Time configuration in workstations still pointing to the old domain controller not the PDC emulator

Hi,

I’m confused about how a workstation with DHCP gets its time synchronization from DHCP.

Why is it still pointing to the old server (OLDDC01), which no longer holds the PDC emulator role, even though I have changed the DHCP scope option 004 to point to the new PDC emulator IP address?

Background:
Single domain AD forest.
I’ve successfully built a new Win2012 R2 server (NEWDC01) as Domain Controller (PDC, RID pool manager, Infrastructure master roles), which also runs as the primary DNS server.
I’m in the process of decommissioning the Win2003 server (OLDDC01) as the domain controller and the DNS server for my head office.

What I did:
I’ve already configured the DHCP scope in the old Windows Server 2003 (OLDDC01) Scope Options 004 to point to the PDC role (NEWDC01).

I’ve verified that the DHCP scope options for the DNS server have been updated to the new DNS server on NEWDC01.

All domain joined servers are now pointing to the domain controllers in the Data Center AD site, each of which is pointing to the PDC Emulator role in the Head Office AD site.

I’ve executed the following script in my workstations:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time

w32tm /config /syncfromflags:domhier /update
w32tm /resync /rediscover
net stop w32time
net start w32time

But the result of "w32tm /query /source" and also the "echo %LOGONSERVER%" is still pointing to the old Windows Server 2003 (OLDDC01).
Asked by: Senior IT System Engineer (IT Professional)
jmcg (Owner) commented:
The workstations can't guess your intentions regarding OLDDC01, so as far as they are concerned it's still a valid place to be getting their time from. When OLDDC01 is no longer available, they'll have to change.
0
Senior IT System Engineer (IT Professional, Author) commented:
@jmcg: So how do I change it to NEWDC01?

I'm in the process of demoting OLDDC01 today.
0
jmcg (Owner) commented:
Sorry, I should have been more re-assuring. They'll figure out the new domain hierarchy when OLDDC01 goes away. Should be completely automatic.
0
Senior IT System Engineer (IT Professional, Author) commented:
Ah ok, according to Windows Server 2003 (OLDDC01) System Event ID 35 and 37, it is pointing to the NEWDC01 for the time server.
0
jmcg (Owner) commented:
Secondary DCs aren't just hot standbys. There are lots of tasks they can do for domain members and the goal is to spread the load. Time service is just one example.
0
albatros99 commented:
The AD time hierarchy ensures that the client will contact one DC in the closest site and not necessarily the PDC. If the PDC happens to be in the same site it might or might not be used by the client. For example if you have a site with 200 clients and two domain controllers (one of them being the PDC) then half of the clients will use DC 1 and the other DC2. You can override this behaviour with group policy but I would not recommend it.
0
Senior IT System Engineer (IT Professional, Author) commented:
ok, I was just worried that if I decommission the OLDDC01 it may break the time configuration for that client.

So I guess it is fine then.
0
tigermatt commented:
"So I guess it is fine then."
Yes, this is expected behavior as the others have noted. The time hierarchy in a single Active Directory domain has three tiers:

1. Workstations and Member Servers
query time from
2. A Domain Controller (technically, any, although locality to a DC etc will play a role in this selection)
which query their time from
3. The DC holding the PDC Emulator operations role.

The Windows Time Service have an excellent blog post describing this, including a good graphic to visualize how it works (particularly among a multi-domain forest).

I would strongly recommend not configuring any special settings in DHCP or Group Policy to provide time server information, as more often than not these simply cause the time service to break through misconfiguration. They are not required for a healthy time service to be discovered and time propagated automatically down the domain hierarchy.
0
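To confirm the behavior described in this thread on a given workstation, the following added example (not part of the original posts) reports the sync type in effect, the current time source, and whether that source is a domain controller or the PDC emulator. It assumes a domain-joined machine and an elevated PowerShell session; the variable names and verdict strings are illustrative.

```powershell
# Added example: check where a domain-joined workstation gets its time.
# Assumes an elevated PowerShell session on a domain-joined machine.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
$pdc    = $domain.PdcRoleOwner.Name                      # current PDC emulator (FQDN)
$dcs    = @($domain.DomainControllers | ForEach-Object { $_.Name })

# Sync type: a Group Policy value, if present, overrides the local service setting.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
$type   = (Get-ItemProperty -Path $svcKey).Type
$gpo    = Get-ItemProperty -Path $gpoKey -ErrorAction SilentlyContinue
$fromPolicy = [bool]($gpo -and $gpo.Type)
if ($fromPolicy) { $type = $gpo.Type }

# Current source as reported by the time service; strip any ",0x.." flag suffix.
$source = ((& w32tm /query /source | Out-String).Trim() -split ',')[0].Trim()

# NT5DS means "sync from the domain hierarchy"; anything else is a manual override.
$verdict = if ($type -ne 'NT5DS') {
    'Type is not NT5DS: a manual or policy-set peer overrides the domain hierarchy'
} elseif ($dcs -notcontains $source) {
    'Source is not a domain controller of this domain'
} elseif ($source -eq $pdc) {
    'Syncing from the PDC emulator'
} else {
    'Syncing from a non-PDC domain controller (normal for a workstation)'
}

[pscustomobject]@{
    SyncType     = $type
    SetByPolicy  = $fromPolicy
    TimeSource   = $source
    PdcEmulator  = $pdc
    LogonServer  = $env:LOGONSERVER
    Verdict      = $verdict
}
```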
Senior IT System Engineer (IT Professional, Author) commented:
Thanks Matt,

So in this case, can the DHCP scope option 004 be safely removed for the domain joined workstations?
Or do I just configure it to point to the PDC emulator, which happens to be in the same AD site as the workstations?
0
tigermatt commented:
"so in this case the DHCP scope option 004 can be safely removed for the domain joined workstations?"
Yes. No need for it. It is added complexity, which I generally frown upon. The machines will ignore it anyway and rely on obtaining a reliable source of time through the domain hierarchy, using one of the Domain Controllers (the one they picked at boot-up at random in their local site from the DNS and are using as a logon server, I believe).

By all means configure those types of settings for non-domain joined subnets, and it probably doesn't hurt to have it configured on subnets of domain-joined machines, but time in AD is a complex web to deal with; having the DHCP option enabled is one extra thing to update, one extra setting to cause problems later down the line, and one extra setting to get forgotten about. That's the primary reason why I don't configure it; if there's non-domain-joined boxes out there, I just don't care what time they have because I don't manage them. :-)
0

Senior IT System Engineer (IT Professional, Author) commented:
Thanks!
0