Thursday, May 26, 2011

Windows Server 2008 Boot Process!!!

Here’s the brief description of Windows Server 2008 Boot process.
  1. System is powered on
  2. The CMOS loads the BIOS and then runs POST
  3. Looks for the MBR on the bootable device
  4. Through the MBR the boot sector is located and the BOOTMGR is loaded
  5. BOOTMGR looks for active partition
  6. BOOTMGR reads the BCD file from the \boot directory on the active partition
  7. The BCD (boot configuration database) contains various configuration parameters( this information was previously stored in the boot.ini)
  8. BOOTMGR transfer control to the Windows Loader (winload.exe) or winresume.exe in case the system was hibernated.
  9. Winloader loads drivers that are set to start at boot and then transfers the control to the windows kernel.
Here’re some articles for your reference.
Boot Process and BCDEdit
http://technet.microsoft.com/en-us/library/ee221031(WS.10).aspx
Server 2008 Boot Process – Making a boot disk
http://www.slickit.ca/2009/03/server-2008-boot-process-making-boot.html
Windows Server 2008: Startup Processes and Delayed Automatic Start
http://www.ditii.com/2008/02/02/windows-server-2008-startup-processes-and-delayed-automatic-start/

Remote Server Administration Tools for Windows 7 with SP1

I tried installing Remote Server Administration Tools for Windows 7 on my freshly installed Windows 7 with integrated SP1 when I got “update is not applicable to your computer” error message.

Here’s what Microsoft has to say about that

**Remote Server Administration Tools for Windows 7 can be installed ONLY on computers that are running the Enterprise, Professional, or Ultimate editions of Windows 7. This software CANNOT BE INSTALLED on computers that are running Windows 7 with Service Pack 1 (SP1). To run Remote Server Administration Tools for Windows 7 on a computer on which you want to run Windows 7 with SP1, first install Remote Server Administration Tools, and then upgrade to Service Pack 1.**

Nice, I have Windows 7 Professional with Integrated SP1… I found a workaround on Microsoft TechNet

  1. Create RSAT folder on C drive and copy amd64fre_GRMRSATX_MSU.msu (x64 version)
  2. Run CMD with administrator privileges
  3. Run this
    CD C:\RSAT expand -f:* "C:\RSAT\amd64fre_GRMRSATX_MSU.msu" C:\RSAT 
  4. Open and edit C:\RSAT>Windows6.1-KB958830-x64.xml
  5. Run this

    MD EXPAND expand -f:* "C:\RSAT\Windows6.1-KB958830-x64.cab" "C:\RSAT\expand" CD EXPAND DISM.exe /Online /NoRestart /Add-Package /PackagePath:"microsoft-windows-remoteserveradministrationtools-package~31bf3856ad364e35~amd64~~6.1.7600.16385.mum" /PackagePath:"microsoft-windows-remoteserveradministrationtools-package~31bf3856ad364e35~amd64~en-us~6.1.7600.16385.mum" /PackagePath:"microsoft-windows-remoteserveradministrationtools-package-minilp~31bf3856ad364e35~amd64~en-us~6.1.7600.16385.mum" /PackagePath:"microsoft-windows-remoteserveradministrationtools-package~31bf3856ad364e35~amd64~~6.1.7600.16385.mum"


Credit goes to http://sharepoint.tejic.com/?p=185

Configuring Windows Time for Active Directory

Special Thanks to tigermatt

I’ve had a few requests recently from people who were confused regarding how to configure time in their Active Directory domains – and some were playing with settings on servers and workstations to try to make things work. In this article, I’ll briefly explain how the time service works in Active Directory networks and general information on how you should go about configuring it.

For anyone not aware, all machines in an Active Directory environment automaticallyfind a time server to sync time with. Workstations use their authenticating Domain Controller, and the DCs sync with the server holding the PDC Emulator FSMO role. In a multi-domain forest, the PDC Emulator in each child domain synchronises with a DC or the PDCe in the forest root domain. To ensure the time remains reliable across the forest, only the PDC Emulator in the forest root domain should ever sync with an external time source – this leads to only one source of time being used across the forest. The Windows Time Service blog have a great post entitled Keeping the domain on time which explains this in more detail, including a great graphic.

The Windows Time Settings

You can find the settings for the Time Service in the registry, underHKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters. The most important value to note is the ‘Type’ string – on any domain machine other than the PDC Emulator in the forest root, this should be set to NT5DS. That name isn’t particularly descriptive; if it is set, it means the machine is finding a time server in the Active Directory hierarchy.

If it isn’t set to that, you should think about resetting the time service on that machine. To do that, run a Command Prompt as an Administrator and execute the following commands:

net stop w32time
w32tm /unregister
w32tm /register
net start w32time

Check the registry again, and the Type should now be in domain sync mode (NT5DS).

Sometimes, you may find an NTPServer key in the registry despite the Type being set to NT5DS. NT5DS doesn’t use an NTP Server, so what gives? This setting is simply left over from prior to the machine being joined to the domain, when it was in a workgroup. Provided the Type value is set correctly, the NTPServer entry can be completely ignored or even deleted. Running the above commands on a domain-joined machine will delete it automatically.

The Group Policy Settings

There are also a number of Group Policy settings for the time service. These can be found in Computer Configuration\Administrative Templates\System\Windows Time Service.

I do not encourage you to change these settings; if you have done so, you probably want to revert the policies to ‘Not Configured’. There are reasons why you may make the odd change, but in general, no changes are required and you can actually break the time sync if you do make them.

If you are interested in reading further about what they do, the Windows Time Service blog has another great page going through them: Group Policy Settings Explained.

The Forest Root PDC Emulator Settings

After a bit of a configuration reset, all your DCs, member servers and workstations should now be set to sync from the domain hierarchy. But what about the PDC Emulator in the forest root?

The fact of the matter is the PDCe doesn’t actually need to synchronise with anything. It automatically designates itself the most reliable time server in the domain and it can run quite happily like that, without ever talking to an external time server. My earlier blog post entitled Time: Reliable or accurate? describes why.

However, to have an easy life and keep your users from complaining, it is almost always a good idea to have some form of external time sync on the forest root PDC Emulator. There are a number of ways to do this – for example, an external hardware clock which syncs with GPS. However, the most common (and cheapest – free) solution is synchronising with another NTP server on the Internet. I often use the servers closest to me which participate in possibly the largest time service, the NTP Project (list of time servers). Be aware that if you are bound by SLAs (my company certainly is), by its very nature, the NTP project most probably isn’t the resource for you.

To configure the time sync on the PDCe, you need to execute the following commands. I’d strongly suggest you get a level playing field by resetting the time service using the instructions above before you start.

w32tm /config /manualpeerlist:”uk.pool.ntp.org,0×8 europe.pool.ntp.org,0×8″ /syncfromflags:MANUAL /reliable:yes /update

What’s that command doing?

That command is a rather hefty command, so you may like to know exactly what it is doing to your server. All the changes are taking place in the registry at the key I posted above; using the w32tm tool to make the configuration changes is simply much easier than doing it manually yourself.

/config causes the tool to enter configuration mode. There are a number of other modes it supports which you can find by running w32tm /?.

/manualpeerlist allows you to specify the NTP server or servers you wish to synchronise time with. In this instance, each server’s DNS name or IP address should have a comma followed by the string 0×8. This instructs Windows to send requests to this external server in client mode. If you enter multiple servers, which I suggest, put the servers in quotation marks and separate each entry with a space. The value you specify here is written back to the NTPServer value in the time service’s registry key.

/syncfromflags tells the time service where it should sync time from. You can specify two entries for this – either DOMHIER or MANUAL. The former causes the time service to synchronise with the Domain Hierarchy (sets NT5DS in the Type key in the registry) whereas the latter tells the time service to sync with the server(s) you specified in the Manual Peer List. MANUAL sets Type to NTP.

/reliable sets the server to be a reliable source of time for the domain. Strictly it isn’t required, because the PDC Emulator in the forest root is always the most reliable time server, but I like to include it anyway.

Finally, /update notifies the time service the values have changed, so the new settings are used with immediate effect. If this isn’t included, the registry is updated but the new values will only be used by the time service when its service or the server itself is restarted.

After you’ve run that command, you might want to take a look in the registry to see what changes have been made, and whether they are as you expected.

Check Time Synchronisation

You may be intrigued to know whether the time sync is working correctly. You can do this in one of two ways.

The safest is to wait for a scheduled time sync to take place, or restart the machine. Either will trigger Event ID 35 to be logged in the System log. This event’s description shows the time server the machine is synchronising with. This will be logged on both the PDC Emulator and all DCs, member servers and workstations. You can check for this on member machines to ensure a DC in the domain hierarchy is being found and used correctly – and to ensure your custom NTP servers configured on the PDC Emulator are being used as intended.

Alternatively, putting your cowboy hat on, you can force a time synchronisation. Set the time a minute or two out from what it should be, then return to the command prompt and run w32tm /resync /rediscover. After a few moments, the above event should be logged, and a healthy time service should cause the time on the system to be set back to normal.

As a note, no time synchronisation will take place if the difference between the current system time and the new time provided by the time server is too great. A minute or two is fine, but I would not set the difference to be any more than that. The system checks this difference at each sync, and will reject the new time provided by the time server if it is too large.

Conclusion

You should now have an understanding of how the time service works and where it stores its settings in the registry. While time isn’t one of the most fun services an Active Directory administrator will work with, it is important you ensure the forest stays in sync if you want to avoid major problems with time skew, Kerberos and Active Directory in general.