Friday, August 28, 2009

Introduction

It’s been quite a while since I wrote anything about Windows. The reason for that is quite simple: I haven’t had any real technical challenges up until now.

Situation: A medium-sized Windows domain with a time synchronization issue. It had gotten so bad that clients were experiencing Kerberos issues and some applications were displaying irrational behavior.

A quick investigation revealed that due to a change a few weeks earlier the domain had no reliable time source. In addition to that the PDC emulator had been moved to VMware ESX, something my VMware expert tells me is not a good idea.

Further investigation told me that the problems started much earlier than this and that ESX was most likely not the culprit here.

Now, how does time synchronization work? Quite simple really: a client or a member server asks the domain controller serving the logon request. The domain controllers get their time from the PDC Emulator. The PDC emulator gets time either from its internal clock, a source on the internet or an external device such as a GPS clock. There’s a very good description of the whole process in KB 884776.

The problems start if your PDC emulator isn’t keeping good time or, and this happened to me, if it’s not advertising on the network as being a reliable time source.

Symptoms

Usually you’ll see things like these in the eventlog:

Date: 27-5-2009
Time: 20:46:32
User: N/A
Computer: DC02
Description:
The time provider NtpClient cannot reach or is currently receiving invalid time data from <ip address> (ntp.m|0x0|<ip address>:123-><ip address>:123).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: W32Time
Event Category: None
Event ID: 47
Date: 27-5-2009
Time: 20:48:08
User: N/A
Computer: DC02
Description:
Time Provider NtpClient: No valid response has been received from manually configured peer <ip address> after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with this DNS name.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: W32Time
Event Category: None
Event ID: 29
Date: 27-5-2009
Time: 20:48:08
User: N/A
Computer: DC02
Description:
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: W32Time
Event Category: None
Event ID: 14
Date: 28-5-2009
Time: 1:46:47
User: N/A
Computer: DC02
Description:
The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in 15 minutes.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Quick fixes

Google for any of these event ids and you’ll find thousands of discussions. Common causes of this problem:

Windows time service (w32time) isn’t running.
Your system isn’t allowed to make a connection on port 123 UDP to your time source. So, check your service and firewall settings and restart the service (on the command prompt: net stop w32time && net start w32time).
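To tell "cannot reach" apart from "receiving invalid time data", here is an added example (not part of the original post) that sends one SNTP request to a peer and applies standard SNTP client sanity checks to the reply. These are generic protocol checks, not W32Time's own validation logic; the function names and the constructed reply used for offline testing are assumptions of this example.

```python
import socket
import struct
import time

NTP_TO_UNIX = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
KERBEROS_SKEW = 300        # Active Directory's default Kerberos tolerance: 5 minutes

def build_request():
    """48-byte SNTP request: leap 0, version 3, mode 3 (client)."""
    return bytes([(3 << 3) | 3]) + bytes(47)

def check_reply(data, t_sent, t_recv):
    """Decode a reply and run standard SNTP client sanity checks on it."""
    if len(data) < 48:
        raise ValueError("reply shorter than an NTP header")
    leap, mode, stratum = data[0] >> 6, data[0] & 0x07, data[1]
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!4I", data[32:48])
    t_rx = rx_s + rx_f / 2**32 - NTP_TO_UNIX   # server receive time
    t_tx = tx_s + tx_f / 2**32 - NTP_TO_UNIX   # server transmit time
    problems = []
    if mode != 4:
        problems.append("not a server-mode reply")
    if leap == 3:
        problems.append("server reports its clock is unsynchronized (LI=3)")
    if stratum == 0 or stratum > 15:
        problems.append(f"unusable stratum {stratum}")
    if tx_s == 0 and tx_f == 0:
        problems.append("empty transmit timestamp")
    # Standard offset estimate: ((T2 - T1) + (T3 - T4)) / 2
    offset = ((t_rx - t_sent) + (t_tx - t_recv)) / 2
    return {"stratum": stratum, "offset": offset, "problems": problems,
            "exceeds_kerberos_skew": abs(offset) > KERBEROS_SKEW}

def query(host, timeout=3.0):
    """Ask one peer over UDP 123; a socket timeout here is the firewall symptom."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t_sent = time.time()
        sock.sendto(build_request(), (host, 123))
        data, _ = sock.recvfrom(512)
        return check_reply(data, t_sent, time.time())

def make_reply(leap, stratum, unix_time):
    """Constructed server reply for offline testing (not captured traffic)."""
    secs = int(unix_time) + NTP_TO_UNIX
    frac = int((unix_time % 1) * 2**32)
    ts = struct.pack("!2I", secs, frac)
    return bytes([(leap << 6) | (3 << 3) | 4, stratum]) + bytes(30) + ts + ts
```

A timeout from `query` points at the service or firewall; a reply with a non-empty `problems` list points at the time source itself.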

If that doesn’t help…

Check if your domain controllers know and agree which server the PDC emulator is. On a command prompt:

1. Type ntdsutil, and then press ENTER.
2. Type domain management, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type "connect to server ServerName", where ServerName is the Name of the Domain Controller you would like to view, and then press ENTER.
5. Type quit, and then press ENTER.
6. Type "select operation target", and then press ENTER.
7. Type "list roles for connected server", and then press ENTER.

Check this on at least two domain controllers. If they don’t agree you’ve got a real problem. If any of the roles are on a server that is offline you will need to seize the roles to a working server.

In my case the roles were properly distributed but on the PDC Emulator I still had the problems I mentioned earlier. In an hour I would have several Event ID 37 (currently receiving valid time) and Event ID 38 (ntp client cannot reach or is receiving invalid time data) messages. On the other DCs I had pretty much the same pattern.

So, next step was to make sure the other DCs and member servers were actually set to take their time from the domain. This is set in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters in the string Type. This string can have these values:

# NoSync. The time service does not synchronize with other sources.
# NTP. The time service synchronizes from the servers specified in the NtpServer registry entry.
# NT5DS. The time service synchronizes from the domain hierarchy.
# AllSync. The time service uses all the available synchronization mechanisms.

Now, all systems except my PDC Emulator were in fact set to NT5DS. And yet none were properly synchronizing time.

Hmmm….

Was my PDC emulator doing the proper advertising on the network? Let’s investigate.

C:\WINDOWS\system32>dcdiag

Doing primary tests

Testing server: Default-First-Site-Name\DC01
Starting test: Replications
......................... DC01 passed test Replications
Starting test: NCSecDesc
......................... DC01 passed test NCSecDesc
Starting test: NetLogons
......................... DC01 passed test NetLogons
Starting test: Advertising
Warning: DC01 is not advertising as a time server.
......................... DC01 failed test Advertising

<truncated>

Starting test: FsmoCheck
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
......................... domainname.com failed test FsmoCheck

Now, that last sentence about the PDC role holder being down had me puzzled and sent me chasing ghosts. Google it and you’ll find numerous discussions where this was true. But in my case it simply wasn’t. I double checked with NTDSutil and it simply was not down!

So… what was going wrong here? At this point I realized that the messages in the event log weren’t very helpful. They are too generic. I wanted to know what was really happening so I turned on debug logging on the Windows Time service. And that gives you information!

149258 09:35:51.3586829s - DomainHierarchy: we are now the domain root. Should be advertised as reliable
149258 09:35:51.3586829s - ClockDispln: we're a reliable time service with no time source: LS: 0, TN: 864000000000, WAIT: 86400000

Quickly followed by two successful synchronizations and a lot of failed ones after that.

At this point I was formulating the hypothesis that there’s some sort of successful/failed ratio that might influence whether or not Windows considers itself a reliable source. I was also highly suspicious of my NTP source by now. I asked around and found I had a network connection to another domain that didn’t have this problem. So I decided to set the domain controller of that domain as my time source to see what would happen. I also decided to check my time settings against the values outlined in KB 816042.

I changed:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
with the proper IP address (don’t forget to put in a ,0x1 if you enter a name instead of IP address).

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
I set to 5

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval
I changed from 3600 to 900.

And I restarted the time service again. Went to grab a cup of coffee and typed in dcdiag /v /test:advertising

C:\WINDOWS\system32>dcdiag /v /test:advertising

Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine DC01, is a DC.
* Connecting to directory service on server DC01.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 4 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\DC01
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... DC01 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\DC01
Test omitted by user request: Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Starting test: Advertising
The DC DC01 is advertising itself as a DC and having a DS.
The DC DC01 is advertising as an LDAP server
The DC DC01 is advertising as having a writeable directory
The DC DC01 is advertising as a Key Distribution Center
The DC DC01 is advertising as a time server
The DS DC01 is advertising as a GC.
......................... DC01 passed test Advertising

Yesss!!!

I restarted the time service on the secondary domain. It immediately confirmed it was synchronising by logging an event ID 35.

Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 35
Date: 28-8-2009
Time: 12:33:06
User: N/A
Computer: DC02
Description:
The time service is now synchronizing the system time with the time source dc01.domain.com (ntp.d|<ip address>:123-><ip address>:123).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Lessons learned

  • A lot of people experience time problems that are related to either the service not running or a firewall blocking UDP traffic on port 123.
  • Don’t use net time anymore, use w32tm instead.
  • Check if your servers are getting time from the domain (that NT5DS key)
  • Troubleshooting starts at your PDC Emulator.
  • If your PDC Emulator isn’t advertising properly your domain will not synchronize.
  • Turn on debug logging on the Windows Time service if you’re into serious issues.
  • You need a reliable time source that’s well connected to your network.
  • You should monitor your event logs for warnings and errors generated by w32time.
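One way to act on the last point, as an added example that is not part of the original post: a parser for event text exported in the layout shown under Symptoms, which classifies each computer by the W32Time events in the hour before its most recent one. The event IDs and their meanings are those quoted in the post; the function names, the one-hour window and the sample events are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs and their meaning as quoted in the post.
FAILURE_IDS = {14, 29, 38, 47}  # no DC found, no source reachable, invalid data, peer discarded
SUCCESS_IDS = {35, 37}          # now synchronizing, receiving valid time
REQUIRED = {"Event ID", "Date", "Time", "Computer"}

def parse_events(text):
    """Yield (timestamp, computer, event_id) for each W32Time event in an exported log."""
    for block in re.split(r"(?m)^(?=Event Type:)", text):
        fields = dict(re.findall(r"(?m)^([A-Za-z ]+):[ \t]*(.*)$", block))
        if fields.get("Event Source") != "W32Time" or not REQUIRED <= fields.keys():
            continue  # not a time service event, or header fields are missing
        when = datetime.strptime(f"{fields['Date']} {fields['Time']}", "%d-%m-%Y %H:%M:%S")
        yield when, fields["Computer"], int(fields["Event ID"])

def triage(text, window=timedelta(hours=1)):
    """Classify each computer by the events in the window before its latest one."""
    per_host = defaultdict(list)
    for when, host, eid in parse_events(text):
        per_host[host].append((when, eid))
    result = {}
    for host, events in per_host.items():
        latest = max(when for when, _ in events)
        recent = [eid for when, eid in events if latest - when <= window]
        ok = sum(eid in SUCCESS_IDS for eid in recent)
        bad = sum(eid in FAILURE_IDS for eid in recent)
        state = "flapping" if ok and bad else "failing" if bad else "synchronized" if ok else "unknown"
        result[host] = {"state": state, "ok": ok, "failed": bad}
    return result

def make_event(eid, date, time, computer, kind="Warning"):
    """Build one constructed event in the text layout shown in the post."""
    return (f"Event Type: {kind}\nEvent Source: W32Time\nEvent Category: None\n"
            f"Event ID: {eid}\nDate: {date}\nTime: {time}\nUser: N/A\n"
            f"Computer: {computer}\nDescription:\n(constructed sample text)\n\n")

# Constructed sample: DC02 loses its source, DC01 alternates, DC03 synchronizes.
SAMPLE = "".join(make_event(*e) for e in [
    (47, "27-5-2009", "20:48:08", "DC02"), (29, "27-5-2009", "20:48:08", "DC02", "Error"),
    (37, "27-5-2009", "9:05:00", "DC01", "Information"), (38, "27-5-2009", "9:20:00", "DC01"),
    (37, "27-5-2009", "9:35:00", "DC01", "Information"),
    (35, "28-8-2009", "12:33:06", "DC03", "Information"),
])
```

Calling `triage(SAMPLE)` reports DC02 as failing, DC01 as flapping and DC03 as synchronized; a flapping PDC Emulator is the pattern described above for Event IDs 37 and 38.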

Wednesday, August 26, 2009

Well... I've put in a bit of practice. The set is portable, it straps to the outside of my lowepro flipside 300. I used it at my wife's brothers birthday for a few family snaps.

This one turned out nice but for the distraction in the background.

Square

Nothing a crop couldn't fix.

Someone commented on one of my earlier shots at flickr. I tried to use my secondary flash, an SB-26, to provide light in the background to make it brighter and whiter. That failed rather spectacularly.


And sometimes I get it wrong

Way too much light in the background. This is still a bit of a puzzler to me. There's loads of information out there that mentions how great two flashes in full manual are but very little on how exactly you set a manual flash.

I think I'll hit the SB-26 manual, see what that says.

Saturday, August 22, 2009

Something that’s been on my list for a while now is to shoot portraits with an improvised “Strobist” style setup.

Tuesday I was in the Rotterdam area so I paid a visit to kamera-express. They did have umbrellas for a good price but to mount that on a tripod all they had was an expensive piece of manfrotto kit (the 026 lite tilt umbrella adapter). So, I asked around and Camex in Amsterdam had a much cheaper Hama adapter (part number 6079).

Picked it up this morning. An SB-600 I already had and an old tripod which will do until I can get a lightstand.

Mounted together it looks like this:

So I decided to give it a try. Since I’m shooting a Nikon D300 with a SB-600 I don’t need to use cactus triggers but can rely on Nikon’s CLS.

With the first dozen of shots I found these two:

Now, I’m quite pleased with these. Not because they’re exceptional quality but because these were shot with no experience with a setup like this, with no special preparation except for getting my lighting equipment out. This was shot in my living room with nothing special, not even a backdrop.

Tuesday, August 18, 2009

Getting your whitebalance just right...

That's something often overlooked by the beginner and too many intermediate photographers. Get it just right and your pics will look that much better. Get it wrong and you'll get pics that just look "Wrong". Get it really wrong and you get nasty red or blue casts.
Many current DSLR cameras feature autowhitebalance which is mostly ok between 3500 and 6000 degrees kelvin. And they have presets which almost never match what you're doing. Get a bit of practice and you can guesstimate light color.
There's ways around this of course, the easiest is to shoot a custom whitebalance from a piece of plain white paper. Or buy a special test card. Or spend a lot of money on a special lenscap.

You can also really dive into the matter which is what Leon Goodman has done. I've not read the entire article with care yet but at a

Saturday, August 15, 2009

Birthday present 2009


new toy
Originally uploaded by j_wijnands.
A redged MT-523 monopod with, for the next few months, a simple Calumet head. Combination feels very sturdy and I think it's a good compromise between stability and ease of use.

Tuesday, August 11, 2009

Windmill


Windmill
Originally uploaded by j_wijnands.
Went for a drive in my lunchbreak. The south part of the Haarlemmermeer is a place that I seldom visit. I did today and found this windmill.

Sunday, August 09, 2009

How far can you go as a nature photographer?


tiny toad
Originally uploaded by j_wijnands.
Yesterday, I read something about a photographer who used a plant mister on a fly to get it to sit still long enough (Always a challenge with flies).

That reminded me of the, to me, despicable practice of some nature photographers. They catch an animal, freeze it to within an inch of its life (or beyond) and then start photographing it.

This morning I found this little toad on a busy path playing dead. Not a safe place to do that when a horde of joggers was about to stampede over that patch. So I picked him up and put him somewhere safe.

To me that's pretty much the limit of what I'll do to an animal to take a picture of it.

Friday, August 07, 2009

100mm tokina doubts resolved


Vanessa atalanta
Originally uploaded by j_wijnands.
Recently I've had a very low keeper ratio with the tokina 100mm 2.8 macro. So low that I was wondering if I had to go through the trouble of using the AF fine tune on the body.

Yesterday I noticed this butterfly, Vanessa Atalanta to be specific, on a bush in my garden. I shot about a dozen frames of it. 2 were not sharp because I focussed on the wrong spot. The rest turned out as this one did. Sharp where it counts.

Looking back I think the low keeper ratio was a combination of me getting used to my new camera, poor technique and wind moving the branches on which the insects sat.

Anyway, this shot proves again that the tokina with the D300 is as good a combination as the person using it.

Now all I have to learn is how to do shots like this from a tripod.

Sunday, August 02, 2009

Exeter Cathedral 1


Exeter Cathedral 1
Originally uploaded by j_wijnands.
Or how you can make AWB to your advantage. No, this isn't shopped, just converted from NEF to JPG. The color difference is purely from the camera's whitebalance.