NTP problem

I have 3 DCs; 2 are VMs and 1 is physical. I have 4 host servers running Hyper-V.
I have tried everything under the sun to get NTP working, but I still can't get it to work.

All my Host servers and DCs are running win2012R2.

I have followed these guides:
http://www.sysadminlab.net/windows/configuring-ntp-on-windows-server-2012
http://www.sysadminlab.net/windows/configuring-ntp-on-windows-using-gpo

And I have run the commands on all of my DCs, but it's still not working; the time is still off.

Any ideas what I'm missing?
Asked by: Dan (Network Engineer)
Dr. Klahn (Principal Software Engineer) Commented:
1) What NTP server are you using?
2) Are the packets actually making it through the outgoing firewall?
3) If so, are the return packets making it through the incoming firewall?

0.us.pool.ntp.org is a good one, as that DNS rotates through many different servers.  If a server is down, the next time the request will be going to a different one.

[Attached image: NTP servers]
I personally don't like having one local time server that all systems depend on. This means if the master is off, everybody is off. Better imo to let each system enquire of one of the ntp.org servers individually. The maximum drift between systems should then be no more than a couple hundred milliseconds, less if the updates are done multiple times a day.

If nothing emerges, you might want to look at the Meinberg NTP software instead.  It's been around for a long time.
0
Antzs (Infrastructure Services) Commented:
In a domain environment, you will only need to configure the Domain Controller with NTP that is synchronizing with a reliable time source. As for the other member servers, once they are joined to the domain they will automatically sync with the time from the DC.

You can follow the below to configure your DC to sync with an external time source.
https://community.spiceworks.com/how_to/65413-configure-dc-to-synchronize-time-with-external-ntp-server
0
Cliff Galiher Commented:
Isn't this the same question you've already asked and have not closed here?

https://www.experts-exchange.com/questions/29006344/configuring-windows-time-via-Group-Policy.html
3
Mahesh (Architect) Commented:
If you could explain what exactly you have run / configured so far from the server side and client side, we can help.
0
Satish Auti (Senior System Administrator) Commented:
Please let us know the current NTP configuration.

Normally when you promote the DC it has the capability to act as NTP server. It is recommended to have this role installed on PDC role holder server.

Also, if you have VMs in place you should disable the time sync with the ESXi server, as there are some issues with time synchronization.
https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2075424

Then you can configure the authoritative time server in your environment. Please follow the steps under "Configuring the Windows Time service to use an external time source", as your NTP server must sync time with an external time source and update the domain accordingly. You need to configure the NTP value in the registry.

https://support.microsoft.com/en-in/help/816042/how-to-configure-an-authoritative-time-server-in-windows-server.

For other domain servers in your network you can configure the NT5DS value, which will sync time with your NTP server.
0
frankhelk Commented:
Even though there are a lot of hints and links here already, I'll try to throw in my article on NTP, too. It's on NTP basics mainly, but it contains a lot of trouble evasion hints, too.

You haven't stated what you're using to sync to the NTP time source, but "And have run the commands on all of my DCs (...)" implies to me that you're wrestling around with W32time, the Windows on-board timekeeper service. I've had enough hassle with that piece of crap in NTP mode to avoid it whenever I have a chance to.

I'd recommend switching over to something stable and mature: Use a Windows port of the classic *ux NTP client.
0
Dan (Network Engineer, Author) Commented:
I think my issue might be that my 3 DCs are trying to be the internal NTP server.
I just used the pool.ntp.org

I ran these on all my DCs. These are all the different commands I ran.
w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:MANUAL
w32tm /resync
w32tm.exe /resync /rediscover /nowait
w32tm /query /peers
w32tm /query /source
w32tm /query /status


Should I just run this command on 2 of my servers:
w32tm /unregister

And then just run this command on only one of my DCs?:
w32tm /config /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org" /syncfromflags:MANUAL


This question is not exactly the same as my other question, as after I can figure out the NTP problem on my server, then I do want all my PCs to get the time from my internal NTP server, so I'm guessing it's a different question.

On my firewall, I did open up the port NTP uses, so that should be good.
I guess I should check the Windows Server firewall to see if that port is open as well?

Dr Klahn, how did you get to that screen, as I'm on Windows 10 and I can't get to that screen?

I ran this command:
C:\Windows\System32>w32tm /query /source
DC2.mydomain.org

Is there a way to see all of the NTP configured servers in my domain?

Here's the configuration for all my 3 DCs.

DC1

C:\Windows\system32>w32tm /query /configuration
[Configuration]

EventLogFlags: 2 (Policy)
AnnounceFlags: 10 (Policy)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 10 (Policy)
MaxPollInterval: 15 (Policy)
MaxNegPhaseCorrection: 54000 (Policy)
MaxPosPhaseCorrection: 54000 (Policy)
MaxAllowedPhaseOffset: 300 (Policy)

FrequencyCorrectRate: 4 (Policy)
PollAdjustFactor: 5 (Policy)
LargePhaseOffset: 1280000 (Policy)
SpikeWatchPeriod: 90 (Policy)
LocalClockDispersion: 10 (Policy)
HoldPeriod: 5 (Policy)
PhaseCorrectRate: 1 (Policy)
UpdateInterval: 30000 (Policy)


[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Policy)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Policy)
ResolvePeerBackoffMaxTimes: 7 (Policy)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 3 (Policy)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Policy)
Type: NT5DS (Policy)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 0 (Local)
InputProvider: 1 (Local)


DC2

C:\Users\exec>w32tm /query /configuration
[Configuration]

EventLogFlags: 2 (Policy)
AnnounceFlags: 10 (Policy)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 10 (Policy)
MaxPollInterval: 15 (Policy)
MaxNegPhaseCorrection: 54000 (Policy)
MaxPosPhaseCorrection: 54000 (Policy)
MaxAllowedPhaseOffset: 300 (Policy)

FrequencyCorrectRate: 4 (Policy)
PollAdjustFactor: 5 (Policy)
LargePhaseOffset: 1280000 (Policy)
SpikeWatchPeriod: 90 (Policy)
LocalClockDispersion: 10 (Policy)
HoldPeriod: 5 (Policy)
PhaseCorrectRate: 1 (Policy)
UpdateInterval: 30000 (Policy)


[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Policy)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Policy)
ResolvePeerBackoffMaxTimes: 7 (Policy)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 3 (Policy)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Policy)
Type: NT5DS (Policy)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)


DC3

C:\Windows\System32>w32tm /query /configuration
[Configuration]

EventLogFlags: 2 (Policy)
AnnounceFlags: 10 (Policy)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 10 (Policy)
MaxPollInterval: 15 (Policy)
MaxNegPhaseCorrection: 54000 (Policy)
MaxPosPhaseCorrection: 54000 (Policy)
MaxAllowedPhaseOffset: 300 (Policy)

FrequencyCorrectRate: 4 (Policy)
PollAdjustFactor: 5 (Policy)
LargePhaseOffset: 1280000 (Policy)
SpikeWatchPeriod: 90 (Policy)
LocalClockDispersion: 10 (Policy)
HoldPeriod: 5 (Policy)
PhaseCorrectRate: 1 (Policy)
UpdateInterval: 30000 (Policy)


[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Policy)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Policy)
ResolvePeerBackoffMaxTimes: 7 (Policy)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 3 (Policy)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Policy)
Type: NT5DS (Policy)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
0
frankhelk Commented:
OK - I was right: W32time.

So I repeat my advice: Kick W32time out and use a classic NTP client. Follow the guidelines in my article on NTP. Use all 4 of the NTP server pointers from pool.ntp.org (preferably some in your region ... see http://www.pool.ntp.org for details on regional servers; click on the region name on the right of the page for directions).
0
Mahesh (Architect) Commented:
You have misconfigured the time service; you have configured all servers to be time servers, which should not be the case.

The PDC is the only server that should sync with internet time servers, and the other servers should pick up time from the PDC.

Run the commands below on the current PDC:
w32tm /config /manualpeerlist:"1.in.pool.ntp.org,0x8 1.asia.pool.ntp.org,0x8 3.asia.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
w32tm /config /update
net stop w32time && net start w32time
w32tm /query /status
w32tm /query /source

Check for event ID 37 on the PDC server, and choose pool.org servers for your location.

Then on all other DCs run the commands below:
w32tm /config /syncfromflags:domhier /reliable:no /update
net stop w32time && net start w32time

The same commands above can be run on all client computers.

Last thing:
What about Hyper-V VM time sync? You should uncheck the time synchronization service in all VM properties; otherwise, if there is time skew between the Hyper-V host and guest, it will create issues.


Mahesh.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Dan (Network Engineer, Author) Commented:
But I have 3 PDCs. So I have 3 domain controllers. From what you're saying, I need to only configure one of them to be the time keeper.

How do I know if I have other servers that are configured to be the NTP server?
You had referenced asia.pool.etc... I'm in the US, so wouldn't I want to use servers in the US?
0
Mahesh (Architect) Commented:
You don't have 3 PDCs. How many domains are you running?

Single domain, single forest, right?

You have only one server acting as PDC.

Run "netdom query fsmo" on any one server and you will come to know which is the PDC.

Obviously, you need to find pool.org servers at your location; that is what I told you earlier.
0
Dan (Network Engineer, Author) Commented:
Yes, thanks, I figured out which DC is my PDC.

So my DCs are virtualized, will that be a problem? I'm running a scale SAN.
0
Dan (Network Engineer, Author) Commented:
Some places have 0x1, you list 0x8; what's the difference?
0
Mahesh (Architect) Commented:
Use this switch:
0x08 - Automatic reliable time server

Meaning of the other switch:
0x01 - always time server

Read the article below to clear up the concept:
https://technet.microsoft.com/windows-server-docs/identity/ad-ds/get-started/windows-time-service/windows-time-service-tools-and-settings
0
Dan (Network Engineer, Author) Commented:
Thanks, I had googled it after I wrote the comment.

So I did the status and source and this is strange, is this correct?

[Attached image: time]
0
Dan (Network Engineer, Author) Commented:
Then I checked the source on one of my servers, and it's not syncing to the DC; it looks like it's syncing with the local CMOS clock.
Isn't this wrong? How do I get all the servers and PCs to sync with the PDC now?

[Attached image: time2]
0
Mahesh (Architect) Commented:
It's clearly seen that the VM is getting time from the Hyper-V host.
Have you got the PDC working correctly?
Have you verified that?
0
Dan (Network Engineer, Author) Commented:
Looks like even my PDC is not working. How do I overcome this problem?

[Attached image: time3]
0
Dan (Network Engineer, Author) Commented:
Something is wrong.
Here's everything I did and it's still not working. It's still getting the time from the CMOS clock.

[Attached image: time4]
0
Dan (Network Engineer, Author) Commented:
I stopped the Hyper-V integration services, so it's not getting the time from the Hyper-V host anymore, but now I can't get it to sync with the correct online servers; it still says local CMOS clock.
0
Dan (Network Engineer, Author) Commented:
I even configured GP as well with the same settings, nothing.
0
frankhelk Commented:
I hate to repeat myself, but here's my advice again.

Kick W32time out and use a classic NTP client Windows port. Follow the guidelines in my article on NTP. See my previous comments, too.

The classic NTP client is mature like my grandma (first published 1985 and actively developed ever since), has the resource footprint of a newborn girl, is easier to troubleshoot than W32time, works like a charm and is stable as a rock.

You could get a decent port i.e. from the Meinberg web site.

Give it a try. Installing is easy, as the configuration is, too. And uninstalling it is like removing any other software.
0
Dan (Network Engineer, Author) Commented:
Thanks everyone, got it figured out. I had some GPs enabled that were overwriting what I had configured.
0
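Added example, not code from any participant in this thread: a PowerShell check that parses w32tm /query /configuration output and reports which settings come from Group Policy, which is what was overriding the w32tm /config changes here. The function name Get-W32tmSetting is hypothetical, and the embedded sample is an excerpt of the DC2 output posted above.

```powershell
# Constructed sample: excerpt of the DC2 output posted in this thread.
# On a real DC use instead:  $lines = w32tm /query /configuration
$lines = @'
[Configuration]
AnnounceFlags: 10 (Policy)
MaxAllowedPhaseOffset: 300 (Policy)
[TimeProviders]
NtpClient (Local)
Enabled: 1 (Local)
SpecialPollInterval: 3600 (Policy)
Type: NT5DS (Policy)
NtpServer (Local)
Enabled: 1 (Local)
VMICTimeProvider (Local)
Enabled: 1 (Local)
'@ -split "`r?`n"

# Get-W32tmSetting is a hypothetical helper name, not a built-in cmdlet.
function Get-W32tmSetting {
    param([string[]]$Lines)
    $section = ''
    foreach ($line in $Lines) {
        $t = $line.Trim()
        # "[Configuration]" style headers and "NtpClient (Local)" provider headers
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($t -match '^(\w+)\s+\((Local|Policy)\)$') { $section = $Matches[1]; continue }
        # "Name: value (Local|Policy)" setting lines
        if ($t -match '^(\w+):\s*(.+?)\s+\((Local|Policy)\)$') {
            [pscustomobject]@{ Section = $section; Name = $Matches[1]
                               Value = $Matches[2]; Source = $Matches[3] }
        }
    }
}

$settings = Get-W32tmSetting -Lines $lines
$type = $settings | Where-Object { $_.Section -eq 'NtpClient' -and $_.Name -eq 'Type' }
$vmic = $settings | Where-Object { $_.Section -eq 'VMICTimeProvider' -and $_.Name -eq 'Enabled' }

if ($type.Source -eq 'Policy') {
    "NtpClient Type=$($type.Value) comes from Group Policy; w32tm /config only changes the local value"
}
if ($type.Value -eq 'NT5DS') { "Time source is the domain hierarchy; the manual peer list is not used" }
if ($vmic.Value -eq '1') { "VMICTimeProvider is enabled: the Hyper-V host can also supply time to this guest" }
"Policy-sourced settings:"
$settings | Where-Object Source -eq 'Policy' | Format-Table Section, Name, Value -AutoSize
```

On the sample, all three findings are reported, matching the thread: the policy-set NT5DS type overrides the manual peer list, and the Hyper-V time provider is still enabled on the guest.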