Monday, September 10, 2007

Setting up an Authoritative Time Server

I received a ticket today regarding an issue with Windows Time being out of sync with the phone system, which just so happens to get its time from the official US Naval Observatory stratum server. Keep in mind we are running a semi-large domain, and in theory our workstations and servers all get their time from the PDC (Primary Domain Controller). It turns out we are in fact 3 minutes fast compared to the official US time, which can be found here.

So in order to troubleshoot this issue I went to our Primary Domain Controller. If you are unsure which server that is, you can download the Server 2003 Support Tools and run the NETDOM utility (from the command line: "netdom query fsmo") to see which server actually holds the PDC role. Once you have this information, log onto that server and check the registry settings defined in this article. To save time and space I won't repeat everything in the article, but here are some important points:

- All client desktop computers nominate the authenticating domain controller as their in-bound time partner.
- All member servers follow the same process that client desktop computers follow.
- All domain controllers in a domain nominate the primary domain controller (PDC) operations master as their in-bound time partner.
- All PDC operations masters follow the hierarchy of domains in the selection of their in-bound time partner.

So this information seemed to check out and all the registry settings were there (see 'Configuring the Windows Time service to use an external source' in the above link), but I was still not able to get the updated time. After looking into the issue further and doing some 'Googling', I found that if you have the Windows Time Service configured in Group Policy and any GPO with those settings is being applied to the Primary Domain Controller, the registry settings simply will NOT take effect: the policy values override them. Someone had this very thing configured in our Default Domain Controllers Policy, and after changing those settings to 'Not Configured' and updating the policy on the PDC (from the command line: gpupdate /force) I was able to sync the time without any issues.

When configuring an external time source for your domain always remember to:

- Check whether any Group Policies with Windows Time Service settings enabled are being applied to the Domain Controllers; if so, be sure to set them to Not Configured.
- Make sure only your PDC Emulator is set as the 'NTP' server, as mentioned in the above Microsoft article.
- Follow Microsoft's best practices when setting your refresh and correction intervals on the PDC.
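Here is an added PowerShell check (not part of the original post) that walks that list on a domain controller: it finds the PDC emulator the same way netdom does, reads the service-level Type/NtpServer values, and flags the Group Policy override described above. It assumes the standard W32Time service and policy registry keys and uses tock.usno.navy.mil, the source mentioned later in the post, for the final offset measurement.

```powershell
# Added example, not from the original post: audit a DC against the checklist above.
# Run in PowerShell on the DC being checked (a 2003 box needs PowerShell installed).
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time'   # only exists when a GPO manages W32Time

# 1. Which DC holds the PDC emulator role (same answer as 'netdom query fsmo').
$pdc   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
$isPdc = $pdc -like "$env:COMPUTERNAME.*"
Write-Host "PDC emulator: $pdc   (this host holds the role: $isPdc)"

# 2. Service-level settings. Only the PDC emulator should be Type=NTP pointing at an
#    external NtpServer; every other DC should be Type=NT5DS (follow the domain hierarchy).
$svc = Get-ItemProperty -Path $svcKey
Write-Host "Service Type=$($svc.Type)  NtpServer=$($svc.NtpServer)"
if ($isPdc -and $svc.Type -ne 'NTP') {
    Write-Warning 'PDC emulator is not set to Type=NTP with an external NtpServer.'
}
if (-not $isPdc -and $svc.Type -ne 'NT5DS') {
    Write-Warning 'This DC is not the PDC emulator but is not set to Type=NT5DS.'
}

# 3. The failure mode from the post: any GPO with Windows Time settings that applies to
#    this DC is written under HKLM\SOFTWARE\Policies\... and overrides the service key.
if (Test-Path $polKey) {
    Write-Warning 'Group Policy is managing Windows Time on this DC (policy values below).'
    Get-ChildItem -Path $polKey -Recurse | ForEach-Object {
        $key = $_
        Write-Host "  $($key.Name)"
        foreach ($name in $key.GetValueNames()) {
            Write-Host "    $name = $($key.GetValue($name))"
        }
    }
    Write-Host '  Find the responsible GPO with: gpresult /scope computer /v'
} else {
    Write-Host 'No Windows Time policy keys present; the service-level settings are in effect.'
}

# 4. Measure the actual offset against the external source before and after any fix.
w32tm /stripchart /computer:tock.usno.navy.mil /samples:3 /dataonly
```

On Vista/2008 and later, w32tm /query /configuration also labels each value as (Local) or (Policy), which gives the same override answer as step 3.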

If everything is hosed up and you want to start over, just run these commands from the command line on the PDC emulator:

net stop w32time
w32tm /unregister   (this wipes out all Windows Time settings from the registry)
w32tm /register
(now configure your NTP settings in the Registry)
net start w32time
w32tm /resync /rediscover

I happen to use tock.usno.navy.mil as my time server. If you want to check out others, I would recommend downloading a utility called NTP Query to test connections to time servers before going through the trouble of modifying your registry. It can be downloaded HERE.