Question: Domain Controller time out of sync

Dear all,

Please help me resolve a problem with the Windows Time Service.

The environment:
- Domain Controller (Windows Server 2003)
- A mixture of Windows XP, Vista & 7 clients      

For security reasons the DC has no gateway setting; therefore, I keep it away from the internet.

I have, however, allowed it and the NTP (123) protocol on the firewall to sync and update the time, then I close all access and block NTP on the firewall once it's done.

The problem is the time is out of sync. Well, not straight away: everything works fine for a few days after the sync with an external time source (ntp.internode.on.net).

Then I notice the time lagging 5 minutes, then 10 minutes, a few days after that 15 minutes, then it finally stops once it's 30 minutes behind. And of course it affects ALL the client machines, including the servers, as the PDC is the authoritative time source.

I thought it may be the hardware clock causing this, so I had a look at the BIOS and the clock is correct.

Then I thought I'd try to stop it from trying to sync with an external time source and just force it to use the BIOS clock...

http://support.microsoft.com/kb/816042 (Configuring the Windows Time service to use an internal hardware clock)

Even after changing the registry and rebooting, I still get the PDC crying about not being able to sync with an external time source...

Event Type:      Information
Event Source:      W32Time
Event Category:      None
Event ID:      38
Date:            19/12/2009
Time:            12:01:19 PM
User:            N/A
Computer:      DC01
Description:
The time provider NtpClient cannot reach or is currently receiving invalid time data from ntp.internode.on.net (ntp.m|0x0|192.168.1.100:123->192.231.203.132:123).

Event Type:      Warning
Event Source:      W32Time
Event Category:      None
Event ID:      47
Date:            19/12/2009
Time:            12:02:55 PM
User:            N/A
Computer:      DC01
Description:
Time Provider NtpClient: No valid response has been received from manually configured peer ntp.internode.on.net after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with this DNS name.

Event Type:      Error
Event Source:      W32Time
Event Category:      None
Event ID:      29
Date:            19/12/2009
Time:            12:02:55 PM
User:            N/A
Computer:      DC01
Description:
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible.  No attempt to contact a source will be made for 960 minutes. NtpClient has no source of accurate time.

Please help me get the system clock back into order and stop it lagging 30 minutes. I even tried to update the clock manually and double-checked the time zone... but still it just goes back to being 30 minutes late!

Also, it would be awesome if you could help me get rid of the event log errors for W32Time. I know I am supposed to apply a command to stop Windows from checking the external time source and just sit tight and wait for me to do it when I feel like it.

Your help is much appreciated.

Answer: Domain Controller time out of sync

I have never seen anyone not configure the gateway on the server. If your server is performing forwarding DNS (meaning an iterative query on behalf of the clients), I could see performance issues on your domain.

The server will need information from beyond the router. If there is no direction to the router, I can't see how this will not seriously impede performance on the domain.

I would expect intermittent web pages: the inability of some clients to reach web pages from time to time.

Now, that's just DNS. Let's talk about DHCP for a second.

Let's say you create VLANs for your system and use a DHCP relay. That requires L3 IP routing. So, if there is no pointer to the gateway, you will not be able to administer DHCP on VLANs that are not on the same subnet as your server.
_______________________________________________________________________

With that said:

You will not be able to get an outside time source because it uses IP routing at the L3 level. Since your DC does not have a gateway set, time will not be able to sync from an outside time source.

Your DC, by default, should be broadcasting its time to all clients on the domain. These clients will sync up, as long as they are not within a +/- 5 minute phase offset. That means if they go beyond +/- five minutes, they will sync up to the server. You can adjust the phase offset in the registry.

Bottom line:
1) Without a default gateway, you're going to have problems with anything that uses L3 routing and requires server assistance (like DHCP relay, replication between sites, DNS if using forwarders, etc.).
2) You will not be able to sync with an outside time source.
3) Your clients will sync up if they are out of the 5 minute threshold.
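As an added example (not part of the original question or answer), here is the registry change that KB 816042 describes for running the PDC emulator off its own hardware clock, written as a PowerShell script, together with the opposite setting for the window in which the firewall allows UDP/123 out, and a readback of the W32Time events (IDs 38, 47, 29) that the question lists. It assumes Windows PowerShell running elevated on the DC (Server 2003 did not ship with it; it has to be installed), and the function names Get-W32TimeConfig, Set-W32TimeNoSync, Set-W32TimeManualPeer and Get-W32TimeSyncEvents, plus the 48-hour phase-correction cap, are my choices, not values from the thread.

```powershell
# Added example, not from the original thread. Assumes Windows PowerShell running
# elevated on the domain controller. The registry paths and value names below are the
# documented W32Time ones; the function names and the 48 h cap are this example's choices.
$ParamKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'

function Get-W32TimeConfig {
    # Read the values that decide where this DC takes its time from and what it advertises.
    $p = Get-ItemProperty -Path $ParamKey
    $c = Get-ItemProperty -Path $ConfigKey
    New-Object PSObject -Property @{
        Type                  = $p.Type                   # NoSync, NTP, NT5DS or AllSync
        NtpServer             = $p.NtpServer              # manual peer list; only used for NTP/AllSync
        AnnounceFlags         = $c.AnnounceFlags          # 5 = always time server + reliable source
        MaxPosPhaseCorrection = $c.MaxPosPhaseCorrection  # largest forward step accepted, in seconds
        MaxNegPhaseCorrection = $c.MaxNegPhaseCorrection  # largest backward step accepted, in seconds
    }
}

function Set-W32TimeNoSync {
    # The "internal hardware clock" section of KB 816042: stop polling any NTP peer and
    # serve the CMOS clock to the domain. With Type = NoSync the NtpClient provider is
    # never asked for time, so events 38, 47 and 29 are no longer raised.
    Set-ItemProperty -Path $ParamKey  -Name Type          -Value 'NoSync'
    Set-ItemProperty -Path $ConfigKey -Name AnnounceFlags -Value 5 -Type DWord
    Restart-Service -Name w32time
}

function Set-W32TimeManualPeer {
    param([Parameter(Mandatory = $true)][string]$Peer)
    # The opposite setting, for the period in which the firewall permits NTP out:
    # poll the named peer on the special poll interval (flag 0x1) and cap the size of
    # any single correction (48 h, an example value) so one bad reply cannot jump the
    # PDC clock, and with it every Kerberos ticket in the domain, by an arbitrary amount.
    Set-ItemProperty -Path $ParamKey  -Name Type          -Value 'NTP'
    Set-ItemProperty -Path $ParamKey  -Name NtpServer     -Value "$Peer,0x1"
    Set-ItemProperty -Path $ConfigKey -Name AnnounceFlags -Value 5 -Type DWord
    Set-ItemProperty -Path $ConfigKey -Name MaxPosPhaseCorrection -Value 172800 -Type DWord
    Set-ItemProperty -Path $ConfigKey -Name MaxNegPhaseCorrection -Value 172800 -Type DWord
    Restart-Service -Name w32time
    w32tm /resync /nowait
}

function Get-W32TimeSyncEvents {
    param([int]$Newest = 50)
    # The three event IDs from the question, in the order W32Time raises them:
    # 38 peer unreachable or invalid data, 47 peer discarded after 8 tries, 29 no source left.
    Get-EventLog -LogName System -Source W32Time -Newest $Newest |
        Where-Object { @(29, 38, 47) -contains $_.EventID } |
        Select-Object TimeGenerated, EventID, EntryType, Message
}

# Usage: inspect first, then pick one of the two modes.
Get-W32TimeConfig
Get-W32TimeSyncEvents -Newest 20
# Set-W32TimeNoSync
# Set-W32TimeManualPeer -Peer 'ntp.internode.on.net'
```

Run Get-W32TimeConfig before and after the change: if Type still reads NTP after a reboot, the registry edit from the KB did not land under Parameters, which is consistent with NtpClient still logging 38/47/29. Whichever mode is in use, the phase-correction caps are what bound a wrong time source's effect on the domain, since Kerberos rejects tickets once a client and the DC disagree by more than its configured skew.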