Windows Time in a domain

Understanding time synchronization in a domain.
The domain controller that holds the PDC emulator role is the “primary time server” for the domain.
All other domain controllers get their time from the PDC emulator, and the workstations and member servers get their time from any domain controller. So think of the structure as a pyramid, with the PDC emulator DC on top, the other DCs at the second level, and workstations and member servers at the third level.
The PDC emulator should be getting its time from an external time source.
The best one these days is the multi-server (520 servers), round robin, “us.pool.ntp.org”.
A little side note: don’t use time.windows.com, it sucks, and don’t use military sites or university sites, as they have turned off external traffic to their time servers. I used to point to the time.cs.wisc.edu server, but that was 6 or 7 years ago. If you want to know more, I suggest you go to http://www.pool.ntp.org
So, on the cmd prompt on the pdc emulator domain controller, run this command.
W32tm /config /manualpeerlist:us.pool.ntp.org /syncfromflags:manual /reliable:yes /update
It should spit back “command completed successfully”.
Then stop and start the w32time service, either in the services control applet or at the cmd line like this:
Net stop w32time & Net start w32time
(The & sign means if the first line completes successfully, then run the second line. That was new for me too when I first saw it; I didn’t know you could throw Boolean logic at the cmd prompt.) You could also do a two-liner by typing “Net Stop w32time”, hitting enter, then typing “net start w32time”.
Then look in event viewer, you should see this:
[Event Viewer screenshot]
That’s good.
Then at the other domain controllers, member servers and workstations, if you restart the time service (not necessary, but a way to check it) you should see this:
[Screenshot]
What if it’s messed up? And you see something like this?
[Screenshot]
Or this?
[Screenshot]
Well, to fix all other servers, I issue this command:
w32tm /config /update /syncfromflags:DOMHIER
Similar to the other one, but this one says use the DOMAIN HIERARCHY.
Then restart the time service:
Net stop w32time & Net start w32time
Check the event viewer and all should be good.
I did see some ODD and incorrect things set up in Group Policy at PIC.
I saw this in the “General Client Policy” for the workstations:
[Group Policy screenshot]
Oh no…. I said…. And then I changed this setting to “Not Configured”
There is no need to modify this setting and you should use the normal domain hierarchy process.
This is why the time on all the client machines was different from the server’s.
I also saw the time service stopped on two servers…. That’s a big no no.
Kerberos is a time-sensitive authentication protocol: if the clocks are askew by more than 5 mins, the workstation/user can’t authenticate.
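The checks described above (service running, time coming from the hierarchy, clock inside the 5-minute Kerberos window) can be scripted. This is an added example, not part of the original post; it assumes Windows PowerShell on a domain-joined machine, and the parameter names and the 60-second warning threshold are illustrative choices.

```powershell
# Added example (not from the original post): time-sync health check for a domain member.
param(
    [string]$ReferenceServer,      # defaults to the PDC emulator (top of the pyramid)
    [int]$MaxSkewSeconds  = 300,   # the 5-minute Kerberos limit mentioned in the post
    [int]$WarnSkewSeconds = 60     # assumed early-warning threshold, tune to taste
)

Add-Type -AssemblyName System.DirectoryServices
if (-not $ReferenceServer) {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $ReferenceServer = $domain.PdcRoleOwner.Name
}

# 1. The time service has to be running, otherwise the clock just drifts.
$service = Get-Service -Name w32time
$source  = 'unknown (w32time not running)'
if ($service.Status -eq 'Running') {
    # 2. Ask w32time where it currently gets its time from.
    $source = (& w32tm /query /source | Out-String).Trim()
}

# 3. Measure the offset against the reference server; this does not set the clock.
$samples = & w32tm /stripchart "/computer:$ReferenceServer" /samples:3 /dataonly
$offsets = @(foreach ($line in $samples) {
    # Data lines typically look like "14:02:11, +00.0123456s"; error lines do not match.
    if ($line -match ',\s*([+-]\d+\.\d+)s') { [math]::Abs([double]$Matches[1]) }
})
$worst = $null
if ($offsets.Count -gt 0) { $worst = ($offsets | Measure-Object -Maximum).Maximum }

# 4. Turn the three observations into one verdict.
if ($service.Status -ne 'Running') { $status = 'FAIL: w32time stopped' }
elseif ($source -match 'Local CMOS Clock|Free-running System Clock') { $status = 'FAIL: no sync source' }
elseif ($null -eq $worst) { $status = 'FAIL: reference unreachable' }
elseif ($worst -ge $MaxSkewSeconds) { $status = 'FAIL: beyond Kerberos skew' }
elseif ($worst -ge $WarnSkewSeconds) { $status = 'WARN: drifting' }
else { $status = 'OK' }

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    Service       = $service.Status
    Source        = $source
    Reference     = $ReferenceServer
    OffsetSeconds = $worst
    Status        = $status
}
```

Saved as a script and run on each server, it emits one object per machine, so the results can be collected and sorted by Status to find stopped services or machines pointed at the wrong source.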
About Mike

owner of blog
This entry was posted in Active Directory.