Time Syncing Issues on Servers

Hi There,

Domain is 3 2003 DCs, functional level Server 2000 (don't ask why it;s
not been upgraded). Clients are a mix of XP and Vista.

I am having problems with the time syncing on my domain member
servers. I have set my PDC emulator to point to an external source and
that is working fine. I then set a group policy that forces the
clients and member servers to look to that PDC using the NTP method. I
understand the NT5DS method is the default domain one but it was that
method that was failing me so that's why i've forced the clients to
use NTP. Now, the time seems to be syncing OK but when I do a "net
time /querysntp" on the 2003 servers it brings back "time.windows.com,
0x1" as the time source which is incorrect as that is the default MS
entry. I've done a result set of policy on the servers and they are
all picking up the time sync settings I configured in the policy.

However, if I do a "w32tm /query /source" on my Vista machine (these
switches are not available on win 2003 servers version of w32tm) I get
my PDC returned, which is what I would expect. Further, if i do a "net
time /querysntp" on my PDC emulator i receve the correct external
source.

All I can think is that "net time /querysntp" is not looking first in
the group policy "true" part of the registry and instead is going
straight to the persistent part of the registry.

I guess what I'm asking is should i trust group policy or net time?

 

Hello Broonie,

See inline

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi There,
>
> Domain is 3 2003 DCs, functional level Server 2000 (don't ask why it;s
> not been upgraded). Clients are a mix of XP and Vista.

You can change it to windows server 2003 without any problem if no older
OS DC's are there.

> I am having problems with the time syncing on my domain member
> servers. I have set my PDC emulator to point to an external source and
> that is working fine. I then set a group policy that forces the
> clients and member servers to look to that PDC using the NTP method.

Let the default setting within the domain.

> I understand the NT5DS method is the default domain one but it was that
> method that was failing me so that's why i've forced the clients to
> use NTP.

What errors did you have? You have to make sure that port 123 udp is opened
on the firewalls if in use.

> Now, the time seems to be syncing OK but when I do a "net
> time /querysntp" on the 2003 servers it brings back "time.windows.com,
> 0x1" as the time source which is incorrect as that is the default MS
> entry. I've done a result set of policy on the servers and they are
> all picking up the time sync settings I configured in the policy.

By default you don't have to configure any GPO for time sync. The PDCEmulator
is the time source in the domain and should be configured to an external
time source, as you did. That's all. All other DC's sync with that one and
member servers and workstations sync with one available DC automatic.

> However, if I do a "w32tm /query /source" on my Vista machine (these
> switches are not available on win 2003 servers version of w32tm) I get
> my PDC returned, which is what I would expect. Further, if i do a "net
> time /querysntp" on my PDC emulator i receve the correct external
> source.

Domain internal you should only have one available DC, no external time servers.

> All I can think is that "net time /querysntp" is not looking first in
> the group policy "true" part of the registry and instead is going
> straight to the persistent part of the registry.
>
> I guess what I'm asking is should i trust group policy or net time?

So i would remove the GPO and run on the additional DC's, clients and member
servers:
w32tm /config /syncfromflags:domhier /update

After that run:
net stop w32time
net start w32time

 

On May 1, 11:35 am, Meinolf Weber [MVP-DS] <meiweb(nospam)@gmx.de>
wrote:
> Hello Broonie,
>
> See inline
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm
>
> > Hi There,
>
> > Domain is 3 2003 DCs, functional level Server 2000 (don't ask why it;s
> > not been upgraded). Clients are a mix of XP and Vista.
>
> You can change it to windows server 2003 without any problem if no older
> OS DC's are there.
>
> > I am having problems with the time syncing on my domain member
> > servers. I have set my PDC emulator to point to an external source and
> > that is working fine. I then set a group policy that forces the
> > clients and member servers to look to that PDC using the NTP method.
>
> Let the default setting within the domain.
>
> > I understand the NT5DS method is the default domain one but it was that
> > method that was failing me so that's why i've forced the clients to
> > use NTP.
>
> What errors did you have? You have to make sure that port 123 udp is opened
> on the firewalls if in use.
>
> > Now, the time seems to be syncing OK but when I do a "net
> > time /querysntp" on the 2003 servers it brings back "time.windows.com,
> > 0x1" as the time source which is incorrect as that is the default MS
> > entry. I've done a result set of policy on the servers and they are
> > all picking up the time sync settings I configured in the policy.
>
> By default you don't have to configure any GPO for time sync. The PDCEmulator
> is the time source in the domain and should be configured to an external
> time source, as you did. That's all. All other DC's sync with that one and
> member servers and workstations sync with one available DC automatic.
>
> > However, if I do a "w32tm /query /source" on my Vista machine (these
> > switches are not available on win 2003 servers version of w32tm) I get
> > my PDC returned, which is what I would expect. Further, if i do a "net
> > time /querysntp" on my PDC emulator i receve the correct external
> > source.
>
> Domain internal you should only have one available DC, no external time servers.
>
> > All I can think is that "net time /querysntp" is not looking first in
> > the group policy "true" part of the registry and instead is going
> > straight to the persistent part of the registry.
>
> > I guess what I'm asking is should i trust group policy or net time?
>
> So i would remove the GPO and run on the additional DC's, clients and member
> servers:
> w32tm /config /syncfromflags:domhier /update
>
> After that run:
> net stop w32time
> net start w32time

I know that the default windows behaviour is to look to the DCs for
time but it didn't seem to be doing so, that's why i created the GPO
to force the syncing.

how can I run w32tm /config /syncfromflags:domhier /update on all my
clients and then stop and start the time service (other than using a
logon script)?

 

Hello Broonie,

If your machine's aren't able to use the default you have to find the reason,
event viewer should give errors/warnings about windows time.

You can run that with script or manual. But i would use a startup script
instead of logon script (permissions can/will be to less).

Try the scripting in a test OU with test machine first.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> On May 1, 11:35 am, Meinolf Weber [MVP-DS] <meiweb(nospam)@gmx.de>
> wrote:
>
>> Hello Broonie,
>>
>> See inline
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm
>>> Hi There,
>>>
>>> Domain is 3 2003 DCs, functional level Server 2000 (don't ask why
>>> it;s not been upgraded). Clients are a mix of XP and Vista.
>>>
>> You can change it to windows server 2003 without any problem if no
>> older OS DC's are there.
>>
>>> I am having problems with the time syncing on my domain member
>>> servers. I have set my PDC emulator to point to an external source
>>> and that is working fine. I then set a group policy that forces the
>>> clients and member servers to look to that PDC using the NTP method.
>>>
>> Let the default setting within the domain.
>>
>>> I understand the NT5DS method is the default domain one but it was
>>> that
>>> method that was failing me so that's why i've forced the clients to
>>> use NTP.
>> What errors did you have? You have to make sure that port 123 udp is
>> opened on the firewalls if in use.
>>
>>> Now, the time seems to be syncing OK but when I do a "net
>>> time /querysntp" on the 2003 servers it brings back
>>> "time.windows.com,
>>> 0x1" as the time source which is incorrect as that is the default MS
>>> entry. I've done a result set of policy on the servers and they are
>>> all picking up the time sync settings I configured in the policy.
>> By default you don't have to configure any GPO for time sync. The
>> PDCEmulator
>> is the time source in the domain and should be configured to an
>> external
>> time source, as you did. That's all. All other DC's sync with that
>> one and
>> member servers and workstations sync with one available DC automatic.
>>> However, if I do a "w32tm /query /source" on my Vista machine (these
>>> switches are not available on win 2003 servers version of w32tm) I
>>> get my PDC returned, which is what I would expect. Further, if i do
>>> a "net time /querysntp" on my PDC emulator i receve the correct
>>> external source.
>>>
>> Domain internal you should only have one available DC, no external
>> time servers.
>>
>>> All I can think is that "net time /querysntp" is not looking first
>>> in the group policy "true" part of the registry and instead is going
>>> straight to the persistent part of the registry.
>>>
>>> I guess what I'm asking is should i trust group policy or net time?
>>>
>> So i would remove the GPO and run on the additional DC's, clients and
>> member
>> servers:
>> w32tm /config /syncfromflags:domhier /update
>> After that run:
>> net stop w32time
>> net start w32time
> I know that the default windows behaviour is to look to the DCs for
> time but it didn't seem to be doing so, that's why i created the GPO
> to force the syncing.
>
> how can I run w32tm /config /syncfromflags:domhier /update on all my
> clients and then stop and start the time service (other than using a
> logon script)?
>

 

On May 1, 12:06 pm, Meinolf Weber [MVP-DS] <meiweb(nospam)@gmx.de>
wrote:
> Hello Broonie,
>
> If your machine's aren't able to use the default you have to find the reason,
> event viewer should give errors/warnings about windows time.
>
> You can run that with script or manual. But i would use a startup script
> instead of logon script (permissions can/will be to less).
>
> Try the scripting in a test OU with test machine first.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm
>
> > On May 1, 11:35 am, Meinolf Weber [MVP-DS] <meiweb(nospam)@gmx.de>
> > wrote:
>
> >> Hello Broonie,
>
> >> See inline
>
> >> Best regards
>
> >> Meinolf Weber
> >> Disclaimer: This posting is provided "AS IS" with no warranties, and
> >> confers
> >> no rights.
> >> ** Please do NOT email, only reply to Newsgroups
> >> ** HELP us help YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm
> >>> Hi There,
>
> >>> Domain is 3 2003 DCs, functional level Server 2000 (don't ask why
> >>> it;s not been upgraded). Clients are a mix of XP and Vista.
>
> >> You can change it to windows server 2003 without any problem if no
> >> older OS DC's are there.
>
> >>> I am having problems with the time syncing on my domain member
> >>> servers. I have set my PDC emulator to point to an external source
> >>> and that is working fine. I then set a group policy that forces the
> >>> clients and member servers to look to that PDC using the NTP method.
>
> >> Let the default setting within the domain.
>
> >>> I understand the NT5DS method is the default domain one but it was
> >>> that
> >>> method that was failing me so that's why i've forced the clients to
> >>> use NTP.
> >> What errors did you have? You have to make sure that port 123 udp is
> >> opened on the firewalls if in use.
>
> >>> Now, the time seems to be syncing OK but when I do a "net
> >>> time /querysntp" on the 2003 servers it brings back
> >>> "time.windows.com,
> >>> 0x1" as the time source which is incorrect as that is the default MS
> >>> entry. I've done a result set of policy on the servers and they are
> >>> all picking up the time sync settings I configured in the policy.
> >> By default you don't have to configure any GPO for time sync. The
> >> PDCEmulator
> >> is the time source in the domain and should be configured to an
> >> external
> >> time source, as you did. That's all. All other DC's sync with that
> >> one and
> >> member servers and workstations sync with one available DC automatic.
> >>> However, if I do a "w32tm /query /source" on my Vista machine (these
> >>> switches are not available on win 2003 servers version of w32tm) I
> >>> get my PDC returned, which is what I would expect. Further, if i do
> >>> a "net time /querysntp" on my PDC emulator i receve the correct
> >>> external source.
>
> >> Domain internal you should only have one available DC, no external
> >> time servers.
>
> >>> All I can think is that "net time /querysntp" is not looking first
> >>> in the group policy "true" part of the registry and instead is going
> >>> straight to the persistent part of the registry.
>
> >>> I guess what I'm asking is should i trust group policy or net time?
>
> >> So i would remove the GPO and run on the additional DC's, clients and
> >> member
> >> servers:
> >> w32tm /config /syncfromflags:domhier /update
> >> After that run:
> >> net stop w32time
> >> net start w32time
> > I know that the default windows behaviour is to look to the DCs for
> > time but it didn't seem to be doing so, that's why i created the GPO
> > to force the syncing.
>
> > how can I run w32tm /config /syncfromflags:domhier /update on all my
> > clients and then stop and start the time service (other than using a
> > logon script)?

Thanks,

There aren't any errors as such because my method does actually seem
to be working OK and all machines have their time sync'ed. What I was
worried about was if the member servers were picking up the right
settings or not based on what net time was returning.

 

I suggest ignoring the net time command. For time related things, use only
the w32tm command.

w32tm /? will list all the available options.

--
Bruce Sanderson
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.



"Broonie" <broonie27@hotmail.com> wrote in message
news:6f44bc96-66b0-4626-91df-f451c1bc97b5@w35g2000prg.googlegroups.com...
On May 1, 12:06 pm, Meinolf Weber [MVP-DS] <meiweb(nospam)@gmx.de>
wrote:
> Hello Broonie,
>
> If your machine's aren't able to use the default you have to find the
> reason,
> event viewer should give errors/warnings about windows time.
>
> You can run that with script or manual. But i would use a startup script
> instead of logon script (permissions can/will be to less).
>
> Try the scripting in a test OU with test machine first.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm
>
> > On May 1, 11:35 am, Meinolf Weber [MVP-DS] <meiweb(nospam)@gmx.de>
> > wrote:
>
> >> Hello Broonie,
>
> >> See inline
>
> >> Best regards
>
> >> Meinolf Weber
> >> Disclaimer: This posting is provided "AS IS" with no warranties, and
> >> confers
> >> no rights.
> >> ** Please do NOT email, only reply to Newsgroups
> >> ** HELP us help YOU!!!http://www.blakjak.demon.co.uk/mul_crss.htm
> >>> Hi There,
>
> >>> Domain is 3 2003 DCs, functional level Server 2000 (don't ask why
> >>> it;s not been upgraded). Clients are a mix of XP and Vista.
>
> >> You can change it to windows server 2003 without any problem if no
> >> older OS DC's are there.
>
> >>> I am having problems with the time syncing on my domain member
> >>> servers. I have set my PDC emulator to point to an external source
> >>> and that is working fine. I then set a group policy that forces the
> >>> clients and member servers to look to that PDC using the NTP method.
>
> >> Let the default setting within the domain.
>
> >>> I understand the NT5DS method is the default domain one but it was
> >>> that
> >>> method that was failing me so that's why i've forced the clients to
> >>> use NTP.
> >> What errors did you have? You have to make sure that port 123 udp is
> >> opened on the firewalls if in use.
>
> >>> Now, the time seems to be syncing OK but when I do a "net
> >>> time /querysntp" on the 2003 servers it brings back
> >>> "time.windows.com,
> >>> 0x1" as the time source which is incorrect as that is the default MS
> >>> entry. I've done a result set of policy on the servers and they are
> >>> all picking up the time sync settings I configured in the policy.
> >> By default you don't have to configure any GPO for time sync. The
> >> PDCEmulator
> >> is the time source in the domain and should be configured to an
> >> external
> >> time source, as you did. That's all. All other DC's sync with that
> >> one and
> >> member servers and workstations sync with one available DC automatic.
> >>> However, if I do a "w32tm /query /source" on my Vista machine (these
> >>> switches are not available on win 2003 servers version of w32tm) I
> >>> get my PDC returned, which is what I would expect. Further, if i do
> >>> a "net time /querysntp" on my PDC emulator i receve the correct
> >>> external source.
>
> >> Domain internal you should only have one available DC, no external
> >> time servers.
>
> >>> All I can think is that "net time /querysntp" is not looking first
> >>> in the group policy "true" part of the registry and instead is going
> >>> straight to the persistent part of the registry.
>
> >>> I guess what I'm asking is should i trust group policy or net time?
>
> >> So i would remove the GPO and run on the additional DC's, clients and
> >> member
> >> servers:
> >> w32tm /config /syncfromflags:domhier /update
> >> After that run:
> >> net stop w32time
> >> net start w32time
> > I know that the default windows behaviour is to look to the DCs for
> > time but it didn't seem to be doing so, that's why i created the GPO
> > to force the syncing.
>
> > how can I run w32tm /config /syncfromflags:domhier /update on all my
> > clients and then stop and start the time service (other than using a
> > logon script)?

Thanks,

There aren't any errors as such because my method does actually seem
to be working OK and all machines have their time sync'ed. What I was
worried about was if the member servers were picking up the right
settings or not based on what net time was returning.