Day-to-day OS-level tasks that aren't AD-specific: storage and FSRM, file screens, DFS, backup and restore, Windows Updates, firewall, RDP hardening, PowerShell scripting, and the post-install configuration that turns a fresh box into a server.
15 articles • follow them in order
Windows Server 2022 packs meaningful improvements in security, performance, and storage that justify attention from administrators still running 2019. Here's what actually matters for your environment.
PowerShell 7 (built on .NET 6+) is a genuine upgrade from Windows PowerShell 5.1. It's cross-platform, significantly faster for parallel workloads, and brings modern language features that make complex automation dramatically cleaner.
Learn how to configure DFS Namespaces and DFS Replication on Windows Server. This step-by-step guide covers installing DFS roles, creating a domain-based namespace, adding folder targets on multiple servers, configuring share permissions, and setting up a replication group to keep files synchronized automatically.
Learn how to configure File Screens using File Server Resource Manager (FSRM) on Windows Server. This step-by-step guide covers installing the FSRM role, understanding File Screens, File Screen Templates, and File Groups, creating a reusable template with Active or Passive screening, applying the screen to a specific folder, testing the block behavior, and modifying or deleting file screens. Includes best practices for rolling out screening policies without disrupting users.
A step-by-step post-installation checklist for Windows Server. Configure Server Manager, disable IE Enhanced Security, set a static IP, enable Remote Desktop, run Windows Update, and activate your server.
Why downloaded PowerShell scripts trigger a 'not digitally signed' error and how to fix it. Covers the Mark of the Web (Zone.Identifier) NTFS alternate data stream, three fix options (GUI Unblock, Unblock-File cmdlet, -ExecutionPolicy Bypass), and the execution policy values you should and should not use.
Step-by-step guide to backing up and restoring the Windows registry: open Registry Editor, choose File > Export, pick All or a single branch, save the .reg file, and restore later via File > Import or by right-clicking the .reg file and choosing Merge - including the Safe Mode workflow when Windows will not boot.
Drive Windows Update from a single PowerShell window using the PSWindowsUpdate module. Covers installing the module from the PowerShell Gallery, querying and installing updates on local and remote machines, looping over a hard-coded computer list, and patching every member of an Active Directory OU dynamically with Get-ADComputer -SearchBase.
How to install File Server Resource Manager, build a reusable quota template (e.g. 500 MB hard quota with an 85% warning threshold), apply it to a folder, and test that hard enforcement returns the same not-enough-space error a full disk would. Includes the New-FsrmQuotaTemplate / New-FsrmQuota PowerShell equivalents for scripting many folders, the NTFS-quotas-vs-FSRM-quotas trade-off, and 6 common pitfalls (auto-apply at the wrong root, hard quota on an already-over folder, missing SMTP, edited-quota-not-matching-template, permission errors masquerading as quota issues, SrmSvc stopped).
Re-enable Windows Defender Firewall on a Windows Server with one cmdlet per profile. Get-NetFirewallProfile reads the per-profile state (Domain / Private / Public); Set-NetFirewallProfile -Enabled True flips them all on at once. Covers the three profiles, the read-then-set-then-verify pattern, the rest of the per-profile properties (default actions, logging, notifications), per-rule operations (New-NetFirewallRule, Get-NetFirewallRule, Enable/Disable), and the common pitfalls (turned off for testing, disabled only one profile, GPO override, block-all-outbound footgun).
When you legitimately need to turn the host firewall off (debugging, lab, migration window) and how to do it cleanly with PowerShell. Get-NetFirewallProfile reads the per-profile state; Set-NetFirewallProfile -Enabled False flips them off; the same cmdlet with True flips them back. Includes the targeted-single-rule alternative (Disable-NetFirewallRule), a try/finally cleanup pattern, the schedule-a-forcing-function-to-re-enable pattern, and the common pitfalls (forgot to re-enable, wrong profile, GPO override, trusted-the-wrong-tool).
How to add a new disk to a Windows Server, bring it online, initialize it as GPT, create one or more volumes (NTFS / ReFS), and the design choices that decide whether the storage stays predictable or gets weird six months later. Walks the Hyper-V add-disk flow, the Server Manager bring-online + initialize + New Volume Wizard procedure, the NTFS vs ReFS trade-off (general purpose vs resilient / VM-host / backup), the PowerShell equivalent (Get-Disk / Initialize-Disk / New-Partition / Format-Volume), and 7 common pitfalls (MBR by accident, Disk Management on Storage Spaces, wrong file system, forgot Bring Online after reboot, drive-letter collision).
An orphaned SID is an ACL entry whose underlying user, group, or computer was deleted but the access control entry was left behind. They show up as raw S-1-5-21-... numbers on the Security tab of AD objects and clutter audit reports without breaking access control. This article ships a complete RemoveOrphanedSID-AD.ps1 PowerShell script that recursively walks AD objects, identifies ACEs whose IdentityReference is a domain-prefixed SID that no longer resolves, and either lists or removes them. Includes the two-pass workflow (list, then remove), the -WhatIf dry-run mode, the AD: PowerShell drive provider details, why RemoveAccessRuleSpecific is the right method, and the common pitfalls (running -Remove first, scoping to forest before testing on one OU, confusing this with file-system ACL cleanup).
MBR caps at 2 TB per disk and four primary partitions; GPT lifts both ceilings (9.4 ZB, 128 primary partitions). For data disks on a running Windows Server, the right tool is DiskGenius - free, online, three clicks per disk, no data movement, no reboot. This article walks the workflow: identify MBR disks with Get-Disk, convert with DiskGenius (right-click - Convert To GUID Partition Table - Save All - Yes), repeat for each disk, verify with Get-Disk, restart the server when the maintenance window allows. Includes why mbr2gpt.exe is the wrong tool for data disks (it is system-disk-only and requires WinPE), the gotchas (skipping Save All, converting from the wrong DAG node, BIOS-only servers and the system-disk constraint), and the difference between the in-place metadata-only conversion DiskGenius does and the copy-everything-over fresh-GPT-disk migration Microsoft suggests.
When a remote Windows box hangs and nobody is on site to power-cycle it, the fastest fix is Restart-Computer -ComputerName from your own PowerShell. The default refuses to kick logged-on users; the -Force switch overrides that. Verify with a continuous ping (ping -t) that walks the box through online -> timeout -> back-online states, or use the more PowerShell-native Test-Connection. The article also walks the longer-form alternative: full PowerShell Remoting via Enable-PSRemoting on the target, Enter-PSSession for interactive shells, Invoke-Command for single-shot fleet operations, and the TrustedHosts caveat for workgroup boxes. Includes the common pitfalls (forgetting -Force, expecting workgroup PSRemoting to work without TrustedHosts, restarting DCs without checking replication).
