Discussion:
Domain Time Sync'ing
(too old to reply)
Brian Edwards
2007-10-10 22:13:01 UTC
Permalink
1 domain, all Win2k3 servers
2 DC's, shared roles (1 has 4 of the 5 roles, the other has the remaining
role)

We had our PDC crash two months ago. I was able to bring it back online,
but only after a complete rebuild. Afterwards I cleaned up Active Directory
and got all of the roles straightened out. Dcdiag reports all tests pass on
both DC's. However, we've been noticing client clocks out of sync with the
servers, which are in sync with each other.

Can someone please start from scratch and tell me what I need to do to get
the clients to sync with either of the DC's, which both state that they are
successfully advertising themselves as time servers? I've read KB's and
posts all day long and have only gotten more and more confused. It's amazing
that something this simple requires more than a few clicks of a mouse to get
working properly.

Feel free to bash me, and I will answer any questions you have.

TIA

PS - I've tried the "w32tm /config /syncfromflags:domhier /update" then
stop/start net time on several different clients and although those do not
error out, the clocks are still off, even after reboots.
Mark
2007-10-10 22:41:00 UTC
Permalink
First, is the Windows Time Service started on the server that the clients
will be httting? Next, have you tried this?:

To configure the Windows Time service on the PDC emulator

1. Open a Command Prompt.

2. Type the following command to display the time difference between the
local computer and a target computer, and then press ENTER:

w32tm /stripchart /computer:target /samples:n/dataonly

Value Definition
target
Specifies the DNS name or IP address of the NTP server that you are
comparing the local computer's time against, such as time.windows.com.

n
Specifies the number of time samples that will be returned from the target
computer to test basic NTP communication.


3. Open UDP port 123 for outgoing traffic if needed.

4. Open UDP port 123 (or a different port you have selected) for incoming
NTP traffic.

5. Type the following command to configure the PDC emulator and then press
ENTER:

w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes
/update

where peers specifies the list of DNS names and/or IP addresses of the NTP
time source that the PDC emulator synchronizes from. For example, you can
specify time.windows.com. When specifying multiple peers, use a space as the
delimiter and enclose them in quotation marks.


=====================================


To configure a client computer for automatic domain time synchronization

1. Open a Command Prompt.

2. Type the following command and then press ENTER:

w32tm /config /syncfromflags:domhier /update

3. Type the following command and then press ENTER:

net stop w32time

4. Type the following command and then press ENTER:

net start w32time


=======================================
Post by Brian Edwards
1 domain, all Win2k3 servers
2 DC's, shared roles (1 has 4 of the 5 roles, the other has the remaining
role)
We had our PDC crash two months ago. I was able to bring it back online,
but only after a complete rebuild. Afterwards I cleaned up Active Directory
and got all of the roles straightened out. Dcdiag reports all tests pass on
both DC's. However, we've been noticing client clocks out of sync with the
servers, which are in sync with each other.
Can someone please start from scratch and tell me what I need to do to get
the clients to sync with either of the DC's, which both state that they are
successfully advertising themselves as time servers? I've read KB's and
posts all day long and have only gotten more and more confused. It's amazing
that something this simple requires more than a few clicks of a mouse to get
working properly.
Feel free to bash me, and I will answer any questions you have.
TIA
PS - I've tried the "w32tm /config /syncfromflags:domhier /update" then
stop/start net time on several different clients and although those do not
error out, the clocks are still off, even after reboots.
Brian Edwards
2007-10-11 15:06:04 UTC
Permalink
Thank you Mark.

Yes, the Windows Time service is started on the PDC Emulator.

Yes, I have tried those commands with a few different 2nd level public NTP
servers. The PDC Emulator is in sync with them. The clients remain off by
various amounts, some as much as 10 minutes. I've verified that port 123 is
open on our ISA server; the server commands below do not error out. When I
run "w32tm /resync" on the server I want to be the time server, the PDC
Emulator, the results are "The command completed successfully". When I run
"w32tm /resync" on the clients, after running the client commands below, the
result is always "The computer did not resync because no time data was
available".

Any thoughts as to what to try next? I am at a total loss.

Thank you again.
Post by Mark
First, is the Windows Time Service started on the server that the clients
To configure the Windows Time service on the PDC emulator
1. Open a Command Prompt.
2. Type the following command to display the time difference between the
w32tm /stripchart /computer:target /samples:n/dataonly
Value Definition
target
Specifies the DNS name or IP address of the NTP server that you are
comparing the local computer's time against, such as time.windows.com.
n
Specifies the number of time samples that will be returned from the target
computer to test basic NTP communication.
3. Open UDP port 123 for outgoing traffic if needed.
4. Open UDP port 123 (or a different port you have selected) for incoming
NTP traffic.
5. Type the following command to configure the PDC emulator and then press
w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes
/update
where peers specifies the list of DNS names and/or IP addresses of the NTP
time source that the PDC emulator synchronizes from. For example, you can
specify time.windows.com. When specifying multiple peers, use a space as the
delimiter and enclose them in quotation marks.
=====================================
To configure a client computer for automatic domain time synchronization
1. Open a Command Prompt.
w32tm /config /syncfromflags:domhier /update
net stop w32time
net start w32time
=======================================
Post by Brian Edwards
1 domain, all Win2k3 servers
2 DC's, shared roles (1 has 4 of the 5 roles, the other has the remaining
role)
We had our PDC crash two months ago. I was able to bring it back online,
but only after a complete rebuild. Afterwards I cleaned up Active Directory
and got all of the roles straightened out. Dcdiag reports all tests pass on
both DC's. However, we've been noticing client clocks out of sync with the
servers, which are in sync with each other.
Can someone please start from scratch and tell me what I need to do to get
the clients to sync with either of the DC's, which both state that they are
successfully advertising themselves as time servers? I've read KB's and
posts all day long and have only gotten more and more confused. It's amazing
that something this simple requires more than a few clicks of a mouse to get
working properly.
Feel free to bash me, and I will answer any questions you have.
TIA
PS - I've tried the "w32tm /config /syncfromflags:domhier /update" then
stop/start net time on several different clients and although those do not
error out, the clocks are still off, even after reboots.
Al Mulnick
2007-10-10 22:51:58 UTC
Permalink
Event logs? What's in the event logs regarding w32time? usually, after
startup of the service you'll see entries indicating that it's successfully
sync'ing time. Or you'll see entries indicating that it is not. If you see
nothing, that's a different issue.

Can you check and let us know?
Post by Brian Edwards
1 domain, all Win2k3 servers
2 DC's, shared roles (1 has 4 of the 5 roles, the other has the remaining
role)
We had our PDC crash two months ago. I was able to bring it back online,
but only after a complete rebuild. Afterwards I cleaned up Active Directory
and got all of the roles straightened out. Dcdiag reports all tests pass on
both DC's. However, we've been noticing client clocks out of sync with the
servers, which are in sync with each other.
Can someone please start from scratch and tell me what I need to do to get
the clients to sync with either of the DC's, which both state that they are
successfully advertising themselves as time servers? I've read KB's and
posts all day long and have only gotten more and more confused. It's amazing
that something this simple requires more than a few clicks of a mouse to get
working properly.
Feel free to bash me, and I will answer any questions you have.
TIA
PS - I've tried the "w32tm /config /syncfromflags:domhier /update" then
stop/start net time on several different clients and although those do not
error out, the clocks are still off, even after reboots.
Brian Edwards
2007-10-11 15:16:02 UTC
Permalink
Thank you Al.

The System event log contains warnings averaging about twice per day, event
ID 50:

"The time service detected a time difference of greater than 128
milliseconds for 90 seconds. The time difference might be caused by
synchronization with low-accuracy time sources or by suboptimal network
conditions. The time service is no longer synchronized and cannot provide the
time to other clients or update the system clock. When a valid time stamp is
received from a time service provider, the time service will correct itself."

I'm not sure how to force the time service to attempt a sync with the public
NTP source I configured when following the commands Mark suggested. I did
stop/start the time service afterwards and no error was generated on the
server, but clients still can't sync to the server.

Thoughts?

Thank you.
Post by Al Mulnick
Event logs? What's in the event logs regarding w32time? usually, after
startup of the service you'll see entries indicating that it's successfully
sync'ing time. Or you'll see entries indicating that it is not. If you see
nothing, that's a different issue.
Can you check and let us know?
Post by Brian Edwards
1 domain, all Win2k3 servers
2 DC's, shared roles (1 has 4 of the 5 roles, the other has the remaining
role)
We had our PDC crash two months ago. I was able to bring it back online,
but only after a complete rebuild. Afterwards I cleaned up Active Directory
and got all of the roles straightened out. Dcdiag reports all tests pass on
both DC's. However, we've been noticing client clocks out of sync with the
servers, which are in sync with each other.
Can someone please start from scratch and tell me what I need to do to get
the clients to sync with either of the DC's, which both state that they are
successfully advertising themselves as time servers? I've read KB's and
posts all day long and have only gotten more and more confused. It's amazing
that something this simple requires more than a few clicks of a mouse to get
working properly.
Feel free to bash me, and I will answer any questions you have.
TIA
PS - I've tried the "w32tm /config /syncfromflags:domhier /update" then
stop/start net time on several different clients and although those do not
error out, the clocks are still off, even after reboots.
Al Mulnick
2007-10-11 15:31:02 UTC
Permalink
I think the other advice you got was good advice, but just to be sure, have
a look at the following:

http://technet2.microsoft.com/windowsserver/en/library/ce8890cf-ef46-4931-8e4a-2fc5b4ddb0471033.mspx?mfr=true

http://technet2.microsoft.com/windowsserver/en/library/a0fcd250-e5f7-41b3-b0e8-240f8236e2101033.mspx?mfr=true

Also, be sure your PDCe is at least 2003 SP1 or later. There were some bugs
similar to what you describe prior to that.

Note that time is UDP and not TCP. You'll want to be sure that your time is
correctly updating.
Just for curiousity, how do you allow your other devices to sync time? Your
routers and such?

Last, let us know what you find.
Post by Brian Edwards
Thank you Al.
The System event log contains warnings averaging about twice per day, event
"The time service detected a time difference of greater than 128
milliseconds for 90 seconds. The time difference might be caused by
synchronization with low-accuracy time sources or by suboptimal network
conditions. The time service is no longer synchronized and cannot provide the
time to other clients or update the system clock. When a valid time stamp is
received from a time service provider, the time service will correct itself."
I'm not sure how to force the time service to attempt a sync with the public
NTP source I configured when following the commands Mark suggested. I did
stop/start the time service afterwards and no error was generated on the
server, but clients still can't sync to the server.
Thoughts?
Thank you.
Post by Al Mulnick
Event logs? What's in the event logs regarding w32time? usually, after
startup of the service you'll see entries indicating that it's successfully
sync'ing time. Or you'll see entries indicating that it is not. If you see
nothing, that's a different issue.
Can you check and let us know?
Post by Brian Edwards
1 domain, all Win2k3 servers
2 DC's, shared roles (1 has 4 of the 5 roles, the other has the remaining
role)
We had our PDC crash two months ago. I was able to bring it back online,
but only after a complete rebuild. Afterwards I cleaned up Active Directory
and got all of the roles straightened out. Dcdiag reports all tests
pass
on
both DC's. However, we've been noticing client clocks out of sync with the
servers, which are in sync with each other.
Can someone please start from scratch and tell me what I need to do to get
the clients to sync with either of the DC's, which both state that they are
successfully advertising themselves as time servers? I've read KB's and
posts all day long and have only gotten more and more confused. It's amazing
that something this simple requires more than a few clicks of a mouse
to
get
working properly.
Feel free to bash me, and I will answer any questions you have.
TIA
PS - I've tried the "w32tm /config /syncfromflags:domhier /update" then
stop/start net time on several different clients and although those do not
error out, the clocks are still off, even after reboots.
Brian Edwards
2007-10-11 19:10:00 UTC
Permalink
Thanks again Al.


After more research, I came across
http://www.msfn.org/board/lofiversion/index.php/t67060.html. That solved the
problem of why the server wasn't sync'ing with an outside source. It's
working fine now. There were settings in the Default Domain Controllers
Policy, which I was under the impression we no longer employed, fouling up
time sync'ing from the PDC to a public NTP server.

Now, some member servers and clients respond positively to the "w32tm
/resync /rediscover" command, while many others do not (no time data
available). I think I will wait until tomorrow morning to try them again and
see if their time will sync to the PDC. No reason it shouldn't, afaik. I
checked that no GPOs were setting this policy for clients.

Thanks for the help guys, and if you have any further thoughts, I would love
to hear them.

:)
Post by Al Mulnick
I think the other advice you got was good advice, but just to be sure, have
http://technet2.microsoft.com/windowsserver/en/library/ce8890cf-ef46-4931-8e4a-2fc5b4ddb0471033.mspx?mfr=true
http://technet2.microsoft.com/windowsserver/en/library/a0fcd250-e5f7-41b3-b0e8-240f8236e2101033.mspx?mfr=true
Also, be sure your PDCe is at least 2003 SP1 or later. There were some bugs
similar to what you describe prior to that.
Note that time is UDP and not TCP. You'll want to be sure that your time is
correctly updating.
Just for curiousity, how do you allow your other devices to sync time? Your
routers and such?
Last, let us know what you find.
Post by Brian Edwards
Thank you Al.
The System event log contains warnings averaging about twice per day, event
"The time service detected a time difference of greater than 128
milliseconds for 90 seconds. The time difference might be caused by
synchronization with low-accuracy time sources or by suboptimal network
conditions. The time service is no longer synchronized and cannot provide the
time to other clients or update the system clock. When a valid time stamp is
received from a time service provider, the time service will correct itself."
I'm not sure how to force the time service to attempt a sync with the public
NTP source I configured when following the commands Mark suggested. I did
stop/start the time service afterwards and no error was generated on the
server, but clients still can't sync to the server.
Thoughts?
Thank you.
Post by Al Mulnick
Event logs? What's in the event logs regarding w32time? usually, after
startup of the service you'll see entries indicating that it's successfully
sync'ing time. Or you'll see entries indicating that it is not. If you see
nothing, that's a different issue.
Can you check and let us know?
Post by Brian Edwards
1 domain, all Win2k3 servers
2 DC's, shared roles (1 has 4 of the 5 roles, the other has the remaining
role)
We had our PDC crash two months ago. I was able to bring it back online,
but only after a complete rebuild. Afterwards I cleaned up Active Directory
and got all of the roles straightened out. Dcdiag reports all tests
pass
on
both DC's. However, we've been noticing client clocks out of sync with the
servers, which are in sync with each other.
Can someone please start from scratch and tell me what I need to do to get
the clients to sync with either of the DC's, which both state that they are
successfully advertising themselves as time servers? I've read KB's and
posts all day long and have only gotten more and more confused. It's amazing
that something this simple requires more than a few clicks of a mouse
to
get
working properly.
Feel free to bash me, and I will answer any questions you have.
TIA
PS - I've tried the "w32tm /config /syncfromflags:domhier /update" then
stop/start net time on several different clients and although those do not
error out, the clocks are still off, even after reboots.
Al Mulnick
2007-10-12 15:02:57 UTC
Permalink
Interesting.

One thing to note about your situation: if some of the machines can sync and
some cannot, then it seems reasonable that the problem is client-side. You
may want to start with the event logs on the clients that don't work.

Good luck,

Al
Post by Brian Edwards
Thanks again Al.
After more research, I came across
http://www.msfn.org/board/lofiversion/index.php/t67060.html. That solved the
problem of why the server wasn't sync'ing with an outside source. It's
working fine now. There were settings in the Default Domain Controllers
Policy, which I was under the impression we no longer employed, fouling up
time sync'ing from the PDC to a public NTP server.
Now, some member servers and clients respond positively to the "w32tm
/resync /rediscover" command, while many others do not (no time data
available). I think I will wait until tomorrow morning to try them again and
see if their time will sync to the PDC. No reason it shouldn't, afaik. I
checked that no GPOs were setting this policy for clients.
Thanks for the help guys, and if you have any further thoughts, I would love
to hear them.
:)
Post by Al Mulnick
I think the other advice you got was good advice, but just to be sure, have
http://technet2.microsoft.com/windowsserver/en/library/ce8890cf-ef46-4931-8e4a-2fc5b4ddb0471033.mspx?mfr=true
http://technet2.microsoft.com/windowsserver/en/library/a0fcd250-e5f7-41b3-b0e8-240f8236e2101033.mspx?mfr=true
Also, be sure your PDCe is at least 2003 SP1 or later. There were some bugs
similar to what you describe prior to that.
Note that time is UDP and not TCP. You'll want to be sure that your time is
correctly updating.
Just for curiousity, how do you allow your other devices to sync time? Your
routers and such?
Last, let us know what you find.
Post by Brian Edwards
Thank you Al.
The System event log contains warnings averaging about twice per day, event
"The time service detected a time difference of greater than 128
milliseconds for 90 seconds. The time difference might be caused by
synchronization with low-accuracy time sources or by suboptimal network
conditions. The time service is no longer synchronized and cannot
provide
the
time to other clients or update the system clock. When a valid time
stamp
is
received from a time service provider, the time service will correct itself."
I'm not sure how to force the time service to attempt a sync with the public
NTP source I configured when following the commands Mark suggested. I did
stop/start the time service afterwards and no error was generated on the
server, but clients still can't sync to the server.
Thoughts?
Thank you.
Post by Al Mulnick
Event logs? What's in the event logs regarding w32time? usually, after
startup of the service you'll see entries indicating that it's successfully
sync'ing time. Or you'll see entries indicating that it is not. If
you
see
nothing, that's a different issue.
Can you check and let us know?
Post by Brian Edwards
1 domain, all Win2k3 servers
2 DC's, shared roles (1 has 4 of the 5 roles, the other has the remaining
role)
We had our PDC crash two months ago. I was able to bring it back online,
but only after a complete rebuild. Afterwards I cleaned up Active Directory
and got all of the roles straightened out. Dcdiag reports all tests
pass
on
both DC's. However, we've been noticing client clocks out of sync
with
the
servers, which are in sync with each other.
Can someone please start from scratch and tell me what I need to do
to
get
the clients to sync with either of the DC's, which both state that
they
are
successfully advertising themselves as time servers? I've read KB's and
posts all day long and have only gotten more and more confused.
It's
amazing
that something this simple requires more than a few clicks of a mouse
to
get
working properly.
Feel free to bash me, and I will answer any questions you have.
TIA
PS - I've tried the "w32tm /config /syncfromflags:domhier /update" then
stop/start net time on several different clients and although those
do
not
error out, the clocks are still off, even after reboots.
Continue reading on narkive:
Loading...