Solved

Time synching issue

Posted on 2014-09-22
59
269 Views
Last Modified: 2014-11-01
I have a Windows 2012 server serving as the PDC and about 22 clients connecting to it.   Once the clients joined the domain, the clock times were off for the clients.   Following the instruction per Microsoft Support article, ran the following commands but the client clocks are not synching with the server.

     w32tm /config /syncfromflags:domhier /update
     net stop w32time
     net start w32time

What am I missing?   Running the following command yields a message stating no information.

C:\>W32tm /resync /rediscover
Sending resync command to local computer
The computer did not resync because no time data was available


Any help will be much appreciated.

Thanks.
0
Comment
Question by:wgroup
  • 24
  • 24
  • 8
  • +3
59 Comments
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 40336700
Confirm on the Windows Domain Controllers that the Windows Time service is running and that UDP 123 is not blocked by a router, etc?  (Do you have more than one Domain Controller?)
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40336746
Also have you configured the server as an Authoritative Time Server?

http://support.microsoft.com/kb/816042

Do you have any group policies in place that may be affecting your time settings?  Are all of the clients off by the same amount of time and if so, is it off by an hour or hour(s) only; i.e. - Time on the server is 9:58AM; Time on all clients is 10:58AM.

-saige-
0
 

Author Comment

by:wgroup
ID: 40336782
it_saige, thank you - all the clients are exactly 3 hours ahead.   I did the 'fix it' yesterday (option to get time from external source

In the mode of fixing this issue, I might have turned on the Group Policy.   How do I verify this?
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40336812
You can open up the Group Policy Management console on the server.  But to check to see what policy, if any, is causing your issue, you can run the Resultant Set of Policy on any of your workstations.  This will provide you with the policies that are in place on the workstation.  I recommend that you do not login with an administrative user.

To run the Resultant Set of Policy.  On a workstation, Start -> Run -> MMC.EXE.

In MMC.EXE; Go to File -> Add/Remove Snap-In.

Choose Resultant Set of Policy from the list, click Add and OK.

Right click on Resultant Set of Policy and choose 'Generate RSoP data'.

This will launch a wizard.  Choose all of the defaults (Logging Mode, This computer, Current user).

-saige-
0
 

Author Comment

by:wgroup
ID: 40336929
Thanks for the details.

On the client PC;
Computer Configuration - Admin Templates - System - WTS - Time Providers shows

CONFIG W NTP Client enabled
Enable W NTP Client enabled
Enable W NTP Server enabled

I changed them to disabled on the server; re-querying on the workstation, now it says disabled.  

The clock is still 3 hours off.   :-( Help :-(
0
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 40337410
Are you sure Time Zones are correct? We had an admin at one time that kept changing the server Time Zone to GMT, we kept having issues when he did.
0
 

Author Comment

by:wgroup
ID: 40337423
Server shows correct time; only client time is off.   The locale is set for US EST.
0
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 40337441
Have you tried:
Set time source to domain (set type=NT5DS) and update configuration
w32tm /config /computer:<computer> /syncfromflags:DOMHIER /Update
 
Sync with the domain time source
w32tm /resync /computer:<computer> /nowait /rediscover
0
 

Author Comment

by:wgroup
ID: 40337589
Gabriel,  I changed the type to NT5DS, ran both the commands and they were successfully executed.   I restarted the client PC, logged in but the time is still 3 hours ahead.
0
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 40337648
OK, let's see where we are.
You have verified the time zones on the clients and server that is distributing time are correct.
You have verified that no group policies are changing time.
You have told Windows to get its time from your server and refresh the time on the system.
None of this is producing results which should. I manually moved my time up eight hours and run the update time commands and within one minute it was correct.

Only other thing I can think of is some software changing your time. I have only seen this happen one time in eighteen years so I doubt that could be it but you never know. Look in Windows logs, event viewer, and see if you can spot your culprit. Manually set your clock, reboot, check event viewer.
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40337687
One other thing along those same lines, what are your registry settings on the DC in question with regards to the MaxNegPhaseCorrection and MaxPosPhaseCorrection.

Both can be found in the registry @ [HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config]

-saige-
0
 

Author Comment

by:wgroup
ID: 40337698
Here are the values for the two parameters.

MaxNegPhaseCorrection is 2a300
MaxPosPhaseCorrection is 2a300
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40337717
How about the MaxAllowedPhaseOffset?

-saige-
0
 

Author Comment

by:wgroup
ID: 40337724
12c
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40337731
In the [HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient]

SpecialPollInterval is?

-saige-
0
 

Author Comment

by:wgroup
ID: 40337740
e10
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40337779
As Gabriel stated, have you checked the log's on your client system?

-saige-
0
 

Author Comment

by:wgroup
ID: 40337973
The following is an event from one of the client PCs.

NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)

It shows "entry is not found" not sure what is missing.   Thanks for yours and Gabriel's assistance.
0
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 40337995
That is saying the computers cannot find any time servers on the domain. Try: http://teckadmin.wordpress.com/2013/12/04/ntp-role-in-windows-domain-controller/
0
 
LVL 11

Expert Comment

by:hecgomrec
ID: 40339014
open a CMD as an Administrator and run:

net time \\servername /set /Y, this will force time synchronization with "servername" and answer yes to the prompt.

You may create a batch file with the command in a share drive all users can access, then run it as indicated from each machine or add it into organization's login script (if any).

Let me know
0
 

Author Comment

by:wgroup
ID: 40339453
Thanks for the suggestion to add the net time statement to the script.   I will implement it today and let you know how it goes.    Thanks again -
0
 

Author Comment

by:wgroup
ID: 40341414
Thanks to all your comments, feedback and suggestions.  Now the clients are all synched up to the correct time.   When I checked the Event Viewer on the server today, I see the following;

Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

Somehow I see a conflict.   Any suggestions?
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40341627
All this is stating is that this server should be the one that is the Authoritative Time Server, which means that it should use an external source for its time.

If this is the server that you were providing the settings from (remember MaxNegPhaseCorrection and such), then for completeness we should ensure that the remaining settings are correct.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config]
"MaxAllowedPhaseOffset"=dword:0000012c
"MaxPosPhaseCorrection"=dword:0002a300
"AnnounceFlags"=dword:00000005
"MaxNegPhaseCorrection"=dword:0002a300

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"NtpServer"="time-a.timefreq.bldrdoc.gov,0x1 time-b.timefreq.bldrdoc.gov,0x1 time-c.timefreq.bldrdoc.gov,0x1 time-d.timefreq.bldrdoc.gov,0x1"
"Type"="NTP"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient]
"Enabled"=dword:00000001
"SpecialPollInterval"=dword:00000e10

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer]
"Enabled"=dword:00000001

Open in new window


Don't forget to run:

'net stop w32time && net start w32time'

(or just simply restart the time service) after you make any changes.

-saige-
0
 

Author Comment

by:wgroup
ID: 40345762
I made the changes Saige suggested but clocks are still off.   I manually had the time changed on all PCs as this was causing accounting folks posting time issues.   How can I verify whether clients PCs are looking at the server as the authoritative source?
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40345977
Did you leave the command recommended by hecgomrec in your login script?  That command is what assisted in synchronizing the clocks on your systems.

-saige-
0
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 40346007
To get information about where the computer is getting time from:
w32tm /query /computer:<ComputerName> /status
0
 

Author Comment

by:wgroup
ID: 40346061
Saige - I did included the command recommended by hecgomrec but no good :-(

Gabriel - the following is the message I am getting

C:\Users\user01>w32tm /query /computer:expwin01 /status
The following error occurred: Access is denied. (0x80070005)
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40346072
Try just w32tm /query /status and provide those results please.

-saige-
0
 

Author Comment

by:wgroup
ID: 40346087
C:\Users\user01>w32tm /query /status
Leap Indicator: 3(last minute has 61 seconds)
Stratum: 0 (unspecified)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0000000s
Root Dispersion: 0.0000000s
ReferenceId: 0x00000000 (unspecified)
Last Successful Sync Time: unspecified
Source: Local CMOS Clock
Poll Interval: 10 (1024s)
0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 40346185
OK, your system is getting its time from CMOS (BIOS) instead of your server or anything else. If it was getting time from one of your servers or domain it would indicate so under Source:
0
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 40346190
C:\>w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 5 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.1105804s
Root Dispersion: 0.2236685s
ReferenceId: 0x0A64D202 (source IP:  10.100.210.2)
Last Successful Sync Time: 9/26/2014 8:38:46 AM
Source: FSISDDC02.fsisd.local
Poll Interval: 13 (8192s)
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40346194
Ok.

On that same client, lets try this (from an Administrative command prompt):

w32tm /config /syncfromflags:domhier /update

net stop w32time && net start w32time

w32tm /resync /rediscover

w32tm /monitor

-saige-
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40346203
Also, querying for additional information, are these clients images or straight installs.  Is the PDC a virtual machine?

-saige-
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40346205
Forgot to mention, please provide the w32tm /monitor output.

-saige-
0
 

Author Comment

by:wgroup
ID: 40346355
I ran the commands as suggested and the results are below:

C:\>w32tm /config /syncfromflags:domhier /update
The command completed successfully.

C:\>net stop w32time && net start w32time
The Windows Time service is stopping.
The Windows Time service was stopped successfully.

The Windows Time service is starting.
The Windows Time service was started successfully.


C:\>w32tm /resync /rediscover
Sending resync command to local computer
The computer did not resync because no time data was available.

C:\>w32tm /monitor
EXPWIN01.exportdoc.local *** PDC ***[192.168.1.18:123]:
    ICMP: 2ms delay
    NTP: error ERROR_TIMEOUT - no response from server in 1000ms
DOCSWIN01.exportdoc.local[192.168.1.19:123]:
    ICMP: 0ms delay
    NTP: error ERROR_TIMEOUT - no response from server in 1000ms
0
 

Author Comment

by:wgroup
ID: 40346358
Clients are Dell factory installed images
PDC is not a virtual server
0
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 40346399
OK, you need to make sure your server is set to be the time server and your workstations are set to point to the server for the  time.
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40346478
Is EXPWIN01 your PDC?  How many DC's do you have?

-saige-
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40346480
On the PDC...

Open an administrative command prompt and type the following:

netstat -aon | find ":123"
0
 

Author Comment

by:wgroup
ID: 40346481
EXPWIN01 is the PDC, there is one other DC.
0
 

Author Comment

by:wgroup
ID: 40346488
netstat -aon | find ":123"  did not return anything.
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40346509
That means that the time service is either not running on your PDC or the time service is configured to use a different port.

For example, on my PDC the above command produces the following output:
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>netstat -aon | find ":123"
  UDP    0.0.0.0:123            *:*                                    980
  UDP    [::]:123               *:*                                    980

C:\Windows\system32>

Open in new window


Where 980 is the process id.

When I look for 980 in my processes list I find:

Capture.JPG-saige-
0
 

Author Comment

by:wgroup
ID: 40346547
This is what I see in the task manager.

w32time.jpg
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40346559
Download and run process explorer from Microsoft (if this is a 2012 Server you must run as Administrator).

http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

From there, right-click on the process you just highlighted and select Properties.  Go to the TCP/IP tab and see if you can find an entry like:
Capture.JPG-saige-
0
 

Author Comment

by:wgroup
ID: 40346584
Mine is blank :-(w32time.jpg
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40346608
Try restarting the time service.  Also check the event log to see if you can find any errors associated with the Time Service.  One other thing, is the firewall enabled on your server?  If so, try turning the firewall off for the domain, public and privite profiles.  Then restart the time service.

If that turns out to be the culprit, you will need to open the Time Service ports on on the Firewall.

-saige-
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40346651
Excerpt from - http://technet.microsoft.com/en-us/library/cc794937(v=ws.10).aspx


To check UDP port status on the PDC emulator
--------------------------------------------------------------------------------

1.To check inbound UDP port 123 status on the domain controller that is the PDC emulator, click Start, point to Administrative Tools, and then click Windows Firewall with Advanced Security.

2.Click Inbound Rules. Check that Active Directory Domain Controller - W32Time (NTP-UDP-In) has a status of enabled (green) and is not blocked:
      ◦ If this rule is disabled (dimmed), right-click the rule, and then click Enable.
      ◦ If the rule is blocked, right-click the rule, and then click Properties. Under Action, click Allow the connections, and then click OK.
3.To check outbound UDP port status on the domain controller, click Outbound Rules.
4.Check that Active Directory Domain Controller (UDP-Out) has a status of enabled and is not blocked:
      ◦ If the rule is disabled (dimmed), right-click the rule, and then click Enable.
      ◦ If the rule is blocked, right-click the rule, and then click Properties. Under Action, click Allow the connections, and then click OK.
-Or-
To open only outbound UDP port 123, create a separate outbound rule for the specific port, as follows:
      a. In Windows Firewall with Advanced Security, right-click Outbound Rules, and then click New.
      b. In the New Outbound Rule Wizard, click Port, and then click Next.
      c. Click UDP, click Specific local ports, type 123, and then click Next.
      d. Follow the directions in the wizard to configure the security settings and name the rule, and then click Finish.
5.To ensure that the PDC emulator responds, on an NTP client, repeat the test in step 2 of the procedure “To configure the Windows Time service on the PDC emulator” earlier in this topic.
-saige-
0
 

Author Comment

by:wgroup
ID: 40346758
Inbound for W32TIME and Outbound UDP-Out, both are enabled and green.
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40346764
Please provide the properties for %systemroot%\system32\w32time.dll.

Also what OS and SP level is the PDC?

-saige-
0
 

Author Comment

by:wgroup
ID: 40346769
w32time.jpgWindows 2012 Server R2
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40346778
This is funny.  Reenable your NTP Server via Group Policy.  Perform a gpupdate and then lets restart the time service on the server and run w32tm /monitor from an Administrative command prompt.

I don't know why M$ decided that if you set the group policy to disabled that it means don't allow the service to act as a time server especially since the domain is so time sensitive.

-saige-
0
 
LVL 32

Accepted Solution

by:
it_saige earned 500 total points
ID: 40346791
Either that or set these policies to unconfigured.

-saige-
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40346794
Preferably, lets set the Time Policies back to Not configured.  And perform a GPUPDATE.

-saige-
0
 

Author Comment

by:wgroup
ID: 40354740
Saige, how do I go about implementing your suggestion about setting the Time Policies back to Not configured and perform a GPUPDATE?
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40354858
In this post, here, you mention:

Computer Configuration - Admin Templates - System - WTS - Time Providers shows

CONFIG W NTP Client enabled
Enable W NTP Client enabled
Enable W NTP Server enabled

I changed them to disabled on the server; re-querying on the workstation, now it says disabled.
Was this accomplished via Group Policy or Local Policy?  This can be determined by running the Resultant Set of Policy on the DC [Refer to this post].

If it is group policy then on the DC open the Group Policy Management applet:

Start -> gpmc.msc

If it is a local policy then on the DC open Local Policy Management applet:

Start -> gpedit.msc

Once open, browse to Computer Configuration - Admin Templates - System - WTS - Time Providers shows and set all three to Not Configured.Capture.JPG-saige-
0
 

Expert Comment

by:andrew nyc
ID: 40354955
I have signed up today for this site my clients were not syncing with server, after reading this i have the clients syncing with server. so thanks for the above help.
 the only issue i have now is getting the server to sync with external Ntp because server source still says CMOS.
should i talk here or create a new topic?
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40354965
@andrew_nyc You should create a new topic since you would not be able to assign any points for the resolution.

-saige-
0
 

Author Comment

by:wgroup
ID: 40417164
I broke-down and finally called Microsoft support.  Apparently something botched during installation and the W32time instance always thought that we are in PST.   What I understood is that once clients all adopted the locale from the server once it is not a straightforward task to resync.    I had to run a registry update on all PCs manually for the update to take place so that all clients would see the server IP as the time source and for the server nist.gov as the source.  

Thanks to all who participated in the discussion.   It was a good learning experience for me.   Have a great post-Halloween weekend.
0
 

Author Closing Comment

by:wgroup
ID: 40417166
Saige, you directed to me to the right path but I did not have enough experience with the time synchronization; hence called MS Support and have them walk me through.    Thanks for all your assistance.
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

Every now and then, Microsoft does something that totally impresses me. It doesn't happen often, but in this case I must say I am thoroughly impressed with Windows Server Backup. One of the long time issues with Windows Backup has been the ability t…
This article will review the basic installation and configuration for Windows Software Update Services (WSUS) in a Windows 2012 R2 environment.  WSUS is a Microsoft tool that allows administrators to manage and control updates to be approved and ins…
In this Micro Tutorial viewers will learn how to use Windows Server Backup to create full image of their system. Tutorial shows how to install Windows Server Backup Feature on Windows 2012R2 and how to configure scheduled Bare Metal Recovery backup.…
This tutorial will walk an individual through the process of configuring basic necessities in order to use the 2010 version of Data Protection Manager. These include storage, agents, and protection jobs. Launch Data Protection Manager from the deskt…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now