Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!
Synchronizing Time In a Domain
I have two domain servers (2016) in a virtual environment. I would like to have one server sync to an external time server. I would also like to create a group policy that would force all servers/workstations on the network to sync their time with the primary domain controller. I have read several articles, but through many complicated steps, it doesn't appear to give me what I perceive to be a simple task.
Can anyone advise on the straight forward steps needed to complete this?
Thanks,
Can anyone advise on the straight forward steps needed to complete this?
Thanks,
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Unnecessary.
Kerberos is the authentication protocol used by Active Directory. It REQUIRES time to be close or it won't authenticate you. As such, by default the PDC emulator is the authoritative time source for the time. And all machines should automatically sync with it on a regular basis (once a week by default).
You should use w32time to set the NTP source for the PDC emulator, but you don't need a group policy to enforce the time - it's built in.
Reference:
https://support.microsoft.com/en-us/help/816042/how-to-configure-an-authoritative-time-server-in-windows-server
NOTE: you said a virtual environment - MAKE SURE you are not syncing the time with the host in the properties of the VM! That will override the NTP time retrieved by the PDC emulator!
Kerberos is the authentication protocol used by Active Directory. It REQUIRES time to be close or it won't authenticate you. As such, by default the PDC emulator is the authoritative time source for the time. And all machines should automatically sync with it on a regular basis (once a week by default).
You should use w32time to set the NTP source for the PDC emulator, but you don't need a group policy to enforce the time - it's built in.
Reference:
https://support.microsoft.com/en-us/help/816042/how-to-configure-an-authoritative-time-server-in-windows-server
NOTE: you said a virtual environment - MAKE SURE you are not syncing the time with the host in the properties of the VM! That will override the NTP time retrieved by the PDC emulator!
That doesn't seem to be happening like you describe. I have workstations with different times as well as servers. When I query the time service on my workstation, it claims the source as "Free-Running System Clock"
Attached is what my DC currently returns on query.
Attached is what my DC currently returns on query.
Is your DNS set properly? On the workstations and the servers? Rather than trying to re-invent the wheel, I would start troubleshooting. Best place to start is the event logs on both the server and a problematic client. (DNS is the obvious issue, but if that's not it, go to the event logs!)
So when I googled "Free-running system clock" - I got what I cautioned you about - Disable time sync with the hardware. Reference:
https://blogs.vmware.com/apps/2016/01/completely-disable-time-synchronization-for-your-vm.html
https://blogs.vmware.com/apps/2016/01/completely-disable-time-synchronization-for-your-vm.html
Lee's comment about disabling time syncing with the host is appropriate, but his link assumes you are using VMWare. If you happen to be using Hyper-V, you would want to do the same thing, but slightly differently: https://support.microsoft.com/en-us/help/976924/you-receive-windows-time-service-event-ids-24-29-and-38-on-a-virtualiz
Basically, un-check Time Synchronization in Integration Services for the particular VM, then restart the VM.
Basically, un-check Time Synchronization in Integration Services for the particular VM, then restart the VM.
Thank you for your advice.
I disabled the Hyper-V integration and then re-ran the w32tm command on my DC.
After I ran command "w32tm /config /manualpeerlist:"0.time.wi
Thanks for the advice!
I disabled the Hyper-V integration and then re-ran the w32tm command on my DC.
After I ran command "w32tm /config /manualpeerlist:"0.time.wi
Thanks for the advice!
Premium Content
You need an Expert Office subscription to comment.Start Free Trial