Definite's Extractor

My findings on Life, Linux, Open Source, and so on.

Tag Archives: Windows server 2016

HOWTO: Configure Time (NTP) for Windows Server 2016 Using Command Line (cmd)

This is aimed to be complete steps for configuring the time service (NTP) for Windows Sever 2016. This is especially useful should you want to setup your own Active Directory Domain Controller (ADDC).

0. Networking Check

Ensure you can reach the NTP server. Assuming you are using 0.pool.ntp.org :

ping 0.pool.ntp.org

1. Set the Time Zone

By default, windows just assume a time zone and show you the system clock. However, the default time zone is not necessary correct.

1.1. Check the Current Timezone

tzutil /g

1.2 (Optional) Query Available Time Zone

tzutil /l

1.3 (Optional) Set Time Zone

tzutil /s "E. Australia Standard Time"

2. Set the w32time service

2.1 Configure NTP Service

w32tm /config /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org" /syncfromflags:manual /reliable:no /update

2.2 Confirm that NTP Configuration

List the peers

w32tm /query /peers
The result looks like:
#Peers 3
Peer: 1.pool.ntp.org
State: Active
Time Remaining: 123.4567890s
Mode: 1 (Symmetric Active)
...

List the time source

w32tm /query /source
The result looks like:
1.pool.ntp.org

2.3 Resync

w32tm /resync
The result looks like:
Sending resync command to local computer
The command completed successfully.

2.4 Indicate that NTP service is now reliable

w32tm /config /reliable:yes /update

2.5 Confirm status

w32tm /query /status
The result should looks like:
Leap Indicator: 0(no warning)
...

This should be it.

To make Windows server 2016 time service unreliable to make it reliable

I was trying to resolve How do I force sync the time on Windows Workstation or Server?, and surprise! You need to make it “unreliable”!

Let’s make sure the w32time service is already configure to use external NTP. If not, run following to configure w32time:

w32tm.exe /config /manualpeerlist:”ntp1.example.net ntp2.example.net” /syncfromflags:manual /update

Also follows the article setting NTP server on Windows machine using PowerShell if you also want your control panel in-sync.

Most solutions do not work if the host is a Windows Server 2016 Active Directory Domain Controller (ADDC), as it treats itself as a “reliable” source that cannot make big time change.

w32tm /resync /force does not work, because the /force does not appear in server 2016.

net time /SET /Y does not work either, because it would have asked:

Do you want to set the local computer’s time to match the time at
\AD.example.net? (Y/N) [Y]

Of course, it won’t work if you are on AD.example.net, /Y just hides the question.

The steps work for me using PowerShell:

1. Set w32time service as unreliable

w32tm /config /reliable:no /syncfromflags:manual /update

Option /syncfromflags:manual means sync with NTP listed in peer list (i.e. external NTP), /update for notifying the time service the configuration have changed.

2. Restart the w32time

Stop-Service w32time
Start-Service w32time

3. sync

w32tm /resync

This should work.

4. If you DO need ADDC as a reliable time source, make it reliable again:

w32tm /config /reliable:yes /update
Stop-Service w32time
Start-Service w32time

How to Join an Active Directory Domain in Windows 10?

Short answer: the using the Run as Administrator PowerShell command line like

Add-Computer -domain example.net

Benefits are:

  1. Command line is less likely to change. Most of the GUI steps I found do not apply to my Windows 10
  2. You got more clue (i.e. debug message). GUI just tell me “Something is wrong, ask your administrator…”, but I am the administrator, who should I ask? :-/

Command line reveals me the true cause: “The user is disabled”. After I enable the user on the server side with

dsmod user <UserDN> -disabled no

Things are worked as expected.