{"id":37,"date":"2012-02-16T13:35:19","date_gmt":"2012-02-16T13:35:19","guid":{"rendered":"http:\/\/test2.djblond.cz\/index.php\/2012\/02\/16\/synchronizace-asu-v-domen\/"},"modified":"2012-02-16T13:35:19","modified_gmt":"2012-02-16T13:35:19","slug":"synchronizace-asu-v-domen","status":"publish","type":"post","link":"https:\/\/www.djblond.cz\/index.php\/2012\/02\/16\/synchronizace-asu-v-domen\/","title":{"rendered":"Synchronizace \u010dasu v dom\u00e9n\u011b"},"content":{"rendered":"

Synchronizace \u010dasu v dom\u00e9n\u011b<\/b><\/span><\/p>\n

za\u010dneme samoz\u0159ejm\u011b s jemn\u00fdm pr\u016fnikem do cel\u00e9 synchroniza\u010dn\u00ed technologie kterou d\u011bl\u00e1 Windows Time Service.\u00a0<\/b>Tato slu\u017eba b\u011b\u017e\u00ed na ka\u017ed\u00e9m DC i stanici. Tedy alespo\u0148 by m\u011bla. A prost\u011b p\u0159enastavuje \u010das podle n\u011bjak\u00e9ho d\u016fv\u011bryhodn\u00e9ho zdroje.<\/p>\n

Primary Domain Controller Emulator (PDC Emulator)<\/b><\/span><\/p>\n

Ka\u017ed\u00e1 dom\u00e9na, kterou m\u00e1te, mus\u00ed m\u00edt jedno DC vyhrazeno jako PDC Emulator<\/b>. Kter\u00e9 DC ve va\u0161\u00ed dom\u00e9n\u011b to je, zjist\u00edte jednodu\u0161e nap\u0159\u00edklad z p\u0159\u00edkazov\u00e9 \u0159\u00e1dky:<\/p>\n

DSQUERY server -hasfsmo PDC<\/em><\/p>\n

Zjednodu\u0161en\u011b \u0159e\u010deno, Windows Time Service<\/b> v dom\u00e9nov\u00e9m prost\u0159ed\u00ed p\u0159edpokl\u00e1d\u00e1, \u017ee \u010dasovou autoritou je pr\u00e1v\u011b PDC Emulator<\/b>. Ka\u017ed\u00e9 DC se sna\u017e\u00ed synchronizovat sv\u016fj \u010das s t\u00edmto PDC. Ka\u017ed\u00fd klient si potom synchronizuje \u010das se sv\u00fdm p\u0159ihla\u0161ovac\u00edm DC.
\u00a0<\/p>\n

klient —–
…………….. <\/span>|–DC ——–
klient —– ……………….. <\/span> <\/span>| –PDC
…………….. <\/span>|–DC ——–
klient —–<\/p>\n

To je velmi zjednodu\u0161en\u011b \u0159e\u010deno, proto\u017ee ve v\u011bt\u0161\u00edm prost\u0159ed\u00ed do toho samoz\u0159ejm\u011b vstupuj\u00ed AD site<\/b>, poddom\u00e9ny, forest root dom\u00e9na apod.<\/p>\n

PDC je autorita. M\u011bla by m\u00edt tedy spr\u00e1vn\u00fd \u010das. M\u016f\u017eete se spolehnout bu\u010f na hodiny dan\u00e9ho po\u010d\u00edta\u010de. Ale lep\u0161\u00ed je nechat PDC synchronizovat s n\u011bjak\u00fdm internetov\u00fdm zdrojem. Tohle byste m\u011bli na PDC nastavit ru\u010dn\u011b z p\u0159\u00edkazov\u00e9 \u0159\u00e1dky (detaily syntaxe d\u00e1le):<\/p>\n

w32tm \/config \/syncfromflags:ALL \/manualpeerlist:time.windows.com<\/em><\/p>\n

Pot\u00e9 by jste m\u011bli restartovat slu\u017ebu w32time<\/p>\n

Net stop w32time && net start w32time<\/em><\/p>\n

Po restartu by jste v eventlogu m\u011bl vid\u011bt p\u0159i startu slu\u017eby event o tom \u017ee se server synchronizuje s V\u00e1mi zadan\u00fdm extern\u00edm zdrojem<\/p>\n

Ostan\u00edtn\u00ed DC a klienti<\/b><\/span><\/p>\n

V\u0161echny ostatn\u00ed stroje, jak DC tak i klienti konfiguraci vlastn\u011b nepot\u0159ebuj\u00ed. Pokud maj\u00ed v\u00fdchoz\u00ed nastaven\u00ed, Windows Time<\/b> si automaticky najde nejvhodn\u011bj\u0161\u00ed DC a z toho se synchronizuje.<\/p>\n

N\u011bkdy ale m\u00e1te probl\u00e9m, proto\u017ee jste v\u00fdchoz\u00ed nastaven\u00ed zm\u011bnili ru\u010dn\u011b. T\u0159eba je\u0161t\u011b p\u0159edt\u00edm, ne\u017e jste dan\u00fd po\u010d\u00edta\u010d p\u0159ipojili do dom\u00e9ny. Pokud to chcete zm\u011bnit, pou\u017eijte n\u00e1sleduj\u00edc\u00ed p\u0159\u00edkaz:<\/p>\n

w32tm \/config \/syncfromflags:NT5DS<\/em><\/p>\n

Parametry w32tm<\/b><\/span><\/p>\n

Jen pro po\u0159\u00e1dek (tohle nebudete pou\u017e\u00edvat). Program w32tm m\u00e1 vlastn\u011b 3 parametry pro typ synchronizace \u2013 syncfromflags<\/b>. Bu\u010f nastav\u00edte NT5DS<\/b>, co\u017e \u0159\u00edk\u00e1 synchronizovat automaticky z n\u011bjak\u00e9ho DC, nebo PDC.<\/p>\n

Nebo pou\u017eijete MANUAL<\/b>. V tom p\u0159\u00edpad\u011b se Windows Time<\/b> synchronizuje z n\u011bjak\u00e9ho manu\u00e1ln\u011b zadan\u00e9ho NTP serveru \u2013 parametr manualpeerlist<\/b>.<\/p>\n

w32tm \/config \/syncfromflags:MANUAL \/manualpeerlist:time.windows.com<\/p>\n

Pro na\u0161e PDC jsme pou\u017eili ALL<\/b>, co\u017e \u0159\u00edk\u00e1, aby se pou\u017eily ob\u011b mo\u017enosti. Je to lep\u0161\u00ed, ne\u017e pou\u017e\u00edt MANUAL<\/b>. Co kdy\u017e pozd\u011bji zm\u011bn\u00edte PDC.<\/p>\n

Nastaven\u00ed klient\u016f pomoc\u00ed Group Policy<\/b><\/span><\/p>\n

PDC je nejjednodu\u0161\u0161\u00ed nastavit ru\u010dn\u011b. Zat\u00edmco klienty a ostatn\u00ed DC je vhodn\u00e9 spravovat pomoc\u00ed Group Policy<\/b>. Jak? Ide\u00e1ln\u011b ud\u011bl\u00e1me dv\u011b v\u011bci:<\/p>\n

a) vynut\u00edme automatick\u00e9 startov\u00e1n\u00ed slu\u017eby Windows Time<\/b>
b) nastav\u00edme centr\u00e1ln\u011b hodnotu NT5DS<\/b><\/p>\n

Vytvo\u0159it novou politiku a v sekci<\/p>\n

\n

Computer settings -> Administrative templates -> System -> Windows Time Service<\/em><\/p>\n<\/blockquote>\n

Zapnout Enable Windows NTP client
A v Configure Windows NTP client nastavit TYPE na NT5DS (NT5DS \u0159\u00edk\u00e1 klientovi, \u017ee m\u00e1 pou\u017e\u00edt k synchronizaci dom\u00e9novou hierarchii).<\/p>\n

Tuto GPO je nutn\u00e9 aplikovat na v\u0161echny klienty mimo PDC. To zajist\u00edme vytvo\u0159en\u00edm WMI filtru (SELECT * FROM Win32_ComputerSystem WHERE DomainRole 5)<\/p>\n

Nebo m\u016f\u017eeme politiku aplikovat na OU, kde m\u00e1me nap\u0159\u00edklad jenom klienty a na serverech nastavit synchronizaci \u010dasu ru\u010dn\u011b.<\/p>\n

http:\/\/e-light-security.jp<\/a><\/div>\n
SM \u30dd\u30eb\u30ce – un-mei.info<\/a><\/div>\n
http:\/\/www.rikon-ya.com<\/a><\/div>\n","protected":false},"excerpt":{"rendered":"

Synchronizace \u010dasu v dom\u00e9n\u011b za\u010dneme samoz\u0159ejm\u011b s jemn\u00fdm pr\u016fnikem do cel\u00e9 synchroniza\u010dn\u00ed technologie kterou d\u011bl\u00e1 Windows Time Service.\u00a0Tato slu\u017eba b\u011b\u017e\u00ed na ka\u017ed\u00e9m DC i stanici. Tedy alespo\u0148 by m\u011bla. A prost\u011b p\u0159enastavuje… Read more »<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[],"_links":{"self":[{"href":"https:\/\/www.djblond.cz\/index.php\/wp-json\/wp\/v2\/posts\/37"}],"collection":[{"href":"https:\/\/www.djblond.cz\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.djblond.cz\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.djblond.cz\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.djblond.cz\/index.php\/wp-json\/wp\/v2\/comments?post=37"}],"version-history":[{"count":0,"href":"https:\/\/www.djblond.cz\/index.php\/wp-json\/wp\/v2\/posts\/37\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.djblond.cz\/index.php\/wp-json\/wp\/v2\/media?parent=37"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.djblond.cz\/index.php\/wp-json\/wp\/v2\/categories?post=37"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.djblond.cz\/index.php\/wp-json\/wp\/v2\/tags?post=37"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}