How To Configure The PDC FSMO In The Forest Root Domain To Sync Time

-
The time service on the forest root domain PDC emulator FSMO holder can be configured to point to an external NTP time source or it can be configured to use its own internal hardware clock. 
(1) configuring the forest root domain PDC FSMO to use an another time source (internal or external) 
To configure the PDC FSMO in the forest root domain with one or more time servers: 
* W32tm /config /manualpeerlist:"<time server 1> <time server 2> <time server n>",<option> /syncfromflags:manual 
* Time servers can be specified as FQDN or IP address of the time server 
To update the "Windows Time Service" configuration: 
* W32tm /config /update OR 
* Net stop w32time & net start w32time 
To resync time with a source 
* W32tm /resync 
To query for specified NTP server(s): 
* Net time /querysntp 
* The answer must be something like: "The current SNTP value is: <timeserver>,<option>" 
REMARK: possible values of <option> are: 
* 0x1 use special poll interval SpecialInterval 
* 0x2 UseAsFallbackOnly 
* 0x4 send request as SymmatricActive mode (the host configured in "symmatric active mode" uses another NTP hosts to sync time, but also gives those other NTP hotes to sync time with the local host) 
* 0x8 send request as Client mode (the localhost configured in "client mode" uses the other remote NTP host to sync time) 
MORE INFO: 
"Configure the Windows Time service on the PDC emulator" 
(2) configuring the forest root domain PDC FSMO to use its own internal hardware clock 
If the forest root domain PDC FSMO is not synchronized to an external time source, the system log will have a warning of event ID 12. To prevent these events from appearing, that DC needs to be configured with an adjustment in the registry. Copy and paste the following into a REG file and import the REG FILE 
#################################################### 
Windows Registry Editor Version 5.00 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time] 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config]
"AnnounceFlags"=dword:00000005 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient]
"Enabled"=dword:00000000 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"NtpServer"=""
"Type"="NT5DS" 
#################################################### 
event ID 12:
Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source.  It is recommended that you either configure a reliable time service in the root domain, or manually configure the PDC to synchronize with an external time source.  Otherwise, this machine will  function as the authoritative time source in the domain hierarchy.  If an external  time source is not configured or used for this computer, you may choose to disable  the NtpClient. 
MORE INFO: 
"Configure the PDC emulator to synchronize from its internal hardware clock" 
In both situations the following points of attention exist: 
(A) If the PDC Emulator FSMO is transfered OR seized the time service configuration is NOT transfered/seized with it and needs to be reconfigured on the new FSMO role owner. If the old FSMO roles owner still is alive, restoring the default configuration is a very good idea! 
MORE INFO: 
"Change the Windows Time service configuration on the previous PDC emulator" 
(B) Don’t configure the time service to use cyclic time configuration. This means "don’t configure the time service on the PDC FSMO to use a server in the domain that already syncs with the PDC FSMO" 
Additional information in: 
* MS-KBQ816042_How to configure an authoritative time server in Windows Server 2003 (http://support.microsoft.com/?id=816042
* MS-KBQ224799_Basic Operation of the Windows Time Service (http://support.microsoft.com/?id=224799
* MS-KBQ875424_Time synchronization may not succeed when you try to synchronize with a non-Windows NTP server in Windows Server 2003 (http://support.microsoft.com/?kbid=875424
* Windows Time Service in Windows Server 2003 (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/71e76587-28f4-4272-a3d7-7f44ca50c018.mspx)
* Managing the Windows Time Service 

Comments

Post a Comment

Popular posts from this blog

Troubleshooting Netlogon Error Codes

-
Image
Quick Reference: Troubleshooting Netlogon Error Codes ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ January 28, 2013   by  Mark Morowczynski [MSFT]   //   24 Comments 0 0 Hi this is Brandon Wilson and today I will be providing you with a quick reference for troubleshooting Netlogon error codes. I say “quick reference” very loosely here, because this is one of those sticky subjects that can easily expand into many more areas and become a very long discussion. So, I’m going to do my best to focus on just the codes and possible solutions for the error codes that are more common to see. Anyone who has dealt with some of these issues knows that some of these outlined areas can lead to huge revenue loss for a business, or at the very least an annoying authentication prompt J I welcome you to leave comments and questions, or suggestions for articles that you as the reader would be interested in seeing us do on AskPFE Platforms ( http://blogs.tech...
Read more

Service Principal Names (SPNs) SetSPN Syntax (Setspn.exe)

-
Image
Service Principal Names (SPNs) SetSPN Syntax (Setspn.exe) Table of Contents SPN Purpose SPN Format SetSPN Viewing or Checking SPN Registrations SPN Registration Errors Related to SPN Registration or Configuration Manually Registering SPNs Troubleshooting SPN Issues Resolving SPN Registration Issues SPN Lookup Errors Delegation External Articles SPN Purpose A service principal name (SPN) is the name by which a Kerberos client uniquely identifies an instance of a service for a given Kerberos target computer. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. ↑  Return to T...
Read more

Troubleshooting AD Active Directory Replication Error 8456 or 8457: "The source | destination server is currently rejecting replication requests"

-
Symptoms  This article describes the symptoms, cause, and resolution steps for situations where Active Directory operations fail with error 8456 or 8457: "The source | destination server is currently rejecting replication requests" The DCPROMO promotion of a new domain controller in an existing forest fails with the error "The source server is currently rejecting replication requests."  Dialog title text:    Active Directory Installation Wizard   Dialog message text:   The operation failed because:   Active Directory could not transfer the remaining data in directory partition   to domain controller .  "The source server is currently rejecting replication requests." DCDIAG reports the error "The source server is currently rejecting replication requests" or "The destination server is currently rejecting replication requests." Testing server: Default-First-Site-Name\     ...
Read more