1

Our AD domain controller time runs 9/10 minutes fast. How do I resolve the issue?

Note: I looked at several answers/posts, but did not get enlightened.

Details: We have a Hyper-V Server, which hosts our primary and secondary DC (domain controllers).

I did see on several answers that Time Synchronization in the Integration Services settings must be unchecked. I complied. I read that following that, the Windows Time service on the DC must restart. I did that, as well as physically restarted each DC. Still, the same problem.

Here is a screenshot showing the Hyper-V with the setting unchecked.

Screenshot Showing Time Synchronization Option

I read that the NTP registry settings are important. I do not fully understand them, but here they are:

W32Time / Parameters

Registry: W32Time Parameters

W32Time / Config

enter image description here

Both DCs have the same settings.

The Hyper-V server has also the same problem with the time being 9/10 minutes fast.

Here are several articles that I looked at: Why is my NTP controlled computer clock two minutes ahead? Domain Controller time is 7 minutes fast Domain time ahead than the real time!

The answer in the first article did not do anything for my problem. The others were explained in a bit too complicated way or did not help.

What is the problem and the resolution?

UPDATE:

PDC (.50/AD1)

C:\>w32tm /query /source
Local CMOS Clock

C:\>w32tm /query /configuration
[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 10 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)

FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)


[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NT5DS (Local)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)

C:\>

DC (.51/AD2)

Windows PowerShell
Copyright (C) 2014 Microsoft Corporation. All rights reserved.

PS C:\> w32tm /query /source
JMR-AD1.ad.jmr.com
PS C:\> w32tm /query /configuration
[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 10 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)

FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)


[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NT5DS (Local)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)

PS C:\>
Sarah Weinberger
  • 421
  • 2
  • 9
  • 23
  • `Our AD domain controller time runs 9/10 minutes fast` - Fast in reference to what? – joeqwerty Dec 05 '17 at 17:31
  • Can you run the following from an elevated command prompt on each DC and post the output in your question. Please note which DC is the PDCe in the output. **w32tm /query /source** - **w32tm /query /configuration** – joeqwerty Dec 05 '17 at 17:51
  • @joeqwerty in comparison to reality time (office phone, cell phone, time.gov, etc.) – Sarah Weinberger Dec 05 '17 at 18:01
  • @joeqwerty I updated the question with the output. What does the 'e' in PDCe stand for? A Google search turned up Emulator. PDC is Primary Domain Controller. That would make Primary Domain Controller Emulator? I am not following what the 'e'/Emulator does and how that differs from the DC. – Sarah Weinberger Dec 05 '17 at 18:20
  • The e in PDCe does in fact stand for "emulator". The PDCe role is one of the 5 FSMO roles. The PDCe should be configured to sync time with an external time source. All other domain joined machines (including all other Domain Controllers) should by default sync their time with the domain hierarchy. Follow step 3 in the linked article to reconfigure the PDCe. As it stands right now, the PDCe is misconfigured. - https://technet.microsoft.com/en-us/library/cc794937(v=ws.10).aspx – joeqwerty Dec 05 '17 at 19:04
  • @joeqwerty I will comply and update to see if the link helps. I can tell you that earlier, when I logged in to get the response to the w32tm command, I manually adjusted the time and restarted the Windows Time service. Nothing happened, however I just happened to look at my local desktop and noticed that my local time is that of the PDC time, which I set, namely off by 30-seconds or so now. I did not do an accurate set. That means that you are 100% that the PDC is misconfigured. Stay tuned. – Sarah Weinberger Dec 05 '17 at 19:27

1 Answers1

0

You have no external time source listed for your systems to sync to.

To extend joequerty's answer about setting your PDC-emulator to sync to external clock source, you may wish to use Group Policy to configure it, so that the job of synchronising external time will follow whichever server holds the PDC-emulator role: See the article "Configure NTP Group Policy for PDC DC" here: http://www.cloudyfuture.net/2016/01/26/configure-pdc-emulator-ntp-settings-using-gpo/

(Ignore the article for client GPO)

CGretski
  • 111
  • 2