Re: NTP in Win 2003 domains (awaiting response of my previous post)



Hello DD,

Even if the PDCEmulator is the highest instance for the time in a domain, this does not mean that all machines synchronize only with it.

Windows includes W32Time, the Time Service tool that is required by the Kerberos authentication protocol. The purpose of the Windows Time service is to make sure that all computers that are running Microsoft Windows 2000 or later versions in an organization use a common time.

To guarantee appropriate common time usage, the Windows Time service uses a hierarchical relationship that controls authority, and the Windows Time service does not permit loops. By default, Windows-based computers use the following hierarchy:

- All client desktop computers nominate the authenticating domain controller as their in-bound time partner.
- All member servers follow the same process that client desktop computers follow.
- All domain controllers in a domain nominate the primary domain controller (PDC) operations master as their in-bound time partner.
- All PDC operations masters follow the hierarchy of domains in the selection of their in-bound time partner.

In this hierarchy, the PDC operations master at the root of the forest becomes authoritative for the organization. We highly recommend that you configure the authoritative time server to gather the time from a hardware source. When you configure the authoritative time server to sync with an Internet time source, there is no authentication. We also recommend that you reduce your time correction settings for your servers and stand-alone clients. These recommendations provide more accuracy and security to your domain.

PDCEmulator
http://technet2.microsoft.com/WindowsServer/en/library/ce8890cf-ef46-4931-8e4a-2fc5b4ddb0471033.mspx?mfr=true

Member/Client
http://technet2.microsoft.com/WindowsServer/f/?en/library/8990703a-a197-4717-b6e5-b7406d9f91f01033.mspx


Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Hi,
Domain hier means First Parent DC, then ADC, and in my case all the 5 FSMO roles are with server A and server B has no roles with it. This means that all members shall be taking their time from ServerA being a PDC, which doesn't happen. Also configured the server options in DHCP | time server as server A but still all members of the domain show time source as Server B. After removing ADS from server B all the clients, members show correct time source as Server A, but after adding a new serverC as an ADC all the clients take their time from ServerC despite it has not been configured anywhere to be a time source of my domain. Why is it so?
Regards
darshan

"Bruce Sanderson" <bsanders@xxxxxxxxxxxxxxxxx> wrote in message
news:F1E42160-9273-4186-8EBE-AD1CC73A2603@xxxxxxxxxxxxxxxx

The default for domain members and Domain Controllers is to sync time with the "Domain Hierarchy", not the Domain Controller with the PDC Role. The page referenced by Marcin tells you how to set up the default and the PDC emulator to use an external time source.

Which Domain Controller is used by clients is not usually important because all of the Domain Controllers routinely synchronize their time amongst themselves, using the DC with the PDC emulator role as the ultimate source of true time. With just two Domain Controllers, DC B will sync time from DC A - the one with the PDC emulator role.

Just as which Domain Controller a particular computer uses for user credential authentication is not deterministic, so is which Domain Controller will be used as the source of time.

As long as:

1. the PDC emulator is configured to synchronize time from an "external source"
   (e.g. using the command w32tm /config /syncfromflags:manual /manualpeerlist:time.nist.com /reliable:yes /update)
2. the other Domain Controllers are configured to synchronize with the "Domain Hierarchy" - which is the default
   (can be set using the command w32tm /config /syncfromflags:domhier /update)
3. the other member computers are configured to synchronize with the - which is the default (same command as for 2.)

Your time synchronization should be in good shape. Except for doing 1. normally there is no need to adjust the Windows Time Service configuration - it just works - when a computer joins the domain, it is configured to synchronize with the Domain Controllers ("Domain Hierarchy").

If you really want (or need for some special reason) to force all your domain members to specifically synchronize time with a particular Domain Controller, you can do this using a GPO:

Computer Configuration
  Administrative Templates
    System
      Windows Time Service
        Enable Windows NTP Client

Bruce Sanderson
http://members.shaw.ca/bsanders
It is perfectly useless to know the right answer to the wrong question.

"DD" <darshan.diora@xxxxxxxxxxxxxxxxx> wrote in message
news:OvS$q$KcIHA.1212@xxxxxxxxxxxxxxxxxxxxxxx

Hi,
Tried all the possibilities as posted in the link but no success. Whenever I shut down the server B, which is an ADC, the net time on any clients shows correct source as server A, which is the parent DC, but as soon as I start the ADC (serverB) it automatically shows the time source as ServerB. How can I resolve this, as time source is actually Server A on which the time sync with external program is running?
Regards
darshan

"Marcin" <marcin@xxxxxxxxxxxxxxxx> wrote in message
news:B57D1346-FE4F-4D76-A4A5-9DC1C2103DC7@xxxxxxxxxxxxxxxx
Darshan,
try steps outlined in the
http://technet2.microsoft.com/windowsserver/en/library/f1d8b85d-2b4f-4acd-8c2e-259167b95e481033.mspx?mfr=true
hth
Marcin
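
A way to check one machine's Windows Time settings against the hierarchy and recommendations discussed in this thread, as an added example that is not part of any poster's message. It assumes Windows PowerShell is installed; the function names, the 3600-second correction limit and the sample host name are illustrative assumptions.

```powershell
# Added example (not from the thread): audit W32Time settings on one machine.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

function Get-TimeConfig {
    # Live read of the local machine. DomainRole 5 = DC holding the PDC emulator role.
    $p = Get-ItemProperty "$svc\Parameters"
    $c = Get-ItemProperty "$svc\Config"
    @{
        DomainRole = [int](Get-WmiObject Win32_ComputerSystem).DomainRole
        Type       = $p.Type        # NT5DS = domain hierarchy, NTP = manual peer list
        NtpServer  = $p.NtpServer
        MaxPos     = [long]$c.MaxPosPhaseCorrection
        MaxNeg     = [long]$c.MaxNegPhaseCorrection
    }
}

function Test-TimeConfig($cfg, [long]$LimitSeconds = 3600) {  # limit is an assumed policy value
    $out    = @()
    $joined = (1, 3, 4, 5) -contains $cfg.DomainRole          # domain-joined roles
    $isPdc  = $cfg.DomainRole -eq 5
    if ($joined -and -not $isPdc -and $cfg.Type -ne 'NT5DS') {
        $out += "Type=$($cfg.Type): not following the domain hierarchy (default is NT5DS)"
    }
    if ($isPdc -and $cfg.Type -eq 'NT5DS') {
        $out += 'PDC emulator follows the domain hierarchy: expected in a child domain, not at the forest root'
    }
    if ($isPdc -and $cfg.Type -eq 'NTP' -and -not $cfg.NtpServer) {
        $out += 'PDC emulator is set to manual peers but NtpServer is empty'
    }
    foreach ($name in 'MaxPos', 'MaxNeg') {
        $v = $cfg[$name]
        # 0xFFFFFFFF (accept any correction) may read back as -1 or 4294967295
        if ($v -lt 0 -or $v -gt $LimitSeconds) {
            $out += "${name}PhaseCorrection=$v is above the $LimitSeconds s limit"
        }
    }
    $out
}

# Constructed sample: a member server pinned to a manual peer, unbounded correction
$sample = @{ DomainRole = 3; Type = 'NTP'; NtpServer = 'serverA.example.test,0x1'
             MaxPos = -1; MaxNeg = -1 }
Test-TimeConfig $sample

# On a real machine:  Test-TimeConfig (Get-TimeConfig)
```

A domain member that reports Type NT5DS produces no hierarchy finding, whichever domain controller it happens to be using as its time source.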

