


Microsoft Azure is a cloud computing platform and infrastructure for building, deploying and managing applications and services through datacenters. It provides both platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS) services and supports many different programming languages, tools and frameworks, including both Microsoft-specific and third-party software and systems. Cloud Services is a PaaS environment and can be used to create scalable applications and services; there are specific software development kits (SDKs) provided by Microsoft for Python, Java, Node.js and .NET. Azure also has file and storage services, data management, analytics and DNS services.


I want to implement Azure Information Protection policy (AIP) on on-premise Windows servers, for example SQL Server, where very important files are sitting.

We have Active Directory, and user accounts are synced through AAD Sync to Office 365; our user mailboxes are in Office 365.

We have an ADFS server in place and have SSO configured.

We don't have an on-premise Exchange server.

Are there any steps to do in Azure AD, or any good article which can help me implement the policy?

AD Azure connect is syncing the local AD and Azure. All mailboxes have been migrated. My understanding is that we have to purchase as many CALs as the number of mailboxes we have, no matter where the mailboxes are stored (on premise or Office 365). As we no longer run anything on the on-premise Exchange, I would have liked to decommission the server.

But it looks like we need to run at least one on-premise Exchange to keep syncing some attributes.

Workaround is not supported by Microsoft.  

Is there something we could think of to get rid of the on premise Exchange?  

I'm trying to troubleshoot account locks using Microsoft ALTools. I've downloaded it, extracted it, copied "acctinfo.dll" to the SYSWOW64 folder on the DC, and registered it, but I don't see the "Additional Account Info" in users' properties. Is there something I'm missing? Is there a better tool to use?

Hi,
I have set up two virtual machines (computer names: W2016DC & W2016TS) running the Windows Server 2016 OS, and both VMs have static IP addresses assigned.
I installed the "Active Directory", "DNS" and "DHCP" roles in the W2016DC VM.
When I try to join W2016TS to the domain controller, it fails to find W2016DC. For troubleshooting, I did the following:
 (1) From W2016TS, I run "\\W2016DC" in Explorer and it shows default shared folders. I can ping W2016DC. But it fails to run the "_ldap._tcp.dc._msdcs.kn.local" command.
 (2) From W2016DC, I can ping W2016TS and can run the NSLOOKUP command - "_ldap._tcp.dc._msdcs.kn.local" - successfully. It runs DNS Manager.

What can I check?
We have Windows Server 2016 Standard and have it set up correctly; however, all the users except for one are getting this message when they try to RDP into the server:

“To sign in remotely, you need the right to sign in through Remote Desktop Services. By default members of the Administrators group have this right. If the group you’re in does not have the right, or  if the right has been removed from the Administrators group, you need to be granted the right manually.”

They are added to the Remote Desktop group. Even the default Administrator cannot RDP in locally or remotely.

Can anyone help me with what is going on?

Having some issue with Azure AD Sync.
I was playing around with a user that was currently synced.

I moved him to an OU that wasn't synced; in Office365 he got deleted.
I then restored the account in Office365; now he's "In-Cloud".
I moved him back to the correct OU and initialized a "Start-AdSyncSyncCycle -PolicyType Initial"

However, he does not get synced, and as of right now he cannot set up an Outlook profile or log in to Skype for Business.
Any ideas what I can do?

I want to be able to sync this user.
I want him to be able to log in to Skype for Business and Outlook.
OWA works without any problems.

Error message when signing into Skype:
You can’t sign in to Skype for Business Online because the certificate can’t be acquired or validated

In Azure we have a lot of dev VMs in a Pay-As-You-Go Dev/Test subscription. Is there a way to schedule a shutdown or start for all servers in that subscription?

Like shutdown all at 5pm and start all at 7am.


In Azure, where can we assign or reserve an IP to a VM?


I check on my Windows 2012 server and see an application called: "Host Agent Configuration". In details properties for product name it says: "Microsoft Azure Site Recovery"

What is that?

Hi,
I am trying to set up Remote Access in Windows Server 2016 Essentials and it is asking for an SSL certificate.
(1) Is buying a certificate a must to set up remote access in Server 2016 Essentials?
When I set up Remote Desktop Access in SBS2011, I used a server-generated certificate which does not cost any money.
(2) If I am going to set up Remote Desktop Access in Server 2016 Standard, do I also need to purchase an SSL certificate? No server-generated certificate available anymore?


Quick Backup of windows 2016 hyper-v server.

Can I just shut down the Hyper-V server, then copy the vhdx file to a USB?
What does the double percentages before the numbers mean? "%%3%%8%%9.CRL"

CERTUTIL -SETREG CA\CRLPUBLICATIONURLS "1:%WINDIR%\SYSTEM32\CERTSRV\CERTENROLL\%%3%%8%%9.CRL\N2:http://pki.ECHOs.com/certenroll/%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=PublicKEY SERVICES,CN=SERVICES,%%6%%10"
Is Office 365 Exchange a separate service from Enterprise Mobility + Security?

Also, I need 6 years' worth of successful and unsuccessful logins for HIPAA compliance. Where do I set that up and/or review those logs? Feel free to suggest any other compliance-related features that should be enabled.

Finally, anyone familiar with MDM and setting up the equivalent to GPOs for profile setup?   I would like a tutorial link on this.


I am trying to reset the local admin password for Windows Server 2K16. The only account that has access to the desktop is a basic user account so I am unable to make any changes in the GUI (lusrmgr.msc). I tried to boot to the windows recovery prompt but I can not seem to find the drive with the local os installed. Below are the following drives that I can see in recovery cmd:


How can I get C, or the hdd with the actual os to show? I do have a \windows\system32 folder in X but there is no utilman.exe file. This is a VMWare box if that helps

Thanks in advance!
After reading a bit more about AAD, I want to renew my question as I didn't get any responses anymore in my earlier post.

Our company is working on a web application that holds privacy-sensitive data.
Therefore we're looking for an appropriate way to secure the login to it.

Our product aims at about 500 users, which are customers, not users within or related to our company.
We only need to provide them a secure access to the website we're creating for them. That's all, no sharing or interacting with them.

However, our users are known to us. They are employees of a variety of completely different companies, with no link to each other. For some bigger companies a few employees will get a login, for smaller companies only one user will get a login.

If bigger companies would have their own tenant, the application should be coupled to their tenant. For all small companies without one, we would create one basic aggregated tenant.

My questions are related to the license fees:
- Would this be B2C functionality?
If so, am I right that the costs would only be €0.026 per authentication (because we want MFA enabled)?
This is based on this page: https://azure.microsoft.com/en-us/pricing/details/active-directory-b2c/
Or do these costs come on top of another Azure license that I'm not aware of?

- If not, I reckon the costs would come from this page: https://azure.microsoft.com/nl-nl/pricing/details/active-directory/
And then the costs for 500 users including MFA would…
Hello, I am trying to configure SSO between Azure AD and Gsuite. Here is what I have done:

added a custom domain in azure ad
added a user with the custom domain upn sufix
added the enterprise application Gsuite and configured the sso settings
I have configured gsuite for third party sso and uploaded a certificate from azure

The problem I am having is that when I sign into a test account (gmail) I am redirected to the Microsoft login from Gsuite. I type in my username and password and I am authenticated; I am then presented with this message:

 Request Id: 5106ce80-8b8b-4986-bcaf-482a67693b00
Correlation Id: 8f275842-ee87-4df5-8bad-095c79eabfaf
Timestamp: 2018-11-08T21:39:53Z
Message: AADSTS65005: Misconfigured application. This could be due to one of the following: The client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration. Or, The admin has not consented in the tenant. Or, Check the application identifier in the request to ensure it matches the configured client application identifier. Please contact your admin to fix the configuration or consent on behalf of the tenant. Client app ID: 01303a13-8322-4e06-bee5-80d612907131.
Advanced diagnostics: Disable
If you plan on getting support for an issue, turn this on and try to reproduce the error. This will collect additional information that will help troubleshoot the issue.

Any help is appreciated
Thanks in advance to all experts for your time and insights.
Issue: We had two 2008R2 Domain Controllers (AD FFL/DFL is 2008R2) that both acted as GC, DNS... I replaced one of them (DC2 - secondary DNS) with a new 2016 DC (using same name and IP, but DNS was cleaned properly and demotion of old one and promotion of new one worked flawlessly). All DNS records replicated between the remaining DC1 2008R2 and the new DC2 2016 and I do not see any replication or DNS issues in the Event logs. I now started the process of testing to replace the last 2008R2 DC (DC1) and part of the test was to turn off the existing 2008R2 DC1 and run the entire domain off the new 2016 DC2 which has all the FSMO roles on it. Everything seemed to work fine, but we experienced issues with Outlook seeing the Exchange servers as well as several application servers having issues with client application software (on W7 workstations) connecting to them. Pinging servers by name and IP worked fine, but nslookup kept insisting that it queries the DC1 which was off. So I removed the DC1 from the static network card DNS settings on the Exchange servers and Outlook managed to connect right away. I changed the priority of the DNS servers on the DNS list (network card) on the application servers and as soon as I did that everything worked. I realize this was a DNS issue and know that it might take 15 min + before the workstations try for the secondary DNS server, but I am also wondering how to overcome the problem …
I am in the process of upgrading all DCs from 2008R2 to Server 2016.
On my 2nd DC (let's call it DC2) I have run into a problem - one Service Location record for the decommissioned DC will not go away.
DC2 was demoted, had its roles and features removed and was then taken out of the domain.

After removal I manually deleted the server object in Sites and Services, and cleaned up in DNS as well (the DNS is AD integrated with all DCs being DNS servers and Global Catalogs).

All DNS records stayed deleted, short of one:
The Service Location _kerberos record representing DC2 keeps coming back - no matter how many times I delete it :-(
The record is located under "Forward Lookup Zones -> _msdcs.mydomain.name -> dc -> _sites -> Default-First-Site-Name -> _tcp -> _kerberos Service Location (SRV) [0][100][88] DC2.mydomain.name 26.10.2018 07:00:00

I did find a remnant of DC2 in the reverse lookup zone for its subnet using ADSI Edit - I deleted that record in ADSI Edit.

It is now close to 48 hours since I deleted DC2 and I hesitate to move forward with my upgrade, because the next domain controller to be introduced into the domain will get DC2's old IP address (need to reuse the IP due to statically configured DNS server IPs on lots of hosts).

Anyone have an idea what could be causing this record to keep reappearing?
What am I missing?
I need to install a web-service related Win 2016 std / IIS server on the DMZ. We will use a public SSL certificate on that. It will then query data from the AD LAN SQL server.

What is the best practice to do this keeping in mind that I have read that you don't want to have AD joined servers on the DMZ?

I have installed public SSL certificates only to AD Servers and now I don't know what to do with this workgroup 2016 std server regarding public SSL certificate.

I believe that I need to install IIS on this server.


I need to execute the Office 365 Azure AD Synch from my computer to the server running the Azure AD Connect v1.11 (PRDADC01-VM). I have made some changes to the AD Attributes.

param(
    [Parameter(position = 0, mandatory = $true)]
    [ValidateSet('Delta', 'Full')]
    [string]$Type,
    [string]$ComputerName = 'PRDADC01-VM'
)
Invoke-Command -ComputerName $ComputerName -ArgumentList $type -ScriptBlock {
    If ($Type -eq 'Full') {$Type = 'Initial'}
    Import-Module adsync
    Start-ADSyncSyncCycle -PolicyType $Type
}


Can someone here please assist me with the correct PowerShell to execute from my laptop which does not require me to install the ADSync ?

Because when I execute the above script from my VS Code, it is not doing anything and no confirmation of success either?

Thanks in advance.
Hello folks,
I have a very weird issue which prevents me from pushing network drives via GPO. It affects primarily Win 7 Pro but some Win 10 Pro as well.

We had an old Windows 2012 Essentials with no GPOs whatsoever. We installed a Windows 2016 Std. and migrated FSMO roles. We had some issues with DCDIAG, but were able to solve them with Auth/Non-Auth repair. See link below:

We created new DFS with new drives and migrated data from old server to new server via SyncBackSE. All works great. Started enabling the GPOs, and found some serious consistency issues.

Yesterday we had 5 Win 7 Pro which refused to get the drives. We had to do WBAM depository reset and that solved the issue. Today we have some Win10 issues.

What am I missing here with this migration? I never had so many issues with migrating from server to server. Is that because of Win2K12 Essentials?

See screen shots for event viewer issues.

Any ideas?
How to disable windows store in windows 10 pro?

Windows 10 pro joined to domain
Windows server 2016

I've tried to disable via gpo but nothing
Computer Configuration -> Administrative Templates -> Windows Components -> Store; in the Settings pane on the right, double click Turn off Store application, select Enabled in the properties page for the policy and click OK.
I need the best advice on setting file/folder permissions to accomplish a specific task.
I need a folder, and under that folder to have subfolders for each of my users, and within each of those folders have another folder to which the user only has read-only access.

If you look at the attached image
Active would be a hidden share and the user would have a shortcut on their desktop that brings them directly into their folder. When user1 clicks the shortcut they will be in a folder that has another folder called complete, and that is all they will see. Files for them to work on will be placed in this user1 folder, and when they are done either a batch file will move the files into complete or another user with access will move the files into complete. At that time user1 will be able to go into the complete folder and open the files and read them, but will not be able to modify or move the files.

In the past we had some problems with admins modifying rights on folders and inheritance really messing up our file server.  

I just want to know how an expert will tackle this task.  I also had another thought that the Complete folder instead would be a shortcut that brought the user to a different directory altogether which they only have read only access,  that way I don't have to worry about inheritance from folder above and setting deny permissions on the Complete folder.

All thoughts are welcome and I think this is an easy task, just don't want to do something and in time realize I …
In Azure RM I have two Windows VMs that were encrypted, which was enabled by using a template from GitHub. What is the proper way to remove the encryption completely from all disks and monitor the decryption status in the process?
We have a HP Officejet Pro 6830 that is connected on a local network and trying to print to it via RDP from an Azure Windows Server 2016 VM.

It works fine and without issue locally.  However, when printed over RDP connection (printed from application on VM) this is how it looks:

I am sure it is the correct driver and I know that the printer works fine (locally).  Any thoughts or ideas to try?

