Solved

Domain Controller Time Sync

Posted on 2014-02-09
6
5,204 Views
Last Modified: 2014-02-14
I have a network with 6 DC’s. Two are in a central location four are in off-site locations. They are connected through VPN tunnels. These tunnels do not filter traffic. I have setup time sync through the policies Computer Configuation\Policies\Administrative Templates\System\Windows Time Service.

A server in the central location synchronizes its time with pool.ntp.org. The domain controllers (and every other server) sync their time with this server. The domain controllers in the central location sync their time according to the policy settings. The DC’s in the off-site locations do not. Computers and other servers in the remote sites do sync their clocks.

All of the remote DCs are physical machines.

Running this command on DC2.Contoso.local (off-site server): w32tm /query /configuration
[Configuration]

EventLogFlags: 2 (Policy)
AnnounceFlags: 10 (Policy)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 10 (Policy)
MaxPollInterval: 15 (Policy)
MaxNegPhaseCorrection: 54000 (Policy)
MaxPosPhaseCorrection: 54000 (Policy)
MaxAllowedPhaseOffset: 59 (Policy)

FrequencyCorrectRate: 4 (Policy)
PollAdjustFactor: 5 (Policy)
LargePhaseOffset: 1280000 (Policy)
SpikeWatchPeriod: 90 (Policy)
LocalClockDispersion: 10 (Policy)
HoldPeriod: 5 (Policy)
PhaseCorrectRate: 1 (Policy)
UpdateInterval: 30000 (Policy)

[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Policy)
ResolvePeerBackoffMaxTimes: 7 (Policy)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 0 (Policy)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 1800 (Policy)
Type: NTP (Policy)
NtpServer: Time-Srv01.Contoso.local,0x8 (Policy)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)

These settings are what I entered into the policy.

However when you ask for the status:

w32tm /query /status
Leap Indicator: 3(last minute has 61 seconds)
Stratum: 0 (unspecified)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0000000s
Root Dispersion: 0.0000000s
ReferenceId: 0x00000000 (unspecified)
Last Successful Sync Time: unspecified
Source: Local CMOS Clock
Poll Interval: 10 (1024s)

Or ask for the source:

w32tm /query /computer:localhost /source
Local CMOS Clock

The off-site servers keep coming back with ‘Local CMOS Clock’.

I’ve tried:
W32tm /unregister
[reboot]
W32tm /register

…changing the NTP target to a different server.
…manually changing the w32tm settings: w32tm /config/computer:<name of DC>/manualpeerlist: Time-Srv01.Contoso.local /syncfromflags:manual /update

If anyone has a good suggestion, I’d love to hear it.
0
Comment
Question by:computication
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 39846283
To configure a client computer or a member server to sync time from the domain, run the following command:

w32tm /config /syncfromflags:domhier /update
And then stop and restart the time service by running:

net stop w32time && net start w32time
This should be all you need to do.
0
 
LVL 3

Author Comment

by:computication
ID: 39846339
Hallo Greg,

Thank you for your comment. I tried it, no result. The source remains the Local CMOS Clock.

Kind regards,

Martijn
0
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 39846374
Here are the registry keys:  

1. Change Windows to use the NTP protocol for time synchronization:
Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
Value: Type
Data: NTP

2. Configure the AnnounceFlags value:
Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config
Value: AnnounceFlags
Data: 5

3. Enable the NTP server value:
Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
Value: Enabled
Data: 1

4. Specify the NTP server to use:
Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
Value: NtpServer
Data: pool.ntp.org,0×1

5. Select the NTP polling interval:
Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
Value: SpecialPollInterval
Data: 900

6. Configure the time correction settings:
Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config
Value: MaxPosPhaseCorrection
Radix: Decimal
Data: 3600

Key: HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config
Value: MaxNegPhaseCorrection
Radix: Decimal
Data: 3600

After this, stopping and restarting the NTP service should get you working.

If this is a VM make sure the host/guest NTP Services are setup correctly.

stop start ntp after making changes.

regards,

Greg
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 3

Accepted Solution

by:
computication earned 0 total points
ID: 39846378
Hallo Greg,

I fixed it. I changed the server type in the policy to NT5DS. Thanks for your suggestions, much appreciated.

Kind regards,

M
0
 
LVL 14

Expert Comment

by:frankhelk
ID: 39846752
Just a basic comment anyhow .... W32time, the timekeeping service in Windows. I experienced more than enough trouble with that piece of crap when in NTP mode to avoid using it whenever I can.

My recommendation:

Use a Windows port of the classic *ix NTP service. The NTP service software is free. Easy to install and configure, works like a charm and is stable as a rock. And it is nicer when it comes to one of the rare cases of troubleshooting.

See this article for the "How To".

The NTP service has a low ressource footprint, therefore the NTP functionality could be hooked onto existing machines or VM's like webservers, ftp servers, mailservers or database hosts - even in a DMZ - without visible performance impact.
0
 
LVL 3

Author Closing Comment

by:computication
ID: 39858552
It worked.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In-place Upgrading Dirsync to Azure AD Connect
This article explains the steps required to use the default Photos screensaver to display branding/corporate images
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question