Windows Authoritative Time Server

Posted on 2011-10-21
Medium Priority
Last Modified: 2012-05-12
I'm having a problem "I think" with an authoritative Windows time server. Let me run down what I've done.

First I needed to verify that my PDC was in fact my PDC (It's a 2008 Server.)
I ran the following command from a workstation:

C:\>netdom /query fsmo
Schema owner                DC1.
Domain role owner           DC1.
PDC role                    DC1.
RID pool manager            DC1.
Infrastructure owner        DC1.

So, clearly DC1 is my PDC. Then I stopped the w32time service on the PDC, and ran the following command:

C:\>w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org"
C:\>w32tm /config /reliable:yes

And restarted the w32time service.

Now it's my understanding that workstations in the domain are supposed to, "by default", get their time from the PDC. So next I rebooted a few workstations, and at first it looked like all was fine, until yesterday when I noticed one of my sites was consistently 3 minutes off from both the PDC, and the other 4 networks. So I started doing a little checking.

I again ran the "netdom /query fsmo" from a couple of machines on the problem network and got the correct results.

Here is the part I'm not sure is right. When I run "net time /querysntp" from the domain controller I get:
The current SNTP value is: 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org

But when I run the same command from "any" workstation I get:
The current SNTP value is: time.windows.com,0x1

Shouldn't I be getting the same as the PDC value, if it is in fact defaulting to it? Could this be my problem, and does anybody know how to fix it if it is indeed a problem?

Question by:bwask
LVL 59

Accepted Solution

Darius Ghassem earned 1000 total points
ID: 37006512
Don't run the on the clients.

Run w32tm /monitor

On clients having issue run through this link as well

LVL 24

Assisted Solution

Sandeshdubey earned 1000 total points
ID: 37010411
You can use w32tm /monitor /computers:localhost to check the same.

In the example below it syncs to DC plot29dcserver1, which is acting as PDC and which is configured as authoritative time server.
Z:\>w32tm /monitor /computers:localhost
localhost []:
    ICMP: 0ms delay.
    NTP: +0.0000000s offset from local clock
        RefID: plot29dcserver1.plot29dc.com []

Look at your System event logs. Event source is W32Time. The description should tell you which time server your workstation uses.

The net time /querysntp command merely tells you which time source would be used if the computer was configured to use a specific time source instead of the Domain's time source hierarchy. I consider the net time command "deprecated" - not sure if Microsoft has said this officially or not.

Unless someone does something deliberately, all domain computers, including Domain Controllers, will use the Domain's time source hierarchy.

If "Type" is "NT5DS", the computer is configured to use the domain time source hierarchy - the value returned by net time /querysntp is meaningless.

If the "Type" is "NTP", the computer is configured to use the specific time source specified by the "NtpServer".

All Domain Controllers, except one, should be configured to use the Domain's time sync hierarchy.
One of the Domain Controllers (often the one with the PDC Emulator FSMO role) should be configured to be a "reliable" time source using the commands:

w32tm /config /syncfromflags:manual /manualpeerlist:-your-favorite-time-source /reliable:yes /update
w32tm /resync /rediscover
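
The check described in the answer above, as an added PowerShell example that is not part of the original thread: it reads the "Type" and "NtpServer" values, asks the service which source it is actually using, and measures the offset from the PDC emulator. It assumes a domain-joined machine running Vista / Server 2008 or later; the registry path is the standard W32Time Parameters key, and the 60-second warning threshold is an arbitrary assumption.

```powershell
# Added example, not from the thread. Run on a domain-joined workstation.
param([double]$WarnSeconds = 60)   # assumed alert threshold, adjust as needed

# "Type" decides where the client syncs from; NtpServer only matters for NTP/AllSync.
$p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$mode = switch ($p.Type) {
    'NT5DS'   { 'domain hierarchy (NtpServer is ignored)' }
    'NTP'     { "manual peers: $($p.NtpServer)" }
    'AllSync' { "domain hierarchy plus manual peers: $($p.NtpServer)" }
    'NoSync'  { 'no synchronization' }
    default   { "unrecognized Type '$($p.Type)'" }
}

# Source the time service is using right now.
$source = (& w32tm /query /source | Out-String).Trim()

# Locate the PDC emulator and sample this machine's offset from it.
$pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().PdcRoleOwner.Name
$offsets = & w32tm /stripchart "/computer:$pdc" /samples:3 /dataonly |
    ForEach-Object {
        # Sample lines look like "12:00:01, +00.0012345s"; error lines do not match.
        if ($_ -match ',\s*([+-]\d+\.\d+)s') {
            [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
        }
    }
$worst = ($offsets | ForEach-Object { [math]::Abs($_) } |
    Measure-Object -Maximum).Maximum

[pscustomobject]@{
    Type             = $p.Type
    ConfiguredMode   = $mode
    ActiveSource     = $source
    PdcEmulator      = $pdc
    MaxOffsetSeconds = $worst
    # Flag the host if no sample came back or the offset exceeds the threshold.
    NeedsAttention   = ($null -eq $worst) -or ($worst -gt $WarnSeconds)
}
```

A workstation that reports Type NT5DS but an ActiveSource outside the domain, or an offset near the 3 minutes seen in the question, is the one to investigate through its W32Time events in the System log.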

