Solved

W32 Time problems on a virtual domain controller.  Changing itself to CMOS source or other.

Posted on 2016-10-24
4
72 Views
Last Modified: 2016-10-28
Hello,
We are having network time issues on one of our Domain Controllers.  The server is running 2012 R2 on a virtual machine.  We have the server set to pick up time from a range of four sources –

0.uk.pool.ntp.org
1.uk.pool.ntp.org
2.uk.pool.ntp.org
3.uk.pool.ntp.org

Issues:
What we are finding is that after a reboot (does not appear to happen after every reboot), the server is either:
1)      Taking the time from the CMOS (and rapidly drifting by up to 5 minutes).
This is proven by the command w32tm /query /status
Or
      2)  At other times, a short time after reboot, the server is failing to obtain the time from one of our four sources    (uk.pool.ntp.org), despite the w32tm /query /status showing the current four valid sources after a reboot.  

When the machine is in this state, it appears to take over an hour to actually drift out and then propagate the wrong time to the network machines.
The domain controller is correctly announcing itself as a valid time source and other machines in the domain are taking their time from this server.

We are not pulling down the time from the host machine, we have unticked the Time Synchronization option a number of months ago.
The issue does not happen on every reboot but appears to be happening more regularly.

This morning we have set the time to be taken from our other domain controller, which is a physical box.  

Would appreciate any comments on why you think the time settings are deviating from our settings or failing after a time.

Thanks
0
Comment
Question by:Crown_Decc
4 Comments
 
LVL 6

Expert Comment

by:Niten Kumar
ID: 41856765
0
 
LVL 25

Expert Comment

by:masnrock
ID: 41856780
Is the BIOS on the physical machine up to date? If not, update it. You also might want to check the CMOS battery.

What type of VM is it? If VMware, look at the article nitenKumar posted. If Hyper-V, you're going to need to make sure that the physical system and host OS have the right time. You also might want to look at the NIC driver in use on the server. It is up to date?
0
 
LVL 33

Accepted Solution

by:
it_saige earned 500 total points
ID: 41857034
Unless this DC is the PDC Emulator role holder, the OS should be configured to retrieve it's time from the domain hierarchy.  You can use the following command to configure the time service to synchronize from the domain hierarchy -
w32tm /config /syncfromflags:domhier /update

Open in new window

You also want to ensure that the VM instance is configured so that Time Integration services are disabled.

VMWare Disabling Time Synchronization - https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1189

Domain Controllers in Hyper-V - https://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv(v=ws.10).aspx

You may also want to consider configuring time services for your PDC Emulator via Group Policy.  I do this because in the midst of planning for DC demotion and promotion, Time Services are generally forgotten until something breaks.  To configure the time services for the PDC Emulator via Group Policy, please refer to this previous EE PAQ - https:/Q_28597899.html#a40553961

-saige-
0
 
LVL 14

Expert Comment

by:frankhelk
ID: 41858513
Hmmm ... W32time, the timekeeping service in Windows. I experienced enough trouble with that piece of crap when in NTP mode to avoid using it whenever I can.

For a mature timekeeping service with well documented behaviour, I'd recommend this:

Use a Windows port of the classic *ix NTP service on your DCs. Ensure to disable the time sync features of VMware (to timekeeping services on one clock will cause time chaos). The NTP service software is free. Easy to install and configure, works like a charm and is stable as a rock. And it is nicer when it comes to one of the rare cases of troubleshooting.

See my article on NTP basics for the "How To".

The NTP service has a low ressource footprint, therefore the NTP functionality could be hooked onto existing machines or VM's like webservers, ftp servers, mailservers or database hosts - even in a DMZ - without visible performance impact.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question