It is important to have the Windows Time Service on a DC on the network pointing to an external NTP source to keep time in sync.
There is an article here which tells you how:
I’ve condensed it here to a reg file you can create and run.
Copy the following code into a text document, name it time.reg and run it on a DC.
Then restart the time service with the command:
net stop w32time && net start w32time
Give it a few seconds and the clock should correct itself.
If it is a virtual machine make sure that the Hyper Visor isn’t pushing time out to it, as the server will take that as priority. For example on Hyper-V go to the VM Settings, and Integration Services and un-tick Time synchronization.
The registry file
Windows Registry Editor Version 5.00
DFSR replication of sysvol is much more reliable, and NTFRS is being deprecated after Windows Server 2016.
This is how to migrate to DFSR. The information here is gleamed from :
and the long version:
Check forest functional level using domain.msc and raise if below 2008.
Force a replication with:
Repadmin /syncall /force /APed
this is optional, but will speed things up, and you can use this replication to check for errors.
Check event log for errors, especially the File Replication Service logs.
Check that replication is working.
Dcdiag /e /test:sysvolcheck /test:advertising
Fix any errors.
Next the migration.
dfsrmig /setglobalstate 1
Do not proceed further until it tells you that “All domain controllers have migrated successfully to the Global state.”
dfsrmig /setglobalstate 2
Again check it with
And make sure all DCs have migrated.
dfsrmig /setglobalstate 3
And it is finished when
tells you that all DCs have migrated successfully.
You can apparently go straight to state 3, but it doesn’t take long to go the full route, so better taking a little time.
We’ve had a spate of PCs filling up their disks recently, and it seems to stem from a bug in Windows update.
The issue occurs because an accumulated update log file grows, and generates a series of CAB files “cab_xxx_x” in the temp folder (normally c:\windows\temp).
The issue isn’t new, I found references to it dating back to 2012. It seems to be a bug with Windows Update on Windows 7 and Windows Server 2008 R2.
If you just delete the CAB files they will come back. The solution seems to be to do the run the following commands:
net stop wuauserv
net stop trustedinstaller
rmdir /s c:\windows\softwaredistribution
del c:\windows\temp\*.* /s /f /q
net start wuauserv
net start trustedinstaller
If you don’t stop the services first you may not be able to delete the files.
Next step is to run Windows update. Windows 7 and 2008 R2 have a huge number of updates to do from a fresh install, which is why this log file builds up. Deleting the files resets the log, but if there are still too many to do the issue may come back.
I set up a monitor on SolarWinds N-Central to check all our clients temp folder sizes and to run the above as a script if it was over 15GB. That should prevent any space issues on-going.
Alternatively just upgrade to Windows 10 and Server 2016 – they don’t have this problem.
When Azure Connect is setup the quickest way to fire off a manual sync is through powershell.
For a full sync (new accounts etc):
Start-ADSyncSyncCycle -PolicyType Initial
For a incremental sync (faster but not as thorough):
Start-ADSyncSyncCycle -PolicyType delta
I normally save these as .ps1 files on the desktop of the server to I can quickly run them.
Another article about a command that I can never remember the syntax when I need it.
The information here is from: https://social.technet.microsoft.com/wiki/contents/articles/6736.move-transfering-or-seizing-fsmo-roles-with-ad-powershell-command-to-another-domain-controller.aspx
To transfer all roles use:
Move-ADDirectoryServerOperationMasterRole -Identity “Target-DC” -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator
To seize the roles append -Force.
You can also substitute the role names with numbers, making a more manageable:
Move-ADDirectoryServerOperationMasterRole -Identity “Target-DC” -OperationMasterRole 0,1,2,3,4 -Force
Much easier to remember than trying to remember which bit of the gui does which role.
Older servers use ntdsutil.exe:
I needed to copy only missing files from a volume shadow copy back to a clients share after clearing out crypto malware encrypted files, and I found a new favourite command:
subst drive1: drive2:path
Substitutes a path for a drive letter, for example:
subst x: c:\users\adam\desktop
maps x: to my desktop in my profile.
Where this came in particular handy for me we using robocopy to restore files an folders out of a volume shadow copy (previous version).
I wanted to run robocopy a: b: /xc /xn /xo /s which only copies missing files, and does not copy existing files – regardless of age or difference, to extract missing files from the shadow copy.
So first I found the path to the file by right clicking on a file in the shadow copy and copying the location then running subst:
subst x: "\\localhost\C$\@GMT-2016.10.24-14.01.30\Server Shares\Company"
I could then run my robocopy from the x: drive.
Finished off with
subst x: /d to remove the drive mapping.
Useful write up here:
And subst technet article here:
I’m always having to look this up, for some reason the registry location just doesn’t stick in my head.
User Shell Folders (i.e. My Documents, Desktop, Favorites):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Useful if you want to know if Folder Redirection is working.