Solved

NET TIME - how do I find where my DC is getting its time from?

Posted on 2004-10-05
Last Modified: 2010-08-05
Just while examining some domain time settings, the question came up: "where does the DC get its time from?"

net time /querysntp
shows no sntp servers available

Does this mean that we're running in our own little time bubble?

0
Comment
Question by:DanCh99
 
LVL 16

Expert Comment

by:JamesDS
ID: 12228521
DanCh99

If your DC is also the PDCEmulator for your domain then it is getting it from nowhere and the Application event log will be logging W32Time errors occasionally (yellow ones!).

If your DC is NOT the PDCE then it will be getting its time from the PDCE for your domain.

See my next (rather long) post about diagnosing and fixing timesync issues if you have a problem with it.

Cheers

JamesDS
0
 
LVL 16

Accepted Solution

by:
JamesDS earned 250 total points
ID: 12228527
DanCh99
Fixing timesync is different according to the machine type...

If it's a Member Server, standard Domain Controller (not a PDCEmulator) or standard workstation then behave as if it's a member server (below).
If it's a PDCEmulator then make sure you allow port 123 TCP/UDP outbound on your firewall and configure the external Microsoft time service by entering this at the command line:
NET TIME /SETSNTP:time.windows.com

If it's a workstation, member server or a standard Domain Controller:

Members of the Active Directory sync with their local DC (local as in local AD site). The DCs then sync with the PDCEmulator, so the PDCE is the root of all time - as it were!

Diagnosis of timesync errors is difficult, but do not be tempted to use NET TIME /SETSNTP: on all machines in the domain (as suggested to many questions like this one, unless it's a PDCE), as it specifically overrides the natural internal operation of the time service within Active Directory.

These commands are written for Windows 2003 and Windows XP. There are some equivalents for Windows 2000; use W32tm /? or W32Time /? from the command line to look for alternatives on older OSs.

Use NET TIME /SETSNTP:
to clear any entry and return to the default settings

Use NET TIME /SET /YES
to synch NOW with your authenticating DC and begin the diagnosis:

Start by verifying your domain is synching AD by using REPLMON.EXE in the support tools pack on the Windows installation CD.

If this is OK then run this from the command line:
W32TM /monitor

to ensure that each member server/workstation is actually pointing to a DC.

If this is OK then run this from the command line:
W32TM /resync /rediscover

followed by:
W32TM /resync /nowait

and check the system eventlog for W32TIME errors. This process does a full reset and recheck of the time system as it relates to one member machine on your AD.

Post any errors here

Explanation of why it doesn't always instantly set the right time:
Timesync works as follows:

If the local clock time of the time client is behind the current time received from the time server, W32Time will change the local clock time immediately.
If the local clock time of the time client is more than three minutes ahead of the time on the time server, W32Time will change the local clock time immediately.
If the local clock time of the time client is less than three minutes ahead of the time on the server, W32Time will quarter or halve the clock frequency for long enough to bring the clocks into sync. If the client is less than 15 seconds ahead, it will halve the frequency; otherwise, it will quarter the frequency. The amount of time the clock spends running at an unusual frequency depends on the size of the offset that is being corrected.

W32Time will periodically check its local time with the current time by connecting to the time source. This process starts as soon as the service turns on during system start-up. W32Time attempts synchronization every 45 minutes until the clocks have successfully synchronized three times. When the clocks are correctly synchronized, W32Time then synchronizes at eight-hour intervals, unless there is a failure to obtain a timestamp, or a validation failure. If there is a failure, the process starts over from the beginning.

Set it by hand (or with the command NET TIME /SET /YES) as close as you can and then simply leave it to sort itself out.


Cheers

JamesDS
0
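
The correction and polling rules described in the accepted answer, modelled as an added PowerShell example (not part of the original posts and not W32Time's own code). The function names, the handling of the exact 15-second and three-minute boundaries, and the convergence formula (which assumes the server clock runs at normal speed) are assumptions.

```powershell
# Added illustration: a model of the rules quoted above. It never reads or sets the clock.
function Get-W32TimeCorrectionPlan {
    # SecondsAhead: client time minus server time; negative means the client is behind.
    param([Parameter(Mandatory)] [double] $SecondsAhead)

    if ($SecondsAhead -eq 0) { $action = 'None'; $rate = 1.0 }
    elseif ($SecondsAhead -lt 0 -or $SecondsAhead -gt 180) {
        # Behind the server, or more than three minutes ahead: set immediately.
        $action = 'Step'; $rate = 1.0
    }
    else {
        # Up to three minutes ahead: slow the clock rather than jump backwards.
        # Assumption: exactly 15 s is quartered and exactly 180 s is slewed.
        $action = 'Slew'
        $rate = if ($SecondsAhead -lt 15) { 0.5 } else { 0.25 }
    }
    # Assumption: at rate r the gap closes by (1 - r) seconds per real second.
    $seconds = if ($action -eq 'Slew') { $SecondsAhead / (1 - $rate) } else { 0 }
    [pscustomobject]@{
        Action            = $action
        ClockRate         = $rate
        SecondsToConverge = [math]::Round($seconds, 1)
    }
}

function Get-W32TimePollSchedule {
    # Outcomes: $true for a successful sync, $false for a failure, in order.
    param([bool[]] $Outcomes)
    $streak = 0
    foreach ($ok in $Outcomes) {
        # A failure starts the process over from the beginning.
        $streak = if ($ok) { $streak + 1 } else { 0 }
        # Minutes until the next attempt: 45 until three successes, then eight hours.
        if ($streak -ge 3) { 480 } else { 45 }
    }
}

# Constructed sample offsets (seconds ahead of the server; the last one is behind).
10, 15, 120, 240, -30 |
    ForEach-Object { Get-W32TimeCorrectionPlan -SecondsAhead $_ } | Format-Table

# Constructed outcome sequence: three successes, one failure, then a success.
(Get-W32TimePollSchedule -Outcomes $true, $true, $true, $false, $true) -join ', '
```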
 
LVL 23

Author Comment

by:DanCh99
ID: 12235917
James, thanks for the comprehensive info
yep, the DC is also the PDCE.  Replication seems ok.  

I applied the NET TIME /SETSNTP:time.windows.com command, and that seemed ok, and then to test, I used W32TM -s but this gave the error
RPC to local server returned 0x0

and I also saw event log error:

Event Type:      Warning
Event Source:      w32time
Event Category:      None
Event ID:      54
Date:            06/10/2004
Time:            10:56:26
User:            N/A
Computer:      LGLONA01
Description:
The Windows Time Service was not able to find a Domain Controller. A time and date update was not possible.

This is the same error that we've seen earlier on in the logs.  I think the firewall may need opening up as you stated, so that's what I'll do next.  
btw, w32tm /monitor didn't produce any response on my w2k boxes (just showed the available switches) - I guess what we're looking for is the name of the time source that each server is using.  
So, I used w32tm -v on different servers, and once you wade through the dross, it shows that the DC is trying to get to time.microsoft.com, and that other servers are looking to the DC.
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12236070
DanCh99
It sounds ok, but I don't like the look of that event log message. I would have expected it to say "The Windows Time Service was not able to find an accurate Time Source. A time and date update was not possible" if it was the firewall, but I could be wrong there!

Download DUMPFSMOS from here and just confirm that the DC you are working on is the PDCE
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/dumpfsmos-o.asp

The W32tm switches I provided are mostly for XP and 2003, some of them have equivalents on 2000, but not all.

Cheers

JamesDS
0
 
LVL 23

Author Comment

by:DanCh99
ID: 12258926
I've done dumpfsmos, and it's def the PDCE.  
I'm getting a bit of flak from the security folk here about opening up 2 firewalls, so I may do an alternative tack and set it to synch with our proxy server, which is in the dmz, and already synching to an external source.  That way I only have to go thru 1 firewall.
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12265583
DanCh99
Opening up your firewall to allow port 123 outbound only for one server only is hardly a security risk. Tell your security folks to read up on the NTP protocol and see if they can find any exploits!

Syncing to the Proxy server is fine, so long as you have configured it as a time server. DCs are the only things that configure themselves as time servers by default so you will probably need additional software to do it.

Cheers

JamesDS
0
 
LVL 23

Author Comment

by:DanCh99
ID: 12297775
yep, you were right, my workaround won't work.  I'll see about this second firewall now.  
just in case it helps anyone else peeking through here, the time settings are all stored here:

http://www.jsiinc.com/SUBE/tip2200/rh2273.htm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer

btw, our kix login script runs
settime @lserver
but as AD keeps on top of time synching, I guess this is unnecessary for all 2k clients.
0
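
One way to answer the original question from the registry key mentioned above, as an added PowerShell example that is not part of the thread. The function name is hypothetical, and the `Type` value with its settings (`NT5DS`, `NTP`, `AllSync`, `NoSync`) under the same key is not mentioned on the page.

```powershell
# Added example, not from the thread: interpret the W32Time Parameters key.
function Get-ConfiguredTimeSource {
    param([string] $Type, [string] $NtpServer, [bool] $IsPdce)

    # NtpServer holds space-separated peers, each optionally followed by ",0x<flags>".
    $peers = @($NtpServer -split '\s+' | Where-Object { $_ } |
        ForEach-Object { ($_ -split ',')[0] })
    $manual = if ($peers) { "manual peers: $($peers -join ', ')" } else { 'no manual peers set' }
    $domain = if ($IsPdce) {
        'PDC emulator, so nothing above it in this domain'
    } else {
        'domain hierarchy (a DC, ultimately the PDC emulator)'
    }

    switch ($Type) {
        'NTP'     { $manual }                      # only the NtpServer list is used
        'NT5DS'   { $domain }                      # only the domain hierarchy is used
        'AllSync' { "$domain; $manual" }           # both mechanisms are used
        'NoSync'  { 'synchronisation disabled' }
        default   { "unrecognised Type value '$Type'" }
    }
}

# Constructed values: a PDC emulator without and with a manual peer.
Get-ConfiguredTimeSource -Type 'NT5DS' -NtpServer '' -IsPdce $true
Get-ConfiguredTimeSource -Type 'NTP' -NtpServer 'time.windows.com,0x1' -IsPdce $true

# Live read on the machine being checked.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$p = Get-ItemProperty -Path $key
try {
    Add-Type -AssemblyName System.DirectoryServices
    $pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().PdcRoleOwner.Name
    $isPdce = ($pdc -split '\.')[0] -ieq $env:COMPUTERNAME
} catch {
    $isPdce = $false   # not domain-joined, or no DC reachable
}
Get-ConfiguredTimeSource -Type $p.Type -NtpServer $p.NtpServer -IsPdce $isPdce
```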
 
LVL 16

Expert Comment

by:JamesDS
ID: 12298145
DanCh99

yup, you should let the service do its own timesyncing. Any Windows 2000, 2003, XP machine on the domain will sync automatically.

Cheers

JamesDS
0
 
LVL 23

Author Comment

by:DanCh99
ID: 12379499
James, ta for all the info.  Really useful.
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 12380069
DanCh99

Welcome, glad to help
Cheers

JamesDS
0
