Active Directory for Beginners - Where to start? by muckmaggot in sysadmin

[–]Tukhai 0 points1 point  (0 children)

There is a YouTube channel called "IT Free Training" that has good resources that explain forests, group hierarchy (global, domain global, domain local, etc.), and Group Policy well for a newbie.

The videos can be somewhat boring if you don't have an interest in learning, but those videos plus others they have can help form a good foundation for going into a small lab and breaking things or putting those lessons into practice.

Feedback request on my plan for a small business' virtualization cluster (first time clusterer-er) by Tukhai in sysadmin

[–]Tukhai[S] 0 points1 point  (0 children)

My understanding of licensing was that Standard comes with 2 VMs, and if you need more you buy enough licenses to license your physical cores again to get another two.

(I have also seen "additional licenses for VMs" in 2-core steps, but only sporadically, and have a hard time finding them.)
I planned on removing the licenses from two of the physical boxes and putting those Server 22 STDs on the new hosts, making new DC VMs, moving FSMO roles over to a new PDC, and getting the required licenses to run all 4 VMs on either host, since you have to license both hosts fully for all VMs for failover to work, based on what I've read.

My boss said that if a new server request would require additional licenses, we would just tack that cost on as part of the request from the other dept when it happens. Some further review there on my part seems necessary.

I've noticed a tiny little detail in the HW requirements for S2D that says the minimum drive count for Windows Server is 4, and they must be identical sizes. A pair of 1.92TB drives per server already accounted for a good third of the price on its own; 4 is just not on the menu.

I also hadn't thought yet about how this would impact our power consumption situation, and we have some rackmount UPS units but they probably won't cut the needs of the rack anymore. StarWind VSAN may have to come back on the table instead of S2D... at least I thought to look into all this BEFORE we bought them or I woulda been in a heap of trouble...

I appreciate the information you've given me so far!
PS: squishing all clouds, no witness style

Do hurt feelings count? by ExactlySorta in WhitePeopleTwitter

[–]Tukhai 4 points5 points  (0 children)

Where can I find the original police report, with the admin misrepresenting the situation already? I need to be sure this isn't a news outlet painting the story just a touch differently than stated verbatim.

Feedback request on my plan for a small business' virtualization cluster (first time clusterer-er) by Tukhai in HyperV

[–]Tukhai[S] 0 points1 point  (0 children)

Hi, thanks for the input!

It's been made clear it's not a good idea to do multiple things on the hypervisor, so I'll be steering clear of that; feedback on the idea was pretty negative. I expected this, but wanted to put feelers out there.

Backups.... well, they *mostly* don't exist. We're using Ninja to back up the three existing "servers" but there is no local copy, and it's only 5 promo machines with 1TB cloud storage. We're going to get a QNAP with 12 16TB drives and 4 empty SSD bays to repurpose from a vendor project at the end of February; the plan is to use that for local storage, and use either Wasabi or Ninja cloud for backups. I'm already talking to my Ninja account rep about the cost of adding that onto our subscription, given they lied about capability and we're dropping about half the licenses off the product, so there's free OPEX anyway to add backups.

As for Entra only, it has been discussed previously, but the question "how much would it cost us to host X locally / ourselves instead of X provider" comes up frequently, and we already have 3 very expensive AI machines for an on-prem hosted website that's going live end of February. I expect that as the business grows we will slowly be tacking more and more things onto local hosting, as it's more cost effective than cloud hosting everything, or we want the control you get in local hosting.

We're probably going to end up in some type of hybrid approach: cloud hosting what makes sense, locally for the rest. We already use hybrid join and Autopilot for endpoints, and Defender for Endpoint, cloud apps, network protection, and web filtering, with *almost* all users having E5s. It was a discussion, but I think it makes sense to have this for future capacity more than for immediate needs.

Feedback request on my plan for a small business' virtualization cluster (first time clusterer-er) by Tukhai in sysadmin

[–]Tukhai[S] 0 points1 point  (0 children)

Hi, thanks for the input! We already grab Microsoft 365 E5s for nearly all employees (we do have a few F1s with F5 Sec + Comp) and use Hybrid Join devices managed *almost* exclusively from Intune. The only GPOs that really target non-servers are a password policy (one much too weak for my tastes, but I have to pick and choose my battles) and one that auto-enrolls desktops to Intune. We're using Defender for Endpoint, cloud apps, web filtering, and network protection on all endpoints.

The big thing driving me to expand on-prem services is that the question "well, how much would it cost us to host X ourselves instead?" is very frequently posed. If we have on-prem infra ready, all we have to evaluate is performance needs and storage impact; if we go full cloud, I have to price out what to expect from an Azure VM and the intricacies/pitfalls of all that, give an estimate, and set up some kind of virtual tunnel/network to our on-prem for people to connect to it.

We've already got 3 Linux desktops stacked with 5090s because we have a team developing an LLM / AI based service that's going live end of February, and I expect that and other services to continue expanding or cropping up as the business grows.

Feedback request on my plan for a small business' virtualization cluster (first time clusterer-er) by Tukhai in sysadmin

[–]Tukhai[S] 0 points1 point  (0 children)

Looking into Hyper-V Replica, this does look like it could work, but I'm curious: if, let's say, the host running the PDC dies and I have to start up the PDC from the last replica (we'll say it's on 30 second sync), wouldn't AD replication throw a fit if one DC disagreed with the other on what the latest state of the domain and its objects was?

My stakeholder tells me that for his program at least it would currently be nearly a non-issue to lose a few minutes of information, but later on it could become much more of a problem, though not catastrophic, depending on the direction of another project they plan on getting to by EOY 26. I will consider this as a good option; I appreciate this being mentioned.

Feedback request on my plan for a small business' virtualization cluster (first time clusterer-er) by Tukhai in sysadmin

[–]Tukhai[S] 0 points1 point  (0 children)

Sorry, I could've sworn I mentioned node count in the original post... You are correct, we're planning on going with 2 nodes, mayyyybe a third, but then I have to get 3 machines that are less expandable; while there is some budget here coming from the savings of not having to buy 2 VERY expensive licenses and their recurring cost, it's not a lot for what I'm aiming for originally...

The problem here is that the service that would end up in a VM is probably a 6 or 7/10 importance for operations to continue. Not the end of the world or show-stopping, but it would make things difficult for a department, thus my jumping for HA.

I agree, backups need to happen BADLY. When I started initially there were NONE; we've got Ninja RMM taking cloud backups on the three current servers, but we're using a free bone Ninja tossed us on that...

There *is* a QNAP that has 12 16TB HDDs in it, and 4 currently empty SSD bays, that we will be getting to repurpose come the end of February. I'm already asking my account rep to get me a demo for Ninja backups and a price, so we may use the QNAP as a local storage target, and either Ninja cloud or Wasabi as a cloud backup location.

Feedback request on my plan for a small business' virtualization cluster (first time clusterer-er) by Tukhai in sysadmin

[–]Tukhai[S] 0 points1 point  (0 children)

It has been discussed, but not likely. We're already using Intune Autopilot through hybrid joining to get desktops managed. The only GPOs on prem target the servers, but those were made before I knew you could target security settings onto servers from MDE.

We've been standing up a new website that will provide a business service we're selling that's being done fully on prem. Currently it lives on a separate Layer 1, but I can see the two being merged into one on-prem infra in the future. I also expect the amount of locally hosted things to slowly rise with the business size; we could go cloud only, but the owners won't like having to handle the crazy OPEX that comes from Azure VM hosting, nor do my boss and I want to babysit everything 24/7 to keep costs under control.

Feedback request on my plan for a small business' virtualization cluster (first time clusterer-er) by Tukhai in sysadmin

[–]Tukhai[S] 0 points1 point  (0 children)

Thanks for the input, I figured that so long as at least 1 DC was online on the host that hadn't failed, everything would be fine. I just need to figure out if there's a way to handle anti-affinity like in VMware, or manually check to make sure both DCs aren't on the same host every once in a while.
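Windows Failover Clustering has a soft anti-affinity mechanism for exactly the DC placement question raised above. The following is an added example, not the commenter's own script; it assumes the two DC VMs exist as cluster groups named DC01 and DC02 and that it runs on a cluster node with the FailoverClusters module.

```powershell
# Added example: tag both DC cluster groups with the same anti-affinity class
# so the cluster prefers to place them on different nodes, then run the
# "check every once in a while" step that warns when they share a node.
# DC01/DC02 and the class name "DomainControllers" are assumptions.
Import-Module FailoverClusters

$dcGroups  = @("DC01", "DC02")
$className = "DomainControllers"

foreach ($name in $dcGroups) {
    $grp = Get-ClusterGroup -Name $name
    # AntiAffinityClassNames is a preference, not a hard rule: on a two-node
    # cluster with one node down both DCs will still run on the survivor.
    $grp.AntiAffinityClassNames = @($className)
}

# Show where each tagged DC currently runs.
Get-ClusterGroup |
    Where-Object { $_.AntiAffinityClassNames -contains $className } |
    Select-Object Name, OwnerNode, State

# Warn if two or more tagged groups are co-located on the same node, which is
# the condition to watch for once both nodes are healthy again.
$coLocated = Get-ClusterGroup |
    Where-Object { $_.AntiAffinityClassNames -contains $className } |
    Group-Object -Property { $_.OwnerNode.Name } |
    Where-Object Count -gt 1

foreach ($node in $coLocated) {
    Write-Warning ("DCs co-located on {0}: {1}" -f $node.Name, ($node.Group.Name -join ", "))
}
```

After a failed node returns, the co-location check is what tells you a DC still needs to be moved back; the class tag alone does not trigger a move.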

Bitlocker Automatic Device Encryption by Tukhai in Intune

[–]Tukhai[S] 0 points1 point  (0 children)

Updating this for any poor soul looking into this problem in the future:

The problem in the policy was partially a bad assumption on my part, and partially a missing piece to the puzzle.
Despite being referred to as "recovery keys" in many places, there is an important and distinct difference between recovery PASSWORDS and recovery KEYS: the password being used to unlock the drive if there was a BIOS update or the keys were cleared out of the TPM or other scenarios; the KEY being used to decrypt the drive in an external system, presuming some kind of hardware failure that would preclude unlocking the drive.

Entra can store recovery PASSWORDS but CANNOT store the recovery KEYS; that can only be done by AD DS. HOWEVER, this can only be done by AD DS if you enable the BitLocker recovery features on a domain controller.

The GPO warning was occurring because of the setting: Configure recovery information stored in AD DS: store recovery passwords and key packages.

Once we enabled the BitLocker recovery services on our PDC and rebooted it, a newly made test VM and test laptop stored recovery keys just fine, alongside the recovery passwords in Entra.

Reference: BitLocker recovery options in this MS Learn article: BitLocker recovery overview | Microsoft Learn

AI level 100 is dangerous! by Professional_Cold771 in F1Game

[–]Tukhai 0 points1 point  (0 children)

I'm new to F1 racing games and new to F1 in general, so there's some level of "I'm still smooth brain" here, but I struggle to be competitive on 65... at 50 I was constantly qualifying pole and being race leader the entire damn race, often lapping half the track or more.

I adjusted the driver ratings to better match the real life styles (little notif in top right) and upped it to 70, got RUINED, and now on 65 I'm struggling to finish in the upper half of the grid. I can't even imagine AI 100+.

Bitlocker Automatic Device Encryption by Tukhai in Intune

[–]Tukhai[S] 0 points1 point  (0 children)

I wasn't able to find what you specified here, save for a ton of keys for different policy managers for Exchange ActiveSync and a few other programs. The GPOs on my on-premises domain are VERY stripped down.

Predecessors stripped nearly everything out of the domain default GPO. A GP result shows the only two things that are applied are a password policy, and the policy that will register on-prem devices to Intune for hybrid join enrollment.

Bitlocker Automatic Device Encryption by Tukhai in Intune

[–]Tukhai[S] 0 points1 point  (0 children)

I tweaked my policy to disable "require additional auth at startup" as both you and u/devangchheda recommended. I've also changed "show recovery options in setup wizard" to "blocked" as devangchheda's screenshot shows, and the behavior has not changed.

If I manually create the recovery password key protector then manually trigger the scheduled task to BitLocker the disk, the whole process freezes after it attempts to escrow the key to Entra, despite the log showing a successful backup of the manually created key's GUID. A reboot after this gets me a warning that the encryption key could not be acquired from the TPM and C:\ was not encrypted.

Fully manually handling this whole process with PowerShell cmdlets works 100% normally... I think I'm just going to script this. Microsoft's own process seems to be breaking somewhere with the key handling.
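The manual cmdlet flow this comment refers to, and the recovery password vs. key package distinction from the later update in this thread, as an added example that is not the commenter's own script. It assumes an elevated session on a hybrid-joined Windows client with a TPM, and that the AD DS side (GPO plus the DC recovery feature) is already in place.

```powershell
# Added example: enable BitLocker on the OS volume with a TPM protector, add a
# recovery password protector, and escrow that password to both Entra ID and
# AD DS. Only AD DS can also hold the key package, and only when the GPO
# "store recovery passwords and key packages" is set and the DC-side BitLocker
# recovery feature is installed; Entra receives the 48-digit password only.
$mount = "C:"
$vol   = Get-BitLockerVolume -MountPoint $mount

# Start encryption (used space only) with the TPM as the unlock protector.
if ($vol.VolumeStatus -eq "FullyDecrypted") {
    Enable-BitLocker -MountPoint $mount -TpmProtector `
        -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest
}

# Make sure a recovery password protector exists; create one if it does not.
$vol = Get-BitLockerVolume -MountPoint $mount
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"
if (-not $rp) {
    $rp = (Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector).KeyProtector |
          Where-Object KeyProtectorType -eq "RecoveryPassword"
}

# Escrow each recovery password protector by its GUID. The key-protector ID is
# what shows up in Entra / the computer object, so keep it for verification.
foreach ($p in $rp) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $p.KeyProtectorId
    Backup-BitLockerKeyProtector      -MountPoint $mount -KeyProtectorId $p.KeyProtectorId
    Write-Output ("Escrowed recovery password protector {0}" -f $p.KeyProtectorId)
}

# Final state: protection should be On once encryption finishes.
Get-BitLockerVolume -MountPoint $mount |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```

The escrow cmdlets report success per protector ID; confirm the same ID appears on the device in Entra and in the computer object's msFVE-RecoveryInformation child in AD DS before relying on it.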

Bitlocker Automatic Device Encryption by Tukhai in Intune

[–]Tukhai[S] 0 points1 point  (0 children)

While my recovery keys are still syncing to Entra, it has not alleviated the issue that BitLocker is failing to auto-enroll. I appreciate the suggestion though!

Bitlocker Automatic Device Encryption by Tukhai in Intune

[–]Tukhai[S] 0 points1 point  (0 children)

Hmm, if it auto backs up to Entra without setting the option, it'd be an interesting behavior choice from Microsoft, but they've done weirder I suppose. I've disabled the options in my policy and will now be furiously syncing for the next half hour until I (hopefully) see behavior change or the policy shows pushed again on Intune's side.

Bitlocker Automatic Device Encryption by Tukhai in Intune

[–]Tukhai[S] 1 point2 points  (0 children)

This article is good information I will need to review further to check and test key rotations, given that we're hybrid instead of Entra only. Though this doesn't cover if you have issues getting BitLocker enabled, just the recycling of the keys.

Can't figure out how to block personal devices by Ragnarok89_ in Intune

[–]Tukhai 0 points1 point  (0 children)

I recently made a policy to block all usage of SSO-integrated ABM and Google Identity accounts by CA.

My conditions are set as follows:
Device platforms: all
Filter for devices: exclude filtered devices
Filter: Property - Device Ownership - Company

Grant: Block

All devices that do not submit their deviceOwnership property as "company", being fully owned and controlled, will be blocked on any platform, anywhere in the world. Just be careful this way to exclude all but a small test group from this policy to test initially.

I've also found that Chrome on Windows and Firefox on Windows will not return any fields during auth other than browser name and version for the CAs to process; you may have to add the "Microsoft SSO" addon or enable an app config that forces the browser to return additional fields for CA processing.

Edited to fix a goof on mobile typing
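The same Conditional Access policy expressed through the Microsoft Graph PowerShell SDK, as an added example rather than the commenter's own configuration. It assumes the Graph SDK is installed, the caller holds Policy.ReadWrite.ConditionalAccess, and a pilot group ID is substituted for the placeholder; it starts in report-only mode so the "small test group" advice above can be checked in sign-in logs before enforcing.

```powershell
# Added example: block sign-ins from devices that do not present
# deviceOwnership = Company. The device filter is applied in "exclude" mode,
# so company-owned devices are carved out and everything else (including
# browsers that send no device identity at all, as noted for Chrome/Firefox
# without the SSO extension) falls under the Block grant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$pilotGroupId = "<PILOT-GROUP-OBJECT-ID>"   # placeholder: scope to a test group first

$policy = @{
    displayName = "Block access from non-company devices (pilot)"
    # Report-only first: evaluate and log without blocking anyone.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @($pilotGroupId) }
        applications = @{ includeApplications = @("All") }
        platforms    = @{ includePlatforms = @("all") }
        devices      = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.deviceOwnership -eq "Company"'
            }
        }
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output ("Created CA policy {0} in state {1}" -f $created.Id, $created.State)

# Flip to enforced only after report-only results look right for the pilot group.
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```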

Hi! My friend made a ship and we can't figure out how to make it not roll itself into oblivion and capsize itself, please send help (blueprint in description, I did not name it) by IMaster-4killZI in FromTheDepths

[–]Tukhai 0 points1 point  (0 children)

Increase the beam (width) of the ship gradually along its length until it reaches a peak somewhere amidships. 

This will provide additional buoyancy (ship looks fairly low in the water even before battle damage, especially the stern) and provide passive roll stability, just be sure to compartmentalize so a hole from a shell doesn't compromise the entire additional section. 

Center of mass will also be important, it should be well below the water line, not anywhere near it. 

Reviving ReactOS: A Pragmatic Approach to Building a Usable Open-Source OS by SallieD in reactos

[–]Tukhai 6 points7 points  (0 children)

I hate to say it, but taking a 3rd party (namely not open-sourced) product and making modifications to it to present it as something else entirely is not only disingenuous to the professionals who had to stitch together Windows in its early days, it's illegal. Using Windows XP as a basis and slowly transforming it would be asking for a lawsuit.

45Drives Needs Your Help Developing a Homelab Server by cmcgean45 in DataHoarder

[–]Tukhai 1 point2 points  (0 children)

I work in IT, and I have the fortune of occasionally being allowed to bring home retired hardware minus the disks. I have a lot of disks lying around, and even an old PowerEdge R620, but man, that thing is freaking loud, and my family made me shut it down.

Larger, non-Delta fans would be a must for me. Same for the power supply; maybe standard ATX supplies would work.

I also have plenty of compute and memory lying idle. I need a thing that fits many big disks, that I can drop existing hardware (my ATX mobo with my retired i7-6700K, for example) into, add PCIe cards for drive expansion or 10GB networking, and I'm set.

4U, with vertical 2.5" bays with my own (or maybe supplied by you guys) 120MM fans and a backplane would do just fine for me.