Re: wrong time server

"RW" <RW@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:4F6734B0-0045-40C4-BFAB-AA4A3F875DDF@xxxxxxxxxxxxxxxx

I just found something that is interesting and applies to what you're seeing. Although I still suggest to setup your domain hierarchy as suggested in my blog. The net time command is weak. It is a foreground application and is not reliable. It does not query what the local machine's time service is set to use with the domain hierarchy. Net time is similar to the nslookup command, where it uses its own query methods independent of the local machine.

Also, the Windows time service, and this is according to Microsoft in their Time documentation (http://support.micorosoft.com/kb/939322), is not a reliable service that can sync up machines within a second or two and such tolerances are beyond the design of the Windows time service. If you have apps that require sensitive transactional processing with timing down to the second (possibly SEC, banking, or other reasons), it is suggested to use a third party time service.

So do not rely on what you are seeing with the net time command. It's rather useless trying to use it to find which server is the client's time service. Just know that the time server a client uses is always the logonserver.

Read more on this in the following link. Scroll down to "NET TIME with the /domain option requires the workstation to contact the PDC" for more info on what I was saying above:
http://www.greyware.com/software/DomainTime/Product/w32time.asp

As for the client, read the following quote. As long as sites are configured properly and the client logs on to a server in it's own site, you're good to go.

======
Time Convergence Hierarchy
(This section was quoted from KB224799)

All client desktops select an authenticating domain controller (the domain controller returned by DSGetDCName()) as their time source. If this domain controller becomes unavailable, the client re-issues its request for a domain controller.

All member servers follow the same process.

All domain controllers in a domain make 3 queries for a DC:
1. A reliable time service (preferred) in the parent domain,
2. A reliable time service (required) in the current domain,
3. The PDC of the current domain. It will select one of these returned DCs as a time source.

The PDC FSMO at the root of the forest is authoritative, and can be manually set to synchronize with an outside time source (such as the United States Naval Observatory).
=======

Ace



I do not see a problem with how sites are configured they are as follow:
SITE1 IPs 172.16.x.x DC1 an DC2 are in this site and have static IPs wihin
this subnet
SITE2 IPs 172.17.x.x DC3 is in this site and again static IP from this range

client phisically located in SITE1 gets IP from DHCP i.e. 172.16.10.1 but
shows DC3 as time source

what I noticed is that if I connect remotly from home via vpn and get IP
address from 172.16.x.x it shows DC2 as time source

I od not remember if I mentioned this but LOGONSERVER in both cases is DC1
so this is correct as far location where I am, if I'm in SITE1 and get IP
from 172.16.x.x range my closest DC is either DC1 or DC2 only time source is
wrong

any other ideas?

"Ace Fekay [MCT]" wrote:

"RW" <RW@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:02D6E9DD-B87E-4404-9263-74E89F98B970@xxxxxxxxxxxxxxx

> and by the way workstations are finding fine PDC when running "dsquery
> server
> -hasfsmo pdc" it is returning right server DC1
>
> any ideas?
>
> "RW" wrote:
>
>> I noticed something starange recently in our domain, we have total of >> 4
>> DCs
>> in our domain, 2 of them are in HQ and 1 in each remote location. HQ:
>> DC1,
>> DC2 remote loc 1: DC3 and remote loc 2: DC4
>> DC1 holds all FSMO roles including PDC Emulator, here is what's >> strange
>> if I
>> do "net time /domain:<our_domain_name>" I get "Current time at \\DC1 >> is
>> ..."
>> but if I do "net time" only without specifying domain name I get >> "Current
>> time at \\DC3 is ..." and next line "Local time <GMT-07:00> at \\DC3 >> is
>> ... "
>> and there 2 hours difference. This is happning regardless if I do this >> on
>> my
>> workstation, any server or PDC intself in HQ.
>> Time on workstations and servers is in synch but why would nodes from >> HQ
>> which is site in AD look for time server in different Ad site? time
>> service
>> on PDC is running, there is another DC2 server in same site so why it >> is
>> looking at DC3 which is in different AD site?

As Meinolf mentioned, your AD Sites would need to be configured properly,
with their respective IP subnet objects asssociated to their site, as well
as the servers manually (if needed) moved to their respective Sites.

Keep in mind, the authenticating DC for a client, will be it's time source.
That DC will get it's time source from the domain hierachy, meaning from the
PDC Emulator of its domain. If a child domain PDC Emulator, it gets its time
source from the forest root PDC Emulator. That's why it's imporatant to set
a reliable time source on the PDC Emulator in the forest root. Since you
have one domain, it's important to set one on your PDC Emulator.

But all in all, in summary, it appears AD Sites may not be configured
correctly that may be causing the issue you are seeing.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.




.

Relevant Pages

  • Re: Time server
    ... I'm getting a bit confused but, you have to be setting the time on the pdc ... Re-Enter external time source after port 123 is found to be open ... > and this server seems to be syncing externally fine. ... which provides the NIST Network Time service. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Windows Server 2003 Windows Time Sync
    ... You have to configure in the domain only the PDCEmulator for the external time source. ... a time service provider, the time service will correct itself. ... I have basically configured window time sync on each server to ...
    (microsoft.public.windows.server.general)
  • Re: system hangs- logging w32time errors
    ... Ethernet adapter Local Area Connection: ... the time service shouldn't create this kind of errors. ... The errors occur because you server has no external time ... With "peers" you can set the time source, ...
    (microsoft.public.windows.server.general)
  • Re: Windows Time Service: What if the PDC-role is moved?
    ... NTP - use the time source specified in the NtpServer Value ... I suggest using the w32tm command for modifying the time service parameters rather than directly modifying the registry entries. ... switch that takes priority and tells it to acquire NTP server info ... Doesn't he has to have the PDC DNS-name or IP-address in it? ...
    (microsoft.public.windows.group_policy)
  • Re: system hangs- logging w32time errors
    ... the time service shouldn't create this kind of errors. ... The errors occur because you server has no external time source setup. ... So if you have internet available you can choose an external time server and sync the time. ... With "peers" you can set the time source, either DNS name or an ip address from a reliable time source. ...
    (microsoft.public.windows.server.general)
Loading