Solved

Time synchronization for Domain Controllers

Posted on 2016-07-29
10
37 Views
Last Modified: 2016-08-28
Hello,

I am experiencing an issue where all the clocks on our domain controllers become out of sync. We currently have 8 DCs on our network and for some reason, the clocks become out of sync, causing anomalies on our network (exchange in particular).

Is there a reason this may be happening and is there a fix for this? Perhaps a way to connect to an external clock?

Thanks in advance
0
Comment
Question by:zito2000
10 Comments
 
LVL 12

Assisted Solution

by:Dustin Saunders
Dustin Saunders earned 167 total points (awarded by participants)
ID: 41734892
I've always used the pool.ntp servers for our TIme service.  This link shows how to set them as your NTP server.
0
 
LVL 14

Assisted Solution

by:Todd Nelson
Todd Nelson earned 167 total points (awarded by participants)
ID: 41734896
If you have not configured an authoritative time server for your domain then each of the servers will attempt to set their time from Microsoft--which isn't always a reliable source.

When you configure an authoritative time server, you want to configure the PDC emulator to access a reliable external time service (http://www.pool.ntp.org/en/) from which it will set its time.  Then all other internal servers should get their time from the PDC emulator.

Utilize these two references to configure time synching for your Windows domain.

How to configure an authoritative time server in Windows Server ... https://support.microsoft.com/en-us/kb/816042

Configure a client computer for automatic domain time synchronization ... https://technet.microsoft.com/en-us/library/cc758905%28WS.10%29.aspx?f=255&MSPPError=-2147217396

Good luck.
0
 
LVL 13

Assisted Solution

by:frankhelk
frankhelk earned 166 total points (awarded by participants)
ID: 41737017
Hmmm ... W32time, the timekeeping service in Windows. I experienced enough trouble with that piece of crap when in NTP mode to avoid using it whenever I can.

For a mature timekeeping service with well documented behaviour, I'd recommend this:

Use a Windows port of the classic *ix NTP service on your DCs, and sync 'em with NTP time sources from pool.ntp.org. Sync the clients with your DCs to keep 'em in sync in case of network failure. Ensure to disable the time sync features of VMware (to timekeeping services on one clock will cause time chaos). The NTP service software is free. Easy to install and configure, works like a charm and is stable as a rock. And it is nicer when it comes to one of the rare cases of troubleshooting.

See my article on NTP basics for the "How To".

The NTP service has a low ressource footprint, therefore the NTP functionality could be hooked onto existing machines or VM's like webservers, ftp servers, mailservers or database hosts - even in a DMZ - without visible performance impact.

If securtity is an issue, you might as well use local radio controlled clock appliances (see the article for that, too) in your LAN who serve times very reliable and precise.
0
 

Author Comment

by:zito2000
ID: 41737478
Thank you everyone for the help.

I prefer synchronizing with an external so I will try that solution first.

If no luck, I will explore other avenues to achieve the synchronization.

thank you
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 

Author Comment

by:zito2000
ID: 41737481
I forgot to ask,

Dustin, do I need to do this for every DC, or just the roots?
0
 
LVL 12

Accepted Solution

by:
Dustin Saunders earned 167 total points (awarded by participants)
ID: 41737491
Microsoft states that it only needs to be done on the PDC that is the operations master.
0
 

Author Comment

by:zito2000
ID: 41737505
Ok cool,

that would be one of our roots
0
 
LVL 12

Expert Comment

by:Dustin Saunders
ID: 41748958
@Zito2000

When a question is resolved, simply select an answer(s) that most helped you lead to your resolution.  The question will be closed and points will be awarded to the expert(s) who helped you.
1
 
LVL 12

Expert Comment

by:Dustin Saunders
ID: 41773565
All three experts helped asker reach desired solution with good answers.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

I know all systems administrator at some time or another has had to create a script to copy file from a server share to a desktop. Well now there is an easy way to do this in Group Policy. Using Group policy preferences is not hard. The first thing …
Resolve DNS query failed errors for Exchange
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now