All posts tagged migration

Windows Server 2016 End of Life January 2027: Plan Your AD CS Migration Now

Happy New Year, everyone! As the calendar rolls over to 2026, it’s time to start planning the migration of workloads hosted on Windows Server 2016. Mainstream support ended for Windows Server 2016 on January 11, 2022, after which it entered extended support. However, extended support for Windows Server 2016 ends on January 12, 2027, at which point it will be end of life and no longer supported. Running production workloads on Windows Server 2016 beyond this date exposes organizations to significant security risk, as it no longer receives security updates, leaving these systems vulnerable to exploits.

Active Directory Certificate Services

Many organizations are still running critical infrastructure on Windows Server 2016. Administrators often delay upgrading Microsoft Active Directory Certificate Services (AD CS) due to its complexity. However, a well-planned AD CS migration not only reduces risk but also provides an opportunity to modernize cryptography, certificate templates, and operational practices.

Certificate Authorities

Administrators must carefully migrate Certificate Authorities (CAs) running on Windows Server 2016 to minimize downtime. In environments where ongoing CA maintenance has been limited, migrating the CA database can be especially challenging. If the CA is installed on a domain controller, now is a good time to consider separating these services to ensure reliable operation. Also, it’s a good idea to evaluate the CA’s configuration and security posture during migration to enhance security and improve service resilience.

NDES Servers

Microsoft Network Device Enrollment Services (NDES) servers, commonly deployed to facilitate certificate enrollment via Microsoft Intune, pose a unique challenge during migration. Unfortunately, configuring NDES is exceedingly complex and error-prone. NDES relies on a delicate combination of specialized IIS configuration, AD service accounts, custom certificate templates, and CA permissions, making even minor changes risky without proper planning. Not surprisingly, administrators are often hesitant to touch these systems as they are notoriously difficult to troubleshoot when problems arise.

Pro Tip: We spend an entire day covering NDES configuration in the Mastering Enterprise PKI Certificates with Microsoft Intune training course. The next session is March 10-12, 2026. Register now!

Intune Certificate Connectors

Don’t overlook Windows Server 2016 servers with the Intune Certificate Connector installed. Fortunately, this is one of the more manageable workloads to migrate. All that’s required is to install new connectors on supported servers and delete the old ones.

Summary

With extended support for Windows Server 2016 ending on January 12, 2027, organizations running production workloads—especially critical infrastructure such as Active Directory Certificate Services (AD CS), Certificate Authorities (CAs), and NDES servers—face significant security risks from unpatched vulnerabilities once the OS reaches end-of-life. Careful migration planning to newer versions such as Windows Server 2022 or 2025 is essential to minimize downtime, improve security posture, and ensure long-term resilience.

Start Planning Now

Don’t leave these mission-critical infrastructure services to the last minute! Begin planning your migration today. If you’d like expert guidance, I have many years of experience migrating these workloads. I have developed specialized tools and techniques to ensure a smooth, secure, and successful transition. Fill out the form below to schedule a free one-hour consultation to assess your Windows Server 2016 AD CS workloads, identify migration risks, and outline next steps.

Additional Information

Windows Server 2016 Lifecycle Policy

PKI Fundamentals with Microsoft Active Directory Certificate Services (AD CS) Online Training Course

Mastering Enterprise PKI Certificates with Microsoft Intune Online Training Course

Leave a comment
by Richard M. Hicks on January 1, 2026  •  Permalink
Posted in Active Directory Certificate Services, AD CS, ADCS, authentication, CBA, Certificate Authentication, Certificate Authority, Certificate Connector for Intune, Certificate Services, Certificate-Based Authentication, certificates, Consulting Services, Cryptography, Encryption, end of life, Enterprise, Entra Certificate-Based Authentication, EOL, Infrastructure, InTune, Intune Certificate Connector, Intune PFX Connector, Microsoft, Microsoft Intune, NDES, Network Device Enrollment Service, Network Device Enrollment Services, Operational Support, PFX Connector, PKCS, PKI, Professional Services, public key infrastructure, SCEP, Security, Simple Certificate Enrollment Protocol, Update, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on January 1, 2026

https://directaccess.richardhicks.com/2026/01/01/windows-server-2016-end-of-life-january-2027-plan-your-ad-cs-migration-now/

Migrating from Always On VPN DPC Commercial to Open Source

Always On VPN Dynamic Profile Configurator (DPC) is a software solution that enables administrators to deploy and manage Always On VPN client configuration settings using Active Directory and Group Policy or Microsoft Intune. DPC began life as a commercial product. Recently, DPC has been released to the public via open source. DPC open source allows administrators everywhere to deploy the solution without cost. If you’re not using DPC today, I’d strongly recommend it. If you were previously a DPC commercial customer, you’ll want to migrate to DPC open source soon.

We’re on Discord! Join the conversation: https://discord.aovpndpc.com/.

Migration

Migrating from DPC commercial to open source requires the administrator to deploy a Group Policy Object (GPO) and client software in a specific order to avoid disruption to end users. Perform the following steps to complete the migration.

GPO Files

Download the DPC v5.0 (open source) group policy settings file (ADMX) file here and the language definition (ADML) file here.

After downloading the files, copy dpc.admx to the following location.

\\<DC name>\sysvol\<domain name>\Policies\PolicyDefinitions

Next, copy dpc.adml to the following location.

\\<DC name>\sysvol\<domain name>\Policies\PolicyDefinitions\en-US

Once complete, allow domain controller replication to finish before deploying DPC group policy settings.

New GPO

Create a new GPO that will contain the VPN client configuration settings. Do NOT copy the original DPC commercial GPO. Starting with a blank GPO is best to ensure proper operation and prevent conflicts. Also, please note the location for DPC settings has changed. The new location for DPC v5.0 settings is:

Computer Configuration > Policies > Administrative Templates > DPC Client

You can now link the GPO to the applicable OU(s) or complete this task before deploying the new software.

Migration Tool

The easiest way to migrate from DPC commercial to open source is to migrate the settings from the current GPO to a new one. A PowerShell script is available to simplify this task. You can download the Migrate-DpcConfig.ps1 PowerShell script here.

Note: It is not strictly required to migrate your current settings from DPC commercial. Although this migration script makes importing settings easier, nothing prevents you from creating a new GPO for DPC open source and starting from scratch if you wish.

Prerequisites

The PowerShell migration script requires the installation of the Remote Server Administration Tools (RSAT). Specifically, the Group Policy Management tools are needed. Although it’s possible to run this script on a domain controller, it is not recommended. The best practice is to install the RSAT tools on an administrative workstation or server.

You can install the necessary RSAT feature on Windows 11 by opening an elevated PowerShell or command window and running the following command.

dism.exe /Online /add-capability /CapabilityName:Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0

On Windows Server, you can install the Group Policy Management tools by opening an elevated PowerShell command window and running the following command.

Install-WindowsFeature -Name GPMC

Once complete, restart the server to complete the installation process.

Import Settings

To migrate the DPC settings, open an elevated PowerShell command window and run the following command.

.\Migrate-DpcSetting.ps1 -PreviousGPOName <name of old DPC GPO> -NewGPOName <name of new DPC GPO>

For example,

.\Migrate-DpcSetting.ps1 -PreviousGPOName ‘Always On VPN DPC’ -NewGPOName ‘Always On VPN DPC – Open Source’

Apply GPO

If not done earlier, link the new DPC open-source GPO to the applicable OU(s). Do NOT unlink or delete the old GPO until all endpoints have been upgraded to the DPC v5.0 client.

Install Software

Once the new GPO has been configured and applied in Active Directory, the next step is to upgrade the DPC commercial client to the DPC open source client (v5.0). Software can be deployed via GPO using Active Directory software installation, SCCM, or any other method you use in your environment to deploy software. No switches or additional parameters are required to perform the upgrade. Simply run the .MSI file on the device, and the upgrade will occur automatically.

Important Note: Administrators must ensure that the new GPO settings are applied to the endpoint before installing the DPC v5.0 client.

Clean Up

After all endpoints have been upgraded to DPC v5.0, administrators can remove the DPC commercial GPO from AD. In addition, the commercial DPC ADMX and ADML files can be removed from domain controllers if desired.

Need Help?

If you’d like assistance migrating DPC commercial to open source, please don’t hesitate to reach out! I’m available to answer questions or provide remote assistance if necessary. You can reach me on the DPC-Chat channel on Discord here. Alternatively, you can fill out the form below, and I’ll provide more information.

← Back

Thank you for your response. ✨

Additional Information

PowerON Platforms Are No More

Always On VPN DPC Open Source

Always On VPN DPC Advanced Features

Always On VPN DPC with Microsoft Intune

1 Comment
by Richard M. Hicks on January 6, 2025  •  Permalink
Posted in Active Directory, administration, Always On VPN, Always On VPN DPC, AOVPN, AovpnDPC, Deployment, Device Management, device tunnel, DPC, Dynamic Profile Configurator, Enterprise, enterprise mobility, GitHub, Group Policy, Infrastructure, InTune, MDM, MEM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, Open Source, Operational Support, PowerShell, ProfileXML, Remote Access, RSAT, SCCM, System Center Configuration Manager, systems management, user tunnel, VPN, Windows 10, Windows 11
Tagged , , , , , , , , , , ,

Posted by Richard M. Hicks on January 6, 2025

https://directaccess.richardhicks.com/2025/01/06/migrating-from-always-on-vpn-dpc-commercial-to-open-source/

Windows Server 2012 and 2012 R2 End of Life

DirectAccess on Microsoft Windows

I want to remind you of a critical upcoming milestone that may affect your business. In just 60 days, we will reach the end of support for Windows Server 2012 and Windows Server 2012 R2. As of October 10, 2023, these operating systems will no longer receive security updates or technical support from Microsoft.

End of Support

End of support means your servers will be more vulnerable to security risks and potential threats. It is essential to take action now to ensure your IT infrastructure’s continued security and stability. Upgrading to newer, supported operating systems will protect your data and systems from potential cyber threats and provide access to enhanced features and performance improvements.

Don’t Wait

Now is the time to migrate those remaining workloads for those still running Windows Server 2012 and 2012 R2! Consider the following commonly deployed services that may still be running on Windows Server 2012 or 2012 R2 in your organization.

Remote Access – Windows Server Routing and Remote Access Service (RRAS) is commonly deployed to provide secure remote access for field-based workers. In addition, Absolute Secure Access (formerly NetMotion Mobility) is a widely implemented premium alternative to RRAS. Organizations may be hesitant to migrate these workloads because disrupting remote workers is painful.

DirectAccess – This remote access technology is widely deployed and extremely difficult to migrate. In addition, the complex nature of DirectAccess, with its many intricate interdependencies, poses a significant challenge to organizations migrating this role.

PKI – This is likely the most common enterprise service to be found running on Windows Server 2012 and 2012R2. Most organizations relying on Windows Active Directory Certificate Services (AD CS) to issue and manage enterprise certificates are reluctant to move this workload once it is deployed. This service is much easier to migrate than you might think! It can be done without disruption as well.

Consulting Services

We understand that upgrading might require careful planning and coordination, and our team is here to support you throughout the transition process. Don’t delay – take this opportunity to safeguard your organization’s data and systems by upgrading to the latest Windows Server version or exploring cloud-based solutions.

Get In Touch

Please don’t hesitate to contact us for further assistance or any questions regarding the upgrade process. Together, let’s ensure your business remains secure and productive. You can get started today by booking a free one-hour consultation to discuss your migration strategy. Just fill out the form below and I’ll provide more information.

Leave a comment
by Richard M. Hicks on August 14, 2023  •  Permalink
Posted in Active Directory Certificate Services, AD CS, administration, Always On VPN, AOVPN, Certificate Services, certificates, DirectAccess, end of life, Enterprise, enterprise mobility, Infrastructure, Microsoft, Mobility, Operational Support, PKI, Professional Services, public key infrastructure, Remote Access, RRAS, Security, VPN, Windows Server 2012, Windows Server 2012 R2
Tagged , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on August 14, 2023

https://directaccess.richardhicks.com/2023/08/14/windows-server-2012-and-2012-r2-end-of-life/