Re: w32time question
From: Jeff Qiu [MSFT] (jefffqiu_at_online.microsoft.com)
Date: 04/02/04
Date: Fri, 02 Apr 2004 12:27:51 GMT
Hi JDTHREE,
Thank you for your update.
Windows includes the W32Time Time service tool that is required by the
Kerberos authentication protocol. The purpose of the Time service is to
ensure that all computers that are running Windows 2000 or later in an
organization use a common time. The Time service uses a hierarchical
relationship that controls authority and does not permit loops to ensure
appropriate common time usage.
Windows-based computers use the following hierarchy by default:
- All client desktop computers nominate the authenticating domain
controller as their in-bound time partner.
- All member servers follow the same process as client desktop computers.
- Domain controllers may nominate the primary domain controller (PDC)
operations master as their in-bound time partner but may use a parent
domain controller based on stratum numbering.
- All PDC operations masters follow the hierarchy of domains in the
selection of their in-bound time partner.
Following this hierarchy, the PDC operations master at the root of the
forest becomes authoritative for the organization, and you should configure
the PDC operations master to gather the time from an external source.
Please refer to the following Knowledge Base articles to configure W32Time
service:
216734 How to Configure an Authoritative Time Server in Windows 2000
http://support.microsoft.com/?id=216734
305135 The Windows 2000 and Windows Server 2003 Time Service Does Not Work
Through a Proxy with Access Control Enabled
http://support.microsoft.com/?id=305135
262680 A List of the Simple Network Time Protocol Time Servers That Are
Available on the Internet
http://support.microsoft.com/?id=262680
I suggest we may query the current time server settings on the second and
third DC for a try:
net time /querysntp
Does it list the correct machine as its time source?
At the same time, as long as the time is correctly synchronized, the third
party time service is the same as the built-in time service.
Hope this helps!
Please feel free to let me know if you have any further concerns or
questions regarding the issue.
Have a nice day!
Best Regards,
Jeff Qiu
Microsoft Online Partner Support
MCSE 2000, MCDBA, MCSA
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
--------------------
>From: "JDTHREE [MVP]" <john@removeforspam.engagenet.com>
>Subject: Re: w32time question
>Date: Thu, 01 Apr 2004 07:53:02 -0600
>microsoft.public.windows.server.general
>
>Nope. Still no joy.
>
>First DC gets no errors. It is set to sync to an "external" time
>server - one in my DMZ. The one in my DMZ (windows 2000 server) is
>using a third party utility to update from government sources.
>
>So DC1 is working without errors.
>
>Second DC, however, gets the w32time errors still, as does the 2003
>member server running exchange.
>
>On both servers where it fails, it's the same thing. Event ID 47,
>telling me there's no valid response from the server they're trying to
>get time updates from. Then it's followed by an Event ID 29, about
>NTPClient has no source of accurate time.
>
>The second DC is pointing to the first DC, and the 2003 member server
>running exchange was pointed to the second DC via the instructions
>given below. There are no errors on the first DC to indicate that it
>is no longer "serving time".
>
>So it's still doing the same thing.
>
>Back to the original question - is there any reason that AD *requires*
>the use of the w32time service, or can I simply disable it and use a
>more functional third party time utility for the domain controllers?
>
>Thanks again
>
>John
>
>
>
>On Thu, 01 Apr 2004 06:24:49 -0600, "JDTHREE [MVP]"
><john@removeforspam.engagenet.com> wrote:
>
>>Thanks for the info! I ran this procedure on the three servers in
>>question, so we'll see if that clears everything up. The changes went
>>without error, so here's me crossing my fingers. :)
>>
>>Thanks
>>
>>John
>>
>>
>>On Thu, 01 Apr 2004 09:58:52 GMT, jefffqiu@online.microsoft.com ("Jeff
>>Qiu [MSFT]") wrote:
>>
>>>Hi JDTHREE,
>>>
>>>Thanks for posting!
>>>
>>>My name is Jeff and I understand your issue to be:
>>>Your W32time system doesn't work after upgraded to Windows Server 2003
>>>AD.
>>>
>>>If I have misunderstood your issue please let me know.
>>>
>>>Based on my research, I suggest we may rebuild the Windows Time Service
>>>by the articles below:
>>>
>>>Using Windows Server 2003 in a Managed Environment
>>>Windows Time Service
>>>http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03mngd/26_s3wts.mspx
>>>
>>>Here, I would like to include some main part of how-tos:
>>>
>>>How to Configure the Windows Time Service with an external Time Source
>>>----------------------------------------------------------------------
>>>
>>>This scenario is the recommended scenario and should be used with
>>>precedence. Microsoft recommends that you configure the PDC Emulator for
>>>the Forest Root Domain with multiple Stratum 1 NTP Servers to ensure
>>>reliable Time synchronisations. To synchronize an internal time server
>>>perform the following steps:
>>>
>>>1. Open a command prompt. Start, Run, cmd.exe
>>>
>>>2. Type the following, where PeerList is a comma-separated list of
>>> Domain Name System (DNS) names or Internet protocol (IP) addresses of
>>> the desired time sources:
>>> w32tm /config /syncfromflags:manual /manualpeerlist:PeerList
>>>
>>>3. Type: w32tm /config /update
>>>
>>>In a scenario with one or more Child Domains you should also consider
>>>synchronizing the PDC emulator of each Child Domain with an external
>>>Stratum 1 NTP Server. This setup will allow more accurate time
>>>synchronization than the default Domain Hierarchy Synchronization. In
>>>most scenarios however the default Domain Hierarchy Synchronization is
>>>absolutely sufficient and provides accurate time synchronization.
>>>
>>>Troubleshooting
>>>---------------
>>>
>>>The Windows Time Service relies on correct functioning Networking
>>>Infrastructure. The most common problems are:
>>>
>>>- TCP/IP connectivity Problems, e.g. Dead Gateway
>>>
>>>- Name Resolution is not working properly
>>>
>>>- High Network Delays, e.g. Synchronizing over high Latency WAN Links
>>>
>>>- Synchronizing from inaccurate Time Sources
>>>
>>>For Troubleshooting Network related Issues Microsoft recommends to use
>>>netdiag.exe supplied with the Windows 2003 Support Tools. Please refer
>>>to the Tools Help for a complete List of possible command Line
>>>parameters of netdiag.exe. If all the above mentioned problems are
>>>ruled out, you can
>>>enable the Windows Time Service Debug Log. Please refer to
>>>KBLink:816043.KB.EN-US: for detailed Steps how to enable the Debug
>>>Logging.
>>>
>>>Hope this helps.
>>>
>>>Please feel free to let me know if you have any further concerns or
>>>questions regarding the issue.
>>>
>>>Have a nice day.
>>>
>>>Best Regards,
>>>
>>>Jeff Qiu
>>>Microsoft Online Partner Support
>>>MCSE 2000, MCDBA, MCSA
>>>Get Secure! - www.microsoft.com/security
>>>This posting is provided "as is" with no warranties and confers no
>>>rights.
>>>
>>>--------------------
>>>>From: "JDTHREE [MVP]" <john@removeforspam.engagenet.com>
>>>>Subject: w32time question
>>>>Date: Wed, 31 Mar 2004 07:55:44 -0600
>>>>microsoft.public.windows.server.general
>>>>
>>>>After migrating my exchange from 5.5 to 2003, and upgrading my 2000 AD
>>>>to 2003, I'm having w32time issues.
>>>>
>>>>I've called PSS to get the patch for Windows 2003 server to alleviate
>>>>the known issue (KB830092) but it hasn't cleared it out for me on one
>>>>DC and on my standalone 2003 exchange server.
>>>>
>>>>DCDIAGS run without any errors, as does NETDIAG.
>>>>
>>>>I have no errors for *anything*, not even warnings, in the event logs
>>>>on any of the servers other than the w32time.
>>>>
>>>>I'm contemplating simply stopping the w32time service on the 2003
>>>>servers, and installing a third party time sync util that will allow
>>>>them to sync and to reply to queries from domain members.
>>>>
>>>>Just wanted to doublecheck that I'm not unaware of some requirement
>>>>for the domain members to sync via w32time as opposed to any other
>>>>time server software. Replacing the native time server with a third
>>>>party won't hork up anything in AD or for the clients, will it? I.E.
>>>>the AD client computers aren't looking for w32time specifically,
>>>>they're simply querying the DC's to sync time, right? So any time
>>>>program would work as long as it can respond to the query?
>>>>
>>>>Thanks for any information
>>>>
>>>>John
>>>>
>>>>
>>>
>
>
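An added example, not part of the original thread or any Microsoft tooling: a small Python check of whether a time source's SNTP reply is one a client could accept, which is the question behind both "no valid response" on the failing servers and whether a third-party time server can stand in for the built-in one. The checks are the common SNTP client sanity checks, not W32Time's internal logic; all function names and the sample packets are constructed for illustration.

```python
import socket, struct, time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)

def parse_reply(data):
    """Decode the SNTP header fields a client has to inspect."""
    if len(data) < 48:
        raise ValueError("short packet: %d bytes" % len(data))
    originate, = struct.unpack("!Q", data[24:32])
    transmit, = struct.unpack("!Q", data[40:48])
    return {"leap": data[0] >> 6, "mode": data[0] & 0x7, "stratum": data[1],
            "originate": originate, "transmit": transmit}

def reject_reasons(reply, sent_transmit):
    """Return why a client should discard this reply; empty list means usable."""
    reasons = []
    if reply["mode"] != 4:
        reasons.append("mode is not 4 (server)")
    if reply["leap"] == 3:
        reasons.append("leap indicator 3: server clock not synchronized")
    if not 1 <= reply["stratum"] <= 15:
        reasons.append("stratum %d is not a usable source" % reply["stratum"])
    if reply["transmit"] == 0:
        reasons.append("transmit timestamp is zero")
    if reply["originate"] != sent_transmit:
        reasons.append("originate timestamp does not echo the request")
    return reasons

def build_reply(leap, mode, stratum, originate, transmit):
    """Pack a 48-byte reply for testing (constructed data, not a capture)."""
    return struct.pack("!BBbbIIIQQQQ", (leap << 6) | (3 << 3) | mode, stratum,
                       6, -6, 0, 0, 0, 0, originate, 0, transmit)

def query(host, timeout=3.0):
    """Send one SNTP request to host:123 and validate the answer."""
    sent = (int(time.time()) + NTP_EPOCH_OFFSET) << 32
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(struct.pack("!B39xQ", 0x1B, sent), (host, 123))
        data, _ = s.recvfrom(512)
    return reject_reasons(parse_reply(data), sent)

# Constructed samples: one healthy reply, one from a server that answers
# but has no time source itself, one that does not match our request.
SENT = 3289897671 << 32
HEALTHY = build_reply(0, 4, 2, SENT, (3289897671 << 32) | 0x80000000)
UNSYNCED = build_reply(3, 4, 0, SENT, (3289897671 << 32) | 0x80000000)
MISMATCH = build_reply(0, 4, 2, SENT + 1, (3289897671 << 32) | 0x80000000)
```

Calling `query()` with the name of the upstream server from the machine that logs the errors shows whether that server answers at all and, if it does, whether it advertises itself as synchronized.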