Incorrect Time Source on DCs Server 2008 Domain

time-synchronization windows-server-2008

So we had a user complain about the clocks being a minute out on her desktop and how she always misses her train as a result. Despite my incredulous reaction to such a thing, it did prompt me to investigate the time sync in our domain, and it has highlighted a lack of understanding on my part, I think.

At present the results of my "w32tm /monitor" command produces this:

C:\Users\TAlexander>w32tm /monitor
NCCDC1.xxxxxx.xx.xx[10.168.50.32:123]:
    ICMP: 0ms delay
    NTP: +2.4042293s offset from RHDC1.xxxxxx.xx.xx
        RefID: firewall.xxxxxx.xx.xx [10.168.xxx.xxx]
        Stratum: 4
NCCDC3.xxxxxx.xx.xx[10.168.50.36:123]:
    ICMP: 0ms delay
    NTP: +2.4122098s offset from RHDC1.xxxxxx.xx.xx
        RefID: firewall.xxxxxx.xx.xx [10.168.xxx.xxx]
        Stratum: 4
NCCDC.xxxxxx.xx.xx[[fe80::d1e0:8675:36c1:acba%14]:123]:
    ICMP: 0ms delay
    NTP: -0.0916479s offset from RHDC1.xxxxxx.xx.xx
        RefID: RHDC1.xxxxxx.xx.xx [10.168.50.35]
        Stratum: 2
RHDC1.xxxxxx.xx.xx *** PDC ***[10.168.50.35:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from RHDC1.xxxxxx.xx.xx
        RefID: 'LOCL' [0x4C434F4C]
        Stratum: 1
ICMDC1.xxxxxx.xx.xx[10.168.50.31:123]:
    ICMP: 0ms delay
    NTP: +2.4229719s offset from RHDC1.xxxxxx.xx.xx
        RefID: wwwco1test12.microsoft.com [65.55.21.20]
        Stratum: 3
ICMDC2.xxxxxx.xx.xx[10.168.50.33:123]:
    ICMP: 0ms delay
    NTP: +0.1387203s offset from RHDC1.xxxxxx.xx.xx
        RefID: RHDC1.xxxxxx.xx.xx [10.168.50.35]
        Stratum: 2

RHDC1 is our PDC so my thinking from what I have read is that RHDC1 should have RefID of a different time source (in this case it would be our firewall) and that other DCs should then look to the PDC for their time and as a result show RHDC1 in the RefID. The clients (servers and workstations) should then sync at the running of the NETLOGON process.

As it is we have a bit of a mishmash of different sources and configs. Am I correct in my assumption that our DCs are not syncing in the traditional Domain Hierarchy fashion? And if so is there a GP or command that can force them to return to this state?

Best Answer

It does look like things are out of whack regarding the time source some of the non-PDC emulator DCs are using. I would suggest running the following on all DCs, with the exception of the PDC emulator:

w32tm /config /syncfromflags:domhier /update

Then restart w32time.

As far as syncing the PDC emulator to an external source, such as the firewall, my question would be: is it necessary? Time is relative. It's perfectly acceptable to have a "closed system", unless you need true, accurate time from an external source for auditing, legal, etc. reasons. If you do, then you probably need to sync to something other than the firewall.
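
To see which DCs the command above applies to, the following added example (not part of the original question or answer) parses `w32tm /monitor` output and marks every non-PDC DC whose RefID is not another listed DC. It assumes PowerShell 3.0 or later; the variable names and the "RefID must be a listed DC" rule are this example's own assumptions, and the sample input is trimmed from the output in the question.

```powershell
# Trimmed copy of the w32tm /monitor output from the question (names as redacted there).
# For a live check use:  $monitor = (w32tm /monitor) -join "`n"
$monitor = @'
NCCDC1.xxxxxx.xx.xx[10.168.50.32:123]:
    NTP: +2.4042293s offset from RHDC1.xxxxxx.xx.xx
        RefID: firewall.xxxxxx.xx.xx [10.168.xxx.xxx]
RHDC1.xxxxxx.xx.xx *** PDC ***[10.168.50.35:123]:
    NTP: +0.0000000s offset from RHDC1.xxxxxx.xx.xx
        RefID: 'LOCL' [0x4C434F4C]
ICMDC1.xxxxxx.xx.xx[10.168.50.31:123]:
    NTP: +2.4229719s offset from RHDC1.xxxxxx.xx.xx
        RefID: wwwco1test12.microsoft.com [65.55.21.20]
ICMDC2.xxxxxx.xx.xx[10.168.50.33:123]:
    NTP: +0.1387203s offset from RHDC1.xxxxxx.xx.xx
        RefID: RHDC1.xxxxxx.xx.xx [10.168.50.35]
'@

# Parse each "name[address]:" block into one object per domain controller.
$dcs = @()
$dc = $null
foreach ($line in $monitor -split "`r?`n") {
    if ($line -match '^(?<name>\S+?)(?<pdc> \*\*\* PDC \*\*\*)?\[.*\]:\s*$') {
        $dc = [pscustomobject]@{ Name = $Matches.name; IsPdc = [bool]$Matches.pdc
                                 OffsetSec = $null; RefId = $null; Verdict = $null }
        $dcs += $dc
    } elseif ($dc -and $line -match 'NTP:\s*(?<off>[+-]\d+\.\d+)s offset') {
        $dc.OffsetSec = [double]$Matches.off
    } elseif ($dc -and $line -match "RefID:\s*'?(?<ref>[^\s']+)") {
        $dc.RefId = $Matches.ref
    }
}

# Assumption of this example: a non-PDC DC is "in the hierarchy" when its RefID
# is another DC that the monitor listed; anything else is an outside source.
$names = @($dcs | ForEach-Object { $_.Name })
foreach ($dc in $dcs) {
    $dc.Verdict = if ($dc.IsPdc) { 'PDC emulator' } elseif ($names -contains $dc.RefId) { 'domain hierarchy' } else { 'outside source' }
}
$dcs | Format-Table Name, OffsetSec, RefId, Verdict -AutoSize

# DCs that still need the command from the answer, followed by a w32time restart.
$dcs | Where-Object { $_.Verdict -eq 'outside source' } | ForEach-Object {
    "{0}: run 'w32tm /config /syncfromflags:domhier /update', then restart w32time" -f $_.Name
}
```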