IT & Web Infrastructure Masterclasses

Through March 2013, I’m running a set of IT and Web infrastructure masterclasses in Nottingham (in conjunction with PCM Projects), for people who don’t necessarily work in IT, but need to know (or would benefit from knowing) some of the basics.

The intended audience is small business owners or managers, where you may have to deal with IT contractors or staff and decide IT and web strategy, but you’re not comfortable that you know enough about it to make informed decisions. For example, there are an almost infinite number of ways to keep your business data accessible, secure, backed up, and away from prying eyes, but which way is best for you? How should you manage your website – should you pay someone else to design and host it, or bring it in-house? How should you handle email, on what sort of server? How should you plan for business growth? How do you protect your business from viruses, malware, spam, and hacking attempts?

These are the sort of questions that I will help you with – you don’t need any knowledge of IT or the web already, and because the groups are small – around 6 people – you’ll be able to ask questions and find out information specific to how your business operates.

You’ll then have enough knowledge to go to your suppliers or contractors, and ask the right questions, purchase the right services, at the right price.

There are four sessions, as below, and you can book yourself on them by visiting the eventbrite page for the events. Contact me for any further information.


Technically Speaking – 4 March

Topics to include: an overview of web/IT infrastructure and how it all fits together; an update on the current climate; domain names, analytics, and connections to social technology.


Email & Communication – 11 March

Topics to include: different service providers and set-ups (e.g., using hosted email, managing it in-house) and getting it all working for PCs and on mobile devices; good email practice, transferring data and keeping it secure.


Internet Security – 18 March

Topics to include: how to stay safe and keep trading; what are the threats – viruses, hack attacks, theft, loss of confidential or valuable data; keeping your business (and family) safe on the internet; and keeping your systems up to date and secure.


Data storage – 25 March

Topics to include: managing data storage and growth in your business; internal networks and cloud storage; back-ups; access controls, speed vs. reliability vs. cost.

Snowdon in the snow

I recently took a week off work to go biking, snowboarding, climbing, and hiking and stuff. Part of the trip included a visit to Wales to stay at Penmachno after riding Llandegla. I was going to ride Penmachno the following day, but the weather was dreadful, so I walked halfway up Snowdon instead 🙂

Mountain biking in the snow – Sherwood Pines, Nottingham.

Sherwood Pines is a nice little place to ride – the main trail is quite short, but is pretty much 100% twisty fast singletrack, and you can get a couple of loops done in two hours. I went for a ride there recently in the heavy snow, and I was so lucky to have the trail to myself. The snow was fresh – no footprints or tyre tracks, and it was deathly silent in the woods with the snow falling heavily. Absolutely brilliant, although I couldn’t feel my feet after 15 minutes or so…


Virtual Domain Controllers and time in a hyper-V environment

In a “normal” (read: physical) domain environment, all the domain member machines such as servers and PCs use the PDC (Primary Domain Controller) as the authoritative time source. This keeps all the machines in a domain synchronised to within a few milliseconds and avoids any problems due to time mismatch. (If you’ve ever tried to join a PC to a domain with a significantly different time setting, you’ll have seen how this can affect Active Directory operations.)

However, virtual machines are slightly different. VMs use their virtual host as the authoritative time server – it’s essential that the virtual host and the guests operate on the same time. Run the below command in a command prompt on a VM:

C:\>w32tm /query /source

And it should return:

VM IC Time Synchronization Provider

If you run the same command on the host itself, it’ll just return the name of one of the domain controllers in your network (probably, but not necessarily, the PDC).

Now, what if your domain controllers are virtual? They’ll be using their host machine’s time as the source, but the hosts themselves will be using the PDC as an authoritative time source – the problem is clear: they’re using each other as authoritative time sources and network time will slowly drift away from the correct time.

You may decide to disable integration services for the guest (the PDC), and configure an authoritative external time source, but if the PDC is rebooted or goes offline and comes back online with a different time than the host (such as a restore), you’ll have problems. Granted, this should fix 90% of issues, but I wouldn’t recommend it as a solution.

Disable integration services in hyperV

In an ideal world, you’d still have at least one physical PDC, which would use an external time source, and would serve time to all other machines in the network, but if your infrastructure is such that you only have virtual domain controllers, you’ll need to do something a little different. The best way to do this is to set your virtual hosts to use the same external (reliable) time source. This does of course require that your virtual hosts have access to the internet, but at least you should be able to add firewall rules that only allow outbound NTP (UDP port 123) to a fixed range of NTP servers, which should pose no security threat.

To do this, log on to your (Windows) virtual host (in this case, I’m using Hyper-V Server 2008 R2) and run:


C:\>w32tm /query /source

And it’ll return one of the domain controllers.

Use the command prompt to open regedit, and navigate to HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters.

It’ll probably look like this:

Change the “Type” entry to “NTP” and, if you wish, change the NtpServer entry to something other than the default Windows time server (you can leave it as it is if you prefer).

registry time settings

Now that you’ve changed the registry entries, run:

net stop w32time & net start w32time


w32tm /query /source

And it should return the new internet time servers.


w32tm /resync /force

to force a resync of the machine’s clock.

Log on to the virtual machine running on this host, and check the time. Force a resync if you want – it won’t do any harm, and at least you’ll know it’s synced.

If you now run:

w32tm /monitor

on any machine, it will display the potential time servers in your network, and the time offset between them. If all is correct in your network, the offset should be pretty small (though it will never be zero).

domaincontroller1.domain.local *** PDC ***[ipaddress:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from domaincontroller2.domain.local
        RefID: []
        Stratum: 2
    ICMP: 0ms delay
    NTP: -0.0827715s offset from domaincontroller1.local
        RefID: []
        Stratum: 2
Reverse name resolution is best effort. It may not be
correct since RefID field in time packets differs across
NTP implementations and may not be using IP addresses.


If you find a domain member machine (whether it’s a server or simple client) which is not set to use the proper domain NTP server, run the below command:

w32tm /config /syncfromflags:DOMHIER /update

This command instructs the machine to search for and use the best time source in a domain hierarchy.
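As an added example (not code from the original post), here are the host-side steps above as a PowerShell script: it writes the same two W32Time registry values, restarts the service, forces a resync, then parses the `w32tm /monitor` output and flags any time source whose offset is over a threshold. Running elevated on the Hyper-V host, the placeholder NTP server list and the 1 s threshold are assumptions.

```powershell
# Added example: automate the host-side steps from the post and check the result.
# Assumptions: run in an elevated PowerShell (2.0+) on the Hyper-V host; replace the
# placeholder NTP servers with the ones your firewall rules allow; 1 s is an arbitrary threshold.
$ParamKey         = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$NtpServers       = '0.pool.ntp.org,0x9 1.pool.ntp.org,0x9'   # placeholders; 0x9 = client mode + special poll interval
$MaxOffsetSeconds = 1.0

function Set-HostExternalTimeSource {
    # On a domain-joined host this normally reports one of the domain controllers
    Write-Host "Source before: $((w32tm /query /source) -join '')"

    # The same two values the post changes in regedit
    Set-ItemProperty -Path $ParamKey -Name 'Type'      -Value 'NTP'
    Set-ItemProperty -Path $ParamKey -Name 'NtpServer' -Value $NtpServers

    # Same effect as "net stop w32time & net start w32time", then force a resync
    Restart-Service -Name w32time -Force
    w32tm /resync /force | Out-Null

    Write-Host "Source after:  $((w32tm /query /source) -join '')"
}

function Get-TimeOffsets {
    # Parse 'w32tm /monitor': a server header line ends in "]:" and the following
    # "NTP: +0.0827715s offset from ..." line carries that server's offset
    $results = @()
    $server  = $null
    foreach ($line in (w32tm /monitor)) {
        if ($line -match '^(\S+).*\]:\s*$') { $server = $Matches[1]; continue }
        if ($line -match 'NTP:\s*([+-]?\d+\.\d+)s offset') {
            $results += New-Object PSObject -Property @{ Server = $server; OffsetSeconds = [double]$Matches[1] }
        }
    }
    return $results
}

Set-HostExternalTimeSource
$offsets  = Get-TimeOffsets
$drifting = $offsets | Where-Object { [math]::Abs($_.OffsetSeconds) -gt $MaxOffsetSeconds }
if ($drifting) {
    # A large offset usually means that source is still following a guest/host loop
    Write-Warning "Time sources more than $MaxOffsetSeconds s adrift; check their source and integration services:"
    $drifting | Format-Table Server, OffsetSeconds -AutoSize
} else {
    Write-Host "All $($offsets.Count) monitored sources are within $MaxOffsetSeconds s."
}
```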


What’s the best vehicle for mountain bikers?

Being a mountain biker means travelling a lot. Unless you happen to live in the Scottish highlands, or in North Wales, you don’t tend to have huge amounts of trails on your doorstep. And even if you do, who wants to ride the same trails all the time?

So, we drive. A lot. We get up early on a Saturday morning and load bikes and kit into a car or van and set off in search of trail gold.

But what’s the best sort of vehicle to use if you’re a mountain biker? I’ve had fast cars, new cars, old cars, small cars, big cars, and vans. I also used to drive tractors, but they’re a bit slow and unless you count a trailer, don’t have much storage space.

ford focus estate with bikes and kit in

Currently, I drive a Ford Focus estate. It’s awesome. It’s a few years old so I don’t worry about the odd scratch and scuff, and I can get a full suspension mountain bike inside without taking the wheels off and still pile all my kit in. With the front bike wheels off, you can easily get two bikes and two people in, plus kit. It does over 50mpg because it’s a diesel.

The estate version of the focus has a flat boot, so there’s no lip to get the bikes and kit over when loading or unloading, and the rear with the boot up provides a good sheltered seat to get changed if the weather’s not too bad. There are also some handy little compartments in the boot that are useful for storing tools and/or food.

Previously, I’ve had a lovely Audi A3. Brand new, company car. Climate control, leather and incredible sound system. Bloody nightmare. Constantly worried about scratching it, and had to use a bike rack, which means you can’t leave it anywhere unattended, and your fuel economy drops pretty drastically. Gorgeous car, and great to drive, but completely impractical for someone who wants to put dirty kit and people inside it, and dirty bikes on the rack on it.

audi a3 with bike rack

On a trip to Scotland once, we hired a transit van. This was pretty awesome, to be honest. We got about 8 bikes and lots of kit in, although it took some working out, and careful arrangement of fork stanchions and blankets…

transit van with mountain bike kit in, scotland

Three people in the front, and we were sorted for a road trip (the other guys went in a car). However, you can’t get from the cab to the rear of the van because of the bulkhead, and the fuel economy isn’t great.

awesome pickup truck

Now, what about this? A pickup truck. We saw this in Wales on a recent trip to Llandegla. I doubt it’s road legal. Anyhow, a pickup truck is great for biking, but do you ever actually need to drive off-road? I’ve been mountain biking for most of my life, and I’ve never actually needed to drive off-road – that’s what the mountain bike is for. Of course, it’d be amazing for shuttle runs…

beautiful vw caddy

I have to say however, there are some beautiful VW Caddys around, but who could risk chucking a mountain bike in the back of this beauty?

To be honest, the best vehicle I’ve ever had was this Mercedes Vito. I genuinely loved driving it because it handled so well, and it’s perfect for short or long trips with the bike(s). With split front seats and a row of seats behind that you can also split and remove one of, it means you can get from the driver’s seat into the back of the van perfectly easily. I’ve had four people and four bikes, plus kit, comfortably in the Vito.

Vito and mountain bike


Vito and mountain bike in the snow

If the weather is bad, it’s easy to get changed inside before the ride, and even do some pre-ride mechanical checks and lube the chain and stuff. After a ride, the rear door lifts up to provide some shelter from the rain (or sun..?), and you can chuck the bikes in before hopping in yourself to get into dry clothes without doing that ridiculous manoeuvre of trying to get changed in the seats of a car without giving yourself cramp. Also, it’s rear wheel drive, and that always means a little extra fun.

What’s your ideal mountain biking vehicle?


Fixing “the trust relationship between this workstation and the primary domain failed” without leaving the domain or restarting.

Sometimes you’ll find that for any one of a multitude of reasons, a workstation’s computer account becomes locked or somehow otherwise disconnected from the actual workstation (say, if a machine with the same name joins the network, or if it’s been offline for a very long time). When you try to log on to the domain you’ll get a message that states:


“the trust relationship between this workstation and the primary domain failed”


Now, what I would normally do in this situation is un-join and re-join the workstation to the domain, which works, but creates a new SID (Security Identifier) and can therefore break existing trusts in the domain with that machine, and of course it requires a reboot. So if you don’t want to reboot, and you don’t want to break existing trusts, do this:


Use netdom.exe in a command prompt to reset the password for the machine account, from the machine with the trust problem.


netdom.exe resetpwd /s:<server> /ud:<user> /pd:*

<server> = a domain controller in the joined domain

<user> = DOMAIN\User format, an account with rights to change the computer password

* = prompts you for that user’s password rather than putting it on the command line


That should do it, in *most* cases.
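As an added example (not from the original post), the same in-place machine password reset driven from PowerShell, with a check first so the password is only reset when the secure channel is actually broken, and a re-test afterwards. Assumptions: PowerShell 2.0 or later on the affected workstation, run elevated while logged on with a local administrator account (the domain logon is what is failing), and the DC name and account are placeholders.

```powershell
# Added example: test the secure channel, repair it only if broken, then verify.
# Assumptions: elevated PowerShell 2.0+ on the workstation, logged on as a LOCAL admin;
# $DomainController and the 'DOMAIN\User' account are placeholders for your own.
$DomainController = 'dc1.domain.local'   # placeholder: a DC in the joined domain

function Repair-WorkstationTrust {
    param([string]$Server, [System.Management.Automation.PSCredential]$Credential)

    # Healthy channel: do nothing, rather than resetting the machine password needlessly
    if (Test-ComputerSecureChannel -Server $Server) { return 'healthy' }

    # -Repair resets the computer account password in place, like "netdom resetpwd":
    # the machine SID is unchanged and no reboot is required
    $repaired = Test-ComputerSecureChannel -Server $Server -Repair -Credential $Credential
    if (-not $repaired) { return 'repair-failed' }

    # Re-test rather than trusting the return value alone
    if (Test-ComputerSecureChannel -Server $Server) { return 'repaired' }
    return 'still-broken'
}

# Account with rights to change the computer password (same role as /ud: above)
$cred   = Get-Credential 'DOMAIN\User'
$result = Repair-WorkstationTrust -Server $DomainController -Credential $cred
Write-Host "Secure channel to ${DomainController}: $result"
```

If the result is still-broken, fall back to the netdom command above and check the DC's event log for the computer account.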

Troubleshooting SYSVOL replication between domain controllers, using DCDIAG

Since we had a power outage a few days ago, I’ve seen some problems with replication of the sysvol folder throughout the domain controllers, most likely due to some file corruption on one domain controller that halted replication to the remaining domain controllers. (The domain controller in question had a disk fail in the RAID 1 array, which then refused to rebuild due to disk issues on the existing live disk.)

The sysvol folder is where all group policies and logon scripts are held, and is accessible by all domain members in order to process the policies and scripts. The “original” is held on the first domain controller in the domain.

Replication of the sysvol folder is separate from Active Directory replication. Sysvol replication relies on the File Replication Service (FRS) running on the domain controller, and any failures are logged in the Windows event logs.

Firstly, we had to work out what was going on. This is best done by examining the event logs for these errors, and running some diagnostic tools on the servers – in this case, DCDIAG. DCDIAG is part of the Server 2003 support tools package.

The output looks like this:


Domain Controller Diagnosis
Performing initial setup:
   Done gathering initial info.
Doing initial required tests
   Testing server: Default-First-Site-Name\”DOMAIN CONTROLLER”
      Starting test: Connectivity
         ......................... “DOMAIN CONTROLLER” passed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\”DOMAIN CONTROLLER”
      Starting test: Replications
         ......................... “DOMAIN CONTROLLER” passed test Replications
      Starting test: NCSecDesc
         ......................... “DOMAIN CONTROLLER” passed test NCSecDesc
      Starting test: NetLogons
         ......................... “DOMAIN CONTROLLER” passed test NetLogons
      Starting test: Advertising
         ......................... “DOMAIN CONTROLLER” passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... “DOMAIN CONTROLLER” passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... “DOMAIN CONTROLLER” passed test RidManager
      Starting test: MachineAccount
         ......................... “DOMAIN CONTROLLER” passed test MachineAccount
      Starting test: Services
         ......................... “DOMAIN CONTROLLER” passed test Services
      Starting test: ObjectsReplicated
         ......................... “DOMAIN CONTROLLER” passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... “DOMAIN CONTROLLER” passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... “DOMAIN CONTROLLER” failed test frsevent
      Starting test: kccevent
         ......................... “DOMAIN CONTROLLER” passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 08/17/2012   15:44:48
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 08/17/2012   15:44:50
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 08/17/2012   15:44:51
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 08/17/2012   15:44:52
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 08/17/2012   15:44:52
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 08/17/2012   15:44:52
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 08/17/2012   15:44:53
            (Event String could not be retrieved)
         ......................... “DOMAIN CONTROLLER” failed test systemlog
      Starting test: VerifyReferences
         ......................... “DOMAIN CONTROLLER” passed test VerifyReferences
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   Running partition tests on : nic
      Starting test: CrossRefValidation
         ......................... nic passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... nic passed test CheckSDRefDom
   Running enterprise tests on : nic.local
      Starting test: Intersite
         ......................... nic.local passed test Intersite
      Starting test: FsmoCheck
         ......................... nic.local passed test FsmoCheck


The failed tests above are due to past errors being in the event log from before the sysvol fix. If you’re having sysvol replication errors, you’ll see the replication tests failing, along with systemlog and frsevent failures.


To fix this, the intact sysvol folder needs to be forced to replicate across the domain. The process is as follows:

Stop the FRS service on all domain controllers.

Locate the Burflags entry under the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

Then change the BurFlags DWORD value to D4 on the “source” domain controller (the one holding the intact sysvol; D4 flags an authoritative restore) and to D2 on the other domain controllers (non-authoritative restore). Before doing this, take a backup of the sysvol folder, but make sure you store it on the same partition, otherwise permissions may change, and this would impact group policy if you had to restore it.

Then restart the FRS service on all domain controllers (the D4 one first) and wait for replication to occur. This can take up to a few hours, depending on the infrastructure, number of domain controllers, and size of the sysvol folder.


Afterwards, running

net share

at a command prompt will show you the shared folders on the domain controller – so once this replication is complete, you should see the sysvol and netlogon shares present.


Then you can also run DCDIAG tests on each domain controller to confirm.
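As an added example (not from the original post), the BurFlags procedure above as a PowerShell script run from an admin workstation: it backs up sysvol on the source DC to the same partition, stops FRS everywhere, sets D4 on the source and D2 on the rest, starts the source first, and then checks that the sysvol and netlogon shares are back. Domain Admin rights, the Remote Registry service on each DC, the admin share path and the DC names are assumptions.

```powershell
# Added example: drive the BurFlags steps from the post in the right order.
# Assumptions: Domain Admin rights, Remote Registry running on every DC, SYSVOL under
# C:\Windows on the source DC (adjust for Server 2003), DC names below are placeholders.
$AuthoritativeDc = 'DC1'             # placeholder: the DC with the intact sysvol
$OtherDcs        = @('DC2', 'DC3')   # placeholders: DCs that will be overwritten
$BurFlagsSubKey  = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$AllDcs          = @($AuthoritativeDc) + $OtherDcs

function Set-BurFlags([string]$Dc, [int]$Value) {
    # Write the BurFlags DWORD on a DC over Remote Registry
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Dc)
    $key  = $hive.OpenSubKey($BurFlagsSubKey, $true)
    if (-not $key) { throw "BurFlags key not found on $Dc" }
    $key.SetValue('BurFlags', $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close(); $hive.Close()
    Write-Host ("{0}: BurFlags set to 0x{1:X2}" -f $Dc, $Value)
}

function Set-FrsState([string]$Dc, [string]$State) {
    # Stop or start the File Replication Service on a DC and wait until it settles
    $svc = Get-Service -ComputerName $Dc -Name NtFrs
    if ($State -eq 'Stopped') { $svc.Stop() } else { $svc.Start() }
    $svc.WaitForStatus($State, (New-TimeSpan -Seconds 120))
    Write-Host "${Dc}: NtFrs is $State"
}

# 1. Back up sysvol on the source DC to the SAME partition, keeping ACLs (/COPYALL)
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
robocopy "\\$AuthoritativeDc\C$\Windows\SYSVOL" "\\$AuthoritativeDc\C$\SYSVOL_backup_$stamp" /E /COPYALL /R:1 /W:1 | Out-Null
if ($LASTEXITCODE -ge 8) { throw "sysvol backup failed (robocopy exit code $LASTEXITCODE); stopping" }

# 2. Stop FRS on every DC before touching BurFlags
foreach ($dc in $AllDcs) { Set-FrsState $dc 'Stopped' }

# 3. D4 = authoritative on the source, D2 = non-authoritative on the rest
Set-BurFlags $AuthoritativeDc 0xD4
foreach ($dc in $OtherDcs) { Set-BurFlags $dc 0xD2 }

# 4. Start the authoritative DC first so the others pull from it
Set-FrsState $AuthoritativeDc 'Running'
foreach ($dc in $OtherDcs) { Set-FrsState $dc 'Running' }

# 5. Replication can take hours; re-run this check until both shares appear on every DC
foreach ($dc in $AllDcs) {
    $shares = (Get-WmiObject -Class Win32_Share -ComputerName $dc).Name
    $ok = ($shares -contains 'SYSVOL') -and ($shares -contains 'NETLOGON')
    Write-Host ("{0}: SYSVOL and NETLOGON shared = {1}" -f $dc, $ok)
}
```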