Time Skew Monitoring

Applies To: Operations Manager 2007, Windows Server 2012

Active Directory authentication is built on the Kerberos authentication protocol, which assumes that all computers that participate in authentication keep their clocks within five minutes of one another. Because there is always some amount of time skew between computers, the Active Directory Management Pack (ADMP) continually verifies that all computers are within an acceptable time skew.

The management pack generates a warning or an error depending on the amount of time skew. If the time skew is above the warning threshold, the time skew monitor for the domain controller is in a warning state. If the time skew is above the error threshold, the time skew monitor for the domain controller is in an error state.

For every domain controller that uses the management pack, the time skew monitor automatically chooses a time source for time comparison purposes. The time source is chosen by a simple algorithm, which works as follows:

  • If the computer being monitored is not a primary domain controller (PDC), the PDC for that computer’s domain will be chosen as a time source.

  • If the computer being monitored is the PDC of a non-root domain, the PDC for the root domain will be chosen as a time source.

  • If the computer being monitored is the PDC of the root domain, no time skew detection is done.

Note

The time source that the management pack uses is not the same time source that the Windows Time service (W32time) uses. This is because the management pack must be able to determine the time skew even when W32time is not running.

The time on a domain controller is determined by connecting to the rootDSE object using Lightweight Directory Access Protocol (LDAP). This is the most succinct and error-free way to determine the time. This method requires that the remote computer is also a domain controller. Computers that are not domain controllers, and Network Time Protocol (NTP) time sources, cannot be used as manual time sources.

The time source for comparison is chosen automatically when a manual time source is not specified. If a manual time source is specified (using an override), the automatic time source selection is ignored and the manually specified time source is used. To specify a manual time source, see the Configuration section.
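The time source selection and skew comparison described above, as an added example (not code from the management pack). It assumes the rootDSE currentTime attribute has already been read from each domain controller over LDAP; the host names, timestamps and dictionary keys are constructed, and the threshold values are assumptions because the page gives none.

```python
from datetime import datetime, timezone

# Assumed thresholds (seconds): the page names warning/error thresholds without
# values. 300 s matches the five-minute Kerberos tolerance it cites.
WARN_SECONDS, ERROR_SECONDS = 60, 300

def choose_time_source(dc, manual_source=None):
    """Return the FQDN to compare against, or None when no check is done."""
    if manual_source:               # an override replaces automatic selection
        return manual_source
    if not dc["is_pdc"]:            # ordinary DC: PDC of its own domain
        return dc["domain_pdc"]
    if not dc["in_root_domain"]:    # PDC of a non-root domain: root-domain PDC
        return dc["root_pdc"]
    return None                     # PDC of the root domain: no skew detection

def parse_current_time(value):
    """Parse a rootDSE currentTime string such as 20240301120000.0Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.%fZ").replace(tzinfo=timezone.utc)

def skew_state(dc_time, source_time, warn=WARN_SECONDS, error=ERROR_SECONDS):
    """Classify the absolute skew between two currentTime strings."""
    delta = parse_current_time(dc_time) - parse_current_time(source_time)
    skew = abs(delta.total_seconds())
    if skew > error:
        return "error", skew
    return ("warning" if skew > warn else "healthy"), skew

def evaluate(dc, times, manual_source=None):
    """Return (state, time source, skew in seconds) for one domain controller."""
    source = choose_time_source(dc, manual_source)
    if source is None:
        return "not-monitored", None, None
    state, skew = skew_state(times[dc["fqdn"]], times[source])
    return state, source, skew

# Constructed sample data standing in for values read from each DC's rootDSE.
TIMES = {"pdc.corp.example": "20240301120000.0Z",
         "pdc.child.corp.example": "20240301120020.0Z",
         "dc2.child.corp.example": "20240301120200.0Z"}
ROOT_PDC = {"fqdn": "pdc.corp.example", "is_pdc": True, "in_root_domain": True,
            "domain_pdc": "pdc.corp.example", "root_pdc": "pdc.corp.example"}
CHILD_PDC = {"fqdn": "pdc.child.corp.example", "is_pdc": True, "in_root_domain": False,
             "domain_pdc": "pdc.child.corp.example", "root_pdc": "pdc.corp.example"}
CHILD_DC = {"fqdn": "dc2.child.corp.example", "is_pdc": False, "in_root_domain": False,
            "domain_pdc": "pdc.child.corp.example", "root_pdc": "pdc.corp.example"}

if __name__ == "__main__":
    for dc in (ROOT_PDC, CHILD_PDC, CHILD_DC):
        print(dc["fqdn"], evaluate(dc, TIMES))
```

With the constructed data, the child-domain DC is compared with its own PDC by default and with the root PDC only when the override is supplied, so the same clock can report a different skew depending on the configured source.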

Configuration

To perform the procedures in this section, you must be a member of the Operations Manager Administrators group in the Operations console. For more information, see Account Information for Operations Manager 2007 (https://go.microsoft.com/fwlink/?LinkId=165736).

To specify a manual time source

  1. Open the Operations console, and click Authoring.

  2. Expand Management Pack Objects, and then click Monitors.

  3. In the Monitor pane, expand Active Directory Domain Controller Server 2000 Computer Role.

  4. Expand Entity Health, and then expand Configuration.

  5. Right-click AD Time Skew Monitor, click Overrides, click Override this Monitor, and then click For all objects of class: Active Directory Domain Controller Server 2000 Computer.

  6. Select the box that corresponds to TimeSource in the Parameter Name column, and enter the fully qualified domain name (FQDN) of a domain controller as the new time source.

  7. In Select destination management pack, select the management pack that you created for ADMP Customizations, as described in Create a New Management Pack for Customizations. If you have not yet created a management pack for your overrides, you can click New to create one now. Click OK.

  8. Repeat steps 3 through 7 for the following roles:

    • Active Directory Domain Controller Server 2003 Computer Role

    • Active Directory Domain Controller Server 2008 Computer Role