offersgamemen.blogg.se

Active Directory Sync


Introduction

In an Active Directory domain, it is very important for all clocks to be within 5 minutes of each other (by default), because the Kerberos protocol used for authentication depends on clock agreement. Also, Active Directory uses a multi-master replication model between domain controllers, so it is important that a change made later in real time on one DC is not overwritten by a conflicting change from another DC whose clock is wrong and which therefore appears to hold the most recent change. In this article we discuss the AD time synchronization architecture, how to configure an external time source, and various other aspects of the Windows Time Service. We also recommend this TechNet article, which gives very good insight into the Windows Time Service:

Network Time Protocol (NTP)

Network Time Protocol (NTP) is the default time synchronization protocol used by the Windows Time Service (WTS) on Windows servers and workstations. NTP is implemented over UDP on port 123 and can operate in broadcast and multicast modes, or by direct queries.

Active Directory (AD) Sync Manager enables one-way synchronization of AD user passwords and attributes from a customer, organization or enterprise on-premises AD (remote) to the service provider's hosted AD (local) or to another enterprise. Based on your configuration in AD Sync Manager, the user account can automatically be made inactive or disabled from the control panel. The Microsoft Directory Synchronization Tool replicates certain objects and attributes from the local AD to Windows Azure Active Directory. Windows Azure AD is the cloud back-end that provides. DirSync (Directory Synchronization) is a tool for making copies of a local directory in a hybrid cloud deployment of Microsoft Exchange.

Active Directory Time Synchronization Architecture

In an Active Directory deployment, the only computer that should be explicitly configured with a time server is the computer holding the PDC Emulator FSMO role in the forest root domain. This is because the forest root domain PDC emulator is the one and only time source for all domain controllers, member servers and Windows-based workstations in the entire forest. It is possible to override this configuration and bypass the PDC emulator, but the default (and recommended) configuration is that all domain members sync time with the forest PDC emulator, directly or indirectly.

• All domain controllers in the forest root domain synchronize time with the PDC Emulator FSMO role-holder.
• All domain controllers in child domains synchronize time with any domain controller in the parent domain or with the PDC Emulator of their own domain.
• All PDC Emulator FSMO role-holders in child domains synchronize their time with domain controllers in their parent domain (including, potentially, the PDC Emulator FSMO role-holder in the forest root domain).
• All domain member computers (servers, workstations and any other devices) synchronize time with domain controllers in their respective domains.

How to check the configuration from the client side

To determine whether a domain member is configured for domain time sync, examine the REG_SZ value Type under HKLM\System\CurrentControlSet\Services\W32Time\Parameters.

• If it is set to 'Nt5DS', the computer is synchronizing time with the Active Directory time hierarchy.
• If it is set to 'NTP', the computer is synchronizing time with the NTP server specified in the NtpServer REG_SZ value in the same registry key.

External Time Source

Since the PDC emulator of the forest root domain is the main time source for the entire forest, it is important that this computer's system clock is accurate. To maintain that accuracy, the forest root domain PDC emulator must be configured to synchronize its time with a reliable external time source, for example the Windows time server or the Google time server.

Stratum Value

The degree to which a computer's time is accurate is called a stratum.

• The most accurate time source on a network (such as a hardware clock) occupies the lowest stratum level, or stratum one. This accurate time source is called a reference clock.
• An NTP server that acquires its time directly from a reference clock occupies a stratum that is one level higher than that of the reference clock.
• Resources that acquire time from that NTP server are two steps away from the reference clock, and therefore occupy a stratum that is two higher than the most accurate time source, and so on.

As a computer's stratum number increases, the time on its system clock may become less accurate. Therefore, the stratum level of any computer is an indicator of how closely that computer is synchronized with the most accurate time source.

So when you configure a new PDC emulator or move the existing PDC emulator role to a different domain controller, follow the steps below for external time source configuration.

Old PDC Emulator: DC1.subhro.com
New PDC Emulator: DC2.subhro.com
External Time Sources:
1) time.windows.com
2) time.google.com

Configure a reliable external time source for the Forest Root Domain PDC Emulator

Note: If the forest PDC emulator is a VM, make sure it is not configured to sync time with its host.

On the PDC Emulator, run the following command from an elevated command prompt (Admin Mode):

w32tm /config /manualpeerlist:'0.time.windows.com,0x1 1.
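The following PowerShell audit is an added example, not code from the original article: it applies the client-side registry check, the hierarchy rule (only the forest root PDC emulator should carry a manual peer list) and the VM host-sync note to the computer it runs on. It assumes the ActiveDirectory RSAT module is installed, that w32tm prints English output, and that the caller can read HKLM and query the forest; the VMICTimeProvider key is the Hyper-V host time provider.

```powershell
# Added example: audit this computer's Windows Time configuration against the
# AD time hierarchy. Assumes RSAT ActiveDirectory module and English w32tm output.
Import-Module ActiveDirectory

$W32Time = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

function Get-W32TimeConfig {
    # Type: Nt5DS = domain hierarchy, NTP = manual peer list in NtpServer,
    # NoSync = none, AllSync = both. VMICTimeProvider = Hyper-V host sync.
    $p  = Get-ItemProperty -Path "$W32Time\Parameters"
    $vm = Get-ItemProperty -Path "$W32Time\TimeProviders\VMICTimeProvider" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Type      = $p.Type
        NtpServer = $p.NtpServer
        HostSync  = [bool]($vm -and $vm.Enabled -eq 1)
    }
}

function Get-W32TimeStatus {
    # Pull the Stratum and Source lines out of 'w32tm /query /status'.
    $out = (& w32tm.exe /query /status 2>&1) -join "`n"
    $stratum = if ($out -match 'Stratum:\s*(\d+)') { [int]$Matches[1] } else { -1 }
    $source  = if ($out -match 'Source:\s*(.+)')   { $Matches[1].Trim() } else { '' }
    [pscustomobject]@{ Stratum = $stratum; Source = $source }
}

function Test-TimeHierarchy {
    $cfg     = Get-W32TimeConfig
    $status  = Get-W32TimeStatus
    $me      = (Get-ADComputer -Identity $env:COMPUTERNAME).DNSHostName
    $rootPdc = (Get-ADDomain -Identity (Get-ADForest).RootDomain).PDCEmulator
    $isRoot  = $me -ieq $rootPdc
    $findings = @()
    if ($isRoot) {
        # Forest root PDC emulator: the only box that should point at an external source.
        if ($cfg.Type -ne 'NTP' -or -not $cfg.NtpServer) { $findings += 'Root PDC emulator has no manual external peer list (Type should be NTP)' }
        if ($status.Source -match 'Local CMOS Clock|Free-running') { $findings += "Root PDC emulator is free-running: $($status.Source)" }
        if ($cfg.HostSync) { $findings += 'Root PDC emulator is a VM syncing time from its host' }
    } else {
        # Everyone else should follow the domain hierarchy, not a private NTP peer.
        if ($cfg.Type -ne 'Nt5DS') { $findings += "Domain member uses Type=$($cfg.Type) instead of Nt5DS" }
    }
    [pscustomobject]@{
        Computer = $me; IsRootPdc = $isRoot; Type = $cfg.Type; NtpServer = $cfg.NtpServer
        Stratum = $status.Stratum; Source = $status.Source; Findings = $findings
    }
}

Test-TimeHierarchy | Format-List
```

An empty Findings list means the computer matches the hierarchy described above; run it on each DC after moving the PDC Emulator role, since the old role-holder keeps its manual peer list until reconfigured.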