Solved

Time Loss on Server and Workstations in Domain

Posted on 2011-09-09
23
491 Views
Last Modified: 2012-05-12
The domain controller and workstations are continually losing time on a small network (about 30 computers). I know this is a common issue but I want to look at different solutions before deciding on the best one. The Server OS is Windows Server 2008 R2.
I know you can install a free time sync program or even edit the registry to sync time correctly but the issue in this case may be more complex. Currently, the server is losing about 5 minutes per week. However, if the server is powered off for a bit it tends to lose time more quickly (like 10 minutes per week or more). I am being told that the CMOS battery being dead could cause this but it was recently replaced and the problem is still occurring. I read that if you have a bad capacitor on the motherboard, the problem will continue even with a new battery. If that is the case, will installing a time program or other option fix this? Any feedback on this topic is greatly appreciated.
0
Question by:fjkaykr11
23 Comments
 
LVL 21

Accepted Solution

by:
Papertrip earned 500 total points
ID: 36513597
Just setup NTP on the PDC.

Check this link out
0
 
LVL 6

Expert Comment

by:joeyfaz
ID: 36513918
This supports Windows 2008 Domain Controllers

http://technet.microsoft.com/en-us/library/cc816633(WS.10).aspx
0
 
LVL 3

Author Comment

by:fjkaykr11
ID: 36514336
@Papertrip, it looks like NTP (W32Time) is already set up on the PDC.
Services > Windows Time
I think this was working at one time but then stopped working and someone mentioned a CMOS battery issue. Any ideas?
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36514339
Yeah but is it using a valid external time source? In the comments of that link there are some other notes, including how to clear the current config if you want to redo it.

Internal clocks skew for a variety of reasons, that is what NTP is for :)
0
 
LVL 6

Expert Comment

by:joeyfaz
ID: 36514342
@fjkaykr11, you mentioned that the server clock is too slow, so it is unusable at this point. The Microsoft document at the link below explains how to set up an external time source; this should be your best solution.

http://technet.microsoft.com/en-us/library/cc816633(WS.10).aspx
 
0
 
LVL 6

Expert Comment

by:K_Wilke
ID: 36514360
Look at the motherboard on the server and look at the capacitors to see if they are blown or bulging.  If so replace the motherboard.
Thanks,
Kelly W.
0
 
LVL 3

Author Comment

by:fjkaykr11
ID: 36514379
@joeyfaz.  Is there a way of verifying if the W32Time service  is already setup to sync to NTP ?
0
 
LVL 6

Expert Comment

by:joeyfaz
ID: 36514400
w32tm /query /status
0
 
LVL 3

Author Comment

by:fjkaykr11
ID: 36514966
when I run that command here are the results:
Leap Indicator: 0(no warning)
Stratum: 1 (primary reference - syncd by radio clock)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0000000s
Root Dispersion: 10.0000000s
ReferenceId: 0x4C4F434C (source name:  "LOCL")
Last Successful Sync Time: 9/9/2011 7:55:43 PM
Source: Local CMOS Clock
Poll Interval: 6 (64s)

0
 
LVL 21

Assisted Solution

by:Papertrip
Papertrip earned 500 total points
ID: 36514968
Here is your problem:

Source: Local CMOS Clock


Follow the instructions in the link I provided to query from an external time source and it should be resolved.
0
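An added example, not part of the original thread: a short Python check that parses `w32tm /query /status` output like the one posted above and flags a domain controller that is following only its own clock. The sample text is the output quoted in the thread; the function names are hypothetical.

```python
import re

# Source strings w32tm reports when the service follows no peer at all.
UNSYNCED_SOURCES = {"local cmos clock", "free-running system clock"}
# Constructed sample: the `w32tm /query /status` output quoted in the thread.
SAMPLE = """\
Leap Indicator: 0(no warning)
Stratum: 1 (primary reference - syncd by radio clock)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0000000s
Root Dispersion: 10.0000000s
ReferenceId: 0x4C4F434C (source name:  "LOCL")
Last Successful Sync Time: 9/9/2011 7:55:43 PM
Source: Local CMOS Clock
Poll Interval: 6 (64s)
"""

def parse_status(text):
    """Split 'Key: value' lines into a dict (split on the first colon only)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def decode_reference_id(value):
    """Render the 4 bytes of '0x4C4F434C (...)' as ASCII, or as hex if unprintable."""
    match = re.match(r"0x([0-9A-Fa-f]{8})", value)
    if not match:
        return None
    raw = bytes.fromhex(match.group(1))
    return raw.decode("ascii") if all(32 <= b < 127 for b in raw) else raw.hex()

def audit(text):
    """Return a list of findings; an empty list means no local-clock indicator."""
    fields = parse_status(text)
    findings = []
    source = fields.get("Source", "")
    if source.lower() in UNSYNCED_SOURCES:
        findings.append(f"time source is '{source}', no external peer")
    ref = decode_reference_id(fields.get("ReferenceId", ""))
    if ref == "LOCL":
        findings.append("ReferenceId decodes to LOCL (local clock)")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("WARN:", finding)
```

Run it against status output collected from each domain controller; any finding means the machine is not following an external peer, so its clock will keep drifting with the hardware.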
 
LVL 3

Author Comment

by:fjkaykr11
ID: 36515012
@Papertrip, when I tried the steps in the link I get an error in step 4:
The following arguments were unexpected:  1.pool.ntp.org, 2.pool.ntp.org
0
 
LVL 6

Expert Comment

by:joeyfaz
ID: 36515040
Run this command on the domain controller:
 w32tm /config /manualpeerlist:time-nw.nist.gov /syncfromflags:manual /reliable:YES /update

then run w32tm /query /status
0
 
LVL 21

Assisted Solution

by:Papertrip
Papertrip earned 500 total points
ID: 36515060
@Papertrip, when I tried the steps in the link I get an error in step 4:
The following arguments were unexpected:  1.pool.ntp.org, 2.pool.ntp.org

Hmm yeah my bad, that syntax is mangled.  Try this instead:

C:\> w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org"


It's always best practice to have more than 1 source. There are many reasons why, if you only have 1 NTP source set up, it could become unavailable. This applies to pretty much anything that could be a single point of failure.
0
 
LVL 3

Author Comment

by:fjkaykr11
ID: 36515260
If I set up this method to get an external source for time do I need to open ports on the firewall?
I read somewhere where you have to have port 123 for UDP both inbound and outbound open.
I am not that familiar with my firewall interface so I might want to have this sorted out first before I change the time source.  Any ideas if that is the case?
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36517266
Yes, UDP/123 for NTP ingress and egress.
0
 
LVL 3

Author Comment

by:fjkaykr11
ID: 36517597
Does the UDP port 123 need to be NATTED to the server that is running the W32 time service?
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36517618
You don't NAT ports.

What you need to do depends on how your firewall and/or router are setup.  All you need is for traffic to be able to reach the internet from the PDC over UDP/123, and be able to get the return traffic NAT'd back.  

If for example right now your PDC can browse the web over HTTP, then port TCP/80 is open.  You need to make your policy the same for that computer to be able to access UDP/123 over the internet.

If you meant would a NAT need to be setup somewhere in that flow, then yes unless your PDC has a public IP.

Just talk to whoever admins your firewall, this is a very basic and common firewalling concept, just allowing access in and out of a specific port.
0
 
LVL 3

Author Comment

by:fjkaykr11
ID: 36517784
Now I am more confused. I thought you said ", UDP/123 for NTP ingress and egress."
But now you are saying only open port 123 UDP egress?  Am I reading this incorrectly?
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36517790
It all depends on how your router and/or firewall are setup.

I don't mean to be rude here but the concept is pretty simple, I think you are over-complicating it.  All that needs to happen is traffic can get to and from the internet for your PDC over UDP/123.

Just talk to whoever manages your firewall and tell them you need UDP/123 open for NTP, they should know what you are talking about.



0
 
LVL 3

Author Comment

by:fjkaykr11
ID: 36518110
Look, I understand you may FEEL that I am over-complicating things. I am here to learn as well as teach others who may come across this post. I have a paid account with Experts-Exchange and I have helped other people on this board without judging them. If you don't want to help me learn the entire process to get this working then just move on. It's not like you even mentioned the firewall issue in your original post.
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36518115
OK so.  I said that "I don't mean to be rude", because I didn't, but apparently you skipped over that part.

I didn't mention the firewall issue in the original post because you didn't mention anything about a firewall until recently, after which I tried to help as I had been all along.  We didn't even know until recently that you weren't using an external time source but rather the local CMOS clock.

Do you admin the firewall? If not, have you talked to the person who does? This is the next step in the entire process to which you are referring, but you haven't answered that question yet although I mentioned it twice.

If I didn't want to help, why would I keep replying?  Have I said something like "you are stupid" or just a plain "no" or anything of that sort?  No, I have posted relevant and accurate information to help with this.  If you don't want to follow the advice I am giving and answer the questions I am only asking to help you, then so be it.
0
 
LVL 3

Author Comment

by:fjkaykr11
ID: 36519300
You said "Just talk to whoever admins your firewall, this is a very basic and common firewalling concept"   Why would I need Experts-Exchange if I had a firewall admin?
0
 
LVL 3

Author Closing Comment

by:fjkaykr11
ID: 36533730
It looks like it worked without having to make changes to ports on the firewall.
0
