Announcement

Collapse
No announcement yet.

Server 2008R2 Time Sync

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Server 2008R2 Time Sync

    Ok so this has been bothering me all week!

    We have 2 physical hyper V servers running 8 VMs between them, each physical server has a Domain controller on it running in a VM and all servers are 2008R2

    The VM PDC is set to NTP and to sync with time.microsoft.com and the rest including the physical servers are NT5DS

    when i run w32tm /query /status

    Im getting VM IC Time Synchronization Provider on both VM DCs, what is that?
    When i look at the events im getting an error 12something or 13something i cant remember right now, complaining about DNS so it looks like my PDC is not getting out?

    I have followed MS details on setting up an external time source and made all registry changes but i think the DNS is getting me....

    Any thoughts?

    What does VM IC Time Synchronization Provider mean?
    Im also assuming if i run w32tm /query /status on the PDC it should say the external time source as source?

    Cheers

  • #2
    Re: Server 2008R2 Time Sync

    Can you check the exact error message -- 12something doesn't really help

    Also ensure the VM does not get the time from the HyperV host -- go into the VM settings, -- Integration services and untick Time Sync (This is very important for the PDC emulator VM and can be enabled on others if you wish
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    Comment


    • #3
      Re: Server 2008R2 Time Sync

      Thanks for the info,

      I have tried a few other things like setting the PDC to manual and reliable and i get the below msg

      Apologies for not having the whole event ID

      w32tm /resync /rediscover

      I got "did not resync because no time data was available " and an event ID 134 in the logs any ideas on that?

      I also looked through the logs and have got event 144 & 12

      Comment


      • #4
        Re: Server 2008R2 Time Sync

        Any firewalls that might be blocking NTP traffic?
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **

        Comment


        • #5
          Re: Server 2008R2 Time Sync

          I have checked UDP 123 and that is active, i have no experience with firewalls server side but that and group policies i was going to check up on tomorrow when back in work.
          Thanks for the help, iv managed to land a role as the only sys admin for a company and iv only 1.5 years experience!

          Everything looks like its set up when i check w32tm /query /status
          the phisical machines look at one of the VM DCs and the secondary VM DC looks at the PDC that definately holds the FSMO and is top level as only one domain.

          But when i change the time on one of the physical machines this is where the time is being set from.

          Maybe if i unregister them all and register and update and sync but im afraid il create a bigger problem!

          Comment


          • #6
            Re: Server 2008R2 Time Sync

            Do you have any perimeter firewalls that could cause the issue??

            Also try and use something other than time.microsoft.com for your server.

            Comment


            • #7
              Re: Server 2008R2 Time Sync

              On further inspection i can see an inbound rule for UDP 123,

              Active Directory Domain Controller - W32Time (NTP-UDP-In) calling %systemroot%\System32\svchost.exe

              But no outbound rule, im assuming i need both set up which i will do in work tomorrow

              For the outbound should it not be calling: %systemroot%\System32\w32tm.exe

              In specify profiles, Domain, Private, Public should i leave public unticked?

              Cheers.

              Comment


              • #8
                Re: Server 2008R2 Time Sync

                On the VM PDC I checked the Windows firewall and there was no outbound UDP 123 so I set one up to call System32\w32tm.exe, is this correct?
                On the VM which is the PDC today i ran:

                w32tm /config /manualpeerlist:“0.pool.ntp.org,0x1” /syncfromflags:MANUAL /reliable:yes
                w32tm /config /update
                w32tm /resync
                w32tm /resync /rediscover and start and stop

                All said successful but when I ran w32tm /query /status I still had a source of “vm ic time synchronization provider”
                In the registry 0.pool.ntp.org,0x1 is now the value for NTP Server. I can ping 0.pool.ntp.org from the PDC but still cant ping time.windows.com which I thought was strange!

                The time is being set by one of the hosts I am sure of that but it is set to NT5DS and it /query /status is telling me its using the PDC, do I need to run some commands on the host to get it to resync to the VM PDC?

                I have seen the reg add
                HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Tim eProviders\
                VMICTimeProvider /v Enabled /t reg_dword /d 0and I assume this needs to be done on all DC’s?
                I am wondering does the w32tm /config /syncfromflagsOMHIER /update also need to be run on the
                PDC or just all other DC’s?
                Thanks for your time, pardon the pun!

                Comment


                • #9
                  Re: Server 2008R2 Time Sync

                  Set the Physical Server to sync their time with a Stratum 2 Time Server. It is suggested to use a Stratum 2 Time Server and NOT a Stratum 1 as the Stratum 2 sync withthe Stratum 1s and using a Stratum 2 reduces the load on the Stratum 1 Servers. Many ISP run a Stratum 2 or even a Stratum 3 Time Server. Your ISP (or another close to your location) may be able to provide the time requirement. Universities also often have Time Servers available for public use. Google can assit with availability and locations.

                  Then get your PDC Emulator VM Server to sync with the Physical Server. Time skew should disappear if that has been your issue. Of course I may have read and misunderstood your question. Won;t be the first or the last time I have done that. (I looked after a site where the tech(?) had a 13+ hour time skew due to not setting the Physical Server to get the time and the VM to sync with the Physical. Drove me nuts for hours trying to figure it out.

                  If lazy like me, then check out this link for the easy Time Server FixIT tools. Don't mix them up or you get them round the wrong way. http://support.microsoft.com/kb/816042

                  Again if I have misread your question my apologies but in my defence it has been a 16 hour day so WTF am I doing answering questions here? Helping to fill in for a very good friend who is unfortunately not able to be with us at this time. They are badly missed and will be back when the time is right for them.
                  1 1 was a racehorse.
                  2 2 was 1 2.
                  1 1 1 1 race 1 day,
                  2 2 1 1 2

                  Comment


                  • #10
                    Re: Server 2008R2 Time Sync

                    Hi Biggles,

                    Thanks for the input, what i am trying to do is get my PDC that is a VM to sync externally. I have read all the MS KB about it and made all the reg settings but it just will not do it i keep getting "vm ic time synchronization provide" when i run w32tm /query /status
                    I have listed the commands above i have ran all coming back successfully, but for some reason one of the hosts is giving the time even though when i run w32tm /query /status on the host it is looking at the PDC as source!!

                    I dont want to disable the time sync in Hyper-V as a solution i would like to do it right

                    Comment


                    • #11
                      Re: Server 2008R2 Time Sync

                      Thanks for all the advice I think I finally have it but I will leave for a few days to confirm and then I will update what I done to fix

                      Comment


                      • #12
                        Re: Server 2008R2 Time Sync

                        I would suggest that disabling the HyperV time sync is a vital part of the solution for any virtual DC, particularly one holding the PDC Emulator FSMO. If not, you will always get problems as the guest is syncing from the host BIOS clock in preference to only syncing from a proper time server.

                        Whenever I have created a virtual DC, disabling the time option in HyperV is a key step.
                        Tom Jones
                        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                        PhD, MSc, FIAP, MIITT
                        IT Trainer / Consultant
                        Ossian Ltd
                        Scotland

                        ** Remember to give credit where credit is due and leave reputation points where appropriate **

                        Comment


                        • #13
                          Re: Server 2008R2 Time Sync

                          I have finally got it working!
                          The goal of this is to help people out who are starting at the beginning of setting a Domains time.

                          In this example all Servers, Primary Domain Controller (PDC), other Domain Controllers (DC) and other servers are running Windows 2008 R2 and are virtualised with Hyper-V.

                          First things first you will read to disable the 'Time Synchronization Integration Service' on any virtual machine within Hyper-V but instead you should manipulate the Windows Time Service (w32tm service) from within the virtual DC, you should not disable this because when a VM restarts this will cause problems, it should be done with w32tm.
                          http://blogs.msdn.com/b/virtual_pc_g...n-hyper-v.aspx

                          You will need to find out what server is the PDC and running FSMO roles. Run this:
                          netdom query fsmo
                          The result should be your PDC and this is where you make most of your changes.

                          Make sure in the firewall there is an “Outbound” rule on UDP123 and the program is %SystemRoot%\System32\w32tm.exe just browse to windows directory and find the exe for time

                          This is where the registry changes go down!
                          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\servic es\W32Time

                          Make sure the PDC under config in the above registry address is set to NTP for “type“and all other servers are NT5DS, this means NTP is the daddy!
                          Best practise here is to have the PDC look externally for time and everything sync to it.

                          Run this on all domain controllers (including PDC), it will partially disable windows time so it does not look at the host machine for time, important because we are virtualised.
                          reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Tim eProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0

                          You can go to the ntp.org http://support.ntp.org/bin/view/Servers/WebHome
                          site to find a server closest to you to sync your external time. I recommend not using Microsoft as they are heavily used and can slip out because of this.

                          Below command will set the PDC to look externally but also check the registry settings as defined here to sync externally (you need to do both)
                          http://support.microsoft.com/kb/816042

                          Run this on PDC
                          w32tm /config /manualpeerlist:“0.pool.ntp.org,0x1” /syncfromflags:MANUAL /reliable:yes
                          w32tm /config /update
                          w32tm /resync
                          w32tm /resync /rediscover

                          Run these 2 commands at any time on any server to see their source and when they last updated, these will be used throughout this exercise to make sure your PDC and other servers are getting time from the right place
                          w32tm /query /status
                          w32tm /query /source

                          Then run this on all DC except the PDC, it will make them look at the PDC for time and resync to it
                          w32tm /config /syncfromflagsOMHIER /update
                          net stop w32time
                          net start w32time
                          w32tm /resync /force

                          Issues:
                          When you run the Status or Source query give them a minute or 2 after changes, you should not be looking at the Local CMOS Clock and you should not be using vm ic time synchronization provider as source either.

                          If successful the PDC should read the external site you have set and the other servers should say the PDC as source

                          Hope this helps people good luck!

                          Comment

                          Working...
                          X