I was involved in a question on Experts Exchange this week where the asker could not get their PDC to sync time from an external NTP server.
He was seeing an Event ID 12 Error;
Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
If you see this error in the event log, then when you try and ‘resync’ you may see;
The computer did not resync because no time data was available
Then look at the following
UDP Port 123 (NTP) is not opened, (outbound) for this host on the corporate firewall.
This is easy to check, use NTPTool, if it looks like this either the hostname/IP address you are going to is incorrect, or the PORT is blocked on your firewall.
If it looks like this then your hostname/IP is correct, and the port IS open.
Is the Server a Virtual Machine?
If so it might be getting its time set at the Hyper Visor level, (this is not good for Windows machines). Check the VM Settings
VMware 6
VMware 5
There is a GPO enforced on the PDC emulator that is enforcing the incorrect time settings
Again easy to check, open an administrative command Window and run ‘rsop’
Navigate to;
[box]Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers [/box]
Note: The Time servers must be in Name(comma) Stratum-level (space) format. For troubleshooting just try pool.ntp.org, 0x1 (Then you can specify ones closer to home, as you prove they work ok, if you get the stratum level or the syntax wrong then you will see the “The computer did not resync because no time data was available,” error.
If you have arrived here, you have either noticed that the time is wrong on your server(s) or client PC(s), or you have looked in the event viewer and seen one of the following events being logged. Event ID’s 12, 22, 29, 36, 38, 47, and 50.
Event ID 12 (W32 Time Time Provider NtpClient: This machine is configured to use {text omitted}, but it is the PDC emulator…).
Event ID 29 (The time provider NtpClient is configured to acquire time from one or more time sources…).
Event ID 36 (The time service has not synchronized the system time for 86400 seconds…).
Event ID 38 (The time provider NtpClient cannot reach or is currently receiving invalid time data from…).
Event ID 47 (Time Provider NtpClient: No valid response has been received from manually configured peer…).
Time Problem Events – On Domain Members
Event ID 50 (The time service detected a time difference of greater than 5000 milliseconds for 900 seconds…).
Event ID 22 (The time provider NtpServer encountered an error while digitally signing the NTP response for peer…).
Solution
Setting domain time is a TWO-STEP process, set the time correctly on the PDC emulator, then let the clients take their time from the PDC emulator.
Locate the PDC Emulator
1. On a domain controller, Windows Key+R > netdom query fsmo {Enter}.
2. Take note of the PDC name and go to that server.
NTP Firewall config
1. Ensure UDP Port 123 is open outbound from the PDC Emulator. How this is done will vary depending on your firewall vendor. If you have a Cisco ASA or a Cisco PIX see my article here.
To Test Use NTPTool
Below either the port is blocked (or the hostname/IP of the external NTP server is incorrect);
This is how it should look, every-time you press query you should get a response, now you know the correct port is open;
Configure the PDC Emulator to collect Reliable Time
Of course our PDC Emulator is also a domain controller, so we need to link a GPO to the domain controllers OU. But we dont want all DC’s getting their time from an external source, so we will create a WMI filter to ensure the policy will only apply to the PDC emulator server.
Administrative tools > Group Policy Management > WMI Filter > New > PDC-Emulator-Only > Add > Select * from Win32_ComputerSystem where DomainRole = 5 > OK.
Don’t panic if you see this error > OK > Save.
Create a new GPO linked to the Domain Controllers OU.
Change the policy so it uses your WMI filter;
Edit The Policy, and navigate to;
[box]Computer Configuration > Policies > Administrative eTemplates > System > Windows Time Service > Time Providers[/box]
Configure Windows NTP Client
Enable the policy > set the NtpServer setting to server-name(comma)stratum-type(space). If you get this wrong you wont sync, and you will see this error.
Enable Windows NTP Client
Enable the Policy (The server still needs to get its time from the external source!)
Enable Windows NTP Server
Enable the policy (The server also needs to provide time to the domain clients).
Save and exit the policy editor, then on the PDC emulator force a policy update and resync the time. Finally run rsop to make sure the settings have applied.
Setting PDC Emulator Time From Command Line
1. On the PDC emulator Windows Key+R > cmd {Enter}.
2. At command line execute the following four commands;
[box]
w32tm /config /manualpeerlist:ntp2d.mcc.ac.uk /syncfromflags:manual /reliable:yes /update
net stop "windows time"
net start "windows time"
w32tm /resync
[/box]
Note: If you are NOT in the UK or simply want to use a different NTP time server go here for alternatives.
3. Look in the servers Event log > System Log for Event ID 37.
---------------------------------------------------------------
Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 37
Date: xx/xx/xxxx
Time: xx:xx:xx
User: N/A
Computer: {servername}
Description:
The time provider NtpClient is currently receiving valid time
data from ntp2d.mcc.ac.uk (ntp.m|0x0|10.0.0.1:123->130.88.203.64:123).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. —————————————————————
4. You will also see Event ID 35.
---------------------------------------------------------------
Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 35
Date: xx/xx/xxxx
Time: xx:xx:xx
User: N/A
Computer: {servername}
Description:
The time service is now synchronizing the system time with the time source
ntp2d.mcc.ac.uk (ntp.m|0x0|10.0.0.1:123->130.88.203.64:123).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. —————————————————————
Step 2 Check the domain clients
This is all you should need to do, because, (by default) all Domain clients get their time from the PDC when they log on, but to check;
1. Windows Key+R > cmd {enter}.
2. Execute the following command;
[box] w32tm /monitor [/box]
3. You will see the time this client can see, on all the domain controllers.
(In the case above the time on server-dc is way out, address that first – (it was an old Windows 2000 server and running “net time server-pdc” {enter} fixed it).
4. Once all the domain controllers have a time that’s accurate (like the last three in the example above), then proceed.
5. Execute the following commands on a client machine;
[box]
net stop "windows time"
net start "windows time"
w32tm /resync
[/box]
6. The machines event log should show the following successful events;
Event ID 37 (The time provider NtpClient is currently receiving valid time data from..).
Event ID 35 (The time provider NtpClient is currently receiving valid time data from..).
Setting Domain Clients Time via GPO
As already outlined you should not need to do this, (as it’s the default setting,) but if there’s a problem you can force domain clients to look at your PDC emulator for reliable time.
Create a GPO, and link it to the OU containing the computers you want to sync’
Edit the policy and navigate to;
[box]Computer Configuration > Policies > Administrative eTemplates > System > Windows Time Service > Time Providers[/box]
Configure Windows NTP Client
Enable the policy > Set the NtpServer to {Your-PDC-Name},0x9 > Set the Type to NT5DS.
Enable Windows NTP Client
Enable this policy.
Testing Client NTP Settings
Either run;
[box]w32tm /query /status[/box]
Or run RSOP.
Related Articles, References, Credits, or External Links
Starting test: Advertising
Warning: Server-Name is not advertising as a time server.
......................... Server-Name failed test Advertising
Running enterprise tests on : PeteNetLive.com Starting test: Intersite ……………………. PeteNetLive.com passed test Intersite Starting test: FsmoCheck Warning: DcGetDcName(TIME_SERVER) call failed, error 1355 A Time Server could not be located. The server holding the PDC role is down. Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355 A Good Time Server could not be located. ……………………. PeteNetLive.com failed test FsmoCheck
Solution
Note: Any one of the things below can cause this problem, I suggest you retry running dcdiag after each step until it runs without error.
1. In a windows domain, clients normally get their time from the domain controller that holds the PDC Emulator role. Locate that server and log on.
3. If you have got this far, then should already have the windows time service running, check!
4. From command line, remove and reinstall the Windows time service with the following two commands.
[box]w32tm /unregister<br />w32tm /register[/box]
Note: It’s not unusual to see the following error after you issue a ‘w32tm /unregister’ command,
Error
The following error occurred: Access is denied (0x80070005)
If this happens don’t panic, open the services console (Press F5) and the Windows Time Service may have disappeared (if so re-register it). If not manually stop the Windows Time service and try to unregister again, then re-register.
WARNING: After doing this, you will need to set the time service to get reliable time from an NTP External Server again.
5. Press Windows Key+R > regedit {enter} > Navigate to the following registry key;
Ensure the Type value it set to NTP, the restart the Windows time service and check again.
5. Whilst still in the registry editor navigate to;
[box]HKLM > System > CurrentControlSet > services > W32Time > Config[/box]
Set the AnnounceFlags value to 5.
6. Whilst still in the registry editor navigate to;
[box]HKLM > System > CurrentControlSet > services > W32Time > Time Providers > NtpServer[/box]
Make sure the Enabled value is set to 1 (one).
7. If the problem persists, on the PDC Emulator run gpedit.msc > Navigate to;
[box]Computer Configuration > Administrative Templates > system > Windows Time Service[/box]
Make sure ‘Global Configuration Settings’ is set to ‘Not Configured’.
Navigate to;
[box]Computer Configuration > Administrative Templates > system > Windows Time Service > Time Providers[/box]
Make ALL the settings are to ‘Not Configured’.
If you changed anything, run ‘gpupdate /force’ and try again.
8. On the PDC Emulator, Open a command window (Note: You must Run as Administrator!) > In the Computer Settings section locate all the policies that are applying to the server.
Note: As a shortcut to find the offending policy, you could run ‘gpresult /v > c:gpresult.txt’ then search that text file, for any instance of w32tm, (here’s an example).
As above navigate to;
[box]Computer Configuration > Administrative Templates > system > Windows Time Service[/box]
Make sure Global Configuration Settings is set to ‘Not Configured’.
Navigate to;
[box]Computer Configuration > Administrative Templates > system > Windows Time Service > Time Providers[/box]
Make ALL the settings are set to ‘Not Configured’.
If you changed anything, run ‘gpupdate /force’ and try again.
Related Articles, References, Credits, or External Links
If you are replacing a domain controller, or simply taking one offline for a while, you might want to transfer its FSMO roles to another Domain Controller.
There are 5 FSMO roles which are,
· Schema master – Forest-wide and one per forest. · Domain naming master – Forest-wide and one per forest. · RID master – Domain-specific and one for each domain. · PDC Emulator is domain-specific and one for each domain. · Infrastructure master – Domain-specific and one for each domain.
FSMO Roles Solution
Traditionally we either “Seized” or “Transferred” the FSMO roles from command line using the ntdsutil tool like THIS. But you can transfer the roles with the normal graphical consoles you have.
1. Start > Administrative tools > Active Directory Users and Computers.
2. Right click the domain > Operations Masters > Select each Tab in turn > Change > Yes > Repeat for the other two tabs.
Moving the Domain Naming Master
1. Start > Administrative tools > Active Directory Domains and Trusts.
2. Right click the top level entry > Operations Master > Change > Yes.
Moving the Schema Master.
1. In the Search/Run box type regsvr32 schmmgmt.dll {enter} > It should say that it succeeded.
2. Now in the Search/Run box type mmc {enter} > A Microsoft Management Console will open > File > Add/Remove Snap-in.
3. Select the “Active Directory Schema” Snap-in > Add.
4. By default you will connect to the Schema Master, you need to be connected to the server you are on, Expand the “Active Directory Schema” > Right click it > Select “Change Active Directory Domain Controller” > Select the NEW one > OK.
5. Now Right click again > Operations Masters > Change > Yes.
If you only have 1 domain in the forest everything goes in that one domain. If not….
Forest Root Domain gets the Domain Naming Master, and the Schema Master roles.
Each Domain gets The PDC Emulator, Infrastructure Master and RID Master roles.
Though not an FSMO role each logon location should have a Global Catalogue server
(Note: Yes you can cache logon requests and have Read only domain controllers now but in an ideal world I still place a GC at each site)
Placement
1. Do not put the Infrastructure Master on a Global Catalogue Server (see below for how to see if a domain controller is a global Catalogue server).
2. The PDC Emulator and RID Master should be on the same Server, If possible NOT on a Global Catalogue Server (though not essential).
3. The Schema Master and Domain Naming Master should be on the same machine that IS a Global Catalogue Server. (This is not true if your forest functional level is Windows Server 2003).
To check if a domain controller is also a global catalogue server
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
2. Double-click Sites in the left pane, and then browse to the appropriate site or click Default-first-site-name if no other sites are available.
3. Open the Servers folder, and then click the domain controller.
4. In the domain controller’s folder, double-click NTDS Settings.
5. On the Action menu, click Properties.
6. On the General tab, locate the Global Catalogue check box to see if it is selected.
Related Articles, References, Credits, or External Links
I’ve been posting domain time articles for a long time, and on more than one occasion I’ve really needed to take my Windows time from a Cisco Device and failed miserably. I’ve even used third party NTP software to solve this problem on my own test network.
On a client network, my colleague deployed ACS5 this week, I secured the ASA5585-X for AAA and it failed authentication. Logging revealed a clock skew error, so we manually set the time on the domain PDC. Within half an hour it was failing. The network topology prevented me syncing to a public NTP server from the domain PDC.
We did however have all the network devices syncing from a public time source, if only we could use one of those?
Solution
Step 1 Configure NTP on your Cisco Device.
Here I’m using a 7200 Router in GNS3, the NTPIP addresses I use are UK based NTP servers, I suggest you replace them with some public NTP servers on your own continent. I’m using two for redundancy.
[box]
Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#ntp server 130.88.202.49 prefer
Petes-Router(config)#ntp server 194.35.252.7
[/box]
NOTE: You need to force the Cisco device to advertise itself with a low stratum, typically the lower the stratum, the closer to atomic time you are supposed to be, (so we are actually forcing the device to lie, but if we don’t, Windows wont trust it!)
[box]
Petes-Router(config)#ntp master 5
[/box]
It can take a while for NTP, (go and have a coffee), then check it’s synchronised, DO NOT proceed until the Cisco device has synchronised.
[box]
R1#show ntp statusClock is synchronized, stratum 5, reference is 127.127.1.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**19
ntp uptime is 364600 (1/100 of seconds), resolution is 4000
reference time is D898D3A0.319A96D4 (23:05:04.193 GMT Wed Feb 25 2015)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.26 msec, peer dispersion is 0.23 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is -0.000000000 s/s
system poll interval is 16, last update was 3 sec ago.
[/box]
Step 2 Configure Windows to use Cisco NTP Time
In the past I’ve said “Windows Does not use NTP, it uses Win32 Time” This is not strictly true, it does use NTP, but by default it uses ‘Symmetric Active Mode NTP’ and your Cisco Device expects its NTP requests to be submitted via ‘Client Mode NTP‘. (See MS KB 875424 for more info).
Note: By default Windows Domains take their time from the PDC emulator, carry this procedure out on that server!
Open an elevated command prompt and execute the following commands (the Cisco device IP is shown in red, change accordingly);
[box]
w32tm /config /manualpeerlist:"123.123.123.148",0x8 /syncfromflags:MANUAL
net stop "windows time"
net start "windows time"
w32tm /resync
Note: If you want to specify TWO Cisco devices, use the following syntax
w32tm /config /manualpeerlist:"123.123.123.148,123.123.123.149",0x8 /syncfromflags:MANUAL
[/box]
Now in the Servers System log, you should see the following two events logged.
Event ID 37
Log Name: System
Source: Microsoft-Windows-Time-Service
Date: 25/02/2015 22:33:19
Event ID: 37
Task Category: None
Level: Information
Keywords:
User: LOCAL SERVICE
Computer: 2012-DC-CA.petenetlive.com
Description:
The time provider NtpClient is currently receiving valid time data from 123.123.123.148,
0x8 (ntp.m|0x8|0.0.0.0:123->123.123.123.148:123).
Event ID 35
Log Name: System
Source: Microsoft-Windows-Time-Service
Date: 25/02/2015 22:21:17
Event ID: 35
Task Category: None
Level: Information
Keywords:
User: LOCAL SERVICE
Computer: 2012-DC-CA.petenetlive.com
Description:
The time service is now synchronizing the system time with the time source 123.123.123.148,
0x8 (ntp.m|0x8|0.0.0.0:123->123.123.123.148:123).
Windows and Cisco NTP Problems and Errors
Event ID 47
Log Name: System
Source: Microsoft-Windows-Time-Service
Date: 25/02/2015 22:11:07
Event ID: 47
Task Category: None
Level: Warning
Keywords:
User: LOCAL SERVICE
Computer: 2012-DC-CA.petenetlive.com
Description:
Time Provider NtpClient: No valid response has been received from manually configured
peer 123.123.123.148 after 8 attempts to contact it. This peer will be discarded as a
time source and NtpClient will attempt to discover a new peer with this DNS name. The
error was: The peer is unreachable.
On your Cisco Device you will see debug output like so, (it will repeat 8 times);
[box]
Petes-Router#debug ntp all
NTP events debugging is on
NTP core messages debugging is on
NTP clock adjustments debugging is on
NTP reference clocks debugging is on
NTP packets debugging is on
Petes-Router#
000031: Feb 25 22:07:45.831: NTP message received from 123.123.123.151 on interface 'GigabitEthernet0/0' (123.123.123.148).
000032: Feb 25 22:07:45.835: NTP Core(DEBUG): ntp_receive: message received
000033: Feb 25 22:07:45.835: NTP Core(DEBUG): ntp_receive: peer is 0x67A57898, next action is 1.
Petes-Router#
000034: Feb 25 22:07:54.967: NTP message received from 123.123.123.151 on interface 'GigabitEthernet0/0' (123.123.123.148).
000035: Feb 25 22:07:54.967: NTP Core(DEBUG): ntp_receive: message received
000036: Feb 25 22:07:54.971: NTP Core(DEBUG): ntp_receive: peer is 0x67A57898, next action is 1.
Petes-Router#
[/box]
Causes:
This is a pretty generic error, but in this case, one of the following situations can cause this;
1. UDP Port 123 is blocked between Windows and the Cisco NTP device.
2. The Cisco NTP device has not synchronised form a reliable NTP source.
3. The stratum of the Cisco NTP device is to high.
4. Windows is attempting to sync time using ‘Symmetric Active Mode NTP‘ See my comments above.
Related Articles, References, Credits, or External Links