Definite's Extractor

My findings on Life, Linux, Open Source, and so on.

Tag Archives: active directory

To make Windows server 2016 time service unreliable to make it reliable

I was trying to resolve How do I force sync the time on Windows Workstation or Server?, and surprise! You need to make it “unreliable”!

Let’s make sure the w32time service is already configure to use external NTP. If not, run following to configure w32time:

w32tm.exe /config /manualpeerlist:”ntp1.example.net ntp2.example.net” /syncfromflags:manual /update

Also follows the article setting NTP server on Windows machine using PowerShell if you also want your control panel in-sync.

Most solutions do not work if the host is a Windows Server 2016 Active Directory Domain Controller (ADDC), as it treats itself as a “reliable” source that cannot make big time change.

w32tm /resync /force does not work, because the /force does not appear in server 2016.

net time /SET /Y does not work either, because it would have asked:

Do you want to set the local computer’s time to match the time at
\AD.example.net? (Y/N) [Y]

Of course, it won’t work if you are on AD.example.net, /Y just hides the question.

The steps work for me using PowerShell:

1. Set w32time service as unreliable

w32tm /config /reliable:no /syncfromflags:manual /update

Option /syncfromflags:manual means sync with NTP listed in peer list (i.e. external NTP), /update for notifying the time service the configuration have changed.

2. Restart the w32time

Stop-Service w32time
Start-Service w32time

3. sync

w32tm /resync

This should work.

4. If you DO need ADDC as a reliable time source, make it reliable again:

w32tm /config /reliable:yes /update
Stop-Service w32time
Start-Service w32time

How to Join an Active Directory Domain in Windows 10?

Short answer: the using the Run as Administrator PowerShell command line like

Add-Computer -domain example.net

Benefits are:

  1. Command line is less likely to change. Most of the GUI steps I found do not apply to my Windows 10
  2. You got more clue (i.e. debug message). GUI just tell me “Something is wrong, ask your administrator…”, but I am the administrator, who should I ask? :-/

Command line reveals me the true cause: “The user is disabled”. After I enable the user on the server side with

dsmod user <UserDN> -disabled no

Things are worked as expected.