It seems I'm always trying to remember this little command and it's about time I put it here where I can always access it in the future. This isn't a new command but it is a nifty little one that will initiate replication across your environment.
Repadmin /syncall /APed
I prefer to run it from the DC (thus the reason DC_name is taken out after /syncall) and from the command line to pipe it out to a text file.
Not sure how many people modify the size of the Windows Event Logs but it is something that I like to do simply because the default sizes of most of them are just not enough. For example you may remember the default for your System and Application log files was a measly 512kb. That logged all of about a day of a really busy application server.
The problem with Server 2003 was the recommended maximum size for a log file was only around 300mb and the maximum total size for all Event Log files was around 400mb. You do the math and you can see that realistically you aren't going to be able to realize the benefits of having larger Event Log file sizes.
This has to do with Windows storing the logs in memory. As you can tell a 32bit system would run into some serious memory issues if you wanted to expand the size of several of these. Thankfully in Server 2008 this has changed. Microsoft has increased the recommended maximum size of a log file up to 4gb and all of them up to 16gb. Of course you will want to make sure you’re running the x64 flavor of Server 2008 to really see this advantage.
Take a look at the following knowledgebase from Microsoft for more info.
My daughter Alyssa and I play a game…well she might not consider it a game but she is constantly asking me "What time is it without looking". I've actually gotten pretty good at it and can usually get within a few minutes. Not sure why she likes to play but perhaps time is something they recently talked about at school but she seems obsessed with it. I keep telling her that at 6 she really shouldn't worry too much about time.
Although time may not be important for my daughter, it is immensely important for Active Directory. Most AD admins know that domain controllers and clients need to be within 5 mins of each other to work correctly. If your time was out by 5 or more minutes the client would not be able to authenticate. What most AD admins might not know is that time doesn't just affect AD, it can also affect certain time-sensitive applications. I don't know of any out of the box ones from Microsoft but organizations have plenty of custom built apps that may use time syncs. I've seen custom applications that need to be accurate within less than a second.
Let's take a look at how time synchronization works in an Active Directory forest. The magic all starts in the root domain (I always wanted to use that in my blog). The PDC Emulator (PDCe) is solely responsible for time synchronization and uses the Network Time Protocol (NTP) on UDP port 123. You will want to sync the PDCe with a reliable source, either internal (perhaps a router) or external. The problem with going external is that there is less security because of the lack of authentication and verifiable authenticity.
Clients and servers in your forest root domain will sync their time with any DC in the forest root. This is all configured in the registry at the following location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters. Domain members have Nt5DS set for the TYPE key which configures them to use the domain hierarchy for time. Some people change this to NTP which means it will go to a specific time source besides the PDCe but I prefer to keep the default here because it works! If you're crazy enough you could configure it so that it relies on the CMOS clock…I just don't have enough faith in the batteries for that.
If you have child domains or other tree roots in your forest realize that the forest root PDCe is STILL the authority for forest wide time synchronization. The PDCe for the child domains will sync their time with the forest root PDCe or any DC in the root (but those root DCs get their time from the PDCe). The clients and servers in the child domain will always go to a DC in their domain, so they should never go up to the forest root domain. Clients poll the time every 45 minutes by default. After three successful synchronizations it will increase that polling time to 8 hours. Below is a great illustration of how time works in a multi domain forest.
To configure your forest root PDCe with a valid time source you should use the w32tm command:
w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes /update
You can, and I recommend, adding multiple peers by simply putting a space between them. Please don't forget to run this command on the DC that you have designated as the DC to fail the PDCe role over to during downtime (for example, patching).
To test how close your time is synced you can use the w32tm command again, except this time we can get a really cool command prompt chart…hey it's the simple things in life that get me.
w32tm /stripchart /computer:target /samples:n
Replace target with the name of the forest root PDCe. I prefer to get 10 samples but you can go for whatever amount you like. This will tell you the difference between the clocks. More info can be found on the w32tm here.
The Microsoft Directory Services team has a great blog that talks about high accuracy in w32tm and why they don’t support it. This is a must read for all AD admins. Don’t forget to set up an RSS feed to the Windows Time Service blog as well.
I would recommend baselining the time difference in your environment so that if an issue does occur you will know what the normal state is for your time differential. You may also want to include some monitoring that can alert you of time drift using the baseline numbers you've collected. I would also recommend talking to your developers to ensure they understand how time works in the environment.
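One way to turn the stripchart output into the baseline and drift check recommended above, as an added PowerShell example that is not from the original post. The function name, the thresholds and the sample output are assumptions constructed for illustration; the /dataonly switch makes w32tm print only the offset for each sample.

```powershell
# Added example. $sample is constructed /dataonly output: the host name,
# address and offsets are made up for illustration.
$sample = @'
Tracking dc01.example.test [192.0.2.10:123].
Collecting 5 samples.
The current time is 3/4/2008 9:15:00 AM.
09:15:00, +00.0123456s
09:15:02, +00.0119873s
09:15:04, -00.0031120s
09:15:06, error: 0x800705B4
09:15:08, +00.0140011s
'@ -split "`r?`n"

function Get-TimeOffsetSummary {   # hypothetical helper name
    param(
        [string[]]$StripchartLines,        # lines from w32tm /stripchart /dataonly
        [double]$BaselineSeconds = 0.05,   # assumed: your measured normal offset
        [double]$MaxSkewSeconds  = 300     # the 5-minute limit mentioned above
    )
    $inv = [Globalization.CultureInfo]::InvariantCulture
    $offsets = @()
    $failed  = 0
    foreach ($line in $StripchartLines) {
        if ($line -match '^\d{2}:\d{2}:\d{2}, ([+-]\d+\.\d+)s\s*$') {
            $offsets += [double]::Parse($Matches[1], $inv)   # signed offset in seconds
        } elseif ($line -match '^\d{2}:\d{2}:\d{2}, error') {
            $failed++                                        # sample that returned an error
        }
    }
    if ($offsets.Count -eq 0) { throw 'No offset samples found in the input.' }

    $abs   = $offsets | ForEach-Object { [math]::Abs($_) }
    $worst = ($abs | Measure-Object -Maximum).Maximum
    $mean  = ($offsets | Measure-Object -Average).Average
    $status = 'OK'
    if ($worst -ge $MaxSkewSeconds) { $status = 'Critical' }
    elseif ($worst -gt $BaselineSeconds) { $status = 'Drift' }

    [pscustomobject]@{
        Samples = $offsets.Count; Failed = $failed
        MeanOffsetSeconds = $mean; WorstAbsOffsetSeconds = $worst
        Status = $status
    }
}

# Live use against the forest root PDCe (replace <PDCe>):
#   Get-TimeOffsetSummary (w32tm /stripchart /computer:<PDCe> /samples:10 /dataonly)
Get-TimeOffsetSummary -StripchartLines $sample
```

Run it on a schedule and store the returned objects to build the baseline; failed samples are counted separately so an unreachable time source is not mistaken for a clean reading.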
Hopefully this sheds some light on how time works in an Active Directory forest but also how you can control and tweak it. Oh and if you're bored try playing the time game…it's a great exercise for your mind and internal clock! :,,)
A. Locate a Win2008 Server which has DSA.MSC installed via Server Manager features/roles. The installed OS platform architecture must match your client (so use 32-bit OS server if using 32-bit OS client, and the same for 64-bit).
B. Locate the following two files:
(NOTE: If not running US English, the path would not be EN-US; it would be the language(s) running on the server)
C. Copy these two files to the Vista machine running RSAT tools and place them in the same paths.
D. Run as an administrator:
E. Start DSA.MSC on the Vista machine and look at a user's properties – the tabs will now be there.
What Is Included in RSAT?
This is the list of Windows Server 2008 administration tools which are included in RSAT:
Role Administration Tools:
· Active Directory Certificate Services (AD CS) Tools
· Active Directory Domain Services (AD DS) Tools
· Active Directory Lightweight Directory Services (AD LDS) Tools
· DHCP Server Service Tools
· DNS Server Service Tools
· Shared Folders Tools
· Network Policy and Access Services Tools
· Terminal Services Tools
· Universal Description, Discovery, and Integration (UDDI) Services Tools
Feature Administration Tools:
· BitLocker Drive Encryption Tools
· Failover Clustering Tools
· Group Policy Management Tools
· Network Load Balancing Tools
· SMTP Server Tools
· Storage Manager for SANs Tools
· Windows System Resource Manager Tools
The tools in the following list are fully supported managing Windows Server 2003 servers as well:
· Active Directory Domain Services (AD DS) Tools
· Active Directory Lightweight Directory Services (AD LDS) Tools
· Active Directory Certificate Services (AD CS) Tools
· DHCP Server Tools
· DNS Server Tools
· Group Policy Management Tools
· Network Load Balancing Tools
· Terminal Services Tools
· Universal Description, Discovery, and Integration (UDDI) Services Tools
I've always loved these spreadsheets as they allow a quick and easy way to search for Group Policies. With Server 2008 live and Vista SP1 out Microsoft has updated their reference sheet to add all the new Group Policy settings. There are now over 2700 settings you can apply in your environment…have fun!
This has been a hot topic here for a long time. Back in May I mentioned that there was going to be no AdminPak and sure enough that was confirmed. Microsoft's decision was to create a new tool called the Remote Server Administration Tools. Back in June Microsoft said it would be released with Vista SP1. We now finally have the ability to test the Remote Server Administration Tools out by participating in the beta. Go here to get involved and PROVIDE your feedback directly to Microsoft http://connect.microsoft.com/windows/Downloads/DownloadDetails.aspx?DownloadID=9561. It appears the link is currently not working. Keep trying to ensure you get into the beta. I'll update here when I confirm it works.
There will be a chat hosted by Microsoft on the 3rd of December so this would be another great time to let them know how it works:
Please join Microsoft for a live chat on Monday, December 3, 2007 at 12:00 – 1:00 pm PST and get all your questions about Remote Server Administration Tools answered:
I haven't had time yet to play with this so I would love to hear what you think of the new tools. Please leave comments and let the community know.
While it's not Service Pack 1, these next two patches definitely contain quite a few needed fixes for Windows Vista.
This first one addresses the following issues:
The second one addresses the following issues:
I hope if you were having issues with your PC running Vista that this helps.