W32Time not synchronizing with PDC after /syncfromflags:domhier

1

2

We have two domain controllers on a local network:

Zeus [PDC]
Neptune

Zeus is configured to pull from an external time source and is set as reliable:

w32tm /config /manualpeerlist:0.pool.ntp.org /syncfromflags:manual /reliable:yes /update

However, when setting Neptune to pull from the domain hierarchy, or even configuring it to pull from Zeus directly, W32Time always just pulls from CMOS:

w32tm /config /syncfromflags:domhier /update
Source: Local CMOS Clock
w32tm /config /manualpeerlist:zeus.example.com /syncfromflags:manual /update
Source: Local CMOS Clock

I've tried unregistering and reregistering Windows Time on Neptune to no avail:

net stop w32time
w32tm /unregister
w32tm /register
net start w32time

Zeus' firewall allows all incoming traffic on domain networks for purposes of testing, and there are no other network devices in between them.

IAmTheSquidward

Posted 2016-01-22T14:39:20.680

Reputation: 471

Answers

1

Let me tell you how I set up and run time on my domain controllers; they work without any problems, and the clients have no problem syncing up with them.

All machines go through these, what I call the "standard 4" lines from a command prompt:

sc stop w32time # Stop the service

w32tm /unregister # Clear the registry

w32tm /register # Re-register

sc start w32time # Restart the service

This flushes out any time information they may have accumulated. Now that we have a clean slate to work with, I set one DC as the primary time source. This is the machine that goes out on the internet looking for a time source to sync with; it then advertises as a reliable time source. (All other DCs in the domain sync with this DC and then advertise as well to their local clients.) The line you have above is pretty much the same line I use, but this only sets up the peerlist:

w32tm /config /update /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org"

Next I tell the DC to sync up and load in the correct time:

w32tm /resync /rediscover /nowait

And lastly, and this is where I think you are having trouble, I tell the DC to advertise on the network that it is a reliable time source:

w32tm /config /reliable:yes

All other DCs go through the same sequence, except for configuring the peerlist. They go through the first four lines and get a clean slate, then they are instructed to sync up (they automatically know to sync with the primary DC), and lastly they are told to advertise as a reliable time source.

With this in place we turn to the clients.

First of all, they must already be domain members; the DC will not respond to them if not. So join them to the domain if you haven't already.

They also go through the standard four and get cleared out.

sc stop w32time
w32tm /unregister
w32tm /register
sc start w32time

...and then you just tell them to sync up:

w32tm /resync /rediscover /nowait

They know enough to seek out a domain controller and get the correct time on their own. Give them a couple seconds to sync up and then enter:

w32tm /query /source

They will tell you the name of the DC they are syncing with.

I think in your case, you didn't tell the DC to advertise as a reliable time source, so the clients couldn't find a reliable DC and therefore they run from CMOS.

Good luck.

Larryc

Posted 2016-01-22T14:39:20.680

Reputation: 814

0

Late response, I know, but a few comments/observations from someone who has wrestled with this. Note: I don't claim to know the answer directly to your question.

  1. Have you submitted a resync after these config changes?
  2. What do your Event Logs say? Windows-Time can be quite vocal and gives reasonably good troubleshooting guidance.
  3. I wouldn't use the NTP pool for time sync with Windows domains. I previously read that Windows isn't fond of the change in server stratums, which is commonplace between requests.
  4. On your second DC, why not just set it to also sync from a manual peer list and see if that alters things?
  5. Extension of 3, here you can find a list of servers to sync with. You should even be able to find some stratum 1 servers in your region. I'm in the UK and have maintained perfect time sync using ntppub.le.ac.uk, ntp.cis.strath.ac.uk and ntp2c.mcc.ac.uk for years.

A previous question of mine generated a great response and there's tons of info here on this subject.

George

Posted 2016-01-22T14:39:20.680

Reputation: 163
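
A read-only diagnostic pass for the symptom in the question, gathering the checks the answers suggest (current source, configured sync type, NTP reachability of the PDC, Windows Time events) in one place. This is an added example, not code from any of the posts; `zeus.example.com` is the PDC name used in the question, and the sample count and 24-hour event window are assumptions.

```powershell
# Added example: read-only W32Time diagnostics for a DC that reports
# "Local CMOS Clock". Run elevated on the affected DC (Neptune in the question).
param(
    [string]$Pdc   = 'zeus.example.com',  # PDC name as written in the question
    [int]   $Hours = 24                   # assumed look-back window for events
)

# 1. Source the service is using right now.
$source = (w32tm /query /source | Out-String).Trim()
"Current source: $source"

# 2. Effective configuration. Each value is tagged (Local) or (Policy), so a
#    Group Policy setting that overrides 'w32tm /config' shows up here.
#    Type: NT5DS = domain hierarchy, NTP = manual peer list, NoSync = none.
"--- effective configuration ---"
w32tm /query /configuration |
    Select-String -Pattern '^\s*(Type|NtpServer|AnnounceFlags):'

# 3. Peers the NTP client has actually resolved (empty when none were found).
"--- peers ---"
w32tm /query /peers

# 4. Can this machine exchange NTP packets (UDP 123) with the PDC at all?
#    Error lines instead of offsets mean the PDC is not answering this host.
"--- stripchart against $Pdc ---"
w32tm /stripchart "/computer:$Pdc" /samples:3 /dataonly

# 5. Domain-wide view: every DC's offset relative to the PDC.
"--- w32tm /monitor ---"
w32tm /monitor

# 6. Windows Time service events usually say why a source was not used.
"--- Time-Service events, last $Hours h ---"
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Time-Service'
    StartTime    = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap

# 7. Flag the symptom from the question.
if ($source -match 'Local CMOS Clock|Free-running System Clock') {
    Write-Warning 'No network time source in use; review sections 2-6 above.'
}
```

Nothing in the script changes configuration, so it can be run before and after each `w32tm /config` or `/resync` attempt to see which step alters the source.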