• Status: Solved

Domain Computers not syncing time with PDC emulator.

Environment-
Windows 2003 R2 servers with Windows XP and Vista clients
Three Domain Controllers:
PDC1 - PDC and all primary FSMO roles on primary subnet - VMware
DC2 - Secondary DC on primary subnet - VMware
DC3 - Secondary DC on small secondary subnet - Physical Server

Recent Problem-
The time on the domain over the past month crept from 1 to 5 minutes faster
than real time.  The time on PDC1 and DC2 was correct.  The time on DC3 was
incorrect by 5 mins.  When I ran the NET TIME command on PDC1, it showed the
time source to be DC3.  I manually changed the time on DC3.  I ran the
command on all PCs and servers - NET TIME /SYNC /PDC1 /YES on PDC1.  Time
on the domain computers then returned to normal.

Even though DC3 is attached to a smaller secondary subnet, when you run the command
NET TIME on all PCs and servers that are attached to the primary subnet, the result shows
the time from DC3.

When you run the following command:
w32tm /query /source
on all Vista PCs that are attached to the primary subnet, the result shows the
time from DC3.
How do you suggest troubleshooting this problem?  I would feel better
knowing that PDC1 is the time source for the domain.
We had already followed the suggestions in KB 816042 about a year ago and had not had any time issues until this one.  DC3 is about 4 months old.

W32Time Background-
On the Time GPO, the following is set:
Computer Configuration
  Administrative Templates
    System
      Windows Time Service
        Time Providers
          Configure Windows NTP Client
            Listed there were the following:
              NtpServer - set to - PDC1.Domain.com
              Type - set to - NTDS5
Asked by: jenningsnet

1 Solution

debuggerauCommented:
how about setting it for the whole domain:

NET TIME /DOMAIN:<DOMNAME> /SET /y
debuggerauCommented:
and set the DC properly..
http://support.microsoft.com/kb/314054
AmericomCommented:
PakaCommented:
Time synchronization gets kinda weird with VMware.  Here's what I would do:

1) Remove your time group policy

2) Go to each machine (or push via script) and type:
net stop w32time
w32tm /unregister (you might have to run this twice if you get a permissions message)
w32tm /register
net start w32time

3) On your PDC Emulator and DC2:
Use the VMware tools to synchronize time to the VMware host - alternatively (on just the PDCE - not on DC2) type:
net time /setsntp:time.nist.gov

4) On your firewall:
Open port 123

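The reset-and-reconfigure sequence above, as an added PowerShell example that is not part of the thread or of any Microsoft documentation. It makes explicit the part the steps leave implicit: which host holds the PDC emulator role is looked up rather than hard-coded, the PDCe gets the manual upstream peer and is marked reliable, and every other DC is put back on the domain hierarchy instead of a manual peer. `time.nist.gov` is only the server named in step 3 and stands in for your own upstream servers; the script is assumed to run elevated on each DC and to be able to resolve the host's own FQDN in DNS.

```powershell
# Added example (not from the thread): reset W32Time, then configure it by role.
# Assumptions: run elevated on each DC; 'time.nist.gov' is only the upstream the
# thread mentions, substitute your own; the host's FQDN must resolve in DNS.
$ExternalPeers = 'time.nist.gov,0x8'   # ",0x8" = client mode, normal polling interval

function Get-PdcEmulator {
    # .NET directory call: works on 2003-era PowerShell without the AD module.
    [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
}

function Reset-W32Time {
    # /unregister deletes the whole W32Time registry key (which is why a manual
    # Enabled=0 under TimeProviders\NtpServer comes back as 1 afterwards);
    # /register recreates the defaults, Type=NT5DS on a domain member.
    & net stop w32time   | Out-Null
    & w32tm /unregister  | Out-Null
    & w32tm /unregister  | Out-Null   # repeated: the first run can fail with a permissions message
    & w32tm /register    | Out-Null
    & net start w32time  | Out-Null
}

function Set-W32TimeByRole {
    $me  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $pdc = Get-PdcEmulator
    if ($me -eq $pdc) {
        # Top of the hierarchy: manual upstream peers, advertised as reliable so
        # the other DCs select this host during their NT5DS peer discovery.
        & w32tm /config /manualpeerlist:"$ExternalPeers" /syncfromflags:manual /reliable:yes /update
    } else {
        # Every other DC: follow the domain hierarchy (Type=NT5DS) and do not
        # advertise as a reliable source, so members prefer the PDCe chain.
        & w32tm /config /syncfromflags:domhier /reliable:no /update
    }
    & w32tm /resync /rediscover | Out-Null
    Write-Host "PDC emulator: $pdc    this host: $me"
    & w32tm /query /source    # Vista/2008 and later; on 2003 read System log events 35/37 instead
}

Reset-W32Time
Set-W32TimeByRole
```

Because the role is looked up at run time, the same script can be re-run after the PDCe role is transferred or seized and the old and new holders swap configurations. One caveat on step 3: VMware's own timekeeping guidance is to steer a guest clock with one mechanism, so a DC that is synchronised by VMware Tools should not also be pulling from W32Time peers (and vice versa), and the ESX host itself needs to be on a good NTP source, as Paka notes later in the thread.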
jenningsnetAuthor Commented:
Sorry for the late update, dealing with other network issues at the time.
Americom,
Looking at the thread you provided. We thought maybe disabling the NTP server on the non-PDCe DC would accomplish what we are trying to do.  We edited this registry setting
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
Enabled set to 0 from 1, thinking that if the other DCs were not running the NtpServer they would not give out time.  This setting automatically changed back to 1.  The GPO is disabled as well.
Paka,
We are using the VMware tools to synchronize time to the host.
The time on all servers and workstations is synced at this time.  We just want to make sure that the PDCe is the authoritative time server.
On a Windows 2003/XP machine, is there a way to determine where the machine received its time information?

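The 2003/XP question just asked, together with the NET TIME versus `w32tm /query /source` results in the original post, as an added PowerShell example (not from the thread). `w32tm /query` exists only on Vista/2008 and later; on 2003/XP the same facts come from the registry (how the client is configured: `Type` is `NT5DS` for the domain hierarchy, `NTP` for a manual peer list) and from W32Time events 35 and 37 in the System log (which peer the service last synchronised with). The host names are placeholders, and the script assumes remote registry and event-log access as a domain admin.

```powershell
# Added example (not from the thread): report, per host, how W32Time is
# configured and which peer it actually used. Host names are placeholders.
$Computers = 'PDC1', 'DC2', 'DC3', 'VISTA-WS01', 'XP-WS01'

function Get-W32TimeSource {
    param([string]$Computer)
    $r = New-Object PSObject -Property @{
        Computer = $Computer; Type = $null; NtpServer = $null
        NtpServerProviderEnabled = $null; CurrentSource = $null; LastSyncEvent = $null
    }

    # 1) Configuration (all versions). Parameters\Type: NT5DS = domain hierarchy,
    #    NTP = manual peers (NtpServer is only consulted then).
    #    TimeProviders\NtpServer\Enabled is the value the asker tried to set to 0.
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
        $p = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\W32Time\Parameters')
        $r.Type      = $p.GetValue('Type')
        $r.NtpServer = $p.GetValue('NtpServer')
        $s = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer')
        $r.NtpServerProviderEnabled = $s.GetValue('Enabled')
    } catch { $r.Type = "registry error: $($_.Exception.Message)" }

    # 2) Vista/2008 and later: ask the service directly for the peer in use.
    $out = & w32tm /query /computer:$Computer /source 2>&1
    if ($LASTEXITCODE -eq 0) { $r.CurrentSource = ([string]($out | Select-Object -Last 1)).Trim() }

    # 3) 2003/XP have no 'w32tm /query'; the System log still records the peer:
    #    event 35 = "now synchronizing the system time with the time source X",
    #    event 37 = "NtpClient is currently receiving valid time data from X".
    try {
        $ev = Get-EventLog -LogName System -Source W32Time -ComputerName $Computer -Newest 300 |
              Where-Object { $_.EventID -eq 35 -or $_.EventID -eq 37 } |
              Select-Object -First 1
        if ($ev) { $r.LastSyncEvent = "$($ev.TimeGenerated) [$($ev.EventID)] $($ev.Message)" }
    } catch { $r.LastSyncEvent = "eventlog error: $($_.Exception.Message)" }

    $r
}

$Computers | ForEach-Object { Get-W32TimeSource $_ } |
    Format-Table Computer, Type, NtpServer, NtpServerProviderEnabled, CurrentSource, LastSyncEvent -AutoSize -Wrap
```

A member with `Type = NT5DS` and a recent event 35/37 naming DC3 is following the domain hierarchy and has simply chosen DC3 as its peer; a member with `Type = NTP` is ignoring the hierarchy and using whatever `NtpServer` holds. Note that NET TIME by itself queries whichever domain time server the Workstation service locates and is not a readout of W32Time's source; the event log, the registry and (where available) `w32tm /query /source` are.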
AmericomCommented:
You should be able to change that 1 to 0. Not sure why you get the 1 back. I suggest you run the Group Policy Modeling Wizard or GPResult to find out what GPOs are linked to the domain controller OU. From that look through the GPOs and see if there's any configured that setting.
jenningsnetAuthor Commented:
I ran a GPResult and there are no settings that affect the time service.  It changes back to a 1 when running a w32tm /unregister then /register.  Could that cause this to return to a 1?
AmericomCommented:
Yes, if you ran those w32tm switches, it will delete everything under the w32tm key and recreate it, and 1 is the default.  So it's not from GPO.  I thought you changed the 1 to 0 manually via the registry.  But if you manually change it via the registry to 0, it should stay 0.  But you do not need to make this change, as all your clients in the domain get the time from the PDCe by default when w32tm > Parameters > Type is set to NT5DS, which it should be as that's the default.
AmericomCommented:
A slight correction of the comment I made above.
In an AD domain environment, DCs will automatically synchronize with the DC serving as PDCe, and domain members will synchronize with the DC authenticating them.  This means all client members should eventually have the same time as the PDCe.
jenningsnetAuthor Commented:
Thanks Americom, I think this has solved our problem.  One last question.  With this setup, having only the PDCe as a time server, do you think this is an appropriate way of configuring our system?  What are the possible problems if our PDCe were to go down and no other time server is available?  Thanks again for your help with this.
AmericomCommented:
This should be appropriate.  Your PDCe is expected to be up and running at all times; if for whatever reason it has to be taken offline for maintenance, or even a temporary crash, even with downtime of a few hours, it is not going to be a problem.  After all, client members in the domain can still sync with the other DCs, and DCs or even client PCs do not usually drift the time by hours; even if they did, it would probably be a drift of tens of milliseconds.  Clients can log on to the domain as long as their time is within 5 minutes or less.  Some applications may be more sensitive to time sync, but if the PDCe is going to be offline for a few hours, then the PDCe role can easily be transferred to another DC before doing any maintenance.  If the PDCe failed permanently or was offline for an unacceptable duration, you can seize the role to another DC using ntdsutil:  http://support.microsoft.com/kb/255504
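A drift audit against the PDCe, added here as an example that is not part of the thread. The five-minute figure above is the default Kerberos clock-skew tolerance, and the 5-minute error on DC3 in the original post was sitting right at it. The script uses `w32tm /stripchart`, which exists on 2003 and later; it measures every host against the local clock and subtracts the PDCe's own offset, so each reported figure is that host relative to the PDCe regardless of where the script runs. The host names and the 300-second threshold are assumptions.

```powershell
# Added example (not from the thread): measure each host's clock against the
# PDC emulator and flag anything near the Kerberos tolerance.
# Assumptions: placeholder names; 300 s = default Kerberos MaxClockSkew.
$Reference      = 'PDC1.domain.com'   # placeholder for the PDCe FQDN
$Targets        = 'DC2', 'DC3', 'VISTA-WS01', 'XP-WS01'
$MaxSkewSeconds = 300

function ConvertFrom-StripchartLine {
    # Data lines look like "13:05:12, +00.0012345s"; returns the offset in
    # seconds, or $null for header/error lines such as "error: 0x800705B4".
    param([string]$Line)
    if ($Line -match ',\s*([+-]\d+\.\d+)s') { return [double]$Matches[1] }
    $null
}

function Get-ClockOffset {
    # Median of a few samples of (target clock - local clock) as w32tm reports it;
    # the median discards the odd spike from a slow first RPC/UDP round trip.
    param([string]$Computer, [int]$Samples = 5)
    $lines = & w32tm /stripchart /computer:$Computer /samples:$Samples /dataonly 2>&1
    $vals = @($lines | ForEach-Object { ConvertFrom-StripchartLine ([string]$_) } |
              Where-Object { $null -ne $_ } | Sort-Object)
    if ($vals.Count -eq 0) { return $null }   # unreachable, or UDP 123 blocked on the way
    $vals[[int][math]::Floor($vals.Count / 2)]
}

$ref = Get-ClockOffset $Reference
foreach ($t in $Targets) {
    $off = Get-ClockOffset $t
    if ($null -eq $ref -or $null -eq $off) { "{0,-12} unreachable" -f $t; continue }
    $vsPdc = $off - $ref    # both are relative to this host, so the difference is target vs PDCe
    $abs   = [math]::Abs($vsPdc)
    $flag  = if ($abs -gt $MaxSkewSeconds) { 'OVER KERBEROS SKEW' } elseif ($abs -gt 1) { 'drifting' } else { 'ok' }
    "{0,-12} {1,10:+0.000;-0.000}s vs PDCe  {2}" -f $t, $vsPdc, $flag
}
```

Run it from any domain host before and after a reconfiguration, and again after the PDCe has been transferred or seized: a host reported as `drifting` that does not converge within a few polling intervals is still following a peer other than the PDCe chain, and a host that reads `unreachable` when the others do not usually means UDP 123 is blocked between the two.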
AmericomCommented:
BTW, just some more info, the loss of the PDC emulator master affects network users. Therefore, when the PDC emulator master is not available, you may need to immediately seize the role. Especially if the current PDC emulator master will be unavailable for an unacceptable length of time and if it contains Windows NT backup domain controllers, seize the PDC emulator master role to the standby operations master. When the original PDC emulator master is returned to service, you can return the role to the original domain controller.
PakaCommented:
Which VMware are you using?  If you are using ESX with HA and DRS, your PDCe should have pretty high availability.  If you're running ESXi or Server, you should be able to perform fast PDCe backups and restores so your PDCe should be recoverable in just minutes.

You will also need to ensure that your VMware host is getting time from a good NTP timesource.  See:
http://www.planetmy.com/blog/how-to-install-and-configure-ntp-on-vmware-esx-host/

(If you're running VMware server, then just make sure its host is properly configured.)

To summarize, it sounds like you are using VMware tools to synchronize PDC1 and DC2, and DC2 is on your primary subnet.  If that's the case and PDC1 went down, the majority of your clients would authenticate with DC2.  Since DC2 is getting its time from VMware tools (and the VMware host is getting its time from a good NTP source), the majority of your workstations would still receive a good timesync.  In this case though, DC3 and its clients would drift until PDC1 was restored.

To cover this situation, you might consider manually configuring DC3 to sync from DC1 and then to DC2.  To do so, open a command prompt on DC2 and type:
net time /setsntp:"PDC1.domain.com dc2.domain.com"
jenningsnetAuthor Commented:
Thanks Americom for your help on this issue.