How To: Check Your Active Directory Domains Time

So far I have posted 2 blog posts on How To: Set a Macs Time Server & How To: Sync Time With NTP via Script. Well, why am I posting this?

Well, in almost all Mac environments I’ve supported, the Macs have been bound to Active Directory &, as the following quote from http://blogs.technet.com/b/nepapfe/archive/2013/03/01/it-s-simple-time-configuration-in-active-directory.aspx says:

in Kerberos V5, computers that are more than 5 minutes out of sync will not authenticate

It’s pretty simple: if your Mac’s clock is 5 minutes out of sync with your Active Directory domain’s time, it will not authenticate. In fact, that statement is wrong: if any CLIENT’S clock is 5 minutes out of sync with your Active Directory domain’s time, it will not authenticate. Actually, again, that’s wrong, but you get the idea: syncing time is a big deal.

So, how do we check that the domain’s time is healthy & which server is the primary NTP source? (For use in the posts linked at the top of this post.)

From a Windows computer that is a domain member, load up a command prompt & run:

w32tm /monitor

You should get an output like:

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\>w32tm /monitor
AD-DC-02.fqdn[10.2.2.38:123]:
ICMP: 225ms delay
NTP: -0.0039076s offset from AD-DC-01.fqdn
RefID: AD-DC-01.fqdn [10.1.1.2]
Stratum: 5
AD-DC-03.fqdn[10.1.12.9:123]:
ICMP: 20ms delay
NTP: +0.0045566s offset from AD-DC-01.fqdn
RefID: AD-DC-01.fqdn [10.1.1.2]
Stratum: 5
AD-DC-04.fqdn[10.1.17.30:123]:
ICMP: 10ms delay
NTP: +0.0108249s offset from AD-DC-01.fqdn
RefID: AD-DC-01.fqdn [10.1.1.2]
Stratum: 5
AD-DC-01.fqdn *** PDC ***[10.1.1.2:123]:
ICMP: 0ms delay
NTP: +0.0000000s offset from AD-DC-01.fqdn
RefID: time.shf.uk.as44574.net [91.212.90.20]
Stratum: 4

Warning:
Reverse name resolution is best effort. It may not be
correct since RefID field in time packets differs across
NTP implementations and may not be using IP addresses.

In the above example, the lines:

AD-DC-01.fqdn *** PDC ***[10.1.1.2:123]:
ICMP: 0ms delay
NTP: +0.0000000s offset from AD-DC-01.fqdn
RefID: time.shf.uk.as44574.net [91.212.90.20]
Stratum: 4

show that AD-DC-01 is the PDC & in this case is also the primary NTP source. This can be gleaned from a couple of the lines, picked out below.

One shows that the server is pointing to an external source for its time, & by external I mean one that is not part of the same domain.

RefID: time.shf.uk.as44574.net [91.212.90.20]

It also has the lowest stratum:

Stratum: 4

This last bit is really important for NTP, but I’ll be honest & say I don’t greatly understand it!
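As an added example (not from the original post), here is a short Python parser for the w32tm /monitor output above. It applies the checks described in the post: each DC's offset against the 5 minute Kerberos limit, exactly one PDC, and a PDC whose RefID is not another DC in the list. The function names and the cut-down sample are constructed for illustration.

```python
import re

# Constructed sample: two of the DC blocks from the w32tm /monitor output above.
SAMPLE = """\
AD-DC-02.fqdn[10.2.2.38:123]:
ICMP: 225ms delay
NTP: -0.0039076s offset from AD-DC-01.fqdn
RefID: AD-DC-01.fqdn [10.1.1.2]
Stratum: 5
AD-DC-01.fqdn *** PDC ***[10.1.1.2:123]:
ICMP: 0ms delay
NTP: +0.0000000s offset from AD-DC-01.fqdn
RefID: time.shf.uk.as44574.net [91.212.90.20]
Stratum: 4
"""
MAX_SKEW = 300.0  # seconds; the 5 minute Kerberos limit quoted above
HEADER = re.compile(r"^(\S+?)(\s+\*\*\* PDC \*\*\*)?\s*\[[^\]]+\]:$")
FIELDS = {  # field name -> (pattern, converter)
    "offset": (re.compile(r"^NTP:\s*([+-]?\d+(?:\.\d+)?)s offset"), float),
    "refid": (re.compile(r"^RefID:\s*(\S+)"), str),
    "stratum": (re.compile(r"^Stratum:\s*(\d+)"), int),
}

def parse_monitor(text):
    """Return one dict per domain controller block in the output."""
    dcs = []
    for line in (raw.strip() for raw in text.splitlines()):
        head = HEADER.match(line)
        if head:  # new DC block; the three fields start out as None
            dcs.append({"name": head[1], "pdc": bool(head[2]), **dict.fromkeys(FIELDS)})
        elif dcs:  # detail line; text before the first block is skipped
            for key, (pattern, convert) in FIELDS.items():
                m = pattern.match(line)
                if m:
                    dcs[-1][key] = convert(m[1])
    return dcs

def review(dcs, max_skew=MAX_SKEW):
    """Apply the checks from the post; return a list of findings."""
    out, names = [], {dc["name"] for dc in dcs}
    if sum(dc["pdc"] for dc in dcs) != 1:
        out.append("expected exactly one PDC block")
    for dc in dcs:
        if dc["offset"] is None:  # e.g. the DC did not answer
            out.append(f"{dc['name']}: no NTP offset reported")
        elif abs(dc["offset"]) > max_skew:
            out.append(f"{dc['name']}: offset {dc['offset']:+.1f}s over limit")
        if dc["pdc"] and dc["refid"] in names:
            out.append(f"{dc['name']}: PDC time source is inside the domain")
    return out
```

Feed it the captured text of the command, for example review(parse_monitor(output)); an empty list means every check passed.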
