Link to home
Start Free TrialLog in
Avatar of wgroup
wgroup

asked on

Time synching issue

I have a Windows 2012 server serving as the PDC and about 22 clients connecting to it.   Once the clients joined the domain, the clock times were off for the clients.   Following the instruction per Microsoft Support article, ran the following commands but the client clocks are not synching with the server.

     w32tm /config /syncfromflags:domhier /update
     net stop w32time
     net start w32time

What am I missing?   Running the following command yields a message stating no information.

C:\>W32tm /resync /rediscover
Sending resync command to local computer
The computer did not resync because no time data was available


Any help will be much appreciated.

Thanks.
Avatar of Rich Weissler
Rich Weissler

Confirm on the Windows Domain Controllers that the Windows Time service is running and that UDP 123 is not blocked by a router, etc?  (Do you have more than one Domain Controller?)
Also have you configured the server as an Authoritative Time Server?

http://support.microsoft.com/kb/816042

Do you have any group policies in place that may be affecting your time settings?  Are all of the clients off by the same amount of time and if so, is it off by an hour or hour(s) only; i.e. - Time on the server is 9:58AM; Time on all clients is 10:58AM.

-saige-
Avatar of wgroup

ASKER

it_saige, thank you - all the clients are exactly 3 hours ahead.   I did the 'fix it' yesterday (option to get time from external source

In the mode of fixing this issue, I might have turned on the Group Policy.   How do I verify this?
You can open up the Group Policy Management console on the server.  But to check to see what policy, if any, is causing your issue, you can run the Resultant Set of Policy on any of your workstations.  This will provide you with the policies that are in place on the workstation.  I recommend that you do not login with an administrative user.

To run the Resultant Set of Policy.  On a workstation, Start -> Run -> MMC.EXE.

In MMC.EXE; Go to File -> Add/Remove Snap-In.

Choose Resultant Set of Policy from the list, click Add and OK.

Right click on Resultant Set of Policy and choose 'Generate RSoP data'.

This will launch a wizard.  Choose all of the defaults (Logging Mode, This computer, Current user).

-saige-
Avatar of wgroup

ASKER

Thanks for the details.

On the client PC;
Computer Configuration - Admin Templates - System - WTS - Time Providers shows

CONFIG W NTP Client enabled
Enable W NTP Client enabled
Enable W NTP Server enabled

I changed them to disabled on the server; re-querying on the workstation, now it says disabled.  

The clock is still 3 hours off.   :-( Help :-(
Are you sure Time Zones are correct? We had an admin at one time that kept changing the server Time Zone to GMT, we kept having issues when he did.
Avatar of wgroup

ASKER

Server shows correct time; only client time is off.   The locale is set for US EST.
Have you tried:
Set time source to domain (set type=NT5DS) and update configuration
w32tm /config /computer:<computer> /syncfromflags:DOMHIER /Update
 
Sync with the domain time source
w32tm /resync /computer:<computer> /nowait /rediscover
Avatar of wgroup

ASKER

Gabriel,  I changed the type to NT5DS, ran both the commands and they were successfully executed.   I restarted the client PC, logged in but the time is still 3 hours ahead.
OK, let's see where we are.
You have verified the time zones on the clients and server that is distributing time are correct.
You have verified that no group policies are changing time.
You have told Windows to get its time from your server and refresh the time on the system.
None of this is producing results which should. I manually moved my time up eight hours and run the update time commands and within one minute it was correct.

Only other thing I can think of is some software changing your time. I have only seen this happen one time in eighteen years so I doubt that could be it but you never know. Look in Windows logs, event viewer, and see if you can spot your culprit. Manually set your clock, reboot, check event viewer.
One other thing along those same lines, what are your registry settings on the DC in question with regards to the MaxNegPhaseCorrection and MaxPosPhaseCorrection.

Both can be found in the registry @ [HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config]

-saige-
Avatar of wgroup

ASKER

Here are the values for the two parameters.

MaxNegPhaseCorrection is 2a300
MaxPosPhaseCorrection is 2a300
How about the MaxAllowedPhaseOffset?

-saige-
Avatar of wgroup

ASKER

12c
In the [HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient]

SpecialPollInterval is?

-saige-
Avatar of wgroup

ASKER

e10
As Gabriel stated, have you checked the log's on your client system?

-saige-
Avatar of wgroup

ASKER

The following is an event from one of the client PCs.

NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)

It shows "entry is not found" not sure what is missing.   Thanks for yours and Gabriel's assistance.
That is saying the computers cannot find any time servers on the domain. Try: http://teckadmin.wordpress.com/2013/12/04/ntp-role-in-windows-domain-controller/
open a CMD as an Administrator and run:

net time \\servername /set /Y, this will force time synchronization with "servername" and answer yes to the prompt.

You may create a batch file with the command in a share drive all users can access, then run it as indicated from each machine or add it into organization's login script (if any).

Let me know
Avatar of wgroup

ASKER

Thanks for the suggestion to add the net time statement to the script.   I will implement it today and let you know how it goes.    Thanks again -
Avatar of wgroup

ASKER

Thanks to all your comments, feedback and suggestions.  Now the clients are all synched up to the correct time.   When I checked the Event Viewer on the server today, I see the following;

Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

Somehow I see a conflict.   Any suggestions?
All this is stating is that this server should be the one that is the Authoritative Time Server, which means that it should use an external source for its time.

If this is the server that you were providing the settings from (remember MaxNegPhaseCorrection and such), then for completeness we should ensure that the remaining settings are correct.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config]
"MaxAllowedPhaseOffset"=dword:0000012c
"MaxPosPhaseCorrection"=dword:0002a300
"AnnounceFlags"=dword:00000005
"MaxNegPhaseCorrection"=dword:0002a300

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"NtpServer"="time-a.timefreq.bldrdoc.gov,0x1 time-b.timefreq.bldrdoc.gov,0x1 time-c.timefreq.bldrdoc.gov,0x1 time-d.timefreq.bldrdoc.gov,0x1"
"Type"="NTP"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient]
"Enabled"=dword:00000001
"SpecialPollInterval"=dword:00000e10

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer]
"Enabled"=dword:00000001

Open in new window


Don't forget to run:

'net stop w32time && net start w32time'

(or just simply restart the time service) after you make any changes.

-saige-
Avatar of wgroup

ASKER

I made the changes Saige suggested but clocks are still off.   I manually had the time changed on all PCs as this was causing accounting folks posting time issues.   How can I verify whether clients PCs are looking at the server as the authoritative source?
Did you leave the command recommended by hecgomrec in your login script?  That command is what assisted in synchronizing the clocks on your systems.

-saige-
To get information about where the computer is getting time from:
w32tm /query /computer:<ComputerName> /status
Avatar of wgroup

ASKER

Saige - I did included the command recommended by hecgomrec but no good :-(

Gabriel - the following is the message I am getting

C:\Users\user01>w32tm /query /computer:expwin01 /status
The following error occurred: Access is denied. (0x80070005)
Try just w32tm /query /status and provide those results please.

-saige-
Avatar of wgroup

ASKER

C:\Users\user01>w32tm /query /status
Leap Indicator: 3(last minute has 61 seconds)
Stratum: 0 (unspecified)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0000000s
Root Dispersion: 0.0000000s
ReferenceId: 0x00000000 (unspecified)
Last Successful Sync Time: unspecified
Source: Local CMOS Clock
Poll Interval: 10 (1024s)
OK, your system is getting its time from CMOS (BIOS) instead of your server or anything else. If it was getting time from one of your servers or domain it would indicate so under Source:
C:\>w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 5 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.1105804s
Root Dispersion: 0.2236685s
ReferenceId: 0x0A64D202 (source IP:  10.100.210.2)
Last Successful Sync Time: 9/26/2014 8:38:46 AM
Source: FSISDDC02.fsisd.local
Poll Interval: 13 (8192s)
Ok.

On that same client, lets try this (from an Administrative command prompt):

w32tm /config /syncfromflags:domhier /update

net stop w32time && net start w32time

w32tm /resync /rediscover

w32tm /monitor

-saige-
Also, querying for additional information, are these clients images or straight installs.  Is the PDC a virtual machine?

-saige-
Forgot to mention, please provide the w32tm /monitor output.

-saige-
Avatar of wgroup

ASKER

I ran the commands as suggested and the results are below:

C:\>w32tm /config /syncfromflags:domhier /update
The command completed successfully.

C:\>net stop w32time && net start w32time
The Windows Time service is stopping.
The Windows Time service was stopped successfully.

The Windows Time service is starting.
The Windows Time service was started successfully.


C:\>w32tm /resync /rediscover
Sending resync command to local computer
The computer did not resync because no time data was available.

C:\>w32tm /monitor
EXPWIN01.exportdoc.local *** PDC ***[192.168.1.18:123]:
    ICMP: 2ms delay
    NTP: error ERROR_TIMEOUT - no response from server in 1000ms
DOCSWIN01.exportdoc.local[192.168.1.19:123]:
    ICMP: 0ms delay
    NTP: error ERROR_TIMEOUT - no response from server in 1000ms
Avatar of wgroup

ASKER

Clients are Dell factory installed images
PDC is not a virtual server
OK, you need to make sure your server is set to be the time server and your workstations are set to point to the server for the  time.
Is EXPWIN01 your PDC?  How many DC's do you have?

-saige-
On the PDC...

Open an administrative command prompt and type the following:

netstat -aon | find ":123"
Avatar of wgroup

ASKER

EXPWIN01 is the PDC, there is one other DC.
Avatar of wgroup

ASKER

netstat -aon | find ":123"  did not return anything.
That means that the time service is either not running on your PDC or the time service is configured to use a different port.

For example, on my PDC the above command produces the following output:
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>netstat -aon | find ":123"
  UDP    0.0.0.0:123            *:*                                    980
  UDP    [::]:123               *:*                                    980

C:\Windows\system32>

Open in new window


Where 980 is the process id.

When I look for 980 in my processes list I find:

User generated image-saige-
Avatar of wgroup

ASKER

This is what I see in the task manager.

User generated image
Download and run process explorer from Microsoft (if this is a 2012 Server you must run as Administrator).

http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

From there, right-click on the process you just highlighted and select Properties.  Go to the TCP/IP tab and see if you can find an entry like:
User generated image-saige-
Avatar of wgroup

ASKER

Mine is blank :-(User generated image
Try restarting the time service.  Also check the event log to see if you can find any errors associated with the Time Service.  One other thing, is the firewall enabled on your server?  If so, try turning the firewall off for the domain, public and privite profiles.  Then restart the time service.

If that turns out to be the culprit, you will need to open the Time Service ports on on the Firewall.

-saige-
Excerpt from - http://technet.microsoft.com/en-us/library/cc794937(v=ws.10).aspx


To check UDP port status on the PDC emulator
--------------------------------------------------------------------------------

1.To check inbound UDP port 123 status on the domain controller that is the PDC emulator, click Start, point to Administrative Tools, and then click Windows Firewall with Advanced Security.

2.Click Inbound Rules. Check that Active Directory Domain Controller - W32Time (NTP-UDP-In) has a status of enabled (green) and is not blocked:
      ◦ If this rule is disabled (dimmed), right-click the rule, and then click Enable.
      ◦ If the rule is blocked, right-click the rule, and then click Properties. Under Action, click Allow the connections, and then click OK.
3.To check outbound UDP port status on the domain controller, click Outbound Rules.
4.Check that Active Directory Domain Controller (UDP-Out) has a status of enabled and is not blocked:
      ◦ If the rule is disabled (dimmed), right-click the rule, and then click Enable.
      ◦ If the rule is blocked, right-click the rule, and then click Properties. Under Action, click Allow the connections, and then click OK.
-Or-
To open only outbound UDP port 123, create a separate outbound rule for the specific port, as follows:
      a. In Windows Firewall with Advanced Security, right-click Outbound Rules, and then click New.
      b. In the New Outbound Rule Wizard, click Port, and then click Next.
      c. Click UDP, click Specific local ports, type 123, and then click Next.
      d. Follow the directions in the wizard to configure the security settings and name the rule, and then click Finish.
5.To ensure that the PDC emulator responds, on an NTP client, repeat the test in step 2 of the procedure “To configure the Windows Time service on the PDC emulator” earlier in this topic.
-saige-
Avatar of wgroup

ASKER

Inbound for W32TIME and Outbound UDP-Out, both are enabled and green.
Please provide the properties for %systemroot%\system32\w32time.dll.

Also what OS and SP level is the PDC?

-saige-
Avatar of wgroup

ASKER

User generated imageWindows 2012 Server R2
This is funny.  Reenable your NTP Server via Group Policy.  Perform a gpupdate and then lets restart the time service on the server and run w32tm /monitor from an Administrative command prompt.

I don't know why M$ decided that if you set the group policy to disabled that it means don't allow the service to act as a time server especially since the domain is so time sensitive.

-saige-
ASKER CERTIFIED SOLUTION
Avatar of it_saige
it_saige
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Preferably, lets set the Time Policies back to Not configured.  And perform a GPUPDATE.

-saige-
Avatar of wgroup

ASKER

Saige, how do I go about implementing your suggestion about setting the Time Policies back to Not configured and perform a GPUPDATE?
In this post, here, you mention:

Computer Configuration - Admin Templates - System - WTS - Time Providers shows

CONFIG W NTP Client enabled
Enable W NTP Client enabled
Enable W NTP Server enabled

I changed them to disabled on the server; re-querying on the workstation, now it says disabled.
Was this accomplished via Group Policy or Local Policy?  This can be determined by running the Resultant Set of Policy on the DC [Refer to this post].

If it is group policy then on the DC open the Group Policy Management applet:

Start -> gpmc.msc

If it is a local policy then on the DC open Local Policy Management applet:

Start -> gpedit.msc

Once open, browse to Computer Configuration - Admin Templates - System - WTS - Time Providers shows and set all three to Not Configured.User generated image-saige-
I have signed up today for this site my clients were not syncing with server, after reading this i have the clients syncing with server. so thanks for the above help.
 the only issue i have now is getting the server to sync with external Ntp because server source still says CMOS.
should i talk here or create a new topic?
@andrew_nyc You should create a new topic since you would not be able to assign any points for the resolution.

-saige-
Avatar of wgroup

ASKER

I broke-down and finally called Microsoft support.  Apparently something botched during installation and the W32time instance always thought that we are in PST.   What I understood is that once clients all adopted the locale from the server once it is not a straightforward task to resync.    I had to run a registry update on all PCs manually for the update to take place so that all clients would see the server IP as the time source and for the server nist.gov as the source.  

Thanks to all who participated in the discussion.   It was a good learning experience for me.   Have a great post-Halloween weekend.
Avatar of wgroup

ASKER

Saige, you directed to me to the right path but I did not have enough experience with the time synchronization; hence called MS Support and have them walk me through.    Thanks for all your assistance.