cherrylane

Time Sync not working

I am having multiple issues with Time Sync on my Domain and Workstations which I need to get to the bottom of.  After troubleshooting and testing I am stuck and don't know how to proceed. I have tried to follow numerous articles and solutions from this site and Microsoft's support site.  Here is what I've found out.
1) I have a laptop which is not part of the domain which is able to sync time using the Internet Time tab in Date and Time Properties.  It has no problem syncing to time.nist.gov.  Once I join the laptop to the domain I get the following error when trying to sync Internet Time: "An error occurred while Windows was synchronizing with time.nist.gov."
2) Since the laptop can sync when in WORKGROUP, the firewall is allowing UDP port 123 outbound.
3) None of my domain workstations or servers are able to sync to an Internet Time source, therefore my PDC cannot sync to an external time source.
4) When I check Date and Time properties on a workstation and go to the Internet Time tab, the check box to automatically update with an internet time source is NOT checked.  Grayed out is the error 'An error occurred while Windows was synchronizing with 192.168.1.24.  The Peer is unreachable.'  192.168.1.24 is my PDC.
5) On the PDC, once a day, I get W32Time Error ID 47: that no valid response has been received from manually configured peer 192.168.1.24 and Error ID 29: ...none of the time sources are currently accessible.
6) On the workstation, once a day, I get Event ID 36: Time service has not been able to synchronize the system time for xxxxx seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.

How do I get my PDC to update time via an internet time source?
How do I get the workstations to sync with my PDC?

Thanks
RickSheikh

By default the DCs should be getting their time from time.windows.com

Go into the registry to HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer and make sure your servers are pointing to a valid time source. If you are pointing to an external time source by name make sure a ,0x1 follows the DNS name.

When clients authenticate they will get the same time as the DC that authenticates them.

All in all, your problem lies within the registry path I indicated above. After you make changes make sure you stop & restart the windows time services in the services applet.
cherrylane

ASKER

On the DC when I go to HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\ I DO NOT see NtpServer.  The only items that exist are as follows:
(Default)        REG_SZ                   (value not set)
ServiceDll      REG_SZ                   C:\WINDOWS\system32\w32time.dll
ServiceMain  REG_EXPAND_SZ    SvchostEntry_W32Time
Type              REG_SZ                   NT5DS

Since it was missing I added the following, is that correct??:
NtpServer      REG_SZ                   time.nist.gov,0x1

I restarted the Windows Time service.  I went to Date and Time properties, waited for the Internet Time tab to show up.  Checked to Automatically sync with Internet Time server and chose the server time.nist.gov and it gives the same 'An error occurred while Windows was synchronizing with time.nist.gov.'  Is this the way I test if it's working?

I compared the above with the server that i consider my backup DC.  There are 2 differences, the backup DC shows:
NtpServer       REG_SZ                   nist-1.glassey.com,0x1
Type               REG_SZ                   NTP

Could the problem be that the Type key on the main DC is set to NT5DS?  Should it be NTP?

thanks
update:  

I just noticed that yesterday at 12:20pm I got a W32Time EventID:35 that states
The time service is now synchronizing the System time with the time source time.windows.com (ntp.m(0x1)192.168.1.24->207.46.232.182:123).

The last time I received this event was a year ago on 9/25/08.  This indicates that one of my changes from yesterday worked?  However, today I see W32Time Event ID 50 that detected a time difference of greater than 128ms for 90sec.  Is there a way to force a sync so I can monitor and see what happens instead of waiting for it to occur automatically at a set interval?
thanks...
I just finished up helping someone with your question: (this will tell you how the time service works)

https://www.experts-exchange.com/questions/24656684/Best-Time-reference-in-a-Windows-2003-domain.html
I have read the posted articles and links...  So I mentioned that time sync appeared to be working but now again it appears to have stopped syncing with an external source on the primary DC.  The current error message comes up once or twice a day, however some days do not log a message.  The Warning Reads: Source: W32Time, Event ID: 50.  "The time service detected a time difference of greater than 128ms for 90 seconds... time service is no longer synchronized and cannot provide the time to other clients or update the system clock... when a valid time stamp is received from a time service provider, the time service will correct itself".

My Workstations are not syncing time with the DC either.  For example mine shows Source: W32Time Event ID: 36, "The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized."  All the W32Time warning messages show the same amount of seconds.

I'm guessing i should get the DC syncing consistently with an outside source and then troubleshoot the workstation issue.

I've looked at numerous articles but can't seem to figure out what the cause is.  Any other ideas??
I honestly think that is your problem..to fix do the following but first I'll answer a very IMPORTANT question you ask, the difference between the NT5DS & NTP registry setting is NTP is used on computers that are NOT joined to a domain & NT5DS is used for computer/servers that are joined to a domain.

Now here is what you need to do, or what I'd do:

1. Log into each domain controller & go to the registry setting location mentioned above
2. Change the setting from NTP to NT5DS on ALL the servers
3. Change the NtpServer key to point to time.windows.com,0x1
4. Now, restart the time services already mentioned above.

Give it a minute & you should be able to see all your DCs on the same time which means any workstations that authenticate against the DCs will also have the same time...

Now...once your servers & clients are on the same page, if you want to set your DCs to use a different time source or use NTP, re-post another question & I'll be glad to help.
I forgot to mention in my last post...make sure you do this on ALL your DCs.
ok, so on both DC's, for the registry key below the following is set:
HKLM\SYSTEM\CurrentControlSet\Services\w32time\parameters

(Default)        REG_SZ                   (value not set)
NtpServer      REG_SZ                   time.nist.gov,0x1
ServiceDll      REG_SZ                   C:\WINDOWS\system32\w32time.dll
ServiceMain  REG_EXPAND_SZ    SvchostEntry_W32Time
Type              REG_SZ                   NT5DS

Event ID 35 was logged on the Main DC that the time service is again synchronizing time with time.windows.com.  However, the time between the 2 DC's is still off.  I purposely put it off by a few minutes.  I have waited more than 15 min and the time is not correcting.  I cannot get the 2nd DC to display any W32Time information in event log so I don't know if it's actually trying to sync up or not.

From everything I read this should be so easy to configure and should work.  It's almost like I'm missing one step to tie it all together.  Would running in a mixed mode NT/2000/2003 environment cause these issues?
UPDATE: this morning the primary DC Logged the W32Time Event ID 50 Warning: The time service detected a time difference of greater than 128 milliseconds for 90 seconds. The time difference might be caused by synchronization with  low-accuracy time sources or by suboptimal network conditions. The time service is no longer synchronized and cannot provide the time to other clients or update  the system clock. When a valid time stamp is received from a time service  provider, the time service will correct itself.  

The secondary DC logged the following 2 System Events:
W32Time Event ID 29 Error: The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible.  No attempt to contact a source will be made for 30 minutes. NtpClient has no source of accurate time.

W32Time Event ID 47 Warning: Time Provider NtpClient: No valid response has been received from  manually configured peer 192.168.1.24,0x1 after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with this DNS name.  

Workstations are still not getting accurate time from the DC.

In the above registry setting change the NtpServer setting to:

NtpServer   REG_SZ      time.windows.com,0x1


Are your DCs Win 2003 servers? Do you just have two DCs on the domain? What SP are they on & are they fully patched?

I know 100% sure time.windows.com works because that is what I use on all of my over 200 DCs... I remember in the past having issues with time.nist.gov.
Have you configured this as a GPO? If so, then reset the settings back to "not configured".

By default the DC will synchronize with the clients, but you have to prevent the DC from synchronizing with itself, first. GPO's override the default configuration of the time services. In doing so, if you created a Domain GPO to synch with the server, the server is looking to itself for time and causing your errors.

Remove the GPO.

Now, you can download a simple utility that will synchronize your domain controller's time using 80, instead of port 123. Blocking the default time is not common but does happen with some firewalls.

The utility that will synch your system clock with an outside time provider (NIST servers, .Gov servers etc...) is called symmtime. You can download it from symmetricom's web site.

http://www.symmetricom.com/resources/downloads/symmtime/

another cool utility, so you don't have to run from one computer to another to check time, is called LMcheck.

Both are freeware.

If you want to go to the expense of keeping perfect time, then download DomainTimeII from symmetricom.

So, symmtime on your PDCe, LMcheck on your admin computer, and DomainTime II for overall control.
By the way, symmtime was created by symmetricom. They manufacture time servers. They will ask for your mail address to see if you want to purchase a time server once in a great while, but will not share that out to anyone.

I use symmtime on my government DC's.
Wantabe:  I had time.windows.com,0x1 already set for NTPServer on both DCs.  I accidentally cut and pasted from an earlier post and forgot to modify.  The DCs are Windows 2003 servers SP2 and Fully patched.

ChiefIT:  I don't believe I have any GPO running.  Haven't really used GPO on the domain.  How can I be sure??  I usually just do local Policy settings using gpedit.msc and making a change on the local machine.  On the Primary DC under Local Computer Policy\Administrative Templates\System\Windows Time Server the setting Global Configuration Settings = Not Configured.  Under Local Computer Policy\Administrative Templates\System\Windows Time Server\Time Providers the following 3 are all ENABLED:  Enable Windows NTP Client, Configure Windows NTP Client and Enable Windows NTP Server.  Does this mean I should change these three settings to Not Configured??
On the 2nd DC all the above settings are set to Not Configured.

I downloaded and installed the Symmtime app on the Primary DC so that Server is sync'd with the outside.
I downloaded and ran LMCheck using my PC but first I manually sync'd with SymmTime.  The Worst Variance is greater than 9min.  The average variance is greater than 7sec.

Please advise.
OK, now the GPOs will override these settings. You will want to reset those to "not configured" and allow the default configuration of Time do its thing.

Also, this is something you should know:

If the domain computers are not greater than +/- 5 minutes of the PDCe, they will not synch. There is a flag in the PDCe's registry keys that is called a phase offset. This means that any clients who see those flags will not have to synch if they are not out of that phase offset. The default value of the phase offset is +/- 5 minutes.

Now that you have your PDCe getting time from an external time source, you might want to set that phase offset on the PDCe.

Here is your phase offset flag:
"Registry Entry      MaxAllowedPhaseOffset
Path      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Note       This entry specifies the maximum offset, in seconds, for which W32Time tries to adjust the computer clock by using the clock rate. When the offset is greater than this rate, W32Time sets the computer clock directly. The default value for domain members is 300. The default value for stand-alone clients and servers is 1."

Found on this thread: (NOTE: you are using the authoritative method by default)
http://support.microsoft.com/kb/816042 
ChiefIT:  I reset the settings on both DCs to "not configured".  The Primary DC is still in sync using Symmtime.  I also changed the MaxAllowedPhaseOffset to 60 but machines still don't appear to be syncing with the primary DC.

On both DCs and most servers I now get the following:
W32Time Error, Event ID 29: The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible.  No attempt to contact a source will be made for 60 minutes. NtpClient has no source of accurate time.
W32Time Warning, Event ID 47: Time Provider NtpClient: No valid response has been received from  manually configured peer 192.168.1.24,0x1 after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with this DNS name.

Since the primary DC gets Event ID 47 as well it appears to be syncing with itself.

Please advise.
It sounds like port 123 is blocked;

check your software firewalls.

Also try:
w32tm /resync /rediscover
at the command prompt of troubled machines.

Yes, you are correct, the PDCe is still trying to synch with itself.
You know what, did you run GPupdate /force to make sure the policy changes are updated?

Also, check this out:
http://support.microsoft.com/kb/929276
I checked a few servers.  3 of them do not have Windows Firewall service enabled and there is no other software firewall.  A couple of others have the  Windows Firewall service enabled but it is turned off.  Could port 123 be blocked some other way?  How can I verify if port 123 is working?  Since it's UDP I cannot telnet to port 123.

When I try w32tm /resync /rediscover I get the following on all servers and my workstation:
Sending resync command to local computer...
The computer did not resync because no time data was available.
You can check this port with Port query. I think port query is a stand alone tool, so you might have to download it.

http://www.microsoft.com/downloadS/details.aspx?familyid=89811747-C74B-4638-A2D5-AC828BDC6983&displaylang=en

syntax:
portqry -n (IPaddress) -o 123 -p both

-where IPaddress of the computer you are querying.
-123 is the time port, you can query multiple ports by separating the ports by commas. example: 123,445,127,128.
-Where "both" is, you can define whether you want to see if the TCP side or UDP side or both sides to the port are listening.  

I ran gpupdate /force on the Primary DC.  The policy appears to have applied successfully as per the event log message.

I went to the other DC and tried w32tm /resync /rediscover and still get the following message:
Sending resync command to local computer...
The computer did not resync because no time data was available.

I also see that on the 2nd DC the following Warning came up W32Time Event ID 36: The time service has not been able to synchronize the system time for 86400 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.
On a troubled client, go to the command prompt and type:

w32tm /monitor
I ran the command on my workstation and the secondary DC.  Both get the same response:

DC01.cherrylane.local  ***  PDC  ***   [192.168.1.24]:
     ICMP: 0ms delay.
     NTP: error ERROR_TIMEOUT - no response from server in 1000ms
DC02.cherryland.local  [192.168.1.25]:
     ICMP: 0ms delay
     NTP: error ERROR_TIMEOUT - no response from server in 1000ms

I ran PortQry command as you stated from the 2nd DC querying the IP address of the Primary DC and get the following:
TCP port 123 <unknown service>: NOT LISTENING
UDP port 123 <ntp service>: LISTENING or FILTERED

Hmmmm......just for giggles...is the TCP Offload Engine (TOE) turned on on the NICs on the DCs? If so, turn it off or disable it in the NIC advanced properties. I've seen TOE cause ALL sorts of weird issues.
wantabe2:  on the DCs I disabled 2 NIC settings that were labeled with offload.  w32tm /monitor still brings up the same ERROR_TIMEOUT
Reading another post I ran DCDIAG on the 2 DCs.  Everything passes except 2 on both the DC's:
Starting test: Advertising
Warning: DC01 is not advertising as a time server.
DC01 failed test Advertising

Starting test: FsmoCheck
Warning: DcGetDcName<TIME_SERVER> call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName<GOOD_TIME_SERVER_PREFERRED> call failed, error 1355
A Good Time Server could not be located
...................... cherrylane.local failed test FsmoCheck.

Does this shed any light on the issue??
Which one of the two DCs holds the PDC enumerator role for the domain?
Adding to my last comment.... whichever DC holds the PDC enumerator is the DC that you need to make DOUBLE sure the time registry entries are correct. The PDC enumerator controls the time sync for the entire domain. When you ran the DCDIAG cmd above & got those errors, that tells me no one knows where the PDC enumerator is. That is why when you join a workstation to the domain it can't sync the time or does not do it correctly. Also, have you made a server upgrade or taken ANY domain controllers out of commission in the past few weeks or months? At this point you need to find out which servers hold the 5 FSMO roles & we can go from there. The fix may be as simple as finding who has the FSMO roles & transferring them to the other DC because it sounds like there is either no PDC enumerator on the domain or if there is one, it is not doing its job. Also, in troubleshooting this, have you done a DCPROMO at any time? YOU DON'T NEED TO at this point but thought I'd ask to try to figure this out.
Wantabe:  I have not done a server upgrade or taken any Domain Controllers offline in the past few weeks.  There was a problem with the original NT4 PDC server, which is still up and acting as a backup in the Mixed Mode environment.  I rebooted that server and its running fine now.  I have not done a DCPROMO at any time in the recent past or ever to my recollection. However, I'm not sure if it was part of the procedures to transition to a NT4/2003 Active Directory mixed mode environment years back.

Is there 1 document I can follow to make DOUBLE sure the time registry entries are correct on the Primary DC?  I have been through so many docs and articles in troubleshooting this that I want to be sure my settings are correct.

I'm also looking into the PDC enumerator and FSMO roles and will post back my findings or any questions.

thanks....
Wantabe:  I believe you mistyped and meant the PDC Emulator role.  

I have verified that DC01 is the master for all 5 FSMO roles.
Once again, what is the proper document I should follow to make DOUBLE sure that my primary PDC is acting as the appropriate time source for AD and that my workstations and servers will sync up to it?

I believe all settings are correct but perhaps something somewhere is still not right.

I am not experiencing an issue except that I know my workstations and server times are not in sync and I see the event log messages which I've posted throughout this article.  I want to get this sync'd up and working correctly.  I've tried to solve this numerous times in the past but can never figure it out, which is completely frustrating.  I would love to get this working once and for all.

Any further help is greatly appreciated.
I had to look this up:

It appears like the registry settings are pretty common, because this happened to a couple people.

According to this article, the phase offset keys need to be corrected:
http://office-outlook.com/outlook-forum/index.php?t=msg&th=157754/

The default values of these keys can be found on this web page:
http://support.microsoft.com/kb/816042
I've been through that article many times.  Just to confirm from what's been done with this case and the article above.

1) I'm syncing my PDC with outside time Source using Symmtime.
2) HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type is set to NT5DS on both DCs.
3) HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags is set to 10 on the PDC
4) HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer is set to time.windows.com, 0x1 on the PDC but this doesn't matter since it's set to use Symmtime to sync the PDC, correct?
5) I try w32tm /resync /rediscover but get the following error:
The computer did not resync because no time data was available.
6) I go into Start Run and type gpedit.msc on the PDC.  I go under Computer Configuration, Administrative Templates, System, Windows Time Server and Time Providers, everything is set to Not Configured.  I've done gpupdate /force to update the policy with no errors.
7) I do DCDIAG /v on the PDC emulator and get 'DC01 is NOT advertising as a time server'.  All Other advertising is OK.
8) I also get:
Starting test: FsmoCheck
Warning: DcGetDcName<TIME_SERVER> call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName<GOOD_TIME_SERVER_PREFERRED> call failed, error 1355
A Good Time Server could not be located
...................... cherrylane.local failed test FsmoCheck.
All other tests pass.

I am constantly looping around the same settings.  Could it be another policy somewhere which is preventing this?  I haven't used group or global policies so I'm not sure what to look for there.  I'm out of ideas.
Hmmm.....tell me more about Symmtime. Is this installed on every PC or just the DC or just one DC?

If I were you, just to get everything on the same page, I'd uninstall Symmtime from everything & use time.windows.com to get everything back on the same time before you start having really bad replication or active directory issues. You ask in #4 if it mattered if on the PDC it is using time.windows.com if it mattered. The answer is YES. Technically speaking, if the PDC is using Symmtime with the registry setting you listed above, it sounds like it is fighting over where to get the time from. It would be interesting to install Ethereal or wireshark on this server & monitor ALL incoming & outbound traffic. You'd probably see it getting time from two sources; time.windows.com & whatever Symmtime uses.

Help me out experts! I'm 99.9% sure I'm correct on this.
ASKER CERTIFIED SOLUTION
ChiefIT
Your cause may be that you are unable to connect to Windows time. So, the announcement flags are disabled.

Symmtime doesn't mess with registry keys, it just synchs your system clock up to an outside source.

The inability to synch to the outside source may be the problem with the synch flags.

My advice is to make sure, on that 2003 article;

your synch flags are set to the default values and make sure there are no local, group, or domain policies that are messing with you.
ChiefIT
I ran the Resultant Set of Policies on the PDC and see that the Default Domain Policy has the following under Computer Configuration\Administrative Templates\System\Windows Time Service : Global Configuration Settings are Enabled.
under Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers:
Enable Windows NTP Client = Enabled
Configure Windows NTP Client = Enabled
Enable Windows NTP Server = Disabled.

Is this Default Domain Policy my problem?  Should these settings be changed or will it affect the entire domain?  What should these be set to for the PDC and the rest of the computers on the network?

Thanks...
So I couldn't wait for an answer.  In Domain Policies under Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers I changed the setting for Enable Windows NTP Server to ENABLED.  This has enabled the setting on my entire network, correct?

DCDIAG runs on the PDC shows no failures, everything passes.  It verified that it now shows 'The DC DC01 is advertising as a time server'

w32tm /monitor from the second DC shows the following:
DC01.cherrylane.local *** PDC *** [192.168.1.24]
     ICMP: 0ms delay
     NTP: +0.0000000s offset from DC01.cherrylane.local
           RefID: 'LOCL' [76.79.67.76]
DC02.cherrylane.com [192.168.1.25]
     ICMP: 0ms Delay
     NTP: -236.7343750s offset from DC01.cherrylane.local
           RefID: unspecified / unsynchronized [0.0.0.0]

On the secondary DC (DC02), which is about 4 min off from the PDC, if i type w32tm /resync /rediscover I get the following almost immediately:
Sending resync command to local computer...
The computer did not resync because only stale time data was available.

If I type net time /domain from DC02 it shows me the time from itself.  It appears DC02 is syncing to itself and this is why it says only stale time data is available.

If I type net time /domain from my Workstation it shows me the time on the PDC.

The LMCHECK app now shows Worst Variance >10 mins and Avg Variance >1 min

The PDC is now advertising as a time server which is good.  However, in changing the default domain policy setting and applying that setting to all machines on the domain, is that the way things are supposed to be?  Thanks...
Network time is now syncing.  DC02 is in sync with DC01.  I guess it just needed time for it to sync up.  Except for the old NT4 machines, which i have to set manually, all workstations are within a few seconds of DC01.  LMCheck shows average variance of < 1/2 sec.

Changing the default domain policy was the answer to my problem.  But before I accept that as a solution, are there any other implications to the change I describe above made to the default domain policy?

thanks...
I am sorry, I ended up working on a patch that Microsoft sent out and was rebooting Domain controllers for many folks in EE.

I don't know what you mean by asking if there are any implications to changing the policies. You just reverted back to unconfigured. This is the default method for the system. For time, this is how it is supposed to work. So, you are where you need to be with that policy. It will not affect other machines.

Your workstations and other servers should be synching up to your PDCe now, (EXCEPT, your NT4 machines as you noticed).

Those NT4 machines can also use Symmtime. Symmtime works for them as well.
Hi ChiefIT

I'm confused by your comment "you just reverted back to unconfigured".  See my posts above from 9/21 where I ran the resultant set of policies.  What I did was in Default Domain Policy under Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers I changed the setting for Enable Windows NTP Server to ENABLED.  This was the only thing set to DISABLED.  Hence, the Default Domain Policy setting was changed for all computers on the network not just the PDC.  When I rerun Resultant Set of Policies it now shows all settings enabled under \computer configuration\Administrative Templates\System\Windows Time Service.

Everything is working, I'm just not sure if these are the correct settings for the Default Domain Policy.

I hope my confusion is clear??
Oh, that's correct.

NTP is the synchronization protocol for time. Enabling it allows clients and servers to synch. However, NTP is an older protocol. You might want to read this article.

http://www.ntp.org/

As well as SNTP RFCs. (request for Comments).
http://www.eecis.udel.edu/~mills/database/rfc/rfc2030.txt

I think you want SNTP enabled on all clients and servers. By default that should be enabled. That's why I think NTP was disabled.

In other words, you are using an older protocol to do the same thing you wanted to do.

Time is syncing with NTP but now I'm confused on how SNTP is supposed to play into this.
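
The thread asks how to verify UDP port 123 when telnet cannot, and PortQry could only report "LISTENING or FILTERED" because a UDP port that stays silent looks the same either way. As an added example that is not part of the original thread, this Python sketch sends one SNTP (RFC 2030) request and validates the reply, decoding the same fields w32tm /monitor prints (offset, RefID such as 'LOCL' [76.79.67.76]). The function names and the sample replies are constructed for this illustration.

```python
import socket
import struct
import time

NTP_DELTA = 2208988800  # seconds between the NTP epoch (1900) and the Unix epoch (1970)

def to_ntp(unix_time):
    """Unix seconds -> 8-byte NTP timestamp (32-bit seconds, 32-bit fraction)."""
    secs = int(unix_time)
    return struct.pack("!II", secs + NTP_DELTA, int((unix_time - secs) * 2**32))

def from_ntp(raw):
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_DELTA + frac / 2**32

def build_request(t1, version=3):
    """48-byte client packet: LI=0, VN=version, Mode=3 (client), transmit time = t1."""
    return struct.pack("!B39x", (version << 3) | 3) + to_ntp(t1)

def decode_refid(stratum, refid):
    """Stratum 0/1 carries a 4-character ASCII code, higher strata an IPv4 address."""
    dotted = ".".join(str(b) for b in refid)
    if stratum <= 1 and any(refid):
        return "'%s' [%s]" % (refid.decode("ascii", "replace").rstrip("\x00"), dotted)
    return dotted

def parse_response(pkt, request, t4):
    """Validate a server reply against the request we sent; t4 = local receive time."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(pkt))
    first, stratum = pkt[0], pkt[1]
    problems = []
    if first & 7 != 4:
        problems.append("mode is not 4 (server)")
    if first >> 6 == 3:
        problems.append("leap indicator 3: server clock is unsynchronized")
    if stratum == 0:
        problems.append("stratum 0: unspecified")
    if pkt[40:48] == b"\x00" * 8:
        problems.append("transmit timestamp is zero")
    if pkt[24:32] != request[40:48]:
        problems.append("originate timestamp does not echo our request")
    t1 = from_ntp(request[40:48])
    t2, t3 = from_ntp(pkt[32:40]), from_ntp(pkt[40:48])
    return {
        "stratum": stratum,
        "refid": decode_refid(stratum, pkt[12:16]),
        "offset": ((t2 - t1) + (t3 - t4)) / 2,  # server clock minus local clock
        "delay": (t4 - t1) - (t3 - t2),         # round trip minus server hold time
        "problems": problems,
    }

def query(host, timeout=1.0):
    """Live check; socket.timeout here means no NTP reply arrived within `timeout`."""
    request = build_request(time.time())
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, 123))
        pkt, _ = s.recvfrom(512)
    return parse_response(pkt, request, time.time())

# --- constructed sample data (not captured traffic) ---
T1, T4 = 1253500000.0, 1253500000.5  # local send and receive times

def sample_response(request, server_time, li, stratum, refid):
    head = struct.pack("!BBbb", (li << 6) | (3 << 3) | 4, stratum, 6, -6)
    ts = to_ntp(server_time)
    # root delay + dispersion, refid, reference, originate (echo), receive, transmit
    return head + b"\x00" * 8 + refid + ts + request[40:48] + ts + ts

def demo_healthy():
    req = build_request(T1)
    return parse_response(sample_response(req, T1 + 0.25, 0, 1, b"LOCL"), req, T4)

def demo_unsynced():
    req = build_request(T1)
    return parse_response(sample_response(req, T1 + 237.0, 3, 0, b"\x00" * 4), req, T4)

if __name__ == "__main__":
    print(demo_healthy())
    print(demo_unsynced())
```

A `socket.timeout` raised by `query()` is the same condition as the ERROR_TIMEOUT lines in the w32tm /monitor output quoted earlier: the request left, but no NTP server answered it.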