Time service goes to another DC instead of external TS

[Vadim Rapp]

Hello,

I'm trying to set win2k sp4 server to synchronize with external time server,
for instance time.windows.com. With a third-party time utility I synchronize
successfully, so port 123 is open.

I run

C:\WINNT\Profiles\Administrator>net time /setsntp:time.windows.com
The command completed successfully.
C:\WINNT\Profiles\Administrator>net time /querysntp
The current SNTP value is: time.windows.com
The command completed successfully.

But then when I run w32tm -test -once -v, it appears that time service still
synchronizes with another domain controller.

This is happening on both PDC and BDC : PDC goes to BDC, BDC goes to PDC.
The output from w32tm follows.

I wonder, why does it not go to time.windows.com?


thanks,

Vadim Rapp
Polyscience, Inc.


C:\WINNT\Profiles\Administrator>w32tm -test -v -once
W32Time: BEGIN:InitAdjIncr
W32Time: Adj 156243 , Incr 156250 fAdjust 0
W32Time: 156243 Adj!=Incr 156250
W32Time: END:Line 2503
W32Time: BEGIN:TsUpTheThread
W32Time: END Line 1407
W32Time: TimeMMInit()
W32Time: Kernel timer : using default maximum resolution
W32Time: MaximumTime = 156250
W32Time: CurrentTime = 156250
W32Time: Timer calibrated, looped 1 times
W32Time: BEGIN:InitTmCfg
W32Time: END:Line 807
W32Time: BEGIN:InitTmCli
W32Time: END:Line 2596
W32Time: BEGIN:InitTmData
W32Time: END:Line 2618
W32Time: AvoidTimeSyncOnWan 0
W32Time: Period given in Registry 0xfffc
W32Time: BEGIN:CMOSSynchSet
W32Time: Setting adjustment 156243 - Bool 0
W32Time: BEGIN:SetTSTimeRes
W32Time: END:Line 1295
W32Time: END:Line 864
W32Time: BEGIN:InitializeDC
W32Time: BEGIN:GetRole
W32Time: Role is 'PDC'
W32Time: END Line 672
W32Time: BEGIN:FetchParentDomainName
W32Time: NetLogonGetTimeServiceParentDomain() returned 54b with ptr 0
W32Time: END:Line 782
W32Time: END:Line 704
W32Time: Server: Binding to 1 NIC.
W32Time: Advertising that I'm a Time Service Provider
W32Time: timeBeginPeriod: setting resolution 9
W32Time: BEGIN:TimeSync
W32Time: BEGIN:FGetType
W32Time: END Line 254
W32Time: BEGIN:FDoTimeNTPType
W32Time: BEGIN:FDoNT5DSType
W32Time: BEGIN:FBuildDCList
W32Time: BEGIN:GetNT5DCAddress
W32Time: Member of an Win2K domain. Looking for DCs.
W32Time: Accepting previously discoverd DC
W32Time: BEGIN:GetRole
W32Time: Role is 'PDC'
W32Time: END Line 672
W32Time: Calling DsGetDcNameA() for a DC GTS in the same
domain

W32Time: Using in domain DC as NO parent Domain DC
W32Time: DC address is 10.49.242.7
W32Time: DC friendly name is <dc name here>
W32Time: END Line 519
W32Time: The RID...5b7
W32Time: END Line 639
W32Time: New DomainController time source is located:
W32Time: END Line 971
W32Time: BEGIN:ChooseNTPServer
W32Time: END Line 2178
W32Time: BEGIN:GetSocketForSynch
W32Time: NTP: ntpptrs[0] - 10.49.242.7
W32Time: Port Pinging to - 123
W32Time: Connecting to "<dc name here>" (<correct subnet IP here>)
W32Time: END:Line 1170
W32Time: BEGIN:GetDefaultRid
W32Time: END Line 2354
W32Time: BEGIN:ComputeDelay
W32Time: BEGIN:NTPTry -- init
W32Time: END Line 1683
W32Time: BEGIN:NTPTry -- try
W32Time: BEGIN:ComputeInterval
W32Time: END Line 2479
W32Time: Sending to server 68 bytes...
W32Time: Recv'ed from server 68 Bytes...
W32Time: BEGIN:ComputeClientDigest
W32Time: END Line 2316
W32Time: ComputeClientDigest() returned 0
W32Time: END Line 1907
W32Time: BEGIN:NTPTry -- delay
W32Time: END Line 2012
W32Time: Round trip was 15ms
W32Time: BEGIN:NTPTry -- gettime
W32Time: BEGIN:Fgmtimetonttime
W32Time: END Line 2563
W32Time: END Line 1998
W32Time: one-way delay is 7ms
W32Time: END Line 1645
W32Time: END Line 368
W32Time: BEGIN:TimeDiff
W32Time: ClockError -1229
W32Time: END Line 2542
W32Time: BEGIN:FCheckTimeSanity
W32Time: Adjusting time by 1229 ms. No eventlog messages since time
difference is 0 <1 minute
W32Time: END Line 570
W32Time: BEGIN:SetTimeNow
W32Time: Would have Skewed for backwards, badj, btime = 78122 2458
W32Time: END Line 1280
W32Time: Time was 12min 57.443s
W32Time: Time is 12min 56.214s
W32Time: Error 1229ms
W32Time: BEGIN:CheckLeapFlag
W32Time: END:Line 606
W32Time: BEGIN:ComputePostTimeData
W32Time: BEGIN:ComputeInterval
W32Time: END Line 2479
W32Time: BEGIN:ComputeSleepStuff
W32Time: Computed stagger is 0ms, bias is 0ms
W32Time: Time until next sync - 2699.960s
W32Time: END:Line 816
W32Time: END:Line 221
W32Time: END:Line 196
W32Time: BEGIN:TermTime
W32Time: BEGIN:TsUpTheThread
W32Time: END Line 1407
W32Time: NTP(S): waiting for datagram...
W32Time: NTP(S): received shutdown notification.
W32Time: TimeMMCleanup()
W32Time: BEGIN:FinishCleanup
W32Time: BEGIN:TsUpTheThread
W32Time: END Line 1407
W32Time: Inform NetLogon That you are not a TS Provider
W32Time: BEGIN:UnInitializeDC
W32Time: Ptrs 0 - 0
W32Time: END:Line 727
W32Time: Time service stopped.
W32Time: END:Line 407

 

[Lanwench [MVP - Exchange]]

Hello,

I'm trying to set win2k sp4 server to synchronize with external time
server, for instance time.windows.com. With a third-party time
utility I synchronize successfully, so port 123 is open.

I run

C:\WINNT\Profiles\Administrator>net time /setsntp:time.windows.com
The command completed successfully.
C:\WINNT\Profiles\Administrator>net time /querysntp
The current SNTP value is: time.windows.com
The command completed successfully.

But then when I run w32tm -test -once -v, it appears that time
service still synchronizes with another domain controller.

This is happening on both PDC and BDC : PDC goes to BDC, BDC goes to
PDC. The output from w32tm follows.

I wonder, why does it not go to time.windows.com?

On your "PDC" (note, there's no such thing in Active Directory) - if you
type net time /querysntp <enter> what does it return?

You don't want your DCs all to sync independently with Internet time
servers. Your PDC emulator (your first DC) should be syncing with an
external time source, and your other servers & clients should get the time
from it. What is it you're trying to accomplish?

thanks,

Vadim Rapp
Polyscience, Inc.

<snip>

 

[Vadim Rapp]

Hello Lanwench:
You wrote in conference microsoft.public.win2000.general on Thu, 23 Dec
2004 21:07:32 -0500:

LME> On your "PDC" (note, there's no such thing in Active Directory) - if
LME> you type net time /querysntp <enter> what does it return?

It returns what you quoted 5 lines higher:

C:\WINNT\Profiles\Administrator>net time /querysntp
The current SNTP value is: time.windows.com

LME> You don't want your DCs all to sync independently with Internet time
LME> servers. Your PDC emulator (your first DC) should be syncing with an
LME> external time source, and your other servers & clients should get the
LME> time from it. What is it you're trying to accomplish?

It's the very first line of my question:

I'm trying to set win2k sp4 server to synchronize with external time
server, for instance time.windows.com.

I mentioned 2 servers only to show that this is happening on more than one
machine.


Vadim

 

[Lanwench [MVP - Exchange]]

Hello Lanwench:
You wrote in conference microsoft.public.win2000.general on Thu, 23
Dec 2004 21:07:32 -0500:

It's the very first line of my question:


I mentioned 2 servers only to show that this is happening on more
than one machine.


Vadim

One of my New Years' resolutions is now going to be: learn how to read.
Sorry!

On the PDC emulator - net time /setsntp:<timeserver name> <enter>
Does that help?

 

[Enkidu]

Hello Lanwench:
You wrote in conference microsoft.public.win2000.general on Thu, 23 Dec
2004 21:07:32 -0500:

LME> On your "PDC" (note, there's no such thing in Active Directory) - if
LME> you type net time /querysntp <enter> what does it return?

It returns what you quoted 5 lines higher:


LME> You don't want your DCs all to sync independently with Internet time
LME> servers. Your PDC emulator (your first DC) should be syncing with an
LME> external time source, and your other servers & clients should get the
LME> time from it. What is it you're trying to accomplish?

It's the very first line of my question:


I mentioned 2 servers only to show that this is happening on more than one
machine.

In an AD Domain (which has DCs, not PDCs or BDCs) the DC that holds
the PDC Emulator role is the preferred time source. All DCs and other
machines on the Domain should use this machine as a time reference.

As LanWench said.

Also LanWench asked what you are trying accomplish. She didn't ask
what you are trying to do.

Specifically, why are you trying to synchronize with an external time
server? Normally this happens automatically and you don't have to do
anything special.

Cheers,

Cliff

 

[Vadim Rapp]

LME> On the PDC emulator - net time /setsntp:<timeserver name> <enter>
LME> Does that help?

see my original post - 2 lines above /querysntp


Vadim

 

[Vadim Rapp]

E> Specifically, why are you trying to synchronize with an external time
E> server?

Because external time server is based on atomic clock, unlike any of my
machines, hence it is more accurate. I thought it was obvious.

E> Normally this happens automatically and you don't have to do anything
E> special.

You mean, even if I don't specify the external time source manually for any
machine, one of the servers in the network will realize that syncing with
external time soiurce is his mission, and configure itself accordingly all
by itself?


You guys are asking strange questions. I think I posted the question very clear:
I correctly configure ts to use external time source; but time server goes
instead to another dc; why so? I posted the detailed listing. You seem to be
concerned about anything but the problem itself: why am I doing this; what
machine I am doing it at. Does it matter?


Vadim

 

[Enkidu]

E> Specifically, why are you trying to synchronize with an external time
E> server?

Because external time server is based on atomic clock, unlike any of my
machines, hence it is more accurate. I thought it was obvious.

E> Normally this happens automatically and you don't have to do anything
E> special.

You mean, even if I don't specify the external time source manually for any
machine, one of the servers in the network will realize that syncing with
external time soiurce is his mission, and configure itself accordingly all
by itself?


You guys are asking strange questions. I think I posted the question very clear:
I correctly configure ts to use external time source; but time server goes
instead to another dc; why so? I posted the detailed listing. You seem to be
concerned about anything but the problem itself: why am I doing this; what
machine I am doing it at. Does it matter?

Yes, one of your servers on the network, the one with the PDC emulator
FSMO role, will, if it has access to the Internet (UDP port 123 from
memory), automatically connect to a time source on the Internet and
set the time. All other systems on the Network, DCs and member servers
and clients will synchronise with the PDC Emulator.

The reason for the "strange" questions is that we realise that you
should not need to set the timeserver(s) if the system is working
properly. The questions are aimed at finding out why your systems are
not behaving correctly.

Something is not working properly. That is causing you to need to set
the time manually. Surely it is more important to find out what is
wrong?

Cheers,

Cliff

 

[Vadim Rapp]

E> Yes, one of your servers on the network, the one with the PDC
E> emulator FSMO role, will, if it has access to the Internet
E> (UDP port 123 from memory), automatically connect to a time
E> source on the Internet and set the time. All other systems on
E> the Network, DCs and member servers and clients will
E> synchronise with the PDC Emulator.

Thanks; but is there a way to verify it somehow? I did not see any records
in the event log about it; and from running w32tm, from the listing I
posted, it appears that the time server does not go to the internet. Is
there a record somewhere that would tell me that this server is successfully
synchronizing with that external source?

All descriptions of how to specify the exernal time source in win2k that I
have seen, say that /setsntp to the manual time source is required; I'm very
curious, is what you said described anywhere? how will pdc emulator choose
the external time server by its own?


thanks,

Vadim

 

[Enkidu]

E> Yes, one of your servers on the network, the one with the PDC
E> emulator FSMO role, will, if it has access to the Internet
E> (UDP port 123 from memory), automatically connect to a time
E> source on the Internet and set the time. All other systems on
E> the Network, DCs and member servers and clients will
E> synchronise with the PDC Emulator.

Thanks; but is there a way to verify it somehow? I did not see any records
in the event log about it; and from running w32tm, from the listing I
posted, it appears that the time server does not go to the internet. Is
there a record somewhere that would tell me that this server is successfully
synchronizing with that external source?

All descriptions of how to specify the exernal time source in win2k that I
have seen, say that /setsntp to the manual time source is required; I'm very
curious, is what you said described anywhere? how will pdc emulator choose
the external time server by its own?

Have a look at this Microsoft reference:

http://tinyurl.com/4vezu

This says, in part: "Every computer that is running the Windows Time
service uses the service to maintain the most accurate time. In most
cases, it is not necessary to configure the Windows Time service.
Computers that are members of a domain act as a time client by
default. In addition, the Windows Time Service can be configured to
request time from a designated reference time source, and can also be
configured to provide time to clients."

Also: "To establish a computer running Windows Server 2003 as
authoritative, the computer must be configured to be a reliable time
source. By default, the first domain controller that is installed on a
Windows Server 2003 domain is automatically configured to be a
reliable time source. Because it is the authoritative computer for the
domain, it must be configured to synchronize with an external time
source rather than with the domain hierarchy. Also by default, all
other Windows Server 2003 domain members are configured to synchronize
with the domain hierarchy."

I believe that a PDC Emulator is by default configured to use a
particular time server, probably time.microsoft.com, but it doesn't
say that here. I don't recall ever having to set up the PDC Emulator
to use a particular source, but I could be wrong.

In any case I would set *only* the PDC Emulator to an external source
and let the rest of the Domain sort itself out as far as possible.

Cheers,

Cliff

Cheers,

Cliff

 

[Vadim Rapp]

Hello Cliff,

I read it differently.

"By default, the first domain controller that is installed on a
Windows Server 2003 domain is automatically configured to be a
reliable time source."

That means that it becomes the authoritative time source for the domain. But
it does not say that anything is done automatically "to support the claim",
i.e. to make it precise indeed.

"Because it is the authoritative computer for the
domain, it must be configured to synchronize with an external time
source rather than with the domain hierarchy. "

Must be configured, as I understand, by me, administrator. Other computers
_are_ configured by default, this one _must be_ configured by me.

In any case I would set *only* the PDC Emulator
to an external sourceand let the rest of the
Domain sort itself out as far as possible.

And that's what I'm trying to do; but, as follows from the log I posted,
even when I do configure it to use external time source, and it says (by
/querysntp) it is so configured, it still synchronizes with another DC;
while that another DC synchronizes with him.


Vadim

 

[Enkidu]

Hello Cliff,

I read it differently.

"By default, the first domain controller that is installed on a
Windows Server 2003 domain is automatically configured to be a
reliable time source."

That means that it becomes the authoritative time source for the domain. But
it does not say that anything is done automatically "to support the claim",
i.e. to make it precise indeed.

"Because it is the authoritative computer for the
domain, it must be configured to synchronize with an external time
source rather than with the domain hierarchy. "

Must be configured, as I understand, by me, administrator. Other computers
_are_ configured by default, this one _must be_ configured by me.

I'm open to contrdiction, but I believe that if you *don't* configure
it, it will use a predefined pre-compiled default. I'm only 75% sure
of this. I don't believe that I have ever configured a time server
unless it was not the default, if there is one.

And that's what I'm trying to do; but, as follows from the log I posted,
even when I do configure it to use external time source, and it says (by
/querysntp) it is so configured, it still synchronizes with another DC;
while that another DC synchronizes with him.

OK, I've understood this all along. Are you sure that the DC is the
PDC Emulator? If you are then I am at a loss.

Cheers,

Cliff

 

[Vadim Rapp]

E> I'm open to contrdiction, but I believe that if you *don't*
E> configure it, it will use a predefined pre-compiled default.
E> I'm only 75% sure of this. I don't believe that I have ever
E> configured a time server unless it was not the default, if
E> there is one.

OK; then how do you know it synchronizes with external time source?

If you stop time server and run from command line w32tm -once -v, it will
show you all details of the synchronization. Will there be time.windows.com,
or any other external server?

Vadim

 

[Vadim Rapp]

Found it. It was overridden by a GPO.

thanks,

Vadim

 

[Enkidu]

E> I'm open to contrdiction, but I believe that if you *don't*
E> configure it, it will use a predefined pre-compiled default.
E> I'm only 75% sure of this. I don't believe that I have ever
E> configured a time server unless it was not the default, if
E> there is one.

OK; then how do you know it synchronizes with external time source?

If you stop time server and run from command line w32tm -once -v, it will
show you all details of the synchronization. Will there be time.windows.com,
or any other external server?

I believe so. But I've not known a machine drift away from
synchronisation unless it has some connectivity problems and those are
usually evident in other ways. For example, if a DC drifts more than 5
minutes away from the Domain time, it will stop communicating with
other DCs, I believe.

In my experience the Time Service is one of those that *just works*
and causes few problems. Maybe I've just been lucky!

Hence the "strange" questions. <grin>

Incidentally the problems that I've had with the Time Service have all
been to do with synchronising Unix systems to it. To put it bluntly,
it doesn't work. Or I've not been able to make it work. In those cases
I've used a parallel Unix only Time Servce.

Cheers,

Cliff

 

[Enkidu]

Found it. It was overridden by a GPO.

Hi Vadim,

So someone had over-ridden the default behaviour by a GPO? And that
was causing the problems? Cool! Can you post details?

Cheers,

Cliff

 

[Vadim Rapp]

E> And that was causing the problems? Cool! Can you post details?

In the GPO, the specification was for all computers to synchronize with the
PDC emulator. The idea, as I understand, was that PDC emulator was
synchronizing using 3rd party utility.

So, even though /querysntp was returning time.windows.com , when it was
executing, it looked in the policy, saw itself instead, then drove the
standard way - looked for another DC in the domain. However, that course
change was not reflected in the verbose listing generated by w32tm.

Once I removed all specifications from the GPO, w32tm -once -v showed
connecting to time.windows.com.


thanks,

Vadim