Top Rules for the Workplace

  1. Never give me work in the morning. Always wait until 4:00 and then bring it to me. The challenge of a deadline is refreshing.
  2. If it's really a rush job, run in and interrupt me every 10 minutes to inquire how it's going. That helps. Or even better, hover behind me, advising me at every keystroke.
  3. Always leave without telling anyone where you're going. It gives me a chance to be creative when someone asks where you are.
  4. If my arms are full of papers, boxes, books, or supplies, don't open the door for me. I need to learn how to function as a paraplegic and opening doors with no arms is good training in case I should ever be injured and lose all use of my limbs.
  5. If you give me more than one job to do, don't tell me which is priority. I am psychic.
  6. Do your best to keep me late. I adore this office and really have nowhere to go or anything to do. I have no life beyond work.
  7. If a job I do pleases you, keep it a secret. If that gets out, it could mean a promotion.
  8. If you don't like my work, tell everyone. I like my name to be popular in conversations. I was born to be whipped.
  9. If you have special instructions for a job, don't write them down. In fact, save them until the job is almost done. No use confusing me with useful information.
  10. Never introduce me to the people you're with. I have no right to know anything. In the corporate food chain, I am plankton. When you refer to them later, my shrewd deductions will identify them.
  11. Be nice to me only when the job I'm doing for you could really change your life and send you straight to managers' hell.
  12. Tell me all your little problems. No one else has any and it's nice to know someone is less fortunate. I especially like the story about having to pay so much taxes on the bonus check you received for being such a good manager.
  13. Wait until my yearly review and THEN tell me what my goals SHOULD have been. Give me a mediocre performance rating with a cost of living increase. I'm not here for the money anyway.

Network Level Authentication with Windows XP SP3

When you use Remote Desktop from Windows XP SP3 to connect to a Windows Vista or Windows Server 2008 computer that requires Network Level Authentication (NLA), you might run into the following error:

"The remote computer requires Network Level Authentication, which your computer does not support. For assistance, contact your system administrator or technical support."

The problem arises because the Security Provider in Windows XP designed to handle NLA is turned off by default. Don't ask me why. The provider is called "CredSSP" and according to Microsoft here is what it does:

"CredSSP is a new Security Service Provider (SSP) that is available in Windows XP SP3 by using the Security Service Provider Interface (SSPI). CredSSP enables a program to use client-side SSP to delegate user credentials from the client computer to the target server. (The target server is accessed by using server-side SSP). Windows XP SP3 involves only the client-side SSP implementation. The client-side SSP implementation is currently being used by Remote Desktop Protocol (RDP) 6.1 Terminal Services (TS). However, the client-side SSP implementation can be used by any third-party program that is willing to use the client-side SSP to interact with programs that are running server-side SSP implementations in Windows Vista or in Windows Server 2008."

However, the good news is Microsoft also provides a very detailed process on how to turn on CredSSP. I have provided a link to the KB article that describes how to turn on CredSSP. Follow the process under "How to Turn on CredSSP" and the message should be resolved.

http://support.microsoft.com/kb/951608
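NLA is worth turning on from the server side because the client has to authenticate (through CredSSP) before the server builds a full session, so unauthenticated connections never reach the logon screen. The PowerShell snippet below is an added example, not something from this post or from the KB article: it reads the two registry entries that KB951608 has you edit ("Security Packages" under Control\Lsa and "SecurityProviders" under Control\SecurityProviders) and reports whether the client-side CredSSP pieces, tspkg and credssp.dll, are registered. It assumes PowerShell 2.0 has been installed on the XP client, which is not the case by default; the same values can be inspected with reg query from a cmd prompt.

```powershell
# Added example (not from the post or from Microsoft): read-only check for the
# two registry entries KB951608 uses to enable client-side CredSSP on XP SP3.
# Value names and locations are the ones named in that KB article.

$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$spPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'

# "Security Packages" is a REG_MULTI_SZ, exposed by PowerShell as a string array.
$packages = (Get-ItemProperty -Path $lsaPath -Name 'Security Packages').'Security Packages'
$hasTspkg = [bool]($packages | Where-Object { $_ -ieq 'tspkg' })

# "SecurityProviders" is a single comma-separated REG_SZ.
$providers  = (Get-ItemProperty -Path $spPath -Name 'SecurityProviders').SecurityProviders
$hasCredSsp = [bool]($providers -split ',' |
                     ForEach-Object { $_.Trim() } |
                     Where-Object { $_ -ieq 'credssp.dll' })

if ($hasTspkg -and $hasCredSsp) {
    'CredSSP is registered on this client; NLA should negotiate after a reboot.'
} else {
    if (-not $hasTspkg)   { 'Missing: "tspkg" in Security Packages (see KB951608).' }
    if (-not $hasCredSsp) { 'Missing: "credssp.dll" in SecurityProviders (see KB951608).' }
}
```

Run it from an elevated prompt after following the KB steps and rebooting; if either line reports "Missing", the edit did not take and the NLA error will keep appearing.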

-Brent

Time Problem with Domain Controller in Hyper-V

NOTE: When I refer to the PDC or Primary Domain Controller, I mean the PDC Emulator Master, one of the FSMO roles. The original concept of a PDC was discontinued before Windows 2000's release.

I ran across this problem at home, where I have a Hyper-V server that runs all of my other servers, one of which is our home Domain Controller. It is also the Primary Domain Controller, which means that by default it provides NTP and time synchronization services for the rest of the domain, and in some cases the network. By default, when you set up a new domain the NTP service is installed and configured. If for some reason this is not the case, see the following TechNet article:

http://technet.microsoft.com/en-us/library/cc786897.aspx

If you are not familiar with Hyper-V, you should know that Hyper-V, just like VMware, installs "Integration" or "Client" tools, which is really just a fancy term for drivers and services that enhance guest-to-host communication. Typically, as part of these tools, the time service in the guest server synchronizes itself with the host machine, primarily because the host has the motherboard with the CMOS battery that allows the computer to keep time. Again, this is a great idea; otherwise your guests might get out of whack.

The problem comes in when your Primary Domain Controller (PDC), which provides time service to client machines, runs as a guest on a host computer that is a member of the same domain but is not itself a domain controller. The time service keeps synchronizing the guest (the PDC) with the host, when in reality the host should be getting its time from the PDC. The PDC in turn should synchronize with an external NTP server or pool. (Read: http://en.wikipedia.org/wiki/Primary_Domain_Controller).

So, over time the clocks of both machines either speed up or slow down; either way, neither keeps proper time. Eventually this causes major problems, especially for laptops that travel and, as a last resort, try to sync with another time server instead, because once you bring one back onto the domain with its clock outside the 10 minute difference window, it stops all communication.

My Fix:

I actually have two. The first tells the host machine to look at an NTP pool and not talk to the domain for time information. The second disables the Hyper-V Time Synchronization service, thereby allowing the virtual machine to look to an external NTP pool and get the right time. See below for the steps:

NOTE: These changes all take place from the host machine and not the virtual domain controller!

Fix 1 – Change NTP Settings:

NOTE: This solution modifies the registry. Make sure you know what you're doing, as no one else can be held responsible for killing YOUR computer.

  • Stop the Time Service; you can use the Service Control Manager MMC Snap-In or, at the cmd prompt: "net stop w32time"
  • Open the registry editor: Start, Run, "regedit"
  • Browse to the following key: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters"
  • Change the value "Type" from "NT5DS" to "NTP". If you do not have NT5DS, I would stop now!
  • By default Windows uses the Microsoft NTP pool. For most this is fine. If you want to use a larger, community-run pool, I suggest doing the following:
    • Change the value "NtpServer" to "north-america.pool.ntp.org" (see http://www.pool.ntp.org for other pools around the world)
    • Browse to the following key: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config"
    • Change the value "AnnounceFlags" from "10" to "5"
  • Close the registry editor
  • Start the Time Service; you can again use the MMC Snap-In or "net start w32time"
  • Normally it can take a while for the time to update itself, but we can override this and force it to run. Do the following:
    • From the cmd prompt: "w32tm /resync /rediscover"
    • If it fails to sync the first time, run it again; I have had problems where this sometimes fails the first time.
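The same steps as an added PowerShell script (mine, not Brent's commands), run from an elevated prompt on the Hyper-V host. It uses the registry locations, value names and data from the steps above, bails out if the host is not in the NT5DS starting state the steps assume, and retries the resync a few times because of the first-attempt failure mentioned above. The pool host name is the one suggested above and can be swapped for any other pool.

```powershell
# Added example (not the post's own commands): "Fix 1" as a script for the
# Hyper-V host. Registry paths, value names and data are those in the post.

$paramsPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$configPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$ntpPool    = 'north-america.pool.ntp.org'   # any pool from pool.ntp.org works

# Only proceed from the domain-hierarchy (NT5DS) state the procedure is written for.
$currentType = (Get-ItemProperty -Path $paramsPath -Name Type).Type
if ($currentType -ne 'NT5DS') {
    throw "W32Time Type is '$currentType', not 'NT5DS'; stopping as the post advises."
}

Stop-Service -Name w32time

# Switch from domain-hierarchy sync to a manually configured NTP peer.
Set-ItemProperty -Path $paramsPath -Name Type      -Value 'NTP'
Set-ItemProperty -Path $paramsPath -Name NtpServer -Value $ntpPool
# AnnounceFlags 5 advertises this host as a reliable time source (was 10 / 0xA).
Set-ItemProperty -Path $configPath -Name AnnounceFlags -Value 5 -Type DWord

Start-Service -Name w32time

# Force an immediate resync; retry because the first attempt sometimes fails.
$synced = $false
for ($attempt = 1; ($attempt -le 3) -and (-not $synced); $attempt++) {
    w32tm /resync /rediscover | Out-Null
    if ($LASTEXITCODE -eq 0) { $synced = $true } else { Start-Sleep -Seconds 5 }
}

if ($synced) {
    # Show which source the service actually settled on (should be the pool).
    w32tm /query /source
} else {
    Write-Warning 'w32tm /resync failed 3 times; check the System event log for W32Time events.'
}
```

Two things to keep in mind. The supported way to make the same change without touching the registry is w32tm /config /manualpeerlist:"north-america.pool.ntp.org" /syncfromflags:manual /reliable:yes /update followed by w32tm /resync, which writes the same values. And because the host is a domain member, the Windows Time Service Group Policy settings (Computer Configuration, Administrative Templates, System, Windows Time Service) can overwrite these values at the next policy refresh, so check w32tm /query /source again after a refresh if the host drifts back to domain time.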

Fix 2 – Disable Integration Service Time Settings:

  1. Open the Hyper-V MMC Snap-In
  2. Select the Virtual Machine running your Active Directory
  3. Right-Click on the machine and select "Settings"
  4. Under "Management" select "Integration Services"
  5. Uncheck Time Synchronization
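For hosts with the Hyper-V PowerShell module (Windows Server 2012 and later; the host described in this post only has the MMC snap-in), the same change can be scripted and verified. This is an added example, not part of the post; "DC01" is a placeholder VM name.

```powershell
# Added example, not part of the post: "Fix 2" from PowerShell on the host.
# Assumes the Hyper-V module (Server 2012+). 'DC01' is a placeholder VM name.

$vmName = 'DC01'

# The integration service the post unticks is named "Time Synchronization".
Disable-VMIntegrationService -VMName $vmName -Name 'Time Synchronization'

# Confirm the change took: Enabled should now read False.
Get-VMIntegrationService -VMName $vmName -Name 'Time Synchronization' |
    Select-Object VMName, Name, Enabled
```

After this, the PDC Emulator inside the VM needs a source of its own, since it no longer gets time from the host; inside the guest, w32tm /config /manualpeerlist:"north-america.pool.ntp.org" /syncfromflags:manual /reliable:yes /update followed by w32tm /resync points it at the external pool.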

So from the steps above, the obvious choice should be Fix 2: it's much simpler, and you don't have to deal with the registry or the time service. Just remember that the virtual machine by default will not have a battery to keep track of the time. So if you take a DC offline for a day or two, the clock will be totally off, because you have disabled the time synchronization service. Lastly, if you have multiple virtual domain controllers on different host machines, you only need to make the change to the domain controller that serves as the PDC Emulator, because everything else will flow downhill and get the proper time.

-Brent