Configure the time

June 23rd, 2010

Applies to Server 2003/2008. Not for Windows 2000.

Time is crucial in an Active Directory domain. If there is, for example, more than a 5 minute offset between a DC and a client computer, the Kerberos protocol used for authentication will fail.

You may also see problems with AD replication if two DCs are out of time sync, since changed attributes are time stamped when the change occurs. The time stamp is one of three mechanisms used to resolve replication/attribute conflicts.

When a user logs on to his/her workstation and authenticates, the computer will synchronize its time with the authenticating DC.

This DC, if it is not the PDCe role holder, synchronizes its time with the domain's PDCe role holder.

The PDCe holder should synchronize its time with a reliable time source. You can find an NTP server close to you at pool.ntp.org (see the references).
If the DC holding the PDCe role dies and the role is transferred or seized, you have to configure the time source on the new PDCe.
Configuring the external time source can be a mess, and maintaining it might be even messier.

The MS DS team made a blog entry about this some time ago and I must say it’s a really elegant approach!!

In short, they create a GPO, set an external time source, configure a WMI filter so the GPO only applies to the domain's PDCe role holder, and link the GPO to the Domain Controllers container.

Open the GPMC and create a new WMI filter:

Query: Select * from Win32_ComputerSystem where DomainRole = 5

Create a new GPO and set the external time source:

Computer Configuration/Administrative Templates/System/Windows Time Service/Time Providers/Configure Windows NTP Client

Set NtpServer to the server you prefer and change Type to NTP.



Apply the WMI filter to this GPO:


and link the GPO to the Domain Controllers container:


To see how the DCs are synchronizing their time, run: w32tm /monitor


Here dc01test.spurs.local (the PDCe holder) uses its HW clock while dc4test.spurs.local is synchronizing with dc01test.

Restart the time service (net stop w32time && net start w32time) and force a Group Policy update (gpupdate /force, or wait 5 minutes).

Now the newly created GPO is applied and dc01test is synchronizing with the external time source.

You can also see this in the System Event log:

So what happens if I transfer the PDCe role from dc01test to dc4test?

I wait for 5 minutes (and run w32tm /monitor just to check):

As you can see, dc4test is now synchronizing with the external time source, while dc01test is synchronizing with dc4test.

You don't have to think about configuring the time source when your PDCe role is transferred.
You don't even have to clean up the old PDCe holder, as the registry doesn't get tattooed by this!
If you configure the time with a GPO, the registry settings will be located here:

HKLM\Software\Policies\Microsoft\Windows\W32time

If you don’t use a GPO, the settings will be set here:

HKLM\System\CurrentControlSet\Services\W32time

The first one takes precedence over the second one.
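As an added example (not from the original post or the askds article), this PowerShell script shows the same WMI test the filter uses, reads the effective NtpServer and Type values with the policy key taking precedence over the service key, and warns when a DC's settings do not match the PDCe design described above. It assumes the values are read from the Parameters subkeys of the policy and service W32time keys and is meant to be run in an elevated PowerShell on a DC.

```powershell
# Added example: check this DC's effective Windows Time client settings
# against the "GPO + WMI filter on the PDCe" design from the post.
# Assumed paths: the GPO writes its values under the policy key's
# Parameters subkey; the local values live under the service key's
# Parameters subkey. The policy key takes precedence.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32time\Parameters'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function Get-W32TimeValue {
    param([string]$Name)
    # Look in the policy key first, then fall back to the service key.
    foreach ($key in @($policyKey, $localKey)) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Name = $Name; Value = $item.$Name; Source = $key }
        }
    }
    return [pscustomobject]@{ Name = $Name; Value = $null; Source = 'not set' }
}

# Same query the WMI filter uses: DomainRole 5 = PDC emulator, 4 = other DC.
$role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
$type = Get-W32TimeValue -Name 'Type'
$ntp  = Get-W32TimeValue -Name 'NtpServer'

"DomainRole : $role"
"Type       : $($type.Value)  (from $($type.Source))"
"NtpServer  : $($ntp.Value)  (from $($ntp.Source))"

# Sanity checks for the design on this page.
switch ($role) {
    5 {
        if ($type.Value -ne 'NTP') {
            Write-Warning 'PDCe is not Type=NTP; the GPO may not have applied yet (gpupdate /force).'
        }
    }
    4 {
        if ($type.Source -eq $policyKey) {
            Write-Warning 'A non-PDCe DC has policy-based time settings; check the WMI filter on the GPO.'
        }
        if ($type.Value -ne 'NT5DS') {
            Write-Warning 'A non-PDCe DC should use Type=NT5DS to follow the domain hierarchy.'
        }
    }
    default { Write-Warning 'Not a domain controller; this check is meant for DCs.' }
}
```

Running it on each DC after a role transfer confirms that only the new PDCe picked up the policy values and that the old one fell back to NT5DS without any manual cleanup.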

References:

http://www.pool.ntp.org/en/

http://support.microsoft.com/kb/816042

http://blogs.technet.com/b/askds/archive/2008/11/13/configuring-an-authoritative-time-server-with-group-policy-using-wmi-filtering.aspx

  1. November 24th, 2010 at 15:56

    You, Sir, are AWESOME! Thank you for your great example.

  2. November 25th, 2010 at 14:37

    These instructions are easy to follow, and right on target. It was easy for me to set this up, and it works like a charm.

    Thank you for providing such a detailed and informative article on this subject!!! You have helped me learn a ton of concepts all with one post.

  3. January 24th, 2012 at 13:19

    Works and easy to implement.
    Thanks.
