Mc2102
asked on
Should all DCs in a domain advertise time services
Hello,
A couple of days ago I had some timing issues in my domain which were caused by a bad GPO. The GPO prevented any of my DCs from advertising time services.
https://www.experts-exchange.com/questions/26808267/Windows-Server-2008-Domain-time-question.html
I have DC01 and DC02. DC01 is the PDC and when I run a dcdiag then it shows that it is distributing time services. Nice!
But what about the second domain controller DC02 which is running no FSMO - when I run a dcdiag then I see this:
The DC DC02 is advertising as a Key Distribution Center
Warning: DC02 is not advertising as a time server.
Should only the PDC advertise time services in a domain?
Thank you
Mc2102
As above, from what I am aware all DCs will advertise the services, but I would set the PDC to sync with NTP and the other DC to sync with the PDC; that way everyone gets the same time regardless of which DC they connect to.
To be sure to synchronise the PDC with a reliable time server (external NTP), you can use this link.
http://blogs.technet.com/b/askds/archive/2008/11/13/configuring-an-authoritative-time-server-with-group-policy-using-wmi-filtering.aspx
Otherwise, every computer other than the PDC should sync from the domain hierarchy, i.e. DCs sync with their PDC and workstations sync with any of the PDCs.
For a better understanding, you can refer to this technet information:
http://technet.microsoft.com/en-us/library/cc773013%28WS.10%29.aspx
To be sure DC02 syncs from the PDC, you can run the following commands (source here: http://technet.microsoft.com/en-us/library/cc773263%28WS.10%29.aspx):
w32tm /config /update /syncfromflags:domhier /reliable:yes
w32tm /resync /nowait /rediscover
My two cents..
In a forest, the domain controllers of a child domain synchronize time with domain controllers in their parent domains. When you have a parent-child model implemented, the PDC of the forest root domain should be configured with a reliable time server.
ASKER
Just to make sure I do understand that correctly: So the bottom line is that all DCs in a domain should advertise time services - not only the DC which holds the PDC FSMO?
ASKER
The answer to my question is: Yes - all DCs in a domain should advertise as a time server. I had the time service on DC02 misconfigured. It was set to 'type' = NTP. I changed the entry in the registry under HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters and after a reboot DC02 started advertising time services.
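
Added example, not part of the original thread: a PowerShell check, run elevated on a DC, that reports which W32Time Type value is in effect (Group Policy or local registry) and whether dcdiag still prints the time-server warning quoted in the question. It assumes a single domain, the ActiveDirectory module, and the layout advised above (PDC emulator on NTP, other DCs on NT5DS); the function and property names are illustrative.

```powershell
# Added example (not from the thread). Run elevated, locally on a domain controller.
Import-Module ActiveDirectory

$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'

function Get-W32TimeType([string]$Key) {
    # Returns the Type value under $Key, or $null if the key or value is absent.
    $p = Get-ItemProperty -Path $Key -Name Type -ErrorAction SilentlyContinue
    if ($p) { $p.Type } else { $null }
}

$localType  = Get-W32TimeType $localKey
$policyType = Get-W32TimeType $policyKey

# A Type value delivered by Group Policy takes precedence over the local one,
# so a bad GPO can override a correct local setting.
$effective = if ($policyType) { $policyType } else { $localType }
$origin    = if ($policyType) { 'Group Policy' } else { 'local registry' }

# Does this DC hold the PDC emulator role?
$dc    = Get-ADDomainController -Identity $env:COMPUTERNAME
$isPdc = $dc.OperationMasterRoles -contains 'PDCEmulator'

# Assumption: the PDC emulator syncs to external NTP (Type NTP) and every
# other DC follows the domain hierarchy (Type NT5DS), as advised in the thread.
$expected = if ($isPdc) { 'NTP' } else { 'NT5DS' }

# dcdiag prints this warning when the DC does not advertise time services.
$diag        = dcdiag /test:advertising /s:$env:COMPUTERNAME | Out-String
$advertising = $diag -notmatch 'not advertising as a time server'

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    IsPdcEmulator = $isPdc
    EffectiveType = $effective
    TypeSetBy     = $origin
    ExpectedType  = $expected
    TypeMatches   = $effective -ieq $expected
    Advertising   = $advertising
}
```

A DC that reports TypeSetBy as Group Policy will revert any local registry change at the next policy refresh, so the GPO has to be corrected first.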