NTP Configuration for Time Sync



Introduction:

The Windows Time Service (w32tm) uses the Network Time Protocol (NTP) to synchronize time with the most reliable time source available. If more than one referral time source is configured, the NTP client uses the NTP selection algorithm to pick the best one, based on its ability to provide accurate time.

Stratum:

External time sources are ranked by accuracy/reliability using the Stratum: the lower the value, the higher the accuracy. Stratum 0 is a hardware reference clock such as an atomic clock, GPS clock or radio clock. Stratum 1 servers connect to Stratum 0, and Stratum 2 servers connect to Stratum 1. These clocks are referral clocks; the Stratum value defines the synchronization distance to the referral clock.

Time Synchronization Process:

Our NTP server synchronizes its time with these referral clocks, and its clients synchronize with the NTP server's time. The time difference between the local clock and the NTP source is called “skew time”. Normally the time service adjusts the time by changing the clock rate, but if the difference is too large to adjust that way, the time service changes the clock time; this is called “clock discipline”.
Windows Time Sync Hierarchy: In an AD DS domain, the PDC Emulator of the forest root domain acts as the most reliable time source in the forest. The PDCEs of the other domains sync with it, and DCs sync with their respective PDCE or with another DC in the same domain or another domain in the forest. Domain members sync with a DC. If the computer is not a member of a domain, it must be manually configured to sync with a specified time source.

Pix-01: Time Synchronization in an AD DS Hierarchy

Scenario:

In my case, all servers are Windows Server 2012 and we have configured a network core switch as the NTP server (IP 10.10.10.123). The DC and all non-domain servers will sync with 10.10.10.123. All domain members will sync with the DC.

Check the Type value (a REG_SZ string) under HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters on any domain or non-domain member. If Type is NT5DS, the machine is a domain member and by default syncs its time with the domain PDCE. For a non-domain member its value is NTP. Also check the NtpServer value in the same registry path: by default Windows syncs its time with time.windows.com, and we need to change this to our intended NTP server (i.e. 10.10.10.123). You can also run the following command to check the registry values:
reg query HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

Pix-02: Registry value of a Domain member

Pix-03: Registry value of a Non-Domain member

Configuration:

At PDC Emulator:
1.    Run this command at the PDCE in an administrative command prompt. Also note that if the PDC Emulator is a VM, make sure it is not configured to sync time with the host.
w32tm /config /manualpeerlist:"10.10.10.123,0x1" /syncfromflags:manual /reliable:yes /update
Note: For multiple referral time sources, list them as "0.time.google.com,0x1 1.time.windows.com,0x1" or "10.22.44.88,0x1 10.44.22.11,0x1" (i.e. if our organization has its own NTP servers in Mumbai and Chennai). A typo here will show up as an error in the w32tm /resync command. 0x1 defines stratum 1.
Now check the respective registry value as in the snap below; NtpServer shows 10.10.10.123.

Pix-04: Change in registry

2.    By default, the NTP client polls the NTP server every 1 hour (3600 seconds). You can change this value.

Pix-05: Poll interval default registry value

3.    Run the following commands:

net stop w32time
net start w32time

If possible, restart the PDC Emulator.


At Domain Members:

Nothing to do; just run w32tm /query /status in admin mode to check whether it syncs time with the DC (10.10.10.10, the DC holding the PDCE role). See Pix-06.

Pix-06: Domain member is pointed to DC for time sync

At Non-domain member:
The time source needs to be configured manually. You can point them either to the DC (10.10.10.10) or to the NTP server (10.10.10.123). Here I am configuring them to point to the DC.
Run this command in admin mode:
w32tm /config /manualpeerlist:"10.10.10.10,0x1" /syncfromflags:manual /reliable:yes /update
After doing this, check the registry of the respective client (Pix-07).

Pix-07: Non-domain members are pointed to DC for time sync
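The registry check and the w32tm configuration steps above, for both the PDCE and a non-domain server, as an added PowerShell example (not from the original post). It assumes an elevated session; the peer list values are the ones used in the post, and the Type/NtpServer value names are the ones under the W32Time\Parameters key shown in Pix-02/Pix-03.

```powershell
# Added example (not the post's own code): inspect the W32Time Parameters
# values the post checks, apply the manual-peer configuration the post runs,
# then verify the machine did not silently keep another time source.
$w32Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function Get-W32TimeSource {
    # Type is NT5DS (domain hierarchy) or NTP (manual peers); NtpServer is the peer list.
    $p = Get-ItemProperty -Path $w32Params
    [pscustomobject]@{ Type = $p.Type; NtpServer = $p.NtpServer }
}

function Set-W32TimeManualPeer {
    param(
        # Peer entries are "host,flags" separated by spaces, exactly as in the post,
        # e.g. '10.10.10.123,0x1' on the PDCE or '10.10.10.10,0x1' on a non-domain server.
        [Parameter(Mandatory)][string]$PeerList,
        # The post uses /reliable:yes; pass -Reliable to reproduce that.
        [switch]$Reliable
    )
    $rel = if ($Reliable) { 'yes' } else { 'no' }
    # Same w32tm switches as the post; quoting keeps a space-separated list as one argument.
    & w32tm.exe /config "/manualpeerlist:$PeerList" /syncfromflags:manual "/reliable:$rel" /update
    Restart-Service -Name w32time      # same effect as net stop / net start w32time
    & w32tm.exe /resync                # surfaces a bad peer list immediately (see post's error)
}

function Test-W32TimeSource {
    param([Parameter(Mandatory)][string]$ExpectedPeer)
    # Throws when Type is still NT5DS or NtpServer does not contain the intended peer.
    $cfg = Get-W32TimeSource
    if ($cfg.Type -ne 'NTP') { throw "Type is '$($cfg.Type)', expected NTP" }
    if ($cfg.NtpServer -notlike "*$ExpectedPeer*") {
        throw "NtpServer is '$($cfg.NtpServer)', expected $ExpectedPeer"
    }
    $cfg
}

# Usage on the PDCE (core switch 10.10.10.123 is the NTP server, as in the post):
Set-W32TimeManualPeer -PeerList '10.10.10.123,0x1' -Reliable
Test-W32TimeSource -ExpectedPeer '10.10.10.123'
```

For a non-domain server, call Set-W32TimeManualPeer with '10.10.10.10,0x1' and verify with Test-W32TimeSource -ExpectedPeer '10.10.10.10'.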

Few Useful Commands:

1.    w32tm /query /status - Shows information about the time source, stratum, poll interval, etc.

Pix-08: Output of w32tm /query /status

2.    w32tm /query /configuration (run in admin mode) - Configuration information about the time source.

Pix-09: Output of w32tm /query /configuration

3.    w32tm /monitor - Time sync report.

Pix-10: Output of w32tm /monitor from one of domain member

4.    w32tm /resync (run in admin mode) - Manually syncs time with the configured time source.
Sometimes this command shows the error “The computer did not resync because no time data was available”. Check the time source configuration carefully; it is probably defined incorrectly.

Pix-11: Output of w32tm /resync
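The w32tm /query /status output shown in Pix-08 can be turned into an automated health check, which matters because a DC or member whose clock drifts past the Kerberos default tolerance of 5 minutes stops authenticating and breaks log correlation. The following is an added example (not from the post); the stratum and offset thresholds are assumptions, and the sample output at the end is constructed to match the shape of real w32tm output so the function can be tried offline.

```powershell
# Added example (not the post's own code): parse "w32tm /query /status" into
# a pass/fail object. Thresholds are assumptions chosen to alert well before
# the 5-minute Kerberos skew limit.
function Test-W32TimeStatus {
    param(
        [string[]]$StatusLines = (& w32tm.exe /query /status),
        [int]$MaxStratum = 5,
        [double]$MaxOffsetSeconds = 30
    )
    # Every status line is "Name: value"; key the values by name.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*([^:]+?):\s*(.*)$') { $fields[$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    $problems = @()
    # "Stratum: 4 (secondary reference - syncd by (S)NTP)" -> 4; 0 means unsynchronized.
    $stratum = [int]([regex]::Match($fields['Stratum'], '\d+').Value)
    if ($stratum -eq 0 -or $stratum -gt $MaxStratum) { $problems += "stratum $stratum" }
    # These sources mean the machine is not taking time from the network at all.
    if ($fields['Source'] -match 'Local CMOS Clock|Free-running') {
        $problems += "source is $($fields['Source'])"
    }
    # Newer builds report "Phase Offset: 0.0012345s"; skip the check when absent.
    if ($fields.ContainsKey('Phase Offset')) {
        $offset = [math]::Abs([double]($fields['Phase Offset'] -replace 's$', ''))
        if ($offset -gt $MaxOffsetSeconds) { $problems += "offset ${offset}s" }
    }
    [pscustomobject]@{
        Source   = $fields['Source']
        Stratum  = $stratum
        Healthy  = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

# Constructed sample in the shape of w32tm output (values are not from a real host):
$sample = @'
Leap Indicator: 0(no warning)
Stratum: 4 (secondary reference - syncd by (S)NTP)
Precision: -23 (119.209ns per tick)
Root Delay: 0.0312500s
Root Dispersion: 7.7900000s
ReferenceId: 0x0A0A0A0A (source IP:  10.10.10.10)
Last Successful Sync Time: 1/1/2020 10:00:00 AM
Source: 10.10.10.10
Poll Interval: 10 (1024s)
'@ -split "`r?`n"
Test-W32TimeStatus -StatusLines $sample
```

Run Test-W32TimeStatus with no arguments on a live host to check the real w32tm output.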

Few Points to Note:

1.    NTP configuration can be pushed to domain members through Group Policy.
a) Navigate to Computer Configuration -> Policies -> Administrative Templates -> System -> Windows Time Service -> Time Providers. In the right pane, double-click “Enable Windows NTP Client”, set it to “Enabled” and click OK.
b) Next, double-click “Configure Windows NTP Client”. Configure the options, then append ,0x1 to the NtpServer field so that it reads 10.10.10.10,0x1 (the PDCE/DC's IP address).

Pix-12: GPO Configuration for NTP

2.    In virtualization, guest machines usually sync time with the physical host. So, to configure NTP, VM time sync with the host needs to be disabled.
3.    UDP port 123 should be open in the firewall in both directions.
4.    For non-domain members, you can configure NTP through DHCP server scope option 042; don't use option 004.

Pix-13: DHCP Scope option for NTP

Reference Link:


