The Life of Brian

Must Have Group Policy Setting!

I recently blogged about time and how critical it is in a domain environment. Just this morning I read a post from the Directory Services Team that shows how to configure WMI Filtering through Group Policy to ensure that the PDC Emulator always has the right time configuration.  You need to read through this post really consider implementing a similar policy into your environment.

The only portion that is missing from that post is the location of the W32Time settings in Group Policy.  The policy you will be configuring is located under the Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client

After you enable it you will want to change the default setting from NT5DS (which means find and sync with the PDCe) to NTP.  This is because we are configuring this for our PDCe which should be pointing to a reliable time source (internal or external).  You will also configure the location to that reliable source in the NTPServer dialog box.

I haven’t seen a great tip like this in some time.  This is one of those great little finds and I hope you enjoy it.

KDC 11 Error in the System Event Log

I ran into this error awhile back after building a new root level Domain Controller (DC). My initial health checks panned out ok but after about an hour the following should up in my System Event log:
Event Type:    Error
Event Source:    KDC
Event Category:    None
Event ID:    11
User:        N/A
Computer:    DCShortName
Description:
There are multiple accounts with name cifs/DCShortName of type DS_SERVICE_PRINCIPAL_NAME.

My forest root domain has a fairly small amount of accounts with the majority of them being DCs.  I knew that the name that was added was not in conflict with the forest root.  With this name being the shortname of the DC I knew that I would have to check other child domains.  After a quick search of the directory (GC) via Active Directory Users and Computers I was able to find another computer with the same name.  Unfortunately one of the computers had to go bye-bye…and it sure wasn’t going to be my DC.  Needless to say after the computer was removed from Active Directory the errors stopped showing up.

Windows Server 2008 Server Core Default Services

Quite a few people have asked recently about services in Server Core.  They want to know what’s running and what’s not running.  Below you will find a listing that intended to help those out that need to know the status of Services on Server Core.  It is sorted by Service Name.

Another useful item to note on Server Core (or the CMD Prompt on Server) is that you can still use the SC command.  In particular you should run SC Query, this little useful command will tell you which services are running.  If you want to view the ones that are not running just run sc query state=inactive.  There is a bunch of stuff you can do with the SC command and you should really check out the help. 

A great tip for using commands is to append | more to the end of the command.  This should only display one page at a time.