If users are getting an authentication prompt when accessing domain resources through Always On VPN, make sure that Domain Controllers have the appropriate digital certificates. The certificate must have KDC Authentication, Smart Card Logon, Server Authentication and Client Authentication in the Enhanced Key Usage (EKU) field. The pre-existing Kerberos Authentication can be duplicated and used as a baseline template for the certificates.

References:

https://directaccess.richardhicks.com/2019/05/20/always-on-vpn-clients-prompted-for-authentication-when-accessing-internal-resources/

Have you been having issues with Microsoft Azure AD Sync service after a simple reboot of the Windows Server? These simple steps might help:

Copy model.mdf and modellog.ldf files from

C:\Program Files\Microsoft SQL Server\150\LocalDB\Binn\Templates

to either

C:\Users\ADSyncxxxxx$\AppData\Local\Microsoft\Microsoft SQL Server Local DB\Instances\ADSync2019

or

C:\Windows\ServiceProfiles\ADSync\AppData\Local\Microsoft\Microsoft SQL Server Local DB\Instances\ADSync2019

This issue should not occur starting from version 2.1.1.0 of MS Azure AD Connect. Read the Microsoft doc below to perform a manual in-place upgrade of Azure AD Connect.

References:

https://www.reddit.com/r/sysadmin/comments/rxkd7m/has_your_azure_ad_connect_been_unable_to_start/

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-upgrade-previous-version#in-place-upgrade

In Microsoft 365 / Exchange Online, to connect a soft deleted mailbox, you have need to use the cmdlet New-MailboxRestoreRequest to restore the mailbox to another user.

Get-Mailbox -SoftDeletedMailbox | select guid

Get-Mailbox <NewMailbox> | select guid

New-MailboxRestoreRequest -SourceMailbox <GUID> -TargetMailbox <GUID of new mailbox> -AllowLegacyDNMismatch

To check the status of the restore:

Get-MailboxRestoreRequest | Get-MailboxRestoreStatistics

References:

Reddit

If you are noticing seemingly random RDS session freezing on Windows 10/11 clients, this registry key might help. It disables the UDP protocol for RDP connections, which Microsoft enabled by default since Windows 10 1809/1909. I have had this issue occur on Windows 10 21H2.

HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Client

DWORD fClientDisableUDP 1

A reboot of the machine was not needed, after closing the RDP session and reconnecting, TCP was being used. You can check which protocol is being used by clicking the symbol at the top:

References:

https://www.michaelmaw.com/how-to-fix-remote-desktop-freezing/

https://community.spiceworks.com/topic/2269433-remote-desktop-randomly-freezes-up

Having two logins for the same user isn’t practical for both the user and administrator. That’s why you should use this guide to convert a cloud user into an Azure AD Synced user. Having an Azure AD Synced user is very handy, because the user can then use one password for all the services he might need, plus you can combine login with Seamless Signon.

So you basically have this user in the Cloud:

That should be replaced by this on-prem user:

First of all, make sure that the on-prem user is not being synced.

Then connect to Microsoft Online through PowerShell. If you don’t have the module, install it first (hit y twice):

Install-Module MsOnline

Connect-MsolService

Link the objectGUID with the immutableID of the Cloud user:

$upn = “aku.test@ajni.it”

The objectGUID needs to be in Base64 format.

$id = [system.convert]::ToBase64String((Get-ADUser -filter {userprincipalname -eq $upn}).objectGUid.ToByteArray())

Set-MsolUser -UserPrincipalName $upn -ImmutableId $id

Now move the on-prem user to an OU that is synced to the Cloud and run a manual ADSync:

Start-ADSyncSyncCycle -PolicyType Delta

The user is now synced:

References:

https://jasonhowe.net/2019/08/11/convert-office-365-user-from-cloud-to-ad-synced/