Changing the Time on the PDC Emulator in Windows 2003

Posted on 2008-11-13
Last Modified: 2013-12-23

Simple question, we run 2 Domains A & B, they have 2 way trusts to link them together.

The time on Domain A is 7 minutes out of whack with the rest of the world and the time on Domain B is about 10 minutes out, and I want to correct it.  Not too fussed about having to set up an external time clock and am quite happy to manually update it every now and then.

Everything I read seems to be basically 'change the time on the PDC Emulator' and everything will be A OK.  However, I am a bit wary of this as I did a time change a few years back on a network running a Windows 2003 Domain (single Domain, no forest) last thing in the evening and the next day came back to authentication problems (users couldn't access folders) and replication problems (sysvol etc...).  Wound up rebooting every Domain Controller on the network.  May have been a coincidence but...

Has anyone actually changed the Time on the PDC Emulator, particularly in an environment with 2 Domains Trusting each other?

Question by:duncanjhamill
    LVL 7

    Assisted Solution


    You need to hook your PDC emulator up to an external time source, or run an internal time server which gets its time from an external time source; there are lots of them. It's important that all your DCs are looking at the same source, especially in a trust environment; Kerberos is a time-sensitive protocol.

    This article should give you a little background

    Personally I would allow your firewall for NTP outbound on port 123 UDP, or configure an internal time server

    either way you will need to allow 123.

    LVL 30

    Accepted Solution

    Don't just change the time on the PDCe manually - use the 816042 KB article to allow the PDCe to change its time gracefully in order to avoid authentication problems. I.e., if your PDCe is 7 minutes "off", the instructions in the KB will allow the PDCe to -gradually- correct its time to be in sync with an external provider or an internal time clock in order to allow the rest of the domain to remain in sync. If the PDCe suddenly goes more than 5 minutes skewed from the rest of the domain, no-one will be able to authenticate.
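
An added example (not part of the original answer) that checks the 5-minute limit mentioned above before any clock is touched. It parses the output of `w32tm /stripchart /computer:<host> /samples:3 /dataonly`, run from one machine against each DC and the time reference, and lists DC pairs that would end up more than 5 minutes apart if only one PDCe were stepped. Host names and sample output are constructed, and both domains are assumed to run fast.

```python
import re
from itertools import combinations
from statistics import median

KERBEROS_MAX_SKEW_S = 300  # the 5-minute limit cited in the accepted answer
REF = "ntp-ref.example"    # hypothetical reference clock

# /dataonly sample lines look like "09:15:02, +420.1234567s"; header lines and
# failed samples ("09:15:04, error: 0x800705B4") do not match and are skipped.
SAMPLE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}, ([+-]\d+\.\d+)s$")

def median_offset(stripchart_text):
    """Median offset in seconds between the measuring host and the target."""
    values = []
    for line in stripchart_text.splitlines():
        m = SAMPLE_RE.match(line.strip())
        if m:
            values.append(float(m.group(1)))
    return median(values) if values else None

def pairs_over_limit(offsets, limit=KERBEROS_MAX_SKEW_S):
    """Host pairs whose clocks differ by more than the limit. All offsets come
    from one measuring host, so their difference is the skew between targets."""
    return [(a, b) for a, b in combinations(sorted(offsets), 2)
            if abs(offsets[a] - offsets[b]) > limit]

def after_sync(offsets, hosts, reference=REF):
    """Offsets as they would be if `hosts` were set to the reference clock."""
    return {h: (offsets[reference] if h in hosts else o) for h, o in offsets.items()}

# Constructed w32tm output, keyed by hypothetical host name.
CAPTURED = {
    REF: "Tracking ntp-ref.example [192.0.2.1].\n09:15:02, +00.0100000s\n09:15:04, +00.0120000s\n",
    "pdc-a.domaina.example": "09:15:02, +420.1000000s\n09:15:04, error: 0x800705B4\n09:15:06, +420.3000000s\n",
    "dc2-a.domaina.example": "09:15:02, +419.8000000s\n09:15:04, +419.9000000s\n",
    "pdc-b.domainb.example": "09:15:02, +600.2000000s\n09:15:04, +600.4000000s\n",
}

def demo():
    """Return (DC pairs over the limit now, pairs over it if only pdc-a is stepped)."""
    now = {h: median_offset(t) for h, t in CAPTURED.items()}
    stepped = after_sync(now, {"pdc-a.domaina.example"})
    dcs_only = lambda d: {h: o for h, o in d.items() if h != REF}
    return pairs_over_limit(dcs_only(now)), pairs_over_limit(dcs_only(stepped))

if __name__ == "__main__":
    before, after = demo()
    print("DC pairs over the limit now:", before)
    print("DC pairs over the limit if only pdc-a is stepped:", after)
```

With this sample data the DCs are wrong against the reference but still within 5 minutes of each other, and stepping only Domain A's PDCe puts it outside the limit against both its own second DC and Domain B's PDCe.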

    Author Comment

    Thanks, will refer to the article and let you know when I have made the changes.
    LVL 38

    Expert Comment

    I found a little free utility that will synch your PDCe with an outside time server without opening up port 123 on your firewall. It uses the HTTP port.

    It is a little program called Symmtime. This program is already configured with a number of time sources to choose from and will synch your PDCe system clock with an outside time source. Some sources are .gov time servers.

    Symmtime was created by a group called Symmetricom. They manufacture time servers for huge domains and government services. I use their software to synch up to my time servers and it keeps my time right on target.

    Symmetricom has two FREE utilities that are VERY easy to install and set up. One is called LMcheck and the other is Symmtime. There is a third utility, which incorporates all these functions into one, called Domain Time II. It gets a little spendy though.

    Symmtime: (Free)


    Domain Time II: (Overview)
