It's time for Windows Time
I have been doing quite a bit of work in the arena of Active Directory troubleshooting. As you are well aware, the Windows Time Service is a very important element in the success of a healthy Active Directory. Many Windows components, for example the Kerberos V5 authentication protocol, rely on time being accurate and consistent. If computers are more than five minutes out of synchronization with the domain, the Kerberos protocol will fail to authenticate. This has a knock-on effect: if Kerberos authentication fails, it prevents logons and access to printers, web servers, file shares and various other resources.
The PDC(e), Primary Domain Controller Emulator, is the FSMO (Flexible Single Master Operation) role that is responsible for time synchronization in the domain and the forest. The PDC(e) of the forest root domain uses Network Time Protocol and should be pointed to a very reliable time source: typically a hardware device or a trusted time source on the Internet, ideally one used by scientific or government institutions. The two main commands used to configure time synchronization are w32tm.exe (used with Windows 2000 and XP) and the Net Time command.
I have discovered an excellent article on Windows Time and the W32TM service by Nathan Winters, who BTW is responsible for the Microsoft Messaging and Mobility User Group.
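
As an added example (not part of the original post, and not a Microsoft tool), here is one way to check domain controllers against the five-minute Kerberos tolerance described above by parsing text laid out like `w32tm /monitor` output. The sample text, the host names, the 60-second warning threshold and the function names are assumptions constructed for illustration.

```python
import re

KERBEROS_MAX_SKEW_S = 5 * 60  # five-minute tolerance stated in the article
WARN_SKEW_S = 60              # assumed early-warning threshold, tune to taste

# Constructed sample, trimmed to the lines the parser reads.
SAMPLE = """\
dc01.example.test *** PDC ***[192.0.2.10:123]:
    NTP: +0.0000000s offset from dc01.example.test
dc02.example.test[192.0.2.11:123]:
    NTP: -72.4410000s offset from dc01.example.test
dc03.example.test[192.0.2.12:123]:
    NTP: +412.9030000s offset from dc01.example.test
dc04.example.test[192.0.2.13:123]:
    NTP: error ERROR_TIMEOUT - no response from server in 1000ms
"""

HOST_RE = re.compile(r"^(\S+?)(?: \*\*\* PDC \*\*\*)?\[[^\]]+\]:\s*$")
OFFSET_RE = re.compile(r"^\s+NTP: ([+-]\d+\.\d+)s offset from")
ERROR_RE = re.compile(r"^\s+NTP: error")

def classify(offset_s):
    """Map an offset in seconds to a status relative to the Kerberos limit."""
    skew = abs(offset_s)
    if skew > KERBEROS_MAX_SKEW_S:
        return "KERBEROS_FAIL"
    return "WARN" if skew >= WARN_SKEW_S else "OK"

def audit(monitor_output):
    """Return {host: (status, offset_seconds_or_None)} for each DC listed."""
    findings, host = {}, None
    for line in monitor_output.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            findings[host] = ("NO_DATA", None)  # replaced once an NTP line is seen
            continue
        if host is None:
            continue
        m = OFFSET_RE.match(line)
        if m:
            offset = float(m.group(1))
            findings[host] = (classify(offset), offset)
        elif ERROR_RE.match(line):
            findings[host] = ("UNREACHABLE", None)
    return findings

if __name__ == "__main__":
    for name, (status, offset) in audit(SAMPLE).items():
        print(f"{name:20} {status:14} {offset}")
```

A domain controller that does not answer is reported separately from one that is in tolerance, since an unreachable time source is itself a condition worth alerting on.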
Comments
- Anonymous
January 01, 2003
I have been visiting a few customer sites where they are virtualizing their Domain Controllers. This