Cisco NTP not proving timely updates to windows domain controllers


I have two Win2003 domain controllers. They are receiving the same NTP error. The error from the Windows DC's is shown in the attached image. The NTP router is

Below is my NTP router configuration for NTP along with the sh status from NTP. My two DC's are shown as and

Could someone tell me what I'm doing wrong?

MPLS#sh ntp status
Clock is synchronized, stratum 2, reference is
nominal freq is 250.0000 Hz, actual freq is 249.9934 Hz, precision is 2**24
reference time is D1482B4B.01228D79 (08:23:39.004 EST Thu Apr 7 2011)
clock offset is 1.2403 msec, root delay is 16.77 msec
root dispersion is 40.38 msec, peer dispersion is 18.68 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000026287 s/s
system poll interval is 1024, last update was 1609 sec ago.
MPLS-HQ#sh ntp associations

  address         ref clock       st   when   poll reach  delay  offset   disp      3  76524  32768    14  0.000 -190.28 17.254     .INIT.          16 605566  32768     0  0.000   0.000 15937.
*~    .ACTS.           1    591   1024   377 16.779   1.240 18.680    .INIT.          16      -   1024     0  0.000   0.000 15937.    .INIT.          16      -   1024     0  0.000   0.000 15937.    .INIT.          16      -   1024     0  0.000   0.000 15937.
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

MPLS-HQ#sh run | include ntp
ntp update-calendar
ntp server

First LastAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Marius GunnerudSenior Systems EngineerCommented:
Have a look at this link, perhaps there is something that can help you:
First LastAuthor Commented:
That didn't help very much, but from there I did find this article. It seems to have cleared things up in my event log.

Does anyone know how to remove the duplicate unconfigured addresses in bold from the list below?

MPLS-HQ#show ntp association

  address         ref clock       st   when   poll reach  delay  offset   disp
 ~     .LOCL.           7      3     16   377  0.000   0.000  0.238
 ~     .INIT.          16      -   1024     0  0.000   0.000 15937.      3  84421  32768    14  0.000 -190.28 17.254
 ~     .INIT.          16      -   1024     0  0.000   0.000 15937.     .INIT.          16 613463  32768     0  0.000   0.000 15937.
*~    .ACTS.           1    100    256   377 15.336  56.714 11.373
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
The star (*) displayed next to the configured (~) peer indicates the router is synchronized with that IP, which is incorrect in your instance, I think
But for some reason you have a bunch of other NTP associations.  They are configured as indicated by the ~
You might want to no that server out.  no ntp server

Configuring NTP Associations
An NTP association can be a peer association (meaning that this system is willing to either synchronize to the other system or to allow the other system to synchronize to it), or it can be a server association (meaning that only this system will synchronize to the other system, and not the other way around). If you want to form an NTP association with another system, use one of the following commands in global configuration mode:

 Command  Purpose  
ntp peer ip-address [normal-sync][version number] [key keyid] [source interface] [prefer]
 Forms a peer association with another system.
ntp server ip-address [version number] [key keyid] [source interface] [prefer]
 Forms a server association with another system.

I'm confused what you want to do - if your NTP server is supposed to be your two DC's then you need to remove all the other stuff out of there.  
Protecting & Securing Your Critical Data

Considering 93 percent of companies file for bankruptcy within 12 months of a disaster that blocked access to their data for 10 days or more, planning for the worst is just smart business. Learn how Acronis Backup integrates security at every stage

actually, I think you can delete all NTP programing by doing
(config)#clear ntp

First LastAuthor Commented:
atrevido, is where I'm trying to get my time. It is a NIST Internet Time Service. and are my two Windows DC's. I want those two DC's to go to my router to retrieve their time. From there I use Group Policy to push the time out to the computers.
First LastAuthor Commented:
I'm not having any luck removing the two last associations:

MPLS-HQ(config)#do show ntp association

  address         ref clock       st   when   poll reach  delay  offset   disp      3  92689  32768    14  0.000 -190.28 17.254     .INIT.          16 621731  32768     0  0.000   0.000 15937.
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
To stop the router from picking up stray time sources, use the prefer option:
ntp server prefer
#clear ntp
#ntp server prefer
#ntp master

Wait a couple minutes and then do show ntp status and show ntp association
You should now see the  * beside the 64.90.782.55 address, this means its synced and good
Then you should see your DC's come in.
THey will only have ~ by them because they are associated or peers, not the master

You can also do show clock and show calendar, then shoudl be the same.
show calendar is the hardware clock, show clock is software clock on router.
if they are not same, then issue #ntp update-calendar

If for some reason those DC's don't come online then try
#debug ntp ?  


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
First LastAuthor Commented:
Thank you.

On my router the command to remove ntp was "no ntp".

From there I did:

#ntp server prefer
#ntp master

I waited a few minutes. Now my sh ntp associations doesn't show all those old ip addresses.

My DC's are reviewing updates. The event log errors went away.

Thank you.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.