Solved

W32 Time problems on a virtual domain controller.  Changing itself to CMOS source or other.

Posted on 2016-10-24
Last Modified: 2016-10-28
Hello,
We are having network time issues on one of our Domain Controllers.  The server is running 2012 R2 on a virtual machine.  We have the server set to pick up time from a range of four sources –

0.uk.pool.ntp.org
1.uk.pool.ntp.org
2.uk.pool.ntp.org
3.uk.pool.ntp.org

Issues:
What we are finding is that after a reboot (does not appear to happen after every reboot), the server is either:
1) Taking the time from the CMOS (and rapidly drifting by up to 5 minutes). This is proven by the command w32tm /query /status
Or
2) At other times, a short time after reboot, the server is failing to obtain the time from one of our four sources (uk.pool.ntp.org), despite the w32tm /query /status showing the current four valid sources after a reboot.

When the machine is in this state, it appears to take over an hour to actually drift out and then propagate the wrong time to the network machines.
The domain controller is correctly announcing itself as a valid time source and other machines in the domain are taking their time from this server.

We are not pulling down the time from the host machine; we have unticked the Time Synchronization option a number of months ago.
The issue does not happen on every reboot but appears to be happening more regularly.

This morning we have set the time to be taken from our other domain controller, which is a physical box.  

Would appreciate any comments on why you think the time settings are deviating from our settings or failing after a time.

Thanks
Question by:Crown_Decc
4 Comments
 
LVL 6

Expert Comment

by:Niten Kumar
ID: 41856765
0
 
LVL 29

Expert Comment

by:masnrock
ID: 41856780
Is the BIOS on the physical machine up to date? If not, update it. You also might want to check the CMOS battery.

What type of VM is it? If VMware, look at the article nitenKumar posted. If Hyper-V, you're going to need to make sure that the physical system and host OS have the right time. You also might want to look at the NIC driver in use on the server. Is it up to date?
0
 
LVL 34

Accepted Solution

by:
it_saige earned 500 total points
ID: 41857034
Unless this DC is the PDC Emulator role holder, the OS should be configured to retrieve its time from the domain hierarchy.  You can use the following command to configure the time service to synchronize from the domain hierarchy -
w32tm /config /syncfromflags:domhier /update

You also want to ensure that the VM instance is configured so that Time Integration services are disabled.

VMWare Disabling Time Synchronization - https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1189

Domain Controllers in Hyper-V - https://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv(v=ws.10).aspx

You may also want to consider configuring time services for your PDC Emulator via Group Policy.  I do this because in the midst of planning for DC demotion and promotion, Time Services are generally forgotten until something breaks.  To configure the time services for the PDC Emulator via Group Policy, please refer to this previous EE PAQ - https:/Q_28597899.html#a40553961

-saige-
0
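
The checks described in the accepted answer, as an added example that is not part of the original thread: a PowerShell function that reads `w32tm /query /status` output and flags a DC running on its own clock, on the Hyper-V integration provider, or (for a non-PDC DC) not set to the domain hierarchy. The function name, the constructed sample lines and the English-language w32tm output are assumptions.

```powershell
# Added example, not from the original thread. Assumes English w32tm output.
function Test-DcTimeSource {
    param(
        [string[]]$StatusLines,   # lines from: w32tm /query /status
        [string]$SyncType,        # W32Time\Parameters "Type" value (NT5DS, NTP, AllSync, NoSync)
        [bool]$IsPdcEmulator      # true only for the PDC Emulator role holder
    )
    # Pull the active time source out of the status output.
    $source = $null
    foreach ($line in $StatusLines) {
        if ($line -match '^Source:\s*(.+)$') { $source = $Matches[1].Trim(); break }
    }
    $findings = @()
    if (-not $source) {
        $findings += 'No Source line found; is the W32Time service running?'
    } elseif ($source -match 'Local CMOS Clock|Free-running System Clock') {
        $findings += "Source is '$source': the DC is running on its own clock and will drift."
    } elseif ($source -match 'VM IC Time Synchronization Provider') {
        $findings += 'Source is the Hyper-V integration provider: host time sync is still active.'
    }
    # /syncfromflags:domhier sets Type to NT5DS; anything else on a non-PDC DC is a finding.
    if (-not $IsPdcEmulator -and $SyncType -ne 'NT5DS') {
        $findings += "Type is '$SyncType' on a non-PDC DC; fix: w32tm /config /syncfromflags:domhier /update"
    }
    [pscustomobject]@{ Source = $source; SyncType = $SyncType; Findings = $findings }
}

# Constructed sample: status output of a non-PDC DC that fell back to the CMOS clock.
$sampleStatus = @(
    'Leap Indicator: 0(no warning)',
    'Stratum: 1 (primary reference - syncd by radio clock)',
    'ReferenceId: 0x4C4F434C (source name:  "LOCL")',
    'Source: Local CMOS Clock',
    'Poll Interval: 6 (64s)'
)
$result = Test-DcTimeSource -StatusLines $sampleStatus -SyncType 'NTP' -IsPdcEmulator $false
$result.Findings   # print the findings for the constructed sample

# On a live DC, collect the inputs like this (Get-ADDomain needs the ActiveDirectory module):
#   $status = w32tm /query /status
#   $type   = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters').Type
#   $isPdc  = (Get-ADDomain).PDCEmulator -like "$env:COMPUTERNAME.*"
#   Test-DcTimeSource -StatusLines $status -SyncType $type -IsPdcEmulator $isPdc
```

Running it from a scheduled task shortly after each boot catches the fallback before the skew reaches domain members.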
 
LVL 14

Expert Comment

by:frankhelk
ID: 41858513
Hmmm ... W32time, the timekeeping service in Windows. I experienced enough trouble with that piece of crap when in NTP mode to avoid using it whenever I can.

For a mature timekeeping service with well documented behaviour, I'd recommend this:

Use a Windows port of the classic *ix NTP service on your DCs. Ensure to disable the time sync features of VMware (two timekeeping services on one clock will cause time chaos). The NTP service software is free. Easy to install and configure, works like a charm and is stable as a rock. And it is nicer when it comes to one of the rare cases of troubleshooting.

See my article on NTP basics for the "How To".

The NTP service has a low resource footprint, therefore the NTP functionality could be hooked onto existing machines or VMs like webservers, ftp servers, mailservers or database hosts - even in a DMZ - without visible performance impact.
0
