6

Our Active Directory server has a problem whereby the time keeps setting itself 12 minutes ahead of the real time. This causes authentication issues on the network.

I have tried syncing to an external NTP service with the following:

```
w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:MANUAL
stop-service w32time
start-service w32time
```

Then tried to set the time 12 minutes back. But within seconds it skipped 12 minutes ahead again.

I tried to unregister the service using:

```
w32tm /unregister
```

Then tried setting the time correctly but again it reverted to the incorrect setting.

Is there some way I can set the time without it changing itself?

Aaron Cunnington
  • 4
    Is it a Virtual server? – BDRSuite Dec 18 '14 at 20:43
  • 4
    NTP is pretty infallible. I *highly* recommend keeping it on, especially on an AD server. Turning it off will lead to even more auth issues. What are you basing "real time" on? – Arthur Dec 18 '14 at 20:56
  • It is a virtual server. The host has the correct time. I'm basing real time on the time I see on my phone, which is the same time I see on all servers except this one. –  Dec 19 '14 at 10:20
  • 1
    What's the result of `w32tm /query /source`, and what virtualization do you use? – marsh-wiggle Dec 19 '14 at 14:04
  • 1
    If using hyper-v you may find help [here](http://blogs.msdn.com/b/virtual_pc_guy/archive/2010/11/19/time-synchronization-in-hyper-v.aspx). This question seems to fit: `Question #7 – I have a virtual machine that has gotten ahead of time, and it never gets corrected back to the correct time. What is going on here?` and `Question #6 – Wait a minute! My virtual machine should be synchronizing to the domain (or an external server) – but when I run that command it tells me that the Hyper-V time synchronization provider is being used! How do I fix this` (the document is for W2008R2 hyper-v) – marsh-wiggle Dec 19 '14 at 14:21
  • 1
    @Arthur wait... Windows supports actual NTP now? – Hyppy Dec 19 '14 at 14:36
  • 2
    @Hyppy [If by "now", you mean since about 15 years ago, then yes](http://support.ntp.org/bin/view/Support/WindowsTimeService). Windows does support NTP "now". :) – HopelessN00b Dec 19 '14 at 14:41
  • 1
    @HopelessN00b All I remember is trying to get a windows 2008 DC to participate in NTP peering (or acting as a higher stratum) with *nix and Cisco, and never being able to find a non-third-party answer. – Hyppy Dec 19 '14 at 14:43
  • @hyppy by default, all workstations on the domain try to sync up with the DC using NTP. I'm not exactly sure what sort of options there are when it comes to using it as a server for non AD computers, but the purpose of including it was so all AD computers have roughly the same time. – Arthur Dec 19 '14 at 17:49
  • 3
    You all had me questioning my sanity, but after re-researching I found that indeed Windows' W32Time implementation of NTP is a bit... off. It's really SNTP half-baked into an NTP lookalike. For example, it's only accurate to ~3+ seconds, and doesn't implement error checking/filtering correctly enough for real NTP peers to maintain an association. MS specifically suggests using third-party tools for time sensitive clock keeping or for time synchronization not specific to Kerberos. https://support.microsoft.com/kb/939322 – Hyppy Dec 19 '14 at 18:01
  • @hyppy huh. TIL. – Arthur Dec 19 '14 at 18:20
  • Is the server actually able to reach pool.ntp.org? – Katherine Villyard Dec 19 '14 at 20:03

2 Answers

1

First off, pool.ntp.org is not a recommended source for the Windows Time Service. See here: Active Directory Time Synchronisation - Time-Service Event ID 50

I am confused by your comment that this one server is off, but all the other ones are accurate, but you are using pool.ntp.org. In an Active Directory environment, the PDCe is the "root" time server that every other domain controller syncs against (and every member server and workstation syncs against the domain controllers). The PDCe should be configured to sync with an external time source via NTP. The PDCe should be the only server that syncs with an external source.

See here: http://blogs.technet.com/b/nepapfe/archive/2013/03/01/it-s-simple-time-configuration-in-active-directory.aspx

Note that if you are in an Active Directory environment, and everything is syncing from the PDCe as it should, then VMs should not be configured to sync their time with the physical host. If you have two things trying to correct the clock, they will fight each other.

myron-semack
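The hierarchy described in the answer above, as an added PowerShell example (not part of the original answer): it reports which server holds the PDC emulator role, shows what W32Time is currently following, and applies the matching configuration. `time.example.net` is a placeholder for whichever external source you choose, and the script assumes an elevated session on a domain-joined server.

```powershell
# Added example, not the answerer's code. Run elevated on the server in question.
# ASSUMPTION: time.example.net is a placeholder for your external NTP source.
$ExternalHost  = 'time.example.net'
$ExternalPeers = "$ExternalHost,0x8"        # 0x8 = query the peer in client mode

# Find the PDC emulator and work out whether this machine is it.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdce   = $domain.PdcRoleOwner.Name
$cs     = Get-CimInstance Win32_ComputerSystem
$fqdn   = "$($cs.DNSHostName).$($cs.Domain)"
$isPdce = $fqdn -ieq $pdce

# What is the Windows Time service actually following right now?
$source = (w32tm /query /source | Out-String).Trim()
Write-Host "PDC emulator   : $pdce"
Write-Host "This server    : $fqdn (holds PDCe role: $isPdce)"
Write-Host "Current source : $source"

# On a Hyper-V guest this source means the host integration service is steering
# the clock, which competes with the domain hierarchy.
if ($source -match 'VM IC Time Synchronization Provider') {
    Write-Warning 'Clock is following the Hyper-V host; disable host time sync for this VM.'
}

if ($isPdce) {
    # Only the PDC emulator syncs with an external source.
    w32tm /config "/manualpeerlist:$ExternalPeers" /syncfromflags:manual /reliable:yes /update
    $compareTo = $ExternalHost
} else {
    # Every other DC and member server follows the domain hierarchy.
    w32tm /config /syncfromflags:domhier /update
    $compareTo = $pdce
}

# Drop the old source, pick up the new one, then measure the remaining offset.
w32tm /resync /rediscover
w32tm /stripchart "/computer:$compareTo" /samples:3 /dataonly
```

Kerberos tolerates five minutes of clock skew by default, so the offsets printed by the last command should sit far below that once the competing time source is gone.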
0

I've had a similar issue. I think my time was about 5 minutes out... I tried all the usual w32time commands / restarted services and it wouldn't adjust... No Joy!!

What I did in the end was purposefully set the time to something obscure, e.g. a few months ahead or behind, re-ran the w32time commands, and hey presto, it came back within a good tolerance (a few milliseconds).

Rhys Evans