Channel: Directory Services forum

Failed to delete . The requested object has a non-unique identifier and cannot be retrieved.


Hello everybody,

I've already found a lot of articles regarding this topic but no solution for me. However, here is the problem:

1. Alternate DC was snapshotted and Snapshot was reverted (I know, I will never do it again)

2. USN Rollback was done (workaround with deleting Registry entry DSA Not writeable = 4, etc..)

3. DC Replication was running again

4. In Exchange 2010 a distribution group was created (successfully) - while trying to add group members the first error appeared

5. Group cannot be deleted with the following error: Failed to delete <AD-Group>. The requested object has a non-unique identifier and cannot be retrieved.

6. Demote of the alternate DC and metadata cleanup was done - the DC was promoted again - replication works fine

7. Still cannot delete group

8. While browsing the attributes of this group the following error appears:

Windows could not load values for all attributes.
Operation failed. Error Code: 0x2121
The search failed to retrieve attributes from the database.
00002121: SvcErr: DSID-03120493, Problem 5012(DIR_ERROR), data

Any help appreciated!


Password Reset denied on some accounts


We are implementing some self-service password reset software.  After a user authenticates with an existing password or security questions, a service account handles the password reset in Active Directory.  All of the users using this software are a part of the same OU that the service account targets to perform the reset.

Some of the users in that OU can reset their passwords fine via the service account.  Others get an "access denied" error message.  I am trying to figure out why this is.  I have reviewed the logs and see that the service account is targeting the user accounts in the same OU for successful resets and failed resets.

How can I determine why some password resets work for this service account and others fail for individuals who are in the same OU?  The service account has permissions to perform resets on the OU because it works for some people.

Any help is appreciated.

Windows 8.1 fails to join Domain where Windows 7 joins no problem


Hi All,

We have a Windows 2008 R2 Standard server running as a virtual on a Windows 2012 R2 Standard host.

The customer lost a mirror on the old server and didn't notice.  The remaining system drive corrupted and couldn't be brought back on-line.  The old server was rebuilt as a virtual server on a host and the data restored and brought on-line.

Points that may contribute:
1. The server was rebuilt using a slightly different name for the server.
2. The Active Directory was recreated using the same domain name as before EXCEPT the original domain
    was DM.local and now it is DM.US, both show as just DM.
3. Windows 7 PCs joined the domain effortlessly.
4. All Windows 8.1 PCs give a #53 DNS error and fail to join the domain.

I have recreated the DNS structure by deleting it and restarting the related services.  It made no difference. 
The DNS works as expected.

Does anyone know what may be causing this?

Thanx,
Mel


M

Error Issuing Replication 8453


I have a Forest DC "A"(Head of the tree) and 2 other Domains which are head of two trees "B" and "C"(By choosing "Add a new domain to an existing forest"). All of them DNS and GC.

All replications are fine and I can create whatever I want and see the replication in the other domains.

When I run this command in the Forest DC "A" Repadmin /syncall, I got all fine

When I run Repadmin /syncall in the Domain "B" I got this:

When I run Repadmin /syncall in the Domain "C" I got this:

The DNS configuration in the head Forest DNS

And I added the other Domains as secondary domains in the head forest DNS, but when I check them I get them with these settings: "Active Directory Integrated"

All of them can connect to each other by ping, there is no firewall between them, and all of them can see the others. All the following services are running and set to automatic (upnp, netlogin, SSDP discovery).

Please can you check and tell me where the problem is?


How to join AD domain via script?


Hello,

First of all I'd like to thank whoever is reading this and beg please of an answer.

So we want to join all computers to our Active Directory server. Problem is we have 5000 of them scattered in groups of 100 all over the world, so we'd like to send out CDs or some script via email to execute on each computer so that it joins %computername% to the domain after restart.

The problem is I'm no expert. I have no idea how to make one script join all computers with all different names.

Plus I'd have to add that computer manually to the Active Directory. Can it detect a connection attempt from an unknown computer automatically and then join it?

And if my reasoning is all wrong, is there a precedent for doing this? I mean an easy way to join computers?

Thank you in advance, I fear you are facepalming right now :)


windows server 2012 R2 essential for primary and secondary

Can we install Windows Server 2012 R2 Essentials on two servers to be primary and secondary domain controllers?

Merging Domain Accounts


Good Evening,

I am wondering how to merge my users previous domain accounts with their new domain accounts? We are transferring from one domain to another and I would like to make this transition as seamless as possible for my users.

Thanks

-Jacob

The DNS server recv() function failed. The event data contains the error.


We are getting the following error continuously on our Windows Server 2008 R2 server.

Event ID - 7050

Error message -

The DNS server recv() function failed. The event data contains the error.

Please help to restore the above issue.


Sysvol and NetLogon folders not shared after system state restore


Hello,

Can someone please help me fix the issue? I tried restoring system state data to a server running a fresh copy of Windows Server 2012 and the restore went through without errors; still, the sysvol and netlogon shares are not available.

My network topology is very simple since it contains only one domain controller, which holds all FSMO roles.

The dsa.msc snap-in ends up with a pop-up message: "Naming Information cannot be located because:
The server is not operational.
Contact your system administrator to verify that your domain is properly configured and is currently online."

The dcdiag /test:dns passed all the tests and Dcdiag returns the below error message.

C:\Users\TEMP>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = MBILL
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\MBILL
      Starting test: Connectivity
         ......................... MBILL passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\MBILL
      Starting test: Advertising
         Fatal Error:DsGetDcName (MBILL) call failed, error 1355
         The Locator could not find the server.
         ......................... MBILL failed test Advertising
      Starting test: FrsEvent
         ......................... MBILL passed test FrsEvent
      Starting test: DFSREvent
         ......................... MBILL passed test DFSREvent
      Starting test: SysVolCheck
         ......................... MBILL passed test SysVolCheck
      Starting test: KccEvent
         A warning event occurred.  EventID: 0x80000B46
            Time Generated: 01/23/2016   04:40:24
            Event String:
            The security of this directory server can be significantly enhanced
by configuring the server to reject SASL (Negotiate,  Kerberos, NTLM, or Digest)
 LDAP binds that do not request signing (integrity verification) and LDAP simple
 binds that  are performed on a cleartext (non-SSL/TLS-encrypted) connection.  E
ven if no clients are using such binds, configuring the server to reject them wi
ll improve the security of this server.
         ......................... MBILL passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... MBILL passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... MBILL passed test MachineAccount
      Starting test: NCSecDesc
         ......................... MBILL passed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\MBILL\netlogon)
         [MBILL] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... MBILL failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... MBILL passed test ObjectsReplicated
      Starting test: Replications
         ......................... MBILL passed test Replications
      Starting test: RidManager
         ......................... MBILL passed test RidManager
      Starting test: Services
         ......................... MBILL passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x00001695
            Time Generated: 01/23/2016   03:56:53
            Event String:
            Dynamic registration or deletion of one or more DNS records associat
ed with DNS domain 'VEE1BILL.COM.' failed.  These records are used by other comp
uters to locate this server as a domain controller (if the specified domain is a
n Active Directory domain) or as an LDAP server (if the specified domain is an a
pplication partition).
         A warning event occurred.  EventID: 0x00001695
            Time Generated: 01/23/2016   04:00:30
            Event String:
            Dynamic registration or deletion of one or more DNS records associat
ed with DNS domain 'ForestDnsZones.VEE1BILL.COM.' failed.  These records are use
d by other computers to locate this server as a domain controller (if the specif
ied domain is an Active Directory domain) or as an LDAP server (if the specified
 domain is an application partition).
         A warning event occurred.  EventID: 0x00001695
            Time Generated: 01/23/2016   04:00:54
            Event String:
            Dynamic registration or deletion of one or more DNS records associat
ed with DNS domain 'DomainDnsZones.VEE1BILL.COM.' failed.  These records are use
d by other computers to locate this server as a domain controller (if the specif
ied domain is an Active Directory domain) or as an LDAP server (if the specified
 domain is an application partition).
         An error event occurred.  EventID: 0xC00038D6
            Time Generated: 01/23/2016   04:44:20
            Event String:
            The DFS Namespace service could not initialize cross forest trust in
formation on this domain controller, but it will periodically retry the operatio
n. The return code is in the record data.
         An error event occurred.  EventID: 0xC00038D6
            Time Generated: 01/23/2016   05:44:32
            Event String:
            The DFS Namespace service could not initialize cross forest trust in
formation on this domain controller, but it will periodically retry the operatio
n. The return code is in the record data.
         An error event occurred.  EventID: 0xC00038D6
            Time Generated: 01/23/2016   06:44:44
            Event String:

The processing of Group Policy failed because of lack of network con
nectivity to a domain controller. This may be a transient condition. A success m
essage would be generated once the machine gets connected to the domain controll
er and Group Policy has successfully processed. If you do not see a success mess
age for several hours, then contact your administrator.
         ......................... MBILL failed test SystemLog
      Starting test: VerifyReferences
         ......................... MBILL passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : VEE1BILL
      Starting test: CheckSDRefDom
         ......................... VEE1BILL passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... VEE1BILL passed test CrossRefValidation

   Running enterprise tests on : VEE1BILL.COM
      Starting test: LocatorCheck
         Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
         A Global Catalog Server could not be located - All GC's are down.
         Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
         A Time Server could not be located.
         The server holding the PDC role is down.
         Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error
         1355
         A Good Time Server could not be located.
         Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
         A KDC could not be located - All the KDCs are down.
         ......................... VEE1BILL.COM failed test LocatorCheck
      Starting test: Intersite
         ......................... VEE1BILL.COM passed test Intersite

Separate secadmins and sysadmins


We want to create two separate admin roles; security admin and system admin. 

Security admin should only be able to configure logging and read the security log (using gpo or directly configuring each member server). 

System admin should be able to do more or less everything else except for configuring logging and reading security logs. For example: install software, configure various aspects of Windows, etc.

Is this even at all possible to accomplish? How? 



Windows AD, ADFS and O365


Hi,

We currently have a scenario with two sites (the live office and a redundancy office for disaster recovery). We replicate all important VMs and data daily to the offsite office so in case something happens, we can easily be up and running again.

Now we are planning to move to O365, also using SSO so users will not be asked for their credentials every time they need to log in. The challenge we are facing is how O365 will work with such a scenario. I mean if we cut off the live office and turn on the recovery office, the AD will be the one of the previous day. How will O365 tell that the second AD is genuine?

Because of license costs, we cannot afford to have two sites running at the same time. We only can have the main office working and switch on the recovery office only for testing and disaster recovery.

Any help will be appreciated!


Warning: no DNS RPC connectivity (error or non Microsoft DNS server is running)


I'm installing a 2008R2 DC on my network with 2 other existing 2003 servers.  I set up AD on the 2008 server and ran DCDIAG /v /c /d /e on one of the 2003 machines.

The 2008 server only did the AUTH part of the DNS and it returned:

Warning: no DNS RPC connectivity (error or non Microsoft DNS server is running)

                  [Error details: 5 (Type: Win32 - Description: Access is denied.)]

               Total query time:0 min. 0 sec.. Total RPC connection time:0 min. 0 sec.

               Total WMI connection time:0 min. 0 sec. Total Netuse connection time:0 min. 0 sec.

We are not running BIND, the firewall is disabled on the 2008 server, and there is no AV on the 2008 server, but there is AV on one of the 2003 servers, though not the one that I ran the DCDIAG on.

 

Disable Logon Locally and Interactively for A User (Not By GPO)


Hi!

I am going to define and use some accounts in a 2008 domain which are used for some SQL proxy accounts (running xp_cmdshell).

To say it briefly, these accounts should not be able to log in locally or remotely to domain computers.

They should have the log on as a batch job and log on as a service permissions on SQL servers (which they have).

I do not want to define a GPO just for this (or change the default domain policy) and add these 1 or 2 users to that (disabling logon locally).

Is there any property for a user, or a less dangerous way with few side effects, to prevent these users from logging on locally or interactively?

Forest trust


Hi All.

I have successfully built the forest trust between two forest root domains, abc and xyz, and now when I try to search for the users (Uabc) of domain abc in the xyz root domain, no success. In Active User and Computers of xyz I am able to find the abc domain in the drop-down but not able to find the user Uabc. The same goes for the opposite search; I checked by selecting the entire directory as well.

Please advise what I am missing.

Thanks

Aamir



NA

Access to another domain without trust



I created a LAB for testing.

I have two domains on the same network subnet. There is no trust relationship between them.

I created a file share on one domain and gave share privileges to SYSTEM, Administrator and Domain Administrator.

Now I can access this file share from the second domain.

How is that possible?


Additional UPN Suffix to Forest question


Hi,

The company I work for is currently in the process of migrating our regions of users from Exchange on Prem (a mix of 2007 and 2013).

One of the questions asked was if we were able to upload additional UPN suffixes that didn't match our DNS Domain name for our AD Forest and Child Domains, but were being used as primarySMTP addresses for some users. This is to assist with the logon experience for users being the same for everyone.

Currently we do not have additional UPN Suffixes added into our Production AD Forest. The reasons for this I do not know.

The people who would have had this historical knowledge are no longer with the company, so I'm trying to identify any technical reason or impact as to why I WOULD NOT add these additional UPN Suffixes to our forest?

For the most part, I cannot see issues other than applications that would only be able to utilise a DNS Domain name of one of our child/forest default UPN Suffixes.

Does anyone else have any other insight as to why this should not be done?

Hopefully I have clarified the issue well enough. Happy to give more detail if required.

Thanks in advance.
Simon

Moving computer objects (server) from default OU to a specific OU


Our computer objects are created in a specific OU by virtue of the redircmp command. This works well for workstations but not so for servers. Although the number of "workstation" objects created is far greater than "server" objects, I still would like the latter to not end up in the same OU because it mostly applies workstation-specific GPOs.

I expect my server "builders" to be more responsible and move their respective objects or pre-enter them in their specific OUs, but nonetheless I would like computer objects with server roles to be moved automatically to a "Servers" OU. Can this be done with a GPO? Also open to another solution. Please advise. THX

AD FS Account Lockouts Internal/External tracking


Good day,

We have a few users that are being locked out a few times a day.  The domain controller logs show the account tries to authenticate 5 times and then locks out.  Through the day, the account is authenticated unsuccessfully and most of the time does not reach 5 attempts before the 30 minute counter resets.  The 4740 MS Windows Security logs on the domain controller point to our ADFS server as the Caller Computer Name.  We turned on the extranet security feature last night and set the threshold to 4.  Our internal lockout policy is 5.  With a combination of 4 external and 5 internal attempts with a bad password, users are still being locked out.  I have gathered logs for a particular case I am working on today. Name, domain, servers names have all been.  We have Account Management, and Event logging turned on.  I also have turned on AD FS tracing to see if I can gather more logs for this user.  Any help or insight anyone can provide would be greatly appreciated.  My goal is to:

1. Find the source of the lockouts.

2. Prevent users from being locked out without compromising our security by increasing the lockout thresholds

Domain controller log

Event ID 4740
Source Microsoft Windows security
Log name Security
Task Category User Account Management
Computer COMPANYDC
1/26/2015 - 6:15 AM

A user account was locked out.

Subject:
 Security ID:  SYSTEM
 Account Name:  COMPANYDC$
 Account Domain:  COMPANY
 Logon ID:  0x3E7

Account That Was Locked Out:
 Security ID:  COMPANY\johndoe
 Account Name:  johndoe

Additional Information:
 Caller Computer Name: ADFSSERVER

~~~~~~~~~

Event log from ADFSSERVER


EVENT ID 516
Source AD FS Auditing
Log name Security
Task Category 3
Computer ADFSSERVER
1/26/2016 - 6:07 AM

The following user account has been locked out due to too many bad password attempts.

Additional Data

Activity ID: 00000000-0000-0000-0000-000000000000

User:
johndoe@company.com

Client IP:
190.115.180.232,157.56.238.252
nBad Password Count:
4
nLast Bad Password Attempt:
1/26/2016
~~~~~~~~~
Other Event ID 512/516 since 6:15 AM

Client IP:
190.115.179.140,157.56.238.252

Client IP:
206.16.109.48,132.245.38.237

~~~~~~~~~

Event ID 411
Source AD FS Auditing
Log name Security
Computer ADFSSERVER
1/26/2015

Token validation failed. See inner exception for more details.

Additional Data

Activity ID: 00000000-0000-0000-0000-000000000000

Token Type:
http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName 

Error message:
johndoe@company.com-The user name or password is incorrect

Exception details:
System.IdentityModel.Tokens.SecurityTokenValidationException: johndoe@company.com ---> System.ComponentModel.Win32Exception: The user name or password is incorrect
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)

System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)

~~~~~~~~~

EVENT ID 4625
Source Microsoft Windows Security
Log name Security
Task Category Logon
Computer ADFSSERVER
1/26/2015 - 6:15 AM

An account failed to log on.

Subject:
 Security ID:  COMPANY\adfs
 Account Name:  adfs
 Account Domain:  COMPANY
 Logon ID:  0x95292

Logon Type:   3

Account For Which Logon Failed:
 Security ID:  NULL SID
 Account Name:  johndoe@company.com
 Account Domain:  

Failure Information:
 Failure Reason:  Unknown user name or bad password.
 Status:   0xC000006D
 Sub Status:  0xC000006A

Process Information:
 Caller Process ID: 0xe08
 Caller Process Name: C:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe

Network Information:
 Workstation Name: ADFSSERVER
 Source Network Address: -
 Source Port:  -

Detailed Authentication Information:
 Logon Process:  W
 Authentication Package: Negotiate
 Transited Services: -
 Package Name (NTLM only): -
 Key Length:  0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
 - Transited services indicate which intermediate services have participated in this logon request.
 - Package name indicates which sub-protocol was used among the NTLM protocols.
 - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

~~~~~~~~~

EVENT ID 342
Source AD FS
Log name AD FS/Admin
Task Category Logon
Computer ADFSSERVER
1/26/2015 - 6:15 AM

Token validation failed. 

Additional Data

Token Type:
http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName
%Error message:
johndoe@company.com-The user name or password is incorrect

Exception details:
System.IdentityModel.Tokens.SecurityTokenValidationException: johndoe@company.com ---> System.ComponentModel.Win32Exception: The user name or password is incorrect
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)

System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)

NETLOGON share folder not visible on my domain controller windows 2008 R2


Hi,

For the last few days we have been facing a lot of issues with user password replication and computer account logon. Could anybody help me resolve this issue? While diagnosing the server, I came to know the netlogon share folder is not available on my domain controller. I have even changed the registry value of the Netlogon parameters (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters)...

Please help to resolve this issue....

Net Time


Hi,

I have a question about the Net Time program. Can this program be used to synchronize times on 2 or more PCs over a local area lan network without connecting to the internet? I would designate one computer as the master time server and the others would be slaves to it. Can Net Time be used in this way and how would it be set up?

Thank you,

Mike
