Today I would like to talk a little about setting up NTP sync in Active Directory. As you might know, time is quite important in Active Directory because Kerberos is dependent on it. If the time difference is higher than 5 minutes (default setting) you will not be able to log in.
I visited a customer today who had a problem which meant that they could not set up NTP sync…
We used these commands to verify operations on the PDC emulator:
w32tm /query /status
w32tm /query /peers
w32tm /query /configuration
Apparently it used the local CMOS clock as a time source, so we set up external NTP peers:
w32tm /config /syncfromflags:manual /manualpeerlist:"0.se.pool.ntp.org,0x1 1.se.pool.ntp.org,0x1" /update /reliable:yes
… which did not help. We then did a reset of the time server settings on the PDC emulator:
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
We then registered the new NTP peers:
w32tm /config /syncfromflags:manual /manualpeerlist:"0.se.pool.ntp.org,0x1 1.se.pool.ntp.org,0x1" /update /reliable:yes
The server still reported that it synced from the local CMOS clock. After some looking around we found that there was a policy setting in the Default Domain Policy which disabled the NTP Client. You will find this setting in Computer Configuration – Administrative Templates – System – Windows Time Service – Time Providers and it is called Enable Windows NTP Client. So I changed it and refreshed the group policy, and that did the trick.
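A quick way to spot this situation before resetting the time service is to compare the current time source with the policy and service registry values. The script below is an added example, not part of the original troubleshooting session; it assumes English w32tm output and that the policy setting is stored under HKLM\SOFTWARE\Policies\Microsoft\W32Time, and the helper name Get-RegValue is made up for illustration.

```powershell
# Added example (not from the original post). Run elevated on the PDC emulator.
# Assumption: English w32tm output; the source strings are localized elsewhere.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient'
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient'
$paramsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is "Not Configured".
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

# Same information as the "Source:" line of w32tm /query /status.
$source        = (& w32tm /query /source | Out-String).Trim()
$policyEnabled = Get-RegValue $policyKey 'Enabled'
$policyText    = if ($null -eq $policyEnabled) { 'Not configured' } else { "$policyEnabled" }

[pscustomobject]@{
    CurrentSource    = $source
    PolicyNtpClient  = $policyText                         # 0 = disabled by GPO
    ServiceNtpClient = Get-RegValue $serviceKey 'Enabled'  # 1 = enabled locally
    SyncType         = Get-RegValue $paramsKey  'Type'     # NTP, NT5DS, AllSync, NoSync
    ManualPeerList   = Get-RegValue $paramsKey  'NtpServer'
} | Format-List

if ($null -ne $policyEnabled -and $policyEnabled -eq 0) {
    # The case from this post: the GPO wins over anything set with w32tm /config.
    Write-Warning 'Group Policy disables the Windows NTP Client, so peers set with w32tm /config are not used.'
    Write-Warning 'Find the GPO that applies it with: gpresult /r /scope:computer'
}
elseif ($source -match 'Local CMOS Clock|Free-running System Clock') {
    Write-Warning 'No policy block found, but the server still runs on its own clock. Check the peer list and UDP port 123.'
}
else {
    Write-Output "Time source looks healthy: $source"
}
```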
To set up the rest of the DCs to use the PDC emulator as a time source, use this command:
w32tm /config /syncfromflags:domhier /reliable:no /update
To enable and disable debugging of NTP use:
w32tm /debug /enable /file:C:\Temp\w32tmdebug.log /size:10485760 /entries:0-300
w32tm /debug /disable
To resync the computer with its time source use:
w32tm /resync
To compare your NTP server's time with an external time source:
w32tm /stripchart /computer:0.pool.ntp.org /samples:5 /dataonly
Finally, you also need to verify that your server is able to communicate with the time server over UDP port 123.