Active Directory – Replication issues after promoting new 2012 R2 DC

This week i’ve set up the first Windows 2012 R2 domain controller at a customer. All worked good and looked fine. But when i had to create two new user accounts i found out that these two accounts weren’t replicated to the new domain controller, i’ve just set up a day erlier, nor to another domain controller in another site. I discovered also that the NTDS settings and replication topology wasn’t complete. The new domain controller had not a single connection to active directory domain services. The customer has two sites which are connected over a leased line. Both sites have their domain controllers. Those new user accounts i’ve created on an existing Windows 2008 R2 domain controller.

After nearly two days of testing and troubleshooting the problem seems to be solved. All domain controllers are replicating and talking with each other domain controllers. When i create a user account it will show up instantly on all other domain controllers. Also the replication topology is now looking good. KCC generated the missing topology now automatically, which wasn’t the case directly after the new domain controller was on duty.

I want to provide you some information about this issue and how i solved it. Probably it will help you solving your Active Directory replication issues. And if not i hope it will be at least something you can check if this patricular thing is ok and help you with troubleshooting.

Read moreActive Directory – Replication issues after promoting new 2012 R2 DC

Microsoft Active Directory – Desktop Shortcuts with Group Policy

A really cool feature in Microsoft Active Directory is the  Group Policy (or Group Policies in general). With Group Policies you can install (small) software packages, set the Internet Explorer start page, set wallpapers, execute scripts on user or computer security context and many things more. You can also deploy specific desktop icons for a user or a user group. Hence this blog post will show you how you deploy simple desktop shortcuts to a users desktop.

The group policy

If you have some specific applications in your company (for example a simple timesheet application) which your users should use, then you can create a group policy or a group policy preference respectively to deploy this desktop shortcut.

  1. In Group Policy Management, create a new group policy object (GPO) in the “Group Policy Objects” folder.
  2. Right click this newly created GPO and select “Edit…”.
  3. Navigate to “User Configuration => Preferences => Windows Settings => Desktop”
  4. Right click the “Desktop” object and select “New => Shortcut”
    Group Policy - Shortcuts

  5. Now set all the configuration details of your application shortcut in the next dialog box.
    Group Policy - Shortcut Target Type

    Note: Please be aware of the “Target type” setting. If the shortcut has to be an application shortcut, you have to choose “File System Object”. As default it’s set to “URL” and thus creates only a shortcut for a website. Therefore if your user wants to open this shortcut, Internet Explorer (or the default browser) opens with a “cannot display this website” message instead of the application.

  6. On the “Common” tab check if this group policy preference should run in logged-on user’s security context or not.
    Group Policy - Shortcuts Security Context

    Note: If you set the „Location“ to „Desktop“ then you should make sure on the „Common“ tab the check box „run in logged-on user’s security context“ is set, because the shortcut will be published on the users own desktop. If you whish to deploy a shortcut to the „All Users“ profile then you have to set the target to „All Users Desktop“ and also uncheck the box to run this group policy preference in logged-on user’s security context. Usually a normal user doesn’t have access to all users profile, but the system account, which runs this group policy preference, has access to it.

  7. Now click Apply / OK and close this dialog box.

As the last step, back in GPO Management, link the created GPO with the Organizational Unit in which your users reside.

Now your users have only to restart the computer or do a single log-off log-on. So they will receive the newly created desktop shortcut.

Microsoft Active Directory – Change UPN for all users


change UPNToday i had to change the UPN (User Principal Name) for a whole company. Well, go through each user account in Active Directory, change the UPN the way it has to be, and you’re done. That would be the way if you want to do it manually. And this is a slow way. For sure, if there are only five users or so you’re good to go. But what when there are dozens of user accounts? Perhaps in different organizational units? At the present time, where everything in IT has to be quick and fast and with the least amount of effort, you can do it more clever.

Well, that was some challange to find it out. But as often, Powershell is your friend. With few lines of code, fully customizable, you can change the UPN for all users within an organizational unit. So you will save time, because you just have to change the OU in the script.

The change UPN script

[code language=”powershell”]
Import-Module ActiveDirectory
Get-ADUser -Filter * -SearchBase " Users,OU=LAB-Users,DC=lan,DC=driftar,DC=com" | ForEach {
$UpdatedUPN = $_.GivenName + "." + $_.SurName + ""
Set-ADUser $_.samAccountName -UserPrincipalName $UpdatedUPN

What does the script?

The script searches within the organizational unit specified for the user accounts, combines givenname and surename with the domain prefix, and changes then the UPN for all the user accounts withing this organizational unit. In this example the new User Principal Name for a user will be “” (for example


To be honest it was some time needed to search for the right script parameters and test it out, to make sure everything works. But you don’t do that every time. You can save this script and customize it every time for the customer you work for. It’s a quick way to change the UPN, and it’s an easy way to save time.

Windows Server 2012 – Lernen mit Virtual Labs

Windows Server 2012Windows Server 2012, das neuste Server-Betriebssystem aus dem Hause Microsoft wurde im September 2012 veröffentlicht. Es ist das Nachfolgesystem für Server 2008 R2 und bietet viele Neuerungen.

So ist es neben einer Vollinstallation auch möglich, eine sogenannte Core-Installation durchzuführen, also ein Setup gänzlich ohne grafische Oberfläche. Doch neben der Core-Installation lässt sich auch ein Minimum an GUI installieren, sodass man zumindest den Server-Manager drauf hat, damit man die ersten Setup-Schritte auch direkt am Server abschliessen kann.

Generell empfiehlt Microsoft die Server in der Core-Version zu installieren, um sie remote über den Server-Manager zu installieren. Mit der Core-Installation minimiert man die Angriffsfläche des Servers, da wesentliche Komponenten wie Windows Explorer und Internet Explorer nicht installiert sind. Sämtliche Rollen und Features des Servers lassen sich bequem remote installieren, sodass nur das notwendigste an Bord ist. So lassen sich die Neustarts wegen Updates minimieren, der Server läuft schneller und noch stabiler.

Der Vorteil der Remote-Administration über den Server-Manager ist jedoch nicht nur Sicherheit. Über den Server-Manager lassen sich Aufgaben und Konfigurationen parallel auf diversen Servern starten. Möchte man also bspw. auf mehreren Server die Rolle des Print-Servers installieren, geht das bequem über den Server-Manager parallel auf allen ausgewählten Servern. Die Server können im Server-Manager auch in Gruppen zusammengefasst und die entsprechenden Aufgaben und Tasks auf diese Gruppen angewendet werden.

Für diejenigen welche sich mit Windows Server 2012 noch nicht gross beschäftigt haben, und natürlich auch für die Profis unter uns, bietet Microsoft sogenannte Virtual Labs an. Virtual Labs sind vorinstallierte und -konfigurierte Server, welche sich remote verwalten lassen. Mit diesen Labs kann man bestimmte Übungen durcharbeiten, um z.B. die Verwaltung über PowerShell kennen zu lernen, oder um zu wissen was Storage Spaces sind.

Die Virtual Labs können kostenlos und ohne Registrierung genutzt werden. Voraussetzung ist lediglich eine Internetverbindung.

Quellen zu Windows Server 2012: