
Wednesday, March 10, 2010

Don't VM your PDC emulator

I learnt from a mistake: virtualizing my Primary Domain Controller (PDC) emulator, which is the default master NTP clock on the Windows domain. The PDC emulator is one of the five essential FSMO roles in maintaining Microsoft Active Directory. Despite its misleading name, which dates from NT 4.0 PDC emulation, it is still used to support several AD operations, including being the default master NTP clock, password replication and DFS namespace metadata within the domain.

To find out which DC is the PDC emulator, run this on any DC: netdom query fsmo

The virtualized PDC seems to always "trust" Hyper-V time synchronization (part of the Hyper-V integration services) more than the external NTP server (a Linux box), which I had manually configured using w32tm (see this). Although the time was in sync within the domain, it was out of sync with the real world.

Frustrated, I had to set aside an R200 1U Dell server, run "dcpromo" and take over the PDC role. Finally, the clock is in sync. To sync the rest of the domain controllers running on VMs, you have to shut down the VMs, turn off the time synchronization service in the Hyper-V integration settings and boot them up one by one.

Monday, February 22, 2010

How Time Synchronization Works in Active Directory

By default, all computers in the domain sync their clocks with their authenticating domain controller. All domain controllers, in turn, sync with the PDC operations master (see diagram for overview). Hence, it is important to sync your PDC with a reliable time source.

To find out which DC is the PDC, run this command: netdom query fsmo

To configure the PDC to sync with an external NTP server, log in as a domain administrator. Enable UDP port 123 on both the inbound and outbound host firewall and execute the following commands:

w32tm /config /manualpeerlist:sg.pool.ntp.org /reliable:yes /update /syncfromflags:manual
net stop w32time && net start w32time

Here manualpeerlist specifies the list of DNS names and/or IP addresses of the NTP time sources that the PDC emulator synchronizes from. For example, you can specify time.windows.com. When specifying multiple peers, use a space as the delimiter and enclose them in quotation marks, e.g. /manualpeerlist:"ntp1.time1.com,0x8 ntp2.time2.com,0x8". Use the 0x8 flag to force W32time to send normal client requests instead of symmetric active mode packets. The NTP server replies to these normal client requests as usual.

To verify: run w32tm /query /peers and read the Event Viewer under System. Or better, create a custom event view for the log source "time service" for longer-term viewing.
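The procedure above, and the Hyper-V pitfall from the "Don't VM your PDC emulator" post, collected into one PowerShell script. This is an added example, not code from the original posts. It assumes it is run elevated on a DC with the ActiveDirectory module installed, and the peer names are placeholders to be replaced with your own NTP sources.

```powershell
# Added example (not from the original posts). Assumes: run as administrator on a
# domain controller, ActiveDirectory module present, placeholder peer names below.
#Requires -RunAsAdministrator
param(
    # Placeholder peers (replace them); ",0x8" = normal client mode, as in the post.
    [string]$PeerList = 'ntp1.example.com,0x8 ntp2.example.com,0x8'
)

Import-Module ActiveDirectory

# 1. Only the PDC emulator should point at an external source; the other DCs
#    follow the domain hierarchy. Refuse to run anywhere else.
$pdc = (Get-ADDomain).PDCEmulator
$me  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($pdc -ine $me) {
    throw "This host ($me) is not the PDC emulator ($pdc). Run this on the PDC."
}

# 2. On a Hyper-V guest the integration-service time provider overrides the NTP
#    peers (the failure described in the other post). Disable it on the PDC.
$vmic = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'
if ((Test-Path $vmic) -and ((Get-ItemProperty $vmic).Enabled -eq 1)) {
    Write-Warning 'Hyper-V VMICTimeProvider is enabled; disabling it so the NTP peers win.'
    Set-ItemProperty -Path $vmic -Name Enabled -Value 0
}

# 3. Open UDP/123 in both directions on the host firewall, idempotently.
$rules = @(
    @{ DisplayName = 'W32Time NTP Inbound';  Direction = 'Inbound';  LocalPort  = 123 },
    @{ DisplayName = 'W32Time NTP Outbound'; Direction = 'Outbound'; RemotePort = 123 }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule @r -Protocol UDP -Action Allow | Out-Null
    }
}

# 4. Point W32Time at the external peers, mark this DC reliable, restart the service.
w32tm /config /manualpeerlist:"$PeerList" /syncfromflags:manual /reliable:yes /update
net stop w32time
net start w32time
w32tm /resync /rediscover

# 5. Verify: configured peers, the source actually in use, and the last hour of
#    Time-Service events from the System log (what the custom event view would show).
w32tm /query /peers
w32tm /query /source
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Time-Service'
    StartTime    = (Get-Date).AddHours(-1)
} | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
```

The PDC check at the top is the important guard: running the same configuration on a non-PDC DC would make it a second authoritative source and split the domain's time hierarchy. If w32tm /query /source still reports "VM IC Time Synchronization Provider" after the restart, the guest is still being steered by the hypervisor, which is exactly the symptom the first post describes.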

Tuesday, December 29, 2009

Command to change Computer Time Zone

I was searching for the GPO setting to change the time zone on multiple computers and found none, not even in the Administrative Template settings that are supposed to set the system registry.

I searched the Internet and found this "hidden command" - tzutil.

tzutil /g (To know current time zone)
tzutil /l (To get a list of all available time zones)
tzutil /s time_zone_ID (To change time zone)

To set to SG time: tzutil /s "Singapore Standard Time". Deploy it in a startup script. It works on Win7 and W2K8 computers.
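A startup-script wrapper around the three tzutil commands above, added here as an example (not from the original post). It validates the requested ID against tzutil /l before changing anything and only calls tzutil /s when the zone actually differs, so the script is safe to run at every boot.

```powershell
# Added example (not from the original post): idempotent tzutil startup script.
param([string]$TargetZone = 'Singapore Standard Time')

# tzutil /l prints a display name line starting with "(UTC", then the ID line,
# then a blank line. Keep only the ID lines as the set of valid values.
$validIds = tzutil /l | Where-Object { $_ -and $_ -notmatch '^\(UTC' }
if ($validIds -notcontains $TargetZone) {
    Write-Error "Unknown time zone ID '$TargetZone'; see tzutil /l for valid IDs."
    exit 1
}

# Compare with the current zone and change only when needed.
$current = (tzutil /g).Trim()
if ($current -eq $TargetZone) {
    Write-Output "Time zone already '$TargetZone'; nothing to do."
    exit 0
}

tzutil /s $TargetZone
$after = (tzutil /g).Trim()
if ($after -ne $TargetZone) {
    Write-Error "tzutil /s failed: zone is '$after', expected '$TargetZone'."
    exit 1
}
Write-Output "Time zone changed from '$current' to '$TargetZone'."
```

Validating against tzutil /l matters because an unknown ID leaves the machine in its previous zone without a clear error, which is easy to miss when the script runs unattended at startup.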