Solved

Can't change time on 2008 R2 DC

Posted on 2014-04-15
29
1,408 Views
Last Modified: 2014-04-19
The clock on the DC at one of our locations is fast by 5 minutes.  When I change it and hit Apply, it changes to the new time and then immediately changes back to the previous time.

What would cause this?

How do I fix it?
0
Comment
Question by:jrsitman
  • 17
  • 5
  • 2
  • +3
29 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 40002425
Is this the PDC emulator in the forest root?   Time should be following the windows time hiearchy as outlined below

http://blogs.technet.com/b/nepapfe/archive/2013/03/01/it-s-simple-time-configuration-in-active-directory.aspx

Is this the only DC that is having issues?

Thanks

Mike
0
 
LVL 19

Expert Comment

by:helpfinder
ID: 40002450
Server which is holding PDC role is a server for syncing time in the domain. Server with PDC takes time from BIOS, external time server (ntp), router, etc all other DCs from this server and member servers and workstations from nearest available DC.

So if your server holds this FSMO role (PDC emulator) try to set some reliable time server, but if you write this is only server with time problem probably this is not a server with PDC (because then all computers in the domain should have 5 minute time lag).

On mentioned server use command net time and you will see from which source server is taking time.
Also check command w32tm /monitor for results
For set correct time do not change time manually but resync it using w32tm /resync
0
 

Author Comment

by:jrsitman
ID: 40002466
Yes it is the PDC, Yes it is the only server I can't change the time on.  In the past I was able to change it (I believe).  

I configured the server based on
http://support.microsoft.com/kb/816042

All 4 of my locations are configured the same way and for whatever reason this site always has the incorrect time after a few weeks.

Very frustrating.
0
 

Author Comment

by:jrsitman
ID: 40002473
I ran net time and it is getting it's time from itself.  I ran w23tm /monitor.  See attached
w32DCVMLB.png
0
 

Author Comment

by:jrsitman
ID: 40003044
Still need help!
0
 
LVL 19

Expert Comment

by:helpfinder
ID: 40003316
Try to register new time service (external) PDC will sybc time with using w32tm command
0
 

Author Comment

by:jrsitman
ID: 40003925
What about the registry settings I've done from the Microsoft article?  Should those be deleted?
0
 

Author Comment

by:jrsitman
ID: 40004133
I changed my time provider to time.nist.gov. Then did the net stop w32time & net start w32time.  Then did w32tm /resync /force.  I get the message that no time data was available.
0
 

Author Comment

by:jrsitman
ID: 40005692
I changed the PDC to another server and set that server to sync with time.nist.gov.  That worked until I rebooted the server that I couldn't change the time on.  As soon as that server was back up the new PDC changed it;s time to that server.  I even verified that there were no GPO controlling time.  I also verified the registry settings for the new PDC and there are exactly what they should be for the PDC to get it's time from time.nist.gov, but it's not.  
HELP!
0
 

Author Comment

by:jrsitman
ID: 40008621
Here is some more details

The Hyper-V host is getting it's time from a DC that is not the PDC

2 of the Hyper-V servers are getting their time from VM IC Time Synchronization provider

The Hyper-V that is the DC (not PDC but was previously the PDC) is getting it's time from Free Running System clock

The physical PDC is getting it's time from the Hyper-V DC. Even though the registry settings for NTPServer is time.nist.gov

The 3rd physical DC is also getting it's time from the Hyper-V DC, even though it's registry setting for NTPServer is set to time.windows.com,0x9

Hope this helps
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40008886
Don't let the virtual DCs sync their time with the Hyper-V host.  Turn off time synchronization in Hyper-V for each of the DC guest machines.
0
 

Author Comment

by:jrsitman
ID: 40008907
How?  

Even with that done the question remains, why is the PDC syncing with a Virtual DC and not it's external source?  And why is the 3rd physical DC also syncing with the Virtual DC?
0
 
LVL 30

Expert Comment

by:pgm554
ID: 40009030
Have you checked the BIOS clock on the server?
0
 

Author Comment

by:jrsitman
ID: 40009039
Which server.  There are 6.  3 physical, 3 virtual.  Do Virtual have a Bios clock?
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40009088
DCs should only sync with the PDC - the PDC shouldn't be syncing with one of the other DCs.  If it is you've probably configured W32Time incorrectly.

The Hyper-V host(s) can use the Time Synchronization feature to force the guest VM to set its time to whatever the host is set to.  See this...

http://blogs.msdn.com/b/virtual_pc_guy/archive/2010/11/19/time-synchronization-in-hyper-v.aspx

Have you also seen this...?

http://blogs.technet.com/b/nepapfe/archive/2013/03/01/it-s-simple-time-configuration-in-active-directory.aspx
0
 

Author Comment

by:jrsitman
ID: 40009200
I agree something is wrong.  yep I have the second article.  I'll go through it "again" step by step and post later.
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40009421
1st of all remove NTP time synchronization setting from previous PDC server if it is pointing to external time source
All you need to do is change registry for announceflags to a (hexadecimal ) and value of TYPE to NT5DS instead of NTP under HKLM\System\CurrentControlSet\Services\W32tm\Parameters
Then restart windows time service

Then remove hyper-v time synchronization from all virtual domain controllers

For time being you can set new PDC to synchronize with its own hardware CMOS clock until you get proper external time server IP address \ name by following up KB article you mentioned earlier and also ensure that PDC server CMOS battery is not faulty
Run below commands on PDC
w32tm /query /status
w32tm /query /source

Then run below command on all domain controllers except PDC
net time \\PDC_IP /set /y

However note that any DC can get \ sync time between peer DCs except PDC

Mahesh.
0
 

Author Comment

by:jrsitman
ID: 40009437
Please send instructions on how to remove hyper-v time sync.  Thanks
0
 
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 40009448
0
 

Author Comment

by:jrsitman
ID: 40009456
Thanks.  I'll begin working on this soon.
0
 

Author Comment

by:jrsitman
ID: 40009479
Announceflags were set to 5.  I changed type to NT5DS.  What should the NtpServer be?  See attached.  This is current setting.  This is on the server that was previously the PDC and it is also the Virtual DC.
ntpserver.png
0
 
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 40009531
Announceflags should be set to a, it should not be 5

Also you can enter time.windows.com,0x9 for NTPServer value
0
 

Author Comment

by:jrsitman
ID: 40009536
Thx
0
 

Author Comment

by:jrsitman
ID: 40009768
What should the NtpServer and Advancedflags settings be for all servers other than the PDC?
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40009877
By default domain computers,and member servers get there time from ADCs \ PDC depending upon there reporting  AD sites site ADC \ PDC
For this to work no explicit setting is required on them
This default behaviour

In a given AD forest root domain PDC master server will sync its time from external time source \ itself from its own hardware clock depending on how you set it
By default All PDC servers in every child domain \ tree root domain will get there time sync with PDC of forest root domain Controller (PDC).
All client computers \member servers in each domain will get sync there time from respective domain PDC master server
All ADCs in each domain get sync there time from there respective PDC aster servers \ peer domain controllers in same domain

I would suggest you to not alter default factory setting on those computers and servers.

However if you wanted you can set those setting through GPO, but its not required in reality

Mahesh.
0
 

Author Comment

by:jrsitman
ID: 40009887
The problem is I already edited TT he registry.  The PDC is now getting the correct time but the other servers are not syncing to it.  I did have a GPO that I forgot about and I now have it disabled.  Do you think a reboot of all servers might fix it?
0
 
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 40009930
You can do TWO things in order to repair incorrect registry on client computers

1st of all on PDC server, open GPO where you set client NTP settings, Probably at below path.
Computer configuration\administrative templates\system\Windows Time service\Time Providers
Here make settings to not configured for "Configure Windows NTP client" and "Enable Windows NTP server"
Also enable "Windows NTP client" setting

Under Computer configuration\administrative templates\system\Windows Time service, you will find "Global Configuration Settings"
Change it to not configured

Now close the GPO and run Gpupdate /force on PDC server and reboot it once. Then allow clients to reboot and then check if they are syncing properly with local domain controllers \ PDC

If still you are facing errors just put below lines in .bat script and add it as a computer startup script to another GPO \ same GPO as above so that it will apply to computers
Same batch file you need to run on other domain controllers as well other than PDC master server

w32tm /config /syncfromflags:domhier /update
net stop w32time && net start w32time

Open in new window


The above command will reset the wrong configuration on client computers and other DCs if any

Check below article for more information
http://technet.microsoft.com/en-us/library/cc758905(v=ws.10).aspx

Mahesh
0
 

Author Closing Comment

by:jrsitman
ID: 40010536
Thanks very much for all The help everyThing is working perfectly
0

Join & Write a Comment

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
If you need to start windows update installation remotely or as a scheduled task you will find this very helpful.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Viewers will learn how to properly install and use Secure Shell (SSH) to work on projects or homework remotely. Download Secure Shell: Follow basic installation instructions: Open Secure Shell and use "Quick Connect" to enter credentials includi…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now