Moving The PDC Role And Testing NTP Server Connectivity

Hello from Chicago,

I am actually at home here in Chicago for a hot minute while I'm on critsit duty. I look forward to getting a call tonight while I'm at my good friend Dave Hazekamp's house watching the Bulls playoff game. Lately I've been helping a few customers go through an Active Directory upgrade of their production systems to 2008 R2. One of the processes we go through is transferring the FSMO roles to the new 2008 R2 DC. One of the most overlooked aspects when transferring the PDC role is setting up the new PDC to sync with an external time source. I highly recommend everyone read How Windows Time Works if you are not familiar with this. Time keeping is one of the most crucial aspects of an Active Directory domain: if time is more than 5 minutes off, many things will start to fail, specifically Kerberos. Large time jumps forward or backward can also cause major issues.

No problem, so we go to verify connectivity, to make sure the firewall team has updated the IP address to allow outbound connectivity from our new PDC server, using our new favorite tool, Port Query.




So is it working or not? It says both LISTENING and FILTERED. I believe Port Query is unable to tell us the answer since it is sending a UDP (connectionless) packet rather than a TCP (connection-oriented) packet, and this protocol is not defined in config.xml, so it does not know how to properly display the result. Let's use another tool for this.



By running w32tm /stripchart /computer:IP we can query that NTP server and see what the time offset is. Here we can clearly see that NTP connectivity is indeed working from our new PDC server.
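Here is an added PowerShell example (not from the original post) that wraps the same w32tm /stripchart check so it can be run as a quick health test on the new PDC: it confirms the PDC is not still using its local clock as its time source, queries the external NTP server a few times, parses the offsets, and flags anything outside the 5 minute Kerberos tolerance. The server name is a placeholder; w32tm.exe ships with Windows, and the script is assumed to run in an elevated session on the PDC.

```powershell
param(
    [string]$NtpServer = "time.example.com",  # placeholder: your external time source
    [int]$Samples = 5,
    [int]$MaxOffsetSeconds = 300              # 5 minutes, the Kerberos clock skew limit
)

# 1. Check what this DC is currently syncing from. A PDC emulator that reports
#    "Local CMOS Clock" has not been pointed at an external source yet.
$source = (& w32tm.exe /query /source 2>&1) -join ' '
Write-Host "Current time source: $source"
if ($source -match 'Local CMOS Clock') {
    Write-Warning "PDC is using its local clock; configure an external NTP peer."
}

# 2. Query the NTP server. /dataonly prints one "HH:MM:SS, +00.0123456s" line per
#    sample (or "error: 0x..." when no response comes back on UDP 123).
$output = & w32tm.exe /stripchart /computer:$NtpServer /samples:$Samples /dataonly 2>&1

# 3. Pull the signed offset (in seconds) out of each successful sample line.
$offsets = @()
foreach ($line in $output) {
    if ("$line" -match ',\s*([+-]?\d+\.\d+)s') {
        $offsets += [double]$Matches[1]
    }
}

if ($offsets.Count -eq 0) {
    Write-Warning "No NTP responses from $NtpServer (UDP/123 blocked or server down). Raw output:"
    $output | ForEach-Object { Write-Warning "$_" }
    exit 1
}

# 4. Report the average offset and fail if it is beyond what Kerberos tolerates.
$avg = ($offsets | Measure-Object -Average).Average
Write-Host ("{0} of {1} samples answered; average offset {2:N3}s" -f $offsets.Count, $Samples, $avg)

if ([math]::Abs($avg) -gt $MaxOffsetSeconds) {
    Write-Warning "Offset exceeds $MaxOffsetSeconds seconds; Kerberos authentication will fail until time is corrected."
    exit 2
}
Write-Host "NTP connectivity and offset are within tolerance."
```

A non-zero exit code from this script is a convenient signal for a post-FSMO-transfer checklist or a monitoring job.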


Mark "my other car is a DeLorean" Morowczynski