Time Loop - how did this even work for at least a year?

    Question

  • Hi,

    Not sure where to post this really, so I've posted it here because I'm trying to configure time for existing virtual domain controllers.

    So, we have the following setup for how time works:

    Server1 is a virtual domain controller, it gets its time from the integration components in hyper-v

    Server2 is the hyper-v host, it gets its time from Server3

    Server3 is a physical domain controller, it gets its time from Server1

    The above was all shown using w32tm /query /source on each server.

    This causes a loop of dependencies, but out of curiosity: how on earth did my time not drift by hours/days/weeks in this setup? It's been running for at least a year like this; it's a closed loop. Neither Server1 nor Server3 is the PDC; that's actually another domain controller not included in the above. Can anyone shed any light on this? It's no big deal, my time was only out by about 2 minutes, but I'm puzzled by how it would be only 2 minutes, because Server1 would have accumulated some clock skew.

    Cheers

    Steve

    Thursday, February 02, 2017 7:38 PM

All replies

  • Hi Steve,

    >>Server1 is a virtual domain controller, it gets its time from the integration components in hyper-v

    Not recommended.

    https://technet.microsoft.com/en-us/library/d2cae85b-41ac-497f-8cd1-5fbaa6740ffe(v=ws.10)#deployment_considerations_for_virtualized_domain_controllers

    As far as I know, we could configure all the domain controllers to synchronize from the PDC. And configure the PDC to synchronize with an external time server.

    Here is the reference about AD time configuration: 

    https://blogs.technet.microsoft.com/nepapfe/2013/03/01/its-simple-time-configuration-in-active-directory/

    Best Regards,

    Leo


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, February 03, 2017 5:42 AM
    Moderator
  • Completely not what I asked Leo

    I am well aware of the correct way to set up time in a virtualised environment; the current configuration was not mine, I was correcting it. However, ignoring the issue of correct time configuration, my question was: how did the existing configuration not cause the time to drift out? It is a loop of dependencies, so I was wondering if someone could explain that one to me. There must be a real-time clock involved somewhere, but I'm just not sure which one and when that gets used.

    Thanks

    Sunday, February 05, 2017 4:27 PM
  • Hi Steve,

    I know what you were asking. But I suppose your question was not a question: the current configuration was just working. Though some of the configuration was not recommended, it doesn't mean it would not work.

    If none of the servers' time drifts out, the configuration would work normally.

    Best Regards,

    Leo


    Monday, February 06, 2017 9:16 AM
    Moderator
    OK, thanks. I just found it a bit weird that it actually did work. I expected it to drift, since in a virtualised environment, even with little utilization on the host, there is bound to be some drift in time due to the CPU clock cycles being shared across different resources. It just surprised me that it did work, and I wondered if there was a reason as to how it kept very well within the correct time, only about 1 minute out after all the time it's been configured.

    Tuesday, February 07, 2017 4:48 PM
  • Hi Steve,

    Luckily, it worked well for a year without a lot of time drift.

    Not sure how long it could keep; you'd better configure it as recommended.

    Best Regards,

    Leo


    Thursday, February 09, 2017 7:45 AM
    Moderator
  • Wow,

    Gentlemen, I hope the people involved in this thread are still active. I am a fairly new admin and I have recently inherited a network at a new job that has the exact same setup as described here. My network has not drifted either, and I am surprised, considering I cannot see any server connected to an outside time source.

    I have been doing a lot of research and learning about the correct way to set up a virtualized DC. I want to correct the configuration.

    My concern is this: once I disable my DC from time synchronization from the Hyper-V host, then proceed to set up the virtualized DC to outside time sources, and then point the rest of my servers to the virtualized DC for time synchronization, will I experience any issues? There doesn't appear to be any time drift that I can see now.

    Should I be concerned about the issues that could spring up around Kerberos, etc.? I don't know enough about all of it yet to be comfortable.

    Thanks in advance for all the help.

    KyRou

    Friday, June 01, 2018 1:18 PM
  • If there has not been a meaningful amount of drift, then no, you won't have problems. After you've made the change, I would go to as many systems as possible and force the issue (restarting the Windows Time service should do it). Any lingering problems should be solved by a reboot.


    Eric Siron
    Altaro Hyper-V Blog
    I am an independent contributor, not an Altaro employee. I accept all responsibility for the content of my posts. You accept all responsibility for any actions that you take based on the content of my posts.

    Friday, June 01, 2018 3:57 PM
    Thank you, Eric, for the reply. I am a big fan of your blog and have been reading it quite a bit now. I actually cross-posted this issue on your Altaro blog as well.

    My only other question is: how do I get all the servers and/or workstations to now point to the new authoritative time server?

    I have been basically doing this on each server:

    w32tm /config /manualpeerlist:"XXX.XXX.XXXXXXXXX.com,0x1"
    w32tm /config /syncfromflags:MANUAL

    net stop w32time && net start w32time

    w32tm /resync /force

    This seems to work for the servers, but would I have to do this for every workstation as well?

    Regards,

    KyRou

    Friday, June 01, 2018 6:20 PM
  • KyRou, 

    I didn't read the entire thread, so I apologize if I missed this in the thread.

    But...

    You can do this with Group Policy.

    In my Hyper-V setup I have one physical DC and one secondary DC on a hosted server.

    On my setup:

    I have the DC settings set to not sync time with the host; there is a setting in the Hyper-V settings under Integration Services.

    On the DCs I have a policy set to use:

    Computer Configuration/Administrative Templates/System/Windows Time Service/Time Providers

    Configure Windows NTP Client

    and pointed it to the US Navy NTP system.

    I don't know if that helps; again, I notice a bunch of additional notes above, so I apologize if I missed something.


    Rob

    Friday, June 01, 2018 8:56 PM
    >>I have been basically doing this on each server:
    >>
    >>w32tm /config /manualpeerlist:"XXX.XXX.XXXXXXXXX.com,0x1"
    >>w32tm /config /syncfromflags:MANUAL
    >>
    >>net stop w32time && net start w32time
    >>
    >>w32tm /resync /force
    >>
    >>This seems to work for the servers, but would I have to do this for every workstation as well?
    >>
    >>Regards,
    >>
    >>KyRou

    You should not be doing that on every server. Only the PDC emulator should have special settings. All other Windows systems that belong to the domain will automatically pull from the domain hierarchy. DCs without the PDC emulator role will sync to the PDC emulator and everyone else will choose one of the DCs at service startup. If your PDC emulator refers to an authoritative time source then your entire domain will fall right into line without further configuration.

    If you run "w32tm /query /source" on anyone besides the PDC emulator (ETA: also besides non-DC Hyper-V guests, which should sync from the Hyper-V ICs), they should show a domain controller as a source. If they don't, then run "w32tm /config /syncfromflags:domhier" and restart the service. You might need to clear out some of the registry settings. You also might need to just reset the service a few times. W32time can be flaky; "jiggling the handle" is sometimes the fix.

    You should only override non-domain systems. My PDC emulator operates in NTP mode and my DHCP server automatically distributes it as a time source. I only perform manual configuration for anything that happens to be left over, and I still point those to the PDC emulator.

    By only overriding the PDC, you create only one place for external verification to fail. If the PDC emulator fails to connect to the external source for some reason, then everyone in your domain happily drifts off together. Not desirable, but not bad, either. If you have multiple systems configured to independently draw time from an external source, then you will never be able to guarantee internal time synchronization. If they all use the same pool and that pool is reliable and nothing goes wrong (like that source deciding that your network is (D)DoSing it or the members of that source pool drifting from each other or someone being compromised), then you'll probably be OK. If something does go wrong, it might only affect some of your systems, which would result in your domain members skewing from each other. That's bad.


    Eric Siron


    Friday, June 01, 2018 9:58 PM
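An added example, not code from the thread or from Eric, that turns the rule above into an audit: query w32tm on every enabled domain computer and flag anything that is off the expected hierarchy (only the PDC emulator syncs externally, other members name a DC, and only non-DC Hyper-V guests use the integration services provider). It assumes the RSAT ActiveDirectory module, WinRM access to the targets, and that w32tm reports the source strings "Local CMOS Clock" and "VM IC Time Synchronization Provider" for those two cases.

```powershell
# Added example (not from the thread): audit the W32Time source of every
# enabled domain computer against the rule Eric describes above.
# Assumptions: RSAT ActiveDirectory module, WinRM enabled on the targets,
# and an account allowed to run w32tm on them.
Import-Module ActiveDirectory

$dcNames = (Get-ADDomainController -Filter *).HostName | ForEach-Object { $_.ToLower() }
$pdc     = (Get-ADDomain).PDCEmulator.ToLower()
$targets = (Get-ADComputer -Filter 'Enabled -eq $true').DNSHostName

# Ask each machine what w32tm currently reports as its source.
$sources = Invoke-Command -ComputerName $targets -ErrorAction SilentlyContinue -ScriptBlock {
    [pscustomobject]@{
        Computer = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLower()
        Source   = ((w32tm /query /source) -join '').Trim()
    }
}

# Only the PDC emulator should point outside; every other member should
# name a DC (or, for a non-DC Hyper-V guest, the integration services).
$report = foreach ($s in $sources) {
    $peer     = ($s.Source -split ',')[0].ToLower()   # strip ",0x8"-style flags
    $isDcPeer = $dcNames -contains $peer
    $verdict  = if ($s.Computer -eq $pdc) {
        if ($isDcPeer -or $peer -eq 'local cmos clock') { 'PDC: no external source' }
        else { 'OK (PDC -> external)' }
    }
    elseif ($peer -eq 'local cmos clock') { 'Local CMOS Clock: reset w32time' }
    elseif ($peer -eq 'vm ic time synchronization provider') {
        if ($dcNames -contains $s.Computer) { 'DC syncing from Hyper-V IC: disable it' }
        else { 'OK (guest -> Hyper-V IC)' }
    }
    elseif ($isDcPeer) { 'OK (domain hierarchy)' }
    else { "Manual peer '$peer': return to domhier" }

    [pscustomobject]@{ Computer = $s.Computer; Source = $s.Source; Verdict = $verdict }
}

$report | Sort-Object Verdict, Computer | Format-Table -AutoSize
```

Machines that do not answer over WinRM are silently skipped, so compare the report's row count against the target list before trusting a clean result.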
  • Eric,

    You mention possibly having to clear out some registry settings. Which settings would that be?

    At the end of the day, I want to ensure that all my "other" servers and all workstations are getting time from my Virtualized DC.

    Any time I do w32tm /query /source, it seems they randomly return Local CMOS Clock, even though previously they came up with the correct domain controller.

    Also, I have another backup domain controller that, on occasion, some of my servers seem to want to grab time from. What do I have to do to clear that out so that the old server (which I am hoping to decommission soon) stops making itself available for time sync?

    I also know, in another article, you talked about creating GPOs to ensure all workstations and servers point to the correct place for time sync. I am still in a very mixed environment, which includes Windows 7 desktops. I have attempted, in the past, to implement more GPO-based controls on my network (simple drive mapping, for example), and I find the Windows 7 workstations don't always listen to GPOs.

    Regards,

    K

    Monday, June 04, 2018 12:29 PM
  • Mostly, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer.

    But if it were me, I would do a stare-and-compare between a system at defaults and any that you configured manually. Return the configured systems to defaults. You could also craft a GPO that scopes to all non-DC systems that either returns them to defaults or enforces your domain hierarchy.

    When you decommission a domain controller, it will stop being part of the domain hierarchy and the other systems will stop using it automatically. If you are using a GPO to distribute it as a source, then you'll have to modify the GPO. If you've manually configured any systems to use it as a source, you'll have to override from GPO or manually correct.

    Some systems will occasionally choose Local CMOS clock as a source. That's part of the whole flakiness of the Windows time service. Make sure your configuration is as correct as possible, make sure there are no addressable errors in the system event log, and reset the service. Reboot if necessary. Some systems will just flake out on you periodically. If their clocks are close and nothing is going wrong, then I would not invest a lot of time in them.

    Windows 7 should not have meaningful levels of problems implementing GPOs. I would look into that and see if you're not having some connectivity or authentication problems. However, using GPOs to enforce NTP settings is just an "I really mean it!" step. The defaults should work well enough.


    Eric Siron

    Monday, June 04, 2018 1:17 PM
  • Thank you Eric,

    This has all been a great help. So far everything seems to be running great. I have some other issues with my Hyper-V cluster that I can't seem to resolve. Is there a better forum to post questions about that, or a way to reach out to you directly somehow?

    I have a failover Hyper-V cluster with several VMs on it. The VMs all used to have their VHDX files sitting on shared cluster storage. I moved the VHDX file for my virtual DC to the local storage of one of the 2 host servers in the cluster. I have tried everything I can think of as far as permissions, etc., but now that particular VM will only run on one side of the Hyper-V cluster. Interestingly enough, the physical VHD file now sits on (let's say) Hyper-V server #1, but it won't run on Hyper-V server #1; it will only run on Hyper-V server #2. Live or quick migrations fail. I don't remember the exact error it throws, but something along the lines of "cannot find a VM with id .....Very Long String......"


    Regards,

    K

    Friday, June 08, 2018 11:46 AM
  • You should start a new thread for each unique problem.


    Eric Siron

    Friday, June 08, 2018 2:29 PM