Solved

windows 2008 ntp sync issue

Posted on 2014-09-28
Last Modified: 2015-01-05
hi I am running a windows 2008 domain, but currently all machines are in the default computer container & all have internet access via my asa5505 firewall.

note: current clock time is 14:00 28 sep 2014, so I decided to change to: 13:00 28 sep 2014 - thinking that the below would correct master dc clock via asa5505 set as:

config t
ntp server 192.168.0.254 source inside - this ip address is my internal master dc

----------------------------------------------

just for the purposes of confirming I have the correct configuration I have opened my master dc/ad/dns/dhcp server via its default domain controller container and accessed the gpmc and edited & enabled the following:

computer config/admin template/system/windows time service:
global configuration settings - enabled

computer config/admin template/system/windows time service/time providers:
enable windows ntp server - enabled

step 2

ran: gpupdate & logged off and on

qns1.  I have also rebooted the master dc and the clock has not corrected itself  - why  ?
Question by:mikey250
12 Comments
 

Author Comment

by:mikey250
ID: 40348721
hi the time has changed to the correct time about 30 mins ago.

In order to double check I manually changed the time back 1 hour and waited 15 mins after following the above instructions and the time has not changed back.

I then did the following but still the time has not changed back to the correct time of: 18:07 pm:

    net stop w32time
    w32tm /config /syncfromflags:manual /manualpeerlist:88.143.128.123,0x9,time.windows.com,0x9
    net start w32time
asaconfigs.TXT
 
LVL 12

Assisted Solution

by:Ganesh Kumar A
Ganesh Kumar A earned 2000 total points
ID: 40349143
Note: The ASA can only act as an NTP client, not as an NTP server. Just point the hosts to an external NTP server and let them sync.

In ASA:
Assuming the ASA is not syncing with the public NTP server, you need to check whether those IPs are reachable; sometimes, due to plenty of NTP sessions on the public time server, it might not have synced.

In Primary domain controller:
Check that the public time server is accessible from your PDC (AD).
The w32tm /? command will give you more options to verify and sync.
Have you set the PDC as the time source, which I mentioned in my previous threads?
Also ensure you allow the specific ports on the Windows firewall as well, or it should be disabled.
The above-mentioned command will work only on Windows, not on the ASA.
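
The domain-controller checks listed in the answer above, written out as an added example (not part of the original thread and not the poster's own commands). The peer names and the firewall rule name are placeholders chosen here; note that w32tm takes multiple peers as one quoted, space-separated string.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt on the
# domain controller that holds the PDC emulator role.
# Assumption: the peers below are placeholders for the external NTP servers you use.
$peers = @('0.pool.ntp.org', '1.pool.ntp.org')

# 1. Test reachability over NTP (UDP 123) rather than ICMP: a host can answer ping
#    while NTP is filtered. Each sample prints the measured offset or an error code.
foreach ($p in $peers) {
    w32tm /stripchart /computer:$p /samples:3 /dataonly
}

# 2. Let domain members reach this DC's time service through Windows Firewall.
#    The rule name is arbitrary (chosen for this example).
netsh advfirewall firewall add rule name="NTP-UDP-In-example" dir=in action=allow protocol=UDP localport=123

# 3. Point the PDC emulator at the external peers and mark it as a reliable source.
#    Peers go in ONE quoted string separated by spaces; the 0x8 flag means client mode.
$peerList = [string]::Join(' ', @($peers | ForEach-Object { "$_,0x8" }))
w32tm /config /manualpeerlist:"$peerList" /syncfromflags:manual /reliable:yes /update

# 4. Restart the service, force a sync, then read back what the service is using.
Restart-Service w32time
w32tm /resync /rediscover
w32tm /query /source    # should name one of the configured peers
w32tm /query /status    # Stratum here is the upstream source's stratum plus one
w32tm /query /peers     # per-peer state and time of last sync
```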
 

Accepted Solution

by:
mikey250 earned 0 total points
ID: 40361339
hi ganesh,

I have manually set my master dc, back to the correct time ie 4 oct 2014 16:55 pm

on my local switch I added:

config t

int fa0/3
description connected to asa-firewall-eth1
switchport mode trunk
speed 100
duplex full
no shut


question 1

ntp source vlan 1 - currently all my internal lan is on vlan 1.  however I did try vlan 2 but invalid input  ? ?
ntp server 88.149.128.123

sh ntp status via master dc - showing sync to 88.149.128.123 & stratum 3 successfully
 

Author Comment

by:mikey250
ID: 40361343
hi ganesh, also I have also added below:

clock timezone cst/gmt -0
clock summer-time recurring

ip default-gateway 192.168.0.1 - points to my asa internal lan
 
LVL 12

Expert Comment

by:Ganesh Kumar A
ID: 40366225
Is it working properly or are you facing issues?
 

Author Comment

by:mikey250
ID: 40374685
hi ganesh, apologies for taking a while to return.

- I  can ping the external ntp's successfully
- my asa has sync'd with external ntps successfully
- show ntp status shows this successfully but it also shows 'stratum 3' but was expecting it to be stratum 1 for eg ?
- internal master dc can ping external ntp successfully
- internal master dc clock is also set
- internal master dc is configured:

config t
clock timezone cst/gmt -0  (for the uk I think is correct )  ?
clock summer-time recurring


qns1.  (your previous comments)   -  "asa can only act as an ntp client, not as a ntp server. Just point the hosts to an external ntp server and let them sync."  - surely my asa should be ntp server as below & internal master dc should also be ntp server as below because if my asa went down/faulty then my master dc would act as the ntp server ?

ntp server 192.168.0.x/24 - the reason behind this is the client machines will be set: ntp client etc  ?
ntp server source x.x.x.x (the external ntp)

note: not added authentication at this stage as just confirming above is correct
 

Author Comment

by:mikey250
ID: 40525211
hi i was still trying to get a response to my 2 questions below: (??)  

- I  can ping the external ntp's successfully
- my asa has sync'd with external ntps successfully

- show ntp status shows this successfully but it also shows 'stratum 3' but was expecting it to be stratum 1 for eg  ?

- internal master dc can ping external ntp successfully
- internal master dc clock is also set
- internal master dc is configured:

config t
clock timezone cst/gmt -0  (for the uk I think is correct )   ?

clock summer-time recurring
 
LVL 12

Assisted Solution

by:Ganesh Kumar A
Ganesh Kumar A earned 2000 total points
ID: 40525335
If your ASA is syncing and acting as an NTP server, fine. You can continue. You cannot expect a Stratum 1 server; it is the most polled server, which might be returned or redirected to stratum 3. There is no point in worrying about it. If you have good time sync in your environment and on the client, you won't face issues. Check your time zone, whichever it says nearest it syncs. Moreover, the NTP client knows how to adjust between the time zones if any NTP client is configured with a different time zone.
 

Author Comment

by:mikey250
ID: 40525351
ok thanks for that, I wasn't sure.
 

Author Closing Comment

by:mikey250
ID: 40531159
sound advice appreciated.