NTP time is off on PDC

We have been noticing that our PDC has been keeping incorrect time, and I attempted to correct this with the following commands:

net stop w32time
The Windows Time service is stopping.
The Windows Time service was stopped successfully.

w32tm /unregister
W32Time successfully unregistered.

w32tm /register
W32Time successfully registered.

net start w32time
The Windows Time service is starting..
The Windows Time service was started successfully.

w32tm /config /manualpeerlist:<LOCAL>0x1 /syncfromflags:manual /reliable:yes /update
The command completed successfully.

w32tm /config /update
The command completed successfully.

w32tm /resync /rediscover
The computer did not resync because no time data was available.

After this I looked into the situation a little more and saw a warning in the server logs that may explain more:

Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

I then looked into the GPO and saw that the NTP server is time.windows.com,0x1 and the type is NT5DS.

I am now just looking for a method to update our NTP to a local NTP server and a public backup if possible.

Any assistance would be great.
nextechexchadmin Asked:

nextechexchadmin Author Commented:
I figured it out.  There was a default GPO that was being applied to the PDC.  The policy stated to look to the PDC for time and so the PDC looked to himself for it and thus got slowly off.

I edited the GPO to exclude a container of DCs and then locally edited the GPO on the PDC to look to a global NTP server and then the other DCs to once again look to the PDC.

Thanks for all the attempts.
0
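The situation described in the accepted answer, a GPO pointing the forest-root PDC emulator at the domain hierarchy, can be checked directly on the DC. The following is an added example, not code from the thread: it compares the Group Policy copy of the W32Time parameters with the local copy (policy values take precedence over what `w32tm /config` writes) and flags a PDC emulator whose effective type is NT5DS. It assumes Windows PowerShell on a domain controller and a Windows version that has `w32tm /query`.

```powershell
# Added example: explain why "w32tm /config" appears to have no effect on a PDC.
# Values under the Policies key come from Group Policy and override the local key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function Get-TimeSetting {
    param([string]$Key, [string]$Origin)
    $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Origin    = $Origin
        Type      = $p.Type        # NT5DS, NTP, NoSync or AllSync
        NtpServer = $p.NtpServer   # e.g. "time.windows.com,0x1"
    }
}

$policy = Get-TimeSetting -Key $policyKey -Origin 'Group Policy'
$local  = Get-TimeSetting -Key $localKey  -Origin 'Local (w32tm /config)'
$policy, $local | Format-Table -AutoSize

# The effective value is the policy value when one is set, otherwise the local one.
$effectiveType = if ($policy.Type) { $policy.Type } else { $local.Type }

# Determine whether this machine holds the PDC emulator role for its domain.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
$pdc    = $domain.PdcRoleOwner.Name
$isPdc  = $pdc -like "$env:COMPUTERNAME.*"
"PDC emulator: $pdc (this machine: $isPdc)"

if ($isPdc -and $effectiveType -eq 'NT5DS') {
    # NT5DS means "follow the domain hierarchy". At the forest root the PDC
    # emulator has nothing above it, so it free-runs on its own clock.
    Write-Warning "PDC emulator has effective Type=NT5DS; it has no upstream time source."
    if ($policy.Type) {
        Write-Warning "The value comes from Group Policy, so local w32tm /config changes are overridden."
        # List the GPOs applied to this computer to find the one carrying the setting.
        gpresult /r /scope computer
    }
}

# What the running service actually uses right now.
w32tm /query /source
w32tm /query /status
```

If the warning fires with a policy-sourced value, the fix is the one described above: scope the time GPO so it no longer applies to the PDC emulator, then give that DC an external or network-local NTP source.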
 
Mike Roe Commented:
Great website to do this with an external source

http://support.microsoft.com/kb/816042/en-us
0
 
David Johnson, CD, MVP Owner Commented:
Is port 123 blocked?

This fixit has some good tips.
0
frankhelk Commented:
In your command
w32tm /config /manualpeerlist:<LOCAL>0x1 /syncfromflags:manual /reliable:yes /update

you've set the W32time client to sync to its own local clock, haven't you? That looks a bit crazy.

I would recommend to use the service at pool.ntp.org for a selection of time servers. So your command should read
w32tm /config /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" /syncfromflags:manual /reliable:yes /update

Besides this "worldwide" set of servers there are regional ("continental", or even more fine-grained: "per country") sets of servers, too.

A more basic tip: I've had hassle with W32time in NTP mode whenever I used it. My recommendation would be to just disable W32time and use "the real thing" - a Windows port of the standard NTP implementation. See here for a list.

In that case you should add the servers to your ntp.conf file in this way:
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst

0
 
nextechexchadmin Author Commented:
Fredbear891:
I had to wait for a service window to test this.  I downloaded the "Fix-It" and typed in the IP for a local NTP server, and then after about a minute of a bar going across it would respond that it failed, but with no explanation.

ve3ofa:
I used PortQryUI and the port is not blocked.

frankhelk:
The reference in my code <LOCAL> was to represent a network local NTP server IP, not the local PDC.

Thanks for the help so far, but... any more ideas?
0
 
frankhelk Commented:
My recommendation for the original NTP software applies to local applications, too.

Since NTP bandwidth usage is not an issue in local networks, a simple ntp.conf would look like this:
server <LOCAL> minpoll 6 maxpoll 6 iburst

driftfile %windir%\\ntp.drift
logfile C:\temp\ntp.log

The minpoll/maxpoll options fix the polling interval to "once every 64 seconds" (2^6).
0
 
Mike Roe Commented:
Make sure port 123 is open on your firewall/router, as stated above.
0
 
nextechexchadmin Author Commented:
frankhelk:
I apologize for misunderstanding you.  I plan to attempt that in another maintenance window.

Fredbear891:
This server and the NTP server are both local, with no router in between.

I am also looking into excluding the PDC from the GPO that the client machines get their NTP from and either editing the GPO locally or just issuing the commands I previously stated.
0
 
frankhelk Commented:
Anyhow - if you want to give a standard NTP service a try, please take a look at this article.
0
 
nextechexchadmin Author Commented:
The issue was more GPO, and I had seen this in other posts, but no one seemed to look towards it in my post here.
0
Question has a verified solution.