The Engine Room

Active Directory is the identity and access management backbone of virtually every on-premises Windows enterprise environment. Understanding what a domain controller actually does, how forests and trusts work, and why AD relies on Kerberos and DNS explains the foundation that everything from file shares to VPN authentication is built on.

Domain Controllers are the servers that make Active Directory work. This article covers what a DC does, how FSMO roles are distributed across the domain, the purpose of Read-Only Domain Controllers, and how to deploy DCs in Azure-connected hybrid environments.

AD DS replication is not a simple broadcast — it is a topology-aware system built around sites, site links, and an automatic topology generator. This article explains how changes propagate across domain controllers, how SYSVOL replication works, and how to diagnose replication failures.

Active Directory trusts define the boundaries across which authentication and resource access can flow. This article covers trust direction, transitivity, the major trust types, and the security controls — SID filtering and selective authentication — that constrain what a trust actually permits.

Service accounts with manually managed passwords are a persistent security liability. Group Managed Service Accounts (gMSAs) solve this by having Active Directory generate, rotate, and distribute complex passwords automatically, with no human ever knowing the credential.

Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based identity and access management service. It is not simply 'AD in the cloud' — it has a fundamentally flat structure with no OUs, uses OAuth 2.0 and OIDC instead of Kerberos, and is built around modern authentication concepts like conditional access and identity protection.

Most enterprise environments aren't purely on-premises or purely cloud — they're hybrid. Microsoft Entra Connect synchronises on-premises Active Directory identities to Entra ID so users can authenticate to both with the same credentials. Understanding the three sync modes and their security trade-offs determines whether a phished password can be used against cloud resources.

Entra Connect Cloud Sync is a provisioning agent that synchronises on-premises Active Directory identities to Microsoft Entra ID without requiring a dedicated sync server. This article covers its architecture, supported scenarios, limitations compared to full Entra Connect, and how to decide which tool fits your environment.

Hybrid identity failures are often silent — a sync error or DC issue can break cloud access for hundreds of users before anyone notices. Entra Connect Health provides centralised monitoring of the sync pipeline, domain controllers, and AD FS infrastructure, surfacing problems before they become outages.

Group Policy Objects (GPOs) are the primary mechanism for pushing configuration to every Windows machine and user in an Active Directory domain — from password complexity requirements and mapped drives to software installation and security baselines. Understanding how GPO inheritance and the LSDOU processing order works explains why a setting on a laptop isn't behaving the way the admin intended.

Windows Admin Center is a browser-based management interface that consolidates most Server Manager and MMC console tasks into a single, extension-driven web UI. It operates in either gateway mode (centralised) or desktop mode (local) and integrates natively with Azure hybrid services.

PowerShell Remoting uses the WinRM protocol to execute commands on remote machines, enabling both interactive sessions and parallel batch operations across large server fleets. Just Enough Administration (JEA) extends this model with constrained endpoints that delegate specific capabilities to non-administrator accounts.

Azure Arc extends the Azure management plane to servers running anywhere — on-premises data centres, third-party clouds, or edge locations — by installing a lightweight agent that registers each machine as an Azure resource. Once onboarded, Arc-enabled servers are subject to the same Azure Policy, RBAC, and monitoring tooling as native Azure VMs.

Unpatched servers remain the most common vector for infrastructure compromise. This article covers the evolution from on-premises WSUS through to Azure Update Manager, and explains how to think about patch rings, maintenance windows, and compliance reporting across a hybrid server fleet.

Microsoft Defender for Cloud combines cloud security posture management (CSPM) with cloud workload protection (CWP) into a single service. It continuously assesses your Azure, hybrid, and multi-cloud environments, produces a quantified secure score, and provides active threat detection through integration with Microsoft Defender for Endpoint.

Azure Automation is a cloud service for process automation and configuration management across Azure, on-premises, and multi-cloud environments. Runbooks automate repetitive operational tasks, while Desired State Configuration (DSC) declaratively defines and enforces server configuration — detecting and correcting drift without human intervention.

Microsoft Intune is the cloud-based MDM and MAM platform that replaces on-premises SCCM for device management in modern Microsoft 365 deployments. It enrolls and manages Windows, macOS, iOS, and Android devices — pushing configuration, enforcing compliance, deploying apps, and wiping lost devices — without requiring a VPN or on-premises infrastructure.

Imaging is the process of deploying a pre-configured Windows installation to multiple machines. The toolchain has evolved from WDS (unicast/multicast network PXE boot) through MDT (task sequences, driver injection, application installation) to Windows Autopilot (cloud-first, no custom image required). Understanding the full stack explains why enterprises choose each approach and where they're headed.

Hyper-V is Microsoft's Type 1 hypervisor, built into Windows Server and Windows 10/11 Pro. Unlike ESXi which runs on dedicated hardware, Hyper-V integrates with Windows Server to provide virtualisation alongside the existing management infrastructure — Active Directory, SCOM, SCVMM. Understanding the parent/child partition model, virtual switches, and Failover Clustering explains how Windows-centric shops build resilient virtualised infrastructure.

Hyper-V's virtual network stack translates physical network hardware into a flexible, software-defined layer that VMs and the host management OS share. Understanding vSwitch types, NIC teaming strategies, and hardware offload technologies like SR-IOV and RDMA is essential for designing performant and resilient virtualised infrastructure.

High availability for Hyper-V workloads is not a single feature but a stack of complementary technologies each addressing a different failure scenario. Live Migration handles planned downtime, Failover Clustering responds to unplanned host failures, and Hyper-V Replica provides site-level disaster recovery — understanding when each applies is fundamental to designing resilient virtualised infrastructure.

Windows containers package applications and their dependencies into portable, isolated units that share the host OS kernel rather than emulating full hardware. Understanding the two isolation modes, the available base images, and how Windows containers fit into a broader Kubernetes or Docker deployment is essential for modernising Windows Server workloads.

Windows Server DNS is not simply a DNS server that happens to run on Windows — its deep integration with Active Directory DS makes it the authoritative foundation for domain authentication, service location, and secure dynamic registration. Understanding AD-integrated zones, SRV record dependencies, and hybrid forwarding patterns is essential for any Windows infrastructure role.

Windows Server DHCP extends the base DHCP protocol with Active Directory integration, failover redundancy, and centralised management features that make it suitable for enterprise-scale deployments. Understanding scope design, option precedence, failover modes, and the relay agent model is foundational for any Windows Server infrastructure role.

Windows Server IPAM provides a centralised view of IP address space, DHCP scope state, and DNS zone data across the entire infrastructure from a single management point. Understanding what IPAM manages, how it discovers infrastructure, and where its limitations lie is important for evaluating when it meets enterprise needs and when a third-party solution is required.

Network Policy Server is Microsoft's RADIUS implementation, providing centralised authentication, authorisation, and accounting for 802.1X wired and wireless access, VPN, and other network access scenarios. Understanding how NPS policies are structured, which EAP methods apply to which use cases, and how the Azure MFA extension extends NPS capabilities is foundational for securing network access in Windows environments.

Windows Server's Remote Access role has evolved from simple dial-up routing through RRAS VPN and DirectAccess to the modern Always On VPN architecture. Each technology was designed for a different threat model and management approach, and understanding the architectural differences — not just the configuration — explains when each applies and why Always On VPN is the current standard for managed Windows devices.

Web Application Proxy is a Remote Access role service in Windows Server that publishes internal web applications and services to external users without placing servers in a DMZ or opening inbound firewall rules. It integrates tightly with AD FS to provide pre-authentication at the perimeter, ensuring unauthenticated requests never reach internal infrastructure.

Storage Spaces is the software-defined storage layer built into Windows Server, enabling administrators to pool heterogeneous physical disks into a unified capacity pool and provision virtual disks with configurable resiliency. It decouples storage management from physical hardware, allowing flexible provisioning, tiering, and high availability without dedicated storage controllers.

Storage Replica is a synchronous and asynchronous block-level volume replication feature built into Windows Server 2016 and later. It provides disaster recovery and high availability without third-party software by replicating storage at a level below the filesystem, making it applicable to any workload regardless of the data format stored on the volume.

The Distributed File System in Windows Server comprises two independently useful but complementary components: DFS Namespaces, which presents a unified virtual folder tree that maps to shares on multiple servers, and DFS Replication, which synchronises folder content between servers using an efficient delta-compression algorithm. Together they enable transparent, highly available file access across distributed environments.

Azure File Sync synchronises Windows file server shares to Azure Files, creating a cloud-backed copy of on-premises data while allowing servers to cache only the most-accessed files locally through cloud tiering. It supports multi-server sync, enabling branch offices and remote sites to share file content via a common cloud endpoint without requiring direct server-to-server replication.

Data Deduplication identifies and eliminates redundant data chunks across files on a volume, storing each unique chunk only once and replacing duplicates with lightweight pointers. Running as a post-process background job, it reduces storage consumption on eligible volumes without impacting write performance, and delivers the most dramatic savings on workloads with inherently repetitive data such as VDI environments and general-purpose file shares.

Exchange Online is the hosted email and calendaring component of Microsoft 365. It replaced on-premises Exchange Server for most organisations, but the underlying concepts — mailbox databases, transport pipeline, connectors, DAGs — are still relevant even if Microsoft now manages the infrastructure. Understanding Exchange Online's architecture explains why email delivery sometimes fails and how to fix it.

An M365 tenant is the top-level organisational boundary in Microsoft's cloud — a dedicated instance of Entra ID plus a subscription to Microsoft services. Understanding what a tenant is, how licenses map to services, and what the admin centres actually control is the prerequisite for everything from deploying Exchange Online to configuring Teams telephony.

Azure Monitor is Microsoft's unified observability platform, collecting time-series metrics and structured log data from Azure resources, on-premises servers via Azure Arc, and applications. Log Analytics Workspaces serve as the central repository for log data, queried using the Kusto Query Language, while alert rules, workbooks, and integrations with Defender for Cloud make it the operational backbone for both cloud and hybrid Microsoft environments.

Every Microsoft 365 tenant starts life with a .onmicrosoft.com domain, but real-world deployments require custom domain names. DNS is the bridge that proves ownership, routes mail, enables Teams, and ties every M365 workload to your organisation's identity.

Microsoft 365 provides a layered set of administrative roles that allow organisations to delegate specific management tasks without granting blanket control. Understanding which role fits which responsibility is fundamental to operating a least-privilege environment.

Privileged Identity Management converts permanent admin role assignments into time-limited, approval-gated activations. It is the primary tool Microsoft recommends for reducing the attack surface created by standing privileged access in an Entra ID tenant.

Administrative Units are containers in Entra ID that restrict an administrator's scope to a defined subset of users, groups, or devices. They solve the problem of over-broad role assignments in large organisations where different teams should only manage their own populations.

Conditional Access is the Entra ID policy engine that evaluates every access request against a set of signals — user identity, device state, location, application, and risk level — before deciding whether to allow, block, or require additional verification. It is the primary technical control for implementing Zero Trust in Microsoft 365.

How Multi-Factor Authentication and Self-Service Password Reset work together to protect identities and remove helpdesk dependency in Entra ID.

How Entra ID Identity Protection uses Microsoft threat intelligence to detect compromised users and suspicious sign-ins, and what risk-based policies do about them.

How Entra ID's banned password lists and Smart Lockout defend against predictable passwords and brute-force attacks, both in the cloud and on-premises Active Directory.

How Microsoft 365 Defender unifies signals from across the M365 security stack into a single XDR platform, and what Defender for Office 365 does to protect email and collaboration.

How Microsoft Purview classifies sensitive data, enforces retention, prevents data loss, and supports legal and regulatory compliance across the Microsoft 365 estate.

Windows Autopilot is a cloud service that transforms a factory-fresh Windows device into a fully configured corporate endpoint without IT ever touching the hardware. The four deployment modes cover everything from standard employee onboarding to kiosk provisioning to warehouse pre-staging.

Windows Update for Business (WUfB) is a policy-driven service that controls when Windows 10/11 devices receive quality and feature updates directly from Microsoft. No on-premises WSUS server required — deferral periods, deadlines, and update rings give organisations predictable update delivery without local infrastructure.

Before Intune can deliver policies, apps, or compliance checks to a device, the device must be enrolled. Enrollment establishes the management relationship and installs the MDM agent. The method varies by platform and ownership model — from fully automated Autopilot flows for new Windows devices to user-initiated Company Portal enrollment for BYOD.

Compliance policies define the minimum security state a device must be in to be considered trustworthy. Intune evaluates the device against the policy and reports a compliance state — which Conditional Access in Entra ID then uses as a gate for accessing corporate resources.

Intune supports multiple application types with different trade-offs in flexibility, packaging complexity, and supported platforms. Win32 apps offer the most control for traditional Windows software; Microsoft 365 Apps deploy Office without installation media; MSIX provides modern clean packaging. Assignment intents and dependency chains let administrators model the full application lifecycle from delivery to supersedence.

Microsoft Defender Antivirus is the built-in AV engine for Windows 10/11, active by default when no third-party product displaces it. Managed through Intune, GPO, or ConfigMgr, it provides real-time scanning, cloud-delivered verdicts, Attack Surface Reduction rules, Controlled Folder Access, and Network Protection — all tunable from a single Endpoint Security policy.

BitLocker is Windows' built-in full volume encryption feature, protecting data on lost or stolen devices by encrypting the entire OS and data volumes with AES. Integrated with the TPM for transparent unlock, managed through Intune for silent deployment, and tied to Entra ID for automatic recovery key escrow, BitLocker is the standard disk encryption solution for Intune-managed Windows estates.

Windows Hello for Business replaces the password at Windows sign-in with a TPM-bound cryptographic key pair unlocked by biometric or PIN. The password is never transmitted, never replayable from the network, and never useful to a phisher. Deployed via Intune, it integrates with Entra ID and on-premises AD through several trust models suited to different infrastructure maturity levels.

How Microsoft Defender for Endpoint provides endpoint detection and response (EDR) across Windows, macOS, Linux, iOS, and Android — collecting behavioural telemetry, detecting threats post-breach, enabling investigation timelines, and automating remediation through the Microsoft 365 Defender portal.

How Endpoint Analytics in Microsoft Intune measures the real-world performance and reliability of managed devices — tracking startup times, restart frequency, app reliability, and hardware readiness — giving IT teams data to proactively fix issues before users call the helpdesk.

How Azure organises resources into a hierarchy of management groups, subscriptions, and resource groups — and how resource locks, tags, and cost management give administrators control over what gets deployed and what it costs.

How Azure RBAC assigns permissions to identities at a specific scope — distinguishing Azure resource roles from Entra ID directory roles, how role assignments work, what the key built-in roles cover, and when to create custom roles.

How Azure Policy evaluates resources against defined rules and automatically enforces compliance — from simple tag-enforcement to deploying missing configurations — and how policy initiatives bundle related policies for assignment at scale.

How Azure Storage accounts work — choosing between Standard and Premium account types, selecting the right data redundancy option from LRS to GZRS, and using access tiers and lifecycle management policies to balance performance against cost.

How Azure Blob Storage organises unstructured data into containers and blobs, the differences between block, append, and page blob types, and how features like versioning, soft delete, immutability policies, and object replication protect data from accidental loss.

How Azure Files provides fully managed SMB and NFS file shares in the cloud — and how Azure File Sync extends those shares to on-premises Windows servers with intelligent cloud tiering that keeps frequently accessed files local while archiving the rest.

How Azure Storage protects data at rest and in transit — through shared access signatures for delegated access, storage account keys and their rotation, Azure AD authentication for blob and file workloads, customer-managed encryption keys, and infrastructure encryption.

How Azure Virtual Machines work — choosing VM sizes for workload requirements, selecting the right managed disk type, and architecting for high availability using availability sets, availability zones, proximity placement groups, and Azure Bastion for secure access.

How Azure Virtual Machine Scale Sets deploy and manage a group of identical VMs as a single resource — supporting manual scaling, metric-based autoscaling, and two orchestration modes that trade between strict uniformity and flexibility for mixing VM sizes and images.

How Azure Container Instances lets you run containers directly on Azure without managing any underlying infrastructure — and how Azure Container Registry stores and distributes private container images with geo-replication and automated build pipelines.

How Azure App Service provides a fully managed platform for hosting web applications, APIs, and mobile backends — covering App Service plan tiers, deployment methods, deployment slots for zero-downtime releases, autoscale, and custom domain and TLS configuration.

How Azure Virtual Networks provide isolated private network space for Azure resources — covering address space planning, subnet design, service endpoints versus private endpoints for PaaS connectivity, and VNet peering for connecting networks across regions.

How Azure secures network traffic at the subnet and NIC level with Network Security Groups — and when to graduate to Azure Firewall for centralised stateful inspection, threat intelligence, FQDN filtering, and cross-VNet policy enforcement.

How Azure DNS hosts both public DNS zones delegated from registrars and private DNS zones for internal Azure name resolution — covering record types, alias records for Azure resources, private zone VNet links, and auto-registration of VM names.

How Azure's four load-balancing services split traffic across backends — from the regional L4 Azure Load Balancer for TCP/UDP workloads, to the L7 Application Gateway for HTTP routing and WAF, to the global Traffic Manager for DNS-based routing, and Azure Front Door for global HTTP acceleration with caching and WAF.

How Azure connects on-premises networks to the cloud — through VPN Gateway for encrypted tunnels over the public internet, and ExpressRoute for private dedicated circuits that bypass the internet entirely — and how Virtual WAN simplifies hub-and-spoke connectivity at scale.

How Azure Monitor collects metrics and logs from every Azure resource, routes them to Log Analytics workspaces for KQL querying, and triggers alerts through action groups — providing the observability layer that spans VMs, containers, networks, and applications.

How Azure Backup protects VMs, databases, files, and on-premises servers through a Recovery Services vault — and how Azure Site Recovery provides business continuity by replicating entire workloads to a secondary region for failover when a primary region fails.

How Azure Network Watcher provides a toolkit of network diagnostic and monitoring capabilities — from testing whether traffic is allowed by NSG rules, to capturing packets on VMs, to analysing NSG flow logs for visibility into all traffic flows across your Azure network.

How Azure Application Insights provides application performance monitoring for live applications — automatically collecting request rates, response times, failure rates, and dependencies, then surfacing them through dashboards, smart detection alerts, distributed traces, and availability tests.

How Windows 10 and 11 get onto devices — covering clean install, in-place upgrade, and wipe-and-load deployment methods, the Windows Assessment and Deployment Kit tools, and the four activation methods that organisations use to license Windows at scale.

How DISM manages Windows images — capturing and applying WIM and FFU format images, servicing images offline to inject drivers, updates, and features, and using Sysprep to generalise a reference installation before deployment to multiple machines.

How Windows manages local user accounts and administrator elevation through User Account Control — the account types available, how UAC intercepts privilege escalation requests, and the Windows Hello authentication methods that replace passwords with biometrics and PINs.

How Windows devices connect to identity infrastructure — comparing workgroup, on-premises AD domain join, Entra ID join for cloud-native scenarios, and Hybrid Entra ID join for enterprises that need both on-premises Kerberos and cloud identity in the same device registration.

How Windows controls access to files and folders through NTFS permissions applied directly to the file system — covering the six standard permissions, inheritance and propagation, effective permissions calculation, and how NTFS and network share permissions combine when accessing files over the network.

How the Encrypting File System provides transparent per-file encryption on NTFS volumes — using public-key certificates to encrypt the file encryption key, enabling individual users to protect sensitive files without full-disk encryption, and how recovery agents and certificate backup ensure data is never permanently lost.

How Windows configures and troubleshoots network connectivity — covering IPv4 addressing including APIPA fallback, IPv6 address types and transition technologies, network profiles, and the command-line tools used to diagnose connectivity issues from name resolution to packet loss.

How Windows manages wireless network connections — the 802.11 standards from a to ax and their frequency and throughput characteristics, the WPA2/WPA3 security modes, how wireless profiles are created and prioritised, and the netsh wlan commands used to manage wireless connections from the command line.

How Windows enables remote access — through Remote Desktop Protocol for full graphical sessions, Quick Assist and Remote Assistance for helpdesk support, and the VPN protocols Windows supports natively for secure tunnelled connectivity back to corporate networks.

How Windows Defender Firewall controls inbound and outbound network traffic through a profile-based rule system — applying different rule sets depending on whether the device is on a domain, private, or public network — and how connection security rules use IPsec to authenticate and encrypt traffic between specific endpoints.

How Group Policy applies to Windows client devices — the LSDOU processing order that determines which settings win when policies conflict, the Local Group Policy Object for standalone devices, and the command-line tools that reveal exactly which policies applied, from which GPO, and why.

How Windows Recovery Environment provides a rescue toolkit when Windows won't boot — automatic startup repair, system restore, system image recovery, and a command prompt for manual recovery — plus the Reset this PC feature that reinstalls Windows without requiring external media.

How Windows 10 and 11 receive and apply updates — the servicing model separating quality from feature updates, deferral policies for controlling update timing, WSUS for centralised on-premises update management, and DISM plus SFC for repairing a corrupted Windows component store.

How to monitor and diagnose Windows performance issues — using Task Manager's seven tabs for real-time process and resource visibility, Performance Monitor for detailed counter-based analysis with Data Collector Sets, Resource Monitor for per-process network and disk I/O, and Event Viewer for correlating system events with performance degradation.

How AppLocker enforces application control policies on Windows Enterprise and Education devices — defining which executables, scripts, Windows Installer packages, and packaged apps users are allowed to run — and how the modern Windows Package Manager and MSIX packaging format fit into enterprise app management.