So is time important in a Microsoft active directory Domain? Well we all know the answer to that. YES it is Kerberos must have time with in 5 min. most people that deal with active directory know this. And for most people when the create the Domain time just works. So we often take if for granted. So why I am blogging about time on the office communications server 2007 blog? Well because time is important to many more things then Kerberos. Now I probably will not reference OCS in this post but just realize time is important.
I tend to think that time should be one of the first parts of a corporations Active directory design. Why you ask? Well have you ever worked anywhere that the time on phone on your desktop and the time on your computer were different? how about trouble shooting. When I trouble shoot I often pull logs from many different places. I even pull logs from wireshark using my computer. and I may not have time to review them for a day or two. I am often looking for time correlation of events. but if the time is off from my router to my switch to my phone system to my pc how can I correlate that the event happened at a certain time and know what effect it had on other machines or equipment.
How about companies that bill by the minute. have you ever seen a person take a call and take notes on their computer then the time on the notes be off from the time on the phone. This could cause many problems with billing and other things. So it is critical to plan time into your entire system. This is one of those areas you will here me complain about the Separation from the network team and the Active directory team. Both teams need to be consistent and pointing to the same thing across the enterprise. but often they do not talk and often they are pointed to different time servers or in some cases not even using a reliable time source.
So how should it look? you ask well in my opinion your core router should point to a time source on Internet preferably a resource pool of time servers. Then your PDC can point to the core router or point to the same pool of time servers. either will work. all the other domain controllers should be using domain Hierarchy. Remember if you move your PDC then you need to validate that time is pointed to the right place. using w32tm /monitor on a single DC will tell you what all the DC's are looking at for time. and will tell you what the PDC is looking at for time.
I have seen many environments that use the default and because the default time server is not available for what ever reason it reverts to the LOCAL time source or BIOS clock of the PDC. I am sorry but the CMOS clock to me is unreliable I have seen to many that were not correct or the battery's were dead and every time you lost power the PDC would start changing time on the rest of the machines causing major problems.
here is a great source of time information i have included 2 links one to ntp pools which is a good ntp source. and the other is to the Microsoft Technet article. .
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03mngd/26_s3wts.mspx
http://www.pool.ntp.org/zone/us
hope this helps someone