WS2008 NTP – Using time.windows.com,0x9 – Time always skewed forwards

clock-synchronization, ntp, time

I have a domain controller configured to use time.windows.com (with 0x09 flags set). I've noticed that frequently the system's clock is fast – it varies from 10 minutes to even 45 minutes. I always have to keep resetting the system date/time back to what it should be.

When I run "w32tm /query /source" it tells me it's using time.windows.com, and obviously I trust Microsoft not to serve incorrect times, but why is my server's clock fast?

EDIT:

There are a few Time-Service events in the System log:

Event ID: 142

Message: The time service has stopped advertising as a time source because the local clock is not synchronized.

Event ID: 139

Message: The time service has started advertising as a time source.

These two messages appear in pairs every hour or so. Event 142 appears 14 to 16 minutes after 139 appears.

Going back a few months, these events appear:

Event ID: 35

Message: The time service is now synchronizing the system time with the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->65.55.21.21:123).

Event ID: 37

Message: The time provider NtpClient is currently receiving valid time data from time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->65.55.21.21:123).

Event ID: 47

Message: Time Provider NtpClient: No valid response has been received from manually configured peer time.windows.com,0x9 after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with this DNS name. The error was: The time sample was rejected because: The peer is not synchronized, or it has been too long since the peer's last synchronization.

These three events only appear once in the log, back in October.

EDIT:

Here is the output of w32tm /query /status /verbose:

C:\Users\Administrator>w32tm /query /status /verbose
Leap Indicator: 3(last minute has 61 seconds)
Stratum: 3 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.1794868s
Root Dispersion: 4.6419912s
ReferenceId: 0x41371515 (source IP:  65.55.21.21)
Last Successful Sync Time: 2011-12-05 23:25:18
Source: time.windows.com,0x9
Poll Interval: 6 (64s)

Phase Offset: 0.0000695s
ClockRate: 0.0156243s
State Machine: 1 (Hold)
Time Source Flags: 0 (None)
Server Role: 0 (None)
Last Sync Error: 2 (The computer did not resync because only stale time data was available.)
Time since Last Good Sync Time: 1281.9919104s

Best Answer

I had the same issue and finally resolved it this morning. Here is what I did:

Have a look in the registry (all hives and keys in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time) on both the server with the time issue and another member server that is syncing ntp correctly.

I found a few discrepancies and exported the required keys \ hives from the working server to the broken one. The following keys had been messed up; here are the good keys I exported from the working box onto the broken one. Please note that these values may not be the same as yours, so please don't use the keys below:

The Security hive was missing, so I recreated it with this:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\Security]
"Security"=hex:01,00,04,80,84,00,00,00,90,00,00,00,00,00,00,00,14,00,00,00,02,\
  00,70,00,05,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,\
  00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,\
  00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,00,14,00,\
  8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,00,14,00,9d,01,02,00,01,\
  01,00,00,00,00,00,05,13,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00

I also noticed that the NtpServer hive had missing keys; this was fixed by importing:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer]
"DllName"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,\
  00,33,00,32,00,74,00,69,00,6d,00,65,00,2e,00,64,00,6c,00,6c,00,00,00
"Enabled"=dword:00000000
"InputProvider"=dword:00000000
"AllowNonstandardModeCombinations"=dword:00000001
"EventLogFlags"=dword:00000000
"ChainEntryTimeout"=dword:00000010
"ChainMaxEntries"=dword:00000080
"ChainMaxHostEntries"=dword:00000004
"ChainDisable"=dword:00000000
"ChainLoggingRate"=dword:0000001e

I then amended the following existing keys to reduce phase:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\Config] 
"MaxAllowedPhaseOffset"=dword:00000001 
"SpecialPollInterval"=dword:00000005 
"SpecialInterval"=dword:00000001

Once you are sure the registry is correct, issue the following commands from the command line as Administrator:

w32tm /config /manualpeerlist:"YOURNTPSERVER-OR-DCHERE.YOURDOMAIN.COM,0x01" /syncfromflags:MANUAL /update
net stop w32time && net start w32time
w32tm /resync /computer:YOURNTPSERVER-OR-DCHERE.YOURDOMAIN.COM /rediscover

Waited a few minutes, then checked sync:

w32tm /monitor /computers:YOURNTPSERVER-OR-DCHERE.YOURDOMAIN.COM

It should look a bit like this:

YOURNTPSERVER-OR-DCHERE.YOURDOMAIN.COM[IPOFYOUR.NTP.OR.DC:123]:
    ICMP: 0ms delay
    NTP: +0.0496804s offset from local clock
        RefID: YOURNTPSERVER-OR-PDCHERE [IPOFYOUR.NTP.OR.PDC]
        Stratum: 3

Then check phase:

w32tm /stripchart /computer:YOURNTPSERVER-OR-DCHERE.YOURDOMAIN.COM

It should look like this:

10:08:42 d:+00.0000000s o:+00.0139224s  [           *           ]
10:08:44 d:+00.0000000s o:-00.0015659s  [           *           ]
10:08:46 d:+00.0000000s o:-00.0014534s  [           *           ]
10:08:48 d:+00.0000000s o:-00.0013418s  [           *           ]
10:08:50 d:+00.0000000s o:-00.0012421s  [           *           ]

Hope this helps!
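
An added example, not part of the original question or answer: a Python check that parses `w32tm /query /status /verbose` output like the one posted in the question and lists the fields showing that the clock is not being disciplined. In NTP, leap indicator 3 marks an unsynchronized clock; the thresholds `max_dispersion_s` and `max_missed_polls` and all function names are assumptions chosen for illustration.

```python
import re

# Constructed sample: the fields this check reads, with the values from the
# `w32tm /query /status /verbose` output posted in the question.
SAMPLE = """\
Leap Indicator: 3(last minute has 61 seconds)
Stratum: 3 (secondary reference - syncd by (S)NTP)
Root Dispersion: 4.6419912s
Source: time.windows.com,0x9
Poll Interval: 6 (64s)
State Machine: 1 (Hold)
Last Sync Error: 2 (The computer did not resync because only stale time data was available.)
Time since Last Good Sync Time: 1281.9919104s
"""

def parse_status(text):
    """Map each 'Name: value' line to {name: value}, splitting on the first colon."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and value.strip():
            fields[name.strip()] = value.strip()
    return fields

def leading_number(value):
    """Return the number a value starts with ('3(last...' -> 3.0), or None."""
    m = re.match(r"-?\d+(?:\.\d+)?", value or "")
    return float(m.group()) if m else None

def findings(fields, max_dispersion_s=1.0, max_missed_polls=8):
    """List the reasons this status output says the clock is not being disciplined."""
    out = []
    if leading_number(fields.get("Leap Indicator")) == 3:
        out.append("leap indicator 3: local clock reports itself unsynchronized")
    err = leading_number(fields.get("Last Sync Error"))
    if err:
        out.append("last sync error %d" % err)
    disp = leading_number(fields.get("Root Dispersion"))
    if disp is not None and disp > max_dispersion_s:
        out.append("root dispersion %.3fs exceeds %.1fs" % (disp, max_dispersion_s))
    age = leading_number(fields.get("Time since Last Good Sync Time"))
    poll = re.search(r"\((\d+)s\)", fields.get("Poll Interval", ""))
    if age is not None and poll and age > max_missed_polls * int(poll.group(1)):
        out.append("no good sync for %.0fs (poll interval %ss)" % (age, poll.group(1)))
    return out

if __name__ == "__main__":
    for reason in findings(parse_status(SAMPLE)):
        print("WARN:", reason)
```

Run against the question's values, all four checks fire, which matches the hourly event 142 ("local clock is not synchronized") entries in the System log.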