DanielSupport-0606 asked TEJAK-3430 published

Windows 2019 NTP not syncing

We are unable to get the server to use the NTP time, and it falls back to CMOS time. I'm 23 seconds off, but the company has moved to online banking and exact time sync is a base requirement. This implementation is on hold as well as the company's banking ability. This new environment was implemented to handle the banking system.

I opened a support ticket a week ago and support has spent about 8 hours connected to the server and a number of hours on phone support.

I'm reaching out to the community to see if I can get some suggestions.

This is a small single server environment.
- One HP ML350 server with Windows 2019 STD,
- HP switch,
- Sonicwall firewall


System process
- VoIP
- Wireless
- Accounting software
- Banking software
- VPN

Current Test results
(See dump below)

Actions I have executed
Used a couple of NTP test programs with good results
Reviewed Switch and firewall to verify rules
Ran packet scans from both the server and firewall - This is a copy of the file sent to MS but lost the screen shot with this editor

MS Support has run through a number of steps
- I set up GPO time sync - Support removed these settings to registry defined
- MS Requested Actions
- I install BDC server - Done installed 2016 BDC server - NTP time good on this server - Hyper-V based
- CMOS patched
- Waiting 3 days for MS response

What I'm seeing is that the third party NTP test tools are good with verification of the packets through the firewall

Using w32tm /stripchart /computer:time.google.com we are getting good results with verification of the packets through the firewall

Using w32tm /resync we get BAD results and only see packets on the Server using the Microsoft packet monitor

No changes were made to any device or the setting on either packet monitor between each command

There is a lot more done and tested and I'll try to expand with any questions from the community

Workaround option - looking for opinions
Make the Windows 2016 BDC primary?


Thanks
Dan

WCC-AD01 -- After WCC-AD02 BDC installed

C:\Users\Administrator>
C:\Users\Administrator>w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 1 (primary reference - syncd by radio clock)
Precision: -23 (119.209ns per tick)
Root Delay: 0.0000000s
Root Dispersion: 10.0000000s
ReferenceId: 0x4C4F434C (source name: "LOCL")
Last Successful Sync Time: 6/12/2021 11:11:34 AM
Source: Local CMOS Clock
Poll Interval: 6 (64s)

C:\Users\Administrator>w32tm /query /configuration
[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 5 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)

FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)

[TimeProviders]

NtpClient (Local)
DllName: C:\Windows\SYSTEM32\w32time.DLL (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
AllowNonstandardModeCombinations: 1 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 1024 (Local)
Type: NTP (Local)
NtpServer: time.windows.com,0x8 time.nist.gov,0x8 pool.ntp.org,0x8 (Local)

NtpServer (Local)
DllName: C:\Windows\SYSTEM32\w32time.DLL (Local)
Enabled: 0 (Local)
InputProvider: 0 (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 0 (Local)
InputProvider: 1 (Local)



C:\Users\Administrator>w32tm /query /peers

Peers: 6


Peer: pool.ntp.org,0x8
State: Active
Time Remaining: 7.2995920s
Mode: 3 (Client)
Stratum: 0 (unspecified)
PeerPoll Interval: 0 (unspecified)
HostPoll Interval: 6 (64s)

Peer: pool.ntp.org,0x8
State: Active
Time Remaining: 7.3152472s
Mode: 3 (Client)
Stratum: 0 (unspecified)
PeerPoll Interval: 0 (unspecified)
HostPoll Interval: 6 (64s)

Peer: pool.ntp.org,0x8
State: Active
Time Remaining: 7.3308100s
Mode: 3 (Client)
Stratum: 0 (unspecified)
PeerPoll Interval: 0 (unspecified)
HostPoll Interval: 6 (64s)

Peer: pool.ntp.org,0x8
State: Active
Time Remaining: 7.3463862s
Mode: 3 (Client)
Stratum: 0 (unspecified)
PeerPoll Interval: 0 (unspecified)
HostPoll Interval: 6 (64s)

Peer: time.nist.gov,0x8
State: Active
Time Remaining: 7.3620702s
Mode: 3 (Client)
Stratum: 0 (unspecified)
PeerPoll Interval: 0 (unspecified)
HostPoll Interval: 6 (64s)

Peer: time.windows.com,0x8
State: Active
Time Remaining: 7.3776937s
Mode: 3 (Client)
Stratum: 0 (unspecified)
PeerPoll Interval: 0 (unspecified)
HostPoll Interval: 6 (64s)

C:\Users\Administrator>w32tm /resync
Sending resync command to local computer
The computer did not resync because no time data was available.

C:\Users\Administrator>w32tm /stripchart /computer:time.google.com
Tracking time.google.com [216.239.35.8:123].
The current time is 6/12/2021 11:12:58 AM.
11:12:58, d:+00.0284005s o:+24.0492718s [ | @]
11:13:00, d:+00.0242894s o:+24.0498287s [ | @]
11:13:02, d:+00.0236041s o:+24.0494866s [ | @]
11:13:04, d:+00.0270472s o:+24.0504955s [ | @]
11:13:06, d:+00.0236929s o:+24.0492093s [ | @]
^C
C:\Users\Administrator>

WCC-AD01 -- After WCC-AD02 BDC installed


Summary:

This is a test of 3 different NTP processes
• Microsoft w32tm using
  o w32tm /resync command
• Microsoft w32tm using
  o w32tm /stripchart /computer:time.google.com command
• Galleon NTP Check tool

We capture packets in two devices
• SonicWall firewall
  o Using Sonicwall packet monitor
• Server
  o Using Microsoft packet monitor

Results showed that two methods produced good results with packet captures on both monitors to validate traffic and good results by the tools

The third method “w32tm /resync command” failed in the captures and the results


Galleon NTP Check tool
Program Results – Good Packets seen at each capture and results returned to the tool



SonicWall Firewall Packet monitor


Microsoft Network Monitor

Frame  Time        Date      Offset     Source        Destination   Protocol  Conversation
817    8:58:41 AM  6/8/2021  4.9129865  192.168.1.20  216.239.35.0  SNTP      {UDP:2, IPv4:1}
823    8:58:41 AM  6/8/2021  4.9557845  216.239.35.0  192.168.1.20  SNTP      {UDP:2, IPv4:1}
931    8:58:43 AM  6/8/2021  7.3931930  192.168.1.20  216.239.35.0  SNTP      {UDP:3, IPv4:1}
933    8:58:43 AM  6/8/2021  7.4348819  216.239.35.0  192.168.1.20  SNTP      {UDP:3, IPv4:1}

Description (same on every frame): SNTP:Common stub parser. See the "How Do I Change Parser Set Options(Version 3.3 or before) or Configure Parser Profile (Version 3.4)" help topic for tips on loading this parser set.

W32tm /resync
Program Results –
• Failed Shows sending packet but no return packets
• Packet did not show on firewall

C:\Users\Administrator>w32tm /resync command
'ow32tm' is not recognized as an internal or external command,
operable program or batch file.

C:\Users\Administrator>
C:\Users\Administrator>w32tm /resync
Sending resync command to local computer
The computer did not resync because no time data was available.

C:\Users\Administrator>w32tm /resync
Sending resync command to local computer
The computer did not resync because no time data was available.

Microsoft Network Monitor
Frame  Time         Date      Offset      Source        Destination      Protocol  Conversation
551    11:52:29 AM  6/8/2021  20.8355028  192.168.1.20  162.248.241.94   SNTP      {UDP:39, IPv4:38}
559    11:52:29 AM  6/8/2021  20.8817437  192.168.1.20  38.229.58.9      SNTP      {UDP:44, IPv4:43}
564    11:52:29 AM  6/8/2021  20.8910869  192.168.1.20  68.54.100.49     SNTP      {UDP:46, IPv4:45}
565    11:52:29 AM  6/8/2021  20.8911644  192.168.1.20  38.229.71.1      SNTP      {UDP:21, IPv4:20}
570    11:52:29 AM  6/8/2021  20.9533228  192.168.1.20  204.2.134.163    SNTP      {UDP:88, IPv4:87}
573    11:52:29 AM  6/8/2021  21.0001628  192.168.1.20  185.216.231.116  SNTP      {UDP:323, IPv4:322}
574    11:52:29 AM  6/8/2021  21.0002410  192.168.1.20  64.62.190.177    SNTP      {UDP:48, IPv4:47}
575    11:52:29 AM  6/8/2021  21.0003019  192.168.1.20  149.28.114.150   SNTP      {UDP:50, IPv4:49}
576    11:52:29 AM  6/8/2021  21.0782785  192.168.1.20  138.236.128.36   SNTP      {UDP:264, IPv4:263}
577    11:52:29 AM  6/8/2021  21.1251693  192.168.1.20  64.79.100.196    SNTP      {UDP:52, IPv4:51}
578    11:52:29 AM  6/8/2021  21.1252419  192.168.1.20  108.61.73.244    SNTP      {UDP:317, IPv4:316}

Description (same on every frame): SNTP:Common stub parser.

SonicWall Packet Monitor
No Packet captured

windows-server-2019

Hi,


Just want to confirm the current situation.
If there's anything you'd like to know, don't hesitate to ask.

Best Regards,


Hi, I am also facing similar issues on Windows 2019 domain controllers, and we observed that when the root dispersion value is 16 s, clients and member servers do not take time from the domain hierarchy. Please let me know if any solution solved your time sync issue.

FanFan-MSFT answered

Hi,
It will be helpful to narrow down the issue if you can help to collect the following information.

How many DCs do you have, and which one is the PDC?
Now the issue is that one domain member client can't synchronize time with the external time source, right?
Are all the DCs physical servers?
If any of the DCs are virtual machines, remember to disable time synchronization with the host.

Best Regards,


DanielSupport-0606 answered FanFan-MSFT commented

Thanks for responding

Here are the answers to your questions. Contact me if I missed something or did not understand the question correctly.

How many DCs do you have, and which one is the PDC?

The environment started with one DC (2019 STD). New environment about 2 months old. MS had me install a BDC to fix the issue. Installed a 2016 STD server configured as a BDC running in Hyper-V environment last Friday 6/11.


Now the issue is that one domain member client can't synchronize time with the external time source, right?

The 2019 PDC server (WCC-AD01) cannot sync with an external source and falls back to the CMOS clock. The newer 2016 BDC server (WCC-AD02) is able to sync with external time sources.

The 2019 server is a gateway to the banking destination and uses the time defined on the 2019 server to match the bank when communicating

Are all the DCs physical server?

The PDC 2019 STD server (WCC-AD01) is on new HP hardware and is unable to set external time. MS had me patch the BIOS with no effect.
The BDC 2016 STD server (WCC-AD02) is defined via Hyper-V on the 2019 server and is able to get external time.

If any of the DCs are virtual machine, remember to Disable time synchronization with the host.

Did not set this but the VM is not getting the time from the host.

It is difficult to define the exact cause. Monitoring the packet flow on the server and firewall, I see correct packet flow and results on the application with the third party NTP time tool and the w32tm /stripchart /computer:time.google.com command.

The w32tm /resync command fails and packets are not seen on the firewall

C:\Users\Administrator>w32tm /resync
Sending resync command to local computer
The computer did not resync because no time data was available.

All commands and the packet monitors are refreshed after each run and used the same command window. All parameters are kept the same for each test. While I don't have enough knowledge to back my thought, it appears that there is a problem with w32tm, as it works with the option to get the external time but fails when the option is to get and write the time to the system.

I need to either resolve or get a workaround. The company has had banking down for a week now and MS has not been responding to my emails for 4 days now, won't escalate the ticket and is not responding to actions they were going to provide.

I'm going to move the PDC from the 2019 server to the 2016 server tonight to get it to provide time to the 2019 server. Not sure if it will work but I can't wait for MS.

Any input would be very welcome. Even just a conversation to help discuss ideas.

Thanks again for your response and looking forward to your feedback

Dan


Had already confirmed the following information on the PDC:
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Key Name: AnnounceFlags
Type: REG_DWORD (DWORD Value )
Data: 0x5


Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
Key Name: Type
Type: REG_SZ(String Value)
Data: NTP


Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
Key Name: NtpServer
Type: REG_SZ(String Value)
Data: Peers (time.windows.com,0x9)

Best Regards,

DanielSupport-0606 answered FanFan-MSFT commented

I appreciate your help

The parameter below was different.
MS has spent about 8 hours connected to this server and back and forth with reg changes

Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
Key Name: NtpServer
Type: REG_SZ(String Value)
Data: Peers (time.windows.com,0x8 time.nist.gov,0x8 pool.ntp.org,0x8 )

I changed to your setting and tested with bad results.

I need to get the correct time on the 2019 server so will this work to make the 2016 the PDC and have the 2019 get time from the 2016 server? Correct me if I'm off track or missed something

Since opening the ticket with MS, I have installed the 2016 BDC. Last night I set up and confirmed DNS sync and moved the FSMO role to the 2016 server.

I should be able to turn on the Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpServer on the 2016 server

Set the 2019 server to use NT5DS or NTP from the 2016 server

Thanks for your help

Dan


Hi,
If the new DC was already set up, we may give it a try to see if this can fix the issue.
If there is any progress, you are welcome to share it here!
Best Regards,

DSPatrick answered

Some general info
- All domain members should use NT5DS domain time.
- Desktops and member servers sync with any domain controller.
- Domain controllers sync with PDC emulator (one per domain)
- PDC emulator in child domain can sync with any domain controller in parent domain.
- PDC emulator in parent domain syncs with either a hardware clock or possibly an external source.
https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-directory/

On the PDCe

w32tm /unregister
net stop w32time
w32tm /register
net start w32time
w32tm /config /manualpeerlist:<ntp ip address> /syncfromflags:manual /reliable:yes /update
net stop w32time
net start w32time
then check
w32tm /query /source
w32tm /query /configuration
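
One way to automate the "then check" step, as an added example that is not part of the answer above: it parses `w32tm /query /status` and `w32tm /stripchart` text and reports when the service is still running on the local clock while an external server is reachable. The sample strings are excerpts of the output posted in the question; the function names and the 1-second tolerance are assumptions.

```python
import re
from statistics import mean

# Excerpts of the w32tm output posted in the question above.
STATUS_TEXT = """\
Stratum: 1 (primary reference - syncd by radio clock)
Root Dispersion: 10.0000000s
ReferenceId: 0x4C4F434C (source name: "LOCL")
Last Successful Sync Time: 6/12/2021 11:11:34 AM
Source: Local CMOS Clock
"""
STRIPCHART_TEXT = """\
Tracking time.google.com [216.239.35.8:123].
11:12:58, d:+00.0284005s o:+24.0492718s [ | @]
11:13:00, d:+00.0242894s o:+24.0498287s [ | @]
11:13:02, d:+00.0236041s o:+24.0494866s [ | @]
"""

# Source strings w32tm reports when no external peer disciplines the clock.
LOCAL_SOURCES = {"local cmos clock", "free-running system clock"}
OFFSET_RE = re.compile(r"\bo:([+-]\d+\.\d+)s")


def parse_status(text):
    """Turn the 'Key: value' lines of `w32tm /query /status` into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def stripchart_offsets(text):
    """Return the o: (clock offset) samples, in seconds, from stripchart output."""
    return [float(m.group(1)) for m in OFFSET_RE.finditer(text)]


def check_time_sync(status_text, stripchart_text, max_offset_s=1.0):
    """List the reasons the host is not following an external NTP source."""
    status = parse_status(status_text)
    findings = []
    source = status.get("Source", "")
    if source.lower() in LOCAL_SOURCES:
        findings.append(f"source is '{source}', not an NTP peer")
    if '"LOCL"' in status.get("ReferenceId", ""):
        findings.append("ReferenceId is LOCL (local clock)")
    offsets = stripchart_offsets(stripchart_text)
    if not offsets:
        findings.append("no stripchart samples parsed")
    elif abs(mean(offsets)) > max_offset_s:  # tolerance is an assumed value
        findings.append(f"clock is {mean(offsets):+.3f}s from the reference")
    return findings


if __name__ == "__main__":
    for finding in check_time_sync(STATUS_TEXT, STRIPCHART_TEXT):
        print("FAIL:", finding)
```

On the server itself the two strings would come from capturing the output of the same two commands after the service restart.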

DSPatrick answered

Just checking if there's any progress or updates?

--please don't forget to upvote and Accept as answer if the reply is helpful--
