none
W32Time event ID 24 and 29 on XP SP3

    Question

  • I have noticed our XP SP3 systems in the system logs we have W32Time event ID 24 and 29 every 66 minutes. I cannot find how to get then to stop. I have seen a few other threads but not much info on what got this fixed. Win7 seems fine as do all member 08 R2 servers.

    We have this issue system wide, not sure when it started but I wan't paying attention to it. We had issues on our server. Clients were drifting and then I installed meinbergs NTP on the server, it worked! Time is syncing on the server and clients are keeping time when compared to the server and refrence clocks.

    I've run w32tm /config /syncfromflags:domhier /reliable:yes /update on the PDC and then stopped and started the w32time service. Others have run this and clients update, mine do not.

    When I run the w32tm /resync command on clients they get this error

    Sending resync command to local computer...
    The following error occurred: Access is denied. (0x80070005)

    I do not believe anyone other than the domain admin has rights to change time so how would PC's sync if this is the case? Do I need to add my computers OU group somewhere so they have rights? Users cannot change time due to security concerns.

    I have also added net stop w32time and net start w32time in everyones login script, it does run, not sure if it is working however as the errors persist.

    I should note that even with these errors the time still seems correct, what is going on? I would like to stop these errors.



    • Edited by CJlindell Saturday, October 22, 2011 4:04 PM
    Saturday, October 22, 2011 3:55 PM

All replies

  • Hi,
    Run below commands on PDC and clients that should solve your problem.
    On PDC: command to run on DC that must be a PDC emulator role owner in forest root domain.

    w32tm /config /manualpeerlist:time.windows.com,0x1 /syncfromflags:manual / reliable:yes /update

    Now stop and restart the Windows Time service using the following commands:

    net stop w32time

    net start w32time

    if you don’t want to wait for time convergence to occur between your stratum 2 time server (your forest root PDC Emulator) and the external stratum 1 time server, you can run the following command on your PDC Emulator:

    w32tm /resync /rediscover

    Now on clients:
    w32tm /config /syncfromflags:domhier /update

    net stop w32time

    net start w32time

    w32tm /resync /rediscover
    How to configure the Windows Time service against a large time offset
    http://support.microsoft.com/kb/884776
    configure an authoritative time server in Windows Server
    http://support.microsoft.com/kb/816042
     
    Regards,
    Abhijit Waikar.
     -------------------------------
    MCSA|MCSA:Messaging|MCTS|MCITP:SA
    My Blog: http://abhijitw.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.
     
    Sunday, October 23, 2011 7:27 AM
  • You suggest w32tm /config /manualpeerlist:time.windows.com,0x1 /syncfromflags:manual / reliable:yes /update

    I ran w32tm /config /syncfromflags:domhier /reliable:yes /update

    Do you see any reason I should run your command verses what I have already run?

    This is a client issue, it seems there may be an issue with XP.

    As my info stated I installed meinbergs NTP on the server time is syncing fine on the server, it's the XP clients that are only  having the issue. I don't want to sync to time.windows.com and suggest there are other better time sync sources. Not only that I'd like failover if that one has an issue.

    Perhaps Meinberg will respond to this?

    Monday, October 24, 2011 5:08 AM
  • If you want to completely disable time synchronization in the guest, open the virtual machine's configuration file (.vmx) in a text editor and set the following options to FALSE.

    tools.syncTime
    time.synchronize.continue
    time.synchronize.restore
    time.synchronize.resume.disk
    time.synchronize.shrink

    Refer this link for the same:http://xtravirt.com/disabling-virtual-machine-guest-host-time-synchronization-multiple-hypervisors

    Once done configure the authorative time server:http://support.microsoft.com/kb/816042

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    Monday, October 24, 2011 7:16 AM
  • Hi,

    try to re-register windows time service on that faulty machine, according to Awinish' post on his blog at

    http://awinish.wordpress.com/

    This might solve your problem


    Regards, Krzysztof ---- Visit my blog at http://kpytko.wordpress.com
    Monday, October 24, 2011 7:39 AM
  • I presume Port 123 UDP is been allowed on the firewall for time service and system is updated with latest updates,patches as well as hotfix. CHeck the below article, might help you or show you the way to move.

    Windows Time Server Role in AD Forest/Domain

    http://awinish.wordpress.com/2011/10/07/time-server-role-in-forestdomain/ 

     

    Regards


    Awinish Vishwakarma

    MY BLOG:  http://awinish.wordpress.com/


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    Monday, October 24, 2011 10:45 AM
    Moderator
  • Hi,

    CJlindell- That commands was just to verify or confirm your input, you are correct the issue is with windows XP machines.

    Along with comments I have provided you one KB884776 link above. there is good info about the access denied error and time configuration against a large time offset.

    Dont disable time synchronization in the guest, Its not recommended else it will create problems.

    Also I think Port 123 UDP is already open as others getting sync with server. Just go through the both KB links there is enough information and make sure that OS are fully updated.

    Regards,
    Abhijit Waikar.
     -------------------------------
    MCSA|MCSA:Messaging|MCTS|MCITP:SA
    My Blog: http://abhijitw.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    Monday, October 24, 2011 11:10 AM
  • If you want to completely disable time synchronization in the guest, open the virtual machine's configuration file (.vmx) in a text editor and set the following options to FALSE.


    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.


    I would never want to disable synchronization and this is NOT a virtual machine, what ever gave you that idea? This is in a domain and all clients should be updating from the PDC and it seems their time is on when compared to the PDC that is running Meinberg's NTP. I just want to ensure we can clear the system logs and time stays sync'd.
    • Edited by CJlindell Monday, October 24, 2011 6:16 PM
    Monday, October 24, 2011 3:44 PM
  • iSeik, this is on all XP clients, 150+ of them, it added the net stop w32time and net start w32time to our login script, it runs for everyone, but the error persists as I mentioned every 66 minutes.
    Monday, October 24, 2011 3:47 PM
  • Abhijit, I'll look at the link, I don't believe we are looking at a large time offset as I have mentioned all time seems sync'd and I'd never consider disabling time sync, to much depends on it! confirmed 123 is open and clients, XP, 7 and servers.
    Monday, October 24, 2011 3:50 PM
  • Abhijit, this seems relevant to 2000 and 2003 servers. We had them and I moved time from the 03 DC to the 08 DC and have had issues ever since!

    2003 servers had time sources defined it was easier to setup.

    We are using a DC that's 2008, please correct me if I am wrong but 2008 does not come preset with time sources and is a bit more difficult to setup. We had problems getting time to sync hence the reason to install the Meinberg NTP, are you aware of it?

    Do you have information that is relevant to a 2008 server? I don't believe I need consider max phase, that  error (*TOO BIG*) is not an error we get so I do not believe the suggestions are relevant, if it is why?

    Also if I run the command as myself a domain admin it shows this Sending resync command to local computer...
    The following error occurred: Access is denied. (0x80070005) It is the same for anyone else

    If I run it as the Domain Admin it gets this Sending resync command to local computer...
    The command completed successfully.

    This is a rights issue, what do I need to correct this?



    • Edited by CJlindell Monday, October 24, 2011 7:33 PM
    Monday, October 24, 2011 6:44 PM
  • Perhaps some others should review this thread?

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/9f2e0461-9989-419a-ba63-f0a6d1303a23

    The logged in user does not have rights to synchronize. Though the user is not trying to synchronize they are logged in and time does not sync while they are logged in and in fact it fails every 15 minutes. Throwing the event errors 24 and 29 every 66 minutes due to this.

    It is noted you need to have elevated privaleges to change the time on an XP machine. We need to lock down time so only the Domain Admin and a few others can change time if necessary. The GPO under computer config/Security Settings/Local Policies/User Rights Assignment you can specify who can change time, we have done this.

    Change the system time

    This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.

    Our users are standard users and this locks them down pretty well so unwanted applications are not installed and many items cannot run and as such we are are protected against threats that need an elevated account to run from.

    This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

    Default:
    On workstations and servers:
     Administrators
     Power Users

    On domain controllers:
     Administrators
     Server Operators

    What can I change that will allow the time to update regardless of who is logged in?



    • Edited by CJlindell Tuesday, October 25, 2011 12:05 AM
    Monday, October 24, 2011 11:53 PM
  • Hi,

    Also if I run the command as myself a domain admin it shows this Sending resync command to local computer...The following error occurred: Access is denied. (0x80070005) It is the same for anyone else
    Above error shows that you do not have permission to execute the command.

    From which server/workstation you are trying to run w32tm /resync /rediscover, Did you try to execute command using "Run as administrator"?

    Here is a same output before run as:
    C:\Users\netadmin>w32tm /resync /rediscover
    Sending resync command to local computer
    The following error occurred: Access is denied. (0x80070005)

    After run as:
    C:\Users\netadmin>w32tm /resync /rediscover
    Sending resync command to local computer...
    The command completed successfully.

    Regards,
    Abhijit Waikar.
    -------------------------------
    MCSA|MCSA:Messaging|MCTS|MCITP:SA
    My Blog: http://abhijitw.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    Tuesday, October 25, 2011 5:30 AM
  • Abhijit, did you not read what I had posted?

    I did indicate it is a permission issue! Let's not waste your time or effort. I have tried to clearly and concisely indicate what is occurring and what we need. We need time to update while the user is logged in and it stops the W32Time event 24 and 29 from reoccurring.

    If I run it as the Domain Admin it gets this Sending resync command to local computer...
    The command completed successfully.

    Commands run fine if the user is part of the group who have rights to change time. Everyone else gets the W32Time event 24 and 29 errors.

    What can I change that will allow the time to update regardless of who is logged in without allowing that user rights to time?



    Tuesday, October 25, 2011 3:56 PM
  • Abhijit, did you not read what I had posted?

    I did indicate it is a permission issue! Let's not waste your time or effort. I have tried to clearly and concisely indicate what is occurring and what we need. We need time to update while the user is logged in and it stops the W32Time event 24 and 29 from reoccurring.

    If I run it as the Domain Admin it gets this Sending resync command to local computer...
    The command completed successfully.

    Commands run fine if the user is part of the group who have rights to change time. Everyone else gets the W32Time event 24 and 29 errors.

    What can I change that will


    YOu want to allow the time to update regardless of permission of his/her account and who is logged in, Correct ?

    If yes, you can have a GPO option, You can find the Group Policy settings used to configure W32Time in the Group Policy Object Editor snap-in in the following locations:
    Configure Global Configuration Settings here.
    Computer Configuration\Administrative Templates\System\Windows Time Service

    Configure Windows NTP Client settings here.
    Computer Configuration\Administrative Templates\System\Windows Time
    Service\Time Providers

     

    Wednesday, October 26, 2011 2:19 AM
  • Abhijit,

    We had GPO settings, and had errors, it didn't seem to matter. I read in another thread to change them back to not configured. So why would anyone not use GPO settings in a domain? It seems that it should then work regardless of who is logged in which would be the suggested way to configure time so no one else can change it. This has been my goal to get time to work, and sync on all clients via GPO, yet I am still having difficulty with making it work.

    Wednesday, October 26, 2011 4:41 PM