This server's clock is not synchronized with the primary domain controller's clock
This thread has 3 replies and has been viewed 44341 times.
#1
Hello,
I have a server (the server is a domain member, \\server1.mydomain.com) which must be synchronized with an external source (the rest of the computers are synchronized with the PDC). When the external source has more than 10 minutes of delay I can't access the shared folders on this server using \\server1.mydomain.com (I can access them using the IP address), and I get the following error:
This server's clock is not synchronized with the primary domain controller's clock
This article from Microsoft says: http://www.microsoft.com/technet/pro....mspx?mfr=true
The internal clock for servers must be set to within 10 minutes of the domain controller's clock
I want to increase these 10 minutes. Does anybody know how I can do it?
Thanks
Pablo
#2
You can't. As Microsoft said: "The internal clock for servers must be set to within 10 minutes of the domain controller's clock." If the clocks are not synchronised then Kerberos authentication will fail.
Why can't you synchronise the member server with your domain controller?
http://en.wikipedia.org/wiki/Kerbero...ocol#Drawbacks
"Kerberos requires the clocks of the involved hosts to be synchronized. The tickets have a time availability period and if the host clock is not synchronized with the Kerberos server clock, the authentication will fail. The default configuration requires that clock times are no more than 10 minutes apart. In practice Network Time Protocol daemons are usually used to keep the host clocks synchronized."
__________________
Gareth Howells BSc (Hons), MBCS, MCP, MCDST, ICCE
Any advice is given in good faith and without warranty. Please give reputation points if somebody has helped you.
"For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.
"Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.
#3
Thanks Gareth,
I need to configure a server member with another computer of the electrical company, and this server is a domain member too. As you say about Kerberos: "The default configuration requires that clock times are no more than 10 minutes apart [...]"
So, I changed this Kerberos parameter in the domain security policy to 60 minutes, as it says in this article: Maximum Tolerance For Computer Clock Synchronization.
http://www.microsoft.com/technet/sec.../w2kadm09.mspx
Maximum Tolerance For Computer Clock Synchronization: The Maximum tolerance for computer clock synchronization is one of the few Kerberos policies that may need to be changed. By default, computers in the domain must be synchronized within five minutes of each other. If the client clock and the server clock are not synchronized closely enough, a client ticket is not issued. The default value is 5 minutes, and settings are in minutes. If there are remote users that log on to the domain without synchronizing their clock to the network timeserver, it may be necessary to adjust this value. However, changing this value to provide a wider margin can leave the system open to replay attacks.
Thanks
Pablo
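Added example (not part of the original posts, and not Windows code): a simplified model of the Kerberos authenticator time check and replay cache, showing why the quoted article warns that a wider tolerance opens the door to replays. The `Service` class, the `scenario` helper, the client name `client1` and all timestamps are constructed for illustration.

```python
from dataclasses import dataclass, field

MINUTE = 60

@dataclass
class Service:
    """Hypothetical, simplified model of a Kerberos service's time check."""
    max_skew_s: int  # the "maximum tolerance" policy value, in seconds
    replay_cache: set = field(default_factory=set)  # (client, timestamp) seen

    def accept(self, client: str, auth_time: float, now: float) -> str:
        # Entries outside the window fail the time check anyway, so forget them.
        self.replay_cache = {e for e in self.replay_cache
                             if abs(now - e[1]) <= self.max_skew_s}
        if abs(now - auth_time) > self.max_skew_s:
            return "KRB_AP_ERR_SKEW"      # clocks too far apart
        if (client, auth_time) in self.replay_cache:
            return "KRB_AP_ERR_REPEAT"    # same authenticator seen before
        self.replay_cache.add((client, auth_time))
        return "OK"

def scenario(tolerance_min: int, cache_lost: bool) -> list:
    """Present one authenticator twice, 30 minutes apart (constructed times)."""
    svc = Service(tolerance_min * MINUTE)
    t0 = 1_000_000.0                      # constructed server clock, seconds
    auth_time = t0 - 12 * MINUTE          # client clock is 12 minutes behind
    first = svc.accept("client1", auth_time, now=t0)
    if cache_lost:
        svc.replay_cache.clear()          # e.g. the service was restarted
    second = svc.accept("client1", auth_time, now=t0 + 30 * MINUTE)
    return [first, second]

if __name__ == "__main__":
    for tol, lost in [(5, False), (60, False), (60, True)]:
        print(f"tolerance={tol:>2} min cache_lost={lost}: {scenario(tol, lost)}")
```

With the 5-minute tolerance the time check alone rejects the repeated authenticator; at 60 minutes only the replay cache stands in the way, and it has to retain every authenticator for the whole hour.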
#4
Windows components and services depend on time synchronization. For example, the Kerberos V5 authentication protocol on a Windows Server 2003 family domain has a default time synchronization threshold of five minutes (not ten minutes). Computers that are more than five minutes out of synchronization on the domain will fail to authenticate using the Kerberos protocol. This time value is also configurable, thus allowing for smaller thresholds. Failure to authenticate using the Kerberos protocol can prevent logons, access to Web sites, file shares, printers, and other resources or services within a domain.

* Configuring the time synchronization method with the following configuration commands: w32tm.exe (Windows 2003 or XP only)

To reset to use the domain hierarchy:
    w32tm.exe /config /syncfromflags:domhier
    w32tm.exe /config /update

To use a specific NTP source:
    w32tm.exe /config /syncfromflags:manual /manualpeerlist:source1
    w32tm.exe /config /update

How to Configure an Authoritative Time Server in Windows Server 2003
http://support.microsoft.com/?id=816042

Please follow the link: http://www.petri.co.il/forums/showthread.php?t=28963

Last edited by Akila; 23rd October 2008 at 14:38.