none
PDC not advertising time service to other DCs RRS feed

  • Question

  • Have noticed that non-PDC domain controllers are not synchronising with DC which holds FSMO roles (inc PDC). How can I check that it is advertising the time service? My non-PDC domain controllers cannot find the new authoritative time server and this is causing group policy problems.

    On the non-PDC domain controller (Server2012R2), it can "not locate a time-server". Despite the following settings, I cannot enable this DC to sync its time with the PDC.

    PS C:\Windows\system32> w32tm -query -source
    Local CMOS Clock
    PS C:\Windows\system32> net time
    Could not locate a time-server.

    On this non-PDC domain controller are the following registry entries

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\ParametersType=NT5DS
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpServer\Enabled=0

    This article usefully describes how to configure a DC which is no longer the PDC (after the FSMO roles have been transferred - which is my scenario)... https://social.technet.microsoft.com/wiki/contents/articles/8863.time-service-configuration-on-dc-with-pdc-emulator-fsmo-role.aspx and I have run the command followed by a restart:

    w32tm /config /syncfromflags:domhier /reliable:no /update


    On the new PDC (Server2016), I have configured it to use external NTP servers and it seems to be synchronising successfully with these external NTP sources. 

    w32tm /config /manualpeerlist:"0.uk.pool.ntp.org,0x1 1.uk.pool.ntp.org,0x1 2.uk.pool.ntp.org,0x1 3.uk.pool.ntp.org,0x1"
    w32tm /config /reliable:yes
    net stop w32time && net start w32time

    The AnnounceFlags registry entry has been configured according to the Microsoft article above.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags=5

    If anyone has a solution to this, it would be appreciated! Thanks.

    jeudi 26 septembre 2019 17:35

Toutes les réponses

  • Hello,
    Thank you for posting in our TechNet forum.

    According to our description, we can configure time sync in AD as below:

    ===PDC===

    1.
    Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
    Key Name: AnnounceFlags
    Type: REG_DWORD (DWORD Value )
    Data: 0x5

    2.
    Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
    Key Name: Type
    Type: REG_SZ(String Value)
    Data: NTP 

    3.
    Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters 
    Key Name: NtpServer
    Type: REG_SZ(String Value)
    Data: Peers  (time.windows.com,0x9)

    4.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
    Key Name: Enabled
    Type: REG_DWORD
    Data: 1


    5.
    HLM\SYSTEM\CurrentControlSet\services\w32time\TimeProviders\VMICTimeProvider
    Name: Enabled
    Type: REG_DWORD
    Data:0

    We set 1-4 registry key and value when our PDC is a physical machine. We set the fifth registry key only if the PDC is a virtual machine.


    ===other DC & Client===

    Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
    Key Name: Type
    Type: REG_SZ(String Value)
    Data: NT5DS
     
    Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
    Key Name: AnnounceFlags
    Type: REG_DWORD (DWORD Value )
    Data: 0xa
     



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    vendredi 27 septembre 2019 02:25
  • Thank you Daisy. That's exactly the information I was looking for.

    (1) AnnounceFlags on PDC - existing data value: 5

    

    (2) Type on PDC - existing data value: NTP

    (3) NtpServer on PDC - existing data value: 2.uk.pool.ntp.org 1.uk.pool.ntp.org 0.uk.pool.ntp.org 0.uk.pool.ntp.org 
    I didn't have the ",0x9" suffix for each external NTP source. This is now corrected.

    (4) Enabled (NtpServer) on PDC - existing value: 1

    (5) Enabled (VMICTimeProvider) on PDC - existing value: 1
    This has now been corrected to: 0

    And on the other non-PDC domain controller (physical server)....

    Type (NtpServer) - existing value: NT5DS

    AnnounceFlag - existing value: 5
    This has been changed to 0.


    • Modifié mfever lundi 30 septembre 2019 10:49 remove typo
    vendredi 27 septembre 2019 17:12
  • But the problem persists. NET TIME does not produce a result.

    PDC now has the following results

    PS C:\Windows\system32> net time
    Could not locate a time-server.
    PS C:\Windows\system32> w32tm /query /source
    1.uk.pool.ntp.org,0x9

    Other domain controllers show this

    PS C:\Windows\system32> net time
    Could not locate a time-server.
    
    PS C:\Windows\system32> w32tm /query /source
    Local CMOS Clock

    What am I missing here?

    DNS on each server has the other IP address for the other DC, and itslef as the secondary DNS.

    vendredi 27 septembre 2019 17:18
  • Have reverted registry entry for non-PDC Parameters/Type to: NT5DS

    (I misread Daisy's post)

    vendredi 27 septembre 2019 17:37
  • Hi,
    Is this issue solved? Also, for the question, is there any other assistance we could provide?



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    lundi 30 septembre 2019 07:35
  • No, the problem still persists.

    The non-PDC domain controllers show these errors:

    PS C:\Windows\system32> w32tm /query /source Free-running System Clock

    PS C:\Windows\system32> net time
    Could not locate a time-server.




    • Modifié mfever lundi 30 septembre 2019 10:51 update code results
    lundi 30 septembre 2019 10:47
  • Hi,

    Can we configure as below:

    ===other DC & Client===

    Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
    Key Name: Type
    Type: REG_SZ(String Value)
    Data: NT5DS
     
    Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
    Key Name: AnnounceFlags
    Type: REG_DWORD (DWORD Value )
    Data: 0xa




    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    mardi 1 octobre 2019 07:55
  • Yes, this is done.

    It isn't possible to type the "x" character in the data field (hex or decimal) - see picture. How else can I enter the data you have given?

    Thanks for your help, Daisy.

    mardi 1 octobre 2019 09:33
  • Export of whole w32time registry section (non-PDC)

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time]
    "Type"=dword:00000020
    "Start"=dword:00000002
    "ErrorControl"=dword:00000001
    "ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
      74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
      00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
      6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\
      00,65,00,00,00
    "DisplayName"="@%SystemRoot%\\system32\\w32time.dll,-200"
    "ObjectName"="NT AUTHORITY\\LocalService"
    "Description"="@%SystemRoot%\\system32\\w32time.dll,-201"
    "FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
      00,01,00,00,00,60,ea,00,00,01,00,00,00,c0,d4,01,00,00,00,00,00,00,00,00,00
    "ServiceSidType"=dword:00000001
    "RequiredPrivileges"=hex(7):53,00,65,00,41,00,75,00,64,00,69,00,74,00,50,00,72,\
      00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,43,00,68,00,\
      61,00,6e,00,67,00,65,00,4e,00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,\
      00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,43,00,72,00,65,00,\
      61,00,74,00,65,00,47,00,6c,00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,\
      00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,53,00,79,00,73,00,74,00,\
      65,00,6d,00,54,00,69,00,6d,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,\
      00,67,00,65,00,00,00,00,00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\Config]
    "FrequencyCorrectRate"=dword:00000004
    "PollAdjustFactor"=dword:00000005
    "LargePhaseOffset"=dword:02faf080
    "SpikeWatchPeriod"=dword:00000384
    "HoldPeriod"=dword:00000005
    "LocalClockDispersion"=dword:0000000a
    "EventLogFlags"=dword:00000002
    "TimeJumpAuditOffset"=dword:00007080
    "PhaseCorrectRate"=dword:00000007
    "MinPollInterval"=dword:00000006
    "MaxPollInterval"=dword:0000000a
    "MaxNegPhaseCorrection"=dword:0002a300
    "MaxPosPhaseCorrection"=dword:0002a300
    "UpdateInterval"=dword:00000064
    "AnnounceFlags"=dword:0000000a
    "MaxAllowedPhaseOffset"=dword:0000012c
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\Parameters]
    "ServiceDllUnloadOnStop"=dword:00000001
    "ServiceMain"="SvchostEntry_W32Time"
    "ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,\
      00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,33,00,\
      32,00,74,00,69,00,6d,00,65,00,2e,00,44,00,4c,00,4c,00,00,00
    "Type"="NT5DS"
    "NtpServer"="time.windows.com,0x9"
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpClient]
    "Enabled"=dword:00000001
    "InputProvider"=dword:00000001
    "AllowNonstandardModeCombinations"=dword:00000001
    "CrossSiteSyncFlags"=dword:00000002
    "ResolvePeerBackoffMinutes"=dword:0000000f
    "ResolvePeerBackoffMaxTimes"=dword:00000007
    "CompatibilityFlags"=dword:80000000
    "EventLogFlags"=dword:00000001
    "LargeSampleSkew"=dword:00000003
    "SignatureAuthAllowed"=dword:00000001
    "RunOnVirtualOnly"=dword:00000000
    "DllName"=hex(2):43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,\
      5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,33,00,32,\
      00,74,00,69,00,6d,00,65,00,2e,00,44,00,4c,00,4c,00,00,00
    "SpecialPollTimeRemaining"=hex(7):00,00
    "SpecialPollInterval"=dword:00000e10
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpServer]
    "InputProvider"=dword:00000000
    "AllowNonstandardModeCombinations"=dword:00000001
    "EventLogFlags"=dword:00000000
    "ChainEntryTimeout"=dword:00000010
    "ChainMaxEntries"=dword:00000080
    "ChainMaxHostEntries"=dword:00000004
    "ChainDisable"=dword:00000000
    "ChainLoggingRate"=dword:0000001e
    "RequireSecureTimeSyncRequests"=dword:00000000
    "RunOnVirtualOnly"=dword:00000000
    "DllName"=hex(2):43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,\
      5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,33,00,32,\
      00,74,00,69,00,6d,00,65,00,2e,00,44,00,4c,00,4c,00,00,00
    "Enabled"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\VMICTimeProvider]
    "Enabled"=dword:00000001
    "InputProvider"=dword:00000001
    "RunOnVirtualOnly"=dword:00000001
    "DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
      74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,76,\
      00,6d,00,69,00,63,00,74,00,69,00,6d,00,65,00,70,00,72,00,6f,00,76,00,69,00,\
      64,00,65,00,72,00,2e,00,64,00,6c,00,6c,00,00,00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\VMICTimeProvider\Parameters]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\TriggerInfo]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\TriggerInfo\0]
    "Type"=dword:00000003
    "Action"=dword:00000001
    "Guid"=hex:ba,0a,e2,1c,51,98,21,44,94,30,1d,de,b7,66,e8,09
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\TriggerInfo\1]
    "Type"=dword:00000003
    "Action"=dword:00000002
    "Guid"=hex:6e,51,af,dd,c2,58,66,48,95,74,c3,b6,15,d4,2e,a1
    

    • Modifié mfever mardi 1 octobre 2019 11:00 updating registry export
    mardi 1 octobre 2019 10:55
  • Hi Daisy

    I have just joined a new server to the domain and it cannot "locate a time-server" either. Is this a problem with my PDC?

    ==MEMBER SERVER==

    C:\Windows\system32>net time
    Could not locate a time-server.
    
    More help is available by typing NET HELPMSG 3912.
    

    mardi 1 octobre 2019 16:40
  • Hi,

    We type the value a.




    Close Registry Editor. At the command prompt, type the following command to restart the Windows Time service, and then press Enter:  net stop w32time && net start w32time



    If it does not work, then we should check the following two points:
    1. Make sure port 123 is open. Check port 123 is open or not with command: w32tm /stripchart /computer:ntp1.aliyun.com
    2. Make sure we can ping the IP address of PDC server on DC.



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    mercredi 2 octobre 2019 08:13
  • AnnounceFlags registry entry is already configured as you describe.

    PS C:\Windows\system32> w32tm /stripchart /computer:ntp1.aliyun.com
    Tracking ntp1.aliyun.com [120.25.115.20:123].
    The current time is 02/10/2019 13:14:18.
    13:14:18 d:+00.2965923s o:+09.3618435s  [                           |                         * ]
    13:14:20 d:+00.2187341s o:+09.3888923s  [                           |                         * ]
    13:14:22 d:+00.2187466s o:+09.3890624s  [                           |                         * ]
    13:14:24 d:+00.2339370s o:+09.3809712s  [                           |                         * ]
    13:14:27 d:+00.2187130s o:+09.3886903s  [                           |                         * ]

    This is good connectivity between the servers (ping) and both are able to sync the DNS zone file for example.

    When running DCDIAG, I get these results:

    PS C:\Windows\system32> dcdiag
    
    Directory Server Diagnosis
    
    Performing initial setup:
       Trying to find home server...
       Home Server = DC4
       * Identified AD Forest.
       Done gathering initial info.
    
    Doing initial required tests
    
       Testing server: DefaultSite\DC4
          Starting test: Connectivity
             ......................... DC4 passed test Connectivity
    
    Doing primary tests
    
       Testing server: DefaultSite\DC4
          Starting test: Advertising
             Warning: DC4 is not advertising as a time server.
             ......................... DC4 failed test Advertising
          Starting test: FrsEvent
             ......................... DC4 passed test FrsEvent
          Starting test: DFSREvent
             There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
             replication problems may cause Group Policy problems.
             ......................... DC4 failed test DFSREvent
          Starting test: SysVolCheck
             ......................... DC4 passed test SysVolCheck
          Starting test: KccEvent
             ......................... DC4 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... DC4 passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... DC4 passed test MachineAccount
          Starting test: NCSecDesc
             ......................... DC4 passed test NCSecDesc
          Starting test: NetLogons
             ......................... DC4 passed test NetLogons
          Starting test: ObjectsReplicated
             ......................... DC4 passed test ObjectsReplicated
          Starting test: Replications
             ......................... DC4 passed test Replications
          Starting test: RidManager
             ......................... DC4 passed test RidManager
          Starting test: Services
             ......................... DC4 passed test Services
          Starting test: SystemLog
             A warning event occurred.  EventID: 0x00000024
                Time Generated: 10/02/2019   12:40:32
                Event String:
                The time service has not synchronized the system time for 86400 seconds because none of the time service pro
    viders provided a usable time stamp. The time service will not update the local system time until it is able to synchron
    ize with a time source. If the local system is configured to act as a time server for clients, it will stop advertising
    as a time source to clients. The time service will continue to retry and sync time with its time sources. Check system e
    vent log for other W32time events for more details. Run 'w32tm /resync' to force an instant time synchronization.
             A warning event occurred.  EventID: 0x00000081
                Time Generated: 10/02/2019   13:12:29
                Event String:
                NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will
     try again in 15 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E
    1)
             A warning event occurred.  EventID: 0x00000081
                Time Generated: 10/02/2019   13:12:30
                Event String:
                NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will
     try again in 15 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E
    1)
             ......................... DC4 failed test SystemLog
          Starting test: VerifyReferences
             ......................... DC4 passed test VerifyReferences
    
    
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test CrossRefValidation
    
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test CrossRefValidation
    
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
    
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
    
       Running partition tests on : idl
          Starting test: CheckSDRefDom
             ......................... idl passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... mydomain passed test CrossRefValidation
    
       Running enterprise tests on : mydomain.local
          Starting test: LocatorCheck
             Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
             A Primary Domain Controller could not be located.
             The server holding the PDC role is down.
             Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
             A Time Server could not be located.
             The server holding the PDC role is down.
             Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
             A Good Time Server could not be located.
             ......................... mydomain.local failed test LocatorCheck
          Starting test: Intersite
             ......................... mydomain.local passed test Intersite

    mercredi 2 octobre 2019 12:21
  • Hello,
    1. According to "A Primary Domain Controller could not be located. The server holding the PDC role is down.", which one is our PDC? we can run netdom query FSMO to check.

    2. Is our PDC online and working fine? We can run DCdiag /v on PDC to check.



    Best Regards,
    Daisy Zhou


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    jeudi 3 octobre 2019 09:57
  • Hi Daisy

    This issue is solved after raising a case with MS support. The 'net time' problem was the symptom and not the cause. Thank you for your input.

    Just for the record, the problem was cuased by DFRS which was synchronising from the DC4 (the original DC in the domain). Here are the steps taken to resolve the issue:

    Thanks again for your help.

    vendredi 4 octobre 2019 10:01
  • Hi,
    Thank you for your update and sharing. I am so glad that the problem has been resolved.

    have  a nice day!



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    lundi 7 octobre 2019 06:45