w32time - Time Server errors 4

avputnam

I am trying to synchronize time on all machines in the domain. I want our Domain Controller, Server 2003, to get the time from the external source (tock.usno.navy.mil or even better tick.uh.edu since we are in the Central Time zone).

In the registry on the domain controller under HKLM\System\CurrentControlSet\Services\w32time\parameters, I have set up the key NtpServer with the value 'tick.uh.edu, 0x1'. On the PCs in the domain, in the same registry location, I entered the IP address of the domain controller.

I keep getting error messages 'w32tm' 'Browser' and 'LsaSrv' after I have made the changes described above.

I would appreciate it if you could point me in the right direction.
 
You shouldn't do that. The reason you'd start getting LSA errors and others may be due to systems having a greater than 5-minute differential. This will cause a lot of problems with the Kerberos authentication protocol. By default, time is obtained in the following way:

1) DC holding PDC FSMO role retrieves time from the internet.
2) All other DCs obtain time from the PDC role holder
3) WSs and member servers obtain time from the authenticating DC.


So... on your PDC server use this command at a cmd prompt:
net time /setsntp:tick.uh.edu

Make sure that outbound UDP port 123 is open on your firewall for your PDC role holder.

Also, netiquette states that you should contact the time server operator and let them know that you're pulling time from them. They may have to open their firewall for you.

Pulling time from the US Navy may be problematic because I think they restrict who can pull time from them.

PSC
 
PScottC,

Thank you for explaining this to me. If you have time, will you please answer another question at your convenience?

Right now, some of the workstations in the domain have NT5DS in w32Time\Parameters\Type while others have NTP. All servers except for one have NTP in Parameters\Type. If I want all machines in the network to synchronize with the authenticating DC, do I need NTP or NT5DS in Parameters\Type on workstations?

The default NTP Server on the PDC DC (and 50% of workstations) was time.microsoft.com. If I set the PDC server to get time from tick.uh.edu, what entry should I have in the NTPServer key in the registry on the rest of the machines in the network?

Thank you again for your help.
 
ALL machines in the domain should have type set to NT5DS EXCEPT the PDCe of the forest root domain. That one server should be set to NTP.

One thing to note is that if a machine is properly set to NT5DS, the value of Ntpserver doesn't matter. If there is anything configured for that setting, it will be ignored. NT5DS ONLY uses the domain hierarchy.

One last thing. net time should not be used on 2003 or XP. For anything. All time related stuff should be done with w32tm. Configuring an external time server on the root PDCe should be done with 'w32tm /config /manualpeerlist:"server1 server2,0x2 server3,0x2" /syncfromflags:manual /update'

server1 is the FQDN or IP of a time server, and you can add as many as you want. The ,0x2 after server2 and server3 specifies that those time servers are used as fallback servers only.

To set all clients back to NT5DS, you can use a GPO, or run 'w32tm /config /syncfromflags:domhier /update'

Oh, one more thing. The location of your external time server doesn't really matter, except for maybe latency. All time servers are set to GMT. Time zones are applied by the OS. So you can have machines from around the world syncing from a time server in Washington DC, and they will all have the correct time for their zone.

Hope that makes sense.
 
It makes sense. Thank you so much.

Right now the PDC is on time.microsoft.com,0x1. However, once in a while it gives me an error message in Event Viewer that there is no time source to synchronize with.

Would you recommend time.microsoft.com or some other time source that is more reliable?

Thank you again
 
I usually use time.nist.gov, tick.usno.navy.mil or tock.usno.navy.mil.

You can use all of them, including time.windows.com as I noted above.
 
Thank you for your help. So far it works. If I want to have more than 1 server1 Time server, do I need a comma between time.microsoft.com and time.nist.gov in the command 'w32tm /config /manualpeerlist:"time.microsoft.com time.nist.gov tick.usno.navy.mil,0x2" /syncfromflags:manual /update'? Does server1 need to be followed by 0x1 if I decide to use a DNS name instead of an IP address?

Thank you again,
 
I'm pretty sure the answer to your comma question is no. The comma is only needed if you use the 0x2 setting.

And the answer to your second question is also no, I believe.
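
Added example, not written by any poster in this thread: a PowerShell script that splits a peer list the way the replies above describe (spaces between peers, a comma only before the flags) and compares the local machine's W32Time Type and NtpServer values with the NT5DS/NTP advice given earlier. The function names are hypothetical, and it assumes a single-domain forest, where DomainRole 5 identifies the PDC emulator.

```powershell
# Added example, not from the thread. Function names are hypothetical.
# NtpServer flag names as listed in Microsoft's W32Time documentation.
$PeerFlags = @{ 1 = 'SpecialInterval'; 2 = 'UseAsFallbackOnly'
                4 = 'SymmetricActive'; 8 = 'Client' }

function ConvertFrom-PeerList {
    param([string]$PeerList)
    # Peers are separated by spaces; a comma only introduces optional hex flags.
    foreach ($entry in ($PeerList -split '\s+' | Where-Object { $_ })) {
        $name, $flagText = $entry -split ',', 2
        $flags = 0
        if ($flagText) { $flags = [Convert]::ToInt32($flagText.Trim(), 16) }
        $names = $PeerFlags.Keys | Sort-Object |
                 Where-Object { $flags -band $_ } | ForEach-Object { $PeerFlags[$_] }
        [pscustomobject]@{
            Peer    = $name
            Flags   = '0x{0:X}' -f $flags
            Meaning = $names -join ', '
        }
    }
}

function Test-TimeConfig {
    param([string]$Type, [string]$NtpServer, [int]$DomainRole)
    # Win32_ComputerSystem.DomainRole: 1/3 = member workstation/server,
    # 4 = backup DC, 5 = primary DC. Assumes a single-domain forest, so
    # role 5 is the forest-root PDC emulator the thread refers to.
    if ($DomainRole -eq 5) {
        if ($Type -ne 'NTP') { return "PDCe: Type is '$Type', expected NTP" }
        if (-not $NtpServer) { return 'PDCe: Type is NTP but NtpServer is empty' }
    } elseif ($DomainRole -in 1, 3, 4) {
        if ($Type -ne 'NT5DS') { return "Domain member: Type is '$Type', expected NT5DS" }
        if ($NtpServer) { return 'OK (NtpServer is set but ignored under NT5DS)' }
    } else {
        return 'Not domain-joined: the domain hierarchy advice does not apply'
    }
    'OK'
}

# Peer list quoted in the thread, then the local machine's actual settings.
ConvertFrom-PeerList 'time.microsoft.com time.nist.gov tick.usno.navy.mil,0x2' | Format-Table
$p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$role = (Get-CimInstance Win32_ComputerSystem).DomainRole
Test-TimeConfig -Type $p.Type -NtpServer $p.NtpServer -DomainRole $role
ConvertFrom-PeerList $p.NtpServer | Format-Table
```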
 