New 2012 R2 Essentials server: seeking ease in converting local accounts to domain accounts

BonzaiDuck

Lifer
Jun 30, 2004
16,094
1,709
126
FINALLY. I'm replacing my WHS 2011 server with the 2012 R2 Essentials. Some will tell me "why not 2016 Essentials?" Well, I bought the license for 2012 in 2015, and this project has been on the back burner since 2016 -- when I finally had all the hardware together and tested.

2011 will stay in operation until I have this new one tweaked to the peak and ready.

Yesterday, I decided to install the Connector on my SKYLAKE workstation. Here's what I discovered: even with the same account names and passwords, creating a domain account for your workstation access creates a whole new profile. My old desktop is gone, and I see a lot of extra trouble nit-picking the resulting domain account until I can see my old desktop icons and preferences again.

So I reversed the process; uninstalled the Connector; dropped the domain account and reverted back to my local account.

I'm already turning up possible options for making the changeover easy when I do it again. In the meantime, does anyone know of (a) a step-by-step process or (b) some sort of utility which makes the conversion easy?
 

BonzaiDuck

Thanks! "Forensit User Profile Wizard." I stumbled onto that just as I made my original thread post.

There is enough in an IT User Blog that offers confidence that it does what you want -- moving your profile from a local profile in a workgroup to a domain account profile.

But I also turned up something else. It follows from this thinking: you want to migrate from a WHS-2011 server with workgroup, passworded accounts and no homegroup -- to the 2012 R2 Essentials server, and do it as quickly as possible. Do you NEED to have computers join the domain now? Can they still join the domain later? And what functions do you lose if it were possible to circumvent joining the domain?

It CAN be done. And Microsoft provides the instructions:

How to skip domain joining during client deployment in a Windows Server 2012 Essentials network

If I can make my workstations circumvent domain joining, I only lose a few functions of W Server 2012 R2 Essentials that I'm not likely to miss. And I don't need to migrate my profile.

I'll back up my registry and try this on one computer. The MS "Windows Server" article addresses versions Win 7 through Win 8.1 -- Pro, Enterprise, Ultimate. Apparently, "Home Premium" is not a problem: you can install connector software and it isn't allowed to join the domain.

So that leaves the question -- asked by posters in the linked article -- "Is this still good for Windows 10?" Somewhere else, I thought I saw that it was, but I'll want to verify first.

The thing that bothers me about having a domain controller for all workstations: all of your internet access has to be routed through the server. If the server is "down," then there would be extra trouble getting access to the internet.

UPDATE: The Microsoft Windows Server link had been referenced in this web-page, which shows in later update log entries that the same approach works for Windows 10.

My old WHS-2011 server is working just fine, and can continue to work just fine. But it's old hardware, therefore slower. Migrating files to the new server for all users on the network is enough of a pain in the A** that quicker solutions, like this one, are desired.

You see, this is what happens when you retired from an "enterprise" network and were moonlighting to teach business database and networking, and you wanted to follow a similar paradigm or way of thinking for your home network. Some people would just create a peer-to-peer and use a Windows 7 box to share files and be a "server" (of sorts).

I'm betting that I can continue backing up the household systems on the new server.
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,103
126
> The thing that bothers me about having a domain controller for all workstations: all of your internet access has to be routed through the server

Where did you find this info?

Unless you set it up this way,

http://www.dell.com/support/article...ng-windows-server-2012-r2-as-a-router?lang=en

and also configure the domain controller as a DHCP server and set it to hand out IP addresses with the gateway pointing to the domain controller,

I've never known any Windows Server that will force you to use it as an internet gateway.

You do need the Pro version and above to join a domain. It's been that way since Windows XP.
 

mxnerd

You can run a server as domain controller and still let Windows Home machines connect to it. But like you said, Home can't join a domain.

That means you can't control Home machines (change settings) from the domain controller server, but Home machines can still access files on the domain controller as long as the permissions are set up correctly.
 

BonzaiDuck

> Where did you find this info?
>
> Unless you set it up this way,
>
> http://www.dell.com/support/article...ng-windows-server-2012-r2-as-a-router?lang=en
>
> and also configure the domain controller as a DHCP server and set it to hand out IP addresses with the gateway pointing to the domain controller,
>
> I've never known any Windows Server that will force you to use it as an internet gateway.
>
> You do need the Pro version and above to join a domain. It's been that way since Windows XP.

Granted. Getting my brother's system upstairs to communicate with the server won't be a problem for that reason. "Home" versions don't require any registry tweaks for installing the Connector. But any Pro, Ultimate or Enterprise OS version will automatically get a new profile for the user upon joining the domain, unless one uses a migration tool like Forensit's User Profile Wizard, or one otherwise goes through more tedious steps. MS has a procedure for this, also: MS TechNet Wiki

As to the other issue, I don't discount that you could be correct and I am wrong in my worries. I don't pretend to be an expert who attends all the MS training sessions available for certificates. I just need to "move up" from WHS 2011 (and WS 2008-R2 -- the basic core of 2011). I have -- it could be a thousand -- obsolete computer books that are destined for Good Will or the trash when I get around to disposal. So I buy a Kindle book on "Windows Server 2012 R2 Essentials." I even bought the Kindle book on 2016 Essentials in the bargain. I follow the text. It tells me that I either need to let the Server OS automatically change my router settings, or I must manually set up port-forwarding in conjunction with the Server system.

Did I misunderstand something? It seems I'm fussing over two issues. First, I don't want to go around and tweak every system because there are new user profiles after making them join the domain -- pissing off my family in the bargain, and causing a lot of extra work. Second, I don't want to risk a problem that the workstations might not suddenly have web access if the server is down -- as a result of them having joined its domain. Even if I'm wrong on the second count, I see from these links I've posted here of forum discussions that a lot of folks had moved up from WHS to 2012 R2 Essentials and see the workaround as a real blessing.

Another thing -- letting the workstations stay in a workgroup or home-group is supposed to make them dysfunctional for purposes of VPN. But I don't use VPN for any of the desktop systems here. Instead, I'd want to set it up for the server itself, but that wouldn't be affected by workstations that haven't been allowed to join the domain.
 

BonzaiDuck

OK! OH--- KAYYYY!

This is essentially what you have to do -- to preserve your existing profile, and circumvent joining the domain of Windows Server 2012 Essentials R2 (or non-R2, or Server 2016 Essentials . . ) so your Windows 10, Windows 7 or Windows 8 computer stays in a Workgroup or Homegroup, and Server 2012 Connector doesn't alter or "mess with" your DNS configuration.

1) Run elevated Command and enter this command-line:

reg add "HKLM\SOFTWARE\Microsoft\Windows Server\ClientDeployment" /v SkipDomainJoin /t REG_DWORD /d 1

If you ever wish to, you can simply delete this key.

2) Restart (probably a good idea). Then, using the computer name of your 2012 Server R2 (and it won't yet appear in your "Network" items of File Explorer), you install the Connector software: http://[server-name]/connect/

BUT -- you stop when it asks for credentials -- the account you set up on 2012 R2 matching your local name and password. Stop right there. Open regedit. Look for:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Server\Networking\ServerDiscovery

Edit or change "SkipAutoDNSServerDetection" from False to True.

3) Enter your account-name and password set up previously as a User on the 2012 R2 system, and let the Connector complete its work.

NOW the server appears as a computer on your "Network" File Explorer node, and the shared folders are available.

However, regardless of whether in workgroup or domain mode on the workstation, you still have to enter server credentials again at boot time. At least -- I think so. I'll have to restart and see.

But! Don't even have to migrate your well-tweaked customized profile to the "domain" profile that would otherwise be created without this.
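
The state this procedure leaves on a workstation can be confirmed with a read-only audit. The script below is an added example, not part of the original post: it exports the two registry keys named above, reports whether SkipDomainJoin and SkipAutoDNSServerDetection hold the values the post gives, and shows domain membership and the DNS servers per adapter. It assumes an elevated Windows PowerShell prompt; `$BackupDir` is a hypothetical path, and because the post does not state the registry type of SkipAutoDNSServerDetection, the value is compared as a string.

```powershell
# Added example: read-only audit of the two Connector workaround values from the post.
# Assumption: elevated Windows PowerShell. $BackupDir is a hypothetical path.
$BackupDir = "$env:USERPROFILE\ConnectorRegBackup"
$Base = 'HKLM:\SOFTWARE\Microsoft\Windows Server'
# Key paths, value names and expected values are the ones given in the post.
$Checks = @(
    @{ Path = "$Base\ClientDeployment"; Name = 'SkipDomainJoin'; Want = '1' },
    @{ Path = "$Base\Networking\ServerDiscovery"; Name = 'SkipAutoDNSServerDetection'; Want = 'True' }
)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($c in $Checks) {
    if (-not (Test-Path $c.Path)) {
        Write-Output ("MISSING KEY  {0}" -f $c.Path)
        continue
    }
    # Export the key first so it can be restored later with 'reg import'.
    $regPath = $c.Path -replace '^HKLM:', 'HKLM'
    $file = Join-Path $BackupDir ("{0}.reg" -f $c.Name)
    & reg.exe export $regPath $file /y | Out-Null

    $prop = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        Write-Output ("NOT SET      {0}" -f $c.Name)
    } else {
        # Compare as a string because the value type is not stated in the post.
        $value = [string]$prop.($c.Name)
        $state = if ($value -eq $c.Want) { 'AS POSTED' } else { 'DIFFERS' }
        Write-Output ("{0,-12} {1} = {2}" -f $state, $c.Name, $value)
    }
}

# Domain membership: PartOfDomain = False means the machine is still in a workgroup.
$cs = Get-WmiObject -Class Win32_ComputerSystem
Write-Output ("PartOfDomain = {0}; Domain/Workgroup = {1}" -f $cs.PartOfDomain, $cs.Domain)

# DNS servers per IP-enabled adapter, to confirm the Connector left them unchanged.
Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        Write-Output ("DNS on '{0}': {1}" -f $_.Description, ($_.DNSServerSearchOrder -join ', '))
    }
```

Running it once before installing the Connector and once afterwards gives a before/after record of the DNS settings and the exported keys.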
 

mxnerd

Don't know which Kindle book you bought.

If it says you have to let Essentials 2012 change router settings so you don't have to set port forwarding,
it's only for allowing you to access the server from outside remotely.

It doesn't mean your workstations have to use the domain controller as gateway.

==

This tells you how to configure your router (a lot of different brands and models) so you can access your server remotely.

https://social.technet.microsoft.co...dows-server-2012-essentials-router-setup.aspx

It doesn't mean you have to configure the server (domain controller) as a router.
 

BonzaiDuck

> Don't know which Kindle book you bought.
>
> If it says you have to let Essentials 2012 change router settings so you don't have to set port forwarding,
> it's only for allowing you to access the server from outside remotely.
>
> It doesn't mean your workstations have to use the domain controller as gateway.
>
> ==
>
> This tells you how to configure your router (a lot of different brands and models) so you can access your server remotely.
>
> https://social.technet.microsoft.co...dows-server-2012-essentials-router-setup.aspx
>
> It doesn't mean you have to configure the server (domain controller) as a router.

Sure -- that's good information, so thank you.

But it still leaves me with the borked local profile replaced by a new one upon joining the domain. For that, there are utilities like Forensit's Profile Wizard, or a procedure from a TechNet page.

A lot of folks just didn't want to use the domain controller feature, upgrading as they did from WHS. You see it over several online forums for the last five years or so.

Eventually, I could join all our workstations that way. But the hack or workaround I'd described has a log of comments spanning some two or three years, and it just works -- and continues to work. There is some speculation about how MS Updates or Feature Upgrades might require compensating tweaks after the fact, but I didn't see any indication that such a situation developed.

MY BIG PRIORITY THIS WEEK IS TO WEAN THE HOUSEHOLD FROM THE WHS-2011 SERVER SO I CAN TAKE IT APART AND RE-DEPLOY THE DISKS. I can worry about this other aspect as it suits me.

The price to pay for circumventing the domain controller so far seems to be a certain obscurity of the shared folders available for a machine and its local account. The server doesn't appear in the "Network and Sharing Center" diagram and list of devices. It only appears when you open the Launchpad of the connector software, which has a link for shared folders. Once you open File Explorer from that, you can map the drives.

And -- again -- the complaints I see on the forums of people who think this hack is a godsend, are that the domain controller "messes with" DNS configuration of the workstation. I'm not sure I understand the specifics of this, and it wouldn't be a problem for me if I didn't have to import and tweak the local profile to be a domain profile.

Anyway, the client backups seem to proceed expeditiously on the server.

By the way. The original procedure for circumventing the domain-join process was laid out for Windows Server 2012 and Essentials before the release of R2 -- by Microsoft techies addressing the complaints of users. The extra tweak required prior to entering credentials in Connector installation was an additional requirement for the R2 Essentials release.
 