Configure Windows Server 2003 and 2008 w32tm commands on domain controller

This drove me nuts!  Why Microsoft had to take something totally simple in Windows 2000 and make it a complicated thing is NOT beyond me!  This is MS we’re talking about!  Of course it’s not easy with newer versions.

Took me a little bit, but here’s the commands I used on our primary domain controller, and it’s working great. That first w32tm command is all one line.

w32tm /config /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org pool.ntp.org",0x8 /syncfromflags:MANUAL /reliable:yes

w32tm /config /update

net stop w32time

net start w32time

w32tm /resync /rediscover

That should do it. However, always make sure your firewall is open to port 123 outbound!  I initially was receiving this error after running a “w32tm /resync”:

The computer did not resync because no time data was available.

In my case, that was caused by my firewall blocking port 123 for NTP traffic.  Go figure, we’ve been running this particular network for probably 2 years with that firewall blocking port 123, and only now did someone come and ask “why is our computer time off by 6 or  7 minutes?”  This is when you say, “Welcome to the world, can I help you?”  (Good old Beavis)  Well, at least we got our server configured better as a “reliable” time source with the right ntp.org pools.
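
The `,0x8` in the peer list above is a per-peer flag field, and 0x8 asks W32Time to query that peer in NTP client mode. The PowerShell below is an added example, not part of the original post: it decodes the flags of each entry in a peer list so you can see which peers actually carry them. The function name `Get-NtpPeerFlags` and both sample strings are made up for the illustration.

```powershell
# Added example: decode the flag field of each entry in a W32Time manual peer list.
# Bit meanings are the documented flags for the NtpServer / manualpeerlist value.
$FlagBits = @(
    @{ Bit = 0x1; Label = 'SpecialInterval'   },  # poll on the fixed SpecialPollInterval
    @{ Bit = 0x2; Label = 'UseAsFallbackOnly' },  # use only when the other peers fail
    @{ Bit = 0x4; Label = 'SymmetricActive'   },  # NTP symmetric active mode
    @{ Bit = 0x8; Label = 'Client'            }   # query the peer in NTP client mode
)

function Get-NtpPeerFlags {
    param([Parameter(Mandatory = $true)][string]$PeerList)

    foreach ($entry in ($PeerList -split '\s+' | Where-Object { $_ })) {
        # Each entry is "host" or "host,0xFLAGS"
        $peer, $hex = $entry -split ',', 2
        $value = if ($hex) { [Convert]::ToInt32($hex, 16) } else { 0 }
        $labels = @($FlagBits | Where-Object { $value -band $_.Bit } |
                    ForEach-Object { $_.Label })
        $flags = if ($labels.Count) { $labels -join '+' } else { '(none)' }
        New-Object PSObject -Property @{ Peer = $peer; Flags = $flags }
    }
}

# Constructed samples. The first assumes the quotes in the command are simply
# stripped, so the trailing ,0x8 attaches to the last name only.
$asTyped = '0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org pool.ntp.org,0x8'
# The second puts the flag on every peer.
$perPeer = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8 pool.ntp.org,0x8'

Get-NtpPeerFlags $asTyped | Format-Table Peer, Flags -AutoSize
Get-NtpPeerFlags $perPeer | Format-Table Peer, Flags -AutoSize

# On a configured server, decode the live value instead:
# $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
# Get-NtpPeerFlags $p.NtpServer
```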

  • Frank

    Thanks for this article, helped me out.
    I do advise using a ‘w32tm /unregister’ and ‘w32tm /register’ after the ‘net stop w32time’

  • Frank (another one)

    Hi
    First of all thanks a lot to Greg: This is the first site I found after a lot of googling that just told me the w32tm command to make my DC a timeserver!!!

    My DC is Windows Server 2008 SP2 Standard

    My experience with w32tm:
    - do stuff as “the” (domain) Administrator, not just as a normal administrator user!!! (Unlike Unix, these two users do not have identical authorizations!!!)
    - in the command prompt work directly under C:\!!! Not in the Administrator home directory….
    - turn off ALL anti-virus functions, scanners, programs!!
    - Do NOT use the “Net” command. Only use w32tm commands.

    When you get strange error messages while setting up w32time (stuff like “access denied” or the system telling you, a command execution was not possible because service is marked for deletion):
    - use “w32tm /unregister”
    - reboot (removes the marked for deletion service (w32time) definitely and removes any crippled registry entries for w32time)
    - use “w32tm /register” (creates new standard registry entries, installs w32time service. Service not running but in “Automatic” mode)
    - reboot (after reboot service is running. Just starting the service without reboot got me error messages due to some not unique service IDs…. )
    - use the “w32tm /config…” command above. You can add the “/update” in the first line.
    - remember not to use “Net Start” stuff
    - then use “w32tm /resync /rediscover”
    - if you then use “w32tm /stripchart /computer:”your NTP server” /samples:5 /dataonly” you should find out that the local time is max. 0.000something different from the NTP server time. Where the NTP server is the first in the list you set up with “manualpeerlist”.

    Regards,
    Frank

    • http://www.1stbyte.com Greg

      Frank, thanks for the great info! Glad you found my measly little notes useful. I keep these because of the exact reason you mentioned. Sometimes you find all kinds of great info out there, but then it’s tough to get a simple example. (or it’s buried in a ton of docs) Anyway, thanks!

  • Sue

    Thanks guys! This info helped a lot! You have no idea how grateful I am to be able to go back and get some sleep now…

  • http://www.1stbyte.com Greg

    Just thought I’d mention. Today I had a server that wouldn’t take the command listed above with all the pool.ntp.org items. I ended up running this and it all worked: (that should read “north-america” and all on one line)

    w32tm /config /manualpeerlist:north-america.pool.ntp.org,0x8 /syncfromflags:MANUAL /reliable:yes
    
    w32tm /config /update
    
    net stop w32time
    net start w32time
    
    w32tm /resync
    

    And that worked great. It wouldn’t work with all the pool items before, said something like “such and such… is unexpected” and wouldn’t take it.

    I also tried NOT using the net stop and start commands, and wouldn’t work. Had to do the stop and start and only “/resync” on the last command, then worked great!

  • Kane

    Hello. When I run the commands only the time gets updated. Is there any way to have the date also sync? Just like when you click on update for syncing the time and date in the clock properties.

    • http://www.1stbyte.com Greg

      Is your system bios set to the correct date? I’d make sure that is set right first. I don’t know if dates are sync’d with NTP, don’t know enough about that to say for sure. But it seems to me that if your date is wrong, you’d want it set right in the bios anyway, then allow NTP to keep the time.

  • Devin

    Just thought I would add some input……

    Windows Time in Windows 2000 used SNTP. SNTP is one of the most easily exploitable protocols, if not the easiest, that exists.

    NTP was developed to address some of the major/critical security issues that were known at the time Windows Server 2003 came out.

    All Microsoft Windows versions since Windows 2000 include the Windows Time Service, which has the ability to sync the computer clock to an NTP server. However, the version in Windows 2000 only implements Simple NTP, and violates several aspects of the NTP version 3 standard. Beginning with Windows Server 2003, the Microsoft documentation states that Windows Time Service implements the full NTPv3 protocol as specified in RFC 1305.

    Next time think about why something is changed…..there is usually a reason behind it.

  • udi

    thanks guys, this article helped me.
    just wanted to ask – what does the 0x8 mean ?