What is the best practice for time sync between DC and client?
I have an issue with time sync: the client can't sync time correctly. It is always 2 to 4 minutes different.
When I run w32tm /resync /computer:mydc I get:
"The computer did not resync because no time data was available"
What does that mean?
Thanks for any input...
April 27th, 2011 1:36pm
Hello,
are you sure that port 123 is not blocked?
Does your client computer sync time with your PDC?
Please make sure that HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type is set to NT5DS.
Have a look at these Microsoft articles:
http://technet.microsoft.com/en-us/library/bb490845.aspx
http://support.microsoft.com/kb/223184
What I recommend is that your client computers sync time with the PDC and that the PDC syncs time with an external NTP server.
This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Microsoft Student Partner
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
April 27th, 2011 2:09pm
I am not sure whether port 123 is blocked or not. I tried telnet myDCname 123 and it failed to connect. I even turned the firewall off.
I can't verify whether the client is syncing time with my PDC correctly or not. When I tried to sync manually as follows
w32tm /resync /computer:myPDCname I got the same error.
However, net time myPDCname /set /y worked fine and synced the time.
I checked the registry and confirmed that it is set to NT5DS.
I read those articles and tried a few things, but it doesn't help. Any idea?
April 27th, 2011 2:58pm
To check the port, use PortQry v2.
Please check that the PDC is reachable.
April 27th, 2011 3:55pm
PortQry came back with the following result:
Starting portqry.exe -n myDCname -e 123 -p BOTH ...
Querying target system called: myDCname
Attempting to resolve name to IP address...
Name resolved to 10.12.2.6
querying...
TCP port 123 (unknown service): NOT LISTENING
UDP port 123 (ntp service): LISTENING or FILTERED
portqry.exe -n myDCname -e 123 -p BOTH exits with return code 0x00000002.
It seems open on the UDP port...
Thanks
April 27th, 2011 4:06pm
UDP port 123 (ntp service): LISTENING or FILTERED
I can not confirm that port 123 is opened.
It would be better to manually check your firewalls/routers and make sure that there is nothing blocking traffic.
April 27th, 2011 4:10pm
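PortQry's "LISTENING or FILTERED" result for UDP 123 cannot tell an answering time server from a silently dropped packet, and telnet only tests TCP. The following added example (not part of the original thread) sends a real SNTP request and computes the clock offset from the reply, comparing it with the 300-second default Kerberos skew tolerance; the function names are illustrative and myDCname is the thread's placeholder host.

```python
import socket
import struct
import time

NTP_DELTA = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
KERBEROS_MAX_SKEW = 300  # default Kerberos clock-skew tolerance, seconds

def build_request(t1):
    """48-byte SNTP request: LI=0, VN=3, Mode=3 (client), transmit time = t1."""
    return struct.pack("!B39xII", 0x1B, int(t1) + NTP_DELTA,
                       int((t1 % 1) * 2**32))

def _unix(sec, frac):
    return sec - NTP_DELTA + frac / 2**32

def parse_response(data, t1, t4):
    """Return (stratum, offset, delay) in seconds; t1/t4 are local send/receive times."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    leap, mode, stratum = data[0] >> 6, data[0] & 0x07, data[1]
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if leap == 3 or stratum == 0:
        raise ValueError("server answered but reports itself unsynchronized")
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!4I", data[32:48])
    t2, t3 = _unix(rx_s, rx_f), _unix(tx_s, tx_f)
    offset = ((t2 - t1) + (t3 - t4)) / 2   # server clock minus local clock
    delay = (t4 - t1) - (t3 - t2)          # network round trip
    return stratum, offset, delay

def within_kerberos_skew(offset):
    return abs(offset) <= KERBEROS_MAX_SKEW

def query(server, timeout=3.0):
    """One request to UDP 123. socket.timeout = no reply: filtered or not serving."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(t1), (server, 123))
        data, _ = s.recvfrom(512)
        t4 = time.time()
    return parse_response(data, t1, t4)

if __name__ == "__main__":
    # "myDCname" is the placeholder host name used in the thread.
    stratum, offset, delay = query("myDCname")
    print("stratum %d, offset %+.3f s, delay %.3f s, within Kerberos skew: %s"
          % (stratum, offset, delay, within_kerberos_skew(offset)))
```

A timeout from query() means no NTP reply came back at all, while a ValueError means the host answered on UDP 123 but is not offering usable time.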
Configuring your DCs as NTP Servers
Go into your Domain Controllers GPO in GPMC
Nav Path: Computer Configuration \ Policies \ Administrative Templates \ System \ Windows Time Service \ Time Providers \
Enable "Configure NTP Client"
Time.Windows.Com defaults should be ok.
Enable "Windows NTP Client"
Enable "Windows NTP Server"
This will make your server a client of time.windows.com and provide server services for your client systems.
Now you need to setup your Client Time Policy
Then you configure a Group Policy object for your client time policy. Configure the policy with
"Configure Client Services" and "Windows NTP Client"
Configure: NTPServer to point to your primary to your domain name.
If you left round-robin enabled, it should be able to point to all the Domain Servers in your organization for reference... Alternatively, you can create a same-name A(HOST) record for each Domain Controller. Round robin will use a mild load balance to hit the next server in line. In my example below, I'm using "dctime" as my Round-Robin DNS name. So you would put that in your Client Time policy. dctime.mydomain.local,0x9
dctime = dc1
dctime = dc2
dctime = dc3
Once completed with that, run repadmin to sync this new policy to all your domain controllers. Leave default permissions and link to the computer OU, not the DC OU.
Try that... see if it meets what you need.
The end result is...
Client maintains time from DCs which maintain time from time.windows.com which maintain time via time.gov probably.
Steve Kline
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Technology Specialist: Active Directory, Network Infrastructure, Application Platform, Windows 7
Microsoft Certified Product Specialist & Network Product Specialist
Red Hat Certified System Administrator
This posting is "as is" without warranties and confers no rights.
April 27th, 2011 4:49pm
Hello,
up to 5 minutes is not a problem in a domain. On the client please run in an elevated command prompt:
w32tm /config /syncfromflags:domhier /update
After that control the machine's event viewer for the w32time event log entries. It should list up to 3 different ones, can take some minutes, which contains details about errors and also if the domain DCs are used, which is default in a domain.
Best regards Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
April 28th, 2011 4:40am
Steve, I just want to clarify this.
Does that mean I need to create two Group Policies? One for servers that applies to the DCs and one for clients that applies to all the member stations. When you state "Then you configure Group Policy object for your client time policy. Configure the policy with "Configure Client Services" and "Windows NTP Client""
Does that mean Configure Windows NTP Client and Windows NTP Client
under same path as this, Computer Configuration \ Policies \ Administrative Templates \ System \ Windows Time Service \ Time Providers \?
Thanks for your help.
April 28th, 2011 7:58am
Meinolf, I tried that and it doesn't seem to work. We have a time-sensitive application that requires accurate time. Thanks
April 28th, 2011 8:00am
Hello,
Windows time service is NOT made for high accuracy time service, see the link
http://blogs.technet.com/b/askds/archive/2007/10/23/high-accuracy-w32time-requirements.aspx, also mentioned in my article.
For high accuracy time use a stratum 1 device.
Best regards Meinolf Weber
April 28th, 2011 8:29am
Hello,
there is no need to use GPOs to configure the time service; normally the domain time is configured completely automatically.
The DC having the PDCEmulator FSMO is the time source of the domain and should be configured to another, not domain, device or an external time server. All DCs sync with the PDCEmulator and all domain machines use an available DC.
If you transfer FSMO roles, the time settings on the old/new PDCEmulator must be reconfigured.
Best regards Meinolf Weber
April 28th, 2011 8:32am