Issues setting up Authoritative Time Server

 
 
Holo20
      08-14-2006
Gurus,

I'm trying to set up one of my DC's as an Authoritative Time Server, as I am
experiencing W32time errors (ID's 36, 49, 14) in the Event logs of all three
of my DC's. As far as I know a Time service or server of any kind has never
been properly set up.

Following the steps in KB 816042, How to configure an authoritative time
server in Windows Server 2003, configuring for 'outside source'. Everything
goes well until step 4 -- the KB says to modify
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer, however the 'NtpServer' object does not exist in my 'Parameters' folder.

Thanks for any advice!

-Michael
 
Miha Pihler [MVP]
      08-14-2006
Hi,

Make sure you select the correct domain controller first. You should use the
domain controller that holds the PDC FSMO role.

Next, you can simply use the command

net time

to set the external time server.

An example would be

net time /SETSNTP:ntp1.arnes.si

where ntp1.arnes.si is my time server.

If you now (e.g. as a test) restart the Windows Time Service on this domain
controller and then check the Event Logs (System Logs), you should see Event ID:
37 with Source W32Time. Inside it should be something like:

****************
The time provider NtpClient is currently receiving valid time data from
ntp1.arnes.si (ntp.d|10.10.10.10:123->193.2.1.88:123).
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Make sure you have UDP port 123 open on your firewall (from this DC to
external time source).
****************
--
Mike
Microsoft MVP - Windows Security

 
Holo20

 
      08-15-2006
Thanks for the great info. I am fairly certain that none of my domain
controllers is a PDC emulator (they are all Server 2003); I had never even
heard of it until you mentioned it, and I had to research it a little.

-Michael

 
Miha Pihler [MVP]

 
      08-15-2006
Hi,

I am pretty sure you have a PDC Emulator on your network ;-) or you would
notice strange and slow behavior of your clients in Active Directory. There
are five special roles in a domain and forest that domain controllers can have,
and PDC Emulator is one of them.

If we take a quick look at all 5 roles:
- Schema Master -- one per forest
- Domain naming master -- one per forest
- Infrastructure Master -- one per domain (e.g. if you have 4 domains you
will have 4 Infrastructure Masters inside forest)
- RID Master -- one per domain
- PDC Emulator -- one per domain

All these roles are in place when you set up Active Directory and live on
the first domain controller you set up.

Time source is synchronized like this:
- a client will query any domain controller (usually the nearest one) for time
service
- the domain controller queries the PDC emulator in the domain for the correct time
- the PDC emulator should check time with an external time service, and this is
why it is important to configure external time on the server holding
this role.

Here is more information on FSMO roles and how to figure out which domain
controller(s) holds them.

How to view and transfer FSMO roles in Windows Server 2003
http://support.microsoft.com/kb/324801/

--
Mike
Microsoft MVP - Windows Security

 
Holo20

 
      08-15-2006
Mike,

You are correct. After some more reading, I rooted around and found which DC
was performing the FSMO roles. The odd thing is that it is the DC that I was
trying to set up as a time server; yet the registry keys that must be
modified are not present. Is there a different method that I could use to set
time on my network?

Thanks,

Michael

 
Miha Pihler [MVP]

 
      08-16-2006
Hi,

As mentioned in my first reply, you can use

net time /SETSNTP:ntp1.arnes.si

instead of registry settings.

Note: replace ntp1.arnes.si with your chosen time service server name.

Personally I never used the registry for this. I always used the net time or w32tm
command.

Please let me know if you need any more help with this.

--
Mike
Microsoft MVP - Windows Security

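The procedure the thread arrives at, collected as one cmd.exe session (an added example, not part of any post above). It uses w32tm, which the last reply mentions, in place of net time; ntp1.arnes.si is the server named in the thread and stands in for your own time source, and netdom is assumed to be installed from the Support Tools.

```bat
@echo off
rem Added example, not from the thread. Run in cmd.exe on the domain
rem controller that holds the PDC Emulator role.
setlocal
rem Assumption: replace with your own external time source.
set PEER=ntp1.arnes.si
set KEY=HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

rem 1. Confirm which DC holds the PDC role (one per domain).
netdom query fsmo

rem 2. Before changing anything, check that the source answers on UDP 123.
rem    Five offset samples are printed; error lines instead of offsets
rem    point to a firewall block between this DC and the source.
w32tm /stripchart /computer:%PEER% /samples:5 /dataonly

rem 3. Point this DC at the external source and advertise it as reliable.
rem    This writes the NtpServer and Type values under Parameters, so the
rem    missing NtpServer value does not have to be created by hand.
w32tm /config /manualpeerlist:%PEER% /syncfromflags:manual /reliable:yes /update

rem 4. Restart the Windows Time service so the new settings are used.
net stop w32time
net start w32time

rem 5. Force an immediate synchronization.
w32tm /resync /rediscover

rem 6. Verify the values now exist: NtpServer should hold the peer name
rem    and Type should read NTP (external source) rather than NT5DS.
reg query %KEY% /v NtpServer
reg query %KEY% /v Type

rem 7. Compare every DC in the domain against the PDC emulator.
w32tm /monitor

endlocal
```

After step 5, the System log on this DC should show the W32Time Event ID 37 described in the first reply, naming the configured source.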
 
 
 