Feb 23, 2010

Windows 2008 - before and after DCPROMO

On a Windows Server, date and time handling can be very different when the server is an Active Directory Domain Controller (ADDC).
A typical Windows 2008 server will, by default, look very much like the Windows 7 machine in Figure 1. All the same tabs, including Internet Time, are present. You can see this in Figure 2, below.

Figure 2: Windows 2008 Server before DCPROMO

However, what happens if you make that same Windows Server a DC?
After running a DCPROMO, if you go back into the same Date and Time tool, you will find that the Internet Time tab is missing. Take a look at this in Figure 3, below.

Figure 3: Windows 2008 Server After DCPROMO

Why is this? When a Windows Server becomes a domain controller, the default of obtaining the date and time via NTP from time.windows.com, over the Internet, goes away. The server becomes the root time server for all computers in the domain using Windows SNTP (Simple Network Time Protocol). The Windows Time service (and its w32tm CLI command) is what provides and controls this.
As you can see in Figure 4, on this server, which is not an ADDC, the Windows Time service is set to Manual and is not started.

Figure 4: Windows Time not started on default server

However, on the Windows Server in Figure 5, the Windows Time service is started and set to Automatic because this is an Active Directory Domain Controller.

Figure 5: Windows Time running on Domain Controller

Configuring a domain controller to use NTP

By default on a domain controller, the internal BIOS clock on the server is the source for date and time in the entire infrastructure. However, how do you know it is right?
In my opinion, your domain controller should use NTP to go out to the Internet and sync its date and time with the world's authoritative NTP servers. Unfortunately, you have to use the Windows registry editor and edit 6 registry entries to do this. In my opinion, it should be easier to do this by having a GUI available, but today you'll have to edit the registry.
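Before changing anything, it helps to confirm which of the states described above a server is in. The following read-only check is an added example, not part of the original article; it assumes PowerShell 2.0 or later, an elevated prompt, and that `w32tm /query /source` reports "Local CMOS Clock" or "Free-running System Clock" when no network time source is in use.

```powershell
# Added example: report Windows Time state and time source on this machine.
# Read-only; makes no configuration changes.

function Get-TimeSyncReport {
    # DomainRole 4 and 5 mean this computer is a domain controller.
    $cs   = Get-WmiObject -Class Win32_ComputerSystem
    $isDC = $cs.DomainRole -ge 4

    # Win32_Service exposes both the current state and the start mode
    # (Manual / Auto), the two values shown in the Services console.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='W32Time'"

    # w32tm can only answer while the service is running.
    $source = $null
    if ($svc.State -eq 'Running') {
        $source = (& w32tm /query /source | Out-String).Trim()
    }

    # Assumption: these are the strings w32tm prints when the machine
    # is keeping time from its own hardware clock.
    $localClock = $source -match 'Local CMOS Clock|Free-running System Clock'

    $finding = 'OK'
    if ($isDC -and $svc.State -ne 'Running') {
        $finding = 'Domain controller, but Windows Time is not running'
    } elseif ($isDC -and $localClock) {
        $finding = 'Domain controller is using its own hardware clock as the time source'
    } elseif (-not $isDC -and $svc.State -ne 'Running') {
        $finding = 'Not a domain controller; Windows Time is stopped'
    }

    New-Object PSObject -Property @{
        Computer         = $cs.Name
        DomainController = $isDC
        ServiceState     = $svc.State
        StartMode        = $svc.StartMode
        TimeSource       = $source
        Finding          = $finding
    }
}

Get-TimeSyncReport |
    Format-List Computer, DomainController, ServiceState, StartMode, TimeSource, Finding
```

Running it again after the NTP configuration is in place should show an external server name in `TimeSource` instead of the local clock.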


