
We have an interesting scenario at my workplace. Our primary domain controller started to fail, so we installed a secondary domain controller to allow people to log in when the primary would fail. Eventually the primary died completely (motherboard). I replaced the motherboard with the same model, and the operating system works 99%. However, when I plug the original primary domain controller back into the network, some users experience strange behaviors, such as randomly having no domain permissions, etc.

Anyway, we currently have the primary domain controller off the network, and the backup is working fine for the most part. I have been noticing that the time isn't synchronizing, though. Now when I try to force it by running the following from a client machine:

>w32tm /resync

I get the following message:

Sending resync command to local computer
The computer did not resync because no time data was available.

From what I have read, it seems that by default in a domain configuration, the time server is set to the primary domain controller. Is there a way that I can set the secondary/backup domain controller to function as a time server so that the client machines will be able to sync with the domain?

If that is not possible, is there an easy way (either command-line, or through GPO) to configure the clients to just use a global time server such as time.windows.com to synchronize?

dub stylee
  • Run nltest /dsgetdc:yourdomain.com. Does the current DC have the TIMESERV flag? Also, in AD Users and Computers, right-click on your domain and select Operations Masters. Is your current DC configured as the PDC Emulator Operations Master? – Greg Askew Apr 23 '15 at 13:05
  • @GregAskew the current DC does have the TIMESERV flag, but when I go to Operations Masters, I get: Operations master: ERROR The current operations master is offline. The role cannot be transferred. – dub stylee Apr 23 '15 at 17:38
  • There is a "Change" button, when I click it says `"Are you sure you want to transfer the operations master role?"` I clicked cancel, but it sounds like that might be what I need to do since the current one is offline? – dub stylee Apr 23 '15 at 17:41
  • I found yesterday that the primary DNS server was set to the **old** domain controller via DHCP, so even though the client machines were able to resolve domain names for web browsing, etc. apparently the time service only uses the primary DNS server. I changed the DNS server to use the **new** domain controller, and it appears that now the time is synchronizing properly. Now I just need to try to take care of the larger issue of the FSMO roles. – dub stylee Apr 23 '15 at 18:16

2 Answers


There is no primary or secondary domain controller; these are old, old concepts that no longer exist, and a lot of people will get a bit huffy if you carry on referring to a primary and secondary domain controller.

In a Windows domain the domain hierarchy time sync has the PDC Emulator domain controller syncing from an internet time source (e.g. pool.ntp.org, time.windows.com). Other DCs sync from the PDC Emulator, and the clients sync from any DC.

Is the DC that you have removed holding FSMO roles including PDC Emulator? If so you have borked it. Either re-introduce the DC you have removed, or seize the FSMO roles to the new DC you have created.

It's not good practice to set domain clients to sync from an internet time source, so I'll not provide instructions for that. 10 seconds with Google would get you that anyway.

Refer to this technet document for information about the windows time service: https://technet.microsoft.com/en-us/library/cc773013(v=ws.10).aspx

BlueCompute
  • You are correct, it looks like the removed domain controller is holding the FSMO roles. I got the time sync issue resolved, but in order to get the domain fully functional, I will have to either re-add the old domain controller or seize the roles, as you suggested. I think that will have to be an after-hours project, since joining the old DC back on the network usually causes random issues. Do you think if I seize the FSMO roles with the new domain controller, that I might be able to safely leave the old domain controller on the domain as a second domain controller? – dub stylee Apr 23 '15 at 18:19
  • Maybe. DCdiag is your new friend. Personally I would transfer the roles, seize if necessary, demote, remove and rebuild the 'suspect' DC. – BlueCompute Apr 23 '15 at 23:01
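The hierarchy BlueCompute describes, as an added worked example (not code from the thread or from Microsoft's documentation): find the PDC Emulator, make only that DC sync from external NTP, put every other DC and client back on the domain hierarchy, then run the checks a practitioner wants before calling it fixed. The domain name contoso.com, the DC names and the NTP pool hosts are assumptions; run it from an elevated PowerShell session with the ActiveDirectory module on a machine that can reach the DCs.

```powershell
# Added example, not from the original thread. contoso.com, the DC names and
# the NTP peers are placeholders; substitute your own.
Import-Module ActiveDirectory

$domain = "contoso.com"

# 1. Which DC holds the PDC Emulator role? Only this DC should sync from an
#    external source; every other member follows the domain hierarchy.
$pdce = (Get-ADDomain -Identity $domain).PDCEmulator
"PDC Emulator is: $pdce"

# 2. On the PDC Emulator: external NTP peers, marked as a reliable time
#    source for the domain. The ,0x8 suffix puts each peer in NTP client mode.
Invoke-Command -ComputerName $pdce -ScriptBlock {
    w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" `
        /syncfromflags:manual /reliable:yes /update
    Restart-Service w32time
    w32tm /resync /rediscover
    # Expect an NTP host here, not "Local CMOS Clock" or "Free-running System Clock"
    w32tm /query /source
}

# 3. Every other DC: clear any manual peer left over from the old setup and
#    follow the domain hierarchy (clients get the same two w32tm lines, or
#    simply inherit the default hierarchy behaviour once DNS is correct).
$others = Get-ADDomainController -Filter * | Where-Object HostName -ne $pdce
foreach ($dc in $others) {
    Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        w32tm /config /syncfromflags:domhier /update
        w32tm /resync /rediscover
        w32tm /query /source
    }
}

# 4. Checks before declaring the problem solved.
#    Does the DC locator return a DC advertising the TIMESERV flag?
nltest /dsgetdc:$domain /timeserv
#    Are all DCs within a few hundred milliseconds of each other?
w32tm /monitor /domain:$domain
#    Is this client's primary DNS server a DC that still exists? The original
#    poster found DHCP handing out the dead DC as primary DNS, which is why
#    clients could browse the web but the time service found "no time data".
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Format-Table InterfaceAlias, ServerAddresses
```

The order matters: fixing DNS on the clients (step 4's last check) is what made `w32tm /resync` work for the poster, but until the PDC Emulator role actually lives on a reachable DC, step 1 returns the dead server and the rest of the domain has no reliable source to chain from.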

Your biggest problem at the moment is you need to seize the FSMO roles and assign them to your remaining domain controller.

Seize the Operations Master Role
https://technet.microsoft.com/en-us/library/cc816779(v=ws.10).aspx

Probably a good idea to install a second domain controller.

Greg Askew
  • That sounds like a good plan. Is using `ntdsutil.exe` the same as clicking the "Change" button from the Operations Masters window? Also, would I want to add a second domain controller *before* seizing the operations master role? – dub stylee Apr 23 '15 at 17:57
  • Yes, and I don't think you will be able to add a new domain controller if you don't have the FSMO roles available. – Greg Askew Apr 23 '15 at 18:06
  • I originally had tried to remove the old domain controller from the domain so I could re-add it, but it wouldn't let me. Probably because it was the operations master. Perhaps I will have to come in after hours one of these weekends and put the old one back on the domain and try to transfer the roles. Would that be sufficient for a second domain controller? Hopefully if I add the old one back on the network, then transfer the roles, maybe the random issues that arise with the old domain controller on the network will no longer occur. – dub stylee Apr 23 '15 at 18:11
  • I have a side question that may be related - sometimes when people change their password, the next time they try to login they get a "can't establish trust relationship with the domain" error, and I have to remove the computer and rejoin the domain. Could that be related to the FSMO roles? – dub stylee Apr 24 '15 at 15:49
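Greg Askew's answer points at the ntdsutil procedure for seizing the roles; the following is an added example (not code from the thread or from the linked TechNet article) of the same operation done with the ActiveDirectory PowerShell cmdlets, followed by the metadata cleanup and health checks that belong with it. The surviving DC name DC02, the dead DC name OLDDC, the site name Default-First-Site-Name and contoso.com are assumptions. The one rule that is not an assumption: once the roles have been seized, the old holder must never be powered on in this domain again; rebuild it, as BlueCompute's comment advises.

```powershell
# Added example, not from the original thread. DC02, OLDDC, the site name and
# contoso.com are placeholders. Run elevated, as a member of Enterprise Admins
# and Schema Admins (needed for the forest-level roles).
Import-Module ActiveDirectory

$survivor = "DC02"
$domain   = "contoso.com"
$site     = "Default-First-Site-Name"
$oldDc    = "OLDDC"

# 1. Record the current role holders before changing anything.
Get-ADDomain -Identity $domain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster

# 2. Transfer if the current holder answers, seize if it does not. -Force is
#    what makes this a seize when the holder is unreachable; without it the
#    cmdlet fails exactly like the "Change" button in the Operations Masters
#    dialog did for the poster.
Move-ADDirectoryServerOperationMasterRole -Identity $survivor `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Force -Confirm:$false

# 3. Every role should now name the survivor.
netdom query fsmo

# 4. Metadata cleanup for the dead DC. On Windows Server 2008 and later,
#    deleting the NTDS Settings object is what triggers the cleanup that
#    "ntdsutil metadata cleanup" used to do by hand. Do this only once the
#    decision to rebuild OLDDC is final.
$configNc = "CN=Configuration,DC=" + ($domain -replace '\.', ',DC=')
$serverDn = "CN=$oldDc,CN=Servers,CN=$site,CN=Sites,$configNc"
Remove-ADObject -Identity "CN=NTDS Settings,$serverDn" -Recursive -Confirm:$false
Remove-ADObject -Identity $serverDn -Recursive -Confirm:$false
# The computer account is usually protected from accidental deletion; clear
# that flag before removing it.
Get-ADComputer -Identity $oldDc |
    Set-ADObject -ProtectedFromAccidentalDeletion $false -PassThru |
    Remove-ADObject -Recursive -Confirm:$false

# 5. Health checks before promoting a second DC into this domain.
dcdiag /test:fsmocheck
dcdiag /test:knowsofroleholders /v
repadmin /replsummary
```

Step 4 also removes the stale DNS and replication references that make a half-dead DC cause the "randomly no permissions" behaviour the question describes when it reappears on the network; after it, the rebuilt machine can be promoted cleanly as the second domain controller that Greg Askew recommends.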