AQNSYS asked:

W32Time. What is the correct time synchronization configuration for a Windows Server 2003 AD Domain?

Currently we have 2 domain controllers (with Exchange in Cluster configuration) at our headquarters. We have 5 additional domain controllers, one in each of our satellite offices, and all of our offices are interconnected with an MPLS network.

This is the configuration I think we should have for the time synchronization:
- All of the DCs should sync with the PDCe
- The PDCe should sync with time.windows.com

While I was reviewing our current configuration I noticed that the Default Domain Controllers Policy has 2 Windows Time Service parameters configured, namely:

Enable Windows NTP Client (Enable)
Configure Windows NTP Client (to a server that is not even in the domain)

Since this clearly is wrong, I proceeded to change the Configure Windows NTP Client to point to our PDCe.

Now my questions:

From all that I have read, it looks like these two parameters in the Default Domain Controllers Policy should be disabled, should they? If not, what should be the correct configuration?

How can I change my configuration so that all my DCs sync their time with my PDCe?

How can I change my PDCe configuration so that it syncs with time.windows.com?
SOLUTION
Americom

This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.

This article will help you make your PDC an authoritative time server on your domain

http://support.microsoft.com/kb/816042

This article will help you set up the desktops to point to the time server

http://technet.microsoft.com/en-us/library/cc758905.aspx


AQNSYS (ASKER)

Hello,
What about this question:
From all that I have read, it looks like these two parameters in the Default Domain Controllers Policy should be disabled, should they?

Since this GPO is applying to all my DCs, this is overriding any other configuration. What should I do with this?

AQNSYS (ASKER)

Also,
Is the W32Time service, when configured to sync with an external source (i.e. time.windows.com), trying to use port 123?
My PDCe is behind a firewall.
SOLUTION
This solution is only available to members.

Yes, that must be opened from your internal network.

AQNSYS (ASKER)

Hi Americom,
Let me get this straight. Your recommendation is:

1. Disable the following parameters from the "Default Domain Controllers Policy"
   - Enable Windows NTP Client
   - Configure Windows NTP Client

2. Run the following command on my PDCe:
w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com

3. To reset the time service back to its default on my other DCs:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time

Is that it?

Mike Kline
You can also go into the registry and enter in the info
http://www.windowsnetworking.com/articles_tutorials/Configuring-Windows-Time-Service.html
...see the section Synching to an External Time Source
KB816042 referenced above also has that info.
 
Thanks
Mike
ASKER CERTIFIED SOLUTION
This solution is only available to members.

AQNSYS (ASKER)

Thanks Americom.

First let's get this straight: I DO NOT WANT TO USE A GPO for this. I'm bringing up the subject because I see that two of the parameters you mention are enabled in my current configuration (I do not know how this was enabled but it is), namely:
   - Enable Windows NTP Client
   - Configure Windows NTP Client

The third one is set to "not configured" (Enable Windows NTP Server).

Now according to your advice, since I do not want to use a GPO, this is what I'm going to do:

1. Disable the following parameters from the "Default Domain Controllers Policy"
   - Enable Windows NTP Client
   - Configure Windows NTP Client

2. Run the following command on my PDCe:
w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com

3. To reset the time service back to its default on my other DCs:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time

Please let me know if you agree with these steps so that I can proceed. This is my production environment, so that is why I'm double checking everything; I don't want to rush and then get into a bigger problem with this configuration.

Thanks.

I agree with the above steps.
Also, the 3rd one was not configured for a reason, as it is manually configured for the PDCe only. Make sure this is enabled for the NTPServer.

AQNSYS (ASKER)

Hi Americom,
When you say the third one, I guess you mean the parameter "Enable Windows NTP Server" that is currently set to "not configured".

Please confirm if what you mean is that I have to enable this parameter on the PDCe only and what should be the value of this parameter.

SOLUTION
This solution is only available to members.

Yes, it's for the PDCe to enable the NTPServer.
Also, you may consider what ChiefIT suggests above as well.

AQNSYS (ASKER)

Americom,
Thank you very much for your accurate and timely answers.
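
An added example, not part of any post in this thread: a Python check of each DC's effective W32Time settings against the setup discussed above (PDCe on a manual NTP peer, other DCs on the domain hierarchy), flagging GPO-written values that override local configuration. It assumes `reg query` output saved from each DC; the host names, the GPO peer and the sample output are constructed, and `NT5DS`/`NTP` are the standard W32Time `Type` values for domain-hierarchy and manual sync.

```python
import re

# Standard W32Time registry locations: GPO-written values and the service's own.
POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\Parameters"
LOCAL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters"

def parse_reg_query(text):
    """Parse `reg query` text output into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None and (m := re.match(r"\s+(\S+)\s+REG_\w+\s+(.*)$", line)):
            current[m.group(1)] = m.group(2).strip()
    return keys

def audit_dc(name, is_pdce, reg_text):
    """List deviations from the target setup: PDCe=NTP with a peer, other DCs=NT5DS."""
    keys = parse_reg_query(reg_text)
    policy, local = keys.get(POLICY, {}), keys.get(LOCAL, {})
    findings = []
    if policy:  # GPO values win over whatever w32tm /config wrote locally
        findings.append(f"{name}: GPO sets Type={policy.get('Type')}, "
                        f"NtpServer={policy.get('NtpServer')}; local settings are overridden")
    effective = {**local, **policy}
    want = "NTP" if is_pdce else "NT5DS"
    if effective.get("Type", "").upper() != want:
        findings.append(f"{name}: effective Type={effective.get('Type')}, expected {want}")
    if is_pdce and not effective.get("NtpServer"):
        findings.append(f"{name}: PDCe has no manual peer configured")
    return findings

# Constructed sample output; host names and the GPO peer are placeholders.
PDCE_REG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
    NtpServer    REG_SZ    time.windows.com
    Type    REG_SZ    NTP
"""
BRANCH_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\Parameters
    NtpServer    REG_SZ    ntp.example.invalid
    Type    REG_SZ    NTP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
    Type    REG_SZ    NT5DS
"""

if __name__ == "__main__":
    for finding in audit_dc("PDCE01", True, PDCE_REG) + audit_dc("BRANCH01", False, BRANCH_REG):
        print(finding)
```

A branch DC that still reports a policy-set `Type=NTP` after the GPO change has not yet picked up the new policy, so its local reset to the domain hierarchy is not in effect.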