Sounds like you may have more than one DC advertising as reliable. Probably not
a recommended configuration :-)
I suspect you have the GTIMESERV (always reliable) flag set on the old DC and
now on the new one.
NetLogon provides two flags that are created specifically for w32time's use,
TIMESERV flag indicates that the machine is currently synchronized and can
provide time sync responses.
The GTIMESERV flag means that a machine is "special" because it is a "good"
source of time and gives it the highest criteria in the hierarchy used by a
client DC when selecting a source.
Look to see if the old DC is advertising that flag with nltest or check it's
registry.
nltest /dsgetdc:mydomain /server:mydc
/snip
Flags: PDC GC DS LDAP KDC *GTIMESERV* WRITABLE DNS_DC DNS_DOMAIN
DNS_FOREST CLOSE_SITE FULL_SECRET
They might work it out by themselves when you demote the old one by my
experience tells me there's a good chance you will have to do a /rediscover if
you don't compensate for it first.
--gory details
The source of that info is the AnnounceFlags registry key that allows an
administrator to control (or mess up) a bit of the peer selection process. This
key is a bitwise mask, with the following flags:
0x00 will cause the service to not advertise at all (via NetLogon) as a time
service. It will still respond to NTP requests (both NTP and NT5DS types), but
other peers will not be able to discover it as a time source
0x01 will cause the service to always advertise as a time server, regardless of
its own status
0x02 will cause the service to only advertise as a time source when it is
receiving reliable time from another peer, either via NTP or NT5DS
0x04 will cause the service to **always** advertise as a reliable time source.
This is actually the bit that gets set when you use the w32tm command with the
Reliable:YES option
0x08 will cause the service to automatically advertise as reliable when the DC
is a) the PDC in the root domain of the forest, and b) when it is unable to
locate a time source. The reason for this flag is to allow the root domain PDC
to self-elect as the authoritative time source for the forest, allowing all
other DCs to use it for time.
Some people do set the DC tied to the external clock to be authoritative
(reliable) and subsequently compensate for changes to PDCe role with a GPO that
automagically takes care of config changes.
It can be a religious discussion but MS has advocated its use on more than one
occasion and the traditional answer applies- "It depends"
/aside
Depending on how much "thinkering" [1] was done by your boss you may want to
check them all and either reset to default or thoroughly understand any
anomalies. I recommend the former
[1] Thinkering-
Adjustments made by the well-intentioned but not necessarily well-informed
because they *think* they know what they are doing.
Such adjustments are often made to test things and never put back to their
original state when the desired effect was not achieved.
Historically the realm of complex electro-mechanical systems but equally
applicable to computer systems.
Multiple such *adjustments* can aggregate to cause immense grief.
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Michael Leone
Sent: Thursday, June 04, 2015 6:52 AM
To: [email protected]
Subject: [spam] [dkim-failure] [NTSysADM] Domain time question
I have a parent-child domain structure (Win 2008 R2). I am in the process of
demoting and retiring DCs, as we upgrade the domain to
Win2012 R2. And my time settings seem to be kind of funky (we had some time
issues in the past, and my boss "tinkered" with the settings ..)
Here's where I am now:
Parent domain PDCe is now a Win2012 R2 DC. This DC is set to get it's time from
https://urldefense.proofpoint.com/v2/url?u=http-3A__pool.ntp.org&d=AwIBaQ&c=hLS_V_MyRCwXDjNCFvC1XhVzdhW2dOtrP9xQj43rEYI&r=TA_mjBT8bS0r8rLrnubGjA&m=qcVAnXQNXPw9JXkioN3Cw2llgAEnHzDlRysGv_hNLpQ&s=_8zf--TxhW1WESxWbMbkjvo8AG3c-qmkNwio2OC7sq8&e=
(w32tm /config /manualpeerlist: peers /syncfromflags:manual /reliable:yes
/update - where the peers are "0.us.pool.ntp.org
https://urldefense.proofpoint.com/v2/url?u=http-3A__1.us.pool.ntp.org&d=AwIBaQ&c=hLS_V_MyRCwXDjNCFvC1XhVzdhW2dOtrP9xQj43rEYI&r=TA_mjBT8bS0r8rLrnubGjA&m=qcVAnXQNXPw9JXkioN3Cw2llgAEnHzDlRysGv_hNLpQ&s=1hy1pRPoXS3XQuaWOCeK5afRhbOhWt4GVNIw1C0RwN0&e=
" etc)
So that should be OK, I think.
But: the other DCs in the parent domain - "w32tm /query /configuration" is
showing me "[Time Providers]" as "Type: NT5DS".
That's "domain hierarchy", and is the default (I believe). But here's the
problem:
w32tm /query /status is showing me a "Source" of previous PDCe. And I am about
to demote and retire that old PDCe.
So I am not sure why it is showing this (the child domain DCs show the same
"Source"). And how do I fix this? Shouldn't the source be the
(current) PDCe?
My boss thinks that he may have set a registry entry on the old PDCe that told
it to advertise itself as a "master time server". I am having a hard time
finding out what registry setting he is referring to (and if he is right about
that). Anyone have any ideas?
PG&E is committed to protecting our customers' privacy.
To learn more, please visit http://www.pge.com/about/company/privacy/customer/
