Dan
asked on
NTP problem
I have 3 DCs, 2 are VMs and 1 is a physical. I have 4 Host servers running hyper V.
I have tried everything under the sun to get the NTP working, but I still can't get it to work.
All my Host servers and DCs are running win2012R2.
I have followed these guides:
http://www.sysadminlab.net/windows/configuring-ntp-on-windows-server-2012
http://www.sysadminlab.net/windows/configuring-ntp-on-windows-using-gpo
And have ran the commands on all of my DCs, but it's still not working, the time is still off.
Any ideas what I'm missing?
If you could explain what exactly you have run / configured so far from server side and client side, we can help.
Please let us know current NTP configuration.
Normally when you promote the DC it has the capability to act as NTP server. It is recommended to have this role installed on PDC role holder server.
Also if you have VM in place you should disable the time sync with esxi server as there are some issues with time synchronization.
https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2075424
Then you can configure the authoritative time server in your environment. Please follow the steps under "Configuring the Windows Time service to use an external time source", as your NTP server must sync time with an external time source and update in the domain accordingly. You need to configure the NTP value in the registry.
https://support.microsoft.com/en-in/help/816042/how-to-configure-an-authoritative-time-server-in-windows-server.
For other domain servers in your network you can configure the nt5ds value, which will sync time with your NTP server.
Even while there's a lot of hints and links already, I'll try to throw in my article on NTP, too. It's on NTP basics mainly, but it contains a lot of trouble evasion hints, too.
You don't have stated what you're using to sync to the NTP time source, but
"And have ran the commands on all of my DCs (...)" implies to me that you're wrestling around with W32time, the Windows on-board timekeeper service. I've had enough hassle with that piece of crap in NTP mode to avoid it whenever I have a chance to.
I'd recommend to switch over to something stable and mature: Use a Windows port of the classic *ux NTP client.
ASKER
I think my issue might be that my 3 DCs are trying to be the internal NTP server.
I just used the pool.ntp.org
I ran these on all my DCs. These are all the different commands I ran.
w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:MANUAL
w32tm /resync
w32tm.exe /resync /rediscover /nowait
w32tm /query /peers
w32tm /query /source
w32tm /query /status
Should I just run this command on 2 of my servers:
w32tm /unregister
And then just run this command on only one of my DCs?:
w32tm /config /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org" /syncfromflags:MANUAL
This question is not exactly the same as my other question, as after I can figure out the NTP problem on my server, then I do want all my PCs to get the time from my internal NTP server, so I'm guessing it's a different question.
On my firewall, I did open up the port NTP uses, so that should be good.
I guess I should check the windows server firewall to see if that port is open as well?
Dr Klahn, how did you get to that screen, as I'm on Windows 10 and I can't get to that screen?
I ran this command:
C:\Windows\System32>w32tm /query /source
DC2.mydomain.org
Is there a way to see all of the NTP configured servers in my domain?
Here's the configuration for all my 3 DCs.
DC1
C:\Windows\system32>w32tm /query /configuration
[Configuration]
EventLogFlags: 2 (Policy)
AnnounceFlags: 10 (Policy)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 10 (Policy)
MaxPollInterval: 15 (Policy)
MaxNegPhaseCorrection: 54000 (Policy)
MaxPosPhaseCorrection: 54000 (Policy)
MaxAllowedPhaseOffset: 300 (Policy)
FrequencyCorrectRate: 4 (Policy)
PollAdjustFactor: 5 (Policy)
LargePhaseOffset: 1280000 (Policy)
SpikeWatchPeriod: 90 (Policy)
LocalClockDispersion: 10 (Policy)
HoldPeriod: 5 (Policy)
PhaseCorrectRate: 1 (Policy)
UpdateInterval: 30000 (Policy)
[TimeProviders]
NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Policy)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Policy)
ResolvePeerBackoffMaxTimes: 7 (Policy)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 3 (Policy)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Policy)
Type: NT5DS (Policy)
NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)
VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 0 (Local)
InputProvider: 1 (Local)
DC2
C:\Users\exec>w32tm /query /configuration
[Configuration]
EventLogFlags: 2 (Policy)
AnnounceFlags: 10 (Policy)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 10 (Policy)
MaxPollInterval: 15 (Policy)
MaxNegPhaseCorrection: 54000 (Policy)
MaxPosPhaseCorrection: 54000 (Policy)
MaxAllowedPhaseOffset: 300 (Policy)
FrequencyCorrectRate: 4 (Policy)
PollAdjustFactor: 5 (Policy)
LargePhaseOffset: 1280000 (Policy)
SpikeWatchPeriod: 90 (Policy)
LocalClockDispersion: 10 (Policy)
HoldPeriod: 5 (Policy)
PhaseCorrectRate: 1 (Policy)
UpdateInterval: 30000 (Policy)
[TimeProviders]
NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Policy)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Policy)
ResolvePeerBackoffMaxTimes: 7 (Policy)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 3 (Policy)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Policy)
Type: NT5DS (Policy)
NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)
VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
DC3
C:\Windows\System32>w32tm /query /configuration
[Configuration]
EventLogFlags: 2 (Policy)
AnnounceFlags: 10 (Policy)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 10 (Policy)
MaxPollInterval: 15 (Policy)
MaxNegPhaseCorrection: 54000 (Policy)
MaxPosPhaseCorrection: 54000 (Policy)
MaxAllowedPhaseOffset: 300 (Policy)
FrequencyCorrectRate: 4 (Policy)
PollAdjustFactor: 5 (Policy)
LargePhaseOffset: 1280000 (Policy)
SpikeWatchPeriod: 90 (Policy)
LocalClockDispersion: 10 (Policy)
HoldPeriod: 5 (Policy)
PhaseCorrectRate: 1 (Policy)
UpdateInterval: 30000 (Policy)
[TimeProviders]
NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Policy)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Policy)
ResolvePeerBackoffMaxTimes: 7 (Policy)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 3 (Policy)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Policy)
Type: NT5DS (Policy)
NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)
VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
OK - I've been right: W32time.
So I repeat my advice: Kick W32time out and use a classic NTP client. Follow the guidelines in my article on NTP. Use all the 4 NTP server pointers from pool.ntp.org (preferably some in your region ... see http://www.pool.ntp.org for details on regional servers; click on the region name on the right of the page for directions).
ASKER
But I have 3 PDCs. So I have 3 domain controllers. From what you're saying, I need to only configure one of them to be the time keeper.
How do I know if I have other servers that are configured to be the NTP server?
You had referenced asia.pool.etc... I'm in the US, so wouldn't I want to use servers in the US?
You don't have 3 PDCs, you are running how many domains?
Single domain single forest right?
You have only one server acting as PDC
Run "netdom query fsmo" on any one server and you will come to know which is the PDC
But obvious, you need to find pool.org servers at your location, that is what I told earlier
ASKER
yes, thanks, I figured out which DC is my PDC.
So my DCs are virtualized, will that be a problem? I'm running a scale SAN.
ASKER
Some places have 0x1, you list 0x8, what's the difference?
Use this switch:
0x08 Automatic reliable time server
other switch meaning
0x01 - always time server
read below articles to clear the concept
https://technet.microsoft.com/windows-server-docs/identity/ad-ds/get-started/windows-time-service/windows-time-service-tools-and-settings
ASKER
I stopped the Hyper-V integration services, so it's not getting the time from the Hyper-V host anymore, but now I can't get it to sync with the correct online servers; it still says local CMOS clock.
ASKER
I even configured GP as well with the same settings, nothing.
ASKER
Thanks everyone, got it figured out. I had some GPs enabled that were overwriting what I had configured.
https://www.experts-exchange.com/questions/29006344/configuring-windows-time-via-Group-Policy.html
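The Group Policy override that resolved this thread is visible in the posted `w32tm /query /configuration` output, where every value is tagged (Policy) or (Local). The PowerShell below is an added example, not code from the thread or from Microsoft; the function names are hypothetical and the sample input is constructed from the DC2 output above.

```powershell
# Added example: audit `w32tm /query /configuration` text for Policy-sourced values.
function Get-W32tmSetting {
    param([string[]]$Lines)
    $section = ''
    foreach ($line in $Lines) {
        $t = $line.Trim()
        # "[Configuration]" / "[TimeProviders]" section headers
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        # Provider headers such as "NtpClient (Local)" carry no colon
        if ($t -match '^(\w+)\s+\((Local|Policy)\)$') { $section = $Matches[1]; continue }
        # "Name: value (Local|Policy)" setting lines
        if ($t -match '^(\w+):\s+(.+?)\s+\((Local|Policy)\)$') {
            [pscustomobject]@{
                Section = $section; Name = $Matches[1]
                Value   = $Matches[2]; Source = $Matches[3]
            }
        }
    }
}

function Test-W32tmConfig {
    param([string[]]$Lines)
    $s = @(Get-W32tmSetting -Lines $Lines)
    $policy = @($s | Where-Object { $_.Source -eq 'Policy' })
    if ($policy.Count -gt 0) {
        "$($policy.Count) value(s) set by Group Policy; local w32tm /config changes to them are overridden"
    }
    $type = $s | Where-Object { $_.Section -eq 'NtpClient' -and $_.Name -eq 'Type' }
    if ($type -and $type.Value -eq 'NT5DS') {
        "NtpClient Type is NT5DS ($($type.Source)): time comes from the domain hierarchy, not /manualpeerlist"
    }
    $vmic = $s | Where-Object { $_.Section -eq 'VMICTimeProvider' -and $_.Name -eq 'Enabled' }
    if ($vmic -and $vmic.Value -eq '1') {
        'VMICTimeProvider is enabled: the Hyper-V host can also supply time to this guest'
    }
}

# Constructed sample, trimmed from the DC2 output posted in the thread
$sample = @'
[Configuration]
AnnounceFlags: 10 (Policy)
[TimeProviders]
NtpClient (Local)
Enabled: 1 (Local)
SpecialPollInterval: 3600 (Policy)
Type: NT5DS (Policy)
NtpServer (Local)
Enabled: 1 (Local)
VMICTimeProvider (Local)
Enabled: 1 (Local)
'@ -split "`r?`n"

Test-W32tmConfig -Lines $sample
# On a live DC: Test-W32tmConfig -Lines (w32tm /query /configuration)
```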