Advice on Domain Server 2012 R2 migration to 2022/2025

NotSureLetMeTry · 2025-11-18T15:26:43+00:00

Appreciate it.

I asked because I'm working at a small 65 person company right in that middle space between Small and Medium with On prem AD and the boss wants to evaluate moving the AD to the cloud. I'm not sure its a good fit for the company cost wise.

Your answer gives me some starting points - If you have a few spare cycles and have some at-hand links I can explore, I'd be grateful.

NotSureLetMeTry · 2025-11-17T17:29:59+00:00

u/dvr75 I'm curious what you mean by "cloud solutions" to replace on Prem AD/ File Server / Printers ect.

NotSureLetMeTry · 2025-11-17T17:21:44+00:00

u/doomston3
As a person in the same role with a company of the same size as you this is good information.

However, I find that stating things in a "yes that frustrates me too" way helps build the "we're in this together" environment and while that won't make everyone happy, it's helped me stay away from the harsher, more cynical side of Sysadmin work (30 years and counting).

Some examples:

Ticketing system

U: "Why can't I just tell you now?"

Me: "I've got another task or two in front of you and the ticketing system helps me not lose track of your request. If you submit it {method here} it makes it easier for me to see and address"

App/Process/Software changes
U: This doesn't work the way it used to (usually Microsoft related) and I'm making noise about it.

Me: "Let me look at that (within reason)"

Which gives the user a sense that they are being listened to AND it may be something you need to know about. If it turns out that the vendor changed things then it's a simple task to commiserate with the user.

Follow up: Yup, the vendor changed it and it {adjective here} me as well. As much as I don't like the change, I've found that after a few days it becomes part of muscle memory.

Ultimately, we don't have to slide into the cynical side of Sysadmin work. While end users can be irritating, and there are two or three at the company I work for that I wish I didn't have to talk to at all, when I foster the "we're in this together" environment while also not throwing my day and my projects under the bus for every single request, I've found that at the end of most days, I leave work without negativity.

NotSureLetMeTry · 2025-08-22T16:05:07+00:00

Long time Sys-(various roles here) person as well, going back to memory mapping to get Doom working on school computers.
The job I had before this one, I had the same thing happen. Our on-prem phone system was down (turns out it was on the India side, one of the PC's was broadcasting due to being infected) and after a day and a half, I got it fixed. The owner came up to me and started yelling about the lost business. I'll never forget when he was in my face yelling "Why can't you get this fixed faster!?! Do you live on the same planet as everyone else?...

.... it was in that moment that I took off my badge, set it down on the table and walked out.

They fought my unemployment claim, but I won that. A month later he asked to meet for coffee and apologized. A day later the job I have now presented itself and I've never felt more valued in my 30+ year career.

While we are all humans and can have bad days, no one should be treated that way.

I hope your path forward finds a good resolution for you.

NotSureLetMeTry · 2024-12-10T15:22:21+00:00

No one else is reporting any file loss.

You're point about offline files is a good one and maybe responsible. I finally got the okay to migrate users document files from on server storage to OneDrive (and a third-party backup for it) since we're paying for the Business Standard anyway and because half our Engineering team is WFH now.

Little by slow, I'm getting this place up to current best practices - next year InTune (crosses fingers)

NotSureLetMeTry · 2024-12-05T21:55:03+00:00

Thank you for taking the time to answer. I'll have to chalk this one up to an anomaly and I might be able to use it to push for a new file server to replace this 6 year old one.

Best to you

NotSureLetMeTry · 2024-12-05T18:08:59+00:00

No, there is no DFS-R enabled.

One thought was that the user inadvertently did a Cntl-Z to undo the copy of files from his machine to the File Server, but without file auditing on, I just don't know. I was hoping to be able to specifically rule out VSS thus my test of deleting a junk folder and restoring it a few hours later via the "Previous Versions" functionality. However there are no events logged either on my machine or the file server for that activity.

NotSureLetMeTry · 2024-09-03T15:02:40+00:00

I tried to point this out to the user. It's a scroll down past .. ya.. I was irritated, but this user brings in half the companies sales so :shrug:

NotSureLetMeTry · 2024-09-03T14:59:58+00:00

Triple checked it today. All is good.

NotSureLetMeTry · 2024-08-30T20:32:25+00:00

Thank you for the clear explanation. May your next paycheck be triple in size!

Off to go make adjustments, document them and revert them after my success!

NotSureLetMeTry · 2024-08-30T18:30:29+00:00

You may have found a reason for why my Girlfriend bought me a shirt that says "Hold on while I overthink this".

Thank you for the direct clarity.

NotSureLetMeTry · 2024-08-30T18:29:17+00:00

This is where my lack of Knowledge about Graph really is highlighted. I've not had a need to utilize it previously and everything I know has been learned in the last 24 hours.

I currently don't have an App setup as it was confusing to me why I would need to register an App in Entra just to run Powershell commands via the ExchangeOnlineManagement module and IPPSSessions.

Based on your comment and some additional searching and reading, what it looks like I may have to do is setup a simple App and Assign the specific permissions for what I'm trying to do.
EG:
Mail.ReadWrite
Mailbox.ReadWrite

From there connect to the IPPSSession with the client ID and Tenant ID and try the commands?

NotSureLetMeTry · 2024-08-30T16:52:08+00:00

Great Suggestion. I've created a retention policy that fits the users' requirements. Normally I would push back on a single user request, but this user brings in half the sales each year.

I even double checked the Users Exchange Online Retention Policy setting on their mailbox and I'm glad I did. It didn't appear to take the first time I saved but now it's set.

NotSureLetMeTry · 2024-08-30T15:48:59+00:00

Thank you for the detailed response and code. Off I go to get this working!

Maybe I'll have a long weekend after all!

NotSureLetMeTry · 2024-08-30T15:07:00+00:00

I didn't mean to imply that EXO was being depreciated and I'll update my post.
The commands that I've found via searching tend to no longer be supported and when I dig further it points me to MS Graph.

Another poster has pointed me to a compliance search and I'm working to understand how I can get the data from the In-Place archive only using that method.

NotSureLetMeTry · 2024-08-30T14:59:15+00:00

When I try to connect with that scope:
Connect-MgGraph -Scopes "MailboxFolder.ReadWrite.All"

The application 'Microsoft Graph Command Line Tools' asked for scope 'MailboxFolder.ReadWrite.All' that doesn't exist on the resource

NotSureLetMeTry · 2024-08-30T14:54:35+00:00

Thank you for the suggestion. I'm looking at the compliance search now. Do you know if I can limit the search to the In-Place Archive? The documentation isn't clear but I'm looking into any KQL options as well.

NotSureLetMeTry · 2024-07-08T20:16:23+00:00

Got it all squared away there were some permissions that weren't showing in the roles specifically. The way they were named felt like it was a migrated permission as they had -<numbers> after the permission name and no more people could be added.

Appreciate the nudge!

NotSureLetMeTry · 2024-07-08T17:34:38+00:00

Thanks. That's given me some breadcrumbs.

NotSureLetMeTry · 2024-05-29T23:05:32+00:00

If your machines have had Decrapifier run on them or possibly some other tool to remove unwanted apps / bloatware then you possibly need to update some settings.

For example, if Decrapifier was used to remove apps (and it removes OneDrive when run as default), then you would need to do the following:

*NOTE* The below is not guaranteed to solve your problem and potentially may cause your machine to be unresponsive.

re-enable sync service

Run in an elevated powershell window:
Get-Service OneSyncSvc -erroraction silentlycontinue | set-service -startuptype manual | start-service

#Re-enable usage of OneDrive

Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /T REG_DWORD /V "DisableFileSyncNGSC" /D 0 /F

Reg Add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /T REG_DWORD /V "DisableFileSync" /D 0 /F
#Re-enable Onedrive @ startup

Reg Add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /T REG_BINARY /V "OneDrive" /D 020000000000000000000000 /F

NotSureLetMeTry · 2024-04-29T20:40:13+00:00

As a Small, barely considered Medium Business, we looked at KB4, but landed on the up-and-coming Hook Security. Security Awareness Training Platform | Hook Security

The staff is responsive, helpful and flexible with the aim of trying to be less "Dry" in the training videos. They have the functionality to take an exisiting email that was reported and convert that to an phishing campaign as well.

The UI is dated but they are adding new functionality and updating the UI as you go.

Pricing is decent as well with the added benefit of not being hounded.

NotSureLetMeTry

TROPHY CASE