In order to reorganize an Active Directory forest with multiple child domains into a single domain, I used the ADMT (Active Directory Migration Tool) 3.2 from Microsoft. This modification is an intraforest migration because all domains are in the same forest.
While ADMT supports an intraforest migration, I encountered a specific issue for computers migrated from a child domain to the parent domain: “The security database on the server does not have a computer account for this workstation trust relationship”.
Security database trust relationship
Well, I was very perplexed by this error, because the ADMT agent reported a successful operation, and the computer account existed in the new Active Directory domain.
In fact, you will get this error each time you want to migrate a computer with an intraforest migration and the target operating system is Windows Server 2012 R2. Let’s see why and how to resolve this issue.
Sometimes, you may need to check the information stored in the Active Directory Global Catalog. This can happen if you want to check that the replication between GCs located in separate sites is done.
We can easily view the information in GC with ADSI Edit:
Let’s see how to connect to a GC using ADSI Edit.
During an Active Directory migration, I needed to do an inventory of the computers to migrate. Because some computers no longer existed but had not been removed from Active Directory, I created a PowerShell script based on the Last Logon Timestamp property.
CSV file from the script
This PowerShell script creates a CSV file with the computer name, the last logon property and the operating system. Some domains were based on Windows Server 2003 or 2008, so I could not use the Active Directory cmdlets and used an LDAP search instead.
Microsoft released Cumulative Update 11 for Exchange 2013 and Exchange 2016 CU1 in December 2015. With these new packages, they changed the behavior of the Exchange Management Shell (Exchange PowerShell).
Prior to 2013 CU11 and 2016 CU1, when you started the EMS, it connected by default to the local Exchange server. But with CU11, Exchange PowerShell is proxied to the server where the user’s mailbox is located. It means that when you start the EMS console, it will probably try to connect to another server.
When all your servers are up to date, in some circumstances, you can get an error when launching the EMS: “No mapping for the Unicode character exists in the target”:
Mapping Unicode error
If you get this error, do not panic and stay calm :). You can find some posts saying that you need to rebuild the PowerShell virtual directory, but do not do this! Let’s see how to resolve this issue easily.
With an Office 365 business subscription, Microsoft provides a new service in order to make the migration easier: Import File. This service allows us to import PST files into Office 365 mailboxes with a web interface. For the moment, you can use it for free, but it will be available for purchase later in 2016.
However, if you try this function without prerequisites, you will get an error for each mailbox. On the status page, you will see this error: Please add Mailbox Import Export role for user running Import and check back in 60 minutes.
Status page import export error
Let’s see how to correct this error:
Sometimes, you may need to change the product key (the license) of an existing SQL Server installation. This can happen if you installed the product in Evaluation mode or if you want to upgrade to Enterprise from Standard edition. Fortunately, this modification does not require uninstalling and reinstalling SQL Server. It can be done using the Setup Wizard.
SQL Server Product Key
But you may not have the Product Key displayed in your MSDN subscription portal. It can be found in the .iso file that you downloaded from the website.
Let’s see how to do that:
For each product, like Windows or Office, Microsoft introduces new features or new configuration options. All of these can be managed using Group Policy Objects (GPO), but you must get the latest policy definitions if you want to set the new options. For example, with Windows Server 2012 R2, you need to import the Windows 10 ADMX files in order to manage it by GPO.
Windows 10 ADMX with Server 2012
Let’s see how to import ADMX files for Group Policy Objects.
Using System Center Configuration Manager on a wide computer scope can result in unexpected or untrue reporting. For example, some computers can be off for a long time, or an administrator may have removed them from the managed computers; these are inactive clients.
When you deploy an Application or Software Updates with SCCM 2012, some reports can be totally wrong and not reflect reality if a lot of computers are no longer managed but still exist in SCCM.
To work around this, Microsoft introduced the Inactive Client property. The SCCM client gets and puts information to the management point, and if it doesn’t report for a number of days, it will be set as an Inactive Object. Inactive Clients can be excluded from reporting in order to be more accurate.
Inactive Client report
Let’s see how to change the default number of days before an object will be set as inactive.
With Windows 8.1 and previous operating systems, when you wanted to change the priority of a network card, you could change the Network Bindings using Advanced Settings in the Network Center.
This interface still exists in Windows 10, but this function was deprecated. Changes in “Connections” are no longer applied. You may tell me that on a workstation we don’t use this feature, and it is true. But I faced an issue with Windows 10, VMware Workstation and the OpenVPN client.
When my LAB is up and running (Host-Only network) and the host is connected to the internet using the OpenVPN client, sometimes the host loses access to the internet. After troubleshooting, I found that my host queries the DNS in my LAB and not the DNS of the OpenVPN interface, and so the query fails because the DNS server does not have access to the internet.
Let’s see how to solve this minor issue.
If you manage one or several file servers in your infrastructure, you may want to customize the Access Denied error message displayed to users. This feature has been available since Windows 8 and Windows Server 2012. It is called Access-Denied Assistance.
Access Denied Custom Message
Access-Denied Assistance can be useful if you want to simplify the process of granting folder permissions to users. Sometimes, the user knows neither the full path nor the rights needed.
With Access-Denied Assistance, the shared folder administrator will receive an email with all the information required. No more calls for user access.
Let’s see how to do that with Server 2012 R2.