Solved

NTP server that uses time.gov, and which all internal servers get time from, went down

Posted on 2013-05-24
454 Views
Last Modified: 2013-12-04
We had an issue where the time service on our VM host stopped, and thus our domain controller, which acts as our NTP server and gets its time from .gov, and all on-premises machines that get their time from it, were getting bad time since the server wasn't updating.

I am wondering if there is a way to set up a secondary NTP server so that, in cases where the primary were to be off, the secondary would sync with it or take over. I'm not sure this would work, as the clients didn't know the server's time was wrong and so adjusted to the wrong time accordingly, but had it not been a simple service restart... I wanted to see what others do so we have a solid backup plan going forward.

Servers and Clients --------> DC1 NTP --------------------------> time-a.nist.gov
DC2: backup to DC1 for DNS only; no DHCP on this, as this is an empty root.
0
Question by:bergquistcompany
24 Comments
 

Expert Comment

by:userPrincipalName
ID: 39194897
I'm not sure I understand the scenario completely. Are you using Hyper-V? I know in Hyper-V, when you install Integration Services on the children, the vmictimesync service is installed. This service can cause all sorts of problems with virtual DCs and I would recommend uninstalling the service entirely (not just disabling it). If your DC comes online after a restart and cannot contact an authoritative time source, it will sync with the Hyper-V parent.

If you have been having problems with w32time and have been using w32tm with the "/reliable" parameter to fix it, you are setting yourself up for a failure. This switch governs what the "AnnounceFlags" value is. Check the registry on each of your DCs and make sure your "AnnounceFlags" are set to 10 on ALL DCs except the PDCe (which should be set to 5). You should be controlling this via Group Policy.

In any event, you should point your PDCe to a trusted time source such as ntp.gov and then let all other DCs in your AD look to the PDCe. I would shy away from pointing individual DCs to an external time server - it will work, but it's contrary to best practice.

This is the policy I use for non-PDCe DCs:

System/Windows Time Service
Policy                          Setting
Global Configuration Settings   Enabled
Clock Discipline Parameters
  FrequencyCorrectRate          4
  HoldPeriod                    5
  LargePhaseOffset              50000000
  MaxAllowedPhaseOffset         300
  MaxNegPhaseCorrection         172788
  MaxPosPhaseCorrection         172800
  PhaseCorrectRate              7
  PollAdjustFactor              5
  SpikeWatchPeriod              900
  UpdateInterval                100
General Parameters
  AnnounceFlags                 10
  EventLogFlags                 2
  LocalClockDispersion          10
  MaxPollInterval               10
  MinPollInterval               6
  ChainEntryTimeout             16
  ChainMaxEntries               128
  ChainMaxHostEntries           4
  ChainDisable                  0
  ChainLoggingRate              30

System/Windows Time Service/Time Providers
Policy                          Setting
Configure Windows NTP Client    Enabled
  NtpServer                     www.ntp.gov,0x1
  Type                          NT5DS
  CrossSiteSyncFlags            2
  ResolvePeerBackoffMinutes     15
  ResolvePeerBackoffMaxTimes    7
  SpecialPollInterval           3600
  EventLogFlags                 0
Enable Windows NTP Client       Enabled


For the PDCe I change the value of "AnnounceFlags" to 5 and "Type" to NTP. I target the PDCe with a WMI filter.
0
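The PDCe / non-PDCe split in the reply above (AnnounceFlags 5 and Type NTP on the PDCe, AnnounceFlags 10 and Type NT5DS on every other DC) is easy to get wrong when some DCs were once fixed by hand with w32tm. The following is an added example, not code from the thread or from any of its posters: a PowerShell function that reads the W32Time registry keys on the DC it runs on, works out whether that DC holds the PDCe role, and reports every setting that disagrees with the expected split, including the Hyper-V time provider the reply recommends removing. It assumes the ActiveDirectory module is available (it is on any 2008 R2 or later DC); pass -IsPdce yourself if it is not.

```powershell
# Added example, not code from the thread. Audits the local DC's W32Time settings
# against the split described above: AnnounceFlags 5 + Type NTP on the PDCe,
# AnnounceFlags 10 + Type NT5DS on every other DC. Run elevated on the DC itself.
# Assumes the ActiveDirectory module is present; pass -IsPdce yourself if it is not.
function Test-W32TimeRole {
    [CmdletBinding()]
    param(
        [Nullable[bool]]$IsPdce = $null
    )

    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
    $config = Get-ItemProperty -Path "$base\Config"        # AnnounceFlags lives here
    $params = Get-ItemProperty -Path "$base\Parameters"    # Type and NtpServer live here
    # Only exists when Hyper-V Integration Services are installed in the guest.
    $vmic   = Get-ItemProperty -Path "$base\TimeProviders\VMICTimeProvider" -ErrorAction SilentlyContinue

    if ($null -eq $IsPdce) {
        $fqdn   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
        $IsPdce = ((Get-ADDomain).PDCEmulator -eq $fqdn)   # -eq is case-insensitive
    }

    if ($IsPdce) {
        $expected = @{ AnnounceFlags = 5;  Type = 'NTP' }
    } else {
        $expected = @{ AnnounceFlags = 10; Type = 'NT5DS' }
    }

    $findings = New-Object System.Collections.Generic.List[string]
    if ($config.AnnounceFlags -ne $expected.AnnounceFlags) {
        $findings.Add("AnnounceFlags is $($config.AnnounceFlags); expected $($expected.AnnounceFlags)")
    }
    if ($params.Type -ne $expected.Type) {
        $findings.Add("Type is '$($params.Type)'; expected '$($expected.Type)'")
    }
    # In NTP mode the peer list is what the PDCe actually uses, so it must not be empty.
    if ($IsPdce -and [string]::IsNullOrWhiteSpace($params.NtpServer)) {
        $findings.Add('PDCe is in NTP mode but NtpServer is empty')
    }
    # A DC taking time from its Hyper-V host defeats the hierarchy (see the reply above).
    if ($vmic -and $vmic.Enabled -eq 1) {
        $findings.Add('Hyper-V VMICTimeProvider is enabled on a domain controller')
    }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        IsPdce        = [bool]$IsPdce
        AnnounceFlags = $config.AnnounceFlags
        Type          = $params.Type
        NtpServer     = $params.NtpServer
        Compliant     = ($findings.Count -eq 0)
        Findings      = $findings.ToArray()
    }
}

# Usage, on each DC:     Test-W32TimeRole | Format-List
# Without the AD module: Test-W32TimeRole -IsPdce $false
```

Run it on every DC after the GPOs have applied (gpupdate /force, then restart w32time); a DC whose Type is NTP but which is not the PDCe, or whose AnnounceFlags is 5 on a non-PDCe, is exactly the kind of hand-fixed machine the reply warns will later advertise itself as a reliable source.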
 
LVL 13

Expert Comment

by:frankhelk
ID: 39200504
To the question part about redundancy in the time sources:

You can add possibly as many time sources to the NTP config file (ntp.conf) as you like.

NTP communicates with all of them and does statistical checking all the time to find out which server is the most reliable time source at the moment. That server is used; the others are "reserve".

I would recommend making use of the public NTP pool service at pool.ntp.org.

Here's an example of an ntp.conf with several server entries from the "worldwide" NTP pool:

# four pool servers; iburst speeds up the initial synchronisation
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst

# frequency-correction and log files (Windows paths)
driftfile %windir%\ntp.drift
logfile C:\temp\ntp.log

There are regional (roughly "continental") groups of servers, too.
0
 

Author Comment

by:bergquistcompany
ID: 39208791
I'm sorry, let me clarify the scenario.

External time source - Domain Controller - All other servers/desktops

Currently all internal machines point to this one DC for time via NTP, and that machine in turn gets its time externally. The external part isn't an issue, but we had an issue with the DC where the time service stopped and it thus wasn't serving time; when machines couldn't be logged in to, we noticed the 30 min delay and fixed the DC and all worked again.

I am trying to avoid that by having a secondary DC in sync with the current one, so if one stops providing time the other can pick up?
0
 

Expert Comment

by:userPrincipalName
ID: 39209373
I am trying to avoid that by having a secondary DC in sync with the current one so if one stops providing time the other can pick up?

All domain controllers are time servers... Your PDCe is the authoritative time server and should sync with either a hardware clock, if you have one on your network, or some external time source which is trustworthy. All your domain controllers will sync with the PDCe, and your member servers will choose a domain controller as a time source using an algorithm that weights domain controllers by AD site proximity, time server settings (AnnounceFlags) and what FSMO role it holds (specifically whether it's a PDCe or not). If you leave Windows Time to do what it's supposed to, it will just work. Once you start messing with the configurations without truly understanding what those settings impact, you are opening a can of worms...

Again, I would urge you to manage time services via GPO.

Recommended reading:
http://technet.microsoft.com/en-us/library/cc773013%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/cc773263%28v=ws.10%29.aspx#w2k3tr_times_tools_vwtt
http://technet.microsoft.com/en-us/library/cc773061.aspx
http://support.microsoft.com/kb/884776/EN-US
0
 
LVL 13

Expert Comment

by:frankhelk
ID: 39215501
If your client machines have internet access (at least for NTP), I would recommend letting them sync themselves (and the DC itself) with the external time sources. That would keep most of your domain in sync, provide more stable time and circumvent the DC as a stability bottleneck. If the DC itself gets unsynced, it could drift away anyhow.

If you point your NTP clients to more than one NTP time source, they will figure out the best of them and sync to it. If it fails or degrades, they shift over to another. That's one part of the magic within NTP.

And last, but not least: there are simple ways to monitor NTP servers and clients (which are mostly the same - any NTP client is a server, too). Just try NTPMonitor. Another way - very nice to use on *UX machines with some grep/sed/awk magic - is

ntpq -p [remoteserver]

e.g.

ntpq -p 192.168.1.2

With that you can query the state of the remote machine and interpret the results. RTFM of ntpq for details or ask for more if that doesn't help.
0
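The monitoring point above is the one that would have caught the original outage: the DC kept answering NTP, so nothing on the client side looked wrong. What follows is an added example, not code from the thread or any poster, giving the Windows counterpart of the ntpq -p check with the built-in w32tm /stripchart: it measures the local clock against an external reference that is deliberately outside the domain hierarchy and fails when the median offset exceeds a threshold or no sample came back. The reference host (time.nist.gov), the sample count and the one-second threshold are assumptions; the sample output embedded at the end is constructed, not captured from a real host.

```powershell
# Added example, not code from the thread. The Windows counterpart of the
# "ntpq -p" check above: measure the local clock against an independent
# external reference with w32tm /stripchart and fail when the offset is too
# large or no sample came back. Run on the DC that serves time, so a DC handing
# out bad time (the original problem) is noticed rather than silently followed.
function ConvertFrom-StripChart {
    param([string[]]$Lines)
    # /dataonly prints one sample per line, e.g. "09:12:03, +00.0195411s",
    # or "09:12:05, error: 0x800705B4" when the reference did not answer.
    $offsets = New-Object System.Collections.Generic.List[double]
    $failed  = 0
    foreach ($line in $Lines) {
        if ($line -match '^\s*\d{2}:\d{2}:\d{2},\s*([+-]?\d+\.\d+)s\s*$') {
            $offsets.Add([double]::Parse($Matches[1], [Globalization.CultureInfo]::InvariantCulture))
        } elseif ($line -match '^\s*\d{2}:\d{2}:\d{2},\s*error:') {
            $failed++
        }
    }
    [pscustomobject]@{ Offsets = $offsets.ToArray(); Failed = $failed }
}

function Test-ClockOffset {
    param(
        [string]$Reference        = 'time.nist.gov',   # assumption: any source NOT in your own hierarchy
        [int]$Samples             = 5,
        [double]$MaxOffsetSeconds = 1.0,               # Kerberos tolerates 300 s; alert long before that
        [string[]]$Lines                               # supply captured output instead of running w32tm
    )
    if (-not $Lines) {
        $Lines = @(& w32tm.exe /stripchart "/computer:$Reference" "/samples:$Samples" /dataonly 2>&1 |
                   ForEach-Object { "$_" })
    }
    $parsed = ConvertFrom-StripChart -Lines $Lines

    if ($parsed.Offsets.Count -eq 0) {
        $median = $null
        $ok     = $false
        $reason = "no usable samples from $Reference ($($parsed.Failed) timed out)"
    } else {
        # Median rather than mean, so one network spike neither hides nor fakes a problem.
        $sorted = @($parsed.Offsets | Sort-Object)
        $median = $sorted[[int][math]::Floor($sorted.Count / 2)]
        $ok     = [math]::Abs($median) -le $MaxOffsetSeconds
        $reason = if ($ok) { '' } else { "offset ${median}s exceeds ${MaxOffsetSeconds}s" }
    }
    [pscustomobject]@{
        Reference     = $Reference
        Samples       = $parsed.Offsets.Count
        Failed        = $parsed.Failed
        MedianOffsetS = $median
        InSync        = $ok
        Reason        = $reason
    }
}

# Constructed sample of /dataonly output (not captured from a real host), to show
# the parser without network access: three good samples and one timeout.
$sample = @(
    'Tracking time.nist.gov [129.6.15.28:123].',
    'Collecting 4 samples.',
    'The current time is 24/05/2013 09:12:03.',
    '09:12:03, +00.0195411s',
    '09:12:05, error: 0x800705B4',
    '09:12:07, +00.0188271s',
    '09:12:09, +00.0201137s'
)
Test-ClockOffset -Lines $sample          # InSync = True, Failed = 1
# Live check against the real reference:  Test-ClockOffset
```

Schedule it on the PDCe and on at least one other DC and alert on InSync being false. A "no usable samples" result is itself worth an alert: it means the reference is unreachable, and a PDCe in that state is free-running.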
 

Author Comment

by:bergquistcompany
ID: 39253622
Based on the responses and what I read in the links, we currently have an empty root domain from 2003 setup days and 2 DCs in that domain that back each other up. One gets its time from an external source and is the NTP server all clients point to.

However it sounds like it doesn't work well across domains so I should have a secondary NTP server on the client domain pointing externally and all the clients on that domain point to that server?

@frankhelk - How can I point the clients to multiple NTP time sources as this is exactly what I need so if my DC goes down they aren't all out of sync rather they shift to another?

I will also check NTP monitor.
0
 
LVL 36

Expert Comment

by:Carl Webster
ID: 39389517
You really need to thoroughly read this article:

http://technet.microsoft.com/en-us/library/cc773013(v=ws.10).aspx
How the Windows Time Service Works

The ONLY server in the forest that needs to be configured for time is the PDCe in the Forest Root Domain.  Every other computer in the Forest should use the built-in Windows Time Hierarchy.

I also recommend using, for the USA, north-america.pool.ntp.org,0x1 as my external time server. That gives you a pool of hundreds of highly reliable external time servers.

If you are having to manually configure any other computer in your environment other than the root forest domain's PDCe, you are doing it wrong.
0
 
LVL 47

Expert Comment

by:dlethe
ID: 39389558
Also, do NOT use the top-level time.gov in the first place. There are plenty of time servers that are not only closer to you geographically, but also going to be inherently more accurate due to the latency/drift inconsistency.

Also, what CarlWebster touched on, but didn't emphasize, is that the reason MSFT did it this way is because this is how you want it to be. You want every system in your domain to have exactly the same time. So that is why the one system that gets time from the outside world must be the time server for everybody else in your domain. This is the only way to ensure consistency, especially when they add leap seconds or if a machine isn't allowed to talk to the outside world for security reasons or just misconfiguration issues.
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 39389564
You can set up any server on the domain, including another DC, to synchronize with an outside time source. However, due to the way a Windows domain is configured, the clients will all automatically synch with the server that has the PDC emulator role.  So, in order to have the clients synch with a different DC, you'd have to move the PDC emulator role to that DC.  If the DC you have now acting as the PDC emulator has a wonky time service that won't run reliably, then the only way to resolve this would be to move the PDC emulator role to another domain controller.

However, I'm a little confused about your reference to an "empty" Windows 2003 domain and a separate "client" domain.  Could you please explain this configuration further?

BTW, you should be using time.nist.gov, which uses a round-robin method of synchronization with numerous time servers belonging to NIST. This provides the safest and most reliable method of synchronizing, as you don't have to worry about whether a specific server is responding properly or not.  Here's a link about this:

http://tf.nist.gov/tf-cgi/servers.cgi
0
 
LVL 36

Expert Comment

by:Carl Webster
ID: 39389632
hypercat, Microsoft, in years past, recommended an empty root forest domain and then child domains.  You could have account child domains and resource child domains.  None of this really made much sense from a security viewpoint so Microsoft did away with those recommendations.

If you read Microsoft's current recommendations, they recommend a much simpler design.
0
 
LVL 47

Expert Comment

by:dlethe
ID: 39389758
Thank you for the tip about the nist servers being redone.  Last time I looked at that was maybe 10 years ago, and had issues with them timing out.  Hence I always found several public time servers geographically located near me and set them manually.
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 39389762
@CarlWebster

I have to say I don't remember that being any type of "standard," and I've been working with Microsoft networking since the early 90's. Could be my oldtimer's disease kicking in, or maybe I forgot it on purpose...as I tend to do with many dysfunctional Microsoft recommendations of the past.
0
 
LVL 13

Expert Comment

by:frankhelk
ID: 39392844
Sorry ... I've been a little bit offline from this question.
@frankhelk - How can I point the clients to multiple NTP time sources as this is exactly what I need so if my DC goes down they aren't all out of sync rather they shift to another?

Just as in the example I pointed out above for using servers from pool.ntp.org. Just include them in your ntp.conf file:

# the PDC is preferred; the BDC and one pool server are fallbacks
server mypdc iburst prefer
server mybdc iburst
server 1.pool.ntp.org iburst

driftfile %windir%\ntp.drift
logfile C:\temp\ntp.log

Note: the use of ntp.conf for configuration is limited to the classic NTP client (*ux) and its descendants for other OSs (Windows, Apple's OS, etc.). Since I had hassle with the Windows timekeeping crap (W32time) whenever I used it in NTP mode, I would recommend kicking W32time out and using the classic client (see my article on this).

If you insist on using W32time, it can use multiple NTP sources too. Depending on your Windows version, one of these commands should work:

w32tm /config /syncfromflags:manual /manualpeerlist:mypdc,mybdc

net time /setsntp:"mypdc,mybdc"

Besides my experience of it being unstable, the diagnosis of NTP performance & problems is more cryptic (by far) with W32time.

Last but not least, the use of the classic NTP client would separate the role "time server" from the role "domain controller" - if you like it that way, you might even set up a separate appliance solely for timekeeping ... there's explicit hardware around for that. And you might kick the concept of a local NTP server completely and let all clients sync to an external NTP server pool (see the article or my post about pool.ntp.org above).
0
 
LVL 13

Expert Comment

by:frankhelk
ID: 39392874
@dlethe: You should have a look at pool.ntp.org. That would save you from the task of perpetually checking the availability of your configured time servers. The pool of supplied servers is provided granular down to countries, e.g.

0.de.pool.ntp.org
1.de.pool.ntp.org
2.de.pool.ntp.org
3.de.pool.ntp.org

would give servers only in Germany.
0
 
LVL 18

Expert Comment

by:sarang_tinguria
ID: 39400806
Three things to consider while configuring the time service in a domain environment.

Before that, REMOVE ANY GROUP POLICIES CONFIGURED for it.

1) The guest DC should not sync with the host time service.
To achieve this, run the following if the host is Hyper-V (referred from
http://blogs.msdn.com/b/virtual_pc_guy/archive/2010/11/19/time-synchronization-in-hyper-v.aspx):

rem Disable the Hyper-V time provider inside the guest
reg add HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider /v Enabled /t reg_dword /d 0


2) The PDC should sync with an external time source.
To achieve this, run the following:

rem Re-register the service to reset its configuration to defaults
net stop w32time
w32tm /unregister
w32tm /register
net start w32time
rem Clear any SNTP server list set the old way, then restart
net time /setsntp:
net stop w32time & net start w32time
rem Point the PDC at the external pool and mark it as a reliable time source
w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:manual /reliable:yes /update
w32tm /resync /rediscover
net stop w32time & net start w32time


3) All DCs should sync with the PDC.
To achieve this, run the following:

net stop w32time
w32tm /unregister
w32tm /register
net start w32time
net time /setsntp:
net stop w32time & net start w32time
rem Take time from the domain hierarchy instead of a manual peer list
w32tm /config /syncfromflags:domhier /update
w32tm /resync /rediscover
net stop w32time & net start w32time


Let me know if you are using VMware.
0
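The three-step procedure above configures the service but does not show whether each DC actually followed the new settings, and w32time is happy to keep running from the local CMOS clock or from a hypervisor provider without complaint. The following is an added example, not code from the thread or any poster: a PowerShell check that parses "w32tm /query /status" on a DC and flags the Source values that mean it is not following any NTP peer, a stratum of 0, and a stale last-sync time. The expected-peer regex and the 60-minute age limit are assumptions, and the status text embedded at the end is constructed to show a virtual DC still taking time from its Hyper-V parent, the situation the first reply warns about.

```powershell
# Added example, not code from the thread. After the three steps above, confirm
# on each DC that w32time really took the intended source. Parses
# "w32tm /query /status" and flags Source values that mean the machine is not
# following any peer: the local CMOS clock, a free-running clock, or the
# Hyper-V host provider. Expected-peer pattern and sync-age limit are assumptions.
function ConvertFrom-W32tmStatus {
    param([string[]]$Lines)
    # Each line is "Name: value"; the first colon separates them.
    $fields = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^:]+):\s*(.*)$') {
            $fields[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    $fields
}

function Test-W32tmSource {
    param(
        [string[]]$StatusLines = @(& w32tm.exe /query /status 2>&1 | ForEach-Object { "$_" }),
        [string]$ExpectedPeerPattern,      # regex: 'nist\.gov' on the PDCe, the PDCe's name elsewhere
        [int]$MaxSyncAgeMinutes = 60
    )
    $s        = ConvertFrom-W32tmStatus -Lines $StatusLines
    $source   = $s['Source']
    $findings = New-Object System.Collections.Generic.List[string]

    $notSynced = @('Local CMOS Clock', 'Free-running System Clock', 'VM IC Time Synchronization Provider')
    if (-not $source) {
        $findings.Add('no Source line in output; is the w32time service running?')
    } elseif ($notSynced -contains $source) {
        $findings.Add("Source is '$source': not synchronized to any NTP peer")
    } elseif ($ExpectedPeerPattern -and $source -notmatch $ExpectedPeerPattern) {
        $findings.Add("Source '$source' does not match expected '$ExpectedPeerPattern'")
    }

    # "Stratum: 2 (secondary reference - syncd by (S)NTP)"; 0 means unsynchronized.
    $stratum = $null
    if ($s['Stratum'] -match '^(\d+)') { $stratum = [int]$Matches[1] }
    if ($stratum -eq 0) { $findings.Add('Stratum 0: clock is unsynchronized') }

    $lastSync = $null
    try {
        $lastSync = [datetime]::Parse($s['Last Successful Sync Time'])   # printed in the local culture
        $age = ((Get-Date) - $lastSync).TotalMinutes
        if ($age -gt $MaxSyncAgeMinutes) {
            $findings.Add("last successful sync was $([int]$age) minutes ago")
        }
    } catch {
        $findings.Add("cannot read last sync time: '$($s['Last Successful Sync Time'])'")
    }

    [pscustomobject]@{
        Source   = $source
        Stratum  = $stratum
        LastSync = $lastSync
        Healthy  = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Constructed sample (not captured from a real host): a virtual DC that is still
# taking time from its Hyper-V parent.
$sample = @(
    'Leap Indicator: 0(no warning)',
    'Stratum: 3 (secondary reference - syncd by (S)NTP)',
    'Precision: -6 (15.625ms per tick)',
    'Root Delay: 0.0000000s',
    'Root Dispersion: 10.0000000s',
    'ReferenceId: 0x00000000 (unspecified)',
    'Last Successful Sync Time: 5/24/2013 9:12:03 AM',
    'Source: VM IC Time Synchronization Provider',
    'Poll Interval: 6 (64s)'
)
Test-W32tmSource -StatusLines $sample -ExpectedPeerPattern 'nist\.gov'   # Healthy = False
# Live check on the PDCe:  Test-W32tmSource -ExpectedPeerPattern 'pool\.ntp\.org'
```

On the PDCe the expected pattern is the external source from step 2; on every other DC it is the PDCe's host name, since step 3 puts them on the domain hierarchy. A Source of "Local CMOS Clock" right after the procedure usually means the resync has not happened yet or the external peer is blocked at the firewall (UDP 123 outbound).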
 

Author Comment

by:bergquistcompany
ID: 39526374
Thanks I'll review all the suggestions
0
 
LVL 13

Expert Comment

by:frankhelk
ID: 39527236
Just a small comment at the end: if you use W32time to sync time in a domain, the "time master" role is automatically combined with the DC role and cannot be separated from it. If the BDC replaces a failing DC, it gets its time server role, too.

The only way to circumvent this - only weakly (if at all) required - intermix of roles is to do time sync separately with classic NTP (just repeating the reference: my article about NTP).
0
 

Author Comment

by:bergquistcompany
ID: 39663156
@ userPrincipalName - So you have the GPO you showed applied to ALL systems or just all DCs that are not the PDCe?  Then you have a secondary GPO for the PDCe?

We have all our servers in the same OU so I'm thinking if I created a policy at the OU level then it would hit the PDCe also so would apply the secondary to the PDCe so it would override?

Thus if my time service stopped on my VM host where my PDCe resides it should still work as it isn't pointing to the VM host for time?
0
 

Author Comment

by:bergquistcompany
ID: 39663191
@ CarlWebster and @dlethe - so if I only configure the PDCe, is it in the registry that you are still doing this, or GPO on that machine only?
0
 

Author Comment

by:bergquistcompany
ID: 39663232
@ sarang_tinguria yes, using VMware, and given my PDCe is a VM it gets its time from the host even though I have it set up in the registry to go to NTPServer .gov.

Thus when the host time service went down my PDCe VM had the wrong time and served it. Shouldn't having set the NTP override the PDCe from using the host time?
0
 
LVL 18

Accepted Solution

by:
sarang_tinguria earned 500 total points
ID: 39670966
This is a known issue: when you disable host-to-guest time sync, the guest still tries syncing with the host.
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1189
0
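The accepted answer points at VMware KB 1189, which explains why the asker's PDCe kept taking host time: unticking "Synchronize guest time with host" in VMware Tools only stops the periodic sync, and the guest is still snapped to host time after a snapshot restore, a suspend/resume, a disk shrink and at Tools startup unless a set of time.synchronize.* keys is also set to "0" in the VM's .vmx. The following is an added example, not code from the thread, any poster or VMware: a PowerShell function that reads a .vmx file and reports which of those keys are missing or not disabled. The key list is the one documented in that KB; check the KB's current revision for your vSphere version before relying on it. The .vmx text at the end is constructed for illustration.

```powershell
# Added example, not code from the thread or from VMware. Audits a VM's .vmx for
# the keys VMware KB 1189 (linked above) says must be "0" to fully disable
# host-to-guest time sync; the Tools checkbox alone leaves the one-off syncs on.
# Verify the key list against the KB's current revision before relying on it.
function Test-VmxTimeSyncDisabled {
    param([Parameter(Mandatory)][string]$VmxText)

    $required = @(
        'tools.syncTime',                   # the periodic sync (the Tools checkbox)
        'time.synchronize.continue',        # after snapshot operations
        'time.synchronize.restore',         # after reverting to a snapshot
        'time.synchronize.resume.disk',     # after suspend/resume
        'time.synchronize.shrink',          # after a disk shrink
        'time.synchronize.tools.startup'    # when VMware Tools starts in the guest
    )

    # .vmx lines look like:   key = "value"   (keys are case-insensitive, as is @{}).
    $settings = @{}
    foreach ($line in ($VmxText -split "`r?`n")) {
        if ($line -match '^\s*([^=\s]+)\s*=\s*"?([^"]*)"?\s*$') {
            $settings[$Matches[1]] = $Matches[2]
        }
    }

    # "0" is what the KB writes; VMware also accepts FALSE for boolean keys.
    $findings = foreach ($key in $required) {
        if (-not $settings.ContainsKey($key)) {
            "$key is missing (sync for that event stays enabled)"
        } elseif (@('0', 'FALSE') -notcontains $settings[$key]) {
            "$key = `"$($settings[$key])`" should be `"0`""
        }
    }

    [pscustomobject]@{
        Disabled = (@($findings).Count -eq 0)
        Findings = @($findings)
    }
}

# Constructed .vmx fragment (not from a real VM): the checkbox is off and two of
# the one-off syncs are disabled, but three events would still reset the clock.
$sample = @'
.encoding = "UTF-8"
config.version = "8"
displayName = "DC1"
tools.syncTime = "FALSE"
time.synchronize.continue = "0"
time.synchronize.restore = "0"
'@
Test-VmxTimeSyncDisabled -VmxText $sample       # Disabled = False, three findings

# Real VM (power it off and edit the .vmx, or use the vSphere client's advanced settings):
# Test-VmxTimeSyncDisabled -VmxText (Get-Content '\\datastore\DC1\DC1.vmx' -Raw)
```

Inside the guest, `VMwareToolboxCmd.exe timesync status` shows only the checkbox state, so it cannot tell you whether the one-off syncs are disabled; that is why the .vmx is what to audit. For a virtual PDCe the combination that matches the advice in this thread is: all of these keys at "0", and w32time on the PDCe pointed at an external source.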
 

Author Closing Comment

by:bergquistcompany
ID: 39697233
this is exactly my issue
0
