Detailed explanation of Windows time server configuration method

Recently, I found that the company's server time has been inaccurate and cannot be synchronized with external time sources. The company is a domain environment. Logically, the client PC should automatically synchronize time with the domain controller AD, but the PC time is always out of sync. It is either too slow or too fast, or it is inconsistent with the domain controller time. Other servers are not joined to the domain, but they also want to synchronize time with AD. However, various problems always occur and synchronization cannot be achieved. After searching Baidu and Google, I finally solved the problem. Now I record the solution process.

Environment Introduction:

Domain controller AD: acts as a time server to provide time sources for PCs and other servers that are joined or not joined to the domain. It also acts as a client of the Internet time server and automatically synchronizes time from the Internet time server.

Steps:

1. Configure AD as NTPclient to synchronize time from Internet time server

By default, there is no internet time configuration label in the domain controller's time configuration. This is because the domain controller uses its own time by default and provides time to PCs or member servers that join the domain. In other words, domain member machines will use the domain controller as a time source server and automatically synchronize.

You need to modify the registry here

Open the registry and locate: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient branch. Set the enable value to decimal 1, which means that the ntp client is enabled.

Then set the value of SpecialPollInterval to 900. This value indicates how often to synchronize with the server, in seconds.

Then change the AnnounceFlags value to decimal 5 under the config sub-item

If AnnounceFlags is set to 5, it means that the external time source is used for synchronization, and 10 means that the local BIOS time is used as the basis.

Go to the Parameters branch and change the value of ntpserver to the domain name or IP address of the external time source and the value of Type to ntp.

This is also the Alibaba Cloud time server that I searched online and it is available for testing. Alibaba provides 7 time source servers, namely:

time1.aliyun.com

time2.aliyun.com

time3.aliyun.com

time4.aliyun.com

time5.aliyun.com

time7.aliyun.com

There can be multiple ntpserver values, separated by spaces.

At this point, the ntp client configuration is complete

Open the command line (run as administrator) and restart the w32time service, and set this service to start automatically.

Displays the external time source currently specified by the server

w32tm /query /status can view the time when the time source domain name and IP address were last successfully synchronized.

Display the time difference between local time and target time

w32tm /stripchart /computer:time7.aliyun.com /samples:30 /dataonly

We can see that the current time of the machine is very close to the time of the time source, which means it is basically accurate.

2. Configure AD or any machine as NTP server to provide internal time source

Open the registry and locate: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer branch. Set the enable value to decimal 1, which means that the NTP server is enabled.

3. Use domain policy to provide a time source for the PC

Open the Domain Policy Manager, create a new GPO and edit it. Navigate to Computer Configuration - Administrative Templates - System - Windows Time Service, double-click "Global Time Configuration" and select "Enabled".

Change the value of MaxNegPhaseCorrection to 900 (900 seconds, 15 minutes)

Change the value of MaxPosPhaseCorrection to 900 (900 seconds, 15 minutes)

Change the value of AnnounceFlags to 5

Click "Apply", "OK".

Computer Configuration - Administrative Templates - System - Windows Time Service - Time Provider, "Enable Windows NTP Client", select "Enabled".

In "Configure Windows NTP Client", select "Enabled".

Modify the value of NtpSever to ntpserver ip or domain name, 0x6

Change the Type value to NTP

Change the value of SpecialPollInterval to 900 (15 minutes)

4. Time synchronization configuration between PCs not joined to the domain and other servers

5. Frequently Asked Questions

If you synchronize manually, synchronization errors may occur frequently.

The reason for the error may be that the w32time service is not started. It is best to set this service to start automatically and restart it if necessary.

Foreign time source networks have delays, so try to use domestic sources.

Another important reason is that improper application location when making group policies can also cause synchronization problems.

This is the situation I encountered. At first, I applied the time synchronization policy to the entire directory forest, including domain controllers and member servers. In this way, not only was the domain controller time inaccurate, but it also caused the PC and other times to be inaccurate, and errors would occur during manual synchronization.

The solution is:

Apply the policy to the OU that does not contain the domain controller.

The above is the full content of this article. I hope it will be helpful for everyone’s study. I also hope that everyone will support 123WORDPRESS.COM.