To follow up on what Ben and Bob have mentioned, you only want/need the DC with the PDCe role to get its time externally, and the other systems will get the time from that one.
What I do then, is to run a script that sets the time server for all other systems to be blank. (Actually, I let 2 DCs sync outside) The time for all my systems remains in sync (my logging script checks this every morning). I have not used an external NTP application for the better part of this decade. -ASB: http://XeeSM.com/AndrewBaker On Fri, Sep 18, 2009 at 11:37 AM, Free, Bob <r...@pge.com> wrote: > [1] You configure the PDCe of the forest root to become the authoritative > time source for your forest. There is a (fairly) strict hierarchy that is > automagically maintained with the other DCs peering up to that one, DCs in > child domains peering to their respective PDCe, member servers and > workstations peering up to their respective DCs. “You” don’t need to “point” > anything to anything other than the root PDCe. I’d respectfully submit that > there is something wrong in your configuration if things are that bad. > > > > Configure the Windows Time service on the PDC emulator > (http://go.microsoft.com/fwlink/?LinkId=91969 > ) > > > > [2]Common issues I’ve seen are misconfiguration, firewall/network issues > and users who have the user right to set system time. > > > > Configure a client computer for automatic domain time synchronization > (http://go.microsoft.com/fwlink/?LinkId=91376 > ) > > > > I would have agreed with your sentiment in NT and actually ran the W32port > of NTP on my DCs back than but for the vast majority of the >20K machines in > my main forest w23time is sufficient. It has improved with every version of > windows and the documentation is an order of magnitude better than it used > to be. The biggest offset among my DCs today is +0.0128225s. We do have > special use cases where we employ other methods but they are definitely the > exception rather than the rule where a particular client needs millisecond > accuracy.. > > > > Windows Time Service Technical Reference > http://technet.microsoft.com/en-us/library/cc773061(WS.10).aspx<http://technet.microsoft.com/en-us/library/cc773061%28WS.10%29.aspx> > > > > I would start at the top and get all the DCs properly synched and work > your way down from there. What version of AD are you running? > > > > > > *From:* richardmccl...@aspca.org [mailto:richardmccl...@aspca.org] > *Sent:* Friday, September 18, 2009 7:37 AM > *To:* NT System Admin Issues > *Subject:* Why is Windows Time service crap? > > > > > Greetings! > > I have workstations and servers in my domain whose time is all over the > place! > > Two servers I manually sync'd with a domain controller less than 24 hours > ago are now once again 3 minutes behind. > > Workstations are up to 5 minutes one way or the other. > > I know this keeps coming up here, but again, please... > > 1. With multiple domain controllers, does one pick one of them, sync to an > outside time source, then somehow point the other DCs to this DC? If so, > then one puts in the name of the selected DC in the registry settings for > time services? OR, does one make sure all the DCs point to the same > external NTP server? > > 2. Why do servers and workstations drift off, time-wise? How to stop this? > -- > Richard D. McClary > Systems Administrator, Information Technology Group > > *ASPCA®* > 1717 S. Philo Rd, Ste 36 > Urbana, IL 61802 > > richardmccl...@aspca.org > > P: 217-337-9761 > C: 217-417-1182 > F: 217-337-9761 > www.aspca.org > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
