Solved

Authoritative Time Server synchronizing to atomic clock

Posted on 2008-10-01
649 Views
Last Modified: 2012-05-05
I am trying to configure a time server in my domain that synchronizes to an external source (NIST Internet Time Servers). I have a Windows 2003 server environment with parent domain COMPANY.CORP and child domains countryA.COMPANY.CORP, countryB.COMPANY.CORP, and countryC.COMPANY.CORP.

I have learned from research that "the PDC operations master at the root of the forest becomes authoritative for the organization". The PDC operations master role is my DC for COMPANY.CORP, but I want to set up my DC for countryA.COMPANY.CORP as time server because I want clients in this domain ONLY to have the same time as the atomic clock in the US. Other countries should have their own times. The question is:

1.  Can I set up the DC for countryA.COMPANY.CORP that currently serves as PDC emulator for this child domain as the authoritative time server?

2.  If so, what would be the process to get this accomplished?
Question by:virtech
11 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22616216

> Other countries should have their own times

No....

Other countries have their own "Time Zones". Other countries do not have their own times.

That means that any authoritative time source, such as your atomic clock will have time that can apply to every host in the forest.

Given that time must be synchronised across the forest for successful Kerberos authentication I strongly recommend you apply a time infrastructure in the root domain. Have that synchronise with an external source to pass accurate time to child domains.

Chris

Author Comment

by:virtech
ID: 22616900
You suggest that the only way this setup would work is to have the root forest Domain Controller become the authoritative time server, correct?
LVL 71

Expert Comment

by:Chris Dent
ID: 22617681

It would work the other way, but considering the time has to be synchronised throughout the forest why split up the time infrastructure into separate domains?

It means making quite a lot of effort for no gain when you consider it should work as is.

In your position I would set the PDCe in the Forest Root to sync with pool.ntp.org (a large pool of authoritative time servers), then servers within the forest will sync with the root (itself as an authoritative time-source in that scope).

Chris

Author Comment

by:virtech
ID: 22618228
There is a 2-way transitive trust between child domains and parent domain. However, all domain authentication is handled by local DCs in each country. The AD of the parent domain has no users in it. No users log on to COMPANY.CORP; they all log in to their respective countries' child domains, i.e. countryA.COMPANY.CORP. Can the top parent domain be set up as time server when the DC does not authenticate the users? Would making the top parent domain the time server ensure time synchronization through the forest? For now the US domain has to have synchronization with the atomic clock. Would making the top parent domain DC the time server "change" client times in other countries?
LVL 71

Expert Comment

by:Chris Dent
ID: 22618348

> Can the top parent domain be set up as time server when the DC does not authenticate the users?

Yes, absolutely. That is one of the primary roles of the PDC Emulator role.

> Would making the top parent domain the time server ensure time synchronization through the forest?

Yes. Provided all systems communicate, but this is something that can be verified with w32tm.

> Would making the top parent domain DC the time server "change" client times in other countries?

Only if it isn't correct.

Bear in mind that it will modify the time as UTC, which will be offset on the client as appropriate for the local time zone (as it would if setting from an authoritative time source in the US only).

It is, in my opinion, something that should be addressed on an enterprise level rather than each domain. Even if each child domain is effectively autonomous the DCs must still communicate across the forest.

The hierarchy is best documented here (under "Time Synchronization in an Active Directory Hierarchy"):

http://technet.microsoft.com/en-us/library/cc773013.aspx

And in my opinion that's what you should look to achieve for a properly functional forest.

You can use an authoritative time source from anywhere in the world on the domain root. As long as the time is accurate on the source it will be accurate in the forest. That doesn't need to be in the US, but it can be if that's most appropriate. ntp.org has full lists of Stratum 1 and 2 time servers, as well as the "pool", which is a continually rotated / changed list of widely dispersed authoritative time servers.

Chris
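The following is an added example, not code from the thread or from Chris Dent. It puts the hierarchy he describes into W32Time commands: the forest-root PDC emulator syncs from pool.ntp.org and announces itself as a reliable source, every other DC and member follows the domain hierarchy, and a small check measures each host's offset from the root so you can confirm the forest is inside the Kerberos clock-skew tolerance before trusting it. Host names (ROOT-PDC, CHILD-PDC) and the domain name are placeholders; the w32tm switches used are the standard ones, and `w32tm /query` is deliberately avoided because it does not exist on Windows Server 2003.

```powershell
# Added example: W32Time hierarchy rooted at the forest-root PDC emulator.
# Placeholders: ROOT-PDC (forest-root PDCe), COMPANY.CORP (forest root domain).
# Run Set-RootTimeSource on the root PDCe, Set-DomainHierarchyTimeSource on
# child PDCes and members, and Test-TimeOffset from any host to verify.

function Set-RootTimeSource {
    param(
        # ",0x8" = client mode, which public pool servers expect
        [string[]]$Peers = @('0.pool.ntp.org,0x8', '1.pool.ntp.org,0x8', '2.pool.ntp.org,0x8')
    )
    $peerList = $Peers -join ' '
    w32tm /config /manualpeerlist:"$peerList" /syncfromflags:manual /reliable:yes /update
    # AnnounceFlags = 5 advertises this DC as a reliable time source to the rest of the forest
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config' `
                     -Name AnnounceFlags -Value 5 -Type DWord
    Restart-Service w32time
    w32tm /resync
}

function Set-DomainHierarchyTimeSource {
    # Child-domain PDCes and members: discard any manual peer and follow the domain hierarchy
    w32tm /config /syncfromflags:domhier /update
    Restart-Service w32time
    w32tm /resync
}

function Test-TimeOffset {
    param(
        [string]$Target = 'ROOT-PDC',      # placeholder: forest-root PDCe
        [int]$Samples = 5,
        [double]$MaxSkewSeconds = 300      # Kerberos default MaxClockSkew is 5 minutes
    )
    # /stripchart /dataonly prints one line per sample, e.g. "10:32:15, +00.0012345s"
    $lines = w32tm /stripchart /computer:$Target /samples:$Samples /dataonly
    $offsets = foreach ($l in $lines) {
        if ($l -match '([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "No samples returned from $Target" }
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    [pscustomobject]@{
        Target         = $Target
        MaxOffsetSec   = $worst
        WithinKerberos = ($worst -lt $MaxSkewSeconds)
    }
}

# Forest-wide view: one line per DC with its offset relative to this host
# w32tm /monitor /domain:COMPANY.CORP
```

Run Test-TimeOffset from a few members in each child domain; a host that reports WithinKerberos = False is the one that will start producing the authentication and replication errors described later in this thread, and `w32tm /monitor` will show which DC it is following.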

Author Comment

by:virtech
ID: 22619265
You are certainly looking like a genius...
LVL 71

Expert Comment

by:Chris Dent
ID: 22619300

As long as it helps ;)

Chris
LVL 4

Expert Comment

by:ThorSG1
ID: 22625992
I apologize if this is redundant; I did not read the other posts thoroughly.

You must be very careful when setting a time server. If your servers' time gets out of sync you will begin to see permission issues and replication issues. As they stated, you should probably only do this on the PDC Emulator.

This has happened to us in the past. Our servers' time was off from our Parent Domain and we saw weird errors happen. For example, the reporting server started asking for credentials when running a report. Users could not access other Exchange mailboxes sporadically.

But it is a good thing to set a server to sync with a time server.  We are using one of the NIST servers.

Author Comment

by:virtech
ID: 22626893
On parent domain COMPANY.CORP the operations master is my DC for that parent domain. On child domains I have local DCs serving as PDC emulators on those child domains. Most people have advised me to choose the operations master DC on the PARENT domain as time server even when users are authenticated by local DCs in their respective countries. As I understand (and this goes to Chris-Dent):

1.  Making parent domain DC time server should not mess with clients' times in their own countries.  If they are setup to country A's time they should keep their current local time, correct?

2.  Would you please point me to an article where the setup is explained ( I have read several ones but not sure yet)

Thanks.
LVL 71

Accepted Solution

by: Chris Dent (earned 500 total points)
ID: 22627336

As long as the PDCe's on each child domain sync time with the parent then all time will synchronise. The members of the child domain will be able to get time from any DC within their domain, pleasantly close to themselves.

For the time itself...

All updates are performed in UTC (Coordinated Universal Time - don't ask why it doesn't match up to the acronym). That's time before it has to think about adjustment for local time zones.

The time zone adjustment is performed on each client. That means that your computer could sync time with a server in Japan, and still have correct local time. Your computer simply takes the UTC value and applies the offset associated with your Time Zone.

Chris
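An added example (mine, not part of the accepted solution) that shows the UTC point concretely: one UTC instant rendered in several Windows time zones, and a skew calculation between two hosts whose wall clocks are nine hours apart. The zone IDs are standard Windows names; the timestamps are constructed sample values.

```powershell
# Added example: W32Time exchanges UTC; each host applies its own zone offset for display.

function Get-LocalTimes {
    param(
        [datetime]$Utc = [datetime]::UtcNow,
        [string[]]$ZoneIds = @('Eastern Standard Time', 'W. Europe Standard Time', 'Tokyo Standard Time')
    )
    $utcKind = [datetime]::SpecifyKind($Utc, [DateTimeKind]::Utc)
    foreach ($id in $ZoneIds) {
        $tz = [TimeZoneInfo]::FindSystemTimeZoneById($id)
        [pscustomobject]@{
            Zone      = $id
            LocalTime = [TimeZoneInfo]::ConvertTimeFromUtc($utcKind, $tz)   # same instant, different wall clock
            UtcOffset = $tz.GetUtcOffset($utcKind)
        }
    }
}

# Skew as Kerberos sees it: compare the two clocks after converting both back to UTC.
function Get-ClockSkewSeconds {
    param([datetime]$LocalA, [string]$ZoneA, [datetime]$LocalB, [string]$ZoneB)
    $tzA  = [TimeZoneInfo]::FindSystemTimeZoneById($ZoneA)
    $tzB  = [TimeZoneInfo]::FindSystemTimeZoneById($ZoneB)
    $utcA = [TimeZoneInfo]::ConvertTimeToUtc([datetime]::SpecifyKind($LocalA, 'Unspecified'), $tzA)
    $utcB = [TimeZoneInfo]::ConvertTimeToUtc([datetime]::SpecifyKind($LocalB, 'Unspecified'), $tzB)
    [math]::Abs(($utcA - $utcB).TotalSeconds)
}

Get-LocalTimes | Format-Table -AutoSize

# Constructed sample: 09:00 in New York (UTC-5 in December) and 23:00 in Tokyo (UTC+9),
# both on 2008-12-01. Wall clocks differ by 14 hours, UTC values are identical (14:00Z).
$skew = Get-ClockSkewSeconds -LocalA '2008-12-01 09:00' -ZoneA 'Eastern Standard Time' `
                             -LocalB '2008-12-01 23:00' -ZoneB 'Tokyo Standard Time'
"Skew in UTC: $skew seconds"   # 0: both clocks are correct; only the zone offset differs
```

If a country's clients show the wrong wall-clock time after the root PDCe is made authoritative, the cause is a wrong time zone setting on those clients, not the time source; the UTC value the hierarchy distributes is the same everywhere.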

Author Closing Comment

by:virtech
ID: 31502513
Very good
