I have a Windows Server 2003 DC SP2 that is precisely 32 minutes slow. It is the only DC in the domain. The server is set to query tock.usno.navy.mil.

My Google-fu sadly has failed.

Any suggestions?

Update: Adding output from tests:

```
C:\WINDOWS>w32tm /query /peers
The command /query is unknown.

C:\WINDOWS>w32tm /query /status
The command /query is unknown.

C:\WINDOWS>w32tm /stripchart /computer:tock.usno.navy.mil
Tracking tock.usno.navy.mil [192.5.41.41].
The current time is 11/2/2014 9:27:04 AM (local time).
09:27:04 d:+00.1201609s o:+1856.8128875s  [                           |                          @]
09:27:06 d:+00.1401901s o:+1856.8143015s  [                           |                          @]
09:27:08 d:+00.1201612s o:+1856.8126128s  [                           |                          @]
09:27:10 d:+00.1201614s o:+1856.8096675s  [                           |                          @]
09:27:12 d:+00.1101425s o:+1856.8103257s  [                           |                          @]
09:27:14 d:+00.1101442s o:+1856.8155087s  [                           |                          @]
09:27:17 d:+00.1301757s o:+1856.8126955s  [                           |                          @]
09:27:19 d:+00.1201612s o:+1856.8113168s  [                           |                          @]
09:27:21 d:+00.1201602s o:+1856.8119927s  [                           |                          @]
09:27:23 d:+00.1201614s o:+1856.8190763s  [                           |                          @]
09:27:25 d:+00.1201567s o:+1856.8129546s  [                           |                          @]
09:27:27 d:+00.1201604s o:+1856.8101324s  [                           |                          @]
09:27:29 d:+00.1101463s o:+1856.8159978s  [                           |                          @]
09:27:32 d:+00.1301746s o:+1856.8195720s  [                           |                          @]
```

Update #2: A) The clock on the VM host of the DC (the DC is a VM) was behind by the same amount. B)

```
C:\WINDOWS>w32tm /resync
Sending resync command to local computer...
The computer did not resync because no time data was available.
```
amber
  • Please post the output of `w32tm /query /peers`, `w32tm /query /status`, and `w32tm /stripchart /computer:tock.usno.navy.mil` – Ryan Ries Nov 01 '14 at 01:48
  • A) What time does the hardware clock say? (Or if it's a VM, the host's clock.) B) `w32tm /resync` C) post your server's time config. – HopelessN00b Nov 01 '14 at 01:50
  • @RyanRies I added the output of all three commands though `w32tm` doesn't seem to recognize the /query argument. – amber Nov 02 '14 at 18:00
  • @HopelessN00b Added answers to A and B, don't know how to get you C. – amber Nov 02 '14 at 18:17
  • Ryan's answer covers it nicely, but for the sake of completeness, you'll probably want to set up your host to sync its time with a reliable time source too. Nothing screws up troubleshooting like your logs being off by half an hour. – HopelessN00b Nov 02 '14 at 19:15
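
The stripchart output in the question can be checked mechanically. The following is an added example, not part of the original post: it parses `w32tm /stripchart` sample lines and compares the mean offset with the Kerberos clock-skew tolerance. It assumes the Active Directory default tolerance of 5 minutes and, as in the question, that a positive offset means the local clock is behind; the function names are this example's own.

```python
import re
from statistics import mean

# Assumption: the AD default for "Maximum tolerance for computer clock
# synchronization" (5 minutes); adjust if domain policy changes it.
KERBEROS_MAX_SKEW_S = 300.0

# One sample line: HH:MM:SS d:<delay>s o:<offset>s [chart]
SAMPLE_RE = re.compile(
    r"^(\d{2}:\d{2}:\d{2})\s+d:([+-]\d+\.\d+)s\s+o:([+-]\d+\.\d+)s")

# First lines of the stripchart output posted in the question.
SAMPLE = """\
Tracking tock.usno.navy.mil [192.5.41.41].
The current time is 11/2/2014 9:27:04 AM (local time).
09:27:04 d:+00.1201609s o:+1856.8128875s  [            |           @]
09:27:06 d:+00.1401901s o:+1856.8143015s  [            |           @]
09:27:08 d:+00.1201612s o:+1856.8126128s  [            |           @]
"""

def parse_stripchart(text):
    """Return (time, delay_s, offset_s) per sample line; other lines are skipped."""
    samples = []
    for line in text.splitlines():
        m = SAMPLE_RE.match(line.strip())
        if m:
            samples.append((m.group(1), float(m.group(2)), float(m.group(3))))
    return samples

def assess(text, max_skew=KERBEROS_MAX_SKEW_S):
    """Summarise the offsets and flag a skew larger than Kerberos tolerates."""
    samples = parse_stripchart(text)
    if not samples:
        return {"status": "no-data"}  # e.g. the command failed or printed only errors
    offsets = [offset for _, _, offset in samples]
    avg = mean(offsets)
    return {
        "status": "skew-exceeds-kerberos" if abs(avg) > max_skew else "ok",
        "samples": len(samples),
        "mean_offset_s": round(avg, 3),
        "jitter_s": round(max(offsets) - min(offsets), 4),
        "local_clock": "behind" if avg > 0 else "ahead",
    }

if __name__ == "__main__":
    print(assess(SAMPLE))
```

A steady offset with jitter of a few milliseconds, as here, indicates the NTP server is reachable and consistent while the local clock is simply not being corrected.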

1 Answer

@amber My fault - you're right - very old versions of w32tm like the one in Server 2003 don't have the /query parameter. I was attempting to verify whether your system really was synchronizing with the navy.mil NTP server or not. You can still go traipsing through the registry to find the Windows Time settings, but I'd rather not. The stripchart verifying the huge offset between you and the NTP server tells me that you aren't actually synchronizing time with the navy.mil server like you think you are. But it also verifies that you can connect to the NTP server and read time from it, which is good.

If this is a virtual machine, I would disable the VM IC time sync integration and/or fix the time on the hypervisor.

[Image: Hyper V time integration]

Ben Armstrong, Hyper-V Program Manager, says never disable the Hyper-V time integration service, but he's not the boss of me, I say it's OK to do it in certain circumstances. :)

In situations where you have both the virtual machine time integration service turned on, and you also have internet NTP configured, the VM Time IC service typically overrides NTP. Which I think is what you're seeing here.

If this is a physical machine, I would start by just blowing away the existing w32time configuration and resetting to factory defaults, with these commands:

```
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
```

Then set your configuration to synchronize with the upstream NTP server like so:

```
w32tm /config /manualpeerlist:"tock.usno.navy.mil,0x8" /syncfromflags:MANUAL /reliable:yes /update
```

I would recommend that you set multiple time sources, which you can do by separating them with spaces, such as "tock.usno.navy.mil 0.us.pool.ntp.org", enclosing the whole thing with a set of quotation marks. The ,0x8 part after the server name is a bitmap, and can be any one of or a combination of 0x1, 0x2, 0x4, and/or 0x8.

0x1 Instead of following the NTP specification, wait for the interval specified in the SpecialPollInterval entry before attempting to recontact this time source. Setting this flag decreases network usage, but it also decreases accuracy.

0x2 Use this time source only as a fallback. If all time sources that are not fallbacks have failed, then the system selects one fallback time source at random and uses it.

0x4 Set the local computer to operate in symmetric active mode in the association with this source.

0x8 Set the local computer to operate in client mode in the association with this source.

You only want to set this configuration on your forest root PDCe. Everything else in your domain will use the Active Directory domain hierarchy to locate a time source. You don't want to point everything in your AD domain at an external time source.

**You may find it more important that you fix the NTP time on your hypervisor first. If you only fix your forest root PDCe, but you leave all your other virtual machines synchronizing incorrect time from the same hypervisor, then you'll leave yourself in a situation where your domain controllers have different time than all the domain members, and Kerberos authentication will break down, and you won't be able to log on to anything in the domain.**

I bolded the above paragraph because I'm warning you to be careful and think about what will happen before you go flipping switches. :)

Lastly, plan for an upgrade path away from Server 2003. The clock is ticking fast.

Ryan Ries
  • `Ben Armstrong, Hyper-V Program Manager, says never disable the Hyper-V time integration service, but he's not the boss of me, I say it's OK to do it in certain circumstances` - I agree and this is what I do as well. The host injects its time into the VM at boot (because the VM doesn't have an RTC) and from then on the VM syncs just as a physical machine would, without the need of the time synchronization integration service. – joeqwerty Nov 02 '14 at 18:29
  • @joeqwerty Yep, if and when I disable the VM time integration service, I usually do it for three reasons: A) I'm familiar and comfortable with internet NTP. B) For organizational/business reasons, I may not have the level of control over or visibility into the hypervisors that host my Active Directory VMs, and C) I may have both virtual and physical domain controllers, and I want them to all sync with the same common denominator. – Ryan Ries Nov 02 '14 at 18:37
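
The `/manualpeerlist` format described in the answer (space-separated peers, each with an optional `,0x…` flag bitmap) can be validated before it is applied. The following is an added example, not code from the answer or from Microsoft: the label strings and lint rules are this example's own, derived from the flag descriptions above, and it assumes flags are written in the `0x`-prefixed hex form the answer uses.

```python
# Flag bits as described in the answer; the label strings are this example's own.
FLAGS = {
    0x1: "special-poll-interval",
    0x2: "fallback-only",
    0x4: "symmetric-active",
    0x8: "client",
}

def parse_peer_list(value):
    """Split a /manualpeerlist value into [(host, flags_int)]."""
    peers = []
    for entry in value.split():
        host, sep, raw = entry.partition(",")
        if not host:
            raise ValueError(f"missing host name in {entry!r}")
        flags = 0
        if sep:
            # A comma must introduce hex flags; a second host name after a
            # comma means the peers were not separated with spaces.
            if not raw.lower().startswith("0x"):
                raise ValueError(f"bad flags in {entry!r}: separate peers with spaces")
            flags = int(raw, 16)
        peers.append((host, flags))
    return peers

def decode(flags):
    """Names of the flag bits that are set, lowest bit first."""
    return [name for bit, name in FLAGS.items() if flags & bit]

def lint(value):
    """Return findings for a peer list, based on the answer's recommendations."""
    peers = parse_peer_list(value)
    findings = []
    if len(peers) < 2:
        findings.append("only one time source configured")
    for host, flags in peers:
        unknown = flags & ~0xF
        if unknown:
            findings.append(f"{host}: unknown flag bits {unknown:#x}")
        if flags & 0x1:
            findings.append(f"{host}: 0x1 polls on SpecialPollInterval, less accurate")
    if peers and all(flags & 0x2 for _, flags in peers):
        findings.append("every source is fallback-only (0x2)")
    return findings

if __name__ == "__main__":
    print(lint("tock.usno.navy.mil,0x8"))
```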