Domain joined machines sync time with wrong server

Last Modified: 2020-06-15
Domain computers are using the wrong time server. I have three domain controllers in my domain. xxx is the PDC and is syncing time with external time servers. YYY is also a domain controller and used to be the PDC before I transferred the role to xxx. However, when I run the w32tm /query /source command on my domain-joined machines, the response is the yyy server. All servers and machines have been rebooted.

PDC
w32tm /query /source
0.dk.pool.ntp.org,1.dk.pool.ntp.org,2.dk.pool.ntp.org,3.dk.pool.ntp.org

There are no GPOs for these settings. How can I make sure that computers and servers are using the correct server to sync time?

Udara Peiris, System Engineer
CERTIFIED EXPERT

Commented:
Run the command below on your DC:
w32tm /config /syncfromflags:domhier /update

For further details, please refer to the following:

Configure a Client Computer for Automatic Domain Time Synchronization

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc816884(v=ws.10) 

Windows Time service tools and settings

https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings 
I had already done that running these commands from the DC:

w32tm /config /syncfromflags:domhier /update
w32tm /resync /rediscover
net stop w32time && net start w32time
Hello There, System Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
You need to run it on computers!

Run this script on all clients to switch from old NTP to a new NTP:
net stop w32time 
w32tm /unregister 
w32tm /register 
net start w32time
w32tm /resync /rediscover
w32tm /config /syncfromflags:domhier /update
net stop w32time && net start w32time
Distribute it via startup script or use Group Policy: Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers > Enable the Configure Windows NTP Client policy and set your DC as the NTP Server.
Source is still the wrong server after running the commands on computers.
Hello There, System Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Run these commands on PDC to verify the configuration:
w32tm /query /status
w32tm /query /configuration

Then run these commands on one computer to verify the configuration:
w32tm /query /status
w32tm /query /configuration
Result from PDC:

C:\Users\administrator.POLITIFORBUNDET>w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 3 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0000000s
Root Dispersion: 10.0000000s
ReferenceId: 0x55CC894D (source IP:  85.204.137.77)
Last Successful Sync Time: 20-05-2020 10:15:09
Source: 0.dk.pool.ntp.org,1.dk.pool.ntp.org,2.dk.pool.ntp.org,3.dk.pool.ntp.org

Poll Interval: 6 (64s)


C:\Users\administrator.POLITIFORBUNDET>w32tm /query /configuration
[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 5 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 86400 (Local)
MaxPosPhaseCorrection: 86400 (Local)
MaxAllowedPhaseOffset: 300 (Local)

FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)


[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NTP (Local)
NtpServer: 0.dk.pool.ntp.org,1.dk.pool.ntp.org,2.dk.pool.ntp.org,3.dk.pool.ntp.org (Local)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)

Result from PC:

C:\WINDOWS\system32>w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 5 (secondary reference - syncd by (S)NTP)
Precision: -23 (119.209ns per tick)
Root Delay: 0.0338197s
Root Dispersion: 13.8969722s
ReferenceId: 0xAC100C06 (source IP:  172.16.12.6)
Last Successful Sync Time: 20-05-2020 10:51:29
Source: yyy.politiforbundet.lan
Poll Interval: 10 (1024s)


C:\WINDOWS\system32>w32tm /query /configuration
[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 10 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 10 (Local)
MaxPollInterval: 15 (Local)
MaxNegPhaseCorrection: 4294967295 (Local)
MaxPosPhaseCorrection: 4294967295 (Local)
MaxAllowedPhaseOffset: 300 (Local)

FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 1 (Local)
UpdateInterval: 30000 (Local)


[TimeProviders]

NtpClient (Local)
DllName: C:\WINDOWS\SYSTEM32\w32time.DLL (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NT5DS (Local)

NtpServer (Local)
DllName: C:\WINDOWS\SYSTEM32\w32time.DLL (Local)
Enabled: 0 (Local)
InputProvider: 0 (Local)

Hello There, System Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Result from PC w32tm /query /status
ReferenceId: 0xAC100C06 (source IP:  172.16.12.6)
Last Successful Sync Time: 20-05-2020 10:51:29
Source: yyy.politiforbundet.lan

Is the info above correct? I mean if 172.16.12.6 / yyy.politiforbundet.lan = your PDC.
Hello There, System Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Sorry, I see it now. xxx.politiforbundet.lan is your PDC, not yyy.politiforbundet.lan.
172.16.12.6 is the yyy server and not the PDC. It's the old PDC from before I transferred the role to xxx server.
Hello There, System Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Set other DCs as unreliable servers:
w32tm /config /syncfromflags:domhier /update /reliable:no
net stop w32time && net start w32time 
Then run the script on clients again. (The one I posted earlier.)

Also, you can use Group Policy to point computers to PDC:
Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers > Enable the Configure Windows NTP Client policy and set your PDC as the NTP Server. 
I ran the unreliable command on the yyy DC and the other commands on my PC, but the source is still the yyy server.
Udara Peiris, System Engineer
CERTIFIED EXPERT

Commented:
I've gone through the guide. The PDC can synchronize with my external time sources. The problem is getting my other servers and pc's on the domain to sync from the right PDC. The guide didn't seem to fix that.
Udara Peiris, System Engineer
CERTIFIED EXPERT

Commented:
Hi Ronnie,
Did you check the required port communication status from the other devices to the DC?
https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/how-the-windows-time-service-works 
Hello There, System Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
What exactly did you run on clients?

Run netdom query fsmo to verify which server is the FSMO holder.
XXX server is the FSMO holder:

netdom query fsmo
Schema master               XXX.domain.lan
Domain naming master        XXX.domain.lan
PDC                         XXX.domain.lan
RID pool manager            XXX.domain.lan
Infrastructure master       XXX.domain.lan
Hello There, System Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
What exactly did you run on clients?
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
w32tm /resync /rediscover
w32tm /config /syncfromflags:domhier /update
net stop w32time && net start w32time 
Pete Long, Technical Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Has some doofus configured time settings via GPO? That's tripped me up before TBH

This is my usual checklist and it's never let me down, and I've covered GPOs and time (which you should never need to do, by the way!)

Windows – Setting Domain Time

Hello There, System Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
I suggested it twice, however, GPO is not an option I guess.
I've looked through all GPOs and none of them is used for time settings.

This is the output from my local pc:

C:\WINDOWS\system32>w32tm /monitor
yyy.domain.lan[172.16.12.6:123]:
    ICMP: 0ms delay
    NTP: -0.0575760s offset from xxx.domain.lan
        RefID: DC2012R2.politiforbundet.lan [172.16.12.13]
        Stratum: 4
xxx.domain.lan *** PDC ***[172.16.12.13:123]:
    ICMP: 18ms delay
    NTP: +0.0000000s offset from xxx.domain.lan
        RefID: customer-85-204-137-77.ip4.gigabit.dk [85.204.137.77]
        Stratum: 3
zzz.domain.lan[10.100.10.11:123]:
    ICMP: 15ms delay
    NTP: +0.0629660s offset from xxx.domain.lan
        RefID: 80.84.77.86.rev.sfr.net [86.77.84.80]
        Stratum: 4
Hello There, System Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
I meant using a GPO for configuring the NTP server for the whole domain.
GPO -> Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers > Enable the Configure Windows NTP Client policy and set your PDC as the NTP Server.  

Btw I don't see an issue here. The YYY server is synced with the XXX server, therefore, all machines are synced with the PDC.

Anyway, what did you run on the PDC? Try this:
w32tm /config /manualpeerlist:"0.dk.pool.ntp.org 1.dk.pool.ntp.org" /syncfromflags:manual /reliable:yes /update
net stop w32time && net start w32time
DrDave242, Principal Support Engineer
CERTIFIED EXPERT

Commented:
I'll admit that I haven't read every word of the 22 comments posted above, but has someone already mentioned that this is the expected behavior? When time sync is properly configured in AD, domain members (workstations and member servers) are permitted to get time from any DC in the domain. Only the DCs have to sync directly with the one that holds the PDC Emulator role. This is for scalability reasons. If there are thousands of member machines in your domain, you don't want all of them synchronizing their clocks with a single source.
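
The hierarchy described in the comment above can be checked from `w32tm /monitor` output by looking at each DC's RefID. This is an added example, not part of the original thread: the function name `Get-DcTimeHierarchy` is hypothetical and the sample text is constructed with placeholder host names and addresses.

```powershell
# Constructed sample in the format printed by `w32tm /monitor`
# (placeholder names and addresses, not the hosts from this thread).
$sample = @'
dc-b.example.lan[10.0.0.6:123]:
    ICMP: 0ms delay
    NTP: -0.0575760s offset from dc-a.example.lan
        RefID: dc-a.example.lan [10.0.0.13]
        Stratum: 4
dc-a.example.lan *** PDC ***[10.0.0.13:123]:
    ICMP: 18ms delay
    NTP: +0.0000000s offset from dc-a.example.lan
        RefID: ntp1.example.net [192.0.2.77]
        Stratum: 3
dc-c.example.lan[10.0.1.11:123]:
    ICMP: 15ms delay
    NTP: +0.0629660s offset from dc-a.example.lan
        RefID: ntp2.example.net [198.51.100.80]
        Stratum: 4
'@

function Get-DcTimeHierarchy {
    param([Parameter(Mandatory)][string]$MonitorText)
    $dcs = @(); $cur = $null
    foreach ($line in ($MonitorText -split "`r?`n")) {
        if ($line -match '^(?<name>[^\s\[]+).*\[(?<ip>[\d.]+):\d+\]:\s*$') {
            $cur = [pscustomobject]@{
                Name = $Matches.name; IP = $Matches.ip
                IsPdc = $line.Contains('*** PDC ***')
                RefIP = $null; Stratum = $null; OffsetSec = $null; Finding = $null }
            $dcs += $cur   # one object per DC block; detail lines below fill it in
        }
        elseif ($cur -and $line -match 'RefID:.*\[(?<ref>\d+(\.\d+){3})\]') { $cur.RefIP = $Matches.ref }
        elseif ($cur -and $line -match 'Stratum:\s*(?<s>\d+)') { $cur.Stratum = [int]$Matches.s }
        elseif ($cur -and $line -match 'NTP:\s*(?<o>[+-]?[\d.]+)s offset') { $cur.OffsetSec = [double]$Matches.o }
    }
    $dcIps = @($dcs | ForEach-Object IP)
    foreach ($dc in $dcs) {
        $fromDc = $dcIps -contains $dc.RefIP   # is the reference one of the listed DCs?
        if (-not $dc.RefIP)              { $dc.Finding = 'no reference reported' }
        elseif ($dc.IsPdc -and $fromDc)  { $dc.Finding = 'PDC emulator syncs from another DC' }
        elseif ($dc.IsPdc)               { $dc.Finding = 'ok: PDC emulator uses external source' }
        elseif ($fromDc)                 { $dc.Finding = 'ok: syncs from a domain controller' }
        else                             { $dc.Finding = 'DC syncs outside the domain hierarchy' }
        $dc
    }
}

# Live use on a domain member: Get-DcTimeHierarchy ((w32tm /monitor) -join "`n")
Get-DcTimeHierarchy $sample | Format-Table Name, IsPdc, RefIP, Stratum, OffsetSec, Finding -AutoSize
```

In the constructed sample, dc-b follows the hierarchy, while dc-c is flagged because its reference is an external address rather than a domain controller.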

Hello There, System Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Yes, this is expected and as I mentioned in my previous post, I don't see any issue here. :-)

However, the author wants to achieve this so the solution might be to use a GPO.
Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers > Enable the Configure Windows NTP Client policy and set your PDC as the NTP Server.  
DrDave242, Principal Support Engineer
CERTIFIED EXPERT

Commented:
That should work. Just make sure to filter out the PDC Emulator so that the GPO doesn't override its manual configuration and tell it to sync with itself.

Thanks a lot for all your help so far. It makes sense that the PCs can sync with the other DC as well. I'll use a GPO to specify the NTP server if necessary. Another thing is that my PDC, after I asked the first question in here, has changed its time to two hours ahead of my local time. I can fix this by manually doing a resync, but it sometimes changes it back to the wrong time. I have now tried changing the manualpeerlist to 0.pool.ntp.org, 1.pool.ntp.org and 2.pool.ntp.org. I hope this fixes the issue, but have any of you experienced the same behaviour? Time zone is correct on the server.
Hello There, System Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Another thing is that my PDC, after I asked the first question in here, has changed its time to two hours ahead of my local time. I can fix this by manually doing a resync, but it sometimes changes it back to the wrong time.
Can you check the BIOS clock?

If this is a virtual machine, verify that the server is not getting the time from the host.
It's a VMware virtual machine and it's not getting the time from the host. Time has been correct since I changed the peerlist yesterday.
Hello There, System Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Open vSphere Web Client -> find DC01 -> Edit Settings -> VM Options tab -> expand VMware Tools -> untick Synchronize guest time with host
The servers are not syncing with the host, and again this morning the time was two hours ahead on the PDC. Any ideas on how to error check this?
Hello There, System Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Is PDC the only machine having this issue?

What is the time source for PDC? (use w32tm /query /source)

Can you change the source? I usually use the main router as the source for PDCs.
w32tm /config /manualpeerlist:"192.168.1.1,0x8 0.dk.pool.ntp.org 1.dk.pool.ntp.org" /syncfromflags:manual /reliable:yes /update
net stop w32time && net start w32time
The PDC is the only machine with the issue, and I've tried changing the source. However, a few weeks ago I started backing up the VM with an old version of Trilead, and I believe that's what's messing things up. Tuesday I removed the VM from the backup schedule and so far it hasn't happened again. I'll monitor it for about a week and let you know if it's been solved.
Hello There, System Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Your original question was:
How can I make sure that computers and servers are using the correct server to sync time?
Answers were provided, therefore you should mark them as solutions. Thank you.