Windows/Server: Difference between revisions

Latest revision as of 20:31, 19 November 2025

Download

https://www.microsoft.com/de-de/evalcenter/download-windows-server-2025
- https://go.microsoft.com/fwlink/?linkid=2293216&clcid=0x407&culture=de-de&country=de

Active Directory

Rename server

Rename-Computer -NewName "RDS" -Restart

Server Manager -> Add roles -> Active Directory Domain Services + DNS

Install-WindowsFeature AD-Domain-Services, DNS -IncludeManagementTools

Active Directory -> Promote -> Add new forest (ad.example.de)

$SecurePassword = Read-Host -Prompt "SafeMode Admin Password" -AsSecureString

Install-ADDSForest -DomainName "ad.example.com" -DomainNetbiosName "AD" -InstallDns -SafeModeAdministratorPassword $SecurePassword

Remote Desktop Services

Add user group

Import-Module ActiveDirectory
New-ADGroup "RDS allow log on" -GroupScope Global -GroupCategory Security

Install role

Install-WindowsFeature RDS-RD-Server,RDS-Licensing -IncludeManagementTools
Restart-Computer

Group Policy Management (gpmc.msc)
- Forest → Domains → ad.example.de → Right click: Domain Controllers → Create GPO: "RDS"
- Right click: "RDS" → Edit

Computer Configuration → Policies → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Licensing

-> Use the specified Remote Desktop license servers: Enable and add Server FQDN
-> Set the Remote Desktop licensing mode: Per User

Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → User Rights Assignment 
-> Allow log on through Remote Desktop Services → add "Administrators", "RDS allow log on"

Update policies

gpupdate

Verify policies
- "secpol"

Enable users - Add users to groups:
- Remote Desktop Users
- RDS allow log on

Time Service

w32tm /query /status
w32tm /query /peers
w32tm /query /source

w32tm /resync
w32tm /resync /force

#Standalone
w32tm /config /manualpeerlist:"time.cloudflare.com,0x8 time.google.com,0x8 0.de.pool.ntp.org,0x8" /syncfromflags:manual /update
net stop w32time
net start w32time
w32tm /resync /force

Windows Search Services

Install

Install-WindowsFeature Search-Service -IncludeManagementTools
Get-WindowsFeature Search-Service                                 # Verify

Enable Service

Start-Service WSearch
Set-Service WSearch -StartupType Automatic
Get-Service WSearch

Check Indexer Status

Get-CimInstance -Namespace "root\cimv2" -ClassName "Win32_Service" | Where-Object {$_.Name -eq "WSearch"}

control.exe srchadmin.dll

Disable perUser Index

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Search" -Name "EnablePerUserCatalog" -Value 0 -Type DWord
Restart-Service WSearch
control.exe srchadmin.dll
-> rebuild index

Automatic Updates (without WSUS)

# Enable automatic updates
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "NoAutoUpdate" -Value 0

# Configure automatic updates (4 = auto download and schedule install)
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "AUOptions" -Value 4
# 2 = Notify for download and auto install
# 3 = Auto download and notify for install
# 4 = Auto download and schedule the install
# 5 = Allow local admin to choose setting

Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "ScheduledInstallDay" -Value 0
# 0 = every day, 1 - 7 = sunday - saturday

Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "ScheduledInstallTime" -Value 3
# Hour of the day in 24-hour format ( 3 = 03:00 )

M365

Set OneDrive Default Dir / Not working??

New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft" -Name "OneDrive" -Force

New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\OneDrive" -Name "DefaultRootDir" -Value "D:\%username%\OneDrive" -PropertyType String -Force

@@ Line 1: / Line 1: @@
+== Download ==
+* https://www.microsoft.com/de-de/evalcenter/download-windows-server-2025
+** https://go.microsoft.com/fwlink/?linkid=2293216&clcid=0x407&culture=de-de&country=de
 == Active Directory ==
 * Rename server
@@ Line 17: / Line 22: @@
 <blockquote>
 <pre>
-Install-ADDSForest -DomainName "ad.example.com" -DomainNetbiosName "AD"
+$SecurePassword = Read-Host -Prompt "SafeMode Admin Password" -AsSecureString
+Install-ADDSForest -DomainName "ad.example.com" -DomainNetbiosName "AD" -InstallDns -SafeModeAdministratorPassword $SecurePassword
 </pre>
 </blockquote>
@@ Line 38: / Line 45: @@
 </blockquote>
-* Group Policy Management
+* Group Policy Management (gpmc.msc)
 ** Forest → Domains → ad.example.de → Right click: Domain Controllers → Create GPO: "RDS"
 ** Right click: "RDS" → Edit
-*** Computer Configuration → Policies → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Licensing
+<blockquote>
-**** Use the specified Remote Desktop license servers: Enable and add Server FQDN
+<pre>
-**** Set the Remote Desktop licensing mode: Per User
+Computer Configuration → Policies → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Licensing
-*** Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → User Rights Assignment
-**** Allow log on through Remote Desktop Services → add "RDS allow log on"
+-> Use the specified Remote Desktop license servers: Enable and add Server FQDN
+-> Set the Remote Desktop licensing mode: Per User
+</pre>
+</blockquote>
+<blockquote>
+<pre>
+Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → User Rights Assignment
+-> Allow log on through Remote Desktop Services → add "Administrators", "RDS allow log on"
+</pre>
+</blockquote>
 * Update policies
 <blockquote>
@@ Line 71: / Line 89: @@
 #Standalone
 w32tm /config /manualpeerlist:"time.cloudflare.com,0x8 time.google.com,0x8 0.de.pool.ntp.org,0x8" /syncfromflags:manual /update
-net stop w32time && net start w32time
+net stop w32time
+net start w32time
 w32tm /resync /force
 </pre>
+== Windows Search Services ==
+* Install
+<blockquote>
+<pre>
+Install-WindowsFeature Search-Service -IncludeManagementTools
+Get-WindowsFeature Search-Service                                 # Verify
+</pre>
+</blockquote>
+* Enable Service
+<blockquote>
+<pre>
+Start-Service WSearch
+Set-Service WSearch -StartupType Automatic
+Get-Service WSearch
+</pre>
+</blockquote>
+* Check Indexer Status
+<blockquote>
+<pre>
+Get-CimInstance -Namespace "root\cimv2" -ClassName "Win32_Service" | Where-Object {$_.Name -eq "WSearch"}
+control.exe srchadmin.dll
+</pre>
+</blockquote>
+* Disable perUser Index
+<blockquote>
+<pre>
+Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Search" -Name "EnablePerUserCatalog" -Value 0 -Type DWord
+Restart-Service WSearch
+control.exe srchadmin.dll
+-> rebuild index
+</pre>
+</blockquote>
+== Automatic Updates (without WSUS) ==
+<blockquote>
+<pre>
+# Enable automatic updates
+Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "NoAutoUpdate" -Value 0
+# Configure automatic updates (4 = auto download and schedule install)
+Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "AUOptions" -Value 4
+# 2 = Notify for download and auto install
+# 3 = Auto download and notify for install
+# 4 = Auto download and schedule the install
+# 5 = Allow local admin to choose setting
+Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "ScheduledInstallDay" -Value 0
+# 0 = every day, 1 - 7 = sunday - saturday
+Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name "ScheduledInstallTime" -Value 3
+# Hour of the day in 24-hour format ( 3 = 03:00 )
+</pre>
+</blockquote>
+== M365 ==
+* Set OneDrive Default Dir / Not working??
+<blockquote>
+<pre>
+New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft" -Name "OneDrive" -Force
+New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\OneDrive" -Name "DefaultRootDir" -Value "D:\%username%\OneDrive" -PropertyType String -Force
+</pre>
+</blockquote>
 [[Category:Windows]]