Hello from Chattanooga,
Where my luggage got here a full day later than me. I’m here to deliver an Active Directory Risk Assessment Program, or ADRAP, which does an exhaustive check of the health and risk of Active Directory. If you’ve never had one I suggest contacting your TAM; it will be an eye-opening experience. One area of focus is how time is configured for the AD forest. I want to touch quickly on a scenario that is not always seen. Hopefully everyone has read this article: http://technet.microsoft.com/en-us/library/cc773013(WS.10).aspx. To summarize: the PDC in the root domain should get its time from a reliable external NTP server. All DCs in the parent domain get their time from their PDC. The PDC in a child domain can get its time from the PDC in the root domain or any other DC in the root domain. Any child DC can get its time from the PDC in its own domain or any DC in the parent. Workstations get their time from any DC in their domain. Check out the nice diagram in the previous link.
We can check this by running w32tm /monitor. I’ll use my MSPaint skills to protect the innocent.
Let’s talk about the stratum quickly. This is ripped directly out of the previous link (I told you to read it): “The degree to which a computer’s time is accurate is called a stratum. The most accurate time source on a network (such as a hardware clock) occupies the lowest stratum level, or stratum one. This accurate time source is called a reference clock. An NTP server that acquires its time directly from a reference clock occupies a stratum that is one level higher than that of the reference clock. Resources that acquire time from the NTP server are two steps away from the reference clock, and therefore occupy a stratum that is two higher than the most accurate time source, and so on. As a computer’s stratum number increases, the time on its system clock may become less accurate. Therefore, the stratum level of any computer is an indicator of how closely that computer is synchronized with the most accurate time source.”
As we can see in our picture above, the PDC has a stratum of 3 and the other DCs have a stratum of 4. The PDC is closer to the most accurate time source, such as a hardware clock, so its stratum is closer to 1 than the other DCs’. This is exactly what we expect to see.
What if this scenario happens, however: your root PDC is not configured to get its time from an external time source but is getting its time from itself and advertising itself as stratum 1. Your other DCs now have a stratum of 2. You realize the error of your ways, reconfigure your root PDC, and its stratum now becomes 4, like the picture above. How do the other DCs behave? How do the other clients behave? Do they accept this stratum change? For those who say that will never happen: it happened to a customer last week. When the stratum number of a time server increases, clients will refuse to accept any new time samples from it. This is by design and part of the NTP protocol. So now your clients can drift out of sync! The way around this is to restart the time service on all clients. This resets their state, and the clients will then begin to work normally. Thanks to Sarath Madakasira for this tip. That’s all for now.
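To make the w32tm /monitor check and the restart-the-clients fix above concrete, here is an added PowerShell example that is not from the original post: it parses /monitor output (a constructed sample is embedded, showing a DC stuck at stratum 2 after the PDC moved to 4), flags DCs whose stratum is not PDC + 1, and restarts w32time on a list of clients. The domain, host names and addresses are made up.

```powershell
# Added example, not from the original post. Domain, hosts, addresses and the
# sample 'w32tm /monitor' output below are constructed.
function ConvertFrom-W32tmMonitor {
    param([string[]]$Lines)
    $entries = @(); $cur = $null
    foreach ($line in $Lines) {
        # Host header, e.g. "dc1.contoso.com *** PDC ***[10.0.0.1:123]:"
        if ($line -match '^(\S+?)(\s+\*\*\* PDC \*\*\*)?\[(.+):\d+\]:') {
            $cur = [pscustomobject]@{ Name = $Matches[1]; IsPdc = [bool]$Matches[2]
                                      Address = $Matches[3]; RefId = $null; Stratum = $null }
            $entries += $cur
        } elseif ($cur -and $line -match 'RefID:\s+(\S+)')  { $cur.RefId   = $Matches[1] }
        elseif   ($cur -and $line -match 'Stratum:\s+(\d+)') { $cur.Stratum = [int]$Matches[1] }
    }
    return $entries
}
function Test-StratumChain {
    param([object[]]$Entries)
    $pdc = $Entries | Where-Object { $_.IsPdc } | Select-Object -First 1
    foreach ($e in $Entries) {
        $problem = $null
        if ($e.IsPdc -and $e.Stratum -le 1) {
            $problem = 'PDC advertises stratum 1: likely syncing from its own clock, not an external NTP source'
        } elseif (-not $e.IsPdc -and $e.Stratum -ne ($pdc.Stratum + 1)) {
            # A DC still below the PDC's new stratum is rejecting the PDC's samples (the post's scenario)
            $problem = "expected stratum $($pdc.Stratum + 1) (PDC + 1), found $($e.Stratum)"
        }
        [pscustomobject]@{ Name = $e.Name; Stratum = $e.Stratum; RefId = $e.RefId; Problem = $problem }
    }
}
# The fix from the post: restart the time service on every affected client to reset its state.
function Repair-TimeClients {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Restart-Service -Name w32time
        w32tm /resync /nowait
    }
}
$sample = @'
dc1.contoso.com *** PDC ***[10.0.0.1:123]:
    NTP: +0.0000000s offset from dc1.contoso.com
        RefID: ntp.example.net [203.0.113.5]
        Stratum: 4
dc2.contoso.com[10.0.0.2:123]:
    NTP: -0.0005123s offset from dc1.contoso.com
        RefID: dc1.contoso.com [10.0.0.1]
        Stratum: 2
'@ -split "`r?`n"
$report = Test-StratumChain (ConvertFrom-W32tmMonitor $sample)
$report | Format-Table -AutoSize   # dc2 is flagged: stratum 2 where 5 was expected
```

Against a live domain, replace $sample with (w32tm /monitor) and pass the names that carry a Problem to Repair-TimeClients.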
Mark “can deliver ADRAPs in jeans and a mouserat tshirt” Morowczynski