Windows Server, Active Directory, and on-prem infrastructure
Configure your on-premises Active Directory UPNs before syncing to Office 365. Add an alternative UPN suffix in AD Domains and Trusts, then bulk-change every user's UPN with Get-ADForest / Set-ADForest and Get-ADUser / Set-ADUser - either across the whole forest or scoped to a single OU. Verification commands included.
How to read the current Active Directory forest functional level (FFL) and domain functional level (DFL), what each level unlocks, the pre-flight checklist before raising, and how to actually raise it with Set-ADForestMode / Set-ADDomainMode. Includes the schema-version-to-OS table, a decision flow for whether to raise, and the common pitfalls (forgotten DCs, Server 2019/2022 reporting Windows2016Forest, irreversibility).
Export AD users to CSV using the three-cmdlet pipeline (Get-ADUser, Select-Object, Export-Csv). Covers scope selection (-Filter, -SearchBase, -SearchScope), the computed-property pattern for columns like Manager-DN-to-name and clean OU paths, a reusable function with parameters, and common variations (disabled accounts, stale logons, group membership exports).
Drive Windows Update from a single PowerShell window using the PSWindowsUpdate module. Covers installing the module from the PowerShell Gallery, querying and installing updates on local and remote machines, looping over a hard-coded computer list, and patching every member of an Active Directory OU dynamically with Get-ADComputer -SearchBase.
Get-ADInfo.ps1 is a single PowerShell script that prints ten Active Directory facts in one output: computer/workstation/server/user/group counts, forest and domain functional levels, schema version translated to a Windows Server release name, and all five FSMO role owners. The right script to run before a migration, an audit, or a tier-zero handover.
Bulk-create AD users from a CSV in seconds instead of clicking the ADUC wizard for hours. Covers designing the CSV template, generating strong passwords, finding the target OU's distinguishedName, importing the file with Import-Csv, and the Add-NewUsers.ps1 script that splats parameters into New-ADUser with a duplicate check and try/catch error handling.
Audit and harden Active Directory against breached passwords using Lithnet Password Protection and the Have I Been Pwned compromised hash list. Covers installing Lithnet PP on a Domain Controller, syncing the HIBP store, running the Audit-Passwords.ps1 script to find pwned accounts, and configuring the GPO that rejects new pwned passwords on every set/change.
Step-by-step guide to backing up and restoring the Windows registry: open Registry Editor, choose File > Export, pick All or a single branch, save the .reg file, and restore later via File > Import or by right-clicking the .reg file and choosing Merge - including the Safe Mode workflow when Windows will not boot.
Three reliable ways to check FSMO role holders in Active Directory: the netdom query FSMO command, the Get-ADForest/Get-ADDomain PowerShell cmdlets (and the Get-ADInfo.ps1 script), and the GUI walkthrough across Active Directory Schema, Active Directory Domains and Trusts, and Active Directory Users and Computers.
Why downloaded PowerShell scripts trigger a 'not digitally signed' error and how to fix it. Covers the Mark of the Web (Zone.Identifier) NTFS alternate data stream, three fix options (GUI Unblock, Unblock-File cmdlet, -ExecutionPolicy Bypass), and the execution policy values you should and should not use.
Step-by-step guide to enabling the Active Directory Recycle Bin forest-wide using Active Directory Administrative Center. Covers prerequisites, the irreversible nature of the change, GUI and PowerShell verification, restoring deleted objects with Restore-ADObject, and follow-up hardening like Protect from accidental deletion.
Step-by-step walkthrough for adding a second Windows Server Domain Controller to an existing AD domain. Covers prerequisites, installing the AD DS role on the member server, promoting through the Configuration Wizard, replicating from the existing DC, cross-configuring DNS, and verifying replication health with repadmin /replsummary.
