Network Time is off, not sure how to fix it

    Question

  • The network time on our domain is off by approximately 5-6 minutes and I'm not sure exactly how to fix it.
    Here are the details of our situation.

    On my PC, which is joined to the domain, I see the event ID 35 in event viewer that says it is now synchronizing the system time with the time source "DC2".
    DC2 is NOT the PDC Emulator on our domain. DC1 is.

    Checking the registry entry on DC1 (the PDC Emulator) for the W32Time service, the NTPServer key does not exist and the Type is set to NT5DS.
    Doing the same on DC2 (where my PC appears to be synch'ing its time), NTPServer key is set to "time.windows.com,0x1" and the Type is set to NT5DS.
    Doing the same on my PC, the registry keys look identical to DC2.

    So as far as I can tell, none of my DC's are set to be an NTP server. So my questions are:

    1) What is telling my PC to sync with DC2?
    2) I've read that time.windows.com is not a reliable time source. If I simply change that registry key to a more reliable time server, will that fix my problem?

    Thanks,
    Erik
    Tuesday, December 01, 2009 4:41 PM

All replies

  • Here is a good article that helped me.

    http://blogs.technet.com/industry_insiders/pages/w32-tm-service.aspx


    Tuesday, December 01, 2009 7:31 PM
  • Looks like all the clients are correctly configured to use the default domain time (NT5DS).  By default a member server or workstation will use the authenticating DC as its time source.  DCs will use the PDC of the domain, the PDC of the domains will use the Forest Root PDC.

    This is a simple fix to get your time on track.

    Configure the PDC emulator of the Forest Root Domain to sync with an external time source using this command

    net time /setsntp:time.dns.com

    All the DC's will check with the PDC emulator and your time within the Domain will be corrected.  It may take several hours to a day, etc. 

    Starting and stopping the time service on every PDC, then every DC, then every member server will correct it quicker.  Have the workstations reboot after the DC's are corrected.

    http://networkadminkb.com/kb/Knowledge%20Base/ActiveDirectory/How%20Active%20Directory%20Time%20Synchronization%20Works.aspx


    • Marked as answer by Erik777 Wednesday, December 09, 2009 4:33 PM
    • Unmarked as answer by Erik777 Wednesday, December 09, 2009 4:37 PM
    Tuesday, December 01, 2009 8:16 PM
  • Thanks for the reply.
    That is a very informative article, but it's almost created more questions/confusion for me.

    That article seems to imply that your PDC Emulator(DC1) is, by default, always the Master Time Server, yet my PC clearly states that it is synching with DC2 which is not the PDC Emulator. And like I mentioned above, the NTPServer registry key, where I would put an external server name in such as time.windows.com does not even exist on my PDCEmulator (DC1).

    So it does not appear that my PDC Emulator (DC1) is acting as the Master Time Server. How can I verify this? Or have I already verified it?

    Also, if I set up the PDCEmulator (DC1) to be the Master Time Server, what will tell the other DC (DC2) to stop acting as one and/or my PC to stop synching with DC2 and start synching with DC1?

    If DC2 was acting as the Master Time Server, shouldn't I expect the registry entry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type to have a value of NTP?

    Because it does not. It is set to NT5DS.
    Neither of my DC's (DC1 - the PDCEmulator or DC2) are set to NTP. They are both set to NT5DS.


    Tuesday, December 01, 2009 8:21 PM
  • Gunner999 - thank you for your reply as well.

    In my initial question, I forgot to mention that I am running Windows 2003 Server R2.
    And also that we have several remote offices that have their own authenticating DC's, all are children in the same domain, but in different time zones.

    Do either of these details change your response? Will the "net time" command work for a Windows 2003 server? According to the article that WhaThe8 linked to, the w32tm commands replaced net time commands in Windows 2003 Server.

    Thanks,
    Erik
    Tuesday, December 01, 2009 8:46 PM
  • Everything I told you is for all versions of Windows 2003 (R2 included)

    For setting the time source the "Net time /setsntp" is the easiest command to use.  The w32tm command has a lot of fancy features for troubleshooting and correcting issues, etc.  But for what you need I recommend "net time"

    Nothing you told me changes my response.  All time is exchanged at GMT, the time zone simply adds or subtracts hours from GMT (ie GMT-6hours is Central Time).  That is how local time is always provided.

    Remember to use the Net time /setsntp command on the PDC emulator of the Forest Root Domain only.

    Tuesday, December 01, 2009 9:00 PM
  • Thanks Gunner999.

    I apologize, but I'm pretty new at this and I've been kind of forced into a network admin role that I wasn't entirely prepared for so I'm learning trial by fire, but I have one last question before I pull the trigger on this.

    I did a w32tm /monitor command from my workstation and I got the following results, which appears to me to confirm that all the child DC's are in fact pulling their time from the PDCEmulator, which is PHX-DOM-01. (we only have one PDCe in the forest...forgive me if my terminology is wrong).
    The only exception is LAS-DOM-01, which is the only one that is in a different time zone. I'm not sure what it's doing, judging from these results.
    Do these results look pretty normal to you?

    H:\>w32tm /monitor

    Phx-dom-02.xxxxx.local [172.16.5.16]:
        ICMP: 0ms delay.
        NTP: -0.0156944s offset from phx-dom-01.xxxxx.local
            RefID: phx-dom-01.XXXXX.local [172.16.5.17]
    slc-dom-01.XXXXX.local [172.16.11.17]:
        ICMP: 42ms delay.
        NTP: -0.0027601s offset from phx-dom-01.XXXXX.local
            RefID: phx-dom-01.XXXXX.local [172.16.5.17]
    las-dom-01.XXXXX.local [172.16.14.10]:
        ICMP: 20ms delay.
        NTP: +330.5234378s offset from phx-dom-01.XXXXX.local
            RefID: unspecified / unsynchronized [0.0.0.0]
    phx-dom-01.XXXXX.local *** PDC *** [172.16.5.17]:
        ICMP: 0ms delay.
        NTP: +0.0000000s offset from phx-dom-01.XXXXX.local
            RefID: 'LOCL' [xx.xx.xx.xx]
    tuc-dom-01.XXXXX.local [172.16.9.10]:
        ICMP: 12ms delay.
        NTP: +0.0077482s offset from phx-dom-01.XXXXX.local
            RefID: phx-dom-01.XXXXX.local [172.16.5.17]
    chy-dom-01.XXXXX.local [172.16.15.16]:
        ICMP: 41ms delay.
        NTP: -0.0121938s offset from phx-dom-01.XXXXX.local
            RefID: phx-dom-01.XXXXX.local [172.16.5.17]
    boi-dom-01.XXXXX.local [172.16.13.16]:
        ICMP: 52ms delay.
        NTP: -0.0077478s offset from phx-dom-01.XXXXX.local
            RefID: phx-dom-01.XXXXX.local [172.16.5.17]
    slc-annex-01.XXXXX.local [172.16.12.16]:
        ICMP: 47ms delay.
        NTP: -0.0102559s offset from phx-dom-01.XXXXX.local
            RefID: phx-dom-01.XXXXX.local [172.16.5.17]

    Tuesday, December 01, 2009 9:13 PM
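
Added example, not part of the thread and not a Microsoft tool: a small Python parser for saved `w32tm /monitor` output that flags the three conditions visible in the output above (a DC past a skew limit, an unsynchronized RefID, and a PDC emulator on its local clock). The host names, addresses and function names are constructed; the 300-second default is an assumption chosen to match the default five-minute Kerberos clock-skew tolerance in Active Directory.

```python
import re

# Constructed sample in the layout of the `w32tm /monitor` output posted above.
SAMPLE = """\
dc2.example.local [192.0.2.16]:
    ICMP: 0ms delay.
    NTP: -0.0156944s offset from dc1.example.local
        RefID: dc1.example.local [192.0.2.17]
dc3.example.local [192.0.2.30]:
    ICMP: 20ms delay.
    NTP: +330.5234378s offset from dc1.example.local
        RefID: unspecified / unsynchronized [0.0.0.0]
dc1.example.local *** PDC *** [192.0.2.17]:
    ICMP: 0ms delay.
    NTP: +0.0000000s offset from dc1.example.local
        RefID: 'LOCL' [192.0.2.1]
"""

HOST = re.compile(r"^(\S+)( \*\*\* PDC \*\*\*)? \[([^\]]+)\]:\s*$")
OFFSET = re.compile(r"^\s*NTP: ([+-]\d+(?:\.\d+)?)s offset from (\S+)")
REFID = re.compile(r"^\s*RefID: (.+?) \[[^\]]*\]\s*$")

def parse_monitor(text):
    """Return one dict per DC: host, PDC flag, offset in seconds, RefID."""
    records, cur = [], None
    for line in text.splitlines():
        if m := HOST.match(line):
            cur = {"host": m[1].lower(), "pdc": bool(m[2]), "offset": None, "refid": None}
            records.append(cur)
        elif cur is None:
            continue  # banner or blank line before the first host entry
        elif m := OFFSET.match(line):
            cur["offset"] = float(m[1])
        elif m := REFID.match(line):
            cur["refid"] = m[1].strip("'")
    return records

def findings(records, max_skew=300.0):
    """Flag DCs past max_skew (assumed limit), unsynchronized, or a PDC on LOCL."""
    out = []
    for r in records:
        if r["offset"] is None:
            out.append((r["host"], "no NTP offset reported"))
        elif abs(r["offset"]) > max_skew:
            out.append((r["host"], f"offset {r['offset']:+.1f}s exceeds {max_skew:.0f}s"))
        if r["refid"] and "unsynchronized" in r["refid"]:
            out.append((r["host"], "not synchronized to any source"))
        if r["pdc"] and r["refid"] == "LOCL":
            out.append((r["host"], "PDC emulator runs on its local clock"))
    return out

if __name__ == "__main__":
    for host, problem in findings(parse_monitor(SAMPLE)):
        print(f"{host}: {problem}")
```
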
  • Looks good.  I would check the w32time registry settings on las-dom-01, then if all looks good move forward with setting an external time source on your PDC.

    Also check the event viewer for a w32time event message to see where (if at all) this DC is synchronizing time with.
    Something like this

    Event ID: 35

    The time service is now synchronizing the system time with the time source server.domain.com (ntp.d|10.1.1.1:123->10.2.2.2:123).

    Start and stop the time service to force this event to register in the event log if needed.

    Configure the time source to use the default NT5DS if not done so already.

    Below are some notes about the two default settings to look for in the ...\W32Time\Parameters key

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
    "NtpServer"="time.windows.com,0x1"  <- This is the default, this can be changed via "net time /setsntp"
    "Type"="NT5DS" <- NT5DS is the default value to use the Domain as the time source as described previously. This value is changed to NTP if "net time /setsntp" is issued.  If NTP is set then the NtpServer setting is used.


    See here for more explanations
    http://technet.microsoft.com/en-us/library/cc773263(WS.10).aspx

    Tuesday, December 01, 2009 9:49 PM
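
Added example, not part of the thread: a Python sketch of how the `Type` and `NtpServer` values described in the post above combine, including decoding the flag mask after the comma in each `NtpServer` entry. The function names are hypothetical; the `Type` values and flag names are the documented W32Time ones, and the inputs in the demo are constructed from the values quoted in this thread.

```python
import re

# Documented W32Time peer flags: the bit mask that follows the comma.
PEER_FLAGS = {0x1: "SpecialInterval", 0x2: "UseAsFallbackOnly",
              0x4: "SymmetricActive", 0x8: "Client"}

# Type value -> (description of the source, whether NtpServer peers are used).
SOURCES = {"NT5DS": ("domain hierarchy", False),
           "NTP": ("manual peers", True),
           "ALLSYNC": ("domain hierarchy and manual peers", True),
           "NOSYNC": ("none", False)}

def parse_peers(ntp_server):
    """Split a space-delimited NtpServer value into (host, [flag names]) pairs."""
    peers = []
    # Tolerate "host, 0x1" as typed by hand; the registry form has no space.
    for entry in re.sub(r",\s+", ",", ntp_server).split():
        host, _, flags = entry.partition(",")
        mask = int(flags, 16) if flags else 0
        peers.append((host, [name for bit, name in PEER_FLAGS.items() if mask & bit]))
    return peers

def effective_source(type_value, ntp_server=""):
    """Report which time source W32Time uses for a Type/NtpServer pair."""
    kind = type_value.strip().upper()
    if kind not in SOURCES:
        raise ValueError(f"unknown W32Time Type: {type_value!r}")
    source, uses_peers = SOURCES[kind]
    peers = parse_peers(ntp_server)
    return {"source": source,
            "peers_used": peers if uses_peers else [],
            "peers_ignored": [] if uses_peers else peers}

if __name__ == "__main__":
    # Constructed from the thread: a DC on NT5DS and a DC on NTP, same NtpServer.
    for type_value in ("NT5DS", "NTP"):
        print(type_value, effective_source(type_value, "time.windows.com,0x1"))
```
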
  • Gunner999 -

    Found something interesting on las-dom-01 -

    w32time registry settings are:
    NtpServer = time.windows.com, 0x1
    Type = NTP

    EDIT: I do not see any recent Event ID: 35's in the event viewer, however I see MANY event 29's, 36, 37, 38 all related to not being able to pull accurate time from time.windows.com, however, the time on this DC appears to be accurate. It is not off by 5-6 minutes.
    Also, when I do the w32tm /monitor /computers:time.windows.com command, it returns a normal response indicating that it had no problems communicating with time.windows.com

    Should I just go ahead and change the type from NTP to NT5DS?



    Thanks,
    Erik
    Tuesday, December 01, 2009 10:03 PM
  • While the time may be accurate, it's more important that "network time" be in sync with your other servers.

    Time on one server that is accurate, but different from all other servers is bad.  "Network time" should always be in sync with all servers.  Thus "Network time" is whatever all the servers say it is, if it is "off" from real time that is ok from a network perspective, but makes auditing and human relationships more difficult.  Thus you want "network time" and "real time" to be in sync as well...but it is not required.

    Change to NT5DS and then restart the w32time service, to get in sync.  Then configure the time source on the PDC emulator as described earlier.

    The reverse would also work.  Configure the PDC emulator as described earlier, then change to NT5DS and then restart the w32time service on this server.

    Tuesday, December 01, 2009 10:17 PM
  • Makes sense.

    I'm going to give this a try and will let you know the results, which will hopefully be uneventful other than users stop asking me why they are continually 5 minutes late to meetings.

    I appreciate your quick responses and patience with me.

    Thanks,
    Erik
    Tuesday, December 01, 2009 10:26 PM
  • How did it go?
    Wednesday, December 02, 2009 8:41 PM
  • I have not done it yet.
    A co-worker of mine is actually travelling to the site with the LAS-DOM-01 DC today. Since it is offsite, we thought it would be better if we did it when somebody was onsite, just in case. We'll be adjusting the settings on that one to pull time from the network and then let it synch with the network over the next couple of days while somebody is onsite. Once we're sure that site is good and happy, we're going to set up the PDC with the command you suggested. Probably some time early next week.

    Thanks for checking in though. I will keep you posted as to how things go.
    Thursday, December 03, 2009 5:53 PM
  • Please, do not use or recommend the use of NET TIME to actually set time in a domain environment. Please, use W32TM
    http://technet.microsoft.com/en-us/library/cc773263(WS.10).aspx
    Thursday, December 03, 2009 7:27 PM
  • When troubleshooting network time, please, use the Event Viewer events and troubleshooting information I have written up for these events in conjunction with the dev responsible for Windows Time. In Windows Server 2008 +, you can access these events through Event Log Online Help. If you are working on Windows Server 2003, the guidance is the same, but you won't see it in the event viewer. Instead, you can view the hierarchy of Windows Time events and resolutions here:
    http://technet.microsoft.com/en-us/library/cc756502(WS.10).aspx

    If this information is lacking in some way, I would like to know about it so we can look into getting it fixed.
    Thursday, December 03, 2009 7:31 PM
  • Hi Kurt,

    Are you recommending then that the equivalent w32tm command to what gunner999 suggested is:

    w32tm /config /syncfromflags:manual /manualpeerlist:time.dns.com


    Gunner999 -
    Just to follow up with where I'm at in the process, I changed the registry entry on LAS-DOM-01 from NTP to NT5DS. Let it run for a day and then ran the w32tm /monitor to check that every DC was set to sync with the PDC, which it did.
    My boss suggested that I first just try manually changing the clock on the PDC to the actual time and see if that would filter down through the network and fix the time, and it did. So our network time is sync'd with actual time, but the PDC is not yet set up to sync with an external source, which I'll do today.

    Thanks again for everybody's help.

    Erik
    Wednesday, December 09, 2009 4:16 PM
  • Great to hear that everything is working.

    As far as Kurt's recommendations, let's be clear.  He states (and I agree) you should never use NET TIME to actually SET TIME.  But the "NET TIME /setsntp" command does not SET TIME.  It SETS the source Time Servers.
    Commands that SET TIME include.
    NET Time \\computername /Set
    NET Time /Domain:domainname /Set
    NET Time /RTSDomain:domainname /Set

    In my opinion both of the following commands are equal, and could be used to properly configure time sources.

    Net Time /setsntp:time.dns.com
    w32tm /config /syncfromflags:manual /manualpeerlist:time.dns.com

    • Marked as answer by Erik777 Wednesday, December 09, 2009 4:32 PM
    • Unmarked as answer by Erik777 Wednesday, December 09, 2009 4:33 PM
    • Marked as answer by Erik777 Wednesday, December 09, 2009 4:37 PM
    Wednesday, December 09, 2009 4:27 PM
  • I know numerous things were covered in this thread, and I'm glad to hear that you've got it working, Erik. I just wanted to provide my blog as an additional resource regarding configuring time in a domain. I hope you as well as anyone else that may read it, find it helpful for future needs.

    Configuring the Windows Time Service for Windows Server
    http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx

    Ace Fekay, MCT, MCTS Windows 2008, MCTS Exchange 2007, MCSE 2003 and 2000, MCSA 2003 Messaging. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Thursday, December 10, 2009 5:21 AM
  • One final follow up....

    In all the reading I did on this subject, I read in several places that if you are going to use a DNS name rather than IP address in the NTP Server key value, that the DNS server name must be followed by ,0x1

    After I ran the command on our PDC Emulator to properly set the time source, it did not append this value to the key value so I went in and manually appended it.

    This was the right thing to do, yes?

    I just want the resolution to be as thorough as possible for anybody else that might happen to come across this problem and need a resolution.

    **EDIT** After a day of running like this, in the System Event Viewer, I noticed I was getting Event ID 38 from W32Time, which basically says that time.windows.com either could not be reached or is providing invalid data so I changed the external time source to tock.usno.navy.mil, stopped and restarted the time service and immediately saw Event ID 37 and 35 which said that the W32Time service is successfully communicating with the external time source and that it is now synching with the time source, respectively.
    So it looks like I'm all set.
    **EDIT**

    Thanks,
    Erik
    Friday, December 11, 2009 3:45 PM
  • Hi all,

    I've found that time.windows.com has become unreliable as of late, as well as the typical government time source.
    About a year ago, I came across a time collaboration project where a bunch of servers throughout the world would collectively provide accurate time, using multiple A record FQDNs.  My favorite that has been quite successful is 'us.pool.ntp.org'.  Check out the website 'www.ntp.org'.  They have a humorous analogy as to why many timeservers become unreliable, and why the project came to exist.

    Although I've come across an article indicating that you should suffix the FQDN with ',0x1', I found that this may be causing problems at least on a 2008 SBS.  I've had no trouble having 2003 servers sync to the provided FQDN without it, so I took it out of the SBS.  Now to see if it manages to keep time.  After a server reboot last Friday, it was way off time today.
    If it does drift off again, I'll have to figure out why, since stopping and starting w32time seems to get it back on track.
    Monday, January 18, 2010 9:11 PM