Time Sync on Server 2003
I understand how the time sync should work. The PDCE syncs with an external time source or hardware clock. Other DCs sync with the PDCE, and workstations and member servers sync with domain controllers, right?
I'm a little confused about the commands. Net Time is used, it seems, on a deprecated basis and replaced with w32tm. On a 2003 domain it seems some net time commands are used and some w32tm commands are used.
The problem is, some DCs in my client's domain are not configured with a time source. Seems easy enough to fix with the w32tm command to sync with a DC. On the PDCE, if I run the net time /setsntp command and set it to the external time source and then run net time /querysntp, it will reflect the external time server as the time source. However, if I then just run the net time command, it says the 'local time on at \\servername is xxxx'. The servername listed is another DC.
I would expect it to return itself - the time on the local machine.
I need to fix this for the client. Unfortunately, due to change control restrictions, I can't do anything until I write up the steps and get them approved. Can someone be so kind as to provide the proper commands for setting the external time source on the PDCE and then the commands to run on the other DCs for Windows 2003 servers? I don't have a test lab to play with and can't 'just try things' on the client site.
Any help is greatly appreciated.
July 20th, 2012 5:55pm
Hello Glen,
A useful link for your reference to configure a time source at your place.
Configuring a time source for the forest: http://technet.microsoft.com/en-us/library/cc784800(v=ws.10)
Regards, Ravikumar P
July 20th, 2012 6:46pm
Hi Glen,
Thank you for the post.
1. Do not use the "net time" command on Windows 2003 and later. Configure your domain time service as below:
On the PDC server:
w32tm /config /manualpeerlist:time-a.nist.gov /syncfromflags:manual /reliable:yes /update
net stop w32time
net start w32time
On other DCs:
w32tm /config /syncfromflags:domhier /update
net stop w32time
net start w32time
2. When you run net time without an option, the workstation will show one time source on the network. So your client display is normal. Run the command "net time \\localhost" to show the time on the local machine.
http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx
If there are more inquiries on this issue, please feel free to let us know.
Regards,
Rick Tan
TechNet Community Support
July 23rd, 2012 2:32am
Hi Glen,
If I didn't read your question wrongly, your question is when you are on PDCE and applied NET TIME command, you are getting the local time from another DC. Am I right?
If you have applied the NET TIME command on the PDCE without any other option and it displays "local time on at \\servername is xxxx", it means that your domain main time server is \\servername. I hope I have answered your question.
__________________________________
NET TIME
[\\computername | /DOMAIN[:domainname] | /RTSDOMAIN[:domainname]] [/SET]
NET TIME synchronizes the computer's clock with that of another computer
or domain, or displays the time for a computer or domain.
When used without options on a Windows Server domain, it displays the current
date and time at the computer designated as the time server for the domain.
\\computername Is the name of the computer you want to check or synchronize with.
/DOMAIN[:domainname] Specifies to synchronize the time from the Primary Domain Controller of domainname.
/RTSDOMAIN[:domainname] Specifies to synchronize with a Reliable Time Server from domainname.
/SET Synchronizes the computer's time with the time on the specified computer or domain.
The /QUERYSNTP and /SETSNTP options have been deprecated. Please use w32tm.exe
to configure the Windows Time Service.
NET HELP command | MORE displays Help one screen at a time.
__________________________________
You can use this to find out if your PDCE is configured to external time server on Server 2003.
C:\> W32TM /dumpreg /subkey:parameters
You can configure the PDCE to external time server on Server 2003. (http://technet.microsoft.com/en-us/library/cc786897(v=ws.10))
C:\> W32TM /config /manualpeerlist:time.windows.com /reliable:yes /update
If you are interested in reading further about the differences between W32TM and NET TIME, kindly read the link below on why NET TIME is still around. It is good reading for all administrators.
http://blogs.msdn.com/b/w32time/archive/2009/08/07/net-time-and-w32time.aspx
July 23rd, 2012 4:12am
Hello,
I also recommend reading Meinolf's article about Windows Domain Time Synchronization: http://msmvps.com/blogs/mweber/archive/2010/06/27/time-configuration-in-a-windows-domain.aspx
July 23rd, 2012 4:14am
Thank you all very much for your replies. Very helpful. And I will read the recommended articles.
I do have another question though...
Rick, you are saying "When you run net time without option, the workstation will show one time source on the network. So your client display is normal." That makes sense. Does it pick a specific server or just one at random?
But Ryen says - "If you have applied NET TIME command on PDCE without any other option and it display "local time on at \\servername is xxxx", it means that your domain main time server is \\servername."
That might be the root of my question - what is the 'main time server'? I would expect that to be the PDCE, so running the NET TIME command directly on the PDCE, I would expect it to return the time on itself. Can you clarify? I want to make sure the PDCE is configured as the main time server.
Thanks again for your assistance on this.
July 23rd, 2012 12:05pm
Hi Glen
Why don't you use GPO to sync time?
Best regards
Dubravko Marak
MCP
July 23rd, 2012 12:54pm
Hi Glen,
Does it pick a specific server or just one at random?
Please first read the Time Synchronization in an AD DS Hierarchy chart and the Time Source Selection section in this article.
A computer uses one of the following methods to identify a time source to synchronize with:
If the computer is not a member of a domain, it must be configured to synchronize with a specified time source.
If the computer is a member server or workstation within a domain, by default, it follows the AD DS hierarchy and synchronizes its time with a domain controller in its local domain that is currently running the Windows Time service.
So the server is the workstation's logon DC server (based on AD site and subnet), which can be shown via the command "set l".
Regards,
Rick Tan
July 24th, 2012 12:06am
Hi Glen,
Can you export this from the registry on the PDCE and paste it in here?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\Parameters
July 25th, 2012 3:42am
Here it is...
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"ServiceMain"="SvchostEntry_W32Time"
"ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,33,00,\
32,00,74,00,69,00,6d,00,65,00,2e,00,64,00,6c,00,6c,00,00,00
"NtpServer"="172.xx.x.254 172.xx.x.1"
"Type"="NT5DS"
By the way, I have 'Alert me' checked and an email address configured but I'm not getting alerts, so I don't always reply as quickly as I'd like.
July 25th, 2012 3:11pm
Hi Glen,
What is your PDCE IP address?
"NtpServer"="172.xx.x.254 172.xx.x.1"
Your preferred time is from this host with the IP address of 172.xx.x.254
Your next time is from this host with the IP address of 172.xx.x.1
So when you use NET TIME, which host IP address did you get? 172.xx.x.254 or 172.xx.x.1
NtpServer : REG_SZ (optional) Used to manually configure the time source. Set this to the DNS name or IP address of the NTP server to synchronize from. You can modify this from the command line by using the net time command. Value is blank by default
http://support.microsoft.com/kb/223184
To guarantee appropriate common time usage, the Windows Time service uses a hierarchical relationship that controls authority, and the Windows Time service does not allow for loops. By default, Windows-based computers use the following hierarchy:
All client desktop computers nominate the authenticating domain controller as their in-bound time partner.
All member servers follow the same process that client desktop computers follow.
All domain controllers in a domain nominate the primary domain controller (PDC) operations master as their in-bound time partner.
All PDC operations masters follow the hierarchy of domains in the selection of their in-bound time partner.
How to configure an authoritative time server in Windows Server
http://support.microsoft.com/kb/816042#method2
July 26th, 2012 7:16am
The IP of the PDCE is 172.x.97.12
When I do the NET TIME command on the PDCE it says "The current time at \\ServerX is " where ServerX is another DC that holds no FSMO roles. Running NET TIME on the PDCE does not return the time from either of the servers listed as the time source. Should it?
I just noticed this in Event Viewer. Even though the registry settings above would indicate the PDCE is configured with a time source, I get the following:
Event Type: Warning
Event Source: W32Time
Event Category: None
Event ID: 36
Date: 7/25/2012
Time: 11:08:53 PM
User: N/A
Computer: the PDCE dc
Description:
The time service has not synchronized the system time for 86400 seconds because none of the time service providers provided a usable time stamp. The time service is no longer synchronized and cannot provide the time to other clients or update the system clock. Monitor the system events displayed in the Event Viewer to make sure that a more serious problem does not exist.
And....
TimeWritten Source EventID Message
----------- ------ ------- -------
7/25/2012 11:08:53 PM W32Time 36 The time service has not synchronized the system time for 86400 seconds ...
7/24/2012 11:08:53 PM W32Time 12 Time Provider NtpClient: This machine is configured to use the domain hierarchy to...
7/24/2012 11:05:43 PM W32Time 22 The time provider NtpServer encountered an error while digitally signing the ...
7/24/2012 11:05:31 PM W32Time 22 The time provider NtpServer encountered an error while digitally signing the ...
7/18/2012 11:40:13 PM W32Time 12 Time Provider NtpClient: This machine is configured to use the domain hierarchy to...
6/27/2012 11:51:29 PM W32Time 36 The time service has not synchronized the system time for 86400 seconds ...
6/27/2012 9:27:29 AM W32Time 22 The time provider NtpServer encountered an error while digitally signing the ...
6/27/2012 9:27:19 AM W32Time 22 The time provider NtpServer encountered an error while digitally signing the ...
6/27/2012 9:27:13 AM W32Time 22 The time provider NtpServer encountered an error while digitally signing the ...
6/26/2012 11:51:29 PM W32Time 12 Time Provider NtpClient: This machine is configured to use the domain hierarchy to...
5/23/2012 11:51:34 PM W32Time 36 The time service has not synchronized the system time for 86400 seconds ...
5/22/2012 11:51:34 PM W32Time 12 Time Provider NtpClient: This machine is configured to use the domain hierarchy to...
5/22/2012 11:48:19 PM W32Time 22 The time provider NtpServer encountered an error while digitally signing the ...
5/22/2012 11:48:07 PM W32Time 22 The time provider NtpServer encountered an error while digitally signing the ...
5/8/2012 1:47:08 AM W32Time 22 The time provider NtpServer encountered an error while digitally signing the ...
The details to EventID 22 are as follows:
The time provider NtpServer encountered an error while digitally signing the NTP response for peer <multipleIPaddresses>:123. NtpServer cannot provide secure (signed) time to the client and will ignore the request. The error was: Not enough storage is available to process this command. (0x80070008)
-----------------------------
Occasionally the above message also ends with "the specified user does not exist" or "This operation is only allowed on the primary domain controller of the domain. (0x800708B2)"
The change is scheduled to be done next week so I'm hoping to get things as much in line as possible before then.
Thank you again for all your assistance.
July 27th, 2012 9:09am
Hi,
So what are these 172.xx.x.254 or 172.xx.x.1? And what is ServerX's IP address?
172.xx.x.254 or 172.xx.x.1 are in a private IP address range, so they point to somewhere internal within your organisation. That means your PDCE is not getting time from external at all. Secondly, if those 172.xx.x.254 or 172.xx.x.1 are not reachable, then that will explain why you are getting Event ID 36.
Event ID 36 Detail
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.2&EvtID=36&EvtSrc=w32time&LCID=1033
July 28th, 2012 2:37am
Ryen,
I am only at this client on a limited basis so I don't have a lot of details, but it is my understanding that those two servers - the 172.xx.x.254 and 172.xx.x.1 - are Linux servers running NTP. I have asked them to verify that UDP port 123 is open.
Those two servers are not technically external since they are obviously on the internal LAN, but those servers do sync to an external source and are the servers they want to be the time servers for the PDC. Does it matter that they are not on an external network?
In other words, as long as they are 'external' to the PDC and are truly reliable time servers, shouldn't that work just fine?
Is there a way I can tell if those time servers are the 'right' sort of time servers? They obviously show up in the registry but are they giving the right sort of reply to the PDC?
I don't know the IP address of ServerX but it is just another DC in the domain that holds no FSMO roles.
July 28th, 2012 10:32pm
Hi,
Because I don't know your infrastructure design at all, I was assuming 172.xx.x.254 and 172.xx.x.1 were a router/gateway or Wintel boxes or any devices. In fact, there is no issue if you have a Linux NTP server in the infrastructure as long as your Linux has samba and winbind for Kerberos authentication with AD. If not, AD will not regard them as a domain member and therefore authentication failed.
If you look at event 22 in your event log, the full detailed explanation of the event is below.
Event ID 22
http://technet.microsoft.com/en-us/library/cc756497(v=ws.10).aspx
It is clear enough that there is an authentication issue from the NTP source and you will need to check those Linux servers. I will not be able to support you any further in this forum as this will be mainly a Linux NTP server issue. You might want to post the Linux NTP & AD integration question in the Linux distro forum and probably I can help you from there. Cheers.
July 29th, 2012 3:34am
Hi Glen,
I would like to confirm what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.
Regards,
Rick Tan
August 2nd, 2012 11:29pm
I will be making this change today. Turns out the time source is a Cisco appliance. I believe it is a Cisco switch. I suspect the issue might be how this device and the Windows servers are communicating. I'll have to see what comes of it when I make the changes above, reset everything and try to resync things up.
Thank you for the help.
August 9th, 2012 12:37pm
Upon further investigation, I find that this client has a setting in the Default Domain policy to apply sntp settings. I originally looked for this in the default domain controller policy and didn't find it per article KB929276, then found it in the default policy.
So, I will remove those settings and retry syncing the time again. Unfortunately this client has fairly strong change management requirements so it will probably be a week before I can perform the changes.
August 10th, 2012 12:15am
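An added example, not part of any post in this thread: a PowerShell check that works out which time source W32Time will actually use from the Type and NtpServer values, run first on the two values from the registry export posted above (Type NT5DS together with an NtpServer list). The function names, the Group Policy key path and the rule that a policy value overrides the local one are assumptions of this example.

```powershell
# Added example, not from the thread. Reports which time source W32Time will
# use, given its "Type" and "NtpServer" values.
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
# Assumption: values delivered by Group Policy are stored under this key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'

function Get-RegValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or the value does not exist.
    if (-not (Test-Path $Key)) { return $null }
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Resolve-TimeSource {
    param([string]$Type, [string]$NtpServer)

    # NtpServer is a space-separated list; an entry may carry a ",0x.." flag suffix.
    $peers = @()
    if ($NtpServer) {
        $peers = @($NtpServer.Split(' ') | Where-Object { $_ } |
                   ForEach-Object { $_.Split(',')[0] })
    }

    switch ($Type) {
        'NT5DS'   { $source = 'domain hierarchy';                      $listUsed = $false }
        'NTP'     { $source = 'manual peer list';                      $listUsed = $true  }
        'AllSync' { $source = 'domain hierarchy and manual peer list'; $listUsed = $true  }
        'NoSync'  { $source = 'none (no synchronization)';             $listUsed = $false }
        default   { $source = "unknown Type '$Type'";                  $listUsed = $false }
    }

    $finding = 'OK'
    if (($peers.Count -gt 0) -and (-not $listUsed)) {
        $finding = "NtpServer is set but ignored because Type=$Type"
    } elseif (($Type -eq 'NTP') -and ($peers.Count -eq 0)) {
        $finding = 'Type=NTP needs an NtpServer list, but none is set'
    }

    New-Object PSObject -Property @{
        Type            = $Type
        Peers           = ($peers -join ', ')
        EffectiveSource = $source
        Finding         = $finding
    }
}

# Constructed input: the two values from the registry export in the thread.
Resolve-TimeSource -Type 'NT5DS' -NtpServer '172.xx.x.254 172.xx.x.1' | Format-List

# Live check on a server: a policy value, when present, is taken over the local one.
$type = Get-RegValue $PolicyKey 'Type'
if (-not $type) { $type = Get-RegValue $LocalKey 'Type' }
$ntp = Get-RegValue $PolicyKey 'NtpServer'
if (-not $ntp) { $ntp = Get-RegValue $LocalKey 'NtpServer' }
Resolve-TimeSource -Type $type -NtpServer $ntp | Format-List
```

For the values posted in the thread the finding is that the NtpServer list is ignored, which agrees with the Event ID 12 entries saying the machine is configured to use the domain hierarchy.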