Comments for Philip Flint

Comment on Senna the movie by The Review Corner

The Review Corner — Wed, 04 Apr 2012 02:48:37 +0000

The Review Corner…

[...]Senna the movie « Philip Flint[...]…

Comment on How to install SCOM 2007 R2 by Glenn

Glenn — Thu, 01 Mar 2012 22:50:39 +0000

thank you so much! I’m testing this in a lab and your writeup made my life MUCH easier

Comment on Synchronising time in an Active Directory Forest by Philip Flint

Philip Flint — Sat, 25 Feb 2012 23:44:07 +0000

Hi Bruce

In simple terms your environment will continue to work, each server and client will have a clock but they will start to drift. If you seize the PDC role then clients will start to sync back (through the other DC’s) to that new PDC. In this way all servers and clients will be using the same time. If you then allow that “new” PDC to contact a new NTP source (by opening the firewall) then that new PDC’s time will be accurate against an atomic clock.

In effect, in a DR situation there is no real rush for most people to ensure that cleocks are accurate to within a second or so. To reduce the time to revover you can set firewall rules beforehand to allow your main PDC role holder and any secondaries to transit the firewall on UDP port 123. In the event that the PDC emulator role holder fails you can then simply transfer the role to one of your designated seondary servers and everything will resolve itself.

Phil

Comment on Synchronising time in an Active Directory Forest by Philip Flint

Philip Flint — Sat, 25 Feb 2012 23:34:12 +0000

Hi Gordon,

What you say is true. By default the LargePhaseOffset is set to 5 seconds – if the clock keeps drifting for a prolonged period (SpikeWatchPeriod) then the server will be marked as an unreliable time source and the behaviour you note will be followed. The above times are set in the registry (LargePhaseOffset – HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config 50000000=5 seconds, SpikeWatchPeriod – HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config 900 = 900 seconds or 15 minutes).

The official Microsoft documentation for this can be found at http://technet.microsoft.com/en-us/library/cc773263.aspx.

Hope this helps you out

Phil

Comment on Synchronising time in an Active Directory Forest by Gordon

Gordon — Thu, 16 Feb 2012 21:37:28 +0000

Great information!!! You covered the topics very well. The largest problem I see in general is the misconception that time services will work out-of-the-box with Microsoft Server products. The importance of time synchronization is not respected by most sysadmins and to top it off it is not well documented by Microsoft. I have run into a problem documenting (verifying) the drift tolerance between two domain controllers running Server 2008R2 in a 2003 functional forest. I have found some sketchy information that said a Domain Controller if configured to sync with another DC (not the PDCe) will only tolerate less than a 5000ms drift for 15minute duration and then it will consider itself unreliable for time and no longer provide the NTP service to clients. To top it off it will start passing authentication requests to the PDCe unless the PDCe is unavailable on the network. In a large site that is mis-configured this will result in an eventual failure to replicate the LDAP directory. Do you know the toleration of drift between two DC? And do you know where I can find official Microsoft documentation of the range?

Comment on What is the difference between a Role and a Feature by Georg Zimmer

Georg Zimmer — Wed, 15 Feb 2012 05:53:38 +0000

Finally!!!! Nobody could answer this question.

Comment on Ports used by NetScaler by Tim Churches

Tim Churches — Fri, 10 Feb 2012 21:38:11 +0000

How do you make NetScaler 9.3 use the secure channels 3008/TCP and 3009/TCP instead of the insecure ports?

Comment on How to install SCOM 2007 R2 by Lokey

Lokey — Thu, 02 Feb 2012 14:09:12 +0000

Hi Philip,

Really greate doc, good help for learner.

Regards,
Lokey

Comment on List Active Directory sites and their associated subnets by David

David — Fri, 27 Jan 2012 10:41:20 +0000

It works very well.
Thanks for your post.

David from France.

Comment on Synchronising time in an Active Directory Forest by Bruce

Bruce — Fri, 13 Jan 2012 05:41:37 +0000

Hello great write up. I have a question, what is your suggestion please in the event that the PDC goes down say if it was located in a data centre? Obviously I would need to drag the PDC FSMO role off the downed PDC and transfer to another DC at another site, then open UDP port 123 to allow the new PDC to point to an external time source and then update the Time GPO to reflect these changes? This sounds time consuming to me. I need to implement a proper DR plan that would get my domain up and running as quickly as possible as we have had this issue happen twice in our domain and no servers can log on in the data centre. Do you know a quicker more efficient way of accomplishing this? I was thinking about having 3 NTP servers say in a pool so if the PDC goes down it won’t effect the domain, but your GPO seems like a good way to go but I’m unsure how the failover part would get things up and running quickly should the PDC go down. Thank you for your time, hope this makes sense. Bruce.