Having issues synchronizing Windows 2008 PDC with external NTP pool sources

Hello,

I have recently configured my Windows Server 2008 DC and PDC Emulator to synchronize its time with pool.ntp.org sources by issuing the following command:
w32tm /config /syncfromflags:manual /manualpeerlist:0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org

The command completed successfully. Then I issued the w32tm /resync command to force a sync and it also completed successfully, but my server is not getting the time for some reason. I don't know if this sync takes time to complete, though.

I have opened the NTP default port UDP 123 in my firewall and I have also tried by exempting my server from any firewall rule but still not synching.

Am I missing something?
LuiLui77 Asked:
 
Will Szymkowski (Senior Solution Architect) Commented:
The first link I provided, when you click "Let me fix it", will show you all of the registry settings that are required for a PDC and a DC not holding this role. Just follow those guidelines and you will be fine.

https://support.microsoft.com/en-us/kb/816042

Will.
0
 
Zacharia Kurian (Administrator - Data Center & Network) Commented:
Here is a link on time sync within a domain

https://tigermatt.wordpress.com/2009/08/01/windows-time-for-active-directory/

and a link with a reg key that will set all the settings for you, found on EE.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23630502.html

Zac.
0
 
Will Szymkowski (Senior Solution Architect) Commented:
What I would recommend is checking out the official Microsoft KB to ensure that the correct registry settings are in place on the PDC and that it is configured properly.

https://support.microsoft.com/en-us/kb/816042

You will be able to see from the event logs when the DC is actually getting the time from an external source.

Will.
0

 
LuiLui77 (Author) Commented:
Ok, I went through the configuration steps provided on the official Microsoft site (Manual registry configuration). I had also enabled w32tm logging.

I have run the w32tm /resync command and nothing appeared to happen; that was when I opened the log file to see the details. For some reason it is synchronizing with my old PDC server. I then issued the following command: "w32tm /query /peers"
and sure enough the only peer shown is my old PDC. Check the output of the command below:

C:\>w32tm /query /peers
#Peers: 1

Peer: oldPDC.domain.local
State: Active
Time Remaining: 139.2857245s
Mode: 1 (Symmetric Active)
Stratum: 1 (primary reference - syncd by radio clock)
PeerPoll Interval: 8 (256s)
HostPoll Interval: 8 (256s)

What is confusing me a little is that when I issue the "net time /querysntp" command, it displays the correct configured value, see below:
C:\>net time /querysntp
The current SNTP value is: time.windows.com,0x1

The command completed successfully.

What's the reason for this?
0
 
Will Szymkowski (Senior Solution Architect) Commented:
You need to change the Registry flags on the old PDC as well so that it is not advertising as an external time source.

Will.
0
 
LuiLui77 (Author) Commented:
Hi Will, I can see that the NtpServer value is set to time.windows.com as well on my old PDC.

I am kind of confused, do you mean all the rest of the registry keys with the exact values that I have provided in my new PDC?
or what flags in specific?
0
 
LuiLui77 (Author) Commented:
Oh, forgot to tell, my old PDC is a Windows Server 2003 machine
0
 
Will Szymkowski (Senior Solution Architect) Commented:
> Hi Will, I can see that the NtpServer value is set to time.windows.com as well on my old PDC.
>
> I am kind of confused, do you mean all the rest of the registry keys with the exact values that I have provided in my new PDC?
> or what flags in specific?

That is correct. When you change the PDC to another DC in your environment you need to also modify the old PDC settings and change them back to the values of a DC that does not hold the PDC role.

Will.
0
 
LuiLui77 (Author) Commented:
Alright, I have made changes to the old PDC to be able to discontinue the time advertising. The command that I have issued on the old PDC is the following: "w32tm.exe /config /syncfromflags:domhier /reliable:no /update"
I have found this solution on the following website: http://kpytko.pl/active-directory-domain-services/advertising-new-time-server-in-domain-environment/

After issuing the command and restarting the Windows Time service, I have remoted into the new PDC and now when I type the command: "w32tm /resync /peers" the following comes up:

C:\>w32tm /query /peers
#Peers: 1

Peer:
State: Pending
Time Remaining: 776.3437500s
Mode: 0 (reserved)
Stratum: 0 (unspecified)
PeerPoll Interval: 0 (unspecified)
HostPoll Interval: 0 (unspecified)


I have tried to force replication by issuing: w32tm /resync /rediscover, and this is what I get:
"Sending resync command to local computer
The computer did not resync because no time data was available."

Then when I go into the log file the following line is showing:
"Response received from domain controller PCIAD01.surfpci.local failed to authenticate.  Using old server digest: FALSE."

Any ideas of what's happening?
0
 
LuiLui77 (Author) Commented:
Just an observation... digging into the registry keys of my new PDC, I saw other keys that may be interfering with my changes. The hive is: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32time\Parameters
and the keys are: NtpServer = pool.ntp.org and Type = NT5DS

Will this prevent my changes from becoming effective?
0
 
LuiLui77 (Author) Commented:
Great!
Will, I followed your advice about performing the same configuration on both DCs (new PDC and old PDC) and as soon as I completed it, the old PDC stopped advertising. But on my new PDC, when I issued "w32tm /query /peers" it was still saying that the peer was the old PDC Emulator, so I kept on researching.

I found out that my Default Domain Policy "Windows Time Service" settings were enabled and this policy is applying to my DCs. So I went ahead and set up these entries as "Not Configured", then I issued a GPUPDATE on my new PDC and voilà! Now it is showing that my peer is "time.windows.com" as configured.
0
 
LuiLui77 (Author) Commented:
Besides configuring the registry keys as Will advised, I had to disable the GPO that I found in order for the changes in the registry to be effective.
0
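
The check behind the resolution in this thread, as an added example that is not part of any participant's post: it compares the W32Time values written by Group Policy with the local service configuration and reports which one applies. It assumes, consistent with the outcome above, that a value present under the Policies key takes precedence over the local one; the function and variable names are hypothetical.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session on the DC.
# Assumption: a value present under the Policies key overrides the local service value.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns nothing ($null) when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

$report = foreach ($name in 'Type', 'NtpServer') {
    $policy = Get-RegValue $policyKey $name
    $local  = Get-RegValue $localKey  $name
    if ($null -ne $policy) {
        $effective = $policy; $source = 'Policy'
    } else {
        $effective = $local;  $source = 'Local'
    }
    New-Object PSObject -Property @{
        Setting = $name; Local = $local; Policy = $policy
        Effective = $effective; Source = $source
    }
}
$report | Format-Table Setting, Local, Policy, Effective, Source -AutoSize

# Type = NT5DS means "follow the domain hierarchy"; the manual peer list is not used.
$type = ($report | Where-Object { $_.Setting -eq 'Type' }).Effective
if ($type -eq 'NT5DS') {
    Write-Warning 'Effective Type is NT5DS: the NtpServer peer list is ignored.'
}

# Flag every setting where Group Policy silently replaces the local value.
foreach ($row in $report) {
    if ($row.Source -eq 'Policy' -and $row.Policy -ne $row.Local) {
        Write-Warning ("Group Policy overrides local {0}: '{1}' replaces '{2}'." -f `
            $row.Setting, $row.Policy, $row.Local)
    }
}

# What the running service is actually using.
w32tm /query /source
w32tm /query /peers
```

On Windows Server 2008 and later, `w32tm /query /configuration` shows the same distinction by tagging each setting as (Local) or (Policy).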
Question has a verified solution.
