Time going backward

3 weeks ago my time somehow set itself backward by exactly one day. This really messed up all the computers on the domain. I reset all computers on the domain using net time. When I came to work on Monday all of them were off by 1 day again. This has happened again this past weekend. I have scanned every server, and all computers on the network have antivirus protection that is kept up to date. The DCs are Windows 2003 Standard SP2; all other servers except one are 2003, 2008; one is 2000. Not sure if it has any bearing, but this seemed to have started after a MS update. Checking the logs, it appears we are starting to receive errors stating the time servers are offline.
don_bruessSystem AdministratorAsked:

Darius GhassemCommented:
Are any of the DCs Virtual Machines? Have you checked their time zones to make sure they are correct?
0
don_bruessSystem AdministratorAuthor Commented:
None of the DCs are virtual but I do have 5 virtual systems; however all of them are set to the correct time zone and time each time this happens.
0
Darius GhassemCommented:
Your PDC is the server that should be giving time out to your domain.

The reason why your VMs stay at the right time is because they are getting time sync from their host server which is technically wrong in a domain.
0

don_bruessSystem AdministratorAuthor Commented:
Actually all servers on the network read their time from the PDC, or its backup when it is not working. That seems to be the problem: the PDC or the backup is somehow having its time changed. This then starts changing all the systems. At some point, when the time is off enough, the error messages start to show too great a time difference between the reporting server and the network time.
0
Darius GhassemCommented:
So, are you sure that the time settings are configured properly on both of these machines? Is the correct time zone set?
0
don_bruessSystem AdministratorAuthor Commented:
Both the DCs show the correct time zone and correct time. But on the days when it has gone backward they show the correct time zone but 1 day earlier. It is like something changes the DC by 1 day.
0
arnoldCommented:
Double check where the time shift occurs and perhaps check the CMOS battery on that system.

The problem is that a 24 hour deviation is not possible. I think the sync will not work if the time deviates by an hour or more.
Double check your timezone as well as make sure that this is not being done through an errant GPO.
Are the Domain Controllers configured to sync with external sources?
Check the event logs to see if there is a w32time event that would shed light on when the adjustment and its source are seen.
0
Darius GhassemCommented:
Where do they get their time from?

Import this reg file into your system; this will configure your time settings for you.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23630502.html
0
don_bruessSystem AdministratorAuthor Commented:
If I look in the windows registry it shows time.windows.com,0x1
Type NT5DS and it is the same on both PDC and DC
0
Darius GhassemCommented:
They should be NTP
0
Darius GhassemCommented:
Your settings aren't correct. Import the registry file from the link provided; it will set up all the info for you correctly.
0
don_bruessSystem AdministratorAuthor Commented:
Which link are we talking about?
0
Darius GhassemCommented:
The EE link above.
0
DrDave242Commented:
One minor correction:  Only the PDC emulator should be set to NTP.  All other machines in the domain should be set to NT5DS.
0
don_bruessSystem AdministratorAuthor Commented:
Please excuse me for being slow. The EE at the top next to the search box does not seem to contain a link for me. It just switches between Google and EE.
0
don_bruessSystem AdministratorAuthor Commented:
Thanks for the link and I have now checked all the settings I think. But on Monday the clocks on the PDC and DC both were wrong. They read Sunday instead of Monday. I have been looking over the logs and it appears this time it happened on Friday in the earlier morning hours. I was not here on Friday so I did not find out until I came in on Monday. This blew all the clocks out and anything based on time was out of whack. This problem is driving me crazy and everyone else because the company's payroll clocks are on the network and it is showing people punching in on Sunday morning instead of Monday. I have verified which DC is the PDC and set it up using the script you sent. I then went back and reduced the max/min time that it can shift to only 3 hours. I am hoping that can alert me as to what is changing the time. The BDC is set to receive its time from the PDC which is not set to get its time from tock.usno.navy.mil with the ,0x1 at the end. Any further help would really be great.

Don
0
Darius GhassemCommented:
So, you did use the reg file?
0
don_bruessSystem AdministratorAuthor Commented:
Here is what was in the text file.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time]
"Description"="Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

"
"DisplayName"="Windows Time"
"ErrorControl"=dword:00000001
"FailureActions"=hex:05,00,00,00,00,00,00,00,00,00,00,00,02,00,00,00,64,00,20,\
  00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00
"Group"=""
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\
  00,65,00,00,00
"Objectname"="NT AUTHORITY\\LocalService"
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config]
"LastClockRate"=dword:0002625a
"MinClockRate"=dword:000260d4
"MaxClockRate"=dword:000263e0
"FrequencyCorrectRate"=dword:00000004
"PollAdjustFactor"=dword:00000005
"LargePhaseOffset"=dword:02faf080
"SpikeWatchPeriod"=dword:00000384
"HoldPeriod"=dword:00000005
"LocalClockDispersion"=dword:0000000a
"EventLogFlags"=dword:00000002
"PhaseCorrectRate"=dword:00000007
"MinPollInterval"=dword:00000006
"MaxPollInterval"=dword:0000000a
"UpdateInterval"=dword:00000064
"MaxNegPhaseCorrection"=dword:ffffffff
"MaxPosPhaseCorrection"=dword:ffffffff
"AnnounceFlags"=dword:00000005
"MaxAllowedPhaseOffset"=dword:0000012c

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"ServiceMain"="SvchostEntry_W32Time"
"ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,33,00,\
  32,00,74,00,69,00,6d,00,65,00,2e,00,64,00,6c,00,6c,00,00,00
"NtpServer"="tock.usno.navy.mil,0x1"
"Type"="NTP"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,8d,00,02,00,01,01,00,00,00,00,00,\
  05,0b,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,9d,00,00,00,01,01,00,00,00,00,00,05,04,00,00,00,00,\
  00,18,00,9d,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,21,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient]
"Enabled"=dword:00000001
"InputProvider"=dword:00000001
"AllowNonstandardModeCombinations"=dword:00000001
"CrossSiteSyncFlags"=dword:00000002
"ResolvePeerBackoffMinutes"=dword:0000000f
"ResolvePeerBackoffMaxTimes"=dword:00000007
"CompatibilityFlags"=dword:80000000
"EventLogFlags"=dword:00000001
"LargeSampleSkew"=dword:00000003
"DllName"="C:\\WINDOWS\\system32\\w32time.dll"
"SpecialPollTimeRemaining"=hex(7):00,00
"SpecialPollInterval"=dword:00000e10

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer]
"InputProvider"=dword:00000000
"AllowNonstandardModeCombinations"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\w32time.dll"
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Enum]
"0"="Root\\LEGACY_W32TIME\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

0
don_bruessSystem AdministratorAuthor Commented:
I think part of my paste of the txt file was cut off. But it is from the file titled "SetPDCTime-To-Tok.usno.navy.mil". My only question was in the file it set the server to Tock.unso.navy.mil which differs from the title of the txt file.

Don
0
arnoldCommented:
tock is a valid NTP, but you may want to use ntp.org to locate another suitable NTP server or pool of servers.

Double check the timezone setting on the PDC. A shift this large does not sound right; I think the normal adjustment is limited to a difference of 15 hours or less. Yours sounds like a 24-hour shift.
http://technet.microsoft.com/en-us/library/cc749145%28WS.10%29.aspx

0
don_bruessSystem AdministratorAuthor Commented:
I checked the PDC to verify it is set to the correct time zone and auto adjust for DST. I changed the maxposphasecorrection and limited it to 3600 as well as the maxnegphasecorrection. I am hoping something will show up in the error logs that might give me a clue here. If this change is not a good idea let me know.
The time shift is exactly a 24-hour shift, just as if daylight savings time was causing it. My PDC is a 2003 Standard, fully patched. I only have 2 2000 servers left and they are doing very minor things.
0
arnoldCommented:
It sounds as though the alteration is manual.
Look through the w32time events on the PDC to see whether there is an error/warning dealing with the first time the system could not be resynced because of the large difference in the current time on the NTP server versus on the system.

How many people have admin access to the DC's directly or via rdp?
0
don_bruessSystem AdministratorAuthor Commented:
I will shut down all remote work for this coming weekend and see if the problem is still there on Monday. I do not want to block time on the firewall since that is the sync spot, so I will allow all normal traffic and just turn off remote access. Prior to my changing the max pos/neg settings they were set to a huge number which I could not figure out in days/months what it was. I will also verify the times are correct prior to my leaving for the weekend.

0
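The "huge number" is the `ffffffff` in the posted export: for W32Time, `MaxNegPhaseCorrection`/`MaxPosPhaseCorrection` set to 0xFFFFFFFF means a correction of any size is applied. An added example (not part of the original thread) that audits a `.reg` export for this; the excerpt values are copied from the post above, while the function names and the 3600-second threshold (the value don_bruess chose) are assumptions of the example.

```python
import re

# Excerpt of the export posted in the thread (values copied from the page).
REG_EXCERPT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config]
"MaxNegPhaseCorrection"=dword:ffffffff
"MaxPosPhaseCorrection"=dword:ffffffff
"MaxAllowedPhaseOffset"=dword:0000012c

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"NtpServer"="tock.usno.navy.mil,0x1"
"Type"="NTP"
'''

UNLIMITED = 0xFFFFFFFF  # W32Time: accept a correction of any size

def parse_reg(text):
    """Return {key_path: {value_name: int | str}} for dword and string values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            # hex:... values and their continuation lines are skipped on purpose
            m = re.match(r'"([^"]+)"=(dword:([0-9a-fA-F]{8})|"(.*)")$', line)
            if m:
                current[m.group(1)] = int(m.group(3), 16) if m.group(3) else m.group(4)
    return keys

def audit(text, max_seconds=3600):
    """List phase-correction limits that are unlimited or looser than max_seconds."""
    findings = []
    for path, values in parse_reg(text).items():
        if not path.endswith(r"W32Time\Config"):
            continue
        for name in ("MaxNegPhaseCorrection", "MaxPosPhaseCorrection"):
            v = values.get(name)
            if v == UNLIMITED:
                findings.append(f"{name}: unlimited, a 24-hour step would be accepted")
            elif v is not None and v > max_seconds:
                findings.append(f"{name}: {v} s ({v / 3600:.1f} h) exceeds {max_seconds} s")
    return findings

if __name__ == "__main__":
    for finding in audit(REG_EXCERPT):
        print(finding)
```

With a finite limit in place, a source offering a time that is a full day off is rejected and logged by W32Time instead of being applied silently.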
arnoldCommented:
How many NTP servers were defined? Sometimes the default 15-hour limit deals with preventing a sync with an errant NTP server that is way out of date. I.e. someone's NTP server's time was not updated for the 2000 two digit rollover or there was human entry error.
0
don_bruessSystem AdministratorAuthor Commented:
Only one is currently listed..
0
arnoldCommented:
The exact 24 hour shift suggests human intervention.
0
don_bruessSystem AdministratorAuthor Commented:
Are there any viruses, trojans or whatever geared to do anything similar? I am having trouble with thinking it might be malicious. If it is they must know the amount of trouble it is causing. I am locking down all RDP except my Terminal Servers.
0
arnoldCommented:
This could have been inadvertent i.e. looked at the calendar and mistakenly clicked on the prior date and hit/ok.
0
don_bruessSystem AdministratorAuthor Commented:
But three weekends in a row is pushing the limit on not paying attention.
0
arnoldCommented:
See if it happens again this week. Check whether you have a task scheduled to run on the system.
Trying to detect the issue could be difficult. An option could be to try and narrow down when this occurs, i.e. use a Windows scheduled task to run every 10 minutes that will output date and time:
echo %DATE% %TIME% >> somefile.

Then should the time shift again, you will have a dataset of within which time window this change occurred which will narrow your search.  I.e. do you have SQL that might be used to inject a command that resets/adjusts the time, etc.
0
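The timestamp log suggested above narrows the search once it is scanned for discontinuities. An added example (not part of the original thread) that reads such a log and reports each pair of samples between which the clock stepped; the sample lines are constructed, the US-English `%DATE% %TIME%` output format is assumed, and the function names are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample of the 10-minute log (US-English %DATE% %TIME% format assumed).
SAMPLE_LOG = """\
Fri 03/12/2010  2:40:00.05
Fri 03/12/2010  2:50:00.07
Thu 03/11/2010  3:00:00.04
Thu 03/11/2010  3:10:00.06
"""

def parse_line(line):
    """Parse 'Ddd MM/DD/YYYY H:MM:SS.cc'; the hour may be space-padded."""
    _, date, time = line.split()
    return datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S.%f")

def find_jumps(log_text, interval=timedelta(minutes=10),
               tolerance=timedelta(minutes=2)):
    """Return (last_good, first_after, step) for every pair of consecutive
    samples whose spacing differs from the task interval by more than
    the tolerance. A negative step means the clock went backward."""
    samples = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    jumps = []
    for prev, cur in zip(samples, samples[1:]):
        step = (cur - prev) - interval
        if abs(step) > tolerance:
            jumps.append((prev, cur, step))
    return jumps

if __name__ == "__main__":
    for last_good, first_after, step in find_jumps(SAMPLE_LOG):
        hours = step.total_seconds() / 3600
        print(f"clock stepped {hours:+.1f} h between {last_good} and {first_after}")
```

The reported window is the range to search in the Security and System event logs and the scheduled-task history; a positive step can also simply mean the machine was off or the task did not run.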
don_bruessSystem AdministratorAuthor Commented:
Good idea on the time/date stamp. I will set it to run. As far as SQL, I do have SQL running on several servers but none of them should be involved with the PDC or DC. SQL is being run from other servers.
0
