NTP issues

I have 2 domain controllers (DC1 and DC2) located in the corporate office. DC1 is configured to be the NTP server, which syncs with the tick.usno.navy.mil server. We have several offices throughout the United States. All client (Windows XP) machines use DC1 or DC2 for authentication.

After users change the time on their computers, it'll sync with our NTP server and change back to the incorrect time. Where in the NTP server are the time zone settings controlled?

Other questions:
How should my NTP server be set up in this situation when we have multiple locations?
Should I allow client machines to use their own time clock?

Justin Owens (ITIL Problem Manager) commented:
Make sure the Time Zones are correct. Make sure you have the correct DST patches installed, as it has changed...

If a computer is more than 5 minutes off it will not allow authentication (broken trust), so my hunch is that a time zone setting is wrong somewhere.

Mike Kline commented:
Time is stored as Greenwich Mean Time (GMT) in AD so the zone shouldn't be a problem. Sounds like you set up time OK and tick from the navy is a good source.

Can you double check your settings per Matt's excellent article http://tigermatt.wordpress.com/2009/08/01/windows-time-for-active-directory/

RickSheikh commented:
Adding to what Mike stated:

AD's internal time clock is based on UTC and the time zones are irrelevant and cosmetic. The client machines' local zone settings should reflect their physical time zone.

The time syncs work like this:

Client gets its time sync from the authenticating DC.
That DC gets its time from the PDCe (if it's a child/parent domain, then the child's PDCe gets its time from the root PDCe).
PDCe is set to sync NTP with an external source such as tick in your case.

ithawaii (Author) commented:
Thanks for pointing me to a great article. All is set up properly on my side. However, when I run "NET TIME" on client machines, it shows my DC2 (not my NTP server DC1) as their NTP server. I've tried the following commands:

net stop w32time
w32tm /unregister
w32tm /register
net start w32time
w32tm /resync /rediscover

I also checked and my DC1 is showing under "PDC" tab.

What else should I check?

Justin Owens (ITIL Problem Manager) commented:
On those servers which show DC2, type SET LOGONSERVER at a command prompt. I will bet it is DC2. In AD, whatever server authenticates your logon will be your time server.

ithawaii (Author) commented:
You're correct. It uses DC2 for authentication on those machines.

What's causing these computers to use DC2 to authenticate?
How do I force all computers to use DC1 as primary domain controller?
Are there any settings in AD that I'm missing here?

My DC1 is RID, PDC, Infrastructure and Global Catalog.

Presumably both DCs are part of the same site and the subnet that users are on is associated with that site under AD Sites and Services. In which case users will authenticate against either DC.

Why would you want to enforce the logons against DC1? All DCs are equal irrespective of the FSMO roles they hold.

Justin Owens (ITIL Problem Manager) commented:
You don't want to force all authentication to one DC. All computers will authenticate to whichever DC responds first to them. This is to facilitate the fastest logins possible. If you have multiple subnets, you can move a DC to one of the other subnets in AD Sites and Services and have all computers in those subnets authenticate against specific DCs. This is really the only time you will want to do this.

ithawaii (Author) commented:
With the current setup, my DC2 should get the time from DC1 (my only PDC on my domain). Both DC1 and DC2 show the correct date and time. I guess it goes back to my original question. All my client computers which are located in a different time zone don't show the correct Windows time. How do I fix this issue?

ithawaii (Author) commented:
The DST took place last Sunday. So, all of the client computers that I mentioned are 1 hour behind the correct time. For example, computers in New York are only 5 hours ahead of us (instead of 6 hours).

When you said "a time zone setting is wrong somewhere", are you referring to client computers or servers?

ithawaii (Author) commented:
Dr Ultima pointed me to a Windows patch which fixes this issue. I downloaded the patch and deployed it to all client machines. Thank you all for the tips.

Question has a verified solution.
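
Added example (not posted by anyone in the thread): a small Python model of why the clients were an hour off even though time sync was healthy, and why a hand-set clock gets pulled back at the next sync. It assumes a New York client that still applies the standard-time offset (UTC-5) while daylight time (UTC-4) is in effect; the instant and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)   # authentication tolerance quoted in the thread
EST, EDT = -5, -4                 # New York UTC offsets: standard / daylight time

def displayed(utc_instant, offset_hours):
    """Wall-clock time shown for a UTC instant under the given UTC offset."""
    zone = timezone(timedelta(hours=offset_hours))
    return utc_instant.astimezone(zone).replace(tzinfo=None)

def utc_after_manual_set(wall_clock, offset_hours):
    """UTC system time that results when a user types in a wall-clock time
    while the machine is applying the given UTC offset."""
    return (wall_clock - timedelta(hours=offset_hours)).replace(tzinfo=timezone.utc)

def skew_ok(client_utc, dc_utc):
    """True when the client clock is within MAX_SKEW of the DC clock."""
    return abs(client_utc - dc_utc) <= MAX_SKEW

def scenario():
    # Constructed instant; the DC and a freshly synced client agree on it in UTC.
    dc_utc = datetime(2010, 3, 16, 18, 0, tzinfo=timezone.utc)
    correct = displayed(dc_utc, EDT)      # what the wall clock should read
    unpatched = displayed(dc_utc, EST)    # stale DST rule: one hour behind
    # The user "fixes" the wall clock by hand; the stale offset is still applied,
    # so the UTC system time moves an hour ahead of the DC.
    forced_utc = utc_after_manual_set(correct, EST)
    return {
        "correct_display": correct,
        "unpatched_display": unpatched,
        "synced_skew_ok": skew_ok(dc_utc, dc_utc),
        "forced_skew": forced_utc - dc_utc,
        "forced_skew_ok": skew_ok(forced_utc, dc_utc),
        # The next sync restores the DC's UTC, so the display is wrong again.
        "display_after_resync": displayed(dc_utc, EST),
    }

if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Correcting the offset rule on the client changes only what `displayed` returns, which is consistent with the DST patch resolving the issue without any change to the time service.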
