August 5, 2013

NTP: How To Sync Time Between Servers, Workstations (Windows, Ubuntu)

Who Needs Roads? - OUTATIME - photo by Peter Taylor

It’s important for all workstations and servers to agree what time it is. There’s a long list of reasons for this, including log file synchronization, and avoiding the inevitable end-user complaints when their computer’s time does not match their phone’s time. Unfortunately, when I recently set up a LAN with a number of Windows Server 2008 R2 and Ubuntu Server 12.04 VMs, I found that all the servers had their own ideas about what time it was. Making matters worse, the Windows XP Pro and Windows 7 Pro workstations were periodically logging events complaining about not being able to contact a time server, and so they too were all drifting through time like lost sailboats.

The error that is logged on a Windows machine (System log) when it can’t sync to the NTP server is:

Event ID 129, Source: Time-Service
Warning: NtpClient was unable to set a domain peer to use as a time source because of a discovery error. NtpClient will try again in minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)

When I initially noticed this, I was neck-deep in 1000 high-priority issues related to getting the servers up and running smoothly, so I gave up after a short period of troubleshooting, setting it aside for later. Well that time finally came. And the good news for you? I’m not going to run through the long list of things I tried (from various Google searches) that didn’t work. Instead, I’ll list what did ultimately work. And just to clarify, all of these servers are pretty stock/minimal set ups – nothing exotic is going on – I only configured/installed/tweaked what had to be done to get the function accomplished that I was looking for. So if this worked for me, it should work for you, assuming you too have a relatively run-of-the-mill installation. But, of course, YMMV. 😉

I have a file server acting as my PDC & Primary DNS, which I decided to make my NTP server (i.e., the server in charge of telling everybody else what time it is). All the other Windows & Ubuntu servers get their time from this server, as do the workstations. To my surprise, every single server had to be configured in some way to get this all working smoothly – NONE of them just automatically did what one might assume they’d do (i.e., PDC acts as NTP server, member/secondary servers look to the PDC for the time, etc.). The configuration is below:

First, make sure all machines have UDP port 123 open. This is the port used by NTP to sync time, and this actually was open on all the machines I checked, so thankfully, no modifications were necessary for me there.

(Bonus tip: Normally you can test to see if you’re communicating on an open port by Telneting to it, but since this is on a UDP port, this trick doesn’t work. Telnet only works via TCP – this is something that I figured out only after banging my head against the wall, for longer than I care to admit, trying to figure out why this port wasn’t responding!)
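
Because Telnet cannot exercise a UDP port, one way to confirm that a machine really answers on UDP 123 is to send it an actual NTP client request and read the reply. The Python script below is an added example, not part of the original post; its function names are illustrative, and 10.0.1.2 is the example internal server address used later on this page. It also reports whether the server itself claims to be synchronized, since a server can answer while still having no valid time source.

```python
import socket
import struct
import sys
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix)

def build_request(version=3):
    """48-byte client request: LI=0, VN=version, Mode=3 (client), rest zero."""
    return bytes([(version << 3) | 3]) + bytes(47)

def _ts(data, offset):
    """Decode the 64-bit NTP timestamp at `offset` into Unix seconds."""
    secs, frac = struct.unpack_from("!II", data, offset)
    return secs - NTP_EPOCH_DELTA + frac / 2**32

def parse_reply(data, t1, t4):
    """Parse a server reply; t1 and t4 are the local send and receive times."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    leap, mode, stratum = data[0] >> 6, data[0] & 0x7, data[1]
    if mode != 4:
        raise ValueError("not a server-mode reply")
    t2, t3 = _ts(data, 32), _ts(data, 40)  # server receive / transmit times
    return {
        "stratum": stratum,
        # LI=3 or a stratum outside 1..15: the server answers but has no valid time
        "synchronized": leap != 3 and 1 <= stratum <= 15,
        "offset": ((t2 - t1) + (t3 - t4)) / 2,  # > 0: local clock is behind server
        "delay": (t4 - t1) - (t3 - t2),         # round trip minus server processing
    }

def probe(host, port=123, timeout=3.0):
    """Send one request over UDP; return the parsed reply, or None if none arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        try:
            s.sendto(build_request(), (host, port))
            data, _ = s.recvfrom(512)
        except OSError:  # timeout, ICMP port unreachable, name lookup failure
            return None
        return parse_reply(data, t1, time.time())

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "10.0.1.2"  # example address from this page
    print(host, probe(host) or "no reply on UDP 123 (blocked, or time service not answering)")
```
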

To get the PDC to advertise itself as a good time source, enter this command at the administrator-level command prompt:

w32tm /config /manualpeerlist:0.us.pool.ntp.org,0x1 /syncfromflags:manual /reliable:yes /update

Then restart the Windows Time service and type this to confirm it worked:

w32tm /query /status

Or check the event log (note – it can take a few seconds to take effect).

The first command above is telling the Windows Time service to acquire time from a list of internet servers specified in “manualpeerlist.” In this example I’m using my local time server for someone living in the Northeast, USA. (Go to http://ntp.org for more info on finding the best server in your area.) I could’ve specified additional servers by separating them with spaces, so it could’ve been “0.us.pool.ntp.org,0x1 1.us.pool.ntp.org,0x1 2.us.pool.ntp.org,0x1” etc.

The “,0x1” is an important part that I missed in my initial troubleshooting. If I remember correctly, it basically tells the server that it’s in charge and should take what this server says as trustworthy. If you really want the technical explanation, you can do a “w32tm /?” at the prompt or some Google searches. 😉 The other switch that I missed in my initial failed attempts to get this working was “/reliable:yes” – again, this basically tells the server that it’s in charge and is considered a reliable time source.

You then need the “/syncfromflags:manual” switch to tell it to sync from the servers you listed in the manualpeerlist switch. Seems redundant to me, but whatever – that’s Windows for you. Without that switch, I couldn’t get it working.

In addition, you should verify that this registry key is set to “NTP” (it usually is):

HKLM\SYSTEM\CurrentControlSet\services\W32Time\Parameters\Type

(NOTE: if your Windows server is running as a VM in VMware, then you’ll also want to go into the VMware tools icon running in your server’s systray and verify that the box is unchecked that tells the VM to sync with VMware’s clock. For me this was already unchecked by default, but VMware advises you do this if you’re having sync problems between machines, so better safe than sorry!)

If you do the things listed above, you’ll have configured a server to be the master time keeper in your organization. Now, we need to tell the other machines about it! The good news is, your workstations should catch on to this change automatically within an hour or so of the master server coming online, so there’s nothing to do there. You’ll see their time change SLOWLY though, because if a machine’s time is like 20 minutes off, it could potentially cause problems to jump that far in a single moment, so instead Windows will incrementally shave seconds off every few seconds, bringing the time into sync, over a few minutes. You can actually watch it do this if you double-click on the clock in the systray and watch the second-hand magically skip ahead faster than normal.

To get other servers to act as clients and look to the PDC for their time, first change this key to say: NT5DS

HKLM\SYSTEM\CurrentControlSet\services\W32Time\Parameters\Type

Then type this at an elevated command prompt:

w32tm /config /manualpeerlist:10.0.1.2,0x8 /syncfromflags:MANUAL /update

Then restart the Windows Time service and type this to confirm it worked:

w32tm /query /status

Or check the event log (note – it can take a few seconds to take effect). To force it to resync right now, instead of taking the time it usually takes, type:

w32tm /resync

Again, the manualpeerlist is key here. Replace “10.0.1.2” above with the address of your main NTP server that you configured earlier. You can also use the FQDN if you don’t feel like using an IP address. The “,0x8” part tells it to essentially be a client machine, and get its info from the NTP server.

Ok, so now you’ve got all of your Windows servers and workstations configured, but what if you want to get your Ubuntu servers to sync to that Windows NTP server we configured above too? No problem!

Type “date” on the command line to see the current time & date. It’s probably pretty far off.

Test communication with an NTP server by typing:

sudo ntpdate 10.0.1.2

(you could also replace “10.0.1.2” with “ntp.ubuntu.com” or “0.us.pool.ntp.org”, etc. if you want to sync externally instead of using your internal NTP server.)

Once you decide which NTP server to use, tell Ubuntu to update its time against that server daily by typing:

sudo vi /etc/cron.daily/ntpdate

And insert (press the “i” key) these two lines:

#!/bin/sh
ntpdate 10.0.1.2

And save it (by typing “:wq”)

Now make it executable:

sudo chmod 755 /etc/cron.daily/ntpdate

That’s it! Now everyone agrees what time it is! Now if only we could get the office phones to stay in sync too…
