Windows Server 2016 Active Directory NTP time synchronization

Time:2019-12-8

In a production domain environment, many problems trace back to clocks that are out of sync. Common scenarios include: the local client time and the domain controller time differ, so the machine cannot join the domain; every logon takes a very long time after the password is entered; Skype for Business cannot log in; third-party business calls fail; time is inconsistent across the virtualization environment; clients drop out of the domain; trusts fail; and so on. You will likely have run into these often. With so many failure modes, time synchronization has to be fixed. The tool that comes to mind is w32tm.exe, which diagnoses the time server on Windows. In an enterprise, a time difference between servers can cause major problems. This tool is used to synchronize with the Microsoft time server.

The following scenario:

We found that the time on the primary and secondary domain controllers in the production environment differed significantly:


Resolution:

1. Specify the primary site domain controller as the time source and synchronize:

w32tm /config /manualpeerlist:major.azureyun.local /syncfromflags:manual /reliable:yes /update

/manualpeerlist is the list of external time source servers; multiple entries are separated by spaces
/syncfromflags:manual means to synchronize with the servers in the specified external time source list
/reliable:yes sets this computer to be a reliable time source. This setting is only meaningful for domain controllers
/update notifies the time service that the configuration has changed so that the change takes effect

2. Synchronize the time

w32tm /resync

3. Display the time source the current server is configured to synchronize from

w32tm /query /source

4. Restart the time service

net stop w32time 
net start w32time
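
The four steps above as one PowerShell script, with the offset to the peer measured before and after so the change can be confirmed. This is an added example, not part of the original post; the function names and the 1-second threshold are assumptions, and /reliable:yes is kept from step 1, so run it as written only on the domain controller that is meant to be the time root.

```powershell
#Requires -RunAsAdministrator
# Added example: steps 1-4 from the text plus a before/after offset check.
param(
    [string]$Peer = 'major.azureyun.local',  # time source used on this page
    [double]$MaxSkewSeconds = 1.0            # assumed threshold, tune for your site
)

function Get-OffsetSeconds {
    # w32tm /stripchart /dataonly prints samples such as "10:00:00, +00.0123456s".
    # Failed samples read "error: 0x..." and do not match the pattern.
    param([string[]]$Lines)
    $samples = @(foreach ($line in $Lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
    })
    if ($samples.Count -eq 0) { throw "No offset samples from $Peer (is UDP 123 reachable?)" }
    ($samples | Measure-Object -Average).Average
}

function Measure-Peer {
    # Read-only query: three NTP samples against the peer, no clock change.
    Get-OffsetSeconds (w32tm /stripchart "/computer:$Peer" /samples:3 /dataonly)
}

$before = Measure-Peer

# Step 1: point the time service at the peer.
w32tm /config "/manualpeerlist:$Peer" /syncfromflags:manual /reliable:yes /update
if ($LASTEXITCODE -ne 0) { throw 'w32tm /config failed' }

# Step 4 is moved ahead of steps 2 and 3 here so that the resync and the
# source query below describe the state after the service restart.
Restart-Service w32time
w32tm /resync
if ($LASTEXITCODE -ne 0) { throw 'w32tm /resync failed' }

$source = (w32tm /query /source | Out-String).Trim()
$after  = Measure-Peer

# One summary object: easy to log or to collect from several servers.
[pscustomobject]@{
    Source        = $source
    OffsetBefore  = [math]::Round($before, 4)
    OffsetAfter   = [math]::Round($after, 4)
    SourceMatches = $source -like "$Peer*"
    WithinLimit   = [math]::Abs($after) -le $MaxSkewSeconds
}
```

SourceMatches being false after the resync usually means the service is still using its previous source, so the offset figures then describe the peer but not what the clock is actually following.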

In a domain environment, it is generally only necessary to set an external time source on the root domain controller. Other servers automatically synchronize their time with the primary domain controller after joining the domain. Note: the event ID for domain controller time synchronization issues is 36.


Supplement 1: NTP servers commonly used in China. Most are owned by scientific research and education institutions, and few are published by social organizations. Common time servers are as follows:

cn.pool.ntp.org
0.cn.pool.ntp.org
1.cn.pool.ntp.org
2.cn.pool.ntp.org
3.cn.pool.ntp.org
tw.pool.ntp.org
0.tw.pool.ntp.org
1.tw.pool.ntp.org
2.tw.pool.ntp.org
3.tw.pool.ntp.org

Supplement 2: How to configure the authoritative time server in Windows Server

Supplement 3: Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers

Example: quick synchronization with the Aliyun NTP server:

w32tm /config /manualpeerlist:ntp1.aliyun.com /syncfromflags:manual /update 
w32tm /resync
w32tm /query /source
net stop w32time & net start w32time

Welcome to follow the WeChat public account: Xiao Wen Xi she.