Solved

W32 Time problems on a virtual domain controller.  Changing itself to CMOS source or other.

Posted on 2016-10-24
Last Modified: 2016-10-28
Hello,
We are having network time issues on one of our Domain Controllers.  The server is running 2012 R2 on a virtual machine.  We have the server set to pick up time from a range of four sources –

0.uk.pool.ntp.org
1.uk.pool.ntp.org
2.uk.pool.ntp.org
3.uk.pool.ntp.org

Issues:
What we are finding is that after a reboot (does not appear to happen after every reboot), the server is either:
1) Taking the time from the CMOS (and rapidly drifting by up to 5 minutes). This is proven by the command w32tm /query /status
Or
2) At other times, a short time after reboot, the server is failing to obtain the time from one of our four sources (uk.pool.ntp.org), despite the w32tm /query /status showing the current four valid sources after a reboot.

When the machine is in this state, it appears to take over an hour to actually drift out and then propagate the wrong time to the network machines.
The domain controller is correctly announcing itself as a valid time source and other machines in the domain are taking their time from this server.

We are not pulling down the time from the host machine, we have unticked the Time Synchronization option a number of months ago.
The issue does not happen on every reboot but appears to be happening more regularly.

This morning we have set the time to be taken from our other domain controller, which is a physical box.  

Would appreciate any comments on why you think the time settings are deviating from our settings or failing after a time.

Thanks
Question by:Crown_Decc
4 Comments
 
LVL 6

Expert Comment

by:Niten Kumar
ID: 41856765
0
 
LVL 20

Expert Comment

by:masnrock
ID: 41856780
Is the BIOS on the physical machine up to date? If not, update it. You also might want to check the CMOS battery.

What type of VM is it? If VMware, look at the article nitenKumar posted. If Hyper-V, you're going to need to make sure that the physical system and host OS have the right time. You also might want to look at the NIC driver in use on the server. Is it up to date?
0
 
LVL 32

Accepted Solution

by:
it_saige earned 500 total points
ID: 41857034
Unless this DC is the PDC Emulator role holder, the OS should be configured to retrieve its time from the domain hierarchy.  You can use the following command to configure the time service to synchronize from the domain hierarchy -
w32tm /config /syncfromflags:domhier /update

You also want to ensure that the VM instance is configured so that Time Integration services are disabled.

VMWare Disabling Time Synchronization - https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1189

Domain Controllers in Hyper-V - https://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv(v=ws.10).aspx

You may also want to consider configuring time services for your PDC Emulator via Group Policy.  I do this because in the midst of planning for DC demotion and promotion, Time Services are generally forgotten until something breaks.  To configure the time services for the PDC Emulator via Group Policy, please refer to this previous EE PAQ - https:/Q_28597899.html#a40553961

-saige-
0
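The role-dependent configuration described in the accepted answer, as an added example (not code from the thread): it sets the time source according to whether this DC holds the PDC Emulator role, then checks that the service has not fallen back to a local clock. It assumes an elevated PowerShell session on the DC and the ActiveDirectory module; the peer list is the one from the question, and the 15-second wait is an arbitrary choice.

```powershell
# Added example, not from the thread. Run elevated on the domain controller.
# Assumption: the ActiveDirectory module (RSAT) is installed for Get-ADDomain.
Import-Module ActiveDirectory

# External NTP peers from the question; ",0x8" requests client mode per peer.
$peers = '0.uk.pool.ntp.org,0x8 1.uk.pool.ntp.org,0x8 ' +
         '2.uk.pool.ntp.org,0x8 3.uk.pool.ntp.org,0x8'

# PDCEmulator is an FQDN; compare its host part with this machine's name.
$pdc   = (Get-ADDomain).PDCEmulator
$isPdc = $pdc -like "$env:COMPUTERNAME.*"

if ($isPdc) {
    # Only the PDC Emulator syncs from external NTP and advertises as reliable.
    w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
} else {
    # Every other DC follows the domain hierarchy (command from the answer).
    w32tm /config /syncfromflags:domhier /update
}

# Relevant only if the guest runs on Hyper-V: the integration time provider
# competes with the configured source while it stays enabled.
$vmic = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider'
$prov = Get-ItemProperty -Path $vmic -ErrorAction SilentlyContinue
if ($prov -and $prov.Enabled -eq 1) {
    Write-Warning 'VMICTimeProvider is enabled; on Hyper-V, disable host time sync for this DC.'
}

# Force rediscovery, then confirm which source the service actually uses.
w32tm /resync /rediscover
Start-Sleep -Seconds 15
$source = (w32tm /query /source | Out-String).Trim()

$localClocks = 'Local CMOS Clock|Free-running System Clock|VM IC Time Synchronization Provider'
if ($source -match $localClocks) {
    Write-Warning "PDC Emulator is $pdc, but this DC is syncing from '$source'."
} else {
    Write-Output "Time source: $source"
}

# Full detail (stratum, last successful sync, poll interval) for the record.
w32tm /query /status
```

Because the fault in the question appears only after some reboots, the verification part is worth re-running after each restart rather than once.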
 
LVL 13

Expert Comment

by:frankhelk
ID: 41858513
Hmmm ... W32time, the timekeeping service in Windows. I experienced enough trouble with that piece of crap when in NTP mode to avoid using it whenever I can.

For a mature timekeeping service with well documented behaviour, I'd recommend this:

Use a Windows port of the classic *ix NTP service on your DCs. Be sure to disable the time sync features of VMware (two timekeeping services on one clock will cause time chaos). The NTP service software is free. Easy to install and configure, works like a charm and is stable as a rock. And it is nicer when it comes to one of the rare cases of troubleshooting.

See my article on NTP basics for the "How To".

The NTP service has a low resource footprint, therefore the NTP functionality could be hooked onto existing machines or VMs like webservers, ftp servers, mailservers or database hosts - even in a DMZ - without visible performance impact.
0
