  • Status: Solved
  • Priority: Medium
  • Security: Public

NTP issues

I have 2 domain controllers (DC1 and DC2) located in the corporate office. DC1 is configured to be the NTP server, which syncs with the tick.usno.navy.mil server. We have several offices throughout the United States. All client (Windows XP) machines use DC1 or DC2 for authentication.

After users change the time on their computers, it syncs with our NTP server and changes back to the incorrect time. Where in the NTP server are the time zone settings controlled?

Other questions:
How should my NTP server be set up in this situation when we have multiple locations?
Should I allow client machines to use their own time clock?
Asked:
ithawaii
3 Solutions
 
Mike Kline Commented:
Time is stored as Greenwich Mean Time (GMT) in AD, so the zone shouldn't be a problem. Sounds like you set up time OK, and tick from the Navy is a good source.

Can you double-check your settings per Matt's excellent article: http://tigermatt.wordpress.com/2009/08/01/windows-time-for-active-directory/

Thanks

Mike
 
RickSheikh Commented:
Adding to what Mike stated:

AD's internal time clock is based on UTC, and the time zones are irrelevant and cosmetic. The client machines' local zone settings should reflect their physical time zone.

The time syncs work like this:

Client gets its time sync with the authenticating DC.
That DC gets its time from the PDCe (if it's a child/parent domain, then the child's PDCe gets its time from the root PDCe).
PDCe is set to sync NTP with an external source, such as tick in your case.
 
ithawaii (Author) Commented:
Thanks for pointing me to a great article. All is set up properly on my side. However, when I run "NET TIME" on client machines, it shows my DC2 (not my NTP server DC1) as their NTP server. I've tried the following commands:

net stop w32time
w32tm /unregister
w32tm /register
net start w32time
w32tm /resync /rediscover

I also checked and my DC1 is showing under "PDC" tab.

What else should I check?
 
Justin Owens (ITIL Problem Manager) Commented:
On those servers which show DC2, type, at a command prompt, SET LOGONSERVER. I will bet it is DC2. In AD, whatever server authenticates your logon will be your time server.
 
ithawaii (Author) Commented:
You're correct. It uses DC2 for authentication on those machines.

What's causing these computers to use DC2 to authenticate?
How do I force all computers to use DC1 as the primary domain controller?
Are there any settings in AD that I'm missing here?

My DC1 is RID, PDC, Infrastructure and Global Catalog.
 
RickSheikh Commented:
Presumably both DCs are part of the same site, and the subnet that users are on is associated with that site under AD Sites and Services. In that case, users will authenticate against either DC.

Why would you want to enforce the logons against DC1? All DCs are equal, irrespective of the FSMO roles they hold.
0
 
Justin Owens (ITIL Problem Manager) Commented:
You don't want to force all authentication to one DC. All computers will authenticate to whichever DC responds first to them. This is to facilitate the fastest logins possible. If you have multiple subnets, you can move a DC to one of the other subnets in AD Sites and Services and have all computers in those subnets authenticate against specific DCs. This is really the only time you will want to do this.

DrUltima
 
ithawaii (Author) Commented:
With the current setup, my DC2 should get the time from DC1 (my only PDC on my domain). Both DC1 and DC2 show the correct date and time. I guess it goes back to my original question. All my client computers which are located in a different time zone don't show the correct Windows time. How do I fix this issue?
 
Justin Owens (ITIL Problem Manager) Commented:
Make sure the time zones are correct. Make sure you have the correct DST patches installed, as it has changed...

http://support.microsoft.com/gp/dst_it1

If a computer is more than 5 minutes off it will not allow authentication (broken trust), so my hunch is that a time zone setting is wrong somewhere.

DrUltima
 
ithawaii (Author) Commented:
The DST took place last Sunday. So, all of the client computers that I mentioned are 1 hour behind the correct time. For example, computers in New York are only 5 hours ahead of us (instead of 6 hours).

When you said "a time zone setting is wrong somewhere", are you referring to client computers or servers?

Thanks!
 
ithawaii (Author) Commented:
Dr Ultima pointed me to the Windows patch which fixes this issue. I downloaded the patch and deployed it to all client machines. Thank you all for the tips.
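
The diagnosis reached in this thread, as an added example that is not part of the original posts: authentication compares clocks in UTC (5-minute tolerance), while the displayed time depends on the client's DST rules, so a client with outdated rules logs on fine yet shows a time one hour off. It assumes US Eastern clients, the US DST rules before and after the 2007 change, and a constructed sample date.

```python
from datetime import datetime, timedelta, timezone

KERBEROS_MAX_SKEW = timedelta(minutes=5)  # the 5-minute limit cited in the thread
EASTERN_STD = timedelta(hours=-5)         # US Eastern standard offset from UTC

def nth_sunday(year, month, n):
    """Midnight on the n-th Sunday of the month (n = 1, 2, ...)."""
    first = datetime(year, month, 1)
    return first + timedelta(days=(6 - first.weekday()) % 7 + 7 * (n - 1))

def last_sunday(year, month):
    """Midnight on the last Sunday of the month (month must be < 12)."""
    d = datetime(year, month + 1, 1) - timedelta(days=1)
    return d - timedelta(days=(d.weekday() + 1) % 7)

def dst_window_utc(year, patched):
    """UTC start and end of Eastern DST under the current or the pre-2007 rules."""
    if patched:   # second Sunday of March to first Sunday of November
        start, end = nth_sunday(year, 3, 2), nth_sunday(year, 11, 1)
    else:         # first Sunday of April to last Sunday of October
        start, end = nth_sunday(year, 4, 1), last_sunday(year, 10)
    # The switch happens at 02:00 local: 07:00 UTC in spring, 06:00 UTC in autumn.
    return (start.replace(hour=7, tzinfo=timezone.utc),
            end.replace(hour=6, tzinfo=timezone.utc))

def displayed_local(utc_now, patched):
    """Wall-clock time an Eastern client shows for a given UTC instant."""
    start, end = dst_window_utc(utc_now.year, patched)
    dst = timedelta(hours=1) if start <= utc_now < end else timedelta(0)
    return (utc_now + EASTERN_STD + dst).replace(tzinfo=None)

def kerberos_skew_ok(client_utc, dc_utc):
    """Authentication compares UTC clocks, so time zone and DST rules play no part."""
    return abs(client_utc - dc_utc) <= KERBEROS_MAX_SKEW

def diagnose(client_utc, dc_utc, patched):
    """Separate a real sync problem from a display-only DST problem."""
    if not kerberos_skew_ok(client_utc, dc_utc):
        return "clock skew: fix time sync"
    if displayed_local(client_utc, patched) != displayed_local(client_utc, True):
        return "clock in sync, display wrong: stale DST rules"
    return "ok"

# Constructed sample: a Wednesday between the new and the old DST start dates.
SAMPLE_UTC = datetime(2010, 3, 17, 15, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(displayed_local(SAMPLE_UTC, patched=True))   # 2010-03-17 11:00:00
    print(displayed_local(SAMPLE_UTC, patched=False))  # 2010-03-17 10:00:00
    print(diagnose(SAMPLE_UTC, SAMPLE_UTC, patched=False))
```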