
How to synchronize computer time with domain controller


Introduction

This article covers various ways to keep your workstations synchronized with your domain (primary domain controller), so all the clocks are automatically adjusted within the network.

Time synchronization follows a hierarchy: a workstation synchronizes with its local domain, local domains synchronize with their PDC emulators, and at the top of the hierarchy sits the root PDC emulator, which is connected to an authoritative time source (an external hardware clock, a router running an NTP server connected to GPS, an online NTP server or another source). The hierarchy diagram is presented below (picture source: [1], where you can find more information about the update mechanism):

(Figure: DomainSyncForest – time synchronization hierarchy across the forest)

It is important to have one computer that acts as the time authority for the other computers in your network; if there is none, various Kerberos errors may occur and users may fail to log on to the domain.

My network has these properties:

  • network with multiple domains
  • Windows Server 2008 operating system
  • a server holding the PDC role, connected to an external time source (an NTP server configured on the router, which gets its time from a GPS receiver).

This article describes various ways to configure your server properly (including an export of a configuration that works) as well as your workstations. Getting my configuration right wasn't easy, so I added a troubleshooting section with solutions to common problems (I ran into one of them myself).

At the very end there is a Further reading section for those of you who want to deepen your knowledge.

What is a PDC emulator?

The PDC Emulator is a domain controller holding a specific FSMO role. In fact, there are five FSMO (Flexible Single Master Operations) roles that can be assigned in a domain (note: a rough description is provided below; for more information, see reference [2] in the further reading section):

  1. Domain Naming Master – adds new subdomains (child domains),
  2. Infrastructure Master – responsible for user management across various sections of the forest,
  3. Schema Master – responsible for the formal definitions of how Active Directory stores its objects, which attributes those objects have, and so on,
  4. RID Master (Relative Identifier Master) – allocates relative identifiers; SID related,
  5. PDC Emulator – the role relevant to this article, which focuses on time synchronization. Look at the hierarchy diagram: a PDC emulator exists in the forest root and in each child domain. The original purpose of the PDC emulator was backward compatibility with older NT systems (those systems had a PDC and BDCs, and only the PDC could make changes; today every DC can modify Active Directory).

The domain controller that sits in the root of the forest and holds the PDC emulator role is the time authority for all other members of the forest.

To make sure that time is reliable within the forest, configure only the PDC Emulator in the forest root to synchronize with an external time source. The other trees in the forest then synchronize from it.

Following this logic of time synchronization, every computer in Active Directory will automatically find a corresponding server to synchronize with, according to time synchronization hierarchy. In my case, every workstation synchronizes with corresponding domain controller, and domain controllers synchronize with the server, in the root of the forest, with the PDC Emulator role enabled.

Configuration

You can configure the service in two ways:

  • console tool: w32tm,
  • modifying relevant registry keys

First, check which server holds the PDC emulator role by typing the following command:

netdom query fsmo

(Figure: ViewWhereIsPDCemulator – output of netdom query fsmo)

If the PDC role is listed next to the current server's name, that server is the one we're looking for.

Alternatively, for those who like GUI approach, in Run dialog (Win key + R) type: dsa.msc

Right click on the domain name, select Operations Masters…, and click on tab PDC; you can see which server has that role.

The command below:

w32tm /config /manualpeerlist:192.168.x.x,0x8 /syncfromflags:MANUAL /reliable:yes /update

… denotes:

/config – enters the configuration mode

/manualpeerlist – specifies the server(s) by DNS name or IP address; if there is more than one, put them in quotes, separated by spaces (e.g. /manualpeerlist:"time-a.timefreq.bldrdoc.gov time-b.timefreq.bldrdoc.gov time-c.timefreq.bldrdoc.gov"). A list of NTP servers can be found here.

Note the part ,0x8 that follows the IP address; the following flags can be used here:

0x01 – use special poll interval SpecialInterval

0x02 – UseAsFallbackOnly

0x04 – send request as SymmetricActive mode

0x08 – send request as Client mode

The ,0x8 setting specifies that requests are sent in client mode, because there are "non Windows" NTP servers that answer requests only in this mode.

/syncfromflags:MANUAL – writes the value NTP to the Type entry in the registry (instead of MANUAL you can use DOMHIER, domain hierarchy mode, which writes the value NT5DS; this is explained later in the article).

/reliable:yes – flags the source as reliable

/update – applies the changes to the running service


OK, that was the first way. The second way is writing proper values to the registry. Open Registry Editor and follow this path:

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

The most important setting here is Type:

  • PDC Emulator in the forest root has this value: NTP
  • every other computer in the domain has this value: NT5DS (NT5DS is the domain hierarchy mode, which makes the computer look for its domain's PDC emulator to synchronize with).

This is the export of my settings:

C:\Users\administrator>W32tm /query /configuration
[Configuration]
EventLogFlags: 2 (Local)
AnnounceFlags: 5 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)
FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)

[TimeProviders]
NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NTP (Local)
NtpServer: 192.168.x.x,0x8 (Local) //note, put here a valid IP address

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)

When you have set these values according to your needs, restart the time service and force a synchronization with these commands:

net stop w32time

net start w32time

w32tm /resync

See [6] if you want all these parameters and relevant reg keys explained in depth.

Note: take into account the alternative value for AnnounceFlags; you can set it as a DWORD value (the default is 5, or 0x5). This setting matters when you have connectivity issues, e.g. synchronization problems due to a poor connection to the NTP server: it ensures that our PDC is still flagged as a reliable time source even if the NTP server is temporarily unavailable. If you use SpecialPollInterval to synchronize at fixed intervals, it is recommended to use this setting: 0xa (source). Finally, flags can be combined, so 0xa is a combination of the flags 0x08 (Client) and 0x02 (UseAsFallbackOnly).
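As an added example (not part of the original article), here is a small Python check that parses a saved W32tm /query /configuration export and verifies that Type, the NtpServer peer flags and AnnounceFlags match the machine's place in the hierarchy (NTP with a Client-mode peer on the forest-root PDC, NT5DS everywhere else). The sample export and the peer address 192.168.1.1 are constructed.

```python
import re

# Constructed sample in the shape of the `w32tm /query /configuration` export above.
SAMPLE_PDC = """[Configuration]
AnnounceFlags: 5 (Local)
[TimeProviders]
NtpClient (Local)
DllName: C:\\Windows\\system32\\w32time.dll (Local)
Enabled: 1 (Local)
SpecialPollInterval: 3600 (Local)
Type: NTP (Local)
NtpServer: 192.168.1.1,0x8 (Local)
NtpServer (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
"""
LINE = re.compile(r"^(\w+):\s*(.*?)\s*\((Local|Policy)\)\s*$")

def parse_w32tm_config(text):
    """Map [Section] and provider ('NtpClient (Local)') blocks to {key: value}.
    Values pushed by Group Policy show '(Policy)' instead of '(Local)'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif m := LINE.match(line):
            sections.setdefault(current, {})[m.group(1)] = m.group(2)
        elif line.endswith(("(Local)", "(Policy)")):
            current = line.rsplit(" ", 1)[0]  # provider header, e.g. NtpClient
    return sections

def audit(cfg, is_root_pdc):
    """Findings for the machine's place in the hierarchy: the forest-root PDC
    emulator syncs via NTP from an external peer, every other member uses NT5DS."""
    client, findings = cfg.get("NtpClient", {}), []
    if client.get("Enabled") != "1":
        findings.append("NtpClient provider is disabled")
    expected = "NTP" if is_root_pdc else "NT5DS"
    if client.get("Type") != expected:
        findings.append(f"Type is {client.get('Type')!r}, expected {expected}")
    if is_root_pdc:
        for peer in client.get("NtpServer", "").split():
            host, _, flags = peer.partition(",")
            if not (int(flags, 16) if flags else 0) & 0x8:
                findings.append(f"peer {host} is not queried in Client mode (0x8)")
        if cfg.get("Configuration", {}).get("AnnounceFlags") not in ("5", "10"):
            findings.append("AnnounceFlags is neither 5 (0x5) nor 10 (0xA)")
    return findings
```

Run it against the export of each domain controller with the role it is supposed to play; an empty list means the settings agree with the hierarchy described above.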


BONUS & Troubleshooting

This section is here to help you if you have problems applying your configuration. Look carefully at the solutions and troubleshoot your time synchronization problems.

A) Check out Group Policy settings (Computer Configuration\Administrative Templates\System\Windows Time Service)

You shouldn't change these settings on a domain controller if you want to keep it synchronized (source).

B) Configuration Reset:

If a workstation has problems synchronizing with the server, try resetting its configuration:

net stop w32time

w32tm /unregister

w32tm /register

net start w32time

Among other things, these commands reset the Type value in the registry to its default, NT5DS, if the computer is joined to a domain. After you reset the configuration, check the synchronization status.

C) Review your firewall settings; UDP (User Datagram Protocol) port 123 must be open.

D) Check the policy configuration on your domain. The settings should be Not Configured. In some cases (a bug or somethin'?) set them to Disabled and apply the change; afterwards set them back to Not Configured, apply the setting, and finally check your synchronization status.

In practice: Windows Key + R and type: gpedit.msc. Find Windows Time Service, then select Global Configuration Settings and set it to Not Configured. Also set Time Providers to Not Configured:

(Figure: Group Policy Editor)

(another tool for policy configuration is gpmc.msc, Group Policy Management).

E) If you migrated from Windows 2003, check your registry for possible leftovers (old settings) and delete any that you find.

F) If you use 3rd party software for time synchronization, such as NetTime, uninstall it or disable its service.

G) OK, you have tried all the tips above, you're sure you did everything right, but you still get this error:

The computer did not resync because no time data was available,
Sending resync command to local computer,
The computer did not resync because no time data was available.

One possible solution is to apply this hotfix (download), restart your server, and check whether the error recurs when you run this command: W32tm /resync.

Note: If your server is not the R2 edition, install the hotfix named "Windows Vista" – download [x32].

H) Check the Time Zone settings. Did you set the right time zone?

I) Try Microsoft FixIt (for more info see [3], further reading section)

J) Check the permissions assigned to the W32Time service; follow this procedure:

  • Win Key + R and type: regedit
  • Hive: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time.
  • Under this key, right-click the Config subkey and select Permissions.
  • On the Security tab, under Group or user names, the W32Time service must be listed as well.
  • Click Advanced to see the permissions; select W32Time and click Edit.
  • The service must have the following permissions (see the Allow column): Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Delete, and Read Control.
  • If any of the listed permissions is missing, fix them, then restart the Time service and check the synchronization status.

K) Is your server with the PDC role a virtual machine (Hyper-V, VMware, …)? If so, check the settings for time synchronization with the physical host. With Hyper-V, for instance, check the Integration Services settings of that virtual machine (with VMware, check VMware Tools), and set the appropriate synchronization source.


Useful commands

w32tm /stripchart /computer:192.168.x.x /samples:5 /dataonly
– checks the time difference between the current computer and the target computer.

net time /querysntp
– shows the configured NTP server (outdated)

W32tm /query /configuration
– gives an overview of Windows Time service parameters

W32tm /resync (or W32tm /resync /rediscover)
– tells the current computer to synchronize its clock as soon as possible. Use the /rediscover switch to redetect all network settings, rediscover time sources, and then try to synchronize with the server.

w32tm /monitor
– monitors the current domain

See reference [6] for other useful commands.
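An added example, not from the original article: a Python parser for the output of w32tm /stripchart /computer:… /samples:5 /dataonly that rates the measured offset against the 5000 ms difference reported in Event ID 50 and against Kerberos' default 5-minute tolerance (the Kerberos figure is my assumption, the article only mentions Kerberos failures). The sample output and the peer 192.168.1.1 are constructed.

```python
import re

# Constructed sample in the shape of `w32tm /stripchart /computer:<pdc> /samples:5 /dataonly`:
# one "HH:MM:SS, <offset>s" line per sample, or an error code when the peer did not answer.
SAMPLE_STRIPCHART = """Tracking 192.168.1.1 [192.168.1.1:123].
Collecting 5 samples.
The current time is 21.03.2012 10:15:32.
10:15:32, +00.0123456s
10:15:34, +00.0115432s
10:15:36, error: 0x800705B4
10:15:38, +06.2510000s
10:15:40, +06.2498000s
"""
SAMPLE_RE = re.compile(r"^\d{2}:\d{2}:\d{2},\s*([+-]\d+\.\d+)s$")
ERROR_RE = re.compile(r"^\d{2}:\d{2}:\d{2},\s*error:\s*(0x[0-9A-Fa-f]+)")

def parse_stripchart(text):
    """Return (offsets in seconds, error codes) from /dataonly output."""
    offsets, errors = [], []
    for line in text.splitlines():
        if m := SAMPLE_RE.match(line.strip()):
            offsets.append(float(m.group(1)))
        elif m := ERROR_RE.match(line.strip()):
            errors.append(m.group(1))
    return offsets, errors

def assess(offsets, errors, spike_ms=5000, kerberos_skew_s=300):
    """Classify the local clock against the peer. 5000 ms is the difference
    W32time reports in Event ID 50; 300 s is Kerberos' default maximum
    tolerable skew (assumption: the article names the failure, not the figure)."""
    if not offsets:
        return "unreachable" if errors else "no-samples"
    worst = max(abs(o) for o in offsets)
    if worst >= kerberos_skew_s:
        return "kerberos-risk"
    if worst * 1000 >= spike_ms:
        return "spike"
    return "ok"
```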


Events

You can use Event Viewer for debugging; note the following events:

Event ID 12: Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

Event ID 36: The time service has not synchronized the system time for 86400 seconds because none of the time service providers provided a usable time stamp. The time service will not update the local system time until it is able to synchronize with a time source. If the local system is configured to act as a time server for clients, it will stop advertising as a time source to clients. The time service will continue to retry and sync time with its time sources. Check system event log for other W32time events for more details. Run ‘w32tm /resync’ to force an instant time synchronization.

Event ID 144: The time service has stopped advertising as a good time source.

Event ID 131: NtpClient was unable to set a domain peer to use as a time source because of DNS resolution error on ''. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The requested name is valid, but no data of the requested type was found. (0x80072AFC).

Event ID 24: Time Provider NtpClient: No valid response has been received from domain controller DC-DNS.domain.org [this is our primary DC] after 8 attempts to contact it. This domain controller will be discarded as a time source and NtpClient will attempt to discover a new domain controller from which to synchronize. The error was: The peer is unreachable.

Event ID 142: The time service has stopped advertising as a time source because the local clock is not synchronized.

Event ID 50: The time service detected a time difference of greater than 5000 milliseconds for 900 seconds. The time difference might be caused by synchronization with low-accuracy time sources or by suboptimal network conditions. The time service is no longer synchronized and cannot provide the time to other clients or update the system clock. When a valid time stamp is received from a time service provider, the time service will correct itself.

Event ID 129: NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 3145779 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)

Event ID 12 (W32time) – if the PDC emulator is not set to reference a reliable time source, you will see W32time events in the system log every few hours. Correcting this error requires configuring an authoritative Active Directory time source.


And what about the computers that are out of the domain?

If there are computers in your network that are not joined to a domain and you want to synchronize them as well (or you have a home computer), these are some ways to synchronize with a time source:

  • Change the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers and enter the internal NTP server,
  • Use a scheduled task: LINK
  • Use 3rd party software, for example NetTime (open source software, already mentioned in this article).
  • Type this command (in an elevated command prompt, otherwise it will not work): Net time \\192.168.x.x /Set /y. You can also paste this command into Notepad, save the text file as a batch file, and put that batch file in the Startup folder, so the time is synchronized every time the computer starts.

Other:

– Debug logging for Windows Time Service – LINK

– Transfer FSMO roles from one server to another – LINK


Further reading

[1] Keeping the Domain On Time

[2] Demystifying the Active Directory FSMO roles, Wiki, FSMO

[3] How to configure an authoritative time server in Windows Server (including Microsoft FixIt)

[4] Windows Time Service Tools and Settings

[5] Operations master roles

[6] Windows Time Service Tools and Settings

[7] All PDC emulator functions


Author: www.CreativForm.com