Configure Domain Controller (PDC emulator) as NTP source for Cisco switch 6509

Hi All,
  My org consists of 2 DCs, one physical and one virtual. All roles are on the physical machine. I ran a W32tm /Query /Configuration command on the PDC emulator and the results are confusing. My PDC is using the time source VMICTimeProvider, as you can see below.
VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
My first question: is it OK for the PDC emulator to use this time source, or should I change to some other source like pool.ntp.org or time.windows.com,0x1?
My second question: I have a core switch, a Cisco 6509, and I want this switch to use my NTP server (PDC emulator) as its NTP source, but at present I cannot, as I am getting this error on the switch (no select intersectionTP).
Can anyone help... It is urgent.
Thanks in Advance
EagleAsh

You should not make your DCs sync their time with your hypervisor. This usually ends in time synchronization problems, so I would recommend disabling that on your DCs and domain-joined VMs and using an external NTP server to sync time on your PDC, while using your AD forest topology for time sync on the other DCs and domain-joined computers.
I have already started a Wiki article that describes how to configure time sync in an AD domain, and you might consider using the GPO configuration option that is stated there: http://social.technet.microsoft.com/wiki/contents/articles/18573.time-synchronization-in-active-directory-forests.aspx
For the CISCO switch, I would recommend asking them in CISCO forums.
This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Get Active Directory User Last Logon
Create an Active Directory test domain similar to the production one
Management of test accounts in an Active Directory production domain - Part I
Management of test accounts in an Active Directory production domain - Part II
Management of test accounts in an Active Directory production domain - Part III
Reset Active Directory user password
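An added example, not part of the thread and not Microsoft's own script, that carries out the reply's two recommendations in PowerShell on the PDC emulator: disable the Hyper-V VMICTimeProvider input (the registry value named further down this page), point W32Time at an external peer list, and verify that the reported source is no longer the local clock. The peer list default, the host-name check against Get-ADDomain and the 0x8 (client mode) peer flag are my assumptions; substitute your organisation's NTP servers.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Run on the forest-root PDC emulator.
# $PeerList is an assumed placeholder: replace with your own NTP servers.
# The ",0x8" suffix asks W32Time to poll that peer in client mode.
param(
    [string]$PeerList = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8'
)
$ErrorActionPreference = 'Stop'

# Guard: only the PDC emulator should take time from outside the domain
# hierarchy; every other DC and member keeps the default domain-hierarchy mode.
# (Assumes the ActiveDirectory RSAT module is present; the check is skipped if not.)
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $pdc = (Get-ADDomain).PDCEmulator
    $me  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    if ($pdc -ne $me) {
        throw "This host ($me) is not the PDC emulator ($pdc); run this on $pdc instead."
    }
}

# 1. Stop the Hyper-V integration provider from feeding the clock. The value is
#    the one named in the thread; the key only exists on a VM, so this is a
#    no-op on physical hardware.
$vmic = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'
if (Test-Path $vmic) {
    Set-ItemProperty -Path $vmic -Name Enabled -Value 0 -Type DWord
}

# 2. Manual external peers, and advertise this DC as a reliable time source so
#    the rest of the forest hierarchy chains to it.
& w32tm.exe /config /manualpeerlist:"$PeerList" /syncfromflags:manual /reliable:yes /update
Restart-Service -Name w32time
& w32tm.exe /resync /rediscover | Out-Null

# 3. Verify. A PDC still reporting its own clock is the failure mode seen in
#    this page (Source: Local CMOS Clock, RefID LOCL, Stratum 1).
$source = (& w32tm.exe /query /source) -join ' '
if ($source -match 'Local CMOS Clock|Free-running System Clock|VM IC Time') {
    Write-Warning "W32Time is still using '$source'; check UDP/123 egress to the peers and the System log (Time-Service event 12)."
} else {
    Write-Host "Time source: $source"
}
# Show the lines that tell you whether the external chain is in place.
(& w32tm.exe /query /status) | Where-Object { $_ -match '^(Stratum|ReferenceId|Source|Last Successful Sync Time)' }
```

The first `/resync` straight after the service restart can still report that no time data was available, because the initial poll has not completed; wait a minute and run `w32tm /query /source` again before concluding that the peers are unreachable. Member servers and the other DCs need no change: with the PDC emulator marked reliable they keep following the domain hierarchy, which is the topology the reply recommends.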

Similar Messages

  • 2008 R2 Domain Controller PDC Emulator for SP1 upgrade

    So my PDC is 2008 R2 and I need to bring it up to SP1. Does anyone think I need to move that role to another server before upgrading it, or upgrade it in place?

    Simply install SP1. No need to move anything.
    Of course, it is recommended to take a system state backup of your DC before proceeding.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK
    My Website Link
    My Linkedin Profile
    My MVP Profile
    And what if it did eventually fail? Wouldn't it be easier just to clean out the DC, rebuild it and let the other one take care of the domain?
    Best Regards,
    Jesper Vindum, Denmark
    Systems Administrator
    Help the forum: Monitor(alert) your threads and vote helpful replies or mark them as answer, if it helps solving your problem.
    Either you restore it from backup or you simply seize its FSMO roles to another DC, do a metadata cleanup and then re-install the server and promote it again.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK
    My Website Link
    My Linkedin Profile
    My MVP Profile

  • Windows 2008 R2 Domain Controller (PDC) - NTP server - time showing local CMOS clock

    I'm having issues setting an external source on a Windows 2008 R2 domain controller (PDC emulator role for the domain).
    Here is the output showing its source is the Local CMOS clock.
    C:\Windows\System32>w32tm /query /status
    Leap Indicator: 0(no warning)
    Stratum: 1 (primary reference - syncd by radio clock)
    Precision: -6 (15.625ms per tick)
    Root Delay: 0.0000000s
    Root Dispersion: 10.0000000s
    ReferenceId: 0x4C4F434C (source name:  "LOCL")
    Last Successful Sync Time: 06/11/2014 15:44:15
    Source: Local CMOS Clock
    Poll Interval: 6 (64s)
    1) I have performed the following on the DC with the PDC role:
    net stop w32time
    w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org"
    w32tm /config /reliable:yes
    net start w32time
    w32tm /query /configuration 
    [Configuration]
    EventLogFlags: 2 (Local)
    AnnounceFlags: 5 (Local)
    TimeJumpAuditOffset: 28800 (Local)
    MinPollInterval: 6 (Local)
    MaxPollInterval: 10 (Local)
    MaxNegPhaseCorrection: 172800 (Local)
    MaxPosPhaseCorrection: 172800 (Local)
    MaxAllowedPhaseOffset: 300 (Local)
    FrequencyCorrectRate: 4 (Local)
    PollAdjustFactor: 5 (Local)
    LargePhaseOffset: 50000000 (Local)
    SpikeWatchPeriod: 900 (Local)
    LocalClockDispersion: 10 (Local)
    HoldPeriod: 5 (Local)
    PhaseCorrectRate: 7 (Local)
    UpdateInterval: 100 (Local)
    [TimeProviders]
    NtpClient (Local)
    DllName: C:\Windows\System32\w32time.DLL (Local)
    Enabled: 1 (Local)
    InputProvider: 1 (Local)
    AllowNonstandardModeCombinations: 1 (Local)
    ResolvePeerBackoffMinutes: 15 (Local)
    ResolvePeerBackoffMaxTimes: 7 (Local)
    CompatibilityFlags: 2147483648 (Local)
    EventLogFlags: 1 (Local)
    LargeSampleSkew: 3 (Local)
    SpecialPollInterval: 3600 (Local)
    Type: NTP (Local)
    NtpServer: 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org (Local)
    NtpServer (Local)
    DllName: C:\Windows\System32\w32time.DLL (Local)
    Enabled: 1 (Local)
    InputProvider: 0 (Local)
    AllowNonstandardModeCombinations: 1 (Local)
    VMICTimeProvider (Local)
    DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
    Enabled: 1 (Local)
    InputProvider: 1 (Local)
    But still showing the output:
    C:\Windows\System32>w32tm /query /status
    Leap Indicator: 0(no warning)
    Stratum: 1 (primary reference - syncd by radio clock)
    Precision: -6 (15.625ms per tick)
    Root Delay: 0.0000000s
    Root Dispersion: 10.0000000s
    ReferenceId: 0x4C4F434C (source name:  "LOCL")
    Last Successful Sync Time: 06/11/2014 15:58:45
    Source: Local CMOS Clock
    Poll Interval: 6 (64s)
    2. If I resync and rediscover the following error appears: 
    w32tm /resync /rediscover 
    Sending resync command to local computer
    The computer did not resync because no time data was available.
    3. I've also cleared the current time config, by
    net stop w32time
    w32tm /unregister
    w32tm /register
    net start w32time
    But no change, it still shows the Local CMOS clock. 
    4. This event is showing 
    Log Name:      System
    Source:        Microsoft-Windows-Time-Service
    Date:          06/11/2014 15:43:30
    Event ID:      12
    Task Category: None
    Level:         Warning
    Keywords:      
    User:          LOCAL SERVICE
    Computer:      domaincontroller1
    Description:
    Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source.
    It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy.
    If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Time-Service" Guid="{06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB}" />
        <EventID>12</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2014-11-06T15:43:30.465619200Z" />
        <EventRecordID>77295</EventRecordID>
        <Correlation />
        <Execution ProcessID="256" ThreadID="2056" />
        <Channel>System</Channel>
        <Computer>domaincontroller1</Computer>
        <Security UserID="SID" />
      </System>
      <EventData Name="TMP_EVENT_DOMAIN_HIERARCHY_ROOT">
      </EventData>
    </Event>
    5. If I perform the below it appears DC2 is having problems but I'm not sure if related. 
    C:\w32tm /monitor
    DC1.domain.local *** PDC ***[192.168.1.1:123]:
        ICMP: 0ms delay
        NTP: +0.0000000s offset from DC1.domain.local
            RefID: 'LOCL' [0x4C434F4C]
            Stratum: 1
    DC2.domain.local[192.168.1.2:123]:
        ICMP: 0ms delay
        NTP: -110.4925481s offset from DC1.domain.local
            RefID: (unspecified / unsynchronized) [0x00000000]
            Stratum: 0
    DC3.domain.local[192.168.2.1:123]:
        ICMP: 0ms delay
        NTP: -0.0256084s offset from DC1.domain.local
            RefID: DC1.domain.local [192.168.1.1]
            Stratum: 2
    DC4.domain.local[192.168.2.4:123]:
        ICMP: 0ms delay
        NTP: -0.0011524s offset from DC1.domain.local
            RefID: 80.84.77.86.rev.sfr.net [86.77.84.80]
            Stratum: 2
    Warning:
    Reverse name resolution is best effort. It may not be
    correct since RefID field in time packets differs across
    NTP implementations and may not be using IP addresses.
    Any help would be much appreciated. Thanks. 
    Craig Brand

    I suspected some issue with AV so uninstalled. 
    To resolve the Access Denied I followed these steps: 
    stop w32time
    w32tm /unregister
    reboot
    regsvr32 /u w32time.dll
    w32tm /register
    sc query w32time -- you should see that the service is set to
    shared mode -- this is presumably how it should be -- if you try to start right now, you'll get the expected 1290 SID-related error
    reboot
    w32time should now automatically start at boot up and be running -- that was my result -- it's running as shared, started on its own, and I can do the w32tm /query commands successfully
    After rebooting the time service started. 
    I then repeated the steps: 
    net stop w32time
    w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org"
    w32tm /config /reliable:yes
    net start w32time
    w32tm /query /configuration 
    And all worked. I'll wait a short while to see if this fixes the issue. I also have an SA case with MS so will confirm the fix when resolved.
    Craig Brand
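An added example (not from the thread) that turns the `w32tm /monitor` output shown in the post above into a check: it parses each DC's stratum, RefID and offset and flags the conditions visible there, a PDC serving its own local clock (RefID LOCL) and a DC that is unsynchronized (stratum 0) and drifting. The sample text is modelled on the monitor output in the post; the offset thresholds are my assumptions, with 300 s chosen because it is the Kerberos default clock-skew tolerance.

```powershell
function Get-W32tmMonitorReport {
    # Parse 'w32tm /monitor' text into one object per DC, with findings attached.
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [double]$WarnOffsetSeconds = 1.0,    # assumed: worth a look
        [double]$FailOffsetSeconds = 300.0   # Kerberos default clock-skew tolerance
    )
    $servers = @()
    $cur = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        # Host header: "DC1.domain.local *** PDC ***[192.168.1.1:123]:"
        if ($line -match '^(?<name>\S+?)(\s+\*\*\* PDC \*\*\*)?\[(?<ip>[\d.]+):\d+\]:$') {
            $cur = [pscustomobject]@{
                Name = $Matches.name; IP = $Matches.ip
                IsPdc = ($line -like '*PDC*')
                OffsetSeconds = $null; RefId = $null; Stratum = $null
                Findings = @()
            }
            $servers += $cur
        }
        elseif ($null -eq $cur) { continue }
        elseif ($line -match '^NTP:\s+(?<off>[+-]?[\d.]+)s offset') { $cur.OffsetSeconds = [double]$Matches.off }
        elseif ($line -match '^RefID:\s+(?<ref>.+)$')                { $cur.RefId = $Matches.ref }
        elseif ($line -match '^Stratum:\s+(?<s>\d+)$')               { $cur.Stratum = [int]$Matches.s }
    }
    foreach ($s in $servers) {
        # Stratum 0 and 16 both mean "not synchronized" in NTP.
        if ($s.Stratum -eq 0 -or $s.Stratum -ge 16) { $s.Findings += 'unsynchronized (stratum 0/16)' }
        # LOCL = the Windows local clock; on a PDC this is the thread's symptom.
        if ($s.RefId -like '*LOCL*') { $s.Findings += 'serving its own local clock (RefID LOCL)' }
        if ($null -ne $s.OffsetSeconds) {
            $abs = [math]::Abs($s.OffsetSeconds)
            if ($abs -ge $FailOffsetSeconds)     { $s.Findings += "offset ${abs}s exceeds Kerberos tolerance" }
            elseif ($abs -ge $WarnOffsetSeconds) { $s.Findings += "offset ${abs}s from the PDC" }
        }
    }
    return $servers
}

# Sample input modelled on the w32tm /monitor output in the post above.
$sample = @'
DC1.domain.local *** PDC ***[192.168.1.1:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from DC1.domain.local
        RefID: 'LOCL' [0x4C434F4C]
        Stratum: 1
DC2.domain.local[192.168.1.2:123]:
    ICMP: 0ms delay
    NTP: -110.4925481s offset from DC1.domain.local
        RefID: (unspecified / unsynchronized) [0x00000000]
        Stratum: 0
DC3.domain.local[192.168.2.1:123]:
    ICMP: 0ms delay
    NTP: -0.0256084s offset from DC1.domain.local
        RefID: DC1.domain.local [192.168.1.1]
        Stratum: 2
'@ -split "`r?`n"

$report = Get-W32tmMonitorReport -Lines $sample
$report | Format-Table Name, Stratum, OffsetSeconds, @{ n = 'Findings'; e = { $_.Findings -join '; ' } } -AutoSize
# Live use on a DC: Get-W32tmMonitorReport -Lines (& w32tm.exe /monitor)
```

On the sample, DC1 is flagged for RefID LOCL, DC2 for stratum 0 and an offset of about 110 s, and DC3 is clean. Offsets are measured relative to the PDC, so when the PDC itself is free-running every other DC can look "in sync" while the whole domain drifts away from real time; that is why the LOCL finding on the PDC matters more than the small offsets elsewhere.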

  • What is the best practice and Microsoft best recommended procedure of placing "FSMO Roles on Primary Domain Controller (PDC) and Additional Domain Controller (ADC)"?

    Hi,
    I have Windows Server 2008 Enterprise and have 2 Domain Controllers in my company:
    Primary Domain Controller (PDC)
    Additional Domain Controller (ADC)
    My (PDC) was down due to Hardware failure, but somehow I got a chance to get it up and transferred
    (5) FSMO Roles from (PDC) to (ADC).
    Now my (PDC) is rectified and UP with same configurations and settings.  (I did not install new OS or Domain Controller in existing PDC Server).
    Finally I want to move the FSMO roles back from (ADC) to (PDC), to get my (PDC) up and operational as primary.
    (Before Disaster my PDC had 5 FSMO Roles).
    Here I want to know the best practice and Microsoft best recommended procedure for the placement of “FSMO Roles both on (PDC) and (ADC)” ?
    In case if Primary (DC) fails then automatically other Additional (DC) should take care without any problem in live environment.
    For example, what should the FSMO role distribution between both servers be?
    Primary Domain Controller (PDC) should contain:
    Schema Master
    Domain Naming Master
    Additional Domain Controller (ADC) should contain:
    RID
    PDC Emulator
    Infrastructure Master
    Please let me know the best practice and Microsoft best recommended procedure for the placement of “FSMO Roles”.
    I will be waiting for your valuable comments.
    Regards,
    Muhammad Daud

    Here I want to know the best practice and Microsoft best recommended procedure for the placement of “FSMO Roles both on (PDC) and (ADC)” ?
    There is a good article I would like to share with you: http://oreilly.com/pub/a/windows/2004/06/15/fsmo.html
    For me, I do not really see a need to have FSMO roles on multiple servers in your case. I would recommend making it simple and have a single DC holding all the FSMO roles.
    In case if Primary (DC) fails then automatically other Additional (DC) should take care without any problem in live environment.
    No. This is not true. Each FSMO role is unique and if a DC fails, FSMO roles will not be automatically transferred.
    There are two approaches that can be followed when an FSMO role holder is down:
    1. If the DC can be recovered quickly, then I would recommend taking no action.
    2. If the DC will be down for a long time or cannot be recovered, then I would recommend that you seize the FSMO roles and do a metadata cleanup.
    Attention! For (2), the old FSMO holder should never be up and online again if the FSMO roles were seized. Otherwise, your AD may be facing huge impacts and side effects.
    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Get Active Directory User Last Logon
    Create an Active Directory test domain similar to the production one
    Management of test accounts in an Active Directory production domain - Part I
    Management of test accounts in an Active Directory production domain - Part II
    Management of test accounts in an Active Directory production domain - Part III
    Reset Active Directory user password

  • What's "SAVE" configuration command for Cisco switch/ router?

    What's the "SAVE" configuration command for a Cisco switch / router? I know Switch#copy running-config startup-config works well,
    but it is so long; is there any other command that is easy to remember?

    What's the "SAVE" configuration command for a Cisco switch / router? I know Switch#copy running-config startup-config works well, but it is so long; is there any other command that is easy to remember?
    Yes, here: Switch#write. And if you want to know more about the Cisco switch, please visit: http://www.3anetwork.com/cisco-switches-price_c1

  • W32tm always on "Local CMOS clock" on virtual domain controller - cannot change to NTP server

    The domain controller (Server 2012R2) is hosted on Hyper-V (Server 2012R2). It is a PDC.
    - firewall disabled
    - cleaned up w32tm:
    net stop w32time
    w32tm /unregister
    w32tm /register
    net start w32time
    - applied the Fix it from http://support.microsoft.com/kb/816042 to enable the external NTP server de.pool.ntp.org
    - disabled VMICTimeProvider in the registry (HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider\Enabled = 0)
    I can manually query the ntp server de.pool.ntp.org:
    w32tm /stripchart /computer:de.pool.ntp.org /samples:5 /dataonly
    de.pool.ntp.org wird verfolgt [131.188.3.221:123].
    5 Proben werden gesammelt.
    Es ist 24.04.2014 10:07:36.
    10:07:36, +00.0115379s
    10:07:38, -00.0025048s
    10:07:40, -00.0008595s
    10:07:42, -00.0010477s
    10:07:44, -00.0014516s
    But still, w32tm does NOT query the ntp server:
    PS C:\Windows\system32> w32tm /query /source
    Local CMOS clock
    rosch

    Hi rosch,
    Based on your description, please check whether disabling the "Time synchronization" integration service helps. Please refer to the following operation.
    In Hyper-V Manager, right click the DC and select “Settings…”.
    In the left panel of Settings, navigate to Integration Services and click it.
    Then in the right panel, please uncheck Time synchronization.
    By the way, please check whether it can connect to the time server and the UDP port is open for NTP.
    If any update, please feel free to let me know.
    Hope this helps.
    Best regards,
    Justin Gu

  • Configuring access to Internal server from external source for public users ( DNS HTTP HTTPS FTP )

    Hello there :) 
    I've faced the following problem:
    I've an internal network (domain network) with a standalone TMG. I want TMG to allow public users to access
    1-  web server with load balance on port 5555 
    2- mail server with HTTPS for OWA 
    3- DNS to make public users make query to solve Domain name 
    4- FTP with load balance on port 5555
    Please, can anyone help me with configuring this and make external users able to access the above?

    Hi,
    You could get started from the following blogs.
    Microsoft Forefront TMG – Webserver Load Balancing
    http://www.isaserver.org/articles-tutorials/configuration-general/Microsoft-Forefront-TMG-Webserver-Load-Balancing.html
    Enabling Forms-based Authentication for External and Internal OWA 2010 Users in Exchange 2010 published using Forefront TMG 2010
    http://www.msexchange.org/articles-tutorials/exchange-server-2010/management-administration/enabling-forms-based-authentication-external-internal-owa-2010-users-exchange-2010-published-using-forefront-tmg-2010-part2.html
    TMG Firewall Name Resolution
    http://www.isaserver.org/articles-tutorials/installation-planning/TMG-Firewall-Name-Resolution-Part3.html
    Best Regards,
    Joyce

  • Is there any way to configure domain name in place of IP address for "Peer VPN device"

    Hi,
    When I configure a site-to-site VPN on the ASA it asks for the IP address of the remote VPN device, and it works pretty fine if I configure it like this.
    The problem is that the remote VPN device does not have a static IP address; it changes on every reboot. I have configured Dynamic DNS for the interface, but the problem is the ASA does not take a domain name as the "peer VPN device" address.
    Is there any workaround for this issue so that I don't need to configure the VPN from scratch every time the IP address of the remote device changes?
    P.S. The ASA VPN configuration also does not allow me to change just the IP address of the remote device in the VPN configuration; I have to delete the current VPN and configure a new one from scratch every time the IP address changes.
    Thanks

    Hello Mahendra,
    Yes, you can set a hostname in the 'crypto map set peer' command instead of an IP address; however, the ASA will resolve that name only once it is applied, hence it will take the IP that the name currently holds, and if it changes, it will not update it.
    The easy solution for your case is to use a static-to-dynamic L2L configuration. On your ASA, configure a dynamic crypto map, assign it to the static crypto map you have, and then add the pre-shared key to the default L2L tunnel-group.
    An example is given below:
    crypto dynamic-map dyn_map set transform-set
    crypto map VPN ipsec-isakmp dynamic dyn_map
    tunnel-group DefaultL2LGroup ipsec-attributes
    pre-shared-key
    This way, you must initiate the tunnel from behind the remote device (not your ASA where the dynamic crypto map is configured) and it should work fine.
    The document below explains that in detail:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml
    Hope that helps
    Othman

  • Configuring SAP R/3 system as data source for SAP BW3.5 system

    Hi All,
    Please help me in getting some document for integrating SAP R/3 4.7 with SAP BW3.5 as data source system.
    Thanks in advance.
    Regards,
    Nalla.

    Hi,
    I have got the link which has solution for my question from old questions in this Forum.
    http://help.sap.com/saphelp_nw04/helpdata/en/00/dc54384ac9a81be10000009b38f8cf/frameset.htm
    So stopping this thread.
    Regards,
    Nalla.

  • NTP sync for Cisco routers through a VPN tunnel

    I have a 3002 tunnel to a 3015. Behind the 3002 is a Cisco router with NTP set up on it. No NTP traffic appears to be traversing the tunnel; there are no filters on the tunnel preventing NTP (123) traffic.
    Is there something in the 3015 that has to be set to allow NTP traffic to go through?
    NTP is working on all other non-tunnelled connections.

    Make sure the 3002 is in NEM mode, and remember that the 3002 will only tunnel the directly-connected subnet's traffic. Unless that router has an interface in the 3002 private interface's subnet, and it is using that as the source address in its NTP requests, it won't work. Can you ping from that router to the NTP server across the tunnel?

  • Using a Cisco Switch as the NTP Master time source for a Windows PDC

    Hi all,
    We have a closed network (no connectivity to the internet) and we have a Core router setup as the NTP Master for the rest of the network.
    All network devices are getting the time synced as intended but we are having issues getting the Primary Domain Controller (PDC) registering to it as a valid NTP time source.
    The problem we have is that we are affected by IOS bug CSCed13703, which rejects the PDC as an NTP associated device. Short of changing the IOS on the router, which is the main router feeding 30 other sites, I would like to point the PDC at a different switch (an NTP client switch) as its NTP source, rather than it going to the actual NTP master.
    I have changed the values in the PDC to point to a different switch (3750) that has its time synced with the NTP master, but the PDC doesn’t want to know. I assume it will only accept the time from an official NTP master.
    Could any of you fine people advise if what I am trying to do is possible and, if so, how I would go about it? I was thinking of setting the 3750 with the NTP Master command also, but I don’t want to confuse the other Cisco devices in the network.
    Thanks in advance
    David

    Thanks Marvin,
    I can confirm the Stratum on the 3750 is set to 15.  This is due to the NTP Time source being an internal router and not an authoritative time source out on the internet.  When setting the clock and using the NTP Master command on my internal router it sets the Stratum level to 14.
    I have pointed the PDC at the Router (Stratum 14) and it does successfully sync time, but won't trust it as a valid source after the first sync.  Upon reading I believed this to be the IOS bug as the symptoms are identical. Your theory of the PDC requiring a Stratum 2 time source is logical (especially in this scenario) but I have seen them use Stratum 4 before and it worked just fine.
    I guess I could change the router acting as a time source for the network to be NTP Master 1, which should force Stratum 1, giving the PDC and all other switches pointing to it a Stratum level of 2, which would prove it either way.  I don't mind pointing the PDC at the router instead of the switch so long as it gets the time synced and trusts it from that point on.
    I was going to make the 3750 switch an NTP Master for the Network and point the PDC to it (as per my previous post) but I have noticed this morning that the NTP Master command isn't available on the 3750 as it has no hardware clock!
    Are you aware of any other way of forcing the 3750 to become a time source for the PDC without using the NTP Master command?  I have looked at the NTP Peer command and I have ruled this out already, and I still need the switch to be a client of the NTP master router on the network.
    Cheers for getting involved,
    David

  • OD Master/PDC, 10.4.11, why xp clients unable to locate domain controller?

    After a migration/upgrade from 10.3.9 to 10.4.11 Server, windows XP clients are intermittently unable to log in to or even bind to the PDC running on that server.
    I did a clean format and install from the 10.4 media, choosing the standalone server type, and applied all the Software Updates, I got forward and reverse DNS working for my zone, then I followed the instructions at http://www.afp548.com/article.php?story=20050615173039158 to move my OD from a working 10.3.9 server to 10.4.
    This server goes against the usual recommendations, as it provides DNS, OD master, PDC and file services to 32 clients all in the same subnet, 20 running Windows XP SP2 and 12 running OS X Client 10.4.x or 10.5.x.
    File services and various other users of the OD/LDAP, for example Wildfire Jabber/XMPP server and Apache2/LDAP running on a separate Linux server, are able to authenticate against the new 10.4.11 OD.
    However, at this point the symptoms become intermittent: approx. 40% of the Windows XP clients were unable to log in with various domain accounts, yielding errors of the form "Unable to find domain FOO". If I remove a client from the domain by joining it to WORKGROUP and rebooting, then try to join FOO again, I'll get an error, "Unable to locate Domain Controller for FOO..."
    The set-up:
    My server's FQDN is myserver.foo.example.com
    The server's DNS is authoritative for the 10.10.10.0/24, foo.example.com zone and I have the trailing dots in the right places, so ping myserver.foo.example.com, ping myserver, and ping 10.10.10.10 (server's example IP from the foo.example.com zone) all work correctly.
    The DHCP server for this vlan is providing my DNS server to the clients, but is providing no netbios server. The XP clients are all set to use the DHCP server setting, which, according to the TCP/IP Advanced Settings panel, means that they'll revert to netbios over tcp/ip since no wins server is specified.
    In Server Admin->Windows->General:
    Role: Primary Domain Controller (PDC)
    Description: FOO Domain at example.com
    Computer Name: myserver
    Domain: FOO
    Server Admin->Windows->Access:
    Allow Guest Access: Check
    Client Connections: Unlimited
    Authentication: NTLMv2 & Kerberos, NTLM, and LAN Manager: All check
    Logging->Log Detail: High
    Advanced->Code Page: Latin US
    Services: Workgroup Master browser and Domain master browser: check
    WINS Registration: Off
    Homes: Enable virtual share points: check
    Should my Windows service on 10.4.11 be providing WINS or not? If so, should the DHCP server be set to point the clients to it? If not, how do the XP clients reliably resolve the FOO domain?
    Why did all these XP clients work fine with a 10.3.9 Windows PDC but don't work with 10.4.11?
    Another strange point: I can use the XP-side 'net view' command to poke around and things look reasonable, i.e. even the clients that aren't joined to the domain and can't locate the domain controller will return sane results for 'net view /domain:FOO'.

    The new PDC does use the same domain name as the old PDC, and the SID mismatch is at least partially to blame. After I'd performed the upgrade and confused the windows clients, I saw the advice on using samba's net command to duplicate the old PDC's SID to the new PDC. Maybe someday I'll have the opportunity to try that.
    I resorted to removing all the XP clients from the domain and re-joining them. The XP clients were still able to contact the domain intermittently. I used various command-line tools on the XP side, including the built-in net command as well as some others I downloaded such as the quite useful http://www.joeware.net/freetools/tools/findpdc/index.htm, as well as the client-side error messages during the domain join attempts and the messages in the Event log, to determine that the clients couldn't find the domain.
    The XP client TCP/IP settings state that the clients will revert to using netbios if no WINS server is specified, but that clearly wasn't working reliably, so I just enabled the WINS server on the PDC, told the DHCP server to hand out its address for the netbios-related options for that subnet, rebooted the PDC, waited a while for things to settle out, and now all the clients can reliably find the PDC.
    I still have no idea why the WINS-less set-up worked in 10.3 server but didn't work in 10.4 server, but believe me, I'll remember it now!

  • PDC Emulator Dynamic Group

    Hi,
    I'm new to SCOM and have started with some basic monitoring of security events, such as those raised when a new user is added to the Domain Admins group and when a user account lockout occurs.
    The latter of these relies on us monitoring the security logs of a Domain Controller, but specifically the PDC emulator for the domain.
    We run a multi-domain environment and, whilst I could make a group and then explicitly define the servers that hold the PDC Emulator role, it seems an unwise way to do things, as ultimately it means we have to change the group memberships if we ever move the role.
    Is there any way to make a group that will dynamically populate?  I've had a look at defining such a group but I can't see anything under the dynamic section that I could use to identify the Server holding the PDC emulator role.
    Grateful for any assistance people can offer.
    Pete

    Hi,
    Someone has asked a similar question, see the thread here
    The PDC emulator role is stored as a string on each instance of the DC role.
    It would be technically feasible to create a discovery based on the output from a script to identify the FSMO role holder; however, this would take some time to test/implement. In this case I would simply monitor every DC and use consolidation rules to suppress duplicate alerts. This would also mean that you get the information from the originating DC (as the event is logged at the local DC first and then replicated to the DC hosting the PDC emulator role); this could potentially highlight issues with one DC/site causing account lockouts, so could be beneficial in the long run.
    There’s more information on the other codes you could check here
    Hope I've understood what you're asking correctly

  • Windows Server 2012 Foundation, in a Workgroup - "The server did not finish checking the license compliance. If the server is joined to a domain, make sure that the server can connect to a domain controller"...

    Every few days we see two dialogs with the following messages:
    Dialog 1, title: Check for Licensing Compliance is Incomplete
    The server did not finish checking the license compliance. If the server is joined to a domain, make sure that the server can connect to a domain controller.
    Dialog 2, title: Check for Licensing Compliance is Incomplete
    The server did not finish checking the license compliance. If the server is joined to a domain, make sure that the server can connect to a domain controller. If the license compliance check cannot be completed, the server will automatically shut down in 8 day(s) 23 hour(s) 0 minute(s).
    The server is not (and never has been) joined to a domain or had any DC roles installed. In fact it's still connected to the default Workgroup.
    The server was configured in our office and never showed this message until it was installed on site. The main difference from what I can see is that when installed on site it was given a static IP address and does not have any DNS settings in the network adapter properties.
    I have scoured a number of forums on this error but in almost every other instance of this error message the servers are connected to a Domain Controller and the solutions generally are linked to dis-joining and rejoining the domain. Unfortunately this is not an option for this scenario.
    I initially thought that adding some relevant DNS server IP address may resolve the issue, however, we have the exact same model server configured exactly the same running at a different site that does not experience this problem. This server also has no DNS server configured.
    I have seen a post that suggests turning off the servers "Foundation Checking", but I'm unsure how to do this.

    Thanks for your response Vivian.
    I can confirm that this server is not (and never has been) a member of any active directory, it is configured as a Workgroup server. It was initially configured on a network that does have an active directory, but was never joined to it. During that time it
    never displayed these messages.
    The server was moved into production on a different site and network and set up with a static IP address. The site network does have its own active directory but the server was not joined to it. It is whilst on this new network that these messages began.
    Since my original post DNS servers have been added and the Microsoft activation has been verified, however, the messages are still appearing.
    There are only 2 user accounts configured on this server. The local admin account and another local admin user.
    The remote desktop services roles have been installed but not yet configured. I don't think that has any bearing on this scenario though.
    The description of this error in the above "Introduction to Windows Server 2012 Foundation" link states:
    This error occurs when the server cannot finish checking the requirements for the root domain, forest trust configuration, or both. It usually happens when the server cannot connect to a domain controller. If the situation persists, the server will
    shut down 10 days after the first time the compliance check failed. Each time this error message occurs, it will state the actual time remaining before the server will shut down. If you restart the server after it has shut down because of non-compliance, the
    server will shut itself down again in 3 days.
    The above description leads me to the following question - In a Workgroup environment, does the server still try to contact a domain controller to establish a level of trust? If this is the case could it be that the server can no longer see the initial DC
    on its new network and this is what is triggering the messages?
    Am I clutching at straws here?

  • Cannot generate Account Logon Events (Event ID 4624) in Security Event Log on Server 2008 R2 Domain Controller

    I have configured the Default Domain Controller's policy to log SUCCESS for Account Logon Events in the Server 2008 R2 Domain Controller, but these events are not logging in the Security Event log.
    Default Domain Controllers Policy
    Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policies/Audit Account Logon Events = Success.
    What tools can I use to troubleshoot this further? The results of "Auditpol.exe /get /category:*" are below.
    System audit policy
    Category/Subcategory                      Setting
    System
      Security System Extension               No Auditing
      System Integrity                        No Auditing
      IPsec Driver                            No Auditing
      Other System Events                     No Auditing
      Security State Change                   No Auditing
    Logon/Logoff
      Logon                                   No Auditing
      Logoff                                  No Auditing
      Account Lockout                         No Auditing
      IPsec Main Mode                         No Auditing
      IPsec Quick Mode                        No Auditing
      IPsec Extended Mode                     No Auditing
      Special Logon                           No Auditing
      Other Logon/Logoff Events               No Auditing
      Network Policy Server                   No Auditing
    Object Access
      File System                             No Auditing
      Registry                                No Auditing
      Kernel Object                           No Auditing
      SAM                                     No Auditing
      Certification Services                  No Auditing
      Application Generated                   No Auditing
      Handle Manipulation                     No Auditing
      File Share                              No Auditing
      Filtering Platform Packet Drop          No Auditing
      Filtering Platform Connection           No Auditing
      Other Object Access Events              No Auditing
      Detailed File Share                     No Auditing
    Privilege Use
      Sensitive Privilege Use                 No Auditing
      Non Sensitive Privilege Use             No Auditing
      Other Privilege Use Events              No Auditing
    Detailed Tracking
      Process Termination                     No Auditing
      DPAPI Activity                          No Auditing
      RPC Events                              No Auditing
      Process Creation                        No Auditing
    Policy Change
      Audit Policy Change                     No Auditing
      Authentication Policy Change            No Auditing
      Authorization Policy Change             No Auditing
      MPSSVC Rule-Level Policy Change         No Auditing
      Filtering Platform Policy Change        No Auditing
      Other Policy Change Events              No Auditing
    Account Management
      User Account Management                 No Auditing
      Computer Account Management             No Auditing
      Security Group Management               No Auditing
      Distribution Group Management           No Auditing
      Application Group Management            No Auditing
      Other Account Management Events         No Auditing
    DS Access
      Directory Service Changes               No Auditing
      Directory Service Replication           No Auditing
      Detailed Directory Service Replication  No Auditing
      Directory Service Access                No Auditing
    Account Logon
      Kerberos Service Ticket Operations      No Auditing
      Other Account Logon Events              No Auditing
      Kerberos Authentication Service         No Auditing
      Credential Validation                   Success

    Hi Lawrence,
    After configuring the GPO, did we run the command gpupdate /force to update the policy immediately on the domain controller? Besides, please run the command gpresult /h c:\gpreport.html to check if the audit policy setting was applied successfully.
    TechNet Subscriber Support
    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
    Best regards,
    Frank Shen
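
An added example, not part of the thread above: the question enables the legacy "Audit account logon events" category, and the auditpol listing confirms that only Account Logon > Credential Validation is auditing Success. Event 4624 is not emitted by the Account Logon category at all; it belongs to Logon/Logoff > Logon (legacy name "Audit logon events"). Account Logon subcategories produce 4768/4769 (Kerberos) and 4776 (NTLM credential validation). The PowerShell below parses an auditpol listing in the text layout shown in the question, maps the event IDs a DC admin usually wants to the subcategory that generates them, and reports which ones are actually covered. The event-to-subcategory table is the documented Windows mapping; the function names are this example's own, and the embedded sample listing is an excerpt constructed from the output posted in the question.

```powershell
# Added example (not from the thread): check which audit subcategory each
# Security-log event ID needs, against an "auditpol /get /category:*" listing.
# The event-ID-to-subcategory mapping is the documented Windows one; the sample
# listing at the bottom is an excerpt of the output posted in the question.
# Written to run on PowerShell 2.0 (Server 2008 R2) as well as later versions.

# Event ID -> the category/subcategory that emits it.
$EventToSubcategory = @{
    4624 = @{ Category = 'Logon/Logoff';  Subcategory = 'Logon' }          # successful logon
    4625 = @{ Category = 'Logon/Logoff';  Subcategory = 'Logon' }          # failed logon
    4634 = @{ Category = 'Logon/Logoff';  Subcategory = 'Logoff' }
    4672 = @{ Category = 'Logon/Logoff';  Subcategory = 'Special Logon' }  # admin-equivalent privileges
    4768 = @{ Category = 'Account Logon'; Subcategory = 'Kerberos Authentication Service' }    # TGT
    4769 = @{ Category = 'Account Logon'; Subcategory = 'Kerberos Service Ticket Operations' } # TGS
    4776 = @{ Category = 'Account Logon'; Subcategory = 'Credential Validation' }              # NTLM
}

function ConvertFrom-AuditPolText {
    # Parse auditpol's text layout: category names are flush-left, subcategory
    # lines are indented and end with the effective setting.
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    $category = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*$' -or $line -match '^(System audit policy|Category/Subcategory)') { continue }
        if ($line -match '^\S') { $category = $line.Trim(); continue }
        if ($line -match '^\s+(?<sub>.+?)\s{2,}(?<setting>No Auditing|Success and Failure|Success|Failure)\s*$') {
            $setting = $Matches['setting']
            New-Object PSObject -Property @{
                Category    = $category
                Subcategory = $Matches['sub']
                Success     = @('Success', 'Success and Failure') -contains $setting
                Failure     = @('Failure', 'Success and Failure') -contains $setting
            }
        }
    }
}

function Test-AuditCoverage {
    # For each wanted event ID, say whether the subcategory that emits it audits
    # Success, and give the auditpol command that would switch it on.
    param(
        [Parameter(Mandatory=$true)][object[]]$Policy,
        [int[]]$EventIds = @(4624, 4672, 4768, 4776)
    )
    foreach ($id in $EventIds) {
        $want  = $EventToSubcategory[$id]
        $entry = $Policy | Where-Object { $_.Category -eq $want.Category -and $_.Subcategory -eq $want.Subcategory }
        $ok    = [bool]($entry -and $entry.Success)
        $fix   = ''
        if (-not $ok) { $fix = 'auditpol /set /subcategory:"' + $want.Subcategory + '" /success:enable' }
        New-Object PSObject -Property @{
            EventId        = $id
            Subcategory    = $want.Category + ' > ' + $want.Subcategory
            SuccessAudited = $ok
            FixCommand     = $fix
        }
    }
}

# Excerpt of the listing posted in the question (constructed from those lines).
$SampleAuditPol = @'
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   No Auditing
  Logoff                                  No Auditing
  Special Logon                           No Auditing
Account Logon
  Kerberos Service Ticket Operations      No Auditing
  Kerberos Authentication Service         No Auditing
  Credential Validation                   Success
'@

$policy = ConvertFrom-AuditPolText -Lines ($SampleAuditPol -split "`r?`n")
Test-AuditCoverage -Policy $policy | Format-Table EventId, Subcategory, SuccessAudited, FixCommand -AutoSize
# On a live DC, feed the real listing instead:
#   $policy = ConvertFrom-AuditPolText -Lines (auditpol /get /category:*)
```

Against the sample, only 4776 comes back as audited; 4624, 4672 and 4768 do not, which matches what the question describes. Two caveats for anyone applying the suggested auditpol command on a domain controller: if audit policy is delivered by Group Policy, a local `auditpol /set` is overwritten at the next policy refresh, so the change belongs in the GPO, either as the legacy "Audit logon events" setting beside the "Audit account logon events" one already configured, or under Advanced Audit Policy Configuration > Logon/Logoff > Audit Logon; and once any advanced subcategory is configured through policy, the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" (enabled by default on 2008 R2) makes the legacy category settings stop applying, which is another reason a category-level GPO setting can look ignored. The gpresult /h report suggested in the reply is the right place to confirm which of the two forms is in effect.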
