• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 924
  • Last Modified:

Changing Domain Controller time

Hi All,

I have a single forest single domain structure with 70 domain controllers throughout different locations. There are more than 10000 clients in the domain. It has been observed that the DC's are running 6 mins late than the usual time and due to which some critical application are facing problems. I need to achieve the below mentioned things.

1. Need to explain why the time is deffered to the management
2. Need to correct the issue but I think I cannot do it in one day because kerberos time skew issue might occur as it is more than 5 mins.

Thanks and Regards
3 Solutions
Mike KlineCommented:
The first thing I'd do is go through the following blog entries on time
 http://blogs.dirteam.com/blogs/jorge/archive/2010/09/27/configuring-and-managing-the-windows-time-service-part-1.aspx  This is a four part series so the other parts are there on Jorge's blog
Check to make sure your time is setup properly.  Since it is a single forest/domain your PDCe should be set to configure with an external/reliable source and then the time hiearchy shoudl take over from there.
Darius GhassemCommented:
You would need to setup your current PDC emulator to get it's time from an external time source.

TigerMatt has a great article on this. http://tigermatt.wordpress.com/2009/08/01/windows-time-for-active-directory/

Once you have this DC running with a proper external time source then your other DCs and clients will update through the domain hierarchy.
Neo_78Author Commented:
We do not have option to sync with external time server at this time. PDC is configured to sync the time with hardware clock. I need to change the time manually in PDC but reducing 6 mins at a time might create problem.

Kindly suggest.
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Darius GhassemCommented:
Could cause an issue since you are over 5 minutes. You could go to 4 minutes by changing the internal clock of the PDC server allow time to filter then you can setup a proper external time source.
What exactly is your PDCe synchronizing with? Please give us this feedback, dependent on the server OS:

For 2003: net time /querysntp
For 2008: w32tm /query /peers

The computer's time will run out of sync, when it's not synchronizing with an external clock, simply because the server's hardware (realtime) clock is not a reliable time-keeper. The clock is not of high enough quality. It gets even worse in Virtual Machines.

Setting up to sync with a reliable time source should be a priority. As noted, that should be configured on the DC holding the PDC emulator role, and, important, the NTP peer list should be maintained when the PDC emulator role moves to another server.

I know there exist serial or networked GPS devices that can supply reliable time, if you don't want to use an external (untrusted) source. Or have another Windows/Linux host, with an internet connection, to proxy the time to your PDC. I have personally used the servers from pool.ntp.org for many years and found them very reliable.

It is also best practice to make sure that the PDCe cannot make huge time leaps (when retrieving time from another NTP server) by properly configuring the parameters for the W32Time service.

These articles probably have everything you want to know about the W32Time service:
Windows Time Service Technical Reference
How the Windows Time Service Works
Windows Time Service Tools and Settings

You obviously don't want a jump back in time (not even a minute). W32Time has provisions to slowly correct time instead of making the clock jump, but that will only work when synchronizing from an external time source.

Pay special attention to other operating systems: if your time-critical apps are running on non-Windows, then you have to take care of synchronizing them as well. Your internal stratum 2 or 3 servers (domain controllers) can act as an NTP server to ntpd and the likes.
If you can't sync time to the internet (For security reasons?) you can purchase a "time server" that has an outside antennae to grab accurate time from the GPS satellites.  Then you can point the AD servers there for time.  Works for the military.

just an example

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now