• Status: Solved

W32Time. What is the correct time synchronization configuration for a Windows Server 2003 AD Domain?

Currently we have 2 domain controllers (with Exchange in Cluster configuration) at our headquarters. We have 5 additional domain controllers, one in each of our satellite offices, and all of our offices are interconnected with an MPLS network.

This is the configuration I think we should have for the time synchronization:
- All of the DCs should sync with the PDCe
- The PDCe should sync with time.windows.com

While I was reviewing our current configuration I noticed that the Default Domain Controllers Policy has 2 Windows Time Service parameters configured, namely:

Enable Windows NTP Client (Enable)
Configure Windows NTP Client (to a server that is not even in the domain)

Since this is clearly wrong, I proceeded to change Configure Windows NTP Client to point to our PDCe.

Now my questions:

From all that I have read, it looks like these two parameters in the Default Domain Controllers Policy should be disabled, should they? If not, what should be the correct configuration?

How can I change my configuration so that all my DCs sync their time with my PDCe?

How can I change my PDCe configuration so that it syncs with time.windows.com?
Asked by: AQNSYS
 
Americom Commented:
To configure your DC (PDCe) to get time from a reliable source, time.windows.com:
w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com

To reset the time service back to its default on your other DCs:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
0
 
Forrest Burris Commented:
This article will help you make your PDC an authoritative time server on your domain:

http://support.microsoft.com/kb/816042

This article will help you set up the desktops to point to the time server:

http://technet.microsoft.com/en-us/library/cc758905.aspx


0
 
AQNSYS (Author) Commented:
Hello,
What about this question:
From all that I have read, it looks like these two parameters in the Default Domain Controllers Policy should be disabled, should they?

Since this GPO is applying to all my DCs, this is overriding any other configuration. What should I do with this?
0
 
AQNSYS (Author) Commented:
Also,
Is the W32Time service, when configured to sync with an external source (i.e. time.windows.com), trying to use port 123?
My PDCe is behind a firewall.
0
 
Americom Commented:
You only need to enable the NTPServer on your PDCe, as it will get time from an external source.
The rest of the systems will get time from your PDCe; by default the parameter type is NT5DS, the NTPServer is disabled and the NTPClient is enabled, as it should be.
0
 
Americom Commented:
Yes, that must be opened from your internal network.
0
 
AQNSYS (Author) Commented:
Hi Americom,
Let me get this straight. Your recommendation is:

1. Disable the following parameters from the "Default Domain Controllers Policy"
   - Enable Windows NTP Client
   - Configure Windows NTP Client

2. Run the following command on my PDCe
w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com

3. To reset the time service back to its default on my other DCs:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time

Is that it?
0
 
Mike Kline Commented:
You can also go into the registry and enter in the info
http://www.windowsnetworking.com/articles_tutorials/Configuring-Windows-Time-Service.html
...see the section Synching to an External Time Source
KB816042 referenced above also has that info.
 
Thanks
Mike
0
 
Americom Commented:
I think the confusing part is that you are using GPO. There is no need to use GPO unless your environment is using a non-Windows time server internally. If you want to use GPO, it should be:
Enable Windows NTP Client should be Enabled
Configure Windows NTP Client should be Not Configured.
There is a 3rd one for NTPServer; this one is for your PDCe only. The PDCe is also a DC in the Domain Controller OU, which receives the GPO, and this could cause problems if you use GPO.
So, I suggest you try to disable and unlink your GPO, then make sure the following two are done:
I-- Run the following command on my PDCe
w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com

II-- To reset the time service back to its default on my other DCs:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time

Note: the second step is usually not needed and can be configured by just running these two commands:
w32tm /config /syncfromflags:DOMHIER /update
w32tm /resync

But if you want to be sure nothing else is configured unexpectedly, you can do the /unregister to trash the w32time key and create it with defaults by /register.
0
 
AQNSYS (Author) Commented:
Thanks Americom.

First let's get this straight, I DO NOT WANT TO USE A GPO for this. I'm bringing up the subject because I see that two of the parameters you mention are enabled in my current configuration (I do not know how this was enabled but it is), namely:
   - Enable Windows NTP Client
   - Configure Windows NTP Client

The third one is set to "not configured" (Enable Windows NTP Server)

Now according to your advice, since I do not want to use a GPO, this is what I'm going to do:

1. Disable the following parameters from the "Default Domain Controllers Policy"
   - Enable Windows NTP Client
   - Configure Windows NTP Client

2. Run the following command on my PDCe
w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com

3. To reset the time service back to its default on my other DCs:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time

Please let me know if you agree with these steps so that I can proceed. This is my production environment, so that is why I'm double checking everything; I don't want to rush and then get into a bigger problem with this configuration.

Thanks.
0
 
Americom Commented:
I agree with the above steps.
0
 
Americom Commented:
Also, the 3rd one was not configured for a reason, as it is manually configured for the PDCe only. Make sure this is enabled for the NTPServer.
0
 
AQNSYS (Author) Commented:
Hi Americom,
When you say the third one, I guess you mean the parameter "Enable Windows NTP Server" that is currently set to "not configured".

Please confirm if what you mean is that I have to enable this parameter on the PDCe only, and what the value of this parameter should be.

0
 
ChiefIT Commented:
I just wanted to add an easy way to synchronize your PDCe to an outside time source. You can use a little program called symmtime (designed and made free by Symmetricom, who makes time servers) to synchronize to an outside time source very easily.

Other than that little extra tidbit, I totally agree with what Americom has to say.
0
 
Americom Commented:
Yes, it's for PDCe to enable the NTPServer.
Also, you may consider what ChiefIT suggests above as well.
0
 
AQNSYS (Author) Commented:
Americom,
Thank you very much for your accurate and timely answers.
0
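
A read-only check for the end state this thread arrives at, as an added example that is not part of any post above: it reports whether a GPO is still setting the time source, whether the local Type matches the DC's role (NTP on the PDCe, NT5DS elsewhere), and on the PDCe whether the NTP server provider is enabled and time.windows.com answers over UDP 123. It assumes reg.exe and w32tm as shipped with Windows Server 2003; the script name and its "pdc" argument are made up for the example.

```batch
@echo off
rem Added example (not from the thread): read-only W32Time check for a DC.
rem Usage: checktime.cmd [pdc]    pass "pdc" when running on the PDC emulator.
rem The script name and the "pdc" argument are assumptions made for this example.
setlocal
set SVC=HKLM\SYSTEM\CurrentControlSet\Services\W32Time
set POL=HKLM\SOFTWARE\Policies\Microsoft\W32Time
set WANT=NT5DS
if /i "%~1"=="pdc" set WANT=NTP

echo == 1. Group Policy overrides ==
rem These values exist only while a GPO configures the Windows NTP Client.
reg query "%POL%\Parameters" >nul 2>&1
if errorlevel 1 goto nopolicy
echo WARNING: a GPO still sets the time source and overrides local settings:
reg query "%POL%\Parameters"
goto service
:nopolicy
echo OK: no policy values under %POL%\Parameters

:service
echo == 2. Local service settings, expected Type is %WANT% ==
reg query "%SVC%\Parameters" /v Type | find /i "%WANT%" >nul
if errorlevel 1 (echo WARNING: Type is not %WANT%) else (echo OK: Type is %WANT%)
reg query "%SVC%\Parameters" /v NtpServer

if /i not "%WANT%"=="NTP" goto hierarchy
echo == 3. PDCe only: NTP server provider and outbound UDP 123 ==
reg query "%SVC%\TimeProviders\NtpServer" /v Enabled | find "0x1" >nul
if errorlevel 1 (echo WARNING: NtpServer provider is not enabled) else (echo OK: NtpServer provider enabled)
rem Three NTP samples; a timeout error here usually means UDP 123 is blocked.
w32tm /stripchart /computer:time.windows.com /samples:3 /dataonly

:hierarchy
echo == 4. Offset of every DC relative to the PDCe ==
w32tm /monitor
endlocal
```

Run it after the GPO change has replicated and been applied (gpupdate /force on each DC), since the policy key is only cleared once the DC has processed the updated policy.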
