Dual DC Time Service

Tags: active-directory, ntp, windows-server-2008

I believe I'm having an issue with my Domain Controllers and Time Server. On my backup DC, I keep seeing a warning stating "The time service has stopped advertising as a time source because the local clock is not synchronized."

Does this mean that my backup DC believes it's a Time Server? My PDC should be the time server and I have gone through setting up the PDC as the time server.

I was not around for the original setup of the time server with the old PDC and Backup DC. But I believe the old PDC was the time server, so I set up the new PDC as the new time server when I decommissioned the old PDC. Is it possible that the Backup DC was set up as the time server and it still thinks it's supposed to be giving out time to everyone?

Registry for PDC has NTP
Registry for Backup has NT5D5

Results of w32tm /monitor

Getting AD DC list for default domain...
Analyzing:

Warning:
Reverse name resolution is best effort. It may not be
correct since RefID field in time packets differs across
NTP implementations and may not be using IP addresses.

DC2.local..com[192.168.1.8:123]:
    ICMP: 1ms delay
    NTP: -0.6349491s offset from DC1.local..com
        RefID: DC1.local..com [192.168.1.9]
    Stratum: 4
DC1.local..com *** PDC ***[192.168.1.9:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from DC1.local..com
        RefID: wwwco1test12.microsoft.com [65.55.21.20]
    Stratum: 3

Best Answer

Ok, first to clear a few things up: there are no PDCs and BDCs unless you're in an NT4 domain. If this is the case, skip the rest of my answer; you're on your own there. In Windows 2000 AD and later, there are multi-master peers. One of the multi-master (FSMO) roles is PDC Emulator. The word Emulator is important, as it is not a PDC. It is simply a peered Domain Controller that performs some additional functions that used to be performed exclusively by a PDC.

One of those functions is providing time services to other DCs and to member servers. The way that a Windows Domain handles time sync is as follows:

Windows Clients -----> Logon Server -----> DC with the PDC Emulator role

What this means is that some clients will sync their time directly with the DC holding the PDC Emulator role, but only if that DC is their logon server. You can check this by inspecting the %logonserver% environmental variable on a domain member.

If you run w32tm /monitor you should be able to see all Domain Controllers in your AD. The lower the stratum, the better. Your PDC Emulator should have the lowest stratum of the bunch, normally 4 or 5.

As you can see, ALL DCs act as time sources in the domain. All DCs sync their time from the PDC Emulator. As such, if a non-PDC Emulator is set to sync its time from an external source (which I think may be your actual issue), you want to reset this to sync from the domain hierarchy. To do this, run w32tm /config /syncfromflags:DOMHIER /Update then stop and start the Windows Time Service and run w32tm /resync.

Before you do any of this, make sure that the server holding the PDC Emulator role is configured to sync from a reliable external source or has a good internal clock. It's usually best to sync it from an external source.


tl;dr; - Sounds like your config is a bit screwed up. All DCs offer time service. Make sure your PDC Emulator syncs from a reliable source. Then make sure that all other DCs and domain members sync from the default domain hierarchy.
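As an added example (not part of the original question or answer), the following PowerShell script carries out the answer's procedure on a domain controller and checks the registry value the question quotes. It identifies the PDC Emulator without the AD module (so it also works on Server 2008), reads the W32Time Type value (NT5DS = domain hierarchy, NTP = manual peer list), and then either points the PDC Emulator at an external peer list or resets any other DC to the domain hierarchy with w32tm /config /syncfromflags:DOMHIER /update, restarts the service and forces a resync. The peer list in $ExternalPeers is a placeholder I chose for illustration, not a recommendation from the page; substitute the time servers your organisation actually trusts.

```powershell
# Added example, not from the original post: audit and repair the W32Time
# source configuration of a domain controller, following the answer above.
# Run from an elevated PowerShell prompt on each DC.

# Placeholder peer list (assumption): replace with trusted NTP servers.
$ExternalPeers = "0.pool.ntp.org,0x8 1.pool.ntp.org,0x8"
$W32TimeParams = "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters"

# Find the PDC Emulator via .NET so this works without the AD PowerShell module.
$domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdcFqdn  = $domain.PdcRoleOwner.Name
$thisFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$isPdc    = ($thisFqdn -ieq $pdcFqdn)

# Report the current state before changing anything.
$type = (Get-ItemProperty -Path $W32TimeParams -Name Type).Type
Write-Host "This host   : $thisFqdn"
Write-Host "PDC Emulator: $pdcFqdn"
Write-Host "W32Time Type: $type   (NT5DS = domain hierarchy, NTP = manual peer list)"
Write-Host "Source currently reported by w32tm:"
w32tm /query /source

if ($isPdc) {
    # The PDC Emulator is the top of the domain hierarchy: it must sync from a
    # reliable external source and advertise itself as reliable.
    if ($type -ne "NTP") {
        Write-Host "PDC Emulator is not configured for an external source; fixing."
    }
    w32tm /config /manualpeerlist:"$ExternalPeers" /syncfromflags:MANUAL /reliable:YES /update
} else {
    # Every other DC must follow the domain hierarchy. A non-PDC DC set to a
    # manual peer list is the misconfiguration the answer describes: it keeps
    # advertising as a time source while its own clock is not synchronised.
    if ($type -ne "NT5DS") {
        Write-Host "Non-PDC DC has Type=$type instead of NT5DS; resetting to domain hierarchy."
    }
    w32tm /config /syncfromflags:DOMHIER /update
}

# Apply the change: restart the service, force a resync, and show the result.
Restart-Service w32time
w32tm /resync /rediscover
w32tm /query /status
```

After running it, a non-PDC DC should report the PDC Emulator as its source and a stratum one higher than the PDC's (as DC2 does in the question's w32tm /monitor output), while the PDC Emulator should report the external peer. On a domain member, w32tm /query /source should name the machine in %logonserver%, which is the Windows Clients -> Logon Server -> PDC Emulator chain the answer describes.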