Re: Time Server Question - Please Help
- From: "Al Mulnick" <amulnick_No_SPAM@xxxxxxxxxxx>
- Date: Fri, 2 May 2008 09:06:19 -0400
Both your forests should, as much as possible, have their PDCe machines use
the same time source.
Trust issues aside, your forests, routers, switches, and other networking
equipment should have the same time wherever possible to ensure that time
skew is kept to a minimum. To accomplish that, often it is useful to
visualize your time sync process as a waterfall. The authoritative source
for the network is often external to the network (be sure it is reliable).
Once you have established that time synch process and made it reliable, your
devices should then use that to get their time synchronization. Everything
then "flows" down to the clients of those devices and so on until everyone
is in synch.
Active Directory makes this easier for you because much of that is built
into the domain model - the PDCe acts as the authoritative time source on
your network for Active Directory hosts. Non-PDCe domain controllers are
also clients of the PDCe using the NT5DS time protocol (Microsoft specific.)
Active Directory member computers are all clients of the time synch - it is
that important to them. Note that the hosts will not use the PDCe as their
preferred time source in all cases. They will use a DC in their site where
possible, and as I explained earlier that is exactly what you want to have
happen. You want the clients to be in synch with the DC to be in synch with
the PDCe to be in synch with a reliable time source. Network devices outside
of Active Directory would benefit from being synchronized as well and it is
very helpful to your apps and general network well being that you have
reliable time sources and synchronization for your networked equipment.
Makes reporting much easier too.
In your case, I think you should have the PDCe from forest/domains A and B
synch time from the same source. That should alleviate your time concerns
else highlight machines that are broken and need a closer look.
Al
"Darren King" <darren.king@xxxxxxxxxxxxxxxxxxx> wrote in message
news:uwwfM7DrIHA.4788@xxxxxxxxxxxxxxxxxxxxxxx
Thanks for the advice Al that makes sense.
To Al and Everyone,
The reason this has arisen is we have two 2003 Forest Domains with a two
way Trust between them. A lot of the Trusted functionality is not working
we suspect this to be because there is a 3-4 minute time difference
between the two forests.
The scenario below applies to one of the Forests in this example I will
refer to it as Forest A. This Forest receives its time from an external
server from the Forest so we do not use the native time mechanism in
Active Directory.
Forest B is far more complex with two DCs at the primary site (one being
the PDC Emulator) and several remote periphery sites with local DC's over
slow 10MB links. We would like Forest B to use the same external server
as Forest A to synchronise the time between the Forests. My concern is
unlike ForestA if you run a DCDIAG on one of the periphery domain
controllers they seem to be advertising as a time server themselves but
also using themselves as the preferred time server.
So I am concerned if we change the PDC Emulator to point at this external
server as Forest A is. Will this replicate to the other DCs and the hosts
if they are not using the PDC Emulator as their preferred time source?
Admittedly there is no time skew between the remote DC's and the PDC
Emulator.
If not what would I need to do to ensure this happens? I am worried at
making this change in case it does not replicate to the rest of the domain
and causes logon problems. We planned to make the change tonight which
coincides with a Bank Holiday in which the domain is completely unused by
users for three days.
Any advice is greatly received.
Darren
"Al Mulnick" <amulnick_No_SPAM@xxxxxxxxxxx> wrote in message
news:u0d3J69qIHA.420@xxxxxxxxxxxxxxxxxxxxxxx
If you're using the native time mechanisms in Active Directory, you
*want* all domain controllers to advertise as a time server.
Consider it like this: if you place a DC in each of your lan sites, you
don't want your authentication AND your time traffic to traverse the WAN.
The clients should get everything they possibly can from the same DC,
preferably the one in their high-speed connected site.
Al
"Darren King" <darren.king@xxxxxxxxxxxxxxxxxxx> wrote in message
news:OcPGLO6qIHA.5940@xxxxxxxxxxxxxxxxxxxxxxx
Dear All,
I have a Windows 2003 Native domain with three domain controllers. In
this example I will simply refer to them as DC1, DC2 and DC3.
DC1 was originally the PDC Emulator for the domain after some rejuggling
of the FSMO roles the PDC Emulator role was transferred to DC2. After
running a DCDIAG I noticed that DC1 was still the preferred time server.
I have since changed time server related registry changes on DC2 to
match DC1 and stopped and started the time service on DC2 to reflect the
changes.
I have since run w32tm on DC1 to change the configuration on this
original PDC Emulator. Now when I run DCDIAG on any of the three DC's I
find DC2 is the preferred Time Server which is what I required.
My question is though DC1 and DC3 still advertise as Time Servers is
this desirable??? They do list DC2 as the preferred Time Server but it
would appear they advertise as Time Servers themselves still. Can this
cause issues? Or is it beneficial? If it isn't desirable can you
explain how I remove this feature from them so DC2 is the only Time
Server.
Regards,
Darren
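The "waterfall" described in this thread can be checked mechanically. The sketch below is an added example, not code from any poster: it walks each domain controller's configured time source upstream and reports hosts that source from themselves, forests that end at different external roots, and offsets beyond a threshold. Host names, offsets and the 60-second threshold are constructed assumptions; in practice the inventory would be filled from each DC's reported source and measured offset.

```python
from dataclasses import dataclass

@dataclass
class Host:
    name: str
    forest: str
    source: str      # host or external server this machine syncs from
    offset_s: float  # measured offset from the chosen reference, in seconds

def root_of(name, hosts):
    """Walk source pointers upstream. Returns the external root, or None if
    the chain loops back on itself (including a host that sources itself)."""
    seen = set()
    while name in hosts:
        if name in seen:
            return None
        seen.add(name)
        name = hosts[name].source
    return name  # not in the inventory, so it is external to both forests

def audit(inventory, max_skew_s):
    """Return a list of findings; an empty list means one clean waterfall."""
    hosts = {h.name: h for h in inventory}
    findings, roots = [], set()
    for h in inventory:
        root = root_of(h.name, hosts)
        if root is None:
            findings.append(f"{h.forest}/{h.name}: no external root (self or loop)")
        else:
            roots.add(root)
        if abs(h.offset_s) > max_skew_s:
            findings.append(f"{h.forest}/{h.name}: offset {h.offset_s:+.0f}s")
    if len(roots) > 1:
        findings.append("multiple roots: " + ", ".join(sorted(roots)))
    return findings

# Constructed inventories (hypothetical names and offsets, not from the thread).
BEFORE = [
    Host("pdce-a", "A", "ntp-ext", 0.2),
    Host("dc-a2", "A", "pdce-a", 0.3),
    Host("pdce-b", "B", "ntp-other", 210.0),         # different external root
    Host("dc-b-remote", "B", "dc-b-remote", 211.0),  # prefers itself
]
AFTER = [
    Host("pdce-a", "A", "ntp-ext", 0.2),
    Host("dc-a2", "A", "pdce-a", 0.3),
    Host("pdce-b", "B", "ntp-ext", 0.1),             # same source as Forest A
    Host("dc-b-remote", "B", "pdce-b", 0.4),
]

if __name__ == "__main__":
    for line in audit(BEFORE, max_skew_s=60):
        print(line)
```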