Tag: Domain Controller

Configure Advanced Audit Policies in Active Directory

Active Directory does not audit directory changes at a useful granularity out of the box. The legacy 9-category basic audit policy is high-volume and low-resolution; the right tool for granular AD audit is Advanced Audit Policy Configuration with its roughly 60 subcategories. The article walks the full pipeline: create a dedicated GPO, enable two representative subcategories (DS Access -> Audit Directory Service Changes, Object Access -> Audit File System) for Success and Failure, link the GPO to the Domain Controllers OU, force gpupdate, then verify by creating a test GPO and confirming Event ID 5137 (directory service object created) lands in the DC's Security log with the new GPO's GUID in the object DN. Includes a reference table of useful event IDs (4624/4625 logon, 4720/4726/4738 account management, 5136-5141 directory service, 4663 file system), the SCENoApplyLegacyAuditPolicy basic-vs-advanced split, the SACLs-required-for-File-System gotcha (Audit File System produces nothing until a SACL names the objects to watch), the default-16MB-security-log gotcha, and pointers to Windows Event Forwarding and SIEM ingestion for handling volume.
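The verification half of that pipeline, compressed into one PowerShell run on a DC. This is an added example, not the article's own script: it enables the two subcategories locally with auditpol (a GPO-delivered policy overrides this on the next refresh, so treat it as the local check), confirms the SCENoApplyLegacyAuditPolicy split, raises the Security log ceiling, creates a test GPO against this DC and looks for the 5137 that names its GUID. The GPO name 'Audit-Verify-Test' and the 1 GiB log size are placeholders; the GroupPolicy and ActiveDirectory modules (RSAT) are assumed.

```powershell
# Added example, not from the article. Run elevated on the DC whose Security log you will read.
Import-Module GroupPolicy, ActiveDirectory

# 1. Local enablement of the two representative subcategories (Success and Failure).
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
auditpol /set /subcategory:"File System"               /success:enable /failure:enable
auditpol /get /subcategory:"Directory Service Changes"
auditpol /get /subcategory:"File System"

# 2. Advanced policy only sticks if the legacy categories are told to stand down.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is not 1: basic category settings can still overwrite the subcategories.'
}

# 3. A 16 MB Security log wraps in minutes once DS Changes is on; raise the ceiling (placeholder: 1 GiB).
wevtutil sl Security /ms:1073741824

# 4. Trigger a directory write on THIS DC (-Server) so the 5137 lands in the local log, then find it by GUID.
$since = Get-Date
$gpo   = New-GPO -Name 'Audit-Verify-Test' -Comment 'temporary, created to verify event 5137' -Server $env:COMPUTERNAME
Start-Sleep -Seconds 5

$hits = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5137; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object {
        $x  = [xml]$_.ToXml()
        $dn = ($x.Event.EventData.Data | Where-Object Name -eq 'ObjectDN').'#text'
        $dn -like "*{$($gpo.Id)}*"     # groupPolicyContainer DN is CN={GUID},CN=Policies,CN=System,...
    }

if ($hits) { "5137 logged for GPO {$($gpo.Id)} at $($hits[0].TimeCreated)" }
else       { Write-Warning 'No 5137 carrying the GPO GUID: run gpupdate /force and check the SACL on CN=Policies.' }

# 5. Remove the test object; this write produces a 5141 (object deleted) you can check the same way.
Remove-GPO -Guid $gpo.Id -Server $env:COMPUTERNAME
```

The GUID match is done on the ObjectDN field of the event XML rather than on the rendered message, because the message layout changes between Windows versions while the EventData field names do not.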

Raise Active Directory Domain and Forest Functional Level

Raising the AD functional level is effectively a one-way change (Set-ADDomainMode / Set-ADForestMode can step back down only to 2008 or later and only while no forest-wide optional feature such as the AD Recycle Bin is enabled) that unlocks newer features (PAM at 2016 forest, Protected Users at 2012 R2 domain, AD Recycle Bin at 2008 R2 forest) and removes support for older Windows Server DCs. The wizard click is fast; the pre-flight is where rollout time lives. The article walks the full end-to-end procedure: replication health checks (repadmin /replsummary, Get-ADReplicationFailure), DC OS-version inventory (Get-ADDomainController), raise each domain via Active Directory Domains and Trusts (right-click domain - Raise Domain Functional Level - pick target - Raise - confirm), then raise the forest (right-click root - Raise Forest Functional Level), verify both via the Properties dialog and Get-ADForest / Get-ADDomain in PowerShell, then post-raise housekeeping (repadmin /syncall, Restart-Service kdc on each DC). Includes the order-matters rule (every domain must be at the new level before the forest dropdown will offer it), the FRS-to-DFS-R prerequisite for 2016, the powered-off-DC trap, and the irreversibility caveats.
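The same procedure as one scripted pre-flight and raise to 2016, added here as an example and not the article's GUI walkthrough. It refuses to proceed on a too-old DC, on any replication failure, or while SYSVOL is still on FRS, raises every domain before the forest, and finishes with the housekeeping steps. It assumes an Enterprise Admin session on a DC, the ActiveDirectory module, PowerShell remoting to every DC, and that dfsrmig is present (it ships with the DFS-R migration tooling on DCs).

```powershell
# Added example, not the article's procedure. Target level: Windows Server 2016.
Import-Module ActiveDirectory
$forest = Get-ADForest

# 1. Inventory: a single DC below the target OS, or one that is powered off, blocks the raise.
$dcs = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }
$dcs | Select-Object Name, Domain, OperatingSystem, IsReadOnly | Format-Table -AutoSize
$tooOld = $dcs | Where-Object { $_.OperatingSystem -match 'Windows Server (2003|2008|2012)' }
if ($tooOld) { throw "DCs below Windows Server 2016 found: $($tooOld.Name -join ', ')" }

# 2. Replication health across the forest; msDS-Behavior-Version must reach every DC.
$fail = Get-ADReplicationFailure -Target $forest.Name -Scope Forest
if ($fail) { $fail | Format-Table Server, Partner, FailureType, LastError; throw 'Fix replication before raising.' }

# 3. SYSVOL must already be on DFS-R ('Eliminated' is the final migration state).
$state = (dfsrmig /getglobalstate) -join ' '
if ($state -notmatch 'Eliminated') { throw "SYSVOL is not in the Eliminated DFS-R state: $state" }

# 4. Every domain first; the forest raise is refused until all of them are at the target.
foreach ($d in $forest.Domains) {
    if ((Get-ADDomain -Identity $d).DomainMode -ne 'Windows2016Domain') {
        Set-ADDomainMode -Identity $d -DomainMode Windows2016Domain -Confirm:$false
    }
}

# 5. Then the forest.
if ($forest.ForestMode -ne 'Windows2016Forest') {
    Set-ADForestMode -Identity $forest.Name -ForestMode Windows2016Forest -Confirm:$false
}

# 6. Verify, push the change to every DC, and restart the KDC so level-gated Kerberos behaviour takes effect.
"Forest: $((Get-ADForest).ForestMode)"
foreach ($d in $forest.Domains) { "Domain $d : $((Get-ADDomain -Identity $d).DomainMode)" }
repadmin /syncall /A /e /P
foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc.HostName -ScriptBlock { Restart-Service kdc }
}
```

The OS-version regex deliberately matches "2012 R2" and "2008 R2" as well as the base releases, since all of them are below the target; adjust it if you are raising to a different level.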

Forest and Domain Functional Levels in Active Directory: Theory

Functional levels are the rule book that controls what an Active Directory forest and the domains in it can do. They set the minimum Windows Server version DCs can run, gate the features available across the directory, and shape every upgrade plan. Two attributes, two scopes - forest functional level (the floor for the whole forest) and domain functional level (per-domain, must be >= forest level). Windows Server 2019 and 2022 introduced no new level, so their DCs run at the 2016 level; 2016 remained the ceiling until Windows Server 2025 added a level of its own. Functional levels apply only to DCs - workstations and member servers can run any Windows version. The article walks the theory: schema vs forest vs domain, the forest-beats-domain rule, the features unlocked at each level (DFS-R for SYSVOL at 2008, AD Recycle Bin at 2008 R2, gMSA at 2012 - strictly a 2012-schema-plus-one-2012-DC requirement rather than a functional-level gate, Protected Users at 2012 R2, PAM at 2016), the GUI check (Active Directory Domains and Trusts) and PowerShell check (Get-ADForest / Get-ADDomain), the FRS-to-DFS-R prerequisite for raising to 2016, and the four common misconceptions (functional level does NOT control client OS, does NOT speed up DCs, etc.).
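The two attributes behind the two scopes, read directly rather than through the friendly names, plus the list of optional features and the level each one is gated behind. This is an added example (not the article's check) and assumes the ActiveDirectory module on a domain-joined machine. The msDS-Behavior-Version to level mapping is the documented one (7 = 2016, 10 = Windows Server 2025; 8 and 9 were never assigned).

```powershell
# Added example, not from the article. Reads msDS-Behavior-Version where it is actually stored.
Import-Module ActiveDirectory
$forest = Get-ADForest
$root   = Get-ADRootDSE

$levelNames = @{ 0 = '2000'; 1 = '2003 Interim'; 2 = '2003'; 3 = '2008'; 4 = '2008 R2'
                 5 = '2012'; 6 = '2012 R2'; 7 = '2016'; 10 = '2025' }

# Forest level lives on CN=Partitions in the configuration partition.
$forestRaw = [int](Get-ADObject "CN=Partitions,$($root.configurationNamingContext)" `
                  -Properties 'msDS-Behavior-Version').'msDS-Behavior-Version'
"Forest : $($forest.ForestMode)  (msDS-Behavior-Version=$forestRaw -> $($levelNames[$forestRaw]))"

# Domain level lives on each domain head; it can never be below the forest level.
foreach ($d in $forest.Domains) {
    $dom = Get-ADDomain -Identity $d
    $raw = [int](Get-ADObject $dom.DistinguishedName -Server $d -Properties 'msDS-Behavior-Version').'msDS-Behavior-Version'
    "Domain : $d -> $($dom.DomainMode)  (msDS-Behavior-Version=$raw -> $($levelNames[$raw]))"
    if ($raw -lt $forestRaw) { Write-Warning "$d reports a level below the forest; replication is lying or broken." }
}

# Optional features (Recycle Bin, PAM) carry their own RequiredForestMode / RequiredDomainMode;
# EnabledScopes is empty until someone runs Enable-ADOptionalFeature.
Get-ADOptionalFeature -Filter * |
    Select-Object Name, RequiredForestMode, RequiredDomainMode, @{ n = 'Enabled'; e = { [bool]$_.EnabledScopes } } |
    Format-Table -AutoSize
```

Reading the raw attribute is the quickest way to spot the forest-beats-domain rule in action: the number on CN=Partitions is the floor, and every domain head must show that number or higher.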

Reset the Directory Services Restore Mode (DSRM) Password

The DSRM password is the local-Administrator credential a domain controller uses when AD is offline - the only account that works during authoritative restores, ntds.dit corruption recovery, or last-DC rebuilds. Forgetting it means none of those recoveries work when you actually need them. This article walks the full reset + verify cycle on a real DC: rotate the password with ntdsutil (set dsrm password / reset password on server null - takes one minute, no reboot, no downtime), then prove the new credential works by rebooting into DSRM via F8 or 'bcdedit /set safeboot dsrepair', signing in as .\administrator with the new password, observing the directory is offline (NTDS / Intersite Messaging / DFSR / KDC stopped, dsa.msc red-crossed), then rebooting back to normal with 'bcdedit /deletevalue safeboot'. Includes the multi-DC rotation pattern, the local-admin-vs-DSRM-vs-domain-admin distinction, and why storing the DSRM password in an AD-integrated vault is a circular dependency.
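A scripted version of the multi-DC rotation, added here as an example rather than the article's interactive ntdsutil session. Because 'reset password on server null' prompts on the console, the non-interactive route is ntdsutil's 'sync from domain account' option, which copies a throwaway domain user's password into DSRM; the script runs it on every writable DC, confirms each DC logged Security event 4794 (DSRM administrator password set), and then disables the throwaway account so the recovery credential no longer doubles as a live domain logon. It assumes a Domain Admin session with PowerShell remoting to all DCs, a domain user named dsrm-sync (placeholder) created moments earlier with the new DSRM password, and User Account Management auditing enabled on the DCs (it is in the Default Domain Controllers Policy).

```powershell
# Added example, not from the article. Swapped-in technique: ntdsutil 'sync from domain account'.
Import-Module ActiveDirectory
$syncAccount = 'dsrm-sync'   # placeholder: throwaway user whose CURRENT password becomes the DSRM password
$dcs = Get-ADDomainController -Filter { IsReadOnly -eq $false } | Select-Object -ExpandProperty HostName

$results = foreach ($dc in $dcs) {
    $since = (Get-Date).AddMinutes(-1)

    # ntdsutil echoes its own transcript; success ends with 'Password has been synchronized successfully'.
    $out = Invoke-Command -ComputerName $dc -ArgumentList $syncAccount -ScriptBlock {
        param($acct)
        ntdsutil "set dsrm password" "sync from domain account $acct" q q 2>&1 | Out-String
    }

    # Event 4794 is the DC's own record that the DSRM password was set.
    $evt = Invoke-Command -ComputerName $dc -ArgumentList $since -ScriptBlock {
        param($t)
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4794; StartTime = $t } -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        DC        = $dc
        Synced    = [bool]($out -match 'synchronized successfully')
        Event4794 = [bool]$evt
    }
}
$results | Format-Table -AutoSize
if ($results | Where-Object { -not ($_.Synced -and $_.Event4794) }) {
    Write-Warning 'At least one DC did not confirm the rotation; re-run ntdsutil there interactively.'
}

# The DSRM password is now a copy of dsrm-sync's password: retire the account so the two diverge.
Disable-ADAccount -Identity $syncAccount

# Proving the credential still means a DSRM boot on one DC (that DC is down for the duration):
#   bcdedit /set safeboot dsrepair ; Restart-Computer     # boot to DSRM, sign in as .\administrator
#   bcdedit /deletevalue safeboot  ; Restart-Computer     # back to normal operation
```

Record the new DSRM password somewhere that does not depend on the domain being up; a vault whose login is AD-integrated is exactly the circular dependency the article warns about.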

Troubleshoot AD Promotion Stuck at “Creating the NTDS Settings Object”

The Active Directory promotion wizard reaches Creating the NTDS Settings object and never advances. The Directory Service log on the candidate fills with events 1963 / 1962 / 1125. The cause is almost always one of two things: a credential mismatch (local Administrator password matches the domain Administrator password, or the wizard credential was supplied without a domain qualifier) or stale residue from a prior failed promotion. This article walks the five-step path: prerequisite check, fix the two credential mistakes, four-step residue cleanup (reboot, delete computer object, force-leave domain, uninstall AD DS role), retry the promotion, and only then chase the deeper network and DNS causes. Includes the LDAP port 389 sweep, SRV-record verification, and replication health check on the existing DC.
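The prerequisite half of that path, run on the candidate before a retry, as an added PowerShell example (not the article's steps verbatim). It rejects a credential without a domain qualifier, sweeps LDAP port 389 on every DC the SRV records advertise, checks replication on the existing DC, runs the built-in prerequisite test, and leaves the residue-cleanup commands commented out for the case where the candidate is the failed one. Placeholders: corp.example as the domain and DC01 as the existing DC; the ADDSDeployment, ActiveDirectory and DnsClient modules are assumed.

```powershell
# Added example, not from the article. Run elevated on the promotion candidate.
$domain     = 'corp.example'          # placeholder
$existingDc = 'DC01.corp.example'     # placeholder: a healthy existing DC

# 1. Credential mistake #2: an unqualified user name is resolved against the local SAM, not the domain.
$cred = Get-Credential -Message 'Domain Admin credential as DOMAIN\user or user@domain'
if ($cred.UserName -notmatch '^[^\\]+\\[^\\]+$|@') {
    throw "Credential '$($cred.UserName)' carries no domain qualifier"
}

# 2. LDAP port 389 sweep over the DCs that SRV records actually advertise.
$srv = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$domain" -ErrorAction Stop |
       Where-Object Type -eq 'SRV'
foreach ($r in $srv) {
    $t = Test-NetConnection -ComputerName $r.NameTarget -Port 389 -WarningAction SilentlyContinue
    '{0,-32} LDAP/389 {1}' -f $r.NameTarget, $(if ($t.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}

# 3. Replication health on the existing DC before adding another partner to it.
repadmin /replsummary $existingDc

# 4. Built-in prerequisite check: anything it flags will stall the wizard again at the NTDS Settings step.
Import-Module ADDSDeployment
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password for the new DC'
$pre  = Test-ADDSDomainControllerInstallation -DomainName $domain -Credential $cred `
            -SafeModeAdministratorPassword $dsrm -InstallDns -NoRebootOnCompletion
$pre.Message
if ($pre.Status -ne 'Success') { throw 'Prerequisites failed; fix them before retrying the promotion.' }

# 5. Residue cleanup from the earlier failed attempt, in the article's order after the reboot:
#    delete the stale computer object, force-leave the domain, remove the role (with reboot).
#    Uncomment only once you are certain this machine is the failed candidate and not a live DC.
# Remove-ADComputer -Identity $env:COMPUTERNAME -Server $existingDc -Credential $cred -Confirm:$false
# Remove-Computer  -UnjoinDomainCredential $cred -WorkgroupName WORKGROUP -Force
# Uninstall-WindowsFeature AD-Domain-Services -IncludeManagementTools -Restart
```

Credential mistake #1 (the local Administrator password equal to the domain Administrator password) is not detectable from a script; change the local one before the retry and the ambiguity disappears.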

Troubleshoot On-Premise Active Directory (DNS Edition)

The three most common AD-DNS failure modes and how to fix each: clients pointing at the wrong DNS server (a DC should list a peer DC first and the loopback address second, never only its own IP); the AD-integrated zone gone missing (recreate as Primary AD-integrated, restart Netlogon to re-register SRV records, verify with dcdiag /test:dns); and inter-DC replication broken (repadmin /replsummary, /showrepl, /syncall /A /e /P, plus time skew and firewall checks). Includes the four-tool diagnostic kit (nslookup SRV / dcdiag / repadmin / Event Viewer Directory Service) and 7 common pitfalls.
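All three fixes and the diagnostic kit as one PowerShell run on a DC, added as an example rather than the article's text: set the DNS client order to peer-then-loopback on the adapter that carries the default route, check that the domain zone exists and is AD-integrated, re-register SRV records, measure time skew against the PDC emulator, then run the four tools. Placeholders: 10.0.0.11 as the peer DC and corp.example as the domain; the DnsServer, DnsClient and ActiveDirectory modules are assumed.

```powershell
# Added example, not from the article. Run elevated on the DC being repaired.
Import-Module ActiveDirectory
$domain = 'corp.example'   # placeholder
$peerDc = '10.0.0.11'      # placeholder: IP of a healthy peer DC

# 1. DNS client order: peer DC first, loopback second, on the adapter with the default route.
$ifIndex = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
            Sort-Object RouteMetric | Select-Object -First 1).InterfaceIndex
Set-DnsClientServerAddress -InterfaceIndex $ifIndex -ServerAddresses @($peerDc, '127.0.0.1')
Get-DnsClientServerAddress -InterfaceIndex $ifIndex -AddressFamily IPv4

# 2. Zone present and AD-integrated? (Recreation is a deliberate manual step, so only report.)
$zone = Get-DnsServerZone -Name $domain -ErrorAction SilentlyContinue
if (-not $zone) {
    Write-Warning "Zone $domain is missing. Recreate it AD-integrated: Add-DnsServerPrimaryZone -Name $domain -ReplicationScope Domain"
} elseif (-not $zone.IsDsIntegrated) {
    Write-Warning "Zone $domain is file-backed; other DCs will not replicate it."
}

# 3. Re-register this DC's SRV and host records.
Restart-Service Netlogon
ipconfig /registerdns | Out-Null

# 4. Time skew against the PDC emulator; Kerberos rejects tickets beyond 5 minutes of drift.
$pdc = (Get-ADDomain -Identity $domain).PDCEmulator
w32tm /stripchart /computer:$pdc /samples:1 /dataonly

# 5. The diagnostic kit.
Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$domain"
dcdiag /test:dns /v
repadmin /replsummary
repadmin /showrepl
nltest /dsgetdc:$domain /force
Get-WinEvent -LogName 'Directory Service' -MaxEvents 20 | Select-Object TimeCreated, Id, LevelDisplayName, Message
```

If step 5 still shows no SRV records after Netlogon restarts, the zone either does not allow dynamic updates or the DC is registering into a zone on a different server; both show up in the Directory Service and DNS Server logs.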

Clean Up Stale DNS Records with PowerShell

One PowerShell script that walks every Primary forward zone on a DNS server and removes every record (A, NS, SRV, CNAME, PTR) that names or points at a demoted host - in one pass. Covers why scavenging alone doesn't catch them, the manual DNS Manager review (zone Properties Name Servers, DomainDnsZones host records, _msdcs SRV records under sites), the full Remove-DNSRecords.ps1 with -WhatIf-first usage, the trailing-dot trap on SRV/NS data, verification with Resolve-DnsName + dcdiag /test:dns, and 7 common pitfalls (skipped -WhatIf, missed trailing dot, non-Primary zones, reverse zones, scavenging assumptions, downstream-DNS confusion, client caches).
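A stale-record sweeper written for this listing as an added example; it is not the article's Remove-DNSRecords.ps1. It walks every Primary zone (forward by default, reverse on request), matches a demoted host by its own name, by the name in NS/SRV/CNAME/PTR data with the trailing dot stripped, and optionally by IPv4 address so the DomainDnsZones-style A records that carry only the DC's IP are caught too. -WhatIf flows through to Remove-DnsServerResourceRecord, so the dry run lists exactly what a real run would delete. Placeholders: dc03.corp.example and 10.0.0.13.

```powershell
# Added example, not the article's script. Dry-run first, then rerun without -WhatIf.
function Remove-StaleHostRecords {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$HostFqdn,        # demoted host, e.g. dc03.corp.example
        [ipaddress]$IPv4,                               # optional: also match A records by address
        [string]$DnsServer = $env:COMPUTERNAME,
        [switch]$IncludeReverseZones
    )
    # Trailing-dot trap: SRV/NS/CNAME/PTR data is stored as 'dc03.corp.example.'; compare normalised.
    $target = $HostFqdn.TrimEnd('.').ToLowerInvariant()

    $zones = Get-DnsServerZone -ComputerName $DnsServer | Where-Object {
        $_.ZoneType -eq 'Primary' -and ($IncludeReverseZones -or -not $_.IsReverseLookupZone)
    }

    foreach ($z in $zones) {
        foreach ($r in Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $z.ZoneName) {
            # Name the record points AT (its data), per type.
            $data = switch ($r.RecordType) {
                'NS'    { $r.RecordData.NameServer }
                'SRV'   { $r.RecordData.DomainName }
                'CNAME' { $r.RecordData.HostNameAlias }
                'PTR'   { $r.RecordData.PtrDomainName }
                default { $null }
            }
            $dataHit = $data -and ($data.TrimEnd('.').ToLowerInvariant() -eq $target)

            # Name the record IS (owner name joined to the zone), only meaningful for A records.
            $owner = if ($r.HostName -eq '@') { $z.ZoneName } else { "$($r.HostName).$($z.ZoneName)" }
            $nameHit = $r.RecordType -eq 'A' -and $owner.ToLowerInvariant() -eq $target

            # A records that carry the old IP under another name (DomainDnsZones, ForestDnsZones, gc._msdcs).
            $ipHit = $IPv4 -and $r.RecordType -eq 'A' -and $r.RecordData.IPv4Address -eq $IPv4

            if (-not ($dataHit -or $nameHit -or $ipHit)) { continue }

            $desc = '{0} {1} -> {2} in zone {3}' -f $r.RecordType, $r.HostName,
                     $(if ($data) { $data } else { $r.RecordData.IPv4Address }), $z.ZoneName
            if ($PSCmdlet.ShouldProcess($desc, 'Remove DNS record')) {
                $r | Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $z.ZoneName -Force
            }
        }
    }
}

# Usage: list first, delete second. Placeholders for host and IP.
Remove-StaleHostRecords -HostFqdn 'dc03.corp.example' -IPv4 10.0.0.13 -IncludeReverseZones -WhatIf
# Remove-StaleHostRecords -HostFqdn 'dc03.corp.example' -IPv4 10.0.0.13 -IncludeReverseZones -Confirm:$false
```

ConfirmImpact is set to High on purpose: without -WhatIf or -Confirm:$false the function prompts per record, which is the behaviour you want on a server that also hosts zones for hosts that merely resemble the demoted one. Downstream secondary servers and client caches still hold the old answers until their TTLs expire, so verify with Resolve-DnsName against the authoritative server, not a resolver.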