Just started at a new company, they've got an isolated Forest\Domain setup for a specific client with 1 very old Physical Windows 2008 R2 server in it, acting as DC\File and Print.
It's 15 mins drifted from the real world because it was never synced with an external time source and has no external internet, and very little other access to the Corporate setup. Sensitive work.
This server is completely isolated aside from very few open ports like smb, print and some rdp.
There are then 3 separate, collaborating companies with holes poked in various firewalls to get file and print access, mapped with batch files and remembered passwords.
I've sent 2 new Physical servers up to the site for this environment, Windows 2019, and have added them as members to the domain for now. They've synced up with the Windows 2008 R2 PDC, no issues there, but as expected are 15 mins out from the real world.
Can I just manually change the time on the current Windows 2008 PDC, via the OS tools like time or the GUI clock, and then resync the 2 members...or do I need to change the clock time in a more intelligent way?
This time drift issue hasn't caused any problems for end users, because they do not directly log into this domain, they just map drives and printers, and as far as I can tell the password auth hasn't been affected for years.
BUT, next week I want to promote one of those Windows 2019 Servers to a DC as a first step to adding redundancy up there....and I don't want any strange occurrences due to the time drift. Once I get the 2 new servers standing up as DCs I'll be working on setting up an external trust design here to improve this environment.
I don't "expect" any issues with AD when I promote the new DC because the time drift within the isolated Forest\Domain is not subject to any external influence...but even so....I'd rather have it set correctly.
Any thoughts folks?