Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Should all DCs in a domain advertise time services

Posted on 2011-02-13
7
Medium Priority
?
408 Views
Last Modified: 2012-08-14
Hello,

A couple of days ago I had some timing issues in my domain which where caused by a bad GPO.  The GPO prevented any of my DCs to advertise time services.
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_26808267.html

I have DC01 and DC02. DC01 is the PDC and when I run a dcdiag then it shows that it is distributing time services. Nice!
But what about the second domain controller DC02 which is running no FSMO - when I run a dcdiag then I see this:

         The DC DC02 is advertising as a Key Distribution Center
         Warning: DC02 is not advertising as a time server.

Should only the PDC advertise time services in a domain?

Thank you
Mc2102
0
Comment
Question by:Mc2102
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 39

Accepted Solution

by:
Krzysztof Pytko earned 1000 total points
ID: 34885725
Normally, all DCs provide time services. Clients synchronize their clocks with any DC in a network but all DCs synchronize clock with PDC only or with NTP specified in configuration (if it's different that default).

Regards,
Krzysztof
0
 
LVL 6

Expert Comment

by:LHT_ST
ID: 34886016
as above, from what i am aware all dc's will advertise the services but i would set the PDC to synch with NTP and the other DC to synch with the PDC, that way everyone gets the same time regardless of which dc they connect to.
0
 
LVL 11

Expert Comment

by:Tasmant
ID: 34886720
To be sure to synchronise the PDC will a reliable time server (external NTP), you can use this link.
http://blogs.technet.com/b/askds/archive/2008/11/13/configuring-an-authoritative-time-server-with-group-policy-using-wmi-filtering.aspx
Else, every others computers than the PDC should sync from the domain hierarchy, ie DC sync with their PDC and workstations sync with any of the PDCs.

For a better understanding, you can refer to this technet information:
http://technet.microsoft.com/en-us/library/cc773013%28WS.10%29.aspx

To be sure DC02 sync from the PDC, you can run the following command (source here:http://technet.microsoft.com/en-us/library/cc773263%28WS.10%29.aspx):
w32tm /config /update /syncfromflags:domhier /reliable:yes
w32tm /resync /nowait /rediscover
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 
LVL 15

Expert Comment

by:msmamji
ID: 34887013
My two cents..
In a forest, the domain controllers of a child domain synchronize time with domain controllers in their parent domains. When you have a parent-child model implemented then the PDC of the forest Root domain should be configured with reliable time server.
0
 
LVL 59

Assisted Solution

by:Darius Ghassem
Darius Ghassem earned 1000 total points
ID: 34888411
Very good article from TigerMatt on time within the domaim

http://tigermatt.wordpress.com/2009/08/01/windows-time-for-active-directory/
0
 

Author Comment

by:Mc2102
ID: 34889324
Just to make sure I do understand that correctly: So the bottom line is that all DCs in a domain should advertise time services - not only the DC which holds the PDC FSMO?
0
 

Author Comment

by:Mc2102
ID: 34890338
The answer to my question is: Yes - all DCs in a domain should advertise as a time server. I had the time service on DC02 missconfigured. It was set to 'type' = NTP. I changed the entry in the registry under HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters and after a reboot DC02 started advertising time services.
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Suggested Courses

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question