The Windows Time Service does not require you to point any of your DCs to
the root as an authoritative time server. The default W32Time Type setting
of Nt5DS will cause each domain member to use its authenticating domain
controller as the time server and the domain controllers will use a stratum
algorithm to determine their status within the hierarchy. The PDC Emulator
at the root of the forest is the authoritative time server and is the only
DC that you should configure manually. It's not critical that you
configure your time to be accurate with an outside source - as long as all
your machines agree on the time (even if their actual time is incorrect)
then they will be able to communicate with one another.

The following documents should prove useful regarding Windows Time:

Windows Time Service Whitepaper
http://www.microsoft.com/windows2000/techinfo/howitworks/security/wintimeserv.asp

216734 How to Configure an Authoritative Time Server in Windows 2000
http://support.microsoft.com/?id=216734

224799 Basic Operation of the Windows Time Service
http://support.microsoft.com/?id=224799

223184 Registry Entries for the W32Time Service
http://support.microsoft.com/?id=223184

262680 A List of the Simple Network Time Protocol Time Servers That Are
http://support.microsoft.com/?id=262680

As far as the accounts that are not being authenticated, the problem may
lie elsewhere.
What exact error do they get when they attempt to log in?
Does the problem happen for the same set of user accounts, are they all on
the same subnets, anything in common about these users?
Is the problem consistently reproducible?
David Pharr, (e-mail address removed)
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: Michael Prizant
| Subject: Replication Problems with Win2k AD and W32time
| Date: Mon, 19 Jul 2004 08:14:05 -0700
| Newsgroups: microsoft.public.win2000.active_directory
|
| I have a client with a very basic 7-site Windows 2000 SP4 Network running
| Active Directory. There is one DC in each Site, and each one is running
| Win2k SP4. The problem is that there are times when certain accounts cannot
| be authenticated by AD. I have run DCDIAG and for the most part the results
| are clean, with the exception that I'm getting an Error 64 and 54 on the
| Root DC. I have manually set up the Root DC as the Authoritative Time
| Server, and gone to each DC and pointed them to the Root DC as the ATS. The
| error that I get back is that the Authoritative Time server is not
| responding, and that the DC cannot find a DC to sync with. The connections
| are full point to point T1s, and I'm not showing any problems with network
| connectivity. I'm able to browse to and ping the Root DC from each site
| just fine.
|
| Any ideas? I'm at a total loss here.
|
| Michael Prizant
|
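
An added example, not part of the original thread or of any Microsoft tooling: a PowerShell audit of the W32Time Type value on each DC against the layout described in the reply (Nt5DS everywhere, manual configuration only on the forest root PDC emulator). The function names and the host names ROOTDC, SITE2DC and SITE3DC are hypothetical, the inventory is constructed sample data, and it assumes PowerShell 3.0 or later on a management workstation with the Remote Registry service reachable on each DC.

```powershell
# Registry key that holds the W32Time "Type" value (Nt5DS, NTP or NoSync).
$W32TimeKey = 'SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function Get-W32TimeParameters {
    # Reads Type and NtpServer from one DC over the Remote Registry service.
    param([Parameter(Mandatory)][string]$ComputerName)
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $key = $hive.OpenSubKey($W32TimeKey)
        if ($null -eq $key) { throw "W32Time parameters key not found on $ComputerName" }
        [pscustomobject]@{
            Name      = $ComputerName
            Type      = [string]$key.GetValue('Type')
            NtpServer = [string]$key.GetValue('NtpServer')
        }
    } finally { $hive.Close() }
}

function Test-W32TimeParameters {
    # Compares one DC's settings with the hierarchy described in the reply.
    param([Parameter(Mandatory)]$Dc, [Parameter(Mandatory)][string]$RootPdc)
    $finding = if ($Dc.Name -eq $RootPdc) {
        'OK: forest root PDC emulator, the only DC configured by hand'
    } elseif ($Dc.Type -eq 'Nt5DS') {
        'OK: follows the domain hierarchy'
    } elseif ($Dc.Type -eq 'NoSync') {
        'REVIEW: time synchronization is disabled'
    } else {
        "REVIEW: manual peer '$($Dc.NtpServer)' overrides the hierarchy; reset Type to Nt5DS"
    }
    [pscustomobject]@{ Name = $Dc.Name; Type = $Dc.Type; Finding = $finding }
}

# Constructed inventory mirroring the thread: a DC pointed at the root DC by hand.
$inventory = @(
    [pscustomobject]@{ Name = 'ROOTDC';  Type = 'NTP';   NtpServer = '' }
    [pscustomobject]@{ Name = 'SITE2DC'; Type = 'NTP';   NtpServer = 'ROOTDC' }
    [pscustomobject]@{ Name = 'SITE3DC'; Type = 'Nt5DS'; NtpServer = '' }
)
$inventory | ForEach-Object { Test-W32TimeParameters -Dc $_ -RootPdc 'ROOTDC' } |
    Format-Table -AutoSize

# Live collection instead of the sample data:
# $inventory = 'ROOTDC','SITE2DC','SITE3DC' | ForEach-Object { Get-W32TimeParameters $_ }
```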