Anyone have any exp with syncing time across DC's?

[hardware_failure]

I am trying to sync time on 3x domain controllers and its driving me nuts.

2 of them are 2003 and 1 is 2008r2. The time is off on the 2x 2003 DC's, by almost the exact same amount.

The 2008r2 server appears to be the pdc and its time is spot on...
When I run:

dsquery server -hasfsmo pdc

I get:

"CN=SRVRDC08,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=
mydomain,DC=com"

When I run

w32tm /monitor

I get:

exchange.mydomain.com [10.18.12.53]:
    ICMP: 0ms delay.
    NTP: +75.9978513s offset from SRVRDC08.mydomain.com
        RefID: SRVRDC08.mydomain.com [10.18.12.120]
SRVRDC08.mydomain.com *** PDC *** [10.18.12.120]:
    ICMP: 0ms delay.
    NTP: +0.0000000s offset from SRVRDC08.mydomain.com
        RefID: ec2-54-235-96-196.compute-1.amazonaws.com [54.235.96.196]
printserver.mydomain.com [10.18.12.67]:
    ICMP: 0ms delay.
    NTP: +74.7287684s offset from SRVRDC08.mydomain.com
        RefID: SRVRDC08.mydomain.com [10.18.12.120]

I have tried the following commands on each of the 2x 2003 servers with no avail:

w32tm /unregister
w32tm /register

w32tm /config /syncfromflags:domhier /update
W32tm /resync /rediscover

w32tm /config /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org" /syncfromflags:manual
w32tm /config /update

If I stop the w32time and manually change the time on either of the 2 2003 servers, they almost instantly resync to being 75 seconds off.

Any suggestions would be greatly appreciated. Thanks!

 

[bigdogchris]

The DC hosting PDC Emulator role should be configured to use an external time source, otherwise everything in the domain will automatically sync with the PDC emulator without need for configuration changes.

Have you previously modified the w32time on your DCs?

If you have seized or moved the PDC Emulator role to a different DC in the past, you may have issues. SOURCE

 

[hardware_failure]

If you have seized or moved the PDC Emulator role to a different DC in the past, you may have issues. SOURCE

Yes, I believe the PDC emulator role has been moved at least 2 times over the last ~8years.
Reading the article now, thanks.

 

[hardware_failure]

I've already done everything that this article explains.

First it lists how to "Configure External Time service on DC holding PDC emulator role" (or with its own CMOS settings.) This worked no problem.

Then it explains to "Changing the time service configuration on previous DC holding PDC Emulator. ( So that it will Sync with new PDC Emulator time)"

Ive done this but no dice. I guess at this point Im not sure how to find out what these other DC's are syncing with and why they are 75 seconds off.

 

[bigdogchris]

Try this on the non-PDC Emulator DC's

http://technet.microsoft.com/en-us/library/cc738995(v=ws.10).aspx

Then reboot them.

 

[shaggy4411]

To check where your two 2k3 DC's are pointing try net time /querysntp

Can use w32tm /query /status to check the Source value on 2008 systems

Also make sure your PDC has a NTP server set at the following registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

 

[hardware_failure]

To check where your two 2k3 DC's are pointing try net time /querysntp

Can use w32tm /query /status to check the Source value on 2008 systems

Also make sure your PDC has a NTP server set at the following registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

Ran the "fix it" on "printserver", ran fine but no change.

printserver.mydomain.com [10.18.12.67]:
    ICMP: 0ms delay.
    NTP: +77.5798545s offset from SRVRDC08.mydomain.com
        RefID: SRVRDC08.mydomain [10.18.12.120]

When I run the fix it on "exchange" I get this:

SRVRDC08 appears to be configured properly:

EXCHANGE: net time /querysntp
The current SNTP value is: 0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org

PRINTSERVER: net time /querysntp
This computer is not currently configured to use a specific SNTP server.

 

[hardware_failure]

Also If I sound grumpy its just because this is frustrating and baffling.

I really really appreciate everyone's help!

 

[shaggy4411]

Things to check on SRVRDC08:
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
This value should be set to 5 to mark SRVRDC08 as a reliable time server

Also worth checking
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection
This is the max amount of positive time that can be corrected (default is 48hrs and displayed in seconds as 172800).

On your 2 other servers check:
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
This value should be set to NT5DS which means they will sync time from the domain hierarchy (PDC)

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
Default value should be 10 for domain clients and member servers

Also if by chance these are virtual servers you will need to disable any integration services that try to sync time from the host.

 

[hardware_failure]

Also if by chance these are virtual servers you will need to disable any integration services that try to sync time from the host.

OMG I owe you a beer. I dunno if I should be very happy or very embarrassed.

They are both virtualized. Went to settings, integration Services, Unchecked Time Synchronization.

Then ran:
w32tm /resync /rediscover

Cha ching!

All better.

Thank you so so so much!

EDIT: extra funny tidbit if it wasnt already assumed... the VMhost was authenticated thu one of the DC's that was off. It was getting 75 sec off from the DC, and when I would temp fix the DC it would get 75 sec off from the host, and any time the host would re-sync it would stay 75 sec off from the DC. Kinda funny time loop

 

[PliotronX]

OMG I owe you a beer. I dunno if I should be very happy or very embarrassed.

They are both virtualized. Went to settings, integration Services, Unchecked Time Synchronization.

Then ran:
w32tm /resync /rediscover

Cha ching!

All better.

Thank you so so so much!

EDIT: extra funny tidbit if it wasnt already assumed... the VMhost was authenticated thu one of the DC's that was off. It was getting 75 sec off from the DC, and when I would temp fix the DC it would get 75 sec off from the host, and any time the host would re-sync it would stay 75 sec off from the DC. Kinda funny time loop

Was about to post the same as I found out about this diagnosing two offices with Kerberos issues and being off by 5-15 minutes. There are some gotchas with Hyper-V like this and leaving TCP/IP bound to virtual switches.