none
Windows Server 2008R2 time question

    Question

  • Hello, colleagues!

    I have one question about windows server time seetings.

    I have several DCs: PDC and several additional BDCs. After running w32tm /monitor command on PDC I have got the following:

    C:\Users\srvadmin>w32tm /monitor
    office01-dc02.domain.kg[172.20.0.4:123]:
        ICMP: 0ms delay
        NTP: -0.0281712s offset from office01-dc01.domain.kg
            RefID: 80.84.77.86.rev.sfr.net [86.77.84.80]
            Stratum: 2
    office02-dc01.domain.kg[192.168.2.4:123]:
        ICMP: 37ms delay
        NTP: +0.0003216s offset from office01-dc01.domain.kg
            RefID: office01-dc01.domain.kg [172.20.0.3]
            Stratum: 2
    office04-DC01.domain.kg[192.168.4.9:123]:
        ICMP: 24ms delay
        NTP: +0.0099751s offset from office01-dc01.domain.kg
            RefID: office01-dc01.domain.kg [172.20.0.3]
            Stratum: 2
    Office01-dc01.domain.kg *** PDC ***[[fe80::4024:6d7b:fea8:138%12]:123]:
        ICMP: error 0x8007271D
        NTP: +0.0000000s offset from office01-dc01.domain.kg
            RefID: 'LOCL' [0x4C434F4C]
            Stratum: 1
    office03-DC02.domain.kg [172.20.6.11:123]:
        ICMP: 9ms delay
        NTP: -0.0023533s offset from office01-dc01.domain.kg
            RefID: office01-dc01.domain.kg [172.20.0.3]
            Stratum: 2

    Server office01-dc01.domain.kg is PDC. As I understand BDC server gets time from source 80.84.77.86.rev.sfr.net [86.77.84.80] but PDC from itself. Or Am I wrong? What does RefID mean? Source for time sync?

    I need so that PDC will get time from external source and BDCs - from PDC. How can I do it?

    Thanks for reply!
    PS. In PDC and BDCs registers under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers are listed the following values 1-time.windows.com, 2-time.nist.gov etc.

    Thursday, May 26, 2011 4:07 AM

Answers

  • Hi,

     

    Please refer to the link below to configure Windows Time for Active Directory

     

    Configuring Windows Time for Active Directory

    http://tigermatt.wordpress.com/2009/08/01/windows-time-for-active-directory/

     

    After that, please check the System Event Log for entries from Source: Time-Service. Please check whether any error shows up.

     

    Regards,

    Cecilia Zhou

    --------------------------------------------------------------------------------

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

     

    Tuesday, May 31, 2011 7:00 AM
    Moderator
  • Hello,

    maybe this one clear some questions: http://msmvps.com/blogs/mweber/archive/2010/06/27/time-configuration-in-a-windows-domain.aspx

    The sync is really easy, the DC with the PDCEmulator is the domain time source, all other DCs sync with that one and the rest of the domain machines sync with one available DC, that's the default. The PDCEmulator should be configured to a not domain time source to sync with.

    Often people mess around in the registry with time settings and this can result in problems. SO in my blog you will see the option to reset the time service, maybe you should start from scratch with resetting the PDCEmulator and then going on with the other DCs and then the rest of the domain machines.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Wednesday, June 01, 2011 5:54 AM

All replies

  • Hello,

    did you ever transfer the FSMO roles to the running PDCEmulator? Anyway, on the PDCEmulator run the following commands:

    w32tm /config /manualpeerlist:PEERS /syncfromflags:manual /reliable:yes /update

    Please set for PEERS the time source as listed above, either with it’s ip address or DNS name. If more then one is needed separate them with a space in between and don't forget the quotes: "time.domain.com time1.domain.com"

    Internet Time servers you can find here: http://www.pool.ntp.org/

    And on office01-dc02.domain.kg:

    w32tm /config /syncfromflags:domhier /update

    After that you have to run:
    net stop w32time
    net start w32time

    This should reset the DCs to the correct order.

    And please forget the term PDC/BDC, this doesn't exist anymore since the start with Active Directory within Windows 2000 Server. All Dcs are the same only difference are the FSMO roles.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Thursday, May 26, 2011 7:05 AM
  • Thank you very much!

    And on the other servers I need to execute the w32tm /config /syncfromflags:DOMHIER command for setting the time sync from the office01-dc02.domain.kg. Am I right?

    PS. I'll try to forget the PDC/BDC term :)

    Thursday, May 26, 2011 8:10 AM
  • Hello,

    yes, you can run it, no problem. This will assure that they use the new structure.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Thursday, May 26, 2011 9:10 AM
  • I have made the ServerA primary for sync from the external NTP source "pool.ntp.org". The ServerB and other servers are secondary and sync from ServerA.

    After previous actions I get the following:

    On ServerA:

    "C:\Windows\system32>w32tm /query /peers
    #Peers: 1

    Peer: pool.ntp.org
    State: Pending
    Time Remaining: 238.7656250s
    Mode: 0 (reserved)
    Stratum: 0 (unspecified)
    PeerPoll Interval: 0 (unspecified)
    HostPoll Interval: 0 (unspecified)

    C:\Windows\system32>w32tm /query /status
    Leap Indicator: 0(no warning)
    Stratum: 1 (primary reference - syncd by radio clock)
    Precision: -6 (15.625ms per tick)
    Root Delay: 0.0000000s
    Root Dispersion: 10.0000000s
    ReferenceId: 0x4C4F434C (source name:  "LOCL")
    Last Successful Sync Time: 5/27/2011 8:27:15 AM
    Source: Local CMOS Clock
    Poll Interval: 6 (64s)"

     

    Question #1: I can't understand why does the Peer equal "pool.ntp.org", but the ReferenceId equals "0x4C4F434C (source name:  "LOCL")".

     

    On ServerB:

    "C:\Users\olegsrvadmin>w32tm /query /peers
    #Peers: 1

    Peer: ServerA.kg
    State: Active
    Time Remaining: 14.0408192s
    Mode: 1 (Symmetric Active)
    Stratum: 1 (primary reference - syncd by radio clock)
    PeerPoll Interval: 6 (64s)
    HostPoll Interval: 6 (64s)

    C:\Users\srvadmin>w32tm /query /status
    Leap Indicator: 0(no warning)
    Stratum: 2 (secondary reference - syncd by (S)NTP)
    Precision: -6 (15.625ms per tick)
    Root Delay: 0.0000000s
    Root Dispersion: 0.0100000s
    ReferenceId: 0x564D5450 (source IP:  86.77.84.80)
    Last Successful Sync Time: 5/27/2011 9:09:55 AM
    Source: VM IC Time Synchronization Provider
    Poll Interval: 6 (64s)"


    Question #2: I can't understand why does the Peer equal "ServerA", but the ReferenceId equals "0x564D5450 (source IP:  86.77.84.80)".

    And as result on both servers I see the following:

    "C:\Users\srvadmin>w32tm /monitor
    ServerB.kg[[fe80::f86a:f02a:4706:59e3%2]:123]:
        ICMP: 0ms delay
        NTP: -0.0106008s offset from ServerA.kg
            RefID: 80.84.77.86.rev.sfr.net [86.77.84.80]
            Stratum: 2
    ServerC.kg[192.168.2.4:123]:
        ICMP: 8ms delay
        NTP: -0.0142678s offset from ServerA.kg
            RefID: ServerA.kg [172.20.0.3]
            Stratum: 2
    ServerD.kg[192.168.4.9:123]:
        ICMP: 15ms delay
        NTP: -0.0087781s offset from ServerA.kg
            RefID: ServerA.kg [172.20.0.3]
            Stratum: 2
    ServerA.kg *** PDC ***[172.20.0.3:123]:
        ICMP: 0ms delay
        NTP: +0.0000000s offset from ServerA.kg
            RefID: 'LOCL' [0x4C434F4C]
            Stratum: 1
    ServerE.kg[172.20.6.11:123]:
        ICMP: 8ms delay
        NTP: -0.0151379s offset from ServerA.kg
            RefID: ServerA.kg [172.20.0.3]
            Stratum: 2"


    Friday, May 27, 2011 3:38 AM
  • Hi,

     

    Please refer to the link below to configure Windows Time for Active Directory

     

    Configuring Windows Time for Active Directory

    http://tigermatt.wordpress.com/2009/08/01/windows-time-for-active-directory/

     

    After that, please check the System Event Log for entries from Source: Time-Service. Please check whether any error shows up.

     

    Regards,

    Cecilia Zhou

    --------------------------------------------------------------------------------

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

     

    Tuesday, May 31, 2011 7:00 AM
    Moderator
  • Thank you! I needed such a simple article to understand the AD time sync processes.
    Wednesday, June 01, 2011 3:37 AM
  • Hello,

    maybe this one clear some questions: http://msmvps.com/blogs/mweber/archive/2010/06/27/time-configuration-in-a-windows-domain.aspx

    The sync is really easy, the DC with the PDCEmulator is the domain time source, all other DCs sync with that one and the rest of the domain machines sync with one available DC, that's the default. The PDCEmulator should be configured to a not domain time source to sync with.

    Often people mess around in the registry with time settings and this can result in problems. SO in my blog you will see the option to reset the time service, maybe you should start from scratch with resetting the PDCEmulator and then going on with the other DCs and then the rest of the domain machines.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Wednesday, June 01, 2011 5:54 AM
  • Thanks! I have actually cleared some questions. After applying the /unregister and /register keys and stopping the services I have resolved the one issue.
    But another one remains:

    C:\Windows\system32>w32tm /query /status
    Leap Indicator: 0(no warning)
    Stratum: 1 (primary reference - syncd by radio clock)
    Precision: -6 (15.625ms per tick)
    Root Delay: 0.0000000s
    Root Dispersion: 10.0000000s
    ReferenceId: 0x4C4F434C (source name:  "LOCL")
    Last Successful Sync Time: 6/1/2011 2:58:07 PM
    Source: Free-running System Clock
    Poll Interval: 6 (64s)


    C:\Windows\system32>w32tm /query /peers
    #Peers: 1

    Peer: pool.ntp.org
    State: Pending
    Time Remaining: 19203.4062500s
    Mode: 0 (reserved)
    Stratum: 0 (unspecified)
    PeerPoll Interval: 0 (unspecified)
    HostPoll Interval: 0 (unspecified)

    Why does refID remain LOCL instead of that peer equals "pool.ntp.org"?



    Thursday, June 02, 2011 3:21 AM
  • Hi,

     

    Please check the System Event Log for entries from Source: Time-Service. Are there any errors logged? If so, what is the Event ID?

     

    Regards,

    Cecilia Zhou

    --------------------------------------------------------------------------------

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Friday, June 03, 2011 7:51 AM
    Moderator
  • Thanks for your advise. I'll check the events later. I think some rules on TMG deny NTP traffic from the server.
    Friday, June 17, 2011 2:47 AM
  • Gentlemen,

    Blame the network guys!  If you don't, then you are missing an excellent opportunity!

    I had the error where the PDUMaster was synching to an external time source then for some reason it stopped and went haywire as you mention in your post.  I could run a manual time utility and it would laborously update the local system to the correct time (meaning it would work sometimes and error out other times).  "w32tm /monitor" listed the server's NTP source as "LOCL" vs the source defined in the registry and the network time would be 10 minutes off after two days.

    To make a long story short ntp traffic was being allowed through the firewall along with icmp.  In tightening security, all icmp traffic was no longer allowed.  ICMP-echo was allowed to specific IP addresses.  Only echo-reply, unreachable, time-exceeded were being allowed in from outside in response to outgoing echo's and traceroutes.  Once "timestamp - reply" was allowed everything went back to working within a few seconds.

    Hope that helps someone.

    • Proposed as answer by LeeHerr Friday, October 28, 2011 6:35 PM
    Friday, October 28, 2011 6:32 PM