[1] You configure the PDCe of the forest root to become the authoritative time source for your forest. There is a (fairly) strict hierarchy that is automagically maintained with the other DCs peering up to that one, DCs in child domains peering to their respective PDCe, member servers and workstations peering up to their respective DCs. "You" don't need to "point" anything to anything other than the root PDCe. I'd respectfully submit that there is something wrong in your configuration if things are that bad.
Configure the Windows Time service on the PDC emulator ( http://go.microsoft.com/fwlink/?LinkId=91969 <http://go.microsoft.com/fwlink/?LinkId=91969> ) [2]Common issues I've seen are misconfiguration, firewall/network issues and users who have the user right to set system time. Configure a client computer for automatic domain time synchronization ( http://go.microsoft.com/fwlink/?LinkId=91376 <http://go.microsoft.com/fwlink/?LinkId=91376> ) I would have agreed with your sentiment in NT and actually ran the W32port of NTP on my DCs back than but for the vast majority of the >20K machines in my main forest w23time is sufficient. It has improved with every version of windows and the documentation is an order of magnitude better than it used to be. The biggest offset among my DCs today is +0.0128225s. We do have special use cases where we employ other methods but they are definitely the exception rather than the rule where a particular client needs millisecond accuracy.. Windows Time Service Technical Reference http://technet.microsoft.com/en-us/library/cc773061(WS.10).aspx I would start at the top and get all the DCs properly synched and work your way down from there. What version of AD are you running? From: [email protected] [mailto:[email protected]] Sent: Friday, September 18, 2009 7:37 AM To: NT System Admin Issues Subject: Why is Windows Time service crap? Greetings! I have workstations and servers in my domain whose time is all over the place! Two servers I manually sync'd with a domain controller less than 24 hours ago are now once again 3 minutes behind. Workstations are up to 5 minutes one way or the other. I know this keeps coming up here, but again, please... 1. With multiple domain controllers, does one pick one of them, sync to an outside time source, then somehow point the other DCs to this DC? If so, then one puts in the name of the selected DC in the registry settings for time services? OR, does one make sure all the DCs point to the same external NTP server? 2. Why do servers and workstations drift off, time-wise? How to stop this? -- Richard D. McClary Systems Administrator, Information Technology Group ASPCA(r) 1717 S. Philo Rd, Ste 36 Urbana, IL 61802 [email protected] P: 217-337-9761 C: 217-417-1182 F: 217-337-9761 www.aspca.org <http://www.aspca.org/> The information contained in this e-mail, and any attachments hereto, is from The American Society for the Prevention of Cruelty to Animals(r) (ASPCA(r)) and is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying or use of the contents of this e-mail, and any attachments hereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify me by reply email and permanently delete the original and any copy of this e-mail and any printout thereof. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
