If you work with Windows servers and Windows domain controllers in your environment you can relate to this story. From time to time (pun intended) you will stumble over network time protocol (NTP) issues. It can cause you some serious trouble and impact other systems. Here is how to revert everything to a clean slate.
- Your clients time drifts off and they can not be authenticated to the active directory.
- Or even worse, there is a complete mess and you have two different times spreading in your network.
From my experience, this only occurs when someone messed with the standard NTP settings in the past. Now it is your job to fix the work someone did in the past and revert to the standard settings.
Table of Content
- General information about NTP
- Checking your settings
- Revert to the standard settings
General information about NTP
From this picture, the following rule is derived: “Every NTP client synchronizes with a source above it, but never on the same level”. That means in our case, a client synchronizes with a DC or the PDC (Primary domain controller). All domain controllers only sync with the PDC. For our case this information is enough, further information can be found here.
Checking your settings
Determine the PDC
First you need to determine which domain controller is your primary domain controller (PDC). This tutorial cowers two ways to check which DC is your PDC.
The first way is to type the following line to PowerShell on a server that has the ActiveDirectory module installed.
Get-ADDomain fistoftech.ch | Format-Table PDCEmulator
The second one is to head over to Active Directory Users and right-click on your Domain, then click Operations Masters. In the new window click the PDC tab and check the server you see there, this is your PDC server.
Check the settings on the PDC
Run “w32tm /query /configuration” to see the whole configuration on your PDC. We will focus on the two settings highlighted in red.
The AnnounceFlags on the following screenshot should be 5. This gets set by setting the /reliable parameter of w32tm to yes. And it is to determine whether the time of this server is reliable or not, so only use this on the PDC.
The NTPServer: setting should point to your external time source, whether it is another server or an NTP pool does not matter. But it is also important, that only the PDC gets an external source.
Check the settings on all other NTP Clients
On the clients you can use the same command again “w32tm /query /configuration”
If your client is on the standard-setting and syncing with the domain the AnnounceFlags (not on the screenshot) has the value 10. And your TimeProvider section needs to be Type: NT5DS (Source) which basically means your client receives its time from the domain hierarchy (/synfromflags:domhier parameter).
Revert to the standard settings
In the small sections before we learned how to check the settings and know if they are on the standard sync from domain setting. The only part missing is how to actually go back to the standard settings.
On the PDC:
w32tm /config /syncfromflags:manual /manualpeerlist:ch.pool.ntp.org /update /reliable:YES
On all the Clients (including the other DCs):
w32tm /config /syncfromflags:domhier /update /reliable:no
If time flies by, check your NTP.Zen Master Xiakit