Tech Info's

Microsoft Windows, RedHat and VMware Virtualization Platform

Archive for November, 2011

Configuring Time Source on Active Directory

Posted by Prashanth P on November 16, 2011


Time Source configuration is very important and Critical for Active Directory. It has to be as close as possible for all domain machines, which is realized with the setup of the hierarchy how the domain time is prepared.

Important to know is, that Domain Controllers use with NTP the UTC (Coordinated Universal Time), as this is the universal standard for current time. UTC is independent of time zones and enables NTP to be used anywhere in the world regardless of time zone settings. You will not realize the UTC time itself, as the time zone information which is stored in the computer’s registry, is added to the system time just before it is displayed to the user.

One Domain Controller, the DC with the PDC Emulator FSMO (Flexible Single Master Operations) role, is the time master in the domain. It uses its own BIOS time but should be changed to another time source like a NTP hardware device, routers, layer3 switches or external time servers, which are able to act as a time provider.

All other Domain Controllers synchronize with this machine and all domain member servers and domain workstations synchronize with one available DC. Therefore it is needed to open the UDP port 123 for NTP on all machines. In a domain, time synchronization takes place when Windows Time Service turns on during system startup and periodically while the system is running. In the default configuration, the Net Logon service looks for a Domain Controller that can authenticate and synchronize time with the client. When a Domain Controller is found, the client sends a request for time and waits for a reply from the Domain Controller. This communication is an exchange of Network Time Protocol (NTP) packets intended to calculate the time offset and round-trip delay between the two computers.

The correct time is needed from Kerberos V5 authentication to prevent “replay attacks,” Kerberos V5 uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the Domain Controller need to be in sync as much as possible. The default maximum time tolerance is 5 minutes and defined with a Group Policy setting and should not be changed.

If you have the need for changing the default tolerance, you have to choose the following GPO setting

Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Kerberos Policy -> “Maximum tolerance for computer clock synchronization”

Configurations on Windows Server 2003 or higher OS

To check the Time Source Configuration execute the below mentioned command

c:\>w32tm /dumpreg /subkey:parameters /computer:DC_Name

Note: Where DC_Name is the Name of the Domain Contoller

  1. To configure the Domain Controller with the PDC Emulator FSMO to another time source, run

C:\>w32tm /config /manualpeerlist:DC_Name /syncfromflags:manual /reliable:yes /update

Please set for “DC_Name” the time source as listed above, either with its IP address or DNS name. If more than one is needed separate them with a space in between and don’t forget the quotes: “time.domain.com time1.domain.com”

2.   To configure a domain computer for automatic domain time synchronization, run

C:\>w32tm /config /syncfromflags:domhier /update

After that you have to run

C:\>net stop w32time

C:\>net start w32time

3.  To reconfigure the previous PDC Emulator, in case of transferring/seizing the FSMO to another Domain Controller, run

C:\>w32tm /config /syncfromflags:domhier /reliable:no /update

After that you have to run

C:\>net stop w32time

C:\>net start w32time

4. If you have to reconfigure a Windows 2000 Server Domain Controller, the steps are different after transferring/seizing the PDC Emulator role to another Domain Controller

You have to modify the “Type” value to “Nt5Ds” without the quotes under this registry key

HKLM\ SYSTEM\ CurrentControlSet\ Services\ W32Time\ Parameters\

Note: If you have problems with the time service configuration, because too many changes where done in the registry or you like start fresh on a computer, then you can reset the time service to a default state the following way. Make sure to use an elevated command prompt, to have full administrative permissions.

Then Execute the following commands

C:\>net stop w32time

C:\>w32tm /unregister

C:\>w32tm /register

C:\>net start w32time

Repeat the Steps mentioned in “Configurations on Windows Server 2003 or higher OS” as per the requirement.

Posted in Active Directory | Tagged: | 5 Comments »

Enabling and Disabling Active Directory Replication

Posted by Prashanth P on November 2, 2011


You want to enable or disable inbound or outbound replication on a domain controller?

Using a command-line interface

To disable outbound replication on a domain controller, enter the following:

                c:\> repadmin /options +DISABLE_OUTBOUND_REPL

To re-enable outbound replication, enter the following:

                c:\> repadmin /options DISABLE_OUTBOUND_REPL

To disable inbound replication, enter the following:

                c:\> repadmin /options +DISABLE_INBOUND_REPL

To re-enable inbound replication, enter the following:

                c:\> repadmin /options DISABLE_INBOUND_REPL

When Enabling and Disabling Replication is required?

When you are making major changes to Active Directory, particularly in cases where you are extending the schema, it is recommended that you disable outbound replication on the DC that you’re modifying. This will allow you to test any changes that you’ve made on a single DC without propagating those changes to the remainder of your directory. If you make a mistake or find that the changes you’ve made are otherwise unacceptable, you can restore a single DC rather than being faced with the prospect of performing a disaster recovery operation on your entire domain.

It’s important to note that disabling outbound replication on a domain controller will not have any effect on inbound replication; the DC will still receive updates from its other replication partners unless you disable inbound replication on them as well.

In a worst-case scenario, you can disable replication for an entire forest by issuing the following command:

                c:\> repadmin /options * +DISABLE_INBOUND_REPL

Posted in Active Directory | Tagged: | 4 Comments »