Feb 15, 2016 By Jared Heinrichs Leave a Comment

How to backup to backup a system state of a server to a network Share

The backup program is crap. When you do have to use it, it is nice to know how to script with it.

As most people know backing up the system state will backup the most important parts of the server. Here is a listing of the items it backs up.

Registry
COM+ Class Registration database
Boot files
Active Directory Certificate Services (AD CS) database
Active Directory database
SYSVOL directory
Cluster service information
Microsoft Internet Information Services (IIS) metadirectory
System files that are under Windows Resource Protection
Active Directory Federation Service

Example Command

Open the command prompt and type:

wbadmin start systemstatebackup -backupTarget:”\\SERVER\SHARE\FOLDER_Name_of_server\systemstate\”

Feb 2, 2016 By Jared Heinrichs Leave a Comment

How to Configure the Windows Time Service in an Active Directory Forest

Original blog post reference:
Configuring the Windows Time Service in an Active Directory Forest – A step by step with a Contingency Plan
http://blogs.msmvps.com/acefekay/2014/04/26/configuring-the-windows-time-service/

Windows Server Time Sync Configuration

The following steps can be used to configure DCs the default Windows time service hierarchy in an AD forest. The procedure will also remove any errors in the Event Viewer, if any existed.

Do not use if you are using a third party stratum service and refer to the vendor’s documentation for further instructions

Check and Document the Current Time Configuration on the PDC Emulator

First check and document the current configuration:
1. All Windows Server domain operating systems – run the following on the forest root domain PDC Emulator.
  1. Note: In some cases you must wait a little time for the service to instantiate.
  2. If you do not see expected results immediately, wait 10 min and re-run the following steps
W32tm /query /configuration
1. This command confirms the PDC Emulator shows the current source in the [TimeProviders] section, Look for “Type:” You will see one of the following:
  1. Type: NT5DS (Local) -This means that it’s not synced externally.
  2. Type: NTP (Local) –This command it is syncing externally.
    NtpServer: time.windows.com [65.55.56.206] (Local)
2. For all other DCs, use the command, w32tm /monitor (step 4 below)
w32tm /query /source
1. On the PDC Emulator, this shows the actual source. One of two possibilities:
  1. CMOS clock -Signifies not synced to an external source (Not what you want to see)
  2. time.windows.com –The NTP source IPaddress/FQDN This is correct.
w32tm /monitor or w32tm /monitor /computers:DCNAME
1. On the PDC Emulator, this command shows the outside time source.
  1. Good example:
    dc01.contoso.com *** PDC ***[10.10.10.200:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from dc02.contoso.com
    RefID: time.windows.com [65.55.56.206]
    Stratum: 4
2. On all other DCs, this command shows the current time source DC for this DC.
  1. You will see an “offset for the PDC from its configured NTP source.
  2. Good example result showing the DC02 is syncing with dc01.contoso.com:
    dc02.contoso.com 10.10.10.210]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from dc01.contoso.com
    RefID: dc01.contoso.com [10.10.10.200]
    Stratum: 4
w32tm /tz
1. This shows the current time zone to make sure it’s correct.
w32tm /stripchart /computer: target /samples: n /dataonly
1. This command will show you the time difference between the local computer and a target computer and is helpful in determining if there is an offset. The “n” value is the number of time samples that will be returned from the target to test basic NTP communications.
w32tm /dumpreg
1. This command dumps the current registry settings found in:
  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
  You can see the current time service configuration entries, such as:
  Type: NTPNTPServer:

*

Configure time sync to a reliable source on the forest rood domain PDC Emulator ONLY.

Do not perform on any other DC in any domain in the forest. PDC in the forest root only.

Windows 2003 and all newer:
1. Open an Administrator Command Prompt.
  1. Note that the examples below use either time.windows.com or the pool.ntp.org servers. You can get a full list of reliable time services at:
    A list of the Simple Network Time Protocol (SNTP) time servers that are available on the Internet: http://support.microsoft.com/kb/262680
2. w32tm /config /manualpeerlist:time.windows.com /syncfromflags:manual /reliable:yes /update
  OR – if you want to use the pool.ntp.org time source servers:
3. W32tm /config /manualpeerlist:0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,0x1 /syncfromflags:manual /reliable:yes /update
4. w32tm /resync /rediscover
5. net stop w32time && net start w32time
6. Check it with W32tm /query /configuration
  1. You may have to repeatedly run it a few times until you see it change from the CMOS clock to the time server you set it to. If it doesn’t change after a few minutes, you may have to reset the time service in theContingency section below.
Windows 2000:
Generally speaking, the w32tm command is similar to Windows 2003 and newer operating systems. However, Windows 2000 uses the net time /setsntp method, which was removed in later versions. There are also some differences between Windows 2000 RTM and various service packs. Therefore, if any issues arise from the commands not setting, it’s recommended to follow the instructions using the registry to configure the time service in Windows 2000:
How to configure an authoritative time server in Windows 2000:
http://support.microsoft.com/kb/216734
1. Open an Administrator Command Prompt.
2. net time /setsntp:174.140.19.7 – Windows 2000 uses this command to configure an outside source.
3. net stop w32time
4. w32tm -once W32tm performs numerous commands. Their results are displayed on the screen.
5. net start w32time
6. Check it with W32tm /query /configuration
  1. You may have to repeatedly run it a few times until you see it change from the CMOS clock to the time server you set it to. If it doesn’t change after a few minutes, you may have to reset the time service in theContingency section below
Use the procedure in Step #1 to check and document the new configuration.
Contingency: Perform the steps in the Corrupted Time Service Resolution Section to return the settings back to Windows defaults.

*

Configure all other DCs to sync using the forest time hierarchy

This includes all other DCs in the forest root domain that are not holding the PDC Emulator role, and any DC in any other domains and trees, including the PDC in those domains.

Do NOT run the following on the PDC Emulator in the forest root domain.

First check and document the current configuration: See Section #3 above.
Windows Server 2003 and all newer server operating systems:
1. Open an Administrator Command Prompt
2. w32tm /config /syncfromflags:domhier /update /reliable:no
3. w32tm /resync /rediscover
4. net stop w32time && net start w32time
5. Check it with W32tm /query /configuration
  1. You may have to repeatedly run it a few times until you see it change from the CMOS clock to the time server you set it to. If it doesn’t change after a few minutes, you may have to reset the time service in theContingency section below
Windows 2000:
For reference with Windows 2000, see the following link for more info:
How to configure an authoritative time server in Windows 2000
http://support.microsoft.com/kb/216734
1. Open an Administrator Command Prompt.
2. w32tm –s
3. Net stop w32time && net start w32time
4. Check it with W32tm /query /configuration
  1. You may have to repeatedly run it a few times until you see it change from the CMOS clock to the time server you set it to. If it doesn’t change after a few minutes, you may have to reset the time service in theContingency section below
Use the procedure in Step #1 to check and DOCUMENT the new configuration.
Contingency: Perform the steps in the Corrupted Time Service Resolution Section to return the settings back to Windows defaults.

*

Time configuration on FSMO transferred or seized DCs

On the new forest root domain PDC Emulator, run the following:
1. Open an Administrator command prompt:
2. W32tm /config /manualpeerlist:0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org /syncfromflags:manual /reliable:yes /update
  1. Note: time.windows.com is a working time source, however you choose any reliable time services in your locale.
3. W32tm /resync /rediscover
4. net stop w32time && net start w32time
5. Check it with W32tm /query /configuration
  1. You may have to repeatedly run it a few times until you see it change from the CMOS clock to the time server you set it to. If it doesn’t change after a few minutes, you may have to reset the time service in theContingency section below
On the server formerly holding the PDC Emulator role, run the following:
1. Open an Administrator command prompt.
2. w32tm /config /syncfromflags:domhier /update
3. w32tm /resync /rediscover
4. net stop w32time && net start w32time
5. Check it with W32tm /query /configuration
  1. You may have to repeatedly run it a few times until you see it change from the CMOS clock to the time server you set it to. If it doesn’t change after a few minutes, you may have to reset the time service in theContingency section below
Follow the procedure in Step #1 to check and DOCUMENT the new configuration.
Contingency: Perform the steps in the Corrupted Time Service Resolution Section to return the settings back to Windows defaults.

*

Corrupted Time Service Resolution Section (Contingency)

If any of the procedures did not work or event log errors indicate any issues, you can reset the time service registry entries back to default. The procedure should be done on the DC that you are experiencing issues with and not necessarily on each DC. Note: This procedure can also be used as a contingency to return a DC (PDC and non-PDCs) back to local CMOS time sync.

On the DC that you’re experiencing issues with, run the following:
1. Open an Administrator command prompt.
2. net stop w32time
3. w32tm /unregister
4. w32tm /register
5. net start w32time
6. Configure the DC according to the configuration sections above depending on if it’s a PDC Emulator or non-PDC Emulator.
The next command is ONLY for Windows 2000 to 2008 DCs. It does not apply to 2008 R2 or newer and will be ignored if you try it.
1. “net time /setsntp: ” – Do not use the quotes. Note that there’s a blank space prior to the closing quote.
  This command tells the client (whether a DC or workstation) to delete the current registry settings for time and use default settings.
2. net stop w32time && net start w32time
3. Configure the DC according to the configuration sections above depending on if it’s a PDC Emulator or non-PDC Emulator.

*

W32Time Service Accuracy

Please bear in mind that the Windows W32Time service is not a full featured, accurate service for time sensitive application requirements, nor will Microsoft support it as such. You must use a third party time service that will support this requirement.

For more information, please visit the following link:

Support boundary to configure the Windows Time service for high-accuracy environments
http://support.microsoft.com/kb/939322

==================================================================

References

How the Windows Time Service Works
http://technet.microsoft.com/en-us/library/71e76587-28f4-4272-a3d7-7f44ca50c018

Windows Time Service Technical Reference
http://technet.microsoft.com/en-us/library/a0fcd250-e5f7-41b3-b0e8-240f8236e210

Windows Time Service Tools and Settings
Includes specific w32tm command switches and registry entries.
http://technet.microsoft.com/en-us/library/cc773263

=================================================================

Summary

I hope this helped you to easily configure your time service and what to do if it didn’t work.

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

May 2, 2012 By Jared Heinrichs 4 Comments

This Active Directory Domain Controller is NOT the last AD DC in the domain

Did you get the following error: “The operation failed because: This Active Directory Controller is not the last AD DC in the domain. The server is unwilling to process the request.” when you typed in dcpromo?

If you really want to remove the domain controller from the domain you will need to issue the command:

dcpromo /forceremoval

Hope this helps you get rid of the error: “The operation failed because: This Active Directory Controller is not the last AD DC in the domain. The server is unwilling to process the request.”

PS – Remember to uninstall the AD Binaries by using Server Manager.

Sep 13, 2010 By Jared Heinrichs Leave a Comment

How to give a tune-up to your Active Directory Database

This post will go over tuning up your Active Directory Database. I will specifically going over Active Directory in a Windows 2008 Server environment.

Why would you want to do this?

Running regular maintenance on the Active Directory Database recaptures disk space, makes the database file more efficient (faster) and checks for any weirdness.
When stuff gets deleted out of your active directory database, the file does not get any smaller.

*NOTE* – These items will be done using “NTDSUTIL” under the “Files” context. Three items this post will go over will be “Compact”, “Integrity” as well as “Semantic" Database Analysis”.

Getting ready to type the commands

Go and Open command prompt.

Type. “ntdsutil”.
Type “Activate Instance NTDS”

How to Defrag / Compact the Active Directory Database

* NOTE * You can’t compact the actual Active Directory Database! You will have to compact it to another location. Then copy the new file over the old version manually. This is the #1 concept issue I see people have. Most of the time they think just by running the command the database is defragged. Unfortunately this is not the case.

You need to “STOP” the “NTDS Service” before binding to the Active Directory database".
Go to “Administrator Tools” and select “Services”.
Right click “Active Directory Domain Services” and tell it to “Stop”. Windows will prompt you to tell you there are other services that will be stopped as well.
Go back to the command prompt that you opened at the beginning of the how to video. You might get an error about not being able to stop it. This is because replication is going on. You will just have to try stopping it again in a few seconds until it stops.
Type “Files”. IF you didn’t stop the NTDS Service in step 3 you will be alerted here with an error.
Type “compact to C:\” or where ever you want to create a copy of the compacted Active Directory Database.
Verify that a copy copy of the Active Directory Database file has been created @ “C:\ntds.dit”
Type “Quit” and “Quit”. This will get you back to the command prompt.
Type: copy “C:\ntds.dit” “C:\Windows\NTDS\ntds.dit”
Type: del “C:\Windows\NTDS\*.log”

How to Check the Active Directory Database Integrity

* NOTE * – After compacting the database you should always check the Integrity of the database. If you don’t still have the command prompt window go back to “Getting ready to type the commands section”.

Type “Files”
Type “Integrity”
This will make sure there is no issues with the with the compacting of the Active Directory Database
Once this command completes there will be a message recommending to you to run the “Semantic database consistency” check as well.

How to run the Semantic Database Consistency util

Still in the NTDS util run:

Type "quit” to go up one level in the NTDSutil instance structure.
Type “semantic database analysis”
Type “Verbose on”
Type “Go Fixup”

Remember to restart “Active Directory Domain Services”. All those services that were also stopped during the process of stopping the service will also be started.

Sep 13, 2010 By Jared Heinrichs Leave a Comment

How to setup Active Directory auditing

There are many reasons to setup Active Directory Auditing. The most common reason is to track changes to user/computer accounts in Active Directory. There are two things you have to do in order to setup Active Directory auditing.

You have to enable Auditing Policy (specifically Audit Directory Service) on either the domain Controller Policy or the Default Domain Policy. I recommend the Domain Controller Policy.
You have to turn on Auditing component on the Object(s) you want to audit.

How to setup/Enable Audit Directory Service

Here are the steps to Enable the Audit Directory Service.

Right click the Domain Controller Policy. Select. “Edit…”
Go to “Computer Configuration” – “Windows Settings” – “Security Settings” – “Local Policies” – “Audit Policy”
Double click “Audit Directory Service Access”
All the boxes should be selected. ie. “Define these policy settins”. Audit These attempts “Success” & “Failure”.

How to turn on Auditing on specific Active Directory Objects

Here are the steps to turn on Auditing on AD obejcts:

Open Active Directory Users and Computers
Go to View and make sure “Show advance features” is enabled.
Right click “Base OU” where you want to audit and hit Properties.
Click on Security Tab”. (If you don’t see this go back to step #2)
Click “Advanced” button near the bottom of the Window.
Click on “Auditing” tab in the new Window.
Click on “Add..” button
Select “Authenticated Users” group
Check off Successful and Failed for the Write all Properties. Make sure that “This object and all descendant objects” is selected.
Click “Ok”
Click “Ok”

How to View Active Directory Auditing Logs

Now that you’ve set this up you might be wondering “Where do I go to see all this auditing now? If you did you would have asked a really good question.

To view the Active Directory Auditing logs you need to open “Server Manager” – “Diagnostics” – “Windows Logs” – “Security”

4726 Message – This code is for deleting a user account. The user who did it will also be logged.
4720 Message – This code is for creating a user account. The user who did it will also be logged.

You might want to try and filter the events based on these messages.