Monthly Archives: October 2011

How to configure an “Authoritative Time Server” in an AD domain.

If you want to ensure that the clocks on your machines are more accurate in terms of absolute (and not just relative) time, you need to sync the PDC Emulator role owner DC in your forest root domain to one of the reliable time servers available on the Internet. This is a good idea if your company is a large enterprise with sites spanning several countries, or if your organization has two or more forests linked by forest trusts.

Verify the name of the PDC role holder DC by running the command “netdom query fsmo”.

IMPORTANT UPDATE:
If the PDC role owner is a Hyper-V guest, it is recommended to partially disable the Hyper-V time synchronization provider on the PDC role owner DC only.

To partially disable the Hyper-V time synchronization provider, leave Time synchronization enabled under Integration Services and run the following command from an elevated command prompt on the guest domain controller:
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0

CONFIGURATION SECTION:
Run the following commands on the PDC role holder DC in the forest root domain:
W32tm /config /manualpeerlist:time.windows.com,0x1 /syncfromflags:manual /reliable:yes /update

net stop w32time & net start w32time & W32tm /resync /rediscover

Run the following commands on a former PDC and/or on any non-PDC role holder DC:
w32tm /config /syncfromflags:domhier /update

net stop w32time & net start w32time & W32tm /resync /rediscover

You can use any of the reliable external time servers listed at the link below: http://support.microsoft.com/kb/262680

Commonly used external time servers: “time.windows.com,0x1”, “pool.ntp.org,0x1”, etc.

It may take an hour or so for the PDC Emulator to fully synchronize with the external time server because of the nature of the polling method W32Time uses. Depending on the latency of your Internet connection, the accuracy of the CMOS clock on your forest root PDC Emulator may be within a second or two of UTC. If you need more accurate time however, you can purchase a hardware time source like an atomic clock and connect it to your PDC emulator.

Alternatively, if you don’t want to wait for time convergence to occur between your stratum 2 time server (your forest root PDC Emulator) and the external stratum 1 time server, you can run the following command on your PDC Emulator:  w32tm /resync /rediscover

Quick note and parameter explanation:
On domain controllers (except the PDC) and on domain members, the TYPE entry in the registry should be NT5DS: http://support.microsoft.com/kb/223184

Both the server and the client communicate using the SNTP protocol, which normally uses User Datagram Protocol (UDP) port 123, so make sure that UDP port 123 is open on the firewall.

/manualpeerlist:peers
Sets the manual peer list to <peers>, a space-delimited list of DNS names or IP addresses of the reliable external time servers.

/syncfromflags:manual
Sets which sources the NTP client should sync from (manual means the peers given in the manual peer list; domhier means the domain hierarchy).

/update
Notifies the time service that the configuration has changed, causing the changes to take effect.
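As an added example (not part of the original post), the following PowerShell script verifies on the host where it runs that the configuration described above took effect: it reads the W32Time registry values the w32tm commands write, checks the PDC/non-PDC expectations, the VMICTimeProvider setting on a Hyper-V PDC, and the clock offset from the PDC. It assumes Windows Server 2008 R2 / Windows 7 or later (w32tm /query needs Vista+) and an elevated PowerShell on a domain-joined machine; no RSAT module is needed.

```powershell
# Added example, not from the original post: verify the W32Time setup described above on
# the host where it runs. Assumes Windows Server 2008 R2 / Windows 7 or later (w32tm /query
# needs Vista+) and an elevated PowerShell on a domain-joined machine; no RSAT module needed.
$w32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# Which host owns the PDC emulator role, and is it this one?
$pdcFqdn = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
$isPdc   = ($pdcFqdn -split '\.')[0] -ieq $env:COMPUTERNAME

$params = Get-ItemProperty "$w32\Parameters"   # Type, NtpServer
$config = Get-ItemProperty "$w32\Config"       # AnnounceFlags
Write-Host "PDC emulator : $pdcFqdn (this host is the PDC: $isPdc)"
Write-Host "Type         : $($params.Type)"
Write-Host "NtpServer    : $($params.NtpServer)"
Write-Host "AnnounceFlags: $($config.AnnounceFlags)"

if ($isPdc) {
    # /syncfromflags:manual stores Type=NTP and the peer list in NtpServer;
    # /reliable:yes sets the 'always reliable' bit (0x4) in AnnounceFlags.
    if ($params.Type -ne 'NTP') { Write-Warning "PDC expected Type=NTP, found '$($params.Type)'" }
    if (-not ($config.AnnounceFlags -band 4)) { Write-Warning 'PDC is not announced as a reliable time source' }
    # The ,0x1 suffix (UseSpecialPollInterval) is what the post's peer list uses; ,0x8 forces client mode.
    if ($params.NtpServer -notmatch ',0x') { Write-Warning "NtpServer '$($params.NtpServer)' has no ,0x flag" }
    # Hyper-V guest: the post disables VMICTimeProvider on the PDC only.
    $vmic = Get-ItemProperty "$w32\TimeProviders\VMICTimeProvider" -ErrorAction SilentlyContinue
    if ($vmic -and $vmic.Enabled -ne 0) { Write-Warning 'VMICTimeProvider is still enabled on the PDC' }
} else {
    # Every other DC and member should follow the domain hierarchy (Type=NT5DS).
    if ($params.Type -ne 'NT5DS') { Write-Warning "Expected Type=NT5DS, found '$($params.Type)'" }
    # Kerberos rejects tickets once clocks differ by more than 5 minutes (default policy), so
    # measure this host's offset from the PDC; /dataonly prints lines of "<time>, <offset>s".
    $line = w32tm /stripchart /computer:$pdcFqdn /samples:1 /dataonly | Select-Object -Last 1
    if ($line -match 'error') {
        Write-Warning "Could not query $pdcFqdn over UDP 123: $line"
    } else {
        $offset = [double](($line -split ',')[-1] -replace '[^0-9.+-]', '')
        if ([math]::Abs($offset) -gt 60) { Write-Warning "Offset from PDC is ${offset}s; Kerberos fails past 300s" }
    }
}

# Live view: the source this host is actually syncing from, its stratum and the last successful sync.
w32tm /query /source
w32tm /query /status
```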

Time Configuration using Group Policy:
The authoritative Windows Time server (the PDC emulator role holder DC) cannot be configured through a GPO, and changing it that way is not recommended. However, you may use Group Policy to make all the domain clients sync time with the authoritative time server in the domain.

You can find the Group Policy settings used to configure W32Time in the Group Policy Object Editor snap-in in the following locations:

Configure Global Configuration Settings at the following path:
Computer Configuration\Administrative Templates\System\Windows Time Service

Configure Windows NTP Client settings at the following path:
Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers

Windows cannot access the file gpt.ini

This error usually indicates that the user or computer does not have the appropriate permissions to access the GPO, or that the GPO has been corrupted or deleted.

Default permissions:
Authenticated Users – Read & Apply Group Policy
Creator Owner – Special permission
Domain Admins – Full Control & Special permission
Enterprise Admins – Full Control & Special permission
Enterprise Domain Controllers – Special permission
System – Full Control except Apply Group Policy

Troubleshooting steps:
1. First of all, check that the SYSVOL and NETLOGON shares are available and that the problematic GPO is present on the server.
2. Run Group Policy Best Practice Analyzer to check errors.
3. Right-click the problematic gpt.ini file and click Permissions.
4. Switch to Security tab and click Edit.
5. Highlight Authenticated Users, clear all the check boxes under Deny and select the following items under Allow:
  Read & execute
  Read
6. Click OK twice, then test whether the issue persists.

For more information, see Event ID 1058 — Group Policy Preprocessing:
http://technet.microsoft.com/en-us/library/cc727259(WS.10).aspx
 
If the issue persists, please run the following command and check the output:
Cacls %systemroot%\SYSVOL\sysvol\DomainName\Policies\{GUID}\gpt.ini

Note: Replace DomainName and GUID with the real DomainName and GUID.
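As an added example (not part of the original post), the following PowerShell script performs the checks from steps 1 and 3-5 and the Cacls command above without clicking through the dialogs: it confirms the SYSVOL and NETLOGON shares on the logon DC, confirms gpt.ini exists, and inspects its ACL for Authenticated Users. $GpoGuid is a placeholder to replace with the GUID from the event text; it assumes a domain logon session (so $env:USERDNSDOMAIN and $env:LOGONSERVER are set) and uses only built-in cmdlets.

```powershell
# Added example, not from the original post: a PowerShell version of the checks in steps 1 and
# 3-5 and of the cacls command above. $GpoGuid is a placeholder: put the GUID from the Event ID
# 1058 message in it (braces included). Assumes a domain logon session on a domain-joined host.
$GpoGuid = '{00000000-0000-0000-0000-000000000000}'   # placeholder, replace with the real GUID
$domain  = $env:USERDNSDOMAIN
$gptIni  = "\\$domain\SYSVOL\$domain\Policies\$GpoGuid\gpt.ini"

# Step 1: the DC that authenticated us must publish the SYSVOL and NETLOGON shares.
$dc     = $env:LOGONSERVER.TrimStart('\')
$shares = Get-WmiObject -Class Win32_Share -ComputerName $dc | ForEach-Object { $_.Name }
foreach ($s in 'SYSVOL', 'NETLOGON') {
    if ($shares -notcontains $s) { Write-Warning "$s share is missing on $dc" }
}

# Step 1 (cont.): the policy folder and its gpt.ini must exist; if not, the GPO was
# deleted or SYSVOL replication to this DC is broken.
if (-not (Test-Path $gptIni)) { Write-Warning "gpt.ini not found at $gptIni"; return }
Get-Content $gptIni   # expect a [General] section with Version= and displayName=

# Steps 3-5: Authenticated Users needs Allow:Read and must not appear in any Deny entry.
$readMask = [int][System.Security.AccessControl.FileSystemRights]::Read
$acl    = Get-Acl $gptIni
$auth   = $acl.Access | Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' }
$denied = $auth | Where-Object { $_.AccessControlType -eq 'Deny' }
$read   = $auth | Where-Object { $_.AccessControlType -eq 'Allow' -and
                                 (([int]$_.FileSystemRights -band $readMask) -eq $readMask) }
if ($denied)    { Write-Warning 'Authenticated Users has a Deny entry on gpt.ini (clear it, step 5)' }
if (-not $read) { Write-Warning 'Authenticated Users lacks Allow:Read on gpt.ini (grant it, step 5)' }

# Full ACL, equivalent to the cacls output, for comparison with the default permissions listed above.
$acl.Access | Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
```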

If it still does not work, follow the troubleshooting suggestions in the following KB article:
Userenv errors occur and events are logged after you apply Group Policy to computers that are running Windows Server 2003, Windows XP, or Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;EN-US;887303