When demoting a 2003 domain controller using dcpromo, you may run into the following error:
The error message is quite misleading: the real cause has nothing to do with NETLOGON, but is in fact a DNS issue. You will most likely have the server's primary DNS pointing to itself, using the loopback address (127.0.0.1) or its own IP address.
You can correct the issue by pointing DNS at the remaining domain controllers and removing any DNS entries that point to the server itself (i.e. the loopback address or any other IP owned by the server being demoted).
There are two ways to see which Certificate Authority servers exist in your AD domain.
The AD group Cert Publishers contains the servers that are permitted to publish certificates to AD. As a consequence, this group will contain all servers that are CAs.
You can use the certutil command to view (and select from) a list of CAs in the current AD domain:
certutil -config - -ping
Note: type the command as-is, including all spaces and hyphens.
A window will appear, listing the CA name and the server it runs on.
It has always been a bit tedious to manage and customize Internet Explorer through group policies, especially when your network has different versions of Windows and/or different versions of Internet Explorer.
To reduce the complexity of maintaining Internet Explorer in a network, Microsoft has long made available the Internet Explorer Administration Kit (IEAK). This tool allows you to exert more control over Internet Explorer, its settings and its behaviour.
More information and the IEAK download: https://technet.microsoft.com/en-us/ie/bb219517.aspx
A bit of a hidden feature in Windows 8: you can actually "quit" Windows Explorer.
Right-click the (empty) taskbar while holding down Ctrl+Shift to reveal Exit Explorer as an additional menu item. Clicking it will then end Windows Explorer, leaving you with a blank screen, same as ending explorer.exe from the task manager.
You can then call up task manager (Ctrl+Shift+Esc), and start Windows Explorer again (File > Run > explorer.exe).
When attempting to log on with a domain account on a computer joined to a domain that has both 2012R2 and 2003 domain controllers, you may encounter the following error:
Additionally, an Event ID 4 on Source: Kerberos is logged. You can only log on using local accounts.
Mixed 2012R2 and 2003 AD environments require hotfix 2989971 to be installed on every 2012R2 DC. See the KB for a full explanation.
By default, it is not possible to specify passwords (the SecureString type) directly as a plain-text cmdlet parameter because it is insecure to do so (and they are right). But sometimes there's no other way to run a cmdlet than by specifying the password as plain text. Luckily, there's an easy workaround: convert the plain text and store the password in a SecureString object.
$pw = ConvertTo-SecureString -String "your-pw" -AsPlainText -Force
You can then use the $pw object to specify the password in a cmdlet.
For example: resetting the password of an AD account:
Set-ADAccountPassword -Identity my-account -Reset -NewPassword $pw
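The same reset wrapped so that no password literal has to sit in the script file, as an added example that is not part of the original page. The function name Reset-DomainAccountPassword and the environment variable NEW_ACCOUNT_PW are assumptions made for illustration; Set-ADAccountPassword needs the ActiveDirectory module.

```powershell
# Added example (hypothetical helper, not from the original page).
function Reset-DomainAccountPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$Identity,

        # Optional plain-text input for unattended runs; omit it to be prompted.
        [string]$PlainTextPassword
    )

    if ($PlainTextPassword) {
        # The conversion from the page, fed from a variable instead of a literal.
        $pw = ConvertTo-SecureString -String $PlainTextPassword -AsPlainText -Force
    }
    else {
        # Interactive path: input is masked and never exists as a [string].
        $pw = Read-Host -Prompt "New password for $Identity" -AsSecureString
    }

    try {
        if ($pw.Length -eq 0) {
            throw 'Empty password refused.'
        }

        # -WhatIf / -Confirm on this function gate the actual change.
        if ($PSCmdlet.ShouldProcess($Identity, 'Reset AD account password')) {
            Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $pw -ErrorAction Stop
        }
    }
    finally {
        # Release the protected buffer as soon as the cmdlet has returned.
        $pw.Dispose()
    }
}

# Interactive use: prompts for the new password.
# Reset-DomainAccountPassword -Identity my-account

# Unattended use: the job runner sets NEW_ACCOUNT_PW (assumed name) for this process.
# Reset-DomainAccountPassword -Identity my-account -PlainTextPassword $env:NEW_ACCOUNT_PW -WhatIf
```

The SecureString conversion only satisfies the parameter type; wherever the plain text came from (script, variable, environment) still holds it and needs its own access control.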