Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Time synchronization for Domain Controllers

Posted on 2016-07-29
10
Medium Priority
?
56 Views
Last Modified: 2016-08-28
Hello,

I am experiencing an issue where all the clocks on our domain controllers become out of sync. We currently have 8 DCs on our network and for some reason, the clocks become out of sync, causing anomalies on our network (exchange in particular).

Is there a reason this may be happening and is there a fix for this? Perhaps a way to connect to an external clock?

Thanks in advance
0
Comment
Question by:zito2000
10 Comments
 
LVL 14

Assisted Solution

by:Dustin Saunders
Dustin Saunders earned 668 total points (awarded by participants)
ID: 41734892
I've always used the pool.ntp servers for our TIme service.  This link shows how to set them as your NTP server.
0
 
LVL 17

Assisted Solution

by:Todd Nelson
Todd Nelson earned 668 total points (awarded by participants)
ID: 41734896
If you have not configured an authoritative time server for your domain then each of the servers will attempt to set their time from Microsoft--which isn't always a reliable source.

When you configure an authoritative time server, you want to configure the PDC emulator to access a reliable external time service (http://www.pool.ntp.org/en/) from which it will set its time.  Then all other internal servers should get their time from the PDC emulator.

Utilize these two references to configure time synching for your Windows domain.

How to configure an authoritative time server in Windows Server ... https://support.microsoft.com/en-us/kb/816042

Configure a client computer for automatic domain time synchronization ... https://technet.microsoft.com/en-us/library/cc758905%28WS.10%29.aspx?f=255&MSPPError=-2147217396

Good luck.
0
 
LVL 14

Assisted Solution

by:frankhelk
frankhelk earned 664 total points (awarded by participants)
ID: 41737017
Hmmm ... W32time, the timekeeping service in Windows. I experienced enough trouble with that piece of crap when in NTP mode to avoid using it whenever I can.

For a mature timekeeping service with well documented behaviour, I'd recommend this:

Use a Windows port of the classic *ix NTP service on your DCs, and sync 'em with NTP time sources from pool.ntp.org. Sync the clients with your DCs to keep 'em in sync in case of network failure. Ensure to disable the time sync features of VMware (to timekeeping services on one clock will cause time chaos). The NTP service software is free. Easy to install and configure, works like a charm and is stable as a rock. And it is nicer when it comes to one of the rare cases of troubleshooting.

See my article on NTP basics for the "How To".

The NTP service has a low ressource footprint, therefore the NTP functionality could be hooked onto existing machines or VM's like webservers, ftp servers, mailservers or database hosts - even in a DMZ - without visible performance impact.

If securtity is an issue, you might as well use local radio controlled clock appliances (see the article for that, too) in your LAN who serve times very reliable and precise.
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 

Author Comment

by:zito2000
ID: 41737478
Thank you everyone for the help.

I prefer synchronizing with an external so I will try that solution first.

If no luck, I will explore other avenues to achieve the synchronization.

thank you
0
 

Author Comment

by:zito2000
ID: 41737481
I forgot to ask,

Dustin, do I need to do this for every DC, or just the roots?
0
 
LVL 14

Accepted Solution

by:
Dustin Saunders earned 668 total points (awarded by participants)
ID: 41737491
Microsoft states that it only needs to be done on the PDC that is the operations master.
0
 

Author Comment

by:zito2000
ID: 41737505
Ok cool,

that would be one of our roots
0
 
LVL 14

Expert Comment

by:Dustin Saunders
ID: 41748958
@Zito2000

When a question is resolved, simply select an answer(s) that most helped you lead to your resolution.  The question will be closed and points will be awarded to the expert(s) who helped you.
1
 
LVL 14

Expert Comment

by:Dustin Saunders
ID: 41773565
All three experts helped asker reach desired solution with good answers.
0

Featured Post

NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

886 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question