Description
The Windows Time service by default in Windows 2000 and 2003 allows for a positive or negative time correction of any amount for domain controllers. This can cause serious problems in a forest should a dramatic time shift occur. This can even occur when synchronizing with other authoritative sources as hardware problems, software problems or human error can cause them to provide the wrong time. Some of the problems that can occur from a dramatic time change are Windows Server 2003 based domain controllers may be quarantined, deleted objects may be prematurely purged before end-to-end replication of the deletion is fully replicated (causing lingering objects), user and computer passwords may expire unexpectedly, and trust passwords becoming out of sync.
Resolution
Modify the default value on the following registry.
The registry key(s) are different depending upon the operating system version.
Windows 2003/2008
Path: HKLM\System\CurrentControlSet\Services\W32Time\Config
Value: MaxNegPhaseCorrection
Default data: 0xFFFFFFFF (4,294,967,295)
(Note: there is an accompanying MaxPosPhaseCorrection value to control positive time changes.)
Windows 2000
Path: HKLM\System\CurrentControlSet\Services\W32Time\Parameters
Value: MaxAllowedClockErrInSecs
Default data: 0xFFFFFFFF (4,294,967,295)
(Note: Windows 2000 has a single value to control both positive and negative time changes.)
Change them to a positive/negative value of 48 hours (0x2A300 or 172,800 seconds).
All about Information Technology infrastructure and system. Helpdesk & support issue, deployment guide, and daily activity in managing an information technology operation.
Search This Blog
Tuesday, May 12, 2009
Monday, May 4, 2009
Could not start DHCP Client Services
Description:
One day you discover that DHCP client services on some of your server cannot be started. It gives you “access is denied” error message. The DHCP client services already use network service account to logon. You suspect that one of the recent windows patch that causes the issue.
Resolution:
The Network Service requires permissions to open the‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters’ registry keys for the DHCP Client service to start. Some updates can remove the Network Service permissions to these registry keys. Please check and re-add them if necessary.
1) Open Regedit.
2) Navigate to ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp' and click on Parameters.
3) Click on Edit menu then go to Permissions.
4) In the 'Permissions for Parameters' window, click on Add.
5) In the 'Select Users, Computers and Groups' window, type in "Network Service" (without the quotes) and click 'Check Names'. You may need to change the Location to "System".
6) Click OK.
7) In the 'Permissions for Parameters' window, highlight the Network Service group and give it Full Control and Read permission by selecting the check boxes.
8) Click OK
Try starting the DHCP client service again.
One day you discover that DHCP client services on some of your server cannot be started. It gives you “access is denied” error message. The DHCP client services already use network service account to logon. You suspect that one of the recent windows patch that causes the issue.
Resolution:
The Network Service requires permissions to open the‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters’ registry keys for the DHCP Client service to start. Some updates can remove the Network Service permissions to these registry keys. Please check and re-add them if necessary.
1) Open Regedit.
2) Navigate to ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp' and click on Parameters.
3) Click on Edit menu then go to Permissions.
4) In the 'Permissions for Parameters' window, click on Add.
5) In the 'Select Users, Computers and Groups' window, type in "Network Service" (without the quotes) and click 'Check Names'. You may need to change the Location to "System".
6) Click OK.
7) In the 'Permissions for Parameters' window, highlight the Network Service group and give it Full Control and Read permission by selecting the check boxes.
8) Click OK
Try starting the DHCP client service again.
Cannot Upgrade from Windows 2003 Service Pack 1 to Windows 2003 Service Pack 2
Description:
You are having an issue when trying to upgrade your Windows 2003 Service Pack 1 server to Windows 2003 Service Pack 2. The upgrade process runs for a while and stops in the middle because of WMI error. You cannot do the upgrade from Add/Remove program too.
Resolution:
The issue cause by some corrupt files inside %windir%\system32\wbem\repository. Files in this folder is the database of WMI, if the files in this folder are corrupt, the WMI service will not work correctly. Delete the files in the folder %windir%\system32\wbem\repository. After restart the WMI service again, the files in this folder will be rebuilt again.
Below is the script to do it automatically:
################
sc config winmgmt start= disabled
net stop winmgmt /y
%systemdrive%
cd %windir%\system32\wbem
if exist repository.old rmdir /s/q repository.old
rename repository repository.old
for /f %%s in ('dir /b /s %windir%\system32\wbem\*.dll') do regsvr32 /s %%s
regsvr32 /s %windir%\system32\tscfgwmi.dll
wmiprvse /regserver
winmgmt /regserver
sc config winmgmt start= auto
net start winmgmt
for /f %%s in ('dir /b *.mof') do mofcomp %%s
for /f %%s in ('dir /b *.mfl') do mofcomp %%s
You are having an issue when trying to upgrade your Windows 2003 Service Pack 1 server to Windows 2003 Service Pack 2. The upgrade process runs for a while and stops in the middle because of WMI error. You cannot do the upgrade from Add/Remove program too.
Resolution:
The issue cause by some corrupt files inside %windir%\system32\wbem\repository. Files in this folder is the database of WMI, if the files in this folder are corrupt, the WMI service will not work correctly. Delete the files in the folder %windir%\system32\wbem\repository. After restart the WMI service again, the files in this folder will be rebuilt again.
Below is the script to do it automatically:
################
sc config winmgmt start= disabled
net stop winmgmt /y
%systemdrive%
cd %windir%\system32\wbem
if exist repository.old rmdir /s/q repository.old
rename repository repository.old
for /f %%s in ('dir /b /s %windir%\system32\wbem\*.dll') do regsvr32 /s %%s
regsvr32 /s %windir%\system32\tscfgwmi.dll
wmiprvse /regserver
winmgmt /regserver
sc config winmgmt start= auto
net start winmgmt
for /f %%s in ('dir /b *.mof') do mofcomp %%s
for /f %%s in ('dir /b *.mfl') do mofcomp %%s
Invalid FSMO Role Owner for Application Partition
Description:
When running the ADRAP program you found the following warning/error.
The following application partition contains an invalid FSMO role owner:
Partition: cn=infrastructure,dc=forestdnszones,dc=corp,dc=com
FSMO:CN=NTDS Settings\0ADEL:97d…,CN=Server01\0ADEL:67…,CN=Servers,CN=SITEA,CN=Sites,CN=Configuration,DC=corp,DC=com
Resolution:
Use adsiedit.msc and reset the fSMORoleOwner attribute on the infrastructure master of your root domain. Use the value from Distinguished Name (DN) attribute of the corresponding application partition as the new value. You may need to use an account which has Enterprise Admin permission.
When running the ADRAP program you found the following warning/error.
The following application partition contains an invalid FSMO role owner:
Partition: cn=infrastructure,dc=forestdnszones,dc=corp,dc=com
FSMO:CN=NTDS Settings\0ADEL:97d…,CN=Server01\0ADEL:67…,CN=Servers,CN=SITEA,CN=Sites,CN=Configuration,DC=corp,DC=com
Resolution:
Use adsiedit.msc and reset the fSMORoleOwner attribute on the infrastructure master of your root domain. Use the value from Distinguished Name (DN) attribute of the corresponding application partition as the new value. You may need to use an account which has Enterprise Admin permission.
Tuesday, April 28, 2009
Subscribe to:
Posts (Atom)