DC time sync to windows clients

externa1 · May 8, 2017, 6:30pm

Hi,

In AD Domain (MS Server) the clients get time synced on logon to DC, however in UCS with samba4 this does not take place.

so my question, what is the best practise to get the time synced in the domain with UCS and samba4 ?

rg
Christian

Grandjean · May 8, 2017, 6:42pm

Um, but that should happen. As long as the clients are joined to the domain, they should use a AD DC as timeserver (the “PDC Emulator”, if I’m not mistaken. Samba or Microsoft shouldn’t matter).
Can you please run these commands on the joined windows clients to check the current time config?

w32tm /query /configuration
w32tm /query /status

externa1 · May 8, 2017, 7:07pm

Hi Grandjean,

here is the output of one of the clients:

Configuration:

C:\Users\gr.FISCHER>w32tm /query /configuration
[Konfiguration]

EventLogFlags: 2 (Lokal)
AnnounceFlags: 10 (Lokal)
TimeJumpAuditOffset: 28800 (Lokal)
MinPollInterval: 10 (Lokal)
MaxPollInterval: 15 (Lokal)
MaxNegPhaseCorrection: 4294967295 (Lokal)
MaxPosPhaseCorrection: 4294967295 (Lokal)
MaxAllowedPhaseOffset: 300 (Lokal)

FrequencyCorrectRate: 4 (Lokal)
PollAdjustFactor: 5 (Lokal)
LargePhaseOffset: 50000000 (Lokal)
SpikeWatchPeriod: 900 (Lokal)
LocalClockDispersion: 10 (Lokal)
HoldPeriod: 5 (Lokal)
PhaseCorrectRate: 1 (Lokal)
UpdateInterval: 30000 (Lokal)


[Zeitanbieter]

NtpClient (Lokal)
DllName: C:\windows\system32\w32time.dll (Lokal)
Enabled: 1 (Lokal)
InputProvider: 1 (Lokal)
CrossSiteSyncFlags: 2 (Lokal)
AllowNonstandardModeCombinations: 1 (Lokal)
ResolvePeerBackoffMinutes: 15 (Lokal)
ResolvePeerBackoffMaxTimes: 7 (Lokal)
CompatibilityFlags: 2147483648 (Lokal)
EventLogFlags: 1 (Lokal)
LargeSampleSkew: 3 (Lokal)
SpecialPollInterval: 3600 (Lokal)
Type: NT5DS (Lokal)

VMICTimeProvider (Lokal)
DllName: C:\windows\System32\vmictimeprovider.dll (Lokal)
Enabled: 1 (Lokal)
InputProvider: 1 (Lokal)
NtpServer (Lokal)
DllName: C:\windows\system32\w32time.dll (Lokal)
Enabled: 0 (Lokal)
InputProvider: 0 (Lokal)

Status:

C:\Users\gr.FISCHER>w32tm /query /status
Sprungindikator: 3(die letzte Minute umfasst 61 Sekunden)
Stratum: 0 (nicht angegeben)
Präzision: -6 (15.625ms pro Tick)
Stammverzögerung: 0.0000000s
Stammabweichung: 0.0000000s
Referenz-ID: 0x00000000 (nicht angegeben)
Letzte erfolgr. Synchronisierungszeit: nicht angegeben
Quelle: Free-running System Clock
Abrufintervall: 10 (1024s)

rg
christian

Grandjean · May 9, 2017, 7:20am

Thanks! I will look into this later. I really need to check if this is a general issue or not. As a workaround, I would configure the timeserver via Group Policy, but let me check first

I’m sorry, but I can’t remember what UCS version you are currently running - could you please add this information? (univention-app info would be great).

Grandjean · May 9, 2017, 8:00am

Hi,

I just checked a Windows 7 and a Windows 10 Client joined to a UCS 4.1-4 Samba/AD domain. There I get (without any manual configuration):


PS C:\Users\ADministrator> w32tm /query /status
Leap Indicator: 0(no warning)
Stratum: 11 (secondary reference - syncd by (S)NTP)
Precision: -6 (15.625ms per tick)
Root Delay: 0.0093849s
Root Dispersion: 11.7216001s
ReferenceId: 0x0AC817FA (source IP:  10.200.20.123)
Last Successful Sync Time: 09.05.2017 09:47:53
Source: ucsma01.schulen.example.org
Poll Interval: 10 (1024s)

ucsma01.schulen.example.org (10.200.20.123) is my UCS Master and also Samba AD DC.

Can you please check who your PDC Emulator is?

→ samba-tool fsmo show

I get this output (have a look a PdcEmulationMasterRole):

SchemaMasterRole owner: CN=NTDS Settings,CN=UCSMA01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=schulen,DC=example,DC=org
InfrastructureMasterRole owner: CN=NTDS Settings,CN=UCSMA01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=schulen,DC=example,DC=org
RidAllocationMasterRole owner: CN=NTDS Settings,CN=UCSMA01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=schulen,DC=example,DC=org
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=UCSMA01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=schulen,DC=example,DC=org
DomainNamingMasterRole owner: CN=NTDS Settings,CN=UCSMA01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=schulen,DC=example,DC=org
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=UCSMA01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=schulen,DC=example,DC=org
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=UCSMA01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=schulen,DC=example,DC=org

externa1 · May 9, 2017, 9:14am

root@fischer11:~# samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=FISCHER11,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fischer,DC=local
InfrastructureMasterRole owner: CN=NTDS Settings,CN=FISCHER11,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fischer,DC=local
RidAllocationMasterRole owner: CN=NTDS Settings,CN=FISCHER11,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fischer,DC=local
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=FISCHER11,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fischer,DC=local
DomainNamingMasterRole owner: CN=NTDS Settings,CN=FISCHER11,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fischer,DC=local
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=FISCHER11,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fischer,DC=local
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=FISCHER11,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=fischer,DC=local

root@fischer11:~# univention-app info
UCS: 4.1-4 errata413
App Center compatibility: 4
Installed: dhcp-server=10.0.1 samba4=4.5
Upgradable:

I have this on 2 installations one with UCS 4.1 and the other is UCS4.2 (upgraded from UCS 4.1)
but i remember that i did a s4 reprovision about one year ago following this article http://sdb.univention.de/content/6/274/en/re_provisioning-samba4-on-a-dc-master.html

and i did not rejoin the windows clients - maybe thats the problem - but i wonder as there are no other issues as grp policies or logon problems

rg
Christian

Grandjean · May 9, 2017, 10:44am

Hm, would be good to know if a re-join of the clients solves the problem.

Otherwise I would go for a Group Policy:

Install RSAT on a Windows Client that is joined to the domain (if not already present)
Use the Group Policy Management Tool to
- edit the policy “Default Domain Policy”
- head to Computer Configuration/Policies/Administrative Templates/System/Windows Time Service/Time Providers
- the default settings should be fine, but you can change the NtpServer to the FQDN of your Samba AD DC

externa1 · May 13, 2017, 7:52am

Hi,

I did a rejoin of the Client PC’s and now it works as expected.
I put the PC’s in Workgroup
removed Object from Domain
rejoined domain

rg
Christian