Configuring the Windows Time Service in an Active Directory Forest – A step by step with a Contingency Plan

Published 4/2014

Original blog post reference:
Configuring the Windows Time Service in an Active Directory Forest – A step by step with a Contingency Plan
https://blogs.msmvps.com/acefekay/2014/04/26/configuring-the-windows-time-service/

As many of you that follow my blog know that I have blogged about the Time Service in the past. The original blog can be found here. However, the blog has so much information in it, you may have got lost trying to figure out exactly what to do. In this blog, I’ve condensed it and made it much easier to read by offering the steps as a pseudo flowchart. I hope you find it useful.

Windows Server Time Sync Configuration

The following steps can be used to configure DCs the default Windows time service hierarchy in an AD forest.  The procedure will also remove any errors in the Event Viewer, if any existed.

Do not use if you are using a third party stratum service and refer to the vendor’s documentation for further instructions

Check and Document the Current Time Configuration on the PDC Emulator

  1. First check and document the current configuration:
    1. All Windows Server domain operating systems – run the following on the forest root domain PDC Emulator.
      1. Note: In some cases you must wait a little time for the service to instantiate.
      2. If you do not see expected results immediately, wait 10 min and re-run the following steps
  2. W32tm /query /configuration   
    1. This command confirms the PDC Emulator shows the current source in the [TimeProviders] section, Look for “Type:” You will see one of the following:
      1. Type: NT5DS (Local)   -This means that it’s not synced externally.
      2. Type: NTP (Local)  –This command it is syncing externally.
                 NtpServer: time.windows.com [65.55.56.206] (Local)
    2. For all other DCs, use the command, w32tm /monitor (step 4 below)
  3. w32tm /query /source
    1. On the PDC Emulator, this shows the actual source. One of two possibilities:
      1. CMOS clock                    -Signifies not synced to an external source                                                  (Not what you want to see)
      2. time.windows.com  –The NTP source IPaddress/FQDN  This is correct.
  4. w32tm /monitor or w32tm /monitor /computers:DCNAME
    1. On the PDC Emulator, this command shows the outside time source.
      1. Good example:
        dc01.contoso.com *** PDC ***[10.10.10.200:123]:
        ICMP: 0ms delay
        NTP: +0.0000000s offset from dc02.contoso.com
        RefID: time.windows.com [65.55.56.206]
        Stratum: 4
    2. On all other DCs, this command shows the current time source DC for this DC.
      1. You will see an “offset for the PDC from its configured NTP source.
      2. Good example result showing the DC02 is syncing with dc01.contoso.com:
        dc02.contoso.com 10.10.10.210]:
        ICMP: 0ms delay
        NTP: +0.0000000s offset from dc01.contoso.com
        RefID: dc01.contoso.com [10.10.10.200]
        Stratum: 4
  5. w32tm /tz
    1. This shows the current time zone to make sure it’s correct.
  6. w32tm /stripchart /computer: target /samples: n /dataonly
    1. This command will show you the time difference between the local computer and a target computer and is helpful in determining if there is an offset. The “n” value is the number of time samples that will be returned from the target to test basic NTP communications.
  7. w32tm /dumpreg
    1. This command dumps the current registry settings found in:
      HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
      You can see the current time service configuration entries, such as:
      Type:  NTP

      NTPServer:

*

Configure time sync to a reliable source on the forest rood domain PDC Emulator ONLY.

Do not perform on any other DC in any domain in the forest. PDC in the forest root only.

  1. Windows 2003 and all newer:
    1. Open an Administrator Command Prompt.
      1. Note that the examples below use either time.windows.com or the pool.ntp.org servers. You can get a full list of reliable time services at:
        A list of the Simple Network Time Protocol (SNTP) time servers that are available on the Internet: http://support.microsoft.com/kb/262680
    2. w32tm /config /manualpeerlist:time.windows.com /syncfromflags:manual /reliable:yes /update
      OR – if you want to use the pool.ntp.org time source servers:
    3. W32tm /config /manualpeerlist:0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,0x1 /syncfromflags:manual /reliable:yes /update
    4. w32tm /resync /rediscover
    5. net stop w32time && net start w32time
    6. Check it with W32tm /query /configuration   
      1. You may have to repeatedly run it a few times until you see it change from the CMOS clock to the time server you set it to. If it doesn’t change after a few minutes, you may have to reset the time service in the Contingency section below.
  2. Windows 2000:
    Generally speaking, the w32tm command is similar to Windows 2003 and newer operating systems.  However, Windows 2000 uses the net time /setsntp method, which was removed in later versions.  There are also some differences between Windows 2000 RTM and various service packs. Therefore, if any issues arise from the commands not setting, it’s recommended to follow the instructions using the registry to configure the time service in Windows 2000:
    How to configure an authoritative time server in Windows 2000:
    http://support.microsoft.com/kb/216734
    1. Open an Administrator Command Prompt.
    2. net time /setsntp:174.140.19.7    – Windows 2000 uses this command to configure an outside source.
    3. net stop w32time
    4. w32tm -once      W32tm performs numerous commands. Their results are displayed on the screen.
    5. net start w32time
    6. Check it with W32tm /query /configuration   
      1. You may have to repeatedly run it a few times until you see it change from the CMOS clock to the time server you set it to. If it doesn’t change after a few minutes, you may have to reset the time service in the Contingency section below
  3. Use the procedure in Step #1 to check and document the new configuration.
  4. Contingency: Perform the steps in the Corrupted Time Service Resolution Section to return the settings back to Windows defaults.

*

Configure all other DCs to sync using the forest time hierarchy

This includes all other DCs in the forest root domain that are not holding the PDC Emulator role, and any DC in any other domains and trees, including the PDC in those domains.

Do NOT run the following on the PDC Emulator in the forest root domain.

  1. First check and document the current configuration: See Section #3 above.
  2. Windows Server 2003 and all newer server operating systems: 
    1. Open an Administrator Command Prompt
    2. w32tm /config /syncfromflags:domhier /update /reliable:no
    3. w32tm /resync /rediscover
    4. net stop w32time && net start w32time
    5. Check it with W32tm /query /configuration   
      1. You may have to repeatedly run it a few times until you see it change from the CMOS clock to the time server you set it to. If it doesn’t change after a few minutes, you may have to reset the time service in the Contingency section below
  3. Windows 2000:
    For reference with Windows 2000, see the following link for more info:
    How to configure an authoritative time server in Windows 2000
    http://support.microsoft.com/kb/216734
    1. Open an Administrator Command Prompt.
    2. w32tm –s
    3. Net stop w32time && net start w32time
    4. Check it with W32tm /query /configuration   
      1. You may have to repeatedly run it a few times until you see it change from the CMOS clock to the time server you set it to. If it doesn’t change after a few minutes, you may have to reset the time service in the Contingency section below
  4. Use the procedure in Step #1 to check and DOCUMENT the new configuration.
  5. Contingency: Perform the steps in the Corrupted Time Service Resolution Section to return the settings back to Windows defaults.

*

Time configuration on FSMO transferred or seized DCs

  1. On the new forest root domain PDC Emulator, run the following:
    1. Open an Administrator command prompt:
    2. W32tm /config /manualpeerlist:0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org /syncfromflags:manual /reliable:yes /update
      1. Note: time.windows.com is a working time source, however you choose any reliable time services in your locale.
    3. W32tm /resync /rediscover
    4. net stop w32time && net start w32time
    5. Check it with W32tm /query /configuration   
      1. You may have to repeatedly run it a few times until you see it change from the CMOS clock to the time server you set it to. If it doesn’t change after a few minutes, you may have to reset the time service in the Contingency section below
  2. On the server formerly holding the PDC Emulator role, run the following:
    1. Open an Administrator command prompt.
    2. w32tm /config /syncfromflags:domhier /update
    3. w32tm /resync /rediscover
    4. net stop w32time && net start w32time
    5. Check it with W32tm /query /configuration   
      1. You may have to repeatedly run it a few times until you see it change from the CMOS clock to the time server you set it to. If it doesn’t change after a few minutes, you may have to reset the time service in the Contingency section below
  3. Follow the procedure in Step #1 to check and DOCUMENT the new configuration.
  4. Contingency: Perform the steps in the Corrupted Time Service Resolution Section to return the settings back to Windows defaults.

*

Corrupted Time Service Resolution Section (Contingency)

If any of the procedures did not work or event log errors indicate any issues, you can reset the time service registry entries back to default. The procedure should be done on the DC that you are experiencing issues with and not necessarily on each DC.  Note: This procedure can also be used as a contingency to return a DC (PDC and non-PDCs) back to local CMOS time sync.

  1. On the DC that you’re experiencing issues with, run the following:
    1. Open an Administrator command prompt.
    2. net stop w32time
    3. w32tm /unregister
    4. w32tm /register
    5. net start w32time
    6. Configure the DC according to the configuration sections above depending on if it’s a PDC Emulator or non-PDC Emulator.
  2. The next command is ONLY for Windows 2000 to 2008 DCs. It does not apply to 2008 R2 or newer and will be ignored if you try it.
    1. “net time /setsntp: ”      – Do not use the quotes. Note that there’s a blank space prior to the closing quote.
      This command tells the client (whether a DC or workstation) to delete the current registry settings for time and use default settings.
    2. net stop w32time && net start w32time
    3. Configure the DC according to the configuration sections above depending on if it’s a PDC Emulator or non-PDC Emulator.

*

W32Time Service Accuracy

Please bear in mind that the Windows W32Time service is not a full featured, accurate service for time sensitive application requirements, nor will Microsoft support it as such. You must use a third party time service that will support this requirement.

For more information, please visit the following link:

Support boundary to configure the Windows Time service for high-accuracy environments
http://support.microsoft.com/kb/939322

==================================================================

References

How the Windows Time Service Works
http://technet.microsoft.com/en-us/library/71e76587-28f4-4272-a3d7-7f44ca50c018

Windows Time Service Technical Reference
http://technet.microsoft.com/en-us/library/a0fcd250-e5f7-41b3-b0e8-240f8236e210

Windows Time Service Tools and Settings
Includes specific w32tm command switches and registry entries.
http://technet.microsoft.com/en-us/library/cc773263

=================================================================

Summary

I hope this helped you to easily configure your time service and what to do if it didn’t work.

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image002[6] clip_image004[6] clip_image006[6] clip_image008[6] clip_image010[6] clip_image012[6] clip_image014[6]

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Active Directory FSMO Roles Explained

Original Publication 1/16/2011
Updated 11/20/2014
by Ace Fekay

Ace here again. I’ve updated this blog to just clean it up a bit, but as for the technical information about FSMOs, not much as changed. If you see anything that you feel is inaccurate, by all means please contact me.

Source:

This blog contains some quoted material from the Microsoft Official Curriculum (MOC) 6425B Course

Course 6425C: Configuring and Troubleshooting Windows Server 2008 R2 Active Directory Domain Services
http://www.microsoft.com/learning/en/us/Course.aspx?ID=6425B

If interested in taking this course, please see the following link to find a training center near you:

Find Microsoft Training
http://www.microsoft.com/learning/en/us/classlocator.aspx

Key Points

In any replicated database, some changes must be performed by one and only one replica because they are impractical to perform in a multimaster fashion.

Active Directory is no exception. A limited number of operations are not permitted to
occur at different places at the same time and must be the responsibility of only
one domain controller in a domain or forest. These operations, and the domain
controllers that perform them, are referred to by a variety of terms:

• Operations masters
• Operations master roles
• Single master roles
• Operations tokens
• Flexible single master operations (FSMOs)

Regardless of the term used, the idea is the same. One domain controller performs
a function, and while it does, no other domain controller performs that function.

All Active Directory domain controllers are capable of performing single master
operations. The domain controller that actually performs a single master operation is the
domain controller that currently holds the operation’s token, or the “role holder.”.

An operation token, and thus the role, can be transferred easily to another domain
controller without a reboot.

To reduce the risk of single points of failure, the operations tokens can be
distributed among multiple DCs.

AD DS contains five operations master roles. Two roles are performed for the
entire forest, and two roles are performed by three roles for each domain.

Forest Roles (two roles):

  • Domain naming
  • Schema

Domain Roles (three roles):

  • Relative identifier (RID)
  • Infrastructure
  • PDC Emulator

In a forest with a single domain, there are, therefore, five operations masters. In a forest with two domains, there are eight operations masters because the three domain master roles are implemented separately in each of the two domains.

Forest-Wide Operations Master Roles

The schema master and the domain naming master must be unique in the forest.
Each role is performed by only one domain controller in the entire forest.

Domain Naming Master Role:

The domain naming role is used when adding or removing domains in the forest. When you add or remove a domain, the domain naming master must beaccessible, or the operation will fail.

Schema Master Role:

The domain controller holding the schema master role is responsible for making any changes to the forest’s schema. All other DCs hold read-only replicas of the schema. If you want to modify the schema or install an application that modifies the schema, it is recommended you do so on the domain controller holding the schema master role. Otherwise, changes you request must be sent to the schema master to be written into the schema.

Domain-Wide Operations Master Roles

Each domain maintains three single master operations: RID, Infrastructure, and PDC Emulator. Each role is performed by only one domain controller in the domain.

RID Master Role

The RID master plays an integral part in the generation of security identifiers
(SIDs) for security principals such as users, groups, and computers. The SID of a
security principal must be unique. Because any domain controller can create
accounts, and therefore, SIDs, a mechanism is necessary to ensure that the SIDs
generated by a DC are unique. Active Directory domain controllers generate SIDs
by assigning a unique RID to the domain SID. The RID master for the domain
allocates pools of unique RIDs to each domain controller in the domain. Thus,
each domain controller can be confident that the SIDs it generates are unique.

Note:

The RID master role is like DHCP for SIDs. If you are familiar with the concept that
you allocate a scope of IP addresses for the Dynamic Host Configuration Protocol (DHCP) server to assign to clients, you can draw a parallel to the RID master, which allocates pools of RIDs to domain controllers for the creation of SIDs.

Infrastructure Master Role

In a multidomain environment, it’s common for an object to reference objects in other domains. For example, a group can include members from another domain.

Its multivalued member attribute contains the distinguished names of each
member. If the member in the other domain is moved or renamed, the infrastructure master of the group’s domain updates the group’s member attribute accordingly.

Note: The infrastructure master. You can think of the infrastructure master as a tracking device for group members from other domains. When those members are renamed or moved in the other domain, the infrastructure master identifies the change and makes appropriate changes to group memberships so that the memberships are kept up to date.

Also note: This role only pertains in a multi-domain forest. The infrastructure master if running on the same DC as a GC, will conflict and cause the infrastructure master role to fail its intended purpose. One way to eliminate any issues with the Infrastructure Master Role & GC conflict is to simply make all DCs a GC. More info on this can be found in the following link:

Global Catalog and FSMO Infrastructure Master Relationship
http://msmvps.com/blogs/acefekay/archive/2010/10/01/global-catalog-and-fsmo-infrastructure-master-relationship.aspx

PDC Emulator Role

The PDC Emulator role performs multiple, crucial functions for a domain:

• Emulates a Primary Domain Controller (PDC) for backward compatibility
In the days of Windows NT® 4.0 domains, only the PDC could make changes
to the directory. Previous tools, utilities, and clients written to support
Windows NT 4.0 are unaware that all Active Directory domain controllers can
write to the directory, so such tools request a connection to the PDC. The
domain controller with the PDC emulator role registers itself as a PDC so that
down-level applications can locate a writable domain controller. Such
applications are less common now that Active Directory is nearly 10 years old,
and if your enterprise includes such applications, work to upgrade them for
full Active Directory compatibility.

• Participates in special password update handling for the domain
When a user’s password is reset or changed, the domain controller that makes
the change replicates the change immediately to the PDC emulator. This
special replication ensures that the domain controllers know about the new
password as quickly as possible. If a user attempts to log on immediately after
changing passwords, the domain controller responding to the user’s logon
request might not know about the new password. Before it rejects the logon
attempt, that domain controller forwards the authentication request to a PDC
emulator, which verifies that the new password is correct and instructs the
domain controller to accept the logon request. This function means that any
time a user enters an incorrect password, the authentication is forwarded to
the PDC emulator for a second opinion. The PDC emulator, therefore, should
be highly accessible to all clients in the domain. It should be a well-connected,
high-performance DC.

• Manages Group Policy updates within a domain
If a Group Policy object (GPO) is modified on two DCs at approximately the
same time, there could be conflicts between the two versions that could not be
reconciled as the GPO replicates. To avoid this situation, the PDC emulator
acts as the focal point for all Group Policy changes. When you open a GPO in
the Group Policy Management Editor (GPME), the GPME binds to the domain
controller performing the PDC emulator role. Therefore, all changes to GPOs
are made on the PDC emulator by default.

• Provides a master time source for the domain
Active Directory, Kerberos, File Replication Service (FRS), and DFS-R each rely
on timestamps, so synchronizing the time across all systems in a domain is
crucial. The PDC emulator in the forest root domain is the time master for the
entire forest, by default. The PDC emulator in each domain synchronizes its
time with the forest root PDC emulator. Other domain controllers in the
domain synchronize their clocks against that domain’s PDC emulator. All
other domain members synchronize their time with their preferred domain
controller. This hierarchical structure of time synchronization, all implemented
through the Win32Time service, ensures consistency of time. Universal
Coordinated Time (UTC) is synchronized, and the time displayed to users is
adjusted based on the time zone setting of the computer.

Note: Change the time service only one way. It is highly recommended to allow Windows to maintain its native, default time synchronization mechanisms. The only change you should make is to configure the PDC emulator of the forest root domain to synchronize with an extra time source. If you do not specify a time source for the PDC emulator, the System event log will contain errors reminding you to do so. See the following link and the articles it refers to, for more information.

Configure the Windows Time service on the PDC emulator in the Forest Root Domain
http://go.microsoft.com/fwlink/?LinkId=91969

Configuring the Windows Time Service – A step by step with a Contingency Plan – This is a procedure I put together for an enterprise.
https://blogs.msmvps.com/acefekay/2014/04/26/configuring-the-windows-time-service/

Configuring the Windows Time Service for Windows Server, explanation of the time service hierarchy, and more
http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx

Acts as the domain master browser
When you open Network in Windows, you see a list of workgroups and
domains, and when you open a workgroup or domain, you see a list of
computers. These two lists, called browse lists, are created by the Browser
service. In each network segment, a master browser creates the browse list: the
lists of workgroups, domains, and servers in that segment. The domain master
browser serves to merge the lists of each master browser so that browse clients
can retrieve a comprehensive browse list.

What happens when a FSMO Role Fails

PDC Emulator failure

The PDC Emulator is the operations master that will have the most immediate
impact on normal operations and on users if it becomes unavailable. Fortunately,
the PDC Emulator role can be seized to another domain controller and then
transferred back to the original role holder when the system comes back online.

Infrastructure master failure

A failure of the infrastructure master will be noticeable to administrators but not to users. Because the master is responsible for updating the names of group members from other domains, it can appear as if group membership is incorrect although, as mentioned earlier in this lesson, membership is not actually affected. You can seize the infrastructure master role to another domain controller and then transfer it back to the previous role holder when that system comes online.

RID master failure

A failed RID master will eventually prevent domain controllers from creating new
SIDs and, therefore, will prevent you from creating new accounts for users, groups,
or computers. However, domain controllers receive a sizable pool of RIDs from the
RID master, so unless you are generating numerous new accounts, you can often
go for some time without the RID master online while it is being repaired. Seizing
this role to another domain controller is a significant action. After the RID master
role has been seized, the domain controller that had been performing the role
cannot be brought back online.

Schema master failure

The schema master role is necessary only when schema modifications are being
made, either directly by an administrator or by installing an Active Directory
integrated application that changes the schema. At other times, the role is not
necessary. It can remain offline indefinitely until schema changes are necessary.
Seizing this role to another domain controller is a significant action. After the
schema master role has been seized, the domain controller that had been
performing the role cannot be brought back online.

Domain naming master failure

The domain naming master role is necessary only when you add a domain to the
forest or remove a domain from a forest. Until such changes are required to your
domain infrastructure, the domain naming master role can remain offline for an
indefinite period of time. Seizing this role to another domain controller is a
significant action. After the domain naming master role has been seized, the
domain controller that had been performing the role cannot be brought back
online.

Recovering from FSMO Role Failures

There are a number of steps that must be performed if any of the FSMO roles fail, and keep in mind, it’s not just based
on the FSMO role failure itself, rather you must also take into account the DC, too, because it usually means the DC itself
has failed, therefore the DC failure must be addressed.

If a DC fails, then you must address the DC failure as a whole, and not just the FSMO roles. This is because the DC’s account is referenced in the AD database by other DCs, and it expects it to be there to contribute and work with replication, among other AD functions. Therefore you must clean out the DC’s reference from the AD database, which also includes seizing the roles it held to other DCs.

This also includes the services a specific FSMO role held, such as the Time Service. This service runs on the PDC Emulator and must be moved to the new PDC Emulator you are seizing the role to.

For more information, with a complete and specific step by step, including any services the DC held which was FSMO role specific, please see the following article for more information:

Complete Step by Step to Remove an Orphaned Domain controller
http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx

Monitoring DCs for failures

Microsoft Monitoring Products

There are a number of tools to monitor your domain controllers from native Windows event logs, to using SCOM.

System Center Operations Manager 2007 (SCOM) – Platform MonitoringOct 6, 2010 … Take advantage of System Center Operations Manager 2007 for cross-platform monitoring, beta software and management packs.
http://www.microsoft.com/systemcenter/en/us/operations-manager.aspx

To learn how to use SCOM, Microsoft has a specific course just for this product. For more information on the course, please see:

Microsoft Official Curriculum Course 50028B:
Installing and Configuring System Center Operations Manager 2007
http://www.microsoft.com/learning/en/us/course.aspx?ID=50028B&locale=en-us

Third Party Monitoring Tools

There are also numerous third party monitoring utilities available such as the following list:

Quest – Windows Management Solutions – Trust the Experts for Simplified Windows Management
http://www.quest.com/windows-management/

Network Monitor Software and Windows Development ToolsNetwork Monitor Tool site – Network Monitoring Tools for Windows, Linux, Unix and Novell.
http://www.monitortools.com/

NetVision Audit for Active Directory – Monitoring Active Directory – Active Directory Reports – Easy Audit Reporting and Real-Time Monitoring
http://auditforad.netvision.com/monitor/activedirectory.html?gclid=CIf8oeuPv6YCFcfe4AodFnI3JA

Windows Monitoring, Windows Server Monitoring, Windows Application …Download Windows monitoring tool for Windows server monitoring, IIS Server, . … Monitor Windows CPU, disk, process monitoring, memory and ensure high …
http://www.manageengine.com/products/applications_manager/windows-monitoring.html

Windows Server Monitoring and Windows Event Log Management SoftwareDevelopers of Windows administration tools that monitor in real-time system performance, security logs, and event logs, and send automated, user-defined …
http://www.tntsoftware.com/

Nagios Core – Monitoring Windows Machines:
http://nagios.sourceforge.net/docs/3_0/monitoring-windows.html

Network Management Software | Server Monitoring | WhatsUp GoldWhatsUp Gold is an award-winning network monitoring software, managing over 100000 networks worldwide. Download trials & free tools now!
http://www.whatsupgold.com/

Comments, suggestions and corrections are welcomed!

==================================================================

Summary

I hope this helps!

Original Publication Date: 11/1/2011
Updated 11/4/2014

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image00262[2] clip_image00462[2] clip_image00662[2] clip_image00862[2] clip_image01062[2] clip_image01262[2] clip_image01462[2]

Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.