Active Directory
788 Topics

No support for Protected Users in Microsoft Entra Domain Services?
I have been looking into mapping best practices about configuring a hardening / tiering model from on-premises Active Directory to Microsoft Entra Domain Services (MEDS). I'm well aware that MEDS is NOT a replacement for AD DS and has many restrictions and missing features, but that does not stop me from wanting to make it as secure as possible for member servers to be joined to. Since MEDS is a PaaS in Azure, deployed from within Azure and managed in another way than Active Directory, of course there are different ways of implementing a good tiering model. In my study I wanted to see if I could enable the Protected Users feature (join users to the Protected Users group). However, I find this group to be present but not possible to add members to (feature greyed out). I have a member server in the MEDS instance and have installed AD DS Tools. My user is a member of the AD DDS Administrators group. I would like to know if anyone has some knowledge on the subject to share?
46 Views, 0 likes, 1 Comment

How to diagnose lsass.exe leaking memory on Server 2022
Since last week, one DC (it differs, depending on reboot order as to which one, so clearly due to something on the network selecting the DC as a login server) has a huge lsass.exe memory issue. I had to reboot one DC after the process hit 6GB in size. Here's the progression of the process since that reboot: Is anyone else seeing this, perhaps since last week's updates? Any suggestions for how to diagnose?
2K Views, 0 likes, 4 Comments

Active directory allowing old and new password after reset
We are using Windows 2019 Server, and once a password is reset (before it has expired), we see a behavior where the old password is valid for 5 mins after the password reset. Our replication delay is 15 seconds and we haven't set the registry key OldPasswordAllowedPeriod. In the documentation at https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/new-setting-modifies-ntlm-network-authentication it is mentioned that if OldPasswordAllowedPeriod is not set, the default will be 60 mins. So where is this 5 mins configured?
37 Views, 0 likes, 1 Comment

Very basic question regarding SITELINKS and object behaviour after their removal.
Hi all. I'm looking for the "MS official response" on this simple scenario: I create a sitelink between 2 Active Directory sites and KCC internally auto-creates object connections between designated domain controllers / bridgehead servers on each of those sites, and then the DCs replicate. Everything is cool. But what should happen with those object connections when I manually delete the sitelink because I don't want the sites to replicate anymore? Should KCC remove them after x period of time, or should I manually remove them? I'm getting different answers and just looking for the official response, since in my own lab testing the auto object connections in both sites are NOT getting removed by KCC after sitelink deletion and I don't know if that's by design or not. Thanks
253 Views, 0 likes, 1 Comment

BPA Errors: DNS can't resolve GC, Kerberos, PDC Resource Record, etc.
Hello, I've been poking around this for hours now and could use another set of eyes. This server has been the PDC for quite some time, but I discovered the last people that managed this place didn't demote the old 2008R2 server (thankfully it still existed virtualized). So I was able to do a graceful demotion of that and removed it from the domain. I'm now trying to resolve some other errors that come up in the BPA scan... All reference DNS and I just can't figure this out. I've been beating my head against the wall trying to understand what's happening. This is MS Server Standard 2022, only 1 DC and DNS. (Yeah I know, don't get me started, but it's a really small office)... Would love some suggestions. Thanks!
178 Views, 1 like, 16 Comments

Feature Installation Error
I am facing this issue in Windows Server 2019 STD. I also tried to solve this issue by selecting the sources\sxs path from the OS media, but I am still getting the same error. Mistakenly I have removed .NET Framework from this server and after that I am facing this issue. Please help me to solve this issue.
27 Views, 0 likes, 0 Comments

Windows Server 2025 | Kerberos Local Key Distribution Center (LocalKDC) service fails to start
I have found that this service was disabled before the December update. For some reason it has gone to automatic and cannot be started; maybe this behavior is normal if you are not using this feature. After the January security patch the service still does not start. I think Microsoft should report this problem. This happens on a clean installation without any role installed. I know there are many users with this problem. The January patch has not fixed it.
2.4K Views, 3 likes, 6 Comments

Group Policy object did not apply because failed error code:0x80070709 The printer name is invalid
Hi Everyone,

I have a few AVD pools where we publish an app for users to access. Users report that printers are not being mapped after login. We use GPP user side to map printers and set as default. Many times we see these events logged:

VALUE>The printer name is invalid.</VALUE></PROPERTY>-</INSTANCE>

Event ID 4098 is logged in the Application Log:

Log Name: Application
Source: Group Policy Printers
Date: <DateTime>
Event ID: 4098
Task Category: (2)
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: server.fabrikam.com
Description: The user 'HP Printer' preference item in the 'Define Printers {XXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}' Group Policy object did not apply because it failed with error code '0x80070709 The printer name is invalid.' This error was suppressed.

For this one I found this KB, which is really not helpful since there is no possible solution as the client is an AVD VM and used by many users at the same time.

VALUE> No printers were found.' VALUE></PROPERTY>-</INSTANCE>

Event ID 4098 is logged in the Application Log:

Log Name: Application
Source: Group Policy Printers
Date: <DateTime>
Event ID: 4098
Task Category: (2)
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: server.fabrikam.com
Description: The user 'Accounts - Main Printer' preference item in the 'Printers - Global {zzzzzzzzzzzzzzzzzzzzz}' Group Policy Object did not apply because it failed with error code '0x80070bc4 No printers were found.' This error was suppressed.

VALUE>The specified printer has been deleted.</VALUE></PROPERTY>-</INSTANCE>

Event ID 4098 is logged in the Application Log:

Log Name: Application
Source: Group Policy Printers
Date: <DateTime>
Event ID: 4098
Task Category: (2)
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: server.fabrikam.com
Description: The user 'Sales-Printer' preference item in the 'Printers - Global {zzzzzzzzzzzzzzzzzzzzz}' Group Policy Object did not apply because it failed with error code '0x80070771 The specified printer has been deleted.' This error was suppressed.

No KBs or posts out there to help with these 2 errors. Really need assistance, as printers are not being mapped on first logon; users need to come out of AVD and go back and relaunch the app to see the printers mapped. This is the same case with our internal app or Notepad.

Thanks,
M
925 Views, 0 likes, 2 Comments