bergquistcompany asked:

NTP server that uses yet all internal servers get time from gone down

We had an issue where the time service on our VM host stopped, and thus our domain controller, which acts as our NTP server and gets its time from .gov, and all on-premise machines that get their time from it were getting bad time since the server wasn't updating.

I am wondering if there is a way to set up a secondary NTP server so that, in cases where the primary were to be off, the secondary would sync with it or take over. I'm not sure this would work, as the clients didn't know the server's time was wrong and adjusted to the wrong time accordingly, but, had it not been a simple service restart, I wanted to see what others do so we have a solid backup plan going forward.

Servers and Clients --------> DC1 NTP -------------------------->
DC2 backup to DC1 for DNS only; no DHCP on this as this is an empty root.
userPrincipalName wrote:

I'm not sure I understand the scenario completely.  Are you using Hyper-V?  I know in Hyper-V when you install integration services on the children, the vmictimesync service is installed.  This service can cause all sorts of problems with Virtual DCs and I would recommend uninstalling the service entirely (Not just disabling it).  If your DC comes online after a restart and cannot contact an authoritative time source, it will sync with the Hyper-V parent.

If you have been having problems with w32time and have been using w32tm with the "/reliable" parameter to fix it, you are setting yourself up for failure. This switch governs what the "AnnounceFlags" value is. Check the registry on each of your DCs and make sure your "AnnounceFlags" are set to 10 on ALL DCs except the PDCe (which should be set to 5). You should be controlling this via group policy.

In any event, you should point your PDCe to a trusted time source such as and then let all other DCs in your AD look to the PDCe. I would shy away from pointing individual DCs to external time servers - it will work, but it's contrary to best practice.

This is the policy I use for non-PDCe DCs:

System/Windows Time Service
Policy                                  Setting
Global Configuration Settings           Enabled
  Clock Discipline Parameters
    FrequencyCorrectRate                4
    HoldPeriod                          5
    LargePhaseOffset                    50000000
    MaxAllowedPhaseOffset               300
    MaxNegPhaseCorrection               172788
    MaxPosPhaseCorrection               172800
    PhaseCorrectRate                    7
    PollAdjustFactor                    5
    SpikeWatchPeriod                    900
    UpdateInterval                      100
  General Parameters
    AnnounceFlags                       10
    EventLogFlags                       2
    LocalClockDispersion                10
    MaxPollInterval                     10
    MinPollInterval                     6
    ChainEntryTimeout                   16
    ChainMaxEntries                     128
    ChainMaxHostEntries                 4
    ChainDisable                        0
    ChainLoggingRate                    30

System/Windows Time Service/Time Providers
Policy                                  Setting
Configure Windows NTP Client            Enabled
    Type                                NT5DS
    CrossSiteSyncFlags                  2
    ResolvePeerBackoffMinutes           15
    ResolvePeerBackoffMaxTimes          7
    SpecialPollInterval                 3600
    EventLogFlags                       0
Enable Windows NTP Client               Enabled

For the PDCe I change the value of "AnnounceFlags" to 5 and "Type" to NTP. I target the PDCe with a WMI filter.
Frank Helk wrote:
To the question part about redundancy in the time sources:

You can add possibly as many time sources to the NTP config file (ntp.conf) as you like.

NTP communicates with all of them and does statistics checking all the time to find out which server is the most reliable time source at the moment. That server is used, the others are "reserve".

I would recommend making use of the public ntp pool service at

Here's an example of a ntp.conf with several server entries from the "worldwide" ntp pool:
server iburst
server iburst
server iburst
server iburst

driftfile %windir%\\ntp.drift
logfile C:\temp\ntp.log

There are regional (roughly "continental") groups of servers, too.
bergquistcompany wrote:

I'm sorry, let me clarify the scenario.

External time source - Domain Controller - All other servers/Desktops

Currently all internal machines point to this one DC for time via NTP, and that machine in turn gets its time externally. The external part isn't an issue, but we had an issue with the DC where the time service stopped and it thus wasn't serving time; when machines couldn't be logged in we noticed the 30 min delay, fixed the DC and all worked again.

I am trying to avoid that by having a secondary DC in sync with the current one so if one stops providing time the other can pick up?

All domain controllers are time servers... Your PDCe is the authoritative time server and should sync with either a hardware clock if you have one on your network or some external time source which is trustworthy. All your domain controllers will sync with the PDCe and your member servers will choose a domain controller as a time source using an algorithm that weights domain controllers by AD site proximity, time server settings (AnnounceFlags) and what FSMO role it holds (specifically whether it's a PDCe or not). If you leave Windows Time to do what it's supposed to, it will just work. Once you start messing with the configurations without truly understanding what those settings impact, you are opening a can of worms...

Again, I would urge you to manage time services via GPO.

Recommended reading:
If your client machines have internet access (at least for NTP), I would recommend letting 'em sync themselves (and the DC itself) with the external time sources. That would keep most of your domain in sync, provide more stable time and circumvent the DC as a stability bottleneck. If the DC itself gets unsynced, it could drift away anyhow.

If you point your NTP clients to more than one NTP time source, they will figure out the best of 'em and sync to it. If it fails or degrades, they shift over to another. That's one part of the magic within NTP.

And last, but not least: There are simple ways to monitor NTP servers and clients (which is mostly the same - any NTP client is a server, too). Just try NTPMonitor. Another way - very nice to use on *UX machines with some grep/sed/awk magic - is
ntpq -p [remoteserver]

With that you can query the state of the remote machine and interpret the results. RTFM of ntpq for details or ask for more if that doesn't help.
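Added example, not from Frank Helk's post: a Python check that parses `ntpq -p` output and flags the peers a monitor should alert on (reach register not full, stratum 16, offset beyond a threshold, no system peer selected). The sample output is constructed, and its hostnames and addresses are placeholders.

```python
# Constructed sample in the `ntpq -p` layout; hosts and addresses are placeholders.
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*mypdc.example.l 192.0.2.10       2 u   34   64  377    0.412   -0.215   0.087
+mybdc.example.l 192.0.2.10       2 u   12   64  377    0.530    1.120   0.150
 old-dc.example. .INIT.          16 u    -   64    0    0.000    0.000   0.000
-pool1.example.o 203.0.113.5      3 u   50   64  177    9.870  450.300   2.100
"""

# Tally code ntpq prints in column 1: '*' is the peer the clock is disciplined
# from; anything else means that peer is not the current system peer.
TALLY = {"*": "syspeer", "+": "candidate", "-": "outlier", "x": "falseticker",
         "#": "backup", "o": "pps", ".": "excess", " ": "rejected"}

def parse_ntpq(text):
    """Return one dict per peer line; header and separator lines are skipped."""
    peers = []
    for line in text.splitlines():
        if not line or line.startswith("=") or line.lstrip().startswith("remote"):
            continue
        fields = line[1:].split()
        if len(fields) != 10:
            continue
        remote, refid, st, _t, _when, _poll, reach, _delay, offset, jitter = fields
        peers.append({"tally": TALLY.get(line[0], "unknown"), "remote": remote,
                      "refid": refid, "stratum": int(st),
                      "reach": int(reach, 8),      # reach register is printed in octal
                      "offset_ms": float(offset), "jitter_ms": float(jitter)})
    return peers

def check_peers(peers, max_offset_ms=128.0):
    """Return (healthy, findings); healthy means nothing needs attention."""
    findings = []
    for p in peers:
        if p["reach"] == 0:
            findings.append(f"{p['remote']}: unreachable (refid {p['refid']})")
        elif p["reach"] != 0o377:
            findings.append(f"{p['remote']}: missed polls (reach {p['reach']:o})")
        if p["stratum"] >= 16:
            findings.append(f"{p['remote']}: unsynchronised (stratum 16)")
        if abs(p["offset_ms"]) > max_offset_ms:
            findings.append(f"{p['remote']}: offset {p['offset_ms']} ms > {max_offset_ms} ms")
    if not any(p["tally"] == "syspeer" for p in peers):
        findings.append("no system peer selected: local clock is free-running")
    return not findings, findings
```

Feed it the real output of `ntpq -p` from each DC on a schedule; a result of `(False, [...])` on the PDCe is exactly the "time service stopped" condition the thread is about, caught before clients drift.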
Based on the responses and what I read in the links, we currently have an empty root domain from 2003 setup days and 2 DCs in that domain that back each other up. One gets its time from an external source and is the NTP server all clients point to.

However it sounds like it doesn't work well across domains so I should have a secondary NTP server on the client domain pointing externally and all the clients on that domain point to that server?

@frankhelk - How can I point the clients to multiple NTP time sources as this is exactly what I need so if my DC goes down they aren't all out of sync rather they shift to another?

I will also check NTP monitor.
You really need to thoroughly read this article:
How the Windows Time Service Works

The ONLY server in the forest that needs to be configured for time is the PDCe in the Forest Root Domain.  Every other computer in the Forest should use the built-in Windows Time Hierarchy.

I also recommend using, for the USA, as my external time server,0x1. That gives you a pool of hundreds of highly reliable external time servers.

If you are having to manually configure any other computer in your environment other than the root forest domain's PDCe, you are doing it wrong.
Also, do NOT use the top level time-gov in the first place.  There are plenty of time servers that are not only closer to you geographically, but also they are going to be inherently more accurate due to the latency/drift inconsistency.

Also what CarlWebster touched on, but didn't emphasize, is that the reason MSFT did it this way is because this is how you want it to be. You want every system in your domain to have exactly the same time. So that is why the one system that gets time from the outside world must be the time server for everybody else in your domain. This is the only way to ensure consistency, especially when they add leap seconds or if a machine isn't allowed to talk to the outside world for security reasons or just misconfiguration issues.
You can set up any server on the domain, including another DC, to synchronize with an outside time source. However, due to the way a Windows domain is configured, the clients will all automatically synch with the server that has the PDC emulator role.  So, in order to have the clients synch with a different DC, you'd have to move the PDC emulator role to that DC.  If the DC you have now acting as the PDC emulator has a wonky time service that won't run reliably, then the only way to resolve this would be to move the PDC emulator role to another domain controller.

However, I'm a little confused about your reference to an "empty" Windows 2003 domain and a separate "client" domain.  Could you please explain this configuration further?

BTW, you should be using, which uses a round-robin method of synchronization with numerous time servers belonging to NIST. This provides the safest and most reliable method of synchronizing, as you don't have to worry about whether a specific server is responding properly or not.  Here's a link about this:
hypercat, Microsoft, in years past, recommended an empty root forest domain and then child domains.  You could have account child domains and resource child domains.  None of this really made much sense from a security viewpoint so Microsoft did away with those recommendations.

If you read Microsoft's current recommendations, they recommend a much simpler design.
Thank you for the tip about the nist servers being redone.  Last time I looked at that was maybe 10 years ago, and had issues with them timing out.  Hence I always found several public time servers geographically located near me and set them manually.

I have to say I don't remember that being any type of "standard," and I've been working with Microsoft networking since the early 90's. Could be my oldtimer's disease kicking in, or maybe I forgot it, as I tend to do with many dysfunctional Microsoft recommendations of the past.
Sorry ... I've been a little bit off line from this question.
@frankhelk - How can I point the clients to multiple NTP time sources as this is exactly what I need so if my DC goes down they aren't all out of sync rather they shift to another?

Just as in the example I've pointed out above for using servers from Just include them into your ntp.conf file:
server mypdc iburst prefer
server mybdc iburst

driftfile %windir%\\ntp.drift
logfile C:\temp\ntp.log

Note: The use of ntp.conf for configuration issues is limited to the classic NTP client (*ux) and its descendants for other OS's (Windows, Apple's OS, etc.). Since I had hassle with the Windows timekeeping crap (W32time) whenever I used it in NTP mode, I would recommend to kick W32time out and use the classic client (see my article on this).

If you insist on using W32time, it can use multiple NTP sources too. Depending on your Windows version, one of these commands should work:
w32tm /config /syncfromflags:manual /manualpeerlist:"mypdc mybdc"

net time /setsntp:"mypdc mybdc"

Besides my experience of it being unstable, the diagnostics of NTP performance & problems are more cryptic (by far) with W32time.

Last but not least, the use of the classic NTP client would separate the role "time server" from the role "domain controller" - if you like it that way, you might even set up a separate appliance solely for timekeeping ... there's explicit hardware around for that. And you might kick the concept of a local NTP server completely and let all clients sync to an external NTP server pool (see the article or my post about above)
@dlethe: You should have a look at That would save you from the task of perpetual checking the availability of your configured time servers. The pool of supplied servers is provided granular down to countries, i.e.

would give servers only in Germany.
Three things to consider while configuring the time service in a domain environment:

1) Guest DC should not sync with the host time service. To achieve this, run this if the host is Hyper-V, referred from
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0 

2) PDC should sync with an external time source. To achieve this, run the below:

net stop w32time
w32tm /unregister
w32tm /register
net start w32time
net time /setsntp: 
net stop w32time & net start w32time
w32tm /config / /syncfromflags:manual /reliable:yes /update
w32tm /resync /rediscover
net stop w32time & net start w32time

3) All DCs should sync with the PDC. To achieve this, run the below:

net stop w32time 
w32tm /unregister 
w32tm /register 
net start w32time 
net time /setsntp: 
net stop w32time & net start w32time
w32tm /config /syncfromflags:domhier /update
w32tm /resync /rediscover
net stop w32time & net start w32time

Let me know if you are using VMware.
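Added example, not from the thread: a Python audit of `w32tm /query /configuration` output that checks the settings userPrincipalName and Sarang Tinguria describe (AnnounceFlags 5 and Type NTP on the PDCe, 10 and NT5DS on every other DC, VMICTimeProvider disabled on a Hyper-V guest). The sample output is constructed, and the `Key: value (Local)` layout under `[Configuration]` and provider headings is an assumption about w32tm's output format.

```python
import re
# Constructed sample in the layout `w32tm /query /configuration` prints; the
# 'Key: value (Local)' lines under [Configuration] and provider headings are assumed.
SAMPLE_W32TM = """\
[Configuration]
EventLogFlags: 2 (Local)
AnnounceFlags: 10 (Local)
[TimeProviders]
NtpClient (Local)
Enabled: 1 (Local)
Type: NT5DS (Local)
VMICTimeProvider (Local)
Enabled: 1 (Local)
"""

# Role-dependent values from the thread: the PDCe announces as a reliable source
# (AnnounceFlags 5) and syncs via NTP; other DCs announce 10 and follow NT5DS.
EXPECTED = {True: {"AnnounceFlags": "5", "Type": "NTP"},
            False: {"AnnounceFlags": "10", "Type": "NT5DS"}}

def parse_w32tm(text):
    """Return {section: {key: value}}; provider headings become their own sections."""
    config, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif ":" not in line:                      # e.g. "NtpClient (Local)"
            section = line.split()[0]
        else:
            key, _, value = line.partition(":")
            value = re.sub(r"\s*\((Local|Policy)\)$", "", value.strip())
            config.setdefault(section, {})[key.strip()] = value
    return config

def audit(config, is_pdce, hyperv_guest=True):
    """List deviations from the expected settings for this DC's role."""
    want, issues = EXPECTED[is_pdce], []
    flags = config.get("Configuration", {}).get("AnnounceFlags")
    if flags != want["AnnounceFlags"]:
        issues.append(f"AnnounceFlags is {flags}, expected {want['AnnounceFlags']}")
    ctype = config.get("NtpClient", {}).get("Type")
    if ctype != want["Type"]:
        issues.append(f"NtpClient Type is {ctype}, expected {want['Type']}")
    if hyperv_guest and config.get("VMICTimeProvider", {}).get("Enabled") == "1":
        issues.append("VMICTimeProvider enabled: a guest DC will take time from the host")
    return issues
```

Run against the captured output of each DC with `is_pdce` set from the FSMO role; an empty list means the DC matches the GPO values given earlier in the thread.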
Thanks I'll review all the suggestions
Just a small comment at the end: If you use W32time to sync time in a domain, the "time master" role is automatically combined with the DC role and cannot be separated from it. If the BDC replaces a failing DC, it gets its time server role, too.

The only way to circumvent this - only weakly (if at all) required - intermix of roles is to do time sync separately with classic NTP (just repeating the reference: my article about NTP).
@userPrincipalName - So you have the GPO you showed applied to ALL systems or just all DCs that are not the PDCe? Then you have a secondary GPO for the PDCe?

We have all our servers in the same OU, so I'm thinking if I created a policy at the OU level then it would hit the PDCe also, so I would apply the secondary to the PDCe so it would override?

Thus if my time service stopped on my VM host where my PDCe resides it should still work as it isn't pointing to the VM host for time?
@CarlWebster and @dlethe - so if I only configure the PDCe, is it in the registry still that you are doing this, or GPO on that machine only?
@sarang_tinguria yes, using VMware, and given my PDCe is a VM it gets its time from the host even though I have it set up in the registry to go to NTPServer .gov.

Thus when the host time service went down my PDCe VM had the wrong time and served it. Shouldn't having set the NTP override the PDCe from using the host time?
this is exactly my issue