Part 1 of this series covered the architecture and prerequisites — the cloud-versus-on-prem split, the proxy-as-egress design, the network ports, the licensing matrix, the FRS-versus-DFSR Sysvol gotcha. With those out…
Part 1 covered creating, applying, and managing snapshots. This post is the consolidation half — what happens when you delete a snapshot and the differencing-disk overlay has to be merged…
VHDX disks come in two allocation modes. Pre-allocated reserves the full configured size on the host filesystem at creation time; on-demand allocates space as the guest writes. Each has a…
Spinning up a Windows 11 VM through the Hyper-V Manager GUI works fine for one-off lab setups. For anything you might need to repeat — a fresh test environment for…
The third tab in the Create-Task dialog is the smallest of the five and the easiest to misconfigure in subtle ways. It defines what the task does when its trigger…
The PowerShell execution policy is the first thing that gets in the way of running a freshly downloaded script and the first thing every Windows administrator learns to bend. It…
How to install the DNS extension in Windows Admin Center and use it to manage a Windows DNS server — create forward and reverse lookup zones, add Host (A) and PTR records, and verify resolution from PowerShell.
How to install the Data Deduplication role on Windows Server 2022, configure the General Purpose File Server profile with weekday and weekend Throughput Optimization schedules, and verify savings with Get-DedupStatus.
Default Windows 10/11 PowerShell policy is Restricted - .ps1 files are blocked, only interactive commands run. The right way to change that fleet-wide is one GPO at Computer Configuration / Administrative Templates / Windows Components / Windows PowerShell / Turn on Script Execution. Walks the round trip end to end on Windows Server 2022 + a Win10 client: verify the default Restricted state, create the GPO and set RemoteSigned (Allow local scripts and remote signed scripts), link to a pilot Test Computers OU, gpupdate /force + reboot on the client, confirm Get-ExecutionPolicy now reports RemoteSigned, then flip the GPO to Disabled to demonstrate rollback (returns to Restricted). Includes the five execution policies (Restricted / AllSigned / RemoteSigned / Unrestricted / Bypass), Get-ExecutionPolicy -List interpretation (MachinePolicy beats everything when the GPO is in effect), and the six common pitfalls (computer-vs-user OU link, missed reboot, Unrestricted-as-default, Not-Configured-vs-Disabled rollback semantics, mixed user+computer policies, and the powershell.exe -ExecutionPolicy Bypass admin-bypass that means execution policy is a safety not a security boundary - pair with AppLocker or WDAC for real restriction).
The conceptual reference for Group Policy: what GPOs actually are, the difference between local and domain GPOs, the two built-in defaults (Default Domain Policy and Default Domain Controllers Policy) and why you should not modify them for general settings, the Computer-Configuration vs User-Configuration split, what GPOs can and cannot be linked to (sites/domains/OUs yes; individual user/computer accounts no), administrative templates (ADMX = engine, ADML = dashboard labels), GPO scope (link + Security Filtering + WMI Filtering + Item-Level Targeting for Preferences), and the LSDOU processing order with last-write semantics. Walks inheritance / Block Inheritance / Enforced precedence (Enforced beats Block), the GUI tools (gpmc.msc, gpedit.msc) and CLI tools (gpupdate, gpresult, LGPO.exe, the GroupPolicy PowerShell module), every GPO attribute (Name, GUID, Links, Security Filtering, WMI Filtering, Version Number, Enabled/Disabled state), and the Azure AD DS differences (no site links, no software deployment, predefined OUs, AAD DC Administrators group). Includes seven best practices and cross-links to the practical articles in the pathway.
Raising AD functional level is a one-way change that unlocks newer features (PAM at 2016 forest, Protected Users at 2012 R2 domain, AD Recycle Bin at 2008 R2 forest) and removes support for older Windows Server DCs. The wizard click is fast; the pre-flight is where rollout time lives. Walks the full end-to-end procedure: replication health checks (repadmin /replsummary, Get-ADReplicationFailure), DC OS-version inventory (Get-ADDomainController), raise each domain via Active Directory Domains and Trusts (right-click domain - Raise Domain Functional Level - pick target - Raise - confirm), then raise the forest (right-click root - Raise Forest Functional Level), verify both via Properties dialog and Get-ADForest / Get-ADDomain PowerShell, then post-raise housekeeping (repadmin /syncall, Restart-Service kdc on each DC). Includes the order-matters rule (every domain must be at the new level before the forest dropdown will offer it), the FRS-to-DFS-R prerequisite for 2016, the powered-off-DC trap, and the irreversibility caveats.
Functional levels are the rule book that controls what an Active Directory forest and the domains in it can do. They lock the minimum Windows Server version DCs can run, gate the features available across the directory, and shape every upgrade plan. Two attributes, two scopes - forest functional level (the floor for the whole forest) and domain functional level (per-domain, must be >= forest level). The current ceiling is Windows Server 2016; 2019 and 2022 DCs run at the 2016 level. Functional levels apply only to DCs - workstations and member servers can run any Windows version. Walks the theory: schema vs forest vs domain, the forest-beats-domain rule, the features unlocked at each level (DFS-R for SYSVOL at 2008, AD Recycle Bin at 2008 R2, gMSA at 2012, Protected Users at 2012 R2, PAM at 2016), the GUI check (Active Directory Domains and Trusts) and PowerShell check (Get-ADForest / Get-ADDomain), the FRS-to-DFS-R prerequisite for raising to 2016, and the four common misconceptions (functional level does NOT control client OS, does NOT speed up DCs, etc.).
