I have a performance lab running behind a firewall, so none of the machines in the lab has internet access. All machines in the lab are part of a domain with the domain controller also present inside the lab. The problem is that some server's time are drifting heavily.
Some background info:
The DC is Win Server 2K3 Enterprise SP2.
From the above, it seems the issue is with the 2008 servers.
I found the following:
How to configure an authoritative time server in Windows Server [to use an internal hardware clock] http://support.microsoft.com/kb/816042
From here I have installed "Microsoft Fix it 50394" on PT-DC01 (The domain controller)
I also found:
How to configure an authoritative time server in Windows Server http://support.microsoft.com/kb/816042
From here I have installed "Microsoft Fix it 50395" on SSVMM (A Server in the environment) with the following settings:
* Excluding anything in brackets obviously.
I’ve also restarted the Windows Time Service on both servers. I’ve done only these two servers to prove that it works first. The problem is that it doesn’t seem to: At time of writing SSVMM’s time was 12:10 and PT-DC01’s time was 12:04.
I checked in the registry and none of these values have changed so I manually updated the NtpServer and also left the MaxPosPhaseCorrection and MaxNegPhaseCorrection at 0xffffffff which means they will always update.
Restarting the servers had no effect.
c:\>w32tm /resync /nowait
had no effect
I also ran the following commands from http://www.zimbio.com/open+source+consulting/articles/193/Troubleshooting+w32tm+issues
w32tm /config /manualpeerlist:"pt-dc01.pt.local",0×1 /syncfromflags:MANUAL w32tm /config /update net stop w32time net start w32time w32tm /resync /nowait pause
Also with no effect. I also tried it with 0x8 instead of 0x1 in the first line.
Any help would be much appreciated.
All domain members should automatically sync their time with the domain controller that they authenticated against last. Those DCs will, in turn, sync from the DC with the PDC Emulator role on it. There's no need to get crazy with configuring this unless you have a real reason to. It's all default settings.
If you are running some of the servers on AMD processors and the VMs (on the AMD-based boxes) do not have a "sync client time to host" option active, you will get some drift. This appears to be AMD-specific, it does not affect Intel based chips. The drift, however, is not something that will throw you off - we're talking seconds at worst.
Active Directory will auto-magically sync to domain controllers elsewhere (as pointed out by MarkM) but the period in which they do so is laughably long...sometimes several hours. All of this occurs with Windows Time Service, which is (I believe) by default enabled. Kerberos typically has a +/- 5 minute tolerance. If you are drifting more than 5 minutes on your clocks, something is seriously wrong.
If you are desperate, and it continues despite all other efforts, you may want to get a 3rd party NTP service installed if it keeps up. Install the service once, on physical hardware (not a VM!), and point all of the other machines at it.
The above is true only if you have NetBIOS enabled.
Also, for virtual servers running on Hyper-V: Hyper-V has a default setting when you create a virtual machine that states that the VM should synchronise it's time with the host. This seems to be enforced no matter what you do on the VM. So, either then make sure your host's time is synced with your PDC or disable the setting in Hyper-V (VM Properties -> Hardware Configuration -> Integration Services -> Time synchronisation).
User contributions licensed under CC BY-SA 3.0