Solved

NTP Windows 2003 not working.

Posted on 2009-04-14
18
674 Views
Last Modified: 2012-05-06
ok,  have a weird one.
 have set the GPO to look at our time server, all servers are supposed to look at ntp.us.edu
But I started getting lots of these id:50 errors on all our servers (below).
Turns out they are all looking at time.windows.com, the default!
So I checked with rsop.msc and gpresult, and the servers ARE getting and applying the GPO.
Looking online, everything I see says that the registry needs to be modified at HKLM\services\w32time.  But my adm file is modifying HKLM\software\Policies\W32time.

So I thought my adm file was corrupted and wrong, but when I loaded a bran new test domain and looked at the adm files, they also look at HKLM\software\Policies\W32time.

I am so confused, and google is not helping, can anyone help me out?
Event Type:	Warning

Event Source:	W32Time

Event Category:	None

Event ID:	50

Date:		4/13/2009

Time:		10:31:25 AM

User:		N/A

Computer:	SERVER

Description:

The time service detected a time difference of greater than 128 milliseconds  for 90 seconds. The time difference might be caused by synchronization with  low-accuracy time sources or by suboptimal network conditions. The time service is no longer synchronized and cannot provide the time to other clients or update  the system clock. When a valid time stamp is received from a time service  provider, the time service will correct itself.   
 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Open in new window

0
Comment
Question by:loftyworm
  • 10
  • 8
18 Comments
 
LVL 83

Expert Comment

by:oBdA
ID: 24141028
May I ask why you configured all your clients to use an outside time source anyway?
AD already has a default time sync hierarchy in place, there is usually no need to change anything except letting the PDC emulator sync with an outside source. DCs will sync with the PDCe, members will sync with the DC authenticating them.
Undo the time service GPO for a test machine, and check if the normal time sync is working.
You can force a sync using
w32tm /resync
If the client has problems syncing, run the following commands on it to reset the time service to its default values:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
w32tm /resync

You can configure the PDCe using
w32tm /config /update /manualpeerlist:<ntp-server>,0x8 /syncfromflags:MANUAL
w32tm /resync
0
 
LVL 11

Author Comment

by:loftyworm
ID: 24141108
It was a management decision.  I am trying to change minds, but I will see.

Why is the GPO not updating the correct keys?

I will try to reset it to defualt and see if it will at least look at the PDC
0
 
LVL 11

Author Comment

by:loftyworm
ID: 24141675
what is the command to see what server it is looking at for the current time?
I used net time /querysntp before, and it returned time.windows.com,0x1

now I have reset it to defaults using the commands above, but not sure how to validate it is looking at the right place, the old command says;
This computer is not currently configured to use a specific SNTP server.
0
 
LVL 83

Expert Comment

by:oBdA
ID: 24142971
The keys are configured correctly; the time service will simply give the entries in the "Policies" key priority if they are configured.
It's designed like that so that the policies can be set and revoked without having to change the default values of the restricted object.

If the machine is configured to use the domain hierarchy, the manually configured time server will NOT be used.
Enter
w32tm /dumpreg /subkey:parameters
and check the value for "Type"; this should be "NT5DS" for the domain hierarchy; NTP would be manual sync (assuming that the GPO doesn't apply anymore, because the policies have priority.
0
 
LVL 11

Author Comment

by:loftyworm
ID: 24150634
So I am more confused now.  I can make the gpo, but it is ignored until I run a command?  Is there another GPO I can use to say "follow what I set in the GPO"

My fixed (now using hierarchy, not external source as my final goal) server has NT5DS

While an unfixed server also has NT5DS;
C:\Documents and Settings>w32tm /dumpreg /subkey:parameters

Value Name      Value Type          Value Data
-------------------------------------------------

ServiceMain     REG_SZ              SvchostEntry_W32Time
ServiceDll      REG_EXPAND_SZ       C:\WINDOWS\system32\w32time.dll
NtpServer       REG_SZ              time.windows.com,0x1
Type            REG_SZ              NT5DS


C:\Documents and Settings>net time /querysntp
The current SNTP value is: time.windows.com,0x1


0
 
LVL 83

Expert Comment

by:oBdA
ID: 24152887
Again: if the NTP service finds settings in the policies key, then those will override the default settings in HKLM\...\services\w32time\...
And whatever you get with "net time querysntp" is *ONLY* valid if the time service is *NOT* using the domain hierarchy. With a type of NT5DS, the NtpServer will be *ignored*.
0
 
LVL 11

Author Comment

by:loftyworm
ID: 24153068
oBdA, Thank you for your continued effort on this, I am grateful.

I understand, but perhaps I am not expressing the problem correctly.

There *are* (GPO applied correctly) registry entries for HKLM\software\policies\Microsoft\W32time\Parameters
NtpServer        ntp.us.edu
Type                    NTP

*BUT*
The net time command is still returning time.windows.com *and* the type is still reported as NT5DS.
0
 
LVL 83

Expert Comment

by:oBdA
ID: 24153185
"net time" dates back to NT and will not look for the policy entries; and the type found in the \services\ key (as reported by /dumpreg) will be overridden with policy value. All the usual commands will only return the default values, not the ones from the policy.
0
 
LVL 11

Author Comment

by:loftyworm
ID: 24153271
I ran the w32tm /dumpreg /subkey:parameters command on the problem server and it retuned this;
Value Name      Value Type          Value Data-------------------------------------------------ServiceMain     REG_SZ              SvchostEntry_W32TimeServiceDll      REG_EXPAND_SZ       C:\WINDOWS\system32\w32time.dllNtpServer       REG_SZ              time.windows.com,0x1Type            REG_SZ              NT5DS

This is the same server that has the proper reg values;
(GPO applied correctly) registry entries for HKLM\software\policies\Microsoft\W32time\Parameters
NtpServer        ntp.us.edu
Type                    NTP

0
 
LVL 83

Expert Comment

by:oBdA
ID: 24163484
That means that this server will manually update and contact ntp.us.edu to sync its time.
Note that if ntp.us.edu (can you actually resolve that name?) isn't a Windows time server, you might have to add ,0x8 at the end of the name, making it ntp.us.edu,0x8; the 0x8 tells the time service to access the time server in client mode.
0
 
LVL 11

Author Comment

by:loftyworm
ID: 24163793
It is not a windows time source, it's linux.  I will add the 0x8 and get back to you tomorrow (HR work sucks :(  
0
 
LVL 11

Author Comment

by:loftyworm
ID: 24189699
Ok, I changed the gpo to look at ntp.server.us,0x8
Still not working :(
I get this;
*******************************
C:\Documents and Settings\>net time /querysntp
The current SNTP value is: time.windows.com,0x1

The command completed successfully.
************************************
C:\Documents and Settings\>w32tm /dumpreg /subkey:parameters

Value Name      Value Type          Value Data
-------------------------------------------------

ServiceMain     REG_SZ              SvchostEntry_W32Time
ServiceDll      REG_EXPAND_SZ       C:\WINDOWS\system32\w32time.dll
NtpServer       REG_SZ              time.windows.com,0x1
Type            REG_SZ              NT5DS
***************************************
And the reg keys are HKLM\Software\polices\Microsoft\W32time\Parameters
************************************
NtpServer          ntp.server.edu,0x8
Type                   NTP
***********************************
0
 
LVL 83

Expert Comment

by:oBdA
ID: 24197210
Again: if you're using policies to configure the NTP server, the service settings ("/querysntp", "/dumpreg") have no meaning at all.
You either have a problem with your GPOs, or you're trying to obfuscate the server you're using, and doing so inconsistently.
> "Ok, I changed the gpo to look at ntp.server.us,0x8"
> "reg keys are HKLM\Software\polices\Microsoft\W32time\Parameters [...] ntp.server.edu,0x8
And I ask again: can you actually resolve ntp.server.edu / ntp.server.us to an IP address?
What happens when you run
w32tm /resync
Why don't you try the way Microsoft is implementing time sync by default, which guarantees that the domain members have the same time as the DCs, and leaves you with only one server to manually configured one single time?
0
 
LVL 11

Author Comment

by:loftyworm
ID: 24197365
Again: if you're using policies to configure the NTP server, the service settings ("/querysntp", "/dumpreg") have no meaning at all.
I understand, let me explain why I am using it.  /querysntp will tell me if it is using a time server at all or the default Hierarchy, I tested this on another server.
I used /dumpreg as I thought you had said this is how you check to see NTP is set to, as the /querysntp is unreliable.  If this is not the case, How do I check if the server is using NTP, and what that NTP server is??
You either have a problem with your GPOs, or you're trying to obfuscate the server you're using, and doing so inconsistently.
DOH! yes, I was trying to obfuscate, and not doing such a  good job :)

> "Ok, I changed the gpo to look at ntp.server.us,0x8"
> "reg keys are HKLM\Software\polices\Microsoft\W32time\Parameters [...] ntp.server.edu,0x8
And I ask again: can you actually resolve ntp.server.edu / ntp.server.us to an IP address?
Yes, ntp.server.edu does resolve, and I am able to ping it with no issues.
What happens when you run
w32tm /resync
"Sending resync command to local computer..."
"The command completed successfully"
Why don't you try the way Microsoft is implementing time sync by default, which guarantees that the domain members have the same time as the DCs, and leaves you with only one server to manually configured one single time?
Management and buercracy.  My manager found it this way and does not want to change it, although, I am pushing to do this, as a best practice.  I hope I can, but at this point, I am being directed to "make it go".
0
 
LVL 83

Expert Comment

by:oBdA
ID: 24197826
Let me reiterate:
"net time /querysntp" will ONLY return a useful value IF AND ONLY IF
- the machine is NOT using the domain hierarchy
- the time settings are NOT configured through a GPO
"net time" is deprecated; don't use unless you know what to expect.

If "w32tm /resync" comes back clean, then the time service is configured, well, "correctly" in that it is able to set the time to something resembling the time on the ntp server. The actual results differ from how well the clients can access this server and are able to determine the lag caused by the network connection. These issues are drastically reduced when using a time server (namely the PDCe) that's in your LAN for the majority of your clients, and only sync this single server with an external source.
0
 
LVL 11

Author Comment

by:loftyworm
ID: 24197981
Are you saying that;
because the Reg Key has a correct value, and the w32tm /resync worked, that the server is syncing with the configured time server?  How do I know what server it is syncing with?
0
 
LVL 83

Accepted Solution

by:
oBdA earned 500 total points
ID: 24199613
You can check the System event log for source W32Time.
0
 
LVL 11

Author Comment

by:loftyworm
ID: 24229439
OK, not sure how to work this one out, but my great thanks to oBdA for patience and time.
My question was how to get my time to sync with an NTP server, of which I was not able to get to work, BUT I did find the best practice for the domain is to set servers to look at the DC's and I was able to push a new GPO the reset all the servers.  In addition, the commands I was using during my testing were not telling me the whole truth, and to find out the current server you are syncing with, look in the event viewer after restarting the time service.

Thanks again to oBdA for all the hard work!
0

Join & Write a Comment

#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now