3

Some of our servers have Domain Time II on them but we are having to make the possible decision to buy over 100+ licenses for Domain Time II or enable the Windows Time service.

The installation of Domain Time II was done a few years before I arrived and I am trying to figure out if there was a reason for it over the Windows Time service. I have been told that Domain Time II is more accurate than the Windows Time service but I want to see all the options.

We have our domain controller running Server 2003. The other OSes in our environment are: Server 2008, Windows XP, Windows 7 and other Windows 2003 servers. Would the Windows Time service have a problem working with these machines, especially if Windows updates were not always performed? I just hate to make a large purchase without getting all my facts straight. Any suggestions as to which one to go with and why would be much appreciated. Thank you.

Patrick
  • 1
    Someone did show me this: http://support.microsoft.com/kb/939322 it shows how the Windows Time service can be inaccurate up to 2 seconds but that might be ok. – Patrick Jul 11 '12 at 16:06
  • 1
    "Domain Time II is more accurate than the Windows Time service" - How accurate do you need? Windows Time service is good within a minute at worst (when running correctly). NTP is good to about 20ms, commonly 10ms. PTP is good for 1ms or better. – Chris S Jul 11 '12 at 18:19
  • Turns out we need it to be highly accurate. I have found more information after posting this thread and of course after reading all of your responses I have learned a great deal more. I'm looking into NTP and PTP but as we already have Domain Time II on many of the assets, getting everyone to agree to move to something else... well.. you know how that goes I'm sure. – Patrick Jul 11 '12 at 18:53
  • 1
    "highly accurate" is pretty meaningless. Are we talking about 1s, 10ms, or 1ms? Those are basically your choices. Domain Time actually uses NTP or PTP, so you likely would not have to change any of the existing clients until it's convenient (hardware or software refresh cycle or similar). – Chris S Jul 11 '12 at 19:24
  • good point, we need it really at least 50 ms or lower, so I guess highly would not be accurate (pun intended). Also I was told logging is apparently desired in the future. I'm new to what NTP and PTP all is, only in the past few days have I ever even started hearing about it and you all have been a major help in elaborating on the differences. Thanks again. – Patrick Jul 12 '12 at 20:32
  • Excellent, now what do you mean by "logging"? The reference NTPd can dump more logging information than you'll ever want into a flat file or standard syslog. But if the logging has to integrate with Windows logging, then you'd need something different. – Chris S Jul 12 '12 at 20:50
  • I believe that the type of logging I was told was possibly desired is the "time drift" of each machine. I think that is the only type of logging that we would ever care for. – Patrick Jul 12 '12 at 21:05
  • 1
    The reference NTPd with a couple options will write a statistics file that can pretty easily be picked up by most monitoring software. [NTP.org has an article describing some of it](http://www.ntp.org/ntpfaq/NTP-s-trouble.htm), which includes the most commonly used two options that would have to be added to the config file. Not sure if you have a mixed OS environment, but it's also the exact same software and config files (except paths) across Windows, Mac, Linux, BSD, and Solaris. You may be stuck with Domain Time for now, but keep NTP in mind in the future. – Chris S Jul 12 '12 at 23:44

2 Answers

8

I've supported a number of Customers over the years varying in size from a single Windows Server machine and a handful of domain-joined PCs to a Fortune 1,000 company w/ over 6,000 PCs and a couple-hundred Windows Server machines. I haven't seen anyone using, nor used myself, a time synchronization mechanism other than Windows Time for physical Windows Server machines in any environment.

Virtual machines have been a different story. In the past, VMware has made recommendations re: using the VMware Tools time synchronization functionality and synchronizing the host with NTP. Today's revision of their recommendations for timekeeping in a Windows environment talks about using the Windows Time service with manually-specified NTP servers.

The FINRA "1 second clock rule" is the biggest reason for companies to push for more accurate time synchronization mechanisms and mechanisms that are more amenable to audit. If you're covered by this rule then you should consider whether or not the "Windows Time" service actually meets your needs. If you're not covered then, I suspect, the "Windows Time" service would be "good enough" for you (as it is for many organizations).

Evan Anderson
  • Actually I have been working some years ago in a 1200 server install with high resolution time sync. Talk national IPTV setup. There are SOME scenarios where you distribute high real time data and want to know within a high accuracy when it is where. But those are VERY far between and likely this is the type you ask in the company why you do it, half the people tell you. Very special. – TomTom Jul 11 '12 at 17:01
  • Oh, great. EA is back. Everyone can stop trying to catch him now. – MDMarra Jul 11 '12 at 17:07
  • @MDMarra: Heh heh... Don't get too worried. I've got so much less time to play Server Fault than I had even a year ago. – Evan Anderson Jul 11 '12 at 17:09
  • I've got the free [Meinberg NTPd](http://www.meinberg.de/english/sw/ntp.htm) (a Windows binary of the reference NTP implementation) running on two physical servers. Windows Time Service is certainly good enough for most people, but we had a few minor issues (mainly that WTS doesn't seem to ever disqualify a time source). – Chris S Jul 11 '12 at 17:21
  • It turns out that we are going to go with Domain Time II as I found we are needing an extremely accurate time sync that I recently found out due to the type of business we are. As mentioned below I also found a moment ago we have most the licenses we need and only a few more would need to be purchased to cover all the machines. This information is a big help. Thank you – Patrick Jul 11 '12 at 18:49
4

The main reason for running the NTP time service on DCs within a Windows AD domain by default and having the clients synchronize their time is that the authentication mechanism used for logons (Kerberos) would break if the client's time deviation is too large. As "too large" would mean > 5 minutes in this context, nearly any periodical time synchronization mechanism would do, thus the Microsoft implementation only uses a subset of the NTP functionality referred to as S(implified)NTP. The SNTP clients have been an integral part of Windows Server and Client operating systems since Windows 2000, so none of your listed OSes would have the need for any additional software to synchronize to the DC NTP servers.

As Domain Time II aims for higher accuracy than the Windows built-in SNTP implementation, it should be noted that Windows builds / ports of the open-source NTP project are available which would get you an accuracy within 10 milliseconds in any network with reasonable latency.

the-wabbit
  • +1 I can't believe people pay for time software when the venerable and reliable NTPd is free. – Chris S Jul 11 '12 at 17:23
  • Wow. I wasn't even aware that there were commercial NTP daemons. This thing sure looks like an Enterprise Thing with Visio graphs and all! https://www.greyware.com/software/domaintime/v5/overview/ ... I think I will continue using my good old ntpd. – Janne Pikkarainen Jul 11 '12 at 17:36
  • 2
    @JannePikkarainen I would think the main idea behind it is not just having clocks synchronized but also have centralized, collected reports on clock deviations over a time line so you could factor them in when evaluating logs. – the-wabbit Jul 11 '12 at 17:39
  • 1
    Ahh, like with `ntpmon` :-) http://libertysys.com.au/software/ntpmon/screen-shots – Janne Pikkarainen Jul 11 '12 at 17:43
  • Thank you for the information. That is a big help that you mentioned the OS info. I didn't know about the open-source NTP project. I will definitely look into that. Seeing as how I just found out a few minutes ago we already have most the licenses we need for Domain Time II, it looks like we will be using that one and buying just a few more. Definitely bookmarking those sites. Thank you – Patrick Jul 11 '12 at 18:50
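
The per-machine "time drift" logging discussed in the comments, as an added example that is not part of the original thread or any poster's code: it parses the `loopstats` statistics file written by the reference ntpd and classifies each host's worst offset against the 50 ms requirement and the 5-minute Kerberos tolerance mentioned above. The host names and sample lines are constructed, and it assumes each host's NTP source is the same reference the domain controllers follow.

```python
from datetime import datetime, timedelta, timezone

MJD_EPOCH = datetime(1858, 11, 17, tzinfo=timezone.utc)  # Modified Julian Day 0
ACCURACY_LIMIT_S = 0.050  # the 50 ms requirement stated in the comments
KERBEROS_SKEW_S = 300.0   # the 5-minute Kerberos tolerance from the answer

# Constructed sample data, not real measurements. loopstats fields: MJD, seconds
# past midnight (UTC), offset (s), frequency (ppm), jitter (s), wander (ppm), tc.
SAMPLE_LOOPSTATS = {
    "app01": "56119 3600.000 0.000812 13.778 0.000351 0.013380 6\n"
             "56119 3664.000 -0.001204 13.779 0.000402 0.012110 6\n",
    "db02": "56119 3600.000 0.012400 -4.101 0.002100 0.050000 6\n"
            "56119 3664.000 -0.071300 -4.350 0.009800 0.210000 6\n"
            "truncated line\n",
    "legacy03": "56119 3600.000 412.500000 0.000 0.000000 0.000000 6\n",
}

def parse_loopstats(text):
    """Return [(utc_datetime, offset_seconds)], skipping malformed lines."""
    samples = []
    for line in text.splitlines():
        fields = line.split()
        try:
            day, second, offset = int(fields[0]), float(fields[1]), float(fields[2])
        except (IndexError, ValueError):
            continue  # partial write or log rotation debris
        samples.append((MJD_EPOCH + timedelta(days=day, seconds=second), offset))
    return samples

def classify(offset):
    """Map an offset to the two thresholds discussed in the thread."""
    if abs(offset) > KERBEROS_SKEW_S:
        return "kerberos-risk"
    if abs(offset) > ACCURACY_LIMIT_S:
        return "over-50ms"
    return "ok"

def drift_report(per_host):
    """Summarise each host by its worst absolute offset and when it occurred."""
    report = {}
    for host, text in per_host.items():
        samples = parse_loopstats(text)
        if not samples:
            report[host] = {"status": "no-data"}  # a silent host is itself a finding
            continue
        when, worst = max(samples, key=lambda s: abs(s[1]))
        report[host] = {"status": classify(worst), "worst_offset": worst, "at": when.isoformat()}
    return report
```

Keeping the timestamp of the worst offset alongside its size is what lets log entries from that host be corrected when events from several machines are lined up.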