Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 700
  • Last Modified:

NTP Windows 2003 not working.

ok,  have a weird one.
 have set the GPO to look at our time server, all servers are supposed to look at ntp.us.edu
But I started getting lots of these id:50 errors on all our servers (below).
Turns out they are all looking at time.windows.com, the default!
So I checked with rsop.msc and gpresult, and the servers ARE getting and applying the GPO.
Looking online, everything I see says that the registry needs to be modified at HKLM\services\w32time.  But my adm file is modifying HKLM\software\Policies\W32time.

So I thought my adm file was corrupted and wrong, but when I loaded a bran new test domain and looked at the adm files, they also look at HKLM\software\Policies\W32time.

I am so confused, and google is not helping, can anyone help me out?
Event Type:	Warning
Event Source:	W32Time
Event Category:	None
Event ID:	50
Date:		4/13/2009
Time:		10:31:25 AM
User:		N/A
Computer:	SERVER
Description:
The time service detected a time difference of greater than 128 milliseconds  for 90 seconds. The time difference might be caused by synchronization with  low-accuracy time sources or by suboptimal network conditions. The time service is no longer synchronized and cannot provide the time to other clients or update  the system clock. When a valid time stamp is received from a time service  provider, the time service will correct itself.   
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Open in new window

0
loftyworm
Asked:
loftyworm
  • 10
  • 8
1 Solution
 
oBdACommented:
May I ask why you configured all your clients to use an outside time source anyway?
AD already has a default time sync hierarchy in place, there is usually no need to change anything except letting the PDC emulator sync with an outside source. DCs will sync with the PDCe, members will sync with the DC authenticating them.
Undo the time service GPO for a test machine, and check if the normal time sync is working.
You can force a sync using
w32tm /resync
If the client has problems syncing, run the following commands on it to reset the time service to its default values:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
w32tm /resync

You can configure the PDCe using
w32tm /config /update /manualpeerlist:<ntp-server>,0x8 /syncfromflags:MANUAL
w32tm /resync
0
 
loftywormAuthor Commented:
It was a management decision.  I am trying to change minds, but I will see.

Why is the GPO not updating the correct keys?

I will try to reset it to defualt and see if it will at least look at the PDC
0
 
loftywormAuthor Commented:
what is the command to see what server it is looking at for the current time?
I used net time /querysntp before, and it returned time.windows.com,0x1

now I have reset it to defaults using the commands above, but not sure how to validate it is looking at the right place, the old command says;
This computer is not currently configured to use a specific SNTP server.
0
Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

 
oBdACommented:
The keys are configured correctly; the time service will simply give the entries in the "Policies" key priority if they are configured.
It's designed like that so that the policies can be set and revoked without having to change the default values of the restricted object.

If the machine is configured to use the domain hierarchy, the manually configured time server will NOT be used.
Enter
w32tm /dumpreg /subkey:parameters
and check the value for "Type"; this should be "NT5DS" for the domain hierarchy; NTP would be manual sync (assuming that the GPO doesn't apply anymore, because the policies have priority.
0
 
loftywormAuthor Commented:
So I am more confused now.  I can make the gpo, but it is ignored until I run a command?  Is there another GPO I can use to say "follow what I set in the GPO"

My fixed (now using hierarchy, not external source as my final goal) server has NT5DS

While an unfixed server also has NT5DS;
C:\Documents and Settings>w32tm /dumpreg /subkey:parameters

Value Name      Value Type          Value Data
-------------------------------------------------

ServiceMain     REG_SZ              SvchostEntry_W32Time
ServiceDll      REG_EXPAND_SZ       C:\WINDOWS\system32\w32time.dll
NtpServer       REG_SZ              time.windows.com,0x1
Type            REG_SZ              NT5DS


C:\Documents and Settings>net time /querysntp
The current SNTP value is: time.windows.com,0x1


0
 
oBdACommented:
Again: if the NTP service finds settings in the policies key, then those will override the default settings in HKLM\...\services\w32time\...
And whatever you get with "net time querysntp" is *ONLY* valid if the time service is *NOT* using the domain hierarchy. With a type of NT5DS, the NtpServer will be *ignored*.
0
 
loftywormAuthor Commented:
oBdA, Thank you for your continued effort on this, I am grateful.

I understand, but perhaps I am not expressing the problem correctly.

There *are* (GPO applied correctly) registry entries for HKLM\software\policies\Microsoft\W32time\Parameters
NtpServer        ntp.us.edu
Type                    NTP

*BUT*
The net time command is still returning time.windows.com *and* the type is still reported as NT5DS.
0
 
oBdACommented:
"net time" dates back to NT and will not look for the policy entries; and the type found in the \services\ key (as reported by /dumpreg) will be overridden with policy value. All the usual commands will only return the default values, not the ones from the policy.
0
 
loftywormAuthor Commented:
I ran the w32tm /dumpreg /subkey:parameters command on the problem server and it retuned this;
Value Name      Value Type          Value Data-------------------------------------------------ServiceMain     REG_SZ              SvchostEntry_W32TimeServiceDll      REG_EXPAND_SZ       C:\WINDOWS\system32\w32time.dllNtpServer       REG_SZ              time.windows.com,0x1Type            REG_SZ              NT5DS

This is the same server that has the proper reg values;
(GPO applied correctly) registry entries for HKLM\software\policies\Microsoft\W32time\Parameters
NtpServer        ntp.us.edu
Type                    NTP

0
 
oBdACommented:
That means that this server will manually update and contact ntp.us.edu to sync its time.
Note that if ntp.us.edu (can you actually resolve that name?) isn't a Windows time server, you might have to add ,0x8 at the end of the name, making it ntp.us.edu,0x8; the 0x8 tells the time service to access the time server in client mode.
0
 
loftywormAuthor Commented:
It is not a windows time source, it's linux.  I will add the 0x8 and get back to you tomorrow (HR work sucks :(  
0
 
loftywormAuthor Commented:
Ok, I changed the gpo to look at ntp.server.us,0x8
Still not working :(
I get this;
*******************************
C:\Documents and Settings\>net time /querysntp
The current SNTP value is: time.windows.com,0x1

The command completed successfully.
************************************
C:\Documents and Settings\>w32tm /dumpreg /subkey:parameters

Value Name      Value Type          Value Data
-------------------------------------------------

ServiceMain     REG_SZ              SvchostEntry_W32Time
ServiceDll      REG_EXPAND_SZ       C:\WINDOWS\system32\w32time.dll
NtpServer       REG_SZ              time.windows.com,0x1
Type            REG_SZ              NT5DS
***************************************
And the reg keys are HKLM\Software\polices\Microsoft\W32time\Parameters
************************************
NtpServer          ntp.server.edu,0x8
Type                   NTP
***********************************
0
 
oBdACommented:
Again: if you're using policies to configure the NTP server, the service settings ("/querysntp", "/dumpreg") have no meaning at all.
You either have a problem with your GPOs, or you're trying to obfuscate the server you're using, and doing so inconsistently.
> "Ok, I changed the gpo to look at ntp.server.us,0x8"
> "reg keys are HKLM\Software\polices\Microsoft\W32time\Parameters [...] ntp.server.edu,0x8
And I ask again: can you actually resolve ntp.server.edu / ntp.server.us to an IP address?
What happens when you run
w32tm /resync
Why don't you try the way Microsoft is implementing time sync by default, which guarantees that the domain members have the same time as the DCs, and leaves you with only one server to manually configured one single time?
0
 
loftywormAuthor Commented:
Again: if you're using policies to configure the NTP server, the service settings ("/querysntp", "/dumpreg") have no meaning at all.
I understand, let me explain why I am using it.  /querysntp will tell me if it is using a time server at all or the default Hierarchy, I tested this on another server.
I used /dumpreg as I thought you had said this is how you check to see NTP is set to, as the /querysntp is unreliable.  If this is not the case, How do I check if the server is using NTP, and what that NTP server is??
You either have a problem with your GPOs, or you're trying to obfuscate the server you're using, and doing so inconsistently.
DOH! yes, I was trying to obfuscate, and not doing such a  good job :)

> "Ok, I changed the gpo to look at ntp.server.us,0x8"
> "reg keys are HKLM\Software\polices\Microsoft\W32time\Parameters [...] ntp.server.edu,0x8
And I ask again: can you actually resolve ntp.server.edu / ntp.server.us to an IP address?
Yes, ntp.server.edu does resolve, and I am able to ping it with no issues.
What happens when you run
w32tm /resync
"Sending resync command to local computer..."
"The command completed successfully"
Why don't you try the way Microsoft is implementing time sync by default, which guarantees that the domain members have the same time as the DCs, and leaves you with only one server to manually configured one single time?
Management and buercracy.  My manager found it this way and does not want to change it, although, I am pushing to do this, as a best practice.  I hope I can, but at this point, I am being directed to "make it go".
0
 
oBdACommented:
Let me reiterate:
"net time /querysntp" will ONLY return a useful value IF AND ONLY IF
- the machine is NOT using the domain hierarchy
- the time settings are NOT configured through a GPO
"net time" is deprecated; don't use unless you know what to expect.

If "w32tm /resync" comes back clean, then the time service is configured, well, "correctly" in that it is able to set the time to something resembling the time on the ntp server. The actual results differ from how well the clients can access this server and are able to determine the lag caused by the network connection. These issues are drastically reduced when using a time server (namely the PDCe) that's in your LAN for the majority of your clients, and only sync this single server with an external source.
0
 
loftywormAuthor Commented:
Are you saying that;
because the Reg Key has a correct value, and the w32tm /resync worked, that the server is syncing with the configured time server?  How do I know what server it is syncing with?
0
 
oBdACommented:
You can check the System event log for source W32Time.
0
 
loftywormAuthor Commented:
OK, not sure how to work this one out, but my great thanks to oBdA for patience and time.
My question was how to get my time to sync with an NTP server, of which I was not able to get to work, BUT I did find the best practice for the domain is to set servers to look at the DC's and I was able to push a new GPO the reset all the servers.  In addition, the commands I was using during my testing were not telling me the whole truth, and to find out the current server you are syncing with, look in the event viewer after restarting the time service.

Thanks again to oBdA for all the hard work!
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

  • 10
  • 8
Tackle projects and never again get stuck behind a technical roadblock.
Join Now