Wednesday, March 05, 2014

Time Synchronization in Active Directory


Excuse me, do you have the time?  Well, you had better if you are an Active Directory administrator.  Next to DNS, time synchronization is one of the most important dependencies of Active Directory.  By default, Kerberos tolerates a clock skew of up to five minutes between the machines on your network.  If the difference exceeds five minutes, Kerberos authentication fails: clients will be unable to log on, and replication between domain controllers (which also authenticates with Kerberos) will stop.
Since time is so vital, Active Directory implements a time synchronization hierarchy based on the Network Time Protocol (NTP).  The hierarchy ensures that every machine in the forest keeps a synchronized clock.  Every Windows 2000 or newer machine runs the Windows Time service (w32time) to synchronize its clock.
Below is an outline of how time synchronization works.
  1. The forest root domain PDC emulator synchronizes its clock with a reliable outside time source.
  2. Every child domain PDC emulator synchronizes its clock with the PDC emulator of its parent domain.
  3. Each domain controller synchronizes its clock with the PDC emulator of its domain.
  4. Each domain computer synchronizes its clock with the domain controller it authenticates to.

You shouldn’t need to configure the w32time service on any server other than your forest root PDC emulator; every other machine follows the domain hierarchy automatically.  From my experience, companies that elected to use a different time sync hierarchy than the one outlined above later ended up suffering from Kerberos issues.
Out in the field, I have also noticed that when companies transfer the PDC emulator FSMO role to another server, they forget to reconfigure the w32time service.  The new role holder keeps syncing from the domain hierarchy, and the old one keeps pointing at the external source, so the forest ends up with no proper root for its time hierarchy.
Reconfiguring your PDC emulator is fairly simple.  First find a dedicated (reliable) external time source.  In this example we will be using the NTP Pool Project.
First open an elevated command prompt on the PDC emulator. (Start>Run>CMD)
Next enter the following commands:
C:\> w32tm /config /manualpeerlist:"0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org" /syncfromflags:manual
C:\> w32tm /config /update
C:\> w32tm /resync
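The same procedure as a PowerShell script, added here as an example and not part of the original post. It finds the forest root PDC emulator itself instead of trusting a hand-typed server name, adds the /reliable:yes flag so the PDC emulator advertises itself as a good time source, and includes a second function for the case mentioned above: returning a former PDC emulator to the domain hierarchy after a FSMO transfer. It assumes the RSAT ActiveDirectory module, PowerShell remoting to the domain controllers, and Domain Admin rights; the pool.ntp.org hosts are the ones from the commands above, and the 0x8 (client mode) peer flag is w32tm's documented flag for one-way external peers.

```powershell
# Added example (not from the original post). Configures the forest-root PDC emulator
# against an external NTP source and, optionally, returns a former PDC emulator to the
# domain hierarchy. Assumes: RSAT ActiveDirectory module, PS remoting, Domain Admin.
Import-Module ActiveDirectory

# Same pool servers as the post; ",0x8" = client mode so the peer is only polled.
$Peers = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8'

function Get-RootPdcEmulator {
    # The forest root domain's PDC emulator is the top of the time hierarchy.
    $root = (Get-ADForest).RootDomain
    (Get-ADDomain -Identity $root).PDCEmulator
}

function Set-ExternalTimeSource {
    param(
        [Parameter(Mandatory)] [string]$ComputerName,
        [Parameter(Mandatory)] [string]$PeerList
    )
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($peers)
        # /reliable:yes marks this DC as a reliable source for the rest of the forest.
        w32tm /config "/manualpeerlist:$peers" /syncfromflags:manual /reliable:yes /update
        if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed with exit code $LASTEXITCODE" }
        Restart-Service w32time
        w32tm /resync
        # Verification: the source should now be one of the external peers.
        w32tm /query /source
    } -ArgumentList $PeerList
}

function Reset-DomainHierarchyTimeSource {
    # Run against the OLD PDC emulator after transferring the role; otherwise it keeps
    # acting as a second, competing root of the time hierarchy.
    param([Parameter(Mandatory)] [string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        w32tm /config /syncfromflags:domhier /reliable:no /update
        if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed with exit code $LASTEXITCODE" }
        Restart-Service w32time
        w32tm /resync
        # Verification: the source should now be another domain controller.
        w32tm /query /source
    }
}

$pdc = Get-RootPdcEmulator
Write-Host "Forest root PDC emulator: $pdc"
Set-ExternalTimeSource -ComputerName $pdc -PeerList $Peers
# After a FSMO transfer, also run:
# Reset-DomainHierarchyTimeSource -ComputerName 'old-pdc.corp.example'   # hypothetical host name
```

The PDC emulator needs outbound UDP/123 to the peers for this to work; if `w32tm /query /source` still reports "Local CMOS Clock" or "Free-running System Clock" after the resync, the peers are unreachable and the rest of the forest will drift along with that one machine.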

For more information about configuring your time source see the following articles.
http://support.microsoft.com/kb/262680
http://support.microsoft.com/?id=816042
For troubleshooting time sync issues, the w32time service logs events to the System event log.  The w32tm /monitor and w32tm /stripchart /computer:TargetMachineName commands are often useful for troubleshooting as well.
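To turn that into a quick skew check across the whole domain, the following script (an added example, not from the original post) runs w32tm /stripchart against every domain controller, parses the offsets from its /dataonly output, and flags any DC that is more than five minutes (the Kerberos default described above) away from the machine you run it on. It assumes the RSAT ActiveDirectory module and UDP/123 reachability to the DCs; the sample output fed to the parser at the end is constructed for illustration.

```powershell
# Added example (not from the original post): clock-offset check of all DCs using
# "w32tm /stripchart ... /dataonly". Assumes RSAT ActiveDirectory module and UDP/123 access.
Import-Module ActiveDirectory

function ConvertFrom-StripchartOutput {
    # /dataonly data lines look like "10:15:02, +00.0031250s"; header lines have no offset.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match ',\s*([+-]?\d+\.\d+)s\s*$') { [double]$Matches[1] }
    }
}

function Get-DcClockOffset {
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName),
        [int]$Samples = 3,
        [double]$MaxSkewSeconds = 300   # Kerberos MaxClockSkew default: five minutes
    )
    foreach ($dc in $DomainController) {
        # 2>&1 so "unreachable" errors become text instead of terminating the loop.
        $raw = w32tm /stripchart "/computer:$dc" "/samples:$Samples" /dataonly 2>&1
        $offsets = @(ConvertFrom-StripchartOutput -Lines ($raw | ForEach-Object { "$_" }))
        if ($offsets.Count -eq 0) {
            [pscustomobject]@{ DomainController = $dc; OffsetSeconds = $null; Status = 'UNREACHABLE' }
            continue
        }
        $avg = ($offsets | Measure-Object -Average).Average
        [pscustomobject]@{
            DomainController = $dc
            OffsetSeconds    = [math]::Round($avg, 3)
            Status           = if ([math]::Abs($avg) -gt $MaxSkewSeconds) { 'EXCEEDS KERBEROS SKEW' } else { 'OK' }
        }
    }
}

# Constructed sample output, so the parser can be exercised without any network access.
$sample = @(
    'Tracking dc1.corp.example [10.0.0.1:123].',
    'Collecting 3 samples.',
    'The current time is 05/03/2014 10:15:02.',
    '10:15:02, +00.0031250s',
    '10:15:04, +00.0028100s',
    '10:15:06, +00.0029870s'
)
ConvertFrom-StripchartOutput -Lines $sample

# Live check against every DC in the domain.
Get-DcClockOffset | Format-Table -AutoSize
```

The offsets are relative to the clock of the machine running the script, so run it from the PDC emulator (or another DC you have just confirmed is in sync) to get meaningful numbers; a DC that shows up as UNREACHABLE is usually a firewall blocking UDP/123 rather than a time problem.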
