Monday, May 22 2017

Configuring NTP with Master Clock in Isolated Network

Typically, in an Active Directory based environment, the Primary Domain Controller (PDC) is the master for time and all other domain-joined machines receive their time from the master.

Log in to the Primary Domain Controller (PDC), which holds the PDC Emulator role – in my case it is Windows Server 2012 R2 or above.

To find who is holding the PDC role, log in to Active Directory and run –

netdom query fsmo

To set NTP on an isolated network – (the same process applies on a network with Internet connectivity, only the NTP IP differs)

Setting 10.10.10.10 as the NTP source for my primary domain controller (the 0x8 flag makes W32Time send client-mode requests)

Open PowerShell with Run as Administrator

w32tm /config /manualpeerlist:"10.10.10.10,0x8" /syncfromflags:manual /reliable:yes /update
Get-Service W32time | Restart-Service

Note: UDP port 123 must be open

Verify Time Source Applied Properly –

w32tm /query /source

To Resync Time with the NTP –

w32tm /resync

To Check Clock Type –

w32tm /query /peers

Verify that the NTP server is OK and that we can receive time from it –

w32tm /stripchart /computer:10.10.10.10 /dataonly

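For debugging, enable w32tm debug logging (/entries:0-300 logs all information, /size is the maximum log file size in bytes) –

w32tm /debug /enable /file:Deb.log /entries:0-300 /size:10000000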

W32tm Registry Location –

HKLM\System\CurrentControlSet\Services\w32time\Parameters

I had to use a custom NTP appliance from Master Clock, which acts as the NTP server in an isolated environment.

Download WinDiscovery from the Master Clock site.

Enter the global password – the default is public

Exit WinDiscovery and open it again.

Discover – Enter Network Configuration for Static IP

Administrative Actions – Set Password

Save it.

Enter the global password and save it. Close WinDiscovery and reopen it.

Discover

Exit, reopen and discover again.

Enable – NTP Server

Uncheck – "Set NTP Alarm flag when not locked to a reference" on free-running clocks like the NTP 100

For Cisco routers, MD5 has to be enabled

Trusted Allowed – Enter the keyword; all lower case is easier.

Enable MD5 authentication for client requests

— Ignore Request if not Authenticated – Leave it checked as PDC is using the same master clock

Set Time Zone / Time offset

In my case UTC +4

Now set the time in UTC.
Note: you always have to set the time in UTC (Google "current UTC time with seconds").

SSH is enabled by default – add a user name and password. It makes it easy to change the time or reboot the appliance.

ssh

username – public

password – publicpass

? – list all commands

Options – ssh ?

Known Issues –

  • VMware machine keeps reporting Local CMOS Clock as its time source

As a recommended practice, apply https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1189

tools.syncTime = "FALSE"
time.synchronize.continue = "FALSE"
time.synchronize.restore = "FALSE"
time.synchronize.resume.disk = "FALSE"
time.synchronize.shrink = "FALSE"
time.synchronize.tools.startup = "FALSE"
time.synchronize.tools.enable = "FALSE"
time.synchronize.resume.host = "FALSE"

Check 1 – "Synchronize guest time with host" is unchecked

Check 2 – Verify that UDP port 123 is open on Windows Firewall and that you can query the time using the stripchart command

w32tm /stripchart /computer:10.10.10.10 /dataonly

Check 3 – Configure another NTP server and check whether the status changes. It could be that the NTP server is not giving the time in a proper way, so that Windows Server falls back to the default Local CMOS Clock.

Check Event Viewer

Log Name:      System
Source:        Microsoft-Windows-Time-Service
Date:          4/17/2017 5:11:22 PM
Event ID:      47
Task Category: None
Level:         Warning
Keywords:
User:          LOCAL SERVICE
Computer:      DS002
Description:
Time Provider NtpClient: No valid response has been received from manually configured peer 10.10.10.10,8 after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with this DNS name. The error was: The peer is unreachable.
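
An added example (not from the original post) for Check 3 and the "Set NTP Alarm flag" option above: a small Python decoder for the NTP reply header that applies the usual SNTP client sanity checks, so you can see whether the appliance answers with the alarm bits set. It assumes the appliance's alarm flag corresponds to leap indicator 3 and that W32Time discards such replies; build_reply and its sample values are constructed for offline testing.

```python
import socket
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01

def parse_ntp_reply(packet: bytes) -> dict:
    """Decode the NTP header fields a client uses to accept or reject a peer."""
    if len(packet) < 48:
        raise ValueError("NTP reply is shorter than the 48-byte header")
    flags, stratum = packet[0], packet[1]
    tx_seconds, tx_fraction = struct.unpack("!II", packet[40:48])
    return {
        "leap": flags >> 6,           # 3 = alarm condition, clock not synchronized
        "mode": flags & 7,            # 4 = server reply
        "stratum": stratum,           # 1 = primary reference, 0 or 16+ = unusable
        "ref_id": packet[12:16],      # ASCII tag (e.g. b"GPS\0") at stratum 1
        "unix_time": (tx_seconds - NTP_EPOCH_OFFSET + tx_fraction / 2**32) if tx_seconds else None,
    }

def rejection_reasons(reply: dict) -> list:
    """Return why a client would discard this reply; empty list means usable."""
    reasons = []
    if reply["mode"] != 4:
        reasons.append("not a server reply")
    if reply["leap"] == 3:
        reasons.append("alarm flag set (leap indicator 3)")
    if reply["stratum"] == 0 or reply["stratum"] >= 16:
        reasons.append("unusable stratum %d" % reply["stratum"])
    if reply["unix_time"] is None:
        reasons.append("zero transmit timestamp")
    return reasons

def query(server: str, timeout: float = 3.0) -> dict:
    """Send one client request (version 3, mode 3) to UDP 123 and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(b"\x1b" + bytes(47), (server, 123))
        return parse_ntp_reply(sock.recvfrom(512)[0])

def build_reply(leap: int, stratum: int, ref_id: bytes, unix_time: int) -> bytes:
    """Constructed sample reply (version 3, mode 4) so the checks run offline."""
    header = struct.pack("!BBbb", (leap << 6) | (3 << 3) | 4, stratum, 6, -20)
    transmit = struct.pack("!II", unix_time + NTP_EPOCH_OFFSET if unix_time else 0, 0)
    return header + bytes(8) + ref_id.ljust(4, b"\0") + bytes(24) + transmit

if __name__ == "__main__":
    for leap in (0, 3):  # constructed replies: locked reference vs. alarm flag set
        reply = parse_ntp_reply(build_reply(leap, 1, b"GPS", 1492449082))
        print("leap", leap, rejection_reasons(reply) or "accepted")
```

On the live network, rejection_reasons(query("10.10.10.10")) gives the same verdict for the appliance's actual reply.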

About Satheshwaran Manoharan

Satheshwaran Manoharan is a Microsoft Exchange Server MVP and publisher of CareExchange.in, supporting, deploying and designing Microsoft Exchange for some years, with extensive experience in Microsoft technologies.
