Monday, March 9, 2009

If I Could Turn Back Time

For anyone who manages an Active Directory environment, you've undoubtedly come to understand the need for keeping time in sync. In short, Kerberos rejects tickets when a computer's clock differs from the domain controller's by more than the allowed skew (5 minutes by default), so if the local computer time is more than 5 minutes off from the logon server, you won't be able to log on.

By default, Windows machines are configured to use NT5DS, or domain hierarchy, time synchronization. The idea is that clients and member servers synchronize their time with a domain controller, and the domain controllers synchronize their time with the domain controller holding the PDC emulator (PDCE) FSMO role. The PDCE has no parent in that hierarchy, so the administrator is supposed to configure the PDCE role holder to synchronize its time with an outside NTP source.

However, you may someday find yourself in an environment where "things were changed." Unwitting administrators may have configured their environment differently, and if your luck is anything like mine, you'll eventually find yourself inheriting or troubleshooting such an environment.

To reset a Windows Server 2003 computer back to default NT5DS synchronization, run the following command:

w32tm /config /syncfromflags:domhier /update

(/config accepts /update in the same call, so there is no need for two commands. Follow it with w32tm /resync if you don't want to wait for the next poll interval.)

"But, Aaron," you say, "I have hundreds of servers!"

No worry, there's help for you as well. Grab the free PsTools suite from Sysinternals. Inside you'll find the Windows administrator's best friend: psexec. With that great tool, you can run any command against a list of servers.

In addition, you'll want to grab a copy of the GnuWin32 CoreUtils, which provides Win32 builds of the standard *nix text utilities. Windows pretty much sucks at command-line text manipulation, which makes this toolset invaluable.

So, armed with the right tools, how to get that list?

From either a domain controller (or a server/workstation with the AdminPak, PsTools, and GnuWin32 CoreUtils installed), replacing dc=domain,dc=com with your own domain's distinguished name:

1. ldifde -f temp1.txt -d "dc=domain,dc=com" -r "(&(objectClass=computer)(operatingSystem=Windows Server*))" -l cn
2. findstr /b /i /c:"cn: " temp1.txt | cut -c 5- > temp2.txt

(findstr /c: treats "cn: " as one literal search string rather than splitting it on the space, /b anchors it to the start of the line, and cut -c 5- drops the four-character "cn: " prefix without touching the computer name itself. Use > rather than >> so a previous run's list isn't appended to.)

The resulting file (temp2.txt) will contain one name per line for every computer object whose operatingSystem attribute starts with "Windows Server", which in practice means all of the Windows Server 2003 and 2008 machines in your environment. Bear in mind that it also includes stale computer accounts for servers that no longer exist, so expect psexec to fail on a few. Once you have that list:

psexec @temp2.txt w32tm /config /syncfromflags:domhier /update

The two w32tm calls are folded into one on purpose: an unquoted & on the psexec command line is interpreted by your local cmd.exe, so the /update half would run on your own machine instead of on the remote servers. Running this against the PDCE does no harm, since the next step reconfigures it anyway.

The last step is to configure the server holding the PDCE FSMO role to use an external NTP time source and to advertise itself as a reliable time source to the rest of the domain:

w32tm /config /syncfromflags:manual /manualpeerlist:"<ntp-server>" /reliable:yes /update

Replace <ntp-server> with whatever NTP server you want to use (several can be listed inside the quotes, separated by spaces). Make sure you can get to it on UDP 123; running w32tm /stripchart /computer:<ntp-server> /samples:3 /dataonly before you commit will tell you whether it answers and how far off you currently are. Then force a resync with w32tm /resync, and check the result with w32tm /monitor, which lists every domain controller along with its offset from the PDCE.
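As an added example (my own PowerShell, not part of the original post), here is the list-building step done as a read-first audit: it runs the same LDAP filter as the ldifde line above through ADSI, reads the Type and NtpServer values that w32tm /config writes under W32Time\Parameters on each server over Remote Registry, writes a CSV report, and then produces a temp2.txt containing only the reachable servers that are not already on NT5DS, with the PDCE left out because it gets the manual configuration in the last step. It assumes PowerShell 2.0 or later, domain admin rights, and the Remote Registry service reachable on the targets (TCP 445); the file names and variable names are my own.

```powershell
# Added example (not from the original post): audit every Windows Server computer
# object's W32Time configuration before resetting anything with psexec.
# Assumes PowerShell 2.0+, domain admin rights, and the Remote Registry service
# reachable on the targets (TCP 445). File and variable names below are my own.

param(
    [string]$ReportPath    = ".\w32time-audit.csv",
    [string]$ResetListPath = ".\temp2.txt"   # same file name the post feeds to psexec @file
)

# The PDC emulator is the one box that should NOT be NT5DS: it is the top of the hierarchy
# and gets the /syncfromflags:manual configuration in the last step instead.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdce   = $domain.PdcRoleOwner.Name.Split('.')[0].ToUpper()

# Same LDAP filter as the post's ldifde line, via ADSI so no temp files or GnuWin32 are needed.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter   = "(&(objectClass=computer)(operatingSystem=Windows Server*))"
$searcher.PageSize = 1000      # page the results so domains with >1000 servers come back whole
[void]$searcher.PropertiesToLoad.Add("cn")
$servers = $searcher.FindAll() | ForEach-Object { $_.Properties["cn"][0] }

$results = foreach ($name in $servers) {
    $row = New-Object PSObject -Property @{
        Computer  = $name
        Type      = $null     # NT5DS = domain hierarchy, NTP = manual peers, NoSync = disabled
        NtpServer = $null
        Error     = $null
    }
    try {
        # Read the same values w32tm /config writes under W32Time\Parameters.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $name)
        $key  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\W32Time\Parameters')
        $row.Type      = $key.GetValue('Type')
        $row.NtpServer = $key.GetValue('NtpServer')
        $hklm.Close()
    } catch {
        # Stale computer objects and powered-off servers land here instead of aborting the run.
        $row.Error = $_.Exception.Message
    }
    $row
}

$results | Sort-Object Computer | Export-Csv -NoTypeInformation -Path $ReportPath

# Reset list: reachable servers that are not already on domain hierarchy, minus the PDCE.
$toReset = $results |
    Where-Object { -not $_.Error -and $_.Type -ne 'NT5DS' -and $_.Computer.ToUpper() -ne $pdce } |
    ForEach-Object { $_.Computer }

# psexec @file wants a plain ANSI/ASCII text file with one host per line; Out-File's
# default encoding is UTF-16, so the encoding is set explicitly.
$toReset | Out-File -Encoding ASCII -FilePath $ResetListPath

Write-Host ("{0} servers audited, {1} need resetting (list in {2}); PDCE is {3}" -f `
    @($results).Count, @($toReset).Count, $ResetListPath, $pdce)

# Then, as in the post, but in one w32tm call so your local cmd.exe does not split it:
#   psexec @temp2.txt w32tm /config /syncfromflags:domhier /update
#   psexec @temp2.txt w32tm /resync
```

Feed the resulting temp2.txt to psexec exactly as above, then rerun the audit: the reset list should come back empty, and the CSV should show every server except the PDCE with Type NT5DS. The CSV also gives you a record of what the "changed" environment looked like before you touched it, which is handy when someone asks why a server that used to point at a long-dead NTP appliance suddenly agrees with the rest of the domain.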

And ... you're done.
