We are facing a Domain Time Service error. We had a DC holding all FSMO roles, and it was running Windows 2003. This server was holding the NTP role as well. Recently we had to migrate this server to another Windows 2008 Server. So we temporarily moved the roles to another DC and upgraded the server to Windows 2008 R2 Server. After the activity was completed we moved all the roles and the Time Service to the Windows 2008 Server. We followed the commands below on the servers to move the Time services. The Time server is configured to update time from an external time source.
On Old Server:
w32tm /config /syncfromflags:domhier /reliable:no /update
net stop w32time && net start w32time
On New Windows 2008 DC :
w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes /update
After this, when I restart the Time service on the new DC, I get event 139 saying that it is advertising as a time source, and after a minute warning 144 is logged saying it is no longer advertising as a time source.
We have tried the steps below:
- Checked the registry values; Announce Flag is 5
- Type is NTP
- NTP Server is the external server IP and 0x1
- Other DCs are not able to resync time from this DC
- Moved the time source to another Windows 2008 DC
- It is working fine and all other DCs are able to sync time with this DC
- But the DC from which we moved the Time Service is not syncing time with the new time server.
- It is still logging event 144, saying it is no longer advertising as a time source
- Announce flag is 10 now and type is NT5DS
I am not able to understand why only this DC is having an issue with time synchronisation. It is not syncing time either and is giving the error Access is denied. (0x80070005)
I would start by running the following commands:
- w32tm /unregister
- w32tm /register
That would re-create the registry entries for time sync.
Please also read this Wiki article about how time sync could be managed on an AD domain: http://social.technet.microsoft.com/wiki/contents/articles/18573.time-synchronization-in-active-directory-forests.aspx
Make sure port 123 UDP is allowed on the firewall. Secondly, you can also use netmon/wireshark to capture the traffic. It might be antivirus which might be blocking the communication.
Awinish Vishwakarma - MVP
My Blog: awinish.wordpress.com
Remove the NTP server settings from the first DC, which is not able to sync time from the new time source.
Once the settings are removed, check the config through the w32tm command on the first domain controller and make sure it is not pointing to any NTP server except the new DC.
Thanks & Regards
This is to update all of you that I have checked and found that the PDC Emulator role was with the DC which was having the issue. I have transferred the role to the other DC where we have moved the Time services. After that, events 139 and 144 are no longer logged on the DC which is having the problem. But when I run w32tm /resync I still get the Access is denied. (0x80070005) error and it is not synchronising time with the NTP server.
I have tried to unregister and re-register, but to no avail. Even commands like w32tm /query /status give the Access Denied error.
I ran the command net time /set, and it asked if I wanted to sync time with the NTP server. After confirmation it synchronised time with NTP. But the w32tm command is still not working.
I am not able to understand if the issue is with the Time service on this DC or if only the command is having the issue.
I have also run sfc /scannow but it didn't help.
There is another update. I ran the w32tm /unregister and w32tm /register commands, and after that the W32time service does not start; it gives the error:
System error 1290 has occurred.
The service start failed since one or more services in the same process have an incompatible service SID type setting. A service with restricted service SID type can only coexist in the same process with other services with a restricted SID type. If the service SID type for this service was just configured, the hosting process must be restarted in order to start this service.
If I run the command "sc config w32time type= own", the service starts after that, but when I run the command w32tm /resync it gives the error "No valid time data is available" or "Access is denied. (0x80070005)".
I don't know if running the w32time service in its own process creates the issue, but I am not able to run the service if it is running as shared.
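
The Announce Flag, Type and NTP Server values compared in this thread can be decoded into their documented W32Time meanings, which makes the difference between the two reported states (5 / NTP and 10 / NT5DS) readable at a glance. This is an added example, not part of any post in the thread; the function names `ConvertFrom-W32TimeConfig` and `Get-SetBits` are hypothetical, and the peer name is a constructed placeholder.

```powershell
# Added example: decode the W32Time values quoted in this thread.
# Registry locations under HKLM:\SYSTEM\CurrentControlSet\Services\W32Time:
#   Config\AnnounceFlags, Parameters\Type, Parameters\NtpServer
$AnnounceBits = @(
    @(0x1, 'always time server'),
    @(0x2, 'automatic time server'),
    @(0x4, 'always reliable time server'),
    @(0x8, 'automatic reliable time server')
)
$PeerBits = @(
    @(0x1, 'SpecialInterval'),
    @(0x2, 'UseAsFallbackOnly'),
    @(0x4, 'SymmetricActive'),
    @(0x8, 'Client')
)
$TypeMeaning = @{
    'NoSync'  = 'does not synchronise with other sources'
    'NTP'     = 'synchronises with the peers listed in NtpServer'
    'NT5DS'   = 'synchronises from the domain hierarchy'
    'AllSync' = 'uses every available mechanism'
}

# Return the names of all bits from $Table that are set in $Value.
function Get-SetBits([int]$Value, [object[]]$Table) {
    $names = @($Table | Where-Object { $Value -band $_[0] } | ForEach-Object { $_[1] })
    if ($names.Count -eq 0) { 'none' } else { $names -join ', ' }
}

function ConvertFrom-W32TimeConfig([int]$AnnounceFlags, [string]$Type, [string]$NtpServer) {
    # NtpServer is a space-separated list of "host,0xFLAGS" entries.
    $peers = foreach ($entry in ($NtpServer -split '\s+' | Where-Object { $_ })) {
        $name, $flags = $entry -split ',', 2
        $bits = if ($flags) { [Convert]::ToInt32($flags, 16) } else { 0 }
        '{0} [{1}]' -f $name, (Get-SetBits $bits $PeerBits)
    }
    $meaning = $TypeMeaning[$Type]
    if (-not $meaning) { $meaning = 'unrecognised value' }
    New-Object PSObject -Property @{
        AnnounceFlags = '{0} = {1}' -f $AnnounceFlags, (Get-SetBits $AnnounceFlags $AnnounceBits)
        Type          = '{0}: {1}' -f $Type, $meaning
        Peers         = @($peers) -join '; '
    }
}

# Constructed samples using the values reported in the thread; the peer is a placeholder.
ConvertFrom-W32TimeConfig 5 'NTP' 'time.example.invalid,0x1' | Format-List
ConvertFrom-W32TimeConfig 10 'NT5DS' '' | Format-List
```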