Active directory time sync

We have multiple Active Directory forests in different locations as part of the requirement and design. There are some applications deployed in one site that feed information to apps installed in other AD forests. Last month we had an incident in one of our sites where they had a time difference of some 15 minutes in their AD, and the admin wanted to correct the time and changed the system clock on the PDC by 3 minutes. I am told that change caused a major downtime where users were not able to access file shares and some couldn't log on. They logged in to the DC from the hypervisor and changed it back to the original time and things got better.
Now we have time-related issues in other sites also. All domain controllers are virtualized. So far the PDCs are taking time locally and no time server is configured. We have configured switches in each of the sites as time sources.
There is a time difference of 15 minutes. This is what is scaring me. Time will change 15 minutes ahead. I have the commands and the procedure. That is not the issue.
I want to explore the safest options, where the time does not change abruptly and cause issues. I think that when the PDC is configured to sync time with the time source, the time should change gradually and not all at once.
Looking for the safest options to change time. There is a 15-minute time difference between the PDC and the time source.
Aamer M asked:
Mal Osborne (Alpha Geek) commented:
It gets a bit tricky when you have virtualised DCs.

A DC will try to talk to the RTC hardware in the virtual host, which of course it cannot. If the virtual host is a domain member, it will try to sync from the DC, which in turn grabs time from the RTC hardware, in conjunction with an external clock.

It gets confusing very quickly!

This is one reason for not having the host configured as a domain member. Personally, I like to have a physical PDC emulator rather than virtualising it. I also configure the physical PDC emulator machine to power up a few minutes before the main virtual hosts, so that every machine has DNS, AD and time sync running at startup.

I know that virtualised DCs have been supported by MS for a while now, but sometimes you get a chance to choose your battles, and to me a really low-end server is well worth it. It eliminates a heap of problems like this, and makes a lot of RD and startup problems a lot simpler.

A second, virtualised DC is fine, and if you have one, there is no real requirement to back up the physical machine. If it fails, just DCPROMO in a new one. I have even used an old desktop PC for this role; unless you have thousands of users, it has very little load.
Sajid Shaik M (System Admin) commented:
I think you should go with an authoritative time server with Group Policy using WMI filtering.

Please check the following TechNet article:

https://blogs.technet.microsoft.com/askds/2008/11/13/configuring-an-authoritative-time-server-with-group-policy-using-wmi-filtering/

All the best
Mahesh (Architect) commented:
Having virtualized domain controllers is not a problem at all.

You can control whether domain controller VMs get time from the host or from the PDC or other ADCs in the site.

Ideally, don't sync guest VMs from the host. For Hyper-V you can uncheck time synchronization between host and guest in the VM properties; if the Hyper-V host is a domain member, it should still not have issues.

For VMware there is a procedure; there is a KB article which will stop host/guest time sync:
https://kb.vmware.com/s/article/1189

Your issue is different: the time difference is going beyond 15 minutes. The time difference on the virtualization hosts keeps changing; there is some problem, either because of manual intervention, faulty CMOS batteries on hosts, or perhaps host system board hardware issues. Ideally, the time difference between DCs and clients should not exceed 5 minutes.
What you need to do: disable host-to-guest time sync, point your PDC to an external reliable time source, and point all clients/ADCs to the PDC.
The process should be repeated for all forests.
OR
If you have an internal hardware NTP device/GPS clock, point your PDCs to that.
For each location you can find the nearest internet time server from the ntp.pool.org web site.

The process is pretty straightforward. You already have the steps, but I'm still pointing here for reference in case:
https://www.experts-exchange.com/questions/29018610/ntp-server.html

Mahesh.
Aamer M (Author) commented:
I will sync the PDC with an internal time source; that is not an issue. But the time difference between my PDC and the time source is 15 minutes. Once I sync, the time on my PDC will change by 15 minutes in one shot.

Clients or servers that have not yet updated the time will have issues, right, as my PDC will be 15 minutes ahead of the member servers and the clients?

Is there a way that the time sync happens like 30 seconds every hour? I don't mind if the time is fixed in a day or two, but I want the time to change gradually and not in one shot.
Mahesh (Architect) commented:
AD doesn't accept a 15-minute time difference.

A better option could be to check what the exact time difference is between a machine outside your network on the internet and your DC.
If it is 15 minutes or more, then you don't have any choice; however, if that difference is less than 5 minutes, you'd better sync your PDC with some internet time servers instead of the internal time source which has the 15-minute gap.

If you still want to do it with the internal time source only,
do it outside business hours, probably on a holiday, and immediately sync it with all other DCs and clients; otherwise it will create issues starting from logon and the situation will get critical.
Aamer M (Author) commented:
So I have a time difference of 15 minutes between the correct time and the domain time. How do I fix it?
Aamer M (Author) commented:
I totally understand 15 minutes is too much, far beyond 5 minutes. Now I have a situation like this. I just wanted to consult with the experts on what the safest way to fix this issue is.

The DC is 15 minutes behind. The time server has the correct time.
Mahesh (Architect) commented:
Then, as already commented, do it on a holiday or outside business hours and forcefully replicate the changes quickly.
Follow the commands in the article and get everything in sync ASAP.
That is the only option.
DrDave242 (Senior Support Engineer) commented:
This actually can be done gradually, maybe, but it requires some registry tinkering. First, here's a link with some information:

https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings

Search that page for MaxAllowedPhaseOffset. You'll find an explanation of the setting as well as a whole section of the doc that talks about it further. W32Time handles time differences in one of two ways: it either simply sets the clock to the time received from the source, or it speeds up or slows down the clock so that it converges gradually with the source time. MaxAllowedPhaseOffset plays a pivotal role in determining which of those options W32Time chooses. If the time difference is greater than MaxAllowedPhaseOffset, the clock gets set directly. If it's less than MaxAllowedPhaseOffset...then an equation comes into play.

I'll let you take a look at that page and decide what you want to do. Note that I've never done this before; I just went digging for info on clock discipline when I saw your question.
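The set-or-slew decision DrDave242 describes, as an added example that is not part of the original thread: a PowerShell function that applies the rule from the linked Windows Time Service reference to a given offset, plus a helper that reads the live tuning values from the registry. The registry path, the 100 ns tick and the 156,000-tick SystemClockRate are as documented; the parameter defaults are my assumed values for a domain controller and should be replaced by what Get-W32TimeConfig returns on the real PDC emulator.

```powershell
# Added example, not code from the original thread. Applies the step-or-slew
# rule from the Windows Time Service reference that DrDave242 linked:
#   correction beyond MaxPos/MaxNegPhaseCorrection   -> sample rejected
#   |offset| > MaxAllowedPhaseOffset                 -> step (clock set directly)
#   |offset ticks| / (PhaseCorrectRate * UpdateInterval) < SystemClockRate / 2
#                                                    -> slew (clock rate adjusted)
#   otherwise                                        -> step
# Ticks are 100 ns; SystemClockRate is 156000 ticks (15.6 ms).

function Get-W32TimeCorrectionMode {
    [CmdletBinding()]
    param(
        # Correction to apply in seconds (source time minus local clock);
        # +900 is the thread's case: PDC emulator 15 minutes behind.
        [Parameter(Mandatory)] [double] $OffsetSeconds,
        # Defaults are my assumed DC values; pass the live ones from
        # Get-W32TimeConfig instead of trusting them.
        [long] $MaxAllowedPhaseOffset = 300,
        [long] $PhaseCorrectRate      = 1,
        [long] $UpdateInterval        = 100,
        [long] $MaxPosPhaseCorrection = 172800,
        [long] $MaxNegPhaseCorrection = 172800
    )
    $systemClockRate = 156000
    $abs = [math]::Abs($OffsetSeconds)

    if ($OffsetSeconds -gt 0 -and $abs -gt $MaxPosPhaseCorrection) { return 'rejected' }
    if ($OffsetSeconds -lt 0 -and $abs -gt $MaxNegPhaseCorrection) { return 'rejected' }
    if ($abs -gt $MaxAllowedPhaseOffset) { return 'step' }

    $ticks = $abs * 1e7                      # seconds -> 100 ns ticks
    if (($ticks / ($PhaseCorrectRate * $UpdateInterval)) -lt ($systemClockRate / 2)) {
        return 'slew'
    }
    return 'step'
}

# Reads the live values from the local W32Time configuration key. REG_DWORD
# values come back as signed Int32, so 0xFFFFFFFF (the "unlimited" setting)
# reads as -1; the -band restores the unsigned value.
function Get-W32TimeConfig {
    $cfg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
    $u32 = { param([int] $v) [long] $v -band 0xFFFFFFFF }
    @{
        MaxAllowedPhaseOffset = & $u32 $cfg.MaxAllowedPhaseOffset
        PhaseCorrectRate      = & $u32 $cfg.PhaseCorrectRate
        UpdateInterval        = & $u32 $cfg.UpdateInterval
        MaxPosPhaseCorrection = & $u32 $cfg.MaxPosPhaseCorrection
        MaxNegPhaseCorrection = & $u32 $cfg.MaxNegPhaseCorrection
    }
}

# The thread's 900 s offset against whatever this machine actually has configured.
$live = Get-W32TimeConfig
"live config  : $(Get-W32TimeCorrectionMode -OffsetSeconds 900 @live)"

# Raising MaxAllowedPhaseOffset alone: 900 s = 9e9 ticks, 9e9 / (1 * 100) = 9e7,
# far above 156000 / 2 = 78000, so a DC with these rates still steps.
"DC rates     : $(Get-W32TimeCorrectionMode -OffsetSeconds 900 -MaxAllowedPhaseOffset 3600)"

# Member-style rates (PhaseCorrectRate 7, UpdateInterval 30000): 9e9 / 210000
# = 42857 < 78000, so once MaxAllowedPhaseOffset allows it the clock slews.
"member rates : $(Get-W32TimeCorrectionMode -OffsetSeconds 900 -MaxAllowedPhaseOffset 3600 -PhaseCorrectRate 7 -UpdateInterval 30000)"
```

Run it on the PDC emulator before the cutover. The point it makes is that MaxAllowedPhaseOffset is only the first gate: with a PhaseCorrectRate × UpdateInterval product of 100, a 900-second offset fails the second test by three orders of magnitude, so the clock is stepped regardless of how high MaxAllowedPhaseOffset is set. The function only predicts what W32Time should do from the documented rule; confirm it in a lab, as Mahesh advises, before relying on it.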
Aamer M (Author) commented:
Can I use any of the parameters below so that the time changes periodically and not all at once?

FrequencyCorrectRate
HoldPeriod
LargePhaseOffset
MaxAllowedPhaseOffset
MaxNegPhaseCorrection
MaxPosPhaseCorrection
PhaseCorrectRate
PollAdjustFactor
SpikeWatchPeriod
UpdateInterval
DrDave242 (Senior Support Engineer) commented:
MaxAllowedPhaseOffset appears to be the only relevant setting, but you'll want to look at the equation in that article to determine whether changing its value will really allow the time to be corrected through clock discipline.
Mahesh (Architect) commented:
The above route is tricky and needs to be tested in a lab first.

Instead, try a practical approach.

Set a domain-wide GPO and run a system startup script in the GPO:
    w32tm /config /syncfromflags:domhier /update

Then schedule the time change activity during the night; if needed, call your application server teams to tackle any authentication issues that may arise after the time shift.
Before making the time change on the PDC master, log on to all DC servers with RDP and keep the sessions ready.
Once you change the time on the PDC, run the command below on each DC from an elevated cmd:
    net time \\PDCserver /set /y

This action will forcefully get all DCs in time sync; check the time on each DC.
Then reboot a few client systems and check if they are able to pick up time from the nearest DC and can log on without any issues.

If you succeed, you don't have to do anything the next morning.........

Note - here I have assumed that you do not have any hardware-related / RTC / CMOS battery issues and there is no time shift up and down; whatever time shift happened is fixed (15 mins).
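A scripted version of the cutover discussed in this thread (disable host-to-guest sync on the virtualised DCs, point the PDC emulator at an external source, chain the other DCs to the domain hierarchy, force resyncs, then measure), as an added example that is not from the original posts. Hostnames, VM names, the domain and the NTP peers are placeholders; it assumes the Hyper-V module on the hosts, the ActiveDirectory module on the machine running it, PowerShell remoting to hosts and DCs, and domain admin rights.

```powershell
# Added example, not code from the original thread. Cutover script for the
# case in the thread: virtualised DCs, PDC emulator 15 minutes behind a
# trusted source. All names below are assumptions; replace them.

$pdc       = 'DC01.corp.example'                            # PDC emulator FQDN
$domain    = 'corp.example'
$ntpHost   = 'ntp1.corp.example'                            # used for the before/after measurement
$ntpPeers  = 'ntp1.corp.example,0x8 ntp2.corp.example,0x8'  # 0x8 = plain NTP client mode
$vmsByHost = @{                                             # Hyper-V host -> DC VM names
    'HV01.corp.example' = @('DC01', 'DC02')
    'HV02.corp.example' = @('DC03')
}

# 1. Stop every DC guest taking time from its hypervisor, so each guest has
#    exactly one source: the one W32Time is configured with.
#    (VMware: disable tools.syncTime and the related time.synchronize.*
#    settings as described in the VMware KB linked earlier in this thread.)
foreach ($hv in $vmsByHost.Keys) {
    Invoke-Command -ComputerName $hv -ArgumentList (, $vmsByHost[$hv]) -ScriptBlock {
        param($vmNames)
        foreach ($vm in $vmNames) {
            Disable-VMIntegrationService -VMName $vm -Name 'Time Synchronization'
            Get-VMIntegrationService -VMName $vm -Name 'Time Synchronization' |
                Select-Object VMName, Name, Enabled
        }
    }
}

# 2. Measure before changing anything, so the size of the jump is known
#    rather than assumed. Each /dataonly line is "time, offset in seconds".
Invoke-Command -ComputerName $pdc -ScriptBlock {
    $src = $using:ntpHost
    w32tm /stripchart /computer:$src /samples:5 /dataonly
}

# 3. PDC emulator: manual peer list, advertised as a reliable source, resync.
Invoke-Command -ComputerName $pdc -ScriptBlock {
    $peers = $using:ntpPeers
    w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
    Restart-Service -Name w32time
    w32tm /resync /rediscover
    w32tm /query /source
}

# 4. Every other DC: follow the domain hierarchy and resync immediately
#    instead of waiting for the next poll.
$otherDcs = (Get-ADDomainController -Filter * -Server $domain).HostName |
    Where-Object { $_ -ne $pdc }
Invoke-Command -ComputerName $otherDcs -ScriptBlock {
    w32tm /config /syncfromflags:domhier /update
    Restart-Service -Name w32time
    w32tm /resync /rediscover
    "$env:COMPUTERNAME source: $(w32tm /query /source)"
}

# 5. Verify from one vantage point: each DC's offset against the PDC, then
#    the domain-wide view. Anything still near 900 s has not followed.
foreach ($dc in $otherDcs) {
    "== $dc"
    w32tm /stripchart /computer:$dc /samples:3 /dataonly
}
w32tm /monitor /domain:$domain
```

The stripchart in step 2 tells you exactly how large the jump will be, and the loop in step 5 tells you which DCs have not followed the PDC. w32tm /resync /rediscover asks the service to re-poll its configured source through W32Time; net time \\PDCserver /set /y, as in the post above, sets the local clock directly from the PDC without going through the service. Either way, run the whole thing in the maintenance window the thread recommends, with the DC sessions already open.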
