Windows Server Time Synch Issue(s)

mlc9

MIS
Aug 15, 2007
255
US
I came aboard my job with our domain time being off by 5 minutes, and have pulled my hair out trying to fix the issue. I'll worry about my client computers as soon as I can fix the server, but just need to get to PDC server synch'ing first.

No matter what changes I make to the time settings in the registry, it continues to stay about 5 minutes behind. I've tried pointing to both internal time servers and external sources.

From a command prompt, when doing a "net time /querysntp" command, it will correctly state the NTPserver in the registry. When just doing a "net time" command, it tells me the current time at the secondary domain controller. Below are the current registry settings. Please let me know if any more info is needed to provide the much appreciated help.
____________________________________________________________

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time]
"Description"="Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

"
"DisplayName"="Windows Time"
"ErrorControl"=dword:00000001
"FailureActions"=hex:05,00,00,00,00,00,00,00,00,00,00,00,02,00,00,00,64,00,20,\
00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00
"Group"=""
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\
00,65,00,00,00
"Objectname"="NT AUTHORITY\\LocalService"
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config]
"LastClockRate"=dword:0002625a
"MinClockRate"=dword:000260d4
"MaxClockRate"=dword:000263e0
"FrequencyCorrectRate"=dword:00000004
"PollAdjustFactor"=dword:00000005
"LargePhaseOffset"=dword:02faf080
"SpikeWatchPeriod"=dword:00000384
"HoldPeriod"=dword:00000005
"LocalClockDispersion"=dword:0000000a
"EventLogFlags"=dword:00000002
"PhaseCorrectRate"=dword:00000007
"MinPollInterval"=dword:00000006
"MaxPollInterval"=dword:0000000a
"UpdateInterval"=dword:00000064
"MaxNegPhaseCorrection"=dword:00000e10
"MaxPosPhaseCorrection"=dword:00000e10
"AnnounceFlags"=dword:00000005
"MaxAllowedPhaseOffset"=dword:0000012c

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"ServiceMain"="SvchostEntry_W32Time"
"ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,33,00,\
32,00,74,00,69,00,6d,00,65,00,2e,00,64,00,6c,00,6c,00,00,00
"Type"="NTP"
"NtpServer"="time.nist.gov,0x1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient]
"Enabled"=dword:00000001
"InputProvider"=dword:00000001
"AllowNonstandardModeCombinations"=dword:00000001
"CrossSiteSyncFlags"=dword:00000002
"ResolvePeerBackoffMinutes"=dword:0000000f
"ResolvePeerBackoffMaxTimes"=dword:00000007
"CompatibilityFlags"=dword:80000000
"EventLogFlags"=dword:00000001
"LargeSampleSkew"=dword:00000003
"DllName"="C:\\WINDOWS\\system32\\w32time.dll"
"SpecialPollTimeRemaining"=hex(7):00,00
"SpecialPollInterval"=dword:00000384

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer]
"InputProvider"=dword:00000000
"AllowNonstandardModeCombinations"=dword:00000001
"DllName"="C:\\WINDOWS\\system32\\w32time.dll"
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Enum]
"0"="Root\\LEGACY_W32TIME\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
 
What do you get when you execute the following:

w32tm /monitor

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I get the following:

[primary DC domain computer name] ***PDC*** [IP address]:
ICMP: 0ms delay.
NTP: +0.0000000s offset from [primary DC domain computer name]
RefID: [secondary DC domain computer name] [secondary DC IP address]

[secondary DC domain computer name] [secondary DC IP address]
ICMP: 0ms delay.
NTP: -0.0000692s offset from [primary DC domain computer name]
RefID: 'LOCL' [79.79.67.76]

 
First, make sure that UDP port 123 is not being blocked by your firewall. If you can verify that then try the following:

On your DC that holds the PDC Emulator role:
1) Stop your Windows Time Service
2) Execute w32tm /unregister
3) Execute w32tm /register
4) Execute w32tm /config /update /manualpeerlist:time.nist.gov,0x1 /syncfromflags:manual /reliable:yes
5) Start your Windows Time Service
6) Execute w32tm /monitor. The entry under ***PDC*** should now say RefID: time.nist.gov [192.43.244.18]

You may not need to do step 2 or 3 but unregistering / registering the time service lets you start fresh with time configuration.

 
unclerico,
I had considered doing the unregister / register commands this morning, but feared I might break something. My concern was that doing so might mess up things like client machines/users not being able to log in, etc. Should I be thinking along those lines?

Also, per the initial /monitor command that you suggested I run, I am concerned that somehow the secondary DC is being looked at as the time server by client machines and/or other servers. It appeared that the PDC might be doing so per the /monitor command results, and if I do a "net time" command from my client machine, it tells me the current time at the secondary DC.

Perhaps your suggestion of unregistering / registering and making the PDC as reliable will fix all this? Thanks so very much!
 
No, unregistering and registering the time service will not break anything or cause authentication issues. It will take mere seconds for the whole process to finish. If it makes you feel any better, I have performed this process during business hours more than a few times on different networks and I have never once had any issues. With that being said, if you are still uncomfortable doing it during business hours, dial in from home and do it from there.

Regarding your other DC. It will (read: should) be looked at as a time source for clients that it authenticated and it will look to the DC with the PDC Emulator for time. You might run the following on the 2nd DC:
w32tm /config /update /syncfromflags:domhier /reliable:yes
Stop and start the Windows Time Service

 
I am going to try everything suggested either at close of business today or early tomorrow morning (least amount of employees around), and let you know.

Thanks again for all the suggestions. This is a problem I inherited nearly a year ago, and have either let it slide or not been able to figure it out.
 
Well, I lied and went ahead and did everything suggested. Just anxious to get this behind me.

The difference I made is what I used as an external source. We have a separate internal time server outside of my Windows domain that we ideally want to point to. Some of our other systems/servers point to this (Linux boxes, etc). I just used the fully qualified domain name followed by the ,0x1. The command did run successfully, as I verified that the registry entries were changed. That part appears to be ok. I also can ping this other internal time server from the PDC, and we have other systems using it, so my route appears to be good.

Having said all that, everything appears to be the same. The PDC clock is still running 5 minutes fast (although if this process worked, I imagine it would take some time to tick back and correct itself).

I also ran your suggested command on the secondary DC. It appears to be same as well. The one thing I question though, looking at the registry of this secondary DC, are some of the Parameter entries of the W32Time folder. Currently, the NtpServer is pointing to this internal time server I referenced earlier and the Type is NT5DS. I just wonder if this needs changed somehow. Still scratching my head.
 
What does the w32tm /monitor command tell you now?

 
w32tm /monitor responds with the very same thing as in one of the posts above.

I have learned that the final RefID that the command returns, the one for the secondary DC, is an IP address used by this internal time server I've been referring to that we're trying to hit. Said IP (76.79.67.76) is that of an external NTP server pool. Not sure if that matters, or if you were even wondering about that.
 
You don't have any group policies that have NTP information configured, do you? The commands that I gave should have set you straight. Do you have any W32Time events in your System log in Event Viewer?

 
Ok, I think we are on to something, so please bear with me and help me interpret.

Before leaving yesterday, I performed the unregister/register command on the secondary DC. Once that happened, a net time command from any computer was then looking to the PDC (it was secondary before). A /monitor command also resulted in:

[primary DC domain computer name] ***PDC*** [IP address]:
ICMP: 0ms delay.
NTP: +0.0000000s offset from [primary DC domain computer name]
RefID: 'LOCL' [79.79.67.76]
[secondary DC domain computer name] [secondary DC IP address]
ICMP: 0ms delay.
NTP: -0.0249181s offset from [primary DC domain computer name]
RefID: [primary DC computer name] [PDC IP address]

Our gold mine has been in the System log files, though. After doing the unregister/register command on the secondary DC, I began getting these warnings/errors in order of appearance on the PDC:

Description:
Time Provider NTPClient: The response received from [secondary DC] has a bad signature. The response may have been tampered with and will be ignored.

Description:
Time Provider NTPClient: No valid response has been received from [secondary DC] after 8 attempts to contact it. This domain controller will be discarded as a time source and NTPClient will attempt to discover a new domain controller from which to synchronize.

Description:
The time provider NtpClient is configured to acquire time from one or more time sources, however, none of the sources are currently accessible. No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time.

Description:
The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in 30 minutes.

**This same message was repeated, with attempts going up to 480 minutes**

Finally, this system warning has repeated twice this morning on the PDC:

Description:
Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommeneded that you either configure a reliable time service in the root domain, or manually configure the PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

If I interpret this final warning correctly, this PDC is not acting as the top level time source of the hierarchy (which I believe is our goal), even though the w32tm commands should have made this the case. There is no Default Group Policy for Domain Controllers pertaining to Time Service. There is a Domain Group Policy, though, which enables Windows NTP Client with the following setting:

NtpServer = PDC fully qualified domain name
Type = NT5DS

Perhaps the PDC is somehow inheriting that policy? This was a lot of info, I know, but should provide clues.
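As an added example (not part of the original thread), the Python below parses `w32tm /monitor` output in the layout posted above and checks each DC's RefID rather than its offset, since both posted results show near-zero offsets between the DCs while no DC follows an outside reference. Host names, addresses and the `audit` helper are constructed for illustration; `time.nist.gov` is the source named earlier in the thread.

```python
import re

# Constructed sample, laid out like the first `w32tm /monitor` result in this
# thread (host names and DC addresses are placeholders).
LOOPED = """\
dc1.corp.example ***PDC*** [10.0.0.10]:
ICMP: 0ms delay.
NTP: +0.0000000s offset from dc1.corp.example
RefID: dc2.corp.example [10.0.0.11]
dc2.corp.example [10.0.0.11]
ICMP: 0ms delay.
NTP: -0.0000692s offset from dc1.corp.example
RefID: 'LOCL' [79.79.67.76]
"""

HOST = re.compile(r"^(\S+)\s+(\*+\s*PDC\s*\*+\s*)?\[([^\]]+)\]:?$")
REFID = re.compile(r"^RefID:\s*(.+?)\s*\[[^\]]*\]$")
OFFSET = re.compile(r"^NTP:\s*([+-]?\d+(?:\.\d+)?)s offset")

def parse_monitor(text):
    """Return one dict per domain controller listed in the output."""
    hosts = []
    for line in map(str.strip, text.splitlines()):
        if m := REFID.match(line):
            if hosts:
                hosts[-1]["refid"] = m[1].strip("'")
        elif m := OFFSET.match(line):
            if hosts:
                hosts[-1]["offset"] = float(m[1])
        elif m := HOST.match(line):
            hosts.append({"name": m[1], "pdc": bool(m[2]), "ip": m[3],
                          "refid": None, "offset": None})
    return hosts

def audit(hosts, expected_source):
    """Flag time sources that leave the domain without an outside reference."""
    dcs = {h["name"].lower() for h in hosts}
    dcs |= {h["name"].split(".")[0].lower() for h in hosts}  # short names too
    findings = []
    for h in hosts:
        ref = (h["refid"] or "").lower()
        if ref == "locl":  # the DC is using its own clock as reference
            findings.append((h["name"], "free-running on local clock"))
        elif h["pdc"] and ref in dcs:
            findings.append((h["name"], "PDC follows another DC"))
        elif h["pdc"] and ref != expected_source.lower():
            findings.append((h["name"], "PDC source is not the expected one"))
    return findings
```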






 
I believe the GPO settings are the culprit here. I would remove any GPO settings that reference NTP. Once you do that be sure to refresh the policy on each DC. Then you may have to restart the Windows Time Service and/or rerun the w32tm /config command posted a few posts ago.

 
Agreed. So under Default Domain Policy, do I just need to have everything Disabled or Not Configured for Windows Time Service?

Enable Windows NTP Client
Configure Windows NTP Client
Enable Windows NTP Server
 
Not Configured will work.

 
Progress! After stripping GPOs down to nothing (not configured) where Time Service is concerned, my PDC is now synchronizing with an external source (actually another internal time server). The time of PDC is now where it should be.

The issue now is all other clients or servers. The secondary DC, as well as my client machine, continues to stay 5 minutes ahead in time. This is even after a group policy refreshment. Upon looking at W32tm registry entries, their type seems to be the correct value of Nt5DS.

Thoughts? Do I need to put back in a GP to point them to PDC?
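As an added example (not part of the original thread), the Python below reads a `.reg` export and reports when Windows Time values delivered by Group Policy take precedence over the service key that `w32tm /config` writes, which is the situation resolved above. The policy key path `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\Parameters` does not appear in the thread and is supplied here; the sample export, host name and the `effective` helper are constructed.

```python
import re

SERVICE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters"
# Assumption: location of the GPO-delivered values (not shown in the thread).
POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\Parameters"

# Constructed export: local settings from `w32tm /config`, plus the domain
# policy described in the thread (NtpServer = PDC FQDN, Type = NT5DS).
EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"Type"="NTP"
"NtpServer"="time.nist.gov,0x1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\Parameters]
"Type"="NT5DS"
"NtpServer"="dc1.corp.example"
'''

def parse_reg(text):
    """Map each key path (upper-cased) to its string values; other types are skipped."""
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1].upper(), {})
        elif cur is not None and (m := re.match(r'"([^"]+)"="(.*)"$', line)):
            cur[m[1]] = m[2].replace("\\\\", "\\")  # undo .reg backslash escaping
    return keys

def effective(keys, is_pdc):
    """Return the values in force (with their origin) and any findings."""
    svc = keys.get(SERVICE.upper(), {})
    pol = keys.get(POLICY.upper(), {})
    eff = {n: (pol[n], "policy") if n in pol else (svc.get(n), "local")
           for n in ("Type", "NtpServer")}
    findings = []
    for name, (value, origin) in eff.items():
        if origin == "policy" and name in svc and svc[name] != value:
            findings.append(f"{name}: policy value {value!r} overrides local {svc[name]!r}")
    if is_pdc and (eff["Type"][0] or "").upper() == "NT5DS":
        findings.append("PDC emulator is set to NT5DS: no DC above it to sync from")
    return eff, findings
```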
 
No, you shouldn't need to. If you are logged in to the second DC, log off and log back on. Same goes for your client machine. Once you do that, look in the System log in Event Viewer for the W32Time entries. I do know that it will correct itself over time.

 
Which command tells you where a computer is looking for time, and/or where it gets it from?
 
The DC that authenticated you will be the one that you are receiving your time from:

From command prompt: echo %logonserver%

You should also be able to look in your local event viewer for W32Time events. It should say something about host is now receiving valid time from domain_controller_name

 
Well, my client machine is now looking to secondary DC for time, according to local event log.

When I go to the event log of secondary DC, I see the following two most recent Warnings / Errors:

Warning Description:
The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in 30 minutes.

Error Description:
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time.
 