Jared Heinrichs


Feb 2, 2016 By Jared Heinrichs

How to Configure the Windows Time Service in an Active Directory Forest

Original blog post reference:
Configuring the Windows Time Service in an Active Directory Forest – A step by step with a Contingency Plan
http://blogs.msmvps.com/acefekay/2014/04/26/configuring-the-windows-time-service/

Windows Server Time Sync Configuration

The following steps can be used to configure DCs to use the default Windows time service hierarchy in an AD forest. The procedure will also remove any errors in the Event Viewer, if any existed.

Do not use this procedure if you are using a third-party stratum service; refer to the vendor’s documentation for further instructions.

Check and Document the Current Time Configuration on the PDC Emulator

  1. First check and document the current configuration:
    1. All Windows Server domain operating systems – run the following on the forest root domain PDC Emulator.
      1. Note: In some cases you must wait a little time for the service to instantiate.
      2. If you do not see expected results immediately, wait 10 min and re-run the following steps
  2. W32tm /query /configuration   
    1. This command shows the PDC Emulator’s current source in the [TimeProviders] section. Look for “Type:”. You will see one of the following:
      1. Type: NT5DS (Local) – This means that it’s not synced externally.
      2. Type: NTP (Local) – This means that it is syncing externally.
         NtpServer: time.windows.com [65.55.56.206] (Local)
    2. For all other DCs, use the command, w32tm /monitor (step 4 below)
  3. w32tm /query /source
    1. On the PDC Emulator, this shows the actual source. One of two possibilities:
      1. CMOS clock – Signifies not synced to an external source (not what you want to see).
      2. time.windows.com – The NTP source IP address/FQDN. This is correct.
  4. w32tm /monitor or w32tm /monitor /computers:DCNAME
    1. On the PDC Emulator, this command shows the outside time source.
      1. Good example:
        dc01.contoso.com *** PDC ***[10.10.10.200:123]:
        ICMP: 0ms delay
        NTP: +0.0000000s offset from dc02.contoso.com
        RefID: time.windows.com [65.55.56.206]
        Stratum: 4
    2. On all other DCs, this command shows the current time source DC for this DC.
      1. You will see an “offset” for the PDC from its configured NTP source.
      2. Good example result showing the DC02 is syncing with dc01.contoso.com:
        dc02.contoso.com [10.10.10.210]:
        ICMP: 0ms delay
        NTP: +0.0000000s offset from dc01.contoso.com
        RefID: dc01.contoso.com [10.10.10.200]
        Stratum: 4
  5. w32tm /tz
    1. This shows the current time zone to make sure it’s correct.
  6. w32tm /stripchart /computer:target /samples:n /dataonly
    1. This command will show you the time difference between the local computer and a target computer and is helpful in determining if there is an offset. The “n” value is the number of time samples that will be returned from the target to test basic NTP communications.
  7. w32tm /dumpreg
    1. This command dumps the current registry settings found in:
      HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
      You can see the current time service configuration entries, such as:
      Type: NTP
      NtpServer:
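
The `w32tm /monitor` check in step 4 can be scripted so that every DC's offset and reference source is reviewed at once. The PowerShell below is an added example, not part of the original post: the function name `Get-W32tmMonitorReport`, the 1-second alert threshold and the sample output (including the unhealthy dc03) are assumptions constructed for illustration.

```powershell
# Added example. Sample text is constructed, modelled on the w32tm /monitor
# output shown above; dc03 is an invented unhealthy DC. On a real DC use:
#   $raw = (w32tm /monitor) -join "`n"
$raw = @'
dc01.contoso.com *** PDC ***[10.10.10.200:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from dc01.contoso.com
        RefID: time.windows.com [65.55.56.206]
        Stratum: 4
dc02.contoso.com[10.10.10.210:123]:
    ICMP: 0ms delay
    NTP: +0.0312500s offset from dc01.contoso.com
        RefID: dc01.contoso.com [10.10.10.200]
        Stratum: 5
dc03.contoso.com[10.10.10.220:123]:
    ICMP: 1ms delay
    NTP: -412.5000000s offset from dc01.contoso.com
        RefID: 'LOCL' [0x4C434F4C]
        Stratum: 1
'@

function Get-W32tmMonitorReport {
    param(
        [Parameter(Mandatory = $true)][string]$Text,
        [double]$MaxOffsetSeconds = 1.0   # assumed alert threshold, not from the post
    )
    $dcs = @()
    $dc  = $null
    $inv = [System.Globalization.CultureInfo]::InvariantCulture
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*(?<name>[^\s\[]+)\s*(?<pdc>\*\*\* PDC \*\*\*)?\s*\[(?<ip>[^\]]+)\]:\s*$') {
            # A "name[ip:port]:" header line starts a new DC record.
            $dc = New-Object psobject -Property @{
                Name = $Matches['name']; IsPdc = [bool]$Matches['pdc']
                OffsetSeconds = $null; RefId = $null; Stratum = $null
            }
            $dcs += $dc
        } elseif ($dc -and $line -match 'NTP:\s*(?<off>[+-]?\d+\.\d+)s offset') {
            $dc.OffsetSeconds = [double]::Parse($Matches['off'], $inv)
        } elseif ($dc -and $line -match 'RefID:\s*(?<ref>.+?)\s*$') {
            $dc.RefId = $Matches['ref']
        } elseif ($dc -and $line -match 'Stratum:\s*(?<s>\d+)') {
            $dc.Stratum = [int]$Matches['s']
        }
    }
    foreach ($d in $dcs) {
        $issues = @()
        if ($null -eq $d.OffsetSeconds) {
            # An error line instead of an offset means the DC gave no usable NTP answer.
            $issues += 'no NTP offset reported'
        } elseif ([math]::Abs($d.OffsetSeconds) -gt $MaxOffsetSeconds) {
            $issues += "offset $($d.OffsetSeconds)s exceeds $($MaxOffsetSeconds)s"
        }
        if ($d.RefId -match 'LOCL') { $issues += 'syncing from the local clock' }
        $d | Add-Member -MemberType NoteProperty -Name Issues -Value ($issues -join '; ') -PassThru
    }
}

Get-W32tmMonitorReport -Text $raw |
    Format-Table Name, IsPdc, OffsetSeconds, Stratum, RefId, Issues -AutoSize
```

Keeping the table produced before and after a change gives you the documented baseline the procedure asks for.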

*

Configure time sync to a reliable source on the forest root domain PDC Emulator ONLY.

Do not perform on any other DC in any domain in the forest. PDC in the forest root only.

  1. Windows 2003 and all newer:
    1. Open an Administrator Command Prompt.
      1. Note that the examples below use either time.windows.com or the pool.ntp.org servers. You can get a full list of reliable time services at:
        A list of the Simple Network Time Protocol (SNTP) time servers that are available on the Internet: http://support.microsoft.com/kb/262680
    2. w32tm /config /manualpeerlist:time.windows.com /syncfromflags:manual /reliable:yes /update
      OR – if you want to use the pool.ntp.org time source servers:
    3. w32tm /config /manualpeerlist:"0.pool.ntp.org,0x1 1.pool.ntp.org,0x1 2.pool.ntp.org,0x1" /syncfromflags:manual /reliable:yes /update
    4. w32tm /resync /rediscover
    5. net stop w32time && net start w32time
    6. Check it with W32tm /query /configuration   
      1. You may have to run it several times until you see it change from the CMOS clock to the time server you set it to. If it doesn’t change after a few minutes, you may have to reset the time service as described in the Contingency section below.
  2. Windows 2000:
    Generally speaking, the w32tm command is similar to Windows 2003 and newer operating systems.  However, Windows 2000 uses the net time /setsntp method, which was removed in later versions.  There are also some differences between Windows 2000 RTM and various service packs. Therefore, if any issues arise from the commands not setting, it’s recommended to follow the instructions using the registry to configure the time service in Windows 2000:
    How to configure an authoritative time server in Windows 2000:
    http://support.microsoft.com/kb/216734

    1. Open an Administrator Command Prompt.
    2. net time /setsntp:174.140.19.7    – Windows 2000 uses this command to configure an outside source.
    3. net stop w32time
    4. w32tm -once    – W32tm performs numerous commands. Their results are displayed on the screen.
    5. net start w32time
    6. Check it with W32tm /query /configuration   
      1. You may have to run it several times until you see it change from the CMOS clock to the time server you set it to. If it doesn’t change after a few minutes, you may have to reset the time service as described in the Contingency section below.
  3. Use the procedure in Step #1 to check and document the new configuration.
  4. Contingency: Perform the steps in the Corrupted Time Service Resolution Section to return the settings back to Windows defaults.

*

Configure all other DCs to sync using the forest time hierarchy

This includes all other DCs in the forest root domain that are not holding the PDC Emulator role, and any DC in any other domains and trees, including the PDC in those domains.

Do NOT run the following on the PDC Emulator in the forest root domain.

  1. First check and document the current configuration: See Section #3 above.
  2. Windows Server 2003 and all newer server operating systems:
    1. Open an Administrator Command Prompt
    2. w32tm /config /syncfromflags:domhier /update /reliable:no
    3. w32tm /resync /rediscover
    4. net stop w32time && net start w32time
    5. Check it with W32tm /query /configuration   
      1. You may have to run it several times until you see it change from the CMOS clock to the time server you set it to. If it doesn’t change after a few minutes, you may have to reset the time service as described in the Contingency section below.
  3. Windows 2000:
    For reference with Windows 2000, see the following link for more info:
    How to configure an authoritative time server in Windows 2000
    http://support.microsoft.com/kb/216734

    1. Open an Administrator Command Prompt.
    2. w32tm -s
    3. Net stop w32time && net start w32time
    4. Check it with W32tm /query /configuration   
      1. You may have to run it several times until you see it change from the CMOS clock to the time server you set it to. If it doesn’t change after a few minutes, you may have to reset the time service as described in the Contingency section below.
  4. Use the procedure in Step #1 to check and DOCUMENT the new configuration.
  5. Contingency: Perform the steps in the Corrupted Time Service Resolution Section to return the settings back to Windows defaults.

*

Time configuration on FSMO transferred or seized DCs

  1. On the new forest root domain PDC Emulator, run the following:
    1. Open an Administrator command prompt:
    2. W32tm /config /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org" /syncfromflags:manual /reliable:yes /update
      1. Note: time.windows.com is a working time source; however, you can choose any reliable time service in your locale.
    3. W32tm /resync /rediscover
    4. net stop w32time && net start w32time
    5. Check it with W32tm /query /configuration   
      1. You may have to run it several times until you see it change from the CMOS clock to the time server you set it to. If it doesn’t change after a few minutes, you may have to reset the time service as described in the Contingency section below.
  2. On the server formerly holding the PDC Emulator role, run the following:
    1. Open an Administrator command prompt.
    2. w32tm /config /syncfromflags:domhier /update
    3. w32tm /resync /rediscover
    4. net stop w32time && net start w32time
    5. Check it with W32tm /query /configuration   
      1. You may have to run it several times until you see it change from the CMOS clock to the time server you set it to. If it doesn’t change after a few minutes, you may have to reset the time service as described in the Contingency section below.
  3. Follow the procedure in Step #1 to check and DOCUMENT the new configuration.
  4. Contingency: Perform the steps in the Corrupted Time Service Resolution Section to return the settings back to Windows defaults.

*

Corrupted Time Service Resolution Section (Contingency)

If any of the procedures did not work or event log errors indicate any issues, you can reset the time service registry entries back to default. The procedure should be done on the DC that you are experiencing issues with and not necessarily on each DC.  Note: This procedure can also be used as a contingency to return a DC (PDC and non-PDCs) back to local CMOS time sync.

  1. On the DC that you’re experiencing issues with, run the following:
    1. Open an Administrator command prompt.
    2. net stop w32time
    3. w32tm /unregister
    4. w32tm /register
    5. net start w32time
    6. Configure the DC according to the configuration sections above depending on if it’s a PDC Emulator or non-PDC Emulator.
  2. The next command is ONLY for Windows 2000 to 2008 DCs. It does not apply to 2008 R2 or newer and will be ignored if you try it.
    1. “net time /setsntp: ”      – Do not use the quotes. Note that there’s a blank space prior to the closing quote.
      This command tells the client (whether a DC or workstation) to delete the current registry settings for time and use default settings.
    2. net stop w32time && net start w32time
    3. Configure the DC according to the configuration sections above depending on if it’s a PDC Emulator or non-PDC Emulator.

*

W32Time Service Accuracy

Please bear in mind that the Windows W32Time service is not a full featured, accurate service for time sensitive application requirements, nor will Microsoft support it as such. You must use a third party time service that will support this requirement.

For more information, please visit the following link:

Support boundary to configure the Windows Time service for high-accuracy environments
http://support.microsoft.com/kb/939322

==================================================================

References

How the Windows Time Service Works
http://technet.microsoft.com/en-us/library/71e76587-28f4-4272-a3d7-7f44ca50c018

Windows Time Service Technical Reference
http://technet.microsoft.com/en-us/library/a0fcd250-e5f7-41b3-b0e8-240f8236e210

Windows Time Service Tools and Settings
Includes specific w32tm command switches and registry entries.
http://technet.microsoft.com/en-us/library/cc773263

=================================================================

Summary

I hope this helped you to easily configure your time service and what to do if it didn’t work.

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

Filed Under: Active Directory (2003), Windows 2003 SBS, Windows 2003 Server, Windows 2008, Windows 2008 R2

May 8, 2014 By Jared Heinrichs

How to stop a Windows Server Backup using the command line

This how-to will go over how to stop a Windows Server backup using the command line. Really it is very easy to stop a Windows Server Backup. There is a single command that will stop Windows Server Backup. The command is:

wbadmin stop job

Yup. That’s it. Now the next time someone asks you how to stop a Windows Server backup you can respond like a champ 😉

Filed Under: Windows 2008, Windows 2008 R2

Oct 22, 2013 By Jared Heinrichs

Windows IPv6 EUI-64 Fix

Windows by default comes up with a randomly picked IPv6 Link Local address instead of using the EUI-64 version. In a home network it doesn’t make sense to apply this fix. It is meant only for a lab or business setup where you need a static address for authentication.

So, here’s how to make Windows behave as per every other OS…

1. Open up a Command Prompt in Administrator mode (right-click, run as administrator)

2. Run the following commands.  Each one should respond “Ok”.  If you didn’t do step 1 correctly, it will say the command required elevation.

netsh interface ipv6 set privacy state=disabled store=active
netsh interface ipv6 set privacy state=disabled store=persistent
netsh interface ipv6 set global randomizeidentifiers=disabled store=active
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent

3. Exit the command prompt, and reboot.

Hope this helps you fix IPv6 EUI-64 in Windows.
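
To confirm the change took effect after the reboot, you can derive the address the interface should now have and compare it with what the host reports. The PowerShell below is an added example, not part of the original post: the function names `Get-Eui64LinkLocal` and `Test-Eui64LinkLocal` and the sample MAC and addresses are assumptions constructed for illustration.

```powershell
# Added example: derive the EUI-64 link-local address a NIC should have once
# the netsh settings above are active, and compare it with what the host shows.
function Get-Eui64LinkLocal {
    param([Parameter(Mandatory = $true)][string]$MacAddress)

    $hex = $MacAddress -replace '[-:.]', ''
    if ($hex -notmatch '^[0-9A-Fa-f]{12}$') {
        throw "Not a 48-bit MAC address: $MacAddress"
    }
    [byte[]]$mac = 0..5 | ForEach-Object { [Convert]::ToByte($hex.Substring($_ * 2, 2), 16) }

    # Modified EUI-64: flip the universal/local bit of the first octet and
    # insert FF-FE between the vendor half and the device half of the MAC.
    $first = [byte]($mac[0] -bxor 0x02)
    [byte[]]$addr = @(0xFE, 0x80, 0, 0, 0, 0, 0, 0,
                      $first, $mac[1], $mac[2], 0xFF, 0xFE, $mac[3], $mac[4], $mac[5])
    (New-Object System.Net.IPAddress -ArgumentList (, $addr)).ToString()
}

function Test-Eui64LinkLocal {
    param(
        [Parameter(Mandatory = $true)][string]$MacAddress,
        [Parameter(Mandatory = $true)][string]$LinkLocalAddress
    )
    # Drop any zone index (for example %12) so only the address bits are compared.
    $actual   = [System.Net.IPAddress]::Parse(($LinkLocalAddress -split '%')[0])
    $expected = [System.Net.IPAddress]::Parse((Get-Eui64LinkLocal $MacAddress))
    $actual.Equals($expected)
}

# Constructed sample values (not from a real host). Take the real ones from
# "ipconfig /all": Physical Address and Link-local IPv6 Address.
Get-Eui64LinkLocal  '00-11-22-33-44-55'
Test-Eui64LinkLocal '00-11-22-33-44-55' 'fe80::211:22ff:fe33:4455%12'
Test-Eui64LinkLocal '00-11-22-33-44-55' 'fe80::a9d4:3c1e:77b2:51f0%12'
```

The second test uses a randomised interface identifier, which is what an interface still shows if the netsh settings did not apply.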

Filed Under: Windows 2008, Windows 2008 R2, Windows 7, Windows 8

Oct 30, 2010 By Jared Heinrichs

Windows 2008 DNS issue resolving top level domains

I normally get servers to use Root DNS servers as I have never trusted Shaw’s or (especially) MTS’s DNS servers here in Winnipeg.

We’ve been seeing more and more issues regarding DNS with Server 2008. It seemed like if you restarted the cache or restarted the DNS service, everything would start working right away. I later found that if you pinged the domain you were having trouble with on the client machines directly from the DNS server, that too would correct the connection issues for that one domain.

I later figured I would use forwarders for all external DNS requests as the company wasn’t having any issue before I setup their SBS. I hadn’t heard back from them.

After some investigation I found the cause of the problem to be a bug in the DNS cache information, where the Time To Live (TTL) on certain top level domains is incompatible with the minimum TTL allowed by Windows Server 2008 DNS. The information would expire but not be removed from the cache, making it unusable by the DNS server, but the server would not fetch new information because the old entry was still in the cache.

Basically there are two fixes. Either use DNS forwarders or edit a registry setting.

  1. Start Registry Editor (regedit.exe).
  2. Locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
  3. On the Edit menu, click New, click DWORD (32-bit) Value, and then add the following value:
  4. value: MaxCacheTTL
  5. Data Type: DWORD
  6. Data value: 0x2A300 (172800 seconds in decimal, or 2 days)
  7. Click OK.
  8. Quit Registry Editor.
  9. Restart the DNS Server service.

Filed Under: Windows 2008 Tagged With: How To

Oct 30, 2010 By Jared Heinrichs

MMC error 18ea3f92-d6aa-41d9-a205-2023400c8fbb

The other day about 1/2 way into the day I get a call from a client saying “we haven’t received any emails all day”. I automatically go to the exchange server to look at the services. I noticed most of the exchange services were running. IIS and two Exchange services weren’t running however. What made this a bit tricky was all the client computers said that exchange was up and running. They just couldn’t send or receive emails.

The next thing I did was to go look in the Error Event Log on the server. When I went to open the MMC for the server manager it came back with the error: 18ea3f92-d6aa-41d9-a205-2023400c8fbb. I tried a few other things that used MMC’s and almost all of them came back with that same error: 18ea3f92-d6aa-41d9-a205-2023400c8fbb.

After doing some searches most people gave up and redid their servers if they got this error. Some of the things they had suggested I tried. Still nothing.

I thought, I wonder if I remotely opened up the event viewer. I entered the server name. Voila! I could see all the errors.

After further inspections I found what seemed to be the error that started them all. It was Event 5173 – WAS. The error read:

  • The Windows Process Activation Service encountered an error trying to read configuration data for config section ‘system.applicationHost/webLimits’ from file ‘\\?\C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\machine.config’, line number ‘146’.  The error message is: ‘The configuration section ‘system.serviceModel’ cannot be read because it is missing a section declaration
    ‘.  The data field contains the error number.

I went to that folder and opened the machine.config file. It’s an XML file that contains a bunch of configuration information about the machine for .net. When I saw that file I figured that there was going to be some crazy ASCII characters in it. Everything seemed to be fine.

According to this Microsoft KB the server supposedly backs up files in another location. Don’t even bother. No dice.

I did notice in the C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG folder that there was a machine.config.default file. It was from several years ago and it was 2kb smaller than the current file, which was 22kb. I renamed the current machine.config file and called it machine.config.old and made a copy of the “default” file. I renamed it to machine.config.

I went into services and started World Wide Web service. It took a few seconds but it started! I then proceeded to go and start the rest of the services that should have auto started with the machine. They all started! I went and checked my Outlook client. The emails in the outbox had already left. Within about 20 minutes the mail was flowing again like it should have been.

Hopefully this helps anyone who had the same issues I had.

Filed Under: Windows 2008 Tagged With: How To
