Active Directory Time Service Sync drops off in Server 2008 Domain

I have an Active Directory domain with two domain controllers running Server 2008 in Hyper-V. One of them is the PDC Emulator. On it, I have Time Synchronization disabled in the VM Settings, in Hyper-V. I have it set as a reliable time source, using the NTP time servers, and normally it works fine and all of our workstations remain synced.

Issue #1 - Whenever I restart that server for updates, the time sync goes away and everyone's workstation time starts to drift. I have to go through the process below to get it back. That's for all workstations.

Issue #2 - Also, we have mostly XP workstations but a few are Windows 7. The Windows 7 workstations occasionally lose their sync even when I do not restart the Domain Controller. I have no idea why - I use some commands to get it back on them also, like w32tm /resync /rediscover, and restart the time service, etc.

So, I'm hoping that the answer to Issue #1 will help me with Issue #2, but if anyone has advice for either it is greatly appreciated! Here is what I have to do on the DC to make it work again:

1. On the PDC Emulator - To clear the current time configuration, do the following:
 
net stop w32time

w32tm /unregister

w32tm /register

net start w32time
 
Unregistering will remove the whole w32tm key from the registry, while registering will create a fresh key filled with the Windows defaults.

2. Then on the PDC Emulator add the time service, make the server a reliable source:

w32tm /config /manualpeerlist:north-america.pool.ntp.org,0x1 /syncfromflags:MANUAL /update /reliable:yes

3. Restart the time service:
 
net stop w32time
net start w32time

Thanks!
Asked by: ksoszka
zalazar Commented:
The w32tm commands look fine.
I assume you also have Time Synchronization disabled in Hyper-V settings for the other domain controller.

Some other questions I have:
If you give the command "w32tm /resync" on the domain controller with the PDC role, does it sync correctly then (check the event log)?

Did you do any time configuration on the other domain controller?
To correct:
w32tm /config /syncfromflags:DOMHIER /reliable:no /update

Did you check on the Windows XP workstations if the registry value is NT5DS for:
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type

Is there a firewall between the DCs and the Windows XP workstations?
Did you maybe check the System event log for W32Time entries on the Windows XP workstations?

ksoszka (Author) Commented:
Hi Zalazar, thanks for your response.

I do have Time Synchronization disabled in Hyper-V settings for the other domain controller.

The domain controller with the PDC role does sync correctly all of the time, with the NTS - not an issue. It's the workstations that lose the sync with the DC. Sorry if I didn't state that clearly.

On the Windows XP workstations the registry value is NT5DS for:
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type

There is a firewall but I don't think that is causing the issue, as it was happening before that firewall existed (recently moved our servers from our offices to a data center).

Now the good stuff:

Upon checking the System event log for W32Time entries on the Windows XP workstations, I saw a series of W32Time events that led me to believe that maybe there was some time configuration done on the other domain controller. The domain name has been edited for privacy purposes. DC1 (.59) has the PDC role and DC2 (.60) is my secondary DC:

Event Type:      Error
Event Source:      W32Time
Event Category:      None
Event ID:      29
Date:            10/15/2013
Time:            1:22:00 PM
User:            N/A
Computer:      VM-KS-XP1
Description:
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible.  No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time.


Event Type:      Warning
Event Source:      W32Time
Event Category:      None
Event ID:      24
Date:            10/15/2013
Time:            1:22:00 PM
User:            N/A
Computer:      VM-KS-XP1
Description:
Time Provider NtpClient: No valid response has been received from domain controller VM-S8R2-DC2.MYDOMAIN.COM after 8 attempts to contact it. This domain controller will be discarded as a time source and NtpClient will attempt to discover a  new domain controller from which to synchronize.


Event Type:      Information
Event Source:      W32Time
Event Category:      None
Event ID:      35
Date:            10/15/2013
Time:            11:56:55 AM
User:            N/A
Computer:      VM-KS-XP1
Description:
The time service is now synchronizing the system time with the time source VM-S8R2-DC2.MYDOMAIN.COM (ntp.d|192.168.200.46:123->192.168.100.60:123).


Event Type:      Information
Event Source:      W32Time
Event Category:      None
Event ID:      35
Date:            10/11/2013
Time:            2:41:04 PM
User:            N/A
Computer:      VM-KS-XP1
Description:
The time service is now synchronizing the system time with the time source VM-S8R2-DC1.MYDOMAIN.COM (ntp.d|192.168.200.46:123->192.168.100.59:123).


Event Type:      Error
Event Source:      W32Time
Event Category:      None
Event ID:      29
Date:            10/11/2013
Time:            12:40:00 PM
User:            N/A
Computer:      VM-KS-XP1
Description:
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible.  No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time.


So, I am going to go ahead and run the following command on DC2 to see if that helps:

w32tm /config /syncfromflags:DOMHIER /reliable:no /update

Please let me know what you think, and thanks again!
ksoszka (Author) Commented:
UPDATE: As soon as I ran w32tm /config /syncfromflags:DOMHIER /reliable:no /update on the second DC and restarted the time service, the time on that machine, which had been 4 minutes off, synced with the correct time from DC1.

Does that make sense? It sounds good to me. I'll see how it goes for a couple of days and maybe do some updates and restart the servers to see if the issue is resolved. That's when it crops up usually, after I restart the DCs. Maybe because while DC1 was down, the workstations couldn't find it so they went to DC2 since it was also a reliable time source.

zalazar Commented:
This does indeed look promising so far.
About firewalling: I also think that it's not an issue, because according to the event log the workstation can sync the time with both domain controllers.

With an Active Directory domain setup, workstations and member servers will get their time from a domain controller. This can actually be any domain controller.
And non-PDC domain controllers will get their time from the domain controller with the PDC role.
It might be that there was a problem with the time synchronization on DC2.


What you can maybe still check is whether the time configuration is all right on the Hyper-V host servers, which run the domain controllers.
During a reboot of the domain controllers, the initial time, before the OS starts, will be the time of the Hyper-V host.

Because Time Synchronization in the Hyper-V settings is disabled, it's also important that the Hyper-V host servers and Hyper-V guest servers (domain controllers) have the same time zone configuration.
ksoszka (Author) Commented:
Apparently the other domain controller was also set to be a reliable time source. This fixed that:

Did you do any time configuration on the other domain controller?
To correct:
w32tm /config /syncfromflags:DOMHIER /reliable:no /update
zalazar Commented:
That's good to hear and thanks for the grade!
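
The resolution in this thread was that a second domain controller had also been flagged as a reliable time source. The following is an added example, not code from the thread or its participants: it reads the W32Time registry values that the w32tm /config commands above write and reports any DC whose role does not match. The host names DC1 and DC2 are placeholders, the function names are hypothetical, and the script assumes the Remote Registry service is reachable on each DC.

```powershell
# Added example, not from the thread. Host names are placeholders (assumptions).
$PdcEmulator       = 'DC1'          # DC holding the PDC Emulator role
$DomainControllers = 'DC1', 'DC2'   # every DC to audit

function Get-W32TimeSetting {
    param([string]$ComputerName)
    # Needs the Remote Registry service on the target and admin rights.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $root   = 'SYSTEM\CurrentControlSet\Services\W32Time'
        $params = $hklm.OpenSubKey("$root\Parameters")
        $config = $hklm.OpenSubKey("$root\Config")
        New-Object PSObject -Property @{
            Computer      = $ComputerName
            Type          = $params.GetValue('Type')        # NTP, NT5DS, NoSync or AllSync
            NtpServer     = $params.GetValue('NtpServer')   # manual peer list, if any
            AnnounceFlags = [int]$config.GetValue('AnnounceFlags')
        }
    } finally { $hklm.Close() }
}

function Test-W32TimeRole {
    param($Setting, [bool]$IsPdc)
    $findings = @()
    # Bit 0x4 means "always advertise as reliable"; /reliable:yes sets AnnounceFlags to 5.
    $reliable = ($Setting.AnnounceFlags -band 0x4) -ne 0
    if ($IsPdc) {
        if ($Setting.Type -ne 'NTP') { $findings += "Type is $($Setting.Type), expected NTP (manual peer list)" }
        if (-not $reliable)          { $findings += 'not flagged as a reliable time source' }
    } else {
        if ($Setting.Type -ne 'NT5DS') { $findings += "Type is $($Setting.Type), expected NT5DS (domain hierarchy)" }
        if ($reliable)                 { $findings += 'flagged reliable but is not the PDC Emulator' }
    }
    $findings
}

foreach ($dc in $DomainControllers) {
    $s = Get-W32TimeSetting -ComputerName $dc
    $f = @(Test-W32TimeRole -Setting $s -IsPdc ($dc -eq $PdcEmulator))
    if ($f.Count -eq 0) { '{0}: OK (Type={1}, AnnounceFlags={2})' -f $dc, $s.Type, $s.AnnounceFlags }
    else { $f | ForEach-Object { '{0}: {1}' -f $dc, $_ } }
}
```

A non-PDC DC reported as flagged reliable is the condition corrected in the thread with w32tm /config /syncfromflags:DOMHIER /reliable:no /update.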