From: Jonathan de Boyne Pollard on 17 Jan 2010 22:05

> Do not manually set another time server in a domain on member servers or DCs other than the PDCEmulator. It is important that only the PDCEmulator as domain time master is the source for time and configured to an external time source.

In reviewing the messages in this newsgroup, now that my news server carries it, I've seen this received wisdom stated more than once. It's wrong. As M. Fekay said, what is /actually/ important is that all of the machines' system clocks are synchronized, so that Kerberos (and various other things) work. It does /not/, in fact, matter how, exactly, one goes about achieving that goal. The usual way is to go with the default behaviour of the Windows Time Service, which implements a hierarchy where one only needs to manually configure the machine (the PDC emulator) at the top of that hierarchy, and everything else below it "just works". But as far as I am aware, as long as the /actual goal/ of keeping all machines synchronized is achieved, one can use whatever complex system of (S)NTP clients and servers one cares to set up. Ensuring that one only twiddles with the PDC emulator is /one means/, but it is not the sole means available, and it isn't the actual /end/ that needs to be achieved.
From: Meinolf Weber [MVP-DS] on 20 Jan 2010 05:23

Hello Jonathan de Boyne Pollard,

You are of course right when saying the Kerberos time must be in the correct time window of, by default, 5 minutes in a domain. But when using different time sources on the servers you are out of sync more quickly than you would like. That is the reason that the DC with the PDCEmulator is automatically the time master in the domain, which all other DCs sync with, and the other domain machines sync with one available DC. This is the ONLY way to guarantee this.

Best regards
Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups **
HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
From: Jonathan de Boyne Pollard on 20 Jan 2010 10:11

> You are of course right when saying the Kerberos time must be in the correct time window of, by default, 5 minutes in a domain. But when using different time sources on the servers you are out of sync more quickly than you would like.
>
> That is the reason that the DC with the PDCEmulator is automatically the time master in the domain, which all other DCs sync with, and the other domain machines sync with one available DC. This is the /only/ way to guarantee this.

Nonsense. There are plenty of people in the world who have achieved synchronization via other arrangements of (S)NTP clients and servers. It is far from being the only way. I repeat: The Windows Time Service default synchronization structure is but /one means/ of achieving the actual goal. There are other ways of arranging for all machines to be synchronized, and as long as all machines /are/ synchronized it doesn't matter which way one goes about achieving it. The means is /not/ the end. Nor is it the sole guaranteed means.
From: Rich Wonneberger on 21 Jan 2010 22:45

Jonathan,

Two questions:
What's the easiest way to sync the time?
What are you doing outside of an OS2 group?? :)

Rich W.

Jonathan de Boyne Pollard wrote:
> Nonsense. There are plenty of people in the world who have achieved
> synchronization via other arrangements of (S)NTP clients and servers.
> It is far from being the only way. I repeat: The Windows Time Service
> default synchronization structure is but /one means/ of achieving the
> actual goal. There are other ways of arranging for all machines to be
> synchronized, and as long as all machines /are/ synchronized it doesn't
> matter which way one goes about achieving it. The means is /not/ the
> end. Nor is it the sole guaranteed means.
From: Jonathan de Boyne Pollard on 20 Jan 2010 19:40
> [...]
>
> Why the PDCe and not other DC? Time sync is important, true, but the key is to have all (workstations, DCs, member servers in sync) synchronized. The PDCe is the Authoritative time server because by default the PDCe is one of the Roles that the First DC has; additionally that server will also serve as Authoritative Time server, but that doesn't mean that you must stay with that configuration, there are many scenarios where that isn't possible.

.... which is pretty much the same thing as I wrote in the text that you replied to. (-:

Now go and see how many times the mantra, that one /must always and only/ configure the PDC emulator as the lowest stratum time server, has been stated in MPWSA and other newsgroups over the past few years. Here's an example, from a post (news:B9016F88-D2E2-4CD2-96DD-5BE0618E71DE(a)microsoft.com) by Paul Williams, Directory Services MVP, in January 2007:

> The only machine that should have one or more external time servers defined is the PDCe in the forest root domain.

It's received wisdom; it's oft-repeated received wisdom; and it's wrong.
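Added example, not written by any poster in this thread: a PowerShell audit that checks the one thing everyone above agrees on (every clock inside the Kerberos tolerance, 5 minutes by default) while merely reporting the thing they argue about (which source each host actually follows). It assumes the RSAT ActiveDirectory module, WinRM access to the targets and a domain account allowed to query w32tm on them; the function names are my own.

```powershell
# Added example; not from any post in this thread.
# Assumptions: RSAT ActiveDirectory module, WinRM to the targets, run as a domain admin.
Import-Module ActiveDirectory

$MaxSkewSeconds = 300                         # Kerberos default MaxClockSkew (5 minutes)
$Pdce = (Get-ADDomain).PDCEmulator            # top of the default W32Time hierarchy

function Get-OffsetSeconds {
    param([string]$Computer)
    # Preferred path: an NTP query. w32tm /stripchart prints "hh:mm:ss, +00.0012345s",
    # the offset of $Computer relative to this host. Only hosts running the NtpServer
    # provider answer, which by default means DCs, not workstations or member servers.
    $lines = w32tm /stripchart /computer:$Computer /samples:3 /dataonly 2>$null
    $samples = foreach ($l in $lines) { if ($l -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] } }
    if ($samples) { return ($samples | Measure-Object -Average).Average }
    # Fallback for hosts that do not answer NTP: read the remote UTC clock over WinRM.
    # Accurate to about a second, which is plenty for a 300 s tolerance.
    try {
        $remote = Invoke-Command -ComputerName $Computer -ScriptBlock { [DateTime]::UtcNow } -ErrorAction Stop
        return ($remote - [DateTime]::UtcNow).TotalSeconds
    } catch { return $null }                  # unreachable: reported below, not silently skipped
}

$pdceOffset = Get-OffsetSeconds -Computer $Pdce
if ($null -eq $pdceOffset) { throw "Cannot measure the PDC emulator $Pdce; nothing to compare against." }

$targets = Get-ADComputer -Filter 'Enabled -eq $true' | Select-Object -ExpandProperty DNSHostName

$report = foreach ($c in $targets) {
    $off  = Get-OffsetSeconds -Computer $c
    $skew = if ($null -ne $off) { [math]::Round($off - $pdceOffset, 3) } else { $null }
    # The server or provider this host actually follows (the PDCe, another DC, a manual peer, ...)
    $source = try {
        Invoke-Command -ComputerName $c -ScriptBlock { w32tm /query /source } -ErrorAction Stop
    } catch { 'unreachable' }
    [pscustomobject]@{
        Computer      = $c
        TimeSource    = $source
        SkewVsPdceSec = $skew
        WithinWindow  = ($null -ne $skew) -and ([math]::Abs($skew) -le $MaxSkewSeconds)
    }
}

$report | Sort-Object WithinWindow, Computer | Format-Table -AutoSize
# WithinWindow = False means Kerberos clock-skew errors regardless of how tidy the
# hierarchy looks; True means the host is synchronized, whatever TimeSource says.
```

Hosts that answer neither NTP nor WinRM show up as unreachable with WithinWindow = False, so a silent gap in coverage is visible in the same table as a real skew.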