ntp.conf description. An example of configuring a local NTP server to work with NetPing devices

The Windows Time service, despite its apparent simplicity, is one of the foundations needed for the normal functioning of an Active Directory domain. In a properly configured AD environment the time service works like this: users' computers get the exact time from the domain controller they logged into; all domain controllers in turn get the exact time from the DC holding the PDC emulator role; and the PDC emulator synchronizes its time with an external time source. The external time source can be one or more NTP servers, such as time.windows.com or your ISP's NTP server. Note also that, by default, clients in a domain synchronize time using the Windows Time service (W32Time), not plain NTP.

If you are faced with a situation where the time on clients and domain controllers differs, it is possible that your domain has problems with time synchronization and this article will be useful to you.

First of all, choose a suitable NTP server that you could use. A list of public NTP servers is available at http://ntp.org. In our example, we will use NTP servers from the ru.pool.ntp.org pool:

  • 0.ru.pool.ntp.org
  • 1.ru.pool.ntp.org
  • 2.ru.pool.ntp.org
  • 3.ru.pool.ntp.org

Setting up domain time synchronization using Group Policy consists of two steps:

1) Create a GPO for a domain controller with the PDC role
2) Create a GPO for clients (optional)

Configuring the NTP Synchronization Policy on the PDC Domain Controller

This step involves configuring the domain controller with the PDC emulator role to synchronize time with an external NTP server. Because the PDC emulator role can theoretically move between domain controllers, we need a policy that applies only to the current owner of the PDC role. To do this, in the Group Policy Management Console (GPMC.msc) create a new WMI filter: in the WMI Filters section create a filter named PDC Emulator with the WMI query: Select * from Win32_ComputerSystem where DomainRole = 5

Then create a new GPO and assign it to the Domain Controllers container.

Switch to policy edit mode and expand the following policy section: Computer Configuration->Administrative Templates->System->Windows Time Service->Time Providers

We are interested in three policies:

  • Configure Windows NTP Client: Enabled (policy settings are described below)
  • Enable Windows NTP Client: Enabled
  • Enable Windows NTP Server: Enabled


In policy settings Configure Windows NTP Client specify the following options:

  • NtpServer: 0.ru.pool.ntp.org,0x1 1.ru.pool.ntp.org,0x1 2.ru.pool.ntp.org,0x1 3.ru.pool.ntp.org,0x1
  • Type: NTP
  • CrossSiteSyncFlags: 2
  • ResolvePeerBackoffMinutes: 15
  • ResolvePeerBackoffMaxTimes: 7
  • SpecialPollInterval: 3600
  • EventLogFlags: 0

Advice. Remember to configure the firewall so that the PDC server can access external NTP servers using the NTP protocol (UDP port 123).

Note. Pay attention to the syntax of the NtpServer field. Multiple NTP servers are specified as follows: ntsrv1.org,0x1 ntpsrv2.org,0x1 (space separator). The screenshot contains erroneous data!

Apply the PDC Emulator WMI filter you created earlier to this policy.

Advice. You can find the name of the server with the PDC role using the command: netdom query fsmo

It remains to update the policies on the PDC controller:
gpupdate /force

Manually start time synchronization:
w32tm /resync

Check current NTP settings:
w32tm /query /status

Advice. In the event that the time is not synchronized, restart the Windows Time service and reset the current settings:
net stop w32time
w32tm.exe /unregister
w32tm.exe /register
net start w32time

Configuring Time Synchronization on Domain Clients

In an Active Directory environment, domain clients by default synchronize their time with domain controllers (the Nt5DS option: synchronize time according to the domain hierarchy). As a rule, this scheme works and does not require reconfiguration. However, if you are having trouble synchronizing time on domain clients, you can try to force a time server onto the clients using a GPO.

To do this, create a new GPO and assign it to containers (OU) with computers. In the GPO editor, navigate to Computer Configuration -> Administrative Templates -> System -> Windows Time Service -> Time Providers and enable the policy Configure Windows NTP Client.

Specify the PDC name or IP address as the NTP server, for example msk-dc1.site,0x9, and NT5DS as the synchronization type.

Update the Group Policy settings on the clients and verify that the clients have successfully synchronized their time with the PDC.

Advice. The specified scheme is applicable only to small domains. For large distributed domains with many DCs and sites, you will need to create a separate policy for each site so that clients synchronize their time with the DCs in the site.

On the Internet you can find a whole sea of manuals for setting up a time server (ntpd), but the irony is that 95% of them are either not entirely correct, and the authors do not even notice this, or do not provide the necessary information. Next, I will describe how to organize an NTP server under Linux on a local network, which will synchronize its time with servers on the Internet, while devices on the local network synchronize their time with it.

A little backstory. As usual, it all started unexpectedly: the server I had set up the night before hung on its next boot. "Wonderful," I thought, and dug into the logs... It turned out that the ntpd service was to blame for the hang: because of incorrect network settings it could not reach the external server for synchronization. Looking at the startup script, I came across an interesting fragment:

start() {
    readconf
    if [ -n "$dostep" ]; then
        gprintf $"Syncing time for ntpd: "
        # try hard, some networks/slow machines/... take a while to have DNS
        local triesleft=7
        while [ $triesleft -gt 0 ]; do
            /usr/sbin/ntpdate -s -b $NTPDATE_OPT $tickers
            RETVAL=$?
            [ $RETVAL -eq 0 ] && break
            triesleft=$(($triesleft-1))
            sleep 1
        done
        unset triesleft
        [ $RETVAL -eq 0 ] && success || failure
        echo
        if [ $RETVAL -eq 0 ]; then
            [ "$SYNC_HWCLOCK" = "yes" ] && sync_hwclock
        else
            OPTIONS="$OPTIONS -g"
        fi
    else
        # -g can replace the grep for time servers
        # as it permits ntpd to violate its 1000s limit once.
        OPTIONS="$OPTIONS -g"
    fi
    # Start daemons.
    gprintf $"Starting $prog: "
    daemon ntpd $OPTIONS
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/ntpd
    return $RETVAL
}

Now pay attention to the while loop. It is the start of a loop that attempts the initial, rough time synchronization as many as 7 times. That would be fine, but if your network or DNS is misconfigured, it makes the server hang for 7 * (1 + DNS availability check time, about 5 seconds) seconds. Waiting a minute obviously did not suit me, so let's get started.

Setting the initial, coarse synchronization

The wonderful /etc/ntp/step-tickers file stores the names of the servers against which the initial, coarse (hundreds of milliseconds) adjustments are made. If you are sure that you will always have access to the Internet, you can list server names in it, for example:

But if you have no Internet connection at the time of the initial server boot, then under certain conditions this will make the console freeze for quite a long time. That's why I deleted all the records from there; in the end, I can make a rough time adjustment manually. Another option is to play with the options and tweak the startup script, but that is not my way. So let's proceed directly to setting up a full-fledged NTP server, which will synchronize its time with public servers on the Internet and provide it to members of the local network when needed.

Task: organize an NTP server on the local network that synchronizes its time with the Internet, while devices on the local network synchronize their time with it.
Distribution: Mandriva 2010.2 Free; ntpd version: 4.2.4p8

Setting up NTPD

The world of Linux is really great, all the settings in it come down to simple editing of configuration files. ntpd is no exception in this regard. So, if you don't have an ntpd server yet, install it:

Those who wish can compile it from source or install it some other way, but my task here is to show how to set up this miracle. The settings file is /etc/ntp.conf, and the minimum configuration looks something like this:

server 0.ru.pool.ntp.org
server 1.ru.pool.ntp.org
server 2.ru.pool.ntp.org
server 3.ru.pool.ntp.org

Each line specifies a server (lists of servers can be found at http://www.pool.ntp.org) with which synchronization will take place. Four server lines, accordingly, four servers. Although in this example that is not entirely true: each entry points to a pool (group) of servers. When you contact, say, 2.ru.pool.ntp.org, one IP address of a server to synchronize with is chosen from the pool. The assignments are updated once an hour.

A simpler analogy. We have 4 boxes of watches. We randomly take one watch out of each box, so we get 4 watches against which to compare our time. For an hour, every time we check the time, we use the same watches. An hour later, when we go back to the boxes, we take out different watches. Thus our time is constantly checked against different clocks, and if some of them turn out to be broken, nothing terrible happens, because in one hour our local clock will not drift too far.

But we digress; let's continue. Before starting the ntpd server, you need to do an initial, rough time setting. You can simply set the time manually, or run the command (provided, of course, that we have a working Internet connection):

After the time is roughly synchronized, you can start the main service (just in case, restart it):

Then we execute the command:

As a result, you should see something like:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 mx.kr-pro.ru    62.149.0.30      2 u   26   64    1   22.416   77.711   0.001
 Phobos.bsys-Net 192.36.143.151   2 u   25   64    1   32.994   64.937   0.001
 WebHost.mitht.r 77.105.134.138   3 u   25   64    1   68.134   37.119   0.001
 Hornet.itconnec 77.233.172.7     3 u   24   64    1   58.604   38.047   0.001

A little explanation of what is what:

  • remote: FQDN or IP address of the server;
  • refid: IP address of the server that the server in the remote column is currently synchronizing with;
  • st: server stratum;
  • t: server operation mode: "u" unicast, "m" multicast, "b" broadcast, "-" manycast;
  • when: seconds elapsed since the last response from the server, or "-" if the server has not answered yet (most likely it has "died", and it is time to remove it from the configuration file);
  • poll: server polling interval in seconds (small right after startup so that synchronization happens faster; the value grows over time);
  • reach: status of the last eight requests to the server, in octal (a successful attempt sets the corresponding bit);
  • delay: server response delay in seconds;
  • offset: the most important value, the difference between local time and the time on the server (it decreases over time as the time becomes more accurate);
  • jitter: dispersion, phase jitter (lower values give more accurate synchronization).

We wait 10 minutes, repeat the command and see:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*mx.kr-pro.ru    62.117.76.142    2 u    5   64  377   20.558   38.662  19.060
+Phobos.bsys-Net 192.36.143.151   2 u    6   64  377   17.726   38.447  15.132
-Webhost.mitht.r 77.105.134.138   3 u    4   64  377   66.744   13.451  16.257
+Hornet.itconnec 77.233.172.7     3 u   11   64  377   57.291   43.556  13.327

Here they are: all sorts of extra characters have appeared, and this is what they mean:

  • "*": the server currently being synchronized with;
  • "#": the server is selected for synchronization, but its distance exceeds the maximum allowed;
  • "?": the server is selected for synchronization and uses the PPS signal;
  • "+": the server is added to the list of servers selected for synchronization;
  • "x": the server uses an incorrect algorithm;
  • ".": the server is selected from the end of the list of servers chosen for synchronization;
  • "-": the server is rejected by the clustering algorithm;
  • space: the server has too high a stratum and/or cannot be checked.

Put simply, if we see "+", "-" or "*", synchronization has started. offset is the deviation between our time and the remote server's time; if the value is, say, greater than 100, synchronization has not really happened. On some resources you can see the following picture:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 172.22.128.8    93.185.187.89    3 u  142  256  377    3.906  -450.41  61.937
 195.200.216.16  .INIT.          16 u    -   64    0    0.000    0.000   0.000
 ams1.x31.com    .INIT.          16 u    -   64    0    0.000    0.000   0.000
 mail2.mgts.by   .INIT.          16 u    -   64    0    0.000    0.000   0.000
*LOCAL(1)        .LOCL.           3 l   13   64  377    0.000    0.000   3.906

We see that the servers on lines 2, 3 and 4 do not work at all, and the daemon is actually working only with the local clock and with 172.22.128.8. Look at the offset value: it says there is no synchronization at all! Only one conclusion can be drawn from the listing: the server is synchronized with itself, and its time has little to do with the real one. Be careful, don't let yourself be fooled :) We could stop here, but now, as they say, we complicate the task. We want our server to be a time source for the local network, but at the same time nobody should be able to do anything bad to your server. What is the problem? In fact, for normal synchronization, even if you do not plan to let anyone synchronize with you, you MUST have UDP port 123 open. After reading many manuals and a day of wasted time, this is what I ended up with in /etc/ntp.conf:

01 # Public NTP servers from which we get time
02 server 0.ru.pool.ntp.org
03 server 1.ru.pool.ntp.org
04 server 2.ru.pool.ntp.org
05 server 3.ru.pool.ntp.org
06 server 0.europe.pool.ntp.org
07 server 1.europe.pool.ntp.org
08
09 # For everyone else, access is denied
10 restrict default ignore
11
12 # Public NTP servers can't control our local server
13 restrict 0.ru.pool.ntp.org nomodify notrap
14 restrict 1.ru.pool.ntp.org nomodify notrap
15 restrict 2.ru.pool.ntp.org nomodify notrap
16 restrict 3.ru.pool.ntp.org nomodify notrap
17 restrict 0.europe.pool.ntp.org nomodify notrap
18 restrict 1.europe.pool.ntp.org nomodify notrap
19
20 # Our server provides NTP service for the local network,
21 # and clients can't control our local server
22 restrict 192.168.0.0 mask 255.255.0.0 nomodify notrap nopeer
23
24 # Needed for loopback synchronization; without it nothing will work
25 restrict 127.0.0.1 nomodify notrap

Let's go through it carefully. Our server synchronizes with 6 external server pools, lines 02 to 07. Line 10: we forbid anyone from doing anything with our server. Now we need an exception for the servers our server will synchronize with, lines 13 to 18. The nomodify notrap parameters mean that the EXTERNAL servers are forbidden to change the state of OUR server or to send it trap messages, i.e. none of those servers can do anything to it. Line 22: we allow members of the local network to synchronize time with our server, but with the same restrictions. Now the most important line, 25: this is the loopback; it won't work without it. As a result, our server synchronizes with external servers while itself being a server, but only for our local network; access is denied to everyone else. Let's restart the service again:

Let's go smoke, drink tea, coffee (underline as appropriate), then execute the command:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*mx.kr-pro.ru    62.117.76.142    2 u    5   64  377   20.558   38.662  19.060
+Phobos.bsys-Net 192.36.143.151   2 u    6   64  377   17.726   38.447  15.132
-Webhost.mitht.r 77.105.134.138   3 u    4   64  377   66.744   13.451  16.257
+Hornet.itconnec 77.233.172.7     3 u   11   64  377   57.291   43.556  13.327
+sinister.wzw.tu 129.69.1.153     2 a

We see that our server is synchronized; the deviation does not exceed 50 ms. The ntpd setup is almost the same for all *nix systems and differs essentially only in how it is started. I also advise everyone to read the article describing the FreeBSD configuration: http://www.sergeysl.ru/freebsd-ntpd/ That's actually all.
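The access rules above are easy to get subtly wrong: a server line without its matching exception, the loopback line forgotten, a LAN range that still allows peering. The Python checker below is an added example, not code from the original article; it parses an ntp.conf and reports exactly those mistakes. Both configurations inside it are constructed for the demonstration, modelled on the listing above.

```python
"""Check an ntp.conf for the access-control mistakes discussed above."""


def parse_conf(conf):
    """Return (server hosts, {address: flags}, flags of 'restrict default')."""
    servers, restricts, default_flags = [], {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "server" and len(parts) > 1:
            servers.append(parts[1])
        elif parts[0] == "restrict" and len(parts) > 1:
            if parts[1] == "default":
                default_flags = set(parts[2:])
            else:
                flags = parts[2:]
                if flags[:1] == ["mask"]:        # 'restrict A mask M flags...'
                    flags = flags[2:]
                restricts[parts[1]] = set(flags)
    return servers, restricts, default_flags


def lint(conf):
    """Return a list of findings; an empty list means the rules look right."""
    servers, restricts, default_flags = parse_conf(conf)
    findings = []
    if default_flags is None:
        findings.append("no 'restrict default' line: no access limits apply to anyone")
    locked = default_flags is not None and "ignore" in default_flags
    for host in servers:
        flags = restricts.get(host)
        if flags is None:
            findings.append(f"server {host} has no restrict line"
                            + (" and is blocked by 'restrict default ignore'" if locked else ""))
        elif not {"nomodify", "notrap"} <= flags:
            findings.append(f"server {host}: exception lacks nomodify/notrap")
    if locked and "127.0.0.1" not in restricts:
        findings.append("127.0.0.1 is blocked: local ntpq/ntpdc queries will fail")
    for addr, flags in restricts.items():
        if addr in servers or addr == "127.0.0.1":
            continue
        missing = {"nomodify", "notrap", "nopeer"} - flags
        if missing:
            findings.append(f"client range {addr} lacks " + " ".join(sorted(missing)))
    return findings


# Constructed sample modelled on the page's /etc/ntp.conf (shortened).
GOOD_CONF = """
server 0.ru.pool.ntp.org
server 1.ru.pool.ntp.org
restrict default ignore
restrict 0.ru.pool.ntp.org nomodify notrap
restrict 1.ru.pool.ntp.org nomodify notrap
restrict 192.168.0.0 mask 255.255.0.0 nomodify notrap nopeer
restrict 127.0.0.1 nomodify notrap
"""

# Constructed broken variant: one server has no exception, the loopback
# line is missing, and the LAN rule still allows peering.
BAD_CONF = """
server 0.ru.pool.ntp.org
server 1.ru.pool.ntp.org
restrict default ignore
restrict 0.ru.pool.ntp.org nomodify notrap
restrict 192.168.0.0 mask 255.255.0.0 nomodify notrap
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, "->", lint(conf) or ["ok"])
```

ntpd 4.2.8 also documents a "restrict source nomodify notrap noquery" form that applies to whatever address each server or pool name resolves to; the checker above does not model that directive.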

In the article, we will consider setting up an NTP client.

Setting the time zone

To begin with, we look at what time zone we have set. For this we use the date command.

# date
Fri Mar 8 17:38:47 MSK 2019

If the time zone is set incorrectly, then set the correct time zone. To do this, we create the /etc/localtime file from the corresponding time zone from the /usr/share/zoneinfo/ directory. For example for Moscow.

ln -sf /usr/share/zoneinfo/Europe/Moscow /etc/localtime

Configuring NTP Client to Synchronize with NTP Server

Installing the ntp package

yum install ntp

To synchronize a local Linux client machine with an NTP server, edit the /etc/ntp.conf file. The following example specifies multiple time servers, which is useful in case one of them is unavailable. Alternatively, you can specify other external servers, for example pool.ntp.org:

server 0.rhel.pool.ntp.org iburst
server 1.rhel.pool.ntp.org iburst
server 2.rhel.pool.ntp.org iburst
server 3.rhel.pool.ntp.org iburst

iburst: this option improves synchronization accuracy: eight packets are sent instead of one. While the server is not responding, packets are sent every 16 seconds; once it responds, every 2 seconds.

server 192.168.1.1 prefer

prefer: if this option is specified, the given server is preferred over the others, but if its response differs significantly from the responses of the other servers, it will be ignored. Instead of 192.168.1.1, enter the IP address of your server.

Starting the NTP Service

After modifying ntp.conf and setting the required parameters, start the NTP service (daemon). Depending on the settings, it can work both as a server and as a client.

systemctl start ntpd

and add it to startup

systemctl enable ntpd

to check the time, type the command

Checking NTP Status

You can check the status of NTP using the ntpq command. If you get a connection refused error, then the time server is not responding, the NTP service on the client is not running, or the port is closed.

sudo ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*elserver1       192.168.1.1      3 u  300 1024  377    1.225   -0.071   4.606

  • remote: name or address of the time server. It is preceded by a status character, in this case "*", which marks the server in use. "+" means the server is suitable for updating, "-" that it is unusable, "x" that the server is unavailable;
  • refid: a server higher in the stratum hierarchy;
  • st: server level in the stratum hierarchy;
  • t: connection type (u: unicast, single connection; b: broadcast connection; l: local clock);
  • when: time elapsed since the last response;
  • poll: polling period in seconds;
  • reach: availability status (in binary, 1 means a successful attempt, 0 a failure; after 8 successful attempts the value is 377);
  • delay: packet round-trip time;
  • offset: current time offset relative to the server;
  • jitter: standard deviation of the time.

The jitter value should be low; if it is not, check the clock offset in the driftfile. If it is too large, you may need to change the NTP server. The following command manually synchronizes the time with an NTP server:

Manual time synchronization

To query the NTP server and set the date and time manually, use the ntpdate command. This is usually required only once.

First stop the ntp service:

systemctl stop ntpd

Start synchronization, specifying the server you want to synchronize time from:

ntpdate 192.168.1.1

Start the ntp service again:

systemctl start ntpd

After this initial synchronization, the NTP client will regularly poll the NTP server to ensure that the local time matches the exact time.


Introduction.

A Linux system, like most other modern operating systems, actually has two clocks. The first is the hardware clock, sometimes called the Real Time Clock (RTC) or BIOS clock, usually driven by an oscillating quartz crystal with an accuracy of up to several seconds per day. Its accuracy depends on various factors, such as ambient temperature. The second clock is the internal software (system) clock, which runs continuously, including during system interrupts. It is subject to fluctuations associated with high system load and interrupt latency. Normally the system reads the hardware clock at boot and then uses the system clock. The date command sets the system clock, not the hardware clock.

If NTP is used, you can set the hardware clock during the first installation of the system and never worry about it again.

The real-time clock (RTC) chip used on motherboards is not particularly accurate and usually loses or gains a certain amount of time every day.

You can synchronize the hardware clock with the system clock using the hwclock command with the -w or --systohc option, and synchronize the system clock with the hardware clock with the hwclock command with the -s or --hctosys option.

Setting.

First, in the /etc/ntp.conf file, add the line:

The time will be synchronized from the specified servers. If the first one is unavailable, the next ones in the list are used. The local NTP server is listed first.

Next, set whether local or universal time is used:

# cat /etc/sysconfig/clock

We don't have:

We set ZONE to "Europe/Moscow".

We get:

UTC=true: the system clock does not use the universal time representation.

ARC=true: the normal UNIX epoch is used.

The timezone under Linux is set via a symbolic link from /etc/localtime to a file in the /usr/lib/zoneinfo (or /usr/share/zoneinfo) directory, which indicates which timezone you are in.

Picture. Contents of /usr/share/zoneinfo

We execute commands.

rm -rf /etc/localtime

ln -s /usr/share/zoneinfo/Europe/Moscow /etc/localtime

Everything works!

If the ntpd daemon is running, the following message is displayed when attempting to synchronize with the ntp server.

This command shows which servers to connect to.

Addition:

Setting the hardware clock

To set the hardware clock, first set the system time and then write it to the hardware clock with "/sbin/clock -w" (or "/sbin/clock -wu" if using universal time). To find out the hardware time, run clock without parameters. If the hardware clock is set to local time and you want to see universal time, type "/sbin/clock -u".

Setting the system clock

To set the system clock in Linux, use the date program. For example, to set the current (system!) time and date to July 31, 23:16, type "date 07312316" (note that the time is given in 24-hour notation). If you want to change the year, type "date 073123161998". To set the seconds, type "date 07312316.30" or "date 073123161998.30". To get the system time, run date with no arguments.

Good afternoon, dear readers and guests of the blog. People often say that time runs quickly or slowly, and everyone understands that it is priceless and important. In an Active Directory infrastructure it is one of the most important factors for the proper functioning of the domain. In the domain everyone trusts each other: once a user has logged in and received all the tickets from Kerberos, he goes anywhere, limited only by his rights. So if the time on your workstations does not match the domain controller, you can assume that you are starting to have serious problems, which we will discuss below, along with how to fix them using Windows NTP server settings.

Time Synchronization in Active Directory

The following time synchronization scheme works among computers participating in Active Directory.

  • The root domain controller in the AD forest that owns the PDC emulator FSMO role (let's call it root PDC) is the time source for all other domain controllers in that domain.
  • Child domain controllers synchronize time with domain controllers upstream in the AD topology.
  • Ordinary domain members (servers and workstations) synchronize their time with the nearest available domain controller to them, respecting the AD topology.

The root PDC can synchronize its time either with an external source or with itself; the latter is the default and is absurd, as errors in the system log periodically hint.

Synchronization of clients of the root PDC can be performed both from its internal clock and from an external source. In the first case, the root PDC's time server advertises itself as "reliable".

Next, I will give the optimal configuration of the root PDC time server from my point of view, in which the root PDC itself periodically synchronizes its time from a reliable source on the Internet, and synchronizes the time of clients accessing it with its internal clock.

Enter netdom query fsmo. In my example, the role of the PDC and NTP server belongs to the dc7 controller

NTP Server Configuration on the Root PDC

The Windows time server (NTP server) can be configured using the w32tm command-line utility or through the registry. Where possible, I will show both options. But first, look at the complete settings on your computer with the command:

w32tm /query /configuration

EventLogFlags: 2 (Local)
AnnounceFlags: 10 (Local)
TimeJumpAuditOffset: 28800 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)
MaxNegPhaseCorrection: 172800 (Local)
MaxPosPhaseCorrection: 172800 (Local)
MaxAllowedPhaseOffset: 300 (Local)

FrequencyCorrectRate: 4 (Local)
PollAdjustFactor: 5 (Local)
LargePhaseOffset: 50000000 (Local)
SpikeWatchPeriod: 900 (Local)
LocalClockDispersion: 10 (Local)
HoldPeriod: 5 (Local)
PhaseCorrectRate: 7 (Local)
UpdateInterval: 100 (Local)

NtpClient (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)
CrossSiteSyncFlags: 2 (Local)
ResolvePeerBackoffMinutes: 15 (Local)
ResolvePeerBackoffMaxTimes: 7 (Local)
CompatibilityFlags: 2147483648 (Local)
EventLogFlags: 1 (Local)
LargeSampleSkew: 3 (Local)
SpecialPollInterval: 3600 (Local)
Type: NT5DS (Local)

NtpServer (Local)
DllName: C:\Windows\system32\w32time.dll (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
AllowNonstandardModeCombinations: 1 (Local)

VMICTimeProvider (Local)
DllName: C:\Windows\System32\vmictimeprovider.dll (Local)
Enabled: 1 (Local)
InputProvider: 1 (Local)

Enabling synchronization of the internal clock with an external source


Enable NTP Server

The NTP server is enabled by default on all domain controllers, but it can also be enabled on member servers.


Setting the list of external sources for synchronization


The 0x8 flag at the end means that synchronization should occur in NTP client mode, at intervals suggested by this server. In order to set your own synchronization interval, you must use the 0x1 flag.

Setting the synchronization interval with an external source

Time in seconds between synchronization source polls, default 900s = 15min. Works only for sources marked with the 0x1 flag.


  • "SpecialPollInterval"=dword:00000384

Setting the maximum positive and negative correction

The maximum positive and negative time correction (difference between the internal clock and the synchronization source) in seconds, above which synchronization does not occur. I recommend the value 0xFFFFFFFF, at which the correction can always be made.


"MaxPosPhaseCorrection"=dword:FFFFFFFF
"MaxNegPhaseCorrection"=dword:FFFFFFFF

Everything you need in one line

w32tm.exe /config /manualpeerlist:"time.nist.gov,0x8 ntp1.imvp.ru,0x8 ntp2.imvp.ru,0x8 time.windows.com,0x8 pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
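To see what a given configuration actually does with the peer flags discussed above (0x1 SpecialInterval versus 0x8 Client, and the space-separated peer syntax from the earlier note), here is an added Python example, not part of the original article: it parses the output of w32tm /query /configuration and decodes the NtpServer list. The sample output is constructed, modelled on the listing above with an NtpServer line added (the page's listing omits it); the flag names 0x2 UseAsFallbackOnly and 0x4 SymmetricActive and the log2-seconds meaning of MinPollInterval/MaxPollInterval are taken from Microsoft's W32Time documentation, not from this page.

```python
"""Read 'w32tm /query /configuration' output and decode the NtpServer peer list."""
import re

# NtpServer flag bits (assumption: from Microsoft's W32Time reference).
PEER_FLAGS = {0x1: "SpecialInterval", 0x2: "UseAsFallbackOnly",
              0x4: "SymmetricActive", 0x8: "Client"}


def parse_config(text):
    """Return {section: {key: value}}; keys keep their value without '(Local)'."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        header = (re.fullmatch(r"\[(\w+)\]", line)
                  or re.fullmatch(r"(\w+) \((?:Local|Policy)\)", line))
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        kv = re.fullmatch(r"(\w+): (.*?) \((?:Local|Policy)\)", line)
        if kv and current is not None:
            current[kv.group(1)] = kv.group(2)
    return sections


def parse_peer_list(value):
    """Split 'host,0xN host,0xN' (space-separated) into (host, flag names) pairs."""
    peers = []
    for entry in value.split():
        host, _, flag = entry.partition(",")
        if "," in flag:      # 'a,0x1,b,0x1': commas used as the list separator
            raise ValueError(f"{entry!r}: separate peers with spaces, not commas")
        bits = int(flag, 16) if flag else 0
        if bits & ~0xF:
            raise ValueError(f"{entry!r}: unknown flag bits 0x{bits & ~0xF:x}")
        peers.append((host, [n for b, n in PEER_FLAGS.items() if bits & b]))
    return peers


def effective_sources(config):
    """Describe where this host gets time from and how often each peer is polled."""
    client = config.get("NtpClient", {})
    conf = config.get("Configuration", {})
    if client.get("Type") == "NT5DS":
        # Domain hierarchy: NtpServer is ignored. On the PDC emulator this is
        # the 'synchronizes with itself' case the article warns about.
        return {"mode": "NT5DS", "peers": []}
    special = int(client.get("SpecialPollInterval", 3600))
    lo = 2 ** int(conf.get("MinPollInterval", 6))      # log2 seconds
    hi = 2 ** int(conf.get("MaxPollInterval", 10))
    peers = []
    for host, flags in parse_peer_list(client.get("NtpServer", "")):
        poll = f"every {special}s" if "SpecialInterval" in flags else f"server-driven, {lo}-{hi}s"
        peers.append({"host": host, "flags": flags, "poll": poll})
    return {"mode": client.get("Type", "?"), "peers": peers}


# Constructed sample modelled on the page's listing, with an NtpServer line added.
SAMPLE = """\
[Configuration]

EventLogFlags: 2 (Local)
AnnounceFlags: 10 (Local)
MinPollInterval: 6 (Local)
MaxPollInterval: 10 (Local)

[TimeProviders]

NtpClient (Local)
Enabled: 1 (Local)
SpecialPollInterval: 3600 (Local)
Type: NTP (Local)
NtpServer: 0.ru.pool.ntp.org,0x1 1.ru.pool.ntp.org,0x1 time.windows.com,0x8 (Local)

NtpServer (Local)
Enabled: 1 (Local)
InputProvider: 0 (Local)
"""

if __name__ == "__main__":
    print(effective_sources(parse_config(SAMPLE)))
```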

Useful Commands

  • Apply changes made to the time service configuration
    w32tm /config /update
  • Force sync from source
    w32tm /resync /rediscover
  • Display the synchronization status of domain controllers in a domain
    w32tm /monitor
  • Display of current synchronization sources and their status
    w32tm /query /peers

Configuring NTP Server and Client by Group Policy

Since we have an Active Directory domain, it's stupid not to use group policies to mass configure servers and workstations, I'll show you how to configure your NTP server in windows and a client. Open the Group Policy Editor snap-in. Before setting up our NTP server on Windows, we need to create a WMI filter that will apply the policy only to the PDC master server.

Enter the query name; the namespace will be "root\CIMv2" and the query "Select * from Win32_ComputerSystem where DomainRole = 5". Save it.

You then create a policy on the Domain Controllers container.

At the very bottom of the policy, apply your created WMI filter.

Go to the branch: Computer Configuration > Policies > Administrative Templates > System > Windows Time Service > Time Providers.

Here we open the "Configure Windows NTP Client" policy and set the parameters:

  • NtpServer: 0.ru.pool.ntp.org,0x1 1.ru.pool.ntp.org,0x1 2.ru.pool.ntp.org,0x1 3.ru.pool.ntp.org,0x1
  • Type: NTP
  • CrossSiteSyncFlags: 2. A value of 2 (All) means any sync member can be used. This value is ignored unless NT5DS is set. Default value: 2 (decimal), 0x02 (hexadecimal).
  • ResolvePeerBackoffMinutes: 15. This value, in minutes, determines how long the W32time service waits before retrying a DNS name resolution that failed. Default value: 15 minutes.
  • ResolvePeerBackoffMaxTimes: 7. This value determines the number of DNS name resolution attempts the W32time service makes before restarting the discovery process. Each time DNS name resolution fails, the wait before the next attempt is doubled. Default value: seven attempts.
  • SpecialPollInterval: 3600. This NTP client setting, in seconds, determines how often a manually configured time source that uses a special polling interval is polled. If the SpecialInterval flag is set for the NtpServer entry, the client uses SpecialPollInterval instead of MinPollInterval and MaxPollInterval to determine how often the time source is polled. Default value: 3600 seconds (1 hour).
  • EventLogFlags: 0

We make a separate group policy for client working machines, here with such parameters.

  • NtpServer: The address of your domain controller with the PDC role.
  • Type: NT5DS
  • CrossSiteSyncFlags: 2
  • ResolvePeerBackoffMinutes: 15
  • ResolvePeerBackoffMaxTimes: 7
  • SpecialPollInterval: 3600
  • EventLogFlags: 0