Thank you for your reply.
The question is: what is the correct configuration for fallback (backup, failover) NTP server time source in the registry?
So I need the string which will configure my PDC emulator to update its time from the following servers, in the following order:
1. NTP (our local Meinberg NTP device synchronized via GPS) - normal operation
2. time-nw.nist.gov (only if 1. is unavailable)
3. 0.pool.ntp.org (only if 1. and 2. are unavailable)
Hi MilanBanjac,
Maybe my blog can help you out with your goals. I have numerous links and info with Microsoft documentation and links documented in the blog.
Configuring the Windows Time Service for Windows 2000, 2003, 2008 and newer, explanation of the time service hierarchy, and more
http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx
As for failover time source, the way it works, the time service will loop through each one starting with the first listed in the order they are listed until a time service response is received. It is suggested to use the actual IP addresses, or at least
I suggest it, which is an old school thing I have because years ago, Windows 2000 had an issue with FQDNs, which was fixed with a hotfix, but I still use the IP address method.
Here'a an older KB that explains this (disregard the part about Windows 2000, because the service still operates in the same behavior:
W32Time client does not fail over to secondary NTP servers by FQDN
http://support.microsoft.com/kb/285641
Based on the way it works, that is it rotates through each entry, you can simply configure the additional time sources on the PDC Emulator with the w32time command. I've found this works nicely without requiring registry modifications. Suggestion for
your scenario:
w32tm /config /manualpeerlist:”MeinbergNTPdeviceIpAddressorFQDN time-nw.nist.gov 0.pool.ntp.org ” /reliable:yes /update
Now if you need to specifically insure that the time service will perform it in the order you want, all the time that you want, then you will need to go third party time service installed inside your infrastructure that you would simply set the PDC to use,
and in the third party source, configure the multiple entries and failover settings.
There is also a caveat, or actually a design limitation with the Windows time service that it will not sync up if the time skew is below 2-3 minutes. This is also documented by Microsoft. If you need finite time sync that has much tighter time tolerance,
you will definitely need to go third party. THis is also in my blog.
I hope you find this info helpful.
Ace
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
Thank you for your reply, it is helpful.
I read about the windows 2000 bug with FQDN list of NTP servers, so I supposed that it is not an issue with later OS.
You wrote:
Now if you need to specifically insure that the time service will perform it in the order you want, all the time that you want, then you will need to go third party time service installed inside your infrastructure that you would simply set the PDC to
use, and in the third party source, configure the multiple entries and failover settings.
I don't understand your point. What happens if my PDC uses third party NTP server installed in my infrastructure, and this NTP server fails?
How can I be sure that PDC will step over to the next NTP server listed in "manualpeerlist" parameter? What is the timeout setting for a failing NTP source? How can we configure this?
What will happen when my internal NTP server goes back online? Will my PDC try the list of NTP sources periodically and go back to my internal NTP source? Is this failback process documented somewhere?
Thanks,
Regards
Milan
Hi Milan,
Sorry it too so long to reply. Email alerts and notifications just started working again this morning for the forums.
I don't understand your point. What happens if my PDC uses third party NTP server installed in my infrastructure, and this NTP server fails?
Then the third parrty you've chosen wouldn't be considered a reiliable time service. I'm sure some of the third party NTP services have some sort of feature or ability to use multiple servers internally to provide synchronization and fault tolerance, such
as a clustered Exchange server. If your time requirements for your infrastructure are that tight, you should look into your NTP provider's options and features, and if they don't fit the bill, to find one that will meet your organization's goals.
How can I be sure that PDC will step over to the next NTP server listed in "manualpeerlist" parameter? What is the timeout setting for a failing NTP source? How can we configure this?
I had a reference to this many years ago, and I can't find it in my notes. It's algorithm is similar to the client side resolver. When I find it, I will post it, but going on memory, I believe the time-out setting is about 2 minutes or less.
You can set the manualpeerslist to use the two 3rd party NTP servers that you've configured as a fault tolerant source, that is if the third party supports this feature.
If the lack of accuracy or control doesn't fit your bill, and as I previously mentioned, the Windows time service is not a reliable time service that the best you will get is time synch in the organization down to about 2-3 minutes anyway, you will need
to go third party and use that as the primary time source where you need to install the third party time service on the machines in question that need high reliability.
Here's more from Microsoft on the lack of high accuracy:
The following quoted from Windows Time Service Technical Reference (http://technet.microsoft.com/en-us/library/cc773061(WS.10).aspx):
"The W32Time service is not a full-featured NTP solution that meets time-sensitive application needs and is not supported by Microsoft as such. For more information, see Microsoft Knowledge Base article 939322, Support boundary to configure the Windows
Time service for high-accuracy environments (http://go.microsoft.com/fwlink/?LinkID=179459)."
Also, the following quoted from Support boundary to configure the Windows Time service for high accuracy environments,
http://support.microsoft.com/kb/939322:
"We do not guarantee and we do not support the accuracy of the W32Time service between nodes on a network. The W32Time service is not a full-featured NTP solution that meets time-sensitive application needs. The W32Time service is primarily designed to
do the following:
Make the Kerberos version 5 authentication protocol work.
Provide loose sync time for client computers.
The W32Time service cannot reliably maintain sync time to the range of 1 to 2 seconds. Such tolerances are outside the design specification of the W32Time service."
What will happen when my internal NTP server goes back online? Will my PDC try the list of NTP sources periodically and go back to my internal NTP source? Is this failback process documented somewhere?
It will act similar to the client side resolver, where there is a timeout period that it will reset the list to use the first one, or if immediately required to use the first one, to restart the time service. As I said, I need to find the link to this, but
that;s the basis of it.
To reiterate, if the Windows Time service's loose synchronization features of 2-3 minutes is not adequate, you'll need to go third party. The time service was designed to make sure Kerberos functions within it;s 5 minute time skew tolerance, and a 2-3
minute synch setting fits this bill.
Ace
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
