Solved

The time service has not synchronized the system time for 86400 seconds because none of the time service providers provided a usable time stamp. The time service will not update the local system time

Posted on 2016-07-19
7
79 Views
Last Modified: 2016-08-04
Hi All,
Can anyone help me with tis error message? Its from a windows server 2008 r2 server  & we found in the event logs

thank you in advance
0
Comment
Question by:MarK PercY
7 Comments
 
LVL 8

Expert Comment

by:Stolsie
ID: 41719297
Hello

the error messages says you are not getting useable information from what you have set.
what have you got set on the server for time keeping?
0
 
LVL 29

Accepted Solution

by:
ScottCha earned 500 total points
ID: 41719332
Here are my notes on time synchronization:

From MS with my own customizations in it.

How to configure an authoritative time server in Windows Server

Wednesday, July 13, 2016
8:01 AM

INTRODUCTION
Windows Server includes W32Time, the Time Service tool that is required by the Kerberos authentication protocol. The Windows Time service makes sure that all computers in an organization that are running the Microsoft Windows 2000 Server operating system or later versions use a common time.

To guarantee appropriate common time usage, the Windows Time service uses a hierarchical relationship that controls authority, and the Windows Time service does not allow for loops. By default, Windows-based computers use the following hierarchy:
• All client desktop computers nominate the authenticating domain controller as their in-bound time partner.
• All member servers follow the same process that client desktop computers follow.
• All domain controllers in a domain nominate the primary domain controller (PDC) operations master as their in-bound time partner.
• All PDC operations masters follow the hierarchy of domains in the selection of their in-bound time partner.
In this hierarchy, the PDC operations master at the root of the forest becomes authoritative for the organization. We highly recommend that you configure the authoritative time server to obtain the time from a hardware source. When you configure the authoritative time server to sync with an Internet time source, there is no authentication. We also recommend that you reduce your time correction settings for your servers and stand-alone clients. These recommendations provide more accuracy and security to your domain.

Configuring the Windows Time service to use an external time source

To configure an internal time server to synchronize with an external time source, follow these steps:
1. Change the server type to NTP. To do this, follow these steps:
            a. Click Start, click Run, type regedit, and then click OK.
            b. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
            c. In the pane on the right, right-click Type, and then click Modify.
            d. In Edit Value, type NTP in the Value data box, and then click OK.
2. Set AnnounceFlags to 0xA. To do this, follow these steps:
            a. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
            b. In the pane on the right, right-click AnnounceFlags, and then click Modify.
            c. In Edit DWORD Value, type 5 in the Value data box, and then click OK.

      
      Notes
      • If an authoritative time server that is configured to use an AnnounceFlag value of 0x5 does not synchronize with an upstream time server, a client server may not correctly synchronize with the authoritative time server when the time synchronization between the authoritative time server and the upstream time server resumes. Therefore, if you have a poor network connection or other concerns that may cause time synchronization failure of the authoritative server to an upstream server, set the AnnounceFlag value to 0xA instead of to 0x5.
      • If an authoritative time server that is configured to use an AnnounceFlag value of 0x5 and to synchronize with an upstream time server at a fixed interval that is specified in SpecialPollInterval, a client server may not correctly synchronize with the authoritative time server after the authoritative time server restarts. Therefore, if you configure your authoritative time server to synchronize with an upstream NTP server at a fixed interval that is specified in SpecialPollInterval, set the AnnounceFlag value to 0xA instead of 0x5.
3. Enable NTPServer. To do this, follow these steps:
            a. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
            b. In the pane on the right, right-click Enabled, and then click Modify.
            c. In Edit DWORD Value, type 1 in the Value data box, and then click OK.
4. Specify the time sources. To do this, follow these steps:
            a. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
            b. In the pane on the right, right-click NtpServer, and then click Modify.
            c. In Edit Value, type ‘time.nist.gov,0x1’ (no quotes, 0x1 must be there) in the Value data box, and then click OK.

Note Peers is a placeholder for a space-delimited list of peers from which your computer obtains time stamps. Each DNS name that is listed must be unique. You must append ,0x1 to the end of each DNS name. If you do not append ,0x1 to the end of each DNS name, the changes that you make in step 5 will not take effect.
5. Select the poll interval. To do this, follow these steps:
            a. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval
            b. In the pane on the right, right-click SpecialPollInterval, and then click Modify.
            c. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.
            d. 900 (decimal)

Note TimeInSeconds is a placeholder for the number of seconds that you want between each poll. A recommended value is 900 (decimal). This value configures the Time Server to poll every 15 minutes.
6. Configure the time correction settings. To do this, follow these steps:
            a. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection
            b. In the pane on the right, right-click MaxPosPhaseCorrection, and then click Modify.
            c. In Edit DWORD Value, click to select Decimal in the Base box.
            d. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.
            e. 3600 (decimal)
      
      Note
      • TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend on the poll interval, network condition, and external time source. 
      • The default value of MaxPosPhaseCorrection is 48 hours in Windows Server 2008 R2 or later.
            e. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection
            f. In the pane on the right, right-click MaxNegPhaseCorrection, and then click Modify.
            g. In Edit DWORD Value, click to select Decimal in the Base box.
            h. In Edit DWORD Value, type TimeInSeconds in the Value data box, and then click OK.
            i. 3600 (decimal)

Note
      • TimeInSeconds is a placeholder for a reasonable value, such as 1 hour (3600) or 30 minutes (1800). The value that you select will depend on the poll interval, network condition, and external time source. 
      • The default value of MaxNegPhaseCorrection is 48 hours in Windows Server 2008 R2 or later.
7. Close Registry Editor.
8. At the command prompt, type the following command to restart the Windows Time service, and then press Enter:
net stop w32time && net start w32time
check using:
 
w32tm /query /configuration
w32tm /query /status
w32tm /query /peers
w32tm /monitor

All domain controllers should be set to the same NTP time source.  All other servers should be set using:
 
w32tm /config /syncfromflags:domhier /update
net stop w32time && net start w32time
 
Which will set the device to get time from the domain.


Note For a list of available time servers, see Microsoft Knowledge Base article 262680: A list of the Simple Network Time Protocol (SNTP) time servers that are available on the Internet

Troubleshooting
For the Windows Time service to function correctly, the networking infrastructure must function correctly. The most common problems that affect the Windows Time service include the following:
• There is a problem with TCP/IP connectivity, such as a dead gateway.
• The Name Resolution service is not working correctly.
• The network is experiencing high volume delays, especially when synchronization occurs over high-latency wide area network (WAN) links.
• The Windows Time service is trying to synchronize with inaccurate time sources.
We recommend that you use the Netdiag.exe utility to troubleshoot network-related issues. Netdiag.exe is part of the Windows Server 2003 Support Tools package. See Tools Help for a complete list of command-line parameters that you can use with Netdiag.exe. If your problem is still not solved, you can turn on the Windows Time service debug log. Because the debug log can contain very detailed information, we recommend that you contact Microsoft Customer Support Services when you turn on the Windows Time service debug log.


From <https://support.microsoft.com/en-us/kb/816042>
0
 
LVL 8

Expert Comment

by:Stolsie
ID: 41719350
lol ask a question get a book thrown at you.... I'm out
0
Promote certifications in your email signature

Has your company recently won an award or achieved a certification? They'll no doubt want to show it off. Email signature images used to promote certifications & awards can instantly establish credibility with a recipient and provide you with numerous benefits.

 

Author Comment

by:MarK PercY
ID: 41719424
Thank you so much for your response & your notes
0
 
LVL 13

Expert Comment

by:frankhelk
ID: 41719693
Hmmm ... W32time, the timekeeping service in Windows. I experienced enough trouble with that piece of crap when in NTP mode to avoid using it whenever I can.

For a mature timekeeping service with well documented behaviour, I'd recommend this:

Use a Windows port of the classic *ix NTP service on your DC VMs, and sync 'em with NTP time sources from pool.ntp.org. Ensure to disable the time sync features of VMware (to timekeeping services on one clock will cause time chaos). The NTP service software is free. Easy to install and configure, works like a charm and is stable as a rock. And it is nicer when it comes to one of the rare cases of troubleshooting.

See my article on NTP basics for the "How To".

The "classic" NTP service has a low ressource footprint, therefore the NTP functionality could be hooked onto existing machines or VM's like webservers, ftp servers, mailservers or database hosts - even in a DMZ - without visible performance impact.

If securtity is an issue, you might as well use local radio controlled clock appliances (see the article for that, too) in your LAN who serve times very reliable and precise.
0
 
LVL 9

Expert Comment

by:Scott Silva
ID: 41719939
I would manually have a look at the date and time on the server to make sure it is somewhere close.... It is common for older servers to have a dead CMOS battery and after reboot the clock starts from a set base in the bios. If the time is way off ( more than a few hours) the time service can error out...

Next look at firewall blocking from that server on port UDP 123 .
0
 

Author Closing Comment

by:MarK PercY
ID: 41742312
thank you
0

Featured Post

Why do Marketing keep bothering you?

Is your marketing department constantly asking for new email signature updates? Are they requesting a different design for every department? Do they need yet another banner added? Don’t let it get you down! There is an easy way to manage all of these requests...

Join & Write a Comment

I had a question today where the user wanted to know how to delete an SSL Certificate, so I thought that I would quickly add this How to! Article for your reference. WHY WOULD YOU WANT TO DELETE A CERTIFICATE? 1. If an incorrect certificate was …
From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now