Sometimes it is the little things that can cause problems. Sometimes the little things can stop Kerberos authentication, active directory replication, client logons, and can make Exchange generally unhappy. Yes, misconfigured time within an Active Directory environment can bring your business to its knees! Specifically, time drift between client machines, servers and domain controllers. It is always interesting to see when relatively easy and well-known configuration settings are ignored and snowball into business impacting problems. Sigh.
Microsoft has clearly documented that the time skew within a domain and all members should not exceed 5 minutes. This variance is based on Kerberos defaults. In order to keep the time skew within acceptable levels, the Windows Time Service (w32tm) is used. All member servers within a child domain will synchronize their time with any domain controller that they can communicate with. All domain controllers will in turn synchronize their time with the PDC emulator for the domain. The PDC emulator for each child domain will try and synchronize with the PDC emulator (or any other domain controller) in the root. This means that the PDC emulator in the root domain effectively becomes the single source of time for all down level clients. The PDC emulator in the root will need to synchronize time with an external NTP server to ensure accuracy within the Active Directory environment. A properly configured PDC emulator in the root allows for the proper time to be synchronized to all down level clients.
In smaller environments, this is a configuration that clients can easily overlook. In my case, I was recently called about Exchange problems that stemmed from an improper Windows Time Service configuration. Simply, the client was not sure how to set the time from a command-line without the GUI and the skew between machines was large.
In order to set the PDC emulator in the root to an external time source, the following commands should be run from that server:
net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:"time.nist.gov"
w32tm /config /reliable:yes
net start w32time
These commands will tell the Windows Time Service on the root PDC Emulator to synchronize with time.nist.gov. Other NTP servers can be used instead of time.nist.gov. The ‘reliable:yes’ flag indicates to domain clients that this server can safely be used to synchronize with.
In order to verify the change and view the NTP configuration, the following command can be used.
w32tm /query /configuration
Sometimes, it really is that easy…