Reddit Sysadmin – Telegram
Decommissioned old AD CA Server - several computers lost domain trust. Trying to understand why.

We had an old AD certificate services authority server that we had planned to decommission. We created a new CA server around a year ago, made sure it was handling all new cert requests, etc., and waited to see if anything broke. It all seemed to be working well, so we then followed the Microsoft documentation for decommissioning a CA server here:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/decommission-enterprise-certification-authority-and-remove-objects

We started getting reports of mapped drives failing. The affected computers all seemed to have lost their domain trust. Can't ping the domain, or any DC. Event logs complaining about not being connected to the domain, etc.

Deleting the computer object and re-joining to the domain resolves the issue.

I'm trying to understand what broke, or what went wrong here with the retirement of this CA server, given that we followed the MS documents, and waited around a year while running on the new CA to remove the old one.

Any thoughts or ideas are welcome!

https://redd.it/1or48ga
@r_systemadmin
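A check worth running on a sample of machines before (or, as here, after) retiring a CA is an inventory of what still references it: machine certificates it issued and copies of its own certificate left in the trust stores. This is an added example, not code from the post, and it does not establish the post's root cause; `$RetiredCaName` is a placeholder for the old CA's common name.

```powershell
# Added example: inventory machine certificates and trust-store entries that
# reference a given CA. $RetiredCaName is a placeholder, not a value from the post.
function Get-CaDependencyReport {
    param([Parameter(Mandatory)][string]$RetiredCaName)

    # Certificates in the machine store issued by the retired CA (for example
    # auto-enrolled Computer certs), with whether their chain still validates now.
    $issued = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like "*CN=$RetiredCaName*" } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = 'My'
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                # EKUs show what the cert is used for (Client Authentication, Server Authentication, ...)
                EKU        = ($_.EnhancedKeyUsageList.FriendlyName -join ', ')
                # Test-Certificate (PKI module) builds the chain; $false once the issuer is gone/revoked
                ChainValid = [bool](Test-Certificate -Cert $_ -ErrorAction SilentlyContinue)
            }
        }

    # Copies of the retired CA's own certificate still present in the trust stores.
    $trust = foreach ($store in 'Root', 'CA', 'AuthRoot') {
        Get-ChildItem "Cert:\LocalMachine\$store" |
            Where-Object { $_.Subject -like "*CN=$RetiredCaName*" } |
            ForEach-Object {
                [pscustomobject]@{
                    Store = $store; Subject = $_.Subject; Thumbprint = $_.Thumbprint
                    NotAfter = $_.NotAfter; EKU = ''; ChainValid = $null
                }
            }
    }

    @($issued) + @($trust)
}

# Usage (run locally or via Invoke-Command against the affected machines):
#   Get-CaDependencyReport -RetiredCaName 'OLD-CA-NAME' | Format-Table -AutoSize
```

Machines with issued certificates whose `ChainValid` is now `$false` are the ones to compare against the set that lost trust.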
How many on-prem DCs you all roll with?

Hey all,

3 branch SMB here, currently rolling a DC at each site. We are expanding two more branches, but they are small locations. I'd rather not invest in 2 or even 1 more DC at the small sites...

In fact, I'm considering dialing down to 2. Do you think I'm off my rocker on this and that I should go full resiliency and spin a DC at each site?

https://redd.it/1or65aw
@r_systemadmin
What’s the hardest task you’ve had to do at minimum more than once in your career.

I’ll start. Running and terminating cat6 in a clean room, full suit, rubber gloves, trying to crimp RJ45s while sweating your ass off with latex gloves has gotta be some sort of hell

https://redd.it/1oreo1i
@r_systemadmin
Just hired for a startup

I just got hired at a startup, their first sysadmin ever. Also my first ever job, so kinda excited! I was wondering where should I start?


- MDM for the macbooks the company gives out? (about 5 in the whole company)
- Network (as in blocking and tracking)
- Company storage
- Or something else I am missing

https://redd.it/1orfdru
@r_systemadmin
Anyone figured out a sane way to clean up OneDrive junk from ex-employees?

We archive mailboxes and disable accounts, but OneDrive always turns into a black hole. Anyone automated this in PowerShell or using a third-party tool?

Is it really worth it to remove it? Or do you guys leave the data forever unless you come across a storage issue?

https://redd.it/1orjlei
@r_systemadmin
Privileged Access Workstation architecture?

We are giving all IT employees a separate laptop for admin access to separate their standard access (emails, web browsing) from their admin work (Intune, Entra, on-prem).

Is there any reason the following wouldn't work and be more secure than what we are currently doing (which is standard access and admin access in the same device)?

- PAW is Entra-joined and Intune-managed
- VM on the laptop via Hyper-V is on-prem AD-joined and has access to on-prem resources via Entra Private Access (the client is installed on the VM, not the laptop proper)
- PAW itself is logged into using a cloud-only admin account (a step below a Global Administrator but mostly has admin access to third-party SPs and basic Entra functions like password resets)
- VM is logged into via an on-prem admin account
- PAW (non-admin) manages all cloud resources
- VM manages all on-prem resources, such as Windows Servers and Linux servers

Edit: I had a list above but Reddit ruined the formatting.

https://redd.it/1orpk9t
@r_systemadmin
What are you guys using for tech time tracking? The built-in ConnectWise timer is killing my team's morale.

I need to vent, but also genuinely need advice. We're an MSP and we use ConnectWise for our PSA. The built-in time tracking is a complete disaster.
It's clunky, our techs hate using it, and half the time they forget to log their hours, which means our client billing is a nightmare to reconcile. We're losing money on the admin side just trying to clean up the mess.
I'm ready to switch to a dedicated, lightweight time tracker. Something that's simple for the techs to use and gives us clean reports without a dozen clicks. I've seen some people mention using separate tools like Monitask or Harvest alongside their PSA.
For the other MSP folks here, what's your stack? Are you actually using the built-in stuff, or have you found a separate tool that doesn't make everyone want to pull their hair out?

https://redd.it/1orsn0p
@r_systemadmin
25H2 breaks remote search on SMB shares (server index ignored)

I'm running into a reproducible issue with Windows 11 25H2 where File Explorer no longer uses the server-side search index for SMB network shares.

What works:

- Windows 11 22H2 → network content search works (uses server index)
- Windows 11 24H2 → also works

What doesn't work:

- Windows 11 25H2 (upgrade from 24H2) → no content results, only filenames
- Windows 11 25H2 (fresh install, clean VM) → same issue

Server side:

- Tested with Windows Server 2012 and Windows Server 2022
- Windows Search Service enabled, shares are indexed
- Other clients (22H2/24H2) get instant content results from the server index

Symptoms on 25H2:

- File Explorer does not do "RemoteIndexedSearch" anymore
- Only filename search works, no file content results
- "Include in Library" is missing in the right-click menu on network folders (Windows thinks the location is not indexable)
- Windows Search (WSearch) service is running
- Same user, same domain/network, same SMB share

So it looks like:
25H2 broke remote indexed search over SMB. Could be a search protocol change, security change or a regression.

Anyone else seeing this?
Is this a known issue? Any workaround or registry/GPO fix?

I also submitted this to the Feedback Hub (already getting lots of upvotes).

Would be super helpful to know if others can confirm or if Microsoft acknowledged this somewhere.

https://redd.it/1ors6bh
@r_systemadmin
How to prove IPv6 is disabled?

So, Management asked me to disable IPv6 on our Windows machines. Now I know that disabling IPv6 is not a good idea but unfortunately I can't do anything about it, so I went ahead and disabled the IPv6 using a registry key per the following article and deployed it to machines using GPO:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows

Now the problem is that with this method, the "Checkmark" in the network adapter is still there and I have no idea how to Prove that I have disabled it. Is there any tool or method that reports it's disabled?

https://redd.it/1orv6ij
@r_systemadmin
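The adapter checkbox is the `ms_tcpip6` binding, which the `DisabledComponents` registry method from the linked article does not touch, so it cannot serve as proof either way. The evidence is the registry value plus the absence of IPv6 addresses on non-loopback interfaces after the reboot. The following is an added example, not code from the post; the only assumption is the value 0xFF from the Microsoft article.

```powershell
# Added example: gather evidence that the DisabledComponents method took effect.
# The binding checkbox is reported only to show why it is not proof.
# A reboot is required after the GPO applies the registry value.
function Test-IPv6Disabled {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $dc  = (Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents

    # Any IPv6 address left on a non-loopback interface means the stack is still active.
    $live = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
            Where-Object { $_.InterfaceAlias -notlike 'Loopback*' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        # 0xFF = "disable IPv6 on all nontunnel interfaces (except loopback) and on tunnel interfaces"
        DisabledComponents = $(if ($null -eq $dc) { 'not set' } else { '0x{0:X8}' -f $dc })
        IsDisabledByPolicy = ($dc -eq 0xFF)
        # Stays $true with this method: the checkbox is the protocol binding, not the policy
        BindingCheckboxOn  = [bool](Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled)
        LiveIPv6Addresses  = @($live).Count
        LiveIPv6Detail     = (($live | ForEach-Object { "$($_.InterfaceAlias)=$($_.IPAddress)" }) -join '; ')
    }
}

# Run locally, or fan out to the GPO targets:
#   Invoke-Command -ComputerName PC1,PC2 -ScriptBlock ${function:Test-IPv6Disabled}
Test-IPv6Disabled
```

A machine is provably disabled when `IsDisabledByPolicy` is `$true` and `LiveIPv6Addresses` is 0, regardless of what the checkbox shows.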
IT Director rant - Onboarding

Our new IT director has made quite a few changes since he started but the one that bugs me the most (right now) is onboarding.

We have a ticket system (Freshservice) that handles onboarding but he insists on scrapping it.

He wants the HR dept to email IT with the name of the new hire and the manager. After that, we need to conduct an interview with the manager to see what is needed.

These managers barely have time to talk (always in meetings) so we need to play phone tag so we can ask the same questions onboarding already had asked in our previous set up and manually create tickets from it?

It is just so annoying to me. Our company just acquired another one and we are pushing them to do the same.

Ugh.

https://redd.it/1orxeb3
@r_systemadmin
Future Job prospects

Hello, I am an IT in the US Navy. I have been thinking on getting out on shore duty as I am about to reenlist for that. I was thinking what certs I should get. Background, I have an IT schooling NEC from my A school, a Top Secret clearance, ePolicy Orchestrator and VMware experience, along with SubLAN COMPOSE 4.0 experience. I deal with unlocking user accounts to LAN health/security monitoring. How should I go about getting into the civilian aspect of my field?

https://redd.it/1orzx7x
@r_systemadmin
Yubikeys in Entra, still being prompted for MS Authenticator

We have a few admin users who we have supplied Yubikeys to for their admin accounts, however when they log in they are still being prompted to set up the MS Authenticator. I’ve gone through the CA policies and can’t see anything in there that could be causing it. Does anyone have any ideas?

https://redd.it/1ort2e2
@r_systemadmin
Feeling Like a Fraud

I am an IT Systems Administrator at a company of ~500 employees. I am the sole IT worker. I started there as an IT Technician, but after my coworker left, they promoted me to IT Systems Administrator, no interview or anything. They then closed my old position, leaving myself as the only IT staff.

I graduated college less than 2 years ago and am now tasked with maintaining and updating this 24/7 infrastructure. I feel that there is too much for me to do and I cannot learn fast enough (I understand that this is a pretty common mentality in IT). Even as a Systems Administrator, I feel I have a very rudimentary knowledge of Networking and Active Directory.

Can anyone give me any advice on how to work on these skills? Unfortunately, as I work on my own, I do not really have the opportunity to learn from someone senior to me.

I understand homelabbing is how most people learn, I just don't really know where to start at this point.

https://redd.it/1os9mzn
@r_systemadmin
iGPU and RDS

Should RDS have good enough performance for watching 4k or whatever videos if session host has iGPU (CPU with integrated graphics on chip)?

https://redd.it/1os2sj1
@r_systemadmin
very niche post - sysadmins working at a larger org using employment hero

We’re past the point of People and Culture slamming an unstructured ticket into our PSA, but at the funny size where that team still like Employment Hero (no SuccessFactors or Workday on the horizon yet).

Does anyone here have automation using data coming from Employment Hero into an on-premise AD?

https://redd.it/1osdwvb
@r_systemadmin
Microsoft keeps flagging our domain as spam, how can we fix this?

Hey everyone,

We’re running into a frustrating email deliverability issue and could really use some advice.

We’re a gym management platform, so we send quite a few transactional and notification emails to end users (class reminders, membership updates, etc, onboarding etc).

A while back, our website was hosted with Lovable, and they provided us with an IP to link through our DNS. Turns out Lovable uses Cloudflare, and the IP they assigned was associated with Cloudflare’s Germany data center. Apparently, someone else using that same node was sending spam, and as a result, our domain/IP got caught up in the same blocklist.

We’ve since moved our website off Lovable entirely, but Microsoft (Outlook, Hotmail, etc.) still flags all our emails as spam.

We’ve checked all the basics: SPF, DKIM and DMARC are correctly set up, but Microsoft still seems to “hate” our domain.

Has anyone dealt with something like this before? Is there a way to formally appeal or delist our domain with Microsoft?

Or do we need to switch to a new domain altogether?

Any guidance or experience would be hugely appreciated, this has been a nightmare as we just launched two weeks ago and onboarded our founding clients.

Thanks in advance!

https://redd.it/1osg1oz
@r_systemadmin
The Midwest NEEDS YOU

With all the job uncertainty lately, I just wanted to remind everyone that the Midwest is full of companies in desperate need of good sysadmins. I work in Nebraska, and we have towns with zero IT people. I even moonlight in three different towns near me because there's so much demand.

If you're struggling to find stability in larger cities, this might be a great time to consider making a change.

Admins, sorry if I used the wrong flair for this.

https://redd.it/1oshy57
@r_systemadmin
From IT Admin to DevOps / Cloud Engineer — worth getting certified without experience?

Hey everyone,
I’ve been working as an IT Administrator for over 5 years now — from big corporations to smaller companies. Most of my day is the usual stuff: updates, tickets, user issues, server maintenance, monitoring… it’s getting repetitive and I feel like it’s time for something new.

I recently passed my first AWS certification (Cloud Practitioner) and I’m now looking at the AWS DevOps Pro.
But I’m wondering — is it even worth pursuing that cert if I don’t currently work as a DevOps engineer?

My goal is to transition from IT Admin to a Cloud / DevOps Engineer.
What would you recommend to make that switch realistically?
What should I focus on learning? Are there any good hands-on projects, GitHub labs, or home setups to build real experience?

I’ve got an IT degree and solid sysadmin background, but I want to make the move the right way — not just collect certifications that don’t lead anywhere.

Any advice or personal stories would be greatly appreciated 🙏

https://redd.it/1osieay
@r_systemadmin
Battery backup brand choice - from business perspective

Hi, we're looking to purchase "emergency kits" for key employees -> something very simple: Starlink kit + 1-2 kWh battery backup + a portable solar panel, so they can "connect" in case of an outage (or whatever).

My question is which brand do you think is the most "reliable" one as far as "recalls", documented cases of battery fires, general business conduct, etc..

EcoFlow, Jackery, Anker, Bluetti - I think these are potential candidates.... We're located in the US

https://redd.it/1osjnsu
@r_systemadmin
FortiClient 7.4.3 + Windows 11 25H2 + SAML IPsec VPN connection failing

My setup:

* FortiGate 61F running FortiOS 7.4.9 (GA)
* SAML IPsec VPN integrated with Azure Entra ID
* FortiClient 7.4.3 on Windows 11 25H2

Everything worked perfectly on 24H2: same config, same Entra ID app, same certificate. After upgrading to 25H2, SAML login just stopped working until I did the two fixes below.

After breaking my head for days thinking my FortiGate 7.4.9 setup or Entra ID (Azure AD) enterprise app were to blame, turns out the real culprit was Windows 11 25H2.

If you suddenly can’t connect your FortiClient 7.4.3 IPsec SAML tunnel (it just hangs or fails to redirect properly), here’s what finally fixed it for me:

# Install the VC++ Redistributable (dependency nobody tells you about)

You must have the latest Microsoft Visual C++ Redistributable installed. FortiClient won’t tell you, and there’s almost zero documentation pointing to this dependency.

Download it directly from Microsoft:
[https://learn.microsoft.com/en-us/cpp/windows/latest-supported-vc-redist?view=msvc-170#latest-supported-redistributable-version](https://learn.microsoft.com/en-us/cpp/windows/latest-supported-vc-redist?view=msvc-170#latest-supported-redistributable-version)

(Just grab the latest x64 installer, install it, and reboot for good measure.)

# Enable “Use external browser as user-agent for SAML user authentication”

Inside FortiClient → *Settings* → *VPN* → make sure “Use external browser as user-agent for SAML user authentication” is enabled.

I haven’t been able to make the connection work with it disabled (still testing), but enabling it allows the proper browser redirect and token exchange with Entra ID.

https://redd.it/1osofn1
@r_systemadmin
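A preflight check for the first fix above, so the dependency can be confirmed on a machine before touching the FortiGate or Entra side. This is an added example, not from the post or from Fortinet; it assumes Windows 11 25H2 reports build 26200, and the `VisualStudio\14.0\VC\Runtimes\x64` registry keys are the ones the VC++ 2015-2022 redistributable installer writes as far as I know, so confirm them on your build.

```powershell
# Added example: report the Windows build and whether an x64 VC++ 2015-2022
# runtime is registered. Assumptions: 25H2 = build 26200; registry paths below are
# the ones the redistributable writes (verify on your own build).
function Test-FortiClientSamlPrereq {
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber

    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x64',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\VisualStudio\14.0\VC\Runtimes\x64'
    )
    # Installed = 1 and a Version string mean a runtime is registered under that node
    $versions = foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        if ($v -and $v.Installed -eq 1) { $v.Version }
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Build          = $build
        Is25H2OrLater  = ($build -ge 26200)
        VcRuntimeX64   = $(if ($versions) { ($versions | Select-Object -Unique) -join ', ' } else { 'missing' })
        # The second fix (external browser for SAML) is a FortiClient UI setting; check it by hand
        NextStep       = $(if ($versions) { 'Verify "Use external browser" is enabled in FortiClient' }
                           else { 'Install the x64 VC++ Redistributable and reboot' })
    }
}

Test-FortiClientSamlPrereq
```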
Should I give my users touchscreen laptops?

For the first time in years I am actually buying new laptops. I am shopping for higher-end models for some of my users. It seems like most business laptops these days have touchscreen options. Honestly I don't think they need touchscreens, but the touchscreen versions are not much more expensive than the non-touch versions. And I have the budget to spend basically as much as I want.


I am mainly looking at the Asus Expertbook B5 14inch or the Dell Pro 14 Premium. If anyone has experience with these laptops let me know if they are good or not. Any advice is much appreciated.

https://redd.it/1ospdxj
@r_systemadmin