Recently we found that the time on the company's servers was inaccurate and could not be synchronized with external time sources. The company runs a domain environment, so client PCs should automatically synchronize with the domain controller (AD), but the PCs' clocks never synchronized: they ran slow or fast, or disagreed with the domain controller's time. Other servers that had not joined the domain were also supposed to synchronize with the AD's time, but various problems always prevented it. After a round of searching on Baidu and Google, the problem was finally solved. The solution process is recorded here.
Introduction to the environment:
Domain controller (AD): acts as the time server, providing a time source to PCs and other servers whether or not they have joined the domain. It is also a client of an Internet time server, from which it synchronizes its own time automatically.
1. Configure the AD as an NtpClient to synchronize time from an Internet time server
By default, the domain controller's time settings have no Internet time tab, because the domain controller uses its own clock by default and provides time to the PCs and member servers that join the domain. In other words, domain member machines treat the domain controller as their time source and synchronize with it automatically.
Here you need to modify the registry.
Open the registry and navigate to: HKEY_ LOCAL_
Set the Enabled value to decimal 1, which means the NTP client is enabled.
Set the SpecialPollInterval value to 900; this is the interval, in seconds, between synchronizations with the server.
Then, under the Config subkey, change the AnnounceFlags value to decimal 5.
When AnnounceFlags is set to 5, the external time source is used for synchronization; 10 means the local BIOS time is used.
Go to the Parameters subkey, set NtpServer to the domain name or IP address of the external time source, and set Type to NTP.
The time server used here is one of Alibaba Cloud's, found by searching the Internet, and testing shows it is available. Alibaba provides 7 time source servers, which are:
NtpServer can hold multiple values, separated by spaces.
This completes the NTP client configuration.
Open a command prompt (run as administrator), restart the w32time service, and set it to start automatically.
Displays the external time source specified by the current server
w32tm /query /status shows the time source's domain name or IP address and the time of the last successful synchronization.
Displays the time difference between the local time and the target time
w32tm /stripchart /computer:time7.aliyun.com /samples:30 /dataonly
The difference between the machine's current time and the time source is very small, so the clock is basically accurate.
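To turn the stripchart check above into a repeatable pass/fail result, here is an added example (not part of the original article) that parses w32tm /stripchart /dataonly output, reports samples whose offset exceeds a limit, and collects failed samples. The sample output is constructed, and the function names and the 1-second default limit are assumptions.

```python
import re

# Constructed sample of `w32tm /stripchart /computer:time7.aliyun.com /samples:5 /dataonly`
# output (the IP address, timestamps and offsets are made up for illustration).
SAMPLE_OUTPUT = """\
Tracking time7.aliyun.com [203.0.113.10:123].
Collecting 5 samples.
The current time is 1/5/2021 10:00:00 AM.
10:00:00, +00.0123456s
10:00:02, -00.0023456s
10:00:04, error: 0x800705B4
10:00:06, +00.0100000s
10:00:08, +02.5000000s
"""

# A data line is "HH:MM:SS, <signed seconds>s" or "HH:MM:SS, error: 0x<HRESULT>".
LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2}),\s+"
    r"(?:(?P<offset>[+-]\d+\.\d+)s|error:\s*(?P<error>0x[0-9A-Fa-f]+))\s*$"
)

def parse_stripchart(text):
    """Return (samples, errors): [(time, offset_seconds)], [(time, hresult)]."""
    samples, errors = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header lines such as "Tracking ..." are skipped
        if m.group("error"):
            errors.append((m.group("time"), m.group("error")))
        else:
            samples.append((m.group("time"), float(m.group("offset"))))
    return samples, errors

def check_drift(text, max_offset=1.0):
    """Summarise drift; max_offset (seconds) is an assumed alert threshold."""
    samples, errors = parse_stripchart(text)
    offsets = [o for _, o in samples]
    over = [(t, o) for t, o in samples if abs(o) > max_offset]
    return {
        "samples": len(samples),
        "errors": errors,  # samples where the time source did not answer
        "worst_offset": max(offsets, key=abs) if offsets else None,
        "over_limit": over,
        "ok": bool(samples) and not over and not errors,
    }

if __name__ == "__main__":
    print(check_drift(SAMPLE_OUTPUT))
```

On a real machine, feed the function the captured output of the w32tm command shown above instead of SAMPLE_OUTPUT.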
2. Configure the AD or any machine as an NtpServer to provide a time source
Open the registry and navigate to: HKEY_ LOCAL_
Set the Enabled value to decimal 1, which means the NTP server is enabled.
3. Use domain policy to provide a time source for PCs
Open the domain policy manager, create a new GPO and edit it, navigate to Computer Configuration > Administrative Templates > System > Windows Time Service, double-click Global Configuration Settings and select Enabled.
Modify the value of MaxNegPhaseCorrection to 900 (i.e. 900 seconds, 15 minutes)
Modify the value of MaxPosPhaseCorrection to 900 (i.e. 900 seconds, 15 minutes)
Modify the value of AnnounceFlags to 5
Click “apply” and “OK”.
Under Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers, open Enable Windows NTP Client and select Enabled.
Open Configure Windows NTP Client and select Enabled.
Modify the value of NtpServer to the NTP server's IP address or domain name, followed by ,0x6
Change the value of Type to NTP
Change the value of SpecialPollInterval to 900 (15 minutes)
4. Time synchronization configuration of PCs and other servers not joined to the domain
5. Common problems
With manual synchronization, synchronization errors may occur frequently.
The cause may be that the w32time service is not started. It is best to set the service to start automatically, and to restart it if necessary.
If overseas time sources suffer from network delay, try a domestic source.
Another important cause is that improperly applied group policy can also lead to synchronization problems.
This is what happened to me. At first, I applied the time synchronization policy to the entire directory forest, including the domain controller and member servers. As a result, not only was the domain controller's time inaccurate, but the time delivered to PCs and other machines was inaccurate as well, and manual synchronization produced errors.
The solution is:
Apply the policy to an OU that does not contain the domain controller.