Solved

Help with internal NTP server

Posted on 2015-01-29
12
35 Views
Last Modified: 2016-06-18
I recently discovered that not all of our servers are in sync with our internal NTP server that resides on our Server 2012 R2 Domain Controller.  We recently moved from Server 2003 to 2012 about 4 months ago.  We have a mixed server environment including Servers 2003 R2, 2008, 2008 R2 and 2012 R2.  Everything worked fine with 2003.  All of our 2012 servers sync with no problem but only some of the 2003 and 2008 are in sync.  I also should state that these are all virtual servers.  I made sure all the VM tools were up to date and that the most current Windows updates were completed but for some reason, some of the servers won't sync.  I've tried forcing sync via CLI in command prompt and I made sure that the virtuals were in sync with their host which I resync'd in vSphere.  Does anyone have an idea how I can get this to work throughout my entire server farm?  Also, we have two RHEL4 servers that pointed to the 2003 server and stayed in sync but they don't with 2012.
0
Comment
Question by:HallsIT
  • 7
  • 3
12 Comments
 
LVL 34

Assisted Solution

by:Seth Simmons
Seth Simmons earned 250 total points
ID: 40578138
is the server holding the PDC emulator role configured to use an external source?
clients will automatically point to that server for time
the linux clients will then need to change to that server (if it isn't already)

How to configure an authoritative time server in Windows Server
http://support.microsoft.com/kb/816042
0
 

Author Comment

by:HallsIT
ID: 40578146
Yes, it is holding the PDC emulator.  As for the Linux box, we kept the same IP Address for the Domain Controllers as they were for the old 2003 DC's.

Also to note, our desktops are all Windows 7 and they're in sync alone with my Windows 8.1 desktop.
0
 
LVL 76

Expert Comment

by:arnold
ID: 40578147
on server 2003 you would use net time \\servername /querysntp to see its current settings.
If you need to change, net time \\servername /setsntp:"servers to which you want it synchronized"

note the difference in time could be a misconfiguration of the timezone. i.e. are they off by hour/s

on windows 2008 and newer, net time was replaced with w32tm /tz to see the timezone
to access a different system w32tm /computer:servername

What is different between the similar systems windows 2003, 2008 that do sync and that do not?



I believe there is a fix for VMs to sync.

Double check the 2012 advanced firewall settings allow the NTP requests to come through Work/home/domain public.  IT depends on how the client is seen on the network.
0
 

Author Comment

by:HallsIT
ID: 40578167
The time "mismatch" is only a matter of minutes.  It's ironic that all the 2003 servers that don't sync are about 2 minutes ahead of NTP and the 2008 servers are about 1 minute ahead of the NTP server so time zone is not an issue.

In terms of what's similar and different between 2003 and 2008...nothing stands out.  I spent most of yesterday and last night trying to find out this specific question but couldn't find anything that stood out.

I'm going to try the command line Arnold posted and I'll let you know the results.
0
 

Author Comment

by:HallsIT
ID: 40578169
Also, all internal Windows firewalls are turned off via group policy so the Windows firewall is not the culprit either.
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 76

Expert Comment

by:arnold
ID: 40578269
strange thing I've seen even with the GPO disabling the firewall, some settings still make it an issue.
Are all systems joined into the AD, I think there is/was a vmware fix that dealt.

your issue seems to be a drift.
Are all Vmware hosts on the same vmware version? Do the Vms with these issues span multiple hosts, or are they fall under the same host/vmware version?
0
 

Author Comment

by:HallsIT
ID: 40578294
Thanks to Arnold, I figured out the difference.  Some of our servers are point to time.windows.com,0x1 and some are pointing to my domain controller 192.168.0.x,0x8.  It seems the servers point to my domain controller are correct according to NIST but, in saying that, my domain controller is wrong.

I need to configure my internet NTP to point to NIST.
0
 

Author Comment

by:HallsIT
ID: 40578296
Arnold, Yes, all VMware hosts are of the same VMware ESXi version.  Yes, the VM's with the issues span all three of my hosts.
0
 

Author Comment

by:HallsIT
ID: 40578299
The link you gave me is for me to point to the Windows time server which, I found it is actually between 1 and 2 minutes behind NIST.  It also seems Verizon uses NIST because my cell phone is in sync with NIST to the second.
0
 
LVL 76

Accepted Solution

by:
arnold earned 250 total points
ID: 40578300
you need to make sure your 2012 DC is synchronizing to nist  or to an ntp.org local/regional set of servers.

Public NTP <=> your 2012 DC <=> your LAN/VMs
0
 

Author Comment

by:HallsIT
ID: 40578307
I agree in light of my new findings.  Thanks for your assistance.  I'm working on it now.  I will keep you informed.
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

This is a little timesaver I have been using for setting up Microsoft Small Business Server (SBS) in the simplest possible way. It may not be appropriate for every customer. However, when you get a situation where the person who owns the server is i…
Little introduction about CP: CP is a command on linux that use to copy files and folder from one location to another location. Example usage of CP as follow: cp /myfoder /pathto/destination/folder/ cp abc.tar.gz /pathto/destination/folder/ab…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now