Network Time Protocol

Today I would like to talk a little about setting up NTP sync in Active Directory. As you might know, time is quite important in Active Directory because Kerberos depends on it: if the clock skew is larger than 5 minutes (the default setting), you will not be able to log in.

I visited a customer today who had a problem that meant they could not set up NTP sync…

We used these commands to check the time service state on the PDC emulator:

   w32tm /query /status
   w32tm /query /peers
   w32tm /query /configuration

Apparently it used the local CMOS clock as its time source, so we set up external NTP peers:

   w32tm /config /syncfromflags:manual /manualpeerlist:"0.se.pool.ntp.org,0x1 1.se.pool.ntp.org,0x1" /update /reliable:yes

… which did not help, so we then reset the time service settings on the PDC emulator:

   net stop w32time
   w32tm /unregister
   w32tm /register
   net start w32time

We then registered the new NTP peers again:

   w32tm /config /syncfromflags:manual /manualpeerlist:"0.se.pool.ntp.org,0x1 1.se.pool.ntp.org,0x1" /update /reliable:yes

The server still reported that it synced from the local CMOS clock. After some looking around we found a policy setting in the Default Domain Policy that disabled the NTP client. You will find this setting under Computer Configuration – Administrative Templates – System – Windows Time Service – Time Providers, and it is called Enable Windows NTP Client. So I changed it and refreshed the group policy, and that did the trick.

To set up the rest of the DCs to use the PDC emulator (via the domain hierarchy) as their time source, use this command:

   w32tm /config /syncfromflags:domhier /reliable:no /update

To enable and disable debug logging of the Windows Time service, use:

   w32tm /debug /enable /file:C:\Temp\w32tmdebug.log /size:10485760 /entries:0-300
   w32tm /debug /disable

To resync the computer with its time source, use:

   w32tm /resync

To compare your NTP server's time with an external time source:

   w32tm /stripchart /computer:0.pool.ntp.org /samples:5 /dataonly

Finally, you also need to verify that your server is able to communicate with the time server over UDP port 123; a firewall blocking that port gives the same "no sync" symptom as a misconfiguration.
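An added diagnostic script (not from the original post) that checks from PowerShell the three things that turned out to matter above: the active time source, the Group Policy value behind the Enable Windows NTP Client setting, and whether a peer actually answers on UDP port 123. It assumes it is run elevated on the PDC emulator, that the policy-managed value lives under HKLM\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient, and uses the peer names from the post.

```powershell
# Added diagnostic script (not from the original post). Assumes it is run elevated on
# the PDC emulator and that the policy-managed NtpClient key is at the path below.
param(
    [string[]]$Peers = @('0.se.pool.ntp.org', '1.se.pool.ntp.org')  # peers used in the post
)

# 1. What is w32time actually syncing from? "Local CMOS Clock" means no NTP sync at all.
$source = (w32tm /query /source | Out-String).Trim()
if ($source -match 'Local CMOS Clock') {
    Write-Warning "Time source is '$source': this DC is free-running."
} else {
    Write-Output "Time source: $source"
}

# 2. Group Policy value behind "Enable Windows NTP Client". A policy value of 0 wins
#    over anything set with w32tm /config, which is exactly what bit the customer above.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient'
$enabled = (Get-ItemProperty -Path $policyKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
switch ($enabled) {
    0       { Write-Warning "Policy disables the NTP client ($policyKey, Enabled = 0)." }
    1       { Write-Output  "Policy explicitly enables the NTP client." }
    default { Write-Output  "No NTP client policy applied; the local service setting is used." }
}

# 3. Send a minimal SNTP client request (LI=0, VN=3, Mode=3) over UDP 123 and decode the
#    server's transmit timestamp, so a firewall or DNS problem shows up as Reachable = False.
function Test-NtpPeer {
    param([string]$Server, [int]$TimeoutMs = 3000)
    $packet = New-Object byte[] 48
    $packet[0] = 0x1B
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($Server, 123)
        [void]$udp.Send($packet, $packet.Length)
        $remote = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $reply  = $udp.Receive([ref]$remote)
        # Transmit timestamp integer seconds: bytes 40-43, big-endian; reverse for BitConverter.
        [Array]::Reverse($reply, 40, 4)
        $secs = [BitConverter]::ToUInt32($reply, 40)
        $ntpEpoch   = New-Object DateTime 1900, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
        $serverTime = $ntpEpoch.AddSeconds($secs)
        $offset     = ($serverTime - [DateTime]::UtcNow).TotalSeconds
        return [pscustomobject]@{ Peer = $Server; Reachable = $true;  OffsetSeconds = [math]::Round($offset, 3) }
    } catch {
        return [pscustomobject]@{ Peer = $Server; Reachable = $false; OffsetSeconds = $null }
    } finally { $udp.Close() }
}
$Peers | ForEach-Object { Test-NtpPeer -Server $_ } | Format-Table -AutoSize
```

An offset of more than a few seconds against a reachable peer, combined with a CMOS source, is the signature of the situation described in the post; a Reachable = False row points at DNS or UDP/123 filtering instead.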
