Time synchronization in Active Directory – PDC configuration

Blog entry under construction

Clock synchronization hierarchy in Active Directory:

Local Workstation > Domain Controller > Child Domain PDC > Forest Root PDC

Member computers take time from a domain controller in their own domain, domain controllers take time from the PDC emulator of their domain, and the PDC emulator of a child domain takes time from a domain controller in the parent domain. The chain ends at the forest root PDC emulator, which is the authoritative time source for the whole forest.
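As an added example (not part of the original post), the following PowerShell script walks that hierarchy and reports the time source every domain controller in the forest is actually using, so you can spot a PDC that has no upstream source before it drifts. It assumes the ActiveDirectory RSAT module is installed and that you can reach each DC over RPC for w32tm; the "Local CMOS Clock" string is what w32tm /query /source prints when the reference ID is LOCL.

```powershell
# Added example, not code from the original post.
# Lists every DC in the forest with its role in the time hierarchy and its current
# time source. Requires the ActiveDirectory module (RSAT) and rights to query W32Time
# remotely on each DC.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootPdc = (Get-ADDomain -Identity $forest.RootDomain).PDCEmulator

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    foreach ($dc in Get-ADDomainController -Filter * -Server $domainName) {
        # /query /source returns the peer name, or "Local CMOS Clock" when RefID is LOCL
        $source = (w32tm /query /source /computer:$($dc.HostName) 2>&1) -join ' '

        $role = if ($dc.HostName -eq $rootPdc)            { 'forest root PDC' }
                elseif ($dc.HostName -eq $domain.PDCEmulator) { 'child domain PDC' }
                else                                          { 'DC' }

        # A free-running forest root PDC is expected to be fixed; a free-running
        # non-root DC means the domain hierarchy itself is broken.
        $flag = if ($source -match 'Local CMOS Clock') { ' <-- free-running (LOCL)' } else { '' }

        '{0,-40} {1,-17} {2}{3}' -f $dc.HostName, $role, $source, $flag
    }
}
```

Run it from any domain-joined admin workstation. Any line flagged as free-running other than the forest root PDC points at a DC that cannot reach its PDC on UDP 123 or has been configured with a manual peer list of its own.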

Screenshot from my lab:

w32tm /monitor

[Screenshot: output of w32tm /monitor on a domain controller (w32tm_monitor_local)]

We can see that the DC2-2008 domain controller synchronizes with the PDC emulator as it should.

The problem is that in a default installation the forest root PDC synchronizes the clock with itself: w32tm /monitor shows RefID ‘LOCL’ (the local CMOS clock). Nothing in the forest corrects the drift of that one hardware clock, and once the difference between a client and a DC exceeds the Kerberos tolerance (five minutes by default) authentication starts to fail.

The solution is to sync the forest root PDC with one or more NTP servers.

Option 1 – sync directly with an internet time server

Option 2 – sync with a dedicated time server on your internal network (Microsoft's guidance notes that internet NTP sources are unauthenticated and that the PDC then needs an outbound path to the internet, so an internal source is preferred)

For the purpose of this article we’ll use a self built Linux NTP server. To create your own :

https://sysadminemporium.wordpress.com/2012/12/03/installing-and-configuring-a-linux-ntp-server/

———————————

Configuring the root PDC emulator

Add an inbound firewall exception to the PDC server for UDP 123, so that the other domain controllers can query it for time.

Windows Firewall with Advanced Security > Inbound Rules > New Rule > Port

[Screenshot: inbound rule allowing UDP 123 (firewall_udp123)]

Configure the PDC to switch to NTP updates:

w32tm /config /syncfromflags:manual /manualpeerlist:"NTPserver1 NTPserver2" /reliable:yes /update

[Screenshot: w32tm /config output (set_ntp_source)]

Note. The manual peer list can contain several servers (local or internet) for time synchronization. Separate server names with spaces and quote the whole list. Each entry may carry a flag suffix, e.g. NTPserver1,0x8 (0x8 = client mode, 0x1 = use the SpecialPollInterval instead of the NTP poll interval). /reliable:yes marks this DC as a reliable time source so the other DCs will keep using it.

Initiate a resync

w32tm /resync

Final result should look like this:

[Screenshot: w32tm /monitor after the change (w32tm_monitor_ntp)]

Notice the difference with the first picture! The RefID now shows the NTP server used for sync instead of LOCL. The same thing can be checked with w32tm /query /source (which must no longer print "Local CMOS Clock") and w32tm /query /status.
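The whole procedure above (firewall rule, peer list, resync, verification) as one PowerShell script. This is an added example, not a script from the original post; the two NTP host names are placeholders and must be replaced with your own servers, and the script must be run elevated on the forest root PDC emulator.

```powershell
# Added example, not code from the original post. Run elevated on the forest root PDC.
# Placeholders: replace with your internal NTP servers (or internet servers for option 1).
$ntpServers = 'ntp1.corp.example', 'ntp2.corp.example'

# 1. Inbound UDP 123 so the other domain controllers can take time from this PDC.
#    (Replies from the upstream NTP servers come back through the stateful outbound rule.)
netsh advfirewall firewall add rule name="NTP Server UDP-In" dir=in action=allow protocol=UDP localport=123 | Out-Null

# 2. Switch the PDC from LOCL to the manual peer list. ",0x8" = client mode, which
#    is what you want against a plain NTP server (no symmetric-active exchange).
$peerList = ($ntpServers | ForEach-Object { "$_,0x8" }) -join ' '
w32tm /config /syncfromflags:manual /manualpeerlist:"$peerList" /reliable:yes /update
if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed with exit code $LASTEXITCODE" }

# 3. Restart the service so the new Type/NtpServer values are picked up, then force a sync.
Restart-Service W32Time
w32tm /resync /rediscover
if ($LASTEXITCODE -ne 0) {
    Write-Warning "resync failed (exit $LASTEXITCODE): check UDP 123 to $($ntpServers -join ', ')"
}

# 4. Verify: the source must be one of our peers, never the local CMOS clock.
$source = (w32tm /query /source) -join ''
w32tm /query /status            # shows Stratum, Last Successful Sync Time and ReferenceId
if ($source -match 'Local CMOS Clock') {
    throw "PDC is still free-running (source: $source)"
}
"PDC now synchronizes from: $source"
```

The throw at the end is deliberate: if the peers are unreachable, W32Time silently keeps using the local clock, so a script that only runs the config commands would report success while nothing has changed.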

————————–

PS: Registry modifications and fine tuning

The commands above modify these registry values:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time
Parameters\Type=NTP
Parameters\NtpServer="name of the NTP server(s)"
Config\AnnounceFlags=5
TimeProviders\NtpServer\Enabled=1

(Type=NTP means "use the manual peer list" instead of NT5DS, the domain hierarchy; AnnounceFlags=5 is what /reliable:yes sets; NtpServer\Enabled=1 lets the PDC answer NTP requests from the other DCs.)

You can also do a lot of fine tuning in the registry. For example

Config\MaxPosPhaseCorrection=172800
Config\MaxNegPhaseCorrection=172800

Changing their values will alter the maximum allowable clock correction. The unit is seconds (172800 = 48 hours, the default on domain controllers). Do not set them to 0xFFFFFFFF, which disables the check and lets a faulty or rogue time source move the clock by any amount.
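As an added example (not from the original post), this PowerShell script reads back the registry values listed above on the PDC and compares them with what a correctly configured NTP-synced PDC should have; the phase-correction values are reported in hours and flagged when they are set to the unlimited value. Run it on the PDC; it changes nothing unless -Tune is given. The expected values are the ones from this post; the script itself is my own.

```powershell
# Added example, not code from the original post. Audits the W32Time registry values on
# this machine and optionally resets the phase-correction limits to the 48 h default.
param([switch]$Tune)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# Values a PDC that syncs from a manual NTP peer list is expected to carry.
$expected = @{
    'Parameters\Type'                 = 'NTP'   # manual peer list, not NT5DS hierarchy
    'Config\AnnounceFlags'            = 5       # 0x1 time server + 0x4 reliable (from /reliable:yes)
    'TimeProviders\NtpServer\Enabled' = 1       # answer NTP requests from the other DCs
}

foreach ($entry in $expected.GetEnumerator()) {
    $key, $name = $entry.Key -split '\\(?=[^\\]+$)'        # split at the last backslash
    $actual = (Get-ItemProperty -Path "$base\$key" -Name $name -ErrorAction Stop).$name
    $state  = if ("$actual" -eq "$($entry.Value)") { 'OK ' } else { 'BAD' }
    '{0} {1,-34} = {2,-6} (expected {3})' -f $state, $entry.Key, $actual, $entry.Value
}

$peers = (Get-ItemProperty -Path "$base\Parameters" -Name NtpServer).NtpServer
'    Parameters\NtpServer               = {0}' -f $peers

# Phase-correction limits are in seconds. 172800 = 48 h (DC default). 0xFFFFFFFF means
# "accept any correction", which lets a bad source jump the clock and break Kerberos
# for the whole forest. PowerShell reads the DWORD as Int32, so 0xFFFFFFFF shows as -1.
foreach ($name in 'MaxPosPhaseCorrection', 'MaxNegPhaseCorrection') {
    $v   = (Get-ItemProperty -Path "$base\Config" -Name $name).$name
    $tag = if ($v -eq -1 -or $v -eq 4294967295) { ' <-- unlimited, unsafe' } else { '' }
    '    Config\{0,-24} = {1} s ({2:N1} h){3}' -f $name, $v, ($v / 3600), $tag
    if ($Tune) {
        Set-ItemProperty -Path "$base\Config" -Name $name -Value 172800 -Type DWord
    }
}
if ($Tune) { Restart-Service W32Time }
```

Any "BAD" line means the w32tm /config step did not take effect (typically because the W32Time service was not restarted afterwards, or because a Group Policy for Windows Time is overriding the local values).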

For more details please visit:
http://blogs.msdn.com/b/w32time/archive/2009/02/02/group-policy-settings-explained.aspx
