Having your ESX Server running the correct time is quite important, and before you visit this subject, I would suggest you MAKE SURE the time is set in the ESX Servers BIOS, ie the internal clock is set correctly first. I’ve lost count of the amount of times I’ve seen Windows domains fall over because the ESX host has reverted to its BIOS time and replicated that time to its guests, suddenly your domain clocks are two years apart and carnage ensues!
Throughout this procedure I will be setting my VMware environment to sync time with a LOCAL windows domain controller, some may argue if the domain controller is a virtual machine in a virtual environment that this is a BAD IDEA. I understand that argument (but this is my test network). In production I would rather have my devices getting time synchronised from a public reliable public time source.
Solution : ESX NTP
Step 1: vCenter NTP
Assuming you have already set time correctly on you domain controller as per this article. Then the next step is to configure you vCenter server(s) NTP time source. note: If you are using stand-alone ESX Servers please skip this section.
Note: For this to work the hosts need to be able to communicate with the time servers over NTP (UDP Port 123), ensure your firewall has this port open to the NTP source or time sync will fail.
Connect you your vCenter(s) direct admin console https://{ip-or-domain-name}:5400 log in as root. Navigate to Time > Select the correct Time Zone (Note: there is GMT but no BST So if you’re in the UK select Europe/London). Under Time Synchronization > Edit > Mode = NTP > Time Servers = the IP(s) of you time sources > Save.
Have a coffee, eventually it should look like this.
Step 2: ESX NTP (Directly)
Note: If you are managing ESX hosts via vCenter skip to the next section, this procedure is used to set NTP on an ESX host directly. Connect to the management console of your ESX Server. Navigate to Manage > System > Time & Date > Edit NTP Settings.
Select “Start and Stop with Host” > Enter the IP addresses or names of the NTP Source(s) > Save.
Step 2: ESX NTP (via vCenter)
Connect to vCenter and select your first ESX host > Configure > Time configuration > Add Service > Network Time Protocol > Enter the IP addresses(s) or name(s) of you NTP Server(s) > OK.
At this point go and have a coffee > Hit Refresh > ONCE there’s an entry under Last Time Sync > Test Services.
The output should look something like this
ESX NTP For OLDER versions of vSphere
Connect to the host (or vCenter and drill down to the host(s)). Select the host in question > Configuration > Time Configuration > Properties > Tick NTP Client Enabled > Options > Add > Add in your public time server IPs > Tick ‘Restart NTP Service to apply changes’ > OK > OK.
Note: I’m in the UK so I’m using two time servers in this country, you may want to use one closer to home.
Note: If all these details are IN RED, then it has failed to sync, either be patient, try putting the host into and out of maintenance mode, or reboot it, if it continues to fail check it can see the public time servers on UDP port 123.
Related Articles, References, Credits, or External Links
If you have arrived here, you have either noticed that the time is wrong on your server(s) or client PC(s), or you have looked in the event viewer and seen one of the following events being logged. Event ID’s 12, 22, 29, 36, 38, 47, and 50.
Event ID 12 (W32 Time Time Provider NtpClient: This machine is configured to use {text omitted}, but it is the PDC emulator…).
Event ID 29 (The time provider NtpClient is configured to acquire time from one or more time sources…).
Event ID 36 (The time service has not synchronized the system time for 86400 seconds…).
Event ID 38 (The time provider NtpClient cannot reach or is currently receiving invalid time data from…).
Event ID 47 (Time Provider NtpClient: No valid response has been received from manually configured peer…).
Domain Time Problem Events – On Domain Members
Event ID 50 (The time service detected a time difference of greater than 5000 milliseconds for 900 seconds…).
Event ID 22 (The time provider NtpServer encountered an error while digitally signing the NTP response for peer…).
Solution : Domain Time Problems
Setting domain time is a TWO-STEP process, set the time correctly on the PDC emulator, then let the clients take their time from the PDC emulator.
Locate the PDC Emulator
1. On a domain controller, Windows Key+R > netdom query fsmo {Enter}.
2. Take note of the PDC name and go to that server.
NTP Firewall config (Domain Time)
1. Ensure UDP Port 123 is open outbound from the PDC Emulator. How this is done will vary depending on your firewall vendor. If you have a Cisco ASA or a Cisco PIX see my article here.
To Test Use NTPTool
Below either the port is blocked (or the hostname/IP of the external NTP server is incorrect);
This is how it should look, every-time you press query you should get a response, now you know the correct port is open;
Configure the PDC Emulator to collect Reliable Domain Time
Of course our PDC Emulator is also a domain controller, so we need to link a GPO to the domain controllers OU. But we dont want all DC’s getting their time from an external source, so we will create a WMI filter to ensure the policy will only apply to the PDC emulator server.
Administrative tools > Group Policy Management > WMI Filter > New > PDC-Emulator-Only > Add > Select * from Win32_ComputerSystem where DomainRole = 5 > OK.
Don’t panic if you see this error > OK > Save.
Create a new GPO linked to the Domain Controllers OU.
Change the policy so it uses your WMI filter;
Edit The Policy, and navigate to;
[box]Computer Configuration > Policies > Administrative eTemplates > System > Windows Time Service > Time Providers[/box]
Configure Windows NTP Client
Enable the policy > set the NtpServer setting to server-name(comma)stratum-type(space). If you get this wrong you wont sync, and you will see this error.
Enable Windows NTP Client
Enable the Policy (The server still needs to get its time from the external source!)
Enable Windows NTP Server
Enable the policy (The server also needs to provide time to the domain clients).
Save and exit the policy editor, then on the PDC emulator force a policy update and resync the time. Finally run rsop to make sure the settings have applied.
Setting PDC Emulator Time From Command Line
1. On the PDC emulator Windows Key+R > cmd {Enter}.
2. At command line execute the following four commands;
[box]
w32tm /config /manualpeerlist:ntp2d.mcc.ac.uk /syncfromflags:manual /reliable:yes /update
net stop "windows time"
net start "windows time"
w32tm /resync
[/box]
Note: If you are NOT in the UK or simply want to use a different NTP time server go here for alternatives.
3. Look in the servers Event log > System Log for Event ID 37.
---------------------------------------------------------------
Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 37
Date: xx/xx/xxxx
Time: xx:xx:xx
User: N/A
Computer: {servername}
Description:
The time provider NtpClient is currently receiving valid time
data from ntp2d.mcc.ac.uk (ntp.m|0x0|10.0.0.1:123->130.88.203.64:123).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. —————————————————————
4. You will also see Event ID 35.
---------------------------------------------------------------
Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 35
Date: xx/xx/xxxx
Time: xx:xx:xx
User: N/A
Computer: {servername}
Description:
The time service is now synchronizing the system time with the time source
ntp2d.mcc.ac.uk (ntp.m|0x0|10.0.0.1:123->130.88.203.64:123).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. —————————————————————
Step 2 Check the domain clients
This is all you should need to do, because, (by default) all Domain clients get their time from the PDC when they log on, but to check;
1. Windows Key+R > cmd {enter}.
2. Execute the following command;
[box] w32tm /monitor [/box]
3. You will see the time this client can see, on all the domain controllers.
(In the case above the time on server-dc is way out, address that first – (it was an old Windows 2000 server and running “net time server-pdc” {enter} fixed it).
4. Once all the domain controllers have a time that’s accurate (like the last three in the example above), then proceed.
5. Execute the following commands on a client machine;
[box]
net stop "windows time"
net start "windows time"
w32tm /resync
[/box]
6. The machines event log should show the following successful events;
Event ID 37 (The time provider NtpClient is currently receiving valid time data from..).
Event ID 35 (The time provider NtpClient is currently receiving valid time data from..).
Setting Domain Clients Time via GPO
As already outlined you should not need to do this, (as it’s the default setting,) but if there’s a problem you can force domain clients to look at your PDC emulator for reliable time.
Create a GPO, and link it to the OU containing the computers you want to sync’
Edit the policy and navigate to;
[box]Computer Configuration > Policies > Administrative eTemplates > System > Windows Time Service > Time Providers[/box]
Configure Windows NTP Client
Enable the policy > Set the NtpServer to {Your-PDC-Name},0x9 > Set the Type to NT5DS.
Enable Windows NTP Client
Enable this policy.
Testing Client NTP Settings
Either run;
[box]w32tm /query /status[/box]
Or run RSOP.
Related Articles, References, Credits, or External Links
I’m doing some work for a client that has Azure AD Sync running, and we keep kicking each other off the server, so I thought I’d login with another account. However, when I tried to open the Synchronisation Service Manager;
Unable to connect to the Synchronisation Service
Some possible reasons are:
1) The service is not started.
2) Your account is not a member of the requires security group.
See the Synchronisation Service documentation for details.
Solution
Well it was the second option in my case. Open Server Manager > Tools > Computer Management > System tools > Local Users and groups > Groups > ADSyncAdmins > Add your user in here.
Related Articles, References, Credits, or External Links
I’ve seen this a few times now, I’ve had users that will not sync from Active Directory to Azure Active Directory (Office 365). When you look to see why, you will see something like;
The Connector {Your-Domain}.onmicrosoft.com – AAD contains another object with the same DN which is already connected to the MV.
Note: For the uninitiated, DN is Distinguished Name, and MV is MetaVerse.
If you attempt to troubleshoot the sync, you may also see something like this;
Object {Distinguished-Name} is not found in AAD Connector Space.
Solution
First we need to temporarily halt the sync;
[box]
Set-ADSyncScheduler -SyncCycleEnabled $False
[/box]
Then launch Sycronization Service Manager > Connectors > Select your AAD Connector > Delete > Delete connector space only > Yes.
Note: Whoa! it says I’m going to lose data, what are we doing?
Well we are essentially removing all the ‘cached objects associated with this connector, I think about it like ‘flushing the cache’. I’ve never seen this operation break anything, and I’ve certainly never ‘lost’ anything.
While it’s still running, do the same with your local AD connector.
Start the sync scheduler again.
[box]
Set-ADSyncScheduler -SyncCycleEnabled $True
[/box]
Perform a Full Import on your AAD connector..
With the above still running you can repeat a Full Import on your AD Connector
Providing the full import has finished (i.e the connector says ‘idle’) perform an Export on the AAD Connector.
Providing the full import has finished (i.e, the connector says ‘idle’) perform an Export on the Local AD Connector.
At first this was just a bug, now it’s annoying, I don’t know why Cisco have not got round to fixing this, it’s still a problem in the latest (6.2.2 at time of writing,) version.
Solution
Configuration > ASA FirePOWER Configuration > Local > System Policy > Time > Synchronisation > Manually > Save Policy and Exit.
Deploy > Deploy FirePOWER Changes > Deploy.
To View Task Progress: Monitoring > ASA FirePOWER Monitoring > Ensure the policy has applied successfully, (go and have a coffee).
Configuration > ASA FirePOWER Configuration > Local > Configuration > Time > Select the time zone ‘Hyperlink’ > Set the correct zone > Save > Done.
Configuration > ASA FirePOWER Configuration > Local > System Policy > Time > Synchronisation > Via NTP From… > Type in a public NTP Server > Save Policy and Exit.
You would like to sync your files/folders between more than one machine? Dropbox, is a service that lets you keep files in “The Cloud” and synchronise them across multiple machines and platforms. It’s one of those things that once you start to use it you wonder what you did before you had it. Simply put it’s like having a USB drive that you don’t need to carry around with you, and even if you still carry your USB drive, you can run Dropbox portable on that as well.
Related Articles, References, Credits, or External Links
All credit for the Dropbox Portable version used above (DropboxPortableAHK) should go to user against t for taking the time to create and support it – Thanks
Starting test: Advertising
Warning: Server-Name is not advertising as a time server.
......................... Server-Name failed test Advertising
Running enterprise tests on : PeteNetLive.com Starting test: Intersite ……………………. PeteNetLive.com passed test Intersite Starting test: FsmoCheck Warning: DcGetDcName(TIME_SERVER) call failed, error 1355 A Time Server could not be located. The server holding the PDC role is down. Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355 A Good Time Server could not be located. ……………………. PeteNetLive.com failed test FsmoCheck
Solution
Note: Any one of the things below can cause this problem, I suggest you retry running dcdiag after each step until it runs without error.
1. In a windows domain, clients normally get their time from the domain controller that holds the PDC Emulator role. Locate that server and log on.
3. If you have got this far, then should already have the windows time service running, check!
4. From command line, remove and reinstall the Windows time service with the following two commands.
[box]w32tm /unregister<br />w32tm /register[/box]
Note: It’s not unusual to see the following error after you issue a ‘w32tm /unregister’ command,
Error
The following error occurred: Access is denied (0x80070005)
If this happens don’t panic, open the services console (Press F5) and the Windows Time Service may have disappeared (if so re-register it). If not manually stop the Windows Time service and try to unregister again, then re-register.
WARNING: After doing this, you will need to set the time service to get reliable time from an NTP External Server again.
5. Press Windows Key+R > regedit {enter} > Navigate to the following registry key;
Ensure the Type value it set to NTP, the restart the Windows time service and check again.
5. Whilst still in the registry editor navigate to;
[box]HKLM > System > CurrentControlSet > services > W32Time > Config[/box]
Set the AnnounceFlags value to 5.
6. Whilst still in the registry editor navigate to;
[box]HKLM > System > CurrentControlSet > services > W32Time > Time Providers > NtpServer[/box]
Make sure the Enabled value is set to 1 (one).
7. If the problem persists, on the PDC Emulator run gpedit.msc > Navigate to;
[box]Computer Configuration > Administrative Templates > system > Windows Time Service[/box]
Make sure ‘Global Configuration Settings’ is set to ‘Not Configured’.
Navigate to;
[box]Computer Configuration > Administrative Templates > system > Windows Time Service > Time Providers[/box]
Make ALL the settings are to ‘Not Configured’.
If you changed anything, run ‘gpupdate /force’ and try again.
8. On the PDC Emulator, Open a command window (Note: You must Run as Administrator!) > In the Computer Settings section locate all the policies that are applying to the server.
Note: As a shortcut to find the offending policy, you could run ‘gpresult /v > c:gpresult.txt’ then search that text file, for any instance of w32tm, (here’s an example).
As above navigate to;
[box]Computer Configuration > Administrative Templates > system > Windows Time Service[/box]
Make sure Global Configuration Settings is set to ‘Not Configured’.
Navigate to;
[box]Computer Configuration > Administrative Templates > system > Windows Time Service > Time Providers[/box]
Make ALL the settings are set to ‘Not Configured’.
If you changed anything, run ‘gpupdate /force’ and try again.
Related Articles, References, Credits, or External Links
I’ve been posting domain time articles for a long time, and on more than one occasion I’ve really needed to take my Windows time from a Cisco Device and failed miserably. I’ve even used third party NTP software to solve this problem on my own test network.
On a client network, my colleague deployed ACS5 this week, I secured the ASA5585-X for AAA and it failed authentication. Logging revealed a clock skew error, so we manually set the time on the domain PDC. Within half an hour it was failing. The network topology prevented me syncing to a public NTP server from the domain PDC.
We did however have all the network devices syncing from a public time source, if only we could use one of those?
Solution
Step 1 Configure NTP on your Cisco Device.
Here I’m using a 7200 Router in GNS3, the NTPIP addresses I use are UK based NTP servers, I suggest you replace them with some public NTP servers on your own continent. I’m using two for redundancy.
[box]
Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#ntp server 130.88.202.49 prefer
Petes-Router(config)#ntp server 194.35.252.7
[/box]
NOTE: You need to force the Cisco device to advertise itself with a low stratum, typically the lower the stratum, the closer to atomic time you are supposed to be, (so we are actually forcing the device to lie, but if we don’t, Windows wont trust it!)
[box]
Petes-Router(config)#ntp master 5
[/box]
It can take a while for NTP, (go and have a coffee), then check it’s synchronised, DO NOT proceed until the Cisco device has synchronised.
[box]
R1#show ntp statusClock is synchronized, stratum 5, reference is 127.127.1.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**19
ntp uptime is 364600 (1/100 of seconds), resolution is 4000
reference time is D898D3A0.319A96D4 (23:05:04.193 GMT Wed Feb 25 2015)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.26 msec, peer dispersion is 0.23 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is -0.000000000 s/s
system poll interval is 16, last update was 3 sec ago.
[/box]
Step 2 Configure Windows to use Cisco NTP Time
In the past I’ve said “Windows Does not use NTP, it uses Win32 Time” This is not strictly true, it does use NTP, but by default it uses ‘Symmetric Active Mode NTP’ and your Cisco Device expects its NTP requests to be submitted via ‘Client Mode NTP‘. (See MS KB 875424 for more info).
Note: By default Windows Domains take their time from the PDC emulator, carry this procedure out on that server!
Open an elevated command prompt and execute the following commands (the Cisco device IP is shown in red, change accordingly);
[box]
w32tm /config /manualpeerlist:"123.123.123.148",0x8 /syncfromflags:MANUAL
net stop "windows time"
net start "windows time"
w32tm /resync
Note: If you want to specify TWO Cisco devices, use the following syntax
w32tm /config /manualpeerlist:"123.123.123.148,123.123.123.149",0x8 /syncfromflags:MANUAL
[/box]
Now in the Servers System log, you should see the following two events logged.
Event ID 37
Log Name: System
Source: Microsoft-Windows-Time-Service
Date: 25/02/2015 22:33:19
Event ID: 37
Task Category: None
Level: Information
Keywords:
User: LOCAL SERVICE
Computer: 2012-DC-CA.petenetlive.com
Description:
The time provider NtpClient is currently receiving valid time data from 123.123.123.148,
0x8 (ntp.m|0x8|0.0.0.0:123->123.123.123.148:123).
Event ID 35
Log Name: System
Source: Microsoft-Windows-Time-Service
Date: 25/02/2015 22:21:17
Event ID: 35
Task Category: None
Level: Information
Keywords:
User: LOCAL SERVICE
Computer: 2012-DC-CA.petenetlive.com
Description:
The time service is now synchronizing the system time with the time source 123.123.123.148,
0x8 (ntp.m|0x8|0.0.0.0:123->123.123.123.148:123).
Windows and Cisco NTP Problems and Errors
Event ID 47
Log Name: System
Source: Microsoft-Windows-Time-Service
Date: 25/02/2015 22:11:07
Event ID: 47
Task Category: None
Level: Warning
Keywords:
User: LOCAL SERVICE
Computer: 2012-DC-CA.petenetlive.com
Description:
Time Provider NtpClient: No valid response has been received from manually configured
peer 123.123.123.148 after 8 attempts to contact it. This peer will be discarded as a
time source and NtpClient will attempt to discover a new peer with this DNS name. The
error was: The peer is unreachable.
On your Cisco Device you will see debug output like so, (it will repeat 8 times);
[box]
Petes-Router#debug ntp all
NTP events debugging is on
NTP core messages debugging is on
NTP clock adjustments debugging is on
NTP reference clocks debugging is on
NTP packets debugging is on
Petes-Router#
000031: Feb 25 22:07:45.831: NTP message received from 123.123.123.151 on interface 'GigabitEthernet0/0' (123.123.123.148).
000032: Feb 25 22:07:45.835: NTP Core(DEBUG): ntp_receive: message received
000033: Feb 25 22:07:45.835: NTP Core(DEBUG): ntp_receive: peer is 0x67A57898, next action is 1.
Petes-Router#
000034: Feb 25 22:07:54.967: NTP message received from 123.123.123.151 on interface 'GigabitEthernet0/0' (123.123.123.148).
000035: Feb 25 22:07:54.967: NTP Core(DEBUG): ntp_receive: message received
000036: Feb 25 22:07:54.971: NTP Core(DEBUG): ntp_receive: peer is 0x67A57898, next action is 1.
Petes-Router#
[/box]
Causes:
This is a pretty generic error, but in this case, one of the following situations can cause this;
1. UDP Port 123 is blocked between Windows and the Cisco NTP device.
2. The Cisco NTP device has not synchronised form a reliable NTP source.
3. The stratum of the Cisco NTP device is to high.
4. Windows is attempting to sync time using ‘Symmetric Active Mode NTP‘ See my comments above.
Related Articles, References, Credits, or External Links
With NTP, there will be two things you want to do, 1) Allow a device behind the ASA to take its time from a public NTP server, and 2) Set the ASA to take its system time from a public NTP sever (for accurate date stanps on the logs, and for time critical things like Kerberos authentication.)
Solution
Allow internal host(s) to get system time though the firewall.
1. Connect to the ASA, go to “enable mode”, then to “Configure terminal mode”
[box]
User Access Verification
Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure Terminal
PetesASA(config)#
[/box]
2. To rules are being applied to traffic going OUT through the firewall, run a “show run access-group” command.
[box]
PetesASA(config)# show run access-group
Sample Output
access-group outbound in interface inside
access-group inbound in interface outside
[/box]
Note: If it returns nothing then outbound traffic is NOT being filtered, and NTP should work anyway, but in the example above I can see the traffic that is going IN the inside interface (That’s traffic going out if you think about it!) Is being filtered by an access list called ‘outbound’ (Because I give the ACL’s sensible names, yours could be called anything!)
3. To allow ALL hosts use the word any, for a specific host use the keyword host.
[box]
Allow all hosts access to NTP
PetesASA(config)# access-list outbound permit udp any any eq 123
Allow one host (192.168.1.1)
to NTP
PetesASA(config)# access-list outbound permit udp host 10.254.254.1 any eq 123
[/box]
4. Finally save the updated config.
[box]
PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d
7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#
[/box]
Set the ASA to get its System Time from an External NTP Source
1. Connect to the ASA, go to “enable mode”, then to “Configure terminal mode”
[box]
User Access Verification
Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure Terminal
PetesASA(config)#
[/box]
2. The IP address I’m using is in the UK if you want one more local look here.
[box]
PetesASA(config)# ntp server 130.88.212.143 source outside
[/box]
3. To check on its status, simply execute a “show ntp status” command. BUT it will take a few minutes to synchronise, until it does you will see;
[box]
PetesASA(config)# show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is d36a01de.60ad92ea (13:04:30.377 UTC Fri May 25 2012)
clock offset is 3414265.0854 msec, root delay is 26.09 msec
root dispersion is 3430186.81 msec, peer dispersion is 16000.00 msec
PetesASA(config)#
[/box]
When it is finally synchronised it will say;
[box]
PetesASA(config)# show ntp status
Clock is synchronized, stratum 3, reference is 130.88.212.143
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is d36a0f74.a34d5dde (14:02:28.637 UTC Fri May 25 2012)
clock offset is -9.1688 msec, root delay is 25.91 msec
root dispersion is 15915.95 msec, peer dispersion is 15890.63 msec
PetesASA(config)#
[/box]
4. Finally save the updated config.
[box]
PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d
7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#
[/box]
Related Articles, References, Credits, or External Links