The Dojo

Tutorials, deep dives, and insights from our team of IT professionals.

Setting PowerShell Execution Policy with Group Policy in Windows Server 2022

Default Windows 10/11 PowerShell policy is Restricted - .ps1 files are blocked, only interactive commands run. The right way to change that fleet-wide is one GPO at Computer Configuration / Administrative Templates / Windows Components / Windows PowerShell / Turn on Script Execution. Walks the round trip end to end on Windows Server 2022 + a Win10 client: verify the default Restricted state, create the GPO and set RemoteSigned (Allow local scripts and remote signed scripts), link to a pilot Test Computers OU, gpupdate /force + reboot on the client, confirm Get-ExecutionPolicy now reports RemoteSigned, then flip the GPO to Disabled to demonstrate rollback (returns to Restricted). Includes the five execution policies (Restricted / AllSigned / RemoteSigned / Unrestricted / Bypass), Get-ExecutionPolicy -List interpretation (MachinePolicy beats everything when the GPO is in effect), and the six common pitfalls (computer-vs-user OU link, missed reboot, Unrestricted-as-default, Not-Configured-vs-Disabled rollback semantics, mixed user+computer policies, and the powershell.exe -ExecutionPolicy Bypass admin-bypass that means execution policy is a safety not a security boundary - pair with AppLocker or WDAC for real restriction).

Configure Roaming Profiles for Active Directory User Accounts

A roaming profile follows the user across machines - sign into PC-A, then PC-B, and the same desktop, files, and app settings appear. Five-step setup on Windows Server 2022: AD security group (Roaming Profiles Users), hidden SMB share (profiles$ with access-based enumeration and a custom ACL granting only Create-Folders to the security group on This folder only), user profile path attribute set to \\<server>\profiles$\%username%, GPO 'Add the Administrators security group to roaming user profiles' linked to the client OU (must be in place BEFORE first roaming logon - not retroactive), then verify on a Windows 10/11 client (gpupdate, sign in, drop a Test folder on the desktop, sign out / in, browse the share, confirm sysdm.cpl reports profile Type: Roaming). Includes the .V6 profile-version suffix explainer (different OSes get separate folders), the logon/logoff lifecycle, and the seven common pitfalls (path-before-share trap, forgotten Admins GPO, caching-on-the-share, mixed-OS .V6 collisions, profile bloat without limits).

Windows Server 2022 Hardware Requirements

The minimum hardware floor for Windows Server 2022, with the technical reasoning behind each spec. CPU: 1.4 GHz x64 with DEP/NX/SLAT (use systeminfo to verify Hyper-V Requirements). RAM: 512 MB for Server Core, 2 GB for Server with Desktop Experience; ECC strongly recommended on physical hardware. Disk: 32 GB base, +4 GB for GUI; RAM > 16 GB scales pagefile.sys / hiberfil.sys / dump files (powercfg -h off reclaims hibernation space on servers that do not need it). Network: 1 Gbps PCIe-compliant Ethernet. TPM: optional in general, required for BitLocker, UEFI Secure Boot measurement, Credential Guard, and VBS - TPM 2.0 standard on modern servers. Includes the practical-vs-documented-minimum comparison table - the documented numbers are install-floors, real production sizing is several times higher on every dimension.

Active Directory Logical Components and Partitions

Active Directory has both physical and logical components. The logical side is what shapes how identity actually works - which objects exist, which DCs replicate which data, where to look for a setting. This article covers the five core logical components (Schema, OUs, Forest, Domain, AD DS Database) and the four partitions inside the database (Schema, Configuration, Domain, Application = DomainDnsZones + ForestDnsZones). Walks ADSI Edit inspection of each: connect to the Configuration well-known naming context, drill to CN=Partitions for the self-description; connect to Schema for classSchema and attributeSchema objects; connect to Default naming context for the Domain partition (matches ADUC); type explicit DNs for DomainDnsZones and ForestDnsZones to see how AD-integrated DNS records are stored. Includes the replication-reach matrix (which partitions replicate forest-wide vs domain-only), the Global Catalog partial-attribute subset, the Computers/Users-are-containers-not-OUs gotcha (use redirusr/redircmp), and the schema-extension-is-permanent caveat.

Configure Advanced Audit Policies in Active Directory

Active Directory does not audit security-relevant events out of the box. The legacy 9-category basic audit policy is high-volume and low-resolution; the right tool for granular AD audit is Advanced Audit Policy Configuration with its ~60 subcategories. Walks the full pipeline: create a dedicated GPO, enable two representative subcategories (DS Access -> Audit Directory Service Changes, Object Access -> Audit File System) with Success+Failure, link the GPO to the Domain Controllers OU, force gpupdate, then verify by creating a Test GPO and confirming Event ID 5137 fires on the DC's security log with the matching GUID. Includes a reference table of useful event IDs (4624/4625 logon, 4720/4726/4738 account, 5136-5141 directory service, 4663 file system), the SCENoApplyLegacyAuditPolicy basic-vs-advanced split, the SACLs-required-for-File-System gotcha, the default-16MB-security-log gotcha, and pointers to Windows Event Forwarding and SIEM ingestion for handling volume.