microsoftdocs / windowsserverdocs

Public content repository for Windows Server content.

License: Creative Commons Attribution 4.0 International

PowerShell 100.00%

windowsserverdocs's Introduction

Windows Server Documentation

Welcome to the open source documentation of Microsoft Windows Server. Contributing to open source is more than just providing updates; it's also letting us know when there's an issue.

Public vs. private repo contributions

There are two separate locations where we keep Windows Server technical content. One of the locations is public (windowsserverdocs) while the other is private (windowsserverdocs-pr). Who you are determines which location you contribute to:

Public (windowsserverdocs) and private (windowsserverdocs-pr) repos

These repos are actively managed and contain the source for Windows Server technical content published to Microsoft Learn:

GitHub content feedback guidelines

The Windows Server GitHub repo is only monitored for documentation issues. You can help contribute by reporting any documentation issues you find. Select the "This page" button under the Feedback section of the page to generate a GitHub issue where documentation feedback can be provided. Suggestions for improvement are welcomed and specific updates to our content are under consideration.

To provide valuable feedback, capture the issue directly by quoting where the issue is found within the document. The following list provides insight to issues that are addressable:

  • Incorrect spelling, typos or duplicate text in the documentation.
  • Broken, outdated or incorrectly referenced hyperlinks to our content.
  • The step-by-step directions provided don't match the product, steps are missing or are outdated.
  • Incorrect code, missing parameters, or improper examples of command line usage or PowerShell cmdlets.

There are cases where feedback pertains to the product or service rather than the documentation itself. For example:

  • Technical support for specific or case-based scenarios where troubleshooting is involved.
  • Fixing a software bug, application feature requests, or experiencing product performance issues.
  • Dislike of a product GUI change or removal of a product feature.
  • Other issues that don't relate to the actual content.

To help you, we offer other channels for engaging with us, whether you have a support question, want to provide product feedback, or other suggestions. Use one or more of these channels:

Markdown info

For information on using Markdown in Microsoft technical articles, see the Docs Markdown reference.

License

Refer to LICENSE, LICENSE-CODE and ThirdPartyNotices for all Licensing information.

Code of Conduct

This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

windowsserverdocs's People

Contributors

anaharris-ms, billmath, coreyp-at-msft, cosmosdarwin, cwatson-cat, daveba, davidbel, dknappettmsft, dongill, eross-msft, heidilohr, huypub, ingridatmicrosoft, jaimeo, jamesmci, jasongerend, jay98014, justinha, kbdazure, lizap, nedpyle, prmerger-automator[bot], robinharwood, taojunshen, teresa-motiv, v-alje, v-erchev, windowscommunications, wmgries, xelu86


windowsserverdocs's Issues

Mangled Text Encoding

In certreq -new, the mangled text

“template�?
�?WebServer�?

appears.
Unfortunately, it's in critical sections regarding inf file syntax that make the correct syntax difficult to guess.
Please fix these text encoding issues?

"Configure DNS and Firewall Settings for Always On VPN" URL doesn't work

"Configure DNS and Firewall Settings for Always On VPN" URL doesn't work


Document Details

Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

Document Links in 'What's New in Active Directory Domain...'

Is there a reason that the following links are pointing to the TechNet website rather than the sub-topics within the document?

  • Privileged access management
  • Extending cloud capabilities to Windows 10 devices through Azure Active Directory Join
  • Connecting domain-joined devices to Azure AD for Windows 10 experiences
  • Enable Microsoft Passport for Work in your organization
  • Deprecation of File Replication Service (FRS) and Windows Server 2003 functional levels

It breaks the PDF document if downloaded; rather than going to the subtopic it opens a webpage.

If the links should be going to technet, perhaps they could be added to a More Information... section at the end of the document or after each section.

For example:

Update privileged-access-workstations.md

Some grammatical corrections needed but also some functional errors.

I'm following the guide, step-by-step, and running into warning messages that prevent me from completing steps. We're running a 2012 R2 PDC in a test environment. Most everything works except those noted below.

5. b. (iii), (i,ii) reads:

i. Go to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally.
ii. Select Define these policy settings and add "PAW Users".

This results in a warning in the GPO dialog when clicking OK:

“Administrators must be granted the logon local right.”

7. b. (iii) reads:

(iii) In Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally, select Define these policy settings and add the Tier 0 groups:

Groups to add to policy settings:

Enterprise Admins
Domain Admins
Schema Admins
DOMAIN\Administrators
Account Operators
Backup Operators
Print Operators
Server Operators
Domain Controllers
Read-Only Domain Controllers
Group Policy Creators Owners
Cryptographic Operators

Problem:

GPO dialog window warning message:
“You cannot deny all users or administrator(s) from logging on locally.”

Issue with Non English Editions

Hi Team!

When trying to clone a DC in a Spanish Edition Windows Server, we have the "Controladores de dominio clonables" security group instead of "Cloneable Domain Controllers". If you add the computer account to that group, the New-ADDCCloneConfigFile cmdlet fails, because it wants to look for the group in English, "Cloneable Domain Controllers". I don't know if this happens for all non-English editions, but it might be worth checking. The workaround is to create a group called Cloneable Domain Controllers (in English).

Thanks and best regards!

What's new in Server 1709 doc - VM Loadbalancing mixes in storage-class memory section

https://raw.githubusercontent.com/MicrosoftDocs/windowsserverdocs/master/WindowsServerDocs/get-started/whats-new-in-windows-server-1709.md

The VM Loadbalancing section seems to just switch over to copy-pasted storage-class memory section or at least it looks weird to me.
Pasting it here ( emphasis mine )

VM Load Balancing is also improved with OS and Application awareness, ensuring optimal load balancing and application performance. Storage-class memory support for VMs enables NTFS-formatted direct access volumes to be created on non-volatile DIMMs and exposed to Hyper-V VMs. This enables Hyper-V VMs to leverage the low-latency performance benefits of storage-class memory devices.

Also this doc is a bit too high level to me. Would be nice to have more details or links to the details.

SET is not compatible with the following networking technologies in Windows Server 2016

Hi

It's written in: https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v-virtual-switch/rdma-and-switch-embedded-teaming

"SET is not compatible with the following networking technologies in Windows Server 2016"

  • 802.1X authentication
  • IPsec Task Offload (IPsecTO)
  • QoS in host or native operating systems
  • Receive side coalescing (RSC)
  • Receive side scaling (RSS)
  • TCP Chimney Offload
  • Virtual Machine QoS (VM-QoS)

It would be a good improvement of the documentation if it was described how to properly disable these technologies with use of PowerShell/commandline.

Br. Rune

RDS-Hosting-Partners List

I have passed the "hosting windows desktop and applications using remote desktop services in azure learning pass assessment" and I am not showing up on the RDS-Hosting-Partners list. Is there anything I need to do, or is this document updated periodically?

Does Server Core truly reduce the need for updates?

https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/Windows-Server.md

However, it offers great advantages such as smaller hardware requirements, much smaller attack surface, and a reduction in the need for updates.

Is this the correct message from Microsoft? (Does Server Core truly reduce the need for updates?)

Now, Windows Server has adopted the monthly rollup model. Usually, we receive updates every month. It's almost the same frequency as Full Server (Desktop). So I think "reduction in the need for updates" is not an advantage for Server Core.

Web application Proxy site has errors

https://docs.microsoft.com/en-us/windows-server/remote/remote-access/web-application-proxy/publishing-applications-with-sharepoint%2c-exchange-and-rdg

I think there are a few errors on the site above.
It states that Exchange ActiveSync works only with pass-through, but this site claims that it can be configured with ADFS & HTTP Basic. Referring to: https://docs.microsoft.com/en-us/windows-server/remote/remote-access/web-application-proxy/publishing-applications-using-ad-fs-preauthentication & https://docs.microsoft.com/en-us/windows-server/remote/remote-access/web-application-proxy/web-application-proxy-windows-server

Also EAC should work like the OWA. Referring to link: https://technet.microsoft.com/en-us/library/dn635116(v=exchg.150).aspx

In the RDG section there is a statement: "If the External and Internal FQDN's are different you should disable request header translation on the RDWeb publishing rule. "
---> Shouldn't this be the opposite? If the URLs are different, then it needs translation enabled, which it is by default.

OpenID requires SQL in farms

It should really be mentioned in the prerequisites that OpenID will not work with using WID in an ADFS farm with multiple servers. Those ADFS servers all have to point to a centralized SQL server for OpenID to function. I discovered this the hard way, and I'm sure it would be helpful for others to know. Thanks

Limited documentation on SDN Cmdlets

Most cmdlets have a required Properties field. Using the examples and reverse engineering the sdnscripts allowed me to find out some properties, but can we please get documentation about what properties there are for each specific class type? Thanks.

2008R2 and earlier schema updates

It would be really helpful if WindowsServerDocs/identity/ad-ds/deploy/Schema-Updates.md could be extended historically, to include the earlier schema updates, including Windows 2003, 2003R2 but most importantly 2008R2? I know these files are available elsewhere on technet, but the great thing about this new approach to doc publishing is that it is all in one place and is under a clear MIT licence.

Thanks,

Andrew Bartlett

Grammatical mistake

Change the following sentence under minimum processor requirements

Coreinfo is a tool you can use to confirm which of these capabilities you CPU has.

to

Coreinfo is a tool you can use to confirm which of these capabilities your CPU has.

"Avoid Write-Host" needs elaboration

Avoid Write-Host should mention that the primary purpose of Write-Host is to format the console, and clarify whether [Console]::WriteLine() is the .NET alternative to it.

There should also be mention of other ways to provide output, such as Write-Output. Taking some of the information from Jeffrey Snover's blog may be beneficial for this section

Clarify VM Support re Build 1709 (Fall Creators)

Update table in doc referenced below to reflect support for Hyper-V VMs of version 8.2. Should also reflect that VMs created on 1709 cannot be imported into a server which is still running 1703.

windowsserverdocs/WindowsServerDocs/virtualization/hyper-v/deploy/Upgrade-virtual-machine-version-in-Hyper-V-on-Windows-or-Windows-Server.md

Elaborate on NIC Teaming compatibility in regards to HNVv1 and HNVv2

Hi

Is it possible to elaborate on the NIC Teaming compatibility in the following article?
https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/networking/technologies/nic-teaming/NIC-Teaming.md

In the following article, on pages 20 & 23, it states that HNVv1 is only supported with Stand-alone NIC Teaming and HNVv2 is only supported with SET teaming.
https://gallery.technet.microsoft.com/Windows-Server-2016-839cb607

The article was written for a technical preview of Server 2016 and is also still referenced here:
https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v-virtual-switch/rdma-and-switch-embedded-teaming

I haven't found any newer guidelines on this.

Thanks
Rob

Any additional network configuration required for this?

We have an ADFS2016 farm which is used by 4 different domains (DomA, DomB, DomC and DomD). Whenever I enable "extranet lockout" it works fine for DomA, DomB and DomC but not for DomD; those users can't be authenticated.
We have upgraded to ADFS2016 ("farm behavior level 3") because we thought the requirement for PDC was the issue, but it is still not working. Is there some additional firewall requirement that is needed for this to work? We can authenticate fine to the PDCs in DomD and everything works normally, but when we enable extranet lockout the authentication fails, but only for DomD. The only thing we have been able to find when comparing this with the other 3 domains that this works for is that we cannot access the AD Web Services (TCP port 9389?) in DomD's domain controllers, but I can't see any note that this feature would require additional ports?
Regards // Kristoffer



Clarify the supported features on Windows Server Core 1709

As mentioned in #239

Could we have a section about Windows Server Core and what is not supported?

Things like WDS, Exchange, SQL SSIS/SSRS, SCCM, SCOM.
Right now it's a hunt between outdated posts and forums and trials to figure out what's going to work, which is far from ideal.
Plus once someone figures this out, it would benefit the community to properly document it.

I would love to run everything on core preferably. Who needs GUI for servers, can't understand, but seemingly even some Msft products won't run on it like WDS, which is very weird to me as it only does TFTP, Jet DB, SMB share none of which would require GUI. ( at least per random blogs or old MSDN docs )
So yeah, would love to have some clarity here from the Server TEAM.

Thanks

Event log docs gone from TechNet - Where to revive them?

TechNet used to have a nice listing and explanation of all the event log codes, eg Event ID 6005.

In typical Microsoft fashion with the latest web content re-org all these URLs have disappeared although the content is still 100% valid so lots of HTML pages linking to these URLs are SooL, eg Windows Server restart / shutdown history on serverfault.

Can someone suggest where in the new MicrosoftDocs universe we revive this content, re-writing it or pulling it from the Internet Archives?

VPN Server Group Membership

In the guide above it indicates that an AD group should be used to grant access to the certificate templates which issue certificates to the VPN servers. This would seem to suggest that the VPN servers should be Domain Joined - however I have always thought that machines in a DMZ should not be joined to the Domain. Is it no longer best practice for DMZ / Perimeter machines to be non domain joined?



Broken Link

In the text "For a detailed list of Active Directory concepts, see Understanding Active Directory.", the Understanding Active Directory link is broken, and goes to a retired content download page.



Article is largely incorrect

I was plagued with issues during setup. Even after 2 weeks with support there was no progress being made. I ended up finding a 3rd party guide and found that much of this article is out of order and inaccurate. The biggest example I have is that it first has you create app registrations and then the native app and two app proxies. The way it is actually done is you create the app proxies, then you open those proxies in app registration and set the URIs to the addresses in the app registration steps. These steps result in 5 total app or registrations where there should only be 3.

This article resulted in about 3 weeks of frustration only to find the official documentation was wrong and missing massive important steps.



Typo?

Is there a typo in the last couple of PowerShell commands?

The provided command refers to -ZoneScope "AmericaZoneScope":
Add-DnsServerQueryResolutionPolicy -Name "AmericaPolicy" -Action ALLOW -ClientSubnet "eq,AmericaSubnet" -ZoneScope "AmericaZoneScope,1" -ZoneName "woodgrove.com"

However, the instructions before that actually said that we shall create a ZoneScope called USZoneScope - not AmericaZoneScope:
Add-DnsServerZoneScope -ZoneName "woodgrove.com" -Name "USZoneScope"

Converting evaluation to a current retail version works also when the server is a domain controller

In the documentation file https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/get-started/Supported-Upgrade-Paths.md#converting-a-current-evaluation-version-to-a-current-retail-version there is the following text regarding converting an evaluation version to a retail version:


If the server is running an evaluation version of Windows Server 2016 Standard or Windows Server 2016 Datacenter, you can convert it to a retail version as follows:

  1. If the server is a domain controller, you cannot convert it to a retail version. [...]

We have also documented it in this way in our wiki here https://www.thomas-krenn.com/de/wiki/Windows_Server_Evaluierungsversion_in_Vollversion_umwandeln

But meanwhile we got lots of feedback that converting a server (which is running an evaluation license and acting as a domain controller) to a retail version works. So I think that this restriction might not apply anymore.

Could you check this and update the doc in case that it is officially supported to convert an evaluation server (running as a domain controller) to a retail version?

Best regards,
Werner

AD FS and HSTS

The FAQ states the following with respect to "HTTP String [sic] Transport Security" support:

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps mitigate protocol downgrade attacks and cookie hijacking for services that have both HTTP and HTTPS endpoints. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using HTTPS and never via the HTTP protocol.

All AD FS endpoints for web authentication traffic are opened exclusively over HTTPS. As a result, AD FS effectively mitigates the threats that HTTP String Transport Security policy mechanism provides (by design there is no downgrade to HTTP since there are no listeners in HTTP). In addition, AD FS prevents the cookies from being sent to another server with HTTP protocol endpoints by marking all cookies with the secure flag.

Therefore, implementing HSTS on an AD FS server is not required because it can never be downgraded. For compliance purposes, AD FS servers meet these requirements because they can never use HTTP and all cookies are marked secure.

I disagree with this answer because I feel that it neglects to consider an attacker with active MitM capabilities - where AD FS not listening on port 80 is irrelevant (and it's probably a bad idea anyway). Consider the following scenario:

  • Attacker is able to intercept and respond to traffic on the network.
  • Attacker uses something like sslstrip to coerce the victim's browser into requesting the AD FS URL in plaintext (maybe the victim visits an application over http: which redirects to AD FS for auth).
  • Attacker intercepts the response and switches the redirect to use http. There's no HSTS so the browser happily tries to connect using port 80.
  • Attacker proxies requests from AD FS using port 443, stripping Secure flag on any Set-Cookie headers.
  • Credentials are captured.

Is there anything I have missed which would mitigate this sort of attack?

Merge conflict

It seems that this document has a merge conflict.
In the section "Related topics"


Markdown issues with windows commands

Many of the windows commands have problems with markdown formatting. There are angle brackets that should be escaped, and some sections and notes that do not display properly because there isn't enough spacing. The capitalization also seems to have disappeared in many places. I'm guessing these problems resulted from when the documents were converted into markdown.

issue in command

I have done all that, and my printer driver is fine and the test page prints well. It's a USB printer, and the printer says "currently being printed" and does nothing when run from cmd.



Some display issues

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diskcomp

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 Compares the contents of two floppy disks. If used without parameters, diskcomp uses the current drive to compare both disks.

For examples of how to use this command, see Examples.

Should display

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Compares the contents of two floppy disks. If used without parameters, diskcomp uses the current drive to compare both disks.For examples of how to use this command, see Examples.

Update picture in a document

Grammar issue

  • PAWs should be used for managing the operating system and applications that provide Directory Synchronization and Identify Federation for cloud ....

Should read

  • PAWs should be used for managing the operating system and applications that provide Directory Synchronization and Identity Federation for cloud ...

Article about RDP should have hint about restricting source IP.

On this article:
https://github.com/microsoftdocs/windowsserverdocs/blob/master/WindowsServerDocs/remote/remote-desktop-services/clients/remote-desktop-allow-outside-access.md

I suggest that this is added:
After:
then the router's port forwarding will always point to the correct IP address.

But before VPN section:

add this:
"In most routers, you can set which source IP or source network is able to utilize the port mapping. So if you know you are only connecting from work, you can add the IP of your workplace, and then you avoid opening the port to the public internet. If the host you are connecting from has a dynamic IP, you can set the source restriction to allow the whole range of that particular ISP."
