Preventing a service from running during machine startup if DC not available

Hope to get some help on this:

My objective is to prevent an in-house developed service from running if Windows cannot connect to the domain controller during startup. The reason for this is that some old machines may have the wrong hardware time, and when they start up, if they are not able to communicate with the DC, their times will be wrong. Some down-level clients (devices using an embedded OS) get the time from these machines (Windows XP, Windows 7 Professional), and if the time is wrong and the service is running, the wrong time will be propagated, which can create havoc.

So, if it is possible to only allow the service to run if I am sure that the time is correct (that the machine has synchronized with a DC), then I can prevent down-level machines from synchronizing time with these Windows workstations.

Is it possible? For example, if machine authentication with DC fails during startup the service shall not start. Is there any Windows service that is dependent on machine authentication with DC (that can only run if machine authentication is successful)?

August 17th, 2015 4:39am

This is impossible or not that easy on the machine/directory side, I think. You might need to accomplish this with some scripts which run at startup and detect the authentication, then control the service.

Try to post in the scripting forum, some might be able to help with this over there:

https://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?forum=ITCG

August 18th, 2015 8:43am

Hi,

Just checking in to see if the above information was helpful.

Regards,

Eth

August 20th, 2015 10:00pm

Not helpful.

It simply says to post it at the programming/scripting forum.

If it can be achieved through Group Policy or a setting in Windows, it is a desirable solution. It is not desirable to play with scripts or programming to achieve that.

August 21st, 2015 2:04am

Sorry that it wasn't "helpful". Pointing out that it's impossible to achieve without any code actually is helpful :)

Anyway, I'm afraid this really cannot be accomplished with any group policy or a simple setting in Windows; this definitely needs some script to achieve it.

Will take a further look/do some tests later, and update if there is anything worthwhile. :)


August 21st, 2015 3:29am

Hi SingChung,

Your request is to check whether the client is able to communicate with or resolve the domain and, if and only if the domain is connected, to start the in-house service.

This check has to be initiated from the client system and not from the domain controller or any other server. The script can be published to all the clients to run through group policy, but that does not serve if the domain fails.

So, the script can be run with an "if" to check whether LDAP and DNS are connecting and then start the service; the service can be kept in a stopped state upon startup.

Or

You can write a simple script to check whether the time is correct and then start the service.

Thanks

Eric

August 21st, 2015 3:35am

I think you'll need PowerShell for this, so I am hoping your server OS is 2008R2 or later.

Step 1: discover whether your DC is alive. You could run remote PowerShell to see if the AD web service is alive...

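# Build the credential used for the remote call (note: the password is embedded in plaintext in this script)
$domaincred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "Contoso\administrator", (ConvertTo-SecureString "Passw0rd!" -AsPlainText -Force)

# Sleep 10 seconds, then check again, until the adws service on the DC reports Running
do { Start-Sleep -Seconds 10 }
until (Invoke-Command -ComputerName <<MyDC>> { Get-Service | where name -EQ adws | where status -EQ running } -Credential $domaincred -ErrorAction SilentlyContinue)
Write-Host "DC is alive"

# Start the AD-dependent service once the DC has answered
Start-Process -FilePath <<AD dependant service >> -ArgumentList <<switches as required>>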

Save this script as, say, start-<<Service>>.ps1

And then read up on how to get a PowerShell script to run on startup, by the Scripting Guy:

http://blogs.technet.com/b/heyscriptingguy/archive/2014/05/14/use-powershell-to-create-job-that-runs-at-startup.aspx

Hopefully this gets you started. Remember, PowerShell is the new DevOps thing for us IT Pros, so if you haven't played with it before, now is the time. Also, do mark this as an answer if it helps.

@deepfat

August 21st, 2015 3:43am
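The approach the replies above converge on (keep the service stopped at boot, start it only once the domain check passes), as an added example that is not code from any poster in the thread. It assumes the in-house service is named InHouseTimeService (hypothetical) and set to Manual start, that the script runs as SYSTEM from a startup script or scheduled task on Windows 7 or later, and that w32tm output is in English. Running as the computer account means no credential is stored in the script.

```powershell
# Added example: fail-closed startup gate for a service that hands out time.
$ServiceName = 'InHouseTimeService'   # hypothetical name; service StartupType must be Manual
$MaxWaitSec  = 600                    # assumption: give up after 10 minutes
$PollSec     = 15                     # assumption: retry interval

function Test-DomainTimeSync {
    # 1) The machine account's secure channel to a DC must verify.
    #    This uses the computer account, so no password is needed here.
    try {
        if (-not (Test-ComputerSecureChannel -ErrorAction Stop)) { return $false }
    } catch {
        return $false                 # DC unreachable or trust broken
    }

    # 2) Ask the Windows Time service to resync, then read its current source.
    & w32tm.exe /resync /nowait 2>&1 | Out-Null
    $source = (& w32tm.exe /query /source 2>&1 | Out-String).Trim()
    if ($LASTEXITCODE -ne 0 -or -not $source) { return $false }   # w32time not running

    # These sources mean the clock is still the local hardware clock,
    # i.e. exactly the case the original question wants to block.
    if ($source -match 'Local CMOS Clock|Free-running System Clock') { return $false }

    return $true
}

$deadline = (Get-Date).AddSeconds($MaxWaitSec)
while ((Get-Date) -lt $deadline) {
    if (Test-DomainTimeSync) {
        Start-Service -Name $ServiceName
        exit 0
    }
    Start-Sleep -Seconds $PollSec
}

# Fail closed: the service stays stopped, so down-level clients get no
# answer rather than a wrong time.
Write-Warning "Domain time sync not confirmed within $MaxWaitSec s; $ServiceName left stopped."
exit 1
```

The deadline is computed from the local clock, which may itself be wrong at this point; that only affects how long the script waits, not whether the service is started.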

This topic is archived. No further replies will be accepted.
