How do I get my Domain Controllers to sync with a correct external time source?

I had a user contact me saying that her computer clock is 8 or 9 minutes faster than her cell phone clock. That concerned me because cell phone clocks are always synced. I looked at my computer's clock, and it was the same, about 8 minutes ahead of my phone. Eight minutes is a lot of time to be off. So I looked at my two DCs. The one that serves as the AD PDC Emulator is only 1 minute faster than my phone; that seems more reasonable. But workstations aren't syncing with it. So I looked at my other DC, which has none of the master roles. It is exactly the same as the workstations, about 8 minutes fast.

So there are a couple of big problems here. First, my DCs don't have the same time. Second, my workstations have the same time as the faster DC (are they syncing to it?). I looked in the error logs of both DCs and filtered for the Time-Service. The PDC Emulator DC has Warning Event ID 144: The time service has stopped advertising as a good time source. The other DC has Warning Event ID 142: The time service has stopped advertising as a time source because the local clock is not synchronized. I am getting other Event ID warnings as well. On the primary DC: Event IDs 12, 36, 144 (mentioned above), 131. On the secondary DC: Event IDs 131, 24, 142 (mentioned above), 50, 129. I will give more info on these at the bottom.

From what I'm seeing, it looks like my PDCe is not pointing to an external source. Should I use the instructions here (http://support.microsoft.com/kb/816042) under "Configuring the time service to use an external time source" to set it up? The guy in the article (http://tigermatt.wordpress.com/2009/08/01/windows-time-for-active-directory/) says to use a script to automate it (w32tm /config /manualpeerlist:"uk.pool.ntp.org,0x8 europe.pool.ntp.org,0x8" /syncfromflags:MANUAL /reliable:yes /update). But I'm not sure if they're doing the same thing. Even if they did, I'm not sure which address I use. If I look at my secondary DC, it has an NtpServer entry of time.windows.com,0x9. The PDCe had it as well, until I did the reset that the article recommended; now it does not have an NtpServer entry.

So which method is the right one to use, and what address do I use? Does it matter if I'm running Server 2008 R2?

Event ID 12: Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

Event ID 36: The time service has not synchronized the system time for 86400 seconds because none of the time service providers provided a usable time stamp. The time service will not update the local system time until it is able to synchronize with a time source. If the local system is configured to act as a time server for clients, it will stop advertising as a time source to clients. The time service will continue to retry and sync time with its time sources. Check system event log for other W32time events for more details. Run 'w32tm /resync' to force an instant time synchronization.

Event ID 144: The time service has stopped advertising as a good time source.

Event ID 131: NtpClient was unable to set a domain peer to use as a time source because of DNS resolution error on ''. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The requested name is valid, but no data of the requested type was found. (0x80072AFC).

Event ID 24: Time Provider NtpClient: No valid response has been received from domain controller DC-DNS.domain.org [this is our primary DC] after 8 attempts to contact it. This domain controller will be discarded as a time source and NtpClient will attempt to discover a new domain controller from which to synchronize. The error was: The peer is unreachable.

Event ID 142: The time service has stopped advertising as a time source because the local clock is not synchronized.

Event ID 50: The time service detected a time difference of greater than 5000 milliseconds for 900 seconds. The time difference might be caused by synchronization with low-accuracy time sources or by suboptimal network conditions. The time service is no longer synchronized and cannot provide the time to other clients or update the system clock. When a valid time stamp is received from a time service provider, the time service will correct itself.

Event ID 129: NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3145779 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)

Michael Armand asked Mar 20 '12 12:03

3 Answers

I had an issue with a small client where the only DC was running as a VM. The clock would be slow by seconds per day, over weeks or months it could be out by 20 minutes.

Following the instructions found here: http://technet.microsoft.com/en-us/library/cc794937(v=ws.10).aspx I used w32tm /stripchart /computer:time.windows.com /samples:5 /dataonly to determine how far out the clock was with the time.windows.com server (you can use any ntp server you like):

Tracking time.windows.com [64.4.10.33].
Collecting 5 samples.
The current time is 23/06/2013 8:12:34 AM (local time).
08:12:34, -53.2859637s
08:12:37, -53.4214102s
08:12:39, -53.3859342s
08:12:41, -53.2913859s
08:12:43, -53.2440682s

I then used w32tm /config /manualpeerlist:time.windows.com /syncfromflags:manual /reliable:yes /update to tell the server to use time.windows.com as its external time source:

The command completed successfully.

I then used w32tm /resync to force it to re-sync with time.windows.com now:

Sending resync command to local computer...
The command completed successfully.

I then used the first command again to confirm that the difference was near enough to 0 seconds:

Tracking time.windows.com [64.4.10.33].
Collecting 5 samples.
The current time is 23/06/2013 8:13:54 AM (local time).
08:13:54, -00.1657880s
08:13:56, +00.0059062s
08:13:59, -00.0088913s
08:14:01, +00.0030319s
08:14:03, +00.0063458s

Please note that the information was for an environment with a single DC. If you have more than 1 DC, you need to perform the above steps on the DC which holds the PDC Emulator FSMO role.

Hope this helps someone.

Dave Lucre answered Nov 04 '22 00:11

The Forest root PDC Emulator (ONLY!) may sync externally. http://technet.microsoft.com/en-us/library/cc794937(v=ws.10).aspx All other Clients, Servers, and DCs should use NT5DS. POOL.NTP.ORG is a good choice.

On all other DCs use:

net stop w32Time
w32tm /unregister
w32tm /register 
net start w32time

to reset the time service to use NT5DS as stated in http://technet.microsoft.com/en-us/library/cc738995(v=ws.10).aspx.

If clients or other servers are still having problems, use the same technique per GPO for example, as admin rights are required.

You also need to be very wary of VM Domain Controllers, as they may or may not keep accurate time depending on the Host's CPU utilization! Differences of several minutes are common, and deadly - as far as Kerberos is concerned.

Daro answered Nov 04 '22 00:11
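The two answers above describe one procedure: the PDC Emulator syncs to an external NTP source, every other DC follows the domain hierarchy, and w32tm /stripchart is used to confirm the offset afterwards. The following PowerShell script is an added example (not code from either answer) that performs that procedure on whichever DC it runs on and reports the remaining offset. The peer list, the 5-second skew threshold and the use of /syncfromflags:domhier (instead of the unregister/register reset shown above) are this example's own choices; it assumes an elevated session on a DC with the ActiveDirectory module installed.

```powershell
# Added example: configure W32Time according to this DC's role, then verify.
param(
    [string]$ExternalPeers = "0.pool.ntp.org,0x8 1.pool.ntp.org,0x8",  # constructed peer list
    [int]$MaxSkewSeconds   = 5   # far tighter than the 5-minute Kerberos default
)

function Get-NtpOffsetSeconds {
    # Parse "HH:MM:SS, -53.2859637s" lines from w32tm /stripchart /dataonly
    # and return the mean offset of this machine relative to $Server.
    param([string]$Server, [int]$Samples = 5)
    $lines = & w32tm /stripchart /computer:$Server /samples:$Samples /dataonly
    $offsets = foreach ($l in $lines) {
        if ($l -match ',\s*([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "No usable samples returned by $Server" }
    ($offsets | Measure-Object -Average).Average
}

Import-Module ActiveDirectory
$pdce   = (Get-ADDomain).PDCEmulator            # FQDN of the PDC Emulator
$isPdce = $pdce -like "$env:COMPUTERNAME.*"

if ($isPdce) {
    # Only the forest-root PDCe points outward, and advertises as reliable
    & w32tm /config /manualpeerlist:"$ExternalPeers" /syncfromflags:manual /reliable:yes /update
} else {
    # Every other DC follows the domain hierarchy (NT5DS) and must not claim reliability
    & w32tm /config /syncfromflags:domhier /reliable:no /update
}
Restart-Service w32time
& w32tm /resync | Out-Null

# Verification: what does W32Time now report as its source, and how far off are we?
$source       = (& w32tm /query /source).Trim()
$checkAgainst = if ($isPdce) { ($ExternalPeers -split ' ')[0] -replace ',.*$', '' } else { $pdce }
$offset       = Get-NtpOffsetSeconds -Server $checkAgainst

"{0}: source={1} offset_vs_{2}={3:N3}s" -f $env:COMPUTERNAME, $source, $checkAgainst, $offset
if ([math]::Abs($offset) -gt $MaxSkewSeconds) {
    Write-Warning "Still more than $MaxSkewSeconds s off; check the System log for W32Time Event IDs 24, 50, 129 and 131"
}
```

Run it on the PDCe first so the other DCs have a synchronized parent to follow; on a VM, disable the hypervisor's time synchronization integration first, as the third answer notes.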

One thing you need to clear up - are these DCs VMs running in Hyper-V or are they physical servers? If they're running in Hyper-V, there's a setting which passes the VM host time to the VMs. All you have to do is turn that sync off, then use the w32tm command to set your DCs to an NTP server like time.windows.com as indicated above.

I don't recall the setting off the top of my head, but I had this problem as well...5 DCs all showing different times.

Brian answered Nov 03 '22 23:11