Resetting Time Source Active Directory

Good Morning,

I am having a serious issue resetting the time source on our Active Directory domain.  The IP that our PDC was set to is timing out and our domain time is off by 5 minutes.  I have reset it back but am not having much luck finding a reliable time source to set it to.

I cannot ping pool.ntp.org or time1.google.com.

Please help,

Thank you,

Karen
klsphotos Asked:

Will Szymkowski, Senior Solution Architect, Commented:
Is the PDC IP timing out internally to other clients or when it is going out to the external time source?

When you have corrected this issue with the timeout, the clients' time will SLOWLY speed up to the correct time. It will NOT jump from 5 minutes back to the correct time as this can skew the login timestamps.

Provide more detail on what is exactly going on with your PDC. Also check the logs as well to see if there are any underlying issues of why it would be timing out.

Will.
Seth Simmons, Sr. Systems Administrator, Commented:
"I cannot ping pool.ntp.org or time1.google.com."

you obviously have a network issue somewhere
if the names resolve but don't ping, check with your network team; perhaps ICMP is not allowed?
can you access pool.ntp.org through a web browser?

"...am having not much luck finding a reliable time source to set it to."

you can use these servers as your time source:

0.north-america.pool.ntp.org
1.north-america.pool.ntp.org
2.north-america.pool.ntp.org
3.north-america.pool.ntp.org
klsphotos, Author, Commented:
Hello, something very weird is going on.

So the time keeps going to the 2012dc, even though it's not the PDC and I have told the PDC to be the reliable time source.

The issue happened because as I mentioned above, the 2012dc took the time source and the time got out of sync and then the sources would no longer ping.

I just got back from vacation.  I corrected the time on the domain by forcing it back to the PDC but I can't seem to ping a reliable time source.  I did temp when I resolved the issue but it wasn't a permanent fix.  The time source I am pointing to, the PDC now says local?

Here is what I have:

It's driving me bonkers:
w32tm /monitor
REMOTEDC[192.168.10.5:123]:
    ICMP: 21ms delay
    NTP: +0.0284196s offset from PDC.OURDOMAIN.COM
        RefID: PDC.OURDOMAIN.COM [192.168.1.125]
        Stratum: 2
PDC.OURDOMAIN.COM *** PDC ***[192.168.1.125:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from PDC.OURDOMAIN.COM
        RefID: 'LOCL' [0x4C434F4C]
        Stratum: 1
2012DC1.OURDOMAIN.COM[192.168.1.5:123]:
    ICMP: 0ms delay
    NTP: +0.3438386s offset from PDC.OURDOMAIN.COM
        RefID: 80.84.77.86.rev.sfr.net [86.77.84.80]
        Stratum: 2
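
Added example, not part of anyone's post in this thread: a Python parser for the `w32tm /monitor` output above that reports which DCs are running on their local clock (RefID LOCL) or take time from an address outside the listed DCs. The function names and the 1-second `max_offset` threshold are assumptions made for this example.

```python
import re

# w32tm /monitor output from the post above (ICMP and Stratum lines omitted).
SAMPLE = """\
REMOTEDC[192.168.10.5:123]:
    NTP: +0.0284196s offset from PDC.OURDOMAIN.COM
        RefID: PDC.OURDOMAIN.COM [192.168.1.125]
PDC.OURDOMAIN.COM *** PDC ***[192.168.1.125:123]:
    NTP: +0.0000000s offset from PDC.OURDOMAIN.COM
        RefID: 'LOCL' [0x4C434F4C]
2012DC1.OURDOMAIN.COM[192.168.1.5:123]:
    NTP: +0.3438386s offset from PDC.OURDOMAIN.COM
        RefID: 80.84.77.86.rev.sfr.net [86.77.84.80]
"""

HEADER = re.compile(r"^(\S+?)( \*\*\* PDC \*\*\*)? ?\[([\d.]+):123\]:$")
FIELD = re.compile(r"^\s+(NTP|RefID): (.*)$")

def parse_monitor(text):
    """Return one dict per DC listed in `w32tm /monitor` output."""
    dcs = []
    for line in text.splitlines():
        head, field = HEADER.match(line), FIELD.match(line)
        if head:
            dcs.append({"name": head.group(1), "is_pdc": bool(head.group(2)),
                        "ip": head.group(3), "offset": None,
                        "refid": None, "ref_addr": None})
        elif field and dcs:
            key, val = field.groups()
            if key == "NTP":  # an "error ..." value leaves offset as None
                m = re.match(r"([+-]\d+\.\d+)s offset", val)
                dcs[-1]["offset"] = float(m.group(1)) if m else None
            elif (m := re.match(r"'?(.+?)'? \[(\S+)\]", val)):
                dcs[-1]["refid"], dcs[-1]["ref_addr"] = m.groups()
    return dcs

def findings(dcs, max_offset=1.0):
    """Return (name, issue) pairs; max_offset (seconds) is an assumed threshold."""
    known, out = {d["ip"] for d in dcs}, []
    for d in dcs:
        if d["offset"] is None:
            out.append((d["name"], "no NTP answer on UDP 123"))
        elif abs(d["offset"]) > max_offset:
            out.append((d["name"], f"offset {d['offset']:+.3f}s"))
        if d["refid"] == "LOCL":
            out.append((d["name"], "free-running on local clock (RefID LOCL)"))
        elif not d["is_pdc"] and d["ref_addr"] and d["ref_addr"] not in known:
            out.append((d["name"], f"syncs from {d['ref_addr']}, outside the listed DCs"))
    return out
```

On the posted output, `findings(parse_monitor(SAMPLE))` reports the PDC as free-running on its local clock and 2012DC1 as syncing from 86.77.84.80. Once the PDC is synchronizing with an external peer, its LOCL entry should disappear from a fresh `w32tm /monitor` run.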
Will Szymkowski, Senior Solution Architect, Commented:
There are specific registry values that are set to ensure the time source. You need to make sure that these values are set correctly. I suggest that you follow the 2 below links which will outline all of the steps and also give you a good overview of how the time source works.

https://support.microsoft.com/en-us/kb/816042

http://blogs.technet.com/b/nepapfe/archive/2013/03/01/it-s-simple-time-configuration-in-active-directory.aspx

You also need to make sure that the NTP protocol (port 123) is allowed through your firewall to your PDC server as well.

Will.

footech Commented:
Easiest way to set your PDCe to sync with an external source is to run the following commands.
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
w32tm /config /manualpeerlist:"0.us.pool.ntp.org,0x8 1.us.pool.ntp.org,0x8 2.us.pool.ntp.org,0x8 3.us.pool.ntp.org,0x8" /syncfromflags:MANUAL /reliable:yes /update

Unregistering and registering helps to clear out any potential misconfigurations so you're starting from a known good place.  The first four commands can be run on any machine in your domain to reset them (they will synchronize via the domain hierarchy by default).  You don't have to use the time sources that I included, but it's a good idea to include more than one in case there is a problem reaching one.
klsphotos, Author, Commented:
Thank you very much.  Both of these solutions helped fix most of the problem.  The other issue was I did not know that my co-worker adjusted the ping rule on our firewall without my knowledge and had ping blocked since last week.  That is all working now and the solutions above helped me reset everything, so thank you.

The thing I cannot figure out is our 2012dc keeps thinking it is the time source even though it's not the PDC nor is it being told to be.  I cannot get it to stop thinking that way.  As shown in what I posted, it's pointing to the PDC, but the PDC is not the one delivering time, the 2012 is.
footech Commented:
Any DC can be a time source.  This is part of the normal domain hierarchy.  Will's second link diagrams this.

I'm not sure where you're seeing this or why you think it's a problem.
klsphotos, Author, Commented:
Thank you, I just reread it and you're right, nothing to worry about. Thanks for letting me know.