Wednesday, August 1, 2012

Where is my NTP Server?

How to find the NTP Server

Time is off on one of my co-worker's computers by 2 minutes. Apparently he doesn't know how to read his appointment reminders on his phone or read his watch correctly. Because of this, he is blaming IT for being late to all his meetings. We had him correct the time, but the very next day he was complaining about the same issue with the time being off. To correct this, we will be using the "w32tm" command.

By default, in your Microsoft Windows Active Directory Domain environment, the following will take place:
  • The PDC Emulator of the root domain is going to control time
  • All other DCs in the root domain will sync time with the PDC Emulator
  • The PDC Emulators in the child domains will sync with the PDC Emulator in the root domain
  • All users of a domain will sync time with the domain controllers of their respective domain
So let's figure out if our computer is syncing with the domain or with an NTP server. There are two ways that I know of to answer this question:
  1. Use w32tm
  2. Check the Registry


You can use "w32tm" to figure out where the NTP server resides. This is the method I prefer to use. To find the NTP server, issue the command:
  • w32tm /dumpreg /subkey:parameters
That command will display the following output:

Looking at the "NtpServer" section, you can see the value is ",0x9". Also note that the Type is "NTP" and not "Nt5DS". In this case, my computer is not a part of my domain, and I am just using Microsoft for my time sync. If the type were "Nt5DS", then the "NtpServer" value would have been something to the effect of "DEN-DC-01". I would then know that I need to log into "DEN-DC-01" to correct my time issues.


Let's open up the registry and look at the following key:
  • HKLM\System\CurrentControlSet\Services\W32Time\Parameters\Type
If "Type" is set to "Nt5DS" then the computer is synchronizing time with the closest domain controller in your domain. If it's configured with the value "NTP" then the computer is synchronizing time with the NTP server specified in the "NtpServer" value in the registry. You can see which domain controller it is syncing with, by issuing:
  • w32tm /query /status
That will tell you who you are syncing with. In my case, I set the time correctly on the PDC Emulator, did a "w32tm /resync" on my onsite domain controller, and then did a "w32tm /resync" on the user's computer.
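
An added example (not from the original post) that combines both checks above in PowerShell: it reads the Parameters key, decodes the flag suffix on each "NtpServer" entry, and asks w32tm for the source currently in use. The function name Get-TimeSyncConfig and its output property names are made up for this example.

```powershell
# Added example: show how this machine is configured to get its time.
# Get-TimeSyncConfig and its property names are hypothetical, made up for this example.
function Get-TimeSyncConfig {
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $params = Get-ItemProperty -Path $key

    # Bits that can follow a peer name in NtpServer; ",0x9" is 0x1 + 0x8.
    $flagNames = @{ 1 = 'SpecialInterval'; 2 = 'UseAsFallbackOnly'
                    4 = 'SymmetricActive'; 8 = 'Client' }

    # NtpServer is a space-separated list of "host,0xFlags" entries.
    $peers = foreach ($entry in ("$($params.NtpServer)" -split '\s+' | Where-Object { $_ })) {
        $name, $rawFlags = $entry -split ',', 2
        $flags = if ($rawFlags) { [Convert]::ToInt32($rawFlags, 16) } else { 0 }
        [pscustomobject]@{
            Peer  = $name
            Flags = ($flagNames.Keys | Sort-Object |
                     Where-Object { $flags -band $_ } |
                     ForEach-Object { $flagNames[$_] }) -join ', '
        }
    }

    $meaning = switch ($params.Type) {
        'NT5DS'   { 'Syncs from the domain hierarchy' }
        'NTP'     { 'Syncs from the peers listed in NtpServer' }
        'AllSync' { 'Uses the domain hierarchy and the NtpServer peers' }
        'NoSync'  { 'Does not sync with any source' }
        default   { 'Unrecognised Type value' }
    }

    $joined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
    # Ask the running service what it is actually using right now.
    $source = (& w32tm /query /source | Out-String).Trim()

    [pscustomobject]@{
        Type          = $params.Type
        Meaning       = $meaning
        Peers         = $peers
        DomainJoined  = $joined
        CurrentSource = $source
        # A domain member pointed at a manual peer bypasses the hierarchy described above.
        ReviewNeeded  = ($joined -and $params.Type -eq 'NTP')
    }
}

Get-TimeSyncConfig | Format-List
```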
