Category Archives: Windows Server 2008

Step-by-Step Guide to publish proxy settings via GPO for IE10 and IE11 in a Windows Server 2008 R2 AD environment

Before IE10, Internet Explorer settings could be managed using Internet Explorer Maintenance (IEM) in Group Policy. If your organization has IE settings published using IEM, they no longer apply to IE10 and IE11.

In a Windows Server 2012 or later AD environment this is not a problem: you can simply publish these settings using the new IE settings publishing method in GPO. In Windows Server 2008 and Windows Server 2008 R2 you need to follow a different method. In this post I will explain how to do it in a Windows Server 2008 R2 AD environment.

Before IE10 you could publish settings via GPO using User Configuration > Policies > Windows Settings > Internet Explorer Maintenance. But if your server runs IE10 or IE11, you can no longer see it in GPO.


The new method is to publish IE settings via User Configurations > Control Panel Settings > Internet Settings. There you can create settings based on the IE version. In my demo I am using a DC server with Windows 2008 R2 and IE 11 installed. But here I can’t see an option to publish IE10 or IE11 settings.


So how can we do it?

In order to publish IE10+ settings you need one of the following in the same domain:
1)    Windows 2012 or newer server with the Group Policy Management feature installed
2)    Windows 8.0 machine with the latest RSAT tools
3)    Windows 8.1 machine with the latest RSAT tools
4)    Windows 10 machine with the latest RSAT tools

Also make sure the system is running with the latest updates.

Remote Server Administration Tools (RSAT) enables IT administrators to remotely manage roles and features in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 from a computer that is running Windows 8.1, Windows 8 or newer.

In my demo I am using a Windows 8.1 machine with RSAT installed.

1)    To start, log in to the PC with Domain Administrator privileges.
2)    Then go to Programs and click on Group Policy Management


3)    Once it loads up, expand the console, go to the domain, right click and select Create a GPO in this domain, and Link it here.
In my demo I am going to create a new GPO to publish the IE settings.


4)    Type the new policy name and click OK


5)    Then right click on the newly added policy and click on Edit


6)    Expand the policy settings and go to User Configuration > Preferences > Control Panel Settings > Internet Settings. Then right click and select New. Here we can now see IE 10. There is no IE11 entry; the IE10 settings are valid for IE11 too. Click on “Internet Explorer 10” to publish the settings.


7)    Now it will open up a window that looks similar to the typical IE settings interface.


8)    Enter the changes you would like to publish.


9)    One thing you need to make sure of: once you have entered the changes, press “F6” to apply them. If it works, the red dotted line under the setting changes to a green dotted line. Whatever changes you put in, if you do not activate them by pressing F6 they will not be published.


10)    Click OK to submit the settings. Here you can see it has saved the IE10 browser settings.


11)    It’s time for testing; let’s see if the newly published settings are applied to IE11.


12)    Yes, it worked fine. One thing to keep in mind: if you need to make changes to the GPO later, you need to use one of the above-mentioned options. You can’t edit the new values from Windows Server 2008 R2.
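A way to do the test in step 11 from the command line, as an added example that is not part of the original post. The Internet Settings preference item writes the proxy values into the user's registry hive, so the script reads them back and checks with gpresult that the GPO is in the applied list. The GPO name is an assumption; use the name you typed in step 4.

```powershell
# Added verification example (not from the original post). Run in the
# logged-on user's context on a test workstation after 'gpupdate /force'.
$key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$props = Get-ItemProperty -Path $key

# What IE10/IE11 will actually use for this user.
[pscustomobject]@{
    ProxyEnable   = [bool]$props.ProxyEnable
    ProxyServer   = $props.ProxyServer
    ProxyOverride = $props.ProxyOverride
    AutoConfigURL = $props.AutoConfigURL
}

# Confirm the GPO carrying the preference item was applied for this user.
$expectedGpo = 'IE Settings'   # assumption: the GPO name created in step 4
$report = gpresult /scope:user /r
if ($report -match [regex]::Escape($expectedGpo)) {
    "GPO '$expectedGpo' is listed as applied for this user."
} else {
    "GPO '$expectedGpo' is not in the gpresult /r output; check the link, security filtering and the F6 activation in step 9."
}
```

If the GPO shows as applied but the registry values are unchanged, the usual cause is the F6 step: a setting whose underline stayed red was never activated and is silently left out of the item.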

If you have any questions feel free to contact me on

The Active Directory Replication Status Tool (ADREPLSTATUS)

Healthy Active Directory replication is important for an Active Directory infrastructure. REPADMIN is a command-line utility which can be used to check the AD replication status. I wrote an article before about common replication errors and how to use these command-line utilities for troubleshooting. If you have not read it yet, you can find it here.

The Active Directory Replication Status Tool (ADREPLSTATUS) is a small but handy tool published by Microsoft which can be used to analyze the replication status of an Active Directory environment. The output is similar to the output of the command REPADMIN /SHOWREPL * /CSV, but with a few enhancements.

Specific capabilities for this tool include:

    • Expose Active Directory replication errors occurring in a domain or forest
    • Prioritize errors that need to be resolved in order to avoid the creation of lingering objects in Active Directory forests
    • Help administrators and support professionals resolve replication errors by linking to Active Directory replication troubleshooting content on Microsoft TechNet
    • Allow replication data to be exported to source or destination domain administrators or support professionals for offline analysis

System Requirements

Domain membership requirements:

    • Must be joined to the Active Directory domain or forest you intend to monitor

.NET Framework requirements:

    • .NET Framework 4.0 (you may be prompted to install .NET Framework 3.5.1 first on Windows Server 2008)

Required user credentials:

    • Target forest/domain user account

Other requirements:

ADREPLSTATUS will not work when the following security setting is enabled on the operating system:

    • System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms

The tool can be downloaded from


It is very straightforward. All you need to do is double click on the file.

Once installed, double click on the icon to run the application.



Once the tool is loaded, you can check replication for the entire forest or for specific domains.


After you specify the replication boundaries, click on the Refresh Replication Status button. It will discover the current configuration and replication status.




If required, you can export the data to XPS or CSV format.
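For environments where the tool cannot be installed (for example when the FIPS policy above is enforced), the same summary can be built from the REPADMIN output the post compares it to. The script below is an added example, not part of the original post or of the tool: it parses REPADMIN /SHOWREPL * /CSV, flags every inbound partner link with failures or with a last success older than a threshold, and exports the result to CSV for offline analysis. The 24-hour threshold is an assumption.

```powershell
# Added example (not from the original post): a command-line equivalent of the
# ADREPLSTATUS summary built from 'repadmin /showrepl * /csv'.
# Requires the RSAT AD DS tools; run as a domain user.
$maxAgeHours = 24   # assumed threshold; tune to your replication schedule

$rows = repadmin /showrepl * /csv | ConvertFrom-Csv

$problems = foreach ($r in $rows) {
    $failures = [int]$r.'Number of Failures'
    $lastOk   = [datetime]::MinValue
    $stale    = $false
    if ([datetime]::TryParse($r.'Last Success Time', [ref]$lastOk)) {
        $stale = ((Get-Date) - $lastOk).TotalHours -gt $maxAgeHours
    }
    if ($failures -gt 0 -or $stale) {
        [pscustomobject]@{
            Destination = $r.'Destination DSA'
            Source      = $r.'Source DSA'
            Partition   = $r.'Naming Context'
            Failures    = $failures
            LastSuccess = $r.'Last Success Time'
            LastError   = $r.'Last Failure Status'
        }
    }
}

if ($problems) {
    $problems | Sort-Object Failures -Descending | Format-Table -AutoSize
    # CSV export, mirroring the tool's export option, for whoever owns the source/destination DC.
    $problems | Export-Csv -Path "$env:TEMP\ad-repl-problems.csv" -NoTypeInformation
} else {
    "No inbound replication failures or stale partner links found."
}

# On Windows Server 2012 or newer the AD module exposes the same data directly:
# Get-ADReplicationFailure -Target (Get-ADForest).Name -Scope Forest
```

The "stale" check is the part worth keeping even when the failure count is zero: a link that never errors but has not succeeded within the tombstone lifetime is exactly how lingering objects appear.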


Hope this info helps. If you have any questions feel free to contact me on

Step by Step Guide to downgrade domain and forest functional level

Until Windows Server 2008 R2, forest and domain functional levels could not be downgraded once raised. That is not a problem if you properly plan your Active Directory upgrades, but sometimes it saves the day with the difficulties admins face during AD upgrades. Starting with Windows Server 2008 R2 you can downgrade forest and domain functional levels. The minimum level you can downgrade to is Windows Server 2008.

In my demo I am using a domain controller with forest and domain functional levels set to Windows Server 2012 R2.

There is no GUI to perform this downgrade. We have to use PowerShell commands to do it.

First, log in to the domain controller as a Domain Admin / Enterprise Admin.

Then load PowerShell with admin rights.


Then we need to import the AD module.

To do that type Import-Module -Name ActiveDirectory


Before proceeding, as confirmation: here my domain and forest functional levels are set to Windows Server 2012 R2.



First I am going to set the forest functional level to Windows Server 2008.
To do that,

Set-ADForestMode -Identity "" -ForestMode Windows2008Forest

Here the -Identity value is my forest FQDN; replace it with your own domain name.
After running the command it asks for confirmation; type Y or A to confirm the change.


The next step is to downgrade the domain functional level to Windows Server 2008.
To do that,

Set-ADDomainMode -Identity "" -DomainMode Windows2008Domain


After the commands complete successfully, the next step is to confirm the new forest and domain functional levels. This time I am using PowerShell.
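The confirmation step and the two Set-*Mode commands combined into one script, as an added example that is not part of the original post. It reads the current levels, lowers the forest first (a domain level cannot be set below the forest level, which is why the post does it in this order), skips a step that is not needed, and re-reads the levels from the PDC emulator afterwards.

```powershell
# Added example (not from the original post): check, downgrade, re-check.
Import-Module -Name ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
"Before: forest {0} = {1}" -f $forest.Name, $forest.ForestMode
"Before: domain {0} = {1}" -f $domain.DNSRoot, $domain.DomainMode

$targetForest = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008Forest
$targetDomain = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain

# The mode enums are ordered (Windows2008 < Windows2008R2 < Windows2012 < ...),
# so an integer comparison tells whether a downgrade is needed at all.
if ([int]$forest.ForestMode -gt [int]$targetForest) {
    # -Confirm:$true keeps the Y/A prompt the post describes.
    Set-ADForestMode -Identity $forest.Name -ForestMode $targetForest -Confirm:$true
}
if ([int]$domain.DomainMode -gt [int]$targetDomain) {
    Set-ADDomainMode -Identity $domain.DNSRoot -DomainMode $targetDomain -Confirm:$true
}

# Re-read from the PDC emulator so we see the committed values, not a stale replica.
$pdc = $domain.PDCEmulator
"After: forest = {0}, domain = {1}" -f (Get-ADForest -Server $pdc).ForestMode, (Get-ADDomain -Server $pdc).DomainMode
```

One caveat worth checking before you run it: a forest level cannot be lowered below what an enabled optional feature requires. The Active Directory Recycle Bin, for instance, needs the Windows Server 2008 R2 forest level, so a forest with it enabled can only be lowered to that level and Set-ADForestMode will refuse to go further.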


If you have any questions feel free to contact me on

Compacting DHCP database using Jetpack.exe

Like any other database, the DHCP server database also needs periodic maintenance to keep up performance and availability. In large infrastructures the DHCP database can grow fast. As we do for other databases, the DHCP server DB can also be compacted. Microsoft recommends doing this for any database larger than 30 MB.

Back in the Windows NT days Microsoft introduced a utility called “Jetpack” which can be used to compact WINS and DHCP databases. This tool is still available even on Windows Server 2012 R2.

In this demo I will show how we can compact the database. The compaction process happens in 3 steps.

1)    Copy the running DHCP database into a temporary database.
2)    Delete the original DHCP DB.
3)    Rename the temporary database to the original database file name.

Please note that to do this we first need to stop the DHCP server, so make sure to plan for the downtime.

In this demo I am using a Windows Server 2012 R2 server which is joined to the domain. It holds the DHCP server role for the network.

1)    Log in to the server as Domain admin or Enterprise Admin.
2)    Open a command prompt as admin


3)    Then type cd %systemroot%\system32\dhcp


4)    Then type net stop dhcpserver. It will stop the DHCP server.


5)    Then type jetpack.exe dhcp.mdb tmp.mdb


Well, this is the interesting part: if you do not have the “WINS Server” feature installed on the server, you will get an error like 'jetpack' is not recognized as an internal or external command, operable program or batch file.
Unfortunately, jetpack only comes with the WINS Server package, so you need to add it if you do not have it.


6)    Finally type net start dhcpserver to start the DHCP server.
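The six steps above wrapped into one script, as an added example that is not part of the original post. It adds the checks an admin wants around a database rewrite: it verifies jetpack.exe is present before stopping anything, skips the job when the file is below the 30 MB figure quoted earlier, backs up the DHCP folder once the service is stopped and the files are unlocked, and restarts the service even if Jetpack fails.

```powershell
# Added example (not from the original post): Jetpack compaction with checks.
# Run from an elevated PowerShell prompt on the DHCP server.
$dhcpDir = Join-Path $env:SystemRoot 'system32\dhcp'
$db      = Join-Path $dhcpDir 'dhcp.mdb'
$minMB   = 30    # Microsoft's "larger than 30 MB" recommendation quoted above

# jetpack.exe ships with the WINS Server feature; fail early with a clear message.
if (-not (Get-Command jetpack.exe -ErrorAction SilentlyContinue)) {
    throw 'jetpack.exe not found. Install the WINS Server feature first (Install-WindowsFeature WINS).'
}

$sizeMB = (Get-Item $db).Length / 1MB
if ($sizeMB -lt $minMB) {
    "dhcp.mdb is {0:N1} MB, below the {1} MB threshold; nothing to do." -f $sizeMB, $minMB
    return
}

Stop-Service -Name DHCPServer -Force          # same as 'net stop dhcpserver'
$backup = Join-Path $env:TEMP ('dhcp-backup-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
try {
    # Back up the whole DHCP folder now that the files are no longer locked.
    Copy-Item -Path $dhcpDir -Destination $backup -Recurse
    Push-Location $dhcpDir
    # Jetpack copies dhcp.mdb into tmp.mdb, deletes the original and renames tmp.mdb back.
    & jetpack.exe dhcp.mdb tmp.mdb
    if ($LASTEXITCODE -ne 0) {
        throw "jetpack.exe failed with exit code $LASTEXITCODE; the backup is in $backup"
    }
}
finally {
    Pop-Location -ErrorAction SilentlyContinue
    Start-Service -Name DHCPServer             # same as 'net start dhcpserver'
}

"dhcp.mdb is now {0:N1} MB (was {1:N1} MB). Backup: {2}" -f ((Get-Item $db).Length / 1MB), $sizeMB, $backup
```

Install-WindowsFeature is the Server 2012 cmdlet used in the post's demo environment; on Windows Server 2008 R2 the equivalent is Add-WindowsFeature from the ServerManager module.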


If you have any questions feel free to contact me on

Tools to help with group policy design

Designing group policies for an organization can get complex. It can create chaos, as it is sometimes very hard to revert changes pushed to workstations by group policies, especially those which involve registry value changes. So proper design is very important.

There are some tools/features in GPO management which can help with designing, testing or troubleshooting group policies. Please note that none of these are recommended as permanent solutions to fix group policy design issues.

Block Inheritance

Any GPO set up at a higher level in the GPO structure automatically applies to the lower levels in the model. For example, the “Default Domain Policy” is by default at the highest level in the structure, so any changes done to it (which is not recommended) also apply to the lower levels in the hierarchy.

In the following screenshot, you can see that the Default Domain Policy is automatically inherited by the “Test OU” I have created.


We can disable this inheritance. To do that, right click on the OU on which we need to block inheritance and click “Block Inheritance”.


Once it’s done, we can no longer see the Default Domain Policy which was inherited.


Enforced Policies

Using the Enforced option we can force policies to apply at lower levels in the hierarchy. For example, let’s assume we have two policies called Policy A and Policy B at a high level in the hierarchy. At a lower level some OUs have blocked policy inheritance, so by default these 2 policies will not apply to those OUs. But we still need to push Policy A to everyone in the organization no matter what. By enforcing the policy we can push it even to the OUs which use Block Inheritance.

To enforce a policy, right click on the policy you need to enforce and click on “Enforced”.


Then we can see in Test OU that it is inherited even though the OU uses the Block Inheritance option.


Loopback Processing

As we know, we can apply group policies based on the user object or the computer object in Active Directory. But on some special occasions we need to consider only the policies based on the computer object. For example, in a library or public lab many users may use the same computer. In that case the computer should stay the same for every user; it should not change based on the user policies, and should only use the computer policies applied to it.

In Group Policy Management, start editing the policy you would like to configure with loopback processing. Under Computer Configuration\Policies\Administrative Templates\System\Group Policies\ double click on the option “Configure user Group Policy loopback processing mode”.


There are 2 modes we can use with it.

Replace – This will not consider the user policies at all. It will only apply the computer GPO.
Merge – In this mode it will consider both user and computer policies, but if there is any conflict it always uses the computer policies.
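The three GUI actions from this post (Block Inheritance, Enforced, loopback processing) done with the GroupPolicy module, plus a read-back of the resulting inheritance, as an added example that is not part of the original post. The OU path, the GPO names and the domain (canitpro.local, the demo domain used elsewhere on this page) are assumptions.

```powershell
# Added example (not from the original post): the same design tools via PowerShell.
Import-Module GroupPolicy

$domainDN = 'DC=canitpro,DC=local'                # assumed demo domain
$ou       = "OU=Test OU,$domainDN"                 # the "Test OU" from the post
$mustHave = 'Policy A'                             # the policy that must reach everyone
$labGpo   = 'Lab Computers'                        # GPO linked to the library/lab machines

# 1. Block inheritance on the OU (right-click > Block Inheritance).
Set-GPInheritance -Target $ou -IsBlocked Yes

# 2. Enforce the domain-level link of Policy A so it still reaches the blocked OU.
Set-GPLink -Name $mustHave -Target $domainDN -Enforced Yes

# 3. Loopback processing. The setting is stored as UserPolicyMode under
#    HKLM\Software\Policies\Microsoft\Windows\System: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $labGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2

# Read back: what is linked directly at the OU and what still arrives from above.
# Enforced links keep showing up in InheritedGpoLinks even though inheritance is blocked.
$inh = Get-GPInheritance -Target $ou
"Inheritance blocked on {0}: {1}" -f $ou, $inh.GpoInheritanceBlocked
$inh.InheritedGpoLinks | Select-Object DisplayName, Enforced, Order | Format-Table -AutoSize
```

Running the last three lines before and after each change is the quickest way to see exactly what the screenshots in this post show, and it is also what you want in a change record when one of these "temporary" tools is later found still in place.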

If you have any questions about the post feel free to contact me on

Group Policy Slow Link Detection

In an Active Directory infrastructure, we use group policies to push security settings and other computer configuration from a central location. They can be applied at computer level or user level. In an organization it’s important to maintain a proper design for group policies and their hierarchy, as complexity and the order of application can cause issues on the network.

This is very important when you deal with a multi-site environment, because group policies can become a bottleneck on the bandwidth between remote sites and the main site. This is something most administrators do not pay attention to. I agree it depends on the group policies and their use, but for example, let’s assume we have 10 group policies to apply to users in a remote site, and the link between the locations is 512kb. Just imagine 100 workstations logging on in the morning and processing these group policies: how much bandwidth will be used? Also, what about a user who logs on from a remote location? Can we expect they always get good speed?

Well, Microsoft has an answer for this. Before applying group policies to a workstation, it checks the connection speed from the distributing server to the workstation; by default any link speed below 500kbps is treated by Microsoft as a slow link. Once a slow link is detected, it automatically skips some of the group policy components. So if you are having issues getting all the group policies onto a workstation in a remote location (it can even happen in the local network if the NIC is maxed out due to its activities or a virus), this is one place to check.

Here is the list of components whose processing depends on slow-link detection (some are processed over a slow link and some are not):

    • Administrative Templates
    • Group Policy Preferences
    • 802.3 Group Policy
    • IE maintenance
    • Internet Explorer Zone Mapping
    • IP Security
    • QoS Packet Scheduler
    • Microsoft Offline Files
    • Software Restriction Policies
    • Windows Search
    • Deployed Printer Connections
    • Disk Quotas
    • Folder Redirection
    • Software Installation

How to change this default limit?

We can change the default limit as per our infrastructure needs. To do this,

Log in to the DC server as the domain admin or enterprise admin.

Then go to Server Manager > Tools > Group Policy Management


Then go to the relevant policy, right click on it and select Edit.


This setting can be changed at computer configuration level or user configuration level. Both are located under the same path: Policies\Administrative Templates\System\Group Policy

In here there is an option called Configure Group Policy slow link detection.


Double click on it to change it. By default it is in the Not Configured state. Even if you disable it or leave it not configured, the system still detects any link below 500kbps as a slow link.


Once it is enabled, you can set the speed in kbps (kilobyte per second).


If you set the speed to 0 it will disable this feature. We can also force the system to treat all WWAN connections as slow links.
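The same change made from PowerShell, plus the check that tells you on a workstation whether its last policy refresh was classified as a slow link. This is an added example, not part of the original post; the GPO name and the 256 threshold are assumptions. The policy setting is stored as the registry value GroupPolicyMinTransferRate under the Policies\Microsoft\Windows\System key, in HKLM for the computer side and HKCU for the user side.

```powershell
# Added example (not from the original post): set the slow-link threshold in a
# GPO for both sides, then inspect the client's decision in the GP operational log.
Import-Module GroupPolicy
$gpoName = 'Remote Site Baseline'   # assumption
$kbps    = 256                      # assumption; 0 would disable slow-link detection, as described above

# Computer Configuration side of "Configure Group Policy slow link detection".
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'GroupPolicyMinTransferRate' -Type DWord -Value $kbps

# User Configuration side: same value name, same path under HKCU.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'GroupPolicyMinTransferRate' -Type DWord -Value $kbps

# On a client (Windows 7 / Server 2008 R2 or newer), after 'gpupdate /force':
# event 5327 carries the bandwidth estimate and event 5314 whether the link was
# treated as fast or slow, so you can see which components were skipped and why.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Id = 5314, 5327 } -MaxEvents 10 |
    Select-Object TimeCreated, Id, Message | Format-List
```

Reading the two events side by side is the quickest way to confirm the case described above: a workstation on the local network whose NIC is saturated will show an estimate well under the threshold and a "slow link" decision even though the WAN is not involved.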

If you have any questions about the post feel free to contact me on

How to change the UPN (User Principal Name) suffix for the entire domain?

In an organization, a company may need to use multiple UPN suffixes for its operations. I wrote an article before explaining how to add multiple UPN suffixes to the domain. You can read it from

There are situations where you will need to do a mass UPN suffix change. One of the recent challenges I faced was changing a domain name suffix ending with .local to a public domain name ending with .com, because I was working on Azure AD integration with the local AD, and it only supports public domain names. In my case it was only a few users since it was a demo, but what happens if you need to change it for hundreds of users? If you use the manual method it will take ages to complete.

In the following demo I am going to show how it can be done using a PowerShell script.

In AD I have 3 users under “Test OU” called user1 to user3. All 3 are using canitpro.local as the UPN suffix.


I need to change all users to the UPN suffix “”.

To do that, open PowerShell ISE with appropriate admin permissions.


Then type the following and press Enter:

Import-Module ActiveDirectory
$oldSuffix = "canitpro.local"   # the UPN suffix being replaced
$newSuffix = ""                 # the new UPN suffix to apply
$ou = "DC=canitpro,DC=local"    # search base: a specific OU or the whole domain
$server = "DCM1"                # DC the changes are written to
Get-ADUser -SearchBase $ou -filter * | ForEach-Object {
    $newUpn = $_.UserPrincipalName.Replace($oldSuffix,$newSuffix)
    $_ | Set-ADUser -server $server -UserPrincipalName $newUpn
}

In the above, $oldSuffix represents the old domain UPN suffix. $newSuffix represents the new UPN suffix it should change to. $ou represents the search path; you can use a specific OU or the entire domain (I used the entire domain for the demo). $server represents the DC server name.


Now, let’s go and check if it’s changed. As we can see, it has changed to the new suffix.
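A safer variant of the bulk change above together with the verification step, as an added example that is not part of the original post. It touches only accounts that actually carry the old suffix, replaces the suffix only at the end of the UPN (the .Replace() call above would also rewrite a matching string earlier in the name), supports a dry run, warns if the new suffix is not registered in the forest, and finally counts what is left on the old suffix. The domain, OU and server are the post's demo values; $newSuffix must be filled in.

```powershell
# Added example (not from the original post): filtered, previewable UPN suffix change.
Import-Module ActiveDirectory
$oldSuffix = 'canitpro.local'
$newSuffix = ''                       # fill in the new public suffix
$ou        = 'DC=canitpro,DC=local'
$server    = 'DCM1'
$dryRun    = $true                    # set to $false to apply the change

if (-not $newSuffix) { throw 'Set $newSuffix before running.' }

# The suffix should be one of the forest's registered UPN suffixes (or the root domain name).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $newSuffix -and $forest.RootDomain -ne $newSuffix) {
    Write-Warning "'$newSuffix' is not registered as an alternative UPN suffix in the forest."
}

# Only accounts that still carry the old suffix; the filter runs server-side.
$users = Get-ADUser -Server $server -SearchBase $ou -Filter "UserPrincipalName -like '*@$oldSuffix'"

foreach ($u in $users) {
    # Anchored replace: only the suffix after the '@' is changed.
    $newUpn = $u.UserPrincipalName -replace ('@' + [regex]::Escape($oldSuffix) + '$'), "@$newSuffix"
    if ($dryRun) {
        '{0,-20} {1} -> {2}' -f $u.SamAccountName, $u.UserPrincipalName, $newUpn
    } else {
        Set-ADUser -Identity $u -Server $server -UserPrincipalName $newUpn
    }
}

# Verification: once $dryRun is $false this should report 0.
$left = @(Get-ADUser -Server $server -SearchBase $ou -Filter "UserPrincipalName -like '*@$oldSuffix'")
"Accounts still using @{0}: {1}" -f $oldSuffix, $left.Count
```

Writing all changes against one DC ($server) and verifying against the same DC avoids a false "nothing changed" result caused by reading from a replica that has not yet received the updates.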


If you have any questions about the post feel free to contact me on

How to allow/prevent domain users from joining workstations to the domain?

In an Active Directory domain environment, by default any authenticated domain user can add workstations to the domain up to 10 times. But there are situations where you may need to increase this limit or disable it completely.

For example, let’s assume an employee brings his laptop into the office and plugs it into the company network. Unless it is controlled via NPS (Network Policy Server) or network-level port protection, the user can simply add it to the company domain using his/her own user credentials. It’s definitely a threat to the organization’s network and data.

In another example, let’s assume we restructured the company domain hierarchy and need to move to a different domain. If the company has 500+ workstations it will take days to move them to the new domain. But if we adjust this limit we can get help from department leads and managers with the process without delegating permissions.

So based on the requirement, let’s see how we can edit this limit. In the demo I am using a domain controller which runs Windows Server 2012 R2, but the same steps can be used in a Server 2008 environment as well.

Note – This limit does not apply to any user account which is a member of the Domain Admins or Enterprise Admins group.

1)    Log in to the DC server as domain admin or enterprise admin.
2)    Go to Server Manager > Tools > ADSI Edit


3)    In the console, expand Default naming context and select the correct domain (in a forest there can be different domains depending on the configuration).


4)    Then right click on it and select “Properties”.


5)    Once the list is open, find the attribute called ms-DS-MachineAccountQuota. This is the attribute responsible for the above limit. By default it is set to 10. If you set it to 0 it will disable this limit; otherwise the value can be adjusted based on the requirements.


6)    Once done, click OK until you exit the popup window.
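The same attribute read and changed with the ActiveDirectory module instead of ADSI Edit, followed by the check that makes the first scenario above visible: which computer objects were joined under this quota rather than by an administrator. This is an added example, not part of the original post. When a non-admin uses the quota to join a machine, AD records the joining user's SID in the computer object's mS-DS-CreatorSID attribute; objects created by admins or delegated accounts leave it empty, so listing it is a quick inventory of self-joined machines. The target value 0 follows the post's description of disabling the limit.

```powershell
# Added example (not from the original post): inspect/set the quota and list
# computers that were joined under it.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName

$current = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"Current ms-DS-MachineAccountQuota: $current (default is 10)"

# 0 disables joins by ordinary users; Domain/Enterprise Admins are unaffected either way.
$newQuota = 0
Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = $newQuota }

# Inventory: computer objects that carry a creator SID were joined via the quota.
Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID', whenCreated |
    Where-Object { $_.'mS-DS-CreatorSID' } |
    ForEach-Object {
        $raw = $_.'mS-DS-CreatorSID'
        # The module may hand the attribute back as a SID object or as raw bytes.
        $sid = if ($raw -is [System.Security.Principal.SecurityIdentifier]) { $raw }
               else { New-Object System.Security.Principal.SecurityIdentifier($raw, 0) }
        $who = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        [pscustomobject]@{ Computer = $_.Name; JoinedBy = $who; Created = $_.whenCreated }
    } |
    Sort-Object Created -Descending | Format-Table -AutoSize
```

Lowering the quota does not remove machines that were already joined, which is why the inventory matters: review that list, and move the ones you keep to a proper OU with delegated join rights instead of relying on the quota.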

This is the end of the post and if you have any questions feel free to contact me on

Domain In-Place Upgrade Method

It is important to keep domain environments running on the latest versions. It allows organizations to use the new features and enhancements available in the newer directory services. Typically, when we upgrade from an old DC to a new version, we add a new server or servers to the same network and join them to the existing forest/domain. Then we promote them as DCs and move the roles to the new systems. Later we demote the old DC, and once all legacy domain controllers are demoted we raise the forest and domain functional levels. This is the seamless and preferred method, and we call it the swing-server upgrade method.

But due to budget or resource limitations, not all organizations can go with the swing-server upgrade method. This can be addressed using the in-place upgrade method, in which we upgrade the operating system of the running domain controller.

The currently available in-place upgrade path is from Windows Server 2008 or Windows Server 2008 R2 to Windows Server 2012 or Windows Server 2012 R2. In the following table you can find the versions each edition can be upgraded to. Please be aware that you can’t use an in-place upgrade from Windows Server 2003 or from 32-bit versions of Windows Server 2008 to Windows Server 2012; if you need to upgrade from those versions you must use the swing-server method. Also, Windows Server 2008 R2 Server Core to Windows Server 2012 Server Core is not supported for in-place upgrade.

| Current Version | Version that can upgrade into |
| --- | --- |
| Windows Server Standard 2008 with SP2, Windows Server Enterprise 2008 with SP2 | Windows Server 2012 Standard or Datacenter |
| Windows Server Datacenter 2008 with SP2 | Windows Server 2012 Datacenter |
| Windows Web Server 2008 | Windows Server 2012 Standard |
| Windows Server Standard R2 2008 with SP1, Windows Server Enterprise R2 2008 with SP1 | Windows Server 2012 Standard or Datacenter |
| Windows Server Datacenter R2 2008 with SP1 | Windows Server 2012 Datacenter |
| Windows Web Server 2008 R2 | Windows Server 2012 Standard |

Once the upgrade is completed you need to manually raise the forest and domain functional levels.

Before an in-place upgrade it is important to consider the following points:

1)    Hardware Requirements – Before the upgrade, make sure the current hardware setup supports the new operating system. Verify the free disk space on the server. It is recommended to have at least 20% free space on the partition / disk which holds the Active Directory database.
2)    Application Compatibility – Sometimes a DC server also runs other applications for the company (even though it is not recommended). So before the upgrade you must make sure those are compatible with the new operating system and DC.
3)    Downtime – During the upgrade process the domain services will be down, so you need to prepare for the downtime.
4)    Permissions – You must have Domain Admin or Enterprise Admin rights to proceed with the upgrade.
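A pre-flight script for the four points above, to be run on the DC that is going to be upgraded in place. It is an added example, not part of the original post. It checks the source platform against the supported path described above (64-bit Windows Server 2008 / 2008 R2, not Server Core), measures free space on the volume holding the AD database using the 20% figure from point 1, lists the other roles hosted on the DC for point 2, shows which FSMO roles will be unavailable during the downtime of point 3, and checks the group membership required by point 4. The Server Core test (absence of explorer.exe) is a heuristic.

```powershell
# Added example (not from the original post): in-place upgrade pre-flight checks.
$os   = Get-WmiObject Win32_OperatingSystem
$ver  = [version]$os.Version
$core = -not (Test-Path (Join-Path $env:SystemRoot 'explorer.exe'))   # heuristic

# 1. Platform: 64-bit Windows Server 2008 (6.0) or 2008 R2 (6.1), not Server Core.
$okSource = ($ver.Major -eq 6 -and ($ver.Minor -eq 0 -or $ver.Minor -eq 1)) -and
            ($os.OSArchitecture -eq '64-bit') -and (-not $core)
"OS: {0} {1}, {2}, core={3} -> supported in-place source: {4}" -f `
    $os.Caption.Trim(), $os.Version, $os.OSArchitecture, $core, $okSource

# 1b. Free space on the volume holding the AD database (path from the NTDS service parameters).
$dbPath  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
$vol     = Get-WmiObject Win32_LogicalDisk -Filter ("DeviceID='{0}'" -f $dbPath.Substring(0, 2))
$freePct = [math]::Round(100 * $vol.FreeSpace / $vol.Size, 1)
"AD database {0}: {1}% free on {2} (recommended >= 20%) -> {3}" -f $dbPath, $freePct, $vol.DeviceID, ($freePct -ge 20)

# 2. Application compatibility: anything else installed on the DC needs its own check.
Import-Module ServerManager
$extraRoles = Get-WindowsFeature | Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' -and $_.Name -ne 'AD-Domain-Services' }
"Other roles on this DC: {0}" -f (($extraRoles | ForEach-Object { $_.Name }) -join ', ')

# 3. Downtime: FSMO roles held here are unavailable for the duration of the upgrade.
"FSMO roles on this DC:"
netdom query fsmo | Where-Object { $_ -match [regex]::Escape($env:COMPUTERNAME) }

# 4. Permissions: the account must be a member of Domain Admins or Enterprise Admins.
$groups  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
           ForEach-Object { try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value } }
$isAdmin = [bool]($groups -match '\\(Domain Admins|Enterprise Admins)$')
"Running as Domain/Enterprise Admin: {0}" -f $isAdmin
```

If the FSMO check shows roles on this DC, transferring them to another DC for the duration of the upgrade keeps the rest of the domain functional while this server is offline, which is the main thing the downtime planning in point 3 is about.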

Known issues – please refer to find out about the known issues for in-place upgrade method.

This is the end of the post and if you have any questions feel free to contact me on

Image source: