Time server in a domain
I just set my PDC emulator on a 2012 R2 domain to get time from the ntp.org time servers.
Looks to be working; when I do a w32tm /query /status I get the source either 1, 2, or 3.north-america.pool.ntp.org,0x8
Likewise when I do it on my "backup" domain controller (no roles on this one) I get the source as the PDCe above.
My domain controllers are fine. My member servers, which I thought by default would synch with the DC that it authenticates with, I get all sorts of sources.
One has source:CMOS clock, another source:time.windows.com,0x1
Should I be configuring the time settings for my member servers as well? If so, GPO would be the preferred way if anyone has tips....thank you.
Any machines joined to the domain should synchronize their time with the server holding the PDC role, no further configuration is required. Are these member servers on the same subnet as the PDC role holder? If not then perhaps the connection is being blocked by a firewall somewhere. Are there any errors in the event logs of the member server relating to the time service that might have logged a fault in the event viewer?
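One way to audit which source each domain member actually reports, as an added example that is not part of the original thread. The helper names `Get-TimeSourceFinding` and `Get-RemoteTimeSource` and every host name in the sample are constructed; the suggested fix reuses the `w32tm` switches quoted elsewhere on this page, and the script assumes PowerShell 3.0 or later.

```powershell
# Added example: classify the time source a domain member reports.
# Helper names and all host names below are constructed for illustration.

function Get-TimeSourceFinding {
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,
        [Parameter(Mandatory)] [string]   $Source,             # first line of "w32tm /query /source"
        [Parameter(Mandatory)] [string[]] $DomainControllers,  # FQDNs of all domain controllers
        [Parameter(Mandatory)] [string]   $PdcEmulator         # FQDN of the PDC emulator
    )

    # Accept both the FQDN and the short host name of each DC.
    $dcNames  = foreach ($dc in $DomainControllers) { $dc; ($dc -split '\.')[0] }
    $pdcNames = $PdcEmulator, ($PdcEmulator -split '\.')[0]
    $isPdc    = $pdcNames -contains $ComputerName

    # w32tm appends flags such as ",0x8" to NTP peers; keep only the host part.
    $peer = ($Source -split ',')[0].Trim()

    if ($peer -match 'CMOS|Free-running') {
        $status = 'NotSyncing'            # running on the local clock only
    } elseif ($peer -match '^VM IC Time') {
        $status = 'HypervisorClock'       # time comes from the Hyper-V host
    } elseif ($isPdc) {
        $status = 'ExternalExpected'      # the PDC emulator is the one host meant to use an outside peer
    } elseif ($dcNames -contains $peer) {
        $status = 'DomainHierarchy'
    } else {
        $status = 'OutsideHierarchy'      # e.g. time.windows.com on a domain member
    }

    $domhier = 'w32tm /config /syncfromflags:domhier /update; w32tm /resync /rediscover'
    $action = switch ($status) {
        'NotSyncing'       { if ($isPdc) { 'Check the manual peer list on the PDC emulator' } else { $domhier } }
        'HypervisorClock'  { "Disable Hyper-V time synchronization for this guest, then: $domhier" }
        'OutsideHierarchy' { $domhier }
        default            { 'none' }
    }

    [pscustomobject]@{
        ComputerName = $ComputerName
        Source       = $peer
        Status       = $status
        Action       = $action
    }
}

# Live query for one host; returns the text that w32tm prints.
function Get-RemoteTimeSource {
    param([Parameter(Mandatory)][string]$ComputerName)
    $out = & w32tm.exe /query /source "/computer:$ComputerName" 2>&1
    if ($LASTEXITCODE -ne 0) { return "ERROR: $($out -join ' ')" }
    ($out | Select-Object -First 1).ToString()
}

# Offline demonstration with constructed data that mirrors the sources in the question.
$dcs = 'pdc01.corp.example', 'dc02.corp.example'
$pdc = 'pdc01.corp.example'
$sample = @(
    @{ ComputerName = 'pdc01'; Source = '2.north-america.pool.ntp.org,0x8' }
    @{ ComputerName = 'dc02';  Source = 'pdc01.corp.example' }
    @{ ComputerName = 'app01'; Source = 'Local CMOS Clock' }
    @{ ComputerName = 'app02'; Source = 'time.windows.com,0x1' }
)

$report = foreach ($row in $sample) {
    Get-TimeSourceFinding -ComputerName $row.ComputerName -Source $row.Source `
        -DomainControllers $dcs -PdcEmulator $pdc
}
$report | Format-Table -AutoSize

# On a domain-joined host the DC list can be read from the directory instead:
# $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
# $dcs    = $domain.DomainControllers | ForEach-Object { $_.Name }
# $pdc    = $domain.PdcRoleOwner.Name
```

Members that drift from the domain hierarchy matter beyond tidiness: Kerberos rejects tickets once the clock skew exceeds its tolerance (five minutes by default), and log timestamps from unsynchronized hosts are hard to correlate.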
Similar Messages
-
Hello,
I'm trying to get my 2008 R2 server (physical server) to synch with an external time server. I've read other threads on the topic but have not found a solution. I'm sure I'm missing something.
First the step leading to the error:
w32tm /resync /rediscover
Sending resync command to local computer
The computer did not resync because no time data was available.
Following is the history:
Here are the steps
C:\>netdom /query fsmo
Schema master DC-01.coastal.local
Domain naming master DC-01.coastal.local
PDC DC-01.coastal.local
RID pool manager DC-01.coastal.local
Infrastructure master DC-01.coastal.local
The command completed successfully.
next:
w32tm /config /manualpeerlist:time.nist.gov,0x1 /syncfromflags:manual /reliable:yes /update
The command completed successfully.
next:
net stop w32time && net start w32time
The Windows Time service is stopping.
The Windows Time service was stopped successfully.
The Windows Time service is starting.
The Windows Time service was started successfully.
Next:
w32tm /resync /rediscover
Sending resync command to local computer
The computer did not resync because no time data was available.
Next:
Did a restart of the server and repeated:
w32tm /resync /rediscover
Sending resync command to local computer
The computer did not resync because no time data was available.
Next:
Ran the following:
w32tm /query /configuration
C:\>w32tm /query /configuration
[Configuration]
EventLogFlags: 2 (Policy)
AnnounceFlags: 10 (Policy)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Policy)
MaxPollInterval: 10 (Policy)
MaxNegPhaseCorrection: 172800 (Policy)
MaxPosPhaseCorrection: 172800 (Policy)
MaxAllowedPhaseOffset: 300 (Policy)
FrequencyCorrectRate: 4 (Policy)
PollAdjustFactor: 5 (Policy)
LargePhaseOffset: 50000000 (Policy)
SpikeWatchPeriod: 900 (Policy)
LocalClockDispersion: 10 (Policy)
HoldPeriod: 5 (Policy)
PhaseCorrectRate: 1 (Policy)
UpdateInterval: 100 (Policy)
[TimeProviders]
NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Policy)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Policy)
ResolvePeerBackoffMaxTimes: 7 (Policy)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 0 (Policy)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Policy)
Type: NT5DS (Policy)
NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)
VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
Any feedback/guidance appreciated!!
Hi,
You may need to update command w32tm /config /syncfromflags:domhier /update, to change the IntranetServer w32time type to nt5ds (this sets the service to pull from the AD).
For more detailed information, please refer to the thread below:
The computer did not resync because no time data was available (w32tm)
http://social.technet.microsoft.com/Forums/windowsserver/en-US/127e7fe7-6fff-469d-8536-8da1c9825cb0/the-computer-did-not-resync-because-no-time-data-was-available-w32tm
You could refer to the article below to configure time in Active Directory:
“It’s Simple!” – Time Configuration in Active Directory
http://blogs.technet.com/b/nepapfe/archive/2013/03/01/it-s-simple-time-configuration-in-active-directory.aspx
Regards,
Mandy
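The `(Local)` and `(Policy)` markers in the `w32tm /query /configuration` output posted above show where each effective value comes from. The following parser is an added example, not part of the original thread: the function names are hypothetical, the sample is an abridged copy of the posted output, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: parse "w32tm /query /configuration" and report where the
# effective NtpClient settings come from. Function names are illustrative.

function ConvertFrom-W32tmConfiguration {
    param([Parameter(Mandatory)][string[]]$Lines)

    $section = $null; $provider = $null
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(?<s>.+)\]$') {
            # [Configuration] or [TimeProviders]
            $section = $Matches.s; $provider = $null
        }
        elseif ($text -match '^(?<n>\w+):\s+(?<v>.*?)\s+\((?<o>Local|Policy)\)$') {
            # "Name: Value (Origin)"
            [pscustomobject]@{
                Section  = $section
                Provider = $provider
                Name     = $Matches.n
                Value    = $Matches.v
                Origin   = $Matches.o
            }
        }
        elseif ($text -match '^(?<p>\w+)\s+\((Local|Policy)\)$') {
            # Provider header such as "NtpClient (Local)"
            $provider = $Matches.p
        }
    }
}

function Get-W32tmConfigFinding {
    param([Parameter(Mandatory)][object[]]$Settings)

    $client = @($Settings | Where-Object { $_.Provider -eq 'NtpClient' })
    $type   = $client | Where-Object { $_.Name -eq 'Type' }      | Select-Object -First 1
    $peers  = $client | Where-Object { $_.Name -eq 'NtpServer' } | Select-Object -First 1
    if (-not $type) { return 'NtpClient Type not found in the output.' }

    if ($type.Origin -eq 'Policy') {
        "Type=$($type.Value) comes from Group Policy and overrides values written locally by 'w32tm /config'."
    }
    switch ($type.Value) {
        'NT5DS'  { 'Type=NT5DS: the client follows the domain hierarchy and does not use a manual peer list.' }
        'NoSync' { 'Type=NoSync: the client does not synchronize with any source.' }
        default  { if (-not $peers) { "Type=$($type.Value) but no NtpServer peer list is configured." } }
    }

    $policy = @($Settings | Where-Object { $_.Origin -eq 'Policy' })
    if ($policy.Count -gt 0) {
        "$($policy.Count) setting(s) are policy-controlled: $(($policy.Name | Select-Object -Unique) -join ', ')"
    }

    $vmic = $Settings | Where-Object { $_.Provider -eq 'VMICTimeProvider' -and $_.Name -eq 'Enabled' }
    if ($vmic -and $vmic.Value -eq '1') {
        'VMICTimeProvider is enabled: on a Hyper-V guest the host clock is offered as a time source.'
    }
}

# Abridged copy of the output posted in the thread.
$posted = @'
[Configuration]
EventLogFlags: 2 (Policy)
AnnounceFlags: 10 (Policy)
MaxPollInterval: 10 (Policy)
[TimeProviders]
NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
SpecialPollInterval: 3600 (Policy)
Type: NT5DS (Policy)
NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
VMICTimeProvider (Local)
Enabled: 1 (Local)
'@ -split "`r?`n"

$settings = ConvertFrom-W32tmConfiguration -Lines $posted
Get-W32tmConfigFinding -Settings $settings

# Live use: ConvertFrom-W32tmConfiguration -Lines (w32tm /query /configuration)
```

For the posted output this reports that `Type` is `NT5DS` and policy-controlled; a PDC emulator in the forest root has no parent in the domain hierarchy to pull time from.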
-
Configuring group policy for user profiles in Windows Server 2012 R2 Domain
Requesting some experts advise on configuring group policy for user profiles.
We will be building new Windows Server 2012 R2 Domain Controllers (Domain of 400 users).
The settings which I am concerned:
1. Folder Redirection: Desktop, Documents, Favorites.
2. Quota for Folder Redirection - 1 GB per user.
3. Map a networked drive - 1 GB per user.
4. Roaming profile - (Will ignore if it does not suit our requirement).
The question is how outlook profile will be retained / automatically moved if the users move from one computer to other?
FYI, E-mails hosted on MS Office365 and OST file size of few users more than 25GB. So, in case the user moves from one computer to other, the entire mailbox will be downloaded via internet. This consumes high bandwidth if more than 3-4 users shift per day.
Thanks a lot for your valuable time and efforts.
Hi,
>>The question is how outlook profile will be retained / automatically moved if the users move from one computer to other?
This depends on where our outlook data files are stored. If these data files are stored under drive:\Users\<username>\AppData\Local, then these files can't be redirected, for folder redirection can't redirect appdata local or locallow.
However, regarding your question, we can refer to the following thread to find the solution.
Roam outlook profiles without roaming profiles
http://social.technet.microsoft.com/Forums/office/en-US/3908b8e0-8f44-4a34-8eb5-5a024df3463e/roam-outlook-profiles-without-roaming-profiles
In addition, regarding how to configure folder redirection, the following article can be referred to for more information.
Configuring Folder Redirection
http://technet.microsoft.com/library/cc786749.aspx
Hope it helps.
Best regards,
Frank Shen -
Upgrade to Server 2012 R2 domain controllers from 2003
I am at a loss as to what I did wrong here. Everything seems to be working fine except for one subnet (which is behind a hardware firewall).
We had two Server 2003 domain controllers and one of them was failing. I raised the forest functional level of our old primary domain controllers to 2003. I built the first replacement Server 2012 R2 domain controller. Added the AD DS roles and promoted it as a domain controller. I let it sit for a couple days. The FSMO roles were currently being handled by our other 2003 domain controller. Once this had been sitting for a while (don't recall how long) I ran dcpromo on the failing server and demoted it. Once demoted I shut it down and pulled it out of the rack. I then built our second 2012 R2 server and gave it the same IP as the failing one. Installed the AD DS roles and integrated DNS as prompted by the wizard. I then made it the operations master for Schema master, Domain naming master, PDC, RID pool manager, and Infrastructure master. Then I ran dcpromo on the second 2003 domain controller to demote it and removed it from the network. I then demoted the first new controller (DC03) changed the hostname and IP to the name and IP of the second 2003 controller and promoted it again. I'm not sure at what point things broke, but everything works from the same subnet that the domain controllers are in, just not a second subnet that is through a hardware firewall. I don't see anything getting blocked while watching firewall logs so I don't think the firewall is the issue.
Here is the dcdiag and ipconfig from the first controller (which has all 5 FSMO roles).
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\username>dcdiag /v /test:dns
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine WGDDC01, is a Directory Server.
Home Server = WGDDC01
* Connecting to directory service on server WGDDC01.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=wgd,DC=inet,LD
AP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name
,CN=Sites,CN=Configuration,DC=wgd,DC=inet
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=wgd,DC=inet,LD
AP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=WGDDC01,CN=Servers,CN=
Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wgd,DC=inet
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=WGDDC02,CN=Servers,CN=
Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wgd,DC=inet
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\WGDDC01
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... WGDDC01 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\WGDDC01
Test omitted by user request: Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Test omitted by user request: FrsEvent
Test omitted by user request: DFSREvent
Test omitted by user request: SysVolCheck
Test omitted by user request: KccEvent
Test omitted by user request: KnowsOfRoleHolders
Test omitted by user request: MachineAccount
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: Replications
Test omitted by user request: RidManager
Test omitted by user request: Services
Test omitted by user request: SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: VerifyReferences
Test omitted by user request: VerifyReplicas
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
See DNS test in enterprise tests section for results
......................... WGDDC01 failed test DNS
Running partition tests on : DomainDnsZones
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : ForestDnsZones
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : Schema
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : Configuration
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : wgd
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running enterprise tests on : wgd.inet
Starting test: DNS
Test results for domain controllers:
DC: WGDDC01.wgd.inet
Domain: wgd.inet
TEST: Authentication (Auth)
Authentication test: Successfully completed
TEST: Basic (Basc)
The OS
Microsoft Windows Server 2012 R2 Standard (Service Pack level:
0.0)
is supported.
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is a DNS server
Network adapters information:
Adapter [00000010] Broadcom NetXtreme Gigabit Ethernet:
MAC address is B0:83:FE:C1:98:07
IP Address is static
IP address: 10.240.1.23
DNS servers:
10.240.1.23 (WGDDC01) [Valid]
10.240.1.24 (WGDDC02) [Valid]
127.0.0.1 (WGDDC01) [Valid]
The A host record(s) for this DC was found
The SOA record for the Active Directory zone was found
Warning: no DNS RPC connectivity (error or non Microsoft DNS s
erver is running)
[Error details: 5 (Type: Win32 - Description: Access is denied
Summary of test results for DNS servers used by the above domain
controllers:
DNS server: 10.240.1.23 (WGDDC01)
All tests passed on this DNS server
Name resolution is functional._ldap._tcp SRV record for the fores
t root domain is registered
DNS server: 10.240.1.24 (WGDDC02)
All tests passed on this DNS server
Name resolution is functional._ldap._tcp SRV record for the fores
t root domain is registered
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
Domain: wgd.inet
WGDDC01 PASS WARN n/a n/a n/a
n/a n/a
......................... wgd.inet passed test DNS
Test omitted by user request: LocatorCheck
Test omitted by user request: Intersite
C:\Users\dsmythe>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : WGDDC01
Primary Dns Suffix . . . . . . . : wgd.inet
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : wgd.inet
Ethernet adapter WGD_INET:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : B0-83-FE-C1-98-07
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.240.1.23(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.240.1.1
DNS Servers . . . . . . . . . . . : 10.240.1.23
10.240.1.24
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{2C28B0FA-6BF8-4201-A6DA-081AED63B496}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
When I try to bind a machine to the domain I get an error message that says "
The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "wgd.inet":
The error was: "This operation returned because the timeout period expired."
(error code 0x000005B4 ERROR_TIMEOUT)
The query was for the SRV record for _ldap._tcp.dc._msdcs.wgd.inet
The DNS servers used by this computer for name resolution are not responding. This computer is configured to use DNS servers with the following IP addresses:
10.240.1.24
10.240.1.23
Verify that this computer is connected to the network, that these are the correct DNS server IP addresses, and that at least one of the DNS servers is running.
Please let me know if I'm missing something or if there are other things I can check.
Thanks!
I forgot to mention that after the 2003 domain controllers were out of the environment, I raised the domain and forest functional level to 2012 R2. All clients in the environment are Windows XP Pro or above. The XP Pro boxes will be going away as soon as our vendor supports their software to run on Windows 7.
We now have 2 2012 R2 DCs. The 2003 DCs are gone. Metadata from the old DCs is all cleaned up. DNS seems to be working fine in 3 out of 4 subnets. The 4th is behind a hardware firewall and I can see the IP address of the machine I am trying to bind to the domain connecting to the two new domain controllers but the client machine that is trying to bind gives an error. An Active Directory Domain Controller for the domain wgd.inet could not be contacted. It seems that this is just a DNS issue for one particular subnet (10.240.2.0/24). This subnet is setup in AD Sites and Services\Sites\Subnets\10.240.2.0/24 (Site: Default-First-Site-Name).
When trying to do anything with nslookup from the 10.240.2.0/24 subnet it times out. The route is there and I can watch it connect through our hardware firewall over port 53.
DC01
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\dsmythe>netdom query fsmo
Schema master WGDDC01.wgd.inet
Domain naming master WGDDC01.wgd.inet
PDC WGDDC01.wgd.inet
RID pool manager WGDDC01.wgd.inet
Infrastructure master WGDDC01.wgd.inet
The command completed successfully.
C:\Users\dsmythe>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : WGDDC01
Primary Dns Suffix . . . . . . . : wgd.inet
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : wgd.inet
Ethernet adapter WGD_INET:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : B0-83-FE-C1-98-07
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.240.1.23(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.240.1.1
DNS Servers . . . . . . . . . . . : 10.240.1.23
10.240.1.24
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{2C28B0FA-6BF8-4201-A6DA-081AED63B496}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
C:\Users\dsmythe>
DC02
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\dsmythe>netdom query fsmo
Schema master WGDDC01.wgd.inet
Domain naming master WGDDC01.wgd.inet
PDC WGDDC01.wgd.inet
RID pool manager WGDDC01.wgd.inet
Infrastructure master WGDDC01.wgd.inet
The command completed successfully.
C:\Users\dsmythe>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : WGDDC02
Primary Dns Suffix . . . . . . . : wgd.inet
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : wgd.inet
Ethernet adapter NIC1:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : B0-83-FE-C1-9F-74
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.240.1.24(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.240.1.1
DNS Servers . . . . . . . . . . . : 10.240.1.24
10.240.1.23
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{4F45E51E-FC2F-49ED-85CF-0750A9EEECF5}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
C:\Users\dsmythe> -
Setting up Time Sync when all domain controllers are virtual machines?
We have 2 existing server 2008 domain controllers on 2008 Hyper-V. We plan to set up a third domain controller in a new AD site at a remote site that will be Server 2012 R2 on 2012R2 Hyper-V.
PDC role DC is on one of the DCs in the original site.
How should time syncing be set?
From what I've read, all Hyper-V time synchronization between the virtual domain controllers and their Hyper-V host should be disabled.
So, do we set up the PDC virtual machine to sync to an external site source and then expect the other 3 domain controllers to automatically sync with the time of the PDC?
What happens with this process during a PDC reboot or if that PDC role domain controller becomes unavailable for any other reason? Does one of the other DCs then take over the role of domain time source even through they don't have access to the external time source?
Should we also turn off Hyper-V time syncing for every Hyper-V guest that is a member of our domain (since they should also be getting their time from a domain controller) or only turn off the Hyper-V time sync for the domain controllers alone?
>>We have 2 existing server 2008 domain controllers on 2008 Hyper-V. We plan to set up a third domain controller in a new AD site at a remote site that will be Server 2012 R2 on 2012R2 Hyper-V.
>>PDC role DC is on one of the DCs in the original site.
>>How should time syncing be set?
Simply make sure that time sync is disabled on your Hyper-V VM. For time configuration in AD domain, I have documented that here: http://social.technet.microsoft.com/wiki/contents/articles/18573.time-synchronization-in-active-directory-forests.aspx
>>From what I've read, all Hyper-V time synchronization between the virtual domain controllers and their Hyper-V host should be disabled.
>>So, do we set up the PDC virtual machine to sync to an external site source and then expect the other 3 domain controllers to automatically sync with the time of the PDC?
They don't take over the role of PDC. The downtime of your PDC should not take a long time. That is why it is important to regularly monitor the health status of your DCs using SCOM or third party tools. The one I usually recommend is Lepide Auditor - Active Directory: http://www.lepide.com/lepideauditor/active-directory.html. The solution allows you also to track changes in your AD domain.
>>Should we also turn off Hyper-V time syncing for every Hyper-V guest that is a member of our domain (since they should also be getting their time from a domain controller) or only turn off the Hyper-V time sync for the domain controllers alone?
I would recommend turning off the Hyper-V time sync on all your Hyper-V VMs that are domain-joined.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
-
Setting time or time server on clients with ARD
Does anyone know what files need to be copied to OS X clients to set their time or time server? I know that time server info is stored in /etc/ntp.conf, but this isn't the only file that needs to be sent to set up a client to get its time from a time server. I haven't been able to find the correct .plist file that includes these settings and am not familiar enough with UNIX to know which other files are used for these settings.
Thank you,
Peggy
Using the ARD Send Unix Command option send the following command to the workstations:
systemsetup -settime <hh:mm:ss>
where <hh:mm:ss> is the time you want the systems to have (don't include the brackets). Send the command as the root user (enter root in "send command as:")
To set the time server to use, send:
systemsetup -setnetworktimeserver <timeserver>
substituting the domain name of the time server (again, no brackets).
For more such commands, in Terminal enter:
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/networksetup -help
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/systemsetup -help
or from within the Remote Desktop Admin in the Send Unix Command window type:
networksetup -help
systemsetup -help
Regards. -
Adding a Server 2008 R2 Domain Controller at a remote site
Hello. I have been trying to set up a hot site at a remote location. The story is long and involved but a few weeks ago it seemed to be finally working. Our setup is two mirrored 2008 R2 servers at main site, mirrored with Double Take. The hot site is the same except that so far I only had one server working. The two sites connected via site to site VPN.
About a week later our primary server basically crashed. At first it worked but very slowly. I was on vacation at the time and so I am not sure of the sequence of events, or exactly what errors were presented, but my associate first tried rebooting. It took over 20 minutes to boot and then it said something to the effect that no domain controllers were available (not sure about this message). He then discovered that the server at the remote site had some fsmo roles assigned to it. He transferred the roles to the primary at the main site and then demoted the remote server to a workstation (but still a domain member).
After that, rebooting the primary was much faster and everything at the primary site is working again. Now I want to set the remote site up again, but avoid the problem. The way I originally set up the remote server was to use an IFM file, generated from our primary. This should have made the remote server a catalog server, with DNS (which it did), but as far as I know should not have transferred any fsmo roles.
The remote server(s) are wanted to be in the same domain as the primary. They will also be mirrored from the primary (with Double Take). If we had total failure at the main site, we wish to be able to immediately begin operations at the hot site (after a fail over). I freely admit that I am swimming out of my depth here. I am not sure that I have selected the correct architecture or used the correct options in setting up the remote servers. I am looking for information about what went wrong, and whether some other setup is more desirable.
Thanks for any help, Russ
Russ
Philippe, thank you for your answers. I do not understand everything you said but I will address each point as best I can:
1. "In the remote site do you simply do a dcpromo / add the ADDS's role to make the server a active Domain Controller ?" Yes, but I use the method described at http://technet.microsoft.com/en-us/library/cc753720(v=ws.10).aspx, The GUI method. At step #8 I specified to use advanced mode so I could use the IFM file.
2. "In your AD' Site and Service MMC, do you configured the remote site ?" I do not know what you mean by this. How does one configure the site as 'remote'?
3. "Do you added that remote server as a Global catalogue ?". Yes, when I built the IFM file I specified to add the global catalog.
4. "Do you added the PC in site 1, the IP of those DNS server in them ? (last of course) So the computer in the main site will talk to the remote server in case of a crash." I am not sure I understand this item. After the remote server was added, all of the members of both domain servers automatically appeared in the DNS of all servers in the domain. I do not recall if the new items were last, but I expect that they would be.
I have since reviewed the happenings with my associate and have a little more information. The order of the problems and the actions taken are:
1. Our primary (production) system was still working but extremely slow, and he observed that the slowness was caused by a lot of traffic with the remote site. Rebooting the production server took over 25 minutes and the server came up saying that domain information was not available. After another 30 minutes or so he discovered that the domain data was now available and the server worked, but still slow.
2. He did not check to verify that roles were held by the remote server, but he transferred all roles from the remote to the production server using ntdsutil. I would expect that if the role was not held by the remote, the transfer command would have shown that fact.
3. He then tried to demote the remote server but had an error that it could not be demoted because "the active directory service is missing mandatory configuration information".
4. He forcefully demoted the remote server.
5. After rebooting the production server again performance was slightly better but still slow (and the reboot was still very slow).
6. After some research he removed the remote domain controller's meta data from the production server and then rebooted the production server again.
At that point reboot was fast (under 5 minutes) and the production system was working at normal speed again.
All of the above leads me to believe that somehow the FSMO roles got added to, or moved to the remote site when I used the IFM file to create the new domain controller. However nothing I have read says that this should happen. I hope someone here can give me a better answer as to what caused the problem, as I do not wish to interrupt our production system like this again.
Thank you, Russ
PS: Sorry for the delay in getting back to this but some other priorities took me away from it for a week.
Russ -
Issues with starting weblogic server for my domain
This is part of the adminserver log file:
####<Apr 29, 2009 3:47:18 PM EDT> <Critical> <WebLogicServer> <mycomputername> <AdminServer> <main> <<WLS Kernel>> <> <> <1241034438142> <BEA-000386> <Server subsystem failed. Reason: java.lang.AssertionError: java.lang.reflect.InvocationTargetException
java.lang.AssertionError: java.lang.reflect.InvocationTargetException
at weblogic.descriptor.internal.AbstractDescriptorBean$SecurityService._invokeServiceMethod(AbstractDescriptorBean.java:1011)
at weblogic.descriptor.internal.AbstractDescriptorBean$SecurityService.decrypt(AbstractDescriptorBean.java:1039)
at weblogic.descriptor.internal.AbstractDescriptorBean$SecurityService.access$200(AbstractDescriptorBean.java:963)
at weblogic.descriptor.internal.AbstractDescriptorBean._decrypt(AbstractDescriptorBean.java:960)
What could the issue be?
I finally got so frustrated that I uninstalled and reinstalled it. I did not import any projects at this time, but created a simple, out-of-the-box domain. Then tried to start the server under that domain, and now I get:
Invalid table name "USERS" specified at position
Please find part of log output below (I don't see a place in this forum to attach a file). I've copied the portions out of the log that reference exceptions. I appreciate the help!
java.sql.SQLException: Invalid table name "USERS" specified at position 23.
at com.pointbase.net.netJDBCPrimitives.handleResponse(DashoA13*..:335)
at com.pointbase.net.netJDBCPrimitives.handleJDBCObjectResponse(DashoA13*..:383)
at com.pointbase.net.netJDBCConnection.prepareStatement(DashoA13*..:545)
at weblogic.security.providers.authentication.DBMSSQLReadOnlyDatabaseConnectionImpl.getPreparedStatement(DBMSSQLReadOnlyDatabaseConnectionImpl.java:37)
at weblogic.security.providers.authentication.shared.DBMSSQLRuntimeQueryImpl.passwordStringQuery(DBMSSQLRuntimeQueryImpl.java:78)
at weblogic.security.providers.authentication.shared.DBMSSQLRuntimeQueryImpl.executeUserPassword(DBMSSQLRuntimeQueryImpl.java:71)
at weblogic.security.providers.authentication.shared.DBMSAtnLoginModuleImpl.authenticateDBMS(DBMSAtnLoginModuleImpl.java:666)
at weblogic.security.providers.authentication.shared.DBMSAtnLoginModuleImpl.login(DBMSAtnLoginModuleImpl.java:270)
at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
at java.security.AccessController.doPrivileged(Native Method)
at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at com.bea.common.security.internal.service.JAASLoginServiceImpl.login(JAASLoginServiceImpl.java:91)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:61)
at $Proxy17.login(Unknown Source)
at weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.login(WLSJAASLoginServiceImpl.java:89)
at com.bea.common.security.internal.service.JAASAuthenticationServiceImpl.authenticate(JAASAuthenticationServiceImpl.java:80)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:61)
at $Proxy19.authenticate(Unknown Source)
at weblogic.security.service.PrincipalAuthenticator.authenticate(PrincipalAuthenticator.java:366)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:911)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1029)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:854)
at weblogic.security.SecurityService.start(SecurityService.java:141)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:181)
>
####<May 1, 2009 7:50:55 AM EDT> <Critical> <Security> <lmv25-ite89695> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1241178655172> <BEA-090403> <Authentication for user weblogic denied>
####<May 1, 2009 7:50:55 AM EDT> <Critical> <WebLogicServer> <mycomputername> <AdminServer> <main> <<WLS Kernel>> <> <> <1241178655172> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication for user weblogic denied
weblogic.security.SecurityInitializationException: Authentication for user weblogic denied
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:947)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1029)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:854)
at weblogic.security.SecurityService.start(SecurityService.java:141)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:181) -
Transferring PDC Emulator and Time Server Roles to New 2008 R2 DC
We are upgrading our Windows 2000 domain to Windows 2008 R2, and I introduced the first 2008 R2 domain controller into the environment. Currently the PDC emulator role is running on a Windows 2003 DC, which is configured to sync its time with external time servers.
My question is very similar to what was asked in the following post:
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/a58660fe-72c7-4e44-b6cb-ba885b676286
However, what I would like to know is if I should first transfer the PDC emulator role before performing the instructions shown in the thread? Or do I transfer the PDC emulator role after running the commands shown in the thread that are to be run on the old PDC emulator? Hopefully that makes sense.
Thank you.
Hi,
You may perform the following steps:
1. On the old PDC Emulator, run the following commands:
w32tm /config /syncfromflags:domhier /reliable:no /update
net stop w32time
net start w32time
2. Transfer the PDC Emulator to the new Domain Controller.
3. On the new PDC Emulator, run the following command:
w32tm /config /manualpeerlist:PEERS /syncfromflags:manual /reliable:yes /update
Please set for PEERS the time source as listed above, either with its IP address or DNS name. If more than one is needed, separate them with a space in between and don't forget the quotes: "time.domain.com time1.domain.com".
For more information, please refer to the following Microsoft KB article:
How to configure an authoritative time server in Windows Server
http://support.microsoft.com/kb/816042
Regards,
Arthur Li
TechNet Subscriber Support
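The three steps from the reply above, scripted in order with a check that the role has moved before external peers are configured. This is an added example, not part of the original reply; the host names are hypothetical placeholders, and it assumes PowerShell remoting to both domain controllers and the ActiveDirectory module on the machine running it.

```powershell
#Requires -Modules ActiveDirectory
# Added illustration. Host names are hypothetical placeholders; the peer list
# is the sample string from the reply, not a recommendation.
$OldPdc = 'OLD-DC01'
$NewPdc = 'NEW-DC01'
$Peers  = 'time.domain.com time1.domain.com'

# Step 1: the old PDC emulator returns to the domain hierarchy and stops
# advertising itself as a reliable source before it gives up the role.
Invoke-Command -ComputerName $OldPdc -ScriptBlock {
    w32tm /config /syncfromflags:domhier /reliable:no /update
    if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed on $env:COMPUTERNAME" }
    Restart-Service -Name w32time
}

# Step 2: transfer the role, then ask the new DC who holds it before going on.
Move-ADDirectoryServerOperationMasterRole -Identity $NewPdc `
    -OperationMasterRole PDCEmulator -Confirm:$false
$holder = (Get-ADDomain -Server $NewPdc).PDCEmulator
if ($holder -notlike "$NewPdc*") {
    throw "PDC emulator is still $holder; external peers were not configured."
}

# Step 3: only the new role holder is pointed at the external peers.
Invoke-Command -ComputerName $NewPdc -ScriptBlock {
    $peerList = $using:Peers
    # PowerShell quotes the argument because it contains a space, which gives
    # w32tm the same value as /manualpeerlist:"a b" typed in cmd.exe.
    w32tm /config "/manualpeerlist:$peerList" /syncfromflags:manual /reliable:yes /update
    if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed on $env:COMPUTERNAME" }
    Restart-Service -Name w32time
    w32tm /resync /rediscover
    w32tm /query /source    # should name one of the configured peers
}
```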
-
Promote this server to a domain controller still appears
Hi All, I've changed one DC 2003 with a new DC 2012 in my forest (I have 4 DCs and 3 sites) following these steps:
1 - Demote DC 2003
2 - Remove DNS 2003 Role
3 - Rename and change IP on Server 2003
4 - Wait and verify replication
5 - Give the same Hostname and IP of Server 2003 to New DC 2012
5 - Add Role AD Directory Service and when finished I use the notification "promote this server to a domain controller" to promote it to a member domain controller.
6 - After reboot the notification STILL APPEARS, but it shows as a DC and all works fine.
Can anyone help me?
Thanks
Hi Federico,
Can you please confirm, whether you are seeing the notification as given in the below screenshot,
This notification implies that “Active Directory Domain Services” role binaries have been installed and now it is time to promote the server to a Domain Controller.
Checkout the below link on Step-by-Step Guide for Setting Up A Windows Server 2012 Domain Controller,
http://social.technet.microsoft.com/wiki/contents/articles/12370.step-by-step-guide-for-setting-up-a-windows-server-2012-domain-controller.aspx
Regards,
Gopi
www.jijitechnologies.com -
[Solved] Need pointer for setting up an email server for other domains
I am trying to setup a mail server that can handle multiple domains. Followed this tutorial [1]
What I have:
mailserver.domain.tld
domain.tld
domain2.tld
I have set up postfix with dovecot through postfixadmin, have configured roundcube as my web email client. Emails coming from and going to the @mailserver.domain.tld addresses work as I would expect them to.
But what I am not grasping I guess is how do I add the domain.tld and domain2.tld domains so that the emails are @domain.tld but they are properly routed to be received on @mailserver.domain.tld
I have been reading the wiki and the postfix virtual readme, but I feel like I am getting lost and confused on terms. Can someone point me back on path for what the proper next step is to be able to get the other domains to receive mail properly. Should it be done with a virtual email or domain or? I have tried both, but probably not properly and any time I send from @domain.tld the email headers do not say to send back to @mailserver.domain.tld .
Thanks for your time and help.
[1] https://wiki.archlinux.org/index.php/Si … ail_System
Last edited by vwyodajl (2013-03-26 21:03:17)
Did you add MX records for mailserver.domain.tld to your domains? That should basically be all that is needed to get it working, assuming you configured the domains in postfixadmin already so your postfix feels responsible for them.
-
Unable to edit Default Domain policy on Server 2012 R2 domain controller
Hello,
I recently built a Server 2012 R2 domain controller and added it to my domain. When trying to edit the default domain policy I get the following error:
I can make edits to other GPO objects. All the other domain controllers are Server 2008 and are able to edit that GPO. The issue is on the Server 2012 box only. I've checked the delegated permissions, I'm a domain admin, and have opened GPMC as administrator. Does anyone know what I'm missing? Thank you for your time.
Tino
Hi Tino,
>>Could that be the problem?
I don't think so, for we can still use FRS to replicate Sysvol. However, it is recommended that we use DFSR to replicate Sysvol if our domain function level is Windows Server 2008 or above.
Besides, we can follow the suggestions from the following thread to check out which replication mechanism we are using.
DFS-R on 2008 R2 by default?
http://social.technet.microsoft.com/Forums/windowsserver/en-US/8f2042d3-193d-4414-b9da-cbcedc6a4c32/dfsr-on-2008-r2-by-default?forum=winserverDS
If the Sysvol is replicated by FRS mechanism, as I suggested in the last reply, we can do a non-authoritative restore for the Sysvol on the new Windows Server 2012. This will restore the Sysvol from a healthy DC.
To perform a nonauthoritative restore, stop the FRS service, configure the BurFlags registry key, and then restart the FRS service. To do so:
1. Click Start, and then click Run.
2. In the Open box, type cmd and then press ENTER.
3. In the Command box, type net stop ntfrs.
4. Click Start, and then click Run.
5. In the Open box, type regedit and then press ENTER.
6. Locate the following subkey in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
7. In the right pane, double-click BurFlags.
8. In the Edit DWORD Value dialog box, type D2 and then click OK.
9. Quit Registry Editor, and then switch to the Command box.
10. In the Command box, type net start ntfrs.
11. Quit the Command box.
Hope it helps.
Best regards,
Frank Shen -
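The non-authoritative FRS restore steps from the reply above, as a script. This is an added example, not part of the original reply; it assumes an elevated Windows PowerShell session on the affected domain controller, and the 30-minute wait is an arbitrary choice.

```powershell
# Added illustration; run elevated on the DC whose SYSVOL copy is to be rebuilt.
$subKey  = 'System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$started = Get-Date

Stop-Service -Name NtFrs

# "Backup/Restore" contains a forward slash. The PowerShell registry provider
# treats "/" as a path separator, so an HKLM:\ path cannot address this key.
# The .NET registry API takes the key name literally.
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $true)
if ($null -eq $key) {
    Start-Service -Name NtFrs
    throw "Registry key not found: HKLM\$subKey"
}
try {
    # "D2" typed into the Edit DWORD Value dialog is hexadecimal.
    $key.SetValue('BurFlags', 0xD2, [Microsoft.Win32.RegistryValueKind]::DWord)
}
finally {
    $key.Close()
}

Start-Service -Name NtFrs

# FRS logs event 13516 once SYSVOL has been re-initialised and is shared again.
$deadline = (Get-Date).AddMinutes(30)    # assumed timeout
do {
    Start-Sleep -Seconds 30
    $done = Get-WinEvent -FilterHashtable @{
        LogName   = 'File Replication Service'
        Id        = 13516
        StartTime = $started
    } -MaxEvents 1 -ErrorAction SilentlyContinue
} until ($done -or (Get-Date) -gt $deadline)

if ($done) {
    "SYSVOL re-initialised at $($done.TimeCreated)"
}
else {
    Write-Warning 'No event 13516 yet; check the File Replication Service log.'
}
```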
NW 6.5.8 CIFS access from Server 2012 R2 (domain auth)
Need to access (without installing client) NW 6.5.8 server from Server 2012 R2.
Up to Server 2008 R2 Domain authentication works perfectly fine, on 2012 R2 I managed to get it working a couple of times, never again. Reverting to eDir authentication with SMB Signature disabled works (can access shares fine)
Is that a known issue? (not that I would expect any fix for an obsolete OS)
Seb
-
Bind Mavericks to Windows Server 2012 R2 domain
I have a Windows 2012 R2 domain controller (only one in the domain) with the forest and domain in native (not mixed) mode.
I am trying to bind a Mavericks Macbook Pro to the domain.
I have checked that I can ping the domain and domain controller by name and IP address.
I have set the NTP on the Macbook to use the domain controller as the time source.
I even set the "Prefer this domain server" to the domain controller.
When I attempt to bind the Macbook, I get the time-tested message of "Authentication server could not be contacted."
Any suggestions? Something about Windows Server 2012 R2 that I am missing? I admit that I am just learning Windows Server 2012 R2, so it is possible my lack of knowledge of it is adding to the problem.
Thank you in advance!
I have 3 Server 2012 DCs here on my network. No issues binding Macs to the DC. I haven't had the time to roll out R2 DCs yet, but will be doing so shortly as I am now done with some other upgrades. I would roll out one right now so I can test this for you, but don't have the time...sorry man.
One of the most important things with AD is DNS. 1 of my 3 ADs is my DNS and DHCP server. I have not had to mess with any special settings, just let my Mac get its IP from the DC and then bind away. Are your windows machines (if you have any) on the same LAN able to bind? Also make sure the account you are logged into the mac with is an Admin on the local mac.
Remove all the custom info you put in, keep it simple, I have never had to fill in any of those details, and make sure you use the FQDN of your DC (host.domain.com). Once you put in the FQDN, does the utility recognize the Domain and then ask for the AD admin credentials? If yes, then that's a good sign.
Let me know if it's still not working. Also make sure you are using the correct login and password, the admin of your DC.
Is your DC virtual or Physical? Do you have the firewall enabled on your DC? Are you using wireless or wired?
I'm sure you will get this... S12R2 is really sweet, all my Hyper-V hosts are S12R2. -
Currently I am using Windows Time Server (NTP), not any third party software. I need to use the Windows time server in Cisco devices. My network admin team is asking me to share the key. This key can only be created by a third party NTP server.
But how can I map the Windows time server in Cisco devices?
There are a few things you will have to check within Windows Server.
This document will work on server as well
http://support.microsoft.com/kb/314054/en-us
Here are the registry keys you should change on the Domain Controller
Depending on your Windows version, there are some registry settings you need to set:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NTPServer\Enabled
Changing the ‘Enabled’ flag to the value 1 enables the NTP Server.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
Change the server type to NTP by specifying ‘NTP’ in the ‘Type’ registry entry.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
Set the ‘Announce Flags’ registry entry to 5, to indicate a reliable time source.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\LocalClockDispersion
Set 'LocalClockDispersion' to 0
The last one is most important one.
After changing registry, you need to restart "Windows Time" service.
http://www.arabitpro.com
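A check of the four registry values listed in the reply above, reporting what is currently set and changing only the entries that differ when -Fix is given. This is an added example, not part of the original reply; the function name Test-NtpServerConfig is hypothetical, and it assumes an elevated Windows PowerShell session on the server.

```powershell
# Added illustration; run elevated on the server that will hand out time.
function Test-NtpServerConfig {
    param([switch]$Fix)   # without -Fix the function only reports

    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
    # Values exactly as listed in the reply.
    $expected = @(
        @{ Key = "$base\TimeProviders\NtpServer"; Name = 'Enabled';              Value = 1;     Kind = 'DWord'  }
        @{ Key = "$base\Parameters";              Name = 'Type';                 Value = 'NTP'; Kind = 'String' }
        @{ Key = "$base\Config";                  Name = 'AnnounceFlags';        Value = 5;     Kind = 'DWord'  }
        @{ Key = "$base\Config";                  Name = 'LocalClockDispersion'; Value = 0;     Kind = 'DWord'  }
    )

    $changed = $false
    $report = foreach ($e in $expected) {
        # A missing value reads back as $null, which never equals the expected value.
        $found = (Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        $ok    = ($found -eq $e.Value)
        $fixed = [bool](-not $ok -and $Fix)
        if ($fixed) {
            Set-ItemProperty -Path $e.Key -Name $e.Name -Value $e.Value -Type $e.Kind
            $changed = $true
        }
        [pscustomobject]@{
            Name      = $e.Name
            Expected  = $e.Value
            Found     = $found
            Compliant = $ok
            Fixed     = $fixed
        }
    }

    # The reply's last step: restart the Windows Time service after a change.
    if ($changed) { Restart-Service -Name w32time }
    $report
}

# Report only; run Test-NtpServerConfig -Fix to apply the values.
Test-NtpServerConfig | Format-Table -AutoSize
```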