Time in a domain, GPO or registry?
What method should be used to set time in a domain, GPO or registry?
Since Server 2008 has no time settings in the registry to begin with do you still need to enter anything in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
when in a domain and this is the DC and time server for the domain, or do the time keys take all settings from the GPO? Since this is for the Default Domain Controller GPO, how do I specify which DC is the time source for the domain?
Thanks
October 29th, 2010 1:16pm
Hello Cjlindell,
By default, Windows-based computers use the following hierarchy:
All client desktop computers nominate the authenticating domain controller as their in-bound time partner.
All member servers follow the same process that client desktop computers follow.
All domain controllers in a domain nominate the primary domain controller (PDC) operations master as their in-bound time partner.
All PDC operations masters follow the hierarchy of domains in the selection of their in-bound time partner.
In this hierarchy, the PDC operations master at the root of the forest becomes authoritative for the organization. We highly recommend that you configure the authoritative time server to gather the time from a hardware source. When you configure the authoritative time server to sync with an Internet time source, there is no authentication. We also recommend that you reduce your time correction settings for your servers and stand-alone clients. These recommendations provide more accuracy and security to your domain.
Configure a domain controller in the parent domain as a reliable time source
http://technet.microsoft.com/en-us/library/cc739801(WS.10).aspx
Configuring the Windows Time Service
http://www.windowsnetworking.com/articles_tutorials/Configuring-Windows-Time-Service.html
Windows Time Service GPO Settings
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/c9c70b7f-7493-4d1b-83aa-472ea36022fc
Setting the Authoritative Time Server on the PDC Emulator Using Group Policy
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/6f025016-bbff-43b6-bd6c-e04b76b94155
Brent
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
November 2nd, 2010 10:08pm
Brent,
I don't believe you have answered my questions, though you are trying to help.
I specifically asked What method should be used to set time in a domain, GPO or registry?
This is not clearly stated anywhere.
I understand Windows time hierarchy.
What I want to know is what is the preferred method of setting up time in a domain? A GPO, or manually setting the registry or making changes @ a cmd prompt.
If it is a GPO, what GPO should be edited or should a new one be created?
In my case the existing Default Domain Controllers GPO was used for the DC holding the fsmo role and the Default Domain GPO is used for the rest of the domain.
Something doesn't seem right here.
I would really appreciate a simple and direct answer rather than copying and posting more info that still doesn't specifically answer my inquiry.
Thanks
November 5th, 2010 2:04pm
Hello,
None of them; by default there is no need to configure it either way.
You should configure the DC with the PDCEmulator FSMO to another time source, internet or hardware device with the "w32tm" command from an elevated command prompt, that's it.
See my blog about details:
http://msmvps.com/blogs/mweber/archive/2010/06/27/time-configuration-in-a-windows-domain.aspx
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
November 6th, 2010 9:53am
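
Added example, not part of any post in this thread: a PowerShell sketch of the approach in the last reply (point only the PDC emulator at an external source with w32tm), plus a check for GPO-delivered W32Time settings, which is what the original question was unsure about. The peer names are placeholders, and the script assumes an elevated prompt on a domain controller.

```powershell
# Run elevated on a domain controller. Peer names are placeholders (assumption),
# not values from the thread; substitute your hardware clock or NTP servers.
$Peers = 'ntp1.example.com,0x8 ntp2.example.com,0x8'   # 0x8 = client-mode request

# 1. Find the PDC emulator; only that DC should point at an external source.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc    = $domain.PdcRoleOwner.Name
$isPdc  = $pdc.Split('.')[0] -ieq $env:COMPUTERNAME

# 2. A GPO that configures Windows Time writes under this policy key, and those
#    values take precedence over what "w32tm /config" stores locally.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time'
if (Test-Path $policyKey) {
    Write-Warning 'W32Time policy settings are present; review the GPO first.'
    Get-ChildItem $policyKey -Recurse | ForEach-Object { $_.Name }
}

if (-not $isPdc) {
    # Other DCs follow the domain hierarchy by default: report and change nothing.
    Write-Host "PDC emulator is $pdc; this DC currently syncs from:"
    w32tm /query /source
    return
}

# 3. PDC emulator: sync from the manual peer list and advertise as reliable.
w32tm /config "/manualpeerlist:$Peers" /syncfromflags:manual /reliable:yes /update

# 4. Apply and verify.
Restart-Service w32time
w32tm /resync /rediscover
w32tm /query /source     # should name one of the configured peers
w32tm /query /status     # check stratum and last successful sync time
w32tm /monitor           # offsets of every DC relative to the PDC emulator
```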