Really...
How far off are you seeing the clocks? I understand the
requirements for tight timing for financials, the large company I did the work
with had a financial division (actually that is the division that makes all
of the money for the whole company) but the time was also just as important for
the manufacturing, etc. for distributed apps. It has been about 7 years since I
worked in the financial division of that company but I recall the really
important apps actually maintained their own time within the app logs/timestamps
based off of the application server and the clients were constantly multiple
times a minute pinging that app server for time updates so that all systems
running the app were all stamped to the same ms. That didn't have any impact on
the underlying time of the local machines though. It was entirely to get around
any hacking of local machines or vagaries of hardware.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, March 15, 2006 11:51 AM
To: [email protected]
Subject: RE: [ActiveDir] Configuring PDC Emulator for time source
You picked the word 'burden' and ran with it :)
I agree that the default should work for most but financial
institutions often have requirements for time sync which the default hierarchy
struggles to attain.
neil
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 15 March 2006 16:29
To: [email protected]
Subject: RE: [ActiveDir] Configuring PDC Emulator for time source
The time stuff really isn't a terrible burden, a
single Exchange server at idle beats a DC more than time syncing. Probably
the hardest hit DCs would be the local DCs as all of the clients authenticating
against them are also hitting them for time and the auth is far more burdensome
than the time sync is.
One of the larger orgs I was in (~250k users, ~400 DCs) the original dictate was that
all machines would use the Cisco routers for the time because they were the
"official" time source of the company and were all supposed to be correct all of
the time for various network purposes. We found this to be incorrect and
troublesome, time could deviate from seconds to minutes and in one case a router
was misconfigured and off by exactly 24 hours somehow. Obviously this
isn't an issue everyone will have but it is a possible issue because you are
taking maintenance of the time out of your own hands.
After switching to using the internal Windows forest hierarchy time became a
non-issue. Skew was measured in seconds at the most unless there was a hardware
problem which means no time source could help. I have an app I wrote back
in about 2000 or so called ADTD which did a simple check of time deltas between
DCs via rootDSE queries and would send the delta in seconds
to errorlevel (also to the screen if you wanted) so it could easily be used
in batch files and scripts. I had a script that used it and watched all of the
DCs and I believe it warned on anything outside of 3 seconds deviation from the
forest root PDC. Running that as a test is when I finally decided once and for
all we weren't going to follow the corporate time policy anymore and instead
sync everything eventually back to the forest root PDC.
All that to say that I much prefer to use the Windows forest time hierarchy than
work up something else, I have had no issues with it in the Org above as well as
when working with other smaller companies (but still Fortune 50 sized).
To the OP: I recommend you pick a source you trust, be it routers in your corporate
datacenter or an external "national" clock or a hardware device or even some PC
you hand check the time on yourself every day and ANY machines that can become
the forest root PDC get the same hard configuration to point at that or those
clocks.
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
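The check joe describes for ADTD above (time deltas between DCs read from rootDSE, warning past 3 seconds from the forest root PDC), sketched as an added example; it is not ADTD's code and not part of the thread. It assumes each DC's rootDSE `currentTime` has already been collected together with the observer's send and receive timestamps, and the host names and sample values are constructed. Because the DCs are queried one after another and `currentTime` has one-second resolution, it carries an error bound instead of comparing the raw values.

```python
from datetime import datetime, timezone

WARN_SECONDS = 3.0  # deviation from the forest root PDC that triggers a warning

def parse_current_time(value):
    """rootDSE currentTime as AD returns it, e.g. 20060315162900.0Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)

def offset_from_observer(sample):
    """Return (DC clock minus observer clock, error bound), both in seconds.

    currentTime is truncated to whole seconds, so the DC's real time is in
    [t, t+1): use t+0.5 and carry 0.5s plus half the round trip as the bound.
    """
    dc = parse_current_time(sample["currentTime"]).timestamp() + 0.5
    midpoint = (sample["sent"] + sample["received"]) / 2
    return dc - midpoint, 0.5 + (sample["received"] - sample["sent"]) / 2

def check_skew(samples, pdc, warn=WARN_SECONDS):
    """Map each non-PDC DC to (delta vs PDC, error bound, status)."""
    pdc_off, pdc_err = offset_from_observer(samples[pdc])
    report = {}
    for name, sample in samples.items():
        if name == pdc:
            continue
        off, err = offset_from_observer(sample)
        delta, bound = off - pdc_off, err + pdc_err
        if abs(delta) - bound > warn:
            status = "WARN"        # out of tolerance even in the best case
        elif abs(delta) + bound > warn:
            status = "UNCERTAIN"   # threshold falls inside the error bound
        else:
            status = "OK"
        report[name] = (round(delta, 3), round(bound, 3), status)
    return report

# Constructed samples. sent/received are the observer's clock (epoch seconds)
# around each query; the DCs are queried one after another, not simultaneously.
T0 = datetime(2006, 3, 15, 16, 29, 0, tzinfo=timezone.utc).timestamp()
SAMPLES = {
    "root-pdc": {"currentTime": "20060315162900.0Z", "sent": T0 + 0.10, "received": T0 + 0.14},
    "dc-a": {"currentTime": "20060315162901.0Z", "sent": T0 + 1.20, "received": T0 + 1.26},
    "dc-b": {"currentTime": "20060315162909.0Z", "sent": T0 + 2.30, "received": T0 + 2.40},
    "dc-c": {"currentTime": "20060315162906.0Z", "sent": T0 + 3.00, "received": T0 + 3.60},
}

if __name__ == "__main__":
    for dc, (delta, bound, status) in check_skew(SAMPLES, "root-pdc").items():
        print(f"{dc}: {delta:+.2f}s (+/-{bound:.2f}s) {status}")
```

In the sample, dc-a reads one second later than the PDC only because it was queried a second later, and dc-c, reached over a slow link, lands close enough to the threshold that the result is reported as uncertain.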
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, March 15, 2006 5:11 AM
To: [email protected]
Subject: RE: [ActiveDir] Configuring PDC Emulator for time source
FWIW: I prefer to synch *all* DCs in the forest with an
auth time source. This implies less burden and less dependency on the (root
domain) PDC. I work at larger orgs who have internal auth time sources, which
are synced from external auth time sources.
In a financial institution, this should also mean less time
skew for the clients, since the time hierarchy is flatter than it would be in
the default scenario.
neil
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
Sent: 15 March 2006 10:03
To: [email protected]
Subject: [ActiveDir] Configuring PDC Emulator for time source
Hi,
I have been looking into configuring with Windows Time Source on our PDCe
http://technet2.microsoft.com/WindowsServer/en/Library/f1d8b85d-2b4f-4acd-8c2e-259167b95e481033.mspx
How does everyone else configure their corporate environment? Do you use
hardware time clocks? Are there any security risks with the link provided
above?
What would the impact be if our PDCe is not already configured?
thanks
James Carter
PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended recipient
of this email please notify the sender immediately and delete your copy from
your system. You must not copy, distribute or take any further action in
reliance on it. Email is not a secure method of communication and Nomura
International plc ('NIplc') will not, to the extent permitted by law, accept
responsibility or liability for (a) the accuracy or completeness of, or (b) the
presence of any virus, worm or similar malicious or disabling code in, this
message or any attachment(s) to it. If verification of this email is sought then
please request a hard copy. Unless otherwise stated this email: (1) is not, and
should not be treated or relied upon as, investment research; (2) contains views
or opinions that are solely those of the author and do not necessarily represent
those of NIplc; (3) is intended for informational purposes only and is not a
recommendation, solicitation or offer to buy or sell securities or related
financial instruments. NIplc does not provide investment services to private
customers. Authorised and regulated by the Financial Services Authority.
Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St
Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
