Windows Server PDC Emulator Sync Issue with Manually Configured NTP Server

The Need
In an Active Directory environment, the PDC emulator provides time synchronization for the domain. This is important since Active Directory uses Kerberos for authentication. By default, if the time difference between systems is off by more than five minutes, network login and authentication fail. I am not sure if anyone else has run into this problem or not. There seem to be various reasons for time sync problems, but I found this an odd problem/solution. Recently, as part of the move off of Windows Server 2003 domain controllers, I had to move the FSMO roles from our 2003 DCs to 2008. The 2003 server was set to sync its time, and therefore the domain, against a Cisco switch. I made a screen capture of the current settings as shown below:

[Screenshot: NTP1.jpg]

As per a number of Microsoft Knowledge Base articles, I manually configured the new time servers via the command line with the following commands:

W32tm /config /manualpeerlist: /syncfromflags:manual /reliable:yes /update
Net stop w32time
Net start w32time


However, two days later, I received a call about authentication problems. It seems the time on all of the systems was off by 20 minutes, even the time on the new PDC Emulator. When running the command:

w32tm /query /status

the server indicated it was performing its synchronization from the local CMOS clock.

[Screenshot: ntp2.jpg]

Since this server was running in a virtual environment, my first thought was to verify it was not syncing against the host, which it was not. Next, I checked the configuration via the command line, which also indicated it was taking its time from the local CMOS clock.

[Screenshots: ntp3.jpg, ntp4.jpg]

The Solution
Pretty much the entire company had now been down for nearly three hours while we tried to resolve this problem. My co-workers and I had probably read every article on setting the NTP time server on a PDC emulator, and reviewed various other articles on sync problems, yet nothing we tried seemed to force the server to sync with our NTP server. I decided to open a Microsoft support case. Once connected via a web session, the support engineer reviewed the settings on both servers. There was one attribute that he noted needed to be changed. In the registry key HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters there is a value called “Type”. By default, this is set to NT5DS. He referred me to Microsoft KB 816042, “How to configure an authoritative time server in Windows Server” (https://support.microsoft.com/en-us/kb/816042). This article explains that the setting NT5DS needs to be changed to NTP. It was already set that way on the previous 2003 server, but since nothing I had read indicated it needed to be changed, I had left it at the default value. I changed the registry value, stopped and started the W32time service, then checked the status. Now, the status showed the IP address of the NTP server in the “ReferenceID” line. I have blacked it out in the screenshot below. However, if you refer to the first query screenshot shown previously, you will see it showed the source as “LOCL”.

[Screenshot: ntp5.jpg]

The Analysis
The question is why we did not find any reference to changing the default NT5DS. A coworker started to look deeper into that setting. He located Microsoft KB 223184, which was written for Windows 2000 (https://support.microsoft.com/en-us/kb/223184). It provides the following information on this registry entry:

Type : REG_SZ
Used to control how a computer synchronizes.
Nt5DS = synchronize to domain hierarchy [default]
NTP = synchronize to manually configured source
NoSync = do not synchronize time 

Also, you may have noticed in the first screenshot that besides the IP address for the NTP server there was an entry of “0x8”. This needs to be added to have the server send the request in client mode. This is explained in Microsoft KB 875424 (https://support.microsoft.com/en-us/kb/875424). The flag values are as follows:

  • 0x1 – use special poll interval SpecialInterval
  • 0x2 – UseAsFallBackOnly
  • 0x4 – send request as SymmetricActive mode
  • 0x8 – send request as Client Mode
Basically, in order to make the PDC emulator sync with a non-Windows, outside source, the registry entry should look like the screenshot below (real address blacked out). This will help avoid potential domain problems due to authentication and time synchronization.
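The following PowerShell audit is an added example and not part of the original article: it checks, on a PDC emulator, the three things discussed above (the Type value, the 0x8 flag on each NtpServer peer, and what w32tm reports as its source) and warns about each one that is wrong. It assumes it is run with administrator rights on the server itself and that NtpServer uses the standard “host,0xN host2,0xN” layout.

```powershell
# Added audit script, not from the article: flags the W32Time settings the article
# identifies when a PDC emulator silently falls back to its local CMOS clock.
# Assumes it runs elevated on the PDC emulator; NtpServer uses the standard
# "host,0x8 host2,0x9" layout and w32tm prints a "Source: ..." line.
$params    = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$type      = (Get-ItemProperty -Path $params -Name 'Type').Type
$ntpServer = (Get-ItemProperty -Path $params -Name 'NtpServer' -ErrorAction SilentlyContinue).NtpServer
$problems  = @()

# 1. A manual peer list is ignored while Type is still NT5DS (domain hierarchy).
if ($type -ne 'NTP') {
    $problems += "Type is '$type'; must be 'NTP' for the manual peer list to be used (KB 816042)."
}

# 2. Each peer in NtpServer needs the 0x8 (client mode) flag; a bare address has no flags.
if ([string]::IsNullOrWhiteSpace($ntpServer)) {
    $problems += 'NtpServer is empty; no manual peer is configured.'
} else {
    foreach ($peer in ($ntpServer.Trim() -split '\s+')) {
        $peerHost, $flagText = $peer -split ',', 2
        $flags = if ($flagText) { [Convert]::ToInt32($flagText, 16) } else { 0 }
        if (($flags -band 0x8) -eq 0) {
            $problems += "Peer '$peerHost' lacks the 0x8 client-mode flag (KB 875424)."
        }
    }
}

# 3. Ask the service what it is really using; a 'Local CMOS Clock' source means the
#    configured peer is being ignored, exactly the symptom in the article.
$source = 'unknown'
foreach ($line in (w32tm /query /status)) {
    if ($line -match '^Source:\s*(.+)$') { $source = $Matches[1].Trim() }
}
if ($source -like 'Local CMOS Clock*') {
    $problems += "w32tm reports source '$source'; the server is not syncing with any peer."
}

if ($problems.Count -eq 0) {
    Write-Output "OK: Type=$type; NtpServer='$ntpServer'; Source=$source"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it before and after changing the registry values and restarting W32Time; a clean run should show Type=NTP and a Source line naming your NTP server rather than the CMOS clock.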

[Screenshot: ntp6.jpg]

Thank you for reading my article. I hope you find it useful and that it either helps you avoid a potential time synchronization problem or helps you resolve an issue in your environment. If you found it helpful, please indicate so with the button below this article. Any feedback is appreciated.

Thank you, 
Rodney Barnhardt
 
6
Comment
2 Comments
 

Expert Comment by Justin Moore:
Great article. Very informative.

Expert Comment by Jeff Yentz:
Awesome article Rodney! The 0x8 was missing on mine. Put it in and voila! Thanks!