Archive | December 2013

Active Directory reporting

Have you ever considered how to simplify Active Directory reporting for new AD environments? I have recently played with a new multi-domain environment and had to check many things manually with the built-in consoles. This is nothing difficult, but it takes some time, and when I had done the environment recognition, I decided to prepare a PowerShell script. It reduces the time required to get basic information about the Active Directory forest and domain(s) configuration.

Today, many Active Directory environments have at least one Windows Server 2008 R2 Domain Controller where Active Directory Web Services are running. The script is written for at least PowerShell 2.0 with the Active Directory module.

You can simply run it in a PowerShell console without any parameter and it starts scanning the currently logged-on forest with all its domains. When you specify a parameter (it must be the DNS forest name), the scan is performed for the specified forest.

You don’t have to worry when executing the script, because it runs in read-only mode, so no changes are made in the environment.

Below you may find some screen-shots from the script execution. Unfortunately, I only have access to a single-forest, single-domain environment at this time, so you will get a short overview of the script. But I will try to add screen-shots from a multi-domain environment in the near future.

Oh, and one more thing. The red output color of scanned data does not indicate an error! It is only there to emphasise settings you should pay attention to.

That’s all, let’s see how the results are looking.

Script executed without a parameter

Script execution screen-shots

and script execution with the forest name as a parameter

Script execution screen-shots

Unfortunately, the output is exactly the same as for the previous execution, but I will replace the screen-shots as soon as I have done that in my multi-domain test environment.

Script execution screen-shots

OK, what is scanned by the script? Just take a look at the list below.

At the forest level:

  • Forest name
  • Schema version
  • Forest Functional Level
  • Active Directory Recycle Bin enablement
  • All domains in the forest
  • Site names
  • Global Catalog servers in the entire forest
  • UPN suffixes
  • Forest FSMO roles holders

At domain level (each domain):

  • Domain name
  • NetBIOS domain name
  • Domain Functional Level
  • List of Domain Controllers
  • List of Read-Only Domain Controllers
  • Global Catalog servers for the domain
  • Default domain computer objects location
  • Default domain user objects location
  • Total no. of Organizational Units
  • Total no. of computers
  • Total no. of users
  • Total no. of groups
  • Total no. of Domain Administrators
  • Built-in Domain Administrator account details
  • Domain FSMO roles holders
  • Default Domain Password policy details
  • Total no. of Fine-Grained Password Policies

UPDATE

It took me some time to update this post, but finally I did it. A lot of new checks were added to the script.

I was in contact with Daniel Petri, who suggested a lot of new features, and we added them to the script. You may also wish to visit his great blog at http://www.petri.com/

Please take a look at the new forest-level features implemented in the new script version:

  • List of trusts
  • Check of Exchange version
  • Check of Exchange Organization name
  • Check of Lync version
  • Tombstone lifetime period
  • Enumerate all partitions
  • Site and Subnets information
  • Site link(s) configuration
  • Check members for Enterprise and Schema Administrator groups
  • Domain Controller(s) details
  • SYSVOL replication method
  • SYSVOL size for DFS-R replication method

New features at domain level were also added:

  • SYSVOL replication method
  • Orphaned objects check
  • Lingering objects check
  • Conflict replication objects check
  • Total number of computers with particular operating system version
  • Active users
  • Inactive users
  • Locked out users
  • Users with no password required
  • Users with password never expires
  • Global, Universal and Local groups check
  • Check for existence of default domain policies
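The two feature lists above describe what the script collects. As an added example, not the article's downloadable script, the following reproduces a read-only subset of those forest-level and domain-level checks against the ActiveDirectory module, including the account-hygiene items (no password required, password never expires, locked out, inactive). Function names are this example's own, it assumes Windows PowerShell 3.0 or later, and the 90-day inactivity window is an assumption the article does not state.

```powershell
# Added example, not the article's downloadable script: read-only reproduction of the
# forest- and domain-level checks the two feature lists describe, written against the
# ActiveDirectory module. Function names are this example's own; Windows PowerShell 3+
# is assumed, and the 90-day inactivity window is an assumption (the article states none).
Import-Module ActiveDirectory

function Get-ForestReport {
    param([string]$ForestName)          # optional DNS forest name, like the script's single parameter
    $forest = if ($ForestName) { Get-ADForest -Identity $ForestName } else { Get-ADForest }
    $srv    = $forest.SchemaMaster      # send every forest-wide query to one root-domain DC
    $rootDN = (Get-ADDomain -Identity $forest.RootDomain -Server $srv).DistinguishedName
    $cfgNC  = "CN=Configuration,$rootDN"
    $schema = Get-ADObject -Identity "CN=Schema,$cfgNC" -Server $srv -Properties objectVersion
    $dsSvc  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" `
                           -Server $srv -Properties tombstoneLifetime
    $bin    = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"' -Server $srv
    # An unset tombstoneLifetime means the legacy 60-day default applies
    $tsl    = if ($dsSvc.tombstoneLifetime) { $dsSvc.tombstoneLifetime } else { 60 }
    # Trusts are stored per domain, so collect them from every domain in the forest
    $trusts = foreach ($dom in $forest.Domains) {
        Get-ADObject -Filter 'objectClass -eq "trustedDomain"' -Server $dom -Properties trustDirection |
            Select-Object @{n='Domain'; e={$dom}}, Name, trustDirection
    }
    [pscustomobject]@{
        Forest             = $forest.Name
        ForestMode         = $forest.ForestMode
        SchemaVersion      = $schema.objectVersion      # 47 = Windows Server 2008 R2, 56 = 2012, 69 = 2012 R2
        RecycleBinEnabled  = (@($bin.EnabledScopes).Count -gt 0)
        TombstoneLifetime  = $tsl
        Domains            = $forest.Domains
        Sites              = $forest.Sites
        GlobalCatalogs     = $forest.GlobalCatalogs
        UPNSuffixes        = $forest.UPNSuffixes
        SchemaMaster       = $forest.SchemaMaster
        DomainNamingMaster = $forest.DomainNamingMaster
        Trusts             = $trusts
        # Forest-wide privileged groups exist in the root domain only
        EnterpriseAdmins   = @(Get-ADGroupMember -Identity 'Enterprise Admins' -Recursive -Server $srv).SamAccountName
        SchemaAdmins       = @(Get-ADGroupMember -Identity 'Schema Admins' -Recursive -Server $srv).SamAccountName
    }
}

function Get-DomainReport {
    param([Parameter(Mandatory)][string]$DomainName, [int]$InactiveDays = 90)
    $d     = Get-ADDomain -Identity $DomainName
    $srv   = $d.PDCEmulator                # the PDC has the most current lockout information
    $dcs   = Get-ADDomainController -Filter * -Server $srv
    $users = Get-ADUser -Filter * -Server $srv -Properties PasswordNeverExpires, PasswordNotRequired, LockedOut
    $inactive = Search-ADAccount -AccountInactive -UsersOnly -Server $srv -TimeSpan ([timespan]::FromDays($InactiveDays))
    # SYSVOL replication method: msDFSR-Flags = 48 on DFSR-GlobalSettings means the FRS-to-DFS-R migration completed
    $dfsr = Get-ADObject -Filter 'objectClass -eq "msDFSR-GlobalSettings"' -Server $srv `
                -SearchBase "CN=System,$($d.DistinguishedName)" -Properties 'msDFSR-Flags'
    $sysvolMethod = if ($dfsr -and $dfsr.'msDFSR-Flags' -eq 48) { 'DFS-R' } else { 'FRS or migration in progress' }
    [pscustomobject]@{
        Domain               = $d.DNSRoot
        NetBIOSName          = $d.NetBIOSName
        DomainMode           = $d.DomainMode
        DomainControllers    = @($dcs | Where-Object { -not $_.IsReadOnly }).HostName
        RODCs                = @($dcs | Where-Object { $_.IsReadOnly }).HostName
        GlobalCatalogs       = @($dcs | Where-Object { $_.IsGlobalCatalog }).HostName
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        ComputersContainer   = $d.ComputersContainer
        UsersContainer       = $d.UsersContainer
        SysvolReplication    = $sysvolMethod
        OUs                  = @(Get-ADOrganizationalUnit -Filter * -Server $srv).Count
        Computers            = @(Get-ADComputer -Filter * -Server $srv).Count
        Groups               = @(Get-ADGroup -Filter * -Server $srv).Count
        Users                = @($users).Count
        ActiveUsers          = @($users | Where-Object { $_.Enabled }).Count
        InactiveUsers        = @($inactive).Count
        LockedOutUsers       = @($users | Where-Object { $_.LockedOut }).SamAccountName
        # The two findings worth reading first: accounts that bypass the password policy
        PasswordNotRequired  = @($users | Where-Object { $_.PasswordNotRequired }).SamAccountName
        PasswordNeverExpires = @($users | Where-Object { $_.PasswordNeverExpires }).SamAccountName
        DomainAdmins         = @(Get-ADGroupMember -Identity "$($d.DomainSID)-512" -Recursive -Server $srv).SamAccountName
        BuiltinAdministrator = Get-ADUser -Identity "$($d.DomainSID)-500" -Server $srv -Properties LastLogonDate, PasswordLastSet |
                                   Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet
        PasswordPolicy       = Get-ADDefaultDomainPasswordPolicy -Identity $d.DNSRoot -Server $srv |
                                   Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, LockoutThreshold, ComplexityEnabled
        FineGrainedPolicies  = @(Get-ADFineGrainedPasswordPolicy -Filter * -Server $srv -ErrorAction SilentlyContinue).Count
    }
}

# Forest first, then each domain in it, the same order the article's script reports in:
#   $f = Get-ForestReport; $f | Format-List
#   foreach ($dom in $f.Domains) { Get-DomainReport -DomainName $dom | Format-List }
```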

So, please take a look at the output from a multi-site, single-domain environment below

Script execution screen-shots

and that’s all for the moment. I hope the script will be developed further in the future. I am going to add an export of the results into formatted HTML.

Or maybe you would like to participate in its future development? If so, please let me know and we’ll do that!

OK, and this is the script you can download. After downloading, please remove the –v2.doc extension and leave only .ps1

Active Directory Reporting v0.2 script

Author: Krzysztof Pytko

Authoritative SYSVOL restore (DFS-R)

In my previous article “Non-authoritative SYSVOL restore (DFS-R)” I showed you how to do a non-authoritative restore of SYSVOL based on DFS Replication. Today it is time to do an authoritative SYSVOL restore, which you need if you have a bigger mess in your domain or if you need to restore SYSVOL from backup and replicate it to the other Domain Controllers.

This action affects all of your Domain Controllers in the entire domain. In the first case (non-authoritative) you only touch SYSVOL on one DC at a time; the rest of your Domain Controllers keep running and sharing SYSVOL to users.

The second case (authoritative) is much more visible to users. None of the Domain Controllers shares SYSVOL, where Group Policies and logon scripts are located, during the restore. When you decide to do an authoritative SYSVOL restore, you need to inform all administrators not to create or modify Group Policies during that time. All other domain services keep running, except access to SYSVOL, so this action should be performed outside of business hours.

How do you start an authoritative SYSVOL restore? What do you need to do first?

You should identify which Domain Controller holds the PDC Emulator operations master role. As you know, one of its functions is to manage and maintain GPOs: when you create or modify a GPO, it is done directly on this Domain Controller.

If you need to restore SYSVOL from backup, it should also be done directly on the PDC Emulator operations master role holder, from which you will initiate the authoritative SYSVOL restore.

So, let’s see, how we can do that.

Log on to the PDC Emulator FSMO role holder. If you do not know which Domain Controller holds this role, run the following in an (elevated) command-line on any of your DCs

netdom query fsmo
Finding PDC Emulator role holder

or type in PowerShell (Windows Server 2012/2012 R2)

Import-Module ActiveDirectory
Get-ADDomain | Select PDCEmulator
Finding PDC Emulator role holder

and you’ll see which DC is holding this role.

When you are logged on to this Domain Controller, you need to evaluate how many DCs are in your domain. The simplest way to check that is using the Microsoft DS tools on a DC. Type in command-line

dsquery server -name * -limit 0 | dsget server -dnsname | find /v "dnsname" | find /v "dsget" >c:\dcslist.txt

Collecting all Domain Controllers in a domain

or type in PowerShell (Windows Server 2012/2012 R2)

Import-Module ActiveDirectory
Get-ADDomainController -Filter * | Select Name | Out-File c:\dcslist.txt
Collecting all Domain Controllers in a domain

After you have run this command, you should find a text file named dcslist.txt on your DC’s C: drive. Check its content; it lists all Domain Controllers of your domain

Full list of Domain Controllers

On all of those Domain Controllers except the PDC Emulator holder, you have to perform a non-authoritative SYSVOL restore. But let’s go step by step.

You should initiate the authoritative SYSVOL restore from the DC holding the PDC Emulator role. If you need to restore SYSVOL from backup, do that before you initiate the restore.

First of all, stop the DFS Replication service. Type in an elevated command-line

net stop DFSR
Stopping DFS Replication service

or in PowerShell

Stop-Service DFSR

or

Stop-Service "DFS Replication"
Stopping DFS Replication service

Important! All services relying on the DFS Replication service will be affected!

Now, run ADSI Editor (adsiedit.msc) on the Domain Controller on which you want to initiate the authoritative SYSVOL restore. Type in the run box

adsiedit.msc
Running ADSI Editor

Connect to the domain partition (Default Naming Context). Right-click (RMB) the root node in the console and select “Connect to…”

Connecting to Default Naming Context

Select a well known Naming Context and choose “Default Naming Context”

Selecting Naming Context

Expand the location below by clicking on each node within the console

Default Naming Context -> DC=domain,DC=local -> OU=Domain Controllers -> CN=Domain Controller name -> CN=DFSR-LocalSettings -> Domain System Volume

where DC=domain,DC=local is the distinguished name of your domain and CN=Domain Controller name is the name of the PDC Emulator role holder on which you want to initiate the authoritative SYSVOL restore.

Searching SYSVOL subscription node

and select the “CN=SYSVOL Subscription” entry in the right pane; right-click (RMB) it and choose “Properties”

Editing SYSVOL subscription entry

This time you need to change the values of two attributes

  • msDFSR-Enabled
  • msDFSR-Options

Search for them in the list and edit

msDFSR-Enabled attribute edition

Change its value from TRUE to FALSE and accept the change

Modification of msDFSR-Enabled attribute

and accept the changes to be applied

Accept attributes changes

Now, search for the second attribute, msDFSR-Options, and edit it

msDFSR-Options attribute edition

Change its value from <not set> to 1 and accept the change

Modification of msDFSR-Options attribute

and accept the changes to be applied (do not close the window, you will use it later)

Accept attributes changes

REPETITIVE TASK

Now, on each of the remaining Domain Controllers you need to change the msDFSR-Enabled attribute from TRUE to FALSE to initiate replication of SYSVOL from the authoritative Domain Controller. This does not need to be done directly on each Domain Controller; you can use ADSI Editor on the same DC on which you changed the previous attributes. But it is important to do this for every remaining DC!

Below you can find all required steps. You need to repeat them on the rest of the Domain Controllers

In ADSI Editor on the Domain Controller where you changed the previous attributes, close the “Attribute Editor” window and go back to the console. Expand each DC to set its msDFSR-Enabled attribute

Changing SYSVOL subscription of the rest of Domain Controllers

Search for the attribute

msDFSR-Enabled attribute edition

and edit it, changing TRUE to FALSE

Modification of msDFSR-Enabled attribute

and click OK to accept the changes

Modify attribute and accept changes

and stop the DFS Replication service on the remote DC. Repeat these steps for EVERY remaining Domain Controller.

END OF REPETITIVE TASK

Now, on your PDC Emulator role holder, start the DFS Replication service. Type in an elevated command-line

net start DFSR
Starting DFS Replication service on PDC Emulator role holder DC

or type in PowerShell

Start-Service DFSR

or

Start-Service "DFS Replication"
Starting DFS Replication service on PDC Emulator holder Domain Controller

In the DFS Replication event log you should see event ID 4114

Event log review

Modify the msDFSR-Enabled attribute back to TRUE

Changing msDFSR-Enabled attribute back to TRUE state

and accept the changes

Accepting attribute changes

Start Active Directory replication on all of your Domain Controllers. Type in an elevated command-line

repadmin /syncall /AdP
Replicating Active Directory

On your PDC Emulator Domain Controller, type in an elevated command-line

dfsrdiag PollAD
Sync with the global information store

Note! If the dfsrdiag command is not recognized, you need to install the DFS Management Tools feature!

Adding DFS Management Tools feature

In the DFS Replication event log you should see event ID 4602. That means your authoritative SYSVOL restore has been initiated

Event ID 4602

REPETITIVE TASK

Before you start the DFS Replication service, I would suggest removing all content from these 2 folders

  • %WINDIR%\SYSVOL\domain\Policies
  • %WINDIR%\SYSVOL\domain\Scripts

Note! (these are the default locations; if you changed the SYSVOL location during DC promotion, refer to your own location)

Go to the next Domain Controller to which you want to replicate SYSVOL and start the DFS Replication service. Type in an elevated command-line

net start DFSR
Starting DFS Replication service on the remaining Domain Controller

or in PowerShell

Start-Service DFSR

or

Start-Service "DFS Replication"
Starting DFS Replication service on the remaining Domain Controller

Review the DFS Replication event log and check whether event ID 4114 is there

Event log review

Change the msDFSR-Enabled attribute back to TRUE

Changing msDFSR-Enabled attribute back to TRUE state

accept the changes by clicking the “OK” button

Accepting attribute changes

and run the dfsrdiag command to synchronize with the global information store

dfsrdiag PollAD
Sync with the global information store

You should get SYSVOL replicated to this Domain Controller. Go to %WINDIR%\SYSVOL\domain\Policies and check whether the data was replicated. You should see all Group Policies and scripts there

All Group Policies on DC with PDC Emulator role

and go to one more location, %WINDIR%\SYSVOL\domain\Scripts, to check whether scripts and other files from the NETLOGON share were replicated

All scripts on DC where non-authoritative SYSVOL has been done

END OF REPETITIVE TASK

That’s all!


Author: Krzysztof Pytko

Non-authoritative SYSVOL restore (DFS-R)

Last time I wrote an article about non-authoritative SYSVOL restore (FRS), which was based on the File Replication Service for SYSVOL. Now I will show you the procedure for a non-authoritative SYSVOL restore based on DFS Replication (DFS-R).

So, let’s look at the procedure for DFS-R.

When you work in an Active Directory environment you may run into this problem, especially when you have many Domain Controllers. Sometimes you may find that one or more Domain Controllers are out of date with SYSVOL replication.

Each Domain Controller has its own folder where GPOs and scripts are saved. This folder is located under %WINDIR%\SYSVOL\domain (by default; if you changed that location during DC promotion, you need to refer to your own location).

There are 2 folders:

  • Policies, where Group Policies are saved (%WINDIR%\SYSVOL\domain\Policies)
  • Scripts, where logon scripts or other files are saved (%WINDIR%\SYSVOL\domain\Scripts, shared as NETLOGON)

If a DC does not replicate SYSVOL, you will see that some Group Policies (GPOs) or scripts are missing from the SYSVOL\domain folder on that particular DC. Another symptom may be that all GPOs are in place but they are not updated.

When you notice one of these behaviours, you need to do a non-authoritative SYSVOL restore, which re-deploys SYSVOL data from a working Domain Controller (holding the PDC Emulator operations master role).

How can you be sure that you need a non-authoritative SYSVOL restore? There is no simple answer, because it depends on the size of your Active Directory and the number of Domain Controllers.

When can we decide to start this kind of restore?

  • one DC out of a couple does not replicate SYSVOL
  • a few DCs out of many do not replicate SYSVOL
  • more than a few, but less than 50% of them, do not replicate SYSVOL

The examples above are typical scenarios for a non-authoritative SYSVOL restore.

Let’s see how to do that.

First of all, you need to find out which DC or DCs do not replicate SYSVOL. Then you have to start the SYSVOL restore.

When you see an empty SYSVOL, this may suggest that Domain Controller initialization was not finished after the server was promoted: the Active Directory database was replicated but SYSVOL was not. In this case you can simply perform a non-authoritative restore and SYSVOL should be replicated.

Empty SYSVOL folder

Another case is when a DC is not up to date with SYSVOL. Some policies are missing and a non-authoritative SYSVOL restore would be helpful

Missing Group Policies under SYSVOL

When you log on to the Domain Controller with the PDC Emulator operations master role, you should see that there are more policies than on those faulty Domain Controllers

All Group Policies on DC with PDC Emulator role

So you can see that those Domain Controllers need a SYSVOL restore to have all data up to date.

OK, let’s start the non-authoritative restore of SYSVOL. This procedure is a little different than for FRS: you do not set anything in the registry. All changes (which can be compared to the D2 BurFlags value) are done in the ADSI Editor console. You need to run adsiedit.msc on the Domain Controller on which you want to initiate the non-authoritative SYSVOL restore. Type in the run box

adsiedit.msc
Running ADSI Editor

Connect to the domain partition (Default Naming Context). Right-click (RMB) the root node in the console and select “Connect to…”

Connecting to Default Naming Context

Select a well known Naming Context and choose “Default Naming Context”

Selecting Naming Context

Expand the location below by clicking on each node within the console

Default Naming Context -> DC=domain,DC=local -> OU=Domain Controllers -> CN=Domain Controller name -> CN=DFSR-LocalSettings -> Domain System Volume

where DC=domain,DC=local is the distinguished name of your domain and CN=Domain Controller name is the name of the DC on which you want to initiate the non-authoritative SYSVOL restore.

Searching SYSVOL subscription node

and select the “CN=SYSVOL Subscription” entry in the right pane; right-click (RMB) it and choose “Properties”

Editing SYSVOL subscription entry

In the “Attribute Editor” window, search for the msDFSR-Enabled attribute and edit it

msDFSR-Enabled attribute edition

Change its value from TRUE to FALSE and accept the change

Modification of msDFSR-Enabled attribute

and accept the changes to be applied (do not close the window, you will use it later)

Accept attributes changes

I would suggest removing all content from the SYSVOL folders before starting the non-authoritative restore:

  • %WINDIR%\SYSVOL\domain\Policies
  • %WINDIR%\SYSVOL\domain\Scripts

Note! (these are the default locations; if you changed the SYSVOL location during DC promotion, refer to your own location)

Now, you need to start Active Directory replication in the domain. Start an elevated command prompt

Running elevated command prompt

and type the command to initiate AD replication (you need at least domain administrator privileges) and wait until it finishes

repadmin /syncall /AdP
Replicating Active Directory

and run the dfsrdiag command to synchronize with the global information store

dfsrdiag PollAD
Sync with the global information store

Note! If the dfsrdiag command is not recognized, you need to install the DFS Management Tools feature!

Adding DFS Management Tools feature

Check the DFS Replication event log for event ID 4114, which indicates that SYSVOL is no longer replicated

Event log review

OK, let’s set the msDFSR-Enabled attribute back to TRUE and accept the changes (use the previous window you haven’t closed)

Changing msDFSR-Enabled attribute back to TRUE state

and click OK to accept the changes

Accepting attribute changes

Again, start Active Directory replication

repadmin /syncall /AdP
Replicating Active Directory

Run the dfsrdiag command one more time to synchronize with the global information store

dfsrdiag PollAD
Sync with the global information store

Go back to the DFS Replication event log and check whether you can see these two event IDs:

  • 4614
  • 4604

4614 event ID

4604 event ID

Go to %WINDIR%\SYSVOL\domain\Policies and check whether the data was replicated. You should see all Group Policies and scripts there

All Group Policies on DC after non-authoritative SYSVOL restore

and go to one more location, %WINDIR%\SYSVOL\domain\Scripts, to check whether scripts and other files from the NETLOGON share were replicated

All scripts on DC where non-authoritative SYSVOL has been done

That’s all! All you need to do is repeat these steps on each Domain Controller which does not replicate SYSVOL.

Done!
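Both SYSVOL restore articles above (authoritative on the PDC Emulator, non-authoritative per DC) perform the msDFSR-Enabled and msDFSR-Options edits by hand in ADSI Edit. As an added example, not code from either article, the following does the same edits with Set-ADObject, adds a read-only view of every DC's subscription state so no DC is skipped, and waits for the event IDs the articles check (4114, 4602, 4614, 4604). Function and parameter names are this example's own; it assumes the ActiveDirectory module, Windows PowerShell and Domain Admin rights.

```powershell
# Added example, not code from the articles: the msDFSR-Enabled / msDFSR-Options edits
# that both SYSVOL restore articles perform by hand in ADSI Edit, plus a read-only status
# view and an event-log wait. Function and parameter names are this example's own.
# Assumes the ActiveDirectory module, Windows PowerShell and Domain Admin rights.
Import-Module ActiveDirectory

# DN of a DC's SYSVOL Subscription object, the node the articles navigate to:
# CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,<DC computer DN>
function Get-SysvolSubscriptionDN {
    param([Parameter(Mandatory)][string]$DcName)
    $dc = Get-ADDomainController -Identity $DcName
    "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$($dc.ComputerObjectDN)"
}

# Read-only overview of every DC in the domain: is its subscription enabled, is it
# flagged authoritative (msDFSR-Options = 1) and is the DFSR service running.
# Run it before and after each step to confirm that no DC was skipped.
function Get-SysvolSubscriptionState {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $pdc = (Get-ADDomain -Identity $Domain).PDCEmulator
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $dn  = Get-SysvolSubscriptionDN -DcName $dc.HostName
        $sub = Get-ADObject -Identity $dn -Server $Domain -Properties 'msDFSR-Enabled', 'msDFSR-Options'
        $svc = Get-Service -Name DFSR -ComputerName $dc.HostName -ErrorAction SilentlyContinue
        $status = if ($svc) { $svc.Status } else { 'unreachable' }
        [pscustomobject]@{
            DC            = $dc.HostName
            IsPDC         = ($dc.HostName -eq $pdc)
            Enabled       = $sub.'msDFSR-Enabled'
            Authoritative = ($sub.'msDFSR-Options' -eq 1)
            DfsrService   = $status
        }
    }
}

# The attribute edit itself. -Enabled $false is the TRUE -> FALSE change from the articles;
# -Authoritative additionally sets msDFSR-Options = 1 and is refused on anything but the
# PDC Emulator, because only one DC may be authoritative for SYSVOL. Re-enabling leaves
# msDFSR-Options untouched, exactly as the articles do.
function Set-SysvolSubscription {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$DcName,
        [Parameter(Mandatory)][bool]$Enabled,
        [switch]$Authoritative
    )
    $dn    = Get-SysvolSubscriptionDN -DcName $DcName
    $attrs = @{ 'msDFSR-Enabled' = $Enabled }
    if ($Authoritative) {
        $pdc = (Get-ADDomain).PDCEmulator
        if ((Get-ADDomainController -Identity $DcName).HostName -ne $pdc) {
            throw "$DcName is not the PDC Emulator ($pdc); the authoritative flag belongs there only"
        }
        $attrs['msDFSR-Options'] = 1
    }
    if ($PSCmdlet.ShouldProcess($dn, "set $($attrs.Keys -join ', ')")) {
        Set-ADObject -Identity $dn -Replace $attrs
    }
}

# Poll the DFS Replication log on a DC for the event IDs the articles check:
# 4114 = SYSVOL no longer replicated, 4602 = authoritative restore initiated,
# 4614/4604 = SYSVOL initialised and replicated. Returns the event, or $null on timeout.
function Wait-DfsrEvent {
    param(
        [Parameter(Mandatory)][string]$DcName,
        [Parameter(Mandatory)][int[]]$EventId,
        [datetime]$Since = (Get-Date).AddMinutes(-5),
        [int]$TimeoutSeconds = 600
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $ev = Get-WinEvent -ComputerName $DcName -ErrorAction SilentlyContinue -FilterHashtable @{
                  LogName = 'DFS Replication'; Id = $EventId; StartTime = $Since }
        if ($ev) { return ($ev | Sort-Object TimeCreated | Select-Object -First 1) }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    return $null
}

# Non-authoritative restore of one DC (second article), with repadmin /syncall /AdP and
# dfsrdiag PollAD run on that DC between the steps exactly as the article shows:
#   Set-SysvolSubscription -DcName DC2 -Enabled $false
#   Wait-DfsrEvent -DcName DC2 -EventId 4114
#   Set-SysvolSubscription -DcName DC2 -Enabled $true
#   Wait-DfsrEvent -DcName DC2 -EventId 4614, 4604
# Authoritative restore (first article): the PDC gets
#   Set-SysvolSubscription -DcName PDC1 -Enabled $false -Authoritative
# every other DC gets -Enabled $false, and Wait-DfsrEvent -DcName PDC1 -EventId 4602
# confirms the restore was initiated before the other DCs are re-enabled one by one.
```

Get-SysvolSubscriptionState is the check to run after the "REPETITIVE TASK" blocks: every non-PDC DC should show Enabled = False before the PDC's DFSR service is started, and Enabled = True only after its own 4114 event.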


Author: Krzysztof Pytko

Moving Active Directory database

Sometimes you may need to move the Active Directory database from one location to another. The new location may be a different folder or a different drive. When you need to do that, you are not allowed to use the standard copy/move option within the Windows operating system.

This kind of action is not supported while Active Directory services / Active Directory Domain Services are running!

You need to use a tool named ntdsutil.

This is a command-line tool which allows you to move the Active Directory database to another location.

Important! When you move the AD database, the specified location must exist! You cannot move the database to a non-existing drive or folder!

To move the Active Directory database, you need to evaluate which operating system version this particular Domain Controller is running

Windows Server 2003

In Windows Server 2003 you need to restart the Domain Controller into Directory Services Restore Mode, which is accessible when you press the F8 key during Windows system startup. Choose this mode from the list and press “Enter” to run it

DSRM mode startup

Warning! Remember, when you do that, your Domain Controller does not support Active Directory authentication and its other roles/services are unavailable to users! Be careful in locations/Sites where you have only a single DC, because during this operation the DC and all its roles (i.e. DNS, DHCP) are not working!

Wait until the logon screen appears

DSRM mode logon screen

Press “CTRL+ALT+DEL” and provide the Directory Services Restore Mode administrator password.

Note! This password may be (and should be) different from the standard domain administrator password! If you have not changed it since DC promotion, you need to find it in your documentation before you can proceed.

DSRM mode administrator password

You will be informed that the server is running in Safe mode

Safe mode warning

Now, you need to start a command-line where you will execute the ntdsutil tool

Running command-line

To run ntdsutil, type in the command prompt

ntdsutil
Running ntdsutil tool

and check whether the desired folder structure is available before you move the AD database. If not, create it or attach the drive to the system. When you do not create the folder, it is created by ntdsutil automatically during the database move process.

Warning! You cannot use a removable disk to store the Active Directory database. The disk needs to be an NTFS-formatted partition. The AD DB does not support FAT/FAT32/ReFS file systems!

Verifying target folder for AD database

Now, you need to go into the files context of the ntdsutil tool, where you are allowed to operate on the AD database files (DB and logs)

ntdsutil – file maintenance context

There are a few options for file maintenance, but in this article only 2 options are interesting for us:

  • Move DB to Path-to-the-new-location
  • Move logs to Path-to-the-new-location

File maintenance options

So, let’s move the Active Directory database to the new location (in this example E:\ADDB)

Put this syntax into the command prompt window

move DB to E:\ADDB
Moving AD database

and wait some time while the AD DB is being moved to the new location

AD DB is moving

As you could see in the screen above, the AD DB was moved with the built-in move command while Active Directory services / Active Directory Domain Services were not running!

Let’s verify whether the Active Directory database was moved to the specified location. Just check using Windows Explorer and go to that location

AD database new location

or type in the command prompt inside ntdsutil

info
AD database new location

OK, the Active Directory database was moved, and I strongly suggest also moving its log files to the same location. For that you need to use the option

move logs to E:\ADDB

where E:\ADDB is a folder on your server

Moving AD logs to the new location

and wait some time while the logs are being moved to the new location

AD logs are moving

OK, let’s verify whether the Active Directory logs were moved to the specified location. Just check using Windows Explorer and go to that location

AD logs new location

All logs are in the same location as the AD database. You can also verify that within ntdsutil by typing

info
AD logs new location

Now, you need to schedule a System State backup of your Domain Controller to have an up-to-date backup with the AD database and its logs in the new location.

That’s all, you may close ntdsutil by typing quit twice and close the command-line window

Leaving ntdsutil

Reboot the server into its regular mode and you’re done!

Windows Server 2008/2008 R2

With Windows Server 2008/2008 R2 this process is much quicker than with previous Microsoft OSes. Windows Server 2008 introduced for the first time the Active Directory role as a service. This improvement allows you to simply stop the service without rebooting the server into Directory Services Restore Mode.

What are the main benefits of this solution?

  • You do not waste time required for server reboot
  • Other services are still available for users
  • Even DNS or DHCP servers are still running, as long as at least one Domain Controller is available!

Note! Please remember that when you have a single Domain Controller and you stop the Active Directory Domain Services service, the DC will not provide services, just as in Windows Server 2003 DSRM mode!

So, how can you do that in Windows Server 2008/2008 R2? The same way as in Windows Server 2003, except for the server reboot into DSRM mode. Simply stop the Active Directory Domain Services service and run the ntdsutil tool from an elevated command-line.

First of all, you have to stop the Active Directory Domain Services service. Run an elevated command-line

Running elevated command prompt

and type the command below to stop the Active Directory Domain Services (NTDS) service

net stop ntds
Stopping Active Directory: Domain Services service

confirm that you are sure the following services will also be stopped by typing Y and pressing Enter

Stopping dependent services

Now, you can start the ntdsutil tool to initiate the Active Directory database move process. Type in command-line

ntdsutil
Executing ntdsutil tool

and check whether the desired folder structure is available before you move the AD database. If not, create it or attach the drive to the system. When you do not create the folder, it is created by ntdsutil automatically during the database move process.

Warning! You cannot use a removable disk to store the Active Directory database. The disk needs to be an NTFS-formatted partition. The AD DB does not support FAT/FAT32/ReFS file systems!

Target folder verification

and before you are allowed to enter the files context, you have to set the active AD DB instance. To do that, type

activate instance NTDS
Activating NTDS instance

Now, you can go into the files context of the ntdsutil tool, where you are allowed to operate on the AD database files (DB and logs). Type

files
ntdsutil – files maintenance

There are a few options for file maintenance, but in this article only 2 options are interesting for us:

  • Move DB to Path-to-the-new-location
  • Move logs to Path-to-the-new-location

Files maintenance options

So, let’s move the Active Directory database to the new location (in this example E:\ADDB)

Put this syntax into the command prompt window

move DB to E:\ADDB
Moving AD DB to the new location

and wait some time while the AD DB is being moved to the new location

AD DB moved

As you could see in the screen above, the AD DB was moved with the built-in move command while Active Directory services / Active Directory Domain Services were not running!

Let’s verify whether the Active Directory database was moved to the specified location. Just check using Windows Explorer and go to that location

AD DB new location

or type in the command prompt inside ntdsutil

info
Active Directory database new location

OK, the Active Directory database was moved, and I strongly suggest also moving its log files to the same location. For that you need to use the option

move logs to E:\ADDB

where E:\ADDB is a folder on your server

Moving AD log files

and wait some time while the logs are being moved to the new location

Moving AD logs

OK, let’s verify if Active Directory logs were moved to specified location. Just check that using Windows Explorer and go to that location

Active Directory logs new location

Active Directory logs new location

All logs are in the same location as AD database. You can also verify that within ntdsutil typing

info
Active Directory logs new location

Active Directory logs new location

Now schedule a System State backup of your Domain Controller, so that you have an up-to-date backup that contains the AD database and its logs in the new location.

That's all; you may close ntdsutil by typing quit twice

Leaving ntdsutil

Now it's time to start the Active Directory Domain Services service. Type at the command line

net start NTDS

Starting AD DS service

Verify that the following services were also started together with AD DS (they should start automatically):

  • File Replication Service (NtFRS)
  • Kerberos Key Distribution Center (KDC)
  • Intersite Messaging (IsmServ)
  • DNS Server (DNS)

If so, you're done!

Windows Server 2012/2012R2

In Windows Server 2012/2012 R2 this procedure is exactly the same as for Windows Server 2008/2008 R2. All steps described for the previous operating system versions apply to these two newer ones as well.

Let's see what this procedure looks like on Windows Server 2012/2012 R2.

Note! Remember that when you have a single Domain Controller and you stop the Active Directory Domain Services service, the DC does not provide directory services (no authentication, no LDAP) for as long as it is stopped, exactly as if it had been booted into DSRM on Windows Server 2003!

So, how do you do that in Windows Server 2012/2012 R2? The same way as in Windows Server 2008: simply stop the Active Directory Domain Services (NTDS) service and run the ntdsutil tool from an elevated command prompt.

First of all, you have to stop the Active Directory Domain Services service. Run an elevated command prompt

Running elevated command prompt

and type the command below to stop the Active Directory Domain Services (NTDS) service

net stop ntds

Stopping NTDS service

Confirm that the following dependent services may also be stopped by typing Y and pressing Enter

Dependent services to be stopped

Now you can start the ntdsutil tool to initiate the Active Directory database move. Type at the command line

ntdsutil

Executing ntdsutil

and check that the target folder structure exists before you move the AD database. If it does not, create it or attach the drive to the system. (If you do not create the folder, ntdsutil creates it automatically during the database move.)

Warning! You cannot store the Active Directory database on a removable disk. The target must be an NTFS-formatted partition; the AD database does not support FAT/FAT32/ReFS file systems!

Target folder verification

Before you can enter the files context, you have to activate the AD DS instance. To do that, type

activate instance NTDS

Setting NTDS instance

Now you can enter the files context of ntdsutil, where you operate on the AD database files (database and logs). Type

files

Files maintenance context

There are several file maintenance options, but only two of them matter for this article:

  • Move DB to Path-to-the-new-location
  • Move logs to Path-to-the-new-location

Active Directory database and logs move options

So, let's move the Active Directory database to the new location (in this example E:\ADDB).

Type the following at the ntdsutil prompt

move DB to E:\ADDB

Moving Active Directory database

and wait a moment while the database file is being moved to the new location

Moving Active Directory database

As you can see in the screenshot above, the AD database was moved with the built-in move command while the Active Directory Domain Services service was stopped.

Let's verify that the Active Directory database was moved to the specified location. Open that location in Windows Explorer

New Active Directory database location

or type the following at the ntdsutil prompt

info

New Active Directory database location

OK, the Active Directory database was moved. I strongly suggest moving its log files to the same location as well. For that, use the option

move logs to E:\ADDB

where E:\ADDB is a folder on your server

Moving Active Directory logs

and wait a moment while the logs are being moved to the new location

Moving Active Directory logs

OK, let's verify that the Active Directory logs were moved to the specified location. Open that location in Windows Explorer

New Active Directory logs location

All logs are now in the same location as the AD database. You can also verify that within ntdsutil by typing

info

New Active Directory logs location

Now schedule a System State backup of your Domain Controller, so that you have an up-to-date backup that contains the AD database and its logs in the new location.

That's all; you may close ntdsutil by typing quit twice

Leaving ntdsutil

Now it's time to start the Active Directory Domain Services service. Type at the command line

net start NTDS

Starting Active Directory Domain Services service

Verify that the following services were also started together with AD DS (they should start automatically):

  • File Replication Service (NtFRS)
  • Kerberos Key Distribution Center (KDC)
  • Intersite Messaging (IsmServ)
  • DNS Server (DNS)

If so, you're done!
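The same procedure as a PowerShell script, added here as an example; it is not part of the original article and not a Microsoft tool. It assumes an elevated PowerShell session on the Domain Controller itself, that the target path (E:\ADDB from the article's example, here the $Target parameter) is a folder on a fixed NTFS volume, and that ntdsutil accepts its interactive commands as quoted command-line arguments. The registry value names it reads ("DSA Database file", "Database log files path") are the ones AD DS itself uses for its database and log locations. The ACL check at the end is an addition the article does not make: ntds.dit holds every password hash in the domain, so nothing outside SYSTEM and Administrators should be able to read it in its new home.

```powershell
# Added example (not the article's own script): moves the AD database and its logs with
# ntdsutil from PowerShell, with the checks the article asks you to make by hand.
# Assumptions: elevated PowerShell on the DC itself; $Target is a folder on a fixed NTFS volume.

param([string]$Target = 'E:\ADDB')   # the article's example path; any folder on a fixed NTFS volume

$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Test-TargetVolume {
    param([string]$Path)
    # Fixed local disk (DriveType 3) and NTFS only: removable media and FAT/FAT32/ReFS are rejected
    $drive = Split-Path -Qualifier $Path                     # 'E:\ADDB' -> 'E:'
    $disk  = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
    if (-not $disk)                  { throw "Volume $drive is not attached" }
    if ($disk.DriveType -ne 3)       { throw "$drive is not a fixed local disk (DriveType=$($disk.DriveType))" }
    if ($disk.FileSystem -ne 'NTFS') { throw "$drive is $($disk.FileSystem); NTFS is required" }
    if (-not (Test-Path $Path))      { New-Item -ItemType Directory -Path $Path | Out-Null }
}

function Get-NtdsPaths {
    # Where AD DS will look on next start; ntdsutil "info" reports the same values
    $p = Get-ItemProperty -Path $NtdsParams
    New-Object PSObject -Property @{
        Database = $p.'DSA Database file'          # full path of ntds.dit
        Logs     = $p.'Database log files path'    # directory holding edb*.log
    }
}

function Move-NtdsFiles {
    param([string]$Path)
    Test-TargetVolume $Path
    $before = Get-NtdsPaths

    # AD DS must be stopped; -Force also stops KDC, DNS, IsmServ and NtFrs/DFSR, which depend on it
    Stop-Service -Name NTDS -Force
    (Get-Service -Name NTDS).WaitForStatus('Stopped')

    # ntdsutil takes its interactive commands as arguments, one command per quoted argument
    & ntdsutil.exe 'activate instance NTDS' 'files' "move DB to $Path" "move logs to $Path" 'info' 'quit' 'quit'

    # Trust the registry, not ntdsutil's exit code: AD DS must never be started pointing at a missing file
    $after  = Get-NtdsPaths
    $target = $Path.TrimEnd('\')
    if ((Split-Path $after.Database -Parent) -ne $target) { throw "database still registered at $($after.Database)" }
    if ($after.Logs.TrimEnd('\') -ne $target)             { throw "logs still registered at $($after.Logs)" }
    if (-not (Test-Path $after.Database))                 { throw "$($after.Database) does not exist" }

    # ntds.dit holds every password hash in the domain: only SYSTEM and Administrators should have access
    (Get-Acl $after.Database).Access |
        Where-Object { $_.IdentityReference -notmatch 'SYSTEM|Administrators' } |
        ForEach-Object { Write-Warning "Unexpected ACE on ntds.dit: $($_.IdentityReference) $($_.FileSystemRights)" }

    Start-Service -Name NTDS
    foreach ($name in 'NTDS', 'kdc', 'IsmServ', 'DNS', 'NtFrs', 'DFSR') {
        $s = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($s -and $s.Status -ne 'Running') { Write-Warning "$name is $($s.Status) after the restart" }
    }
    Write-Host "Moved from $($before.Database) to $($after.Database). Take a fresh System State backup now."
}

Move-NtdsFiles -Path $Target
```

The script deliberately refuses to start NTDS again until the registry points at the new location and the file is really there; a DC started against a missing ntds.dit does not boot into a working directory service. Run it as .\Move-NtdsFiles.ps1 -Target 'E:\ADDB'.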

Author: Krzysztof Pytko

Authoritative SYSVOL restore (FRS)

 

In my previous article "Non-authoritative SYSVOL restore (FRS)" I showed you how to do a non-authoritative restore of SYSVOL.

What if the SYSVOL mess on your Domain Controllers is bigger?
What if most of your DCs do not replicate SYSVOL or its changes?

What can you do if you want to restore SYSVOL from a backup and use that copy as the replication source? Then you have another option: an authoritative SYSVOL restore.

Today, I will show you how to do that.

But first of all, what is the basic difference between a non-authoritative and an authoritative SYSVOL restore?

In the first case (non-authoritative) you touch SYSVOL on only one DC at a time. The rest of your Domain Controllers keep running and sharing SYSVOL to users; only that particular DC has its SYSVOL share disabled during the non-authoritative restore.

The second case (authoritative) is much more visible to users. None of the Domain Controllers run FRS or share SYSVOL, where Group Policies and logon scripts are located, until the restore completes. When you decide on an authoritative SYSVOL restore, you need to tell all administrators not to create or modify Group Policies during that time. All other domain services keep running; only access to SYSVOL is affected. So this action should be performed outside business hours.

How do you start an authoritative SYSVOL restore? What do you need to do first?

Identify which Domain Controller holds the PDC Emulator operations master role. As you know, one of its functions is to manage and maintain GPOs: when you create or modify a GPO, the Group Policy tools write it to this Domain Controller by default.

If you need to restore SYSVOL from a backup, that should also be done directly on the PDC Emulator role holder, because this is the DC from which you will initiate the authoritative SYSVOL restore.

So, let's see how we can do that.

Log on to the PDC Emulator FSMO role holder. If you do not know which Domain Controller holds this role, run the following at a command prompt (elevated on Windows Server 2008 and later) on any of your DCs

netdom query fsmo

Finding PDC Emulator role holder

and you'll see which DC holds this role.

When you are logged on to this Domain Controller, you need to find out how many DCs there are in your domain. The simplest way is to use the Microsoft DS tools on a DC. Type at the command line

dsquery server -name * -limit 0 | dsget server -dnsname | find /v "dnsname" | find /v "dsget" >c:\dcslist.txt

Collecting all Domain Controllers in a domain

After you run this command, you should find a text file named dcslist.txt in the root of your DC's C: drive. Check its content; it lists all Domain Controllers in your domain.

All Domain Controllers in a file

On all of those Domain Controllers you have to stop the File Replication Service before you can initiate the authoritative SYSVOL restore. Type at the command prompt

net stop ntfrs

Stopping File Replication Service

When you are sure that FRS has been stopped on all Domain Controllers, you can start the restore.

You need to run the registry editor on your PDC Emulator operations master role holder

Executing registry editor

and go to the BurFlags value location

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

BurFlags value location

Note that "Backup/Restore", forward slash included, is the literal name of a single key, not two nested keys.

To modify the BurFlags value, double-click it and enter D4 (hexadecimal) as the value

Setting BurFlags value

This sets the Domain Controller as the authoritative source for SYSVOL replication. All other DCs will pull SYSVOL content from this server.

Now you have to start the File Replication Service on the PDC Emulator role holder. Type at the command line

net start ntfrs

Running File Replication Service

Refresh the registry editor (F5 key) and you should see that the BurFlags value has been reset to 0

BurFlags value reset

Check the File Replication Service event log for the following event IDs

  • 13566
  • 13516

If both of them are present, the PDC Emulator has finished its authoritative restore of SYSVOL.

Now you need to log on to the rest of the Domain Controllers and set the BurFlags value to D2 to initiate a non-authoritative restore of SYSVOL from the server you just made authoritative.

The BurFlags value is changed in the same location as on the previous DC, but instead of D4 you specify D2.

The location of this value is

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

BurFlags value location

Double-click the value and set it to D2 (hexadecimal)

Changing BurFlags value

Before you start the FRS service, I suggest deleting the content of these 2 folders

  • %WINDIR%\SYSVOL\domain\Policies
  • %WINDIR%\SYSVOL\domain\Scripts

Note! These are the default paths; if you changed the SYSVOL location during DC promotion, use your own location.

Warning! When you set the BurFlags value to D2, be aware that during the restore your DC is prevented from acting as a Domain Controller! So be careful in locations/sites where you have only a single DC, or clients would have to authenticate over the WAN link!

Now start the File Replication Service and wait a while for SYSVOL replication.

After you have started the FRS service, you should notice that the BurFlags entry was reset to 0

BurFlags value reset

From time to time, refresh the File Replication Service event log and check for event ID 13516.

When you see this event ID, SYSVOL replication has finished and your Domain Controller is ready to share SYSVOL to users.

SYSVOL re-initialized

If you see event ID 13520 instead, that means you did not remove the content of the Policies and Scripts folders. Do not worry: FRS moved the pre-existing files to a folder named NtFrs_PreExisting___See_EventLog, which you can delete once replication has finished.

SYSVOL content moved

All that remains to complete the authoritative SYSVOL restore is to log on to EVERY other Domain Controller and perform the D2 BurFlags procedure.

Information! Microsoft does not recommend performing more than 15 concurrent non-authoritative restores, to prevent performance issues. Remember that when you are doing an authoritative restore in a bigger Active Directory environment!

And that's all! You have fixed your broken SYSVOL share.

<<< Previous part

Author: Krzysztof Pytko

Non-authoritative SYSVOL restore (FRS)

 

When you work in an Active Directory environment you may run into this problem, especially when you have many Domain Controllers: sometimes you find that one or more Domain Controllers are out of date with SYSVOL replication.

Each Domain Controller has its own folder where GPOs and scripts are saved. This folder is located under %WINDIR%\SYSVOL\domain (by default; if you changed that location during DC promotion, use your own location).

There are 2 folders:

  • Policies, where Group Policies are saved (%WINDIR%\SYSVOL\domain\Policies)
  • Scripts, where logon scripts and other files are saved (%WINDIR%\SYSVOL\domain\Scripts, shared as NETLOGON)

If a DC does not replicate SYSVOL, you can see that some Group Policies (GPOs) or scripts are missing from the SYSVOL\domain folder on that particular DC. Another symptom may be that all GPOs are in place but they are not up to date.

When you notice one of these behaviours, you need to do a non-authoritative SYSVOL restore, which re-initializes SYSVOL on that DC from a working Domain Controller (its FRS replication partner; the PDC Emulator role holder is the natural reference copy to compare against).

How can you be sure that you need a non-authoritative SYSVOL restore? There is no simple answer, because that depends on the size of your Active Directory and the number of Domain Controllers.

When can you decide to start this kind of restore?

  • one DC out of a couple does not replicate SYSVOL
  • a few DCs out of many do not replicate SYSVOL
  • more than a few, but fewer than 50% of them, do not replicate SYSVOL

The examples above are typical scenarios for a non-authoritative SYSVOL restore.

Let's see how to do that.

First of all, you need to find out which DC or DCs do not replicate SYSVOL. Then you have to start the SYSVOL restore.

When you see an empty SYSVOL, this may suggest that Domain Controller initialization did not finish after the server was promoted: the Active Directory database was replicated but SYSVOL was not. In this case you can simply perform a non-authoritative restore and SYSVOL should be replicated.

Empty SYSVOL folder

Another case is when a DC is not up to date with SYSVOL. Some policies are missing and a non-authoritative SYSVOL restore would help.

Missing Group Policies under SYSVOL

When you log on to the Domain Controller holding the PDC Emulator operations master role, you should see that there are more policies there than on the faulty Domain Controllers

All Group Policies on DC with PDC Emulator role

So you can see that those Domain Controllers need a SYSVOL restore to have all data up to date.

Now it's time to play with the non-authoritative SYSVOL restore. Log on to the DC that is out of SYSVOL replication and stop the File Replication Service (NtFRS) from a command prompt (elevated on Windows Server 2008 and later). Type

net stop ntfrs

Stopping File Replication Service

Now you need to change a setting in the Windows registry.

Warning! Be careful: do not change any entries other than those shown in this article, or you may destroy your server!

Open the registry editor from the Run box

Executing registry editor

Now find the key below (note that "Backup/Restore", forward slash included, is the literal name of a single key):

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

BurFlags value location

and change the BurFlags value from 0 to D2 (hexadecimal) by editing it

Changing BurFlags value

Before you start the FRS service, I suggest removing all content from these 2 folders

  • %WINDIR%\SYSVOL\domain\Policies
  • %WINDIR%\SYSVOL\domain\Scripts

Note! These are the default paths; if you changed the SYSVOL location during DC promotion, use your own location.

Warning! When you set the BurFlags value to D2, be aware that during the restore your DC is prevented from acting as a Domain Controller! So be careful in locations/sites where you have only a single DC, or clients would have to authenticate over the WAN link!

Now it's time to start the File Replication Service. Type at the command line

net start ntfrs

Running File Replication Service

When you refresh the registry editor (F5 key), you should see that the BurFlags value has changed back to 0

BurFlags value reset

You should also check the "File Replication Service" event log. Check whether event ID 13565 has appeared; it means the server has initiated SYSVOL replication and you need to wait a while. Refresh the event log from time to time and check whether these event IDs have appeared:

  • 13553
  • 13516

When you can see them, SYSVOL replication is over and your Domain Controller is up to date.

SYSVOL re-initialized

Verify that the SYSVOL share is available on your Domain Controller. Type at the command line

net share

SYSVOL share verification

Go to %WINDIR%\SYSVOL\domain\Policies and check that the data has been replicated

SYSVOL content verification

That's all! All you need to do now is to repeat these steps on each Domain Controller that does not replicate SYSVOL.

Done!
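Both BurFlags procedures, the non-authoritative D2 restore described in this article and the authoritative D4 restore from the article above it, as PowerShell functions. This is an added example, not the author's script. It assumes a Domain Admin session on a machine that can reach the Remote Registry service and the C$ admin share on every DC, that SYSVOL is still replicated by FRS (not DFSR) on all of them, and the default SYSVOL layout with the content under <root>\SYSVOL\domain. The registry key name literally contains "Backup/Restore" with a forward slash; the PowerShell registry provider would read that slash as a path separator, so the .NET registry classes are used instead. One security note the articles do not spell out: D4 makes whatever is in that DC's SYSVOL the domain-wide truth, Group Policies included, so inspect the source copy before you run the authoritative part.

```powershell
# Added example (not the article's own script): the BurFlags procedures from the two SYSVOL
# articles as PowerShell functions. Assumptions: Domain Admin session; Remote Registry and the
# C$ admin share reachable on every DC; SYSVOL replicated by FRS (not DFSR) everywhere.

$BurFlagsKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

function Get-DomainDCs {
    # Same answer as "netdom query fsmo" plus the dsquery/dsget list, read from the domain object
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    New-Object PSObject -Property @{
        Pdc = $domain.PdcRoleOwner.Name
        All = @($domain.DomainControllers | ForEach-Object { $_.Name })
    }
}

function Set-BurFlags {
    param([string]$Dc, [int]$Value)
    # "Backup/Restore" is one key whose name contains '/'; the PowerShell registry provider would
    # treat that as a separator, the .NET API only splits on '\'.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Dc)
    $key  = $hklm.OpenSubKey($BurFlagsKey, $true)
    if (-not $key) { throw "$Dc has no NtFrs BurFlags key (is SYSVOL on DFSR?)" }
    $key.SetValue('BurFlags', $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close(); $hklm.Close()
}

function Get-SysvolDomainShare {
    param([string]$Dc)
    # Netlogon stores <root>\SYSVOL\sysvol; the content the article clears lives in <root>\SYSVOL\domain
    $hklm   = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Dc)
    $sysvol = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').GetValue('SysVol')
    $hklm.Close()
    $local = Join-Path (Split-Path $sysvol -Parent) 'domain'
    "\\$Dc\" + $local.Replace(':', '$')        # C:\Windows\SYSVOL\domain -> \\dc\C$\Windows\SYSVOL\domain
}

function Set-FrsState {
    param([string]$Dc, [ValidateSet('Running','Stopped')][string]$State)
    $svc = Get-Service -ComputerName $Dc -Name NtFrs
    if ($svc.Status -ne $State) { if ($State -eq 'Stopped') { $svc.Stop() } else { $svc.Start() } }
    $svc.WaitForStatus($State, [TimeSpan]::FromMinutes(2))
}

function Wait-FrsEvent {
    param([string]$Dc, [int[]]$Ids, [datetime]$Since, [int]$TimeoutMinutes = 60)
    # Poll the "File Replication Service" log until every requested event ID has been logged since $Since
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $seen = Get-WinEvent -ComputerName $Dc -ErrorAction SilentlyContinue -FilterHashtable @{
                    LogName = 'File Replication Service'; Id = $Ids; StartTime = $Since } |
                ForEach-Object { $_.Id } | Sort-Object -Unique
        if (@($seen).Count -eq $Ids.Count) { return }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "$Dc did not log FRS events $($Ids -join ', ') within $TimeoutMinutes minutes"
}

function Start-SysvolReinit {
    # D2: stop FRS, flag the DC for non-authoritative restore, empty Policies/Scripts, start FRS
    param([string]$Dc)
    Set-FrsState $Dc Stopped
    Set-BurFlags $Dc 0xD2
    $root = Get-SysvolDomainShare $Dc
    foreach ($sub in 'Policies','Scripts') {
        # Emptying these avoids event 13520 and the NtFrs_PreExisting___See_EventLog leftovers
        Remove-Item -Path "$root\$sub\*" -Recurse -Force -ErrorAction SilentlyContinue
    }
    $started = Get-Date
    Set-FrsState $Dc Running
    $started
}

function Invoke-NonAuthoritativeSysvolRestore {
    param([string]$Dc)
    $t0 = Start-SysvolReinit $Dc
    Wait-FrsEvent $Dc @(13565, 13553, 13516) $t0   # initializing -> added to replica set -> DC usable again
}

function Invoke-AuthoritativeSysvolRestore {
    $dcs = Get-DomainDCs
    foreach ($dc in $dcs.All) { Set-FrsState $dc Stopped }   # FRS down everywhere before the D4 source starts
    $t0 = Get-Date
    Set-BurFlags $dcs.Pdc 0xD4
    Set-FrsState $dcs.Pdc Running
    Wait-FrsEvent $dcs.Pdc @(13566, 13516) $t0
    # Everyone else re-initializes from the PDC Emulator, at most 15 at a time as the article advises
    $others = @($dcs.All | Where-Object { $_ -ne $dcs.Pdc })
    for ($i = 0; $i -lt $others.Count; $i += 15) {
        $batch   = $others[$i..([Math]::Min($i + 14, $others.Count - 1))]
        $started = @{}
        foreach ($dc in $batch) { $started[$dc] = Start-SysvolReinit $dc }
        foreach ($dc in $batch) { Wait-FrsEvent $dc @(13565, 13553, 13516) $started[$dc] }
    }
}
```

For one stale DC, dot-source the file and call Invoke-NonAuthoritativeSysvolRestore 'dc02.example.local' (a hypothetical name); for the whole-domain case call Invoke-AuthoritativeSysvolRestore, which runs the D2 stage in batches of 15 and waits for each batch's 13516 before starting the next, so the concurrency limit the article quotes is respected without having to count by hand.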

Next part >>>

Author: Krzysztof Pytko

Advertising new time server in domain environment

 

I can see people asking on various forums what happens when they transfer the PDC Emulator operations master role to another Domain Controller. This is a really important question, as the PDC Emulator is the authoritative time source for the domain: every other DC follows it in the time hierarchy, and Kerberos authentication fails once clocks drift apart by more than the permitted skew (5 minutes by default). When you do not advertise the new time server, you might notice time differences between your Domain Controllers and domain member servers.

This article shows the procedure on Windows Server 2012 R2, but it applies to all earlier operating systems as well.

Every time you transfer the PDC Emulator role to another Domain Controller, you need to change the configuration on both servers:

  • on the previous PDC Emulator role holder
  • on the new PDC Emulator role holder

This advertises the new time server in your domain and prevents future issues. The most common scenario for transferring the PDC Emulator FSMO role to another DC is promoting a new Domain Controller on a newer operating system, e.g.:

  • promoting a new Windows Server 2008/2008 R2 DC in a Windows Server 2003/2008 DC environment
  • promoting a new Windows Server 2012/2012 R2 DC in a Windows Server 2003/2008/2008 R2/2012 environment

In this case you need to do the following things:

Log on directly or over a Remote Desktop connection to the new PDC Emulator FSMO role holder and run an elevated command prompt

Running elevated command prompt

Now you need to configure the external time source from which you will synchronize. This may be another device in your network (like a Cisco ACS server) or any reliable external NTP server. A list of reliable NTP servers can be found on the NTP Pool website.

In this example I will use the external NTP pool server for my region (Poland).

You can use either an IP address or the DNS name of the NTP server during Domain Controller configuration. If you want to use the IP address, the first step is to ping the DNS name and write down the IP address of the server

  • 95.158.95.123

This is the IP address resolved from pl.pool.ntp.org. Keep in mind that pool.ntp.org rotates the addresses behind its names, so a hard-coded IP may stop answering at some point; the DNS name is the more durable choice.

Important! Before you start reconfiguring the servers, make sure that UDP port 123 is allowed on your router/firewall, because NTP uses this port to synchronize time!

Now, in the elevated command prompt, run this command

w32tm.exe /config /manualpeerlist:95.158.95.123 /syncfromflags:manual /reliable:yes /update

Configuring NTP source on new PDC Emulator FSMO role holder

or

w32tm.exe /config /manualpeerlist:pl.pool.ntp.org /syncfromflags:manual /reliable:yes /update

Configuring NTP source on new PDC Emulator FSMO role holder

where /manualpeerlist:IPAddress or /manualpeerlist:DNSServerName is the NTP server to use in your environment (several servers can be given as a space-separated list enclosed in quotes).

Then restart the Windows Time service

net stop w32time
net start w32time

Restarting Windows Time service

Now your new PDC Emulator FSMO role holder will synchronize time with the specified NTP time source.

The last step is to reconfigure the old PDC Emulator operations master role holder so that it no longer advertises itself as a reliable time server and instead pulls time from the new PDC Emulator. To do that, log on directly or over a Remote Desktop connection to the server and type at the command prompt (2003) / elevated command prompt (all newer OSes)

w32tm.exe /config /syncfromflags:domhier /reliable:no /update

Reconfiguring old PDC Emulator FSMO role holder

and restart the Windows Time service as well to complete the whole operation

net stop w32time
net start w32time

Restarting Windows Time service

That's all! You have reconfigured your environment and advertised the new time server in the domain.
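The two-sided reconfiguration above as a PowerShell script, with the verification steps the article leaves out; this is an added example, not the author's script. It assumes an elevated session on Windows Server 2008 or later (w32tm /query does not exist on Windows Server 2003), and it uses the regional pool names 0/1/2.pl.pool.ntp.org in place of the single address from the article, so that one unreachable pool member does not leave the PDC Emulator without a source; the ",0x8" suffix requests client-mode (request/response) NTP. The reachability test uses w32tm /stripchart, which sends real NTP requests, so it checks the UDP/123 path the article asks you to verify.

```powershell
# Added example (not the article's own script): the PDC Emulator time-source change from the
# article, with verification. Assumptions: elevated PowerShell on Windows Server 2008 or later;
# the regional pool names below stand in for the single pl.pool.ntp.org address the article used.

$Peers = '0.pl.pool.ntp.org,0x8 1.pl.pool.ntp.org,0x8 2.pl.pool.ntp.org,0x8'   # 0x8 = client mode (request/response)

function Get-PdcEmulator {
    # Same answer as "netdom query fsmo", read from the domain object
    [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
}

function Test-NtpReachable {
    param([string]$Server)
    # /stripchart sends real NTP requests; an "error:" line means UDP/123 is blocked or the host is down
    $out = & w32tm.exe /stripchart /computer:$Server /samples:2 /dataonly 2>&1
    -not ($out -match 'error')
}

function Set-PdcTimeSource {
    foreach ($peer in $Peers -split ' ') {
        $name = ($peer -split ',')[0]
        if (-not (Test-NtpReachable $name)) { Write-Warning "$name not reachable over NTP; check UDP/123 on the firewall" }
    }
    # Same /config as in the article: manual peers, announce as a reliable time source
    & w32tm.exe /config /manualpeerlist:"$Peers" /syncfromflags:manual /reliable:yes /update | Out-Null
    Restart-Service -Name w32time
    & w32tm.exe /resync /nowait | Out-Null
}

function Set-DomainHierarchyTimeSource {
    # Former PDC Emulator: stop advertising as reliable and follow the domain hierarchy like any other DC
    & w32tm.exe /config /syncfromflags:domhier /reliable:no /update | Out-Null
    Restart-Service -Name w32time
    & w32tm.exe /resync /nowait | Out-Null
}

function Get-TimeSyncState {
    # Effective settings; a "(Policy)" suffix means a GPO is overriding what /config wrote, and will keep doing so
    $cfg  = & w32tm.exe /query /configuration
    $src  = & w32tm.exe /query /source
    $pick = { param($key) (($cfg | Where-Object { $_ -match "^\s*${key}:" }) -replace "^\s*${key}:\s*", '') -join '' }
    New-Object PSObject -Property @{
        Source        = "$src".Trim()
        Type          = & $pick 'Type'            # NT5DS = domain hierarchy, NTP = manual peer list
        NtpServer     = & $pick 'NtpServer'
        AnnounceFlags = & $pick 'AnnounceFlags'   # 5 = always advertise as reliable, 10 = automatic
        SetByPolicy   = [bool]($cfg | Where-Object { $_ -match '^\s*(NtpServer|Type):.*\(Policy\)' })
    }
}

# Run once on each server: the new role holder gets the peers, the old one falls back to the hierarchy
$me = $env:COMPUTERNAME
if ((Get-PdcEmulator) -like "$me.*") { Set-PdcTimeSource } else { Set-DomainHierarchyTimeSource }
Get-TimeSyncState | Format-List
```

After the restart, Source on the new PDC Emulator should name one of the pool servers and on the old one the new PDC Emulator; if SetByPolicy is true, the Windows Time settings in a GPO (typically the Default Domain Controllers Policy) are overriding the /config values and must be changed there instead. If the PDC Emulator is a virtual machine, also disable the hypervisor's time synchronization integration for that VM, otherwise the host clock keeps overriding the NTP source you just configured.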

Author: Krzysztof Pytko

How to re-register time services on a server

 

This time I would like to show you how you can simply fix an issue with time services on your server. This method resolves most time issues.

Sometimes you may notice that a server is out of time in your domain environment. The first method you should try is re-registering the time service on that server. When that fails, a much deeper investigation may be needed.

So, let's check how we can re-register the time service on a server.

Windows Server 2003

Log on to the server directly or over a Remote Desktop connection and run the command prompt by typing in the Run box

cmd.exe

Running command prompt

and stop the "Windows Time" service by entering

net stop w32time

Stopping Windows Time service

or stop the service from the GUI console

services.msc

Running "Services" console

Now search for the "Windows Time" service, which should be started

Searching "Windows Time" service

Double-click on it and you'll see its details, such as:

  • service name (w32time)
  • display name (Windows Time)
  • description
  • path to executable file
  • startup type (Automatic by default)
  • service status (Started)

Service details

To stop the service, simply click the "Stop" button and wait a while

Stopping service

Service is stopping

You should see that the service is stopped

Service is stopped

Now you can start the time service re-registration procedure. The command you need is

w32tm.exe

It is responsible for time management in a domain or on a single server in a workgroup.

First of all, you have to unregister the time service by typing

w32tm.exe /unregister

Unregistering time service

Note that /unregister removes the whole Windows Time configuration from the registry, including any manual NTP peer list and the reliable-time-source flag, so on a PDC Emulator or on any server with a manually configured NTP source, write down the current configuration first and re-apply it after registering.

Now register the service again using the /register parameter

w32tm.exe /register

Registering time service

and the last, final step is to start the Windows Time service from the command prompt

net start w32time

Starting Windows Time service

or you may do that using the GUI console as well. Just click the "Start" button and wait a while for the service to start

Starting Windows Time service from GUI console

Service is starting

That's all. The re-registration procedure is complete. From now on, you should see that the time on the server is accurate. It comes from your Domain Controller or from another NTP server (depending on your network configuration).

If not, you'll need to investigate the case more deeply.

But this is not a part of this article. I'll try to post another article on troubleshooting services.

Windows Server 2008/2008R2

The procedure required to re-register the Windows Time service is EXACTLY the same as for Windows Server 2003. The only difference is that you need to run the command prompt in elevated mode, as administrator. The rest of the steps are the same.

Log on to the server directly or over a Remote Desktop connection and run an elevated command prompt from the "Start" menu. Go to "All Programs -> Accessories", right-click "Command Prompt" and select "Run as administrator" from the context menu

Running elevated command prompt

and stop the "Windows Time" service by entering

net stop w32time

Stopping Windows Time service in command-line

or use the same GUI console as on Windows Server 2003

services.msc

Running services GUI console

and search for the "Windows Time" service in the list

Searching for Windows Time service on the list

Double-click on it and you'll see its details, such as:

  • service name (w32time)
  • display name (Windows Time)
  • description
  • path to executable file
  • startup type (Manual by default) -> the startup type differs from Windows Server 2003
  • service status (Started)

Service details

To stop the service, simply click the "Stop" button and wait a while

Stopping Windows Time service from GUI console

Service is stopping

After a while, you should see that the service is stopped

Service is stopped

Now you can start the time service re-registration procedure. The command you need is

w32tm.exe

It is responsible for time management in a domain or on a single server in a workgroup.

First of all, you have to unregister the time service by typing

w32tm.exe /unregister

Unregistering time service

Remember that /unregister wipes the Windows Time configuration from the registry; if this server has a manually configured NTP source, write it down first and re-apply it after registering.

Now register the service again using the /register parameter

w32tm.exe /register

Registering time service

and the last, final step is to start the Windows Time service from the command prompt

net start w32time

Starting Windows Time service from command prompt

or you may do that using the GUI console as well. Just click the "Start" button and wait a while for the service to start

Starting Windows Time service from GUI console

Service is starting

That's all. The re-registration procedure is complete. From now on, you should see that the time on the server is accurate. It comes from your Domain Controller or from another NTP server (depending on your network configuration).

If not, you'll need to investigate the case more deeply.

But this is not a part of this article. I'll try to post another article on troubleshooting services.

Windows Server 2012/2012R2

The procedure required to re-register the Windows Time service is EXACTLY the same as for Windows Server 2003 and Windows Server 2008/2008 R2. The only difference is that you need to run the command prompt in elevated mode, as administrator. The rest of the steps are the same.

Log on to the server directly or over a Remote Desktop connection and run an elevated command prompt from the "Start" tile. Move the mouse cursor to the bottom left corner and wait until the "Start" tile appears (Windows Server 2012), or use the Start button directly (Windows Server 2012 R2). Right-click it and select "Command Prompt (Admin)"

Running elevated command prompt

and stop the "Windows Time" service by entering

net stop w32time

Stopping Windows Time service from command prompt

or use the same GUI console as on Windows Server 2003/2008/2008 R2

services.msc

Running services GUI console

and search for the "Windows Time" service in the list

Searching Windows Time service on the list

Double-click on it and you'll see its details, such as:

  • service name (w32time)
  • display name (Windows Time)
  • description
  • path to executable file
  • startup type (Manual, Trigger Start by default) -> the startup type differs from Windows Server 2003/2008/2008 R2
  • service status (Running)

Service details

To stop the service, simply click the "Stop" button and wait a while

Stopping Windows Time service from GUI console

Service is stopping

After a while, you should see that the service is stopped

Service is stopped

Now you can start the time service re-registration procedure. The command you need is

w32tm.exe

It is responsible for time management in a domain or on a single server in a workgroup.

First of all, you have to unregister the time service by typing

w32tm.exe /unregister

Unregistering Windows Time service

Remember that /unregister wipes the Windows Time configuration from the registry; if this server has a manually configured NTP source, write it down first and re-apply it after registering.

Now register the service again using the /register parameter

w32tm.exe /register

Registering time service

and the last, final step is to start the Windows Time service from the command prompt

net start w32time

Starting Windows Time service from command prompt

or you may do that using the GUI console as well. Just click the "Start" button and wait a while for the service to start

Starting service from GUI console

Service is starting

That's all. The re-registration procedure is complete. From now on, you should see that the time on the server is accurate. It comes from your Domain Controller or from another NTP server (depending on your network configuration).

If not, you'll need to investigate the case more deeply.

But this is not a part of this article. I'll try to post another article on troubleshooting services.
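The re-registration procedure as a PowerShell function, added here as an example (it is not the author's script), with the one thing the click-through cannot do: preserving the configuration that w32tm /unregister deletes, and checking afterwards that the server really is synchronized rather than running on its local clock. It assumes an elevated session on Windows Server 2008 or later (w32tm /query is not available on 2003) and reads the Type, NtpServer and AnnounceFlags values that the Windows Time service keeps under HKLM\SYSTEM\CurrentControlSet\Services\W32Time; the backup file path under %TEMP% is an arbitrary choice.

```powershell
# Added example (not the article's own script): w32tm /unregister + /register with the
# configuration saved first and restored afterwards. Assumptions: elevated PowerShell on
# Windows Server 2008 or later; W32Time settings live under the registry key below.

$W32TimeKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

function Save-W32TimeConfig {
    param([string]$BackupFile = "$env:TEMP\w32time-$($env:COMPUTERNAME).reg")   # arbitrary location
    # /unregister deletes the whole W32Time service key, so keep a registry export as the rollback point
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\W32Time' $BackupFile /y | Out-Null
    $params = Get-ItemProperty -Path "$W32TimeKey\Parameters"
    $config = Get-ItemProperty -Path "$W32TimeKey\Config"
    New-Object PSObject -Property @{
        BackupFile    = $BackupFile
        Type          = $params.Type            # 'NT5DS' = domain hierarchy, 'NTP' = manual peer list
        NtpServer     = $params.NtpServer       # the manual peer list, if any
        AnnounceFlags = $config.AnnounceFlags   # bit 0x4 set = advertised as reliable, i.e. /reliable:yes
    }
}

function Reset-W32Time {
    param($Saved)
    Stop-Service -Name w32time
    & w32tm.exe /unregister | Out-Null
    & w32tm.exe /register   | Out-Null
    Start-Service -Name w32time
    if ($Saved.Type -eq 'NTP' -and $Saved.NtpServer) {
        # Re-registration leaves the defaults (domain hierarchy); a PDC Emulator needs its manual peers back
        $reliable = if ($Saved.AnnounceFlags -band 4) { 'yes' } else { 'no' }
        & w32tm.exe /config /manualpeerlist:"$($Saved.NtpServer)" /syncfromflags:manual /reliable:$reliable /update | Out-Null
        Restart-Service -Name w32time
    }
    & w32tm.exe /resync /nowait | Out-Null
}

function Test-TimeSync {
    param([int]$MaxOffsetSeconds = 300)   # Kerberos tolerates 5 minutes of skew by default
    $source = "$(& w32tm.exe /query /source)".Trim()
    if ($source -match 'Local CMOS Clock|Free-running') { return $false }   # not following any source at all
    # "Phase Offset: 0.0018022s" in /query /status is the current offset against that source
    $line   = (& w32tm.exe /query /status) | Where-Object { $_ -match 'Phase Offset' }
    $offset = [double]((($line -replace '.*:\s*', '') -replace 's$', '').Replace(',', '.'))
    [Math]::Abs($offset) -lt $MaxOffsetSeconds
}

$saved = Save-W32TimeConfig
Reset-W32Time $saved
if (-not (Test-TimeSync)) {
    Write-Warning "Still not synchronized; roll back with 'reg.exe import $($saved.BackupFile)' and investigate further"
}
```

On a member server with the default NT5DS configuration the function simply re-registers and resyncs, exactly as in the article; on a PDC Emulator it also puts the manual peer list and the reliable flag back, which the plain /unregister and /register sequence would silently discard.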

Author: Krzysztof Pytko