NTP configuration done right - with GPO

    Question

  • Hi guys.

    We have configured NTP through GPO following this article: http://www.sysadminlab.net/windows/configuring-ntp-on-windows-using-gpo

    QUESTION1:

    For NTP server we have put: time.windows.com,0x9

    Do you suggest to put anything else?

    QUESTION2:

    When running this on PDC server (win 2008 r2): w32tm /query /source
    We get an error: The following error occurred: The specified service does not exist as an installed service. (0x80070424)

    This ain't good right?

    With best regards


    bostjanc

    Monday, January 2, 2017 8:08 AM

Answers

  • This was the final solution. You need to follow "the order"

    • You can set the service config to "own" so it uses its own svchost process and this "works", but after doing so typically you cannot use the w32tm /query commands, because you get Access Denied error messages. Not only that, but the dcdiag Domain Controller testing fails because the service is not using a type of "share".

    See https://social.technet.microsoft.com/Forums/windowsserver/en-US/9eeab977-6c94-43d1-8f2f-3cb1eb525744/w32tm-query-status-access-is-denied-0x80070005-from-elevated-prompt?forum=winserverDS for a better answer to this issue.

    The solution is not only to perform w32tm /unregister & /register, but in between those commands, ALSO to execute a "regsvr32 /u w32time.dll" command. I'm guessing that the w32tm /unregister (at least in the broken state) does not unregister the DLL or fails trying.

    Do it in this order in an administratively elevated command prompt, reboot as specified - twice! (Copied from other thread above, thanks to the writer!)

    1. net stop w32time
    2. w32tm /unregister
    3. --- REBOOT ---
    4. regsvr32 /u w32time.dll
    5. w32tm /register (this will re-register the DLL, no need to do it separately)
    6. sc query w32time -- you should see that the service is set to shared mode -- if you try to start right now, you'll get the expected 1290 SID-related error
    7. --- REBOOT ---

    Follow the above instructions, and you do not need to do anything with the TapiSrv registry key or service configuration.


    bostjanc

    Monday, January 2, 2017 9:41 AM
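
Added example, not part of the original answer: a PowerShell check for step 6 of the procedure above, which reads the TYPE and STATE lines of `sc.exe query w32time` and reports which of the states described in this thread the service is in. The function name and verdict strings are hypothetical, and the sample outputs are constructed for illustration, not captured from a real server.

```powershell
# Added example. In PowerShell, "sc" is an alias for Set-Content,
# so sc.exe must be called by its full name.
function Get-W32TimeRegistrationState {
    param(
        # Lines of `sc.exe query w32time`; by default, queried from the local machine.
        [string[]]$ScOutput = @(& sc.exe query w32time 2>&1 | ForEach-Object { "$_" })
    )
    $text = $ScOutput -join "`n"
    $type = $null; $state = $null

    if ($text -match 'FAILED\s+1060') {
        # 1060 is the Win32 error code carried in 0x80070424 (service not installed).
        $verdict = 'Not registered (expected between w32tm /unregister and w32tm /register)'
    } else {
        if ($text -match '(?m)^\s*TYPE\s*:\s*[0-9a-fA-F]+\s+(\S+)') { $type = $Matches[1] }
        if ($text -match '(?m)^\s*STATE\s*:\s*\d+\s+(\S+)') { $state = $Matches[1] }

        if ($type -eq 'WIN32_OWN_PROCESS') {
            $verdict = 'Own-process mode: the state this thread ties to Access Denied and dcdiag failures'
        } elseif ($type -eq 'WIN32_SHARE_PROCESS' -and $state -eq 'RUNNING') {
            $verdict = 'Shared mode and running'
        } elseif ($type -eq 'WIN32_SHARE_PROCESS') {
            $verdict = 'Shared mode, not running: expected at step 6; reboot before starting (1290 otherwise)'
        } else {
            $verdict = 'Unrecognized output: inspect sc.exe query w32time manually'
        }
    }
    New-Object PSObject -Property @{ Type = $type; State = $state; Verdict = $verdict }
}

# Constructed samples (not captured from a real server), one per state in the thread.
$ownProcess = @(
    'SERVICE_NAME: w32time',
    '        TYPE               : 10  WIN32_OWN_PROCESS',
    '        STATE              : 4  RUNNING'
)
$afterRegister = @(
    'SERVICE_NAME: w32time',
    '        TYPE               : 20  WIN32_SHARE_PROCESS',
    '        STATE              : 1  STOPPED'
)
Get-W32TimeRegistrationState -ScOutput $ownProcess    | Format-List
Get-W32TimeRegistrationState -ScOutput $afterRegister | Format-List
# On the server itself, call it with no arguments from an elevated prompt:
# Get-W32TimeRegistrationState | Format-List
```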

All replies

  • GPO is not the recommended way to configure NTP. Please follow the below URL to configure NTP for your forest. It's really simple.

    http://blogs.msmvps.com/acefekay/2014/04/26/configuring-the-windows-time-service/


    Regards, Nidhin.CK


    Monday, January 2, 2017 8:20 AM
  • Well, the thing is that w32tm does not get started on PDC DC.

    Need some additional help guys.

    I have tried with next solution:

    Opening registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TapiSrv

    And changed:

    ImagePath: %SystemRoot%\System32\svchost.exe -k tapisrv
    to: %SystemRoot%\System32\svchost.exe -k NetworkService

    Rebooted server several times

    We can register w32tm service, but cannot start it:

    C:\Users\administrator>net start w32time
    System error 1290 has occurred.

    The service start failed since one or more services in the same process have an incompatible service SID type setting. A service with restricted service SID type can only coexist in the same process with other services with a restricted SID type. If the service SID type for this service was just configured, the hosting process must be restarted in order to start this service.

    If we change service type from shared to own: sc config w32time type= own

    Then the service gets started, but w32tm /query /status returns Access denied.

    Any other hints?


    bostjanc

    Monday, January 2, 2017 8:55 AM
  • "Then the service gets started, but w32tm /query /status returns Access denied." - Did you try to run the command in elevated mode?

    Regards, Nidhin.CK

    Monday, January 2, 2017 9:37 AM
  • Have you used w32tm /register to register the service? Please make sure you run it using an elevated prompt.

    I would advise to use GPOs for time sync configuration as I described here: https://social.technet.microsoft.com/wiki/contents/articles/18573.time-synchronization-in-active-directory-forests.aspx


    This posting is provided AS IS with no warranties or guarantees , and confers no rights.

    Ahmed MALEK

    Monday, January 2, 2017 9:38 AM
  • Hi,

    Thanks for kindly sharing in the forum, as it would be helpful to anyone who encounters similar issues.

    Best Regards,

    Alvin Wang


    Tuesday, January 3, 2017 1:49 AM
    Moderator