How to configure an authoritative time server in Windows Server

2

I have a performance lab running behind a firewall, so none of the machines in the lab has internet access. All machines in the lab are part of a domain with the domain controller also present inside the lab. The problem is that some server's time are drifting heavily.

Some background info:

The DC is Win Server 2K3 Enterprise SP2.

  • 9 machines are running Server 2K3 Standard. (These are all within 1 minute, so not a problem)
  • 3 machines are Win Server 2K8 R2 Standard (These are Physical Servers) - (These vary by between 1 and 6 minutes and never sync up again)
  • 6 Machines are Win Server 2K8 R2 Core (These are Hyper-V hosts) (Some also Vary)
    • On those 6 machines we host 1 instance of Win 2K8 R2 Standard on each.(These vary by between 1 and 6 minutes and never sync up again)
  • 1 machine running win 2K8 R2 Enterprise acting as the SCVMM.(6 minutes out and never sync up again)

From the above, it seems the issue is with the 2008 servers.

I found the following:

How to configure an authoritative time server in Windows Server [to use an internal hardware clock] http://support.microsoft.com/kb/816042

From here I have installed "Microsoft Fix it 50394" on PT-DC01 (The domain controller)

I also found:

How to configure an authoritative time server in Windows Server http://support.microsoft.com/kb/816042

From here I have installed "Microsoft Fix it 50395" on SSVMM (A Server in the environment) with the following settings:

  • NtpServer: pt-dc01.pt.local,0x1
  • SpecialPollInterval: 900 (15 minutes*)
  • MaxPosPhaseCorrection: 3600 (1 Hour*)
  • MaxNegPhaseCorrection: 3600 (1 Hour*)

* Excluding anything in brackets obviously.

I’ve also restarted the Windows Time Service on both servers. I’ve done only these two servers to prove that it works first. The problem is that it doesn’t seem to: At time of writing SSVMM’s time was 12:10 and PT-DC01’s time was 12:04.

I checked in the registry and none of these values have changed so I manually updated the NtpServer and also left the MaxPosPhaseCorrection and MaxNegPhaseCorrection at 0xffffffff which means they will always update.

Restarting the servers had no effect.

c:\>w32tm /resync /nowait

had no effect

I also ran the following commands from http://www.zimbio.com/open+source+consulting/articles/193/Troubleshooting+w32tm+issues

w32tm /config /manualpeerlist:"pt-dc01.pt.local",0×1 /syncfromflags:MANUAL 
w32tm /config /update 
net stop w32time 
net start w32time 
w32tm /resync /nowait 
pause

Also with no effect. I also tried it with 0x8 instead of 0x1 in the first line.

Any help would be much appreciated.

windows-server-2003
windows-server-2008-r2
ntp
w32time
asked on Server Fault Dec 1, 2011 by Gineer • edited Dec 2, 2011 by Gineer

3 Answers

2

All domain members should automatically sync their time with the domain controller that they authenticated against last. Those DCs will, in turn, sync from the DC with the PDC Emulator role on it. There's no need to get crazy with configuring this unless you have a real reason to. It's all default settings.

answered on Server Fault Dec 1, 2011 by MDMarra
2

If you are running some of the servers on AMD processors and the VMs (on the AMD-based boxes) do not have a "sync client time to host" option active, you will get some drift. This appears to be AMD-specific, it does not affect Intel based chips. The drift, however, is not something that will throw you off - we're talking seconds at worst.

Active Directory will auto-magically sync to domain controllers elsewhere (as pointed out by MarkM) but the period in which they do so is laughably long...sometimes several hours. All of this occurs with Windows Time Service, which is (I believe) by default enabled. Kerberos typically has a +/- 5 minute tolerance. If you are drifting more than 5 minutes on your clocks, something is seriously wrong.

If you are desperate, and it continues despite all other efforts, you may want to get a 3rd party NTP service installed if it keeps up. Install the service once, on physical hardware (not a VM!), and point all of the other machines at it.

answered on Server Fault Dec 1, 2011 by Avery Payne
1

The above is true only if you have NetBIOS enabled.

Also, for virtual servers running on Hyper-V: Hyper-V has a default setting when you create a virtual machine that states that the VM should synchronise it's time with the host. This seems to be enforced no matter what you do on the VM. So, either then make sure your host's time is synced with your PDC or disable the setting in Hyper-V (VM Properties -> Hardware Configuration -> Integration Services -> Time synchronisation).

answered on Server Fault Apr 30, 2012 by Gineer

User contributions licensed under CC BY-SA 3.0