Windows – Why doesn’t the time match on two Windows Domain Controllers despite resync

Tags: domain-controller, ntp, time-synchronization, windows

In my domain there are two domain controllers. There is a gap of 3 minutes between their times, and then I can find this difference between many clients (it depends on their DC).

If I run this command:

w32tm /monitor

I can see that DCs can see each other's time.
But if I run this command:

w32tm /resync

Nothing changes, can you tell me why?

EDIT

This is my test output from the secondary DC:

PS C:\Users\administrator.MYDOMAIN> w32tm /config /syncfromflags:DOMHIER /update
The command completed successfully.
PS C:\Users\administrator.MYDOMAIN> w32tm /resync /nowait /rediscover
Sending resync command to local computer
The command completed successfully.
PS C:\Users\administrator.MYDOMAIN> w32tm /monitor
SRVDC1.MYDOMAIN.locale *** PDC ***[10.0.0.10:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from SRVDC1.MYDOMAIN.locale
        RefID: ntp.ngi.it [88.149.128.123]
        Stratum: 3
SRVDC2.MYDOMAIN.locale[[fe80::c5ec:8a39:e860:e2e7%13]:123]:
    ICMP: 0ms delay
    NTP: -146.4122820s offset from SRVDC1.MYDOMAIN.locale
        RefID: 80.84.77.86.rev.sfr.net [86.77.84.80]
        Stratum: 2

Warning:
Reverse name resolution is best effort. It may not be
correct since RefID field in time packets differs across
NTP implementations and may not be using IP addresses.
PS C:\Users\administrator.MYDOMAIN>

After 15 minutes, the time gap is still there.

This is the query status command output (seems that the sync is working):

PS C:\Users\administrator.MYDOMAIN> w32tm /query /status /verbose
Leap Indicator: 0(no warning)
Stratum: 2 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0000000s
Root Dispersion: 0.0100000s
ReferenceId: 0x564D5450 (source IP:  86.77.84.80)
Last Successful Sync Time: 28/08/2014 08.52.00
Source: VM IC Time Synchronization Provider
Poll Interval: 6 (64s)

Phase Offset: 0.0051939s
ClockRate: 0.0156215s
State Machine: 2 (Sync)
Time Source Flags: 3 (Authenticated Hardware )
Server Role: 64 (Time Service)
Last Sync Error: 0 (The command completed successfully.)
Time since Last Good Sync Time: 3.3291425s

I don't know if it is important, but DC1 and DC2 are virtual machines on two different servers.

Best Answer

  1. A resync operation is generally not instantaneous, but works by speeding up or slowing down the clock until it is in sync with its time source.

  2. The resync operation will resync the system clock with its time source. In this case, it looks pretty unlikely that your domain controllers are using the same time source. If you're just having them sync up with different, out-of-sync time sources (like their individual hardware clocks, for example), their system clocks will remain out of sync.

    • Therefore, look into what your NTP time sources for the domain controllers are. Your PDC emulator should be synced to a reliable time source (pool.ntp.org, for example), and all domain controllers should use the PDC emulator as their time source.
    • Microsoft has a page on time settings here, that you may wish to look at.
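
One way to check the answer's point about time sources against the outputs shown in the question, as an added PowerShell example that is not part of the original question or answer. The function names, property names and the 1-second threshold are assumptions; the sample text is copied from the question's output and would come from `w32tm /monitor` and `w32tm /query /status` on a live DC.

```powershell
# Added example: flag DCs whose offset is too large or whose time source is not a domain peer.
# Sample text is copied from the question; live: $monitor = w32tm /monitor | Out-String
$monitor = @'
SRVDC1.MYDOMAIN.locale *** PDC ***[10.0.0.10:123]:
    ICMP: 0ms delay
    NTP: +0.0000000s offset from SRVDC1.MYDOMAIN.locale
        RefID: ntp.ngi.it [88.149.128.123]
SRVDC2.MYDOMAIN.locale[[fe80::c5ec:8a39:e860:e2e7%13]:123]:
    ICMP: 0ms delay
    NTP: -146.4122820s offset from SRVDC1.MYDOMAIN.locale
        RefID: 80.84.77.86.rev.sfr.net [86.77.84.80]
'@
$status = @'
Stratum: 2 (secondary reference - syncd by (S)NTP)
Source: VM IC Time Synchronization Provider
'@

function Get-DcOffset {
    param([string]$MonitorText, [double]$MaxOffsetSeconds = 1.0)  # threshold is an assumption
    $dc = $null
    foreach ($line in $MonitorText -split "`r?`n") {
        if ($line -match '^([^\s\[]+)(?: \*\*\* PDC \*\*\*)?\[.+\]:\s*$') {
            $dc = $Matches[1]                      # header line: start of a new DC entry
        }
        elseif ($dc -and $line -match '^\s+NTP:\s+([+-]?\d+(?:\.\d+)?)s offset from (\S+)') {
            $offset = [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
            [pscustomobject]@{
                DC = $dc; OffsetSeconds = $offset; Reference = $Matches[2]
                OutOfTolerance = [math]::Abs($offset) -gt $MaxOffsetSeconds
            }
        }
    }
}

function Test-TimeSource {
    param([string]$StatusText)
    if ($StatusText -match '(?m)^Source:\s*(.+?)\s*$') {
        $source = $Matches[1]
        # These sources mean the clock is not being taken from an NTP peer or the domain hierarchy.
        $local = $source -match 'VM IC Time Synchronization Provider|Local CMOS Clock|Free-running System Clock'
        [pscustomobject]@{ Source = $source; NotDomainPeer = $local }
    }
}

Get-DcOffset -MonitorText $monitor | Format-Table -AutoSize
Test-TimeSource -StatusText $status | Format-List
```

On the question's data this marks SRVDC2 as out of tolerance and its source as not a domain peer: `VM IC Time Synchronization Provider` is the Hyper-V integration-services provider, so that DC is taking time from its virtualization host.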