had windows 2000 server set as time server - now want to move it to 2003

[gary]

we recently added two windows 2003 servers.

we have had a windows 2000 server set as the time server, with the whole DST
issue I would like to make one of the windows 2003 servers the time server.

since it has been several years since I set that up, how can I turn off that
ability on the 2000 server so I can set all the PCs to sync with the 2003
server?

 

[gary]

we recently added two windows 2003 servers.

we have had a windows 2000 server set as the time server, with the whole
DST issue I would like to make one of the windows 2003 servers the time
server.

since it has been several years since I set that up, how can I turn off
that ability on the 2000 server so I can set all the PCs to sync with the
2003 server?

part of the problem is that if you just time "net time" it syncs with the
windows 2000 server, but you can type "net time \\servername /set " and it
will sync up with the 2003 server.

how can I make the default the 2003 server?
gary

 

[Debo]

part of the problem is that if you just time "net time" it syncs with the
windows 2000 server, but you can type "net time \\servername /set " and it
will sync up with the 2003 server.

how can I make the default the 2003 server?
gary

move the PDC emulator role to the 2003 server

 

[Herb Martin]

we recently added two windows 2003 servers.

we have had a windows 2000 server set as the time server, with the whole
DST issue I would like to make one of the windows 2003 servers the time
server.

That's fine but you really should fix the Win2000 Server (TZEdit or registry
fixes).

And even if you don't do that the time will remain correct on the 2000
server
and the client as long as no one (i.e., human being) sets the time
incorrectly
on that server.

The "time fix" is REALLY a "TIME ZONE" fix -- it is about displaying the
time correctly under the new DST rules.

since it has been several years since I set that up, how can I turn off
that ability on the 2000 server so I can set all the PCs to sync with the
2003 server?

Domain machines are supposed to sync from the DC which authenticates
them -- it is a poor idea to ever "set" the stations to authenticate from a
specific DC or server since that means they are always dependent on that
server.

Are you sure you set this so they would only sync from a specific 2000
Server?

If so you likely followed one of the KB articles related to W32Tm.exe
and the Windows Time Service.

You can Google this at Microsoft:

[ site:microsoft.com w32tm time | registry ]

 

[Herb Martin]

move the PDC emulator role to the 2003 server

Insufficient. Stations normally sync time from the AUTHENTICATING
DC -- DCs sync time from the PDC Emulator.

 

[Gary M]

Insufficient. Stations normally sync time from the AUTHENTICATING
DC -- DCs sync time from the PDC Emulator.

but all the FSMO roles are now held by a Windows 2003 server, so shouldnt
they then sync with it?

gary

 

[Gary M]

we recently added two windows 2003 servers.

we have had a windows 2000 server set as the time server, with the whole
DST issue I would like to make one of the windows 2003 servers the time
server.

That's fine but you really should fix the Win2000 Server (TZEdit or
registry fixes).

And even if you don't do that the time will remain correct on the 2000
server
and the client as long as no one (i.e., human being) sets the time
incorrectly
on that server.

The "time fix" is REALLY a "TIME ZONE" fix -- it is about displaying the
time correctly under the new DST rules.

since it has been several years since I set that up, how can I turn off
that ability on the 2000 server so I can set all the PCs to sync with the
2003 server?

Domain machines are supposed to sync from the DC which authenticates
them -- it is a poor idea to ever "set" the stations to authenticate from
a
specific DC or server since that means they are always dependent on that
server.

Are you sure you set this so they would only sync from a specific 2000
Server?

If so you likely followed one of the KB articles related to W32Tm.exe
and the Windows Time Service.

You can Google this at Microsoft:

[ site:microsoft.com w32tm time | registry ]

well, I thought I had, but that was so long ago I may actually only been
using the net time command, as when the windows 2000 server in question was
being rebooted the PC was then syncing with the OTHER 2000 server rather
than the 2003 servers.

when working on this yesterday I applied all the necessary patches to the
windows 2000 servers, both of them.

and when we rebooted the first one (that was the one the PC was syncing
with) it would then sync up with the second 2000 server! but all the FSMO
roles are held by a windows 2003 server - I checked.
hoo boy.

 

[Herb Martin]

but all the FSMO roles are now held by a Windows 2003 server, so shouldnt
they then sync with it?

No, because stations (i.e., non-DCs) sync from the AUTHENTICATING DC,
not the PDC Emulator.

 

[Herb Martin]

we recently added two windows 2003 servers.

we have had a windows 2000 server set as the time server, with the whole
DST issue I would like to make one of the windows 2003 servers the time
server.

That's fine but you really should fix the Win2000 Server (TZEdit or
registry fixes).

And even if you don't do that the time will remain correct on the 2000
server
and the client as long as no one (i.e., human being) sets the time
incorrectly
on that server.

The "time fix" is REALLY a "TIME ZONE" fix -- it is about displaying the
time correctly under the new DST rules.

since it has been several years since I set that up, how can I turn off
that ability on the 2000 server so I can set all the PCs to sync with
the 2003 server?

Domain machines are supposed to sync from the DC which authenticates
them -- it is a poor idea to ever "set" the stations to authenticate from
a
specific DC or server since that means they are always dependent on that
server.

Are you sure you set this so they would only sync from a specific 2000
Server?

If so you likely followed one of the KB articles related to W32Tm.exe
and the Windows Time Service.

You can Google this at Microsoft:

[ site:microsoft.com w32tm time | registry ]

well, I thought I had, but that was so long ago I may actually only been
using the net time command, as when the windows 2000 server in question
was being rebooted the PC was then syncing with the OTHER 2000 server
rather than the 2003 servers.

when working on this yesterday I applied all the necessary patches to the
windows 2000 servers, both of them.

and when we rebooted the first one (that was the one the PC was syncing
with) it would then sync up with the second 2000 server! but all the FSMO
roles are held by a windows 2003 server - I checked.
hoo boy.

It actually syncs with the CURRENT DC it is using for a "secure channel" --
this would normally be the original "Authenticating DC" unless/until that
DC goes down.

If you type "set logonserver" at a command prompt then the displayed DC
is (almost always) the one it used and is using to sync time.

 

[Gary M]

we recently added two windows 2003 servers.

we have had a windows 2000 server set as the time server, with the
whole DST issue I would like to make one of the windows 2003 servers
the time server.

That's fine but you really should fix the Win2000 Server (TZEdit or
registry fixes).

And even if you don't do that the time will remain correct on the 2000
server
and the client as long as no one (i.e., human being) sets the time
incorrectly
on that server.

The "time fix" is REALLY a "TIME ZONE" fix -- it is about displaying the
time correctly under the new DST rules.

since it has been several years since I set that up, how can I turn off
that ability on the 2000 server so I can set all the PCs to sync with
the 2003 server?

Domain machines are supposed to sync from the DC which authenticates
them -- it is a poor idea to ever "set" the stations to authenticate
from a
specific DC or server since that means they are always dependent on that
server.

Are you sure you set this so they would only sync from a specific 2000
Server?

If so you likely followed one of the KB articles related to W32Tm.exe
and the Windows Time Service.

You can Google this at Microsoft:

[ site:microsoft.com w32tm time | registry ]

well, I thought I had, but that was so long ago I may actually only been
using the net time command, as when the windows 2000 server in question
was being rebooted the PC was then syncing with the OTHER 2000 server
rather than the 2003 servers.

when working on this yesterday I applied all the necessary patches to the
windows 2000 servers, both of them.

and when we rebooted the first one (that was the one the PC was syncing
with) it would then sync up with the second 2000 server! but all the
FSMO roles are held by a windows 2003 server - I checked.
hoo boy.

It actually syncs with the CURRENT DC it is using for a "secure
channel" --
this would normally be the original "Authenticating DC" unless/until that
DC goes down.

If you type "set logonserver" at a command prompt then the displayed DC
is (almost always) the one it used and is using to sync time.

thanks for all the replies Herb, I am learning some stuff here.

so how do you change the logonserver then?
when I type that command on my XP Pro PC it does list one of the windows
2000 servers.

 

[Herb Martin]

thanks for all the replies Herb, I am learning some stuff here.

so how do you change the logonserver then?

Normally "you" do not change this -- it is selected by the computer
before any user even logs onto the computer.

It is selected based on a variety of criteria including "Site" (local
is preferred), last used (the one that worked yesterday), and performance
(the one that responds to the computer fastest.)

when I type that command on my XP Pro PC it does list one of the windows
2000 servers.

Then that was the DC which was used -- and the time from there SHOULD
be just fine since it should be replicating from the PDC Emulator -- unless
it
is the PDC Emulator in which case THAT is the one computer YOU should
arrange to have the correct time (manually, radio hardware, or more commonly
from an Internet NTP server.)

Oh, if you really must change the logonServer (for this particular logon)
the
tool is NLTest. (But don't do that for the issues you are discussing here.)

 

[Gary M]

Normally "you" do not change this -- it is selected by the computer
before any user even logs onto the computer.

It is selected based on a variety of criteria including "Site" (local
is preferred), last used (the one that worked yesterday), and performance
(the one that responds to the computer fastest.)


Then that was the DC which was used -- and the time from there SHOULD
be just fine since it should be replicating from the PDC Emulator --
unless it
is the PDC Emulator in which case THAT is the one computer YOU should
arrange to have the correct time (manually, radio hardware, or more
commonly
from an Internet NTP server.)

Oh, if you really must change the logonServer (for this particular logon)
the
tool is NLTest. (But don't do that for the issues you are discussing
here.)

ah, I'm with you now.
so as long as the PDC Emulator has the right time I should be okay.

thanks!

gary

 

[Herb Martin]

ah, I'm with you now.
so as long as the PDC Emulator has the right time I should be okay.

Yes, and OTHER DCs are properly replicating time from the PDC-E.

Generally the PDC-E is set to get time from an Internet NTP.

thanks!

?Sure. My pleasure.

 

[Reynolds McClatchey]

we recently added two windows 2003 servers.

we have had a windows 2000 server set as the time server, with the whole
DST issue I would like to make one of the windows 2003 servers the time
server.
That's fine but you really should fix the Win2000 Server (TZEdit or
registry fixes).

And even if you don't do that the time will remain correct on the 2000
server
and the client as long as no one (i.e., human being) sets the time
incorrectly
on that server.

The "time fix" is REALLY a "TIME ZONE" fix -- it is about displaying the
time correctly under the new DST rules.

since it has been several years since I set that up, how can I turn off
that ability on the 2000 server so I can set all the PCs to sync with
the 2003 server?
Domain machines are supposed to sync from the DC which authenticates
them -- it is a poor idea to ever "set" the stations to authenticate from
a
specific DC or server since that means they are always dependent on that
server.

Are you sure you set this so they would only sync from a specific 2000
Server?

If so you likely followed one of the KB articles related to W32Tm.exe
and the Windows Time Service.

You can Google this at Microsoft:

[ site:microsoft.com w32tm time | registry ]

well, I thought I had, but that was so long ago I may actually only been
using the net time command, as when the windows 2000 server in question
was being rebooted the PC was then syncing with the OTHER 2000 server
rather than the 2003 servers.

when working on this yesterday I applied all the necessary patches to the
windows 2000 servers, both of them.

and when we rebooted the first one (that was the one the PC was syncing
with) it would then sync up with the second 2000 server! but all the FSMO
roles are held by a windows 2003 server - I checked.
hoo boy.

It actually syncs with the CURRENT DC it is using for a "secure channel" --
this would normally be the original "Authenticating DC" unless/until that
DC goes down.

If you type "set logonserver" at a command prompt then the displayed DC
is (almost always) the one it used and is using to sync time.

What is the result of "net time /setsntp:xxx.xxx.xxx" ?
I get the idea that a ntp server should only be put on a PDC-E.

I have set a ntp server, as above, frequently on Non PDC-E
systems. Wasting my time?
Is the resulting ntp server time ignored at all AD authenticated logins?
What if the box is not logged in? What time do the services see?
Where does a member server that is not logged in get its time?

Are these reasons to set a ntp server or will AD overide the ntp server?

Thanks for the discussion?

Reynolds

 

[Herb Martin]

we recently added two windows 2003 servers.

we have had a windows 2000 server set as the time server, with the
whole DST issue I would like to make one of the windows 2003 servers
the time server.
That's fine but you really should fix the Win2000 Server (TZEdit or
registry fixes).

And even if you don't do that the time will remain correct on the 2000
server
and the client as long as no one (i.e., human being) sets the time
incorrectly
on that server.

The "time fix" is REALLY a "TIME ZONE" fix -- it is about displaying
the
time correctly under the new DST rules.

since it has been several years since I set that up, how can I turn
off that ability on the 2000 server so I can set all the PCs to sync
with the 2003 server?
Domain machines are supposed to sync from the DC which authenticates
them -- it is a poor idea to ever "set" the stations to authenticate
from a
specific DC or server since that means they are always dependent on
that
server.

Are you sure you set this so they would only sync from a specific 2000
Server?

If so you likely followed one of the KB articles related to W32Tm.exe
and the Windows Time Service.

You can Google this at Microsoft:

[ site:microsoft.com w32tm time | registry ]

well, I thought I had, but that was so long ago I may actually only been
using the net time command, as when the windows 2000 server in question
was being rebooted the PC was then syncing with the OTHER 2000 server
rather than the 2003 servers.

when working on this yesterday I applied all the necessary patches to
the windows 2000 servers, both of them.

and when we rebooted the first one (that was the one the PC was syncing
with) it would then sync up with the second 2000 server! but all the
FSMO roles are held by a windows 2003 server - I checked.
hoo boy.

It actually syncs with the CURRENT DC it is using for a "secure
channel" --
this would normally be the original "Authenticating DC" unless/until that
DC goes down.

If you type "set logonserver" at a command prompt then the displayed DC
is (almost always) the one it used and is using to sync time.

What is the result of "net time /setsntp:xxx.xxx.xxx" ?

Tells the machine to use that (set of) SNTP server(s) for syncing time.

I get the idea that a ntp server should only be put on a PDC-E.

That is typically all that is necessary since other DCs sync from the
PDC-E, and the non-DCs sync from the authenticating DCs.

Get the PDC-Emulator correct and the whole domain should be
right -- in fact, get the root forest PDC-Emulator correct and even
a complex forest should sync up time completely as child PDC-E
sync from parent etc.

I have set a ntp server, as above, frequently on Non PDC-E
systems. Wasting my time?

Yes - usually. Unless there is some good reason for not syncing
from PDC-E (e.g., it is across a slow WAN but you have a high
speed link directly to the Internet.)

Is the resulting ntp server time ignored at all AD authenticated logins?

I don't understand the specific question here. AD authentication (i.e.,
Kerberos) requires time to be within 5 minutes by default.

What if the box is not logged in? What time do the services see?

They "see" the time of the API call they use -- either the UTC (aka GMT)
or the local time but most should be written to use UTC time since it
remains consistent even when viewed from different local times.

This is the reason that AD uses UTC internally.

Where does a member server that is not logged in get its time?

DC which authenticates that Server -- you questions imply you might
not realize that a Computer (workstation or server) authenticates ITSELF
even before any user tries to logon.

Are these reasons to set a ntp server or will AD overide the ntp server?

There are good reasons to set it on the PDC-E.