How to correctly use the w32tm command when your PDC with all the FSMO roles is a Hyper-V machine running on a physical machine

I had this question after watching Windows Server 2012 – Configuring NTP Servers for Time Synchronization.

I have two physical machines and 6 VM's.   My DC's run in a Hyper-V environment.
Here is the output from the Host (physical machine)

Run from the HOST:
C:\Windows\system32>w32tm /query /configuration
[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 5 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 10 (Local)
MaxPollInterval: 15 (Local)
MaxNegPhaseCorrection: 4294967295 (Local)
MaxPosPhaseCorrection: 4294967295 (Local)
MaxAllowedPhaseOffset: 300 (Local)

FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 1 (Local)
UpdateInterval: 30000 (Local)


[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NT5DS (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 0 (Local)
InputProvider: 0 (Local)



C:\Windows\system32>w32tm /query /source
DC2.my.domain  *NOTE(on another physical Host it may say DC1.my.domain)
________________________________________________________________________________________
OUTPUT FROM DC running Hyper-V:
C:\>w32tm /query /configuration
[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 5 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)

FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)


[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NT5DS (Local)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)


C:\>w32tm /query /source
VM IC Time Synchronization Provider


_____________________________________________
My clock is running 2min 27 seconds behind GMT time.  As you can see my problem.  I have the physical machine that reads its time, then the DC with all the FSMO roles that reads the time from the HOST.  My Hyper-V DC is set to run the "VM IC Time Synchronization"

I need help to get my time corrected.  
To add I'm not currently sure if I need to simply run some w32tm commands, use group policy, or both.
I have run the w32tm from the host as such:
w32tm /config /manualpeerlist:”time.nist.gov” /reliable:yes /update

"Yes I stop the time service and restarted, but still behind 2min 27 sec"

I saw the registry key change in the registry on the HOST from:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

Original Key was: time.windows.com,0x9
Now the registry key is: "time.nist.gov”

I really don't care where I get my synced as long as it is correct.

I hope I include all vital material.
Your help is greatly appreciated.

P.S. All Operating Systems are 2012R2
grizrulesAsked:

Cliff GaliherCommented:
Right now, Microsoft's most current guidance is to disable the time service for domain controllers and let them sync using domain hierarchy rules. Which also means making sure your PDCe is pointing towards a valid authoritative time source (GPS device, internet time server, etc.)  All other VMs should still have the service enabled.

https://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv(WS.10).aspx
Hypercat (Deb)Commented:
As far as I know (and I'm saying this based on my knowledge of how VMWare VMs synch with their host machine), the VMs synch with the hardware clock on the host machine. The server that you need to set to synchronize with time.nist.gov is the DC that has the PDC Emulator role on your domain.  This is the machine that all other servers and clients on your domain will get their time from. I assume this machine is one of your VMs, so what you need to do is remove the setting or command to synch your DC with the host machine and instead set your VM that is your PDC Emulator to synch with time.nist.gov. That way, you're not relying on the accuracy of the hardware clock on the host machine.
grizrulesAuthor Commented:
Hyper CAT and Cliff, thank you for your quick comments.
With what you stated you are telling me to turn off time sync on my two DC's that are Active Directory Hyper-V machines
and have them point to time.nist.gov ( I have read from:
http://www.tomgeraghty.co.uk/2013/01/09/virtual-domain-controllers-and-time-in-a-hyper-v-environment/ 
)
Not to turn off integrated services.

Just to add a point to this conversation:  The registry key on DC1 and DC2 both Hyper-V 2012R2 machine's with Time Sync enabled as integrated service.  

To recap the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
On the HOST1 & 2 plus Hyper-V DC1 and DC2 are set to time.nist.gov, but time sync is on through integrated services via Hyper-V.

What I'm getting from this is turn off integrated time sync on the Hyper-V DC's (DC1 has all the FSMO roles)  DC2 is a secondary.  *NOTE DC1 is the primary running of off physical HOST1 and DC2 secondary is running off of physical HOST2.

Please confirm that you are suggested to disable Integrated Services on the Hyper-V DC's and then just basically restart the w32tm service?
This is actually a bit tricky isn't it?  It almost seems I could just adjust the time on the HOST manually, but I don't want to get off topic.
Lastly how can I test that the time is not blocked through the firewall?

tigermattCommented:
[Full disclosure: I've not watched the video you link to.]

First problem: you have too many sources claiming to be authoritative for time. Time needs to be distributed according to a hierarchy, with ONE authoritative source at the top, which synchronizes either with itself (and self-declares itself as the single authoritative source at the behest of anybody else trying to do so) OR syncs with an external source.

In an Active Directory environment, as you point out the PDC Emulator is the most authoritative time source.

First: for domain-joined member servers, you should switch off the option in Hyper-V to sync time with the host system. The VMs obtain time from a Domain Controller directly, and do not need to also receive time from the host.

Second: you should ensure ALL members are configured in the "W32Time\Parameters" registry key you referenced with the "Type" value set to "NT5DS". Both the servers you listed above report this in the /query /configuration output. NT5DS means member servers and workstations will automatically find a source of time to synchronize with from a Domain Controller, and Domain Controllers will synchronize with the server holding the PDC Emulator role.

If you are in doubt about your time configuration or have made lots of changes to try to fix this, run the following commands to re-register the time service with default settings:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time


Third: you should configure the PDC emulator FSMO role holder to sync with a suitable external source, and declare itself reliable. You have tried this, but missed a crucial step in the command (I don't know if this is an omission in the video) -- the command doesn't include the "syncfromflags" parameter to direct the machine to sync time from the remote NTP source, rather than itself. So the command to run on the PDCe should be
w32tm /config /manualpeerlist:"time.nist.gov,0x8" /syncfromflags:"MANUAL" /update
w32tm /config /reliable:yes /update


The first line directs the machine to sync with time.nist.gov in client mode; the second directs that the server is a reliable source of time for the enterprise.

Remember to check any NTP server you sync with satisfies any SLAs you are required to adhere to. Free NTP servers do not have any contractual obligation to you to be available or provide reliable data, and while the NTP daemon is fairly good at ignoring faulty servers, a local hardware source of time (synced up to a GPS clock for example) is often a good substitute when policy dictates you must offer a stronger guarantee than just making the users happy with correct clocks.

Fourth: if you have manually configured any registry settings or Group Policy objects related to Windows Time, in particular all the complex parameters regarding clock skew, frequency, etc., disable, delete or reverse them. They are not necessary to configure, and invariably just cause major problems.

Fifth: restart the NTP service and wait. Remember a good NTP client will NOT simply jump the clock forward or back to the time reported by the external NTP source, but will adjust the clock rate so as to smear the necessary change over a longer period of time. Computers, and in particular applications, database systems, etc. don't play well if they don't see a particular time or if they see the same time twice. The NTP daemon will instead vary the rate at which timer interrupts advance the system clock; if your system ticks at 1000 Hz, and your clock is slow, then the daemon will adjust the clock temporarily so that 1 second = < 1000 ticks so the clock gradually catches up with real time.
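Added example, not part of the thread: one way to check a machine against the hierarchy described above, using the text of `w32tm /query /configuration` and `w32tm /query /source`. The function names and role labels are assumptions made for this illustration; the first sample is the [TimeProviders] section of the DC output posted in the question, and the other inputs are constructed.

```powershell
# Added example: audit one machine's W32Time settings against its role.
# Works on captured text, so it runs offline. On a live machine pass
#   (w32tm /query /configuration | Out-String)  and  (w32tm /query /source).

function Get-W32tmProviderSettings {
    param([Parameter(Mandatory)][string]$ConfigText)
    # Returns provider name -> hashtable of that provider's settings.
    $providers = @{}
    $current = $null
    foreach ($raw in ($ConfigText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^(NtpClient|NtpServer|VMICTimeProvider)\s+\(\w+\)$') {
            $current = $Matches[1]
            $providers[$current] = @{}
        }
        elseif ($current -and $line -match '^(\w+):\s+(.+?)\s+\(\w+\)$') {
            $providers[$current][$Matches[1]] = $Matches[2]
        }
    }
    $providers
}

function Test-TimeRole {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('PDCe', 'DC', 'Member')][string]$Role,
        [Parameter(Mandatory)][string]$ConfigText,
        [Parameter(Mandatory)][string]$Source
    )
    $p = Get-W32tmProviderSettings -ConfigText $ConfigText
    $type = if ($p.ContainsKey('NtpClient')) { $p['NtpClient']['Type'] } else { $null }
    # Reported for information only; the source is what shows who drives the clock.
    $vmic = $p.ContainsKey('VMICTimeProvider') -and ($p['VMICTimeProvider']['Enabled'] -eq '1')
    $findings = New-Object System.Collections.Generic.List[string]

    # The answers in the thread differ on member servers, so only DCs are flagged here.
    if ($Role -ne 'Member' -and $Source -match '^VM IC Time Synchronization Provider') {
        $findings.Add('Domain controller follows the Hyper-V host clock.')
    }
    if ($Source -match '^Local CMOS Clock') {
        $findings.Add('No time source selected yet; query again later.')
    }
    if ($Role -eq 'PDCe' -and $type -ne 'NTP') {
        $findings.Add("Type is '$type'; the PDC emulator needs a manual peer list (Type NTP).")
    }
    if ($Role -ne 'PDCe' -and $type -ne 'NT5DS') {
        $findings.Add("Type is '$type'; only the PDC emulator syncs externally, others use NT5DS.")
    }
    [pscustomobject]@{
        Name = $Name; Role = $Role; Type = $type; Source = $Source
        VmicProviderEnabled = $vmic; Findings = $findings.ToArray()
    }
}

# [TimeProviders] section of the DC output posted in the question (abridged).
$dcAsPosted = @'
[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
SpecialPollInterval: 3600 (Local)
Type: NT5DS (Local)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
'@

# Constructed variant: the same text once /syncfromflags:MANUAL has set Type to NTP.
$manualPeer = $dcAsPosted -replace 'Type: NT5DS', 'Type: NTP'

$results = @(
    Test-TimeRole -Name DC1 -Role PDCe -ConfigText $dcAsPosted -Source 'VM IC Time Synchronization Provider'
    Test-TimeRole -Name DC1 -Role PDCe -ConfigText $manualPeer -Source 'time.nist.gov,0x8'
    Test-TimeRole -Name DC2 -Role DC   -ConfigText $manualPeer -Source 'time.nist.gov'
    Test-TimeRole -Name DC2 -Role DC   -ConfigText $dcAsPosted -Source 'DC1.mydomain.local'
)

foreach ($r in $results) {
    $status = if ($r.Findings.Count) { 'REVIEW' } else { 'OK' }
    '{0} ({1}) source={2} -> {3}' -f $r.Name, $r.Role, $r.Source, $status
    $r.Findings | ForEach-Object { "    - $_" }
}
```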
tigermattCommented:
"turn off time sync on my two DC's that are Active Directory Hyper-V machines and have them point to time.nist.gov"
Yes, hypercat and Cliff are suggesting to modify the Hyper-V options for the VM to disable time sync; in fact, disable for all domain joined VMs. No registry modifications required; on the Hyper-V host, edit the VM settings, go to Integration Services and uncheck time synchronization.

Only ONE DC should be configured to sync to an external source -- the one with the PDC emulator role. All others should be left in their default configuration, in particular with the Type registry key set to NT5DS. See this blog post for details of how Windows time propagates: http://blogs.msdn.com/b/w32time/archive/2007/09/04/keeping-the-domain-on-time.aspx

"This is actually a bit tricky isn't it?  It almost seems I could just adjust the time on the HOST manually, but I don't want to get off topic."
Is the Hyper-V host a domain member (possible with virtualised DCs in 2012 and onwards)? If so, it will sync with the domain hierarchy in the usual way when it finds a DC. If it's not, then the Hyper-V hosts are the exception to the rule, and you can manually configure their NTP clocks to sync with either an external source or one (or both) of the DCs (preferred so the DCs are still the authoritative source of time).

"Lastly how can I test that the time is not blocked through the firewall?"
Use the w32tm /stripchart option with /computer set to an external time server (such as time.nist.gov) and /dataonly set. If you see responses showing the offset between the local clock and the remote source, UDP port 123 is passing to that machine correctly.

(Sorry hypercat and Cliff; my slow typing walked on their responses again, but the above basically says what they already said!)
Cliff GaliherCommented:
"I have read from: http://www.tomgeraghty.co.uk/2013/01/09/virtual-domain-controllers-and-time-in-a-hyper-v-environment/ ) Not to turn off integrated services."

That's the main reason I provided a link to *OFFICIAL* Microsoft guidance. There is plenty of bad advice on the net, and advice does change as well (what worked a few years ago may not apply today.)

Disable the time sync service. Not all integration services, but yes disable the time sync service. That is current guidance from MS as evidenced by the link I posted.

"To recap the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
 On the HOST1 & 2 plus Hyper-V DC1 and DC2 are set to time.nist.gov, but time sync is on through integrated services via Hyper-V."

That's a mistake.  You should have the PDCe (by default and convention) point to an external time source.  Other DCs will sync with the DC and should *not* sync externally. Otherwise you introduce potential for more skew, not less, and potential Kerberos issues as well. Note that this has nothing to do with virtualization. The guidance here is the same if you had all physical DCs.

"This is actually a bit tricky isn't it?  It almost seems I could just adjust the time on the HOST manually, but I don't want to get off topic."

If the hosts are domain joined, you can actually cause a true race-condition loop.  Windows has a hierarchy where time is resolved. DCs resolve from the PDCe.  Member servers and clients resolve to their preferred DC (based on availability at boot, site location, latency, etc.)

If your hosts are workgroup and not domain joined, yes, you could technically just adjust the host and let time-sync force the issue. But you still introduce a jarring effect to the clock, could still end up with Kerberos issues, and should maintenance ever be required by a 3rd-party, they may not be aware you were going against best practices and could further make a disaster of things.  It is best to do the more complicated, yet still right, thing than to do the easy but wrong thing.
grizrulesAuthor Commented:
Okay so what I got from all of this is:

Disable "just time sync" on the Hyper-V Domain controllers.  Or just on DC1 with the FSMO, or disable Time synch on ALL of the VM's and run the below command on DC1 (HYPER-V machine running Win2012R2)

Run:
1. Stop the w32tm service ( on just VM DC1? and disable time sync integrated service ( on all VM's or just the VM with the FSMO roles )
2. Run w32tm /config /manualpeerlist:"time.nist.gov,0x8" /syncfromflags:"MANUAL" /update
3. Run w32tm /config /reliable:yes /update
4. Restart the w32tm service
On DC1 and DC2 (Hyper-V machine's running off of different HOST; DC1 VM, running off of host1, and DC2 running off of host2)

I appreciate all the quick feedback
tigermattCommented:
"Disable "just time sync" on the Hyper-V Domain controllers.  Or just on DC1 with the FSMO, or disable Time synch on ALL of the VM's and run the below command on DC1 (HYPER-V machine running Win2012R2)"
Disable on both DCs. Preferably also on any other Virtual Machines which are not DCs but are joined to the domain. They sync with the DCs, not the host.

"Run [...] On DC1 and DC2"
No, only on the one with the PDC emulator role. If DC1 is the PDC emulator, then DC2 will sync with it.
grizrulesAuthor Commented:
I'll give it a shot tonight.

Disable Time sync on ALL hyper-V machine regardless whether they are DC's or members.  

1. Stop the w32tm service
2. Disable integrated time sync on ALL Hyper-V machine's
3. Run the following on DC1 (Hyper-V which holds all the FSMO roles)
-w32tm /config /manualpeerlist:"time.nist.gov,0x8" /syncfromflags:"MANUAL" /update
-w32tm /config /reliable:yes /update
4. Restart the w32tm time service on DC1 (HYPER-V with all FSMO roles)

Is there still a need to run this before or after the above?

net stop w32time
w32tm /unregister
w32tm /register
net start w32time

Thank you all for your help
tigermattCommented:
"Is there still a need to run this before or after the above?"
Only if you have re-configured substantially the time service in the registry or Group Policy and you don't know its configuration is in a consistent state. Try without; if it doesn't work, then you can do the reset.

"Restart the w32tm time service on DC1 (HYPER-V with all FSMO roles)"
It won't "jump" to the correct time immediately, but after restarting you should see an event logged in the event logs to the tune of "syncing time with remote source <IP address>:123".

You can also use the command w32tm /monitor to see who the machine is syncing with, the offset, etc.
Cliff GaliherCommented:
As an aside, right now the current official guidance is to disable time-sync on domain controllers.  I still personally recommend leaving it enabled on member servers for a variety of reasons.

The rest looks good. As for the last bit. No need to unregister and register.  Just stop and start the time service.
grizrulesAuthor Commented:
Okay I will try it tonight and let you guys know tomorrow how it goes.  Thank you and I WILL follow up
grizrulesAuthor Commented:
If I don't respond tomorrow that means things went drastically wrong and I'm fired.  LOL
grizrulesAuthor Commented:
I will add this about GROUP POLICY , the DEFAULT DOMAIN POLICY RUNS these Servers , it's a small company,
I was told to check : Computer Config\Policies\Administrative templates\ Windows components\ Windows Time *
However in my GPO I have NO Windows time* folder.  It goes from Windows System Resource Manager to Windows update.
So I guess this means there is no group policy that will get in my way correct?
it_saigeDeveloperCommented:
I agree with Cliff.  I currently have two HyperVisors with DC's, member servers and workstations on them.  Only on the DC VM's have I disabled the HyperV Time Integration Service, all of the other VM's are running with all Integration Services enabled.

-saige-
tigermattCommented:
"I was told to check : Computer Config\Policies\Administrative templates\ Windows components\ Windows Time *"
I believe it's actually under System\Windows Time Service (?) but I don't have the means to verify on a live system right now.

"the DEFAULT DOMAIN POLICY RUNS these Servers"
As a side note for future reference, it's generally recommended not to modify the Default Domain Policy, but to create a separate policy with any "global" settings present there. 99 times out of 100 it won't harm, but it can cause occasional issues in the long run if you have to re-create that policy due to corruption or similar.
it_saigeDeveloperCommented:
Time policies are located in 'Computer Configuration\Policies\Administrative Templates\System\Windows Time Service'

-saige-
it_saigeDeveloperCommented:
[Screenshot: Capture.JPG]

-saige-
grizrulesAuthor Commented:
Yup I don't even have that option, as stated it goes straight from Windows System Resource Manager to Windows update.
I don't even have the Windows Time Service folder in Group policy.

Thank you
grizrulesAuthor Commented:
Sorry I do have that Folder under what you stated:
'Computer Configuration\Policies\Administrative Templates\System\Windows Time Service'

However nothing is Configured.  All is set to NOT Configured.

So final recap..Just run the commands for w32tm and don't worry about GP since it is not configured right now?

Thanks!
tigermattCommented:
Heh, interesting: it looks like the words of wisdom to disable Hyper-V time sync are no longer recommended advice as they were several years ago - I hadn't realised. This (fairly old) blog post refers (question #6):  http://blogs.msdn.com/b/virtual_pc_guy/archive/2010/11/19/time-synchronization-in-hyper-v.aspx

Specifically issues around saved state and first boot, although the arguments put forward for not disabling the function seem to fall down when you question why somebody wants to do an unsupported action like save state or snapshot a virtual DC in the first place. :-)
tigermattCommented:
"So final recap..Just run the commands for w32tm and don't worry about GP since it is not configured right now?"
If nothing is set in GP then you have nothing to worry about in that respect.
grizrulesAuthor Commented:
Thank you ALL for your help.  As I stated I will try tonight.  Wish me luck.  This is the best money I have had my company spend to get on this post!
I hope that I was clear enough on my first posting to allow everyone what exactly the problem is.
Cliff GaliherCommented:
tigermatt:  Look at the date of that blog post.  2010.

Now go back and read the link I posted under recommendations for time service.  The date is newer (2013 or 2014 if I recall) and more specifically, they added a note *specifically* saying they've changed guidance from the "partially disable" advice from that blog post and that method is no longer recommended.   The proper guidance was (and is) a moving target which is why it is important to source the material *and* the date.

Current guidance is, in fact, to disable time sync services on DCs. (and the reason for the change is, in fact, because of the argument that you shouldn't be doing anything to the DC that requires timesync...like saved state and snapshotting.)  Believe me, this has been heavily debated, but the "don't do that" argument finally (and in my opinion, logically) won out.
tigermattCommented:
Cliff, thanks. Didn't register the date of the reference, but you're right; the later guidance is 2013.
tigermattCommented:
(grizrules: you can safely ignore this chatter among us. The recommendations on this keep changing, typically to solve one edge case or another, but the advice we've given above does match what you can read in the official documentation at TechNet. For now, anyway...)
Cliff GaliherCommented:
No worries.  I happen to know because I've been involved in the debates.  Conference calls with the AD team mid-2012 were....lively.
grizrulesAuthor Commented:
I ran all the commands.
Some of the info was not, let's say, exact.

I shut down DC1 and DC2 and disable Time sync via integrated services.
On the VM DC1 I stopped the w32tm service but it would not let me enter the commands with the service started.

The commands you gave me did not work syntax or what not:
I used these on dc1 and dc2
w32tm /config /manualpeerlist:”time.nist.gov” /reliable:yes /update

I then checked DC1 and DC2 with the w32tm /query /source command and got back
time.nist.gov

However I checked the time on my DC's with my clock and they are good.

However all my member servers are not keeping with DC1 or DC2 time.
When I run the command w32tm /query /source
They come back with DC1 however, they are still two minutes behind.
I have shut down one of my members and disable Time sync on the member VM and ran the w32tm /config /syncfromflags:domhier /update
However, time on all members are still 2min 27 sec behind.
Client machine appear to have taken the new time, but my members servers are off still even though they show source from the w32tm command displays:
dc1.mydomain.local
I'm screwed tomorrow.  Hope not, maybe I'm not waiting long enough for the member to sync up?
grizrulesAuthor Commented:
Alright I have been monitoring, I did this remotely.
So far so good.  what was stated was not exactly what I had to do.

step 1.  Disable ALL VM's integrated time services for Hyper-V DC and members.
Started with DC's.
Ran the
w32tm /config /manualpeerlist:”time.nist.gov” /reliable:yes /update
then stop and started w32tm
Ran w32tm /config /manualpeerlist:”time.nist.gov” /reliable:yes /update again.
same on DC2
Then on all the member servers:
ran: w32tm /config /syncfromflags:domhier /update
stopped the w32tm service.
Ran: w32tm /config /syncfromflags:domhier /update
Time seems to be in sync

You see stated above was confusing, because you cannot run:
w32tm /config /manualpeerlist:”time.nist.gov” /reliable:yes /update
When the time service is stopped!

Primary and secondary DC's report  from the w32tm command:
time.nist.gov

members report either DC1.domain.local or DC2.domain.local
Time appears to be in sync

So I will follow up in the morning to confirm
Cliff GaliherCommented:
Setting both DCs to an external time source is bad. This has been repeated several times. There is clearly a disconnect in communicating here.
frankhelkCommented:
Just for another point of view ...

W32time, the timekeeping service in Windows. I experienced enough trouble with that piece of crap when in NTP mode to avoid using it whenever I can.

My recommendation:

Use a Windows port of the classic *ix NTP service, sync a master (or two, three) with an external source (i.e. from pool.ntp.org) and sync the clients and DCs to the master. The NTP service software is free. Easy to install and configure, works like a charm and is stable as a rock. And it is nicer when it comes to one of the rare cases of troubleshooting. It keeps the time within a range of some 10 milliseconds from the sources, given acceptable network conditions.

See this article for the "How To".

The NTP service has a low resource footprint, therefore the NTP functionality could be hooked onto existing machines or VM's like webservers, ftp servers, mailservers or database hosts - even in a DMZ - without visible performance impact.
tigermattCommented:
I'm not sure where the impression that the service had to be stopped came from. However, in the following command:
w32tm /config /manualpeerlist:”time.nist.gov” /reliable:yes /update

you forgot "syncfromflags" being set to MANUAL. However, also see Cliff's comment; you should only have executed this on one DC, the one holding the PDC emulator role.

frankhelk,

Useful to know, but misinformation here -- in particular the suggestion "the NTP functionality could be hooked onto existing machines or VM's". We are dealing with Active Directory-joined machines, in which there are specific requirements and stipulated guidelines on how the time service should be configured. Windows workstations and servers will automatically locate a source of time by reference to the domain hierarchy; no need to install a manual third-party sync service and most certainly no machine (with one exception) should be manually configured with sync options. This isn't a traditional shared hosting environment with a bunch of independent VMs in a DMZ, but an integrated environment where this particular service must be carefully orchestrated.
frankhelkCommented:
OK ... that's the way it's meant to be ... on the other side I've seen several cases where out-of-the-box machines in an AD environment were unable to sync, floating several minutes off of the (well sync'd) DC.

From my years experience, almost all such machines could be helped with the classic client ...

I admit that this is not the regular way taught to all the certified sysadmins, but at least worth to be remembered as workaround in complicated situations. And NTP couldn't be that bad, because MS has (crappy kind of) adopted it for its W32time  service.
grizrulesAuthor Commented:
I did not mean mis-information, I meant that what was stated did not work for me when I ran the command.  I want you all to know I REALLY APPRECIATED ALL YOUR FEEDBACK.
VERY MUCH!!

I ran this command on DC1  & DC2 which are Active Directory Hyper-V Windows 2012R2 machines:
w32tm /config /manualpeerlist:”time.nist.gov” /reliable:yes /update
Then on all member servers I ran:
Then run w32tm /config /syncfromflags:domhier /update on the other DC’s  The output is as follows:
DC1
C:\>w32tm /query /source
time.nist.gov

DC2:
C:\>w32tm /query /source
DC1.UN.local

The member servers display as such: (not actually name of the servers just their role)
store:
C:\>w32tm /query /source
DC1.mydomain.local

scan: ( I forgot to mention that this is the only Windows 2008 R2 machine )
C:\>w32tm /query /source
DC2.mydomain.local

Printer:
C:\>w32tm /query /source
DC2.mydomain.local

Store:
C:\>w32tm /query /source
DC1.mydomain.local

Database:
C:\>w32tm /query /source
DC1.mydomain.local

SQL:
C:\>w32tm /query /source
DC1.mydomain.local

Then the PHYSICAL MACHINES
HOST1:
C:\>w32tm /query /source
DC1.mydomain.local

HOST2:
C:\>w32tm /query /source
DC1.mydomain.local

On all Hyper-V machine Active Directory and member servers I have DISABLED TIME SYNC UNDER INTEGRATED SERVICES.

More INFO:
The layout is as such
HOST1 has the following VM's
-scan
-store
-DC1

HOST2:
-printer
-SQL
-DC2

All time appears to be in sync with GMT time and the clients all have the correct time.

However
CLIFF Stated:
"Setting both DCs to an external time source is bad. This has been repeated several times. There is clearly a disconnect in communicating here. "


Tigermatt stated:
"you forgot "syncfromflags" being set to MANUAL. However, also see Cliff's comment; you should only have executed this on one DC, the one holding the PDC emulator role"  ( I think I just mis-typed my command in the thread)

Anyways here I'm at this point.  What do you recommend I do to DC2 (just to note I really don't want to install a third party software)

THANK YOU ALL IN ADVANCE
It looks like only my Printer server is feeding from DC2?
Should I run the command w32tm /config /syncfromflags:domhier /update  on DC2 to fix this or is this going to be more complicated with some unregister commands?
it_saigeDeveloperCommented:
On DC2, at a minimum, you would run these commands:
w32tm /config /syncfromflags:domhier /update
w32tm /resync /rediscover

To completely clean the slate on DC2, you would run this group of commands:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
w32tm /config /syncfromflags:domhier /update
w32tm /resync /rediscover

-saige-

grizrulesAuthor Commented:
it_saige

According to your command set.  At what point during these commands do I need to stop and restart w32tm service?

Also I'm in a live environment, so no test.  Everything I do directly affects my environment.  I was not here when they setup the system but came 7 months later.  Good news is that next weekend I'm redoing the entire Network with new Cisco switches and firewall so I WILL have my DMZ!!!

I would just like someone to confirm what it_saige stated.
Again ALL your help is GREATLY APPRECIATED!!!
grizrulesAuthor Commented:
Sorry IT_Saige:
Attention to detail I see you wrote:
net stop w32time
w32tm /unregister
w32tm /register
w32tm /config /syncfromflags:domhier /update
w32tm /resync /rediscover
net start w32time

---however during my experience I have found that running the w32tm command does not work when the service is not running.
I get an error stating that this service is not running?
grizrulesAuthor Commented:
As you can see:
C:\>net stop w32time
The Windows Time service is stopping.
The Windows Time service was stopped successfully.


C:\>w32tm /unregister
W32Time successfully unregistered.

C:\>w32tm /register
W32Time successfully registered.

C:\>w32tm /config /syncfromflags:domhier /update
The following error occurred: The service has not been started. (0x80070426)  ( DOES NOT WORK IF THE SERVICE IS NOT ON)
tigermattCommented:
Nowhere do you need to stop the service UNLESS you are doing the /unregister, /register switches to w32tm. However, there is a transcription error in your commands from saige's comment; if you are doing the unregister, register then you STOP the service (1), unregister (2), re-register (3), START the service (4), THEN do the w32tm /config switches as before (5). (You've muddled steps 4 and 5)
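The five-step order described above, as an added PowerShell example that is not part of the original thread. It assumes an elevated session on the machine being reset (DC2 in the thread); the helper name `Invoke-W32tm` and the 30-second and two-minute timeouts are choices made for this example. It also polls the source afterwards, because `w32tm /query /source` can still report `Local CMOS Clock` right after the service starts.

```powershell
# Added example: ordered w32time reset for a machine that should follow the
# domain hierarchy. Invoke-W32tm is a helper defined here, not a built-in.
function Invoke-W32tm {
    param([string[]]$Arguments)
    $output = (& w32tm.exe @Arguments | Out-String).Trim()
    # w32tm prints "The following error occurred: ..." on failure.
    if ($LASTEXITCODE -ne 0 -or $output -match 'The following error occurred') {
        throw "w32tm $($Arguments -join ' ') failed: $output"
    }
    $output
}

# Steps 1-3: stop the service, then unregister and re-register it.
Stop-Service -Name w32time -ErrorAction Stop
Invoke-W32tm '/unregister'
Invoke-W32tm '/register'

# Step 4: start the service and confirm it is running. Running /config before
# this point fails with 0x80070426 ("The service has not been started").
Start-Service -Name w32time -ErrorAction Stop
(Get-Service -Name w32time).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))

# Step 5: only now point the machine at the domain hierarchy and resync.
Invoke-W32tm '/config', '/syncfromflags:domhier', '/update'
Invoke-W32tm '/resync', '/rediscover'

# Poll until the source is no longer the local clock, or give up after 2 minutes.
$deadline = (Get-Date).AddMinutes(2)
do {
    $source = Invoke-W32tm '/query', '/source'
    if ($source -notlike 'Local CMOS Clock*') { break }
    Start-Sleep -Seconds 10
} while ((Get-Date) -lt $deadline)

if ($source -like 'Local CMOS Clock*') {
    Write-Warning 'Still on Local CMOS Clock; no domain time source was selected.'
} else {
    "Time source: $source"
}
```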
grizrulesAuthor Commented:
Yeah I just figured that one out.
So I did what you said TIGERMATT.
Just exactly like you stated.

Here is my command run from DC2:
C:\>net stop w32time
The Windows Time service is stopping.
The Windows Time service was stopped successfully.


C:\>w32tm /unregister
W32Time successfully unregistered.

C:\>w32tm /register
W32Time successfully registered.

C:\>w32tm /config /syncfromflags:domhier /update
The following error occurred: The service has not been started. (0x80070426)

C:\>net sTART w32time
The Windows Time service is starting.
The Windows Time service was started successfully.


C:\>w32tm /config /syncfromflags:domhier /update
The command completed successfully.

C:\>w32tm /resync /rediscover
Sending resync command to local computer
The command completed successfully.

C:\>net stop w32time
The Windows Time service is stopping.
The Windows Time service was stopped successfully.


C:\>net sTART w32time
The Windows Time service is starting.
The Windows Time service was started successfully.


C:\>w32tm /query /source
Local CMOS Clock

C:\>w32tm /query /source
DC1.mydomain.local

I think I'm all good now?
tigermattCommented:
It looks like only my Printer server is feeding from DC2?
Doesn't matter; the machines which are not DCs will sync time with one of the DCs automatically; doesn't matter which one. They deal with this automatically.
it_saigeDeveloperCommented:
griz, if you reread my post you will see that I have the command to start the time service between the register and the config commands.

And as I stated, at a minimum, you only need to config and resync.  If you want to clean the slate, then you stop, re-register, restart, configure and resync.

-saige-
tigermattCommented:
I think I'm all good now?
That would appear to be the case.
grizrulesAuthor Commented:
Man, thank you ALL for all your help!
This has been bugging me for a while.   I hope soon one day I can help assist people.

How do I select this cause as resolved? just click the GREEN "YES" button at the bottom or select an individual post as a solution?

THANK YOU, THANK YOU, THANK YOU!
grizrulesAuthor Commented:
Great advice and very diligent at sticking with me through the entire problem.
Very much appreciate your help.
tigermattCommented:
*smile*... thanks for the points, but the other experts deserve a share of them too for their input! I'll ask the mods to drop by, re-open the question and help you figure out the closing system for the first time.
grizrulesAuthor Commented:
Yes they do, I wasn't sure how to add more people.  I did not mean to leave anyone out.  Everyone here played a part.
So if anyone feels left out I apologize, this is my first Thread.
it_saigeDeveloperCommented:
No worries griz.  Everyone starts out somewhere.  :)

-saige-
grizrulesAuthor Commented:
I want to thank everyone and I want to add step by step what worked for me in my situation.

On ALL my Hyper-V machines, both Domain and members, I turned OFF Time sync under integrated Services:

I then ran ON DC1:

w32tm /config /manualpeerlist:"time.nist.gov" /reliable:yes /update
I then stopped and started the service w32time

Then on all of my other member servers run
w32tm /config /syncfromflags:domhier /update
w32tm /resync /rediscover

I did have two machines that were still pointing towards DC2 so I went back and ran these commands:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
w32tm /config /syncfromflags:domhier /update
w32tm /resync /rediscover

Now all point to DC1 which is pointed to time.nist.gov
All machines now point to DC1.
I checked by running w32tm /query /source and w32tm /source /configuration
it_saigeDeveloperCommented:
@griz, if I can offer one more final piece of the puzzle.  Here is the way that time services resolution works (in a nutshell):

1.  The PDCe FSMO role holder in the parent domain will synchronize from an external (to AD) time source.  By default this is the Local CMOS clock on the motherboard.
2.  All DC's in the parent domain will synchronize with the PDCe FSMO role holder.
3.  All clients and member servers in the parent domain will synchronize with *any* parent domain DC.
4.  If you have child domains, the PDCe FSMO role holder in each child domain will synchronize with *any* parent domain DC.
5.  All DC's in each child domain will synchronize with the child domain's PDCe FSMO role holder or *any* parent domain DC.
6.  All clients and member servers will obtain their time source from *any* child domain DC.
-saige-
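A way to check items 1 to 3 of the list above across a single domain, as an added PowerShell example that is not part of the original thread. The host names are constructed placeholders, the function names are defined only for this example, and it assumes the account running it is allowed to query each machine with `w32tm /query /computer:`.

```powershell
# Added example: compare each machine's time source with its expected place
# in the hierarchy. All host names below are constructed placeholders.
$Pdce    = 'DC1.mydomain.local'
$Dcs     = @('DC2.mydomain.local')        # domain controllers other than the PDCe
$Members = @('PRINT01.mydomain.local')    # hypothetical member server

# Sources that mean the machine is not following the domain hierarchy:
# its own hardware clock, or the Hyper-V host through integration services.
$LocalSources = @('Local CMOS Clock', 'VM IC Time Synchronization Provider')

function Get-TimeSource([string]$Computer) {
    $out = (& w32tm.exe /query "/computer:$Computer" /source | Out-String).Trim()
    if ($LASTEXITCODE -ne 0 -or $out -match 'The following error occurred') {
        return $null
    }
    $out
}

function Test-TimeSource([string]$Role, [string]$Source) {
    if (-not $Source)                    { return 'UNREACHABLE' }
    if ($LocalSources -contains $Source) { return 'LOCAL OR HOST CLOCK' }
    $allDcs = @($Pdce) + $Dcs
    switch ($Role) {
        # Item 1: the PDCe should use a source outside AD, not another DC.
        'PDCe'   { if ($allDcs -contains $Source) { 'SYNCS FROM A DC' } else { 'OK' } }
        # Item 2: the other DCs should use the PDCe.
        'DC'     { if ($Source -eq $Pdce) { 'OK' } else { 'NOT THE PDCe' } }
        # Item 3: members may use any DC in the domain.
        'Member' { if ($allDcs -contains $Source) { 'OK' } else { 'NOT A DC' } }
    }
}

$targets  = @([pscustomobject]@{ Computer = $Pdce; Role = 'PDCe' })
$targets += $Dcs     | ForEach-Object { [pscustomobject]@{ Computer = $_; Role = 'DC' } }
$targets += $Members | ForEach-Object { [pscustomobject]@{ Computer = $_; Role = 'Member' } }

$targets | ForEach-Object {
    $src = Get-TimeSource $_.Computer
    [pscustomobject]@{
        Computer = $_.Computer
        Role     = $_.Role
        Source   = $src
        Verdict  = Test-TimeSource $_.Role $src
    }
} | Format-Table -AutoSize
```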
grizrulesAuthor Commented:
Great support and great follow up.  There were many people that helped me.  I appreciated everyone taking time out of their day to help a fellow techie.  Just Great Overall!!!  All of you.

-Thank you