Solved

W32 Time problems on a virtual domain controller.  Changing itself to CMOS source or other.

Posted on 2016-10-24
Last Modified: 2016-10-28
Hello,
We are having network time issues on one of our Domain Controllers.  The server is running 2012 R2 on a virtual machine.  We have the server set to pick up time from a range of four sources –

0.uk.pool.ntp.org
1.uk.pool.ntp.org
2.uk.pool.ntp.org
3.uk.pool.ntp.org

Issues:
What we are finding is that after a reboot (does not appear to happen after every reboot), the server is either:
1) Taking the time from the CMOS (and rapidly drifting by up to 5 minutes). This is proven by the command w32tm /query /status
Or
2) At other times, a short time after reboot, the server is failing to obtain the time from one of our four sources (uk.pool.ntp.org), despite the w32tm /query /status showing the current four valid sources after a reboot.

When the machine is in this state, it appears to take over an hour to actually drift out and then propagate the wrong time to the network machines.
The domain controller is correctly announcing itself as a valid time source and other machines in the domain are taking their time from this server.

We are not pulling down the time from the host machine; we unticked the Time Synchronization option a number of months ago.
The issue does not happen on every reboot but appears to be happening more regularly.

This morning we have set the time to be taken from our other domain controller, which is a physical box.  

Would appreciate any comments on why you think the time settings are deviating from our settings or failing after a time.

Thanks
0
Question by:Crown_Decc
4 Comments
 
LVL 7

Expert Comment

by:Niten Kumar
ID: 41856765
0
 
LVL 33

Expert Comment

by:masnrock
ID: 41856780
Is the BIOS on the physical machine up to date? If not, update it. You also might want to check the CMOS battery.

What type of VM is it? If VMware, look at the article nitenKumar posted. If Hyper-V, you're going to need to make sure that the physical system and host OS have the right time. You also might want to look at the NIC driver in use on the server. Is it up to date?
0
 
LVL 35

Accepted Solution

by:
it_saige earned 2000 total points
ID: 41857034
Unless this DC is the PDC Emulator role holder, the OS should be configured to retrieve its time from the domain hierarchy.  You can use the following command to configure the time service to synchronize from the domain hierarchy -
w32tm /config /syncfromflags:domhier /update

You also want to ensure that the VM instance is configured so that Time Integration services are disabled.

VMWare Disabling Time Synchronization - https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1189

Domain Controllers in Hyper-V - https://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv(v=ws.10).aspx

You may also want to consider configuring time services for your PDC Emulator via Group Policy.  I do this because in the midst of planning for DC demotion and promotion, Time Services are generally forgotten until something breaks.  To configure the time services for the PDC Emulator via Group Policy, please refer to this previous EE PAQ - https:/Q_28597899.html#a40553961

-saige-
0
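Added example, not part of the original thread or any poster's code: a PowerShell check that reports which source W32Time is really using on a DC and, with the script's own -Fix switch, applies the role-appropriate configuration (domain hierarchy for ordinary DCs, the question's four pool servers for the PDC Emulator). It assumes the ActiveDirectory PowerShell module is installed and an elevated session; the VMICTimeProvider registry check is only meaningful on Hyper-V guests.

```powershell
# Added example (not from the thread). Run elevated on the DC being checked.
# Assumes the ActiveDirectory module (RSAT AD PowerShell) is installed.
param([switch]$Fix)   # hypothetical switch: without -Fix the script only reports

Import-Module ActiveDirectory

# External peers as listed in the question; only the PDC Emulator should use them.
$peers = '0.uk.pool.ntp.org 1.uk.pool.ntp.org 2.uk.pool.ntp.org 3.uk.pool.ntp.org'

# Does this DC hold the PDC Emulator role?
$dc    = Get-ADDomainController -Identity $env:COMPUTERNAME
$isPdc = $dc.OperationMasterRoles -contains 'PDCEmulator'

# What W32Time is actually using right now, e.g. "Local CMOS Clock".
$source = (w32tm /query /source | Out-String).Trim()

# Hyper-V guests: the integration-services time provider can override NTP/domain sync.
$vmicKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'
$vmicOn  = (Get-ItemProperty -Path $vmicKey -Name Enabled -ErrorAction SilentlyContinue).Enabled -eq 1

$problems = @()
if ($source -match 'CMOS|Free-running') { $problems += "Not synchronising: source is '$source'" }
if ($source -match 'VM IC Time')        { $problems += 'Time is coming from the hypervisor' }
if ($vmicOn)                            { $problems += 'VMICTimeProvider is enabled in the guest' }
if (-not $isPdc -and $source -match 'pool\.ntp\.org') {
    $problems += 'Non-PDC DC is using external peers instead of the domain hierarchy'
}

# Report object, suitable for piping to a log or Export-Csv.
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    IsPdcEmulator = $isPdc
    Source        = $source
    Problems      = $problems
}

if ($Fix -and $problems) {
    if ($isPdc) {
        # PDC Emulator: sync from the external peers and advertise as reliable.
        w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
    } else {
        # Any other DC: the command from the accepted answer.
        w32tm /config /syncfromflags:domhier /update
    }
    w32tm /resync /rediscover
    w32tm /query /status
}
```

The script does not change hypervisor settings; host-side time synchronization still has to be disabled in the VM configuration as described in the answer above. Running it from a startup scheduled task makes the post-reboot fallback to the CMOS clock visible before drift reaches the 5-minute default Kerberos clock-skew tolerance.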
 
LVL 14

Expert Comment

by:frankhelk
ID: 41858513
Hmmm ... W32time, the timekeeping service in Windows. I experienced enough trouble with that piece of crap when in NTP mode to avoid using it whenever I can.

For a mature timekeeping service with well documented behaviour, I'd recommend this:

Use a Windows port of the classic *ix NTP service on your DCs. Be sure to disable the time sync features of VMware (two timekeeping services on one clock will cause time chaos). The NTP service software is free. Easy to install and configure, works like a charm and is stable as a rock. And it is nicer when it comes to one of the rare cases of troubleshooting.

See my article on NTP basics for the "How To".

The NTP service has a low resource footprint, therefore the NTP functionality could be hooked onto existing machines or VMs like webservers, ftp servers, mailservers or database hosts - even in a DMZ - without visible performance impact.
0

Question has a verified solution.