1

Our infrastructure team have bigger things to worry about right now than the network time being 2 minutes out (2 mins slower than external reliable sources). However, the time being wrong really bugs me and the more anal retentive members of our department.

Can we fix this? Yes we can! I know we can because I've done it before. My machine currently synchronizes to "time.nist.gov", I think. At least that is the value in the registry under HKLM\SYSTEM\ControlSet001\Services\W32Time. What I know for sure is that it is within a second of several reliable time servers. My colleagues' machines match the network.

After I last rebuilt my machine (approx a year ago) I made some changes to get the time synching correctly but can't for the life of me remember how!

I know this is pretty similar to this question, however I have a slightly different angle on it. Maybe a little reverse engineering of the syncing machine will help us?

Background: I (and my anal-retentive colleagues) are all members of the Domain Admins group and have local admin rights to our boxes. We cannot change the Domain or DCs in any way. We each have unrestricted access to the internet.

So far tried: Cloning the registry HKLM\SYSTEM\ControlSet001\Services\W32Time to the other machines - this failed

G-.
  • When you say that the network time is two minutes out, do you mean that time in the domain as a whole is out of sync as compared to an external time source or do you mean that the client time is out of sync with the DC? – joeqwerty Dec 09 '09 at 17:13
  • The first one. OoSync with external reliable sources. – G-. Dec 10 '09 at 10:09

3 Answers

2

Do this and you WILL have trouble. Active Directory requires all machines on the domain to be time synced within a certain tolerance for correct functionality, so if the difference becomes too large you may find yourself not being able to log on.

If it really bothers you that much you should talk to your admins about syncing their PDC emulator with a more reliable time source, and explain to them that the time difference is causing you issues (be prepared to have to back it up with a credible case though).

If you insist on keeping your own machine to a separate time source, you can expect your admins - when they become aware of it - to refuse to provide support to you until you put it back the way it should be. You may even have a GPO that is enforcing the correct domain hierarchy time setup, thus preventing you from messing with it.

The moral of this story is "don't interfere with the way things are supposed to work".

Maximus Minimus
  • I do appreciate the warning and recognise the potential for trouble, however, as I have been working with a Laptop that has been synchronizing to an external source for the past year without issue I am happy to take the chance. Do you have any suggestions as to how _this_ machine is managing to sync externally? I'm part of the IT department myself, ERP Dev and WinMo support specifically, so my support requests tend to land at the very bottom of the pile anyway, we all know "the business" is far more important than IT :) – G-. Dec 10 '09 at 10:45
0

As an AD administrator I agree with the general sentiment in mh's answer. While it is true that 2 minutes will not cause a huge problem for AD (the maximum allowable time difference is 5 minutes before Kerberos breaks), I would still tend to not mess with it. 2 minutes really isn't anything to fret about unless you have OCD tendencies :-)

ThatGraemeGuy
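To put numbers on the drift and the 5-minute Kerberos tolerance discussed in the answers above, the following added example (not code from any poster in this thread) measures the local clock's offset against a time source with a single SNTP query. The function names are this example's own, and the hosts to query are supplied on the command line.

```python
import socket
import struct
import sys
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
KERBEROS_MAX_SKEW = 300.0     # the 5-minute tolerance quoted in the answer above


def parse_offset(reply, t1, t4):
    """Offset in seconds; positive means the local clock is behind the server."""
    # t1 and t4 are the local send and receive times (Unix seconds).
    if len(reply) < 48:
        raise ValueError("short NTP packet")
    leap, mode, stratum = reply[0] >> 6, reply[0] & 0x7, reply[1]
    if mode != 4:
        raise ValueError("not a server reply")
    if stratum == 0 or leap == 3:
        raise ValueError("server reports it is not synchronised")
    # Receive (t2) and transmit (t3) timestamps: 32-bit seconds + 32-bit fraction.
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!4I", reply[32:48])
    t2 = rx_s - NTP_EPOCH_DELTA + rx_f / 2**32
    t3 = tx_s - NTP_EPOCH_DELTA + tx_f / 2**32
    return ((t2 - t1) + (t3 - t4)) / 2


def kerberos_margin(offset):
    """Seconds of tolerance left; negative means the limit is exceeded."""
    return KERBEROS_MAX_SKEW - abs(offset)


def query(server, timeout=3.0):
    """Send one SNTP client request (version 3, mode 3) and return the offset."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(b"\x1b" + bytes(47), (server, 123))
        reply, _ = sock.recvfrom(512)
        t4 = time.time()
    return parse_offset(reply, t1, t4)


if __name__ == "__main__":
    for host in sys.argv[1:]:  # hosts to compare are supplied by the caller
        off = query(host)
        print(f"{host}: offset {off:+.3f} s, Kerberos margin {kerberos_margin(off):.1f} s")
```

Running it against a domain controller and an external server shows how far the local clock sits from each, and how much of the Kerberos tolerance remains relative to the domain.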
-1

The Windows XP NTP client is almost completely useless. The synchronization occurs at seemingly random intervals, with immeasurable delays. We run a time precision trading application on Windows, and discovered (by writing a replacement NTP client) that time adjustment on Windows is also a nightmare.

My suggestion to you is to use Automachron (discontinued, but still useful).

matt