PDIS
 asked on

DC running PDC Emulator role not syncing with external time source

We have a physical domain controller running server 2016.  This DC has the PDC Emulator role but is not syncing time with external sources as it should be.  The firewall port is open and I verified the server can communicate to the external time sources.  I do not see where time settings are configured in any GPO.  I ran the following commands on the DC.  I tried it just as one command and also following other recommendations with reboots after certain steps.  

 

pushd %SystemRoot%\system32
.\net stop w32time
.\w32tm /unregister
.\w32tm /register
.\sc config w32time type= own
.\net start w32time
.\w32tm /config /update /manualpeerlist:"0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org",0x8 /syncfromflags:MANUAL /reliable:yes
.\w32tm /resync
popd

 

Now when I run query w32tm /query /source it tells me the source is the local cmos battery.  

 

I followed several items suggesting how to fix this, none of them have worked.  In one of the threads it mentioned that InputProvider in the registry key needs to be set to indicate the NTPServer Provider.  I do not have the key in my registry on the DC and the article referenced was for server 2008 and earlier so I’m not even sure this is somewhere I should be looking.   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time should be set to 1 instead of 0.  I do not have an InputProvider registry key at all.   I cannot find documentation if this should go in Config folder on that key.  


8/22/2022 - Mon
Carl Webster

This is my go-to article for understanding time, and Jeremy has a script to create the required GPOs and WMI filters. I use Jeremy's script on all my AD engagements.

Script to Create Group Policy Objects and WMI Filters to Manage the Time Server Hierarchy

Scott Silva

I use this group policy so that no matter which DC gets the PDC role it can become the time source...

https://theitbros.com/configure-ntp-time-sync-group-policy/

Seth Simmons

Now when I run query w32tm /query /source it tells me the source is the local cmos battery.

your manualpeerlist option is incorrect
you specify 0x8 after each entry; servers are space separated, not comma
tried it on my system and worked; the line above showed my local cmos also

.\w32tm /config /update /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8 3.pool.ntp.org,0x8" /syncfromflags:MANUAL /reliable:yes
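
The peer-list format described in the reply above, as an added example that is not part of the original thread: a PowerShell check that parses a /manualpeerlist value and reports entries that are comma-joined or carry a malformed flag. The function name Test-ManualPeerList is hypothetical; the bit names are the documented W32Time NtpServer flags.

```powershell
# Added example; Test-ManualPeerList is a hypothetical helper name.
# Bit names are the documented W32Time NtpServer flags.
$FlagNames = @{ 1 = 'SpecialInterval'; 2 = 'UseAsFallbackOnly'; 4 = 'SymmetricActive'; 8 = 'Client' }

function Test-ManualPeerList {
    param([Parameter(Mandatory)][string]$PeerList)

    # Peers are separated by spaces; each peer is "host" or "host,0xFLAGS".
    foreach ($entry in ($PeerList.Trim() -split '\s+')) {
        $parts   = @($entry -split ',')
        $flags   = 0
        $problem = $null

        if ($parts.Count -gt 2) {
            # Several commas in one entry means hosts were joined with commas.
            $problem = 'peers must be separated by spaces, with ,0x flags on each one'
        } elseif ($parts.Count -eq 2) {
            if ($parts[1] -match '^0x[0-9a-fA-F]+$') {
                $flags = [Convert]::ToInt32($parts[1], 16)
            } else {
                $problem = "'$($parts[1])' is not a 0x flag value"
            }
        }
        # Catches stray characters such as typographic quotes pasted from a web page.
        if (-not $problem -and $parts[0] -notmatch '^[A-Za-z0-9.-]+$') {
            $problem = 'host name contains unexpected characters'
        }

        $names = 1, 2, 4, 8 | Where-Object { $flags -band $_ } | ForEach-Object { $FlagNames[$_] }
        [pscustomobject]@{
            Entry   = $entry
            Flags   = '0x{0:x}' -f $flags
            Meaning = $names -join '+'
            Problem = $problem
        }
    }
}

# Inputs taken from the thread: the form in the question, then the corrected form.
$asked     = '0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org,0x8'
$corrected = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8 3.pool.ntp.org,0x8'
Test-ManualPeerList $asked     | Format-Table -AutoSize
Test-ManualPeerList $corrected | Format-Table -AutoSize
```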

PDIS

ASKER
Thank you for your assistance but I'm still having the same problem.

-Seth Simmons, I tried your correction I'm still getting local cmos clock as my source
-Carl Webster, I used your script to create the GPOs and WMI's ran a gpupdate /force on the DC with the PDCe role, logged out, logged back in and ran the w32tm /query /source and it is still showing local cmos clock
-Scott Silva, I had tried the article you referenced quite some time ago and I did not get as far as I am now.  Unfortunately it's been too long at this point and I did not note what did not work about that process for me.

Carl Webster

You need to run a gpresult from the DC to see if there is another GPO setting the time server entries.

Scott Silva

Also you need to make sure the firewall isn't blocking the DC from reaching the time source...
https://www.nist.gov/pml/time-and-frequency-division/time-services/internet-time-service-firewall-information
SOLUTION
Kaffiend

PDIS

ASKER
Carl - I ran gpresult and found another GPO that was applying settings, thank you for that recommendation.  I removed the settings, ran gpupdate /force, logged out of the machine and back in and now when I run w32tm /query /source I get, The following error occurred:  Access is denied. (0x80070005).  

Scott - I have verified the firewall is not blocking the DC from reaching an external time source

Kaffiend - The NTPServer is listed as time.windows.com, 0x9 and the Type is NT5DS. I had corrected these and pointed the NTP server to  0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8 3.pool.ntp.org,0x8 and had changed the Type to NTP.  I do not see a GPO that is pointing to time.windows.com, the GPO that was pointing to a time server was pointing to this DC that has the PDCe role so I'm a little confused as to where that time server is coming from.  Should these even be set if I'm trying to use a GPO at this point?
PDIS

ASKER
I thought I was, apparently, I was not.  I now get Free-Running System Clock
PDIS

ASKER
Doing the unregister and re-register thing again did the trick.  Thank you so much to everyone for your help, this issue had really been causing me a headache!