9. Or simply run gpupdate /force on the target machine, (or you could also wait a couple of hours, or reboot the target machines.)
10. To make sure it has worked on the target machine > Windows Key+R > WF.msc {Enter} > Inbound Rules > Your rule should be visible.
11. If you open the rule you can see it’s been applied by Group Policy, and check that the correct port has been defined.
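Both firewall tasks from the two sections above in PowerShell: the ‘trusted range, all ports’ rule the GPO port editor can’t express (the Experts Exchange question), and the single-port rule written straight into a GPO, linked to an OU, pushed out and verified on a target (steps 2–11). This is an added example and not the article’s own commands; the domain, GPO name, OU, subnet and computer name are assumed placeholders.

```powershell
# Added example, not from the original article. 'corp.example.com', the GPO
# 'FW-McAfee-Move', 192.168.1.0/24, the OU and 'MOVE-OFFLOAD-01' are placeholders.

# (a) Trusted admin subnet, every port and protocol. No -LocalPort means any
#     port; -Protocol Any covers TCP, UDP and ICMP. Pinned to the Domain profile
#     so it never applies while the box is on a public network.
New-NetFirewallRule -DisplayName 'Allow all from trusted admin subnet' `
    -Direction Inbound -Action Allow -Protocol Any `
    -RemoteAddress '192.168.1.0/24' -Profile Domain -Enabled True

# (b) The port rule written into a GPO (PolicyStore is 'domain\GPO name'); the
#     same result as a '9503:TCP:*:enabled:McAfee Move' entry in the
#     'Define inbound port exceptions' setting. Run from a box with GPMC/RSAT.
$gpoStore = 'corp.example.com\FW-McAfee-Move'
New-NetFirewallRule -PolicyStore $gpoStore -DisplayName 'McAfee Move' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 9503 `
    -RemoteAddress Any -Profile Domain -Enabled True

# Link to the OU holding the MOVE offload servers only, not the domain root.
Import-Module GroupPolicy
Import-Module ActiveDirectory
$ou = 'OU=MoveOffload,DC=corp,DC=example,DC=com'
New-GPLink -Name 'FW-McAfee-Move' -Target $ou -LinkEnabled Yes

# Step 8 on a 2012+ domain: force the refresh on every computer in that OU
# (what the GPMC 'Group Policy Update' right-click does).
Get-ADComputer -Filter * -SearchBase $ou | ForEach-Object {
    Invoke-GPUpdate -Computer $_.DNSHostName -Target Computer -Force
}

# Steps 10-11 on a target machine: the rule is present, it came from policy,
# and the port filter says TCP/9503.
$rule = Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName 'McAfee Move'
$rule | Select-Object DisplayName, Enabled, Profile, PolicyStoreSource, PolicyStoreSourceType
$rule | Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort, RemotePort
```

PolicyStoreSourceType shows GroupPolicy for rules that arrived via a GPO, which is the same thing the ‘applied by Group Policy’ banner in WF.msc tells you in step 11.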
Related Articles, References, Credits, or External Links