Issue with time provider in Windows network

TPBPIT
Our domain controllers are Windows 2008 R2 and our PC environment is a mix of XP SP3 and Windows 7 SP1.  We have 3 DCs, one with all the FSMO roles and the other 2 are GCs.  For some reason all of our workstations have changed their default time provider to one of the GCs instead of the FSMO role holder.  This is an issue for us because we have a timeclock program that relies on time being pulled from the DC that happens to be the FSMO role holder.

Any ideas on how to get the workstations pointed back at the correct DC and why all of a sudden they started pulling time from a different DC?

Are you seeing an issue with the time clock? All the DCs should sync among themselves and all have the same time.

Author

Commented:
They have the same time, but even my FSMO role holder is pointing at one of the GCs.  Very odd.
Check this article out. Possibly you need to make the FSMO the master time keeper.

http://support.microsoft.com/kb/816042

Top Expert 2012

Commented:
Go through this article on one of the clients to see if this makes them point to the correct DC. Plus run this on the other DCs that aren't the FSMO role holder.

http://technet.microsoft.com/en-us/library/cc758905(WS.10).aspx

Author

Commented:
Ken, as I see it that would work if we were pointing to ourselves for time, but we use external time providers.

Dari, I tried that on a desktop, but it didn't work.  I'm a little confused as to why my FSMO role holder is pointing to a GC or how to fix that.
Top Expert 2012

Commented:
The servers at some point have the configuration to be the time server; the commands should be run on the GC as well.

Author

Commented:
Dari, not sure I understand.  Can you explain?
Top Expert 2012

Commented:
Run the commands on the DCs that do not hold FSMO roles.

Author

Commented:
I have more information.  When I checked the regkey that is in Ken's link, the FSMO holder has a value of 5 and the GCs have a value of 10.  10 is set for standalone server, but I have no idea what 5 is.

Author

Commented:
Ok, but if I run w32tm /config /syncfromflags:domhier /update on the GCs then what will happen to the FSMO role holder that is pointing at the GC?  And what should I be seeing when I run Net Time on the FSMO holder?  Should it point to itself or should it show the external NTP server?
Your FSMO is the "Master". In AD, all the secondary DCs pull their time from the FSMO DC. The login server of the "client" becomes its time keeper.

Basically, client1 logs in (DC1 responds to the login request). DC1 is now handling time sync for client1. DC1 syncs itself with the FSMO (MASTER).

Top Expert 2012

Commented:
You should not use net time either.

You should be using w32tm /monitor
Commented:
Here's how time works in Active Directory:

1. All members of your Active Directory forest (DCs and non-DCs) who are not the PDC of the root domain should be set to use DOMHIER time, also known as NT5DS (as opposed to plain NTP).
2. This makes all members of Active Directory that are not domain controllers get their time from a local domain controller.
3. This makes all domain controllers in the forest who are not the PDC of the root domain get their time from the PDC of the root domain.  The PDC is just one of the five FSMO roles.  Use "netdom query fsmo /domain:your_forest_root_domain_here" to see who your root PDC is.
4. The PDC of the root domain of the forest needs to be configured for MANUAL (which is NTP) and configured to get time from one or more NTP server IP addresses.

Sometimes, for various reasons, after things are set up, domain controllers can be incorrectly left in MANUAL mode, so they should be switched to NT5DS mode (/syncfromflags:DOMHIER).

Are any of your domain controllers virtual machines?  If so there is some extra work needed to make sure your DCs get time from the domain hierarchy instead of the virtual host.
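
The four rules above written as an audit check (an added example, not part of the original post and not Microsoft's code): it compares each machine's W32Time Type registry value with its role and returns the w32tm command that brings it back in line. The function name Test-TimeRole, the host names and the peer ntp.example.net are hypothetical, and the inventory is constructed sample data.

```powershell
# Live values come from each machine's registry, for example:
#   $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
#   $p.Type; $p.NtpServer
# and the root PDC name from: netdom query fsmo /domain:<forest root domain>

function Test-TimeRole {
    param(
        [string]$Name,
        [bool]$IsRootPdc,
        [string]$Type,       # Parameters\Type: NT5DS, NTP, NoSync or AllSync
        [string]$NtpServer   # Parameters\NtpServer (manual peer list)
    )
    $finding = 'OK'
    $fix = ''
    if ($IsRootPdc) {
        # Rule 4: the root PDC uses MANUAL (NTP) with an explicit peer list.
        if ($Type -ne 'NTP' -or [string]::IsNullOrEmpty($NtpServer)) {
            $finding = 'Root PDC is not syncing from a manual NTP peer list'
            $fix = 'w32tm /config /manualpeerlist:"<ntp servers>" /syncfromflags:manual /reliable:yes /update'
        }
    }
    elseif ($Type -ne 'NT5DS') {
        # Rules 1-3: every other DC and member follows the domain hierarchy.
        $finding = "Type is '$Type', expected NT5DS (DOMHIER)"
        $fix = 'w32tm /config /syncfromflags:domhier /update'
    }
    New-Object PSObject -Property @{ Name = $Name; Finding = $finding; Fix = $fix }
}

# Constructed inventory (hypothetical names and values, not taken from the thread).
$inventory = @(
    @{ Name = 'DC1'; IsRootPdc = $true;  Type = 'NT5DS'; NtpServer = '' },
    @{ Name = 'DC2'; IsRootPdc = $false; Type = 'NTP';   NtpServer = 'ntp.example.net,0x8' },
    @{ Name = 'DC3'; IsRootPdc = $false; Type = 'NT5DS'; NtpServer = '' },
    @{ Name = 'PC1'; IsRootPdc = $false; Type = 'NT5DS'; NtpServer = '' }
)

# DC1 and DC2 are reported with a fix; DC3 and PC1 come back as OK.
foreach ($machine in $inventory) {
    Test-TimeRole @machine | Select-Object Name, Finding, Fix | Format-List
}
```

After applying a fix, `w32tm /resync /rediscover` on that machine forces it to pick its source again, and `w32tm /monitor` shows the result across the DCs.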

Author

Commented:
tjs - funny you should say that because 2 of the 3 DCs are VMs.  What should we do with them?
Top Expert 2012
Commented:
Well crap, that is an easy fix: you need to go to the VM settings and uncheck Time Sync with Host.

Author

Commented:
Thanks for all the ideas.  While it wasn't the ultimate solution they did help me fix several potential issues and clear up my understanding of time.

As for the fix, it was more than just a time issue.  We actually found an AD replication issue.  In short, NIC teaming was the issue.  Even though we were only using a Fault Tolerance NIC team, it caused an issue.  Disabled it and everything works fine.

Thanks again for your time to answer my question.
