Windows Server 2012





Windows Server 2012 is the server version of Windows 8 and the successor to Windows Server 2008 R2. Windows Server 2012 is the first version of Windows Server to have no support for Itanium-based computers since Windows NT 4.0. Windows Server 2012, now in its second release (Windows Server 2012 Release 2) includes Foundation, Essentials, Standard and Datacenter, and does not support IA-32 or IA-64 processors.

Dear Experts,

I am trying to formalize our server update procedures.  Since the existing procedure was not created recently, I would like to bring it up to date.
We have a WSUS server, and I was thinking of using Group Policy for deployment.  (right now, we are using SolarWinds patch manager, and manually pushing the patches every week)
I am only including Microsoft Windows Server and SQL Server updates, and we have a test server group we can use first before rolling out to production.
I would like to know what would be the more recent best practices for:

1. How long I should wait to deploy the patch after it comes out. (Unless it is Zero-day security category)  
2. How should I track the success/failure rate, besides going through WSUS app report on the WSUS server.
3. What should be the Automatic Approval policy?  Always with Critical patches?
4. Is there a better way rather than using GPO?

Please advise.  Thank you.
Hello Experts, I'm preparing to make changes to my Global Password Policy without a test environment available to me, and I'm trying to determine what happens when I increase the password length requirements. To be exact, I need to know when these would kick in after I make the change.

For example, after I increase the password length, will all accounts be forced to change the password immediately, OR will they need to do that when the next password expiration date comes around?

What about service accounts set to never expire? Those are my main concern, rather than standard users. Does the change trigger immediately, or after a reboot or login?

Any insights will be appreciated, thanks!
Dear Experts,

My Domain Controller is a Windows Server 2012 Standard.
My Clients are mixed workstations of Win 7 Pro and Win 10 Pro since we are currently upgrading all clients to Win 10 Pro.

The upgraded Win 10 users were complaining that the computer will auto-lock in a short period of time (about 20 minutes).
On the other hand, the existing Win 7 clients are not affected by the auto-lock issue.
If you leave the Win 7 client unlocked it will remain unlocked.
Same applies to Windows Server 2012 Domain Controller.

In addition please be advised that nothing was initially changed from Domain's Group Policy.
Once the Win 10 Client joined the Domain it would automatically receive this 20 minutes auto-lock.

I searched the internet to locate the correct group policy in order to increase the auto-lock from 20 minutes to 60 minutes.

I found an article indicating the setting "Interactive logon: Machine Inactivity Limit".
In order to test the setting, I entered 30 seconds and I confirmed that the Windows 10 would now lock from 20 minutes to about 40 seconds.
Following that, I changed the setting again from 30 seconds to 3600 seconds (1 hour), but unfortunately the auto-lock remains at 40 seconds.

I have tried with no luck to:
- gpupdate /force domain controller
- reboot domain controller
- disable "Interactive logon: Machine Inactivity Limit" setting
- reboot Win 10 client

Under Group Policy Objects of the Domain Controller I have…
Changed GPOs so the domain controller and client are set to LDAP require signing.

Nothing is broken, but what's a good test to make sure the setting is in action? Two domains (trusted), and clients and member servers to domain controllers. Windows 2012 R2, and Win 8.1, 10.
Windows 2012 R2 was installed with all FSMO roles & Windows essential service (DC1).
I had another DC with Windows 2016 installed (ADC2).

Windows 2012 R2 was having some issues, so I decided to transfer the FSMO roles to ADC2.
So I successfully transferred all FSMO roles to ADC2.

Then I removed Windows essential service (as I was not using it) from DC1.

I force-demoted DC1, ignoring the warning that Certificate service is installed on the DC.

I missed backing up CA  as given on :

I never added any certificate on CA. In the network, MS exchange 2013 server is also running that is using public SSL certificate.

Do I need this active directory CA role or service for smooth working of network?

Or should I ignore this & proceed to shut down DC1?
I look after a company with a Windows Server 2012 Essentials server and Windows 10 Workstations.

All of a sudden, all but one of the workstations and the server are unavailable via the remote desktop connection.

On the dashboard of the Server, they are also listed as Offline (Except one workstation and server) under devices.

They seem to be working OK otherwise.  They can access files on the server and are using re-directed folders that I believe are working fine too.

I am going on-Site on Wednesday and wondering if anybody has any ideas what the issue may be or where to start looking?

Thanks in advance.
I have a stand-alone Windows 2012 R2 server with 8 users. It has two drive letters: C (OS & business software) and E (User Files).  The current server is domain controller, file and print server (one big office copier/scanner/fax) and runs the Remote Desktop gateway service (there are two users who connect to their office PCs from home).

I have a new replacement server loaded with Windows Server 2019 running Hyper-V and am considering two options:

(1) In-Place Upgrade:
 -  Create a vhdx file from W2012R2 server using Disk2VHD and use it as existing hard drive in new virtual machine. Start the W2012R2 VM and assign static IP address. After making sure that W2012 VM is running like when it was in a stand-alone server environment, I would  change Image file to Windows2019.ISO file in Settings, Copy Windows Server 2019 setup files to a temporary folder, run Setup.exe and choose "Keep personal files and apps" option.  All Done!

(2) Create two VMs
 - First VM will be domain controller, print server and runs remote desktop gateway service . Join this VM to existing domain, transfer Master FSMO roles from current server to this new VM. Import/export printer registry and DHCP . Add remote desktop gateway service, create new Certificate and install it in user's home computers.
 - Second VM would have user files and folders and run business specific software. Install Business software. Copy Files and Folders and import Share registry from old server.
 - Demote old …
How big does AD have to be (and how slow does the link need to be) to justify installing a new domain controller in a regional office using the IFM (Install From Media) method?

I think we'll have a 50 mbps symmetrical site-to-site VPN.

Our NTDS folder is 375 megs in size.

Should I use IFM or just do it the regular way?

I'm no pro so picking the easy method is very much preferable.

Reading about IFM here:

I became concerned reading this passage:

"Important:
The next steps are required to change the SYSVOL folder security settings. These steps change the file hash, which will become the same file hash as in the IFM. If you use DFS Replication, SYSVOL will keep the preseeded data only if the file hash on the source domain controller and the destination server are the same.
On the destination server, right-click the SYSVOL folder, and then click Properties.
Click the Security tab, and then click Advanced.
Click the Auditing tab, and then click Edit.
Clear the Include inheritable auditing entries from this object’s parent check box, and then select it again.
Click Apply, and then click OK."

The existing domain controllers are Server 2012 and the new one will be Server 2016.  The functional level will remain at Server 2008 R2.
Hello, we have created a policy in Group Policy, Default Domain Policy, that locks out client screens after 15 minutes of inactivity. It works fine but we have some machines that we do not want the screens to lock. The DC is a Windows Server 2012 R2 and the clients are Windows 10. Any ideas on how we could accomplish this? I have attached a 2-page file that shows where this is enabled.

Thank you.
I have a simple network, all flat, using default vlan 1 on my LAN.  I do have 2 switches that have a different vlan to separate my camera traffic.

I am implementing 2 more switches, stacked, (vlan 90) that I need them to be able to access the rest of my current network, vlan 1.
I'm going to create the new vlan on the core switch and add an IP address to it.  I know that all my uplink ports need to also be trunk ports,
so it can pass all the vlans,  I'm guessing, all I need to do is add the new vlan on every current switch in my network and that's all I have to do from a
networking standpoint.  I also need to add the IP helper command on my core switch, so I can pass the DHCP info to my DCs.  Am I missing anything else
I need to do?

In regards to my AD, I'm running windows server 2012R2 for all 3 of my domains.  I'm running DHCP and DNS.
So I'm assuming I need to create a new lookup zone for this new vlan and IP range.
Besides that, am I missing anything?  What else would I need to do?

Is there anything else I need to do to make this happen?

Following a step by step from, which closely matches a few other step by steps guides I was reviewing at the same time for consistency.

All health checks passed on all DCs prior to initial step "dfsrmig /setGlobalState 1".
(except 'expected' errors when running the health checks on 2012R2 DCs using FRS for sysvol replication - and yes this should have happened when we first migrated to 2012R2 DCs, but apparently that step was overlooked)  I ran the following checks:
  • dcdiag /e /c /d /v
  • dcdiag /e /test:sysvolcheck /test:advertising

It's been 18+ hrs since then, and all of the DCs moved into the global state 'prepared' as expected except one, which is still stuck at "Writeable DC".

Locally, the sysvol folders appear to have replicated properly:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating SysVols> Local State = 1

I have found a few other online posts with this issue, and they all seem to refer to the same solution, but without a lot of detail, and what they've described seems to fit my situation.  They refer to the following in ADSIEdit:

CN=DFSR-LocalSettingsCNF:<hexnumber> under CN=<servername>,OU=Domain Controllers,DC=<domain>,DC=local with some DFSR entries.

They talk about deleting the "corresponding replications" for this server with the DFS administration tool.

and finally after the CN=DFSR-LocalSettingsCNF:<hexnumber>
Hi all,
How can I set group policy for wallpaper for all client PCs?
I have configured it, but sometimes it goes to a black screen, because I kept the wallpaper in a shared folder.
Please suggest how we can avoid this issue.
Any other group policy suggestions?
Tasked with a project of upgrading Windows 2012 R2 domain controllers to Windows 2016.

I need to come up with a script to perform a rolling domain controller promotion, using PowerShell.

What I mean is I do not want to promote all domain controllers at the same time.   I would like to do only 3-4 at a time.
Can you provide me with a PowerShell script to handle these tasks?

Future Domain controller names -,,
Hi guys,

We have set password complexity across our domain. We are sending out communications to targeted users when passwords are nearing expiry, but I fear that with the number of users we have that most people won't read those and that they will keep trying to type passwords that don't meet complexity.

I don't believe people will understand the term 'complexity' or 'history' and hence I wanted to change that to a different message. I want it to show something like this: Password requirements not met. Passwords must be minimum of 8 characters, cannot repeat any of your previous 3 passwords, only have 1 repeating character and must contain alpha and numeric characters only (no special characters). Please select another password.

Any ideas of how to do this?

Thanks for helping
I have a Windows 2012 domain with password requirements (complexity, min password length etc.). However, some of my Windows 10 users can change their password and simply hit "return", making a blank password... If they type one character they get a message that it's too short, but it allows a return (blank). Is this a bug?
I just installed a new Microsoft Surface for my customer on their Windows 2012 domain network.

The network has a WSUS server for all updates.

.NET 4.0 was installed by default on the laptop.

However the customer has some applications that need .NET Framework 3.5 which is NOT installed by default on new Windows 10 install.

When I try to add it through Control Panel / Programs / Windows features I get an error :
Error code:  0x800F0954

I've done some googling which suggests there is a Microsoft BUG or problem where Windows 10 is unable to install .NET Framework 3.5 from WSUS.

I can't believe Microsoft would fail to provide for a WSUS mechanism to install .NET - or indeed any feature from Windows Features.....

Can someone please assist / advise here ?

We are having some issues with a couple of users accounts that login to a terminal server via vpn.
The server is running 2012 R2
So what I need to do is delete the users profiles of which they use roaming profiles.
So do I delete this on the Terminal server I would think, and if so, what are the steps that I need to perform to delete these?
I am thinking there is a folder location some place for the roaming profiles that needs deleted?

We are using Windows 2012 Domain controller Windows 10 workstations.

I have 2 users and when they log into the Windows 10 PCs,  I would like a shared drive mapped on any PC they log into the network.
The shared drive is located on the Windows 2012 server.

Please let me know the best way of doing this and any tutorials will be great.

Compact Repair Removing Tables from the ACCDB

Short version: I recently upgraded my office machines to Win 10 Pro.  Now, when I pull an accdb from my client’s machine to my office machine, then run a compact/repair on the transferred data, on my machine, tables are lost.

This is new behavior since I upgraded my office machines to Win 10 Pro.  I have been working with this client for 10 years and many times have pulled accdbs from their machine to my machines and compacted them with no issues.  I tried this on another machine in the office that was recently upgraded and the compact/repair also removed tables.

Here’s the current configuration.

Client Machine            Windows 2012 R2      Access 2013
Office machine            Windows 10            Access 2013

Compacted ACCDB size      1.03GB

Much longer story with much more, probably too much, detail
I am adding new functionality to a client’s Access 2013 application.  I wanted to test with their current data so I pulled it to my office machine from their server.  The first thing I did on my office computer was run a compact/repair.  At the end of the compact repair there were tables missing from the accdb.  I thought maybe the data was corrupted so I created a blank database, pulled in all of the tables from their original, non-compacted DB and then ran the compact repair on the new DB.  Same result, tables were removed.

I connected back into the client’s server backed up the accdb, then ran a compact/repair on their server.  No issue …
I am proposing a major upgrade for one of my clients.

Up till now, we have been using a 3rd party registrar for business emails. Lately my client continues to ask for additional email accounts to be set up - exceeding our purchased quota. I have also been pressed for synchronization on inboxes with iPhones. For the time being I have been configuring via IMAP.  Needless to say, they have outgrown this basic email package.

Yes I have considered Office 365 Business, and Premium w/ Exchange, but, I want to investigate my options in-house. I can't seem to get past that reoccurring annual charge.

We currently have 1 Dell PE R320 running Windows Server 2012 R2 Standard. There are 13 users in the office environment, 10 out in the field.  We have a 3rd party business application running off of SQL on this same server. Our system comes with the ability to create 2 VMs, running the Server 2012 R2 Standard. I'm thinking great, I don't have to spend another 2,500 on a server, I'll use what I already have. Then I read the following on Microsoft:

• Only management software (for example, antivirus software, backup software, or virtual machine management software) can be deployed on the physical host machine. No other server-based applications (for example, Exchange, SQL Server, Active Directory, or SAP) should be installed on the host machine. The host machine should be dedicated to running guest virtual machines.

So, that is the warning. Has anybody actually tried to do this, …
Windows Server 2012 R2 with SQL Server 2014 Web.

Event Log Error:
Driver Microsoft Print To PDF required for printer Microsoft Print to PDF is unknown. Contact the administrator to install the driver before you log in again.

Let me be clear, I DO NOT WANT TO INSTALL PRINTER DRIVERS to fix this issue.

I simply want to TURN OFF THE THING THAT IS WANTING TO PRINT. Do you know how that is done?

We have a couple of users whose AD accounts get locked out each time after they log in to the VPN. (Server 2012 R2)
So they're able to log in but their AD does lock out after that.
If we reset their accounts after a few minutes their AD account locks out again.
They are using Cisco VPN.
Anyone have any idea on why it keeps locking out their AD account when logging into the VPN?
If they don't login to the vpn, their AD does not ever lock.
I'm deploying a new Windows 2012 R2 server for the sole purpose of AD FS.  My only use case for AD FS at this point is to set up SSO with an application we use.  I'm good with the install portion of the AD FS role but my question comes in with my domain being a .corp and the certificate I'm planning on using is a wildcard cert with a .net suffix.  During the Active Directory Federation Services Configuration Wizard when you get to the Specify Service Properties it asks you for the SSL Certificate, Federation Service Name and Federation Service Display Name.

I hit the drop down for SSL Certificate and pick

Federation Service Name I put or adfs.mydomain.corp?

Any thoughts are appreciated....
At a location, we have a Domain Controller running. We had another location close and that location had a Domain Controller as well. We brought the secondary server to the main location and plugged it in and corrected the IP and such. The issue is, now users will get  "trust relationship between this workstation and the primary domain failed" when both servers are up and running. They are both on the same domain and when I power off the secondary server the problem is fixed. My question is what changes or things need to be done in order to allow these two servers to run on the same network without clashing. Thank you
So I'm experimenting with a dedicated server that is offsite in an attempt to move the current server off prem. I purchased one through and fired it up. I copied a VHDX hard drive to Hyper-V and fired that up as well. So far so good.. the virtual machine has no internet connection. So on the main server I assigned an ip address and also assigned an ip of On the virtual machine I assigned an ip address of They can communicate but the virtual machine cannot reach out to the internet. I'm not even sure if that's how it's done. I have the same gateway on the virtual machine that was provided by They have no tutorials, and the support is minimal.
