Windows 2008 R2 Domain Controller (PDC) - NTP server - time showing local CMOS clock
I'm having issues setting an external source on a Windows 2008 R2 domain controller (PDC emulator role for the domain)
Here is the output showing its source is the Local CMOS clock.
C:\Windows\System32>w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 1 (primary reference - syncd by radio clock)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0000000s
Root Dispersion: 10.0000000s
ReferenceId: 0x4C4F434C (source name: "LOCL")
Last Successful Sync Time: 06/11/2014 15:44:15
Source: Local CMOS Clock
Poll Interval: 6 (64s)
1) I have performed the following on the DC with the PDC role:
net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org"
w32tm /config /reliable:yes
net start w32time
w32tm /query /configuration
[Configuration]
EventLogFlags: 2 (Local)
AnnounceFlags: 5 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)
FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)
[TimeProviders]
NtpClient (Local)
DllName: C:\Windows\System32\w32time.DLL (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NTP (Local)
NtpServer: 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org (Local)
NtpServer (Local)
DllName: C:\Windows\System32\w32time.DLL (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)
VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
But still showing the output:
C:\Windows\System32>w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 1 (primary reference - syncd by radio clock)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0000000s
Root Dispersion: 10.0000000s
ReferenceId: 0x4C4F434C (source name: "LOCL")
Last Successful Sync Time: 06/11/2014 15:58:45
Source: Local CMOS Clock
Poll Interval: 6 (64s)
2. If I resync and rediscover the following error appears:
w32tm /resync /rediscover
Sending resync command to local computer
The computer did not resync because no time data was available.
3. I've also clearing the current time config, by
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
But no change, it still shows the Local CMOS clock.
4. This event is showing
Log Name: System
Source: Microsoft-Windows-Time-Service
Date: 06/11/2014 15:43:30
Event ID: 12
Task Category: None
Level: Warning
Keywords:
User: LOCAL SERVICE
Computer: domaincontroller1
Description:
Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source.
It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy.
If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Time-Service" Guid="{06EDCFEB-0FD0-4E53-ACCA-A6F8BBF81BCB}" />
<EventID>12</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2014-11-06T15:43:30.465619200Z" />
<EventRecordID>77295</EventRecordID>
<Correlation />
<Execution ProcessID="256" ThreadID="2056" />
<Channel>System</Channel>
<Computer>domaincontroller1</Computer>
<Security UserID="SID" />
</System>
<EventData Name="TMP_EVENT_DOMAIN_HIERARCHY_ROOT">
</EventData>
</Event>
5. If I perform the below it appears DC2 is having problems but I'm not sure if related.
C:\w32tm /monitor
DC1.domain.local *** PDC ***[192.168.1.1:123]:
ICMP: 0ms delay
NTP: +0.0000000s offset from DC1.domain.local
RefID: 'LOCL' [0x4C434F4C]
Stratum: 1
DC2.domain.local[192.168.1.2:123]:
ICMP: 0ms delay
NTP: -110.4925481s offset from DC1.domain.local
RefID: (unspecified / unsynchronized) [0x00000000]
Stratum: 0
DC3.domain.local[192.168.2.1:123]:
ICMP: 0ms delay
NTP: -0.0256084s offset from DC1.domain.local
RefID: DC1.domain.local [192.168.1.1]
Stratum: 2
DC4.domain.local[192.168.2.4:123]:
ICMP: 0ms delay
NTP: -0.0011524s offset from DC1.domain.local
RefID: 80.84.77.86.rev.sfr.net [86.77.84.80]
Stratum: 2
Warning:
Reverse name resolution is best effort. It may not be
correct since RefID field in time packets differs across
NTP implementations and may not be using IP addresses.
Any help would be much appreciated. Thanks.
Craig Brand
I suspected some issue with AV so uninstalled.
To resolve the Access Denied I followed these steps:
stop w32time
w32tm /unregister
reboot
regsvr32 /u w32time.dll
w32tm /register
sc query w32time -- you should see that the service is set to
shared mode -- this is presumably how it should be -- if you try to start right now, you'll get the expected 1290 SID-related error
reboot
w32time should now automatically start at boot up and be running -- that was my result -- it's running as shared, started on its own, and I can do the w32tm /query commands successfully
After rebooting the time service started.
I then repeated the steps:
net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org"
w32tm /config /reliable:yes
net start w32time
w32tm /query /configuration
And all worked. I'll wait a short while to see if this fixes the issue. I also have am SA case with MS so will confirm fix when resolved.
Craig Brand
Similar Messages
-
How to reset Windows 2008 R2 Domain Controller "Administrator" password?
Hello Everyone,
I have lost Administrator password for the following system:
Windows 2008 R2
Domain Controller setup on same machine
Stand alone server - no workstations or other servers invovled
I still have the "Directory Service Restore Password" but I don't think that helps me for lost Administrator password. I beleive I need to boot from an .iso file to gain access. I already tried "Offline NT Password & Registery Editor" and it has set
Administrator password to (blank) but that is not allowing me access as it seems that I have to login to domain controller Administrator. So, how can I reset that password?
ThanksIt wasn't difficult to reset the domain password and I think Microsoft's policy of not providing an easy forward way is to create an
illusion of security which is not there. Linux systems that are much more secure that MSFT software allow easy password reset when physical access is there so why not include the same tools in System Repair tools or using F8?
Anyhow, this guide helped me reset the password in 5 minutes. Read the bottom of it to find the scripted / automatic version of the process:
http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm
Thanks, -
2008 R2 Domain Controller PDC Emulator for SP1 upgrade
So my PDC is 2008 R2 and need to bring it up to SP1. Does anyone think I need to move that role to another server before upgrading it or upgrade it in place?
Simply install SP1. No need to move anything.
Of course, it is recommended to take a system state backup of your DC before proceeding.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile
And what if it did eventually fail? Wouldnt it be easier just to clean out the dc, rebuild it and let the other one take care of the domain?
Best Regards,
Jesper Vindum, Denmark
Systems Administrator
Help the forum: Monitor(alert) your threads and vote helpful replies or mark them as answer, if it helps solving your problem.
Either you restore it from backup or you simply seize its FSMO roles to another DC, do a metadata cleanup and then re-install the server and promote it again.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile -
Dear All,
We recently gave permissions to group of level 1 staff to unlock OR reset password of users. In case user calls and report his account is locked OR if his password expires.
I want to track by auditing just in case something goes wrong, I can check in auditing. I have created a new GPO and select success/failure for Computer Config > Windows Settings > Security Settings > Local Policies > Audit Policy "Audi
Account Management"
applied it on domain top level and I did not changed settings of 'default Domain Policy' which is also linked on top level of domain.
But after applying this I am unable to see any event 4724 of password re-set when I attempted to test this GPO. What else is required to be done in order to trace users in group 'level1' if they change any body password.
Please assist.
thank youHello,
Total two DC's in our environment. But now I figured out and it is working now. It was supposed to set in Advanced audit policy > User account management, I enabled it for success and failure and my newly created GPO is applied on domian top in addition
to default domain policy.
I am able to see unlock events, password change events in my security log. So, it is working.
Thank you,
Wajeeh -
Domain Controller - Time Syncing with CMOS Clock
Hello!
We have a DC that is syncing time from "local CMOS clock." This DC is a VM (hyper V). Integration services has "time sync" turned off.
I've attempted syncing the DC to an external time source per http://www.thirdtier.net/2011/02/how-to-set-an-ntp-time-server-in-windows-2008-sbs-2008-and-sbs-2011/ and the issue persists.
Also of note - I've attempted syncing the VMHOST to an external source as well, and it is only syncing with CMOS clock
w32tm /config /manualpeerlist:"time.windows.com" /syncfromflags:manual /reliable:yes /update
- results>
I manually restarted Windows Time service, still syncing to CMOS
w32tm /resync /rediscover
- results>
the computer did not resync because no time data was available
w32tm /stripchart /computer:time.windows.com /samples:5 /dataonly
- results>
Tracking time.windows.com [65.55.56.206:123].
Collecting 5 samples.
The current time is 4/14/2014 12:34:41 PM.
12:34:41, -16.0686354s
12:34:43, error: 0x800705B4
12:34:46, -16.0885249s
12:34:48, -16.0981303s
12:34:50, -16.0785199s
w32tm /monitor
- results>
EVEREST.COMPANYNAME.local[192.168.45.34:123]:
ICMP: 0ms delay
NTP: +17.4000482s offset from COMPANYNAME-DC1.COMPANYNAME.local
RefID: 'LOCL' [0x4C434F4C]
Stratum: 1
COMPANYNAME-DC1.COMPANYNAME.local *** PDC ***[192.168.45.31:123]:
ICMP: 0ms delay
NTP: +0.0000000s offset from COMPANYNAME-DC1.COMPANYNAME.local
RefID: 'LOCL' [0x4C434F4C]
Stratum: 1
COMPANYNAME-MGMT.COMPANYNAME.local[192.168.45.33:123]:
ICMP: error IP_REQ_TIMED_OUT - no response in 1000ms
NTP: error ERROR_TIMEOUT - no response from server in 1000ms
COMPANYNAME-DS1.COMPANYNAME.local[192.168.45.32:123]:
ICMP: 0ms delay
NTP: +14.7149589s offset from COMPANYNAME-DC1.COMPANYNAME.local
RefID: 80.84.77.86.rev.sfr.net [86.77.84.80]
Stratum: 2
EVEREST.COMPANYNAME.local = 2k3 box
COMPANYNAME-MGMT.COMPANYNAME.local = old DC improperly removed from domain (aka was just deleted from Hyper V by another technician...)
COMPANYNAME-DC1.COMPANYNAME.local = primary "main" DC, 2k8
COMPANYNAME-DS1.COMPANYNAME.local = backup DC, 2k8
I can provide whatever other info that may prove useful. I've looked @ other posts RE: this issue and feel like I might be missing something obvious, but I am at a loss.
Thank you!Hi,
Is UDP 123 open on the machine? I suggest you try to disable firewall to see if it works.
More information for you:
Can't get NTP time working on SErver 2008 R2 DC
http://social.technet.microsoft.com/Forums/windowsserver/en-US/e5e26e4f-1988-4ec1-8837-6d1d503130e7/cant-get-ntp-time-working-on-server-2008-r2-dc?forum=windowsserver2008r2general
Configuring the Windows Time Service for Windows Server
http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx
Error message when you run the "w32tm /resync" command to synchronize Windows Server 2003 or Windows SBS to an external time source: "The computer did not resync because no time data
was available"
http://support.microsoft.com/kb/929276
Time synchronization is not performed even though the W32Time service is successfully started in Windows Server 2008 or in Windows Server 2008 R2
http://support.microsoft.com/kb/2493006
Best Regards,
Amy -
Can we run domain controller windows 2008 32 bit and additional domain controller on 2003 server
im my environment we are trying to upgrade from server 2k3 to 2k8, out testing done on server 2k3 to 2k8, but can we run domain controller windows 2008 32 bit and additional domain controller on 2003 server ...kindly suggest
Nitin Gaurav
[email protected]Yes you can. If you have two 2003 AD servers currently and upgrade one of them to 2008 AD then they'll continue to be able to work together. The domains functional level will remain as 2003 across both servers so at this stage you won't get any benefit from
the new AD functionality available in 2008.
Once you've then upgraded the second 2003 server to 2008 you can then upgrade the functionality levels in AD to make it 2008. It's been a while, but I believe it doesn't happen automatically, so once all AD servers have been upgraded you have to go into
AD and upgrade the functionality levels yourself. -
Windows Server 2008 R2 Domain Controller NOT logging EventID 4740
EventID 4740 (account lockout) is not being logged to the event viewer. When searching through the security log there are none to be found. Having accounts locked out and no logging is driving me nuts. Hope someone has run into this before. This is what
i have checked thus far.
>Windows Server 2008 R2 Domain Controller
>Verified the following GPO settings are set and correct:
>Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\ all are set for Success & Failure
>Computer Configuration\Windows Settings\Security Settings\Advanced Audit Configuration\Logon/Logoff) is set for Success and Failure
>Powershell command Get-Eventlog -log Security -InstanceId 4740 returns no results which makes sense since there are no entries in the security log file.
>No 4740 entries in the netlogon.log debug file
AD and the LockoutStatus tool show the account is locked out but i still have nothing in the logs.
Anyone have any ideas? From everything i can find online , it appears i have everything set properly.
Thanks, ChicoHi Chico,
I suggest you try to enable this group policy below:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management
More information for you:
Missing 4740 EventID's
http://social.technet.microsoft.com/Forums/windowsserver/en-US/c9871d72-7439-46b5-98e6-a7fadfa6ff28/missing-4740-eventids?forum=winserversecurity
If you have multiple Domain Controllers, check this event on other DCs, too.
Please feel free to let us know if there are any further requirements.
Best Regards,
Amy Wang -
W32tm always on "Local CMOS clock" on virtual domain controller - cannot change to NTP server
The domain controller (Server 2012R2) is hosted on Hyper-V (Server 2012R2). It is a PDC.
- firewall disabled
- cleaned up w32tm:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
- applied ifixit from http://support.microsoft.com/kb/816042 to enable external ntp server de.pool.ntp.org
- disabled
VMICTimeProvider in registry
(HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider\Enabled = 0)
I can manually query the ntp server de.pool.ntp.org:
w32tm /stripchart /computer:de.pool.ntp.org /samples:5 /dataonly
de.pool.ntp.org wird verfolgt [131.188.3.221:123].
5 Proben werden gesammelt.
Es ist 24.04.2014 10:07:36.
10:07:36, +00.0115379s
10:07:38, -00.0025048s
10:07:40, -00.0008595s
10:07:42, -00.0010477s
10:07:44, -00.0014516s
But still, w32tm does NOT query the ntp server:
PS C:\Windows\system32> w32tm /query /source
Local CMOS clock
roschHi rosch,
Based on your description, please check if disable the "Time synchronization" Integration service. Please refer
to the following operation.
In Hyper-V Manager, right click the DC and select “Settings…”.
In the left panel of Settings, navigate to Integration Services and click it.
Then in the right panel, please uncheck Time synchronization.
By the way, please check if can connect to the time server and UDP port was opened for NTP.
If any update, please feel free to let me know.
Hope this helps.
Best regards,
Justin Gu -
I have configured the Default Domain Controller's policy to log SUCCESS for Account Logon Events in the Server 2008 R2 Domain Controller, but these events are not logging in the Security Event log.
Default Domain Controllers Policy
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policies/Audit Account Logon Events = Success.
What tools can I use to troubleshoot this further? The results of "Auditpol.exe /get /category:*" are below.
System audit policy
Category/Subcategory Setting
System
Security System Extension No Auditing
System Integrity No Auditing
IPsec Driver No Auditing
Other System Events No Auditing
Security State Change No Auditing
Logon/Logoff
Logon No Auditing
Logoff No Auditing
Account Lockout No Auditing
IPsec Main Mode No Auditing
IPsec Quick Mode No Auditing
IPsec Extended Mode No Auditing
Special Logon No Auditing
Other Logon/Logoff Events No Auditing
Network Policy Server No Auditing
Object Access
File System No Auditing
Registry No Auditing
Kernel Object No Auditing
SAM No Auditing
Certification Services No Auditing
Application Generated No Auditing
Handle Manipulation No Auditing
File Share No Auditing
Filtering Platform Packet Drop No Auditing
Filtering Platform Connection No Auditing
Other Object Access Events No Auditing
Detailed File Share No Auditing
Privilege Use
Sensitive Privilege Use No Auditing
Non Sensitive Privilege Use No Auditing
Other Privilege Use Events No Auditing
Detailed Tracking
Process Termination No Auditing
DPAPI Activity No Auditing
RPC Events No Auditing
Process Creation No Auditing
Policy Change
Audit Policy Change No Auditing
Authentication Policy Change No Auditing
Authorization Policy Change No Auditing
MPSSVC Rule-Level Policy Change No Auditing
Filtering Platform Policy Change No Auditing
Other Policy Change Events No Auditing
Account Management
User Account Management No Auditing
Computer Account Management No Auditing
Security Group Management No Auditing
Distribution Group Management No Auditing
Application Group Management No Auditing
Other Account Management Events No Auditing
DS Access
Directory Service Changes No Auditing
Directory Service Replication No Auditing
Detailed Directory Service Replication No Auditing
Directory Service Access No Auditing
Account Logon
Kerberos Service Ticket Operations No Auditing
Other Account Logon Events No Auditing
Kerberos Authentication Service No Auditing
Credential Validation SuccessHi Lawrence,
After configuring the GPO, did we run command gpupdate/force to update the policy immediately on domain controller? Besides, please run command gpresult/h c:\gpreport.html to check if the audit policy
setting was applied successfully.
TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Best regards,
Frank Shen -
I current have a two server domain, both Windows 2008 R2 and fully updated. The two servers are on subnet 10.0.1.0 /24
- Windows 2008 R2 Server A: 10.0.1.1 (DC, GC, FSMO, DNS)
- Windows 2008 R2 Server B: 10.0.1.2 (DC, GC)
AD Domain: COMPANY.LOCAL
I have a second connected subnet, 192.168.1.0 /24) which is routed to the 10.0.1.0/24 subnet and I would like to install a Windows 2012 R2 server onto a server on that subnet and make it a domain controller with AD-Integrated DNS and DHCP for the 192.168.1.0
/24 subnet.
- Windows 2012 R2 Server C: 192.168.1.1
What are the proper progression steps, in order to bring up the Windows 2012 R2 server and then add it to my COMPANY.LOCAL domain and then promote it do a DC/GC/AD-Integrated DNS server? Are they anything like the following:
1. Install Windows 2012 R2 server (Server C)
2. Point Windows 2012 R2 server DNS servers at Server's A and B
3. Perform AD prep to extend AD schema to support Windows 2012 R2 domain controllers
4. Promote Windows 2012 R2 server to domain controller (install local DNS service on Server C, during this step)
* Question: Will Windows automatically create a DNS zone for the Windows 2012 R2 subnet (192.168.1.0/24) AND also include the DNS zone from the previous Windows 2008 R2 domain (10.0.1.0 /24)? Or will I need to add the 10.0.1.0 /24 zone to the DNS
server on Server C, even though the DNS from the Windows 2008 R2 domain is AD integrated?Hi,
Regarding the issue here, please take a look into below articles:
System Requirements and Installation Information for Windows Server 2012 R2
http://technet.microsoft.com/en-us/library/dn303418.aspx
Release Notes: Important Issues in Windows Server 2012 R2
http://technet.microsoft.com/en-us/library/dn387077.aspx
Install a Replica Windows Server 2012 Domain Controller in an Existing Domain (Level 200)
http://technet.microsoft.com/en-us/library/jj574134.aspx
Here is an example for promoting Windows Server 2012 to a DC, see:
Step-by-Step Guide for Setting Up A Windows Server 2012 Domain Controller
http://social.technet.microsoft.com/wiki/contents/articles/12370.step-by-step-guide-for-setting-up-a-windows-server-2012-domain-controller.aspx
As the server is promoted to a DC, DNS Zones will be replicated and synchronized to it automatically whenever the new one is added to an AD DS domain, bascially there is no special need to add zones, for more information, please see:
Understanding Active Directory Domain Services Integration
http://technet.microsoft.com/en-us/library/cc726034.aspx
Hope this may help
Best regards
Michael
If you have any feedback on our support, please click
here.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. -
Hi,
What is the proper way to demote a Windows 2003 Domain Controller running SQL Server 2008 WorkGroup Edition?
I will be migrating AD from Win 2003 to 2012....
Thanks in advanced.Running SQL on a domain controller is highly not recommended for performance reasons and for complexities it introduces in the management of both systems (You are already facing this situation now).
I would recommend proceeding like the following before demoting your domain controller:
Install a new SQL server on a member server
Migrate your databases to the new SQL server
Once done, you can safely demote your DC.
More if you ask them here: http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?category=sqlserver
This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Get Active Directory User Last Logon
Create an Active Directory test domain similar to the production one
Management of test accounts in an Active Directory production domain - Part I
Management of test accounts in an Active Directory production domain - Part II
Management of test accounts in an Active Directory production domain - Part III
Reset Active Directory user password -
Hi,
I have Windows Server 2008 Enterprise and have
2 Domain Controllers in my Company:
Primary Domain Controller (PDC)
Additional Domain Controller (ADC)
My (PDC) was down due to Hardware failure, but somehow I got a chance to get it up and transferred
(5) FSMO Roles from (PDC) to (ADC).
Now my (PDC) is rectified and UP with same configurations and settings. (I did not install new OS or Domain Controller in existing PDC Server).
Finally I want it to move back the (FSMO Roles) from
(ADC) to (PDC) to get UP and operational my (PDC) as Primary.
(Before Disaster my PDC had 5 FSMO Roles).
Here I want to know the best practice and Microsoft best recommended procedure for the placement of “FSMO Roles both on (PDC) and (ADC)” ?
In case if Primary (DC) fails then automatically other Additional (DC) should take care without any problem in live environment.
Example like (FSMO Roles Distribution between both Servers) should be……. ???
Primary Domain Controller (PDC) Should contains:????
Schema Master
Domain Naming Master
Additional Domain Controller (ADC) Should contains:????
RID
PDC Emulator
Infrastructure Master
Please let me know the best practice and Microsoft best recommended procedure for the placement of “FSMO Roles.
I will be waiting for your valuable comments.
Regards,
Muhammad DaudHere I want to know the best practice
and Microsoft best recommended procedure for the placement of “FSMO Roles both on (PDC) and (ADC)” ?
There is a good article I would like to share with you:http://oreilly.com/pub/a/windows/2004/06/15/fsmo.html
For me, I do not really see a need to have FSMO roles on multiple servers in your case. I would recommend making it simple and have a single DC holding all the FSMO roles.
In case if
Primary (DC) fails then automatically other Additional (DC) should take care without any problem in live environment.
No. This is not true. Each FSMO role is unique and if a DC fails, FSMO roles will not be automatically transferred.
There is two approaches that can be followed when an FSMO roles holder is down:
If the DC can be recovered quickly then I would recommend taking no action
If the DC will be down for a long time or cannot be recovered then I would recommend that you size FSMO roles and do a metadata cleanup
Attention! For (2) the old FSMO holder should never be up and online again if the FSMO roles were sized. Otherwise, your AD may be facing huge impacts and side effects.
This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Get Active Directory User Last Logon
Create an Active Directory test domain similar to the production one
Management of test accounts in an Active Directory production domain - Part I
Management of test accounts in an Active Directory production domain - Part II
Management of test accounts in an Active Directory production domain - Part III
Reset Active Directory user password -
Hi
Anyone knows whether Windows 2008 R2 domain controllers with Windows 2003 forest functional level will still be Supported after Windows 2003 support ends in July 2015 ?
ThanksWhen Windows Server 2003 support ends, you should not have a Windows Server 2003 Domain Controller running if you would like to be supported by Microsoft. This means that there will be no reason to have a DFL or FFL that is lower than Windows Server 2008.
So, if you are keeping Windows Server 2003 FFL to keep DCs running Windows Server 2003 then this is not supported.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile -
RAC on windows 2000 with domain controller
Guys,
I need advise on the following implementation.
We have 2 IBM Xseries 365 Servers , 1 FastT600 Storage Windows 2000 Advanced Server, Oracle 9i, Oracle RAC
We have plan of integrating 2 servers in Windows 2000 Cluster, one server would act as Domain Controller and second will act as Additional Domain Controller in the MS Cluster. We would be installing Oracle 9i Enterprise s/w on each one of these server's internal disks and datafiles on shared storage ( FastT600 ).. We would need to install Oracle RAC as well. As per Oracle recommandation, the cluster nodes shouldn't act as Domain controller. We didn't find any logical and techinical answer for this recommandation. Can anyone guide me as why is it so? and any issue may arise if we don't have separate doamin controller?
Is it really required to have separate Domain controller ?
Early replies would be appretiated..
Thanks & Regards,
SamHello hanspjacobsen,
1. According to the subjects System Requrements - Windows 2008 R2 Domain Controllers do support
Windows 8.1/2012 R2 admx deployment with some limitations regarding down-level server version of course. So yes - you can download and use it. Doubtfully the GPO presence in AD could
harm Exchange in any way.
2. With the course of updates for Exchange 2010 and Windows Server - I'm pretty sure we can expect Exchange 2010 supporting W2012 R2 DCs with close upcoming updates. So the full interoperability for those two is just a matter of little time.
▲ Vote if Helpful / Mark if Answer
MCSE: Messaging 2013 Charter / Private Cloud / Server Infrastructure
MaximumExchange.ru -
How to Reset Windows 2008/R2 Domain Administrator Password
How to Reset Windows Server 2008/R2 Domain Administrator password if forgot or lost it?
It is annoying and bad to forget a Windows Server 2008/r2 Domain administrator login password. It is troublesome unless you have that Windows Server 2008/r2 password reset disk. We can still find several tricks to reset Windows Server Domain password but they require a mass of operations and waste a lot of time. For example, you can reset Windows Server 2008/R2 domain administrator password with an installation disk but it requires you to type a mass of command line. So today I want to share everyone an omnipotent method to reset Windows Server 2008/R2 Domain/local administrator password. You need the following 3 things.
An accessible PC.
A USB/CD/DVD flash drive.
The Windows password reset tool Daossoft Windows Password Rescuer.
Then it requires 4 steps as below:
Step 1: Download and install Daossoft Windows Password Rescuer into that accessible computer.
Step 2: Burn it to the flash drive.
Step 3: Boot your Windows Server computer from the flash drive.
Step 4: Follow its instruction and click “Reset Password” button to reset your Windows 2008/R2 Domain/Local administrator password.
More details in this video: Windows Server 2008 R2 Password Reset - Reset Domain or Local Password.It wasn't difficult to reset the domain password and I think Microsoft's policy of not providing an easy forward way is to create an
illusion of security which is not there. Linux systems that are much more secure that MSFT software allow easy password reset when physical access is there so why not include the same tools in System Repair tools or using F8?
Anyhow, this guide helped me reset the password in 5 minutes. Read the bottom of it to find the scripted / automatic version of the process:
http://www.petri.co.il/reset_domain_admin_password_in_windows_server_2003_ad.htm
Thanks,
Maybe you are looking for
-
If 3 Real servers in a non-load balancing environmet are setting session cookies with diffrenet cookie names e.g. server1 response set-Cookie: SESSIDSAAAAAA=DMNNNELCECNCKDIIDCPOIMGG Server2 response set-Cookie: SESSIDSBBBBBB=DAAMMNELCECNCKPYTWPOIPOP
-
IPad Playlist Problem with Movies
On my iPhone, I was able to setup a playlist of movies and videos so that they would play continually based on my list or in shuffle. On my iPad, after playing the first video, the iPad reverts to the Video application and stops. I then have to manua
-
Character Mode Reports On Winxp/2000
I am developer character mode report in oracle developer 6i. when i am running it on winxp or win2000 then its om in preview but it takes double space while printing. Please send me any sample character mode on scott schema which can't take double sp
-
Can you call external code from XE?
Hi, I have an application that uses external code, called via extproc. During a standard Oracle installation, I need to modify the listener configuration to allow it to do so. This is done by modifying listener.ora like follows: SID_LIST_LISTENER = (
-
RMI server object getting garbage collected
Hi all, I have seen a number of posts regarding the ConnectException and found that this can occur in a number of situations. I am having a problem here. I am having an RMI server that is always up and running. And the server object gets requests fro