Windows Time Configuration - 2 Domain Controllers
I have 2 Domain Controllers. One is 2012 and the other is 2003. I recently added the 2012 server and configured it to be the authoritative time server by following this article...
https://support.microsoft.com/kb/816042
I see events on some clients that indicate they got their time from the older 2003 server. Should both DCs be configured this way or do I need to do something on the 2003 server so it is no longer authoritative?
Dang it, I knew I left something out! Thanks for reminding me.
On the 2003 server check HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters.
If the Type key is NT5DS then it should be adhering to the default hierarchy, i.e. pulling time from the PDCE.
If instead it reads "NTP" then the 2003 DC still thinks it is authoritative. You can manually change it back to NT5DS and restart the Windows Time service.
Another option is to run "w32tm /query /source" on the 2003 system to see what it is using as the current time source.
If the time source is not the PDCE, you can run the commands from the following technet:
http://technet.microsoft.com/en-us/library/cc738042(v=ws.10)
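The check and the two fixes described in the replies above, as an added example (not code from the thread): it reads the same Parameters\Type value, asks w32tm for the current source, and then either returns a non-PDCe DC to the domain hierarchy or points the PDCe at external NTP. The PDCe lookup uses System.DirectoryServices so it runs on PowerShell 2.0 as well; the NTP peer names are placeholders.

```powershell
# Added example, not part of the thread. Run in an elevated prompt on the DC you are checking.
# Assumptions: the ntp1/ntp2 peers below are placeholders; everything else is a documented
# W32Time location or switch.

$pdc    = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
$isPdce = (($pdc -split '\.')[0] -ieq $env:COMPUTERNAME)

# Type under ...\W32Time\Parameters is what the reply tells you to look at:
#   NT5DS = follow the domain hierarchy (every DC except the PDCe should read this)
#   NTP   = manual peer list, i.e. this DC believes it is authoritative
$params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$type   = $params.Type

# 'w32tm /query' exists on Server 2008 and later; on 2003 it is not available, so the
# registry value is the only reliable indicator there.
$out    = & w32tm /query /source 2>&1
$source = if ($LASTEXITCODE -eq 0) { ($out -join ' ').Trim() }
          else { '(w32tm /query not available on this OS; rely on Type)' }

"Computer : $env:COMPUTERNAME"
"PDCe     : $pdc"
"Type     : $type"
"Source   : $source"

if (-not $isPdce -and $type -ieq 'NTP') {
    # The situation in the question: the old DC is still a manual NTP client and keeps
    # handing its own clock to members instead of deferring to the PDCe.
    Write-Warning 'Non-PDCe DC is Type=NTP; switching it back to the domain hierarchy.'
    w32tm /config /syncfromflags:domhier /update
    Restart-Service w32time
    w32tm /resync /nowait
}
elseif ($isPdce -and $type -ieq 'NT5DS') {
    # The PDCe is the top of the hierarchy; with NT5DS it has nothing above it to follow
    # and ends up on 'Local CMOS Clock'.
    Write-Warning 'PDCe is using the domain hierarchy; pointing it at an external NTP source.'
    # 0x8 = client mode. Replace the placeholder peers with sources you control or trust.
    w32tm /config /manualpeerlist:"ntp1.example.net,0x8 ntp2.example.net,0x8" /syncfromflags:manual /reliable:yes /update
    Restart-Service w32time
    w32tm /resync /rediscover
}
else {
    'W32Time configuration is consistent with the role this DC holds.'
}
```

Run it on every DC, not only the one you suspect: the clients in the question chose the 2003 DC because any DC will answer time requests, so a single DC left on a manual peer list is enough to split the domain into two clocks.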
Similar Messages
-
Windows 2012 R2 default domain controllers policy set to enforced
Hi Guys,
So I've migrated my domain from Windows 2003 R2 over to Windows 2012 R2 and so far everything is running OK. Had a few problems relating to orphaned DCs but have cleared this up now. However, I'm now trying to get to grips with using group policy. When I migrated, the old policy settings seemed to have come across and things seem to be still locked down OK, in relation to certain OUs. I run a network at our local college so I have a student container which applies a lock-down policy. All these GPOs were previously set up by someone else.
I set up a test network at home before I did the said migration and am now comparing some group policy settings, namely the default ones, and I have noticed that the Default Domain Controllers Policy has been set to enforced on my newly migrated domain. At home on my test server I see it is not enforced by default and am wondering why this is? I have been reading up but I can't find anything that tells me it should be enforced but am wary to disable this setting. The students return on Monday so I don't want to mess it up at this stage.
One thing that I did find odd is when I first opened up the GPOs, I was prompted with a message which stated that the policies in the SYSVOL folder were not consistent with the ones in AD so I followed its recommendation to update.
Any advice you guys have on this would be greatly appreciated.
David
> So I've migrated my domain from Windows 2003 R2 over to Windows 2012 R2
> and so far everything is running ok.
This does NOT touch any GPOs, so your GPOs are not "migrated" or
something like that - they are still what they were before.
> enforced on my newly migrated domain. At home on my test server i see it
> is not enforced by default and am wondering why this is?
"A severe misunderstanding of how group policy inheritance and link order
works" is the closest reason I see for this. The DDCP is linked to
"Domain Controllers", and as long as you do not create subordinate OUs
there (which I've never seen) and block inheritance on them, there's no
reason to enforce.
To add my experience from the field: When I see enforced GPOs, in most
cases this enforcement is not required. People simply use it because
they do not understand "link order".
> One thing that I did find odd is when I first opened up the GPOs, I was
> prompted with a message which stated that the policies in the SYSVOL
> folder were not consistent with the ones in AD so I followed its
> recommendation to update.
That's fairly ok and nothing to hassle about.
Martin
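What "link order" and "enforced" resolve to on the Domain Controllers OU, as an added example (not from this thread and not Martin's code). It lists the effective links in precedence order, flags an enforced link that has no child OU to act on, and checks that the Default Domain Controllers Policy is still linked, since that GPO carries the DC user-rights assignments. It needs the GroupPolicy and ActiveDirectory RSAT modules; the domain name is read from AD and nothing else is assumed.

```powershell
# Added example, not from the thread. Needs the GroupPolicy and ActiveDirectory RSAT modules
# and an account allowed to read (and, for the commented Set-GPLink, modify) GPO links.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName          # e.g. DC=contoso,DC=local
$dcOu     = "OU=Domain Controllers,$domainDn"

# What a DC actually applies: domain-level links plus the OU's own links, in precedence
# order. A lower Order wins when two GPOs set the same value, unless a link is Enforced,
# in which case it wins over any link below it (child OU) regardless of order or blocking.
$inh = Get-GPInheritance -Target $dcOu
"Inheritance blocked on '$dcOu': $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize

# Enforced on the DC OU only changes behaviour if there is a container *below* it that
# blocks inheritance or links a conflicting GPO. Normally there is none.
$children = Get-ADOrganizationalUnit -SearchBase $dcOu -SearchScope OneLevel -Filter *
foreach ($link in ($inh.GpoLinks | Where-Object { $_.Enforced })) {
    if (-not $children) {
        $msg = "'{0}' is enforced on the Domain Controllers OU, but the OU has no child OUs; " +
               "enforcement has no effect here and only hides link-order mistakes." -f $link.DisplayName
        Write-Warning $msg
        # Clearing the flag once you have confirmed nothing depends on it:
        # Set-GPLink -Name $link.DisplayName -Target $dcOu -Enforced No
    }
    else {
        "'$($link.DisplayName)' is enforced and will override links on: $($children.DistinguishedName -join ', ')"
    }
}

# The Default Domain Controllers Policy holds the DC user-rights assignments (log on as a
# service, access this computer from the network, ...). Make sure it is still linked and on.
$ddcp = $inh.GpoLinks | Where-Object { $_.DisplayName -eq 'Default Domain Controllers Policy' }
if (-not $ddcp -or -not $ddcp.Enabled) {
    Write-Warning 'Default Domain Controllers Policy is not linked or not enabled on the DC OU.'
}
```

Compare the output on the migrated domain with the home test domain: if the only difference is the Enforced flag and the DC OU has no children, the flag changes nothing today and can be cleared, but do it after the students are back and you have a known-good gpresult /h report to diff against.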
-
Windows 2008 (Not R2) Domain controllers Kerberos Errors
We know the replication of the AD structure is working using repadmin /showrepl *, which I ran again this morning, and all is fine.
All 3 Domain Controllers are having Kerberos errors?
I tried to reset the Kerberos key but the problem still persists.
This is exactly what I tried yesterday; is there something I'm doing wrong?
We have 3 Domain controllers
ch-dc1-2k8 (PDC)
ch-dc2-2k8
na-dc1-2k8
1) I stopped the Kerberos Key Distribution Center service on all 3 servers and set them to manual
2) I restarted ch-dc2-2k8 and na-dc1-2k8
3) Then I did klist purge on ch-dc2-2k8 and na-dc1-2k8
4) Then on ch-dc1-2k8 (PDC) I did the
netdom resetpwd /s:ch-dc1-2k8 /ud:companyname\administrator /pd:*
5) Set Kerberos Key Distribution Center service to Automatic on ch-dc1-2k8 (PDC)
6) Restarted ch-dc1-2k8 (PDC)
7) After it restarted I logged in and let it settle for 5 Minutes
8) Then I started the kerberos service on ch-dc2-2k8 and na-dc1-2k8
Am I missing something?
Hi,
I think I have already answered this in the separate case you raised in the forum. -
Configuring group policy for user profiles in Windows Server 2012 R2 Domain
Requesting some experts advise on configuring group policy for user profiles.
We will be building new Windows Server 2012 R2 Domain Controllers (Domain of 400 users).
The settings which I am concerned:
1. Folder Redirection: Desktop, Documents, Favorites.
2. Quota for Folder Redirection - 1 GB per user.
3. Map a networked drive - 1 GB per user.
4. Roaming profile - (Will ignore if it does not suit our requirement).
The question is how the Outlook profile will be retained / automatically moved if the users move from one computer to another?
FYI, e-mails are hosted on MS Office 365 and the OST file size of a few users is more than 25 GB. So, in case a user moves from one computer to another, the entire mailbox will be downloaded via the internet. This consumes high bandwidth if more than 3-4 users shift per day.
Thanks a lot for your valuable time and efforts.
Hi,
>>The question is how the Outlook profile will be retained / automatically moved if the users move from one computer to another?
This depends on where our outlook data files are stored. If these data files are stored under
drive:\Users\<username>\AppData\Local, then these files can’t be redirected, for folder redirection can’t redirect appdata local or locallow.
However, regarding your question, we can refer to the following thread to find the solution.
Roam outlook profiles without roaming profiles
http://social.technet.microsoft.com/Forums/office/en-US/3908b8e0-8f44-4a34-8eb5-5a024df3463e/roam-outlook-profiles-without-roaming-profiles
In addition, regarding how to configure folder redirection, the following article can be referred to for more information.
Configuring Folder Redirection
http://technet.microsoft.com/library/cc786749.aspx
Hope it helps.
Best regards,
Frank Shen -
Virtual Domain Controllers in 2012 Failover Cluster. Time Skew
Hi All,
Not sure if this is the correct space for this topic, however i'll give it a go anyway.
We have a 2 Hosts (HP DL385) Windows Server 2012 Failover Cluster.
Storage is provided by a 12 Bay NAS with iSCSI connections (This is catering for CSV's and Quorum)
We are running 2 Virtual domain controllers (2008R2)
The issue we experience is that if the cluster goes down, when it comes back online the time on the domain controllers (one or the other or both) skews by anywhere up to 3 days, which causes havoc for our office until we can resync clocks with the PDCe.
Time Synchronisation Integration Service is disabled on both Domain Controllers.
A few days back we needed to reboot the storage on the cluster, and the tasks performed were as follows:
-Power off all virtual machines (Graceful Shutdown)
-Put all CSV's into maintenance mode
-Offline Disk Witness to Quorum
-Rebooted Storage (Waited until it came back online)
-Online Quorum Storage (Successful)
-Bring CSV's out of maintenance mode (Successful & Browsable)
-Power on all Virtual Machines (Successful)
This is where the time Skewed and caused headaches. The time for some reason went to 2 days 11hrs in the past on 1 domain controller.
With this DNS lookups failed to work, Cluster services failed, Cluster Aware Updating Failed, RDP to VM's (and Virtual Hosts) by DNS Name failed (Date time error)
There doesn't seem to be anything in the EventLog except for date/time stamp on events being 2 days in the past.
Now this is why i'm not sure if the issue is cause by fail over clustering, or is an issue with the domain controllers.
Any advice regarding this or if anyone has seen this behaviour before any info would be great
Thanks
Rob
Hi Rob,
Are both of these two DCs VMs on your cluster, and are there no other DCs? Microsoft recommends that files for virtualized domain controllers be placed on non-CSV disks, because non-CSV disks can be brought online without authentication and so can be brought online more easily.
For virtual machines that are configured as domain controllers, it is recommended that you disable time synchronization between the host system and the guest operating system acting as a domain controller. This enables your guest domain controller to synchronize time from the domain hierarchy; please confirm your PDC time is always correct.
The related KB:
Running Domain Controllers in Hyper-V
https://technet.microsoft.com/en-us/library/d2cae85b-41ac-497f-8cd1-5fbaa6740ffe(v=ws.10)#deployment_considerations_for_virtualized_domain_controllers
Things to consider when you host Active Directory domain controllers in virtual hosting environments
http://support.microsoft.com/kb/888794?wa=wsignin1.0
I’m glad to be of help to you!
-
Add Windows Server 2012 R2 domain controller to Windows 2008 R2 domain
Hi,
Have today 2 x Windows Server 2008 R2 domain controllers, and domain and functional level 2008 R2.
We now want to replace these DC`s with Windows Server 2012 R2.
My plan is as follow
- Install and promote a Windows Server 2012 R2 as a third DC with a temporary hostname and IP as DC3
- Install and promote a second Windows Server 2012 R2 as a fourth DC with a temporary hostname and IP as DC4
- Decommission DC1 and remove this host. Change the IP and hostname of the new DC3 to DC1
- Move FSMO roles from DC2 to DC1 and decommission DC2
- Change the IP and hostname of the new DC4 to DC2
Will this be an OK process? I will of course have the DCs replicate information between them before doing each task.
/Regards Andreas
Hi,
The only error I got running dcdiag was the following:
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=domain,DC=local
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=domain,DC=local
......................... DC1 failed test NCSecDesc
Is this a problem?
I would guess not since I'm not implementing a RODC? Ref:
https://support.microsoft.com/en-us/kb/967482?wa=wsignin1.0
You can ignore it.
Ahmed MALEK
-
Using Windows 8.1 With Older Domain Controllers
Is there any document that would specify types of incompatibility we might expect when using Windows 8.1 with older domain controllers, either Windows 2000 or Windows 2003?
I assume at minimum that these older domain controllers would not have group policies that are able to support the full security policy feature set of Windows 8.1? For such cases, how do we configure security policy on those 8.1 domain member
computers? Would we use LocalGPO.wsf to import a local security policy, then join the computer to the domain to override just the settings that are supported by the domain controller and windows 8.1 in common?
Will
Hi,
You could refer to below guide to complete your migration process:
Step-By-Step: Active Directory Migration from Windows Server 2003 to Windows Server 2012 R2
http://blogs.technet.com/b/canitpro/archive/2014/04/02/step-by-step-active-directory-migration-from-windows-server-2003-to-windows-server-2012.aspx
Meanwhile, about the details of how to migrate the domain controller, I would like to suggest you consult the Windows Server Forum for more professional help:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverDS
Karen Hu
TechNet Community Support -
Setting up Time Sync when all domain controllers are virtual machines?
We have 2 existing server 2008 domain controllers on 2008 Hyper-V. We plan to set up a third domain controller in a new AD site at a remote site that will be Server 2012 R2 on 2012R2 Hyper-V.
PDC role DC is on one of the DCs in the original site.
How should time syncing be set?
From what I've read, all Hyper-V time synchronization between the virtual domain controllers and their Hyper-V host should be disabled.
So, do we set up the PDC virtual machine to sync to an external site source and then expect the other 3 domain controllers to automatically sync with the time of the PDC?
What happens with this process during a PDC reboot or if that PDC role domain controller becomes unavailable for any other reason? Does one of the other DCs then take over the role of domain time source even through they don't have access to the external
time source?
Should we also turn off Hyper-V time syncing for every Hyper-V guest that is a member of our domain (since they should also be getting their time from a domain controller) or only turn off the Hyper-V time sync for the domain controllers alone?
> We have 2 existing server 2008 domain controllers on 2008 Hyper-V. We plan to set up a third domain controller in a new AD site at a remote site that will be Server 2012 R2 on 2012R2 Hyper-V.
> PDC role DC is on one of the DCs in the original site.
> How should time syncing be set?
Simply make sure that time sync is disabled on your Hyper-V VM. For time configuration in an AD domain, I have documented that here: http://social.technet.microsoft.com/wiki/contents/articles/18573.time-synchronization-in-active-directory-forests.aspx
> From what I've read, all Hyper-V time synchronization between the virtual domain controllers and their Hyper-V host should be disabled.
> So, do we set up the PDC virtual machine to sync to an external site source and then expect the other 3 domain controllers to automatically sync with the time of the PDC?
They don't take over the role of PDC. The downtime of your PDC should not take a long time. That is why it is important to regularly monitor the health status of your DCs using SCOM or third party tools. The one I usually recommend is Lepide Auditor - Active Directory: http://www.lepide.com/lepideauditor/active-directory.html. The solution also allows you to track changes in your AD domain.
> Should we also turn off Hyper-V time syncing for every Hyper-V guest that is a member of our domain (since they should also be getting their time from a domain controller) or only turn off the Hyper-V time sync for the domain controllers alone?
I would recommend turning off the Hyper-V time sync on all your Hyper-V VMs that are domain-joined.
Ahmed MALEK
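An added example (not from this thread nor from the earlier failover-cluster time-skew thread, which it also covers) that does what both answers recommend and adds the check a practitioner wants when a virtual DC comes up days off: part 1, on each Hyper-V host, turns the Time Synchronization integration service off for every guest; part 2, inside a DC guest, reads the W32Time phase-correction limits that decide whether a large offset is ever corrected automatically and measures the offset against the PDCe. Nothing in it is specific to a VM name; the repair steps at the end are commented out because they lift a safety limit.

```powershell
# Added example, not from either thread. Part 1 runs on each Hyper-V host (Hyper-V module,
# Server 2012 and later). Part 2 runs inside a DC guest.
Import-Module Hyper-V

# ---- Part 1 (host): switch the Time Synchronization integration service off for every
# guest that is a domain member, not only the DCs. A domain-joined host takes its time from
# a DC; if that DC is one of its own guests the host hands the guest its own clock back
# (a loop with no external reference), and a host whose clock is wrong after a cold start
# pushes that wrong time into every guest that still trusts it.
foreach ($vm in Get-VM) {
    $svc = Get-VMIntegrationService -VMName $vm.Name -Name 'Time Synchronization'
    '{0,-20} TimeSync enabled: {1}' -f $vm.Name, $svc.Enabled
    if ($svc.Enabled) {
        Disable-VMIntegrationService -VMName $vm.Name -Name 'Time Synchronization'
        "  -> disabled for $($vm.Name)"
    }
}

# ---- Part 2 (inside a DC guest): why a skew survives until someone intervenes.
# W32Time refuses any single correction larger than MaxPosPhaseCorrection /
# MaxNegPhaseCorrection (seconds) and logs a W32Time error in the System log instead, so a
# clock that came up two days wrong stays wrong even though the DC can see the PDCe.
$cfgPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$cfg     = Get-ItemProperty $cfgPath
# DWORD 0xFFFFFFFF ("unlimited") reads back as -1; mask before converting.
$maxPos  = [uint32]($cfg.MaxPosPhaseCorrection -band 0xFFFFFFFF)
$maxNeg  = [uint32]($cfg.MaxNegPhaseCorrection -band 0xFFFFFFFF)
'MaxPosPhaseCorrection: {0} s ({1:N1} h)' -f $maxPos, ($maxPos / 3600)
'MaxNegPhaseCorrection: {0} s ({1:N1} h)' -f $maxNeg, ($maxNeg / 3600)

# Measure our offset against the PDCe (positive = this DC is ahead).
$pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
w32tm /stripchart /computer:$pdc /samples:3 /dataonly

# One-off repair once you have verified the PDCe itself is right: lift the limit, resync,
# then put the original limits back so a future wildly wrong clock is still rejected.
# Set-ItemProperty $cfgPath -Name MaxPosPhaseCorrection -Value ([uint32]::MaxValue) -Type DWord
# Set-ItemProperty $cfgPath -Name MaxNegPhaseCorrection -Value ([uint32]::MaxValue) -Type DWord
# w32tm /config /update; w32tm /resync /rediscover
# Set-ItemProperty $cfgPath -Name MaxPosPhaseCorrection -Value $maxPos -Type DWord
# Set-ItemProperty $cfgPath -Name MaxNegPhaseCorrection -Value $maxNeg -Type DWord
# w32tm /config /update
```

Two caveats. A limit of "unlimited" on every DC means the next bad host clock is accepted without complaint, so once the guests are off host time, keep the limits at a value that covers a plausible boot-time jump but nothing more. And Microsoft's later Hyper-V guidance for DC guests keeps the integration service on for the one-time correction at boot and instead disables the VMICTimeProvider under W32Time\TimeProviders inside the guest; either way the running source has to be the domain hierarchy, not the host.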
-
Windows 8.1 Pro Cannot Connect to Domain Controllers through Wi-Fi
I have a domain joined Surface 2 Pro running 8.1 Pro Update that is suddenly unable to connect to the domain controllers on the local network. The machine is fully patched. I'm guessing that it is some network level security issue because the wi-fi is working:
It has no trouble connecting to my Wi-Fi hotspot on my phone.
It has no trouble connecting to other Wi-Fi at coffee shops etc.
It is connecting to my home Wi-Fi and gets an address from DHCP on the domain controllers, but can't ping the DCs, access the DCs through remote desktop even using their IP address.
It can ping the router and ping systems on the internet using their IP address rather than hostname.
I can fully access internet systems if I point it at DNS on the router but still cannot access internal systems by name or IP address.
The Wi-Fi network shows as a public network rather than a domain.
It will work fine when it is docked and using the dock's ethernet adapter.
If I use VPN to loop back through my router then I am able to fully access local systems.
None of the other systems on the network are experiencing the same issue.
I have tried the following which didn't work:
Switched off the Windows Firewall on the Windows 8.1 system and a domain controller.
Network Troubleshooting - which told me that the network seems OK but the DNS servers are not responding.
Uninstalling the Wi-Fi device and restarting the system to re-install it.
Resetting TCP/IP.
I am not aware of any changes, but the system did install System Hardware Update 8/07/2014 (again!) but I can't recall if that was when the problem started or was just a coincidence.
Any suggestions?
Thanks,
Richard
Richard-F
Hi Richard,
Apologize for my slow understanding.
I thought as it could obtain IP address from the DC, it should have connections between them.
For the current situation, you may try disabling the firewall on the DC, then check that the ports used by the AD environment are all available:
Active Directory and Active Directory Domain Services Port Requirements. You could make use of this tool:
PortQryUI - User Interface for the PortQry Command Line Port Scanner
If all are available and the issue still persists, then the issue seems to be restricted to the wireless router. You may try to contact the router side and see if they could offer any further useful information regarding this situation.
Best regards
Michael Shao
TechNet Community Support -
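A PowerShell version of the port check the reply suggests, as an added example (not from the thread): it tests the TCP ports a domain member needs on a DC, records which interface each test left on, and then shows why the network is classified as Public. Test-NetConnection, Get-NetConnectionProfile and Find-NetRoute exist on Windows 8.1; the DC address is an assumption, and it is an IP rather than a name because the client in the question cannot resolve internal names.

```powershell
# Added example, not from the thread. Run on the affected Windows 8.1 client.
$dc = '192.0.2.10'   # assumption: IPv4 address of a DC (the client cannot resolve internal names)

# TCP ports a domain member must reach on a DC for logon, Group Policy and name resolution.
$ports = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL, NETLOGON)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog LDAP'
}

$results = foreach ($p in $ports.Keys) {
    $t = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port      = $p
        Service   = $ports[$p]
        TcpOpen   = $t.TcpTestSucceeded
        Ping      = $t.PingSucceeded
        Interface = $t.InterfaceAlias   # shows whether the test went out over Wi-Fi or the dock
    }
}
$results | Format-Table -AutoSize

# Why the network shows as "Public": NLA classifies a connection as Domain only after it
# reaches a DC over LDAP when the interface comes up. Public therefore confirms the DC was
# unreachable at that moment rather than causing it (the client's Public firewall profile
# restricts inbound traffic only, so it cannot explain failed outbound pings).
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory, IPv4Connectivity

# The route the client would use to reach the DC from this interface. Compare it with the
# same query while docked: a different next hop or source address for the same destination
# narrows the problem to the wireless segment (router ACL, client isolation, VLAN).
Find-NetRoute -RemoteIPAddress $dc
```

If every port fails over Wi-Fi and every port succeeds over the dock with the same DC address, the client and the DC are both fine and the access point or router is dropping the traffic; many consumer routers have a "wireless isolation" or "guest network" option that blocks exactly LAN-to-LAN traffic while leaving internet access working, which matches every symptom listed.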
Can't edit default domain controllers policy on windows 8 or server 2012
I have found that I can't edit the "Default Domain Controllers Policy" from a Windows 8 or Server 2012 machine. I can edit and save changes fine from a Windows 7 machine. The domain controllers are running Windows 2012 Standard upgraded
from Windows 2008 R2. Is there a security setting I am missing?
Posting the resolution from the other thread. Hope it helps!
I just accidentally resolved this issue today. I added the GPMC to a 2008 R2 server so I could make a needed firewall
change within the Windows Firewall with Advanced Security section of the Default Domain Controllers GPO (I enabled the Remote Event Log management rule for the Domain profile). About an hour later, I forgot I was using my Windows 8 machine and I went
to edit the Default Domain Controllers GPO and opened for edit without a problem. I can now edit it from Windows 8 and from Windows Server 2012. Until now, I was using a Windows 7 VM to make the edits, so in my case the problem was resolved by
editing the GPO once from a 2008 R2 machine. -
In Windows Server Essentials 2012 R2, all of our online services integration features, including Azure Active Directory and Office 365, are supported only in environments that
have a single domain controller. In environments with more than one domain controller, integration of these services is blocked due to limitations in the user account and password synchronization mechanism in Windows Server Essentials.
I am happy to announce that with the recent Windows August Update released on (8/12/2014, PST), this limitation has been removed. This update adds support for both Azure
Active Directory integration and Office 365 integration features in domain environments consisting of a single domain controller, multiple domain controllers, or Windows Server Essentials as a domain member server.
For more information, please go to
http://support.microsoft.com/kb/2974308
Hi JoeBeck,
Thanks for the comment. Could you please tell which link you clicked to download?
Please go to PinPoint check details and start download
http://pinpoint.microsoft.com/en-US/applications/Dynamics-CRM-Online-Add-in-12884966386
Thanks,
Shanghai Wicresoft -
Hi
Anyone knows whether Windows 2008 R2 domain controllers with Windows 2003 forest functional level will still be Supported after Windows 2003 support ends in July 2015 ?
Thanks
When Windows Server 2003 support ends, you should not have a Windows Server 2003 Domain Controller running if you would like to be supported by Microsoft. This means that there will be no reason to have a DFL or FFL that is lower than Windows Server 2008.
So, if you are keeping Windows Server 2003 FFL to keep DCs running Windows Server 2003 then this is not supported.
Ahmed MALEK
-
Exchange 2007 with windows 2012 R2 domain controllers environment.
Hello,
I am planning to upgrade AD to Windows 2012 R2 from 2008 (currently at 2003 functional level for domain and forest). My question is: is Exchange 2007 (version build 08.03.0245.001) supported in a 2012 R2 domain environment at 2008 functional level?
I am planning to upgrade exchange later in december to exchange 2013 but not now.
Thanks in advance
Hello,
At present, there is no official article to verify whether Exchange 2007 is supported on a Windows Server 2012 R2 domain.
But I agree with damird's suggestion.
And don't install Exchange 2007 on Windows Server 2012 R2.
-
Clustering Configuration with Primary & Secondary Domain Controllers
Hello.
I am trying to configure Failover Clustering on my Server 2012 computers.
I have a primary domain, as well as a secondary domain.
We will call them dc1.domain.com and dc2.domain.com.
I have Failover Clustering Manager installed on both servers.
Upon adding them both to the Create A Cluster Wizard, I receive the following error message on my report.
(My account is fairly new, so it will not let me attach an image, but I assure you, it is safe)
s14.postimg.org/lssjm2vu9/Screenshot_1.png
More than trying to avoid clustering domain controllers, you simply cannot do it. Active Directory has high availability built into it. It is known as multi-master, meaning there are no primary and secondary domain controllers. All are 'masters',
meaning you can make changes on any domain controller and the change will be replicated to the other DCs.
If you only have two physical servers and you want to cluster them, you will first need to install the Hyper-V role on the servers (it is not recommended to install both Hyper-V and Domain Controller on the same box, so we will get this fixed). Once
you have Hyper-V installed, build a VM on each server, join them to the domain, and promote them to domain controllers. On one of the VMs, seize the FSMO roles from the FSMO master. Then demote the physical hosts from being domain controllers.
You can now form a cluster of the two physical servers.
tim
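The FSMO step that both the DC-replacement plan above (move roles from DC2 to DC1, then decommission) and this clustering answer (seize the roles onto a VM, then demote the hosts) rely on, as an added example that is code from neither thread. It shows the difference between a transfer and a seizure, and verifies the result with the same tools the threads use. The ActiveDirectory RSAT module is required; the target DC name is an assumption.

```powershell
# Added example, not from either thread. Needs the ActiveDirectory RSAT module and
# Enterprise Admins rights for the forest-level roles. $target is an assumption.
Import-Module ActiveDirectory

function Get-FsmoOwner {
    # All five role holders in one object, forest roles from Get-ADForest, domain roles from Get-ADDomain.
    $d = Get-ADDomain
    $f = Get-ADForest
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

'Before:'; Get-FsmoOwner | Format-List

$target = 'DC3'   # assumption: the new DC that should end up holding all five roles
$roles  = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

# Transfer (the migration plan's case): both DCs are online, the old owner is told it no
# longer holds the role and replicates that fact. Always prefer this.
Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $roles -Confirm:$false

# Seize (the clustering answer's case, after the physical hosts are gone for good). -Force
# tries a transfer first and seizes only if the owner cannot be reached. The old owner must
# never come back as a DC afterwards: two live holders of the RID master hand out
# overlapping SIDs, and two schema masters accept conflicting schema changes. Remove the
# dead DC with metadata cleanup (ntdsutil or deleting its NTDS Settings object) instead.
# Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $roles -Force -Confirm:$false

# Confirm on the target and wait for the change to replicate before decommissioning anything.
'After:'; Get-FsmoOwner | Format-List
netdom query fsmo
repadmin /showrepl $target
```

For the rename-and-reuse-the-hostname plan above, the order matters: transfer the roles and let repadmin /showrepl report clean replication to every remaining DC before the old DC1 is demoted, and only then take its name and IP, since clients and the other DCs cache SRV records and the old DC's Kerberos keys under that name.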
We have a program called Audit Wizard that we used with Windows 2003 that monitored all clients and alerted my department when a program was installed/uninstalled. Since upgrading to Windows Server 2008 R2, the program no longer works correctly.
So we are wondering if it is possible for Windows 2008 R2 Domain Controllers (running at a 2008 R2 forest and domain level) to be able to audit when programs are installed/uninstalled on clients and send alerts to our Admins?
If so, How?
Thanks in advance for your help!
Pete Macias
Hi Pete,
>>So we are wondering if it is possible for Windows 2008 R2 Domain Controllers (running at a 2008 R2 forest and domain level) to be able to audit when programs are installed/uninstalled on clients and send alerts to our Admins?
As far as I know, group policy can't help us do this. If you are interested, we can take a look at System Center Operation Manager and ask for suggestions in the following SCOM forum.
Operations Guide for System Center 2012 - Operations Manager
https://technet.microsoft.com/en-us/library/hh212887.aspx
System Center Operation Manager
https://social.technet.microsoft.com/Forums/systemcenter/en-US/home?category=systemcenteroperationsmanager
Best regards,
Frank Shen
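An added example (not from the thread, and a different approach from the SCOM suggestion) for the install/uninstall alerting asked about: Windows Installer writes an Application-log event for every MSI install (event 11707) and removal (event 11724) under the MsiInstaller source, so a script can collect those from a client over the built-in Remote Event Log Management firewall rule and mail a summary. The client name and the SMTP settings are assumptions.

```powershell
# Added example, not from the thread. Run from an admin workstation or a DC with the
# Remote Event Log Management rule enabled on the clients. $computer and the SMTP
# settings are assumptions.
$computer = 'CLIENT01'                 # assumption: a domain-joined client
$since    = (Get-Date).AddHours(-24)

# 11707 = "Installation completed successfully", 11724 = "Removal completed successfully".
$filter = @{
    LogName      = 'Application'
    ProviderName = 'MsiInstaller'
    Id           = 11707, 11724
    StartTime    = $since
}
$events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # Message text is "Product: <name> -- Installation completed successfully." (or "Removal ...").
    $m = [regex]::Match($e.Message, 'Product:\s*(.+?)\s*--')
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Computer = $e.MachineName
        Action   = if ($e.Id -eq 11707) { 'Installed' } else { 'Removed' }
        Product  = if ($m.Success) { $m.Groups[1].Value } else { $e.Message }
        UserSid  = $e.UserId        # account that ran the installer; resolve with Get-ADUser -Identity <sid>
    }
}
$report | Sort-Object Time | Format-Table -AutoSize

if ($report) {
    $body = ($report | Sort-Object Time | Format-Table -AutoSize | Out-String)
    Send-MailMessage -To 'admins@example.net' -From 'audit@example.net' `
        -Subject "Software installed/removed on $computer" -Body $body -SmtpServer 'smtp.example.net'
}
```

Two limits worth knowing before relying on this. Only MSI-based setups raise these events; EXE installers (NSIS, Inno Setup, self-extracting archives) do not, so for those you need process-creation auditing (security event 4688) or AppLocker in audit mode. And polling every client from a loop does not scale; the same events are a natural candidate for a Windows Event Forwarding subscription to one collector, where a single scheduled task reads the ForwardedEvents log instead.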