
Sync Workgroup servers to a domain controller.

CBB asked:
I have 2 Windows servers that are part of a workgroup and sitting on a VLAN behind a firewall. I want to sync time on these 2 servers to a domain controller sitting on another VLAN on the other side of the firewall. Is this possible and if so how do I do it? Or are there better alternatives?

Jose Gabriel Ortega CastroCEO Faru Bonon IT /Top Rated Freelancer on Upwork / Photographer
Awarded 2018
Distinguished Expert 2018

Commented:
Most Valuable Expert 2018
Distinguished Expert 2018

Commented:
Do not use "net time /set". This command is deprecated; it dates back to NT4 and earlier and should not be used on any OS more recent than NT4. That aside, it would be a one-time operation anyway.
All you need to do is point the W32Time service on your workgroup servers to the DCs (by IP or name, if DNS is available behind the firewall).
In the firewall, you need to allow UDP port 123 to the DC(s) you configured:
w32tm.exe /config /manualpeerlist:"1.2.3.4,0x9 4.3.2.1,0x9" /syncfromflags:MANUAL /update
w32tm.exe /resync /rediscover


Windows Time Service Tools and Settings
https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings
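
The two w32tm lines above are the whole configuration; what follows is an added example, not part of the original answer, that wraps them in a script a practitioner can run as-is on the workgroup server and that also does the verification the answer leaves implicit. It assumes 172.24.0.20 (the DC that appears later in this thread) plus a hypothetical second DC 172.24.0.21; the firewall rule name is likewise made up. The comments spell out what the ",0x9" suffix means, since the thread later toggles it to ",0x1" without saying why.

```powershell
# Added example (not from the thread): point a workgroup server's W32Time at domain controllers
# as manual NTP peers and verify the result. Run in an elevated PowerShell on the workgroup server.
# Assumptions: 172.24.0.20 is the DC from the thread; 172.24.0.21 is a hypothetical second DC.
$Peers = @('172.24.0.20', '172.24.0.21')

# Peer flags appended after the comma (they can be OR-ed together):
#   0x1 UseSpecialPollInterval  poll every SpecialPollInterval seconds instead of the adaptive interval
#   0x2 UseAsFallbackOnly       only use this peer if no other peer answers
#   0x4 SymmetricActive         symmetric-active association (rarely wanted)
#   0x8 Client                  plain client/server mode
# 0x9 = 0x1 + 0x8, which is what the thread uses.
$peerList = ($Peers | ForEach-Object { "$_,0x9" }) -join ' '

# 1. Host firewall on the client. Windows allows outbound traffic by default, so this rule only
#    documents the dependency; the blocker discussed in the thread is the network firewall between
#    the VLANs. On the DC side the predefined inbound rule is
#    "Active Directory Domain Controller - W32Time (NTP-UDP-In)".
$ruleName = 'NTP client to DCs (UDP 123 out)'   # hypothetical name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol UDP -RemotePort 123 `
        -RemoteAddress $Peers -Action Allow | Out-Null
}

# 2. Configure W32Time. /syncfromflags:MANUAL ignores the domain hierarchy (a workgroup member
#    has none); /reliable:NO keeps this box from advertising itself as a time source to others.
#    On workgroup machines the service is set to Manual (trigger start) and can stop when idle,
#    so make it Automatic before relying on it.
Set-Service -Name w32time -StartupType Automatic
w32tm.exe /config /manualpeerlist:"$peerList" /syncfromflags:MANUAL /reliable:NO /update
Restart-Service -Name w32time
w32tm.exe /resync /rediscover

# 3. Verify: the source should be one of the peers, not "Local CMOS Clock" or
#    "Free-running System Clock", and /query /status should show a stratum one higher than the peer's.
w32tm.exe /query /source
w32tm.exe /query /status
w32tm.exe /query /peers
# Direct probe of the first peer: prints per-sample offset, or an error if UDP 123 is blocked.
w32tm.exe /stripchart /computer:$($Peers[0]) /samples:3 /dataonly
```

If /resync still reports "no time data was available" after this, the peer is reachable but its replies are being discarded, which is a different problem from a blocked port; the stripchart output and /query /peers (its "State" and "Last Successful Sync" fields) tell the two cases apart.
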
CBBNet Admin

Author

Commented:
I tried both commands but when I want to resync it says: "The computer did not resync because no time data was available."
I tried a telnet to the IP and port 123 to see if the port is open but it fails with the message: "The computer did not resync because no time data was available."
Most Valuable Expert 2018
Distinguished Expert 2018

Commented:
You can't use Telnet to test UDP. Again: UDP port 123 needs to be open on the firewall separating the workgroup servers from the DCs, with destinations to all DCs you have in the peer list. In addition, verify that the Windows Software Firewall on said DCs allows UDP port 123 as well (there should be a predefined active rule).
And here's a PowerShell script that queries a given NTP server that you can use to test the connection:
Get Network NTP Time with PowerShell
https://gallery.technet.microsoft.com/scriptcenter/Get-Network-NTP-Time-with-07b216ca
"dot-source" it to import the function, then
. .\Get-NtpTime.ps1
Get-NtpTime -Verbose -Server SomeDC


CBBNet Admin

Author

Commented:
Sorry, the last message on the telnet to port 123 was incorrect, and I have already opened UDP port 123 on the firewall to the DC IP. I have the Windows FW off on the DC and I created an outbound rule on the workgroup server to allow UDP port 123.
Still no sync.
I tried cmd w32tm /monitor /computers:"DC IP" and get the message below:
ICMP: 2ms delay
    NTP: -3.0696162s offset from local clock
        RefID: (unspecified / unsynchronized) [0x00000000]
        Stratum: 0

Warning:
Reverse name resolution is best effort. It may not be
correct since RefID field in time packets differs across
NTP implementations and may not be using IP addresses.

The resync doesn't work:
C:\Windows\system32>w32tm /resync /rediscover
Sending resync command to local computer
The computer did not resync because no time data was available.
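
Two points in the thread so far call for the same tool: the earlier advice to test the connection with a PowerShell NTP query rather than Telnet (which cannot exercise UDP), and the /monitor output just above, where the DC answers but reports Stratum: 0 and RefID "unspecified / unsynchronized". An NTP server that replies with stratum 0 (or with the leap indicator set to 3) is announcing that it is not itself synchronized, and RFC 5905 clients, W32Time included, discard such samples; that is exactly the shape of a "no time data was available" result from a peer that is clearly reachable. The following is an added, self-contained probe written for this page, not the Get-NtpTime script linked above and not code from the thread. It assumes 172.24.0.20 is the DC; any NTP server can be substituted.

```powershell
# Added example (not from the thread): a minimal NTP probe in PowerShell that sends one client
# request over UDP 123 and decodes the reply, so you can see what the DC actually advertises.
# Assumption: 172.24.0.20 is the DC from the thread; any NTP server can be substituted.

function ConvertFrom-NtpTimestamp {
    # 64-bit NTP timestamp at $Offset: 32-bit seconds since 1900-01-01 plus 32-bit fraction, big-endian.
    param([byte[]]$Packet, [int]$Offset)
    $secBytes  = [byte[]]$Packet[$Offset..($Offset + 3)]
    $fracBytes = [byte[]]$Packet[($Offset + 4)..($Offset + 7)]
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($secBytes); [Array]::Reverse($fracBytes) }
    $seconds = [double][BitConverter]::ToUInt32($secBytes, 0) + [BitConverter]::ToUInt32($fracBytes, 0) / 4294967296.0
    $unixEpoch = New-Object DateTime -ArgumentList 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
    return $unixEpoch.AddSeconds($seconds - 2208988800)   # 2208988800 s between 1900 and 1970
}

function Get-NtpProbe {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 123,
        [int]$TimeoutMs = 3000
    )
    # 48-byte NTPv4 client request: first byte = LI 0, VN 4, Mode 3 (client) -> 0x23
    $request = New-Object byte[] 48
    $request[0] = 0x23

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($Server, $Port)
        $t1 = [DateTime]::UtcNow
        [void]$udp.Send($request, $request.Length)
        $remote = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
        $reply = $udp.Receive([ref]$remote)
        $t4 = [DateTime]::UtcNow
    } catch [System.Net.Sockets.SocketException] {
        # Timeout: nothing came back. Telnet cannot tell you this for UDP; this can.
        return [pscustomobject]@{ Server = $Server; Reachable = $false; Error = $_.Exception.Message }
    } finally {
        $udp.Close()
    }
    if ($reply.Length -lt 48) { throw "Short NTP reply ($($reply.Length) bytes) from $Server" }

    $li      = ($reply[0] -shr 6) -band 0x3     # leap indicator; 3 = clock unsynchronized
    $version = ($reply[0] -shr 3) -band 0x7
    $mode    = $reply[0] -band 0x7              # 4 = server reply
    $stratum = [int]$reply[1]                   # 0 = unspecified / kiss-o'-death, 16 = unsynchronized
    $refBytes = [byte[]]$reply[12..15]
    $refId   = if ($stratum -le 1) { [System.Text.Encoding]::ASCII.GetString($refBytes).Trim([char]0) }
               else { ($refBytes | ForEach-Object { [int]$_ }) -join '.' }   # IPv4 of upstream source

    $t2 = ConvertFrom-NtpTimestamp -Packet $reply -Offset 32   # receive timestamp at server
    $t3 = ConvertFrom-NtpTimestamp -Packet $reply -Offset 40   # transmit timestamp at server
    $offset = (($t2 - $t1).TotalSeconds + ($t3 - $t4).TotalSeconds) / 2   # RFC 5905 clock offset

    [pscustomobject]@{
        Server        = $Server
        Reachable     = $true
        Version       = $version
        Mode          = $mode
        LeapIndicator = $li
        Stratum       = $stratum
        RefId         = $refId
        ServerTimeUtc = $t3
        OffsetSeconds = [math]::Round($offset, 4)
        # A client only uses a sample from a synchronized server: mode 4, LI != 3, stratum 1..15.
        Usable        = ($mode -eq 4) -and ($li -ne 3) -and ($stratum -ge 1) -and ($stratum -le 15)
    }
}

Get-NtpProbe -Server '172.24.0.20' | Format-List
```

Reachable = False means the firewall path (or the DC's NtpServer provider) is the problem; Reachable = True with Usable = False means the packets arrive but the DC is not offering synchronized time, and the fix belongs on the DC side, not on the workgroup server.
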
Most Valuable Expert 2018
Distinguished Expert 2018

Commented:
Run the following, which will put the W32Time configuration straight into the clipboard.
Then paste it here between [code][/code] tags
w32tm /query /configuration | clip.exe


CBBNet Admin

Author

Commented:
[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 5 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 54000 (Local)
MaxPosPhaseCorrection: 54000 (Local)
MaxAllowedPhaseOffset: 1 (Local)

FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 1 (Local)
UpdateInterval: 100 (Local)


[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\SYSTEM32\w32time.DLL (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 86400 (Local)
Type: NTP (Local)
NtpServer: 172.24.0.20,0x9 (Local)

NtpServer (Local)
DllName: C:\Windows\SYSTEM32\w32time.DLL (Local)
Enabled: 0 (Local)
InputProvider: 0 (Local)
Most Valuable Expert 2018
Distinguished Expert 2018

Commented:
The DC seems to be accessible, and the configuration looks pretty normal.
It usually helps to reset the time service.
Run this:
net.exe stop w32time
w32tm.exe /unregister
w32tm.exe /register
net.exe start w32time


Then the configuration again:
w32tm.exe /config /manualpeerlist:"172.24.0.20,0x9" /syncfromflags:MANUAL /update
w32tm.exe /resync /rediscover


CBBNet Admin

Author

Commented:
Still NO sync, see below:


C:\Windows\system32>net.exe stop w32time
The Windows Time service is stopping.
The Windows Time service was stopped successfully.


C:\Windows\system32>w32tm.exe /unregister
W32Time successfully unregistered.

C:\Windows\system32>w32tm.exe /register
W32Time successfully registered.

C:\Windows\system32>net.exe start w32time
The Windows Time service is starting.
The Windows Time service was started successfully.


C:\Windows\system32>w32tm.exe /config /manualpeerlist:"172.24.0.20,0x9" /syncfromflags:MANUAL /update
The command completed successfully.

C:\Windows\system32>w32tm.exe /resync /rediscover
Sending resync command to local computer
The computer did not resync because no time data was available.
Most Valuable Expert 2018
Distinguished Expert 2018

Commented:
Does the server have Internet access?
If so, please try to use 0.pool.ntp.org as time server:
w32tm.exe /config /manualpeerlist:"0.pool.ntp.org,0x9" /syncfromflags:MANUAL /update
w32tm.exe /resync /rediscover


CBBNet Admin

Author

Commented:
No, the server has no internet and CANNOT have access to the internet.
Most Valuable Expert 2018
Distinguished Expert 2018

Commented:
Is the DC you're contacting the PDC Emulator, and is time sync working correctly in your AD?
Have you tried another DC?
Do you have a workgroup machine in your AD network that you can successfully configure to sync its time with the DC?
One last thing you can try is to replace the ",0x9" at the end of the name(s) with ",0x1".
w32tm.exe /config /manualpeerlist:"172.24.0.20,0x1" /syncfromflags:MANUAL /update
w32tm.exe /resync /rediscover


Then turn on debug logging and see if that helps:
How to turn on debug logging in the Windows Time Service
https://support.microsoft.com/en-us/help/816043/how-to-turn-on-debug-logging-in-the-windows-time-service
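
The linked article describes debug logging in terms of registry edits; the same can be switched on and off from w32tm directly. The script below is an added example, not from the thread or the linked article, that enables the log, provokes the failing resync, and pulls out the lines and System-log events that explain why a peer's samples were not used. The log path is a hypothetical choice, and the Select-String pattern is a set of search terms to try, not a fixed list of W32Time message strings.

```powershell
# Added example (not from the thread): capture W32Time's own account of a failed resync.
# Assumption: C:\Windows\Temp\w32time.log is a hypothetical log path; pick any writable location.
$log = 'C:\Windows\Temp\w32time.log'

# Enable the debug log (entry classes 0-300, rolling at about 10 MB), trigger the failure, give it a moment.
w32tm.exe /debug /enable "/file:$log" /size:10000000 /entries:0-300
w32tm.exe /resync /rediscover
Start-Sleep -Seconds 15

# Pull the lines about the peer out of the log. The regex is a heuristic set of search terms,
# not a fixed list of W32Time message strings; widen it if nothing matches.
Select-String -Path $log -Pattern '172\.24\.0\.20|Reachab|Polling|KoD|stratum|unsync|discard' |
    Select-Object -Last 40 -ExpandProperty Line

# The System log carries the summarized version from the same provider, e.g. the
# "No valid response has been received from manually configured peer" event.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service' } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message | Format-List

# Turn the debug log off again; it grows quickly and is not meant to stay enabled.
w32tm.exe /debug /disable
```
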
CBBNet Admin

Author

Commented:
No, the DC I am contacting is not the PDC emulator. Yes, time is working correctly in AD.
I have not tried another DC since I would have to open a port on another firewall.
No, I do not have a workgroup machine in AD to configure to sync its time with the DC.
I tried with the "0x1" and still NO sync.

Will turn on debugging.
Net Admin
Commented:
I was able to sync NTP time through the firewall to my core switch, which gets time from the Internet. I did the /resync /rediscover and it was finally successful.

Thanks