
Create authoritative time server


  • Create authoritative time server

    Hi Folks

    I am trying to get my W2k3 PDC (titan) to synchronise its time with an external time source and act as an authoritative time source for the domain. I have a single domain with two DCs. I tried setting this some time ago but had no luck with it. I could not get the PDC to sync with an external Internet time source.

    All the clients (XP and W2k) were contacting and syncing with the 'secondary' DC (restored). I have gone through the registry settings on the PDC and changed them according to the recommendations contained in How to configure an authoritative time server in Windows Server 2003. I then discovered this information about maxposphasecorrection et al, and made the recommended adjustments.

    I also looked at the GPO settings for the Default Domain Controllers Policy and saw they were different to the registry edits I had made. So, although I think they are now OK, I'm a little confused.

    The good news is that the clients are now synchronising with the PDC 'titan' rather than 'restored':

    Event Type: Information
    Event Source: W32Time
    Event Category: None
    Event ID: 35
    Date: 19/06/2009
    Time: 11:39:28
    User: N/A
    Computer: MY-PC
    Description:
    The time service is now synchronizing the system time with the time source titan.htlincs.local (ntp.d|192.168.0.121:123->192.168.0.2:123).

    The bad news is that I am still getting Event ID 12 on the PDC so the Internet time source synchronisation settings must be wrong.

    Here is the registry branch from W32Time on the PDC:

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time]
    "Description"="Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start."
    "DisplayName"="Windows Time"
    "ErrorControl"=dword:00000001
    "FailureActions"=hex:05,00,00,00,00,00,00,00,00,00,00,00,02,00,00,00,64,00,20,\
      00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00
    "Group"=""
    "ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
      74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
      00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
      6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\
      00,65,00,00,00
    "Objectname"="NT AUTHORITY\\LocalService"
    "Start"=dword:00000002
    "Type"=dword:00000020
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config]
    "LastClockRate"=dword:0002625a
    "MinClockRate"=dword:000260d4
    "MaxClockRate"=dword:000263e0
    "FrequencyCorrectRate"=dword:00000004
    "PollAdjustFactor"=dword:00000005
    "LargePhaseOffset"=dword:02faf080
    "SpikeWatchPeriod"=dword:00000384
    "HoldPeriod"=dword:00000005
    "LocalClockDispersion"=dword:0000000a
    "EventLogFlags"=dword:00000002
    "PhaseCorrectRate"=dword:00000007
    "MinPollInterval"=dword:00000006
    "MaxPollInterval"=dword:0000000a
    "UpdateInterval"=dword:00000064
    "MaxNegPhaseCorrection"=dword:0002a300
    "MaxPosPhaseCorrection"=dword:0002a300
    "AnnounceFlags"=dword:00000005
    "MaxAllowedPhaseOffset"=dword:0000012c
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
    "ServiceMain"="SvchostEntry_W32Time"
    "ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\
      00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,33,00,\
      32,00,74,00,69,00,6d,00,65,00,2e,00,64,00,6c,00,6c,00,00,00
    "NtpServer"="0.uk.pool.ntp.org,0x1 1.uk.pool.ntp.org,0x1 2.uk.pool.ntp.org,0x1 3.uk.pool.ntp.org,0x1"
    "Type"="NTP"
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Security]
    "Security"=hex:01,00,14,80,78,00,00,00,84,00,00,00,14,00,00,00,30,00,00,00,02,\
      00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
      00,00,02,00,48,00,03,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,\
      05,20,00,00,00,20,02,00,00,00,00,14,00,ff,01,0f,00,01,01,00,00,00,00,00,05,\
      12,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,01,\
      01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient]
    "Enabled"=dword:00000001
    "InputProvider"=dword:00000001
    "AllowNonstandardModeCombinations"=dword:00000001
    "CrossSiteSyncFlags"=dword:00000002
    "ResolvePeerBackoffMinutes"=dword:0000000f
    "ResolvePeerBackoffMaxTimes"=dword:00000007
    "CompatibilityFlags"=dword:80000000
    "EventLogFlags"=dword:00000001
    "LargeSampleSkew"=dword:00000003
    "DllName"="C:\\WINDOWS\\system32\\w32time.dll"
    "SpecialPollTimeRemaining"=hex(7):00,00
    "SpecialPollInterval"=dword:00000e10
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer]
    "InputProvider"=dword:00000000
    "AllowNonstandardModeCombinations"=dword:00000001
    "DllName"="C:\\WINDOWS\\system32\\w32time.dll"
    "Enabled"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Enum]
    "0"="Root\\LEGACY_W32TIME\\0000"
    "Count"=dword:00000001
    "NextInstance"=dword:00000001

    This is what the Windows Time Service GPO settings in the Default Domain Controllers Policy are set to:

    Code:
    Policy Setting 
    Global Configuration Settings Enabled 
    Clock Discipline Parameters 
    FrequencyCorrectRate 4 
    HoldPeriod 5 
    LargePhaseOffset 50000000 
    MaxAllowedPhaseOffset 300 
    MaxNegPhaseCorrection 172800 
    MaxPosPhaseCorrection 172800 
    PhaseCorrectRate 7 
    PollAdjustFactor 5 
    SpikeWatchPeriod 900 
    UpdateInterval 100 
    General Parameters 
    AnnounceFlags 5 
    EventLogFlags 2 
    LocalClockDispersion 10 
    MaxPollInterval 15 
    MinPollInterval 10

    What I don't understand is that the Default Domain Policy GPO Time Provider settings have the NtpServer set to time.windows.com,0x1:

    Code:
    Policy Setting 
    Configure Windows NTP Client Enabled 
    NtpServer time.windows.com,0x1 
    Type NT5DS 
    CrossSiteSyncFlags 2 
    ResolvePeerBackoffMinutes 15 
    ResolvePeerBackoffMaxTimes 7 
    SpecialPollInterval 3600 
    EventLogFlags 0

    But the clients are still syncing with titan.htlincs.local. Also, 'Enable Windows NTP Client' and 'Enable Windows NTP Server' are both 'Enabled'.

    I have stopped and restarted W32Time on the PDC, but Event 12 is still recorded in the System Log:

    Event Type: Warning
    Event Source: W32Time
    Event Category: None
    Event ID: 12
    Date: 19/06/2009
    Time: 09:37:32
    User: N/A
    Computer: TITAN
    Description:
    Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

    Can anyone tell me where I am going wrong, please?

    Thanks!
    A recent poll suggests that 6 out of 7 dwarfs are not happy
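
An added example (not part of the original post) that decodes a constructed excerpt of the registry export above and compares it with the values in the two GPO reports, which is the comparison the post describes as confusing. The subkey layout used for the GPO values and the assumption that a policy-set value takes precedence over the service key are this example's, not the poster's; the Type mismatch it reports (NTP in the service key, NT5DS in the policy) matches the Event ID 12 text about using the domain hierarchy.

```python
import re

# Constructed excerpt of the W32Time export in the post (hex blobs left out).
REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config]
"MinPollInterval"=dword:00000006
"MaxPollInterval"=dword:0000000a
"MaxNegPhaseCorrection"=dword:0002a300
"AnnounceFlags"=dword:00000005
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"NtpServer"="0.uk.pool.ntp.org,0x1 1.uk.pool.ntp.org,0x1 2.uk.pool.ntp.org,0x1 3.uk.pool.ntp.org,0x1"
"Type"="NTP"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient]
"EventLogFlags"=dword:00000001
"SpecialPollInterval"=dword:00000e10
'''

# Values copied from the two GPO reports in the post. Assumption: they are
# keyed by the same subkey names as the service key, and policy wins.
GPO = {
    ("Config", "MinPollInterval"): 10,
    ("Config", "MaxPollInterval"): 15,
    ("Config", "MaxNegPhaseCorrection"): 172800,
    ("Config", "AnnounceFlags"): 5,
    ("Parameters", "NtpServer"): "time.windows.com,0x1",
    ("Parameters", "Type"): "NT5DS",
    ("TimeProviders\\NtpClient", "EventLogFlags"): 0,
    ("TimeProviders\\NtpClient", "SpecialPollInterval"): 3600,
}

def parse_reg(text):
    """Return {(subkey, name): value}; dwords become ints, hex blobs are skipped."""
    values, subkey = {}, None
    for line in map(str.strip, text.splitlines()):
        key = re.fullmatch(r'\[.*\\W32Time\\?(.*)\]', line)
        if key:
            subkey = key.group(1)
            continue
        val = re.fullmatch(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")', line)
        if val and subkey is not None:
            number, string = val.group(2), val.group(3)
            values[(subkey, val.group(1))] = int(number, 16) if number else string
    return values

def policy_conflicts(reg, gpo):
    """Settings the GPO defines with a value that differs from the service key."""
    return {k: (reg[k], v) for k, v in gpo.items() if k in reg and reg[k] != v}

if __name__ == "__main__":
    for (sub, name), (r, g) in sorted(policy_conflicts(parse_reg(REG_EXPORT), GPO).items()):
        print(f"{sub}\\{name}: service key={r!r}, policy={g!r}")
```
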

  • #2
    Re: Create authoritative time server

    Hi,

    You could try w32tm /resync /rediscover on the root PDC emulator to try and resync with the external source to see if that makes any difference.

    Ta
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR



    • #3
      Re: Create authoritative time server

      Originally posted by L4ndy
      Hi,

      You could try w32tm /resync /rediscover on the root PDC emulator to try and resync with the external source to see if that makes any difference.

      Ta

      Thank you.

      Unfortunately, this is the message that was returned:

      Microsoft Windows [Version 5.2.3790]
      (C) Copyright 1985-2003 Microsoft Corp.

      C:\Documents and Settings\administrator.HTLINCS>w32tm /resync /rediscover
      Sending resync command to local computer...
      The computer did not resync because no time data was available.

      C:\Documents and Settings\administrator.HTLINCS>
      A recent poll suggests that 6 out of 7 dwarfs are not happy



      • #4
        Re: Create authoritative time server

        Try reverting GPO settings you mentioned in the previous post to not configured and see if it makes a difference.

        http://support.microsoft.com/kb/929276

        Ta
        Caesar's cipher - 3

        ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

        SFX JNRS FC U6 MNGR



        • #5
          Re: Create authoritative time server

          Originally posted by L4ndy
          Try reverting GPO settings you mentioned in the previous post to not configured and see if it makes a difference.

          http://support.microsoft.com/kb/929276

          Ta

          Thanks

          The Time Providers in the domain controllers policy were already set to Not Configured. I changed the global settings to not configured. Forced a GPO update, declined the option to reboot, ran net stop w32time && net start w32time and Event ID 12 appeared again.

          I will reboot the server tonight when no one is using it and try again and see if that helps.

          Cheers!
          A recent poll suggests that 6 out of 7 dwarfs are not happy



          • #6
            Re: Create authoritative time server

            Just rebooted and Event ID 12 was logged again. Also tried the resync commands but received the same error message.

            If anyone else has any ideas, please post.

            Thanks!
            A recent poll suggests that 6 out of 7 dwarfs are not happy



            • #7
              Re: Create authoritative time server

              Well, I've managed to make some headway with this.

              I read through several troubleshooting guides for fixing this and had no joy with any of them. They all said my system should get the time from the external time source. I tested the connection to the uk server using portqry and it was fine. I also tried changing the peer list suffix from ,0x1 to ,0x8.

              What I had to do was to unregister the service then register it again. But even this did not go smoothly. Typing 'w32tm /unregister' returned an access denied message. Subsequent attempts to work with the w32tm command resulted in messages saying that the service was either marked for deletion or that the service name did not exist.

              I had to reboot the server, then register the service again - 'w32tm /register', followed by 'net start w32time'

              Next I typed 'w32tm /manualpeerlist:0.uk.pool.ntp.org,0x1 /syncfromflags:MANUAL', followed by 'net stop w32tm && net start w32tm' then 'w32tm /resync' and the server contacted the ntp server and synchronised the time. I checked the registry entries and changed the announceflags entry from 10 to 5.

              However, when I checked my XP client, I discovered that it is now getting the time not from the PDCe but from an external time source... I have no idea what has happened here. I'm going to leave it for a while and see what happens. In the meantime, if anyone does understand what has happened, I would appreciate it if they would take the time to enlighten me.

              Thanks.
              A recent poll suggests that 6 out of 7 dwarfs are not happy



              • #8
                Re: Create authoritative time server

                It's all working now.

                This is what has worked for me using W2k3 Standard Ed with XP and 2k clients in a single AD domain:

                As said earlier in the thread by L4ndy - make sure ALL time entries in both the default domain and domain controllers GPOs are set to Not Configured.

                I had to configure the time service from scratch so:

                On the PDCe type the following

                w32tm /unregister - you may get an access denied message - rebooting sorts it out. This removes the time service.

                w32tm /register - this installs the time service and sets the registry entries to their default

                net start w32time - this starts the time service

                w32tm /config /manualpeerlist:0.uk.pool.ntp.org,0x1 /syncfromflags:manual - this tells the PDCe it should get the time from 0.uk.pool.ntp.org. The ,0x1 suffix is required if using a web address. If you use an IP address you can leave it off.

                net stop w32time && net start w32time - this stops and then immediately restarts the time service. This allows the time service to update itself with the entries specified.

                w32tm /resync /rediscover - this will force the time service to synchronise the PDCe's time with the time source specified. You can check the System Event Log to make sure the synchronisation was successful.

                If you use DHCP you can configure DHCP scope options 004 and 042 to specify the address that the clients should contact for time synchronisation. The address should be the IP address of the PDCe. 004 is used for older 'time' protocol clients and 042 is used for NTP clients. Once specified, either reboot the clients or release/renew the IP address for the new scope options to take effect. Next time they synchronise their time they should contact the PDCe.

                If you do not use DHCP you can use the following command on the clients

                w32tm /config /syncfromflags:domhier /update - this tells the clients they should use the domain hierarchy to find the authenticated time source which should be the PDCe.
                A recent poll suggests that 6 out of 7 dwarfs are not happy



                • #9
                  Re: Create authoritative time server

                  Thanks for posting back with that Blood. It is greatly appreciated. Points added.
                  1 1 was a racehorse.
                  2 2 was 1 2.
                  1 1 1 1 race 1 day,
                  2 2 1 1 2
