Solved

Active Directory Time Issues, Help Explain?

Posted on 2008-10-23
2
184 Views
Last Modified: 2012-05-05
We experienced an issue this morning having to do with Active Directory and System Times.  The system clocks on several of our servers and many of our clients became off by a couple of hours, which started causing issues on their next reboots.  Everything is working now, and I think I have a handle on WHAT happened, but I am trying to understand WHY it happened and how to rpevent it in the future.  Please comment and let me know what you know and any advice you can share.

We have five domain controllers spread between four sites (A, B, C, D).  I will call the DCs A1, A2, B1, C1, D1 just to make it easy.  
The "1's" are all Global Catalogs, serve as DHCP and DNS servers for their sites.  
All of the Active Directory Roles are held by server A1 except for the PDC Emulator, which is held by server A2.

Server A2 went offline yesterday for no more than 15 minutes due to a power failure.  It dropped, and came back fine.  This happened yesterday late afternoon around 5pm.  After this happened, the clocks of a lot of the workstations shifted by an hour.  It was determined that server B2, which is at a different site in another time zone started handling time operations for the domain.  When this happened the servers, the clients, and exchange all went out of synch and no one could connect to Exchange.

So I guess I am trying to figure out why a DC in another site assumed time operations for the domain and not the other server in the same site as the failed server.  Also, how do I control who takes on the failover responsibility?  Can I point every DC to an outside time source, or should I only point the PDC Emulator to the outside?

Please elt me know your thoughts.

0
Comment
Question by:abillz
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 7

Expert Comment

by:Mikealcl
ID: 22787989
Normally you only point the PDC emulator to a NTP server and then AD takes care of the rest.

I was under the impression that AD passed the time in UTC/GMT format, then the client adjust based on its time settings locally.

http://technet.microsoft.com/en-us/library/bb727060.aspx





0
 
LVL 7

Accepted Solution

by:
maze-uk earned 250 total points
ID: 24969288
Windows Time Service Tools and Settings: http://technet.microsoft.com/en-us/library/cc773263(WS.10).aspx

the PDC in your root domain must be configured to use either its own clock, either an external source.
Configure the Windows Time service on the PDC emulator: http://technet.microsoft.com/en-us/library/cc786897(WS.10).aspx

The rest of your machines (clients and DC) must be configured to use the domain hierarchy: (that is clients to PDC, PDC to root PDC)
Configure a client computer for automatic domain time synchronization: http://technet.microsoft.com/en-us/library/cc758905(WS.10).aspx

Check that no firewall prevents the connection to port UDP 123 on DCs. Check also the port if you use an external source for your PDC.
0

Featured Post

[Webinar] Learn How Hackers Steal Your Credentials

Do You Know How Hackers Steal Your Credentials? Join us and Skyport Systems to learn how hackers steal your credentials and why Active Directory must be secure to stop them. Thursday, July 13, 2017 10:00 A.M. PDT

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question