Solved

NTP issues

Posted on 2011-03-15
Last Modified: 2012-08-14
I have 2 domain controllers (DC1 and DC2) located in the corporate office. DC1 is configured to be the NTP server, which syncs with the tick.usno.navy.mil server. We have several offices throughout the United States. All client (Windows XP) machines use DC1 or DC2 for authentication.

After users change the time on their computers, it'll sync with our NTP server and change it back to the incorrect time. Where in the NTP server are the timezone settings controlled?

Other questions:
How should my NTP server be set up in this situation when we have multiple locations?
Should I allow client machines to use their own time clock?
0
Question by:ithawaii
11 Comments
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 50 total points
ID: 35141022
Time is stored as Greenwich Mean Time (GMT) in AD so the zone shouldn't be a problem. Sounds like you set up time OK, and tick from the Navy is a good source.

Can you double check your settings per Matt's excellent article: http://tigermatt.wordpress.com/2009/08/01/windows-time-for-active-directory/

Thanks

Mike
0
 
LVL 11

Assisted Solution

by:RickSheikh
RickSheikh earned 50 total points
ID: 35141152
Adding to what Mike stated:

AD's internal time clock is based on UTC and the time zones are irrelevant and cosmetic. The client machines' local zone settings should reflect their physical time zone.

The time syncs work like this:

Client gets its time sync with the authenticating DC.
That DC gets its time from the PDCe (if it's a child/parent domain, then the child's PDCe gets its time from the root PDCe).
PDCe is set to sync NTP with an external source such as tick in your case.
0
 
LVL 1

Author Comment

by:ithawaii
ID: 35141591
Thanks for pointing me to a great article. All is set up properly on my side. However, when I run "NET TIME" on client machines, it shows my DC2 (not my NTP server DC1) as their NTP server. I've tried the following commands:

net stop w32time
w32tm /unregister
w32tm /register
net start w32time
w32tm /resync /rediscover

I also checked and my DC1 is showing under "PDC" tab.

What else should I check?
0
 
LVL 31

Expert Comment

by:DrUltima
ID: 35141856
On those servers which show DC2, type, at a command prompt, SET LOGONSERVER. I will bet it is DC2. In AD, whatever server authenticates your logon will be your time server.
0
 
LVL 1

Author Comment

by:ithawaii
ID: 35142406
You're correct. It uses DC2 for authentication on those machines.

What's causing these computers to use DC2 to authenticate?
How do I force all computers to use DC1 as the primary domain controller?
Are there any settings in AD that I'm missing here?

My DC1 is RID, PDC, Infrastructure and Global Catalog.
0
 
LVL 11

Expert Comment

by:RickSheikh
ID: 35142464
Presumably both DCs are part of the same site and the subnet that users are on is associated with that site under AD Sites and Services, in which case users will authenticate against either DC.

Why would you want to enforce the logons against DC1? All DCs are equal irrespective of the FSMO roles they hold.
0
 
LVL 31

Expert Comment

by:DrUltima
ID: 35142498
You don't want to force all authentication to one DC. All computers will authenticate to whichever DC responds first to them. This is to facilitate the fastest logins possible. If you have multiple subnets, you can move a DC to one of the other subnets in AD Sites and Services and have all computers in those subnets authenticate against specific DCs. This is really the only time you will want to do this.

DrUltima
0
 
LVL 1

Author Comment

by:ithawaii
ID: 35142523
With the current setup, my DC2 should get the time from DC1 (the only PDC on my domain). Both DC1 and DC2 show the correct date and time. I guess it goes back to my original question. All my client computers which are located in a different timezone don't show the correct Windows time. How do I fix this issue?
0
 
LVL 31

Accepted Solution

by:DrUltima
DrUltima earned 400 total points
ID: 35142552
Make sure the Time Zones are correct.  Make sure you have the correct DST patches installed, as it has changed...

http://support.microsoft.com/gp/dst_it1

If a computer is more than 5 minutes off it will not allow authentication (broken trust), so my hunch is that a time zone setting is wrong somewhere.

DrUltima
0
 
LVL 1

Author Comment

by:ithawaii
ID: 35142660
The DST took place last Sunday. So, all of the client computers that I mentioned are 1 hour behind the correct time. For example, computers in New York are only 5 hours ahead of us (instead of 6 hours).

When you said "a time zone setting is wrong somewhere", are you referring to client computers or servers?

Thanks!
0
 
LVL 1

Author Closing Comment

by:ithawaii
ID: 35143568
Dr Ultima pointed me to the Windows patch which fixes this issue. I downloaded the patch and deployed it to all client machines. Thank you all for the tips.
0
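
Added example (not part of the original thread): a sketch of why a client with an outdated DST table shows a wall-clock time one hour off while its UTC clock, which is what the 5-minute authentication tolerance applies to, stays in sync. It uses the US DST rules before and after the 2007 change; the function names, the rule labels, the sample instant and the fixed UTC-10 reference office (chosen to match the 5-versus-6-hour figures above) are assumptions made for illustration.

```python
from datetime import datetime, timedelta

KERBEROS_MAX_SKEW = timedelta(minutes=5)  # tolerance quoted in the accepted answer

def nth_sunday(year, month, n):
    """Day of month of the n-th Sunday."""
    first_weekday = datetime(year, month, 1).weekday()  # Monday=0 .. Sunday=6
    return 1 + (6 - first_weekday) % 7 + 7 * (n - 1)

def last_sunday_of_october(year):
    return 31 - (datetime(year, 10, 31).weekday() + 1) % 7

def dst_window_utc(year, std_offset_h, rules):
    """US DST start/end as naive UTC; transitions happen at 02:00 local."""
    if rules == "2007":       # second Sunday of March -> first Sunday of November
        start = datetime(year, 3, nth_sunday(year, 3, 2), 2)
        end = datetime(year, 11, nth_sunday(year, 11, 1), 1)  # 02:00 DST = 01:00 std
    elif rules == "pre2007":  # first Sunday of April -> last Sunday of October
        start = datetime(year, 4, nth_sunday(year, 4, 1), 2)
        end = datetime(year, 10, last_sunday_of_october(year), 1)
    else:
        raise ValueError(rules)
    shift = timedelta(hours=std_offset_h)
    return start - shift, end - shift

def displayed_time(utc, std_offset_h, rules):
    """Wall-clock time a client shows for a given (naive) UTC instant."""
    start, end = dst_window_utc(utc.year, std_offset_h, rules)
    dst_h = 1 if start <= utc < end else 0
    return utc + timedelta(hours=std_offset_h + dst_h)

def kerberos_skew_ok(client_utc, dc_utc):
    """Authentication compares UTC clocks, not the displayed local time."""
    return abs(client_utc - dc_utc) <= KERBEROS_MAX_SKEW

def diagnose(dc_utc, client_utc, std_offset_h, client_rules, ref_offset_h):
    shown = displayed_time(client_utc, std_offset_h, client_rules)
    correct = displayed_time(dc_utc, std_offset_h, "2007")
    ref_local = dc_utc + timedelta(hours=ref_offset_h)  # reference office, no DST
    return {
        "kerberos_ok": kerberos_skew_ok(client_utc, dc_utc),
        "display_error_h": (shown - correct).total_seconds() / 3600,
        "hours_ahead_of_ref": (shown - ref_local).total_seconds() / 3600,
    }

if __name__ == "__main__":
    now = datetime(2011, 3, 15, 20, 0)  # constructed sample instant, UTC
    print(diagnose(now, now, -5, "pre2007", -10))  # client with the old DST table
    print(diagnose(now, now, -5, "2007", -10))     # client with the updated table
```

A client whose UTC clock really drifts past the tolerance fails `kerberos_skew_ok` regardless of which DST table it carries, which is a different fault from the display error shown here.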
