Windows Server 2008 R2 Thread, AD time is 1 hour behind this morning - what will break when I fix it? in Technical
  1. #1

    AngryTechnician

    AD time is 1 hour behind this morning - what will break when I fix it?

    Noticed this morning that the time across my entire network is 1 hour behind. The clock on the FSMO DC has gotten behind somehow, and of course everything syncs with that by design.

    Everything is working normally other than that, and I'm looking into why it has happened now, but my main concern is what could break if I resync the DCs now. I know AD replication relies on the time delta being less than 15 minutes, so I can sync those manually, but will the workstations carry on working while they catch up?

    We have no 802.1x in operation so no worries there.

    Situation so far:
    • The FSMO DC syncs with time.windows.com and is set as the reliable time source for the AD. - CHECKED OK
    • All other servers and workstations sync with the FSMO. - CHECKED OK
    • Time sync between host and guests in Hyper-V is disabled for all DCs as per best practice - CHECKED OK
    • Time zone is set correctly (to "(UTC) Dublin, Edinburgh, Lisbon, London") and daylight savings adjustments checked on the DCs and workstations.
    • I have a couple of errors on the FSMO for Time-Service from yesterday morning at about 3am saying that time.windows.com was unreachable, but no other fault since.
      Time Provider NtpClient: No valid response has been received from manually configured peer time.windows.com after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a new peer with this DNS name. The error was: The peer is unreachable.
    • All DCs and Hyper-V hosts were rebooted to install updates yesterday morning (Monday) at about 3am, as per their scheduled update settings. I have a sneaking suspicion that whatever happened, happened then, but I'm not sure exactly what.
    Last edited by AngryTechnician; 3rd May 2011 at 10:54 AM.

  2. #2

    teejay

    Anything using Kerberos will break if it's more than 5 minutes out, so all your clients will fail authentication until they sync time properly.

  3. Thanks to teejay from:

    AngryTechnician (3rd May 2011)

  4. #3

    AngryTechnician

    Quote, originally posted by teejay:
    > Anything using Kerberos will break if it's more than 5 minutes out, so all your clients will fail authentication until they sync time properly.

    Meaning no new logons, correct?

  5. #4

    teejay

    Meaning anyone logged in trying to access a share or anything will fail as well until the time syncs properly.

  6. #5

    glennda

    Yeah, I would wait until tonight, remote desktop to all your servers, then set it on the PDC and run net time /set on the others, and the clients should update when booted (in theory). There were only 2 clients which didn't here out of 800 when I corrected, although mine was only 4 mins out.

    Toby

  7. Thanks to glennda from:

    AngryTechnician (3rd May 2011)

  8. #6

    AngryTechnician

    OK, so as per my original gut response, I won't be fixing this until this evening. Still can't find any smoking gun to indicate what's caused it though.

  9. #7

    teejay

    Quote, originally posted by glennda:
    > Yeah, I would wait until tonight, remote desktop to all your servers, then set it on the PDC and run net time /set on the others, and the clients should update when booted (in theory). There were only 2 clients which didn't here out of 800 when I corrected, although mine was only 4 mins out.
    >
    > Toby

    Apart from you may lose your VPN connection or remote desktop connections when you change time on the server. Best done on site rather than remotely ;-)

  10. #8
    DrCheese

    Sure it's not just the timezone set incorrectly? I noticed this a few weeks ago when some of our Windows 7 clients were set to "Greenwich Standard Time(Iceland)" instead of "GMT(London)".
    You can change the timezone without Windows getting in a fizz, but if you change it by hand you'll end up with the 5 minute issue.

  11. #9

    AngryTechnician

    Checked the timezone on workstations and the FSMO, both set correctly.

    I will be onsite when I fix this, not taking any chances there.

  12. #10

    Kerberos will break until all the clocks are back in sync. So logons will fail. Other than that, depending on your setup, the users *might* not see anything else, as Windows will fall back to NTLMv2.

    What are your DCs syncing to? Are they in a VM by any chance?

    W2K used to have a setting to control how far a clock could jump at any one time if it was out of sync with its time server. TechNet implies this no longer works, but I could have read that wrong. To be safe I'd perhaps set a script to knock the time forward by 4m30s (my recollection is that Kerberos tickets' default MaxClockSkew is 5 minutes) every hour for 13hrs and then ensure the DCs are syncing to a reasonably reliable external source (e.g. your ISP time server or uk.pool.ntp.org).

    An hour isn't too bad, but DCs that get way out of time are very very bad news. Here's a horror story: Leonid's notes: Wrong Time on a Domain Controller

    As general background reading, this may be useful: How to configure the Windows Time service against a large time offset
    Last edited by psydii; 3rd May 2011 at 11:22 AM.

  13. Thanks to psydii from:

    AngryTechnician (3rd May 2011)

  14. #11

    I noticed that the time on my Joggler (WiFi picture frame that uses NTP Microsoft) was an hour behind this weekend (also had the wrong month for a couple of hours?!)

  15. Thanks to chazzy2501 from:

    AngryTechnician (3rd May 2011)

  16. #12

    Just spotted your update up top. If they've stopped syncing to the external time source for some reason and exist in a VM you're lucky they are only an hour out.

    I'd warn your users not to trust the time, and then gradually bring them back into sync. While you're doing that, investigate what might have caused the sync to fail. I believe that reconfiguring via w32tm and a restart of the time service should bring external syncing back to life for you, but I wouldn't do that until you are sure that your domain and users are within 5 minutes of the correct time, or you have confirmed that the DCs will automatically limit themselves to carefully paced sub-five-minute corrections, so as not to lose or cause errors in Kerberos authentication.

    Or you could wait for the evening, correct the time and reboot everything that's not the authoritative time source for the domain? The flaw in my original suggestion is that, being in VMs, any correction may have drifted by the time the script next runs.

    As for root cause: your servers all restarted around 3am... is it possible that the DC that was trying to contact its external time source couldn't get past the firewall?

    Further thought on root cause: the VM's BIOS initially gets its time from the host, so if NTP has failed, your DC has nowhere to get its time but from the VM BIOS. What are the timezone settings on the VM hosts?
    Last edited by psydii; 3rd May 2011 at 11:34 AM.

  17. #13

    AngryTechnician

    Timezone settings on the VM hosts are correct, and as stated above, the time sync integration service is disabled in Hyper-V for all DCs anyway specifically to stop time creep.

  18. #14

    Some commands that helped me with problems:

    w32tm /query /status - do on client to see where it's getting time from
    w32tm /resync /rediscover - this should point clients to DCs

    Also use /status to see where DCs are getting time from; if CMOS, I advise resetting to an internet time.

  19. Thanks to irsprint84 from:

    AngryTechnician (3rd May 2011)

  20. #15

    AngryTechnician

    OK, the servers and workstations I've checked are getting their time from DCs as they should be. However, the FSMO is returning the following:

    Source: Free-running System Clock

    which is clearly Not Right. So it looks like external time sync has failed on the FSMO. The question is why it then fell back to an incorrect time. This server is a VM, but without the time sync integration, where would the CMOS time come from?

    Also, I will be giving up on time.windows.com from now on as I've found a slew of intermittent failures from there going back months. Planning to use europe.pool.ntp.org unless anyone has anything bad to say about it?
    Last edited by AngryTechnician; 3rd May 2011 at 12:09 PM.
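
An added example, not code from any poster in the thread: a read-only PowerShell check that combines the w32tm source query, the "Free-running System Clock" symptom and the 5-minute Kerberos tolerance discussed above. The reference host, the 300 s and 270 s figures (taken from what posters quoted) and all variable names are assumptions.

```powershell
# Added example: read-only audit of a DC's time source and clock offset.
# Assumptions: elevated PowerShell on the DC; $Reference is the pool the
# thread's author plans to use; 300 s and 270 s are the figures quoted by
# posters in the thread, not values read from domain policy.
$Reference   = 'europe.pool.ntp.org'
$KerberosMax = 300   # seconds ("5 minutes" per the thread)
$StepSize    = 270   # seconds (the 4m30s step suggested in the thread)

# 1. Where is this machine getting its time from?
$source     = (& w32tm /query /source | Out-String).Trim()
$notSyncing = $source -match 'Free-running System Clock|Local CMOS Clock'

# 2. Measure the offset against the reference without touching the clock.
$samples = & w32tm /stripchart "/computer:$Reference" /samples:3 /dataonly
$offsets = @()
foreach ($line in $samples) {
    # Data lines end in a signed offset, e.g. "10:54:01, -3600.1234567s"
    # (constructed sample); error lines have no such field and are skipped.
    if ($line -match ',\s*([+-]?\d+\.\d+)s\s*$') {
        $offsets += [double]$Matches[1]
    }
}
if ($offsets.Count -eq 0) {
    Write-Warning "No NTP reply from $Reference (is outbound UDP 123 allowed?)"
    return
}

# 3. Compare with the Kerberos tolerance and size a stepped correction.
$offset = ($offsets | Measure-Object -Average).Average
$abs    = [math]::Abs($offset)
New-Object PSObject -Property @{
    TimeSource         = $source
    NotSyncing         = $notSyncing
    OffsetSeconds      = [math]::Round($offset, 1)
    BeyondKerberosSkew = ($abs -gt $KerberosMax)
    StepsNeeded        = [int][math]::Ceiling($abs / $StepSize)
} | Format-List
```

Nothing here changes the clock or the time service configuration; it only reports what a correction would have to cover.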
