Setup DC for time sync to external NTP server.

    Question

  • I have a virtual DC that holds all 5 roles and it is currently set to sync its time with the CMOS on the host. I am going to change it today so it syncs with pool.ntp.org.

    So far these are the steps I have.

    net stop w32time

    w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" /reliable:yes /update

    net start w32time

    Would this be correct? I have read some blogs that say you need to use commas to separate the peers. They also said to make sure each host in the VMware cluster is set to sync with an external NTP. Should I also run a resync on the FSMO DC after this?



    Thursday, October 22, 2015 5:07 PM

All replies

  • Hi

     You could configure an external NTP source on your PDC, that's correct. Also, you can check this article for configuring NTP for your domain:

    http://blogs.technet.com/b/nepapfe/archive/2013/03/01/it-s-simple-time-configuration-in-active-directory.aspx

    And check this for configuring an external time source on your Primary Domain Controller:

    For 2012

    http://jackstromberg.com/2013/10/configuring-external-time-source-on-your-primary-domain-controller/

    For 2008

    http://defaultreasoning.com/2009/11/16/synchronize-time-with-external-ntp-server-on-windows-server-2008-r2/


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    Thursday, October 22, 2015 5:15 PM
  • I ran this on a client PC and this is what I got back. So NTP is already configured for the domain?

    If I look in the registry on the FSMO role holder it has NT5DS under Type

    C:\Users\user1>w32tm /query /status
    Leap Indicator: 0(no warning)
    Stratum: 2 (secondary reference - syncd by (S)NTP)
    Precision: -6 (15.625ms per tick)
    Root Delay: 0.0312500s
    Root Dispersion: 10.1531936s
    ReferenceId: 0xAC103203 (source IP:  172.16.50.3)
    Last Successful Sync Time: 10/22/2015 1:03:10 PM
    Source: PDCSERVER
    Poll Interval: 14 (16384s)

    This is what I ran from the FSMO DC.

    C:\Users\admin>w32tm /query /configurat
    [Configuration]
    EventLogFlags: 2 (Policy)
    AnnounceFlags: 10 (Policy)
    TimeJumpAuditOffset: 28800 (Local)
    MinPollInterval: 10 (Policy)
    MaxPollInterval: 15 (Policy)
    MaxNegPhaseCorrection: 54000 (Policy)
    MaxPosPhaseCorrection: 54000 (Policy)
    MaxAllowedPhaseOffset: 300 (Policy)
    FrequencyCorrectRate: 4 (Policy)
    PollAdjustFactor: 5 (Policy)
    LargePhaseOffset: 1280000 (Policy)
    SpikeWatchPeriod: 90 (Policy)
    LocalClockDispersion: 10 (Policy)
    HoldPeriod: 5 (Policy)
    PhaseCorrectRate: 1 (Policy)
    UpdateInterval: 30000 (Policy)

    [TimeProviders]
    NtpClient (Local)
    DllName: C:\Windows\system32\w32time.dll (Lo
    Enabled: 1 (Local)
    InputProvider: 1 (Local)
    CrossSiteSyncFlags: 2 (Policy)
    AllowNonstandardModeCombinations: 1 (Local)
    ResolvePeerBackoffMinutes: 15 (Policy)
    ResolvePeerBackoffMaxTimes: 7 (Policy)
    CompatibilityFlags: 2147483648 (Local)
    EventLogFlags: 0 (Policy)
    LargeSampleSkew: 3 (Local)
    SpecialPollInterval: 3600 (Policy)
    Type: NT5DS (Policy)
    NtpServer (Local)
    DllName: C:\Windows\system32\w32time.dll (Lo
    Enabled: 1 (Local)
    InputProvider: 0 (Local)
    AllowNonstandardModeCombinations: 1 (Local)

    Thursday, October 22, 2015 5:42 PM
  • Hi

     The client side seems OK, but the PDC side seems not to be OK.

    It must be like this:

    Please follow the steps in the article and check against your configuration:

    https://community.spiceworks.com/how_to/5765-configure-2008-r2-server-ntp-server


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    Thursday, October 22, 2015 6:07 PM
  • So my steps outlined are correct?

    Thursday, October 22, 2015 7:34 PM
  • your syntax for the DC appears to be correct as long as it can contact the internet over NTP port 123 to pull down the time. once you start the w32time service you can check the system event logs to see if it's successful, no need to issue an update command after

    your other windows endpoints should contact the DC to get the time using domain hierarchy:

    w32tm /config /syncfromflags:domhier /update

    ensure your DC VM is not set to sync guest time through VMware Tools with the ESXi host

    having ESXi go out to the same NTP servers over the internet is also not an issue

    Thursday, October 22, 2015 7:45 PM
  • Hi

     You configured the clients correctly, but the PDC has not been configured with an external NTP source.

    Your output shows:

    NtpServer (Local)
    DllName: C:\Windows\system32\w32time.dll (Lo

    But it should show like this:

    NtpServer (Local)

    NtpServer: xxx.xxx.xxx (external time server which you configured)

    Also make sure UDP port 123 is open on the firewall for sync to the external NTP source.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    Thursday, October 22, 2015 7:46 PM
  • So I should set my ESXi hosts to sync with pool.ntp.org also?

    Thursday, October 22, 2015 7:48 PM
  • if they're internet facing you can, it's fine
    Thursday, October 22, 2015 7:55 PM
  • well I would open up the port for them. I had read some blogs where people recommended that if you had a virtual DC that was an FSMO role holder.


    Thursday, October 22, 2015 8:20 PM
  • do I need commas in the command?
    Thursday, October 22, 2015 9:54 PM
  • Ran the commands.

    getting event id 12 in event viewer.

    Thursday, October 22, 2015 10:10 PM
  • it's not syncing with external NTP. still shows cmos clock

    Thursday, October 22, 2015 10:22 PM
  • Thursday, October 22, 2015 10:27 PM
  • Ran the commands.

    getting event id 12 in event viewer.

    >>>Event ID: 12 Source: w32time
    Source: w32time

    Type: Warning

    Description:
    The NTP server <server> isn't synced, time not set.

    This problem is caused when HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type is set to Nt5DS (instead of NTP) on the domain controller holding the forest root PDC master role. Setting the "Type" on the PDC to NTP solves the problem.

    Best Regards,

    Jay

    Friday, October 23, 2015 7:54 AM
    Moderator
  • It is set in the registry.

    Friday, October 23, 2015 11:24 AM
  • which command did you run exactly? it needs to be done in an elevated cmd prompt

    did you restart the windows time service after?

    to ensure your connections are open through the firewall run this command first to see if the NTP is reachable:

    w32tm /stripchart /computer:<ip or hostname of NTP>

    as for ESXi, if you have a physical DC with the PDC role on it, yes you should point your ESXi NTP to that server

    if you have a virtual DC however (such as your case) it's best to point ESXi to an external time source

    Friday, October 23, 2015 12:21 PM
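The checks suggested in the reply above (reachability with w32tm /stripchart, the registry Type value, and the System event log) can be gathered in one pass. The following PowerShell script is an added example, not code from any poster in this thread; it assumes it is run in an elevated prompt on the DC and uses the pool.ntp.org peers from the question as sample targets, which you should replace with your own servers.

```powershell
# Added diagnostic script (not from the thread). Run elevated on the DC.
# $Peers is an assumption taken from the question; substitute your own servers.
$Peers = '0.pool.ntp.org', '1.pool.ntp.org'

# 1. Only the PDC emulator should sync to an external source; confirm which host that is.
$pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
"PDC emulator: $pdc  (this host: $env:COMPUTERNAME)"

# 2. Reachability over UDP/123. Each sample prints an offset on success;
#    a timeout prints an error line instead, which points at the firewall or DNS.
foreach ($p in $Peers) {
    "--- stripchart against $p ---"
    w32tm /stripchart /computer:$p /samples:3 /dataonly
}

# 3. Where does the effective Type come from? Values under the Policies key are
#    written by Group Policy and win over the service's own Parameters key,
#    which is what kept the DC on NT5DS in this thread.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
$svc = Get-ItemProperty -Path $svcKey
"Service  Type=$($svc.Type)  NtpServer=$($svc.NtpServer)"
if (Test-Path $polKey) {
    $pol = Get-ItemProperty -Path $polKey
    "Policy   Type=$($pol.Type)  NtpServer=$($pol.NtpServer)  <-- GPO override present"
    if ($pol.Type -eq 'NT5DS') {
        Write-Warning 'A GPO forces NT5DS on this DC; the manual peer list will be ignored until that policy is fixed.'
    }
} else {
    'No W32Time policy key present: the local configuration is effective.'
}

# 4. What the service itself reports, plus the most recent W32Time events
#    (12 = PDC configured for domain hierarchy, 37 = receiving valid time,
#    47 = no valid response from a manually configured peer).
w32tm /query /source
w32tm /query /status
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service'; Id = 12, 37, 47 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Run it on the DC that holds the PDC emulator role; if step 3 reports a policy key with Type NT5DS, fixing the GPO (or removing the setting from the wrong GPO, as the thread eventually did) has to come before any w32tm /config command will take effect.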
  • these are the steps I ran.

    net stop w32time

    w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" /reliable:yes /update

    net start w32time

    I ran /stripchart and it is getting to the outside.

    Friday, October 23, 2015 12:24 PM
  • try unregistering:

    W32tm /unregister

    then reregister:

    W32tm /register

    run your config command as you did earlier and see if NT5DS changes to NTP as well as your time sources changing

    Friday, October 23, 2015 1:01 PM
  • do I need to stop the time service before I do this?
    Saturday, October 24, 2015 2:38 PM
  • do I need to stop the time service before I do this?

    also now it is showing free-running system clock as time source.

    Monday, October 26, 2015 12:40 PM
  • it wouldn't hurt if you stopped it i guess

    Monday, October 26, 2015 1:40 PM
  • Hi,

    Your problem is the policy behind TYPE: NT5DS; this means your Time Providers setting is set by policy under Computer Configuration, Policies, Administrative Templates, System, Windows Time Service, Time Providers.

    Select NTP instead of NT5DS in the Type drop-down list when you enable "Configure Windows NTP Client".

    Best Regards,

    Jay


    Tuesday, October 27, 2015 7:00 AM
    Moderator
  • So I found this in our default domain policy. Chester is our PDC Emulator. Isn't this telling workstations/server that Chester is the NTP server though?


    Tuesday, October 27, 2015 5:17 PM
  • check your default domain controller policy as well, i don't think this would be the one to apply to the DC

    or just run rsop.msc to find out the exact GPO

    that policy in your screenshot is kind of redundant

    all AD joined servers would automatically go to the PDC Emulator to get the time anyway using the domain hierarchy system, so you're just re-defining that again via GPO...

    • Marked as answer by DRUSSQAC Monday, November 2, 2015 6:07 PM
    Tuesday, October 27, 2015 5:55 PM
  • Tuesday, October 27, 2015 6:20 PM
  • not sure what exactly is going on

    u have the default domain controller policy set for NTP <<< this is what should take effect by you updating it to point to pool.ntp.org

    u also have the default domain policy set for NT5DS <<< this should not apply to DCs, just workstations and member servers and even that is redundant as it would do it automatically

    this is possible due to incorrect WMI filter settings on the GPOs:

    http://blogs.technet.com/b/askds/archive/2008/11/13/configuring-an-authoritative-time-server-with-group-policy-using-wmi-filtering.aspx

    it's important that you find out what exactly rsop.msc shows when executed from the domain controller as the winning GPO for NTP

    examine both your GPOs and ensure that the DC is only going to the NTP settings from the default domain controller policy GPO


    Tuesday, October 27, 2015 6:43 PM
  • Tuesday, October 27, 2015 7:26 PM
  • it's being denied its own GPO due to a disabled link? that really shouldn't be, i think u have some major issues in AD which u should address first

    do u see anything about NTP in the report?

    Tuesday, October 27, 2015 7:37 PM
  • nothing about NTP since the GPO didn't run. here is a screenshot of the policy scope.

    Tuesday, October 27, 2015 7:57 PM
  • Should I enable the link at the root for the default domain policy? I have settings in there that seem to apply to users/workstation though.

    Wednesday, October 28, 2015 11:03 AM
  • I ran RSOP on my workstation and it was applying the settings from the default domain policy.

    Wednesday, October 28, 2015 11:09 AM
  • enabling that could have adverse effects, especially if u don't know why it was disabled in the first place

    the default domain policy is not really the issue, it's the default domain controller policy that also appears to be unlinked at the "Domain Controllers" container

    Wednesday, October 28, 2015 12:24 PM
  • there seems to be some extra settings in the domain controller policy

    Wednesday, October 28, 2015 12:39 PM
  • I ended up removing the NTP settings from the default domain policy and the DC is now syncing with pool.ntp.org

    Monday, November 2, 2015 6:07 PM
  • good. as long as your other member servers and clients are using NT5DS then they should automatically contact chester for their time sync which is how it should be.

    Monday, November 2, 2015 7:37 PM
  • they are working. Thanks.

    Monday, November 2, 2015 9:02 PM
  • Step1: net stop w32time

    Step2: w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" /reliable:yes /update

    Step3: net start w32time

    If you stop the service in step 1, you will get an error when you try to run step 2, so when you run step 3 you have simply accomplished nothing. So how can this example work?

    Monday, January 15, 2018 10:38 AM
  • I had the same issue. It ended up being the local group policy on the PDC. I had to set the NTP Client Policy to Enabled, and then change the default Type to NTP. I then ran a gpupdate and the source showed correctly. 

    The NTP Client Policy is located in Computer Configuration->Policies->Administrative Templates->System->Windows Time Service->Time Providers

    Saturday, August 25, 2018 3:39 AM
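Putting the thread's conclusions together: the configuration only sticks when no GPO pushes NT5DS to the DC, the w32tm /config ... /update command needs the service running (as the January 2018 post points out), and the result should be verified rather than assumed. The following PowerShell script is an added example, not code from any poster; it assumes an elevated prompt on the PDC emulator and uses the pool.ntp.org peer list from the question as a placeholder.

```powershell
# Added configuration script (not from the thread). Run elevated on the PDC emulator.
# $PeerList is an assumption taken from the question; substitute your own servers.
$PeerList = '0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org'

# Guard: if Group Policy writes Type=NT5DS to this DC, the manual peer list is
# ignored and the service keeps reporting the CMOS or free-running clock.
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
if ((Test-Path $polKey) -and ((Get-ItemProperty -Path $polKey).Type -eq 'NT5DS')) {
    throw 'A GPO sets Type=NT5DS on this DC. Fix or unlink that policy (rsop.msc / gpresult /r) before continuing.'
}

# Configure while the service is running: /update tells the running service to
# re-read its settings, so stopping w32time first makes this step fail.
w32tm /config /syncfromflags:manual /manualpeerlist:"$PeerList" /reliable:yes /update
Restart-Service -Name w32time
w32tm /resync /rediscover

# Verify: Type must now read NTP and the reported source must be one of the peers,
# not "Local CMOS Clock" or "Free-running System Clock".
$type   = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters').Type
$source = (w32tm /query /source | Out-String).Trim()
"Type=$type  Source=$source"
if ($type -ne 'NTP' -or $source -match 'Free-running|Local CMOS') {
    Write-Warning 'The DC is still not using the external peers. Run gpupdate /force and check Event IDs 12 and 47 in the System log.'
}
```

Member servers and workstations need no change: left on NT5DS they follow the domain hierarchy to the PDC emulator, which is the arrangement the thread ends with.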