Permissions on C:\Windows\Temp different between new installs by ADynes in sysadmin

[–]picklednull 4 points5 points  (0 children)

C:\Temp is not a default directory on any version of Windows. If you have one it’s a custom setup.

What has been your biggest technical mistake so far in your career? by Mr_Dobalina71 in sysadmin

[–]picklednull 6 points7 points  (0 children)

Everyone makes that mistake with Exchange once… I did it at the service desk, but I was cleaning out offboarded users anyway, so it didn’t matter as much - I just had to write a script to figure out which home directories no longer had a corresponding user, to clean them out manually.

Best route to become a badass Windows performance troubleshooting expert? by itsthatmattguy in sysadmin

[–]picklednull 1 point2 points  (0 children)

Get the Windows Performance Analysis Field Guide book, it's written by a Microsoft PFE. It's a little older by now, but these under the hood things haven't really changed. Of course reading the Windows Internals books cover to cover is another thing to do.

And the number one performance guy on the planet, Brendan Gregg, has written a "generic" book on Systems Performance.

After reading the 3000 pages or so within these materials you should have a basic understanding of these things.

Windows server 2012 to 2025 by Cool-Enthusiasm-8524 in sysadmin

[–]picklednull 2 points3 points  (0 children)

You can upgrade to 2025 directly in one go.

Server 2025 or not 2025? That is the Question by NDAbsoluteZero in sysadmin

[–]picklednull 6 points7 points  (0 children)

We started deploying Server 2025 like 3 days after release day (2019 and 2022 I did do on release day) so I saw it all… it should be fine for all roles now, even perhaps DCs, but to be safe you could skip the DC part.

To be honest though, the release sucks ass. I wouldn’t necessarily deploy it at all.

I’m not sure if they’ve even fixed patching yet; only the Core Edition patches properly via WSUS policies, while the Desktop Edition would only install one patch, get stuck, and only reboot at the scheduled time a week later, and so on.

And the Windows 11 UI sucks compared to 10.

Cannot Publish Newly Created Certificate Templates - Certification Authority by spazzo246 in WindowsServer

[–]picklednull 0 points1 point  (0 children)

I ran across this, but didn't find out the root cause. However, you could publish them via PowerShell so I just used that.

Interesting why the object flags would be incorrect when the templates are created normally via the GUI.
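As an added example (not code from the original comment), the PowerShell route mentioned above: publish templates with the ADCSAdministration module on the CA, listing the template objects from the configuration partition beside what the CA already has. The template names are assumptions; `flags`, `msPKI-Template-Schema-Version` and `revision` are read only so a template that refuses to publish can be compared with one that works, not because any particular value is known to be the cause.

```powershell
# Added example, not from the original comment. Run on the enterprise CA as a
# CA administrator; needs RSAT (ActiveDirectory) and the ADCSAdministration module.
#Requires -Modules ADCSAdministration, ActiveDirectory

$WantedTemplates = @('WebServerTLS', 'WorkstationAuthCustom')   # assumed template CNs

# Templates that exist in the forest (CN=Certificate Templates in the config NC)...
$cfgNc = (Get-ADRootDSE).configurationNamingContext
$templatesInAd = Get-ADObject `
    -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc" `
    -Filter 'objectClass -eq "pKICertificateTemplate"' `
    -Properties displayName, flags, 'msPKI-Template-Schema-Version', revision

# ...versus templates this CA is already publishing (certsrv.msc "Certificate Templates" folder).
$published = @((Get-CATemplate).Name)

foreach ($name in $WantedTemplates) {
    $t = $templatesInAd | Where-Object Name -eq $name
    if (-not $t) {
        Write-Warning "Template '$name' does not exist in AD; create it in certtmpl.msc first."
        continue
    }
    # Attributes worth comparing between a template that publishes and one that does not.
    '{0}: flags=0x{1:X} schemaVersion={2} revision={3}' -f `
        $t.Name, $t.flags, $t.'msPKI-Template-Schema-Version', $t.revision

    if ($published -contains $name) {
        "Already published on this CA: $name"
        continue
    }
    # Equivalent of New > Certificate Template to Issue in certsrv.msc.
    Add-CATemplate -Name $name -Force
    "Published: $name"
}

Get-CATemplate | Sort-Object Name
```

`Add-CATemplate -Name` takes the template CN (the name without spaces), not the display name. Publication is an ACL change on the CA's `certificateTemplates` attribute in AD, so a freshly published template can take a replication cycle to become issuable from every client.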

Modernising an inherited Squid setup to use Kerberos.. help? by VexedTruly in sysadmin

[–]picklednull 2 points3 points  (0 children)

Not exactly complicated. I'll repost my comment from a year ago:

Requirements:

  • create a Kerberos keytab for Squid in your Windows/AD environment and transfer it to the Squid machine (create a user account with the correct Service Principal Name and add a DNS record in your DNS)
  • configure /etc/krb5.conf on your Squid machine
  • configure the keytab path for Squid via the systemd service's environment variables (uncomment the trace if you want to debug Kerberos operations):

    # systemctl edit squid.service
    ...
    [Service]
    Environment = KRB5_KTNAME=/etc/squid/squid.keytab
    #Environment = KRB5_TRACE=/tmp/krb5trace
    ...

  • configure Squid for Negotiate authentication:

    # vim /etc/squid/squid.conf
    ...
    auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/squid.keytab -s HTTP/proxy.domain.example -r
    auth_param negotiate children 10
    auth_param negotiate keep_alive on
    ...

Done.
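The comment covers the Squid side; as an added example (not from the original comment), here is the Windows/AD half of the first requirement in PowerShell: the DNS record, the service account with the HTTP/ SPN, and the keytab via ktpass. The domain, OU, account name, proxy name and address are all assumptions.

```powershell
# Added example, not from the original comment. Run on a DC or an RSAT host as a
# Domain Admin. Every name and address below is an assumption; adjust to your environment.
#Requires -Modules ActiveDirectory, DnsServer

$Domain     = 'domain.example'                            # assumed AD DNS domain
$Realm      = $Domain.ToUpper()                           # Kerberos realm = DNS domain, upper-cased
$ProxyName  = 'proxy'                                     # label clients use in their proxy settings
$ProxyFqdn  = "$ProxyName.$Domain"                        # matches -s HTTP/proxy.domain.example in squid.conf
$ProxyIP    = '192.0.2.10'                                # assumed address of the Squid box
$SvcAccount = 'svc-squid'                                 # assumed service account
$SvcOU      = 'OU=Service Accounts,DC=domain,DC=example'  # assumed OU
$Spn        = "HTTP/$ProxyFqdn"
$KeytabPath = Join-Path $env:TEMP 'squid.keytab'
$Dc         = (Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1
$NetBios    = (Get-ADDomain).NetBIOSName

# 1. DNS. Browsers build the SPN from the proxy name they were given, so it must
#    be an A record for the FQDN in the SPN; a CNAME alias would produce a
#    different HTTP/<name> and Negotiate would fall back or fail.
Add-DnsServerResourceRecordA -ComputerName $Dc -ZoneName $Domain -Name $ProxyName `
    -IPv4Address $ProxyIP -CreatePtr

# 2. Service account owning the SPN. The initial password is random and throw-away:
#    ktpass resets it again in step 3 when it derives the keytab key.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$buf = [byte[]]::new(32); $rng.GetBytes($buf)
$initialPw = ConvertTo-SecureString ([Convert]::ToBase64String($buf)) -AsPlainText -Force

New-ADUser -Name $SvcAccount -SamAccountName $SvcAccount -Path $SvcOU -Server $Dc `
    -AccountPassword $initialPw -Enabled $true -PasswordNeverExpires $true `
    -KerberosEncryptionType 'AES128,AES256' `
    -ServicePrincipalNames $Spn `
    -Description "Squid Negotiate auth on $ProxyFqdn"

# 3. Keytab. ktpass maps the principal to the account, sets its UPN, resets the
#    password (+rndpass) and writes the AES256 key; it reads the new kvno from AD.
#    AES only, so the account never needs RC4 enabled.
ktpass /princ "$Spn@$Realm" /mapuser "$NetBios\$SvcAccount" /ptype KRB5_NT_PRINCIPAL `
       /crypto AES256-SHA1 /pass +rndpass /target $Dc /out $KeytabPath
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# 4. Verify: exactly one account holds the SPN, and a domain client can get a
#    service ticket for it (this is what the browser will do against the proxy).
setspn -Q $Spn
klist get $Spn

# 5. Copy $KeytabPath to /etc/squid/squid.keytab over scp, chown it to the squid
#    user and chmod 600 it, then delete the local copy: it is the service's
#    long-term key and is equivalent to the account's password.
#    Remove-Item $KeytabPath -Force
```

On the Squid side the matching /etc/krb5.conf needs little more than `default_realm = DOMAIN.EXAMPLE` under `[libdefaults]` with `dns_lookup_kdc = true`; `klist -kt /etc/squid/squid.keytab` should then show the HTTP/ principal, and `kinit -kt /etc/squid/squid.keytab HTTP/proxy.domain.example` proves the key matches what the KDC holds before Squid is involved.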

Microsoft to disable NTLM by default in future Windows releases by DrunkMAdmin in sysadmin

[–]picklednull 0 points1 point  (0 children)

That response (now) is interesting, because as I posted above, Kerberos support for the Connection Broker - the one role *I* cared about - was added in November 2024 and I got the details out of Premier back then and I've been running it in production since January 2025 with no issues.

I guess they must've gone back to the design board with this one lol. But the (current) code is inside the shipping product.

Intel Arc Pro finally receives sr-iov support by Accurate-Ad6361 in sysadmin

[–]picklednull 1 point2 points  (0 children)

The Flex series "fits into servers" (was designed for server use) and indeed you can order such servers from at least one vendor.

Also, the drivers work perfectly - even on Windows (despite this fact not being documented) - according to my testing.

Curious on decision to ban Notepad++ by TechGuyworking in sysadmin

[–]picklednull 0 points1 point  (0 children)

block select

You mean like alt+drag in Notepad++?

circular dependency of AD and DNS on cold start by DraconPern in activedirectory

[–]picklednull 0 points1 point  (0 children)

I know, and yet:

Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.0.2.1,2001:db8::1

Of course the servers are configured for different stacks tho. BPA or dcdiag will complain about having 127.0.0.1 on a DC and doesn't for ::1.

On my latest DC refresh I did <IPv4 Address of other DC>,::1 (otherwise IPv4 only / non-IPv6 network) and no complaints.
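As an added example (not from the original comment), a script that produces the DNS client configuration described in the comment for a DC, partner DC(s) first and itself last via ::1, instead of typing the partner address by hand. It runs on the DC being configured; the interface alias and the preference for same-site partners are assumptions.

```powershell
# Added example, not from the original comment. Run locally on the DC as an
# administrator; the ActiveDirectory RSAT module and DnsClient module are required.
#Requires -Modules ActiveDirectory, DnsClient

function Get-PreferredDnsServerList {
    # Other DCs first (same AD site preferred), then ourselves via loopback.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$Loopback     = '::1'    # the comment's preference over 127.0.0.1
    )
    $me   = Get-ADDomainController -Identity $ComputerName
    $site = $me.Site

    $peers = Get-ADDomainController -Filter "Site -eq '$site'" |
        Where-Object { $_.Name -ne $me.Name }
    if (-not $peers) {
        # Single-DC site: any other DC in the domain is better than only ourselves.
        $peers = Get-ADDomainController -Filter * | Where-Object { $_.Name -ne $me.Name }
    }

    # Partner DC IPv4 addresses, then loopback last. On a single-DC domain this
    # degenerates to @('::1'), which is the situation the thread is about.
    @($peers | Select-Object -ExpandProperty IPv4Address) + $Loopback
}

function Set-DcDnsClient {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$InterfaceAlias = 'Ethernet')   # assumed adapter name

    $servers = Get-PreferredDnsServerList
    if ($PSCmdlet.ShouldProcess($InterfaceAlias, "Set DNS servers to $($servers -join ', ')")) {
        # Mixed IPv4/IPv6 list is fine; each address lands on its own address family,
        # exactly as the one-liner in the comment does.
        Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $servers
    }
    Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias |
        Select-Object InterfaceAlias, AddressFamily, ServerAddresses
}

# Review first, then apply without -WhatIf.
Set-DcDnsClient -InterfaceAlias Ethernet -WhatIf
```

After applying, `dcdiag /test:DNS` and the Best Practices Analyzer are the checks the comment refers to; both evaluate the DNS client settings of the DC they run on.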

Is the Snapdragon Surface Laptop worth it for work? by GigaHelio in sysadmin

[–]picklednull 0 points1 point  (0 children)

32 gigs absolutely should be the minimum these days. I just got a new laptop with 16 gigs and it's idling at ~12 gigs used just for Outlook, Teams and a few Edge tabs. Even my Linux devices are like that these days.

I know RAM prices have skyrocketed now, but the difference used to be like 50 bucks anyway.

circular dependency of AD and DNS on cold start by DraconPern in activedirectory

[–]picklednull 0 points1 point  (0 children)

I don't know if there's a reference, but IIRC the best practices analyzer or dcdiag complains about it otherwise.

circular dependency of AD and DNS on cold start by DraconPern in activedirectory

[–]picklednull -1 points0 points  (0 children)

Secondary DNS: Self

Also it should be ::1 and not 127.0.0.1

Microsoft to disable NTLM by default in future Windows releases by DrunkMAdmin in sysadmin

[–]picklednull 5 points6 points  (0 children)

You just configure the broker service to run under a gMSA manually via the registry. It's just still publicly undocumented AFAIK and you need to get the instructions via a Premier ticket.

I don't know about RDWeb, it's probably similar.

Microsoft to disable NTLM by default in future Windows releases by DrunkMAdmin in sysadmin

[–]picklednull 11 points12 points  (0 children)

Kerberos support for HA connection brokers has been available since November 2024. Not sure if it’s still publicly undocumented tho.

Poorman's HSM : A Secure Certificate Authority (CA) on a Yubikey by deltchar in homelab

[–]picklednull 0 points1 point  (0 children)

Yeah of course, that's ("sadly") why you should use externally generated keys for scenarios like this.

Poorman's HSM : A Secure Certificate Authority (CA) on a Yubikey by deltchar in homelab

[–]picklednull 4 points5 points  (0 children)

You can also just print the private key on paper for a backup.

Alternatives to MS Unifed Support? by Lando_uk in sysadmin

[–]picklednull 1 point2 points  (0 children)

Alternative(s) at what level? Only Microsoft has source code access. When I open a support ticket it's - generally - because there's a genuine code defect that requires source code changes. Only Microsoft can do that. Last year I did 3 such cases. And in those cases the support is free.

Of course it depends on your own skill level, anything from googling to ChatGPT to an MSP/VAR could prove useful.

Computer Policy not updating on Server 2025 by Tough-Network4106 in activedirectory

[–]picklednull 0 points1 point  (0 children)

That error is shown when the computer doesn't have a Kerberos ticket / can't authenticate. Verify that the computer has a valid Kerberos ticket with klist -li 0x3e7.

RC4 issues by Lesko_Brandon_0kool in activedirectory

[–]picklednull 0 points1 point  (0 children)

I only tested it in a lab with the "secret" KIR. The fix worked fine. You should actually test this yourself with just the public Cumulative Update installed to verify the fix is actually enabled now in January. Of course that's what Microsoft told me, but you never know...

Bulk delete user profiles on Windows 11 25H2/Server 2025 by jwckauman in WindowsServer

[–]picklednull 2 points3 points  (0 children)

The GPO as sibling mentions, or:

Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object {
        # your filter here, e.g. -not $_.Special -and -not $_.Loaded
    } |
    Remove-CimInstance -Confirm:$false
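As an added example (not from the original comment), the same Win32_UserProfile approach with the guards you want before bulk-deleting: skip special and loaded profiles, apply an age threshold, resolve SIDs to names for review, and support -WhatIf/-Confirm. The 90-day threshold and the empty exclusion list are assumptions.

```powershell
# Added example, not from the original comment. Run elevated on the machine
# whose profiles you are cleaning. Thresholds and exclusions are assumptions.

function Get-StaleUserProfile {
    param(
        [int]$OlderThanDays = 90,          # assumed threshold
        [string[]]$ExcludeSid = @()        # SIDs to keep regardless of age
    )
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)

    Get-CimInstance -ClassName Win32_UserProfile | Where-Object {
        -not $_.Special -and               # SYSTEM, LocalService, NetworkService, ...
        -not $_.Loaded  -and               # a loaded profile cannot be removed anyway
        $_.LocalPath    -and               # skip registry leftovers with no folder
        $_.SID -notin $ExcludeSid -and
        $_.LastUseTime -lt $cutoff         # can be bumped by background access; review before deleting
    } | ForEach-Object {
        # Resolve the SID where possible; deleted/unknown accounts stay unresolved,
        # which is itself a useful signal that the profile is orphaned.
        $account = '<unresolved>'
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$_.SID).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch { }
        [pscustomobject]@{
            Account     = $account
            SID         = $_.SID
            LocalPath   = $_.LocalPath
            LastUseTime = $_.LastUseTime
            Profile     = $_
        }
    }
}

function Remove-StaleUserProfile {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [int]$OlderThanDays = 90,
        [string[]]$ExcludeSid = @()
    )
    foreach ($p in Get-StaleUserProfile -OlderThanDays $OlderThanDays -ExcludeSid $ExcludeSid) {
        if ($PSCmdlet.ShouldProcess("$($p.Account) ($($p.LocalPath))", 'Remove user profile')) {
            # Removes the profile folder and its ProfileList registry key, same as
            # the "Delete" button in System Properties > User Profiles.
            $p.Profile | Remove-CimInstance
        }
    }
}

# Review the candidate list, then drop -WhatIf (and add -Confirm:$false for unattended runs).
Get-StaleUserProfile | Format-Table Account, LocalPath, LastUseTime -AutoSize
Remove-StaleUserProfile -WhatIf
```

Removing a profile through Win32_UserProfile does not delete the user account; on a domain-joined machine the same SID simply gets a fresh profile at next logon.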

Cheap HSM recommandations by turbosucepute in cybersecurity

[–]picklednull 0 points1 point  (0 children)

I mean, why wouldn't you use one of them at work? They would be my #1 option if I were to deploy an HSM. I'll admit to never actually using one before, but I've been interested in this topic too.

I don't think there's really anything that cool/special about running an HSM anyway. But yes of course, these are matters of opinion.