Solved

Domain Controller Time Sync

Posted on 2014-02-09
6
5,024 Views
Last Modified: 2014-02-14
I have a network with 6 DC’s. Two are in a central location four are in off-site locations. They are connected through VPN tunnels. These tunnels do not filter traffic. I have setup time sync through the policies Computer Configuation\Policies\Administrative Templates\System\Windows Time Service.

A server in the central location synchronizes its time with pool.ntp.org. The domain controllers (and every other server) sync their time with this server. The domain controllers in the central location sync their time according to the policy settings. The DC’s in the off-site locations do not. Computers and other servers in the remote sites do sync their clocks.

All of the remote DCs are physical machines.

Running this command on DC2.Contoso.local (off-site server): w32tm /query /configuration
[Configuration]

EventLogFlags: 2 (Policy)
AnnounceFlags: 10 (Policy)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 10 (Policy)
MaxPollInterval: 15 (Policy)
MaxNegPhaseCorrection: 54000 (Policy)
MaxPosPhaseCorrection: 54000 (Policy)
MaxAllowedPhaseOffset: 59 (Policy)

FrequencyCorrectRate: 4 (Policy)
PollAdjustFactor: 5 (Policy)
LargePhaseOffset: 1280000 (Policy)
SpikeWatchPeriod: 90 (Policy)
LocalClockDispersion: 10 (Policy)
HoldPeriod: 5 (Policy)
PhaseCorrectRate: 1 (Policy)
UpdateInterval: 30000 (Policy)

[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Policy)
ResolvePeerBackoffMaxTimes: 7 (Policy)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 0 (Policy)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 1800 (Policy)
Type: NTP (Policy)
NtpServer: Time-Srv01.Contoso.local,0x8 (Policy)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)

These settings are what I entered into the policy.

However when you ask for the status:

w32tm /query /status
Leap Indicator: 3(last minute has 61 seconds)
Stratum: 0 (unspecified)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0000000s
Root Dispersion: 0.0000000s
ReferenceId: 0x00000000 (unspecified)
Last Successful Sync Time: unspecified
Source: Local CMOS Clock
Poll Interval: 10 (1024s)

Or ask for the source:

w32tm /query /computer:localhost /source
Local CMOS Clock

The off-site servers keep coming back with ‘Local CMOS Clock’.

I’ve tried:
W32tm /unregister
[reboot]
W32tm /register

…changing the NTP target to a different server.
…manually changing the w32tm settings: w32tm /config/computer:<name of DC>/manualpeerlist: Time-Srv01.Contoso.local /syncfromflags:manual /update

If anyone has a good suggestion, I’d love to hear it.
0
Comment
Question by:computication
  • 3
  • 2
6 Comments
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 39846283
To configure a client computer or a member server to sync time from the domain, run the following command:

w32tm /config /syncfromflags:domhier /update
And then stop and restart the time service by running:

net stop w32time && net start w32time
This should be all you need to do.
0
 
LVL 3

Author Comment

by:computication
ID: 39846339
Hallo Greg,

Thank you for your comment. I tried it, no result. The source remains the Local CMOS Clock.

Kind regards,

Martijn
0
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 39846374
Here are the registry keys:  

1. Change Windows to use the NTP protocol for time synchronization:
Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
Value: Type
Data: NTP

2. Configure the AnnounceFlags value:
Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config
Value: AnnounceFlags
Data: 5

3. Enable the NTP server value:
Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
Value: Enabled
Data: 1

4. Specify the NTP server to use:
Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
Value: NtpServer
Data: pool.ntp.org,0×1

5. Select the NTP polling interval:
Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
Value: SpecialPollInterval
Data: 900

6. Configure the time correction settings:
Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config
Value: MaxPosPhaseCorrection
Radix: Decimal
Data: 3600

Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config
Value: MaxNegPhaseCorrection
Radix: Decimal
Data: 3600

After this, stopping and restarting the NTP service should get you working.

If this is a VM make sure the host/guest NTP Services are setup correctly.

stop start ntp after making changes.

regards,

Greg
0
 
LVL 3

Accepted Solution

by:
computication earned 0 total points
ID: 39846378
Hallo Greg,

I fixed it. I changed the server type in the policy to NT5DS. Thanks for your suggestions, much appreciated.

Kind regards,

M
0
 
LVL 13

Expert Comment

by:frankhelk
ID: 39846752
Just a basic comment anyhow .... W32time, the timekeeping service in Windows. I experienced more than enough trouble with that piece of crap when in NTP mode to avoid using it whenever I can.

My recommendation:

Use a Windows port of the classic *ix NTP service. The NTP service software is free. Easy to install and configure, works like a charm and is stable as a rock. And it is nicer when it comes to one of the rare cases of troubleshooting.

See this article for the "How To".

The NTP service has a low ressource footprint, therefore the NTP functionality could be hooked onto existing machines or VM's like webservers, ftp servers, mailservers or database hosts - even in a DMZ - without visible performance impact.
0
 
LVL 3

Author Closing Comment

by:computication
ID: 39858552
It worked.
0

Join & Write a Comment

Suggested Solutions

Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now