Windows 2008 R2 64 bit multihomed. NTP time synching issue

ntp, time, windows

I have a DMZ machine that I wish to sync to a time source ().pool.ntp.org.
Perimeter Firewall is set up to allow relevant ports through.
Obviously local FW on the server is on and configured to allow again, the relevant ports through for time sync.
The configurations in the registry have been checked for the windows time service: the server is not a domain member (in DMZ). –i.e. it is an NTP 'type' configuration.

So, i.e., the various registry settings have been set. My question is this.

I open the GUI to adjust the time settings and open the internet setting tab and insert the pool.ntp address – this is fine! I ask it to update by clicking the button and I get an error about "…..time expired". Not fine, but stay with me: when I go to the command line and type w32tm /query /status or w32tm /query /source, the info that comes back is (among other things) source:Local CMOS Clock, and when I type w32tm /resync I get "…..no time data was available".

I followed a fair amount of advice from various posts on the net, to no avail. From the command line with w32tm I am always getting "source:Local CMOS Clock"; this may or may not matter and is probably the reason why I get the "….no data available" message for the resync.

I have not been able to get a "successfully synched message" from my manual efforts and I am waiting for the automated synch messages.

Win 2003 from my internal network is working fine….no issues.

Does anyone have an explanation as to why the command line and the GUI can be so different?
There are three (registry, date/time GUI, w32tm command line tool) ways to set the NTP server as far as I can see, and I expect that they should all be linked to the same mechanism.
Very frustrating……

If I set the NTP server in the GUI, I expect it to be reflected in the command line and the registry. Am I wrong in this belief? P.S. Event viewer on the server does not indicate anything untoward (a lot of schannel errors, and that is another problem I guess)… I will keep an eye out though. Here are the outputs for the w32tm CLIs and GUI. Mind you, I did see a successfully synched message on the GUI since I posted this question.

Here is the latest synch (GUI)… the command line still shows the same errors as outlined.

Best Answer

It looks like this is a VMware VM, and it is set up to synchronize its time with the VMware host using the VMware tools time synchronization mechanism. You should disable that time synchronization option in VMware tools if you want to use NTP to synchronize time instead.

Assuming you have disabled VMware's time sync, run w32tm /monitor /computers:au.pool.ntp.org. If you are having connectivity issues, this will fail with a "no response". Then you need to re-verify the firewall rules.

Note your VMware host should also synchronize its time using NTP; this can be configured in vCenter or vSphere client. Again you may have to futz with firewalls if you don't have an internal NTP server.

Best practice is to have exactly one or three+ NTP servers "inside" your network (never two). These internal servers synchronize with external sources (or reference clocks like GPS), and then all other internal machines synchronize to your internal NTP servers. Using Windows domain controllers as these internal NTP servers is common in small networks, but dedicated boxes, routers, firewalls, or UNIX-ish servers are more common in larger networks.
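
The connectivity check from the answer above, done at the packet level (an added example, not part of the original answer; the function names are illustrative). It sends one SNTP client request to UDP port 123 and decodes the reply header, so a blocked firewall path (no reply) can be told apart from a server that answers but is itself unsynchronized. The sample reply bytes are constructed.

```python
import socket
import struct

NTP_EPOCH_DELTA = 2208988800  # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)

def build_request():
    """48-byte SNTP client request: LI=0, VN=3, Mode=3 (client)."""
    return bytes([0x1B]) + bytes(47)

def parse_reply(data):
    """Decode the header fields that matter when judging a time source."""
    if len(data) < 48:
        raise ValueError("short NTP reply: %d bytes" % len(data))
    first, stratum = data[0], data[1]
    secs, frac = struct.unpack("!II", data[40:48])  # transmit timestamp
    return {
        "leap": first >> 6,             # 3 = server clock not synchronized
        "version": (first >> 3) & 0x7,
        "mode": first & 0x7,            # 4 = server reply
        "stratum": stratum,             # 0 = kiss-o'-death, 1-15 = usable
        "unix_time": secs - NTP_EPOCH_DELTA + frac / 2**32,
    }

def usable(reply):
    """True when the reply is a server response from a synchronized clock."""
    return reply["mode"] == 4 and reply["leap"] != 3 and 1 <= reply["stratum"] <= 15

def probe(host, timeout=3.0):
    """Send one request over UDP/123; None means no reply within the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_request(), (host, 123))
            data, _ = s.recvfrom(512)
        except OSError:  # includes socket.timeout and name-resolution failures
            return None
    return parse_reply(data)

# Constructed sample reply (not captured traffic): LI=0, VN=3, Mode=4, stratum 2,
# transmit timestamp = 2020-01-01 00:00:00 UTC.
SAMPLE = bytes([0x1C, 2]) + bytes(38) + struct.pack("!II", 1577836800 + NTP_EPOCH_DELTA, 0)

if __name__ == "__main__":
    print("sample:", parse_reply(SAMPLE), "usable:", usable(parse_reply(SAMPLE)))
    live = probe("au.pool.ntp.org")  # host named in the answer above
    print("live:", live if live else "no response: recheck the UDP/123 firewall rules")
```

A `None` from `probe` points at the firewall or routing path; a reply with leap 3 or stratum 0 means the packets get through but the server is not a usable source.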