Lofty Worm asked:

NTP Windows 2003 not working.

OK, I have a weird one.
I have set the GPO to look at our time server; all servers are supposed to look at ntp.us.edu
But I started getting lots of these id:50 errors on all our servers (below).
Turns out they are all looking at time.windows.com, the default!
So I checked with rsop.msc and gpresult, and the servers ARE getting and applying the GPO.
Looking online, everything I see says that the registry needs to be modified at HKLM\services\w32time.  But my adm file is modifying HKLM\software\Policies\W32time.

So I thought my adm file was corrupted and wrong, but when I loaded a brand new test domain and looked at the adm files, they also look at HKLM\software\Policies\W32time.

I am so confused, and Google is not helping. Can anyone help me out?
Event Type:	Warning
Event Source:	W32Time
Event Category:	None
Event ID:	50
Date:		4/13/2009
Time:		10:31:25 AM
User:		N/A
Computer:	SERVER
Description:
The time service detected a time difference of greater than 128 milliseconds  for 90 seconds. The time difference might be caused by synchronization with  low-accuracy time sources or by suboptimal network conditions. The time service is no longer synchronized and cannot provide the time to other clients or update  the system clock. When a valid time stamp is received from a time service  provider, the time service will correct itself.   
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


oBdA

May I ask why you configured all your clients to use an outside time source anyway?
AD already has a default time sync hierarchy in place, there is usually no need to change anything except letting the PDC emulator sync with an outside source. DCs will sync with the PDCe, members will sync with the DC authenticating them.
Undo the time service GPO for a test machine, and check if the normal time sync is working.
You can force a sync using
w32tm /resync
If the client has problems syncing, run the following commands on it to reset the time service to its default values:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
w32tm /resync

You can configure the PDCe using
w32tm /config /update /manualpeerlist:<ntp-server>,0x8 /syncfromflags:MANUAL
w32tm /resync
Lofty Worm

ASKER

It was a management decision.  I am trying to change minds, but I will see.

Why is the GPO not updating the correct keys?

I will try to reset it to default and see if it will at least look at the PDC.
What is the command to see what server it is looking at for the current time?
I used net time /querysntp before, and it returned time.windows.com,0x1

Now I have reset it to defaults using the commands above, but I am not sure how to validate it is looking at the right place. The old command says:
This computer is not currently configured to use a specific SNTP server.
The keys are configured correctly; the time service will simply give the entries in the "Policies" key priority if they are configured.
It's designed like that so that the policies can be set and revoked without having to change the default values of the restricted object.

If the machine is configured to use the domain hierarchy, the manually configured time server will NOT be used.
Enter
w32tm /dumpreg /subkey:parameters
and check the value for "Type"; this should be "NT5DS" for the domain hierarchy; NTP would be manual sync (assuming that the GPO doesn't apply anymore, because the policies have priority).
So I am more confused now.  I can make the gpo, but it is ignored until I run a command?  Is there another GPO I can use to say "follow what I set in the GPO"

My fixed (now using hierarchy, not external source as my final goal) server has NT5DS

While an unfixed server also has NT5DS;
C:\Documents and Settings>w32tm /dumpreg /subkey:parameters

Value Name      Value Type          Value Data
-------------------------------------------------

ServiceMain     REG_SZ              SvchostEntry_W32Time
ServiceDll      REG_EXPAND_SZ       C:\WINDOWS\system32\w32time.dll
NtpServer       REG_SZ              time.windows.com,0x1
Type            REG_SZ              NT5DS


C:\Documents and Settings>net time /querysntp
The current SNTP value is: time.windows.com,0x1


Again: if the NTP service finds settings in the policies key, then those will override the default settings in HKLM\...\services\w32time\...
And whatever you get with "net time /querysntp" is *ONLY* valid if the time service is *NOT* using the domain hierarchy. With a type of NT5DS, the NtpServer will be *ignored*.
oBdA, Thank you for your continued effort on this, I am grateful.

I understand, but perhaps I am not expressing the problem correctly.

There *are* (GPO applied correctly) registry entries for HKLM\software\policies\Microsoft\W32time\Parameters
NtpServer        ntp.us.edu
Type                    NTP

*BUT*
The net time command is still returning time.windows.com *and* the type is still reported as NT5DS.
"net time" dates back to NT and will not look for the policy entries; and the type found in the \services\ key (as reported by /dumpreg) will be overridden with the policy value. All the usual commands will only return the default values, not the ones from the policy.
I ran the w32tm /dumpreg /subkey:parameters command on the problem server and it returned this:

Value Name      Value Type          Value Data
-------------------------------------------------

ServiceMain     REG_SZ              SvchostEntry_W32Time
ServiceDll      REG_EXPAND_SZ       C:\WINDOWS\system32\w32time.dll
NtpServer       REG_SZ              time.windows.com,0x1
Type            REG_SZ              NT5DS

This is the same server that has the proper reg values;
(GPO applied correctly) registry entries for HKLM\software\policies\Microsoft\W32time\Parameters
NtpServer        ntp.us.edu
Type                    NTP

That means that this server will manually update and contact ntp.us.edu to sync its time.
Note that if ntp.us.edu (can you actually resolve that name?) isn't a Windows time server, you might have to add ,0x8 at the end of the name, making it ntp.us.edu,0x8; the 0x8 tells the time service to access the time server in client mode.
It is not a Windows time source, it's Linux.  I will add the 0x8 and get back to you tomorrow (HR work sucks :( )
Ok, I changed the GPO to look at ntp.server.us,0x8
Still not working :(
I get this;
*******************************
C:\Documents and Settings\>net time /querysntp
The current SNTP value is: time.windows.com,0x1

The command completed successfully.
************************************
C:\Documents and Settings\>w32tm /dumpreg /subkey:parameters

Value Name      Value Type          Value Data
-------------------------------------------------

ServiceMain     REG_SZ              SvchostEntry_W32Time
ServiceDll      REG_EXPAND_SZ       C:\WINDOWS\system32\w32time.dll
NtpServer       REG_SZ              time.windows.com,0x1
Type            REG_SZ              NT5DS
***************************************
And the reg keys are HKLM\Software\polices\Microsoft\W32time\Parameters
************************************
NtpServer          ntp.server.edu,0x8
Type                   NTP
***********************************
Again: if you're using policies to configure the NTP server, the service settings ("/querysntp", "/dumpreg") have no meaning at all.
You either have a problem with your GPOs, or you're trying to obfuscate the server you're using, and doing so inconsistently.
> "Ok, I changed the gpo to look at ntp.server.us,0x8"
> "reg keys are HKLM\Software\polices\Microsoft\W32time\Parameters [...] ntp.server.edu,0x8
And I ask again: can you actually resolve ntp.server.edu / ntp.server.us to an IP address?
What happens when you run
w32tm /resync
Why don't you try the way Microsoft is implementing time sync by default, which guarantees that the domain members have the same time as the DCs, and leaves you with only one server to manually configure one single time?
> Again: if you're using policies to configure the NTP server, the service settings ("/querysntp", "/dumpreg") have no meaning at all.
I understand, let me explain why I am using it.  /querysntp will tell me if it is using a time server at all or the default hierarchy; I tested this on another server.
I used /dumpreg as I thought you had said this is how you check to see what NTP is set to, as the /querysntp is unreliable.  If this is not the case, how do I check if the server is using NTP, and what that NTP server is?
> You either have a problem with your GPOs, or you're trying to obfuscate the server you're using, and doing so inconsistently.
DOH! Yes, I was trying to obfuscate, and not doing such a good job :)

> > "Ok, I changed the gpo to look at ntp.server.us,0x8"
> > "reg keys are HKLM\Software\polices\Microsoft\W32time\Parameters [...] ntp.server.edu,0x8
> And I ask again: can you actually resolve ntp.server.edu / ntp.server.us to an IP address?
Yes, ntp.server.edu does resolve, and I am able to ping it with no issues.
> What happens when you run
> w32tm /resync
"Sending resync command to local computer..."
"The command completed successfully"
> Why don't you try the way Microsoft is implementing time sync by default, which guarantees that the domain members have the same time as the DCs, and leaves you with only one server to manually configure one single time?
Management and bureaucracy.  My manager found it this way and does not want to change it, although I am pushing to do this as a best practice.  I hope I can, but at this point, I am being directed to "make it go".
Let me reiterate:
"net time /querysntp" will ONLY return a useful value IF AND ONLY IF
- the machine is NOT using the domain hierarchy
- the time settings are NOT configured through a GPO
"net time" is deprecated; don't use unless you know what to expect.

If "w32tm /resync" comes back clean, then the time service is configured, well, "correctly" in that it is able to set the time to something resembling the time on the ntp server. The actual results differ from how well the clients can access this server and are able to determine the lag caused by the network connection. These issues are drastically reduced when using a time server (namely the PDCe) that's in your LAN for the majority of your clients, and only sync this single server with an external source.
Are you saying that;
because the Reg Key has a correct value, and the w32tm /resync worked, that the server is syncing with the configured time server?  How do I know what server it is syncing with?
ASKER CERTIFIED SOLUTION
oBdA
This solution is only available to members.
OK, not sure how to work this one out, but my great thanks to oBdA for patience and time.
My question was how to get my time to sync with an NTP server, which I was not able to get to work, BUT I did find that the best practice for the domain is to set servers to look at the DCs, and I was able to push a new GPO to reset all the servers.  In addition, the commands I was using during my testing were not telling me the whole truth, and to find out the current server you are syncing with, look in the event viewer after restarting the time service.

Thanks again to oBdA for all the hard work!
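
The precedence oBdA describes in this thread (values under the Policies key override the service key that `net time /querysntp` and `w32tm /dumpreg` report, and a Type of NT5DS ignores NtpServer), as an added PowerShell example that is not part of the original thread. It assumes PowerShell 2.0 or later is installed on the server; the function names are hypothetical, and the sample values are constructed from the ones quoted above.

```powershell
# Added example: which time source wins, per the precedence described in the thread.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'        # written by the GPO
$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'  # what /dumpreg shows

function Read-TimeParameters([string]$Path) {
    # Hashtable holding whichever of Type / NtpServer exist under $Path (empty if the key is absent).
    $found = @{}
    if (Test-Path $Path) {
        $props = Get-ItemProperty -Path $Path
        foreach ($name in 'Type', 'NtpServer') {
            if ($props.$name) { $found[$name] = [string]$props.$name }
        }
    }
    return $found
}

function Resolve-TimeSource([hashtable]$Policy, [hashtable]$Service) {
    # A value present in the policy key overrides the same value in the service key.
    $eff = @{}; $origin = @{}
    foreach ($name in 'Type', 'NtpServer') {
        if ($Policy.ContainsKey($name))      { $eff[$name] = $Policy[$name];  $origin[$name] = 'policy' }
        elseif ($Service.ContainsKey($name)) { $eff[$name] = $Service[$name]; $origin[$name] = 'service' }
    }
    # The manual peer list is only consulted for Type NTP (or AllSync); NT5DS ignores it.
    $peers = @()
    if (($eff['Type'] -eq 'NTP' -or $eff['Type'] -eq 'AllSync') -and $eff['NtpServer']) {
        foreach ($entry in ($eff['NtpServer'] -split '\s+')) {
            $hostName, $flagText = $entry -split ',', 2
            $flags = 0
            if ($flagText) { $flags = [Convert]::ToInt32($flagText, 16) }
            # 0x8 is the client-mode flag discussed in the thread.
            $peers += New-Object PSObject -Property @{
                Peer = $hostName; Flags = $flagText; ClientMode = (($flags -band 0x8) -ne 0)
            }
        }
    }
    New-Object PSObject -Property @{
        Type = $eff['Type']; TypeFrom = $origin['Type']
        UsesDomainHierarchy = ($eff['Type'] -eq 'NT5DS' -or $eff['Type'] -eq 'AllSync')
        ManualPeers = $peers
    }
}

# Constructed sample: the policy and service values quoted in the thread for the problem server.
$policy  = @{ Type = 'NTP';   NtpServer = 'ntp.us.edu,0x8' }
$service = @{ Type = 'NT5DS'; NtpServer = 'time.windows.com,0x1' }
Resolve-TimeSource $policy $service | Format-List
# On a live machine: Resolve-TimeSource (Read-TimeParameters $PolicyKey) (Read-TimeParameters $ServiceKey)
```

This reports only what the registry configures; the peer the service actually synchronized with is still confirmed from the W32Time events logged after the service restarts, as the closing post notes.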