Frequently Asked Questions (FAQ)
Using a Reliable Time Source
A reliable time source is especially important if you use Windows Servers with Active Directory (AD). All servers and systems in an AD environment should be running on exactly the same time.
We recommend that you use an internet time source on your first Domain Controller, otherwise known as the PDC emulator. You can also use this setting on additional domain controllers.
Run the following commands from an administrative command prompt on your Domain Controller(s).
net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:"0.uk.pool.ntp.org 1.uk.pool.ntp.org"
w32tm /config /reliable:yes
net start w32time
Use the following commands:
w32tm /query /configuration - This enables you to see what NTP settings you are using.
w32tm /query /status - This enables you to see the current performance of the time service, including its connection to the NTP server.
If the w32tm /resync command fails, or w32tm /query /status shows that the system is still using a CMOS clock, then the NTP server is likely blocked.
Untick the Time Synchronisation option under Integration Services, in the virtual machine's settings.
The User Profile
In some situations it may be necessary to delete a user's network profile. This may be required when the profile has been corrupted. When roaming profiles are used and a user logs onto a machine, their profile is downloaded from the server to the local machine. This means that when the profile needs to be deleted, it is recommended to delete the profile from both the network server and the local machine. Otherwise, on the next login, the user may be given the cached local copy of the profile, and this will be copied back up to the server when they log out.
Deleting the Profile from the Server
The user profile path above shows that the profile is stored on the server "master" and the share name is profile$.
Note: If you have multiple users sharing the same profile, this is likely a mandatory profile and not a roaming profile. You should not need to delete a mandatory profile and should seek further advice if you are experiencing profile corruption.
We recommend that, after deleting the profile from the server, you delete the user's cached profile on their PC.
When you run Windows Update on a Microsoft Windows Server with Hyper-V - the "host" - this may update the virtual server components within Windows. This may then require that you update the virtual tools, software and drivers that run inside the Virtual machines running on that Host. These tools, software and drivers are known as the "Integration Services".
Use the method below to push out a computer startup script via Group Policy. Computer startup scripts are a useful way of making changes that need to happen regardless of which user is logged on.
This article is intended for system administrators who are new to using group policies.
The example below deploys the LANPWR.VBS script to disable a LAN or wireless LAN adapter's power management.
Recommendation: Always test network changes on a small group of machines before deploying the improvement. Where possible, implement the change room by room or department by department and monitor the situation for any unexpected side effects.
Things to Remember
Legacy Windows XP clients run at best Internet Explorer 8. You may experience problems when trying to push out Proxy and Homepage settings through Internet Explorer Group Policy Preferences, or Internet Explorer Maintenance (Policies > Windows Settings > Internet Explorer Maintenance). The settings may not apply and an error message may not be logged in the system event log.
This can be caused by:
Reminder: The Group Policy Preferences client is an optional extra for Windows XP SP2 and Windows XP SP3. If this client is not installed on Windows XP all Group Policy preferences are automatically ignored.
A sample registry file and script is attached. Edit the registry file with Notepad to add your proxy settings and change your Homepage.
Note: Always test Policy changes against a test OU and a test user account first. When confident that the setting is working as desired, then gradually roll out the change, ensuring that you test that the setting is working as desired with no detrimental effects.
This method is designed for Windows XP; however, it may also work for Windows 7 clients. If attempting to use this with Windows 7, please test thoroughly and again ensure that you have only one method applied to make the change (including both user and computer settings).
If you need to use separate methods for Windows XP and Windows 7 machines for this user based method, then you will need two policies, one for Windows XP and one for Windows 7. Each policy will then need a WMI filter applied to filter the right policy to the right machines.
Libraries are a feature of Windows 7 and later which allow multiple locations to be grouped together for the user to save or find documents.
On managed networks, some of the default library locations allow users to save content to the local machine's C drive even when the Document folders have been redirected, and even when access to the local C drive has been hidden. The default library locations include the user's redirected document locations etc., and also the machine's Public library locations such as C:\Users\Public.
Users could inadvertently save content to the local machine's C drive either if the network location becomes unavailable, or by selecting the incorrect library as the default save location. If the user then switches machines, the content they saved will become unavailable to them. Additionally, the content they saved may become available to other users.
How to Remove Public Libraries
To prevent users from saving to Public library folders, some system administrators have used group policy registry hacks to turn off Windows 7 library features altogether. This is not recommended as Windows needs library features to use search and indexing properly, and also turning Public libraries back on after using this method is not easy.
Instead, a better method is to use the Microsoft SHLIB utility to remove the Public library from the user's profile, using a user login script deployed using group policy.
An example script is attached to this article; you will need to modify the batch file to show where you have placed a copy of SHLIB on the network.
The public library location may be available on the user's first logon only, until the setting is removed from their profile. Subsequent logons shouldn't have the public library locations.
The file is also available here.
Note: This solution has not been tested on Windows 8 / Windows 8.1
Outlook clients report a Certificate name Mismatch after an SSL Certificate is added to an Exchange Server
"The name on the security certificate is invalid or does not match the name of the site"
This message appears frequently, usually within a few moments of opening Outlook.
The cause is that Outlook clients are passed the certificate by the server, and have noted that the webmail address of the certificate does not match the internal name of the server.
Internal Server name: exchange.local
Webmail address: http://webmail.company.net/owa
Certificates that reference domains which a company does not own are now usually not available. For example, you will likely not be able to purchase a certificate that contains both your webmail address (a domain which you own) and your internal addressing scheme (for example, .local), which you do not own.
One solution to this is to use an internal addressing scheme which matches the domain that you own. For many companies, this is not practical without an entire forest migration.
The solution is to modify settings within the Exchange server so that Outlook clients reach the resources that they need using the external address.
Set-WebServicesVirtualDirectory -Identity "exchange\EWS (Default Web Site)" -InternalUrl https://webmail.company.net/ews/exchange.asmx
Set-OABVirtualDirectory -Identity "exchange\oab (Default Web Site)" -InternalUrl https://webmail.company.net/oab
This last command is not required on Exchange 2010:
Set-UMVirtualDirectory -Identity "exchange\unifiedmessaging (Default Web Site)" -InternalUrl https://webmail.company.net/unifiedmessaging/service.asmx
Always test changes immediately, ensuring that both Outlook clients and webmail clients function correctly.
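A check for the mismatch described above, as an added example that is not part of the original article: it compares the host name in each service URL with the DNS names on the certificate and flags the ones Outlook would warn about. The function name Test-CertNameCoverage and the sample URL list are constructed for illustration; only exchange.local and webmail.company.net come from the article.

```powershell
# Added example (hypothetical helper, not from the article or from Exchange).
function Test-CertNameCoverage {
    param(
        [Parameter(Mandatory)] [string[]] $Url,       # service URLs handed to Outlook
        [Parameter(Mandatory)] [string[]] $CertName   # DNS names listed on the certificate
    )
    foreach ($u in $Url) {
        $uri      = [Uri]$u
        $hostName = $uri.Host.ToLowerInvariant()
        $covered  = $false
        foreach ($name in $CertName) {
            $n = $name.ToLowerInvariant()
            if ($n.StartsWith('*.')) {
                # A wildcard covers exactly one extra label: *.company.net matches
                # webmail.company.net but not a.b.company.net or company.net itself.
                $suffix = $n.Substring(1)              # e.g. ".company.net"
                if ($hostName.EndsWith($suffix)) {
                    $label = $hostName.Substring(0, $hostName.Length - $suffix.Length)
                    if ($label.Length -gt 0 -and -not $label.Contains('.')) { $covered = $true }
                }
            } elseif ($n -eq $hostName) {
                $covered = $true
            }
        }
        [pscustomobject]@{
            Url     = $u
            Host    = $hostName
            Https   = ($uri.Scheme -eq 'https')   # plain http is never protected by the certificate
            Covered = $covered
        }
    }
}

# Constructed sample input: one URL still on the internal name, two already changed.
$urls = @(
    'https://exchange.local/ews/exchange.asmx',
    'https://webmail.company.net/oab',
    'https://webmail.company.net/unifiedmessaging/service.asmx'
)
$certNames = @('webmail.company.net')

# Rows with Covered = False are the URLs that still trigger the name-mismatch prompt.
Test-CertNameCoverage -Url $urls -CertName $certNames | Format-Table -AutoSize
```

On the Exchange server, the URL list can be taken from the InternalUrl values returned by Get-WebServicesVirtualDirectory and Get-OABVirtualDirectory instead of the constructed sample.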
If you require additional information, please contact Stone support. A range of support services are available to assist customers.
Operating system deployment fails with the following error:
"The Computer Restarted unexpectedly or encountered an unexpected error. Windows Installation cannot proceed. To install Windows, click "OK" to restart the computer, and then restart the installation."
On the screen with the error message above try the following steps:
Group Policy User Login Scripts
This type of login script has long been used to assign resources or settings to users which cannot easily be deployed through other group policy settings. Traditionally, group policy user login scripts are run as soon as the user logs in.
Starting with Windows 8.1 and Server 2012 R2, Group Policy login scripts run by default 5 minutes after login. This means that if your login script carries out essential user environment preparation work, the client may be unable to use their session as intended for 5 minutes.
Deploy a Group Policy Computer setting to override the delay. You will need to be running Server 2012 R2 to easily deploy this policy.
The policy is located in: Computer Configuration > Policies > Administrative Templates > System > Group Policy - Configure Login Script Delay. Set this to Disabled to eliminate the delay.