And we poke a hole in the firewall for the time service ... UDP port 123
Almeida Pinto, Jorge de wrote:
well, yes.... but it is not needed for the time service....
By default the time sync within a forest/domain is automatically configured as
it should be...
Each client and server syncs time with the authenticating DC
Each DC syncs time with the PDC in the same domain or with parent DCs (from a
parent domain)
The PDC syncs time with parent DCs (from a parent domain)
The PDC in the forest root domain is the only DC you need to configure for time
sync and for that several possibilities exist:
External/Internal Time Source
Internal hardware clock
Jorge
________________________________
From: [EMAIL PROTECTED] on behalf of Douglas M. Long
Sent: Wed 2005-12-28 19:18
To: [email protected]
Subject: RE: [ActiveDir] Time Service
Isn't it best practice to set the entire domain time policy at the domain level (Default Domain Policy) instead of trying to set every machine or every OU separately?
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, December 28, 2005 12:56 PM
To: [email protected]
Subject: RE: [ActiveDir] Time Service
why are you using the GPO to configure the time service on the PDC? Why not
just configure the PDC with the commands and info provided?
Jorge
________________________________
From: [EMAIL PROTECTED] on behalf of Douglas M. Long
Sent: Wed 2005-12-28 18:42
To: [email protected]
Subject: RE: [ActiveDir] Time Service
OK, so then I am still not synching with an external time source. I have
followed the steps, and still I get the same thing. I cannot figure out what
is causing it to not use the server I specify. I am guessing it has something
to do with some group policy setting? Do I need to block inheritance on the
default domain controller GPO and have different settings?
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, December 28, 2005 12:03 PM
To: [email protected]
Subject: RE: [ActiveDir] Time Service
To keep things simple, doing
net time /setsntp:pool.ntp.org
then
net stop w32time & net start w32time
and
net time /querysntp
(ALL at the PDC-E) should give acceptable results. If it doesn't, then something
at the firewall may be blocking 123
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, December 28, 2005 8:49 AM
To: [email protected]
Subject: RE: [ActiveDir] Time Service
w32tm /monitor
dc1.domain.com *** PDC *** [10.100.110.12]:
ICMP: 0ms delay.
NTP: +0.0000000s offset from dc1.domain.com
RefID: 'LOCL' [76.79.67.76] <<<<<<<< THIS IS THE TIME SERVER THE PDC IS POINTING TO
A PDC that is not configured with an external time source (default after install):
C:\>w32tm /monitor
rootdc001.ADCORP.LAN *** PDC *** [10.0.0.1]:
ICMP: 0ms delay.
NTP: +0.0000000s offset from rootdc001.ADCORP.LAN
RefID: 'LOCL' [76.79.67.76]
A PDC that is configured with an external time source
C:\>w32tm /monitor
PDC.DOMAIN.LOCAL *** PDC *** [172.16.1.1]:
ICMP: 0ms delay.
NTP: +0.0000000s offset from PDC.DOMAIN.LOCAL
RefID: (unknown) [internet IP]
A PDC that is configured to sync with its own internal clock
C:\>w32tm /monitor
rootdc001.ADCORP.LAN *** PDC *** [10.0.0.1]:
ICMP: 0ms delay.
NTP: +0.0000000s offset from rootdc001.ADCORP.LAN
RefID: 'LOCL' [76.79.67.76]
In addition to what Ulf said:
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/20/111.aspx
Cheers,
Jorge
________________________________
From: [EMAIL PROTECTED] on behalf of Douglas M. Long
Sent: Wed 2005-12-28 16:30
To: [email protected]
Subject: RE: [ActiveDir] Time Service
I have run w32tm /config /update /syncfromflags:MANUAL /manualpeerlist:"navobs1.oar.net"
and also verified HKLM\System\CCS\Services\w32time\Parameters
Type=NTP is set. I stopped and started w32time, and still the PDC-E points to
itself. Or at least that is what I think it is saying. Isn't LOCL in the
following telling me that it is looking at itself instead of an external time
source?
w32tm /monitor
dc1.domain.com *** PDC *** [10.100.110.12]:
ICMP: 0ms delay.
NTP: +0.0000000s offset from dc1.domain.com
RefID: 'LOCL' [76.79.67.76]
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Wednesday, December 28, 2005 9:58 AM
To: [email protected]
Subject: RE: [ActiveDir] Time Service
Hi Douglas,
To configure domain members and DCs to use the default behavior, either
Run w32tm /config /update /syncfromflags:DOMHIER
Or check the following registry key
HKLM\System\CCS\Services\w32time\Parameters
Type=NT5DS
To configure a server to use a NTP-Timesource (what you want to do on the PDC-E
of the forest root):
Run w32tm /config /update /syncfromflags:MANUAL /manualpeerlist:"fqdn1 fqdn2 ip1"
Or check the following registry keys
HKLM\System\CCS\Services\w32time\Parameters
Type=NTP
NTPServer="fqdn1 fqdn2 ip1"
To configure a server to trust its BIOS clock (test environment), or one that
gets its time from third-party software or hardware attached locally, check the
following registry keys:
HKLM\System\CCS\Services\w32time\Parameters
Type=NoSync
ReliableTimeSource = 1 (reg_dword)
Afterwards I'd restart w32time using
net stop w32time && net start w32time
Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
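An added check, not code from the thread or from any of its posters, that ties together Jorge's description of the sync hierarchy and Ulf's registry keys: it reads the W32Time Type/NtpServer values and parses w32tm /monitor output to flag a PDC whose RefID is 'LOCL', i.e. one that is still its own reference. The expanded CurrentControlSet registry path, the function names and the sample monitor lines are assumptions/constructed.

```powershell
# Added example, not from the thread: audit a DC's W32Time source and flag a PDC emulator
# that is still its own reference (RefID 'LOCL'), the symptom discussed in this thread.
# Assumes it runs in PowerShell on the DC; the thread's 'HKLM\System\CCS\...' shorthand is
# expanded here to the full CurrentControlSet path.
$W32TimeParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function Get-W32TimeConfig {
    # Type is NT5DS (domain hierarchy), NTP (manual peer list) or NoSync; NtpServer lists the peers
    $p = Get-ItemProperty -Path $W32TimeParams
    [pscustomobject]@{ Type = $p.Type; NtpServer = $p.NtpServer }
}

function Test-PdcTimeSource {
    # Walks 'w32tm /monitor' output and reports what the PDC's RefID points at
    param([string[]]$MonitorOutput)
    $pdc = $null
    foreach ($line in $MonitorOutput) {
        if ($line -match '^(\S+)\s+\*\*\* PDC \*\*\*') { $pdc = $Matches[1]; continue }
        if ($pdc -and $line -match 'RefID:\s*(\S+)') {
            $refId = $Matches[1].Trim("'")
            return [pscustomobject]@{
                Pdc        = $pdc
                RefId      = $refId
                SelfSynced = ($refId -eq 'LOCL')   # LOCL = local clock, no upstream source
            }
        }
    }
    return $null
}

# Constructed sample (same shape as the output quoted in the thread) so the parser runs offline
$sampleMonitor = @(
    'dc1.domain.com *** PDC *** [10.100.110.12]:',
    '    ICMP: 0ms delay.',
    '    NTP: +0.0000000s offset from dc1.domain.com',
    "    RefID: 'LOCL' [76.79.67.76]",
    'dc2.domain.com [10.100.110.13]:',
    '    ICMP: 0ms delay.',
    '    NTP: +0.0226641s offset from dc1.domain.com',
    '    RefID: dc1.domain.com [10.100.110.12]'
)
$result = Test-PdcTimeSource -MonitorOutput $sampleMonitor
if ($result.SelfSynced) { Write-Warning "$($result.Pdc) is the PDC but syncs to its own clock (RefID LOCL)." }

# Live check on a real DC: pair the registry view with the monitor output
$cfg = Get-W32TimeConfig
if ($cfg.Type -eq 'NT5DS') { Write-Warning "Type=NT5DS on a forest-root PDC leaves it no upstream peer; expect Type=NTP plus NtpServer there." }
Test-PdcTimeSource -MonitorOutput (& w32tm /monitor)
```

On the sample above the function returns SelfSynced = $true for dc1.domain.com, which is exactly the state Douglas reports; after the PDC is pointed at an external peer the RefID line changes and the warning disappears.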
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, December 28, 2005 3:09 PM
To: [email protected]
Subject: [ActiveDir] Time Service
I have read the Time Service white paper from Microsoft and am still confused.
I have set the default domain GPO to use NT5DS under Configure Windows NTP
Client, and set an external time server (navobs1.oar.net,0x1) for NTPServer. I
have also set Enable Windows NTP Server to enabled. There are no other time
related GPOs set in the domain. I was under the assumption that with that
setting my PDC emulator (DC1) should be synching with navobs1.oar.net,0x1 and
the other DC synchs with the PDC emulator, and then all clients synch to the
closest DC. When I run a w32tm /monitor from either DC or from any clients,
I get the following.
dc1.domain.com *** PDC *** [10.100.110.12]:
ICMP: 0ms delay.
NTP: +0.0000000s offset from dc1.domain.com
RefID: 'LOCL' [76.79.67.76]
dc2.domain.com [10.100.110.13]:
ICMP: 0ms delay.
NTP: +0.0226641s offset from dc1.domain.com
RefID: dc1.domain.com [10.100.110.12]
When I run it from a client:
dc1.domain.com *** PDC *** [10.100.110.12]:
ICMP: 0ms delay.
NTP: +0.0000000s offset from dc1.domain.com
RefID: 'LOCL' [76.79.67.76]
dc2.domain.com [10.100.110.13]:
ICMP: 8ms delay.
NTP: +0.0342476s offset from dc1.domain.com
RefID: dc1.domain.com [10.100.110.12]
What I am seeing is that everything is working except DC1 is not synching with
an external time server. Is that correct, or am I reading that wrong? If it
isn't synching with an external time source, what setting am I missing?
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com