Monday, February 22, 2010

How Time Synchronization Works in Active Directory


By default, all computers in the domain would sync their clock with their authenticating domain controllers. All domain controllers would, in turn, sync with the PDC operation master (See diagram for overview). Hence, it is important to sync your PDC with a reliable time source. To find out which DC is the PDC, run this command "netdom query fsmo".

To configure the PDC to sync with an external NTP server, log in domain administrator mode. Enable UDP port 123 on both inbound and outbound host firewall and execute the following command:

w32tm /config /manualpeerlist: peers /syncfromflags:manual /reliable:yes /update

net stop w32time && net start w32time

where peers specifies the list of DNS names and/or IP addresses of the NTP time source that the PDC emulator synchronizes from. For example, you can specify time.windows.com. When specifying multiple peers, use a space as the delimiter and enclose them in quotation marks e.g. /manualpeerlist:"ntp1.time1.com,0x8 ntp2.time2.com,0x8". Use the 0x8 flag to force W32time to send normal client requests instead of symmetric active mode packets. The NTP server replies to these normal client requests as usual.

To verify: w32tm /query /peers and read the event viewer under system. Or better, create a custom event view from log source "time service" for longer term viewing.

No comments:

Post a Comment