Solved Server 2008R2 Time Sync

March 9, 2013 at 02:09:54
Specs: windows server 2008R2
Ok so this has been bothering me all week!

We have 2 physical Hyper-V servers running 8 VMs between them. Each physical server has a domain controller on it running in a VM, and all servers are 2008R2.

The VM PDC is set to NTP and to sync with time.microsoft.com, and the rest, including the physical servers, are NT5DS.

When I run w32tm /query /status

I'm getting VM IC Time Synchronization Provider on both VM DCs. What is that?
When I look at the events I'm getting an error 12something or 13something, I can't remember right now, complaining about DNS, so it looks like my PDC is not getting out?

I have followed MS details on setting up an external time source and made all registry changes, but I think the DNS is getting me....

Any thoughts?

What does VM IC Time Synchronization Provider mean?
I'm also assuming if I run w32tm /query /status on the PDC it should say the external time source as source?

Cheers




✔ Best Answer
March 22, 2013 at 06:24:19
I have finally got it working!
The goal of this is to help people out who are starting at the beginning of setting a domain's time.

In this example all Servers, Primary Domain Controller (PDC), other Domain Controllers (DC) and other servers are running Windows 2008 R2 and are virtualised with Hyper-V.

First things first: you will read that you should disable the 'Time Synchronization Integration Service' on any virtual machine within Hyper-V, but instead you should manipulate the Windows Time Service (w32tm service) from within the virtual DC. You should not disable this, because when a VM restarts this will cause problems; it should be done with w32tm.
http://blogs.msdn.com/b/virtual_pc_...

You will need to find out what server is the PDC and running FSMO roles. Run this:
netdom query fsmo
The result should be your PDC and this is where you make most of your changes.

Make sure in the firewall there is an “Outbound” rule on UDP 123 and the program is %SystemRoot%\System32\w32tm.exe; just browse to the Windows directory and find the exe for time.

This is where the registry changes go down!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time

Make sure the PDC, under config in the above registry address, is set to NTP for “type” and all other servers are NT5DS; this means NTP is the daddy!
Best practice here is to have the PDC look externally for time and everything sync to it.

Run this on all domain controllers (including the PDC). It will partially disable Windows Time so it does not look at the host machine for time, which is important because we are virtualised.
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0

You can go to the ntp.org site (http://support.ntp.org/bin/view/Ser...) to find a server closest to you to sync your external time. I recommend not using Microsoft as they are heavily used and can slip out because of this.

The command below will set the PDC to look externally, but also check the registry settings as defined here to sync externally (you need to do both):
http://support.microsoft.com/kb/816042

Run this on the PDC:
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x1" /syncfromflags:MANUAL /reliable:yes
w32tm /config /update
w32tm /resync
w32tm /resync /rediscover

Run these 2 commands at any time on any server to see their source and when they last updated. These will be used throughout this exercise to make sure your PDC and other servers are getting time from the right place:
w32tm /query /status
w32tm /query /source

Then run this on all DCs except the PDC. It will make them look at the PDC for time and resync to it:
w32tm /config /syncfromflags:DOMHIER /update
net stop w32time
net start w32time
w32tm /resync /force

Issues:
When you run the Status or Source query, give them a minute or 2 after changes. You should not be looking at the Local CMOS Clock and you should not be using VM IC Time Synchronization Provider as source either.

If successful, the PDC should read the external site you have set and the other servers should say the PDC as source.

Hope this helps people, good luck!
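
An added example, not part of the original answer: a PowerShell check that audits one server against the settings the answer describes (sync type, VMICTimeProvider disabled, effective source). The `-IsPdc` switch is a hypothetical parameter, and the script reads Type and NtpServer from the W32Time\Parameters subkey, which is where KB 816042 places them.

```powershell
# Added example: audit this server against the time settings in the answer above.
# -IsPdc is a hypothetical switch; pass it on the server "netdom query fsmo" names as PDC.
param([switch]$IsPdc)

$base     = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$params   = Get-ItemProperty -Path "$base\Parameters"
$vmic     = Get-ItemProperty -Path "$base\TimeProviders\VMICTimeProvider"
$findings = @()

# 1. Sync type: NTP on the PDC, NT5DS on every other server.
$wantType = if ($IsPdc) { 'NTP' } else { 'NT5DS' }
if ($params.Type -ne $wantType) {
    $findings += "Type is '$($params.Type)', expected '$wantType'"
}

# 2. The Hyper-V time provider must be off (Enabled = 0) on virtualised DCs.
if ($vmic.Enabled -ne 0) {
    $findings += "VMICTimeProvider Enabled is '$($vmic.Enabled)', expected 0"
}

# 3. Effective source reported by the running service.
$source = (& w32tm /query /source | Out-String).Trim()
foreach ($bad in 'Local CMOS Clock', 'VM IC Time Synchronization Provider') {
    if ($source -like "*$bad*") { $findings += "Source is '$source'" }
}

# 4. On the PDC the source should be one of the configured manual peers.
#    Assumption: /query /source prints the peer in the form stored in NtpServer.
if ($IsPdc) {
    $peers = @("$($params.NtpServer)" -split '\s+' | Where-Object { $_ })
    if ($peers -notcontains $source) {
        $findings += "Source '$source' is not in NtpServer '$($params.NtpServer)'"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: type=$($params.Type) source=$source"
    exit 0
}
$findings | ForEach-Object { Write-Output "FAIL: $_" }
exit 1
```

Run it a minute or two after the w32tm changes, since the reported source lags the configuration.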



#1
March 9, 2013 at 17:42:07
http://serverfault.com/questions/41...

How do you know when a politician is lying? His mouth is moving.



#2
March 11, 2013 at 09:29:02
For VMs on any hypervisor, do you not use the "sync with host" feature.

Tony



#3
March 12, 2013 at 03:47:05
Hi Tony, thanks for the info, but disabling that is not the best way to do it. Have a look at guapo's post and it explains why.

I think my problem may be firewall related, as on further inspection I have an inbound rule for UDP 123 but not for outbound. I will be testing this tomorrow.

