How to Set Clock Time on AD domain Controller and Sync Windows Clients

How to find your Active Directory Network Time Server

If someone complains that the time on a Windows 7 or Windows 10 PC is off, first sync the domain controller to an external time source, then sync the PC to the DC. This matters for more than convenience: Kerberos rejects tickets whose timestamps differ from the DC's clock by more than the domain's maximum tolerance (5 minutes by default), so a badly skewed PC starts failing domain logons and share access. In an Active Directory domain the time hierarchy is fixed: only the DC holding the PDC emulator role should sync from an external source, and every other DC and every domain member syncs from that hierarchy automatically. So how do you sync the PDC emulator to the same time as a cell phone/NIST/external time source, and make sure that all computers on your network follow the domain controller?

First, determine from a client computer which computer is the authority for its time. In a domain this is normally the domain controller holding the PDC emulator role, the root of the domain's time hierarchy. On the client PC, open a command prompt and run the command:

net time

The output is a line of the form “Current time at \\NETTIMESERVER.domain.com is ...”. The server named there is your net time authority.

How to check your domain controller time against a global time provider:

On the server that net time identified (NETTIMESERVER, the PDC emulator), right-click your PowerShell icon and choose Run as Administrator.

Run the following command to check how far your server's clock is from the external time source. It does not change anything; it only reports the offset, shown as a signed value in seconds (for example +39.0000000s), one line per sample.

w32tm /stripchart /computer:time.windows.com /dataonly

The results should display something similar to the following (hit CTRL+C to stop the data stream):

So we can see our DC is ahead by 39 seconds.

Sync Domain Controllers Time Against Global Time Authority

Now configure the server to use a specific external time provider, time.windows.com in this example (any NTP source you trust works, and the DC needs outbound UDP 123 to reach it). Remember this is done on the PDC emulator only; other DCs and clients keep following the domain hierarchy. Run the following command:

w32tm /config /manualpeerlist:time.windows.com /syncfromflags:MANUAL

The terminal should return “The command completed successfully.”

Next type:

w32tm /config /update

Again you should receive a message “The command completed successfully.”

Now to immediately synchronize the time use the following command:

w32tm /resync

We can now check again how much the time is off from the global provider by issuing the stripchart/dataonly command and check the results. You can see here that our time is now off by less than a second:

Sync Windows 7 or Windows 10 with Domain Controller

PCs on the network that authenticate against our domain controller pick up the corrected time on their own: domain members sync from the domain hierarchy on a schedule, and a reboot forces a fresh sync. If you want to force a client to sync right now, run the following from an elevated command prompt on the client (this is the legacy form; it reads the remote server's clock over SMB and sets the local clock to it, whereas w32tm /resync syncs from whatever source the client is configured for, normally the domain hierarchy):

net time \\NETTIMESERVER.DOMAIN.com /set /y

This command should return the message “The command completed successfully.”

Our time on our PC is now synced with the domain controller, and the domain controller is now synced with time.windows.com.
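The two procedures above (pointing the DC at an external source, then checking a client against it) as one PowerShell script. This is an added example, not code from the original post. It assumes the RSAT ActiveDirectory module is present on the DC and that outbound UDP 123 is allowed; time.windows.com is a placeholder peer, the 300-second threshold is the Kerberos default MaxClockSkew, and the function names are the example's own. It refuses to set an external peer on any DC other than the PDC emulator, since the rest of the domain should stay on the domain hierarchy (NT5DS).

```powershell
# Added example, not from the original post. Run in an elevated PowerShell.
# Assumptions: RSAT ActiveDirectory module on the DC, outbound UDP 123 allowed,
# and a placeholder peer list; replace it with NTP sources you trust.
$Peers          = 'time.windows.com,0x8'   # 0x8 = plain client mode; separate extra peers with spaces
$MaxSkewSeconds = 300                      # Kerberos default MaxClockSkew: past this, domain auth fails

function Get-TimeOffsetSeconds {
    # Signed offset of this machine against $Server, parsed from w32tm /stripchart /dataonly.
    param([Parameter(Mandatory)][string]$Server, [int]$Samples = 3)
    $out = & w32tm.exe /stripchart /computer:$Server /dataonly /samples:$Samples
    # Sample lines look like "14:02:11, +00.0391234s"; keep the last one
    $m = $out | ForEach-Object { [regex]::Match($_, ',\s*([+-]\d+\.\d+)s') } |
         Where-Object Success | Select-Object -Last 1
    if (-not $m) { throw "No samples from $Server : $($out -join ' ')" }
    [double]$m.Groups[1].Value
}

function Set-PdcExternalTimeSource {
    # Point the PDC emulator, and only the PDC emulator, at external NTP, then resync and re-measure.
    param([Parameter(Mandatory)][string]$PeerList)
    Import-Module ActiveDirectory
    $pdc = (Get-ADDomain).PDCEmulator
    if ($pdc -notmatch "^$([regex]::Escape($env:COMPUTERNAME))\.") {
        throw "This host is $env:COMPUTERNAME but the PDC emulator is $pdc. Other DCs and clients stay on the domain hierarchy (NT5DS)."
    }
    $firstPeer = $PeerList.Split(' ')[0].Split(',')[0]
    $before = Get-TimeOffsetSeconds -Server $firstPeer
    # /reliable:YES advertises this DC as a good time source to the rest of the domain
    & w32tm.exe /config /manualpeerlist:"$PeerList" /syncfromflags:MANUAL /reliable:YES /update | Out-Null
    & w32tm.exe /resync /rediscover | Out-Null
    [pscustomobject]@{
        Host         = $env:COMPUTERNAME
        Peers        = $PeerList
        OffsetBefore = $before
        OffsetAfter  = Get-TimeOffsetSeconds -Server $firstPeer
    }
}

function Test-ClientTimeSkew {
    # On a domain member: confirm the time source is a DC, measure skew, resync if past the threshold.
    param([string]$Dc = $env:LOGONSERVER.TrimStart('\'), [int]$Threshold = $MaxSkewSeconds)
    $source = (& w32tm.exe /query /source) -join ''
    if ($source -match 'Local CMOS Clock|Free-running System Clock') {
        Write-Warning "Time source is '$source': this machine is not syncing from the domain at all."
    }
    $skew = Get-TimeOffsetSeconds -Server $Dc
    if ([math]::Abs($skew) -gt $Threshold) {
        Write-Warning ("Skew {0:N1}s against {1} exceeds {2}s; Kerberos will reject this client. Resyncing." -f $skew, $Dc, $Threshold)
        & w32tm.exe /resync /force | Out-Null
        $skew = Get-TimeOffsetSeconds -Server $Dc
    }
    [pscustomobject]@{ Client = $env:COMPUTERNAME; Source = $source; Dc = $Dc; SkewSeconds = $skew }
}

# On the PDC emulator:       Set-PdcExternalTimeSource -PeerList $Peers
# On a Windows 7/10 client:  Test-ClientTimeSkew
```

The client check is worth running before blaming a user's clock: a source of "Local CMOS Clock" or "Free-running System Clock" means the machine has dropped out of the domain hierarchy entirely, and no amount of fixing the DC will help until that is corrected.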

 

 


Amazon Workspaces – Overview, Proof of Concept, and Pricing

Overview and Whitepaper:

Using the AWS Management Console, you can deploy high-quality cloud desktops for any number of users.

Strategies and Challenges for IT who deploy desktops (whitepaper):

Strategy challenges:

  • Timely employee request fulfillment
  • Supporting contractors and temporary staff with a productive workspace
  • Merger and acquisition assistance
  • Increased application development and engineering activity
  • Provide and manage temporary desktops

Greatest Challenges:

  • Security of endpoints
  • Threat Detection/Prevention
  • Corporate file access and protection
  • Improve collaboration
  • Maintain compliance
  • Complexity of technology
  • Managing a heterogeneous device environment
  • SSO to corporate apps
  • Rogue employee devices
  • Rogue applications housing corporate data
  • Supporting LOBs and executive devices and apps

On-premises Virtual Desktop Infrastructure (for example, building Terminal Server/RDS VDI or Citrix)

Upsides to On Premises Virtual Desktop Infrastructure:

  • Simplified management, centralized, hosted, managed, executed
  • Efficient provisioning and de-provisioning with standardized images allowing quick revoking of access
  • Centralized image management, proactive detection, rapid quarantine of suspicious behavior

Downsides to VDI:

  • Complex infrastructure that is difficult for IT to plan, configure, manage, and maintain.
  • Unfavorable economics that tip the ROI equation the wrong way: unused capacity, heavy upfront costs and cumbersome operations.
  • Unpredictable global access that depends on where users are, because of low network bandwidth and unacceptable latency.
  • Time-consuming implementations that involve multiple IT disciplines and months of planning, testing, and staging of infrastructure.
  • Difficult root cause analysis among multiple IT teams.

Amazon WorkSpaces Desktop as a Service: a viable alternative to VDI (hosted desktop service)

Employee Benefits:

  • Employees not tethered to traditional desktops or laptops.
  • No cumbersome VPN connections
  • Increased collaboration and communication with simplified virtual workspaces

Business Benefits:

  • Rapid scale up or down; new employees, mergers and acquisitions, global growth
  • Integrate, consolidate, and deliver services and apps
  • Reduce capital expenditures, operational costs and streamline IT maintenance and infrastructure management

IT Benefits

  • Ability to meet security policy requirements and compliance standards by using protocols to compress, encrypt, and encode data so only images are transmitted and data no longer resides on local devices.
  • Enables creation of developer-style environments, granting developers quick and secure access to end-user environments for seamless dev testing, without impeding user productivity.
  • Allows devs to move fast and fail fast with access to desktop resources when they need them.
  • Keeps business data secure, centrally managed, and accessible to users.
  • Places productive workspace in the hands of end-users near instantaneously, while supporting secure access from multiple device types.
  • Manages apps centrally with the ability to securely package, deploy, and maintain a productive user environment.
  • Deliver a productive environment for users without the task of configuring a desktop asset.

Proof of Concept 

*Note: our org already has a VPN connection between Amazon AWS and our on-prem domain and domain controllers. This is what lets Amazon's connector find our domain. Review the architectural diagram below to make sure you're comfortable with how WorkSpaces fits into your AWS presence and VPCs.

  1. Log into AWS, > Workspaces > Get started
  2. Create the AD Connector (the post used the Administrator account to connect) and also add the WorkDocs Sync feature. For anything beyond a proof of concept, use a dedicated service account that holds only the delegated rights AWS lists for AD Connector (read users and groups, create computer objects, join computers to the domain) rather than a Domain Admin: the connector keeps those credentials and uses them for every lookup and domain join.
  3. Create New Workspace > Choose Directory (local.domain.com) > search for user > jcoltrin (username: domain\jcoltrin) > add selected > Next > Select: Standard with Windows 7 (later I will add MS volume license for Office and other applications and then create an image.)
  4. I chose Performance: 2 vCPU, 7.5 GiB Memory – Hourly
  5. Download the Workspaces client here: https://clients.amazonworkspaces.com/
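A check for the AD Connector service account described in step 2. This is an added example, not from the original post or from AWS. It assumes the RSAT ActiveDirectory module and uses a hypothetical account name (svc-adconnector) and a hypothetical target OU; replace both. It reports nested membership in built-in privileged groups, what the account can actually do on the OU the connector joins computers into, and the account's password settings, and flags a Domain Admin or full-control delegation as over-privileged, since the ability to create computer objects in that OU (plus the read rights AWS documents) is all the connector needs.

```powershell
# Added example, not from the original post or from AWS. Assumes the RSAT ActiveDirectory module.
# Hypothetical names: the service account and the OU the connector joins computers into; replace both.
Import-Module ActiveDirectory
$ServiceAccount = 'svc-adconnector'
$TargetOu       = 'OU=WorkSpaces,DC=local,DC=domain,DC=com'

# Built-in groups the connector account must never be a member of
$PrivilegedGroups = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators',
                    'Account Operators','Server Operators','Backup Operators'

function Get-AdConnectorAccountReport {
    param([string]$Account = $ServiceAccount, [string]$Ou = $TargetOu)

    $user = Get-ADUser -Identity $Account -Properties PasswordNeverExpires, PasswordLastSet

    # LDAP_MATCHING_RULE_IN_CHAIN walks nested membership, so svc -> SomeGroup -> Domain Admins is caught
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
              Select-Object -ExpandProperty Name
    $privileged = @($groups | Where-Object { $_ -in $PrivilegedGroups })

    # Schema GUID of the 'computer' class, so object-specific ACEs can be recognised
    $schemaNc     = (Get-ADRootDSE).schemaNamingContext
    $computerGuid = [guid](Get-ADObject -SearchBase $schemaNc -LDAPFilter '(ldapDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID

    # ACEs on the target OU granted to this account (Get-Acl works through the AD: drive the module mounts)
    $aces        = @((Get-Acl -Path "AD:\$Ou").Access | Where-Object { $_.IdentityReference -like "*\$Account" })
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $genericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    # CreateChild limited to computer objects (or unrestricted CreateChild) is what domain join needs
    $canCreateComputers = [bool]@($aces | Where-Object {
        (($_.ActiveDirectoryRights -band $createChild) -ne 0) -and
        ($_.ObjectType -eq $computerGuid -or $_.ObjectType -eq [guid]::Empty) })
    # Full control on the OU is far more than the connector needs
    $fullControl = [bool]@($aces | Where-Object { ($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll })

    $createOn = if ($canCreateComputers) { $Ou } else { '(none)' }
    $verdict  = if ($privileged.Count -gt 0 -or $fullControl) { 'OVER-PRIVILEGED' } else { 'OK' }

    [pscustomobject]@{
        Account              = $Account
        PrivilegedGroups     = ($privileged -join ',')   # expected: empty
        CanCreateComputersOn = $createOn                 # expected: the connector's OU
        FullControlOnOu      = $fullControl              # expected: False
        PasswordNeverExpires = $user.PasswordNeverExpires
        PasswordLastSet      = $user.PasswordLastSet
        Verdict              = $verdict
    }
}

Get-AdConnectorAccountReport | Format-List
```

Run it from a domain-joined admin workstation before and after you delegate rights on the OU; the goal is a report whose PrivilegedGroups column is empty, whose CanCreateComputersOn names the connector's OU, and whose FullControlOnOu is False.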

I sent myself the connection email which looks like the following:

————————-

Dear Jason,

A new Amazon WorkSpace has been provided for you. Follow the steps below to quickly get up and running with your WorkSpace:

1. Download and install a WorkSpaces Client for your favorite devices:

https://clients.amazonworkspaces.com/

2. Launch the client and enter the following registration code: XXxxXX+xxXXxx

3. Login with your Network/Domain password. Your username is jcoltrin

If you have any issues connecting to your WorkSpace, please contact your administrator.

Sincerely,

Amazon WorkSpaces

————————–

After the client verifies the registration code, log into the new virtual workspace with your domain credentials.

After logging in you may receive the following notice if resuming the workspace:

After logging in I received the following desktop:

Notice the following in the desktop image:

  • Network Drives mapped
  • Local and Remote Printers are created
  • Corporate desktop background
  • The computer is now a member of the domain with the computer name IP-AC1F5261
  • Icons available for AWS applications and Directory Sync (share files with my local workstation)

Finalizing for Production and Production Notes:

  • Finalize image with all necessary applications and test. Build your gold Images
  • Enlist a user to test running the workspace in production and adjust applications/workspace as necessary
  • Deploy to a set of users.
  • Rent before buy, buy before build.
  • Aligned with cloud technology
  • Builds on existing AWS infrastructure
  • Straightforward architecture
  • Give it to users and see how they like it
  • Multi-Region vs Single Region – within each region are availability zones. One workspace is not available in all regions. When building VPC, figure out which subnets support workspaces.
  • Subnets are fixed, build to allow for growth.
  • Workspaces are attached to AD connectors. You cannot move an old Workspace between AD Connectors. If availability zone becomes unavailable, then workspaces are unavailable. Use multiple availability zones to allow for this.
  • Only allow Windows devices with certificates to connect, etc. You're going to have several AD Connectors: a production AD Connector and a testing AD Connector. Set up a pure sandbox somewhere else for testing.
  • Each AD Connector drops computers into a single OU, so one option is a separate AD Connector per department, e.g. only accounting can connect from a certain department, or users cannot authenticate from outside, only on-prem. Create an AD Connector for consultants that drops them into a separate subnet with monitoring.
  • WorkSpaces IP addresses stay forever; they persist across rebuilds etc. You cannot assign IPs.
  • One VPC for workspaces.
  • Better segregation between work and personal side of things. BYOD is nice – pane of glass. Devs have good separation.
  • This gets Windows on a Mac better than Boot Camp
  • Reduced operational overhead, light-weight devices, drop them in mail ready to go. Send the registration code. People are lining up to get onboard. Tougher to please users are ecstatic about workspaces. Once implemented, IT itself will not go back to before.
  • Run pilots.
  • Replace end-of-life desktops
  • Great for Mergers and acquisitions
  • Users could connect with Zero client at the office and Home computer at home
  • Allow deployment of Zero clients in all facilities and retrofits
  • Hoteling/shared workspace areas. Smaller sites only need internet connectivity, not a WAN-enabled site.
  • Scalable and global
  • No upfront CapEx
  • Capacity-on-demand
  • Rate of innovation – customers drive features at Amazon
  • Instrumentation and controls – complexity and cost of on-prem is daunting
  • Cost savings – financial benefits – get out of the business of providing physical PC’s, building and configuring VDI service is complicated and costly, focus on service not infrastructure.
  • Workspaces API & CLI integration
  • Same image/applications leverage multiple Geos, ability to grow into other areas
  • Having the desktop in the cloud makes patch compliance easier
  • Enabling support staff opportunities – support users all over world, help desk reps
  • Enable end users – automate the whole thing & allow user to migrate their data.

Pricing:

https://aws.amazon.com/workspaces/pricing/

https://aws.amazon.com/directoryservice/pricing/

There are two main options for WorkSpaces: Monthly pricing and Hourly pricing.

At 160 hours per month, a “Performance” workspace under the Hourly pricing model would cost $7.25 + 160 × $0.57 = $98.45.

The same “Performance” workspace under Monthly pricing would cost $55.

$55 × 12 months = $660

A new Dell 7050 PC typically costs $800.

So it would take about 14.5 months of Monthly payments ($800 / $55), a little over a year and a quarter, to reach the cost of a normal desktop PC. Hourly pricing only comes out cheaper for a Performance workspace used less than roughly 80 hours a month ($7.25 + 84 × $0.57 ≈ $55).

Hardware Options

Bundle     Hardware                                         Root volume  User volume  Monthly pricing  Hourly pricing
Value      1 vCPU, 2 GiB memory                             80 GB        10 GB        $25              $7.25/month + $0.22/hour
Value      1 vCPU, 2 GiB memory                             80 GB        50 GB        $28              $9.75/month + $0.22/hour
Value      1 vCPU, 2 GiB memory                             80 GB        100 GB       $31              $13/month + $0.22/hour
Value      1 vCPU, 2 GiB memory                             175 GB       100 GB       $36              $19/month + $0.22/hour
Standard   2 vCPU, 4 GiB memory                             80 GB        10 GB        $33              $7.25/month + $0.30/hour
Standard   2 vCPU, 4 GiB memory                             80 GB        50 GB        $35              $9.75/month + $0.30/hour
Standard   2 vCPU, 4 GiB memory                             80 GB        100 GB       $38              $13/month + $0.30/hour
Standard   2 vCPU, 4 GiB memory                             175 GB       100 GB       $44              $19/month + $0.30/hour
Performance 2 vCPU, 7.5 GiB memory                          80 GB        10 GB        $55              $7.25/month + $0.57/hour
Performance 2 vCPU, 7.5 GiB memory                          80 GB        50 GB        $57              $9.75/month + $0.57/hour
Performance 2 vCPU, 7.5 GiB memory                          80 GB        100 GB       $60              $13/month + $0.57/hour
Performance 2 vCPU, 7.5 GiB memory                          175 GB       100 GB       $66              $19/month + $0.57/hour
Power      4 vCPU, 16 GiB memory                            80 GB        10 GB        $70              $7.25/month + $0.68/hour
Power      4 vCPU, 16 GiB memory                            80 GB        50 GB        $72              $9.75/month + $0.68/hour
Power      4 vCPU, 16 GiB memory                            80 GB        100 GB       $74              $13/month + $0.68/hour
Power      4 vCPU, 16 GiB memory                            175 GB       100 GB       $78              $19/month + $0.68/hour
Graphics   8 vCPU, 15 GiB memory, 1 GPU, 4 GiB video memory 100 GB       100 GB       (not listed)     $22/month + $1.75/hour
Additional storage: $0.10/GB

Conclusion

Overall, I really like WorkSpaces; it was simple to set up and run. I believe the remote workspace from AWS can work very well for the enterprise and provides the flexibility to expand, create different images for different users easily, and keep data safe at AWS by only sending graphics/pixels over the wire. People can use their own BYOD devices such as Chromebooks to perform their jobs.

The only drawback I’ve encountered is workspaces does not provide a pass-through video / camera devices for Skype video calls. If a user needs to use Skype or other video conferencing, they will have to start their call “outside” of Workspaces.

Let me know what you think about the product and this write-up.

 


Cannot connect to Server 2008 R2 with RDP broken – Interactive Logon Initialization Process has Failed

ESXi 5.5 – recently I tried to RDP into my Server 2008 R2 machine without success. Looking at the console, I get the message: “Interactive logon process initialization has failed. Please consult the event log for more details.” My first reboot of the machine did an automatic check disk. I can no longer log into the machine either via RDP or on the console. I'd like not to have to rebuild this system, as it is my only stand-alone DC in my home lab. I'm going to bring up a separate DC and then do a DCPROMO; however, below are the steps I took to resolve the issue, albeit unsuccessfully. Some of these steps may work for you. I was hoping I could mark this process as “Solved” but I haven't gotten there yet...

Event log says:

  • Event 4005 Winlogon – The windows logon process has unexpectedly quit
  • Event 33 SideBySide – Activation context generation failed for "C:\Windows\system32\LogonUI.exe". Dependent Assembly Microsoft.Windows.Common-controls.Resources,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found. Please use sxstrace.exe for detailed diagnosis.

These errors all seem to have started on 8/8/16 when the following events occurred:

Error: 36888 – Schannel – The following fatal alert was generated: 10. The internal error state is 1203

Event 56 – The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP: 223.x.x.x, which is a Hong Kong IP. Prior to that are many Event 1012 – Remote session from client name a exceeded the maximum allowed failed logon attempts. The session was forcibly terminated.

I pulled the machine off the internet and the network in case it’s been compromised. On second thought I should probably kill this machine with fire!

Things I have tried that did not resolve the problem:

  • Boot into safe mode
  • Edited RDP settings on my workstation to use less resolution and video bit depth
  • Increased Virtual Machine’s system memory size as suggested, went from 3GB to 7GB
  • Booted to SystemRescueCD and replaced c:\windows\system32\LogonUI.exe – did this by booting the VM to a SystemRescueCD.iso (startx) and then mounting the NTFS file system with the instructions here. Next I changed the root password with passwd, connected to the VM with FileZilla on port 22, and renamed/moved the files.
  • Hotfix 437977 – Windows6.1-KB2615701-v2-x64.msu – because I cannot get into the system to run this, I started Task Scheduler on the remote server from my workstation and attempted to have the .msu run, but get the error: the application has failed to start because its side-by-side configuration is incorrect.
  • Booted the VM to a Server2008R2.iso, Repair your Computer > command prompt,
    sfc /scannow /offbootdir=c:\ /offwindir=c:\windows

    didn’t work. Then tried command prompt > “cd sources” > StartRep.exe didn’t help.

Any suggestions? Has anyone gotten past this error? I can still connect to the machine by any means (MMC consoles such as Event Viewer and Task Scheduler) other than a GUI console.

Edit: I gave up on trying to fix the issue – this is the reason we back up our VMs, and in this case I'm glad I had a good working backup. If you find a way to resolve it, please drop a note; otherwise, make sure you have good backups of your DCs: the VM as a bare-metal backup and the System State (separately).
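The Event 1012 and Event 56 entries above are the RDP-side trace of a password-guessing run; the Security log records the same attempts as Event 4625 (failed logon) together with the source address. The PowerShell below is an added example, not code from the original post: it summarises 4625 events by external source IP so a run like this shows up as one line per attacker, with the accounts tried and the time window. The sample events are constructed (203.0.113.45 is a documentation address, not the real 223.x.x.x source) and the threshold is an assumption; the commented Get-WinEvent lines show how to feed it the live log or a .evtx exported from a VM that has been taken off the network.

```powershell
# Added example, not from the original post. Summarises Security-log 4625 (failed logon) events by source IP.
# Sample events below are constructed; 203.0.113.0/24 is a documentation range, not the real attacker.

function ConvertFrom-LogonEventXml {
    # Pulls the fields we need out of one event's XML (what Get-WinEvent's .ToXml() returns)
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $doc = [xml]$Xml
        $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
        $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
        $data = @{}
        foreach ($d in $doc.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        [pscustomobject]@{
            Time      = [datetime]$doc.SelectSingleNode('/e:Event/e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
            EventId   = [int]$doc.SelectSingleNode('/e:Event/e:System/e:EventID', $ns).InnerText
            User      = $data['TargetUserName']
            LogonType = $data['LogonType']
            IpAddress = $data['IpAddress']
        }
    }
}

function Test-PrivateIp {
    # True for RFC1918/loopback and for anything that is not a parseable IPv4 address ('-', '::1', ...)
    param([string]$Ip)
    $addr = [ipaddress]::None
    if (-not [ipaddress]::TryParse($Ip, [ref]$addr) -or $addr.AddressFamily -ne 'InterNetwork') { return $true }
    $b = $addr.GetAddressBytes()
    ($b[0] -eq 10) -or ($b[0] -eq 127) -or ($b[0] -eq 192 -and $b[1] -eq 168) -or ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31)
}

function Get-RdpBruteForceSummary {
    # Groups failed logons by external source IP. LogonType 10 = RemoteInteractive (RDP); 3 = Network (RDP with NLA)
    param([Parameter(Mandatory)][psobject[]]$Events, [int]$Threshold = 10)
    $Events |
        Where-Object { $_.EventId -eq 4625 -and ($_.LogonType -in @('3','10')) -and -not (Test-PrivateIp $_.IpAddress) } |
        Group-Object IpAddress |
        Where-Object Count -ge $Threshold |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object Time
            [pscustomobject]@{
                IpAddress = $_.Name
                Failures  = $_.Count
                Users     = (($_.Group.User | Sort-Object -Unique) -join ',')
                First     = ($sorted | Select-Object -First 1).Time
                Last      = ($sorted | Select-Object -Last 1).Time
            }
        } | Sort-Object Failures -Descending
}

# Live use: the Security log on the box, or a .evtx exported from a VM you have taken off the network
#   $live = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} | ForEach-Object { $_.ToXml() } | ConvertFrom-LogonEventXml
#   $live = Get-WinEvent -Path .\Security.evtx -FilterXPath '*[System[EventID=4625]]' | ForEach-Object { $_.ToXml() } | ConvertFrom-LogonEventXml

# Constructed sample: 12 failures from one external address cycling through common names, plus one internal typo
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4625</EventID><TimeCreated SystemTime="{0}"/></System><EventData><Data Name="TargetUserName">{1}</Data><Data Name="LogonType">{2}</Data><Data Name="IpAddress">{3}</Data></EventData></Event>
'@
$users  = 'administrator','admin','a'
$sample = @()
foreach ($i in 1..12) {
    $sample += $template -f ("2016-08-08T03:{0:00}:00.000Z" -f $i), $users[$i % 3], '10', '203.0.113.45'
}
$sample += $template -f '2016-08-08T09:15:00.000Z', 'jcoltrin', '10', '192.168.1.50'

$events = $sample | ConvertFrom-LogonEventXml
Get-RdpBruteForceSummary -Events $events -Threshold 5 | Format-Table -AutoSize
```

Pointing the script at an exported .evtx rather than the running server is the right habit once a box is suspected of compromise: it lets you answer "which accounts were tried, and did any attempt ever succeed" (swap 4625 for 4624 and keep the same IP grouping) without trusting the machine you are investigating.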
