had windows 2000 server set as time server - now want to move it to 2003

Discussion in 'Windows Server' started by gary, Mar 11, 2007.

  1. gary

    gary Guest

    we recently added two windows 2003 servers.

    we have had a windows 2000 server set as the time server, with the whole DST
    issue I would like to make one of the windows 2003 servers the time server.

    since it has been several years since I set that up, how can I turn off that
    ability on the 2000 server so I can set all the PCs to sync with the 2003
    gary, Mar 11, 2007

  2. gary

    gary Guest

    part of the problem is that if you just type "net time" it syncs with the
    windows 2000 server, but you can type "net time \\servername /set " and it
    will sync up with the 2003 server.

    how can I make the default the 2003 server?
    gary, Mar 11, 2007

  3. gary

    Herb Martin Guest

    That's fine but you really should fix the Win2000 Server (TZEdit or registry

    And even if you don't do that the time will remain correct on the 2000
    and the client as long as no one (i.e., human being) sets the time
    on that server.

    The "time fix" is REALLY a "TIME ZONE" fix -- it is about displaying the
    time correctly under the new DST rules.
    Domain machines are supposed to sync from the DC which authenticates
    them -- it is a poor idea to ever "set" the stations to authenticate from a
    specific DC or server since that means they are always dependent on that

    Are you sure you set this so they would only sync from a specific 2000

    If so you likely followed one of the KB articles related to W32Tm.exe
    and the Windows Time Service.

    You can Google this at Microsoft:

    [ site:microsoft.com w32tm time | registry ]
    Herb Martin, Mar 11, 2007
  4. gary

    Herb Martin Guest

    Insufficient. Stations normally sync time from the AUTHENTICATING
    DC -- DCs sync time from the PDC Emulator.
    Herb Martin, Mar 11, 2007
  5. gary

    Gary M Guest

    but all the FSMO roles are now held by a Windows 2003 server, so shouldn't
    they then sync with it?

    Gary M, Mar 12, 2007
  6. gary

    Gary M Guest

    well, I thought I had, but that was so long ago I may actually only have been
    using the net time command, as when the windows 2000 server in question was
    being rebooted the PC was then syncing with the OTHER 2000 server rather
    than the 2003 servers.

    when working on this yesterday I applied all the necessary patches to the
    windows 2000 servers, both of them.

    and when we rebooted the first one (that was the one the PC was syncing
    with) it would then sync up with the second 2000 server! but all the FSMO
    roles are held by a windows 2003 server - I checked.
    hoo boy.
    Gary M, Mar 12, 2007
  7. gary

    Herb Martin Guest

    No, because stations (i.e., non-DCs) sync from the AUTHENTICATING DC,
    not the PDC Emulator.
    Herb Martin, Mar 12, 2007
  8. gary

    Herb Martin Guest

    It actually syncs with the CURRENT DC it is using for a "secure channel" --
    this would normally be the original "Authenticating DC" unless/until that
    DC goes down.

    If you type "set logonserver" at a command prompt then the displayed DC
    is (almost always) the one it used and is using to sync time.
    Herb Martin, Mar 12, 2007
  9. gary

    Gary M Guest

    thanks for all the replies Herb, I am learning some stuff here.

    so how do you change the logonserver then?
    when I type that command on my XP Pro PC it does list one of the windows
    2000 servers.
    Gary M, Mar 12, 2007
  10. gary

    Herb Martin Guest

    Normally "you" do not change this -- it is selected by the computer
    before any user even logs onto the computer.

    It is selected based on a variety of criteria including "Site" (local
    is preferred), last used (the one that worked yesterday), and performance
    (the one that responds to the computer fastest.)
    Then that was the DC which was used -- and the time from there SHOULD
    be just fine since it should be replicating from the PDC Emulator -- unless
    is the PDC Emulator in which case THAT is the one computer YOU should
    arrange to have the correct time (manually, radio hardware, or more commonly
    from an Internet NTP server.)

    Oh, if you really must change the logonServer (for this particular logon)
    tool is NLTest. (But don't do that for the issues you are discussing here.)
    Herb Martin, Mar 12, 2007
  11. gary

    Gary M Guest

    ah, I'm with you now.
    so as long as the PDC Emulator has the right time I should be okay.


    Gary M, Mar 12, 2007
  12. gary

    Herb Martin Guest

    Yes, and OTHER DCs are properly replicating time from the PDC-E.

    Generally the PDC-E is set to get time from an Internet NTP.
    Sure. My pleasure.
    Herb Martin, Mar 12, 2007
  13. What is the result of "net time /setsntp:xxx.xxx.xxx" ?
    I get the idea that a ntp server should only be put on a PDC-E.

    I have set a ntp server, as above, frequently on Non PDC-E
    systems. Wasting my time?
    Is the resulting ntp server time ignored at all AD authenticated logins?
    What if the box is not logged in? What time do the services see?
    Where does a member server that is not logged in get its time?

    Are these reasons to set a ntp server or will AD override the ntp server?

    Thanks for the discussion?

    Reynolds McClatchey, Mar 16, 2007
  14. gary

    Herb Martin Guest

    Tells the machine to use that (set of) SNTP server(s) for syncing time.
    That is typically all that is necessary since other DCs sync from the
    PDC-E, and the non-DCs sync from the authenticating DCs.

    Get the PDC-Emulator correct and the whole domain should be
    right -- in fact, get the root forest PDC-Emulator correct and even
    a complex forest should sync up time completely as child PDC-E
    sync from parent etc.
    Yes - usually. Unless there is some good reason for not syncing
    from PDC-E (e.g., it is across a slow WAN but you have a high
    speed link directly to the Internet.)

    I don't understand the specific question here. AD authentication (i.e.,
    Kerberos) requires time to be within 5 minutes by default.
    They "see" the time of the API call they use -- either the UTC (aka GMT)
    or the local time but most should be written to use UTC time since it
    remains consistent even when viewed from different local times.

    This is the reason that AD uses UTC internally.
    DC which authenticates that Server -- your questions imply you might
    not realize that a Computer (workstation or server) authenticates ITSELF
    even before any user tries to logon.
    There are good reasons to set it on the PDC-E.
    Herb Martin, Mar 16, 2007
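
The hierarchy described in the replies above (PDC Emulator from an external NTP source, other DCs from the PDC-E, stations from the DC holding their secure channel), written out as a Windows command script for Server 2003 and XP. This is an added example, not something posted in the thread; `EXAMPLE.LOCAL` and `time.example.org` are placeholders, and `nltest` is assumed to be installed from the Support Tools.

```bat
@echo off
rem Added example, not from the thread. DOMAIN and NTP_PEER are placeholders.
rem Usage: timesrc.cmd pdc      (run on the DC holding the PDC Emulator role)
rem        timesrc.cmd member   (run on a workstation or member server)
setlocal
set DOMAIN=EXAMPLE.LOCAL
set NTP_PEER=time.example.org

if /i "%~1"=="pdc" goto pdc
if /i "%~1"=="member" goto member
echo Usage: %~nx0 pdc ^| member
exit /b 1

:pdc
rem The PDC Emulator is the one machine that takes time from outside the
rem domain. Mark it reliable so the other DCs prefer it as their source.
w32tm /config /manualpeerlist:%NTP_PEER% /syncfromflags:manual /reliable:yes /update
w32tm /resync /rediscover
rem Report every DC's offset from the PDC Emulator. A DC drifting toward the
rem default 5-minute Kerberos tolerance shows up here before logons fail.
w32tm /monitor /domain:%DOMAIN%
goto :eof

:member
rem Show which DC this machine is using; that DC is normally its time source.
echo Logon server: %LOGONSERVER%
nltest /sc_query:%DOMAIN%
rem Show any SNTP server pinned earlier with "net time /setsntp".
net time /querysntp
rem Return the machine to the domain hierarchy instead of a fixed server,
rem so it no longer depends on one specific box being up.
w32tm /config /syncfromflags:domhier /update
w32tm /resync /rediscover
rem Measure the remaining offset against the logon server (five samples).
rem %LOGONSERVER:~2% strips the leading \\ from the variable.
w32tm /stripchart /computer:%LOGONSERVER:~2% /samples:5 /dataonly
goto :eof
```

The `member` branch applies to XP and Server 2003; Windows 2000 ships an older `w32tm` with different switches, so it is not covered here.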