Solved

Can't change time on 2008 R2 DC

Posted on 2014-04-15
29
1,802 Views
Last Modified: 2014-04-19
The clock on the DC at one of our locations is fast by 5 minutes.  When I change it and hit Apply, it changes to the new time and then immediately changes back to the previous time.

What would cause this?

How do I fix it?
0
Comment
Question by:J.R. Sitman
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 17
  • 5
  • 2
  • +3
29 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 40002425
Is this the PDC emulator in the forest root?   Time should be following the windows time hiearchy as outlined below

http://blogs.technet.com/b/nepapfe/archive/2013/03/01/it-s-simple-time-configuration-in-active-directory.aspx

Is this the only DC that is having issues?

Thanks

Mike
0
 
LVL 19

Expert Comment

by:helpfinder
ID: 40002450
Server which is holding PDC role is a server for syncing time in the domain. Server with PDC takes time from BIOS, external time server (ntp), router, etc all other DCs from this server and member servers and workstations from nearest available DC.

So if your server holds this FSMO role (PDC emulator) try to set some reliable time server, but if you write this is only server with time problem probably this is not a server with PDC (because then all computers in the domain should have 5 minute time lag).

On mentioned server use command net time and you will see from which source server is taking time.
Also check command w32tm /monitor for results
For set correct time do not change time manually but resync it using w32tm /resync
0
 

Author Comment

by:J.R. Sitman
ID: 40002466
Yes it is the PDC, Yes it is the only server I can't change the time on.  In the past I was able to change it (I believe).  

I configured the server based on
http://support.microsoft.com/kb/816042

All 4 of my locations are configured the same way and for whatever reason this site always has the incorrect time after a few weeks.

Very frustrating.
0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 

Author Comment

by:J.R. Sitman
ID: 40002473
I ran net time and it is getting it's time from itself.  I ran w23tm /monitor.  See attached
w32DCVMLB.png
0
 

Author Comment

by:J.R. Sitman
ID: 40003044
Still need help!
0
 
LVL 19

Expert Comment

by:helpfinder
ID: 40003316
Try to register new time service (external) PDC will sybc time with using w32tm command
0
 

Author Comment

by:J.R. Sitman
ID: 40003925
What about the registry settings I've done from the Microsoft article?  Should those be deleted?
0
 

Author Comment

by:J.R. Sitman
ID: 40004133
I changed my time provider to time.nist.gov. Then did the net stop w32time & net start w32time.  Then did w32tm /resync /force.  I get the message that no time data was available.
0
 

Author Comment

by:J.R. Sitman
ID: 40005692
I changed the PDC to another server and set that server to sync with time.nist.gov.  That worked until I rebooted the server that I couldn't change the time on.  As soon as that server was back up the new PDC changed it;s time to that server.  I even verified that there were no GPO controlling time.  I also verified the registry settings for the new PDC and there are exactly what they should be for the PDC to get it's time from time.nist.gov, but it's not.  
HELP!
0
 

Author Comment

by:J.R. Sitman
ID: 40008621
Here is some more details

The Hyper-V host is getting it's time from a DC that is not the PDC

2 of the Hyper-V servers are getting their time from VM IC Time Synchronization provider

The Hyper-V that is the DC (not PDC but was previously the PDC) is getting it's time from Free Running System clock

The physical PDC is getting it's time from the Hyper-V DC. Even though the registry settings for NTPServer is time.nist.gov

The 3rd physical DC is also getting it's time from the Hyper-V DC, even though it's registry setting for NTPServer is set to time.windows.com,0x9

Hope this helps
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 40008886
Don't let the virtual DCs sync their time with the Hyper-V host.  Turn off time synchronization in Hyper-V for each of the DC guest machines.
0
 

Author Comment

by:J.R. Sitman
ID: 40008907
How?  

Even with that done the question remains, why is the PDC syncing with a Virtual DC and not it's external source?  And why is the 3rd physical DC also syncing with the Virtual DC?
0
 
LVL 30

Expert Comment

by:pgm554
ID: 40009030
Have you checked the BIOS clock on the server?
0
 

Author Comment

by:J.R. Sitman
ID: 40009039
Which server.  There are 6.  3 physical, 3 virtual.  Do Virtual have a Bios clock?
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 40009088
DCs should only sync with the PDC - the PDC shouldn't be syncing with one of the other DCs.  If it is you've probably configured W32Time incorrectly.

The Hyper-V host(s) can use the Time Synchronization feature to force the guest VM to set its time to whatever the host is set to.  See this...

http://blogs.msdn.com/b/virtual_pc_guy/archive/2010/11/19/time-synchronization-in-hyper-v.aspx

Have you also seen this...?

http://blogs.technet.com/b/nepapfe/archive/2013/03/01/it-s-simple-time-configuration-in-active-directory.aspx
0
 

Author Comment

by:J.R. Sitman
ID: 40009200
I agree something is wrong.  yep I have the second article.  I'll go through it "again" step by step and post later.
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 40009421
1st of all remove NTP time synchronization setting from previous PDC server if it is pointing to external time source
All you need to do is change registry for announceflags to a (hexadecimal ) and value of TYPE to NT5DS instead of NTP under HKLM\System\CurrentControlSet\Services\W32tm\Parameters
Then restart windows time service

Then remove hyper-v time synchronization from all virtual domain controllers

For time being you can set new PDC to synchronize with its own hardware CMOS clock until you get proper external time server IP address \ name by following up KB article you mentioned earlier and also ensure that PDC server CMOS battery is not faulty
Run below commands on PDC
w32tm /query /status
w32tm /query /source

Then run below command on all domain controllers except PDC
net time \\PDC_IP /set /y

However note that any DC can get \ sync time between peer DCs except PDC

Mahesh.
0
 

Author Comment

by:J.R. Sitman
ID: 40009437
Please send instructions on how to remove hyper-v time sync.  Thanks
0
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 40009448
0
 

Author Comment

by:J.R. Sitman
ID: 40009456
Thanks.  I'll begin working on this soon.
0
 

Author Comment

by:J.R. Sitman
ID: 40009479
Announceflags were set to 5.  I changed type to NT5DS.  What should the NtpServer be?  See attached.  This is current setting.  This is on the server that was previously the PDC and it is also the Virtual DC.
ntpserver.png
0
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 40009531
Announceflags should be set to a, it should not be 5

Also you can enter time.windows.com,0x9 for NTPServer value
0
 

Author Comment

by:J.R. Sitman
ID: 40009536
Thx
0
 

Author Comment

by:J.R. Sitman
ID: 40009768
What should the NtpServer and Advancedflags settings be for all servers other than the PDC?
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 40009877
By default domain computers,and member servers get there time from ADCs \ PDC depending upon there reporting  AD sites site ADC \ PDC
For this to work no explicit setting is required on them
This default behaviour

In a given AD forest root domain PDC master server will sync its time from external time source \ itself from its own hardware clock depending on how you set it
By default All PDC servers in every child domain \ tree root domain will get there time sync with PDC of forest root domain Controller (PDC).
All client computers \member servers in each domain will get sync there time from respective domain PDC master server
All ADCs in each domain get sync there time from there respective PDC aster servers \ peer domain controllers in same domain

I would suggest you to not alter default factory setting on those computers and servers.

However if you wanted you can set those setting through GPO, but its not required in reality

Mahesh.
0
 

Author Comment

by:J.R. Sitman
ID: 40009887
The problem is I already edited TT he registry.  The PDC is now getting the correct time but the other servers are not syncing to it.  I did have a GPO that I forgot about and I now have it disabled.  Do you think a reboot of all servers might fix it?
0
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 40009930
You can do TWO things in order to repair incorrect registry on client computers

1st of all on PDC server, open GPO where you set client NTP settings, Probably at below path.
Computer configuration\administrative templates\system\Windows Time service\Time Providers
Here make settings to not configured for "Configure Windows NTP client" and "Enable Windows NTP server"
Also enable "Windows NTP client" setting

Under Computer configuration\administrative templates\system\Windows Time service, you will find "Global Configuration Settings"
Change it to not configured

Now close the GPO and run Gpupdate /force on PDC server and reboot it once. Then allow clients to reboot and then check if they are syncing properly with local domain controllers \ PDC

If still you are facing errors just put below lines in .bat script and add it as a computer startup script to another GPO \ same GPO as above so that it will apply to computers
Same batch file you need to run on other domain controllers as well other than PDC master server

w32tm /config /syncfromflags:domhier /update
net stop w32time && net start w32time

Open in new window


The above command will reset the wrong configuration on client computers and other DCs if any

Check below article for more information
http://technet.microsoft.com/en-us/library/cc758905(v=ws.10).aspx

Mahesh
0
 

Author Closing Comment

by:J.R. Sitman
ID: 40010536
Thanks very much for all The help everyThing is working perfectly
0

Featured Post

Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question