Dear Experts,

My Domain Controller is a Windows Server 2012 Standard.
My Clients are mixed workstations of Win 7 Pro and Win 10 Pro since we are currently upgrading all clients to Win 10 Pro.

The upgraded Win 10 users were complaining that the computer will auto-lock in short period of time (about 20 minutes).
From the other side the existing Win 7 clients are not affected from the auto-lock issue.
If you leave the Win 7 client unlocked it will remain unlocked.
Same applies to Windows Server 2012 Domain Controller.

In addition please be advised that nothing was initially changed from Domain's Group Policy.
Once the Win 10 Client joined the Domain it would automatically receive this 20 minutes auto-lock.

I searched the internet to locate the correct group policy in order to increase the auto-lock from 20minutes to 60minutes.

I found an article indicating the setting "Interactive logon: Machine Inactivity Limit".
In order to test the setting, I entered 30seconds and I confirmed that the Windows 10 would now lock from 20minutes to about 40seconds.
Following I changed again the setting from 30seconds to 3600seconds (1hour) but unfortunately the auto-lock remains at 40seconds.


I have tried with no luck to:
- gpupdate /force domain controller
- reboot domain controller
- disable "Interactive logon: Machine Inactivity Limit" setting
- reboot Win 10 client

Under Group Policy Objects of the Domain Controller I have…

Windows 2012 R2 was installed with all FSMO role & windows essential service. (DC1)
I was having another DC with windows 2016 installed (ADC2)

Windows 2012 R2 was having some issue, so I decided to transfer FSMO roles to ADC2 https://www.dtonias.com/transfer-fsmo-roles-domain-controller/
So I successfully transferred all FSMO role to ADC2

Then I removed Windows essential service (as I was not using it) from DC1.

I forced demoted the DC1 ignoring warning that Certificate service is installed on DC.

I missed backing up CA  as given on :https://social.technet.microsoft.com/Forums/windowsserver/en-US/d922860b-c8cd-4ed5-9b0b-05391c18afc0/demoting-a-domain-controller-with-a-ca-on-it

I never added any certificate on CA. In the network, MS exchange 2013 server is also running that is using public SSL certificate.

Do I need this active directory CA role or service for smooth working of network?
https://community.spiceworks.com/topic/373554-demote-a-dc-with-certificate-authority

Or I should ignore this & proceed to shutdown DC1.

Hi,
 
I have a Stand-alone Windows 2012R2 server with 8 users. it has two drive letters: C (OS & business software) and E (User Files).  Current server is domain controller, file and print server (one big office copier/scanner/fax) and runs  Remote Desktop gateway service (there are two users who connect to their office PCs from home).

I have a new replacement the server loaded with Windows Server 2019 running Hyper-V  and am considering two options:

(1) In-Place Upgrade:
 -  Create a vhdx file from W2012R2 server using Disk2VHD and use it as existing hard drive in new virtual machine. Start the W2012R2 VM and assign static IP address. After making sure that W2012 VM is running like when it was in a stand-alone server environment, I would  change Image file to Windows2019.ISO file in Settings, Copy Windows Server 2019 setup files to a temporary folder, run Setup.exe and choose "Keep personal files and apps" option.  All Done!

(2) Create two VMs
 - First VM will be domain controller, print server and runs remote desktop gateway service . Join this VM to existing domain, transfer Master FSMO roles from current server to this new VM. Import/export printer registry and DHCP . Add remote desktop gateway service, create new Certificate and install it in user's home computers.
 - Second VM would have user files and folders and run business specific software. Install Business software. Copy Files and Folders and import Share registry from old server.
 - Demote old …

Hello, we have created a policy in Group Policy, Default Domain Policy, that locks out client screens after 15 minutes of inactivity. It works fine but we have some machines that we do not want the screens to lock. The DC is a Windows Server 2012 r2 and the clients are Windows 10. Any ideas on how we could accomplish this? I have attached a 2-page file that shows where this is enabled.

Thank you.

Following a step by step from techcommunity.microsoft.com, which closely matches a few other step by steps guides I was reviewing at the same time for consistency.

All health checks passed on all DCs prior to initial step "dfsrmig /setGlobalState 1".
(execept 'expected' errors when running the health checks on 2012R2 DCs using FRS for sysvol replication - and yes this should have happened when we first migrated to 2012R2 DCs, but apparently that step was overlooked)  I ran the following checks:

•     dcdiag /e /c /d /v
•     dcdiag /e /test:sysvolcheck /test:advertising

It's been 18+ Hrs since then, and all except one of the DCs moved into the global state 'prepared' as expected except one, which is still stuck at "Writeable DC".  

Locally, the sysvol folders appear to have replicated properly:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating SysVols> Local State = 1

I have found a few other online posts with this issue, and they all seem to refer to the same solution, but without a lot of detail, and what they've described seems to fit my situation.  They refer to the following in ADSIEdit:

CN=DFSR-LocalSettingsCNF:<hexnumber> under CN=<servername>,OU=Domain Controllers,DC=<domain>,DC=local with some DFSR Entrys.

They talk about deleted the "corresponding replications" for this server with the dfs administration tool.

and finally after the CN=DFSR-LocalSettingsCNF:<hexnumber> …

Task with a project of upgrading Windows 2012 R2 domain Controllers to Windows 2016

I need to come up with a script to perform a rolling domain controller promotion, using powershell.

What I mean is do not want to promote all domain controllers at the same time.   I would like to do only 3-4 at a time.
 
Can you provide me with a powershell script to handle these task.

Future Domain controller names - DC01@contoso.com,DC02@contoso.com,DC03@contoso.com

I have a windows 2012 domain with password requirments (Complexity, min password length etc.). However, some of my windows 10 users can change their paasswrd and simply hit "return" making a blank password...if they type one character they get a message that it's too short,m but it allows a return (blank)....is this a bug?

We are having some issues with a couple of users accounts that login to a terminal server via vpn.
The server is running 2012 R2
So what I need to do is delete the users profiles of which they use roaming profiles.
So do I delete this on the Terminal server I would think, and if so, what are the steps that I need to perform to delete these?
I am thinking there is a folder location some place for the roaming profiles that needs deleted?
Thanks

Compact Repair Removing Tables from the ACCDB

Short version: I recently upgraded my office machines to Win 10 Pro.  Now, when I pull an accdb from my client’s machine to my office machine, then run a compact/repair on the transferred data, on my machine, tables are lost.

This is new behavior since I upgraded my office machines to Win 10 Pro.  I have been working with this client for 10 years and many times have pulled accdb’s from their machine to my machines and compacted them with no issues.  I tried this on another machines in the office that was recently upgraded and the compact/repair also removed tables.

Here’s the current configuration.

Client Machine            Windows 2012 R2      Access 2013
Office machine            Windows 10            Access 2013

Compacted ACCDB size      1.03GB


Much longer story with much more, probably too much, detail
I am adding new functionality to a client’s Access 2013 application.  I wanted to test with their current data so I pulled it to my office machine from their server.  The first thing I did on my office computer was run a compact/repair.  At the end of the compact repair there were tables missing from the accdb.  I thought maybe the data was corrupted so I created a blank database, pulled in all of the tables from their original, non-compacted DB and then ran the compact repair on the new DB.  Same result, tables were removed.

I connected back into the client’s server backed up the accdb, then ran a compact/repair on their server.  No issue …

Windows Server 2012 R2 with SQL Server 2014 Web.

Event Log Error:
Driver Microsoft Print To PDF required for printer Microsoft Print to PDF is unknown. Contact the administrator to install the driver before you log in again.

Let me be clear, I DO NOT WANT TO INSTALL PRINTER DRIVERS to fix this issue.

I simply want to TURN OFF THE THING THAT IS WANTING TO PRINT. Do you know how that is done?

thanks!

Hello,
    I'm deploying a new Windows 2012 R2 server for the sole purpose of AD FS.  My only use case for AD FS at this point is to setup SSO with an application we use.  I'm good with the install portion of the AD FS role but my question comes in with my domain being a .corp and the certificate I'm planning on using is a wildcard cert with a .net suffix.  During the Active Directory Federation Services Configuration Wizard when you get to the Specify Service Properties it asks you for the SSL Certificate, Federation Service Name and Federation Service Display Name.

I hit the drop down for SSL Certificate and pick mydomain.net.

Federation Service Name I put adfs.mydomain.net or adfs.mydomain.corp?

Any thoughts are appreciated....