I cannot begin to tell you how this has hounded me through my career, but I am happy to make this post, which I think has 99% of the answers.

The #1 thing that has caused me issues was not my troubleshooting order or the GPO settings. The GPO on the PDC MUST be removed, all the way.  That includes:

  • RSOP.MSC to find the policy name if there is one that needs to be turned off in the domain
  • gpresult /z | findstr /i "time"
  • Search the registry for the old time source. I found 3 entries (there are probably more):
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time
    • and the HKCU key
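
One way to do the registry search described above, as an added PowerShell example (not part of the original post). It walks the two HKLM locations named in the list and reports any value that still contains the old time source; old-ntp.example.com is a placeholder, the function name is made up for illustration, and the HKCU key is left out because the post does not give its path.

```powershell
# Added example (not from the original post). $OldSource is a placeholder value.
$OldSource = 'old-ntp.example.com'

# The two HKLM locations named in the post; the HKCU key is not specified there.
$Roots = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time',
    'HKLM:\SOFTWARE\Policies\Microsoft\W32Time'
)

function Find-TimeSourceValue {
    param([string[]]$Root, [string]$Needle)
    foreach ($path in $Root) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        # The key itself plus every subkey beneath it.
        $keys = @(Get-Item -LiteralPath $path) +
                @(Get-ChildItem -LiteralPath $path -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                # Flatten multi-string and numeric data to one string for matching.
                $data = @($key.GetValue($name)) -join ' '
                if ($data.IndexOf($Needle, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                    [pscustomobject]@{
                        Key        = $key.Name
                        Value      = $name
                        Data       = $data
                        FromPolicy = $key.Name -like '*\SOFTWARE\Policies\*'
                    }
                }
            }
        }
    }
}

$hits = @(Find-TimeSourceValue -Root $Roots -Needle $OldSource)
if ($hits.Count -eq 0) {
    "No W32Time value under the searched keys references '$OldSource'."
} else {
    $hits | Format-List
}

# If the policy key still exists, GPO settings (or their leftovers) are still on the box.
if (Test-Path -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time') {
    'Policy key HKLM\SOFTWARE\Policies\Microsoft\W32Time is still present.'
}
```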

That being said, here are the steps that did help a lot:

  • The PDC should be the only externally set time keeper, and if this changes for any length of time, you will need to reset it and put the time on the new PDC. (If you are just moving it to reboot or rebuild, time will be fine for a short while, days or maybe even weeks.)
  • Next is to check the time source, in these examples the correct one is 192.168.1.1
    1. First telnet to port 123, telnet 192.168.1.1 123  <– this should open a blank window, you can end by hitting ctrl+]
      • If it returns an error or is unable to connect, the time source is bad.
    2. Then this command will verify it is working (this is a working example)

w32tm /stripchart /computer:192.168.1.1 /samples:3 /dataonly


Tracking 192.168.1.1 [192.168.1.1:123].
Collecting 3 samples.
The current time is 5/3/2019 11:49:43 AM.
11:49:43, -00.0783370s
11:49:45, -00.0780109s
11:49:47, -00.0777189s

A side note here, if you exclude the /dataonly, you will get this type of result

Tracking 192.168.1.1 [192.168.1.1:123].
Collecting 3 samples.
The current time is 3/4/2019 3:31:25 PM.
15:31:25, d:+00.0032008s o:+03.2388658s [ | * ]
15:31:27, d:+00.0029793s o:+03.2386209s [ | * ]
15:31:29, d:+00.0039963s o:+03.2392749s [ | * ]

The d: means Delay, and the o: means Offset.

The bold numbers need to be small, less than .1

  • To check the current settings, you can use these two commands, and this is what you should see:

 w32tm /query /status

Leap Indicator: 0(no warning)
Stratum: 3 (secondary reference – syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.1079526s
Root Dispersion: 1.8005066s
ReferenceId: 0xC0A80101 (source IP: 192.168.1.1)
Last Successful Sync Time: 2/28/2019 1:42:05 PM
Source: DNS_NAME,0x8
Poll Interval: 7 (128s)

Additionally

w32tm /query /configuration

[Configuration]
EventLogFlags: 2 (Local)
AnnounceFlags: 5 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)
FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)

[TimeProviders]
NtpClient (Local)
DllName: C:\Windows\SYSTEM32\w32time.DLL (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NTP (Local)
NtpServer: DNS_NAME,0x8 (Local)  <– This may say POLICY, meaning it is coming from a GPO

  • So we have confirmed there is no GPO, the time source is good, and we know what our server should look like.  Now let's make it happen.

A critical note I determined was, USE A DNS NAME!  I know the documentation says it will take an IP, but I could never get it to work.  This single point caused a great deal of headache for me.  Once I watched debug logs, and saw w32tm trying to resolve a number, I was tipped off.  So with a proper DNS name, you can set the external time source with these commands:

    • w32tm /config /manualpeerlist:DNS_NAME,0x8 /syncfromflags:MANUAL /reliable:yes
    • w32tm /config /update 
      • At this point it is good to run the w32tm /query /configuration command, to make sure the setting took.
    • net stop w32time && net start w32time
    • w32tm /resync

You should now be able to run the check commands above, and they should show correctly.
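
The two checks this post relies on (stripchart offsets under .1, and no setting still coming from a GPO), as an added PowerShell example that is not part of the original post. The function names are made up for illustration, the stripchart sample is copied from above, the (Policy) line is a constructed variant of the NtpServer line, and applying the .1 threshold to the /dataonly offsets is an assumption.

```powershell
# Added example (not from the original post).

function Get-PolicySetting {
    # Lines of `w32tm /query /configuration` whose origin tag is (Policy), i.e. set by GPO.
    param([string[]]$ConfigLines)
    foreach ($line in $ConfigLines) {
        if ($line -match '^\s*(?<Name>[^:]+):\s*(?<Data>.*?)\s*\(Policy\)') {
            [pscustomobject]@{ Name = $Matches['Name'].Trim(); Data = $Matches['Data'] }
        }
    }
}

function Test-StripchartOffset {
    # Parses /dataonly samples such as "11:49:43, -00.0783370s".
    param([string[]]$ChartLines, [double]$MaxSeconds = 0.1)
    $offsets = @(); $failed = 0
    foreach ($line in $ChartLines) {
        if ($line -match '^\d{1,2}:\d{2}:\d{2},\s*(?<Off>[+-]?\d+\.\d+)s\s*$') {
            $offsets += [math]::Abs([double]::Parse($Matches['Off'], [cultureinfo]::InvariantCulture))
        } elseif ($line -match '^\d{1,2}:\d{2}:\d{2},') {
            $failed++   # timestamped line without an offset, e.g. an error sample
        }
    }
    $worst = ($offsets | Measure-Object -Maximum).Maximum
    [pscustomobject]@{
        Samples            = $offsets.Count
        Failed             = $failed
        WorstOffsetSeconds = $worst
        Ok = ($offsets.Count -gt 0) -and ($failed -eq 0) -and ($worst -lt $MaxSeconds)
    }
}

# Stripchart sample copied from the post.
$chart = @(
    'The current time is 5/3/2019 11:49:43 AM.',
    '11:49:43, -00.0783370s',
    '11:49:45, -00.0780109s',
    '11:49:47, -00.0777189s'
)
# Constructed variant of the post's NtpServer line, showing the GPO-controlled case.
$config = @('Type: NTP (Local)', 'NtpServer: DNS_NAME,0x8 (Policy)')

Test-StripchartOffset -ChartLines $chart
Get-PolicySetting -ConfigLines $config

# Live use on the server:
#   Test-StripchartOffset (w32tm /stripchart /computer:192.168.1.1 /samples:3 /dataonly)
#   Get-PolicySetting (w32tm /query /configuration)
```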

  • Additional Notes
  1. If you get totally flummoxed, you can wipe the time settings and start over from scratch with these commands.  Be aware though, that they can screw up the service, and may require a couple of reboots.  Also, this may NOT reset the GPO stuff

net stop w32time
w32tm /unregister
w32tm /register
net start w32time

  2. For those REALLY difficult problems, you can look at the debug log with these commands

w32tm /debug /enable /file:C:\windows\temp\w32time.log /size:10000000 /entries:0-116

w32tm /debug /disable

The /entries are from low to high, 0 being little detail, 300 being max. The best I found is 116

  3. Common Registry keys for time and GPO policy(ies)
    • HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider\Enabled = 0
      • Research for VM systems.  There is a known issue with VM Host time overwriting the server
    • HKLM\SYSTEM\CurrentControlSet\Services\W32Time\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time

References:

Good list of command basics

http://blogs.microsoft.co.il/skepper/2016/02/23/w32tm-windows-time-service-useful-commands/

https://www.ryanwill.com/2017/12/12/w32tm-commands/

Detailed review, including setting up a WMI filter to move the time to the PDC by GPO

https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-directory/

https://profadmins.com/2018/04/01/configure-source-of-time-on-domain/

Debug logging

https://blogs.msdn.microsoft.com/w32time/2008/02/28/configuring-the-time-service-enabling-the-debug-log/
