Coopie-6364 asked ·

Windows 2008 R2 DC Time Drift - Windows 2019 DC promotion

Hi all

Just started at a new company, they've got an isolated Forest\Domain setup for a specific client with 1 very old Physical Windows 2008 R2 server in it, acting as DC\File and Print.
It's 15 mins drifted from the real world because it was never synced with an external time source and has no external internet, and very little other access to the Corporate setup. Sensitive work.

This server is completely isolated aside from very few open ports like SMB, print and some RDP.
There are then 3 separate, collaborating companies with holes poked in various firewalls to get file and print access, mapped with batch files and remembered passwords.

I've sent 2 new Physical servers up to the site for this environment, Windows 2019, and have added them as members to the domain for now. They've synced up with the Windows 2008 R2 PDC, no issues there, but as expected are 15 mins out from the real world.

Can I just manually change the time on the current Windows 2008 PDC, via the OS tools like time or the GUI clock, and then resync the 2 members...or do I need to change the clock time in a more intelligent way?

This time drift issue hasn't caused any problems for end users, because they do not directly log into this domain, they just map drives and printers, and as far as I can tell the password auth hasn't been affected for years.

BUT, next week I want to promote one of those Windows 2019 Servers to a DC as a first step to adding redundancy up there....and I don't want any strange occurrences due to the time drift. Once I get the 2 new servers standing up as DCs I'll be working on setting up an external trust design here to improve this environment.

I don't "expect" any issues with AD when I promote the new DC because the time drift within the isolated Forest\Domain is not subject to any external influence...but even so....I'd rather have it set correctly.

Any thoughts folks?
Coop

windows-server windows-active-directory windows-server-2019

1 Answer

HannahXiong-MSFT answered ·

Hello,

Thank you so much for posting here.

PDC emulators in separate, independent forests need to be synchronized with the same globally correct time in order to provide for accurate time stamping on e-mail, log files, etc.

Since it is an isolated domain and not synced with an external time source and has no external internet, we could manually change the time via OS tools like time or the GUI clock and then resync the member servers.

But it is hard to guarantee that the time drift won't happen again. If possible, it is suggested that we could set it to sync with an external time source.

Thanks. For any question, please feel free to contact us.


Best regards,
Hannah Xiong
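
The sequence the answer describes, as an added example that is not part of the original thread or of the reply above: correct the clock on the PDC emulator, then resync the members and confirm they follow it. The member names and the time source are placeholders, and the remote `w32tm` calls assume the members are reachable over RPC from the PDC.

```powershell
# Added example, not code from the thread. Run from an elevated prompt
# on the Windows 2008 R2 PDC emulator (PowerShell 2.0 compatible).
$Members    = 'NEW-SRV01', 'NEW-SRV02'  # placeholder names for the two 2019 members
$TimeSource = ''                         # placeholder: a reachable NTP host, or leave empty

# 1. Record the starting state: where the PDC takes time from and when
#    each member last synced successfully.
w32tm /query /source
w32tm /query /status
foreach ($m in $Members) { w32tm /query /status "/computer:$m" }

# 2. Correct the clock on the PDC emulator.
if ($TimeSource) {
    # A source is reachable: point the PDC at it and mark it reliable,
    # so the drift does not build up again.
    w32tm /config "/manualpeerlist:$TimeSource" /syncfromflags:manual /reliable:yes /update
    Restart-Service w32time
    w32tm /resync /rediscover
} else {
    # No source reachable: set the clock by hand from a trusted reference.
    $now = Read-Host 'Correct local time (yyyy-MM-dd HH:mm:ss)'
    Set-Date -Date ([datetime]::ParseExact($now, 'yyyy-MM-dd HH:mm:ss', $null)) | Out-Null
}

# 3. Resync the members straight away. A 15-minute step is larger than the
#    default 5-minute Kerberos clock-skew tolerance, so members left on the
#    old time can fail Kerberos authentication until they catch up.
foreach ($m in $Members) {
    w32tm /resync "/computer:$m" /rediscover
    # Check that Source is the PDC and Last Successful Sync Time is current.
    w32tm /query /status "/computer:$m"
}
```

Doing this before the promotion means the new DC starts from the corrected time rather than inheriting the 15-minute offset.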
