Active Directory’s permission model is so granular it’s effectively unusable to configure by hand. Every container, every object, every attribute can carry its own access control entries; combining the right…
Anyone who’s ever exposed RDP on a public IP and watched the Security log fill up within minutes already understands the threat model intuitively: every internet-facing RDP listener attracts continuous,…
Group Policy normally applies in a clean two-track way: Computer Configuration follows the computer wherever it goes, User Configuration follows the user wherever they sign in. That clean separation breaks…
Group Policy is the centralised configuration system that drives every domain-joined Windows endpoint — security baselines, drive maps, software restrictions, audit settings, the lot. The mechanics are well-documented; the design…
Three concrete AD delegation scenarios with the right ACL technique for each: targeted Deny ACEs to hide mobile and pager from a Hardware Support team, the schema confidential bit to restrict national-ID attributes to HR, and a volume-object ACL to make a published share invisible to everyone except Finance.
Use Windows Admin Center to toggle Remote Desktop on a Windows Server without first having to RDP in — enable RDP with NLA, then verify with the classic mstsc client and with WAC built-in in-browser Remote Desktop tool.
How to install the DNS extension in Windows Admin Center and use it to manage a Windows DNS server — create forward and reverse lookup zones, add Host (A) and PTR records, and verify resolution from PowerShell.
How to install the Active Directory extension in Windows Admin Center and use the browser console to manage AD objects on a Domain Controller — create an OU, create a user, create a Domain Local group, and confirm group membership.
A reference for the five essential ports (88, 389, 445, 53, RPC) that must traverse a firewall for Active Directory clients to authenticate, fetch Group Policy, and replicate — plus how to pin RPC to a fixed port.
When a remote Windows box hangs and nobody is on site to power-cycle it, the fastest fix is Restart-Computer -ComputerName from your own PowerShell. The default refuses to kick logged-on users; the -Force switch overrides that. Verify with a continuous ping (ping -t) that walks the box through online -> timeout -> back-online states, or use the more PowerShell-native Test-Connection. The article also walks the longer-form alternative: full PowerShell Remoting via Enable-PSRemoting on the target, Enter-PSSession for interactive shells, Invoke-Command for single-shot fleet operations, and the TrustedHosts caveat for workgroup boxes. Includes the common pitfalls (forgetting -Force, expecting workgroup PSRemoting to work without TrustedHosts, restarting DCs without checking replication).
MBR caps at 2 TB per disk and four primary partitions; GPT lifts both ceilings (9.4 ZB, 128 primary partitions). For data disks on a running Windows Server, the right tool is DiskGenius - free, online, three clicks per disk, no data movement, no reboot. This article walks the workflow: identify MBR disks with Get-Disk, convert with DiskGenius (right-click - Convert To GUID Partition Table - Save All - Yes), repeat for each disk, verify with Get-Disk, restart the server when the maintenance window allows. Includes why mbr2gpt.exe is the wrong tool for data disks (it is system-disk-only and requires WinPE), the gotchas (skipping Save All, converting from the wrong DAG node, BIOS-only servers and the system-disk constraint), and the difference between the in-place metadata-only conversion DiskGenius does and the copy-everything-over fresh-GPT-disk migration Microsoft suggests.
The Active Directory promotion wizard reaches Creating the NTDS Settings object and never advances. The Directory Service log on the candidate fills with events 1963 / 1962 / 1125. The cause is almost always one of two things: a credential mismatch (local Administrator password matches the domain Administrator password, or the wizard credential was supplied without a domain qualifier) or stale residue from a prior failed promotion. This article walks the five-step path: prerequisite check, fix the two credential mistakes, four-step residue cleanup (reboot, delete computer object, force-leave domain, uninstall AD DS role), retry the promotion, and only then chase the deeper network and DNS causes. Includes the LDAP port 389 sweep, SRV-record verification, and replication health check on the existing DC.
