Configure the Time Service
You must configure your DCs so that they synchronize their clocks with one another. The AD installation wizard makes no mention of this requirement, but it's a vital post-installation task. The good news is that you have to perform this step only once per AD forest; the bad news is that if you don't do it, you'll probably find within a week that none of your users can log on.
Time matters because of Kerberos, the protocol that AD uses for authentication. Kerberos won't issue credentials if the time on the Key Distribution Center (KDC; all AD DCs are KDCs) and on the client requesting authentication differs by more than 5 minutes. Furthermore, if two DCs' clocks are out of sync, replication between them will fail. Because most computers' internal clocks are woefully inaccurate, this discrepancy isn't hard to achieve. (If your company has offices located in several states or countries, don't worry; Kerberos takes time zone differences into account.)
To prevent this problem, you must configure the PDC emulator in the forest root domain to synchronize its clock with an external time source. If you're not sure which machine is the PDC emulator, follow the steps in the previous section as if you're going to transfer the role, but merely look it up instead.
To set the external time source, open a command prompt on the PDC emulator, then type
net time /setsntp:<timeserver>
Your ISP should be able to provide you with either the name or IP address of a Network Time Protocol (NTP) or Simple Network Time Protocol (SNTP) server. In a pinch, you can use one of the US Navy's time servers at tick.usno.navy.mil or tock.usno.navy.mil, but it's better to use a server that's geographically close to your server and to avoid overloading the Navy's servers.
After you establish the external time source, the other DCs will automatically synchronize their clocks with the PDC emulator's clock, and time will synchronize in a cascading fashion throughout the forest. The member servers and Win2K Pro machines will synchronize their clocks with a DC in their domain. Also, PDC emulators in child domains will synchronize their clocks with the PDC emulator in their parent domain. Then, the DCs in that domain will synchronize with their domain's PDC emulator. The member servers and workstations sync with the DCs, and so on down through the hierarchy of domains, until all clocks on all Win2K machines are in sync.
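As an added example (not part of the original article), the following Python script shows the arithmetic a time client performs on an SNTP server reply (RFC 2030) to find how far its own clock is off, and checks the result against the 5-minute tolerance Kerberos enforces. The server reply is constructed inline so the script runs offline; the function names and the sample timestamps are the example's own.

```python
import struct

NTP_PACKET = "!BBBb11I"    # 48-byte SNTP header layout (RFC 2030)
KERBEROS_MAX_SKEW = 300.0  # Kerberos rejects tickets when skew exceeds 5 minutes

def to_ntp(seconds):
    """Split seconds-since-1900 into NTP's 32-bit whole and 32-bit fraction."""
    whole = int(seconds)
    return whole, int(round((seconds - whole) * 2**32))

def from_ntp(whole, frac):
    return whole + frac / 2**32

def build_request(t1):
    """Client request: LI=0, VN=4, Mode=3, transmit timestamp = local send time t1."""
    return struct.pack(NTP_PACKET, 0x23, 0, 0, 0, *([0] * 9), *to_ntp(t1))

def parse_reply(data, t4):
    """Return (clock offset, round-trip delay) from a reply received at local time t4."""
    if len(data) < 48:
        raise ValueError("short SNTP packet")
    f = struct.unpack(NTP_PACKET, data[:48])
    if f[0] & 0x7 != 4:
        raise ValueError("not a server reply (mode %d)" % (f[0] & 0x7))
    t1 = from_ntp(f[9], f[10])   # originate: the request's transmit time
    t2 = from_ntp(f[11], f[12])  # server receive time
    t3 = from_ntp(f[13], f[14])  # server transmit time
    offset = ((t2 - t1) + (t3 - t4)) / 2   # local clock behind (+) or ahead (-) of server
    delay = (t4 - t1) - (t3 - t2)          # network round trip, excluding server processing
    return offset, delay

def kerberos_skew_ok(offset, max_skew=KERBEROS_MAX_SKEW):
    """True when the measured skew is inside the tolerance Kerberos enforces."""
    return abs(offset) <= max_skew

def constructed_reply(t1, t2, t3):
    """Constructed stratum-2 server reply (mode 4) so the check runs offline."""
    return struct.pack(NTP_PACKET, 0x24, 2, 0, 0, 0, 0, 0, 0, 0,
                       *to_ntp(t1), *to_ntp(t2), *to_ntp(t3))

# Constructed scenario: this machine's clock is 400 s behind the time server.
T1, T4 = 1_000_000.0, 1_000_000.75     # client send / receive, on the client clock
T2, T3 = 1_000_400.25, 1_000_400.5     # server receive / transmit, on the server clock
OFFSET, DELAY = parse_reply(constructed_reply(T1, T2, T3), T4)

if __name__ == "__main__":
    print("offset %+.3f s, delay %.3f s, within Kerberos tolerance: %s"
          % (OFFSET, DELAY, kerberos_skew_ok(OFFSET)))
```

A 400-second offset is well past the Kerberos limit, which is exactly the situation the article warns about when DCs are left to drift on their own.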
Checking Out
AD is big, new, and complex. You'll have your hands full just getting the user accounts working. The last thing you need is a mysterious problem with a new DC that could slow or even halt your AD rollout. By completing a simple checklist to make sure your DCs are properly installed and configured from the first day, you can substantially reduce the amount of AD troubleshooting you'll have to do, both initially and for the lifespan of the directory's implementation in your company.