
I can confirm my domain controllers (primary and backup) are syncing with a time server correctly. They're within +0.0002 or so seconds last I checked.

I can confirm this with w32tm /monitor from the servers or any client:

PS M:\> w32tm /monitor
vdc0.domain *** PDC ***[192.168.10.212:123]:
    ICMP: 1ms delay
    NTP: +0.0000000s offset from vdc0.domain
        RefID: vFile0.domain[192.168.10.214]
        Stratum: 12
vFile0.domain[192.168.10.214:123]:
    ICMP: 0ms delay
    NTP: -0.0016548s offset from vdc0.domain
        RefID: 'VMTP' [0x50544D56]
        Stratum: 1

I've used the following commands, in this order, to get my clients to attempt to sync to my domain controllers:

w32tm /config /manualpeerlist:"vdc0.domain,vfile0.domain" /syncfromflags:manual /reliable:yes /update
net stop W32Time
w32tm /unregister
w32tm /register
net start W32Time
w32tm /resync /force

I can confirm that the clients are seeing and seeking the domain controller(s) for the time with w32tm /query /status:

Leap Indicator: 0(no warning)
Stratum: 13 (secondary reference - syncd by (S)NTP)
Precision: -23 (119.209ns per tick)
Root Delay: 0.0000000s
Root Dispersion: 10.0000000s
ReferenceId: 0xC0A80AD4 (source IP:  192.168.10.212)
Last Successful Sync Time: 1/21/2021 12:58:59 PM
Source: vdc0.domain, vfile0.domain
Poll Interval: 10 (1024s)

When I attempt to see the offsets and delays for the time server with w32tm /stripchart /computer:vdc0 I get some mixed results. It seems Windows is adding a bunch of time a few tenths of a second at a time, seeing where it's at, then oops, gotta subtract a bit, oops, too far, add a bit more. Here is a good example:

14:04:30, d:+00.0038921s o:+30.7786947s  [                           |                          @]
14:04:37, d:+00.0056698s o:+25.7768253s  [                           |                          @]
14:04:44, d:+00.0034796s o:+20.7756529s  [                           |                          @]
14:04:51, d:+00.0076417s o:+15.7719032s  [                           |                          @]
14:04:58, d:+00.0035039s o:+10.7713422s  [                           |                          @]
14:05:05, d:+00.0089287s o:+05.7685848s  [                           |               *           ]
14:05:12, d:+00.0035771s o:+00.7299773s  [                           | *                         ]
14:05:19, d:+00.0033301s o:-04.2704371s  [               *           |                           ]
14:05:26, d:+00.0097744s o:-09.2731762s  [ *                         |                           ]
14:05:33, d:+00.0044543s o:-14.2518533s  [@                          |                           ]
14:05:40, d:+00.0028743s o:-19.2300777s  [@                          |                           ]
14:05:47, d:+00.0155809s o:-24.2134555s  [@                          |                           ]
14:05:54, d:+00.0026456s o:-29.1929530s  [@                          |                           ]
14:06:01, d:+00.0037886s o:-34.1688432s  [@                          |                           ]
14:06:08, d:+00.0036843s o:-39.1453284s  [@                          |                           ]

This client was +214.893 from vdc0 (the PDC) at 13:55:18 and then as it was syncing blew by the domain controller's time. It went all the way down to -520.414s until for a bit it finally found it and was wavering between -00.05s and +0.05s. Randomly it started counting back up to around +1.056s and then with no intervention by any user (all I had was the command running in a Remote PowerShell session, the PC is otherwise idle) it started adjusting back down again, going all the way to -10.2394s when it started adjusting back up. It looks like it got to -02.268s and now adjusting back down, on -04.112s as I type this.

This seems to be on all my clients and I'm not sure if it might be a server or client thing. I don't see anything in the Event Viewer on the Server or Client that points to an issue happening with the Windows Time Service.

Even if I stop the Windows Time Service it keeps trying to sync, adding or subtracting time past the +0s mark up and down.

Any ideas? Any command I can give it to just sync the time instantly? Anything I might be missing? I'm working remote so I don't have physical access to some of my clients. Some are being used, some are not, so I can reboot them if needed (but I've tried that a dozen times, no change).

Jguy
  • `1.` What's the actual problem you're trying to solve? `2.` The Windows Time Service wasn't designed for the type of accuracy you seem to be looking for. `3.` Only your PDCe should sync to an external time source. `4.` All other domain joined clients (including other DC's) should sync to the domain (syncfromflags:DOMHIER) – joeqwerty Jan 22 '21 at 01:04
  • 1 (and 2). I'm attempting to get my clients to be at least close to the domain controller in time. I'm not really looking for a huge amount of accuracy...I'd settle for a few seconds plus or minus. Right now my domain clients swing from +1 min to -1 min off of atomic and domain controller time, several times an hour. 3: currently only the primary domain controller does sync to an external time source. 4: what's the difference between specifying DOMHIER and listing the primary and backup DC's explicitly? – Jguy Jan 22 '21 at 02:18

1 Answer

Have a look at these articles and see if they point you in the direction you're looking for:

https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/support-boundary

and

https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/configuring-systems-for-high-accuracy

While what you're doing may seem functionally the same, the fact is that you're locking your domain joined clients into syncing only with those 2 DC's rather than the authenticating DC (the domain hierarchy), which is the intended design.

What if the domain joined clients are in a remote site that has a DC? Do you want them reaching across to a DC in another site to sync time? Or would you configure those clients to sync with their local DC? What happens if you add more sites and more DC's? How sustainable a practice is that?

What if you need to replace one or both of these DC's? Do you want to reconfigure all of your domain joined clients? Again, how sustainable is that?

You may be saying "We'll never grow large enough for this to be an issue." But what if you do?

My approach is to not deviate from Microsoft's guidance and best practice recommendations unless I have a specific reason to, or their guidance and best practice recommendations have been proven to be wrong, or they just won't work in my unique situation... which is to say that I rarely stray from their guidance and best practice recommendations. They built this stuff. They know best how to deploy and configure it. I'm not smarter than Microsoft.

joeqwerty
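
The recommendation above, syncing from the domain hierarchy instead of a fixed peer list, as an added PowerShell example that is not part of the original answer. It assumes an elevated session on a domain-joined machine; the function names `Get-W32TimeSyncType` and `Set-W32TimeDomainHierarchy` are hypothetical, while the `w32tm` switches used are the tool's own.

```powershell
# Added example, not from the original answer. Function names are hypothetical.
# Run elevated on a domain-joined client, member server or non-PDC domain controller.

function Get-W32TimeSyncType {
    # 'w32tm /query /configuration' reports "Type: NTP (Local)" for a manual
    # peer list and "Type: NT5DS (Local)" for domain-hierarchy sync.
    $hit = w32tm /query /configuration |
        Select-String -Pattern '^\s*Type:\s*(\S+)' |
        Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value } else { $null }
}

function Set-W32TimeDomainHierarchy {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        throw "$($cs.Name) is not domain joined; DOMHIER does not apply."
    }
    # DomainRole 5 = primary domain controller (the PDC emulator), the one
    # machine that keeps its external time source.
    if ($cs.DomainRole -eq 5) {
        Write-Warning "$($cs.Name) is the PDC emulator; leaving its configuration alone."
        return
    }

    $before = Get-W32TimeSyncType
    if ($before -ne 'NT5DS') {
        # Sync from the domain hierarchy and stop advertising this machine
        # as a reliable time source (the question's command set /reliable:yes).
        w32tm /config /syncfromflags:domhier /reliable:no /update | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "w32tm /config failed with exit code $LASTEXITCODE" }
    }

    # Drop the current peer and rediscover a time source from the domain.
    w32tm /resync /rediscover | Out-Null

    # Report what changed and where the clock is coming from now.
    [pscustomobject]@{
        Computer   = $cs.Name
        TypeBefore = $before
        TypeAfter  = Get-W32TimeSyncType
        Source     = "$(w32tm /query /source)".Trim()
    }
}

Set-W32TimeDomainHierarchy
```

After it runs, `Source` should name a domain controller chosen by the domain hierarchy rather than the `vdc0.domain, vfile0.domain` list shown in the question's `w32tm /query /status` output.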