Active Directory Time Question (close thread-answer found)
vsmith3rd
My understanding is that time is replicated in AD, as time sync is crucial for replication to run properly. In your experiences, how is this time managed? It would seem that at least one DC would sync with an authoritative time server, and replicate that standard throughout AD. I was told that our network at work doesn't use a time server. If this is the case, how does AD (W32Time) manage the time? If one DC serves as the template, what happens if that DC's time is off?
I ask this because I noticed a DC at work running about 15 minutes behind. I confirmed my suspicion that the Replication Service was out of whack. After some thought, I wondered how AD managed time without a time server to which to sync itself.
Thanks in advance for your input.
Comments
vsmith3rd
Never mind, I just remembered the PDC Emulator.
For those wondering, a single DC will serve as a PDC emulator, and set the time standard for AD throughout the forest. The PDC Emulator is synced with an external source, usually an atomic clock or Internet time server. At least that's my understanding.
I wonder why my LAN engineers didn't educate me to this? (I'm only Tier 2)
Claymoore
The DC with the PDC emulator role is the authoritative time server for the domain:
http://www.techexams.net/forums/viewtopic.php?t=41088
The PDC emulator can sync to an external source - I believe time.windows.com by default - or it can keep its own time. The computers in the domain must have the same time for Kerberos to work (the time is part of the hash used for authentication), but that doesn't mean it has to be the correct time. By default Kerberos will only tolerate 5 minutes of time skew before failing authentication.
vsmith3rd
Thanks for confirming my suspicions, Claymoore. Sorry I missed that previous post. I searched the forums, but I missed that somehow.
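Added example, not part of the original thread: a short Python check that parses text laid out like `w32tm /monitor` output and lists DCs whose offset from the PDC emulator exceeds the 5-minute Kerberos tolerance mentioned above, plus DCs that returned no reading. The sample output, host names and addresses are constructed, and the exact line layout is an assumption that may differ between Windows versions.

```python
import re

KERBEROS_MAX_SKEW_S = 300  # default 5-minute tolerance mentioned in the thread

# Constructed sample laid out like `w32tm /monitor` output.
# Host names, addresses and offsets are made up for illustration.
SAMPLE = """\
dc1.example.test *** PDC ***[192.0.2.10:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from dc1.example.test
        RefID: time.windows.com [198.51.100.7]
        Stratum: 3
dc2.example.test[192.0.2.11:123]:
    ICMP: 1ms delay
    NTP: -902.4417310s offset from dc1.example.test
        RefID: dc1.example.test [192.0.2.10]
        Stratum: 4
dc3.example.test[192.0.2.12:123]:
    ICMP: 1ms delay
    NTP: error ERROR_TIMEOUT - no response from server in 1000ms
"""

HOST_RE = re.compile(r"^([^\s\[]+)(\s+\*\*\* PDC \*\*\*)?\[[^\]]+\]:\s*$")
OFFSET_RE = re.compile(r"^\s+NTP:\s+([+-]\d+(?:\.\d+)?)s offset from")
REFID_RE = re.compile(r"^\s+RefID:\s+(.+?)\s+\[")

def parse_monitor(text):
    """Return one dict per DC: name, is_pdc, offset_s (None if no reading), refid."""
    dcs = []
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            dcs.append({"name": m.group(1), "is_pdc": bool(m.group(2)),
                        "offset_s": None, "refid": None})
        elif dcs and (m := OFFSET_RE.match(line)):
            dcs[-1]["offset_s"] = float(m.group(1))
        elif dcs and (m := REFID_RE.match(line)):
            dcs[-1]["refid"] = m.group(1)
    return dcs

def skew_report(dcs, limit=KERBEROS_MAX_SKEW_S):
    """Return (over, unknown): DCs more than `limit` seconds from the PDC
    emulator, and DCs with no offset reading (timeout or NTP error)."""
    over = [d["name"] for d in dcs
            if d["offset_s"] is not None and abs(d["offset_s"]) > limit]
    unknown = [d["name"] for d in dcs if d["offset_s"] is None]
    return over, unknown

if __name__ == "__main__":
    print(skew_report(parse_monitor(SAMPLE)))
```

A DC in the first list, like the one running about 15 minutes behind in the original question, is outside the default Kerberos window; a DC in the second list needs its time service or connectivity checked before its clock can be trusted.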