Sign in
 
HomeWindows Server 2012Windows Server 2008 R2Windows Server 2003LibraryForums
Windows Server TechCenter >
Time synchronisation and multiple time sources/peers

Answered Time synchronisation and multiple time sources/peers

  • Monday, May 14, 2012 2:11 AM
     
     
    Sign In to Vote
    0

    Hi, we have a hardware time source which gets it's time from 5 Stratum 1 Internet sources, plus a couple of GPS receivers that are within our environment. Currently, we have the PDC Emulator (Windows 2008 R2) use this NTP server as it's time source, and then our Domain Heirarchy references this PDCE through all 16 DCs (some 2003, some 2008R2) in our single 2003 Native Mode AD, and all 68 of our sites will then get their time through either a DC, and we have 5 timezones. An added complexity is that we have VMWare on a Blade Chassis so the blades get their time from the NTP hardware source, and the ESX hosts are also configured to get their time from the hardware NTP system. All non-Windows systems get their time directly from the same hardware NTP source, including switches.

    I configured the PDC emulator with instructions to edit the registry from http://<cite>support.microsoft.com/kb/816042</cite>

    We are having some times where there is divergence happening where some DCs will be as much as 5 seconds out (from the NTP source) and member servers have been as much as 130 seconds out (mostly in distant sites).

    • Is it a supported / best practice configuration to have ALL our DCs get their time from the NTP server directly and not depend upon the domain hierarchy that depends upon the PDCE?
    • Additionally, for the member servers that have a dependency on accurate time (some of our applications, our database servers, SharePoint and other servers that use Kerberos authentication) - would it be valid / best practice for these servers to be configured to get their time from the hardware NTP device too?
    • Finally, as this is one NTP server in one site, what would be the most appropriate way for me to specify that the PDCE (whcih is a hardware standalone server and not ESX or a blade) is a backup or secondary time source? What should I enter into "HKLM\System\CurrentControlSet\Services\W32Time\Parameters\NTPServer" to achieve this?

    Thanks for your feedback...

     

All Replies

  • Monday, May 14, 2012 6:22 AM
     
      Has Code
    Sign In to Vote
    0

    Hi Christian,

    Regardless of which virtualisation platform it is, you're better off disabling time synchronisation at the virtualisation level and leaving the native Windows synchronisation mechanics do their thing. The reason I say this is the scenario you've described where the virtual hosts themselves skew the clock over a period of time is all too common.

    Still, common or not, 130 seconds is massive.

    The normal structure is pretty much as you've already described it: the PDC role holder gets it from a stratum server (or local hardware in your case which in turn talks to the stratum server), the other domain controllers get it from the PDC role holder and the clients get it from the local DC.

    The most important part though in leaving it at the Windows level is that the polling (by default) is relatively frequent, so you sure as nuts shouldn't end up a whopping 130 seconds out. If you bring up a command prompt on a server and run the following, you should see for yourself that the maximum polling interval is set to 15 minutes:

    w32tm /query /configuration

    This keeps the time per host on the straight and narrow.

    I can't comment on the applications side of things, as I'm not sure to what degree they're configurable in relation to things like polling intervals. In the event they're very basic and don't resync very often, look for an option to just use the operating system time. If the operating system is configured as I've said above where the virtualisation approach is disabled and the Windows time service handles synchronisation, you should not find your applications straying.

    In other words, get the dependancy off the virtual platform and onto the service platform. It's more reliable (speaking anecdotally).

    On your second point, no, I wouldn't do this. We run everything off the operating system's time with everything chaining back up the line of command as described above, with only the PDC role holder speaking with the hardware device.

    On your final bullet point, the above structure can scale out as far as you like. So long as each domain's PDC points to a level 2 or 1 stratum server, you're not going to have any issues.

    Cheers,
    Lain

     
  • Monday, May 14, 2012 8:27 AM
     
     
    Sign In to Vote
    0

    Hello,

    I would not recommend making all DCs sync time with a public NTP server. I would recommend making the PDC emulator of the root domain sync time with a reliable public NTP server and leave other DCs sync time based on domain hierarchy.

    Details in Meinolf's blog: http://msmvps.com/blogs/mweber/archive/2010/06/27/time-configuration-in-a-windows-domain.aspx

    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.   

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

     
  • Monday, May 14, 2012 8:45 AM
     
     Proposed Answer
    Sign In to Vote
    0

    Hello,

    for time sync in the domain please see http://msmvps.com/blogs/mweber/archive/2010/06/27/time-configuration-in-a-windows-domain.aspx

    VMs time sync should be configured according to http://technet.microsoft.com/en-us/library/cc773061(WS.10).aspx and http://blogs.msdn.com/b/virtual_pc_guy/archive/2010/11/19/time-synchronization-in-hyper-v.aspx

    "Is it a supported / best practice configuration to have ALL our DCs get their time from the NTP server directly and not depend upon the domain hierarchy that depends upon the PDCE?"

    NO, ONLY the PDCEmulator is the domain time source.

    "Additionally, for the member servers that have a dependency on accurate time (some of our applications, our database servers, SharePoint and other servers that use Kerberos authentication) - would it be valid / best practice for these servers to be configured to get their time from the hardware NTP device too?"

    NO, see answer before, the domain PDCEmulator controls the time sync and this is important because of the Kerberos time, that cannot be lower then 600 seconds by default.

    "Finally, as this is one NTP server in one site, what would be the most appropriate way for me to specify that the PDCE (whcih is a hardware standalone server and not ESX or a blade) is a backup or secondary time source? What should I enter into "HKLM\System\CurrentControlSet\Services\W32Time\Parameters\NTPServer" to achieve this?"

    There is NO need to work in the registry just for setting the time source, use the w32tm command line tool, as mentioned in my article.

    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.


     
  • Wednesday, May 16, 2012 12:46 AM
     
     
    Sign In to Vote
    0

    Thanks for everyone's reply.

    Yup, never selected in VMTools to allow the VM to synchronise time to the host - I agree that this is not good (for my reason/explination, see below). However, when a VM powers on, it will reference it's "hardware clock" which is actually the ESX host's clock, which is synchronised to the NTP source.

    Currently all DCs are using domain heirarchy for time sync (except the PDC) and so I will leave it as is. Unfortunately we had an audit where they noticed that the registry contains time.windows.com as an NTP source (but because the source type is NT5DS, this is not referenced or used) so I will just explain that this entry is irrelevant to the auditors.

    Initially, when we implemented a single NTP system, we were considering if it was necessary to implement two NTP systems in different datacentres - but the answer was that it does not matter what the time actually is, or if it is accurate to some Atomic clock somewhere - but what is more important is that time must be consistent in the environment. This should mean that even if time has drifted from "real" time by a few milliseconds, providing that all systems in our environment are consistent then this is OK.

    It appears though that this is where the problem occurs. All non-Microsoft devices we have are using the NTP system as their time source, and all domain members are using NT5DS to the PDC to get their time. The problem is that W32tm is not highly accurate, and this is probably where the time differences occur - drift in the domain is OK, providing everything drifts by the same amount - but as we have two sources (the NTP system and Domain Hierarchy), they can become diverged.

    I think the best answer is to choose one - initially I was expecting to make NTP the source of truth, but based on this advice, instead I should be trying to make all non-Microsoft systems use the domain as it's time source instead of NTP.

     
  • Wednesday, May 16, 2012 2:16 AM
     
     
    Sign In to Vote
    0


    You also need to disable the time sync apart from diabling from VM tool.By default it will sync time if the VM is poweron,restarted,resume from suspend,etc.Refer below link to diable the same.
    http://xtravirt.com/disabling-virtual-machine-guest-host-time-synchronization-multiple-hypervisors

    It is better to keep time sync from PDC role holder server instead of having individual NTP time sync.
    Configure authorative time server on the PDC role holder server below is the KB article for the same.
    http://support.microsoft.com/kb/816042

    To configure an NTP client: http://www.ehow.com/how_5981545_configure-windows-ntp-client.html

    Please also make sure that udp port 123 which as direction the chosen NTP server is not blocked.

    For other domain computers / servers, make sure that they are using NT5DS for time sync. More here: http://support.microsoft.com/kb/223184

    You are correct regarding the NT5DS type registry value by default the value is set to Nt5DS on client hence it will sync time from DC.You can provide link http://support.microsoft.com/kb/223184 for justification.

    Note:By default, domain allows time skew of 5 min, which means systems in the domain including DC can have time difference of 5 min but not more or less.

    More on time sync refer Jorge's Time Service blogs
    Configuring and Managing the Windows Time Service, Parts 1 to 4:
    http://blogs.dirteam.com/blogs/jorge/archive/2010/09/26/configuring-and-managing-the-windows-time-service-part-1.aspx
    http://blogs.dirteam.com/blogs/jorge/archive/2010/09/26/configuring-and-managing-the-windows-time-service-part-2.aspx
    http://blogs.dirteam.com/blogs/jorge/archive/2010/09/26/configuring-and-managing-the-windows-time-service-part-3.aspx
    http://blogs.dirteam.com/blogs/jorge/archive/2010/09/26/configuring-and-managing-the-windows-time-service-part-4.aspx

     

    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

     
  • Wednesday, May 16, 2012 2:29 AM
     
     Answered
    Sign In to Vote
    0

    Hi Christian,

    Your summary does represent the best solution in those circumstances.

    To be clear though, the w32tm - which is really just another NTP implementation, is no better or worse than the hardware's (or any software abstraction layer such as a hypervisor in between) timing ability. There's nothing wrong with the construct of the service itself. As I said, the fact that it checks every ten minutes is actually a strong mechanic.

    In relation to the registry entry, that setting will be ignored unless the client flags are set to manual. Make sure you use the "win32tm /query /configuration" and "/query /peers" commands to determine how the service is configured and the synchronisation status of it's upstream NTP peers, not the registry.

    Your comment about the boot stage where the local clock is referenced before the Windows Time service actually starts is a pain point and I've seen numerous Kerberos and derived errors from this being different at startup, but ultimately there's no way to resolve that. The underlying hardware or virtualisation platform simply has to be on the same time schedule and if there's a "breaking point" somewhere between the hypervisor or local clock and the NTP source then that issue has to be resolved separately, outside of the Windows space.

    There must be a reason for such a dramatic slide over such a short period of time.

    I've seen it before on physical hardware where the frequency timing of a particular model of server we had wasn't spot on, so the hardware clock was slipping against that of the NTP source, which manifested in Kerberos and then a swag of knock-on issues upon rebooting. This was corrected by a BIOS update to that particular generation of server.

    The current place I work at is small to medium in size, yet our vSphere cluster of some 120 virtual and around two dozen physical guests is configured as described above and has no such discrepencies in the time when compared to the upstream public stratum 1 servers.

    These are both only meant to serve as anecdotal references, but the point is that the Windows Time service itself is quite robust and that there are definitely other variables that influence the outcome. If it were truly problematic courtesy of its design, it wouldn't be useful to anyone.

    Cheers,
    Lain

     
  • Wednesday, May 16, 2012 4:21 AM
     
     Answered
    Sign In to Vote
    0

    Christian,

    I would like to add, and agree with you, that the Windows time service is not that highly accurate. Matter of fact, if the time is within 2 minutes, it won't sync. If it goes beyond 2, then it will. The only real purpose of the default Windows time service is to keep ALL machines in a forest within Kerberos' 5 minute skew tolerance. If the time skew between two machines is beyond 5 minutes, AD authentication will fail trying to access it.  If you need tighter tolerances such as within milliseconds (maybe for stock market transactions down to the milliseconds?), you will definitely need a third party time service.

    In addition to Meinolf's and Jorge's time blocks, you can find additional info about the time service, including the weak tolerance I've mentioned above. 

    Configuring the Windows Time Service for Windows 2000, 2003, 2008 and newer, explanation of the time service hierarchy, and more
    Published by Ace Fekay, MCT, MVP DS on Sep 18, 2009 at 8:14 PM  3050  1 
    http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx

    .

    I agree with everyone that should definitely configure ONE common time source for the environment.

    Just to add to everyone's comments on disabling VMWare's time service, here's VMWare's KB on this. 

    VMWare KB1318: Timekeeping best practices for Windows, including NTP: Quoted:
    "When using w32time or NTP in the guest, disable VMware Tools periodic time synchronization."
    http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1318

    .

    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This post is provided AS-IS with no warranties or guarantees and confers no rights.

    FaceBook Twitter LinkedIn

     
  • Friday, May 18, 2012 4:39 AM
    Moderator
     
     
    Sign In to Vote
    0

    Hi,

    Any update?

    If there is any thing else we can do for you, please feel free let us know.

    Regards,

    Yan Li

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

    Yan Li

    TechNet Community Support

     
  • Friday, May 18, 2012 4:19 PM
     
     Answered
    Sign In to Vote
    0

    Hello,

    "However, when a VM powers on, it will reference it's "hardware clock" which is actually the ESX host's clock, which is synchronised to the NTP source"

    This is highly correct but only if you mess around with the domain time you run into problems. If the domain time configuration is set correct the machines will sync really short after contacting the domain and the time is corrected without any problems. For complete disabling see http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1189

    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.