Time Issue

[Adam Raff]

Good Morning,

I have a problem with Time.

Background:

We are running Windows 2000 Advanced Server with SP4 with all the latest
Critical updates that came down up till now. This server is a DC (HSMain)
with two other server (HSsql and HSMail). HSsql is also a Windows 2000
server running SQL 2000 it is also a DC. HSMail is running Windows 2003 and
it is set up as a Member server running Exchange 2003. All servers have the
latest Critical updates. HSMain gets it's time from an outside source. The
HSSql gets it's time for HSMain and HSMail gets it's time also from HSMain.

A few week or so I noticed a problem with one of the PC (XP Pro SP1)
connected to our network. It stated that it could not get the time from
HSMain and it went to HSSql

Event Type: Error
Event Source: W32Time
Event Category: None
Event ID: 29
Date: 2/24/2005
Time: 11:57:58 AM
User: N/A
Computer: ADAMXP2
Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 15 minutes. NtpClient has
no source of accurate time.

Right after that error another message appeared as follows:

Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 35
Date: 2/24/2005
Time: 12:12:58 PM
User: N/A
Computer: ADAMXP2
Description:
The time service is now synchronizing the system time with the time source
hssql.hspop.net

After seeing these errors I looked around and found that I was getting the
following errors on HSMain:

Event Type: Warning
Event Source: w32time
Event Category: None
Event ID: 11
Date: 3/6/2005
Time: 8:38:27 PM
User: N/A
Computer: HSMAIN
Description:
The NTP server didn't respond
Data:
0000: 00 00 00 00 ....

After looking at these I noticed some other issues with HSsql and HSMail.
All the servers are up and running and are Replicating with no issues.

I tried the following things on HSMain.

I ran net time /querysntp and the results were as follows time.nist.gov. I
was told by my consultants to try the following

net time /setsntp:tock.usno.navy.mil. I then stopped and then restarted the
time service.

I waited a day and still see the error poping up in the log.

I then tried the following command

W32tm -once -test -V which came back with the following error

End line 1951
Time source failed to produce usable timestamp.
begin: ntptry - - fail
end line 1682
Time out eccured in sockets
Begin: ntptry - - try
Begin:coputerinterval
end line 2479
sending to server 48 bytes
recv'ed from server 48 bytes
End line 1885
Begin:ntptry -- delay
end line 2012
round trip was 172ms
etc etc etc

Time source failed to produce usable timestamp
Would have skewed forbackwards, jadj, btime - 78125 332

Rejecting logging event 0x8000000B. 888 sec until this event is allowed

I hope I gave enough info on this.

Thanks
Adam Raff

 

[Guest]

Try a different NTP server. I use the one from NIST and they work fine:

http://www.boulder.nist.gov/timefreq/service/time-servers.html

 

[Guest]

Also, if you have a firewall make sure it allows for external time server, I
beleive it's port 123

 

[Adam Raff]

Hi Nester,

I did try a different time server as you can see.
time.nist.gov, I changed it to the following - tock.usno.navy.mil, with no
luck.

Also since this was working for some time and all of a sudden it stopped
working, I don't think its a firewall issue and I did check for port 123 to
make sure that it was not set to off or deigned.

The only thing that changed on the server were the updates that I did for it
on Patch Tuesday.

Adam

 

[Guest]

Which update was it exactly?

Hi Nester,

I did try a different time server as you can see.
time.nist.gov, I changed it to the following - tock.usno.navy.mil, with no
luck.

Also since this was working for some time and all of a sudden it stopped
working, I don't think its a firewall issue and I did check for port 123 to
make sure that it was not set to off or deigned.

The only thing that changed on the server were the updates that I did for it
on Patch Tuesday.

Adam

 

[Adam Raff]

Here are the updates that I did that Tuesday from Microsoft.

287282: IE Update
891781: Active X Control
885250: Server Message Block
888113: Hyperlink Object Library
890047: Windows Shell
873333: Drag and Drop
885834: License logging

thanks
Adam

 

[Frances [MSFT]]

Hello Adam,

Good to hear from you.

According to your post, I understand you meet a time issue. Because HSMain
plays an important role in your configuration regarding time, I suggest
that we focus on HSMain, and resolve the event 11 first.

By the way, what is the result when you run net time /querysntp?

Now you can try the following steps:

1. Open up UDP ports 1024 and above on the firewall.

2. Run "w32tm -v -once" again.
What is the result?

If the issue persists, please help me gather the following information:
Dump the W32Time registry key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]

1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. Locate and then click to select the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
4. Right click the key and export it to a .reg file.
5. Compress it and send to (e-mail address removed) for further research.


I look forward to your reply!

Best regards,

Frances He


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Adam Raff]

Hi Frances,

net time /querysntp - The current sntp value is North-America.pool.ntp.org
(I just changed to this today via a suggestion from our consultants)

Question on your request, why am I opening all my UDP ports of 1024 and
above?
Can you give me some time of range?

My understanding is that ntp works off of port 123 not sure of it's UDP or
TCP?

Also I noticed that in your command that you want me to run "W32tm -v -once"
you did not put -test in the command. If I am correct this will then write
information to my server?

Please understand that I have no clue what I am doing here so I am asking
questions before I do it. Please have a little patience. What I have done
so far is by reading and working with our consultants.

Thanks for your help and patience in this matter

Adam

 

[Frances [MSFT]]

Hello Adam,

Thank you for your feedback.

As for your concern, the reason to open up UDP ports 1024 and above on the
firewall temporarily is as follows:

According to my experience, when the client attempts to open a session with
the NTP server the Destination port is 123 by default but the Source port
could be any port including and above port 1024. Therefore when the NTP
server tried to respond back to the port specified by the Windows 2000
server the response was blocked by the firewall.

As for "W32tm -v -once", this command is common when troubleshooting time
issues. It is used to show the w32time related output. Don't worry about it.

If the issue persists, please help to dump the W32Time registry key for
further research.

I understand your situation. Please go ahead. I am waiting for your reply!
Best regards,

Frances He


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Adam Raff]

Hi Frances,

If I am understanding you right

The Source Port being 1024 or above is the port that comes from HSMain, that
is the time service asking for the time (LAN to WAN)

The Destination port being 123 is the port that receives the information
from the Time server to the Time service on HSMain. (WAN to LAN)

If I am understanding this correctly, then all I should have to do is open
port 123 since all ports are open from the LAN to the WAN but not the other
way around.

If I have this confused and mixed up then my problem is that once I open up
1024 and above is there a way to figure out what port it's using and to lock
it to that port. Otherwise I am open to a lot of stuff.

Adam

 

[Frances [MSFT]]

Hello Adam,

I think it is just opposite to what you understand.

Generally speaking, when the connection is made to the NTP server the
destination port is normally UDP port 123 but the source port can be a
random UDP port above 1024. Therefore on the firewall please make sure
that UDP ports above 1024 are open for the NTP Servers response.

I have fixed a similar issue for a previous customer by opening UDP ports
above 1024 on his Firewall and things are working great since then.

Regarding your concern, please use Network monitor to monitor the network.
You can refer to the following KB to get more idea about netmon.

About Network Monitor 2.0
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmon/netm
on/about_network_monitor_2_0.asp

148942 How to Capture Network Traffic with Network Monitor
http://support.microsoft.com/?id=148942

You can download netmon from the link below. It is a time-bombed version of
Network Monitor:
ftp://ftp.microsoft.com/PSS/Tools/NetMon/NETMON2.ZIP


If you have any further questions, don't hesitate to get in touch!

Best regards,

Frances He


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Adam Raff]

Hi Frances,

I am getting stuck on the lingo here can you please give me an example like
I did for you on my previous email. You can use HSMain as the server. Such
as the following

I am getting very confused between the Source and Destination what starts it
and what finishes it. In my earlier example I stated the following

The Source Port being 1024 or above is the port that comes from HSMain,
that
is the time service asking for the time (LAN to WAN)

The Destination port being 123 is the port that receives the information
from the Time server to the Time service on HSMain. (WAN to LAN)


From what you are saying it should be as follows:

The Source Port being 123 is the port on my firewall that HSMain uses to
allow the Time Services call to get out. In essences, HSMain asking for
the correct time so it sends out to North-America.pool.ntp.org. (LAN to WAN)

The Destination Port 1024 or above, being the response from
North-America.pool.ntp.org, and uses port 1024 or above on my firewall to
allow the response back into our network so that HSMain Time Services can
update HSMain clock. (WAN to LAN)

Is this correct?

 

[Frances [MSFT]]

Hello Adam,

It seems that we dwell on the firewall, which is not the original main
concern. I suggest that you use netmon to capture the network packets and
send the related file to me. After analyzing the file, I can make sure
whether it is useful to open up ports on the firewall according to your
real environment.

Please follow the steps below.

Step 1: Install a Network Monitor:
=======================

1. To obtain a time-bombed version of Network Monitor, visit the following
Microsoft Web site:
ftp://ftp.microsoft.com/PSS/Tools/NetMon/NETMON2.ZIP

2. Download the netmon2.zip file. The password for that zip is "trace" (no
quotation marks).

3. Run the qfesetup.exe file to install Network Monitor on HSMain.

Step 2: Use the Network Monitor:
========================

1. Stop Windows Time service.

2. Run Network Monitor.
You will see the Select a network window. (If not, please select
Capture->Networks from the menu). In the popup box, expand "Local Computer"
and you'll see several entries. If the computer has more than one NIC
equipped, use "ipconfig /all" command under Command Prompt to check the MAC
address and then select the correct one in that window.

3. Click Start on the Capture menu.

4. Start Windows Time service.

5. Click Stop on the Capture menu.

6. Click File->Save as to save the capture.

7. Compress the file and send it to (e-mail address removed) for further
research.

I am looking forward to your reply!

Best regards,

Frances He


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Adam Raff]

Hi Frances,

The link that you provided is no good.

Also we may have fixed the problem at this time but I would still like to
verify what you are saying just in case.

Thanks
Adam

 

[Frances [MSFT]]

Hello Adam,

I have tried the link for you and it seemed to work properly.

Please recheck it to make sure all the addresses appear in the address box.
The link may have breaks which could be influencing your inability to find
the proper website.

Test it out again and let me know if there are still some issues.

I strongly suggest that you use netmon to check the port in your scenario.

About Win32 Network Time Synchronization Service, you can see the w32time
white paper from the Microsoft FTP site at:
ftp://ftp.microsoft.com/reskit/y2kfix/x86/w32time/w32time.doc

If you have any further questions, don't hesitate to get in touch!

Best regards,

Frances He


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Adam Raff]

Hi Frances,

I get the following message The page can not be displayed.

I will try this from home and see what I can do from there.

Adam

 

[Frances [MSFT]]

Hello Adam,

If you cannot download the netmon2.zip and the white paper I offered,
please send an email to (e-mail address removed). I can send them directly to
you if you want.

If you have any other concern, please feel free to let us know.

Best regards,

Frances He


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Frances [MSFT]]

Hello Adam,

We haven't heard from you. How is it going? Please feel free to respond to
the
newsgroups if you need additional help.

Have a great day!

Best regards,

Frances He


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.