Solved

how can I fix the Domain/network time

Posted on 2010-08-25
Last Modified: 2012-05-10
Do you know of a secure and accurate way of fixing the time on my Domain (2003 Server AD)? All workstations (XP SP 3) are showing 7 minutes behind the actual time. Is there a trustworthy time source that I can point my domain to?
Question by:ygatica
11 Comments
 
LVL 6

Expert Comment

by:ob1_
ID: 33523856
Here are some lists of internet time servers: http://support.microsoft.com/kb/262680/en-us
You can use the net time command to sync your PCs with your DC.
0
 
LVL 6

Expert Comment

by:jkratzer
ID: 33523865
You can use any number of ntp servers.

Check out http://support.ntp.org/bin/view/Servers/NTPPoolServers for a few.

I personally use ntp.nasa.gov
0
 
LVL 3

Accepted Solution

by:
petelettin earned 250 total points
ID: 33523933
There are NTP pools on the internet that you can point your time services at.

You need to point your AD controllers at one.

e.g.
query the current settings:
net time /querysntp

net time /setsntp:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org"

As I think you're in the US, use net time /setsntp:"0.us.pool.ntp.org 1.us.pool.ntp.org 2.us.pool.ntp.org"

You may also need to allow NTP through your firewall.
NTP uses UDP port 123.

Pete :-)
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33523969
The first thing is to make sure time is set up properly; take a look at Matt's (tigermatt on this site) great blog entry:

http://tigermatt.wordpress.com/2009/08/01/windows-time-for-active-directory/

NIST has good clocks http://tf.nist.gov/tf-cgi/servers.cgi

Navy clocks are also widely used  http://tycho.usno.navy.mil/ntp.html

You can also sync time again using   w32tm /resync /rediscover

The key is to set the PDC emulator to sync and let the Windows time hierarchy take over from there.

Thanks

Mike

0
 

Author Comment

by:ygatica
ID: 33523997
My current SNTP value is time.windows.com,0x1 but the firewall point seems to make sense, since I got a firewall change a few months ago and no settings were made for this. Probably this is the reason why my time is off. Do you think?
0
 
LVL 2

Expert Comment

by:dandickens
ID: 33524087
mkline71 is correct. I would recommend following his instructions first to ensure the DC's NTP is set up correctly. I would also stress ensuring the DC's DNS is configured correctly.

I am wary about your firewall causing this issue. If it was blocked, the DC would have an incorrect time, but your workstations would as well (since they are supposed to be syncing time from it).

I had a recent issue where my DC was not using itself as the primary DNS entry.

When you run w32tm /resync /rediscover on the DC, do you get an error?
0
 
LVL 3

Expert Comment

by:petelettin
ID: 33524437
The workstations set their time from the Windows domain servers.


The cmd above, w32tm /resync /rediscover, is also a method to set the time service and is the only way with Server 2008.

Look in the error log for messages relating to w32tm; this will tell you if it is connecting to the time server.

I don't know what you use for a firewall, but if you're as a**l as me, everything is blocked going out except for the services I want to use.

Look in the firewall log for NTP or the ADC's IP address.


Pete :-)
0
 

Author Comment

by:ygatica
ID: 33525665
Thank you for the great advice from all of you. I will take everything into consideration. My firewall is actually blocking everything out/in. I have specific rules for each service that I use, but for some reason I forgot to set a rule for NTP traffic.
Thanks
0
 
LVL 3

Expert Comment

by:petelettin
ID: 33526580
If you add a rule allowing your PDC NTP access, the time service will sort itself out in a very short time.

As it's 7 minutes out, it might not jump in 1 big step but take a couple of shorter steps over an hour or so.

I'm quite over the top with time services here. I have a pool of 5 Linux NTP time servers and a couple of Apple servers which get their times from some internet servers with atomic clocks. They work together to get an average time.

My network switches and 150+ servers of differing flavours get their times from these. Likewise the workstations get their times from the servers.

Pete :-)
0
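
The diagnosis and fix discussed in this thread, collected into one batch file as an added example (not part of any poster's reply): it confirms that UDP 123 reaches the external peers before pointing the PDC emulator at them. The peer list is an assumption taken from the pool names suggested above, and using `w32tm /config` instead of `net time /setsntp` is a choice made for this example.

```bat
@echo off
rem Added example: run on the domain controller that holds the PDC emulator role.
rem PEERS is an assumption; substitute the time sources you have chosen to trust.
setlocal
set PEERS=0.us.pool.ntp.org 1.us.pool.ntp.org 2.us.pool.ntp.org

rem 1. Confirm which DC holds the PDC emulator role. Only that DC should
rem    sync externally; every other DC and workstation follows the domain hierarchy.
dsquery server -hasfsmo pdc

rem 2. Show what the time service is currently pointed at.
net time /querysntp

rem 3. Measure the offset against each peer WITHOUT changing the clock.
rem    Offsets printed      = UDP 123 is getting through the firewall.
rem    Only error lines     = outbound NTP is blocked, or the name does not resolve.
for %%P in (%PEERS%) do (
    echo === %%P ===
    w32tm /stripchart /computer:%%P /samples:3 /dataonly
)

rem 4. Point the Windows Time service at the external peers and apply the change.
w32tm /config /manualpeerlist:"%PEERS%" /syncfromflags:manual /update

rem 5. Force a fresh sync, as suggested earlier in the thread.
w32tm /resync /rediscover

rem 6. Compare the clocks of all DCs in the domain with the PDC emulator.
w32tm /monitor

rem 7. Afterwards, check the System event log for entries from the W32Time
rem    source, and the firewall log for UDP 123 traffic from this DC's address.
endlocal
```

If step 3 prints only errors, fix the firewall rule first: allow outbound UDP 123 from the PDC emulator's address only, not from the whole network.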
 
LVL 38

Expert Comment

by:ChiefIT
ID: 33528812
There is malicious code that looks for port 123 UDP.

Instead, you might consider a web-based time service that still uses those clocks. Try SymmTime from Symmetricom. It uses port 80 for time. The only computer you should need it on is the PDCe of your domain. The rest should synch up to that DC.
0
 

Author Comment

by:ygatica
ID: 33639676
After trying all the suggestions I believe that this is the one that fits my issue

thanks to all for your advice
0
