

Configure time service in Server 2008/03 domain

We have a Server 2008 pdc with two virtual servers installed running Server 2003; all our clients are XPPro/SP3. The time for our domain servers and clients is off about 4 minutes. Here is the result of a net time /querysntp cmd on the pdc: time.windows.com,0x9. The same cmd on the other two servers returns this on both:  time.windows.com,0x1. What I thought interesting was that when I run that command on my client, it returns the ip address of our firewall router; but, the time on the router is correct where the time on my client is not.

I know messing around with time settings on servers can cause problems in a domain. Can someone help with the proper way to configure our domain time services so everything is on the correct time? Also, can anyone tell me what the 0x1 & 0x9 represent? Just curious.

Thx!
0
Asked by: ipsbend
 
oBdA Commented:
The only machine you need to correct this on should be the PDC emulator. This is the only machine on which "net time /querysntp" should return something useful, because the clients should be using the domain hierarchy to sync with the DC authenticating them, in which case they'll ignore a manually configured time server (and DCs will sync with the PDCe).
Check the value "Type" in HKLM\System\CurrentControlSet\Services\W32Time\Parameters. This should be NT5DS on all members and DC except the PDCe, on which it should be NTP.
To configure the PDCe to use your router as time server, open a command prompt and enter
w32tm /config /manualpeerlist:1.2.3.4,0x8
(obviously replacing 1.2.3.4 with your router's IP).
The 0x9 in your current configuration would tell the time service to send requests in client mode, and use SpecialInterval.
Check this article for the different values (it's a bitmask, you have to add the values of the features you need):
Time synchronization may not succeed when you try to synchronize with a non-Windows NTP server in Windows Server 2003
http://support.microsoft.com/kb/875424
0
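A read-only check of the points in the answer above, as an added example that is not part of the original thread: it decodes the flag bitmask after each peer in the NtpServer value and compares the Type value with what the machine's role calls for. It assumes a single-domain forest and PowerShell 2.0 or later; the function name ConvertFrom-NtpPeerList is made up for this example.

```powershell
# Added example (not from the thread): audit W32Time on the local machine.
# Assumes a single-domain forest, so the domain's PDC emulator is the root time source.

function ConvertFrom-NtpPeerList {   # hypothetical helper name
    param([string]$PeerList)
    # NtpServer flag bitmask as documented in KB 875424
    $flagNames = @{ 1 = 'SpecialInterval'; 2 = 'UseAsFallbackOnly'
                    4 = 'SymmetricActive'; 8 = 'Client' }
    # Peers are space-separated; each may carry ",0x<flags>"
    foreach ($entry in ($PeerList -split '\s+' | Where-Object { $_ })) {
        $peer, $flagText = $entry -split ',', 2
        $flags = 0
        if ($flagText) { $flags = [Convert]::ToInt32($flagText, 16) }
        $names = $flagNames.Keys | Sort-Object |
            Where-Object { $flags -band $_ } | ForEach-Object { $flagNames[$_] }
        New-Object PSObject -Property @{
            Peer = $peer; Flags = ('0x{0:x}' -f $flags); Meaning = ($names -join ', ')
        }
    }
}

$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
$local  = Get-ItemProperty -Path $key
$gpo    = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue

# Find the PDC emulator from AD and compare it with this machine's FQDN
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
$pdce   = $domain.PdcRoleOwner.Name
$self   = [System.Net.Dns]::GetHostEntry('').HostName
$isPdce = ($pdce -ieq $self)

# Per the answer above: NTP on the PDC emulator, NT5DS everywhere else
$expected = if ($isPdce) { 'NTP' } else { 'NT5DS' }
"PDC emulator : $pdce (this machine: $isPdce)"
"Type         : $($local.Type) (expected $expected)"
if ($local.Type -ne $expected) {
    Write-Warning "Type does not match this machine's role."
}
if ($gpo -and $gpo.Type) {
    Write-Warning "Group Policy sets Type to $($gpo.Type); it takes precedence over the local value."
}
ConvertFrom-NtpPeerList $local.NtpServer | Format-Table Peer, Flags, Meaning -AutoSize
```

Run against the values quoted in the question, the decoder reports 0x9 as SpecialInterval plus Client and 0x1 as SpecialInterval alone.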
 
ipsbend (Author) Commented:
Thank you oBdA. Quick question: our pdc's reg key shows NT5DS as the type. How do I know that our pdc is the emulator in our domain? When I log into the server 2008 machine and look at roles, I do not see PDCe specifically. I see these roles: AD/DS, DHCP server, DNS server, File Services, Hyper-V, Network Policy and Access Services, & Web Server (IIS). Thx!
0
 
oBdA Commented:
There is no "PDC" in an AD domain, there are only the 5 FSMO roles, one of which being PDC Emulator.
In the GUI, you can use ADUC to find the PDCe; start the ADUC MMC, and in the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Master:
How to view and transfer FSMO roles in Windows Server 2003
http://support.microsoft.com/kb/324801

From the command line, run
netdom query fsmo
0

 
ipsbend (Author) Commented:
The netdom command on the 2008 server returns this:

Schema master               servername.domainname.local
Domain naming master        servername.domainname.local
PDC                        servername.domainname.local
RID pool manager            servername.domainname.local
Infrastructure master      servername.domainname.local

Run on the other two, I get this error: 'netdom' is not recognized as an internal or external command, operable program or batch file.
0
 
oBdA Commented:
netdom.exe for W2k3 is part of the Support Tools, but this information is AD wide, so it's enough to run it on one DC (unless you have replication problems ...)
Windows Server 2003 Service Pack 2 32-bit Support Tools
http://www.microsoft.com/downloads/details.aspx?FamilyID=96a35011-fd83-419d-939b-9a772ea2df90

Anyway, your "main" time server is the one behind "PDC". If the "Type" entry on this machine is still NT5DS, it wasn't updated during the transfer of the role (that happens).
Open a command prompt on this machine, enter

net stop w32time
w32tm /unregister
w32tm /register
net start w32time

This will reset the time service to its default values (it recognizes if the machine is the PDCe); this helps with most time service related problems, btw. The "Type" entry on servername.domainname.local should now be NTP.
Then run the command from above again, and finally start a sync to check if it works okay:
w32tm /config /manualpeerlist:1.2.3.4,0x8
w32tm /resync
0
 
ipsbend (Author) Commented:
Thanks! Before I run this, you had mentioned previously that to use router as time service I would use this command: w32tm /config /manualpeerlist:1.2.3.4,0x8, where 1.2.3.4 is the IP for our router. Is it good practice to use our firewall router for our time server?
0
 
oBdA Commented:
If your router has the correct time and/or is syncing itself with a hardware clock or an external ntp server, and if it offers NTP, then you can certainly use it.
Otherwise check this article and pick a time server near you:
A list of the Simple Network Time Protocol (SNTP) time servers that are available on the Internet
http://support.microsoft.com/kb/262680
Or this:
NTP Pool Project > How do I use pool.ntp.org?
http://www.pool.ntp.org/en/use.html

If you're syncing with an external time server, note that the sync uses UDP port 123, your firewall needs to allow outbound connections to the ntp server on this port.
0
 
ipsbend (Author) Commented:
We have a SonicWall router, TZ190 Wireless Enhanced. Off-hand, do you know where I go to allow that outbound connection? I've gone to the system help manual but can't find instructions. Would it be under "Access Rules"? No worries if you're not familiar with this system; I can research it.
0
 
oBdA Commented:
Nope, but you can just try if the sync works without further configuration; most routers allow all outbound connections by default.
0
 
oBdA Commented:
Oh, and I forgot a parameter for the /config commands, sorry; add an /update at the end to inform the time service that the configuration has changed.
w32tm /config /manualpeerlist:1.2.3.4,0x8 /update
For the commands you may already have run, a simple
w32tm /update
should do it.
0
 
ipsbend (Author) Commented:
Thanks! Caught me just in time before running those commands. After running these:

net stop w32time
w32tm /unregister
w32tm /register
net start w32time

The type still shows as NT5DS. Does it take a bit to refresh? I refreshed the view and also closed the registry and reopened it.
0
 
oBdA Commented:
Is that your only DC, or is one or both of the others a DC as well?
0
 
ipsbend (Author) Commented:
We just got this new server and I think the old dc is still online. I did check the type for that one as well and it was NT5DS. I've been on all the servers all morning running these time commands so maybe I'm getting that wrong. I'll log in to it again and re-check.
0
 
ipsbend (Author) Commented:
So, I was wrong. The type on the old server is NTP. I don't want this to be the time server. I haven't demoted it because I don't know how yet.
0
 
ipsbend (Author) Commented:
But when I ran the netdom query fsmo command on the old dc (server1), it showed the PDC as being the new server (server4), which is as it should be.
0
 
ipsbend (Author) Commented:
I've never removed a dc from a domain. Do I follow the instructions here: http://technet.microsoft.com/en-us/library/cc771844.aspx#BKMK_remove_domain_interface, to remove it? server1 does not hold any roles but I need it available to access old files.
0
 
oBdA Commented:
If you're sure that the new machine is the PDC emulator, run
w32tm /config /syncfromflags:MANUAL /update
on the machine, that will change it to manual.
Then run a
w32tm /resync
to check if it's syncing correctly.
Accordingly, you could force the W2k3 machine to use the domain hierarchy:
w32tm /config /syncfromflags:DOMHIER /update

The article is for Server 2008; if I understood you correctly, you want to demote a Server 2003:
Demote a domain controller
http://technet.microsoft.com/en-us/library/cc740017.aspx
0
 
ipsbend (Author) Commented:
Server1 does not hold any roles and yes, demoting is what I want to do. I don't need it as a dc but need it available for me to access. I've been waiting to remove it as a dc because I didn't know how to do it.

This is the error I received when running the resync command on server4:

Sending resync command to local computer
The computer did not resync because no time data was available.
0
 
ipsbend (Author) Commented:
Sorry, ignore my previous post; I missed a step.
0
 
ipsbend (Author) Commented:
I ran this command successfully: w32tm /config /syncfromflags:MANUAL /update

but still got this error message when running w32tm /resync:

"Sending resync command to local computer
The computer did not resync because no time data was available."
0
 
ipsbend (Author) Commented:
I demoted the old server (server1) and tried running these commands again on the pdc (server4):

net stop w32time
w32tm /unregister
w32tm /register
net start w32time

The type on server4 is still listed as NT5DS. Can I change this manually in the registry or is there a command that will change it?
0
 
oBdA Commented:
The command from above should have done this:
w32tm /config /syncfromflags:MANUAL /update
You can try to change it manually to NTP, then restart the time service:
net stop w32time & net start w32time
Additionally, run a GPO report in the GPMC and check if there is a policy configuring all machines to use NT5DS (it's in Administrative Templates\System\Windows Time Service\Time Providers).
0
 
ipsbend (Author) Commented:
It appears I was successful at manually changing type to NTP and I restarted the time service. The GPO policies for those keys are not configured. So, I should be set now to run these, correct?:

w32tm /config /manualpeerlist:1.2.3.4,0x8
w32tm /resync
0
 
oBdA Commented:
Exactly.
0
 
ipsbend (Author) Commented:
The first command ran successfully but I'm still getting the same resync error. These are the steps I did today, did I miss something?:

1. Demoted old server
2. On new server, manually changed the type from NT5DS to NTP
3. Ran these commands successfully:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
4. Ran this command successfully: w32tm /config /manualpeerlist:pool.ntp.org,0x8
5. Got an error when I ran this command: w32tm /resync
error:
Sending resync command to local computer
The computer did not resync because no time data was available.
0
 
ipsbend (Author) Commented:
One other thing that occurred to me; I downloaded and installed Microsoft updates yesterday morning before starting all this but haven't had a chance to restart the server. Could that be the problem?
0
 
ipsbend (Author) Commented:
Hi oBdA, I ran the time set up instructions found in this EE post: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_23499409.html?sfQueryTermInfo=1+10+2008+avail+becaus+comput+data+did+resync+server+time. Almost identical to what you told me to do, the exception was this command: net time /setsntp:time.windows.com (I used time.nist.gov instead as suggested in referred post).

I was able to run the resync command with no errors. The server is now on the correct time. Anyway, I don't know if it was changing the time server or the additional command that fixed it; doesn't matter it's working now :-).

Another question: I had to resync my client manually to get it to match the server time. Will the other clients resync at some point automatically or will I have to run a command on them at the station?
0
 
oBdA Commented:
"net time /setsntp" should do the same thing as "w32tm /config /manualpeerlist" (that is, write the "ntpserver" value in the Parameters key), but seeing as the type couldn't be changed with w32tm either, there might be a slight problem with w32tm and/or its communication with the time service, for whatever reason.
Anyway, your clients should be syncing automatically (if they're set to NT5DS), just give them a bit of time; the time service only checks periodically.
0
 
ipsbend (Author) Commented:
I just noticed that I left out the /update config parameter when I ran the w32tm /config commands. Maybe that's what I was doing wrong?
0
 
oBdA Commented:
Yes, that would be a reason, too; without the /update, the time service isn't notified that w32tm changed the configuration and that it should be reloaded. The time service restart, without the "net time /setsntp", would then probably have done it as well.
0
 
ipsbend (Author) Commented:
You were terrific and your patience was greatly appreciated. Thanks so much for your help!
0
