Re: time sync from NTP in win 2003



Sorry if this post sounds like a "lecture", it's intended to be informative, not condescending or arrogant. A potential problem in newsgroups is that one does not necessarily know the state of knowledge and experience that the other posters (e.g. the one asking a question) actually have, thus there is always the possibility of "insulting the intelligence" of the seeker of knowledge!

I hope the following answers your questions and helps to understand how the time synchronization functions in a Windows domain - at least my understanding of available Microsoft documentation and my own experience.

As explained in the following quote from http://technet2.microsoft.com/windowsserver/en/library/517e74d7-40e9-41bd-93aa-48b610b936321033.mspx?mfr=true
"domhier", with respect to member computers (domain controllers are different), means synchronize time with ANY domain controller.

"By default, the computers on the network obtain the time from their authenticating domain controller."

On any domain member computer, the Environment Variable called "logonserver" holds the name of the "authenticating domain controller", which is not necessarily the Domain Controller holding the PDC FSMO Role. (The command - set logonserver - will report the name of the current "authenticating domain controller").

Domain Controllers on the other hand, use a more complicated algorithm to synchronize their time with a "reliable time source", which is, by default, the Domain Controller with the PDC Emulator FSMO Role.

Apart from curiosity, which in itself is valuable, why are you concerned about which Domain Controller the member computers use as the time source? The default configuration on clients and Domain Controllers (except for one, as explained below) normally works just fine. Here's a quote from http://technet2.microsoft.com/windowsserver/en/library/b43a025f-cce2-4c82-b3ea-3b95d482db3a1033.mspx?mfr=true

"In most cases, it is not necessary to configure the Windows Time service. "

For a more detailed explanation, take a look at http://technet2.microsoft.com/windowsserver/en/library/b43a025f-cce2-4c82-b3ea-3b95d482db3a1033.mspx?mfr=true, particularly the section "Windows Time Service Processes and Interactions", which is about half way through the article. Here's a quote from that section:

"As part of the time convergence process, domain members attempt to synchronize time with any domain controller located in the same domain. If the computer is a domain controller, it attempts to synchronize with a more authoritative domain controller."

The diagram in the subsequent section ("Domain Hierarchy-Based Synchronization") shows what the time synchronization hierarchy is. It shows that a member server or member workstation can synchronize time with ANY domain controller in their domain and will not necessarily synchronize with the one holding the PDC Emulator FSMO role. As long as a Domain Controller is set to be a "time source" (which all are by default), a member server or workstation may synchronize time with any of them.

One Domain Controller should be configured to be the "most reliable time source", quite often by manually configuring the one with the PDC Emulator FSMO role to synchronize with an external time source and marking it as "reliable" - see http://technet2.microsoft.com/windowsserver/en/library/ce8890cf-ef46-4931-8e4a-2fc5b4ddb0471033.mspx?mfr=true. If you don't do this, you will get Event Log entries stating that there is no "reliable" time source in the domain (at least on Windows Server 2008 - System Event Log - Source Time-Service, Event ID 12). As stated earlier, this does not make the Domain Controller holding the FSMO Role the ONLY source of time for member computers.

By default, the Domain Controller that has the PDC FSMO role is considered the one with the "most reliable time source" and is thus used by other Domain Controllers as the source of time. This can be changed manually. See for example, http://technet2.microsoft.com/windowsserver/en/library/f1d8b85d-2b4f-4acd-8c2e-259167b95e481033.mspx?mfr=true, which suggests manually configuring a Domain Controller that does not hold the PDC FSMO role as the "most reliable time source" - see http://technet2.microsoft.com/windowsserver/en/library/dd2ca576-2644-4b8c-9d3c-73802196ef9a1033.mspx?mfr=true and http://technet2.microsoft.com/windowsserver/en/library/4a63190b-c594-4d43-9195-e54e4cb89d251033.mspx?mfr=true.

--
Bruce Sanderson
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.



"DD" <darshan.diora@xxxxxxxxxxxxxxxxx> wrote in message news:u0j$mZgcIHA.5164@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
Domain hier means First Parent DC, then ADC, and in my case all the 5 FSMO roles are with server A and server B has no roles with it. This means that all members shall be taking their time from ServerA being a PDC, which doesn't happen. Also configured the server options in DHCP time server as server A but still all members of the domain show time source as Server B. After removing ADS from server B all the clients, members show correct time source as Server A but after adding a new serverC as an ADC all the clients take their time from ServerC despite it has not been configured anywhere to be a time source of my domain. Why is it so?

Regards
darshan

"Bruce Sanderson" <bsanders@xxxxxxxxxxxxxxxxx> wrote in message news:F1E42160-9273-4186-8EBE-AD1CC73A2603@xxxxxxxxxxxxxxxx
The default for domain members and Domain Controllers is to sync time with the "Domain Hierarchy", not the Domain Controller with the PDC Role. The page referenced by Marcin tells you how to set up the default and the PDC emulator to use an external time source.

Which Domain Controller is used by clients is not usually important because all of the Domain Controllers routinely synchronize their time amongst themselves, using the DC with the PDC emulator role as the ultimate source of true time. With just two Domain Controllers, DC B will sync time from DC A - the one with the PDC emulator role.

Just as which Domain Controller a particular computer uses for user credential authentication is not deterministic, so is which Domain Controller will be used as the source of time.

As long as:

1. the PDC emulator is configured to synchronize time from an "external source"
(e.g. using the command w32tm /config /syncfromflags:manual /manualpeerlist:time.nist.com /reliable:yes /update)
2. the other Domain Controllers are configured to synchronize with the "Domain Hierarchy" - which is the default
(can be set using the command w32tm /config /syncfromflags:domhier /update)
3. the other member computers are configured to synchronize with the - which is the default (same command as for 2.)

Your time synchronization should be in good shape. Except for doing 1. normally there is no need to adjust the Windows Time Service configuration - it just works - when a computer joins the domain, it is configured to synchronize with the Domain Controllers ("Domain Hierarchy").

If you really want (or need for some special reason) to force all your domain members to specifically synchronize time with a particular Domain Controller, you can do this using a GPO:

Computer Configuration
Administrative Templates
System
Windows Time Service
Enable Windows NTP Client

Bruce Sanderson
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.

"DD" <darshan.diora@xxxxxxxxxxxxxxxxx> wrote in message news:OvS$q$KcIHA.1212@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
Tried all the possibilities as posted in the link but no success. Whenever I shut down the server B which is an ADC the net time on any clients shows correct source as server A which is the parent DC but as soon as I start the ADC (serverB) it automatically shows the time source as ServerB. How can I resolve this as time source is actually Server A on which the time sync with external program is running.

Regards
darshan
"Marcin" <marcin@xxxxxxxxxxxxxxxx> wrote in message news:B57D1346-FE4F-4D76-A4A5-9DC1C2103DC7@xxxxxxxxxxxxxxxx
Darshan,
try steps outlined in the http://technet2.microsoft.com/windowsserver/en/library/f1d8b85d-2b4f-4acd-8c2e-259167b95e481033.mspx?mfr=true

hth
Marcin
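
Added example, not written by any poster in this thread: a PowerShell check that compares the local machine's Windows Time configuration with the three conditions listed above (PDC emulator on a manual, reliable external source; other Domain Controllers and members on the Domain Hierarchy). The function name `Test-TimeSyncConfig` is hypothetical; the script assumes PowerShell is installed and that the caller can read HKLM.

```powershell
# Added example (not from the thread). Run locally on a domain member or Domain Controller.
function Test-TimeSyncConfig {   # hypothetical helper name
    $svc    = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
    $params = Get-ItemProperty -Path "$svc\Parameters"
    $config = Get-ItemProperty -Path "$svc\Config"

    # DomainRole: 1/3 = member workstation/server, 4 = DC, 5 = DC holding the PDC emulator role
    $role     = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    $type     = $params.Type                              # NT5DS = domhier, NTP = manual peer list
    $reliable = ($config.AnnounceFlags -band 0x4) -ne 0   # bit set by /reliable:yes
    $findings = @()

    switch ($role) {
        5 {
            if ($type -ne 'NTP')        { $findings += "Type is '$type'; condition 1 expects NTP (external source)" }
            if (-not $params.NtpServer) { $findings += 'NtpServer (manual peer list) is empty' }
            if (-not $reliable)         { $findings += 'Not announced as a reliable time source' }
        }
        { 1, 3, 4 -contains $_ } {
            if ($type -ne 'NT5DS')      { $findings += "Type is '$type'; conditions 2 and 3 expect NT5DS (domhier)" }
        }
        default { $findings += 'Machine is not joined to a domain' }
    }

    # Values pushed by the "Windows Time Service" GPO are stored here and take precedence.
    if (Test-Path 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters') {
        $findings += 'GPO time settings present; they override the local values checked above'
    }

    New-Object PSObject -Property @{
        Computer    = $env:COMPUTERNAME
        LogonServer = $env:LOGONSERVER    # authenticating DC, as described in the thread
        DomainRole  = $role
        SyncType    = $type
        NtpServer   = $params.NtpServer
        Reliable    = $reliable
        Findings    = $findings           # empty when the machine matches the conditions
    }
}

Test-TimeSyncConfig | Format-List
```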





