
  • Time Sync Nightmare!

    So I have been battling the time sync issue for a few days and I am at a loss. I have looked at every article, blog, etc. and still have skewed time throughout clients and servers on the domain.

    I walked into this network, so let's say someone set up an NTP server somewhere on the network, I don't know what or where, how can I make sure the one I am configuring is more important on the network?

    I configured NTP on the PDC. I used this command:

    w32tm /config /manualpeerlist:"nist1-la.WiTime.net utcnist2.colorado.edu time-b.nist.gov time.microsoft.akadns.net ntp.glb.nist.gov" /syncfromflags:manual /reliable:yes /update


    I also configured logging. Now this seems to be accurate, but my clients not so much. How do I know where my Windows clients are going for NTP? They should be going to the PDC correct?

  • #2
    Re: Time Sync Nightmare!

    Your command line for setting the PDC looks OK.

    Normally any domain member syncs to the server holding the PDC role. Check clients to see what their W32Time service settings are: HKLM\System\CurrentControlSet\Services\W32Time\Parameters. The 'Type' subkey should show 'NT5DS' if the domain settings are right. The 'NtpServer' subkey may or may not show the default 'time.windows.com,0x1' value, and can be ignored if the 'Type' is correct. If this isn't right, you should be able to reset it through your default domain policy and nowhere else. If you do have to change that, remember to make a change to your Domain Controller policy to set the ntp server values you loaded with the cmd line, or whatever policy pushes down will overwrite your manual settings.

    Look at the System logs for the PDC role holder. Check any W32Time entries for errors. If the PDC isn't updating its time, you'll see errors here. If there aren't any entries for the service at all, simply restart the Windows Time service and refresh the log view--you should see one appear. As long as it's updating without errors, it should be reliable.

    Are the clients showing any errors in the System logs for time not updating, esp. at startups? If so, check firewalls and networking for traffic blocks, esp. if servers or PCs on the same subnet as the PDC aren't having issues. I seem to recall seeing somewhere that turning on the NTP server role/feature doesn't necessarily guarantee that the correct port on the PDC firewall is actually opened.
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **



    • #3
      Re: Time Sync Nightmare!

      If your PDC emulator role is syncing the correct time from an external source then the rest of the computers in the domain should look to the PDC emulator for their time.

      Follow the instructions here to make sure your clients are configured correctly.
      http://technet.microsoft.com/en-us/l...(v=ws.10).aspx

      How off is the time skew between clients and server? Are there any clients with the correct time?
      Regards,
      Jeremy

      Network Consultant/Engineer
      Baltimore - Washington area and beyond
      www.gma-cpa.com



      • #4
        Re: Time Sync Nightmare!

        Check the time service parameters on the other domain controllers first. With this command:
        w32tm /dumpreg /subkey:Parameters

        For every Windows computer in the domain the 'Type' should show 'NT5DS'. Only on the one authoritative time server the 'Type' should show 'NTP'.

        The clients and member servers sync time with any of the Domain Controllers. Domain Controllers sync time with the authoritative time server in the domain (by default that is the DC that holds the PDC emulator role).

        Is there a GPO that configures the time service? Or DHCP option?
        Are the domain controllers virtual machines?
        Check if the time zone is configured correctly on each computer.

        /Rems

        This posting is provided "AS IS" with no warranties, and confers no rights.

        __________________

        ** Remember to give credit where credit's due **
        and leave Reputation Points for meaningful posts



        • #5
          Re: Time Sync Nightmare!

          I have multiple sites with DC's and they are all different. I have the PDC set correctly and all my time is correct at my local site of the PDC, but other locations are off by like 4 minutes here, 5 minutes there...

          One of the DC's in another location says NT5DS, but ntp server is listed as time.windows.com, 0x9

          I have a GP that automatically starts the windows time service on all clients and servers. Nothing in DHCP. Zones are correct.
          Last edited by Stevenjwilliams83; 10th December 2012, 17:13.



          • #6
            Re: Time Sync Nightmare!

            Should all DC's in the domain be NTP servers? The default domain controller policy says enabled...



            • #7
              Re: Time Sync Nightmare!

              Originally posted by Stevenjwilliams83
              I have multiple sites with DC's and they are all different. I have the PDC set correctly and all my time is correct at my local site of the PDC, but other locations are off by like 4 minutes here, 5 minutes there...
              Make sure UDP port 123 is allowed in the firewall.
              And added to the list of exceptions in the local firewalls.


              Originally posted by Stevenjwilliams83
              One of the DC's in another location says NT5DS, but ntp server is listed as time.windows.com, 0x9
              If 'Type' is NT5DS then it is using time synchronization in an AD DS hierarchy, and the ntp servers listed in the parameters key are not used.


              /Rems
              Last edited by Rems; 10th December 2012, 19:12.



              • #8
                Re: Time Sync Nightmare!

                Private layer 3 mpls, no firewalls between sites. If I run this command on my servers:

                nltest /dsgetdc:MyDomain.com /timeserv

                Should the results be my PDC server name?



                • #9
                  Re: Time Sync Nightmare!

                  Originally posted by Stevenjwilliams83
                  If I run this command on my servers:

                  nltest /dsgetdc:MyDomain.com /timeserv

                  Should the results be my PDC server name?
                  If you run the command on any domain controller in a single domain design, from any site, then yes.
                  If you run the command on a member server or client computer then the result shows a domain controller in the domain.

                  /Rems
                  Last edited by Rems; 10th December 2012, 19:47.



                  • #10
                    Re: Time Sync Nightmare!

                    Originally posted by Stevenjwilliams83
                    Should all DC's in the domain be NTP servers? The default domain controller policy says enabled...
                    From an Administrator command prompt on a DC, one that is not showing the correct time, run the following commands:

                    w32tm.exe /resync /nowait /rediscover

                    w32tm.exe /query /configuration

                    w32tm.exe /query /status

                    w32tm.exe /monitor

                    Check the results.
                    Also check the Event Viewer.

                    /Rems
                    Last edited by Rems; 10th December 2012, 21:39.
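
The registry and `w32tm` checks suggested in replies #2, #4 and #10 can be collected in one read-only PowerShell audit to run on each DC or client that shows skew. This is an added example, not code from any poster in the thread. It assumes that Group Policy time settings land under `HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters`, that the PDC emulator (`DomainRole` 5) is the domain's one authoritative time server, and the function names are hypothetical.

```powershell
# Added example (not from the thread): read-only audit of the local W32Time settings.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'  # assumed GPO location

# Per-peer flag bits that follow the comma in NtpServer (0x9 = 0x1 + 0x8).
$flagBits = @(
    @{ Bit = 0x1; Name = 'SpecialInterval' }
    @{ Bit = 0x2; Name = 'UseAsFallbackOnly' }
    @{ Bit = 0x4; Name = 'SymmetricActive' }
    @{ Bit = 0x8; Name = 'Client' }
)

function ConvertFrom-NtpServerValue {
    param([string]$Value)
    # Peers are space separated; each may carry ",0x<flags>".
    foreach ($entry in ($Value -split '\s+' | Where-Object { $_ })) {
        $peer, $hex = $entry -split ',', 2
        $bits  = if ($hex) { [Convert]::ToInt32($hex.Trim(), 16) } else { 0 }
        $names = $flagBits | Where-Object { $bits -band $_.Bit } | ForEach-Object { $_.Name }
        [pscustomobject]@{ Peer = $peer; Flags = ($names -join '+') }
    }
}

function Get-TimeSyncAudit {
    $svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    $gpo = Get-ItemProperty -Path $gpoKey -ErrorAction SilentlyContinue
    # A policy value, when present, overrides the locally configured one.
    $fromGpo = [bool]($gpo -and $gpo.Type)
    $type    = if ($fromGpo) { $gpo.Type } else { $svc.Type }
    $peers   = if ($gpo -and $gpo.NtpServer) { $gpo.NtpServer } else { $svc.NtpServer }
    # DomainRole 5 = the DC holding the PDC emulator role; every other role should be NT5DS.
    $role     = (Get-CimInstance Win32_ComputerSystem).DomainRole
    $expected = if ($role -eq 5) { 'NTP' } else { 'NT5DS' }
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Type         = $type
        ExpectedType = $expected
        TypeOk       = ($type -eq $expected)
        SetByPolicy  = $fromGpo
        PeersInUse   = ($type -ne 'NT5DS')   # with NT5DS the NtpServer list is ignored
        Peers        = @(ConvertFrom-NtpServerValue $peers)
        ActiveSource = (& w32tm.exe /query /source 2>$null | Select-Object -First 1)
    }
}

Get-TimeSyncAudit | Format-List
```

A machine where `TypeOk` is false, or where `ActiveSource` names something other than a domain controller, is the one to follow up with the `w32tm /resync /rediscover` and `w32tm /monitor` steps from reply #10.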
