Server 2003 NTP Time Sync Troubles

Recently I had problems getting a Windows Server 2003 domain controller to sync time with an external NTP time server. In an Active Directory environment, time sync is done through the domain hierarchy, but at the very top, the DC with the PDC emulator FSMO role in the forest root domain by default has no server to sync with. I set this server to sync with several external NTP time servers, but it was repeatedly failing with event IDs 38, 47, and 29 from the W32Time service. The not very helpful messages only stated that either a connection couldn’t be made or inaccurate time data was being received. I ruled out firewall / connectivity issues by verifying with Wireshark that time data was being returned in response to the server’s queries.

This Microsoft KB article, detailing problems when attempting to sync to a non-Windows NTP server, seemed to describe my situation, but after testing various registry and client sync mode settings, I still couldn’t get time sync to work. I finally found this KB, which describes a known issue in which Server 2003 will not sync with a time server whose precision value is less than -30. I verified that the external NTP servers I had configured were returning a precision value of -31 by enabling debug logging for the W32Time service, which logged these events of specific interest:

  • Sending packet to time.nist.gov in Win2K detect mode, stage 1.
  • ListeningThread — response heard from 192.43.244.18:123
  • Poll Interval: 15 – out of valid range;  Precision: -31 – -0.465661ns per tick
  • Rejecting packet w/ bad precision

The ntp.org FAQ site defines precision as “the random uncertainty of a measured value, expressed by the standard deviation or by a multiple of the standard deviation.” Whatever, that reminds me a little too much of my college statistics course. I guess the implication of using a time source with a low precision is that your time will be somewhat off, but 31 microseconds still seems acceptable to me, and as far as Active Directory is concerned, what matters most is that your machines are synced to each other. My biggest complaint with this is the error messages generated when the sync failed. Nowhere is precision, or any other specific problem, mentioned, even though the information is available, as evidenced by the log file.

There is a hotfix available by request from MS to resolve this, but in my case I just used some trial and error to find several stratum 1 time servers with a high enough precision value to be accepted. Microsoft has posted a list of public NTP servers here.
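To shorten that trial and error, a candidate server's advertised precision can be read straight from the NTP response header before W32Time is pointed at it. The following Python is an added example, not part of the original post; the function names and the two sample packets are constructed for illustration, and the -30 cutoff is the one the KB describes.

```python
import socket
import struct

NTP_PORT = 123
MIN_ACCEPTED_PRECISION = -30  # per the KB: values less than -30 are rejected

def build_client_request(version=3):
    """48-byte NTP request: LI=0, VN=version, Mode=3 (client), rest zeroed."""
    return bytes([(version << 3) | 3]) + bytes(47)

def parse_header(packet):
    """Decode the first four header bytes of an NTP packet."""
    if len(packet) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    # Byte 0: LI/VN/Mode bit fields. Byte 1: stratum.
    # Bytes 2 and 3: poll and precision, signed log2(seconds).
    flags, stratum, poll, precision = struct.unpack("!BBbb", packet[:4])
    return {
        "leap": flags >> 6,
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,
        "stratum": stratum,
        "poll": poll,
        "precision": precision,
        "tick_ns": 2.0 ** precision * 1e9,  # 2^precision seconds, in ns
    }

def precision_rejected(header):
    """True if the precision is below the cutoff described in the KB."""
    return header["precision"] < MIN_ACCEPTED_PRECISION

def query(server, timeout=5.0):
    """Send one client request to a live server and return its parsed header."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_client_request(), (server, NTP_PORT))
        data, _ = s.recvfrom(512)
    return parse_header(data)

# Constructed sample replies (VN=3, Mode=4 server, stratum 1, poll 15).
SAMPLE_REJECTED = struct.pack("!BBbb", 0x1C, 1, 15, -31) + bytes(44)
SAMPLE_ACCEPTED = struct.pack("!BBbb", 0x1C, 1, 15, -20) + bytes(44)

if __name__ == "__main__":
    for name, pkt in (("precision -31", SAMPLE_REJECTED),
                      ("precision -20", SAMPLE_ACCEPTED)):
        h = parse_header(pkt)
        verdict = "rejected" if precision_rejected(h) else "accepted"
        print(f"{name}: stratum {h['stratum']}, "
              f"{h['tick_ns']:.6f} ns per tick, {verdict}")
```

Calling `query("time.nist.gov")` from a machine with outbound UDP 123 returns the same dictionary for a live server.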


3 Responses

  1. Your blog is interesting!

    Keep up the good work!

  2. Thank You very much!

    Indeed you saved me from a lot of work.

    I appreciate people like you who take the time and write about solutions that they have found.

    I definitely agree with Alex:

    Your blog is interesting!

    Keep up the good work!

  3. Thanks a lot. A wrong time setting in Windows 2003 can cause a lot of Kerberos warnings in the security log.
