Changing time on corporate/domain computers

the time is off by 4 minutes on all of the computers at my location (not sure about other branches) .  the reason I know this is that the correct time is showing on my Cisco office phone and my cell phone.  I also verified the time on the local time and temp call in number.  how do I figure out what source is providing the time on our corporate computers here?  when attempting to adjust it manually, I get the "some setting are hidden or managed by your organization" message.  obviously the time is being provided my a  NTP but not the same one as the one providing time to my Cisco phones (assuming that is coming from my call manager).
Keith SchroederIT DirectorAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

atlas_shudderedSr. Network EngineerCommented:
You're PC's most likely are picking time up from your AD servers via GPO configuration.  AD servers are syncing to whatever source they have been configured to poll.  Are you the AD admin?
0
Peter HutchisonSenior Network Systems SpecialistCommented:
Are your computers in a domain or workgroup? If a domain, then the PDC should be the main NTP source for computers in the domain, and the PDC should sync with an external NTP source.

Run either W32TM /Query /Status | /Source | /Peers
and also try NET TIME to view or set time source.
0
Keith SchroederIT DirectorAuthor Commented:
yes I am the AD and these computers are on a domain.  it looks as if from running the NET TIME command on my PC that our backup domain controller is providing the time to our computers.  will adjusting the time of that server fix the issue or will that revert back to whatever time the NTP provides to it after the change is made?
0
Newly released Acronis True Image 2019

In announcing the release of the 15th Anniversary Edition of Acronis True Image 2019, the company revealed that its artificial intelligence-based anti-ransomware technology – stopped more than 200,000 ransomware attacks on 150,000 customers last year.

Lee W, MVPTechnology and Business Process AdvisorCommented:
so far, everyone's terminology is off. there is no pdc and there is no bdc. And unless you've done something you shouldn't have, time is not controlled by Group Policy. All domain controllers are DCs. the DC with PDC Emulator FSMO role is the DC that all systems will favor for time sync. if the DC with the PDC Emulator is a VM, you might be getting an overridden time from the host hardware. check that. otherwise, check the Windows time service settings on the PDC Emulator FSMO role holder
1

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Keith SchroederIT DirectorAuthor Commented:
I went to Operations masters screen (PDC tab) in AD and it stated that my primary domain controller is the operations master server.  the Windows time service was started and set to automatic.  this is not a VM server.  I changed the time on the server itself and restarted the windows time service.  within a matter of minutes, my PC's time incrementally moved back to the correct time.  any additional steps needed before I close this ticket to ensure that the time on that server does not revert back to where it was before all of this?
0
Lee W, MVPTechnology and Business Process AdvisorCommented:
Make sure you configure the Windows Time Service to sync with an internet NTP server on the DC with the PDC Emulator role.
1
Senior IT System EngineerIT ProfessionalCommented:
Only the Root Domain Controller of the Forest Root Domain should have W32TM configured as "NTP". All other member servers and domain controllers should be left per default, ie "NT5DS" (domain hierarchy).

Create the below PDC emulator role only Group Policy to set the NTP to NTP Pool:

Group Policy: Computer Configuration->Administrative Templates->System->Windows Time Service->Time Providers

WMI Filter: Select * from Win32_ComputerSystem where DomainRole = 5

Configure Windows NTP Client: Enabled (policy settings are described below)
Enable Windows NTP Client: Enabled
Enable Windows NTP Server: Enabled

Open in new window



Specify following settings in Configure Windows NTP Client policy:

NtpServer: us.pool.ntp.org.0x1, 1.us.pool.ntp.org.0x1, 2.us.pool.ntp.org.0x1, 3.us.pool.ntp.org.0x1
Type: NTP
CrossSiteSyncFlags: 2
ResolvePeerBackoffMinutes: 15
Resolve Peer BAckoffMaxTimes: 7
SpecilalPoolInterval: 3600
EventLogFlags: 0

Open in new window



The above steps have been tested and implemented as per this article: https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-directory/

Hope that helps.
0
Mal OsborneAlpha GeekCommented:
Lee W Claimed: "All domain controllers are DCs. the DC with PDC Emulator FSMO role is the DC that all systems will favor for time sync."

Pretty sure that is incorrect. Other DCs will try to sync from the PDC emulator, however Windows client machines will use the same algorythm to select a time source as they do to figure out which DC to authenticate against. They will select a DC in the same site over a PDC emulator on a different site.
1
nobusCommented:
are you in Europe?  we had a 5 min time problem here, recently. it is now being corrected
0
Lee W, MVPTechnology and Business Process AdvisorCommented:
As Obi-wan said, it depends on your point of view.  The PDC emulator is in charge of time in the domain.  All systems will favor the PDC emulator because the PDC emulator is the master time source for the systems in the domain.

A likely better explanation than the wording I offered can be found here:
https://social.technet.microsoft.com/wiki/contents/articles/50924.active-directory-time-synchronization.aspx
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 10

From novice to tech pro — start learning today.