Changing time on corporate/domain computers

the time is off by 4 minutes on all of the computers at my location (not sure about other branches) .  the reason I know this is that the correct time is showing on my Cisco office phone and my cell phone.  I also verified the time on the local time and temp call in number.  how do I figure out what source is providing the time on our corporate computers here?  when attempting to adjust it manually, I get the "some setting are hidden or managed by your organization" message.  obviously the time is being provided my a  NTP but not the same one as the one providing time to my Cisco phones (assuming that is coming from my call manager).
Keith SchroederIT DirectorAsked:
Who is Participating?
 
Lee W, MVPConnect With a Mentor Technology and Business Process AdvisorCommented:
so far, everyone's terminology is off. there is no pdc and there is no bdc. And unless you've done something you shouldn't have, time is not controlled by Group Policy. All domain controllers are DCs. the DC with PDC Emulator FSMO role is the DC that all systems will favor for time sync. if the DC with the PDC Emulator is a VM, you might be getting an overridden time from the host hardware. check that. otherwise, check the Windows time service settings on the PDC Emulator FSMO role holder
1
 
atlas_shudderedSr. Network EngineerCommented:
You're PC's most likely are picking time up from your AD servers via GPO configuration.  AD servers are syncing to whatever source they have been configured to poll.  Are you the AD admin?
0
 
Peter HutchisonSenior Network Systems SpecialistCommented:
Are your computers in a domain or workgroup? If a domain, then the PDC should be the main NTP source for computers in the domain, and the PDC should sync with an external NTP source.

Run either W32TM /Query /Status | /Source | /Peers
and also try NET TIME to view or set time source.
0
Get Cisco Certified in IT Security

There’s a high demand for IT security experts and network administrators who can safeguard the data that individuals, corporations, and governments rely on every day. Pursue your B.S. in Network Operations and Security and gain the credentials you need for this high-growth field.

 
Keith SchroederIT DirectorAuthor Commented:
yes I am the AD and these computers are on a domain.  it looks as if from running the NET TIME command on my PC that our backup domain controller is providing the time to our computers.  will adjusting the time of that server fix the issue or will that revert back to whatever time the NTP provides to it after the change is made?
0
 
Keith SchroederIT DirectorAuthor Commented:
I went to Operations masters screen (PDC tab) in AD and it stated that my primary domain controller is the operations master server.  the Windows time service was started and set to automatic.  this is not a VM server.  I changed the time on the server itself and restarted the windows time service.  within a matter of minutes, my PC's time incrementally moved back to the correct time.  any additional steps needed before I close this ticket to ensure that the time on that server does not revert back to where it was before all of this?
0
 
Lee W, MVPTechnology and Business Process AdvisorCommented:
Make sure you configure the Windows Time Service to sync with an internet NTP server on the DC with the PDC Emulator role.
1
 
Senior IT System EngineerIT ProfessionalCommented:
Only the Root Domain Controller of the Forest Root Domain should have W32TM configured as "NTP". All other member servers and domain controllers should be left per default, ie "NT5DS" (domain hierarchy).

Create the below PDC emulator role only Group Policy to set the NTP to NTP Pool:

Group Policy: Computer Configuration->Administrative Templates->System->Windows Time Service->Time Providers

WMI Filter: Select * from Win32_ComputerSystem where DomainRole = 5

Configure Windows NTP Client: Enabled (policy settings are described below)
Enable Windows NTP Client: Enabled
Enable Windows NTP Server: Enabled

Open in new window



Specify following settings in Configure Windows NTP Client policy:

NtpServer: us.pool.ntp.org.0x1, 1.us.pool.ntp.org.0x1, 2.us.pool.ntp.org.0x1, 3.us.pool.ntp.org.0x1
Type: NTP
CrossSiteSyncFlags: 2
ResolvePeerBackoffMinutes: 15
Resolve Peer BAckoffMaxTimes: 7
SpecilalPoolInterval: 3600
EventLogFlags: 0

Open in new window



The above steps have been tested and implemented as per this article: https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-directory/

Hope that helps.
0
 
Mal OsborneAlpha GeekCommented:
Lee W Claimed: "All domain controllers are DCs. the DC with PDC Emulator FSMO role is the DC that all systems will favor for time sync."

Pretty sure that is incorrect. Other DCs will try to sync from the PDC emulator, however Windows client machines will use the same algorythm to select a time source as they do to figure out which DC to authenticate against. They will select a DC in the same site over a PDC emulator on a different site.
1
 
nobusCommented:
are you in Europe?  we had a 5 min time problem here, recently. it is now being corrected
0
 
Lee W, MVPTechnology and Business Process AdvisorCommented:
As Obi-wan said, it depends on your point of view.  The PDC emulator is in charge of time in the domain.  All systems will favor the PDC emulator because the PDC emulator is the master time source for the systems in the domain.

A likely better explanation than the wording I offered can be found here:
https://social.technet.microsoft.com/wiki/contents/articles/50924.active-directory-time-synchronization.aspx
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.