Keith Schroeder
asked on
Changing time on corporate/domain computers
the time is off by 4 minutes on all of the computers at my location (not sure about other branches) . the reason I know this is that the correct time is showing on my Cisco office phone and my cell phone. I also verified the time on the local time and temp call in number. how do I figure out what source is providing the time on our corporate computers here? when attempting to adjust it manually, I get the "some setting are hidden or managed by your organization" message. obviously the time is being provided my a NTP but not the same one as the one providing time to my Cisco phones (assuming that is coming from my call manager).
atlas_shuddered
You're PC's most likely are picking time up from your AD servers via GPO configuration. AD servers are syncing to whatever source they have been configured to poll. Are you the AD admin?
Are your computers in a domain or workgroup? If a domain, then the PDC should be the main NTP source for computers in the domain, and the PDC should sync with an external NTP source.
Run either W32TM /Query /Status | /Source | /Peers
and also try NET TIME to view or set time source.
Run either W32TM /Query /Status | /Source | /Peers
and also try NET TIME to view or set time source.
ASKER
yes I am the AD and these computers are on a domain. it looks as if from running the NET TIME command on my PC that our backup domain controller is providing the time to our computers. will adjusting the time of that server fix the issue or will that revert back to whatever time the NTP provides to it after the change is made?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I went to Operations masters screen (PDC tab) in AD and it stated that my primary domain controller is the operations master server. the Windows time service was started and set to automatic. this is not a VM server. I changed the time on the server itself and restarted the windows time service. within a matter of minutes, my PC's time incrementally moved back to the correct time. any additional steps needed before I close this ticket to ensure that the time on that server does not revert back to where it was before all of this?
Make sure you configure the Windows Time Service to sync with an internet NTP server on the DC with the PDC Emulator role.
Only the Root Domain Controller of the Forest Root Domain should have W32TM configured as "NTP". All other member servers and domain controllers should be left per default, ie "NT5DS" (domain hierarchy).
Create the below PDC emulator role only Group Policy to set the NTP to NTP Pool:
Group Policy: Computer Configuration->Administrat
WMI Filter: Select * from Win32_ComputerSystem where DomainRole = 5
Specify following settings in Configure Windows NTP Client policy:
The above steps have been tested and implemented as per this article: https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-directory/
Hope that helps.
Create the below PDC emulator role only Group Policy to set the NTP to NTP Pool:
Group Policy: Computer Configuration->Administrat
WMI Filter: Select * from Win32_ComputerSystem where DomainRole = 5
Configure Windows NTP Client: Enabled (policy settings are described below)
Enable Windows NTP Client: Enabled
Enable Windows NTP Server: EnabledSpecify following settings in Configure Windows NTP Client policy:
NtpServer: us.pool.ntp.org.0x1, 1.us.pool.ntp.org.0x1, 2.us.pool.ntp.org.0x1, 3.us.pool.ntp.org.0x1
Type: NTP
CrossSiteSyncFlags: 2
ResolvePeerBackoffMinutes: 15
Resolve Peer BAckoffMaxTimes: 7
SpecilalPoolInterval: 3600
EventLogFlags: 0The above steps have been tested and implemented as per this article: https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-directory/
Hope that helps.
Lee W Claimed: "All domain controllers are DCs. the DC with PDC Emulator FSMO role is the DC that all systems will favor for time sync."
Pretty sure that is incorrect. Other DCs will try to sync from the PDC emulator, however Windows client machines will use the same algorythm to select a time source as they do to figure out which DC to authenticate against. They will select a DC in the same site over a PDC emulator on a different site.
Pretty sure that is incorrect. Other DCs will try to sync from the PDC emulator, however Windows client machines will use the same algorythm to select a time source as they do to figure out which DC to authenticate against. They will select a DC in the same site over a PDC emulator on a different site.
are you in Europe? we had a 5 min time problem here, recently. it is now being corrected
As Obi-wan said, it depends on your point of view. The PDC emulator is in charge of time in the domain. All systems will favor the PDC emulator because the PDC emulator is the master time source for the systems in the domain.
A likely better explanation than the wording I offered can be found here:
https://social.technet.microsoft.com/wiki/contents/articles/50924.active-directory-time-synchronization.aspx
A likely better explanation than the wording I offered can be found here:
https://social.technet.microsoft.com/wiki/contents/articles/50924.active-directory-time-synchronization.aspx