Solved

Domain Controller Time Sync

Posted on 2014-02-09
6
5,162 Views
Last Modified: 2014-02-14
I have a network with 6 DC’s. Two are in a central location four are in off-site locations. They are connected through VPN tunnels. These tunnels do not filter traffic. I have setup time sync through the policies Computer Configuation\Policies\Administrative Templates\System\Windows Time Service.

A server in the central location synchronizes its time with pool.ntp.org. The domain controllers (and every other server) sync their time with this server. The domain controllers in the central location sync their time according to the policy settings. The DC’s in the off-site locations do not. Computers and other servers in the remote sites do sync their clocks.

All of the remote DCs are physical machines.

Running this command on DC2.Contoso.local (off-site server): w32tm /query /configuration
[Configuration]

EventLogFlags: 2 (Policy)
AnnounceFlags: 10 (Policy)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 10 (Policy)
MaxPollInterval: 15 (Policy)
MaxNegPhaseCorrection: 54000 (Policy)
MaxPosPhaseCorrection: 54000 (Policy)
MaxAllowedPhaseOffset: 59 (Policy)

FrequencyCorrectRate: 4 (Policy)
PollAdjustFactor: 5 (Policy)
LargePhaseOffset: 1280000 (Policy)
SpikeWatchPeriod: 90 (Policy)
LocalClockDispersion: 10 (Policy)
HoldPeriod: 5 (Policy)
PhaseCorrectRate: 1 (Policy)
UpdateInterval: 30000 (Policy)

[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Policy)
ResolvePeerBackoffMaxTimes: 7 (Policy)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 0 (Policy)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 1800 (Policy)
Type: NTP (Policy)
NtpServer: Time-Srv01.Contoso.local,0x8 (Policy)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)

These settings are what I entered into the policy.

However when you ask for the status:

w32tm /query /status
Leap Indicator: 3(last minute has 61 seconds)
Stratum: 0 (unspecified)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0000000s
Root Dispersion: 0.0000000s
ReferenceId: 0x00000000 (unspecified)
Last Successful Sync Time: unspecified
Source: Local CMOS Clock
Poll Interval: 10 (1024s)

Or ask for the source:

w32tm /query /computer:localhost /source
Local CMOS Clock

The off-site servers keep coming back with ‘Local CMOS Clock’.

I’ve tried:
W32tm /unregister
[reboot]
W32tm /register

…changing the NTP target to a different server.
…manually changing the w32tm settings: w32tm /config/computer:<name of DC>/manualpeerlist: Time-Srv01.Contoso.local /syncfromflags:manual /update

If anyone has a good suggestion, I’d love to hear it.
0
Comment
Question by:computication
  • 3
  • 2
6 Comments
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 39846283
To configure a client computer or a member server to sync time from the domain, run the following command:

w32tm /config /syncfromflags:domhier /update
And then stop and restart the time service by running:

net stop w32time && net start w32time
This should be all you need to do.
0
 
LVL 3

Author Comment

by:computication
ID: 39846339
Hallo Greg,

Thank you for your comment. I tried it, no result. The source remains the Local CMOS Clock.

Kind regards,

Martijn
0
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 39846374
Here are the registry keys:  

1. Change Windows to use the NTP protocol for time synchronization:
Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
Value: Type
Data: NTP

2. Configure the AnnounceFlags value:
Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config
Value: AnnounceFlags
Data: 5

3. Enable the NTP server value:
Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
Value: Enabled
Data: 1

4. Specify the NTP server to use:
Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
Value: NtpServer
Data: pool.ntp.org,0×1

5. Select the NTP polling interval:
Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
Value: SpecialPollInterval
Data: 900

6. Configure the time correction settings:
Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config
Value: MaxPosPhaseCorrection
Radix: Decimal
Data: 3600

Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config
Value: MaxNegPhaseCorrection
Radix: Decimal
Data: 3600

After this, stopping and restarting the NTP service should get you working.

If this is a VM make sure the host/guest NTP Services are setup correctly.

stop start ntp after making changes.

regards,

Greg
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 3

Accepted Solution

by:
computication earned 0 total points
ID: 39846378
Hallo Greg,

I fixed it. I changed the server type in the policy to NT5DS. Thanks for your suggestions, much appreciated.

Kind regards,

M
0
 
LVL 14

Expert Comment

by:frankhelk
ID: 39846752
Just a basic comment anyhow .... W32time, the timekeeping service in Windows. I experienced more than enough trouble with that piece of crap when in NTP mode to avoid using it whenever I can.

My recommendation:

Use a Windows port of the classic *ix NTP service. The NTP service software is free. Easy to install and configure, works like a charm and is stable as a rock. And it is nicer when it comes to one of the rare cases of troubleshooting.

See this article for the "How To".

The NTP service has a low ressource footprint, therefore the NTP functionality could be hooked onto existing machines or VM's like webservers, ftp servers, mailservers or database hosts - even in a DMZ - without visible performance impact.
0
 
LVL 3

Author Closing Comment

by:computication
ID: 39858552
It worked.
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question