Applies to Server 2003/2008. Not for Windows 2000.
Time is crucial in an Active Directory domain. If there is, for example, more than 5 minutes of offset between a DC and a client computer, the Kerberos protocol used for authentication will fail.
You may also see problems with AD replication if two DCs are out of time sync, since attributes that are changed are time stamped at the moment the change occurred. The time stamp is one of three mechanisms used to prevent replication/attribute conflicts.
When a user logs on to his/her workstation and authenticates, the computer synchronizes its time with the authenticating DC.
That DC, if it is not the PDCe role holder, synchronizes its time with the domain's PDCe role holder.
The PDCe holder should synchronize its time with a reliable external time source. You can find an NTP server close to you here.
If the DC holding the PDCe role dies, or the role is transferred or seized, you have to configure the time source on the new PDCe.
Configuring the external time source can be a mess, and maintaining it might be even messier.
The MS DS team made a blog entry about this some time ago, and I must say it's a really elegant approach!!
In short, they create a GPO, set an external time source, configure a WMI filter so the GPO only applies to the domain's PDCe role holder, and link the GPO to the Domain Controllers container.
Open the GPMC and create a new WMI filter:
Query: Select * from Win32_ComputerSystem where DomainRole = 5
Create a new GPO and set the external time source:
Computer Configuration/Administrative Templates/System/Windows Time Service/Time Providers/Configure Windows NTP Client
Set the NtpServer you prefer and change the Type to NTP.
Activate the WMI filter to this GPO:
and link the GPO to the Domain Controllers container:
To see how the DCs are synchronizing their time, run: w32tm /monitor
Here dc01test.spurs.local (the PDCe holder) uses its HW clock while dc4test.spurs.local is synchronizing with dc01test.
Restart the time service (net stop w32time && net start w32time) and force a Group Policy update (gpupdate /force, or wait 5 minutes).
Now the newly created GPO is applied and dc01test is synchronizing with the external time source.
You can also see this in the System Event log:
So what happens if I transfer the PDCe role from dc01test to dc4test?
I wait for 5 minutes (and run w32tm /monitor just to check):
As you can see, dc4test is now synchronizing with the external time source, while dc01test is synchronizing with dc4test.
You don't have to think about configuring the time source if the PDCe role is transferred.
You don't even have to clean up the old PDCe holder, as the registry doesn't get tattooed by this!!!
If you configure the time with a GPO, the registry settings will be located here:
If you don’t use a GPO, the settings will be set here:
The first one takes precedence over the second one.
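As an added example (not from the original post or the MS DS team's blog), here is a PowerShell check that ties the WMI filter condition (DomainRole = 5) and the registry precedence together: run it on a DC to see whether it is the PDCe, which W32Time configuration is in effect, and which source the service is actually using. It assumes the standard W32Time registry locations (policy key under HKLM\SOFTWARE\Policies, service key under HKLM\SYSTEM\CurrentControlSet\Services) and that it runs elevated on a 2008-era or newer DC where w32tm /query is available.

```powershell
# Added verification script, not part of the original post.
# Assumed (standard) W32Time registry locations: the policy key is written by the GPO,
# the service key holds the local (non-policy) configuration.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function Get-W32TimeConfig {
    # DomainRole 5 = primary domain controller, i.e. the PDCe; this is the same
    # condition the WMI filter on the GPO uses.
    $cs     = Get-CimInstance -ClassName Win32_ComputerSystem
    $isPdce = ($cs.DomainRole -eq 5)

    $policy  = Get-ItemProperty -Path $policyKey  -ErrorAction SilentlyContinue
    $service = Get-ItemProperty -Path $serviceKey -ErrorAction SilentlyContinue

    # The policy key takes precedence over the service key when the GPO has applied.
    if ($policy -and $policy.NtpServer) {
        $configFrom = 'GPO';   $ntpServer = $policy.NtpServer;  $type = $policy.Type
    } else {
        $configFrom = 'Local'; $ntpServer = $service.NtpServer; $type = $service.Type
    }

    [pscustomobject]@{
        ComputerName  = $cs.Name
        DomainRole    = $cs.DomainRole
        IsPdce        = $isPdce
        ConfigFrom    = $configFrom
        Type          = $type          # NT5DS = domain hierarchy, NTP = external source
        NtpServer     = $ntpServer
        # What the service is really using right now (same information as w32tm /monitor).
        CurrentSource = (& w32tm.exe /query /source 2>$null)
    }
}

$cfg = Get-W32TimeConfig
$cfg | Format-List

# The two misconfigurations this setup is meant to prevent:
if ($cfg.IsPdce -and $cfg.Type -ne 'NTP') {
    Write-Warning "PDCe is not using an external NTP source (Type=$($cfg.Type)); check the GPO and WMI filter."
}
if (-not $cfg.IsPdce -and $cfg.ConfigFrom -eq 'GPO') {
    Write-Warning "Non-PDCe DC received the PDCe time GPO; check the WMI filter (DomainRole = 5)."
}
```

Run it on each DC after a role transfer: the new PDCe should report ConfigFrom = GPO with Type = NTP, and the old one should fall back to Local with Type = NT5DS once Group Policy has refreshed.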