Solved

W32 Time problems on a virtual domain controller.  Changing itself to CMOS source or other.

Posted on 2016-10-24
Last Modified: 2016-10-28
Hello,
We are having network time issues on one of our Domain Controllers.  The server is running 2012 R2 on a virtual machine.  We have the server set to pick up time from a range of four sources –

0.uk.pool.ntp.org
1.uk.pool.ntp.org
2.uk.pool.ntp.org
3.uk.pool.ntp.org

Issues:
What we are finding is that after a reboot (does not appear to happen after every reboot), the server is either:
1) Taking the time from the CMOS (and rapidly drifting by up to 5 minutes). This is proven by the command w32tm /query /status
Or
2) At other times, a short time after reboot, the server is failing to obtain the time from one of our four sources (uk.pool.ntp.org), despite the w32tm /query /status showing the current four valid sources after a reboot.

When the machine is in this state, it appears to take over an hour to actually drift out and then propagate the wrong time to the network machines.
The domain controller is correctly announcing itself as a valid time source and other machines in the domain are taking their time from this server.

We are not pulling down the time from the host machine; we unticked the Time Synchronization option a number of months ago.
The issue does not happen on every reboot but appears to be happening more regularly.

This morning we have set the time to be taken from our other domain controller, which is a physical box.  

Would appreciate any comments on why you think the time settings are deviating from our settings or failing after a time.

Thanks
Question by:Crown_Decc
 
LVL 6

Expert Comment

by:Niten Kumar
ID: 41856765
 
LVL 23

Expert Comment

by:masnrock
ID: 41856780
Is the BIOS on the physical machine up to date? If not, update it. You also might want to check the CMOS battery.

What type of VM is it? If VMware, look at the article nitenKumar posted. If Hyper-V, you're going to need to make sure that the physical system and host OS have the right time. You also might want to look at the NIC driver in use on the server. Is it up to date?
 
LVL 33

Accepted Solution

by:
it_saige earned 500 total points
ID: 41857034
Unless this DC is the PDC Emulator role holder, the OS should be configured to retrieve its time from the domain hierarchy.  You can use the following command to configure the time service to synchronize from the domain hierarchy -
w32tm /config /syncfromflags:domhier /update

You also want to ensure that the VM instance is configured so that Time Integration services are disabled.

VMware Disabling Time Synchronization - https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1189

Domain Controllers in Hyper-V - https://technet.microsoft.com/en-us/library/virtual_active_directory_domain_controller_virtualization_hyperv(v=ws.10).aspx

You may also want to consider configuring time services for your PDC Emulator via Group Policy.  I do this because in the midst of planning for DC demotion and promotion, Time Services are generally forgotten until something breaks.  To configure the time services for the PDC Emulator via Group Policy, please refer to this previous EE PAQ - https:/Q_28597899.html#a40553961

-saige-
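
A check for the two failure states described in this thread, as an added example that is not part of the original answer or the asker's environment: it classifies the "Source:" line of `w32tm /query /status` against the DC's role. `Test-TimeSource`, `$pool` and `$sample` are hypothetical names and constructed data; English-language w32tm output is assumed.

```powershell
# Added example (not from the thread). Test-TimeSource and $sample are constructed.
# Assumes English-language w32tm output.
function Test-TimeSource {
    param(
        [Parameter(Mandatory)][string]$StatusText,   # text of: w32tm /query /status
        [Parameter(Mandatory)][bool]$IsPdcEmulator,
        [string[]]$ExternalPeers = @()               # NTP peers intended for the PDC emulator only
    )
    $m = [regex]::Match($StatusText, '(?m)^Source:\s*(.+?)\s*$')
    if (-not $m.Success) { return 'UNKNOWN: no Source line in status output' }
    $source = $m.Groups[1].Value

    # w32time has fallen back to the local clock and follows no peer.
    if ($source -match 'Local CMOS Clock|Free-running System Clock') {
        return "ALERT: not synchronised, source is '$source'"
    }
    # The Hyper-V integration service is still steering the guest clock.
    if ($source -match 'VM IC Time Synchronization Provider') {
        return "ALERT: host time integration is active ('$source')"
    }
    # Peer sources are reported as "name,0xflags"; compare on the name only.
    $peer = ($source -split ',')[0].Trim()
    $isExternal = $ExternalPeers -contains $peer
    if ($IsPdcEmulator) {
        if ($isExternal) { return "OK: PDC emulator syncing from $peer" }
        return "WARN: PDC emulator syncing from unexpected source '$peer'"
    }
    if ($isExternal) {
        return "WARN: non-PDC DC syncing from external peer $peer; expected domain hierarchy"
    }
    return "OK: syncing from $peer"
}

$pool = '0.uk.pool.ntp.org','1.uk.pool.ntp.org','2.uk.pool.ntp.org','3.uk.pool.ntp.org'

# Constructed sample of the failure state described in the question.
$sample = @'
Stratum: 1 (primary reference - syncd by radio clock)
Source: Local CMOS Clock
Poll Interval: 6 (64s)
'@
Test-TimeSource -StatusText $sample -IsPdcEmulator $true -ExternalPeers $pool

# Live use on a DC (Get-ADDomain needs the ActiveDirectory module):
# $isPdc  = (Get-ADDomain).PDCEmulator -like "$env:COMPUTERNAME.*"
# $status = (w32tm /query /status) -join "`n"
# Test-TimeSource -StatusText $status -IsPdcEmulator $isPdc -ExternalPeers $pool
```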
 
LVL 14

Expert Comment

by:frankhelk
ID: 41858513
Hmmm ... W32time, the timekeeping service in Windows. I experienced enough trouble with that piece of crap when in NTP mode to avoid using it whenever I can.

For a mature timekeeping service with well documented behaviour, I'd recommend this:

Use a Windows port of the classic *ix NTP service on your DCs. Be sure to disable the time sync features of VMware (two timekeeping services on one clock will cause time chaos). The NTP service software is free. Easy to install and configure, works like a charm and is stable as a rock. And it is nicer when it comes to one of the rare cases of troubleshooting.

See my article on NTP basics for the "How To".

The NTP service has a low resource footprint, therefore the NTP functionality could be hooked onto existing machines or VMs like webservers, ftp servers, mailservers or database hosts - even in a DMZ - without visible performance impact.