An RODC Does Not Advertise As a Time Source

Applies To: Windows Server 2008

If you are deploying a read-only domain controller (RODC) in an existing Windows Server 2003 forest, the RODC might not properly advertise as a time source for client computers. If you want client computers to synchronize their time from their local RODC, either one of the following configurations must be in place so that the Windows Time service (W32time) can advertise properly on the RODC:

  • The primary domain controller (PDC) emulator operations master in the domain must be running Windows Server 2008.

Note

This is not a prerequisite for installing the RODC role on a server running Windows Server 2008.

Or
  • A writable domain controller that runs Windows Server 2008 in the domain must be configured as a GTIMESERV server for the domain. A GTIMESERV server is a member server (or domain controller) in the domain that is configured to be the authoritative source for time in the domain, which means that other computers in the domain use it as a primary time reference source. A computer in the domain picks a GTIMESERV server for a time source if it can find one.

    If the domain is the forest root domain, the server that you configure as a GTIMESERV server will be the authoritative time source for the forest. Therefore, you should configure it to synchronize time from an external time source and configure the PDC emulator in the forest root domain to synchronize from the server that you configure as a GTIMESERV server.

    If the domain is not the forest root domain, the server that you configure as a GTIMESERV server can synchronize time from the PDC emulator or from a GTIMESERV server further up in the domain hierarchy. The GTIMESERV server can also synchronize time from the same external time source that you configure for the forest root domain.

Impact

If the RODC does not advertise properly as a time source, client computers in the branch office will not synchronize their time with it. The difference that can develop between the client's time and the time on the RODC (and on the rest of the domain) is known as clock skew. By default, the Kerberos policy setting Maximum tolerance for computer clock synchronization is five minutes; if the clock skew exceeds that limit, the KDC rejects the client's requests and the client computers cannot get new Kerberos tickets. This can prevent the clients from authenticating to and accessing resources.

Solution

You can install a server running Windows Server 2008 and then either transfer the PDC emulator role to it or configure it as a GTIMESERV server for the domain.

In a forest root domain, the writable Windows Server 2008 domain controller that you configure as a GTIMESERV server must synchronize time from an external time source. In a child domain, the writable Windows Server 2008 domain controller that you configure as a GTIMESERV server can synchronize time from the domain hierarchy or from the same external time source that you configured for the forest root domain.

On a writable Windows Server 2008 domain controller in the forest root domain, run the following command:

W32tm /config /manualpeerlist:time_source /syncfromflags:MANUAL /reliable:YES /update

Where time_source is the name of an external time source.

On a writable Windows Server 2008 domain controller in a child domain, run the following command:

W32tm /config /syncfromflags:DOMHIER /reliable:YES /update

Then, run the following commands on the RODC to synchronize it with its time source and check its status:

w32tm /resync

w32tm /query /status /verbose
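The following PowerShell script is an added example that ties the procedure above together; it is not part of the original article. It configures a writable domain controller as a GTIMESERV server (forest root or child domain), verifies that a domain controller advertises the GTIMESERV flag, and on the RODC resyncs, confirms the upstream source, and measures the offset against the Kerberos default tolerance. The external source name time.example.com, the domain name corp.example.com, the 300-second skew limit (the default Maximum tolerance for computer clock synchronization) and the function names are assumptions for illustration; the w32tm and nltest commands and the AnnounceFlags value 5 that /reliable:YES writes are standard.

```powershell
# Added example, not from the original article. Assumed placeholders:
# 'time.example.com' (external NTP source), 'corp.example.com' (domain) and
# a 300 s skew limit (the Kerberos default of five minutes).
param(
    [ValidateSet('ForestRootDC', 'ChildDomainDC', 'RODC')]
    [string]$Role = 'RODC',
    [string]$ExternalSource = 'time.example.com',   # assumed placeholder
    [string]$Domain = 'corp.example.com',           # assumed placeholder
    [int]$MaxSkewSeconds = 300                      # Kerberos default tolerance
)

function Set-GoodTimeServer {
    # Configure a writable DC as the GTIMESERV (reliable) source for the domain.
    param([string]$Role, [string]$ExternalSource)
    switch ($Role) {
        'ForestRootDC' {
            # Forest root: sync from the external source and advertise as reliable.
            # The space before /syncfromflags matters; without it w32tm treats the
            # rest of the string as part of the peer name.
            w32tm /config /manualpeerlist:$ExternalSource /syncfromflags:MANUAL /reliable:YES /update
        }
        'ChildDomainDC' {
            # Child domain: follow the domain hierarchy and advertise as reliable.
            w32tm /config /syncfromflags:DOMHIER /reliable:YES /update
        }
    }
    # /reliable:YES writes AnnounceFlags = 5 (Timeserv_Announce_Yes +
    # Reliable_Timeserv_Announce_Yes); confirm the registry reflects it.
    $cfg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
    if ($cfg.AnnounceFlags -ne 5) {
        Write-Warning "AnnounceFlags is $($cfg.AnnounceFlags); expected 5 after /reliable:YES"
    }
    Restart-Service w32time
    w32tm /resync | Out-Null
}

function Test-GoodTimeServerAdvertised {
    # Ask the DC locator for a DC in the domain that advertises GTIMESERV.
    param([string]$Domain)
    $out = nltest /dsgetdc:$Domain /GTIMESERV 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "No DC in $Domain advertises as a good time server:`n$($out -join "`n")"
        return $false
    }
    $out | Where-Object { $_ -match '^\s*(DC|Flags):' } | ForEach-Object { Write-Host $_ }
    return $true
}

function Get-TimeOffsetSeconds {
    # Measure this computer's offset from $Source with w32tm /stripchart.
    # /dataonly lines look like "12:34:56, +00.0123456s"; average the offsets.
    param([string]$Source, [int]$Samples = 3)
    $lines = w32tm /stripchart /computer:$Source /samples:$Samples /dataonly 2>&1
    $offsets = foreach ($l in $lines) {
        if ($l -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "No samples from ${Source}: $($lines -join ' ')" }
    return ($offsets | Measure-Object -Average).Average
}

function Sync-RodcAndCheck {
    # Run on the RODC: resync, show status, and verify it has a real upstream
    # source and is within the Kerberos skew limit.
    param([string]$Domain, [int]$MaxSkewSeconds)
    w32tm /resync | Out-Null
    w32tm /query /status /verbose
    $src = (w32tm /query /source | Out-String).Trim()
    # "Local CMOS Clock" or "Free-running System Clock" means the RODC found no
    # upstream source; anything it serves to branch clients will drift.
    if ($src -match 'Local CMOS Clock|Free-running') {
        Write-Warning "RODC has no upstream time source: $src"
        return
    }
    $peer = ($src -split ',')[0]          # drop a trailing ",0x8"-style flag
    $offset = Get-TimeOffsetSeconds -Source $peer
    if ([math]::Abs($offset) -gt $MaxSkewSeconds) {
        Write-Warning ("Offset from {0} is {1:N3} s, beyond the {2} s Kerberos limit" -f $peer, $offset, $MaxSkewSeconds)
    } else {
        Write-Host ("Offset from {0} is {1:N3} s, within the {2} s Kerberos limit" -f $peer, $offset, $MaxSkewSeconds)
    }
    # Finally, check that the locator now returns a DC advertising TIMESERV,
    # which is what branch clients rely on to pick the RODC.
    nltest /dsgetdc:$Domain /TIMESERV | Where-Object { $_ -match '^\s*(DC|Flags):' }
}

switch ($Role) {
    'ForestRootDC' { Set-GoodTimeServer -Role $Role -ExternalSource $ExternalSource; Test-GoodTimeServerAdvertised -Domain $Domain }
    'ChildDomainDC' { Set-GoodTimeServer -Role $Role -ExternalSource $ExternalSource; Test-GoodTimeServerAdvertised -Domain $Domain }
    'RODC'          { Test-GoodTimeServerAdvertised -Domain $Domain; Sync-RodcAndCheck -Domain $Domain -MaxSkewSeconds $MaxSkewSeconds }
}
```

Run it from an elevated prompt on the forest root DC with -Role ForestRootDC, on the child-domain DC with -Role ChildDomainDC, and on the RODC with the default -Role RODC. If nltest reports no GTIMESERV DC after configuration, wait for the DC locator cache to refresh (or add /FORCE to the nltest call) before concluding that the advertisement failed; if the RODC reports Local CMOS Clock as its source, the hierarchy has no reliable server to offer it and the PDC emulator or GTIMESERV configuration should be rechecked.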