
Completely remove Symantec Antivirus and Symantec Endpoint Protection products

January 20, 2010 21 comments

NOTE: Please visit our new website at http://www.bestnetworksinc.com

 

The cleanwipe utility is used to completely remove Symantec Antivirus and Symantec Endpoint Protection products.

To obtain Cleanwipe please contact Symantec Technical support.
Once the utility has been obtained please follow these instructions:

This utility can be run on Windows 2000, Windows XP (32 and 64 bit), and Windows Server 2003 (32 and 64 bit.)

Warnings:
Do not run this utility on Windows NT, Windows 9x, or Windows Me.
Do not run this utility on systems that have Symantec AntiVirus 8.x or below installed.

You cannot select individual applications to remove.

CleanWipe may remove LiveUpdate.

CleanWipe will remove Virus Definitions if you select Yes to “Do you want to do a detailed MSI Product Code registry search?…”, even when selecting No to “If Virus Defs remain after uninstalling Symantec products do you want to uninstall the Virus Defs?”. If you have other Symantec applications that use the VirusDefs folder, it is recommended that you make a backup copy of the VirusDefs folder before running the CleanWipe tool. The VirusDefs folder is located under C:\Program Files\Common Files\Symantec Shared\

When using the CleanWipe utility, please be aware that it removes the following products and components from the computer:

Alert Management Server
Firewall Administrator
Quarantine Console
Quarantine Server
Symantec AntiVirus (Version 9.x and above)
Symantec AntiVirus Corporate Edition
Symantec Client
Symantec Client Firewall
Symantec Client Security
Symantec Endpoint Protection
Symantec Endpoint Protection Manager
Symantec LiveUpdate
Symantec Network Access Control
Symantec Sygate Enterprise Protection
Symantec System Center
Symevent

If you have other Symantec applications on the computer that depend on any of the applications listed above, those applications may not function properly. The customer may need to re-install the missing applications after running CleanWipe.

Note: The zip file is password protected.
Un-Zip Password: symantec

1. Extract the file to a new folder in a convenient location, such as the Desktop, using the un-zip password provided above.
2. Browse to the new folder and execute the utility by double clicking ‘CleanWipe.exe’
3. Follow the on-screen instructions.

The utility runs in verbose mode and will ask you about the components you want uninstalled.

Note: If the CleanWipe utility fails to remove Symantec Endpoint Protection, please proceed through the manual uninstall procedure for the version of the product you have installed.

You can find the manual uninstall instructions in the following document:

Title: How to manually uninstall Symantec Endpoint Protection client from Windows 2000, XP and 2003, 32-bit Editions
Solution ID: 2007073018014248
Document URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007073018014248

Title: ‘Manual uninstallation documents for Symantec Client Security products’
Solution ID: 2002031914291648
Document URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2002031914291648

————————————————[UPDATE]——————————————————–
You can use CLEANWIPE from Symantec to remove the AV and all other associated applications.

To download the utility, open the following web page in a browser:
https://fileshare.symantec.com
Log in with the following information:

Login ID: cleanwipeutility
Password: CL3@nw!p3

Once you have downloaded the utility, follow the extraction, run and manual-uninstall instructions given above; they are unchanged, including the un-zip password.

Windows Server 2003 R2 and Windows XP Time Synch Notes

November 21, 2009 Leave a comment

Time Synch: Windows Server 2003 R2 and Windows XP Pro in an Active Directory Domain

Some of you out there are perhaps having time synching problems – many of my clients did – so here are some notes that can help you fix the problem. Warning: these changes could prevent workstations from being able to log back into the server. Please read carefully, and if you have any questions please call us.

The problem: The Primary Domain Controller (PDC) server is off by minutes from the actual time. Workstations synch with the PDC server, and users may use applications that require the correct time – time-sheets, etc.

Traditionally, the LAN Administrator would log onto the server and correct the time manually. The server would be fine for a few months, and eventually someone would alert the LAN Administrator that the time is off again.

This is an issue with old servers that rely on their internal time clock. The internal time clock is powered by a battery, just like your watch, and once this battery no longer recharges the time constantly needs to be set manually. As part of the solution, you could also change the internal CMOS battery. However, nowadays almost everyone has access to the internet and there are other solutions to this problem. One solution is presented here – I use this solution internally in our network and it works great.

The traditional method to synch the workstation clock with the server also needs to be recognized as part of the problem as this is a manual command that needs to be automated.

C:\Users\ENDUSERNAME.BESTNETWORKS>net time \\server /SET
Current time at \\server is 11/21/2009 3:41:00 PM
The current local clock is 11/21/2009 3:41:00 PM
Do you want to set the local computer’s time to match the
time at \\server? (Y/N) [Y]: Y
The command completed successfully.

This command allows the workstation to synch its time against the file server.  I have implemented this command as part of the logon script many times.  I would like to find a better solution. Perhaps – Visual basic scripting or as part of a Group/Domain Policy.

[Microsoft Article ]

Synching to an Internal Time Source

The simplest solution to time synchronization in an Active Directory environment is to let the PDC Emulator in the forest root domain use its own CMOS clock as the source of reliable time for the forest. To do this, you can simply take no action. The only annoying result is that you will occasionally see the following event logged to the System log in Event Viewer:

Event ID: 12

Event source: W32Time

Event description: Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

Basically, what this event means is that the PDC Emulator in the forest root domain has not been configured to synchronize its clock with an external stratum 1 time source, and as a result the clocks on all machines in your forest cannot be considered reliable. Now this may be an issue if employees rely upon their workstations’ CMOS clocks for signing in and out, but as far as Kerberos is concerned it’s a non-issue because Kerberos only requires that clocks on clients and authenticators agree with each other, not that they display accurate time. So if every machine’s clock in the forest is one hour late, Kerberos will still work fine and replay attacks will be prevented, which is the purpose of W32Time anyway.

Synching to an External Time Source

If you want to ensure that the clocks on your machines are more accurate in terms of absolute (and not just relative) time, you can sync the PDC Emulator in your forest root domain to one of the reliable time servers available on the Internet. This is a good idea if your company is a large enterprise with sites spanning several countries, or if your organization has two or more forests linked by forest trusts. The procedure for doing this on a PDC Emulator running Windows Server 2003 in the forest root domain is as follows. Open Registry Editor (regedit.exe) and configure the following registry entries:

1   HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type

This registry entry determines which peers W32Time will accept synchronization from. Change this REG_SZ value from NT5DS to NTP so the PDC Emulator synchronizes from the list of reliable time servers specified in the NtpServer registry entry described below.

2   HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags

This registry entry controls whether the local computer is marked as a reliable time server (which is only possible if the previous registry entry is set to NTP as described above). Change this REG_DWORD value from 10 to 5 here.

3   HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer

This registry entry specifies a space-delimited list of stratum 1 time servers from which the local computer can obtain reliable time stamps. The list may consist of one or more DNS names or IP addresses (if DNS names are used then you must append ,0x1 to the end of each DNS name). For example, to synchronize the PDC Emulator in your forest root domain with tock.usno.navy.mil, an open-access SNTP time server run by the United States Naval Observatory, change the value of the NtpServer registry entry from time.windows.com,0x1 to tock.usno.navy.mil,0x1 here. Alternatively, you can specify the IP address of this time server, which is 192.5.41.209 instead.

  • NOTE:  I’m not sure but…  if I’m working on a workstation (say Windows XP Pro or Vista) will it work if I change the name of the external server to the name of the internal domain controller server? After all, the PDC is already synchronizing against the external server per the steps above. I will test this on a Vista computer and later on an XP computer!!! The problem I have with this is that this is a manual change and I would like it best to be an automated change – especially if I have to do it on a client site with 100s of computers. Alternatively I would use the net time \\server /set < [mapped-drive path]\yes.txt command.

Now stop and restart the Windows Time service using the following commands:

4    net stop w32time  && net start w32time

It may take an hour or so for the PDC Emulator to fully synchronize with the external time server because of the nature of the polling method W32Time uses. Depending on the latency of your Internet connection, the accuracy of the CMOS clock on your forest root PDC Emulator may be within a second or two of UTC. If you need more accurate time however, you can purchase a hardware time source like an atomic clock and connect it to your PDC emulator.

Alternatively, if you don’t want to wait for time convergence to occur between your stratum 2 time server (your forest root PDC Emulator) and the external stratum 1 time server, you can run the following command on your PDC Emulator:

5    w32tm /resync /rediscover

Tip
There are additional registry settings you can configure to ensure external time synchronization operates effectively, see this article in the Microsoft Knowledge Base for details.
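
As an added example (not from the original post or the quoted article), this Python check takes the three W32Time values from steps 1 to 3, as they would be read back with reg query, and reports where they differ from the external-source setup described above. The function names and sample dictionaries are constructed for illustration, and AnnounceFlags bit 8 is taken from Microsoft's W32Time documentation rather than from this page.

```python
import ipaddress

# AnnounceFlags bits. 1, 2 and 4 are listed on this page; 8 comes from
# Microsoft's W32Time documentation (assumption: the default 10 is 2 + 8).
ANNOUNCE_BITS = {
    0x1: "always a time server",
    0x2: "automatic time server",
    0x4: "always a reliable time server",
    0x8: "automatic reliable time server",
}


def decode_bits(value, names):
    """Return the labels of the bits set in value, lowest bit first."""
    return [label for bit, label in sorted(names.items()) if value & bit]


def is_ip(host):
    """True when host is a literal IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_ntp_server(raw):
    """Split a space-delimited NtpServer value into (host, flags) pairs.

    flags is None when the entry carries no ",0x.." suffix.
    """
    peers = []
    for entry in raw.split():
        host, _, flag_text = entry.partition(",")
        flags = int(flag_text, 16) if flag_text else None
        peers.append((host, flags))
    return peers


def audit_external_sync(settings):
    """Compare W32Time values with the external-source setup described above.

    settings maps "Type", "AnnounceFlags" and "NtpServer" to their values.
    Returns a list of findings; an empty list means the values match.
    """
    findings = []
    if settings.get("Type") != "NTP":
        findings.append("Type is %r, expected NTP" % settings.get("Type"))
    announce = settings.get("AnnounceFlags", 0)
    if announce != 5:
        roles = ", ".join(decode_bits(announce, ANNOUNCE_BITS)) or "not a time server"
        findings.append("AnnounceFlags is %d (%s), expected 5" % (announce, roles))
    peers = parse_ntp_server(settings.get("NtpServer", ""))
    if not peers:
        findings.append("NtpServer is empty")
    for host, flags in peers:
        # The text above requires ,0x1 on DNS names; bare IP addresses are allowed.
        if flags is None and not is_ip(host):
            findings.append("peer %s is a DNS name without ,0x1" % host)
    return findings


# Constructed sample values: the defaults named in the steps, the values the
# procedure ends with, and a hand-edited list that forgot the ,0x1 suffix.
DEFAULTS = {"Type": "NT5DS", "AnnounceFlags": 10, "NtpServer": "time.windows.com,0x1"}
CONFIGURED = {"Type": "NTP", "AnnounceFlags": 5, "NtpServer": "tock.usno.navy.mil,0x1"}
MIXED = {"Type": "NTP", "AnnounceFlags": 5, "NtpServer": "tock.usno.navy.mil 192.5.41.209"}

if __name__ == "__main__":
    for name, cfg in (("defaults", DEFAULTS), ("configured", CONFIGURED), ("mixed", MIXED)):
        print(name, audit_external_sync(cfg) or "matches")
```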

All available synchronization mechanisms

The “all available synchronization mechanisms” option is the most valuable synchronization method for users who are on a network. This method enables synchronization with the domain hierarchy and may also provide an alternative time source if the domain hierarchy becomes unavailable, depending on the configuration. If the client cannot synchronize time with the domain hierarchy, the time source automatically falls back to the time source that is specified by the NtpServer setting. This method of synchronization is most likely to provide accurate time to clients.

Windows Time service registry entries

The following registry entries are located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\


Registry Entry: MaxPosPhaseCorrection
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Notes: This entry specifies the largest positive time correction in seconds that the service makes. If the service determines that a change larger than this is required, it logs an event. Special case: 0xFFFFFFFF means always make time correction. The default value for domain members is 0xFFFFFFFF. The default value for stand-alone clients and servers is 54,000 (15 hours).

Registry Entry: MaxNegPhaseCorrection
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Notes: This entry specifies the largest negative time correction in seconds that the service makes. If the service determines that a change larger than this is required, it logs an event instead. Special case: -1 means always make time correction. The default value for domain members is 0xFFFFFFFF. The default value for stand-alone clients and servers is 54,000 (15 hours).

Registry Entry: MaxPollInterval
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Notes: This entry specifies the largest interval, in log seconds, allowed for the system polling interval. Note that while a system must poll according to the scheduled interval, a provider can refuse to produce samples when requested. The default value for domain members is 10. The default value for stand-alone clients and servers is 15.

Registry Entry: SpecialPollInterval
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
Notes: This entry specifies the special poll interval in seconds for manual peers. When the SpecialInterval 0x1 flag is enabled, W32Time uses this poll interval instead of a poll interval determined by the operating system. The default value on domain members is 3,600. The default value on stand-alone clients and servers is 604,800.

Registry Entry: MaxAllowedPhaseOffset
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Notes: This entry specifies the maximum offset, in seconds, for which W32Time attempts to adjust the computer clock by using the clock rate. When the offset exceeds this rate, W32Time sets the computer clock directly. The default value for domain members is 300. The default value for stand-alone clients and servers is 1.

Other links:

http://www.windowsnetworking.com/articles_tutorials/Configuring-Windows-Time-Service.html?printversion

Sony AIT drive units are Out !???

November 10, 2009 Leave a comment

According to a Sony salesperson, Sony will no longer market or sell AIT tape units as of March 2010. For the price, these units were among the best in the market with a great proven functional record. I hope there is a Sony replacement for this great product.

[Sony Letter]

Sony Electronics Inc.

1 Sony Drive, Park Ridge, New Jersey 07656

October 2009

Dear Valued Sony AIT Tape Drive Customer:

This letter serves as a soft reminder to our channel partners that, as of March 2010, Sony Electronics Inc. will no longer be offering AIT drives or AIT library/automation systems. This difficult decision was made after careful review and consideration.

As stated in our previous letter issued in April 2009, Sony will continue to accept purchase orders for delivery through March 2010 subject to product availability, however, due to stronger than expected sales demand, we are already running out of inventory on some product lines, specifically AIT-2T, AIT-3 and AIT-5 tape drives.

As a result of this, we are compelled to inform you of the models which are still available for sales as of this date, as shown below;

Currently Available Models
Single drive: AITI100S, AITI100AS, AITI100ST, AITE100S, AITE100UL, AITI390S, AITE390S, AITI520S, AITE520S
Library / Autoloader: LIB81A3XBB, LIB81A3XBRBB, LIB162A3XBB, LIB81A4BB, LIB81A4BRBB, LIB162A4BB
E-mail archiving: OEASW500B1, OEABF1000B1, CV1UE2000B1

Easier Maintenance of Sony AIT-3 WORM Tape


Outlook attached documents and how it works – clarification

November 1, 2009 1 comment

Outlook by default saves all attached documents in a hidden (very well hidden) temporary folder.  The folder’s name varies…

The main intention of this folder is to provide an area on the computer where “safe” attachments can be opened on a temporary basis. This area is located inside the “Temporary Internet Files” folder, itself a hidden folder located inside the “Local Settings” folder, which is also a hidden folder located inside the user’s profile folder (not hidden), located inside “Documents and Settings” off the root directory.

The Problem: Here is the problem many users are having. First, this is a TEMPORARY folder and not a place to save any files, as this area is meant to be cleared after you exit Outlook.

Proper Steps: If you only need to read the attached file and no changes are made to the document, the process works as follows: you receive an e-mail message containing an Excel file “report.xls” and double-click on the file. This opens the file, automatically placing a copy of it in the temporary area. If all you do is read the file and then close it, the file is automatically removed from this temporary folder after you close the e-mail message that contains the attached file.

That is great for some messages; however, businesses are much more dynamic. The user often opens the file and makes changes to it. This is OK, as long as you save it in a different location (My documents\folder name\[Report.xls]). Note that this is no longer the same file attached to the e-mail message: you are not making changes to the original file attached to the e-mail message but to a different file. If all you do is click on Save, then another version of the file is stored in the TEMPORARY LOCATION; in this case it would be named report(1).xls. Let’s say that you now close Excel and the e-mail message, but then open the same e-mail message and again click on Save without changing the file location to a different folder: report(2).xls will appear, and so on.

The first time that you open an attached document (Word, Excel, PowerPoint, etc.), Outlook creates a new subdirectory under your Temporary Internet Files directory, and places the temporary file in the new subdirectory.

The name of the new subdirectory is unknown and is randomly generated before it is created.

The following paths are examples from three different operating systems.

  • Microsoft Windows 98
    C:\Windows\Temporary Internet Files\OLKC320
  • Microsoft Windows NT 4.0
    C:\WINNT\Profiles\”username”\Temporary Internet Files\OLK2
  • Microsoft Windows 2000
    C:\Documents and Settings\”username”\Local Settings\Temporary Internet Files\OLKCE
  • Microsoft Windows XP
    C:\Documents and Settings\”username”\Local Settings\Temporary Internet Files\OLK849\

I hope these notes help
Cesar
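
An added example, not part of the original post: a Python helper that finds the OLK subfolders under a Temporary Internet Files path and lists the report(1).xls-style copies that were saved there by mistake, so they can be moved somewhere permanent. The function names and the sample folder tree are constructed for illustration.

```python
import os
import re
import tempfile

# Folder names in the example paths above: OLK followed by random characters.
OLK_DIR = re.compile(r"^OLK[0-9A-Za-z]*$")
# "report(1).xls" -> base "report", copy number 1, extension ".xls"
NUMBERED_COPY = re.compile(r"^(?P<base>.+)\((?P<n>\d+)\)(?P<ext>\.[^.]*)?$")


def find_olk_folders(temp_internet_files):
    """Return the OLK* subfolders directly under a Temporary Internet Files path."""
    found = []
    for name in sorted(os.listdir(temp_internet_files)):
        path = os.path.join(temp_internet_files, name)
        if os.path.isdir(path) and OLK_DIR.match(name):
            found.append(path)
    return found


def group_attachment_copies(olk_folder):
    """Map each attachment name to the numbered copies saved beside it."""
    groups = {}
    for name in os.listdir(olk_folder):
        match = NUMBERED_COPY.match(name)
        if match:
            original = match.group("base") + (match.group("ext") or "")
            groups.setdefault(original, []).append((int(match.group("n")), name))
        else:
            groups.setdefault(name, [])
    # Order copies by their number, so report(10).xls sorts after report(2).xls.
    return {orig: [n for _, n in sorted(copies)] for orig, copies in groups.items()}


def stranded_copies(temp_internet_files):
    """List full paths of the numbered copies in every OLK folder found."""
    paths = []
    for folder in find_olk_folders(temp_internet_files):
        for copies in group_attachment_copies(folder).values():
            paths.extend(os.path.join(folder, name) for name in copies)
    return sorted(paths)


def build_sample_tree(root):
    """Create a constructed Temporary Internet Files layout for the demo."""
    olk = os.path.join(root, "OLK849")
    os.makedirs(olk)
    os.makedirs(os.path.join(root, "Content.IE5"))  # unrelated folder, must be ignored
    for name in ("report.xls", "report(1).xls", "report(2).xls", "invoice.doc"):
        with open(os.path.join(olk, name), "w") as handle:
            handle.write("constructed sample")
    return olk


def run_sample():
    """Run the scan over the constructed tree; return (groups, stranded file names)."""
    with tempfile.TemporaryDirectory() as root:
        olk = build_sample_tree(root)
        groups = group_attachment_copies(olk)
        names = [os.path.basename(path) for path in stranded_copies(root)]
        return groups, names


if __name__ == "__main__":
    sample_groups, sample_names = run_sample()
    print(sample_groups)
    print(sample_names)
```

On a real machine, pass the user's Temporary Internet Files path from the examples above to stranded_copies().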

Windows Time Service and Internet Communication

November 1, 2009 Leave a comment

©2009 Microsoft Corporation. All rights reserved.


This section provides information about the following:

  • The benefits of Windows Time Service
  • How Windows Time Service communicates with sites on the Internet
  • How to control Windows Time Service to limit the flow of information to and from the Internet
  • How to monitor and troubleshoot Windows Time Service after configuration is complete

Benefits and Purposes of Windows Time Service

Many components of Microsoft Windows Server 2003 rely on accurate and synchronized time to function correctly. For example, without clocks that are synchronized to the correct time on all computers, Windows Server 2003 authentication might falsely interpret logon requests as intrusion attempts and consequently deny access to users.

With time synchronization, you can correlate events on different computers in an enterprise. With synchronized clocks on all of your computers, you ensure that you can correctly analyze events that happen in sequence on multiple computers. Windows Time Service automatically synchronizes a local computer’s time with other computers on a network to improve security and performance in your organization.

Overview: Using Windows Time Service in a Managed Environment

Computers keep the time on their internal clocks, which allows them to perform any function that requires the date or time. For scheduling purposes, however, the clocks must be set to the correct date and time, and they must be synchronized with the other clocks in the network. Without some other method in place, these clocks must be set manually.

With time synchronization, computers set their clocks automatically to match another computer’s clock. One computer maintains very accurate time, and then all other computers set their clocks to match that computer. In this way, you can set accurate time on all computers.

Windows Time Service is installed by default on all computers running Windows Server 2003 and Windows XP. Windows Time Service uses Coordinated Universal Time (UTC), which is independent of time zone. Time zone information is stored in the computer’s registry and is added to the system time just before it is displayed to the user.

By default, Windows Time Service starts automatically on computers running Windows XP. In a domain, time synchronization takes place when Windows Time Service turns on during system startup and periodically while the system is running. In the default configuration, the Net Logon service looks for a domain controller that can authenticate and synchronize time with the client. When a domain controller is found, the client sends a request for time and waits for a reply from the domain controller. This communication is an exchange of Network Time Protocol (NTP) packets intended to calculate the time offset and round-trip delay between the two computers.

Note that computers running Windows Server 2003 use the Network Time Protocol (NTP), while computers running Windows 2000 use the Simple Network Time Protocol (SNTP).

How Windows Time Service Communicates with Sites on the Internet

In Windows Server 2003, Windows Time Service automatically synchronizes the local computer’s time with other computers on the network. The time source for this synchronization varies, depending on whether the computer is joined to a domain in the Active Directory directory service or to a workgroup.

When a Server Running Windows Server 2003 is Part of a Workgroup

In this scenario, the default setting for the time synchronization frequency is set to “once per week,” and this default setting uses the time.windows.com site as the trusted time synchronization source. This setting will remain until you manually set it otherwise. One or more computers might be identified as a locally reliable time source by configuring Windows Time Service on those computers to use a known accurate time source, either by using special hardware or a time source available on the Internet. All other workgroup computers can be configured manually to synchronize their time with these local time sources.

When a Server Running Windows Server 2003 is a Member of a Domain

In this scenario, Windows Time Service configures itself automatically, using the Windows Time Service that is available on the domain controllers.

Windows Time Service on a domain controller can be configured as either a reliable or an unreliable time source. Windows Time Service running on a client will attempt to synchronize its time source with servers that are indicated as reliable. Windows Time Service can configure a domain controller within its domain as a reliable time source, and it synchronizes itself periodically with this source. These settings can be modified or overwritten, depending on specific needs.

Communication Between Windows Time Service and the Internet

The following list describes various aspects of Windows Time Service data that is sent to and from the Internet and how the exchange of information takes place.

  • Specific information sent or received: The service sends information in the form of a Network Time Protocol (NTP) packet. For more information about Windows Time Service and NTP packets, see the references listed in “Related Links,” later in this section.
  • Default and recommended settings: Computers that are members of an Active Directory domain synchronize time with domain controllers by default. Domain controllers synchronize time with their parent domain controller. By default, the root parent domain controller will not synchronize to a time source. The root parent domain controller can be set to either synchronize to a known and trusted Internet-based time source, or a hardware time device that provides an NTP or SNTP interface. Its time accuracy can also be maintained manually. We recommend that you configure the authoritative time server to synchronize to a hardware source, not an Internet time source. For more information, see article 884776, “Configuring the Windows Time service against a large time offset” in the Microsoft Knowledge Base at: http://go.microsoft.com/fwlink/?LinkId=46021
  • Triggers and user notification: Windows Time Service is started when the computer starts. Additionally, the service will continue to synchronize time with the designated network time source and adjust the computer time of the local computer when necessary. Notification is not sent to the user.
  • Logging: Information related to the service is stored in the Windows System event log. The time and network address of the time synchronization source is contained in the Windows event log entries. Additionally, warning or error condition information related to the service is stored in the Windows System event log.
  • Encryption: Encryption is not used in the network time synchronization for domain peers. (Authentication, however, is used.)
  • Information storage: The service does not store information, as all information that results from the time synchronization process is lost when the time synchronization service request is completed.
  • Port: NTP and SNTP use User Datagram Protocol (UDP) port 123 on time servers. If this port is not open to the Internet, you cannot synchronize your server to Internet SNTP or NTP servers.
  • Protocol: The service on Windows Server 2003 implements NTP to communicate with other computers on the network.
  • Ability to disable: Disabling the service might have indirect effects on applications or other services. Applications and services that depend on time synchronization, such as Kerberos V5 authentication protocol, may fail, or they may yield undesirable results if there is a significant time discrepancy among computers. Because most computers’ hardware-based clocks are imprecise, the difference between computer clocks on the network usually increases over time.

Controlling Windows Time Service to Limit the Flow of Information to and from the Internet

Group Policy can be used to control Windows Time Service for computers that are running Windows Server 2003 to limit the flow of information to and from the Internet.

The synchronization type and NTP time server information can be managed and controlled through Group Policy. The Windows Time Service Group Policy object (GPO) contains configuration settings that specify the synchronization type. When the synchronization type is set to NT5DS, Windows Time Service synchronizes its time resource with the network domain controller. Alternatively, setting the type attribute to NTP configures Windows Time Service to synchronize with a specified NTP time server. The NTP server is specified by either its Domain Name System (DNS) name or its IP address when you select NTP as the synchronization type.

For more information about configuring Windows Time Service during deployment of products in the Windows Server 2003 family, see Designing and Deploying Directory and Security Services and Designing a Managed Environment in the Microsoft Windows Server 2003 Deployment Kit at:

http://go.microsoft.com/fwlink/?linkid=44319

Clients on a managed network can be configured to synchronize computer clock settings to an NTP server on the network to minimize traffic out to the Internet and to ensure that the clients synchronize to a single reliable time source. If you choose to do so, you can disable time synchronization for both non-domain and domain computers running Windows Server 2003 by using Group Policy. The procedures for configuring Windows Time Service are given at the end of this section of the white paper.

How Windows Time Service Can Affect Users and Applications

Windows components and services depend on time synchronization. For example, the Kerberos V5 authentication protocol on a Windows Server 2003 family domain has a default time synchronization threshold of five minutes. Computers that are more than five minutes out of synchronization on the domain will fail to authenticate using the Kerberos protocol. This time value is also configurable, allowing for greater or lesser thresholds. Failure to authenticate using the Kerberos protocol can prevent logons and access to Web sites, file shares, printers, and other resources or services within a domain.

When the local clock offset has been determined, the following adjustments are made to the time:

  • If the local clock time of the client differs from the time on the server by more than the threshold amount, Windows Time Service will change the local clock time immediately. The threshold is five minutes if the computer is part of a domain. For more information about Windows Time Service settings in a domain, see “Related Links” later in this section. The threshold is one second if the computer is part of a workgroup. However, if a computer is part of a workgroup and the time differs from the time source by more than 15 hours, the time is not synchronized, as described later in this list.
  • If the local clock time of the client differs from the server by less than the threshold amount, the service will gradually synchronize the client with the correct time.
  • In a workgroup, if the local clock time of the client differs from the time on a time source by more than 15 hours, a workstation running Windows Time Service and using default settings will not synchronize with the time source. Such occurrences are rare, and are often caused by configuration setting errors. For example, if a user sets the date on the computer incorrectly, the time does not synchronize. Under these circumstances, most often the time is off by a day or more. Be sure to check the computer’s calendar and ensure that the correct date has been set.
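
The NTP exchange mentioned in the overview above and the adjustment rules in this list can be tied together in code. This added Python example (not Microsoft's code) parses a constructed NTP reply, computes the offset and round-trip delay, and applies the default thresholds from the list; the function names and sample timestamps are assumptions, and the Kerberos check assumes the time source is the domain controller.

```python
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
KERBEROS_MAX_SKEW = 300         # default five-minute threshold from the text above


def to_ntp(unix_seconds):
    """Encode a Unix time as a 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * 2**32)
    return struct.pack("!II", whole + NTP_EPOCH_OFFSET, frac)


def from_ntp(data):
    """Decode a 64-bit NTP timestamp into Unix seconds."""
    seconds, frac = struct.unpack("!II", data)
    return seconds - NTP_EPOCH_OFFSET + frac / 2**32


def build_reply(originate, receive, transmit, stratum=2, mode=4):
    """Build a 48-byte NTP reply. Used here only to construct sample input."""
    first = (0 << 6) | (3 << 3) | mode           # leap 0, version 3, mode
    header = struct.pack("!BBbb", first, stratum, 6, -20)
    header += b"\x00" * 12                        # root delay, dispersion, reference id
    return (header + to_ntp(receive) + to_ntp(originate)
            + to_ntp(receive) + to_ntp(transmit))


def parse_reply(packet):
    """Extract the fields needed for the offset calculation from a reply."""
    if len(packet) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    mode = packet[0] & 0x07
    if mode != 4:
        raise ValueError("expected a server reply (mode 4), got mode %d" % mode)
    return {
        "stratum": packet[1],
        "originate": from_ntp(packet[24:32]),    # copy of the client's send time
        "receive": from_ntp(packet[32:40]),      # server clock on arrival
        "transmit": from_ntp(packet[40:48]),     # server clock on departure
    }


def offset_and_delay(reply, t1, t4):
    """Return (offset, round-trip delay) in seconds.

    t1 is the client clock when the request left, t4 when the reply arrived.
    A reply whose originate field does not echo t1 is rejected, since it does
    not answer this request.
    """
    if abs(reply["originate"] - t1) > 1e-6:
        raise ValueError("originate timestamp does not match the request")
    t2, t3 = reply["receive"], reply["transmit"]
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def assess(offset, domain_member):
    """Apply the default thresholds described above to a measured offset."""
    size = abs(offset)
    if not domain_member and size > 15 * 3600:
        action = "no sync"                        # workgroup, more than 15 hours
    elif size > (300 if domain_member else 1):
        action = "step"                           # clock set immediately
    else:
        action = "slew"                           # clock adjusted gradually
    # Assumption: the measured source is the domain controller, so the offset
    # is also the skew that Kerberos sees.
    return {"action": action, "kerberos_ok": size <= KERBEROS_MAX_SKEW}


# Constructed sample: a domain member whose clock is 400 s slow, with 0.25 s
# of network delay each way and 0.5 s spent on the server.
T1 = 1258818060.0
SAMPLE_REPLY = build_reply(T1, T1 + 400.25, T1 + 400.75)
T4 = T1 + 1.0

if __name__ == "__main__":
    off, rtt = offset_and_delay(parse_reply(SAMPLE_REPLY), T1, T4)
    print("offset %.3f s, delay %.3f s" % (off, rtt))
    print(assess(off, domain_member=True))
```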

Configuration Settings for Windows Time Service

You can set the global configuration settings for Windows Time Service by using Group Policy. The settings that might be relevant to communication between Windows Time Service and the Internet are described in this subsection.

In Computer Configuration\Administrative Templates\System\Windows Time Service\Global Configuration Settings, there is only one setting that might, in certain scenarios, affect the way that Windows Time Service communicates when the computer is in a domain. This setting is AnnounceFlags, which controls whether this computer is marked as a reliable time server. A computer is not marked as reliable unless it is also marked as a time server. The settings are as follows:

  • 0 Not a time server
  • 1 Always a time server
  • 2 Automatic time server, meaning the role is decided by Windows Time Service
  • 4 Always a reliable time server
  • 8 Automatic reliable time server, meaning the role is decided by Windows Time Service

The default is 10, meaning that Windows Time Service decides the role.

In the Group Policy settings located in Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers, there are a number of settings that might affect the way that Windows Time Service communicates across the Internet. The following table describes some of these policy settings.

Note
The table lists the settings that most directly affect the way Windows Time Service communicates with time sources, but the table does not list all settings. For example, it does not list the setting that specifies the location of the Windows Time Service DLL or the setting that controls the logging of events for Windows Time Service.

Selected Group Policy Settings for Configuring the Windows Time Service NTP Client for Computers Running Windows Server 2003

| Policy Setting | Effect of Setting | Default Setting |
| --- | --- | --- |
| NtpServer | Establishes a space-delimited list of peers from which a computer obtains time stamps, consisting of one or more DNS names or IP addresses per line. Computers connected to a domain must synchronize with a more reliable time source, such as the official U.S. time clock. This setting is used only when Type is set to NTP or AllSync. 0x01 SpecialInterval; 0x02 UseAsFallbackOnly; 0x04 SymmetricActive; 0x08 NTP request in Client mode. | time.windows.com, 0x1 |
| Type | Indicates which peers to accept synchronization from: NoSync. The time service does not synchronize with other sources. NTP. The time service synchronizes from the servers specified in the NtpServer registry entry. NT5DS. The time service synchronizes from the domain hierarchy. AllSync. The time service uses all the available synchronization mechanisms. | Default options: NTP. Use on computers that are not joined to a domain. NT5DS. Use on computers that are joined to a domain. |
| CrossSiteSyncFlags | Determines whether the service chooses synchronization partners outside the domain of the computer. None 0; PdcOnly 1; All 2. This value is ignored if the NT5DS value is not set. | 2 |
| ResolvePeerBackoffMinutes | Specifies the initial interval to wait, in minutes, before attempting to locate a peer to synchronize with. If the Windows Time Service cannot successfully synchronize with a time source, it will keep retrying, using the settings specified in ResolvePeerBackOffMinutes and ResolvePeerBackoffMaxTimes. | 15 |
| ResolvePeerBackoffMaxTimes | Specifies the maximum number of times to double the wait interval when repeated attempts fail to locate a peer to synchronize with. A value of zero means that the wait interval is always the initial interval in ResolvePeerBackoffMinutes. | 7 |
| SpecialPollInterval | Specifies the special poll interval in seconds for peers that have been configured manually. When a special poll is enabled, Windows Time Service will use this poll interval instead of a dynamic one that is determined by synchronization algorithms built into Windows Time Service. | 604800 (workgroup); 3600 (domain) |

For other sources of information about Group Policy, see Appendix B: Resources for Learning About Group Policy [ http://technet.microsoft.com/en-us/library/cc759176(WS.10).aspx ] .

For information about configuring the authoritative time server in a domain, see article 884776, “Configuring the Windows Time service against a large time offset” in the Microsoft Knowledge Base at:

http://go.microsoft.com/fwlink/?LinkId=46021
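Added example (not part of the original article): the Python below decodes the NtpServer and AnnounceFlags bit values listed above, computes the retry schedule implied by ResolvePeerBackoffMinutes and ResolvePeerBackoffMaxTimes, and reports settings that the text says are ignored or have no effect. The settings dictionary, the function names and the host ntp.example.test are assumptions made for illustration, and a missing Type is assumed to mean a domain member.

```python
import re

# Bit values from the NtpServer row and the AnnounceFlags list above
# (8 is the "automatic reliable" bit; the default of 10 is 2 + 8).
PEER_FLAGS = {0x1: "SpecialInterval", 0x2: "UseAsFallbackOnly",
              0x4: "SymmetricActive", 0x8: "NTP request in Client mode"}
ANNOUNCE_FLAGS = {0x1: "always time server", 0x2: "automatic time server",
                  0x4: "always reliable", 0x8: "automatic reliable"}


def decode_bits(value, names):
    """Names of the bits set in value; unrecognised bits are reported too."""
    found = [name for bit, name in sorted(names.items()) if value & bit]
    unknown = value & ~sum(names)
    return found + ([f"unknown 0x{unknown:x}"] if unknown else [])


def parse_ntp_server(value):
    """Split 'host,0xN host2,0xM' into [(host, flags_int), ...]."""
    value = re.sub(r",\s+", ",", value)  # tolerate 'host, 0x1' as printed
    peers = []
    for entry in value.split():
        host, _, flags = entry.partition(",")
        peers.append((host, int(flags, 16) if flags else 0))
    return peers


def backoff_schedule(initial_minutes=15, max_doublings=7):
    """Minutes waited before each retry while no peer can be located."""
    return [initial_minutes * 2 ** n for n in range(max_doublings + 1)]


def audit(settings):
    """Return findings where the settings contradict each other."""
    findings = []
    sync_type = settings.get("Type", "NT5DS")  # assumption: domain member
    peers = parse_ntp_server(settings.get("NtpServer", ""))
    announce = settings.get("AnnounceFlags", 10)

    if sync_type == "NoSync":
        findings.append("Type=NoSync: service does not synchronize")
    if sync_type in ("NTP", "AllSync"):
        if not peers:
            findings.append(f"Type={sync_type} but NtpServer is empty")
        elif all(flags & 0x2 for _, flags in peers):
            findings.append("every peer is UseAsFallbackOnly")
    elif peers:
        findings.append(f"NtpServer is ignored while Type={sync_type}")
    if sync_type in ("NTP", "NoSync") and "CrossSiteSyncFlags" in settings:
        findings.append(f"CrossSiteSyncFlags is ignored while Type={sync_type}")
    if announce & 0xC and not announce & 0x3:
        findings.append("AnnounceFlags marks host reliable but not a time server")
    return findings


# Constructed sample: a domain member carrying leftover manual settings.
SAMPLE = {
    "Type": "NT5DS",
    "NtpServer": "time.windows.com, 0x1 ntp.example.test,0x2",
    "CrossSiteSyncFlags": 2,
    "AnnounceFlags": 0x4,
}

if __name__ == "__main__":
    for host, flags in parse_ntp_server(SAMPLE["NtpServer"]):
        print(host, decode_bits(flags, PEER_FLAGS))
    print("announce:", decode_bits(SAMPLE["AnnounceFlags"], ANNOUNCE_FLAGS))
    print("backoff minutes:", backoff_schedule())
    for finding in audit(SAMPLE):
        print("finding:", finding)
```

With the default values of 15 and 7, the wait between attempts to locate a peer grows to 1920 minutes (32 hours), which is worth keeping in mind when a host has drifted past the five-minute Kerberos threshold.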

Procedures for Configuring Windows Time Service

The following procedures explain how to set some of the Windows Time Service configuration settings available in Group Policy. For details about other Group Policy settings for Windows Time Service, see the table earlier in this section.

To Set Group Policy for Windows Time Service Global Configuration Settings

  1. See Appendix B: Resources for Learning About Group Policy [ http://technet.microsoft.com/en-us/library/cc759176(WS.10).aspx ] , for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO.
  2. Click Computer Configuration, click Administrative Templates, click System, and then click Windows Time Service.
  3. In the details pane, double-click Global Configuration Settings, and then click Enabled. Configure settings as appropriate for your environment.

To Configure the Group Policy Setting to Prevent Your Computer from Servicing Time Synchronization Requests from Other Computers on the Network

  1. See Appendix B: Resources for Learning About Group Policy [ http://technet.microsoft.com/en-us/library/cc759176(WS.10).aspx ] , for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO.
  2. Click Computer Configuration, click Administrative Templates, click System, click Windows Time Service, and then click Time Providers.
  3. In the details pane, double-click Enable Windows NTP Server, and then select Disabled.

Starting and Stopping Windows Time Service

By default, Windows Time Service starts automatically at system startup. You can, however, start or stop the service manually by accessing services in Administrative Tools or by using the net command.

To Manually Start Windows Time Service Using the Graphical Interface

  1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.
  2. Double-click Administrative Tools, and then double-click Services.
  3. Select Windows Time from the list of services.
  4. On the Action menu, click Start to begin the service.

To Manually Stop Windows Time Service Using the Graphical Interface

  1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.
  2. Double-click Administrative Tools, and then double-click Services.
  3. Select Windows Time from the list of services.
  4. On the Action menu, click Stop to discontinue the service.

To Manually Start Windows Time Service Using the Net Command

  1. To open a Command Prompt window, click Start, click Run, type cmd, and then click OK.
  2. At the command prompt, type net start w32time, and then press ENTER.

To Manually Stop Windows Time Service Using the Net Command

  1. To open a Command Prompt window, click Start, click Run, type cmd, and then click OK.
  2. At the command prompt, type net stop w32time, and then press ENTER.

Synchronizing Computers with Time Sources

Use the following procedures to synchronize the internal time server with an external time source, and to synchronize the client time with a time server.

To Synchronize an Internal Time Server with an External Time Source

  1. To open a Command Prompt window, click Start, click Run, type cmd, and then click OK.
  2. At the command prompt, type the following, where PeerList is a comma-separated list of Domain Name System (DNS) names or Internet protocol (IP) addresses of the desired time sources, and then press ENTER:
     w32tm /config /syncfromflags:manual /manualpeerlist:PeerList
  3. Type w32tm /config /update and then press ENTER.
    Note
    The most common use of this procedure is to synchronize the internal network’s authoritative time source with a precise external time source. This procedure can be run on any computer running Windows 2000, Windows XP, or Windows Server 2003.
    Note
    If the computer cannot reach the servers, the procedure fails and an entry is written to the Windows System event log.

To Synchronize the Client Time with a Time Server

  1. To open a Command Prompt window, click Start, click Run, type cmd, and then click OK.
  2. At the command prompt, type w32tm /resync, and then press ENTER.
    Note
    The W32tm command-line tool is used for diagnosing problems that can occur with Windows Time Service.

Monitoring and Troubleshooting Windows Time Service

In many cases, problems with Windows Time Service can be attributed to network configuration. If the network is not configured correctly, computers might not be able to communicate to send time samples back and forth. Viewing the contents of NTP packets can help you to identify exactly where a packet is blocked on a network. An error associated with Windows Time Service might occur when a computer is unable to synchronize with an authoritative source. You can use the W32tm command-line tool to assist you in troubleshooting this and other types of errors associated with Windows Time Service.

The W32tm command-line tool is the preferred command-line tool for configuring, monitoring, and troubleshooting Windows Time Service. For more information, search for “W32tm” in Help and Support Center.

Procedure to Follow When a Computer Is Unable to Synchronize

By default, a computer running Windows Time Service will not synchronize with a time source if the computer’s time is more than 15 hours off. For information about scenarios in which this can occur, see “How Windows Time Service Can Affect Users and Applications,” earlier in this section.

To Resynchronize the Client Time with a Time Server

  1. To open a Command Prompt window, click Start, click Run, type cmd, and then click OK.
  2. At the command prompt, type w32tm /resync /rediscover and then press ENTER.
Note
When you run the preceding command, it redetects the network configuration and rediscovers network resources, causing resynchronization. You can then view the event log for more information about why the time service does not synchronize.

Related Links

For more information about configuring Windows Time Service during deployment of products in the Windows Server 2003 family, see Designing and Deploying Directory and Security Services and Designing a Managed Environment in the Microsoft Windows Server 2003 Deployment Kit at:

http://go.microsoft.com/fwlink/?LinkId=44319

For information about configuring the authoritative time server in a domain, see article 884776, “Configuring the Windows Time service against a large time offset” in the Microsoft Knowledge Base at:

http://go.microsoft.com/fwlink/?LinkId=46021


Data De-duplication

October 28, 2009

Data De-duplication.  In an effort to learn more about this technology and help our clients make sense of it all,  I will be blogging my findings.

I predict Data De-duplication will be a common occurrence in all types of data storage systems. At this point the industry – so it appears – is rushing to be more Green-conscious; however, IT Management Staff is also concerned with storage cost reduction, reduction of bandwidth utilization and Transfer Speed. I will focus my findings on these areas and ask for help from you and other industry leaders to add notes and comments.

Like always, I want to find and recommend the right solution (product). The products I have reviewed thus far are all over the map. Some of them have their own proprietary technology and others make claims to be faster or better in some way.

I started this project trying to find an answer to a backup problem. According to some experts, corporate data storage requirements are increasing at an alarming 60% annual rate. As a consulting company we have seen this first hand in a number of clients. Data storage requirements have increased for a number of reasons:

  • Scanned images are very common in small to large companies. Technically, the storage of scanned documents is simpler and more cost effective than traditional paper storage. With the proper solution, images could be catalogued or indexed to make them searchable and easy to find. However, this solution adds to the total backup storage requirements.
  • Everyone for one reason or another is reducing the use of paper, either because they want to be more IT Green or just because it is much easier to store everything onto some type of data storage device like a Hard Drive. Traditionally people would write a document, print it and then mail it. With the introduction of electronic mail there is no need to print, stuff the envelope, spend money on the stamp or spend time going to the post office; now, you simply write your document and email it. You may want to email this document to a group of co-workers; again the process is simple. However, after years of doing this process the same document may be stored in multiple locations throughout your Internal Computer Network. Likewise, other duplicated large-in-size data of all kinds – Pictures, Music, Videos and Movies – are now increasing backup storage requirements.

The practice of storing all corporate data and keeping it for historic or legal reasons is now more complex and harder to manage. You have Database Servers managing production, inventory, sales and accounting data. You also have email servers with years’ worth of history. Other Application Servers, equally important, may contain Electronic Data Exchange (EDI) transactions, client information or patient medical records. All this data is important to secure and keep. Not all critical data is stored on servers; in some cases critical data sits on local users’ computers and in some cases it is never backed up! Users tend to store data onto their local Desktop, not being aware that it points to the local Hard Drive.

The problem

Tape Backup Systems are no longer able to meet the challenging demands of the increased data size.

Solution

The answer lies in a mixed environment where backups happen automatically from any source and onto any storage media. The solution has to be reliable, it should be easy to manage, it has to be fast – especially when it comes to restoring – it also has to have low bandwidth utilization, and finally it should be economically feasible so companies of any size can utilize it.

Data De-duplication technology – no matter what flavor of implementation – offers a huge number of advantages over traditional tape backups. The best advantage, from my point of view, is automation, as no matter how good a tape backup system you have, it requires human intervention and this intervention always fails – not if it happens but when it happens, it is at an unfortunately crucial time. File- and block-level de-duplication eliminates backup copies of the same data and delivers substantial storage cost savings.

For mid to large companies, the leading commercial vendor for Data Deduplication Systems is Data Domain (part of EMC). Other vendors like Computer Associates, Symantec and Barracuda have solutions suited for smaller, midsize or even departments of large companies.

Comcast Installation: Private Business

 

After weeks of planning here we are … Waiting for the cable man!

Oh, but this time he is arriving at a business site – not my house. The good thing… he did call and said he was running late. An hour later two men are here, tools on waist and ready to install new phone service and new Internet Access. This service will be replacing a traditional Cimco Communications T1 circuit and a traditional POT analog phone service from ATT. The coax cables were run prior to this visit.

The price and the Technology – Broadband – all too familiar to home users is now available to the business sector! Several questions are in the back of my mind at this point – While the price and the promised speed-gain (1.5Mb to 20Mb download!) are great, I can’t help but ask myself: will it be reliable? We will have to wait and see. I love Comcast speed at home but outages are all too common in my area. Too common and too frequent…

While waiting for the green light to do my part – Router configuration, firewall configuration, and Remote Desktop Access configuration – I do other things… My goal is to configure a Cisco Router past their access point (gateway / Modem). Traditionally the use of a Cisco Access List is one way to prevent intruders from accessing the private network. In this case the Router I will be using is the existing Cimco Router. (At this point my understanding is that this is an Ethernet to Ethernet Router – Right?) So I charge on and work on the script to add to this router … NAT table configuration, Allow Access List, Deny list…

I mapped the LAN and now I have all my internal MAC and IP Addresses for each of the computers I need to access remotely… I am also waiting on Cimco to contact me back with the user ID and the Password for the existing Cisco Router (my client is buying this router) so I can change the internal script code … all along users are using the Internet to send and receive email messages – or perhaps using the internet to view their favorite fantasy team, who knows?

An hour later one of the men – The one with all the cool tools on the waist – is here and ready to hand out the IP addresses I need to configure the Cisco Router.  Ready? Yes… Local IP Address on the modem is such and the Public IP Addresses are such and the DNS are… and so on.  I get all the information … Meanwhile the other man is on the phone calling Comcast, testing the phone lines while at the same time helping a team member solve other problems (using a two way radio) at another site with another client – Fun stuff ! 

I can’t connect at this point; he needs to get the phone lines punched down and active. … another 40 minutes later, they are ready and walking out the door. “Oh, here is the user ID and the Password to the SMC modem… Just in case you need to do changes!” Ok, I said… I take the information, shake hands and wave good bye.

First things first… Do I have access to the existing Cisco Router? No, Cimco has not called back… Ok, let’s use my laptop to test the Comcast Circuit (or Connection). Wow, this SMC Modem has DHCP built in!… let’s look deeper … while they are calling this a modem I found it is much more than that. Features like Firewall and NAT are also built into this modem…. I got a call from Cimco, I ask for the user ID and password to the existing router – they do not want to give it to me – they have to change it first… I explain to the Tech at Cimco that the client is buying the Cisco router from them after the contract is over – 5 days from now. So I’m put on hold …

He is now back… I continue to explain what I need to do to the router.  I will be assigning a public IP Address to one of the Ethernet ports and a Private Ethernet address ( 192.168.1.1) to the Local Ethernet Segment.  Great, one problem !!! This Cisco Router is a T1 Router and it only has one Ethernet port and a WIC card for their T1 service.

Plan number 2? Ok, it was my first plan: to purchase a new Cisco 800 modem router with Ethernet to Ethernet Router firewall and NAT features – about $400 to $500. So here we are…

I have my laptop connected to the Comcast SMC modem and “speedtest.net” is showing 37mg download and 1.5Mb upload — this is too cool, I can’t deprive my client of the benefit of this download speed – right? So I dig into the features of this SMC Router and found that it has a DHCP Server built in, it also has a port redirector built in, plus a NAT 1-to-1 function – this feature to be used if I wanted to connect the Cisco router to it and assign a public IP Address… However in the absence of the Cisco Router ….

I tested and played with the settings and found that I could in fact use this modem – now I think that this is more than a traditional modem – this is a router with lots of cool features built in. Did I mention that it also has a Firewall feature, plus the ability to block access to web sites? All too cool.

So, I change the Local Ethernet segment IP Address to match the IP address of the old Cisco Router and turn off the DHCP Function since we are using the Local MS 2003 server to do this. Now I disconnect the old router and connect the ethernet cable to the switch port. Bingo! It all works. Some local computers have to be restarted but most of them are able to access the internet right away. Let’s do some more testing, …connect to www.thewb.com – for testing purpose only – and started playing a movie at several computers at the same time – wow it works!

Finish the remote access list using the port redirection feature in the SMC modem configuration. Found that the public IP Address used on the modem/router is working and as it needs to be static it should not change. I also have 5 extra public IP addresses to be redirected via a 1-to-1 NAT or via direct connection to the SMC extra Ethernet ports. However, in this case all I need is the IP address already assigned to the SMC Router! This is a static public IP Address. I now call the DNS Manager and ask for the A record to be changed to the new public IP address and Bingo! A few minutes later it is propagated and available to be used.

I did some testing using Windows XP’s “Remote Desktop” connected to an external computer and from that external computer remote access into the local computers – It all works.

So, no need to purchase a new Cisco Router! With the built-in NAT port redirector in the SMC modem the day was saved!

Speed during the initial testing was great…. some sites appear faster than others … but keep in mind that the speed is at the least common denominator. If the site you are connecting to is set for 1Mb upstream access that’s all you will get, but there is the potential for higher download bandwidth.

Cesar Lopez

Best Networks Inc

(773) 908-7378
