Cisco NTP configuration – Blog by Raihan Al-Beruni

The Time Service tool (W32tm) is a required protocol by the Kerberos authentication in Microsoft Active Directory. Windows time services ensure that entire server and client fleet in an organization that are running the Microsoft operating system use a common and correct time.
To ensure correct time usage, the Windows time service uses a hierarchical control of time services and avoids any loops in time hierarchy. In this hierarchy, the PDC emulator of Active Directory FSMO role is at the root of the forest becomes authoritative for the organization. By default, Windows-based domain joined computers use the following hierarchy:

All client desktop computers and member servers nominate the authenticating domain controller as their in-bound time partner.
All secondary domain controllers and RODCs in a domain nominate the primary domain controller (PDC) as their in-bound time partner.
All PDC emulator follow the hierarchy of domains in the selection of their in-bound time partner.

Microsoft recommends the following:

Configure the authoritative time server to obtain the time from a hardware source. When you configure the authoritative time server to sync with an Internet time source, there is no authentication between PDC and external time source.
Reduce your time correction settings for your servers and stand-alone clients. These recommendations provide more accuracy and security to your domain.

Before you configure NTP Server and Client, you must consider the following for time Services for a virtualized Domain Controller and/or virtual machines.

There must be a unique time provider in your infrastructure. You cannot have domain controller or hyper-v host or ESXi host as time provider. Only domain controller is your time provider and domain controller sync time with hardware time provider or internet time provider.
Never put a virtualized domain controller in a saved state.
Never sync a domain controller time with the virtual host
Uncheck time synchronization in the Integration Services if the DC and virtual servers are virtualized on Hyper-v
Uncheck time synchronization of DC and virtual machines in VMware Tools configuration
Do not restore a snapshot to a production domain controller (PDC)

Step1: Remove Time Synchronisation of Guest with Host

Follow the procedure if the host is Hyper-v Host

1. If the virtual machine is on Hyper-V, Right click the VM, Click Settings, choose Integration Services under Management.

2. On the Integration Service, uncheck Time synchronization.

3. Click OK.

Follow the procedure if the host is ESXi Host

1. If the virtual machine is on VMware ESXi, Right click on VM, Click Edit Settings,

2. Click Option, Click VMware Tools, uncheck Synchronise guest time with host, Click Ok.

Step2: Configure Cisco Switch as NTP Source

global configuration mode	switch# config t
Enable NTP	switch(config)#ntp enable
Show NTP Status	switch(config)# show ntp status
configures the NTP server	switch(config)#ntp server {ip-address \| ipv6-address \| dns-name} [prefer] [use-vrf vrf-name]
configures the NTP peer to communicate over the specified NTP Server	switch(config)#ntp peer {ip-address \| ipv6-address \| dns-name} [prefer] [use-vrf vrf-name]
Displays the configured server and peers.	switch(config)#show ntp peers
Saves the changes	switch(config)# copy running-config startup-config

Follow this example to configure Cisco 6000 series as NTP on High Availability Catalyst 6000 Switch. Cisco NTP guide is available here.

Step3: Configure a Domain Controller as a NTP Server

Follow the procedure to configure NTP server using elevated command line otherwise use step3 to configure NTP server using GPO. My recommended approach is GPO instead of command line. But if you are command line junky then you can use this command line.

Find out whether the server you are configure NTP provider is a PDC emulator. Command to issue in PDC Emulator.

Netdom query fsmo

Run the following commands from an Elevated command prompt to stops the time service

net stop w32time

Completely removes all time settings from the registry – you may have to run this twice, or you may get an access denied. If you get an access denied, just run it again.

w32tm /unregister

Re-creates the Registry Settings

w32tm /register

Starts the service

Net start w32time

Sets the server to sync with the NTP servers on pool.ntp.org. To find out correct time pool in your region visit http://www.pool.ntp.org/en/ and Click your region on the right hand side panel to find out your NTP server in your time zone. Example is an Australian time zone setup.

w32tm /config /syncfromflags:manual /manualpeerlist:”au.pool.ntp.org time.windows.com” /reliable:yes /update

when using hardware time source, use this command

w32tm /config /syncfromflags:manual /manualpeerlist:”IP Address (DNS if available) of Cisco Core Switch” /reliable:yes /update

Updates the configuration

w32tm /config /update

Restarts the service so the new settings take effect.

net stop w32time && net start w32time

Syncs the clock to your new NTP servers. This needs to return “The command completed successfully.”

w32tm /resync /rediscover

Query the time configuration to make sure time is configured as desired

W32TM /query /status

w32tm /query /peers

w32tm /query /configuration

Step4: Configure a NTP Server using Group Policy Object

Open Group Policy Management Console, Right Click Domain Controllers OU, Click New group Policy, Type the Name of the GPO as Time Provider, Click Ok
Right Click Time Provider GPO, Click Edit, Expand to Computer ConfigurationAdministrative TemplatesSystemWindows Time Service
Right On the Configure Global Configuration Settings, Click Edit, Click Enable, Click Ok. Example shown below.

Clock Discipline Parameters
FrequencyCorrectRate	4
HoldPeriod	5
LargePhaseOffset	50000000
MaxAllowedPhaseOffset	300
MaxNegPhaseCorrection	300
MaxPosPhaseCorrection	300
PhaseCorrectRate	1
PollAdjustFactor	5
SpikeWatchPeriod	900
UpdateInterval	30000
General Parameters
AnnounceFlags	5
EventLogFlags	2
LocalClockDispersion	10
MaxPollInterval	10
MinPollInterval	6
ChainEntryTimeout
ChainMaxEntries
ChainMaxHostEntries
ChainDisable
ChainLoggingRate

4. Expand to Computer ConfigurationAdministrative TemplatesSystemWindows Time ServiceTime Providers, Enable Enable Windows NTP Client and Enable Windows NTP Server. Double Click Configure Windows NTP Client settings, type NTP server Name (example shown below),

NtpServer	au.pool.ntp.org time.windows.com OR IP Address of Cisco Core Switch if you are using Hardware Time Provider.
Type	NTP
CrossSiteSyncFlags	2
ResolvePeerBackoffMinutes	15
ResolvePeerBackoffMaxTimes	7
SpecialPollInterval	3600
EventLogFlags	1

Standard time configuration should look like this:

Location	Configuration	Status	Settings
Computer ConfigurationAdministrative TemplatesSystemWindows Time Service	Configure Global Configuration Settings here	Enabled	Default
Computer ConfigurationAdministrative TemplatesSystemWindows Time ServiceTime Providers	Configure Windows NTP Client settings here.	Enabled	au.pool.ntp.org time.windows.com
Enable Windows NTP Client here. Enable	Enabled	–
Enable Windows NTP Server here.	Enabled	–

Step5: Create and link a separate GPO for domain joined client or server

Open Group Policy Management Console, Right Click Domain Controllers OU, Click New group Policy, Type the Name of the GPO as Time Provider, Click Ok
Right Click Time Provider GPO, Click Edit, Expand to Computer ConfigurationAdministrative TemplatesSystemWindows Time Service
Right On the Configure Global Configuration Settings, Click Edit, Click Enable, Click Ok. Example shown below.

Clock Discipline Parameters
FrequencyCorrectRate	4
HoldPeriod	5
LargePhaseOffset	50000000
MaxAllowedPhaseOffset	300
MaxNegPhaseCorrection	300
MaxPosPhaseCorrection	300
PhaseCorrectRate	1
PollAdjustFactor	5
SpikeWatchPeriod	900
UpdateInterval	30000
General Parameters
AnnounceFlags	5
EventLogFlags	2
LocalClockDispersion	10
MaxPollInterval	10
MinPollInterval	6
ChainEntryTimeout
ChainMaxEntries
ChainMaxHostEntries
ChainDisable
ChainLoggingRate

NtpServer	dc.superplaneteers.com
Type	NT5DS
CrossSiteSyncFlags	2
ResolvePeerBackoffMinutes	15
ResolvePeerBackoffMaxTimes	7
SpecialPollInterval	3600
EventLogFlags	1

Standard configuration should look like this:

Location	Configuration	Status	settings
Computer ConfigurationAdministrative TemplatesSystemWindows Time Service	Configure Global Configuration Settings here	Enabled	Default
Computer ConfigurationAdministrative TemplatesSystemWindows Time ServiceTime Providers	Configure Windows NTP Client settings here.	Enabled	NT5DS
Enable Windows NTP Client here. Enable	Enabled	–
Enable Windows NTP Server here.	Disabled	–

Broadcasting Time Configuration using DHCP Server

Note that use either GPO to configure time or DHCP to broadcast time for Windows 7 and Windows 8 clients. My recommendation is to use GPO to configure time for windows client. However here is a guide how to configure Windows Time via DHCP.

Log on to the DHCP Server, Click Server Manager, Click Tools, Click DHCP Manager.
Click Server Options, Click Property, on the general tab, scroll down and select 042 Time Servers, type the IP address of time server, Click resolve, Click Add, Click Ok.

NTP Client Configuration for domain joined Hyper-v Server 2012

Create an OU in Active Directory named Hyper-v Server 2012. Place all Hyper-v Server in that OU.
Right click on Hyper-v Server 2012 OU that you want to apply this policy to and click “Link an Existing GPO”. Highlight your time policy you have created in Step5 then select and click OK.
Repeat for other OUs as necessary. Remember that a nested OU will inherit from its parent unless inheritance is blocked or unless it has its own linked GPO with conflicting settings.

NTP Client Configuration for non domain joined Hyper-v Server 2012

Sets the server to sync with the NTP servers

w32tm /config /syncfromflags:manual /manualpeerlist:”dc.superplaneteers.com” /reliable:yes /update

Where DC.superplaneteers.com is the PDC and Time Provider.

Restarts the service so the new settings take effect.

net stop w32time && net start w32time

Syncs the clock to your new NTP servers. This needs to return “The command completed successfully.”

w32tm /resync /rediscover

Query the time configuration to make sure time is configured as desired

W32TM /query /status

w32tm /query /peers

w32tm /query /configuration

NTP Client Configuration in ESXi Host

Open Virtual Infrastructure Client, Connect to Virtual Center, Expand Data Center, Expand Cluster, Select ESXi Host, Click Configuration, Click Time Configuration, Click Property

On the General Tab, Select Start and Stop with Host

Click NTP Settings, Click Add, Type FQDN of Domain Controller, Click Ok, Click Ok

If you have a Host Profile in Virtual Center, Click Home, Click Host Profiles, Click Create a Host Profile or Edit an existing Host Profile, Expand date and time configuration, Click Time Settings, Type FQDN of DC, Click Ok.

Time drifting error in Windows Machine

Time can drift for many reasons for example network latency and misconfiguration of time services. You may find time drifting event in Windows Server event log which is shown below. A troubleshooting guide has been provided in below URL.