Windows time server off by 20 min

Aaron Thorn
Windows time server is off by 20 min. We have restarted it 3 times and it will not keep correct time?
You did not mention much info about your AD DS structure.

1. The PDC Emulator in your forest root domain should be an authoritative time server, and all other servers and workstations will sync with it.

You need to modify the registry keys listed in the KB article below for whichever DC is configured as your PDC Emulator in your forest root domain.

- How to configure an authoritative time server in Windows Server:
http://support.microsoft.com/kb/816042

2. If the DC is hosted on VMware, then check the time-sync-with-host option:
http://timjacobs.blogspot.com/2007/11/virtualized-domain-controllers-time.html

Regards,

Commented:
I don't recommend setting up an authoritative time server, as the PDCe is automatically an authoritative time server. Setting up as per Microsoft's article requires a set of group policies that mess with the default configurations. What usually is needed is for the PDCe to sync with an outside time server. Since most firewalls block the ports to sync with a broadcast, Symmetricom (a time server manufacturer) came up with an application that will sync with a number of online time servers, including NIST (National Institute of Standards and Technology) or government time servers.

The LOCAL PDCe with the five FSMO roles is the time server that clients and other servers will sync with. So, if that's off by 20 minutes, the entire domain should be off by 20 minutes, as long as they are within the +/- 5 minute phase offset (meaning a five minute window).

Anyway, the application used to sync your PDCe with an outside time server is called SymmTime. It uses HTTP port 80 to connect and sync your PDCe's system clock to an outside time server. If you have an internal time server, you can also use SymmTime and manually configure your time server as an optional time server to sync to...

http://www.symmetricom.com/resources/downloads/symmtime/download-symmtime/
Robin CM, Senior Security and Infrastructure Engineer

Commented:
Where does the time server get its time from? The internal clock in most PCs and servers is not very accurate and will drift quite significantly. My time server is configured to sync from one of my bits of Cisco network kit (which provides an NTP time source); this in turn syncs from the MAN.

Commented:
Quick and easy way (the lazy tech way)...

Add the following to your GPO or login script:

NET TIME \\TIMESRV /SET /YES

Commented:
Configure an authoritative time server. Ensure you don't synchronise this on the PDC master server.

http://support.microsoft.com/kb/816042

Commented:
Once again, on the broadcast domain the PDCe is already the time server that sends out a time broadcast to all clients and servers on port 123. That is the default configuration of a domain controller with FSMO roles.

--Setting up group policies for an "authoritative time server" causes problems with the default configuration.

Most often, it's only required to sync the PDCe with an outside time server. So, SymmTime is used to sync the PDCe to a NIST or government time server easily on HTTP port 80. That way, you don't have to create unneeded security holes in your LAN-based router for time on port 123 to sync your domain controller with an outside time server.

After that, Symmetricom also offers another application that checks the broadcast domain for correct time on all clients and other servers, called LMcheck.

http://www.symmetricom.com/resources/downloads/

Commented:
Time synchronization is an important aspect for all computers on the network. By default, client computers get their time from a Domain Controller, and the Domain Controller gets its time from the domain's PDC Operations Master. Therefore the PDC must synchronize its time from an external source. I usually use the servers listed at the NTP Pool Project website. Before you begin, don't forget to open the default UDP 123 port (in- and outbound) on your firewall.

    1. First, locate your PDC Server. Open the command prompt and type: C:\>netdom /query fsmo
    2. Log in to your PDC Server and open the command prompt.
    3. Stop the W32Time service: C:\>net stop w32time
    4. Configure the external time sources (the peer list is space separated, in straight double quotes): C:\>w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org"
    5. Make your PDC a reliable time source for the clients. Type: C:\>w32tm /config /reliable:yes
    6. Start the W32Time service: C:\>net start w32time
    7. The Windows Time service should begin synchronizing the time. You can check the external NTP servers in the time configuration by typing: C:\>w32tm /query /configuration
    8. Check the Event Viewer for any errors.

Let us know if this resolves it.
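The procedure above, carried out in PowerShell as an added example (this is not code from the original thread or from any of its commenters). It applies the same w32tm settings with the peer list in the form w32tm actually expects (space separated), uses /update so the running service picks up the change without a stop/start, and then checks that the PDCe is really synchronised rather than still reporting its local clock as the source. Assumptions: an elevated PowerShell session on the PDC emulator running Windows Server 2008 or later (w32tm /query does not exist on Server 2003), the RSAT ActiveDirectory module installed, the pool hostnames as illustrative peers, and a perimeter firewall that allows outbound UDP/123 from this host. Stateful return traffic is all that is needed; no inbound rule to the DC is required for it to act as an NTP client.

```powershell
# Added example, not code from the original thread: make the PDC emulator the
# domain's external-time client with correct w32tm syntax, then verify the result.
# Assumptions: elevated PowerShell on Windows Server 2008 or later (w32tm /query
# does not exist on 2003) with the RSAT ActiveDirectory module; the pool hostnames
# are illustrative; outbound UDP/123 from this host is allowed at the perimeter.

# Peer list is SPACE separated. The documented ",0x8" flag asks for plain NTP client
# mode instead of the default symmetric-active mode, which many public servers ignore.
$peers = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8'

function Get-FirstMatch {
    # Capture group 1 of the first line matching $Pattern, or $null if none matches
    param([string[]]$Lines, [string]$Pattern)
    $m = $Lines | Select-String -Pattern $Pattern | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { $null }
}

function Assert-OnPdcEmulator {
    # Only the PDCe should carry manual external peers; every other DC follows the hierarchy
    $pdce = (Get-ADDomain).PDCEmulator
    $me   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    if ($me -ne $pdce) { throw "Run this on the PDC emulator ($pdce); this host is $me" }
}

function Set-ExternalTimeSource {
    param([string]$PeerList)
    # /reliable:yes advertises this DC as a good time source to the rest of the forest;
    # /update applies the change to the running service (no net stop/start needed).
    & w32tm /config /syncfromflags:manual /manualpeerlist:"$PeerList" /reliable:yes /update
    & w32tm /resync /rediscover
}

function Test-TimeSync {
    param([string]$PeerList)
    $status  = @(& w32tm /query /status 2>&1 | ForEach-Object { "$_" })
    $source  = Get-FirstMatch $status 'Source:\s*(.+)$'
    $stratum = Get-FirstMatch $status 'Stratum:\s*(\d+)'
    "Source:  $source"
    "Stratum: $stratum"
    if ($source -match 'Local CMOS Clock|Free-running') { Write-Warning 'Still on the local clock, not an NTP peer' }
    if (-not $stratum -or [int]$stratum -eq 0 -or [int]$stratum -ge 16) { Write-Warning "Stratum $stratum means unsynchronised" }

    # Query each peer directly; /stripchart reports the peer-minus-local offset in seconds
    foreach ($entry in $PeerList -split ' ') {
        $peer = $entry.Split(',')[0]
        $raw  = (& w32tm /stripchart /computer:$peer /samples:3 /dataonly 2>&1 | ForEach-Object { "$_" }) -join "`n"
        $off  = @([regex]::Matches($raw, ',\s*([+-]?\d+\.\d+)s') | ForEach-Object { [double]$_.Groups[1].Value })
        if ($off.Count) { '{0,-18} offset {1,9:N3}s' -f $peer, ($off | Measure-Object -Average).Average }
        else            { "$peer`tno reply (UDP/123 blocked outbound, or host unreachable)" }
    }
}

Assert-OnPdcEmulator
Set-ExternalTimeSource -PeerList $peers
Start-Sleep -Seconds 5      # let the service settle after /resync before reading status
Test-TimeSync -PeerList $peers
```

The per-peer stripchart at the end is the check that separates "the command ran" from "the clock is right": a peer that never answers shows the firewall is still blocking UDP/123 outbound, and a Source of Local CMOS Clock after the resync means the configured peers were never used. Note that the thread's symptom, a clock that is correct for ten minutes and then jumps, is what a second, conflicting time source on the network looks like, so verifying the source on every DC (not just the PDCe) is the next step.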

Author

Commented:
We did try all the changes listed and the time is 6 min fast. Help, help!
Robin CM, Senior Security and Infrastructure Engineer

Commented:
Run the following commands from an administrator command prompt and tell me what the responses are:
w32tm /query /source
w32tm /query /peers
w32tm /query /status
w32tm /query /configuration

Author

Commented:
I did do the following (see pictures):

Time synchronization is an important aspect for all computers on the network. By default, client computers get their time from a Domain Controller, and the Domain Controller gets its time from the domain's PDC Operations Master. Therefore the PDC must synchronize its time from an external source. I usually use the servers listed at the NTP Pool Project website. Before you begin, don't forget to open the default UDP 123 port (in- and outbound) on your firewall.

    1. First, locate your PDC Server. Open the command prompt and type: C:\>netdom /query fsmo
    2. Log in to your PDC Server and open the command prompt.
    3. Stop the W32Time service: C:\>net stop w32time
    4. Configure the external time sources, type: C:\>w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org"
    5. Make your PDC a reliable time source for the clients. Type: C:\>w32tm /config /reliable:yes
    6. Start the W32Time service: C:\>net start w32time
    7. The Windows Time service should begin synchronizing the time. You can check the external NTP servers in the time configuration by typing: C:\>w32tm /query /configuration
    8. Check the Event Viewer for any errors.

Let us know if this resolves it.

(screenshots pic1 and pic2 not reproduced)

Commented:
A simple question: what devices are you comparing with? What devices aren't syncing, and which ones are fast?
wrm-ag

We use the Symmetricom (CheifIT provided the website for the download of the utility, www.symmetricom.com) 250, which is a GPS time sync device that provides a stratum 16 authoritative source for time synchronization of the DCs. DCs will poll for the highest stratum device when looking for an NTP source; having the device in the environment with the DC set at 10, as we have set, allows all devices to sync to the GPS clock. This alleviates the need for registry key entries. Would it be feasible to install a hardware GPS clock in your environment, have the device in the DMZ and allow that device to talk to the time servers as a backup?

Regards

Commented:
@Troy

Yes, you can use a GPS clock and put it within the DMZ to talk to. Our ships (22 of them) each have a time server or two, because time was of the essence for the mission. That's the significance of Symmetricom: you don't need registry key edits or to open up port 123 on your firewall. All you have to do is point your DC to an outside time server listed in Symmetricom's software, or create your own.

If you purchase a Symmetricom atomic clock or GPS time server, they will help you configure it for your forest, I am sure of it.
Robin CM, Senior Security and Infrastructure Engineer

Commented:
Ha, yes, just noticed you're on 2003, not 2008! Stand by...
Robin CM, Senior Security and Infrastructure Engineer

Commented:
w32tm /monitor
w32tm /dumpreg

Author

Commented:
Did run:
w32tm /monitor
w32tm /dumpreg

(screenshots pic1 and pic2 not reproduced)

Author

Commented:
Port 123 is closed on the firewall, PDC and SDC, for your info. What we have is a server that gets its time from the s1 server; s1 time keeps changing all the time. I did run:

    1. First, locate your PDC Server. Open the command prompt and type: C:\>netdom /query fsmo
    2. Log in to your PDC Server and open the command prompt.
    3. Stop the W32Time service: C:\>net stop w32time
    4. Configure the external time sources, type: C:\>w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org"
    5. Make your PDC a reliable time source for the clients. Type: C:\>w32tm /config /reliable:yes
    6. Start the W32Time service: C:\>net start w32time
    7. The Windows Time service should begin synchronizing the time. You can check the external NTP servers in the time configuration by typing: C:\>w32tm /query /configuration
    8. Check the Event Viewer for any errors.

and the time was correct for about 10 min, then changed again.

Author

Commented:
So s1 is getting its time from 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org.

The other server that the time clocks are on is getting its time from s1. All other computers in the office get time from s1.
Robin CM, Senior Security and Infrastructure Engineer

Commented:
So which server were the screenshots above taken from?
Can you run the same two commands on the other server please?

Author

Commented:
S1 was the screenshots.

New screenshots from s2:

(screenshot pic1 not reproduced)

Author

Commented:
I did run the following on s2:

    1. Open the command prompt and type: C:\>netdom /query fsmo
    2. Log in to your PDC Server and open the command prompt.
    3. Stop the W32Time service: C:\>net stop w32time
    4. Configure the external time sources, type: C:\>w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org"
    5. Make your PDC a reliable time source for the clients. Type: C:\>w32tm /config /reliable:yes
    6. Start the W32Time service: C:\>net start w32time
    7. The Windows Time service should begin synchronizing the time. You can check the external NTP servers in the time configuration by typing: C:\>w32tm /query /configuration
    8. Check the Event Viewer for any errors.
Robin CM, Senior Security and Infrastructure Engineer

Commented:
What is 76.79.67.76?
When I do an nslookup I get rrcs-76-79-67-76.west.biz.rr.com
Why would that be referenced with regards to the time configuration on your servers?

Can you do:
w32tm /dumpreg /subkey:parameters
w32tm /dumpreg /subkey:timeproviders\ntpserver
on each server please.
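The questions in this last comment (which server is which, where each one really gets its time, and what is in the Parameters registry key on each) are the right ones, and they are worth asking of every DC at once. Below is an added example, not code from the original thread or from any commenter, that collects exactly that from each domain controller in one table: the live Source and Stratum from w32tm /query /status, the Type and NtpServer values from w32tm /dumpreg (NT5DS means the DC follows the domain hierarchy, NTP means it has its own manual peers, which is only correct on the PDCe), and the offset measured with w32tm /stripchart. Assumptions: an elevated PowerShell session on the PDC emulator (so offsets are relative to the authoritative clock) on Windows Server 2008 or later, the RSAT ActiveDirectory module, RPC reachability to each DC for /query and /dumpreg, UDP/123 reachability for /stripchart, and a 300-second threshold, which is the default Kerberos MaxClockSkew of five minutes.

```powershell
# Added example, not code from the original thread: one table showing, for every DC,
# where it thinks its time comes from, its stratum, the registry Type/NtpServer
# values, and its measured offset from the machine running the script.
# Assumptions: elevated PowerShell on the PDC emulator (Server 2008 or later) with
# the RSAT ActiveDirectory module; RPC to each DC (w32tm /query and /dumpreg) and
# UDP/123 to each DC (/stripchart). The 300 s threshold is the Kerberos default.

$maxSkewSeconds = 300                  # Kerberos default MaxClockSkew: 5 minutes
$pdce = (Get-ADDomain).PDCEmulator

function Get-FirstMatch {
    # Capture group 1 of the first line matching $Pattern, or $null if none matches
    param([string[]]$Lines, [string]$Pattern)
    $m = $Lines | Select-String -Pattern $Pattern | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { $null }
}

function Get-DcTimeReport {
    param([string]$Computer)

    # "$_" turns any ErrorRecord from a failed RPC/NTP call into plain text so parsing is safe
    $status = @(& w32tm /query /status /computer:$Computer 2>&1 | ForEach-Object { "$_" })
    $reg    = @(& w32tm /dumpreg /subkey:Parameters /computer:$Computer 2>&1 | ForEach-Object { "$_" })
    $chart  = @(& w32tm /stripchart /computer:$Computer /samples:3 /dataonly 2>&1 | ForEach-Object { "$_" })

    # /stripchart lines look like "10:15:02, +00.0034567s"; average the samples
    $offsets = @([regex]::Matches(($chart -join "`n"), ',\s*([+-]?\d+\.\d+)s') |
                 ForEach-Object { [double]$_.Groups[1].Value })
    $avg = if ($offsets.Count) { ($offsets | Measure-Object -Average).Average } else { $null }

    [pscustomobject]@{
        DC        = $Computer
        Role      = if ($Computer -eq $pdce) { 'PDCe' } else { 'DC' }
        Source    = Get-FirstMatch $status 'Source:\s*(.+)$'
        Stratum   = Get-FirstMatch $status 'Stratum:\s*(\d+)'
        Type      = Get-FirstMatch $reg    '^\s*Type\s+REG_SZ\s+(\S+)'      # NT5DS = hierarchy, NTP = manual peers
        NtpServer = Get-FirstMatch $reg    '^\s*NtpServer\s+REG_SZ\s+(.+)$'
        OffsetSec = if ($null -ne $avg) { [math]::Round($avg, 3) } else { 'unreachable' }
    }
}

$report = Get-ADDomainController -Filter * | ForEach-Object { Get-DcTimeReport $_.HostName }
$report | Format-Table -AutoSize

# The patterns behind "correct for ten minutes, then wrong again": a non-PDCe DC with
# Type=NTP and its own peers, a DC still on its local clock, or a DC outside Kerberos tolerance.
foreach ($r in $report) {
    if ($r.Role -eq 'DC' -and $r.Type -eq 'NTP') {
        Write-Warning "$($r.DC): Type=NTP with NtpServer='$($r.NtpServer)'; a non-PDCe DC should use NT5DS (domain hierarchy)"
    }
    if ($r.Source -match 'Local CMOS Clock|Free-running') {
        Write-Warning "$($r.DC): not synchronised (Source = $($r.Source))"
    }
    if ($r.OffsetSec -is [double] -and [math]::Abs($r.OffsetSec) -gt $maxSkewSeconds) {
        Write-Warning "$($r.DC): offset $($r.OffsetSec)s exceeds Kerberos tolerance ($maxSkewSeconds s)"
    }
}
```

Read the NtpServer column with the same suspicion the commenter applies to the unexplained address above: any peer on a DC that nobody recognises deserves an explanation, because whoever controls a DC's time source controls Kerberos ticket validity for the whole domain. The clients-follow-s1, s1-follows-the-pool layout the author describes is only as trustworthy as the Type and NtpServer values on s1 and s2, and those are what this table surfaces.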
