Re: Time Server Question - Please Help
- From: "Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx>
- Date: Fri, 2 May 2008 08:04:16 -0500
I would set both to the same external time source -AND- reset the others to
use the PDCe as their reliable time source.
A 3 - 4 minute time skew is bad but won't break Kerberos; the magic number
is 5 minutes. Make sure the time zones are properly set and have the proper
time. I have seen situations where the time zone is correct and people then
try to get the time to say the same all over the country, so they point to
themselves as the correct time when in fact it should have been hours
earlier or later. They would remote in, see the difference and think that
there was an issue, so anyway look for that if you cross time zones at all.
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"Darren King" <darren.king@xxxxxxxxxxxxxxxxxxx> wrote in message
news:uwwfM7DrIHA.4788@xxxxxxxxxxxxxxxxxxxxxxx
Thanks for the advice Al that makes sense.
To Al and Everyone,
The reason this has arisen is we have two 2003 Forest Domains with a two-way
Trust between them. A lot of the Trusted functionality is not working;
we suspect this to be because there is a 3-4 minute time difference
between the two forests.
The scenario below applies to one of the Forests; in this example I will
refer to it as Forest A. This Forest receives its time from an external
server from the Forest so we do not use the native time mechanism in
Active Directory.
Forest B is far more complex, with two DCs at the primary site (one being
the PDC Emulator) and several remote periphery sites with local DCs over
slow 10MB links. We would like Forest B to use the same external server
as Forest A to synchronise the time between the Forests. My concern is,
unlike Forest A, if you run a DCDIAG on one of the periphery domain
controllers they seem to be advertising as a time server themselves but
also using themselves as the preferred time server.
So I am concerned if we change the PDC Emulator to point at this external
server as Forest A is. Will this replicate to the other DCs and the hosts
if they are not using the PDC Emulator as their preferred time source?
Admittedly there is no time skew between the remote DCs and the PDC
Emulator.
If not, what would I need to do to ensure this happens? I am worried about
making this change in case it does not replicate to the rest of the domain
and causes logon problems. We planned to make the change tonight which
coincides with a Bank Holiday in which the domain is completely unused by
users for three days.
Any advice is greatly received.
Darren
"Al Mulnick" <amulnick_No_SPAM@xxxxxxxxxxx> wrote in message
news:u0d3J69qIHA.420@xxxxxxxxxxxxxxxxxxxxxxx
If you're using the native time mechanisms in Active Directory, you
*want* all domain controllers to advertise as a time server.
Consider it like this: if you place a DC in each of your LAN sites, you
don't want your authentication AND your time traffic to traverse the WAN.
The clients should get everything they possibly can from the same DC,
preferably the one in their high-speed connected site.
Al
"Darren King" <darren.king@xxxxxxxxxxxxxxxxxxx> wrote in message
news:OcPGLO6qIHA.5940@xxxxxxxxxxxxxxxxxxxxxxx
Dear All,
I have a Windows 2003 Native domain with three domain controllers. In
this example I will simply refer to them as DC1, DC2 and DC3.
DC1 was originally the PDC Emulator for the domain; after some rejuggling
of the FSMO roles the PDC Emulator role was transferred to DC2. After
running a DCDIAG I noticed that DC1 was still the preferred time server.
I have since changed time server related registry changes on DC2 to
match DC1 and stopped and started the time service on DC2 to reflect the
changes.
I have since run w32tm on DC1 to change the configuration on this
original PDC Emulator. Now when I run DCDIAG on any of the three DCs I
find DC2 is the preferred Time Server which is what I required.
My question is, though: DC1 and DC3 still advertise as Time Servers; is
this desirable? They do list DC2 as the preferred Time Server but it
would appear they advertise as Time Servers themselves still. Can this
cause issues? Or is it beneficial? If it isn't desirable can you
explain how I remove this feature from them so DC2 is the only Time
Server.
Regards,
Darren
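
The layout recommended in the reply at the top of this thread (each forest's PDCe on the same external source, every other DC following the domain hierarchy), with a check of measured offset against the 5-minute Kerberos limit. This is an added example, not part of the original posts; `time.example.net`, `dc-b1` and the sample lines are constructed placeholders.

```powershell
$ExternalSource = 'time.example.net'   # placeholder: the NTP source both forests will share
$KerberosLimit  = 300                  # seconds; the 5-minute limit cited in the reply

function Set-PdcExternalTime {
    # Run on the PDC emulator of each forest root domain.
    w32tm /config "/manualpeerlist:$ExternalSource" /syncfromflags:manual /reliable:yes /update
    w32tm /resync /rediscover
}

function Reset-DcToDomainHierarchy {
    # Run on every other DC (including a former PDCe): follow the domain
    # hierarchy instead of a manual peer or the local clock. The DC still
    # advertises as a time server for clients in its own site.
    w32tm /config /syncfromflags:domhier /reliable:no /update
    w32tm /resync /rediscover
}

function Get-OffsetSeconds {
    param([string[]]$StripchartLines)
    # Data lines from 'w32tm /stripchart ... /dataonly' look like '08:04:16, -187.4412345s';
    # header and error lines do not match and are skipped.
    foreach ($line in $StripchartLines) {
        if ($line -match '^\d{2}:\d{2}:\d{2},\s*([+-]?\d+\.\d+)s') {
            [double]::Parse($Matches[1], [Globalization.CultureInfo]::InvariantCulture)
        }
    }
}

function Test-Skew {
    param([string]$Computer, [string[]]$Lines)
    # Without -Lines, sample the remote clock live from this machine.
    if (-not $Lines) { $Lines = w32tm /stripchart "/computer:$Computer" /samples:3 /dataonly }
    $offsets = @(Get-OffsetSeconds $Lines)
    if ($offsets.Count -eq 0) { return "$Computer : no samples (unreachable or not serving time)" }
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    $state = if ($worst -ge $KerberosLimit) { 'OVER LIMIT' } else { 'within limit' }
    '{0} : worst offset {1:N1}s, limit {2}s -> {3}' -f $Computer, $worst, $KerberosLimit, $state
}

# Constructed sample: a DC roughly 3 minutes behind the machine running the check.
$sample = @('Tracking dc-b1 [placeholder].', '08:04:16, -187.4412345s', '08:04:18, -187.4398120s')
Test-Skew -Computer 'dc-b1' -Lines $sample
```

Run `Test-Skew` from a DC in one forest against the PDCe of the other, before and after the change, to confirm the cross-forest offset has closed.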