Solved

NTP issues

Posted on 2011-03-15
Last Modified: 2012-08-14
I have 2 domain controllers (DC1 and DC2) located in the corporate office. DC1 is configured to be the NTP server, which syncs with the tick.usno.navy.mil server. We have several offices throughout the United States. All client (Windows XP) machines use DC1 or DC2 for authentication.

After users change the time on their computers, it'll sync with our NTP server and change back to the incorrect time. Where in the NTP server are the timezone settings controlled?

Other questions:
How should my NTP server be setup in this situation when we have multiple locations?
Should I allow client machines to use their own time clock?
Question by:ithawaii
11 Comments
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 50 total points
ID: 35141022
Time is stored as Greenwich Mean Time (GMT) in AD, so the zone shouldn't be a problem. Sounds like you set up time OK, and tick from the Navy is a good source.

Can you double-check your settings per Matt's excellent article: http://tigermatt.wordpress.com/2009/08/01/windows-time-for-active-directory/

Thanks

Mike
0
 
LVL 11

Assisted Solution

by:RickSheikh
RickSheikh earned 50 total points
ID: 35141152
Adding to what Mike stated:

AD's internal time clock is based on UTC, and the time zones are irrelevant and cosmetic. The client machines' local zone settings should reflect their physical time zone.

The time sync works like this:

Client gets its time sync with the authenticating DC.
That DC gets its time from the PDCe (if it's a child/parent domain, then the child's PDCe gets its time from the root PDCe).
PDCe is set to sync NTP with an external source, such as tick in your case.
0
 
LVL 1

Author Comment

by:ithawaii
ID: 35141591
Thanks for pointing me to a great article. All is set up properly on my side. However, when I run "NET TIME" on client machines, it shows my DC2 (not my NTP server DC1) as their NTP server. I've tried the following commands:

net stop w32time
w32tm /unregister
w32tm /register
net start w32time
w32tm /resync /rediscover

I also checked and my DC1 is showing under "PDC" tab.

What else should I check?
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 35141856
On those servers which show DC2, type, at a command prompt, SET LOGONSERVER. I will bet it is DC2. In AD, whatever server authenticates your logon will be your time server.
0
 
LVL 1

Author Comment

by:ithawaii
ID: 35142406
You're correct. It uses DC2 for authentication on those machines.

What's causing these computers to use DC2 to authenticate?
How do I force all computers to use DC1 as the primary domain controller?
Are there any settings in AD that I'm missing here?

My DC1 is RID, PDC, Infrastructure and Global Catalog.
0
 
LVL 11

Expert Comment

by:RickSheikh
ID: 35142464
Presumably both DCs are part of the same site, and the subnet that users are on is associated with that site under AD Sites and Services. In which case users will authenticate against either DC.

Why would you want to enforce the logons against DC1? All DCs are equal irrespective of the FSMO roles they hold.
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 35142498
You don't want to force all authentication to one DC. All computers will authenticate to whichever DC responds first to them. This is to facilitate the fastest logins possible. If you have multiple subnets, you can move a DC to one of the other subnets in AD Sites and Services and have all computers in those subnets authenticate against specific DCs. This is really the only time you will want to do this.

DrUltima
0
 
LVL 1

Author Comment

by:ithawaii
ID: 35142523
With the current setup, my DC2 should get the time from DC1 (my only PDC on my domain). Both DC1 and DC2 show the correct date and time. I guess it goes back to my original question. All my client computers which are located in a different timezone don't show the correct Windows time. How do I fix this issue?
0
 
LVL 31

Accepted Solution

by:Justin Owens
Justin Owens earned 400 total points
ID: 35142552
Make sure the Time Zones are correct. Make sure you have the correct DST patches installed, as it has changed...

http://support.microsoft.com/gp/dst_it1

If a computer is more than 5 minutes off it will not allow authentication (broken trust), so my hunch is that a time zone setting is wrong somewhere.

DrUltima
0
 
LVL 1

Author Comment

by:ithawaii
ID: 35142660
The DST took place last Sunday. So, all of the client computers that I mentioned are 1 hour behind the correct time. For example, computers in New York are only 5 hours ahead of us (instead of 6 hours).

When you said "a time zone setting is wrong somewhere", are you referring to client computers or servers?

Thanks!
0
 
LVL 1

Author Closing Comment

by:ithawaii
ID: 35143568
Dr Ultima pointed me to a Windows patch which fixes this issue. I downloaded the patch and deployed it to all client machines. Thank you all for the tips.
0
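
An added example (not from any poster in this thread) showing why the clients kept syncing and authenticating yet displayed the wrong hour: the time service and the Kerberos 5-minute skew check compare UTC, while the displayed time depends on the DST rule table installed on each machine. It assumes the unpatched clients still carried the pre-2007 US DST rules and that the poster's own site is at UTC-10 with no DST; the function names and sample timestamps are constructed.

```python
from datetime import datetime, timedelta

# US DST rules: (start month, n-th Sunday), (end month, n-th Sunday); -1 = last.
RULES = {
    "pre-2007": ((4, 1), (10, -1)),  # first Sunday in April to last Sunday in October
    "2007+": ((3, 2), (11, 1)),      # second Sunday in March to first Sunday in November
}
KERBEROS_MAX_SKEW = timedelta(minutes=5)  # the 5-minute limit cited in the thread


def nth_sunday(year, month, n):
    """Midnight on the n-th Sunday of the month (n = -1 means the last Sunday)."""
    if n > 0:
        first = datetime(year, month, 1)
        return first + timedelta(days=(6 - first.weekday()) % 7 + 7 * (n - 1))
    next_month = datetime(year + (month == 12), month % 12 + 1, 1)
    last = next_month - timedelta(days=1)
    return last - timedelta(days=(last.weekday() + 1) % 7)


def eastern_utc_offset(utc, rules):
    """UTC offset a US Eastern client applies at `utc` under the given rule set."""
    (start_month, start_n), (end_month, end_n) = RULES[rules]
    start = nth_sunday(utc.year, start_month, start_n) + timedelta(hours=7)  # 02:00 EST
    end = nth_sunday(utc.year, end_month, end_n) + timedelta(hours=6)        # 02:00 EDT
    return timedelta(hours=-4 if start <= utc < end else -5)


def client_view(dc_utc, client_utc, rules, reference_offset_hours=-10):
    """Return (auth_ok, displayed_local_time, hours_ahead_of_reference_site).

    reference_offset_hours=-10 (no DST) is an assumption about the poster's site.
    """
    auth_ok = abs(client_utc - dc_utc) <= KERBEROS_MAX_SKEW  # compared in UTC
    offset = eastern_utc_offset(client_utc, rules)
    ahead = (offset - timedelta(hours=reference_offset_hours)) // timedelta(hours=1)
    return auth_ok, client_utc + offset, ahead


if __name__ == "__main__":
    dc = datetime(2011, 3, 15, 18, 0, 0)   # constructed sample: DC clock, UTC
    client = dc + timedelta(seconds=2)     # client synced to within 2 seconds
    for rules in RULES:
        print(rules, client_view(dc, client, rules))
```

With identical UTC clocks, the client on the older rule table passes the skew check but shows 13:00 instead of 14:00, so no amount of resyncing against the DC corrects the display; only updating the client's time zone rules does.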
