• Status: Solved

Cisco NTP not providing timely updates to Windows domain controllers


I have two Win2003 domain controllers. They are receiving the same NTP error. The error from the Windows DC's is shown in the attached image. The NTP router is

Below is my NTP router configuration for NTP along with the sh status from NTP. My two DC's are shown as and

Could someone tell me what I'm doing wrong?

MPLS#sh ntp status
Clock is synchronized, stratum 2, reference is
nominal freq is 250.0000 Hz, actual freq is 249.9934 Hz, precision is 2**24
reference time is D1482B4B.01228D79 (08:23:39.004 EST Thu Apr 7 2011)
clock offset is 1.2403 msec, root delay is 16.77 msec
root dispersion is 40.38 msec, peer dispersion is 18.68 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000026287 s/s
system poll interval is 1024, last update was 1609 sec ago.
MPLS-HQ#sh ntp associations

  address         ref clock       st   when   poll reach  delay  offset   disp
      3  76524  32768    14  0.000 -190.28 17.254
     .INIT.          16 605566  32768     0  0.000   0.000 15937.
*~    .ACTS.           1    591   1024   377 16.779   1.240 18.680
    .INIT.          16      -   1024     0  0.000   0.000 15937.
    .INIT.          16      -   1024     0  0.000   0.000 15937.
    .INIT.          16      -   1024     0  0.000   0.000 15937.
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

MPLS-HQ#sh run | include ntp
ntp update-calendar
ntp server

First Last
2 Solutions
Marius Gunnerud, Senior Systems Engineer, Commented:
Have a look at this link, perhaps there is something that can help you: http://etherealmind.com/ios-configure-windows-2003-xp-use-ntp-server-sync-time-clock-router/
First Last (Author) Commented:
That didn't help very much, but from there I did find this article. It seems to have cleared things up in my event log.

Does anyone know how to remove the duplicate unconfigured addresses in bold from the list below?

MPLS-HQ#show ntp association

  address         ref clock       st   when   poll reach  delay  offset   disp
 ~     .LOCL.           7      3     16   377  0.000   0.000  0.238
 ~     .INIT.          16      -   1024     0  0.000   0.000 15937.
      3  84421  32768    14  0.000 -190.28 17.254
 ~     .INIT.          16      -   1024     0  0.000   0.000 15937.
     .INIT.          16 613463  32768     0  0.000   0.000 15937.
*~    .ACTS.           1    100    256   377 15.336  56.714 11.373
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
The star (*) displayed next to the configured (~) peer indicates the router is synchronized with that IP, which is incorrect in your instance, I think.
But for some reason you have a bunch of other NTP associations. They are configured, as indicated by the ~.
You might want to "no" that server out: no ntp server

Configuring NTP Associations
An NTP association can be a peer association (meaning that this system is willing to either synchronize to the other system or to allow the other system to synchronize to it), or it can be a server association (meaning that only this system will synchronize to the other system, and not the other way around). If you want to form an NTP association with another system, use one of the following commands in global configuration mode:

Command: ntp peer ip-address [normal-sync] [version number] [key keyid] [source interface] [prefer]
Purpose: Forms a peer association with another system.

Command: ntp server ip-address [version number] [key keyid] [source interface] [prefer]
Purpose: Forms a server association with another system.

I'm confused what you want to do - if your NTP server is supposed to be your two DC's then you need to remove all the other stuff out of there.  

Actually, I think you can delete all NTP programming by doing
(config)#clear ntp

First Last (Author) Commented:
atrevido, is where I'm trying to get my time. It is a NIST Internet Time Service. and are my two Windows DC's. I want those two DC's to go to my router to retrieve their time. From there I use Group Policy to push the time out to the computers.
First Last (Author) Commented:
I'm not having any luck removing the two last associations:

MPLS-HQ(config)#do show ntp association

  address         ref clock       st   when   poll reach  delay  offset   disp
      3  92689  32768    14  0.000 -190.28 17.254
     .INIT.          16 621731  32768     0  0.000   0.000 15937.
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
To stop the router from picking up stray time sources, use the prefer option:
ntp server prefer
#clear ntp
#ntp server prefer
#ntp master

Wait a couple minutes and then do show ntp status and show ntp association
You should now see the * beside the 64.90.782.55 address; this means it's synced and good.
Then you should see your DC's come in.
They will only have ~ by them because they are associated or peers, not the master.

You can also do show clock and show calendar; they should be the same.
show calendar is the hardware clock, show clock is the software clock on the router.
If they are not the same, then issue #ntp update-calendar

If for some reason those DC's don't come online then try
#debug ntp ?  
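
The flag and reach columns discussed in this thread can be checked mechanically. The following is an added example, not part of the original thread or any poster's code: a small Python parser for `show ntp associations` output that decodes the octal `reach` value and flags unsynchronized or unconfigured associations. The function names, the health rules and the sample addresses (RFC 5737 documentation IPs) are assumptions made for illustration.

```python
import re

# Constructed sample output; addresses are RFC 5737 documentation IPs,
# not values from the thread.
SAMPLE = """\
  address         ref clock       st   when   poll reach  delay  offset   disp
*~192.0.2.10      .ACTS.           1    100    256   377 15.336  56.714 11.373
 ~192.0.2.20      .INIT.          16      -   1024     0  0.000   0.000 15937.
  198.51.100.7    192.0.2.99       3  84421  32768    14  0.000 -190.28 17.254
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""

ROW = re.compile(
    r"^\s*(?P<flags>[*#+x~-]*)(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<ref>\S+)\s+"
    r"(?P<st>\d+)\s+\S+\s+\d+\s+(?P<reach>[0-7]+)\s+\S+\s+\S+\s+\S+\s*$")

def parse_associations(text):
    """Return one dict per association row; header and legend lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        reach = int(m["reach"], 8)  # octal view of an 8-bit poll history register
        rows.append({
            "addr": m["addr"], "ref": m["ref"], "stratum": int(m["st"]),
            "sys_peer": "*" in m["flags"], "configured": "~" in m["flags"],
            "reach": reach,
            "polls_ok": bin(reach).count("1"),  # answered polls out of the last 8
            "last_poll_ok": bool(reach & 1),    # lowest bit is the newest poll
        })
    return rows

def findings(rows):
    """Hypothetical health rules for review; thresholds are assumptions."""
    out = []
    if not any(r["sys_peer"] for r in rows):
        out.append("no sys.peer: clock is not synchronized to any source")
    for r in rows:
        if r["stratum"] == 16 or r["reach"] == 0:
            out.append(f"{r['addr']}: unsynchronized or unreachable")
        elif not r["last_poll_ok"]:
            out.append(f"{r['addr']}: newest poll unanswered ({r['polls_ok']}/8 ok)")
        if not r["configured"]:
            out.append(f"{r['addr']}: no ~ flag, association is not in the config")
    return out

if __name__ == "__main__":
    for f in findings(parse_associations(SAMPLE)):
        print(f)
```

A reach of 377 means all of the last eight polls were answered, while 14 (binary 00001100) means the two most recent polls went unanswered.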

First Last (Author) Commented:
Thank you.

On my router the command to remove ntp was "no ntp".

From there I did:

#ntp server prefer
#ntp master

I waited a few minutes. Now my sh ntp associations doesn't show all those old ip addresses.

My DC's are receiving updates. The event log errors went away.

Thank you.
Question has a verified solution.
