Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 310
  • Last Modified:

Time synching issue

I have a Windows 2012 server serving as the PDC and about 22 clients connecting to it.   Once the clients joined the domain, the clock times were off for the clients.   Following the instruction per Microsoft Support article, ran the following commands but the client clocks are not synching with the server.

     w32tm /config /syncfromflags:domhier /update
     net stop w32time
     net start w32time

What am I missing?   Running the following command yields a message stating no information.

C:\>W32tm /resync /rediscover
Sending resync command to local computer
The computer did not resync because no time data was available


Any help will be much appreciated.

Thanks.
0
wgroup
Asked:
wgroup
  • 24
  • 24
  • 8
  • +3
1 Solution
 
Rich WeisslerProfessional Troublemaker^h^h^h^h^hshooterCommented:
Confirm on the Windows Domain Controllers that the Windows Time service is running and that UDP 123 is not blocked by a router, etc?  (Do you have more than one Domain Controller?)
0
 
it_saigeDeveloperCommented:
Also have you configured the server as an Authoritative Time Server?

http://support.microsoft.com/kb/816042

Do you have any group policies in place that may be affecting your time settings?  Are all of the clients off by the same amount of time and if so, is it off by an hour or hour(s) only; i.e. - Time on the server is 9:58AM; Time on all clients is 10:58AM.

-saige-
0
 
wgroupAuthor Commented:
it_saige, thank you - all the clients are exactly 3 hours ahead.   I did the 'fix it' yesterday (option to get time from external source

In the mode of fixing this issue, I might have turned on the Group Policy.   How do I verify this?
0
NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

 
it_saigeDeveloperCommented:
You can open up the Group Policy Management console on the server.  But to check to see what policy, if any, is causing your issue, you can run the Resultant Set of Policy on any of your workstations.  This will provide you with the policies that are in place on the workstation.  I recommend that you do not login with an administrative user.

To run the Resultant Set of Policy.  On a workstation, Start -> Run -> MMC.EXE.

In MMC.EXE; Go to File -> Add/Remove Snap-In.

Choose Resultant Set of Policy from the list, click Add and OK.

Right click on Resultant Set of Policy and choose 'Generate RSoP data'.

This will launch a wizard.  Choose all of the defaults (Logging Mode, This computer, Current user).

-saige-
0
 
wgroupAuthor Commented:
Thanks for the details.

On the client PC;
Computer Configuration - Admin Templates - System - WTS - Time Providers shows

CONFIG W NTP Client enabled
Enable W NTP Client enabled
Enable W NTP Server enabled

I changed them to disabled on the server; re-querying on the workstation, now it says disabled.  

The clock is still 3 hours off.   :-( Help :-(
0
 
Gabriel CliftonCommented:
Are you sure Time Zones are correct? We had an admin at one time that kept changing the server Time Zone to GMT, we kept having issues when he did.
0
 
wgroupAuthor Commented:
Server shows correct time; only client time is off.   The locale is set for US EST.
0
 
Gabriel CliftonCommented:
Have you tried:
Set time source to domain (set type=NT5DS) and update configuration
w32tm /config /computer:<computer> /syncfromflags:DOMHIER /Update
 
Sync with the domain time source
w32tm /resync /computer:<computer> /nowait /rediscover
0
 
wgroupAuthor Commented:
Gabriel,  I changed the type to NT5DS, ran both the commands and they were successfully executed.   I restarted the client PC, logged in but the time is still 3 hours ahead.
0
 
Gabriel CliftonCommented:
OK, let's see where we are.
You have verified the time zones on the clients and server that is distributing time are correct.
You have verified that no group policies are changing time.
You have told Windows to get its time from your server and refresh the time on the system.
None of this is producing results which should. I manually moved my time up eight hours and run the update time commands and within one minute it was correct.

Only other thing I can think of is some software changing your time. I have only seen this happen one time in eighteen years so I doubt that could be it but you never know. Look in Windows logs, event viewer, and see if you can spot your culprit. Manually set your clock, reboot, check event viewer.
0
 
it_saigeDeveloperCommented:
One other thing along those same lines, what are your registry settings on the DC in question with regards to the MaxNegPhaseCorrection and MaxPosPhaseCorrection.

Both can be found in the registry @ [HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config]

-saige-
0
 
wgroupAuthor Commented:
Here are the values for the two parameters.

MaxNegPhaseCorrection is 2a300
MaxPosPhaseCorrection is 2a300
0
 
it_saigeDeveloperCommented:
How about the MaxAllowedPhaseOffset?

-saige-
0
 
wgroupAuthor Commented:
12c
0
 
it_saigeDeveloperCommented:
In the [HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient]

SpecialPollInterval is?

-saige-
0
 
wgroupAuthor Commented:
e10
0
 
it_saigeDeveloperCommented:
As Gabriel stated, have you checked the log's on your client system?

-saige-
0
 
wgroupAuthor Commented:
The following is an event from one of the client PCs.

NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)

It shows "entry is not found" not sure what is missing.   Thanks for yours and Gabriel's assistance.
0
 
Gabriel CliftonCommented:
That is saying the computers cannot find any time servers on the domain. Try: http://teckadmin.wordpress.com/2013/12/04/ntp-role-in-windows-domain-controller/
0
 
hecgomrecCommented:
open a CMD as an Administrator and run:

net time \\servername /set /Y, this will force time synchronization with "servername" and answer yes to the prompt.

You may create a batch file with the command in a share drive all users can access, then run it as indicated from each machine or add it into organization's login script (if any).

Let me know
0
 
wgroupAuthor Commented:
Thanks for the suggestion to add the net time statement to the script.   I will implement it today and let you know how it goes.    Thanks again -
0
 
wgroupAuthor Commented:
Thanks to all your comments, feedback and suggestions.  Now the clients are all synched up to the correct time.   When I checked the Event Viewer on the server today, I see the following;

Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

Somehow I see a conflict.   Any suggestions?
0
 
it_saigeDeveloperCommented:
All this is stating is that this server should be the one that is the Authoritative Time Server, which means that it should use an external source for its time.

If this is the server that you were providing the settings from (remember MaxNegPhaseCorrection and such), then for completeness we should ensure that the remaining settings are correct.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config]
"MaxAllowedPhaseOffset"=dword:0000012c
"MaxPosPhaseCorrection"=dword:0002a300
"AnnounceFlags"=dword:00000005
"MaxNegPhaseCorrection"=dword:0002a300

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"NtpServer"="time-a.timefreq.bldrdoc.gov,0x1 time-b.timefreq.bldrdoc.gov,0x1 time-c.timefreq.bldrdoc.gov,0x1 time-d.timefreq.bldrdoc.gov,0x1"
"Type"="NTP"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient]
"Enabled"=dword:00000001
"SpecialPollInterval"=dword:00000e10

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer]
"Enabled"=dword:00000001

Open in new window


Don't forget to run:

'net stop w32time && net start w32time'

(or just simply restart the time service) after you make any changes.

-saige-
0
 
wgroupAuthor Commented:
I made the changes Saige suggested but clocks are still off.   I manually had the time changed on all PCs as this was causing accounting folks posting time issues.   How can I verify whether clients PCs are looking at the server as the authoritative source?
0
 
it_saigeDeveloperCommented:
Did you leave the command recommended by hecgomrec in your login script?  That command is what assisted in synchronizing the clocks on your systems.

-saige-
0
 
Gabriel CliftonCommented:
To get information about where the computer is getting time from:
w32tm /query /computer:<ComputerName> /status
0
 
wgroupAuthor Commented:
Saige - I did included the command recommended by hecgomrec but no good :-(

Gabriel - the following is the message I am getting

C:\Users\user01>w32tm /query /computer:expwin01 /status
The following error occurred: Access is denied. (0x80070005)
0
 
it_saigeDeveloperCommented:
Try just w32tm /query /status and provide those results please.

-saige-
0
 
wgroupAuthor Commented:
C:\Users\user01>w32tm /query /status
Leap Indicator: 3(last minute has 61 seconds)
Stratum: 0 (unspecified)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0000000s
Root Dispersion: 0.0000000s
ReferenceId: 0x00000000 (unspecified)
Last Successful Sync Time: unspecified
Source: Local CMOS Clock
Poll Interval: 10 (1024s)
0
 
Gabriel CliftonCommented:
OK, your system is getting its time from CMOS (BIOS) instead of your server or anything else. If it was getting time from one of your servers or domain it would indicate so under Source:
0
 
Gabriel CliftonCommented:
C:\>w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 5 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.1105804s
Root Dispersion: 0.2236685s
ReferenceId: 0x0A64D202 (source IP:  10.100.210.2)
Last Successful Sync Time: 9/26/2014 8:38:46 AM
Source: FSISDDC02.fsisd.local
Poll Interval: 13 (8192s)
0
 
it_saigeDeveloperCommented:
Ok.

On that same client, lets try this (from an Administrative command prompt):

w32tm /config /syncfromflags:domhier /update

net stop w32time && net start w32time

w32tm /resync /rediscover

w32tm /monitor

-saige-
0
 
it_saigeDeveloperCommented:
Also, querying for additional information, are these clients images or straight installs.  Is the PDC a virtual machine?

-saige-
0
 
it_saigeDeveloperCommented:
Forgot to mention, please provide the w32tm /monitor output.

-saige-
0
 
wgroupAuthor Commented:
I ran the commands as suggested and the results are below:

C:\>w32tm /config /syncfromflags:domhier /update
The command completed successfully.

C:\>net stop w32time && net start w32time
The Windows Time service is stopping.
The Windows Time service was stopped successfully.

The Windows Time service is starting.
The Windows Time service was started successfully.


C:\>w32tm /resync /rediscover
Sending resync command to local computer
The computer did not resync because no time data was available.

C:\>w32tm /monitor
EXPWIN01.exportdoc.local *** PDC ***[192.168.1.18:123]:
    ICMP: 2ms delay
    NTP: error ERROR_TIMEOUT - no response from server in 1000ms
DOCSWIN01.exportdoc.local[192.168.1.19:123]:
    ICMP: 0ms delay
    NTP: error ERROR_TIMEOUT - no response from server in 1000ms
0
 
wgroupAuthor Commented:
Clients are Dell factory installed images
PDC is not a virtual server
0
 
Gabriel CliftonCommented:
OK, you need to make sure your server is set to be the time server and your workstations are set to point to the server for the  time.
0
 
it_saigeDeveloperCommented:
Is EXPWIN01 your PDC?  How many DC's do you have?

-saige-
0
 
it_saigeDeveloperCommented:
On the PDC...

Open an administrative command prompt and type the following:

netstat -aon | find ":123"
0
 
wgroupAuthor Commented:
EXPWIN01 is the PDC, there is one other DC.
0
 
wgroupAuthor Commented:
netstat -aon | find ":123"  did not return anything.
0
 
it_saigeDeveloperCommented:
That means that the time service is either not running on your PDC or the time service is configured to use a different port.

For example, on my PDC the above command produces the following output:
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>netstat -aon | find ":123"
  UDP    0.0.0.0:123            *:*                                    980
  UDP    [::]:123               *:*                                    980

C:\Windows\system32>

Open in new window


Where 980 is the process id.

When I look for 980 in my processes list I find:

Capture.JPG-saige-
0
 
wgroupAuthor Commented:
This is what I see in the task manager.

w32time.jpg
0
 
it_saigeDeveloperCommented:
Download and run process explorer from Microsoft (if this is a 2012 Server you must run as Administrator).

http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

From there, right-click on the process you just highlighted and select Properties.  Go to the TCP/IP tab and see if you can find an entry like:
Capture.JPG-saige-
0
 
wgroupAuthor Commented:
Mine is blank :-(w32time.jpg
0
 
it_saigeDeveloperCommented:
Try restarting the time service.  Also check the event log to see if you can find any errors associated with the Time Service.  One other thing, is the firewall enabled on your server?  If so, try turning the firewall off for the domain, public and privite profiles.  Then restart the time service.

If that turns out to be the culprit, you will need to open the Time Service ports on on the Firewall.

-saige-
0
 
it_saigeDeveloperCommented:
Excerpt from - http://technet.microsoft.com/en-us/library/cc794937(v=ws.10).aspx


To check UDP port status on the PDC emulator
--------------------------------------------------------------------------------

1.To check inbound UDP port 123 status on the domain controller that is the PDC emulator, click Start, point to Administrative Tools, and then click Windows Firewall with Advanced Security.

2.Click Inbound Rules. Check that Active Directory Domain Controller - W32Time (NTP-UDP-In) has a status of enabled (green) and is not blocked:
      ◦ If this rule is disabled (dimmed), right-click the rule, and then click Enable.
      ◦ If the rule is blocked, right-click the rule, and then click Properties. Under Action, click Allow the connections, and then click OK.
3.To check outbound UDP port status on the domain controller, click Outbound Rules.
4.Check that Active Directory Domain Controller (UDP-Out) has a status of enabled and is not blocked:
      ◦ If the rule is disabled (dimmed), right-click the rule, and then click Enable.
      ◦ If the rule is blocked, right-click the rule, and then click Properties. Under Action, click Allow the connections, and then click OK.
-Or-
To open only outbound UDP port 123, create a separate outbound rule for the specific port, as follows:
      a. In Windows Firewall with Advanced Security, right-click Outbound Rules, and then click New.
      b. In the New Outbound Rule Wizard, click Port, and then click Next.
      c. Click UDP, click Specific local ports, type 123, and then click Next.
      d. Follow the directions in the wizard to configure the security settings and name the rule, and then click Finish.
5.To ensure that the PDC emulator responds, on an NTP client, repeat the test in step 2 of the procedure “To configure the Windows Time service on the PDC emulator” earlier in this topic.
-saige-
0
 
wgroupAuthor Commented:
Inbound for W32TIME and Outbound UDP-Out, both are enabled and green.
0
 
it_saigeDeveloperCommented:
Please provide the properties for %systemroot%\system32\w32time.dll.

Also what OS and SP level is the PDC?

-saige-
0
 
wgroupAuthor Commented:
w32time.jpgWindows 2012 Server R2
0
 
it_saigeDeveloperCommented:
This is funny.  Reenable your NTP Server via Group Policy.  Perform a gpupdate and then lets restart the time service on the server and run w32tm /monitor from an Administrative command prompt.

I don't know why M$ decided that if you set the group policy to disabled that it means don't allow the service to act as a time server especially since the domain is so time sensitive.

-saige-
0
 
it_saigeDeveloperCommented:
Either that or set these policies to unconfigured.

-saige-
0
 
it_saigeDeveloperCommented:
Preferably, lets set the Time Policies back to Not configured.  And perform a GPUPDATE.

-saige-
0
 
wgroupAuthor Commented:
Saige, how do I go about implementing your suggestion about setting the Time Policies back to Not configured and perform a GPUPDATE?
0
 
it_saigeDeveloperCommented:
In this post, here, you mention:

Computer Configuration - Admin Templates - System - WTS - Time Providers shows

CONFIG W NTP Client enabled
Enable W NTP Client enabled
Enable W NTP Server enabled

I changed them to disabled on the server; re-querying on the workstation, now it says disabled.
Was this accomplished via Group Policy or Local Policy?  This can be determined by running the Resultant Set of Policy on the DC [Refer to this post].

If it is group policy then on the DC open the Group Policy Management applet:

Start -> gpmc.msc

If it is a local policy then on the DC open Local Policy Management applet:

Start -> gpedit.msc

Once open, browse to Computer Configuration - Admin Templates - System - WTS - Time Providers shows and set all three to Not Configured.Capture.JPG-saige-
0
 
andrew nycCommented:
I have signed up today for this site my clients were not syncing with server, after reading this i have the clients syncing with server. so thanks for the above help.
 the only issue i have now is getting the server to sync with external Ntp because server source still says CMOS.
should i talk here or create a new topic?
0
 
it_saigeDeveloperCommented:
@andrew_nyc You should create a new topic since you would not be able to assign any points for the resolution.

-saige-
0
 
wgroupAuthor Commented:
I broke-down and finally called Microsoft support.  Apparently something botched during installation and the W32time instance always thought that we are in PST.   What I understood is that once clients all adopted the locale from the server once it is not a straightforward task to resync.    I had to run a registry update on all PCs manually for the update to take place so that all clients would see the server IP as the time source and for the server nist.gov as the source.  

Thanks to all who participated in the discussion.   It was a good learning experience for me.   Have a great post-Halloween weekend.
0
 
wgroupAuthor Commented:
Saige, you directed to me to the right path but I did not have enough experience with the time synchronization; hence called MS Support and have them walk me through.    Thanks for all your assistance.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

  • 24
  • 24
  • 8
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now