Configuring NTP time synchronization with group policies. Specifics of time synchronization on virtualized domain controllers


First, before configuring time synchronization with an external server, do not forget to open the standard NTP port, UDP 123, on your firewall (it must be allowed both inbound and outbound).
On a domain controller an inbound exception already exists: it is called "Active Directory Domain Controller - W32Time (NTP-UDP-In)" (under Inbound Rules).

Applies to: Windows Server 2008 R2, Windows Server 2012 R2.
For Windows Server 2003 R2 the w32tm command syntax differs slightly (the registry values are the same).

Regional zones of the NTP pool can serve as external sources, for example:
Switzerland: ch.pool.ntp.org
Israel: il.pool.ntp.org

Time synchronization topology among Active Directory members

Among the computers that belong to an Active Directory forest, time synchronization follows this scheme:

  • The domain controller of the forest root domain that holds the PDC emulator FSMO role (the root PDC) is the time source for the other controllers of that domain.
  • Controllers of child domains synchronize their time with controllers of the parent domain, following the AD topology.
  • Ordinary domain members (servers and workstations) synchronize their time with the nearest available domain controller, again following the AD topology.

Accurate time is not cosmetic here: Kerberos rejects tickets whose timestamps differ from the server clock by more than the allowed skew (5 minutes by default), so a drifting clock surfaces as authentication failures.

The root PDC can synchronize its time either with an external source or with itself. The latter is the default configuration; it makes little sense, and the system log periodically receives errors about it.

Clients of the root PDC can synchronize either with its internal clock or directly with the external source. In the first case the root PDC must announce itself as a "reliable" time source.

Below I give the time-server configuration of the root PDC that I consider optimal: the root PDC itself periodically synchronizes its time with a trusted server on the Internet, and the clients that refer to it synchronize with its own clock.

NTP server configuration on the root PDC

The time server (NTP server) can be configured either with the w32tm command-line utility or through the registry. Where possible, I give both variants; the registry values below live under HKLM\SYSTEM\CurrentControlSet\Services\W32Time, and the subkey is given before each value.

Enabling synchronization of the internal clock with an external source

  • Parameters: "Type"="NTP"
  • w32tm /config /syncfromflags:manual

Announcing the NTP server as a reliable time source

  • Config: "AnnounceFlags"=dword:0000000a
  • w32tm /config /reliable:yes (check the resulting AnnounceFlags value afterwards with w32tm /query /configuration)

Enabling the NTP server

The NTP server is enabled by default on all domain controllers, but it can also be enabled on member servers (w32tm has no switch for this, so it is done in the registry only).

  • TimeProviders\NtpServer: "Enabled"=dword:00000001

Setting the list of external time sources

  • Parameters: "NtpServer"="time.nist.gov,0x8 ntp1.imvp.ru,0x8 ntp2.imvp.ru,0x8 time.windows.com,0x8 ru.pool.ntp.org,0x8"
  • w32tm /config /manualpeerlist:"time.nist.gov,0x8 ntp1.imvp.ru,0x8 ntp2.imvp.ru,0x8 time.windows.com,0x8 ru.pool.ntp.org,0x8"

The 0x8 flag after each name means that requests are sent in NTP client mode (rather than the symmetric-active mode Windows uses by default, which many non-Windows time servers ignore) and that the polling interval is chosen by the service itself. To use your own polling interval, add the 0x1 flag as well; the flags are a bit mask, so ",0x9" means both.

Setting the synchronization interval with the external source

The time in seconds between synchronization attempts; 900 s = 15 min is used here (the built-in default differs between Windows versions and between standalone and domain-joined machines). It applies only to sources marked with the 0x1 flag.

  • TimeProviders\NtpClient: "SpecialPollInterval"=dword:00000384

Setting the maximum positive and negative correction

The maximum positive and negative correction (the difference between the local clock and the time source) in seconds; when the difference exceeds it, synchronization is not performed. The recommendation here is 0xFFFFFFFF, which allows a correction of any size. Be aware of what that removes: NTP from an external peer is plain unauthenticated UDP, and with no upper bound a single wrong or spoofed reply can step the root PDC, and with it the whole forest, by an arbitrary amount. A bounded value such as 48 hours (172800, the figure Microsoft recommends for domain controllers) still covers any realistic drift and makes a gross jump fail loudly in the event log instead of being applied.

  • Config: "MaxPosPhaseCorrection"=dword:FFFFFFFF
  • Config: "MaxNegPhaseCorrection"=dword:FFFFFFFF

Everything you need in one line

w32tm.exe /config /manualpeerlist:"time.nist.gov,0x8 ntp1.imvp.ru,0x8 ntp2.imvp.ru,0x8 time.windows.com,0x8 pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update

Useful commands

  • Apply the changes made to the service configuration:
    w32tm /config /update
  • Force synchronization from the source:
    w32tm /resync /rediscover
  • Synchronization status of the domain controllers in the domain:
    w32tm /monitor
  • Check the current synchronization sources and their status:
    w32tm /query /peers
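The whole root-PDC procedure above (Type, AnnounceFlags, NtpServer provider, peer list, polling interval, phase correction, apply and resync) as one script, followed by the check to run before trusting the box. This is an added example, not code from the original article: it assumes PowerShell 5 run elevated on the PDC emulator with English w32tm output, uses the article's peer names, and substitutes a bounded 48-hour phase correction for the article's 0xFFFFFFFF.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Run on the forest-root PDC emulator.
# Assumed: PowerShell 5.x, English w32tm output, the article's peer names.

$W32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
# ",0x9" = 0x1 (use SpecialPollInterval) + 0x8 (client mode, not symmetric-active).
$Peers = 'time.nist.gov,0x9 ntp1.imvp.ru,0x9 ntp2.imvp.ru,0x9 time.windows.com,0x9 pool.ntp.org,0x9'

function Set-RootPdcTimeConfig {
    param(
        [string]$PeerList = $Peers,
        [int]$PollSeconds = 900,
        # Bounded phase correction (48 h) instead of the article's 0xFFFFFFFF, so a bad or
        # spoofed reply cannot step the whole forest arbitrarily; still far above real drift.
        [uint32]$MaxPhaseCorrection = 172800
    )
    # Type=NTP, manual peer list and "reliable" announcement, all via w32tm.
    w32tm /config /manualpeerlist:"$PeerList" /syncfromflags:manual /reliable:yes | Out-Null

    # Values w32tm has no switch for go straight to the registry.
    Set-ItemProperty "$W32\TimeProviders\NtpServer" -Name Enabled -Value 1 -Type DWord
    Set-ItemProperty "$W32\TimeProviders\NtpClient" -Name SpecialPollInterval -Value $PollSeconds -Type DWord
    Set-ItemProperty "$W32\Config" -Name MaxPosPhaseCorrection -Value $MaxPhaseCorrection -Type DWord
    Set-ItemProperty "$W32\Config" -Name MaxNegPhaseCorrection -Value $MaxPhaseCorrection -Type DWord

    w32tm /config /update | Out-Null
    Restart-Service w32time
    w32tm /resync /rediscover | Out-Null
}

function Test-RootPdcTimeConfig {
    # An authoritative root PDC must be following an external peer, never
    # "Local CMOS Clock" or "Free-running System Clock", and must report a real stratum.
    $status  = w32tm /query /status
    $source  = (($status | Select-String '^Source:' | Select-Object -First 1).Line -split ':', 2)[1].Trim()
    $stratum = [int](($status | Select-String '^Stratum:' | Select-Object -First 1).Line -replace '^Stratum:\s*(\d+).*', '$1')
    [pscustomobject]@{
        Type          = (Get-ItemProperty "$W32\Parameters").Type
        AnnounceFlags = (Get-ItemProperty "$W32\Config").AnnounceFlags
        NtpServerOn   = (Get-ItemProperty "$W32\TimeProviders\NtpServer").Enabled
        Source        = $source
        Stratum       = $stratum
        Healthy       = ($source -notmatch 'Local CMOS|Free-running') -and ($stratum -gt 0) -and ($stratum -lt 16)
    }
}

Set-RootPdcTimeConfig
Test-RootPdcTimeConfig
```

If Healthy comes back False right after the script, give the service a few minutes and run Test-RootPdcTimeConfig again; the first poll after a resync can still show the local clock as the source. A persistent "Local CMOS Clock" with Type = NTP means none of the peers answered, which is the symptom the flag discussion above and the event-log section further down are about.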

Features of virtualized domain controllers

Domain controllers that run in a virtualized environment need some special settings.

  • Time synchronization between the virtual machine and the host OS must be disabled. All serious virtualization systems (Microsoft, VMware, etc.) have guest integration components that noticeably improve guest performance. One of these components is synchronization of the guest clock with the host clock, which is useful for ordinary machines but contraindicated for domain controllers. Otherwise you get a loop in which the domain controller and the host OS synchronize from each other: a domain-joined host takes its time from the domain, that is from the very DC it is feeding.
  • For the root PDC, synchronization with an external source must be configured without fail. In a virtual environment the clock is less accurate than on physical hardware, because the virtual machine works with a virtual processor and timer whose "reference" frequency can both slow down and speed up. If synchronization of the virtualized root PDC with an external server is not configured, the time on every computer in the enterprise can drift badly. Do not take this as an exaggeration: I have seen such behavior.
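An added example (not part of the original article) for the first bullet: inside a Hyper-V guest, check whether the Windows Time service is currently following the hypervisor clock, and switch that off. It assumes an elevated PowerShell session inside the guest DC, a Hyper-V host, and a VM named DC01 for the host-side command; VMware guests have the equivalent switch in VMware Tools rather than in this registry key.

```powershell
# Added example, not from the original article. Hyper-V guest side, run elevated.
# The hypervisor clock reaches W32Time through the VMICTimeProvider; when it is the
# active source, "w32tm /query /source" reports "VM IC Time Synchronization Provider".

$Provider = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'

function Get-GuestTimeSourceReport {
    $source = (w32tm /query /source | Select-Object -First 1)
    $vmic   = if (Test-Path $Provider) { (Get-ItemProperty $Provider).Enabled } else { $null }
    [pscustomobject]@{
        CurrentSource     = $source
        VmicProviderOn    = $vmic
        # Either condition means the DC is (or can start) taking time from the host,
        # which on a domain-joined host is the loop described above.
        FollowsHypervisor = ($source -match 'VM IC') -or ($vmic -eq 1)
    }
}

function Disable-GuestHypervisorTimeSync {
    # Guest side: turn the provider off and restart W32Time so NT5DS/NTP takes over.
    if (Test-Path $Provider) {
        Set-ItemProperty $Provider -Name Enabled -Value 0 -Type DWord
    }
    Restart-Service w32time
    w32tm /resync /rediscover | Out-Null
}

# Host side (Hyper-V, run on the host, not in the guest; VM name is assumed):
# Disable-VMIntegrationService -VMName 'DC01' -Name 'Time Synchronization'

$before = Get-GuestTimeSourceReport
if ($before.FollowsHypervisor) { Disable-GuestHypervisorTimeSync }
Get-GuestTimeSourceReport
```

Disable it on both sides: the guest-side registry value stops W32Time from using the provider, while the host-side integration service setting stops the hypervisor from offering it at all, which also survives a w32tm /unregister and /register cycle that recreates the guest's registry keys.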

Setting up an NTP server on Windows

Starting with Windows 2000, all Windows operating systems include the Windows Time service (W32Time). The service is intended for time synchronization within an organization. W32Time contains both the client and the server part of the time service, so the same computer can be an NTP (Network Time Protocol) client and server at the same time.

By default the Windows time service is configured as follows:

  • when the Windows operating system is installed, the NTP client starts and synchronizes with an external source;
  • when the computer joins a domain, the synchronization type changes: all client computers and member servers in the domain synchronize with the domain controller that authenticated them;
  • when a member server is promoted to a domain controller, an NTP server starts on it, which in turn synchronizes with the domain controller holding the PDC emulator role;
  • the PDC emulator located in the forest root domain is the main time server of the organization. It, in turn, should be synchronized with an external time source (out of the box it is not: until you configure one it runs on its local clock).

This scheme works for most people and requires no intervention. However, the time service structure in Windows does not have to follow the domain hierarchy; any computer can be made an authoritative time source. As an example I will describe configuring an NTP server on Windows Server 2008 R2, although the procedure has hardly changed since Windows 2000, and the same steps work on Windows 7.

Starting the NTP server

Note that the time service on Windows Server (from 2000 through 2012) has no graphical interface and is configured either from the command line or by directly editing the system registry. Since I personally prefer the second way, let's go to the registry.

So, first we need to start the NTP server. Open the registry key
HKLM\System\CurrentControlSet\services\W32Time\TimeProviders\NtpServer.
Here, to enable the NTP server, the Enabled parameter must be set to 1.

Restart the service with the command net stop w32time && net start w32time

After the restart the NTP server is active and can serve clients. You can verify this with the command w32tm /query /configuration. It prints the full list of service parameters; if the NtpServer section contains the line Enabled: 1 (Local), everything is fine, the time server is running. The word in parentheses tells you where the effective value comes from: (Local) is the registry, (Policy) means a group policy is overriding whatever you put in the registry.

For the NTP server to actually serve clients, do not forget to open UDP port 123 on the firewall for inbound and outbound traffic.

Basic NTP server setup

The NTP server is running, now it needs to be configured. Open the registry key HKLM\System\CurrentControlSet\services\W32Time\Parameters. The first parameter of interest is Type, which determines the synchronization type. It can take the following values:

NoSync - the NTP server does not synchronize with any external source. It uses the clock built into the server's CMOS chip (such a clock can, for example, be disciplined by an NMEA device over RS-232);
NTP - the NTP server synchronizes with the external servers listed in the NtpServer registry parameter;
NT5DS - the NTP server synchronizes according to the domain hierarchy;
AllSync - the NTP server uses all available sources for synchronization.

The default value for a domain-joined computer is NT5DS, for a standalone computer NTP.

Next is the NtpServer parameter, which lists the NTP servers this server synchronizes with. By default it contains the Microsoft NTP server (time.windows.com,0x1); if needed, you can add more NTP servers by entering their DNS names or IP addresses separated by spaces. Public time servers can be found, for example, in the NTP pool project (pool.ntp.org).

Each server name can be followed by a flag (e.g. ,0x1) that sets the synchronization mode with that server. The allowed values are:

0x1 - SpecialInterval, use a special polling interval;
0x2 - UseAsFallbackOnly mode;
0x4 - SymmetricActive, symmetric active mode;
0x8 - Client, send requests in client mode.

If the SpecialInterval flag is chosen, the interval must be set in the SpecialPollInterval key. If the UseAsFallbackOnly flag is set, the time service treats this server as a backup and tries the other servers in the list before it. Symmetric active mode is what Windows uses by default, and client mode is worth switching to when there are synchronization problems: many non-Windows NTP servers are configured to ignore symmetric-active requests from unknown peers, which shows up as "no valid response" errors in the event log even though the port is open. The flags form a bit mask and can be combined, so ,0x9 means client mode with a special polling interval. You can read more about synchronization modes, but there is no need to bother: just put ,0x1 (as Microsoft recommends), and fall back to ,0x9 if the external server ignores you.


Another important parameter, AnnounceFlags, is in the registry key HKLM\System\CurrentControlSet\services\W32Time\Config. It determines how the NTP server announces itself and can take the following values:

0x0 (Not a time server) - the server does not announce itself through NetLogon as a time server. It may answer NTP requests, but clients cannot discover it as a time source;
0x1 (Always time server) - the server always announces itself as a time server regardless of its status;
0x2 (Automatic time server) - the server announces itself as a time server only if it receives reliable time from another source (NTP or NT5DS);
0x4 (Always reliable time server) - the server always announces itself as a reliable time source;
0x8 (Automatic reliable time server) - a domain controller automatically announces itself as a reliable time source if it is the PDC emulator of the forest root domain. This allows the root PDC to declare itself authoritative for the whole forest even without a connection to external NTP servers. Any other controller or member server (with flag 0x2) cannot declare itself a reliable time source unless it receives reliable time itself.

The AnnounceFlags value is the sum of its components, for example:

10 = 2 + 8 - the NTP server announces itself as a reliable time source provided it receives time from a reliable source or is the PDC of the root domain. 10 is the default both for domain members and for standalone servers.

5 = 1 + 4 - the NTP server always announces itself as a reliable time source. For example, to make a regular server (not a domain controller) a reliable time source, flag 5 is needed. Use it deliberately: a machine with AnnounceFlags 5 tells every client that asks that its time is trustworthy whether or not it has any source of its own, so it belongs only on the box you really intend to be the authority.
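The two bit masks just described, decoded by a small function: an added example, not code from the original article. It runs offline on the constructed sample values at the bottom; Read-LiveValues reads the real NtpServer and AnnounceFlags values of the machine it runs on.

```powershell
# Added example, not from the original article: decode NtpServer peer flags and
# AnnounceFlags as described in the text. The sample values at the end are constructed.

$PeerFlagNames = @{ 1 = 'SpecialInterval'; 2 = 'UseAsFallbackOnly'; 4 = 'SymmetricActive'; 8 = 'Client' }
$AnnounceNames = @{ 1 = 'Always time server'; 2 = 'Automatic time server'; 4 = 'Always reliable time server'; 8 = 'Automatic reliable time server' }

function ConvertFrom-NtpServerValue {
    param([string]$NtpServer)   # e.g. 'time.windows.com,0x1 pool.ntp.org,0x9'
    foreach ($entry in ($NtpServer -split '\s+' | Where-Object { $_ })) {
        $name, $flagText = $entry -split ',', 2
        $flags = if ($flagText) { [int]$flagText } else { 0 }   # [int]'0x9' parses the hex suffix
        $modes = foreach ($bit in 1, 2, 4, 8) { if ($flags -band $bit) { $PeerFlagNames[$bit] } }
        [pscustomobject]@{
            Peer  = $name
            Flags = ('0x{0:x}' -f $flags)
            Modes = ($modes -join '+')
            # Without 0x8 Windows sends symmetric-active (mode 1) packets, the kind many
            # non-Windows servers drop; changing 0x1 to 0x8/0x9 is the usual fix.
            ClientMode              = [bool]($flags -band 8)
            UsesSpecialPollInterval = [bool]($flags -band 1)
        }
    }
}

function ConvertFrom-AnnounceFlags {
    param([int]$Value)
    $parts = foreach ($bit in 1, 2, 4, 8) { if ($Value -band $bit) { $AnnounceNames[$bit] } }
    [pscustomobject]@{
        Value                 = $Value
        Meaning               = ($parts -join ' + ')
        AlwaysReliable        = [bool]($Value -band 4)   # true for 5: claims reliability unconditionally
        AutoReliableIfRootPdc = [bool]($Value -band 8)   # true for 10, the default
    }
}

function Read-LiveValues {
    $w32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
    ConvertFrom-NtpServerValue (Get-ItemProperty "$w32\Parameters").NtpServer
    ConvertFrom-AnnounceFlags  (Get-ItemProperty "$w32\Config").AnnounceFlags
}

# Constructed sample: the default Microsoft entry plus a client-mode pool entry.
ConvertFrom-NtpServerValue 'time.windows.com,0x1 pool.ntp.org,0x9' | Format-Table -AutoSize
ConvertFrom-AnnounceFlags 10 | Format-List    # 2 + 8, the default
ConvertFrom-AnnounceFlags 5  | Format-List    # 1 + 4, "always reliable"
```

Running Read-LiveValues across all domain controllers is a quick way to find the one that quietly has AnnounceFlags 5 without an external source, or a peer list whose entries lack the 0x8 bit.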


Finally, the update interval. It is set by SpecialPollInterval, which is in the registry key HKLM\System\CurrentControlSet\services\W32Time\TimeProviders\NtpClient. It is given in seconds and its default is 604,800, which is 7 days. That is far too long, so change SpecialPollInterval to something reasonable, say 1 hour (3600).

After the configuration the service must reload it. This is done with the command w32tm /config /update. More commands for configuring, monitoring and diagnosing the service:

w32tm /monitor - lets you find out how much this computer's system time differs from the time on the domain controller or on other computers. For example: w32tm /monitor /computers:time.nist.gov
w32tm /resync - forces the computer to synchronize with the time server it is using.
w32tm /stripchart - shows the time difference with a remote computer and can display the result graphically. For example, the command w32tm /stripchart /computer:time.nist.gov /samples:5 /dataonly takes 5 samples from the given source and prints the result as text.

w32tm /config is the main command used to configure the time service. With it you set the list of time servers, the synchronization type and much more. For example, to override the default and synchronize with an external source, use the command w32tm /config /syncfromflags:manual /manualpeerlist:time.nist.gov /update
w32tm /query - shows the current service settings. For example, w32tm /query /source shows the current time source, and w32tm /query /configuration shows all service parameters.

And, as a last resort 🙁
w32tm /unregister - unregisters the time service from the computer.
w32tm /register - registers the time service on the computer. All service parameters in the registry are recreated with default values in the process.

updated 03/26/2012

Everyone wants to see the exact time on their computer. Besides that, it is also important for the normal functioning of a Windows domain and AD. It would seem simple enough: configure the PDC emulator to synchronize with some NTP server and everything else sorts itself out... But more than once I have had to synchronize the domain controllers among themselves, and listen to users complaining that our time is off by a couple of minutes.

It would seem the problem is laughable: a few minutes. But for working people even a few minutes matter. Especially for the editors of the news feed at www.korrespondent.net. True, the complaints were loud and heated: because of this problem they were losing whole 2, 3 or 5 minutes of work :-)

The standard "dances with a tambourine" that first I and then our engineer performed following Microsoft's recipes helped, but not for long. That is, the time converged, the errors disappeared from the logs, and then after a couple of hours, or at best a day, it all started again. Or after a couple of days, or a month or two, the error would again grow beyond 2 minutes and everything began anew.

So if you want something done well, do it yourself. We have three domain controllers running Windows 2003 Server R2 and a couple of workstations running Windows XP Professional SP3. A Cisco 2821 serves as the company's NTP server.

The sign of the problem on the DC that is also the PDC emulator is the following errors in the Event Log:

Event Type: Warning
Event Source: W32Time
Event Category: None
Event ID: 47
Date: 11/17/2009
Time: 13:21:45
User: N/A
Computer: DC04
Description:
Time Provider NtpClient: No valid response has been received from manually configured peer ntp.mydomain.ua,0x1 after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with this DNS name.

Event Type: Error
Event Source: W32Time
Event Category: None
Event ID: 29
Date: 11/17/2009
Time: 13:21:45
User: N/A
Computer: DC04
Description:
Time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time.

Event Type: Information
Event Source: W32Time
Event Category: None
Event ID: 38
Date: 11/17/2009
Time: 14:06:45
User: N/A
Computer: DC04
Description:
The time provider NtpClient cannot reach or is currently receiving invalid time data from ntp.mydomain.ua
(ntp.m|0x1|192.168.0.50:123->10.10.72.17:123).

On the other domain controllers, instead of Event ID 47, Event ID 24 is present:

Event Type: Warning
Event Source: W32Time
Event Category: None
Event ID: 24
Date: 11/18/2009
Time: 06:46:56
User: N/A
Computer: DC03
Description:
Time Provider NtpClient: No valid response has been received from domain controller pdacemul.addomain after 8 attempts to contact it. This domain controller will be discarded as a time source and NtpClient will attempt to discover a new domain controller from which to synchronize.
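The four event types quoted above as a small triage function: an added example, not part of the original post. The sample records are constructed from the event texts shown above (plus one benign event 35 to show it is ignored); the commented Get-WinEvent line at the end is the live equivalent on Windows Server 2008 or later.

```powershell
# Added example, not from the original post: classify W32Time events like the ones
# quoted above and pull out the peer each one complains about.

$W32TimeSignals = @{
    47 = 'no valid response from a manually configured peer: source unreachable, wrong name, or it ignores symmetric-active requests'
    29 = 'no time source accessible at all; NtpClient backs off for 15 minutes'
    38 = 'peer unreachable or returning invalid time data'
    24 = 'no valid response from a domain controller: the NT5DS chain towards the PDC emulator is broken'
}

function Get-W32TimeAlerts {
    param([Parameter(ValueFromPipeline)] $Record)   # needs Id, TimeCreated, MachineName, Message
    process {
        $id = [int]$Record.Id
        if (-not $W32TimeSignals.ContainsKey($id)) { return }
        # The peer or DC name sits after "peer", "controller" or "data from"; a typo
        # in NtpServer, or a DC that no longer exists, is visible right here.
        $peer = if ($Record.Message -match '(?:peer|controller|data from) (\S+?)(?:,0x[0-9a-f]+)? (?:after|\()') { $Matches[1] } else { 'n/a' }
        [pscustomobject]@{
            Time    = $Record.TimeCreated
            Host    = $Record.MachineName
            Id      = $id
            Peer    = $peer
            Meaning = $W32TimeSignals[$id]
        }
    }
}

# Constructed sample records; the message text is taken from the events shown above.
$sample = @(
    [pscustomobject]@{ Id = 47; TimeCreated = '2009-11-17 13:21:45'; MachineName = 'DC04'; Message = 'Time Provider NtpClient: No valid response has been received from manually configured peer ntp.mydomain.ua,0x1 after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with this DNS name.' }
    [pscustomobject]@{ Id = 29; TimeCreated = '2009-11-17 13:21:45'; MachineName = 'DC04'; Message = 'Time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time.' }
    [pscustomobject]@{ Id = 38; TimeCreated = '2009-11-17 14:06:45'; MachineName = 'DC04'; Message = 'The time provider NtpClient cannot reach or is currently receiving invalid time data from ntp.mydomain.ua (ntp.m|0x1|192.168.0.50:123->10.10.72.17:123).' }
    [pscustomobject]@{ Id = 24; TimeCreated = '2009-11-18 06:46:56'; MachineName = 'DC03'; Message = 'Time Provider NtpClient: No valid response has been received from domain controller pdacemul.addomain after 8 attempts to contact it. This domain controller will be discarded as a time source and NtpClient will attempt to discover a new domain controller from which to synchronize.' }
    [pscustomobject]@{ Id = 35; TimeCreated = '2009-11-18 06:50:00'; MachineName = 'DC03'; Message = 'The time service is now synchronizing the system time with the time source pdacemul.addomain.' }
)
$sample | Get-W32TimeAlerts | Format-Table -AutoSize

# Live equivalent (last 24 h on this host, Windows Server 2008 or later):
# Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service'; StartTime = (Get-Date).AddDays(-1) } | Get-W32TimeAlerts
```

Read the output as a chain: event 47 on the PDC emulator with its peer still carrying the 0x1 suffix points at the external source (or the symmetric-active mode), while event 24 on the other controllers is downstream damage that clears by itself once the PDC emulator has a source again.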

So, the procedure for fixing the w32tm service:

  1. If you don't remember, find out all the DCs and which of them is the PDC emulator:
    netdom query fsmo
  2. Now check the availability of the time server from the PDC emulator:
    portqry -n ntp.mydomain.ua -e 123 -p UDP
    Querying target system called:
    ntp.mydomain.com
    Attempting to resolve name to IP address...
    Name resolved to 10.10.72.17

    UDP port 123 (ntp service): LISTENING or FILTERED

    It should say exactly this: "LISTENING or FILTERED". Keep in mind what that proves: portqry cannot tell a silent NTP server from a filtered port, so this only confirms that the name resolves and nothing answered with an ICMP unreachable.

    The utility is part of the Support Tools for Windows 2003 Server. Unfortunately, it does not work on Windows 2008 R2.

  3. With regedit, check the NTP server parameters:
    HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer
    It must contain the IP address or the exact name of our NTP server, and the entry must end with the suffix ",0x1". The quotes, naturally, are not part of the value. I will come back to this suffix later. To be sure there are no typos here, copy the address or name rather than retyping it.
  4. In the same place, check the parameter
    HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
    and make sure it says NTP, not NT5DS.
  5. Now check one more value,
    HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags
    here it must be 5.
  6. Restart the time service:
    net stop w32time && net start w32time
  7. Now force a resync:
    w32tm /resync /rediscover
  8. It is recommended to run on the domain controllers:
    w32tm /unregister
    w32tm /register
    This operation removes the time service and then recreates it; importantly, the whole set of service parameters in the registry is recreated too.
  9. It is also recommended to restart the domain controller that is the PDC emulator, just to be safe.
  10. If the errors reappear on the PDC emulator, as they did in my case, try changing the suffix 0x1 to 0x8 in the parameter
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer
    so that standard client-mode requests are sent. With 0x1 alone Windows sends symmetric-active (mode 1) packets, which many NTP servers ignore; the "0x1" inside the Event ID 38 description above is that suffix being used.
  11. Restart the service:
    net stop w32time && net start w32time
  12. Default Domain Controllers Policy, Default Domain Policy, and any other group policy that may apply to the domain controllers, servers and workstations: check the values under
    Computer Configuration/Administrative Templates/System/Windows Time Service/Time Providers
    Make sure all the values there are "Not configured". If necessary, experiment with these parameters. Note that policy settings are written to HKLM\SOFTWARE\Policies\Microsoft\W32Time and take precedence over the values edited in steps 3-5, so a policy left enabled there silently undoes the manual registry edits; w32tm /query /configuration marks each value as (Local) or (Policy), which shows where the effective setting comes from.
  13. If something was changed in policy, restart the time service:
    net stop w32time && net start w32time
  14. If nothing helped, reset the time service parameters on the PDC emulator:
    net stop w32time
    w32tm /unregister
    w32tm /register
    after which all the parameters have to be configured again starting from step 3. If an "access denied" message appears at the unregister step, reboot first.
  15. w32tm /config /manualpeerlist:PEERS /syncfromflags:manual /reliable:yes /update

    where PEERS are the time source servers, given as DNS names or IP addresses. If there is more than one, separate them with spaces and enclose the whole list in quotes: "time.domain.com time1.domain.com".
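For step 2, a probe that replaces portqry and answers the question it cannot: does the server actually reply, and in which NTP mode. This is an added example, not code from the original post. It sends a 48-byte NTPv3 request over UDP 123, parses the transmit timestamp of the reply and reports the clock offset; run it once in client mode (what the 0x8 suffix makes Windows send) and once in symmetric-active mode (what 0x1 alone sends) to see whether step 10 will be needed. The target name is the post's placeholder; it assumes PowerShell 5 and a host that can reach UDP 123.

```powershell
# Added example, not from the original post: minimal NTP probe for UDP 123.

function Test-NtpSource {
    param(
        [string]$Server = 'ntp.mydomain.ua',   # placeholder name from the post
        [int]$TimeoutMs = 3000,
        # First packet byte: LI=0, VN=3, Mode. 0x1B = mode 3 (client, what ",0x8" makes
        # W32Time send); 0x19 = mode 1 (symmetric active, the W32Time default).
        [byte]$FirstByte = 0x1B
    )
    $request = New-Object byte[] 48
    $request[0] = $FirstByte
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    $remote = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
    try {
        $udp.Connect($Server, 123)
        $sent = [datetime]::UtcNow
        [void]$udp.Send($request, $request.Length)
        $reply = $udp.Receive([ref]$remote)
        $received = [datetime]::UtcNow
    } catch {
        # Timeout or ICMP unreachable: filtered port, dead host, or a server that ignores
        # this mode. portqry's "LISTENING or FILTERED" cannot distinguish these cases.
        return [pscustomobject]@{ Server = $Server; Mode = ($FirstByte -band 7); Reachable = $false; Error = $_.Exception.Message }
    } finally { $udp.Close() }

    # Transmit timestamp (bytes 40..47): seconds since 1900-01-01 UTC plus a 32-bit fraction.
    # Plain era-0 arithmetic, which is fine for a diagnostic until the 2036 rollover.
    $sec = 0L; $frac = 0L
    foreach ($i in 40..43) { $sec  = ($sec  -shl 8) -bor $reply[$i] }
    foreach ($i in 44..47) { $frac = ($frac -shl 8) -bor $reply[$i] }
    $serverUtc = [datetime]::new(1900, 1, 1, 0, 0, 0, [DateTimeKind]::Utc).AddSeconds($sec + $frac / 4294967296.0)
    $midpoint  = $sent.AddMilliseconds(($received - $sent).TotalMilliseconds / 2)
    $offset    = ($serverUtc - $midpoint).TotalSeconds

    [pscustomobject]@{
        Server           = $Server
        Endpoint         = $remote.ToString()
        Mode             = $FirstByte -band 7
        Reachable        = $true
        ReplyMode        = $reply[0] -band 7       # 4 = server reply to a client request
        LeapIndicator    = $reply[0] -shr 6        # 3 = server clock not synchronized: do not trust it
        Stratum          = [int]$reply[1]          # 0 = kiss-o'-death, 16 = unsynchronized
        OffsetSeconds    = [math]::Round($offset, 3)
        # Kerberos rejects tickets outside +/-5 minutes; anything near that is already a problem.
        OverKerberosSkew = [math]::Abs($offset) -gt 300
    }
}

# Step 2 done both ways: client mode first, then the symmetric-active mode W32Time uses by default.
Test-NtpSource -Server 'ntp.mydomain.ua'
Test-NtpSource -Server 'ntp.mydomain.ua' -FirstByte 0x19
```

A server that answers the first call and times out on the second is exactly the case step 10 fixes: nothing is wrong with the network or the name, the server simply drops symmetric-active packets. A reply with LeapIndicator 3 or Stratum 0 or 16 means the server itself has no valid time, and W32Time is right to refuse it.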



A quirk observed in Windows 7: the time service does not start automatically when Windows starts. Fixed in SP1 for Windows 7.
