Because AD uses Kerberos authentication, there is a limit of 5 minutes of time difference allowed between a client and the DC (this is to prevent a certain type of authentication attack). The time is checked when the authentication package is generated.
Following the AD design, member servers and workstations sync time with the logon server they authenticated against. Use "set logonserver" to see which logon server that is.
Domain controllers sync time with the PDC of their domain, the PDC of a child domain syncs with the PDC of its parent domain, and so on up the tree; the forest root PDC should sync with a reliable external or internal time source.
To check the PDC: netdom query fsmo
To check the time sync server: w32tm /monitor
To sync with reliable time source:
w32tm /config /manualpeerlist:192.5.41.41 /syncfromflags:manual /reliable:yes /update
net stop w32time
net start w32time
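As an added example (not from the original post), the PowerShell check below measures this machine's clock offset against its logon server and the domain PDC and flags anything beyond the 5 minute Kerberos limit; it assumes the RSAT ActiveDirectory module is installed and that w32tm prints English output.

```powershell
# Added example: Kerberos clock-skew check against the logon server and the PDC.
# Assumes: RSAT ActiveDirectory module (Get-ADDomain), English w32tm output.
$maxSkewSeconds = 300   # Kerberos default MaxClockSkew is 5 minutes

$logonServer = $env:LOGONSERVER.TrimStart('\')   # same value "set logonserver" shows
$pdc = (Get-ADDomain).PDCEmulator                # same value "netdom query fsmo" shows

function Get-OffsetSeconds {
    param([string]$Target)
    # "w32tm /stripchart /dataonly" prints lines like "12:00:01, +00.0123456s";
    # take the last sample as this machine's offset from the target.
    $out = w32tm /stripchart /computer:$Target /samples:3 /dataonly 2>$null
    $last = $out | Where-Object { $_ -match ',\s*([+-]\d+\.\d+)s' } | Select-Object -Last 1
    if ($last -match ',\s*([+-]\d+\.\d+)s') { return [double]$Matches[1] }
    return $null
}

foreach ($target in @($logonServer, $pdc) | Select-Object -Unique) {
    $offset = Get-OffsetSeconds -Target $target
    if ($null -eq $offset) { Write-Warning "No time sample from $target"; continue }
    $status = if ([math]::Abs($offset) -gt $maxSkewSeconds) { 'OUTSIDE KERBEROS SKEW LIMIT' } else { 'ok' }
    '{0,-30} offset {1,10:N3}s  {2}' -f $target, $offset, $status
}

# Where this machine actually takes its time from (more reliable than "net time")
w32tm /query /source
w32tm /query /status
```

Run it on a DC to compare against the PDC, and on the PDC itself to confirm the configured source is the reliable peer set with /manualpeerlist.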
Note: the "net time" command is not a reliable way to determine the time sync server.
Ace Fekay's Active Directory, Exchange and Windows Infrastructure Services Blog gives a very detailed explanation of the time service and the commands for resetting some of the common problems.
My discussion with Ace on the time service matter