Solved

Changing the Time on the PDC Emulator in Windows 2003

Posted on 2008-11-13
Last Modified: 2013-12-23
Hi,

Simple question, we run 2 Domains A & B, they have 2 way trusts to link them together.

The time on Domain A is 7 minutes out of whack with the rest of the world and the time on Domain B is about 10 minutes out and I want to correct it. Not too fussed about having to set up an external time clock and am quite happy to every now and then manually update it.

Everything I read seems to be basically 'change the time on the PDC Emulator' and everything will be A OK. However I am a bit wary of this as I did a time change a few years back on a network running a Windows 2003 Domain (single Domain, no forest) last thing in the evening and the next day came back to authentication problems (users couldn't access folders) and replication problems (sysvol etc...). Wound up rebooting every Domain Controller on the Network. May have been a coincidence but...

Has anyone actually changed the Time on the PDC Emulator, particularly in an environment with 2 Domains Trusting each other?

Thanks.
Question by:duncanjhamill
4 Comments
 
LVL 7

Assisted Solution

by:knightfox
knightfox earned 180 total points
ID: 22949103
yepp..

you need to hook your PDC emulator up to an external time source, or.. run an internal time server which gets its time from an external time source, time.windows.com, there are lots of them.. it's important that all your DCs are looking at the same, especially in a trust environment, Kerberos is a time sensitive protocol.

This article should give you a little background

http://support.microsoft.com/kb/816042

Personally I would allow your firewall for NTP outbound on port 123 UDP, or configure an internal time server

http://nts.softros.com/server.html

either way you will need to allow 123.

/Fox
0
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 195 total points
ID: 22950367
Don't just change the time on the PDCe manually - use the 816042 KB article to allow the PDCe to change its time gracefully in order to avoid authentication problems. I.e., if your PDCe is 7 minutes "off", the instructions in the KB will allow the PDCe to -gradually- correct its time to be in sync with an external provider or an internal time clock in order to allow the rest of the domain to remain in sync. If the PDCe suddenly goes more than 5 minutes skewed from the rest of the domain, no-one will be able to authenticate.
0
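An added example, not part of the original thread or the KB article: a small check that measures each domain controller's clock offset from an SNTP reply and lists host pairs further apart than the 5-minute Kerberos tolerance mentioned above. The host names, the SNTP replies and the direction of the 7- and 10-minute offsets are constructed assumptions, and the machine running the check is assumed to have the correct time.

```python
import struct

NTP_DELTA = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
KERBEROS_MAX_SKEW = 300  # the 5-minute tolerance cited in the answer above

def _encode(ts):
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    return struct.pack("!II", int(ts) + NTP_DELTA, int((ts % 1) * 2**32))

def _decode(raw):
    sec, frac = struct.unpack("!II", raw)
    return sec - NTP_DELTA + frac / 2**32

def clock_offset(reply, t1, t4):
    """Seconds the server clock is ahead (+) or behind (-) of the local clock.
    t1/t4: local send/receive times; t2/t3 come from the 48-byte SNTP reply."""
    if len(reply) < 48 or reply[0] & 0x07 != 4:   # mode 4 = server
        raise ValueError("not an SNTP server reply")
    t2, t3 = _decode(reply[32:40]), _decode(reply[40:48])
    return ((t2 - t1) + (t3 - t4)) / 2

def skewed_pairs(offsets, limit=KERBEROS_MAX_SKEW):
    """Host pairs whose clocks differ from each other by more than `limit` s."""
    names = sorted(offsets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if abs(offsets[a] - offsets[b]) > limit]

# --- constructed sample data (hypothetical hosts, not from the thread) ---
T1, RTT = 1226580000.0, 0.5   # local send time and round-trip time

def constructed_reply(offset):
    """Build the reply a server `offset` seconds off would send (sample input)."""
    stamp = _encode(T1 + RTT / 2 + offset)
    return bytes([0x1C, 2, 6, 0xEC]) + bytes(28) + stamp + stamp

def measure(true_offsets):
    return {h: clock_offset(constructed_reply(o), T1, T1 + RTT)
            for h, o in true_offsets.items()}

if __name__ == "__main__":
    # Assumption: both domains run slow, by 7 and 10 minutes respectively.
    now = measure({"pdce-A": -420, "pdce-B": -600, "member-A": -420})
    print("today:", now, skewed_pairs(now))
    # Assumed scenario: pdce-A is stepped to correct time, nothing else follows.
    after = {**now, "pdce-A": 0.0}
    print("after abrupt step:", skewed_pairs(after))
```

With these constructed offsets no pair is out of tolerance before the change, while stepping only one PDC emulator puts it more than 300 seconds away from both its own domain member and the trusted domain.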
 

Author Comment

by:duncanjhamill
ID: 22960370
Thanks, will refer to the article and let you know when I have made the changes.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22962990
I found a little free utility that will synch your PDCe with an outside Time server without opening up port 123 on your firewall. It uses the HTTP port.

It is a little program called Symmtime. This program is already configured with a number of time sources to choose from and will synch your PDCe system clock with an outside time source. Some sources are .gov time servers.

Symmtime was created by a group called Symmetricom. They manufacture time servers for huge domains and government services. I use their software to synch up to my time servers and it keeps my time right on target.

Symmetricom has two FREE utilities that are VERY easy to install and setup. One is called LMcheck and the other is Symmtime. There is a third utility, that incorporates all these functions into one, called Domain Time II. It gets a little spendy though.

Symmtime: (Free)
http://www.symmetricom.com/resources/downloads/symmtime/

LMcheck:
http://www.symmetricom.com/resources/downloads/lmcheck-software/

Domain Time II: (Overview)
http://dtdocs.ntp-systems.com/software/domaintime/instructions/tools/utils.asp
0
