Solved

NTP issues

Posted on 2011-03-15
Last Modified: 2012-08-14
I have 2 domain controllers (DC1 and DC2) located in the corporate office. DC1 is configured to be the NTP server, which syncs with the tick.usno.navy.mil server. We have several offices throughout the United States. All client (Windows XP) machines use DC1 or DC2 for authentication.

After users change the time on their computers, it'll sync with our NTP server and change it back to the incorrect time. Where in the NTP server are the timezone settings controlled?

Other questions:
How should my NTP server be set up in this situation when we have multiple locations?
Should I allow client machines to use their own time clock?
Question by:ithawaii
11 Comments
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 200 total points
ID: 35141022
Time is stored as Greenwich Mean Time (GMT) in AD, so the zone shouldn't be a problem. Sounds like you set up time OK, and tick from the navy is a good source.

Can you double check your settings per Matt's excellent article: http://tigermatt.wordpress.com/2009/08/01/windows-time-for-active-directory/

Thanks

Mike
0
 
LVL 11

Assisted Solution

by:RickSheikh
RickSheikh earned 200 total points
ID: 35141152
Adding to what Mike stated:

AD's internal time clock is based on UTC, and the time zones are irrelevant and cosmetic. The client machines' local zone settings should reflect their physical time zone.

The time syncs work like this:

Client gets its time sync from the authenticating DC.
That DC gets its time from the PDCe (if it's a child/parent domain, then the child's PDCe gets its time from the root PDCe).
PDCe is set to sync NTP with an external source, such as tick in your case.
0
 
LVL 1

Author Comment

by:ithawaii
ID: 35141591
Thanks for pointing me to a great article. All is set up properly on my side. However, when I run "NET TIME" on client machines, it shows my DC2 (not my NTP server DC1) as their NTP server. I've tried the following commands:

net stop w32time
w32tm /unregister
w32tm /register
net start w32time
w32tm /resync /rediscover

I also checked and my DC1 is showing under "PDC" tab.

What else should I check?
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 35141856
On those servers which show DC2, type, at a command prompt, SET LOGONSERVER. I will bet it is DC2. In AD, whatever server authenticates your logon will be your time server.
0
 
LVL 1

Author Comment

by:ithawaii
ID: 35142406
You're correct. It uses DC2 for authentication on those machines.

What's causing these computers to use DC2 to authenticate?
How do I force all computers to use DC1 as primary domain controller?
Are there any settings in AD that I'm missing here?

My DC1 is RID, PDC, Infrastructure and Global Catalog.
0
 
LVL 11

Expert Comment

by:RickSheikh
ID: 35142464
Presumably both DCs are part of the same site, and the subnet that users are on is associated with that site under AD Sites and Services. In which case users will authenticate against either DC.

Why would you want to enforce the logons against DC1? All DCs are equal irrespective of the FSMO roles they hold.
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 35142498
You don't want to force all authentication to one DC. All computers will authenticate to whichever DC responds first to them. This is to facilitate the fastest logins possible. If you have multiple subnets, you can move a DC to one of the other subnets in AD Sites and Services and have all computers in those subnets authenticate against specific DCs. This is really the only time you will want to do this.

DrUltima
0
 
LVL 1

Author Comment

by:ithawaii
ID: 35142523
With the current setup, my DC2 should get the time from DC1 (my only PDC on my domain). Both DC1 and DC2 show the correct date and time. I guess it goes back to my original question. All my client computers which are located in a different timezone don't show the correct Windows time. How do I fix this issue?
0
 
LVL 31

Accepted Solution

by:
Justin Owens earned 1600 total points
ID: 35142552
Make sure the Time Zones are correct.  Make sure you have the correct DST patches installed, as it has changed...

http://support.microsoft.com/gp/dst_it1

If a computer is more than 5 minutes off it will not allow authentication (broken trust), so my hunch is that a time zone setting is wrong somewhere.

DrUltima
0
 
LVL 1

Author Comment

by:ithawaii
ID: 35142660
The DST took place last Sunday. So, all of the client computers that I mentioned are 1 hour behind the correct time. For example, computers in New York are only 5 hours ahead of us (instead of 6 hours).

When you said "a time zone setting is wrong somewhere", are you referring to client computers or servers?

Thanks!
0
 
LVL 1

Author Closing Comment

by:ithawaii
ID: 35143568
Dr Ultima pointed me to a Windows patch which fixes this issue. I downloaded the patch and deployed it to all client machines. Thank you all for the tips.
0
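
An added example, not part of the thread: it reproduces the symptom discussed above, where the UTC clock behind Kerberos' 5-minute check is in sync while a client with outdated DST rules shows New York 5 instead of 6 hours ahead. The function names, the UTC-10 head office without DST, and the pre-2007 US schedule standing in for the unpatched rule table are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

KERBEROS_MAX_SKEW = timedelta(minutes=5)   # tolerance quoted in the thread
HAWAII = timedelta(hours=-10)              # assumed head-office zone, no DST

def nth_sunday(year, month, n):
    """00:00 UTC on the n-th Sunday of the month (weekday(): Sunday == 6)."""
    first = datetime(year, month, 1, tzinfo=timezone.utc)
    return first + timedelta(days=(6 - first.weekday()) % 7 + 7 * (n - 1))

def eastern_offset(utc_now, patched):
    """UTC offset a New York client applies, given the DST table it has."""
    y = utc_now.year
    if patched:   # current US rule: 2nd Sunday of March to 1st Sunday of November
        start, end = nth_sunday(y, 3, 2), nth_sunday(y, 11, 1)
    else:         # assumed stale rule: 1st Sunday of April to last Sunday of October
        start, end = nth_sunday(y, 4, 1), nth_sunday(y, 11, 1) - timedelta(days=7)
    start += timedelta(hours=7)   # 02:00 EST expressed in UTC
    end += timedelta(hours=6)     # 02:00 EDT expressed in UTC
    return timedelta(hours=-4 if start <= utc_now < end else -5)

def diagnose(dc_utc, client_utc, patched):
    """Separate real clock skew (UTC) from a wrong local-time conversion."""
    offset = eastern_offset(client_utc, patched)
    return {
        "kerberos_ok": abs(client_utc - dc_utc) <= KERBEROS_MAX_SKEW,
        "hours_ahead_of_hawaii": (offset - HAWAII) // timedelta(hours=1),
        "ny_wall_clock": (client_utc + offset).strftime("%H:%M"),
    }

if __name__ == "__main__":
    # Constructed sample: the Tuesday after the 2011-03-13 DST change.
    dc = datetime(2011, 3, 15, 20, 0, tzinfo=timezone.utc)
    print("patched  ", diagnose(dc, dc, patched=True))
    print("unpatched", diagnose(dc, dc, patched=False))
    print("drifted  ", diagnose(dc, dc + timedelta(minutes=7), patched=True))
```

The unpatched client still passes the skew check because only its display conversion is wrong; the drifted client fails it even though its time zone rules are current.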
