Dan

NTP problem

I have 3 DCs; 2 are VMs and 1 is physical. I have 4 host servers running Hyper-V.
I have tried everything under the sun to get the NTP working, but I still can't get it to work.

All my Host servers and DCs are running win2012R2.

I have followed these guides:
http://www.sysadminlab.net/windows/configuring-ntp-on-windows-server-2012
http://www.sysadminlab.net/windows/configuring-ntp-on-windows-using-gpo

And have ran the commands on all of my DCs, but it's still not working, the time is still off.

Any ideas what I'm missing?
Windows Server 2012, Active Directory, Windows Server 2008

Last Comment: Dan, 8/22/2022 - Mon
SOLUTION
Dr. Klahn

SOLUTION
Antzs

Cliff Galiher

Isn't this the same question you've already asked and have not closed here?

https://www.experts-exchange.com/questions/29006344/configuring-windows-time-via-Group-Policy.html
Mahesh

If you could explain what exactly you have run / configured so far from server side and client side, we can help.
Satish Auti

Please let us know current NTP configuration.

Normally when you promote the DC it has the capability to act as NTP server. It is recommended to have this role installed on PDC role holder server.

Also, if you have VMs in place you should disable the time sync with the ESXi server, as there are some issues with time synchronization.
https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2075424

Then you can configure the authoritative time server in your environment. Please follow the steps under "Configuring the Windows Time service to use an external time source", as your NTP server must sync time with an external time source and update the domain accordingly. You need to configure the NTP value in the registry.

https://support.microsoft.com/en-in/help/816042/how-to-configure-an-authoritative-time-server-in-windows-server

For other domain servers in your network you can configure the nt5ds value, which will sync time with your NTP server.
Frank Helk

Even though there are a lot of hints and links already, I'll try to throw in my article on NTP, too. It's on NTP basics mainly, but it contains a lot of trouble evasion hints, too.

You haven't stated what you're using to sync to the NTP time source, but "And have ran the commands on all of my DCs (...)" implies to me that you're wrestling around with W32time, the Windows on-board timekeeper service. I've had enough hassle with that piece of crap in NTP mode to avoid it whenever I have a chance to.

I'd recommend switching over to something stable and mature: Use a Windows port of the classic *ux NTP client.
Dan

ASKER
I think my issue might be that my 3 DCs are trying to be the internal NTP server.
I just used the pool.ntp.org

I ran these on all my DCs. These are all the different commands I ran.
w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:MANUAL
w32tm /resync
w32tm.exe /resync /rediscover /nowait
w32tm /query /peers
w32tm /query /source
w32tm /query /status


Should I just run this command on 2 of my servers:
w32tm /unregister

And then just run this command on only one of my DCs?:
w32tm /config /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org" /syncfromflags:MANUAL


This question is not exactly the same as my other question, as after I can figure out the NTP problem on my server, then I do want all my PCs to get the time from my internal NTP server, so I'm guessing it's a different question.

On my firewall, I did open up the port NTP uses, so that should be good.
I guess I should check the windows server firewall to see if that port is open as well?

Dr Klahn, how did you get to that screen, as I'm on Windows 10 and I can't get to that screen?

I ran this command:
C:\Windows\System32>w32tm /query /source
DC2.mydomain.org

Is there a way to see all of the NTP configured servers in my domain?

Here's the configuration for all my 3 DCs.

DC1

C:\Windows\system32>w32tm /query /configuration
[Configuration]

EventLogFlags: 2 (Policy)
AnnounceFlags: 10 (Policy)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 10 (Policy)
MaxPollInterval: 15 (Policy)
MaxNegPhaseCorrection: 54000 (Policy)
MaxPosPhaseCorrection: 54000 (Policy)
MaxAllowedPhaseOffset: 300 (Policy)

FrequencyCorrectRate: 4 (Policy)
PollAdjustFactor: 5 (Policy)
LargePhaseOffset: 1280000 (Policy)
SpikeWatchPeriod: 90 (Policy)
LocalClockDispersion: 10 (Policy)
HoldPeriod: 5 (Policy)
PhaseCorrectRate: 1 (Policy)
UpdateInterval: 30000 (Policy)


[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Policy)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Policy)
ResolvePeerBackoffMaxTimes: 7 (Policy)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 3 (Policy)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Policy)
Type: NT5DS (Policy)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 0 (Local)
InputProvider: 1 (Local)


DC2

C:\Users\exec>w32tm /query /configuration
[Configuration]

EventLogFlags: 2 (Policy)
AnnounceFlags: 10 (Policy)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 10 (Policy)
MaxPollInterval: 15 (Policy)
MaxNegPhaseCorrection: 54000 (Policy)
MaxPosPhaseCorrection: 54000 (Policy)
MaxAllowedPhaseOffset: 300 (Policy)

FrequencyCorrectRate: 4 (Policy)
PollAdjustFactor: 5 (Policy)
LargePhaseOffset: 1280000 (Policy)
SpikeWatchPeriod: 90 (Policy)
LocalClockDispersion: 10 (Policy)
HoldPeriod: 5 (Policy)
PhaseCorrectRate: 1 (Policy)
UpdateInterval: 30000 (Policy)


[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Policy)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Policy)
ResolvePeerBackoffMaxTimes: 7 (Policy)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 3 (Policy)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Policy)
Type: NT5DS (Policy)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)


DC3

C:\Windows\System32>w32tm /query /configuration
[Configuration]

EventLogFlags: 2 (Policy)
AnnounceFlags: 10 (Policy)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 10 (Policy)
MaxPollInterval: 15 (Policy)
MaxNegPhaseCorrection: 54000 (Policy)
MaxPosPhaseCorrection: 54000 (Policy)
MaxAllowedPhaseOffset: 300 (Policy)

FrequencyCorrectRate: 4 (Policy)
PollAdjustFactor: 5 (Policy)
LargePhaseOffset: 1280000 (Policy)
SpikeWatchPeriod: 90 (Policy)
LocalClockDispersion: 10 (Policy)
HoldPeriod: 5 (Policy)
PhaseCorrectRate: 1 (Policy)
UpdateInterval: 30000 (Policy)


[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Policy)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Policy)
ResolvePeerBackoffMaxTimes: 7 (Policy)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 3 (Policy)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Policy)
Type: NT5DS (Policy)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
Frank Helk

OK - I've been right: W32time.

So I repeat my advice: Kick W32time out and use a classic NTP client. Follow the guidelines in my article on NTP. Use all the 4 NTP server pointers from pool.ntp.org (preferably some in your region ... see http://www.pool.ntp.org for details on regional servers; click on the region name on the right of the gage for directions).
Dan

ASKER
But I have 3 PDCs. So I have 3 domain controllers. From what you're saying, I need to only configure one of them to be the time keeper.

How do I know if I have other servers that are configured to be the NTP server?
You had referenced asia.pool.etc...  I'm in the US, so wouldn't I want to use servers in the US?
Mahesh

You don't have 3 PDCs, you are running how many domains?

Single domain single forest right?

You have only one server acting as PDC

Run "netdom query fsmo" on any one server and you will come to know which is the PDC

But obviously, you need to find pool.org servers at your location, that is what I told earlier
Dan

ASKER
yes, thanks, I figured out which DC is my PDC.

So my DCs are virtualized, will that be a problem?  I'm running a scale SAN.
Dan

ASKER
Some places have 0x1, you list 0x8, what's the difference?
Mahesh

Use this switch:
0x08 Automatic reliable time server

other switch meaning
0x01 - always time server

Read the articles below to clear up the concept
https://technet.microsoft.com/windows-server-docs/identity/ad-ds/get-started/windows-time-service/windows-time-service-tools-and-settings
Dan

ASKER
thanks, I had googled it after I wrote the comment.

So I did the status and source and this is strange, is this correct?

[image: time]
Dan

ASKER
Then I checked the source on one of my servers, and it's not syncing to the DC, it looks like it's syncing with the local CMOS clock.
Isn't this wrong?  How do I get all the servers and PCs to sync with the PDC now?

[image: time2]
Dan

ASKER
Looks like even my PDC is not working.  How do I overcome this problem?

[image: time3]
Dan

ASKER
Something is wrong.
Here's everything I did and it's still not working.  It's still getting the time from the CMOS clock.

[image: time4]
Dan

ASKER
I stopped the Hyper-V integration services, so it's not getting the time from the Hyper-V host anymore, but now I can't get it to sync with the correct online servers; it still says local CMOS clock.
Dan

ASKER
I even configured GP as well with the same settings, nothing.
Dan

ASKER
Thanks everyone, got it figured out.  I had some GPs enabled that were overwriting what I had configured.
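
Added example, not part of any participant's post: the w32tm /query /configuration output posted earlier in the thread tags every value with (Policy) or (Local), which is where a Group Policy override of the time source shows up. This Python code parses that output, using a constructed sample abridged from the DC2 listing, reports a policy-set NtpClient Type and an enabled VMICTimeProvider, and decodes AnnounceFlags with the two bit meanings quoted in the thread plus the other two documented bits; the function names are hypothetical.

```python
import re

# Constructed sample: abridged from the DC2 output posted in the thread.
SAMPLE = r"""
[Configuration]
AnnounceFlags: 10 (Policy)
TimeJumpAuditOffset: 28800 (Local)

[TimeProviders]
NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Type: NT5DS (Policy)

VMICTimeProvider (Local)
Enabled: 1 (Local)
"""

# AnnounceFlags bit meanings as documented for the Windows Time service.
ANNOUNCE_BITS = {0x1: "always time server", 0x2: "automatic time server",
                 0x4: "always reliable time server",
                 0x8: "automatic reliable time server"}

def parse_w32tm_config(text):
    """Return {scope: {setting: (value, source)}} for sections and providers."""
    cfg, scope = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"\[(\w+)\]", line):
            scope = m.group(1)
        elif m := re.fullmatch(r"([^:]+): (.*) \((Policy|Local)\)", line):
            cfg.setdefault(scope, {})[m.group(1)] = (m.group(2), m.group(3))
        elif m := re.fullmatch(r"(\w+) \((Policy|Local)\)", line):
            scope = m.group(1)  # provider header such as "NtpClient (Local)"
    return cfg

def findings(cfg):
    """List the settings that explain a DC ignoring its manual peer list."""
    out = []
    typ, src = cfg.get("NtpClient", {}).get("Type", ("", ""))
    if src == "Policy":
        out.append(f"NtpClient Type={typ} comes from Group Policy, "
                   "which takes precedence over w32tm /config")
    if cfg.get("VMICTimeProvider", {}).get("Enabled", ("0",))[0] == "1":
        out.append("VMICTimeProvider is enabled (Hyper-V host time sync)")
    flags, fsrc = cfg.get("Configuration", {}).get("AnnounceFlags", ("0", ""))
    names = [n for bit, n in ANNOUNCE_BITS.items() if int(flags) & bit]
    out.append(f"AnnounceFlags={flags} ({fsrc}): " + ", ".join(names))
    return out

if __name__ == "__main__":
    print("\n".join(findings(parse_w32tm_config(SAMPLE))))
```

Saving the real command output from each DC to a file and passing its text to parse_w32tm_config gives the same report per server.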