I’ve noticed an issue with Microsoft Windows Server 2016, where a default install, when joined to an Active Directory Domain, will not get its time from the domain itself, but rather from “time.windows.com”.
I first noticed this a couple months ago when I had some time issues with one of my Server 2016 member servers. I ran “net time” which reported time from the domain controller, so I simply restarted the VM and it resolved the issue (or so I thought). I did not know there was a larger underlying issue.
While performing maintenance today, I noticed that all Windows Server 2016 VMs were getting their time from “time.windows.com”. When running “w32tm /monitor”, the hosts actually reported the PDC time sources, yet it still used the internet NTP server. I checked all my Windows Server 2012 R2 member servers and they didn’t have the issue. All workstations running Windows 10 didn’t have the issue either.
When this issue occurs, you’ll notice in the event log that the Windows Time Service actually finds your domain controllers as time sources, but then overrides them with the internet server time.windows.com for some reason. The only reference you’ll find pertaining to “time.windows.com” will be when you run the “w32tm /query /configuration” command.
We need to change the time source from that host to the domain “NT5DS” time source. We’ll do so by resetting the configuration to default settings on the member server.
How to reset the Windows Time Service (w32tm) to default settings
PLEASE NOTE: Only run this on member servers that are experiencing this issue. Do not run this on your domain controller.
- Open an elevated (administrative) command prompt
- Run the following commands:
```
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
```
- Restart the server (may not be needed, but is a good idea)
After doing this, when running “w32tm /query /configuration” you’ll notice the time source will now reflect “NT5DS”, and the servers should now be using your domain hierarchy time sources (domain controllers).
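The check below is an added example, not part of the original post: it reads the effective configuration with the same “w32tm /query /configuration” command, refuses to act on a domain controller, and only runs the four reset commands when -Reset is given. The function name Test-DomainTimeSource and its -Reset switch are hypothetical, and the parsing assumes English-format output such as “Type: NTP (Local)”.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
# Assumption: w32tm prints lines such as "Type: NTP (Local)" (English output).
function Test-DomainTimeSource {
    [CmdletBinding()]
    param([switch]$Reset)   # hypothetical switch: apply the post's reset

    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $isDc = $cs.DomainRole -ge 4   # 3 = member server, 4/5 = domain controller

    # Effective client settings; each line ends with its origin, (Local) or (Policy)
    $config = & w32tm.exe /query /configuration 2>&1 | Out-String
    $type = $null; $origin = $null; $ntpServer = $null
    if ($config -match '(?m)^\s*Type:\s*(\S+)\s*\((\w+)\)') {
        $type = $Matches[1]; $origin = $Matches[2]
    }
    if ($config -match '(?m)^\s*NtpServer:\s*(\S+)') { $ntpServer = $Matches[1] }

    # Affected = domain member server whose client type is anything but NT5DS
    $affected = $cs.PartOfDomain -and -not $isDc -and $type -and ($type -ne 'NT5DS')

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IsDomainController = $isDc
        Type               = $type
        SettingOrigin      = $origin
        NtpServer          = $ntpServer
        CurrentSource      = (& w32tm.exe /query /source 2>&1 | Out-String).Trim()
        Affected           = [bool]$affected
    }

    if (-not $Reset)    { return }
    if ($isDc)          { Write-Warning 'Domain controller: not resetting.'; return }
    if (-not $affected) { Write-Verbose 'Type is already NT5DS; nothing to do.'; return }
    if ($origin -eq 'Policy') {
        Write-Warning 'Type comes from Group Policy; a local reset will not change it.'
        return
    }
    # The four commands from the post, in order
    & net.exe stop w32time    | Out-Host
    & w32tm.exe /unregister   | Out-Host
    & w32tm.exe /register     | Out-Host
    & net.exe start w32time   | Out-Host
}

Test-DomainTimeSource            # read-only audit
# Test-DomainTimeSource -Reset   # audit, then reset if this member server is affected
```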
This guide fails. The service start failed since one or more services in the same process have an incompatible service SID type setting. A service with restricted service SID type can only coexist in the same process with other services with a restricted SID type. If the service SID type for this service was just configured, the hosting process must be restarted in order to start this service.
Hi Sean,
I think the issue you’re experiencing is different than the topic covered in this post. If you’re having issues with services failing due to issues with SIDs, then this is an issue that should be investigated and corrected. The point of this post is just to address an issue with AD member servers pulling time from an incorrect source.
Stephen
Thank you, this was my exact issue, which was causing DFS to be glitchy. Your commands worked perfectly to restore proper time sync.
After you reset the time service sometimes you get “System error 1290 has occurred.”
Run “sc config w32time type= own”
Leave the space after the =.
Reference: https://social.technet.microsoft.com/Forums/ie/en-US/a7683e1d-806c-4464-a326-491c44ab023a/windows-time-service-error-1290?forum=winservergen
Thanks Stephen, this is exactly what I was looking for!!