How to Fix Windows Time Sync in a Domain

Time on a Windows domain-based network is very important.  Time is used by people to get to meetings on time and within database transactions.  Time is also used extensively in Kerberos authentication.  If your computer clock is off by a few minutes from an authenticating server or another computer, you may be unable to log on.  One symptom of this behavior is an error or warning that says “Incorrect Username or Password” when neither is wrong, but the computer time on either your end or the remote end is incorrect.

There are various ways to correct this problem or improve how time is synced.  I recently encountered this problem at my job.  The issue had probably existed much longer, but we noticed it a few weeks after migrating the FSMO roles from an old server to a new server; we had time sync issues throughout our domain after this was done.  One of the FSMO roles transferred is called the PDC role, and this role regulates the time for the domain.

Problems we encountered:

  • Various servers, both within the same site and in different sites, were a few minutes ahead or behind
  • Some machines had to be rebooted before they would connect and get the correct time
  • After running a command such as “net time %logonserver% /set /y” the computers would still lose time after a few days
  • Time still wasn’t correct compared with the cell and GPS time servers we were pulling from.

In a working domain environment the time should flow this way:

PDC Server > Domain Controllers > Computers & Servers

In our environment nothing was working well.

How I made the time a lot more reliable: my first step was to make the domain time the same on all the machines, so that Kerberos would not fail.

Step 1

  • Make the time on every server sync up, even if it was wrong relative to external time.
    • This is important because I could at least change the time on the PDC server afterwards and get the time correct.  All the machines need to have the same correct time even when they are in a different time zone (the offset is calculated automatically in Windows).  If the time is not correct, email servers stop working and people can’t connect to other machines… which is a big problem!
    • Via Group Policy, force the client machines to update the time every hour instead of once per day.  In our case the time was drifting out of sync faster than it could resync.  Windows will only correct a certain number of seconds per day.  If the time service is removing 30 seconds from the clock but the time server only updates once per day, you could be accumulating more seconds of error over time.
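Before pushing any Group Policy or running reset scripts it helps to know what each machine is currently configured to do, which is also how you find the old time servers that are still handing out time.  The following PowerShell audit is an added example, not code from the original post: it reads the standard W32Time registry keys (Parameters\Type, Parameters\NtpServer, Config\AnnounceFlags, Config\MaxPollInterval, TimeProviders\NtpClient\SpecialPollInterval, TimeProviders\NtpServer\Enabled) and flags settings that work against the flow PDC > Domain Controllers > Computers.  The hourly thresholds, the `-IsPdc` switch and the `-RetiredTimeServers` list are this example's own assumptions; it needs PowerShell 5.1 or later and is read-only.

```powershell
# Added example (not from the original post): audit the local Windows Time
# service configuration from the registry and flag settings that cause the
# drift described above. Registry paths and value names are the standard
# W32Time keys; the thresholds and parameter names are this example's own.

$W32Time = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

function Get-RegValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the value is absent instead of throwing
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-W32TimeAudit {
    param(
        # Set to $true when running on the DC that holds the PDC Emulator role
        [bool]$IsPdc = $false,
        # Hostnames that should no longer be handing out time (assumed example input)
        [string[]]$RetiredTimeServers = @()
    )
    $type     = Get-RegValue "$W32Time\Parameters" 'Type'       # NT5DS = domain hierarchy, NTP = manual peers
    $peers    = Get-RegValue "$W32Time\Parameters" 'NtpServer'  # space-separated peer list
    $announce = Get-RegValue "$W32Time\Config"     'AnnounceFlags'
    $maxPoll  = Get-RegValue "$W32Time\Config"     'MaxPollInterval'  # log2 seconds
    $special  = Get-RegValue "$W32Time\TimeProviders\NtpClient" 'SpecialPollInterval'  # seconds
    $serving  = Get-RegValue "$W32Time\TimeProviders\NtpServer" 'Enabled'

    $findings = New-Object System.Collections.Generic.List[string]

    if ($IsPdc) {
        if ($type -ne 'NTP') {
            $findings.Add("PDC should use Type=NTP with manual external peers, found '$type'")
        }
        # Bit 0x4 is the 'reliable time source' announcement that w32tm /reliable:yes sets
        if (-not ($announce -band 0x4)) {
            $findings.Add("PDC does not announce itself as a reliable time source (AnnounceFlags=$announce)")
        }
    } else {
        if ($type -ne 'NT5DS') {
            $findings.Add("Member should follow the domain hierarchy (Type=NT5DS), found '$type'")
        }
        if ($serving -eq 1) {
            $findings.Add('Machine is serving NTP to others; normally only domain controllers should')
        }
    }

    foreach ($old in $RetiredTimeServers) {
        if ($peers -and $peers -match [regex]::Escape($old)) {
            $findings.Add("Peer list still references retired time server '$old'")
        }
    }

    # Hourly target from the post. Heuristic (assumption): manual peers poll on
    # SpecialPollInterval seconds; hierarchy clients poll at most every 2^MaxPollInterval seconds.
    if ($type -eq 'NTP' -and $special -gt 3600) {
        $findings.Add("SpecialPollInterval is $special s; 3600 s gives the hourly poll the post recommends")
    }
    if ($type -eq 'NT5DS' -and $maxPoll -gt 12) {
        $findings.Add("MaxPollInterval is $maxPoll (2^$maxPoll s); 12 or lower keeps polls within roughly an hour")
    }

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        Type                = $type
        NtpServer           = $peers
        AnnounceFlags       = $announce
        MaxPollInterval     = $maxPoll
        SpecialPollInterval = $special
        ServesTime          = [bool]$serving
        Findings            = $findings
    }
}

# Usage: run on each machine (or via Invoke-Command); 'oldtimeserver' is a constructed name
Get-W32TimeAudit -RetiredTimeServers 'oldtimeserver' | Format-List
```

Run it with `-IsPdc $true` on the PDC Emulator and without it everywhere else; any machine whose `Findings` list is not empty is a candidate for the reset scripts further down.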

Step 2

  • After making the servers and computers sync up throughout the domain, I began getting the time sync working with the external time pools so we would have much more accurate time.  Out of the box, Windows will try to sync with time.microsoft.com; this server is overloaded by requests from around the world and doesn’t do a good job.

What to do

  1. Find all old time servers and make sure they are no longer acting as time servers by resetting their configurations.

A. Reset Domain Controllers, Member Servers and Clients (Do not use on a PDC Role Domain Controller)

@echo off
cls
echo .....................................
echo . WARNING - PLEASE READ - DC Time Sync Fix
echo . Running this on a DC that has the PDC role will create issues.
echo . Please make sure you are not running this on DC which contains this role.
echo . Otherwise you may run this on any server or client
echo .....................................
pause
REM - RESETS THE TIME SERVICE TO DEFAULT SETTINGS
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
ping -n 3 127.0.0.1 > nul

REM - TELLS THE SERVER TO LOOK FOR THE TIME within the DOMAIN FOREST. 
w32tm /config /syncfromflags:domhier /update
ping -n 3 127.0.0.1 > nul

REM - FORCES TIME SERVICE TO RESYNC IMMEDIATELY
net stop w32time && net start w32time
w32tm /resync /nowait
cls
echo .....................................
echo . DC Time Sync Fix Completed
echo .....................................
ping -n 3 127.0.0.1 > nul
exit

  2. Configure Group Policy if desired to automatically check the time and make the appropriate corrections every hour instead of every day (the default).

  • I made my PDC act as the time server.  It technically is the master time server already.  The time will naturally flow to the domain controllers and remote sites, but it is vital to ensure the PDC is able to connect to the external pools.  Make sure that UDP port 123 outbound is open.

A. Reset PDC DC Server Time Service

@echo off
cls
echo .....................................
echo . PDC - DC - Time Sync Fix
echo .....................................
REM - RESETS THE TIME SERVICE TO DEFAULT SETTINGS
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
ping -n 3 127.0.0.1 > nul

REM - SETS the TIME SYNC PEERS. 
w32tm /config /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" /syncfromflags:manual /reliable:yes /update
ping -n 3 127.0.0.1 > nul

REM - FORCES TIME SERVICE TO RESYNC IMMEDIATELY
net stop w32time
ping -n 5 127.0.0.1 > nul
net start w32time
w32tm /resync /nowait
cls
echo .....................................
echo . PDC - DC - Time Sync Fix Completed
echo .....................................
ping -n 10 127.0.0.1 > nul
exit

Force the PDC to sync with large external time pools to ensure accuracy and reliability.  You must make sure the server is able to communicate on UDP port 123 outbound for the time sync to work.  Windows Server may show information stating it is working and you will see success messages, but in reality it may not be working at all… I encountered this numerous times.  Keep in mind it may take several hours for the time to be reflected correctly throughout the organization.
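Because the service can report success while nothing is actually being received, the check worth keeping is one that does not trust w32tm's own status.  The PowerShell below is an added example, not code from the original post.  The first function sends a raw SNTP request over UDP 123 and decodes the reply's transmit timestamp, so a timeout proves the outbound port is blocked regardless of what the configuration commands said.  The second function uses the built-in `w32tm /query /computer:<target> /source` and `w32tm /stripchart /computer:<target> /samples:3 /dataonly` switches to report each machine's source and offset.  The hostnames, the 60-second warning threshold and the assumption of a '.' decimal separator in the stripchart output are this example's own.

```powershell
# Added example (not from the original post): verify that time sync really
# works instead of trusting the service's success messages. Part 1 sends a raw
# SNTP request over UDP 123 to prove the PDC can reach the external pool; part 2
# asks w32tm for each domain machine's source and offset. Hostnames and the
# 60-second threshold are this example's assumptions. Needs PowerShell 5.1+.

function Test-NtpServer {
    param([string]$Server, [int]$TimeoutMs = 3000)
    # 48-byte SNTP request: LI=0, version 3, mode 3 (client) packed in the first byte
    $request = New-Object byte[] 48
    $request[0] = 0x1B
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($Server, 123)
        [void]$udp.Send($request, $request.Length)
        $remote = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $reply = $udp.Receive([ref]$remote)
        # Transmit timestamp is bytes 40-47: big-endian seconds since 1900-01-01
        # followed by a 32-bit fraction; reverse the bytes for BitConverter.
        $seconds  = [BitConverter]::ToUInt32([byte[]]$reply[43..40], 0)
        $fraction = [BitConverter]::ToUInt32([byte[]]$reply[47..44], 0)
        $epoch = [DateTime]::new(1900, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
        $serverUtc = $epoch.AddSeconds($seconds + $fraction / [Math]::Pow(2, 32))
        [pscustomobject]@{
            Server        = $Server
            Reachable     = $true
            ServerUtc     = $serverUtc
            OffsetSeconds = [Math]::Round(($serverUtc - [DateTime]::UtcNow).TotalSeconds, 3)
        }
    } catch {
        # A timeout here usually means UDP 123 outbound is blocked, even when
        # w32tm /config reported the peer list was applied successfully.
        [pscustomobject]@{ Server = $Server; Reachable = $false; ServerUtc = $null; OffsetSeconds = $null }
    } finally {
        $udp.Close()
    }
}

function Get-DomainTimeOffsets {
    param(
        [string[]]$ComputerName,
        # Offsets beyond this many seconds are flagged; Kerberos rejects requests once skew exceeds its 5-minute default
        [double]$WarnSeconds = 60
    )
    foreach ($computer in $ComputerName) {
        # 2>&1 keeps w32tm's error text in the report instead of losing it
        $source = (& w32tm /query /computer:$computer /source 2>&1) -join ' '
        $chart  = & w32tm /stripchart /computer:$computer /samples:3 /dataonly 2>&1
        # /dataonly lines look like "12:00:01, +00.0012345s" (assumes '.' as decimal separator)
        $offsets = foreach ($line in $chart) {
            if ("$line" -match '([+-]\d+\.\d+)s') { [double]$Matches[1] }
        }
        $mean = if ($offsets) { [Math]::Round(($offsets | Measure-Object -Average).Average, 3) } else { $null }
        [pscustomobject]@{
            Computer      = $computer
            Source        = $source
            OffsetSeconds = $mean
            Status        = if ($null -eq $mean) { 'UNREACHABLE' }
                            elseif ([Math]::Abs($mean) -gt $WarnSeconds) { 'DRIFT' }
                            else { 'OK' }
        }
    }
}

# Usage (run on the PDC): external reachability first, then the domain members.
# 'dc01', 'dc02' and 'fileserver01' are constructed names for this example.
Test-NtpServer -Server '0.pool.ntp.org'
Get-DomainTimeOffsets -ComputerName 'dc01', 'dc02', 'fileserver01' | Format-Table -AutoSize
```

A `Reachable = False` from the first function while the PDC's `w32tm /query /status` still claims a healthy peer is exactly the false-success case described above; a member with `Source` pointing at a retired server or at `Local CMOS Clock` has not picked up the domain hierarchy yet.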