Why is the time on the Server 2008 R2 DC wrong? It’s syncing to ntp.org, it claims

Tags: ntp, time, time-synchronization, windows-server-2008-r2

OK. After a lot of fun with syncing time across my workstations, I got that sorted out. My workstations are now perfectly synced with my Server 2008 R2 Domain Controller (physical server, not virtual).

Unfortunately, that means all our computers are now WRONG because the time is incorrect!

I have configured the Domain Controller using a Group Policy as such:

  • enable Windows NTP Server (works great, all the workstations are pulling the wrong time from this server)
  • enable Windows NTP Client
  • configure Windows NTP Client

Config:

NtpServer: ca.pool.ntp.org,0x09
Type: NTP
CrossSiteSyncFlags: 2
ResolvePeerBackoffMinutes: 15
ResolvePeerBackoffMaxTimes: 7
SpecialPollInterval: 3600
EventLogFlags: 0

The output of w32tm /query /status is:

Leap Indicator: 3(last minute has 61 seconds)
Stratum: 3 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0949367s
Root Dispersion: 4.6343267s
ReferenceId: 0xC632918A (source IP:  198.50.145.138)
Last Successful Sync Time: 2014-08-05 11:34:35 AM
Source: ca.pool.ntp.org,0x09
Poll Interval: 6 (64s)

And w32tm /query /peers is:

#Peers: 1

Peer: ca.pool.ntp.org,0x09
State: Active
Time Remaining: 2064.7302675s
Mode: 3 (Client)
Stratum: 2 (secondary reference - syncd by (S)NTP)
PeerPoll Interval: 6 (64s)
HostPoll Interval: 6 (64s)

As far as I can tell, everything is right. But my current time is 11 minutes ahead of what http://time.gov/ says is the right time for my time zone. What the heck???

The worst part is if I do a w32tm /resync it gets the right time and everything drifts back into place, and then a few days later it's horribly wrong again so it's really hard to troubleshoot. Thoughts?

Best Answer

CRUMMY ANSWER, I will switch the answer to a better one when a better one shows up. This is what I did for now.

I still have no idea why the group policy didn't work, but I "fixed" it by disabling the group policy that told it to enable and configure the NTP client (NTP server part is still on).

This broke the w32tm service on the server. W32tm simply returned some permission message, and "net start w32time" said something about the service being queued to be removed.

I had to reboot the server, run w32tm /register, reboot the server again, and then the server began using its own internal clock, which is more accurate than randomly skewing the NTP time forward by 10+ minutes in three days.

I will try the command line version of w32tm syncing from NTP at some future date, but I shouldn't have to do that - that's the entire point of group policy, no? I wanted to just be able to replace this DC with another one and have the NTP server set itself up.

I'm wondering if Microsoft's Group Policy templates are broken for the NTP client.
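As an added example (not part of the original question or answer, and not Microsoft's code), the PowerShell below parses `w32tm /query /status` text like that shown in the question, flags the leap indicator and root dispersion, and decodes the `,0x09` suffix on the NTP source. The function name and the 1-second dispersion threshold are assumptions chosen for illustration.

```powershell
# Added example. Function name and dispersion threshold are assumptions.
# NtpServer flag bits as documented for the Windows Time service.
$NtpFlagBits = @(
    @{ Bit = 0x01; Name = 'SpecialInterval' }
    @{ Bit = 0x02; Name = 'UseAsFallbackOnly' }
    @{ Bit = 0x04; Name = 'SymmetricActive' }
    @{ Bit = 0x08; Name = 'Client' }
)
function Test-W32tmStatus {
    param(
        [Parameter(Mandatory)][string]$Text,
        [double]$MaxRootDispersionSeconds = 1.0   # assumed alert threshold
    )
    # Parse "Key: value" lines; split on the first colon only, because
    # values such as the sync timestamp contain colons themselves.
    $s = @{}
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^\s*([^:]+):\s*(.*)$') { $s[$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    $out = @()
    # In NTP (RFC 5905) leap indicator 3 is the alarm value: clock not synchronized.
    if ($s['Leap Indicator'] -match '^3\b') {
        $out += [pscustomobject]@{ Level = 'WARN'; Message = 'Leap Indicator 3: clock is flagged as not synchronized' }
    }
    if ($s['Root Dispersion'] -match '^([\d.]+)s') {
        $disp = [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
        if ($disp -gt $MaxRootDispersionSeconds) {
            $out += [pscustomobject]@{ Level = 'WARN'; Message = "Root Dispersion ${disp}s is above ${MaxRootDispersionSeconds}s" }
        }
    }
    if ($s['Source'] -match ',0x([0-9A-Fa-f]+)$') {
        $hex = $Matches[1]
        $flags = [Convert]::ToInt32($hex, 16)
        $names = $NtpFlagBits | Where-Object { $flags -band $_.Bit } | ForEach-Object { $_.Name }
        $out += [pscustomobject]@{ Level = 'INFO'; Message = "Source flags 0x$hex = $($names -join ' + ')" }
    }
    $out
}
# Relevant status lines copied from the question above.
$sample = @'
Leap Indicator: 3(last minute has 61 seconds)
Root Delay: 0.0949367s
Root Dispersion: 4.6343267s
Last Successful Sync Time: 2014-08-05 11:34:35 AM
Source: ca.pool.ntp.org,0x09
'@
Test-W32tmStatus -Text $sample | Format-Table -AutoSize
```

On a live server, pass `(w32tm /query /status | Out-String)` as `-Text` instead of the sample.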