
Anahaym asked DSPatrick commented

NTP for domain machines which are out of domain network

Hi, we have an Active Directory infrastructure based on WS 2016.
We also have a VPN server based on a Check Point router.
When a client computer is located in the domain's local network, everything is fine: domain-joined computers get time from the DCs. But when a user works from home, his computer can't reach the DC and loses time sync. The connection to the DC is restored only after the user logs in and starts the VPN. The problem is that the user is unable to log in due to time synchronization issues, getting an error on the logon screen: Bad request timestamp.
Question: is it possible to configure NTP on the client so that it uses an external NTP server while outside the domain LAN, and the DC NTP server while inside the domain LAN?

Thank you!

Tags: windows-server, windows-10-general

Anahaym answered

I've used a GPO and it looks like it works. I have only one question: which flags should I use for the external time server: 0x2?

[attachment: image.png]


DaisyZhou-MSFT answered DaisyZhou-MSFT edited

Hello @Anahaym,

Thank you for posting here.

We can configure it as below on this client computer.

Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
Key Name: Type
Type: REG_SZ(String Value)
Data: AllSync


[attachment: ti1.png]


Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Key Name: AnnounceFlags
Type: REG_DWORD (DWORD Value )
Data: 0xa

[attachment: ti2.png]


After we configure the registry values above, check whether the problem "the user is unable to log in due to time synchronization issues, getting an error on the logon screen: Bad request timestamp" disappears.

When the user brings the client computer back to the AD domain network, the client computer should switch from the external NTP server to the DC NTP server automatically.


For more information, we can refer to the link below.
Windows Time service tools and settings
https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings#parameters


Hope the information above is helpful.

Should you have any questions or concerns, please feel free to let us know.


Best Regards,
Daisy Zhou


============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.



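The answer above lists the registry values but not how to apply them, how to tell W32Time to pick them up, or how to confirm which source the client ends up using. The following PowerShell script is an added example, not code from the thread or from Microsoft: it sets Type=AllSync and AnnounceFlags=0xa exactly as described, adds an external peer list so there is something to sync from off the LAN, and then queries the service. The pool.ntp.org names and the DC name are placeholders (assumptions) to be replaced with your own servers. Two caveats a practitioner will want: if the "Configure Windows NTP Client" GPO mentioned earlier in the thread is applied, its values under HKLM\SOFTWARE\Policies\Microsoft\W32Time take precedence over the Services\W32Time keys edited here, so the same settings must go into the GPO instead; and internet NTP is unauthenticated, which is why the external peers are marked with the 0x2 fallback flag so they are consulted only when no DC answers.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): apply Type=AllSync and AnnounceFlags=0xa,
# add external fallback peers, and verify the resulting time source.

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$config = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time'   # written by the Windows Time GPOs

# Per-peer flags documented for the NtpServer value:
#   0x1 SpecialInterval, 0x2 UseAsFallbackOnly, 0x4 SymmetricActive, 0x8 Client
# 0xa = Client + UseAsFallbackOnly: these peers are used only when every non-fallback
# source (the DCs reached through the domain hierarchy) has failed.
# Host names below are placeholders; substitute your own external servers.
$externalPeers = '0.pool.ntp.org,0xa 1.pool.ntp.org,0xa 2.pool.ntp.org,0xa'

if (Test-Path $policy) {
    Write-Warning "A Windows Time GPO is applied ($policy); its settings override the values set below."
}

# 1. Sync from both the domain hierarchy and the manual peer list (AllSync).
Set-ItemProperty -Path $params -Name Type      -Value 'AllSync'      -Type String
Set-ItemProperty -Path $params -Name NtpServer -Value $externalPeers -Type String

# 2. AnnounceFlags 0xa (the client default): announce as a time server and as reliable
#    only automatically, i.e. never on a plain workstation.
Set-ItemProperty -Path $config -Name AnnounceFlags -Value 0xa -Type DWord

# 3. Make W32Time reread its configuration and force a resync.
w32tm /config /update | Out-Null
Restart-Service -Name w32time
w32tm /resync /nowait | Out-Null

# 4. Report the active source and stratum. On the LAN the source should be a DC;
#    from home (before the VPN is up) it should be one of the external peers.
function Get-W32TimeState {
    $source  = (w32tm /query /source) -join ''
    $status  = w32tm /query /status
    $stratum = $null
    foreach ($line in $status) {
        # Example line: "Stratum: 3 (secondary reference - syncd by (S)NTP)"
        if ($line -match '^Stratum:\s+(\d+)') { $stratum = [int]$Matches[1] }
    }
    [pscustomobject]@{
        Source  = $source
        Stratum = $stratum
        Type    = (Get-ItemProperty -Path $params).Type
    }
}
Get-W32TimeState

# 5. Optional: measure the offset against a DC once it is reachable. Kerberos rejects
#    requests whose timestamp is more than 5 minutes off by default (the "Bad request
#    timestamp" error in the question). dc01.corp.example is a placeholder name.
# w32tm /stripchart /computer:dc01.corp.example /samples:3 /dataonly
```

Run it once on the affected client, then compare `Get-W32TimeState` output on the LAN and from home; `w32tm /query /peers` additionally lists every configured peer with its state, which is the quickest way to see whether the DC or a fallback peer was chosen.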

DSPatrick answered

Any progress or updates?

--please don't forget to Accept as answer if the reply is helpful--





DSPatrick answered DSPatrick commented

You probably don't need any flags defined. When defining a list of NTP servers to sync from, we can specify the following flags:

- 0x1 Instead of following the NTP specification, wait for the interval specified in the SpecialPollInterval entry before attempting to reconnect this time source. Setting this flag decreases network usage, but it also decreases accuracy.
- 0x2 Use this time source only as a fallback. If all time sources that are not fallbacks have failed, then the system selects one fallback time source at random and uses it.
- 0x4 Set the local computer to operate in symmetric active mode in the association with this source.
- 0x8 Set the local computer to operate in client mode in the association with this source.


--please don't forget to Accept as answer if the reply is helpful--






Ok, thank you!


You're welcome. (wrong answer marked??)

--please don't forget to Accept as answer if the reply is helpful--



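The flag list in the last answer is easy to misread once several peers with different suffixes are combined into one NtpServer string. As an added example (not part of the thread), the PowerShell function below parses the space-separated `host,0xN` entries of an NtpServer value into per-peer records, decodes the flag bits named above, and marks which peers are fallback-only (0x2). With no argument it reads the live registry value; the sample string passed at the end is constructed for the demonstration, and the host names in it are placeholders.

```powershell
# Added example (not from the original post): decode the per-peer flag suffixes of
# the W32Time NtpServer value. Flag meanings are those listed in the answer above.

$PeerFlagNames = [ordered]@{
    0x1 = 'SpecialInterval'    # poll at SpecialPollInterval instead of per the NTP spec
    0x2 = 'UseAsFallbackOnly'  # used only after every non-fallback source has failed
    0x4 = 'SymmetricActive'
    0x8 = 'Client'
}

function ConvertFrom-NtpServerValue {
    param(
        # Default: the live value; pass -Value to decode a string offline.
        [string]$Value = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters').NtpServer
    )
    foreach ($entry in ($Value -split '\s+' | Where-Object { $_ })) {
        # Each entry is "host" or "host,0xN"; split once so a stray comma can't hide the flags.
        $peerHost, $flagText = $entry -split ',', 2
        # A missing suffix means flags 0: plain NTP behaviour with the spec-defined poll interval.
        $flags = if ($flagText) { [int]$flagText } else { 0 }
        $names = $PeerFlagNames.Keys |
            Where-Object { $flags -band $_ } |
            ForEach-Object { $PeerFlagNames[$_] }
        [pscustomobject]@{
            Host     = $peerHost
            Flags    = ('0x{0:x}' -f $flags)
            Names    = ($names -join '+')
            Fallback = [bool]($flags -band 0x2)
        }
    }
}

# Constructed sample: a DC as the preferred peer, one external fallback-only peer,
# and the Windows default entry (0x9 = Client + SpecialInterval, not a fallback).
ConvertFrom-NtpServerValue -Value 'dc01.corp.example,0x8 0.pool.ntp.org,0xa time.windows.com,0x9' |
    Format-Table -AutoSize
```

For the sample string the output shows dc01.corp.example as Client (no fallback), 0.pool.ntp.org as Client+UseAsFallbackOnly, and time.windows.com as Client+SpecialInterval; that last row is worth noticing, because a default-style 0x9 external entry competes with the DC on equal terms instead of deferring to it.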