Solved

windows 2008 ntp sync issue

Posted on 2014-09-28
Last Modified: 2015-01-05
Hi, I am running a Windows 2008 domain, but currently all machines are in the default computer container and all have internet access via my ASA5505 firewall.

Note: the current clock time is 14:00 28 Sep 2014, so I decided to change it to 13:00 28 Sep 2014, thinking that the below would correct the master DC clock via the ASA5505 set as:

config t
ntp server 192.168.0.254 source inside - this ip address is my internal master dc

----------------------------------------------

Just for the purposes of confirming I have the correct configuration, I have opened my master DC/AD/DNS/DHCP server via its default domain controller container, accessed the GPMC, and edited and enabled the following:

computer config/admin template/system/windows time service:
global configuration settings - enabled

computer config/admin template/system/windows time service/time providers:
enable windows ntp server - enabled

step 2

ran: gpupdate & logged off and on

qns1. I have also rebooted the master DC and the clock has not corrected itself - why?
Question by:mikey250

Author Comment

by:mikey250
Hi, the time has changed to the correct time about 30 mins ago.

In order to double check I manually changed the time back 1 hour and waited 15 mins after following the above instructions and the time has not changed back.

I then did the following but still the time has not changed back to the correct time of: 18:07 pm:

    net stop w32time
    w32tm /config /syncfromflags:manual /manualpeerlist:88.143.128.123,0x9,time.windows.com,0x9
    net start w32time
asaconfigs.TXT

Assisted Solution

by:Ganesh Kumar A
Note: ASA can only act as an NTP client, not as an NTP server. Just point the hosts to an external NTP server and let them sync.

In ASA:
If the ASA is not syncing with the public NTP server, you need to check whether those IPs are reachable; sometimes, due to plenty of NTP sessions on the public time server, it might not have synced.

In Primary domain controller:
Check that the public time server is accessible from your PDC (AD).
The w32tm /? command will give you more options to verify and sync.
Have you set the PDC as the time source, which I had mentioned in my previous threads?
Also ensure you allow the specific ports on the Windows firewall as well, or it should be disabled.
The above-mentioned command will work only on Windows, not on the ASA.
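
The PDC-side checks suggested in this answer, written out as an added example (not part of the original thread or any poster's own commands). The host ntp.example.net is a placeholder assumption; time.windows.com is the peer named in the thread.

```powershell
# Added example: run in an elevated PowerShell session on the PDC emulator.
# Assumption: $PeerHosts. time.windows.com is from the thread; ntp.example.net
# is a placeholder for a second upstream server you are allowed to use.
$PeerHosts = 'time.windows.com', 'ntp.example.net'

# 1. Ping only proves ICMP works. Ask each peer for real NTP samples (UDP 123),
#    which also exercises the Windows firewall and the ASA outbound rules.
foreach ($peer in $PeerHosts) {
    w32tm /stripchart "/computer:$peer" /samples:3 /dataonly
}

# 2. Build the peer list: entries separated by spaces inside ONE quoted string,
#    each with its own ",0x9" flag (0x1 SpecialInterval + 0x8 Client).
$PeerList = [string]::Join(' ', ($PeerHosts | ForEach-Object { "$_,0x9" }))

# 3. Sync from the manual peers only, advertise this DC as a reliable source,
#    and apply the change to the running service.
w32tm /config "/manualpeerlist:$PeerList" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time

# 4. Force a resync now instead of waiting for the next poll interval.
w32tm /resync /rediscover

# 5. Verify which source the service actually selected and its stratum.
$source = (w32tm /query /source | Out-String).Trim()
$status = w32tm /query /status | Out-String
"Time source: $source"

if ($source -match 'Local CMOS Clock|Free-running System Clock') {
    Write-Warning 'Not syncing from any peer: check UDP 123 and the peer list.'
}

# A client reports its source's stratum plus one, so a value of 3 here means
# the upstream peer is stratum 2. (English w32tm output assumed for the match.)
if ($status -match 'Stratum:\s*(\d+)') {
    "Stratum reported by this DC: $($Matches[1])"
}
```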
 

Accepted Solution

by:mikey250
Hi ganesh,

I have manually set my master DC back to the correct time, i.e. 4 Oct 2014 16:55 pm

on my local switch I added:

config t

int fa0/3
description connected to asa-firewall-eth1
switchport mode trunk
speed 100
duplex full
no shut


question 1

ntp source vlan 1 - currently all my internal LAN is on VLAN 1. However, I did try vlan 2 but got invalid input?
ntp server 88.149.128.123

sh ntp status via master dc - showing sync to 88.149.128.123 & stratum 3 successfully
 

Author Comment

by:mikey250
Hi ganesh, I have also added the below:

clock timezone cst/gmt -0
clock summer-time recurring

ip default-gateway 192.168.0.1 - points to my asa internal lan

Expert Comment

by:Ganesh Kumar A
Is it working properly or are you facing issues?

Author Comment

by:mikey250
Hi ganesh, apologies for taking a while to return.

- I can ping the external NTPs successfully
- my ASA has synced with the external NTPs successfully
- show ntp status shows this successfully, but it also shows 'stratum 3' and I was expecting it to be stratum 1, for example?
- internal master DC can ping the external NTP successfully
- internal master DC clock is also set
- internal master DC is configured:

config t
clock timezone cst/gmt -0  (for the UK I think this is correct?)
clock summer-time recurring


qns1. (your previous comments) - "asa can only act as an ntp client, not as a ntp server. Just point the hosts to an external ntp server and let them sync." - surely my ASA should be an NTP server as below, and the internal master DC should also be an NTP server as below, because if my ASA went down/faulty then my master DC would act as the NTP server?

ntp server 192.168.0.x/24 - the reason behind this is the client machines will be set: ntp client etc?
ntp server source x.x.x.x (the external ntp)

Note: I have not added authentication at this stage as I am just confirming the above is correct.
 

Author Comment

by:mikey250
Hi, I was still trying to get a response to my 2 questions below: (??)

- I can ping the external NTPs successfully
- my ASA has synced with the external NTPs successfully

- show ntp status shows this successfully, but it also shows 'stratum 3' and I was expecting it to be stratum 1, for example?

- internal master DC can ping the external NTP successfully
- internal master DC clock is also set
- internal master DC is configured:

config t
clock timezone cst/gmt -0  (for the UK I think this is correct?)

clock summer-time recurring

Assisted Solution

by:Ganesh Kumar A
If your ASA is syncing and acting as an NTP server, fine, you can continue. You cannot expect a Stratum 1 server; it is the most polled server, which might return or redirect to stratum 3. There is no point in worrying about it. If you have good time sync in your environment and clients, you won't face issues. Check your time zone; whichever it says is nearest, it syncs. Moreover, the NTP client knows how to adjust between the time zones if any NTP client is configured to have a different time zone.
 

Author Comment

by:mikey250
OK, thanks for that, I wasn't sure.
 

Author Closing Comment

by:mikey250
Sound advice, appreciated.